Icarus Lite is a lightweight and easy-to-use version of the ChromeOS unenrollment exploit known as Icarus, which unenrolls devices with device management interception using a proxy and a custom Certificate Authority.
Important
As of 3/10/25, Icarus Lite is fully functional and works with prebuilt shims from kxtz's file host and/or fanqyxl's file host. Please use the automatic certificate downloader for best results.
Icarus Lite is based off the original Icarus code and works in the same way. Although the original Icarus is currently archived and no longer recieving support, Icarus Lite will be supported and updated.
Important
Icarus AND Icarus Lite only work on ChromeOS versions between 125 and 130. If you are not in the range of compatible versions, please upgrade/downgrade to a compatible version to use Icarus."
- Do not use any public Icarus proxies. Icarus can be used maliciously to remotely manage and track devices. Icarus Lite is intended to be simple to use, and self-hosting Icarus is heavily advised over using any public proxies.
- Icarus Lite does NOT currently have functionality to build Icarus shims. Please download a prebuilt shim to use Icarus Lite, or refer an Icarus fork for information on manually building shims.
Using the Windows pre-compiled .exe version of Icarus Lite, you will not need to worry about dependencies as they are packaged with the .exe. Icarus Lite uses:
As shown in Setup Instructions, these packages can be installed simultaneously by utilizing requirements.txt.
If you are on Windows, you can download a pre-compiled .exe version of Icarus Lite in the "Releases" section of this repository. Alternatively, you can follow the Linux/Mac instructions below to manually build Icarus on your machine.
If you are on Linux or Mac (or wish to run Icarus Lite from its source directly on Windows), the below instructions will cover how to run Icarus Lite.
- Open a Command Prompt/Terminal window and run
python --versionand/orpython3 --version. If the command is not found, install Python from python.org (or wherever/however is best for your OS/distro). Once Python has been installed, close and re-open a new terminal. - Run
git --version. If the command is not found, install Git from git-scm.com (or wherever/however is best for your OS/distro). Once Git has been installed, close and re-open a new terminal. - In whichever directory you want to copy Icarus Lite into, run
git clone https://github.com/cosmicdevv/Icarus-Lite.git, then runcd Icarus-Lite. - Install all Python package dependencies, which can be done by running
pip install -r requirements.txt/pip3 install -r requirements.txt. On some Linux distros (specifically in managed environments), pip may not work correctly, in which case you may need to usesudo apt install python3-protobuf python3-requests python3-openssl python3-cryptography. - Run
python main.pyand/orpython3 main.py. - Icarus Lite will attempt to automatically set up the required file structure and download the latest SSL certificates from kxtz's Icarus fork.
Icarus Lite failing to download certificates?
You will need to manually download the certificates from a proper source (recommended to use kxtz's Icarus fork) and place them into Icarus Lite/manualcerts.
Once Icarus Lite is running, usage is extremely simple. Icarus Lite will attempt to automatically fetch your local IP when the Proxy Server starts, and will provide you with an IP and port to use. Using Icarus Lite on the target ChromeOS device is the same process as using normal Icarus assuming the device's Stateful Partition has already been modified by an Icarus shim. The target ChromeOS device should be on the SAME network as the device hosting the Icarus Lite server.
- After rebooting into ChromeOS verified mode following using an Icarus shim, do not click "continue". Instead, manually open the Network Configuration by clicking on the bottom-right icons which contain the time, WiFi, and Battery status. Once in Network Configuration, connect to your WiFi and enter the proxy settings.
- Set "Connection Type" to Manual
- Set the "Secure HTTP" IP address to the IP Icarus Lite gives you
- Set the "Secure HTTP" port to the port Icarus Lite gives you
- Click "Save"
- Resume the ChromeOS setup process as normal and Icarus Lite should unenroll you.
Device still enrolling/getting "Can't reach Google"?
-
Make sure that Icarus Lite is recieving and handling the ChromeOS device's requests; check the terminal/window where Icarus Lite is running for any output past "Icarus LITE is running on...". If nothing else has been output, it means Icarus Lite isn't recieving requests from the Chromebook and therefore is not handling them accordingly. In this case:
-
Re-run the Icarus shim and ensure the target ChromeOS device and the device hosting the proxy are on the SAME WiFi network.
-
Ensure the shim used on the target ChromeOS device was built with the same CA (Certificate Authority) used to generate the SSL certificates
- If you're using a prebuilt shim and don't know what CA was used, consider building your own shim and SSL certificates if nothing else works.
-
It is also important to note being above ChromeOS v130 or below ChromeOS v125 will cause the target ChromeOS device to reject the connection to the MiniServer, causing the "Can't reach Google" screen.
Icarus Lite only replaces the server functionality of Icarus, but for Icarus to successfully unenroll a ChromeOS device, that device still must have had an Icarus shim ran on it. Icarus Lite does not currently have the functionality to build shims, so users must either use prebuilt shims or build their own shims from Icarus's original source. Instructions on building shims, along with a maintained fork of Icarus, can be found here.
For prebuilt shims, it is recommended to download them from the below servers:
In order for the client (target ChromeOS device) to establish a proper connection to the MiniSever, we need an SSL certificate to establish the secure tunnel. If the SSL certificate is invalid, the target device will reject the connection (which in most cases will bring you to a "Cannot reach Google" screen). Icarus uses a custom CA (Certificate Authority) which isn't trusted to external devices, which also means any SSL certificates generated from our custom CA will also not be trusted to external devices. This causes most devices (including any ChromeOS devices) to reject the connection because of the untrusted CA.
This is why a user must run an Icarus shim on a ChromeOS device prior to using the Icarus Lite server for unenrollment; in the simplest terms, the shim makes the device trust the CA so that way the device won't refuse the connection to 6D68 the MiniServer.
When a shim has been built using a different CA than the SSL certificates, the target device will still reject the connection. This is why if constantly getting a "Can't reach Google" screen, users should consider building their own shim and SSL certificates.
Icarus Lite has the ability to automatically generate SSL certificates with a provided CA (Certificate Authority). The process is relatively simple:
- Generate your CA (you must have a key and pem) or use an existing CA.
- Put your CA (key and pem) into
IcarusLite/manualcertswith the namesmyCA.pemandmyCA.key. - In
IcarusLite/manualcerts, create two empty files namedgoogle.com.pemandgoogle.com.key. - Run Icarus Lite and when prompted to select certificate options, select option 1 (Use manual certificates).
- Icarus Lite will attempt to check the validity of the certificates, and will ask you if you want to generate new certificates.
- Select
yesand wait for the SSL certificates to be generated.
Upon first setup, Icarus Lite will automatically create and set a config.json file which will store certain configuration options designed for debugging Icarus Lite. The file can be directly edited to store true or false values for each configuration option, and the config will be loaded the next time Icarus Lite starts.
Current configuration options include:
bypassCA: This option, if set totrue, will bypass Icarus Lite requiring a CA in addition to SSL certificates. It will also disable SSL certificate validation.autoUpdate: This option, if set totrue, will automatically update Icarus Lite when an update is detected and bypass asking the user yes or no.autoCertificateMode: This option, if set to1or2, will automatically select the certificate mode and bypass asking the user for a selection. Its default value is0, where it will not affect anything.disableDelays: This option, if set totrue, will disable the 5-second delays between intialization sections of Icarus Lite.
This section contains planned updates to Icarus Lite to improve functionality.
- Shim building implementation
- cosmicdevv - Writing and maintaining Icarus Lite
- kxtzownsu - Maintaining certificates Icarus uses
- Fanqyxl - Emotional support + keyrolling his chromebook lol
- MunyDev - Discovering and creating original Icarus