
RSU Process Overview

Uploaded by

Jaka maulana

SHARED EXTERNALLY

RSU (RMA Server Unlock)


Process Overview
The RMA Server Unlock (RSU) process covers the steps of disabling hardware write
protect and enabling developer mode on devices being RMAed. This will allow you to
perform RMA on devices without having to open them and even if the device is still
enterprise enrolled with developer mode disabled. The other steps of the RMA process are
not impacted.

Requirements
● Updated RMA shim with RSU process included
● QR code scanner or QR code scanning app
● Secondary device with an internet connection and a Chrome web browser
● Approved RSU account with associated security key (basic U2F device)

RSU Process
Step-by-step on how to perform RSU.

Server Access
Setting up and managing tech agents access.

FAQ
Repository of questions and issues
encountered.

Pilot feedback and communication channels


● Google will provide assistance to set up the pilot at the OEM’s local main repair
center. Feedback will be provided during the weekly OEM/Google service call.
● OEM will track # of devices that successfully complete the RSU process, data on
time & cost required for repair using RSU process vs previous process.


RSU Process

1. When the device boots up, press ESC+Refresh+Power to enter recovery mode (or Power+Vol Up+Vol Down for 10 secs on a tablet). There will be a few seconds of black screen before entering recovery mode.
   Sometimes the key combo is not detected and the device simply reboots to the login screen. Try again if that happens.

2. Press Ctrl+D to access the OS verification screen (or Vol Up+Vol Down on a tablet, and then navigate with the volume keys to confirm disabling OS verification).

3. Press Enter to turn off OS verification.


4. When the device reboots, you’ll see an “OS verification is off” screen. Press ESC+Refresh+Power to enter recovery mode again (or Power+Vol Up+Vol Down on a tablet).

5. Plug in the USB shim.

6. If the device has a cr50 firmware version < 0.3.11, the RMA shim will automatically update the firmware and reboot (this takes about 1 minute). After reboot, manually enter the recovery screen by pressing ESC+Refresh+Power (or Power+Vol Up+Vol Down for 10 secs on a tablet).
   Since the USB shim is still plugged in, the device will automatically boot into the RMA shim. If the latest cr50 firmware is already on the device, this step will be skipped.


7. A QR code will appear on the device. This contains a URL to our RSU server to acquire an authentication code to unlock the device.

8. Open a Chrome browser window and scan the QR code in the address bar (use your scanning device or a QR code scanning app).
   The QR code web link will appear in the bar.

9a. You will be invited to touch your security key. Make sure it’s inserted and tap it.

   Note: if you get an error, verify that your registered RSU account is the one being used; it is shown in the top right corner, next to the sign out button.


9b. An 8-digit unlock code will appear.

10. Type in the 8-digit unlock code and press Enter (if you’re using a tablet that has only one USB port, unplug the USB shim and plug in an external keyboard to enter the code).

11. A message “RMA unlock succeeded” will appear and the device will reboot. Once the screen goes black, manually enter the recovery screen by pressing ESC+Refresh+Power (or Power+Vol Up+Vol Down on a tablet for 10 secs).


12a. The RMA shim will automatically install the payloads in the shim. It takes a few minutes.

12c. Once all the tests are passed, the factory toolkit will wipe the device and shut down. The RMA process is completed.


RSU server registration process step-by-step


1. Google needs to create a CPCon account for the OEM.

   Note: CPCon uses the concept of “account” to enforce access control on almost all the
   operations that a user can perform. In order to gain access to CPCon, a user must have
   a Google Account so that the user can log in with the account and be authenticated.
   After a user logs in, CPCon will display the user’s Google Account email address and the
   current account the user belongs to. Accounts are limited to RMA centers.

2. RMA center creation: Click “Create” to create a new center. Any OEM user with a valid
   Google Account in the RMA_MANAGER Google Group will be able to log in to CPCon to
   perform RMA center management operations.


3. Name your RMA center and add emails of repair agents that will use RSU.

4. Invite users to register a security key by clicking on the “Send Invitation” link.


5. Select all users that you want to invite to register a security key. For each invitation, CPCon
   will send out an email with a link for registration.

   Note: security keys are associated with an RMA center, not a specific user. This means that
   an admin could register all security keys and distribute them to the agents without each of
   them having to follow that process. To do so, the admin should add himself to the repair
   center and send an invitation to himself.

6. The invited user will receive an email with a link to register his security key.


7. The user will be requested to name his key and click on the “Register” button.

   Note: It is recommended to follow a simple nomenclature to manage keys easily (e.g.
   OEM-RepairCenterLocation-Key#). The keys themselves should also be labeled.

8. Insert and touch your U2F security key to complete the registration process.


9. Status of the invitations can be checked in the “Invitations” section.

10. Registered security keys can be managed in the “All U2F Devices” section.


FAQs
1) What are the benefits of RSU versus alternative ways of servicing enrolled Chrome OS
devices?
❏ RSU was designed with the following benefits in mind:
1. Security: RSU users are authenticated to a central Google server via a 2-factor key
that you control and can revoke. This means that even if someone steals an RMA
shim, they cannot use it to steal an enterprise-enrolled Chromebook.
2. Speed: RSU functionality is already integrated into the RMA shim and service flow
(no separate shim required), and entering the challenge code/response is assisted
by a QR code for faster input.
3. Removal of hardware write-protect without having to open the device: For example,
if a device contains a fingerprint sensor, its biometric data will need to be cleared
before sending it to a different customer. RSU facilitates this in a way that does not
require awkwardly trying to remove the battery while resetting the fingerprint sensor
at the same time.
4. Prevention of errors: With RSU, it is much harder to accidentally send a Chrome OS
device to another customer in a state of being enrolled to its original organization.
5. Proper accounting for enrolled devices: Enterprise administrators see the fleet of
devices enrolled to their organization in the admin console. RSU ensures that
decommissioned motherboards are removed from the enterprise’s roster, preventing
them from being billed for licenses that they cannot use.

2) Do I need to deploy 2-factor authentication tokens to all my service staff?


❏ Since force-unenrolling a device via RSU is a highly sensitive operation, a one-time code
generated by a hardware security key has always been required. This is the same Google
account-based process used by thousands of enterprises to authenticate users, and
includes the ability to revoke keys if they were to go missing. While there is an initial cost
to acquire the keys, there are significant benefits for increased security and goodwill of
organizations investing in devices under your brand.

3) Who should I contact to be added to an RMA group?
❏ Please create a bug and copy [email protected]

4) How do we get security keys?


❏ You can purchase them here, and there's also a version with NFC. Google can first lend a
few keys to OEM/ODM for initial testing. Please request them from
[email protected].

5) The QR code webpage gives me an error message.


❏ “This device is not registered.”
You are using an unregistered security key. Please contact the RMA group admin to send
an invitation to register the key.

❏ "No devices registered for the current user."


This is mostly caused by the device not being added to the RMA group you belong to. Please
check with [email protected] to add the device to the RMA group.

❏ "Failed to decode the challenge."


There are several possibilities for this issue. Please first check that the challenge code in
the URL has 80 characters, and check with TAM if the brand code of the device is
configured in DLM. Otherwise, please file a bug to [email protected]

❏ "Failed to generate auth code."


RSU is blocked by the enterprise admin.

6) What is the difference between the terms “enrolled”, “managed” and “provisioned”?
❏ For the purposes of this document, they are the same.

7) What if I don’t have an RMA shim?
❏ RSU can also be done directly from the cr50 console without the use of an RMA shim. This
is a rare case but we provide the instructions here for completeness.

a) Follow this document to connect a SuzyQ or Servo v4 to the device and get the cr50
console.
b) Run the command `rma_auth` in cr50 console to get the 80 digit RSU challenge code.

c) Connect to the URL
https://chromeos.google.com/partner/console/cr50reset?challenge=<80 digit challenge code>
and get the unlock code as in step 8, 9a and 9b.
d) Use the same `rma_auth` command to enter the 8-digit unlock code in cr50 console.
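
A pre-flight check for an RSU URL, whether decoded from the QR code or assembled by hand as in step c), that applies the 80-character challenge check from FAQ 5 before the security key is touched. This is an added example, not part of the original document or of Google's tooling; the host and path are the ones printed in step c), the function name `check_rsu_url` is hypothetical, and the sample challenge is constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Values taken from FAQ 5 and FAQ 7 of this document.
EXPECTED_HOST = "chromeos.google.com"
EXPECTED_PATH = "/partner/console/cr50reset"
CHALLENGE_LEN = 80  # "the challenge code in the URL has 80 characters"


def check_rsu_url(url):
    """Return a list of problems found in an RSU URL (empty list = looks OK)."""
    problems = []
    parts = urlsplit(url.strip())

    # The scanned link should lead to the RSU server and nowhere else.
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.hostname != EXPECTED_HOST:
        problems.append(f"unexpected host: {parts.hostname!r}")
    if parts.path != EXPECTED_PATH:
        problems.append(f"unexpected path: {parts.path!r}")

    # Exactly one challenge parameter must be present.
    values = parse_qs(parts.query, keep_blank_values=True).get("challenge", [])
    if len(values) != 1:
        problems.append("expected exactly one 'challenge' parameter")
        return problems

    challenge = values[0]
    # Only length and whitespace are checked; the page does not specify the
    # challenge alphabet, so none is assumed here.
    if any(c.isspace() for c in challenge):
        problems.append("challenge contains whitespace")
    if len(challenge) != CHALLENGE_LEN:
        problems.append(
            f"challenge has {len(challenge)} characters, expected {CHALLENGE_LEN}"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample: 80 placeholder characters, not a real challenge.
    sample = f"https://{EXPECTED_HOST}{EXPECTED_PATH}?challenge={'A' * 80}"
    truncated = sample[:-1]  # simulates a challenge that lost a character
    for url in (sample, truncated):
        issues = check_rsu_url(url)
        print("OK" if not issues else "; ".join(issues))
```

A non-empty result on the challenge length corresponds to the first thing FAQ 5 asks you to check for "Failed to decode the challenge."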

8) How does RSU relate to Shimless RMA?


❏ RSU is already required for enrolled devices going back to a different owner under the
Shimless RMA program. In addition, this announcement serves to inform you that all
enrolled devices requiring service that would have previously used the RMA shim need to
be un-enrolled with RSU after the date specified above.

9) RSU turns on cr50 factory mode. There's another option in RMA shim menu: Enable factory
mode (action M). What's the difference between the two methods?
❏ Both methods turn on cr50 factory mode, but with different requirements. RSU needs to
access the Google server with an allowed account and a security key, but does not require
opening the device. The other option needs hardware write protection to be disabled first
(usually done by removing the battery), and also requires that the device not be enterprise enrolled.

10) Which devices have Google Titan-C (H1) Security Chip?


❏ All Chromebooks launched since January 2019 come with the Titan security chip except
for the Lenovo 100e Chromebook 2nd Gen MTK and the Lenovo 300e Chromebook 2nd
Gen MTK, which come with a different security chip that does not support RSU.
