Rundown

As some of you may know, on Mac's prior to 2011 the EFI passcode is actually obfuscated and stored in PRAM (NVRAM). On those models you can actually dump the hex variable of the EFI passcode if you have admin rights on the system. This could then be simply reversed by converting the hex (without the % delimiters) to binary, doing a bit flip on every other bit starting with the first, and converting the result back to ASCII. Now if you didn't have admin rights you wouldn't have been able to dump the PRAM at all. Since then Apple has stopped using this method, which is why we have come up with a couple other ways to get around the EFI lock.

 

Evolution

While doing some research Pavel Klukin (token.paul) found this variable stored on the EFI chip and found a simple way to locate it after dumping the firmware. When you have found the hex you would then have to do the conversions or use a script to do so, but I am sure a lot of you don't just have it lying around or remember the conversions. I took it upon myself to create a little tool that you can use after finding the hex to display the EFI passcode for pre-2011 Macs, so that you can just enter it in at the lock screen and get to restoring your Mac! The steps to finding the hex and the tool can be found below, enjoy.

 

The Tool

All of this is assuming you have at least dumped the firmware or PRAM. If you have been able to dump the PRAM variable for the passcode just drop it in the box below without spaces or the "%" delimiter and click Decrypt.

  1. In a hex editor search for the hex values "730065006300750072006900740079002D00700061007300730077006F0072006400".
  2. Directly following what you just searched for you will need to copy the hex between "00 00" and "AA 55 7F" (Just like in the image above)
  3. Drop what you just copied in the box below and hit Decrypt.