Decrypting EFI - Prior to 2011

Rundown

As some of you may know, on Mac's prior to 2011 the EFI passcode is actually obfuscated and stored in PRAM (NVRAM). On those models you can actually dump the hex variable of the EFI passcode if you have admin rights on the system. This could then be simply reversed by converting the hex (without the % delimiters) to binary, doing a bit flip on every other bit starting with the first, and converting the result back to ASCII. Now if you didn't have admin rights you wouldn't have been able to dump the PRAM at all. Since then Apple has stopped using this method, which is why we have come up with a couple other ways to get around the EFI lock.

Evolution

While doing some research Pavel Klukin (token.paul) found this variable stored on the EFI chip and found a simple way to locate it after dumping the firmware. When you have found the hex you would then have to do the conversions or use a script to do so, but I am sure a lot of you don't just have it lying around or remember the conversions. I took it upon myself to create a little tool that you can use after finding the hex to display the EFI passcode for pre-2011 Macs, so that you can just enter it in at the lock screen and get to restoring your Mac! The steps to finding the hex and the tool can be found below, enjoy.

The Tool

All of this is assuming you have at least dumped the firmware or PRAM. If you have been able to dump the PRAM variable for the passcode just drop it in the box below without spaces or the "%" delimiter and click Decrypt.

In a hex editor search for the hex values "730065006300750072006900740079002D00700061007300730077006F0072006400".
Directly following what you just searched for you will need to copy the hex between "00 00" and "AA 55 7F" (Just like in the image above)
Drop what you just copied in the box below and hit Decrypt.

Comments

-1 #5 neighborhoodguy 2016-09-24 17:00

Quoting ggltech:

For Macbook's before 2011.
If you can change the RAM amount to bypass the lock .
boot off media you have admin rights to..in terminal run command
sudo nvram -c
reboot computer

So do both ways (the "sudo nvram -c" way and the "C-O-P-R nvram reset" way) clear these variables?
security password
security mode
security pin type

The hex string isn't in my dump from efi locked Macbook Air A1369 2010 emc 2392. i dont think this unit was icloud locked tho, only efi

Quote

-1 #4 baileyw813 2016-01-07 14:29

Does this work for, not only clearing the EFI passcode, but clearing out the iCloud lock, as to be able to reinstall the OS?

I have a 2009 MBP 13" that has a 6 digit iCloud lock/EFI passcode (assuming EFI is same as icloud 6 digits)
Would it be better to dump the efi chip contents and find the hex values for the passcode? That way, I'd have the 6 digit pin for the icloud lock as well (assuming they are the same... I've had one MBP where the EFI passcode and the iCloud PIN were different, I'd input the EFI passcode (9632) and then the icloud screen would come up, but that PIN didn't work...)

Thank you for any clarification

Quoting ggltech:

0 #3 thaGH05T 2015-12-06 15:51

Thanks for adding this as a comment, this does work in older cases such as 2009 and below. But in a lot of 2010 models i have found clearing PRAM does not work.

Quoting ggltech:

+1 #2 ggltech 2015-11-22 21:11

0 #1 krayzeeman 2015-11-19 04:39

Does anybody know how the password is encrypted on the newer Macs?
It's probably a one-way encryption, but if the password is a 4-digit PIN, there are only 10.000 possibilities, and this should be easy to brute-force once we know the encryption algorithm.

Krayzeeman

Refresh comments list
RSS feed for comments to this post