MBA from end of 2010 (MC505LL)


7 years 10 months ago #3173 by Stero
Hi guys,

New guy on this forum. I've been looking at topics and searching for a while on this website.
First of all, I'd like to thank token.paul and Thaghost for all the great work they have done!

So, I just bought a Mac from the end of 2010 (MC505LL). The previous owner told me he tried to format and reinstall everything. Since then, the MBA displays a folder with a question mark. When I try to access the recovery mode or any other option, it asks me for the EFI password.

Token.paul mentions in his post ( ghostlyhaks.com/forum/macbook/55-how-to-bypass-an-efi-password-and-boot-any-os ) that if the hdd is blessed, then the macbook will turn on without asking for the EFI password.
As my MBA is from late 2010, from what I understood from Thaghost's topic ( www.ghostlyhaks.com/blog/apple-efi/23-efi-deobfuscate ), I can get the EFI password from the PRAM.
From token.paul's topic ( www.ghostlyhaks.com/forum/macbook/65-icloud-wipeout-and-admin-access-on-efi-locked-mac ) I've come to understand that there is a recovery boot on my SSD.

So, my question is: considering that my HDD seems to be blessed, can I try to connect it to my PC to restore OS X? Once this is done, I should be able to turn on the Mac, and this will give me access to a PRAM dump where I'll be able to find the EFI password.

Do you guys think this is possible, or do you believe I have no other choice than flashing the chip?

Thanks in advance!

7 years 10 months ago #3180 by thaGH05T
Well, the folder with the question mark is an issue; I am not sure it is recoverable by means of token.paul's method anymore. I would recommend giving it a shot the way Token.Paul suggests, and if it doesn't work, then dump the firmware and deobfuscate the passcode. Do you have a Teensy by chance?
The following user(s) said Thank You: Stero

7 years 10 months ago #3182 by Stero
I guess I'll try token.paul's method.

When you talk about dumping the firmware, you're talking about connecting to the EFI chips with the adapter that you built, right?

I don't have a Teensy. I'm aware of this method, but in your post you mention "I won’t waste time on the brute force method as I believe it isn't relevant in most cases", so I didn't consider this option. I have to admit I'm a little confused between the EFI passwords that can be removed by brute force and those that can't. Do you believe I could remove mine by brute force?

Thanks!

7 years 10 months ago - 7 years 10 months ago #3183 by thaGH05T
You have a 2010 Mac, so you would need a SOIC 8 Pomona clip. But the reason I asked you about the Teensy wasn't for brute force. However, your Mac may be able to be brute forced since it was locked by iCloud. The only thing that would stop you is if the EFI password was set prior to the iCloud lock.
Last edit: 7 years 10 months ago by thaGH05T.
The following user(s) said Thank You: Stero

7 years 10 months ago #3184 by Stero
Thanks for the answer.

I actually don't know if the password was set by iCloud when the Mac was formatted or if it was set by the first owner. As far as I know, the Mac has had only two owners.

So you're suggesting that I use the Teensy and connect it to a SOIC 8 Pomona clip?

Concerning the use of the SOIC 8 Pomona clip, I took a picture of the motherboard. I thought that to read the BIOS I had to connect to the MBA header circled in red. But you're telling me that for this model, I should connect to the 8-pin chip that I've circled in yellow? How could I confirm this?



Thanks!

7 years 10 months ago #3191 by thaGH05T
Yes, you are able to talk to the chip without the use of the header. Please buy a Teensy and clip, then get back to me and I will give you some firmware I wrote to test.

7 years 10 months ago #3230 by Stero
Hi thaGhost,

I'm ready to hear your explanations ;) . Just bought a SOIC clip and got a Raspberry from a friend (or I'll buy a Teensy if it's not possible with the Raspberry).

Thanks!

7 years 10 months ago #3231 by CygnusX1
If you have a Pi and a SOIC8 clip, follow this video.


If I helped you buy me a latte!

7 years 8 months ago - 7 years 8 months ago #4027 by ggltech
OK, I have this same one... dumped the EFI... now what?

I tried manual decrypt www.ghostlyhaks.com/blog/apple-efi/23-efi-deobfuscate

Any ideas?
Last edit: 7 years 8 months ago by ggltech.

7 years 8 months ago #4036 by CygnusX1

ggltech wrote: OK, I have this same one... dumped the EFI... now what?

I tried manual decrypt www.ghostlyhaks.com/blog/apple-efi/23-efi-deobfuscate

Any ideas?


Upload the original EFI file and let me look at it.

If I helped you buy me a latte!

7 years 8 months ago #4046 by Stero
Hi!

The manual decrypt didn't work for me. I just had to erase what is after "$SVS" as THAGHOST explained in this video:
ghostlyhaks.com/blog/apple-efi/18-how-to-hack-apple-efi-2

Then it worked well ;)

7 years 8 months ago #4068 by CygnusX1

Stero wrote: Hi!

The manual decrypt didn't work for me. I just had to erase what is after "$SVS" as THAGHOST explained in this video:
ghostlyhaks.com/blog/apple-efi/18-how-to-hack-apple-efi-2

Then it worked well ;)


Glad we could help!

If I helped you buy me a latte!

7 years 8 months ago - 7 years 8 months ago #4079 by ggltech

File Attachment:

File Name: eddy2.bin.zip
File Size: 2,728 KB

CygnusX1 wrote:

ggltech wrote: OK, I have this same one... dumped the EFI... now what?

I tried manual decrypt www.ghostlyhaks.com/blog/apple-efi/23-efi-deobfuscate

Any ideas?


Upload the original EFI file and let me look at it.


Here it is
Last edit: 7 years 8 months ago by ggltech.

7 years 8 months ago #4080 by CygnusX1
The file wasn't attached. Be sure it is in a ZIP format.

If I helped you buy me a latte!

7 years 8 months ago #4081 by CygnusX1

CygnusX1 wrote: The file wasn't attached. Be sure it is in a ZIP format.


Here is the bin with the password removed. Enjoy! :)

If I helped you buy me a latte!
The following user(s) said Thank You: ggltech
