2015 macbook air unlocking w/o EFI flash: success!


Rendering Error in layout Widget/Social: Call to a member function exists() on null. Please enable debug mode for more information.
More
3 years 1 month ago #3267 by reverendalc
hi all. i've been using the teensy to brute force MacBooks for a long while. it's slow and tedious, but i would like to share a few things i've learned along the way:

after guessing the password at the lock screen, the slightly older macs will load the recovery dialog. from the recovery dialog, you can open the firmware password utility, and the dialog window there can be brute forced much faster. i would then reprogram my teensy to make three attempts per second. i would never actually learn the PIN, but defeating it was the goal anyway.

the new firmware is trickier: it maintains a lock status in the EFI, which locks down the recovery console and any bootable OS X media as well. the answer?

rEFInd

build a bootable USB stick with rEFInd boot loader on it. insert an OS X installer USB and the rEFInd USB. boot with ALT, let the teensy guess the password, then select rEFInd boot option. this will present you with the boot loader, in which you can select the OS X installer, hit F2, and specify to boot that in single-user mode.

once in single-user mode, you can clear the nvram with "nvram -c"

it still takes some time to run through, but i have successfully unlocked a 2015 A1495 EMC 2924 with this technique.
The following user(s) said Thank You: therealjayvi

Please Log in or Create an account to join the conversation.

More
3 years 1 month ago - 3 years 1 month ago #3270 by reverendalc
For what it's worth I've successfully unlocked a 2015 A1502 EMC 2835 MacBook Pro retina with this method now too
Last edit: 3 years 1 month ago by reverendalc.

Please Log in or Create an account to join the conversation.

More
3 years 1 month ago #3309 by thaGH05T
Or you could use my brute force code that actually saves the passcode when found ;)

Please Log in or Create an account to join the conversation.

More
3 years 1 month ago #3323 by reverendalc
yes, for shame, your code is superior... but i don't understand why there are so many people focused on knowing the PIN. correct me if i'm wrong, but the mission is to defeat the PIN not to learn it?

Please Log in or Create an account to join the conversation.

More
3 years 1 month ago #3346 by thaGH05T
Well, if you know the pin, you can actually defeat it sooooo.... BUT, I can agree with you; it is faster and easier to just use the SPI flash method. You all will be super surprised with my next project I am releasing. I have not decided where to go with this yet, but will be making an announcement soon.

Please Log in or Create an account to join the conversation.

More
3 years 1 month ago #3350 by reverendalc
I don't like surprises lol

I was once intimidated by using my bus pirate or rbp to flash the EFI chip. For those who lack the equipment, ability, or gumption, brute force is good for a single application.

I wish I could contribute to your awesome projects. I haven't a ton of requisite experience, a ton of capital, or much to offer. A wide variety of MacBooks do pass through my hands often though.

Looking forward to the future...

Please Log in or Create an account to join the conversation.

More
3 years 1 month ago #3362 by therealjayvi
I definitely want to say thanks for the info on your Brute Force method. It's not all too often that I find a post somewhere that I, myself have not dabbled in any described methodology. So just to clarify what you had mentioned above... When Brute Forcing the EFI Pin on 2015 models it will boot you into Recovery afterwards? I've never messed around with Brute Force method so I've never really seen the results or reactions a MacBook has to it.

Please Log in or Create an account to join the conversation.

More
3 years 1 week ago #3939 by reverendalc
In later model MacBooks, after brute forcing the pin, it will allow you to alt-boot the recovery partition or an Install media, however:

As soon as that recovery or install media loads, it will lock down.

You can however alt/boot some other boot loader (rEFInd in my case) which will allow you to boot into single user mode. The iCloud lock doesn't shut things down until the OS is full loaded, so single user mode is fully functional and you can manually clear the nvram, and boot the OS of your choice.

Please Log in or Create an account to join the conversation.

More
3 years 1 week ago #3940 by therealjayvi
Very nice! That's good to know! I'd like to mess around with one of these brute force devices sometime! You've pretty much provided most of the information about them here and I've gotta say you've definitely changed my entire perspective about them! For the longest time I've prudently stuck my nose in the air about them since I figured it's power was limited, great work man seriously.

Please Log in or Create an account to join the conversation.

More
3 years 1 week ago - 3 years 1 week ago #3941 by reverendalc
It's powerful, just handicapped by time. I'm actually doing an a1502 I just picked up with the teensy for shits and giggles. I've clocked orvtech's code at roughly 17.45sec per attempt and I'm filming the brute force process with a time stamp to pull a hard number.

It's just sitting on my desk plugging away, at about 26hrs now. I usually find PINs to be a combination of 1, 2, and 3 typically. I'll shit myself if this one is 9999

EDIT: I've got four extra teensys (teensies?) that are already programmed if you want to borrow one since we are super close and whatnot
Last edit: 3 years 1 week ago by reverendalc.

Please Log in or Create an account to join the conversation.

More
3 years 4 days ago #3949 by ggltech
It worked thank you !

Please Log in or Create an account to join the conversation.

More
3 years 4 days ago #3950 by reverendalc
The following user(s) said Thank You: CygnusX1

Please Log in or Create an account to join the conversation.

More
3 years 4 days ago #3951 by CygnusX1
Great job rev!

If I helped you buy me a latte!

Please Log in or Create an account to join the conversation.

Who's Online

We have 171 guests and no members online

N00BZ

  • samaduck
  • donlan78
  • cyannyan
  • johnnybeast
  • gabry120

Cookies