2015 macbook air unlocking w/o EFI flash: success!


7 years 10 months ago #3267 by reverendalc
Hi all. I've been using the Teensy to brute force MacBooks for a long while. It's slow and tedious, but I would like to share a few things I've learned along the way:

After guessing the password at the lock screen, the slightly older Macs will load the recovery dialog. From the recovery dialog, you can open the Firmware Password Utility, and the dialog window there can be brute forced much faster. I would then reprogram my Teensy to make three attempts per second. I would never actually learn the PIN, but defeating it was the goal anyway.

The new firmware is trickier: it maintains a lock status in the EFI, which locks down the recovery console and any bootable OS X media as well. The answer?

rEFInd

Build a bootable USB stick with the rEFInd boot loader on it. Insert an OS X installer USB and the rEFInd USB. Boot with ALT, let the Teensy guess the password, then select the rEFInd boot option. This will present you with the boot loader, in which you can select the OS X installer, hit F2, and specify to boot it in single-user mode.

Once in single-user mode, you can clear the NVRAM with "nvram -c".

It still takes some time to run through, but I have successfully unlocked a 2015 A1495 EMC 2924 with this technique.

7 years 10 months ago - 7 years 10 months ago #3270 by reverendalc
For what it's worth, I've successfully unlocked a 2015 A1502 EMC 2835 MacBook Pro Retina with this method now too.
Last edit: 7 years 10 months ago by reverendalc.

7 years 10 months ago #3309 by thaGH05T
Or you could use my brute force code that actually saves the passcode when found ;)

7 years 10 months ago #3323 by reverendalc
Yes, for shame, your code is superior... but I don't understand why there are so many people focused on knowing the PIN. Correct me if I'm wrong, but the mission is to defeat the PIN, not to learn it?

7 years 10 months ago #3346 by thaGH05T
Well, if you know the PIN, you can actually defeat it sooooo.... BUT, I can agree with you; it is faster and easier to just use the SPI flash method. You all will be super surprised with my next project I am releasing. I have not decided where to go with this yet, but will be making an announcement soon.

7 years 10 months ago #3350 by reverendalc
I don't like surprises lol

I was once intimidated by using my Bus Pirate or RPi to flash the EFI chip. For those who lack the equipment, ability, or gumption, brute force is good for a single application.

I wish I could contribute to your awesome projects. I haven't a ton of requisite experience, a ton of capital, or much to offer. A wide variety of MacBooks do pass through my hands often though.

Looking forward to the future...

7 years 10 months ago #3362 by therealjayvi
I definitely want to say thanks for the info on your brute force method. It's not all too often that I find a post somewhere describing a methodology that I myself have not dabbled in. So just to clarify what you mentioned above... when brute forcing the EFI PIN on 2015 models, it will boot you into Recovery afterwards? I've never messed around with the brute force method, so I've never really seen the results or the reactions a MacBook has to it.

7 years 9 months ago #3939 by reverendalc
In later model MacBooks, after brute forcing the PIN, it will allow you to alt-boot the recovery partition or an install media; however:

As soon as that recovery or install media loads, it will lock down.

You can, however, alt-boot some other boot loader (rEFInd in my case), which will allow you to boot into single-user mode. The iCloud lock doesn't shut things down until the OS is fully loaded, so single-user mode is fully functional and you can manually clear the NVRAM and boot the OS of your choice.

7 years 9 months ago #3940 by therealjayvi
Very nice! That's good to know! I'd like to mess around with one of these brute force devices sometime! You've pretty much provided most of the information about them here, and I've gotta say you've definitely changed my entire perspective about them! For the longest time I've prudently stuck my nose in the air about them since I figured their power was limited. Great work man, seriously.

7 years 9 months ago - 7 years 9 months ago #3941 by reverendalc
It's powerful, just handicapped by time. I'm actually doing an A1502 I just picked up with the Teensy for shits and giggles. I've clocked orvtech's code at roughly 17.45 sec per attempt, and I'm filming the brute force process with a time stamp to pull a hard number.

It's just sitting on my desk plugging away, at about 26 hrs now. I usually find PINs to be a combination of 1, 2, and 3 typically. I'll shit myself if this one is 9999.

EDIT: I've got four extra Teensys (Teensies?) that are already programmed if you want to borrow one, since we are super close and whatnot.
Last edit: 7 years 9 months ago by reverendalc.

7 years 9 months ago #3949 by ggltech
It worked, thank you!

7 years 9 months ago #3950 by reverendalc

7 years 9 months ago #3951 by CygnusX1
Great job rev!

If I helped you buy me a latte!
