Author Topic: Where can I find iMac EFI firmware binaries that I can flash onto the EFI Flash?  (Read 2463 times)


Offline Lolucoca (Topic starter)

  • Contributor
  • Posts: 16
  • Country: de
Hi!
I am trying to help a friend who has an iMac with a Firmware Password. He's already tried to go to the Apple store and let them remove the password but they apparently couldn't verify that the Mac was actually his. I had the idea of just rewriting the whole EFI Flash IC using a super cheap and widely available programmer, the CH341. Now I've come across the problem of just not finding any binaries for Mac EFIs. Of course there are ones available from Apple but those are in .dmg format, a.k.a. unusable for my standard Windows machine. Do you guys know any source of EFI binaries for Macs?
 Thanks a lot,
Lolucoca
 

Offline Ian.M

  • Super Contributor
  • ***
  • Posts: 12855
The answer would be 'not here'. Apple are known to be litigious, so posting any links to third party sites hosting (c) Apple firmware could make trouble for our host (EEVblog Dave). Also, as we have absolutely no way to confirm (A) your friend's legitimate ownership, and (B), that all subsequent readers of this thread legitimately own any Apple hardware in their possession, leading you by the hand to a site that cracks Macs would be stupid, unethical and again could make trouble for Dave.

.dmg files can be extracted under Windows (as 2 minutes googling dmg file would tell you), so if you have access to legitimate binaries, don't let the lack of a Mac stop you.
However it is highly likely that the official firmware updates DO NOT overwrite critical data like the machine serial number or firmware password, so I doubt you'll find anything to help in them.
 

Offline Lolucoca (Topic starter)

  • Contributor
  • Posts: 16
  • Country: de
Well, I actually DID uncompress that .dmg file but it turns out that it's just a bunch of files that are of no particular use to me. There are two "free" files that just contain Hex 00s, one ddm file that just contains what I think is a header and then 00s, one "Apple_partition_map" file which just isn't large enough to be an EFI firmware and then an HFS file that I guess contains the Apple filesystem. I have yet to find a site that shows me how I can find the firmware password within the existing EFI firmware IC and erase it.
 

Offline Ian.M

  • Super Contributor
  • ***
  • Posts: 12855
If I was designing firmware security for Apple, I certainly wouldn't code it to accept the unprogrammed/erased state of the locations holding the password hash as no password set. I strongly suspect that Apple's firmware team aren't stupider and less security conscious than I am.

In fact, various articles suggest that the EFI firmware and an additional Atmel security chip handshake with each other so tampering with critical parts of the firmware (short of rewriting it to bypass all security checks and patching the OS to match) will (most likely) simply 'brick' a 2011 or later iMac, and even copying the firmware image from a good board of exactly the same model and revision won't work unless you also transplant the security chip.
« Last Edit: August 19, 2017, 04:48:10 pm by Ian.M »
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 8264
Quote from Ian.M: "Also, as we have absolutely no way to confirm (A) your friend's legitimate ownership, and (B), that all subsequent readers of this thread legitimately own any Apple hardware in their possession, leading you by the hand to a site that cracks Macs would be stupid, unethical and again could make trouble for Dave."
This line of reasoning quickly leads to dangerous censorship. Apple are known to be highly opposed to any repair of their products, but we should not stop fighting them. A quick Google shows that it is still pretty trivial to clear a BIOS password with a clean (physical) reflash.

(The "security chip" you're referring to is the TPM, which can be used to hold keys for file encryption etc. but AFAIK can still be reset relatively easily, as long as you don't care about what the keys are encrypting.)

That said, you'll probably find better help on laptop repair forums and the like. The keywords you want to look for are "BIOS dump" and "password reset".
 

Offline Ian.M

  • Super Contributor
  • ***
  • Posts: 12855
Quote from Ian.M: "Also, as we have absolutely no way to confirm (A) your friend's legitimate ownership, and (B), that all subsequent readers of this thread legitimately own any Apple hardware in their possession, leading you by the hand to a site that cracks Macs would be stupid, unethical and again could make trouble for Dave."
Quote from amyk: "This line of reasoning quickly leads to dangerous censorship. Apple are known to be highly opposed to any repair of their products, but we should not stop fighting them."
It's a fine line to walk between helping a legitimate tech working on a friend's device and enabling the theft of devices by providing assistance in cracking their anti-theft security measures.

This forum is hosted in the USA.  There are *reasons* why nearly all the unauthorised component level repair documentation for Apple products is hosted in places like the USSR.   If you want to fight censorship in the USA, do it on your own USA based server (or a fellow activist's server - with permission), not on Dave's leased USA based server.   Personally I think a lot of USA copyright and digital rights law *SUCKS* and that Dave shouldn't use US based hosting, but that's his decision and I don't feel strongly enough about the issue to boycott this forum.
« Last Edit: August 19, 2017, 06:22:12 pm by Ian.M »
 

Offline Lolucoca (Topic starter)

  • Contributor
  • Posts: 16
  • Country: de
Thanks a lot for your replies! I just contacted Apple to ask whether they could send me the required files (if not I can at least say I tried ;)). I guess I'll have to take a look at that Rossmannrepair forum since those guys handle a lot of Apple products; if that doesn't work out I'll just have to buy a dead Mac motherboard with like a dead CPU or graphics card or just one that's way beyond economical repair and try to do it that way...
 

