Process description:

The general idea is taken from thaGH05T's tutorial. You read the chip into a firmware dump file and process it with the 'scan-n-patch' script, which replaces the SVS area and creates a cleaned firmware file. You could flash the whole modified firmware back to the chip, but you do not need to: only the password has to be removed, and 'flashrom' can write just that part. For this, the 'scan-n-patch' script creates a layout file and prints the command-line arguments for partial chip flashing. This is the safer approach, because you touch only a small piece of the chip content; the firmware itself and your settings stay unchanged.

Requirements:

  1. Raspberry Pi or another SPI programmer, and a SOIC-8 clip or an Easy Flash clip.
  2. If your SPI programmer is not a Raspberry Pi, you need to be able to run the Perl script somewhere.
  3. A working 'flashrom' utility.
  4. The scan-n-patch fileset (Google Drive link).

Scan-n-Patch script:

'scan-n-patch' is a Perl script that reads the file specified as its command-line argument. It looks for data signatures and can replace a portion of the file content with other data.

Right now it can be launched in two modes:

  • 'SCANONLY' mode. The script searches for the SVS area and prints its parsed content, so you can see each password record and whether it is active or not. Nothing is patched.
  • 'SILENT' mode. The script skips printing some information. Use this mode when you want to analyze several files.

To select a mode, set the SCANONLY and/or SILENT variables in the environment. Example:

SCANONLY=1 ./scan-n-patch.pl <file_name>

or

SCANONLY=1 SILENT=1 ./scan-n-patch.pl <file_name>
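The mechanics described above (find a region by data signature, replace its content, write a <file_name>.modified next to the dump, emit a flashrom layout file and print the partial-write arguments) as an added Python example. This is not the project's scan-n-patch.pl and does not know the real SVS format: the marker bytes '$SVS'/'$END', the 18-byte record layout, and filling records with 0xFF as the "clean" state are assumptions made for illustration, and the 4 KiB dump is constructed inline. It honors SCANONLY from the environment the way the page describes.

```python
"""Signature scan, region patch and flashrom layout generation.

Added example, not the page's scan-n-patch.pl. The marker bytes, the
record format and the replacement content are assumptions for
illustration; the real SVS format is not described on the page.
"""
from __future__ import annotations

import os
import sys
import tempfile
from pathlib import Path

SVS_MAGIC = b"$SVS"   # assumed start marker (hypothetical)
SVS_TERM = b"$END"    # assumed terminator (hypothetical)
REGION_NAME = "SVS"   # layout region name, as on the page
RECORD_LEN = 18       # assumed record: state(1) + set-count(1) + hash(16)

def find_region(image: bytes) -> tuple[int, int]:
    """Return (start, end) of the first marker..terminator region; end is inclusive."""
    start = image.find(SVS_MAGIC)
    if start < 0:
        raise ValueError("SVS marker not found in image")
    term = image.find(SVS_TERM, start + len(SVS_MAGIC))
    if term < 0:
        raise ValueError("SVS terminator not found after marker")
    return start, term + len(SVS_TERM) - 1

def parse_records(image: bytes, start: int, end: int) -> list[dict]:
    """SCANONLY view of the assumed records between marker and terminator.

    Hypothetical record: state byte (0x01 active, 0x00 deleted, 0xFF unused),
    one byte 'how many times set', 16 hash bytes. Real SVS records differ.
    """
    body = image[start + len(SVS_MAGIC): end + 1 - len(SVS_TERM)]
    records = []
    for off in range(0, len(body) - len(body) % RECORD_LEN, RECORD_LEN):
        state, count = body[off], body[off + 1]
        if state == 0xFF:
            continue
        records.append({"active": state == 0x01, "count": count,
                        "hash": body[off + 2: off + RECORD_LEN].hex()})
    return records

def patch_region(image: bytes, start: int, end: int) -> bytes:
    """Copy of image with the record bytes inside [start, end] set to 0xFF.

    Marker and terminator are kept so the region stays locatable; erasing
    the records to 0xFF is an assumption about what 'cleaning' means.
    """
    head = start + len(SVS_MAGIC)
    tail = end + 1 - len(SVS_TERM)
    return image[:head] + b"\xff" * (tail - head) + image[tail:]

def layout_line(start: int, end: int, name: str = REGION_NAME) -> str:
    """flashrom layout syntax: inclusive hex START:END, then the region name."""
    return f"0x{start:08x}:0x{end:08x} {name}\n"

def flashrom_args(layout: Path, modified: Path, name: str = REGION_NAME) -> list[str]:
    """Arguments that limit flashrom's write to the named region."""
    return ["--layout", str(layout), "--image", name, "-w", str(modified)]

def scan_and_patch(dump: Path, layout: Path, patch: bool = True) -> dict:
    """Scan the dump; when patch is set also write .modified and the layout."""
    image = dump.read_bytes()
    start, end = find_region(image)
    result = {"start": start, "end": end,
              "records": parse_records(image, start, end)}
    if patch:
        modified = dump.with_name(dump.name + ".modified")
        modified.write_bytes(patch_region(image, start, end))
        layout.write_text(layout_line(start, end))
        result.update(modified=modified, layout=layout,
                      args=flashrom_args(layout, modified))
    return result

def build_sample_image() -> bytes:
    """Constructed 4 KiB 'dump': erased flash with one region at 0x800."""
    active = b"\x01\x03" + bytes(range(16))       # active, set 3 times
    deleted = b"\x00\x01" + bytes(range(16, 32))  # older, deleted record
    region = SVS_MAGIC + active + deleted + SVS_TERM
    image = bytearray(b"\xff" * 4096)
    image[0x800:0x800 + len(region)] = region
    return bytes(image)

def demo() -> dict:
    """Run the whole flow on the constructed image in a scratch directory."""
    work = Path(tempfile.mkdtemp(prefix="svs-demo-"))
    dump = work / "dump.bin"
    dump.write_bytes(build_sample_image())
    return scan_and_patch(dump, work / "flashrom.layout")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: [SCANONLY=1] {sys.argv[0]} <dump>")
    scan_only = bool(os.environ.get("SCANONLY"))
    res = scan_and_patch(Path(sys.argv[1]), Path("flashrom.layout"), patch=not scan_only)
    print(f"SVS region 0x{res['start']:x}-0x{res['end']:x}")
    for rec in res["records"]:
        print(f"  {'active ' if rec['active'] else 'deleted'} set {rec['count']}x hash {rec['hash']}")
    if not scan_only:
        print("flashrom args:", " ".join(res["args"]))
```

The layout offsets are written as inclusive hex ranges because that is what flashrom layout files expect; the marker and terminator are left in place so a second scan of the .modified file still finds the (now empty) region.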

 

Instructions:

1. Read the chip and save its content to a file.

On a Raspberry Pi the command looks like this:

sudo flashrom -p linux_spi:dev=/dev/spidev0.0 -r <file_name>

Note: for Macronix flash chips you need to specify the chip explicitly with the '-c' option.

2. Check that the chip has been read correctly.

   You can read the chip 2-3 times and compare the results with the 'md5' tool, or let 'flashrom' verify the chip content against the dump:

sudo flashrom -p linux_spi:dev=/dev/spidev0.0 -v <file_name>

3. Run 'scan-n-patch' with your dump file as the command-line argument.

./scan-n-patch.pl ./<file_name>

   Note that scanning takes a lot of time on a Raspberry Pi, approximately 20-25 minutes, so be patient.

If your dump contains a password, its hash is printed along with the number of times it has been set. Make sure that the 'RFT' variable has been defined. 'RFT' is the Record Format Type; it may have the value 1 or 2, and with any other value the patching will be incorrect, so do not confirm it.

To confirm the patch, press 'Enter'.

As a result you will get:

  •    A modified firmware file named <file_name>.modified, placed in the same directory as the original dump.
  •    A layout file for 'flashrom', placed in the current directory.
  •    Additional command-line arguments for 'flashrom'.

4. Apply the patch to the chip.

In step 3 you got additional command-line arguments for 'flashrom' like these:

--layout ./flashrom.layout --image SVS -w ./<file_name>

Pass them to 'flashrom' to apply the changes to the chip. The file given to '-w' must be the modified dump; it is a full chip image, but because of '--layout' and '--image SVS' only the SVS region is written:

sudo flashrom -p linux_spi:dev=/dev/spidev0.0 --layout ./flashrom.layout --image SVS -w ./<file_name>.modified

5. Shut down the Raspberry Pi after 'flashrom' finishes, disconnect the clip and power on your Mac.
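Before running the partial write in step 4 it is worth checking, with something other than your eyes, that the write can only touch the SVS region. The following Python is an added example, not part of the page or the scan-n-patch fileset: it repeats the step 2 check that several reads of the chip hash identically, then confirms that <file_name>.modified has the same size as the dump and differs from it only inside the region the layout file names, and finally assembles the flashrom command line including the '-c' option from the Macronix note. File names and the region name 'SVS' follow the page; the dump bytes and the chip name 'CHIPNAME' in the demo are constructed placeholders.

```python
"""Pre-flash sanity checks for the partial write in step 4.

Added example, not part of the page or its scan-n-patch fileset.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

def md5_of(path: Path) -> str:
    return hashlib.md5(path.read_bytes()).hexdigest()

def reads_agree(dumps: list[Path]) -> bool:
    """True when at least two reads of the chip produced identical bytes (step 2)."""
    return len(dumps) >= 2 and len({md5_of(p) for p in dumps}) == 1

def parse_layout(layout: Path) -> dict[str, tuple[int, int]]:
    """Parse flashrom layout lines 'START:END NAME' (hex offsets, END inclusive)."""
    regions = {}
    for line in layout.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        span, name = line.split(None, 1)
        start, end = (int(x, 16) for x in span.split(":"))
        regions[name.strip()] = (start, end)
    return regions

def changed_ranges(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """Inclusive [start, end] ranges where a and b differ (equal length assumed)."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i - 1))
            start = None
    if start is not None:
        ranges.append((start, len(a) - 1))
    return ranges

def safe_to_flash(dump: Path, modified: Path, layout: Path,
                  region: str = "SVS") -> tuple[bool, str]:
    """(ok, reason): ok only if the write would change nothing outside 'region'."""
    orig, new = dump.read_bytes(), modified.read_bytes()
    if len(orig) != len(new):
        return False, f"size mismatch: dump {len(orig)} vs modified {len(new)} bytes"
    regions = parse_layout(layout)
    if region not in regions:
        return False, f"region {region!r} not found in {layout}"
    rstart, rend = regions[region]
    if rend >= len(orig):
        return False, "layout region extends past the end of the image"
    changes = changed_ranges(orig, new)
    outside = [r for r in changes if r[0] < rstart or r[1] > rend]
    if outside:
        spans = ", ".join(f"0x{s:x}-0x{e:x}" for s, e in outside)
        return False, f"changes outside {region}: {spans}"
    if not changes:
        return False, "modified image is identical to the dump; nothing to write"
    return True, f"only 0x{rstart:x}-0x{rend:x} ({region}) changes"

def flashrom_command(dev: str, layout: Path, modified: Path,
                     region: str = "SVS", chip: str | None = None) -> list[str]:
    """Step 4 command line; 'chip' adds the '-c' option the Macronix note asks for."""
    cmd = ["flashrom", "-p", f"linux_spi:dev={dev}"]
    if chip:
        cmd += ["-c", chip]
    return cmd + ["--layout", str(layout), "--image", region, "-w", str(modified)]

def demo() -> dict:
    """Constructed 4 KiB dump, two identical reads, one good and one bad patch."""
    work = Path(tempfile.mkdtemp(prefix="svs-check-"))
    image = bytearray(b"\xff" * 4096)
    image[0x800:0x820] = bytes(range(32))      # pretend SVS data at 0x800
    image[0x100:0x110] = b"firmware-bytes!!"   # firmware content outside SVS
    (work / "dump.bin").write_bytes(image)
    (work / "dump2.bin").write_bytes(image)    # second read of the chip
    (work / "flashrom.layout").write_text("0x00000800:0x0000082f SVS\n")
    good = bytearray(image); good[0x800:0x820] = b"\xff" * 32
    bad = bytearray(good); bad[0x100] = 0x00   # stray change outside SVS
    (work / "dump.bin.modified").write_bytes(good)
    (work / "bad.modified").write_bytes(bad)
    return {
        "reads_agree": reads_agree([work / "dump.bin", work / "dump2.bin"]),
        "good": safe_to_flash(work / "dump.bin", work / "dump.bin.modified", work / "flashrom.layout"),
        "bad": safe_to_flash(work / "dump.bin", work / "bad.modified", work / "flashrom.layout"),
        "cmd": flashrom_command("/dev/spidev0.0", work / "flashrom.layout",
                                work / "dump.bin.modified", chip="CHIPNAME"),
    }
```

Run the 'good' and 'bad' cases from demo() to see the difference: a patched image with a single changed byte outside the SVS range is refused with the offending offset, which is exactly the situation a partial write with '--image SVS' would otherwise silently ignore or, if the layout were wrong, propagate to the chip.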