Rundown

As some of you may know, on Macs prior to 2011 the EFI passcode is only obfuscated, not encrypted, and it is stored in PRAM (NVRAM). On those models you can dump the hex value of the EFI passcode variable if you have admin rights on the system. It can then be reversed simply: convert the hex (without the % delimiters) to binary, flip every other bit starting with the first, and convert the result back to ASCII. Without admin rights you could not dump the PRAM at all. Apple has since stopped using this method, which is why we have come up with a couple of other ways to get around the EFI lock.


Evolution

While doing some research, Pavel Klukin (token.paul) found this variable stored on the EFI chip and found a simple way to locate it after dumping the firmware. Once you have found the hex you still have to do the conversions, or use a script to do so, but I am sure a lot of you don't have one lying around or remember the conversions. I took it upon myself to create a little tool that you can use after finding the hex to display the EFI passcode for pre-2011 Macs, so that you can just enter it at the lock screen and get back to restoring your Mac! The steps for finding the hex and the tool can be found below; enjoy.


The Tool

All of this assumes you have at least dumped the firmware or the PRAM. If you have been able to dump the PRAM variable for the passcode, just drop it in the box below without spaces or the "%" delimiters and click Decrypt.

  1. In a hex editor, search for the hex values "730065006300750072006900740079002D00700061007300730077006F0072006400".
  2. Directly following the hex you just searched for, copy the hex between "00 00" and "AA 55 7F" (just like in the image above).
  3. Drop what you just copied in the box below and hit Decrypt.
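The bit-flip conversion from the Rundown is a fixed XOR mask applied to every byte, which is why it offers no protection to anyone who can read the bytes. The Python below is an added example, not the page's tool: the 0xAA mask is my reading of "every other bit starting with the first" (most significant bit first), the sample passcode is constructed rather than taken from a real dump, and the block also decodes the step-1 search string, which is simply the variable name in UTF-16LE.

```python
import re

# Flipping bits 7, 5, 3 and 1 of each byte is an XOR with 0b10101010.
# This mask is an interpretation of the page's description, not a value from it.
OBFUSCATION_MASK = 0xAA

# The hex string from step 1 of "The Tool": each character is one ASCII byte
# followed by a 0x00 byte, i.e. UTF-16LE.
SEARCH_HEX = "730065006300750072006900740079002D00700061007300730077006F0072006400"


def clean_hex(s: str) -> bytes:
    """Drop nvram-style '%' delimiters, spaces and any other separators, then unhex.
    Assumes every byte is written out in hex (no literal printable characters)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", s)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits; check the copied span")
    return bytes.fromhex(digits)


def variable_name(hex_str: str) -> str:
    """Decode the UTF-16LE variable name that the search string spells out."""
    return clean_hex(hex_str).decode("utf-16-le")


def deobfuscate(hex_str: str) -> str:
    """XOR every byte with the mask and read the result as ASCII.
    A UnicodeDecodeError here means the span copied was not the passcode bytes."""
    raw = clean_hex(hex_str)
    return bytes(b ^ OBFUSCATION_MASK for b in raw).decode("ascii")


def obfuscate(plain: str) -> str:
    """The same mask in the other direction: ASCII text -> upper-case hex.
    XOR is its own inverse, so deobfuscate(obfuscate(x)) == x."""
    return "".join(f"{ord(c) ^ OBFUSCATION_MASK:02X}" for c in plain)


if __name__ == "__main__":
    sample = obfuscate("1234")          # constructed sample, not from a real machine
    print(sample)                       # 9B98999E
    print(deobfuscate(sample))          # 1234
    print(deobfuscate("%9b%98%99%9e"))  # 1234, with nvram's % delimiters left in
    print(variable_name(SEARCH_HEX))    # security-password
```

Because the mask is constant and the same function both hides and reveals the value, anyone with read access to the variable can recover it, which is exactly why a firmware password stored this way is not a secret.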

Comments
-1 #5 neighborhoodguy 2016-09-24 17:00
Quoting ggltech:
For MacBooks before 2011.
If you can change the RAM amount to bypass the lock.
Boot off media you have admin rights to. In Terminal, run the command
sudo nvram -c
reboot computer


So do both ways (the "sudo nvram -c" way and the "C-O-P-R nvram reset" way) clear these variables?
security password
security mode
security pin type

The hex string isn't in my dump from an EFI-locked MacBook Air A1369 2010 EMC 2392. I don't think this unit was iCloud locked though, only EFI.
-1 #4 baileyw813 2016-01-07 14:29
Does this work not only for clearing the EFI passcode but also for clearing out the iCloud lock, so as to be able to reinstall the OS?

I have a 2009 MBP 13" that has a 6-digit iCloud lock/EFI passcode (assuming the EFI passcode is the same as the 6-digit iCloud one).
Would it be better to dump the EFI chip contents and find the hex values for the passcode? That way I'd have the 6-digit PIN for the iCloud lock as well (assuming they are the same... I've had one MBP where the EFI passcode and the iCloud PIN were different: I'd input the EFI passcode (9632) and then the iCloud screen would come up, but that PIN didn't work...)

Thank you for any clarification

Quoting ggltech:
For MacBooks before 2011.

If you can change the RAM amount to bypass the lock.

Boot off media you have admin rights to. In Terminal, run the command

sudo nvram -c

reboot computer
0 #3 thaGH05T 2015-12-06 15:51
Thanks for adding this as a comment; this does work in older cases such as 2009 and below. But in a lot of 2010 models I have found clearing PRAM does not work.

Quoting ggltech:
For MacBooks before 2011.

If you can change the RAM amount to bypass the lock.

Boot off media you have admin rights to. In Terminal, run the command

sudo nvram -c

reboot computer
+1 #2 ggltech 2015-11-22 21:11
For MacBooks before 2011.

If you can change the RAM amount to bypass the lock.

Boot off media you have admin rights to. In Terminal, run the command

sudo nvram -c

reboot computer
0 #1 krayzeeman 2015-11-19 04:39
Does anybody know how the password is encrypted on the newer Macs?
It's probably a one-way encryption, but if the password is a 4-digit PIN there are only 10,000 possibilities, and this should be easy to brute-force once we know the encryption algorithm.

Krayzeeman