iCloud wipeout and admin access on EFI locked Mac

iCloud locking technology used on Macs.

Every Mac with Mac OS X 10.8 and higher runs 'Find My Mac' (FMM) service at startup. FMM guided by data which is stored into NVRAM.
In general case it is 2 variables: 'fmm-computer-name' and 'fmm-mobileme-token-FMM'. 'fmm-computer-name' - is a hostname of the Mac and it always present in the NVRAM data even machine is not registered in the iCloud. 'fmm-mobileme-token-FMM' - is a binary plist contains an owner identification, FMM server hostname and authorization token used for machine identification in the iCloud service.
After OS startup the FMM daemon keeps a connection with an iCloud server, listen for commands from and sends geo data to it. When the 'lock' command and PIN-code are received daemon puts into NVRAM the locking data. It is 4 variables:
"good-samaritan-message" - Messages from locker
"fmm-password-hash" - hash for PIN
"security-pinType" - hashing/crypting algorithm type for PIN
"recovery-boot-mode" - Recovery boot mode. For iCloud locked state is a value 'locked'.

Also daemon is trying to setup EFI password. In mostly cases EFI password is not set and can be installed without additional data. On the machines released before 2011 FMM daemon can install EFI password with pin-code value, but on released later - not, if password has been already set.
The last step - system boot sticks to the Recovery HD by 'bless' command. After all data is written to the NVRAM machine makes reboot and start form the Recovery partition. Recovery booting launches an 'Installer.app'. The 'Installer.app' checks the NVRAM and if 'recovery-boot-mode=locked' is detected the 'Lock.app' will be started. The 'Lock.app' will display the PIN-pad and "good-samaritan-message".
BUT
Keep in mind that Mac OS X - is a UNIX. For all UNIX systems the control may be always taken if physical access to hardware is exists. It is law #1. For all UNIX systems username 'root' is required username and it is only one username who can do anything inside OS. And it is law #2.
In case of Macs, all low-level machine configuration is stored into NVRAM and main task is changing NVRAM payload to release locking settings.

Described bellow methods will work if you are able to get an access to the HD or SSD of your Mac, so you have to unscrew computer, dismount a system disk and reconnect it to other computer.
And if we talk about Macs, iFixit - is your friend. It is help for you to find how to disassamble your machine, get a disk and assemble your Mac back. Read it first!!!
Also you should be able to connect a disk from locked machine to another. I mean usb adapters for disks which is applicable for interface of your storage.

Recovery boot vs Normal boot
As you should know, every Mac running Mac OS X 10.7 and latter, has 'Recovery HD' partition. Is a little piece of internal HD which contains small fileset, nevertheless is a fully independent Operation System with own kernel and tools. Logic for control the Recovery mode is same as for Normal boot but the controlling files may be located at different places. For example: 'com.apple.Boot.plist' - file which provide an arguments for boot to the kernel, located at path /Library/Preferences/SystemConfiguration/
for Normal boot, but for Recovery boot this path is not available in kernel loading time, because file system for Recovery mode is encapsulated into disk image 'BaseSystem.dmg' which can not be mounted before kernel is loaded. By this reason this file placed at '/com.apple.recovery.boot/', a place that kernel can read before it start itself. Aslo you must to realize that password changing procedure under Recovery boot is a different thing against same procedure under Normal boot.

So, Recovery HD is a neighbour living in the other room. And shared space between two neighbours are disk and NVRAM, each neighbour can change something on the filesystem of its neighbour and NVRAM to do controll another.

Escaping an iCloud lock.

Phase 1. Reaching a 'root'-access on the iCloud locked Mac.

The way #1

This is a first tested method. It is little long and require other Mac machine but it funny. Based on the replacement of Lock.app by Terminal.app.

First of all you’ll need to pull out the hard drive from locked Mac and attach it to another Mac as external.
In this guide 'disk0' is an attached disk example, in your case it can be something else. Be careful - check your configuration twice.  


1. Mount Recovery Partition:
Usually it mounted to /Volumes/Recovery\ HD/

2. Copy and convert compressed BaseSystem.dmg to RW format

Keep a copy of original BaseSystem.dmg for rollback. It can be useful

3. Mount and edit writable copy of BaseSystem (BS_RW.dmg)
Ok, now lets replace Lock.app with Terminal.app

Eject image
4. Compress edited image and replace by it BaseSystem.dmg:
5. Detach HD and put it back to the locked Mac. Turn machine on.

6. If everything is ok, you’ll see a Terminal instead of the PIN request window.

The way #2

It is more short way. Based no edit/replacement of 'com.apple.Boot.plist' file on the Recovery HD. As in case of Way #1 you need to connect
HD or SSD from locked Mac to other computer. Only one requirement here - possibility to read and write HFS+ filesystem.

Recovery HD doesn't contains the full OS filesystem instead all OS files are placed into disk image - 'BaseSystem.dmg' and
'com.apple.Boot.plist' exists into one folder with this image.

To tell the kernel to boot into single user mode for Recovery booting you should add '-s -v' to the 'rp=...' argument into 'com.apple.Boot.plist'.

Like this:

...
<string>rp=file:///com.apple.recovery.boot/BaseSystem.dmg -s -v</string>
...

Edit 'com.apple.Boot.plist' or replace it by file included at end of this post. The file is located at /RECOVERY_MOUT_POIUNT/com.apple.recovery.boot/.
After 'com.apple.Boot.plist' edition or replacement put HD back to the locked Mac. Turn it on. Instead PIN-windows you'll see a non-graphical single user mode console with 'root' prompt.

Phase 2. Modifying NVRAM for wipeout iCloud lock and unlink machine from the FMM service.

Clean up iCloud lock.
Unlink Mac from FMM serviceOr simply zap NVRAM
Reaching a 'root' access on EFI password protected (not iCloud) Mac.

This way based on 'com.apple.Boot.plist' file edition/replacement on the OS filesystem. The 'com.apple.Boot.plist' file is located into '/Library/Preferences/SystemConfiguration/' folder. Remember that you should replace or edit the file which is located on the locked machine disk, so actual path to the file would be '<MOUNT_POINT_FOLDER>/Library/Preferences/SystemConfiguration/com.apple.Boot.plist' Edit 'com.apple.Boot.plist' and put '-s' and '-v' args into them like this:

...
<key>Kernel Flags</key>
<string>-s</string>
<string>-v</string>
...

Detach a disk, put it back into your Mac and turn machine on. Mac will be booted into Single user mode.

In the single user mode you should at first do:
1. Make filesystem check: '/sbin/fsck -fy'
2. re-mount filesystem and make it writable: '/sbin/mount -uw /'
3. Launch OpenDirectory service: 'launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist'

4. Now create a new admin user. How to do it described many times, so I just place a link, like this: http://www.maclife.com/article/columns/terminal_101_creating_new_users

The citation from article:

First, we’ll create a new entry for the user under /Users:
dscl . create /Users/corybohon

Next, we’ll create and set the shell property to bash:
dscl . create /Users/corybohon UserShell /bin/bash

Next, we’ll add some user credentials, and set the user’s full name:
dscl . create /Users/corybohon RealName "Cory Bohon"

Now, we’ll create and set a unique ID for the user. Pick whatever works for you here, ensuring that it hasn’t been used by previous users:
dscl . create /Users/corybohon UniqueID 503

Next, we’ll create and set the user’s group ID property:
dscl . create /Users/corybohon PrimaryGroupID 1000

Now, we’ll set the user’s home directory by running the following command. Ensure that you replace both instances of the shortname in the command below:
dscl . create /Users/corybohon NFSHomeDirectory /Local/Users/corybohon

Now we’ll add some security to the user account and set their password. Here, you’ll replace “PASSWORD” with the actual password that will be used initially for their account. The user can always change the password later:
dscl . passwd /Users/corybohon PASSWORD

If the user will have administrator privileges, then we’ll run the following account to assign that title to the newly minted user:
dscl . append /Groups/admin GroupMembership corybohon

And, that’s it. The most simple way to create a user through the command line, and assign all of the OS X account privileges to the new account.

End of citation.

5. Press 'ctrl - d' to exit from Single Mode. System will continue startup and the graphic login screen will appears. Login with username you created.
6. Edit/replace 'com.apple.Boot.plist' back and return its usual state.

Files:

That's the kind of info that is real treasure

Thanks!

So using your method(s) is it possible to bypass efi lock or are these compactiple for some macbook's sry for my bad english

Unfortunately no it will not bypass the efi lock on the mac system.. This method will let you have full access to the system... EFI password is stored on a physical chip not the hdd itself

Exactly. The full access. What it means?
Ok, ask yourself what sort of operations you can't do on the locked machine? Only one - you can not boot other OS. Please correct me if I wrong.
Well, if you have a full access you can control anything from userland by OS commands. So, if you want 'by-pass' EFI password just change a boot loader. Just 'bless' rEFInd for example.
By this methods you can't kill EFI password... but this methods may be a part of 'EFI-password wipe-tool'. I'm working on it now...

First of all thanks in advance for this info, has im currently have a macbook air efi locked with no system....
i'm trying to unlock the efi according to ghostly hack method, since my air is papelweight right now...
But if i get the picture here, i would be able to install the OS X ,and use the mac,right ?
Even with the efi locked, it would still work right ?
i mean, will i be able to used it , but still dont get acess to the efi ?
when i started the computer i currently have a folder with a question mark..
i have a MacBook Air "Core i5" 1.4 11" (Early 2014)2631
Help please..

It's clear for me now... i go back to school !

Hi !

Please tell me if I'm writing in the wrong subforum.

I have a MBA mid 2013 that is only EFI locked, not iCloud locked.
I think the HDD was never formatted
I'm almost sure the EFI password was never changed.

I`ve reading this forum 3 or 4 months ago before i started to try something. I realized that I can start from the very basic thing: Try to bruteforce the EFI with the teensy method, i think it was the easiest (and maybe cheapest) way, so I decided to start from there. The teensy went through all the 10000 combinations and didnt found it. So my first question is: "Is there a possibility that the MB had a 6-digit EFI password by default ? Or should I try again to run de teensy but in smaller jumps?"

My second question is: If I extract the HDD from the locked MBA, can I work on it with another Macbook?

Thank you very much and sorry for my english.

Well, if you have not iCloud EFI locked MBA why you think that password set to 4 or 6 digits? Actually it can be any length and contains any symbols which you can type.
The password encryption algorithm allows it to make at least. Is an answer on your first question.

On second: Yes, it can. But you should realize that MBA HDD it is a SSD device with its own interface. You can buy an USB adapter for it and even boot from it on other Mac.

Hi token.paul,

I thought it can be 4 or 6 digits thinking that the default password for the EFI was that way.

So, I think I will go through your way. I will buy an usb adapter and try it. Since its not iCloud blocked, is there any other way I can do it?. Working on it only pluged to another Mac (without booting)? What I want is only bypass the password for the OSX (the user password). I think I wont have problems booting it, but just asking if there's another solution.

Thank you very much

Thank's for this great tutorial
I've MBP Late 2013 locked via iCloud and UNLOCKED EFI. I'm trying to install OSX ElCapitain but unfortunally each time I try to install the new OSX (via bootable USB with OSX ElCapitan or from appStore) my MBP restart and take me to the iCloud lock screen.
My MBP now is running on Mavericks, I don't know how this worked but Installing mavericks via USB worked and It didn't redirected me to the iCloud Lock screen.
So my question is :

1. Why Installing OSX Mavericks work but trying to install OSX ElCapitan I get redirected to the iCloud Screen ?
2. Which WAY I use to wipe the iCloud lock Screen directly from Mavericks Without the need of removing the HDD and using other MB ?

This is screen cap from diskutil list (executed directly from my MBP ) as you can see the recovery HD doesn't exist

Would you show me 'nvram -p' command output?

token.paul wrote: Would you show me 'nvram -p' command output?

it's seem like NVRAM still containing iCloud lock

Yes, lock on place. Why it working as you wrote...
This machine have no Recovery partition. You are know an EFI password, so you can boot from any partition or device. And while you are on Mavericks without installed Recovery partition you will not see an iCloud lock-pad. But ElCapitan installation process will create that partition unconditionally, next step an installation process will read NVRAM and will set boot to the Recovery partition because 'recovery-boot-mode=locked'. So... after installation you will see iCloud lock-pad again.
Cleanup NVRAM and you will happy.

Thank's it worked

Hi Token.Paul,

I followed your tute and successfully unlocked my mates MBP . Then I bought a SSD adapter and tried to do the same with MBA 2014. I went through all the steps and everything looked good. When I put SSD back to MBA and turn on I get a message 'Your computer restarted because of a problem. Press a key or wait few seconds to continue starting up." in different languages. I press Enter there MBA restarts in a padlock screen asking for pass code. I enter my pass code then it looks like its booting with apple long and a progress bar underneath it. In just few seconds half a screen full letters and numbers starting "panic(cpu 0 caller 0xffffff8013e48f8f):" and so on.... appears behind the apple logo. Half way down the progress bar, machine restarts to the same message 'Your computer restarted because of a problem. Press a key or wait few seconds to continue starting up."

Do You know why this is happening and if there is anything you know I could do to get over it.

Thank you for everything you have done. Hope to hear from you soon.

Thanks again