iCloud wipeout and admin access on EFI locked Mac

Thank you! I have a laptop with iCloud locked and EFI now working.

I did "The way #2"
1) Took out the HD to another mac and edited the com.apple.Boot.plist and added " -s -v" after "BaseSystem.dmg"
2) With the HD back on the EFI locked Mac I did the "nvram -c" then I mounted the drive as Read/Write
3) deleted (I'm serious) the "/Library/Preferences/SystemConfiguration/com.apple.Boot.plist" (it doesn't delete but now the drive is "corrupted")
4) Ctrl-D to exit Single User Mode
5) the mac now wants to install the OS
6) the Install os app doesn't seem to want to install the OS (if it does for you you're done)
7) I format the main drive with the disk utility
8 ) I insert a USB with the install OS image (Thank you Disk Maker X)
9) Bingo. I now have a fully installed, fully upgraded mac.

NOTE the EFI password is STILL there (but I won't need it unless I want to re-install the OS at any time or do a internet restore (but I can't do these steps again)

ALSO NOTE: the disk was locked so I was NOT able to "add my own admin user" or all the things. but this mac had had Yosemity (Mac os 10.10) installed. Maybe this worked on older OS's

Hi.
You didn't switch a filesystem into RW mode. Please note that in single user mode MacOS like other UNIX systems launches shell immediately after kernel loaded.
To make filesystem accessible, you should run filesystem check '/sbin/fsck -fy' and re-mount filesystem '/sbin/mount -uw /' after these steps done filesystem will be RW-mounted and you can do something with it.
Also, if you boot the Mac which iCloud locked it will boots from Recovery Partition only. But you can change a boot partition with 'bless' command or with Installer.app, it has an option.

hi,

please help me - i have an pcie ssd from an imac late 2013 and i connected it to my windows pc with an pci x adapter. i can read the main partition but i cannot read and write on recovery partition. with hfs explorer i can read it but cannot write on it, and with paragon efs+ i only can mount the efi partition and the main partition. i cannot assign a letter to the recovery one. please give me a solution.

10X

i did the steps from:
Reaching a 'root' access on EFI password protected (not iCloud) Mac.

This way based on 'com.apple.Boot.plist' file edition/replacement on the OS filesystem. The 'com.apple.Boot.plist' file is located into '/Library/Preferences/SystemConfiguration/' folder. Remember that you should replace or edit the file which is located on the locked machine disk, so actual path to the file would be '<MOUNT_POINT_FOLDER>/Library/Preferences/SystemConfiguration/com.apple.Boot.plist' Edit 'com.apple.Boot.plist' and put '-s' and '-v' args into them like this:
...
<key>Kernel Flags</key>
<string>-s</string>
<string>-v</string>
...

but after i put the ssd back to my imac i get error loading kernel cache(0xe). what can i do?

I'm guessing that this method won't work if the SSD has been formatted. It will only work with the original untouched SSD? I'm trying to get this working with a freshly installed SSD with the method #2 hack, but it still goes to the EFI password lock screen.

does your mac power on to the [?] screen?

Yes, if I leave it, the ? folder screen comes up.
If I press Opt, the padlock screen comes up.
It's a MBA 2012, 11"

The original owner damaged the laptop with a small water spillage and then took it to Apple to get their data off and the SSD wiped.
I will be able to reflash once my adapter arrives, but in the mean time, I thought I'd give this method a go.

Is it iCloud locked? Or just EFI locked?

An iCloud lock is linked to the OS X install and won't boot anything else.

Try throwing that ssd into another MBA and installing OS X on it. Then put it back in yours and power on.

Thanks for your response.

Its got an EFI password on it. Not sure if there's an iCloud lock yet.
I've tried installing MACOSX on another MBA, then transferred back and it still won't boot.

If you've already done that and the mac boots to the w[?] screen, then its iCloud locked. The iCloud lock is linked between the EFI and the os.

Your remaining option is hardware unlock, or brute force. That's not to say you had too many other options lol.

I'm the case of iCloud locks with removable storage, NEVER erase the storage unless you're prepared to hardware unlock.

Do you have the proper equipment to get this started?

That helps to explain what's going - thank you.

I didn't have a lot of choice. The owner has given me a list of possible passwords, but none of these work.
They did offer to take it to the Apple shop as they have proof of purchase, but this means posting it off and back again.

I will unlock it - I've done a few before, but have ordered the EasyFlash adapter to make life a little easier this time.
Otherwise, it's a soldering job wiring up the board to a Raspberry Pi with the help of this wonderful site.
I've got another board that needs the serial number changing too, so the EasyFlash adapter will get a good test.

Got my EasyFlash Adapter today from GhostlyHaks!
This works great - I've been able to remove the EFI password on one MBA and replace the serial number on another (board had to be replaced).
Awesome site - many thanks to all

excellent news! i'm happy all the hard work has resulted in a positive experience for you.

would you mind sharing your success here:
ghostlyhaks.com/forum/efi-destroyer-lite/711-post-your-successful-flash-environments-here

Need some help, trying to do this on a iCloud locked 2012 13 inch Macbook Air. I tried method 2 first, it didn't work, so I tried method 1, I am able to get all the way to Phase 2, in single user mode up to step 3 which states "3. Launch OpenDirectory service: 'launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist'". The problem is that the terminal says that no such directory exists. I even took the SSD back out, connected it to a working laptop, and went to the path location and saw the "com.apple.opendirectoryd/plist" file, so I am confused as to why it's saying that no such directory exists. Any help would be greatly appreciated. Also, please keep it simple, I am not that technically savvy, much obliged.


Update: Ok, so I pressed ctrl + d and now I am out of single user mode and at the user login screen (so I'm assuming I got past iCloud lock, since it didn't asking for the 4 digit pin?) but I don't know the user password. I tried command + r at bootup but that takes me to the firmware lock screen and I don't know the password to that either. Any ideas? Is there any ways I can just do a fresh install of a Mac OS? I don't need any data off the SSD.

Thank you @token.paul for all your effort.
I have 15" MBP 2015 that is both iCloud and EFI locked.
I have tried method 1, but I ended up with the screen where apple logo and no pass sign are altering on every 5 seconds.
I replaced modified BaseSystem.dmg with original (Thankfully, I listened your advice and save original file) and tried method 2.

I got non-graphical single user mode and I ran 'nvram -c'.
After that I ran 'nvram -p' and there is no output.
Then I tried '/sbin/fsck -fy' which went well
But when I try '/sbin/mount -uw /' I get the following message:
'disk1s1: device is writte lock'
Is there anything else I could try?
Sorry for bad English, I am not native English speaker.

Thank you for your time,

This happened because you trying re-mount a root partition in 'Recovery Mode'. Device is write locked because its filesystem based on file 'BaseSystem.dmg'.
After you cleared the NVRAM you release iCloud lock. Your next steps should be:
1. Shutdown a system
2. Return kernel keys back in the com.apple.Boot.plist file on Recovery Partition
3. Boot system. Mac OS installer should start
4. Change boot device (look for Boot Disk application in Installer menus) if you want boot into normal system...

If you want to add administrative user in the system you can mount MacOS partition in Terminal app while you are inside recovery mode and change '/Library/Preferences/SystemConfiguration/com.apple.Boot.plist' to get single user mode inside NORMAL MacOS boot. Where '/sbin/mount -uw /' will works.

Thank you very much. I am not at home right now. I will try this in the couple of days and I will let you know the outcome.

Thanks,

Thank you @token.paul for your time.

I did the following:
Cleared nvram
Removed flags from com.apple.Boot.plist
Boot system and Mac OS installer did start
I had a problem with “untrusted_cert_title”. The issue occurs because date was wrong. I managed to fix this one by going to Terminal and setting correct date and time.
But unfortunately, after that I couldn’t reinstall OS because locked HD was not visible when I was prompted to choose disk to install OS on.
Then I made a dumb decision, I ran Startup Disk and set it to external USB HDD. Now whenever I turn on my mac it will boot from external USB HDD if it is present. If external USB HDD is not present, folder icon with question mark appears on the screen. It blinks for few times and then computer turns off. So I can’t do anything.
I run Startup Disk from OS on external HDD and External HDD is selected, but I can’t deselected it.
I returned flags to com.apple.Boot.plist, but without any success.
Could you please help me and advise me what I can do from this point on (except to kill myself ).

Thank you very much,

Milos

Sorry for delay, I not always have a time for answers... Anyway...
If you boot an iCloud locked computer you need run a 'Disk Utility' and erase internal disk. This utility will not touch a recovery partition if it exist. But you can't install or reinstall the OS if main disk partition corrupted or unrecognised by Mac OS. By this reason HDD was not visible. Perhaps it was "secured" and crypted during a locking process.
What now? If you able boot from external disk then you need install boot loader which can give you possibility to choose a partition to boot. Look it here: www.rodsbooks.com/refind/
You need boot into recovery mode again, erase internal disk and install OS on clean HDD.

No need for apologies, I understand that this is something you do in your free time and I am very thankful for your help. I am at the vacation at the moment, so I will try to do this when I am back home. I have another question, is there any possibility to unlock disk without destroying the data? I have some files that I would like to save. I will report the progress.

Thank you,

Milos