Tutorial for brute-forcing modern Macs


7 years 7 months ago - 7 years 7 months ago #4098 by reverendalc
I've done this myself countless times, waiting for the UEF to be released. I've assisted several others through the process, and decided to make a tutorial.
NOTE: This guide is not guaranteed to work. If the Mac has a pre-existing firmware password or a six-digit iCloud lock, it will not work.

To be clear: manually created EFI passwords can contain all characters and have no predefined length, so they are not realistically brute-forceable. If a MacBook has a manually created EFI password, and is afterwards locked via iCloud, the custom password remains in place.

Introduction: When Apple computers are iCloud locked, they are (typically) locked with a 4-digit pin specified by the iCloud owner at time of lockdown. This iCloud lock exists in two forms: OS lock and EFI lock. Assuming there was NO firmware password prior to the iCloud lock, you can safely assume that the resulting EFI lock is the same 4-digit pin as the iCloud lock. This is not always the case, and as time goes on it becomes a less viable solution.

I NEVER recommend booting an iCloud locked Mac to the iCloud lock screen, as it will enable location services. Doing so will demonstrate whether you have a four- or six-digit pin, though. Ideally, you could remove the wifi/bluetooth card before doing this if you're concerned about location services.

If you boot the Mac to the iCloud lock screen, you'll see either a 4 box or 6 box prompt. If you see six boxes, give up now (-;



What you’ll need:

- a Teensy (any version 2.0+ will do)
- a USB micro cable (the shorter the better)
- a USB thumb drive of at least 8 MB; seriously, anything will do
- a copy of the rEFInd boot loader (google: download refind)
- the Teensyduino plugin (notice which versions of Arduino are compatible; google: download teensyduino)
- the Arduino software (download the latest version compatible with Teensyduino, 1.6.9 at time of writing; google: download arduino 1.6.9)
- orvtech’s brute force code: github.com/orvtech/efi-bruteforce/blob/master/efi_attack.ino

These software packages are available for Windows, Linux, and OS X.
Download and save them in a folder on your desktop, or some other easily accessible location.
7 years 7 months ago - 7 years 7 months ago #4099 by reverendalc
Let’s start with the Teensy:

1. (On OS X) copy the downloaded app to Applications. Launch it, approve it, allow connections, then close it.
2. Launch the Teensyduino installer, navigate to your Arduino.app, and I usually install all libraries for shits and giggles.
3. Open Arduino.
4. Select the board type, then select the USB mode.
5. Paste orvtech’s code.
6. Connect the Teensy via USB and hit upload.

If you did this correctly, it will automatically reboot your Teensy and upload the code. If you receive errors, ensure you’ve selected the correct board type and that you’ve enabled USB keyboard functionality.

7. Unplug the Teensy, open a text editor of your choice, and plug it back in. It’ll take a little while before it starts typing (to allow for the MacBook booting to the EFI lock screen).

If these steps have been performed correctly, you will see your Teensy begin typing in the text editor.
7 years 7 months ago - 7 years 7 months ago #4100 by reverendalc
The rEFInd USB:

1. On the Windows platform, you can easily use Rufus to create the rEFInd USB: rufus.akeo.ie. It's very straightforward, like a fancy version of the native Windows format utility.
2. On OS X: download the binary zip file or CD-R image file, prepare a USB flash drive with an MBR FAT32 partition and title it REFIND. Open the zip or iso and copy the refind-bin-0.10.3.img to your desktop. Open Terminal, type “diskutil list” and look for your “REFIND” disk’s identifier; in my case it’s disk0.

Then unmount the drive with “diskutil unmountDisk /dev/diskX”. In Terminal type “cd Desktop” and then “ls” and make sure you see the refind-bin-0.10.3.img. Now run “sudo dd if=refind-bin-0.10.3.img of=/dev/rdiskX bs=1m” where X is the disk number you located earlier.

Adding the r to rdisk specifies the raw disk, which should write faster, and bs=1m specifies a 1 MB block size. Then “diskutil eject /dev/diskX” and pull the drive when complete.
3. Plug the drive back in, reboot your Mac with ALT (or your PC with the appropriate key) and you should see the rEFInd boot option.
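The diskutil / dd step above, as an added POSIX shell example that is not part of the original post and not rEFInd's own tooling. It parses `diskutil list` output (a constructed sample is embedded so it runs offline), and only returns a whole-disk identifier whose listing both carries a volume named REFIND and is reported by diskutil as external; a REFIND volume on a disk diskutil calls internal is ignored, which keeps dd away from the internal drive. The unmount / dd / eject sequence is the one the post gives, but it only runs when REFIND_WRITE=1 is set; otherwise the function prints the dd command for you to check. The image filename is taken from the post; the REFIND_WRITE variable and the sample listing are assumptions made here.

```shell
#!/bin/sh
# Added example: locate the REFIND thumb drive from `diskutil list` output and
# raw-write the rEFInd image to it. Not from the original post or from rEFInd.
# Assumptions: image name refind-bin-0.10.3.img (from the post), a REFIND_WRITE
# gate variable (invented here), and the diskutil list layout shown below.

# Constructed sample of `diskutil list` output, so this can be run offline.
SAMPLE_LISTING='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.4 GB   disk0s2

/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *8.0 GB     disk2
   1:                 DOS_FAT_32 REFIND                  8.0 GB     disk2s1'

# find_refind_disk LISTING
# Prints the whole-disk identifier (e.g. disk2) of the EXTERNAL disk that
# carries a volume named REFIND. Prints nothing if REFIND only appears on a
# disk diskutil calls internal, so the dd below can never target the boot drive.
find_refind_disk() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^\/dev\/disk[0-9]+$/ { disk = substr($1, 6); external = ($0 ~ /external/) }
        / REFIND / && external      { print disk; exit }
    '
}

# write_refind_image IMAGE DISK
# Unmounts, raw-writes and ejects exactly as the post describes, but only when
# REFIND_WRITE=1; otherwise it prints the dd command so you can eyeball the target.
write_refind_image() {
    img=$1
    disk=$2
    [ -n "$disk" ] || { echo "no external disk with a REFIND volume found" >&2; return 1; }
    [ -f "$img" ]  || { echo "image $img not found" >&2; return 1; }
    if [ "${REFIND_WRITE:-0}" != 1 ]; then
        echo "dry run: sudo dd if=$img of=/dev/r$disk bs=1m"
        return 0
    fi
    diskutil unmountDisk "/dev/$disk" &&
        sudo dd if="$img" of="/dev/r$disk" bs=1m &&
        diskutil eject "/dev/$disk"
}

# Typical use on the Mac:
#   disk=$(find_refind_disk "$(diskutil list)")
#   write_refind_image ~/Desktop/refind-bin-0.10.3.img "$disk"              # dry run
#   REFIND_WRITE=1 write_refind_image ~/Desktop/refind-bin-0.10.3.img "$disk"
```

The "external" check is the point: a typo in the disk number on the dd line silently overwrites whatever disk it names, and the internal drive is usually disk0, so the function refuses to hand back an identifier that diskutil does not label external.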
7 years 7 months ago - 7 years 7 months ago #4101 by reverendalc
Let's finish it off:

If your Mac has a working, bootable OS X install, you won’t require USB or DVD install media. I ALWAYS use my trusty 10.11.5 install USB. Connect the Teensy with the micro USB cable to one USB port, and your OS X install media to the other.

Power on your Mac with the ALT key to select an alternate boot device. You’ll be presented with the EFI lock screen. I usually give a single mouse click in the text field to make sure it has focus when the Teensy begins typing. In about 30 seconds, you’ll see it start plugging away.

I will usually take note of the exact time I start the process, and set up a webcam or the like to record it with a timestamp in case it guesses the pin while I’m working or sleeping. It takes precisely 17.45 seconds per attempt, so you can do some math to figure out what it guessed when it guessed it. ThaGH05T has made some really cool progress on making the Teensy record the winning pin, but that's another story.

If it took 12 hrs 42 min, you’ll do:
42/60 = 0.7, 12 + 0.7 = 12.7 total hours. I like to call it metric time (-;
12.7 x 3600 = 45,720. There are 3600 seconds in an hour, so this job took 45,720 seconds.
Divided by 17.45 seconds per attempt: 45,720/17.45 = 2620.
Your code should be +/-5 of that number if you recorded your times and did your math properly.

IF THE TEENSY COMPLETED (IT TAKES ABOUT 48 HRS TO REACH 9999) AND DID NOT UNLOCK YOUR MAC, IT’S SAFE TO ASSUME YOU MUST FLASH THE EFI CHIP MANUALLY. Running the tool again and again is an exercise in futility.

Modern Macs (including older ones with modern firmwares) store iCloud lock status in the NVRAM, so you can no longer simply boot an OS X installer and reinstall. Any other OS X media, whether it’s install, original drive, external drive… it will all lock down, preventing you from doing anything. You could easily install Windows, Linux, or something else and be done. If you wish to reinstall OS X:

Load the rEFInd USB. It will present you with another boot selection screen:

Navigate to the OS X install media (or existing bootable installation) and press F2. You will see this option menu; select “boot single user mode”.

After a verbose boot, you’ll be presented with a command prompt. At this prompt simply type “nvram -c” and press enter. Many folks insist on zapping NVRAM three times; I call it superstition, but do what you will here. Then type “reboot” and enter. This is where I get superstitious, and perform a keyboard cmd/opt/P/R to reset the NVRAM again.

Now you have an iCloud unlocked Apple computer, ready for a new OS X installation. Do not attempt to load the previous OS X installation.

This is not the best, nor the fastest method. Probably the cheapest (from scratch) and the easiest if you’re unfamiliar or uncomfortable with the flashing process.

I hope this has been helpful.
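The elapsed-time-to-pin arithmetic in the post above, as an added POSIX shell example that is not from the original post and not from orvtech's efi_attack.ino. It takes the post's stated 17.45 seconds per attempt and the +/-5 window, works in centiseconds to avoid floating point in sh, clamps the window to 0000..9999, and reports "exhausted" when the run time already covers the whole sweep, which is the post's flash-the-chip case. It assumes the sketch types pins in ascending order starting at 0000; this page does not state the sketch's starting point or order, so START_PIN is an assumption made here.

```shell
#!/bin/sh
# Added example: turn "how long did the Teensy run" into "which PIN did it hit".
# Not from the original post or from orvtech's efi_attack.ino.
# Assumptions: 17.45 s per attempt (stated in the post) and an ascending sweep
# starting at 0000 (NOT stated on this page); both are single constants below.

ATTEMPT_CS=1745        # seconds per attempt, in centiseconds (17.45 s)
PIN_SPACE=10000        # 0000..9999
WINDOW=5               # the post's "+/-5" allowance for timing error
START_PIN=0            # assumed first PIN the sketch types

# elapsed_seconds HOURS MINUTES [SECONDS]  ->  total seconds
elapsed_seconds() {
    echo $(( $1 * 3600 + $2 * 60 + ${3:-0} ))
}

# attempt_index ELAPSED_SECONDS  ->  how many full attempts fit in that time
attempt_index() {
    echo $(( $1 * 100 / ATTEMPT_CS ))
}

# pin_window ELAPSED_SECONDS  ->  "LOW HIGH" as zero-padded PINs, or
# "exhausted" if the run time already covers the whole 0000..9999 sweep
pin_window() {
    idx=$(( START_PIN + $(attempt_index "$1") ))
    if [ "$idx" -ge "$PIN_SPACE" ]; then
        echo exhausted
        return 0
    fi
    lo=$(( idx - WINDOW )); [ "$lo" -lt 0 ] && lo=0
    hi=$(( idx + WINDOW )); [ "$hi" -gt 9999 ] && hi=9999
    printf '%04d %04d\n' "$lo" "$hi"
}

# full_sweep_hours  ->  whole hours needed for all 10000 attempts
full_sweep_hours() {
    echo $(( PIN_SPACE * ATTEMPT_CS / 100 / 3600 ))
}

# Typical use: the run started at 09:00 and the webcam shows the desktop at 21:42.
#   pin_window "$(elapsed_seconds 12 42)"     # 2615 2625
#   full_sweep_hours                          # 48
```

If the webcam timestamp and your start note disagree by more than a minute or two, widen WINDOW accordingly: at 17.45 s per attempt, every minute of uncertainty is three or four extra candidates on each side.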
7 years 7 months ago #4213 by therealjayvi
Aye Rev why don't you make this a full fledged article so it can get more exposure? This is really good stuff!

7 years 7 months ago #4217 by reverendalc
What is a full fledged article and how to make it into that?

7 years 7 months ago #4234 by therealjayvi
Full fledged article meaning located in the blog section ;) go into your profile settings to write one

7 years 7 months ago #4239 by reverendalc
Oh. Yeah, I could do that, but I feel like this tutorial is a little choppy and lacking refinement for that (-;

7 years 7 months ago - 7 years 7 months ago #4242 by CygnusX1
Wasn't "brute force" taught in kindergarten? :) LOL Just a little humor guys!

7 years 7 months ago #4244 by reverendalc
Haha yes, but what about those still in kindergarten?

Be honest, you've brute forced lately haven't you?
7 years 7 months ago #4245 by CygnusX1

reverendalc wrote: Haha yes, but what about those still in kindergarten?

Be honest, you've brute forced lately haven't you?


Yes I did. I had a 2015 model and thank god it only had a 4 digit pin.

7 years 7 months ago #4247 by MMCH
So a Teensy 2.0 will work?

7 years 7 months ago #4248 by reverendalc
Yes, Teensy 2.0 has USB keyboard support. I've built them as early as 2.1, but I can't imagine that would be any different.

Do you have a 2.0 sitting around somewhere?
I didn't know that you could still buy them

7 years 7 months ago #4249 by CygnusX1

reverendalc wrote: Yes, teensy2.0 has USB keyboard support. I've built them as early as 2.1, but I can't imagine that would be any different.

Do you have a 2.0 sitting around somewhere?
I didn't know that you could still buy them


They have a 3.2 now. Check out this link.
They are only $17.00, and right now they have the limited supply "purple edition"!

7 years 7 months ago #4250 by reverendalc
yeah. I had some limited edition breast cancer pink ones once.

The latest teensy is super cheap, and there's touchscreen frameworks now also. Perhaps brute force an iPad? Lol

7 years 7 months ago #4253 by reverendalc
Well if it's far cheaper go for it. In my experience those guys take forever to get you your wares though. Unless I'm thinking of alibaba.

Anyway, get whichever you like. That link itself says "keyboard" and "mouse" in the URL, so I concur with my original statement:

It works

7 years 5 months ago #4730 by KingBonecrusher
You can also use an Arduino Micro Pro clone (~6.95€). This one has the 32u4 chip, which can act as a keyboard or mouse. Combine it with a photoresistor and most of the work is done...

7 years 5 months ago - 7 years 5 months ago #4731 by reverendalc
True. There are several options, and awesome ways to improve the process.

@ggltech:
the hardware functionality of the ALT key isn't being disabled... the software response is.
additionally, an SMC reset does not aid in iCloud unlocking, it must be the NVRAM
7 years 5 months ago #4739 by mtronmeta

reverendalc wrote: NEVER recommend booting an iCloud locked Mac to the iCloud lock screen, as it will enable location services. Doing so will demonstrate whether you have a four or six digit pin though. Ideally, you could remove the wifi/bluetooth card before doing this if you're concerned about location services.


Just looking for clarification on this. If the locked MacBook isn't actually connected to the internet, can it still send its location? As in, if it's just physically close to a wireless access point but not connected, can it still send its location? Thanks.
