3 METHODS FOR BYPASSING APPLE EFI FIRMWARE PASSWORD / ICLOUD LOCK (Guest Post from Robert Bryant)
Robert Bryant

First off I’d like to say that none of this information is intended for illicit activity. This guide is simply to help those who have locked themselves out of their Mac, or have purchased a Mac from someone who did not give them the password.
The initial method of hacking EFI Firmware / iCloud Locked Macs is with a device called the Teensy. This device costs about $30 on eBay and plugs into the USB port on your Mac. The Teensy works by brute-force attacking the 4-digit PIN code, trying every combination of 4 digits. Apple circumvented this by enabling a 6-digit code. Later revisions of the Teensy now cost more and also do 6-digit brute-force attacks. The real hitch I ran into with the Teensy is that it only works to unlock iCloud locked Macs. If you have a locked EFI Firmware Password, and cannot boot into the iCloud login, for all intents and purposes you are yet again stuck.
The final two methods require a lot more technical proficiency, but have both worked with proven success. The first method is to reprogram the EFI with a Raspberry Pi, or SPI Programmer and an SOIC 8-pin clip,
via these instructions (from Ghostlyhaks):
Step 1 – Buy a SPI Programmer and 8-pin SOIC clip with F-F wires.
Step 2 – Read the chip three times and verify the MD5 checksum to ensure you have a good backup if things go wrong.
Step 3 – Make a copy of the dump and open it in a hex editor. I use Notepad ++.
Step 4 – Search for “$SVS” in the dump and you should find 2 instances. The first instance is what you will need to clear out making sure to keep the file length the same. It is safe to replace it with an empty value such as “ÿ”. The string including the $SVS should be 128 characters long and will all need to be replaced with 128 ÿ’s. You can copy and paste it from below.
128 bit string – ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Step 4 Alt. – Get a clean dump that is not firmware locked from the community, making sure you use the correct EMC and processor architecture. Make absolutely sure it is the same size as your original dump, which is usually 8 MB. If you go this route then you will need to replace the serial of the donated dump with your own serial in order to not register over their Mac. You can do this by simply searching for “override-version” and on that same line there will be an 11 digit serial number that you will replace with your own.
Step 5 – Hook your programmer back up to the chip, erase the chip, write the new dump and verify it.
Step 6 – Remove the clip and turn your Mac over to turn it on and test. You will immediately use the hot-keys to get to single user mode to test.
Step 7 – If you do not get to SU mode or the Mac does not boot right you will need to erase the chip and write the old dump back to it. You then can exhaust other options.
Step 7 Alt. – If you do get to SU mode, turn the Mac back off and use the hot-keys to clear the PRAM. This will get rid of the 4 digit lock at OS load. Or you can simply re-install at this point. Remember to register the Mac to a new iCloud account to avoid future lockdowns.


The other, more solid method that I have found is to replace the EFI chip itself. In fact, if you look at most Apple EFI chipsets they are actually raised up off of the circuit board and held up by their 8 leads (4 on each side). If you take either a soldering iron or Micro Air Torch and cut off the leads, you can easily replace this chip with one found on eBay and reprogrammed to your board ID and Serial #.

Again none of these methods should be used illicitly. This Article is for educational purposes only.
