We can observe the magic bytes being tested in the following piece of code: This means that we have a good entry point into this problem and now need to reverse backwards to understand what this function is trying to accomplish and how it is called. To assist our reverse engineering effort it is important to collect as much data as possible about how our target works. The following describes how to use the SCBO file to reset the firmware password: This gives us important clues about what we should be looking for: code that has access to the filesystem and reads one of these two files.
If we look at the strings of the currently disassembled binary we can see we are on the right track. Reversing UEFI binaries is quite annoying because every external function is a function pointer, so the disassembly output is not very clear and needs some assistance to improve it. Snare created ida-efiutils, a set of scripts that improve the disassembly output by trying to rename function pointers, offsets, and structures.
It does extra things like commenting the known functions with their prototype and documentation, generating some statistics, and extracting information about installed and used protocols into a database.
The next picture shows the start function as IDA disassembles it without any plugin help. This is very useful information for getting a quick idea of what the binary is doing. With improved disassembly output we can proceed to try to understand what happens with the SCBO file. What happens is that an event notification is installed by this EFI binary. When a USB flash drive is inserted, it triggers the notification and a callback is executed.
One of the callback tasks is to try to read the SCBO file from the flash drive and verify that its format is correct by checking the magic number, etc. This GUID is not unique to this variable and it is used for other variables, e. If the. The event notification code can be found at start. The following code snippet is responsible for creating the event:
The most interesting thing in this code is the third parameter to the CreateEvent service, NotifyFunction. This is the callback that gets executed when the event triggers. The code that follows merely registers the event, in this case a file system related event. The code above is responsible for opening the USB flash drive volume so it can read its contents. This protocol contains a single function, OpenVolume.
It is interesting to read its description to understand what will happen if it executes successfully. We need to look at another protocol to understand its features. There are no man pages to save us! The previously posted disassembly snippet first tries to open the root volume, and if it succeeds it uses the returned handle to try to open the.
The file is read in two steps: first 12 bytes, which is the size of the SCBO header. If the header contents appear correct then the remainder is read. We can observe in the above code snippet the first 12 bytes being read, and then the verification of the header structure. This may be pretty useful for a system administrator who has to reset many Macs. The rest of the function resets the file position back to the beginning and reads the whole SCBO contents into a previously allocated memory buffer.
Remember that the nonce is rotated every time the firmware password is modified. If the serial and nonce are confirmed to be correct, then a new variable named. The new variable contains all the SCBO data minus the 12-byte header: bytes total length. Now we understand a bit more about how the SCBO feature works. If the SCBO file contents match the current Mac, a new variable is set and the computer is rebooted before any other operations.
This means that there will be another EFI binary reading and processing the new variable. The current binary is only responsible for reading the SCBO file and doing basic integrity verification; it has no capability to remove the firmware password. We now know what it does and we can move on to the really interesting binary.
Brute-forcing the firmware password is useless for any password longer than four digits, since the high number of hashing rounds makes it impossible within a reasonable time frame.
The following structure can describe the variable contents: Given this structure, a brute-force utility just needs to retrieve this information via IOKit and start brute-forcing until the password matches the current hash. This takes a couple of minutes for a four-digit password. The main function is pretty simple. First we have the usual storage of the BootServices and RuntimeServices table pointers in local variables, then a call to a function, and last the installation of the protocol that is called from the first EFI binary we reversed.
The installed protocol is composed of seven function pointers. It is interesting to verify which EFI binaries are calling this protocol. This binary installs another protocol that is called from some other binary, probably the binary that deals with the user input and screen drawing, which I was unable to pinpoint. If you try to patch this function to always return zero, pack it again into a firmware dump, and reflash it, then any firmware password will be accepted.
This means we are on the right track.
If you have an SPI flasher and want to remove an Apple EFI firmware password, what you need to do is dump the flash contents, remove the CBF2CC32 variable (you just need to flip a single bit in its name, for example), and reflash the modified firmware. Or just locate the variable and erase or modify it directly without reflashing the whole contents.
There is also another way to do this. This means that the. Static analysis is not always easy on UEFI binaries because we have very limited ways to test hypotheses; each reflash takes around 5 to 8 minutes if we want to patch code and see what happens. This is when I had an idea!
I also knew that this binary was more or less isolated, using only a few Boot and Runtime services and very few external protocols. To my surprise I was finally able to run and debug an EFI binary in userland, speeding up the reverse engineering process immensely and quickly providing insight into previously tricky code.
I gave it a gdbinit-style UX and emulated some basic commands such as adding breakpoints, stepping in and out of calls, dumping memory, and setting memory and registers, making it a very basic but extremely useful EFI debugger. While far from feature and emulation complete, this is a pretty useful tool that was a critical development for this and future UEFI projects.
Remember to register the Mac to a new iCloud account to avoid future lockdowns. NOTE: Here are a few things worth mentioning. That is the entire process in a nutshell. Now I will explain how you can do this in as much detail as possible. The first thing that you will need to do is pick up your entire inventory before you begin. After that, lay everything out and do some testing. Make sure your chip is supported, and have the datasheet and any diagrams available. I also suggest that after you get the clip connected to all the wires you check for continuity from the clip's pins to the end of the F-F wires on each pin.
There is no guarantee, implied or expressed, in this procedure. You are following this guide knowingly and accept that damaging your property may be the outcome, although I do not foresee that being the case, as I have tested this method many times.
Now, I am going to assume that you at least have some experience in Linux and basic troubleshooting skills. Critical thinking is also required, although I have not added it to the list.
When you have your Raspberry Pi all set up and Raspbian is booted, you will need to configure it for the first time.