
Macbook Pro 2016 Scbo File



> As far as I know, you'll need to take the machine apart to reflash it, plus special hardware

Oct 23, 2019.

  1. My original goal when I started poking around Apple's EFI implementation was to find a way to reset a MacBook's firmware password. My preliminary research found references to a 'magical' SCBO file that could be loaded onto a USB flash drive and booted to remove the password. The normal process workflow is to first contact Apple support. Since I don't have the original sales receipt.
  2. Jun 24, 2016.
  3. Can Read, Erase and Write the EFI-ROM on MacBook Pro 13" and 15" model 2016 A1708, A1706, A1707 - Can Read, Erase and Write the EFI-ROM on MacBook Pro 13" and 15" model 2017 A1708, A1706, A1707.

This doesn't take very long. Maybe 5 minutes to disassemble the machine.

As for hardware, you can flash SPI chips using a Teensy and a clip chip. [1] The total cost of parts is under $30.

Incidentally, I highly recommend investing in one of these if you're doing firmware development for routers. It's so much easier to flash a backup than muck around with TFTP.

> because when a firmware password is set, a Mac requires the password to choose a different boot disk.

This is hardly unique to Apple. Most PC laptop manufacturers also disable changing the boot device or choosing a temporary boot device when a setup password is enabled.

> with this feature, Apple HQ can give a service center the ability to clear a particular firmware password without giving them a universal backdoor (hardware or software).

Um, this is how it works for PC firmware passwords as well. Unless there is a keygen available, most modern implementations use a hashed value from the serial number or hard drive as the master unlock password. It's unique to the laptop being unlocked.

[1] https://trmm.net/SPI_flash

A security engineer who goes by the name of fG!, specialized in Mac security and reverse engineering, has found a way to reset a Mac's firmware password without help from Apple's support team.

Apple allows iMac and MacBook users to set a password for their firmware so that no intruder can go in there and change core device settings.

Apple helps authorized users reset their firmware password

Just like any password, users tend to forget it once in a while. In case this happens, users can call Apple Support, and during boot-up, they're guided through the process of pressing five keys simultaneously [SHIFT + CONTROL + OPTION + COMMAND + S] to make a long code appear on their screen.

Users give this code to Apple's staff, and they receive back an SCBO file, which they can then put on a USB flash drive they insert into their device, and they can thus remove the password.

This is all fine and dandy, but only if you can prove ownership of your device with the original sales receipt. If you can't, then you're left on your own.

Crooks are selling SCBO files online for $100


fG! says he discovered shady online services that were providing SCBO files, but for a fee of $100. Since trusting this kind of service and running mysterious code on his laptop did not seem like a good idea, the researcher set out to find out how SCBO and Apple's EFI (Extensible Firmware Interface) worked, and if he could find a way to bypass this process.

You can read the step-by-step reverse engineering process on fG!'s personal blog, but the good news is that he managed to find a way to do it. Below are the researcher's findings:

"My work helped me determine that the EFI variable that contains the firmware password information is 'CBF2CC32.'"

"If you have a SPI flasher and want to remove an Apple EFI firmware password, what you need to do is to dump the flash contents, remove the 'CBF2CC32' variable (you just need to flip a single bit on its name for example), and reflash the modified firmware. Or just locate the variable and erase or modify it directly without reflashing the whole contents."

"There is also another way to do this. The '3E6D568B' variable is special because if you remove it, the NVRAM will be reset to a default state where the firmware password is not set anymore."

Is Apple Support compromised?

Furthermore, the researcher also discovered that there was no way to generate an SCBO file without having access to Apple's private encryption keys.

The online services that were selling SCBO files were obviously fake, or downright illegal.
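The per-device, vendor-signed unlock flow described above, sketched as an added example (not code from the article, from fG!, or from Apple): the device shows a challenge, the vendor signs it only after an ownership check, and the firmware verifies the token with a public key alone. The toy RSA key, the serial strings and every function name are assumptions; the real SCBO format and algorithms are not given on this page.

```python
from __future__ import annotations
import hashlib
import secrets

# Toy RSA key standing in for the vendor's signing key (two Mersenne primes).
# Far too small for real use; an assumption, not the actual SCBO scheme.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                                  # public modulus, baked into firmware
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, vendor only

def _digest(serial: str, nonce: bytes) -> int:
    """Hash the challenge (device identity + fresh nonce) into Z_N."""
    h = hashlib.sha256(serial.encode() + b"|" + nonce).digest()
    return int.from_bytes(h, "big") % N

class Device:
    """Firmware side: holds only the public key (N, E)."""

    def __init__(self, serial: str):
        self.serial, self.locked, self.nonce = serial, True, b""

    def show_challenge(self) -> tuple[str, bytes]:
        self.nonce = secrets.token_bytes(16)   # new code on every request
        return self.serial, self.nonce

    def apply_token(self, token: int) -> bool:
        expected = _digest(self.serial, self.nonce)
        ok = bool(self.nonce) and pow(token, E, N) == expected
        if ok:
            self.locked, self.nonce = False, b""   # one-shot: nonce consumed
        return ok

def vendor_sign(serial: str, nonce: bytes, ownership_proven: bool) -> int | None:
    """Vendor side: signs only after the out-of-band ownership check."""
    if not ownership_proven:
        return None
    return pow(_digest(serial, nonce), D, N)

def demo() -> dict:
    a, b = Device("SERIAL-A-CONSTRUCTED"), Device("SERIAL-B-CONSTRUCTED")
    token_a = vendor_sign(*a.show_challenge(), ownership_proven=True)
    return {
        "refused_without_proof": vendor_sign(*b.show_challenge(), False) is None,
        "forged_rejected": not a.apply_token(secrets.randbelow(N)),
        "other_device_rejected": not b.apply_token(token_a),
        "valid_accepted": a.apply_token(token_a),
        "replay_rejected": not a.apply_token(token_a),
    }
```

Because the device stores only the verification key, the weak point in such a design is the signing service and the ownership check in front of it, which is the concern the researcher raises next.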

"So what is happening with all those videos and people claiming they were able to buy SCBO files from websites? My bet is that these guys somehow are able to submit illegitimate requests to Apple's support system and then sell the SCBO files they receive for some nice fat profit. These could be insiders working at Apple support centers or even Apple itself. Only Apple has a real chance to investigate and track the source of these files."

Remember that story from February? When the press discovered that hackers were offering Apple employees in Ireland thousands of euros for their enterprise passwords? We now may know why crooks are willing to pay so much for Apple employee credentials.


Warning: If it ever gets to the point of having to reset your firmware password, please consult a specialist before attempting any of the advice described in this article.




