Skip to content

Instantly share code, notes, and snippets.

@willzhang05
Last active October 22, 2024 16:37
Show Gist options
  • Save willzhang05/e5b5563cdc65514dfb7ca131e03ca4b2 to your computer and use it in GitHub Desktop.
Save willzhang05/e5b5563cdc65514dfb7ca131e03ca4b2 to your computer and use it in GitHub Desktop.

Removing a Mac's Firmware Password By Reflashing EFI ROM

According to Apple, the only way to remove an unknown firmware password from a MacBook (2011 and later) is to take it to the Apple Store with the original proof-of-purchase. However, I've found that there is another way, which I've been successful with for the unibody MacBook Pro--it's essentially just modifying a couple bytes in the EFI ROM, which should be simple. What's not simple, however, is figuring out how to read and write to the EFI chip. In this post, I'll talk about the process that I figured out and what worked for me.

The Official Method

Apple's method of resetting the firmware password is not reproducible, as Apple generates an SCBO file that unlocks the EFI using their private key. You can read more about this process here. The problem with this system is that, if you are in the unfortunate situation of neither having the firmware unlock password nor the original proof of purchase, you have no other options. This is understandable from Apple's viewpoint, as it can deter theft; once the Mac is stolen, the thief cannot reimage the computer, making it useless. Many threads on the Internet show that this situation is often not a result of theft, however. For instance, one commenter on a thread I read explained that a family member had gifted the system to them, but no longer remembered the password nor had the receipt, leaving no options to reuse the computer.

The Story

I was recently at another TJ student's house helping organize his basement full of computers and computer parts. I was volunteering for the non-profit he ran. The non-profit took donations of computers and refurbished them to be donated to families and other students without computer access at home. However, the student whose basement had been formerly used for the organization had graduated, so all the hardware had been moved to the new location. In the mess of computer parts, I found a 2012 MacBook Pro A1286 that was missing its battery, memory, and hard drive. The organization typically didn't bother with ordering specific parts for individual computers, as it wasn't worth the time or effort with the number of computers they needed to process, so I bought it for $30, as it had sat there for a long time and would likely have become e-waste.

After I got it home, I found that it would power on intermittently, and that it had a firmware lock. I wasn't sure whether it was due to the 60W charger I was using rather than the 85W recommended, or whether it was due to the different A1278 battery I had temporarily rigged to power the laptop up. To find out which was the case, I took the risk and purchased a brand new OEM battery off of eBay for $48, as well as a hard drive retention bracket.

Once I got all the parts installed, the Mac powered on, but the problem of the firmware lock remained. As I searched for methods to remove the firmware lock, I saw the recommendation to bring the computer to the Apple Store over and over, and that there was no other way.

There actually turns out to be an alternative, but I only found two sources online that described the process. One source was the Rossmann Group Forum and another from ghostlyhaks.com.

However, the article on ghostlyhaks.com was somewhat dubious and provided inaccurate information, particularly with the schematic, but the general description of the steps was correct.

The inaccurate schematic

This schematic is not only somewhat confusing, it is incorrect. It has the resistors on precisely the wrong pins that they should be on; they should instead be on the select, clock, I/O and GND pins. Even then, they are not strictly necessary, they merely provide some protection from voltage fluctuations.

The post on the Rossmann Group forum did cite the latter source, but it actually had an accurate schematic!

Tutorial

I've bored you enough with the story, let's get to the exciting part. I'll describe the method that worked for me; it may be somewhat different on your particular MacBook. I am also not responsible for any bricked Macs this may result in, do this at your own risk with the possibility of a bricked Mac in mind.

Stuff you'll need

  • A way to connect to the Raspberry Pi -- I used SSH, but serial can work as well.
  • Hex editor -- I recommend HxD if you're using Windows.
  • Raspberry Pi -- I used a Pi 3 Model B with Raspbian 8.
  • Flashrom -- This is a package in the Raspbian repositories, so you can install it with apt.
  • Some jumper wires -- Many thanks to my friend Liam, who provided me with some.
  • Breadboard -- Had this sitting around.
  • A couple low resistance resistors -- I used 150Ω.
  • A power supply capacitor -- A small ceramic capacitor will do, I used a 104μF.
  • SOIC 8-pin clip -- This is probably the most important out of all the components, you'll want something quality that can make a solid connection with the pins of the EFI chip. I used a Pomona 5250.

Setup

First, we'll need to verify that we can interface with the EFI flash chip at all. To get to the chip, you'll need to disassemble your MacBook to the point where you can see the top side of the logic board and identify the chip. On the A1286, the chip is located near the SD card reader and speaker. The chip will be fairly large and have eight pins.

img

The particular chip on my A1286 was a Micron 25Q064A.

First we'll need to set up the Raspberry Pi to function as an SPI programmer. To use it as an SPI programmer, we'll need to install flashrom from the Raspbian repositories.

$ apt install flashrom

imgNext, follow the above schematic from the Rossmann Group forum post to connect the Raspberry Pi GPIO pins to the SOIC clip, then clip onto the chip on the logic board. As far as I know, the pinout should be identical for all Mac EFI flash chips, but be sure to check the specific datasheet for your chip and modify the wiring as needed.

img

This is what my setup looked like.

$ modprobe spi_bcm2835

This will load the kernel module we need to do SPI programming on the Pi. Then, if you've wired everything correctly, check /dev for the SPI device and it will probably appear as /dev/spidev0.0.

I was initially worried about the fact that my exact chip wasn't on the flashrom supported devices list, but it turns out that the N25Q064..3E is identical in pinout and uses the same 3.3V logic, so it can be safely selected in flashrom.

To read to a file read.bin from the chip, I used the following command.

$ flashrom -r read1.bin -c "N25Q064..3E" -V -p linux_spi:dev=/dev/spidev0.0

You'll probably want to make more than one read of the chip, just in case anything was corrupted. We can check that the reads are identical by checking the md5 checksum of the files.

$ md5sum read1.bin
b9d90db64f953cb5879f1a8cd100b233  read1.bin
$ md5sum read2.bin
b9d90db64f953cb5879f1a8cd100b233  read2.bin

Since the checksums are identical, we know that the files are identical too. As an extra precaution, I made two more reads and copied the files to another computer.

Now, with the files on another computer, I opened one of the files up in HxD, and searched for the ASCII string "$SVS" without quotes. This string denotes the blocks of hex values with the firmware password. To get rid of these blocks, we just need to fill in the hex values with "FF" without quotes. You'll want to do this to each block starting with "$SVS" in the file.

img

Once we're done, we can copy the modified file back to the Pi. I once again copied multiple times and checked the MD5 checksums, just in case.

Now on to the scary part: we can now erase the chip on the logic board.

$ flashrom -E -V -p linux_spi:dev=/dev/spidev0.0

And, with our modified file mod.bin, we can now write the modified firmware without the firmware password back onto the EFI flash chip.

$ flashrom -w mod.bin -V -p linux_spi:dev=/dev/spidev0.0 -c "N25Q064..3E"

Once the process completes, you can turn off the Raspberry Pi and put the MacBook back together. If you've done everything correctly, the MacBook should just power right up.

The firmware password may appear upon initial boot up, but don't worry! All you need to do is to reset the NVRAM using the key combination Command + Option + P + R as soon as you press the power button. This will clear the firmware password from memory, and you should now have no firmware password.

@rajeshkumar45
Copy link

THANKS

@KameronKeller
Copy link

This worked great on a mid-2012 Macbook Pro with the Micron 25Q064A chip. I also made some modifications to the commands:

Reading the chip:
flashrom -r read1.bin -V -p linux_spi:dev=/dev/spidev0.0,spispeed=3000
Setting the spispeed caused flashrom to detect my board without me specifying which chip I had.

I could not get flashrom to read my chip without the spispeed. Initially, I tried 30000 as was written here, but my md5sums showed the reads were not identical. Slowing down the speed to 3000 worked great.

Erasing the chip:
flashrom -E -V -p linux_spi:dev=/dev/spidev0.0,spispeed=3000

Writing to the chip:
flashrom -w mod.bin -V -p linux_spi:dev=/dev/spidev0.0,spispeed=3000

I used Hex Fiend for Mac for editing the bin file.

@MarianoBarella95
Copy link

Hi! I´ve seen some videos on Youtube where this process was succesfully done with a ch341a programmer, have you heard of this? The process of erasing the $SVS password is identical, but instead of using the Raspberry they use the ch341 programmer.

@alwe2710
Copy link

alwe2710 commented Jun 29, 2023

Hi! I've followed your steps. Insead of a Raspberry Pi I've been using a SPI Programmer. No issues there. However I still get the password request. I've done the NVRAM reset. Pulled out the CMOS battery etc. Could somebody check my files for any errors I made?
Edit: Found my problem. I couldn't write to the chip.

@LuisCifaldi
Copy link

LuisCifaldi commented Feb 16, 2024

Dear All, can you tell me if this computer has EFI or MDM password insert ? It is an iMac 2015. For ages it has been stored in my closet when I used to work for a company, they went out of business and now I want to try to restore it. It is not stolen or lost! I will send a picture of the screen. It says : this computer system it is property of xxxxxx. Use of this system is restricted ........

@LuisCifaldi
Copy link

IMG_3691s

@RickiThaDragon
Copy link

This is absolutely fascinating! There are some really talented people in the world! Thank You to the person (Orignal Poster) for taking the time to put this whole thing together in such clear detail so that most who approach it will be able to understand it whethere they can actually pull it off or not --who knows? It was written well and I had to stop what I was doing to comment here about that. Giving credit where it is due! Awesome Stuff. (Also someone mentioned a C431a Programmer that did the same thing and was a you tube thing! It has been awhile since I saw a video myself on there as well where a guy removed the chip from a ipad i think it was from the motherboard and flashed it with i think what the person had mentioned earlier on here but after flashing the chip theyactually i think just replaced the chip with a chip of the same build it was a different chip i think i dont know cant remember but within 30 45 min they guy had the ipad or macbook whicebr it was up and running and did the whole process right there on the video, anyhow. Peace

@RickiThaDragon
Copy link

What i meant to say about the youtube was that "bascally the dude removed the chip from the board flashed it and soldered it back to the motherboard and fired her up.

@kiddo71
Copy link

kiddo71 commented Mar 26, 2024

hi. I got an older macbook A1342 Unibody Policarbonate. i got the bin file but there is no $SVS string in it. can you someone help to find the password is stored?

@amxcs
Copy link

amxcs commented Jul 16, 2024

Thanks! It worked on Macbook Air 2015 with MX25L6473EZNI

Check
sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=8000
Read
sudo flashrom -r read1.bin -c "MX25L6473E" -V -p linux_spi:dev=/dev/spidev0.0,spispeed=8000
Erase
sudo flashrom -c "MX25L6473E" -E -V -p linux_spi:dev=/dev/spidev0.0,spispeed=8000
Write
sudo flashrom -w mod.bin -V -p linux_spi:dev=/dev/spidev0.0,spispeed=8000 -c "MX25L6473E"

IMG_20240713_010745
IMG_20240715_180725

@zxczxccaa
Copy link

zxczxccaa commented Jul 25, 2024

Hi. After all operations firmware password is gone BUT now my macbook cant see an battery and all keys except arrows up and down. Any suggestions why and how to fix that? 2015 pro a1398

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment