Announcement

**curiositymaster** · 10-27-2022, 10:16 AM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by Mario1241 View Post

hello genhack, thank you for your observations.

I was thinking about the UniversalMac_11.0.1_20B29_Restore.ipsw we can edit it and instead of the diagnostic options we change it to the terminal file what would happen?

Considering that I can load by DFU. I do not know how to edit it but it is an option that occurs to me, what do you think?

Cheers!

Has anyone tried the hidden diagnostic while booting with a jumpstick?

**genhack** · 10-27-2022, 11:10 AM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by curiositymaster View Post

@genhack, do you have an idea how I can extract mobileactivationd from a mina-jailbroken t2 mac and how to use it to bypass those with upgraded bridgeOS version?

If you have a t2 bypassed make a zip with a password of this folder and upload:

Code:

/usr/libexec/

I'm working on T2 latest bridgeOS, can be pwn and i think is possible to bypass!

Originally posted by Mario1241 View Post

hello genhack, thank you for your observations.

I was thinking about the UniversalMac_11.0.1_20B29_Restore.ipsw we can edit it and instead of the diagnostic options we change it to the terminal file what would happen?

Considering that I can load by DFU. I do not know how to edit it but it is an option that occurs to me, what do you think?

Cheers!

You can't just edit ipsw like iphone/ipad, devices will refuse the flash. I need an m1 locked and see where we can play around.

**curiositymaster** · 10-28-2022, 05:57 AM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by genhack View Post

If you have a t2 bypassed make a zip with a password of this folder and upload:

Code:

/usr/libexec/

I'm working on T2 latest bridgeOS, can be pwn and i think is possible to bypass!

I'll see if I can get my hands on one and share it ASAP.

**fshadow** · 10-28-2022, 07:52 AM

Re: Macbook M1 bypass FMM / EFI Unlock

When you start diagnostics there is dmg image (FieldServiceDiskImagePersonalized) downloded via internet, which contains another dmg image (like 012-94675-003.dmg). That last dmg contains apps, libs, lua scripts and so on, for running diagnostics, but this image is trustcache protected, so if you have control over network it is not possible to change... almost.
assume, you've found a way to change on this image whatever you want, what would you do?

**genhack** · 10-28-2022, 08:50 AM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by fshadow View Post

When you start diagnostics there is dmg image (FieldServiceDiskImagePersonalized) downloded via internet, which contains another dmg image (like 012-94675-003.dmg). That last dmg contains apps, libs, lua scripts and so on, for running diagnostics, but this image is trustcache protected, so if you have control over network it is not possible to change... almost.
assume, you've found a way to change on this image whatever you want, what would you do?

I fully agree. Diagnostics do not help the purpose, starting a shell from there wouldn't allow us to do anything.

**VHS** · 10-28-2022, 11:04 PM

Re: Macbook M1 bypass FMM / EFI Unlock

I've got a couple of bypassed T2s and one that won't unlock due to it having Monteray on it.
I also have a water-damaged M1 that won't charge its battery, and it doesn't seem to have sound but other than that, it's running fine and an identical locked M1 that someone could probably make an easy repair of.

**Mario1241** · 10-28-2022, 11:10 PM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by genhack View Post

Hello Mario,
In order:

Code:

Through DFU I have been able to reverse the firmware of the locked mac I have installed the UniversalMac_11.0.1_20B29_Restore.ipsw even so I have not been able to skip the icloud step.

You can't edit and flash this ipsw, Bootchain will refuse any mod. so this try is usless untill m1 is pwn (*Like t2* with checkm8).

Code:

I have tried to start with linux but the operating system does not recognize me or it does not show me the memory or at least I do not know how to boot the operating system that is already combatable.

Ok i think you need to check how boot m1m1 by usb. Just a Ps: M1 will refuse to boot other os in activation, secure state is enbaled but you can try.

Code:

The hidden diagnostic system allows me to store all the analysis on a usb stick.

About diagnostic, i check myself and i think there is no way to use external drive for boot something or open app. Diagnostic is designed for just save do that and can't be the skip part of the process, you need to sign binary inside the other volume and make full bypass, this mean if i press activate you go on this flow and do all things you need for boot proper. if mobileactivationd don't make the necessary cert of the devices i think you will never boot inside the real os.

Originally posted by VHS View Post

I've got a couple of bypassed T2s and one that won't unlock due to it having Monteray on it.
I also have a water-damaged M1 that won't charge its battery, and it doesn't seem to have sound but other than that, it's running fine and an identical locked M1 that someone could probably make an easy repair of.

the important thing is to find how to unlock it.

**curiositymaster** · 10-29-2022, 02:56 PM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by genhack View Post

If you have a t2 bypassed make a zip with a password of this folder and upload:

Code:

/usr/libexec/

I'm working on T2 latest bridgeOS, can be pwn and i think is possible to bypass!.

Couldn't upload the whole libexec folder here as it was too large (42mb after compression). However, I have uploaded the mobileactivationd file from the bypassed mac if that is enough for your research.

Attached Files

mobileactivationd.zip (66.1 KB, 115 views)

**genhack** · 10-30-2022, 02:03 PM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by curiositymaster View Post

Couldn't upload the whole libexec folder here as it was too large (42mb after compression). However, I have uploaded the mobileactivationd file from the bypassed mac if that is enough for your research.

Tsm ill check.

**fshadow** · 11-02-2022, 09:26 AM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by genhack View Post

I fully agree. Diagnostics do not help the purpose, starting a shell from there wouldn't allow us to do anything.

actually you can get kernel privileges, bypass the FileVault, mount main partition and do whatever you want. I'm on this stage now, and have already booted linux with success. But my goal is to bypass activation lock and install normal macos.

**kevingill** · 11-02-2022, 09:30 AM

Re: Macbook M1 bypass FMM / EFI Unlock

Oh, interesting. Can you update us with how you've managed to boot Linux?

**fshadow** · 11-02-2022, 09:58 AM

Re: Macbook M1 bypass FMM / EFI Unlock

i'm not gonna expose it right now, because it is huge hole in macos security and seems like nobody know it. at first i'll post a vidio next week with poc without ditails, next i'll contact apple bug bounty(i know it's weak) , next... anyway i'll get profit and then i'll tell u

**curiositymaster** · 11-03-2022, 04:18 AM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by fshadow View Post

i'm not gonna expose it right now, because it is huge hole in macos security and seems like nobody know it. at first i'll post a vidio next week with poc without ditails, next i'll contact apple bug bounty(i know it's weak) , next... anyway i'll get profit and then i'll tell u

If you weren't going to share how you managed to bypass filevault, why talk about it?

**curiositymaster** · 11-03-2022, 04:28 AM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by genhack View Post

Tsm ill check.

Kindly update us as your research progresses. Cheers!

**Mmsdma** · 11-03-2022, 08:07 AM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by ugamazing View Post

OK, I found a quick way to pull serial info from locked boards. Going to go through and pull more M1 ROM dumps later this week to check for emails; I still haven't found any in the dumps I've checked (over 25 checked now--including 2 more A2442 boards), but going to play with different scenarios (will take time).

hi guys, has anyone managed to find where the sn is recorded?
After reading through the entire thread I only found information that it is somewhere on the first nand and you can not get to it.

**nomade** · 11-04-2022, 09:29 AM

Re: Macbook M1 bypass FMM / EFI Unlock

Hi guys thank you for sharing your findings and questions.
BTW, has anyone managed to install/run a linux or any other OS on a locked M1 MAC PRO? Could you share how you did it?

Thanks.

**genhack** · 11-05-2022, 07:32 AM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by curiositymaster View Post

Kindly update us as your research progresses. Cheers!

I'm working on, i can't find the original mobileactivationd version for understand where they make the patch. But, i have an idea and in the free time i work on python program, i think this can work easy with a macbook just bypassed. So just for proof of t2 can be pwn:

J40aap key latest bridgeos.

IBSS:
IV: 120402A7168E7AAAC1F94C6A5D58F8F1,
key: 5C1E07A0EA5A8F48D09FA568182172CA74880896761CFA6992006558CDD9981D

IBEC:
IV: 6909A0A0D9675B5BAEFB9ECFAA00386C,
key: C7DA39AF1DB80189C27F5D3A39C01F13D4FD7C7B6453DAADE018DC6188BAD24A

About diagnostic i have no idea how you can boot m1n1 with security on. If you wonna make this a bit of sense send me a pvt thanks.

**ranzoo** · 11-05-2022, 08:16 AM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by alerm View Post

Here you go
I put in some images for you to see from where I got them (If you don't already have them)
I hope this helps a little bit

u get this file by controle+option+commnad +shit+/:

**Mario1241** · 11-05-2022, 01:42 PM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by fshadow View Post

actually you can get kernel privileges, bypass the FileVault, mount main partition and do whatever you want. I'm on this stage now, and have already booted linux with success. But my goal is to bypass activation lock and install normal macos.

Hi fshadow;

Can you share with us how you were able to start in linux?

**killeur** · 11-05-2022, 06:15 PM

Re: Macbook M1 bypass FMM / EFI Unlock

Hello every one,

i want to thank you all for effort and contribution,
I was wondring if any one had tried to replace the ssd nand ships and reset the mac from dfu mode using Apple configurator App ? like replacing a normal ssd would that bypass FMM ? i am new so forgive me if iam saying bullshits.

Regards.

Announcement

Macbook M1 bypass FMM / EFI Unlock

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment