Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by bluestone

How do you get the iCloud email from an iCloud locked & un-erased Mac

As I've yet to read the entire thread, I apologize if my statements are:
- Redundant
- No longer possible

Pre-2018 (non-T2):

1. EFI | ROM .BINs contained the AppleID of an iCloud logged in user.
2. SN modification requires updating a SN-derived CRC HASH.


Medusa 2.7+ edits the SN + fix the Fsys block's checksum on < 2018 macs.

I'm feeling like this is going to be necessary also.

Maybe the BIN location is the same / similar (equal sizes)
I'll look for the exact location with a HEX editor
Compare the file-differences to find the exact location.

Any suggestions of a mac application ideal for this (quickly) may help.

If all of this is common knowledge, I apologize for wasting anyone's time.


The HELP in this forum is just SO AMAZING that I felt obliged to try to do SOMETHING that could be of some utility. And to that end, I have also found the method by which I can read the BIN from my CH341 on MacOS, and intend to provide a thread on that topic ... as it's taken me YEARS to figure it out. If that's pathetic and again, common knowledge, sorry (and yes, I'm embarrassed).


I have several units with MDM locks, one of which is an M1

I will provide the info on the equipment I have in another post so this wall of text doesn't get any more onerous than it already is.

Re: Macbook M1 bypass FMM / EFI Unlock

M1 Dump also contain mail, apple id and details of the user.

Re: Macbook M1 bypass FMM / EFI Unlock

[QUOTE=betonel;1109819]Bypassing M1 involves patching ipsw file.
Eg. UniversalMac_11.0.1_20B29_Restore.ipsw\022-10604034\3_Apple_APFS

KRAActivationAuthViewController


I re-wrote the list (I'd seen it elsewhere also) just to make sure I understood it and to make it maybe cleaner for others...(still iPhone-oriented):






01. Download the iPSW-extension file (official IPSW URL)
02. Change File.IPSW – Change IPSW extension to ZIP.
03. Copy LARGEST DMG to the desktop.
04. A UTILITY & a KEY are required to mount the Encrypted DMG.
5a. FirmWare keys listed at: www.theiphonewiki.com/wiki/Firmware_Keys
5b. Download iDecrypt to mount the DMGat : theiphonewiki.com/wiki/iDecrypt
NOTE: 2nd + 3rd download links were more reliable.
06. Launch iDecrypt: Paste FW key, choose File.DMG & destination.
NOTE: accept iDecrypt warning dialog + enter ROOT password
07. Success message confirms encrypted DMG has been mounted.
08. Open image & navigate to Applications/ dir to delete: Setup.app
09. Close + Eject mounted DMG (reverts to being compressed + encrypted)
10. Ensure modified DMG's name matches the original name.
11. Replace/delete original DMG with modded DMG in folder with 2 DMGs
12. ZIP folder with mod DMG + 2 original DMGs (3 in total).
13. Revert extension from ZIP back to IPSW (check via "get info").

The wording made me think I needed to “re-compress” & “re-encrypt” it.
But iDecrypt doesn’t decrypt or decompress,
...but mount compressed & encrypted data. .




Lessons from non-T2 computers which may apply to T2 ..?
- Pre T2 units with changed SN's “About this Mac” say “bad SN", unless:
- The CRC is at 0x590000 has also bin.
- I located (but don’t understand the changes)...
- And thus, I'll provide pictures of the regions, or study on my own).

LMK if there’s anything you’d like me to do with the equipment i have.

The question is -- how was the SN used to get whatever is at 59 0000 ...?

There were also a TON of differences between the two bins, only separated by
- one with a C-Zero-...
- one with a C-Capital O ...

Yet, when using VBinDiff (great for seeing the differences at each row) ... the differences were FAR more than the SN and the CRC (if that's what's there). And the implicit question is, how this info could allow inferences of what we can do for T2 and more importantly M1 macs going further.

Thanks


Thanks!

Re: Macbook M1 bypass FMM / EFI Unlock

Perhaps a dumb question, but, what about the "Purple iOS" readers?
For iPads / iPhone like Magico: R/W NAND without desoldering.

My understanding of late model iP, iPad + iPad Pro, Air, Mini, etc., is, they're encrypted until the first (keypad) password's entered. But these devices can read them (I do data recovery so this was my initial interest).

Magico (no desoldering) allows editing:
SN / IMEI / BT / Color / RW ROM / Change ROM size, etc.

Re: Macbook M1 bypass FMM / EFI Unlock

Holy shit. The JC looks like a Rusolot NAND reconstructor for iPhones.

If they work this out for MBP I would be VERY interested in that.
(Very interesting interface) !!

Re: Macbook M1 bypass FMM / EFI Unlock


I was wondering if the BINs supplied with the T203 replace the URL that is used to go to the Apple Server, and instead, refers it to a server which authenticates it irrespective the MDM / iC status ...?

Again, no way to test the hypothesis.

Re: Macbook M1 bypass FMM / EFI Unlock


I have both the cable and the Magico device ...

If I know the structure of how i'd set it up I can try it tomorrow ...?

(again, I'm reading the thread to get caught up so hopefully I'm not a day late and dollar short) ..

Re: Macbook M1 bypass FMM / EFI Unlock

One more idea ... get an MDM account ...

I know this isn't a technical solution -- but from what I hear they're more liberal about transferring devices, which, you can then remove. ?

Re: Macbook M1 bypass FMM / EFI Unlock


NOW THIS LOOKS PROMISING!
I dig it -- will try tomorrow also!

Re: Macbook M1 bypass FMM / EFI Unlock

Some elegant naming convention apple went with.

Re: Macbook M1 bypass FMM / EFI Unlock

Does anyone know if this MDM bypass works? It seems like this would only prevent the MacBook from retrieving information that's already been set. It's useless if it doesn't block all communication from the MDM including the ability to remote wipe and lock.

Re: Macbook M1 bypass FMM / EFI Unlock

Hi Nico,

I know the Apple Id from former Owner
How can I use this information.

Re: Macbook M1 bypass FMM / EFI Unlock

Currently we have 3 M1 Pro / Max on deck. Got the iClouds removed due to owner email being tied and looking them up. Currently MDM method is something that should be very easily possible by knowing where the SN is located on this board. Changing that would make it easily possible to remove SN, however, we would have to find legit serials of these devices to implement. I always in my experience take a guess by going to Mac Serial Lookup and type in a few digits to see if it pulls up. In my experience with T2 MDM locks, I always associate the serial with the exact model (A1990 serial changed to another A1990 serial found on Mac Serial Lookup). I would believe this is the same concept for M1 devices. MDM bypass is useless, personally who cares? I personally rather do the hardware method and remove it for good. With that said, if we find any movement on the MDM which I am certain we can it will be possible.

Another thing to add is now we found out that these M1 Pro devices can boot into LINUX, this also opens possible doors to creating a back door into the device...just food for thought.

Re: Macbook M1 bypass FMM / EFI Unlock

Stepen, to install linux on this devices you will need to provide access to partitions from main os, so it's not possible to install linux if it is locked. SN, as we already concluded, is stored on first sectors or ssd nand, iphone style. As external access to nand is not possible for the moment, it remains the hard way.. hardware nand removal/read.

Elegant way will be to write custom firmware for bios which will write on nand whatever we want, but this is beyond my skill

Re: Macbook M1 bypass FMM / EFI Unlock

Hi Stephen,

In another post from November you sad you unlocked an M1 Macbook.
Is there any chance, you tell us what you did?
I am happy to help.

Furthermore for anyone else.
I don't know if I can recreate this, but I updated the Macbook with Apple Configurator 2, when I restored the Macbook via iTunes on Windows with an older Firmware ISPW in noticed iBoot was on an older version.
This is what I got from Windows Device Manager:
[iBoot-5540.0.0.400.2]
Maybe this information can help.

Re: Macbook M1 bypass FMM / EFI Unlock

That's true, M1 can be downgraded because there are signed ipsw available, but even the oldest iBridge version for M1 is not vulnerable to checkra1n. Don't expect much from Stephen, he did nothing on M1, neither on t2, he just started a thread to show how to use t203. Let's not close this thread as t2 was, we still have much to find about M1.

Re: Macbook M1 bypass FMM / EFI Unlock

Hi Betonel,

Stephen statet on another thread these words:

Re: Macbook M1 bypass FMM / EFI Unlock

I don't see that as an affirmative, he made that post out of excitement and as betonel said; Stephen didn't say anywhere (not even in that post you quoted) that he's found an unlock solution for M1.

Re: Macbook M1 bypass FMM / EFI Unlock

I think he found out a way but it requires a MDM server, so... Nothing is happening in the near future I guess.

Re: Macbook M1 bypass FMM / EFI Unlock

hi I'm glad to follow this excited thread ,changing M1 serial will be useful only if apple didn't change activation method