Badcaps Forums

Badcaps Forums (https://www.badcaps.net/forum/index.php)
-   BIOS Requests ONLY! (https://www.badcaps.net/forum/forumdisplay.php?f=40)
-   -   Macbook M1 bypass FMM / EFI Unlock (https://www.badcaps.net/forum/showthread.php?t=103095)

betonel 01-31-2022 08:46 AM

Macbook M1 bypass FMM / EFI Unlock
 
Here we try to figure out a way to bypass activation lock (FMM) and password lock. So far there is no method available, but we're working to figure it out.

What we know so far:

1. There is a W25Q64 8Mb 3x4mm WSON8 chip on the back of the board with part of the NVRAM (some strings can be seen in its dump, e.g. iBoot-6723.50.2, boot-args=.nonce-seeds=, luetoothInternalControllerInfo= bt mac, InstallPhase -> Boot 1), but no serial number in clear.

Other strings: Apple Secure Boot Root CA - G21.0, AppleStorageProcessorANS2-1161.40.21~221

2. Some suggest the SN might be stored in the SSD's first NAND, on a hidden partition; some say it is tied to the M1 processor itself (which I doubt).

3. The checkra1n / MinaTool / checkm8 solution does not work on these devices, as there is a newer iBoot version (the T2 BIOS chip is just 4Mb vs 8Mb on the M1). An idea would be to downgrade iBoot so it can be accessed over SSH. A good dump would be required here; maybe there are older versions we can use.

4. I have discovered a way to browse with Safari if you boot into Diagnostics mode (hold the power button until the startup options are shown, then press and hold Command-D, let it finish checking, then click on "Find out more"), but from there you can't run any app, even if you can see it on an attached USB mass storage device. You can also download an app, but I couldn't find a way to run it.

5. Now I have the W25Q64 outside of the locked MacBook, wired to the board with a long cable, so tests can be performed more easily.
If you have dumps for 13"/14"/15" (locked/unlocked) please share them here for testing and comparison. A dump with Secure Boot disabled might help.

6. The other way around would be writing the SN from a locked M1 into an unlocked T2 Mac, registering it to MDM/iCloud, then getting the code. Looking for volunteers.

Once we find out more interesting things I will edit this first post to keep it simple. There is no doubt we'll find a solution soon. :rejoice:

curiositymaster 01-31-2022 11:38 AM

Re: Macbook M1 bypass FMM / EFI Unlock
 
Quote:

Originally Posted by betonel (Post 1104627)
Here we try to figure out a way to bypass activation lock (FMM) and password lock. So far there is no method available, but we're working to figure it out.

Do you have a boardview file/schematics for any 13" M1? I need to know where the W25Q64 is located and how you managed to read it.

SMDFlea 01-31-2022 01:31 PM

Re: Macbook M1 bypass FMM / EFI Unlock
 
Quote:

Originally Posted by curiositymaster (Post 1104704)
Do you have a boardview file/schematics for any 13" M1? I need to know where the W25Q64 is located and how you managed to read it.

Schematic requests go here: https://www.badcaps.net/forum/forumdisplay.php?f=41 . Use the forum search as well; it might be posted already.

Stephen 01-31-2022 02:20 PM

Re: Macbook M1 bypass FMM / EFI Unlock
 
Quote:

Originally Posted by betonel (Post 1104627)
Here we try to figure out a way to bypass activation lock (FMM) and password lock. So far there is no method available, but we're working to figure it out.

You are on to something; however, the M1 SoC ROM chip does not have serial data on it. We have verified this with an MBA M1. No actual serial data on that. Now I would not be surprised if it is on the M1 itself... or the NAND as you suggest, but why would it be in the NAND is my question. It may be on something; if we can track that down, we have just solved M1 locked devices that are MDM locked. Easy peasy ;)

RethoricalCheese 01-31-2022 02:25 PM

Re: Macbook M1 bypass FMM / EFI Unlock
 
Why would it be in the NAND? Have you seen iPhones and iPads? :) Apple has done it before, so it might be the same with M1 MacBooks.

Stephen 01-31-2022 02:35 PM

Re: Macbook M1 bypass FMM / EFI Unlock
 
Quote:

Originally Posted by RethoricalCheese (Post 1104759)
Why would it be in the NAND? Have you seen iPhones and iPads? :) Apple has done it before, so it might be the same with M1 MacBooks.

Where would it be then? For sure not the NAND, I am sure...

heatorious 01-31-2022 02:51 PM

Re: Macbook M1 bypass FMM / EFI Unlock
 
To add to this: what about MDM locks with FMM off? Is there a bypass or full removal option? I wrote a script back for the 2015-2017 models, before the USB thing, to bypass the MDM prompts upon boot. I will be looking into getting an M1 and tweaking it to see if I can get it to work on an M1.

LEOMORALES 01-31-2022 03:23 PM

Re: Macbook M1 bypass FMM / EFI Unlock
 
It's the NAND. The info is in the NAND. We have lowered the NAND and tried to read it with irrepair 12, but it does not let me read; it is hidden in some way. If you could access that hidden info, it would be there like the iPad info.

betonel 01-31-2022 04:21 PM

Re: Macbook M1 bypass FMM / EFI Unlock
 
What if you remove the NAND and run Diagnostics mode? I guess you will be able to see the SN there. It would be funny if the SN is generated from the BT MAC + WiFi MAC, and we're looking for something that doesn't exist.

Need to compare dumps from the SoC ROM of the M1. @Stephen, can you share some? I will upload mine tomorrow.

Stephen 01-31-2022 11:13 PM

Re: Macbook M1 bypass FMM / EFI Unlock
 
Quote:

Originally Posted by betonel (Post 1104801)
What if you remove the NAND and run Diagnostics mode? I guess you will be able to see the SN there. It would be funny if the SN is generated from the BT MAC + WiFi MAC, and we're looking for something that doesn't exist.

Need to compare dumps from the SoC ROM of the M1. @Stephen, can you share some? I will upload mine tomorrow.

Sure I can get some M1 info for a locked device.

betonel 02-01-2022 01:58 AM

Re: Macbook M1 bypass FMM / EFI Unlock
 
10 Attachment(s)
Quote:

Originally Posted by curiositymaster (Post 1104704)
Do you have a boardview file/schematics for any 13" M1? I need to know where the W25Q64 is located and how you managed to read it.

The Winbond chip is located on the back side of the board, similar to the T2 models. Attached you can find some pictures of what I've done. Be careful, it's a 1.8V chip, so you need to use an appropriate programmer adapter.
If you wonder what kind of wires I've used... it's an old PC IDE cable :compy:


Instead of wasting money on a T203 (~$200) and getting stuck with USON 4*3, or a DS809SE (~$200) which is exactly an RT809F, I use this:


$64 RT809F + 15 adapters (1.8V adapter required!)
https://s.click.aliexpress.com/e/_A6uAnD
Programmer (same as DS809SE)


$25 MacBook Apple Notebook Maintenance Serial Number Modification Tool T2 Chip Unlock BIOS Read Adapter Board
https://s.click.aliexpress.com/e/_ApVJfz
Lets us program USON 2*3 U3750+U3710 WiFi+BT ROM, XSON 4*4, Apple T2 ROM USON 4*3 and MacBook M1 SoC, WSON 6*5, WSON**6 and WLCSP 16-ball used on the A1534 BIOS or SSD ROM.

$52 SAM connector with seat socket serial line for DS809SE
https://s.click.aliexpress.com/e/_A0aPKx
A small mod is required to work with the RT809F: undo all pins from the connector and put them in the reverse way -> red will be on the opposite side, and run a wire from PIN 8 (+) to pin 8 on the board, which you can hold by hand, without needing to power on the MacBook.

betonel 02-01-2022 02:17 AM

Re: Macbook M1 bypass FMM / EFI Unlock
 
1 Attachment(s)
Quote:

Originally Posted by Stephen (Post 1104886)
Sure I can get some M1 info for a locked device.

Attached is my SoC chip dump and multiple tests.
The SN from this dump is FVFDV113Q05P.

Please upload yours.. :spin:
An unlocked one with Secure Boot disabled is wanted. :uzi:

btw: if you're not a bot, to get the correct SN, xor all 1 with 1

Stephen 02-01-2022 08:54 AM

Re: Macbook M1 bypass FMM / EFI Unlock
 
Quote:

Originally Posted by betonel (Post 1104918)
Attached is my SoC chip dump and multiple tests.
The SN from this dump is FVFDV113Q05P.

Please upload yours.. :spin:
An unlocked one with Secure Boot disabled is wanted. :uzi:

btw: if you're not a bot, to get the correct SN, xor all 1 with 1


How did you get the serial number from the dump, besides from the bottom case of the MacBook? Was this from the chip or the bottom case? This information will make M1 unlocks a piece of cake with a serial number change for MDMs.

betonel 02-01-2022 09:05 AM

Re: Macbook M1 bypass FMM / EFI Unlock
 
Quote:

Originally Posted by Stephen (Post 1105023)
How did you get the serial number from the dump, besides from the bottom case of the MacBook? Was this from the chip or the bottom case? This information will make M1 unlocks a piece of cake with a serial number change for MDMs.

Unfortunately the SN is from the bottom case and/or from Diagnostics mode. Can you share your M1 SoC dumps?

imranromi 02-01-2022 09:52 AM

Re: Macbook M1 bypass FMM / EFI Unlock
 
2 Attachment(s)
Quote:

Originally Posted by betonel (Post 1105025)
Unfortunately the SN is from the bottom case and/or from Diagnostics mode. Can you share your M1 SoC dumps?

Here, both files are M1,
MDM locked.

heatorious 02-01-2022 06:21 PM

Re: Macbook M1 bypass FMM / EFI Unlock
 
Does anyone have a working M1 with FMM off and MDM locked? If so, can you PM me? I want to try to see if I can do a decent bypass of the prompts through updating until we have a more permanent solution. I've only seen some things about editing the hosts file; I don't know how that would go through updates.

betonel 02-02-2022 04:08 AM

Re: Macbook M1 bypass FMM / EFI Unlock
 
Quote:

Originally Posted by imranromi (Post 1105033)
Here, both files are M1,
MDM locked.

Please tell us the SN for each dump and the machine type. BTW..

I couldn't start my MBP M1 13" 2020 with your dumps. It will start DFU mode at least.

M1.bin -> iboot-6723.61.3
M2.bin -> iboot-6723.41.11
my.bin -> iboot-6723.50.2
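The dump triage being done by hand in this thread (checking that a read is good, pulling the iBoot version string out of each image as in the list above, searching for a clear-text serial as in the first post, and comparing two images sector by sector) can be scripted. The following is an added example, not code posted by anyone in the thread. It assumes raw binary images as written by the programmer (a W25Q64 is 64 Mbit = 8 MiB with 4 KiB erase sectors); the 12-character upper-case alphanumeric serial pattern is an assumption used only to look for clear-text candidates, and the sample images built by `make_sample` are constructed, not real board data.

```python
#!/usr/bin/env python3
"""Triage helpers for raw SPI-flash dumps (W25Q64-style images).

Added example, not code from this thread. Assumes raw binary images as a
programmer writes them. W25Q64: 64 Mbit = 8 MiB, 4 KiB erase sectors. The
serial-number pattern (12 upper-case alphanumerics) is an assumption used
only to search for clear-text candidates.
"""
import re
import sys

SECTOR = 4096                  # W25Q64 erase-sector size; diff granularity below
CHIP_SIZE = 8 * 1024 * 1024    # W25Q64: 64 Mbit = 8 MiB

PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")
IBOOT_RE = re.compile(rb"iBoot-\d+(?:\.\d+)+")
NAME_RE = re.compile(r"[A-Za-z][\w\-]{2,}")                      # NVRAM variable names
SERIAL_RE = re.compile(rb"(?<![0-9A-Z])[0-9A-Z]{12}(?![0-9A-Z])")  # assumed serial shape


def strings(data):
    """Printable ASCII runs of 4+ bytes, like the `strings` utility."""
    return [m.group().decode("ascii") for m in PRINTABLE_RE.finditer(data)]


def sanity_check(data, expected_size=CHIP_SIZE):
    """Flag the usual signs of a bad read: wrong length, or a blank image
    (all 0xFF = erased chip or undriven bus, all 0x00 = MISO stuck low)."""
    problems = []
    if len(data) != expected_size:
        problems.append("size %d != expected %d" % (len(data), expected_size))
    if data and data.count(0xFF) == len(data):
        problems.append("image is all 0xFF: erased chip or SPI bus not driven")
    elif data and data.count(0x00) == len(data):
        problems.append("image is all 0x00: MISO stuck low or chip unpowered")
    return problems


def iboot_versions(data):
    """Distinct iBoot version strings present in the image."""
    return sorted({m.group().decode("ascii") for m in IBOOT_RE.finditer(data)})


def nvram_pairs(data):
    """name=value fragments among the printable strings (boot-args=, ...).
    First occurrence wins, which is good enough for eyeballing a dump."""
    pairs = {}
    for s in strings(data):
        name, sep, value = s.partition("=")
        if sep and NAME_RE.fullmatch(name):
            pairs.setdefault(name, value)
    return pairs


def serial_candidates(data):
    """Clear-text tokens shaped like a serial number. Pure-hex and pure-digit
    runs are dropped because they are usually hashes or counters; an empty
    result matches what the thread reports for the M1 SoC ROM."""
    hits = set()
    for m in SERIAL_RE.finditer(data):
        tok = m.group()
        if tok.isdigit() or re.fullmatch(rb"[0-9A-F]{12}", tok):
            continue
        hits.add(tok.decode("ascii"))
    return sorted(hits)


def diff_sectors(a, b, sector=SECTOR):
    """Offsets of erase sectors that differ between two dumps of equal size."""
    if len(a) != len(b):
        raise ValueError("dumps differ in size; compare like with like")
    return [off for off in range(0, len(a), sector)
            if a[off:off + sector] != b[off:off + sector]]


def make_sample(iboot, extras=(), size=16 * SECTOR):
    """Constructed stand-in for a dump: erased flash with a few NUL-terminated
    strings at 64-byte spacing inside sector 1. Not data from a real board."""
    img = bytearray(b"\xff" * size)
    items = [iboot.encode(), b"boot-args=", b"nonce-seeds=",
             b"Apple Secure Boot Root CA - G2", *extras]
    off = SECTOR
    for item in items:
        img[off:off + len(item) + 1] = item + b"\0"
        off += 0x40
    return bytes(img)


if __name__ == "__main__":
    # usage: python dumpcheck.py my.bin [other.bin]
    paths = sys.argv[1:3]
    imgs = [open(p, "rb").read() for p in paths]
    for p, d in zip(paths, imgs):
        print(p, sanity_check(d) or "ok", iboot_versions(d),
              "serial candidates:", serial_candidates(d) or "none")
    if len(imgs) == 2:
        print("differing sectors:", ["0x%06x" % o for o in diff_sectors(*imgs)])
```

Run it on two dumps of the same chip (for example a locked and an unlocked board of the same model) and the sector list narrows the comparison to the few 4 KiB regions that actually changed, instead of scrolling through 8 MiB in a hex editor. A dump that fails `sanity_check` was most likely read at the wrong voltage or with a bad connection and is not worth comparing.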

Nico Latour 02-02-2022 03:11 PM

Re: Macbook M1 bypass FMM / EFI Unlock
 
Quote:

Originally Posted by Stephen (Post 1104756)
You are on to something; however, the M1 SoC ROM chip does not have serial data on it. We have verified this with an MBA M1. No actual serial data on that. Now I would not be surprised if it is on the M1 itself... or the NAND as you suggest, but why would it be in the NAND is my question. It may be on something; if we can track that down, we have just solved M1 locked devices that are MDM locked. Easy peasy ;)

The M1 bin is encrypted! When you decrypt it you see the serial!!! But changing the serial in this bin is not working for iCloud unlock.

curiositymaster 02-02-2022 10:25 PM

Re: Macbook M1 bypass FMM / EFI Unlock
 
Quote:

Originally Posted by betonel (Post 1104915)
The Winbond chip is located on the back side of the board, similar to the T2 models. Attached you can find some pictures of what I've done. Be careful, it's a 1.8V chip, so you need to use an appropriate programmer adapter.
If you wonder what kind of wires I've used... it's an old PC IDE cable :compy:

Thanks for this info. I have the DS809SE and t203.

ebaymonster 02-02-2022 11:35 PM

Re: Macbook M1 bypass FMM / EFI Unlock
 
Quote:

Originally Posted by betonel (Post 1105025)
Unfortunately the SN is from the bottom case and/or from Diagnostics mode. Can you share your M1 SoC dumps?

I have 5 pcs MBA 2020 M1 and 1 MBP 13 M1 + T203. If you want I can desolder them and make a dump.
