Macbook M1 bypass FMM / EFI Unlock

[betonel]

Here we try to figure out a way to bypass activation lock (FMM) and password lock. Until now there is no method available, but we're working to figure it out.

What we know so far:

1. There is a W25Q64 8Mb 3x4mm wson8 chip on the back of the board with part of NVRAM ( some strings can be seen in its dump, eg: iBoot-6723.50.2, boot-args=.nonce-seeds=, luetoothInternalControllerInfo= bt mac, InstallPhase -> Boot 1 ) but no serial number in clear.

Other strings: Apple Secure Boot Root CA - G21.0, AppleStorageProcessorANS2-1161.40.21~221

2. Some suggest SN might be stored in ssd first nand, on hidden partition, some say it is tied to M1 processor itself ( which I doubt ).

3. Checkra1n / MinaTool / CheckM8 solution does not work on these devices, as there is newer iBoot version (T2 bios chip is just 4Mb vs M1 8Mb). An idea would be to downgrade iBoot so can be accessed on ssh. Good dump would be required here, maybe there are older versions we can use.

4. I have discovered a way to browse with safari if you boot into diagnostics mode ( hold on power until startup option is shown then press and hold Command-D, let it finish checking then click on find out more ), but from here you can't run any app, even if you can see it on usb mass storage attached. You can also download app but couldn't find a way to run it.

5. Now I have W25Q64 outside of locked macbook, wired to the board with long cable, so tests can be performed easier.
If you have dumps for 13"/14"/15" ( locked /unlocked ) please share them here for testing and comparation. Dump with secureboot disabled might help.

6. Other way around can be writing SN from locked M1 into unlocked T2 mac, register it to mdm/icloud then get code. Looking for volunteers.

Once we find out more interesting things will edit this first post to keep it simple. There is no doubt we'll find solution soon.

[curiositymaster]

Quote:

Originally Posted by betonel

Here we try to figure out a way to bypass activation lock (FMM) and password lock. Until now there is no method available, but we're working to figure it out.

Do you have boardview file/schematics for any 13" M1? I need to know where the w25q64 is located and how did you manage to read it?

[SMDFlea]

Quote:

Originally Posted by curiositymaster

Do you have boardview file/schematics for any 13" M1? I need to know where the w25q64 is located and how did you manage to read it?

Schematic requests go here: https://www.badcaps.net/forum/forumdisplay.php?f=41 .Use the forum search as well,it might be posted already

[betonel]

Quote:

Originally Posted by curiositymaster

Do you have boardview file/schematics for any 13" M1? I need to know where the w25q64 is located and how did you manage to read it?

Winbond chip is located on the back side of the board similar with T2 models. Attached you can find some pictures of what I've done. Be careful, it's 1.8V chip, so you need to use appropriate programmer adapter.
If you wonder what kind of wires I've used.. it's old pc IDE cable


Instead of wasting money on T203 (~$200) and get stuck with uson4*3 or DS809SE (~$200) which is exactly an R809F i use this:


64$ RT809F + 15 adapters ( 1.8V adapter required!)
https://s.click.aliexpress.com/e/_A6uAnD
Programmer ( same as DS809SE )


25$ MacBook Apple Notebook Maintenance Serial Number Modification Tool T2 Chip Unlock BIOS Read Adapter Board
https://s.click.aliexpress.com/e/_ApVJfz
Let us program USON2*3 U3750+U3710 Wifi+BT ROM, XSON4*4, Apple T2 ROM USON 4*3 and Macbook M1 SOC, WSON6*5, WSON**6 and WLCSP 16 ball used on A1534 bios or SSD rom.

$52 Sam Connector with Seat Socket Serial Line for DS809SE
https://s.click.aliexpress.com/e/_A0aPKx
Small mod is required to work with RT809F: undo all pins from connector and put it reverse way -> red will be on opposite side , and run a wire from PIN 8 (+) to pin 8 on the board , which you can hold it by hand, without needing to power on MB machine.

[curiositymaster]

Quote:

Originally Posted by betonel

Winbond chip is located on the back side of the board similar with T2 models. Attached you can find some pictures of what I've done. Be careful, it's 1.8V chip, so you need to use appropriate programmer adapter.
If you wonder what kind of wires I've used.. it's old pc IDE cable


Instead of wasting money on T203 (~$200) and get stuck with uson4*3 or DS809SE (~$200) which is exactly an R809F i use this:


64$ RT809F + 15 adapters ( 1.8V adapter required!)
https://s.click.aliexpress.com/e/_A6uAnD
Programmer ( same as DS809SE )

25$ MacBook Apple Notebook Maintenance Serial Number Modification Tool T2 Chip Unlock BIOS Read Adapter Board
https://s.click.aliexpress.com/e/_ApVJfz
Let us program USON2*3 U3750+U3710 Wifi+BT ROM, XSON4*4, Apple T2 ROM USON 4*3 and Macbook M1 SOC, WSON6*5, WSON**6 and WLCSP 16 ball used on A1534 bios or SSD rom.

$52 Sam Connector with Seat Socket Serial Line for DS809SE
https://s.click.aliexpress.com/e/_A0aPKx
Small mod is required to work with RT809F: undo all pins from connector and put it reverse way -> red will be on opposite side , and run a wire from PIN 8 (+) to pin 8 on the board , which you can hold it by hand, without needing to power on MB machine.

Thanks for this info. I have the DS809SE and t203.

[TrumanHW]

Quote:

Originally Posted by betonel

Instead of wasting $$$
~$250+ - on T203 for a USON 4×3 or
~$200 - for an DS809SE (exactly an R809F)

Use these...

$ 64 - RT809F (with 15 adapters)
$ 10 - 1.8V 'Level shifter' (for T2 ROM)

Very good advice:

If the M2012 - 2013 Retina 13"+15" isn't needed, would this be a good deal?


$38 www.aliexpress.com/item/201005003289066054.html
- Includes the CH314a
- The PCB to solder the T2 ROM (4x3mm)
- Includes J6100 connectors for Late-2013 - 2017 (excludes M12-E13 retina)
- Negates any need for getting the VCC, CLK, wiring (already done).

Already Includes the:
$20 - T2 board
$45 - "SAM connectors" (just not the M12 - E13, looks but ≠ L13-M14)
$ 5 - Includes CH314a plus the 'DIL' adapter interface to the cables...
(not as good a programmer but can be okay)


The attached annotated image shows Betonel's suggested means of reading
the T2 with the Level Shifter and, by soldering it on a 4x3 reader.

(which he suggests bc 'clamshell' adapters are all a FORTUNE for 4x3mm).

Betonel: I found a "3mm x 3mm" that's 1/3rd the price ... think it'd fit..?

https://www.aliexpress.com/item/1005001510434419.html
(I ask bc it looks like the width of the chip is 'unconstrained' in the holder..?)


Last:
You wired the board analyzer (Zaleae) where the T2's ROM mounts...

Are you really decoding the SINGALS that way ..? (reverse engineering it?!)
The M1 looks RIDICULOUSLY difficult :'( (see animated GIF)

[tungtuoitinh]

Quote:

Originally Posted by betonel

Winbond chip is located on the back side of the board similar with T2 models. Attached you can find some pictures of what I've done. Be careful, it's 1.8V chip, so you need to use appropriate programmer adapter.
If you wonder what kind of wires I've used.. it's old pc IDE cable


Instead of wasting money on T203 (~$200) and get stuck with uson4*3 or DS809SE (~$200) which is exactly an R809F i use this:


64$ RT809F + 15 adapters ( 1.8V adapter required!)
https://s.click.aliexpress.com/e/_A6uAnD
Programmer ( same as DS809SE )


25$ MacBook Apple Notebook Maintenance Serial Number Modification Tool T2 Chip Unlock BIOS Read Adapter Board
https://s.click.aliexpress.com/e/_ApVJfz
Let us program USON2*3 U3750+U3710 Wifi+BT ROM, XSON4*4, Apple T2 ROM USON 4*3 and Macbook M1 SOC, WSON6*5, WSON**6 and WLCSP 16 ball used on A1534 bios or SSD rom.

$52 Sam Connector with Seat Socket Serial Line for DS809SE
https://s.click.aliexpress.com/e/_A0aPKx
Small mod is required to work with RT809F: undo all pins from connector and put it reverse way -> red will be on opposite side , and run a wire from PIN 8 (+) to pin 8 on the board , which you can hold it by hand, without needing to power on MB machine.

in this image, i can see you use apdapter "DIP8 to SOP8 0.65mm" to read Uson8 4*3 T2 chip, does it fit?
sorry for dumb question because im a newbie and I'm a knowledge seeker
Sr english not my main language,
Hope you reply me soon

[kevingill]

A DIP8 to SOP8 won't work.
You need a board from AliExpress called "serial number modification tool T2 chip unlocking BIOS reading adapter board" as posted by betonel.
This has USON8 and other types of useful pinouts.

[tungtuoitinh]

thanks for answer, but my Macbook in new version bridgeOS, hope checkra1n team do something

[tungtuoitinh]

Quote:

Originally Posted by kevingill

A DIP8 to SOP8 won't work.
You need a board from AliExpress called "serial number modification tool T2 chip unlocking BIOS reading adapter board" as posted by betonel.
This has USON8 and other types of useful pinouts.

over 20$ in my country very expensive, what do you think when I use copper jump wire to connect T2 Rom chip in Adapter "DIP8 to SOP8"

[Stephen]

Quote:

Originally Posted by betonel

Here we try to figure out a way to bypass activation lock (FMM) and password lock. Until now there is no method available, but we're working to figure it out.

What we know so far:

1. There is a W25Q64 8Mb 3x4mm wson8 chip on the back of the board with part of NVRAM ( some strings can be seen in its dump, eg: iBoot-6723.50.2, boot-args=.nonce-seeds=, luetoothInternalControllerInfo= bt mac, InstallPhase -> Boot 1 ) but no serial number in clear.

Other strings: Apple Secure Boot Root CA - G21.0, AppleStorageProcessorANS2-1161.40.21~221

2. Some suggest SN might be stored in ssd first nand, on hidden partition, some say it is tied to M1 processor itself ( which I doubt ).

3. Checkra1n / MinaTool / CheckM8 solution does not work on these devices, as there is newer iBoot version (T2 bios chip is just 4Mb vs M1 8Mb). An idea would be to downgrade iBoot so can be accessed on ssh. Good dump would be required here, maybe there are older versions we can use.

4. I have discovered a way to browse with safari if you boot into diagnostics mode ( hold on power until startup option is shown then press and hold Command-D, let it finish checking then click on find out more ), but from here you can't run any app, even if you can see it on usb mass storage attached. You can also download app but couldn't find a way to run it.

5. Now I have W25Q64 outside of locked macbook, wired to the board with long cable, so tests can be performed easier.
If you have dumps for 13"/14"/15" ( locked /unlocked ) please share them here for testing and comparation. Dump with secureboot disabled might help.

6. Other way around can be writing SN from locked M1 into unlocked T2 mac, register it to mdm/icloud then get code. Looking for volunteers.

Once we find out more interesting things will edit this first post to keep it simple. There is no doubt we'll find solution soon.

You are on to something, however, the M1 Soc Rom chip does not have Serial Data on it. We have verified this with an MBA M1. No actual serial data on that, now I would not be surpised it is on the M1 itself...or the nand as you suggest, but why would it be in the nand is my question. It may be on something, if we can track that down, we just solved M1 locked devices that are MDM locked. Easy peasy

[Nico Latour]

Quote:

Originally Posted by Stephen

You are on to something, however, the M1 Soc Rom chip does not have Serial Data on it. We have verified this with an MBA M1. No actual serial data on that, now I would not be surpised it is on the M1 itself...or the nand as you suggest, but why would it be in the nand is my question. It may be on something, if we can track that down, we just solved M1 locked devices that are MDM locked. Easy peasy

m1 bin is encrypt! when you decrypt you see serial!!! but change serial in this bin is not working for unlock icloud)

[mazoot]

Quote:

Originally Posted by Nico Latour

m1 bin is encrypt! when you decrypt you see serial!!! but change serial in this bin is not working for unlock icloud)

how about MDM locked M1 with modified serial situation? Did you test ?

[RethoricalCheese]

Why would it be in the nand? Have you seen iPhones and iPads? Apple has done it before so it might be same with M1 macbooks.

[Stephen]

Quote:

Originally Posted by RethoricalCheese

Why would it be in the nand? Have you seen iPhones and iPads? Apple has done it before so it might be same with M1 macbooks.

Where would it be then? For sure not the nand I am sure...

[heatorious]

To add on this would be MDM locks with fmm off. Is there a bypass or full removal option. I wrote a script back for 2015-2017 models before the usb thing to bypass the mdm prompts upon boot. Will be looking into getting a M1 and tweaking to see if i can get it to work on a M1.

[LEOMORALES]

It's the Nand. The info is in the nand. We have lowered the nand and tried to read with irrepair 12 but it does not let me read, it is hidden in some way. If you could access that hidden info, it would be there like the iPad info.

[betonel]

What if you remove nand and run diagnostic mode, I guess you will be able to see SN there. Funny will be that SN is generated from bt mac + wifi mac, and we're looking for something that doesn't exist.

Need to compare dumps from SOC rom of M1, @Stephen, can you share some? Will upload mine tomorrow.

[Stephen]

Quote:

Originally Posted by betonel

What if you remove nand and run diagnostic mode, I guess you will be able to see SN there. Funny will be that SN is generated from bt mac + wifi mac, and we're looking for something that doesn't exist.

Need to compare dumps from SOC rom of M1, @Stephen, can you share some? Will upload mine tomorrow.

Sure I can get some M1 info for a locked device.

[betonel]

Quote:

Originally Posted by Stephen

Sure I can get some M1 info for a locked device.

Attached is my SOC chip dump and multiple tests.
SN from this dump is FVFDV113Q05P.

Please upload yours..
Unlocked with Secure boot disabled is wanted.

btw: if you re not a bot, to get correct SN, xor all 1 with 1