Badcaps.net Forum
Old 01-31-2022, 08:46 AM   #1
betonel
Member
 
Join Date: Nov 2015
City & State: bucharest
My Country: romania
Line Voltage: 380V 50Hz
I'm a: Knowledge Seeker
Posts: 31
Default Macbook M1 bypass FMM / EFI Unlock

Here we try to figure out a way to bypass activation lock (FMM) and password lock. Until now there is no method available, but we're working to figure it out.

What we know so far:

1. There is a W25Q64 8Mb 3x4mm WSON8 chip on the back of the board with part of the NVRAM (some strings can be seen in its dump, e.g.: iBoot-6723.50.2, boot-args=.nonce-seeds=, luetoothInternalControllerInfo= bt mac, InstallPhase -> Boot 1) but no serial number in the clear.

Other strings: Apple Secure Boot Root CA - G21.0, AppleStorageProcessorANS2-1161.40.21~221

2. Some suggest the SN might be stored in the SSD's first NAND, on a hidden partition; some say it is tied to the M1 processor itself (which I doubt).

3. The Checkra1n / MinaTool / CheckM8 solution does not work on these devices, as there is a newer iBoot version (the T2 BIOS chip is just 4Mb vs. the M1's 8Mb). An idea would be to downgrade iBoot so it can be accessed over SSH. A good dump would be required here; maybe there are older versions we can use.

4. I have discovered a way to browse with Safari if you boot into diagnostics mode (hold the power button until the startup options are shown, then press and hold Command-D, let it finish checking, then click on "find out more"), but from here you can't run any app, even if you can see it on an attached USB mass storage device. You can also download an app, but I couldn't find a way to run it.

5. Now I have the W25Q64 outside of the locked MacBook, wired to the board with a long cable, so tests can be performed more easily.
If you have dumps for 13"/14"/15" (locked/unlocked), please share them here for testing and comparison. A dump with secure boot disabled might help.

6. Another way around could be writing the SN from a locked M1 into an unlocked T2 Mac, registering it to MDM/iCloud, then getting the code. Looking for volunteers.

Once we find out more interesting things, I will edit this first post to keep it simple. There is no doubt we'll find a solution soon.

Last edited by betonel; 01-31-2022 at 09:57 AM..
Old 01-31-2022, 11:38 AM   #2
curiositymaster
Member
 
Join Date: Apr 2021
City & State: Lagos
My Country: Nigeria
I'm a: Knowledge Seeker
Posts: 49
Default Re: Macbook M1 bypass FMM / EFI Unlock

Quote:
Originally Posted by betonel View Post
Here we try to figure out a way to bypass activation lock (FMM) and password lock. Until now there is no method available, but we're working to figure it out.
Do you have a boardview file/schematics for any 13" M1? I need to know where the W25Q64 is located. How did you manage to read it?

Last edited by SMDFlea; 01-31-2022 at 01:30 PM..
Old 01-31-2022, 01:31 PM   #3
SMDFlea
Super Moderator
 
Join Date: Jan 2018
City & State: York
My Country: UK
I'm a: Knowledge Seeker
Posts: 10,764
Default Re: Macbook M1 bypass FMM / EFI Unlock

Quote:
Originally Posted by curiositymaster View Post
Do you have a boardview file/schematics for any 13" M1? I need to know where the W25Q64 is located. How did you manage to read it?
Schematic requests go here: https://www.badcaps.net/forum/forumdisplay.php?f=41 . Use the forum search as well, it might be posted already.
Old 01-31-2022, 02:20 PM   #4
Stephen
Meow Meow MEOW!
 
Join Date: Apr 2020
City & State: USA 🇺🇸
My Country: United States
Line Voltage: 120VAC 60hz
I'm a: Hardcore Geek
Posts: 412
Default Re: Macbook M1 bypass FMM / EFI Unlock

Quote:
Originally Posted by betonel View Post
Here we try to figure out a way to bypass activation lock (FMM) and password lock. Until now there is no method available, but we're working to figure it out.

What we know so far:

1. There is a W25Q64 8Mb 3x4mm WSON8 chip on the back of the board with part of the NVRAM (some strings can be seen in its dump, e.g.: iBoot-6723.50.2, boot-args=.nonce-seeds=, luetoothInternalControllerInfo= bt mac, InstallPhase -> Boot 1) but no serial number in the clear.

Other strings: Apple Secure Boot Root CA - G21.0, AppleStorageProcessorANS2-1161.40.21~221

2. Some suggest the SN might be stored in the SSD's first NAND, on a hidden partition; some say it is tied to the M1 processor itself (which I doubt).

3. The Checkra1n / MinaTool / CheckM8 solution does not work on these devices, as there is a newer iBoot version (the T2 BIOS chip is just 4Mb vs. the M1's 8Mb). An idea would be to downgrade iBoot so it can be accessed over SSH. A good dump would be required here; maybe there are older versions we can use.

4. I have discovered a way to browse with Safari if you boot into diagnostics mode (hold the power button until the startup options are shown, then press and hold Command-D, let it finish checking, then click on "find out more"), but from here you can't run any app, even if you can see it on an attached USB mass storage device. You can also download an app, but I couldn't find a way to run it.

5. Now I have the W25Q64 outside of the locked MacBook, wired to the board with a long cable, so tests can be performed more easily.
If you have dumps for 13"/14"/15" (locked/unlocked), please share them here for testing and comparison. A dump with secure boot disabled might help.

6. Another way around could be writing the SN from a locked M1 into an unlocked T2 Mac, registering it to MDM/iCloud, then getting the code. Looking for volunteers.

Once we find out more interesting things, I will edit this first post to keep it simple. There is no doubt we'll find a solution soon.
You are on to something; however, the M1 SoC ROM chip does not have serial data on it. We have verified this with an MBA M1. No actual serial data on that. Now, I would not be surprised if it is on the M1 itself... or the NAND as you suggest, but why would it be in the NAND is my question. It may be on something; if we can track that down, we just solved M1 locked devices that are MDM locked. Easy peasy
__________________

MEOWING IN THE IMPOSSIBLE UNIVERSE!
Old 01-31-2022, 02:25 PM   #5
RethoricalCheese
Badcaps Veteran
 
Join Date: Mar 2013
City & State: Tartu
My Country: Estonia
I'm a: Knowledge Seeker
Posts: 1,286
Default Re: Macbook M1 bypass FMM / EFI Unlock

Why would it be in the NAND? Have you seen iPhones and iPads? Apple has done it before, so it might be the same with M1 MacBooks.
Old 01-31-2022, 02:35 PM   #6
Stephen
Meow Meow MEOW!
 
Join Date: Apr 2020
City & State: USA 🇺🇸
My Country: United States
Line Voltage: 120VAC 60hz
I'm a: Hardcore Geek
Posts: 412
Default Re: Macbook M1 bypass FMM / EFI Unlock

Quote:
Originally Posted by RethoricalCheese View Post
Why would it be in the NAND? Have you seen iPhones and iPads? Apple has done it before, so it might be the same with M1 MacBooks.
Where would it be then? For sure not the NAND, I am sure...
Old 01-31-2022, 02:51 PM   #7
heatorious
New Member
 
Join Date: Apr 2020
City & State: CA
My Country: USA
I'm a: Knowledge Seeker
Posts: 10
Default Re: Macbook M1 bypass FMM / EFI Unlock

To add to this: MDM locks with FMM off. Is there a bypass or full removal option? I wrote a script back for 2015-2017 models, before the USB thing, to bypass the MDM prompts upon boot. Will be looking into getting an M1 and tweaking it to see if I can get it to work on an M1.
Old 01-31-2022, 03:23 PM   #8
LEOMORALES
New Member
 
Join Date: Dec 2019
City & State: chiapas
My Country: tuxtla gtz
I'm a: Knowledge Seeker
Posts: 1
Default Re: Macbook M1 bypass FMM / EFI Unlock

It's the NAND. The info is in the NAND. We have lowered the NAND and tried to read it with irrepair 12, but it does not let me read; it is hidden in some way. If you could access that hidden info, it would be there like the iPad info.
Old 01-31-2022, 04:21 PM   #9
betonel
Member
 
Join Date: Nov 2015
City & State: bucharest
My Country: romania
Line Voltage: 380V 50Hz
I'm a: Knowledge Seeker
Posts: 31
Default Re: Macbook M1 bypass FMM / EFI Unlock

What if you remove the NAND and run diagnostic mode? I guess you will be able to see the SN there. It would be funny if the SN is generated from BT MAC + Wi-Fi MAC, and we're looking for something that doesn't exist.

Need to compare dumps from the SoC ROM of the M1. @Stephen, can you share some? Will upload mine tomorrow.
Old 01-31-2022, 11:13 PM   #10
Stephen
Meow Meow MEOW!
 
Join Date: Apr 2020
City & State: USA 🇺🇸
My Country: United States
Line Voltage: 120VAC 60hz
I'm a: Hardcore Geek
Posts: 412
Default Re: Macbook M1 bypass FMM / EFI Unlock

Quote:
Originally Posted by betonel View Post
What if you remove the NAND and run diagnostic mode? I guess you will be able to see the SN there. It would be funny if the SN is generated from BT MAC + Wi-Fi MAC, and we're looking for something that doesn't exist.

Need to compare dumps from the SoC ROM of the M1. @Stephen, can you share some? Will upload mine tomorrow.
Sure I can get some M1 info for a locked device.
Old 02-01-2022, 01:58 AM   #11
betonel
Member
 
Join Date: Nov 2015
City & State: bucharest
My Country: romania
Line Voltage: 380V 50Hz
I'm a: Knowledge Seeker
Posts: 31
Default Re: Macbook M1 bypass FMM / EFI Unlock

Quote:
Originally Posted by curiositymaster View Post
Do you have a boardview file/schematics for any 13" M1? I need to know where the W25Q64 is located. How did you manage to read it?
The Winbond chip is located on the back side of the board, similar to T2 models. Attached you can find some pictures of what I've done. Be careful, it's a 1.8V chip, so you need to use an appropriate programmer adapter.
If you wonder what kind of wires I've used... it's an old PC IDE cable.


Instead of wasting money on a T203 (~$200) and getting stuck with USON4*3, or a DS809SE (~$200), which is exactly an RT809F, I use this:


$64 RT809F + 15 adapters (1.8V adapter required!)
https://s.click.aliexpress.com/e/_A6uAnD
Programmer (same as DS809SE)


$25 MacBook Apple Notebook Maintenance Serial Number Modification Tool T2 Chip Unlock BIOS Read Adapter Board
https://s.click.aliexpress.com/e/_ApVJfz
Lets us program USON2*3 U3750+U3710 Wifi+BT ROM, XSON4*4, Apple T2 ROM USON 4*3 and Macbook M1 SOC, WSON6*5, WSON**6 and WLCSP 16 ball used on A1534 bios or SSD rom.

$52 Sam Connector with Seat Socket Serial Line for DS809SE
https://s.click.aliexpress.com/e/_A0aPKx
A small mod is required to work with the RT809F: undo all pins from the connector and put it in the reverse way -> red will be on the opposite side, and run a wire from PIN 8 (+) to pin 8 on the board, which you can hold by hand, without needing to power on the MB machine.
Attached Files
File Type: pdf W25Q64JW_RevB_11042019-1760399.pdf (1.56 MB, 123 views)

Last edited by betonel; 02-01-2022 at 03:10 AM..
Old 02-01-2022, 02:17 AM   #12
betonel
Member
 
Join Date: Nov 2015
City & State: bucharest
My Country: romania
Line Voltage: 380V 50Hz
I'm a: Knowledge Seeker
Posts: 31
Default Re: Macbook M1 bypass FMM / EFI Unlock

Quote:
Originally Posted by Stephen View Post
Sure I can get some M1 info for a locked device.
Attached is my SOC chip dump and multiple tests.
SN from this dump is FVFDV113Q05P.

Please upload yours..
Unlocked with Secure boot disabled is wanted.

btw: if you're not a bot, to get correct SN, xor all 1 with 1
Attached Files
File Type: zip W25Q64FV.zip (11.42 MB, 131 views)

Last edited by betonel; 02-01-2022 at 02:22 AM..
Old 02-01-2022, 08:54 AM   #13
Stephen
Meow Meow MEOW!
 
Join Date: Apr 2020
City & State: USA 🇺🇸
My Country: United States
Line Voltage: 120VAC 60hz
I'm a: Hardcore Geek
Posts: 412
Default Re: Macbook M1 bypass FMM / EFI Unlock

Quote:
Originally Posted by betonel View Post
Attached is my SOC chip dump and multiple tests.
SN from this dump is FVFDV113Q05P.

Please upload yours..
Unlocked with Secure boot disabled is wanted.

btw: if you're not a bot, to get correct SN, xor all 1 with 1

How did you get the serial number from the dump besides the bottom case from the MacBook? Was this from the chip or bottom case? This information will make M1 unlocks a piece of cake with a serial number change for MDMs.
Old 02-01-2022, 09:05 AM   #14
betonel
Member
 
Join Date: Nov 2015
City & State: bucharest
My Country: romania
Line Voltage: 380V 50Hz
I'm a: Knowledge Seeker
Posts: 31
Default Re: Macbook M1 bypass FMM / EFI Unlock

Quote:
Originally Posted by Stephen View Post
How did you get the serial number from the dump besides the bottom case from the MacBook? Was this from the chip or bottom case? This information will make M1 unlocks a piece of cake with a serial number change for MDMs.
Unfortunately, the SN is from the bottom case and/or from Diagnostics mode. Can you share your M1 SoC dumps?

Last edited by betonel; 02-01-2022 at 09:14 AM..
Old 02-01-2022, 09:52 AM   #15
imranromi
Badcaps Veteran
 
Join Date: Jan 2015
City & State: Rawalpindi
My Country: Pakistan
Line Voltage: 240Hz
I'm a: Knowledge Seeker
Posts: 1,277
Default Re: Macbook M1 bypass FMM / EFI Unlock

Quote:
Originally Posted by betonel View Post
Unfortunately, the SN is from the bottom case and/or from Diagnostics mode. Can you share your M1 SoC dumps?
Here, both files are M1.
MDM locked.
Attached Files
File Type: rar M1.rar (2.85 MB, 140 views)
File Type: rar M2.rar (2.06 MB, 95 views)
Old 02-01-2022, 06:21 PM   #16
heatorious
New Member
 
Join Date: Apr 2020
City & State: CA
My Country: USA
I'm a: Knowledge Seeker
Posts: 10
Default Re: Macbook M1 bypass FMM / EFI Unlock

Does anyone have a working M1 with FMM off and MDM locked? If so, can ya PM me? I want to try to see if I can do a decent bypass of the prompts thru updating until we have a more perm solution. I've only seen some things about editing the host file; don't know how that would go thru updates.
Old 02-02-2022, 04:08 AM   #17
betonel
Member
 
Join Date: Nov 2015
City & State: bucharest
My Country: romania
Line Voltage: 380V 50Hz
I'm a: Knowledge Seeker
Posts: 31
Thumbs up Re: Macbook M1 bypass FMM / EFI Unlock

Quote:
Originally Posted by imranromi View Post
Here, both files are M1.
MDM locked.
Please tell us SN for each dump and machine type. BTW..

Couldn't start my MBP M1 13" 2020 with your dumps. It will start DFU mode at least.

M1.bin -> iboot-6723.61.3
M2.bin -> iboot-6723.41.11
my.bin -> iboot-6723.50.2

Last edited by betonel; 02-02-2022 at 04:13 AM..
Old 02-02-2022, 03:11 PM   #18
Nico Latour
Banned
 
Join Date: Sep 2019
City & State: nice
My Country: france
I'm a: Hobbyist Tech
Posts: 75
Default Re: Macbook M1 bypass FMM / EFI Unlock

Quote:
Originally Posted by Stephen View Post
You are on to something; however, the M1 SoC ROM chip does not have serial data on it. We have verified this with an MBA M1. No actual serial data on that. Now, I would not be surprised if it is on the M1 itself... or the NAND as you suggest, but why would it be in the NAND is my question. It may be on something; if we can track that down, we just solved M1 locked devices that are MDM locked. Easy peasy
The M1 bin is encrypted! When you decrypt it, you see the serial!!! But changing the serial in this bin does not work to unlock iCloud)
Old 02-02-2022, 10:25 PM   #19
curiositymaster
Member
 
Join Date: Apr 2021
City & State: Lagos
My Country: Nigeria
I'm a: Knowledge Seeker
Posts: 49
Default Re: Macbook M1 bypass FMM / EFI Unlock

Quote:
Originally Posted by betonel View Post
The Winbond chip is located on the back side of the board, similar to T2 models. Attached you can find some pictures of what I've done. Be careful, it's a 1.8V chip, so you need to use an appropriate programmer adapter.
If you wonder what kind of wires I've used... it's an old PC IDE cable.


Instead of wasting money on a T203 (~$200) and getting stuck with USON4*3, or a DS809SE (~$200), which is exactly an RT809F, I use this:


$64 RT809F + 15 adapters (1.8V adapter required!)
https://s.click.aliexpress.com/e/_A6uAnD
Programmer (same as DS809SE)

$25 MacBook Apple Notebook Maintenance Serial Number Modification Tool T2 Chip Unlock BIOS Read Adapter Board
https://s.click.aliexpress.com/e/_ApVJfz
Lets us program USON2*3 U3750+U3710 Wifi+BT ROM, XSON4*4, Apple T2 ROM USON 4*3 and Macbook M1 SOC, WSON6*5, WSON**6 and WLCSP 16 ball used on A1534 bios or SSD rom.

$52 Sam Connector with Seat Socket Serial Line for DS809SE
https://s.click.aliexpress.com/e/_A0aPKx
A small mod is required to work with the RT809F: undo all pins from the connector and put it in the reverse way -> red will be on the opposite side, and run a wire from PIN 8 (+) to pin 8 on the board, which you can hold by hand, without needing to power on the MB machine.
Thanks for this info. I have the DS809SE and t203.
Old 02-02-2022, 11:35 PM   #20
ebaymonster
New Member
 
Join Date: Dec 2021
City & State: Chernivtsi
My Country: Ukraine
Line Voltage: 220
I'm a: Knowledge Seeker
Posts: 6
Default Re: Macbook M1 bypass FMM / EFI Unlock

Quote:
Originally Posted by betonel View Post
Unfortunately, the SN is from the bottom case and/or from Diagnostics mode. Can you share your M1 SoC dumps?
I have 5 pcs MBA 2020 M1 and 1 MBP 13 M1 + T203. If you want, I can desolder and make a dump.
All times are GMT -6. The time now is 01:24 AM.