Macbook M1 bypass FMM / EFI Unlock

[.::iRizwan::.]

Quote:

Originally Posted by qava

2nd NAND says

The hard drive is reversed, please re-insert the NAND...Attachment 256730

It's mean you are inserting the NAND in wrong direction.

[RethoricalCheese]

iPhone 12 nand says the same thing. JC just doesn't support iPhone 12 and up yet, including macbooks. Atleast that's my conclusion.

[Apple_Unlocking_Services]

Quote:

Originally Posted by qava

It’s A1706 intel MacBook.

Thats my video, its not A1706
look at the device keyboard on bottom left, you will see T2 mac keyboard 😁

[qava]

Quote:

Originally Posted by .::iRizwan::.

It's mean you are inserting the NAND in wrong direction.

No, it mens this NAND is not supported. If I put NAND in wrong way than have information "replace chip 90 degrees"

btw I got a lot of knowledge in repair and i know how to recognize 1st leg of IC

[qava]

Quote:

Originally Posted by Apple_Unlocking_Services

Thats my video, its not A1706
look at the device keyboard on bottom left, you will see T2 mac keyboard 😁

Oh, looks like A1706, anyway, I wanted to clarify that this is not M1 Apple Silocon chip

[qava]

Quote:

Originally Posted by betonel

One way for bypass M1 will be patching ipsw file, eg. UniversalMac_11.0.1_20B29_Restore.ipsw\022-10604-034\3_Apple_APFS

KRAActivationAuthViewController



Similar work has been successfully performed for iphone:

1. Download the iPSW file you need from the official website: IPSW.
2. Secondly, convert the iPSW file into a ZIP file by changing the extension and extract it.
3. Now open the extracted file folder, and you will see 3 different .dmg files in there.
4. Look for the biggest file and drag it to your desktop. You will notice that the .dmg files will not be able to open in one click. It’s because these files are encrypted.
5. You would need a firmware key to open this file. For this purpose, direct to “The iPhone WiKi” and find your firmware key.
6. Once you have the key, it’s time to use ???iDecrypt that is already on your Mac. Simply launch the software and open your .dmg file with it.
7. You will see a warning message on your screen. Simply click on the “OK” button and select your output folder and paste your key for “RootFilesystem."
8. Now, you need to click on “Decrypt DMG," and when the process is finished, you will see a success message.
9. Open the iPSW file that is decrypted and go to the Applications folder. Here, you need to delete the “Setup” file.
10. Then, exit this folder and right-click on your decrypted file and click on “Eject."
11. When the file is successfully saved, delete the original file and rename the new decrypted file matching the original file. Then, paste this file into the extracted folder again.
12. The last step is to compress the folder back to the IPSW format.

I also tried to try this but there's no firmware key so access to folder is locked. Step 5 kill all process

[kevingill]

Don't know if this has been posted elsewhere, but on the activation screen where it asks for Apple ID/Password, I put in 'null' and 'null' and it says that the Apple account is locked and an email will be sent with instructions on how to unlock. It partly lists the email address.
Just thinking it might remind someone to look at the devices in their iCloud and remove the MacBook from their account? I can live in hope!

[Nico Latour]

Quote:

Originally Posted by kevingill

Don't know if this has been posted elsewhere, but on the activation screen where it asks for Apple ID/Password, I put in 'null' and 'null' and it says that the Apple account is locked and an email will be sent with instructions on how to unlock. It partly lists the email address.
Just thinking it might remind someone to look at the devices in their iCloud and remove the MacBook from their account? I can live in hope!

they also can see your location! and macbooks in 90% lost modus

[techman9510]

would we be able to remove iCloud lock if we took the SN from a locked M1 and put it in a T2 Mac bypass it using jailbreak than use jumpcloud.com to install MDM and use the MDM key to bypass the M1 Mac? we wouldn't need the wifi and bt address from the M1 because we aren't going though the activation process. has anyone given this a shot?

[techman9510]

we can first attempt this on a iPhone and iPad. with mdm bypass key you would just put in key in the password field and leave the username/email blank. and it would be easier to attempt on a iPad because all we would need is the DCSD cable no Nand soldering required.

[betonel]

Quote:

Originally Posted by techman9510

would we be able to remove iCloud lock if we took the SN from a locked M1 and put it in a T2 Mac bypass it using jailbreak than use jumpcloud.com to install MDM and use the MDM key to bypass the M1 Mac? we wouldn't need the wifi and bt address from the M1 because we aren't going though the activation process. has anyone given this a shot?

We've tried that.. it isn't working.. mdm key doesn't match. They send wifi mac + bt mac. Once u re able to change sn+wifi+bt you're good to go. No solution for that yet..

[kevingill]

What happens if the Wi-Fi/BT chip has its power removed by cutting a track?
Or is it stored in flash?

[techman9510]

Quote:

Originally Posted by betonel

We've tried that.. it isn't working.. mdm key doesn't match. They send wifi mac + bt mac. Once u re able to change sn+wifi+bt you're good to go. No solution for that yet..

Can’t we get the wifi and bt address from terminal? I saw someone said they were able to open up terminal

[techman9510]

Quote:

Originally Posted by kevingill

What happens if the Wi-Fi/BT chip has its power removed by cutting a track?
Or is it stored in flash?

That doesn’t matter the problem is activation servers require SN wifi and Bluetooth to successfully activate the device. So we would need to get all 3 from a locked M1 and out it into a T2 Mac and than from their we can get the MDM key and theoretically use the MDM key to bypass activation lock on the M1 mac

[techman9510]

Quote:

Originally Posted by betonel

We've tried that.. it isn't working.. mdm key doesn't match. They send wifi mac + bt mac. Once u re able to change sn+wifi+bt you're good to go. No solution for that yet..

On iPads and iPhone I use a DCSD cable to read the hidden info from the NAND. Sn,wifi,bt etc etc I saw on AliExpress their is a DCSD cable that has a usb C connector I asked the seller what’s it’s for and he told me either for iPads or MacBooks. Maybe we can use this device to read the nand info on the MacBooks. Here is the link maybe someone can make a software for it.

https://www.ebay.com/itm/iDCSD-UART-...-127632-2357-0

[mazoot]

hoco u86 can make it possible?

[betonel]

Quote:

Originally Posted by techman9510

On iPads and iPhone I use a DCSD cable to read the hidden info from the NAND. Sn,wifi,bt etc etc I saw on AliExpress their is a DCSD cable that has a usb C connector I asked the seller what’s it’s for and he told me either for iPads or MacBooks. Maybe we can use this device to read the nand info on the MacBooks. Here is the link maybe someone can make a software for it.

https://www.ebay.com/itm/iDCSD-UART-...-127632-2357-0

Interesting approach. Looks iDCSD is not exploiting anything, it's just a manufacturing testing interface, would be great if it can access NAND/shell for M1 device.

[techman9510]

Quote:

Originally Posted by betonel

Interesting approach. Looks iDCSD is not exploiting anything, it's just a manufacturing testing interface, would be great if it can access NAND/shell for M1 device.

I’m sure Apple uses special software that allows communication to the laptop and the software. So we would have to find our own exploit to make that communication possible.

[kevingill]

Has anyone actually tried the iDCSD cable with a MacBook M1?

[mazoot]

i will find the adapter and test that