Macbook M1 bypass FMM / EFI Unlock

This topic is closed.
    Re: Macbook M1 bypass FMM / EFI Unlock

    Originally posted by bluestone
    How do you get the iCloud email from an iCloud locked & un-erased Mac?
    As I've yet to read the entire thread, I apologize if my statements are:
    - Redundant
    - No longer possible

    Pre-2018 (non-T2):

    1. EFI | ROM .BINs contained the AppleID of an iCloud logged in user.
    2. SN modification requires updating a SN-derived CRC HASH.


    Medusa 2.7+ edits the SN + fixes the Fsys block's checksum on < 2018 Macs.

    I'm feeling like this is going to be necessary also.

    Maybe the BIN location is the same / similar (equal sizes)
    I'll look for the exact location with a HEX editor
    Compare the file-differences to find the exact location.

    Any suggestions of a mac application ideal for this (quickly) may help.

    If all of this is common knowledge, I apologize for wasting anyone's time.


    The HELP in this forum is just SO AMAZING that I felt obliged to try to do SOMETHING that could be of some utility. And to that end, I have also found the method by which I can read the BIN from my CH341 on MacOS, and intend to provide a thread on that topic ... as it's taken me YEARS to figure it out. If that's pathetic and again, common knowledge, sorry (and yes, I'm embarrassed).


    I have several units with MDM locks, one of which is an M1

    I will provide the info on the equipment I have in another post so this wall of text doesn't get any more onerous than it already is.



      Re: Macbook M1 bypass FMM / EFI Unlock

      Originally posted by TrumanHW

      As I've yet to read the entire thread, I apologize if my statements are:
      - Redundant
      - No longer possible

      Pre-2018 (non-T2):
      The M1 dump also contains the mail, Apple ID and details of the user.
      Last edited by SMDFlea; 04-07-2022, 03:06 AM.



        Re: Macbook M1 bypass FMM / EFI Unlock

        Originally posted by betonel
        Bypassing M1 involves patching the ipsw file.
        Eg. UniversalMac_11.0.1_20B29_Restore.ipsw\022-10604034\3_Apple_APFS

        KRAActivationAuthViewController


        I re-wrote the list (I'd seen it elsewhere also) just to make sure I understood it and to make it maybe cleaner for others (still iPhone-oriented):

        01. Download the IPSW file (official IPSW URL).
        02. Change File.IPSW: change the IPSW extension to ZIP.
        03. Copy the LARGEST DMG to the desktop.
        04. A UTILITY & a KEY are required to mount the encrypted DMG.
        5a. Firmware keys are listed at: www.theiphonewiki.com/wiki/Firmware_Keys
        5b. Download iDecrypt to mount the DMG at: theiphonewiki.com/wiki/iDecrypt
        NOTE: the 2nd + 3rd download links were more reliable.
        06. Launch iDecrypt: paste the FW key, choose File.DMG & destination.
        NOTE: accept the iDecrypt warning dialog + enter the ROOT password.
        07. A success message confirms the encrypted DMG has been mounted.
        08. Open the image & navigate to the Applications/ dir to delete: Setup.app
        09. Close + eject the mounted DMG (reverts to being compressed + encrypted).
        10. Ensure the modified DMG's name matches the original name.
        11. Replace/delete the original DMG with the modded DMG in the folder with 2 DMGs.
        12. ZIP the folder with the mod DMG + 2 original DMGs (3 in total).
        13. Revert the extension from ZIP back to IPSW (check via "Get Info").

        The wording made me think I needed to "re-compress" & "re-encrypt" it.
        But iDecrypt doesn't decrypt or decompress;
        it just mounts the compressed & encrypted data.

        Lessons from non-T2 computers which may apply to T2..?
        - Pre-T2 units with changed SNs: "About this Mac" says "bad SN", unless:
        - the CRC at 0x590000 has also been.
        - I located it (but don't understand the changes)...
        - And thus, I'll provide pictures of the regions, or study on my own.

        LMK if there’s anything you’d like me to do with the equipment i have.

        The question is -- how was the SN used to get whatever is at 0x590000...?

        There were also a TON of differences between the two bins, only separated by
        - one with a C-Zero-...
        - one with a C-Capital O ...

        Yet, when using VBinDiff (great for seeing the differences at each row) ... the differences were FAR more than the SN and the CRC (if that's what's there). And the implicit question is, how this info could allow inferences of what we can do for T2 and more importantly M1 macs going further.

        Thanks!
        Last edited by TrumanHW; 04-07-2022, 04:28 AM.



          Re: Macbook M1 bypass FMM / EFI Unlock

          Originally posted by betonel
          You don't need to touch the encrypted part of the NAND. There is a plain clear partition containing SN/BT-MAC/WIFI-MAC. If we have a valid pair it's possible to replace it and get rid of activation lock. Can your programmer read raw data from the NAND chip? Upload it on mega and share it please.
          Perhaps a dumb question, but, what about the "Purple iOS" readers?
          For iPads / iPhone like Magico: R/W NAND without desoldering.

          My understanding of late model iP, iPad + iPad Pro, Air, Mini, etc., is, they're encrypted until the first (keypad) password's entered. But these devices can read them (I do data recovery so this was my initial interest).

          Magico (no desoldering) allows editing:
          SN / IMEI / BT / Color / RW ROM / Change ROM size, etc.



            Re: Macbook M1 bypass FMM / EFI Unlock

            Originally posted by qava
            2nd NAND says

            The hard drive is reversed, please re-insert the NAND...
            Holy shit. The JC looks like a Rusolot NAND reconstructor for iPhones.

            If they work this out for MBP I would be VERY interested in that.
            (Very interesting interface) !!



              Re: Macbook M1 bypass FMM / EFI Unlock

              Originally posted by techman9510
              That doesn't matter; the problem is the activation servers require SN, wifi and Bluetooth to successfully activate the device. So we would need to get all 3 from a locked M1 and put them into a T2 Mac, and then from there we can get the MDM key and theoretically use the MDM key to bypass activation lock on the M1 Mac.

              I was wondering if the BINs supplied with the T203 replace the URL that is used to go to the Apple server, and instead refer it to a server which authenticates it irrespective of the MDM / iC status...?

              Again, no way to test the hypothesis.



                Re: Macbook M1 bypass FMM / EFI Unlock

                Originally posted by kevingill
                Has anyone actually tried the iDCSD cable with a MacBook M1?

                I have both the cable and the Magico device ...

                If I know the structure of how i'd set it up I can try it tomorrow ...?

                (again, I'm reading the thread to get caught up so hopefully I'm not a day late and dollar short) ..



                  Re: Macbook M1 bypass FMM / EFI Unlock

                  Originally posted by techman9510
                  so in order to get a MDM activation key the MacBook has to be supervised and in order to do that you need a business or school Apple ID. I'm in the process of getting the business Apple ID and I will test the mdm activation key on a iPad that is jailbroken.
                  One more idea ... get an MDM account ...

                  I know this isn't a technical solution -- but from what I hear they're more liberal about transferring devices, which, you can then remove. ?



                    Re: Macbook M1 bypass FMM / EFI Unlock

                    Originally posted by mazoot
                    1. Open Utilities > Terminal and type
                    $ csrutil disable
                    $ reboot
                    2. Hold `command-R` during the reboot to enter Recovery Mode again
                    3. Enter Disk Utility, and mount the `Macintosh HD` volume (or whatever your main volume is named). (It might already be mounted.)
                    4. Exit Disk Utility, open Utilities > Terminal, and type
                    $ cd "/Volumes/Macintosh HD/System/Library"
                    $ cd ../../etc
                    $ echo "0.0.0.0 iprofiles.apple.com" >> hosts
                    $ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
                    $ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
                    $ echo "0.0.0.0 gdmf.apple.com" >> hosts
                    $ csrutil enable
                    $ reboot
                    Be sure not to select a wireless network, but continue without an internet connection.
                    After a normal boot, you can verify the DEP status in Terminal:
                    $ profiles status -type enrollment
                    Enrolled via DEP: No
                    MDM enrollment: No

                    NOW THIS LOOKS PROMISING!
                    I dig it -- will try tomorrow also!



                      Re: Macbook M1 bypass FMM / EFI Unlock

                      Originally posted by alerm
                      I forgot one folder
                      Some elegant naming convention apple went with.



                        Re: Macbook M1 bypass FMM / EFI Unlock

                        Originally posted by mazoot
                        1. Open Utilities > Terminal and type
                        $ csrutil disable
                        $ reboot
                        2. Hold `command-R` during the reboot to enter Recovery Mode again
                        3. Enter Disk Utility, and mount the `Macintosh HD` volume (or whatever your main volume is named). (It might already be mounted.)
                        4. Exit Disk Utility, open Utilities > Terminal, and type
                        $ cd "/Volumes/Macintosh HD/System/Library"
                        $ cd ../../etc
                        $ echo "0.0.0.0 iprofiles.apple.com" >> hosts
                        $ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
                        $ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
                        $ echo "0.0.0.0 gdmf.apple.com" >> hosts
                        $ csrutil enable
                        $ reboot
                        Be sure not to select a wireless network, but continue without an internet connection.
                        After a normal boot, you can verify the DEP status in Terminal:
                        $ profiles status -type enrollment
                        Enrolled via DEP: No
                        MDM enrollment: No
                        Does anyone know if this MDM bypass works? It seems like this would only prevent the MacBook from retrieving information that's already been set. It's useless if it doesn't block all communication from the MDM including the ability to remote wipe and lock.
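A read-only audit for the hosts-file technique quoted in the two posts above, added here as an example; it is not code from the thread or from any of the posters. It parses a hosts file, reports which of the four Apple enrollment domains named in the quoted commands are mapped to 0.0.0.0 or a loopback address, and gives a clean/tampered verdict. The domain list is taken from the quoted commands and is an assumption that nothing else needs checking; the sample hosts content is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example for this page (not code from the thread): audit a hosts file for
# the Apple enrollment domains the quoted procedure black-holes. Read-only.

# The four domains named in the quoted commands. Assumption: these are the only
# names worth checking; add others if your fleet depends on them.
APPLE_ENROLLMENT_HOSTS="iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com gdmf.apple.com"

# Print, one per line, each enrollment domain that FILE maps to an unroutable or
# loopback address (0.0.0.0, 127.x.x.x or ::1). Text after '#' is ignored, and a
# domain appearing as any alias on a line counts, not just the first name.
blackholed_enrollment_hosts() {
    hosts_file="$1"
    if [ ! -r "$hosts_file" ]; then
        echo "cannot read $hosts_file" >&2
        return 2
    fi
    for domain in $APPLE_ENROLLMENT_HOSTS; do
        awk -v d="$domain" '
            { sub(/#.*/, "") }                     # drop trailing comments
            NF >= 2 {
                sink = ($1 == "0.0.0.0" || $1 ~ /^127\./ || $1 == "::1")
                for (i = 2; i <= NF && sink; i++)
                    if (tolower($i) == d) { print d; exit }
            }' "$hosts_file"
    done
    return 0
}

# Exit status 0 when none of the domains is black-holed in FILE, 1 otherwise.
enrollment_hosts_clean() {
    [ -z "$(blackholed_enrollment_hosts "$1")" ]
}

# Constructed sample (not a capture from a real machine): a stock macOS hosts
# file with the four lines from the quoted procedure appended.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 gdmf.apple.com
EOF

echo "Black-holed enrollment domains:"
blackholed_enrollment_hosts "$SAMPLE"
if enrollment_hosts_clean "$SAMPLE"; then
    echo "verdict: clean"
else
    echo "verdict: tampered (enrollment domains black-holed in hosts file)"
fi
rm -f "$SAMPLE"
```

On a machine you are investigating, point `blackholed_enrollment_hosts` at `/etc/hosts` (or at the mounted volume's copy from Recovery). It only tells you whether the edit is present; pair it with the `profiles status -type enrollment` command from the quoted post to see what the device itself reports, and note that a present edit says nothing about what the device does once it can reach the network, which is the question the post above raises.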



                          Re: Macbook M1 bypass FMM / EFI Unlock

                          Originally posted by Nico Latour
                          Yes, there are scripts for 2-step verification, but you can't know the email address from the Apple ID (in the past you could buy GSX serial info, name and email address of the user, but Apple blocks all this info!).
                          Hi Nico,

                          I know the Apple Id from former Owner
                          How can I use this information.



                            Re: Macbook M1 bypass FMM / EFI Unlock

                            Currently we have 3 M1 Pro / Max on deck. Got the iClouds removed due to the owner email being tied and looking them up. Currently the MDM method is something that should be very easily possible by knowing where the SN is located on this board. Changing that would make it easily possible to remove the SN; however, we would have to find legit serials of these devices to implement it. I always, in my experience, take a guess by going to Mac Serial Lookup and typing in a few digits to see if it pulls up. In my experience with T2 MDM locks, I always associate the serial with the exact model (A1990 serial changed to another A1990 serial found on Mac Serial Lookup). I would believe this is the same concept for M1 devices. MDM bypass is useless, personally who cares? I'd personally rather do the hardware method and remove it for good. With that said, if we find any movement on the MDM, which I am certain we can, it will be possible.

                            Another thing to add is now we found out that these M1 Pro devices can boot into LINUX, this also opens possible doors to creating a back door into the device...just food for thought.


                              Re: Macbook M1 bypass FMM / EFI Unlock

                              Stephen, to install Linux on these devices you will need to provide access to partitions from the main OS, so it's not possible to install Linux if it is locked. The SN, as we already concluded, is stored in the first sectors of the SSD NAND, iPhone style. As external access to the NAND is not possible for the moment, it remains the hard way: hardware NAND removal/read.

                              Elegant way will be to write custom firmware for bios which will write on nand whatever we want, but this is beyond my skill



                                Re: Macbook M1 bypass FMM / EFI Unlock

                                Originally posted by Stephen
                                Currently we have 3 M1 Pro / Max on deck. Got the iClouds removed due to the owner email being tied and looking them up. Currently the MDM method is something that should be very easily possible by knowing where the SN is located on this board. Changing that would make it easily possible to remove the SN; however, we would have to find legit serials of these devices to implement it. I always, in my experience, take a guess by going to Mac Serial Lookup and typing in a few digits to see if it pulls up. In my experience with T2 MDM locks, I always associate the serial with the exact model (A1990 serial changed to another A1990 serial found on Mac Serial Lookup). I would believe this is the same concept for M1 devices. MDM bypass is useless, personally who cares? I'd personally rather do the hardware method and remove it for good. With that said, if we find any movement on the MDM, which I am certain we can, it will be possible.

                                Another thing to add is now we found out that these M1 Pro devices can boot into LINUX, this also opens possible doors to creating a back door into the device...just food for thought.
                                Hi Stephen,

                                In another post from November you said you unlocked an M1 Macbook.
                                Is there any chance, you tell us what you did?
                                I am happy to help.

                                Furthermore for anyone else.
                                I don't know if I can recreate this, but I updated the Macbook with Apple Configurator 2; when I restored the Macbook via iTunes on Windows with an older firmware IPSW I noticed iBoot was on an older version.
                                This is what I got from Windows Device Manager:
                                [iBoot-5540.0.0.400.2]
                                Maybe this information can help.



                                  Re: Macbook M1 bypass FMM / EFI Unlock

                                  That's true, M1 can be downgraded because there are signed ipsw available, but even the oldest iBridge version for M1 is not vulnerable to checkra1n. Don't expect much from Stephen, he did nothing on M1, neither on t2, he just started a thread to show how to use t203. Let's not close this thread as t2 was, we still have much to find about M1.


                                  Originally posted by alerm
                                  Hi Stephen,
                                  In another post from November you said you unlocked an M1 Macbook.
                                  Is there any chance, you tell us what you did?
                                  I am happy to help.

                                  Furthermore for anyone else.
                                  I don't know if I can recreate this, but I updated the Macbook with Apple Configurator 2; when I restored the Macbook via iTunes on Windows with an older firmware IPSW I noticed iBoot was on an older version.
                                  This is what I got from Windows Device Manager:
                                  [iBoot-5540.0.0.400.2]
                                  Maybe this information can help.



                                    Re: Macbook M1 bypass FMM / EFI Unlock

                                    Originally posted by betonel
                                    That's true, M1 can be downgraded because there are signed ipsw available, but even the oldest iBridge version for M1 is not vulnerable to checkra1n. Don't expect much from Stephen, he did nothing on M1, neither on t2, he just started a thread to show how to use t203. Let's not close this thread as t2 was, we still have much to find about M1.
                                    Hi Betonel,

                                    Stephen stated on another thread these words:
                                    EUREKA! Yours truly may have just figured out how to unlock an M1! I am doing more stress testing boys but you might just see the first M1 unlocked that is activation locked! I will give more details soon when we get a few more M1's to test this out on! It is a hardware unlock so just be mindful as I trial and error this stuff!



                                      Re: Macbook M1 bypass FMM / EFI Unlock

                                      Originally posted by alerm
                                      Hi Betonel,

                                      Stephen stated on another thread these words:
                                      I don't see that as an affirmative, he made that post out of excitement and as betonel said; Stephen didn't say anywhere (not even in that post you quoted) that he's found an unlock solution for M1.



                                        Re: Macbook M1 bypass FMM / EFI Unlock

                                        I think he found out a way but it requires a MDM server, so... Nothing is happening in the near future I guess.



                                          Re: Macbook M1 bypass FMM / EFI Unlock

                                          Hi, I'm glad to follow this exciting thread. Changing the M1 serial will be useful only if Apple didn't change the activation method.
