T2 Chip Programmer Tool

[Stephen]

Mina did this because you had a special someone in the thread tell them so they had to create a code to stop this since you know…people don’t want people to have nice things lol. I’m not worried about it. Our software is half way there.

[ugamazing]

Without being too informed on the current status/progress of a T2 bypass or unlock, can I ask a potentially-dumb question?

Would it be possible to somehow identify the contact information (name/email) of the iCloud account owner of a particular board, and then simply attempt to contact them to have the lock removed? Of course many people wouldn't respond, and you'd still be stuck with a locked board, but I was curious if that information would somehow be stored on the board. I'd imagine that info is securely stored/encrypted in the SE, so probably impossible to get to, but was just curious.

[lamo]

guys from mina also reading badcaps

[Stephen]

Quote:

Originally Posted by ugamazing

Without being too informed on the current status/progress of a T2 bypass or unlock, can I ask a potentially-dumb question?

Would it be possible to somehow identify the contact information (name/email) of the iCloud account owner of a particular board, and then simply attempt to contact them to have the lock removed? Of course many people wouldn't respond, and you'd still be stuck with a locked board, but I was curious if that information would somehow be stored on the board. I'd imagine that info is securely stored/encrypted in the SE, so probably impossible to get to, but was just curious.

Believe it or not it is stored into the T2 chip. That information is easily obtained if you had admin access to the board if bypassed. What do I mean?

When you bypass a board, sometimes a board will say at setup “find my mac” is enabled. And you see the actual email in result, I think this is a minor glitch in bypass but it happens sometimes and I write that information down. But it’s always not the case. Now when the computer is fully wiped and updated with iBridge, it will have to be a little more digging to figure out how to bypass it again. That is when checkrain comes into play (when they finally update it). I anticipate it happening soon since they have updated pongoOS and the libs files. Just a matter of time.

Nextly to the response saying Mina developers are on here. I am fairly certain the trolls that got banned were the ones by Mina. They want to make money let them. However they have no ownership to the jailbreak since it is open source and all it is a few key strokes in SSH control. Checkm8 and Mina use the exact same concept to remove the lock. It actually is just telling the device it is activated and you get OS install.

[ugamazing]

Thanks, Stephen! That's good information, thank you. I've had moderate success in just contacting the iCloud owners; some of them are happy to make a quick buck (we offer them a monetary incentive to remove, and explain that if it was stolen, we're happy to return, etc). Seems the way to go (if possible) until an actual unlocking process is discovered.

[anhbanxoi]

Quote:

Originally Posted by ugamazing

Thanks, Stephen! That's good information, thank you. I've had moderate success in just contacting the iCloud owners; some of them are happy to make a quick buck (we offer them a monetary incentive to remove, and explain that if it was stolen, we're happy to return, etc). Seems the way to go (if possible) until an actual unlocking process is discovered.

But how can you get the owner information to contact them?

[Pedro147]

Quote:

Originally Posted by anhbanxoi

But how can you get the owner information to contact them?

just read what was just posted

Quote:

Originally Posted by Stephen

Believe it or not it is stored into the T2 chip. That information is easily obtained if you had admin access to the board if bypassed. What do I mean?

When you bypass a board, sometimes a board will say at setup “find my mac” is enabled. And you see the actual email in result, I think this is a minor glitch in bypass but it happens sometimes and I write that information down. But it’s always not the case. Now when the computer is fully wiped and updated with iBridge, it will have to be a little more digging to figure out how to bypass it again. That is when checkrain comes into play (when they finally update it). I anticipate it happening soon since they have updated pongoOS and the libs files. Just a matter of time.

[Brais]

I was reading all posts here, very good and interesting information also.many thanks for share also.

I use to work with BIOS editing with TL866II -Plus and CH341-A , does anyone found any difference with another tools on T2 edition?

I want to try with some MAC mini (2018) , having a blocked model and the same unit unlocked for serial number collection if necessary.

Also i have Imac (2020) various units icloud locked, and other identic stuff unlocked and avaliable.

Anyone has access to the guide that was removed here with hardware modification methods?

I have access to other M1, locked and unlocked devices if someone needs more info or wants me to make any tests.

Kind Regards

[simplylcd]

I have tried the ufix u-bos2 to change serial number.
When soldered the T2 chip it was in DFu mode.
Tried a revive came on briefly and now nothing.
Any tips on what to do now ??

[Pedro147]

Quote:

Originally Posted by simplylcd

I have tried the ufix u-bos2 to change serial number.
When soldered the T2 chip it was in DFu mode.
Tried a revive came on briefly and now nothing.
Any tips on what to do now ??

Christopher, you were told on FB, the SN is stored in the SPI ROM chip so what are you talking about "When soldered the T2 chip" ?

That statement makes no sense

[lamo]

there's no need to change serial number to avoid icloud lock. icloud lock is connected to ECID of T2. so, only t2 replacement will helps.

[Stephen]

Quote:

Originally Posted by simplylcd

I have tried the ufix u-bos2 to change serial number.
When soldered the T2 chip it was in DFu mode.
Tried a revive came on briefly and now nothing.
Any tips on what to do now ??

Might have to do a restore, also if that doesn't help check the battery to make sure it is a good battery. Believe it or not a bad battery will not allow a proper restore or revive.

[ugamazing]

I just received my 1.8v level shifter and can now read/pull dumps from the T2+ models.

Confirmed it's quite easy to find the serial/MLB# as mentioned by others. Will now move onto comparing dumps from boards without lock (that I own), then locking to my own iCloud/FMM, then comparing dumps again.

Anyone have any ideas for additional things to check/try? I wish there was some way to reconcile iCloud ID with serial number, but I know that's likely not something that will easily be done.

Stephen, when you mentioned the bypass method sometimes producing/printing the full iCloud email address; is it theoretically possible to--somehow--modify the T2 ROM to produce this 'glitch' and instruct the T2 to print the full email (instead of the s*****@gmail.com or whatever)? Just spitballing, I have zero knowledge of how the actual data/encryption works or is stored/handled at all. I am a hardware guy, and getting down to these details is a learning experience, but I'm definitely willing to learn!

[simplylcd]

Quote:

Originally Posted by Pedro147

Christopher, you were told on FB, the SN is stored in the SPI ROM chip so what are you talking about "When soldered the T2 chip" ?

That statement makes no sense

I removed the chip put it in the programmer and then soldered back onto the board

[ugamazing]

Got my 1.8v ROM reader working well, and will begin pulling dumps from all T2/M1 models this weekend. Will then lock them, pull dumps again, compare, etc.

[Stephen]

I am not sure how we could read the T2 chip itself, it could be possible if we are able to remove the T2 chip and one day able to read it, nothing is impossible in this world remember that. However, even if we were able to read the T2, the serial of that T2 itself would tie to the iCloud that it is locked to, even if you were able to some how reset it which basically is a DFU, which means that serial still has to go through Activation on Apples servers, so if we are able to figure a way to read it before it is ERASED, maybe so? No idea, the glitch comes sometimes when you bypass the machine and then it has the email once you get to the setup screen when the OS is installed. I sometimes see an email and sometimes I don't , however if we are able to produce the glitch all the time that would be perfect after you bypass it so you can ask them to remove it for good.

Quote:

Originally Posted by ugamazing

I just received my 1.8v level shifter and can now read/pull dumps from the T2+ models.

Confirmed it's quite easy to find the serial/MLB# as mentioned by others. Will now move onto comparing dumps from boards without lock (that I own), then locking to my own iCloud/FMM, then comparing dumps again.

Anyone have any ideas for additional things to check/try? I wish there was some way to reconcile iCloud ID with serial number, but I know that's likely not something that will easily be done.

Stephen, when you mentioned the bypass method sometimes producing/printing the full iCloud email address; is it theoretically possible to--somehow--modify the T2 ROM to produce this 'glitch' and instruct the T2 to print the full email (instead of the s*****@gmail.com or whatever)? Just spitballing, I have zero knowledge of how the actual data/encryption works or is stored/handled at all. I am a hardware guy, and getting down to these details is a learning experience, but I'm definitely willing to learn!

[ugamazing]

Quote:

Originally Posted by Stephen

I am not sure how we could read the T2 chip itself, it could be possible if we are able to remove the T2 chip and one day able to read it, nothing is impossible in this world remember that. However, even if we were able to read the T2, the serial of that T2 itself would tie to the iCloud that it is locked to, even if you were able to some how reset it which basically is a DFU, which means that serial still has to go through Activation on Apples servers, so if we are able to figure a way to read it before it is ERASED, maybe so? No idea, the glitch comes sometimes when you bypass the machine and then it has the email once you get to the setup screen when the OS is installed. I sometimes see an email and sometimes I don't , however if we are able to produce the glitch all the time that would be perfect after you bypass it so you can ask them to remove it for good.

Hey Stephen, I'm shooting you a private message, thanks!

[lamo]

Quote:

Originally Posted by Stephen

I am not sure how we could read the T2 chip itself, it could be possible if we are able to remove the T2 chip and one day able to read it, nothing is impossible in this world remember that. However, even if we were able to read the T2, the serial of that T2 itself would tie to the iCloud that it is locked to, even if you were able to some how reset it which basically is a DFU, which means that serial still has to go through Activation on Apples servers, so if we are able to figure a way to read it before it is ERASED, maybe so? No idea, the glitch comes sometimes when you bypass the machine and then it has the email once you get to the setup screen when the OS is installed. I sometimes see an email and sometimes I don't , however if we are able to produce the glitch all the time that would be perfect after you bypass it so you can ask them to remove it for good.

according to my investigations, there're no useful information, except machine serial number and board number in t2 rom. t2 rom only need to boot into dfu. also, all known methods of jailbreak won't work, because of usb-c firmware patch in t2 chip. t2 chip also have small rom-memory inside. the only way to remove icloud lock is to modify ECID of t2. this operation isn't possible for current moment.

[LevanGood]

Hey guys!
Sorry for my english. I know it’s poor cuz I’m from Ukraine))

Look, I’ve got AppleID locked MB Pro A2141 and I wonder if I can unlock it.
As I know Apple blocked jailbreak ability on the last MacOS.
I’ve got another A2141 logic board with issues and it has FMM OFF.

So I wonder if it’s possible to replace some IC’s from the defective logic board with FMM off to my locked board? Has anybody done this before?
Should I replace T2 itself + SPI or should I replace WIFI+NANDs additionaly?

Thanks in advance!

[lamo]

i replaced about 20 t2's. it's very complicated procedure by itself. too many issues. but it's possible.