Badcaps.net Forum
Old 11-29-2021, 10:49 AM   #1
Stephen
Meow Meow MEOW!
 
Join Date: Apr 2020
City & State: Atlanta, GA
My Country: United States
Line Voltage: 120VAC 60hz
I'm a: Hardcore Geek
Posts: 395
The T2 Unlocking Method (Hardware)

Ok guys, this is the guide on how to unlock your MacBooks with the T2 Chip. Keep in mind that you cannot unlock the MacBook if you recently patched it via DFU with Apple's most recent patch. Until then this is the method I would suggest.

First and foremost if the device has data on it and has a password and you LEGALLY obtained it, then you should go into OS recovery and use the method "ERASE THIS MAC" or you can just ignore that and wipe it naturally when we get into OS install.

Before Proceeding you will need to purchase the T203 Tool. Reason why is because they provide the Mina software with the tool on a USB stick. The software will have a serial programmed to it but that will be crossed later.

Where can you get the tool you may ask? Here:
https://www.unionrepair.com/by-t203-...ck-repair.html

Keep in mind this is one of the tools. I cannot guarantee when the tool will arrive since it is from China, but hey, it's a handy tool we use! We have two on hand, so it's best to have backups!

You will need a Windows 10 laptop or Desktop. WinHex installed and ASProgrammer installed with all drivers.

Step 1:
Removal of the Winbond or Macronix chip off of a MacBook T2 board.




Step 2:

Placing the chip in the T203 Tool. Remember the red dot is where the dot on the chip needs to be aligned. Failure to do this will result in the chip not being read properly or worse!




Step 3:
Run the program ASProgrammer. This program should be included on your T203 device. Be sure to install all necessary drivers before proceeding for the tool. The drivers should be on the tool as well. The tool will not read unless these drivers are installed. Once the program is installed etc. run the program, and then click READ ID. You need to read the chip and click the appropriate setting for the chip to be read properly.



For this type of chip it is considered a Macronix, we will select 1.8V in the middle.

Step 4:

Now we need to read the IC of the chip we removed. This needs to be read and SAVED! So once the chip is read, save it as a file you will remember.
I tend to save the file like IE: A1990 Original Data 1.Bin (since we are working on an A1990 board).
This is the original data from that MacBook you removed. YOU NEED TO NOT DELETE THIS DATA WHATSOEVER or you will end up needing to resort to DFU, which will make this process null and void.


Step 5:

NOTE!!! Before moving forward make sure you already have WinHex installed.


Click and run WinHex! Simple right? So far so good!

Ok we have WinHex Open now click OPEN... and open the folder in your T203 Unlock Data Folder (it should be included in the USB stick you received from your tool)

Open the file associated with your model device being unlocked (IE: A1990)


Step 6:
We now need to find the SERIAL associated with the Mina Tools registered serial number. So we click the RED Binoculars to find the serial in the code. I just usually type C02 (since this is common in all MacBooks)
REMEMBER THIS IS THE SERIAL LOCKED to the Mina Program, so you will need this to get the program to recognize your device to be unlocked.






Step 7:

Copy this serial down, write it down or whatever just remember this exact SERIAL!

Step 8:

Remember that Original Bin File we saved back in Step 4? Yeah now open that file with WinHex and find the serial for that Original Bin file and change it to the MinaTool serial we just copied. AGAIN DO NOT CHANGE ANY OTHER DATA BUT THAT SERIAL!

Step 9:

Save the Bin file. I would suggest saving it as A1990 Serial Change Mina or something. This will have all the data of the original Bin file minus the serial, changing the serial will not affect the Bin file whatsoever since it has all the proper data for your MacBook to turn on still.

Step 10:

Run ASProgrammer make sure to read the ID and then once the ID is read open the file we just saved with the Serial that was changed that matches the Serial for Mina. (READ ID! NOT READ IC! AGAIN READ ID!)

Open the file we saved with the Mina Serial changed to our original Bin file.


Step 11:

AUTO PROGRAM!


Step 12:
Voila Programming done. You should hear a ding when it completes. Make sure it is finished. It should take about 1-4 mins to program.
Now remove the chip and resolder it back to the board.

Step 13:
DO NOT I REPEAT TRY TO USE APPLE CONFIGURATOR WHATSOEVER!

Before turning on the MacBook, you must put it into DFU mode. Once it is in DFU, run Mina Tool. The Tool will recognize your device and ask to activate it, it will jailbreak the device. Again this will not work if you recently patched your devices. This is the hardware method without needing Apple Config 2.

SIDE NOTE: If you use the Unlock Bin file in the Mina tool from the T203 device you will be forced to use Restore with that data information, this is why we use the original data and just change the serial to the mina serial. Failure to follow this will lock your device and you will not be able to do this properly ever again until a new jailbreak is released.

Once the Mina tool Jailbreaks your device, you can turn it on and get into internet recovery. VOILA now you can wipe and install the OS! REMEMBER though that your Serial will not match the serial of the associated bottom case of your MacBook. I would advise once you install the OS and get past the setup screen switch it back to the original serial UNLESS it is an MDM lock then I would change a few digits on the end.

Basically once you get all the OS installed new data information will be programmed to the chip, once that is all done we just need to change the serial.

Changing the serial once it is all installed can be tricky and lazy workarounds will cause you to do this process all over again! So here's how we revert it back

Step 14:

Remove the Chip off the board, make sure the board is disconnected from the battery etc.
Place the chip back in the T203 Tool, run ASProgrammer, READ ID, then once the ID is read then READ IC, Once the IC is read Save the information as a Bin file you will remember because we are reverting that serial back.

Run WinHex and open the Bin file we just saved, grab the bottom case or whatever the original serial is and change it to that, do not change any other information, Save that Bin file and save it as a different name that you can recognize. MAKE SURE TO save it as a BIN FILE!

Once that is all done, Open back ASProgrammer, OPEN the file we just saved with WinHex (which is the original serial of the locked device) and program it.

Solder Chip back on and verify. AND YOU ARE DONE!

Hope this helps! I will come back here and edit this here and there. Currently I have unlocked an M1 but that one is a little more tricky!
MEOWING IN THE IMPOSSIBLE UNIVERSE!
Old 11-29-2021, 11:36 AM   #2
imranromi
Badcaps Veteran
 
Join Date: Jan 2015
City & State: Rawalpindi
My Country: Pakistan
Line Voltage: 240Hz
I'm a: Knowledge Seeker
Posts: 1,273
Re: The T2 Unlocking Method (Hardware)

When you back program original bios with original SN. After restore Apple configurator 2 will back activation iclouds.
What you think 4mb eeprom is T2 data?
As i use all trick before when change original Sn Macbook going to recovery mode.

Last edited by imranromi; 11-29-2021 at 11:40 AM..
Old 11-29-2021, 11:44 AM   #3
imranromi
Badcaps Veteran
 
Join Date: Jan 2015
City & State: Rawalpindi
My Country: Pakistan
Line Voltage: 240Hz
I'm a: Knowledge Seeker
Posts: 1,273
Re: The T2 Unlocking Method (Hardware)

You know where Store M1 macbook SN in eeprom 8mb?
Old 11-29-2021, 03:39 PM   #4
Stephen
Meow Meow MEOW!
 
Join Date: Apr 2020
City & State: Atlanta, GA
My Country: United States
Line Voltage: 120VAC 60hz
I'm a: Hardcore Geek
Posts: 395
Re: The T2 Unlocking Method (Hardware)

Why are you using Apple Config 2? I specifically said not to use that! It will lock your device back. There is no need to run that TOOL whatsoever when unlocking the device.

Why are you restoring the device? You should not even have Apple Config even open during all these steps. You did not follow the steps properly.
Old 11-29-2021, 03:41 PM   #5
Stephen
Meow Meow MEOW!
 
Join Date: Apr 2020
City & State: Atlanta, GA
My Country: United States
Line Voltage: 120VAC 60hz
I'm a: Hardcore Geek
Posts: 395
Re: The T2 Unlocking Method (Hardware)

Adding to this...

If you have Apple Config 2 open whatsoever you are doing this wrong and you will lock your device. DO NOT USE APPLE CONFIG 2 WHATSOEVER.
Old 11-29-2021, 04:09 PM   #6
unilock01
New Member
 
Join Date: Jun 2021
City & State: Fort Mill, SC
My Country: United States of America
I'm a: Knowledge Seeker
Posts: 19
Re: The T2 Unlocking Method (Hardware)

So your method is almost identical to what "repairmen" on YouTube have been doing for months.
Only difference is you replace only the serial number in the T2 SPI ROM instead of the entire ROM, and you write the original serial number back to the T2 SPI ROM once you're done.
That's clever; Apple probably gets suspicious of the hundreds of "activation unlocked" Macs all running with the same serial number.

I've simplified your guide a bit, for the more "technically inclined":
  1. Power off the Mac, open it up, desolder the T2 ROM, etc.
  2. Read the T2 ROM to a BIN file.
  3. Replace the serial number in the BIN with one accepted by minaT2Activator.app. (see here)
  4. Write the modified BIN back to the T2 ROM.
  5. Solder the T2 ROM back in, etc.
  6. Enter DFU mode and run minaT2Activator.app on another Mac.
    It will jailbreak the device, most likely using checkm8 (the SecureROM exploit), then it does something that activates your Mac. Not sure what the special sauce here is, but I'll figure it out...
  7. Reboot the Mac, reinstall macOS, set it up until you get to the desktop.
  8. Power off the Mac, open it up, desolder the T2 ROM, etc.
  9. Write the original BIN (from Step 2) back to the T2 ROM.
  10. Solder the T2 ROM back in, etc.
  11. Tada.

Note that if you use Internet Recovery to reinstall macOS at any point after following the above instructions, it's likely that your Mac will lock itself again due to the serial number being marked as "locked" on Apple's servers.
You can probably get around this caveat by using a valid serial number generated by OpenCore's `macserial` or what have you in place of your original serial number (see Step 9).
Of course, I can't confirm any of that.

I wonder if minacriss is legally required to upload the source to minaT2Activator.app due to its inclusion of a few opensource libraries? I'm not sure what the individual licenses permit.
As if anyone could contact minacriss in the first place XP
Old 11-29-2021, 04:17 PM   #7
Stephen
Meow Meow MEOW!
 
Join Date: Apr 2020
City & State: Atlanta, GA
My Country: United States
Line Voltage: 120VAC 60hz
I'm a: Hardcore Geek
Posts: 395
Re: The T2 Unlocking Method (Hardware)

Thank you for that! You helped those that are technically inclined! Haha
Old 11-29-2021, 04:33 PM   #8
nikey22
Member
 
Join Date: Aug 2021
City & State: ON
My Country: Canada
Line Voltage: PPBUS_G3H
I'm a: Knowledge Seeker
Posts: 22
Re: The T2 Unlocking Method (Hardware)

Excellent work @Stephen, and thank you @unilock01 for the summary!
Old 11-29-2021, 06:04 PM   #9
unilock01
New Member
 
Join Date: Jun 2021
City & State: Fort Mill, SC
My Country: United States of America
I'm a: Knowledge Seeker
Posts: 19
Re: The T2 Unlocking Method (Hardware)

Quote:
Originally Posted by imranromi
You know where Store M1 macbook SN in eeprom 8mb?
The 8Mb ROM in M1 Macs is the Thunderbolt ROM. It doesn't contain anything interesting for us, as far as I know.
Old 11-29-2021, 08:43 PM   #10
Stephen
Meow Meow MEOW!
 
Join Date: Apr 2020
City & State: Atlanta, GA
My Country: United States
Line Voltage: 120VAC 60hz
I'm a: Hardcore Geek
Posts: 395
Re: The T2 Unlocking Method (Hardware)

Quote:
Originally Posted by unilock01
So your method is almost identical to what "repairmen" on YouTube have been doing for months.
Only difference is you replace only the serial number in the T2 SPI ROM instead of the entire ROM, and you write the original serial number back to the T2 SPI ROM once you're done.
That's clever; Apple probably gets suspicious of the hundreds of "activation unlocked" Macs all running with the same serial number.

I've simplified your guide a bit, for the more "technically inclined":
  1. Power off the Mac, open it up, desolder the T2 ROM, etc.
  2. Read the T2 ROM to a BIN file.
  3. Replace the serial number in the BIN with one accepted by minaT2Activator.app. (see here)
  4. Write the modified BIN back to the T2 ROM.
  5. Solder the T2 ROM back in, etc.
  6. Enter DFU mode and run minaT2Activator.app on another Mac.
    It will jailbreak the device, most likely using checkm8 (the SecureROM exploit), then it does something that activates your Mac. Not sure what the special sauce here is, but I'll figure it out...
  7. Reboot the Mac, reinstall macOS, set it up until you get to the desktop.
  8. Power off the Mac, open it up, desolder the T2 ROM, etc.
  9. Write the original BIN (from Step 2) back to the T2 ROM.
  10. Solder the T2 ROM back in, etc.
  11. Tada.

Note that if you use Internet Recovery to reinstall macOS at any point after following the above instructions, it's likely that your Mac will lock itself again due to the serial number being marked as "locked" on Apple's servers.
You can probably get around this caveat by using a valid serial number generated by OpenCore's `macserial` or what have you in place of your original serial number (see Step 9).
Of course, I can't confirm any of that.

I wonder if minacriss is legally required to upload the source to minaT2Activator.app due to its inclusion of a few opensource libraries? I'm not sure what the individual licenses permit.
As if anyone could contact minacriss in the first place XP
Actually do not rewrite the original BIN it will remove the OS password etc. you must read the ROM again and put in the original serial. You basically are repeating steps 1-6 all over again. If you rewrite with the original BIN file the computer will assume there is no OS with a login and password. You just have to follow my guide all the way through.
Old 11-30-2021, 03:04 PM   #11
unilock01
New Member
 
Join Date: Jun 2021
City & State: Fort Mill, SC
My Country: United States of America
I'm a: Knowledge Seeker
Posts: 19
Re: The T2 Unlocking Method (Hardware)

Quote:
Originally Posted by Stephen
If you rewrite with the original BIN file the computer will assume there is no OS with a login and password.
Ah, you're right; I forgot that the T2 is in charge of disk encryption.
Restoring the original BIN would replace the encryption keys associated with the new macOS installation with those of the old one, leading to the Mac being unable to decrypt the former. Thus leading it to believe the data on the internal disk is corrupt or simply not there - resulting in the infamous "blinking folder".
Old 11-30-2021, 03:39 PM   #12
Stephen
Meow Meow MEOW!
 
Join Date: Apr 2020
City & State: Atlanta, GA
My Country: United States
Line Voltage: 120VAC 60hz
I'm a: Hardcore Geek
Posts: 395
Re: The T2 Unlocking Method (Hardware)

Exactly! So you will have to follow my guide to the T. But the good news is this unlocking method works always as long as you do not restore via DFU. Honestly DFU restore is a desperate measure if the computer refuses to turn on, in most cases you can solve that with another Rom Chip and it can turn on again SOMETIMES.

I have trialed and erred this multiple times and the unlock is flawless hence the guide.
Old 12-01-2021, 09:57 AM   #13
curiositymaster
Member
 
Join Date: Apr 2021
City & State: Lagos
My Country: Nigeria
I'm a: Knowledge Seeker
Posts: 47
Re: The T2 Unlocking Method (Hardware)

Hey Stephen, thanks for sharing this idea for the community. I'm looking forward to when you'll share the M1 solution as well.
Cheers.

Last edited by SMDFlea; 12-01-2021 at 10:50 AM.. Reason: Removed full OP quote......
Old 12-01-2021, 12:02 PM   #14
Stephen
Meow Meow MEOW!
 
Join Date: Apr 2020
City & State: Atlanta, GA
My Country: United States
Line Voltage: 120VAC 60hz
I'm a: Hardcore Geek
Posts: 395
Re: The T2 Unlocking Method (Hardware)

Yes of course! Also I saw your PM. You can remove the EFI Firmware lock easily via DFU but then you would come across an Activation lock. I will get a bin file uploaded for all models created so you can use that Bin file to remove the Firmware lock then use this guide after IF there is an Activation lock. I have a solution for both. Firmware lock will be easy once I have a fully unlocked MacBook Pro 16" MacBook Pro 15" and MacBook Pro 13" etc. I will create a bin file that will allow you to remove the Firmware, once that is done the T2 system and OS will create new data and you will be able to follow this guide for the Activation lock. I have a solution for all of this.
Old 12-01-2021, 12:11 PM   #15
Stephen
Meow Meow MEOW!
 
Join Date: Apr 2020
City & State: Atlanta, GA
My Country: United States
Line Voltage: 120VAC 60hz
I'm a: Hardcore Geek
Posts: 395
Re: The T2 Unlocking Method (Hardware)

Good news, I do have a MacBook Pro 16" fully unlocked on hand, A MacBook Pro 15" A1990 on hand a MacBook Pro 13" 2019 fully unlocked on hand, and a few MacBook Air 13" 2018-2020 on hand. I will get all the bin files from all these devices since they have no firmware or activation lock. These bin files will be utilized for firmware lock unlocks but will not work for Activation HENCE the guide. Yes you have to do more stuff but this is part of the process of the T2 Chip.
Old 12-01-2021, 01:05 PM   #16
lrservicios
New Member
 
Join Date: May 2016
City & State: sevilla
My Country: españa
I'm a: Knowledge Seeker
Posts: 18
Re: The T2 Unlocking Method (Hardware)

Good morning, can I use your guide using a ch341a to read write the chip? I got ezp2019 programmer too as well?
Old 12-01-2021, 03:19 PM   #17
Stephen
Meow Meow MEOW!
 
Join Date: Apr 2020
City & State: Atlanta, GA
My Country: United States
Line Voltage: 120VAC 60hz
I'm a: Hardcore Geek
Posts: 395
Re: The T2 Unlocking Method (Hardware)

I mean I would see no issue if you can properly read the chip but your process would look way differently than mine for sure since you are using different programs. It could be confusing for you but may work. The guide is using the T203 tool. I would honestly use that tool since it comes with all the programs you need to follow the guide to the T. But it is your risk. I wouldn't see why your programming tool would not work as long as you can read the data on the chip.
Old 12-01-2021, 03:43 PM   #18
andriyd1
New Member
 
Join Date: Dec 2013
City & State: new york
My Country: USA
I'm a: Knowledge Seeker
Posts: 9
Re: The T2 Unlocking Method (Hardware)

Quote:
Originally Posted by Stephen
Yes of course! Also I saw your PM. You can remove the EFI Firmware lock easily via DFU but then you would come across an Activation lock. I will get a bin file uploaded for all models created so you can use that Bin file to remove the Firmware lock then use this guide after IF there is an Activation lock. I have a solution for both. Firmware lock will be easy once I have a fully unlocked MacBook Pro 16" MacBook Pro 15" and MacBook Pro 13" etc. I will create a bin file that will allow you to remove the Firmware, once that is done the T2 system and OS will create new data and you will be able to follow this guide for the Activation lock. I have a solution for all of this.
I'm a bit confused here, if you were to program rom data from a different machine to get rid of EFI lock, wouldn't that force you to do a DFU restore? Which in turn will patch jailbreak and make it impossible to do activation lock part?
Old 12-02-2021, 12:08 AM   #19
Stephen
Meow Meow MEOW!
 
Join Date: Apr 2020
City & State: Atlanta, GA
My Country: United States
Line Voltage: 120VAC 60hz
I'm a: Hardcore Geek
Posts: 395
Re: The T2 Unlocking Method (Hardware)

It’s a possibility but I’m going to test this before I fully confirm this. For now this is the only method. I’ll confirm this week with the ROM Data.
Old 12-02-2021, 01:06 AM   #20
curiositymaster
Member
 
Join Date: Apr 2021
City & State: Lagos
My Country: Nigeria
I'm a: Knowledge Seeker
Posts: 47
Re: The T2 Unlocking Method (Hardware)

Quote:
Originally Posted by Stephen
Yes of course! Also I saw your PM. You can remove the EFI Firmware lock easily via DFU but then you would come across an Activation lock. I will get a bin file uploaded for all models created so you can use that Bin file to remove the Firmware lock then use this guide after IF there is an Activation lock. I have a solution for both. Firmware lock will be easy once I have a fully unlocked MacBook Pro 16" MacBook Pro 15" and MacBook Pro 13" etc. I will create a bin file that will allow you to remove the Firmware, once that is done the T2 system and OS will create new data and you will be able to follow this guide for the Activation lock. I have a solution for all of this.
Thanks for your usual feedback Stephen, you’re a rare gem.
I have one MacBook Pro 15” at the moment that has firmware lock as well as iCloud lock, can you suggest a solution for me on this? Cheers
All times are GMT -6.