Announcement

**curiositymaster** · 01-31-2022, 11:38 AM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by betonel View Post

Here we try to figure out a way to bypass activation lock (FMM) and password lock. Until now there is no method available, but we're working to figure it out.

Do you have boardview file/schematics for any 13" M1? I need to know where the w25q64 is located and how did you manage to read it?

**SMDFlea** · 01-31-2022, 01:31 PM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by curiositymaster View Post

Do you have boardview file/schematics for any 13" M1? I need to know where the w25q64 is located and how did you manage to read it?

Schematic requests go here: https://www.badcaps.net/forum/forumdisplay.php?f=41 .Use the forum search as well,it might be posted already

**Stephen** · 01-31-2022, 02:20 PM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by betonel View Post

Here we try to figure out a way to bypass activation lock (FMM) and password lock. Until now there is no method available, but we're working to figure it out.

What we know so far:

1. There is a W25Q64 8Mb 3x4mm wson8 chip on the back of the board with part of NVRAM ( some strings can be seen in its dump, eg: iBoot-6723.50.2, boot-args=.nonce-seeds=, luetoothInternalControllerInfo= bt mac, InstallPhase -> Boot 1 ) but no serial number in clear.

Other strings: Apple Secure Boot Root CA - G21.0, AppleStorageProcessorANS2-1161.40.21~221

2. Some suggest SN might be stored in ssd first nand, on hidden partition, some say it is tied to M1 processor itself ( which I doubt ).

3. Checkra1n / MinaTool / CheckM8 solution does not work on these devices, as there is newer iBoot version (T2 bios chip is just 4Mb vs M1 8Mb). An idea would be to downgrade iBoot so can be accessed on ssh. Good dump would be required here, maybe there are older versions we can use.

4. I have discovered a way to browse with safari if you boot into diagnostics mode ( hold on power until startup option is shown then press and hold Command-D, let it finish checking then click on find out more ), but from here you can't run any app, even if you can see it on usb mass storage attached. You can also download app but couldn't find a way to run it.

5. Now I have W25Q64 outside of locked macbook, wired to the board with long cable, so tests can be performed easier.
If you have dumps for 13"/14"/15" ( locked /unlocked ) please share them here for testing and comparation. Dump with secureboot disabled might help.

6. Other way around can be writing SN from locked M1 into unlocked T2 mac, register it to mdm/icloud then get code. Looking for volunteers.

Once we find out more interesting things will edit this first post to keep it simple. There is no doubt we'll find solution soon.

You are on to something, however, the M1 Soc Rom chip does not have Serial Data on it. We have verified this with an MBA M1. No actual serial data on that, now I would not be surpised it is on the M1 itself...or the nand as you suggest, but why would it be in the nand is my question. It may be on something, if we can track that down, we just solved M1 locked devices that are MDM locked. Easy peasy

**RethoricalCheese** · 01-31-2022, 02:25 PM

Re: Macbook M1 bypass FMM / EFI Unlock

Why would it be in the nand? Have you seen iPhones and iPads?

Apple has done it before so it might be same with M1 macbooks.

**Stephen** · 01-31-2022, 02:35 PM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by RethoricalCheese View Post

Why would it be in the nand? Have you seen iPhones and iPads?

Apple has done it before so it might be same with M1 macbooks.

Where would it be then? For sure not the nand I am sure...

**heatorious** · 01-31-2022, 02:51 PM

Re: Macbook M1 bypass FMM / EFI Unlock

To add on this would be MDM locks with fmm off. Is there a bypass or full removal option. I wrote a script back for 2015-2017 models before the usb thing to bypass the mdm prompts upon boot. Will be looking into getting a M1 and tweaking to see if i can get it to work on a M1.

**LEOMORALES** · 01-31-2022, 03:23 PM

Re: Macbook M1 bypass FMM / EFI Unlock

It's the Nand. The info is in the nand. We have lowered the nand and tried to read with irrepair 12 but it does not let me read, it is hidden in some way. If you could access that hidden info, it would be there like the iPad info.

**betonel** · 01-31-2022, 04:21 PM

Re: Macbook M1 bypass FMM / EFI Unlock

What if you remove nand and run diagnostic mode, I guess you will be able to see SN there. Funny will be that SN is generated from bt mac + wifi mac, and we're looking for something that doesn't exist.

Need to compare dumps from SOC rom of M1, @Stephen, can you share some? Will upload mine tomorrow.

**Stephen** · 01-31-2022, 11:13 PM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by betonel View Post

What if you remove nand and run diagnostic mode, I guess you will be able to see SN there. Funny will be that SN is generated from bt mac + wifi mac, and we're looking for something that doesn't exist.

Need to compare dumps from SOC rom of M1, @Stephen, can you share some? Will upload mine tomorrow.

Sure I can get some M1 info for a locked device.

**betonel** · 02-01-2022, 01:58 AM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by curiositymaster View Post

Do you have boardview file/schematics for any 13" M1? I need to know where the w25q64 is located and how did you manage to read it?

Winbond chip is located on the back side of the board similar with T2 models. Attached you can find some pictures of what I've done. Be careful, it's 1.8V chip, so you need to use appropriate programmer adapter.
If you wonder what kind of wires I've used.. it's old pc IDE cable

Instead of wasting money on T203 (~$200) and get stuck with uson4*3 or DS809SE (~$200) which is exactly an R809F i use this:

64$ RT809F + 15 adapters ( 1.8V adapter required!)
https://s.click.aliexpress.com/e/_A6uAnD
Programmer ( same as DS809SE )

25$ MacBook Apple Notebook Maintenance Serial Number Modification Tool T2 Chip Unlock BIOS Read Adapter Board
https://s.click.aliexpress.com/e/_ApVJfz
Let us program USON2*3 U3750+U3710 Wifi+BT ROM, XSON4*4, Apple T2 ROM USON 4*3 and Macbook M1 SOC, WSON6*5, WSON**6 and WLCSP 16 ball used on A1534 bios or SSD rom.

$52 Sam Connector with Seat Socket Serial Line for DS809SE
https://s.click.aliexpress.com/e/_A0aPKx
Small mod is required to work with RT809F: undo all pins from connector and put it reverse way -> red will be on opposite side , and run a wire from PIN 8 (+) to pin 8 on the board , which you can hold it by hand, without needing to power on MB machine.

Attached Files

**betonel** · 02-01-2022, 02:17 AM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by Stephen View Post

Sure I can get some M1 info for a locked device.

Attached is my SOC chip dump and multiple tests.
SN from this dump is FVFDV113Q05P.

Please upload yours..

Unlocked with Secure boot disabled is wanted.

btw: if you re not a bot, to get correct SN, xor all 1 with 1

Attached Files

W25Q64FV.zip (11.42 MB, 502 views)

**Stephen** · 02-01-2022, 08:54 AM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by betonel View Post

Attached is my SOC chip dump and multiple tests.
SN from this dump is FVFDV113Q05P.

Please upload yours..

Unlocked with Secure boot disabled is wanted.

btw: if you re not a bot, to get correct SN, xor all 1 with 1

How did you get the serial number from the dump besides the bottom case from the MacBook? Was this from the chip or bottom case? This information will make M1 unlocks a piece of cake with a serial number change for MDMs.

**betonel** · 02-01-2022, 09:05 AM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by Stephen View Post

How did you get the serial number from the dump besides the bottom case from the MacBook? Was this from the chip or bottom case? This information will make M1 unlocks a piece of cake with a serial number change for MDMs.

Unfortunately SN is from bottom case and/or from Diagnostics mode. Can you share your M1 SOC dumps ?

**imranromi** · 02-01-2022, 09:52 AM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by betonel View Post

Unfortunately SN is from bottom case and/or from Diagnostics mode. Can you share your M1 SOC dumps ?

Here both file is M1
Mdm locked.

Attached Files

**heatorious** · 02-01-2022, 06:21 PM

Re: Macbook M1 bypass FMM / EFI Unlock

Does any one have a working M1 FMM off and MDM locked. If so can ya pm me i want to try to see if i can do a decent bypass of the prompts thru updating until we have a more perm solution. I've only seen some things about editing the host file don't know how that would go thru updates.

**betonel** · 02-02-2022, 04:08 AM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by imranromi View Post

Here both file is M1
Mdm locked.

Please tell us SN for each dump and machine type. BTW..

Couldn't start my MBP M1 13" 2020 with your dumps. It will start DFU mode at least.

M1.bin -> iboot-6723.61.3
M2.bin -> iboot-6723.41.11
my.bin -> iboot-6723.50.2

**Nico Latour** · 02-02-2022, 03:11 PM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by Stephen View Post

You are on to something, however, the M1 Soc Rom chip does not have Serial Data on it. We have verified this with an MBA M1. No actual serial data on that, now I would not be surpised it is on the M1 itself...or the nand as you suggest, but why would it be in the nand is my question. It may be on something, if we can track that down, we just solved M1 locked devices that are MDM locked. Easy peasy

m1 bin is encrypt! when you decrypt you see serial!!! but change serial in this bin is not working for unlock icloud)

**curiositymaster** · 02-02-2022, 10:25 PM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by betonel View Post

Winbond chip is located on the back side of the board similar with T2 models. Attached you can find some pictures of what I've done. Be careful, it's 1.8V chip, so you need to use appropriate programmer adapter.
If you wonder what kind of wires I've used.. it's old pc IDE cable

Instead of wasting money on T203 (~$200) and get stuck with uson4*3 or DS809SE (~$200) which is exactly an R809F i use this:

64$ RT809F + 15 adapters ( 1.8V adapter required!)
https://s.click.aliexpress.com/e/_A6uAnD
Programmer ( same as DS809SE )

25$ MacBook Apple Notebook Maintenance Serial Number Modification Tool T2 Chip Unlock BIOS Read Adapter Board
https://s.click.aliexpress.com/e/_ApVJfz
Let us program USON2*3 U3750+U3710 Wifi+BT ROM, XSON4*4, Apple T2 ROM USON 4*3 and Macbook M1 SOC, WSON6*5, WSON**6 and WLCSP 16 ball used on A1534 bios or SSD rom.

$52 Sam Connector with Seat Socket Serial Line for DS809SE
https://s.click.aliexpress.com/e/_A0aPKx
Small mod is required to work with RT809F: undo all pins from connector and put it reverse way -> red will be on opposite side , and run a wire from PIN 8 (+) to pin 8 on the board , which you can hold it by hand, without needing to power on MB machine.

Thanks for this info. I have the DS809SE and t203.

**ebaymonster** · 02-02-2022, 11:35 PM

Re: Macbook M1 bypass FMM / EFI Unlock

Originally posted by betonel View Post

Unfortunately SN is from bottom case and/or from Diagnostics mode. Can you share your M1 SOC dumps ?

I have 5pcs MBA 2020 m1 and 1 MBP 13 m1 + t203. if you want i can desoldering and make dump.

Announcement

Macbook M1 bypass FMM / EFI Unlock

Macbook M1 bypass FMM / EFI Unlock

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment