scanasfen.blogg.se

1. Uefitool mac serial#
2. Uefitool mac update#
3. Uefitool mac full#
4. Uefitool mac code#
5. Uefitool mac password#

You will need UEFITool’s new_engine branch if you want support for NVRAM partition contents (which is super useful feature, thanks Nikolaj!). The great UEFITool can easily extract contents from dumps and SCAP (to mass extract all the files use UEFIExtract utility instead).

Uefitool mac update#

I maintain an up-to-date Apple firmware update repository, which you can use to easily download EFI updates or verify the contents of your EFI flash if you fear nation states are attacking you.

The first thing we need to do is to extract all the EFI binaries either from a flash chip dump that holds EFI contents or from a SCAP file found in EFI updates (for unknown reasons the fd format is also used for some Macs).

Uefitool mac code#

So if this is true then how is someone selling what appear to be fully working SCBO files? We need to dig deeper and reverse the EFI code responsible for processing this file.Īnd now let’s start the real reverse engineering fun! It would be a surprise if this kind of check wasn’t implemented and anyone could modify the SCBO contents. This provides us with another bit of information – that there is some kind of integrity check on the SCBO contents.

Uefitool mac password#

The computer will process the file and reset the system, but the password isn’t reset. If we set a firmware password on a test Mac, generate the necessary string, and modify the SCBO accordingly, nothing will happen. Now that we know a bit more about its contents, can the sample SCBO be modified and reused to reset any other Mac’s firmware password? I know this because I had already reversed Apple’s Firmware Password Utility and observed its communications with the kernel extensions that set the EFI NVRAM variables. Number as previously described, and the last sixteen digits are a nonce value regenerated every time the firmware password is set, removed, or modified. This is the string Apple support needs, and this is the same string we see inside the SCBO file. To obtain the necessary information, you must hold SHIFT + CONTROL + OPTION + COMMAND + S on the firmware password prompt screen and a string will be generated. How are the SCBO files generated?Īs previously mentioned, Apple support is able to generate these files after you provide some key information. The rest of the string and binary data that follows are unknown for now. This information can be verified because part of this string can be found in the motherboard of each Mac (my sample is only composed of MacBooks but I guess iMacs and others will contain the same information).

Uefitool mac serial#

It appears to be some kind of serial number. A couple of bytes later and we see another string. The SCBO string is clearly visible in the first four bytes, which is a magic number ( 0x4F424353).

Uefitool mac full#

This picture shows us the full contents of the sample file. The sample file can be downloaded here SCBO_original.zip. So let’s start another EFI reversing engineering adventure…Īt the time I could only find a single SCBO file on the Internet, which is bad (impossible to visualise differences between files) but better than no file at all. Understanding how SCBO files work in the first place was also intriguing. If this were true, it would imply that Apple’s EFI contains a significant vulnerability. The core question I wanted to answer was if it was really possible for someone to build a SCBO file key generator.

Upon my return from SyScan360 Singapore, I needed a new research direction to kickstart my brain back into work, and this fit the bill. Since there was (stil holds true) virtually no information about the SCBO contents, this aroused my curiosity but I never followed up until now.

There are videos (in Portuguese but you can watch the whole process) of people claiming this works, and even some claims about an universal SCBO that unlocks multiple Macs. Things got more interesting when I found a website that allegedly sold the SCBO files – just send them the necessary hash (more on this later), pay USD100, and get a working SCBO file in return. Since I don’t have the original sales receipt of this specific Mac, I assume this option isn’t possible, since anyone with a stolen Mac could get the password reset. The normal process workflow is to first contact Apple support. My preliminary research found references to a “magical” SCBO file that could be loaded onto a USB flash drive and booted to remove the password. My original goal when I started poking around Apple’s EFI implementation was to find a way to reset a MacBook’s firmware password.