How to: Unlock System Lock PIN Code

[J602]

Awesome

Great to hear people are having success!! I got my teensy 3.0 today...missing a mini b cable so I'm off to local radio shack.......I can't wait to get this teensy up and working....my fingers were sore from manually brute forcing lol thanx to all those who contributed I am and surely others are deeply greatful

 

[jharrison456]

Hey guys,

Just some information that I want to share with you lot.

When you get into the EFI, it only shows 2 partitions, the main drive and the recovery partition. But actually 3 partitions exist on the disk. One is a EFI partition, main HDD partition and recovery.

You need to buy yourself an adapter from eBay or whatever your local equivalent is, you should be able to find Macbook SSD to SATA Converters.

Take out the SSD, and delete both partitions through Windows 7 disk management. The EFI partition you won't be able to delete through Windows 7.

So you open up CMD with UAC rights then type these commands, press enter after each one

list disk

select disk number

clean

That will clean the entire drive, you now have a fully formatted drive.

Go ahead and re-install the operating system through a USB or external DVD drive.

(You need OS X to create a USB Installer, if you don't, set up a virtual machine and do it through that)

The iCloud information is stored in the NVRAM (Non-volatile random-access memory) so you need to "zap it" to clean it.

Whilst booting hold Command (⌘), Option, P and R until the machine boots up again. (I held these keys down until it did it so 4 times, just to be sure, I'm weird like that lol)

Congratulations, you now have a Macbook that will never be locked again (unless you lock it yourself ofcourse).

At this point you're free to use your own iCloud information with it!

I just want to say, the reason why I had to unlock my mac is because the previous owner, the person I bought it off, was extorting me for money, they locked it through iCloud then wrote "Send 300 to my bank account if you want it unlocked". I have a legitimate reason for doing this.

I do however know that this thread is now a goldmine to thieves. As we've pretty much cracked it.

On the bright side we've shown Apple the flaws, which they will probably eventually patch it so that Bruteforce doesn't work.

All they have to do is prevent sequential numbers and this will make it very hard to find out the code, or to make it a 6 digit code, that would take like 180 days! But as with everything else, there's always a way and no security is perfect.

That's awesome! We're u on 4 pin iCloud screen before? I'm thinking about ordering a teensy from somewhere ( Not sure where to get one lol) and trying this myself! Don't want to waste the money unless I know there's a working code though.

I was on the 4 pin iCloud screen before yes.

The EFI pin and the iCloud pin turned out to be the same,

Just google it, PJRC sell them.

They're cheap, I will defo keep using mine and learn the language, they're cool little things that you can like program and plug into a friends computer to run scripts and crash their computers

Great news!!! Did you go with the EFI or the iCloud method?

I went with the EFI. The iCloud wasn't really working for me. They both turned out to be the same in the end anyways.

 

[Queen6]

Open to Thieves

I do however know that this thread is now a goldmine to thieves. As we've pretty much cracked it.

On the bright side we've shown Apple the flaws, which they will probably eventually patch it so that Bruteforce doesn't work.

Yep great job, people are even starting to sell these devices on Ebay, by doing this completely open to all, you have done nothing more than open the door to any semi tech savvy thief to unlock stolen Mac`s and sell them on at a higher price, and or those happy to knowingly accept stolen goods; therefore encouraging ever more theft.

Apple will do nothing unless it gets on their "radar" and given that it took them over six months to patch an SMC issue for their premier notebook the 15" Retina`s, so nothing will be coming anytime soon. I seriously doubt those that have their Mac`s stolen, unlocked and sold on as genuine used items will see any bright side in this

I fully understand that a minority will have genuine reason, equally it`s rather self serving given the wider implications. I see the technical challenge, yet I see no need to publicise to "all in sundry".

For some a Mac is a very expensive purchase, some it`s there living, some it`s the culmination of several years study, and for others it`s a quick buck they can make by taking what doesn't belong, I wonder where some of you really stand...

 

[orvtech]

SUCCESSSSSSS!!!!!!!!

I'm in!

Thanks to @Orvtech.

Can you describe what you did to fix it when it was failing for you? We are taling about using the iCloud code against the iCloud lock, right?

----------

using orvtech's code can I add a key press here, so it doesn't sleep? Not sure if it does or not in the iCloud lock out

//lets wait 15 minutes and 30 second
if ((thirdloop >= 1) && (secondcompleted == true)){
delay(930000);
Keyboard.press(KEY_SPACE);
Keyboard.release(KEY_SPACE);
thirdloop = 0;
secondcompleted = false;
firstcompleted = false;
firstloop = 0;
secondloop = 0;
thirdloop = 0;
digitalWrite(ledPin, LOW);

We would need to break that wait in to multiple parts. I will do it for you as soon as you tell me how long does it take for your computer to go to sleep. Can you use a time it and tell me how long?

----------

...I do however know that this thread is now a goldmine to thieves. As we've pretty much cracked it.

On the bright side we've shown Apple the flaws, which they will probably eventually patch it so that Bruteforce doesn't work.

All they have to do is prevent sequential numbers and this will make it very hard to find out the code, or to make it a 6 digit code, that would take like 180 days! But as with everything else, there's always a way and no security is perfect...

The only way to stop this bruteforce is to force people to use alfa numeric characters longer than 8 digits.. if they dont do it might be still worth it to spend some weeks bruteforcing.

Regarding the sequential numbers attempts.. I al ready have a workaround.. I have spend some time analyzing over 3MM PINs from different databases and came up with with a solution... thats all I will say for now

 

[orvtech]

Yep great job, people are even starting to sell these devices on Ebay, by doing this completely open to all, you have done nothing more than open the door to any semi tech savvy thief to unlock stolen Mac`s and sell them on at a higher price, and or those happy to knowingly accept stolen goods; therefore encouraging ever more theft.

Apple will do nothing unless it gets on their "radar" and given that it took them over six months to patch an SMC issue for their premier notebook the 15" Retina`s, so nothing will be coming anytime soon. I seriously doubt those that have their Mac`s stolen, unlocked and sold on as genuine used items will see any bright side in this

Even the moderators also believe that this is ok, when clearly the vast majority who will benefit the most are thieves. I fully understand that a minority will have genuine reason, equally it`s rather self serving given the wider implications. I see the technical challenge, yet I see no need to publicise to "all in sundry".

For some a Mac is a very expensive purchase, some it`s there living, some it`s the culmination of several years study, and for others it`s a quick buck they can make by taking what doesn't belong, I wonder where some of you really stand...

I disagree, we are solving a problem that we as a community have and if you ask me the vast majority are legitimate owners of their equipment. I dont thing that the vast majority of the MacRumors participating in this post community are thieves as you seem to asume.

To answer your question, regarding where I stand, I strongly believe that knowledge should be free (as in freedom), I have also stated on which conditions you can use my code on my blog, if you decide not to comply to those terms it is not my task to prosecute you but I will not give you any support.


If I was a thieve I would not go this way, I would go with the PIC based re-programing, it takes 15 minutes to do it and since the MacBook Pro is not mine I wouldn't care if I brick it. From a business perspective you just want something that works fast and a good TOS/disclaimer.

 

[Queen6]

I disagree, we are solving a problem that we as a community have and if you ask me the vast majority are legitimate owners of their equipment. I dont thing that the vast majority of the MacRumors participating in this post community are thieves as you seem to asume.

To answer your question, regarding where I stand, I strongly believe that knowledge should be free (as in freedom), I have also stated on which conditions you can use my code on my blog, if you decide not to comply to those terms it is not my task to prosecute you but I will not give you any support.


If I was a thieve I would not go this way, I would go with the PIC based re-programing, it takes 15 minutes to do it and since the MacBook Pro is not mine I wouldn't care if I brick it. From a business perspective you just want something that works fast and a good TOS/disclaimer.

I don't by any means assume all, if any are thieves, equally it`s highly likely that some thieves will search and come across this post; implement and propagate this code/device, it would be naive to think otherwise.

The usage is obvious, if it works no need for your support. A thief by nature will always take the easiest route, with least risk and this one is out in the open for all with no traceability. Let`s be straight about it, a thief is hardly likely to offer full disclose with any questions

I also believe the knowledge should be free and open, equally it should be used responsibly, you can absolve yourself if you wish, equally there is a very high chance your code will be used by those with criminal intent, unfortunately we are not all open and honest, nor do we all strive for higher ground. Opening locked systems regardless of OS is relatively easy, spreading this by "Dummies" guides can help and equally hurt how would you feel i wonder if your system was stolen and this code used to unlock it and sell on to an unsuspecting member of the public? As you presently don't own a MBP, you likely don't care.

We can bang back and forward all day, the fact still stands all that`s been achieved here is breaking a security protocol designed to protect legitimate owners of Mac`s, and as with many situations in life serving the minority does not always serve the majority. The average owners Mac and Data is now far less secure thanks to this thread great job...

 

[J602]

Teensy 3.0 on Mac os X

For those having issues using their Teensy 3.0 on mac os x (10.7.5)

First download required software.....double click to extract Teensyduino software, unmount image

Then a dialog box appears with

"To add Teensy support to your Arduino Software,Just run this installer"

Double click the image, Open, choose Next in Installer,navigate to "downloads" folder (or wherever you downloaded the software) go and choose "Arduino.app/" hit Next

Select All or whatever you require and hit Next (I chose All)

Once done hit Done

Now open Arduino software

Navigate to Tools, then navigate to Serial Port and choose the correct port (hint mine was /dev/tty.usb.modem.11234)

Under Tools navigate to Board and choose your Board (Mine was Teensy 3.0)

And last In Tools Navigate to USB Type and choose Keyboard+Mouse+Joystick

Now you Copy and Paste your code in the sketch hit verify button (circle with check mark button top left)

follow the instructions in dialog boxes that pop up......

after that I let my macbook pro 2011 start up, I canceled the choose wireless network dialog box,I then pointed the cursor somewhere in the 4 pin boxes clicked on one and then plugged in the teensy 3.0.....that's how i got mine working after a lot of failed attempts......hope this helps someone....

 

[dancinsmurf]

You are the man!

J602 You are the man!!! I was trying to figure that out for days now! Got my teensy 3 days ago and abandoned the manual bruteforce, trying it now i guess ill post more info when it becomes available.
Thanks!!!

 

[cglinks]

Modifying for Arduino board

Hi,

I've placed an order for a Teensy 3 board, but as I am in the UK it will take a while for it to arrive from the US.

In the meantime I have an Arduino Mega 2560 board and was wondering if anybody could give me any pointers on how to start modifying orvtech's code so that it is compatible with an Arduino board.

Any help would be appreciated,
Thanks.

 

[trigga71]

I will lock my unit with icloud to see if there is a sleep time. So far the code seems to work. Last i checked it was about 1200 in. The 15 min wait time adds so much more time than EFI.

 

[fishmanstan]

Is the efi/icloud pin is the same number? If so, I would try the efi code and run it in small batches to narrow down to a small range then try the icloud with the known range.

 

[J602]

Efi = iCloud? I woud like to know 2

If anybody can confirm the efi being the same as iCloud pin please?? I am on 1200's but now on my 2011 macbook pro I notice sometimes it goes to sleep every minute (I am on iCloud pin).........I press the touch pad and wake it up and the numbers are still being input even though it is asleep....which I though it wouldn't.....I am using ungshungjiu's code,I started 9:34pm Friday night,if the iCloud is the same as the efi (screen with lock) it would be much faster to go with the efi......

 

[fishmanstan]

I just remote locked my macbook and tested out a few things.

The EFI/icloud pin is the same.

You can point a camera at the screen while running the efi brute force method. The computer will reboot to the icloud screen at some point once the right code is entered.

Once it reboots, the icloud lock reappears and the teensy resumes counting from pretty close to where it left off.

Find the point on your footage where it reboots, write down the first visible code recorded on the icloud screen, and work backward from there, should only be a few digits back....

You could probably set a webcam with motion recorder to capture the screen change upon reboot......

I'd also suggest running the efi code in smaller batches just in case.

Thanks to everyone for making this possible.

 

[dancinsmurf]

Had it!

Wow!!! I think I had it!! LOL!
Thanks to orvtech's EFI code on his blog I started friday morning around 3 am and it just now went to choose boot option screen. It showed a recover partition, the regular hard drive and a snow leopard disk that i had forced in and was unable to get out. Well I didnt kno what to do from there and i tried to get it to boot from the cd! Big mistake it failed! giving an error saying to hold down the power button! Sigh i guess i have to start from the start again. wish i could have reversed it to get it to count from up to down....

 

[J602]

Muchas Gracias!

I just remote locked my macbook and tested out a few things.

The EFI/icloud pin is the same.

You can point a camera at the screen while running the efi brute force method. The computer will reboot to the icloud screen at some point once the right code is entered.

Once it reboots, the icloud lock reappears and the teensy resumes counting from pretty close to where it left off.

Find the point on your footage where it reboots, write down the first visible code recorded on the icloud screen, and work backward from there, should only be a few digits back....

You could probably set a webcam with motion recorder to capture the screen change upon reboot......

I'd also suggest running the efi code in smaller batches just in case.

Thanks to everyone for making this possible.

Thanx man!!just what I wanted to hear.I started with the efi earlier and have been recording target macbook screen and my older macbook screen with time widget display to document time(even though I can probably go backwards from icloud pin once efi pin is entered).....shouldn't be much longer then,the icloud method takes way longer!

 

[razche1]

the leostick does support usb hid but i keep getting these errors when i try and compile the code

sketch_mar18b.ino: In function 'void loop()':
sketch_mar18b:11: error: 'keyboard_modifier_keys' was not declared in this scope
sketch_mar18b:39: error: 'KEY_ENTER' was not declared in this scope

 

[dancinsmurf]

EFI iCloud

Yep they are the same. after you bypass the EFI password you are still going to have to get pass the iCloud password.
So i guess it would only make sense to use the efi teensy bruteforce method to find the code. I noticed after passing the efi pin it let me select a drive but then it resumed to restart and put me right back at the icloud pin.
So to summarize, what im saying is that you ultimately have to enter the icloud pin to gain acess after efi is passed. So please make sure to find a method to keep track of the pins that the teensy is trying ....
Good luck..

 

[orvtech]

the leostick does support usb hid but i keep getting these errors when i try and compile the code

I just replied to this in my blog, I believe you are not including the proper libraries for this... I am not 100% sure how to include them but you could try enabling keyboard support before you compile it.

Since it is another board you might need to load other libraries too. If enabling keyboard support does not work, I would try seeking support on a "leo stick" community.

----------

Yep they are the same. after you bypass the EFI password you are still going to have to get pass the iCloud password.
So i guess it would only make sense to use the efi teensy bruteforce method to find the code. I noticed after passing the efi pin it let me select a drive but then it resumed to restart and put me right back at the icloud pin.
So to summarize, what im saying is that you ultimately have to enter the icloud pin to gain acess after efi is passed. So please make sure to find a method to keep track of the pins that the teensy is trying ....
Good luck..

I have been thinking on adding a "light sensor" to this project so that one can attach it with tape or something like that to the screen in a area that one knows it will change when the correct number is introduced.

It will increase the cost of this by no more than $5. I was thinking that if it detects significant change in light, then it will stop the count and repeat the last known number over and over again or until a button is pressed.

 

[fishmanstan]

----------

[/COLOR]
I have been thinking on adding a "light sensor" to this project so that one can attach it with tape or something like that to the screen in a area that one knows it will change when the correct number is introduced.

It will increase the cost of this by no more than $5. I was thinking that if it detects significant change in light, then it will stop the count and repeat the last known number over and over again or until a button is pressed.

This is a pretty good idea. I was wondering if a key logger may help but since it goes into a restart after the correct efi pw is entered, the teensy just keeps counting. My dvr cam pointed at the screen picks up the screen change when it reboots. A light sensor and code tweak could really be useful.

 

[razche1]

Those options aren't available for my device , but i managed to get the code to compile by deleting the keyboard_set_modifiers and changing key_enter to key_return. I tested it on notepad and it was working but when i tried on my mac it didn't input any codes.

 

[J602]

!!!!!!!

Woot woot! big ups to overtech and all those who helped!......

I used his updated efi code...my code is between 9500-9800<---guesstimated...I just modified the efi code from 9600-9700 hopefully it's in this first batch.....math=(hours it took teensy to find code x 60 min x 60 sec/15-17 second intervals for each code input= estimated code

Okay once the teensy 3.0 entered the right code my macbook started to chime....literally.....a choose network box popped up, then Internet Recovery, then a little globe popped up and started spinning...

will update once i got the code.....oh and I recorded it with an iSight and photobooth


EDIT! Found it!.....it was 9463! I miscalculated a little with my math it actually takes a little longer than 17 seconds for each code to be input (it was more like 17.3-17.5 sec each),but I was close enough to start testing with the Teensy 3.0 in smaller batches......

Once I found the range I manually entered in efi screen....once confirmed I restarted in iCloud pin screen entered pin and the macbook restarted.....all I have to do now is install a fresh copy of Mountain Lion or Lion..


Once again thanx to everyone! this headache is finally over.

Anybody else struggling I strongly recommend starting with overtech's updated efi code!

 

[orvtech]

Those options aren't available for my device , but i managed to get the code to compile by deleting the keyboard_set_modifiers and changing key_enter to key_return. I tested it on notepad and it was working but when i tried on my mac it didn't input any codes.

So in a note pat, it enters each digit and then sends enter or it sends all 4 digits?

In the your Mac, it sends none of the digits or just one? or all 4 but never sends enter?

 

[razche1]

notepad it sends all 4 digits and enter but mac sends no digits at all and no enter.

 

[Dyvurcz]

Woot woot! big ups to overtech and all those who helped!......

I used his updated efi code...my code is between 9500-9800<---guesstimated...I just modified the efi code from 9600-9700 hopefully it's in this first batch.....math=(hours it took teensy to find code x 60 min x 60 sec/15-17 second intervals for each code input= estimated code

Okay once the teensy 3.0 entered the right code my macbook started to chime....literally.....a choose network box popped up, then Internet Recovery, then a little globe popped up and started spinning...

will update once i got the code.....oh and I recorded it with an iSight and photobooth



EDIT! Found it!.....it was 9463! I miscalculated a little with my math it actually takes a little longer than 17 seconds for each code to be input (it was more like 17.3-17.5 sec each),but I was close enough to start testing with the Teensy 3.0 in smaller batches......

Once I found the range I manually entered in efi screen....once confirmed I restarted in iCloud pin screen entered pin and the macbook restarted.....all I have to do now is install a fresh copy of Mountain Lion or Lion..


Once again thanx to everyone! this headache is finally over.

Anybody else struggling I strongly recommend starting with overtech's updated efi code!

Got a question for you. If I'm on iCloud screen how
Do I get to efi screen to use the updated code? Just got my teensy today!

 

[J602]

Got a question for you. If I'm on iCloud screen how
Do I get to efi screen to use the updated code? Just got my teensy today!

Just hold down the option key when powering up