Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

I have a FileVault firmware password protected MacBook Air 2015, can I recover the SSD data from it?

MacCheetah3 said:
As @nathansz stated, the storage device doesn’t matter. Presumably, here’s all of what Apple’s servers need to know (with example):

Account > Device > Username
----------------------------------
johnny5@icloud.com > John’s MacBook Air > john
jane99@icloud.com > John’s MacBook Air > jane

So, if John needs to reset his macOS account password, he logs in iCloud, selects his MBA, then selects his username and follows the instructions to create a new password.
Click to expand...
I understand that, but what I am proposing is:

johnny5@icloud.com > John’s MacBook Air (SN 123456) > john

Now, the item "John’s MacBook Air (SN 123456)" gets broken by wine spillage. You take out the still working SSD that contains user "john", user that's linked to Apple ID "johnny5@icloud.com".

If you enter the Apple ID web and try to recover the local password for user john, I am guessing it will fail as the item "John’s MacBook Air (SN 123456)" does not exist anymore.

And my question is... what if create a local account with the name john, in my new "John’s MacBook Air (SN 456123)", same model, different SN and HW, link to that user the "johnny5@icloud.com" Apple ID, now I will own 2 different MacBook Airs (SN 123456 and SN 456123), then I plug the SSD from the broken one and plug it into the new one, and click on recover the password?

According to you If I understood you correctly, Apple should check if that MBA "John’s MacBook Air (SN 456123)" is owned by "johnny5@icloud.com", that will be correct, then will search for user name john, that will be correct too, and then will check if that user john had "johnny5@icloud.com" linked to it, which will be correct too?

So I don't need anymore the original broken motherboard?
 
Last edited:
nathansz said:
Mostly yes

It MAY BE possible, if you know the serial number and other identifiers of the original machine to assign then to a different motherboard and reset it that way

I don’t know if that would work but it would be worth a try if you happened to know those identifying numbers

But if you don’t know the password I’m guessing you don’t know those
Click to expand...
So, can you tell me what's wrong in my post up here #51, if it turns out you are right and I need mandatory the original broken mobo?
 
nathansz said:
You would need to know the original:

Serial number
Board serial
SMUUID

To be clear, even this might not work
Click to expand...
But wasn't this relation of components AFTER MBA 2017 and later?

That UID was mentioned earlier that it was implemented after my MBA 2015, check:
"On Macs with Apple silicon and those with a T2 chip, a unique hardware UID (Unique Identifier) stored in the Secure Enclave plays a crucial role in encrypting and protecting the volume encryption key (VEK). This UID, along with the user's password, is essential for decrypting the volume and accessing the data on the SSD. The UID is permanently embedded in the chip and is not accessible outside the Secure Enclave"
 
Last edited:
alexmartinpc said:
And my question is... what if create a local account with the name john, in my new "John’s MacBook Air (SN 456123)", same model, different SN and HW, link to that user the "johnny5@icloud.com" Apple ID, now I will own 2 different MacBook Airs (SN 123456 and SN 456123), then I plug the SSD from the broken one and plug it into the new one, and click on recover the password?

According to you If I understood you correctly, Apple should check if that MBA "John’s MacBook Air (SN 456123)" is owned by "johnny5@icloud.com", that will be correct, then will search for user name john, that will be correct too, and then will check if that user john had "johnny5@icloud.com" linked to it, which will be correct too?

So I don't need anymore the original broken motherboard?
Click to expand...
Yes.

EDIT:
After a walk away and now a reread… Your idea is to temporarily install a fresh SSD, install a fresh copy of macOS, setup the Mac with an account with the same err previous username and Apple ID. Then, swap to the previous SSD and use the cloud-related password reset function(s).

I’m going to stick with my yes, it could/should work; however, I can’t say with certainty as I’ve never encountered or read about quite that scenario. But in theory...
 
Last edited:
alexmartinpc said:
So MacCheetah3 says I can recover it using Apple ID web and no need the original MoBo, and nathansz says I DO need the original motherboard. Who's right?
Click to expand...

Well I guess we will find out when you try to do it with the Apple ID?

And to be clear. I’m not saying you need the original motherboard

I am saying that you would probably need to the apply the original:

Serial number
Board serial number
SMUUID

To the alternate motherboard

Maybe

Maybe it wouldn’t work at all
 
I’m a little lost reading back

Are we talking about a FileVault password or a firmware password
 
nathansz said:
I’m a little lost reading back

Are we talking about a FileVault password or a firmware password
Click to expand...
What we don't know: local user account password (which I guess is the same as the FileVault password)
What we know: the Apple ID linked to that local account password, both account and password of the Apple ID

What we want: recover the local account password using Apple ID, from the web

The problem: the original MBA 2015 got the MoBo broken, hence that MBA shown in the Apple ID "My devices" no longer exists.

What can I do: plug the SSD that has the pass unknown local account, into any other MBA and try to recover that local account password using the known Apple ID.

I mean check post #51, it's very clear the way I explain it there.
 
alexmartinpc said:
If you enter the Apple ID web and try to recover the local password for user john, I am guessing it will fail as the item "John’s MacBook Air (SN 123456)" does not exist anymore.

And my question is... what if create a local account with the name john, in my new "John’s MacBook Air (SN 456123)", same model, different SN and HW, link to that user the "johnny5@icloud.com" Apple ID, now I will own 2 different MacBook Airs (SN 123456 and SN 456123), then I plug the SSD from the broken one and plug it into the new one, and click on recover the password?
Click to expand...
Sorry to be the bearer of bad news but this is all a waste of time. First off, that's not how accounts are registered or even identified by macOS (or Apple). If that's how it worked, I could spoof your SN and make an account with the same name to claim your stuff 😅. Upon creation, the account name is irrelevant. What matters is both the keychain (as it has access to low level security) and the account hash (a string of random numbers and letters). This is then paired with a ton of additional data and low level checks to protect its privacy. Even if you remade the account using the exact same username and password, it still wouldn't matter. Macs are far more sophisticated, even back in 2015. That account, even if called the same, has nothing to do with the old one. It's like calling your son after yourself. Two different people.

Second, touching accounts that aren't your own has been tricky since 2010-12 when Apple moved to a much stronger algorithm and began using a stronger series of locks to protect user data (from basically what you want to do). You can't simply access the contents of a drive that are owned by another user. Even if FV was not enabled. It's possible, but it will require a level of forensics.

I would suggest you make a clone of it and work off that. It will be much easier and safer. Moreover, I think enclosures that support Apple SSDs (they don't have their own controller boards) start at around $100 USD. So not cheap. You're better off getting a 1TB external and working off there.

You can check if FV is enabled on the drive by connecting it and opening DU, then selecting the main container. If FV is enabled, you'll see something like: APFS Volume Group • APFS (Encrypted). If not, then it will be listed as APFS (or I suppose HFS+ for you). If it is encrypted, the data is gone. You'll need CIA level tech to recover, some of it.
 
  • Love
  • Like
Reactions: redcarian and nathansz
ultratiem said:
Sorry to be the bearer of bad news but this is all a waste of time. First off, that's not how accounts are registered or even identified by macOS (or Apple). If that's how it worked, I could spoof your SN and make an account with the same name to claim your stuff 😅. Upon creation, the account name is irrelevant. What matters is both the keychain (as it has access to low level security) and the account hash (a string of random numbers and letters). This is then paired with a ton of additional data and low level checks to protect its privacy. Even if you remade the account using the exact same username and password, it still wouldn't matter. Macs are far more sophisticated, even back in 2015. That account, even if called the same, has nothing to do with the old one. It's like calling your son after yourself. Two different people.

Second, touching accounts that aren't your own has been tricky since 2010-12 when Apple moved to a much stronger algorithm and began using a stronger series of locks to protect user data (from basically what you want to do). You can't simply access the contents of a drive that are owned by another user. Even if FV was not enabled. It's possible, but it will require a level of forensics.

I would suggest you make a clone of it and work off that. It will be much easier and safer. Moreover, I think enclosures that support Apple SSDs (they don't have their own controller boards) start at around $100 USD. So not cheap. You're better off getting a 1TB external and working off there.

You can check if FV is enabled on the drive by connecting it and opening DU, then selecting the main container. If FV is enabled, you'll see something like: APFS Volume Group • APFS (Encrypted). If not, then it will be listed as APFS (or I suppose HFS+ for you). If it is encrypted, the data is gone. You'll need CIA level tech to recover, some of it.
Click to expand...
"If that's how it worked, I could spoof your SN and make an account with the same name to claim your stuff 😅"

Your statement there is wrong, but I can accept that my explanation is not how it works.

You could spoof my serial number, okay, you can create a john local account too, that's fine, although Apple would not let you claim that SN because it's already being used by another Apple ID, there's your first error. Anyways, if that was still possible, you would STILL try to recover a john local account password using an Apple ID that's not linked to that john local account (in my theory, the SSD has data to check if the Apple ID used to recover john password is the one Apple ID linked to that john account), so your plan would not work in my previous explanation, that I repeat, can be wrong and not how it works.

Anyways, tomorrow I will get the MacBook Air and will check all this stuff. So, you are saying that I can NOT plug in the SSD to this new motherboard?

Previous users said I would boot perfectly from it, and if I remember the local account password, I should be able to access the local account and data, even if it's encrypted, because I entered the user password, which is the one FileVault uses, right?

And if I don't remember the local account, but it happens to be linked to an Apple ID I know, you say, what, that I wouldn't be able to use the known Apple ID to recover the local Account Password because I would need the original motherboard to do it this way?
 
alexmartinpc said:
You could spoof my serial number, okay, you can create a john local account too, that's fine, although Apple would not let you claim that SN because it's already being used by another Apple ID,
Click to expand...

Ya if you just want to keep making stuff up go ahead. At the end of the day, argue with all the people you want. You will never touch a single byte on that drive.

Cheers.
 
ultratiem said:
Ya if you just want to keep making stuff up go ahead. At the end of the day, argue with all the people you want. You will never touch a single byte on that drive.

Cheers.
Click to expand...
Why you mad, lol?

First, I didn't make up anything, I just put an example BASED on what others said before me. If they are wrong, that's fine. I'm not arguing with anyone, we are talking normally, sharing knowledge. I don't know why you have to come with that bad vibing tone "go ahead make stuff up, argue with everyone, you'll never touch a single byte"... it's so extra.

So according to you how does it work then?

You have a MacBook Air 2015 with FW pass you don't remember and a local account with a pass you don't remember, with FileVault enabled. The motherboard gets broken.

How do you recover the data from the SSD?

Scenario 1: there was an Apple ID linked to that local account, that you of course have access to.

Scenario 2: no Apple ID linked.

Scenario 2 is easy: plug to any MBA 2015, boot and you either enter correctly the password or don't get the data. But what about Scenario 1?
 
Last edited:
alexmartinpc said:
Why you mad, lol?

First, I didn't make up anything, I just put an example BASED on what others said before me. If they are wrong, that's fine. I'm not arguing with anyone, we are talking normally, sharing knowledge. I don't know why you have to come with that bad vibing tone "go ahead make stuff up, argue with everyone, you'll never touch a single byte"... it's so extra.

So according to you how does it work then?

You have a MacBook Air 2015 with FW pass you don't remember and a local account with a pass you don't remember, with FileVault enabled. The motherboard gets broken.

How do you recover the data from the SSD?

Scenario 1: there was an Apple ID linked to that local account, that you of course have access to.

Scenario 2: no Apple ID linked.

Scenario 2 is easy: plug to any MBA 2015, boot and you either enter correctly the password or don't get the data. But what about Scenario 1?
Click to expand...

I think you’ve got this all completely wrong

Please do let us know how your experiment goes
 
alexmartinpc said:
I am well aware of that, good luck trying to impose that correct view to friends and relatives that barely know what is an OS.

Anyways, if somehow FileVault is not enabled, I think I could access the data if I connect the SSD via USB adapter, via MTP.

If I'm not wrong, Apple can help you, with a proof of purchase, disable the firmware password so you can use the MacBook again, BUT, what Apple can't do is remove the password of a local account, right?
Click to expand...
Apple can remove a Firmware Passcode. Which is entirely different from disabling FileVault.

Nothing Apple can do will retrieve the data from this Mac.
 
FreakinEurekan said:
Apple can remove a Firmware Passcode. Which is entirely different from disabling FileVault.

Nothing Apple can do will retrieve the data from this Mac.
Click to expand...
I know, but what I can do is put the original SSD inside the new motherboard, boot normally and try to insert the correct password, right?

Or the original SSD will only be able to boot from the original motherboard (which is broken now)?
 
alexmartinpc said:
I know, but what I can do is put the original SSD inside the new motherboard, boot normally and try to insert the correct password, right?

Or the original SSD will only be able to boot from the original motherboard (which is broken now)?
Click to expand...
So you HAVE the password now? Guess I’ve lost track…

¯\_(ツ)_/¯ give it a try, I guess.
 
  • Like
Reactions: DCIFRTHS and nathansz
FreakinEurekan said:
So you HAVE the password now? Guess I’ve lost track…

¯\_(ツ)_/¯ give it a try, I guess.
Click to expand...
TRY to insert. Try. If I knew the pass I would say "and insert the password".


Anyways, my relative just wanted to use the MBA rn and we've scheduled the "put the old SSD inside and try to guess the pass or see if it's encrypted for later".

If I am not wrong, I think someone put here that you can boot the MBA from recovery and type some commands to check if the SSD is encrypted, if the user has an Apple ID linked, etc... I will try that.
 
alexmartinpc said:
If I am not wrong, I think someone put here that you can boot the MBA from recovery and type some commands to check if the SSD is encrypted, if the user has an Apple ID linked, etc... I will try that.
Click to expand...

If FileVault is enabled, you can't get into macOS Recovery without an account password or recovery key.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back