equipmenttore.blogg.se

Uefitool macbooj efi firmaware
Uefitool macbooj efi firmaware











  1. UEFITOOL MACBOOJ EFI FIRMAWARE SERIAL
  2. UEFITOOL MACBOOJ EFI FIRMAWARE FULL
  3. UEFITOOL MACBOOJ EFI FIRMAWARE CODE
  4. UEFITOOL MACBOOJ EFI FIRMAWARE PASSWORD

UEFITOOL MACBOOJ EFI FIRMAWARE CODE

So if this is true then how is someone selling what appear to be fully working SCBO files? We need to dig deeper and reverse the EFI code responsible for processing this file.Īnd now let’s start the real reverse engineering fun! It would be a surprise if this kind of check wasn’t implemented and anyone could modify the SCBO contents. This provides us with another bit of information – that there is some kind of integrity check on the SCBO contents.

UEFITOOL MACBOOJ EFI FIRMAWARE PASSWORD

The computer will process the file and reset the system, but the password isn’t reset. If we set a firmware password on a test Mac, generate the necessary string, and modify the SCBO accordingly, nothing will happen. Now that we know a bit more about its contents, can the sample SCBO be modified and reused to reset any other Mac’s firmware password? I know this because I had already reversed Apple’s Firmware Password Utility and observed its communications with the kernel extensions that set the EFI NVRAM variables.

uefitool macbooj efi firmaware

Number as previously described, and the last sixteen digits are a nonce value regenerated every time the firmware password is set, removed, or modified.

uefitool macbooj efi firmaware

This is the string Apple support needs, and this is the same string we see inside the SCBO file. To obtain the necessary information, you must hold SHIFT + CONTROL + OPTION + COMMAND + S on the firmware password prompt screen and a string will be generated. How are the SCBO files generated? #Īs previously mentioned, Apple support is able to generate these files after you provide some key information. The rest of the string and binary data that follows are unknown for now. This information can be verified because part of this string can be found in the motherboard of each Mac (my sample is only composed of MacBooks but I guess iMacs and others will contain the same information).

UEFITOOL MACBOOJ EFI FIRMAWARE SERIAL

It appears to be some kind of serial number. A couple of bytes later and we see another string. The SCBO string is clearly visible in the first four bytes, which is a magic number ( 0x4F424353).

UEFITOOL MACBOOJ EFI FIRMAWARE FULL

This picture shows us the full contents of the sample file. The sample file can be downloaded here SCBO_original.zip. So let’s start another EFI reversing engineering adventure…Īt the time I could only find a single SCBO file on the Internet, which is bad (impossible to visualise differences between files) but better than no file at all. Understanding how SCBO files work in the first place was also intriguing. If this were true, it would imply that Apple’s EFI contains a significant vulnerability. The core question I wanted to answer was if it was really possible for someone to build a SCBO file key generator. Upon my return from SyScan360 Singapore, I needed a new research direction to kickstart my brain back into work, and this fit the bill.

uefitool macbooj efi firmaware

Since there was (stil holds true) virtually no information about the SCBO contents, this aroused my curiosity but I never followed up until now. There are videos (in Portuguese but you can watch the whole process) of people claiming this works, and even some claims about an universal SCBO that unlocks multiple Macs. Things got more interesting when I found a website that allegedly sold the SCBO files – just send them the necessary hash (more on this later), pay USD100, and get a working SCBO file in return. Since I don’t have the original sales receipt of this specific Mac, I assume this option isn’t possible, since anyone with a stolen Mac could get the password reset. The normal process workflow is to first contact Apple support. My preliminary research found references to a “magical” SCBO file that could be loaded onto a USB flash drive and booted to remove the password. My original goal when I started poking around Apple’s EFI implementation was to find a way to reset a MacBook’s firmware password.













Uefitool macbooj efi firmaware