A security engineer that goes by the name fG!, specilized in Mac security and reverse engineering, has found a way to reset a Mac’s firmware password without help from Apple’s support team.
Apple allows iMac and MacBook users to set a password for their firmware, so no intruder can go in there and change core device settings.
Apple helps authorized users to reset their firmware password
Just like any password, users tend to forget it, once in a while. In case this happens, users can call Apple Support, and during boot-up, they’re guided through a process of pressing five keys simultaneously [SHIFT + CONTROL + OPTION + COMMAND + S] to make a long code appear on their screen.
Users give this code to Apple’s staff, and they receive back an SCBO file. Users can then put this file on a USB flash drive, insert it into their device and remove the password.
This is all fine and dandy, but only if you can prove ownership of your device with the original sales receipt. If you can’t, then you’re left on your own.
Crooks are selling SCBO files online for $100
fG! says he discovered shady online services that were providing SCBO files, but for a fee of $100. Since trusting this kind of services and running mysterious code on his laptop did seem like a good idea, the researcher set out to find out how SCBO and Apple’s EFI (Extensible Firmware Interface) worked, and if he could find a way to bypass this process.
You can read theon fG!’s personal blog, but the good news is that he managed to find a way to do it. Below are the researcher’s findings:
“ My work helped me determine that the EFI variable that contains the firmware password information is “CBF2CC32”. ”
“ If you have a SPI flasher and want to remove an Apple EFI firmware password, what you need to do is to dump the flash contents, remove the “CBF2CC32” variable (you just need to flip a single bit on its name for example), and reflash the modified firmware. Or just locate the variable and erase or modify it directly without reflashing the whole contents. ”
“ There is also another way to do this. The “3E6D568B” variable is special because if you remove it, the NVRAM will be reset to a default state where the firmware password is not set anymore. ”
Is Apple Support compromised?
Furthermore, the researchers also discovered that there was no way to generate an SBCO file without having access to Apple’s private encryption keys.
The online services that were selling SBCO files were obviously fake, or downright illegal.
“ So what is happening with all those videos and people claiming they were able to buy SCBO files from websites? My bet is that these guys somehow are able to submit illegitimate requests to Apple’s support system and then sell the SCBO files they receive for some nice fat profit. These could be insiders working at Apple support centers or even Apple itself. Only Apple has a real chance to investigate and track the source of these files. ”
Remember? When the press discovered that hackers were offering Apple employees in Ireland thousands of euros for their enterprise passwords? We now may know why crooks are willing to pay so much for Apple employee credentials.
Warning: If it ever gets to the point of having to reset your firmware password, please consult a specialist before attempting any of the advice described in this article.