The normal process workflow is to first contact Apple support. My preliminary research found references to a âmagicalâ SCBO file that could be loaded onto a USB flash drive and booted to remove the password. Now since you forgot your password, just enter wrong passwords many times on the login screen, and you will see a message just as you can see in the screenshot below that states that you can reset the password using the Apple ID.My original goal when I started poking around Appleâs EFI implementation was to find a way to reset a MacBookâs firmware password. One of the simplest and easiest ways to reset Mac OS X password is resetting by using your Apple ID.The Mobile Plans app lets you add your PC to your current mobile operator account, so you can get online using mobile data with the same account you use today.To reset your superuser password, login to any other Admin account, enable root user, then su, then sudo passwd Note: Blank or empty password for root will not allow sudo or su commands will simply give error: 'Sorry' To enable root user via terminal: dsenableroot To disable root user: dsenableroot -d. There are videos (in Portuguese but you can watch the whole process) of people claiming this works, and even some claims about an universal SCBO that unlocks multiple Macs.Mobile Plans. Things got more interesting when I found a website that allegedly sold the SCBO files â just send them the necessary hash (more on this later), pay USD100, and get a working SCBO file in return.
Reset Forgotten On Sierra Emulator Mac OS XSo letâs start another EFI reversing engineering adventureâ¦At the time I could only find a single SCBO file on the Internet, which is bad (impossible to visualise differences between files) but better than no file at all. Understanding how SCBO files work in the first place was also intriguing. If this were true, it would imply that Appleâs EFI contains a significant vulnerability. Native support for macOS Big Sur (11.2) and Apple M1 hardware.The core question I wanted to answer was if it was really possible for someone to build a SCBO file key generator. Upon my return from SyScan360 Singapore, I needed a new research direction to kickstart my brain back into work, and this fit the bill.Previously, a Recovery One Time Password was only captured if a LastPass user logged in. It appears to be some kind of serial number. A couple of bytes later and we see another string. The SCBO string is clearly visible in the first four bytes, which is a magic number ( 0x4F424353). To obtain the necessary information, you must hold SHIFT + CONTROL + OPTION + COMMAND + S on the firmware password prompt screen and a string will be generated. How are the SCBO files generated?As previously mentioned, Apple support is able to generate these files after you provide some key information. The total file length is 324 bytes. The rest of the string and binary data that follows are unknown for now. ![]() The initial best clue is the magic value from the SCBO file, since it should be checked somewhere in the code. You can use other firmware files â the GUIDs will still be the same but addresses and some content might differ.With the payload extracted we can finally try to find where to start reversing. You will need UEFIToolâs new_engine branch if you want support for NVRAM partition contents (which is super useful feature, thanks Nikolaj!).The target Mac used on this post is a MacBook Pro 8,2 and the files were all extracted from this firmware update file, MBP81_0047_2CB_LOCKED.scap. The great UEFITool can easily extract contents from dumps and SCAP (to mass extract all the files use UEFIExtract utility instead). Office 2016 vs 2011 for macWhat is the procedure to use the SCBO file?To assist our reversing engineering effort it is important to collect as much data as possible about our target works. In (U)EFI world there are no filenames, everything is referenced by a 128 bits GUID.This means that we have a good entrypoint into this problem and now need to reverse backwards to understand what this function is trying to accomplish and how is it called. If you want to grep for strings please remember that most strings in EFI binaries are Unicode (two bytes wide).There is only a single hit, a DXE phase binary with GUID 9EBA2D25-BBE3-4AC2-A2C6-C87F44A1278C. The bytes we want to grep for are 5343424F, the SCBO magic value. It allows us to grep files for specific byte sequences, an extremely useful feature to locate binary data. Turn on the customerâs computer while pressing and holding the Option key. Insert the Flash drive into the customerâs computer. Drag the binary file named âSCBOâ to your Desktop.Cp ~/Desktop/SCBO /Volumes/Firmware/.SCBOCp ~/Desktop/SCBO /Volumes/Firmware/._SCBO Name it Firmware (note: doesnât really need to be Firmware!). Format a Flash drive GUID partition scheme and Mac OS Extended format. Snare created ida-efiutils, a set of scripts that improve the disassembly output by trying to rename function pointers, offsets, and structures. SCBO filename that is copied into the flash drive is referenced in the strings, althought IDA is unable to find any string references to it (IDA bug? most probably!).Reversing (U)EFI binaries is quite annoying because every external function is a function pointer, so the disassembly output is not very clear and needs some assistance to improve it. If we look at the strings of current disassembled binary we can see we are on the right track.The. ![]() SCBO_0000 variable is set succcessfully then the system will be reset via ResetSystem service.The event notification code can be found at start(). The variable can be observed in NVRAM when a new password is set, changed, or removed by Firmware Password Utility. This GUID is not unique to this variable and it is used for other variables, e.g. Any video downloader for macThis means we are on the right track.Now Iâm just rewriting the story, because what I initially did before starting to reverse everything was to use Trammellâs infinite loop trick on each function of 75FAB4B4-6AC1-429A-A000-6B0B95E71CA1 protocol, and after finding the interesting ones I patched them to return zero and found out which function verifies the password, the first one from the protocol.
0 Comments
Leave a Reply. |
AuthorTim ArchivesCategories |