2020-19-11 Bypassing Macbook Air Firmware Passwords xkp
========================================================================

DISCLAIMER: I DID THIS ON MY 2015 MACBOOK AIR. I KNOW WHAT I'M DOING. YMMV, AND IF YOU BRICK YOURS IT'S NOTHING TO DO WITH ME. ALSO NO, I WILL NOT FIX YOUR COMPUTER FOR YOU.

It started with a phone call. It always starts with a phone call. This phone call was to Apple's support line. After an hour of waiting I was put through to someone who was supposed to help me. I say supposed; they didn't.

Years ago, my partner's laptop was part of a standard build at work. As part of that build we put a firmware password on the laptop to stop anyone booting it from an external device. It had slowed over 5 years of upgrades, and rather than go to Big Sur we thought we'd try ElementaryOS. The password was long gone, lost in a long-expired PGP archive somewhere. Trying to boot to recovery mode or from USB just asked for a long-forgotten password.

On the phone the gentleman pretended to try to be helpful, but wanted me to travel an hour to a specific Apple Store rather than my local one to do a physical verification of ownership, in the middle of a national COVID lockdown. Alternatively, an authorised partner could have the laptop couriered to them and they could do the verification. How someone is supposed to do a physical verification with a couriered laptop I don't know. What I do know is that it was possible to remove the password, but Apple's business policies presented me with unworkable options. As such, my business policies preclude me from buying Apple products from now on.

I'm a hacker, I hack stuff. I decided I would find the code that handles the password and fix it myself.

gopher://republic.circumlunar.space/I/~xkp/img/1_connector.jpg

The first thing was to identify how I could dump the chip. Thankfully the A1466 Macbook Air has a small 12dp connector that hooks into the BIOS firmware chip's SPI interface.
Using this and a CH341a programmer I was able to dump the chip ID and information. A bit of googling and I had a dump of the Macbook Air's EFI firmware.

gopher://republic.circumlunar.space/I/~xkp/img/2_programmer.jpg

I used a dodgy tool called CH341a programmer. I could've used flashrom instead, but most of the stuff I found online used the CH341a tool. First I clicked on "detect" next to "chip search". Then I whittled down the options to the MX25L6473E, then "read" and "save".

EFI is a complicated system used to manage bootup. Thankfully I was able to use UEFITool to inspect the firmware in depth.

https://github.com/LongSoft/UEFITool

gopher://republic.circumlunar.space/I/~xkp/img/3_UEFITool.png

This let me dump out EFI binaries that I could then load into Radare for reversing. Part way through this process I came across a dear friend's excellent writeup:

https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/

gopher://republic.circumlunar.space/I/~xkp/img/4_hexedit-dec-1-byte.png

Using this as a map while looking through the code, I was able to find the password routines he'd found, and also the variables that could be patched to fix them. Surprisingly, one variable, 3E6D568B, resets the NVRAM to a default state if it is not present.

gopher://republic.circumlunar.space/I/~xkp/img/5_reflashing.png

I found the 3E6D568B reference and changed it to 3E6D568A with a hex editor. I flashed the binary back onto the Macbook Air and the password was gone! Again I used CH341a programmer, this time just loading the new firmware in and hitting "auto".

gopher://republic.circumlunar.space/I/~xkp/img/6_recovery.jpg

Moral of the story: just because a company has a policy doesn't mean your general purpose computer can't general purpose compute. Don't let other people tell you what you can and can't do with your hardware.
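The dump-and-inspect step above is where a practitioner most wants a sanity check: that the SPI read is stable, that the image actually contains the UEFI firmware volumes UEFITool expects, and, after a hex edit, that only the intended byte differs between the original and the image about to be flashed back. The script below is an added example, not the author's tooling and not part of UEFITool. It parses EFI_FIRMWARE_VOLUME_HEADER structures by their "_FVH" signature (header layout and the FFSv2 file-system GUID are the EDK2 values), verifies each header's 16-bit checksum, and diffs two images byte for byte. The sample image with two firmware volumes is constructed in code so the script runs with no programmer attached; on a real dump you would pass the file read from the MX25L6473E instead.

```python
"""Constructed example: locate UEFI firmware volumes in an SPI flash dump and
diff two dumps byte-for-byte.  Not the author's tooling; the sample image is
built in code so the script runs without a programmer attached."""
import hashlib
import struct
import uuid

FVH_SIGNATURE = b"_FVH"
FVH_SIGNATURE_OFFSET = 0x28   # Signature field lives 40 bytes into the header
FVH_FIXED_SIZE = 56           # header bytes before the variable-length block map

# GUID of the FFSv2 file system found in most UEFI firmware volumes (EDK2 value).
EFI_FIRMWARE_FILE_SYSTEM2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")


def _sum16(data: bytes) -> int:
    """16-bit little-endian word sum, as used by the FV header checksum."""
    if len(data) % 2:
        data += b"\x00"
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF


def parse_fv_header(image: bytes, base: int):
    """Parse an EFI_FIRMWARE_VOLUME_HEADER at `base`; None if it is not sane."""
    if base < 0 or base + FVH_FIXED_SIZE > len(image):
        return None
    fv_length, sig, attrs, hdr_len, _csum, ext_off, _rsvd, rev = struct.unpack_from(
        "<Q4sIHHHBB", image, base + 32)
    if sig != FVH_SIGNATURE or hdr_len < FVH_FIXED_SIZE or hdr_len > fv_length:
        return None
    if base + fv_length > len(image):
        return None
    header = image[base:base + hdr_len]
    block_map = []
    for off in range(FVH_FIXED_SIZE, hdr_len - 7, 8):
        num_blocks, length = struct.unpack_from("<II", header, off)
        if num_blocks == 0 and length == 0:   # terminator entry
            break
        block_map.append((num_blocks, length))
    return {
        "base": base,
        "fv_length": fv_length,
        "header_length": hdr_len,
        "revision": rev,
        "attributes": attrs,
        "ext_header_offset": ext_off,
        "fs_guid": uuid.UUID(bytes_le=image[base + 16:base + 32]),
        "block_map": block_map,
        # A header whose 16-bit words sum to zero (mod 2^16) has a valid checksum.
        "checksum_ok": _sum16(header) == 0,
    }


def find_firmware_volumes(image: bytes) -> list:
    """Scan for the _FVH signature and return every header that parses."""
    volumes = []
    pos = image.find(FVH_SIGNATURE)
    while pos != -1:
        vol = parse_fv_header(image, pos - FVH_SIGNATURE_OFFSET)
        if vol is not None:
            volumes.append(vol)
        pos = image.find(FVH_SIGNATURE, pos + len(FVH_SIGNATURE))
    return volumes


def compare_images(before: bytes, after: bytes) -> list:
    """Return (offset, old_byte, new_byte) for every byte that differs."""
    if len(before) != len(after):
        raise ValueError("dumps differ in size: %d vs %d" % (len(before), len(after)))
    return [(i, a, b) for i, (a, b) in enumerate(zip(before, after)) if a != b]


def image_digest(image: bytes) -> str:
    """SHA-256 of the whole image, for recording which dump you analysed."""
    return hashlib.sha256(image).hexdigest()


def build_fv(fv_length: int, blocks: list) -> bytes:
    """Build a valid FV header plus erased (0xFF) body; constructed test data."""
    hdr = bytearray(16)                                  # ZeroVector
    hdr += EFI_FIRMWARE_FILE_SYSTEM2_GUID.bytes_le       # FileSystemGuid
    block_map = b"".join(struct.pack("<II", n, l) for n, l in blocks)
    block_map += struct.pack("<II", 0, 0)                # terminator entry
    hdr_len = FVH_FIXED_SIZE + len(block_map)
    hdr += struct.pack("<Q4sIHHHBB", fv_length, FVH_SIGNATURE, 0x0004FEFF,
                       hdr_len, 0, 0, 0, 2)              # checksum 0 for now
    hdr += block_map
    struct.pack_into("<H", hdr, 50, (-_sum16(bytes(hdr))) & 0xFFFF)
    return bytes(hdr) + b"\xff" * (fv_length - hdr_len)


def make_sample_image() -> bytes:
    """Two firmware volumes with erased padding around them (constructed)."""
    return (b"\xff" * 0x100 + build_fv(0x1000, [(1, 0x1000)])
            + b"\xff" * 0x80 + build_fv(0x800, [(2, 0x400)]))


if __name__ == "__main__":
    img = make_sample_image()
    print("sha256", image_digest(img))
    for v in find_firmware_volumes(img):
        print("FV @0x%06x len 0x%x hdr %d checksum_ok=%s" % (
            v["base"], v["fv_length"], v["header_length"], v["checksum_ok"]))
```

Reading the chip twice and checking that compare_images on the two reads returns an empty list is the cheap way to know the dump is stable before trusting anything UEFITool or Radare shows you; a flaky CH341a connection produces dumps that look fine but differ in scattered bytes. Running it on the original and edited images before reflashing confirms the hex editor changed exactly the one byte you meant and nothing else.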