It's complicated and involves editing firmware code

Jun 25, 2016 23:10 GMT

A security engineer who goes by the name of fG!, specialized in Mac security and reverse engineering, has found a way to reset a Mac's firmware password without help from Apple's support team.

Apple allows iMac and MacBook users to set a password for their firmware so that no intruder can go in there and change core device settings.

Apple helps authorized users reset their firmware password

Just like any password, users tend to forget it once in a while. In case this happens, users can call Apple Support, and during boot-up, they're guided through the process of pressing five keys simultaneously [SHIFT + CONTROL + OPTION + COMMAND + S] to make a long code appear on their screen.

Users give this code to Apple's staff, and they receive back an SCBO file, which they can then put on a USB flash drive they insert into their device, and they can thus remove the password.

This is all fine and dandy, but only if you can prove ownership of your device with the original sales receipt. If you can't, then you're left on your own.

Crooks are selling SCBO files online for $100

fG! says he discovered shady online services that were providing SCBO files, but for a fee of $100. Since trusting these kinds of services and running mysterious code on his laptop did not seem like a good idea, the researcher set out to find out how SCBO files and Apple's EFI (Extensible Firmware Interface) worked, and whether he could find a way to bypass this process.

You can read the step-by-step reverse engineering process on fG!'s personal blog, but the good news is that he managed to find a way to do it. Below are the researcher's findings:

  My work helped me determine that the EFI variable that contains the firmware password information is 'CBF2CC32.'  

  If you have a SPI flasher and want to remove an Apple EFI firmware password, what you need to do is to dump the flash contents, remove the 'CBF2CC32' variable (you just need to flip a single bit on its name for example), and reflash the modified firmware. Or just locate the variable and erase or modify it directly without reflashing the whole contents.  

  There is also another way to do this. The '3E6D568B' variable is special because if you remove it, the NVRAM will be reset to a default state where the firmware password is not set anymore.  
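The findings above name two EFI variables. As an added example (not fG!'s code, not Apple's, and not a model of Apple's real NVRAM store layout), the script below shows the defender's side of this: auditing an SPI flash dump for the presence of those variables and flagging a dump in which a variable that existed in a known-good baseline has gone missing, which is exactly what the tampering described above would look like. EFI variable names are CHAR16 strings, so the scan searches for their UTF-16LE encoding; the dumps are constructed byte blobs with an assumed simplified "name, NUL, data, padding" layout.

```python
# Added example, not code from the article or from fG!. It audits a firmware
# dump for the EFI variable names quoted in the article. The dump layout used
# here (UTF-16LE name + NUL + data + 0xFF padding) is an assumption for the
# demonstration; a real Apple NVRAM store has headers, GUIDs and attributes
# that are not modelled.

FIRMWARE_PASSWORD_VAR = "CBF2CC32"   # variable named in the article
NVRAM_RESET_VAR = "3E6D568B"         # variable named in the article
WATCHED_VARS = [FIRMWARE_PASSWORD_VAR, NVRAM_RESET_VAR]


def find_variable_names(dump: bytes, names) -> dict:
    """Map each variable name to the offset of its UTF-16LE encoding in the
    dump, or None when the exact name is not present."""
    result = {}
    for name in names:
        needle = name.encode("utf-16-le")
        offset = dump.find(needle)
        result[name] = offset if offset != -1 else None
    return result


def nvram_tampered(baseline: bytes, current: bytes, names) -> list:
    """Names that were present in the known-good baseline dump but are absent
    from the current dump. A flipped bit in a name, or an erased variable,
    both show up here because the exact encoded name no longer matches."""
    before = find_variable_names(baseline, names)
    after = find_variable_names(current, names)
    return [n for n in names if before[n] is not None and after[n] is None]


def build_constructed_dump(variables) -> bytes:
    """Constructed stand-in for a variable store: 16 bytes of erased flash
    (0xFF), then each variable as UTF-16LE name, double-NUL, data, padding."""
    blob = b"\xff" * 16
    for name, data in variables:
        blob += name.encode("utf-16-le") + b"\x00\x00" + data + b"\xff" * 8
    return blob


# Constructed known-good dump: both variables present with dummy payloads.
BASELINE = build_constructed_dump([
    (FIRMWARE_PASSWORD_VAR, b"\x01\x02\x03"),
    (NVRAM_RESET_VAR, b"\xaa"),
])

# Constructed dump taken after the machine came back with no firmware
# password set: the password variable is simply no longer there.
SUSPECT = build_constructed_dump([
    (NVRAM_RESET_VAR, b"\xaa"),
])


def audit(baseline: bytes, current: bytes) -> str:
    """Human-readable verdict for an incident responder comparing two dumps."""
    missing = nvram_tampered(baseline, current, WATCHED_VARS)
    if not missing:
        return "OK: watched EFI variables intact"
    return "TAMPERED: missing variables " + ", ".join(missing)


if __name__ == "__main__":
    print(find_variable_names(BASELINE, WATCHED_VARS))
    print(audit(BASELINE, BASELINE))
    print(audit(BASELINE, SUSPECT))
```

In practice the baseline dump is one you took from the machine yourself while the firmware password was known to be set, and the comparison is run on a dump taken afterwards; the script only tells you that a watched variable no longer matches, not why.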

Is Apple Support compromised?

Furthermore, the researcher also discovered that there was no way to generate an SCBO file without having access to Apple's private encryption keys.

The online services that were selling SCBO files were obviously fake, or downright illegal.

  So what is happening with all those videos and people claiming they were able to buy SCBO files from websites? My bet is that these guys somehow are able to submit illegitimate requests to Apple’s support system and then sell the SCBO files they receive for some nice fat profit. These could be insiders working at Apple support centers or even Apple itself. Only Apple has a real chance to investigate and track the source of these files.  

Remember that story from February? When the press discovered that hackers were offering Apple employees in Ireland thousands of euros for their enterprise passwords? We now may know why crooks are willing to pay so much for Apple employee credentials.

Warning: If it ever gets to the point of having to reset your firmware password, please consult a specialist before attempting any of the advice described in this article.