Erasing firmware password

On some occasions, like myself, you may be forgetful, and forget what you set your bootup ("firmware") password to. Unfortunately for you, if you boot in recovery mode using Command-R, it still wants you to remember your original password to erase the old one. 

The proper way to do this is to take the computer to Apple with proof of purchase and they will do it for you. However, if like me you only buy their much older machines due to their upgradability, you may find that you don't have proof that you bought it in an apple store, e.g. second hand, or you lost the proof years ago. So, how do you reset it? The answer unfortunately, is with great difficulty. This blog page tells you how.

Please note that I disclaim responsibility for the below - if you blow up your Macbook it's your fault. Do not follow these instructions.

I followed these:

https://blog.wzhang.me/2017/10/29/removing-mac-firmware-password-without-going-to-apple.html

However, they are not 100% clear on all points. Hence, the below clarifies what he means. The below are not instructions intended for you to follow.


1. Software install

Software install 

sudo su 

apt-get install flashrom

reboot while plugged in to make sure the Pi creates the /dev/ devices to talk to the chip.

modprobe spi_bcm2835

You should see a device called spidev inside /dev/, like so:

ls -al /dev/spidev*

if you see two devices, your chip is probably the newer one, e.g. spidev0.1

2. The electronics components required: 

Each resistor must be 150 ohms, not all of them in sum. Total resistance must be 150 x 4 = 600 ohms. The capacitor is 47 uF (microfarads) but can be higher, e.g. 100 uF.  You also need male/female wires to connect the Pi to the breadboard and you need male/male wires to connect the breadboard to the clamp.

3. Which wire to join to which. 

The diagram that Zhang provides is not clear, this diagram is clearer.


The lines to plug the wires in are as follows:

a. Grey - to pin 1 on the clamp. To pin 24 on the Raspberry Pi.
b. Green - to pin 2 on the clamp. To pin 21 on the Raspberry Pi.
c. Red - to pins 7, 8 and 3 on the clamp. To pin 17 on the Pi. Obviously, pins 7 and 8 on the clamp go first to the "breadboard" as shown above, then through the capacitor, then to the red input line from pin 17 (power source).
d. Black - to pin 4 on the clamp. To pin 25 on the Pi.
e. Blue - to pin 5 on the clamp. To pin 19 on the Pi.

f. Purple - to pin 6 on the clamp. To pin 23 on the Pi.

To explain the above: pins 1, 2, 5 and 6 are data lines of sorts. Pins 3, 7 and 8 are power lines (positive). Pin 4 is negative/ground. 

The pins are numbered starting on the opposite side of the Pi's ethernet/USB plug sockets, so pin 1 and 2 are the two furthest pins. If you face the Pi away from you with the USB towards you, pin 1 is the first on the left and pin 2 is the first on the right. Even pins on the right, odd pins on the left.

The clamp pin holes are numbered top to bottom in a backwards-C shape (clockwise):

1  2  3  4

8  7  6  5

Ignore the pencil diagram a the bottom, it is wrong.

if the square end of the clamp cable is pointing towards you. Take the red-marked cable going into the clamp as 1, and go from there clockwise.

The above image may be incorrect, if in doubt, swap 7,8 and 5,6.

The final setup looks like this: Orange are pins 7,8 in series with the capacitor. Also note the long leg of the capacitor / stripe is the plus side which must be opposite the red line / on the red line.


4. Verify you have the right wiring

You can verify each pinout from the Raspberry pi using an LED, to make sure the lines are active and the circuit has electricity. 

Edit a new python script, called, for example, blink_led.py, and put the following code in it. If you change the value of "mypin" below it will allow you to send a signal down the pins. Note you can't test 17, 25 and 6 as those are live lines which always have power. In the below code you can omit the comments (#). Note that in python the indents with tab are important. To exit this code after running it, hit control-C.  You'd run it with 

        python blink_led.py 

import RPi.GPIO as GPIO    # Import Raspberry Pi GPIO library

from time import sleep     # Import the sleep function from the time module


mypin=23   # cant use 17, 25, 6 it is reserved

print "using pin"+str(mypin)


GPIO.setwarnings(False)    # Ignore warning for now

GPIO.setmode(GPIO.BOARD)   # Use physical pin numbering

GPIO.setup(mypin, GPIO.OUT, initial=GPIO.LOW)   # Set pin to be an output pin and set initial value to low (off)

while True: # Run forever

    GPIO.output(mypin, GPIO.HIGH) # Turn on

    sleep(1)                  # Sleep for 1 second

    GPIO.output(mypin, GPIO.LOW)  # Turn off

    sleep(1)                  # Sleep for 1 second

But be sure to put about two resistors inline with the LED or it will blow. (300 ohms at least). The following photo shows you how to wire the breadboard with one LED to test a single line. Move the red line from one pin to the next to test each one to make sure you are getting power out of it.


5. Verify the clamp is seated properly

When you clip the clip onto the motherboard chip, you must make 100% sure it is seated properly first. The chip is the one with 8 legs, quite large (not microscopic). On a 15" macbook it is UNDER the motherboard (hidden, you have to unscrew the whole board). On a 13" macbook it is visible by just removing the back cover. ALWAYS make sure the battery is removed/unplugged first.

Clamp like so:


Once you are sure it is all perfect, first test if the chip is there with 

flashrom -V -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 

This will give you your chip model name.


If you get a "eeprom not found" error as hown below it means your clamp is wrong or your wiring to the clamp is wrong. 


To test the seating, you can also use a multimeter. Put it onto 20V to measure the max 3.3V that should be coming from the Pi. Touch the BLACK cable onto the black cable from the Pi, and the red point - VERY carefully, onto pins 7,8, which should be facing you on the underside of the clamp. They should read 3.3V. Picture below shows how to wire the black wire from your voltmeter to the breadboard. Note how it's taped down onto a wire which is inserted into the black line in the bottom right corner of the breadboard.




6. Taking a copy

Now you shouild be ready to take a copy.

To get a copy of the chip, try:

flashrom -r read1.bin -c "MX25L6506E" -V -p linux_spi:dev=/dev/spidev0.0,spispeed=8000

the entry "spispeed" tells the Pi how fast to read the chip.
If you find that later on the md5sums don't match, try go down to spispeed=1000.

Note that the item "N25Q064..3E" is the chip model. I found that my chip was in fact "MX25L6406E/MX25L6408E".

7. Checking the copy size/integrity

I suggest you take at least two copies to make sure the clamp isn't loose and data is being copied off, accurately.

flashrom -r read1.bin -c "MX25L6506E" -V -p linux_spi:dev=/dev/spidev0.0,spispeed=8000

flashrom -r read2.bin -c "MX25L6506E" -V -p linux_spi:dev=/dev/spidev0.0,spispeed=8000

You can use 

ls -al *.bin

to check the block sizes of all copies you make of the chip, in particular, after you have edited it, you must make sure it is the same size (although the md5sum will differ).
In my case, the image of the chip was 8mb in size.

md5sum *.bin 

should return the same answer for every original copy of the chip.

8. Now do the edit on the image file of the chip:

When you remove the password by editing the hex dump, you can edit it on the Raspberry but use hexedit. There is a graphical app Ghex which doesn't seem to allow copy/paste to work properly or as expected, so you have to learn to use hexedit. Basically, as a clue:

  • tab switches you between sides (the "rendered" side of the screen and the raw hexadecimal)
  • as you type, it will change both sides of hexedit. You want to be in the "hex" side to type FF (255 in decimal) over the password. The passwords (there are two), commence directly after the string $SVS and end just before a batch of FF FF FFs. You must replace them using the exact same number of FFs, so just hold down F until you reach the FF FF FF part. If there are some 00s inside the password, ignore that, overwrite them with FFs. It should require about 300 FFs to overwrite the first password.
  • To search for $SVS, type a forwardslash when you are on the rendered side (not the hex side). There are two instances, and the second one only has about 100 FFs that are needed after it.
  • Oh, important because this is one of the things that's not clear: LEAVE the $SVS intact.
  • When you exit with control-X it will ask you if you want to save.

Suggest you call it newimage.bin

The picture below is of Ghex, I found it was too hard to use, ironically.


Once you have edited the file, saved it, and verified that it is exactly the same size as the original file, you can erase the chip and copy your edited version in place.

9. To erase the chip: WARNING: MAY TURN YOUR LAPTOP INTO A BRICK.

flashrom -E -V  -c "N25Q064..3E" -p linux_spi:dev=/dev/spidev0.0,spispeed=8000

Obviously, if your chipset is not N25... whatever, you must use the right chip identifier name.

10. To copy in the new image of the chip: WARNING: MAY TURN YOUR LAPTOP INTO A BRICK.

flashrom -w newimage.bin -V -c "N25Q064..3E" -p linux_spi:dev=/dev/spidev0.0,spispeed=8000

if it worked, it will look like this: note the "write done" comment at the bottom.


11. If it failed, that is, if your laptop doesn't boot, then copy the original chip image back:

flashrom -w read1.bin -V -c "N25Q064..3E" -p linux_spi:dev=/dev/spidev0.0,spispeed=8000


Here are some more links on EFI/SMC:

https://discussions.apple.com/thread/4855319

https://support.apple.com/en-gb/HT201518#mbp

https://superuser.com/questions/973693/how-to-recover-corrupted-macbook-pro-smc-firmware

https://www.insanelymac.com/forum/topic/299811-readsmc-for-efi-a-tool-to-enter-read-smc-keys-from-efi-shell-on-real-macs/?page=3

Popular posts from this blog

Chunk validation failed

When installing Mac OS from the command-R internet recovery boot up, you can use command-L to show the logs. Sometimes you will find that the installation does not happen and you see an error "Chunk validation failed". Apparently this means your SATA cable or hard drive is faulty.  https://apple.stackexchange.com/questions/258522/mountain-lion-reinstall-failure
Read more

The most useful defaults-write options

The following are really useful options to set system-wide for Mac OS X. I'd suggest reading them to guess what they do. You should be able to safely run all of them except the first one which tells spotlight (the search function) to ignore any attached drives forever. If you find that drives take a long time to unmount (eject), then usually it is because spotlight is indexing them (reading them in their entirety) to see what they contain. Hence if you find a disk doesn't want to eject, turn off spotlight for that drive. sudo defaults write /.Spotlight-V100/VolumeConfiguration Exclusions -array "/Volumes" defaults write com.apple.dock springboard-columns -int X defaults write com.apple.dock springboard-columns -int 10 defaults write com.apple.dock springboard-rows -int 7 defaults write com.apple.dock springboard-rows -int 5 defaults write com.apple.dock springboard-rows -int 5 springboard-columns -int 10 defaults write com.apple.dock springboard-rows -int X defaults w
Read more