My preliminary research found references to a magical SCBO file that could be loaded onto a USB flash drive and booted to remove the password. The normal process workflow is to first contact Apple support. Since I don't have the original sales receipt for this specific Mac, I assume this option isn't possible, since otherwise anyone with a stolen Mac could get the password reset.

Things got more interesting when I found a website that allegedly sold the SCBO files: just send them the necessary hash (more on this later), pay USD 100, and get a working SCBO file in return. There are videos (in Portuguese, but you can watch the whole process) of people claiming this works, and even some claims about a universal SCBO that unlocks multiple Macs. Upon my return from SyScan360 Singapore, I needed a new research direction to kickstart my brain back into work, and this fit the bill. If this were true, it would imply that Apple's EFI contains a significant vulnerability. Understanding how SCBO files work in the first place was also intriguing.

The sample file can be downloaded here: SCBOoriginal.zip (SHA256(SCBOoriginal) = fad3ea1c8ffa710c243957cc834ac1427af0ea19503d9fc7839626f6cac4398b). The SCBO string is clearly visible in the first four bytes; read as a 32-bit little-endian integer this is the magic number 0x4F424353. This information can be verified because part of this string can be found on the motherboard of each Mac (my sample is only composed of MacBooks, but I guess iMacs and others will contain the same information). The rest of the string and the binary data that follows are unknown for now.

To obtain the necessary information, hold Shift+Control+Option+Command+S at the firmware password prompt screen and a string will be generated. This is the string Apple support needs, and it is the same string we see inside the SCBO file. I know this because I had already reversed Apple's Firmware Password Utility and observed its communications with the kernel extensions that set the EFI NVRAM variables.

If we set a firmware password on a test Mac, generate the necessary string, and modify the SCBO accordingly, nothing will happen. The computer will process the file and reset the system, but the password isn't reset. This gives us another bit of information: there is some kind of integrity check on the SCBO contents. It would be a surprise if this kind of check weren't implemented and anyone could modify the SCBO contents. So if this is true, then how is someone selling what appear to be fully working SCBO files? We need to dig deeper and reverse the EFI code responsible for processing this file. The initial best clue is the magic value from the SCBO file, since it should be checked somewhere in the code.

I maintain an up-to-date Apple firmware update repository, which you can use to easily download EFI updates or verify the contents of your EFI flash if you fear nation states are attacking you. The great UEFITool can easily extract contents from dumps and SCAP files (to mass-extract all the files, use the UEFIExtract utility instead). You will need UEFITool's newengine branch if you want support for NVRAM partition contents (a super useful feature, thanks Nikolaj).
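As an added example (not code from the original post), the two steps described above can be scripted: validating the four-byte magic of an SCBO file, and searching an extracted EFI module or firmware dump for that same constant in either byte order to find the code that checks it. Only the magic value 0x4F424353 comes from the post; the layout after the first four bytes is unknown and is returned as an opaque payload. The sample file and the sample module blob below are constructed placeholders, not real Apple data.

```python
import struct

# From the post: the ASCII bytes "SCBO" read as a little-endian
# 32-bit integer give the magic number 0x4F424353.
SCBO_MAGIC = 0x4F424353
SCBO_MAGIC_BYTES = struct.pack("<I", SCBO_MAGIC)  # b"SCBO"

# Constructed sample inputs (not a real SCBO file or EFI module).
SAMPLE_SCBO = b"SCBO" + b"\x00" * 4 + b"AAAA-BBBB-CCCC" + b"\xde\xad\xbe\xef"
SAMPLE_MODULE = b"\x00" * 16 + b"SCBO" + b"\x00" * 8 + b"OBCS" + b"\x00" * 4


def parse_scbo_header(data: bytes) -> dict:
    """Check the SCBO magic and split the file into magic and remainder.

    Only the first four bytes are documented by the post; everything after
    them is returned untouched as 'payload' for further analysis.
    """
    if len(data) < 4:
        raise ValueError("file too short to contain the SCBO magic")
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != SCBO_MAGIC:
        raise ValueError(
            f"bad magic 0x{magic:08X}, expected 0x{SCBO_MAGIC:08X}"
        )
    return {
        "magic": magic,
        "magic_ascii": data[:4].decode("ascii"),
        "payload": data[4:],
        "size": len(data),
    }


def find_magic_offsets(blob: bytes) -> list:
    """Return (offset, byte_order) for every occurrence of the SCBO magic.

    A firmware module may embed the constant as an immediate operand in
    either byte order, so both "SCBO" and its reverse "OBCS" are searched.
    Hits point at the code worth reversing first.
    """
    hits = []
    for needle, order in ((SCBO_MAGIC_BYTES, "little"),
                          (SCBO_MAGIC_BYTES[::-1], "big")):
        start = 0
        while True:
            idx = blob.find(needle, start)
            if idx < 0:
                break
            hits.append((idx, order))
            start = idx + 1
    return sorted(hits)


if __name__ == "__main__":
    header = parse_scbo_header(SAMPLE_SCBO)
    print(f"magic 0x{header['magic']:08X} ({header['magic_ascii']}), "
          f"{len(header['payload'])} payload bytes")
    for offset, order in find_magic_offsets(SAMPLE_MODULE):
        print(f"magic found at offset 0x{offset:X} ({order}-endian)")
```

Run against a real extracted module (e.g. output from UEFIExtract), the offsets reported by find_magic_offsets are the places to set a disassembler cursor; the parser only confirms the file is an SCBO and hands the unknown remainder to you for manual inspection.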