Apple EFI firmware passwords and the SCBO myth (opens in new tab)

(reverse.put.as)

177 pointshkr_mag10y ago36 comments

36 comments

29 comments · 8 top-level

dogber110y ago· 6 in thread

Apple is doing a much better job than all the rest of the PC vendors. Even those vendors that I haven't published keygens for [1] have just stupendously unsound bypass mechanisms for BIOS passwords.

[1] https://dogber1.blogspot.com/2009/05/table-of-reverse-engine...

userbinator10y ago

Nevertheless, physical access still means it's game over; and I consider that a feature, not a bug. Given that, it's actually a little amusing that Apple went to all that effort for something that can be defeated with nothing more than a full BIOS reflash.

Sidnicious10y ago

Maybe not so amusing! As far as I know, you’ll need to take the machine apart to reflash it, plus special hardware — because when a firmware password is set, a Mac requires the password to choose a different boot disk.

with this feature, Apple HQ can give a service center the ability to clear a particular firmware password without giving them a universal backdoor (hardware or software).

1 more reply

mrsaint10y ago

Your list is 7 years old and relates to non-EFI bios implementations. It's hardly a valid comparison to a modern Apple bios as looked at here.

dogber110y ago

The bypass algorithms have largely remained unchanged when the industry moved to EFI. Most vendors (Lenovo, Dell, Acer, Asus, Toshiba, Fujitsu, ...) simply wrapped their bypass algorithms into some DXE driver and called it a day.

themartorana10y ago

Seeing Compaq at the top of that table brought me all the way back...

Presario FTW!

yuhong10y ago

I wonder what PCs would be like if Intel bought Compaq in 1991 with people like Rod Canion and Jim Harris staying on. I think they were there when Compaq reverse engineered the IBM PC BIOS for example.

userbinator10y ago· 6 in thread

These could be insiders working at Apple support centers or even Apple itself.

It makes me somewhat happy in a weird way to think that, even in notoriously locked-down and secretive companies like Apple, there are individuals who don't believe in and subvert the company's attempts to have sole control of its products. We have these individuals to thank for schematics, parts, and a lot of other material that feeds the third-party repair industry.

Bluestrike210y ago

I'm not so sure the people selling SCBO files are the ones we'd consider the good guys. Or at least not based on their most likely buyers.

raverbashing10y ago

Correct, they're most likely allowing stolen computers to be used

Makes me wonder if their SCBO generating system is connected to their stolen serial number db (probably not)

1 more reply

Dylan1680710y ago

But these people are just signing password reset tokens. They're not in any way related to the people you're cheering for.

venomsnake10y ago

In every major company there is unofficial price list for "services" in the support departments. Most often they are motivated by good old profit.

eridius10y ago

If there are people inside Apple selling these SCBO files, I don't think they're doing so because they believe in subverting the control Apple has over their products, they're almost certainly just doing it because it's a simple way to make some extra money.

mikeash10y ago

The various iPhone unlock services are a big example of this. As far as I understand it, they all ultimately end up working with insiders who (mis)use the official unlock facility, for a price.

sigjuice10y ago· 5 in thread

TLDR? EFI password protection broken or not?

developer210y ago

Apple has a backdoor for resetting firmware passwords via a special unlock file that must be cryptographically signed using Apple's private key(s).

In theory only Apple employees can sign the unlock files. How many employees have access to sign these unlock files? 10? 100? Every low-level employee? There may be some "bad apple" employees selling the signing of unlock files, some social engineering to trick Apple into providing signed files they shouldn't be, or a vulnerability the researcher has not found that allows attackers to bypass the public-key crypto implementation.

dogma113810y ago

Since it's likely that every apple care center can perform this unlock there is a very good chance that there is a machine in virtually everyone of them that also has a service lab that makes these files.

The number of people that can unlock it is probably quite high, this isn't that different than removing an apple id from the device you need to go to the apple store with the device and proof of purchase and they do it for you.

1 more reply

A1kmm10y ago

Or the money-for-SCBO thing is a scam and you don't actually get a working SCBO. The YouTube video could easily be a fake by the scammer to trick people into thinking that they will work.

totoz10y ago

Yes.

TheTon10y ago

What? That's not what it says at all!

Edit: I guess this is the slightly better answer than simply yes or no:

"If you lost your firmware password you can now reset it yourself as long the SPI flash chip is not the new BGA type (newer Macs are using them but there is a sneaky debug port that can be used for this same purpose!). You just need a device to dump the flash chip, remove the variable and reflash the modified version, or directly remove the variable (I always prefer to full dump and reflash). Of course this information can be used by thieves selling stolen Macs, but given that there are already defeat devices being sold all over the web, this post does not reveal any previously-unknown secrets."

thought_alarm10y ago· 2 in thread

Can someone please cut me to the chase?

__david__10y ago

Apple can create a file to reset the flash password (it does not require tampering with the physical flash chip). This password reset file is RSA signed, so third parties can't create one from scratch unless they have stolen Apple's private key (unlikely), or have contacts inside Apple willing to make the file for them (more likely—all it takes is one unscrupulous employee with access to the reset file generation program).

lisper10y ago

You can work around a Mac firmware lock by reflashing the boot ROM.

SCBO10y ago· 1 in thread

What the hell does SCBO even mean?

kalleboo10y ago

Dunno but Apple's EFI firmware files use the extension SCAP

mschuster9110y ago· 1 in thread

Hmm... what about bugs in the USB / FireWire implementation of the EFI?

Or the good old FireWire DMA trick?

duskwuff10y ago

With the exception of the non-Retina MacBook Pro (which is due to be discontinued any day now), none of Apple's computers have FireWire anymore.

Even when they did, enabling a firmware password disabled FireWire DMA, even after boot. (And I'm not sure it was ever active during preboot.)

joelhaasnoot10y ago

This article is the kind that makes me sit down with a cup of coffee and read it top to bottom, even though I don't understand all of the low-level assembler details (but it's understandable without that). Security is important for everyone, not just security researchers.

kalleboo10y ago

I wonder if we can expect this to change if Apple add a TouchID reader (and accompanying Secure Enclave) to the next generation of MacBooks

j / k navigate · click thread line to collapse

36 comments

29 comments · 8 top-level

dogber110y ago· 6 in thread

Apple is doing a much better job than all the rest of the PC vendors. Even those vendors that I haven't published keygens for [1] have just stupendously unsound bypass mechanisms for BIOS passwords.

[1] https://dogber1.blogspot.com/2009/05/table-of-reverse-engine...

userbinator10y ago

Sidnicious10y ago

with this feature, Apple HQ can give a service center the ability to clear a particular firmware password without giving them a universal backdoor (hardware or software).

1 more reply

mrsaint10y ago

Your list is 7 years old and relates to non-EFI bios implementations. It's hardly a valid comparison to a modern Apple bios as looked at here.

dogber110y ago

themartorana10y ago

Seeing Compaq at the top of that table brought me all the way back...

Presario FTW!

yuhong10y ago

userbinator10y ago· 6 in thread

These could be insiders working at Apple support centers or even Apple itself.

Bluestrike210y ago

I'm not so sure the people selling SCBO files are the ones we'd consider the good guys. Or at least not based on their most likely buyers.

raverbashing10y ago

Correct, they're most likely allowing stolen computers to be used

Makes me wonder if their SCBO generating system is connected to their stolen serial number db (probably not)

1 more reply

Dylan1680710y ago

But these people are just signing password reset tokens. They're not in any way related to the people you're cheering for.

venomsnake10y ago

In every major company there is unofficial price list for "services" in the support departments. Most often they are motivated by good old profit.

eridius10y ago

mikeash10y ago

The various iPhone unlock services are a big example of this. As far as I understand it, they all ultimately end up working with insiders who (mis)use the official unlock facility, for a price.

sigjuice10y ago· 5 in thread

TLDR? EFI password protection broken or not?

developer210y ago

Apple has a backdoor for resetting firmware passwords via a special unlock file that must be cryptographically signed using Apple's private key(s).

dogma113810y ago

1 more reply

A1kmm10y ago

Or the money-for-SCBO thing is a scam and you don't actually get a working SCBO. The YouTube video could easily be a fake by the scammer to trick people into thinking that they will work.

totoz10y ago

Yes.

TheTon10y ago

What? That's not what it says at all!

Edit: I guess this is the slightly better answer than simply yes or no:

thought_alarm10y ago· 2 in thread

Can someone please cut me to the chase?

__david__10y ago

lisper10y ago

You can work around a Mac firmware lock by reflashing the boot ROM.

SCBO10y ago· 1 in thread

What the hell does SCBO even mean?