This is the string Apple support needs, and this is the same string we see inside the SCBO file. To obtain the necessary information, you must hold SHIFT + CONTROL + OPTION + COMMAND + S on the firmware password prompt screen and a string will be generated. How are the SCBO files generated? #Īs previously mentioned, Apple support is able to generate these files after you provide some key information. The rest of the string and binary data that follows are unknown for now.
This information can be verified because part of this string can be found in the motherboard of each Mac (my sample is only composed of MacBooks but I guess iMacs and others will contain the same information). It appears to be some kind of serial number. A couple of bytes later and we see another string. The SCBO string is clearly visible in the first four bytes, which is a magic number ( 0x4F424353). This picture shows us the full contents of the sample file. The sample file can be downloaded here SCBO_original.zip. So let’s start another EFI reversing engineering adventure…Īt the time I could only find a single SCBO file on the Internet, which is bad (impossible to visualise differences between files) but better than no file at all. Understanding how SCBO files work in the first place was also intriguing. If this were true, it would imply that Apple’s EFI contains a significant vulnerability. The core question I wanted to answer was if it was really possible for someone to build a SCBO file key generator. Upon my return from SyScan360 Singapore, I needed a new research direction to kickstart my brain back into work, and this fit the bill. Since there was (stil holds true) virtually no information about the SCBO contents, this aroused my curiosity but I never followed up until now. There are videos (in Portuguese but you can watch the whole process) of people claiming this works, and even some claims about an universal SCBO that unlocks multiple Macs. Things got more interesting when I found a website that allegedly sold the SCBO files – just send them the necessary hash (more on this later), pay USD100, and get a working SCBO file in return. Since I don’t have the original sales receipt of this specific Mac, I assume this option isn’t possible, since anyone with a stolen Mac could get the password reset. The normal process workflow is to first contact Apple support. My preliminary research found references to a “magical” SCBO file that could be loaded onto a USB flash drive and booted to remove the password. My original goal when I started poking around Apple’s EFI implementation was to find a way to reset a MacBook’s firmware password.
0 kommentar(er)
