I just noticed an old article and tool by Kooftness, for brute-forcing the (or an) Apple EFI firmware password. As I understand the article, the original code didn’t generate results while they had access to the laptop, but since then the code has been revised (7 months ago) and others claim success with the code. I am unclear if this is a 3rd party PIN tool or the main Apple Firmware Password feature.
These Teensyduino sketches (for Teensy embeded boards) and shell scripts are tools to bruteforce EFI or iCloud locks.
Recently I got my hands on a MacBook Pro that after three weeks of being bought the seller desided that he wanted it back. He expressed this by locking it with a 4 digit PIN and a message that stated “Give me back the laptop and give you back the money”, with out calling or anything. […] I was told that an alternative solution would be to get a fresh MBP, extract its firmware and flash it using a PIC programmer. He also told me that there are ways to get around this attacking the thunderbolt port but these two options have a high risk in bricking the $2.000 laptop. […] I have received confirmation that this code is working, as we can see in this thread at MacRumors […]
http://orvtech.com/atacar-efi-pin-macbook-pro-en.html
https://github.com/Kooftness/efi_bruteforce
https://github.com/Kooftness/efi_bruteforce/blob/master/efi_attack_modifyed
https://support.apple.com/en-us/HT204455
https://support.apple.com/en-us/HT203409
“If you can’t remember the firmware password for your Mac, schedule a service appointment with an Apple Retail Store or Apple Authorized Service Provider.”
It appears that any current/former Apple Store “genius” can most likely bypass the Apple Firmware Password protection. 😦 I suppose any vendor who can reset the PIN can use it like the above merchant, to blackmail the customer for access to their device.
I look forward to seeing the results of LegbaCore working at Apple …though I am afraid that their new models will become less configurable, more like modern Windows boxes, unable to run anything but Apple-approved OSes and pre-OS code (eg, rEFInd).
Firmware Security 