ByPass Lost EFI Password for Post 2010 MacBooks

Posted: June 26th, 2016 | Author: | Filed under: EFI, Mac | Tags: , , , | No Comments »

Recently one of my friends encountered a problem (albeit a self inflicted one). My friend has a Macbook Air (late 2010) that was bought used. Unbeknownst to the purchaser, the EFI password had been set and wasn’t given at the time of purchase. Now the problem arises when my friend wants to sell the Macbook Air after years of service to upgrade to something better. You can’t wipe and reinstall the OS with the EFI password set (it won’t boot without the password even the USB or Recovery option) and yes, swapping out the SSD or reinstall MacOS on another machine won’t work either. Apple Store would not reset the EFI password without a proof of purchase (which is reasonable). So I investigated what other possible solutions.

EFI stores the password along with the system settings (e.g. SSD id etc) on a memory chip, which is on the Macbook board. It is probably one of the most out of place chip on the whole board, it is rather big, with 8 thick pins, vs other sleek BGA low profile chips on the Macbook board.

If the Macbook had been purchased second hand with EFI password set and the owner doesn’t have any Apple Store records here are some sensible ways* to bypass it. I am describing the procedure in general as each specific models have their own peculiarities and some not all methods work for all models:
1. Buy an adaptor that allows you to reprogram the EFI chip via the SPI debug port. There are plenty of youtube video demonstrating that. The problem is accessing the chip during the writing process might cook the whole board. I find this solution messy, as you sometimes have to flip over the board to proceed.
2. If you have access to a SMT rework tool, you can desolder the offending chip, dump its content, reprogram a new chip without the password and pop in a new one. It will leave chemical marks on the motherboard. In Canada, the service costs $120&up. That’s the most physically invasive method.
3. Purchase a bypass tool (called a Matt Card by the manufacturer). It is basically a compatible chip that piggy backs off the original EFI chip via the SPI port. It copies the original EFI content when first plugged in, removes the password in that copy and set the chip on the board to read only (via a fuse). The downside is the chip needs to be forever paired to the Macbook in order for the Macbook to boot. Not the most elegant solution, but installing it takes only 10 minutes and most of the time is unscrewing the pentalobe screws of the Macbook Air. It costs roughly $90CAD.

I went with method 3, since it is not my Macbook; I don’t want to be the person to explain to my friend that the Macbook got toasted during repair. As you can see from the picture, The card is a tight fit, but it seems to work well.

Conclusion: The best solution is prevention. If budget allows, always purchase your MacOS devices directly from Apple so your account information is on their system. If your budget is limited and you have to purchase any MacOS devices via non authorized Apple channels (second hand etc), make sure you check to see if EFI password is enabled by pressing Option key during boot up (or any of the combinations listed by Apple). If the screen is like the first picture below, then EFI password is enabled. I recommend not buy the item with the EFI password set.

Here are the pictures of the problem, chip pictures, installation and final results.

Link to Chipmunk International, the manufacturer of the Matt card.

* sensible as in not brute forcing the password, which I don’t think is worth while especially for EFI passwords that are not iCloud PIN locked.

Comments are closed.