Cracking the EFI Password on a MacBook
A little over a week ago, I stumbled across an interesting listing on Kleinanzeigen (essentially the German Craigslist). It was a used 2017 12" MacBook with an EFI password lock, being sold at a pretty good price.
Naturally, I couldn’t resist, so I went ahead and bought it. A few days later, it arrived.
The MacBook was running macOS Ventura, but the EFI password lock was preventing me from doing much of anything. I couldn’t boot into the OS or make changes, so I decided to get a little creative.
Brute-Forcing the EFI Password
Like any reasonable tech enthusiast, the first thing I did was try a few common passwords. After a couple of minutes, I said, “screw this,” and decided to take a more direct approach.
Reading the EFI Using a Programmer
I ended up buying a programmer (probably overpaid for it, but oh well). Once it arrived, it was time to open up the MacBook. After exposing the internals (using my trusty iFixit toolkit), I connected the programmer to the debug connector and read the ROM.
With the ROM dump now ready, I used MacEFIToolkit to reset the password. Afterward, I flashed the modified ROM back onto the MacBook, reset the PRAM, and installed a fresh copy of macOS.
Lessons Learned and the Final Result
For around €100, I now have a fully functioning MacBook that’s decent for everyday tasks. Whether I keep it or sell it remains undecided.
One piece of advice: be careful when disassembling the MacBook. I managed to damage the trackpad cable during the process, which was a bummer. So, if you’re attempting this yourself, go slow!