Using the EFI PIN BLASTER
www.TricksWithBits.com
EFI PIN BLASTER v3.x manual ©2016 trickswithbits.com

Using the EFI PIN BLASTER version 3.x

The EFI PIN BLASTER version 3 is our latest brute-force EFI PIN code finder. It is the tool you need when you have forgotten your EFI PIN and locked yourself out of your Mac. It is very easy to use, and completely plug-and-play. Once it has found the right code it will beep to let you know, and show you the found PIN on its LCD display.

Starting with version 3.0 the EFI PIN BLASTER is suitable for both 4-Digit and 6-Digit PIN codes. It works on all Mac models, also on 2015 and 2016 models!

[Figure: The EFI PIN BLASTER v3]

To get started there are just a few simple steps to follow, which are explained below:

STEP 1:
Select the operating mode using the four small DIP switches on the front of the device according to the instructions below:

SWITCH 1: 4-DIGIT OR 6-DIGIT PIN MODE
SW1 controls the PIN mode that is used for the attack. When set to the OFF position the device will try all possible combinations for a 4-Digit PIN (0000…9999). When set to the ON position it will switch to the 6-Digit PIN mode and try every 6-Digit combination (000000…999999). Most EFI locked Macs are protected with a 4-Digit PIN, so the default setting for this switch is OFF.

SW1: OFF = 4-Digit PIN mode
     ON  = 6-Digit PIN mode

Note: Apple limits the speed at which you can try different PINs by implementing a delay before the next PIN is accepted. Running all 4-Digit codes can take up to 2 days, and running all 6-Digit codes can take up to 200 days.

SWITCH 2: ENABLE / DISABLE THE DICTIONARY ATTACK
SW2 enables or disables the dictionary attack. The default setting for this switch is OFF (which enables the dictionary attack). With the dictionary attack enabled, the EFI PIN BLASTER will try a list of the most commonly used 4-Digit PINs first.
This is a list of about 25 frequently used PINs, and enabling it might help you find your PIN faster.

SW2: OFF = Dictionary attack enabled
     ON  = Dictionary attack disabled

Note: The dictionary attack can only be enabled while in 4-Digit PIN mode. This switch is ignored when the device is set to operate in 6-Digit PIN mode.

SWITCH 3: INCREMENTAL / DECREMENTAL ATTACK MODE
SW3 controls the direction of the attack. When this switch is set to the OFF position, the EFI PIN BLASTER will perform an incremental attack. The ON position of SW3 will force a decremental attack. The default setting for SW3 is OFF, forcing an incremental attack. When set to OFF, the PIN BLASTER will count UP when generating PINs, so when starting at 0000, the next PIN will be 0001, 0002, 0003 etc. When set to ON, it will count down, so when starting at 0000, the next PIN will be 9999, 9998, 9997 and so on. This switch affects both the 4-Digit PIN mode and the 6-Digit PIN mode.

SW3: OFF = Incremental attack (count UP)
     ON  = Decremental attack (count DOWN)

Note: No matter what starting point or direction is selected for the attack, the complete range of possible PINs is tried until the correct PIN is detected or all possible PINs have been tried.

SWITCH 4: OVERRULE SOME ERRORS
SW4 is not used to set the operating mode for the device, and can be ignored for now. This switch is used to overrule certain errors that can occur in some situations, and will be explained later in this manual.

We recommend that you try your first run in 4-Digit mode, with the dictionary attack enabled and using an incremental attack. This means that all the switches are in the OFF position. This is the default configuration the device ships with.

Note: The status of the DIP switches is only read during power-up. Changing the settings while the device is active has no effect, and will NOT change the operating mode.
To change the operating mode, disconnect the device, adjust the DIP switches as required, and plug the device back in.

Note: The meaning of the DIP switches has changed completely with the introduction of firmware version 3 in order to support 6-Digit PINs, and the instructions printed on the back of the device are no longer valid for this new release (these were the settings for previous firmware versions that only supported 4-Digit PINs).

STEP 2:
To begin with, the Mac should be turned off. Connect the EFI PIN BLASTER directly to one of the USB ports of your Mac using the Micro USB cable that came with your device. Do NOT use a USB hub to connect the device to the computer. If you are unlocking a laptop, make sure the laptop is connected to the power adapter to prevent it from falling asleep or draining the battery completely and powering off.

Now there are two different ways to proceed:

STEP 3 - Option A:
Power ON the Mac with both the ‘Command’ + ‘R’ keys held down. This way the Mac will try to boot into ‘Recovery Mode’. This is the way to go if you want to reformat the internal hard drive and install fresh system software. This only works on Macs that have a recovery partition installed, but this comes standard with Mac OS X 10.7 or newer.

STEP 3 - Option B:
Power ON the Mac with only the ‘alt’ or ‘option’ key held down. This way the Mac will try to start up in the ‘Boot Manager’, and will automatically try to boot from the first available drive with valid system software on it once the correct PIN has been found.

No matter which of the two options you chose, after a while you should see the EFI unlock screen on your Mac. This is a screen with a padlock, and just one input box for the PIN. If you see a screen with 4 or 6 separate input boxes you need to start over, since this is the iCloud unlock screen, and this screen will NOT work for the device to unlock your Mac.

Note: The EFI PIN BLASTER will ‘smell’ that it has hit the right PIN code.
But this only works if there is a valid drive (internal or external) for the Mac to boot from. If there is no bootable device connected, the EFI PIN BLASTER will still hit the correct PIN and unlock the Mac sooner or later, but it won’t realize that it has hit the right code and consequently won’t show the PIN on its display.

STEP 4:
Wait for the EFI PIN BLASTER to start up. During this process it will show the firmware version, its serial number, the number of successful unlocks it has performed and it will confirm the operating mode that was configured using the 4 DIP switches in STEP 1.

After the device has displayed its active operating mode, it will show you a screen that enables you to set the first PIN to try. This can be useful when the approximate value of the PIN is known, or if the process was interrupted because of a power loss, and you don’t want to start all over again.

[Figure: The ‘Adjust start PIN’ screen for 4-Digit mode]

There are two small buttons on the bottom side of the device (just under the ‘+’ and ‘-’ signs) which are used to set the start PIN for the attack. In the 4-Digit mode each press will increase or decrease the value by 100, and in the 6-Digit mode a single press will increase or decrease the value by 1000. A long press will start an ‘auto-repeat’ mode to quickly increase or decrease the starting PIN for the attack.

If you don’t want to change the start PIN, just wait a few seconds, and the device will exit the ‘Adjust start PIN’ screen automatically and start the brute-force attack.

Note: No matter what starting point or direction is selected, the complete range of possible PINs is tried until the correct PIN is detected or all PINs have been tried.
When for instance in 4-Digit mode you select ‘5000’ as the starting point, the device will wrap around at ‘9999’ and continue at ‘0000’ until ‘4999’ is reached (unless of course the correct PIN is found before it reaches ‘9999’).

STEP 5:
After a small delay (giving the Mac time to start up) it will start typing PIN codes, one by one, with a delay after each one. Depending on the settings you chose it will start off with a short dictionary attack to try the most commonly used PINs first, followed by an attack that will try every possible PIN with either 4 digits or 6 digits.

At this point you should see the EFI unlock screen on the Mac:

[Figures: EFI unlock screen (correct); iCloud unlock screen (wrong)]

You should see the device typing ‘•’ characters in the EFI unlock screen. In the 4-Digit mode you should see exactly 4 dots being typed, and when the 6-Digit mode is selected you should see exactly 6 dots being typed.

STEP 6:
Now all you have to do is wait patiently. The EFI PIN BLASTER will try all possible combinations. It will take about two days to try all the possible combinations for the 4-Digit mode, but with a bit of luck it will hit upon the correct code much earlier. If you selected the 6-Digit mode it can however take up to 200 days to find the right code.

When the EFI PIN BLASTER has entered the correct code the Mac will unlock. The EFI PIN BLASTER will recognize that the Mac is booting. It will then stop trying further codes, and display the found PIN on its display. It will also beep a couple of times to draw your attention to its achievements.

If for some reason power is lost after the EFI PIN BLASTER has found the code, the device will show the last found PIN on its display the next time it starts up.
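The search order and throttle described in Steps 4 to 6, worked through as an added example (not part of the original manual and not the device's firmware), show how long a given firmware PIN withstands this search. The per-guess delay is an assumption derived from the manual's "up to 2 days" figure, the dictionary is a constructed placeholder, all function names are hypothetical, and `exhaust_days` goes beyond the two PIN modes by assuming the same delay for longer secrets.

```python
SECONDS_PER_DAY = 86_400
# Assumption: per-guess delay implied by the manual's "up to 2 days" for
# 10,000 four-digit PINs; the manual states no exact delay.
DELAY_S = 2 * SECONDS_PER_DAY / 10_000  # 17.28 s

# Constructed placeholder; the manual does not publish its ~25-entry list.
SAMPLE_DICTIONARY = ("1234", "0000", "1111", "2580", "1212")


def attempts_until(pin, start=0, descending=False, dictionary=()):
    """Guesses made up to and including `pin`, in the order the manual gives:
    optional dictionary pass (4-digit mode only), then a full sweep from
    `start` that wraps around until every PIN has been tried."""
    if len(pin) not in (4, 6) or not pin.isdigit():
        raise ValueError("PIN must be 4 or 6 decimal digits")
    space = 10 ** len(pin)
    if not 0 <= start < space:
        raise ValueError("start PIN outside the PIN range")
    if len(pin) != 4:
        dictionary = ()  # SW2 is ignored in 6-digit mode
    if pin in dictionary:
        return tuple(dictionary).index(pin) + 1
    value = int(pin)
    # Distance from the start PIN in the chosen direction, modulo the range.
    offset = (start - value) % space if descending else (value - start) % space
    return len(dictionary) + offset + 1


def survival_hours(pin, **search):
    """Hours until `pin` is guessed under the assumed delay."""
    return attempts_until(pin, **search) * DELAY_S / 3600


def exhaust_days(alphabet_size, length):
    """Worst-case days to try every secret of this shape. Assumption: the
    same per-guess delay applies to secrets other than the two PIN modes."""
    return alphabet_size ** length * DELAY_S / SECONDS_PER_DAY


if __name__ == "__main__":
    for pin, search in [("2580", {"dictionary": SAMPLE_DICTIONARY}),
                        ("4999", {"start": 5000}),
                        ("999999", {})]:
        print(pin, search, f"{survival_hours(pin, **search):.2f} h")
    print("8 lowercase+digit chars:", f"{exhaust_days(36, 8):.3g} days")
```

A PIN on the common list falls within minutes, while the same delay makes a longer secret drawn from a larger alphabet impractical to exhaust.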
STEP 7:
You need to clear the NVRAM / PRAM before connecting to the Internet, or you could run the risk of your Mac being automatically locked again as soon as it has Internet access!

Follow the next procedure to clear all the settings in the NVRAM. It is important to hold the keys until you have heard the start-up chime at least three times for a ‘deep cleaning’. If you fail to do this, only part of the NVRAM will be cleared, and for instance the iCloud account information will remain.

1) Shut down your Mac.
2) Locate the following keys on the keyboard: Command (⌘), Option (⌥), P, and R.
3) Turn on your Mac.
4) Press and hold the Command-Option-P-R keys immediately after you hear the startup sound.
5) Hold these keys until the computer restarts and you hear the startup sound at least three times.
6) Release the keys.

STEP 8:
If you are now in ‘Recovery Mode’ you can erase the hard drive or SSD and install a fresh copy of Mac OS X.

If you are presented with an iCloud lock screen, simply enter the same PIN that was found by the EFI PIN BLASTER. Because most Macs are locked using the ‘Find my Mac’ tool from Apple, most of the time the iCloud PIN is the same as the EFI PIN, but in some cases these might be different, and the found PIN might not work on the iCloud lock screen. If this happens you can still reboot your Mac in ‘Recovery Mode’, erase the hard drive and install new system software.

Note: The PIN for the iCloud lock screen is not the same as the iCloud password. These are completely independent security keys. Recovering your iCloud PIN will not give you access to your iCloud account.

Note: Finding the right PIN for the iCloud lock screen will not get you past the Mac OS X account login screen if a user password has been set.
For a quick tutorial on how to reset the password for a user account or how to create a new administrator account please check our website at:
https://www.trickswithbits.com/tips-and-tricks/resetting-the-administrator-password/
https://www.trickswithbits.com/tips-and-tricks/creating-a-new-administrator-account/

Note: Even though the EFI PIN BLASTER is protected with an insulated coating on the backside, do not put the device on a conducting surface such as the metal case of a MacBook Pro, as this can damage the device.

TROUBLESHOOTING:
On some occasions the EFI PIN BLASTER might show an error message on its screen. The most common ones are listed here, and we will tell you what to do when you encounter one of these errors:

ERROR 1007: BAD USB CABLE / NO DATA LEADS
Error 1007 will be shown on the EFI PIN BLASTER when a so-called “charging-only” cable or a defective USB cable is used to connect the device to the computer.

[Figure: display showing ‘Error 1007: Bad USB cable!’]

This error tells you that the EFI PIN BLASTER has power (obviously), but is unable to communicate with the computer, and thus will not work to unlock your device. The error is resolved by replacing the USB cable with a new Micro USB cable that has “Data Sync” (sometimes called “Data Transfer”) capabilities.

ERROR 1009: NOT IN EFI MODE
Error 1009 will be shown on the EFI PIN BLASTER’s display when the device does not recognize the usual USB initialization method that is used by Apple when the Mac boots into EFI mode.

[Figure: display showing ‘Error 1009: Not in EFI Mode!’]

This normally means that the Mac was not started while holding down the ‘alt’ key, or the ‘COMMAND’ + ‘R’ key combination, and the Mac is booted into Mac OS X.
To resolve this error, turn off the computer, and hold down the ‘alt’ key, or the combination of the ‘COMMAND’ + ‘R’ keys while turning the Mac back on (or just follow the instructions given on the display).

If, in the future, Apple decides to change the start-up behavior by updating the firmware, this could mean that the EFI PIN BLASTER would not recognize the EFI mode anymore, and would therefore refuse to work. We prepared for this situation by adding a hidden procedure to bypass this error: If you toggle SW4 of the DIP switch to the other position (regardless of what that position was) while the EFI PIN BLASTER shows this error, it will show you a message to toggle it back to the original position, and after it has been switched back, it will start its normal operation, and ignore the error completely.

[Figure: ‘EFI error ignored’ screen]

You can also use this trick to test the functionality of the device by letting it type the PINs into, for instance, a text editor like Apple’s TextEdit, or to find out what PINs are used in the dictionary attack.

For a complete walkthrough with pictures on how to bypass this error see our website at:
https://www.trickswithbits.com/tutorials/troubleshooting/error-1009/

OPTIONAL CONFIGURATION:
The small blue potentiometer controls the contrast of the display. Please note that if this potentiometer is set wrong there will be no image on the display. Turn this carefully with a small screwdriver to get maximal contrast between the text on the display and the background. Normally there should be no need to change this, as we set it during testing of the device.

IMPORTANT:
Because of the nature of this product, returns will only be accepted if the item is unused, or has been unsuccessful in finding the correct PIN.
To prevent abuse of our return policy, the device records the number of successful unlocks, and shows this number on the screen during its start-up sequence.

For more information and Frequently Asked Questions (FAQ) please check our website at https://www.trickswithbits.com or contact us at support@trickswithbits.com.