after three weeks of being bought the seller decided that he wanted it back. He expressed this by locking it with a 4 digit PIN and a message that stated “Give me back the laptop and give you back the money”, without calling or anything.
In other words, the seller somehow had remote control of the laptop and locked it remotely? Things like this are why you should always reformat and reinstall all the software on computers you buy...
Bruteforcing it is the long way, the fastest way would be to use an EEPROM programmer to clear the EEPROM and rewrite the BIOS. This can usually be done in-circuit without any soldering with a little clip that goes onto the chip. A lot of laptop repair shops have this setup. Some of the newer models store the password in TPM, which caused the shops to initially replace the TPM with a new blank one but some RE later revealed that many (not all) can be cleared in the same way as before.
The fact that BIOS/EFI passwords can be easily cleared must be one of the worst-kept secrets in the computer industry - the companies will often officially say that there is no way to reset them and that the whole motherboard has to be replaced in a not-so-successful attempt to propagate the myth that this protection is so secure that even they can't bypass it.
I did a low level reformat `dd if=/dev/random of=/dev/sdd` with the hard drive mounted on another machine before noticing that the seller had locked the machine's EFI remotely.
> It sounds like the buyer did not re-register the device with their own Apple ID (assuming that is possible).
This is correct. You are supposed to set up your own iCloud account on the device, to make sure that no one else (except maybe Apple) has remote control over the device.
Actually, I don't remember reading about that in the Apple security whitepaper. Does Apple claim that they can't remote-lock your device without your password?
Well, I saw a spike in traffic to my site and traced the source to HN... Let's hope the migration from WordPress to Pelican pays out.
As mentioned by some of you this is from early 2013 but the code still works. Furthermore it has been tweaked (the timeouts and keypress duration) to be compatible with most Macs yet as efficient as possible.
For what it's worth, if you can produce some sort of proof-of-purchase, you can take it to an Apple Store and they can remove the EFI Pin. They tend to be pretty reasonable about this most of the time.
If the buyer had reformatted the HD immediately after buying it, would that have made it impossible for the seller to lock it? Could the buyer have changed the account which it was linked to without going through the seller?
Of course a bill of sale would also have been enough to get Apple to help, according to another comment. But even that is not hard to forge.
I think so. The correct procedure would have been to assign another iCloud account and assign yourself another PIN (lock it with your own PIN)... Then reformat it.
It appears that the buyer didn't consider that they bought a stolen MBP. My first guess after reading this is that the real owner discovered their computer was stolen.
This is a good reason to test and change the iCloud account while the seller is standing there. I am not sure about the laptops, but an iPad/iPhone needs the same pin to change the account it is associated with, so you get some immediate evidence if you are buying something stolen.
The message on the first lock screen (iCloud padlock) read "Devuelve me la laptop y te devuelvo el dinero" which means "Give me back the laptop and I will return your money".