Today’s subject is a little delicate, and I hesitated a long time before writing this article. The product I’m going to talk about, the Matt Card, is originally used to help technicians, and I do not really like to explain how to override Apple’s protections. But I have to say the solution is a little too obvious and a little too easy.
First of all, the EFI protection. Using a password on the EFI prevents the Mac from booting on anything other than the system selected by default. You must type the password to choose another boot disk (for example an external one) or simply boot on the recovery partition. The password in question was stored in NVRAM on older Macs (a simple reset erased the password) and directly into the chip that contains the EFI in newer Macs. I had already mentioned it when I saved a MacBook Pro prototype: reflashing manually the EFI erases the password.
Then, the Find My Mac function. Basically, it will do the same thing. If you decide to lock a Mac from the Apple interface, you will set a password on the EFI (if one does not exist yet) and on the OS. Without this code, it is impossible to boot the machine. Pretty logically, the basic answer is the same: removing the password of the EFI allows you to boot externally and erase everything.
In theory, this is not within the reach of anyone and – on recent Macs – the chip is no longer accessible with conventional tools.
This is where the Matt Card comes in. This card can replace the EFI of the Mac quite easily, using a diagnostic connector on the Logic Board. Once installed, it replaces the original EFI by a password-free version with a new serial number (also stored in the EFI). The explanations on the seller’s website are quite hypocritical: a repairer can use the Matt card to unlock a Mac… And so can a thief! To be sure, I ordered one.
First, it exists for a lot of Apple models and is worth between ~60 and 100 €. The repairer offers the card for all MacBook Pro Retina (13 and 15 inches) between 2012 and 2017 (the T2 chip logically blocks this technique), MacBook Air (11 and 13 inches, 2008 to 2017), MacBook Retina (2015 2017), the Mac mini (some 2009, not the 2010, from 2011 to 2014) and the Mac Pro (2010 and 2013). For this test, I chose the MacBook Air 2012 (11 inches) one. Pay attention, the card is specific to each model of Mac, since it contains the EFI of the Mac in question.
The card is easy to install as the connector is accessible. Basically, open the Mac (10 pentalobe screws in my case), disconnect the battery, install the card, reconnect the battery. It takes less than 5 minutes for someone slow. Please don’t mind the internal state of my old MacBook Air…
I admit it, I had a surprise at the first boot: impossible to boot High Sierra or Mojave. Actually, the Matt Card EFI is not up to date and therefore does not start on APFS. I had a Sierra partition, so I could see that it worked: the Mac boots with another serial number and without EFI blocking. Then I updated the Matt Card (I shall explain one day how to do it without installing High Sierra) and began the test. Using Find My Mac on the Mac under Mojave, the Mac is locked. And after installing the Matt Card, I can boot the blocked Mac without any worries in a matter of minutes. For a good reason: once the card is installed, Apple considers it a whole new Mac.
I am not in the shoes of the repairer who created this card. But I see very well that the possibility of blowing up the iCloud protection of a Mac is a big issue, especially when the handling is that simple and affordable. Should I be talking about it? I considered that yes, although I know perfectly well that it will help thieves. Just like the person who made this card knows it.
In the meantime, do not consider that a Mac blocked by iCloud is safe. Just erase everything with Find My Mac if the Mac contains important data (unless you have FileVault). Or go buy a model with a T2 chip (even if it brings other problems).
Picks help thieves but also honest people that help you get back into your flat if you forgot your keys inside it. Should we ban picks?
I second Bastet’s comment. Well said.