How to brute-force a Mac lock password with Arduino and OpenCV. Based on the article “Brute-forcing EFI with Arduino”.

Story
It all started as usual: a friend's Apple account was hijacked and his MacBook Air was locked. An iPhone can be restored, but a Mac is locked for good. Contacting technical support led nowhere; a service center offered to unlock it for 1000 rubles in one day, but then found a defect in the motherboard that prevented them from doing it.
After reading the article “Brute-forcing EFI with Arduino”, we decided to repeat the experience. We had no display, but we did have two Arduinos, an Uno and a Mega 2560, and a laptop we did not mind leaving for ~33 hours to enumerate the password. We decided to do the brute force properly, with all the trimmings: let the automation watch the brute force while we drink tea.
Description of the problem
To start, briefly about what we set out to do. This section is for those who do not want to read the referenced article carefully.
If your Apple account is hijacked, the attacker can lock your Mac remotely, setting a four-digit numeric password of his choice. After that the Mac cannot be booted without entering this password, and the password can be entered in two different places: before logging into your account (four empty single-character input fields masked with asterisks) and when trying to enter UEFI (a field that accepts any number of characters, also masked with asterisks). If you enter the wrong password many times in the four fields, input is blocked first for 5 minutes, then for 10, and so on up to an hour. That is not well suited to enumeration. In the UEFI case, you can retry about every 12 seconds (slightly less, in fact). If we compute the maximum enumeration time, we get 33.(3) hours, not counting the time needed to type the characters and press Enter. Not fatal, in principle. It seems Apple has something to think about in terms of security.
For us, however, this negligence in the choice of password complexity (or of the delay between inputs) only plays into our hands.
Note that when the correct password is entered, input is not blocked at all; that is, these ~12 seconds are not the time needed to check the password but an artificial delay. It seems there is a way around this delay that would allow much faster enumeration. We did not do that, but the idea is interesting.
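To make the rate-limiting numbers above concrete, here is a small Python model, added here as an example (it is not code from this article or from the referenced one). It takes the four-digit keyspace and the ~12-second UEFI delay from the text. The shape of the escalating lockout for the four-field prompt (that a lock follows every 5 wrong attempts, that it doubles from 5 minutes up to 60, and that typing one attempt takes 2 seconds) is an assumption, since the article only says 5, then 10, and so on up to an hour. It also shows why shuffling the enumeration order does not change the expected number of guesses for a PIN about which nothing is known, a point the results section below comes back to.

```python
"""Model of the two lockout behaviours described above.

Added example, not the original article's code. KEYSPACE and UEFI_DELAY_S come
from the text; the parameters of escalating_lockout_time are assumptions."""
import random

KEYSPACE = 10_000       # four decimal digits (from the article)
UEFI_DELAY_S = 12.0     # article: one UEFI attempt roughly every 12 seconds


def fixed_delay_time(attempts: float, delay_s: float = UEFI_DELAY_S) -> float:
    """Seconds spent on `attempts` guesses with a constant delay per guess
    (the UEFI prompt case)."""
    return attempts * delay_s


def escalating_lockout_time(attempts: int, attempts_per_window: int = 5,
                            first_lock_min: float = 5.0, max_lock_min: float = 60.0,
                            attempt_s: float = 2.0) -> float:
    """Seconds spent on `attempts` guesses at the four-field prompt.

    ASSUMPTIONS: a lock is imposed after every `attempts_per_window` failures,
    its length doubles from first_lock_min up to max_lock_min, and typing one
    guess takes attempt_s. The article only says the lock grows
    5 -> 10 -> ... -> 60 minutes."""
    total = 0.0
    lock_s = first_lock_min * 60
    for n in range(1, attempts + 1):
        total += attempt_s
        # the final guess is the hit, so no lock follows it
        if n % attempts_per_window == 0 and n < attempts:
            total += lock_s
            lock_s = min(lock_s * 2, max_lock_min * 60)
    return total


def expected_attempts(keyspace: int = KEYSPACE) -> float:
    """Mean number of guesses until a uniformly random target is hit.
    For ANY fixed enumeration order (0000..9999 or shuffled) this is (N+1)/2;
    shuffling only helps if something is known about how the PIN was chosen."""
    return (keyspace + 1) / 2


def simulated_mean_position(trials: int = 500, keyspace: int = KEYSPACE,
                            seed: int = 1) -> float:
    """Monte Carlo check of expected_attempts for a shuffled order: draw a
    random order and a random target, count guesses until the hit."""
    rng = random.Random(seed)
    order = list(range(keyspace))
    total = 0
    for _ in range(trials):
        rng.shuffle(order)
        target = rng.randrange(keyspace)
        total += order.index(target) + 1
    return total / trials


def summary() -> dict:
    """Worst-case and expected time to exhaust a four-digit PIN under both policies."""
    return {
        # 33.3 h, the figure the article arrives at
        "uefi_worst_hours": fixed_delay_time(KEYSPACE) / 3600,
        "uefi_expected_hours": fixed_delay_time(expected_attempts()) / 3600,
        "four_field_worst_days": escalating_lockout_time(KEYSPACE) / 86400,
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value:.2f}")
```

Under the assumed escalation the four-field prompt needs on the order of 80 days for the full keyspace, versus 33.3 hours at the UEFI prompt; the model makes it easy to see that the fixed 12-second delay, not the four-digit keyspace, is what makes the UEFI path practical.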
Disclaimer
Everything described in this article was legal (because it was done with our own Mac) and aimed at fighting fraudsters, whose contact details have already gone where they should. Use of the materials of this article for illegal (or legal) actions is under no circumstances the responsibility of the author or the site. Everything you do, you do at your own risk. Neither the author nor the site is responsible for any damage, direct or indirect, caused by the materials of this article. In short: whoever didn't hide, it's not my fault.
How to sort through?
The author of “Brute-forcing EFI with Arduino” suggested a wonderful way to find the password: the Arduino pretends to be a USB keyboard and enters passwords one after another. I will not repeat all the details of the approach; the link to the article is above. I will describe what we decided to do differently, and why:
- Use the computer all the time. We had no display, so there was nowhere to log what had been entered. Therefore the computer remembers what was entered.
- Recognize the image on the Mac's screen. It seemed relatively simple to check whether the Mac was still locked, and to enter passwords only while it was. The computer is being used anyway.
- Check that exactly four characters were entered. This was the most unexpected change for us. It turned out that the chain computer -> Arduino -> Arduino -> Mac sometimes did not enter all the characters. Sometimes an Enter was skipped, which was not too scary (you can add 3-4 Enters after the password; they do not interfere). But sometimes a password digit was skipped. Why is a mystery. We decided to look at the picture and make sure that all the characters were entered. If not, repeat the entry.
- Enumerate passwords in random order. The article went from 0000 to 9999, and we did not like that. Most likely the attacker chose a password far from both 0000 and 9999, so that whoever enumerates it would suffer. So we decided on a randomized search. What a cruel joke it played on us, read on.
Let's get to the point!
We work according to this scheme:
- The computer generates a list of passwords to enumerate.
- The computer checks that the Mac is still locked.
- The computer sends the next password to the Arduino Uno, which is in fact used as a USB <-> serial adapter and runs a trivial sketch that does nothing.
- The Mega reads the data from the Uno over Serial1. That is why the order Uno -> Mega was used, and not vice versa.
- The Mega types the data into the Mac, presenting itself as a keyboard.
- The computer checks that 4 characters appear on the screen. If not, the password is marked as not entered.
- Enter is pressed the same way.
- While the password field is not empty, do nothing.
- As soon as the entry field is empty, go to the second step.
Data transfer
Data went over USB, became serial, then became keystrokes. There was nothing particularly interesting here, except for the lost characters. By debugging we determined that the characters are lost at the last stage: the character leaves the keyboard but is not registered by the Mac. Why remains a mystery. We did not figure it out; we just checked that everything was entered.
Lock recognition
While the Mac is locked, a padlock is drawn. Here it is:

Let's look for it with OpenCV! It's like hammering nails with a microscope (well, not really).
Surprisingly, OpenCV under .NET got going with minimal fuss and two NuGet packages (OpenCV.NET, OpenCV). Here is some code.
// load the padlock template that will be searched for on the screen
lck = CV.LoadImage("D:\\mac-unlock\\lock.png", LoadImageFlags.Unchanged);
This simple code looks for the image of the lock on the screen. It finds it well:

The green rectangle is the found lock. This part caused no difficulties. OpenCV surprised and pleased us.
Password field
If we found the lock on the screen, we can look for the password field below it. This is done relatively easily by ordinary manipulation of image pixels. Or it would be, if not for the camera. There were two problems. First, the camera resolution was 640×480, which is terrible for analysis. Second, under inconsistent lighting the camera behaved completely unpredictably: something would light up, something would disappear. The second problem was solved with stable lighting conditions, the first with binding to pixel sizes and filters.
So, we have the lock; we can find its center and go down until we meet two brightness peaks.

In the figure: the brightness of the pixels below the lock.
Having found two maxima at a sufficient distance from each other, we can take the midpoint between them and go left (assuming the password field is horizontal). When we find a bright pixel, either the input field has ended or we have hit an asterisk.

Input field. Green: the lock frame. White: the line going down along which the two maxima are sought. Red: the maxima found and the first bright pixel to the left of the center.
Now, if the first bright pixel on the left is far enough to the “left”, the input field is empty. If it is far enough to the “right”, 4 characters have been entered. Calibration is needed, though.
During calibration, the position of the bright pixel was found with an empty input field, then 4 characters were entered and the position was found again. These values were saved and used as references.
This ends the image-processing part, and it is time to move on to the results.
Results

Lock not found! After 33 hours of operation the password was found. Despite randomization, the correct password was number 35 from the end. The password was 2605. The probability of this event was 0.35%.

Literature, equipment and code
Equipment used in the article:
Apple MacBook Air
Lenovo ThinkPad T510
Arduino Uno (compatible)
Arduino Mega 2560 (compatible)
Literature:
“Brute-forcing EFI with Arduino” - everything about using the Arduino as a keyboard and the principle of the Mac lock is taken from there. Thanks to the author!
Arduino website
OpenCV website
Code. Attention: the code is terrible. It was written ad hoc and contains traces of experiments. In addition, it is tied to my camera's resolution, so it may require modification.
You may do anything with the code, as long as it is not prohibited by law.