Reverse Engineering Team Board

Reverse Engineering Team Board (
-   OSX Reverse Engineering (
-   -   Bypass filevault, admin, all passwords (

mazuki 05-20-2008 06:40 PM

Bypass filevault, admin, all passwords
Please anyone offer insight into this, i tested it myself but would like your thoughts on my work, as i only figured it out after playing on a mac for a couple weeks

tools: usb drive and two files, easily created with mac OS on any mac computer that is filevault capable.

the beauty of this fix is that it doesn't require you to enable anything on the computer, or look for anything, it just requires the placing of 2 small files on it, and you can successfully circumvent any filevault encryptions, account passwords and system keychains. so in essence, with this hack you get not only the users account and files, but access to any stored passwords they use, email, chat, everything.

the method:

there are two files that are created when enabling a master password on mac OS X



the placement of these files in the proper folder (either /Library/Keychains/ or /System/Library/Keychains) will enable a master password, overwrite an old one, or deleting them will disable master password. you would think that this is locked to only a single mac computer, but surprisingly it doesn't. all you need to do is boot to single user mode, mount your usb drive, cp the files to that location, reboot like normal, enter a password incorrectly 3-5 times and then use the master password to reset it, all while keeping the user's keychains intact and not causing the filevault encryption to lock the users files to be inaccessible.

i didn't walk through every step because it will depend on the filesystem of the USB drive you use, whether it's ntfs, hfs, ext3 or FAT

and this works across 10.4 and 10.5 (i tested both) and possible back to 10.0, whenever filevault master password was implemented, this should work

of course, you can also use the same method for user accounts, just create your own password, and then take the file that is the same name as the GUID of your user in the shadow hash folder (forgot the location) and replace any of the users, will work the same way, but i prefer the master password as it will keep keychains in effect, i.e. you have access to the emails, chat programs, and encrypted files/folders

dlawsond84 05-30-2008 07:02 PM

Not working for me...
Has anyone else been successful with this? I was able to enter my new Master Password, which took me to the screen to change the user password, but it would not accept the user password change.

mazuki 05-31-2008 06:26 AM

what version are you on? and what user are you trying to change?

i tested with admin accounts as well as regular users and all was fine, but this was on 10.5.1 i have no mac to test any later versions

there is another option, but i'm not sure if it resets the keychain files and keeps encrypted files intact

dlawsond84 06-02-2008 09:54 AM

The version on the computer I'm trying to access is 10.4.10, and I'm trying to change the sole user (with Admin priv) on the computer. The only other user is the guest account. I realized after I posted previously that I was using the FileVaultMaster keys from a later version (Leopard). I will have to find a 10.4 and try again. Or do you think that it will work as long it's Tiger?

Thanks for your response!

dlawsond84 06-02-2008 11:29 AM

Ok, this time I used another 10.4.10, but it was from an Intel-based Mac, and my target computer is an iBook G4 and is Motorola-based. So, still no success. I have another Mac that is a 10.3.9 Motorola. Do you think that will work?

I know the FileVaultMaster keys are copying over correctly, because it is accepting my password to get me to the next screen to reset the user's password, but it still won't let me change it.


mazuki 06-03-2008 01:03 AM

the tested machines for this was intel based only, try it on your intel mac and if it works, then i apologize that i did not state that earlier, as i had nothing but intel macs to play with for a while

Claudia54 07-13-2011 09:44 PM

instructions removed because they refer to a software they are copying

All times are GMT -4. The time now is 01:05 AM.

Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.