
Clover: iMessage/Facetime Fix for Yosemite


leodaniel

That was the only thing I actually changed. That worked for me; all the other IDs were generated.

 

Ok, thank you for response. But it's not very informative.

 

Please can you explain "That worked". Did you call Apple support too, or did activation go without any issues?

 

What's the length of the MLB used, and also the Mac model you used?

 

Please can you explain your procedure step by step?

Link to comment
Share on other sites

Yes, I called Apple and told them I recently updated to 10.10.1 and when I try to log in to my iMessage it gave a customer and then gave them the code. I tried the same procedure with any MLB from a real Mac but that didn't work.

 

What's the length of the MLB used, and also the Mac model you used? Did your Mac models match on the genuine Mac and the hack?

Link to comment
Share on other sites

What's the length of the MLB used, and also the Mac model you used? Did your Mac models match on the genuine Mac and the hack?

I can only tell you what worked for myself. I used the MLB and ROM from my old MacBook Pro (2008 or 2009 model) on my Hack (MacPro 6.1 SmBios, all IDs generated). And it worked.

What I don't know and will try this weekend (not home, don't have access to my hack) is with just the MLB.

Link to comment
Share on other sites

I can only tell you what worked for myself. I used the MLB and ROM from my old MacBook Pro (2008 or 2009 model) on my Hack (MacPro 6.1 SmBios, all IDs generated). And it worked.

What I don't know and will try this weekend (not home, don't have access to my hack) is with just the MLB.

 

Cool, thank you

 

It seems that if you have a genuine MLB/ROM pair, iMessage activates without any issues.

If you have a genuine MLB (or one which follows a certain pattern), you can still use Apple Support to activate iMessage.

Otherwise you are out of the game.

 

What's the length of the MLB? Which version of OS X?

Link to comment
Share on other sites

Cool, thank you

 

It seems that if you have a genuine MLB/ROM pair, iMessage activates without any issues.

If you have a genuine MLB (or one which follows a certain pattern), you can still use Apple Support to activate iMessage.

Otherwise you are out of the game.

 

What's the length of the MLB? Which version of OS X?

Oh yes you figured it out. I already told you I used 13 characters of MLB lol
Link to comment
Share on other sites

Cool, thank you

 

It seems that if you have a genuine MLB/ROM pair, iMessage activates without any issues.

If you have a genuine MLB (or one which follows a certain pattern), you can still use Apple Support to activate iMessage.

Otherwise you are out of the game.

 

What's the length of the MLB? Which version of OS X?

OSX 10.10.1 (actually the OS version has nothing to do with it. The problem is across all versions starting with Mavericks.) and I don't remember the length. Like I said before, I'm not home and don't have access to my hack before this weekend.

Link to comment
Share on other sites

OSX 10.10.1 (actually the OS version has nothing to do with it. The problem is across all versions starting with Mavericks.) and I don't remember the length. Like I said before, I'm not home and don't have access to my hack before this weekend.

 

Thank you! ;) 

 

I suspect there is a certain pattern in MLB. I have compared several values and it seems there is a certain pattern in MLB. I suspect that MLB is reversible as Serial Number.

Link to comment
Share on other sites

Actually it's not reversible. I remember only the first 4 numbers of the serial number and ROM were the same, but they are not reversible.

Sorry, first 4 characters of Serial number and MLB are the same in the case of a real Mac but that's nothing I guess it looks totally different on my hack

Yes I agree with you, they are not reversible in any way, just checked my MBPr and they have nothing in common. 

Link to comment
Share on other sites

Actually it's not reversible. I remember only the first 4 numbers of the serial number and ROM were the same, but they are not reversible.

Sorry, first 4 characters of Serial number and MLB are the same in the case of a real Mac but that's nothing I guess it looks totally different on my hack

 

Thx! But do you have a proof? 

 

Plenty of product IDs / serials etc. are reversible in a certain way. It's my hypothesis that MLB is reversible. Even MD5 hash is "reversible" by using brute-forcing.

 

After examination of several values, I can see there is a certain common pattern. There is some sort of algorithm used to generate MLBs. If there is an algorithm, it's reversible in a certain way.

 

I have a hypothesis that if you generate a proper MLB based on the algorithm, you will still get iMessage activated through Apple support.

Link to comment
Share on other sites

Thx! But do you have a proof? 

 

Plenty of product IDs / serials etc. are reversible in a certain way. It's my hypothesis that MLB is reversible. Even MD5 hash is "reversible" by using brute-forcing.

 

After examination of several values, I can see there is a certain common pattern. There is some sort of algorithm used to generate MLBs. If there is an algorithm, it's reversible in a certain way.

 

I have a hypothesis that if you generate a proper MLB based on the algorithm, you will still get iMessage activated through Apple support.

MD5 is in no way reversible! EVERY MD5 has the same length, this means that there are infinite inputs that result in the same hash.

Link to comment
Share on other sites

MD5 is in no way reversible! EVERY MD5 has the same length, this means that there are infinite inputs that result in the same hash.

 

I said: "Even MD5 hash is "reversible" by using brute-forcing." Common use of quotation marks is to indicate or call attention to the word itself rather than its associated concept. So, I hoped you would notice the irony here. Of course cryptography is a science, and each cryptographic method has its own principles. I used brute-forced MD5 just as an example in this context. If I have time and appropriate tools, I can brute-force a weak password from an MD5 hash. So, it's "reversible". PERIOD.

 

But Apple's MLB isn't a hash for sure, maybe only some part of it. But I see that there is a pattern used for MLB.

Link to comment
Share on other sites

It didn't take me even more than a minute or so to run iMessage debug on a friend's MacBook Pro lol. Don't you think that's easier than trying to figure out the pattern of MLB?

 

teddybearapple, I suspect you have missed the entire point of hacking :D

 

A hacker is a person who enjoys exploring the limits of what is possible, in a spirit of playful cleverness. Copying some values from somewhere isn't hacking.

 

Of course I can steal the bread from the shop. But if I have a recipe, I can bake it.

Link to comment
Share on other sites

teddybearapple, I suspect you have missed the entire point of hacking :D

 

A hacker is a person who enjoys exploring the limits of what is possible, in a spirit of playful cleverness. Copying some values from somewhere isn't hacking.

 

Of course I can steal the bread from the shop. But if I have a recipe, I can bake it.

Oh I get your point now. You're right anyway, that's all about hacking it's good to come out the right pattern to understand how these Ids are generated by apple and stuff

Link to comment
Share on other sites

How to Extract MLB/ROM from older Macs running OSX Lion or Snow Leopard
 
A few of you may have older Macs running Snow Leopard or Lion that have been "retired" from service.  
These make good candidates for borrowing their MLB and ROM for the purpose of activating iMessage on your own hacks.

Notes

  • iMessage was introduced in "beta" phase on OSX Lion and only officially supported from Mountain Lion onwards
  • Older Macs had shorter MLBs eg MBP 6,2 has 13 character MLB (still 12 character ROM)
  • Macs as old as a 2006 MBP 2,2 have been used for MLB/ROM to validate iMessage
  • ElNono_'s iMessage_debug tool only works on systems running Mountain Lion or later so how to extract MLB/ROM without upgrading to ML or later?

On Lion, MLB and ROM were introduced as NVRAM variables so can be extracted from your real Mac's NVRAM using Darwin Dumper by @BlackOSX:

Run Darwin Dumper and tick the following dumps - DMI Tables (SMBIOS), I/O Kit Registry, NVRAM. Make sure that "Make Dumps Private" is unticked.




The following are EXAMPLES only from my hack using GENERATED serials but give you an idea on what to look for on a real Mac....

under the section NVRAM/uefi_firmware_vars/4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:ROM &
4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:MLB
 

------------------------------------------------------------------------------
4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:ROM
------------------------------------------------------------------------------
000000: 34 4f c0 d5 6c 38                                |..&T.n|

------------------------------------------------------------------------------
4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:MLB
------------------------------------------------------------------------------
000000: 43 4b 39 34 38 34 32 37 31 47 30 31 32   |CK9484271G012|
 

On Snow Leopard, MLB and ROM don't exist in NVRAM so the values must be extracted from the DMI Tables and I/O Kit Registry...

MLB=Main Logic Board Serial Number found in the section DMI Tables/DMI type 2: Base Board/Serial Number

Handle 0x0200, DMI type 2, 16 bytes
0000: 02 10 00 02 01 02 03 04 05 09 06 00 03 0a 00 00
0010:

Base Board Information
    Manufacturer: Apple Computer, Inc.
    Product Name: Mac-F42D86C8
    Version: MacBookPro5,1
    Serial Number: CK9484271G012
    Asset Tag:           
    Features:
        Board is a hosting board
        Board is replaceable
    Location In Chassis: Part Component
    Chassis Handle: 0x0300
    Type: Motherboard
    Contained Object Handles: 0

In the section IORegistry/IOService:
ROM=Firewire IOMACAddress (format xxxxxxyyyyxxxxxx) 8 bytes with the middle 2 bytes removed to leave 6 byte/12 character serial: xxxxxxxxxxxx

eg search for "Firewire"

 


fw IOMACAddress = 344fc00035d56c38
ROM = 344fc0d56c38

 

or on other Macs, ROM is sometimes reported as the Ethernet IOMACAddress so in this case, search for "Ethernet".

 

You can also determine the MAC addresses of all your Mac's network interfaces by running the following command in OSX terminal:

networksetup -listallhardwareports

Alternative if DDumper doesn't work:  procedure from post#171:

1.  Boot your Mac in single user verbose mode (Command-S) with a Mavericks or Yosemite Installer USB created with "createinstallmedia" method

2.  After the white text has finished scrolling type the following lines (pressing <Enter> after each)

/sbin/fsck -fy
/sbin/mount -uw /
nvram 4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:MLB
nvram 4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:ROM 

3.  Record the output.  Note the ROM value shown with the NVRAM command can be a mix of HEX and ASCII:

'%xx' values are HEX-Values, the other characters have to be converted from ASCII to HEX to get the right ROM value.
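
The two conversions described in this post (the mixed '%xx'/ASCII value printed by nvram, and the 8-byte FireWire IOMACAddress with its middle 2 bytes removed), as an added example that is not part of the original post. The function names and the tab-separated "name, value" line layout are assumptions; the sample input is constructed from the post's own example bytes.

```python
import string

# GUID of the NVRAM variables named in the post
GUID = "4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14"


def decode_nvram_value(text: str) -> bytes:
    """Turn nvram's printable form into raw bytes.

    '%xx' stands for one byte given in hex; every other character is a
    printable ASCII byte that was printed as-is.
    """
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%":
            pair = text[i + 1:i + 3]
            if len(pair) != 2 or any(c not in string.hexdigits for c in pair):
                raise ValueError(f"truncated %xx escape at offset {i}")
            out.append(int(pair, 16))
            i += 3
        elif 0x20 <= ord(text[i]) <= 0x7E:
            out.append(ord(text[i]))
            i += 1
        else:
            raise ValueError(f"unexpected character at offset {i}")
    return bytes(out)


def parse_nvram_line(line: str):
    """Split one 'name<TAB>value' line (assumed layout) into (short name, bytes)."""
    name, sep, value = line.rstrip("\r\n").partition("\t")
    if not sep or not name.startswith(GUID + ":"):
        raise ValueError("not a line for the expected GUID")
    return name.split(":", 1)[1], decode_nvram_value(value)


def rom_from_firewire(io_mac_address: str) -> str:
    """Drop the middle 2 bytes of the 8-byte IOMACAddress (xxxxxxyyyyxxxxxx)."""
    digits = io_mac_address.replace(":", "").lower()
    if len(digits) != 16 or any(c not in string.hexdigits for c in digits):
        raise ValueError("expected 8 bytes (16 hex digits)")
    return digits[:6] + digits[10:]


if __name__ == "__main__":
    # Constructed sample: the post's example ROM bytes in nvram's printable form.
    name, rom = parse_nvram_line(GUID + ":ROM\t4O%c0%d5l8")
    print(name, rom.hex())
    print(rom_from_firewire("344fc00035d56c38"))
```

A bare '%' without two hex digits after it usually means the recorded output was cut short, which is why the decoder rejects it instead of guessing.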
