
So, if you are missing the setOFP ability from the Casper Suite and want to automate firmware passwords, either post-image or in the field with scripts, you can do so with this command. This is needed because Apple changed the hardware and firmware on all Macs from late 2010 and newer models. The example I will give here uses a USB OS X drive that shipped with our current MacBook Airs. I think the drives shipped with OS X 10.6.6 or 10.6.4. You always want to use the newest version of the tool you can, so grab it off the newest restore disk or USB drive (or, I suppose, if you download it via the App Store that works too).

First things first: we need to mount the OS image on your USB stick. Open up Terminal and type this command (the volume name contains spaces, so it has to be quoted):

open "/Volumes/Mac OS X Install/MacOSX.dmg"

This will mount the disk image and you will now be able to view its entire contents from the command line. Note that some files are hidden, so doing this from Terminal really is the easiest way.

Now that the install image is mounted, let's take a look at the firmware password reset utility. It is located here (again, quote the path because of the spaces):

cd "/Volumes/Mac OS X Install Image/Applications/Utilities/Firmware Password Utility.app/Contents/Resources"

Once in this directory you will see setregproptool. This is the tool you use to set the firmware password from the command line:

bash-3.2# ./setregproptool -h
setregproptool v 2.0 (7) Oct  3 2010
Copyright (C) 2001-2010 Apple Inc.
All Rights Reserved.

Usage: setregproptool [-c] [-d [-o <old password>]] [[-m <mode> -p <password>] -o <old password>]

    -c              Check whether password is enabled. 
                            Sets return status of 0 if set, 1 otherwise.
    -d              Delete current password/mode.
                            Requires current password on some machines.
    -p              Set password.
                            Requires current password on some machines.
    -m              Set security mode.
                            Requires current password on some machines.
                            Mode can be either "full" or "command".
                            Full mode requires entry of the password on
                            every boot, command mode only requires entry
                            of the password if the boot picker is invoked
                            to select a different boot device.

                    When enabling the Firmware Password for the first
                    time, both the password and mode must be provided.
                    Once the firmware password has been enabled, providing
                    the mode or password alone will change that parameter
                    only.

    -o              Old password.
                            Only required on certain machines to disable
                            or change password or mode. Optional, if not
                            provided the tool will prompt for the password.

Now if you want to copy that tool, you can do so like this, but we want to make sure we preserve the permissions. Take a look at the current permissions:

ls -al setregproptool 
-rwxr-xr-x  1 root  wheel  115696 Oct  3  2010 setregproptool

Now we will use cp with the -p switch to preserve everything:

cp -p setregproptool ~/Desktop/

Now verify that permissions and ownership were preserved:

ls -al ~/Desktop/setregproptool 
-rwxr-xr-x  1 root  wheel  115696 Oct  3  2010 /Users/tlarkin/Desktop/setregproptool

So, what I do is I copy this binary into the /usr/sbin directory of my OS image. So, now I can script setting the firmware password via post image shell scripts, or deploy a policy to reset it in the field.

Caveats I have found:

1 - any time you modify or change the password you will be required to provide the old one. If you do not, the tool automatically goes into interactive mode, halts your script and demands user input. For example, my script looks like this (remember I put the binary in /usr/sbin in my image, so it is on all my Macs):

/usr/sbin/setregproptool -m command -p "newpassword" -o "oldpassword"

2 - if you clear the firmware password, keep in mind that the -c switch is documented to return a status of 0 when a firmware password is set. After you clear it, though, -c will not return 1 (disabled status) until the client reboots. I tried getting fancy with my scripting and had it check the status first, then run a command depending on whether the password was enabled or not.

3 - Software Update WILL NOT update this binary. You must always pull the newest one out of the newest retail disk or recovery DVD/USB drive and use it. If you are on 10.7 this shouldn't be an issue, since you can always pull down the newest build from the App Store.
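Here is an added example of how the post-image script described above could wrap the tool so both caveats are handled; this is not the author's script. It assumes the binary was copied to /usr/sbin as described, and the SETREGPROPTOOL variable is an assumed override so the wrapper can be pointed at a different copy.

```shell
#!/bin/sh
# Added example wrapper for scripting setregproptool (not from the original post).
# Assumes the binary was copied into /usr/sbin of the OS image; the variable
# below is an assumed override so the wrapper can point at another copy.
SETREGPROPTOOL="${SETREGPROPTOOL:-/usr/sbin/setregproptool}"

# Returns 0 if a firmware password is enabled, 1 if not, 2 if the tool is
# missing. Caveat 2 from the post: after a -d the tool keeps reporting
# "enabled" until the Mac reboots, so do not branch on this right after
# clearing the password.
fw_password_enabled() {
  [ -x "$SETREGPROPTOOL" ] || return 2
  "$SETREGPROPTOOL" -c
}

# Sets password and mode non-interactively. Caveat 1 from the post: when a
# password already exists the old one must be passed with -o, otherwise the
# tool drops into interactive mode and halts the script waiting for input.
# On first enablement both -m and -p are required and there is no -o.
# Passwords passed as arguments are visible in process listings, so run
# this only from a policy script, not an interactive shell history.
set_fw_password() {
  new_pw="$1"; old_pw="$2"; mode="${3:-command}"
  case "$mode" in
    full|command) ;;
    *) echo "mode must be full or command, got: $mode" >&2; return 64 ;;
  esac
  [ -x "$SETREGPROPTOOL" ] || return 2
  if fw_password_enabled; then
    "$SETREGPROPTOOL" -m "$mode" -p "$new_pw" -o "$old_pw"
  else
    "$SETREGPROPTOOL" -m "$mode" -p "$new_pw"
  fi
}
```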

Hope this helps you guys. It is confirmed to also be present in 10.7, but I have not tested that personally.

I am on 10.9 and my computer has the six digit passcode. I am familiar with the terminal, but how do I get to it with the firmware passcode locked?


Does anyone here know if this would work on a 10.10 machine? I know it uses the new binary "firmwarepasswd", but I was wondering if anyone has tried copying the setregproptool to a 10.10 machine and scripting this.


Hello:

You might want to take a look at our firmware_password_manager script which allows management of firmware password.

It's available in our GitHub repo here:

https://github.com/univ-of-utah-marriott-library-apple/firmware_password_manager

If you have any questions or problems, please let us know.