Posted on 04-21-2015 07:50 AM
I'm looking for a little guidance on the new firmware password binary. Even Google can't provide much more than the man page:
Usage: firmwarepasswd [OPTION]
? Show usage
-h Show usage
-setpasswd Set a firmware password. You will be promted for passwords as needed.
NOTE: if this is the first password set, and no mode is
in place, the mode will automatically be set to "command"
-setmode [mode] Set mode to:
"command" - password required to change boot disk
"full" - password required on all startups
NOTE: cannot set a mode without having set a password
-mode Prints out the current mode setting
-check Prints out whether there is / isn't a firmware password is set
-delete Delete current firmware password and mode setting
-verify Verify current firmware password
-unlockseed Generates a firmware password recovery key
NOTE: Machine must be stable for this command to generate
a valid seed. No pending changes that need a restart.
NOTE: Seed is only valid until the next time a firmware password
command occurs.
My assumption is that the returned value when I run
firmwarepasswd -unlockseed
is intended to allow the removal of an unknown EFI password, but I can't figure out how to use this value to modify the firmware password. Using it in lieu of the actual password in
firmwarepasswd -delete
returns an incorrect password error.
We are in the process of switching EFI passwords as the old password was lengthy (>30 characters) and was an obstacle for helpdesk techs when they needed to EFI boot a device. I have written a script using firmwarepasswd that checks the actual password against a few supplied options, and sets some dummy receipts so that I can capture the EFI password in an EA. This has unearthed a handful of devices that have EFI enabled, but the password is set to a value that is not on my list.
Previously the EFI password was set via policy, but never verified. It appears that the policy failed on some devices and the students took it upon themselves to set the passwords. Hence the EA going forward.
Thanks in advance.
Posted on 04-22-2015 12:26 PM
@lwindram @mm2270 The firmwarepasswd command makes it much easier to retrieve the unlock seed. Previously, you had to press Control-Option-Command-Shift-S at the EFI password prompt at boot time to get the unlock seed.
As for how to use the seed: Officially, you can't.
Now, if you bring your Mac to an Apple store (or an Apple Authorized Service Provider), then they can use the unlock seed to get rid of the EFI password. (This essentially re-flashes the firmware.)
Of course, Apple will charge you for a fee (~$200) for the service.
See this discussion for some more information.
Posted on 04-21-2015 08:16 AM
I'm curious on this myself. I can't figure out how to actually use the -unlockseed command. It generates the same string on the Mac that I'm running it on, through restarts, etc. I had assumed it could be used to at least temporarily get past the Firmware Password screen by entering that password, but not actually remove the firmware pass, but it doesn't work, and is actually too long it seems for the field.
I've tried using it a few different ways as well but no luck - everything just generates an error. I have no idea what to do with that string it generates. As usual, Apple introduces new functions and features and no real documentation on how it should be used. The man page is more or less useless in figuring out what this does.
Posted on 06-22-2015 08:52 AM
@lwindram - would you be willing to share your script you're using that checks the actual password against a few supplied options?
I'm looking to create a script that
verifies if password is not set (a new machine, run firmwarepasswd -check to verify), then set it to newpassword
if -check returns yes, then run -verify to check if it's the oldpassword (machine not yet reimaged this year)
if oldpassword, set to new password
if newpassword (machine reimage), exit
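The procedure described in the post above (set if absent, accept if already current, rotate from a known old password, otherwise fail loudly) as one script. This is an added example, not code from this thread or from Apple; it assumes it runs as root on a Mac that has /usr/sbin/firmwarepasswd and expect, that the prompt and result strings are the ones quoted elsewhere in this thread ("Password Enabled: Yes/No", "Enter password:", "Correct"/"Incorrect"), and that the passwords are handed in as arguments (Jamf delivers script parameters as $4, $5, ...) rather than hard-coded in the script body.

```shell
#!/bin/bash
# Added example (not from the thread): rotate a firmware password.
# Usage: fwrotate.sh rotate NEWPASSWORD OLD1 [OLD2 ...]
# Exit codes: 0 done or already current, 2 unknown password present, 3 could not parse -check.

# Map the output of `firmwarepasswd -check` to yes / no / unknown.
fw_state_from_check() {
    case "$1" in
        *"Password Enabled: Yes"*) echo yes ;;
        *"Password Enabled: No"*)  echo no ;;
        *)                         echo unknown ;;
    esac
}

# Map the output of `firmwarepasswd -verify` to correct / incorrect / unknown.
# "Incorrect" is tested first so a loose match on "correct" cannot misclassify it.
fw_verify_result() {
    case "$1" in
        *Incorrect*) echo incorrect ;;
        *Correct*)   echo correct ;;
        *)           echo unknown ;;
    esac
}

# Drive `firmwarepasswd -verify` with one candidate. Returns 0 if the firmware accepts it.
# The candidate is passed through the environment, so it never shows up in ps output.
fw_verify() {
    local out
    out=$(FW_CAND="$1" expect -c '
        log_user 0
        set timeout 30
        spawn firmwarepasswd -verify
        expect "Enter password:"
        send -- "$env(FW_CAND)\r"
        expect eof
        puts $expect_out(buffer)
    ' 2>&1)
    [ "$(fw_verify_result "$out")" = correct ]
}

# Set or change the firmware password. $1 = current password ("" if none), $2 = new one.
# -setpasswd only asks "Enter password:" when a password is already set (assumption from the thread).
fw_setpasswd() {
    FW_OLD="$1" FW_NEW="$2" expect -c '
        log_user 0
        set timeout 30
        spawn firmwarepasswd -setpasswd
        expect {
            "Enter password:"        { send -- "$env(FW_OLD)\r"; exp_continue }
            "Enter new password:"    { send -- "$env(FW_NEW)\r"; exp_continue }
            "Re-enter new password:" { send -- "$env(FW_NEW)\r"; exp_continue }
            eof
        }
    ' >/dev/null 2>&1
}

# Orchestrate the decision tree from the post: fw_rotate NEW OLD1 [OLD2 ...]
fw_rotate() {
    local new="$1"; shift
    local state old
    state=$(fw_state_from_check "$(firmwarepasswd -check 2>&1)")
    case "$state" in
        no)
            fw_setpasswd "" "$new" && echo "firmware password set" ;;
        yes)
            if fw_verify "$new"; then
                echo "firmware password already current"; return 0
            fi
            for old in "$@"; do
                if fw_verify "$old"; then
                    fw_setpasswd "$old" "$new" && echo "firmware password rotated"
                    return $?
                fi
            done
            # Nothing we know works: report it so the Mac gets hands-on follow-up
            echo "firmware password is not one we know; manual follow-up needed" >&2
            return 2 ;;
        *)
            echo "could not parse firmwarepasswd -check output" >&2; return 3 ;;
    esac
}

# Only act when invoked explicitly, so the functions can also be sourced for testing.
if [ "${1:-}" = "rotate" ]; then
    shift
    fw_rotate "$@"
fi
```

Returning a distinct exit code for "password set but unknown" is the part that matters operationally: the old policy in the opening post silently failed, and a non-zero exit lets the management system surface exactly those machines instead of hiding them.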
Posted on 10-04-2015 08:16 PM
@CasperSally Sorry to dredge up an old thread, but I was working on setting firmware passwords today using the new firmwarepasswd utility and used my terrible scripting skills (read: copy/paste from the internet) to get the following working to check and set firmware passwords:
#!/usr/bin/expect
# firmwarepasswd -check prints "Password Enabled: Yes" or "Password Enabled: No"
set verifyPassword [exec firmwarepasswd -check]
# if no password
if {$verifyPassword eq "Password Enabled: No"} {
    spawn firmwarepasswd -setpasswd
    expect "Enter new password:"
    send "password1\r"
    expect "Re-enter new password:"
    send "password1\r"
    expect eof
    puts "New Firmware Password Set"
# if password already exists
} elseif { $verifyPassword eq "Password Enabled: Yes" } {
    # check the current password
    spawn firmwarepasswd -verify
    expect "Enter password:"
    send "password1\r"
    expect {
        "Correct" {
            puts "Firmware Password Already Current"
            expect eof
        }
        "Incorrect" {
            puts "Trying Older Firmware Password"
            expect eof
            # change from the older password (password2) to the current one (password1)
            spawn firmwarepasswd -setpasswd
            expect "Enter password:"
            send "password2\r"
            expect "Enter new password:"
            send "password1\r"
            expect "Re-enter new password:"
            send "password1\r"
            expect eof
            puts "Firmware Password Set using older password"
        }
    }
}
exit 0
Posted on 10-05-2015 04:32 AM
thanks @plawrence, I'll check this out
I ended up using @ktappe script below to get me by from this thread
#!/usr/bin/expect
spawn firmwarepasswd -setpasswd
# answer whichever prompt appears; exp_continue keeps waiting until eof
expect {
    "Enter password:" {
        send "Password\r"
        exp_continue
    }
    "Enter new password:" {
        send "Password\r"
        exp_continue
    }
    "Re-enter new password:" {
        send "Password\r"
        exp_continue
    }
}
Posted on 11-24-2015 09:15 AM
I'll throw this up here for anyone that might be looking for it. A variation that deletes the firmware password.
BACKSTORY: We were "exit imaging" machines to sell and wanted to automate the removal of firmware passwords. Since we're using Deploy Studio from an external drive to quickly restore the "as it came" disk image I wanted to run it on login and be able to use more than one possible firmware password. Here is what worked for us:
#!/usr/bin/expect
# Hacked together by Urban Reininger for removing multiple firmware passwords 2015-11-23
# @UrbanAtWork
spawn firmwarepasswd -check
expect {
    "Password Enabled: No" {
        puts "No Firmware Password Set!!!"
        exp_continue
    }
    "Password Enabled: Yes" {
        # try the first known password
        spawn firmwarepasswd -delete
        expect "Enter password:"
        send "PASSWORDTRY1\r"
        expect {
            "Password removed" {
                puts "Firmware pw1 removed. Restart!!!"
                exp_continue
            }
            "Password incorrect" {
                # fall back to the second known password
                spawn firmwarepasswd -delete
                expect "Enter password:"
                send "PASSWORDTRY2\r"
                expect {
                    "Password removed" {
                        puts "Firmware pw2 removed. Restart!!!"
                        exp_continue
                    }
                }
            }
        }
    }
}
exit 0
Posted on 12-10-2015 08:06 AM
Made an adjustment so the script:
a) sets a password if no FW password is set
b) if a password is set, verify whether it is a known password
c) change a known password
d) exit with error code if an unknown password is set
#!/usr/bin/expect
# Hacked together by Urban Reininger for removing multiple firmware passwords 2015-11-23
# @UrbanAtWork; adjusted by burenik December 09 2015
spawn firmwarepasswd -check
expect {
    "Password Enabled: No" {
        # no password set: set the current one
        spawn firmwarepasswd -setpasswd
        expect "Enter new password:"
        send "CurrentPassword\r"
        expect "Re-enter new password:"
        send "CurrentPassword\r"
        expect eof
    }
    "Password Enabled: Yes" {
        # if password is set - check whether this is a known password
        spawn firmwarepasswd -verify
        expect "Enter password:"
        send "CurrentPassword\r"
        expect {
            "Correct" {
                #puts "Correct password identified"
                #######
                # use this part to change a known password
                #spawn firmwarepasswd -setpasswd
                #expect "Enter password:"
                #send "YourCurrentPassword\r"
                #expect "Enter new password:"
                #send "YourNewPassword\r"
                #expect "Re-enter new password:"
                #send "YourNewPassword\r"
                ########
                expect eof
            }
            "Incorrect" {
                # puts "Password incorrect"
                # unknown password: exit with an error code so the policy reports it
                exit 1
            }
        }
    }
}
exit 0