Jamf Nation Community

lwindram · ‎04-21-2015

I'm looking for a little guidance on the new firmware password binary. Even Google can't provide much more than the man page:

Usage: firmwarepasswd [OPTION]

     ?                          Show usage
     -h                         Show usage
     -setpasswd                 Set a firmware password. You will be promted for passwords as needed.
                                   NOTE: if this is the first password set, and no mode is
                                   in place, the mode will automatically be set to "command"
     -setmode [mode]            Set mode to:
                                   "command" - password required to change boot disk
                                   "full" - password required on all startups
                                   NOTE: cannot set a mode without having set a password
     -mode                      Prints out the current mode setting
     -check                     Prints out whether there is / isn't a firmware password is set
     -delete                    Delete current firmware password and mode setting
     -verify                    Verify current firmware password
     -unlockseed                Generates a firmware password recovery key
                                   NOTE: Machine must be stable for this command to generate
                                         a valid seed.  No pending changes that need a restart.
                                   NOTE: Seed is only valid until the next time a firmware password
                                         command occurs.

My assumption is that the returned value when I run

firmwarepasswd -unlockseed

is intended to allow the removal of an unknown EFI password, but I can't figure out how to use this value to modify the firmware password. Using it in lieu of the actual password in

firmwarepasswd -delete

returns an incorrect password error.

We are in the process of switching EFI passwords as the old password was lengthy (>30 characters) and was an obstacle for helpdesk techs when they needed to EFI boot a device. I have written a script using firmwarepasswd that checks the actual password against a few supplied options, and sets some dummy receipts so that I can capture the EFI password in an EA. This has unearthed a handful of devices that have EFI enabled, but the password is set to a value that is not on my list.

Previously the EFI password was set via policy, but never verified. It appears that the policy failed on some devices and the students took it upon themselves to set the passwords. Hence the EA going forward.

Thanks in advance.

mthakur · ‎04-22-2015

@lwindram @mm2270 The firmwarepasswd command makes it much easier to retrieve the unlock seed. Previously, you had to press Control-Option-Command-Shift-S at the EFI password prompt at boot time to get the unlock seed.

As for how to use the seed: Officially, you can't.

Now, if you bring your Mac to an Apple store (or an Apple Authorized Service Provider), then they can use the unlock seed to get rid of the EFI password. (This essentially re-flashes the firmware.)

Of course, Apple will charge you for a fee (~$200) for the service.

See this discussion for some more information.

View solution in original post

mm2270 · ‎04-21-2015

I'm curious on this myself. I can't figure out how to actually use the -unlockseed command. It generates the same string on the Mac that I'm running it on, through restarts, etc. I had assumed it could be used to at least temporarily get past the Firmware Password screen by entering that password, but not actually remove the firmware pass, but it doesn't work, and is actually too long it seems for the field.

I've tried using it a few different ways as well but no luck - everything just generates an error. I have no idea what to do with that string it generates. As usual, Apple introduces new functions and features and no real documentation on how it should be used. The man page is more or less useless in figuring out what this does.

mthakur · ‎04-22-2015

@lwindram @mm2270 The firmwarepasswd command makes it much easier to retrieve the unlock seed. Previously, you had to press Control-Option-Command-Shift-S at the EFI password prompt at boot time to get the unlock seed.

As for how to use the seed: Officially, you can't.

Now, if you bring your Mac to an Apple store (or an Apple Authorized Service Provider), then they can use the unlock seed to get rid of the EFI password. (This essentially re-flashes the firmware.)

Of course, Apple will charge you for a fee (~$200) for the service.

See this discussion for some more information.

CasperSally · ‎06-22-2015

@lwindram - would you be willing to share your script you're using that checks the actual password against a few supplied options?

I'm looking to create a script that

verifies if password is not set (a new machine, run firmwarepasswd -check to verify), then set it to newpassword

if -check returns yes, then run -verify to check if it's the oldpassword (machine not yet reimaged this year)
if oldpassword, set to new password
if newpassword (machine reimage), exit

plawrence · ‎10-04-2015

@CasperSally Sorry to dredge up an old thread, but I was working on setting firmware passwords today using the new firmwarepasswd utility and used my terrible scripting skills (read: copy/paste from the internet) to get the following working to check and set firmware passwords:

#!/usr/bin/expect

set verifyPassword [exec firmwarepasswd -check]

#if no password
if {$verifyPassword eq "Password Enabled: No"} {

    spawn firmwarepasswd -setpasswd
    expect "Enter new password:"
    send "password1
";
    expect "Re-enter new password:"
    send "password1
";
    expect eof
    puts "New Firmware Password Set"

#if password already exists
} elseif { $verifyPassword eq "Password Enabled: Yes" } {

#check the current password
   spawn firmwarepasswd -verify
   expect "Enter password:"
   send "password1
"
   expect {
      "Correct" {
         puts "Firmware Password Already Current"
         expect eof
       }
      "Incorrect" {
         puts "Trying Older Firmware Password"
         expect eof
         spawn firmwarepasswd -setpasswd
         expect "Enter password:"
         send "password2
";
         expect "Enter new password:"
         send "password1
";
         expect "Re-enter new password:"
         send "password1
";
         expect eof
         puts "Firmware Password Set using older password"
       }
   }
}

exit 0

CasperSally · ‎10-05-2015

thanks @plawrence, I'll check this out

I ended up using @ktappe script below to get me by from this thread

#!/usr/bin/expect
spawn firmwarepasswd -setpasswd
expect {
    "Enter password:" {
        send "Password
"
        exp_continue
    }
    "Enter new password:" {
        send "Password
"
        exp_continue
    }
    "Re-enter new password:" {
        send "Password
"
        exp_continue
    }
}

urbanatross · ‎11-24-2015

I'll throw this up here for anyone that might be looking for it. A variation that deletes the firmware password.

BACKSTORY: We were "exit imaging" machines to sell and wanted to automate the removal of firmware passwords. Since we're using Deploy Studio from an external drive to quickly restore the "as it came" disk image I wanted to run it on login and be able to use more than one possible firmware password. Here is what worked for us:

#!/usr/bin/expect
# Hacked together by Urban Reininger for removing multiple firmware passwords 2015-11-23
# @UrbanAtWork

spawn firmwarepasswd -check
expect {
    "Password Enabled: No" {
        puts "No Firmware Password Set!!!"
        exp_continue
    }
    "Password Enabled: Yes" {
        spawn firmwarepasswd -delete
        expect "Enter password:"
        send "PASSWORDTRY1
"
        expect {
            "Password removed" {
                puts "Firmware pw1 removed. Restart!!!"
                exp_continue
                }
            "Password incorrect" {
                spawn firmwarepasswd -delete
                expect "Enter password:"
                send "PASSWORDTRY2
"
                expect {
                    "Password removed"
                    puts "Firmware pw2 removed. Restart!!!" 
                    exp_continue
                    }
                }
            }      
    }   
}
exit 0

burenik · ‎12-10-2015

Made an adjustment so the script:
a) sets a password if no FW password is set
b) if a password is set, verify whether it is a known password
c) change a known password
d) exit with error code if an unknown password is set

#!/usr/bin/expect
# Hacked together by Urban Reininger for removing multiple firmware passwords 2015-11-23
# @UrbanAtWork; adjusted by burenik December 09 2015

spawn firmwarepasswd -check
expect {
    "Password Enabled: No" {
         spawn firmwarepasswd -setpasswd
         expect "Enter new password:"
         send "CurrentPassword
";
         expect "Re-enter new password:"
         send "CurrentPassword
";
         expect eof
    }
    "Password Enabled: Yes" { #if password is set - check whether this is a known password
   spawn firmwarepasswd -verify
   expect "Enter password:"
   send "CurrentPassword
"
   expect {
      "Correct" {
         #puts "Correct password identified"
         #######
         #  use this part to change a known password
         #spawn firmwarepasswd -setpasswd
         #expect "Enter password:"
         #send "YourCurrentPassword
";
         #expect "Enter new password:"
         #send "YourNewPassword
";
         #expect "Re-enter new password:"
         #send "YourNewPasswordd1
";
         ########
       expect eof
       }
      "Incorrect" {
        # puts "Password incorrect"
         exit 1
            }      
    }   
    }
    }
exit 0

Jamf Nation Community

firmwarepasswd binary