Need to remove Firmware Password

Hmm. I don't think there is a way without knowing the current password. The whole point of it is that its not easily circumvented with a command. I'm pretty sure the setregproptool needs the current password to remove it or set a new one.

In the past it would be a simple matter of yanking out some RAM in the Mac and that would remove the firmware password. No longer the case though with Macs made over the last couple of years.

You may have to take it in to an Apple Store or service center.

another method, but only works on machines manufactured BEFORE 2011 unfortunately:
http://reviews.cnet.com/8301-13727_7-57521667-263/use-the-calculator-to-reveal-a-macs-firmware-password/?part=rss&tag=feed&subj=MacFixIt

For your machines, I believe you're going to have to get them serviced to reset the password.

Way late to this one, but there is a different process for firmware password removal on post-2011 machines. It requires GSX access as far as I know. Anyway, here it is... enjoy!

For the MacBook Air (Late 2010) and later, MacBook Pro (Early 2011) and later, iMac (Mid 2011) and later, and Mac mini (Mid 2011): Use the new Firmware Password Reset scheme: 1. Start up the computer to the password entry screen by pressing and holding the Option key. 2. Press the key sequence Shift + Control + Command + Option + S at this screen. A one-time use "Hash" code will appear. The code is case-sensitive, so provide TSPS with the Hash exactly as it appears on the customer's screen. 3. Shut down the customer's computer. 4. Contact TSPS via chat. Select Yes for the pre-chat question regarding firmware reset and provide the Hash to the advisor assisting you. 5. TSPS will provide a signed binary file to be copied to a USB storage device (such as a flash formatted FAT or a USB hard drive with Mac OS Extended with GUID partition table). 6. Insert the drive into the computer while it is off. 7. Start up the computer while pressing and holding the Option key. Continue holding the Option key until the boot picker in EFI appears and confirm the password has been removed. ?Note: If the computer does not start up without the password prompt after following these steps and while you are holding down the Option key, either the Hash was provided incorrectly to TSPS or the file did not read off the drive successfully. The file may have been read correctly but confirmed it does not belong in the computer.  Work with TSPS to troubleshoot these issues if necessary. This process is completely non-destructive to data or settings on the target computer. Note: If a customer has multiple computers with this issue, TSPS can handle up to 500 in one file. To escalate multiple computers, follow the steps above with the following additional step: Provide all the Hash keys in a new-line delimited text file (not RTF, but pure plain text) with no new line at the end. These files can be produced in TextEdit on Mac OS X, or files with multiple entries using vim on the command line. For example:? V400300C1231MED144431A4F414420DDE5F1?C455300Z555ABJ1118713148F413390ACE341? C891200J18334D1099A3B6DD004E3F1A0122? (No new line after the last entry.) After you receive the signed binary file from TSPS, use this procedure to reset the EFI firmware password: 1. Format a Flash drive GUID partition scheme and Mac OS Extended format. Name it Firmware. 2. Drag the binary file named "SCBO" to your Desktop. 3. Open Terminal. 4. Execute this command in Terminal: cp ~/Desktop/SCBO /Volumes/Firmware/.SCBO You should get a new line, no errors. 5. Execute this command in Terminal: cp ~/Desktop/SCBO /Volumes/Firmware/._SCBO You should get a new line, no errors. 6. Eject the Flash drive. 7. Turn off the customer's computer. 8. Insert the Flash drive into the customer's computer. 9. Turn on the customer's computer while pressing and holding the Option key. 10. You should see the lock symbol for a moment, and then the computer should restart to the Startup Manager. 11. If you still see a four-digit passcode lock after these steps at startup, reset the NVRAM by holding down Command-Option-P-R  while restarting the computer. The EFI password is now removed.

Thanks for your advice but where the link for Contact TSPS via chat
So i can contact them

Hi.

Firmware passwords can be removed by changing the configuration of the RAM installed in the machine. I have done it on iMac's, MacBooks & MacBook Pro's and works every time.

Shut down the computer
Remove one RAM chip
Start the computer up and zap the PRAM (3 times after the initial startup chime)
Shut the computer down again
Reinstall the RAM chip

Firmware password should be gone!

Hope that helps.

Changing RAM config does not work on 2011 and newer Macs, which is a relief, really. You will have to contact TSPS via chat in GSX.

@dgreening wrote:

Changing RAM config does not work on 2011 and newer Macs, which is a relief, really. You will have to contact TSPS via chat in GSX.

+1

Any AASP can unlock the firmware, in your case I don't think you have to worry about their looking up the Serial Number to ensure it's not stolen. :)

Anyone ever get any info to contact TSPS or GSX?

here is the GSX link

https://gsx.apple.com/WebApp/signout.htm

In case there are some that are looking here and asking "What is GSX and TSPS?", GSX is a portal for those who have been granted status as a SSA (Self Servicing Account) or AASP (Apple Authorized Service Professional). You have to meet certain requirements such as number of devices, Apple ACMT certification and insurance coverages to be an SSA and the application process for AASP accounts has been closed. TSPS is the technical support chat system that allows a GSX member to chat directly with an apple employee.

Posted 2/21/13 at 9:50 AM by andyinindy -Thanks - that was the answer!

FYI, we have released a new python script that allows management of the firmware password, called Firmware Password Manager. it works using a JAMF JSS extention attribute.

For more info, see web page:

https://github.com/univ-of-utah-marriott-library-apple/firmware_password_manager

We can leverage the nvram string and smart groups in JAMF Casper to automate the distribution of an updated keyfile package and direct clients to change their firmware passwords. We do this by defining an extension attribute (EA) in the JSS. We've included the script we run in the repository for FWPM 2.0.

The EA script runs during recon and pushes the hash up to the JSS. We then define a smart group that contains any machine not sharing the same hash as the current keyfile. This makes it possible to apply a policy directing those machines to download the new keyfile package and run FWPM.

Try it out and let us know.

I had the same thing (firmware-lock and Icloud-lock) and I use a lot of linux distro’s, so I had the feeling of a procedure that would probably work. We’ll it did!

Important! Only if u don’t mind losing the files on your ssd or hd!

1. Download a fedora workstation live-iso https://getfedora.org/





2. Burn the .iso to a usb-stick. With Etcher https://etcher.io/ it will probably always burn successful, and available for win10, mac and linux.

1. Burn it also to a usb-stick with Etcher.


5. Fedora uses also efi, like macOS. So if ubuntu will not show up as a, .Windows install-disc when pressing the alt-key at start-up. Then first boot in fedora live. If u can boot straight to ubuntu you can go to step 7, but it can’t harm to follow step 6 also.


1. Use the Disks utility in Fedora Live and delete all the partitions on the ssd/hd. Reboot.





2. Boot into ubuntu. And actual install it on the whole ssd/hd. Because we still need to replace the apple-efi-recovery with grub2-bootloader. In the install-proces you will get a warning like: “When proceeding you will delete efi. It can be difficult to install another OS later on the machine” We’ll just press ok, and accept the grub2-install of ubuntu. Reboot.

1. Open disk-utility and just format the ssd/hd back to 1 Apple journaled GUID-partition





2. Select fresh OSX install. Done! A fresh MacBook Air that u can register with your own Apple-ID.

Please add comments, when u run into some kind of trouble! Good luck!

Unfortunately I'm having similar problems. My iCloud was hacked and they remotely locked it, leaving a nice message to email 'applecode@email.com'. This email no longer exists. I've tried Apple but without proof of purchase, they refuse to help me, which is frustrating, but I kinda understand if thats policy.

I'm trying to follow DrAmsterdam's instructions, but trying to figure out how I boot from Ubuntu or Fedora? I cant get to the boot drive selection screen because it asks for my firmware password (iCloud PIN) every time.

Any tips?

I was able to create a script that removes the current firmware password. I modified some scripts that I found in the thread that @Chris posted. Hopefully this helps people!

#!/bin/bash
#
/usr/bin/expect<<EOF

spawn firmwarepasswd -delete
expect {

"Enter password:" {
        send "YOUR_CURRENT_PASSWORD
"
        exp_continue
    }

}
EOF
echo "Firmware Password Has Been Removed"
echo "Now sleep"
sleep 5
echo "Initiating Reboot. . ."
reboot

rmorse,

Can you confirm whether this script is working? I copied it into script editor and tried to save it, and it keeps giving me an unexpected end error.

I just used the script on a MBA 11in 2013 running OS X 10.12.6 and it worked perfectly.

Well, I'm a student in a international school with jss macbook airs. So basically u can install rEFInd on a external usb drive with EFI partition and overwrite the boot directory with sudo bless. simply boot from the usb and u can access single user mode without touching any hardware. You know what to do after u have single user mode access. Other way is a bit hard. mount he recovery HD partition on to the macintosh HD disk and there will be reset firmware password application. use dictionary attack, yes, i meant DICTIONARY!!!! it takes ages but u can know it and help your friends... I suggest u get more protection on the school computers, buddy... students are more clever than u think.

any link ? i would go with the first method

@TapeTheEscape Were you able to figure out a way?

@rattler Were you able to figure out a way?

@rmorse Can this script be used from a USB during bootup to remove the firmware password?

@rmorse How can I run this script on a mba I can not login too? With everything on lockdown, he cant access anything on his computer and there is a firmware password. Mid 2012 so ram trick wont work?

@rmorse i want to take existing firmware password in a variable and reset it.. is that possible in your script?
Since Firmware passwords are different in few macs in my environment.