
08 May 2007

What you need to know about the Apple firmware password

The Apple firmware password can be a very important tool to make your Mac more secure: it basically prevents anyone who does not know the password from reformatting your hard disk. For Undercover users, this is particularly useful, since a reformat is the only way to disable Undercover. In spite of its usefulness, the firmware password utility is one of the most poorly understood Apple tools.

Before explaining how to enable the firmware password on your Mac, we first squash some common misconceptions.

Misconception 1: The firmware password does not work on Intel Macs.
This is absolutely untrue: Intel Macs use EFI (Extensible Firmware Interface), and Apple has adapted the firmware password utility to work with EFI. For the end user, this is completely transparent: although the underlying technology is totally different on PPC Macs (Open Firmware) and Intel Macs (EFI), the firmware password utility looks and works the same way on every Mac.

Misconception 2: If I enable the firmware password, I will need to enter a password every time I boot my Mac.
The firmware password needs to be entered only when booting from a disk *other* than your default startup disk. This is what makes the firmware password very convenient: since most of us boot from our default startup disk 99% of the time, one will rarely need to enter a password. At the same time, this prevents thieves from reformatting the HD, because the current startup disk cannot be formatted while in use and booting from another drive without entering the password is impossible.

Misconception 3: If I enable the firmware password, a thief cannot boot my Mac, making Undercover useless.
With the password enabled, a thief can still boot your Mac. The only restriction is that he can boot it only from the default startup disk. As a result, a thief can still work and play with your Mac and Undercover can do its work.
In addition, we recommend creating a dummy user account that has no admin privileges and requires no password. That way, a thief can still log in and connect to the net, while your personal files are hidden behind a password-protected (admin) account.

Misconception 4: With the firmware password enabled, I will not be able to troubleshoot my Mac in case of a problem.
Since you know the password, you will still be able to boot your Mac from any drive you want, including CDs, DVDs, ... and troubleshoot or reformat your drive. You just need to enter the firmware password when prompted.

Enabling the firmware password on your Mac

  • Locate the Mac OS X install CD/DVD that came with your Mac.

  • In the Finder, locate the /Applications/Utilities folder on that disk.

  • Double click the Firmware Password Utility application inside this folder.

  • Click the icon to authenticate. Enter an administrator username and password when prompted.

  • Click Change.

  • Click to select the checkbox for "Require password to change Open Firmware settings".

  • Type your password in the Password and Verify fields and click OK. A confirmation appears.

  • Click the lock icon to prevent further changes.

  • Quit from the Open Firmware Password application.

  • Eject the Mac OS X install disk.


NOTE: It is important NOT to use a disk that came with another Mac model. Also, do NOT download the firmware password utility application from the Net! Use the disk that came with your Mac.

More information regarding the Apple firmware password is available on the Apple website at http://docs.info.apple.com/article.html?artnum=106482.



27 Comments:

At 08 May, 2007 17:43, Anonymous David Lechnyr said...

Perhaps there is a way around this issue: My experience has been that when enabled, the open firmware password will not allow you to boot the computer into target disk mode (for use as a slave device on another mac), even if you enter in the correct password. Perhaps I am just nuts and have missed something obvious, but is this indeed true? It does somewhat complicate troubleshooting my mac if the OS is damaged, since I need to be able to launch the application to remove the password in the first place (chicken and egg). Ideas? Thx!

 
At 09 May, 2007 09:51, Anonymous Ben said...

The info you need seems to be available at the link Peter provided at the end of his post, on the Apple website.

Thanks Peter for a good post, I didn't know about the Firmware password but will now look into it.

Cheers
Ben

 
At 14 June, 2007 19:07, Blogger frankfromnj said...

Peter,

I'm sorry but your answer to Misconception 4 only applies to PPC Macs. Those of us with Intel Macs do not currently have a way to bypass the firmware password without being able to boot our computers from the normal startup drive. Therefore, there is no option for troubleshooting.

Frank

 
At 24 June, 2007 17:06, Blogger Ronald said...

On my iMac 2.16GHz 20" there is *no* applications/utilities folder on the installation disk... Therefore I am not able to set the firmware password. Anyone knows a workaround?

Ronald

 
At 07 July, 2007 08:34, Anonymous frankfromnj said...

I want to update that Peter helped me with troubleshooting an intel-based Mac with the Firmware Password set.

It turns out that all you have to do is hold down the option (alt) key during startup and once you enter your firmware password you will be able to select a disk.

 
At 09 October, 2007 18:00, Blogger Kris, Mike & Cohen said...

Does the firmware password also prevent you from booting into Windows via Boot Camp?

 
At 30 October, 2007 21:56, Blogger Jeremy said...

Has anyone found a way to enable the password in Leopard? I am unable to locate the /Applications/Utilities on the Install DVD.

 
At 31 October, 2007 08:15, Blogger dlanorpi said...

Use commandline to access it. The folder Applications and others are hidden in Finder.

 
At 31 October, 2007 19:23, Anonymous Kent said...

With the Firmware Password set on my MacBook Pro, by holding down the option key, I've been given a choice of booting from my original Install Disk or the system installed on the MPro. However, when I try the same steps with Tech Tools Deluxe which has an operating system on the disk, the TTD disk is not shown as a choice option to boot from. Is there a way for me to boot from the TTD disk? Will I need to reset the Firmware Password to its default setting so that I can just hold the C key down when I boot from the TTD disk? If so, what are the steps for getting the Firmware Password back to its unset mode? txs. Kent

 
At 01 November, 2007 02:26, Anonymous Anonymous said...

Yeah, dlanorpi is right, it is there on the Leopard DVD... but hidden and inaccessible from the GUI... what a pain in the a$$.

For people rusty at the CLI like me enter the DVD into the drive and then from the CLI:

cd /Volumes/Mac*/Applications/Utilities

then once there

open Firmware*

Good luck! And thanks for bringing this great security app to Leopard for no extra cost.. We'll continue to promote you. Thanks again.

 
At 13 November, 2007 06:40, Blogger Ben said...

For those using Leopard and nervous about using the command line, it may be easier to boot to the install disk (by restarting, holding the Option key at the startup tone and then selecting the install disk) and then running the Firmware Password Utility from the drop-down menu.

 
At 21 November, 2007 00:13, Blogger Michael said...

You can also use a wonderful program called TinkerTool to make the finder show hidden files and then change it back after you are done! TinkerTool has tons of other great features as well.

 
At 27 November, 2007 13:14, Anonymous Fredrik said...

Another way of doing it is to open the cd and in the Go menu choose Go to Folder and type in Applications

 
At 27 November, 2007 15:22, Anonymous Anonymous said...

Or you could go to an instance of Finder,
Press Command + Shift + G (Go To Folder) and type:

/Volumes/Mac OS X Upgrade DVD/Applications/Utilities

 
At 12 December, 2007 02:34, Anonymous Anonymous said...

Would booting up in firewire disk mode, then installing the os from another computer bypass undercover & firmware password?

 
At 15 December, 2007 14:18, Anonymous John said...

I have upgraded my Mac with OSX Leopard. I have the original DVD with OSX Tiger (10.4.10) - Can I use this one from the DVD or should I be able to find this on the Upgrade DVD from Leopard?

 
At 10 January, 2008 00:22, Anonymous Anonymous said...

I did the same thing, and I found the password utility on the upgrade DVD in Applications/Utilities using a terminal window. This directory is hidden, but you can get there quite easily from the command line.

 
At 26 January, 2008 00:26, Blogger Tim said...

Is it safe to copy the Firmware Password Utility from the install DVD to the HDD in my MBP and use it from there (in Leopard)?

 
At 26 January, 2008 13:17, Blogger Peter Schols said...

Hi Tim,

Yes, that will definitely work.
Peter

 
At 02 February, 2008 18:00, Blogger vgp said...

Just bought the Undercover. Nice piece of software.
( Intel PowerBook Pro / OS 10.4.11)

After going through both Peter's article and Orbicule procedure on Open Firmware Pass, let me see if I got this right:

1. If you enter your OF password in the Startup Manager, ( holding alt at startup )
you can still use the "C" key to start up from an optical disc.
( Misconception #4 ) Right?

How about the rest of the list?
use the "N" key
use the "T" key to start up in Target Disk Mode
start up a system in Single-user
reset Parameter RAM (PRAM)
start up in Verbose mode
start up in Safe Boot ?

Does it still apply that all of the above are disabled UNLESS
you know your OF pass ?

2. I don't have an Open Firmware Password application in Apps > Utilities. There is a MacBook Pro EFI Firmware Update which tells me I am updated to the latest version ( 1.4 ), but there is no OFP application anywhere on this machine.
Could I copy it from the Mac X install DVD ?

3. If I use the Mac X install disk for setting up the OF password,
could I go back and disable the OF password by just un-checking
"Require password to change Open Firmware settings",
following the same path?

4. How about if I use a COPY of the Mac X install, would that make any difference as long I use it consistently for OF settings?

Many anticipated thanks,

VGP

 
At 08 February, 2008 22:25, Blogger Mike said...

VGP:
Here's a good overview of the firmware password:
http://docs.info.apple.com/article.html?artnum=106482


This may be different on a PPC mac, I sold my last PPC in December.

1) The only alternate to booting to login with firmware password enabled is holding down option. If you know the firmware password, this will send you to the startup manager, from which you can boot to another disk / cd / netboot. In order to access target disk / single user / etc, you must disable the firmware password. You can get to single user mode by shutting down into it, as documented here:
http://www.macosxhints.com/article.php?story=20020725085134490

2) The easiest way of enabling the OF password is (as documented earlier in this thread) through the utilities drop-down on OS X install CD. Your Macbook is OF password ready already.

3) yes

4) It would only make a difference if the copy has been tampered with.

(many anticipated welcomes, well at least 4)

 
At 11 March, 2008 20:41, Anonymous Anonymous said...

If the firmware password is enabled will the thief be able to change the hard disk?

 
At 14 April, 2008 22:44, Anonymous Jakob said...

If you have a Leopard (Mac OS X 10.5) disc, included in the box of your new Mac, you would have to use these guidelines to change the firmware password:

- Insert the Mac OS X disc

- Go to any Finder window -->
Press Command + Shift + G (Go To Folder) and type:

- /Volumes/Mac OS X Install Disc 1/Applications/Utilities/

This worked for me, as my disc is an included disc and not an upgrade as others have used.

Good luck, and thanks Peter for your hint!

 
At 12 May, 2008 19:21, OpenID arib said...

I just have the OSX 10.5 upgrade DVD, as my macbook was slightly older. How would I set up a firmware password? There doesn't seem to be an Applications directory on my DVD.

 
At 14 May, 2008 11:33, Anonymous Tony Voss said...

Peter... have just purchased Undercover and like it. Have set firmware password on my iMac G5 and find that no firmware password is required to change to a different boot partition on the same disk.

As I understand it, a savvy thief could copy a working system (without Undercover) onto an alternative partition and then boot from it thus circumventing Undercover.

Any comments? Tony

 
At 19 August, 2008 18:51, Blogger Frederic said...

I am wondering how to set firmware password from a macbook air. I guess there would be an option using remote disc, but as it is, I don't have a desktop, nor an external disc drive.

Any suggestions? Frederic

 
At 19 August, 2008 20:40, Blogger Peter Schols said...

Hi Frederic,

If you drop me an email, I'll send you the firmware password utility by email. It should work on the MBA.

Peter
Undercover developer

 


 

Copyright © 2007 Orbicule, Inc. All rights reserved. | Privacy Policy