Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Protect your Mac using an Open Firmware banner System
This article discusses a technique of installing personal contact information into your Mac in such a way that you have a good chance of getting it back in the even of theft. Password protection is a great feature of OS X and if used properly, will protect your files to some degree from intruders. It's well known how to override and change the password with an OS X boot CD. If you're smart, you're using Apple's Open Firmware (OF) Password protection on your notebook (or desktop for that mater!) to prevent access from any intruders. Now your files are safe. But what about your Mac?

If someone steals your Mac, if you have a password to keep them from using the computer and you've installed the OF Password, what they've acquired is little more that a very pretty doorstop! They can't even replace the hard drive since, without the OF Password, they're locked out of initializing it. And yet, with all this protection, there's no simple method for anyone to get it back to you, its rightful owner!

Open Firmware has a rarely used variable called oem-banner that, when activated, displays a single line of text at the top of the Open Firmware screen. This is where we're going to place our information. This can be done from a Terminal window or from within Open Firmware itself.

First decide on your string of text. Don't give so much info that your identity is at risk, but give enough that you can be contacted when the Mac is recovered. I recommend that you turn off Open Firmware protection until you have the string installed and working. This is for the not-so-rare case that something goes wrong and you need to Reset the PRAM (Command-Option-R-P at startup). If your password is set, this cannot be done!

From a Terminal window, enter your string using the following command:
Macintosh:~ lasvegas$ sudo nvram oem-banner?=true
password:
Macintosh:~ lasvegas$ sudo nvram oem-banner="This computer is the property
 of LasVegas. If found, please call 702-555-1212 or email las_vegas@here.net"
Note: the last line (which stores the actual text string) has been shown on two lines. It should be entered as one long line. And you will need to enter your Administrator's password at the password: prompt above. If using Open Firmware instead (Command-Option-O-F at startup), use:
0: setenv oem-banner? true
 ok
0: setenv oem-banner This computer is the property of LasVegas. If found,
please call 702-555-1212 or email las_vegas@here.net<br>
 ok
Note again that the above lines are typed unbroken (no returns).

You can test your banner by rebooting into Open Firmware. Hold Command-Option-O-F at startup. This will display your Open Firmware screen with your banner at the top. To exit Open Firmware, even if your OF Password is set, just type "boot" at the prompt. No password is needed. Once the message is verified as you want it to be, use Apple's Open Firmware Password utility to set your password and your set!

Now if your Mac is found, and the finder has the thought of trying Open Firmware, you just might get it back!
    •    
  • Currently 1.67 / 5
  You rated: 1 / 5 (6 votes cast)
 
[37,053 views]  

Protect your Mac using an Open Firmware banner | 30 comments | Create New Account
Click here to return to the 'Protect your Mac using an Open Firmware banner' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Protect your Mac using an Open Firmware banner
Authored by: rattler14 on Jan 04, '05 08:51:34AM

Note: The top commands only work in bash. Zsh or Tcsh requires a different format.



[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: GaelicWizard on Jan 05, '05 11:44:05PM

Actually, you're wrong.

None of those commands envolve any action on the part of the shell, except invoking a program ("sudo") with a set of arguments ("nvram blah blah"). sudo then, in turn, runs "nvram" as root, with a set of arguments ("oem-banner blah"). nvram then interprets those arguments. At this point, it is way past shell interpretation.

The lines beginning with "setenv" are meant to be typed in OpenFirmware, as an alternative to the sudo commands. OpenFirmware does not run a shell, as it is at a much lower layer in the computer hardware. It has something that looks similar to a shell, which uses a syntax more similar to [t]csh than bash.

JP

---
Pell



[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: kps on Jan 07, '05 03:57:43PM
Actually, he's right.

In csh, by default, it is an error for a glob pattern not to match any file names, and oem-banner?=true is a glob pattern because it contains a question mark. The solution is simply to put quotes around it:


sudo nvram 'oem-banner?=true'
(which also works in sh of course.)

[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: fabrizio on Jan 04, '05 09:06:28AM

It's not so hard to override the OF password protection:

1) Add or remove DIMMs to change the total amount of RAM in the computer.

2) Then, the PRAM must be reset 3 times. (Command + Option + P + R).



[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: mbenchoff on Jan 04, '05 10:58:46AM

This method of blowing away the OF password doesn't work on all Macs -- specifically, the "table lamp" G4 iMacs. I did everything that I could think of and could find online, including removing the memory overnight, but nothing worked.



[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: simonpie on Jan 04, '05 05:05:40PM

It worked very well for me. I was able to reset the OF of a 17" imac.



[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: gpturismo on Jan 04, '05 06:04:41PM

You have to be sure to remove the system memory chip as well as the user memory chip. This requires you opening up your case, so be weary.



[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: mbenchoff on Jan 04, '05 06:14:09PM

I must have had a unique iMac then, as I opened the case, removed both sticks of memory, disconnected every wire and connector, removed the battery, left it open overnight, and it still wouldn't forget the OF password.



[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: designr on Jan 04, '05 06:57:26PM

The RAM config must change: i.e.: the total amount of RAM must change between cold restarts AND hold cmnd-opt-p-r for 3+ chimes.



[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: gpturismo on Jan 05, '05 04:41:45PM

What you are suppose to do is take out all the memory, and then boot the machine without any memory. Shutdown by holding the power key for 5 seconds, re-insert memory and it should work.



[ Reply to This | # ]
Password hint, too
Authored by: dlong on Jan 04, '05 09:33:42AM

Something that goes along nicely with this is to set your password hint to your contact information. Not my idea... I think I got it from http://www.appleturns.com/scene/?id=4358

If I found a powerbook on the side of the road, I'd call the police before trying to boot to open firmware, but I might try a few easy passwords to see if I could get the owner's contact information first...

---
~dlong



[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: cmdahler on Jan 04, '05 09:36:43AM

Just pointing out the fact that setting an OF password doesn't really do diddly to protect your files. It may keep your average joe from being able to use your computer, but there are a couple of ways around the OF password to get at your sensitive stuff.

1. Just pull the hard drive out and mount it on some other computer.

2. Remove or add memory to the computer. This activates a quirk in OF that puts it into a mode in which the PRAM can be reset with Option-Command-O-F. After the PRAM is reset three times, OF password protection is removed.

3. If your computer is swiped by someone who previously had access to it by logging in and was able to get administrative privileges (say, a co-worker), using the Terminal command "sudo nvram -p" will display the entire contents of OF, including the OF password. The password is not cryptographically stored - it's just presented in hexadecimal form.

All of this underscores one of the fundamentals of computer security: no matter how secure your computer may be, if someone gets physical access to it for even a short time, you're hosed. If you've got sensitive data, put it on a FireWire drive or other removable storage device like a USB keychain drive and either use FileVault or PGPDisk to strongly encrypt it, and don't ever let that storage device out of your sight.



[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: Raven on Jan 04, '05 10:02:27AM

The fact remains that the average person who will find your computer will not know Macs and neither will his/her friends...
But just to add to the "putting the HD in another computer" part... Just use filevault... It'll make it alot harder to get to your files even if they do get onto your computer....



[ Reply to This | # ]
Bad attitude
Authored by: porkchop_d_clown on Jan 04, '05 10:05:43AM

I'm sorry but this is like saying that there's no point in locking your bicycle because the thief might have bolt cutters.

A bios password isn't perfect but it is still an obstacle to be overcome.

---
Everyone loves a clown, but no one will lend him money!



[ Reply to This | # ]
Bad attitude
Authored by: Oops on Jan 04, '05 12:29:55PM

I agree with porkchop_d_clown. My father had a way of saying this: "It'll keep the honest person honest." That never made sense to me as a young kid who saw things as very black and white (the way kids do), but it does now that I am older.



[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: kirkmc on Jan 04, '05 10:10:11AM

If I were to travel regularly with a portable computer (which I don't) I'd just stick a label on its underside with my name, address and phone number, then cover it with transparent tape so the text doesn't get worn off.

---
Read my blog: Kirkville -- http://www.mcelhearn.com
Musings, Opinion and Miscellanea, on Macs, iPods and more



[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: houplagrundle on Jan 04, '05 12:17:16PM

Or scratch the details on the base with a sharp implement like a scriber (if you were sure you weren't going to sell it on at some point). It'd be inconspicous in normal use, and impossible to remove.
It wouldn't stop it getting stolen though.



[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: foilpan on Jan 04, '05 12:56:31PM

i've thought about setting an OF password, but i have two main problems with it:

1. i never shut off my powerbook, so i'm not sure how useful it would be in the first place. if the thing gets stolen, the thief might restart it. in that case the OF password might help. but what if he/she doesn't? a thief might not even try to use the laptop before selling it or otherwise unloading the hot merchandise. who cares if it boots? thieves aren't necessarily computer techs, after all.

2. the OF password is easily overridden or circumvented. like others said, just pull some RAM and zap PRAM. or pull the HD and forget the rest.

physical access to the laptop pretty much means any security you have in place is dead in the water anyway. back up your stuff, keep it encrypted, keep the laptop at home if possible... otherwise, there's always a risk it will be stolen.



[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: ibroughton on Jan 04, '05 03:06:11PM

I agree with the thought of using a banner, and using Open Firmware to protect your machine.

Also, the thought of using your password hint to display contact information.

Is there no way of combining these elements to display a banner every time the machine boots, rather than having to go into OF to see the banner?

---
The server is up but the site is down and I don't know which direction you are trying to go



[ Reply to This | # ]
Displaying a more-visible note
Authored by: ClassicUser on Jan 04, '05 03:56:08PM
Regarding:
Is there no way of combining these elements to display a banner every time the machine boots, rather than having to go into OF to see the banner?
Well, you could add a custom string to the login window, as discussed in this previous hint.

Not incredibly elegant, but it gets the job done...

[ Reply to This | # ]

Displaying a more-visible note
Authored by: ibroughton on Jan 04, '05 06:13:22PM

I agree, it gets the job done. I just wish that there was a way that would make this process more pleasing to the eye! :-(

---
The server is up but the site is down and I don't know which direction you are trying to go



[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: Fofer on Jan 04, '05 08:27:10PM

Feh. I just use Imagine BootX to change my boot image. I've changed to to a graphic that has basically the same Apple logo, but with my contact info underneath.

http://chezjd.free.fr/Creation/logiciel.php?sign=ImBX&lang=1

I recognize it's not providing extra security, but if a kind soul found my machine and rebooted, at least they'd see a way to contact me for a reward. :D



[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: Eric-Hints on Jan 04, '05 10:35:03PM

This is a cool hint. Does anyone know how to take it the next step and get the open firmware oem-logo (custom monochrome logo) to work? I googled and saw some hints for how to do it on Sun machines, but I could not figure it out on my PowerBook.



[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: kps on Jan 10, '05 01:04:01PM
Suns display a Sun logo by default, and you normally see the logo and OF messages, followed by kernel messages to the OF console, while booting. Since that's not the case for Macs, I suspect they didn't bother implementing oem-logo just for the three geeks who would try it.

I've changed the logo on Suns so I'm pretty sure I had the method right.

[ Reply to This | # ]

Not working
Authored by: pheed on Jan 05, '05 12:32:28AM

It took two attempts to actually write my contact information to NVRAM. Now when I run nvram -p from Terminal, it shows up properly. However, when I boot using Command+Option+O+F, the banner does not show up. Any ideas as to why this is?

---

E-mail me: moc.cam@deehp



[ Reply to This | # ]
Not working
Authored by: las_vegas on Jan 05, '05 02:30:21AM
You didn't forget to nvram oem-logo?=true did you?

[ Reply to This | # ]
Didn't forget - Still doesn't work.
Authored by: pheed on Jan 05, '05 06:00:43PM

No, I didn't forget to run that command. I've run it a couple of times now. Again, running nvram -p in the Terminal shows my OEM banner, but when I boot to Open Firmware, nothing out of the ordinary is seen. I have a dual 2 GHz Power Mac G5 with OS 10.3.7.

---

E-mail me: moc.cam@deehp



[ Reply to This | # ]
It causes a problem
Authored by: schawimo on Jan 10, '05 06:24:56AM

After I did this, I began to have a message at my login screen, appearing always when I've typed my name and password and confirm with the return key. It sais (translated): "You cannot continue to login at this point of time, because of a problem. Please contact your system administrator."
I resetted the "oem-banner"-entry, but the message remains now. After confirming this message, the system continues to log-in with this name. And other users on this system also have the problem.
Ever seen this?



[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: tgunr on Jan 11, '05 11:19:17AM

To all the folks trying to use the Open Firmware password protection let me make this perfectly clear; to quote Richard Nixon. :)

Numero Uno, Open Firmware password protection is dependent upon the physical security of the unit. Since the password can be reset by changing the physical RAM size it is fairly obvious that in order to prevent changing the size the unit must be in a secure location e.g. locked in a cabinet.

Second, once invoked the boot-device is locked down and there is no way to change booting to a different device since the search algorithm is disabled along with all snag keys that can modify the boot-device. This severely limits the booting flexibility Mac users enjoy over their PC brethren.

Password protection was primarily implemented to protect units in environments where the computer can be physically locked. This means towers and and iMacs that can be locked to prevent access to the RAM.

Any other environment will at best only prevent casual attempts at breaking the security. At worst, if you need to switch boot devices or want to use the unit in target disk mode it is a pain to have to go into Open Firmware every time.

I personally have never used it nor ever will until the RAM override mechanism is removed which will never be since Apple was concerned about thousands of units which could potentially be locked forever if someone tried to use password protection and subsequently forgot their password.



[ Reply to This | # ]
Protect your Mac using an Open Firmware banner
Authored by: limbo on Jan 21, '05 06:03:00PM

I've dealt with enough clients that have lost their regular login passwords to know this is a big possibility.

And really the open firmware password is going to screen out quite a few people. There is no reason that the person who steals your laptop is going to be tech savvy.



[ Reply to This | # ]