Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

10.6: Set a firmware password from the command line System 10.6
I am in the middle of mass deploying thousands of new MacBook Airs at work, and all my previous tools to set the firmware password no longer work in late 2010 or newer models of Macs. This was due to some sort of change on firmware, but I haven't dug deep enough to know what exactly changed.

I needed a work around fast so I was looking into the Firmware Password Utility found on the Installer DVDs. There is a tool called setregproptool inside the package contents of this utility. This command line tool can be used to set the firmware password on your Mac.

My problem of course was that I did not have a new Installer DVD at all, in fact all I had were a few thousand of the USB OS X installer disks that ship with Macbook Airs. So, if you open up Terminal and browse the Mac OS X Install USB stick, you will see these contents:
$ cd /Volumes/Mac\ OS\ X\ Install
$ ls -l
total 8254080
-rw-r--r--@ 1 hadmin  staff    13447709 Dec  8  2010 Extensions.mkext
-rw-r--r--@ 1 hadmin  staff      346540 Dec  8  2010 Install iLife.pkg
-rw-r--r--@ 1 hadmin  staff  4193180820 Dec  8  2010 MacOSX.dmg
-rw-r--r--@ 1 hadmin  staff       46401 Nov 19  2010 MacOSX_Media_Background.png
drwxr-xr-x@ 3 hadmin  staff         102 Dec  8  2010 Packages
drwxr-xr-x  3 hadmin  staff         102 Aug 25  2010 SimpleInstallAssistant.app
drwxr-xr-x@ 3 hadmin  staff         102 Dec  8  2010 System
-rw-r--r--@ 1 hadmin  staff      332464 Dec  8  2010 boot.efi
-rw-r--r--@ 1 hadmin  staff         361 Dec  8  2010 com.apple.Boot.plist
-rw-r--r--@ 1 hadmin  staff    18693813 Dec  8  2010 mach_kernel
You need to copy that MacOSX.dmg to your desktop or somewhere on your machine, then change the hidden flags via:

chflags nohidden ~/Desktop/MacOSX.dmg (if it is on your desktop).

Now you can mount the image and navigate into the /Applications/Utilities folder and find the Firmware Password Utility app, go into the package contents and find the proper version of the tool.
/Volumes/Mac OS X Install Image/Applications/Utilities/Firmware Password Utility.app/Contents/Resources

sudo ./setregproptool -h
Password:
setregproptool v 2.0 (7) Oct  3 2010
Copyright (C) 2001-2010 Apple Inc.
All Rights Reserved.

Usage: setregproptool [-c] [-d [-o ]] [[-m  -p ] -o ]

    -c              Check whether password is enabled. 
                            Sets return status of 0 if set, 1 otherwise.
    -d              Delete current password/mode.
                            Requires current password on some machines.
    -p              Set password.
                            Requires current password on some machines.
    -m              Set security mode.
                            Requires current password on some machines.
                            Mode can be either "full" or "command".
                            Full mode requires entry of the password on
                            every boot, command mode only requires entry
                            of the password if the boot picker is invoked
                            to select a different boot device.

                    When enabling the Firmware Password for the first
                    time, both the password and mode must be provided.
                    Once the firmware password has been enabled, providing
                    the mode or password alone will change that parameter
                    only.

    -o              Old password.
                            Only required on certain machines to disable
                            or change password or mode. Optional, if not
                            provided the tool will prompt for the password.

[crarko adds: I haven't tested this one. Obviously handy of you need to do a mass deployment. If you get this (or something similar) working in Lion as well please mention so in the comments.]
    •    
  • Currently 2.77 / 5
  You rated: 1 / 5 (39 votes cast)
 
[15,783 views]  

10.6: Set a firmware password from the command line | 11 comments | Create New Account
Click here to return to the '10.6: Set a firmware password from the command line' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
10.6: Set a firmware password from the command line
Authored by: Anonymous on Sep 12, '11 09:38:27AM
You need to copy that MacOSX.dmg to your desktop or somewhere on your machine, then change the hidden flags
Why? It's entirely optional. There's nothing stopping you from mounting the disk image directly. You don't even have to mess with diskutil -- just use the open command:
open  "/Volumes/Mac OS X Install/MacOSX.dmg"


[ Reply to This | # ]
10.6: Set a firmware password from the command line
Authored by: tom larkin on Sep 12, '11 03:25:41PM

You can also use hdutil on this as well to mount the image. However, given my time crunch of it needed to be done yesterday this was my very first draft on how to do it. By all means you are correct, this could have been a bit smoother I won't argue that



[ Reply to This | # ]
10.6: Set a firmware password from the command line
Authored by: aanti on Sep 12, '11 09:55:20AM

Hey dude, where do you work that every employee gets an MB Air? It must be a very good workplace then, I must apply there :)



[ Reply to This | # ]
10.6: Set a firmware password from the command line
Authored by: agentx on Sep 12, '11 10:09:33AM

Very useful info, I have had to do this another way by downloading Mac Mini/Air Builds from App Store (Not forking out for Apple USB recovery keys!) using Recovery HD and hard shut down before it installs then extract the InstallESD.dmg file to create my images from and the firmware password tool and use the Magic of Deploystudio for the rest.



[ Reply to This | # ]
10.6: Set a firmware password from the command line
Authored by: agentx on Sep 12, '11 10:33:15AM

As such the lack of media is a problem for most users and I urge you to immediately create
1) A Lion recovery disk from USB Flash drive and put it somewhere safe http://support.apple.com/kb/dl1433
2) If you can make a proper install flash drive with full installer on then even better, so you do not have to wait for download again !
3) A complete TimeMachine backup before you do anything or a ASR disk image as it out of the box.
There are a few ways.... that Apple has made us jump through hoops for the privilege of installing their OS !

They really dropped the ball on this one. I managed to get into a right pickle (Bricked Mac) a few weeks ago after creating a RAID set on Mac Mini Server and the USB recovery disk did not work correctly (Kernal Panic), internet recovery from UK was not having it. Luckily i was only 15 mins walk from AppleStore. After an hour or so explaining my way up the chain of command past the super-genius's to the Manager.....he swapped it.

I might add most people had no idea what a machine specific build was and the fact that the key they were trying to sell me would not boot the Mac Mini or Air anyway.





[ Reply to This | # ]
10.6: Set a firmware password from the command line
Authored by: dzurn on Sep 12, '11 11:04:45AM
I am in the middle of mass deploying thousands of new MacBook Airs at work...

Is your company hiring? Please?

---
Madness takes its toll.
Please have exact change.


[ Reply to This | # ]
10.6: Set a firmware password from the command line
Authored by: tom larkin on Sep 12, '11 03:29:25PM

I wish, I could actually use some help supporting these things



[ Reply to This | # ]
10.6: Set a firmware password from the command line
Authored by: tom larkin on Sep 12, '11 03:34:11PM

I copied the command line binary into my image and baked it with InstaDMG. I put the binary in the standard $PATH and kept all permissions the same, root:wheel 700, and now I can script out changes and deploy them while my Macs are in the field. I can also mass deploy during imaging.

Hope this helps



[ Reply to This | # ]
10.6: Set a firmware password from the command line
Authored by: manicmoose on Sep 13, '11 03:56:06AM

This worked for me on my mid-2010 MBP running Lion.
Interestingly, running "setregproptool -c" *does* clear the password, and did *not* require me to authenticate in any way whatsoever.
Of course, I was already logged in, but still, if you run the GUI version it *does* make you enter your user password first.
Slack, apple, slack.



[ Reply to This | # ]
10.6: Set a firmware password from the command line
Authored by: martinv2 on Sep 13, '11 05:04:00AM
For Lion (the version downloaded from AppStore):

$ sudo hdiutil attach -readonly "Install Mac OS X Lion.app"/Contents/SharedSupport/InstallESD.dmg
$ sudo hdiutil attach -readonly /Volumes/"Mac OS X Install ESD"/BaseSystem.dmg
$ sudo /Volumes/"Mac OS X Base System"/Applications/Utilities/"Firmware Password Utility.app"/Contents/Resources/setregproptool -h
setregproptool v 2.0 (9) Jun 16 2011
Copyright (C) 2001-2010 Apple Inc.
All Rights Reserved.

Usage: setregproptool [-c] [-d [-o <old password>]] [[-m <mode> -p <password>] -o <old password>]

    -c              Check whether password is enabled. 
                            Sets return status of 0 if set, 1 otherwise.
    -d              Delete current password/mode.
                            Requires current password on some machines.
    -p              Set password.
                            Requires current password on some machines.
    -m              Set security mode.
                            Requires current password on some machines.
                            Mode can be either "full" or "command".
                            Full mode requires entry of the password on
                            every boot, command mode only requires entry
                            of the password if the boot picker is invoked
                            to select a different boot device.

                    When enabling the Firmware Password for the first
                    time, both the password and mode must be provided.
                    Once the firmware password has been enabled, providing
                    the mode or password alone will change that parameter
                    only.

    -o              Old password.
                            Only required on certain machines to disable
                            or change password or mode. Optional, if not
                            provided the tool will prompt for the password.
$
P.S.: I've been lurking on Mac OS X Hints for a while now, and I must say, this is incredibly useful - thanks, guys!

[ Reply to This | # ]
10.6: Set a firmware password from the command line
Authored by: tom larkin on Sep 13, '11 07:47:33PM

Also, one caveat with this is that if you disable it, the last command output will still be 0 until you reboot. Since the binary itself should return 1 if the firmware password is not set with the -c option.



[ Reply to This | # ]