10.6: Set a firmware password from the command line

I am in the middle of mass deploying thousands of new MacBook Airs at work, and all my previous tools to set the firmware password no longer work in late 2010 or newer models of Macs. This was due to some sort of change on firmware, but I haven't dug deep enough to know what exactly changed.

I needed a work around fast so I was looking into the Firmware Password Utility found on the Installer DVDs. There is a tool called setregproptool inside the package contents of this utility. This command line tool can be used to set the firmware password on your Mac.

My problem of course was that I did not have a new Installer DVD at all, in fact all I had were a few thousand of the USB OS X installer disks that ship with Macbook Airs. So, if you open up Terminal and browse the Mac OS X Install USB stick, you will see these contents:

$ cd /Volumes/Mac\ OS\ X\ Install
$ ls -l
total 8254080
-rw-r--r--@ 1 hadmin  staff    13447709 Dec  8  2010 Extensions.mkext
-rw-r--r--@ 1 hadmin  staff      346540 Dec  8  2010 Install iLife.pkg
-rw-r--r--@ 1 hadmin  staff  4193180820 Dec  8  2010 MacOSX.dmg
-rw-r--r--@ 1 hadmin  staff       46401 Nov 19  2010 MacOSX_Media_Background.png
drwxr-xr-x@ 3 hadmin  staff         102 Dec  8  2010 Packages
drwxr-xr-x  3 hadmin  staff         102 Aug 25  2010 SimpleInstallAssistant.app
drwxr-xr-x@ 3 hadmin  staff         102 Dec  8  2010 System
-rw-r--r--@ 1 hadmin  staff      332464 Dec  8  2010 boot.efi
-rw-r--r--@ 1 hadmin  staff         361 Dec  8  2010 com.apple.Boot.plist
-rw-r--r--@ 1 hadmin  staff    18693813 Dec  8  2010 mach_kernel

You need to copy that MacOSX.dmg to your desktop or somewhere on your machine, then change the hidden flags via:

chflags nohidden ~/Desktop/MacOSX.dmg (if it is on your desktop).

Now you can mount the image and navigate into the /Applications/Utilities folder and find the Firmware Password Utility app, go into the package contents and find the proper version of the tool.

/Volumes/Mac OS X Install Image/Applications/Utilities/Firmware Password Utility.app/Contents/Resources

sudo ./setregproptool -h
Password:
setregproptool v 2.0 (7) Oct 3 2010
Copyright (C) 2001-2010 Apple Inc.
All Rights Reserved.

Usage: setregproptool [-c] [-d [-o ]] [[-m -p ] -o ]

-c Check whether password is enabled.
Sets return status of 0 if set, 1 otherwise.
-d Delete current password/mode.
Requires current password on some machines.
-p Set password.
Requires current password on some machines.
-m Set security mode.
Requires current password on some machines.
Mode can be either "full" or "command".
Full mode requires entry of the password on
every boot, command mode only requires entry
of the password if the boot picker is invoked
to select a different boot device.

When enabling the Firmware Password for the first
time, both the password and mode must be provided.
Once the firmware password has been enabled, providing
the mode or password alone will change that parameter
only.

-o Old password.
Only required on certain machines to disable
or change password or mode. Optional, if not
provided the tool will prompt for the password.

[crarko adds: I haven't tested this one. Obviously handy of you need to do a mass deployment. If you get this (or something similar) working in Lion as well please mention so in the comments.]

$ sudo hdiutil attach -readonly "Install Mac OS X Lion.app"/Contents/SharedSupport/InstallESD.dmg $ sudo hdiutil attach -readonly /Volumes/"Mac OS X Install ESD"/BaseSystem.dmg $ sudo /Volumes/"Mac OS X Base System"/Applications/Utilities/"Firmware Password Utility.app"/Contents/Resources/setregproptool -h setregproptool v 2.0 (9) Jun 16 2011 Copyright (C) 2001-2010 Apple Inc. All Rights Reserved. Usage: setregproptool [-c] [-d [-o <old password>]] [[-m <mode> -p <password>] -o <old password>] -c Check whether password is enabled. Sets return status of 0 if set, 1 otherwise. -d Delete current password/mode. Requires current password on some machines. -p Set password. Requires current password on some machines. -m Set security mode. Requires current password on some machines. Mode can be either "full" or "command". Full mode requires entry of the password on every boot, command mode only requires entry of the password if the boot picker is invoked to select a different boot device. When enabling the Firmware Password for the first time, both the password and mode must be provided. Once the firmware password has been enabled, providing the mode or password alone will change that parameter only. -o Old password. Only required on certain machines to disable or change password or mode. Optional, if not provided the tool will prompt for the password. $

Hints by Topic

10.6: Set a firmware password from the command line | 11 comments | Create New Account

Click here to return to the '10.6: Set a firmware password from the command line' hint

The following comments are owned by whoever posted them. This site is not responsible for what they say.

10.6: Set a firmware password from the command line
Authored by: Anonymous on Sep 12, '11 09:38:27AM

You need to copy that MacOSX.dmg to your desktop or somewhere on your machine, then change the hidden flags

Why? It's entirely optional. There's nothing stopping you from mounting the disk image directly. You don't even have to mess with diskutil -- just use the open command:

open  "/Volumes/Mac OS X Install/MacOSX.dmg"

10.6: Set a firmware password from the command line
Authored by: tom larkin on Sep 12, '11 03:25:41PM

You can also use hdutil on this as well to mount the image. However, given my time crunch of it needed to be done yesterday this was my very first draft on how to do it. By all means you are correct, this could have been a bit smoother I won't argue that

10.6: Set a firmware password from the command line
Authored by: aanti on Sep 12, '11 09:55:20AM

Hey dude, where do you work that every employee gets an MB Air? It must be a very good workplace then, I must apply there :)

10.6: Set a firmware password from the command line
Authored by: agentx on Sep 12, '11 10:09:33AM

Very useful info, I have had to do this another way by downloading Mac Mini/Air Builds from App Store (Not forking out for Apple USB recovery keys!) using Recovery HD and hard shut down before it installs then extract the InstallESD.dmg file to create my images from and the firmware password tool and use the Magic of Deploystudio for the rest.

10.6: Set a firmware password from the command line
Authored by: agentx on Sep 12, '11 10:33:15AM

As such the lack of media is a problem for most users and I urge you to immediately create
1) A Lion recovery disk from USB Flash drive and put it somewhere safe http://support.apple.com/kb/dl1433
2) If you can make a proper install flash drive with full installer on then even better, so you do not have to wait for download again !
3) A complete TimeMachine backup before you do anything or a ASR disk image as it out of the box.
There are a few ways.... that Apple has made us jump through hoops for the privilege of installing their OS !

They really dropped the ball on this one. I managed to get into a right pickle (Bricked Mac) a few weeks ago after creating a RAID set on Mac Mini Server and the USB recovery disk did not work correctly (Kernal Panic), internet recovery from UK was not having it. Luckily i was only 15 mins walk from AppleStore. After an hour or so explaining my way up the chain of command past the super-genius's to the Manager.....he swapped it.

I might add most people had no idea what a machine specific build was and the fact that the key they were trying to sell me would not boot the Mac Mini or Air anyway.

10.6: Set a firmware password from the command line
Authored by: dzurn on Sep 12, '11 11:04:45AM

I am in the middle of mass deploying thousands of new MacBook Airs at work...

Is your company hiring? Please?

---
Madness takes its toll.
Please have exact change.

10.6: Set a firmware password from the command line
Authored by: tom larkin on Sep 12, '11 03:29:25PM

I wish, I could actually use some help supporting these things

10.6: Set a firmware password from the command line
Authored by: tom larkin on Sep 12, '11 03:34:11PM

I copied the command line binary into my image and baked it with InstaDMG. I put the binary in the standard $PATH and kept all permissions the same, root:wheel 700, and now I can script out changes and deploy them while my Macs are in the field. I can also mass deploy during imaging.

Hope this helps

10.6: Set a firmware password from the command line
Authored by: manicmoose on Sep 13, '11 03:56:06AM

This worked for me on my mid-2010 MBP running Lion.
Interestingly, running "setregproptool -c" *does* clear the password, and did *not* require me to authenticate in any way whatsoever.
Of course, I was already logged in, but still, if you run the GUI version it *does* make you enter your user password first.
Slack, apple, slack.

10.6: Set a firmware password from the command line
Authored by: martinv2 on Sep 13, '11 05:04:00AM

For Lion (the version downloaded from AppStore):

P.S.: I've been lurking on Mac OS X Hints for a while now, and I must say, this is incredibly useful - thanks, guys!

10.6: Set a firmware password from the command line
Authored by: tom larkin on Sep 13, '11 07:47:33PM

Also, one caveat with this is that if you disable it, the last command output will still be 0 until you reboot. Since the binary itself should return 1 if the firmware password is not set with the -c option.

Hint Options

Search

From our Sponsor...

Latest Mountain Lion Hints

User Functions

What's New:

Hints

Comments last 2 days

Links last 2 weeks

What's New in the Forums?

Hints by Topic

News from Macworld

From Our Sponsors