10.6: Set a firmware password from the command line

Sep 12, '11 07:30:00AM

Contributed by: tom larkin

I am in the middle of mass deploying thousands of new MacBook Airs at work, and all my previous tools to set the firmware password no longer work in late 2010 or newer models of Macs. This was due to some sort of change on firmware, but I haven't dug deep enough to know what exactly changed.

I needed a work around fast so I was looking into the Firmware Password Utility found on the Installer DVDs. There is a tool called setregproptool inside the package contents of this utility. This command line tool can be used to set the firmware password on your Mac.

My problem of course was that I did not have a new Installer DVD at all, in fact all I had were a few thousand of the USB OS X installer disks that ship with Macbook Airs. So, if you open up Terminal and browse the Mac OS X Install USB stick, you will see these contents:

$ cd /Volumes/Mac\ OS\ X\ Install
$ ls -l
total 8254080
-rw-r--r--@ 1 hadmin  staff    13447709 Dec  8  2010 Extensions.mkext
-rw-r--r--@ 1 hadmin  staff      346540 Dec  8  2010 Install iLife.pkg
-rw-r--r--@ 1 hadmin  staff  4193180820 Dec  8  2010 MacOSX.dmg
-rw-r--r--@ 1 hadmin  staff       46401 Nov 19  2010 MacOSX_Media_Background.png
drwxr-xr-x@ 3 hadmin  staff         102 Dec  8  2010 Packages
drwxr-xr-x  3 hadmin  staff         102 Aug 25  2010 SimpleInstallAssistant.app
drwxr-xr-x@ 3 hadmin  staff         102 Dec  8  2010 System
-rw-r--r--@ 1 hadmin  staff      332464 Dec  8  2010 boot.efi
-rw-r--r--@ 1 hadmin  staff         361 Dec  8  2010 com.apple.Boot.plist
-rw-r--r--@ 1 hadmin  staff    18693813 Dec  8  2010 mach_kernel
You need to copy that MacOSX.dmg to your desktop or somewhere on your machine, then change the hidden flags via:

chflags nohidden ~/Desktop/MacOSX.dmg (if it is on your desktop).

Now you can mount the image and navigate into the /Applications/Utilities folder and find the Firmware Password Utility app, go into the package contents and find the proper version of the tool.
/Volumes/Mac OS X Install Image/Applications/Utilities/Firmware Password Utility.app/Contents/Resources

sudo ./setregproptool -h
Password:
setregproptool v 2.0 (7) Oct  3 2010
Copyright (C) 2001-2010 Apple Inc.
All Rights Reserved.

Usage: setregproptool [-c] [-d [-o ]] [[-m  -p ] -o ]

    -c              Check whether password is enabled. 
                            Sets return status of 0 if set, 1 otherwise.
    -d              Delete current password/mode.
                            Requires current password on some machines.
    -p              Set password.
                            Requires current password on some machines.
    -m              Set security mode.
                            Requires current password on some machines.
                            Mode can be either "full" or "command".
                            Full mode requires entry of the password on
                            every boot, command mode only requires entry
                            of the password if the boot picker is invoked
                            to select a different boot device.

                    When enabling the Firmware Password for the first
                    time, both the password and mode must be provided.
                    Once the firmware password has been enabled, providing
                    the mode or password alone will change that parameter
                    only.

    -o              Old password.
                            Only required on certain machines to disable
                            or change password or mode. Optional, if not
                            provided the tool will prompt for the password.

[crarko adds: I haven't tested this one. Obviously handy of you need to do a mass deployment. If you get this (or something similar) working in Lion as well please mention so in the comments.]

Comments (11)


Mac OS X Hints
http://hints.macworld.com/article.php?story=20110720140521460