For What Reasons to Change the Macbook Efi Firmware Chip

With Apple’south

firmware countersign feature

on Mac systems you can lock down the options to select an alternative startup disk, boot to Safety or Single User modes, reset the PRAM, and otherwise start the system in ways that can bypass the security features of Os X.

However, as a security mensurate the firmware password has been met with some criticism because it could hands be bypassed past someone who has concrete access to the system. In earlier Intel-based Macs the firmware countersign was stored in the PRAM of the organisation, and was simply read by the system’southward EFI firmware earlier other PRAM variables in social club to maintain the lock on the system; notwithstanding, this setup had drawbacks that allowed the firmware to be reset or fifty-fifty revealed.

Altering the organisation’due south hardware configuration, such as past removing or adding RAM modules, would articulate the security countersign and permit booting to alternative modes. Non only did this basic way of bypassing the password exist, simply the countersign was besides not stored very securely. While authoritative rights are required to uncover it, with these rights one can use included utilities in OS Ten to

reveal the countersign in the PRAM
, which is masked just by a elementary obfuscation routine.

These fallbacks fabricated the Mac’s firmware password almost laughable as a security measure, only this has changed with newer Mac systems. Starting in 2011, users began finding they could no longer reset their firmware passwords simply by modifying the hardware configuration. The systems would maintain the lock and forbid the employ of alternate boot modes, leaving no choice for those who had set the password then forgotten information technology only to bring their systems in to Apple tree for servicing.

In these newer systems, instead of using the PRAM to store the EFI firmware password, Apple has resorted to using a separate
programmable controller from Atmel
(PDF) that contains lockable flash memory used to shop the password. This tiny chip is tucked away on the motherboard and includes include a security feature that stores the password in ways that crave special programming with identifier numbers for both your motherboard and the Atmel chip to access and erase, which must done using special routines during the boot process.

As it’s not dependent on other system components to maintain this lock, this new bit therefore cannot exist unlocked simply by a hardware modify. The password is as well not available in the PRAM, and so it cannot be revealed to users, regardless of their authoritative status.

To reset the firmware password on newer Macs, you lot must now follow these steps:

1. Boot with Option fundamental held to display the boot menu’due south firmware password prompt.
2. Press Command-Option-Command-Shift-S to reveal a 33-digit hash (mixed letters and numbers) that contains an identifier for your specific motherboard and the Atmel chip used for your organisation. In this hash, the first 17 digits are an identifier for the system’s motherboard, and the last 16 digits are a hash for the password.
3. Submit the hash to Apple, where someone will put information technology through a special utility to create a keyfile that is specific for your auto.
4. Place the file on a special USB kicking bulldoze and hold Option to load the kick menu and select this drive.
5. The arrangement will read the file and properly reset the firmware password stored in the Atmel fleck.

This process may seem easy plenty, except that the utility for creating the keyfile is kept at Apple tree then you accept to get through an authorized service middle, which will contact technicians at Apple tree for this service. Secondly, the Apple technicians will not give yous the keyfile for unlocking your system, so you must get your system serviced to perform this pace.

Even if you were able to get the keyfile, information technology cannot be used on any other Mac system. The Atmel chip’s series number and motherboard identifier are factory-programmed, resulting in a pairing that is unique for your system. This is why the hash numbers for your organization must exist programmed into the keyfile, making it motorcar-specific.

Even so, in that location is ane way to bypass the Atmel chip, which is to manually remove information technology and solder a new, unlocked chip to your motherboard; however, without precise reflow soldering tools and techniques, this would likely outcome in an unmitigated disaster that not merely would void your warranty, but would very probable break your machine.

Coupled with Apple’south FileVault full-disk encryption to protect data should the hard drive exist removed, the firmware password in Apple tree’s latest systems provides a very effective hardware security lock. Setting information technology up involves the aforementioned steps every bit for all of Apple’due south hardware, but these advances make information technology then that to modify or remove information technology you need to either use the aforementioned firmware password utility and recollect the previous password, or have information technology serviced.

Questions? Comments? Have a fix? Post them beneath or
email united states!
Be sure to check us out on
Twitter
and the
CNET Mac forums.