How to Reveal Firmware Password in Terminal


A firmware password on Mac systems locks the hardware to prevent booting to alternative modes that could bypass OS X security, but in order to access some of these modes you first have to disable the firmware password. While this can be done using Apple’s Firmware Password Utility on the recovery drive or OS X installation disc, there may be times when you do not have access to this drive, either because it is missing or corrupted, and therefore cannot use the password utility.

Unfortunately, in these cases for newer Mac systems shipped in 2011 or later, you have to get the system serviced to reset the password; however, if you own a system from before 2011, then you can retrieve a forgotten password, provided you have admin access to the system.


Firmware Password Utility in the Utilities menu
The Firmware Password Utility is by default in the Utilities menu on the recovery partition or on the OS X install disc, and may not be available if you cannot boot to these volumes.

Screenshot by Topher Kessler/CNET

On these systems, the firmware password is stored as a PRAM variable in which the password is simply obfuscated. This means it is run through a very basic conversion that keeps the same character logic of the password and therefore makes the password illegible without truly scrambling its sequence. In essence this hides the password without encrypting it to any degree, similar to typing with your keypresses shifted to the right by one letter to make the input text look garbled. For instance, if you were to type “MyPassword” in this way, then this basic obfuscation routine would produce “<u{sddeptf” as the password.


There is no complex cipher or key used in this scheme, and as a result revealing the password is as simple as reversing this process and shifting each character over one character on the keyboard.

In a similar manner, Apple obfuscates the EFI firmware password when it is stored in the system’s PRAM, thereby making it relatively easy to uncover using a few steps, for which you just need the Terminal utility, the OS X Calculator application, and perhaps a text editor depending on the length of the password.

First you will need to get the obfuscated password from the PRAM by running the following command in the Terminal:

sudo nvram security-password

This step requires administrative access, and ensures your password is secured from others who might try accessing your system to get the password. At this point you should see an output similar to the following:

security-password %fa%cb%d9%d9%dd%c5%d8%ce

In the password string, count the number of percent symbols, which are separators for the hex codes that represent a character of your password, where two hex code characters together represent one ASCII text character. Since the Calculator can only handle words up to 8 characters (16 hex characters), if there are more than 8 symbols, then you will have to split the password up and convert it in sections.

Therefore, copy the security password output from the Terminal to a text editor and delete the percent symbols in it, followed by splitting the password string at every 16th character. After this, perform the following steps on each 16-character section:

  1. Open the Calculator and set it to Programmer mode in the View menu or by pressing Control-3.
  2. Copy one 16-character section of your password and paste it into the calculator. You should see its binary equivalent shown below the yellow-green display, and also see its ASCII-text representation at the bottom-left of the display (you may have to click the “ASCII” button to reveal this).
  3. Starting with the first bit in the binary output (the one furthest from the blue zero at the right), reverse every other bit by clicking its corresponding 1 or 0. For example, if you see “1010 0101” then change it to “0000 1111.”

    Each ASCII character of the password will be a group of 8 bits (a “byte”). Each of the two hex values that represents one of these characters is a group of four bits (a “nibble”), giving 16 possible combinations for a nibble. Hexadecimal numbering goes from 0 through 9 and then continues with A through F, giving 16 possible values to represent the combinations of a nibble.


Firmware password decoding in the Calculator
In this example, half of the password has been converted by clicking every other bit in the binary code to convert it to the reverse value. To reveal the rest of the password (in this case being “Password”) one would continue at the point of the arrow (the half-way point) and click every other bit to also switch it. When finished, the password will be revealed in the ASCII text area of the calculator display.

Screenshot by Topher Kessler/CNET

As you do this reversal of every other bit, you will see the ASCII output in the calculator reveal your password, or at least the section of it that is represented by the 16-character segment being operated on. Write down the revealed text password and then repeat this process for additional segments of the password, after which you should have your firmware password.

Another method for doing this in Calculator is to enter the password hex string, then click the “XOR” button, followed by typing in all “A” characters.
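
The bit-flipping steps and the XOR-with-“A” shortcut above are the same operation: each byte is XORed with hex AA (binary 1010 1010). The sketch below is an added example, not part of the original article; the function names are hypothetical, and it assumes the nvram output format shown above, with any byte that nvram prints as a plain character instead of a %xx code taken literally.

```python
import re

XOR_KEY = 0xAA  # binary 1010 1010: flips every other bit, starting with the first

# One token is either a %xx escape or a single literal character.
_TOKEN = re.compile(r"%([0-9a-fA-F]{2})|(.)", re.S)


def parse_nvram_value(line):
    """Turn 'security-password %fa%cb...' (or just the value) into raw bytes."""
    value = line.strip()
    if value.startswith("security-password"):
        value = value[len("security-password"):].strip()
    raw = bytearray()
    for hex_pair, literal in _TOKEN.findall(value):
        if hex_pair:
            raw.append(int(hex_pair, 16))
        elif ord(literal) < 0x80:
            raw.append(ord(literal))  # assumption: printable bytes appear unescaped
        else:
            raise ValueError("unexpected non-ASCII character in nvram output")
    return bytes(raw)


def deobfuscate(line):
    """Reverse the obfuscation: XOR every stored byte with 0xAA."""
    plain = bytes(b ^ XOR_KEY for b in parse_nvram_value(line))
    return plain.decode("ascii", errors="replace")


def obfuscate(password):
    """Produce the stored form, to show the scheme is its own inverse."""
    return "".join("%{:02x}".format(b ^ XOR_KEY) for b in password.encode("ascii"))


if __name__ == "__main__":
    sample = "security-password %fa%cb%d9%d9%dd%c5%d8%ce"  # sample output from the article
    print(deobfuscate(sample))
    print(obfuscate("MyPassword"))
```

Unlike the Calculator, this handles passwords longer than 8 characters in one pass, so no splitting into 16-character sections is needed.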

The ability to perform this procedure may at first sound concerning since it can reveal a password and seems like a relatively easy way to do so; however, since it requires administrative access to get the obfuscated password in the first place, if you do not want someone revealing it then do not give them administrative access to your computer.

