Operation Firmware Password Protection
by CodeSamurai of SecureMac.com
Disclaimer & Warning
Enabling the Open Firmware password protection feature is done so at your own risk; the author of this article and/or SecureMac will NOT be held accountable or responsible for whatever you do. Changes to Open Firmware that have not been explicitly endorsed by Apple may damage your computer’s logic board. Any repairs that are necessary because of this damage would not be covered under the terms of the Apple One-Year Limited Warranty, AppleCare Protection Plan, or other AppleCare agreement.
Also, updating the Open Firmware with security enabled has been reported to cause permanent password corruption (and the security-mode setting before the update stays). So disable password protection security before applying any Open Firmware update.
Information
Apple’s latest Open Firmware update introduces support for additional security options which allow the Open Firmware to be password protected. Similar to the typical PC BIOS password protection feature, this feature in Apple’s implementation of Open Firmware allows you to password protect your computer’s ability to boot. Furthermore, Apple went above and beyond the Open Firmware 1275 specification and added a progressive delay technique to discourage brute force hacking of the Open Firmware password. The delay itself increases in a pattern of 2^x seconds. If you don’t quite understand what the “progressive delay technique” is, you can check it out on a machine with password protection enabled by pressing the return key several times at the password request prompt. Also note, zapping the PRAM (through Command + Option + P + R or even TechTool’s “complete zap”) will not disable or remove the password protection.
The way this password protection feature works is that there’s an Open Firmware command “password” which will request you to set your password, and then on confirmation of what you typed as you password, it sets that as the password. Then, you must tell it to enable the security and specify which setting level of security you wish. This is stored as the “security-mode” variable which can be set to one of three modes: “none”, “command”, or “full”. The “none” mode effectively disables security. The “command” mode just restricts the commands that may be executed to “go” and “boot”. Additionally, under the “command” mode, the “boot” command may not have any arguments–that is, it will only boot the device specified in the boot device variable; no other command may be entered or any settings changed unless the password is supplied. Moreover, this password protection feature also applies to booting up with the option key held down (which allows you to choose from available bootable volumes through a built-in graphical user interface). Finally, in “full” mode, the machine is completely prohibited from booting until the password is entered.
Procedure
Enabling Password Protection
1) Boot into the Open Firmware. (Command + Option + O + F)
2) At the command prompt, type “password” (without the quotes, of course). You will be prompted to enter in the password you wish to use. Type your password, press the return key, retype your password again, and press return to verify that that the first password you typed is indeed the password you want. (Note: the password is stored in the “security-password” variable, but the contents of this variable is never shown via the “printenv” command.)
3) Type “setenv security-mode full” OR “setenv security-mode command” OR “setenv security-mode none”, depending on which level of security you wish.
4) Then type “reset-all” to restart the computer.
Disabling Password Protection
1) Boot into the Open Firmware. (Command + Option + O + F)
2) Type “setenv security-mode none” and press return.
3) Enter in the password at the password request prompt and press return.
4) Then type “reset-all” to restart the computer.
Force Removing Password Protection
1) Add or remove DIMMs to change the total amount of RAM in the computer.
2) Then, the PRAM must be reset 3 times. (Command + Option + P + R).
Retrieving the Password Used with Software
If you are already booted into the MacOS the Open Firmware Password can be retrieved by using the application FWSucker created by mSec. We warn you of this program because many administrators believe that their Macs are secure at night when they shut them off just because they have the Open Firmware Password set. Be cautious of this application, and if you are using any desktop security software we suggest keeping this program restricted by it.
FWSucker.sit from SecureMac.com
Links
Power Mac G4 Firmware 4.1.8 Update
G4 Cube Firmware 4.1.8 Update
iMac Firmware 4.1.7 Update
iBook Firmware 4.1.7 Update
PowerBook Firmware 4.1.8 Update
Firmware Updates 4.1.7/4.1.8 May Disable Out-of-Spec Third-Party RAM
Apple Open Firmware Password Protection Notice
Apple Computer Open Firmware Home Page
Apple Open Firmware Technotes