Fun with Apple EFI Firmware Passwords « my 20% 28/02/2011 28 Feb 2011, 20:23

my 20%
hacking, breaking things, malware, free time, etc.

Home
About Me
Undergraduate Thesis (TRECC)

Type text to search here...

Home > Uncategorized > Fun with Apple EFI Firmware Passwords

Fun with Apple EFI Firmware Passwords

March 30, 2009 Leave a comment Go to comments

I read somewhere that Apple uses weak encryption on its firmware passwords for Intel/EFI based computers, so I
decided to take a look at it while on a long flight. I looked around for more specific discussion on the topic and didn’t
find anything, so I’ll share what I found along with a tool I wrote to automate the changing and decrypting of the
password. I wouldn’t consider the method that they employed encryption per se, but rather an obfuscation of the
password. In either case, what they did is certainly not cryptographically secure. It’s not immediately clear to me why
they didn’t just MD5 the password or something… the nvram appears to have sufficient space to store such a hashed
value.

Tested on:

OS X 10.5.6 on a 1st Gen (Core Duo) Macbook Pro

OS X 10.5.6 on a Core 2 Duo Macbook Pro

Useful for:

pen tests
lab deployments

I take no responsibility with what you do with this information. Messing with the nvram can be potentially very
serious business. Don’t contact me if your mac stops booting.

The method I employed requires root access, either via the root account or single user mode. In a pen test scenario, it
may be possible to escalate to root via an exploit (as opposed to password compromise). If the firmware password is
the same or similar to another password in use, this may allow for further escalation of privilege / decryption of files /
access to other machines / etc. In a lab deployment scenario, it may be desirable to set a firmware password on
deployed machines. This process would be more easily automated with a CLI program like the one I’m providing. Of
course, there is the OFPW tool, but that was designed for the older Open Firmware and I’ve had problems running it on
under Leopard/EFI and am unclear as to whether or not it supports the new hardware. The OFPW binary seems to be
unnecessarily elusive and documentation even more so.

Here’s now the obfuscation works:

1. a <= 255 character ASCII string is accepted by Firmware Password Utility

2. string is viewed as binary (ASCII decoded)
3. every other bit is NOT’ted, beginning with a NOT (i.e. NOT, passthru, NOT, passthru, etc)
4. resulting bitstream is stored as the password.

You can query the current password via Terminal (hex-ASCII encoding , %-delineated):

sudo nvram -p

… or you can get the contents of nvram in XML with the password in base64:

sudo nvram -x -p

Let’s run through an example. We’ll set our firmware password to:

jh376ds8

… which is a fairly random ASCII string. Let’s interpret it as ASCII and translate to binary:

01101010 01101000 00110011 00110111 00110110 01100100 01110011 00111000

… now we apply the magic formula of NOT’ting every other bit, beginning with an initial NOT:

http://paulmakowski.wordpress.com/2009/03/30/fun-with-apple-efi-firmware-passwords/ Page 1 of 4
Fun with Apple EFI Firmware Passwords « my 20% 28/02/2011 28 Feb 2011, 20:23

11000000 11000010 10011001 10011101 10011100 11001110 11011001 10010010

… then we hex-ify it:

c0 c2 99 9d 9c ce d9 92

… and finally add ‘%’ delimitors:

%c0%c2%99%9d%9c%ce%d9%92

… now we run:
sudo nvram security-password=%c0%c2%99%9d%9c%ce%d9%92

… and our firmware password has been updated to jh376ds8.

Obviously the reverse could be employed to reveal a firmware password.

Note: there are three security levels included in Apple’s EFI:

none: Firmware password is ignored, all boot actions allowed (single user, boot off external, etc). This is a
default setting.
command: Firmware password enforced if user requests to boot off another device by holding down ‘alt’ during
boot. Single user, target disk mode, etc disabled.
full: All actions are disallowed, unless correct password is entered (including normal boot to blessed drive).

Only ASCII characters with decimal values between 32 and 127 (inclusive) are allowed and the password cannot be
longer than 255 characters. If the password is empty, Apple’s GUI utility actually stores “none” as the password, so I
would recommend not using “none” as a password.

Get the code

Takeaway: if you’re using an EFI password on your Apple computer, don’t use that password for anything else. It is
easily recovered (granted with root access), but even this recovery could allow for easy future access or further
compromise.

Share this: StumbleUpon Digg Reddit

Tags: apple, efi, encoding, firmware, hacking, obfuscation, password, reverse engineering

Like Be the first to like this post.

Comments (0) Trackbacks (2) Leave a comment Trackback

1. No comments yet.

1. January 30, 2010 at 7:12 pm | #1

efipw v0.2 Released « my 20%
2. January 8, 2011 at 7:57 am | #2
Восстановление забытого пароля прошивки Apple EFI « INFSECURITY.RU

Leave a Reply
Your email address will not be published. Required fields are marked *

Name *

Email *

Website

http://paulmakowski.wordpress.com/2009/03/30/fun-with-apple-efi-firmware-passwords/ Page 2 of 4
Fun with Apple EFI Firmware Passwords « my 20% 28/02/2011 28 Feb 2011, 20:23

Comment

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b>
<blockquote cite=""> <cite> <code> <pre> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Post Comment

Notify me of follow-up comments via email.

Notify me of site updates

GDB Crackme
RSS feed

Google
Youdao
Xian Guo
Zhua Xia
My Yahoo!
newsgator
Bloglines
iNezha

Paul Makowski

I'm an MSISTM student at Carnegie Mellon's Information Networking Institute (INI). I enjoy
breaking things more than building them; I use this blog to publish my successes at putting
things back together.

things worth reading

Exploitation - it-sec-catalog - References to vulnerability exploitation stuff. - Project Hosting on

Google Code February 4, 2011
Microsoft releases Attack Surface Analyzer tool January 19, 2011
Carnegie Mellon Professor Backs PlayStation 3 Hackers January 14, 2011
folklore fun - thinkst.com January 10, 2011
(title unknown) January 10, 2011
Documentation - 27C3 public wiki January 8, 2011
When A DoS Isn't A DoS | BreakingPoint January 2, 2011
Light Blue Touchpaper » Blog Archive » A Merry Christmas to all Bankers January 2, 2011
The Official Lookout Blog | Security Alert: Geinimi, Sophisticated New Android Trojan Found in Wild January 2,
2011
Index of /cross_fuzz January 2, 2011

Recent Posts

Smashing the Stack in 2011

Chaocipher: Now with ASCII Support
Woohoo! I Graduated. Here’s my thesis.
Senior Thesis (TRECC) Presentations
Metasploit Plugin for EasyFTP Server Exploit
Increasing Payload Size w/ Return Address Overwrite
efipw v0.2b Released
efipw v0.2 Released
From pass_file to Script Kiddies
Hacking sshd for a pass_file
A Closer Look at the Twitter-Controlled Botnet (Part 1)
HTTP POST -> HTTPS = Bad Idea®
GDB Crackme
Fun with Apple EFI Firmware Passwords

http://paulmakowski.wordpress.com/2009/03/30/fun-with-apple-efi-firmware-passwords/ Page 3 of 4
Fun with Apple EFI Firmware Passwords « my 20% 28/02/2011 28 Feb 2011, 20:23

Archives
January 2011
July 2010
June 2010
May 2010
April 2010
February 2010
January 2010
September 2009
August 2009
July 2009
May 2009
March 2009

Email Subscription

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Sign me up!

Top WordPress
Copyright © 2009-2011 my 20%
Blog at WordPress.com. Theme: INove by NeoEase.

http://paulmakowski.wordpress.com/2009/03/30/fun-with-apple-efi-firmware-passwords/ Page 4 of 4