Fun with Apple EFI Firmware Passwords « my 20%
Source: http://paulmakowski.wordpress.com/2009/03/30/fun-with-apple-efi-firmware-passwords/ (posted 30 Mar 2009, printed 28 Feb 2011)
I read somewhere that Apple uses weak encryption on its firmware passwords for Intel/EFI based computers, so I
decided to take a look at it while on a long flight. I looked around for more specific discussion on the topic and didn’t
find anything, so I’ll share what I found along with a tool I wrote to automate the changing and decrypting of the
password. I wouldn’t consider the method that they employed encryption per se, but rather an obfuscation of the
password. In either case, what they did is certainly not cryptographically secure. It’s not immediately clear to me why
they didn’t just MD5 the password or something… the nvram appears to have sufficient space to store such a hashed
value.
Tested on:
Useful for:
pen tests
lab deployments
I take no responsibility for what you do with this information. Messing with the nvram can potentially be very
serious business. Don't contact me if your Mac stops booting.
The method I employed requires root access, either via the root account or single user mode. Note that single user
mode is exactly what the 'command' and 'full' security modes described below disable, so on a machine where the
firmware password is actually enforced, root has to be obtained from the running OS. In a pen test scenario, it may be
possible to escalate to root via an exploit (as opposed to password compromise). If the firmware password is the same
as or similar to another password in use, recovering it may allow further escalation of privilege, decryption of files,
access to other machines, and so on. In a lab deployment scenario, it may be desirable to set a firmware password on
deployed machines; that process is more easily automated with a CLI program like the one I'm providing. Of course,
there is the OFPW tool, but that was designed for the older Open Firmware; I've had problems running it under
Leopard/EFI and am unclear as to whether or not it supports the new hardware. The OFPW binary seems to be
unnecessarily elusive and documentation even more so.
You can query the current password via Terminal. nvram -p dumps every variable, printing non-printable bytes as
%-delimited hex (the variable of interest is security-password, so sudo nvram security-password prints just that one):
sudo nvram -p
… or you can get the contents of nvram in XML, with binary values such as the password in base64:
sudo nvram -x -p
Let’s run through an example. We’ll set our firmware password to:
jh376ds8
… which is a fairly random ASCII string. Let’s interpret it as ASCII and translate to binary:
j  0x6a  0110 1010
h  0x68  0110 1000
3  0x33  0011 0011
7  0x37  0011 0111
6  0x36  0011 0110
d  0x64  0110 0100
s  0x73  0111 0011
8  0x38  0011 1000
… now we apply the magic formula of NOT'ting every other bit, beginning with an initial NOT. Flipping bits 7, 5, 3
and 1 of each byte is the same as XOR'ing each byte with 0xAA (1010 1010), which gives:
c0 c2 99 9d 9c ce d9 92
… now we run:
sudo nvram security-password=%c0%c2%99%9d%9c%ce%d9%92
Whether that password is actually enforced depends on the firmware's security mode, which has three settings:
none: Firmware password is ignored, all boot actions allowed (single user, boot off external, etc.). This is the
default setting.
command: Firmware password enforced if the user requests to boot off another device by holding down 'alt' during
boot. Single user, target disk mode, etc. are disabled.
full: All actions are disallowed unless the correct password is entered (including a normal boot to the blessed drive).
Only ASCII characters with decimal values between 32 and 127 (inclusive) are allowed and the password cannot be
longer than 255 characters (127 is DEL, so the characters you can actually type are 32 through 126). If the password is
empty, Apple's GUI utility actually stores "none" as the password, so I would recommend not using "none" as a password.
Takeaway: if you're using an EFI password on your Apple computer, don't use that password for anything else. It is
easily recovered (granted, with root access), but even this recovery could allow for easy future access or further
compromise.
Tags: apple, efi, encoding, firmware, hacking, obfuscation, password, reverse engineering
Paul Makowski
I'm an MSISTM student at Carnegie Mellon's Information Networking Institute (INI). I enjoy
breaking things more than building them; I use this blog to publish my successes at putting
things back together.
Copyright © 2009-2011 my 20%