BIC Firmware Passwords Editor

 

Firmware Security Changes

Starting with BIC 3.0, you MUST keep track of ALL old AND new firmware passwords that you use. It's VERY important that you understand how firmware passwords are managed in BIC v3 (and on Apple's new Macs, for that matter); otherwise you could lock yourself out of resetting the firmware security and have to contact an Apple repair shop to reset it for you, which may not be a pleasant experience. This change is due to Apple and NOT Blast Image Config.

BIC v3.0 has a completely new way of managing the Firmware Security, due to changes that Apple made in the EFI Firmware Security of Macs starting in late 2010. Apple has a knowledge base article titled "Recovering a lost firmware password" that details which Mac models have the new firmware security requirements. In addition, JAMF Software has an excellent support article on this firmware security change.

In a nutshell, here's how BIC v3.0 and later differ from versions 2.9 and earlier:

The FWPW (formerly OFPW) command line tool has been removed. In late 2010 Apple changed the way that firmware security is managed, which requires the use of a new Apple command line tool named 'setregproptool'. Unfortunately, I can't legally include this tool with the download of BIC 3.0, but you can easily obtain it from Apple's Firmware Password Utility.

In BIC versions prior to v3.0 you did not need to keep track of the PREVIOUS Firmware Security password. Firmware Passwords were updated by BIC running with admin (root) privileges and calling the 'FWPW' command line tool.

The FWPW tool worked fine on Macs shipping before late 2010. Apple created a new command line tool ("setregproptool") that is buried in the 'Firmware Password Utility' application that can set the firmware security mode and password on all old AND newer Macs.

On Macs prior to late 2010 you could reset/erase the firmware security by either using the nvram command line tool OR removing some memory stick(s) and zapping the PRAM. These methods will no longer work on the late 2010 and later Macs.

It turns out that these methods might have been too easy for some folks to bypass, so on Macs shipping after mid 2010 Apple now requires the OLD firmware password before the firmware security can be updated to a new password or mode. If the security is NOT enabled at boot up then you do not need to supply the old password.

Now that Apple requires the old password to change the firmware security, I developed a new application, included with Blast Image Config, to edit an encrypted passwords database file: "BIC Firmware Passwords Editor.app".

You will need to use this application to add or remove all new and previous firmware passwords that you've used.

The passwords are stored in an encrypted (AES 128-bit) SQLite3 database file named "BICFirmwarePasswords.bicdb". Using this encrypted DB means that the firmware passwords will never be in the clear on disk. Whenever BIC needs to update the firmware password and/or mode it will try each of the passwords in the database file until one works.

If this database file does not exist when BIC first launches, BIC will create it, and the encryption password for the file will be set to the admin password supplied at launch time (or from the Keychain, if it was added there).

To enable BIC v3 to launch without asking for the admin password, you now have the option for BIC to store the admin password in the OS X Keychain for the logged-in admin user. This will greatly speed up the process of launching BIC, and the stored password also serves as the password to decrypt the Firmware Passwords database file.
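The try-each-stored-password behaviour described above can be sketched in shell as follows. This is an added example, not BIC's own code: the function name `set_firmware_password` is hypothetical, the candidate list on stdin stands in for the decrypted password database, and the `-c`, `-m`, `-p` and `-o` flags are those listed in setregproptool's usage text, which you should confirm against your own copy.

```shell
#!/bin/sh
# Added illustration, not BIC's code. setregproptool must run as root.
# Note: passwords passed as arguments are visible to other local users
# in the process list while the tool runs.

# set_firmware_password TOOL MODE NEWPW
#   TOOL   path to setregproptool
#   MODE   "command" or "full"
#   NEWPW  new firmware password
#   stdin  previously used passwords, one per line (assumed input format)
# Returns 0 once the tool accepts the change, 1 if no stored password works.
set_firmware_password() {
    tool=$1
    mode=$2
    newpw=$3

    # -c exits 0 when a firmware password is currently set.
    if ! "$tool" -c </dev/null >/dev/null 2>&1; then
        # Security not enabled: no old password has to be supplied.
        "$tool" -m "$mode" -p "$newpw" </dev/null >/dev/null 2>&1
        return $?
    fi

    # Security enabled: offer each recorded old password in turn.
    while IFS= read -r oldpw; do
        [ -n "$oldpw" ] || continue
        # </dev/null keeps the tool from prompting or from consuming
        # the remaining candidates on our stdin.
        if "$tool" -m "$mode" -p "$newpw" -o "$oldpw" \
                </dev/null >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}
```

A return value of 1 means none of the recorded passwords matched, which is the lock-out situation the warning at the top of this page describes.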

Install Apple's setregproptool

For Snow Leopard (Mac OS X 10.6):

Watch the demo video of the install process on Snow Leopard.

Or, if you are comfortable at the command line: insert the Mac OS X Snow Leopard (10.6) Install DVD, launch Terminal.app, and enter the following command to install the setregproptool into your BIC folder. Enter your admin password when prompted:

    sudo cp -p /Volumes/Mac\ OS\ X\ Install\ DVD/Applications/Utilities/Firmware\ Password\ Utility.app/Contents/Resources/setregproptool /Path/To/BlastImageConfigFolder/Resources/setregproptool/

For Lion (OS X 10.7):

Watch the demo video of the install process on Lion, which is the method detailed below.

Since it's a bit more work to get the setregproptool in the OS X Lion installer, I've created a command line script to aid in the process of extracting and installing the 'setregproptool' tool. (If you'd like to contribute to the development of the script we are hosting it on GitHub.) Here's how to run the script:

  1. Open the 'Resources' folder,
  2. Open the 'setregproptool' folder,
  3. Run the 'setregproptool-install.pl' script via sudo in Terminal.app, supplying the path to the "Install Mac OS X Lion.app", and enter your admin password when prompted:

    sudo /Applications/Blast\ Image\ Config/Resources/setregproptool/setregproptool-install.pl /Applications/Install\ Mac\ OS\ X\ Lion.app


Last Updated August 6, 2015