Open Firmware and Intel-based Macs

Discussion in 'macOS' started by MacDann, Apr 7, 2007.

  1. MacDann macrumors 6502a

    MacDann

    Joined:
    Mar 27, 2007
    Location:
    Can see the end of the Earth from here
    #1
    I feel stupid asking this, as I'm a longtime Mac person and feel pretty proficient, but the information I'm finding on Apple's Web site is confusing to me. Here's the question:

    I want to enable the Open Firmware password on my 15" MBP to protect it from being started up from anything other than the internal HD. Yes, I know you can get around OF, however, it's a decent deterrent to all but the most savvy users.

    In the docs Apple posts regarding Open Firmware passwords, they say that Intel-based Macs can have firmware passwords, but they never go into detail regarding firmware passwords using EFI with Intel-based Macs.

    So I guess I'm trying to find out how to set up password protection for the EFI based firmware used on Intel-based Macs.

    Thanks in advance for any help you can offer.

    MD
     
  2. pip11 macrumors member

    Joined:
    Apr 29, 2005
    #2
    Hardening Mac OS X says to use the Open Firmware Password app that is in Applications/Utilities on the install DVD that came with your Mac. It's too bad Apple didn't rename the app to make it less confusing, but its still the one to use, even for an EFI Mac.
     
  3. glitch44 macrumors 65816

    Joined:
    Feb 28, 2006
    #3
    My intel Imac came with 2 install DVDs and I can't seem to find an Applications/Utilities folder on the DVD.

    it just pops up with a "Install Mac OS X and Bundled Software" icon and an "Install Bundled Software Only". Am I missing something? How do I browse the DVDs file structure?
     
  4. glitch44 macrumors 65816

    Joined:
    Feb 28, 2006
    #4

    Nevermind. I had to force Finder to browse the DVD.
    Sorry. New to this OS X stuff but I'm confused as to why Apple didn't include the updated app on the website instead of forcing you to get out the DVD.
     
  5. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #5
    Wait. You'd rather download an application, rather than have it already on the DVD???

    That doesn't make much sense.
     
  6. Eidorian macrumors Penryn

    Eidorian

    Joined:
    Mar 23, 2005
    Location:
    Indianapolis
    #6
    Can't you just boot into Open Firmware and use the commands to set the password there? At least that's how I thought you did it.
     
  7. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #7
    Open Firmware and EFI are two different things. I don't think EFI offers a shell.

    EDIT: Yes, there is no shell being distributed by Apple with the EFI. There are instructions to download a shell, but this is not for the faint of heart. Even I'm not too crazy about doing it.
     
  8. glitch44 macrumors 65816

    Joined:
    Feb 28, 2006
    #8
    why doesn't it make much sense?
    it's a 516k file. my internet is 6000 kb/s.
    i could have it downloaded and installed before i even get the DVD out of the sleeve.
     
  9. Eidorian macrumors Penryn

    Eidorian

    Joined:
    Mar 23, 2005
    Location:
    Indianapolis
    #9
    I thought the had EFI set up to basically emulate the old Open Firmware shell. I get it.
     
  10. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #10
    It is never smart to rely on an exclusive internet-only distribution of a vital system component, when you distribute a DVD with the computer.
     
  11. glitch44 macrumors 65816

    Joined:
    Feb 28, 2006
    #11
    I never said internet-only. In addition to.

    Why?

    It is never smart to rely on an exclusive DVD-only distribution of a vital system component.
     
  12. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #12
    Ok, so that's why everyone doesn't get restore CDs and driver CDs when they buy a computer, by your logic.
     
  13. glitch44 macrumors 65816

    Joined:
    Feb 28, 2006
    #13

    um, no. I was replicating your sentence structure to help you see the silliness of relying upon any one distribution system.

    I think restore CD/DVDs are a good backup and are just as important as providing online sources. After all, what do we do after installing something? Go online and check for updates. You don't want online sources? Fine, that's your preference. But I travel a lot for work and it's good to have access to stuff if I don't have the CD or DVD with my laptop.

    Why are you arguing this with me? I think you're more interested in feeling right than you are in the logic of redundancy.

    The question is moot, anyway. I have the app now.
     
  14. Eidorian macrumors Penryn

    Eidorian

    Joined:
    Mar 23, 2005
    Location:
    Indianapolis
    #14
    I wouldn't rely on the DVD's as well. It could be out of date.
     
  15. Lixivial macrumors 6502a

    Lixivial

    Joined:
    Jan 13, 2005
    Location:
    Between cats, dogs and wanderlust.
    #15
    Well, in all technicality you can do it via /usr/sbin/nvram (on either a PPC-based Macintosh or an Intel-based Macintosh) by applying the variables "security-mode" equal to "command", and "security-password" to the a "hex+XOR against string 'AA'" representation of the password.

    Code:
    sudo nvram security-mode="command" security-password="%fa%cb%d9%d9%dd%c5%d8%ce"
    would set the password to be "Password", and set the mode to be on when switching boot devices. Changing security-mode to equal "full" would set the password prompt to be on every time the machine is booted.

    There are also some third party compiled batch scripts that will allow you to set the password from command line, and will do the "heavy" work for you. It's mainly used when implementing standardized images to push out to machines. Mike Bombich's NetRestore allows use of the OFPW tool to accomplish this. Anyroad, as you can see there is a tool available for download, but 99% of the time it's just easier to use the tool off the DVD.

    EDIT: Apple hasn't changed these variables in quite some time (if ever?) and since the GUI tool is the same as the third-party CLI tool -- a wrapper for nvram variables -- I wouldn't imagine there being an issue with being out of date.

    EDIT 2: I do agree, though, that having the GUI app available for download is a good idea. I mean, they used to...
     
  16. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #16
    This is for PPC Macs, which have Open Firmware.

    EFI is for intel macs and cannot be booted into
     
  17. Lixivial macrumors 6502a

    Lixivial

    Joined:
    Jan 13, 2005
    Location:
    Between cats, dogs and wanderlust.
    #17
    If you're referring to me, I never disputed the fact that Apple left out the optional EFI shell. I was referring to setting the relevant variables using the bundled command "nvram" from within Mac OS X itself using Terminal. Apple's implementation of EFI and OF both recognize most of the same firmware variables, and so setting the password works the same way on both machine types.

    I was giving a, "Well, you don't technically need to boot into any firmware shell to do this" and not a solution for a standard user to follow under normal circumstances. Moreover it was an elaboration on the response I quoted. I also was saying that while there is a solution available it's almost always better to just use the GUI app from the DVD.
     
  18. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #18
    Nope, wasn't referring to your comments, just clarifying so that if someone does a search for booting into EFI.
     

Share This Page