Home > Uncategorized > efipw v0.2b Released

efipw v0.2b Released

February 11, 2010

Small update.  A few changes since v0.2:

  • if new password is set and mode is not, default mode to “command” (this will cause password to be enforced rather than ignored)
  • clarified usage
  • added ‘-c’ option

If you were getting a message like this:

sudo: ./efipw_0.2b.py: command not found

it’s because you hadn’t flagged the file as executable.  I neglected to mention this in the instructions before, but it’s in there now.  If you’re getting the above, just run:

chmod +x ./efipw*

…assuming efipw is in your working directory, of course.

I’ve also added a ‘-c’ option that disables the EFI password properly (or at least the way Apple does it).  When an EFI password is cleared with Apple’s GUI utility, ‘none’ is written to nvram as the password and the ‘none’ mode is selected.  Rather than forcing people to specify ‘none’ for both fields themselves, users can just do:

sudo ./efipw* -c

to disable the EFI password properly.

Get efipw

Comments/suggestions/bugs welcome.

  1. Jeff
    November 29, 2011 at 2:37 pm

    Thanks for this tool. I’m currently attempting to use it to replace the old OFPW tool for a new Lion image.

    Is there a command option to report what the mode is currently set to so that I can run an audit of machines with Apple Remote Desktop?

    Also I noticed a typo in the Usage section. It says ./efipy* -h when it should be ./efipw* -h

    • November 30, 2011 at 12:23 am

      @typo: Thanks; I’ll upload a new version when I get a chance.
      @audit: efipw does not offer this capability, but this can easily be accomplished on any machine supporting the nvram command (and, transitively, supported by efipw):
      $ sudo nvram -p | grep security-mode | awk ‘{ print $2 }’
      or as root:
      # nvram -p | grep security-mode | awk ‘{ print $2 }’

      • Jeff
        November 30, 2011 at 2:41 pm


        I tested efipw out yesterday on a new MacMini 2011 with Lion 10.7.2 and it doesn’t seem to be doing anything. I made sure it was executable and verified with the command line that the mode (command) and password were set. However when holding down the Option key during bootup, it doesn’t bring up the open firmware lock screen. So I booted with Command-R to set the firmware password manually and it asked me to turn it on and provide a password. I chose a different password than the one I had set through efipw to verify which one worked when prompted with the Lock icon during bootup. When I did this, it took the manually set password and not the efipw password. If I decode the password it still gives me my original (different) password that I set through efipw.

        I have my efipw_0.2b.py file located at /usr/local/bin which is where I used to put the OFPW tool.

        Any ideas?

      • November 30, 2011 at 5:43 pm

        I would actually be really surprised if it did work on your setup. The only Mac I have available to me ATM is a first-gen Macbook Pro (32bits), so I don’t even have the option of running Lion (requires 64bit CPU). I’ve heard from others that somewhere along the way, Apple stopped using the password stored in nvram for boot password purposes. They seem to have left the utilities to manage nvram in OS X, however. As stated on the efipw page (http://code.google.com/p/efipw/):

        Known to fail on: Macbook Air
        In newer hardware models, Apple appears to not consult the nvram for information on EFI passwords or password policy. Since I don’t have anything newer than a Macbook Pro (1st gen) available to me, I won’t be able to reverse engineer this. If someone else decides to do so and it makes sense to include that code in efipw, send me an email and I’ll incorporate it – with credit, of course :)

        So there you have it, I guess I’ve got confirmation on these other reports. If OFPW works for you on these new systems, this is likely because its developers update the tool to support the new systems; efipw is probably not going to help you. Unless you wanna buy me a new Mac.

  2. Jeff
    November 30, 2011 at 6:09 pm

    Thanks Paul,

    I appreciate your input. I wish I had a 64bit machine I could give you! I’ll mess around with OFPW and see if I can get it to work and also check on nvram commands.

  3. August 6, 2012 at 1:26 am

    Thanks a lot for making this, I managed to completely lock myself out of the firmware due to the all too common problem that apple has with handling + signs in passwords (app store, mail client, firmware ..)

  4. Jimmy Darmondy
    October 1, 2012 at 5:57 pm

    Hi all. New to this site. I’ve got a late 2010 Macbook pro with efi password. Will the efipw unlock the Macs w/ pw in the bios chip? also, how do i make it executable?

  1. No trackbacks yet.
Comments are closed.
%d bloggers like this: