Bypass Mac Firmware Password
Need to get around the boot level Mac firmware password? You can bypass a firmware password by doing a little bit of a hardware hack. There’s many reasons you’d want to get around firmware protection, but here’s why we got the instructions:
This is a tutorial mainly for the people at my school who wish to hack their macbooks, leased by the school. These computers; the white plastic macbooks which are ****, are protected by the firmware password. This prevents you from booting up into Single User Mode, Verbose Mode, Safe Mode, Target Disk mode, and boot off of an external hard drive or network. There is a very simple way to remove these restrictions.
I don’t know what school they’re at but it’s pretty cool to have a MacBook of your own provided by a school. While I can’t condone this activity I must say as a curious and tech savvy student I would have done the exact same thing… with that in mind I have reproduced instructions below:
Get around a Mac Firmware Password
This should work on both EFI (Intel) and OFI (PPC) based Macs. This is a hardware based hack, proceed with caution! We are not responsible for anything that may go wrong in the process. Essentially you are removing the systems RAM and reinstalling it, here are the steps for a MacBook:
1) Shut down your computer
2) Remove the battery
3) Remove the three philips head screws that are on the L-bracket
4) Remove the L-bracket
5) Slide one of the levers (it doesnt matter which one) to the left. This will release the RAM
6) Gently wiggle the RAM card out and put it aside, you will put it back later(do NOT touch the gold bars on the front; you could break it)
7) Replace the L-bracket and put the battery back in
8 ) Boot up the computer while holding COMMAND+OPTION+P+R (this resets the parameter ram)
9) Wait for the startup chime to sound 3 times
10) Release the keys and shutdown the machine once you reach the login screen
11) Remove Battery and L-Bracket, replace the RAM module and slide the lever back while pushing it in until it does not wiggle anymore
12) Replace The battery and L-Bracket
13) Now if you boot up the machine you should bypass the Mac firmware password.
You can now use the machine as usual, boot from an external drive, or whatever else.
Remember, this is bypassing the boot-level firmware password. Most Macs have the software based password protection enabled only in the form of a user login and password. If this is the case, you can use methods to reset a forgotten Mac password to get around the user login completely (instructions for OS X Lion are slightly different).
I think you may be over complicating the procedure, I believe all you need to do is remove the ram and then put it back in to get around the firmware password but I could be wrong. Nice trick either way!
Depressing to read that tip. We think of our Macs as so secure (Unix, firmware password, etc), only to learn how easy they are to get at if someone has physical access. Granted, any machine is vulnerable with physical access, but more and more, it’s looking like FileVault or similar is a must if you value your data’s privacy.
actually, macs have some pretty startling security flaws. and while i love my macs more than a man should probably love a computer, i don’t think they the second coming of jesus. for right now, macs have security through obscurity more than anything else. once they become more and more popular, they will end up a more likely target.
but, as the article proves, with physical access to a machine, the sky is the limit.
hahah, COMMAND+OPTION+P+R is blocked from OpenFirmwarePassword
you’re smart fren.
@urpwnd: what startling security flaws? …
if command option p r is blocked from taking ram card out.then how can i get passed the firmwarepassword ..
please help
Just tried this on both a macbook and a macbook pro and this doesn’t work.
I believe this only works with PPC Macs only; Intel macs use EFI not OF so this would not work on a macbook or macbook pro. I have successfully used this trick on several old flowerpot iMacs in my lab. I assure the would-be tech that this does work on PPC machines.
forgot the relevant link:
http://support.apple.com/kb/ht1352
[...] disk, CD, or in single user mode. Someone with bad intentions could still bypass it, but it would quite a bit of alone time with your hardware. So, for best results, you’ll probably want to encrypt your files with FileVault and set up a [...]
[...] disk, CD, or in single user mode. Someone with bad intentions could still bypass it, but it would quite a bit of alone time with your hardware. So, for best results, you’ll probably want to encrypt your files with FileVault and set up a [...]
Just pull the Hard Disk and bypass all the bs.
usb to sata and everything that is not encrypted is yours to see.
this works when carried out exactly as stated. the last steps of putting back the RAM module are not even necessary:
the firmware-password is stored based on a combination of hardware. at the mac-repair-lab i work in, altering any kind of hardware, then resetting PRAM (3 times the chime=important) works any time! removing RAM is the easiest way:
remove one module, boot back up holding cmd-alt-p-r for three chimes, let boot up:firmware password deleted.
works on both intel and ppc by the way!
Can i just tell you how smart this “helpless” computer illiterate woman feeelsssss thanks to your advice on ram = out then pram ????? i am going to the hardware store now to fix a sink….. buwahahahahaahaha ty thomas
wait….once i get it to the whole purple screen with english at top for language, do i got to utility repair?
( which is what i did….then hit repair “mac” and then it took a while but i went BACK to restart in my “Mac” hardrive mode…now the white screen and wheels are a spinnin….should i have boot from network or the hitatchia drive??? please ….considering a year ago, i couldnt email….so no tossing tomatos!!! lol thanks for your help…just wanna get to log in screen
When you say “Pull the Hard Disk”, does this erase the firmware password. Or are you suggesting just buying another hard drive? Thanks, Gordon
Well all you have to do is just remove your L-Bracket and place the hard drive back in. The L-Bracket is what the firmware password is on so you can reset it
thanks dude… it work on me..
Thanks a lot to the poster for putting up this thread. I have solved a problem for a customer’s Mac BookPro. it was having the problem of booting to nothing but a grey folder with an question mark. [i run a hobby pc repair business]
Im new at macs but figured out how to bring up the boot menu. However it has (and still does) a password on it.
I drained the battry [the battry cannot be taken out] removed the ram and booted up without it. Then I put one stick back in and then turned it on and put in my OS X Snow leopard Disc. Then holding down control the boot menu came up. I booted from the disk and it all got sorted.
We had tried everything to fix this and thank god its over. I had given up several times. Thanks for the winning piece of reaserch that got me through it.
[I found all the torrents for the OS X useless and had to pay for a legit Disc. Im not sure on the .dmg files out there but they require a mac to burn. I couldnt get the burning programs like power ISO to do it on a pc. ]
This will work for PPC, because firmware lock does not block CMND+OPTION+P+R, however on intel this doesn’t work, checking on the apple website there is a chart that outlines what is blocked on intel and what is blocked on ppc, and unfortunately, it blocks every useful thing.
Macbook *white Late 2009 (INTEL)
Done as written above….
It works….
thanks man!!!
I really want to say thank you for this thread
I was desperate and didnt know what to do
I did what you and my macbook comes alive again
THANKS
HELP! I am on an EMac, with the padlock issue and firmware password request. I have not set up a firmware password, so is there a default one I need? Thanks to anyone who can help.
I’m pushin’ 60 and still tryin’ I could use a bit more information. I bought a headless Xserve (early 2008) with RAID and a blank 300GB SAS drive hoping to get Lion up and running. When I pop in an SL DVD, it gives me nada. I tried a Leopard Server disk and it presents me with eight steady system activity lights. I’m thinkin’ the EFI Firmware password is set and I can’t get this ballon to float (DVD offline). I tried pulling RAM and restarting with Command Option+P+R. I got all 16 lights on the front panel off then on several times, let go to restart, and then nada.
Is there some magic combo of “set the startup parameters (startup options using front panel button-ology), pull the RAM, hold down a bunch o’ keys, pull the button cell, win – win -win!? If you can help, I’d appreciate any hints ou can offer. dgarten at nova dot org. :-\
I love you
i was make the methods , imac work thanks a lot
[...] CD or even in single user mode. Someone with bad intentions could still bypass it, but it would require quite a bit of alone time with your hardware. So, for best results, you’ll probably want to have both layers of protection: encrypt your [...]
Thank you so much!!
Does not work with MacBook Pro A1278 Unibody(2010). I have tried at least 7 times and still not able. Followed instructions to a T. Please somebodyHELP!!!!
With the Thunderbolt models of Macs, this bypass feature is now gone. Sorry!
Is it possible to unlock the firmware password Macbook Pro(Late 2011)?
absolutely does not work on a unibody aluminum macbook – in fact the descriptions above don;t make any sense – if you pull the ram then the macbook beeps forever regularly regardless of any keys you press (by the way that alt command P R cobination is only for PPC Macs – if you think it worked on an Intel then you’re mistaken – it was some other action like just pulling the ram or battery – that command is for the open firmware version only on a ppc ) – and how would the Mac boot into a login screen before putting the ram back in???
come on guys , know your stuff before you advise !!!!
I’ve try many time with cmd option p r on the new imac mid 2011 unsuccessfully. Any other way around?
The new imacs/MBP’s are virtually impossible to get past the firmware-password point. But i have found out a way around this but it does require a ‘PC’ . First i saved everything i wanted off my mac externally. The reason i have involved a windows computer btw is that, the imac/MBP’s hdd use SATA cable connection. so i pulled it out of my macbook pro and put it in my PC. My macbook hdd is a seagate 320gb and what i did was, i dowbloaded UBCD and used that to wipe the macbook hdd with my PC. because i did not have the OSX anymore for my mac(because i had just wiped it) i just redownloaded it from thepiratebay.se. now i have a firmware password-free computer ^_^ and also no restrictions. Life Is Good.
Hey Coldhead, could you please elaborate how you or what you did. And does this work on 2011 Imac’s? thnx
I just tried doing exactly what you did. It doesn’t work!!
I heard the passwords are saved in the bios, so erasing the hard drive has no effects whatsoever.
Coldhead or Dave could you please describe step by step how you did that? I have macbook unibody and this firmware password and don’t know what should I do. thnx
Sorry folks but there is no way to by pass lock screen (EFI) if you have got a new mac (air, book pro, or what ever) since early 2011. The main reazon is that every singel password is saved in to the bios (i know, i know…) well the little chip that serves as a bios (still it is actually a bios) that you have to remove and then get a new flashed one.
All of you who are complaining that this is a security flaw on Macs are naive, and by making an accusation that Apple has somehow failed by allowing this is simply foolish.
It is very easy to get around the BIOS (firmware) passwords on PC’s, too.
Such “holes” have a purpose. For instance, an angry employee could set up such a password on a computer and disable various devices on it, making in effect making it an expensive pile of junk. Sure, you could pull the hard drive, but the rest of the computer would still be worthless as a machine. By being able to bypass the firmware password, one can prevent such a thing from ruining the computer.
The number one rule of computer security is to not allow physical access to your computer, because almost anything can be done to it then. Why else do you think businesses have locks on the doors to their server rooms?