Bypass Mac Firmware Password

Oct 19, 2009 - 75 Comments

bypass firmware password

Need to get around the boot level Mac firmware password? You can bypass a firmware password by doing a little bit of a hardware hack. There’s many reasons you’d want to get around firmware protection, but here’s why we got the instructions:

This is a tutorial mainly for the people at my school who wish to hack their macbooks, leased by the school. These computers; the white plastic macbooks which are ****, are protected by the firmware password. This prevents you from booting up into Single User Mode, Verbose Mode, Safe Mode, Target Disk mode, and boot off of an external hard drive or network. There is a very simple way to remove these restrictions.

I don’t know what school they’re at but it’s pretty cool to have a MacBook of your own provided by a school. While I can’t condone this activity I must say as a curious and tech savvy student I would have done the exact same thing… with that in mind I have reproduced instructions below:

Get around a Mac Firmware Password

This should work on both EFI (Intel) and OFI (PPC) based Macs. This is a hardware based hack, proceed with caution! We are not responsible for anything that may go wrong in the process. Essentially you are removing the systems RAM and reinstalling it, here are the steps for a MacBook:

1) Shut down your computer

2) Remove the battery

3) Remove the three philips head screws that are on the L-bracket

4) Remove the L-bracket

5) Slide one of the levers (it doesnt matter which one) to the left. This will release the RAM

6) Gently wiggle the RAM card out and put it aside, you will put it back later(do NOT touch the gold bars on the front; you could break it)

7) Replace the L-bracket and put the battery back in

8 ) Boot up the computer while holding COMMAND+OPTION+P+R (this resets the parameter ram)

9) Wait for the startup chime to sound 3 times

10) Release the keys and shutdown the machine once you reach the login screen

11) Remove Battery and L-Bracket, replace the RAM module and slide the lever back while pushing it in until it does not wiggle anymore

12) Replace The battery and L-Bracket

13) Now if you boot up the machine you should bypass the Mac firmware password.

You can now use the machine as usual, boot from an external drive, or whatever else.

Remember, this is bypassing the boot-level firmware password. Most Macs have the software based password protection enabled only in the form of a user login and password. If this is the case, you can use methods to reset a forgotten Mac password to get around the user login completely (instructions for OS X Lion are slightly different).

Enjoy this tip? Subscribe to the OSXDaily newsletter to get more of our great Apple tips, tricks, and important news delivered to your inbox! Enter your email address below:

Related articles:

Posted by: David Mendez in Mac OS X, Security, Tips & Tricks, Troubleshooting

75 Comments

» Comments RSS Feed

  1. bassface says:

    I think you may be over complicating the procedure, I believe all you need to do is remove the ram and then put it back in to get around the firmware password but I could be wrong. Nice trick either way!

  2. DistortedLoop says:

    Depressing to read that tip. We think of our Macs as so secure (Unix, firmware password, etc), only to learn how easy they are to get at if someone has physical access. Granted, any machine is vulnerable with physical access, but more and more, it’s looking like FileVault or similar is a must if you value your data’s privacy.

    • nobody says:

      i challenge you to name one file on your computer that ANYONE would be interested in stealing. your data is safe.

      • Yeah well says:

        Ah it’s not always about the data. For example, I used to have an iMac, with the findmymac-thing active. The thing got stolen, and probably with above mentioned method erased and sold through to someone who doesn’t have a clue the mac is stolen. I will never see it in the findmymac thing since it’s prbably been erased and reinstalled…

  3. urpwnd says:

    actually, macs have some pretty startling security flaws. and while i love my macs more than a man should probably love a computer, i don’t think they the second coming of jesus. for right now, macs have security through obscurity more than anything else. once they become more and more popular, they will end up a more likely target.

    but, as the article proves, with physical access to a machine, the sky is the limit.

  4. kacpi says:

    hahah, COMMAND+OPTION+P+R is blocked from OpenFirmwarePassword

  5. S says:

    @urpwnd: what startling security flaws? …

  6. jayson says:

    if command option p r is blocked from taking ram card out.then how can i get passed the firmwarepassword ..
    please help

  7. Casey says:

    Just tried this on both a macbook and a macbook pro and this doesn’t work.

  8. scott says:

    I believe this only works with PPC Macs only; Intel macs use EFI not OF so this would not work on a macbook or macbook pro. I have successfully used this trick on several old flowerpot iMacs in my lab. I assure the would-be tech that this does work on PPC machines.

  9. [...] disk, CD, or in single user mode. Someone with bad intentions could still bypass it, but it would quite a bit of alone time with your hardware. So, for best results, you’ll probably want to encrypt your files with FileVault and set up a [...]

  10. [...] disk, CD, or in single user mode. Someone with bad intentions could still bypass it, but it would quite a bit of alone time with your hardware. So, for best results, you’ll probably want to encrypt your files with FileVault and set up a [...]

  11. joe says:

    Just pull the Hard Disk and bypass all the bs.
    usb to sata and everything that is not encrypted is yours to see.

  12. thomas says:

    this works when carried out exactly as stated. the last steps of putting back the RAM module are not even necessary:
    the firmware-password is stored based on a combination of hardware. at the mac-repair-lab i work in, altering any kind of hardware, then resetting PRAM (3 times the chime=important) works any time! removing RAM is the easiest way:
    remove one module, boot back up holding cmd-alt-p-r for three chimes, let boot up:firmware password deleted.

    • flitspuit says:

      Can you help with another step by step guide and maybe some pictures to go along with the guide

      • TB says:

        The precise process varies greatly between each Mac, but if a user is not comfortable with that sort of thing in general no amount of photos or pictures will do the job. This is the only way to bypass a firmware password outside of entering the password itself. Perhaps Apple has another solution themselves for Macs that are in their support or genius bar.

    • flitspuit says:

      Maybe a link with pictures

    • Knowing says:

      Removing the Ram does not reset the PRAM on macs 2010 and newer.
      Firmware password will prevent startup functions like resetting the PRAM too.

  13. thomas says:

    works on both intel and ppc by the way!

  14. laceymacker says:

    Can i just tell you how smart this “helpless” computer illiterate woman feeelsssss thanks to your advice on ram = out then pram ????? i am going to the hardware store now to fix a sink….. buwahahahahaahaha ty thomas
    wait….once i get it to the whole purple screen with english at top for language, do i got to utility repair?
    ( which is what i did….then hit repair “mac” and then it took a while but i went BACK to restart in my “Mac” hardrive mode…now the white screen and wheels are a spinnin….should i have boot from network or the hitatchia drive??? please ….considering a year ago, i couldnt email….so no tossing tomatos!!! lol thanks for your help…just wanna get to log in screen

  15. Gordon G says:

    When you say “Pull the Hard Disk”, does this erase the firmware password. Or are you suggesting just buying another hard drive? Thanks, Gordon

    • Cody says:

      Well all you have to do is just remove your L-Bracket and place the hard drive back in. The L-Bracket is what the firmware password is on so you can reset it

  16. hilmela says:

    thanks dude… it work on me..

  17. Trevwa says:

    Thanks a lot to the poster for putting up this thread. I have solved a problem for a customer’s Mac BookPro. it was having the problem of booting to nothing but a grey folder with an question mark. [i run a hobby pc repair business]
    Im new at macs but figured out how to bring up the boot menu. However it has (and still does) a password on it.

    I drained the battry [the battry cannot be taken out] removed the ram and booted up without it. Then I put one stick back in and then turned it on and put in my OS X Snow leopard Disc. Then holding down control the boot menu came up. I booted from the disk and it all got sorted.

    We had tried everything to fix this and thank god its over. I had given up several times. Thanks for the winning piece of reaserch that got me through it.

    [I found all the torrents for the OS X useless and had to pay for a legit Disc. Im not sure on the .dmg files out there but they require a mac to burn. I couldnt get the burning programs like power ISO to do it on a pc. ]

  18. Luc says:

    This will work for PPC, because firmware lock does not block CMND+OPTION+P+R, however on intel this doesn’t work, checking on the apple website there is a chart that outlines what is blocked on intel and what is blocked on ppc, and unfortunately, it blocks every useful thing.

  19. shuiji says:

    Macbook *white Late 2009 (INTEL)

    Done as written above….

    It works….

    thanks man!!!

  20. Christian says:

    I really want to say thank you for this thread
    I was desperate and didnt know what to do
    I did what you and my macbook comes alive again
    THANKS

  21. olly says:

    HELP! I am on an EMac, with the padlock issue and firmware password request. I have not set up a firmware password, so is there a default one I need? Thanks to anyone who can help.

  22. Dave Garten says:

    I’m pushin’ 60 and still tryin’ I could use a bit more information. I bought a headless Xserve (early 2008) with RAID and a blank 300GB SAS drive hoping to get Lion up and running. When I pop in an SL DVD, it gives me nada. I tried a Leopard Server disk and it presents me with eight steady system activity lights. I’m thinkin’ the EFI Firmware password is set and I can’t get this ballon to float (DVD offline). I tried pulling RAM and restarting with Command Option+P+R. I got all 16 lights on the front panel off then on several times, let go to restart, and then nada.
    Is there some magic combo of “set the startup parameters (startup options using front panel button-ology), pull the RAM, hold down a bunch o’ keys, pull the button cell, win – win -win!? If you can help, I’d appreciate any hints ou can offer. dgarten at nova dot org. :-\

  23. Greg says:

    I love you

  24. Ariel Arias says:

    i was make the methods , imac work thanks a lot

  25. [...] CD or even in single user mode. Someone with bad intentions could still bypass it, but it would require quite a bit of alone time with your hardware. So, for best results, you’ll probably want to have both layers of protection: encrypt your [...]

  26. Parker says:

    Thank you so much!!

  27. mac.since.2010 says:

    Does not work with MacBook Pro A1278 Unibody(2010). I have tried at least 7 times and still not able. Followed instructions to a T. Please somebodyHELP!!!!

  28. Scoot K says:

    With the Thunderbolt models of Macs, this bypass feature is now gone. Sorry!

  29. Valer says:

    Is it possible to unlock the firmware password Macbook Pro(Late 2011)?

  30. Troy says:

    absolutely does not work on a unibody aluminum macbook – in fact the descriptions above don;t make any sense – if you pull the ram then the macbook beeps forever regularly regardless of any keys you press (by the way that alt command P R cobination is only for PPC Macs – if you think it worked on an Intel then you’re mistaken – it was some other action like just pulling the ram or battery – that command is for the open firmware version only on a ppc ) – and how would the Mac boot into a login screen before putting the ram back in???
    come on guys , know your stuff before you advise !!!!

    • Leland Hendrix says:

      “absolutely does not work on a unibody aluminum macbook – in fact the descriptions above don;t make any sense – if you pull the ram then the macbook beeps forever regularly regardless of any keys you press (by the way that alt command P R cobination is only for PPC Macs”

      I’m afraid you’re wrong.

      COMMAND+ALT+P+R actually DOES work on intel-based, EFI machines. My Unibody MacBook Pro, 27″ iMac, Unibody Mac Mini, and MacBook Air, ALL USE this boot command. It resets PRAM–also known as PARAMETER RAM SETTINGS.

      It is the COMMAND+ALT+N+V that works only on PPC, and that is known as resetting NVRAM, or Non-Volatile Ram Setrings, for older machines’ logic boards.

      When you boot an Intel/EFI Mac holding cmd alt p r, you get a chime, indicating that the contents have been reset. Repeating the process three times, clears even more parameters.

      However, clearing the PRAM does not specifically mean that you have cleared a firmware password. Also, the RAM on the MacBook Air is non-removable.

      This, however, does NOT

    • Leland Hendrix says:

      Also, when they describe the login screen, I believe they are referring to the firmware password login and not the actual Mac OS X login screen. But you’re right about leaving out the RAM, the machine isn’t going ANHWHERE without RAM installed.

  31. iMac mid 2011 says:

    I’ve try many time with cmd option p r on the new imac mid 2011 unsuccessfully. Any other way around?

    • Coldhead says:

      The new imacs/MBP’s are virtually impossible to get past the firmware-password point. But i have found out a way around this but it does require a ‘PC’ . First i saved everything i wanted off my mac externally. The reason i have involved a windows computer btw is that, the imac/MBP’s hdd use SATA cable connection. so i pulled it out of my macbook pro and put it in my PC. My macbook hdd is a seagate 320gb and what i did was, i dowbloaded UBCD and used that to wipe the macbook hdd with my PC. because i did not have the OSX anymore for my mac(because i had just wiped it) i just redownloaded it from thepiratebay.se. now i have a firmware password-free computer ^_^ and also no restrictions. Life Is Good.

      • Dave says:

        Hey Coldhead, could you please elaborate how you or what you did. And does this work on 2011 Imac’s? thnx

        • Leland Hendrix says:

          I agree…that doesn’t make a lot of sense to me. Doing something to the HDD doesn’t change the firmware…

      • Alex says:

        I just tried doing exactly what you did. It doesn’t work!!

        I heard the passwords are saved in the bios, so erasing the hard drive has no effects whatsoever.

  32. Kay says:

    Coldhead or Dave could you please describe step by step how you did that? I have macbook unibody and this firmware password and don’t know what should I do. thnx

  33. Biocobi says:

    Sorry folks but there is no way to by pass lock screen (EFI) if you have got a new mac (air, book pro, or what ever) since early 2011. The main reazon is that every singel password is saved in to the bios (i know, i know…) well the little chip that serves as a bios (still it is actually a bios) that you have to remove and then get a new flashed one.

  34. Nathan says:

    All of you who are complaining that this is a security flaw on Macs are naive, and by making an accusation that Apple has somehow failed by allowing this is simply foolish.

    It is very easy to get around the BIOS (firmware) passwords on PC’s, too.

    Such “holes” have a purpose. For instance, an angry employee could set up such a password on a computer and disable various devices on it, making in effect making it an expensive pile of junk. Sure, you could pull the hard drive, but the rest of the computer would still be worthless as a machine. By being able to bypass the firmware password, one can prevent such a thing from ruining the computer.

    The number one rule of computer security is to not allow physical access to your computer, because almost anything can be done to it then. Why else do you think businesses have locks on the doors to their server rooms?

  35. jdub says:

    worked like a charm on my mac mini!!!!

    thanks!!!!!

    • Leland Hendrix says:

      Could you please post the year/model of your Mini? That would help folks determine if it might work on theirs.

  36. Big_DEvil says:

    It is not working at all..
    I have Macbook pro, this process is not working.
    cmd+p+r after removing the Ram. re install the Ram after the beb sound. it is not working.

  37. Vino says:

    I spent more than 24 hours whith issue. I did remove the logic bord battery, hard disk and almost deassemble the whole iMac but unfortunately nothing happened.

    Finally removed all the ram and power on the iMac then hold the power to off then put the ram back and powered on now every think clear :)
    Thank God

  38. Chris says:

    Seems to have worked on a Black 2007 MacBook or at least I can get to the Options screen now to select a startup disk. I think the HD crapped out and the firmware password is unknown on this teachers MacBook, before my time and not documented anywhere. Now if only I can get it to boot off disk or external drive to backup her files. She may have to learn another lesson! They never learn!

  39. Sweat says:

    Great writeup I have tried alot of other fixes and none of them mentioned taking the battery out. It worked like a charm. Thanks again and great , great, great…

  40. Rob says:

    I have a Macbook Pro 15inch Mid-2012 macbook pro. I purchased from the auction a while back, but after fixing the LCD now and turning it on for the 1st time, I just saw a screen where it tells;

    “Enter your system lock PIN code to unlock this Mac.”

    I look in box but cannot locate a pin.
    Does anyone know how to fix it?

    My closest Apple store is 3 hours away and I am located in Abu Dhabi

    Model – Apple MacBook Pro (15-inch, mid 2012)

    All help is greatly appreciated

    Thanks

    • nacerabdrabou says:

      hey rob, all you need is just :
      1-remove a stick of ram
      2-remove battery
      3-stick the ram back in
      4-battery back in
      5-boot back up by: turned on your Mac computer then: holding cmd+alt+p+r for three times, let boot up.
      oups firmware password deleted :D
      here we go salem alikoum greeting from Algerian muslim ;)

  41. Marcos says:

    anyone know what to do in case of macbooks where memory is soldered on the motherboard?

  42. Samir says:

    Dear Nacer and others,

    I also have the same problem as described above. I bought a Macbook Air 2012 from a auction. I tried it and everything seems to be well. But after using it one day I tried to log in to iCloud and the Macbook Air shutted down and started up with the message: ‘Enter you system……….Mac”

    I really hope someone can help me as I can’t get in contact with the previous owner anymore. I have been searching for a week on the internet for a solution but couldn’t find an answer. Could you pleasseeee tell me how to solve this problem.

    In case (it would be easier or)I would need another Macbook air to use for solving this problem I could borrow the one of a friend (2011).

    PLEASE help me as I really need to use the Macbook soon and it already cost me a lot.

    Thanks a lot,

    Salam ou allaykum

    Samir

  43. Samir says:

    By the way,

    I got it with a clean install of OSX Lion so I didn’t had to Install OSX again. But now as it is locked I tried to boot from an external drive, I also get an Firmware password that have to be used. So this means I have the Pinlock and the Firmware password that are blocking me from using the Macbook air (2012)

    Samir

  44. Marcos says:

    Hello Samir, got anything?

    Thanks

  45. Samir says:

    No, nothing at all….

    I really don’t know what to do to solve this problem.

    can someone help me?!?!?!

    Samir

  46. AlexNik says:

    Learn what to do if you no longer remember the firmware password that you’ve set or if you see a password dialog when you try to select a startup volume on a MacBook Air (Late 2010) and later, MacBook Pro (Early 2011) and later, iMac (Mid 2011) and later, or Mac mini (Mid 2011) computer.

    Only Apple retail stores or Apple Authorized Service Providers can unlock these computers protected by a firmware password.

    If you cannot remember the firmware password for your Mac, schedule a service appointment with either an Apple Retail Store or an Apple Authorized Service Provider. If you plan to visit an Apple Retail store, please make a reservation at the Genius Bar using http://www.apple.com/retail/geniusbar/ (available in some countries only).

    For the MacBook Air (Late 2010) and later, MacBook Pro (Early 2011) and later, iMac (Mid 2011) and later, and Mac mini (Mid 2011):

    Use the new Firmware Password Reset scheme:

    Start up the computer to the password entry screen by pressing and holding the Option key.
    Press the key sequence Shift + Control + Command + Option + S at this screen. A one-time use “Hash” code will appear. The code is case-sensitive, so provide TSPS with the Hash exactly as it appears on the customer’s screen.
    Shut down the customer’s computer.
    Contact TSPS via chat. Select Yes for the pre-chat question regarding firmware reset and provide the Hash to the advisor assisting you.
    TSPS will provide a signed binary file to be copied to a USB storage device (such as a flash formatted FAT or a USB hard drive with Mac OS Extended with GUID partition table).
    Insert the drive into the computer while it is off.
    Start up the computer while pressing and holding the Option key. Continue holding the Option key until the boot picker in EFI appears and confirm the password has been removed.
    Note: If the computer does not start up without the password prompt after following these steps and while you are holding down the Option key, either the Hash was provided incorrectly to TSPS or the file did not read off the drive successfully. The file may have been read correctly but confirmed it does not belong in the computer. Work with TSPS to troubleshoot these issues if necessary.
    This process is completely non-destructive to data or settings on the target computer.

    Note: If a customer has multiple computers with this issue, TSPS can handle up to 500 in one file. To escalate multiple computers, follow the steps above with the following additional step:

    Provide all the Hash keys in a new-line delimited text file (not RTF, but pure plain text) with no new line at the end. These files can be produced in TextEdit on Mac OS X, or files with multiple entries using vim on the command line.
    For example:
    V400300C1231MED144431A4F414420DDE5F1
    C455300Z555ABJ1118713148F413390ACE341
    C891200J18334D1099A3B6DD004E3F1A0122
    (No new line after the last entry.)

    After you receive the signed binary file from TSPS, use this procedure to reset the EFI firmware password:

    Format a Flash drive GUID partition scheme and Mac OS Extended format. Name it Firmware.
    Drag the binary file named “SCBO” to your Desktop.
    Open Terminal.
    Execute this command in Terminal:
    cp ~/Desktop/SCBO /Volumes/Firmware/.SCBO
    You should get a new line, no errors.
    Execute this command in Terminal:
    cp ~/Desktop/SCBO /Volumes/Firmware/._SCBO
    You should get a new line, no errors.
    Eject the Flash drive.
    Turn off the customer’s computer.
    Insert the Flash drive into the customer’s computer.
    Turn on the customer’s computer while pressing and holding the Option key.
    You should see the lock symbol for a moment, and then the computer should restart to the Startup Manager.
    If you still see a four-digit passcode lock after these steps at startup, reset the NVRAM by holding down Command-Option-P-R while restarting the computer.
    The EFI password is now removed.

  47. StephenJ says:

    I had a 2009 MacBook Pro with this problem. After trying a numb of the techniques mentioned above, without going to the more complex TSPS solution mentioned, I finally came on a combination that worked. I basically removed the two memory chips and then only returned one of them into the other one’s memory slot. This mean’t that I took out half of the memory of the computer. This was obviously enough of a change to the hardware configuration for the computer not to lock up. Consequently I could boot up and get the computer working. My plan is to swap another stick of ram to replace the one I had to take out. Interestingly enough, if I put both memory cards back in the computer still reverts to being locked. When I get around to putting a different memory card in to replace the one I had to take out I will post back here to let you know if it worked. Cheers.

  48. mcmac says:

    To AlexNik and all,

    Hello.

    What is TSPS by the way ?
    Thank you.

    mcmac

  49. Damiani says:

    iUnlockEFI.com can unlock it fast!

  50. Snooper69 says:

    Sorry, this did not work for me. I have tried 3 times accordinbg to the list, but when the three chimes is sounded and let of the keys, it just continues to chime… when connecting it together again the Firmware password dialogue box reappears???

Leave a Reply

 

Shop for Apple & Mac Deals on Amazon.com

Subscribe to OSXDaily

Subscribe to RSS Subscribe to Twitter Feed Follow on Facebook Subscribe to eMail Updates