Use the Calculator to reveal a Mac's firmware password

In Mac systems prior to 2011, you can uncover the Mac's firmware password using the Calculator's ability to manipulate binary numbers.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.
Topher Kessler
4 min read

A firmware password on Mac systems locks the hardware to prevent booting to alternative modes that could bypass OS X security, but in order to access some of these modes you first have to disable the firmware password. While this can be done using Apple's Firmware Password Utility on the recovery drive or OS X installation disc, there may be times when you do not have access to this drive either because it is missing or corrupted, and therefore cannot use the password utility.

Unfortunately in these cases for newer Mac systems shipped in 2011 or later, you have to get the system serviced to reset the password; however, if you own a system from before 2011, then you can retrieve a forgotten password, provided you have admin access to the system.

Firmware Password Utility in the Utilities menu
The Firmware Password Utility is by default in the Utilities menu on the recovery partition or on the OS X install disc, and may not be available if you cannot boot to these volumes. Screenshot by Topher Kessler/CNET

On these systems, the firmware password is stored as a PRAM variable in which the password is simply obfuscated. This means it is run through a very basic conversion that keeps the same character logic of the password and therefore makes the the password illegible without truly scrambling its sequence. In essence this hides the password without encrypting it to any degree, similar to one typing by shifting keypresses to the right by one character to make the input text look garbled. For instance, in doing so if you were to type "MyPassword" then this basic obfuscation routine would produce "<u{sddeptf" as the password.

There is no complex cypher or key used in this scheme, and as a result revealing the password is as simple as reversing this process and shifting each character over one character on the keyboard.

In a similar manner, Apple obfuscates the EFI firmware password when it is stored in the system's PRAM, thereby making it relatively easy to uncover using a few steps, for which you only need the Terminal utility, the OS X Calculator application, and perhaps a text editor depending on the length of the password.

First you will need to get the obfuscated password from the PRAM by running the following command in the Terminal:

sudo nvram security-password

This step requires administrative access, and ensures your password is secured from others who might try accessing your system to get the password. At this point you should see an output similar to the following:

security-password %fa%cb%d9%d9%dd%c5%d8%ce

In the password string, count the number of percent symbols, which are separators for the hex codes that represent a character of your password, where two hex code characters together represent one ASCII text character. Since the Calculator can only handle words up to 8 characters (16 hex characters), if there are more than 8 symbols, then you will have to split the password up and convert in sections.

Therefore, copy the security password output from the Terminal to a text editor and delete the percent symbols in it, followed by splitting the password string at every 16th character. After this, perform the following steps on each 16-character section:

  1. Open the Calculator and set it to Programmer mode in the View menu or by pressing Command-3.
  2. Copy one 16-character section of your password and paste it into the calculator. You should see its binary equivalent shown below the yellow-green display, and also see its ASCII-text representation at the bottom-left of the display (you may have to click the "ASCII" button to reveal this).
  3. Starting with the first bit in the binary output (the one furthest from the blue zero at the right), reverse every other bit by clicking its corresponding 1 or 0. For example, if you see "1010 0101" then change it to "0000 1111."
    Each ASCII character of the password will be a group of eight bits (a "byte"). Each of the two hex values that represents one of these characters is a group of four bits (a "nibble"), giving 16 possible combinations for a nibble. Hexadecimal numbering goes from 0 through 9 and then continues with A through F, giving 16 possible values to represent the combinations of a nibble.
Firmware password decoding in the Calculator
In this case, half of the password has been converted by clicking every other bit in the binary code to convert it to the opposite value. To reveal the rest of the password (in this case being "Password") one would continue at the point of the arrow (the half-way point) and click every other bit to likewise switch it. When finished the password will be revealed in the ASCII text area of the calculator display. Screenshot by Topher Kessler/CNET

As you do this reversal of every other bit, you will see the ASCII output in the calculator reveal your password, or at least the section of it that is represented by the 16-character segment being operated on. Write down the revealed text password and then repeat this process for additional segments of the password, after which you should have your firmware password.

Another method for doing this in Calculator is to enter the password hex string and then click the "XOR" button, followed by typing in all "A" characters.

The ability to perform this procedure may at first sound concerning since it can reveal a password and seems like a relatively easy way to do so; however, since it requires administrative access to get the obfuscated password in the first place, if you do not want someone revealing it then do not give them administrative access to your computer.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.