Bypassing Open Firmware and Getting admin access on MacBook with LDAP

Hi,

Yeah, the longest title ever!
So, this was my challenge today… I needed to get admin access on a mates MacBook Pro. The MBP he has, he got from his work where they use LDAP, their IT department is not stupid and as all large companies usually do they lock the computer so much down you can barely read emails.
So, the quest for today was to flush the computer and re-install the OS… OR to gain admin access to the computer so one could be able to install and do everything anyways.

Well, at first it felt I was out of luck. This computer is a MacBook Pro 7,1 running OSX Snow Leopard 10.6.4. The IT department installed a firmware password so putting in the retail install disk I have and holding down the OPTION key didn’t help me a bit. It just shows the firmware password field. Also, I couldn’t get any root access because this user is not allowed to sudo or anything else remotely related to administrating functions.
Also, a firmware password is much like a BIOS password on a PC. BUT… you cannot reset it using some jumper.

So, what to do? Good thing I have a good friend called Google and search it for ever and ever. Now after 2 hours of searching and trying I finally had some luck. There are a lot of post all around on the internet which help. Many of them refer to the Open Firmware bootup using Command + Option + O + F. This didn’t work for me, neither did the flushing of the PRAM using Command + Option + P + R, because its using OPEN FIRMWARE YOU STUPID! But, it was a nice try. What happens when you refresh the PRAM is that the Open Firmware will be disabled, which is what I needed. More of what doesn’t work is explained here: http://support.apple.com/kb/ht1352

So, what to do? Most of the post found online are ages old and for OSX 10.4 or older. There was even some application called FWSucker, which didn’t help either because it’s to old. There was one post (this one: http://www.securemac.com/openfirmwarepasswordprotection.php) that got me thinking… what other ways would temporarly disable the OpenFirmware? Well, chaning the memory. When chaning the memory it flushes the PRAM

So I armed myself with a screwdriver and removed the 10 screws at the bottom of this beautiful MacBook Pro 13″. I removed 2GB out of 4GB of the memory, and started the machine with the OPTION button pressed down. Now I got the boot menu, BUT… when booting it enables the Open Firmware again. So when you choose the HD or the install disk and then restart the computer again, it will show the lock again asking you for the firmware password if you start holding the OPTION key again.

For some reason the installation didn’t want to start and I got the black screen showing the text that I should restart the computer holding down the power button. I got it after a few minutes. That really sucked, because that meant I couldn’t reinstall the machine.
So, my next option would be to reset the password… but because this machine uses LDAP it needs to send of some information to the server. Now, because Open Firmware was still activated I needed it to drop the password stuff because I removed and put back the memory 4 or 5 times now… this was getting annoying. So I though, if it removes the open firmware after the memory was changed, maybe I could do a reset the PRAM (Command + Option + P + R). So I did. I read that the computer needed to reboot 3 times to force dissable Open Firmware… so, i shutdown the computer, changed memory, held down COMMAND + OPTION + P + R and powered on the computer. The computer restarted 3 times rapidly. I tested to see if the Open Firmware was dissabled, and it was!

So, now I was able to boot into single user mode. I held down COMMAND + S when booting and the computer went straight to Single User mode, which is root automaticly.
I told you that you can’t change the admin or root password because it needs to send some stuff off? Well it couldn’t, BUT what I could do it to edit the /etc/sudoers file. Which I did. To edit this file I had to mount some stuff first… this is was I did:

Type

Type

Type

Type

Now in this file, find “

” and copy it directly beneath. Then change root to your username. I.e. paulp (for me). Save this file and reboot. Now when you login into OSX, open the terminal and write the following:

It will ask you for your password, enter it and you will see something like “

“. Now you are logged in as root. Now you can reset the root password by typing “passwd root”, and it will ask you for your new root password.
Now, you have root access. Whenever the computer asks you to enter the administrator login details, just enter “root” as username and the password you have chosen for root. A simple test would be to open “security” in the system preferences menus. Press the lock in the bottom left corner and try the login. Does it work?

Now I still have one problem left, and that is to format the harddrive… but the disk didn’t want to work… weird.

I hope I helped a lot of people with this.

Cheers,

Paul Peelen

Posted in Apple, Development, Mac, Private & Personal Tagged with: , , , , , , , ,
8 comments on “Bypassing Open Firmware and Getting admin access on MacBook with LDAP
  1. bacon says:

    I thought up the exact same thing a few weeks ago with my firmware locked, school-issued macbook. 2 great minds think alike

  2. Paul Peelen says:

    Yeah, but nice to fix. I heard there are other ways to remove open firmware without having admin access but haven’t found them myself.

  3. Juan says:

    hello paul, i have read your instruction on removing the firmware , but i have no luck, i have a mac-book pro i5 processes, i try to do it so many way and still can open it, i have also install it Ubuntu , and try to do it from the terminal. can you please help me

  4. Juan says:

    I can’t force disable the firmware

  5. Ezequiel says:

    THIS WORKS!!!

    I went to apple… they denied it. I asked if the laptop was
    stolen, the said NO. However, since I didn’t have a receipt it
    was paper weight! It wasn’t stolen… no help!

    I followed this guide and I am glad to say that my
    MacBookPro i7 15″ Mid 2010 now has a MY OWN firmware password!!!

    YOU ARE AMAZING!!!!!!!!

  6. Curt Owens says:

    I followed this but got no luck. I’ll try it again and post you an update if it will be successful the second time around.

  7. Paul Peelen says:

    Thnx! Glad I could help out =)

  8. Paul Peelen says:

    I hope you have found a solution. If not, good luck!

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">

 

Categories