Decode pre-2011 Apple Mac EFI/Firmware Passwords

On Mac computers it is possible to prevent booting to alternative media which could get around OS X's security.

Post-2011, the only way to reset the password is to take it to Apple to be serviced–they will check the serial number to make sure has not been reported as stolen.

For pre-2011 machines, use the Decoder:

<script type="text/javascript">
	function decode()
	{
		// Get hash text from input
		var hashtext = document.inputform.hashinput.value;
		// Split hash text on % into array
		var hasharray = hashtext.split("%");
		// Remove the first (empty) array element
		hasharray.shift();
		// For each array element:
		// -- take the hex 2-character string and convert to int/binary
		// -- XOR (^) the int with 170 (10101010) (this reverses every other bit)
		// -- convert semi-XORed int to ASCII character
		// -- add the character to plainstring
		plainstring = "";
		hasharray.forEach(function(hashchar) {
		plainstring = plainstring + String.fromCharCode(parseInt(hashchar, 16)^170);
		});
		// Display plainstring
		document.inputform.plainoutput.value = plainstring;
	}
</script>

Decoder

  1. Boot up the Mac and log into an account with admin/root privileges
  2. Open the Terminal app
  3. Run the command:sudo nvram security-password
  4. You should get output like:security-password %fa%cb%d9%d9%dd%c5%d8%ce
  5. Enter the code as displayed (without ‘security-password ‘) into the Hash input text box below and press the Decode button
<form name="inputform">
Hash input <input type="textbox" name="hashinput"> <input type="button" onclick="decode();" value="Decode" /><br>
Plaintext output <input type="textbox" id="plainoutput" >
</form>

Reference

Developed using the information at c|net’s Use the Calculator to reveal a Mac’s firmware password