
Advanced Open Firmware Security

Low level security for PowerPC-based Macs


Triverio Marco
http://trive.110mb.com/
16th August 2006

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike License.

Contents
1 Introduction to Macintosh Security
  1.1 Firewall
  1.2 The Security Pref Pane and FileVault
  1.3 A bullet-proof password
2 Open Firmware
  2.1 High-level security is almost useless
  2.2 History
  2.3 Working with Open Firmware
    2.3.1 GUI tools
    2.3.2 Terminal.app
    2.3.3 OF prompt
3 Open Firmware: going deeper
  3.1 Open Firmware password
  3.2 Some Open Firmware variables
    3.2.1 boot-volume and others
    3.2.2 Single-user mode
  3.3 Booting partitions
    3.3.1 Aliases
    3.3.2 Partitions
  3.4 Banners
    3.4.1 OF Banners
    3.4.2 Login banner
  3.5 Attacking Open Firmware
    3.5.1 Attacks through Terminal.app
    3.5.2 Physical access
    3.5.3 Brute force won’t work
    3.5.4 An amazing bug
  3.6 Troubleshooting your Mac with Open Firmware

1 Introduction to Macintosh Security
Security deserves a lot of attention if you want to avoid unexpected and unwanted situations. Mac OS X Tiger is a powerful OS which brings security closer to ease of use than ever before: a lot of interesting options are just a click away from the user.

1.1 Firewall
Let’s consider the firewall: open “System Preferences.app” and choose the “Sharing” pane. Through the “Services” tab it’s easy to allow or disallow FTP or SSH access, SMB, document sharing and many other common services; in the same easy way you can personalize the behavior of the firewall: just click on the “Firewall” tab and you will be able to choose which ports ought to be open or closed. The “Advanced” button lets you block UDP traffic and turn on “Stealth mode”, in which any unexpected packet is discarded (this actually stops ping from working).
Apple’s solution is well integrated into the operating system and easy to use, but it does hide many useful options; as an alternative you may consider ipfw (the command line tool that actually configures the firewall) or FireWalkX, a shareware GUI (http://www.pliris-soft.com/products/firewalkx/index.html).

Figure 1: Sharing preferences pane

1.2 The Security Pref Pane and FileVault
Another interesting thing in Tiger is the “Security” preferences pane, which is a sort of shortcut to many security options: through this pane you can make your Mac ask for a password when waking from sleep or leaving the screensaver. Moreover, you might want to disable automatic login or make your Mac log out automatically after N minutes of inactivity (5 <= N <= 960).
One of the most useful security options is FileVault, which keeps the user’s home directory encrypted at all times; this way, even if your hard drive gets stolen, your documents cannot be read without knowing the password. This is wonderful, since all the options considered before can be bypassed given physical access to the machine. The home directory is encrypted with AES-128 (Advanced Encryption Standard with a 128-bit key), which causes a difference in performance that is hardly noticeable (except when using applications such as GarageBand, which make heavy use of the hard disk). To enable FileVault you first have to set a Master Password (which can recover the home directories of users who have forgotten their password) and then click on “Turn on FileVault...”: all the files in your home directory will be encrypted and will be automatically decrypted after login. This feature is almost transparent to the user.
To tighten the security of your Mac even more, disable Automatic Login from the Accounts preference pane (in the Login Options section).

Figure 2: Security preferences pane

1.3 A bullet-proof password
What about passwords? A good password is usually a good sign. How should you choose one? Well, all you need is to be unpredictable and, of course, not to tell your password to anyone.
Let’s see a few tips to get a password which:
• is long
• is pseudo-random (or at least makes brute-force attacks useless)
• contains hard-to-guess symbols
An interesting idea is to find a sentence you like and build a password from it; let’s say you like the sentence
"Life is too short to use Windows"
The first idea to make the password really hard to guess is to keep the capital letters; since the password would be very long to type, we could also keep only the initial letter of every word. So far we get
"LitstuW"
Replacing “to” and “too” with “2” we get:
"Li2s2uW"
To evaluate how strong a password is you can use a small utility by Apple: open “Keychain Access”, which is in /Applications/Utilities, and select “Change Password for Keychain xxx...” from the Edit menu. Click on the little key on the right and type the password whose strength you want to check: it will say how safe it is and will even give a few tips! Our password is fine, but it certainly could be longer; you could use another sentence, for instance one from a song you like... the only limit is your imagination!
Last but not least: it’s always good to change your password every now and then.

Figure 3: Security preferences pane

2 Open Firmware
2.1 High-level security is almost useless
We have had a quick look at the security options available from the GUI: they can be defined as “high-level options”. But they are not enough, since they don’t protect against physical threats, for example:
• [power button held down for 5 seconds] hard-resetting the computer makes sleep and screensaver passwords useless
• [pressing C during boot] booting the computer from a CD/DVD allows the root/admin password to be reset; when booting from the Mac OS X install disk, just click on the “Installer” > “Reset password...” menu and you’re done
• [pressing COMMAND+S] booting in Single User Mode allows an attacker to browse the hard disk with root privileges
• [pressing T] booting in Target Disk Mode and connecting the attacked Mac via FireWire to another Mac allows an attacker to browse the hard drive comfortably from his own Mac.
What to do to prevent all of this? You just need to turn FileVault on and use Open Firmware wisely.

2.2 History
Open Firmware was born in 1988 at Sun Microsystems and is defined by the IEEE 1275 standard; it was adopted by Apple, which used it on its PowerPC-based Macs. With the introduction of Intel-based Macs, Open Firmware is no longer used by Apple: it has been replaced by EFI (Extensible Firmware Interface), which has similar features but offers a more granular architecture.

2.3 Working with Open Firmware
Open Firmware is to the Mac what the BIOS is to PCs: after hardware initialization, it handles the early stages of the boot process. But Open Firmware offers a much broader environment to work in: it is even possible to write applications for OF (see www.macosxinternals.com)!
Open Firmware stores its settings in a non-volatile memory called NVRAM: the default partition to boot from, the sound output level, the security level (more on this later), the OF password, etc.
You have three options to interact with Open Firmware:
GUI tools: let you only set the Open Firmware password
Terminal.app: lets you set every NVRAM variable
Open Firmware prompt: lets you discover OF completely

2.3.1 GUI tools
The most famous GUI tool to interact with Open Firmware has been developed by Apple: its only purpose is to set an Open Firmware password and stop unauthorized access to the Mac. It can be downloaded from http://docs.info.apple.com/article.html?artnum=120095
It’s an easy and well documented tool, so we won’t cover it here.

2.3.2 Terminal.app
The nvram command can be used to show and set every Open Firmware variable;
the general syntax is:
sudo nvram variable="newvalue"
We will see an example of usage at the end of the article; you may obtain
more information typing
man nvram

2.3.3 OF prompt
Why should you limit yourself? Interacting directly with Open Firmware opens
many doors and that’s why we are analyzing the OF prompt in the next section.

3 Open Firmware: going deeper
3.1 Open Firmware password
The only way to really get in touch with OF is to gain access to its prompt. To do this, reboot your Mac and press COMMAND+ALT+O+F after hearing the startup sound.
On an iMac G4 this is what you should read on screen:
Apple PowerMac4,5 4.4.5f3 BootROM built on nn/nn/nn at hh:mm:ss
Copyright 1994-2002 Apple Computer, Inc.
All Rights Reserved.

Welcome to Open Firmware, the system time and date is: hh:mm:ss nn/nn/nn
Command security mode.

To continue booting, type "mac-boot" and press return.
To shut down, type "shut-down" and press return.

ok
0 >

You can obtain nice information from this welcome screen, such as what kind of Mac you’re using, what security mode is set, etc.
Open Firmware also suggests two commands, mac-boot and shut-down, to boot the OS or to turn the computer off. As you can see, Open Firmware is not password protected! What you need to do is set a password; just type
password
and enter the chosen password:
Enter a new password: **********
Enter password again: **********
Password will be in place on the next boot! ok
But this is not enough: you also have to set a level of security, which is stored in an NVRAM variable called “security-mode”.
The available levels are:
no-password: access to Open Firmware is completely disabled.
none: this is the default option for PowerPC-based Macs; the OF password will never be asked for (even if it has been set with the password command).
command: OF will ask for a password when trying to:
• boot from CD [C]
• boot from a NetBoot server [N]
• boot in Target Disk Mode [T]
• boot in Single User Mode [COMMAND+S]
• reset PRAM or NVRAM (reset-nvram and reset-all from the OF command line)
• enter the bootloader [ALT]
full: this is the option I have chosen for my Mac. OF will ask for a password every time the Mac starts up or wakes from hibernation (be careful: not sleep!!).
We have said that security-mode is an NVRAM variable. The general syntax to edit the value of an NVRAM variable is (note the spaces):
setenv <variable> <value>
for instance
setenv beans 3
That’s what we will write:
setenv security-mode command
or
setenv security-mode full
depending on the security mode chosen.

3.2 Some Open Firmware variables
To show the complete list of NVRAM variables, type:
printenv
The output is laid out in three columns: the first gives the name of the variable, the second its current value and the third its default value.
DON’T EDIT NVRAM VARIABLES YOU DON’T KNOW THE MEANING OF. YOU MIGHT DAMAGE THE LOGIC BOARD OF YOUR MAC.

3.2.1 boot-volume and others
As you might have noticed, there are many other variables which can be really useful. Some of them are:
boot-volume: this variable lets you modify the volume of the startup sound; so, if you want to mute it, type:
setenv boot-volume 0
auto-boot?: if set to true, regardless of the security-mode, this will make your Mac boot into Open Firmware every time you turn it on (sleep excluded).
security-#badlogins: this variable (which exists only if security-mode is command or full) counts the times someone has typed a wrong Open Firmware password.
boot-script: if use-nvramrc? is set to true, the script created using the Open Firmware nvedit command will be executed: be very careful!

3.2.2 Single-user mode
The boot-args variable contains the arguments to be passed to the kernel during the early stages of boot.
boot-args can have two values:
-s makes your Mac boot in single-user mode;
-v makes your Mac suppress the graphical startup in favor of white text on a black background.
Booting in single-user mode is always possible given physical access to the Mac and security-mode set to none (the default on every PowerPC-based Mac) or no-password: pressing COMMAND+S after hearing the startup sound gives the user access to any file on the filesystem; you can even change a user’s password by typing
passwd username
For example:
# passwd root
Changing password for root.
New password:
Retype new password:
Of course, this is a great option for forgetful users but, at the same time, it represents a real security threat.

3.3 Booting partitions


Let’s say you have multiple installations of Mac OS X (or Mac OS 9) or have
a dual-boot system with Linux; if security-mode is not set to full you can
simply press alt after the startup sound and, within a few seconds, you will be
able to select which OS to boot.
But if security-mode is set to full there’s not much you can do: you have
to use the Open Firmware prompt to choose which partition to boot from.

3.3.1 Aliases
The first important concept you have to learn is aliases.
Open Firmware keeps track of every device connected to the Mac in a structure called the device tree; you can navigate through it using dev and ls (similar to cd and ls on a Unix box); for instance:
dev /
ls
shows the entire tree.
As you can see, devices have quite long names; the internal hard disk, on my iMac G4, is called /pci@f2000000/mac-io@17/ata-4@1f000/disk@0. Luckily, thanks to aliases I don’t have to remember it: /pci@f2000000/mac-io@17/ata-4@1f000/disk@0 can simply be called hd. This is true for almost any device; you can obtain the whole list of aliases by typing
devalias

3.3.2 Partitions
Now let’s imagine this is your partition table:
Partition map (with 512 byte blocks) on /dev/disk0
device        type                 name
/dev/disk0s1  Apple partition map  Apple
/dev/disk0s2  Apple Bootstrap      bootstrap
/dev/disk0s3  Apple UNIX SVR2      swap
/dev/disk0s4  Apple UNIX SVR2      boot
/dev/disk0s5  Apple UNIX SVR2      debian
/dev/disk0s6  Apple UNIX SVR2      home
/dev/disk0s7  Apple HFS            Macintosh HD
/dev/disk0s8  Apple HFS            Share Partition
A short explanation:
disk0s1: partition map
disk0s2: bootloader; it is needed to boot Linux (which cannot be loaded directly by Open Firmware): it basically shows the list of the available OSes and lets you select the one you want to boot.
disk0s3-6: Linux partitions
disk0s7-8: Mac OS X partition and the share partition.
My default OS is Mac OS X; this means that typing
printenv boot-device
I get:
boot-device hd:07,\\:tbxi
This is because Mac OS X resides on the seventh partition of my hard disk.
Whenever I want to boot Linux I have two options:
1. Modify the boot-device variable and make Linux my default OS; this is accomplished by typing:
setenv boot-device /pci@f2000000/mac-io@17/ata-4@1f000/disk@0:02,\\:tbxi
or more simply:
setenv boot-device hd:02,\\:tbxi
I had to choose the bootloader partition because the Linux kernel cannot be loaded directly by Open Firmware. To boot Linux you still need to type:
mac-boot
or more simply:
boot
The big disadvantage of this option is that it makes a permanent modification to the boot-device variable; what to do if you want to keep Mac OS X as your default OS? Just use option #2!
2. Use the boot command with a parameter, for instance:
boot hd:2,\\:tbxi
This way the boot-device variable is not affected and you can boot Linux with just one command.
What has been said also applies when you want to boot from a CD or from an external hard drive. The general syntax of a bootable device is:
<device>:<partition>,<path><filename>
in which
<device> is the startup device, which can be:
• hd (hard disk)
• cd (CD or DVD)
• but also ultra0 (the first IDE disk) or scsi-int/sd@1 (the second SCSI disk connected to the internal SCSI controller)
• any bootable device
<partition> is the number of the partition, for instance ultra0:4
<path> specifies the path where to look for <filename>; it can be:
• a specific folder written in the form \path\to\folder\, for instance \System\Library\CoreServices\
• \\, the root of the device.
<filename> can be:
• a file, for example BootX
• or ":tbxi", which doesn’t specify a boot file but just makes OF search for a file of type tbxi in the folder <path>.
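The following Python parser, added here and not part of the article, splits a boot specifier of that form into its four parts, tells whether two specifiers name the same target once aliases are resolved, and rebuilds the one-shot boot command; the alias table is constructed from the single hd entry quoted in 3.3.1, and the assumption that device names contain no ':' holds for the article's examples.

```python
"""Parser for Open Firmware boot specifiers <device>:<partition>,<path><filename>,
the syntax used by boot-device and by the boot command (added example)."""
from dataclasses import dataclass
from typing import Optional

# Alias table as devalias would print it; only the hd entry quoted in the
# text is known, so the table is constructed from that single entry.
DEVALIAS = {"hd": "/pci@f2000000/mac-io@17/ata-4@1f000/disk@0"}


@dataclass(frozen=True)
class BootSpec:
    device: str               # alias (hd, cd, ultra0) or full device-tree path
    partition: Optional[int]  # None when the specifier leaves it to OF
    path: str                 # "\\" for the root, or "\folder\" with trailing backslash
    filename: str             # a file name such as BootX, or ":tbxi"

    @property
    def by_type(self) -> bool:
        # ":tbxi" names no file: OF searches <path> for a file of type tbxi.
        return self.filename.startswith(":")

    def canonical(self) -> "BootSpec":
        # Replace an alias by the full device-tree path so targets can be compared.
        full = DEVALIAS.get(self.device, self.device)
        return BootSpec(full, self.partition, self.path, self.filename)


def parse_boot_spec(spec: str) -> BootSpec:
    # Assumption: device names in these specifiers contain no ':', so the
    # first colon separates the device from the partition number.
    device, sep, rest = spec.partition(":")
    if not sep or not device:
        raise ValueError(f"missing device or ':' in {spec!r}")
    part_str, sep, target = rest.partition(",")
    if not sep:
        raise ValueError(f"missing ',' before path in {spec!r}")
    # "07" and "7" both mean the seventh partition.
    partition = int(part_str, 10) if part_str else None
    if target.startswith("\\\\"):
        path, filename = "\\\\", target[2:]          # root of the device
    else:
        folder, sep, filename = target.rpartition("\\")
        path = folder + sep                          # keep the trailing backslash
    return BootSpec(device, partition, path, filename)


def same_target(a: str, b: str) -> bool:
    """True when two specifiers boot the same thing (alias vs. full path, 02 vs. 2)."""
    return parse_boot_spec(a).canonical() == parse_boot_spec(b).canonical()


def boot_command(spec: BootSpec) -> str:
    """Build the one-shot `boot` command that leaves boot-device untouched."""
    part = "" if spec.partition is None else str(spec.partition)
    return f"boot {spec.device}:{part},{spec.path}{spec.filename}"


if __name__ == "__main__":
    for s in (r"hd:07,\\:tbxi", "ultra0:4,\\System\\Library\\CoreServices\\BootX"):
        print(s, "->", parse_boot_spec(s))
    print(boot_command(parse_boot_spec(r"hd:2,\\:tbxi")))
```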

3.4 Banners
3.4.1 OF Banners
Two really interesting variables are oem-banner and oem-banner?, which make OF show a welcome message at the top of the screen: you can use it to print your contact information; this way, if anyone finds your lost computer, he or she may return it to you.
First of all, you have to enable the banner by typing:
setenv oem-banner? true
Now enter the message you want to show:
setenv oem-banner <text>
For example:
setenv oem-banner This Mac is Steve Jobs’ property. If found, please call 555-NNNNNN and you’ll receive a reward in golden iPods
If your security mode is set to full or if auto-boot? is set to false, the banner will be shown every time your Mac starts up (or wakes from hibernation).

3.4.2 Login banner
You can also make your Mac show this text at every login; you just need to edit the file /Library/Preferences/com.apple.loginwindow.plist, adding the text after <dict>:
...
<plist version="1.0">
<dict>
<key>LoginwindowText</key>
<string>This Mac is Steve Jobs’ property. If found, please call 555-NNNNNN and you’ll receive a reward in golden iPods</string>
...
You can also modify the size of the font; just add:
<key>LoginwindowText-FontSize</key>
<real>24</real>
in which you can specify any number.

3.5 Attacking Open Firmware
3.5.1 Attacks through Terminal.app
Terminal.app doesn’t offer complete access to Open Firmware functions, but it has a powerful tool to handle NVRAM variables. The nvram command more or less offers the same possibilities given by setenv and printenv; for example
setenv boot-volume 0
equals
sudo nvram boot-volume="0"
(sudo is needed to set variables, unless you’re root) and
printenv
equals
nvram -p
...Yes, most (but not all!!) of the variables can be read (but not edited) without administrative privileges.
Not all the NVRAM variables are shown using nvram -p; typing:
sudo nvram -p
we will be shown the complete list plus one very interesting element, which is not shown using printenv. Type:
sudo nvram security-password
You will get:
security-password %c3%c4%c4%c3%df
...The password is not encrypted, it has only been obfuscated!
Every character of the password has been:
1. encoded in ASCII
2. XORed with 0xAA.
ASCII creates a simple correspondence between characters and numbers. For example, the character i equals 105 in the ASCII table.
105 has the following binary representation: 0110 1001
0xAA has the following binary representation: 1010 1010
0110 1001 XOR 1010 1010 = 1100 0011
1100 0011 equals 195, whose hexadecimal representation is 0xC3.
...The first character of the password is an i!


Use this table to decode the password (each character followed by the %xx value nvram shows for it; sp is the space character):

sp %8a   . %84   < %96   J %e0   X %f2   f %cc   t %de
!  %8b   / %85   = %97   K %e1   Y %f3   g %cd   u %df
"  %88   0 %9a   > %94   L %e6   Z %f0   h %c2   v %dc
#  %89   1 %9b   ? %95   M %e7   [ %f1   i %c3   w %dd
$  %8e   2 %98   @ %ea   N %e4   \ %f6   j %c0   x %d2
%  %8f   3 %99   A %eb   O %e5   ] %f7   k %c1   y %d3
&  %8c   4 %9e   B %e8   P %fa   ^ %f4   l %c6   z %d0
'  %8d   5 %9f   C %e9   Q %fb   _ %f5   m %c7   { %d1
(  %82   6 %9c   D %ee   R %f8   ` %ca   n %c4   | %d6
)  %83   7 %9d   E %ef   S %f9   a %cb   o %c5   } %d7
*  %80   8 %92   F %ec   T %fe   b %c8   p %da   ~ %d4
+  %81   9 %93   G %ed   U %ff   c %c9   q %db
,  %86   : %90   H %e2   V %fc   d %ce   r %d8
-  %87   ; %91   I %e3   W %fd   e %cf   s %d9

3.5.2 Physical access
As seen, anyone having administrative privileges (and many users at once can be administrators in Mac OS X) has access to the Open Firmware password. But what about non-admin users? Is it possible to skip the Open Firmware password? Yes.
You have two options:
1. You can install this Mac OS 9 app, which shows the password: http://www.securemac.com/openfirmwarepasswordprotection.php#fwsucker
2. Or, if you have physical access to the Mac, follow these steps:
• turn off your Mac and disconnect all the cables
• locate the RAM slots
• remove or add a RAM bank
• start up the Mac and press COMMAND+ALT+P+R (which resets the PRAM)
• add or remove the RAM bank you previously removed or added
• et voilà... no more Open Firmware password!
3.5.3 Brute force won’t work
Open Firmware has adopted a progressive delay technique to discourage brute-force attacks.
Every time the password you type is wrong you will not be able to try again until 2^x seconds have passed, where x is the number of attempts made.
This is a very simple but effective way to make this kind of attack very rare.

3.5.4 An amazing bug
You must be careful choosing your Open Firmware password! Not only must it be hard to guess (yet easy to remember) but, at least on some Macs, it also must not contain the character “U”.
As explained in the Apple Knowledge Base (http://docs.info.apple.com/article.html?artnum=107666), some Macs are affected by this very strange bug; the only solution to the problem is... to avoid this particular character!
List of Macs which are affected by this bug:
• iBook (all models)
• iMac (Slot Loading) and later models
• eMac
• PowerBook (FireWire) and later models
• Power Mac G4 (AGP Graphics) and later models
• Power Mac G4 Cube (all models)
If your Mac just can’t start because of this bug you have two options:
1. Use the method described in the paragraph “Physical access”
2. Use the nvram command from Terminal.app.
Let’s say you want to retain your old password but you want to make every U become u. Type:
sudo nvram security-password
If your password is "Uboot" you should read:
security-password %ff%c8%c5%c5%de
To modify your password to "uboot" simply type:
sudo nvram security-password="%df%c8%c5%c5%de"
In fact %ff represents U and %df represents u.
If you prefer to use a completely new password you can compose one using the table in the paragraph “Attacks through Terminal.app”.
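As an added example (not part of the original article), the following Python code implements the two steps described in 3.5.1, XOR with 0xAA and nvram’s %xx notation, in both directions, and produces the replacement value for the “U” bug just described; the tab-separated sample line is constructed from the "Uboot" example above, and the exact way nvram prints printable bytes is an assumption.

```python
"""Decode and re-encode the security-password value shown by `nvram`.
The stored value is obfuscated, not encrypted: every password byte is XORed
with 0xAA and then written in nvram's %xx notation (added example)."""
import re

XOR_KEY = 0xAA
# Either a %xx escape or one literal character.
_TOKEN = re.compile(r"%([0-9a-fA-F]{2})|(.)", re.S)


def nvram_to_bytes(value: str) -> bytes:
    """Turn nvram's printed form back into raw bytes; literal characters pass through."""
    out = bytearray()
    for hexpair, literal in _TOKEN.findall(value):
        out.append(int(hexpair, 16) if hexpair else ord(literal))
    return bytes(out)


def bytes_to_nvram(raw: bytes) -> str:
    """Print bytes the way nvram does: %xx for anything outside printable ASCII
    (assumption: '%' itself is escaped too, so the text stays unambiguous)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and b != 0x25 else f"%{b:02x}"
                   for b in raw)


def deobfuscate(value: str) -> str:
    """%c3%c4... -> clear-text password (every byte XOR 0xAA)."""
    return bytes(b ^ XOR_KEY for b in nvram_to_bytes(value)).decode("ascii")


def obfuscate(password: str) -> str:
    """Clear-text password -> the value nvram stores and prints.
    Printable ASCII XOR 0xAA is always >= 0x80, so every byte becomes %xx."""
    return bytes_to_nvram(bytes(b ^ XOR_KEY for b in password.encode("ascii")))


def fix_u_bug(value: str) -> str:
    """Replacement value for the "U" bug: every U becomes u, the rest is kept."""
    return obfuscate(deobfuscate(value).replace("U", "u"))


def audit_line(line: str) -> dict:
    """Check one line of `sudo nvram security-password` output (name, tab, value)
    for the problematic character and compute the corrected value if needed."""
    name, _, value = line.rstrip("\n").partition("\t")
    password = deobfuscate(value)
    return {
        "name": name,
        "length": len(password),
        "has_U": "U" in password,
        "fixed_value": fix_u_bug(value) if "U" in password else value,
    }


# Constructed sample line, built from the "Uboot" example in the text.
SAMPLE_LINE = "security-password\t%ff%c8%c5%c5%de"

if __name__ == "__main__":
    print(audit_line(SAMPLE_LINE))
    print(obfuscate("uboot"))   # %df%c8%c5%c5%de
```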

3.6 Troubleshooting your Mac with Open Firmware
From Open Firmware it is easy to reset the NVRAM, which might be useful when troubleshooting your Mac. Simply enter Open Firmware and type:
reset-nvram reset-all
