You can now remove the firmware password (+ erase all data) on a T2 Mac without Apple Support if you forgot it.
Discover the evolution of firmware passwords on Intel Macs and learn a new method to remove the password and erase data on 2018-2020 T2 Macs. (Jump to section 6)
NOTE: This information is only for 2006-2020 Intel Mac computers. Apple Silicon M1 Mac Devices do not have a firmware password.
I will also go over my recommendations on how you can protect your data at the end of this article.
I will answer the following questions.
- What does setting a firmware password on a Mac do?
- What are the differences in firmware passwords from the following years – 2006-2010, 2011-2017 & 2018-2020?
- How do you set the firmware password in recovery?
- How to Enable & Disable Firmware Password in macOS.
- What can you do if you forget the firmware password?
- How to remove the firmware password with Apple Support.
- Removing the firmware password on a T2 Mac with Apple Configurator 2.
- How long was this new way possible? Does anyone at AppleCare know about this?
- What does this mean for education, small & large companies, home users, computer recyclers, and criminals?
- What does Apple think about this?
- How can I protect my Data on an Intel and M1 Mac?
1. What does setting a firmware password on a Mac do?
The firmware password was designed to protect your Mac. This mode protects against someone who wants to get your data. They can’t boot into target disk mode or recovery to access your files.
Long story short, if your Mac lands in the wrong hands and you do NOT have the following items enabled, all your data is at risk!
- Firmware Password
- FileVault 2 Encryption
- Activation Lock / Find My Mac
A person could access your data via Target disk mode or macOS Recovery, even if they do not know your user password!
When you set a firmware password, users who don’t have the password can’t start up from any disk other than the designated startup disk.
https://support.apple.com/en-us/HT204455
The Apple article below details different startup modes.
https://support.apple.com/en-gb/HT201255
If you enable the firmware password, the following startup items are disabled.
- Target Disk Mode – (T)
- Netboot (N) – (Remember Netboot?)
- Single User Mode – (Command S)
- Verbose Mode – (Command V)
- Eject CD-ROM or DVD – (Eject Key)
- Safe Mode – (Shift Key)
- Reset PRAM – (Option-Command-P-R)
- Hardware Diagnostics – (D)
The following startup options will work, but you will be prompted for the firmware password.
- Recovery Mode – (Command R)
- Internet Recovery – (Command Option R or Command Option Shift R)
If you have the firmware password enabled and you hear someone say “I reset the PRAM” …. NOPE!!!
2. What are the differences in firmware passwords from the following years – (2006-2010), (2011-2017) & (2018-2020)?
- (2006-2010) – The firmware password could be removed by removing the battery, one stick of ram, and resetting the PRAM 3 times.
- (2011-2017) Apple changed this when they soldered the memory to the logic board. The only way to remove the firmware password was to contact Apple.
- (2018-2020) Apple added the T2 security chip. The chip runs an operating system called BridgeOS. This OS software can now be re-installed or updated using a 2nd Mac and Apple Configurator 2. You now need to be an admin user that has a SecureToken to access the Startup Security Utility menu to set and remove the firmware password.
3. How do you set the firmware password?
The firmware password can be set in three different ways.
https://support.apple.com/en-us/HT204455
1. Enable from macOS Recovery.
   - Start up from macOS Recovery.
   - When the utilities window appears, click Utilities in the menu bar, then choose Startup Security Utility or Firmware Password Utility.
   - Click Turn On Firmware Password.
   - Enter a firmware password in the fields provided, then click Set Password. Remember this password.
   - Quit the utility, then choose Apple menu > Restart.
2. Use the firmwarepasswd binary – sudo firmwarepasswd -setpasswd
3. Turn on “Find My” through iCloud, which enables the firmware password & Activation Lock.
4. How to Enable & Disable Firmware Password in macOS?
You can enable and disable the firmware password inside macOS using Terminal.app.
- 1. sudo firmwarepasswd -setpasswd = Set a new password
- 2. sudo firmwarepasswd -check = Check whether a password is set
- 3. sudo firmwarepasswd -verify = Verify your password
- 4. sudo firmwarepasswd -delete = Disable the password
5. What can you do if you forget the firmware password?
You will need to contact Apple. Apple will verify proof of ownership and also ask to verify your identity.
Let’s say a person sold you a Mac with a firmware password on Craigslist. Sometime later you need to enter macOS Recovery, only to find the firmware lock. You are out of luck if you have a 2011-2017 Mac. You will not be able to find the previous owner and you do not have proof of ownership.
6. How to remove the firmware password with Apple Support.
If you have proof of ownership, Apple can remove the firmware password and retain your data for Mac Devices from 2011-2020. They will walk you through a process (Shift-Control-Option-Command-S) that will show you a code that you can give the Apple support agent. The agent will use that code to send you a file so you can create a USB boot disk that will remove the firmware password.
You can take a look at this great article for a super deep dive into the firmware password setup. > https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/
7. Removing the firmware password on a T2 Mac with Apple Configurator 2.
Sorry that you had to scroll this far to get to the point of this article. With all the talk about how the firmware password option was removed from M1 Mac Devices, I wanted to explore a little history first.
If you need to remove the Firmware password from a T2 Mac, all you need to do is Restore BridgeOS with a 2nd Mac and Apple Configurator 2.
What does an Apple Configurator 2 “Restore” do on a T2 Mac?
- Erase the entire SSD (Macintosh HD & macOS Recovery)
- Clear saved NVRAM settings, e.g. stored Wi-Fi
- Reset any previous Secure Boot Settings back to default
- Reinstall BridgeOS with the latest version available from Apple.
- Remove the Firmware Password, if it was previously set.
NOTE!!!! This only works with a “RESTORE FULL ERASE”, not a “Revive”. A Revive will retain your data and only reinstall BridgeOS. That option will not remove your firmware password.
You can follow my instructions here > https://mrmacintosh.com/how-to-restore-bridgeos-on-a-t2-mac-how-to-put-a-mac-into-dfu-mode/
This process is very close to the new M1 Apple Silicon Mac “Erase Mac Process”. The difference is that macOS Recovery is still available after the process, so you can easily reinstall macOS.
8. How long was this new way possible? Does AppleCare even know about this?
I am always testing new ways to break and fix macOS. When I first confirmed that this new way worked, I was pretty surprised to say the least.
To find out, I tested with Apple Configurator 2 version 2.7.1 from 2019.
Yup, worked
It is very possible that AC2 was removing the firmware password during the BridgeOS restore since the very beginning.
After all this time, did AppleCare even know about this option? Apple’s own instructions only refer to the steps to contact CSS support to remove the password via firmware hash / USB drive.
9. What does this mean for education, small & large companies, home users, computer recyclers, and criminals?
Let’s go over a few situations.
This new process does NOT disable or remove Activation Lock.
If you use the firmware password to protect your data – technically you are fine, because the AC2 Restore process will remove the firmware password & erase all of your data.
If you are a small business or education institution that is relying on the firmware password but does not have Activation Lock enabled – you are most likely trying to prevent students or employees from stealing the Mac and then erasing your configuration and reinstalling macOS. The other problem is that (unlike iOS) a person can bypass the Mobile Device Management screen. In this case, the Mac is long gone.
If you are a computer reseller or recycler. This is GREAT news for you. You can now wipe the firmware password and reinstall macOS.
10. What does Apple think about this?
I reached out to Apple and asked them. The response was that this is expected.
Apple recommends enabling Activation Lock on Macs with the T2 security chip (2018-2020)
11. How can I protect my Data on an Intel and M1 Mac?
I agree with Apple’s recommendation, enable Activation Lock.
Additionally, you should also enable FileVault 2.
Enabling FileVault on a T2 Mac with macOS Catalina or newer will prevent an unwanted user from accessing your data in recovery.
If you didn’t turn on a firmware password and did not enable FileVault Encryption, your data is WIDE open in macOS recovery. One interesting note, if FV2 is not enabled you will still be prompted for a password in Target Disk Mode.
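To check the three protections discussed in sections 4 and 11 on a given Mac, here is an added example (not part of the original article) that classifies the output of sudo firmwarepasswd -check, fdesetup status and system_profiler SPHardwareDataType. The sample outputs are constructed, the function name audit_mac is hypothetical, and the "Activation Lock Status" line is assumed to appear as it does on macOS Catalina or later.

```shell
#!/bin/sh
# Added example. On a real Mac, capture the three inputs with:
#   sudo firmwarepasswd -check
#   fdesetup status
#   system_profiler SPHardwareDataType

fw_enabled() { printf '%s\n' "$1" | grep -q '^Password Enabled: Yes'; }
fv_enabled() { printf '%s\n' "$1" | grep -q '^FileVault is On'; }
al_enabled() { printf '%s\n' "$1" | grep -q 'Activation Lock Status: Enabled'; }

# audit_mac FW_OUT FV_OUT HW_OUT -> prints one DATA-* line and one DEVICE-* line
audit_mac() {
    fw=no; fv=no; al=no
    if fw_enabled "$1"; then fw=yes; fi
    if fv_enabled "$2"; then fv=yes; fi
    if al_enabled "$3"; then al=yes; fi

    # Data exposure: who can read files via Recovery or Target Disk Mode.
    if [ "$fv" = yes ]; then
        echo "DATA-OK: FileVault is on"
    elif [ "$fw" = yes ]; then
        echo "DATA-PARTIAL: firmware password gates Recovery and Target Disk Mode, but FileVault is off"
    else
        echo "DATA-EXPOSED: no FileVault, no firmware password; files are readable from macOS Recovery"
    fi

    # Device exposure: who can erase and reuse the Mac.
    if [ "$al" = yes ]; then
        echo "DEVICE-OK: Activation Lock is on"
    elif [ "$fw" = yes ]; then
        echo "DEVICE-WIPEABLE: on a T2 Mac a full restore clears the firmware password; enable Activation Lock"
    else
        echo "DEVICE-UNPROTECTED: nothing stops an erase and reinstall; enable Activation Lock"
    fi
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_FW='Password Enabled: Yes'
SAMPLE_FV='FileVault is Off.'
SAMPLE_HW='      Model Name: MacBook Pro
      Activation Lock Status: Disabled'

audit_mac "$SAMPLE_FW" "$SAMPLE_FV" "$SAMPLE_HW"
```

The sample describes the situation from section 9: a firmware password without Activation Lock, which the script reports as DATA-PARTIAL and DEVICE-WIPEABLE.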