You can now remove the firmware password (+ erase all data) on a T2 Mac without Apple Support if you forgot it.如果您忘记了固件密码,现在可以在没有 Apple 支持的情况下删除 T2 Mac 上的固件密码(+ 抹掉所有数据)。
In this article, I will go over the history of the firmware password on Intel Mac computers. After that, I will show you a new way how to remove the firmware password (and erase your data) on a T2 Mac from 2018-2020. (Scroll to section 6).在本文中,我将介绍Intel Mac计算机上固件密码的历史记录。之后,我将向您展示一种新方法 2018-2020 年在 T2 Mac 上删除固件密码(并擦除您的数据)。(滚动到第 6 节)。
NOTE: This information is only for 2006-2020 Intel Mac computers. Apple Silicon M1 Mac Devices do not have a firmware password.注意:此信息仅适用于 2006-2020 Intel Mac 计算机。Apple Silicon M1 Mac 设备没有固件密码。
I will also go over my recommendations on how you can protect your data at the end of this article.在本文末尾,我还将介绍我关于如何保护数据的建议。
I will answer the following questions.我将回答以下问题。
- What does setting a firmware password on a Mac do?在 Mac 上设置固件密码有什么作用?
- What are the differences in firmware passwords from the following years – 2006-2010, 2011-2017 & 2018-2020?2006-2010年、2011-2017年和2018-2020年固件密码有什么区别?
- How to you set the firmware password in recovery.如何在恢复中设置固件密码。
- How to Enable & Disable Firmware Password in macOS.如何在macOS中启用和禁用固件密码。
- What can you do if you forget the firmware password?忘记固件密码怎么办?
- How to remove the firmware password with Apple Support.如何使用 Apple 支持删除固件密码。
Removing the firmware password on a T2 Mac with Apple Configurator 2.使用 Apple Configurator 2 在 T2 Mac 上删除固件密码。
- How long was this new way possible? Does anyone at AppleCare know about this?这种新方式可能持续了多长时间?AppleCare 有人知道这件事吗?
- What does this mean for education, small & large companies, home users, computer recyclers, and criminals?这对教育、小型和大型公司、家庭用户、计算机回收商和犯罪分子意味着什么?
- What does Apple think about this?苹果对此有何看法?
- How can I protect my Data on an Intel and M1 Mac?如何在 Intel 和 M1 Mac 上保护我的数据?
1. What does setting a firmware password on a Mac do?1. 在 Mac 上设置固件密码有什么作用?
The firmware password was designed to protect your Mac. This mode protects against someone who wants to get your data. They can’t boot into target disk mode or recovery to access your files.固件密码旨在保护您的 Mac。此模式可防止想要获取您的数据的人。它们无法启动到目标磁盘模式或恢复以访问您的文件。
Long story short, if your Mac lands in the wrong hands and you do NOT have the following items enabled below, all your data is at risk!.长话短说,如果您的 Mac 落入坏人之手,并且您没有在下面启用以下项目,那么您的所有数据都将面临风险!
- Firmware Password 固件密码
- FileVault 2 Encryption FileVault 2 加密
- Activation Lock / Find My Mac激活锁/查找我的 Mac
A person could access your data via Target disk mode or macOS Recovery, even if they do not know your user password!即使某人不知道您的用户密码,也可以通过目标磁盘模式或macOS Recovery访问您的数据!
When you set a firmware password, users who don’t have the password can’t start up from any disk other than the designated startup disk.设置固件密码后,没有密码的用户无法从指定启动磁盘以外的任何磁盘启动。
https://support.apple.com/en-us/HT204455
The Apple article below details different startup modes.下面的 Apple 文章详细介绍了不同的启动模式。
https://support.apple.com/en-gb/HT201255
If you enable the firmware password, the following startup items are disabled.如果启用固件密码,则会禁用以下启动项。
Target Disk Mode
– (T)目标磁盘模式 – (T)Netboot
(N) – (Remember Netboot?
)Netboot (N) – (还记得 Netboot 吗?Single User Mode
– (Command S)单用户模式 –(命令 S)Verbose Mode
– (Command V)详细模式 –(命令 V)Eject CD-ROM or DVD
– (Eject Key)弹出 CD-ROM 或 DVD –(弹出键)Safe Mode
– (Shift Key)安全模式 –(Shift 键)Reset PRAM
– (Option-Command-P-R)重置 PRAM –(Option-Command-P-R)Hardware Diagnostics
– (D) 硬件诊断 – (D)
The following startup options will work, but you will be prompted for the firmware password.以下启动选项将起作用,但系统将提示您输入固件密码。
Recovery Mode
– (Command R)恢复模式 –(命令 R)Internet Recovery
– (Command Option R
or Command Option Shift R
)Internet 恢复 –(命令选项 R 或命令选项 Shift R)
If you have the firmware password enabled and you hear someone say “I reset the PRAM” …. NOPE!!!如果您启用了固件密码,并且听到有人说“我重置了 PRAM”......不!!!
2. What are the differences in firmware passwords from the following years – (2006-2010), (2011-2017) & (2018-2020)?2. 以下年份(2006-2010年)、(2011-2017年)和(2018-2020年)的固件密码有什么区别?
- (2006-2010) – The firmware password could be removed by removing the battery, one stick of ram, and resetting the PRAM 3 times.(2006-2010) – 可以通过取出电池、一根内存棒并重置 PRAM 3 次来删除固件密码。
- (2011-2017) Apple changed this when they soldered the memory to the logic board. The only way to remove the firmware password was to contact Apple.(2011-2017) 苹果在将内存焊接到逻辑板上时改变了这一点。删除固件密码的唯一方法是联系 Apple。
- (2018-2020) Apple added the T2 security chip. The chip runs an operating system called BridgeOS.
This OS software can now be re-installed or updated using a 2nd Mac and Apple Configurator 2.
You now need to be an admin user that has a SecureToken to access the Startup Security Utility menu to set and remove the firmware password.(2018-2020)苹果增加了T2安全芯片。该芯片运行一个名为 BridgeOS 的操作系统。现在可以使用第二台 Mac 和 Apple Configurator 2 重新安装或更新此操作系统软件。现在,您需要是具有 SecureToken 的管理员用户才能访问“启动安全实用程序”菜单以设置和删除固件密码。
3. How do you set the firmware password?3. 如何设置固件密码?
The firmware password can be set in three different ways.固件密码可以通过三种不同的方式设置。
https://support.apple.com/en-us/HT204455
Enable from macOS Recovery. 从 macOS 恢复启用。
Start up from macOS Recovery
.从 macOS 恢复功能启动。- When the utilities window appears, click Utilities in the menu bar, then choose Startup Security Utility or Firmware Password Utility.当实用工具窗口出现时,点按菜单栏中的“实用工具”,然后选取“启动安全性实用工具”或“固件密码实用工具”。
- Click Turn On Firmware Password.单击打开固件密码。
- Enter a firmware password in the fields provided, then click Set Password.
Remember this password
.在提供的字段中输入固件密码,然后单击“设置密码”。记住这个密码。 - Quit the utility, then choose Apple menu > Restart.退出该实用程序,然后选取苹果菜单>重新启动。
2. Use the firmwarepasswd binary – sudo firmwarepasswd -setpasswd2. 使用二进制文件 –
3. Turn on “Find My” through iCloud, which enables the firmware password & Activation Lock.3.通过iCloud打开“查找我的”,这将启用固件密码和激活锁。
4. How to Enable & Disable Firmware Password in macOS?4.如何在macOS中启用和禁用固件密码?
You can enable and disable the firmware password inside macOS using terminal.app您可以使用 macOS 中的固件密码启用和禁用 terminal.app
- 1.
sudo firmwarepasswd -setpasswd
= Set a new password1. = 设置新密码 - 2.
sudo firmwarepasswd -check
= Check whether a password is set2. = 检查是否设置了密码 - 3.
sudo firmwarepasswd -verify
= Verify your password3. = 验证您的密码 - 4.
sudo firmwarepasswd -delete
= Disable the password4. = 禁用密码
5. What can you do if you forget the frmware password?5. 忘记固件密码怎么办?
You will need to contact Apple. Apple will verify proof of ownership and also ask to verify your identity.您需要联系 Apple。Apple 将验证所有权证明,并要求验证您的身份。
Let’s say a person sold you a Mac with a firmware password on craigslist. Sometime later you need to enter macOS recovery, only to find the firmware lock. You are out of luck if you have 2011-2017 Mac. You will not be able to find the previous owner and you do not have proof of ownership.假设有人在 craigslist 上向您出售了一台带有固件密码的 Mac。过了一段时间,您需要进入macOS恢复,才能找到固件锁。如果你有 2011-2017 Mac,你就不走运了。您将无法找到以前的所有者,并且您没有所有权证明。
6. How to remove the firmware password with Apple Support.6. 如何使用Apple支持删除固件密码。
If you have proof of ownership, Apple can remove the firmware password and retain your data for Mac Devices from 2011-2020. They will walk you through a process (Shift-Control-Option-Command-S) that will show you a code that you can give the Apple support agent. The agent will use that code to send you a file so you can create a USB boot disk that will remove the firmware password.如果您有所有权证明,Apple 可以删除固件密码并保留您在 2011 年至 2020 年期间的 Mac 设备数据。他们将引导您完成一个过程 (Shift-Control-Option-Command-S),该过程将向您显示您可以向 Apple 支持代理提供的代码。代理将使用该代码向您发送一个文件,以便您可以创建一个 USB 启动盘来删除固件密码。
You can take a look at this great article for a super deep dive into the firmware password setup. > https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/您可以查看这篇很棒的文章,以深入了解固件密码设置。> https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/
7. Removing the firmware password on a T2 Mac with Apple Configurator 2.7. 使用 Apple Configurator 2 删除 T2 Mac 上的固件密码。
Sorry that you had to scroll this far to get to the point of this article. With all the talk about how the firmware password option was removed from M1 Mac Devices, I wanted to explore a little history first.对不起,您必须滚动这么远才能到达本文的重点。随着所有关于如何从 M1 Mac 设备中删除固件密码选项的讨论,我想先探索一下历史。
If you need to remove the Firmware password from a T2 Mac, all you need to do is Restore BridgeOS with a 2nd Mac and Apple Configurator 2.如果您需要从 T2 Mac 中删除固件密码,您需要做的就是使用第二台 Mac 和 Apple Configurator 2 恢复 BridgeOS。
What does an Apple Configurator 2 “Restore” do on a T2 Mac?Apple Configurator 2“恢复”在 T2 Mac 上有什么作用?
- Erase the entire SSD (Macintosh HD & macOS Recovery)擦除整个SSD(Macintosh HD和macOS恢复)
- Clear Saved NVRAM Settings i.e stored WIFI清除保存的NVRAM设置,即存储的WIFI
- Reset any previous Secure Boot Settings back to default将任何以前的安全启动设置重置回默认值
- Reinstall BridgeOS with the latest version available from Apple.使用 Apple 提供的最新版本重新安装 BridgeOS。
Remove the Firmware Password, if it was previously set.删除固件密码(如果之前已设置)。
NOTE!!!! This only works with a “RESTORE FULL ERASE” not a “Revive”. A revive will retain your data and only reinstall BridgeOS. The option will not remove your firmware password.注意!!!!这仅适用于“RESTORE FULL ERAASE”,而不适用于“Revive”。恢复将保留您的数据,并且仅重新安装 BridgeOS。该选项不会删除您的固件密码。
You can follow my instructions here > https://mrmacintosh.com/how-to-restore-bridgeos-on-a-t2-mac-how-to-put-a-mac-into-dfu-mode/你可以按照我的指示在这里> https://mrmacintosh.com/how-to-restore-bridgeos-on-a-t2-mac-how-to-put-a-mac-into-dfu-mode/
This process is very close to the new M1 Apple Silicon Mac “Erase Mac Process” The difference is that macOS Recovery is still available after the process so you can easily reinstall macOS.这个过程非常接近新的M1 Apple Silicon Mac“擦除Mac进程”,不同的是,macOS Recovery在该过程之后仍然可用,因此您可以轻松重新安装macOS。
8. How long was this new way possible? Does AppleCare even know about this?8.这种新方法在多长时间内才成为可能?AppleCare甚至知道这一点吗?
I am always testing new ways to break and fix macOS. When I first confirmed that this new way worked, I was pretty surprised to say the least.我一直在测试破坏和修复 macOS 的新方法。当我第一次确认这种新方法有效时,至少可以说我很惊讶。
To find out, I tested with Apple Configurator 2 version 2.7.1 from 2019.为了找出答案,我使用 2019 年的 Apple Configurator 2.7.1 版本进行了测试。
Yup, worked 是的,工作
It is very possible that AC2 was removing the firmware password during the BridgeOS restore since the very beginning.AC2 很有可能从一开始就在 BridgeOS 恢复期间删除了固件密码。
After all this time, did AppleCare even know about this option? Apple’s own instructions only refer to the steps to contact CSS support to remove the password via firmware hash / USB drive.经过这么长时间,AppleCare甚至知道这个选项吗?Apple 自己的说明仅参考联系 CSS 支持以通过固件哈希/USB 驱动器删除密码的步骤。
9. What does this mean for education, small & large companies, home users, computer recyclers, and criminals?9. 这对教育、小型和大型公司、家庭用户、计算机回收商和犯罪分子意味着什么?
Let’s go over a few situations.让我们来看看几种情况。
This new process does NOT disable or remove Activation Lock.此新进程不会禁用或删除激活锁。
If you use the firmware password to protect your data? – Technically you are fine because the AC2 Restore process will remove the firmware password & erase all of your data.如果您使用固件密码来保护您的数据?– 从技术上讲,您没问题,因为 AC2 恢复过程将删除固件密码并删除所有数据。
If you are a small business or education institution that is relying on the firmware password but does not have Activation Lock enabled. – You are most likely trying to prevent students or employees from stealing the Mac and then erasing your configuration and reinstalling macOS. The other problem (unlike iOS) a person can bypass the Mobile device management screen. In this case, the Mac is long gone.如果您是依赖固件密码但未启用激活锁的小型企业或教育机构。– 您很可能试图阻止学生或员工窃取 Mac,然后擦除您的配置并重新安装 macOS。另一个问题(与iOS不同)一个人可以绕过移动设备管理屏幕。在这种情况下,Mac早已不复存在。
If you are a computer reseller or recycler. This is GREAT news for you. You can now wipe the firmware password and reinstall macOS.如果您是计算机经销商或回收商。这对你来说是个好消息。您现在可以擦除固件密码并重新安装 macOS。
10. What does Apple think about this?10. 苹果对此有何看法?
I reached out to Apple and asked them. The response was that this is expected.我联系了苹果,问他们。得到的答复是,这是意料之中的。
Apple recommends enabling Activation Lock on Macs with the T2 security chip (2018-2020)Apple 建议在配备 T2 安全芯片的 Mac 上启用激活锁 (2018-2020)
11. How can I protect my Data on an Intel and M1 Mac?11. 如何在 Intel 和 M1 Mac 上保护我的数据?
I agree with Apple’s recommendation, enable Activation Lock.我同意Apple的建议,启用激活锁。
Additionally, you should also enable FileVault 2.此外,您还应该启用 FileVault 2。
Enabling FileVault on a T2 Mac with macOS Catalina or newer will prevent an unwanted user from accessing your data in recovery.在装有 macOS Catalina 或更高版本的 T2 Mac 上启用 FileVault 将防止不受欢迎的用户在恢复过程中访问您的数据。
If you didn’t turn on a firmware password and did not enable FileVault Encryption, your data is WIDE open in macOS recovery. One interesting note, if FV2 is not enabled you will still be prompted for a password in Target Disk Mode.如果您没有打开固件密码,也没有启用文件保险箱加密,则您的数据在 macOS 恢复中处于完全打开状态。一个有趣的注意事项是,如果未启用 FV2,在目标磁盘模式下仍会提示您输入密码。
