Advanced Open Firmware Security
Low level security for PowerPC-based Macs

Triverio Marco, http://trive.110mb.com/

16th August 2006

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike License


Contents

1 Introduction to Macintosh Security
  1.1 Firewall
  1.2 The Security Pref Pane and FileVault
  1.3 A bullet-proof password

2 Open Firmware
  2.1 High-level security is almost useless
  2.2 History
  2.3 Working with Open Firmware
    2.3.1 GUI tools
    2.3.2 Terminal.app
    2.3.3 OF prompt

3 Open Firmware: going deeper
  3.1 Open Firmware password
  3.2 Some Open Firmware variables
    3.2.1 boot-volume and others
    3.2.2 Single-user mode
  3.3 Booting partitions
    3.3.1 Aliases
    3.3.2 Partitions
  3.4 Banners
    3.4.1 OF Banners
    3.4.2 Login banner
  3.5 Attacking Open Firmware
    3.5.1 Attacks through Terminal.app
    3.5.2 Physical access
    3.5.3 Brute force won't work
    3.5.4 An amazing bug
  3.6 Troubleshooting your Mac with Open Firmware


1 Introduction to Macintosh Security

Security deserves a lot of attention if you want to avoid unexpected and unwanted situations. Mac OS X Tiger is a powerful OS which brings security closer to ease of use than ever before: a lot of interesting options are just a click away from the user.

1.1 Firewall

Let's consider the firewall: open "System Preferences.app" and choose the "Sharing" pane. Through the "Services" tab it's easy to allow or disallow FTP or SSH access, SMB (Windows Sharing), Personal File Sharing and many other common services; in the same easy way you can customize the behaviour of the firewall: click on the "Firewall" tab and you will be able to choose which ports ought to be open or closed. The "Advanced" button lets you block UDP traffic, enable logging and turn on "Stealth mode", in which unsolicited packets are silently dropped (this actually stops ping from working).

Apple's solution is well integrated into the operating system and easy to use, but it hides many useful options; as an alternative you may consider ipfw (the command line tool the Tiger firewall is built on) or FireWalkX, a shareware GUI for it (http://www.pliris-soft.com/products/firewalkx/index.html). Keep in mind that the firewall only filters traffic to the services you leave running: turning off a service you do not need is always better than filtering it.

Figure 1: Sharing preferences pane


1.2 The Security Pref Pane and FileVault

Another interesting thing in Tiger is the "Security" preferences pane, a sort of shortcut to many security options: through this pane you can make your Mac ask for a password when waking from sleep or leaving the screensaver. Moreover, you can disable automatic login or make your Mac log out automatically after N minutes of inactivity (5 <= N <= 960).

One of the most useful security options is FileVault, which keeps the user's home directory encrypted at all times; this way, even if your hard drive gets stolen, your documents cannot be read without knowing the password. This is wonderful, since all the options considered so far can be bypassed given physical access to the machine. The home directory is encrypted with AES-128 (Advanced Encryption Standard with a 128-bit key), with a performance difference that is hardly noticeable (except with applications such as GarageBand, which use the hard disk heavily). To enable FileVault you first have to set a Master Password (which can recover the home directories of users who have forgotten their own password, so protect it as carefully as any other) and then click on "Turn On FileVault...": all the files in your home directory will be encrypted and transparently decrypted after login. Note that FileVault protects data at rest only: while you are logged in the home directory is readable like any other, so the sleep and screensaver passwords still matter.

To tighten security further, disable Automatic Login from the Accounts preference pane (Login Options section).

Figure 2: Security preferences pane


1.3 A bullet-proof password

What about passwords? A good password is the first line of defence for everything described so far. How should you choose one? You need to be unpredictable and, of course, never tell your password to anyone.

Here is some advice for getting a password which:

• is long

• is pseudo-random (or at least makes brute-force attacks impractical)

• contains hard-to-guess symbols

An interesting idea is to take a sentence you like and build a password from it; let's say you like the sentence

"Life is too short to use Windows"

The sentence is far too long to type, so we keep only the initial letter of every word; to make the result harder to guess we also keep the quotation marks as part of the password. So far we get

"LitstuW"

Replacing "too" and "to" with "2" we get:

"Li2s2uW"

To evaluate how strong a password is you can use a small utility by Apple: open "Keychain Access" (in /Applications/Utilities) and select "Change Password for Keychain xxx..." from the Edit menu. Click on the little key icon on the right and type the password whose strength you want to check: the Password Assistant rates it and even gives a few suggestions. Our password is fine, but it could certainly be longer; you could use another sentence, for instance a line from a song you like... the only limit is your imagination.

Last but not least: it is always good to change your password every now and then.
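To make the recipe above reproducible, here is a small Python script, added to this article and not part of the original text, that applies the same two steps (initials of each word, then the "to"/"too" to "2" substitution, keeping the quotation marks) and estimates the size of the keyspace a brute-force attacker would have to search. The substitution table and the character-class model are assumptions made for the example; Keychain Access uses its own rating.

```python
"""Build a password from a memorable sentence, as section 1.3 does.

Added example, not code from the original article. Two steps are applied:
every word contributes its first letter, except the words listed in the
substitution table, which become a symbol; the surrounding double quotes
are optionally kept as two extra hard-to-guess characters. The keyspace
estimate assumes an attacker who knows the length and the character
classes used, and nothing else (an assumption made for this example).
"""
import math
import string

# Assumed substitution table (the article only uses "to"/"too" -> "2").
WORD_SUBSTITUTIONS = {"to": "2", "too": "2"}


def passphrase_to_password(sentence, substitutions=WORD_SUBSTITUTIONS, keep_quotes=True):
    """Return the password derived from `sentence`.

    "Life is too short to use Windows" -> Li2s2uW (wrapped in quotes by default).
    """
    parts = []
    for word in sentence.split():
        key = word.lower().strip(string.punctuation)
        parts.append(substitutions.get(key, word[0]))
    password = "".join(parts)
    return f'"{password}"' if keep_quotes else password


def brute_force_bits(password):
    """log2 of the keyspace: length * log2(size of the character classes present)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for keep in (False, True):
        pw = passphrase_to_password("Life is too short to use Windows", keep_quotes=keep)
        print(f"{pw:12} {brute_force_bits(pw):5.1f} bits")
```

Keeping the two quotation marks adds a fourth character class and two characters of length, which is worth far more than another substitution inside the word.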

Figure 3: Security preferences pane


2 Open Firmware

2.1 High-level security is almost useless

We have had a quick look at the security options available from the GUI: they can be called "high-level options". They are not enough, because they do not protect against physical threats, for example:

• [power button held down for 5 seconds] hard-resetting the computer makes the sleep and screensaver passwords useless

• [pressing C during boot] booting the computer from a CD/DVD allows anyone to reset the root/admin password: boot from the Mac OS X install disc, choose "Reset Password..." from the "Installer" menu and you're done

• [pressing Command+S] booting in Single User Mode gives an attacker a root shell and lets them browse the hard disk with root privileges

• [pressing T] booting in Target Disk Mode and connecting the attacked Mac via FireWire to another Mac lets an attacker browse the hard drive comfortably from their own machine.

What can you do to prevent all of this? Turn FileVault on and use Open Firmware wisely: the rest of this article is about the second part.

2.2 History

Open Firmware was born in 1988 at Sun Microsystems and is defined by the IEEE 1275 standard; Apple adopted it for its PowerPC-based Macs. With the introduction of Intel-based Macs Open Firmware is no longer used by Apple: it has been replaced by EFI (Extensible Firmware Interface), which offers similar features with a more modular architecture.

2.3 Working with Open Firmware

Open Firmware is to the Mac what the BIOS is to PCs: after hardware initialization it handles the early stages of the boot process. But Open Firmware offers a much broader environment to work in: it is a complete Forth interpreter, and it is even possible to write applications for OF [1].

Open Firmware stores its settings in a non-volatile memory called NVRAM: the default partition to boot from, the volume of the startup sound, the security level (more on this later), the OF password and so on.

You have three options to interact with Open Firmware:

GUI tools let you only set the Open Firmware password

Terminal.app lets you read and set every NVRAM variable

Open Firmware prompt lets you explore OF completely

[1] www.macosxinternals.com


2.3.1 GUI tools

The best-known GUI tool for interacting with Open Firmware is Apple's own Open Firmware Password utility: its only purpose is to set an Open Firmware password and stop unauthorized access to the Mac. It can be downloaded from http://docs.info.apple.com/article.html?artnum=120095

It is an easy and well documented tool, so we won't cover it here.

2.3.2 Terminal.app

The nvram command can be used to show and set every Open Firmware variable; the general syntax for setting one is:

sudo nvram variable="newvalue"

We will see an example of its use at the end of the article; you may obtain more information by typing

man nvram

2.3.3 OF prompt

Why limit yourself? Interacting directly with Open Firmware opens many doors, which is why we analyze the OF prompt in the next section.

3 Open Firmware: going deeper

3.1 Open Firmware password

The only way to really get in touch with OF is to gain access to its prompt. To do this reboot your Mac and, right after the startup sound, hold down Command+Option+O+F.

On an iMac G4 this is what you should see on screen:

Apple PowerMac4,5 4.4.5f3 BootROM built on nn/nn/nn at hh:mm:ss

Copyright 1994-2002 Apple Computer, Inc.

All Rights Reserved.

Welcome to Open Firmware, the system time and date is: hh:mm:ss nn/nn/nn

Command security mode.

To continue booting, type "mac-boot" and press return.

To shut down, type "shut-down" and press return.

ok

0 >

This welcome screen gives you useful information such as the model of Mac you're using and which security mode is set.

Open Firmware also suggests two commands, mac-boot and shut-down, to boot the OS or to turn the computer off. As you can see, on this Mac Open Firmware is not password protected! The first thing to do is to set a password; just type


password

and enter the chosen password twice:

Enter a new password: **********
Enter password again: **********
Password will be in place on the next boot! ok

But this is not enough: you also have to set a level of security, which is stored in an NVRAM variable called "security-mode".

These levels are available:

no-password Access to Open Firmware is completely disabled.

none this is the default for PowerPC-based Macs: the OF password will never be asked for (even if it has been set with the password command)

command OF will ask for the password when trying to:

• boot from CD [C]

• boot from a NetBoot server [N]

• boot in Target Disk Mode [T]

• boot in Single User Mode [Command+S] or verbose mode [Command+V]

• reset PRAM or NVRAM (Command+Option+P+R at startup, or reset-nvram and reset-all from the OF command line)

• open the Startup Manager to pick a boot volume [Option]

full this is the option I have chosen for my Mac. OF will ask for the password every time the Mac is starting up or waking from hibernation (be careful: not from sleep!)

We have said that security-mode is an NVRAM variable. The general syntax for editing the value of an NVRAM variable is:

setenv <variable> <value>

for instance

setenv beans 3

In our case we write:

setenv security-mode command

or

setenv security-mode full

depending on the security mode chosen.


3.2 Some Open Firmware variables

To show the complete list of NVRAM variables, type:

printenv

The output is laid out in three columns: the name of the variable, its current value and its default value.

Do not edit NVRAM variables whose meaning you do not know: a wrong value can leave your Mac unable to boot or, in the worst case, damage the logic board.

3.2.1 boot-volume and others

As you might have noticed, there are many other variables which can be really useful. Some of them are:

boot-volume This variable sets the volume of the startup sound; to mute it, type:

setenv boot-volume 0

auto-boot? If set to false, regardless of the security-mode, the Mac stops at the Open Firmware prompt every time you turn it on (not when waking from sleep) instead of booting the OS; the default is true.

security-#badlogins This variable (which exists only if security-mode is command or full) counts how many times someone has typed a wrong Open Firmware password: check it if you suspect tampering.

nvramrc and boot-script These variables hold Forth scripts run at boot time; nvramrc is the one edited with the nvedit command and it is executed only if use-nvramrc? is true. Be very careful with them: a broken script can prevent the Mac from booting.

3.2.2 Single-user mode

The boot-args variable contains the arguments passed to the kernel during the early stages of boot.

Two values of boot-args matter here:

-s makes your Mac boot in single-user mode;

-v makes your Mac suppress the graphical startup in favour of white text on a black background (verbose mode).

Booting in single-user mode is always possible given physical access to the Mac and security-mode set to none (the default on every PowerPC-based Mac) or no-password: pressing Command+S after the startup sound gives the user a root shell with access to every file on the filesystem; you can even change a user's password by typing

passwd username

For example:

# passwd root
Changing password for root.
New password:
Retype new password:

Of course, this is a great option for forgetful users but, at the same time, it represents a real security threat.
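The following Python script is an added example, not part of the original article: it reads a dump of `nvram -p` (the Terminal counterpart of printenv, one "name<TAB>value" line per variable) and flags the settings that sections 3.1 and 3.2 warn about: a security-mode that never asks for the password, a mode set without a stored password, a -s left in boot-args, an enabled nvramrc script. The dump it audits is constructed for the example, and the tab-separated layout is the one the PowerPC nvram tool prints.

```python
"""Audit the Open Firmware settings discussed in sections 3.1 and 3.2.

Added example, not code from the original article. It parses the output
of `sudo nvram -p` (one "name<TAB>value" line per variable) and lists the
settings that leave the Mac open to the attacks of section 2.1. The
sample dump below is constructed for this example.
"""

# Constructed sample of `sudo nvram -p` output from a Mac with default
# settings: security-mode none, single-user mode requested in boot-args,
# and a custom Forth script enabled.
SAMPLE_DUMP = """\
boot-device\thd:,\\\\:tbxi
boot-args\t-s
security-mode\tnone
auto-boot?\ttrue
use-nvramrc?\ttrue
boot-volume\t0
oem-banner?\tfalse
"""


def parse_nvram_dump(text):
    """Return {variable: value} from `nvram -p` output (tab-separated)."""
    variables = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition("\t")
        variables[name] = value
    return variables


def audit_nvram(variables):
    """Return a list of (variable, finding) tuples for weak settings."""
    findings = []
    mode = variables.get("security-mode", "none")
    if mode not in ("command", "full"):
        findings.append(("security-mode",
                         f"{mode!r}: Open Firmware will never ask for a password; "
                         "run the password command, then setenv security-mode command (or full)"))
    elif "security-password" not in variables:
        findings.append(("security-password",
                         "security-mode is set but no password is stored; "
                         "set one with the password command at the OF prompt"))
    if "-s" in variables.get("boot-args", "").split():
        findings.append(("boot-args",
                         "'-s' boots straight into single-user mode (root shell)"))
    if variables.get("use-nvramrc?", "false") == "true":
        findings.append(("use-nvramrc?",
                         "a stored Forth script (nvramrc) runs at every boot; review it with nvedit"))
    if variables.get("auto-boot?", "true") == "false":
        findings.append(("auto-boot?",
                         "the Mac stops at the Open Firmware prompt on every power-on"))
    return findings


if __name__ == "__main__":
    for var, msg in audit_nvram(parse_nvram_dump(SAMPLE_DUMP)):
        print(f"{var}: {msg}")
```

Run it against `sudo nvram -p > dump.txt` on the Mac you are hardening; an empty result means the Open Firmware side of the checklist above is covered (FileVault still has to be checked separately).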

3.3 Booting partitions

Let's say you have multiple installations of Mac OS X (or Mac OS 9), or a dual-boot system with Linux; if security-mode is not set to full you can simply hold down the Option key after the startup sound and, within a few seconds, you will be able to select which OS to boot.

But if security-mode is set to full there's not much you can do: you have to use the Open Firmware prompt to choose which partition to boot from.

3.3.1 Aliases

The first important concept to learn is aliases. Open Firmware keeps track of every device connected to the Mac in a structure called the device tree; you can navigate it using dev and ls (similar to cd and ls on a Unix box); for instance:

dev /
ls

selects the root node and lists the tree below it. As you can see, devices have quite long names; the internal hard disk on my iMac G4 is called /pci@f2000000/mac-io@17/ata-4@1f000/disk@0. Luckily, thanks to aliases I don't have to remember it: /pci@f2000000/mac-io@17/ata-4@1f000/disk@0 can simply be called hd. This is true for almost any device; you can obtain the whole list of aliases by typing

devalias

3.3.2 Partitions

Now let's imagine this is your partition table:

Partition map (with 512 byte blocks) on /dev/disk0
device         type                 name
/dev/disk0s1   Apple partition map  Apple
/dev/disk0s2   Apple Bootstrap      bootstrap
/dev/disk0s3   Apple UNIX SVR2      swap
/dev/disk0s4   Apple UNIX SVR2      boot
/dev/disk0s5   Apple UNIX SVR2      debian
/dev/disk0s6   Apple UNIX SVR2      home
/dev/disk0s7   Apple HFS            Macintosh HD
/dev/disk0s8   Apple HFS            Share Partition

A short explanation:

disk0s1 Partition map

disk0s2 Bootloader (the Apple_Bootstrap partition, where the yaboot bootloader lives on a Debian PowerPC install): it is needed because Open Firmware cannot load the Linux kernel directly; it shows the list of available OSes and lets you select the one to boot.

disk0s3-6 Linux partitions

disk0s7-8 Mac OS X partition and the share partition.

My default OS is Mac OS X; this means that typing

printenv boot-device

I get:

boot-device hd:07,\\:tbxi

This is because Mac OS X resides on the seventh partition of my hard disk. Whenever I want to boot Linux I have two options:

1. Modify the boot-device variable and make Linux my default OS; this is accomplished by typing:

setenv boot-device /pci@f2000000/mac-io@17/ata-4@1f000/disk@0:02,\\:tbxi

or more simply:

setenv boot-device hd:02,\\:tbxi

I had to choose the bootloader partition because the Linux kernel cannot be loaded directly by Open Firmware. To boot Linux you still need to type:

mac-boot

or more simply:

boot

The big disadvantage of this option is that it makes a permanent change to the boot-device variable; what if you want to keep Mac OS X as your default OS? Just use option #2!

2. Use the boot command with a parameter, for instance:

boot hd:2,\\:tbxi

This way the boot-device variable is not affected and you can boot Linux with just one command.

What has been said also applies when you want to boot from a CD or from an external hard drive. The general syntax of a bootable device is:

<device>:<partition>,<path><filename>

in which

<device> is the startup device, which can be:

• hd (hard disk)

• cd (CD or DVD)

• but also ultra0 (the first IDE disk) or scsi-int/sd@1 (the second SCSI disk on the internal SCSI controller)

• any other bootable device, given by alias or by its full device-tree path

<partition> is the number of the partition, for instance ultra0:4; it can be left empty (hd:,\\:tbxi), in which case Open Firmware picks the partition itself.

<path> specifies the path where to look for <filename>; it can be:

• a specific folder written in the form \path\to\folder\, for instance \System\Library\CoreServices\

• \\, a shorthand for the volume's blessed system folder (the folder recorded in the HFS+ volume header, /System/Library/CoreServices on a Mac OS X volume).

<filename> can be:

• a file, for example BootX

• or :tbxi, which does not name a file but makes OF search the folder <path> for a file of HFS type tbxi (the type of the BootX loader).
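As an added example (not from the original article), the following Python code parses a boot specifier written in the syntax above into its four parts, so you can check what a boot-device value or a boot argument will make Open Firmware look for before typing it at the prompt. The BootSpec field names and the describe() wording are my own; the handling of :tbxi and of \\ follows the description above.

```python
"""Parse the Open Firmware boot-device syntax of section 3.3.2.

Added example, not code from the original article. A specifier has the
form <device>:<partition>,<path><filename>; this splits it and explains
what Open Firmware will look for. Field names are my own choice.
"""
import re
from dataclasses import dataclass
from typing import Optional

# <device> ':' [partition] [',' path-and-file]      e.g.  hd:07,\\:tbxi
_SPEC = re.compile(r"^(?P<device>[^:]+):(?P<partition>\d*)(?:,(?P<rest>.*))?$")


@dataclass
class BootSpec:
    device: str               # alias or full device-tree path: hd, cd, ultra0, /pci@...
    partition: Optional[int]  # None when omitted (Open Firmware picks one)
    path: str                 # folder: "\\" (blessed folder) or "\System\...\" or ""
    filename: str             # e.g. "BootX"; "" when searching by type
    file_type: Optional[str]  # HFS type to search for, e.g. "tbxi"

    def describe(self):
        where = (f"partition {self.partition}" if self.partition is not None
                 else "the partition Open Firmware picks")
        if self.path == "\\\\":
            folder = "the blessed system folder"
        elif self.path:
            folder = f"folder {self.path}"
        else:
            folder = "the volume's default location"
        if self.file_type:
            return f"{self.device}, {where}: search {folder} for a file of type {self.file_type}"
        if self.filename:
            return f"{self.device}, {where}: load {self.filename} from {folder}"
        return f"{self.device}, {where}: boot with the firmware defaults"


def parse_boot_spec(spec):
    """Split a <device>:<partition>,<path><filename> specifier into a BootSpec."""
    m = _SPEC.match(spec)
    if not m:
        raise ValueError(f"not a <device>:<partition>,<path><filename> specifier: {spec!r}")
    partition = int(m.group("partition")) if m.group("partition") else None
    rest = m.group("rest") or ""
    # The folder ends at the last backslash; what follows is either a file
    # name or ":type", which asks Open Firmware to search by HFS file type.
    cut = rest.rfind("\\") + 1
    path, tail = rest[:cut], rest[cut:]
    file_type = tail[1:] if tail.startswith(":") else None
    filename = "" if file_type else tail
    return BootSpec(m.group("device"), partition, path, filename, file_type)


if __name__ == "__main__":
    for spec in ("hd:07,\\\\:tbxi", "ultra0:4", "hd:,\\System\\Library\\CoreServices\\BootX"):
        print(f"{spec:45} -> {parse_boot_spec(spec).describe()}")
```

A specifier that does not match the grammar (for instance a device with no colon) raises ValueError instead of being passed on to the firmware, which is the check you want before a setenv boot-device that would otherwise leave the Mac at the prompt on the next restart.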

3.4 Banners

3.4.1 OF Banners

Two really interesting variables are oem-banner and oem-banner?, which make OF show a welcome message at the top of the screen: you can use it to print your contact information; this way, if anyone finds your lost computer, he or she may return it to you.

First of all, enable the banner by typing:

setenv oem-banner? true

Now enter the message you want to show:

setenv oem-banner <text>

For example:

setenv oem-banner This Mac is Steve Jobs' property. If found, please call 555-NNNNNN and you'll receive a reward in golden iPods

The banner is shown every time your Mac starts up (or wakes from hibernation) if security-mode is set to full or if auto-boot? is set to false, that is, whenever the Open Firmware screen appears.

3.4.2 Login banner

You can also make your Mac show this text at every login: edit the file /Library/Preferences/com.apple.loginwindow.plist and add the key right after the opening <dict>:

...
<plist version="1.0">
<dict>
    <key>LoginwindowText</key>
    <string>This Mac is Steve Jobs' property. If found, please call 555-NNNNNN and you'll receive a reward in golden iPods</string>
...

You can also modify the font size by adding:

    <key>LoginwindowText-FontSize</key>
    <real>24</real>

where you can specify any number.

3.5 Attacking Open Firmware

3.5.1 Attacks through Terminal.app

Terminal.app doesn't offer complete access to Open Firmware functions but it has a powerful tool to handle NVRAM variables. The nvram command offers more or less the same possibilities as setenv and printenv; for example

setenv boot-volume 0

equals

sudo nvram boot-volume="0" [2]

and

printenv

equals

nvram -p

Yes, most (but not all!) of the variables can be read (but not edited) without administrator privileges.

Not all the NVRAM variables are shown by nvram -p as a normal user; typing:

sudo nvram -p

shows the complete list plus one very interesting element which does not appear in the output of printenv. Type:

sudo nvram security-password

You will get:

security-password %c3%c4%c4%c3%df

The password is not encrypted, it has only been obfuscated! Every character of the password has been:

1. encoded in ASCII

2. XORed with 0xAA.

[2] sudo is needed to set variables (unless you're root)


ASCII creates a simple correspondence between characters and numbers. For example the character i equals 105 in the ASCII table.

105  has the binary representation 0110 1001
0xAA has the binary representation 1010 1010

0110 1001 XOR 1010 1010 = 1100 0011

1100 0011 equals 195, whose hexadecimal representation is 0xC3.

The first character of the password is an i! Use this table to decode the rest of the password (each character followed by the value nvram prints for it):

sp %8a   !  %8b   "  %88   #  %89   $  %8e   %  %8f   &  %8c   '  %8d
(  %82   )  %83   *  %80   +  %81   ,  %86   -  %87   .  %84   /  %85
0  %9a   1  %9b   2  %98   3  %99   4  %9e   5  %9f   6  %9c   7  %9d
8  %92   9  %93   :  %90   ;  %91   <  %96   =  %97   >  %94   ?  %95
@  %ea   A  %eb   B  %e8   C  %e9   D  %ee   E  %ef   F  %ec   G  %ed
H  %e2   I  %e3   J  %e0   K  %e1   L  %e6   M  %e7   N  %e4   O  %e5
P  %fa   Q  %fb   R  %f8   S  %f9   T  %fe   U  %ff   V  %fc   W  %fd
X  %f2   Y  %f3   Z  %f0   [  %f1   \  %f6   ]  %f7   ^  %f4   _  %f5
`  %ca   a  %cb   b  %c8   c  %c9   d  %ce   e  %cf   f  %cc   g  %cd
h  %c2   i  %c3   j  %c0   k  %c1   l  %c6   m  %c7   n  %c4   o  %c5
p  %da   q  %db   r  %d8   s  %d9   t  %de   u  %df   v  %dc   w  %dd
x  %d2   y  %d3   z  %d0   {  %d1   |  %d6   }  %d7   ~  %d4

3.5.2 Physical access

As seen, anyone with administrative privileges (and in Mac OS X several users at once can be administrators) can read the Open Firmware password.

But what about non-admin users? Is it possible to bypass the Open Firmware password? Yes.

You have two options:

1. Install this Mac OS 9 application, which shows the password: http://www.securemac.com/openfirmwarepasswordprotection.php#fwsucker

2. Or, if you have physical access to the Mac, follow these steps:

• turn off the Mac and disconnect all the cables

• locate the RAM slots

• remove or add a RAM module (the amount of installed memory must change)

• start up the Mac and hold Command+Option+P+R (which resets the PRAM)

• put back (or remove) the RAM module you changed in the previous step

• et voilà... no more Open Firmware password!

The procedure works because the firmware drops the password when the PRAM is reset on a machine whose memory configuration has changed: the Open Firmware password alone cannot protect a Mac an attacker can open, which is why FileVault (section 1.2) is still needed to protect the data.


3.5.3 Brute force won’t work

Open Firmware uses a progressive delay to discourage brute-force attacks.

Every time the password you type is wrong you have to wait 2^x seconds before you can try again, where x is the number of attempts made so far; the attempt count is also visible in the security-#badlogins variable seen earlier.

This is a very simple but effective way to make this kind of attack impractical: after a dozen wrong attempts the wait is already more than an hour.

3.5.4 An amazing bug

You must be careful choosing your Open Firmware password! Not only must it be hard to guess (yet easy to remember) but, at least on some Macs, it also must not contain the capital letter "U".

As explained in the Apple Knowledge Base (http://docs.info.apple.com/article.html?artnum=107666) some Macs are affected by this very strange bug: a password containing "U" prevents the Mac from starting up. The only solution is to avoid that particular character.

Macs affected by this bug:

• iBook (all models)

• iMac (Slot Loading) and later models

• eMac

• PowerBook (FireWire) and later models

• Power Mac G4 (AGP Graphics) and later models

• Power Mac G4 Cube (all models)

If your Mac just can't start because of this bug you have two options:

1. Use the method described in the "Physical access" paragraph.

2. Use the nvram command from Terminal.app. Let's say you want to keep your old password but turn every U into u. Type:

sudo nvram security-password

If your password is "Uboot" you should read:

security-password %ff%c8%c5%c5%de

To change your password to "uboot" simply type:

sudo nvram security-password="%df%c8%c5%c5%de"

In fact %ff represents U and %df represents u. If you prefer a completely new password you can compose it using the table above (every character XORed with 0xAA, written as %xx).
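Rather than looking the characters up by hand, the Python script below (an added example, not part of the original article) performs the decoding of section 3.5.1 and the re-encoding needed for this workaround: it turns the %xx output of nvram security-password back into the clear-text password, obfuscates a new password the same way, regenerates the lookup table, and composes the sudo nvram command that stores the new value. The sample values are the ones printed in this article; the %xx escape handling assumes the convention shown here.

```python
"""Decode and re-encode the Open Firmware security-password (sections 3.5.1, 3.5.4).

Added example, not code from the original article. `nvram security-password`
prints every non-printable byte as %xx; each byte is the ASCII code of the
password character XORed with 0xAA. These helpers invert that, rebuild the
lookup table of section 3.5.1 and compose the nvram command for 3.5.4.
"""
import re

XOR_KEY = 0xAA
_NVRAM_ESCAPE = re.compile(r"%([0-9a-fA-F]{2})")


def unescape_nvram(value):
    """Turn nvram's rendering ("%c3%c4...", printable bytes as-is) into bytes."""
    out = bytearray()
    pos = 0
    for m in _NVRAM_ESCAPE.finditer(value):
        out.extend(value[pos:m.start()].encode("latin-1"))
        out.append(int(m.group(1), 16))
        pos = m.end()
    out.extend(value[pos:].encode("latin-1"))
    return bytes(out)


def escape_nvram(data):
    """Render bytes as nvram accepts them on the command line: %xx for anything
    outside printable ASCII and for '%' itself (the escape character)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and b != 0x25 else f"%{b:02x}" for b in data)


def decode_security_password(value):
    """Recover the clear-text password from `nvram security-password` output.

    Accepts the bare value or the whole "security-password<TAB>value" line.
    """
    if "\t" in value:
        value = value.split("\t", 1)[1]
    return bytes(b ^ XOR_KEY for b in unescape_nvram(value.strip())).decode("ascii")


def encode_security_password(password):
    """Obfuscate a password the way Open Firmware stores it."""
    return escape_nvram(bytes(b ^ XOR_KEY for b in password.encode("ascii")))


def obfuscation_table():
    """The lookup table of section 3.5.1: printable ASCII -> obfuscated %xx."""
    return {chr(c): encode_security_password(chr(c)) for c in range(0x20, 0x7F)}


def nvram_set_command(password):
    """Build the Terminal command that stores `password` (the 3.5.4 workaround)."""
    return f'sudo nvram security-password="{encode_security_password(password)}"'


if __name__ == "__main__":
    print(decode_security_password("security-password\t%ff%c8%c5%c5%de"))
    print(nvram_set_command("uboot"))
```

Because every printable ASCII byte XORed with 0xAA has the high bit set, the stored value is always fully %xx-escaped, which is why a password never shows up in clear in the nvram output but can be recovered by anyone who can run the command with sudo.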

3.6 Troubleshooting your Mac with Open Firmware

From Open Firmware it is easy to reset NVRAM to its default values, which can be useful when troubleshooting your Mac. Simply enter Open Firmware and type:

reset-nvram
reset-all

reset-nvram restores the defaults and reset-all restarts the machine. Remember that with security-mode set to command or full both commands require the Open Firmware password, and that resetting NVRAM also clears the settings (security-mode included) described in this article.