EFIPW - Modify Apple EFI Firmware Passwords

It can be used to get all the credentials from the kernel for different accounts and roles on the system and local user accounts. The tool allows the hacker to populate the kernel memory with rootkit scripts for a rootkit exploit, to modify the binary to install rootkit software, and, if need be, to append the rootkit to the end of the kernel image.

He said EFIPW, with the modified kernel image, looks similar to the original image when you look at the kernel images using a memory viewer. But, when you try to boot the firmware, it becomes a look-alike and feel-alike image that’s easy to boot like the original image. Of course, if you try to boot it, you get a boot error.

If the firmware password is the same as or similar to another password in use, this may allow for further escalation of privilege, decryption of files, access to other machines, etc. In a lab deployment scenario, it may be desirable to set a firmware password on deployed machines. This process would be more easily automated with a CLI program like the one I'm providing. Of course, there is the OFPW tool, but that was designed for the older Open Firmware, and I've had problems running it under Leopard/EFI and am unclear as to whether or not it supports the new hardware. The OFPW binary seems to be unnecessarily elusive, and documentation even more so.

Regardless, the real point of this post is to serve as an intro to my next post, where I use the harvested passwords to identify the tools used against me and attempt to track down those running the attacks. I hope to have that posted tomorrow.

After entering the Apple password, the utility will ask for the ESP password. At this point, you should provide the ESP password that you would normally provide when booting the computer with the specified EFI firmware password. When you are done, you should see the following in the terminal:

apple efi password: {your desired efi firmware password}

If you are ready to attempt to write the EFI firmware password to the EFI firmware, you should now reboot the computer and attempt to boot the system using the EFI firmware password that you entered. If you are unsuccessful at booting the system using the EFI firmware password that you entered, you will need to reboot the computer and attempt to boot the system using the EFI firmware password that you entered again.

If you want to change the EFI password, you need the following: a virus or other boot sector modification toolkit (like PowerUpSQL), and a Windows computer where you can load the raw hex bytes of the EFIPW in the format you want to use.

Takeaway: if you're using an EFI password on your Apple computer, don't use that password for anything else. It is easily recovered (granted, with root access), but even this recovery could allow for easy future access or further compromise.

After you've downloaded the EFIPW to a disk, you can use it from another computer with a virus or boot sector modification toolkit installed. The toolkit will allow you to load the EFIPW from the disk. You will need the .raw file you downloaded as a .bin or .txt file. If you are using a .bin file, you need to first load it in your virus toolkit, convert it to hex bytes, and then load it.