How to Bypass an EFI password and boot any OS.

The situation: EFI password is set and unknown. We are not able to remove it. Can we boot other OS?

The EFI password in 'command' mode prevents a booting from disks and partitions other from the internal HD. It is not completely truth. It prevent a booting from disks and partitions which are not 'bless'-ed latter. What actually 'bless' do? It writes to the NVRAM (an EFI variable) a pointer to disk that machine should boot and what bootloader should be used. EFI is a mostly simple environment. It creates a map of memory, devices and drivers and links all together. According configuration stored in NVRAM select a device for booting, run bootloader and passes control to them.

Take a look how EFI sees a disks:

Part of the message is hidden for the guests. Please log in or register to see it.


As example. The 'bless' writes to NVRAM a record that boot device is a 'Acpi(PNP0A03,0)/Pci(1F|2)/Sata(0,0,0)' and bootloader file is a '/System/Library/CoreServices/boot.efi'. If you change an internal Mac OS X HD by any another one where bootloader is installed at '/System/Library/CoreServices/boot.efi' you'll be able to boot. Unfortunately, Apple EFI knows HFS+ and FAT filesystems only, and you can not just boot to the Linux for example.

Another interesting thing. In common case at startup '/System/Library/CoreServices/boot.efi' launches as an EFI application. This app loads a kernel and passes control to them. But if a hot-key is pressed EFI launches an application associated with a hot-key and only after continues a boot process. So, if you press 'Option' key during boot you will see disks selection menu first, '/System/Library/CoreServices/boot.efi' or other bootloader will launched after.

Well, on the basis of written above we can setup an EFI pointer to some bootmanager installed on the FAT filesystem of ANY disk even USB stick and make boot process controllable even EFI password is set.

Lets play...

Prepare an USB stick
Take an USB stick formatted with 'GUID Partition Scheme' or just make it by Disk Utility.

To check you can use 'diskutil'. Output should be like this:

The USB stick is a '/dev/disk1'. Every disk formatted with 'GUID Partition Scheme' has an EFI partition. The EFI partition is always FAT filesystem and not be mounted or shown by default. As 'diskutil' said is a '/dev/disk1s1'.

Mount EFI partition.

Easy. Just type:


The EFI partition of an USB stick will be mounted at /Volumes/EFI and if you do not did something with it before - will be empty. About 210 Megabytes of unused and invisible space!!!

The bootmanager installation.

You can use any EFI/UEFI bootmanager compatible with EFI 1.10 to your taste. I will use the 'rEFInd' bootmanager here by reason simple installation. The 'rEFInd' site: http://www.rodsbooks.com/refind/index.html . Get a copy of a Binary zip file and follows an installation instructions here: http://www.rodsbooks.com/refind/installing.html#osx

Actually you need to remove 32-bit applications from 'refind' folder of the 'rEFInd' archive (because your Mac is a 64-bit machine, I think... No?) and just copy files to the USB stick. '/Volumes/EFI/efi/refind' is a good place. Next, rename a '/Volumes/EFI/efi/refind/refind.conf-sample' to '/Volumes/EFI/efi/refind/refind.conf'

Someting like this:
Although I advise to read an installation documentation on 'rEFInd' site. Installation procedure described very well.
Note, if you also put a 'shellx64.efi' app (EFI shell version 1) to '/Volumes/EFI' you will able to launch an EFI shell too.

The 'bless'-ing.

Now we need tell a machine to perform booting from an EFI partition located on the USB stick. For this task we should use a 'bless' command.
It described in 'rEFInd' documentation, but a small note from me aka HUGE WARNING .

If EFI password is really unknown and you make a mistake at this point you will stumble upon the big problem. As I wrote before, 'bless' makes a record in the NVRAM. During startup EFI MUST TO FIND a bootloader or bootmanager application and if it not found Apple's EFI will show you the 'Question sign in floder icon' and no more. To fix up this problem you need to press-and-hold the 'Option' key at startup, but key is blocked by EFI password. Hello soldering iron!

So, check what are you do twice and once again. You have been warned.

For our example the 'bless' command will be:
Reboot now. Do not unplug USB stick and do not press anything. If all was done right you'll see 'rEFInd' menu and will have choice of boot.
You can connect a disk with any EFI compatible OS and boot it.

The un-'bless'-ing.

Is important. Right now our Mac's booting is sticked to the refind_x64.efi located at USB stick. If this device will be unavailable at startup EFI will be confused. Simplest way is run a 'Startup Disk' preference pane from 'System Preferences', select internal HD and reboot. Of course you should be run Mac OS X for this.

can i do this from say a virtual on my win machine to a usb and then use it to boot a MBP that is efi locked with a flashing question mark? or am i screwed for this method?

atrocityg1 wrote: can i do this from say a virtual on my win machine to a usb and then use it to boot a MBP that is efi locked with a flashing question mark? or am i screwed for this method?

You are already in situation described in the warning of this post. EFI blocked and boot pointer not found. I was faced with similar once when I played with iCloud locking.
To use this method Mac OS should be able to boot. Please start a new topic and tell what happened.