Hack Your Way Into A Mac

I could start this post off with the usual warning of how you should only use this information for educational purposes and how the only time this would be useful is when you forget your password that’s only 3 characters in length. Sure, I could bore you with my half-hearted attempt at justifying my actions, lying through my teeth with the “I only did this on a close friend’s Mac who really did forget his password” fib. Screw it: once you have physical access to any Mac and eager ambitions, whatever security barriers were set in place are instantly rendered null and void.

Now that the formalities are said and done, it’s time to get down and dirty with some low-level mucking and hardware hacking to force your way into a Mac.

1. Single User Mode

Everyone loves to flex their “hacking” muscles whenever they get a pair in an ego-boasting competition, but if you want to look extra geeky and throw off every onlooker with confusion (since you have no idea what you’re doing; after all, you had to hit up this guide for your certificate in Mac “Hacking” 101), just launch Single User Mode. Unbeknownst to you, a Mac has several methods of booting up. There’s Verbose Mode, which instead of comforting you with a normal GUI like always ruins your false sense of computing ignorance when a waterfall of white-on-black text drips down the screen and gives you the rundown of what really goes on when you boot a Mac. Sure, the phrase “MAC Framework successfully initialized using 10485 buffer headers and 4096 cluster IO buffer headers.” doesn’t sound the least bit entertaining, but hey, how else is that Mac going to boot? There’s also Safe Mode, which disables a lot of plugins that might cause problems and neuters the startup process. And then there’s the one we’ll be using, Single User Mode, which goes directly into a console instead of booting up the entire operating system.

Now the fun really starts. Right after turning on your Mac, hold down Command (that key with the Apple or four-sided clover) and S. The usual grey Apple logo will pop up and then a console will immediately start up and nag you for a command. Keep in mind you have full root privileges right now, so you could wreak some more havoc if you’d like.

You’ll come to a command line interface that lives outside of what you’d normally see in OS X and is meant to provide troubleshooting assistance. However, you can take advantage of the mighty powers bestowed upon you by modifying the password of a user account. You’d have to know the short user name for this to work. When in the console interface, type “sh /etc/rc” to boot up the OS but stay in single user mode. When you are able to type again, type in “passwd shortusername”, replacing shortusername with the short user name of the account you are trying to change the password for. The text prompt will ask you to enter a new password and to confirm it. Don’t worry if you can’t see it, just be careful and type it in slowly. You’ll know you did this right if the command line spits out no errors. Type in “reboot” and log in with your new password.

2. Install Disc

The Install Disc does more than just upgrade or re-install your version of OS X; it provides a handy fail-safe mechanism should you lock yourself out of your Mac. Go ahead and grab your startup disc, but make sure it corresponds to whichever Cat you’re running (you wouldn’t use a Leopard disc for your Tiger install, silly), and boot by holding down C while the disc is in the drive. This could take a while, so grab a bite to eat, play some Scrabble or solve a Rubik’s Cube, just keep your finger on that C key.

If you’ve plugged in a Tiger or Leopard Install Disc, click “Utilities” in the Menu Bar and hit “Reset Password”, then select the Hard Drive that houses the user account you want access to and save your new password. Oh, and one more thing: don’t jump the gun and automatically hit the Admin user. This guy is actually the Root user and you don’t want to mess with him.

Keep in mind you’ll seriously screw yourself over if you try this on an account with FileVault enabled, so much so that any hopes of reversing your “hack” will have been thrown out the window and beaten into a bloody pulp by a ruthless mugger. You’ll also still have to deal with that nagging Keychain Access demanding your Login password, which really is a problem because you forgot that and changed it to something different. Just open up Keychain Access and delete the login keychain.

3. Open Firmware Password? Open Says Me!

Setting an Open Firmware password has been the traditional way of securing your Mac outside of your user account. In essence it works by denying a would-be cracker the opportunity to modify the boot process, like starting Target Disk Mode to raid a Hard Drive and sell your Social Security number to a group of Russian Spamlords. Like that has ever happened, right! The irony is that an Open Firmware password is meant to secure your data if someone gains physical access to your machine, but it can be rendered void, and you fucked, with a bit of hardware know-how.

If you’ve tried the above attempts and been met with failure, and your Mac has some shattered emotions from being on the receiving end of your anger, it’s probably because of an Open Firmware password. Disabling it is very easy, once again assuming you have physical access to the target Mac. Bust open the case so you can grab at the RAM and pull out or add in enough DIMMs (a.k.a. those little green sticks with the memory chips on them) until you have a different amount than what you started with. Keep in mind you’ll have to keep enough so the Mac can boot properly: 128 MB for 10.0 (Cheetah, Puma & Jaguar) to 10.3 (Panther), 256 MB for 10.4 (Tiger) and double that for 10.5 (Leopard). From there, boot up the Mac and reset the PRAM by holding Command + Option + P + R until the 3rd startup chime. With that out of the way you’re free to boot into Single User Mode, Verbose Mode or even start up from an Install Disc without any hassle and rock a bit.
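
Seen from the owner's side, the three routes above come down to two settings: whether a firmware password gates the alternate boot modes, and whether FileVault keeps the data encrypted after a password reset. The script below is an added example, not part of the original post; it assumes a later macOS release that ships the `fdesetup` and `firmwarepasswd` tools, and the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a later macOS release
# that provides fdesetup and firmwarepasswd; function names are hypothetical.

# Classify the text printed by `fdesetup status`.
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Classify the text printed by `firmwarepasswd -check` (needs root).
firmware_state() {
    case "$1" in
        *"Password Enabled: Yes"*) echo on ;;
        *"Password Enabled: No"*)  echo off ;;
        *)                         echo unknown ;;
    esac
}

# exposure_report FILEVAULT_STATE FIRMWARE_STATE
# Anything other than "on" (including "unknown") is reported as OPEN.
exposure_report() {
    if [ "$2" = on ]; then
        echo "GATED: Single User Mode and install-disc boot need the firmware password"
        echo "NOTE: the post's RAM change plus PRAM reset clears that password on the hardware it covers"
    else
        echo "OPEN: Command+S gives a root console (section 1)"
        echo "OPEN: install disc offers Reset Password (section 2)"
    fi
    if [ "$1" = on ]; then
        echo "PROTECTED: a reset login password does not unlock FileVault data"
    else
        echo "OPEN: account files are readable once the password is reset"
    fi
}

# Query the local machine; a missing or failing tool yields "unknown".
audit_this_mac() {
    fv_out=$(fdesetup status 2>/dev/null) || fv_out=""
    fw_out=$(firmwarepasswd -check 2>/dev/null) || fw_out=""
    exposure_report "$(filevault_state "$fv_out")" "$(firmware_state "$fw_out")"
}

# Only run the live check on macOS; elsewhere the functions are just defined.
if [ "$(uname)" = Darwin ]; then audit_this_mac; fi
```

Run it with sudo so `firmwarepasswd -check` can read the setting; without root that check reports "unknown" and is counted as open.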

Written by Tanner Godarzi on June 18th, 2008
Posted in: Mac OS X
