Currently trying to use a script (preferably shell) to set up the firmware password on a fresh OSX install. I obviously found this:

http://osxdaily.com/2014/01/06/set-firmware-password-mac/

which would work during a manual install, but we would like to automate this as much as possible. I can't seem to find any documentation on writing a script to set up a (dynamic) firmware password.

My question is:

Is it possible to use a script or program to set up a dynamic firmware password on OSX 10.8/10.9? If so, do you know how? Do you know of any documentation?


Solution 1:

If you mount the hidden "Recovery HD" partition in Terminal:

sudo diskutil mount Recovery\ HD

and then mount "BaseSystem.dmg" by double-clicking it:


then you should be able to use the setregproptool, located inside "Firmware Password Utility.app":


To get to the folder containing setregproptool right-click (or Control click) "Firmware Password Utility.app", select "Show Package Contents" and navigate to Contents/Resources.

Alternatively, following the description in this link:

Set a firmware password from the command line - (see post from "Sep 13, '11 05:04:00AM ")

you can copy the "Firmware Password Utility.app" to a more acceptable location (for example on your local drive) and then use it from there.

These are the options of setregproptool:

$ sudo Firmware\ Password\ Utility.app/Contents/Resources/setregproptool -h
Password:
setregproptool v 2.0 (9) Aug 24 2013
Copyright (C) 2001-2010 Apple Inc.
All Rights Reserved.

Usage: setregproptool [-c] [-d [-o <old password>]] [[-m <mode> -p <password>] -o <old password>]

-c              Check whether password is enabled.
                        Sets return status of 0 if set, 1 otherwise.
-d              Delete current password/mode.
                        Requires current password on some machines.
-p              Set password.
                        Requires current password on some machines.
-m              Set security mode.
                        Requires current password on some machines.
                        Mode can be either "full" or "command".
                        Full mode requires entry of the password on
                        every boot, command mode only requires entry
                        of the password if the boot picker is invoked
                        to select a different boot device.

                When enabling the Firmware Password for the first
                time, both the password and mode must be provided.
                Once the firmware password has been enabled, providing
                the mode or password alone will change that parameter
                only.

-o              Old password.
                        Only required on certain machines to disable
                        or change password or mode. Optional, if not
                        provided the tool will prompt for the password.

Solution 2:

I made a shell script that does the trick:

#!/bin/bash
# Mount the Recovery HD and attach the Base System image that holds setregproptool.
# (read -s / read -p are bash features, hence the bash shebang.)
diskutil mount "Recovery HD"
hdiutil attach -quiet -nobrowse "/Volumes/Recovery HD/com.apple.recovery.boot/BaseSystem.dmg"

# Read the passwords without echoing them to the terminal.
echo "What is the current Firmware password?"
read -s OLDPASSWORD
echo "What is the NEW Firmware password?"
read -s NEWPASSWORD
echo "Confirm the NEW Firmware password?"
read -s CONFIRMPASSWORD
while [ "$NEWPASSWORD" != "$CONFIRMPASSWORD" ]; do
    read -s -p $'\nPasswords don\'t match. What is the NEW Firmware password? ' NEWPASSWORD
    read -s -p $'\nConfirm the NEW Firmware password? ' CONFIRMPASSWORD
done

echo $'\nEnter the computer\'s admin password'
# Quote the variables so passwords containing spaces or shell metacharacters survive.
sudo "/Volumes/OS X Base System/Applications/Utilities/Firmware Password Utility.app/Contents/Resources/setregproptool" -m command -p "$CONFIRMPASSWORD" -o "$OLDPASSWORD"

# Detach the image before unmounting the volume it was attached from.
hdiutil detach -quiet "/Volumes/OS X Base System"
diskutil unmount force "Recovery HD"
echo "New Password is Set"

The only issue I found with it is that it is writing back the password to the console log in plain text.

Anyone know how to prevent logging it in the console logs?