Managing nvram on a Mac

A number of settings on a Mac are stored in Non-Volatile RAM, or NVRAM. NVRAM holds keys whose values define how the hardware is configured; these settings aren’t otherwise stored in the settings of the operating system.

You can list all of the variables available using the -p option, as follows:

nvram -p

The nvram command also manages the values in these key pairs. Each setting, which we’ll list below, can be edited without any options defined, provided you have elevated privileges to do so. Most values are true or false and need to be supplied as %01 for true and %00 for false. As an example, the following command will turn on Location Services on a Mac:

nvram LocationServicesEnabled=%01

And the following will turn it back off:

nvram LocationServicesEnabled=%00

Some settings won’t apply to certain models if the hardware doesn’t support that setting, but the following is a list of settings available on most models:

  • ac-rk-token
  • act-results: The results of the last Apple Diagnostics or Apple Hardware Test.
  • ALS_Data and Test_ALS_Data
  • AutoBoot: Defines how the system boots (e.g. %00-%03)
  • backlight-level: Defines the level of the backlight (e.g. %d9%0a)
  • bluetoothActiveControllerInfo: Shows information about the active Bluetooth Controller (e.g. %8f%82%ac%05%02%00%00%003%14dv%ba%b5%c3A)
  • bluetoothInternalControllerInfo: Shows information about the internal Bluetooth Controller (e.g. %00%ac%05%00%00%00%00%00%00%8c%85%90@%a4k)
  • bodega-boot-to-black
  • boot-args: Provides arguments for use when booting the kernel (or instructions sent to the kernel such as don’t bring any chicken, er, I mean don’t allow 32-bit software to be run or disable rootless (sudo nvram boot-args="rootless=0")). Also includes:
    • debug=0x1d4e
    • debugshell=2
    • kdp_match_name=mojo
    • watchdog=0
    • smc=0x2
    • -pbmkp rtc=1
    • nvme=0x1
    • medetect_panic=1
    • dither=0
    • legacy_hda_tools_support=1
    • intcoproc_unrestricted=1
    • -tconpanic
    • -pbmkp
    • -v: boots in verbose mode
  • BootAudio: Indicates whether the startup chime will be played on models from 2017 or earlier (e.g. %00 or %01)
  • caterr-reset-disable
  • csr-active-config: Shows the policy on third party kernel extensions (e.g. %ff)
  • csr-data: Defines a policy on third party kernel extensions
  • DisableEfiPackageCstates
  • display-config: Resolution for supported displays.
  • EFIBluetoothDelay: Time system waits for a wireless keyboard during boot (useful in data centers)
  • efi-apple-payload0, efi-apple-payload0-data, efi-apple-payload1, and efi-apple-payload2: UUID, EFI path, etc (e.g. <array><dict><key>IOMatch</key><dict><key>IOProviderClass</key><string>IOMedia</string><key>IOPropertyMatch</key><dict><key>UUID</key><string>7CD53879-001B-4AC9-8D3C-13768C6883B9</string></dict></dict><key>BLLastBSDName</key><string>disk0s1</string></dict><dict><key>IOEFIDevicePathType</key><string>MediaFilePath</string><key>Path</key><string>\EFI\APPLE\UPDATERS\MULTIUPDATER\ThorUtil.efi</string></dict></array>)
  • efi-apple-recovery: Path to firmware information
  • efi-backup-boot-device-data: path to a backup efi file
  • efi-backup-boot-device-data-data: Same as above but encoded (I think).
  • efi-boot-device: Path with efi but with last booted (BLLastBSDName)
  • efi-boot-device-data: Just the path to the efi file with the UUID directory
  • Eos-fdr-cache-uuid: The UUID, but not the useful one used elsewhere
  • eos-restore-failure-uuids
  • fmm-computer-name: The name given to the computer at boot time
  • gpu-policy: Enables the GPU on some models of computers
  • HW_BOOT_DATA: Hardware boot data
  • InstallWindowsUEFI
  • LocationServicesEnabled: Enables (e.g. %01) or disables (e.g. %00) location services
  • multiupdater-0: Encoded multi updater used in efi-apple-payload0
  • previous-system-uuid: Previous uuid used, if available.
  • prev-lang:kbd: The previously selected keyboard language (e.g. en-US:0, en:2, GB:2)
  • security-mode: Used on some models to enable firmware passwords
  • security-password: When security-mode is used, used to set the firmware password
  • SmcFlasherResult (e.g. %00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00)
  • SystemAudioVolume: How loud the audio volume is (e.g. 7)
  • SystemAudioVolumeDB: Audio volume encoded %de which decodes to 222
  • ThorUpdateResult: Thunderbolt updater (e.g. %00%00%00%00%00%00%00%00)

The above list is not complete as I’ve not managed to change all of these in a useful manner. If you know what one is that I didn’t define, let me know! If you get in over your head, never fear, the following article will allow you to clear the values back to defaults:

Cisco, NetApp, Qlogic, the former Xserve RAID and a number of other appliances I’ve used over the years also use nvram to store similar variables. I’ll try and write up the similarities and discrepancies at some point. And good luck if you’re mucking around with this stuff.
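
As an added example (not from the original post), the shell function below reads nvram -p output on stdin and reports the security-relevant keys from the list above: boot-args, LocationServicesEnabled, security-mode and security-password. It assumes one name<TAB>value pair per line and treats an absent or "none" security-mode as no firmware password; nvram_audit, pct_to_dec and sample_nvram are hypothetical names, and the sample data is constructed.

```sh
#!/bin/sh
# Added example, not from the original post. On a Mac: nvram -p | nvram_audit

# Decode one %xx value to decimal (the list above gives %de -> 222).
pct_to_dec() {
    printf '%d\n' "0x${1#?}"
}

# Read name<TAB>value lines (assumed nvram -p format) and print findings.
nvram_audit() {
    awk -F '\t' '
        $1 == "boot-args" {
            n = split($2, arg, " ")
            for (i = 1; i <= n; i++) {
                if (arg[i] == "rootless=0")
                    print "HIGH   boot-args: rootless=0 (disables rootless)"
                else
                    print "REVIEW boot-args: " arg[i]
            }
        }
        $1 == "LocationServicesEnabled" {
            print "INFO   LocationServicesEnabled: " ($2 == "%01" ? "on" : "off")
        }
        $1 == "security-mode"     { mode = $2 }
        $1 == "security-password" { haspw = 1 }
        END {
            if (mode == "" || mode == "none")
                print "WARN   security-mode: no firmware password mode set"
            else
                print "OK     security-mode: " mode
            if (haspw)
                print "INFO   security-password: stored in NVRAM, do not reuse it"
        }
    '
}

# Constructed sample in nvram -p format (not captured from a real machine).
sample_nvram() {
    printf 'boot-args\trootless=0 -v\n'
    printf 'LocationServicesEnabled\t%%01\n'
    printf 'security-mode\tcommand\n'
    printf 'security-password\t%%00%%00\n'
}

sample_nvram | nvram_audit
```

Every boot-args token other than rootless=0 is printed for manual review rather than judged, since the list above does not document what most of them do.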

Clear nvram In macOS Sierra

OS X has the ability to delete all of the firmware variables you’ve created. This can get helpful if you’ve got a bunch of things that you’ve done to a system and want to remove them all. If you run nvram followed by a -p option you’ll see all of the configured firmware variables:

nvram -p

If you run it with a -d you’ll delete the given variables that you define (e.g. boot-args):

nvram -d boot-args

But, if you run the -c you’ll wipe them all:

nvram -c

Delete User Configurable nvram In Sierra (10.12)

A nifty little feature of nvram is the ability to delete all of the firmware variables you’ve created. This can get helpful if you’ve got a bunch of things that you’ve done to a system and want to remove them all. If you run nvram followed by a -p option you’ll see all of the configured firmware variables:

nvram -p

If you run it with a -d you’ll delete the given variables that you define (e.g. boot-args):

nvram -d boot-args

But, if you run the -c you’ll wipe them all:

nvram -c

Delete User Configurable nvram In El Capitan

A nifty little feature of nvram is the ability to delete all of the firmware variables you’ve created. This can get helpful if you’ve got a bunch of things that you’ve done to a system and want to remove them all. If you run nvram followed by a -p option you’ll see all of the configured firmware variables:

nvram -p

If you run it with a -d you’ll delete the given variables that you define (e.g. boot-args):

nvram -d boot-args

But, if you run the -c you’ll wipe them all:

nvram -c

Delete nvram

A nifty little new option that came in OS X 10.9 Mavericks and stays in Yosemite is the ability to delete all of the firmware variables you’ve created. This can get helpful if you’ve got a bunch of things that you’ve done to a system and want to remove them all. If you run nvram followed by a -p option you’ll see all of the configured firmware variables:

nvram -p

If you run it with a -d you’ll delete the given variables that you define (e.g. boot-args):

nvram -d boot-args

But, if you run the -c you’ll wipe them all:

nvram -c

OS X 10.9 Mavericks Gives nvram A Delete All Option

A nifty little new option in OS X 10.9 Mavericks is the ability to delete all of the firmware variables you’ve created. This can get helpful if you’ve got a bunch of things that you’ve done to a system and want to remove them all. If you run nvram followed by a -p option you’ll see all of the configured firmware variables:

nvram -p

If you run it with a -d you’ll delete the given variables that you define (e.g. boot-args):

nvram -d boot-args

But, if you run the -c you’ll wipe them all:

nvram -c

Enjoy!

Those Pesky Firmware Passwords

The summer is upon us. Our users are watching videos like this one: While it’s actually way easier than what they show here, let’s look at stopping people from circumventing our admin goodness using the old school firmware password. Keep in mind, these passwords are somewhat easily reversible as they’re encrypted in a junior varsity way, so don’t use the same password that you use for anything else.

To create our password in a script, we’re going to use EFIPW, available at http://code.google.com/p/efipw. Move the download to a folder such as /usr/local/bin. Then, to set the password to supah-secret:

efipw_0.2b.py -p supah-secret -m command

The client will now be in command mode, unless the password is typed in. This disables booting from anything but internal hard drives. Full mode is a bit more annoying as it requires a password every reboot:

efipw_0.2b.py -p supah-secret -m full

Now, we can take off our tin foil hats. Disabling EFI passwords is then as easy as sending the following through ARD:

nvram -d security-mode
nvram -d security-password

The above would need to be part of any ARD templates that involve a bless command, etc… Now that we’ve used some of the worst encryption ever, I’ll queue up Dirty Deeds, Done Dirt Cheap and sip some Budweiser. Enjoy.

Use ARD to Restart to NetBoot Server

It’s summer! And at many schools that means that the kids are gone and it’s time to start imaging again. And imaging means a lot of rebooting holding down the N key. But wait, you have ARD access into all those computers. And you have automated imaging tools. This means you can image the whole school from the comfort of your cabin out by the lake. Just use ARD and a little automation and you’ll be fishing in no time!

If you haven’t used the bless command to restart a client to a NetBoot server then you’re missing out. The bless command is used to set the boot drive that a system will use. It comes with a nifty --netboot option. Define the --server and (assuming you have one nbi) you can reset the boot drive by sending a “Unix command” through ARD:

bless --netboot --server bsdp://192.168.210.9; restart

I added the restart for posterity. This is something everyone with an automated imaging environment really needs to put into their ARD command templates!

Now, that all works fantastic in a vanilla environment. But in more complex environments you will potentially need more complex incantations of these commands. Well, Mike Bombich wrote all this up a while back and so I’ll defer to his article on nvram and bless here to guide you through any custom settings you’ll need. It’s a quick read and really helpful. What else are you gonna’ do while you’re fishing anyway…

BTW, if you have more than three beers, please put the MacBook down. And if you don’t, at least close both terminal and ARD. And email. And iChat. Actually, just close the machine now…