MacOS 10.13 High Sierra Clean Install Gotchas

Posted: October 18th, 2017 | Filed under: Mac

MacOS High Sierra introduced the new file system APFS. I encountered some perplexing bugs.

When you are doing a clean setup on a machine equipped with an SSD, DO NOT be a smart alec and reformat your SSD to APFS!!! IT WILL NOT WORK! The setup will just try to install and reboot back to where you had started. If you click on the log setting you will notice the installer times out complaining that the file system is not HFS+ and can’t be converted to APFS. So if you are going to clean install, format in HFS+ then let the installer convert it (counterintuitive, I know). Oh, and Disk Utility will unhelpfully NOT let you revert back to HFS+.

If you are reading this because you are stuck: open Terminal. Use diskutil list to figure out the name of your SSD drive. Use diskutil eraseDisk APFS to delete the drive, then try Disk Utility again.

Oh yeah, once you finish the install process LET FILEVAULT FINISH BEFORE REBOOT!! If you don’t (e.g. by applying the “Supplemental Update” etc.), you will have to reinstall the whole thing again!! You can check the encryption status under Preferences -> Security & Privacy -> FileVault. For my 500MB SSD drive it takes 12 hours. First time around, I got the “Failed to open OS X Installer. the Path /System/Installation Packages/OSInstall.mpkg appears to be missing or damaged.” message.

ByPass Lost EFI Password for Post 2010 MacBooks

Posted: June 26th, 2016 | Filed under: EFI, Mac

Recently one of my friends encountered a problem (albeit a self-inflicted one). My friend has a Macbook Air (late 2010) that was bought used. Unbeknownst to the purchaser, the EFI password had been set and wasn’t given at the time of purchase. Now the problem arises when my friend wants to sell the Macbook Air after years of service to upgrade to something better. You can’t wipe and reinstall the OS with the EFI password set (it won’t boot without the password, even with the USB or Recovery option) and yes, swapping out the SSD or reinstalling MacOS on another machine won’t work either. The Apple Store would not reset the EFI password without a proof of purchase (which is reasonable). So I investigated other possible solutions.

EFI stores the password along with the system settings (e.g. SSD id etc.) on a memory chip, which is on the Macbook board. It is probably one of the most out-of-place chips on the whole board: it is rather big, with 8 thick pins, vs the other sleek, low-profile BGA chips on the Macbook board.

If the Macbook had been purchased second hand with the EFI password set and the owner doesn’t have any Apple Store records, here are some sensible ways* to bypass it. I am describing the procedure in general, as each specific model has its own peculiarities and not all methods work for all models:
1. Buy an adaptor that allows you to reprogram the EFI chip via the SPI debug port. There are plenty of YouTube videos demonstrating that. The problem is that accessing the chip during the writing process might cook the whole board. I find this solution messy, as you sometimes have to flip over the board to proceed.
2. If you have access to an SMT rework tool, you can desolder the offending chip, dump its content, reprogram a new chip without the password and pop in the new one. It will leave chemical marks on the motherboard. In Canada, the service costs $120 and up. That’s the most physically invasive method.
3. Purchase a bypass tool (called a Matt Card by the manufacturer). It is basically a compatible chip that piggybacks off the original EFI chip via the SPI port. It copies the original EFI content when first plugged in, removes the password in that copy and sets the chip on the board to read only (via a fuse). The downside is that the chip needs to be forever paired to the Macbook in order for the Macbook to boot. Not the most elegant solution, but installing it takes only 10 minutes and most of the time is spent unscrewing the pentalobe screws of the Macbook Air. It costs roughly $90CAD.

I went with method 3, since it is not my Macbook; I don’t want to be the person to explain to my friend that the Macbook got toasted during repair. As you can see from the picture, the card is a tight fit, but it seems to work well.

Conclusion: The best solution is prevention. If budget allows, always purchase your MacOS devices directly from Apple so your account information is on their system. If your budget is limited and you have to purchase any MacOS devices via non-authorized Apple channels (second hand etc.), make sure you check whether the EFI password is enabled by pressing the Option key during boot up (or any of the combinations listed by Apple). If the screen is like the first picture below, then the EFI password is enabled. I recommend not buying the item with the EFI password set.

Here are the pictures of the problem, chip pictures, installation and final results.

Link to Chipmunk International, the manufacturer of the Matt card.

* sensible as in not brute forcing the password, which I don’t think is worthwhile, especially for EFI passwords that are not iCloud PIN locked.

Some tips on compiling NeoOffice 3.2.1 Intel for Mac OSX

Posted: June 19th, 2012 | Filed under: Mac, NeoOffice, Virtual Box

If you are following NeoOffice’s build instructions, here are a few extra tips:

  1. Use 10.5 and old XCode 3.14. Yes, it will only generate a 32bit binary.
  2. Replace the “My_Untested_Office_Suite” and “My Untested Office Suite” strings in neojava/makefile.
  3. Make sure your networking is in Bridged mode instead of NAT. NAT will break cURL, which the makefile needs to grab the Mozilla source.
  4. It helps if you update your PERL CPAN to the latest version. Use sudo cpan.
  5. Subversion is part of Macports now, so you don’t need to install it separately (vs what they say).
  6. The Makefile is very long (about 20 hours on my i series imac to complete its run). If something stops and gets stuck (e.g. for me, adiumapplescriptrunner kept dying when it was compiling language packs; it just freezes), just kill the process under Activity Monitor. Then the makefile itself will continue on. You will need to pay attention, as you might be asked to authenticate sudo via CLI.

Once everything has been set up, it is a rather simple compile, so enjoy! Your final product will be called, rather unimaginatively, My_Untested_Office_Suite-3.2.1-intel.dmg and can be found underneath the $neojava/install directory.

If your iMac i3 won’t power up…

Posted: January 16th, 2012 | Filed under: Mac

I had recently upgraded my iMac to 10.7 but I didn’t realise I should have cleared the PRAM and NVRAM. After a while, I noticed the iMac won’t power up after a shutdown. Removing the power cord as per Apple Support doesn’t do crap. Since the machine won’t power up I can’t execute Command-Option-P-R either.

I consulted the iFixit guide on how to remove the PRAM battery. For PC people, it is the battery that stores the BIOS settings. For the iMac, the battery is stored in literally the belly of the beast. It is one of the last pieces you get to after you have completely disassembled the iMac. After planning the disassembly, I realised that the power supply is one of the first pieces you remove. I took it out, discharged the caps and replaced it back into the iMac. I reasoned that if it doesn’t work, I am back to square one.

Voila.. the iMac powered up. It is still rather cumbersome, the LCD cable is REALLY delicate.. I thought this might help someone who might be in the same situation as I was.

More Netatalk Debugging and Solutions

Posted: August 24th, 2011 | Filed under: Mac, netatalk, Time Machine, Ubuntu

I had to reinstall my Ubuntu system because my Seagate drive died a horrible and quick death. I replaced the drives with WD Greens. Since the Seagate had a SMART error, bad sectors were growing every second; basically the data on the OS drive was spinning to pieces.

When I reinstalled netatalk, I installed the self-compiled netatalk package (that was mentioned previously). However, I encountered the following error:

afpd {cnid_dbd.c:314} (E:CNID): dbd_rpc: Error reading header from fd (db_dir /var/dbd/AppleDB/tm): Connection reset by peer
afpd {cnid_dbd.c:400} (E:CNID): transmit: Request to dbd daemon (db_dir /var/dbd/AppleDB/tm) timed out.

That is relatively simple. I just had to make sure the dbpath set in AppleVolumes.default exists.

Another error message I got:

afpd {volume.c:1907} (W:AFPDaemon): volume "usr" does not support Extended Attributes, using ea:ad instead

I made sure cnidscheme is set to dbd and ea is set to sys in AppleVolumes.default.

:DEFAULT: cnidscheme:dbd ea:sys

Netatalk manual’s coverage of AppleVolumes.default.

Creating a Debian VirtualBox VM

Posted: January 7th, 2011 | Filed under: Debian, Mac, Virtual Box

In the past, I used to use Parallels 5 for my VM needs (and I still do). Recently I have found out that in order to install the Parallels Guest Tools on the latest Ubuntu (10.10), I have to upgrade Parallels from version 5 to 6. Since Ubuntu updates every 6 months, it means that there is a good chance that I have to update Parallels every year in order for the latest version of Ubuntu to work. I have decided to check out VirtualBox and see how well it works with my development environment.

To create a basic Debian VirtualBox image:

  1. Grab the latest netinst image
  2. For typical development use, I don’t think one will use more than 8GB of disc space.
  3. Use the Guided hard disc setup and use the whole drive
  4. Deselect everything else and only install Standard System
  5. Install GRUB to your bootloader
  6. Go through the system setup and reboot
  7. Install OpenSSH server by apt-get install openssh-server
  8. Run apt-get upgrade
  9. Run apt-get update
  10. Do an ACPI Shutdown via the Machine menu or run shutdown now
  11. Edit the VM’s Settings via the Oracle VM VirtualBox Manager
    I typically set:

    • Hardware clock in UTC time. This is to make sure that clocks are in sync so things like ssh won’t misbehave.
    • Disable Audio
    • Change Network -> Adapter 1 -> Attached to: Bridged Networking
    • Disable the Ports (both serial and USB)
    • Leave Shared Folders option unset, I just use SSH for everything.
  12. Reboot, Login
  13. Run ifconfig, the ip address will now be in your home network’s subnet (for me it is So you can ssh into the machine via ssh username@ipaddress
  14. Shut down again and select Export Appliance under File in the VirtualBox Manager. Now, whenever you need a Debian VM, you just have to import the appliance. At this stage, I also highly recommend you take a snapshot of the image before you do any tinkering.
  15. Start the machine again. If you want to give the VM a static IP, run nano /etc/network/interfaces and replace

    allow-hotplug eth0
    iface eth0 inet dhcp

    with (IP Address and Gateway adjusted to taste)

    iface eth0 inet static

    Run /etc/init.d/networking restart

  16. Next time, you can start the Virtual Machine via commandline by using VBoxHeadless -startvm “machinename”

How to setup MacOSX 10.6 for freeRADIUS TLS or WPA2 Enterprise access

Posted: January 6th, 2011 | Filed under: freeRADIUS, Mac

Apple’s documentation for TLS access is rather thin on how to generate certificates etc. for freeRADIUS. Here are some quick instructions.
First, the guest machine must generate a certificate request.

  1. Go to Applications -> Utilities -> Keychain Access
  2. Under Keychain Access -> Certificate Assistant -> Request a Certificate from a Certificate Authority…
  3. Fill in the info, give them your CA Email Address (the one that is in your ca.cnf file)
  4. Either Save or Email (however if a guest is visiting your house and doesn’t have wifi nor cell access, it could be a problem!).
  5. Once you have transferred the request to your server, issue the command below (substitute guestname with whatever you like; in my guest.cnf, I have set the lifetime of the certificate to 1 day):
    openssl ca -config guest.cnf -policy policy_anything -out guests/guestname.crt -extensions xpclient_ext -extfile xpextensions -infiles guestname.crt
  6. Return the ca.crt (if your guest is a frequent visitor or a close friend) and guestname.crt

Setup 802.1X or WPA2 Enterprise access on the guest’s machine:

  1. Open Keychain Assistant (if you have closed it)
  2. Click the user’s keychain, if the padlock is closed, click on it.
  3. Drag the certificates generated above into the keychain
  4. Optionally: Click on the Trust tab and select Always Trust (Assuming you do no evil!)
  5. Quit Keychain Assistant
  6. Open Preferences -> Network
  7. Select Airport -> Advanced..
  8. Select 802.1X tab
  9. Create a new User Profile via the + icon on the lower left hand corner of the window.
  10. Give the profile any name you like
  11. Check the TLS box under Authentication
  12. Click on Configure Trust
  13. Select the Certificates tab
  14. On the lower left hand corner, click on the + and select Select Certificate From Keychain
  15. Click OK and the window will close
  16. Select the SSID from the Wireless Network: drop down list
  17. Select WPA2 Enterprise from the Security Type: drop down list
  18. Click OK and you will be back in the Network window
  19. The profile name should appear now next to 802.1X
  20. Click on Turn Airport On
  21. The 802.1X should automatically connect, if not click on the Connect button
  22. To disconnect, click on Disconnect or Turn Airport Off.

Additional Reading:
Apple’s Resources with pretty pictures.

launchctl Tutorial

Posted: December 5th, 2010 | Filed under: launchctl, Mac

launchctl allows users to start / stop applications that are typically managed via launchd (MacOS’s equivalent of cron).

launchctl command configurations are stored as XML formatted .plist files. For system wide start items they are located in the directories /System/Library/LaunchAgents or /System/Library/LaunchDaemons; for user specific items the plist files are stored in the ~/Library/LaunchAgents or ~/Library/LaunchDaemons directories.

Agents or Daemons?
An agent is a program that requires access to specific users’ information. A daemon is a program that runs in the background and requires generally no input from any user.

For a comparison between Agents and Daemons, refer to this Apple technote.

What is in a .plist?
A .plist file must contain at the very least the keys Label, the ProgramArguments array and a key to tell launchd how the application is run, e.g. KeepAlive or RunAtLoad for one time operations, or StartOnMount, StartInterval or StartCalendarInterval for repeating occurrences.

A complete dictionary of all the property keys can be found here. Among other things, it can monitor modified paths (via the key WatchPaths), set HardResourceLimits, etc.

Here is an example for com.companyname.agentorapplicationname.plist, which runs the application full/path/to/binary every 60 seconds:

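<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key> <string>com.companyname.agentorapplicationname</string>
  <key>ProgramArguments</key> <array><string>full/path/to/binary</string></array>
  <key>StartInterval</key> <integer>60</integer>
  <!-- the key for this <true/> was lost from the listing; RunAtLoad is assumed -->
  <key>RunAtLoad</key> <true/>
</dict>
</plist>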
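The minimum-key rule described above, written as a check that can be run over job definitions before they are loaded. This is an added example, not code from the original post: the function names, sample labels and paths are constructed, and the absolute-path and positive-interval checks are extra hygiene checks assumed here rather than stated in the post.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Run-trigger keys named in the post; a job needs at least one of them
# in addition to Label and ProgramArguments.
TRIGGER_KEYS = ("KeepAlive", "RunAtLoad", "StartOnMount",
                "StartInterval", "StartCalendarInterval")

def audit_job(plist_bytes):
    """Parse one launchd job definition and return a list of findings."""
    try:
        job = plistlib.loads(plist_bytes)
    except (ValueError, ExpatError):  # InvalidFileException is a ValueError
        return ["not a parseable plist"]
    if not isinstance(job, dict):
        return ["top-level object is not a <dict>"]
    findings = []
    label = job.get("Label")
    if not (isinstance(label, str) and label):
        findings.append("missing Label")
    args = job.get("ProgramArguments")
    if not (isinstance(args, list) and args
            and all(isinstance(a, str) for a in args)):
        findings.append("missing or malformed ProgramArguments")
    elif not args[0].startswith("/"):
        findings.append("program is not an absolute path: " + args[0])
    if not any(key in job for key in TRIGGER_KEYS):
        findings.append("no run trigger (" + ", ".join(TRIGGER_KEYS) + ")")
    if "StartInterval" in job:
        value = job["StartInterval"]  # <true/> parses as bool, so exclude it
        if not (isinstance(value, int) and not isinstance(value, bool) and value > 0):
            findings.append("StartInterval must be a positive integer")
    return findings

def make_plist(body):
    """Wrap a constructed <dict> body in the XML plist envelope."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>'
            + body + "</dict></plist>").encode()

# Constructed samples (labels and paths are made up for this example).
GOOD = make_plist("<key>Label</key><string>com.example.agent</string>"
                  "<key>ProgramArguments</key><array><string>/usr/local/bin/agent</string></array>"
                  "<key>StartInterval</key><integer>60</integer>")
BAD = make_plist("<key>Label</key><string>com.example.broken</string>"
                 "<key>ProgramArguments</key><array><string>bin/agent</string></array>"
                 "<key>StartInterval</key><string>60</string>")
NO_TRIGGER = make_plist("<key>Label</key><string>com.example.idle</string>"
                        "<key>ProgramArguments</key><array><string>/bin/true</string></array>")
TRUNCATED = GOOD[:80]  # cut off in the middle of a tag

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD),
                         ("NO_TRIGGER", NO_TRIGGER), ("TRUNCATED", TRUNCATED)):
        print(name, audit_job(sample) or "ok")
```
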

launchctl operations

Command | Description
launchctl list | Lists the PID, status and name of loaded processes
launchctl list | Output the runtime information (eg. PATH) of
launchctl start | Starts
launchctl stop | Stop
launchctl load -w /path/example.plist | Loads a process by its plist filename
launchctl unload /path/example.plist | Stop and unload a process by its plist filename
submit -l labelname -p /path/eg/binary -o /path2/stdout -e /path2/stderr | Manually run binary under the label labelname with the specified stdout and stderr devices/files

How to start / stop AppleVNCServer via command line properly!

Posted: December 2nd, 2010 | Filed under: Mac, VNC

The recent versions of Apple MacOSX (10.5+) come with a built-in VNC Server which allows users to remotely access the Mac graphically. With 10.5 there is a weird bug in the VNCServer where, in mid session, the process will increase its CPU load from a typical ~1 – 10% to 60%+, locking up the session while it is at it. Typically AppleVNCServer can take about 25% CPU time on a G5 during normal Window dragging etc.

One can terminate the thread brutishly by issuing the command ps -ax | grep AppleVNCServer to find the offending PID and then kill it. The AppleVNCServer will restart, assuming your Screen Sharing option is turned on.

However, one can also do it elegantly via the launchctl interface.

The actual AppleVNCServer binary is buried in /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/. However it is controlled via the /System/Library/LaunchAgents/

AppleVNCServer doesn’t seem to accept any runtime flags.

To see if it is actually running run launchctl list.

To STOP a run away AppleVNCServer process: launchctl stop
To START AppleVNCServer via command line: launchctl start

If you reach this far, I assume you also know how to remote access a mac via ssh.