axi0mX / ipwndfu

open-source jailbreaking tool for many iOS devices
GNU General Public License v3.0

Translate to Thunderbolt DFU to support T2 security chips #141

Closed rickmark closed 4 years ago

rickmark commented 4 years ago

The T2 processor is almost identical in DFU protocol to USB DFU, but instead uses Thunderbolt as the transport. Because of this, sending the same payloads over Thunderbolt DFU will likely allow it to be used with the T2 chip as well.

rickmark commented 4 years ago

Sorry to top-post, but I did a bit of digging myself.

Turns out a T2 based MacBook will indeed work with only a USB controller to enter DFU mode (it seems the thunderbolt protocol is used at a later stage of restore).

For those interested, the reported DFU string states CPID:8012 - iBoot-3401.0.0.1.16

I think this is about enough to show that Checkm8 MAY work, but this is newer SecureROM; so that is assuming the USB heap issue wasn't patched in a later release. But at the same time the chip used is about an A10, which means it will not have ARM pointer authentication codes, making it more likely to be quick work than the XS and future...

baconwaifu commented 4 years ago

Try adding a config entry with some preexisting offsets, it should at the very least crash the target, which should confirm vulnerability to the exploit. It's a bit more work after that to twist it into actual code execution though.

MCMrARM commented 4 years ago

When booting my T2-powered MBP2018 to DFU: SerialNumber: CPID:8012 CPRV:10 CPFM:03 SCEP:01 BDID:0C ECID:#removed# IBFL:3C SRTG:[iBoot-3401.0.0.1.16] I tried adding a configuration identical to the 8011 or 8015 CPU, both quite obviously failed, but the chip rebooted from DFU and showed as a rather weird device:

[ 7535.287769] usb 1-3: New USB device found, idVendor=05ac, idProduct=8600, bcdDevice= 2.01
[ 7535.287775] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 7535.287778] usb 1-3: Product: Apple T2 Controller
[ 7535.287781] usb 1-3: Manufacturer: Apple Inc.
[ 7535.287784] usb 1-3: SerialNumber: 000000000000

The computer itself did not reboot, but it seems that the T2 chip did.

I presume this means it's vulnerable, but I have no idea how to progress from there as it seems the offsets required are not easily obtainable.
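As an added example (not code from this thread or from the ipwndfu project), the following Python parses the two identifiers that keep coming up in this issue: the DFU-mode serial string with its CPID/BDID/SRTG fields, and the dmesg enumeration lines in which the chip shows up as 05ac:8600 "Apple T2 Controller". It also flags a USB port on which a device in DFU re-enumerated as the normal controller, which is exactly how the post above noticed that the T2 had rebooted. The DFU-mode product id 1227 and the product string "Apple Mobile Device (DFU Mode)" in the constructed sample are assumptions, not taken from this thread; the 05ac:8600 lines are modelled on the dmesg excerpt above.

```python
import re
from typing import Dict, List

# Apple's USB vendor id and the product id the T2 enumerated as in the
# thread's dmesg excerpt ("Apple T2 Controller"). 1227 is the product id
# Apple SoCs report in DFU mode; that value is an assumption here, not taken
# from the thread.
APPLE_VID = "05ac"
T2_CONTROLLER_PID = "8600"
DFU_PID = "1227"

# Constructed sample: a T2 sitting in DFU, then (after something crashed it)
# re-enumerating on the same port as the normal "always-on" controller.
SAMPLE_DMESG = """\
[ 7500.100000] usb 1-3: New USB device found, idVendor=05ac, idProduct=1227, bcdDevice= 0.00
[ 7500.100010] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 7500.100020] usb 1-3: Product: Apple Mobile Device (DFU Mode)
[ 7500.100030] usb 1-3: Manufacturer: Apple Inc.
[ 7500.100040] usb 1-3: SerialNumber: CPID:8012 CPRV:10 CPFM:03 SCEP:01 BDID:0C ECID:0000000000000000 IBFL:3C SRTG:[iBoot-3401.0.0.1.16]
[ 7535.287769] usb 1-3: New USB device found, idVendor=05ac, idProduct=8600, bcdDevice= 2.01
[ 7535.287775] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 7535.287778] usb 1-3: Product: Apple T2 Controller
[ 7535.287781] usb 1-3: Manufacturer: Apple Inc.
[ 7535.287784] usb 1-3: SerialNumber: 000000000000
""".splitlines()

FOUND_RE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\] usb (?P<path>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
ATTR_RE = re.compile(
    r"^\[\s*[\d.]+\] usb (?P<path>[\d.-]+): "
    r"(?P<key>Product|Manufacturer|SerialNumber): (?P<val>.*)$"
)
# KEY:VALUE pairs of a DFU serial; SRTG's value is bracketed ([iBoot-...]).
DFU_FIELD_RE = re.compile(r"([A-Z]+):(\[[^\]]*\]|\S+)")


def parse_dfu_serial(serial: str) -> Dict[str, str]:
    """Split a DFU-mode USB serial string into its fields (brackets stripped)."""
    return {k: v.strip("[]") for k, v in DFU_FIELD_RE.findall(serial)}


def parse_usb_events(lines: List[str]) -> List[dict]:
    """Fold dmesg lines into one record per 'New USB device found' event,
    attaching the Product/Manufacturer/SerialNumber lines that follow it."""
    events: List[dict] = []
    open_by_path: Dict[str, dict] = {}
    for line in lines:
        m = FOUND_RE.match(line)
        if m:
            rec = {"ts": float(m["ts"]), "path": m["path"], "vid": m["vid"], "pid": m["pid"]}
            events.append(rec)
            open_by_path[m["path"]] = rec
            continue
        m = ATTR_RE.match(line)
        if m and m["path"] in open_by_path:
            open_by_path[m["path"]][m["key"]] = m["val"].strip()
    return events


def classify(rec: dict) -> str:
    """Label an enumeration: 'dfu' (serial carries CPID/SRTG or DFU pid),
    't2-controller' (normal mode), or something else."""
    if rec["vid"] != APPLE_VID:
        return "other"
    if rec["pid"] == T2_CONTROLLER_PID:
        return "t2-controller"
    serial = rec.get("SerialNumber", "")
    if rec["pid"] == DFU_PID or ("CPID:" in serial and "SRTG:" in serial):
        return "dfu"
    return "apple-other"


def t2_reset_events(events: List[dict]) -> List[float]:
    """Timestamps at which a port that held a device in DFU re-enumerated as
    the T2 controller, i.e. the chip left DFU because it rebooted."""
    last_state: Dict[str, str] = {}
    hits: List[float] = []
    for rec in events:
        state = classify(rec)
        if last_state.get(rec["path"]) == "dfu" and state == "t2-controller":
            hits.append(rec["ts"])
        last_state[rec["path"]] = state
    return hits


if __name__ == "__main__":
    evs = parse_usb_events(SAMPLE_DMESG)
    for e in evs:
        print(e["ts"], e["path"], classify(e), parse_dfu_serial(e.get("SerialNumber", "")))
    print("T2 left DFU at:", t2_reset_events(evs))
```

Run against a real `dmesg -w` stream the same functions let a bench script notice a T2 dropping out of DFU without watching the log by eye; the SRTG field is the quickest way to record which bootrom a given machine reports, as the posts below do by hand.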

rickmark commented 4 years ago

Curious @MCMrARM -

While the T2 isn't generally required for operation after boot, it does still handle in-band encryption of the NVMe storage. If you have a file operation occurring as you trip the reboot, does your system indicate a pause in the block storage? This may indicate that Apple has factored in either some resiliency for the T2 or that reboots for things like T2 upgrades are an occurrence which has been accounted for....

MCMrARM commented 4 years ago

If you panic the T2, the NVMe drive becomes immediately non-operational and the laptop reboots 10 seconds later.

rickmark commented 4 years ago

Damn watchdog X-D

h0m3us3r commented 4 years ago

Any new progress on T2 in the past 3 months?

rickmark commented 4 years ago

Has been working successfully from Linux on the USB transport (Thunderbolt may therefore be unneeded). This is generally how to do a T2 restore...

Maybe we ought to add the following to the wiki for the T2?

Building the world: https://gist.githubusercontent.com/rickmark/9245ed3ef7f36d5a0421557f68c4681b/raw/5d0d4846ba98cf72f810cdf07b895131ef386075/gistfile1.txt

Cleaning the world: https://gist.githubusercontent.com/rickmark/9245ed3ef7f36d5a0421557f68c4681b/raw/5d0d4846ba98cf72f810cdf07b895131ef386075/clean_t2_restore.sh

Doing a Restore:

Follow these instructions 1) https://support.apple.com/guide/apple-configurator-2/revive-firmware-in-mac-computers-apdebea5be51/mac 2) https://gist.githubusercontent.com/rickmark/9245ed3ef7f36d5a0421557f68c4681b/raw/5d0d4846ba98cf72f810cdf07b895131ef386075/perform_t2_restore.sh

Locking down a Pi before hand (yes validated on x86_64 and arm) https://gist.githubusercontent.com/rickmark/9245ed3ef7f36d5a0421557f68c4681b/raw/5d0d4846ba98cf72f810cdf07b895131ef386075/lockdown_pi.sh

In addition (related, but not this issue): I have reverse engineered Apple's USB Target Disk Mode and am currently working on pushing a driver supporting it to Linux staging. Will update here when it's stable:

https://github.com/rickmark/apple_utdm

h0m3us3r commented 4 years ago

I apologize if I am misunderstanding something, but isn't that just a standard dfu restore procedure? I was mainly asking about pwndfu with checkm8, as both t8002 and the t8012 under question were confirmed to be doable by @axi0mX (in this tweet: https://twitter.com/axi0mX/status/1182915286858522624?s=20), but the payload seems to only exist for the t8002 unless I'm missing something...

rickmark commented 4 years ago

Oh shoot, I had supposed they were but hadn't seen confirmation: given that his code is public I should be able to adapt it, but I need an older T2 Mac since it's based on the iBoot SecureROM version. I think this is why original iMac Pros are so expensive second hand...


rickmark commented 4 years ago

Also this means that the T2 has become a GID oracle for all T8012 (even with newer SecureROM), since they share a group key and some are pwn-able.


h0m3us3r commented 4 years ago

I thought all t8012s have 3401.0.0.1.16 bootrom. Are there ones with a newer version?

My understanding was that nobody had dumped 3401.0.0.1.16 to extract the offsets for the payload (or got the offsets by some other means), not that the payload did not work/only worked on some t8012s.

rickmark commented 4 years ago

Will confirm if this is true after BSides ...


h0m3us3r commented 4 years ago

Let me know if I can be of any use, as I have a 2019 macbook, but I need to figure out how to boot the damned thing into dfu first. The apple-provided key-combo boots mine into internet recovery for some absurd reason...

MCMrARM commented 4 years ago

pretty sure the iMac Pro also has 3401.0.0.1.16: https://twitter.com/axi0mx/status/958054470537043968

h0m3us3r commented 4 years ago

Finally managed to boot my MBP2019 into DFU, and I can confirm that it still has CPID:8012 CPRV:10 CPFM:03 SCEP:01 BDID:18 ECID:### IBFL:3C SRTG:[iBoot-3401.0.0.1.16]

rickmark commented 4 years ago

Awesome!!! Now just need to find the offsets from a SecureROM dump, or brute force?!


h0m3us3r commented 4 years ago

The dump is not available anywhere I could think of looking. That only leaves guesstimated brute force as far as I know.

rickmark commented 4 years ago

I’m sure it’s available somewhere, maybe someone with a copy floating around can let us know the offsets >.<


h0m3us3r commented 4 years ago

Quick (and probably stupid) question: can the offsets be brute-forced one-by-one, or is there no way of verifying one without all others?

h0m3us3r commented 4 years ago

I can also confirm the behavior observed by @MCMrARM. Use of any configuration crashes t8012 straight out of dfu into the default "always-on" Apple T2 Controller mode (which is the mode the machine enumerates as when idle, and even when turned off).

rickmark commented 4 years ago

This is great news, means we have no HI for a brute


MCMrARM commented 4 years ago

I considered doing a brute; I think it might be doable. It's not obvious how to brute the offsets independently though, but what I thought of is something like the following: first of all, jump into every possible address on a known vulnerable device which we have a dump of and do the same on the T2. This would let us find addresses that "don't crash" and probably should leak quite a bit of information about the code structure, as well as narrow down the amount of additional brute force needed (jumping into garbage will usually crash immediately due to stack misalignment and bad arguments; it only shouldn't crash when we're near a return). Then I'd try to look and see if we can manage to find the subs in question already based on this info or not.

The main issue is that for this the T2 would need to be looped into DFU. There's a pinout on the motherboard that AFAIK could be used for this, but I don't want to lose Apple Care yet and I don't really have time to attempt it right now.

h0m3us3r commented 4 years ago

I thought of doing something similar, but I have a question. Why is the A11 (t8015) payload so drastically different from A10 (t8010, t8011)? Is it because of architectural changes of A10 -> A11, thus needing different stuff to be done beforehand, or is it due to bootrom changes? (A10 achieves code execution by first disabling wnx with a "disable_wnx" section that is able to be run as memory is remapped in the call-chain. A11 does everything from the call-chain; what exactly, I am not sure yet.) Meaning, do you expect the process for t8012 to be similar to t8010/t8011 or t8015? In t8010's case we only need 4 pointers to get minimal code execution about 30% of the time; in t8015, we need way more. Also, comparing t8010 with t8011, those 4 pointers are in very close proximity, which could even make manual brute possible if it's the same case for t8012. We can then use that minimal code exec to dump rom through a side channel.

I am totally willing to use hardware "FORCE_DFU" method for looping into DFU myself, but unfortunately there is no schematic available for MBP2019, and that is the only T2 machine that I have.

h0m3us3r commented 4 years ago

The simplest `B 0` payload is confirmed to stall a vulnerable device forever without crashing. This payload needs the minimum number of offsets (4 on t8010: nop_gadget, func_gadget, write_ttbr0, and tlbi) and can be used to validate code execution. I will try to jerry-rig some brute forcing method later to find those 4 offsets for t8012.

All of the above is only valid if t8012 code injection procedure is same as for t8010/t8011.

h0m3us3r commented 4 years ago

After a bit more digging, it seems like we only need 2 offsets since nop_gadget is a part of func_gadget, and tlbi seems to be at a constant offset from write_ttbr0 across all versions.

MCMrARM commented 4 years ago

Try to look at the schematic for the 2018, it's very likely in a similar location because the Force DFU is actually a button.

aunali1 commented 4 years ago

@h0m3us3r Its located here on the 13'inch models

[Screenshot: Screen Shot 2019-11-24 at 10 10 21 PM]

aunali1 commented 4 years ago

Here are also some more interesting debug interfaces/connectors that are left on the production board but not soldered. For the 15'inch models:

[Screenshot: Screen Shot 2020-02-26 at 3 42 21 PM]

rickmark commented 4 years ago

To answer the questions of why the processors after T2 are so different, I’d guess both the bug got fixed, and that the introduction of ARM pointer authentication codes / KTRR (read only text regions) are the big causes...


h0m3us3r commented 4 years ago

So far:

```python
write_ttbr0 = None  # most likely within range: 0x1000003E4 ... 0x1000004AC (~~200~~ 50 possibilities)
tlbi = write_ttbr0 + 0x50

func_gadget = None  # most likely within range: 0x10000A404 ... 0x10000A9AC (362 possibilities)
nop_gadget = func_gadget + 0x18
```

Still can't come up with a method of bruting them one by one, and ~~72,400~~ 18,100 possible combinations is still too much.

N00byEdge commented 4 years ago

0x1000003E4 to 0x1000004AC is definitely 50. Still a little bit of a large space, so I would try to guess that they're really close to the t8010 offsets.

h0m3us3r commented 4 years ago

Yes, my bad. It's totally 50. The range is taken from t8015 and t8020 bootroms, based on bootrom version.

h0m3us3r commented 4 years ago

I think I have an idea that will let us brute them one by one. The idea is to modify the call-chain to `[(func_gadget, nop_gadget + 0x4)]`. That will in theory lead to almost no crashes if the func_gadget pointer is correct, and almost guaranteed crashes if it is not.

Finding write_ttbr0 after knowing func_gadget is trivial.

tried that, didn't work.

h0m3us3r commented 4 years ago

Ok, I brought the iteration time down to 1.5 seconds on average (on t8010). Bruting all likely pointers should only take about 8 hours. Just need to find the FORCE_DFU test point. (@aunali1, unfortunately, the MBP2019 MLB is a complete redesign, and I couldn't find the needed TP based on those photos)

rickmark commented 4 years ago

This is incredible news... (doh, read t8010 as t8012, the following refers to progress made on the T2 chip)

I have a Mac mini I can use to confirm your offsets / run a brute as well.

The consequences here are deep and profound:

So this will clearly be a win for transparency, but also shows a capability that has been used for some time now by government / bad actors.

rickmark commented 4 years ago

![](https://images.macrumors.com/t/zpSU-Ro9xHl2xZDBjj9SiOo0weU=/2500x0/filters:no_upscale()/article-new/2018/11/mac-mini-teardown-3.jpg)

Hopefully someone knows the pins on that...

h0m3us3r commented 4 years ago

> Modifying any byte on the NVMe disk

I didn't really look into it much, but isn't NVMe read/write managed by SEP?

rickmark commented 4 years ago

The T2 contains the SEP (and bootstraps it just like the iPhone does during boot), the AP makes PCIe requests for disk I/O to the T2, which then get passed to the backing store. This is why disk is always bound to the T2 by way of the UID key


h0m3us3r commented 4 years ago

Also,

> Changing the serial of the device in SCfg? (Unless it's in OTP memory??)

It is not in OTP on all iDevices (iPhone, iPad)

h0m3us3r commented 4 years ago

Found the test point. I think I might be blind... it is a button. In my defense, it is on the opposite side of the board from where T2 is.

h0m3us3r commented 4 years ago

Brute running. Unfortunately, it is up to 2.5 sec per iteration, so ~12 hours worst case. (Not considering an even worse case of the ranges being wrong...)

rickmark commented 4 years ago

Care to share the brute code? Either public or DM so I can confirm on a different T2 model?

https://mobile.twitter.com/almightylinuxgo


h0m3us3r commented 4 years ago

I don't mind sharing, but you'll need some hardware too, as the T2 needs to be power cycled from time to time.

rickmark commented 4 years ago

I’ve got a 2019 Air and 2019 Mini, the Mini should be super easy to cycle (since it lacks battery)


h0m3us3r commented 4 years ago

My brute is here https://github.com/h0m3us3r/ipwndfu

rickmark commented 4 years ago

Awesome, thanks for the contribution. I’ll either port the code to a Pi or pick up an arduino this weekend


h0m3us3r commented 4 years ago

Actually battery needs to be disconnected xD

T2 still boots into DFU with just USB power, and power cycling is done by splicing an Arduino-controlled relay straight into the USB cable...

h0m3us3r commented 4 years ago

Arduino code is trivial, it's just what I had lying on my desk. All it's doing is turning on the relay on 'P' from serial, and turning it off on 'p'. Initially it could control the force_dfu, but I deemed it useless and am not using that feature.

Tbf, everything can be done from a pi, including brute itself, I was just too lazy to dig in the drawer for mine.

aunali1 commented 4 years ago

@h0m3us3r Sorry, should have been clear about which side of the board that was. So to be clear, the T2 will stay in DFU mode as long as battery is not connected and USB power is supplied, irrespective of FORCE_DFU?