ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

EFI and #18

Closed koushui closed 7 years ago

koushui commented 7 years ago

Thanks ufrisk. Is the attack principle of PCILeech DMA almost the same as the EFI attack method that snare described at Black Hat in 2012? (Http://ho.ax/downloads/De_Mysteriis_Dom_Jobsivs_Black_Hat_Slides.pdf)

After macOS released the HT207423 patch, are both of these attacks now invalid?

ufrisk commented 7 years ago

Yes, DMA and doing evil to EFI and macOS is in no way a novel original idea. I never pretended it was either. It's been done before as you kindly point out by snare and also by others. Apple is more than aware of this.

My contribution is that I found it was possible to extract the FileVault 2 password this way from locked computers, and also that I've created what I hope is a low-cost, easy-to-use attack framework that everyone should be able to use.

The 10.12.2 (HT207423) update effectively blocked this attack, but since there are very minor improvements in the 10.12.4 patch released yesterday I'd still recommend applying it.

koushui commented 7 years ago

Still, thank you for your work. I recently saw the CIA-leaked Sonic Screwdriver, which should be using EFI-related technology. My question: with macOS updated to the latest patch, are these attacks still valid?

ufrisk commented 7 years ago

I can't say for sure about the sonic screwdriver. It's not my thing to comment on.

But I know Apple employs absolutely top firmware security people and I'm very confident that they addressed those vulnerabilities a long time ago.

ufrisk commented 7 years ago

Closing issue due to old age.

ByX54192 commented 6 years ago

What's the problem?

Q:>pcileech.exe kmdload -kmd WIN10_X64

KMD: Failed. Error reading or interpreting memory #1. PCILEECH: Failed to load kernel module.

ufrisk commented 6 years ago

Hi,

Sometimes that happens if you don't have DMA access. Can you try to do a pcileech.exe pagedisplay -min 0x1000 and see if you have DMA access at all? Also, sometimes it helps to reboot the computer (hotplug does not always work).