Sounds exciting, but I don’t know where to get eficheck. If someone knows, please leave a Comment to this post. Thanks!
“Patches iOS kernel to allow access to all NVRAM variables. This tool requires tfp0 kernel patch to work (I’m not quite sure if it works with host_get_special_port 4 workaround). If nvram_patcher doesn’t work for you consider using nonceEnabler by tihmstar.”[…]
It appears Mac OS X 10.12.2 has some firmware-related security updates, with some defense against PCILeech:
macOS FileVault2 Password Retrieval
“macOS FileVault2 let attackers with physical access retrieve the password in clear text by plugging in a $300 Thunderbolt device into a locked or sleeping mac. The password may be used to unlock the mac to access everything on it. To secure your mac just update it with the December 2016 patches. Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the mac is completely shut down. If the mac is sleeping it is still vulnerable. Just stroll up to a locked mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!
Recovering the password is just one of the things that are possible unless the security update is applied. Since EFI memory can be overwritten it is possible to do more evil …
December 13th: Apple released macOS 10.12.2 which contains the security update. At least for some hardware – like my MacBook Air.
Look at recent Tweets from Xeno Kovah; he has multiple posts with information about the 10.12.2 update:
I’ll admit, I didn’t find any firmware information in their release:
Wow, CHIPSEC is ported to Mac OS X! This is great news for Mac owners! CHIPSEC requires a native kernel driver to support CHIPSEC’s HAL. Before this, there were only Linux and Windows HAL drivers for CHIPSEC, so Mac OS X users had to reboot with a Linux-based distro which had CHIPSEC (e.g., LUV-live). Live use aside, this also probably means you’ll be able to use CHIPSEC on OS X for offline analysis of blobs.
OSX Driver for Chipsec. This driver is currently in alpha release. It is not signed and you will need to disable the System Integrity Protection to load it. It is only compatible with x86_64 kernels, that is any release >= 10.7. How to:
1. (optional) Build the Driver using Xcode (chipsec.xcodeproj)
2. Turn the System Integrity Protection off: see
3. Reboot and load the driver
# kextutil chipsec.kext
4. Within the source/tool directory, run:
# python chipsec_util.py spi info
# python chipsec_util.py spi dump rom.bin
5. Unload the driver
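An added example, not from the CHIPSEC project or the original post: a Python sanity check for the rom.bin produced in step 4. It assumes the dump is a full Intel descriptor-mode SPI image (signature at offset 0x10), lists the flash regions the descriptor defines, and flags any region that extends past the end of the file. The function names and the sample image are constructed for illustration.

```python
import struct
import sys

FD_SIGNATURE = 0x0FF0A55A  # Intel flash descriptor signature (FLVALSIG)
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform Data"]

def parse_flash_regions(image: bytes) -> dict:
    """Return {name: (base, limit)} for every region the descriptor enables."""
    if len(image) < 0x1000:
        raise ValueError("image is smaller than the 4 KiB descriptor block")
    sig, flmap0 = struct.unpack_from("<II", image, 0x10)
    if sig != FD_SIGNATURE:  # an all-0xFF or all-0x00 read fails here
        raise ValueError("no flash descriptor signature at offset 0x10")
    frba = ((flmap0 >> 16) & 0xFF) << 4  # Flash Region Base Address
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if base <= limit:  # base > limit marks an unused region
            regions[name] = (base, limit)
    return regions

def check_dump(image: bytes) -> list:
    """Return a list of problems; an empty list means the layout is consistent."""
    regions = parse_flash_regions(image)
    problems = [f"{name} region ends at {limit:#x}, past the {len(image):#x}-byte dump"
                for name, (_, limit) in regions.items() if limit >= len(image)]
    if "BIOS" not in regions:
        problems.append("descriptor defines no BIOS region")
    return problems

def build_sample(size: int = 0x10000) -> bytes:
    """Constructed 64 KiB image: Descriptor, ME and BIOS regions; GbE/PD unused."""
    img = bytearray(b"\xff" * size)
    struct.pack_into("<II", img, 0x10, FD_SIGNATURE, 0x00040003)  # FRBA = 0x40
    struct.pack_into("<5I", img, 0x40,
                     0x00000000, 0x000F0008, 0x00070001, 0x00007FFF, 0x00007FFF)
    return bytes(img)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for name, (base, limit) in parse_flash_regions(data).items():
        print(f"{name:14s} {base:#010x}-{limit:#010x}")
    for problem in check_dump(data):
        print("WARNING:", problem)
```

Run it with the dump path as the only argument; with no argument it parses the constructed sample image.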
With an OS X port of the CHIPSEC HAL, Apple’s OS is starting to catch up with Linux and Windows. I hope Apple paid @tweksteen for the effort; Apple should have done this port long ago. FreeBSD/OpenBSD/NetBSD: time for you to catch up too! 🙂
WOW!!, Nikolaj joins Apple!! First they hired Legbacore, now Nikolaj!
As well, UEFITool has new maintainers, Alex and Dmytro!!