new Apple tools: eficheck (and nvm)

August 31, 2017 ~ hucktech ~ 1 Comment

Apple has apparently created a tool for examining Apple Mac EFI firmware, called eficheck. As I understand things, it was released, then pulled due to some issues (bugs?), and is apparently now avabilable in latest macOS updates. Also, it sounds like there might be another tool for NVMe diagnostics.

It returned in 10.13 b5 after showing up on and off in earlier 10.12 betas: /usr/libexec/firmwarecheckers

— Pepijn Bruienne 🐶🌲🧀💴 (@bruienne) August 14, 2017

https://twitter.com/al3xtjames/status/874764154745368576

usage: eficheck: [–save -b] [ –cleanup -b] [–generate-hashes [-b] [-p]] [–integrity-check [-h [-b]]] [–show-hashes [-h] | [-b]]

Apple’s eficheck…

https://www.apple.com/macos/sierra/
https://en.wikipedia.org/wiki/MacOS_High_Sierra
https://www.macrumors.com/roundup/macos-10-13/

eficheck

Maybe someday there’ll be more info on eficheck, if you find any manpage or other info, please leave a Comment.
https://www.apple.com/us/search/eficheck
https://twitter.com/search?q=eficheck&src=typd

Apple Secure Enclave team hiring multiple roles

August 25, 2017 ~ hucktech ~ Leave a comment

The Secure Enclave team at Apple is hiring. SW engineering and manager roles. Send a resume here or feel free to DM! https://t.co/WaWRkKdxQn

— Jacques Fortier (@jacquesgt) August 21, 2017

5 job posts:

https://jobs.apple.com/us/search?jobFunction=SFWEG#&ss=%22trusted%20kernel%22&t=1&so=&j=SFWEG&lo=0*USA&pN=0

Apple Secure Enclave Processor (SEP) firmware hacked

August 17, 2017August 17, 2017 ~ hucktech ~ 1 Comment

“Hacker xerub has posted the decryption key for Apple’s Secure Enclave Processor (SEP) firmware.”

https://developer.apple.com/library/content/documentation/Security/Conceptual/CertKeyTrustProgGuide/SecureKeyGen.html

key is fully grown https://t.co/MwN4kb9SQI use https://t.co/I9fLo5Iglh to decrypt and https://t.co/og6tiJHbCu to process

— ~ (@xerub) August 16, 2017

https://www.theiphonewiki.com/wiki/Greensburg_14G60_%28iPhone6,1%29

http://www.techrepublic.com/article/hacker-claims-to-have-decrypted-apples-secure-enclave-destroying-key-piece-of-ios-mobile-security/

http://www.iclarified.com/62025/hacker-decrypts-apples-secure-enclave-processor-sep-firmware

new book on Apple reversing/debugging

August 11, 2017 ~ hucktech ~ Leave a comment

Advanced Apple Debugging & Reverse Engineering https://t.co/tqiJX8MOPP

— VulWar (@riusksk) August 11, 2017

Advanced Apple Debugging & Reverse Engineering
Explore code through LLDB, Python and DTrace, to discover more about any program than you ever thought possible.

https://store.raywenderlich.com/products/advanced-apple-debugging-and-reverse-engineering?_ga=2.129698885.852507492.1502412840-255700375.1502412840

Mac’s Firmware Password

July 25, 2017 ~ hucktech ~ Leave a comment

Mac Observer has an article about Apple’s Firmware Password security feature:

Want to make your Mac more secure? Enable the firmware password #mac #security #tips https://t.co/7EhFtidmm7 pic.twitter.com/Jxpiw191s1

— The Mac Observer (@MacObserver) July 25, 2017

Firmware Password Utility shows password protection Enabled

macOS: Turning on Your Firmware Password

Apple on Secure Kernel Extension Loading

July 25, 2017 ~ hucktech ~ Leave a comment

https://twitter.com/macOS_adm/status/889901131316559872

https://twitter.com/Contains_ENG/status/889878399195459589

On June 19th, Apple released a document describing how loading secure kernel extensions (.kext) would change with High Sierra and how this would impact enterprise customers.[…]

System Extension Blocked

http://blog.eriknicolasgomez.com/2017/07/25/Kextpocalypse-High-Sierra-and-kexts-in-the-Enterprise/

https://developer.apple.com/library/content/technotes/tn2459/_index.html

Porting UEFI to Apple PowerPC…

July 23, 2017 ~ hucktech ~ 1 Comment

Porting UEFI to a new architecture:
So it turns out that blogging about something after the fact is pretty tough. I really wanted to blog about my PoC port of UEFI to the OpenPower ecosystem, but it’s incredibly difficult to go back and try to systematize something that’s been a few years back. So let’s try this again. This time, our victim will be a G4 12″ PowerBook6,8 with a 7447A. That’s a 32-bit PowerPC. Now, I’ll go in small steps and document everything. For added fun, we’ll begin porting on the target itself, at least until that gets too tedious. Also, I’ve a few OldWorld machines, a spare G4 12″ for parts and a G5, so hopefully this odyssey won’t be interrupted by old and failing hardware ;-). Keep in mind that each part is checked in along with the source code, so look at the entire commit. Each blog post will focus on the most important details.[…]

http://osdevnotes.blogspot.com/2017/07/porting-uefi-to-xxx-step-1.html
https://github.com/andreiw/ppcnw-edk2
https://github.com/andreiw/ppcnw-edk2/blob/master/PortingHowTo_p1.md

See-also:

Interview with Andrei Warkentin, OpenPOWER UEFI porter

Tianocore for OpenPOWER

OSX Book: Vol1 Update (and Vol3 on security)

July 19, 2017 ~ hucktech ~ Leave a comment

#MOXiI Vol. 1 Status update https://t.co/1vPTroBqrZ
Detailed ToC: https://t.co/HAkVKqsedN.
Last minute requests : https://t.co/0SYtqt7C2S pic.twitter.com/1hyMmjpEPH

— I don't talk about Darwin, no, no, no… (@Morpheus______) July 11, 2017

http://newosxbook.com/2ndUpdate.html

In addition to update of Vol1, I just noticed there’s a Volume 3 on security:
http://newosxbook.com/toc3.html

Dmytro on Apple PCI-E Thunderbolt

July 16, 2017 ~ hucktech ~ Leave a comment

SP605 fits just perfect into it's HighPoint Thunderbolt 2 enclosure 👌
Finally can check how good IOMMU is configured on Apple machines pic.twitter.com/h7dJ7wf6bD

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) July 15, 2017

An interesting finding while playing with PCI-E on OS X: different Thunderbolt devices can access the same DMA buffers mapped by IOMMU [1/2] pic.twitter.com/TbMSYhkl1F

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) July 15, 2017

It's HTTP traffic that going over my Thunderbolt to Ethernet adapter, it was intercepted by FPGA connected to other Thunderbolt port [2/2]

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) July 15, 2017

Yay, evil Thuderbolt device also can access I/O buffers of disk controller which talks to internal SSD of my MacBook Pro pic.twitter.com/nsqUJa6brN

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) July 15, 2017

By the way, I have enabled FileVault which encrypts that SSD, but rogue device somehow is able to see unencrypted filesystem data 😬 #wtf pic.twitter.com/VV6Qo0Y7Hn

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) July 15, 2017

This issue is confirmed for fully patched OS X Sierra, even physical locations of DMA buffers are the same [1/x]https://t.co/2tWLt3rZoD

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) July 16, 2017

OS X offers improper IOMMU support which isolates PCI-E devices from OS, but not from I/O buffers of each others [2/x]

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) July 16, 2017

So, evil PCI-E device can intercept and modify the data which going over your network card or disk controller [3/3] https://t.co/5D3zTcM9Os

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) July 16, 2017

Yes, boot chain level attack is related only for Macs because technically they doesn't have secure boot

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) July 16, 2017

Device still can poison the data of some binary, script or config file to gain code exec at OS level, FileVault doesn't helps

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) July 16, 2017

Setting up Mac for EFI development

July 11, 2017 ~ hucktech ~ Leave a comment

Setup EFI Development environment on Mac OSX Sierra (10.12.X) – https://t.co/b0eXPiEMWV #osx #uefi #programming #security

— Mikal/Meeh (@mikalv) July 11, 2017

Setup EFI Development environment on Mac OSX Sierra (10.12.X)

Mikal Villa Mikal Villa • 07/10/2017

Oh no! a lot of text. Well, luckly half of the post is troubleshooting. EFI development setup is easy 🙂

Okay, before starting this guide you should have some tools installed already.[…]

https://0xcc.re/setup-efi-development-environment-on-mac-osx-sierra-10-12-x/

Apple seeks UEFI engineers

June 9, 2017 ~ hucktech ~ Leave a comment

Apple's looking to hire more UEFI engineers in Cupertino CA or Austin TX. If you're interested, hit me up at xeno at apple

— Xeno Kovah (@XenoKovah) June 8, 2017

Most job offers are from headhunters. This one comes from one of the pioneers of firmware security research!

Apple ships development iBoot on AppleTV?

June 6, 2017 ~ hucktech ~ Leave a comment

https://twitter.com/stroughtonsmith/status/871587009713889280

See tweet for full details. 🙂

https://www.theiphonewiki.com/wiki/IBoot_(Bootloader)

Microsoft Surface devices and Intel AMT

June 1, 2017 ~ hucktech ~ Leave a comment

During the initial Intel AMT bug report, Xeno of Apple tweeted that Apple didn’t use AMT.

Recently, Microsoft has also stated that the Surface devices don’t use AMT:

https://blogs.technet.microsoft.com/surface/2017/06/01/intel-amt-vulnerability-and-surface-devices/

Surface Devices Are Not Vulnerable to Intel AMT Exploit

Apple to prevent future firmware modifications?

May 10, 2017 ~ hucktech ~ Leave a comment

” I have just come accross a piece of news on a German tech news site that states that Apple is working on anti-firmware modifications that may affect future installations od MacOS on Hackintosh: https://www.heise.de/newsticker/mel…r-Firmware-Modifikationen-warnen-3708495.html (if anyone has an alternative source in English please post it).”

https://www.tonymacx86.com/threads/anti-firmware-modification-from-apple.221647/

https://www.heise.de/security/meldung/macOS-Sierra-Apple-will-vor-Firmware-Modifikationen-warnen-3708495.html?wt_mc=rss.security.beitrag.rdf

apple_set_os.efi: unlock Intel IGD on MacBook Pro

April 17, 2017 ~ hucktech ~ Leave a comment

apple_set_os.efi: Tiny EFI program for unlocking the Intel IGD on the Macbook Pro 11,3 for Linux and Windows. It has been made to be easily chainloaded by unmodified EFI bootloader like Grub, rEFInd etc. The Macbook Pro 11,3 model’s EFI is switching off the Intel GPU if you boot anything but Mac OS X. So a little trick by faking the OS identifiction is required to make all hardware accessible. All credits belong to Andreas Heider who originally discovered this hack.[…]

https://github.com/0xbb/apple_set_os.efi

More info:
https://lists.gnu.org/archive/html/grub-devel/2013-12/msg00442.html

alloc8 untethered bootrom exploit for iPhone 3GS

April 17, 2017 ~ hucktech ~ Leave a comment

Write-up for alloc8 untethered bootrom exploit for iPhone 3GS : https://t.co/9FKjUttT1P

— Binni Shah (@binitamshah) April 13, 2017

Write-up for alloc8: untethered bootrom exploit for iPhone 3GS
alloc8 brings freedom to millions of iPhone 3GS devices, forever, by exploiting a powerful vulnerability in function malloc in the bootrom. Both revisions of iPhone 3GS bootrom are vulnerable, but old bootrom is also vulnerable to 24Kpwn, which is faster than alloc8.[…]

https://github.com/axi0mX/alloc8

Apple GPU?

April 5, 2017 ~ hucktech ~ Leave a comment

Apple is developing its own GPU for the iPhone and iPad. https://t.co/8WoUv9VbHA

— HardwareZone (@hardwarezone) April 4, 2017

http://www.hardwarezone.com.sg/tech-news-apple-developing-its-own-gpu-iphone-and-ipad

Apple is developing its own graphics chips for iPhones

macOS Security and Privacy Guide

April 2, 2017 ~ hucktech ~ Leave a comment

If you are have an Apple system, here’s a guide to hardening macOS. Unlike most hardening guides, this one covers some aspects of firmware. I wish each OS vendor maintained a document like this.

https://github.com/drduh/macOS-Security-and-Privacy-Guide#firmware

Apple EFI firmware update spreadsheet

March 31, 2017 ~ hucktech ~ Leave a comment

This is an interesting twitter thread, if you have a Mac:

Just about every 10.12.4-supported Mac got a firmware update today too: https://t.co/GqPUh75rTn Notable are new MBP7,1 MM4,1 and MBA3,1 EFI.

— Pepijn Bruienne 🐶🌲🧀💴 (@bruienne) March 27, 2017

https://support.apple.com/en-us/HT201518

https://docs.google.com/spreadsheets/d/1qGRVF1aRokQgm_LuTsFUN2Knrh0Sd3Gp0ziC_VIWqoM/edit#gid=0

See-Also Firmware_Vault: https://firmwaresecurity.com/2015/07/15/tool-review-uefi-spider-and-firmware_vault/