PCIleech -vs- Apple Mac OS X

It appears Mac OS X 10.12.2 has some firmware-related security updates, with some defense against PCILeech:


 macOS FileVault2 Password Retrieval

“macOS FileVault2 let attackers with physical access retrieve the password in clear text by plugging in a $300 Thunderbolt device into a locked or sleeping mac. The password may be used to unlock the mac to access everything on it. To secure your mac just update it with the December 2016 patches. Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the mac is completely shut down. If the mac is sleeping it is still vulnerable. Just stroll up to a locked mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!
Recovering the password is just one of the things that are possible unless the security update is applied. Since EFI memory can be overwritten it is possible to do more evil …
December 13th: Apple released macOS 10.12.2 which contains the security update. At least for some hardware – like my MacBook Air.

Look at recent Tweets from Xeno Kovah, he has multiple posts with information about the 10.12.2 update:


Firmware passwords:

I’ll admit, I didn’t find any firmwaer information in their release:

CHIPSEC ported to Apple Mac OS X!

Wow, CHIPSEC is ported to Mac OS X! This is great news for Mac owners! CHIPSEC requires a native kernel driver to support CHIPSEC’s HAL. Before this, there was only Linux and Windows HAL drivers for CHIPSEC, so Mac OS X users had to reboot with a Linux-based distro which had CHIPSEC (eg, LUV-live). Live use aside, this also probably means you’ll be able to use CHIPSEC on OS X for offline analysis of blobs.

OSX Driver for Chipsec. This driver is currently in alpha release. It is not signed and you will need to disable the System Integrity Protection to load it. It is only compatible with x86_64 kernels, that is any release >= 10.7. How to:
1. (optional) Build the Driver using Xcode (chipsec.xcodeproj)
2. Turn the System Integrity Protection off: see
3. Reboot and load the driver
   # kextutil chipsec.kext
4. Within the source/tool directory, run:
   # python chipsec_util.py spi info
   # python chipsec_util.py spi dump rom.bin
5. Unload the driver




With an OS X port of the CHIPSEC HAL, Apple’s OS is starting to catch up with Linux and Windows. I hope Apple paid @tweksteen for the effort, Apple should have done this port long ago. FreeBSD/OpenBSD/NetBSD: time for you to catch up too! 🙂

Hex-Rays Decompiler plugin for IDA, updated for OS X

If you use IDA, check out the Hex-Rays Decompiler plugin is very powerful, and now available for Mac OS X users.


The Hex-Rays Decompiler plugin for better code navigation in RE process. CodeXplorer automates code REconstruction of C++ applications or modern malware.

It has multiple experienced contributors:

Alex Matrosov (@matrosov)
Eugene Rodionov (@rodionov)
Rodrigo Branco (@rrbranco)
Gabriel Barbosa (@gabrielnb)


Apple security updates for iOS and OSX

Apple has released security updates for iOS, OS X El Capitan, and Safari to address multiple vulnerabilities. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.





MacDBG: new Mac OS X debugger

Tyler Bohan has released a new debugging tool for Mac OS X, including a Capstone-based dissassembler:

Excerpt from readme:

Mac Debugger is simple easy to use C and python debugging framework for OSX. Mac Debugger was created with the focus on giving the programmer a powerful framework to programatically create scripts to debug programs on Mac OSX not found in other products for the platform. The core of macdbg, written in C, is kept as minimal as possible to provide enough basic interaction between the kernel and userland to create powerful features. Higher level functionality is left to the Python implementation such as stack tracing, dissasembly, watchpoints, thread state, and more. A wrapper class is provided for the programmer to create a scripting program. […]



OS X tool for dumping and reconstructing the IOKit classes hierarchy. iokit-dumper directly generates DOT files (see here, which can then be processed with dot tool. Keep in mind this tool is in its early release, so stuff may happen. Also, careful when playing with the code, since a wrong read in the kernel will cause a kernel panic. Remember to always slide kernel addresses before reading from them.





SummitRoute has a new Mac OS X security tool, OSXlockdown. Excerpt from readme follows, note especially the scarily-humorous warnings at the end. 🙂

osxlockdown was built to audit, and remediate, security configuration settings on OS X 10.11 (El Capitan).

This checks and flips various configuration settings. This is a compilation of numerous resources listed in the Resources section which could be converted to bash scripts. This is different than those resources in that instead of requiring the user to read a 100+ page doc, click through numerous GUIs, and try to decide if some esoteric output is good or bad, this tool combines all the steps into a single command. This tool is focused on enterprise deployments of OSX with regard to what it does, but made to be usable for stand-alone home users as well. Running the command by itself will tell you which audit checks passed and failed. Adding the –remediate flag will fix the problems identified. The commands.json file may be edited to disable certain rules by setting enabled to false.

Warning: Many of the rules disable functionality in the name of security. This may make you sad.

Warning: System commands and dark arts are involved, so ensure you have your system backed up first.

RehabMan’s ACPI tools for OSX

I just noticed the project Laptop-DSDT-Patch, by RehabMan. It contains “Common DSDT patches for Ivy/Sandy/Haswell laptops for running OS X“, so it’s for ‘hackintosh’ hackers using non-Apple hardware to run Apple’s OS, OS X, and have to deal with non-Apple hardware/firmware, particularly ACPI’s DSDT table, a nice example of how the modding community generates some interesting firmware tools, if nothing else.

Quoting from from the beginning of RehabMan’s HP-ProBook-4x30s wiki on How to patch your DSDT (useful background even if you don’t this HP model):

Although there are pre-patched DSDTs available as downloads from the tonymacx86.com forums and in installer packages such as the HP ProBook Installer, there can be differences in individual DSDTs that can cause delays in booting and perhaps other problems. Perhaps there are slight differences in BIOS settings, memory installed, etc, that is causing these differences. It is best, therefore, to patch your own DSDT and install it into /Extra/dsdt.aml (Chameleon) or EFI/Clover/ACPI/patched (Clover). I have included five different methods for extracting your native DSDT. Just pick the method that seems easiest for you. The easiest one will depend on whether you still have Windows installed, whether you already have a Linux USB stick prepared, and just how familiar you are with both systems.

Quoting from the OSx86 wiki, for the Mac OSX-perspective on it, ACPI’s DSDT is:

The Differentiated System Description Table is the main table in the ACPI part of a computer’s BIOS. The Advanced Configuration and Power Interface (ACPI) defines a large number of tables that provide the interface between an ACPI-compliant operating system and system firmware. These allow description of system hardware in a platform-independent manner in ACPI Machine Language (AML). The problem is that OS X has an incomplete ACPI implementation which supports only a subset of DSDT. Modifying the DSDT allows the user to better support their hardware. For example, fixing Time Machine and the UUID 35 error is possible after modifying the DSDT. To patch your DSDT, you must either use a new table file that someone else has provided, or extract and modify your own. Then tell your bootloader to use the new DSDT file instead of the BIOS. On a few motherboards it is also possible to replace the BIOS with an updated BIOS with a patched DSDT. One of the simplest ways to extract your DSDT from your BIOS is by using DSDT Editor. Once you have downloaded DSDT Editor, open it and press File –> Extract DSDT. After 2-15 seconds, your DSDT should appear on the screen.

Look at the various ACPI-centric projects RepoMan has, there’re many! Also, the Ubuntu wiki and SmackerelOfOpinion blog are both excellent for ACPI diagnostic tips.

These ‘modding community’-based ACPI changes for OS X are educational, to see how people can extend their purchases for use cases beyond those that the vendor could imagine. As systems get more tamper-proof, it seems likely that users will have less and less ability to change things. [There also exists a HUGE modding community by photographers and their smartcameras (embedded devices). They add amazing new features. The other day I saw one talk about how they update the system to be able to take pictures of lighting better. Nice example of how owners can add features to their purchases, if able to update their firmware. 🙂 And of course there is custom ‘firmware’ for smartphones, entire distros.]

Personal modding hobbies aside, how much time, if any, do enterprise sysadmins currently spend fixing OEM ACPI tables and other firmware features, to make their systems work properly?

More Info: