Swift-Apple-EFI-Patcher: Apple EFI Patcher written in Swift with Flashrom Integration

February 19, 2020 ~ hucktech ~ Leave a comment

Apple EFI Patcher written in Swift with Flashrom integration. This application was developed out of a need for a simple user-friendly and native macOS based approach to working with Apple EFI roms. The result is an all-in-one application capable of utilizing affordable SPI / eeprom chip reading hardware for reading/dumping from, patching and writing to EFI Rom chips. This application integrates flashrom support in order to communicate with hardware, thus incorporating a lot of the methodologies and current hardware already utilized by technicians.[…]

https://github.com/sadponyguerillaboy/Swift-Apple-EFI-Patcher

See-also:
https://github.com/sadponyguerillaboy/Python-Apple-EFI-Patcher

EFI-Firmware-Password-Simulator: macOS EFI Password Simulator

December 5, 2018 ~ hucktech ~ Leave a comment

A new macOS EFI password tool has appeared on Github today
…but I’ve no time today to look at how it works. 😦

CLOSED-SOURCE WARNING: The project includes a few pre-compiled .EFI binaries but no source, so be careful.

https://github.com/smileycreations15/EFI-Firmware-Password-Simulator

See-also:

Apple: set your firmware password

EFI_BruteForce: EFI PIN of Apple MacBooks

macOS EFI Unlocker V1.0 for VMware: allows non-server versions of MacOS to be run with VMWare

October 22, 2018 ~ hucktech ~ Leave a comment

The macOS EFI Unlocker removes the check for server versions of Mac OS X verisons:

* 10.5 Leopard
* 10.6 Snow Leopard

allowing the non-server versions of Mac OS X to be run with VMware products. Later versions of Mac OS X and macOS
do not need the modified firmware due to Apple removing the restrictions imposed on 10.5 and 10.6.

EFI Unlocker 1 is designed for the following products:

* VMware Workstation and Player versions 14/15
* VMware Fusion versions 10/11

The checks for the server versions are done in VMware’s virtual EFI firmware and looks for a file called
ServerVersion.plist in the installation media and the installed OS. The patch modifies the firmware to check
for a file present on all versions of Mac OS X called SystemVersion.plist.

The patch uses a tool called UEFIPatch to make the modifications.

Please note you may need to use macOS Unlocker version 3 to run on non-Apple hardware.

https://github.com/DrDonk/efi-unlocker

BootTo: A reboot menu for Windows

September 21, 2018 ~ hucktech ~ Leave a comment

As the tweet mentions, there is a disparity for OS-level access to UEFI runtime services.

そうやね "Ports to Linux, FreeBSD and macOS. (It appears that NetBSD and OpenBSD do not yet have the necessary APIs.)" | sjmulder/bootto: A reboot menu for Windows https://t.co/TdDQHJAPWq

— Kimihiro Nonaka/埜中公博 (@nonakap) September 20, 2018

https://github.com/sjmulder/bootto

Booting the Mac: bless, and what makes a volume bootable

August 30, 2018 ~ hucktech ~ 1 Comment

Booting the Mac: bless, and what makes a volume bootable https://t.co/ACNYgbeeYk

— Howard Oakley, Eclectic Light Co (@howardnoakley) August 30, 2018

The last piece in the puzzle that is the booting of a Mac is understanding how any given volume is made bootable, and how it can be made the next startup volume.[…]

Booting the Mac: bless, and what makes a volume bootable

mOSL: Bash script to audit and fix macOS High Sierra (10.13.x) security settings

August 14, 2018 ~ hucktech ~ Leave a comment

https://twitter.com/0x0304/status/1028933297135661056

Settings that can be audited/ fixed:

enable automatic updates
enable gatekeeper
enable firewall
enable admin password preferences
enable terminal secure entry
disable firewall builin software
disable firewall downloaded signed
disable ipv6
disable mail remote content
disable remote apple events
disable remote login
set airdrop contacts only
set appstore update check daily
check SIP
check kext loading consent
check EFI integrity
check filevault
check firmware password set

https://github.com/0xmachos/mOSL

QuickESP: Minimal and discreet ESP/EFI Mounter application for macOS

August 1, 2018 ~ hucktech ~ Leave a comment

https://github.com/dkoluris/quickesp

Only 4 hours old, “Fresh Meat”, as they used to say in the olde days of the Interwebs.

extract-firmware: Extracts EFI firmware installer pkg from High Sierra installer

July 18, 2018 ~ hucktech ~ Leave a comment

Extracts EFI firmware installer pkg from High Sierra installer

https://github.com/jelockwood/extract-firmware

Apple: new/updated T2 chip and Secure Boot support articles

July 16, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/07/12/apple-releases-new-systems-with-t2-chip-and-uefi-secureboot/ and

Apple KB article on Secure Boot

the latter Apple support article on Secure Boot has been updated recently:

About Secure Boot

https://support.apple.com/en-us/HT208330

Mac computers that have the Apple T2 chip

https://support.apple.com/en-us/HT208862

Apple releases new systems with T2 chip and UEFI SecureBoot

July 12, 2018 ~ hucktech ~ 1 Comment

Looks like Apple released MacBookPros w/ T2 chip today. These support SecureBoot, and have enough under the hood security changes that it looks like it's time to update my personal laptop

— Xeno Kovah (@XenoKovah) July 12, 2018

Also, now that there's T2 stuff that's less than $5k hopefully people can poke at it a bit more 😉

— Xeno Kovah (@XenoKovah) July 12, 2018

Apple SecureBoot stoped being iMacPro exclusive today with a release of new MacBookPros. All features are available, including recently added UEFI SB compatibility.
Test it, poke it, break it, report the result, it's the best way for us to make it better.https://t.co/bTdEXBAZvZ

— Nikolaj Schlej (@NikolajSchlej) July 12, 2018

https://www.apple.com/newsroom/2018/07/apple-updates-macbook-pro-with-faster-performance-and-new-features-for-pros/

Apple macOS 10.13.6: UEFI SecureBoot support for iMac Pro

July 10, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2017/12/13/apple-secure-boot/ and https://firmwaresecurity.com/2017/12/20/apple-kb-article-on-secure-boot/

there is more info on Apple Secure Boot:

macOS 10.13.6 update brings (limited) UEFI SecureBoot support for iMac Pro, so now if SecureBoot is enabled, Windows detects that and acts accordingly.

PK, KEK, db and dbx are read-only (hence limited), configured to trust MS 1st-party CA only. pic.twitter.com/M81xcJB1RG

— Nikolaj Schlej (@NikolajSchlej) July 9, 2018

UEFI CA is used to sign many things, none of which is supported.
We don't trust MS 1st-party by default too, BootCamp needs to be used to enable that first.

— Nikolaj Schlej (@NikolajSchlej) July 10, 2018

Send a bug report (https://t.co/NLzOFixGG7) stating that you need SecureBoot support for custom keys and/or 3rd-party OSes.

Right now the only way out for such OSes is to disable SecureBoot.

— Nikolaj Schlej (@NikolajSchlej) July 10, 2018

https://support.apple.com/en-us/HT208864
https://support.apple.com/en-us/HT208937

Apple: Using USB accessories with iOS 11.4.1 and later

July 9, 2018 ~ hucktech ~ Leave a comment

https://t.co/Wn3UNHjg5W

Using USB accessories with iOS 11.4.1 and later

— mikeymikey (@mikeymikey) July 9, 2018

https://twitter.com/zackwhittaker/status/1016396807440666626

https://support.apple.com/en-us/HT208857

Drop-EFI: Mac “droplet” GUI dock for EFI’s ESP

July 1, 2018 ~ hucktech ~ Leave a comment

Drop EFI is a super Droplet for Mount any EFI Partition on macOS
Working for HFS+J, APFS, NTFS GPT, Core Storage volumes.

https://github.com/chris1111/Drop-EFI

Modular Image Creation

Apple: periodic reminder: set your firmware password

June 29, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/05/02/apple-set-your-firmware-password/

periodic reminder: If you care about pre-OS security, you should set a firmware password on your Mac. "sudo firmwarepasswd -setpasswd" in Terminal, or from the GUI in the recovery OS: https://t.co/k9PY6EvnpO

— Xeno Kovah (@XenoKovah) June 29, 2018

Something you can't do from the GUI that you can do from CLI is set it so that it asks for the password *every* boot (even the ones where you're not changing your boot target): "sudo firmwarepasswd -setpasswd -setmode full"

— Xeno Kovah (@XenoKovah) June 29, 2018

https://support.apple.com/en-us/ht204455

Howard Oakley: Hidden caches in macOS: where your private data gets stored

June 26, 2018 ~ hucktech ~ Leave a comment

Hidden caches in macOS: where your private data gets stored https://t.co/dUHlayhl70

— Howard Oakley, Eclectic Light Co (@howardnoakley) June 26, 2018

Some time ago, I proposed that macOS 10.14 should be named Gormenghast, to reflect its many concealed and neglected features. These can trip up its own security and the protection of privacy when an old system within macOS is quietly storing sensitive data in an unprotected location. A good example is the latest vulnerability in QuickLook (or Quick Look, as Apple uses both forms). Here is a brief overview of some of the potentially sensitive information which macOS secretes away in unexpected places. If you’re concerned about protecting the security of your data, these should be places to watch; if you’re a forensic analyst, these are often rewarding places to look.[…]

Hidden caches in macOS: where your private data gets stored

ApfsSupportPkg – Open source apfs.efi loader based on reverse-engineered Apple’s ApsfJumpStart driver

June 22, 2018 ~ hucktech ~ Leave a comment

Apple has a new file system, APFS. This causes Hackintosh people lots of grief. There are lots of Apple APFS binaries online, and now there’s this:

https://github.com/acidanthera/ApfsSupportPkg

Implementation of AppleLoadImage protocol discoverd in ApfsJumpStart Apple driver. This protocol installs in CoreDxe Apple’s firmware. Gives ability to use native ApfsJumpStart driver from Apple firmware

Credits:
cugu for awesome research according APFS structure
CupertinoNet and Download-Fritz for Apple EFI reverse-engineering
vit9696 for codereview and support in the development
savvas

xnumon – monitor macOS for malicious activity

June 20, 2018 ~ hucktech ~ Leave a comment

Released #xnumon 0.1.0, sysmon workalike for #macOS security monitoring; pkg at https://t.co/Xbq7lM3rJC code at https://t.co/cfBl18b7mn @a41con

— Daniel Roethlisberger (@droethlisberger) June 15, 2018

https://github.com/droe/xnumon

https://www.roe.ch/xnumon

On Intel not talking to OpenBSD about recent FPU vuln

June 14, 2018 ~ hucktech ~ Leave a comment

Chip vendors controlling the security of OSes should be more transparent in their selection process. They should maintain a list of OSVs that they maintain embargoed fixes. Then uses could determine if they want to trust the OS or not, or try to lobby to try and get the ISA vendor to support their OS. Is the OS on the list, ok then they may have some chance at fixing things. If not on the list I expect to be vulnerable until the embargo ends. There are MANY more OSes than Microsoft Windows, Apple macOS, a limited number of Linux distros, and sometimes FreeBSD.

Seriously folks. OpenBSD did not receive info about the FPU stuff. We asked. no answer. https://t.co/4S1i9cTU7B. Theo was pretty clear in his BOF. and here: https://t.co/H4yEoTvsHG

— Bob Beck (@bob_beck) June 14, 2018

In some forums, Bryan Cantrill is crafting a fiction. He is saying the FPU problem (and other problems) were received as a leak. He is not being truthful, inventing a storyline, and has not asked me for the facts. This was discovered by guessing Intel made a mistake. We are doing the best for OpenBSD. Our commit is best effort for our user community when Intel didn’t reply to mails asking for us to be included. But we were not included, there was no reply. End of story. That leaves us to figure things out ourselves. Bryan is just upset we guessed right. It is called science.

https://marc.info/?l=openbsd-tech&m=152894815409098&w=2

Apple macOS 10.13.5 EFI update, CVE-2018-4251

June 2, 2018 ~ hucktech ~ Leave a comment

Apple fixes vulnerability which we found in MacBook’s EFI. Great thanks to @NikolajSchlej. We will disclose details in the near future. https://t.co/l1MTWkW6yq

— Maxim Goryachy (@h0t_max) June 1, 2018

Today’s macOS 10.13.5 update includes an EFI update (CVE-2018-4251) which you want to apply soon. Make sure it’s done with softwareupdate and not a PKG install as previously noted! h/t @h0t_max and @_markel___ for finding the issue. #macadmins https://t.co/gO60oJzb13

— Pepijn Bruienne 🐶🌲🧀💴 (@bruienne) June 1, 2018

Another release, another kudos to @h0t_max and @_markel___ for helping us improve ME security. Keep ‘em coming!

— Nikolaj Schlej (@NikolajSchlej) June 1, 2018

https://support.apple.com/en-us/HT208849

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4251