Hi guys, I am part of the team working on all things T2. [1]<p>The checkra1n support is just in a PoC state, it will successfully exploit and boot the T2. The payload support is partially broken, but being worked on.<p>Additionally, we have SSH working over usbmuxd from a tethered device [2] and SSH working from macOS on device, with an SDK in the works [3].<p>Some key takeaways from the T2 being jailbroken:<p>- Custom Bootloaders (OpenCore, Coreboot, etc) are now possible as the T2 validates/sends the UEFI payload to PCH using a bridgeOS binary called MacEFIUtil, which can trivially have its signature checks patched.<p>- Filevault and by extension Touch ID are more or less crippled, especially in light of the recent SEP exploits. Amusingly, Apple uses a hardcoded "passcode", analogous to an iDevice's unlock pin in plain text within the UEFI firmware.<p>- Support for In-System Debugging of the PCH/Intel processor over USB. This works in a similar fashion to those Bonobo cable used for debugging iDevices [4]. We are working on building an accessory that you can purchase and plug into your Mac with a USB male endpoint exposing Intel's DCI debugging protocol.<p>- Lightweight AppleSilicon Tinkering environment. With SSH support from macOS on device, and the T2's modest specs, its a nice sandbox for messing with arm64 stuff. It's a pretty peppy chip, at times coming close to my 8th gen i7...yikes.<p>1. <a href="https://www.theiphonewiki.com/wiki/T8012_checkm8" rel="nofollow">https://www.theiphonewiki.com/wiki/T8012_checkm8</a><p>2. <a href="https://twitter.com/qwertyoruiopz/status/1237904335184564224" rel="nofollow">https://twitter.com/qwertyoruiopz/status/1237904335184564224</a><p>3. <a href="https://twitter.com/su_rickmark/status/1286886010681462784" rel="nofollow">https://twitter.com/su_rickmark/status/1286886010681462784</a><p>4. <a href="http://bonoboswd.com/" rel="nofollow">http://bonoboswd.com/</a>
The fact that Apple uses this chip to, among other things, block "unauthorized repair" (can't change a freaking SSD in 2020, really), makes me very happy that people are finding ways to break this chip to make repairs more accessible.<p>On the other hand, this could have serious implications on the iOS security model for example.<p>And I'm pretty sure someone is gonna run Doom on the touchbar in some months.
I'm torn on this; on the one hand, the prospect of being able to circumvent things like unauthorized repair prevention down the line is neat, and who knows what people may be able to tease out of this (apparently quite powerful chip). So that's neat.<p>But it also breaks Apple's security platform in a big way, since this should make Apple's biometry scheme in their Macbooks much weaker and FileVault a lot easier to crack. That's a shame, because it's a very neat and cohesive security platform that gets out of one's way and works really well even for highly non-technical people. Their security stance is one of the things that keep me in Apple's ecosystem and I know a number of people and companies who feel alike. So, coming from that point of view, I do hope they fix this in time for their first round of ARM Macs.
I wonder if this has security implications. The T2 houses the "secure enclave" and that's where your private keys, certificates and passwords are stored.
If you follow the links you'll find <a href="https://checkra.in/" rel="nofollow">https://checkra.in/</a> which gives you a dmg download - however the release notes don't mention anything about a T2 jailbreak. I would treat this with skepticism.
This is huge! Does anyone know if Apple is able to ship updated software to patch this? I thought the T2 was fairly isolated from the rest of the system. If it’s not easy to fix OTA, this will be really painful for security.<p>Excited to see what sorts of things people build from this though! Would be cool to run a mini OS on the touch bar when the rest of the system is powered off.
Interesting. Does this mean that companies can now use this to unlock corp laptops that ex-employees have iCloud/activation-locked to their personal accounts without Apple's help? [+]<p>[+] Yes, I realize that this also applies to stolen laptops, but this is an actual pain point with running fleets of Macs, from what I've heard.
Does the T2 have any secure storage like the A12 and newer, or are all boot ROM exploits essentially unpatchable? And do we know if this specific exploit is a boot ROM exploit?
Given that T2 is basically and ARM processor + other stuff, I wonder if it's possible to have a separate dump kernel, like OpenVMS. Some watchdog that runs on the chip, and either gracefully shuts down or handles a kernel crash.
So as I recently got a Mac from a guy and he don’t remember the password and I’m stuck on activation lock should I keep it or should I sell it or throw it ! Thanks a lot
Bottom line, can you use this exploit to read the user data on a recent (2019+) iPhone or MacBook if you have possession of the device and it's locked? Yes or no?
Great day to be Apple I guess.<p>I imagine there’s no better incentive to get people to move en masse to your new architecture than an exploit for your old architecture that completely and irreparably breaks its security model showing up weeks before it’s released.
And so the futility of captured computing continues. I would love to write software for the Touch Bar that runs when I shut the MacBook down .. it'd be quite useful for some things, I imagine - such as using it for a remote control for other equipment I own.