
Today's rain forecast : clear with a chance of apples - mac pro Jailbroken

williamcll

Macs, like other Apple devices, have some hardware restrictions that prevent unauthorized modifications to the hardware, such as the T2 chip. However, last week iOS jailbreaking team checkra1n claimed that they have managed to bypass this restriction on the expensive desktop.

Quote

But when gifted hackers began experimenting with the powerful checkm8 hardware-based bootrom exploit earlier this year, things got more interesting. In March, for example, checkra1n team member Luca Todesco demonstrated nifty hacks on the OLED Touch Bar of a T2 chip-equipped MacBook Pro. But the MacBook Pro isn’t the only Apple computer that sports a T2 chip. As a matter of fact, many do, and with that in mind, it may not come as much of a surprise that the checkra1n team has taken things a step further by jailbreaking yet another T2-equipped Mac – the elaborate and expensive Mac Pro:

 

The captivating feat was shared first via Twitter by checkra1n team member Rick Mark Monday afternoon and later Retweeted by Luca Todesco. The Tweet contained an image that appeared to depict Apple’s latest Mac Pro being given the checkm8 bootrom exploit treatment with the help of an accompanying MacBook Pro. It’s worth noting that a Mac’s T2 chip manages its security in terms of the secure enclave, which involves Touch ID authentication, encrypted SSD storage, and secure boot-ups, among other things. Apple also says that a Mac’s T2 chip is responsible for managing its System Management Controller, image signal processor, and SSD controller on top of that. It remains to be seen what types of benefits someone might gain from hacking their T2-equipped Mac, but given just how much of our lives are stored on our computers these days, it’s also worth mentioning that such hacks could potentially impose security implications. The crucial types of information that a Mac’s T2 chip handles only reaffirms this concern.

 

Moreover, the Mac Pro doesn’t even have a Touch Bar like the previously demonstrated MacBook Pro-centric hacks, so there’s potentially even fewer benefits in this particular case.  Nevertheless, the feat earns the checkra1n team bragging rights, as this very well could be the most expensive device ever jailbroken, and that’s not to be taken lightly. As of now, this doesn’t look like much else than just a proof of concept intended to demonstrate the capabilities of the powerful checkm8 exploit, and so we don’t expect to see any tools released to the general public anytime soon. Regardless, it’s still awesome to see what’s possible with just a single widely available hardware exploit that Apple can’t patch without releasing new hardware for future machines.

Source: https://www.idownloadblog.com/2020/05/07/checkra1n-jailbreak-mac-pro-t2/

Thoughts: This would be particularly useful for anyone that needs to do an SSD swap or get Linux to install better on their computer. I expect Apple to not be happy about this.

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

            CPU: Ryzen 9 5900X          Case: Antec P8     PSU: Corsair RM850x                        Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

            Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


Apple will be so mad that this guy can now swap out an ssd in a Mac Pro


My memory is that many years ago some Apple employee said that their anti hackintosh campaign was going to take many years.  All they could do is wait for someone to break the system, find out how it was done, and change it so it couldn’t be done again.  It’s been slowly bearing fruit.  Macs have slowly gotten harder and harder to break into.  It’s kind of like a bug bounty program where the reward is free OS rather than money.  I suspect Apple is more concerned about what the hack is so they can fix it in the next iteration.  Not telling how it was done, now that might make them mad.

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.


13 minutes ago, Bombastinator said:

My memory is that many years ago some Apple employee said that their anti hackintosh campaign was going to take many years.  All they could do is wait for someone to break the system, find out how it was done, and change it so it couldn’t be done again.  It’s been slowly bearing fruit.  Macs have slowly gotten harder and harder to break into.  It’s kind of like a bug bounty program where the reward is free OS rather than money.  I suspect Apple is more concerned about what the hack is so they can fix it in the next iteration.  Not telling how it was done, now that might make them mad.

Apple could always sell an installable version of MacOS, maybe even a few versions out of date but still supported. No need to break the OS and hardware if they bother to cater to those that would use the OS and ecosystem if it wasn't for the restrictive hardware.


Good. Apple, in the quest to control everything, has become this evil entity that's literally worse than Google at this point.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


6 minutes ago, Curious Pineapple said:

Apple could always sell an installable version of MacOS, maybe even a few versions out of date but still supported. No need to break the OS and hardware if they bother to cater to those that would use the OS and ecosystem if it wasn't for the restrictive hardware.

I remember vaguely an article where they talked about that.  They said the problem was they’d have to sell it for $400 just to recoup their costs.  Number may have changed.  It was many years ago.  I personally think they should do it.  OSX is the best part of their ecosystem.  They’re basically a phone company these days though. 


Just now, Bombastinator said:

I remember vaguely an article where they talked about that.  They said the problem was they’d have to sell it for $400 just to recoup their costs.  Number may have changed.  It was many years ago.

Sounds like an excuse to me, they make zero off me downloading the DMG and installing it inside a virtual machine. They want to be a hardware company, and selling MacOS on its own instead of getting that sweet markup and guaranteed future custom for repairs and new hardware isn't what they want to do.


excellent

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>


 

Obviously not the only comment I've mentioned on it... but still.

LINK-> Kurald Galain:  The Night Eternal 

Top 5820k, 980ti SLI Build in the World*

CPU: i7-5820k // GPU: SLI MSI 980ti Gaming 6G // Cooling: Full Custom WC //  Mobo: ASUS X99 Sabertooth // Ram: 32GB Crucial Ballistic Sport // Boot SSD: Samsung 850 EVO 500GB

Mass SSD: Crucial M500 960GB  // PSU: EVGA Supernova 850G2 // Case: Fractal Design Define S Windowed // OS: Windows 10 // Mouse: Razer Naga Chroma // Keyboard: Corsair k70 Cherry MX Reds

Headset: Senn RS185 // Monitor: ASUS PG348Q // Devices: Note 10+ - Surface Book 2 15"

LINK-> Ainulindale: Music of the Ainur 

Prosumer DYI FreeNAS

CPU: Xeon E3-1231v3  // Cooling: Noctua L9x65 //  Mobo: AsRock E3C224D2I // Ram: 16GB Kingston ECC DDR3-1333

HDDs: 4x HGST Deskstar NAS 3TB  // PSU: EVGA 650GQ // Case: Fractal Design Node 304 // OS: FreeNAS

 

 

 


1 minute ago, Curufinwe_wins said:

 

That was my very first thought.  People love to wax lyrical about how good Mac security is and shit on MS for doing things supposedly in the name of security, but at the end of the day neither company deserves the shit flung at them for trying.  They deserve the shit for other reasons.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


1 minute ago, Curufinwe_wins said:

 

Obviously not the only comment I've mentioned on it... but still.

🤫

Apple is perfect and the exception to every rule


1 hour ago, TetraSky said:

Good. Apple, in the quest to control everything, has become this evil entity that's literally worse than Google at this point.

Really?  Really?  Apple is not crushing you with the iron boot of oppression even if this was meant solely to protect the company's hardware ecosystem (and it isn't).  At worst, T2 is a hassle for people who might want to do a few specific things, like replacing the built-in storage.


1 hour ago, Curious Pineapple said:

Sounds like an excuse to me, they make zero off me downloading the DMG and installing it inside a virtual machine. They want to be a hardware company, and selling MacOS on its own instead of getting that sweet markup and guaranteed future custom for repairs and new hardware isn't what they want to do.

Might be. It was a very long time ago.   Well over 10 years.  Maybe over 20.  They had a really really small market percentage which was apparently a lot of the issue.  OS costs are largely fixed, and at the time MacOS development costs were higher than Windows development costs partially because they had to develop both OS X GUI and command line BSD stuff.  That kind of thing changes though.  This was before the iPod even existed.


4 hours ago, RorzNZ said:

Apple will be so mad that this guy can now swap out an ssd in a Mac Pro

This does not let you swap out the SSD. The reason you can't swap out the SSD is that the x86 UEFI is stored on the SSD. When you swap it out you need that SSD to be loaded with your UEFI, otherwise you're not going to boot.


3 minutes ago, hishnash said:

This does not let you swap out the SSD. The reason you can't swap out the SSD is that the x86 UEFI is stored on the SSD. When you swap it out you need that SSD to be loaded with your UEFI, otherwise you're not going to boot.

Why on earth would any company do that?  It seems like making things necessarily harder.

 

Maybe if they were making machines for the NSA or CIA or something like that they can be that fucking tight, but for the average consumer that is just some bullshit levels of complexity that essentially do nothing for 99% of users other than make life harder and more costly when something goes wrong.

 

 


10 minutes ago, mr moose said:

Why on earth would any company do that?  It seems like making things necessarily harder.

The reason is that for a secure boot you need to be able to validate the UEFI before it is sent to the x86 CPU. Also, to protect against the PCIe DMA attacks (like the one that came out yesterday) you need to have the T2 started before the x86 chip starts so that you can init VT-d before system memory starts up.

 



Protecting against TB3 DMA attacks is not just for NSA but also for normal users. It is interesting that the T2 chip came out just as TB3 came to Macs; I expect someone in the security team said "we can not ship TB3 unless we can fully protect against these attackers."
 

10 minutes ago, mr moose said:

99% of users other than make life harder and more costly when something goes wrong.

What Apple should have done is put the UEFI on a separate, small (removable, since it's useful for diagnostics to be able to easily load a different UEFI) SSD. That SSD could also include the recovery partition maybe. Then if you replace your main SSD you could boot to the recovery SSD and install the OS/copy over a backup image.

 

 

1 hour ago, mr moose said:

That was my very first thought.  People love to wax lyrical about how good Mac security is and shit on MS for doing things supposedly in the name of security, but at the end of the day neither company deserves the shit flung at them for trying.  They deserve the shit for other reasons.

It is worth noting that this attack does not break into the secure enclave, so it does not expose the user's data; the main use case of this attack on Macs is to be able to use the Touch Bar from Linux. It does not give you access to the fingerprint sensor, just like on iOS. The T2 chip (it is a lower-binned iPad chip) has 2 parts: all the security operations are in the secure enclave portion, which has not been breached on any iOS device. What this attack lets you do is run unsigned code on the user-space portion of the T2, which in a Mac is just used for displaying graphics on the Touch Bar.

 


3 minutes ago, hishnash said:

What Apple should have done is put the UEFI on a separate, small (removable, since it's useful for diagnostics to be able to easily load a different UEFI) SSD. That SSD could also include the recovery partition maybe. Then if you replace your main SSD you could boot to the recovery SSD and install the OS/copy over a backup image.

What blasphemy are you spouting here. That would be way too consumer friendly. 


10 minutes ago, hishnash said:

The reason is that for a secure boot you need to be able to validate the UEFI before it is sent to the x86 CPU. Also, to protect against the PCIe DMA attacks (like the one that came out yesterday) you need to have the T2 started before the x86 chip starts so that you can init VT-d before system memory starts up.

 



Protecting against TB3 DMA attacks is not just for NSA but also for normal users. It is interesting that the T2 chip came out just as TB3 came to Macs; I expect someone in the security team said "we can not ship TB3 unless we can fully protect against these attackers."
 

 

It really does seem massive overkill for 99% of users.  The average video producer, sound engineer, office worker etc is not the target of such attacks.  It's like trying to implement military security to protect a stuffed toy as it transits through the mail to a new owner.

 

10 minutes ago, hishnash said:

What Apple should have done is put the UEFI on a separate, small (removable, since it's useful for diagnostics to be able to easily load a different UEFI) SSD. That SSD could also include the recovery partition maybe. Then if you replace your main SSD you could boot to the recovery SSD and install the OS/copy over a backup image.

 

What Apple should have done is just leave things the way they were for domestic consumers. Essentially they are doing their damndest to make it so we can't fix our own shit.  That's all.

 

10 minutes ago, hishnash said:

It is worth noting that this attack does not break into the secure enclave, so it does not expose the user's data; the main use case of this attack on Macs is to be able to use the Touch Bar from Linux. It does not give you access to the fingerprint sensor, just like on iOS. The T2 chip (it is a lower-binned iPad chip) has 2 parts: all the security operations are in the secure enclave portion, which has not been breached on any iOS device. What this attack lets you do is run unsigned code on the user-space portion of the T2, which in a Mac is just used for displaying graphics on the Touch Bar.

 

Like I said earlier, there are other reasons to attack Apple or MS,  but trying to implement better security is not one of them.  How far they go with that only to fail in the end (because when you build a better mouse trap they build a better mouse), and how much it negatively affects end consumers.


It seems to me that the solution for repairing and hacking a Mac is to reverse engineer the T2 pinout and build a replacement module that takes over the basic sysinit functions. I'd guess it contains the bootcode similar to how Microsoft booted the original Xbox from the southbridge, initialising the hardware, running a hash on the bootloader and passing over execution if valid. If the initial code the CPU executes is stored on a removable IC then there is a way to take control of the entire system. Granted it's not an easy solution (unless there happens to be a way of forcing the T2 into a permanent reset state and taking over its functions piggyback style). Modchips for Macs!
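
The verify-then-hand-over sequence described in the posts above (a controller that starts first, hashes the boot code and only then releases the main CPU), as an added example that is not part of the thread and is not Apple's or Microsoft's code. It is a simplified Python model with hypothetical class names and constructed firmware bytes, and it also shows why the controller has to hand over the same copy it verified when the boot code sits on removable storage.

```python
# Added example: simplified model of verify-before-handoff boot.
# All class and function names are hypothetical; images are constructed samples.
import hashlib
import hmac

GOOD_IMAGE = b"constructed-sample-firmware v1"
TAMPERED_IMAGE = b"constructed-sample-firmware v1 + unsigned patch"


class Storage:
    """Removable, mutable firmware store that sits outside the trust boundary."""

    def __init__(self, image, swap_to=None):
        self._image = image
        self._swap_to = swap_to  # if set, contents change after the first read

    def read(self):
        data = self._image
        if self._swap_to is not None:
            self._image, self._swap_to = self._swap_to, None
        return data


class HostCPU:
    """Main processor, held in reset until the controller releases it."""

    def __init__(self):
        self.in_reset = True
        self.firmware = None

    def release(self, firmware):
        self.firmware = firmware
        self.in_reset = False


class BootController:
    """Starts first and holds the expected digest in immutable memory."""

    def __init__(self, trusted_digest):
        self._trusted = trusted_digest

    def _valid(self, image):
        digest = hashlib.sha256(image).digest()
        return hmac.compare_digest(digest, self._trusted)

    def boot(self, storage, host):
        # Read once into controller-private memory, verify that copy,
        # and hand over the same copy.
        image = storage.read()
        if not self._valid(image):
            return False  # host stays in reset
        host.release(image)
        return True

    def boot_double_read(self, storage, host):
        # Flawed variant: verifies one read but hands over a second one.
        if not self._valid(storage.read()):
            return False
        host.release(storage.read())
        return True


def run(image, swap_to=None, flawed=False):
    """Boot once and return (booted, firmware the host ended up running)."""
    controller = BootController(hashlib.sha256(GOOD_IMAGE).digest())
    storage, host = Storage(image, swap_to), HostCPU()
    boot = controller.boot_double_read if flawed else controller.boot
    booted = boot(storage, host)
    return booted, host.firmware


if __name__ == "__main__":
    print(run(GOOD_IMAGE))
    print(run(TAMPERED_IMAGE))
    print(run(GOOD_IMAGE, swap_to=TAMPERED_IMAGE))
    print(run(GOOD_IMAGE, swap_to=TAMPERED_IMAGE, flawed=True))
```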


11 minutes ago, TetraSky said:

What blasphemy are you spouting here. That would be way too consumer friendly. 

For the Mac Pro, where price and space are not limited, they should have done this 100%.

For other Macs like a MacBook Air there are downsides to doing this: less battery (or larger, heavier device) and higher price. You then need to consider the trade-off for users: what % of them would have this as a positive and what % would see it as a negative.

 

 

2 minutes ago, mr moose said:

It really does seem massive overkill for 99% of users.  The average video producer, sound engineer, office worker etc is not the target of such attacks.

Video producers can be very worried about security; the amount a hacker can get paid for getting the next James Bond film script, let alone footage etc., is a lot of money! If you can do that by just getting them to stick in the wrong USB-C cable (it looks like a cable) then that is an easy attack to do.  Or maybe they have a PCIe card in their system that is not secure and the hacker manages to replace its firmware (not impossible to do). DMA protections keep the system secure even when there are legacy *insecure* things attached. Sometimes these legacy systems are needed since you need to interface with other old hardware for your job, but you don't want your system to be hacked.
 

6 minutes ago, mr moose said:

What Apple should have done is just leave things the way they were for domestic consumers.

 

Domestic consumers are at the most risk of being hacked. NSA etc. will have secure networks, and security policies about what hardware enters a building. But regular consumers are the ones that are vulnerable to these types of attacks, much more so than gov agencies.

 

 

8 minutes ago, mr moose said:

Essentially they are doing their damndest to make it so we can't fix our own shit.  That's all.

Not quite true, the only thing the T2 stops you doing is replacing the SSD (note that since the T2 is the SSD controller, you are talking about replacing the SSD chips themselves; these do not fail very often, normally it is the controller). The T2 has no impact on any other hardware within the system.

 


3 minutes ago, Curious Pineapple said:

It seems to me that the solution for repairing and hacking a Mac is to reverse engineer the T2 pinout and build a replacement module that takes over the basic sysinit functions. I'd guess it contains the bootcode similar to how Microsoft booted the original Xbox from the southbridge, initialising the hardware, running a hash on the bootloader and passing over execution if valid. If the initial code the CPU executes is stored on a removable IC then there is a way to take control of the entire system. Granted it's not an easy solution (unless there happens to be a way of forcing the T2 into a permanent reset state and taking over its functions piggyback style). Modchips for Macs!

The issue is the T2 is also used for companion compute (it is a very fast crypto and video codec SoC); it might be possible for the T2 to tell the OS that these functions are not available.  If you wanted to replace the T2 with a chip that did what it does it would cost a lot to make. This replacement chip would also need to be an SSD controller if you wanted to use the internal SSD system.

 


3 hours ago, Curious Pineapple said:

Apple could always sell an installable version of MacOS

Apple tried that once, it almost drove them out of business....

Laptop: 2019 16" MacBook Pro i7, 512GB, 5300M 4GB, 16GB DDR4 | Phone: iPhone 13 Pro Max 128GB | Wearables: Apple Watch SE | Car: 2007 Ford Taurus SE | CPU: R7 5700X | Mobo: ASRock B450M Pro4 | RAM: 32GB 3200 | GPU: ASRock RX 5700 8GB | Case: Apple PowerMac G5 | OS: Win 11 | Storage: 1TB Crucial P3 NVME SSD, 1TB PNY CS900, & 4TB WD Blue HDD | PSU: Be Quiet! Pure Power 11 600W | Display: LG 27GL83A-B 1440p @ 144Hz, Dell S2719DGF 1440p @144Hz | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G305 | Audio: Audio Technica ATH-M50X & Blue Snowball | Server: 2018 Core i3 Mac mini, 128GB SSD, Intel UHD 630, 16GB DDR4 | Storage: OWC Mercury Elite Pro Quad (6TB WD Blue HDD, 12TB Seagate Barracuda, 1TB Crucial SSD, 2TB Seagate Barracuda HDD)

25 minutes ago, DrMacintosh said:

Apple tried that once, it almost drove them out of business....

I didn’t know they tried it.  Only that they talked about it.


1 hour ago, hishnash said:

 

 

Video producers can be very worried about security; the amount a hacker can get paid for getting the next James Bond film script, let alone footage etc., is a lot of money! If you can do that by just getting them to stick in the wrong USB-C cable (it looks like a cable) then that is an easy attack to do.  Or maybe they have a PCIe card in their system that is not secure and the hacker manages to replace its firmware (not impossible to do). DMA protections keep the system secure even when there are legacy *insecure* things attached. Sometimes these legacy systems are needed since you need to interface with other old hardware for your job, but you don't want your system to be hacked.
 

 

Big studios have 24/7 security guards and can just not connect to the internet.  It's not that big of a deal.

1 hour ago, hishnash said:

Domestic consumers are at the most risk of being hacked. NSA etc. will have secure networks, and security policies about what hardware enters a building. But regular consumers are the ones that are vulnerable to these types of attacks, much more so than gov agencies.

 

Yep but nope.  The regular consumer has nothing of value to warrant the NSA spending that much time to gain physical access to your PC.

 

1 hour ago, hishnash said:

 

 

Not quite true, the only thing the T2 stops you doing is replacing the SSD (note that since the T2 is the SSD controller, you are talking about replacing the SSD chips themselves; these do not fail very often, normally it is the controller). The T2 has no impact on any other hardware within the system.

 

For now,   and replacing your hard drive is still stopping the consumer from repairing their own machine.  What if they want to put in a bigger one, what if it fails?  A whole lot more headaches that are unnecessary.

 
