Skip to content

Commit 3f9fce8

Browse files
committed
Old notes
1 parent 0294199 commit 3f9fce8

File tree

43 files changed

+3120
-0
lines changed

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

43 files changed

+3120
-0
lines changed
Lines changed: 53 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,53 @@
1+
# Abusing the Titan
2+
3+
# tl;dr
4+
5+
A specially crafted version of ABOOT is capable of being installed to a device with critical flashing unlocked, and in doing so can suppress the insecure notification, modify the booted image, and lie about the unlock or lock status of the device. The only way to detect this for pixel devices is to enter EDL mode and run an image to validate the boot environment, which is not provided at this time. This may not be possible either, given that the DWC3 (USB-C controller) similar to the ACE in the Apple ecosystem, if corrupt, may prevent connection to EDL.
6+
7+
8+
# Method on Pixel 8
9+
## Theory 1
10+
- OEM Unlock
11+
- Access Fastboot
12+
- `fastboot oem gsc sjtag-cfg` - Provides JTAG
13+
- Reset
14+
- Flash to EVT before lockdown in RO region
15+
- Provides ripcurrent bootloader
16+
- Board 0?
17+
- Can read Dauntless with `fastboot oem gsc header <RO_A|RO_B|RW_A|RW_B>`
18+
- `fastboot oem gsc` - Access to Dauntless (Second Gen Titan-M)
19+
- `fastboot oem gsa` - Access to Titan-M trustee applets
20+
-
21+
## Theroy 2
22+
- OEM Unlock
23+
- fastboot flashing unlock_critical
24+
- Reboot to Exynos EBM
25+
- Stream sb1
26+
- ?
27+
- Get to Aboot or some other state
28+
- Stage evt.bin for Titan (having side-stepped anti rollback)
29+
- Recover titan
30+
- Now in factory mode
31+
- set new root of trust
32+
- EL2
33+
- ABOOT that lies
34+
- Remainder of image is blue pill
35+
36+
37+
38+
# Recommended Fix
39+
## PROM Fuse to Set Minimal Version (Epoch)
40+
41+
Apple has a similar concept but only roll this value when there is a known reason to do so. This is totally foolish as many exploits are not discovered for a number of years and rolling back is a simple attack. With only 16 bits of PROM you could easily increment every week to the current version of the Titan-M firmware.
42+
43+
44+
## Do not allow a MP AP to flash EVT Titan-M firmware
45+
46+
This seems like a simple statement, but the determination of what makes an MP is difficult. Similar to above, the determination of if the Titan-M is MP or EVT should not be based on the firmware but a PROM value that can only ever fuse downward from EVT → MP
47+
48+
## Support EDL / EUB modes on recovery / restore google sites
49+
50+
51+
## Properly Document the EVT → MP and Titan-M security functionality
52+
53+

_docs/rickmark/Is_This_Thing_On.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
# Is This Thing On?
2+
3+
## Photo of a microphone on a stand with a finger tapping it
4+
5+
As I sit here typing on my laptop, I look around. I can count microphones in my laptop (and countless others sitting in a pile nearby), my phone, tablet, watch, an Alexa and a HomePod, and even two remotes for the TV and satellite receivers. If you told this to someone from just a few decades ago they would have been incredulous or physically recoil. We’ve invited the vampire into our home.
6+
7+
- Faraday bag, think of a Maxwell Smart-esque cone of silence for digital devices
8+
- Turn your phone off, no really turn it off. Can you remove the battary. Is the screen black, do you believe it?
9+
- T2 and the always on processors
10+
-
11+
Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
# Jailbreaking the T2 with checkra1n
2+
3+
## What is Jailbreaking a Mac Anyway?
4+
5+
This is a question we get a lot. What does it mean to “jailbreak” a Mac, since you can already run any code you want (if you bypass code-signing, SIP, SecureBoot and Gate Keeper anyway). When we say “jailbreak a Mac” what we mean is jailbreaking the AppleSilicon T2 processor. This core runs a iOS derivative called `bridgeOS`. Until now Apple has not allowed or supported any non-Apple code executing on this core. Since this core comes up and aids in the operation of the Intel processor, it allows for a bunch of possibilities not possible before, such as completely replacing the Mac’s EFI.
6+
7+
An overview of the process is:
8+
9+
- Get a copy of `checkra1n` and `libimobiledevice`
10+
- Place the Mac into DFU mode using the Apple support guide
11+
- Connect to the technician workstation (yes you need a second computer)
12+
- Run checkra1n
13+
- Connect to SSH
14+
15+
16+
## `checkra1n` 0.11 and T2 Support
17+
18+
With the release of 0.11 checkra1n began to support the T2 and bridgeOS as a target. You will need to have downloaded (and in the cases of a Mac, run at least once to bypass Gate Keeper) this tool before proceeding. If you haven't done so go on over to https://checkra.in to get a copy.
19+
20+
In order to access SSH you’ll also need the tools from https://libimobiledevice.org. If you’re on a Mac you can install this from home-brew with `brew install libimobiledevice` and you can install on Linux by installing the package for your distribution.
21+
22+
23+
## Placing the T2 Into DFU Mode
24+
25+
Fortunately for us, Apple has provided instructions on how to place a T2 based Mac into DFU. This is in their support guide “[Revive or restore Mac firmware in Apple Configurator 2](https://support.apple.com/guide/apple-configurator-2/revive-or-restore-mac-firmware-apdebea5be51/mac)”. Per their instructions a USB-C to USB-C or USB-C to USB-A cable is required. Thunderbolt is not supported. Once you find the model of your Mac, connect the DFU port to the computer where you have installed `checkra1n`. Follow the model specific guidance in that support article to place the computer into DFU mode. Once that’s done, you can verify by running `lsusb` on Linux and `ioreg -p IOUSB` from a Mac. You should see an `Apple Mobile Device (DFU)` mode attached if you successfully entered DFU.
26+
27+
A DFU device in `lsusb`
28+
29+
![](https://paper-attachments.dropbox.com/s_FA6AAA07030DF3145418B8DEBD132850C234EAA3DCDD633D14D24C758773CF23_1602572131766_t2_dfu_linux.png)
30+
31+
32+
**A DFU device in** `**ioreg -p IOUSB**`
33+
34+
![](https://paper-attachments.dropbox.com/s_FA6AAA07030DF3145418B8DEBD132850C234EAA3DCDD633D14D24C758773CF23_1602572421525_t2_dfu_mac.png)
35+
36+
## Running `checkra1n`
37+
38+
Currently checkra1n can only be run in CLI mode (running any GUI mode will inform you the device is not supported). If you have issues you can increase the debug output with `--verbose-boot` and `--verbose-logging`
39+
40+
**From a Mac**
41+
`sudo ./checkra1n.app/Contents/MacOS/checkra1n` `--``cli`
42+
43+
**From Linux**
44+
`sudo ./checkra1n` `--``cli`
45+
46+
![Running checkra1n against a T2](https://paper-attachments.dropbox.com/s_FA6AAA07030DF3145418B8DEBD132850C234EAA3DCDD633D14D24C758773CF23_1602572505677_t2_checkra1n_public.png)
47+
48+
## Connecting to SSH
49+
50+
Once the device has run checkra1n, it’s ready to accept a connection to dropbear for SSH. You connect to SSH with a T2 by proxying the connection over `usbmuxd`. The SSH server runs on the T2 on port `44` due to specialized handing of `22` in the kernel. Also you will have to keep connected to the T2 because once the USB connection is broken, it will return the port to the Intel. As always, the password like an iPhone is `alpine`
51+
52+
53+
$ iproxy 44 2202
54+
$ ssh root@localhost -P 2202
55+
![A successful SSH session to the T2](https://paper-attachments.dropbox.com/s_FA6AAA07030DF3145418B8DEBD132850C234EAA3DCDD633D14D24C758773CF23_1602572565080_ssh_checkra1n.png)
56+
57+
Lines changed: 59 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,59 @@
1+
# Linux Command Parameters
2+
3+
- debug
4+
- nopv
5+
- ignore_loglevel
6+
- stacktrace
7+
- sched_debug
8+
- rootwait
9+
- ring3mwait=disable
10+
- retain_initrd
11+
- hibernate=no
12+
- rcutree.dump_tree=on
13+
- profile=schedule,sleep,kvm
14+
- printk.devkmsg=on
15+
- prink.always_kmsg_dump=y
16+
- pnp.debug
17+
- pci=earlydump,nodomains
18+
- noresume
19+
- no_console_suspend
20+
- nf_conntrac.acct=1
21+
- iwlwifi.blacklist=1
22+
- blueooth.blacklist=1
23+
- bthci.blacklist=1
24+
- hci_vhci.blacklist=1
25+
- nfs.blacklist=1
26+
- nfsd.blacklist=1
27+
- nfs4.blacklist=1
28+
- sunrpc.blacklist=1
29+
- xen.blacklist=1
30+
- kvm.blacklist=1
31+
- mce
32+
- lsm.debug
33+
- iomem=strict
34+
- iommu.strict=1
35+
- intel_pstate=disable
36+
- integrity_audit=1
37+
- initcall_debug
38+
- keep_bootcon
39+
- efivar_ssdt=off
40+
- efi=debug
41+
- earlyprintk=efi,keep
42+
- early_ioremap_debug
43+
- nopku
44+
- dma_denug=on
45+
- disable_ipv6=on
46+
- debugpat
47+
- debug_objects
48+
- earlycon=keep
49+
- audit=on
50+
- bootmem_debug
51+
- audit_backlog_limit=4096
52+
- acpi_osi=
53+
- acpi.debug_layer=0x02
54+
- acpi.debug_level=0xffffffff
55+
- acpi_enforce_resources=strict
56+
- acpi=strict
57+
- acpi_no_memhotplug
58+
- log_buf_len=256M
59+

_docs/rickmark/Loki.md

Lines changed: 58 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,58 @@
1+
# Loki
2+
3+
- Disconnect battery and all devices technician
4+
- Disconnect antennas
5+
- Read firmware from technician via Medusa
6+
- Use off net loaner to read Medusa to cold storage
7+
- Use loaner to identity and locate clean FD file
8+
- Use loaner to identify and locate clean SMC & Updater
9+
- Use loaner to identify and locate clean Thunderbolt & Updater (From the AV adapter update)
10+
- Use loaner to prepare rEFInd and shell USB drive
11+
- Write FD from loaner to Medusa
12+
- Disconnect internal storage in technician
13+
- Read serial number from technician machine
14+
- Remove power technician
15+
- Write FD from Medusa to technician
16+
- Reset SMC using external contact switch
17+
- Write serial number to technician
18+
- Boot technician from reFINd
19+
- Reset SMC using external contact switch
20+
- Attach power
21+
- Perform SMC update
22+
- Perform Thunderbolt update
23+
- Power off technician
24+
- Verify technician via Medusa
25+
- ASSERT: Firmware should be clean
26+
- Attach persistent storage
27+
- Target disk mode technician
28+
- Read disk raw to backup
29+
- Zero disk
30+
- Power off technician
31+
- Attach other devices
32+
- Restore OS
33+
- Verify that KDP works
34+
35+
Purchase:
36+
Write-prevent USB (One of OS, one for rEFInd)
37+
Thunderbolt -> Firewire
38+
Sufficient size backup drive, mirror to DBX
39+
Remaining items:
40+
Disassemble SMCUpdater
41+
Disassemble ThorUtil
42+
Knowledge:
43+
TouchBar will not be online without persistent storage
44+
Concerns:
45+
After EFI clean, must make sure boot-device is external with rEFInd to prevent re-infection
46+
Assertion:
47+
Loaner is clean out of box
48+
Not on network (lateral movement via SSH)
49+
Secure Enclave will be off-line
50+
Places where persistence may occur: Thunderbolt, SMC, EFI
51+
Questions
52+
Can we remove keyboard and mouse from equation?
53+
Can we disable network via nvram (previous data suggests yes)
54+
Firmware for disk controller (NVM)
55+
Can we prove all bits of disk accessible, write byte stream of random and generate hash, then verify. Ensure number of bytes against another machine. What about bad pages? Do they have spare area?
56+
What if we restore to a clean external disk to verify firmware before trusting internal NVM
57+
Is booting from optical media still supported? (Read only, and or observable change)
58+
Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
# Modern Apple Threat Models
2+
3+
# Being Trapped in a Demoted Device Through the PMGR
4+
5+
6+
# Having a Device Swapped with a PVT (Production Validation Test Unit)
7+
8+
9+
# Being Enrolled in Sandbox APNS / MDM / DEP
10+
11+
12+
# Silent Application of MDM Settings
13+
14+
15+
# Kernel Personas
16+
17+
18+
# Various forms of Modern Trustjacking
19+
20+
21+
# Factory Restore Process
22+
23+
24+
# Abusing Backup / Data Migrators
25+
26+
27+
# Being Trapped in Recovery
28+
29+
Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
# Modern Defense Against the Dark Arts (AKA 2024 SEC)
2+
Modern devices have adopted numerious technologies designed to defend against attackers, but the same such systems can be used to cover up evidence. We now need to look at how to balance the use of high integrity and security devices with those devices that are also subject to investigation and checking of integrity.
3+
4+
5+
6+
## The Loss of th SIM
7+
8+
We over the last five years have effectively phased out the SIM card for majority of US subscribers. But the issue at heart here is that there is not method to interrogate and validate the correctness of the eSIM since it is soldered onto the device.
9+
10+
11+
12+
## The Mis-Use of Enclaves
13+
14+
**Fixing Fasboot**
15+
16+
17+
18+
## Undocumented Boot Modes
19+
20+
**The world of USB-C and USB-PD**
21+
22+
23+
## Radios Everywhere
24+
25+
26+
27+
## Lack of Correlating Identifiers
28+
29+
30+
## Lack of Security and Integirty Training
31+
32+
**BMW and the Issues Related to Vehicle Integirty**
33+
34+
35+
36+
37+
38+
Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
# More Then SecureBoot - PKI Based Device Identity
2+
3+
# Let’s not get ahead of ourselves…
4+
5+
Today we have much larger problems in IoT devices such as the use of secure protocols, firmware SecureBoot and full encryption. Those issues do in fact need to be solved, and this paper is more about what to do next.
6+
7+
8+
9+
# If You Control the Ecosystem, Create a PKI
10+
11+
Let’s use Alarm / Camera company ACME Alarm. Since they know that ACME door sensors will be used with their own base stations, they should include a PUF (physically inclinable function) that provides the entropy for the private key of an EC key. The device should then have an x509 certificate burned into ROM providing a strong device identity. This key and certificate should be used only for the derivation of new credentials, not for the communication itself, as is required by PFS (perfect forward security).
12+
13+
14+
## You Can Warn or Deny When Out of Ecosystem
15+
16+
The ACME security base station could then throw up a caution screen if the pairing process results in a end to end security stance that indicates the device’s origin doesn’t come from ACME Inc. The Z-Wave initiative actually enforces that no provider can deny access to a Z-Wave network because it comes from outside the manufacturer ecosystem. This however does not prevent ACME from warning when it’s not ACME certified hardware, or from an ACME trusted partner.
17+
18+
19+
20+
## You Can Have a Hardware Key and a Use Key
21+
22+
While the hardware key should be based on both confidential private key and a burned in certificate, a good implementation should use this simply to be an attestation allowing the device to derive a private key for a particular user / session, and requesting a certificate for that to be stored in mutable storage. This prevents the general usage of hardware key for communication between nodes, while also providing a hardware based root-of-t
23+
Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
# NOTES: Crouching T2, Hidden Danger
2+
3+
- **completely exposing your macOS (and iPad Pro) - the debug cable may be compatible with the iPad Pro, but since checkm8 is not this isn’t the case**
4+
- The T2 is not the SEP, the T2 contains the SEP
5+
- The boot sequence fully brings up the T2 / bridgeOS before the Intel is released from reset and allowed to boot EFI at all
6+
- No T2 has SATA, it uses NVMe and PCIe to talk to NAND storage
7+
- The T2 / bridgeOS is fully booted and stays on even when the computer is off, so the boot sequence holds here for the power button
8+
- This is not the “next boot disk” since each processor has it’s own system volume, also replace “APFS encryption” with FileVault2 as that is a more accurate term
9+
- Read: http://michaellynn.github.io/2018/07/27/booting-secure/
10+
- The T2/bridgeOS is charged with approving kexts during load
11+
- Filesystem seals: correctly called SSV (Signed System Volumes) is a iOS 14/Big Sur feature
12+
- Break SSV and SIP apart
13+
- Debug cable requires demotion, which is possible with checkm8
14+
- I suggest leaving out the commands until checkra1n publishes the instructions since you have gaps in it
15+
- `smcutil` is for older T1 and prior
16+
- Cannot decrypt FV2, but likely can brute force it (waiting on PoC to confirm that though)
17+
-
18+

0 commit comments

Comments
 (0)