Home / Apple / Michael Tsai – Blog – checkra1n T2 Exploit

Michael Tsai – Blog – checkra1n T2 Exploit

Niels Hofmans (Hacker News, MacRumors):

Mini operating system on T2 (SepOS) suffers from a security vulnerability that is also present in the iPhone 7 since it contains a processor based on iOS A10. Utilization of this type of processors to install homebrew software is very actively discussed in / r / jailbreak subreddit.

So using the checkm8 exploit that was originally created for iPhones, the checkra1n exploit was developed to build a semi-tethered exploit for the T2 security chip, and exploit a bug. This can be used for e.g. Bypassing activation locks so that stolen iPhones or macOS devices can be reset and sold on the black market.

Normally the T2 chip will go out with a fatal error if it is in DFU mode and it detects a decryption call, but thanks to the blackbird vulnerability from the Pangu team, we can completely bypass that check-in in SEP and do whatever we want.

Since sepOS / BootROM is Read only For security reasons, interestingly, Apple cannot fix this core issue without a new hardware version. Fortunately, this also means that this is not a persistent vulnerability, so it will require a hardware insert or other connected component, such as a malicious USB-C cable.


I have contacted Apple about this issue on several occasions[…]. Since I did not get an answer for several weeks […] I hereby reveal almost all the details. You can claim that I do not follow responsible disclosure, but since this issue has been known since 201

9, I think it is clear Apple does not plan to make a public statement and quietly develop a (hopefully) patched T2 in the newer Macs and the silicon. .

Dan Moren:

Strafach says that T2 is actually vulnerable to checkm8, and has been for some time, which means that those with physical access to your computer can essentially restart it in device firmware upgrade mode (DFU), and then execute arbitrary code.

on the other hand, Strafach also points out that what is less clear is whether the arbitrary code will last through a reboot:


People should really relax when it comes to T2 which is being utilized publicly. The vulnerability has been public for more than a year now and has always been there on T2. Furthermore, there are many other vulnerabilities, including external ones, which undoubtedly have a greater impact on security.

If anything, our exploit allows surveys to explore the in-depth, possibly uncovering other issues that could lead to greater security on the mac; in addition to allowing better repair capability for otherwise expensive repairs or worse, issues that Apple refuses to deal with.


The biggest problem with this is that Apple cannot patch it via an update like most other security issues

Apple A10 Apple T2 BridgeOS Bug FileVault Mac macOS 10.15 Catalina Security

Stay up to date by subscribing to the RSS feed for comments for this post.

Source link