{"id":30373,"date":"2020-10-07T12:59:47","date_gmt":"2020-10-07T16:59:47","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=30373"},"modified":"2025-07-30T14:27:48","modified_gmt":"2025-07-30T18:27:48","slug":"checkra1n-t2-exploit","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2020\/10\/07\/checkra1n-t2-exploit\/","title":{"rendered":"checkra1n T2 Exploit"},"content":{"rendered":"<p><a href=\"https:\/\/ironpeak.be\/blog\/crouching-t2-hidden-danger\/\">Niels Hofmans<\/a> (<a href=\"https:\/\/news.ycombinator.com\/item?id=24705645\">Hacker<\/a> <a href=\"https:\/\/news.ycombinator.com\/item?id=24636166\">News<\/a>, <a href=\"https:\/\/www.macrumors.com\/2020\/10\/06\/apples-t2-chip-unpatchable-security-flaw\/\">MacRumors<\/a>):<\/p>\n<blockquote cite=\"https:\/\/ironpeak.be\/blog\/crouching-t2-hidden-danger\/\"><p>The mini operating system on the T2 (<em>SepOS<\/em>) suffers from a security vulnerability also found in the iPhone 7 since it contains a processor based on the iOS A10. Exploitation of this type of processor for the sake of installing homebrew software is very actively discussed in the <a href=\"https:\/\/reddit.com\/r\/jailbreak\/\">\/r\/jailbreak<\/a> subreddit.<\/p><p>So using the <a href=\"https:\/\/checkm8.info\">checkm8 exploit<\/a> originally made for iPhones, the checkra1n exploit was developed to build a semi-tethered exploit for the T2 security chip, exploiting a flaw. This could be used to e.g. 
circumvent activation lock, allowing stolen iPhones or macOS devices to be reset and sold on the black market.<\/p><p>Normally the T2 chip will exit with a fatal error if it is in DFU mode and it detects a decryption call, but thanks to the <a href=\"https:\/\/github.com\/windknown\/presentations\/blob\/master\/Attack_Secure_Boot_of_SEP.pdf\">blackbird vulnerability<\/a> by team Pangu, we can completely circumvent that check in the SEP and do whatever we please.<\/p><p>Since sepOS\/BootROM is <em>Read-Only Memory<\/em> for security reasons, interestingly, Apple cannot patch this core vulnerability without a new hardware revision.\nThis thankfully also means that this is not a persistent vulnerability, so it will require a hardware insert or other attached component such as a malicious USB-C cable.<\/p><p>[&#8230;]<\/p><p>I&rsquo;ve reached out to Apple concerning this issue on numerous occasions[&#8230;]. Since I did not receive a response for weeks [&#8230;] I am hereby disclosing almost all of the details. 
You could argue I&rsquo;m not following responsible disclosure, but since this issue has been known since 2019, I think it&rsquo;s quite clear Apple is not planning on making a public statement and quietly developing a (hopefully) patched T2 in the newer Macs &amp; Silicon.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/sixcolors.com\/post\/2020\/10\/the-macs-t2-chip-is-vulnerable-but-how-vulnerable\/\">Dan Moren<\/a>:<\/p>\n<blockquote cite=\"https:\/\/sixcolors.com\/post\/2020\/10\/the-macs-t2-chip-is-vulnerable-but-how-vulnerable\/\"><p>Strafach says that <a href=\"https:\/\/twitter.com\/chronic\/status\/1313483471101267974\">the T2 is indeed vulnerable to checkm8<\/a>, and has been for some time, meaning that those with <em>physical<\/em> access to your computer can essentially reboot it into the device firmware upgrade (DFU) mode, and then execute arbitrary code.<\/p>\n<p><em>However<\/em>, Strafach also points out that what&rsquo;s less clear is whether the arbitrary code will last through a reboot:<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/DanyL931\/status\/1313405426571112448\">DanyL<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/DanyL931\/status\/1313405426571112448\">\n<p>People should really chill down regarding T2 publicly exploited. The vulnerability has been public for more than a year now and always been there on T2. 
Moreover, there are plenty of other vulnerabilities, including remote ones that undoubtedly have more impact on security.<\/p>\n<p>If anything, our exploit enables researchers to explore the internals more closely, possibly uncovering other issues that may lead to greater security on the mac; as well as allowing better repairability for otherwise pricy repairs or worse, issues Apple bluntly refuses to handle.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/peterindark\/status\/1313416680417234946\">peterindark<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/peterindark\/status\/1313416680417234946\">\n<p>The biggest issue with this is that Apple cannot patch it via an update like most of other security issues<\/p>\n<\/blockquote>\n\n<p id=\"checkra1n-t2-exploit-update-2020-10-09\">Update (2020-10-09): See also: <a href=\"https:\/\/twitter.com\/macosken\/status\/1314252651757002752\">Patrick Wardle<\/a>.<\/p>\n\n<p id=\"checkra1n-t2-exploit-update-2020-10-14\">Update (2020-10-14): <a href=\"https:\/\/9to5mac.com\/2020\/10\/13\/t2-exploit-team\/\">Ben Lovejoy<\/a> (<a href=\"https:\/\/twitter.com\/9to5mac\/status\/1316009609417625600\">tweet<\/a>, also: <a href=\"https:\/\/www.macrumors.com\/2020\/10\/13\/apples-t2-security-chip-vulnerable-to-usb-attack\/\">MacRumors<\/a>):<\/p>\n<blockquote cite=\"https:\/\/9to5mac.com\/2020\/10\/13\/t2-exploit-team\/\"><p>The <a href=\"https:\/\/9to5mac.com\/guides\/t2\/\">T2<\/a> exploit team who found a way to <a href=\"https:\/\/9to5mac.com\/2020\/10\/06\/t2-security-chip-on-macs-can-be-hacked-to-plant-malware-cannot-be-patched\/\">take over the security chip in modern Macs<\/a> has demonstrated a way to do so without user intervention &mdash; using nothing more than a modified USB-C cable.<\/p><p>The ad-hoc team, who call themselves Team t8012 after Apple&rsquo;s internal name for the chip, believe that nation-states may already be using this 
approach.<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Niels Hofmans (Hacker News, MacRumors): The mini operating system on the T2 (SepOS) suffers from a security vulnerability also found in the iPhone 7 since it contains a processor based on the iOS A10. Exploitation of this type of processor for the sake of installing homebrew software is very actively discussed in the \/r\/jailbreak subreddit.So [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2020-10-07T16:59:50Z","apple_news_api_id":"7d5e2c4f-fef3-4a67-92b4-3c1b5217ad0c","apple_news_api_modified_at":"2025-07-30T18:27:51Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAABA==","apple_news_api_share_url":"https:\/\/apple.news\/AfV4sT_7zSmeStDwbUhetDA","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[1510,1607,1871,131,2806,2095,706,30,1666,48],"class_list":["post-30373","post","type-post","status-publish","format-standard","hentry","category-technology","tag-apple-a10","tag-apple-t2","tag-bridgeos","tag-bug","tag-dfu-mode","tag-exploit","tag-filevault","tag-mac","tag-macos-10-15","tag-security"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/30373","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=30373"}],"version-history":[{"count":4,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/30373\/revisions"}],"predecessor-version":[{"id":30443,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/30373\/revisions\/30443"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=30373"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=30373"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=30373"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}