Apple T2

A team of engineers working on the security and development of the t8012

Revealing and Extending the T2

When Apple integrated their iPhone SoC into the Mac, the goal was to create a more secure device. We have performed a thoughtful, complete analysis of the T2, and it creates more problems than it solves. Now, thanks to axi0mX's checkm8, we are opening research and development on the T2 platform.

This is the result of a year's work of research and development; read our story here.

Projects

checkm8 for the T2

Based on the work of axi0mX, the T2 development team was able to gain full code execution on the T2. This work was subsequently integrated into checkra1n, which is a complete jailbreak tool.


efivalidate for T1 and Prior Macs

Verifying the security of the EFI firmware of prior Macs is just as important. While it requires a specialized cable and removing the back cover, efivalidate makes it possible to check the SPI flash chip of these Macs.


cnklverify Apple File Verification

The security of the macOS boot process relies on "chunklist" files such as BaseSystem.chunklist. This tool allows for the extraction of public keys from the kernel and verification of a chunklist-signed file.


bridgeOS.sdk (in development): a Toolchain for bridgeOS

Apple may not have intended developers to target the T2 as a development platform, but that doesn't mean it can't be one.


wiki (coming soon): T2 and bridgeOS Development Resources

Knowledge is power. The collection of secret knowledge related to the Mac and the T2.


Members

CS/Neuroscience pre-med student. Involved with T2/Linux drivers and support and current maintainer prior to T2 exploitation. Analyzed Apple hardware designs to determine points of infiltration. Developed toolchain/SDK for bridgeOS and SSH from host macOS using NCM interface. Created keylogger PoC and zero-click DFU PoC. Currently completing hardware design of retail USB-C debug probe.
An EE student, newcomer to iOS prior to this project. Brute-forced the offsets in the T2 BootROM needed for checkm8 exploit. Started USB-C debug probe research and was first to SWD the T2 from a homemade probe. Currently works on a retail version of USB-C debug probe.
Computer Engineering student with an interest in reverse engineering. Helped in getting Linux running on T2 Macs by reverse engineering important T2 Mac OS drivers and communication protocols, later implementing them for Linux. Helped with the T2 BootROM bruteforce. Reverse engineered parts of T2 boot chain, kernel and user-space for how they are designed and in search of attack vectors.
History as an internal security engineer at tech companies. In this role his assessment of the workstations, phones and other systems was a key concern. He worked generally on macOS integrity, EFI and idevicerestore concerns.