-
Notifications
You must be signed in to change notification settings - Fork 273
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Experiences with Macbook Pros #45
Comments
According to #3 and the issues, no one has tried me_cleaner on a Macbook so far. You can be the first one though ;) |
FYI, I tried your tool on EFI update image that I extracted manually on Linux, from https://support.apple.com/kb/DL1848 dmg and it says:
Also:
|
@hinxx |
Is there a way to extract scap files? Edit: Found something here: "It is also possible to use the scap files available on EFI firmware updates published by Apple. UEFITool is able to process and extract the files. You can find firmware updates for newer machines on Yosemite updates." Source: https://www.sentinelone.com/blog/reverse-engineering-mac-os-x/ |
@archfan you should read the full SPI image from flash; the capsule contains the ME firmware but not in a form usable for flashing; besides the capsule is signed and replacing ME image inside it won't work; you likely need an external flasher (unless you installed Linux in which case flashrom might work). |
Yes, that makes perfect sense. I just wanted to take a look at the files in the capsule. |
You can use UEFITool to look at the stuff inside. The ME region image seems to be in the file with GUID |
Thanks @skochinsky! Got it:
|
Also got it out using flashrom-0.9.9 (I'm running Linux not OS X):
ifdtool reports:
|
The Intel ME region is read-only, you need an external programmer. Unfortunately the MX25L6406E/MX25L6408E are also available in non-SOIC8 packages, let's hope Apple didn't use some weird small footprint package. |
Looking at https://www.terapeak.com/worth/820-3787-a-apple-macbook-pro-retina-15in-late-2013-a1398-16gb-i7-logic-board/291664089801/ (2nd pic) my late 2013 A1398 model should be packing Micron 25Q064A SO8W powered by 1.8V. |
Big enough and it is supported by flashrom (N25Q064..3E), the only issue is the 1.8 V, which is not very common. You'll need either a 1.8 V programmer or a level shifter. |
Good to know it would be possible.. I will need to think this through if it is worth the risk, though. Thanks for the help all! |
IMO, it is worth the risk, but I'm the author of me_cleaner so my opinion is a bit biased ;) Consider that, once you have the external programmer and a valid dump (that you can do the first time you connect the programmer), you're safe (unless you break the hardware obviously). |
Hi guys. i am logicboard(Apple's motherboard) technician, i have experience with apple EFI BIOS flashing using external programmer(RT809F). For now, i still havent tried to remove the ME from the BIOS, i just Cleared the ME with RGN ME. I'll let you guys know if i get any results. |
@caingraywood Keep us updated, I'm really interested in this. |
Just chiming in... I'm planning on attempting this on my rather old MacbookPro5,1 which has an SST25VF032B flash chip, here on the right: |
Has anyone had success with just setting the HAP bit on a macbook? |
@p1g30n You could probably do that, and you might remove potential attack vectors (or you might not)... point being that setting the HAP bit alone means that you must still trust the ME to do what it says, and the base problem with ME is that it relies solely on trust to be secure. If you trust IME anyway... then you might as well not bother setting the HAP bit, I duno if that's an extreme view? but it seems pretty clear to me. |
@ThomasBrierley Good point. I assume there's no way to determine wether setting the bit actually consistently disables ME (and is unable to be reset)? |
I guess, you could periodically probe it with ifdtool? other people here will be able to answer this better than me. but (again from the more extreme point of view) you are still trusting ME that way (remember that as long as it's potentially running you can't even trust your OS), that's why using an external SPI programmer is the sure way to disable it because it's independent of ME. |
It seems to work guys! #76 |
Is there any data or reports on Macbook Pros?
I'm personally interested in experiences with i7-3720QM's but also generally if anyone has tried this on Macbooks in general.
The text was updated successfully, but these errors were encountered: