Jailbreaking T2 Chip

I haven’t seen much in the way of jailbreaking, or Apple security in general. As that is that I’ve been focusing on a lot recently, I will be making posts from time to time about it, as well as tutorials.

What is the T2 Security Chip

The Apple T2 is a trusted security chip. It secures essential features, such as Secure Boot, Activation Lock, Touch ID, encrypted data storage, etc.

How does Apple T2 security chip work?
The T2 chip has control over the MacOS boot procedure. It makes sure everything that runs on the Mac hardware is Apple-approved. Its work begins as soon as a power button is pressed on your Mac computer and lasts until you see MacOS desktop. In other words, one of its primary functions is to verify that Apple has signed your OS and boot loader. The T2 chip, which runs a software called BridgeOS (heavily modified version of WatchOS) never turns off, except for when the battery is dead (obviously).

The T2 is also responsible for all encryption data on the hard drive. In previous Mac versions, this function was performed by CPU, which slowed down the Mac as a whole. By moving these features to the T2 Chip, Apple has significantly improved the newer Mac’s performance, as well as allows for the security of TouchID. The fingerprint scanner in these devices gives a user a quick login option and approves the admin-level requests.

It also handles verification requests from different apps. The T2 Chip makes sure that no applications get access to your fingerprint information through Touch ID. When the verification is requested, the Apple T2 Security chip compares the fingerprint with data secured in the enclave coprocessor and notifies of the result.

The T2 is based on the A9 iPhone ARM processor, which makes it vulnerable to the same checkm8 exploit that Apple devices with A6-A11 processors are. I will be making a separate post as to how the checkm8 exploit actually works, and how it was integrated into checkra1n, the tool for jailbreaking the vulnerable devices.

How to Jailbreak T2 Chip using Checkra1n

Before you go about jailbreaking the T2 chip, you first need:

  • Mac with T2 chip capable of being jailbroken
  • Another computer running MacOS (NOT an M1 Mac)
  • USB-C to USB-C cable

Step 1. Download the latest checkra1n software on the MacOS you are not jailbreaking. This can be done by visiting the official site here, or, if using Homebrew, by simply typing brew install --cask checkra1n

Step 2. Put your Mac in DFU mode. This is a manual process that can take some time and effort to get right. I created a quick guide on my website, linked here.

Step 3. As of right now, the GUI version of checkra1n does not support T2 jailbreak. As such, we have to use the cli version. In order to do so, open the terminal, and type /Applications/checkra1n.app/Contents/MacOS/checkra1n -c -v

This will open checkra1n in cli mode and it will start searching for a DFU device. Once one is found, it will complete the jailbreak, and you have root access of your T2 chip! Sometimes, checkra1n with throw error code 20. If so, just relaunch checkra1n until it says Bootstrap already installed.

Step 4. SSH into your T2 chip by iproxy.
iproxy 2222 44
Do NOT close the window, just open a new one, and type:
ssh root@localhost -p 2222
with the root password of alpine. You now have an SSH shell into your chip!

What can I do with this?

Now is time for some practical examples of what can be done with a T2 chip jailbreak. The issue is that this is where ALL of Mac’s security is, meaning that the drive can be unencrypted, a malicious EFI could be installed, etc. There was a PoC of a BridgeOS keylogger listening to MacOS at all times. Since it was considered completely trusted by MacOS, it could not possibly be detected by the user. I am doing more and more research and testing every day, and will post updates of cool things you can do as I go along. I will, at some point, be posting how to change the boot sound on Mac by using this method. Thanks for reading!

6 Likes

I can’t get past the part where it says DFU device disconnected, everytime it keeps saying error 20

1 Like

Same thing happening to me, and it says to relaunch checkra1n but anytime I try… same text “waiting for dfu device”

Could you make a guide on removing MDM and firmware passwords? I have a T2 machine I bought that is locked with a firmware password and MDM. It would be a great help.

i can do that if you need it.