
The T2 Development Blog

GUIDE

Jailbreaking the T2 with checkra1n
In this guide we walk you through using checkra1n with the T2.

RICK MARK, AUN-ALI ZAIDI, H0M3US3R, MRARM


13 OCT 2020 • 3 MIN READ

What is Jailbreaking a Mac Anyway?


This is a question we get a lot. What does it mean to "jailbreak" a Mac, when
you can already run any code you want on it (once you bypass code signing, SIP,
Secure Boot and Gatekeeper, anyway)? When we say "jailbreak a Mac" we mean
jailbreaking the Apple Silicon T2 processor. This core runs an iOS derivative
called bridgeOS, and until now Apple has neither allowed nor supported any
non-Apple code executing on it. Since the T2 comes up first and aids in the
operation of the Intel processor, running our own code on it opens up
possibilities that were not available before, such as completely replacing the
Mac's EFI.
An overview of the process is:

1. Get a copy of checkra1n and libimobiledevice
2. Place the Mac into DFU mode using the Apple support guide
3. Connect it to the technician workstation (yes, you need a second computer)
4. Run checkra1n
5. Connect to SSH
checkra1n 0.11 and T2 Support


With the release of checkra1n 0.11 came support for the T2 and bridgeOS as a
target. You will need to have downloaded the tool (and, on a Mac, run it at
least once to get past Gatekeeper) before proceeding. If you haven't done so,
go over to https://checkra.in to get a copy. In order to access SSH you will
also need the tools from https://libimobiledevice.org. On a Mac you can install
these from Homebrew with brew install libimobiledevice; on Linux, install the
matching package for your distribution.

Placing the T2 Into DFU Mode


Fortunately for us, Apple have provided instructions on how to place a T2
based Mac into DFU mode, in their support guide "Revive or restore Mac
firmware in Apple Configurator 2". Per their instructions, a USB-C to USB-C
or USB-C to USB-A cable is required; Thunderbolt cables are not supported.
Once you have found the model of your Mac in that guide, connect its DFU port
to the computer where you have installed checkra1n and follow the model
specific guidance in the support article to place the Mac into DFU mode. You
can then verify by running lsusb on Linux or ioreg -p IOUSB on a Mac: you
should see an Apple Mobile Device (DFU Mode) attached if you successfully
entered DFU.

A DFU device in lsusb

A DFU device in ioreg -p IOUSB

Running checkra1n
Currently checkra1n can only be run against the T2 in CLI mode (any GUI mode
will tell you the device is not supported). If you have issues you can
increase the debug output with --verbose-boot and --verbose-logging.

From a Mac: sudo ./checkra1n.app/Contents/MacOS/checkra1n --cli

From Linux: sudo ./checkra1n --cli

A successful run of checkra1n for the T2

Connecting to SSH
Once checkra1n has run, the device is ready to accept a connection to
dropbear for SSH. You connect to the SSH server on a T2 by proxying the
connection over usbmuxd. The SSH server listens on port 44 rather than 22
because of specialized handling of port 22 in the kernel. You will also have
to remain tethered to the T2 for the duration of your SSH session: once the
USB connection is broken, the T2 releases the port back to the Intel host
controller. As on an iPhone, the root password is alpine.

$ iproxy 2202 44 &

$ ssh -p 2202 root@localhost

Successfully connecting to the T2 over SSH
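Putting the steps above together, here is an added example (not from the original post, checkra1n or libimobiledevice) of a POSIX shell wrapper that refuses to run until a DFU-mode device is visible, then invokes checkra1n --cli, brings up the iproxy tunnel to port 44 and opens the SSH session, killing the proxy when the session ends. The binary paths, the local port 2202 and the "DFU Mode" string come from the post; the script name, the run/selfcheck arguments, the two-second settle delay and the sample lsusb/ioreg lines in selfcheck are the example's own assumptions.

```sh
#!/bin/sh
# Added example wrapper for the T2 checkra1n workflow described in the post.
# Not part of checkra1n or libimobiledevice; paths and ports follow the post.

# dfu_present: read USB enumeration output on stdin (lsusb on Linux,
# ioreg -p IOUSB on macOS) and succeed only if an Apple device in DFU mode
# is listed. Both tools print "DFU Mode" in the device name for such a device.
dfu_present() {
    grep -q 'DFU Mode'
}

# usb_listing: print the host's USB enumeration with the platform's tool.
usb_listing() {
    case "$(uname -s)" in
        Darwin) ioreg -p IOUSB ;;
        Linux)  lsusb ;;
        *)      echo "unsupported host OS: $(uname -s)" >&2; return 1 ;;
    esac
}

# checkra1n_bin: path of the checkra1n CLI binary for this host, relative to
# the directory the download was unpacked into (assumption: current directory).
checkra1n_bin() {
    case "$(uname -s)" in
        Darwin) printf '%s\n' './checkra1n.app/Contents/MacOS/checkra1n' ;;
        *)      printf '%s\n' './checkra1n' ;;
    esac
}

# t2_jailbreak LOCAL_PORT: verify DFU, run checkra1n --cli, then tunnel
# LOCAL_PORT on this host to the T2's dropbear on port 44 and open SSH.
# The background iproxy is killed when the SSH session returns, since the
# tunnel is only useful while the T2 stays tethered anyway.
t2_jailbreak() {
    local_port="${1:-2202}"

    if ! usb_listing | dfu_present; then
        echo "no Apple device in DFU mode found; redo Apple's DFU steps and retry" >&2
        return 1
    fi

    sudo "$(checkra1n_bin)" --cli || return 1

    iproxy "$local_port" 44 &
    iproxy_pid=$!
    # Assumption: give usbmuxd a moment to see the re-enumerated device.
    sleep 2
    ssh -p "$local_port" root@localhost
    ssh_status=$?
    kill "$iproxy_pid" 2>/dev/null
    return "$ssh_status"
}

# selfcheck: exercise dfu_present on constructed sample lines (typed here,
# not captured from real hardware) so the matcher can be tested with no T2.
selfcheck() {
    # constructed lsusb line for an Apple device in DFU mode
    printf 'Bus 001 Device 005: ID 05ac:1227 Apple, Inc. Mobile Device (DFU Mode)\n' \
        | dfu_present || return 1
    # constructed ioreg -p IOUSB line for the same device on a Mac host
    printf '  +-o Apple Mobile Device (DFU Mode)@14300000  <class AppleUSBDevice>\n' \
        | dfu_present || return 1
    # constructed unrelated device: must not match
    if printf 'Bus 001 Device 002: ID 1d6b:0002 Linux Foundation 2.0 root hub\n' \
        | dfu_present; then
        return 1
    fi
    echo "selfcheck ok"
}

# Usage: sh t2_checkra1n.sh run [local_port]   or   sh t2_checkra1n.sh selfcheck
# Nothing runs when the file is merely sourced, so the functions can be reused.
case "${1:-}" in
    run)       t2_jailbreak "${2:-2202}" ;;
    selfcheck) selfcheck ;;
esac
```

Run it from the directory containing the unpacked checkra1n download, with the Mac already in DFU mode and attached to this workstation; if the DFU check fails the script exits before touching checkra1n, which is the point of doing the lsusb / ioreg verification in code rather than by eye.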


The T2 Development Blog © 2020

