Penny for approximate scale - Black Hat Briefings
TRANSCRIPT
![Page 1: Penny for approximate scale - Black Hat Briefings · PID 0 (launchd) MacEFIUtil -i MacEFI.img4 MacEFIManager.kext AFU.kext Internal Storage eSPI DMA](https://reader030.vdocuments.net/reader030/viewer/2022041102/5edd3f4bad6a402d666845d5/html5/thumbnails/1.jpg)
Penny for approximate scale
[Block diagram; labels as extracted: T2, SEP, Storage, Raw Storage, Intel Chipset, Camera/Mic, TouchID, Flash Controller, Display, ARM64]
UEFI (PI boot phases diagram: tianocore.github.io/master/images/PI_Boot_Phases.JPG)
[Diagram: Intel Chipset; Flash Chip holding UEFI FW and NVARS]
[Diagram, two variants: (a) Intel Chipset with Flash holding UEFI FW and NVARS; (b) Intel Chipset plus T2, with the T2's Internal Flash holding UEFI FW and NVARS]
T2 boot chain: T2 Boot ROM, T2 iBoot, bridgeOS Kernel, PID 0 (launchd)
Build-up sequence on the slide:
PID 0 (launchd)
MacEFIUtil -i
MacEFI.img4
MacEFIManager.kext
AFU.kext
Internal Storage
eSPI DMA
Related components on the slide: MacEFIUtil -i, AppleSSM.kext, MacEFIManager.kext, AppleSMC.kext, SMC “NESN”
(UEFI PI boot phases diagram again: tianocore.github.io/master/images/PI_Boot_Phases.JPG)
[Diagram, pages 39 to 43: On Die Boot ROM, iBoot, bridgeOS Kernel, UEFI FW, Internal Storage, eSPI DMA, Intel PCH]
T2: Biometrics, Find My Device, Speech Recording, System Diagnostics
$ remotectl
usage: remotectl list
usage: remotectl show (name|uuid)
usage: remotectl get-property ...
usage: remotectl dumpstate
usage: remotectl browse
usage: remotectl echo ...
usage: remotectl eos-echo
usage: remotectl netcat ...
usage: remotectl relay ...
usage: remotectl loopback ...
usage: remotectl convert-bridge-version
usage: remotectl heartbeat ...
usage: remotectl trampoline ...

$ remotectl list
2AC47A5D-E9EF localbridge iBridge ...

$ remotectl show localbridge
Services:
  com.apple.CSCRemoteSupportd
  com.apple.sysdiagnose.remote
  com.apple.corespeech.xpc.remote.record
  com.apple.xpc.remote.multiboot
  com.apple.eos.LASecureIO
  com.apple.osanalytics.logTransfer
  com.apple.eos.BiometricKit
  com.apple.aveservice
  com.apple.powerchime.remote
  com.apple.bridgeOSUpdated
  com.apple.private.avvc.xpc.remote
  ...
[Diagram: T2 attached to the host over USB and PCIe; both ends labelled en6]
[Diagram: remotectl relay on the host side, talking to the T2 over en6 (USB / PCIe)]
[Diagram: tcpdump on VHC128, capturing the host en6 to T2 en6 link (USB / PCIe)]
[Packet layout diagram: HEADERS, DATA]
Magic: 0x29B00B92
Flag bits:
00000000 00000000 00000000 00000001 - Always set
00000000 00000000 00000001 00000000 - Data present
00000000 00000001 00000000 00000000 - Heartbeat request
00000000 00000010 00000000 00000000 - Heartbeat reply
00000000 00010000 00000000 00000000 - Opening a new file_tx stream
00000000 00100000 00000000 00000000 - Reply from file_tx stream
00000000 01000000 00000000 00000000 - Sysdiagnose init handshake
xpc_connection_t conn = xpc_connection_create(...);
xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_bool(message, "bool", true);
xpc_dictionary_set_int64(message, "int64", -1);
xpc_dictionary_set_uint64(message, "uint64", 0xdeadbeef);
xpc_connection_send_message(conn, message);
(lldb) x -c 0x120 0x0000000103800fbc
0x103800fbc: 43 50 58 40 05 00 00 00 00 f0 00 00 08 01 00 00  CPX@............
0x103800fcc: 0b 00 00 00 66 64 00 00 00 b0 00 00 63 6f 6e 6e  ....fd......conn
0x103800fdc: 65 63 74 69 6f 6e 00 00 00 20 01 00 73 74 72 69  ection... ..stri
0x103800fec: 6e 67 00 00 00 90 00 00 0b 00 00 00 74 65 73 74  ng..........test
0x103800ffc: 73 74 72 69 6e 67 00 00 64 6f 75 62 6c 65 00 00  string..double..
0x10380100c: 00 50 00 00 cd cc cc cc fc ff ef 40 64 61 74 61  .P.........@data
0x10380101c: 00 00 00 00 00 80 00 00 0a 00 00 00 74 68 69 73  ............this
0x10380102c: 69 73 64 61 74 61 00 00 75 69 6e 74 36 34 00 00  isdata..uint64..
0x10380103c: 00 40 00 00 ef be ad de 00 00 00 00 62 6f 6f 6c  .@..........bool
0x10380104c: 00 00 00 00 00 20 00 00 01 00 00 00 76 61 6c 75  ..... ......valu
0x10380105c: 65 00 00 00 00 f0 00 00 28 00 00 00 01 00 00 00  e.......(.......
0x10380106c: 73 74 72 69 6e 67 5f 69 6e 5f 76 61 6c 75 65 00  string_in_value.
0x10380107c: 00 90 00 00 0c 00 00 00 76 61 6c 75 65 73 74 72  ........valuestr
0x10380108c: 69 6e 67 00 69 6e 74 36 34 00 00 00 00 30 00 00  ing.int64....0..
0x10380109c: ff ff ff ff ff ff ff ff 75 75 69 64 00 00 00 00  ........uuid....
0x1038010ac: 00 a0 00 00 31 32 33 34 35 36 37 38 2d 61 62 63  ....12345678-abc
0x1038010bc: 64 2d 31 32 64 61 74 65 00 00 00 00 00 70 00 00  d-12date.....p..
0x1038010cc: 00 18 9c 46 ae 9e 5c 15 00 00 00 00 00 00 00 00  ...F..\.........
Types:
XPC_NULL             = 0x00001000
XPC_BOOL             = 0x00002000
XPC_INT64            = 0x00003000
XPC_UINT64           = 0x00004000
XPC_DOUBLE           = 0x00005000
XPC_POINTER          = 0x00006000
XPC_DATE             = 0x00007000
XPC_DATA             = 0x00008000
XPC_STRING           = 0x00009000
XPC_UUID             = 0x0000a000
XPC_FD               = 0x0000b000
XPC_SHMEM            = 0x0000c000
XPC_MACH_SEND        = 0x0000d000
XPC_ARRAY            = 0x0000e000
XPC_DICTIONARY       = 0x0000f000
XPC_ERROR            = 0x00010000
XPC_CONNECTION       = 0x00011000
XPC_ENDPOINT         = 0x00012000
XPC_SERIALIZER       = 0x00013000
XPC_PIPE             = 0x00014000
XPC_MACH_RECV        = 0x00015000
XPC_BUNDLE           = 0x00016000
XPC_SERVICE          = 0x00017000
XPC_SERVICE_INSTANCE = 0x00018000
XPC_ACTIVITY         = 0x00019000
XPC_FILE_TRANSFER    = 0x0001a000
uint64
00 40 00 00 05 00 00 00 00 00 00 00
|___type__| |________value________|
  uint64              5
string
00 90 00 00 09 00 00 00 64 75 6f 6c 61 62 73 21 00 00 00 00
|___type__| |__length_| |d__u__o__l__a__b__s__!_\0_padding|
  string      9         "duolabs!\0"
dictionary
00 f0 00 00 28 00 00 00 02 00 00 00
|___type__| |__length_| |num_entry|
 dictionary    40          2
66 69 76 65 00 00 00 00 00 40 00 00 05 00 00 00 00 00 00 00
|f__i__v__e_\0_padding| |___type__| |________value________|
       "five"              uint64              5
73 69 78 00 00 40 00 00 06 00 00 00 00 00 00 00
|s__i_x_\0| |___type__| |________value________|
   "six"      uint64              6

{“five”: 5, “six”: 6}
file_transfer
$ sysdiagnose -c &
$ tcpdump -nni VHC128 -w dump.pcap
$ wireshark dump.pcap
$ sniffer.py
![Page 85: Penny for approximate scale - Black Hat Briefings · PID 0 (launchd) MacEFIUtil -i MacEFI.img4 MacEFIManager.kext AFU.kext Internal Storage eSPI DMA](https://reader030.vdocuments.net/reader030/viewer/2022041102/5edd3f4bad6a402d666845d5/html5/thumbnails/85.jpg)
$ sniffer.py
...
imac opening stream 1 for communication on port 49155.
...
New HTTP/2 frame
New XPC Packet imac->t2 on HTTP/2 stream 1 TCP port 49155
XPC Wrapper: {
  Magic: 0x29b00b92
  Flags: 0b 00000000 00000000 00000001 00000001 (0x101)
  BodyLength: 0x30
  MessageId: 0x1
}
{
  "REQUEST_TYPE": uint64 0x0000000000000001: 1
}
{"REQUEST_TYPE": 1}
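The wrapper header printed above (magic, flags, body length, message id) is what a monitoring tool has to peel off each HTTP/2 stream before it can look at the XPC body. The parser below is an added example written for this page; it is not the talk's sniffer.py. It assumes the wrapper is laid out as four little-endian fields (32-bit magic, 32-bit flags, 64-bit body length, 64-bit message id); that layout is an assumption inferred from the field order and widths on the slide, and the input is a constructed byte string, not a real capture. It goes a step beyond the single frame shown: it walks a whole reassembled stream of wrappers and stops cleanly at a trailing packet that is still in flight.

```python
"""Parse the XPC wrapper header seen on the T2's HTTP/2 streams.

Added example for this page, not the talk's sniffer.py. The field layout
(little-endian uint32 magic, uint32 flags, uint64 body length, uint64 message
id) is an ASSUMPTION inferred from the field order and widths on the slide.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

XPC_WRAPPER_MAGIC = 0x29B00B92              # magic value shown in the captured frame
WRAPPER_FMT = "<IIQQ"                        # assumed layout: magic, flags, body length, message id
WRAPPER_LEN = struct.calcsize(WRAPPER_FMT)   # 24 bytes under that assumption


@dataclass
class XpcWrapper:
    flags: int
    body_length: int
    message_id: int
    body: bytes

    def flag_bits(self) -> List[int]:
        """Bit positions set in flags; the slide's 0x101 gives [0, 8]."""
        return [i for i in range(32) if (self.flags >> i) & 1]


def parse_wrapper(buf: bytes, offset: int = 0) -> Tuple[XpcWrapper, int]:
    """Parse one wrapper starting at `offset`; return (wrapper, next_offset).

    Raises ValueError on a bad magic and EOFError when the buffer ends before
    the header or body is complete, so a caller reassembling a TCP stream
    knows to wait for more data instead of misparsing a partial packet.
    """
    if len(buf) - offset < WRAPPER_LEN:
        raise EOFError("incomplete wrapper header")
    magic, flags, body_len, msg_id = struct.unpack_from(WRAPPER_FMT, buf, offset)
    if magic != XPC_WRAPPER_MAGIC:
        raise ValueError(f"bad XPC wrapper magic 0x{magic:08x} at offset {offset}")
    start = offset + WRAPPER_LEN
    end = start + body_len
    if end > len(buf):
        raise EOFError("incomplete wrapper body")
    return XpcWrapper(flags, body_len, msg_id, buf[start:end]), end


def iter_wrappers(stream: bytes) -> Iterator[XpcWrapper]:
    """Yield every complete wrapper in a reassembled stream; a trailing partial packet is left unconsumed."""
    offset = 0
    while offset < len(stream):
        try:
            wrapper, offset = parse_wrapper(stream, offset)
        except EOFError:
            break
        yield wrapper


def build_wrapper(flags: int, message_id: int, body: bytes) -> bytes:
    """Encode a wrapper under the assumed layout; used here only to construct sample input."""
    return struct.pack(WRAPPER_FMT, XPC_WRAPPER_MAGIC, flags, len(body), message_id) + body


# Constructed sample stream (not captured data): the header values from the slide
# (flags 0x101, message id 1, 0x30-byte body) with a placeholder body, a second
# packet, and a third one cut short to stand in for data still in flight.
SAMPLE_STREAM = (
    build_wrapper(0x101, 0x1, b"\x00" * 0x30)
    + build_wrapper(0x101, 0x2, b"\x11" * 8)
    + build_wrapper(0x101, 0x3, b"\x22" * 16)[:-4]
)


def summarize(stream: bytes) -> List[Tuple[int, int, int, bytes]]:
    """(message id, flags, body length, body) for each complete packet in the stream."""
    return [(w.message_id, w.flags, w.body_length, w.body) for w in iter_wrappers(stream)]


if __name__ == "__main__":
    for msg_id, flags, body_len, _ in summarize(SAMPLE_STREAM):
        print(f"MessageId: 0x{msg_id:x} Flags: 0x{flags:x} BodyLength: 0x{body_len:x}")
```

Feeding it real traffic means reassembling the HTTP/2 DATA frames of one stream (as the talk's sniffer does) and handing the concatenated payload to iter_wrappers; the EOFError path is what keeps a packet that straddles two frames from being reported with a truncated body.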
$ remotectl relay localbridge com.apple.sysdiagnose.remote
49923
$ netstat -ant | grep 49923
tcp4 0 0 127.0.0.1.49923 *.* LISTEN
sudo
# remotectl relay localbridge com.apple.sysdiagnose.remote
remotectl: Unable to connect to localbridge/com.apple.sysdiagnose.remote: No such process
SIP
remotectl
Slide diagram (labels only): `remotectl relay` requires the com.apple.private.network.intcoproc.restricted entitlement; amfid checks the remotectl code signature and its entitlements.
# csrutil disable # in recovery mode
# nvram boot-args="amfi_get_out_of_my_way=0x01" # reboot
# cp /usr/libexec/remotectl /tmp/
# cat << EOF > /tmp/entitlements.ent
...
com.apple.private.network.intcoproc.restricted
...
EOF
# jtool --sign --ent /tmp/entitlements.ent --inplace /tmp/remotectl
$ sysdiagnose -c
...
{
  "REQUEST_TYPE": uint64 0x0000000000000001: 1
}
{
  "RESPONSE_TYPE": uint64 0x0000000000000001: 1
  "FILE_TX": MessageId: 0x5 File transfer size: 0x00000000005b49d7 5982679
  "FILE_NAME": "bridge_sysdiagnose_2019.01.18_16-57-46+0000_Bridge_OS_Bridge_16P375.tar.gz"
}
$ sysdiagnose -cup
...
{
  "disableUIFeedback": True
  "shouldRunOSLogArchive": False
  "shouldRunLoggingTasks": False
  "shouldDisplayTarBall": False
  "shouldRunTimeSensitiveTasks": True
  "REQUEST_TYPE": uint64 0x0000000000000001: 1
}
Request fields (name, type):
getMetrics bool
diagnosticID string
baseDirectory string
rootPath string
archiveName string
embeddedDeviceType string
coSysdiagnose string
generatePlist bool
quickMode bool
shouldDisplayTarBall bool
shouldCreateTarBall bool
shouldRunLoggingTasks bool
shouldRunTimeSensitiveTasks bool
shouldRunOSLogArchive bool
shouldRemoveTemporaryDirectory bool
shouldGetFeedbackData bool
disableStreamTar bool
disableUIfeedback bool
setNoTimeOut bool
pidOrProcess string
capOverride NSData
warnProcWhitelist string
$ sysdiagnose_client.py
...
{
  "REQUEST_TYPE": uint64 0x0000000000000001: 1
  "archiveName": "duolabs"
}
{
  "RESPONSE_TYPE": uint64 0x0000000000000001: 1
  "MSG_TYPE": uint64 0x0000000000000002: 2
  "FILE_TX": MessageId: 0x58 File transfer size: 0x00000000004a22b6 4858550
  "FILE_NAME": "duolabs.tar.gz"
}
com.apple.CSCRemoteSupportd
com.apple.sysdiagnose.remote
com.apple.corespeech.xpc.remote.record
com.apple.xpc.remote.multiboot
com.apple.eos.LASecureIO
com.apple.osanalytics.logTransfer
com.apple.eos.BiometricKit
com.apple.aveservice
com.apple.powerchime.remote
com.apple.bridgeOSUpdated
com.apple.private.avvc.xpc.remote
com.apple.corecaptured.remoteservice
com.apple.icloud.findmydeviced.bridge
com.apple.mobileactivationd.bridge
com.apple.sysdiagnose.stackshot.remote
com.apple.multiverse.remote.bridgetime
com.apple.logd.remote-daemon
com.apple.corespeech.xpc.remote.control
The T2 is a significant step toward bringing the security properties of iOS to macOS.
The UEFI firmware images are still mutable by design and only validated on “first-boot” scenarios.
Hardware attacks appear to still be feasible, albeit through a new (eSPI) interface.
{ "REQUEST_TYPE": uint64 0x0000000000000001: 1 }

switch ( REQUEST_TYPE ) {
  case 1u: sd_ops_sysdiagnose(...);
  case 2u: sd_ops_stackshot(...);
  case 4u: sd_ops_cancel(...);
  case 5u: sd_ops_cancelAll(...);
  case 6u: sd_ops_userinterrupt(...);
  case 7u: sd_ops_statusPoll(...);
  case 8u: sd_ops_airdrop(...);
  case 9u: sd_ops_watchList(...);
  case 10u: sd_ops_deleteArchive(...);
}