Unfortunately, this is not the complete picture. The T2 simply programs the embedded flash within the PCH over an eSPI interface. Meaning, a successful reprogram from the T2 WILL persist until the following occurs:
> Selling a device to automagically hack a key logger into a modern Mac goes over their ‘line in the sand’,
No, there is a clear distinction between what is being sold and what is being demonstrated. The latter requires additional hardware and software NOT provided with the advertised USB-PD probe being sold. Reading the end of the blog or even the product page immediately makes that distinction clear.
I would say it is persistent enough to be malicious. The T2 does not reboot, with the exception occuring during a DFU restore, extremely drained battery, or firmware update. With that in mind, a party intending harm would have more than enough time.
Mostly synthetics and some program compilation (configure+make) tests. Yes, it is passively cooled. To clarify, it does not match the host Intel CPU (i7-8750H @ 2.2GHz) but in some synthetics, i.e. Coremark, the T2 does come close. I would attribute the i7's lackluster performance mainly to thermal throttling issues.
Unfortunately, physically obstructing the primary port would not completely prevent DFU from being accessed. With the aforementioned accessory device, the ACE Type-C controllers within Macs can automatically reroute the DFU, DCI, and PCH/T2 UARTs to any of the other ports, irrespective of the T2 and PCH. Apple uses this technique as part of their factory test harness.
The T2 was more or less a stopgap solution between their current Intel-based offerings and the AppleSilicon devices in regards to their security aspirations. My understanding is that there will be no T3, as evidenced in the DTK, which makes a lot of sense considering how identical these chips will be to their mobile counterparts.
Hi guys, I am part of the team working on all things T2. [1]
The checkra1n support is just in a PoC state, it will successfully exploit and boot the T2. The payload support is partially broken, but being worked on.
Additionally, we have SSH working over usbmuxd from a tethered device [2] and SSH working from macOS on device, with an SDK in the works [3].
Some key takeaways from the T2 being jailbroken:
- Custom Bootloaders (OpenCore, Coreboot, etc) are now possible as the T2 validates/sends the UEFI payload to PCH using a bridgeOS binary called MacEFIUtil, which can trivially have its signature checks patched.
- Filevault and by extension Touch ID are more or less crippled, especially in light of the recent SEP exploits. Amusingly, Apple uses a hardcoded "passcode", analogous to an iDevice's unlock pin in plain text within the UEFI firmware.
- Support for In-System Debugging of the PCH/Intel processor over USB. This works in a similar fashion to those Bonobo cable used for debugging iDevices [4]. We are working on building an accessory that you can purchase and plug into your Mac with a USB male endpoint exposing Intel's DCI debugging protocol.
- Lightweight AppleSilicon Tinkering environment. With SSH support from macOS on device, and the T2's modest specs, its a nice sandbox for messing with arm64 stuff. It's a pretty peppy chip, at times coming close to my 8th gen i7...yikes.
- A T2 Restore
- A macOS System Update