CheckM8 iCloud Activation Lock Bypass

Apple T2 Chip and How to Jailbreak It


What is Apple T2 Security Chip

The Apple T2 is a trusted security chip. We can easily explain its name. The T2 secures essential features, such as secure boot, Activation Lock, Touch ID, encrypted data storage, etc.

How does Apple T2 security chip work? The Apple T2 chip has control over the MacOS boot procedure. It makes sure that users install drives that Apple approves. Its work begins as soon as a power button is pressed on your Mac computer and lasts until you see MacOS desktop. In other words, one of its primary functions is to verify that Apple has signed your OS and bootloader.

The T2 is also responsible for all encryption data on the hard drive. In previous Mac versions, this function was performed by CPU, which loaded it heavily. By moving these features to the T2 Chip, Apple has significantly improved the newer Mac's performance. The T2 gives the CPU more resources. The Chip secures the Touch ID feature, which is available in MacBook Air and MacBook Pro. The fingerprint scanner in these devices gives a user a quick login option and approves the admin-level requests. The Apple T2 chip helps to store the fingerprint data securely.

It also handles verification requests from different apps. The T2 Chip makes sure that no applications get access to your fingerprint information through Touch ID or Face. When the verification is requested, the Apple T2 Security chip compares the fingerprint with data secured in the enclave coprocessor and notifies of the result.

Which devices have Apple T2 Security Chip

These Mac computers have the Apple T2 Security Chip:

  • iMac introduced in 2020
  • iMac Pro
  • Mac Pro introduced in 2019
  • Mac mini introduced in 2018
  • MacBook Air introduced in 2018 or later
  • MacBook Pro introduced in 2018 or later


If you match the Mac’s EMC number to one in the list below, it has a T2 Chip:

  • iMac Pro:
    • EMC – 3144 (Model A1862 – 2017)

  • Mac Pro:
    • EMC – 3203 (Model A1991 – 2019)
    • EMC – 3413 (Model A2304 (Rack) – 2019)

  • Mac Mini:
    • EMC – 3213 (Model A1993 – 2018)
    • EMC – TBD (Model TBD – 2020)

  • MacBook Pro:
    • EMC – 3214 (Model A1989 – 2018)
    • EMC – 3215 (Model A1990 – 2018)
    • EMC – 3358 (Model A1989 – 2019)
    • EMC – 3359 (Model A1990 – 2019)
    • EMC – 3301 (Model A2159 – 2019)
    • EMC – 3347 (Model A2141 – 2019)
    • EMC – 3348 (Model A2251 – 2020)
    • EMC – 3456 (Model A2289 – 2020)

  • MacBook Air:
    • EMC – 3184 (Model A1932 – 2018 & 2019)
    • EMC – 3302 (Model A2179 – 2020)


According to theiphonewiki these models are vulnerable to checkm8 exploit:


iBridge Product ID

Board ID

Board Minor

Description (Product ID)

checkm8/blackbird confirmed

iBridge2,1

J137AP

0x0A

Apple T2 iMacPro1,1 (j137)

yes

iBridge2,3

J680AP

0x0B

Apple T2 MacBookPro15,1 (j680)

yes

iBridge2,4

J132AP

0x0C

Apple T2 MacBookPro15,2 (j132)

yes

iBridge2,5

J174AP

0x0E

Apple T2 Macmini8,1 (j174)

yes

iBridge2,6

J160AP

0x0F

Apple T2 MacPro7,1 (j160)

yes

iBridge2,7

J780AP

0x07

Apple T2 MacBookPro15,3 (j780)

yes

iBridge2,8

J140kAP

0x17

Apple T2 MacBookAir8,1 (j140k)

yes

iBridge2,10

J213AP

0x18

Apple T2 MacBookPro15,4 (j213)

yes

iBridge2,11

J230AP

0x1F

?

?

iBridge2,12

J140aAP

0x37

Apple T2 MacBookAir8,2 (j140a)

yes

iBridge2,13

J214AP

0x1E

?

?

iBridge2,14

J152fAP

0x3A

Apple T2 MacBookPro16,1 (j152f)

yes

iBridge2,15

J230kAP

0x3F

Apple T2 MacBookAir9,1 (j223k)

yes

iBridge2,16

J214kAP

0x3E

?

?

iBridge2,19

J185AP

0x22

?

?

iBridge2,20

J185fAP

0x23

?

?

iBridge2,21

J223AP

0x3B

?

?

iBridge2,22

J215AP

0x38

?

?

T2 Chip BridgeOS

The Apple T2 Chip is running its unique OS called bridgeOS. It is the modified version of Apple watchOS, which can be updated when installing a new macOS version.

MacOS Secure Booting with T2 Chip Overview

According to guys from ironpeak, the boot process flows like this:

  1. The T2 chip is fully booted and stays on, even if your Mac device is shutdown.

  2. The press of the power button or the opening of the lid triggers the System Management Controller (SMC) to boot.

  3. The SMC performs a Power-On-Self-Test (POST) to detect any EFI or hardware issues such as bad RAM and possibly redirect to Recovery.

  4. After those basic sanity checks, the T2 chip is triggered and I/O connectors are setup. (USB, NVMe, PCIe, …) It will use NVMe and PCIe to talk to NAND storage.

  5. The applicable boot disk is selected and a disk encryption password is asked if enabled to mount APFS volumes possibly via FileVault2 disk encryption.

  6. /System/Library/CoreServices/boot.efi is located on your System APFS volume and depending on your secure boot settings is validated.

  7. boot.efi is ran which loads the Darwin kernel (throwback to BSD) (or Boot Camp if booting Microsoft Windows) & IODevice drivers. If a kernel cache is found in /System/Library/PrelinkedKernels/prelinkedkernel, it will use that.

  8. Any User Approved Kernel Extensions are initialized & added to the kernel space -if- they are approved by the T2 chip. This will go away with System Extensions.

Here is a useful infographic on how the secure booting works:



Find more info on Secure Booting here.

Apple MacOS T2 Chip Jailbreak

Learn how to jailbreak macbook and get over the T2 Chip root of trust.

The jailbreak mac OS is possible thanks to two teams. @T8012DevelopmentTeam successfully ported checkm8 exploit in T2 Chips. And the Checkra1n team added the T2 exploit to their Checkra1n Jailbreak tool.

Now we can easily jailbreak the T2 Chip with just a single command.

How to Jailbreak T2 Chip Using Checkra1n

Follow this guide on how to jailbreak the T2 security Chip with Checkra1n.

What you need:

  1. Mac with T2 Chip you wish to jailbreak;
  2. Another MacOS;
  3. USB-C to USB-C cable. The one which ships with Macbook is fine.


Follow these simple steps to perform the T2 Chip jailbreak successfully.

Step 1. Download the latest version of the Checkra1n T2 Jailbreak tool from the official website.

Step 2. Put your Mac into the DFU mode. Here is the guide on How to Enter MacOS DFU mode.

You can put this command to the macOS terminal if you wish to check whether the device has entered the DFU mode:

ioreg -p IOUSB


Step 3. As this guide is published, the Checkra1n GUI version 0.11.0 does not support the T2 jailbreak. If you connect your T2 Mac to the Checkra1n tool, you will see the following error message:

Sorry, your device is not supported.




But there is a workaround you can try in the next fourth-fifth steps, which can jailbreak your Apple T2 Chip anyways.

Step 4. Try the CLI, command-line version of Checkra1n. Open the Checkra1n app in Finder and right-click it to see the "Show Package Contents" menu (as shown in the screenshot).

Now go to folder Contents => MacOS. You will see the Checkra1n binary there. Open the Terminal app and drop the binary to "Terminal."



Alternatively, if you put the Checkra1n app into the Applications folder, you can type the following command in "Terminal:"

/Applications/checkra1n.app/Contents/MacOS/checkra1n


Step 5. As you remember, we need to launch the command-line version of Checkra1n. Do it by adding the following options to the command line:

-c


Also, we want to check the jailbreak log, so let's add another command option "-v" so the final command will look like this:

/Applications/checkra1n.app/Contents/MacOS/checkra1n -c -v




Step 6 (optional). Sometimes you might face the following error:

: Timed out waiting for bootstrap upload (error code: -20)




In this case, relaunch the Checkra1n CLI tool until you see the bootstrap successfully installed message:

: Bootstrap already installed, done


It might take a few retries till you get it done.

Step 7. SSH into your jailbroken Apple T2 Chip. Open a new Terminal window and enter this command:

iproxy 2222 44


Don't close this window and open one more Terminal window (Command + T). Enter this command:

ssh [email protected] -p 2222


The password is: alpine



Congratulations! Now you have successfully jailbroken the Apple T2 Security Chip. This jailbreak opens new opportunities for you!

Checkm8 Resellers Area

We value our customers and offer beneficial partnerships to wholesale and small businesses. We are happy to work with repair shops, workshops, GSM repair, etc. We offer flexible pricing on our services and software to our partners. At the moment, we are supporting some of the most popular GSM-services, including GMS Fusion and DHRU. We develop client's systems and connect reseller websites to our services through API connections or online.

Resellers

Official CheckM8 Telegram Channel

Stay on top of software updates, news, discounts, and more!