Another reason to hate #Apple We're seeing more 2018+ MacBook Pro/Air donations — but Apple's T2 chip means even after iCloud sign-out and reset, the firmware stays locked to the original account.
-
Hmm… for the hardware firmware I’d still want to have to unlock it on device rather than having an attack surface/backdoor from the internet to exploit. Apple had the issue a couple years ago with thieves exploiting the remote password change to workaround the phone protections.
But I get how it sucks for this use case.
Like a lot of things, for 99% of users who don’t care they should default to a version that’s secure from most thieves but not totally secure from government and then let the users who really care opt in to the stronger lockdown mode.
@HitokiriEric @coldclimate yeah. I mean look. You can unsolder the t2 chip and reprogram it etc. Motivated thiefs can still do it.
But was this when a problem? I really don't think it was.
Again. Look at Chromebooks. They have a firmware level lock too that can't be hacked. And yet it can be decomissioned remotely when the org releases it.
You're telling me apple couldn't do this?! For regular users? Its a racket
-
@oscherler @codemonkeymike IME Android tablets don't even have serious bootloader locking, unlike phones. You can basically do whatever with them.
@dalias @oscherler @codemonkeymike
Well, you're still probably getting dropped in EL1, so you're not truly free. The freest device you can buy is a used Chromebook, as they use Coreboot, so you can just compile and flash your own firmware. Thanks to the weird CR50 TPM thingy, if you've got a SuzyQAble, you can even get RW access to the AP firmware and a serial console without having to open the device, provided you run a command and assert your presence (once) with timed power button presses -
@HitokiriEric @coldclimate yeah. I mean look. You can unsolder the t2 chip and reprogram it etc. Motivated thiefs can still do it.
But was this when a problem? I really don't think it was.
Again. Look at Chromebooks. They have a firmware level lock too that can't be hacked. And yet it can be decomissioned remotely when the org releases it.
You're telling me apple couldn't do this?! For regular users? Its a racket
@codemonkeymike @coldclimate Well. When that generation of laptops was new, that was a big feature that Apple was selling hard on. They kept trying to lock them down more and more to attempt to be as secure as possible by default and were so proud of how hard it was to defeat.
I’m not saying they couldn’t do better and better consider different choices to improve the balance for different types of users. Which they have done since then.
I’m just saying that back then, the discussion was all about making them as secure as they could think to make them and that’s what they optimized for. It’s not a surprise they went too far back then when that was top of mind for them.
-
@codemonkeymike Suspect you are talking about two different things. For a machine owned by an end user, removing the iCloud account and performing a factory reset absolutely makes that Mac available for activation and use by a new user, T2 or no. However, if the device is owned by the end user’s school or employer and enrolled by that organization to their device management, they would have to unenroll it.
@miked1112 @codemonkeymike you have to specifically remove the iCloud account using these steps, logging out of iCloud and reseting the device is not enough. it's a (purposely?) confusing end user experience. https://support.apple.com/en-us/102773
-
@codemonkeymike @coldclimate Well. When that generation of laptops was new, that was a big feature that Apple was selling hard on. They kept trying to lock them down more and more to attempt to be as secure as possible by default and were so proud of how hard it was to defeat.
I’m not saying they couldn’t do better and better consider different choices to improve the balance for different types of users. Which they have done since then.
I’m just saying that back then, the discussion was all about making them as secure as they could think to make them and that’s what they optimized for. It’s not a surprise they went too far back then when that was top of mind for them.
@codemonkeymike @coldclimate Keep in mind how proud they were of resisting government attempts to access devices and saying that they would design them so that Apple would have no ability to unlock them for governments.
-
@brandonscript @codemonkeymike while they could simply give, don’t know, a certain number of years out of production and, honestly, they call them unsupported, so why not nuke the T2 on these? You know how many Macs I’ve seen that ended up being trashed because of this? It’s entirely irresponsible and yes they ought to be forced to back down a bit. We’re not suggesting that delicate and precious Mac users have their data stolen, nor their computing devices.
@csgraves yeah, resetting after a time limit without a claimant would be great. @codemonkeymike
-
@Victorsigmoid have you seen the video of that? I just watched it and holy shit its intense haha.
I mean I AM considering it.. but what a nightmare.. its' super time consuming.. and you still need another up to date mac to hook it up to in DFW mode..
So even after ALL that.. you still end up needing a current Mac.. god i hate them
@codemonkeymike @Victorsigmoid
Fun fact: you don't actually need a Mac for a DFU restore: https://github.com/libimobiledevice/idevicerestore -
Another reason to hate #Apple We're seeing more 2018+ MacBook Pro/Air donations — but Apple's T2 chip means even after iCloud sign-out and reset, the firmware stays locked to the original account.
Without donor contact, these machines are useless.
I've upcycled ~1,000 older Macs, but T2 era machines will end that. It's controlling, creates e-waste, and will only get worse. #righttorepair matters — Apple couldn't care less.
@codemonkeymike @bigzaphod So your problem is that Apple is prioritizing the hardware and data integrity of THE OWNER and the owner did not properly unlock the device before it was recycled (or stolen). Sorry, but that doesn’t sound like an Apple problem. As an owner, that is what I want.
I understand that I sucks to be in your position, but Apple is doing the right thing here.
-
@richardazia but you can't even boot to USB without unlocking it.
That's the issue. Id love to install Linux on it. But i can't
@codemonkeymike look up target mode. There is a key combination that allows to recover macs. You can choose to reinstall macos, safe boot or install another OS.
-
@richardazia but you can't even boot to USB without unlocking it.
That's the issue. Id love to install Linux on it. But i can't
@codemonkeymike https://support.apple.com/en-ie/guide/mac-help/mh21245/mac look for the startup options process. That is what i use.
-
@codemonkeymike @bigzaphod So your problem is that Apple is prioritizing the hardware and data integrity of THE OWNER and the owner did not properly unlock the device before it was recycled (or stolen). Sorry, but that doesn’t sound like an Apple problem. As an owner, that is what I want.
I understand that I sucks to be in your position, but Apple is doing the right thing here.
@maverick604 @codemonkeymike @bigzaphod and I think you really don't understand what your planet is and why Appel sucks on all levels. They just want to keep your datas in their datacenters.
-
Another reason to hate #Apple We're seeing more 2018+ MacBook Pro/Air donations — but Apple's T2 chip means even after iCloud sign-out and reset, the firmware stays locked to the original account.
Without donor contact, these machines are useless.
I've upcycled ~1,000 older Macs, but T2 era machines will end that. It's controlling, creates e-waste, and will only get worse. #righttorepair matters — Apple couldn't care less.
@codemonkeymike I've had to give this same bad news to more than one person who bought a used Apple computer. Somebody will sell their Mac or iPad or whatever to a pawn shop or something without doing a reset and there you go. My brother managed to unlock one he got used from Rent-A-Center, but had to spend over an hour on the phone with Apple customer support to do it. I have a feeling if he'd gotten it from Facebook marketplace or a pawn shop or something he'd have been out of luck.
-
@magnetic_tape @codemonkeymike I watched the ifixit video, https://www.ifixit.com/Guide/How+to+Remove+MacBook+ID+Activation+Lock+by+T203/143072
@Victorsigmoid @magnetic_tape @codemonkeymike
Have you looked at the price for the T203 unlock kit? AliExpress has them for $275 and upwards.
Probably makes more sense when recovering quite some devices. But nothing likely what someone does for a 2-5 Macs. And then you need the appropriate hotglue gun and a functional Mac along side to reprogram the T2 chip.
Might be worth it if you got a pile of macs which the OP picture shows.
But it is clearly not good for the ability to repair/fix used machines. Quite good for device security though.
Just wondering if this approach renders previous data completely unreadable or if it's possible to scrape off data from the device somewhere in this process.
-
Another reason to hate #Apple We're seeing more 2018+ MacBook Pro/Air donations — but Apple's T2 chip means even after iCloud sign-out and reset, the firmware stays locked to the original account.
Without donor contact, these machines are useless.
I've upcycled ~1,000 older Macs, but T2 era machines will end that. It's controlling, creates e-waste, and will only get worse. #righttorepair matters — Apple couldn't care less.
@codemonkeymike what is the correct process that I should follow if I am about to donate a Mac with T2 chip in order to avoid this?
-
@noodlemaz Apple will just shred it.. so it's "recycled" for the metal.. but they're not re-using it.
In my experience, it's best to wipe it, then set it up with a new local account with a dummy admin password.. then put it as a sticky note on the keyboard.
If you plan for it to be useful again. You don't need an icloud password, just a local admin password.
Hope that helps!
@codemonkeymike the battery is dead, it doesn't hold charge. So not sure it can be?
-
Another reason to hate #Apple We're seeing more 2018+ MacBook Pro/Air donations — but Apple's T2 chip means even after iCloud sign-out and reset, the firmware stays locked to the original account.
Without donor contact, these machines are useless.
I've upcycled ~1,000 older Macs, but T2 era machines will end that. It's controlling, creates e-waste, and will only get worse. #righttorepair matters — Apple couldn't care less.
@codemonkeymike I do appreciate that T2 chips make my macBook basically not a good target for thieves though: They by know understand that stealing these devices is not worth it and don't even attempt.
But it will take time until donors understand that they need to do EACS, which is quite simple:
Erase your Mac and reset it to factory settings - Apple Support
Use the Erase All Content and Settings feature to quickly and securely erase all settings, data, and apps, while maintaining the operating system currently installed.
Apple Support (support.apple.com)
But this isn't widely known yet. There's been some people who had luck with going to Apple Stores and providing some kind of guarantee that these are donated pieces but it's a hassle. But for such a big stack, buying a T203 would potentially make sense, could perhaps even be part of a hacker space's tools.
-
@yama @codemonkeymike @paulywill
It's in non-volatile memory (EEPROM) embedded in the chipset. It won't forget for 100 years.@RealGene @codemonkeymike @paulywill Is that an actual number ? Well that sucks. Then there have to be other ways of fooling it
-
Another reason to hate #Apple We're seeing more 2018+ MacBook Pro/Air donations — but Apple's T2 chip means even after iCloud sign-out and reset, the firmware stays locked to the original account.
Without donor contact, these machines are useless.
I've upcycled ~1,000 older Macs, but T2 era machines will end that. It's controlling, creates e-waste, and will only get worse. #righttorepair matters — Apple couldn't care less.
@codemonkeymike Hmm, I’m about to donate a bunch of MacBooks. All personal devices that were collecting dust. I’ve reset them and reinstalled the latest macOS possible.
Any way to check if they’re still locked?
-
@nicolas17 @yama @codemonkeymike @paulywill this, most modern machines use NVRAM for variable store. You can't reset it by just yoinking the power.
Not sure how it's done on T2-based x86 (assuming T2 acts as ROT), x86 itself isn't fused so firmware isn't tamper-protected but it could be done by T2 (from what I remember, T2 emulates SPI to the x86 host and actual x86 UEFI lives in dedicated portion of an "SSD".
T2 should be vulnerable to checkra1n though, so it should be possible to fool the ROT and at least modify NVRAM variables to change security policy but it would require some research.@elly @codemonkeymike @paulywill Apparently "google is not your friend" as i cant seem to find anything that concretely tells me how nvram stores data "without power". The web truly is dogcrap theese days...
-
@miked1112 @codemonkeymike you have to specifically remove the iCloud account using these steps, logging out of iCloud and reseting the device is not enough. it's a (purposely?) confusing end user experience. https://support.apple.com/en-us/102773
@ben @miked1112 @codemonkeymike It seems pretty easy to me — go to settings > Erase > follow the guide.
