
UndercoverCroc

macrumors newbie
Original poster
Mar 22, 2024
8
1
Hello all,

I recently bought an open box 14in M3 Max MacBook on eBay. I got a fantastic deal on it and was excited to receive it. This will be my 3rd mac purchase on eBay (along with a few iPads and iPhones), and everything usually goes well, but I will be putting an end to this practice immediately as this one has really stressed me out!

The MacBook arrived and was indeed in a new condition, the laptop itself had been disturbed but it had been re-wrapped etc… the charger had clearly not been touched at all. All well, until I tried to turn it on… no juice. The battery was completely dead.

This was my first alarm bell. Simple fix, I plugged it in and phew, it began charging fine.

Next up, I got through to the recovery menu. Previous owner must have wiped it at an SSD level, so I hit ‘reinstall Sonoma’ and was confronted with…. An activation lock. Obviously the biggest alarm bell in my brain started to ring but I thought I’d calmly give the seller the benefit of the doubt and contacted them. The next day they apologised and explained it was a family member’s laptop and they were getting in touch for the Apple ID and password for me to unlock it (strange I thought) but I waited and eventually got a message saying it should work.

I assume they removed the activation lock remotely through Find My. Indeed, the lock was gone and I could re-install Sonoma.

By this point though I was at panic stations and the MacBook was tainted to me. I cancelled the Sonoma install and decided to use my MBA to do a DFU restore on the new MacBook. This was successful and completed… but I can’t shake the feeling this MacBook deal is going to bite me in the ass somehow. I wanted to re-sell it on eBay but the fees are way too high, I can’t return it because in fairness, the seller did everything to help me.

Say this seller WAS a bad egg, they activated the macbook 1 month prior to my purchase, could it be hacked in some way that would survive a DFU restore? Is there a chip you can replace on the logic board that might keep feeding some kind of malware regardless of the wipe? Can they do anything with the serial number etc?

It is not managed by any MDM profile and the activation lock appears to have been removed. For all intents and purposes it seems fine but I’m insanely paranoid about this cursed laptop now.

TL;DR Bought a used M3 MacBook, can anything bad survive a DFU restore?
 
Last edited:

VineRider

macrumors 65816
May 24, 2018
1,347
1,160
If you are concerned about residual software on the machine, then what I would do is to go into recovery mode and completely erase the SSD. You will then have to re-download Sonoma, and then you can set up as new.

The OS partition is read only, so even doing this is really not necessary, but for peace of mind you will know that the entire SSD has been erased.

There is nothing firmware wise that someone could maliciously install, so by erasing the SSD, restoring Sonoma from the internet, and setting up you will be fine.

I also think the seller was ok since they did remove the activation lock. That tells me that the device was indeed theirs, and not stolen.
 

FreakinEurekan

macrumors 603
Sep 8, 2011
5,648
2,710
I don't know of anything that would survive a full restore.

Of course, just because I (or anyone else) doesn't "know of" anything doesn't mean it's completely impossible. At some point you'll have to trust the system is working for you, and/or trust that you're too small a target for the possible cost of such a scheme. That said - if you wanna sell me that M3 at a killer price, I'll gladly use it with no concerns ;)
 
  • Like
Reactions: Cape Dave

Mike Boreham

macrumors 68040
Aug 10, 2006
3,767
1,784
UK
If the OP has already done a DFU Restore I don't think he needs to do an additional erase of the SSD. A DFU Restore also wipes the SSD and restores the firmware, which goes deeper than an erase of the SSD does. As you say, because the System volume of the SSD is read only there isn't even a case for wiping the whole SSD...a simple and quick "Erase All Content and Settings" restores to factory condition.

It is normal to feel anxious about a new expensive purchase especially a second hand one, but it really sounds like the OP can relax on this one.

I usually buy all my Macs second hand and the things I want to discover on them are:-

1. Battery condition. From Settings > Battery > Battery Health >click the little 'i'

2. Any support remaining. (From Settings > About > Coverage) will tell you if any of the first year from new coverage remains, and whether it is still eligible to buy AppleCare, which it has sometimes been for me. Or even if it already is covered by AppleCare, as has also happened to me. Coverage stays with the machine.

3. TBW written to disc. Most easily discovered by installing DriveDX but there are other ways using Terminal.
 
  • Like
Reactions: Cape Dave

UndercoverCroc

macrumors newbie
Original poster
Mar 22, 2024
8
1
Thanks for the reassurance so far forum, indeed I had erased the SSD as well as performing a DFU restore.

In fact before the restore I tried erasing it but was unable to:

In the recovery disc utility- by hitting ‘show all devices’ and trying to erase the root APPLE XXXX SSD, it kept throwing a ‘unable to erase because disc in use’ error which I figured was because the Recovery OS was running from it. At that point I made a Sonoma USB to try and run from USB, which I was also unable to do, this worried me but presumably it was because I didn’t have access to the Startup Security Utility (who does at the point of MacOS not being installed?)

It was then that I found out about the DFU restore Option. Which I completed, THEN with Sonoma installed, I was able to erase the root APPLE XXXX SSD in the recovery disc utility… At which point of course I had to do another DFU restore just to install Sonoma quicker.

SO it appears to me that without a MacOS installed, you can erase Macintosh HD fine, but you can’t erase the root ‘show all devices APPLE XXXX SSD’. Nor can you run the system from a USB. Is this correct?
 
Last edited:

Mike Boreham

macrumors 68040
Aug 10, 2006
3,767
1,784
UK
SO it appears to me that without a MacOS installed, you can erase Macintosh HD fine, but you can’t erase the root ‘show all devices APPLE XXXX SSD’. Nor can you run the system from a USB. Is this correct?

I sometimes get a "could not unmount" message when erasing, but manually unmounting before erasing fixes this. Or use Terminal instruction diskutil umountDisk /dev/disk.... Might have to use diskutil list to discover correct disk ID to unmount.

Not sure what you meant by "made a Sonoma USB". Did you mean a separate full install of Sonoma on an external USB, or a bootable Sonoma installer on USB. Anyway both are quite possible. Many people run all the time from an external, and a bootable installer on a USB stick is useful to have around...just like Recovery but with the installer on board.
 

UndercoverCroc

macrumors newbie
Original poster
Mar 22, 2024
8
1
I sometimes get a "could not unmount" message when erasing, but manually unmounting before erasing fixes this. Or use Terminal instruction diskutil umountDisk /dev/disk.... Might have to use diskutil list to discover correct disk ID to unmount.

Not sure what you meant by "made a Sonoma USB". Did you mean a separate full install of Sonoma on an external USB, or a bootable Sonoma installer on USB. Anyway both are quite possible. Many people run all the time from an external, and a bootable installer on a USB stick is useful to have around...just like Recovery but with the installer on board.

Yes precisely, being unable to unmount or wipe that drive also had me thinking there was a bad actor afoot. A reminder that I’m talking about the root ‘APPLE SSD AXXXX Media’ drive under ‘show all devices’ in the disk utility, not Macintosh HD (which I was able to clear).

I could only clear the root drive once I had Sonoma installed (through the first DFU restore), which was strange.

Yes I made a Sonoma bootable installer, but again, before the first Restore it wouldn’t show in the bootup process, the startup list was empty.


After the first restore, I COULD then erase the root drive, doing so took me back to recovery where I tried to erase it again but found the same previous ‘could not unmount’ prompt. That led me to think that some remnant of a MacOS install must be present for that to work?
 

UndercoverCroc

macrumors newbie
Original poster
Mar 22, 2024
8
1
There was something odd about the partition list as well, it went from disk0 to disk3 on the left, something I couldn’t find another example of online. I was worried this meant hidden partitions.

I noted too that my SSD was named Apple SSD AP1024Z Media instead of the usual Q or J.
 

Attachments

  • IMG_8202.jpeg
    IMG_8202.jpeg
    968.4 KB · Views: 51

diamond.g

macrumors G4
Mar 20, 2007
11,156
2,466
OBX
There was something odd about the partition list as well, it went from disk0 to disk3 on the left, something I couldn’t find another example of online. I was worried this meant hidden partitions.

I noted too that my SSD was named Apple SSD AP1024Z Media instead of the usual Q or J.
My synthesized disk starts at 3, the physical disk is 0.
 

Krevnik

macrumors 601
Sep 8, 2003
4,100
1,309
There is nothing firmware wise that someone could maliciously install

And with Apple Silicon, much of what would be considered firmware lives on the SSD, which the DFU can wipe and replace with a known good copy. Hardware peripherals get their software loaded at boot, rather than having NVRAM which contains it.

Yes precisely, being unable to unmount or wipe that drive also had me thinking there was a bad actor afoot. A reminder that I’m talking about the root ‘APPLE SSD AXXXX Media’ drive under ‘show all devices’ in the disk utility, not Macintosh HD (which I was able to clear).

Part of the issue is that the SSD contains this additional data used for pre-booting. So when in the restore tools, the SSD is in use depending on what you are doing. There are three APFS containers on the internal SSD (as your screenshot shows). The "machine level" recovery partition + pre-boot environments live on two of those containers, and then the OS, your data, and that OS' recovery volume live in the third container (disk3). It also contains security settings for each OS you've "blessed" to allow booting, which includes external drives.

The structure of the internal drive these days is quite a bit different than it was even 10 years ago, and there's quite a bit more going on when trying to restore one of these machines. So it's not surprising to me that it is easy to get into a state that you can't erase the internal SSD while booted into recovery.

As long as you did a DFU restore rather than a revive, I wouldn't be too worried. The restore does wipe the SSD by smashing the encryption keys (SSDs on Apple Silicon are always encrypted, even with FileVault disabled), which has the nice advantage of rendering any malicious code unreadable that may have existed on the drive previously.
 
  • Like
Reactions: Cape Dave
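
The container layout described in the post above, and the disk0-to-disk3 jump the original poster asked about, can be checked from `diskutil list` text. This is an added example, not part of the thread: the sample listing is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on `diskutil list` from an Apple Silicon Mac.
SAMPLE = """\
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 TB     disk0
   1:             Apple_APFS_ISC Container disk1         524.3 MB   disk0s1
   2:                 Apple_APFS Container disk3         994.7 GB   disk0s2
   3:        Apple_APFS_Recovery Container disk2         5.4 GB     disk0s3

/dev/disk3 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +994.7 GB   disk3
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD            10.3 GB    disk3s1
   2:              APFS Snapshot com.apple.os.update-EXAMPLE 10.3 GB disk3s1s1
   3:                APFS Volume Preboot                 6.1 GB     disk3s2
   4:                APFS Volume Recovery                939.1 MB   disk3s3
   5:                APFS Volume Data                    41.2 GB    disk3s5
   6:                APFS Volume VM                      20.5 KB    disk3s6
"""

HEADER = re.compile(r"^/dev/(disk\d+) \(([^)]*)\):")
PART = re.compile(
    r"^\s+\d+:\s+(Apple_APFS\w*)\s+Container (disk\d+)\s+.*\s(disk\d+s\d+)\s*$"
)
STORE = re.compile(r"^\s+Physical Store (disk\d+s\d+)")


def parse_layout(text):
    """Return partitions that back APFS containers, and each listed container's store."""
    physical, synthesized, listed = {}, {}, []
    current = None
    for line in text.splitlines():
        if m := HEADER.match(line):
            current = m.group(1)
            listed.append(current)
        elif m := PART.match(line):
            # partition id -> (partition type, container it backs)
            physical[m.group(3)] = (m.group(1), m.group(2))
        elif (m := STORE.match(line)) and current:
            synthesized[current] = m.group(1)
    return {"physical": physical, "synthesized": synthesized, "listed": listed}


def hidden_containers(layout):
    """Containers the partition table names but that have no section in the listing."""
    named = {container for _, container in layout["physical"].values()}
    return sorted(named - set(layout["listed"]))


def check_consistency(layout):
    """Each synthesized disk must be backed by the partition that names it."""
    problems = []
    for container, store in layout["synthesized"].items():
        part = layout["physical"].get(store)
        if part is None:
            problems.append(f"{container}: store {store} is not a listed partition")
        elif part[1] != container:
            problems.append(f"{container}: store {store} backs {part[1]} instead")
    return problems


if __name__ == "__main__":
    layout = parse_layout(SAMPLE)
    for part, (ptype, container) in layout["physical"].items():
        print(f"{part:8} {ptype:20} -> {container}")
    print("not listed separately:", hidden_containers(layout))
    print("problems:", check_consistency(layout) or "none")
```

On the sample, disk1 and disk2 are reported as containers that exist in the partition table but get no section of their own, which accounts for the numbering gap.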

VineRider

macrumors 65816
May 24, 2018
1,347
1,160
If OP is interested, here is a great article that details Apple's Platform Security.

It would be very, very difficult for someone to put low level code that is not signed by Apple onto an Apple Silicon device and have it run. There are multiple checks that ensure only signed Apple code runs at boot time.

 

UndercoverCroc

macrumors newbie
Original poster
Mar 22, 2024
8
1
Thanks everyone, this information is all really appreciated.

I guess I’m pretty certain the DFU restore has obliterated any potential software malevolence but what about hardware?

Would it be possible for someone to replace the T2 chip or somehow solder something untoward onto the logic board?

Can activation ever be reinstated or has the seller now lost all connection possible to the MacBook? Is there anything that can be done if they took down serial numbers and other identifiers?
 
  • Like
Reactions: Cape Dave

hobowankenobi

macrumors 68020
Aug 27, 2015
2,076
883
on the land line mr. smith.
If you are concerned about residual software on the machine, then what I would do is to go into recovery mode and completely erase the SSD. You will then have to re-download Sonoma, and then you can set up as new.

The OS partition is read only, so even doing this is really not necessary, but for peace of mind you will know that the entire SSD has been erased.

There is nothing firmware wise that someone could maliciously install, so by erasing the SSD, restoring Sonoma from the internet, and setting up you will be fine.

I also think the seller was ok since they did remove the activation lock. That tells me that the device was indeed thiers, and not stolen.
This.

All modern devices can be associated with a recovery account like iCloud, or an enterprise org at a firmware level (erasing the storage drive will not remove this), but once removed from either group, they cannot be "reenrolled" without user consent.

If this device came from an org and they were unaware (as in stolen), you would either not be able to wipe and restore, or you would be greeted by the org's info, and you would see Profiles installed to manage the Mac. If you don't see any of that, you are good. It all happens automatically once any internet connection is available.
 

diamond.g

macrumors G4
Mar 20, 2007
11,156
2,466
OBX
Thanks everyone, this information is all really appreciated.

I guess I’m pretty certain the DFU restore has obliterated any potential software malevolence but what about hardware?

Would it be possible for someone to replace the T2 chip or somehow solder something untoward onto the logic board?

Can activation ever be reinstated or has the seller now lost all connection possible to the MacBook? Is there anything that can be done if they took down serial numbers and other identifiers?
Apple Silicon doesn't have a separate T2 (the functionality is embedded in the SoC).
 

mr_roboto

macrumors 6502a
Sep 30, 2020
772
1,652
Thanks everyone, this information is all really appreciated.

I guess I’m pretty certain the DFU restore has obliterated any potential software malevolence but what about hardware?

Would it be possible for someone to replace the T2 chip or somehow solder something untoward onto the logic board?

Can activation ever be reinstated or has the seller now lost all connection possible to the MacBook? Is there anything that can be done if they took down serial numbers and other identifiers?
Just going to try to provide some more detail on a few things for extra reassurance. Apple's platform security design actually provides you with much firmer ground to stand on than pretty much anything else on the market.

First, with Apple Silicon, full disk encryption is always on. Performing a DFU Restore wiped the disk encryption key stored inside the M3 chip's Secure Enclave, then enrolled a newly generated key that will be used for your data going forward. These keys are generated inside the Secure Enclave by a true random number generator, and are never allowed to leave the Secure Enclave. Replacing the old key with a new random one instantly and irreversibly turned all the old data stored on the SSD into random noise.

As others covered, there is no separate T2 chip in an Apple Silicon Mac. All functions of the T2 are integrated into the M3 chip.

There isn't anything anyone could do on the motherboard. Apple's security design puts the root of trust inside the M3 chip itself. As it goes through each stage of booting an OS, it cryptographically verifies that the next stage of boot is an unmodified binary created by Apple.

There is one exception to that - on Macs, users are allowed to reduce the security level. You can run Startup Security Utility to verify that your macOS is configured for Full Security (or edit its security configuration); see the directions here:


Since you did a DFU restore and installed a new macOS, it should be in Full Security already, since that's what Apple's tools default to. In Full Security mode, you have very strong guarantees that your Mac is running an unmodified Apple macOS release.

On activation lock - you should be good. AFAIK, Apple made this asymmetric. If you control an iCloud account and have enrolled a Mac or iPhone for Activation Lock with that account, it's possible to un-enroll that device remotely (as your seller did for you), but enrolling a device for Activation Lock must be done from that device.

For extra reassurance, you can always turn activation lock on so it's definitely enrolled with your iCloud account. But if you ever sell it, don't forget to unenroll it first!

Bottom line, I think your seller just made a couple innocent mistakes. Packed it up without topping off the battery, and didn't realize they needed to un-enroll it from their iCloud account.
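
The key-replacement erase described in this post, and mentioned in other replies, can be modelled in a few lines. This is an added example, not part of the thread and not Apple's implementation: `ToyEnclave` is a hypothetical class, an HMAC-SHA256 keystream stands in for the hardware AES engine, and the authentication tag is a modelling choice that makes a key mismatch detectable.

```python
import hashlib
import hmac
import secrets


class ToyEnclave:
    """Model of a key store that uses its key internally and never exports it."""

    def __init__(self):
        self._new_key()

    def _new_key(self):
        root = secrets.token_bytes(32)  # fresh random volume key
        # Separate subkeys for encryption and authentication.
        self._enc = hmac.new(root, b"enc", hashlib.sha256).digest()
        self._mac = hmac.new(root, b"mac", hashlib.sha256).digest()

    def _xor_stream(self, nonce, data):
        # HMAC-SHA256 in counter mode as a keystream (stand-in cipher).
        out = bytearray()
        for i in range(0, len(data), 32):
            counter = (i // 32).to_bytes(8, "big")
            pad = hmac.new(self._enc, nonce + counter, hashlib.sha256).digest()
            out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
        return bytes(out)

    def write(self, plaintext):
        """Encrypt data on its way to the (simulated) SSD."""
        nonce = secrets.token_bytes(16)
        body = self._xor_stream(nonce, plaintext)
        tag = hmac.new(self._mac, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def read(self, blob):
        """Decrypt data from the SSD; fails if the current key did not write it."""
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        good = hmac.new(self._mac, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise ValueError("cannot decrypt: key mismatch or modified data")
        return self._xor_stream(nonce, body)

    def read_unchecked(self, blob):
        """Decrypt without the tag check, to show what the bytes turn into."""
        return self._xor_stream(blob[:16], blob[16:-32])

    def dfu_restore(self):
        """Replace the key; the old one is gone and was never stored elsewhere."""
        self._new_key()


def demo():
    enclave = ToyEnclave()
    # Constructed stand-in for anything a previous owner left on the SSD.
    old = b"#!/bin/sh\n# leftover script from the previous owner\n"
    on_disk = enclave.write(old)          # bytes that physically stay on the SSD
    before = enclave.read(on_disk)        # readable while the key exists
    enclave.dfu_restore()                 # key replaced, SSD bytes untouched
    try:
        enclave.read(on_disk)
        readable = True
    except ValueError:
        readable = False
    raw = enclave.read_unchecked(on_disk)  # same bytes under the new key
    return before == old, readable, raw == old


if __name__ == "__main__":
    print(demo())
```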
 

UndercoverCroc

macrumors newbie
Original poster
Mar 22, 2024
8
1
There is one exception to that - on Macs, users are allowed to reduce the security level. You can run Startup Security Utility to verify that your macOS is configured for Full Security (or edit its security configuration); see the directions here:

Reminded me here that this is where I stumbled with the original set up (before I performed the first DFU restore) as there was no admin account on the Mac I couldn’t access the Startup Security Utility. I tried to change this so I could boot from the USB as I thought RecoveryOS was preventing me from erasing the root drive.

Pulling it up just brought up a blank window. It was odd behaviour… I haven’t tried to look yet but now I’ve installed Sonoma and added an admin account I’m sure I can confirm it to be on Full Security.

Thank you however, Mr Roboto for the lengthy reassurance.

I do wonder how the seller managed to wipe the Mac without de-activating it as ‘erase all content and settings’ immediately prompts you to do so. Perhaps they did it through recovery themselves, which would make sense as no OS was installed.
 
Last edited:

hobowankenobi

macrumors 68020
Aug 27, 2015
2,076
883
on the land line mr. smith.
The activation and related tracking has nothing to do with the OS, or even the drive...which is why it really prevents stolen Macs from being easily cleaned and resold. It does not need an account (admin or otherwise), an OS, or even a drive (on Macs that have removable drives).
 
  • Like
Reactions: jdb8167

chrfr

macrumors G5
Jul 11, 2009
13,534
7,056
Thanks everyone, this information is all really appreciated.

I guess I’m pretty certain the DFU restore has obliterated any potential software malevolence but what about hardware?

Would it be possible for someone to replace the T2 chip or somehow solder something untoward onto the logic board?

Can activation ever be reinstated or has the seller now lost all connection possible to the MacBook? Is there anything that can be done if they took down serial numbers and other identifiers?
There’s no T2 chip in an Apple Silicon Mac. When doing a DFU restore everything is signed and verified with Apple. There’s nothing a previous owner can do with that computer once it’s removed from iCloud and activation lock is turned off.
It’s also unnecessary to both erase the disk and do a DFU restore. The DFU process in an Apple Silicon Mac gets rid of the encryption keys so the disk is as erased as it would be in Disk Utility.
 
  • Like
Reactions: AAPLGeek

UndercoverCroc

macrumors newbie
Original poster
Mar 22, 2024
8
1
My only other worry on this was that I opened it up and spotted this pull tab seemed to have been disturbed. Could this be a factory thing?
 

Attachments

  • IMG_8085.jpg
    IMG_8085.jpg
    360.8 KB · Views: 66

AAPLGeek

macrumors 6502a
Nov 12, 2009
609
1,716
My only other worry on this was that I opened it up and spotted this pull tab seemed to have been disturbed. Could this be a factory thing?

Okay now that right there is the smoking gun. Underneath that disturbed pull tab is an embedded tracking chip that bypasses the Secure Enclave and uploads literally everything you do on that machine. Destroy the whole thing as quickly as possible or better yet, ship the machine to me. I have access to an industrial incinerator and I can do it for you. Totally free of charge of course.
 
  • Haha
Reactions: Mike Boreham

Isamilis

macrumors 68020
Apr 3, 2012
2,072
968
If possible, return it. It looks like a stolen device and you’re now playing with Apple security which is hard to break (unless you’re a specialist in that area). Save your time, sell the components instead if the return is not possible, and buy the new one.
 

mr_roboto

macrumors 6502a
Sep 30, 2020
772
1,652
If possible, return it. It looks like a stolen device and you’re now playing with Apple security which is hard to break (unless you’re specialist in that area). Save your time, sell the components instead if the return is not possible, and buy the new one.
Nonsense. The original poster's story is completely consistent with the legitimate owner of the machine selling it to the OP, but failing to do all the steps needed to remove the activation lock prior to shipping the computer. This is understandable! Not everyone really knows how to do it properly, or follows Apple's directions.

If it was actually stolen, the seller would not have been able to easily log in to the iCloud account associated with the activation lock and remove it. Since they were able to do so quickly on request, it follows that it probably was not stolen. And since the activation lock was in fact removed, there is nothing for the OP to break - it's a great mystery why you decided that was a huge issue when it was already resolved.

Please don't give such bad advice.
 
  • Like
Reactions: Andropov

Isamilis

macrumors 68020
Apr 3, 2012
2,072
968
Nonsense. The original poster's story is completely consistent with the legitimate owner of the machine selling it to the OP, but failing to do all the steps needed to remove the activation lock prior to shipping the computer. This is understandable! Not everyone really knows how to do it properly, or follows Apple's directions.

If it was actually stolen, the seller would not have been able to easily log in to the iCloud account associated with the activation lock and remove it. Since they were able to do so quickly on request, it follows that it probably was not stolen. And since the activation lock was in fact removed, there is nothing for the OP to break - it's a great mystery why you decided that was a huge issue when it was already resolved.

Please don't give such bad advice.
You’re correct. Sorry I didn’t read your solution properly. Just be calm as this is a discussion forum not a chat with technical support.
 

Mike Boreham

macrumors 68040
Aug 10, 2006
3,767
1,784
UK
Nonsense. The original poster's story is completely consistent with the legitimate owner of the machine selling it to the OP, but failing to do all the steps needed to remove the activation lock prior to shipping the computer. This is understandable! Not everyone really knows how to do it properly, or follows Apple's directions.

If it was actually stolen, the seller would not have been able to easily log in to the iCloud account associated with the activation lock and remove it. Since they were able to do so quickly on request, it follows that it probably was not stolen. And since the activation lock was in fact removed, there is nothing for the OP to break - it's a great mystery why you decided that was a huge issue when it was already resolved.

Please don't give such bad advice.

Pretty sure @Isamilis's post was intended to be humorous, as was the previous one (smoking gun); that always risks being missed in an international forum. He could have added a ;)
 