Hacked MBP - reinstall firmware

[Lamenito]

Hello,

I recently acquired a MPB 2017 13' function key - ( non touchbar) from Craigslist from a Shady character.

I suspect it to be hacked for many reasons.
I have reinstalled big sur and still feel the machine is compromised.

How do I reinstall/ flash the firmware ?

I suspect the firmware efi code has been tampered with. Or rootkit of some kind or potentially hardware hacked :|

 

[tormac21]

You can't flash the firmware - Apple doesn't make this available. Take your machine to an Apple Store if you think it's been tampered with.

It's extremely unlikely that your firmware has been compromised. You're talking nation-state level hacking to do that.

What symptoms is your machine showing? Why do you think the firmware has been hacked?

 

[hg.wells]

Hello,

I recently acquired a MPB 2017 13' function key - ( non touchbar) from Craigslist from a Shady character.

I suspect it to be hacked for many reasons.
I have reinstalled big sur and still feel the machine is compromised.

How do I reinstall/ flash the firmware ?

I suspect the firmware efi code has been tampered with. Or rootkit of some kind or potentially hardware hacked :|

This may sound stupid, but if you were concerned the person you brought the MacBook from was shady, and were going to have this issue, why did you buy it?

What makes you think they hacked the firmware, it’s not something the everyday user would be able to do.

 

[Apple_Robert]

Reinstall the OS and turn on FileVault. Go into recovery mode and erase the drive and reinstall the OS and set up as new. No worries moving forward about the computer being hacked, which I don't believe happened.

 

[goMac]

It’s extremely unlikely the computer was hacked, but if it was - there is no safe way to restore it. Computers that are actually firmware hacked should not be used and should be replaced.

 

[chabig]

I agree that it's unlikely to be hacked, but you can restore the firmware from scratch. Apple published instructions:

Revive or restore an Intel-based Mac using Apple Configurator 2

In rare circumstances, Apple computers may become unresponsive and the chip’s firmware must be revived.

support.apple.com

 

[Lamenito]

It’s extremely unlikely the computer was hacked, but if it was - there is no safe way to restore it. Computers that are actually firmware hacked should not be used and should be replaced.

Why can the firmware not be reflashed , what if I resolder the bios chip ?

 

[Lamenito]

You can't flash the firmware - Apple doesn't make this available. Take your machine to an Apple Store if you think it's been tampered with.

It's extremely unlikely that your firmware has been compromised. You're talking nation-state level hacking to do that.

What symptoms is your machine showing? Why do you think the firmware has been hacked?

Lol... "Nation state" any things possible.

 

[Lamenito]

I agree that it's unlikely to be hacked, but you can restore the firmware from scratch. Apple published instructions:

Revive or restore an Intel-based Mac using Apple Configurator 2

In rare circumstances, Apple computers may become unresponsive and the chip’s firmware must be revived.

support.apple.com

I believe that guide is for macs with the t2 chip if I'm correct ¿

 

[tormac21]

Why can the firmware not be reflashed , what if I resolder the bios chip ?

Sure, go for it.

 

[JPack]

SilentKnight, Skint, silnite, LockRattler, SystHist & Scrub

Skint – a watchful eye on security settings Updated! Checks key security settings and features including SIP, SSV, Gatekeeper, XProtect, XProtect Remediator and macOS security updates. Runs a…

eclecticlight.co

And if you install Monterey, it'll update your EFI firmware to 447.40.12.0.0.

 

[chabig]

I believe that guide is for macs with the t2 chip if I'm correct ¿

Yes. You are right. I shouldn't have suggested that approach for your machine.

 

[Lamenito]

So if corrupt memory has been soldered onto the logic board its basically garbage now

 

[tormac21]

So if corrupt memory has been soldered onto the logic board its basically garbage now

For all practical purposes, yes.

 

[Lamenito]

SilentKnight, Skint, silnite, LockRattler, SystHist & Scrub

Skint – a watchful eye on security settings Updated! Checks key security settings and features including SIP, SSV, Gatekeeper, XProtect, XProtect Remediator and macOS security updates. Runs a…

eclecticlight.co

And if you install Monterey, it'll update your EFI firmware to 447.40.12.0.0.

This looks interesting has anyone else used this software ? WordPress site ?

I will give that a try

 

[goMac]

So if corrupt memory has been soldered onto the logic board its basically garbage now

Once the firmware is controlled, you're basically pwned. You can't trust the firmware even actually refreshed because the entire machine is compromised. Any firmware state could be a lie, and it can just pretend to flash. There is not status that machine can give that is trustworthy.

Yeah, technically you can solder a new chip, but there's a lot of flashable parts and storage on the machine.

Like I said, highly unlikely the machine was hacked. But if you are actually concerned, the place that machine goes is a trash can. If this was a business machine and there was concern if would never be allowed to connect to the business network or access business information ever again.

(Don't literally belong in the trash though. E-waste is bad.)

 

[Lamenito]

Once the firmware is controlled, you're basically pwned. You can't trust the firmware even actually refreshed because the entire machine is compromised. Any firmware state could be a lie, and it can just pretend to flash. There is not status that machine can give that is trustworthy.

Yeah, technically you can solder a new chip, but there's a lot of flashable parts and storage on the machine.

Like I said, highly unlikely the machine was hacked. But if you are actually concerned, the place that machine goes is a trash can. If this was a business machine and there was concern if would never be allowed to connect to the business network or access business information ever again.

(Don't literally belong in the trash though. E-waste is bad.)

Yeah you are 110% right !

 

[Lamenito]

Once the firmware is controlled, you're basically pwned. You can't trust the firmware even actually refreshed because the entire machine is compromised. Any firmware state could be a lie, and it can just pretend to flash. There is not status that machine can give that is trustworthy.

Yeah, technically you can solder a new chip, but there's a lot of flashable parts and storage on the machine.

Like I said, highly unlikely the machine was hacked. But if you are actually concerned, the place that machine goes is a trash can. If this was a business machine and there was concern if would never be allowed to connect to the business network or access business information ever again.

(Don't literally belong in the trash though. E-waste is bad.)

What other parts are flashable ? , is it possible to corrupt the ssd and ram / would installing the new upgrade from big Sur via USB change the firmware ? To montarery or whatever its called or would that not make a difference. Curious how this firmware hack works exactly ????

 

[Apple_Robert]

I have yet to see any evidence that the Mac in question has had its hardware tampered with. Are you just being paranoid or do you have real evidence?

 

[Lamenito]

I have yet to see any evidence that the Mac in question has had its hardware tampered with. Are you just being paranoid or do you have real evidence?

Yes I have "evidence". Now I'm just wondering how " they" did it.

 

[Lamenito]

interface with a header on the board. remove the board, scratch back traces, and solder directly to them = hacked efi

 

[Lamenito]

Once the firmware is controlled, you're basically pwned. You can't trust the firmware even actually refreshed because the entire machine is compromised. Any firmware state could be a lie, and it can just pretend to flash. There is not status that machine can give that is trustworthy.

Yeah, technically you can solder a new chip, but there's a lot of flashable parts and storage on the machine.

Like I said, highly unlikely the machine was hacked. But if you are actually concerned, the place that machine goes is a trash can. If this was a business machine and there was concern if would never be allowed to connect to the business network or access business information ever again.

(Don't literally belong in the trash though. E-waste is bad.)

Hi goMac do you know how to verify an apple signature of the current firmware installed ?