duo-labs/apple-t2-xpc

Stars
152
Rank 239,460 (Top 5 %)
Language
Python
License
Other
Created over 5 years ago
Updated almost 5 years ago

duo-labs/apple-t2-xpc

duo-labs

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Tools to explore the XPC interface of Apple's T2 chip

Apple T2 XPC

This project is an exploration of the network communications between macOS and the T2 chip. It can be used to decode and print the XPC messages, and provides an example of building a protocol-compliant client to communicate with a service on the T2 chip.

More information can be found in our report.

Install

This is a Python3 project.

Python 3.6

One of the changes in 3.7 was how python handles multiple inheritance, particularly with method resolution order (MRO). Because the h2 library has a bug with this new method resolution order, we need to use Python 3.6.

On a mac, to do this we need to use pyenv. (use brew to install it if you don't have it) pyenv install 3.6.7

And then every time you want to run it (or pip3 install stuff), you'll need to run this from the project directory: eval "$(pyenv init -)"

pip3 stuff

To install, you will need to install: pip3 install -r requirements.txt

h2 module

The hyper-h2 module is HTTP/2 spec-compliant. Unfortuantely, Apple communications are not. We have included a slightly-modified copy of the h2 module, still under its original MIT license.

Running it

There are currently two main utilities contained in this repo:

vhc128sniff.py will listen on the VHC128 interface and decode as many XPC messages as it can between the t2 chip and the mac. It can also be run with the -f flag and a file path to read from a tcpdump-format packet capture.
sysdiagnose_client.py will attempt to connect to the t2 chip and initiate a sysdiagnose connection.

Update: getting `remotectl` working again

csrutil disable # (in recovery)

nvram boot-args=”amfi_get_out_of_my_way=0x01” # (reboot)

cp /usr/libexec/remotectl /tmp/

cat << EOF > /tmp/entitlements.ent 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.private.RemoteServiceDiscovery.device-admin</key>
	<true/>
	<key>com.apple.private.network.intcoproc.restricted</key>
	<true/>
</dict>
</plist>
EOF

jtool --sign --ent /tmp/entitlements.ent --inplace /tmp/remotectl

/tmp/remotectl relay localbridge com.apple.sysdiagnose.remote

cloudmapper

CloudMapper helps you analyze your Amazon Web Services (AWS) environments.

webauthn

WebAuthn (FIDO2) server library written in Go

parliament

AWS IAM linting library

cloudtracker

CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.

py_webauthn

Pythonic WebAuthn

webauthn.io

The source code for webauthn.io, a demonstration of WebAuthn.

EFIgy

A small client application that uses the Duo Labs EFIgy API to inform you about the state of your Mac EFI firmware

dlint

Dlint is a tool for encouraging best coding practices and helping ensure we're writing secure Python code.

markdown-to-confluence

Syncs Markdown files to Confluence

isthislegit

Dashboard to collect, analyze, and respond to reported phishing emails.

idapython

A collection of IDAPython modules made with 💚 by Duo Labs

chrome-extension-boilerplate

Boilerplate code for a Chrome extension using TypeScript, React, and Webpack.

secret-bridge

Monitors Github for leaked secrets

twitterbots

The code used in the "Don't @ Me: Hunting Twitter Bots at Scale" Black Hat presentation

cloudtrail-partitioner

phish-collect

Python script to hunt phishing kits

phinn

A toolkit to generate an offline Chrome extension to detect phishing attacks using a bespoke convolutional neural network.

xray

X-Ray allows you to scan your Android device for security vulnerabilities that put your device at risk.

android-webauthn-authenticator

A WebAuthn Authenticator for Android leveraging hardware-backed key storage and biometric user verification.

appsec-education

Presentations, training modules, and other education materials from Duo Security's Application Security team.

mysslstrip

CVE-2015-3152 PoC

EFIgy-GUI

A Mac app that uses the Duo Labs EFIgy API to inform you about the state of your EFI firmware.

lookalike-domains

generate lookalike domains using a few simple techniques (homoglyphs, alt TLDs, prefix/suffix)

journal

The boilerplate for a new Journal site

srtgen

Automatic '.srt' subtitle generator

apk2java

Automatically decompile APK's using Docker

neustar2mmdb

Tool to convert Neustar's GeoPoint data to Maxmind's GeoIP database format for ease of use.

markflow

Make your Markdown sparkle!

narrow

Low-effort reachability analysis for third-party code vulnerabilities.

tutorials

duo-blog-going-passwordless-with-py-webauthn

datasci-ctf

A capture-the-flag exercise based on data analysis challenges

Jupyter Notebook

chain-of-fools

A set of tools that allow researchers to experiment with certificate chain validation issues

sharedsignals

Python tools for using OpenID's Shared Signals Framework (including CAEP)

journal-cli

The command-line client for Journal

Jupyter Notebook

unmasking_data_leaks

The code from the talk "Unmasking Data Leaks: A Guide to Finding, Fixing, and Prevention" given at BSides SATX 2019.

journal-theme

The Hugo theme that powers Journal

golang-workshop

Source files for a Golang Workshop

journal-docs

The documentation for Journal

dlint-plugin-example

An example plugin for dlint

vimes

A local DNS proxy based on CoreDNS.

twitterbots-wallpapers

Wallpapers created from the crawlers in our "Don't @ Me" technical research paper

holidayhack-2019

Scripts and artifacts used to solve the 2019 SANS Holiday Hack Challenge