Wikileaks: How The CIA Hacks Your Mac: Sonic Screwdriver v1.0 User’s Guide

1. Introduction

Sonic Screwdriver is a mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting. Normally, an Apple Firmware Password prevents alterations of the boot path. Sonic Screwdriver’s mechanism for executing code will allow a user to boot to a USB thumb stick, DVD/ CD, or external hard drive even when a firmware password is enabled.
The code for Sonic Screwdriver is stored on the firmware of an Apple Thunderbolt-to-Ethernet adapter (see Figure 1.1). The implant code will scan all internal and external media devices for a device with a specific volume name. This includes USB thumb drives, CD/DVD disc, and hard drives. If the specific volume name is found, it will execute a UEFI boot of that device.
The intended CONOP for Sonic Screwdriver is to be able to install EDG/AED tools on a Mac
even if a firmware password was enabled. EDG/AED tools usually requires an operator to boot to a
specific device. If a firmware password is enabled, the operator will see a password prompt as in Figure 1.2 instead the list of bootable devices. If such a screen appears during the operation, the operator would then need to reboot the machine with the implanted adapter plugged into the Thunderbolt port, and continue with installation of the EDG tool. See Section 4.2 for specific details.

1.1. Notes About Implanted Adapter

Please note the following:
  • Once an adapter has been implanted, preboot functionality of the device will be lost. Currently, the only preboot functionality an Apple ethernet adapter serves is for a machine to do a netboot.
  • An implanted adapter will function normally as an ethernet adapter once OSX is booted
  • It has been observed that when an EFI shell is loaded from an implanted adapter, not all hard drive partitions are visible due to how early the code gets loaded. Note that if a Linux distro is being loaded from the implanted adapter, Linux will initialize the hard drive itself and all partitions will be visible to inspect or image
  • Once an adapter has been implanted, it will not be possible to restore it factory
    default. Sonic Screwdriver uses a commercially available flashing tool form Broadcom
    to flash the firmware of the adapter. Since this tool does not have a read functionality, a
    pristine bootrom was never obtained.

    2. Tool Requirements

    2.1. Target Computer

    Any Mac laptop or desktop with Thunderbolt port, see Figure 2.1.
The following are a list of models that have been tested with Sonic Screwdriver:
• MBA5,1 (Mid 2012 – 11”)
• MBA5,2 (Mid 2012 – 13”)
• MBA4,1 (Mid 2011 – 11”)
• MBA4,2 (Mid 2011 – 13”)
• MBP10,1 (Mid 2012 – 15” Retina)
• MBP10,2 (Late 2012 – 13” Retina)
• MBP9,1 (Mid 2012 – 15”)
• MBP9,2 (Mid 2012 – 13”)
• MBP8,1 (Late 2011 – 13”)
• MBP8,2 (Late 2011 – 15”)

2.2. Requirements for Building

MacBook Air 5,1 or 5,2 (Mid 2012 – 11” or 13”)
External USB DVD/CD-Rom drive to boot the installer.
Apple Thunderbolt-to-Ethernet Adapter

3. Building and Configuring

This section contains instructions for building Sonic Screwdriver. The first section will discuss how to flash the code onto a new Apple Thunderbolt-to-Ethernet adapter. The second section will discuss how to configure the boot media intended to be executed by the implanted ethernet adapter.

3.1. Implanting Ethernet Adapter

The Apple Thunderbolt-to-Ethernet Adapter can only be flashed in a real mode operator system, such as MS-DOS. A CD ISO image is packaged with the tool to make flashing the adapter as seamless as possible.
  1. Locate the following ISO image and burn the image to a DVD or CD UNCLASS_SonicScrewdriverInstall.iso
  2. Plug in the ethernet adapter into the Thunderbolt port of the MacBook Air mentioned in Section 2.2. Also plug in the external USB DVD/CD-ROM drive with the DVD/CD created from step 1.
  3. Power up the MacBook Air holding down the ‘option’ key.
  4. After a few seconds, a number of boot options should start to appear.
  5. Select ‘Windows’. This should be the only option with a DVD/CD icon above it.
  6. Let the installer fully boot. All the default options should be fine.
  7. Once the DVD/CD boots into FreeDos, the installer will automatically run the Broadcom flash utility to detect the flash in the adapter. There should be only one device listed at size 64K.
    1. a. If there are no devices listed, ensure the adapter is firmly plugged into the Thunderbolt port, and repeat back to step 3.
  8. Type the following at the command line: B57UDIAG.exe -ppxe x:\ss.rom
  9. It will take roughly 1-2 mins to complete the reprogramming of the adapter. Programming is complete when control is passed back to the command prompt. Power down system by holding the power button.

3.2. Configuring Boot Media for Target

Once the Thunderbolt-to-Ethernet adaptor has been implanted, it will search all media devices for a specific volume name and a file path to execute. This includes both internal and external hard drives, CD/DVD drives, and USB thumb sticks. The external hard drives and CD/DVD drives can be connected via USB, Firewire, or Thunderbolt. Hard disk can be formatted FAT16, FAT32, or HFS+. Hard disk formatted NTFS or ext* will NOT be detected.
The volume name that will be search for is: FILER
Please note that the volume name above is case sensitive in filesystems that allow for case
sensitivity, such as HFS+.
The file path to be execute under the volume FILER will be: /EFI/BOOT/BOOTX64.efi
The file path above is the specified default boot path for EFI systems. For example, a EFI
complaint Lunix distro DVD will have this path with the file BOOTX64.efi as the Linux boot loader for that distro. If it is desired to have the implanted ethernet adaptor launch this distro, one would only need to modify its volume name to be FILER. If it is desired to have the implanted ethernet adapter launch an EFI implant, one would need to rename the volume and copy the EFI implant to the file path above on an appropriate media device.

4. Executing Sonic Screwdriver on Target Machine

4.1. Steps to gain executions

The implanted ethernet adapter needs to be plugged into the Thunderbolt port when the computer is powered on in order for code to be executed. If the adapter is plugged it after the machine is powered on, no implant code will be executed.
  1. Plug in ethernet adapter to Thunderbolt port.
  2. Plug in boot media configured from Section 3.2.
  3. Power on machine.
  4. The device should automatically boot without any key presses.
    1. If it does not, there has been observations that certain models of Apple Macs does not pick up certain USB devices. Take the follow step if this is occurring.
    2. Repeat steps 1-3, but now hold the OPTION key while booting up. Once either a boot list or firmware password screen boots, unplug the boot media device and plug it in again. It should then automatically get loaded.


1&1 Hosting

4.1.11. Using Sonic Screwdriver with EDG Tool DerStarke

DerStarke is an EDG/AED EFI firmware implant against Apple Mac laptops and desktops. It is
installed with physical access via a USB thumb stick or CD/DVD disc. Please refer to DerStarke 1.3
User’s Guide for information on how to build the USB thumb stick or CD/DVD
By default, the DerStarke builder will define the volume name and file path of implant with the
same values as listed in Section 3.2. This means no other configuration will be needed when executing Sonic Screwdriver and DerStarke together.
To install DerStarke:
  1. Plug in the USB thumb stick or CD/DVD with the DerStarke installer.
  2. Hold down the power button for 10 secs until the machine starts to boot. If sound was enabled, a loud bong will be audible. If sound was disabled, a white screen will be the only indicator.
    1. Holding the power button will boot the machine into a flash recovery mode that is required to install DerStarke. An error message will result if the power button is not held down for 10 sec.
  3. Hold down the OPTION key in order see all the boot options
  4. If a list of boot options appears, a firmware password was not enabled. Choose ‘EFI Boot’ with the USB or CD icon (depending which media DerStarke was built to). This will complete DerStarke installation.
  5. If a prompt for a password appears, a firmware password was enabled.
    1. Please note that the prompt should be similar to Figure 1.2. If the screen looks more complex, there is a probability that the OPTION key did not register fast enough, and the target machine booted into either an OSX or a FileVault2 password screen.
  6. Power down the system, and reboot with the implanted ethernet adapter and the DerStarke media inserted. Do not forget to hold down the power button for 10 secs. Holding down the OPTION key is not required when the implanted ethernet adapter is plugged in.
    1. DerStarke installation should automatically without any key press interactions. If it does not, it is possible that Mac and USB stick might required a unplug and re-plug in as mentioned in Section 4.1.
    2. Repeat steps 1-3, but now hold the OPTION key while booting up. Once the firmware password screen boots, unplug the boot media device and plug it in again. It should then automatically get loaded.


Comments are Closed