[MuffinFlavored]

How are these hackers modifying the EFI section without any kind of digital signature? It's really wide open for writing on all new Macs?

[zydeco]

The EFI firmware is validated by the T2, which then passes it on to the x86 CPU. I assume this modification would not persist after the T2 reboots.

[aunali1]

Unfortunately, this is not the complete picture. The T2 simply programs the embedded flash within the PCH over an eSPI interface. Meaning, a successful reprogram from the T2 WILL persist until the following occurs:

- A T2 Restore

- A macOS System Update

[penwellr]

rickmark here: Sorry no, that's inaccurate. The T2 provides MacEFI.im4 to the Intel processor by emulating a flash controller over eSPI. So by modifying this file, and removing signature checks you can run any payload you like (see the EFI replacement video)

[MuffinFlavored]

So there is some kind of signature defeat involved, correct?

[h0m3us3r]

Yes, sigchecks had to be patched out of the kernel. And yes, it does not persist T2 reboot, but T2 only reboots if you hold power button for 5 sec. MacOS "reboot" does _not_ reboot T2.