/apple_net_recovery

Primary LanguageRubyMIT LicenseMIT

Disection of the Apple Internet Recovery protocol and Security Analysis

NOTE: The authors machine always downgrades from 10.15.3 to 10.13.0 via internet recovery, therefore some experiments may not be working the same due to a network issue with an attacker at a position of privilege on the network.

Verification of BaseSystem.dmg and OSDInstall.dmg

See doc/chunklist_v1.md and [https://github.com/t8012/cnklverify]

Request / Response of Internet Recovery image location

PAW and ruby code

doc/Apple Internet Recovery.paw lib/request_recovery.rb

It seems that it is impossible to fake a response from the Apple Internet recovery server, but since the forgery token is not mixed in with the signed response it opens up the case where a man-in-the-middle attack on the request may occur. This leads to the potential to downgrade an operating system.

This may be in part due to the age of the IR protocol and lack of stronger PKI based crypto in older (read Lion 10.9) versions of IR.

Request Format

A session cookie is requestd from http://osrecovery.apple.com/ then A request is made to http://osrecovery.apple.com/InstallationPayload/RecoveryImage

A request is in the form of:

cid=A64F96125D28533D
sn=C079442000SJRWLAX
bid=Mac-7BA5B2DFE22DDD8C
k=CF4EF754A68299485E52179B73382421FDBE38BAA06C7CE518A9A4BA91E3C96D
os=latest
bv=17.16.11081.0.0,0
fg=9ECA302EC3E25279AA80C088EF82A821DAD22197B8516F2E9966CC462B524393

An analysis of variables comes to these assumed names

  • cid - The T2 ECID
  • sn - Motherboard Serial number
  • bid - Board ID (BDID)
  • k - Key or some form of challenge (unknown, server accepts any value)
  • os - The requested OS
  • bv - Version of bridgeOS
  • fg - Anti forgery challenge (unknown, server accepts any value)

Response Format

A response is in the form of

AP: 041-76812
AU: http://oscdn.apple.com/content/downloads/22/29/041-76812a/2liqsakq9ocpldao5gxogpqqkg3666itc6/RecoveryImage/BaseSystem.dmg
AH: 0DD88446D924DC180B25085F53BEA4A2B148024F69EA93E265AEC2F1102E4CB4
AT: expires=1585251286~access=/content/downloads/22/29/041-76812a/2liqsakq9ocpldao5gxogpqqkg3666itc6/RecoveryImage/BaseSystem.dmg~md5=aade63d0bf105b660880b522ee16276f
CU: http://oscdn.apple.com/content/downloads/22/29/041-76812a/2liqsakq9ocpldao5gxogpqqkg3666itc6/RecoveryImage/BaseSystem.chunklist
CH: 791BD581006AD8147F988138B434A2CB792D87F4C2187BD992CC06B64234CA4A
CT: expires=1585251286~access=/content/downloads/22/29/041-76812a/2liqsakq9ocpldao5gxogpqqkg3666itc6/RecoveryImage/BaseSystem.chunklist~md5=7b7ae5fd362c4ff1b216016121f6cb87

An analysis shows the following values

  • AP - Apple's update ID for the packge, from the software update catalog
  • AU - base system URL to download from (dmg)
  • AH - Some form of hash for the base system URL / content
  • AT - BaseSystem url token cookie (Passed in the next request as a cookie header)
  • CU - chunklist URL (this becomes dangerous if downgrade attacked to v1)
  • CH - Chunklist url hash / content
  • CT - Chunklist url token cookie (Passed in the next request as a cookie header)