datahas.blogg.se

Boot macbook to target disk mode

Can a Mac hard drive be easily removed for imaging with a forensic hardware imager? It is really a matter of personal opinion. Macs are an engineering marvel; just ask anyone who has had to remove a hard drive from a Mac for forensic imaging and then tried to put it back together properly.

In earlier generations of Apple MacBook computers, TDM (Target Disk Mode) was a boot mode that made all internal drives appear to an external FireWire-capable system as LUNs that could be consumed by another endpoint (this usually included the internal hard drive and CD/DVD-ROMs). Because of the peer-to-peer nature of FireWire and the standard SCSI command set, implementing a consumer in Linux for this protocol was relatively straightforward.

Modern USB and Thunderbolt based target disk mode requires a machine that is ordinarily a USB host to become a slave. Moreover, Apple's security features such as encryption and effaceable storage complicate the implementation. What follows is an analysis of the USB-based target disk mode protocol, and also a revelation that the FileVault2 key may be extractable (albeit in wrapped form) from a machine without the OS booted. This paper will be extended in the future to cover the slight differences when using Thunderbolt to replace USB mass-storage as an underlying transport.

The first layer of the TDM onion is a simple obfuscation. When an Apple laptop is booted into TDM and a USB 3.0 cable is attached (the USB-C cable needs all USB 3.0 pins connected; UTDM does not work with 1.0, 1.1 or 2.0 cables or controllers), it declares itself to be an Apple device, PID_1800, implementing a Diagnostic Class (0xDC) device with subclass 0x02 and protocol 0x01. This provides two `1024` byte bulk endpoints that communicate with the device in what is called USB MSD BOT (USB mass-storage device, bulk-only transport). This provides basic framing/length, checksum, direction, logical targets, etc. Think of this level as TCP with a set number of pipes. These pipes end up translating into LUNs at the next level up the stack. Beyond this, everything appears to be a superset of the standard SCSI command set. It should be noted that this is not UASP (USB Attached SCSI Protocol), but instead SCSI over the mass-storage BOT. This is a simpler protocol to implement as it doesn't permit more eccentric things like native command queueing.

SCSI sits on top of the BOT layer and provides basic commands, Apple extensions and LUN addressing. A device in UTDM has 4 addresses or, in SCSI language, LUNs (logical unit numbers):

  • The Apple proprietary LUN0 - CONTROL endpoint, for managing power, device information, read/write protect and a few other things.
  • The Apple proprietary LUN1 - AppleKeyStore endpoint. This is for accessing a T2's AppleKeyStore service to unwrap FileVault2 keys with a password.
  • The Apple proprietary LUN2 - AppleEffaceableStorage endpoint. This is to wipe the device key that is used in the wrapping process, stored in special NOR memory (the NVMe is NAND). Wiping this key should provide protection for the entire disk, because without it the volume data cannot be decrypted.
  • The "standard" LUN3 - DISK endpoint with a little non-standard opcode magic. This is a generally compliant SCSI disk.
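An added example, not code from the original analysis: a triage check that parses raw USB device and configuration descriptors and flags the signature described above (PID_1800, class 0xDC / subclass 0x02 / protocol 0x01, two 1024-byte bulk endpoints). Apple's vendor ID 0x05AC, the class triple sitting at interface level, and the sample descriptor bytes are assumptions constructed for illustration.

```python
import struct

APPLE_VID = 0x05AC                # Apple's USB vendor ID (assumption: not given in the text)
UTDM_PID = 0x1800                 # "PID_1800" from the text
UTDM_TRIPLE = (0xDC, 0x02, 0x01)  # class, subclass, protocol from the text

def walk(blob):
    """Yield (bDescriptorType, body) for each length-prefixed USB descriptor."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i] < 2 or i + blob[i] > len(blob):
            raise ValueError(f"truncated or malformed descriptor at offset {i}")
        yield blob[i + 1], blob[i + 2:i + blob[i]]
        i += blob[i]

def classify(device_desc, config_desc):
    """Summarise a device from its raw device and configuration descriptors."""
    if len(device_desc) < 18 or device_desc[1] != 0x01:
        raise ValueError("not a USB device descriptor")
    vid, pid = struct.unpack_from("<HH", device_desc, 8)
    triples = [tuple(device_desc[4:7])]          # device-level class triple
    bulk = []
    for dtype, body in walk(config_desc):
        if dtype == 0x04 and len(body) >= 7:     # interface descriptor
            triples.append(tuple(body[3:6]))
        elif dtype == 0x05 and len(body) >= 5:   # endpoint descriptor
            addr, attrs, mps = struct.unpack_from("<BBH", body)
            if attrs & 0x03 == 0x02:             # transfer type: bulk
                bulk.append(("IN" if addr & 0x80 else "OUT", mps & 0x7FF))
    looks_utdm = ((vid, pid) == (APPLE_VID, UTDM_PID) and UTDM_TRIPLE in triples
                  and sorted(bulk) == [("IN", 1024), ("OUT", 1024)])
    return {"vid": vid, "pid": pid, "triples": triples, "bulk": bulk, "utdm": looks_utdm}

# Constructed sample descriptors (not captured from a real machine).
SAMPLE_DEVICE = bytes.fromhex("12010003000000 09 ac05 0018 0001 010203 01")
SAMPLE_CONFIG = bytes.fromhex(
    "09022c00010100 80 32"            # configuration header, wTotalLength = 44
    "0904000002dc020100"              # interface: class 0xDC, subclass 0x02, protocol 0x01
    "07058102000400" "06300f000000"   # bulk IN, 1024 bytes + SuperSpeed companion
    "07050202000400" "06300f000000")  # bulk OUT, 1024 bytes + SuperSpeed companion
# Same layout with a plain mass-storage BOT interface (0x08/0x06/0x50), for contrast.
PLAIN_MSD_CONFIG = SAMPLE_CONFIG.replace(bytes.fromhex("dc0201"), bytes.fromhex("080650"))

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("plain MSD", PLAIN_MSD_CONFIG)):
        print(name, classify(SAMPLE_DEVICE, cfg))
```

The raw descriptor bytes can come from any source an examiner already has, such as a USB capture or the host's descriptor dump.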