CRN Dead Wrong About Macintel Exploits

CRN’s security analyst Kevin Finisterre seems to believe that Mac is "more hackable" on Intel… for the wrong reasons. 

Apple’s switch from PowerPC to Intel-based Macs could lead to more attacks and cross-platform exploits, according to some researchers and solution providers.

OS X includes features that make it a target for malware, and the Intel-based Macs may be even more vulnerable than their PowerPC predecessors, according to security researcher Kevin Finisterre, who created the three recent versions of InqTana, a proof-of-concept worm that spreads through a vulnerability in the Bluetooth feature of OS X.

"I honestly think that the general 'script kiddie' crowd is more familiar and comfortable on an Intel processor versus a PowerPC," said Finisterre. Simply moving from the 4-byte instructions that PowerPCs use to the 1-byte instructions Intel processors use lowers the bar for exploits, he added.

It’s been a while since I last had to cut and paste articles for debunking, but this one is an interesting article, comes from a well-established source, and has a lot more to it than meets the eye.

Starting off with the most obvious fallacies in his statement: hackers write exploits, "script kiddies" download and run them. People don’t hack Mac because it’s not worth it, not because PPC makes it impossible to do. If you can write code for x86, you can write code for PPC. PPC is not bulletproof, and 4 bytes is not an impregnable armor… else the rest of the world would have used it too.


Making XP work with Apple’s EFI

Macintel Articles @ NeoSmart:

What’s wrong with us!? With me? Windows was my first OS, yet it never crossed my mind to modify Windows to work on EFI? Instead I’ve been taking the super-long, weary, and winding road of getting an iMac to become BIOS compatible. Well, I’m back on familiar terrain, modding XP is where I think I can make it work. Instead of using BIOS emulators or chain-bootloaders and what not, how about just making XP run on EFI? What is NTLDR??

To put it simply, NTLDR is activated by the BIOS in order to boot an NT-based OS; NT-based OSes include Windows XP, our current focus. NTLDR requires a bootsector in the MBR. EFI requires that a null MBR exist, so using fixntfs as highlighted in my previous post activates the MBR and allows the booting of XP. After NTLDR is activated, ntdetect.com is run, which gathers hardware information and creates the low-level hardware information layer, which in turn is where Windows XP sends its BIOS-related commands! From Wikipedia:

NTLDR runs ntdetect.com, which gathers information about the computer’s hardware (if ntdetect hangs during hardware detection there is a debug version called ntdetect.chk which can be found on Microsoft support […] Starts ntoskrnl.exe, passing to it the information returned by ntdetect.com.


Hardware Hacks: Macintel XP


What started off as a simple post with my ponderings has kicked off quite a stir and now I am deeply motivated to find a fix.. Call it OCD, call it perfectionism, call it (uber)geekiness, I need to find out what can be done to make it work….

Hardware Background

What I am trying to do here is to find a way to do this short of adding another motherboard to the box. Obviously a cheap hardware solution is better than an extremely time-consuming software fix, which is still better than buying another mobo just for Windows :) OK. First let’s establish some facts on the mobo used in the MacBook Pro and the iMac Core Duo (sorry about the naming confusion earlier guys!).

  1. Intel makes the chips. 100% of them. Nothing on it is made by Mac. Maybe programmed by Mac, but not made by Mac. Why? The only reason they switched to Intel was because the cost of making anything compared to Apple’s share of the market nowhere near justified the price. So Apple uses boards made by Intel. Not even customized Intel boards, because that was their gripe with IBM. Apple just doesn’t have enough demand for them to give them customized chips. Also Intel stated that the boards for Apple were just like any other board.
  2. EFI. Currently the biggest obstacle. Intel stated it uses standard boards for Apple (see point 1). From what I have managed to gather the only Intel board with EFI support is the 945 chipset. Not even the 955 or 975 has EFI support. All 945 chipsets currently sold to the public (besides Apple obviously) use BIOS, not EFI. Now that is something interesting to take note of!
  3. The rest of the hardware is one hundred percent PC (ergo, Windows) compatible.

So VERY simply, from what I have been able to determine… Mac programmed the EFI and flashed it to an EPROM/chip on a mobo that supports EFI and/or BIOS. The solution to booting XP on a Macintel is one step:

  1. Grab the BIOS chip from a 945 motherboard and replace the EFI Chip on the 945 in the iMac with it…

But, there are obviously (immediately visible) issues.

  1. It’s an original Intel mobo, not a rebranded (like Chaintech or Abit) so it should technically work….
  2. But at the same time it is a desktop chip which means you lose the APM (advanced power management) features for a Mac.. Or do you?
  3. Well, even assuming it works and you get BIOS onto that mobo of yours (no mean task by itself); congratulations you now have a PC. Not a Macintel. A PC!!!!

Obviously that is not what we want…. But then there is more that can be done to make it work… Now I *presume* OS X won’t boot on a non-EFI platform.. But I highly doubt that Apple would be so naive as to use security via obscurity. After all, soon enough EFI is coming to the PC world too (hurry up Dell!). I believe the key to stopping people from using Macintosh on a PC is the TPM chips encrypted with Apple’s private key. But nevertheless, it boils down to one question: When they compiled the BSD kernel for Mac OS X for Macintel, did they just add EFI support or actually go back and strip out BIOS commands?

Logic would say that they only added EFI and did not remove BIOS, simply for compatibility reasons; and should they ever want a BIOS Macintel, they have the compatible code already. What’s more, to actually remove BIOS support from the BSD kernel is like finding needle splinters in a haystack. So long as the code is in an IF bracket that is only activated if BIOS=true it doesn’t slow down the operating system any. So assuming the above is true, you should be able to boot Mac OS X on a BIOS’d version of an iMac or MacBook. Now what if it isn’t true? This is a “guaranteed to work & much work required” solution.

  1. Get a blank EPROM BIOS/EFI chip.. Or just wipe an existing 945 chip clear.
  2. Use asm to write a very simple menu where upon boot you are asked to select EFI or BIOS.
  3. Copy the original EFI code and the legacy BIOS code to the chip. They should fit, it’s a 4MB chip.
  4. Upon selecting EFI or BIOS you get forwarded to the respective code.

Now where to find someone that knows asm that well? Intel, AMD, Apple, Soyo, Award, or AMI would be my guess, but why should they make it anyway? Yeah, so the above was how to do a hardware-based solution for XP on Macintel.

Why a Hardware Solution is Best

  1. You don’t mess with HD images to get XP installed.. You just get the BIOS working then install from CD
  2. Minimal trouble for the final user… Just get a chip, replace, and boot.
  3. Most likely to work and “failproof”

Why NOT a Hardware Solution

  1. End users will have to buy a chip.. And as far as I know, they are hard to get.
  2. Takes the most time to get working, and most amount of “Hackers’ R&D”
  3. Immediate compatibility with any BIOS based programs.

Actually, so long as Mac OS X runs on BIOS as well as EFI it’s quite easy to implement… If it doesn’t.. Well I told you what needs to be done, the problem is implementing it.

Windows XP on Mac?

This solution is outdated. Use EasyBCD instead.


The Problems

  • Macintosh uses a different MBR
  • MacBooks use EFI, XP x86 uses BIOS
  • The modified Darwin Bootloader is made for EFI w/ EFI supporting operating systems

OK… So step by step. Where is the BIOS used? For what? How? The OS sends low-level calls to the BIOS that tell it exactly how to deal with the hardware. Now I don’t have the Windows XP source code at hand.. so all I can tell you for a fact is that NTLDR uses it to access the drive at first to boot Windows, and Windows uses it at *least* once more when it is mounting the drives.
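The two shapes of sector 0 that this post and the NTLDR post above contrast, a GPT disk as an Intel Mac ships it versus a legacy MBR carrying boot code and an active NTFS partition for NTLDR, can be told apart from the first 512 bytes alone. The inspector below is an added example, not code from the original post; the sample sectors are constructed inline and the classification labels are my own wording.

```python
import struct

MBR_SIZE = 512
GPT_PROTECTIVE = 0xEE   # partition type a GPT disk (an Intel Mac's drive) shows in sector 0
NTFS_HPFS = 0x07        # partition type of the XP volume NTLDR is expected to boot

def parse_mbr(sector: bytes) -> dict:
    """Read sector 0: 0x55AA signature, whether the 440-byte code area is non-zero, 4 entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("sector 0 must be exactly 512 bytes")
    signature_ok = sector[510:512] == b"\x55\xAA"
    has_boot_code = any(sector[:440])      # all-zero code area is what the post calls a 'null MBR'
    partitions = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:
            partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"signature_ok": signature_ok, "has_boot_code": has_boot_code, "partitions": partitions}

def classify(info: dict) -> str:
    """Say which boot path sector 0 supports: GPT protective (EFI/Mac) or legacy BIOS -> NTLDR."""
    if not info["signature_ok"]:
        return "no MBR signature"
    if any(p["type"] == GPT_PROTECTIVE for p in info["partitions"]):
        return "GPT protective MBR" + ("" if info["has_boot_code"] else " (null boot code)")
    if not info["has_boot_code"]:
        return "partition table only: no boot code to hand off to NTLDR"
    if any(p["active"] and p["type"] == NTFS_HPFS for p in info["partitions"]):
        return "legacy MBR with active NTFS partition: BIOS boot path to NTLDR possible"
    return "legacy MBR"

def build_mbr(entries, boot_code=False) -> bytes:
    """Constructed sample sector (not a real disk image); entries are (active, type, lba, count)."""
    sector = bytearray(MBR_SIZE)
    if boot_code:
        sector[0:3] = b"\xEB\x3C\x90"  # a JMP stub so the code area is non-zero
    for i, (active, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, 446 + 16 * i, 0x80 if active else 0, ptype, lba, count)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)

# constructed samples: a Mac-style GPT disk and an XP disk laid out as NTLDR expects it
MAC_GPT_MBR = build_mbr([(False, GPT_PROTECTIVE, 1, 0xFFFFFFFF)])
XP_MBR = build_mbr([(True, NTFS_HPFS, 63, 2_097_152)], boot_code=True)

if __name__ == "__main__":
    for name, sector in (("Mac GPT disk", MAC_GPT_MBR), ("XP disk", XP_MBR)):
        print(f"{name}: {classify(parse_mbr(sector))}")
```

On a real machine you would feed parse_mbr the first 512 bytes read from the disk device instead of the constructed samples.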

The Required Programs and Stuff

  • Acronis Disk Director Bootable CD
  • Acronis True Image
  • Another computer with a clean install of XP. No programs installed at all.
  • A MacBook obviously!
  • A Windows Vista DVD (not for installation purposes!)
  • Vista boot files
  • bcdedit.exe
  • BCDedit restore file

Most of the problems can be theoretically quickly dealt with.

  1. Using the Bootable Acronis Disk Director CD on the MacBook, shrink the Mac partition. Create a new partition of type NTFS/HPFS in the remaining space.
  2. Setup a clean version of XP on a PC.
  3. Extract Boot.7z to the root drive of your XP installation.. So you have C:\Boot\
  4. Copy bcdedit.exe to the root drive of your XP installation. C:\BCDedit.exe
  5. Copy MacBook.bcd to the root drive of your XP installation
  6. Use sysprep to “reseal” your XP install and remove all hardware info from the setup
  7. Use Acronis TrueImage CD to make an image of your XP install.
  8. Use the bootable Acronis True Image CD to recreate the image on the partition you just made on your MacBook.
  9. Use the Bootable Vista DVD to boot on the MacBook.
  10. Select “Repair Startup” -> Next -> CMD -> Run too.
  11. Browse to drive C:\Boot (which is the partition you created on the MacBook and then extracted the Acronis TrueImage file to). (cd C:\boot)
  12. Run “fixntfs.exe -lh” without the quotes
  13. Browse back to drive C:\ (cd \)
  14. Run “bcdedit.exe /import MacBook.bcd” without the quotes
  15. Eject the CD and restart.
  16. In Mac now, hack the Darwin Bootloader to add another entry that chainloads Drive(0) Partition(2). With GRUB it would look something like this… I’m not sure if Darwin is the same, but this step is very simple, and has nothing to do with EFI.

    title Windows XP
    rootnoverify (hd0,1)
    chainloader +1
  17. Restart
  18. By selecting “Windows XP” on the Darwin Bootloader you should be chainloaded to the Vista bootloader, which should in turn boot the entry “NeoSmart Windows XP”
  19. If everything has gone well, XP will boot!!