Target Mac EFI FileVault2
PCILeech, together with USB3380 hardware, is able to recover FileVault2 passwords from Macs running versions prior to 10.12.2 (macOS Sierra, released Dec. 13, 2016) by rebooting them. The Mac EFI FileVault2 attack is also known as CVE-2016-7585.
For additional information please see the blog entry about it here.
Please check out the YouTube video below for a quick one-minute demonstration of what an attack may look like:
Connect the PCILeech device to the Thunderbolt port of a vulnerable, running Mac and run the command below to exploit it and retrieve the FileVault2 password (USB3380 only).
pcileech.exe mac_fvrecover
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them, it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development, please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖