Cod3Gre3n

Vault 7 Project (Sonic Screwdriver)

Mar 24th, 2017
SECRET//NOFORN

CENTRAL INTELLIGENCE AGENCY // INFORMATION OPERATIONS CENTER

(U) Sonic Screwdriver v1.0

User's Guide

November 29, 2012

Classified By: 4551015
Reason: 1.4(c)
Declassify On: 25X1, 20620614
Derived From: COL S06, MET S06
(U) Table of Contents

(U) Introduction
(S) Notes About Implanted Adapter
(U) Tool Requirements
(S) Target Computer
(U) Requirements for Building
(U) Building and Configuring
(S) Implanting Ethernet Adapter
(S) Configuring Boot Media for Target
(S) Executing Sonic Screwdriver on Target Machine
(U) Steps to Gain Execution
(U) Using Sonic Screwdriver with EDG Tool DerStarke
1. (U) Introduction

(S//NF) Sonic Screwdriver is a mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting. Normally, an Apple Firmware Password prevents alterations of the boot path. Sonic Screwdriver's mechanism for executing code will allow a user to boot to a USB thumb stick, DVD/CD, or external hard drive even when a firmware password is enabled.

(S//NF) The code for Sonic Screwdriver is stored on the firmware of an Apple Thunderbolt-to-Ethernet adapter (see Figure 1.1). The implant code will scan all internal and external media devices for a device with a specific volume name. This includes USB thumb drives, CD/DVD discs, and hard drives. If the specific volume name is found, it will execute a UEFI boot of that device.

(U) Figure 1.1: Apple Thunderbolt-to-Ethernet adapter

(S//NF) The intended CONOP for Sonic Screwdriver is to be able to install EDG/AED tools on a Mac even if a firmware password was enabled. EDG/AED tools usually require an operator to boot to a specific device. If a firmware password is enabled, the operator will see a password prompt as in Figure 1.2 instead of the list of bootable devices. If such a screen appears during the operation, the operator would then need to reboot the machine with the implanted adapter plugged into the Thunderbolt port, and continue with installation of the EDG tool. See Section 4.2 for specific details.

(U) Figure 1.2: Apple Firmware Password Prompt

1.1. (S) Notes About Implanted Adapter

(U) Please note the following:
o (S//NF) Once an adapter has been implanted, preboot functionality of the device will be lost. Currently, the only preboot functionality an Apple Ethernet adapter serves is for a machine to do a netboot.
o (S//NF) An implanted adapter will function normally as an Ethernet adapter once OSX is booted.
o (S//NF) It has been observed that when an EFI shell is loaded from an implanted adapter, not all hard drive partitions are visible due to how early the code gets loaded. Note that if a Linux distro is being loaded from the implanted adapter, Linux will initialize the hard drive itself and all partitions will be visible to inspect or image.
o (S//NF) Once an adapter has been implanted, it will not be possible to restore it to factory default. Sonic Screwdriver uses a commercially available flashing tool from Broadcom to flash the firmware of the adapter. Since this tool does not have a read functionality, a pristine bootrom was never obtained.
2. (U) Tool Requirements

2.1. (S) Target Computer

o (U) Any Mac laptop or desktop with a Thunderbolt port, see Figure 2.1. The following is a list of models that have been tested with Sonic Screwdriver:
• MBA5,1 (Mid 2012 - 11)
• MBA5,2 (Mid 2012 - 13)
• MBA4,1 (Mid 2011 - 11)
• MBA4,2 (Mid 2011 - 13)
• MBP10,1 (Mid 2012 - 15" Retina)
• MBP10,2 (Late 2012 - 13" Retina)
• MBP9,1 (Mid 2012 - 15)
• MBP9,2 (Mid 2012 - 13)
• MBP8,1 (Late 2011 - 13)
• MBP8,2 (Late 2011 - 15)

2.2. (U) Requirements for Building

o MacBook Air 5,1 or 5,2 (Mid 2012 - 11 or 13)
o External USB DVD/CD-ROM drive to boot the installer.
o Apple Thunderbolt-to-Ethernet Adapter
  117. (U) Figure 2.1: Thunderbolt port
3. (U) Building and Configuring

(S//NF) This section contains instructions for building Sonic Screwdriver. The first section will discuss how to flash the code onto a new Apple Thunderbolt-to-Ethernet adapter. The second section will discuss how to configure the boot media intended to be executed by the implanted Ethernet adapter.

3.1. (S) Implanting Ethernet Adapter

(S//NF) The Apple Thunderbolt-to-Ethernet Adapter can only be flashed in a real-mode operating system, such as MS-DOS. A CD ISO image is packaged with the tool to make flashing the adapter as seamless as possible.

1. (U) Locate the following ISO image and burn the image to a DVD or CD:
   UNCLASS_SonicScrewdriverInstall.iso
2. (U) Plug the Ethernet adapter into the Thunderbolt port of the MacBook Air mentioned in Section 2.2. Also plug in the external USB DVD/CD-ROM drive with the DVD/CD created in step 1.
3. (U) Power up the MacBook Air holding down the 'Option' key.
4. (U) After a few seconds, a number of boot options should start to appear.
5. (U) Select 'Windows'. This should be the only option with a DVD/CD icon above it.
6. (U) Let the installer fully boot. All the default options should be fine.
7. (U) Once the DVD/CD boots into FreeDOS, the installer will automatically run the Broadcom flash utility to detect the flash in the adapter. There should be only one device listed, at size 64K.
   a. (U) If there are no devices listed, ensure the adapter is firmly plugged into the Thunderbolt port, and repeat from step 3.
8. (U) Type the following at the command line:
   B57UDIAG.exe -ppxe x:\ss.rom
9. (U) It will take roughly 1-2 mins to complete the reprogramming of the adapter. Programming is complete when control is passed back to the command prompt. Power down the system by holding the power button.
3.2. (S) Configuring Boot Media for Target

(S//NF) Once the Thunderbolt-to-Ethernet adapter has been implanted, it will search all media devices for a specific volume name and a file path to execute. This includes both internal and external hard drives, CD/DVD drives, and USB thumb sticks. The external hard drives and CD/DVD drives can be connected via USB, FireWire, or Thunderbolt. Hard disks can be formatted FAT16, FAT32, or HFS+. Hard disks formatted NTFS or ext* will not be detected.
(S//NF) The volume name that will be searched for is:
   FILER

(S//NF) Please note that the volume name above is case sensitive in filesystems that allow for case sensitivity, such as HFS+.

(S//NF) The file path to be executed under the volume FILER will be:
   /EFI/BOOT/BOOTX64.efi

(S//NF) The file path above is the specified default boot path for EFI systems. For example, an EFI-compliant Linux distro DVD will have this path with the file BOOTX64.efi as the Linux bootloader for that distro. If it is desired to have the implanted Ethernet adapter launch this distro, one would only need to modify its volume name to be FILER. If it is desired to have the implanted Ethernet adapter launch an EFI implant, one would need to rename the volume and copy the EFI implant to the file path above on an appropriate media device.
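As a defender-side illustration added here (not code from the guide), the following Python models the media-selection rule Section 3.2 describes, so an inventory of attached volumes can be reviewed for media prepared for this trigger. The volume records are constructed sample data; treating the file path under the same case rule as the volume name is my assumption, not something the guide states.

```python
# Defender-side heuristic: flag attached volumes that match the Sonic Screwdriver
# boot-media rule from Section 3.2 (volume name FILER plus /EFI/BOOT/BOOTX64.efi,
# on FAT16/FAT32/HFS+ only). Added illustration; not code from the guide.
from dataclasses import dataclass

TRIGGER_VOLUME = "FILER"
TRIGGER_PATH = "/EFI/BOOT/BOOTX64.efi"
# Guide: FAT16, FAT32 and HFS+ are scanned; NTFS and ext* are never detected.
SCANNED_FS = {"fat16", "fat32", "hfs+", "hfs+ (case-sensitive)"}


@dataclass
class Volume:
    name: str
    fs: str                       # filesystem type, lower-cased
    files: frozenset              # file paths present on the volume
    case_sensitive: bool = False  # True for case-sensitive HFS+


def _match(a: str, b: str, case_sensitive: bool) -> bool:
    # Guide: the volume name is case sensitive only on filesystems that allow
    # it (e.g. HFS+). Assumption: the file path follows the same rule.
    return a == b if case_sensitive else a.casefold() == b.casefold()


def would_trigger(vol: Volume) -> bool:
    """True if the implant's scan would select this volume for UEFI boot."""
    if vol.fs not in SCANNED_FS:
        return False
    if not _match(vol.name, TRIGGER_VOLUME, vol.case_sensitive):
        return False
    return any(_match(p, TRIGGER_PATH, vol.case_sensitive) for p in vol.files)


def scan(volumes) -> list:
    """Names of volumes an inventory review should flag."""
    return [v.name for v in volumes if would_trigger(v)]


# Constructed sample inventory (not from the guide).
SAMPLE = [
    Volume("FILER", "fat32", frozenset({"/EFI/BOOT/BOOTX64.efi"})),
    Volume("filer", "fat32", frozenset({"/efi/boot/bootx64.efi"})),  # FAT ignores case
    Volume("filer", "hfs+ (case-sensitive)", frozenset({"/EFI/BOOT/BOOTX64.efi"}), True),
    Volume("FILER", "ntfs", frozenset({"/EFI/BOOT/BOOTX64.efi"})),  # never scanned
    Volume("Macintosh HD", "hfs+", frozenset({"/EFI/BOOT/BOOTX64.efi"})),
]

if __name__ == "__main__":
    print(scan(SAMPLE))  # ['FILER', 'filer']
```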
4. (S) Executing Sonic Screwdriver on Target Machine

4.1. (U) Steps to Gain Execution

(S//NF) The implanted Ethernet adapter needs to be plugged into the Thunderbolt port when the computer is powered on in order for code to be executed. If the adapter is plugged in after the machine is powered on, no implant code will be executed.

1. (U) Plug the Ethernet adapter into the Thunderbolt port.
2. (U) Plug in the boot media configured in Section 3.2.
3. (U) Power on the machine.
4. (U) The device should automatically boot without any key presses.
   a. (U) If it does not: it has been observed that certain models of Apple Macs do not pick up certain USB devices. Take the following step if this is occurring.
   b. (S//NF) Repeat steps 1-3, but now hold the Option key while booting up. Once either a boot list or firmware password screen appears, unplug the boot media device and plug it in again. It should then automatically get loaded.

4.2. (U) Using Sonic Screwdriver with EDG Tool DerStarke

(S//NF) DerStarke is an EDG/AED EFI firmware implant against Apple Mac laptops and desktops. It is installed with physical access via a USB thumb stick or CD/DVD disc. Please refer to the DerStarke 1.3 User's Guide for information on how to build the USB thumb stick or CD/DVD.
(S//NF) By default, the DerStarke builder will define the volume name and file path of the implant with the same values as listed in Section 3.2. This means no other configuration will be needed when executing Sonic Screwdriver and DerStarke together.

(S//NF) To install DerStarke:
1. (S//NF) Plug in the USB thumb stick or CD/DVD with the DerStarke installer.
2. (U) Hold down the power button for 10 secs until the machine starts to boot. If sound was enabled, a loud bong will be audible. If sound was disabled, a white screen will be the only indicator.
   a. Holding the power button will boot the machine into a flash recovery mode that is required to install DerStarke. An error message will result if the power button is not held down for 10 sec.
3. (U) Hold down the Option key in order to see all the boot options.
4. (S//NF) If a list of boot options appears, a firmware password was not enabled. Choose 'EFI Boot' with the USB or CD icon (depending on which media DerStarke was built to). This will complete the DerStarke installation.
5. (U) If a prompt for a password appears, a firmware password was enabled.
   a. (U) Please note that the prompt should be similar to Figure 1.2. If the screen looks more complex, there is a probability that the Option key did not register fast enough, and the target machine booted into either an OSX or a FileVault2 password screen.
6. (S//NF) Power down the system, and reboot with the implanted Ethernet adapter and the DerStarke media inserted. Do not forget to hold down the power button for 10 secs. Holding down the Option key is not required when the implanted Ethernet adapter is plugged in.
   a. (S//NF) DerStarke installation should proceed automatically without any key press interactions. If it does not, it is possible that the Mac and USB stick might require an unplug and re-plug as mentioned in Section 4.1.
   b. (S//NF) Repeat steps 1-3, but now hold the Option key while booting up. Once the firmware password screen boots, unplug the boot media device and plug it in again. It should then automatically get loaded.
SECRET//NOFORN 22/03/2017.