- SECRET//NOFORN
- CENTRAL INTELLIGENCE AGENCY // INFORMATION OPERATIONS CENTER
- (U) Sonic Screwdriver v1.0
- User’s Guide
- November 29, 2012
- Classified By: 4551015
- Reason: 1.4(c)
- Declassify On: 25X1, 20620614
- Derived From: COL S06, MET S06
- (U) Table of Contents
- (U) INTRODUCTION
- (S) NOTES ABOUT IMPLANTED ADAPTER
- (U) TOOL REQUIREMENTS
- (S) TARGET COMPUTER
- (U) REQUIREMENTS FOR BUILDING
- (U) BUILDING AND CONFIGURING
- (S) IMPLANTING ETHERNET ADAPTER
- (S) CONFIGURING BOOT MEDIA FOR TARGET
- (S) EXECUTING SONIC SCREWDRIVER ON TARGET MACHINE
- (U) STEPS TO GAIN EXECUTIONS
- (U) USING SONIC SCREWDRIVER WITH EDG TOOL DERSTARKE
- (U) Introduction
- (S//NF) Sonic Screwdriver is a mechanism for executing code on peripheral devices while a Mac laptop
- or desktop is booting. Normally, an Apple Firmware Password prevents alterations of the boot path.
- Sonic Screwdriver’s mechanism for executing code will allow a user to boot to a USB thumb stick,
- DVD/CD, or external hard drive even when a firmware password is enabled.
- (S//NF) The code for Sonic Screwdriver is stored on the firmware of an Apple Thunderbolt-to-Ethernet
- adapter (see Figure 1.1). The implant code will scan all internal and external media devices for a device
- with a specific volume name. This includes USB thumb drives, CD/DVD discs, and hard drives. If the
- specific volume name is found, it will execute a UEFI boot of that device.
- (U) Figure 1.1: Apple Thunderbolt-to-Ethernet adapter
- (S//NF) The intended CONOP for Sonic Screwdriver is to be able to install EDG/AED tools on a Mac
- even if a firmware password was enabled. EDG/AED tools usually require an operator to boot to a
- specific device. If a firmware password is enabled, the operator will see a password prompt as in Figure
- 1.2 instead of the list of bootable devices. If such a screen appears during the operation, the operator would
- then need to reboot the machine with the implanted adapter plugged into the Thunderbolt port, and
- continue with installation of the EDG tool. See Section 4.2 for specific details.
- (U) Figure 1.2: Apple Firmware Password Prompt
- 1.1. (S) Notes About Implanted Adapter
- (U) Please note the following:
- o (S//NF) Once an adapter has been implanted, preboot functionality of the device will be
- lost. Currently, the only preboot functionality an Apple ethernet adapter serves is for a
- machine to do a netboot.
- o (S//NF) An implanted adapter will function normally as an ethernet adapter once OSX is
- booted.
- o (S//NF) It has been observed that when an EFI shell is loaded from an implanted adapter,
- not all hard drive partitions are visible due to how early the code gets loaded. Note that if
- a Linux distro is being loaded from the implanted adapter, Linux will initialize the hard
- drive itself and all partitions will be visible to inspect or image.
- o (S//NF) Once an adapter has been implanted, it will not be possible to restore it to factory
- default. Sonic Screwdriver uses a commercially available flashing tool from Broadcom
- to flash the firmware of the adapter. Since this tool does not have a read functionality, a
- pristine bootrom was never obtained.
- 2. (U) Tool Requirements
- 2.1. (S) Target Computer
- o (U) Any Mac laptop or desktop with a Thunderbolt port, see Figure 2.1.
- The following is a list of models that have been tested with Sonic Screwdriver:
- • MBA5,1 (Mid 2012 - 11”)
- • MBA5,2 (Mid 2012 - 13”)
- • MBA4,1 (Mid 2011 - 11”)
- • MBA4,2 (Mid 2011 - 13”)
- • MBP10,1 (Mid 2012 - 15” Retina)
- • MBP10,2 (Late 2012 - 13” Retina)
- • MBP9,1 (Mid 2012 - 15”)
- • MBP9,2 (Mid 2012 - 13”)
- • MBP8,1 (Late 2011 - 13”)
- • MBP8,2 (Late 2011 - 15”)
- 2.2. (U) Requirements for Building
- o MacBook Air 5,1 or 5,2 (Mid 2012 - 11” or 13”)
- o External USB DVD/CD-ROM drive to boot the installer.
- o Apple Thunderbolt-to-Ethernet Adapter
- (U) Figure 2.1: Thunderbolt port
- 3. (U) Building and Configuring
- (S//NF) This section contains instructions for building Sonic Screwdriver. The first section will discuss
- how to flash the code onto a new Apple Thunderbolt-to-Ethernet adapter. The second section will discuss
- how to configure the boot media intended to be executed by the implanted ethernet adapter.
- 3.1. (S) Implanting Ethernet Adapter
- (S//NF) The Apple Thunderbolt-to-Ethernet Adapter can only be flashed in a real-mode operating system,
- such as MS-DOS. A CD ISO image is packaged with the tool to make flashing the adapter as seamless as
- possible.
- 1. (U) Locate the following ISO image and burn the image to a DVD or CD:
- UNCLASS_SonicScrewdriverInstall.iso
- 2. (U) Plug the ethernet adapter into the Thunderbolt port of the MacBook Air mentioned in
- Section 2.2. Also plug in the external USB DVD/CD-ROM drive with the DVD/CD created
- from step 1.
- 3. (U) Power up the MacBook Air holding down the ‘Option’ key.
- 4. (U) After a few seconds, a number of boot options should start to appear.
- 5. (U) Select ‘Windows’. This should be the only option with a DVD/CD icon above it.
- 6. (U) Let the installer fully boot. All the default options should be fine.
- 7. (U) Once the DVD/CD boots into FreeDOS, the installer will automatically run the Broadcom
- flash utility to detect the flash in the adapter. There should be only one device listed at size 64K.
- a. (U) If there are no devices listed, ensure the adapter is firmly plugged into the
- Thunderbolt port, and repeat from step 3.
- 8. (U) Type the following at the command line:
- B57UDIAG.exe -ppxe x:\ss.rom
- 9. (U) It will take roughly 1-2 mins to complete the reprogramming of the adapter. Programming is
- complete when control is passed back to the command prompt. Power down the system by holding
- the power button.
- 3.2. (S) Configuring Boot Media for Target
- (S//NF) Once the Thunderbolt-to-Ethernet adapter has been implanted, it will search all media devices for
- a specific volume name and a file path to execute. This includes both internal and external hard drives,
- CD/DVD drives, and USB thumb sticks. The external hard drives and CD/DVD drives can be connected
- via USB, FireWire, or Thunderbolt. Hard disks can be formatted FAT16, FAT32, or HFS+. Hard disks
- formatted NTFS or ext* will not be detected.
- Sonic Screwdriver User’s Guide – Nov 2012
- (S//NF) The volume name that will be searched for is:
- FILER
- (S//NF) Please note that the volume name above is case sensitive in filesystems that allow for case
- sensitivity, such as HFS+.
- (S//NF) The file path to be executed under the volume FILER will be:
- /EFI/BOOT/BOOTX64.efi
- (S//NF) The file path above is the specified default boot path for EFI systems. For example, an
- EFI-compliant Linux distro DVD will have this path with the file BOOTX64.efi as the Linux bootloader for
- that distro. If it is desired to have the implanted ethernet adapter launch this distro, one would only need
- to modify its volume name to be FILER. If it is desired to have the implanted ethernet adapter launch an
- EFI implant, one would need to rename the volume and copy the EFI implant to the file path above on an
- appropriate media device.
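For media triage, the search criteria described in section 3.2 can be turned into a check over mounted volumes. This is an added example, not code from the original guide; the `boot_file` and `triage` helpers, the use of a mount root such as /Volumes, and the case-insensitive path lookup are assumptions.

```python
import os
import tempfile

VOLUME_NAME = "FILER"                        # volume name given in section 3.2
BOOT_PATH = ("EFI", "BOOT", "BOOTX64.efi")   # file path given in section 3.2


def boot_file(volume_root):
    """Resolve BOOT_PATH under a volume, ignoring case (assumption: FAT-style lookup)."""
    path = volume_root
    for part in BOOT_PATH:
        try:
            hits = [e for e in os.listdir(path) if e.lower() == part.lower()]
        except OSError:          # unreadable, or a file where a directory was expected
            return None
        if not hits:
            return None
        path = os.path.join(path, sorted(hits)[0])
    return path if os.path.isfile(path) else None


def triage(mount_root):
    """Flag volumes under mount_root (e.g. /Volumes) that fit the search criteria."""
    findings = []
    for name in sorted(os.listdir(mount_root)):
        root = os.path.join(mount_root, name)
        if not os.path.isdir(root) or name.upper() != VOLUME_NAME:
            continue             # other volume names are not searched for
        efi = boot_file(root)
        if efi is None:
            verdict = "name-only"    # right name, nothing at the boot path
        elif name == VOLUME_NAME:
            verdict = "match"        # exact name plus a file at the boot path
        else:
            verdict = "possible"     # name differs only by case (FAT labels)
        findings.append({"volume": name, "verdict": verdict, "boot_file": efi})
    return findings


if __name__ == "__main__":
    # Constructed sample tree standing in for a mount root; not real evidence.
    with tempfile.TemporaryDirectory() as mnt:
        os.makedirs(os.path.join(mnt, "FILER", "EFI", "BOOT"))
        open(os.path.join(mnt, "FILER", "EFI", "BOOT", "BOOTX64.efi"), "wb").close()
        os.makedirs(os.path.join(mnt, "UBUNTU", "EFI", "BOOT"))
        for finding in triage(mnt):
            print(finding)
```

Ordinary EFI-bootable media also carry /EFI/BOOT/BOOTX64.efi, so the volume name is the discriminating field and a "match" is a lead for examination, not a conclusion.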
- 4. (S) Executing Sonic Screwdriver on Target Machine
- 4.1. (U) Steps to gain executions
- (S//NF) The implanted ethernet adapter needs to be plugged into the Thunderbolt port when the computer
- is powered on in order for code to be executed. If the adapter is plugged in after the machine is powered
- on, no implant code will be executed.
- 1. (U) Plug in ethernet adapter to Thunderbolt port.
- 2. (U) Plug in boot media configured from Section 3.2.
- 3. (U) Power on machine.
- 4. (U) The device should automatically boot without any key presses.
- a. (U) If it does not, it has been observed that certain models of Apple Macs do
- not pick up certain USB devices. Take the following step if this is occurring.
- b. (S//NF) Repeat steps 1-3, but now hold the Option key while booting up. Once either
- a boot list or firmware password screen boots, unplug the boot media device and plug it
- in again. It should then automatically get loaded.
- 4.2. (U) Using Sonic Screwdriver with EDG Tool DerStarke
- (S//NF) DerStarke is an EDG/AED EFI firmware implant against Apple Mac laptops and desktops. It is
- installed with physical access via a USB thumb stick or CD/DVD disc. Please refer to DerStarke 1.3
- User’s Guide for information on how to build the USB thumb stick or CD/DVD.
- (S//NF) By default, the DerStarke builder will define the volume name and file path of the implant with the
- same values as listed in Section 3.2. This means no other configuration will be needed when executing
- Sonic Screwdriver and DerStarke together.
- (S//NF) To install DerStarke:
- 1. (S//NF) Plug in the USB thumb stick or CD/DVD with the DerStarke installer.
- 2. (U) Hold down the power button for 10 secs until the machine starts to boot. If sound was
- enabled, a loud bong will be audible. If sound was disabled, a white screen will be the only
- indicator.
- a. Holding the power button will boot the machine into a flash recovery mode that is
- required to install DerStarke. An error message will result if the power button is not
- held down for 10 sec.
- 3. (U) Hold down the Option key in order to see all the boot options.
- 4. (S//NF) If a list of boot options appears, a firmware password was not enabled. Choose ‘EFI
- Boot’ with the USB or CD icon (depending on which media DerStarke was built to). This will
- complete DerStarke installation.
- 5. (U) If a prompt for a password appears, a firmware password was enabled.
- a. (U) Please note that the prompt should be similar to Figure 1.2. If the screen looks more
- complex, there is a probability that the Option key did not register fast enough, and
- the target machine booted into either an OSX or a FileVault2 password screen.
- 6. (S//NF) Power down the system, and reboot with the implanted ethernet adapter and the
- DerStarke media inserted. Do not forget to hold down the power button for 10 secs. Holding
- down the Option key is not required when the implanted ethernet adapter is plugged in.
- a. (S//NF) DerStarke installation should proceed automatically without any key press interactions.
- If it does not, it is possible that the Mac and USB stick might require an unplug and re-plug
- as mentioned in Section 4.1.
- b. (S//NF) Repeat steps 1-3, but now hold the Option key while booting up. Once the
- firmware password screen boots, unplug the boot media device and plug it in again. It
- should then automatically get loaded.