Jailbreaking the T2 with checkra1n

In this guide we walk you through using checkra1n with the T2.

Jailbreaking the T2 with checkra1n

What is Jailbreaking a Mac Anyway?

This is a question we get a lot. What does it mean to “jailbreak” a Mac, since you can already run any code you want (if you bypass code-signing, SIP, SecureBoot and Gate Keeper anyway).  When we say “jailbreak a Mac” what we mean is jailbreaking the AppleSilicon T2 processor.  This core runs a iOS derivative called bridgeOS.  Until now Apple has not allowed or supported any non-Apple code executing on this core.  Since this core comes up and aids in the operation of the Intel processor, it allows for a bunch of possibilities not possible before, such as completely replacing the Mac’s EFI.
An overview of the process is:

  • Get a copy of checkra1n and libimobiledevice
  • Place the Mac into DFU mode using the Apple support guide
  • Connect to the technician workstation (yes you need a second computer)
  • Run checkra1n
  • Connect to SSH

checkra1n 0.11 and T2 Support

With the release of checkra1n 0.11 came support for the T2 and bridgeOS as a target.  You will need to have downloaded(and in the cases of a Mac, run at least once to bypass Gate Keeper) the aforementioned tool before proceeding.  If you haven't done so go on over to https://checkra.in to get a copy.  In order to access SSH you’ll also need the tools from https://libimobiledevice.org.  If you’re on a Mac you can install this from home-brew with brew install libimobiledevice and you can install on Linux by installing the matching package for your distribution.

Placing the T2 Into DFU Mode

Fortunately for us, Apple have provided instructions on how to place a T2 based Mac into DFU.  This is in their support guide “Revive or restore Mac firmware in Apple Configurator 2”.  Per their instructions, a USB-C to USB-C or USB-C to USB-A cable is required.  Thunderbolt is not supported.  Once you find the model of your Mac, connect the DFU port to the computer where you have installed checkra1n.  Follow the model specific guidance in that support article to place the computer into DFU mode.  Once that’s done, you can verify by running lsusb on Linux and ioreg -p IOUSB from a Mac.  You should see an Apple Mobile Device (DFU Mode) mode attached if you successfully entered DFU.

A DFU device in lsusb

A DFU device in ioreg -p IOUSB

Running checkra1n

Currently checkra1n can only be run in CLI mode (running any GUI mode will inform you the device is not supported).  If you have issues you can increase the debug output with --verbose-boot and --verbose-logging
From a Mac: sudo ./checkra1n.app/Contents/MacOS/checkra1n --cli
From Linux: sudo ./checkra1n --cli

A successful run of checkra1n for the T2

Connecting to SSH

Once the device has run checkra1n, it’s ready to accept a connection to dropbear for SSH.  You connect to the SSH server on a T2 by proxying the connection over usbmuxd.  The SSH server runs on port 44 due to specialized handing of 22 in the kernel.  Also you will have to remain tethered to the T2 for the duration of your SSH session because once the USB connection is broken, it will release the port to the Intel host controller.  As always, the password like an iPhone, is alpine

$ iproxy 2202 44 &
$ ssh -p 2202 [email protected]
Successfully connecting to the T2 over SSH