Research about malware that infects the EFI and SMC of Apple MacBooks.
Loki / Thor / Mojo are a triad of Apple internal tools and malware that infects the SMC, EFI and macOS of Apple MacBooks.
It is believed that direct access to the hardware is gained by re-flashing the Thunderbolt controller (via ThorUtil: 5CE0F1, 5CECE9, 5CFAB5, 5D1751) and a few submodules. ThorUtil path: UPDATERS\TBTH\ThorUtil
Submodules and tools:
efivalidate - open source version of eficheck.
peiutil - tool to convert Terse Executable (TE) format images to something Hopper understands: http://wiki.phoenix.com/wiki/index.php/Terse_Executable_Format
smcutil - tooling for extracting and examining the Apple SMC image.
huffdiff
lokiremove
eficheck - /usr/libexec/firmwarecheckers/eficheck/eficheck, the High Sierra utility to extract and redact your firmware image.
Reinstalling macOS changed with 10.12.4.
ifdtool - utility code and tools.
unhuffme - tool for decoding the Intel ME regions of the flash.
To check a machine:
ioreg | grep MojoKDP
sudo /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check
eficheck, or efivalidate on another machine.

/dev/tty.MALS and /dev/tty.SOC are the serial connections to MojoKDP (previous versions of macOS showed these as two LPSS Serial Adapter connections). SOC is likely a connection to the SMC.

That eficheck now offers to let you submit samples is not lost on me. (The original submission number is 671195078)