Apple’s T2 Security Chip Confirmed To Slap Handcuffs On Some Third-Party Repairs

By on December 17, 2018


Apple touts its T2 security chip as “the next generation of security” for its 13-inch and 15-inch MacBook Pro with Touch Bar models, pitching it as a feature and benefit to customers. Is it really, though? The T2 chip has come under fire for its ability to effectively thwart third-party repairs. The answer, as it turns out, is not a simple one.
First let’s talk about what the T2 security chip actually does. On Apple’s website, the company describes various functions of the chip, all of which sound like selling points for a potential buyer.
“The Apple T2 security chip includes a Secure Enclave co-processor that provides the foundation for secure boot and encrypted storage capabilities. It also consolidates many discrete controllers, including the system management controller, audio controller, and SSD controller, into one. And the Apple T2 security chip brings a familiar voice to MacBook Pro—Hey Siri is always ready to open apps, find documents, play music, or answer your questions,” Apple says.
That all sounds well and good, but the problem as it pertains to the right-to-repair movement is that the T2 chip can prevent a MacBook Pro from booting if it detects an unauthorized repair.
Apple confirmed as much to The Verge, explaining that certain components like the logic board and Touch ID sensor will trigger the T2 chip to verify a repair if replaced. However, Apple wasn’t willing to share a full list of components that would trigger the security check, or a full list of affected devices—only that the T2 chip is present on newer Macs.
Now here’s where things get interesting. Teardown specialist Adam O’Camb at iFixit decided to investigate how well the T2 chip works, as it pertains to preventing unauthorized repairs.
“According to an internal Apple service document, any Mac with an Apple T2 chip now requires the proprietary ‘Apple Service Toolkit 2 (AST 2) System Configuration Suite’ (whew, that’s a mouthful!) to complete certain repairs… After replacing a part, a technician must run the configuration suite, which connects to Apple’s Global Service Exchange (GSX) server to perform performance and compatibility checks for the new parts. Without this software, an internet connection, and approval from Apple’s servers, the repair is considered incomplete and the computer is rendered inoperative,” O’Camb explains.
In theory, replacing the logic board should trigger the T2 security chip to dial home, which would then prevent the system from booting. However, O’Camb was able to replace the logic board in a brand new 2018 13-inch MacBook Pro with Touch Bar purchased from his local Apple Store. He also swapped out the display and updated Mojave. In each case, the MacBook Pro booted normally.
It’s not clear why the T2 security chip didn’t prevent his system from booting. Apple told The Verge that swapping out the display assembly should not require the diagnostic tool, and we imagine that updating Mojave wouldn’t have any effect. But replacing the logic board is another matter. It’s possible that the logic board had already been validated with Apple, and therefore passed the security check. O’Camb has another theory.
“It could simply be a mechanism for tracking parts used by their authorized network, to check quality or replacement rates. It’s possible that units with swapped parts may operate normally, but still report a failure in Apple diagnostic tests for having ‘unauthorized’ components installed—much like earlier units did on earlier versions of AST for third party HDD/SSD, RAM and batteries,” O’Camb surmises.
The situation is all a bit murky, and also unsettling—even though O’Camb was able to swap out the logic board without issue, he also notes that a “future software update could render these ‘incomplete repairs’ inoperative, and who knows when, or if, a fix will follow.” Food for thought.

