Changing the Startup Chime on a T2 Mac
Currently works on bridgeOS 4.x and 5.0.1. Any bridgeOS version above 5.0.1 will not allow you to modify the snapshot. If you modify it anyway, your T2 chip will go into an infinite boot loop, which requires a T2 chip ‘Revive’ via Apple Configurator 2.
IMPORTANT WARNING: I am not responsible for any damages, hardware bricks, voided warranties or loss of personal data. Please do some research if you have any concerns about this process before attempting it yourself, especially since the checkra1n jailbreak cripples a lot of the T2’s security features. YOU are choosing to make these modifications to your device, and if anything goes wrong, you should blame nobody but yourself.
Intro:
Around the beginning of August of this year, I was analysing the bridgeOS 4.x firmware from an IPSW file in an attempt to find the new Mac startup chime. Surprisingly enough, it was an AIFF file at this location:
/System/Library/PrivateFrameworks/BridgeAccessibilitySupport.framework/AXEFIAudio_VoiceOver_Boot.aiff
The fact that it is stored as a plain AIFF file makes it much easier to replace, since AIFF is a standard audio format that music player apps such as iTunes can play.
What you will need to do this yourself:
· A Mac with T2 chip
· Checkra1n jailbreak for the T2 Mac
· A second Mac to send the checkra1n payload to the T2 Mac and to copy the chime over SSH
· A USB-C cable
Creating the custom boot chime file:
To create a custom boot chime file, use a program such as GarageBand or Logic Pro X: drag your preferred chime into the project and trim it to whatever length you prefer. A custom chime can be up to 10 seconds long and it doesn’t interrupt the startup process at all!
If you export with GarageBand, here is Apple’s guide on exporting to AIFF: https://support.apple.com/kb/PH24969?locale=en_CA
If you export with Logic Pro X, click on the menu bar: File -> Bounce Project or Section, and export with these settings:
· PCM
· AIFF as file format
· 16-bit resolution
· 44100 Sample Rate
· File type: Interleaved
· Dithering: None
When asked where to save the file, we will save it in the home folder for convenience and name it ‘AXEFIAudio_VoiceOver_Boot.aiff’.
After exporting, you then have your custom boot chime ready to copy to the T2 Mac!
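A quick check before copying the file over, as an added example that is not part of the original guide: it parses the AIFF header and confirms the export matches the settings above (a plain AIFF container rather than AIFC, 16-bit, 44100 Hz, no more than 10 seconds). The build_sample_aiff helper constructs a silent test file; on a real export, pass the bytes of AXEFIAudio_VoiceOver_Boot.aiff to check_chime instead.

```python
import math
import struct

WANT_BITS, WANT_RATE, MAX_SECONDS = 16, 44100.0, 10.0  # export settings from the guide

def _ext80_to_float(b: bytes) -> float:
    """Decode the 80-bit IEEE extended float that COMM uses for sampleRate (positive values)."""
    sign_exp, mant = struct.unpack(">HQ", b)
    return mant * 2.0 ** ((sign_exp & 0x7FFF) - 16383 - 63)

def _float_to_ext80(x: float) -> bytes:
    m, e = math.frexp(x)  # x == m * 2**e with 0.5 <= m < 1, so the explicit integer bit is set
    return struct.pack(">HQ", e - 1 + 16383, int(m * (1 << 64)))

def inspect_aiff(data: bytes) -> dict:
    """Walk the IFF chunk list and return the COMM parameters of a plain (PCM) AIFF."""
    if data[:4] != b"FORM" or data[8:12] != b"AIFF":  # AIFC may carry compressed audio
        raise ValueError("not a plain AIFF container")
    pos, comm = 12, None
    while pos + 8 <= len(data):
        cid, size = data[pos:pos + 4], struct.unpack(">I", data[pos + 4:pos + 8])[0]
        body = data[pos + 8:pos + 8 + size]
        if cid == b"COMM" and len(body) >= 18:
            ch, frames, bits = struct.unpack(">hIh", body[:8])
            comm = {"channels": ch, "frames": frames, "bits": bits,
                    "rate": _ext80_to_float(body[8:18])}
        pos += 8 + size + (size & 1)  # chunk bodies are padded to an even length
    if comm is None:
        raise ValueError("no COMM chunk")
    comm["seconds"] = comm["frames"] / comm["rate"] if comm["rate"] else 0.0
    return comm

def check_chime(data: bytes) -> list:
    """List every mismatch against the guide's settings; an empty list means OK."""
    c, problems = inspect_aiff(data), []
    if c["bits"] != WANT_BITS:
        problems.append("sample size %d, expected %d" % (c["bits"], WANT_BITS))
    if c["rate"] != WANT_RATE:
        problems.append("sample rate %g, expected %g" % (c["rate"], WANT_RATE))
    if c["seconds"] > MAX_SECONDS:
        problems.append("duration %.2f s exceeds %g s" % (c["seconds"], MAX_SECONDS))
    return problems

def build_sample_aiff(seconds, rate=44100, bits=16, channels=2) -> bytes:
    """Constructed test input: a silent PCM AIFF with the requested parameters."""
    frames = int(seconds * rate)
    comm = struct.pack(">hIh", channels, frames, bits) + _float_to_ext80(float(rate))
    ssnd = struct.pack(">II", 0, 0) + bytes(frames * channels * (bits // 8))
    body = b"COMM" + struct.pack(">I", len(comm)) + comm + b"SSND" + struct.pack(">I", len(ssnd)) + ssnd
    return b"FORM" + struct.pack(">I", 4 + len(body)) + b"AIFF" + body
```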
Copying the custom chime (initially achieved by Zerish Prime + Adel Rai):
Assuming you have already jailbroken the T2 Mac via checkra1n and opened an SSH session to it from the host Mac’s Terminal, we can copy the custom chime. If you haven’t jailbroken it and connected over SSH yet, this guide explains how: https://blog.t8012.dev/t2-checkra1n-guide/
This part has been initially achieved by security researchers Zerish Prime and Adel Rai, and I am just using their method to copy the chime into the T2.
In the SSH session, type:
mount -o rw,union,update /
This remounts the root filesystem read-write instead of read-only.
Next, copy the file from a second Terminal window on the host Mac with this command:
scp -rP 2202 "/Users/[home folder]/AXEFIAudio_VoiceOver_Boot.aiff" root@localhost:/System/Library/PrivateFrameworks/BridgeAccessibilitySupport.framework
scp will prompt for a password; enter alpine.
Finally, reboot the T2 Mac. If the chime is enabled in NVRAM (sudo nvram StartupMute=%00), you should now hear the custom chime in its full glory!
Making the custom chime persistent (ONLY WORKS ON BRIDGEOS 4.x and 5.0.1):
Do not modify the snapshot on any bridgeOS version above 5.0.1. If you do, your T2 chip will go into an infinite boot loop, which requires a T2 chip ‘Revive’ via Apple Configurator 2.
Fellow security researcher Checkm8.info provides a method to make the boot chime persistent so it survives a T2 reboot.
Assuming you still have an SSH session open to the target T2 Mac, type:
snappy -f / -l
This prints the name of the current macOS snapshot, a long string such as com.apple.os.update-47B4872F1111CD3A9D9B6F5451673CB47C6F6F13518AF0C5FA3A0198CF1773B8E7B22D9FE42EC0C658715E10E3DFDC43
The second command is:
snappy -f / -r "here_long_snap_string_from_command_1" --to orig-fs
Replace "here_long_snap_string_from_command_1" with the long snapshot name printed by the first command.
You should then have the startup chime persistent. Have fun!