How The T2 Chip Directly Affects Right To Repair

When Apple first announced the addition of the T2 chip to their machines, starting with the iMac Pro and then all machines from 2018 onwards, it was a big shock to many in the repair industry. Until now, the biggest resistance Apple has faced over the ‘repairability’ of their machines has come from iFixit, who publish service guides and encourage customers to complete their own repairs, and from the ‘Right To Repair’ movement that started a few years ago and has been steadily gaining momentum.

When the spec sheet for the T2 chip was first released, the main shock to Apple’s techie followers was the fact that it is effectively designed to fully lock down the machine if needed. Apple countered this fear with the following statement:

“The Apple T2 Security Chip brings a new level of integration and security to Mac.”

Attached here is a link to their description of the T2 Chip – https://support.apple.com/en-gb/HT208862

We have been watching the back and forth intently, as being an independent parts provider and repair company, we need to know how to deal with these later models when they inevitably start coming in for repair, or customers start requesting we source parts for them.

Up until today, our concerns had been put on the back burner, as we had been comforted by the thought that the T2 Chip had been implemented to provide a wider level of security for the end user, since all the internal storage is now integrated onto the logic board in the majority of these machines. More security for the customer is always a good thing, right? (If you remember the passwords you set for them, that is, but that’s another story.) It has now come to our attention that the T2 Chip is, unfortunately, designed to do a bit more than just secure the customer’s data.

Without going into too much technical detail, the T2 Chip is effectively mapped to the other major components in the machine: the main logic board, the complete display, the top case and the battery. (It may affect other parts as well, but these are the only ones known at the time of writing.) Each individual part is internally serialised on its controller board, and those serial numbers are logged on the T2 Chip. The main fear that arose when the T2 Chip was announced was that this would render a machine a non-starter (not functional) after any of these parts had been replaced, unless fitted by Apple themselves. But recent information has confirmed that not to be the case.

Basically, you can replace parts within your machine all you want, but if you ever want to take your machine into Apple again to have any repair done, the T2 Chip will log that there is a serial number discrepancy, and your warranty will be marked as ‘void’, even if the part previously replaced is completely unrelated to the current fault. If you want to take it in for non-warranty work, in most cases they will accept the job. But the new internal GSX system will not allow them to complete an MRI test on the machine because of the serial number discrepancy, which means Apple will not allow any parts to be sold at the normal ‘Exchange’ price, which is the only way to get a service spare at a reasonable price from Apple. You’ll be quoted the outright purchase price of the parts in order for the job to be completed.

All in all, this seems not only counter-intuitive, but completely against the Right-To-Repair movement. Apple have always said their machines are recyclable, but unfortunately their understanding of the term goes against what we believe in so many ways. We believe in reusing, repairing and, if all that fails, recycling efficiently (not into landfill). Making machines harder to repair, then making it so you can either pay extortionate prices for repairs or throw the machine away and get a new one, is not a great solution.

Let us know what you think, and how this will affect you as either a user or a repair company, as it would be interesting to see some other experiences of this T2 Chip saga… as it’s likely to continue.

Posted in Apple News, Questions and Answers

iMac LCD Blemishes (2012-2019)

We have been seeing more and more of these later range iMacs with LCD blemishes, so we thought it was about time we cleared the air (so to speak), as there is a lot of uncertainty on a consumer level as to how these panels are built.

In 2012 Apple completely overhauled their iMac ranges. They slimmed it down, removed the optical drive, and in 2014 they released their first Retina display model. (5K in 27″ and 4K in 21.5″)


These were the first models that didn’t have a separate glass panel over the top of the LCD panel, which was great from a repairer’s point of view, as our engineers no longer needed to clean the LCD and both sides of a glass panel and then rebuild a machine in a work zone that was not hermetically sealed!

Now, the troubling bit…
These are often referred to as a ‘bonded’ display. In reality, that is not the case. The LCD panel itself is bonded to the glass, but the main point of dust ingress in these displays is not between the glass and the LCD surface, but rather between the LCD and the backlight sheets. Tiny specks of dust show up as dark patches or marks, and are occasionally mistaken for dead pixels. As seen in the photo below, all that seals the edges, besides what is visible, is a single strip of tape. (Not the definition of ‘bonded’ I’d use.)

[photo: IMG_7424]

Brown patches are a common occurrence on older panels (2007-2011 iMacs), as are minor patches and streaks in the lower corners. Apple even ran an extended replacement programme for the LCD in the 2009 21.5″ iMac for brown patches in the upper left corner (right over the internal power supply).

But that brings us to the later slim-line 21.5″ and 27″ iMacs (2012-2019). These have far less severe symptoms than the earlier ranges, but do sometimes suffer from darker ‘patches’ or ‘streaks’ in the two lower corners. The only explanation we can come up with is that the tape in the corners of the LCD weakens over time and a small amount of dust gets through from the air circulation generated by the internal fan. It’s not a hardware fault, just dust under the surface that cannot be removed (without a clean room environment).

We often sell machines with these blemishes, but the extent of the ‘patching’ varies from one machine to the next. For that reason, we’ve provided a few photos showing a few different examples of the fault, but the severity will always differ.

As an additional reference, Apple appear to have faced a class action lawsuit regarding this issue…

Class action lawsuit link

Posted in Uncategorized

T2 Chip and Repair Work

According to Apple’s support page, ‘The Apple T2 Security Chip brings a new level of integration and security to Mac’. This is all well and good for security if you carry around sensitive client data, as it adds a new layer of protection to Touch ID data and drive-related encryption, but it has added a whole new level of confusion for end users who are unsure of which security level to enable on their new machine and what each of them means. (The link can be found here.)

The reason for this post is, first, to give some clarity for the average user on what the different levels of security mean, and secondly, to provide some basis for the repair work carried out by TheBookYard and the recycle/trade-in service offered by Mac2Cash, as both services are affected by this chip to a certain extent. But as they say, knowledge is power, and giving you the details of each feature so you can decide how secure you’d like your machine to be is the best result all round.

Two such features relate to repairability from an engineering perspective: ‘encrypted storage’ and ‘secure boot’.

Old Systems
Up until now there were two different levels of protection. The first protects user data on the boot drive to as high a level as possible and is called FileVault. It not only encrypts the data so that a password is required to unlock it, but the password also cannot be reset if you lose it without going directly to Apple with a receipt and proof of ownership. But your data is all encrypted and protected. That’s a good thing, right?
In a normal setup, someone with the right tools and physical access could read the drive directly; with FileVault enabled this is not possible without the password.
(Please note, the security password set for this is different to the admin password for the machine. It is typically set the same as the first admin user account when the machine is first set up, but if you ever change your password, or create a new admin account, the FileVault password is not carried over and will stay the same. This is the most common cause of lost passwords among the customers we’ve dealt with.)

The other protects the machine from external access, and is known as ‘EFI firmware’ level security. When enabled, this prevents the machine from booting to the disk selection screen (and other EFI screens), which is used to boot from an external hard drive. Booting externally is the way we carry out our repairs so that no customer data is accessed, but it also allows you to boot to the recovery partition to run disk repairs, or to install a clean operating system if needed.
Unless FileVault is enabled, the internal customer drive will mount on the desktop while booted externally (although the admin password is still required to access the data if a password has been set; it is just more secure to have FileVault enabled). With an EFI password enabled you also can’t carry out any major resets (such as SMC or PRAM resets, used in a lot of diagnostic situations), or create drive backups using certain applications.

Effects on Repairs
So from a repair perspective, a machine cannot be repaired (or recycled through Mac2Cash) with an EFI password enabled, as a repairer would be unable to complete a full hardware test on the machine before and after, thus preventing any real diagnostics.
We have always been very good at diagnostics because of the lengths we go to in order to ensure stability after a repair. Most repairers will offer low-cost or free diagnostics (but will then charge a high fitting fee, or a charge if you decide not to repair), but their diagnostics are done by way of probability, because they won’t order or fit parts until they have been paid for. Some repairers do it better than others, but that is mostly down to experience in identifying probable faults based on symptoms. Deduction becomes easier with experience, but it is not a confirmed diagnosis until the parts have been ordered and fitted, so it is always a bit of a gamble. It’s not uncommon for more than one part to be faulty either.
Because we are a parts specialist, we have all the parts required for most repairs in-house, so when completing a full diagnosis we don’t go with a ‘best guess’ approach: we fit the required parts, then complete a full hardware test to ensure stability after the fact. This enables us to be sure the fault has been fixed, which is why we offer a 3-month warranty on repair work and diagnostics.
(intermittent faults, or software issues invariably add time to repairs)

With that being said, we are able to carry out a full hardware test with FileVault enabled (but not a full hard drive (or SSD) scan for a drive health checkup) but we cannot complete any hardware testing with an EFI password enabled. This goes for a Mac2Cash recycle as well. (a FileVaulted drive will not mount its partitions, but it can be securely sanitised from an external drive. It prevents data from being accessed but does not completely immobilise the SSD or HDD)
So if you have a repair that doesn’t need a drive scan, and/or you have no concerns over the health of your drive, FileVault can be left enabled. But if you have a drive related fault, it is best to disable FileVault before it comes in for repair. That way we can carry out a drive scan without needing to know your admin password for the machine, thus providing more security to you, the client. But if it comes in with FileVault enabled and it is decided afterwards that a drive scan is requested or required, the admin password for the machine would be needed by the engineer.
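The intake rules above, written up as a small shell check (an added example, not TheBookYard’s own tooling): it reads the output of the real macOS commands `fdesetup status` and `firmwarepasswd -check` (the latter needs root) and prints whether a hardware test and a drive scan are possible. The function names and verdict wording are assumptions.

```shell
#!/bin/sh
# Pre-intake security check for a Mac coming in for repair or recycling.
# Rules encoded here (from the post): a firmware/EFI password blocks booting
# the external test drive, so no hardware test or secure erase is possible;
# FileVault still allows a hardware test, but a drive scan then needs either
# FileVault disabled or the admin password.

# filevault_state "<output of fdesetup status>"  -> on | off | unknown
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# firmware_password_state "<output of firmwarepasswd -check>" -> on | off | unknown
firmware_password_state() {
    case "$1" in
        *"Password Enabled: Yes"*) echo on ;;
        *"Password Enabled: No"*)  echo off ;;
        *)                         echo unknown ;;
    esac
}

# intake_verdict <filevault state> <firmware password state>
# Prints one line a technician can record on the job sheet.
intake_verdict() {
    fv="$1"; fw="$2"
    if [ "$fw" = "on" ]; then
        echo "BLOCKED: firmware password set; cannot boot test drive, disable before repair or recycle"
    elif [ "$fv" = "on" ]; then
        echo "OK-WITH-CAVEAT: hardware test possible; drive scan needs FileVault off or the admin password"
    elif [ "$fv" = "off" ] && [ "$fw" = "off" ]; then
        echo "OK: full hardware test and drive scan possible from the external test drive"
    else
        echo "UNKNOWN: could not read security state; check Startup Security Utility in Recovery"
    fi
}

# Live run, only on a Mac where both tools exist (run the script as root).
if command -v fdesetup >/dev/null 2>&1 && command -v firmwarepasswd >/dev/null 2>&1; then
    fv=$(filevault_state "$(fdesetup status 2>/dev/null)")
    fw=$(firmware_password_state "$(firmwarepasswd -check 2>/dev/null)")
    intake_verdict "$fv" "$fw"
fi
```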

New System
With the new T2 chip, security has been taken to a new level. Most of the security features go way beyond what most users would even think to enable, but they are enabled as standard. We cannot carry out repairs, or recycle machines through Mac2Cash, with these features enabled, because the machine cannot be booted from a test drive for a hardware test, and we also cannot securely erase the internal drive (in the case of a recycle). Because the T2 chip is on the main logic board, this renders the most valuable part of the machine completely unsellable, as according to the ADISA regulation that we abide by (due to GDPR), ‘a drive that cannot be effectively sanitised must be physically destroyed.’ So don’t be surprised when the value of your machine drops dramatically when its condition changes from ‘Fully Working’ to having a ‘locked T2 chip’ because you cannot remember the password you set for it.

The machines that have the new T2 chip in them as of the writing of this post (May 2019) are as follows:
iMac Pro (2017 and later)
Mac mini (2018 and later)
MacBook Air (2018 and later)
MacBook Pro (2018 and later)

Levels of Security
The new T2 chip still allows a firmware password and FileVault to be enabled separately, but it adds a new level of security known as ‘Secure Boot’. (Encrypted storage is the new name for FileVault.)
Secure Boot has three levels of security, but from what we can ascertain, it covers Apple more than the consumer, as it basically authenticates any boot source as genuine software before booting. This is a good thing if you worry about running a hacked or pirated version of an operating system, but the risk is very minimal if the OS was installed from Apple’s system in the first place and the user doesn’t alter their OS in any way. The major risk is that if it detects an alteration for some reason, this feature would render the machine un-bootable, as it completes the check at the start of each startup.

As described by Apple, the levels cover the following setups:
1 – Full Security
Ensures that only your current OS, or signed operating system software currently trusted by Apple, can run. This mode requires a network connection at software installation time.
2 – Medium Security
Allows any version of signed operating system software ever trusted by Apple to run.
3 – No Security
Does not enforce any requirements on the bootable OS.

[screenshot: macOS High Sierra Startup Security Utility]

External Boot Enabler
The other feature that has been added is known as ‘External Boot’.
This simply allows the enabling and disabling of the ‘disk selection’ or external booting options noted above. For repair work carried out by TheBookYard, we need this restriction disabled (external booting allowed) so we can boot to an external test drive to complete diagnostics.

Summary
In brief, when they reference ‘security’ here it doesn’t add any encryption or protection to your machine or personal data. It just ensures that your Mac always starts up from a legitimate, trusted Mac or Windows operating system. This effectively makes OSX machines run a lot like iOS devices, because customer data and its accessibility is controlled by the logic board instead of the end user. But because it authenticates the ‘legitimacy’ of the software on each boot, it doesn’t just fail when software fails verification; it would also fail if it cannot connect to the server to authenticate it, thus running the risk of making your machine a non-starter if the boot OS fails to validate and network access cannot be gained during startup. (From what we gather, it doesn’t need a network connection at every boot. It completes an authentication check on each boot internally, and only if that doesn’t pass does it require network access to fix it, or a re-install of the OS.)
This security setup has been known to directly prevent data migration from one machine to another, as well as to cause a number of other issues, such as interfering with Thunderbolt accessories. But in essence, this chip is added to give Apple more control over what software is put on the machine.
See this link for a description of what checks are carried out during a verification of the OS.

In short, there are now multiple security options you can enable, but hopefully you are now better educated in what they do, so you can decide whether it’s worth enabling them.
The last thing you want to do is enable high levels of security, then in the event of a software or hardware failure, risk losing all your personal data, as would happen in an iOS device.
But as always, diligently backing up your data is the best way of eliminating that risk as well.

Posted in Apple News, Questions and Answers