Factory reset macmini M1 2020 is not like the others

It is a shame given the reach this affects as there are many others too, that assistance cannot be provided by the manufacturer. Professional intervention understandably comes with a hefty price tag.

But at least now I know that my instincts were correct. It is wild that there is no apparent way to wipe the slate clean. Compromising people’s tech, including a heart defibrillator implant, is not cool. Until the security hole is plugged, the saga continues.

Thanks, I have posted above, I don't have any other additional apps that I have installed, apart from EtreCheck which I just added.

I did try Malwarebytes previously when I couldn't find any answers, but it hasn't picked anything up.

Hi MrHoffman, *grin, yes I’ve seen the three volume books is highly recommended around here, but has it been updated since the mid 2000’s I wonder.

Thanks for your reply, yes digital forensics wouldn’t come cheap I’m sure. I guess that’s why us little people resort to the community forums :)

I ended up installing Little Snitch.

My internet IP address is connected via UDP on port 68 Bootstrap Protocol (BOOTP) client - not listed on TCP and UDP ports used by Apple software products – Apple Support (AU) 

and also another connection by netbiosd on port 137 Windows Internet Naming Service (WINS) - odd because I have WINS disabled on my new router modem. 

Does my machine think it’s an OS X Server, I wonder? The presence and actions of AFP, SMB, POSIX, XSAN (that would explain rapportd connecting on port 49152), ASR (Apple Software Restore), (TFTP Trivial File Transfer Protocol).

Is there a way of knowing where the boot image is being loaded from? There are NetBoot files on here as well.

Other things: 

SMB/CIFS

PPPController

From logs:

opendirectoryd modifying a record for a CIFServer

NotificationCentre: [com.apple.unc:application] Found system centre _SYSTEM_CENTER_:com.apple.mdmclient (also say I’m running mdmclient on user 501/ - me)

wifianalytics (Security) Recording an MDS plugin /System/Library/Security/ldapdl.bundle

CommCentre (Security) Recording an MDS plugin /System/Library/Frameworks/Security.frame

containermanagerd creating a new POSIX user, name = [root] dir: /private/var/root (also created a lot of others)

It’s very frustrating I can’t get rid of whatever it is, everything was bought new from Apple directly and I’m not sloppy installing just anything. I can’t pin it to anything but my Mac mini and MacBook Pro are not operating standard.

MrHoffman wrote:

There is no need to have a Developer ID to enable Developer mode.

It is not typical for developer mode to be “forced on” without the developer mode toggle being activated though.

kernel: (AppleMobileFileIntegrity) AMFI: developer mode is force enabled on this platform

Nor should there be TestFlight and Xcode app activity when neither app is even installed on the Mac or iOS device. Beta versions of applications can’t randomly appear without them which suggests they are being loaded some alternative way as it is my understanding the regular AppStore does not carry beta versions. Even ‘SpringBoard’ is a beta version.

MrHoffman wrote:

There are always data communications with servers whenever iPhone is connected to a network, as an iPhone is a so-called client device.

This is true, but macOS should not be sending FaceTime messages when a) it’s not active (ie toggled off in all relevant places) and b) it is in lockdown mode.

imagent: (FaceTime) [com.apple. Messages :FaceTimePushHandler] Accepting Incoming pushes

launchd: [pid/425/com.apple. FaceTime.FTConversationService [503]:] service state: running

com.apple.FaceTime.FTConversationService: [com.apple. FaceTime:FTConversationService] Asked to accept connection <private>

com.apple.FaceTime.FTConversationService: [com.apple. FaceTime:FTConversationService] Entitlement found; accepting connection <private>

callservicesd: (TelephonyUtilities) [com.apple.calls.telephonyutilities:Default] Cloud calling devices changed

callservicesd: (TelephonyUtilities) [com.apple.calls.telephonyutilities:Default] FaceTime availability changed from (audio=0 video=0) to (audio=1 video=1)

identityservicesd: (FTServices) [com.apple.IDS:FaceTime] Created URL Request: ‹private> from URL: <private>

identityservicesd: (FTServices) [com.apple.IDS:FaceTime] Sent outgoing message: <private> to command: (Request 1D: <private> Connection: <private>)

Similarly, rapportd should not be directly connecting from the Mac to other devices (an iPad in this case) on the same network when all relevant settings have been turned off.

rapportd: (CoreUtils) [com.apple.CoreUtils:AsyncCnx] CLinkCnx-1: Connected to [xxxx:xxxx:ed27:1::4]:58219 (Reach=0.00 ms, SRV=0.00 ms, DNS=0.00 ms, Connect=5.58 ms, Total=112.65 ms)

I just had another look at the log snippets I posted:

kernel: initialized XNU provisioning profile data

This indicates that the kernel has processed XNU provisioning profiles specifically related to kernel extensions/kexts, my understanding is they are deprecated for developer content.

No matter what I do I can’t resolve it, whoever it is has gone to a lot of effort. The list gets longer each day as I discover more. I’m disappointed the latest update didn’t help. I honestly don’t know what to do.

Following up with more information on this issue as it’s still unresolved, but at least I have an idea of what is going on now (and that something is actually awry).

Some issues identified so far:

1. Developer mode has been enabled without a valid developer ID (I’m not a developer)
2. Modification of the boot process that removes users ability to choose which operating system to boot into (I didn’t set up two!)
3. HMAC invalidation has been disabled
4. The use of a fake key for AppleSEPStore
5. SMMachine (system management) interference
6. arm64e_plugin_host process running various binaries (bash, login, zsh, sudo) in keys off mode due to their identities. Code signature validation is being skipped because they’ve been modified or are not signed with a valid certificate
7. Potential compromise of iPhones and iPads by Mac Mini and MacbookPro, AppleImage4 sysctl hook, a security measure of iOS devices suggests the Macs have interacted with them and logs on all devices further suggest data communication between the two (meant to be disabled) as well as many security violations
8. ANECompilerService active in security processes, issue with root certificate or verification.

There is also evidence data is being sent to a server.

The Mac machines are unable to be physically accessed which suggests remote access through any number of security holes which have been active. Security updates haven’t solved anything nor has rebooting, as there have been modifications made.

I have idea where to from here though. Over six thousand dollars worth of Apple products between the devices and Apple don’t want to dive any deeper than a reset which solves nothing.

I’m a very sad insignificant little panda to the world, but in my world this has affected my family and I greatly.

My scan of the executable file within the Calculator.app was tagged by Total Virus and OSX Sandbox as matching two 2019 CVE exploits. Wasn't sure if external links were allowed so haven't posted a link.

Attempted another factory reset tonight but it's still there. I can't find any way to remove the disk image it is defaulting back to.

kernel: vm_page_bootstrap: 995728 free pages, 13694 wired pages, (up to 0 of which are delayed free)

kernel: VM boostrap: 97 maps, 204 entries and 512 holes available

kernel: Maximum number of VM swap files: 100

kernel: "vm_compressor_mode" is 4

kernel: VM bootstrap done: 84 maps, 165 entries and 503 holes left

kernel: IOKit IOMD setownership ENABLED

I contacted the "Apple" chat help (on the malware machine so what did I expect I guess), they didn't know what a bootstrap was. So they got my number and a "senior technician rang" who also didn't know what it was for either.

How do I get rid of this?

I have only used Time Machine a few times just after I bought it and then didn't need it so I turned it off, that was 11 months ago and I didn't save the backups.

I ran Malwarebytes about 4 reinstalls ago because I was getting desperate and it seemed generally accepted here if you *had* to do something that was the better option but it showed nothing. I also tried Etrecheck which showed my apps I downloaded from the AppStore, were not, and there was nearly 500 Apple apps on the system, 4 were not even able to run on the M1.

When I erase the hard drive (it won't left me touch the system snapshot/image which is mounted). So I have no idea how I can get rid of this.

Even when I run commands as root to delete folders that I know for sure have nothing to do with the latest Apple - I am unable to delete them.

Of the many issues the ones of most concern are that it looks as though its under the control of someone else, and firewall/steath is being disabled and control centre being added. I change it and it just goes back once the window is closed. Even if the options show one thing, System Report says different.

I am running in lockdown mode. No idea if it makes a difference or not.

As a side note, I would think these things below would not be relevant to a non business user using a standard install of Ventura on a MacBook Pro 2021 and Mac mini 2020 purchased directly from Apple is:

SMBRID opendirectoryd: [com.apple.opendirectoryd:session] dsAttrTypeStandard:SMBRID

AltSecurityIdentities opendirectoryd: [com.apple.opendirectoryd:session] dsAttrTypeStandard:AltSecurityIdentities

Smart Card ctkahp: [com.apple.CryptoTokenKit:AHP] Invoking SmartCard agent for uid 501

Open Directory sudo: (CFOpenDirectory) Open a given node & opendirectoryd: (PlistFile) [com.apple.opendirectoryd:session] found via filename '<private>'

Multipeer kernel: (IO80211Family) com.apple.p2p

kernel (InvalidateHmac) Finished SIO HMAC invalidation.

Credential Manager

AppleCredentialManagerDaemon: ACMTRM-D: -[TransportRestrictedModeService entryPoint_onDaemonStarted]: acmd started, handing control over to kext (TRM allowed by ManagedConfiguration: YES, disabled by AppleSetup: NO).

kernel: (AppleCredentialManager) ACMTRM: init: called, starting TRM service.; kernel: (AppleCredentialManager)

AppleCredentialManager: startImpl: will join SEPManager's PM tree in getSEPEndpoint().

Managed Client launchd: [system:] Service "com.apple.ManagedClient.startup" tried to register for endpoint "com.apple.ManagedClient.agent" already registered by owner: com.apple.ManagedClient

WindowServer

WindowServer: (SkyLight) [com.apple.SkyLight:default] Server is starting up

WindowServer: (SkyLight) [com.apple.SkyLight:default] Session 257; WS port 14603, launchd-launched workspace/session manager

Early Boot

kernel: (Sandbox) Sandbox apply: auearlyboot[11] <bytes>

kernel: (Sandbox) Sandbox: auearlyboot(11) allow iokit-get-properties iokit-class:IOService property:aud-early-boot-critical

kernel: (AppleInputDeviceSupport) Unserializing payload with 2314220 bytes