Factory reset macmini M1 2020 is not like the others

My Apple devices (less than a year old) have got issues I can't match to anything. I checked the Apple Boot Process guide and my boot appears to be a deviation?


Despite having this particular macmini factory reset at the Apple Store a few weeks ago, it will often run deprecated commands or invoke applications and processes that are a part of the Apple Open Source archive and behave like it is 2023 on the outside and 2004 on the inside.


The first time I used the built-in Apple apps like TextEdit there was irregular network activity. So I checked them in a sandbox and they contacted a lot of domains and IP addresses via TCP and UDP, added files, edited existing files including RemoteConfiguration.plist - amongst other things.


The firewall and stealth mode keep getting turned off, or they will show as enabled in the control panel but disabled in the system report.


I've compared my files against unrelated external machines with the same specs and version; there is a great deal of difference between them.


The new updates haven't improved anything. I have checked all the usual things. The Apple guy wouldn't say much other than that it had been factory reset now; I waited 7 hours. He suggested I get a cyber security company, but I can't afford one and I'm out of ideas.




Mac mini (M1, 2020)

Posted on Apr 5, 2023 8:11 AM

Question marked as Top-ranking reply

Posted on Apr 15, 2023 8:26 PM

When you say 'factory reset' how was that actually performed? Was it the 'Erase all Content and Settings'? To be entirely sure install Apple Configurator from the Mac App Store on your second Mac. Obtain a Thunderbolt 4 USB-C cable. Use this guide to put the Mac Mini into DFU mode and use Apple Configurator to Restore the Mac to factory. It will download the signed Ventura IPSW file from Apple and then fully reset the Mac to factory. This should provide some peace of mind. Revive or restore a Mac with Apple silicon using Apple Configurator – Apple Support (AU)


The Apple logs are deeply confusing and full of a massive amount of debug detail that mostly internal Apple engineers can decipher. The logs are also scrubbed of sensitive data to protect privacy. This changed when Apple introduced the Unified Logging functionality. To learn more than you ever wanted to know about reading and parsing the logs see Howard Oakley's blog: https://eclecticlight.co/2021/09/27/explainer-logs/

He has several utilities to help with parsing and reading logs. Lots of posts that deep dive and provide useful insights.


In addition, there is the packet filter PF firewall that is ported over from BSD UNIX. A handy utility to help with configuring the arcane pf.conf is https://murusfirewall.com; it's just a GUI to make things easier. Worth every penny in my opinion. Certainly easier than hard coding the rules in ViM. The PF firewall is built into the kernel and you can utilize both firewalls. The PF firewall is off by default. Murus has another app called Valium that can help with the Application Firewall. Another 3rd party firewall is Little Snitch.


As others have mentioned, it's highly unlikely your Mac has been compromised. It sounds more like you are accustomed to Linux and macOS is considerably different. Malware does exist but it's far more rare than on other operating systems. You will find things are locked down tight with macOS. The System volume is entirely immutable. It starts with a read only volume locked with System Integrity Protection (SIP), then an APFS snapshot is made which is signed only by Apple and sealed. The OS actually boots from the snapshot. Apple Silicon Macs are using their own form of secure boot and don't suffer from the issues with secure boot on PCs. The SSD is factory encrypted out of the box. When you turn on FileVault you are merely generating some public / private keys, sticking the private key in the Secure Enclave within the SoC and using the public key to generate the recovery code. The disk is already encrypted. The built-in Apps such as Calculator are all coming from a signed installer and are entirely immutable. There is no way for malware or any user including root to alter the contents of Calculator.app/. Malware can infect a user profile but not the System and certainly not install a rootkit, etc. Apple's built-in malware tools autoupdate and can block malware. In the distant past it was first used to block vulnerable versions of Adobe Flash and Java, prompting the user to go upgrade them before they would be allowed to execute.
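A read-only posture check for the protections the reply above lists (Application Firewall and its stealth mode, the kernel PF firewall, SIP, and the sealed system volume), added here as an example and not taken from the thread or from Apple. It assumes the usual one-line status text those tools print, so an unrecognised line is reported as "unknown" rather than guessed; on a non-macOS host every check reports "unavailable".

```python
"""Added example: query the macOS protections named in the reply and
normalise each to enabled / disabled / unknown / unavailable.
Assumed output formats (not from the thread): socketfilterfw prints
'Firewall is enabled.' / 'Stealth mode enabled', pfctl -s info prints
'Status: Enabled ...' (needs root, otherwise a permission error), and
csrutil prints '... status: enabled.' for SIP and authenticated root."""
import re
import shutil
import subprocess

SFW = "/usr/libexec/ApplicationFirewall/socketfilterfw"

# name -> (argv, regex meaning enabled, regex meaning disabled)
CHECKS = {
    "app_firewall": ([SFW, "--getglobalstate"],
                     r"Firewall is enabled", r"Firewall is disabled"),
    "stealth_mode": ([SFW, "--getstealthmode"],
                     r"Stealth mode enabled", r"Stealth mode disabled"),
    "pf_firewall":  (["pfctl", "-s", "info"],
                     r"Status:\s*Enabled", r"Status:\s*Disabled"),
    "sip":          (["csrutil", "status"],
                     r"status:\s*enabled", r"status:\s*disabled"),
    "sealed_root":  (["csrutil", "authenticated-root", "status"],
                     r"status:\s*enabled", r"status:\s*disabled"),
}


def classify(name, text):
    """Map a tool's raw output to a state; anything unexpected is 'unknown'
    (e.g. pfctl's permission error when not run as root)."""
    _, on_re, off_re = CHECKS[name]
    if re.search(on_re, text, re.IGNORECASE):
        return "enabled"
    if re.search(off_re, text, re.IGNORECASE):
        return "disabled"
    return "unknown"


def run_check(name):
    """Run one check; report 'unavailable' when the tool is not on this host."""
    argv = CHECKS[name][0]
    if shutil.which(argv[0]) is None:
        return "unavailable"
    proc = subprocess.run(argv, capture_output=True, text=True)
    return classify(name, proc.stdout + proc.stderr)


def posture():
    """Collect every check into one dict, e.g. {'sip': 'enabled', ...}."""
    return {name: run_check(name) for name in CHECKS}


if __name__ == "__main__":
    for name, state in posture().items():
        print(f"{name:13s} {state}")
```

Because this reads the same command-line state that System Information reports, comparing its output with the System Settings pane is one way to pin down the enabled-in-the-panel, disabled-in-the-report discrepancy described in the question.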

36 replies

Jul 6, 2023 2:23 PM in response to gravityfed

Is the Mac mini working as expected?


I haven’t seen a complaint about its function, only about what has been reported in telemetry.


Your preference and your approach here—firewalls, stealthing, etc—is probably better served by Linux or BSD than by macOS. With the former, you have much better visibility into what the platform is doing, and why.


As for stealthing, I do not recommend blocking or disabling any ICMP traffic.


More generally, you are headed for forensics, and—given your remediation sequences already performed and your concerns—wholesale replacement—and replacement of what is likely a normal and working Mac mini, too.

Sep 25, 2023 5:01 PM in response to MrHoffman

It is a shame given the reach this affects as there are many others too, that assistance cannot be provided by the manufacturer. Professional intervention understandably comes with a hefty price tag.


But at least now I know that my instincts were correct. It is wild that there is no apparent way to wipe the slate clean. Compromising people’s tech, including a heart defibrillator implant, is not cool. Until the security hole is plugged, the saga continues.

Nov 4, 2023 12:26 PM in response to gravityfed

I am, and have been for a couple years, experiencing almost the same thing and was wondering what to do. Most everyone says it's impossible but looks like the community is showing otherwise. Is there a way to get everyone's data together and start compiling the info in one place? Or at least connecting everyone together since Apple is not addressing anything? With all the money spent on new devices, iCloud data lost, etc., the fact that they continue to deny any issue or put out security warnings is opening them up for class action, which I am happy to initiate. Their denial and lack of direction is a complete violation of consumer protection (what little the US supplies). Anyway, I'm beyond trying to troubleshoot devices and more into the next steps of getting this more public attention.

May 9, 2024 10:01 AM in response to gravityfed

Hi Gravityfed, what was your ultimate fix for this? I've spent the last few months researching these exact issues and have purchased multiple new MacBooks and devices and they all end up the same. I've hired multiple IT professionals and they all end up saying I need to find somebody with more knowledge than them. I don't have the money to keep hiring professionals and Apple has been no help.

I really appreciate any insight you can provide. Thank you!
