You don't need enemies when you face No bag entry

First, I looted a MacBook Pro from mid 2012, don’t ask where.

I wanted to use it, to learn macOS and try a new OS, even if my heart is dedicated to Linux. So, I erased the data on the disk to have it fresh and clean. I booted into Recovery Mode with CMD + R.

So, right here, I deleted the content of the disk with Disk Utility and wanted to reinstall the OS with Reinstall macOS. Funny, isn't it?

The MacBook was on Sierra, which is a pretty old version of macOS. So I tried to reinstall, but a few seconds after launching the install, a non-cooperative error appeared: No bag entry.

What does it mean???

So I checked on the Internet, and the reason for this error was: when a Mac tries to reinstall itself, it asks Apple's server for the OS (in fact, the .dmg file). Sierra was too old and the server won't permit downloading the OS.

The quest starts here. Now I have a MacBook that can't download anything from Apple's server and I need to reinstall something on it.

I first tried to create a bootable USB with macOS on it, but the way we create a bootable USB on Windows/Linux didn't work at all for me. When I searched the Apple forum, they said "Use another Mac to create your bootable USB". Thanks!

(To boot from the bootable device, restart and press ALT.)

No bag entry and the search for good

I searched just about everywhere on the internet for this error, and here are the things that I found:

  • This error is due to a wrong date, and we need to change the date
  • This error is due to an expired certificate and we need to trick it
  • This error is due to a bug in the Sierra Installer and we can't do anything about it (oh sweet)

Following some videos, I launched a terminal in Recovery Mode and changed the date. Some videos told me to change it to 08010002023 with the command date 08010002023. Spoiler: it breaks the certificate and I got the error UNTRUSTED_CERT_TITLE. It means the certificate is broken due to the time change.

OK, but I also saw a guy who changed the date with ntpdate -u time.apple.com and it worked for him. It almost worked, but the installer crashed after a loooong computing time. Best way to get this thing working so far, but still not working. Setting the same date as Apple's servers was a good thing but still not enough.

https://www.youtube.com/watch?v=KdO7X18X_xM

LAN Turtle

For xmas, I bought myself a LAN Turtle to try some things. I tried to sniff the packets from the Mac to the Apple server, but in vain. I don't know why the LAN Turtle wasn't working. I was lazy so I didn't want to investigate.

I tried the urlsnarf module to capture the Apple server URL with the requested resource.

arpspoof

The LAN Turtle wasn't working, so I tried to spoof my MAC address to intercept the traffic.

The configuration:

  • I was telling the MacBook that I was the internet box
  • I was telling the box that I was the MacBook
  • tcpdump in background
  • Trying to reinstall Sierra from the installer to see where the resource behind the Apple Update is

Inside the pcap, I saw this single clear TCP request to an IP.

Looking for this IP, it was indeed the Apple Updates server. A great catch.

17.57.21.52 was the IP that the MacBook tried to reach. One thing: the IP seems hardcoded because there was no DNS query before/after the IP. A hardcoded IP to avoid DNS spoofing??? huuun

In the installer, we can see some logs and some resources that the MacBook tried to reach. That's a good way to debug tho.

We can see resources like this: http://oscdn.apple.com/content/downloads/11/58/062-53943/of12aseueo2jnehp03qh5g3o17lx4139t1/RecoveryImage/BaseSystem.dmg

Internet Archive

I found this YouTube tutorial where we download the dmg ourselves and install it. All in CLI.

Here are the steps:

  • curl -L https://archive.org/download/sierraurl/sierra.txt to get the instructions

It tells us that the InstallESD.dmg located in Apple's macOS Sierra 10.12.6 Internet recovery & App Store is corrupted (and/or has additional issues), preventing install. This is not a time & date issue.

  • ntpdate -u time.apple.com to set the right date
  • cd /Volumes/Macintosh\ HD to change to the Macintosh hard drive. Beware, the hard drive may have another name
  • curl http://updates-http.cdn-apple.com/2019/cert/061-39476-20191023-48f365f4-0015-4c41-9f44-39d3d2aca067/InstallOS.dmg -o InstallOS.dmg to get the DMG
  • hdiutil attach InstallOS.dmg to mount the DMG
  • installer -pkg /Volumes/Install\ macOS/InstallOS.pkg -target /Volumes/Macintosh\ HD to extract the "Install macOS Sierra.app"
  • /Volumes/Macintosh\ HD/Applications/Install\ macOS\ Sierra.app/Contents/MacOS/Installassistant_springboard to start the installer

And now the right installer may have spawned behind your terminal. Follow the instructions and it will reboot at the end of the installer.

For me, I tried to do the same thing but downloading macOS Catalina, and it worked! My MacBook is very slow and every time I update it I'm scared because it blocks on the install screen for a while.
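
The DMG in the steps above is fetched over plain HTTP, so a check between hdiutil attach and installer -pkg is worth having. The script below is an added example, not part of the original post or the tutorial it follows: pkg_status_ok and check_installer are hypothetical names, the sample pkgutil output is constructed, and it assumes pkgutil and hdiutil are available in the environment where you run it.

```shell
#!/bin/sh
# Added example: gate `installer -pkg` on the package's signature status.

# Constructed sample of `pkgutil --check-signature` output (not a real capture).
SAMPLE_EXPIRED='Package "InstallOS.pkg":
   Status: signed by a certificate that has since expired'

# Reads pkgutil output on stdin. Succeeds only if the Status line says the
# package is signed and does not mention an expired or untrusted certificate.
pkg_status_ok() {
    sig_status=$(sed -n 's/^[[:space:]]*Status:[[:space:]]*//p' | head -n 1)
    case "$sig_status" in
        *expired*|*untrusted*) return 1 ;;
        signed*)               return 0 ;;
        *)                     return 1 ;;   # "no signature", empty, anything else
    esac
}

# Hypothetical wrapper: $1 = downloaded DMG, $2 = .pkg inside the mounted image.
check_installer() {
    # hdiutil verify only checks the image's embedded checksum: it catches a
    # truncated or corrupted download, not a deliberately modified image.
    hdiutil verify "$1" || return 1
    # The signature check is what ties the package to its signer.
    pkgutil --check-signature "$2" | pkg_status_ok
}

# Run the real check only on macOS with the image from the steps above mounted.
if [ "$(uname)" = "Darwin" ] && [ -f "/Volumes/Install macOS/InstallOS.pkg" ]; then
    if check_installer InstallOS.dmg "/Volumes/Install macOS/InstallOS.pkg"; then
        echo "image checksum and package signature OK"
    else
        echo "do NOT install: image or package signature check failed" >&2
    fi
fi
```

Run it from the directory holding InstallOS.dmg after mounting the image; if it reports a failure, stop before the installer -pkg step.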

Now I have a MacBook Pro, I will probably do a Memory dump challenge on the laptop.