
cba20k

macrumors newbie
Original poster
Sep 27, 2018
I went away for the Christmas holiday only to return two days later to see that my Mac mini had crashed and on the screen was displayed the boot loader screen for Clover EFI. I believe Clover is related to running macOS on a hackintosh. I don’t know much more about it than that. My internal hard drive is no longer accessible, and my research on the Internet suggests that this may have been a boot loader attack. But I cannot find any information on this specifically. I don’t see anything in the forums here about this either but wanted to bring attention to it in case anybody else has experienced this. My research tells me that somebody would have to have root access to pull something like this off, but I can’t figure out how any hacker would have gotten that far with my Mac mini to begin with. Any and all thoughts, sage wisdom, advice, or experiences related to this are welcome. Thanks in advance for any help, and happy holidays!
 
Wow, someone tried to run Clover on a Mac Mini. First, Clover is part of Hackintoshing. If you hackintosh a Mac you will probably brick it. People edit their “SMBIOS” using Clover and OpenCore to change specs (not recommended at all), and OpenCore tends to be safer, but still do not do it! If you install the Clover bootloader on a Mac you will probably brick it unless you can flash the Mac... They bricked their Mac. Definitely return it ASAP!
 
I know, right? It appears to have happened sometime in the early hours of Christmas morning when I was somewhere completely different, not that the details of my personal life are important here, but I know enough to know that Clover has nothing to do with OEM Macs. I have read about boot loader attacks though. I think that is what happened here, but I cannot find anything specific to Clover being used for a boot loader attack, or how I opened myself up to one.
 
Where did you get it?
 
I never downloaded Clover to use with a Mac Mini. That’s what’s so strange.
 
Did anyone else have access to your mini while you were away? Have you checked your network log for unusual traffic? Do you have FileVault enabled?
I did have FileVault enabled, or so I thought. Also, on the afflicted Mini I had Chrome Remote Desktop installed, but also two-factor authentication, and I didn’t get any notifications about unauthorized logins.
 
If you had FV on and not logged in, and your remote requires 2FA to finish the login to the affected Mac, I don't see how someone could have infected the Mac remotely, unless I have got my facts wrong, which does happen on here.

Was anyone else in the home at the time and able to log into the Mac? Did you check browser history? When was the last time your Mac was accessed by you before leaving?
 
FV was most likely on. The mini was logged in to, but the screen saver was active. The SSD is likely toast, based on research into bootloader hacks, but there was no odd activity that I’m aware of, although if there’s a way to check in Terminal (if I can access the SSD) or on my Wi-Fi (a Linksys Velop), I’m open to instructions. :)
 
Are you the first owner of this Mac? Perhaps you bought it with Clover installed but weren't aware?
 
Shoot, I got a little trigger happy and jumped a couple steps but can update with this.
1) After several attempts to reboot from Macintosh HD (which stalled), I ran diagnostics and all my hardware came back fine.
2) I then booted holding down the option key and this is where things get interesting. I then got as options for startup disks, the Macintosh HD, and EFI Boot, which I had never seen before. When clicking on that, it takes me to an EFI screen of sorts and that is where I was given the option of loading clover, or booting from Macintosh HD (which when selected freezes the computer). I don't dare try the Clover option. The thing is, I had to select EFI Boot to get to this point, which seemed to have happened on its own over Christmas (ie my Mini mysteriously restarted, and loaded EFI Boot).
3) Since then, I've created a bootable Big Sur drive and am attempting to reinstall the OS.
 
Weird happenings with your mini.

Anyhoo, googled and found this thread with a similar problem and the recovery.

Worth trying, I think.
 
I wound up trying the following:
1) Booted the Mini in target disk mode and plugged into a newer T2 Mini via TB2 to TB3 adapter. It proceeded to kernel panic the T2 mini repeatedly.
2) Pulled the SSD and tried running Disk First Aid via a SATA to USB cable. It crashed Disk First Aid and unmounted repeatedly.
3) Gave up, installed a new SSD in the 2014 mini and restored from a Time Machine backup.

The EFI Boot image still showed when starting the 2014 mini with the option key held down and a new SSD installed, even with no bootable volume. However, a fresh install of Big Sur along with a Time Machine restore appears to have worked.

I remain baffled as to how this all went down (hyperbolic speculation warning: some bratty kid down the block might have hacked their way into my wifi and had fun with something like Thunderstrike 2). Needless to say, the previous SSD is toast and it has me wary of SSDs as a reliable alternative to spinning drives (although the pros do still outweigh the cons).

I'm eliminating Chrome Remote Desktop from this Mini (and changed my Google password) as that's the only way I can think of that something like this would have gone down. But I could be wrong...
 
Must’ve been Chrome Remote Desktop. Someone must have connected to it... That’s scary! You can delete the files in the hidden EFI partition, but you might have to show hidden files if you haven’t and mount it externally.
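Before deleting anything from the hidden EFI partition it is worth seeing what is actually on it. The script below is an added example, not code from anyone in this thread: it lists the non-Apple entries under the ESP's EFI directory (on a stock Intel Mac that tree only holds EFI/APPLE; Clover adds EFI/CLOVER and a fallback loader at EFI/BOOT/BOOTX64.efi, which is what produces an "EFI Boot" entry in the Option-key startup menu). It assumes disk0s1 is the ESP (override with the ESP environment variable) and that diskutil is available when run on macOS.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Mac's hidden EFI system
# partition. A stock Intel Mac keeps only EFI/APPLE on the ESP; a third-party
# bootloader such as Clover adds EFI/CLOVER plus EFI/BOOT/BOOTX64.efi.
# Assumptions: disk0s1 is the ESP unless ESP=... is set; diskutil exists on
# macOS. The audit functions themselves work on any mounted directory tree.

# Print every top-level entry under <mount>/EFI that is not APPLE, one per line.
list_foreign_dirs() {
    root="$1/EFI"
    [ -d "$root" ] || return 0           # no EFI tree at all: nothing to flag
    for entry in "$root"/*; do
        [ -e "$entry" ] || continue      # unmatched glob on an empty directory
        case "$(basename "$entry")" in
            APPLE) ;;                    # Apple's own firmware payload
            *) printf '%s\n' "$entry" ;;
        esac
    done
}

# Number of foreign top-level entries; 0 means only Apple's files were found.
count_foreign_dirs() {
    list_foreign_dirs "$1" | wc -l | tr -d ' '
}

# Full report: each foreign directory followed by the .efi loaders inside it,
# so the reader sees exactly which binaries would run before macOS does.
audit_efi_tree() {
    list_foreign_dirs "$1" | while IFS= read -r dir; do
        printf 'foreign: %s\n' "$dir"
        find "$dir" -type f -iname '*.efi' | sed 's/^/  loader: /'
    done
}

# macOS only: mount the ESP read-only, report on it, then unmount it again.
audit_mac_esp() {
    esp="${ESP:-disk0s1}"
    mnt=$(mktemp -d /tmp/esp.XXXXXX)
    diskutil mount readOnly -mountPoint "$mnt" "$esp" >/dev/null || return 1
    audit_efi_tree "$mnt"
    diskutil unmount "$esp" >/dev/null
    rmdir "$mnt"
}

if [ "${1:-}" = "--run" ]; then
    audit_mac_esp
fi
```

Run it as `sh audit_esp.sh --run` on the affected Mac (or with `ESP=disk2s1` for an SSD attached over USB); an empty report means nothing but Apple's files is present, while a `foreign: .../EFI/CLOVER` line confirms what the Option-key menu was showing.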
 
Actually, OpenCore doesn't "tend to be safer," it doesn't brick Macs. Clover's garbage NVRAM handling is what causes it, while OpenCore has good NVRAM handling. OpenCore was designed for both Hackintoshing and patching real Macs, to the point that there is a very reliable patcher dedicated to running it on real Macs.
 