Air Gapping a MacBook Air: The Great BCM15700A2 Mystery
As we fact-checked our previous post – “Air Gapping for Fun and Non-Profit” – we noticed that the iFixit MacBook Air 13" Early 2015 Teardown pointed out a “wireless networking chipset” integrated into the underside of the Air’s main logic board. The chip was identified as a “Broadcom BCM15700A2”.
iFixit had never steered us wrong when we followed their hardware repair instructions in the past, so we deemed this information reliable and immediately raised some critical questions: Is there a wireless chipset soldered onto the MacBook Air’s logic board that we didn’t know about? If so, is it not actually possible to properly air gap a MacBook Air?
To answer these questions, we looked to the Internet for other mentions of BCM15700A2. We found there was no general consensus about the chip’s function – only mixed signals from various sources:
- The iFixit teardown linked to a reddit post claiming that the chip was causing a networking problem between the Airs and Microsoft Active Directory
- We found several listings for the chip on eBay, so we emailed a seller and asked about the chip’s functionality. They replied promptly: “I guess it’s [a] Radio Network Controller”. (The chip’s function even seemed to be a mystery to the seller!)
- And we found a “MacBook Webcam Teardown” by Matthew Petroff that said the chipset could be connected to the webcam processor, but he also wrote: “The camera board connects directly to the main logic board, which just so happens to contain a Broadcom BCM15700A2 chip that no one seems to know the purpose of” (emphasis added). Petroff goes on to say, “As the part number contains the camera controller’s PCIe bus ID, it is very likely the chip in question, particularly since there are no other mysterious Broadcom chips on the logic board.” This was encouraging, but not definitive, so we continued our investigation looking for additional web cam references.
- We found a repo on GitHub that is a “Reverse engineered Linux driver for the FacetimeHD (Broadcom 1570) PCIe webcam”
- We found a blog post by Chris Jones titled “How to get the broadcom pci 1570 web cam working in Linux using qemu with OS X VM”
- But we didn’t find any mention of the chip using Broadcom’s own product search tool
The information we found was pointing to the mystery chip being an innocuous camera controller, but there were enough mixed signals that we felt we needed to take matters into our own hands and definitively determine the chip’s function.
Hardware Testing for Noobs
Our first step in testing was asking the system what Broadcom chips it knew about. To do this, we booted the machine into Kali Linux using a “live” USB stick and we ran lspci.
lspci is part of the pciutils package and “is a utility for displaying information about PCI buses in the system and devices connected to them”.
Our first run gave us the following:
root@kali:~# lspci | grep Broadcom
02:00.0 Multimedia controller: Broadcom Limited 720p Facetime HD Camera
03:00.0 Network controller: Broadcom Limited BCM4360 802.11ac Wireless Network Adapter (rev 03)
We then removed the wireless card (as we did in the video from part one!) and re-ran lspci:
root@kali:~# lspci | grep Broadcom
02:00.0 Multimedia controller: Broadcom Limited 720p Facetime HD Camera
This output made sense so we continued by unplugging the camera ribbon from the logic board and re-running lspci again. There was no change in the output:
root@kali:~# lspci | grep Broadcom
02:00.0 Multimedia controller: Broadcom Limited 720p Facetime HD Camera
This made sense because there’s not much room around the camera in the bezel of the MacBook Air and it would be reasonable to have the camera controller on the logic board away from the camera itself.
But after this step we realized that we needed to physically remove the chip from the board if we were going to fully determine that the BCM15700A2 is the same as the “Broadcom Limited 720p Facetime HD Camera” – and is in fact a multimedia controller and not a wireless networking device.
Calling in the Professionals
We took out the Air’s logic board to see if we could pry the chip off with a screwdriver. We quickly decided this was a bad idea. We also considered “disabling” the chip by drilling a few holes through it with a Dremel tool or by melting it a bit with a soldering iron. Both of those ideas felt too destructive, though – even if they would have been fun to try!
A colleague suggested that a nearby mobile phone repair shop might have a good heat gun and be willing to help us desolder the chip. This sounded reasonable, so I ventured to the streets of New York City to seek the help of some professionals!
I was optimistic walking up 5th Avenue clutching the board safely sheltered from the elements in an anti-static bag, but within thirty minutes, I had been turned away from two different repair shops and was starting to feel discouraged.
I reached out to our IT team to see if they had suggestions, and after some bargaining and the calling in of a favor, they managed to convince a friend at another nearby computer repair shop to help us out.
I dropped the board off with the technicians and a few hours later they emailed to say they had removed the chip!
We’re not sure exactly what the technicians did to remove the chip – heat gun, maybe? – but it came off cleanly and you wouldn’t notice it was missing unless you were specifically looking for it on the board.
Mystery Solved
Once we put the now modified board back in the Air, we ran lspci again and got:
root@kali:~# lspci | grep Broadcom
Eureka! The “Broadcom Limited 720p Facetime HD Camera” device was no longer listed. As we hoped!
To be thorough, and setting our joy aside, we reconnected the camera cable and re-inserted the wifi card. We ran lspci one more time and got:
root@kali:~# lspci | grep Broadcom
03:00.0 Network controller: Broadcom Limited BCM4360 802.11ac Wireless Network Adapter (rev 03)
This was exactly what we were hoping we’d see! The wireless network adapter was back now that the wireless card was re-inserted, but the mystery Broadcom chip was still absent.
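The before/after comparison used throughout this test can be scripted. The following is an added example, not part of the original post: it diffs the lspci snapshots quoted above to show which device each hardware change removed, and checks a snapshot for any PCI network controller. The function and variable names are our own.

```sh
#!/bin/sh
# Added example (not from the original post): attribute each hardware change
# to the PCI device that disappears from `lspci | grep Broadcom`.

# Snapshots reproduce the lspci output quoted in the post.
CAMERA='02:00.0 Multimedia controller: Broadcom Limited 720p Facetime HD Camera'
WIFI='03:00.0 Network controller: Broadcom Limited BCM4360 802.11ac Wireless Network Adapter (rev 03)'
BASELINE="$CAMERA
$WIFI"
WIFI_CARD_OUT="$CAMERA"        # Wi-Fi card removed
CAMERA_UNPLUGGED="$CAMERA"     # camera ribbon also unplugged: no change
CHIP_REMOVED=''                # BCM15700A2 desoldered, Wi-Fi card still out
WIFI_CARD_BACK="$WIFI"         # Wi-Fi card re-inserted, chip still removed

# removed_devices BEFORE AFTER: print lines present in BEFORE but not in AFTER.
removed_devices() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\n' "$2" | grep -Fxq -- "$line" || printf '%s\n' "$line"
    done
}

# network_controllers SNAPSHOT: print devices whose PCI class is "Network controller".
network_controllers() {
    printf '%s\n' "$1" | grep -E '^[0-9a-f:.]+ Network controller: ' || true
}

# no_pci_network_device SNAPSHOT: succeed only if no network-class device is listed.
no_pci_network_device() {
    [ -z "$(network_controllers "$1")" ]
}

echo "Wi-Fi card out removes:   $(removed_devices "$BASELINE" "$WIFI_CARD_OUT")"
echo "Camera unplugged removes: $(removed_devices "$WIFI_CARD_OUT" "$CAMERA_UNPLUGGED")"
echo "Chip desoldered removes:  $(removed_devices "$CAMERA_UNPLUGGED" "$CHIP_REMOVED")"
no_pci_network_device "$WIFI_CARD_OUT" && echo "No PCI network controller with the card out"
```

On a live system, pass the full `lspci` output rather than the `grep Broadcom` subset, since a network controller from another vendor would not match that filter. lspci only enumerates PCI devices, so this check says nothing about radios attached over other buses such as USB.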
To make sure we really covered all our bases, we booted to macOS from an external recovery disk to see if the camera and/or the Wi-Fi were working:
- The Wi-Fi worked with the wireless card inserted, and then stopped working when we removed it again. We found no problems using Wi-Fi with the BCM15700A2 removed
- The camera was no longer working at all. In fact, macOS’s Photo Booth reported “No Camera Available”
Conclusion
We are confident in saying that the Broadcom BCM15700A2 chipset on the MacBook Air 2015 logic board is a multimedia controller, and not a wireless network controller as a few sites say.
We hope this post helps others interested in air gapping or MacBook Air internals correctly identify the chip, and avoid turning the misidentification into a self-perpetuating error.
And most importantly, we hope this post is a reminder that you should never trust what you read on the Internet – maybe not even this post….