blackosx, posted July 24, 2015

> Maybe it would be better to put the rather hacky ideas to solve this aside and try to cleanly mod prelinkedkernel. Catching it in-memory would be very hard, but I guess we could overwrite the file protocol, load prelinkedkernel, mod it and then return it already modded to boot.efi. Would save kernel patches, kicks the abandoned kext injection method and works as people are used to till Apple changes the format of prelinkedkernel.

What you say sounds great. I only play with the hacky stuff as I don't have the talent to do what you talk about. If I can be of any assistance then let me know, otherwise I will watch this space

blackosx, posted July 24, 2015

Hi STLVNUB

UEFI shell is great on my hack, but how can I load it on my real mac without using refit/refind?

EDIT: I'll try that %11 - thanks.

WaldMeister, posted July 24, 2015

> Great to hear you got it to work without error. I wonder what's different on your system to allow it to work?
>
> EDIT: I booted in to the recovery HD earlier from Ozmosis without issue but still had the same error once applying the setting.

There were instructions on projectosx but I'm thinking you could load it through refind.

I have an InsydeH2O BIOS, but doubt that makes a difference. Only thing I can think of is that I'm not on DP4 but on the Public Beta 2. And I'm using the Clover.efi from a few posts back, but without the config.plist changes. Before a reboot into recovery I did clear my nvram with sudo nvram -c. The settings apply, but it changes nothing.

Edit: Did another reboot in Recovery, and the checkbox was marked again, nvram value is still there.

system.log.zip

mhaeuser, posted July 24, 2015

> What you say sounds great. I only play with the hacky stuff as I don't have the talent to do what you talk about. If I can be of any assistance then let me know, otherwise I will watch this space

I doubt I have the talent to do it either, but creativity is never wrong haha

Fabio1971, posted July 24, 2015

> Your message contains zero useful information to resolve our problem.

DP4 boot in verbose mode

It can serve EfiCalls.log

Fabio

THe KiNG, posted July 24, 2015

> UEFI shell is great on my hack, but how can I load it on my real mac without using refit/refind?

Extract HermitShellX64 uncompressed, then in a hex editor cut everything till MZ, save it as BOOTX64.efi and put it on a FAT32 formatted USB stick as /EFI/BOOT/BOOTX64.efi

Put it on your mac and you will get a new EFI entry on boot manager. If your mac is old (32BIT EFI) then you have to use refind.

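
The carve-at-MZ step described in the post above, written as a check that can be run before the file is copied to /EFI/BOOT/BOOTX64.efi. This is an added example, not code from any poster or from Clover or HermitShell; it goes a little beyond the post by validating the PE header so a stray "MZ" in the module prefix is skipped and a 32-bit image is recognised. The function names and the constructed sample bytes are assumptions made for the illustration.

```python
import struct

# PE optional-header Subsystem values reserved for UEFI images.
EFI_SUBSYSTEMS = {10: "EFI application", 11: "EFI boot service driver",
                  12: "EFI runtime driver"}
MACHINE_X64 = 0x8664


def parse_pe(image: bytes):
    """Return (machine, subsystem) when image starts with a sane PE header, else None."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)   # file offset of "PE\0\0"
    opt = e_lfanew + 24                                     # signature + 20-byte COFF header
    if opt + 70 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", image, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):                         # PE32 / PE32+
        return None
    (subsystem,) = struct.unpack_from("<H", image, opt + 68)
    return machine, subsystem


def carve_efi_image(blob: bytes):
    """Find the first 'MZ' that really begins an EFI PE image; return (offset, image)."""
    pos = blob.find(b"MZ")
    while pos != -1:
        header = parse_pe(blob[pos:])
        if header and header[1] in EFI_SUBSYSTEMS:
            return pos, blob[pos:]
        pos = blob.find(b"MZ", pos + 1)
    raise ValueError("no EFI PE image found")


def is_x64_efi_application(image: bytes) -> bool:
    """True only for a 64-bit image whose subsystem is 'EFI application'."""
    return parse_pe(image) == (MACHINE_X64, 10)


def build_sample() -> bytes:
    """Constructed input: a module-style prefix holding a stray 'MZ', then a minimal PE32+."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", MACHINE_X64, 0, 0, 0, 0, 112, 0x0022)
    optional = struct.pack("<H", 0x20B) + bytes(66) + struct.pack("<H", 10) + bytes(42)
    prefix = b"\xAA" * 7 + b"MZ" + b"\xAA" * 15
    return prefix + dos + b"PE\0\0" + coff + optional


if __name__ == "__main__":
    offset, image = carve_efi_image(build_sample())
    print(f"image starts at offset {offset}, x64 EFI application: "
          f"{is_x64_efi_application(image)}")
```
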
Slice, posted July 24, 2015

Clover repository already contains Shell.efi without complex exercises with hex editing.

blackosx, posted July 24, 2015

Thanks The KiNG. I already have that on a USB stick for my hack but never thought of using it on my mac. I'll try it next week.

EDIT: Works great. Thank you

> Clover repository already contains Shell.efi without complex exercises with hex editing.

Yeah but I believe Hermitshell is different/better to the one in Clover repo and contains more tools.

> That was just an example. Don't think it does anything.
>
> edit: I'm writing this from an image of an unbootable Beta2 in VM Fusion with unlocker

Ah. Okay. Cool. I've never really played too much with OS X in a VM.

> I have an InsydeH2O BIOS, but doubt that makes a difference. Only thing I can think of is that I'm not on DP4 but on the Public Beta 2. And I'm using the Clover.efi from a few posts back, but without the config.plist changes. Before a reboot into recovery I did clear my nvram with sudo nvram -c. The settings apply, but it changes nothing.
>
> Edit: Did another reboot in Recovery, and the checkbox was marked again, nvram value is still there.

Thanks for the details. It would be interesting to hear from others to find out if they can apply changes from the recovery HD->security app successfully.

mhaeuser, posted July 24, 2015

I doubt HermitShell has more tools, but certainly it does not enter a dead-loop when loading a driver... Furthermore I'm not sure how opening a file and deleting a few characters is complex.

THe KiNG, posted July 24, 2015

> Clover repository already contains Shell.efi without complex exercises with hex editing.

Clover repository is down...

wern apfel, posted July 24, 2015

> DP4 boot in verbose mode
>
> It can serve EfiCalls.log
>
> Fabio

I think that I have the same problem on my desktop. Move the fakesmc from /S/L/E, start in single user mode and load the fakesmc manually. After you rebuild the cache your issue starts again

joe75, posted July 24, 2015

> Clover repository already contains Shell.efi without complex exercises with hex editing.

http://www.mediafire.com/download/ama4dflost2f92z/HermitShell.efi

No need for "complex exercises or hex patching"

Can also be renamed to ShellU64.efi and placed in tools folder or detailed in config to replace existing clover shell

tluck, posted July 24, 2015

Well, I am not running the DP versions but Public Beta 1 and just upgraded to PB2. Everything seems fully functional for me.

Notes:

- I put all the custom kexts in /Library/Extensions vs /S/L/E
- Clover 3248 with boot args: slide=0 rootless=0 and kext_dev_mode=1
- USB 2 and sleep fixed with DSDT patches.

So after reading all this hub-bub I was curious about SIP stuff and Recovery HD...

I was able to get into the Recovery HD and then changed (disabled) security without issue. Now I see a new nvram variable:

    csr-active-config g%00%00%00

Pike R. Alpha, posted July 25, 2015

Had another look, and I may be wrong, but I think that booting with -x (with extra kexts in /S*/L*/E* and/or /L*/E*) will end in the same kind of error: "Not entitled to link kext: com.apple...". Correct? In that case it isn't limited to kexts located in EFI

Slice, posted July 25, 2015

One more test, please

    <key>RtVariables</key>
    <dict>
        <key>BooterConfig</key>
        <string>0x28</string>
    </dict>

Bit definitions are

    #define kBootArgsFlagRebootOnPanic    (1 << 0)
    #define kBootArgsFlagHiDPI            (1 << 1)
    #define kBootArgsFlagBlack            (1 << 2)
    #define kBootArgsFlagCSRActiveConfig  (1 << 3)
    #define kBootArgsFlagCSRPendingConfig (1 << 4)
    #define kBootArgsFlagCSRBoot          (1 << 5)
    #define kBootArgsFlagBlackBg          (1 << 6)
    #define kBootArgsFlagLoginUI          (1 << 7)

chris1111, posted July 25, 2015

Slice

Testing here and Failed to load FakeSMC

Sorry

Edit: Ho !! I am not add this

    <key>RtVariables</key>
    <dict>
        <key>BooterConfig</key>
        <string>0x28</string>
    </dict>

I am back

Sorry failed to load Fakesmc

Failed El Capitan Developer Beta 4 and Beta Public 2

blackosx, posted July 25, 2015

Hi Slice

I’m not sure what exactly I’m supposed to be testing. But I’ve tested booting with prelinked kernel and not injecting kexts at boot.

    BooterConfig 0x28 | nvram shows: csr-active-config (%00%00%00
    BooterConfig 0x00 | nvram shows: csr-active-config %00%00%00%00
    BooterConfig 0x20 | nvram shows: csr-active-config %00%00%00

In all cases boot is successful, and Security is on

However, unlike Enoch branch of Chameleon:

- Cannot edit system files.
- DarwinDumper does not load DirectHW.kext

Am I testing the wrong thing?

I ask because I’ve been used to seeing different bits for security settings:

https://opensource.apple.com/source/xnu/xnu-2782.1.97/bsd/sys/csr.h

    #define CSR_VALID_FLAGS (CSR_ALLOW_UNTRUSTED_KEXTS | \
                             CSR_ALLOW_UNRESTRICTED_FS | \
                             CSR_ALLOW_TASK_FOR_PID | \
                             CSR_ALLOW_KERNEL_DEBUGGER | \
                             CSR_ALLOW_APPLE_INTERNAL | \
                             CSR_ALLOW_UNRESTRICTED_DTRACE | \
                             CSR_ALLOW_UNRESTRICTED_NVRAM)

Here I see:

    #define kBootArgsFlagCSRActiveConfig (1 << 3)

Is that just on and off?

Fabio1971, posted July 25, 2015

> I think that I have the same problem on my desktop. Move the fakesmc from /S/L/E, start in single user mode and load the fakesmc manually. After you rebuild the cache your issue starts again

eliminating DumpUefiCalls.efi to boot no problem

Fabio

Slice, posted July 25, 2015

Sorry, it was just a mistake (misprint)

New version

Test, please, different bits.

CLOVERX64.efi-3248С.zip

WaldMeister, posted July 25, 2015

> Sorry, it was just a mistake (misprint)
>
> New version
>
> Test, please, different bits.
>
> CLOVERX64.efi-3248С.zip

No changes here. Tried booting with and without caches, with and without the RT variables. Nvram value is still the same:

    P70:~ Lex$ nvram -p
    efi-boot-device <array><dict><key>IOMatch</key><dict><key>IOProviderClass</key><string>IOMedia</string><key>IOPropertyMatch</key><dict><key>UUID</key><string>89405C34-F6F2-4528-B423-78AF12238763</string></dict></dict></dict></array>
    fmm-computer-name P70
    security-mode none
    SystemAudioVolumeDB %ed
    IOHibernateRTCVariables AAPL%01%00%00%00cAQ%c9%03%fe%fdV%d9%fc%0c%c6v%156%91:w%0ee%98w%8c%a1>%eb%cbv%d3%dea%9axn%c1
    SystemAudioVolume 7
    efi-boot-device-data %02%01%0c%00%d0A%03%0a%00%00%00%00%01%01%06%00%02%1f%03%12%0a%00%04%00%00%00%00%00%04%01*%00%02%00%00%00(@%06%00%00%00%00%00p%f9o%11%00%00%00%004\@%89%f2%f6(E%b4#x%af%12#%87c%02%02%7f%ff%04%00
    backlight-level %d8%0a
    csr-active-config g%00%00%00
    P70:~ Lex$

Boot.log and Syslog attached.

logs.zip

blackosx, posted July 25, 2015

Tested three different BootConfig values so far

BooterConfig 0x28 (00101000)

    $ nvram -p
    bootercfg (%00
    csr-active-config g%00%00%00

- sudo nano /System/Library/Extensions/ALF.kext/Contents/Info.plist = Saving allowed
- DarwinDumper LSPCI dump works.
- DarwinDumper memmap dump works.

BooterConfig 0x20 (00100000)

    $ nvram -p
    bootercfg %00
    csr-active-config g%00%00%00

- sudo nano /System/Library/Extensions/ALF.kext/Contents/Info.plist = Saving allowed
- DarwinDumper LSPCI dump works.
- DarwinDumper memmap dump FAILS. (so the dtrace security is enabled)

BooterConfig 0x00 (00000000)

    $ nvram -p
    bootercfg %00%00
    csr-active-config g%00%00%00

- sudo nano /System/Library/Extensions/ALF.kext/Contents/Info.plist = Saving allowed
- DarwinDumper LSPCI dump works.
- DarwinDumper memmap dump works.

Should 00 enable full security so nothing is allowed?

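
To read values like the ones quoted in the posts above as named flags, here is an added example that is not part of any post and not Clover or Apple code. It decodes `nvram -p` output into the CSR_* names (bit positions taken from xnu's bsd/sys/csr.h) and the kBootArgsFlag* names Slice posted; it assumes the name and value are separated by the tab that `nvram -p` prints, so a leading space in a value is a real 0x20 byte. The sample input is constructed.

```python
# Added example: decode the csr-active-config and bootercfg values that
# `nvram -p` prints. CSR bit positions come from xnu bsd/sys/csr.h; the
# bootercfg bits are the kBootArgsFlag* definitions posted in this thread.
CSR_FLAGS = [
    "CSR_ALLOW_UNTRUSTED_KEXTS",      # 1 << 0
    "CSR_ALLOW_UNRESTRICTED_FS",      # 1 << 1
    "CSR_ALLOW_TASK_FOR_PID",         # 1 << 2
    "CSR_ALLOW_KERNEL_DEBUGGER",      # 1 << 3
    "CSR_ALLOW_APPLE_INTERNAL",       # 1 << 4
    "CSR_ALLOW_UNRESTRICTED_DTRACE",  # 1 << 5
    "CSR_ALLOW_UNRESTRICTED_NVRAM",   # 1 << 6
]
BOOTER_FLAGS = [
    "kBootArgsFlagRebootOnPanic",     # 1 << 0
    "kBootArgsFlagHiDPI",             # 1 << 1
    "kBootArgsFlagBlack",             # 1 << 2
    "kBootArgsFlagCSRActiveConfig",   # 1 << 3
    "kBootArgsFlagCSRPendingConfig",  # 1 << 4
    "kBootArgsFlagCSRBoot",           # 1 << 5
    "kBootArgsFlagBlackBg",           # 1 << 6
    "kBootArgsFlagLoginUI",           # 1 << 7
]
TABLES = {"csr-active-config": CSR_FLAGS, "bootercfg": BOOTER_FLAGS}
HEX = "0123456789abcdefABCDEF"


def decode_nvram_value(text):
    """Undo nvram's display encoding: printable bytes appear raw, the rest as %xx."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%":
            pair = text[i + 1:i + 3]
            if len(pair) != 2 or any(c not in HEX for c in pair):
                raise ValueError(f"bad escape at offset {i}: {text[i:i + 3]!r}")
            out.append(int(pair, 16))
            i += 3
        else:
            if not " " <= text[i] <= "~":
                raise ValueError(f"unexpected character {text[i]!r}")
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def flag_names(value, table):
    """Names of the set bits; bits beyond the table are reported, not dropped."""
    names = [name for bit, name in enumerate(table) if value & (1 << bit)]
    unknown = value >> len(table)
    if unknown:
        names.append(f"unknown bits 0x{unknown << len(table):x}")
    return names


def audit(nvram_output):
    """Map each known variable to (integer value, list of flag names)."""
    report = {}
    for line in nvram_output.splitlines():
        name, tab, raw = line.partition("\t")   # name<TAB>value
        if tab and name in TABLES:
            value = int.from_bytes(decode_nvram_value(raw), "little")
            report[name] = (value, flag_names(value, TABLES[name]))
    return report


# Constructed sample, modelled on the values quoted in the thread.
SAMPLE = "security-mode\tnone\ncsr-active-config\tg%00%00%00\nbootercfg\t(%00\n"

if __name__ == "__main__":
    for name, (value, names) in audit(SAMPLE).items():
        print(f"{name} = 0x{value:02x}: {', '.join(names) or 'no flags set'}")
```
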
mhaeuser, posted July 25, 2015

> Had another look, and I may be wrong, but I think that booting with -x (with extra kexts in /S*/L*/E* and/or /L*/E*) will end in the same kind of error: "Not entitled to link kext: com.apple...". Correct? In that case it isn't limited to kexts located in EFI

I suppose you tested with Chameleon? In that case, this error seems to happen to all drivers loaded via 'Driver-' entries. boot.efi no longer creates them, but I think Chameleon still does. I'm pretty sure safe boot with boot.efi uses prelinkedkernel now as well, though I cannot test - though there's no other logical way in my scope without 'Driver-'.

Edit: Nevermind... you didn't test

blackosx, posted July 25, 2015

I've just booted El Capitan DP4 using Clover with -v -x kernel flags with FakeSMC in S/L/E.

    Jul 25 11:44:06 localhost kernel[0] <Notice>: Darwin Kernel Version 15.0.0: Sun Jul 12 07:47:20 PDT 2015; root:xnu-3247.1.56~16/RELEASE_X86_64
    Jul 25 11:44:06 localhost kernel[0] <Notice>: vm_page_bootstrap: 962225 free pages and 78159 wired pages
    Jul 25 11:44:06 localhost kernel[0] <Notice>: kext submap [0x<ptr> - 0x<ptr>], kernel text [0x<ptr> - 0x<ptr>]
    Jul 25 11:44:06 localhost kernel[0] <Notice>: zone leak detection enabled
    Jul 25 11:44:06 localhost kernel[0] <Notice>: "vm_compressor_mode" is 4
    Jul 25 11:44:06 localhost kernel[0] <Notice>: multiq scheduler config: deep-drain 0, ceiling 47, depth limit 4, band limit 127, sanity check 0
    Jul 25 11:44:06 localhost kernel[0] <Notice>: standard timeslicing quantum is 10000 us
    Jul 25 11:44:06 localhost kernel[0] <Notice>: standard background quantum is 2500 us
    Jul 25 11:44:06 localhost kernel[0] <Notice>: WQ[lt_init]: init linktable with max:262144 elements (8388608 bytes)
    Jul 25 11:44:06 localhost kernel[0] <Notice>: WQ[wqp_init]: init prepost table with max:262144 elements (8388608 bytes)
    Jul 25 11:44:06 localhost kernel[0] <Notice>: mig_table_max_displ = 15
    Jul 25 11:44:06 localhost kernel[0] <Notice>: TSC Deadline Timer supported and enabled
    Jul 25 11:44:06 localhost kernel[0] <Notice>: kdp_core zlib memory 0x7000
    Jul 25 11:44:06 localhost kernel[0] <Notice>: SAFE BOOT DETECTED - only valid OSBundleRequired kexts will be loaded.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Can't load kext com.apple.kec.Libm - not loadable during safe boot.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.kec.Libm failed to load (0xdc008012).
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Failed to load kext com.apple.kec.Libm (error 0xdc008012).
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.driver.pmtelemetry is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.filesystems.ntfs is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.filesystems.msdosfs is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.driver.LuaHardwareAccess is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.iokit.IOUserEthernet is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.driver.AppleSMCPDRC is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.iokit.IOHIDUserClient is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.iokit.IOBluetoothSerialManager is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.driver.CoreCaptureResponder is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.vecLib.kext is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.iokit.IOAudioFamily is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.driver.AudioAUUC is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.driver.AppleUpstreamUserClient is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.driver.AppleTyMCEDriver is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.driver.AppleOSXWatchdog is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.driver.AppleIntelSlowAdaptiveClocking is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.driver.AppleIntelHD3000Graphics is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.driver.AppleHWAccess is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.driver.AppleHV is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.iokit.IOHDAFamily is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.driver.AppleHDAHardwareConfigDriver is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.driver.AppleHDAController is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.kext.OSvKernDSPLib is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.driver.DspFuncLib is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.driver.AppleHDA is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.driver.AppleFIVRDriver is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Kext com.apple.AMDRadeonX3000 is not loadable during safe boot; omitting its personalities.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: AppleACPICPU: ProcessorId=1 LocalApicId=0 Enabled
    Jul 25 11:44:06 localhost kernel[0] <Notice>: AppleACPICPU: ProcessorId=2 LocalApicId=2 Enabled
    Jul 25 11:44:06 localhost kernel[0] <Notice>: AppleACPICPU: ProcessorId=3 LocalApicId=4 Enabled
    Jul 25 11:44:06 localhost kernel[0] <Notice>: AppleACPICPU: ProcessorId=4 LocalApicId=6 Enabled
    Jul 25 11:44:06 localhost kernel[0] <Notice>: AppleACPICPU: ProcessorId=5 LocalApicId=1 Enabled
    Jul 25 11:44:06 localhost kernel[0] <Notice>: AppleACPICPU: ProcessorId=6 LocalApicId=3 Enabled
    Jul 25 11:44:06 localhost kernel[0] <Notice>: AppleACPICPU: ProcessorId=7 LocalApicId=5 Enabled
    Jul 25 11:44:06 localhost kernel[0] <Notice>: AppleACPICPU: ProcessorId=8 LocalApicId=7 Enabled
    Jul 25 11:44:06 localhost kernel[0] <Notice>: calling mpo_policy_init for TMSafetyNet
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Security policy loaded: Safety net for Time Machine (TMSafetyNet)
    Jul 25 11:44:06 localhost kernel[0] <Notice>: calling mpo_policy_init for AMFI
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Security policy loaded: Apple Mobile File Integrity (AMFI)
    Jul 25 11:44:06 localhost kernel[0] <Notice>: calling mpo_policy_init for Sandbox
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Security policy loaded: Seatbelt sandbox policy (Sandbox)
    Jul 25 11:44:06 localhost kernel[0] <Notice>: calling mpo_policy_init for Quarantine
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Security policy loaded: Quarantine policy (Quarantine)
    Jul 25 11:44:06 localhost kernel[0] <Notice>: Copyright (c) 1982, 1986, 1989, 1991, 1993
    Jul 25 11:44:06 localhost kernel[0] <Notice>: The Regents of the University of California. All rights reserved.
    Jul 25 11:44:06 localhost kernel[0] <Notice>: MAC Framework successfully initialized
    Jul 25 11:44:06 localhost kernel[0] <Notice>: using 16384 buffer headers and 10240 cluster IO buffer headers
    Jul 25 11:44:06 localhost kernel[0] <Notice>: IOAPIC: Version 0x20 Vectors 64:87
    Jul 25 11:44:06 localhost kernel[0] <Notice>: ACPI: sleep states S3 S4 S5
    Jul 25 11:44:06 localhost kernel[0] <Notice>: pci (build 08:04:55 Jul 12 2015), flags 0xe3000, pfm64 (36 cpu) 0xf80000000, 0x80000000
    Jul 25 11:44:06 localhost kernel[0] <Notice>: FakeSMC: opensource SMC device emulator by netkas (C) 2009
    Jul 25 11:44:06 localhost kernel[0] <Notice>: FakeSMC: plugins & plugins support modifications by mozodojo, usr-sse2, slice (C) 2010
    Jul 25 11:44:06 localhost kernel[0] <Notice>: FakeSMCDevice: 18 preconfigured key(s) added
    Jul 25 11:44:06 localhost kernel[0] <Notice>: FakeSMCDevice: successfully initialized
    Jul 25 11:44:06 localhost kernel[0] <Notice>: [ PCI configuration begin ]
    Jul 25 11:44:06 localhost kernel[0] <Notice>: console relocated to 0xf90000000

mhaeuser, posted July 25, 2015

> I would happily be using Oz if it wasn't for the need to reflash my BIOS module everytime I used it.

Can't you just create a driver entry via bcfg driver like you would for Clover via bcfg boot? File system drivers are recommended to be flashed, but the Ozmosis driver itself is happy on HDD as well... and the flashed FS drivers also comfort Clover.

The Real Deal, posted July 25, 2015

> Added new card names. Added possibility to rename cards. But nothing about functionality. Check is your config.plist changed.

Alright...

For people who used to boot with clover r3050 or close revisions, if you get a black screen with newer clover (r3241 in my case):

The solution is from now on to inject CustomEDID (briefly: ioreg -lw0 | grep IODisplayEDID + plisteditpro to BASE64 or an online HEX to BASE64 editor).

Bye.