mhaeuser Posted July 28, 2015

> I liked this post earlier but having reread it I feel it could be interpreted as liking Pike's retort back to Download-Fritz where in fact I was liking Pike's description of his proof of concept. I have therefore quoted above only the part I liked.

Haha, chill, it's all good. I just didn't see the direct purpose of this PoC to be honest. That the kext signature is only checked when creating the cache and not from the cache itself has been known since it was introduced in OS X Yosemite. You could boot with kext-dev-mode, create the cache with unsigned kexts and reboot without the flag fine. And in my opinion, the PoC is pretty much the same except for the fact that the file path is changed.

No offense meant to anyone though, just my direct thoughts. Correct me all day if you want, but I ask you to do it in a proper way instead of accusing me of assuming things I did not, e.g. that the idea is not good, which I said in no direct way.

I will play around with stuff and see if I'm capable of writing up some code to append kexts to the prelinkedkernel in-memory, though don't count on me. Besides being a little busy with other stuff, I'm also mostly inexperienced.

EDIT: I saw Mr. Alpha edited his blog post saying the information was pretty unknown and saying it after he published his post is unfair. If it was known, it would have been implemented in Chameleon or Clover, right? Well... I always wondered, what business do the boot solutions have setting or managing Apple NVRAM variables? They are supposed to deliver features that the user didn't have before, though editing NVRAM is not one of them in my opinion. If the user wants kext-dev-mode enabled, the user can set it (either via hardware NVRAM, FileNVRAM, EmuVariableDrv or whatever). If he doesn't want it, he can just not set it.

I always hated it when the boot solution thought it knew better than me and didn't let me manage the setup the way I wanted it (though recently I'm quite happy).

Anyways, I didn't use Mavericks in ages and Yosemite not since El Capitan was out. I can't prove it, but I have no reason to lie. That piece of knowledge is not rocket science but an experiment of boredom maybe lasting 5 minutes. I saw quite a few users in chat saying they did it that way and being so happy they didn't need to use the flag after.
blackosx Posted July 29, 2015

Thanks for the recent csr additions slice. After some testing this morning I can confirm the CsrActiveConfig settings are working. But I’m still not sure what the BooterConfig setting does, other than write the bootercfg nvram var which we see in the DumpUefiCalls log.

EDIT: Actually BooterConfig can be set to 0x63 to enable black mode if you don't already have it.

This is what I used for my testing:

0x00 (00000000)

    0 CSR_ALLOW_UNTRUSTED_KEXTS
    0 CSR_ALLOW_UNRESTRICTED_FS
    0 CSR_ALLOW_TASK_FOR_PID
    0 CSR_ALLOW_KERNEL_DEBUGGER
    0 CSR_ALLOW_APPLE_INTERNA
    0 CSR_ALLOW_UNRESTRICTED_DTRACE
    0 CSR_ALLOW_UNRESTRICTED_NVRAM

    <key>RtVariables</key>
    <dict>
        <key>CsrActiveConfig</key>
        <string>0x00</string>
        <key>BooterConfig</key>
        <string>0x28</string>
    </dict>

Security is enabled.
I cannot edit a kext’s info.plist in S/L/E
DarwinDumper’s memory dump (dtrace) and loading DirectHW.kext both fail.

================

0x67 (01100111)

    1 CSR_ALLOW_UNTRUSTED_KEXTS
    1 CSR_ALLOW_UNRESTRICTED_FS
    1 CSR_ALLOW_TASK_FOR_PID
    0 CSR_ALLOW_KERNEL_DEBUGGER
    0 CSR_ALLOW_APPLE_INTERNA
    1 CSR_ALLOW_UNRESTRICTED_DTRACE
    1 CSR_ALLOW_UNRESTRICTED_NVRAM

    <key>RtVariables</key>
    <dict>
        <key>CsrActiveConfig</key>
        <string>0x67</string>
        <key>BooterConfig</key>
        <string>0x28</string>
    </dict>

Security is completely disabled.
I can edit a kext’s info.plist in S/L/E
DarwinDumper’s memory dump (dtrace) and loading DirectHW.kext both run.

================

0x65 (01100101)

    1 CSR_ALLOW_UNTRUSTED_KEXTS
    0 CSR_ALLOW_UNRESTRICTED_FS
    1 CSR_ALLOW_TASK_FOR_PID
    0 CSR_ALLOW_KERNEL_DEBUGGER
    0 CSR_ALLOW_APPLE_INTERNA
    1 CSR_ALLOW_UNRESTRICTED_DTRACE
    1 CSR_ALLOW_UNRESTRICTED_NVRAM

    <key>RtVariables</key>
    <dict>
        <key>CsrActiveConfig</key>
        <string>0x65</string>
        <key>BooterConfig</key>
        <string>0x28</string>
    </dict>

Security is enabled for file system.
I cannot edit a kext’s info.plist in S/L/E
DarwinDumper’s memory dump (dtrace) and loading DirectHW.kext both run.
calibre™ Posted July 29, 2015

Nice blackosx. Does this also affect kext-dev-mode in Yosemite?
Slice Posted July 29, 2015

> Nice blackosx. Does this also affect kext-dev-mode in Yosemite?

As far as I can see in the Yosemite kernel sources, it does.

I still can't upload the new installer because sf.net is still not fully functional. The upload service is not working yet. Wait, please.
Riley Freeman Posted July 29, 2015

You could always post it here while waiting for SF to get their act together.

I haven't touched my laptop since everything went south on the Z68 with DP4. It's still running PB1. So if the current Clover will allow injection etc to work as before it would be nice to upgrade to that and try PB2. Although it's currently tied-up with the Windows 10 update.
smolderas Posted July 29, 2015

> As far as I can see in the Yosemite kernel sources, it does.
>
> I still can't upload the new installer because sf.net is still not fully functional. The upload service is not working yet. Wait, please.

I know how you feel about github.com. But I can only recommend migrating to it, or better, to gitlab.com.
Pike R. Alpha Posted July 29, 2015

> Thanks for the recent csr additions slice. After some testing this morning I can confirm the CsrActiveConfig settings are working. But I’m still not sure what the BooterConfig setting does, other than write the bootercfg nvram var which we see in the DumpUefiCalls log. This is what I used for my testing:...

You can run csrutil enable/disable/status/report
Optionally with --no-internal.
WaldMeister Posted July 29, 2015

> You can run csrutil enable/disable/status/report
> Optionally with --no-internal.

Small correction:

    p70:~ Lex$ csrutil report
    csrutil: invalid command report
    usage: csrutil <command>
    Modify the System Integrity Protection configuration. All configuration changes apply to the entire machine.
    Available commands:
        disable
            Disable the protection on the machine. Requires a reboot.
        enable
            Enable the protection on the machine. Requires a reboot.
        status
            Display the current configuration.
pianman Posted July 29, 2015

Hi everyone, I have a problem with the AppleTyMCEDriver patch in Clover. I use a Mac Pro 4,1 as SMBIOS, because my GTX 760 is faster with a Mac Pro 4,1 than a Mac Pro 3,1. Now I see on the Clover wiki page that there is a patch for AppleTyMCEDriver. I use it now, but when I start Yosemite I have a KP with AppleTyMCEDriver, so I must delete the file from Windows. I hope someone can help me, because every time I upgrade Yosemite I have a KP. This is my config.plist: config.plist.zip
blackosx Posted July 29, 2015

> You can run csrutil enable/disable/status/report
> Optionally with --no-internal.

Thanks for the tip. I'll try it this evening.

> Hi everyone, I have a problem with the AppleTyMCEDriver patch in Clover. I use a Mac Pro 4,1 as SMBIOS, because my GTX 760 is faster with a Mac Pro 4,1 than a Mac Pro 3,1. Now I see on the Clover wiki page that there is a patch for AppleTyMCEDriver. I use it now, but when I start Yosemite I have a KP with AppleTyMCEDriver, so I must delete the file from Windows. I hope someone can help me, because every time I upgrade Yosemite I have a KP. This is my config.plist

You should be able to boot in to OS X's single-user mode using the -s kernel flag.
Then I'm not entirely sure of the exact steps but you can remove the driver using something like this:

    mount -uw /
    rm -rf /system/library/extensions/appletymcedriver.kext
    exit
mendietinha Posted July 29, 2015

SIP is down here. Going to enable again next reboot. Good job, fellas.
polyzargone Posted July 29, 2015

> Thanks for the tip. I'll try it this evening.
>
> You should be able to boot in to OS X's single-user mode using the -s kernel flag.
> Then I'm not entirely sure of the exact steps but you can remove the driver using something like this:
>
>     mount -uw /
>     rm -rf /system/library/extensions/appletymcedriver.kext
>     exit

Correct me if I'm wrong but I think the exact syntax is:

    /sbin/mount -uw /
    rm -rf /System/Library/Extensions/AppleTyMCEDriver.kext
    exit
blackosx Posted July 29, 2015

Thanks for the correction polyzargone. I did say I wasn't entirely sure of the exact steps off the top of my head.
polyzargone Posted July 29, 2015

Sure, I noticed that.
WaldMeister Posted July 29, 2015

> Correct me if I'm wrong but I think the exact syntax is:
>
>     /sbin/mount -uw /
>     rm -rf /System/Library/Extensions/AppleTyMCEDriver.kext
>     exit

> Thanks for the correction polyzargone. I did say I wasn't entirely sure of the exact steps off the top of my head.

Mount -uw / works also, the path and filename are case sensitive though.
polyzargone Posted July 29, 2015

> Mount -uw / works also, the path and filename are case sensitive though.

Ok, thanks for sharing.
blackosx Posted July 29, 2015

    $ csrutil status
    System Integrity Protection status: disabled.

I was hoping for something more detailed.

EDIT:

    Welcome to DarwinDumper 2.9.9b3
    Wed Jul 29 19:30:30 BST 2015
    System Version: OS X 10.11 (15A235d)
    Security Integrity Configuration: Custom

This is a little better.
Riley Freeman Posted July 29, 2015

Can someone post an installer for Clover 3251 or 3252? I've been trying for the last couple of hours with CloverGrower and then CloverGrowerPro but each time it fails with one error or another.
FredWst Posted July 29, 2015

> Can someone post an installer for Clover 3251 or 3252? I've been trying for the last couple of hours with CloverGrower and then CloverGrowerPro but each time it fails with one error or another.

https://www.dropbox....51.pkg.zip?dl=0

Fred
Maniac10 Posted July 29, 2015

Hi devs, I've been having some trouble building the installer lately but I'm not sure if it's a Clover or CloverGrowerPro issue.

    ld: file not found: /usr/lib/system/libsystem_stats.dylib for architecture x86_64
    collect2: error: ld returned 1 exit status
    make[2]: *** [../bin/GnuGenBootSector] Error 1
    make[1]: *** [GnuGenBootSector] Error 2
    make: *** [source/C] Error 2
    Cloverx64 release ERROR!!

And indeed the file "libsystem_stats.dylib" doesn't exist in that folder in 10.11 beta5.
Pike R. Alpha Posted July 29, 2015

> EDIT: I saw Mr. Alpha edited his blog post saying the information was pretty unknown and saying it after he published his post is unfair. If it was known, it would have been implemented in Chameleon or Clover, right? Well... I always wondered, what business do the boot solutions have setting or managing Apple NVRAM variables? They are supposed to deliver features that the user didn't have before, though editing NVRAM is not one of them in my opinion. If the user wants kext-dev-mode enabled, the user can set it (either via hardware NVRAM, FileNVRAM, EmuVariableDrv or whatever). If he doesn't want it, he can just not set it.
>
> I always hated it when the boot solution thought it knew better than me and didn't let me manage the setup the way I wanted it (though recently I'm quite happy).
>
> Anyways, I didn't use Mavericks in ages and Yosemite not since El Capitan was out. I can't prove it, but I have no reason to lie. That piece of knowledge is not rocket science but an experiment of boredom maybe lasting 5 minutes. I saw quite a few users in chat saying they did it that way and being so happy they didn't need to use the flag after.

Well hello. Please read my blog post again (edited for clarity) and then remember that it is about kext injection in El Capitan with full SIP already in place.

Also. I wasn't talking about implementing NVRAM settings. Just plain kext injection, but the proper way, which is still not done. Yes. I wonder why nobody told slice how he could fix it, but then again the DP4 that broke kext injection is how old again?

About the people who told you that they had been using "this" (whatever that may be) before, is rubbish. My POC is about El Capitan, and I do this without kext-dev-mode (in Mavericks/Yosemite) and/or rootless=0 in El Capitan. Neither do I need any of the CSR flags. That makes it a totally different story.
naiclub Posted July 29, 2015

I'm comflle work well

https://www.dropbox.com/s/oru6n1wf08hxgty/Clover_v2.3k_r3252.pkg?dl=0
Riley Freeman Posted July 30, 2015

Now that I was able to update Clover to r3251 thanks to FredWst sharing the installer I successfully updated to PB2 and then PB3. Kexts are in /L/E and CsrActiveConfig is set to 0x65.
arsradu Posted July 30, 2015

> Now that I was able to update Clover to r3251 thanks to FredWst sharing the installer I successfully updated to PB2 and then PB3. Kexts are in /L/E and CsrActiveConfig is set to 0x65.

Will it work without doing those things and just updating Clover to 3251? Will Clover automatically set all those things up?

Also, will the old method (adding the kexts in Clover/kexts) still work for the installer (assuming you want to start fresh with DP4 or PB2 and you need to create a USB installer with Clover as bootloader)?

I'm currently on DP3, with the kexts in Clover/kexts, as usual and not necessarily looking for a fresh install right now. But it's still good to know for when I will need to make a fresh install. Also, will this method do any harm to the current Yosemite partitions?

Also, if I do need to do those things (move kexts around and set things up), how do I set CsrActiveConfig to 0x65 (is it something in config.plist?) and what does that mean/do?

Sorry for the noob questions but if I don't ask, I'll never understand. So I prefer to ask, understand, and become a little bit less of a noob.
Riley Freeman Posted July 30, 2015

It won't set up the RtVariables. These have to be added to your config.plist. Otherwise SIP is active and the kexts will be omitted from the post-update cache rebuild.

This post from blackosx explains the CSR variables (I also added the BooterConfig one though I'm not really sure what it does).

Look at the 8 digits in the brackets after 0x67. Now look at the list of CSR values from bottom to top and you'll see the matching pattern of the 0s and 1s. You enable or disable the values using 0 or 1 and list them in a string starting from the bottom of the list. When you convert the binary string to hex you get 0x67.

Injection still doesn't work from EFI. So if (like me) you want to be able to boot a vanilla installer you'll have to stick with DB3 or PB1 and then copy the kexts to /L/E afterwards. Not ideal, but we just have to wait for the Clover guys to get injection working again.
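
The bit-to-hex mapping described in the post above, applied to the CsrActiveConfig values blackosx tested, as an added example that is not part of any post in this thread or of Clover's code. The flag order comes from blackosx's list (first entry is bit 0; the fifth name, shown there as CSR_ALLOW_APPLE_INTERNA, is written as CSR_ALLOW_APPLE_INTERNAL as in XNU's bsd/sys/csr.h); the sample config.plist is constructed and the function names are hypothetical.

```python
import plistlib

# Flag order as in blackosx's list: first entry is bit 0, last is bit 6.
CSR_FLAGS = [
    "CSR_ALLOW_UNTRUSTED_KEXTS",
    "CSR_ALLOW_UNRESTRICTED_FS",
    "CSR_ALLOW_TASK_FOR_PID",
    "CSR_ALLOW_KERNEL_DEBUGGER",
    "CSR_ALLOW_APPLE_INTERNAL",
    "CSR_ALLOW_UNRESTRICTED_DTRACE",
    "CSR_ALLOW_UNRESTRICTED_NVRAM",
]

# Constructed sample config.plist (values taken from the 0x65 test above).
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>RtVariables</key>
  <dict>
    <key>CsrActiveConfig</key><string>0x65</string>
    <key>BooterConfig</key><string>0x28</string>
  </dict>
</dict></plist>"""

def decode_csr(value):
    """Return (names of the set flags, bits outside the seven listed flags)."""
    names = [name for bit, name in enumerate(CSR_FLAGS) if value & (1 << bit)]
    unknown = value & ~((1 << len(CSR_FLAGS)) - 1)
    return names, unknown

def encode_csr(names):
    """Build the hex string for config.plist from a list of flag names."""
    value = 0
    for name in names:
        value |= 1 << CSR_FLAGS.index(name)  # ValueError on an unknown name
    return "0x%02X" % value

def csr_from_config(plist_bytes):
    """Read RtVariables/CsrActiveConfig; None when the key is absent."""
    raw = plistlib.loads(plist_bytes).get("RtVariables", {}).get("CsrActiveConfig")
    if raw is None:
        return None
    return int(raw, 16) if isinstance(raw, str) else int(raw)

if __name__ == "__main__":
    value = csr_from_config(SAMPLE_CONFIG)
    names, unknown = decode_csr(value)
    print("CsrActiveConfig = 0x%02X (%s)" % (value, format(value, "08b")))
    for name in CSR_FLAGS:
        print(" ", 1 if name in names else 0, name)
    if unknown:
        print("  bits not in the list: 0x%X" % unknown)
```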