Jump to content

Clover General discussion


ErmaC
30,171 posts in this topic

Recommended Posts

Personally, I've never had a problem with security in OS X over the last ten years and even if we exclude this new SIP Mac OS is the most secure its ever been.

Yes You are right!

Link to comment
Share on other sites

Still can not disable csr using Clover 3253

shyhjie@temps-mbp ~ $ csrutil status
System Integrity Protection status: enabled.

nvram -p shows nvram is set correctly, also tried 0x55

shyhjie@temps-mbp ~ $ nvram -p
bootercfg   (%00
fmm-computer-name   temps-mbp
prev-lang:kbd   en:0
security-mode   none
efi-boot-device <array><dict><key>IOMatch</key><dict><key>IOProviderClass</key><string>IOMedia</string><key>IOPropertyMatch</key><dict><key>UUID</key><string>AA82655B-00B3-4282-90D1-536D4EA6B3BB</string></dict></dict></dict></array>
backlight-level H%04
tbt-options %04
efi-boot-device-data    %02%01%0c%00%d0A%03%0a%00%00%00%00%01%01%06%00%02%1f%03%12%0a%00%00%00%00%00%00%00%04%01*%00%03%00%00%00%00pV%09%00%00%00%00%e00%cd"%00%00%00%00[e%82%aa%b3%00%82B%90%d1SmN%a6%b3%bb%02%02%7f%ff%04%00
LocationServicesEnabled %01
csr-active-config   g%00%00%00

kernel version and boot param, with/without rootless = 0 doesn't matter.

shyhjie@temps-mbp ~ $ uname -a
Darwin temps-mbp 15.0.0 Darwin Kernel Version 15.0.0: Tue Jul 21 21:47:25 PDT 2015; root:xnu-3247.1.68~32/RELEASE_X86_64 x86_64
shyhjie@temps-mbp ~ $ bdmesg|grep kext-dev
16:447  6:016  EDITED: -v -xcpm kext-dev-mode=1
Link to comment
Share on other sites

 

Still can not disable csr using Clover 3253

shyhjie@temps-mbp ~ $ csrutil status
System Integrity Protection status: enabled.

nvram -p shows nvram is set correctly, also tried 0x55

shyhjie@temps-mbp ~ $ nvram -p
bootercfg   (%00
fmm-computer-name   temps-mbp
prev-lang:kbd   en:0
security-mode   none
efi-boot-device <array><dict><key>IOMatch</key><dict><key>IOProviderClass</key><string>IOMedia</string><key>IOPropertyMatch</key><dict><key>UUID</key><string>AA82655B-00B3-4282-90D1-536D4EA6B3BB</string></dict></dict></dict></array>
backlight-level H%04
tbt-options %04
efi-boot-device-data    %02%01%0c%00%d0A%03%0a%00%00%00%00%01%01%06%00%02%1f%03%12%0a%00%00%00%00%00%00%00%04%01*%00%03%00%00%00%00pV%09%00%00%00%00%e00%cd"%00%00%00%00[e%82%aa%b3%00%82B%90%d1SmN%a6%b3%bb%02%02%7f%ff%04%00
LocationServicesEnabled %01
csr-active-config   g%00%00%00

kernel version and boot param, with/without rootless = 0 doesn't matter.

shyhjie@temps-mbp ~ $ uname -a
Darwin temps-mbp 15.0.0 Darwin Kernel Version 15.0.0: Tue Jul 21 21:47:25 PDT 2015; root:xnu-3247.1.68~32/RELEASE_X86_64 x86_64
shyhjie@temps-mbp ~ $ bdmesg|grep kext-dev
16:447  6:016  EDITED: -v -xcpm kext-dev-mode=1

Are you using EmuVariableUEFI? 

Link to comment
Share on other sites

Are you using EmuVariableUEFI? 

No, I did not have EmuVariableUEFI.efi, but after I install EmuVariableUEFI-64.efi , and I saw EmuVariableUEFI-64.efi load success, initialize success... in my bdmesg.

 

csrutils status still enabled.

Link to comment
Share on other sites

No, I did not have EmuVariableUEFI.efi, but after I install EmuVariableUEFI-64.efi , and I saw EmuVariableUEFI-64.efi load success, initialize success... in my bdmesg.

 

csrutils status still enabled.

Did you try disabling it from recovery?

 

If not, you can try booting into your Recovery partition, opening up a Terminal window, and typing:

 

csrutil disable

Although adding

<key>RtVariables</key>
    <dict>
        <key>CsrActiveConfig</key>
        <string>0x67</string>
        <key>BooterConfig</key>
        <string>0x28</string>
    </dict>

in Clover config plist, should have the same effect.

 

Also, I've got a question: is anyone else having reboots almost immediately after successfully booting into EC? The system just reboots once, sometimes twice, then it's all fine. Is this from the update (running PB3 right now, build 15A234d), or something in Clover? Any idea?

 

I remember having these issues with Yosemite as well, back when it was in Beta. So...I wouldn't be surprised if it was something from the updates.

Link to comment
Share on other sites

No, I did not have EmuVariableUEFI.efi, but after I install EmuVariableUEFI-64.efi , and I saw EmuVariableUEFI-64.efi load success, initialize success... in my bdmesg.

 

csrutils status still enabled.

I do not use EmuVariableUEFI, but if installed it can cause problems reading from Nvram. 

 

Disabled csr with csrutil disable in PB2, do not know if it works with PB3, since enabling it will give an error.

p70:~ Lex$ csrutil enable
csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS.

Not the way it was intended by Clover, but should be tested. I'm wondering if OS X even reads the values for csr from the Nvram in DP5 and PB3. 

Link to comment
Share on other sites

I do not use EmuVariableUEFI, but if installed it can cause problems reading from Nvram. 

 

Disabled csr with csrutil disable in PB2, do not know if it works with PB3, since enabling it will give an error.

p70:~ Lex$ csrutil enable
csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS.

Not the way it was intended by Clover, but should be tested. I'm wondering if OS X even reads the values for csr from the Nvram in DP5 and PB3. 

 

csrutil disable works from Recovery, in PB3. Doesn't work from the OS though.

 

And I'm using EmuVariableUEFI-64 with no issues. 

  • Like 1
Link to comment
Share on other sites

csrutil disable works from Recovery, in PB3. Doesn't work from the OS though.

 

And I'm using EmuVariableUEFI-64 with no issues. 

Depends on the system i think, on the Acer and Toshiba in my sig, with it i could not store nvram variables, on the Dell it was a mandatory driver. 

Thank you for the feedback on the csrutil disable :)

  • Like 1
Link to comment
Share on other sites

Its where apple wants you to put 3rd party kexts. Stay out of SLE!

 

Okay, I'm really confused now. I thought the whole point of Clover was to keep any and all kexts away from S/L/E or L/E and to have them injected from EFI/CLOVER/kexts. Isn't that right? I have my FakeSMC.kext, realtekALC.kext, and RealtekRTL8111.kext in that folder and them seem to inject fine and work properly. Am I wrong to assume that?

 

Where is the proper place to put additional kexts when using Clover?

 

Thanks!

Link to comment
Share on other sites

hello

 

what u quote is related to 10.11 El Capo

 

if u don't are running that .. the kext should be in kexts/10.10 to be injected in cache ..

 

only is broken in 10.11

 

good hack

Link to comment
Share on other sites

At least there's less stuff in /L/E. If point upgrades don't mess with FakeSMC in /L/E, this will be just as good as being in the EFI.

Heck, I could even just reduce my CSR flag to unsigned kexts, 0x01. 

 

Scary having my Mackintosh hanging by a single bit, but there we are : )

Link to comment
Share on other sites

only is broken in 10.11

Dummy kexts/Info.plists work

Kext w/executable code do not (even with SIP completely disabled)

Aug  1 19:44:41 localhost kernel[0]: Not entitled to link kext 'org.netkas.driver.FakeSMC'
Aug  1 19:44:41 localhost kernel[0]: Failed to load executable for kext org.netkas.driver.FakeSMC.
Aug  1 19:37:59 localhost kernel[0]: Not entitled to link kext 'com.insanelymac.IntelMausiEthernet'
Aug  1 19:37:59 localhost kernel[0]: Failed to load executable for kext com.insanelymac.IntelMausiEthernet.
  • Like 1
Link to comment
Share on other sites

 

Hey Guys, can anyone explain me what do these three options?

 

CSR_ALLOW_TASK_FOR_PID
CSR_ALLOW_UNRESTRICTED_DTRACE
CSR_ALLOW_UNRESTRICTED_NVRAM

 

 

Not sure about the first one.... PID=Process Identifier? Setting it to 1 enables it to run tasks, and setting it to 0 disables it. Did I get this right? Can anyone confirm?

 

For the second one, setting it to 1 activates unrestricted access for DTrace. Setting it to 0 will disable it.

 

About DTrace (source: wiki):

DTrace is a comprehensive dynamic tracing framework created by Sun Microsystems for troubleshooting kernel and application problems on production systems in real time. Originally developed for Solaris, it has since been released under the free Common Development and Distribution License (CDDL) and has been ported to several other Unix-like systems (that includes OS X).

 

For the third one, setting it to 1 activates unrestricted access to NVRAM editing. Setting it to 0 will disable it.

 

About NVRAM (source: wiki):

Non-volatile random-access memory (NVRAM) is random-access memory that retains its information when power is turned off (non-volatile). This is in contrast to dynamic random-access memory (DRAM) and static random-access memory (SRAM), which both maintain data only for as long as power is applied.

The best-known form of NVRAM memory today is flash memory.

 

Also, I've got one issue. I can't turn off my computer anymore. The display goes to idle, so I'm guess the video card is disabled, but the power is still provided to the board and I think the CPU is also running.

Before, I was having the same issue when setting the computer to Sleep (issue is still there). And to prevent that, I just set it to not go to Sleep automatically anymore. But I don't remember having that kind of issues for Shut Down. Looks like it tries to go into Sleep mode instead of shutting down.

 

Any idea?

  • Like 1
Link to comment
Share on other sites

 

Hey Guys, can anyone explain me what do these three options?

 

CSR_ALLOW_TASK_FOR_PID
CSR_ALLOW_UNRESTRICTED_DTRACE
CSR_ALLOW_UNRESTRICTED_NVRAM

 

 

 

Not sure about the first one.... PID=Process Identifier? Setting it to 1 enables it to run tasks, and setting it to 0 disables it. Did I get this right? Can anyone confirm?

 

For the second one, setting it to 1 activates unrestricted access for DTrace. Setting it to 0 will disable it.

 

About DTrace (source: wiki):

DTrace is a comprehensive dynamic tracing framework created by Sun Microsystems for troubleshooting kernel and application problems on production systems in real time. Originally developed for Solaris, it has since been released under the free Common Development and Distribution License (CDDL) and has been ported to several other Unix-like systems (that includes OS X).

 

For the third one, setting it to 1 activates unrestricted access to NVRAM editing. Setting it to 0 will disable it.

 

About NVRAM (source: wiki):

Non-volatile random-access memory (NVRAM) is random-access memory that retains its information when power is turned off (non-volatile). This is in contrast to dynamic random-access memory (DRAM) and static random-access memory (SRAM), which both maintain data only for as long as power is applied.

The best-known form of NVRAM memory today is flash memory.

 

Also, I've got one issue. I can't turn off my computer anymore. The display goes to idle, so I'm guess the video card is disabled, but the power is still provided to the board and I think the CPU is also running.

Before, I was having the same issue when setting the computer to Sleep (issue is still there). And to prevent that, I just set it to not go to Sleep automatically anymore. But I don't remember having that kind of issues for Shut Down. Looks like it tries to go into Sleep mode instead of shutting down.

 

Any idea?

Thanks man but at the moment of usability how these three options benefit me. Ex. if I don't use CSR_ALLOW_UNRESTRICTED_NVRAM, NVRAM no longer works on the motherboars that use RTvariables ???

Link to comment
Share on other sites

Last login: Sun Aug  2 18:07:20 on ttys000
crushers-iMac:~ crusher$ csrutil status
System Integrity Protection status: enabled.
crushers-iMac:~ crusher$ 

always put on 0!!!!

 

Hi freind  :lol:  Five years  Hakintoshing and testing lots of thing, Never using Antivirus in my Mac and Hackintosh

I never have no Virus or something like that .

In  french  PAS DE BÉBITES  /    :D  :thumbsup_anim:

Link to comment
Share on other sites

Personally, I've never had a problem with security in OS X over the last ten years and even if we exclude this new SIP Mac OS is the most secure its ever been.

Me too, but what you say is like: "Hey. I never had problems with security holes so let's not care and apply any security patches (updates)."

  • Like 1
Link to comment
Share on other sites

Hi freind  :lol:  Five years  Hakintoshing and testing lots of thing, Never using Antivirus in my Mac and Hackintosh

I never have no Virus or something like that .

In  french  PAS DE BÉBITES  /    :D  :thumbsup_anim:

If you never used, you could never know. :lol:

Link to comment
Share on other sites

×
×
  • Create New...