FYI: I committed the first changes for El Capitan support into a new branch – El Capitan – for the macosxbootloader.
Month: August 2015
LZVN command line tool updated
A new version of LZVN is available for download – the source code that is. You can compile LZVN by running make in the project directory. Do note that you need the Xcode command line utilities.
Unpacking of a prelinkedkernel can be done with
./lzvn -d /System/Library/Prelinkedkernels/prelinkedkernel prelinkedkernel_unpacked
Repacking of a prelinkedkernel can be done with
./lzvn prelinkedkernel_unpacked prelinkedkernel_repacked
This will inject a new (fixed up) mach header, which is stripped off when you unpack the prelinkedkernel. The end result should be the same as the factory kernel. You can verify this with
cmp -l /System/Library/Prelinkedkernels/prelinkedkernel prelinkedkernel_repacked
Yes of course! You can still unpack/repack any file with LZVN.
Update: You can now also extract the kernel from a prelinkedkernel. For this you use:
./lzvn -d <path/prelinkedkernel> kernel
Have fun with it!
csrutil updated in DP7
New version
The seventh Developer Preview (build number 15A263e) comes with version 13 with a couple of alterations.
New allowed netboot source list
csrutil
usage: csrutil
Modify the System Integrity Protection configuration. All configuration changes apply to the entire machine.
Available commands:

    clear
        Clear the existing configuration. Only available in Recovery OS.
    disable
        Disable the protection on the machine. Only available in Recovery OS.
    enable
        Enable the protection on the machine. Only available in Recovery OS.
    status
        Display the current configuration.

    netboot
        add <address>
            Insert a new IPv4 address in the list of allowed NetBoot sources.
        list
            Print the list of allowed NetBoot sources.
        remove <address>
            Remove an IPv4 address from the list of allowed NetBoot sources.
Improved output of csrutil status
I’m sure that this is something that people have been waiting for:
csrutil status
System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: enabled
    Debugging Restrictions: enabled
    DTrace Restrictions: enabled
    NVRAM Protections: enabled
With netboot setup you get something like this:
System Integrity Protection status: enabled.

Allowed NetBoot sources:
    10.10.0.1
    10.10.0.2
    10.10.0.3
    10.10.0.4
    10.10.0.5

At least now you know what is enabled, and what is not – on a Mac. I like it. Much better like this. But on a hack, on the other hand, this should be taken with a grain of salt. The reason for this is that the output of csrutil status may lie. That is, it may tell you that SIP is fully enabled when in fact it is not. This is because boot loaders may get out-of-sync with the setting.
Additionally, you may see this note:
This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
There is also a new NVRAM variable called csr-data. No data. Just <>. It may only be there after I changed the configuration. I’m not sure yet.
Update: This variable is used for netboot setups.
Here is an example of the output you’ll get with:
nvram -p
<dict><key>netboot-sources</key><array><string>10.10.0.1</string><string>10.10.0.2</string><string>10.10.0.3</string><string>10.10.0.4</string><string>10.10.0.5</string></array></dict>%00
For this I ran:
sudo csrutil netboot add 10.10.0.x
To remove the last IPv4 address you enter:
sudo csrutil netboot remove 10.10.0.5
You can verify if the change(s) were done correctly with either csrutil netboot list or csrutil status.
Edit: csrutil status first reads csr-data and if that is zero (0) then the value of csr-active-config is used.
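An added example (not the author's code) that parses the csrutil status layout and the csr-data value shown above and reports deviations from a baseline. The sample strings, the allow-list and the treatment of Apple Internal as a setting that should read disabled are assumptions; it only reads what the tools print, so the caveat about out-of-sync boot loaders still applies.

```python
import plistlib
import re
from urllib.parse import unquote_to_bytes

# Constructed samples in the formats shown on this page.
STATUS = ("System Integrity Protection status: enabled (Custom Configuration).\n\n"
          "Configuration:\n\tApple Internal: disabled\n\tKext Signing: disabled\n"
          "\tFilesystem Protections: enabled\n\tNVRAM Protections: enabled\n")
CSR_DATA = ("<dict><key>netboot-sources</key><array><string>10.10.0.1</string>"
            "<string>10.10.0.9</string></array></dict>%00")

def parse_status(text):
    """Turn `csrutil status` output into booleans plus the NetBoot source list."""
    head = re.search(r"status:\s*(enabled|disabled)\s*(\(Custom Configuration\))?", text)
    if not head:
        raise ValueError("unrecognised csrutil status output")
    out = {"enabled": head.group(1) == "enabled", "custom": bool(head.group(2)),
           "settings": {}, "netboot": []}
    for line in map(str.strip, text.splitlines()):
        kv = re.fullmatch(r"([A-Za-z ]+): (enabled|disabled)", line)
        if kv:
            out["settings"][kv.group(1)] = kv.group(2) == "enabled"
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", line):
            out["netboot"].append(line)
    return out

def parse_csr_data(value):
    """Decode csr-data as printed by `nvram -p`: percent-escaped, NUL-terminated."""
    raw = unquote_to_bytes(value.strip()).rstrip(b"\x00")
    if raw in (b"", b"<>"):  # empty variable, shown on this page as <>
        return []
    doc = plistlib.loads(b'<plist version="1.0">' + raw + b"</plist>")
    return list(doc.get("netboot-sources", []))

def audit(status_text, csr_data, allowed_sources):
    """Return findings; an empty list means the state matches the baseline."""
    st, findings = parse_status(status_text), []
    if not st["enabled"]:
        findings.append("SIP disabled")
    for name, on in st["settings"].items():
        # Assumption: "Apple Internal" should be off; every other entry should be on.
        if on == (name == "Apple Internal"):
            findings.append(f"{name}: {'enabled' if on else 'disabled'}")
    findings += [f"unexpected NetBoot source {ip}"
                 for ip in parse_csr_data(csr_data) if ip not in allowed_sources]
    return findings

if __name__ == "__main__":
    print(audit(STATUS, CSR_DATA, {"10.10.0.1", "10.10.0.2"}))
```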
And last but not least, this is what I get – from the command prompt on a hack – with:

csrutil enable --no-internal
csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS.

sudo csrutil enable --no-internal
Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.

sudo csrutil enable --without kext
csrutil: requesting an unsupported configuration. This is likely to break in the future and leave your machine in an unknown state.
Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.

sudo csrutil enable --without fs
csrutil: requesting an unsupported configuration. This is likely to break in the future and leave your machine in an unknown state.
Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.

sudo csrutil enable --without debug
csrutil: requesting an unsupported configuration. This is likely to break in the future and leave your machine in an unknown state.
Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.

sudo csrutil enable --without nvram
csrutil: requesting an unsupported configuration. This is likely to break in the future and leave your machine in an unknown state.
Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.
csrutil report
This command is also still supported. There is also a launch daemon called com.apple.csrutil.report.plist in /System/Library/LaunchDaemons, and that is configured for a timed job, i.e. set to run on the fourth day of the week at 3:20. Here is the content of the plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.csrutil.report</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/csrutil</string>
        <string>report</string>
    </array>
    <key>StartCalendarInterval</key>
    <dict>
        <key>Minute</key>
        <integer>20</integer>
        <key>Hour</key>
        <integer>3</integer>
        <key>WeekDay</key>
        <integer>4</integer>
    </dict>
</dict>
</plist>
See also: my csrstat.c to show CSR/SIP status and Apple’s Configuring System Integrity Protection
Update: When I run csrutil status, then I get a Segmentation fault: 11. No error with sudo.
AppleIntelInfo.kext updated to v1.2
Here is another quick update:
I updated the source code of AppleIntelInfo.kext to version 1.2 and one of the improvements is that it no longer uses /var/log/system.log but /tmp/AppleIntelInfo.dat (see README.md).
I know. This has been on my TODO list for ages, but here it is. Have fun now!
ssdtPRGen.sh v15.8 released
I found some time to update ssdtPRGen.sh (now version 15.8 Beta) and added initial support for the new Intel Skylake processors, including a first set of processor data, and I also added a whole bunch of Intel Broadwell processors.
If there is anything missing/not yet working, then please let me know and I will try to fix it. Thanks.
Update: The links to the Broadwell and Skylake processor data files were broken, but are now fixed thanks to Toleda. He also caught errors in the Broadwell processor data, that I also fixed. You can now also use -t or -tdp so that is also fixed.