El Capitan support for macosxbootloader

FYI: I committed the first changes for El Capitan support into a new branch – El Capitan – for the macosxbootloader.

LZVN command line tool updated

A new version of LZVN is available for download – the source code that is. You can compile LZVN by running make in the project directory. Do note that you need the Xcode command line utilities.

Unpacking of a prelinkedkernel can be done with

./lzvn -d /System/Library/Prelinkedkernels/prelinkedkernel prelinkedkernel_unpacked

Repacking of a prelinkedkernel can be down with

./lzvn prelinkedkernel_unpacked prelinkedkernel_repacked

This will inject a new (fixed up) mach header, which is stripped off when you unpack the prelinkedkernel. The end result should be the same as the factory kernel. You can verify this with

cmp -l /System/Library/Prelinkedkernels/prelinkedkernel prelinkedkernel_repacked

Yes of course! You can still unpack/repack any file with LZVN.

Update You can now also extract the kernel from a prelinkedkernel. For this you use:

./lzvn -d  <path/prelinkedkernel> kernel

Have fun with it!

csrutil updated in DP7

New version

The seventh Developer Preview (build number 15A263e) comes with version 13 with a couple of alterations.

New allowed netboot source list

csrutil
usage: csrutil
Modify the System Integrity Protection configuration. All configuration changes apply to the entire machine.
Available commands:

clear
	Clear the existing configuration. Only available in Recovery OS.

disable
	Disable the protection on the machine. Only available in Recovery OS.

enable
	Enable the protection on the machine. Only available in Recovery OS.

status
	Display the current configuration.

netboot
	add <address>
		Insert a new IPv4 address in the list of allowed NetBoot sources.
	list
		Print the list of allowed NetBoot sources.
	remove <address>
		Remove an IPv4 address from the list of allowed NetBoot sources.

Improved output of csrutil status

I’m sure that this is something that people have been waiting for

csrutil status
System Integrity Protection status: enabled (Custom Configuration).

Configuration:
	Apple Internal: disabled
	Kext Signing: disabled
	Filesystem Protections: enabled
	Debugging Restrictions: enabled
	DTrace Restrictions: enabled
	NVRAM Protections: enabled

With netboot setup you get something like this:

System Integrity Protection status: enabled.

Allowed NetBoot sources:
    10.10.0.1
    10.10.0.2
    10.10.0.3
    10.10.0.4
    10.10.0.5

At least now you know what is enabled, and what not – on a Mac. I like it. Much better like this. But on a hack on the other hand this should be taken with a grain of salt. The reason for this is that the output of csrutil status may lie. That is. It may tell you that SIP if fully enabled, when in fact it is not. This because boot loaders may get out-of-sync with the setting.

Additionally. You may see this note

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.

There is also a new NVRAM variable called csr-data. No data. Just <> May only be there after I changed the configuration. I’m not sure yet.

Update: This variable is used for netboot setups.

Here is an example of the output you’ll get with: nvram -p

<dict><key>netboot-sources</key><array><string>10.10.0.1</string><string>10.10.0.2</string><string>10.10.0.3<string>10.10.0.4</string><string>10.10.0.5</string></array></dict>%00

For this I ran: sudo csrutil netboot add 10.10.0.x

To remove the last IP4 address you enter: sudo csrutil netboot remove 10.10.0.5

You can verify if the change(s) were done correctly with either: csrutil netboot list or csrutil status.

Edit: csrutil status first reads csr-data and if that is zero (0) then the value of csr-active-config is used.

And last but not least. This is what I get – from the command prompt on a hack – with:

csrutil enable --no-internal
csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS.

sudo csrutil enable --no-internal
Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.

sudo csrutil enable --without kext
csrutil: requesting an unsupported configuration. This is likely to break in the future and leave your machine in an unknown state.
Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.

sudo csrutil enable --without fs
csrutil: requesting an unsupported configuration. This is likely to break in the future and leave your machine in an unknown state.
Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.

sudo csrutil enable --without debug
csrutil: requesting an unsupported configuration. This is likely to break in the future and leave your machine in an unknown state.
Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.

sudo csrutil enable --without nvram
csrutil: requesting an unsupported configuration. This is likely to break in the future and leave your machine in an unknown state.
Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.

csrutil report

This command is also still supported. Also. There is a launch daemon called com.apple.csrutil.report.plist in /System/Library/LaunchDaemons and that is configured for a timed job i.e. set to run on the fourth day of the week at 3:20 Here is the content of the plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.apple.csrutil.report</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/bin/csrutil</string>
		<string>report</string>
	</array>
	<key>StartCalendarInterval</key>
	<dict>
		<key>Minute</key>
		<integer>20</integer>
		<key>Hour</key>
		<integer>3</integer>
		<key>WeekDay</key>
		<integer>4</integer>
	</dict>
</dict>
</plist>

See also: my csrstat.c to show CSR/SIP status and Apple’s Configuring System Integrity Protection

Update: When I run csrutil status, then I get a Segmentation fault: 11 No error with sudo.

AppleIntelInfo.kext updated to v1.2

Here is another quick update:

I updated the source code of AppleIntelInfo.kext to version 1.2 and one of the improvements is that it no longer uses /var/log/system.log but /tmp/AppleIntelInfo.dat (see README.md

I know. This has been on my TODO list for ages, but here it is. Have fun now!

ssdtPRGen.sh v15.8 released

I found some time to update ssdtPRGen.sh (now version 15.8 Beta) and added initial support for the new Intel Skylake processors, including a first set of processor data, and I also added a whole bunch of Intel Broadwell processors.

If there is anything missing/not yet working, then please let me know and I will try to fix it. Thanks.

Update:  The links to the Broadwell and Skylake processor data files where broken, but are now fixed thanks to Toleda. He also caught errors in the Broadwell processor data, that I also fixed. You can now also use -t or -tdp so that is also fixed.