int mac_iokit_check_nvram_delete(kauth_cred_t cred, const char *name);
int mac_iokit_check_nvram_get(kauth_cred_t cred, const char *name);
int mac_iokit_check_nvram_set(kauth_cred_t cred, const char *name, io_object_t value);
The last one is called by AppleEFINVRAM to block access to NVRAM from its get/set/remove property functions, and the sandbox kext has hooks for these checks. The sandbox may have the platform profile, but AppleEFINVRAM acts as the last line of defence. The guardian. So how do we bypass this, you ask? For now we have three options on a hack:
1.) Use FileNVRAM.kext to override the calls to the get/set/remove property functions, so the check is never reached.
2.) Replace AppleEFINVRAM.kext with an older version that does not call the checks. I used the one from 10.9.5 and it worked.
3.) Patch the AppleEFINVRAM.kext binary with:
perl -pi -e 's|\x0F\x85\x40\x01\x00\x00|\x90\x90\x90\x90\x90\x90|' AppleEFINVRAM
What this does is NOP out the JNE instruction (0F 85 followed by a 32-bit displacement, here 0x140) tied to the call to _mac_iokit_check_nvram_set in the kernel, so the outcome of the check no longer matters. That's all. Nothing more. Meaning that you can run csrutil disable from the command line, without the need to boot into the Recovery HD, and still get:
Successfully disabled System Integrity Protection. Please restart the machine for the changes to take effect.
A direct nvram csr-active-config=%77%00%00%00 will still fail, because the nvram tool lacks the required entitlement (com.apple.private.iokit.nvram-csr).
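The perl one-liner above substitutes every occurrence of the six bytes it is given, silently, and tells you nothing if the pattern is absent or matches more than once. The following script is an added example (it is not Pike's code and not part of the original post) that does the same patch more carefully: it locates the jne rel32 pattern from the post, decodes the branch target so you can confirm against a disassembly that it is the branch after the _mac_iokit_check_nvram_set call, and refuses to write unless the match is unique. The byte pattern (0F 85 40 01 00 00) is taken from the post; the displacement is specific to one build of AppleEFINVRAM, so treat it as an assumption for any other version. The sample bytes are constructed for the test and are not a real kext.

```python
"""Safer take on the perl one-liner: NOP a jne rel32 only if it matches exactly once."""
import struct
import sys
from pathlib import Path

# Six-byte pattern from the post: 0F 85 = jne rel32, then the little-endian
# displacement 0x00000140. Assumed to be correct only for that build of the kext.
JNE_PATTERN = bytes.fromhex("0F8540010000")
NOP6 = b"\x90" * 6  # six one-byte NOPs, same length as the jne we remove


def find_jne_sites(blob: bytes, pattern: bytes = JNE_PATTERN) -> list:
    """Return (file_offset, branch_target_offset) for each occurrence of pattern.

    rel32 is relative to the address of the next instruction, i.e. offset + 6.
    """
    sites = []
    start = 0
    while True:
        off = blob.find(pattern, start)
        if off < 0:
            return sites
        rel = struct.unpack_from("<i", blob, off + 2)[0]
        sites.append((off, off + 6 + rel))
        start = off + 1


def is_unique_match(blob: bytes, pattern: bytes = JNE_PATTERN) -> bool:
    """True when the pattern occurs exactly once (the only case we will patch)."""
    return len(find_jne_sites(blob, pattern)) == 1


def patch_unique_jne(blob: bytes, pattern: bytes = JNE_PATTERN) -> bytes:
    """Replace the single jne with NOPs; raise if the match is missing or ambiguous."""
    sites = find_jne_sites(blob, pattern)
    if len(sites) != 1:
        raise ValueError(f"expected exactly one match, found {len(sites)}: {sites}")
    off = sites[0][0]
    return blob[:off] + NOP6 + blob[off + len(pattern):]


def patch_file(src: str, dst: str) -> tuple:
    """Patch src into dst (never in place) and return the (offset, target) patched."""
    blob = Path(src).read_bytes()
    site = find_jne_sites(blob)
    Path(dst).write_bytes(patch_unique_jne(blob))
    return site[0]


# Constructed sample, not taken from a real kext: a call, a test of its return
# value, the jne from the post, a decoy jne with a different displacement, and
# an epilogue. Only the first jne must be matched.
SAMPLE = (
    b"\x55"                            # push rbp
    + b"\x48\x89\xe5"                  # mov rbp, rsp
    + b"\xe8\x00\x00\x00\x00"          # call rel32 (placeholder displacement)
    + b"\x85\xc0"                      # test eax, eax
    + JNE_PATTERN                      # jne +0x140 at offset 11 (the one we NOP)
    + b"\x0f\x85\x41\x01\x00\x00"      # decoy jne +0x141 (must not match)
    + b"\x31\xc0\x5d\xc3"              # xor eax, eax ; pop rbp ; ret
)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print("patched jne at offset 0x%x (target 0x%x)" % patch_file(sys.argv[1], sys.argv[2]))
    else:
        print("sample sites:", find_jne_sites(SAMPLE))
```

Run it as `python3 patch_jne.py AppleEFINVRAM AppleEFINVRAM.patched` on the Mach-O binary inside the kext bundle. Before using the result, check the reported branch target against a disassembly of the function that calls _mac_iokit_check_nvram_set; the uniqueness check only proves the bytes occur once, not that they are the right instruction. The patched binary no longer matches its code signature, so it can only be loaded where signature enforcement is already out of the way.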
However. The fourth, and best, option in my view is to boot into the Recovery HD and be able to run csrutil disable from there. One problem: on a hack you still need one of the above workarounds, and on unsupported hardware for El Capitan… we need to get csrutil disable going. The problem is that I seem to be the last person willing to help others with running El Capitan on unsupported hardware, like I did for Yosemite. And things are taking a lot of time. Tons of time… but we already made a lot of progress, so hang in there, guys!!!
Anyway. Sure. Apple may not release all parts of the kernel, but what is the point of having an open source kernel, when almost everything that is interesting… is never released? Think about LZVN, XCPM and now this. Another one bites the dust. Yeah. Someone should kick Apple in the teeth for their lousy open source policy.
Note: I don't know if csrutil disable works on Clover, but I will add it when I get a confirmation about it.
Edit: I forgot to mention that there are six more routines in the kernel. Look here: