Mavericks - to be locked down (in the future)?


101 replies to this topic

#1
frankiee


OK, so it seems that many of you already had success installing Mavericks on a hack, and the list of supported machines also indicates that everything that can run ML can also run Mavericks, but ...

 

will that still be true for the future, especially for a hackintosh?

 

I am on the verge of jumping into the cold water and want to build myself one, bc Apple does not seem to be able to offer me the hardware I need. But of course, I also want my "hack" to be future proof, and one of the worst things I can imagine is to be locked out of future OS updates.

 

One point that worries me is that Apple seems to use more and more proprietary hardware (especially for the new "Mac Pro"), but it was this article that almost scares me and makes me feel a bit uneasy about the future of hacks in general: http://pikeralpha.wo...10-9-mavericks/

 

In short, the poster claims that: "The /System directory will be locked in the near future and kext in /Library/Extensions must be signed. But more importantly. Kext editing (plists and bin files) will simply be impossible"

 

So, what's your take on this? Do you think this could become a real problem, or nothing to worry about?



#2
nyolc8


I read the same page today, and I don't understand how the /System/Library/Extensions will be locked down... I think this lock could be hacked/patched.

Btw this codesign security blocking could be in the final 10.9 (Apple started to ask developers to register not only for apps, but anything)  :( They want to lock the whole thing... -_-

Well we will see...



#3
necrophagous


You might have to ask somebody like rampagedev or piker or other developers out there.

I'm sure they could give you an answer (or answers).



#4
frankiee


I read the same page today, and I don't understand how the /System/Library/Extensions will be locked down... I think this lock could be hacked/patched.

 

I also don't know (so that's why I am asking), but I assume if Apple really wants, they will find a way. The question is: are they actually concerned about locking out hacks, or are these measures that won't affect us?

 

And, even if that could be bypassed, that also would mean even more patching, maybe using a custom kernel. But on the other hand, this might reduce compatibility and of course introduce more difficulties in general.

 

Btw this codesign security blocking could be in the final 10.9

 

That's one thing I am afraid of ... so this could be a really important issue for everybody imho.



#5
Dr. Hurt


If Apple implements signature verification via the kernel, I think it'll be very difficult to bypass, especially if the kernel itself becomes secured too somehow.

 

Apple has generally been tolerant of the hackintosh community and I don't think they're trying to kill it, but rather limit it a bit by making it more difficult.

 

If Apple does indeed lock up everything in 10.9, it'll mean we'll have a much narrower range of supported hardware. We can still fake dev ids via DSDT to use some stock kexts but we will no longer be able to patch binaries. We'll have to depend more on 3rd party kexts which, unfortunately, won't cover our needs.

 

We can only wait and see. And I'm sure some brilliant hackers around here will find workarounds, eventually.



#6
eject


Wouldn't this mean that 3rd party kexts wouldn't be allowed? This would however limit 3rd party hardware and can't really be in Apple's interest. If 3rd party hardware kexts are still allowed, couldn't we just patch Apple kexts and reintroduce them as 3rd party kexts?

 

I don't have much of an insight in such things though. 



#7
ZikPhil


rampagedev already commented on the article itself, I think we are safe.



#8
Pike R. Alpha


Having kexts signed itself should not be a problem as long as we can sign our own kexts. All it takes is an Apple Developer ID / certificate.

 

Also. Be careful with statements like: "I think we are safe" because that is based on thin air.



#9
theconnactic


On the other hand, like meklort said: we have physical access to our machines, there's little we cannot do.

 

All the best!



#10
Zenith432


There's a new kext AppleKextExcludeList with an Info.plist that looks like a list of kexts allowed to load without a signature.  It's got an infinite list of kexts that looks like some huge database of all kexts ever made for the Mac.

Some stuff in there 

<key>OSKextSigExceptionList</key>
        <key>VoodooSDHC</key>
        <string>1.1d1</string>
        <key>com.AnV.Software.driver.PCGenRTL8139Ethernet</key>
        <string>1.4.1</string>
        <key>com.AnV_Software.driver.AnyAppleUSBKeyboard</key>
        <string>8.8.8</string>
        <key>com.AnV_Software.driver.AnyAppleUSBMouse</key>
        <string>8.8.8</string>
        <key>com.AnV_Software.driver.AnyCardReader</key>
        <string>8.8.8</string>
        <key>com.AnV_Software.driver.AnyiSightCam</key>
        <string>8.8.8</string>
        <key>com.AnV_Software.driver.BroadcomAppleBluetooth</key>
        <string>1111.0</string>
        <key>com.AnV_Software.driver.CustomPeripheral</key>
        <string>8.8.8</string>
        <key>com.AnV_Software.driver.DeviceMergeNub</key>
        <string>1111.0</string>
        <key>com.AnV_Software.driver.DeviceMergeNubAPM</key>
        <string>1.0</string>
        <key>com.Micky1979.plist.WifiInjector</key>
        <string>1.0</string>
        <key>com.Niresh12495.ExtraExtensions</key>
        <string>1.0</string>
        <key>com.Niresh12495.Hackintosh.AHCIPortInjector</key>
        <string>1.0</string>
        <key>com.Niresh12495.Hackintosh.ATAPortInjector</key>
        <string>1.0</string>
        <key>com.Niresh12495.Hackintosh.IOAHCIBlockStorageInjector</key>
        <string>1.1.1</string>
        <key>com.tonymacx86.AHCI_3rdParty_SATA</key>
        <string>1111.0</string>
        <key>com.tonymacx86.AHCI_3rdParty_eSATA</key>
        <string>0.3</string>
        <key>com.tonymacx86.ALC8xxHDA</key>
        <string>1111.0</string>
        <key>com.tonymacx86.ATI48xxController</key>
        <string>9.0.2</string>
        <key>com.tonymacx86.JMicron36xSATA</key>
        <string>0.8</string>
        <key>com.tonymacx86.JMicron36xeSATA</key>
        <string>0.8</string>
        <key>com.tonymacx86.Legacy889HDA</key>
        <string>0.3</string>
        <key>com.tonymacx86.ati6570pm</key>
        <string>3.0</string>
        <key>mohamed.ACPIPS2Nub</key>
        <string>1.0d1</string>
        <key>my.name.adlan.BCM5722D</key>
        <string>1111.0</string>
        <key>name.perrier.thomas.ATIcceleratorDriver</key>
        <string>1.0</string>
        <key>net.osx86.driver.EnsoniqAudioPCI</key>
        <string>1.0.3</string>
        <key>net.osx86.driver.VMsvga2</key>
        <string>1.3d7</string>
        <key>net.osx86.driver.VMsvga2Accel</key>
        <string>1.3d7</string>
        <key>net.osx86.kexts.GenericUSBXHCI</key>
        <string>1.2d11</string>
        <key>org.chameleon.plist.AHCIPortInjector</key>
        <string>1111.0</string>
        <key>org.chameleon.plist.AHCI_Intel_SATA</key>
        <string>1.0</string>
        <key>org.chameleon.plist.ATAPortInjector</key>
        <string>1.0</string>
        <key>org.chameleon.plist.AppleIntelSNBGraphicsFB</key>
        <string>1.0</string>
        <key>org.chameleon.plist.IOAHCIBlockStorageInjector</key>
        <string>1111.0</string>
        <key>org.chameleon.plist.JMicronATAInjector</key>
        <string>1.0</string>
        <key>org.netkas.FakeSMC</key>
        <string>1111.0</string>
        <key>org.netkas.HPETDevice</key>
        <string>1.0</string>
        <key>org.netkas.driver.FakeSMC</key>
        <string>1111.0</string>
        <key>org.netkas.fakesmc</key>
        <string>1111.0</string>
        <key>org.netkas.hda</key>
        <string>900.0</string>
        <key>org.slice.ACPIMonitor</key>
        <string>1111.0</string>
        <key>org.slice.ACPISensors</key>
        <string>1111.0</string>
        <key>org.slice.HWInfo</key>
        <string>1.0</string>
        <key>org.slice.IntelCPUMonitor</key>
        <string>1.1</string>
        <key>org.slice.NSCPC8739x</key>
        <string>1111.0</string>
        <key>org.slice.PC8739x</key>
        <string>1111.0</string>
        <key>org.slice.RadeonMonitor</key>
        <string>2.0</string>
        <key>org.slice.sensor.X3100</key>
        <string>1.0</string>
        <key>org.tgwbd.driver.ACPIPS2Nub</key>
        <string>1.0d1</string>
        <key>org.tgwbd.driver.ElliottForceLegacyRTC</key>
        <string>1111.0</string>
        <key>org.tgwbd.driver.LegacyAppleAHCIPort</key>
        <string>1.5.1</string>
        <key>org.tgwbd.driver.LegacyAppleIntelPIIXATA</key>
        <string>1.0d1</string>
        <key>org.tgwbd.driver.LegacyIOAHCIBlockStorage</key>
        <string>1.1.1</string>
        <key>org.tgwbd.driver.LegacyJMicronATA</key>
        <string>1.0d1</string>
        <key>org.tgwbd.driver.NullCPUPowerManagement</key>
        <string>1111.0</string>
        <key>org.tgwbd.iokit.AppleYukon2</key>
        <string>3.1.12b14</string>
        <key>org.tgwbd.iokit.LegacyAppleYukon2.10.5.7</key>
        <string>9.0</string>
        <key>org.voodoo.VoodooSDHC</key>
        <string>1111.0</string>
        <key>org.voodoo.driver.PS2Controller</key>
        <string>1111.0</string>
        <key>org.voodoo.driver.PS2Keyboard</key>
        <string>1111.0</string>
        <key>org.voodoo.driver.PS2Mouse</key>
        <string>1111.0</string>
        <key>org.voodoo.driver.PS2Trackpad</key>
        <string>1111.0</string>
        <key>org.voodoo.driver.VoodooHDA</key>
        <string>1111.0</string>
        <key>org.voodoo.driver.VoodooPS2ElanTrackpad</key>
        <string>1.1.1</string>
        <key>org.voodoo.driver.VoodooTSCSync</key>
        <string>1111.0</string>

Even FakeSMC is in there :hysterical:



#11
nyolc8


I think Exclude means it will not load them... They're basically blocking all those kexts with this thing.



#12
STLVNUB


I think Exclude means it will not load them...

Yeah but the list shown is from this key : OSKextSigExceptionList

Not this key : OSKextExcludeList



#13
Zenith432


The list OSKextSigExceptionList is definitely the exception list, because I see some of the names when rebuilding kernelcache manually with kextcache.  OTOH, the OSKextExcludeList list only contains a few VMware kexts that are not part of the public released distribution of VMware Fusion.



#14
nyolc8


So they basically made DP1 hackintosh compatible with this list? Uhm... lol?

 

And all I need to do is to rename any kext to the ones in the list and it will load? Nice security...  :whistle:  :P



#15
xpamamadeus


So they basically made DP1 hackintosh compatible with this list? Uhm... lol?

 

And all I need to do is to rename any kext to the ones in the list and it will load? Nice security...  :whistle:  :P

No, they are forcing us to rename our kexts :D



#16
Zenith432


I tried editing AppleKextExcludeList.kext/Contents/Info.plist and it works (!).  But then when I run 'kextcache -v -system-prelinked-kernel', it warns that AppleKextExcludeList is non-authentic.  However, the kext on my modified Info.plist is reported as allowed.

And all I need to do is to rename any kext to the ones in the list and it will load? Nice security...  :whistle:  :P


#17
theconnactic


It's proven now: Apple does want OSX86 alive and well.



#18
3.14r2


There's a new kext AppleKextExcludeList with an Info.plist that looks like a list of kexts allowed to load without a signature.  It's got an infinite list of kexts that looks like some huge database of all kexts ever made for the Mac.

Some stuff in there

 

Even FakeSMC is in there :hysterical:

It's good that it's not April 1st, otherwise I'd consider this a joke (good one) :)



#19
Onixs

So basically we add our own patched kexts which are not included in the list so it will load even without a valid signature.

As for me, instead of editing AppleKextExcludeList, I added all the list to fakesmc so it won't get overwritten when an update comes. Feel free where you want to put it.

Nice find Zenith432 :)

#20
nyolc8


So basically we add our own patched kexts which are not included in the list so it will load even without a valid signature.

As for me, instead of editing AppleKextExcludeList, I added all the list to fakesmc so it won't get overwritten when an update comes. Feel free where you want to put it.

Nice find Zenith432 :)

So you're saying that the info plist can be in any kext, the OS will read that list from any kext? How did you test this? Btw if we edit the list in the original place, the AppleKextExcludeList will lose its signature and that could cause problems too.
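
An added example, not part of any post in this thread and not Apple's code: it reads an Info.plist carrying the two keys discussed above, reports identifiers added to OSKextSigExceptionList relative to a reference copy, and labels unsigned kexts that are covered only by an identifier match. The sample plists, the kext inventory, the `com.example.*` identifiers and the top-level placement of both keys are constructed assumptions; the labels describe list membership only, and version matching is not modelled.

```python
import plistlib

def make_plist(exceptions, excluded):
    """Build a constructed Info.plist with the two keys named in the thread.
    Placing both dicts at the top level is an assumption of this example."""
    return plistlib.dumps({"OSKextSigExceptionList": exceptions,
                           "OSKextExcludeList": excluded})

# Constructed samples: a reference copy and a locally modified copy.
BASELINE = make_plist({"org.netkas.FakeSMC": "1111.0",
                       "net.osx86.driver.VMsvga2": "1.3d7"},
                      {"com.example.driver.Blocked": "1.0"})
CURRENT = make_plist({"org.netkas.FakeSMC": "1111.0",
                      "net.osx86.driver.VMsvga2": "1.3d7",
                      "com.example.driver.Patched": "1.0"},
                     {"com.example.driver.Blocked": "1.0"})

# Constructed inventory: (bundle identifier, has a valid signature).
KEXTS = [("org.netkas.FakeSMC", False), ("com.example.driver.Patched", False),
         ("com.example.driver.Signed", True), ("com.example.driver.Other", False),
         ("com.example.driver.Blocked", True)]

def added_exceptions(baseline_bytes, current_bytes):
    """Identifiers in the current exception list that the baseline lacks."""
    old = plistlib.loads(baseline_bytes).get("OSKextSigExceptionList", {})
    new = plistlib.loads(current_bytes).get("OSKextSigExceptionList", {})
    return sorted(set(new) - set(old))

def classify(current_bytes, kexts):
    """Label each kext by how the two lists apply to its identifier."""
    info = plistlib.loads(current_bytes)
    exceptions = info.get("OSKextSigExceptionList", {})
    excluded = info.get("OSKextExcludeList", {})
    labels = {}
    for bundle_id, signed in kexts:
        if bundle_id in excluded:
            labels[bundle_id] = "excluded"
        elif signed:
            labels[bundle_id] = "signed"
        elif bundle_id in exceptions:
            # Allowed purely on a self-declared identifier: worth a review.
            labels[bundle_id] = "unsigned, excepted"
        else:
            labels[bundle_id] = "unsigned, not excepted"
    return labels

if __name__ == "__main__":
    print("Added since baseline:", added_exceptions(BASELINE, CURRENT))
    for bundle_id, label in classify(CURRENT, KEXTS).items():
        print(f"{bundle_id}: {label}")
```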







© 2014 InsanelyMac