Jump to content

Mavericks - to be locked down (in the future)?


  • Please log in to reply
101 replies to this topic

#21
frankiee

frankiee

    InsanelyMac Geek

  • Members
  • PipPipPipPip
  • 201 posts
  • Gender:Male
  • Location:Earth
  • Interests:Everything

Well, so Apple is managing a plist (within a kext) which is supposed to allow certain (3rd party) kexts to be loaded (without signing) and all of these "hack kexts" are in that list? Hmmmmm! Now that is interesting, but I am still not sure what that means. I really cannot imagine that Apple sort of inofficially supports Hacks by this way ... but why is all this stuff in there then? Because I think it would be more typical for Apple that this list is made for lockdown and exclusion of hacks, and not for (even unofficial) support.

 

Also, in a follow up comment to the article I mentioned above, the original poster stated that: The thing is that Apple has more on their sleeves but that info isn’t even shared, but I have said too much already – since this info was meant to be confidentially – so I just let them be what they are… uninformed.

 

I don't know if he is just making this up, but it sounds not completely uncredible - and quite mysterious - to me.



#22
nyolc8

nyolc8

    InsanelyMac Legend

  • Members
  • PipPipPipPipPipPipPip
  • 802 posts
  • Gender:Male
  • Location:Budapest, Hungary

I still don't get it... So they lock down the S/L/E/, and we can only use signed kexts in L/E/... So... I rename any kext to "org.netkas.hda" (I just picked one from the "allowed to load without signing" list) and it will load up? You just have to rename any kext and it will load up... I still don't get it why this feature will be then... Because then it's pointless.

 

Because if this is a security feature, then the hacker or the man who want his "bad" kext to be installed, he just rename his malicious kext to an allowed one and he infected osx like before.



#23
Maniac10

Maniac10

    InsanelyMac Legend

  • Members
  • PipPipPipPipPipPipPip
  • 945 posts
  • Gender:Not Telling

Stop speculating, just wait till this is tested and explained properly. Pike said it was coming but it's not active yet so keep doing things like always and you'll be fine.



#24
frankiee

frankiee

    InsanelyMac Geek

  • Members
  • PipPipPipPip
  • 201 posts
  • Gender:Male
  • Location:Earth
  • Interests:Everything

Well, if I am about to shell out some thousand bucks for a new shiny "Hack Pro", it wouldn't be so nice if some months later it will be locked out of future updates. So, since there is a real possibilty of this happening, I think it would be better to  defer my investment at least until Mavericks comes out?



#25
Maniac10

Maniac10

    InsanelyMac Legend

  • Members
  • PipPipPipPipPipPipPip
  • 945 posts
  • Gender:Not Telling

That's why I said to wait until it's explained properly. I'm sure it will be fine, there's always a way.



#26
nyolc8

nyolc8

    InsanelyMac Legend

  • Members
  • PipPipPipPipPipPipPip
  • 802 posts
  • Gender:Male
  • Location:Budapest, Hungary

...
As for me, instead of editingAppleKextExcludeList, I added all the list to fakesmc so it wont get overwritten when update comes. Feel free where you want to put it.
...

I tried this, I added the list to fakesmc, added my kexts to the list and it's not worked. Could you tell us how you exactly did that?

 

 

Edit: I edited the AppleKextExcludeList info.plist and added my modified kexts, then I added the AppleKextExcludeList too into itself, and not a single "WARNING" message on kextcache creation :D

 

Attached File  gsg.png   267.49KB   88 downloads



#27
iWin32

iWin32

    InsanelyMac Geek

  • Members
  • PipPipPip
  • 100 posts
  • Gender:Male

In short, the poster claims that: "The /System directory will be locked in the near future and kext in /Library/Extensions must be signed. But more importantly. Kext editing (plists and bin files) will simply be impossible"

I bolded the bin part on his post because that is one thing that scares me: With all the recent work that is done with the Intel HD Graphics Framebuffer, it may go down the drain...because the only way to get it done is to patch the bin file with a hex editor (or use Vertek's built patcher) of AppleIntelHDGraphicsFB.kext, otherwise, we'll be stuck in the dark with an empty screen.  Just curious: Will this be a problem?  DSDT hacks are useless until you get the framebuffer working!

 

Although I will say seeing FakeSMC in the exception list is a bit ironic for Apple!  That sure would serve a really useful purpose on a legit mac!!  Soon, they'll be starting their own Hackintosh help-line!!!   :hysterical:  :hysterical:  :hysterical:



#28
kitmac

kitmac

    InsanelyMac Geek

  • Members
  • PipPipPipPip
  • 209 posts
  • Gender:Male

I tried this, I added the list to fakesmc, added my kexts to the list and it's not worked. Could you tell us how you exactly did that?

 

 

Edit: I edited the AppleKextExcludeList info.plist and added my modified kexts, then I added the AppleKextExcludeList too into itself, and not a single "WARNING" message on kextcache creation :D

 

attachicon.gifgsg.png

awesome..... :thumbsup_anim:



#29
3.14r2

3.14r2

    The Round One

  • Members
  • PipPipPipPipPipPipPipPip
  • 1,333 posts
  • Location:Molvania

 

Although I will say seeing FakeSMC in the exception list is a bit ironic for Apple!  That sure would serve a really useful purpose on a legit mac!!

I wonder if Apple is considering a very generous donation to the forum (who knows, even Tony can get a buck of two, if Apple be generous enough) :hysterical:



#30
GhostRaider

GhostRaider

    InsanelyMac Sage

  • Members
  • PipPipPipPipPip
  • 357 posts
  • Gender:Male

I'm sure there are Apple engineers that read InsanelyMac and other hackintosh forums. I mean how else did Apple get that list? What I do believe is that as long as people pay for the operating system, they wouldn't really care. I mean that's extra money for them.

 

As for the discovery for the exclusion list, it could mean that Apple does indeed support hackintosh and wants it alive. They created a list so that there is no difficulty in installing and loading them up at startup. The only benefit would just be for security purposes. In case some person creates a malicious application and wants to install a malicious kext with it, then they will not be able to do that.

 

But the problem is when you have to modify an official Apple kext. I'm not sure what would happen there.



#31
Maniac10

Maniac10

    InsanelyMac Legend

  • Members
  • PipPipPipPipPipPipPip
  • 945 posts
  • Gender:Not Telling

They probably collected that list from diagnostic and usage reports people with hacks have been sending.



#32
jamiethemorris

jamiethemorris

    InsanelyMac Sage

  • Members
  • PipPipPipPipPip
  • 323 posts
  • Gender:Male
  • Location:San Rafael, CA
That would make sense. This whole thing is confusing... There's no way Apple would purposefully allow these kexts... Are you guys sure it doesn't mean the opposite? That these are kexts that aren't allowed?

#33
Maniac10

Maniac10

    InsanelyMac Legend

  • Members
  • PipPipPipPipPipPipPip
  • 945 posts
  • Gender:Not Telling

For now it's a whitelist, it says so in the console:

 

com.apple.kextcache[449]: kext com.softraid.driver.SoftRAID  404009000 is in exception list, allowing to load


#34
nyolc8

nyolc8

    InsanelyMac Legend

  • Members
  • PipPipPipPipPipPipPip
  • 802 posts
  • Gender:Male
  • Location:Budapest, Hungary
jamiethemorris: I got rid all the warning messages by adding my modified kexts to that list... so yes, that list is for allowing those kexts.

#35
jamiethemorris

jamiethemorris

    InsanelyMac Sage

  • Members
  • PipPipPipPipPip
  • 323 posts
  • Gender:Male
  • Location:San Rafael, CA
Wow! How strange. Also, I'm curious... If you have a developer account and wanted to sign your own kext, does Apple have to approve that, or would you just do it? The article also mentioned that /system would be locked though, which would mean you couldn't modify the exception kext... The only thing is I don't see how it's possible to lock out the root user... Maybe I'm misunderstanding.

#36
nyolc8

nyolc8

    InsanelyMac Legend

  • Members
  • PipPipPipPipPipPipPip
  • 802 posts
  • Gender:Male
  • Location:Budapest, Hungary

Wow! How strange. Also, I'm curious... If you have a developer account and wanted to sign your own kext, does Apple have to approve that, or would you just do it?

When you make the codesign for it, it communicate with apple servers and then the server gives you a token or something and then xcode build that into your kext/app. So you can't "just" sign it.

 

The article also mentioned that /system would be locked though, which would mean you couldn't modify the exception kext... The only thing is I don't see how it's possible to lock out the root user... Maybe I'm misunderstanding.

Now that is the thing I don't understand as well...

***

I read on another forum, someone tried to put modified (so codesign broken) kexts into Extra/Extenisons/ and osx loaded all of them from there without any message at kext cache creation  :lol:  They said, System/Extensions/ will be locked... but what about Extra/Extensions/? :P



#37
3.14r2

3.14r2

    The Round One

  • Members
  • PipPipPipPipPipPipPipPip
  • 1,333 posts
  • Location:Molvania

 

I read on another forum, someone tried to put modified (so codesign broken) kexts into Extra/Extenisons/ and osx loaded all of them from there without any message at kext cache creation

Yet another curious (in scope of allow/forbid hackintoshing) feature :)



#38
Maniac10

Maniac10

    InsanelyMac Legend

  • Members
  • PipPipPipPipPipPipPip
  • 945 posts
  • Gender:Not Telling

I read on another forum, someone tried to put modified (so codesign broken) kexts into Extra/Extenisons/ and osx loaded all of them from there without any message at kext cache creation  :lol:  They said, System/Extensions/ will be locked... but what about Extra/Extensions/? :P

OSX don't care about kexts there, it's a Chameleon thing only. And I think you don't see the warnings because they won't be included into the kext caches. (not sure, anyone?)



#39
jamiethemorris

jamiethemorris

    InsanelyMac Sage

  • Members
  • PipPipPipPipPip
  • 323 posts
  • Gender:Male
  • Location:San Rafael, CA

OSX don't care about kexts there, it's a Chameleon thing only. And I think you don't see the warnings because they won't be included into the kext caches. (not sure, anyone?)

yeah that's true. It would make or boot really slow though without the cache.

#40
iFIRE

iFIRE

    InsanelyMacaholic

  • Moderators
  • 3,769 posts
  • Gender:Male
  • Location:Bcn-Spain

Like this: Yes we can!!!! :lol: The famous phrase   :P , but now this is : Yes we SCAN !!!!!! :hysterical:







0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

© 2014 InsanelyMac  |   News  |   Forum  |   Downloads  |   OSx86 Wiki  |   Mac Netbook  |   PHP hosting by CatN  |   Designed by Ed Gain  |   Logo by irfan  |   Privacy Policy