
Different solutions


Andy Vandijck

925 posts in this topic


FYI: I ran LZVN on the prelinkedkernel and compared it. Here's the result:

 

cmp -l prelinkedkernel_15A244d_unpacked /S*/L*/Kernels/kernel

3123 306 264
3130  40   0
3131  44   0
3132   2   0
3138 140   0
3139 243 214
3146  40   0
3147  44   0
3148   2   0
3203 306 264
3210  40   0
3211  44   0
3212   2   0
3218 140   0
3219 243 214
3506 120  60
3507 352 264
3508   2   0
3514 200   0
3515  53   0
3522 200   0
3523 307 214
3524   2   0
3529 315   0
3530 166   0
3531  53   0
3586 120  60
3587 352 264
3588   2   0
3593 315   0
3594 166   0
3595  53   0
3602 200   0
3603 307 214
3604   2   0
Nothing fancy going on. Only the _PRELINKED_TEXT and _PRELINKED_INFO load commands changed. Of course.

Oh yeah, of course. Got a little confused by Hex Workshop displaying a chunk that was barely altered entirely as 'replaced'. Thanks for clearing up.

Yeah, HexWorkshop, even though it is the best Windows hex editor (IMHO), sucks at the compare function; use UltraCompare or another tool for Windows...


  • 2 weeks later...

Hi, could anyone help me with MacBook ME firmware flashing? I have a MacBook Pro 17" with an i7 processor (2010) and it won't boot: no chime, just the fan spinning. I tried another SPI ROM from another motherboard of the same year and model but with an i5 processor, and it worked, but it was running very slowly since it was from a different motherboard. I need to flash the ME region but am not very sure how to do it. Or maybe someone has an EFI firmware .bin file for the i7 17" MacBook Pro?

many thanks


Hi,

 

Thanks for these great tools; I have a few questions. I have my files dumped and can look at them with your bioskeydump tool. I have the keytool image on a USB drive and can add certs to the various keys, etc. I just need to know how to proceed. Do I use my current dumped files as the base, then add the clover-exchange cert to KEK (the Canonical (Isle of Man) cert from your KEK?) and the clover-signing cert (from src?) to db, then at the end put the PK you provided in place to secure it? Do I have to do anything else to the keys, like sign one with another, etc.? I then just sign all of the .efi binary files from my boot loader and the boot.efi from Apple, as described above? You also mentioned that the boot.efi wouldn't verify and might need to be stripped? If so, how do I do that? Or should boot.efi still run as is once signed?

 

thanks.

 

 

Q


  • 2 weeks later...

I was able to use the sbsign tool provided here to get secure boot enabled on my Surface Pro 2. No More Red Screen!

 

First I had to download the software provided above; as I have Mavericks installed I chose version 3, which should also work for Yosemite. I just used the pre-built executables by moving them into /usr/bin. I made sure to have newer versions of openssl, etc. installed. Anyhow, once I had signed all my binaries in my Clover folder and Boot folder, and added Policy <string>Deny</string> and Secure <true/> to the Boot section of config.plist, I still couldn't figure out how to make it work.

 

So I installed the latest version of shim-signed from my ubuntu VM.

 

sudo apt-get install shim-signed

 

I copied shim-signed.efi over to my EFI/Microsoft/Boot folder

and named it bootmgfw.efi

 

I already had a copy of Cloverx64.efi there, so I first renamed that to grubx64.efi, which is what shim looks for.

 

I renamed the original Microsoft bootmgfw.efi to bootmgfw-orig.efi and created a custom entry in my config.plist that points to it.

 

Surface Pro 2 is tricky as it doesn't come with the UEFI 3rd-party CA installed, so I had to find this tool online and download it. It is a series of scripts and files that you can use in Windows to upgrade and add the 3rd-party DBs so that you can use the signed shim to chain-load Clover.

 

It usually needs MokManager to install its certificates. But I found it easier to use a keytool.efi USB key that I was able to create from an easy-to-find image that is out there (Google).

 

I converted the Clover signing certificate to a format that shim could use, using openssl:

 

openssl x509 -in /path-to-clover-sign.pem -inform PEM -out /path-to-converted-clover-cert.cer -outform DER

 

or something like that.

 

Keytool needs the file to be named .cer in order to use it, even though it is DER format.

 

So the procedure to lock down the Surface Pro 2, once all the binaries are signed, is:

 

-Clear all of the Secure Boot section by disabling Secure Boot.

 

-Open the long-named UEFI script that installs the Microsoft DBs with right-click > Edit, then in PowerShell eliminate the final line that talks about the PK. Save as OnlyDBs.ps1.

 

-Close and open the same long file as above; this time eliminate everything except the final line about the PK. Save as OnlyPK.ps1.

 

-Then run the OnlyDBs script from a command prompt as admin. It should run without any errors.

 

-Copy over all of the .cer files you can find in the sbsigntool package to the USB keytool stick, including the new one that you created above. There should be one called Canonical that is used to sign the KEK and DB, and another one under /src called Clover-signed.der (rename it to .cer).

 

-Shut down and boot into the USB keytool. Use Edit Keys > Add to find the .cer files you copied over. The main cert that you used to sign the binaries, then converted, is the one to add to the MOK db. Add all of them, one at a time, to DB; adding is the same as appending. Then the KEK only gets the Canonical one added.

 

-Then reboot into Windows and run the OnlyPK.ps1 script using the admin command prompt.

 

-Reboot into the UEFI BIOS and enable Secure Boot. Save > Reboot.

 

You should see a black screen, then Clover.

 

The reason we have to use shim is because it's one of the few trusted loaders that Microsoft decided to sign. So by chain-loading Clover with it we can eliminate the red screen, which we wouldn't be able to do using a self-signed key of our own.

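The enrolment steps in the post above (and the earlier question about using bioskeydump and keytool to get certs into KEK and db) all manipulate the same on-disk format: a Secure Boot variable such as db or KEK is a concatenation of EFI_SIGNATURE_LIST structures, each holding one or more EFI_SIGNATURE_DATA entries (owner GUID plus the cert or hash). The following is an added example, not code from the original post nor from the sbsigntool or keytool projects. It converts a PEM cert to DER in pure Python (the same transformation as the openssl command above), builds the X509 signature list keytool would append to db, and walks a dumped db/KEK blob to confirm that the Clover signing cert is actually enrolled. The owner GUID and the "certificate" bytes are constructed placeholders, not real keys; the parser treats cert contents opaquely and does no ASN.1 validation.

```python
import base64
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST section).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
GUID_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# Constructed owner GUID for entries we enroll ourselves (any value works;
# keytool picks one for you). Not a real identifier from the thread.
MY_OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")

# Constructed stand-in for Clover-signed.pem: NOT a real X.509 certificate,
# just bytes that the code below carries through unchanged.
FAKE_CLOVER_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(b"clover-cert-der-bytes").decode()
                   + "\n-----END CERTIFICATE-----\n")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian, GUID in EFI byte order).
_HDR = struct.Struct("<16sIII")


def pem_to_der(pem_text: str) -> bytes:
    """Pure-Python equivalent of `openssl x509 -inform PEM -outform DER` for one cert."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body)


def build_esl(sig_type: uuid.UUID, entries, owner: uuid.UUID = MY_OWNER_GUID) -> bytes:
    """Build one EFI_SIGNATURE_LIST. Every entry in a list must have the same size
    (true for SHA256 hashes; X.509 certs differ, so enroll one cert per list)."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must have equal size")
    sig_size = 16 + sizes.pop()                  # EFI_SIGNATURE_DATA = owner GUID + data
    list_size = _HDR.size + sig_size * len(entries)
    out = _HDR.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for e in entries:
        out += owner.bytes_le + e
    return out


def parse_esls(blob: bytes):
    """Walk a db/KEK/dbx variable (a concatenation of EFI_SIGNATURE_LISTs) and
    yield (type_name, owner_guid, signature_data) for every entry."""
    off = 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        guid, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        end = off + list_size
        if list_size < _HDR.size + hdr_size or end > len(blob):
            raise ValueError("bad SignatureListSize")
        sig_type = uuid.UUID(bytes_le=guid)
        name = GUID_NAMES.get(sig_type, str(sig_type))
        pos = off + _HDR.size + hdr_size
        if sig_size < 16 or (end - pos) % sig_size:
            raise ValueError("bad SignatureSize")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield name, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def cert_enrolled(db_blob: bytes, der_cert: bytes) -> bool:
    """True if this exact DER certificate is present as an X509 entry in the variable."""
    return any(t == "X509" and d == der_cert for t, _, d in parse_esls(db_blob))


if __name__ == "__main__":
    der = pem_to_der(FAKE_CLOVER_PEM)
    db = build_esl(EFI_CERT_X509_GUID, [der])
    for kind, owner, data in parse_esls(db):
        print(kind, owner, len(data), "bytes")
    print("clover cert enrolled:", cert_enrolled(db, der))
```

To use it on a real dump, feed `parse_esls` the raw bytes of the db variable as written by bioskeydump (strip the 4-byte attribute prefix first if the dump came from efivarfs) and pass `cert_enrolled` the DER you produced with the openssl command above; if it returns False after keytool reported success, the enrolment did not take.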

  • 2 weeks later...

I was able to use the sbsign tool provided here to get secure boot enabled on my Surface Pro 2. No More Red Screen!

 

...

Awesome job, man! By chain-loading Clover with shim, it works in non-Secure Boot mode at the moment for me. I signed Cloverx64.efi with sbsign and renamed it to grubx64.efi in the same folder as shim.efi, then enrolled the Clover certificates using MokManager. With Secure Boot on, it shows "binary is whitelisted" and does not load the secondary bootloader (Clover in my case). Do you have any ideas?

 

Could you help me with the long-named UEFI script (OnlyDBs.ps1) you mention in the instructions, please? I did not find it in any resources. I am also interested in what it does from Windows's cmd.

Secondly, is it necessary to sign the boot.efi in /System/Library/CoreServices ?

Last, I am on a Surface Pro 3; it seems to come with the UEFI 3rd-party CA installed. Does it mean I will only have to register the Clover certificates using MokManager (or keytool)?


Richard,

 

Hello, the script I edited with PowerShell to install only the DBs is originally named InstallSecureBootWithMsftUefiCertAuthToDB.ps1, so a long name for sure. Yes, it is part of the special tool MS came up with for the Surface Pro 1 & 2. Since you use a Pro 3 you may not need to find the special tool for the UEFI CA, but I like the control it gives us for customization. Keytool only lets you add .cer files to the DB while in setup mode. If your built-in UEFI BIOS lets you add the DBs separately from the PK, then no problem; otherwise do as I did above and find the tool to add the CA to the early Surface Pros. Edit it similarly to what I did; then you can use keytool, which I find easier to use. Keytool will only allow adding certs in setup mode, which means the system will be in unsecured mode. Once the PK is added it will not allow you to add the .cers to the db and KEK.

 

MokManager may let you add the .cers to the MOK; try that as an alternative. You never know, it may work for the DBs to have them there instead of in the MS DBs. Then you can lock down everything and see if you have Clover and the black screen.

 

Yes, you need to sign boot.efi with sbsign, as in the example towards the top of this thread. Also any boot.efi you might have in a recovery partition.

 

Also, sbsign every .efi under /EFI/Clover and /EFI/Boot.

 

As far as shim-signed, make sure it's from a recent version of Ubuntu or equivalent, 64-bit version. I used the one from 14.04; I had trouble with an earlier shim I originally found on the internet.

 

The UEFI CA tool from MS also has a savepk.ps1 script which can be edited to save all current DBs and the PK. That is useful once you have all the cool new certs added and you want to save everything in the combined .bins it creates from the new combined DBs. The original script only saves the current dbx and PK.

 

You can then create a new lockdown.ps1 script that is based on the newly created combined db .bins. When you download the UEFI tool, look at the documentation that comes with it and the scripts themselves to determine how to edit them for this type of customization. The new lockdown.ps1 could then have the PK line added back into it once all the newly combined DBs and KEK are created, greatly simplifying application in the future.

 

I have since updated my machine to Windows 10, and both the upgrade and a further update overwrote my shim-signed (renamed to bootmgfw.efi) in /EFI/Microsoft/Boot. So keep a copy of it handy to move back over to SYSTEM each time.


  • 2 weeks later...

I finally managed to Secure Boot CLOVER on the Surface Pro 3, no more red screen. Thanks Andy for the amazing signing tool and Quattro for the detailed instructions & help!!!

 

I boot directly from CLOVER; no shim.efi is required. (Specifically, chain-loading with shim.efi doesn't work for me somehow, dunno why.) And since the SP3 already has the UEFI 3rd-party CA installed, one has to first delete all the platform keys in order to start from scratch.

 

These are the steps I followed:

1. Use sbsigntool to sign all the necessary binaries (*.efi) under /EFI/Clover (also /EFI/Boot/ if on a USB key), /System/Library/CoreServices/boot.efi, and Recovery HD/com.apple.xx/boot.efi.

2. Use Microsoft's OEM_PK_Surface to back up the current DBs and PK.

3. Go into the BIOS and delete all the platform keys.

4. Back in Windows, use the modified OnlyDBs.ps1 script to first append the OEM db, KEK and dbx.

5. Boot from the keytool USB key and append all the cert files from sbsigntool into db and KEK (one Clover signing certificate converted from PEM using openssl, two *.der files under /src, and all the rest of the *.der files under /src/EFI_SECDB; change the extension from .der to .cer).

6. Back in Windows, use the modified OnlyPK.ps1 script to add the finishing PK key.

7. Use EasyUEFI to create a new entry pointing to /EFI/CLOVER/CLOVERX64.efi on the SYSTEM partition, and move it above Microsoft's boot entry. (This is a workaround rather than renaming CLOVERX64.efi to bootmgfw.efi, so that future Windows updates will not break it.)

8. Reboot, voilà! Secure Boot enabled and Clover is up.

9. (Optional) As suggested by Quattro, in Windows back up the new KEK, db, dbx and PK using a modified SavePlatformKey.ps1 script.

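A check worth running before step 8 above (and again after any Windows update that rewrites the EFI partition, as the earlier post warns): confirm that every .efi under /EFI/Clover actually carries an Authenticode signature, since a single unsigned binary is what the "binary unauthorized" error and the red screen come from. The following is an added example, not part of the original post nor of sbsigntool. It parses the PE headers of an .efi image, locates the Certificate Table (data directory entry 4, which holds a file offset rather than an RVA), and lists the WIN_CERTIFICATE entries; `find_unsigned_efi` applies that to a mounted EFI partition. `make_fake_efi` builds a constructed, header-only PE32+ skeleton (no sections, no code, a placeholder instead of a real PKCS#7 blob) so the check can be exercised offline; it is not a bootable image. Presence of a PKCS#7 entry only tells you the file was signed; whether firmware accepts it still depends on the signing cert being in db and not in dbx, which `sbverify --cert` checks.

```python
import os
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory slot of the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _unpack(fmt, data, off):
    """struct.unpack_from with an explicit bounds check so truncated files raise ValueError."""
    if off < 0 or off + struct.calcsize(fmt) > len(data):
        raise ValueError("truncated image at offset 0x%x" % off)
    return struct.unpack_from(fmt, data, off)


def inspect_pe_signature(image: bytes) -> dict:
    """Parse PE headers; return machine, subsystem and the WIN_CERTIFICATE entries
    (revision, type, length) found in the Certificate Table."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    (e_lfanew,) = _unpack("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = _unpack("<HHIIIHH", image, coff)
    opt = coff + 20                              # optional header follows the 20-byte COFF header
    (magic,) = _unpack("<H", image, opt)
    if magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = 108, 112           # NumberOfRvaAndSizes / DataDirectory for PE32+
    elif magic == PE32_MAGIC:
        ndirs_off, dirs_off = 92, 96             # same fields for PE32
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (subsystem,) = _unpack("<H", image, opt + 68)
    certs = []
    if opt_size >= dirs_off + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1):
        (ndirs,) = _unpack("<I", image, opt + ndirs_off)
        if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
            off, size = _unpack("<II", image, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
            end = off + size                     # security entry is a raw file offset, not an RVA
            if end > len(image):
                raise ValueError("certificate table runs past end of file")
            while off + 8 <= end:
                length, rev, ctype = _unpack("<IHH", image, off)
                if length < 8 or off + length > end:
                    raise ValueError("bad WIN_CERTIFICATE length")
                certs.append((rev, ctype, length))
                off += (length + 7) & ~7         # entries are 8-byte aligned
    return {"machine": machine, "subsystem": subsystem, "certs": certs,
            "signed": any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in certs)}


def find_unsigned_efi(root):
    """Walk e.g. /Volumes/EFI/EFI/Clover and return the .efi files with no PKCS#7
    signature (or that do not parse); these are the ones Secure Boot will reject."""
    unsigned = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".efi"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    data = f.read()
                try:
                    if not inspect_pe_signature(data)["signed"]:
                        unsigned.append(path)
                except ValueError as exc:
                    unsigned.append("%s (unparseable: %s)" % (path, exc))
    return unsigned


def make_fake_efi(signed: bool) -> bytes:
    """Constructed header-only PE32+ EFI application skeleton for offline testing.
    Real firmware would reject it; only the headers matter to inspect_pe_signature."""
    opt_size = 240                                 # PE32+ optional header with 16 data dirs
    cert_off = 0x40 + 4 + 20 + opt_size            # certificate table placed right after headers
    payload = b"\x30\x82\x00\x00" + b"A" * 20      # constructed stand-in for the PKCS#7 DER
    cert = struct.pack("<IHH", 8 + len(payload), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
    cert += b"\0" * ((-len(cert)) % 8)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_EFI_APPLICATION)
    struct.pack_into("<I", opt, 108, 16)
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert))
    image = dos + b"PE\0\0" + coff + bytes(opt)
    return image + (cert if signed else b"")


if __name__ == "__main__":
    for flag in (True, False):
        print("signed=%s ->" % flag, inspect_pe_signature(make_fake_efi(flag)))
```

On a machine with sbsigntool installed, `sbverify --list` on each file gives the same table; this parser is for doing the sweep from OS X or Windows where only Python is at hand. Run `find_unsigned_efi` on the mounted EFI partition and expect an empty list before enabling Secure Boot.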

Hello. I have a Surface Pro 3 that I purchased from eBay. They never gave me the UEFI password, but I can install Windows just fine. Should I be able to sign the Clover bootloader and EFI files to install OS X and then boot off the USB every time if I want to run OS X? Many thanks.


WM,

 

Your best bet is to follow the instructions in the Surface Pro OS X, Android and Windows triple boot thread to get OS X installed and working correctly, which means disabling Secure Boot for now. When all of those other things are working to your satisfaction, then come back here to lock it down.

 

EDIT: or in your case one of the Surface Pro 3 OSX threads ; )


Thank you for your reply! But since I do not have the UEFI password, as stated in my first post, I cannot disable Secure Boot :/ I can boot off USB (only in secure mode). I do not want a selectable system at boot, only when I plug in the USB and boot from the Clover USB; so basically my OS X partition will stay hidden or unused unless I plug in the proper USB. I have 7 100% running Hackintosh systems, so I will not have a problem installing once I get a Clover USB to boot. All I want to know is: can I get an OS X USB with the Clover bootloader in the /EFI partition to boot in secure mode? Thank you so much for your input.


Hi again WM,

 

If you can boot now off USB in secure mode, it is a secure USB key, right? Then maybe all you need is a way to get a secured Clover on a USB stick? Sounds to me like you'd have to do this anyway just to create the proper OS X install USB key. So yeah, once that is created, installing OS X is the easy part. You may need another computer to help troubleshoot the USB key creation.


Correct. All I need is a secured Clover on a USB stick. Since I have never created a "secure" version of Clover for USB booting, I guess that is where my problem lies. This secure business is where I am running into some confusion. I see where you daisy-chained a few bootloaders to work on your Surface Pro, but that was only to boot your system without any external drive, right? I shouldn't have the same issues with a USB Clover, should I? Forgive my ignorance, but I think all I have to do is run this tool on the Clover EFI files and I should be golden, right? Or am I missing a big step (or steps)? Many thanks for your help and sorry for my lack of understanding in this.


Hi WM,

My experience is that even on a USB drive, if a bootloader is not properly signed (or signed but with its certificate not in the UEFI), my Surface Pro 3 won't be able to boot it. It will show a "binary unauthorized" error and boot the second entry, which is Windows. Getting Clover to boot in secure mode requires not only a signed .efi but also adding the certificates you use into the UEFI databases. The latter step absolutely requires access to the UEFI. I don't think there is much you can do if you cannot go into the BIOS to disable Secure Boot or remove all the platform keys.

Installing OS X will not be any issue after you fix the BIOS, i.e. either by getting the UEFI password, or maybe there is a hidden OEM way to do a hard reset.


I am actually able to boot Ubuntu with a live USB (latest). I wonder if I daisy-chain shim to Clover whether it will work, kinda like how quattro74 got his to work, but just on the USB level. Does that make sense? Anyone else think I should go for it? I think I will try this weekend. Messy messy hack lol


Wm,

 

You still have no way to access the UEFI and install the certificates to your db? If not, you won't be able to get to Clover regardless of where it is installed. That is your main issue. Get the certificates into the db and you can do what you want. Having a working Ubuntu means you can get a working shim-signed and get that to boot OK from wherever, but you can't get past it without the Clover certs being added.
