
Chameleon 2.4svn Official PKG Installer

Please submit a bug report that shows a usermode app having the ability to things it shouldn't with FileNVRAM.

Once you do, and I can reproduce the issue, then I can fix it.

 

I'm still not sure how you can call an arbitrary function in kernel mode from usermode... or how you are bypassing the root check that is explicitly in filenvram, but if you submit a bug report, I'll look into it and fix it properly.

I find using Chameleon today that device-properties from ioreg fail to be converted to xml by gfxutil with the error message:

invalid hex inputfile (filesize dont match or zero)


 

Looking back, I found cparm's commit 2415 made changes to /i386/libsaio/device_inject.c. Reverting these changes allows gfxutil to convert device-properties from ioreg to xml.

 

I know cparm has committed many working solutions to lots of projects so I do not necessarily think his code is wrong, instead think maybe gfxutil cannot correctly convert the optimised device-properties generated by commit 2415?

Messrs, I must admit I'm lost and I am not sure what you want to demonstrate. If I understand correctly, between user space and kernel space there can be an intermediary? If not, why does Apple introduce things like the task for pid limitation?
And then, if a "rootkit" has root privileges, what can stop it from writing the nvram.plist directly? (Another question should be why do that.. since it only exists on a Hack... (ok, why not...))

It seems like it is not a big deal to have a configuration file on the file system, which among other things can be not owned by the root user if you played with it (w/o a check at boot time). So you are talking about worrying about sophisticated techniques, when files are there ready to be handled? The file with the newer time stamp is loaded, as I see in the module, so it can be added to the EFI partition too w/o being root, and loaded at the next reboot.
I hope I'm not being stupid saying this, because I would like to understand better. (Or why I did not understand anything :P)
Thanks

 

I find using Chameleon today that device-properties from ioreg fail to be converted to xml by gfxutil with the error message:
invalid hex inputfile (filesize dont match or zero)
 
Looking back, I found cparm's commit 2415 made changes to /i386/libsaio/device_inject.c. Reverting these changes allows gfxutil to convert device-properties from ioreg to xml.
 
I know cparm has committed many working solutions to lots of projects so I do not necessarily think his code is wrong, instead think maybe gfxutil cannot correctly convert the optimised device-properties generated by commit 2415?

 

Hi, I have a newer version of gfxutil: gfxutil.zip, if you want to try, but if reverting the changes works.. probably it is the new code.


Please submit a bug report that shows a usermode app having the ability to things it shouldn't with FileNVRAM.

Once you do, and I can reproduce the issue, then I can fix it.

 

I'm still not sure how you can call an arbitrary function in kernel mode from usermode... or how you are bypassing the root check that is explicitly in filenvram, but if you submit a bug report, I'll look into it and fix it properly.

I was talking about the changes that I made. Not your v1.4 (using cached data, and that was wrong).

 

Anyway. Seems like we shouldn't call vfs_context_current() from kexts:

 

Kexts should not use this function--it is preferred to use vfs_context_create(NULL) and vfs_context_rele(), which ensure proper reference counting of underlying structures.
See vnode.h


Hi, I have a newer version of gfxutil: gfxutil.zip, if you want to try, but if reverting the changes works.. probably it is the new code.

Thanks for this new build Micky1979. Where did you get it? Can you point to McMatrix's source code?

 

Anyway, it has the same 'invalid hex inputfile (filesize dont match or zero)' result using cparm's commit 2415 so yes, I believe the commit maybe does not function correctly.

 

@cparm - Is this something you can fix for your commit or shall we revert to the previous code?


Thanks for this new build Micky1979. Where did you get it? Can you point to McMatrix's source code?

Sorry, I got it googling, until I found a GitHub repo while searching for other stuff (probably it was part of a larger project), but this happened some days ago; I don't have a link for you, but the source yes... BTW, resolved some compiler warnings (casting).

gfxutil source.zip


Anyway. Seems like we shouldn't call vfs_context_current() from kexts:

 

Kexts should not use this function--it is preferred to use vfs_context_create(NULL) and vfs_context_rele(), which ensure proper reference counting of underlying structures.
See vnode.h

 

 

Using vfs_context_current was done by design. If you use vfs_context_create, it'll use the current task's permissions. This becomes an issue when sandboxing is taken into account. Binaries like blued can no longer cause the nvram plist to be written, and things break. So, if you change it, yes, it'll usually work, but certain cases will break.

 

EDIT: Some further clarification: Using context_create / rele in the *current* location (where mCtx is set) would probably be fine. Using the functions when you call read/write_buffer would not, due to the above issue.


 

I find using Chameleon today that device-properties from ioreg fail to be converted to xml by gfxutil with error message:
invalid hex inputfile (filesize dont match or zero)
 
Looking back, I found cparm's commit 2415 made changes to /i386/libsaio/device_inject.c. Reverting these changes allows gfxutil to convert device-properties from ioreg to xml.
 
I know cparm has committed many working solutions to lots of projects so I do not necessarily think his code is wrong, instead think maybe gfxutil cannot correctly convert the optimised device-properties generated by commit 2415?

 

cparm's commit is good. The mistake was in the previous code.

Should be

- int len = string->length * 2;
+ int len = string->length * 2 + 1;
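Review bot: the extra byte only helps if the conversion code also writes the terminator at index `string->length * 2`; this two-line hunk shows only the allocation size, so please confirm that device_inject.c NUL-terminates the hex string after the conversion loop, and add a comment on the allocation such as `/* +1 for the terminating NUL of the hex string */` so the `* 2 + 1` is self-explaining.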

because we should allocate additional space for the terminating zero of the ascii string.


Thanks for taking the time to look into it Slice.

It's good to know cparm's commit was good :D

 

I'll test your recommended fix later.


Sorry, I got it googling, until I found a GitHub repo while searching for other stuff (probably it was part of a larger project), but this happened some days ago; I don't have a link for you, but the source yes... BTW, resolved some compiler warnings (casting).

Thanks Micky1979


cparm's commit is good. The mistake was in the previous code.

Should be

- int len = string->length * 2;
+ int len = string->length * 2 + 1;
because we should allocate additional space for the terminating zero of the ascii string.

 

Commit done 2757


New revision on the download section.

Enoch 2758.

- clang compilation fix (3.7 / xcode 7.0) errors on compiling interrupts.c (credits to cmf_)

- fix allocate space for ascii string zero terminating in device_inject.c (thx Slice and BlackOsx)

- Better SIP output in bdmesg

 

output example:

System Integrity Protection status: disabled (Custom Configuration).
CsrActiveConfig = 0x77 (1110111)

Configuration:
Kext Signing: disabled
Filesystem Protections: disabled
Task for PID: disabled
Debugging Restrictions: enabled
Apple Internal: disabled
DTrace Restrictions: disabled
NVRAM Protections: disabled
ErmaC
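An added example, not from Enoch's bdmesg source, showing how the CsrActiveConfig value in the output above decodes into the per-protection lines. The bit values are XNU's csr.h flags; the 0x67 "disabled" value and the function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bits from XNU's csr.h: a SET bit means that restriction is relaxed. */
#define CSR_ALLOW_UNTRUSTED_KEXTS     (1u << 0)
#define CSR_ALLOW_UNRESTRICTED_FS     (1u << 1)
#define CSR_ALLOW_TASK_FOR_PID        (1u << 2)
#define CSR_ALLOW_KERNEL_DEBUGGER     (1u << 3)
#define CSR_ALLOW_APPLE_INTERNAL      (1u << 4)
#define CSR_ALLOW_UNRESTRICTED_DTRACE (1u << 5)
#define CSR_ALLOW_UNRESTRICTED_NVRAM  (1u << 6)
/* Assumed: the value `csrutil disable` wrote on 10.11 (all bits but the debugger one). */
#define CSR_DISABLE_FLAGS 0x67u

struct csr_protection { const char *label; uint32_t allow_bit; };
/* The labels in the order bdmesg prints them, each with the bit that relaxes it. */
static const struct csr_protection kProtections[] = {
    { "Kext Signing",           CSR_ALLOW_UNTRUSTED_KEXTS },
    { "Filesystem Protections", CSR_ALLOW_UNRESTRICTED_FS },
    { "Task for PID",           CSR_ALLOW_TASK_FOR_PID },
    { "Debugging Restrictions", CSR_ALLOW_KERNEL_DEBUGGER },
    { "Apple Internal",         CSR_ALLOW_APPLE_INTERNAL },
    { "DTrace Restrictions",    CSR_ALLOW_UNRESTRICTED_DTRACE },
    { "NVRAM Protections",      CSR_ALLOW_UNRESTRICTED_NVRAM },
};
#define NUM_PROTECTIONS (sizeof kProtections / sizeof kProtections[0])

/* 1 if `label` is still enforced under `config`, 0 if relaxed, -1 if unknown. */
int csr_protection_enabled(uint32_t config, const char *label) {
    for (size_t i = 0; i < NUM_PROTECTIONS; i++)
        if (strcmp(kProtections[i].label, label) == 0)
            return (config & kProtections[i].allow_bit) ? 0 : 1;
    return -1;
}

/* Overall status line, following csrutil's wording. */
const char *csr_status(uint32_t config) {
    if (config == 0) return "enabled";
    if (config == CSR_DISABLE_FLAGS) return "disabled";
    return "disabled (Custom Configuration)";
}

/* Binary rendering without leading zeros, as in "0x77 (1110111)". */
const char *csr_binary(uint32_t config) {
    static char out[33];
    int pos = 0, started = 0;
    for (int bit = 31; bit >= 0; bit--) {
        int v = (int)((config >> bit) & 1u);
        if (v) started = 1;
        if (started || bit == 0) out[pos++] = (char)('0' + v);
    }
    out[pos] = '\0';
    return out;
}

int main(void) {
    uint32_t config = 0x77;  /* the value from the bdmesg output above */
    printf("System Integrity Protection status: %s.\nCsrActiveConfig = 0x%x (%s)\n\nConfiguration:\n",
           csr_status(config), config, csr_binary(config));
    for (size_t i = 0; i < NUM_PROTECTIONS; i++)
        printf("%s: %s\n", kProtections[i].label,
               csr_protection_enabled(config, kProtections[i].label) ? "enabled" : "disabled");
    return 0;
}
```

Note that 0x77 leaves only the kernel-debugger restriction in place; in particular the task for pid limitation discussed earlier in the thread is switched off by bit 2.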


Commit done 2757

 

Thanks for fixing cparm's error with your commit, but may I give you some advice? Why not use this:

int len = (string->length * 2) + 1;
or this instead:

int len = ((string->length * 2) + 1);
Then people would know instantly what it does.
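Added here to illustrate the allocation rule discussed in the last two posts (example code, not Chameleon's device_inject.c; the function names are hypothetical and the sample bytes are constructed): a hex-string encoder that reserves the terminator byte with `(length * 2) + 1`, next to a decoder that applies the length check behind gfxutil's error message.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encode `length` bytes as a lowercase hex string. One character pair per
 * byte PLUS one byte for the NUL terminator: allocating only length * 2
 * (the pre-2757 code) left the string unterminated. */
char *devprop_hex_encode(const uint8_t *data, uint32_t length) {
    static const char digits[] = "0123456789abcdef";
    char *hex = malloc(((size_t)length * 2) + 1);   /* the fix from the posts above */
    if (!hex) return NULL;
    for (uint32_t i = 0; i < length; i++) {
        hex[i * 2]     = digits[data[i] >> 4];
        hex[i * 2 + 1] = digits[data[i] & 0x0f];
    }
    hex[length * 2] = '\0';   /* the byte the +1 pays for */
    return hex;
}

/* 1 when a buffer of `alloc` bytes can hold the hex string for `length` bytes. */
int devprop_hex_buffer_ok(uint32_t length, size_t alloc) {
    return alloc >= (size_t)length * 2 + 1;
}

static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode hex text back to bytes. Applies the check behind gfxutil's
 * "invalid hex inputfile (filesize dont match or zero)": non-empty, even
 * length, hex digits only. Returns bytes written to `out`, 0 on bad input. */
uint32_t devprop_hex_decode(const char *hex, uint8_t *out, size_t out_cap) {
    size_t n = strlen(hex);
    if (n == 0 || n % 2 != 0 || n / 2 > out_cap) return 0;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hex_val(hex[i]), lo = hex_val(hex[i + 1]);
        if (hi < 0 || lo < 0) return 0;
        out[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return (uint32_t)(n / 2);
}

/* Encode, then decode: 1 if the bytes survive the round trip intact. */
int devprop_hex_roundtrip_ok(const uint8_t *data, uint32_t length) {
    uint8_t back[256];
    char *hex = devprop_hex_encode(data, length);
    int ok = hex && strlen(hex) == (size_t)length * 2 &&
             devprop_hex_decode(hex, back, sizeof back) == length &&
             memcmp(back, data, length) == 0;
    free(hex);
    return ok;
}

int main(void) {
    /* constructed sample bytes, not a real device-properties blob */
    const uint8_t blob[] = { 0x01, 0x00, 0x00, 0x00, 0xab, 0xff };
    char *hex = devprop_hex_encode(blob, sizeof blob);
    printf("%s (round trip %s)\n", hex, devprop_hex_roundtrip_ok(blob, sizeof blob) ? "ok" : "FAILED");
    free(hex);
    return 0;
}
```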


hi guys,

 

Chameleon Enoch r2748 works fine with -f to load /Extra/Extensions/kexts with DB4~DB6 as Clover r3259's kernel patch. :thumbsup_anim: :thumbsup_anim:

sudo perl -pi -e 's|\xC3\x48\x85\xDB\x74\x70\x48\x8B\x03\x48\x89\xDF\xFF\x50\x28\x48|\xC3\x48\x85\xDB\xEB\x12\x48\x8B\x03\x48\x89\xDF\xFF\x50\x28\x48|g' /System/Library/Kernels/kernel

Is it possible to add to Chameleon code??  .... you know!! :D

 

crazybirdy

Hi crazybirdy, can you do a test with the attached file in 10.10.5 and 10.11 with the original kernel?

This is an unstable version, so please try on USB, and if it can boot (for me it works) a bdmesg is appreciated.
Thanks
Edited by Micky1979
attachment removed


 

Hi crazybirdy, can you do a test with the attached file in 10.10.5 and 10.11 with the original kernel?

This is an unstable version, so please try on USB, and if it can boot (for me it works) a bdmesg is appreciated.
Thanks

 

I tested it (-v -f, original kernel) with 1095, 10105, 1011DB7, and only 1095 works fine, as bdmesg.txt shows.

bdmesg-1095.txt

10105 and 1011DB7 get a gray screen then reboot.... as the video below.

https://www.sendspace.com/file/rwy7c6

 

Thx, FYI.

 

BTW, I use boot1h2 from Clover to boot with boot1, boot2,....boot9...so, it's easy to test any boot file, you know!


Thanks crazybirdy! Are you available for further attempts?

The one you tested was an attempt to make the patch dynamic, without depending on the kernel version ... apparently it failed, but not entirely anyway:

Loading kernel from: 'Mac1095' ()
Hi crazybirdy :-)

  :)


BTW, I use boot1h2 from Clover to boot with boot1, boot2,....boot9...so, it's easy to test any boot file, you know!

good trick!  ;)


Thanks crazybirdy! Are you available for further attempts?

The one you tested was an attempt to make the patch dynamic, without depending on the kernel version ... apparently it failed, but not entirely anyway:

Loading kernel from: 'Mac1095' ()
Hi crazybirdy :-)

 good trick!  ;)

I didn't notice that funny string. :D

I can test further attempts if need. :thumbsup_anim:


I didn't notice that funny string. :D

I can test further attempts if need. :thumbsup_anim:

There is another funny string, if you can see it..... (it's a question and I need an answer :P )

Please try and report back in any OSes you have, thanks.

 

EDIT

I suppose you need -f because FakeSMC is not prelinked and not installed in SLE.. so can you also try without -f?

Edited by Micky1979
boot file removed


There is another funny string, if you can see it..... (it's a question and I need an answer :P )

Please try and report back in any OSes you have, thanks.

 

EDIT

I suppose you need -f because FakeSMC is not prelinked and not installed in SLE.. so can you also try without -f?

Hi Micky1979, now I am able to run /Extra/Extensions in all my OSes, as 1095, 10105, and 1011db8. That's good news.

:yes:

 

Test conditions:

-v, original kernel, all kexts such as FakeSMC put in /Extra/Extensions for 1095, 10105, and 1011db8, rebuild kernel caches.

boot with -f: all work fine to load /Extra/Extensions with 1095, 10105, 1011db8, and boot successfully.

boot without -f: only 10105 and 1011db8 work fine to load /Extra/Extensions and prelink the kernel, and boot successfully; 1095 didn't load /Extra/Extensions/FakeSMC.kext, loaded only the kernel caches, and can't boot to desktop.

 

bdmesg-all.zip

 

good job!!! :thumbsup_anim: :thumbsup_anim: :thumbsup_anim:

 

[edit]

Test conditions 2 for 1095 boot without -f:

-v, all kexts such as FakeSMC put in /Extra/Extensions for 1095.

1. original mach_kernel + rebuild kernel caches: didn't load /Extra/Extensions/FakeSMC.kext, loaded only the kernel caches, and can't boot to desktop.

2. patched mach_kernel + rebuild kernel caches: loads /Extra/Extensions/FakeSMC.kext with the kernel caches, and boots to desktop successfully.

The patch code is the same as KBEMLReplace in Clover's kext_inject.c:

perl -pi -e 's|\xC6\xE8\x30\x00\x00\x00\xEB\x08\x48\x89\xDF|\xC6\xE8\x30\x00\x00\x00\x90\x90\x48\x89\xDF|g' mach_kernel


Really a big thanks crazybirdy for the tests made.

This new build should be working from 10.6 up to the latest El Capitan. The patch was already included, but this patch can slow the boot process, so I made the statement "OSes conditional" and Mavericks was skipped by my mistake.
If everything is ok then it will be even faster booting using Enoch; just to make my ideas clearer, but right now I think things are sorted out :D
New boot file attached.
Hi Micky1979, now I am able to run /Extra/Extensions in all my OSes, as 1095, 10105, and 1011db8. That's good news.

:yes:

 

Test conditions:

-v, original kernel, all kexts such as FakeSMC put in /Extra/Extensions for 1095, 10105, and 1011db8, rebuild kernel caches.

boot with -f: all work fine to load /Extra/Extensions with 1095, 10105, 1011db8, and boot successfully.

boot without -f: only 10105 and 1011db8 work fine to load /Extra/Extensions and prelink the kernel, and boot successfully; 1095 didn't load /Extra/Extensions/FakeSMC.kext, loaded only the kernel caches, and can't boot to desktop.

 

bdmesg-all.zip

 

good job!!! :thumbsup_anim: :thumbsup_anim: :thumbsup_anim:

 

[edit]

Test conditions 2 for 1095 boot without -f:

-v, all kexts such as FakeSMC put in /Extra/Extensions for 1095.

1. original mach_kernel + rebuild kernel caches: didn't load /Extra/Extensions/FakeSMC.kext, loaded only the kernel caches, and can't boot to desktop.

2. patched mach_kernel + rebuild kernel caches: loads /Extra/Extensions/FakeSMC.kext with the kernel caches, and boots to desktop successfully.

The patch code is the same as KBEMLReplace in Clover's kext_inject.c:

perl -pi -e 's|\xC6\xE8\x30\x00\x00\x00\xEB\x08\x48\x89\xDF|\xC6\xE8\x30\x00\x00\x00\x90\x90\x48\x89\xDF|g' mach_kernel
Edited by Micky1979
boot file removed


is to test with Mavericks...

ok, wait for a minute. just come home. :yes:

 

[edit]

Doesn't work with 1095, the same as below.

Test conditions 2 for 1095 boot without -f:

-v, all kexts such as FakeSMC put in /Extra/Extensions for 1095.

1. original mach_kernel + rebuild kernel caches: didn't load /Extra/Extensions/FakeSMC.kext, loaded only the kernel caches, and can't boot to desktop.

 

video FYI.

https://www.sendspace.com/file/1futzf

 

PS: my CPU+MB can install 10411+1058+1068+1075+1085..and later..

I will reinstall all of these OSes, and test it later, will let you know the results. :D


 

[edit]

Not

PS: my CPU+MB can install 10411+1058+1068+1075+1085..and later..

I will reinstall all of these OSes, and test it later, will let you know the results. :D

Wow! You are able to test Tiger 10.4.11 too???? Nice!

 

ErmaC


PS: my CPU+MB can install 10411+1058+1068+1075+1085..and later..

I will reinstall all of these OSes, and test it later, will let you know the results. :D

Hey Bro, do not do this for me, I can not pay for your time! ^_^

Other people will benefit from your specific request, so they can test old OSes if they still have them..
Personally I think OSX Lion already reeks of old (Snow was the magic OS, better than Lion anyway), ML is bad .. and we have three other recent Operating Systems.


Can you post the 10.9.5 mach_kernel to see occurrences directly in the binary? I'll do that later because I'm not at home...

 

patch code as #3375. :)

1095-org.zip

1095-patch.zip

 

Wow! You are able to test Tiger 10.4.11 too???? Nice!

 

ErmaC

Yes, also 10.4.11, all work fine with original kernel, still re-installing now.....need time. :yes:

 

