Support decoding SIP value

2026-04-14 04:38:20 +10:00 · 2021-03-20 14:56:58 -06:00
parent 4f8748932d
commit 21277e5738
5 changed files with 69 additions and 13 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,9 @@
 - Add Root Volume patching for older machines
  - AppleHDA Patch for 2011 and older (Excluding MacPro4,1+)
  - AppleBCM5701Ethernet patch for certian 2009-2011 Macs
+- Fix CPU Speed reporting
+- Increment binaries
+  - OpenCore c92bcb7 (0.6.8 rolling - 2021-03-20)

 ## 0.0.18
 - Disable Vault by default due to breaking installations
--- a/Resources/Constants.py
+++ b/Resources/Constants.py
@@ -9,7 +9,7 @@ from pathlib import Path
 class Constants:
    def __init__(self):
        self.patcher_version = "0.0.19"
-        self.opencore_commit = "7bb41aa - 2021-03-06"
+        self.opencore_commit = "c92bcb7 - 2021-03-20"
        self.opencore_version = "0.6.8"
        self.lilu_version = "1.5.1"
        self.whatevergreen_version = "1.4.8"
@@ -205,4 +205,19 @@ class Constants:
    @property
    def gpusupport_path(self): return self.payload_apple_private_frameworks_path / Path("GPUSupport.framework")
    @property
-    def skylight_path(self): return self.payload_apple_private_frameworks_path / Path("SkyLight.framework")
+    def skylight_path(self): return self.payload_apple_private_frameworks_path / Path("SkyLight.framework")
+
+    csr_values = [
+        "CSR_ALLOW_UNTRUSTED_KEXTS           ",# 0x1   - Introduced in El Capitan
+        "CSR_ALLOW_UNRESTRICTED_FS           ",# 0x2   - Introduced in El Capitan
+        "CSR_ALLOW_TASK_FOR_PID              ",# 0x4   - Introduced in El Capitan
+        "CSR_ALLOW_KERNEL_DEBUGGER           ",# 0x8   - Introduced in El Capitan
+        "CSR_ALLOW_APPLE_INTERNAL            ",# 0x10  - Introduced in El Capitan
+        "CSR_ALLOW_UNRESTRICTED_DTRACE       ",# 0x20  - Introduced in El Capitan
+        "CSR_ALLOW_UNRESTRICTED_NVRAM        ",# 0x40  - Introduced in El Capitan
+        "CSR_ALLOW_DEVICE_CONFIGURATION      ",# 0x80  - Introduced in El Capitan
+        "CSR_ALLOW_ANY_RECOVERY_OS           ",# 0x100 - Introduced in Sierra
+        "CSR_ALLOW_UNAPPROVED_KEXTS          ",# 0x200 - Introduced in High Sierra
+        "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE",# 0x400 - Introduced in Mojave
+        "CSR_ALLOW_UNAUTHENTICATED_ROOT      ",# 0x800 - Introduced in Big Sur
+    ]
--- a/Resources/SysPatch.py
+++ b/Resources/SysPatch.py
@@ -1,4 +1,9 @@
 # Framework for mounting and patching macOS root volume
+# Missing Features:
+# - Full System/Library Snapshotting (need to research how Apple achieves this)
+# - Work-around battery throttling on laptops with no battery (IOPlatformPluginFamily.kext/Contents/PlugIns/ACPI_SMC_PlatformPlugin.kext/Contents/Resources/)
+# - csr-active-config parsing
+# - Add kmutil error checking
 from __future__ import print_function

 import binascii
@@ -18,6 +23,21 @@ class PatchSysVolume:
        self.model = model
        self.constants: Constants.Constants = versions

+    def csr_decode(self, sip_raw, print_status):
+        sip_int = int.from_bytes(sip_raw, byteorder='little')
+        i = 0
+        for current_sip_bit in self.constants.csr_values:
+            if sip_int & (1 << i):
+                temp = True
+                # The below array are values that don't affect the ability to patch
+                if current_sip_bit not in ["CSR_ALLOW_TASK_FOR_PID              ", "CSR_ALLOW_KERNEL_DEBUGGER           ", "CSR_ALLOW_APPLE_INTERNAL            ", "CSR_ALLOW_ANY_RECOVERY_OS           ",]:
+                    self.sip_patch_status = False
+            else:
+                temp = False
+            if print_status is True:
+                print(f"- {current_sip_bit}\t {temp}")
+            i = i + 1
+
    def find_mount_root_vol(self):
        root_partition_info = plistlib.loads(subprocess.run("diskutil info -plist /".split(), stdout=subprocess.PIPE).stdout.decode().strip().encode())
        self.root_mount_path = root_partition_info["DeviceIdentifier"]
@@ -175,8 +195,8 @@ class PatchSysVolume:
            print("Root Patching must be done on target machine!")
        elif self.model in ModelArray.NoRootPatch11:
            print("Root Patching not required for this machine!")
-        elif self.model not in ModelArray.SupportedSMBIOS:
-            print("Cannot run on this machine!")
+        elif self.model in ModelArray.SupportedSMBIOS:
+            print("Cannot run on this machine, model is unsupported!")
        elif self.constants.detected_os < 10.16:
            print(f"Cannot run on this OS: {self.constants.detected_os}")
        else:
@@ -184,28 +204,46 @@ class PatchSysVolume:
            try:
                sip_status = nvram_dump["csr-active-config"]
            except KeyError:
-                print("- csr-active-config var is missing")
                sip_status = b'\x00\x00\x00\x00'

            smb_model: str = subprocess.run("nvram 94B73556-2197-4702-82A8-3E1337DAFBFB:HardwareModel	".split(), stdout=subprocess.PIPE, stderr=subprocess.STDOUT).stdout.decode()
            if not smb_model.startswith("nvram: Error getting variable"):
                smb_model = [line.strip().split(":HardwareModel	", 1)[1] for line in smb_model.split("\n") if line.strip().startswith("94B73556-2197-4702-82A8-3E1337DAFBFB:")][0]
                if smb_model.startswith("j137"):
-                    smb_status = "Enabled"
+                    smb_status = True
                else:
-                    smb_status = "Disabled"
+                    smb_status = False
            else:
-                smb_status = "Disabled"
+                smb_status = False
+            fv_status = True
+            fv_status: str = subprocess.run("fdesetup status".split(), stdout=subprocess.PIPE, stderr=subprocess.STDOUT).stdout.decode()
+            if fv_status.startswith("FileVault is Off"):
+                fv_status = False
+            else:
+                fv_status = True

-            if (sip_status == b'\xef\x0f\x00\x00') and (smb_status == "Disabled"):
+
+            self.sip_patch_status = True
+            self.csr_decode(sip_status, False)
+            utilities.cls()
+            if (self.sip_patch_status is False) and (smb_status is False):
                print("- Detected SIP and SecureBootModel are disabled, continuing")
                input("\nPress [ENTER] to continue")
                self.find_mount_root_vol()
                self.unmount_drive()
                print("- Patching complete")
                print("\nPlease reboot the machine for patches to take effect")
-            else:
-                print("- SIP and SecureBootModel set incorrectly, unable to patch")
-                print("\nPlease disable SIP and SecureBootModel in Patcher Settings")
-                print("Then build OpenCore again, reinstall OpenCore to your drive and reboot.")
+            if self.sip_patch_status is True:
+                print("SIP set incorrectly, cannot patch on this machine!")
+                print("Please disable SIP and SecureBootModel in Patcher Settings")
+                self.csr_decode(sip_status, True)
+                print("")
+            if smb_status is True:
+                print("SecureBootModel set incorrectly, unable to patch!")
+                print("Please disable SecureBootModel in Patcher Settings")
+                print("")
+            if fv_status is True:
+                print("FileVault enabled, unable to patch!")
+                print("Please disable FileVault in System Preferences")
+                print("")
        input("Press [Enter] to go exit.")
--- a/payloads/OpenCore/OpenCore-DEBUG-v0.6.8.zip
+++ b/payloads/OpenCore/OpenCore-DEBUG-v0.6.8.zip
--- a/payloads/OpenCore/OpenCore-RELEASE-v0.6.8.zip
+++ b/payloads/OpenCore/OpenCore-RELEASE-v0.6.8.zip