diff --git a/CHANGELOG.md b/CHANGELOG.md index 309cde8ae..76ba64ad7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -32,7 +32,7 @@ - Intel: Ivy Bridge, Haswell, Broadwell and Skylake - Nvidia: Kepler - AMD: GCN 1 through 3 - - Raise SIP requirement to 0xA03 for root patching + - Raise SIP requirement to 0x803 for root patching - Add Ventura Boot Picker icons - Implement KDK-less root patching for Metal Intel and Nvidia GPUs - AMD GCN will still require a KDK installed for patching diff --git a/data/sip_data.py b/data/sip_data.py index f90d16550..393988d7e 100644 --- a/data/sip_data.py +++ b/data/sip_data.py @@ -134,6 +134,14 @@ class system_integrity_protection: "CSR_ALLOW_UNAPPROVED_KEXTS", # 0x200 - Required for Aux Cache in Big Sur+ ] + root_patch_sip_ventura = [ + # Variables required to root patch in Ventura + "CSR_ALLOW_UNTRUSTED_KEXTS", # 0x1 - Required for Aux Cache in Big Sur+ + "CSR_ALLOW_UNRESTRICTED_FS", # 0x2 - Required to mount and edit root volume, as well as load modded platform binaries + "CSR_ALLOW_UNAUTHENTICATED_ROOT", # 0x800 - Required to avoid KC mismatch kernel panic + ] + + # CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE (introduced with Mojave): # This bit is quite strange and was originally assumed to be required for modded platform binaries # However after extensive testing, this doesn't seem true. In addition, this bit is never flipped via diff --git a/gui/gui_main.py b/gui/gui_main.py index 11cf29f76..8feeff773 100644 --- a/gui/gui_main.py +++ b/gui/gui_main.py @@ -3108,7 +3108,7 @@ class wx_python_gui: elif self.constants.sip_status is True: self.sip_value = 0x00 else: - self.sip_value = 0xA03 + self.sip_value = 0x803 self.sip_label_2 = wx.StaticText(self.frame_modal, label=f"Currently configured SIP: {hex(self.sip_value)}") self.sip_label_2.SetFont(wx.Font(12, wx.FONTFAMILY_DEFAULT, wx.FONTSTYLE_NORMAL, wx.FONTWEIGHT_BOLD)) 
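Review bot: The new `root_patch_sip_ventura` list names the three required bits, but the number they add up to is typed by hand everywhere else in this commit: `0x803` in gui/gui_main.py and the cli_menu.py help text, `"03080000"` in resources/build.py, and both spellings in resources/sys_patch_detect.py. Nothing ties those literals to this list, so a later change to the required bits can leave the GUI, the built config and the detection check disagreeing about which protections are lowered. Consider defining the mask once next to the list, e.g. `ROOT_PATCH_SIP_VENTURA = 0x803  # 0x1 | 0x2 | 0x800`, and deriving the NVRAM bytes with `ROOT_PATCH_SIP_VENTURA.to_bytes(4, "little")`. The class body starts and ends outside the hunk.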
@@ -3124,21 +3124,21 @@ class wx_python_gui: ) self.sip_label_2_2.Center(wx.HORIZONTAL) - self.sip_label_3 = wx.StaticText(self.frame_modal, label="For older Macs requiring root patching, we set SIP to\n be partially disabled (0xA03) to allow root patching.") + self.sip_label_3 = wx.StaticText(self.frame_modal, label="For older Macs requiring root patching, we set SIP to\n be partially disabled (0x803) to allow root patching.") self.sip_label_3.SetFont(wx.Font(12, wx.FONTFAMILY_DEFAULT, wx.FONTSTYLE_NORMAL, wx.FONTWEIGHT_NORMAL)) self.sip_label_3.SetPosition( wx.Point(self.sip_label_2_2.GetPosition().x, self.sip_label_2_2.GetPosition().y + self.sip_label_2_2.GetSize().height + 10) ) self.sip_label_3.Center(wx.HORIZONTAL) - self.sip_label_4 = wx.StaticText(self.frame_modal, label="This value (0xA03) corresponds to the following bits in csr.h:") + self.sip_label_4 = wx.StaticText(self.frame_modal, label="This value (0x803) corresponds to the following bits in csr.h:") self.sip_label_4.SetFont(wx.Font(12, wx.FONTFAMILY_DEFAULT, wx.FONTSTYLE_NORMAL, wx.FONTWEIGHT_NORMAL)) self.sip_label_4.SetPosition( wx.Point(self.sip_label_3.GetPosition().x, self.sip_label_3.GetPosition().y + self.sip_label_3.GetSize().height + 5) ) self.sip_label_4.Center(wx.HORIZONTAL) - self.sip_label_5 = wx.StaticText(self.frame_modal, label=" 0x1 - CSR_ALLOW_UNTRUSTED_KEXTS\n 0x2 - CSR_ALLOW_UNRESTRICTED_FS\n 0x200 - CSR_ALLOW_UNAPPROVED_KEXTS\n 0x800 - CSR_ALLOW_UNAUTHENTICATED_ROOT") + self.sip_label_5 = wx.StaticText(self.frame_modal, label=" 0x1 - CSR_ALLOW_UNTRUSTED_KEXTS\n 0x2 - CSR_ALLOW_UNRESTRICTED_FS\n 0x800 - CSR_ALLOW_UNAUTHENTICATED_ROOT") self.sip_label_5.SetFont(wx.Font(12, wx.FONTFAMILY_DEFAULT, wx.FONTSTYLE_NORMAL, wx.FONTWEIGHT_NORMAL)) self.sip_label_5.SetPosition( wx.Point(self.sip_label_4.GetPosition().x, self.sip_label_4.GetPosition().y + self.sip_label_4.GetSize().height + 7) 
@@ -3192,7 +3192,7 @@ OpenCore Legacy Patcher by default knows the most ideal if hex(self.sip_value) == "0x0": self.constants.custom_sip_value = None self.constants.sip_status = True - elif hex(self.sip_value) == "0xA03": + elif hex(self.sip_value) == "0x803": self.constants.custom_sip_value = None self.constants.sip_status = False else: diff --git a/payloads/Config/config.plist b/payloads/Config/config.plist index 7c2e583e9..c2186148f 100644 --- a/payloads/Config/config.plist +++ b/payloads/Config/config.plist @@ -1787,6 +1787,36 @@ Skip 0 + + Arch + x86_64 + Base + __ZL22_vnode_check_signatureP5vnodeP5labeliP7cs_blobPjS5_ijPPcPm + Comment + Disable _csr_check() in _vnode_check_signature + Count + 1 + Enabled + + Find + AQAAAOgAAAAAhcB1 + Identifier + com.apple.driver.AppleMobileFileIntegrity + Limit + 0 + Mask + //////8AAAAA//// + MaxKernel + + MinKernel + 22.0.0 + Replace + AQAAALgBAAAAhcB1 + ReplaceMask + + Skip + 0 + Quirks diff --git a/resources/amfi_detect.py b/resources/amfi_detect.py new file mode 100644 index 000000000..94fb61388 --- /dev/null +++ b/resources/amfi_detect.py 
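Review bot: The branch `elif hex(self.sip_value) == "0x803":` compares the string form of the number, which only works while the literal contains no hex letters. `hex()` always returns lowercase digits, so the `"0xA03"` comparison it replaces could never have matched. Comparing integers avoids that trap: `elif self.sip_value == 0x803:`, and likewise `if self.sip_value == 0x0:` for the branch above. This assumes `self.sip_value` is still an int here, as it is where the first gui_main.py hunk assigns it; the enclosing method starts and ends outside the hunk.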
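Review bot: `MaxKernel` is left empty on the new "Disable _csr_check() in _vnode_check_signature" entry, so the patch is offered to every kernel from 22.0.0 onwards. The Find/Mask pair is a short masked byte pattern inside AppleMobileFileIntegrity, and on a later kernel build it may stop matching or match a different call site in that function. Because the patch turns off a signature-related check, it should only apply to builds it was verified on. Consider setting `MaxKernel` to the newest tested release and extending `Comment` to say which check is bypassed and why root patching needs it. The key names are read from the flattened text of the hunk, whose XML tags are not visible here.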
@@ -0,0 +1,107 @@ +# Determine AppleMobileFileIntegrity's OS configuration + +from resources import utilities + +class amfi_configuration_detection: + + def __init__(self): + self.AMFI_ALLOW_TASK_FOR_PID = False + self.AMFI_ALLOW_INVALID_SIGNATURE = False + self.AMFI_LV_ENFORCE_THIRD_PARTY = False + self.AMFI_ALLOW_EVERYTHING = False + self.SKIP_LIBRARY_VALIDATION = False + + self.boot_args = [] + self.oclp_args = [] + + self.init_nvram_dicts() + + self.parse_amfi_bitmask() + self.parse_amfi_boot_args() + self.parse_oclp_configuration() + + + def init_nvram_dicts(self): + boot_args = utilities.get_nvram("boot-args", decode=True) + oclp_args = utilities.get_nvram("OCLP-Settings", "4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102", decode=True) + + if boot_args: + self.boot_args = boot_args.split(" ") + + if oclp_args: + self.oclp_args = oclp_args.split(" ") + + + def parse_amfi_bitmask(self): + # See data/amfi_data.py for more information + amfi_value = 0 + for arg in self.boot_args: + if arg.startswith("amfi="): + try: + amfi_value = arg.split("=") + if len(amfi_value) != 2: + return + amfi_value = amfi_value[1] + if amfi_value.startswith("0x"): + amfi_value = int(amfi_value, 16) + else: + amfi_value = int(amfi_value) + except: + return + break + + if amfi_value == 0: + return + + if amfi_value & 0x1: + self.AMFI_ALLOW_TASK_FOR_PID = True + if amfi_value & 0x2: + self.AMFI_ALLOW_INVALID_SIGNATURE = True + if amfi_value & 0x4: + self.AMFI_LV_ENFORCE_THIRD_PARTY = True + if amfi_value & 0x80: + self.AMFI_ALLOW_EVERYTHING = True + self.SKIP_LIBRARY_VALIDATION = True + self.AMFI_ALLOW_INVALID_SIGNATURE = True + + + def parse_amfi_boot_args(self): + for arg in self.boot_args: + if arg.startswith("amfi_unrestrict_task_for_pid"): + value = arg.split("=") + if len(value) == 2: + if value[1] in ["0x1", "1"]: + self.AMFI_ALLOW_TASK_FOR_PID = True + elif arg.startswith("amfi_allow_any_signature"): + value = arg.split("=") + if len(value) == 2: + if value[1] in ["0x1", "1"]: + 
self.AMFI_ALLOW_INVALID_SIGNATURE = True + elif arg.startswith("amfi_get_out_of_my_way"): + value = arg.split("=") + if len(value) == 2: + if value[1] in ["0x1", "1"]: + self.AMFI_ALLOW_EVERYTHING = True + self.SKIP_LIBRARY_VALIDATION = True + self.AMFI_ALLOW_INVALID_SIGNATURE = True + + + def parse_oclp_configuration(self): + if "-allow_amfi" in self.oclp_args: + self.SKIP_LIBRARY_VALIDATION = True + + + def check_config(self, level): + # Levels: + # - 1. Library Validation (Monterey and Older) + # - 2. Library Validation and Signature Checks (Ventura and Newer) + + if level > 2 or level < 1: + raise ValueError("Invalid AMFI Configuration Level") + + if level == 1: + return self.SKIP_LIBRARY_VALIDATION + if level == 2: + return bool(self.SKIP_LIBRARY_VALIDATION and self.AMFI_ALLOW_INVALID_SIGNATURE) + + return False \ No newline at end of file diff --git a/resources/build.py b/resources/build.py index 3e2ab2e4b..40f0ca7e9 100644 --- a/resources/build.py +++ b/resources/build.py @@ -995,7 +995,7 @@ class BuildOpenCore: self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = utilities.string_to_hex(self.constants.custom_sip_value.lstrip("0x")) elif self.constants.sip_status is False: print("- Set SIP to allow Root Volume patching") - self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = binascii.unhexlify("030A0000") + self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = binascii.unhexlify("03080000") # if self.constants.amfi_status is False: # print("- Disabling AMFI") 
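Review bot: `parse_amfi_bitmask` wraps the parsing in a bare `except:`, which also swallows `KeyboardInterrupt` and any programming error in that block; only `int()` is expected to fail there, so `except ValueError:` is enough. A malformed `amfi=` value then returns with every flag still False, which makes `check_config` return False and the caller treat AMFI as enforcing. That fail-closed choice deserves a comment, e.g. `# unparsable amfi= value: leave all flags False (treated as enforcing)`. The class and its methods have no docstrings; a class docstring should state that the flags are derived from the `boot-args` and `OCLP-Settings` NVRAM variables and that `check_config` returns True when the checks for that level are relaxed. For integer levels the final `return False` in `check_config` is unreachable.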
@@ -1004,8 +1004,9 @@ class BuildOpenCore: print("- Disabling Library Validation") # In Ventura, LV patch broke. For now, add AMFI arg # Before merging into mainline, this needs to be resolved - # self.get_item_by_kv(self.config["Kernel"]["Patch"], "Comment", "Disable Library Validation Enforcement")["Enabled"] = True - self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " amfi_get_out_of_my_way=0x1" + self.get_item_by_kv(self.config["Kernel"]["Patch"], "Comment", "Disable Library Validation Enforcement")["Enabled"] = True + self.get_item_by_kv(self.config["Kernel"]["Patch"], "Comment", "Disable _csr_check() in _vnode_check_signature")["Enabled"] = True + self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " amfi=0x2" self.config["NVRAM"]["Add"]["4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102"]["OCLP-Settings"] += " -allow_amfi" # CSLVFixup simply patches out __RESTRICT and __restrict out of the Music.app Binary # Ref: https://pewpewthespells.com/blog/blocking_code_injection_on_ios_and_os_x.html diff --git a/resources/cli_menu.py b/resources/cli_menu.py index feae96e79..6cedd9c1a 100644 --- a/resources/cli_menu.py +++ b/resources/cli_menu.py @@ -173,7 +173,7 @@ Note: For security reasons, OpenShell will be disabled when Vault is set. print( f"""SIP is used to ensure proper security measures are set, however to patch the root volume this must be lowered partially. -Only disable is absolutely necessary. SIP value = 0xA03 +Only disable is absolutely necessary. SIP value = 0x803 Valid options: @@ -819,7 +819,7 @@ Note: This option should only be flipped under the following circumstances: print( """ By default OCLP will use the SIP value of 0x00 as the enabled and -0xA03 for machines that require root patching. For users who wish +0x803 for machines that require root patching. For users who wish to flip additional bits in SIP may use this option. To disable SIP outright, set it to 0xFEF 
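Review bot: The two context comments above the changed lines (`# In Ventura, LV patch broke. For now, add AMFI arg` and `# Before merging into mainline, this needs to be resolved`) now describe the opposite of what the code does, since the hunk re-enables the Library Validation patch and swaps `amfi_get_out_of_my_way=0x1` for `amfi=0x2`. Replace them with a comment that states the current setup and what it relaxes, for example `# amfi=0x2 sets AMFI_ALLOW_INVALID_SIGNATURE (see resources/amfi_detect.py); the two kernel patches cover Library Validation and _csr_check()`. As far as the hunk shows, the boot-arg is appended for every target OS while the new kernel patch carries MinKernel 22.0.0, so it is worth confirming that pre-Ventura builds are meant to accept invalid signatures as well. The enclosing method and the condition guarding these lines are outside the hunk.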
diff --git a/resources/defaults.py b/resources/defaults.py index 25ccd6012..f1b376ec1 100644 --- a/resources/defaults.py +++ b/resources/defaults.py @@ -125,8 +125,6 @@ class generate_defaults: if "-v" in (utilities.get_nvram("boot-args") or ""): settings.verbose_debug = True - if utilities.amfi_status() is False: - settings.amfi_status = False if model in ["MacBookPro8,2", "MacBookPro8,3"]: # Users disabling TS2 most likely have a faulty dGPU diff --git a/resources/sys_patch_detect.py b/resources/sys_patch_detect.py index e03aeb74d..5f6d7dd47 100644 --- a/resources/sys_patch_detect.py +++ b/resources/sys_patch_detect.py @@ -225,12 +225,18 @@ class detect_root_patch: def check_sip(self): if self.constants.detected_os > os_data.os_data.catalina: - if self.nvidia_web is True or self.constants.detected_os >= os_data.os_data.ventura: + if self.nvidia_web is True: sip = sip_data.system_integrity_protection.root_patch_sip_big_sur_3rd_part_kexts sip_hex = "0xA03" sip_value = ( f"For Hackintoshes, please set csr-active-config to '030A0000' ({sip_hex})\nFor non-OpenCore Macs, please run 'csrutil disable' and \n'csrutil authenticated-root disable' in RecoveryOS" ) + elif self.constants.detected_os >= os_data.os_data.ventura: + sip = sip_data.system_integrity_protection.root_patch_sip_ventura + sip_hex = "0x803" + sip_value = ( + f"For Hackintoshes, please set csr-active-config to '03080000' ({sip_hex})\nFor non-OpenCore Macs, please run 'csrutil disable' and \n'csrutil authenticated-root disable' in RecoveryOS" + ) else: sip = sip_data.system_integrity_protection.root_patch_sip_big_sur sip_hex = "0x802" diff --git a/resources/utilities.py b/resources/utilities.py index ff5ced83f..35586f1a3 100644 --- a/resources/utilities.py +++ b/resources/utilities.py @@ -15,7 +15,7 @@ import atexit import requests import shutil -from resources import constants, ioreg +from resources import constants, ioreg, amfi_detect from data import sip_data, os_data 
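Review bot: In the new Ventura branch of `check_sip`, the message tells non-OpenCore users to run `csrutil disable` and `csrutil authenticated-root disable`, which as far as I know switches SIP off as a whole rather than only the three bits in `root_patch_sip_ventura`. The text should say so, so that users on that path know they end up with less protection than the `0x803` shown next to it; for example append `(this lowers more of SIP than the bits listed)`. The same f-string is now pasted in a second branch with only the two literals changed, so building it once from `sip_hex` would keep the wording in step. The `else:` branch continues outside the hunk.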
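Review bot: Importing `amfi_detect` at the top of resources/utilities.py creates an import cycle, because the new resources/amfi_detect.py itself begins with `from resources import utilities`. It appears to work only because neither module touches the other at import time (`utilities.get_nvram` is first called inside `init_nvram_dicts`), and it will fail as soon as either side uses the other at module level. Consider importing it where it is used, `from resources import amfi_detect` inside `patching_status`, or having `amfi_configuration_detection` receive the NVRAM reader as an argument so it does not need `utilities` at all.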
@@ -150,26 +150,6 @@ def enable_sleep_after_running(): sleep_process.kill() sleep_process = None -def amfi_status(fully_disabled=False): - amfi_args = [ - "amfi_get_out_of_my_way=0x1", - "amfi_get_out_of_my_way=1", - "amfi=128", - ] - - if fully_disabled is False: - # Library Validation based patch - oclp_guid = get_nvram("OCLP-Settings", "4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102", decode=True) - if oclp_guid: - if "-allow_amfi" in oclp_guid: - return False - boot_args = get_nvram("boot-args", decode=True) - if boot_args: - for arg in amfi_args: - if arg in boot_args: - return False - return True - def check_kext_loaded(kext_name, os_version): if os_version > os_data.os_data.catalina: @@ -278,10 +258,10 @@ def patching_status(os_sip, os): gen7_kext = "/System/Library/Extension/AppleIntelHD3000Graphics.kext" if os > os_data.os_data.catalina: - requires_full_amfi = False + amfi_level = 1 if os >= os_data.os_data.ventura: - requires_full_amfi = True - amfi_enabled = amfi_status(fully_disabled=requires_full_amfi) + amfi_level = 2 + amfi_enabled = not amfi_detect.amfi_configuration_detection().check_config(amfi_level) else: # Catalina and older supports individually disabling Library Validation amfi_enabled = False
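Review bot: `amfi_level = 1` and `amfi_level = 2` are bare numbers whose meaning is documented only in a comment inside `check_config`, and the result is then inverted into `amfi_enabled`, so the line is hard to read without opening the other file. Named constants on the detection class would make the call self-explanatory; failing that, add a comment such as `# level 2 = Library Validation and signature checks relaxed (Ventura+); check_config() is True when relaxed`. Separately, the context line `gen7_kext = "/System/Library/Extension/AppleIntelHD3000Graphics.kext"` looks like it is missing the final `s` of `Extensions`, which is worth confirming. `patching_status` starts and ends outside the hunk.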