Drop reliance on amfi_get_out_of_my_way=0x1

Mykola Grymalyuk
2022-09-13 19:51:28 -06:00
parent 839a37f897
commit 616d812913
10 changed files with 168 additions and 38 deletions


@@ -32,7 +32,7 @@
- Intel: Ivy Bridge, Haswell, Broadwell and Skylake - Intel: Ivy Bridge, Haswell, Broadwell and Skylake
- Nvidia: Kepler - Nvidia: Kepler
- AMD: GCN 1 through 3 - AMD: GCN 1 through 3
- Raise SIP requirement to 0xA03 for root patching - Raise SIP requirement to 0x803 for root patching
- Add Ventura Boot Picker icons - Add Ventura Boot Picker icons
- Implement KDK-less root patching for Metal Intel and Nvidia GPUs - Implement KDK-less root patching for Metal Intel and Nvidia GPUs
- AMD GCN will still require a KDK installed for patching - AMD GCN will still require a KDK installed for patching


@@ -134,6 +134,14 @@ class system_integrity_protection:
"CSR_ALLOW_UNAPPROVED_KEXTS", # 0x200 - Required for Aux Cache in Big Sur+ "CSR_ALLOW_UNAPPROVED_KEXTS", # 0x200 - Required for Aux Cache in Big Sur+
] ]
root_patch_sip_ventura = [
# Variables required to root patch in Ventura
"CSR_ALLOW_UNTRUSTED_KEXTS", # 0x1 - Required for Aux Cache in Big Sur+
"CSR_ALLOW_UNRESTRICTED_FS", # 0x2 - Required to mount and edit root volume, as well as load modded platform binaries
"CSR_ALLOW_UNAUTHENTICATED_ROOT", # 0x800 - Required to avoid KC mismatch kernel panic
]
# CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE (introduced with Mojave): # CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE (introduced with Mojave):
# This bit is quite strange and was originally assumed to be required for modded platform binaries # This bit is quite strange and was originally assumed to be required for modded platform binaries
# However after extensive testing, this doesn't seem true. In addition, this bit is never flipped via # However after extensive testing, this doesn't seem true. In addition, this bit is never flipped via


@@ -3108,7 +3108,7 @@ class wx_python_gui:
elif self.constants.sip_status is True: elif self.constants.sip_status is True:
self.sip_value = 0x00 self.sip_value = 0x00
else: else:
self.sip_value = 0xA03 self.sip_value = 0x803
self.sip_label_2 = wx.StaticText(self.frame_modal, label=f"Currently configured SIP: {hex(self.sip_value)}") self.sip_label_2 = wx.StaticText(self.frame_modal, label=f"Currently configured SIP: {hex(self.sip_value)}")
self.sip_label_2.SetFont(wx.Font(12, wx.FONTFAMILY_DEFAULT, wx.FONTSTYLE_NORMAL, wx.FONTWEIGHT_BOLD)) self.sip_label_2.SetFont(wx.Font(12, wx.FONTFAMILY_DEFAULT, wx.FONTSTYLE_NORMAL, wx.FONTWEIGHT_BOLD))
@@ -3124,21 +3124,21 @@ class wx_python_gui:
) )
self.sip_label_2_2.Center(wx.HORIZONTAL) self.sip_label_2_2.Center(wx.HORIZONTAL)
self.sip_label_3 = wx.StaticText(self.frame_modal, label="For older Macs requiring root patching, we set SIP to\n be partially disabled (0xA03) to allow root patching.") self.sip_label_3 = wx.StaticText(self.frame_modal, label="For older Macs requiring root patching, we set SIP to\n be partially disabled (0x803) to allow root patching.")
self.sip_label_3.SetFont(wx.Font(12, wx.FONTFAMILY_DEFAULT, wx.FONTSTYLE_NORMAL, wx.FONTWEIGHT_NORMAL)) self.sip_label_3.SetFont(wx.Font(12, wx.FONTFAMILY_DEFAULT, wx.FONTSTYLE_NORMAL, wx.FONTWEIGHT_NORMAL))
self.sip_label_3.SetPosition( self.sip_label_3.SetPosition(
wx.Point(self.sip_label_2_2.GetPosition().x, self.sip_label_2_2.GetPosition().y + self.sip_label_2_2.GetSize().height + 10) wx.Point(self.sip_label_2_2.GetPosition().x, self.sip_label_2_2.GetPosition().y + self.sip_label_2_2.GetSize().height + 10)
) )
self.sip_label_3.Center(wx.HORIZONTAL) self.sip_label_3.Center(wx.HORIZONTAL)
self.sip_label_4 = wx.StaticText(self.frame_modal, label="This value (0xA03) corresponds to the following bits in csr.h:") self.sip_label_4 = wx.StaticText(self.frame_modal, label="This value (0x803) corresponds to the following bits in csr.h:")
self.sip_label_4.SetFont(wx.Font(12, wx.FONTFAMILY_DEFAULT, wx.FONTSTYLE_NORMAL, wx.FONTWEIGHT_NORMAL)) self.sip_label_4.SetFont(wx.Font(12, wx.FONTFAMILY_DEFAULT, wx.FONTSTYLE_NORMAL, wx.FONTWEIGHT_NORMAL))
self.sip_label_4.SetPosition( self.sip_label_4.SetPosition(
wx.Point(self.sip_label_3.GetPosition().x, self.sip_label_3.GetPosition().y + self.sip_label_3.GetSize().height + 5) wx.Point(self.sip_label_3.GetPosition().x, self.sip_label_3.GetPosition().y + self.sip_label_3.GetSize().height + 5)
) )
self.sip_label_4.Center(wx.HORIZONTAL) self.sip_label_4.Center(wx.HORIZONTAL)
self.sip_label_5 = wx.StaticText(self.frame_modal, label=" 0x1 - CSR_ALLOW_UNTRUSTED_KEXTS\n 0x2 - CSR_ALLOW_UNRESTRICTED_FS\n 0x200 - CSR_ALLOW_UNAPPROVED_KEXTS\n 0x800 - CSR_ALLOW_UNAUTHENTICATED_ROOT") self.sip_label_5 = wx.StaticText(self.frame_modal, label=" 0x1 - CSR_ALLOW_UNTRUSTED_KEXTS\n 0x2 - CSR_ALLOW_UNRESTRICTED_FS\n 0x800 - CSR_ALLOW_UNAUTHENTICATED_ROOT")
self.sip_label_5.SetFont(wx.Font(12, wx.FONTFAMILY_DEFAULT, wx.FONTSTYLE_NORMAL, wx.FONTWEIGHT_NORMAL)) self.sip_label_5.SetFont(wx.Font(12, wx.FONTFAMILY_DEFAULT, wx.FONTSTYLE_NORMAL, wx.FONTWEIGHT_NORMAL))
self.sip_label_5.SetPosition( self.sip_label_5.SetPosition(
wx.Point(self.sip_label_4.GetPosition().x, self.sip_label_4.GetPosition().y + self.sip_label_4.GetSize().height + 7) wx.Point(self.sip_label_4.GetPosition().x, self.sip_label_4.GetPosition().y + self.sip_label_4.GetSize().height + 7)
@@ -3192,7 +3192,7 @@ OpenCore Legacy Patcher by default knows the most ideal
if hex(self.sip_value) == "0x0": if hex(self.sip_value) == "0x0":
self.constants.custom_sip_value = None self.constants.custom_sip_value = None
self.constants.sip_status = True self.constants.sip_status = True
elif hex(self.sip_value) == "0xA03": elif hex(self.sip_value) == "0x803":
self.constants.custom_sip_value = None self.constants.custom_sip_value = None
self.constants.sip_status = False self.constants.sip_status = False
else: else:
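Review bot: The default-detection branch at the end of this section compares `hex(self.sip_value)` with a string literal, and `hex()` returns lowercase digits, so the comparison only works now because 0x803 contains no letter digits (the replaced `"0xA03"` literal could not have matched). Comparing integers, `elif self.sip_value == 0x803:`, removes that trap. The 0x803 value is also written out by hand in the label strings here, in the CLI help text and as `03080000` in the build step, so a later mask change has to touch every copy; deriving them from `sip_data.system_integrity_protection.root_patch_sip_ventura` would keep the displayed, checked and written values in step. The enclosing methods start and end outside these hunks.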


@@ -1787,6 +1787,36 @@
<key>Skip</key> <key>Skip</key>
<integer>0</integer> <integer>0</integer>
</dict> </dict>
<dict>
<key>Arch</key>
<string>x86_64</string>
<key>Base</key>
<string>__ZL22_vnode_check_signatureP5vnodeP5labeliP7cs_blobPjS5_ijPPcPm</string>
<key>Comment</key>
<string>Disable _csr_check() in _vnode_check_signature</string>
<key>Count</key>
<integer>1</integer>
<key>Enabled</key>
<false/>
<key>Find</key>
<data>AQAAAOgAAAAAhcB1</data>
<key>Identifier</key>
<string>com.apple.driver.AppleMobileFileIntegrity</string>
<key>Limit</key>
<integer>0</integer>
<key>Mask</key>
<data>//////8AAAAA////</data>
<key>MaxKernel</key>
<string></string>
<key>MinKernel</key>
<string>22.0.0</string>
<key>Replace</key>
<data>AQAAALgBAAAAhcB1</data>
<key>ReplaceMask</key>
<data></data>
<key>Skip</key>
<integer>0</integer>
</dict>
</array> </array>
<key>Quirks</key> <key>Quirks</key>
<dict> <dict>
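Review bot: The new AppleMobileFileIntegrity patch entry leaves `MaxKernel` empty and `Limit` at 0, so once the build step enables it, it applies to every kernel from 22.0.0 onward and the `Find` pattern is searched from the `Base` symbol with no upper bound. Four bytes in the middle of the pattern are wildcarded by `Mask`, so a later kernel build could match at a site other than the one that was tested. Setting `MaxKernel` to the last verified release and a non-zero `Limit` sized to the function would make the patch simply not apply on untested kernels. The `Comment` string doubles as the lookup key in the build step (`get_item_by_kv(..., "Comment", ...)`), so it should be documented as not safe to reword.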

107
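--- /dev/null
+++ b/resources/amfi_detect.py
@@ -0,0 +1,107 @@
+# Determine AppleMobileFileIntegrity's OS configuration
+from resources import utilities
+class amfi_configuration_detection:
+def __init__(self):
+self.AMFI_ALLOW_TASK_FOR_PID = False
+self.AMFI_ALLOW_INVALID_SIGNATURE = False
+self.AMFI_LV_ENFORCE_THIRD_PARTY = False
+self.AMFI_ALLOW_EVERYTHING = False
+self.SKIP_LIBRARY_VALIDATION = False
+self.boot_args = []
+self.oclp_args = []
+self.init_nvram_dicts()
+self.parse_amfi_bitmask()
+self.parse_amfi_boot_args()
+self.parse_oclp_configuration()
+def init_nvram_dicts(self):
+boot_args = utilities.get_nvram("boot-args", decode=True)
+oclp_args = utilities.get_nvram("OCLP-Settings", "4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102", decode=True)
+if boot_args:
+self.boot_args = boot_args.split(" ")
+if oclp_args:
+self.oclp_args = oclp_args.split(" ")
+def parse_amfi_bitmask(self):
+# See data/amfi_data.py for more information
+amfi_value = 0
+for arg in self.boot_args:
+if arg.startswith("amfi="):
+try:
+amfi_value = arg.split("=")
+if len(amfi_value) != 2:
+return
+amfi_value = amfi_value[1]
+if amfi_value.startswith("0x"):
+amfi_value = int(amfi_value, 16)
+else:
+amfi_value = int(amfi_value)
+except:
+return
+break
+if amfi_value == 0:
+return
+if amfi_value & 0x1:
+self.AMFI_ALLOW_TASK_FOR_PID = True
+if amfi_value & 0x2:
+self.AMFI_ALLOW_INVALID_SIGNATURE = True
+if amfi_value & 0x4:
+self.AMFI_LV_ENFORCE_THIRD_PARTY = True
+if amfi_value & 0x80:
+self.AMFI_ALLOW_EVERYTHING = True
+self.SKIP_LIBRARY_VALIDATION = True
+self.AMFI_ALLOW_INVALID_SIGNATURE = True
+def parse_amfi_boot_args(self):
+for arg in self.boot_args:
+if arg.startswith("amfi_unrestrict_task_for_pid"):
+value = arg.split("=")
+if len(value) == 2:
+if value[1] in ["0x1", "1"]:
+self.AMFI_ALLOW_TASK_FOR_PID = True
+elif arg.startswith("amfi_allow_any_signature"):
+value = arg.split("=")
+if len(value) == 2:
+if value[1] in ["0x1", "1"]:
+self.AMFI_ALLOW_INVALID_SIGNATURE = True
+elif arg.startswith("amfi_get_out_of_my_way"):
+value = arg.split("=")
+if len(value) == 2:
+if value[1] in ["0x1", "1"]:
+self.AMFI_ALLOW_EVERYTHING = True
+self.SKIP_LIBRARY_VALIDATION = True
+self.AMFI_ALLOW_INVALID_SIGNATURE = True
+def parse_oclp_configuration(self):
+if "-allow_amfi" in self.oclp_args:
+self.SKIP_LIBRARY_VALIDATION = True
+def check_config(self, level):
+# Levels:
+# - 1. Library Validation (Monterey and Older)
+# - 2. Library Validation and Signature Checks (Ventura and Newer)
+if level > 2 or level < 1:
+raise ValueError("Invalid AMFI Configuration Level")
+if level == 1:
+return self.SKIP_LIBRARY_VALIDATION
+if level == 2:
+return bool(self.SKIP_LIBRARY_VALIDATION and self.AMFI_ALLOW_INVALID_SIGNATURE)
+return False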
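Review bot: `parse_amfi_bitmask` wraps the `amfi=` parsing in a bare `except:` that returns silently, so any failure, not only a malformed number, leaves every flag False and `check_config` then reports the relaxed configuration as absent with no trace. Narrow it to `except ValueError:` and consider logging the rejected value. As far as this file shows, the class only reads `boot-args` and `OCLP-Settings` from NVRAM, which records what was requested rather than what the running kernel actually applied; a comment on `check_config` such as `# Reflects NVRAM settings only; does not confirm the kernel patches took effect` would stop callers from treating the result as proof. `AMFI_LV_ENFORCE_THIRD_PARTY` is set but never read in this file.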


@@ -995,7 +995,7 @@ class BuildOpenCore:
self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = utilities.string_to_hex(self.constants.custom_sip_value.lstrip("0x")) self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = utilities.string_to_hex(self.constants.custom_sip_value.lstrip("0x"))
elif self.constants.sip_status is False: elif self.constants.sip_status is False:
print("- Set SIP to allow Root Volume patching") print("- Set SIP to allow Root Volume patching")
self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = binascii.unhexlify("030A0000") self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = binascii.unhexlify("03080000")
# if self.constants.amfi_status is False: # if self.constants.amfi_status is False:
# print("- Disabling AMFI") # print("- Disabling AMFI")
@@ -1004,8 +1004,9 @@ class BuildOpenCore:
print("- Disabling Library Validation") print("- Disabling Library Validation")
# In Ventura, LV patch broke. For now, add AMFI arg # In Ventura, LV patch broke. For now, add AMFI arg
# Before merging into mainline, this needs to be resolved # Before merging into mainline, this needs to be resolved
# self.get_item_by_kv(self.config["Kernel"]["Patch"], "Comment", "Disable Library Validation Enforcement")["Enabled"] = True self.get_item_by_kv(self.config["Kernel"]["Patch"], "Comment", "Disable Library Validation Enforcement")["Enabled"] = True
self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " amfi_get_out_of_my_way=0x1" self.get_item_by_kv(self.config["Kernel"]["Patch"], "Comment", "Disable _csr_check() in _vnode_check_signature")["Enabled"] = True
self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " amfi=0x2"
self.config["NVRAM"]["Add"]["4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102"]["OCLP-Settings"] += " -allow_amfi" self.config["NVRAM"]["Add"]["4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102"]["OCLP-Settings"] += " -allow_amfi"
# CSLVFixup simply patches out __RESTRICT and __restrict out of the Music.app Binary # CSLVFixup simply patches out __RESTRICT and __restrict out of the Music.app Binary
# Ref: https://pewpewthespells.com/blog/blocking_code_injection_on_ios_and_os_x.html # Ref: https://pewpewthespells.com/blog/blocking_code_injection_on_ios_and_os_x.html
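Review bot: The ` amfi=0x2` boot-arg in the second hunk is appended for every OS the built config will boot, while the `_csr_check()` patch it accompanies is limited to `MinKernel` 22.0.0, and amfi_detect.py maps 0x2 to AMFI_ALLOW_INVALID_SIGNATURE and only requires it at level 2 (Ventura and newer). Unless the enclosing condition, which starts outside this hunk, is already Ventura-specific, older systems get signature enforcement relaxed without needing it; either gate the boot-arg on the target OS or record why it is global. The two comment lines above (`# In Ventura, LV patch broke. For now, add AMFI arg` and `# Before merging into mainline, this needs to be resolved`) now describe the removed workaround and should be replaced, for example with `# Ventura: LV patch plus _csr_check() patch; amfi=0x2 allows invalid signatures`.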


@@ -173,7 +173,7 @@ Note: For security reasons, OpenShell will be disabled when Vault is set.
print( print(
f"""SIP is used to ensure proper security measures are set, f"""SIP is used to ensure proper security measures are set,
however to patch the root volume this must be lowered partially. however to patch the root volume this must be lowered partially.
Only disable is absolutely necessary. SIP value = 0xA03 Only disable is absolutely necessary. SIP value = 0x803
Valid options: Valid options:
@@ -819,7 +819,7 @@ Note: This option should only be flipped under the following circumstances:
print( print(
""" """
By default OCLP will use the SIP value of 0x00 as the enabled and By default OCLP will use the SIP value of 0x00 as the enabled and
0xA03 for machines that require root patching. For users who wish 0x803 for machines that require root patching. For users who wish
to flip additional bits in SIP may use this option. to flip additional bits in SIP may use this option.
To disable SIP outright, set it to 0xFEF To disable SIP outright, set it to 0xFEF


@@ -125,8 +125,6 @@ class generate_defaults:
if "-v" in (utilities.get_nvram("boot-args") or ""): if "-v" in (utilities.get_nvram("boot-args") or ""):
settings.verbose_debug = True settings.verbose_debug = True
if utilities.amfi_status() is False:
settings.amfi_status = False
if model in ["MacBookPro8,2", "MacBookPro8,3"]: if model in ["MacBookPro8,2", "MacBookPro8,3"]:
# Users disabling TS2 most likely have a faulty dGPU # Users disabling TS2 most likely have a faulty dGPU


@@ -225,12 +225,18 @@ class detect_root_patch:
def check_sip(self): def check_sip(self):
if self.constants.detected_os > os_data.os_data.catalina: if self.constants.detected_os > os_data.os_data.catalina:
if self.nvidia_web is True or self.constants.detected_os >= os_data.os_data.ventura: if self.nvidia_web is True:
sip = sip_data.system_integrity_protection.root_patch_sip_big_sur_3rd_part_kexts sip = sip_data.system_integrity_protection.root_patch_sip_big_sur_3rd_part_kexts
sip_hex = "0xA03" sip_hex = "0xA03"
sip_value = ( sip_value = (
f"For Hackintoshes, please set csr-active-config to '030A0000' ({sip_hex})\nFor non-OpenCore Macs, please run 'csrutil disable' and \n'csrutil authenticated-root disable' in RecoveryOS" f"For Hackintoshes, please set csr-active-config to '030A0000' ({sip_hex})\nFor non-OpenCore Macs, please run 'csrutil disable' and \n'csrutil authenticated-root disable' in RecoveryOS"
) )
elif self.constants.detected_os >= os_data.os_data.ventura:
sip = sip_data.system_integrity_protection.root_patch_sip_ventura
sip_hex = "0x803"
sip_value = (
f"For Hackintoshes, please set csr-active-config to '03080000' ({sip_hex})\nFor non-OpenCore Macs, please run 'csrutil disable' and \n'csrutil authenticated-root disable' in RecoveryOS"
)
else: else:
sip = sip_data.system_integrity_protection.root_patch_sip_big_sur sip = sip_data.system_integrity_protection.root_patch_sip_big_sur
sip_hex = "0x802" sip_hex = "0x802"
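Review bot: The new Ventura branch reuses the advice to run `csrutil disable` and `csrutil authenticated-root disable` for non-OpenCore Macs, which to my knowledge clears more SIP bits than the three listed in `root_patch_sip_ventura`; the message should say that this lowers SIP further than the 0x803 actually required, so users can make an informed choice. `sip_hex = "0x803"` and the `'03080000'` byte string are also hand-written next to the list they describe and can drift from it; computing both from the list's bit values would avoid that. Because `nvidia_web` is tested first, a Ventura machine with that flag is still held to 0xA03 while the build step writes `03080000` by default, which may be intended but is worth a comment. `check_sip` continues outside the hunk.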


@@ -15,7 +15,7 @@ import atexit
import requests import requests
import shutil import shutil
from resources import constants, ioreg from resources import constants, ioreg, amfi_detect
from data import sip_data, os_data from data import sip_data, os_data
@@ -150,26 +150,6 @@ def enable_sleep_after_running():
sleep_process.kill() sleep_process.kill()
sleep_process = None sleep_process = None
def amfi_status(fully_disabled=False):
amfi_args = [
"amfi_get_out_of_my_way=0x1",
"amfi_get_out_of_my_way=1",
"amfi=128",
]
if fully_disabled is False:
# Library Validation based patch
oclp_guid = get_nvram("OCLP-Settings", "4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102", decode=True)
if oclp_guid:
if "-allow_amfi" in oclp_guid:
return False
boot_args = get_nvram("boot-args", decode=True)
if boot_args:
for arg in amfi_args:
if arg in boot_args:
return False
return True
def check_kext_loaded(kext_name, os_version): def check_kext_loaded(kext_name, os_version):
if os_version > os_data.os_data.catalina: if os_version > os_data.os_data.catalina:
@@ -278,10 +258,10 @@ def patching_status(os_sip, os):
gen7_kext = "/System/Library/Extension/AppleIntelHD3000Graphics.kext" gen7_kext = "/System/Library/Extension/AppleIntelHD3000Graphics.kext"
if os > os_data.os_data.catalina: if os > os_data.os_data.catalina:
requires_full_amfi = False amfi_level = 1
if os >= os_data.os_data.ventura: if os >= os_data.os_data.ventura:
requires_full_amfi = True amfi_level = 2
amfi_enabled = amfi_status(fully_disabled=requires_full_amfi) amfi_enabled = not amfi_detect.amfi_configuration_detection().check_config(amfi_level)
else: else:
# Catalina and older supports individually disabling Library Validation # Catalina and older supports individually disabling Library Validation
amfi_enabled = False amfi_enabled = False
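Review bot: Adding `amfi_detect` to the `from resources import ...` line in the first hunk creates an import cycle, because resources/amfi_detect.py itself does `from resources import utilities` and this file appears to be that module. It works only while neither module uses the other at import time; a function-local import inside `patching_status`, or passing the NVRAM reader into `amfi_configuration_detection`, would remove the cycle. In the last hunk, `amfi_enabled = not amfi_detect.amfi_configuration_detection().check_config(amfi_level)` inverts a "protections are relaxed" result into an "enabled" flag, so a short comment such as `# check_config() is True when AMFI is relaxed enough for this OS` would make the polarity explicit. `patching_status` starts and ends outside the hunk.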