Efi Hack
My original goal when I started poking around Apple’s EFI implementation was to find a way to reset a MacBook’s firmware password. My preliminary research found references to a “magical” SCBO file that could be loaded onto a USB flash drive and booted to remove the password.
The normal process workflow is to first contact Apple support. Since I don’t have the original sales receipt of this specific Mac, I assume this option isn’t possible, since anyone with a stolen Mac could get the password reset. Things got more interesting when I found a website that allegedly sold the SCBO files – just send them the necessary hash (more on this later), pay USD100, and get a working SCBO file in return. There are (in Portuguese but you can watch the whole process) of people claiming this works, and even some claims about an universal SCBO that unlocks multiple Macs.Since there was (stil holds true) virtually no information about the SCBO contents, this aroused my curiosity but I never followed up until now. Upon my return from SyScan360 Singapore, I needed a new research direction to kickstart my brain back into work, and this fit the bill.The core question I wanted to answer was if it was really possible for someone to build a SCBO file key generator. If this were true, it would imply that Apple’s EFI contains a significant vulnerability. Understanding how SCBO files work in the first place was also intriguing.
So let’s start another EFI reversing engineering adventureAt the time I could only find a single SCBO file on the Internet, which is bad (impossible to visualise differences between files) but better than no file at all. The sample file can be downloaded here.(SHA256(SCBOoriginal)= fad3ea1c8ffa710c243957cc834ac1427af0ea19503d9fc7839626f6cac4398b). This picture shows us the full contents of the sample file. The SCBO string is clearly visible in the first four bytes, which is a magic number ( 0x4F424353). A couple of bytes later and we see another string. It appears to be some kind of serial number. This information can be verified because part of this string can be found in the motherboard of each Mac (my sample is only composed of MacBooks but I guess iMacs and others will contain the same information).
The rest of the string and binary data that follows are unknown for now. The total file length is 324 bytes. How are the SCBO files generated?As previously mentioned, Apple support is able to generate these files after you provide some key information. To obtain the necessary information, you must hold SHIFT + CONTROL + OPTION + COMMAND + S on the firmware password prompt screen and a string will be generated. This is the string Apple support needs, and this is the same string we see inside the SCBO file.
The first digits are the machine serialnumber as previously described, and the last sixteen digits are a nonce value regenerated every time the firmware password is set, removed, or modified. I know this because I had already reversed Apple’s Firmware Password Utility and observed its communications with the kernel extensions that set the EFI NVRAM variables. Now that we know a bit more about its contents, can the sample SCBO be modified and reused to reset any other Mac’s firmware password?The answer is no. If we set a firmware password on a test Mac, generate the necessary string, and modify the SCBO accordingly, nothing will happen. The computer will process the file and reset the system, but the password isn’t reset.This provides us with another bit of information – that there is some kind of integrity check on the SCBO contents. It would be a surprise if this kind of check wasn’t implemented and anyone could modify the SCBO contents.So if this is true then how is someone selling what appear to be fully working SCBO files? We need to dig deeper and reverse the EFI code responsible for processing this file.And now let’s start the real reverse engineering fun!The first thing we need to do is to extract all the EFI binaries either from a flash chip dump that holds EFI contents or from a SCAP file found in EFI updates (for unknown reasons the fd format is also used for some Macs).I maintain an up-to-date Apple, which you can use to easily download EFI updates or verify the contents of your EFI flash if you fear nation states are attacking you.
The great can easily extract contents from dumps and SCAP (to mass extract all the files use UEFIExtract utility instead). You will need UEFITool’s newengine branch if you want support for NVRAM partition contents (which is super useful feature, thanks Nikolaj!).The target Mac used on this post is a MacBook Pro 8,2 and the files were all extracted from this firmware update file, MBP8100472CBLOCKED.scap. You can use other firmware files – the GUIDs will still be the same but addresses and some content might differ.With the payload extracted we can finally try to find where to start reversing. The initial best clue is the magic value from the SCBO file, since it should be checked somewhere in the code. My favorite tool for this type of task is aka binary grep.
It allows us to grep files for specific byte sequences, an extremely useful feature to locate binary data. The bytes we want to grep for are 5343424F, the SCBO magic value. If you want to grep for strings please remember that most strings in EFI binaries are Unicode (two bytes wide).There is only a single hit, a DXE phase binary with GUID 9EBA2D25-BBE3-4AC2-A2C6-CC. In (U)EFI world there are no filenames, everything is referenced by a 128 bits GUID. This means that we have a good entrypoint into this problem and now need to reverse backwards to understand what this function is trying to accomplish and how is it called. What is the procedure to use the SCBO file?To assist our reversing engineering effort it is important to collect as much data as possible about our target works.
The following describes how to use the SCBO file to reset the firmware password:. Format a Flash drive GUID partition scheme and Mac OS Extended format. The.SCBO filename that is copied into the flash drive is referenced in the strings, althought IDA is unable to find any string references to it (IDA bug? Most probably!).Reversing (U)EFI binaries is quite annoying because every external function is a function pointer, so the disassembly output is not very clear and needs some assistance to improve it. Snare created, a set of scripts that improve the disassembly output by trying to rename function pointers, offsets, and structures. Because I wanted a couple of more features than it provides and I’m not a Python fan I ended up creating my own IDA C plugin for this task called.It does extra things like commenting the known functions with their prototype and documentation, generate some statistics, and extract information about installed and used protocols into a database. This makes it very easy to find out which binaries are installing and using a certain protocol, avoiding tons of binary grep’ing and wasted time finding which module implements a protocol.The next picture shows the start function as IDA disassembles without any plugin help.
With improved disassembly output we can proceed to try to understand what happens with the SCBO file.Because reverse engineering is more of an art and less of a science, I’ll start by telling you what happens and then walk you through how it happens.What happens is that an event notification is installed by this EFI binary. When a USB flash drive is inserted, it triggers the notification and a callback is executed.One of the callback tasks is to try to read the SCBO file from the flash drive and verify if its format is correct (checking the magic number, etc). If the SCBO contents appear correct then a new EFI NVRAM variable will be set,.SCBO0000 using GUID 5D62B28D-6ED2-40B4-A560-6CD79B93D366. This GUID can also be found in the Firmware Password Utility. This GUID is not unique to this variable and it is used for other variables, e.g.
The variable can be observed in NVRAM when a new password is set, changed, or removed by Firmware Password Utility. If the.SCBO0000 variable is set succcessfully then the system will be reset via ResetSystem service.The event notification code can be found at start. The following code snippet is responsible for creating the event.
The code above is responsible for opening the USB flash drive volume so it can read its contents. In this particular case we need to check the layout of the EFISIMPLEFILESYSTEMPROTOCOLGUID protocol so we understand what each function pointer of the protocol is doing.
Usually I grep to find the protocols, even if the EDK2 specification is more advanced than Apple’s EFI fork (the AMIBios source leak is also a good place to search, in particular code that is outside of EDK2 such as power management). The following snippet shows the EFISIMPLEFILESYSTEMPROTOCOL structure. We can observe that EFIFILEPROTOCOL supports the basic functions we need to read and write files on a filesystem. The staggering amount of protocols are a bit annoying to the reverser, but after a while we start appreciating some elegant parts of (U)EFI’s design.The previously posted disassembly snippet first tries to open the root volume, and if it succeeds uses the returned handle to try to open the.SCBO file from the USB flash drive volume. If it manages to open the file, it uses the GetInfo function from the EFIFILEPROTOCOL to find the file size, then allocate the necessary memory, and finally read its contents into the allocated buffer.
We can observe in the above code snippet the first 12 bytes being read, and then the verification of header structure. The SCBO file supports multiple units of data, meaning that a single USB flash drive could potentially reset the password of more than one Mac.
Efi Hack Pc
This may be pretty useful for a system administrator that has to reset many Macs. This could explain the rumored “universal” reset SCBO, which could be a file with multiple units – this is just pure speculation since that file isn’t public.
The rest of the function resets the file position back to the beginning and reads the whole SCBO contents into a previously allocated memory buffer.If the SCBO contents were read successfully, the next step is to call a function from another protocol that will verify if the Mac’s serial number and current nonce match the contents of the SCBO file. Remember that the nonce is rotated every time the firmware password is modified. Now we understand a bit more how the SCBO feature works.If the SCBO file contents match the current Mac, a new variable is set and the computer is rebooted before any other operations. This means that there will be another EFI binary reading and processing the new variable. The current binary is only responsible for reading the SCBO file and doing basic integrity verification but it has no capabilities to remove the firmware password.
This feature is reserved to the 818544B5-1B9D-4E7B-8F7D-835AAEAF3B5C binary.The.SCBO0000 variable can be seen in the following firmware dump. If you look at the body size of this variable it’s 312 bytes, the expected value. This ends the reversing process regarding 9EBA2D25-BBE3-4AC2-A2C6-CC binary. We now know what it does and we can move to the really interesting binary.Before starting to reverse the new binary let’s first understand how the firmware password feature is implemented.Two years ago I reversed the Firmware Password Utility and built a small EFI password bruteforcer based on that work. My work helped me determine that the EFI variable that contains the firmware password information is CBF2CC32. The password is stored as a Message Autentication Code (MAC) using SHA256, with a variable number of rounds.
Bruteforcing the firmware password is useless for any password longer than four digits, since the high number of rounds makes it impossible within a reasonable time frame. The following structure can describe the variable contents. If you try to patch this function to always return zero, pack it again into a firmware dump, and reflash it, then any firmware password will be accepted.
This means we are on the right track.Now I’m just rewriting the story, because what I initially did before starting to reverse everything was to use Trammell’s infinite loop trick on each function of 75FAB4B4-6AC1-429A-A000-6B0B95E71CA1 protocol, and after finding the interesting ones I patched them to return zero and found out which function verifies the password, the first one from the protocol.The sub10000704 protocol function will retrieve the CBF2CC32 variable, generate the hash from the user-inserted password and compare with the information in the variable. SHA1, SHA256 and SHA512 constants can be found at the 818544B5-1B9D-4E7B-8F7D-835AAEAF3B5C binary.If you have a SPI flasher and want to remove an Apple EFI firmware password, what you need to do is to dump the flash contents, remove the CBF2CC32 variable (you just need to flip a single bit on its name for example), and reflash the modified firmware. Or just locate the variable and erase or modify it directly without reflashing the whole contents.There is also another way to do this. The 3E6D568B variable is special because if you remove it, the NVRAM will be reset to a default state where the firmware password is not set anymore.So there you go: you don’t need to search any more web forums and buy some overpriced EFI password reset hardware. You only need a SPI flasher and a SOIC clip and you can do it yourself.If you look at all the remaining functions from this 75FAB4B4-6AC1-429A-A000-6B0B95E71CA1 protocol there is nothing related to SCBO except the one called by the 9EBA2D25-BBE3-4AC2-A2C6-CC binary that just verifies if the SCBO serial and nonce match the current Mac (Picture 15, offset 0x18, sub10000828).This means that the.SCBO0000 variable is being processed somewhere else. The answer is the sub10000314 function called in main (Picture 18).
This is the function that will process the variable and reset the NVRAM in case there is a problem with 3E6D568B variable as I just mentioned. The code that starts at address 0x100003CD in the above screenshot deletes a couple of variables, including CBF2CC32 (the first one being cleared), and creates 3E6D568B again so the Mac doesn’t get stuck in a loop of doom. I labelled the function zeroEFIvariable but what it does is delete the variable by setting the DataSize parameter to zero.
From (U)EFI documentation “ a size of zero causes the variable to be deleted”.The next problem is how to track the code that processes the SCBO variable?Static analysis is not always easy on (U)EFI binaries because we have very limited ways to test hypothesis – each reflash takes around 5 to 8 mins if we want to patch code and see what happens. We also don’t have easy access to debuggers – JTAG debuggers for (U)EFI are expensive – some cost 6k USD or more.I already had reversed many parts of this large function and other functions it calls, but I was still having trouble finding the code that processes the SCBO variable contents, and I didn’t want to really reverse everything and/or keep using the slow patch and reflash method.This is when I had an idea!
How about creating an EFI emulator and debugger using the framework? I had a feeling this wouldn’t be extremely hard and time consuming because the EFI environment is self contained – for example no linkers and syscalls to emulate. I also knew that this binary was more or less isolated, only using a few Boot and RunTime services and very few external protocols. Since the total number of Boot and RunTime services are very small this meant that there wasn’t a lot of code to be emulated.And with a couple of days work the EFI DXE Emulator was born. To my surprise I was finally able to run and debug an EFI binary in userland, speeding the reverse engineering process up immensely and quickly providing insight to previously tricky code. I gave it a gdbinit-style UX and emulated some basic commands such as add breakpoints, step in and step out of calls, dump memory, set memory and registers, making it a very basic but extremely useful EFI debugger. It has some limitations (can’t change directly RIP or EFLAGS registers) due to Unicorn/QEMU JIT design but it is definitely usable for basic tasks.
I emulated the core Boot and RunTime services such as get and set variables, NVRAM area, allocate/copy/set memory, load additional images and install/locate new protocols. While far from feature and emulation complete this is a pretty useful tool that was a critical development on this and future (U)EFI projects.Once again let’s do this backwards and start with the conclusions. After I finished reversing this function I finally understood the SCBO feature. First the SCBO file structure can be described by the following data structures. The unknown binary data we initially saw is nothing but a 2048 bit RSA signature. Unless someone got hold of Apple’s private keys, there is no possibility of building a SCBO key generator.
So what is happening with all those videos and people claiming they were able to buy SCBO files from websites? My bet is that these guys somehow are able to submit illegitimate requests to Apple’s support system and then sell the SCBO files they receive for some nice fat profit. These could be insiders working at Apple support centers or even Apple itself. Only Apple has a real chance to investigate and track the source of these files. Another alternative is that there is a vulnerability I wasn’t yet able to find.
The code and design appear solid and I saw no obvious vulnerabilities.To verify this hypothesis outside EFI code I adapted some code I previously used to verify the signatures of SCAP firmware updates and voila, I was finally able to verify that the SCBO file I had was indeed a valid SCBO file signed by Apple and it wasn’t possible to modify it to run on other machines unless I patched some firmware code (which is useless since if you can patch firmware code, it would be easier to just reset the variables). Each raw file is 276 bytes meaning that the first 20 bytes are just some meaningless header.
We just need to remove those 20 bytes and we get the 256-byte public key. One important detail described by Trammell Hudson in his Thunderstrike presentation is that the key bytes are inverted.
If we want to use this public key in our own utilities, we need to reverse its bytes. Once again the keys aren’t directly extracted by a function – there is as usual a protocol that implements this feature. This protocol has GUID AC5E4829-A8FD-440B-AF33-9FFE013B12D8, and is installed by binary 8B24E4D4-C84C-4FFC-81E5-D3EACC3F08DD. There is no point in reversing the whole protocol; I saw that it was retrieving the Apple public keys and that’s it.To avoid emulating filesystem-related operations I simply enabled a Unicorn code hook and injected the correct public key. The public key used to verify the SCBO signature is the third one on Picture 33, with a SHA256 of 94218318fe5aaada2889bbd5f9789cf4afa15bd6eb7654ad66f1f199cf70f8ad (for the whole raw file as extracted by UEFITool).Another 32-byte buffer will be allocated to hold a SHA256 hash.
We will see later on that this buffer will hold the checksum of the first 56 bytes of the SCBO variable.Next is the extraction of the serial number from physical memory at address 0x0FFFFFF08. If you boot a Linux installation and use to read the physical memory you are able to read the Mac’s individual serial number (on older macOS versions you could also use AppleHWAccess.kext or DirectHW.kext to read the memory but they are now blacklisted on El Capitan and Sierra). The DataSize parameter ( R9 register at address 0x100024F8) is zero so the variable will be deleted from NVRAM.
This code once again shows that the EFI password feature is definitely implemented via the CBF2CC32 NVRAM variable.And that’s it. The SCBO mystery is finally solved and its format understood. With the precious assistance of my EFI DXE emulator and debugger I sped up the reverse engineering effort. The SCBO feature design is robust, and the only mystery I haven’t solved right now is how someone is apparently selling working SCBO files on the Internet. My bet is on insider access to Apple systems via Apple Support centers or something like that, but once again only Apple can really investigate the root cause.If you lost your firmware password you can now reset it yourself as long the SPI flash chip is not the new BGA type (newer Macs are using them but there is a sneaky debug port that can be used for this same purpose!). You just need a device to dump the flash chip, remove the variable and reflash the modified version, or directly remove the variable (I always prefer to full dump and reflash).Of course this information can be used by thieves selling stolen Macs, but given that there are already defeat devices being sold all over the web, this post does not reveal any previously-unknown secrets.I hope you enjoyed this post, and I also hope you are now interested in (U)EFI reversing.
It’s not as easy as userland or kernel reversing due to the lack of debuggers, but with some extra work those difficulties can be solved. For the moment I am not going to release the code for my EFI emulator. I am fed up with people stealing my code without giving proper attribution; recently I discovered a couple of cases of stolen code and even modified credits. It is really annoying when I demand nothing but credits and code licensing is pretty much liberal.Have fun,fG!P.S.:Thanks to Jeffrey Czerniak ( @geekable) for pre-publication editing.Update 1:Biases are part of being Human and knowing them doesn’t make you immune. Since I was looking for an excuse to use Unicorn I didn’t even bother to search for EFI emulators, which was good since it was heaps of fun to write my own and dominate Unicorn engine, something that will be very useful for other projects.EDK2 has an ( on how to install it), and there is also efiperun project.
I would expect them to run with Apple EFI binaries since basic services are the same. Need to give it a try. If you do that before me please update me how it went.Update 2:Where I refer to machine serial number I am talking about the motherboard’s serial number and not the one outside on the back. You have to open the Mac to access it.Update 3:If you bothered to read this from start to end you would understand that there is no way for an outsider to generate the codes to reset your Mac firmware.
So please stop sending me emails and comments asking for it.
Hackintosh running OS X YosemiteA Hackintosh (a of ' and '), is a computer that runs an ('macOS' or 'OS X') on not authorized for the purpose by Apple. 'Hackintoshing' began as a result of, away from. Since 2005, Mac computers use the same as many other desktop, and, meaning that in principle, the making up macOS/OS X systems and software can be run on alternative platforms with minimal compatibility issues. Benefits cited for 'Hackintoshing' can include cost (older, cheaper or commodity hardware), ease of repair and piecemeal upgrade, and freedom to use customized choices of components that are not available (or not available together) in the branded Apple products. MacOS can also be run on several non-Apple, although such systems are not usually described as Hackintoshes. Hackintosh laptops are sometimes referred to as 'Hackbooks'.Apple's for macOS only permits the software's use on computers that are 'Apple-branded.'
However, because modern Macintosh computers use, there are few limitations keeping the software from running on other types of Intel-based PCs. Notably, companies such as have attempted to release products using macOS on non-Apple machines, though many Hackintosh systems are designed solely by macOS enthusiasts of various. While the methods Apple uses to prevent macOS from being installed on non-Apple hardware are protected from commercial circumvention in the by the (DMCA), specific changes to the law regarding the concept of have placed circumvention methods like these into a.
This section contains. The purpose of Wikipedia is to present facts, not to train. Please help either by rewriting the how-to content or by it to,. ( September 2015)OS X Tiger (10.4) On June 6, 2005, Apple announced their plans to switch to processors at their and released a Developer Transition Kit to selected developers at a cost of $999 (equivalent to $1,310 in 2019). Efforts immediately began to attempt to run Mac OS X on non-Apple hardware, but developers quickly found themselves with an error message saying that the PC hardware configurations were not supported.On January 10, 2006, Apple released Mac OS X 10.4.4 with the first generation of Intel-based Macs, the iMac and the MacBook Pro. These machines used (EFI) platform firmware instead of the older style found on most x86 motherboards at the time. On February 14, 2006, an initial ' of Mac OS X v10.4.4 was released on the Internet by a programmer with the pseudonym crg92.
Within hours Apple released the 10.4.5 update, which was then hacked by the same author within two weeks. On April 3, 2006 Apple released their 10.4.6 update and again were released within two weeks that allowed users to install most of this update on non-Apple computers, although this did not include the updated kernel in 10.4.6. In June 2006, an updated patch was released for the 10.4.7 Mac OS X update for non-Apple computers using the 10.4.4 kernel.Up to the release of the 10.4.8 update, all OSx86 patches used the 10.4.4 kernel with the rest of the operating system at version 10.4.8.
However, the newer frameworks relied on the newer kernels and this led to users of 10.4.8 encountering many problems. Apple also started making more use of instructions on their hardware making it even more difficult for users with CPUs supporting only SSE2 (such as older ) to get a fully compatible system running. To solve this problem, hackers from the community released kernels where those instructions were emulated with equivalents, although this produced a performance penalty.Throughout the years, many ' were released for download over the Internet.
Hackintosh Efi Download
These distros were copies of the Mac OS X installer disc modified to include additional components necessary to make the OS run on the non-Apple hardware. A prominent member of the community, JaS, released many distros of Mac OS X Tiger containing patched kernels. Some other popular distros are iATKOS, Kalyway, iPC, iDeneb,.
Distros have fallen out of favour as the OSx86 community grew, as new bootloaders were developed that made it possible to use actual copies of the OS X Installer.OS X Leopard (10.5). Mac OS X v10.5 installing on a laptop computer.As early as Mac OS X v10.5 build 9A466 the community has maintained a version of Leopard that can run on non-Apple hardware. A hacker by the handle of BrazilMac created one of the earliest patching processes that made it convenient for users to install Mac OS X onto 3rd party hardware by using a legally obtained, retail version of Apple Mac OS X. This simplification made the BrazilMac patch and its later revisions quickly the most popular choice for many distros. Five of the most popular builds go by the name JaS, Kalyway, iATKOS, iPC and iDeneb - although more recently these builds are on the way out as the Boot-132 method (described below) gains popularity. However, all of these compilations rely on the work of kernel hackers made by Lorem (build 9A466), SynthetiX (builds 9A499, 9A527 and 9A559), ToH (builds 9A581, 9B13 and 9B18) and more recently a group calling themselves StageXNU (now called Voodoo) (Darwin 9.4.0).
Their contributions trickled down into the various Mac OSx86 installers, readily available on the Internet. They continue to be refined and updated builds released, not just to maintain compatibility with Apple releases but an ever-increasing number of third-party components. The OSx86 community has been quick to make the necessary modifications to enable Apple's latest releases to run on non-Apple hardware. Within hours of Leopard's release, an AMD/Intel SSE2/3 Kernel Patcher was created that removed the requirement from an original untouched machkernel file, a core component of the Mac OS.OS X Snow Leopard (10.6) When 'Snow Leopard' was released, Russian hacker netkas created a version of Chameleon that can boot Mac OS X v10.6.
The main problem was that many people were forced to modify DSDT or use kexts due to some specific issues. As soon as possible modbin and dmitrik released test versions of kernel that allow to boot Snow Leopard on AMD machines. Stable XNU kernels for v10.6 were released by Qoopz and Pcj. There are some popular builds based on Retail by the name Universal (Intel only), Hazard, and iAtkos.
Since v10.6.2 Nawcom, Qoopz, and Andy Vandijck have been working on Legacy kernel for unsupported CPUs.OS X Lion (10.7) When Apple released the Developer Preview 1, a Russian Hackintosh developer usr-sse2 was the first who created a method to install Lion. The method consists of deploying Mac OS X v10.7 image on a flash drive, and booting from it via XPC UEFI Bootloader (See below). After some changes were made to the Chameleon source code, it became possible to boot Lion with an updated version of Chameleon. After a while Dmitrik also known as Bronzovka had luck with creating a kernel that supported AMD systems; after a few months (10.7.3 V2 With AMD Support) and iAtkos L2 (10.7.2 Only Intel) were released.OS X Mountain Lion (10.8) Shortly after the release of Developer Preview 1, some unknown developers managed to install this version of OS X to their PC by using a modified version of the Chameleon Bootloader. This version was released via the main project starting at version r1997 to the general public. Due to the problems sourced during the Lion eraother ways of installing and required patches were never made public, which leaves the scene in an unknown state towards Mountain Lion.
Since the retail release of Mountain Lion several users have reported successful setups using installers purchased from the, along with updated versions of Chameleon and other tools including distros.Niresh's Distro (10.8 Intel only) was first released and then was updated to 10.8.2 (With AMD and Intel) and 10.8.5 (With UEFI Support, AMD and Intel Support) versions; iAtkos ML2 was released after Niresh's Release. OS X Mavericks (10.9) Multiple new kernels for Hackintosh 10.9 are in the works, although there still are minor issues with most of them. Most of these kernels aim to allow users to run Mavericks on AMD and older Intel CPUs, which lack certain instruction sets of the latest Intel CPUs. Significant efforts have been made to emulate instruction sets like, which are not present on AMD K10-based CPUs, and older Intel CPUs, like the Intel Core Duo.AMD's latest CPUs, from the ' architecture onwards, contain almost all the latest instruction sets, and hence, some kernels with full support have also been released. After two months, Niresh's Distro was released for Mavericks, which supports AMD CPUs and latest Intel CPUs. It also has a custom kernel that allows Intel Atom processors to boot into Mavericks.
Niresh's was the only free distro that was released for Mavericks, since the iAtkos Team decided to release their Mavericks distro for specific hardware on donation basis. OS X Yosemite (10.10) After the initial release of OS X Yosemite 10.10 BETA, various developers took on the role of updating their bootloaders for the system.
Members of OSx86 forum Insanelymac set to update the EFI Bootloader Chameleon for this new OS release. Some time later, Niresh (an independent OSx86 developer) released a standalone tool known as Yosemite Zone, which would automatically install the new OS and other various features on a non-Apple device with minimal input. This method consisted of an OS X 10.10 DMG onto a USB flash drive with MacPwn Vanilla Installation.
Unibeast was updated to support Yosemite, and a distribution of Yosemite Zone was released with AMD processor support.A vanilla installation of Yosemite is possible via Insanelymac's Pandora Box Beta 2.0 and UniBeast. This type installation uses as few kexts (drivers) as possible in addition to using an unaltered version of the OS X installation app, and is preferred over distributions.
OS X El Capitan (10.11) Both Clover and Chameleon were updated to be compatible with. Unibeast and MacPwn were updated to support El Capitan as well, since El Capitan, Unibeast (and Multibeast) use the Clover bootloader instead of Chimera (a Chameleon-based bootloader).macOS Sierra (10.12) Clover and Chameleon were updated to be compatible with. UniBeast, Pandora Box and MacPwn were updated to support it and a distribution of Sierra Zone (10.12.3) was released with AMD processor support.macOS High Sierra (10.13) Clover, MacPwn and UniBeast were updated to support it. A distro of High Sierra Zone by Hackintosh Zone (10.13) was released with AMD Processor support including Ryzen CPUs.macOS Mojave (10.14) Clover was updated to support Mojave with revision 4514. UniBeast also received Mojave support for -based machines.
A distro of Hackintosh Mojave by Hackintosh Zone (10.14) was released. Apple has also discontinued support for NVIDIA Web Drivers from the first release of macOS Mojave, to current.macOS Catalina (10.15).Apple does not authorize the use of Mac OS X on any x86 PC other than the ones it has developed itself. The company used technical means (although not the, or TPM, as has been widely mis-reported ), to tie Mac OS to the systems it distributed to developers after announcing its switch to Intel's chips.The macOS forbids installations of macOS on a 'non-Apple-branded computer'. On July 3, 2008, Apple filed a lawsuit against for violating this restriction, among other claims. Apple claimed Psystar 'violated the Digital Millennium Copyright Act (DMCA) by dodging copy-protection technologies Apple uses to protect Mac OS X.' Apple employs technological protection measures that effectively control access to Apple's copyrighted works.
Specifically, Apple charged Psystar with acquiring or creating code that 'avoids, bypasses, removes, descrambles, decrypts, deactivates or impairs a technological protection measure without Apple's authority for the purpose of gaining unauthorized access to Apple's copyrighted works.' This brief revealed that Apple considers the methods that it uses to prevent macOS from being installed on non-Apple hardware to be protected by the (DMCA).On November 13, 2009, the court granted Apple's motion for summary judgment and found Apple's copyrights were violated as well as the DMCA when Psystar installed Apple's operating system on non-Apple computers. A hearing on remedies was set for December 14.On January 14, 2009, the Gadget Lab site of Wired Magazine posted a video tutorial for installing Mac OS X on an MSI Wind netbook, but removed it following a complaint from Apple. Textual instructions remain, but include an EULA violation disclaimer.On May 15, 2012, the case vs.
The court ruled that Psystar had 'violated Apple's exclusive reproduction right, distribution right, and right to create derivative works,' putting an end to the case.Hacking approaches Kernel hacks When copies of Mac OS X Tiger started running on non-Apple hardware, it was found that some processors were unable to run the OS., a binary translator that made it possible to run PowerPC programs on Intel processors, (and later the kernel itself) required the support of the instruction set. To circumvent this, programmers in the community released patched kernels, which included support for emulating SSE3 instructions using equivalents.
In October 2005, Apple released update 10.4.3 to developers that required microprocessor support; however, patches were released to circumvent this as well. Patched kernels were also later released that supported AMD processors.When Mac OS X Leopard released on October 26, 2007, patches were created to remove the requirement from the kernel.
Efforts were also made to emulate the instruction set for processors that did not support it. The kernel used by OS X Mavericks made use of SSSE3 instructions, requiring those patches.Boot loaders and emulators EFI emulation (EFI) is a specification that defines a software interface between an operating system and platform firmware. Since this method generally does not require copying or modification of macOS, it is considered to be the legal way of installing macOS on non-Apple computers (despite being untested in courts). In early November 2007, a group of hackers (fronted by a Russian hacker known as Netkas), using an already modified Boot-132 source root from David Elliot (also known as dfe), developed a method of emulating an EFI environment using a specially modified Darwin bootloader.
In practical terms, this meant that regular PCs meeting a minimum set of hardware requirements could now be 'seen' as real Macintosh computers by the OS, allowing the use of unmodified, 'stock' Apple kernels (as long as the CPU supports it) and thus giving a more transparent and reliable operation. Several methods for real world deployment of this innovative solution have arisen around the Internet. An explanation of this achievement along with a usage guide was provided by the website DigitMemo.com.True EFI emulation was a highly sought after asset for the OSx86 community. Previous efforts based upon Apple's open source Darwin Project and Hackintosh gurus allowed users to use macOS on normal PCs, with patched kernels/kernel modules that simply bypassed EFI. Using the EFI patch, a Hackintosh could boot off ' (unmodified) macOS kernels and use vanilla kernel extensions. This not only allowed the system to be compatible with future system updates, but also offered increased stability. This method also circumvents one aspect of Apple's End User License Agreement, which states that the modification of non-Open Source components of the OS is forbidden.In mid-2008, a new commercial product, EFi-X, was released that claims to allow full, simple booting off official Leopard install disks, and a subsequent install, without any patching required, but this is possibly a repackaging of Boot-132 technology in a -attached device.
Is another commercial product that also seems to use Open Source software.It was thought that Windows 7's support of EFI would result in PC motherboards replacing BIOS with EFI. MSI announced the Efinity mainboard in early 2008. As of 2011, EFI-based computers have entered the market, however none can natively boot Mac OS X due to the lack of a driver in the EFI implementation.Boot-132 Boot-132 is a bootloader provided by Apple for loading the XNU kernel.
In mid-2008, a new modified BOOT-132 came on to the scene. This method allows users to conduct the Leopard-based OSx86 installation using a stock, retail-purchased copy of Mac OS X Leopard and eradicates the necessity of a hacked installation like JaS or Kalyway (mentioned previously). The Boot-132 bootloader essentially preloads an environment on the system from which Leopard can boot and operate. The bootloader stores the necessary files (kext files) in a.img collection or simply a folder. The luxury of this new installation method includes the ability to boot and install from a retail Leopard DVD and update straight from Apple without breaking the DMCA. The only possible problem here is that it breaks the macOS EULA.The bootloader behaves like the kernel: one can use an mboot-compatible (a patched was used for the hack) bootloader that tells boot-dfe about the.img file (the or, as it's known by Linux users), and boot-dfe will then use the kexts (or mkext) from it.
This new boot-dfe has been tested with the retail Leopard DVD, and it can boot, install, run Leopard without having to build a modified DVD.Chameleon Since the early developer builds of Mac OS X v10.6, members of the OSx86 community had been booting the new operating system using yet another bootloader called PC EFI provided by Russian hacker Netkas or the bootloader of the Voodoo team's Chameleon. Chameleon is based on David Elliot's Boot-132. The bootloader supports ACPI, SMBIOS, graphics, ethernet, and some other injections.
It allows to boot up macOS on non-Macintosh hardware. Chameleon supports a lot of AMD as well as Nvidia graphics cards. There are a lot of branches of it by different developers.
Hackintosh Efi Failed To Mount
Chameleon is currently in the 2.1 development state.Clover. This section does not any. Unsourced material may be challenged and.Find sources: – ( February 2018) FakeEFI was invented by David Elliot many years ago and operates on the assumption that EFI already did its work. It leaves activity traces (boot-args and tables tree) and EfiRuntime routines in a simple form in memory and starts the kernel machkernel.RealEFI theoretically should be flashed instead of the BIOS but alternatively a loadable EFI can be used for those with a BIOS motherboard. This system was invented by Intel and is currently in active open source development at. The bootloader is named DUET and it is capable of loading EFI but it is not designed to load Mac OS X, so, one more step was needed, adapt DUET to the requirements of Mac OS X. Also, newer motherboards already contain EFI but it is not suitable for running a Macintosh.Beginning in March 2011, Slice discussed his idea with other community members, resulting in the development of a bootloader that can do both: emulate an EFI firmware of one's choice or use a Real UEFI firmware to boot Mac OS X.Live DVD In March 2007, the OSx86 community made some significant progress with the development of a.
The Live DVD allows booting to a working system with Mac OS X v10.4.8.On January 2, 2009, InsanelyMac's Live DVD team published a new method by which a Mac OS X v10.5.x Live DVD could be produced, allowing users to boot a fully working macOS desktop from a DVD or USB flash drive. The method was more reliable than previous methods because it manipulated Apple's existing Netboot and Imageboot functionalities and behaved as if the system were running off a network disk. It was easier to produce; requiring only a single script to be added to an existing installation. Distributions of the live DVD have been made since its inception.
Since then, it is notable that this method has been shown to work on normal Apple Mac hardware.Virtual machine It is possible to run macOS as a inside other operating systems installed on standard PC hardware by using software such as (though this is not officially supported by Oracle ). It is also possible to install macOS on Windows and Linux versions of software through the use of patches, even though the company states it is only officially supported for VMware running on Apple-labeled computers in compliance with Apple's licensing policies. See also. About clones and emulators of various Macintosh models.
a list of Macintosh and other computer system emulators.References. David Ramsey. Archived from on 2011-07-07.
Retrieved 2010-10-10. Retrieved 2019-04-27.
21 April 2014. Retrieved 2015-01-06. ^ Apple Inc.
Retrieved 2010-09-02. Ars Technica.
Retrieved 2018-06-01. Retrieved 2018-06-01. Lynch, Jim. Retrieved 2018-06-01. ^ Keizer, Greg (2009-11-15). Retrieved November 15, 2009.
Retrieved 2018-06-01., Wikipedia, 2019-11-14, retrieved 2019-11-28. Apple Computer, Inc. Retrieved 2009-04-28. Marsal, Katie (June 23, 2005). Retrieved January 12, 2016. Jonathan Black (February 14, 2006). OSx86 Project.
Retrieved 2006-05-28. Apple Computer (February 14, 2006). Apple Computer. Retrieved 2006-05-28. sHARD (February 23, 2006). OSx86 Project.
Retrieved 2006-05-28. Apple Computer (April 3, 2006). Apple Computer. Retrieved 2006-05-28., Wikipedia, 2019-11-22, retrieved 2019-11-28., Wikipedia, 2019-11-27, retrieved 2019-11-28., Wikipedia, 2019-11-14, retrieved 2019-11-28. 4 December 2013. Retrieved 2011-04-24., Wikipedia, 2019-11-16, retrieved 2019-11-28. 14 August 2012.
Retrieved 2013-03-20. 25 July 2012.
Retrieved 2013-03-20. 15 April 2012. Retrieved 2013-04-20.
15 April 2012. Retrieved 2013-04-20., Wikipedia, 2019-11-27, retrieved 2019-11-28., Wikipedia, 2019-11-25, retrieved 2019-11-28. 9 November 2014. Retrieved 2014-11-21. 9 November 2014.
Retrieved 2014-11-21. 17 October 2014.
Retrieved 2016-11-07., Wikipedia, 2019-11-09, retrieved 2019-11-28., Wikipedia, 2019-11-09, retrieved 2019-11-28. Computer, Hackintosh (2016-08-20).
Hackintosh Computer. Retrieved 2016-11-17. 26 September 2016. Retrieved 2016-11-07. 23 March 2017. Retrieved 2017-03-23., Wikipedia, 2019-11-27, retrieved 2019-11-28. Computer, Hackintosh (2017-06-09).
Hackintosh Computer. Retrieved 2017-06-09. 24 October 2017. Retrieved 2017-10-24. 17 December 2017.
Retrieved 2017-12-17., Wikipedia, 2019-11-24, retrieved 2019-11-28. InsanelyMac Forum. Retrieved 2019-04-01.
Retrieved 2019-04-01. Retrieved 2019-09-03., Wikipedia, 2019-11-27, retrieved 2019-11-28.
Singh, Amit. Www.osxbook.com. 2009-10-16 at the. Fried, Ina (2008-07-15). Retrieved 2009-04-28.
Retrieved 2009-04-28. Keizer, Gregg (November 30, 2008). Retrieved 2009-10-07. Elmer-DeWitt, Philip (November 14, 2009). Archived from on March 30, 2010. Retrieved November 15, 2009.
Archived from on 2009-04-14. Retrieved 2009-04-28. Chen, Brian X. Archived from on 2012-02-29. Retrieved 2009-04-28. May 15, 2012. Retrieved 2012-07-22.
sHARD (October 16, 2005). OSx86 Money Project. Archived from on 2006-04-12. Retrieved 2006-05-28. Jonathan Black (October 30, 2005). OSx86 $$$ Project. Archived from on 2006-09-06.
Retrieved 2006-05-28. Retrieved 2009-04-28. Archived from on 2012-02-29. Retrieved 2007-11-16. Retrieved 2009-04-28.
Archived from on 2009-05-24. Retrieved 2009-04-28. Nguyen, Tuan (2009-09-08).
Retrieved 2010-12-29. Potty racers 3 new space missions hacked celebrity. Retrieved 2010-09-02. Retrieved 2009-05-12. Retrieved 2010-09-02.
Retrieved 2009-04-28. DrDonk (2019-08-30), retrieved 2019-08-30. Retrieved 2019-08-30. Retrieved 2018-06-01.
Comments are closed.