Guide :: Details Apple’s System Integrity Protection (SIP) for Hackintosh

In OS X El Capitan, Apple has implemented ‘rootless’ security, or System Integrity Protection (SIP).

Put simply, Apple restricts users from modifying the System, bin, usr, and sbin folders. Some of these folders are already hidden by default.

This locks down system folders and files against hacks and root attacks, keeping the system safer. For security, this is no bad thing. After all, who doesn’t want to use a computer that’s really secure?

There is a problem, and that problem is the Hackintosh. How does System Integrity Protection (SIP) affect the Hackintosh?

It has made things much harder for the Hackintosh community, requiring workarounds for established methods of installation and maintenance on PCs. It has become necessary to change SIP settings in order to use unsigned kexts and alter system kexts. These changes are implemented with the Clover EFI bootloader and the Enoch/Chameleon legacy bootloader.

Boot flag kext-dev-mode=1 is no longer required for OS X 10.11 El Capitan to load unsigned kexts.

SIP must be disabled when rebuilding the kernel cache on a Hackintosh. SIP must also be disabled in order to install anything to protected system folders. SIP can also be disabled partially, to allow unsigned kexts in the cache and installation to protected folders.

We will likely recommend that SIP be disabled from the beginning of the installation through the post-installation process. After everything is set and the system is booting successfully, SIP can be re-enabled.

Today, the only bootloaders that will inject kexts into the protected cache and adjust SIP settings are Clover and Enoch. You have to adjust csr-active-config in config.plist (Clover) and org.chameleon.plist (Enoch/Chameleon).

Available options for SIP are as follows:

1. csr-active-config 0x0 = SIP Enabled (Default)
2. csr-active-config 0x3 = SIP Partially Disabled (Loads unsigned kexts)
3. csr-active-config 0x67 = SIP Disabled completely

Clover config.plist:
Code:

    <key>RtVariables</key>
    <dict>
        <key>CsrActiveConfig</key>
        <string>0x3</string>
        <key>BooterConfig</key>
        <string>0x28</string>
    </dict>

Enoch/Chameleon org.chameleon.plist:
Code:

    <key>CsrActiveConfig</key>
    <string>3</string>
    <key>KernelBooter_kexts</key>
    <string>Yes</string>

How to disable SIP from Terminal (command prompt):
[Image: csrutil_enable_disable]

More available workarounds/options for SIP are as follows: csr-active-config

Behind the scenes, what is happening:
CsrConfig (0x01):

1 CSR_ALLOW_UNTRUSTED_KEXTS
0 CSR_ALLOW_UNRESTRICTED_FS
0 CSR_ALLOW_TASK_FOR_PID
0 CSR_ALLOW_KERNEL_DEBUGGER
0 CSR_ALLOW_APPLE_INTERNAL
0 CSR_ALLOW_UNRESTRICTED_DTRACE
0 CSR_ALLOW_UNRESTRICTED_NVRAM

CsrConfig (0x03):

1 CSR_ALLOW_UNTRUSTED_KEXTS
1 CSR_ALLOW_UNRESTRICTED_FS
1 CSR_ALLOW_TASK_FOR_PID
0 CSR_ALLOW_KERNEL_DEBUGGER
0 CSR_ALLOW_APPLE_INTERNAL
1 CSR_ALLOW_UNRESTRICTED_DTRACE
1 CSR_ALLOW_UNRESTRICTED_NVRAM

CsrConfig (0x67):

1 CSR_ALLOW_UNTRUSTED_KEXTS
0 CSR_ALLOW_UNRESTRICTED_FS
0 CSR_ALLOW_TASK_FOR_PID
0 CSR_ALLOW_KERNEL_DEBUGGER
0 CSR_ALLOW_APPLE_INTERNAL
0 CSR_ALLOW_UNRESTRICTED_DTRACE
0 CSR_ALLOW_UNRESTRICTED_NVRAM
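
A csr-active-config value is a bitmask, so any value can be decoded flag by flag, which is useful when auditing what a given bootloader setting actually switches off. The following is an added example, not code from the original guide: it reads CsrActiveConfig from a Clover config.plist and lists the flags that are set. It assumes the bit positions defined in Apple's XNU header bsd/sys/csr.h; the function names and the sample plist are constructed for illustration.

```python
import plistlib

# Bit positions assumed from Apple's XNU header bsd/sys/csr.h (not from this page).
CSR_FLAGS = {
    0x01: "CSR_ALLOW_UNTRUSTED_KEXTS",
    0x02: "CSR_ALLOW_UNRESTRICTED_FS",
    0x04: "CSR_ALLOW_TASK_FOR_PID",
    0x08: "CSR_ALLOW_KERNEL_DEBUGGER",
    0x10: "CSR_ALLOW_APPLE_INTERNAL",
    0x20: "CSR_ALLOW_UNRESTRICTED_DTRACE",
    0x40: "CSR_ALLOW_UNRESTRICTED_NVRAM",
}

def decode_csr(value):
    """Return (names of the flags set, leftover bits not listed in CSR_FLAGS)."""
    names = [name for bit, name in CSR_FLAGS.items() if value & bit]
    unknown = value & ~sum(CSR_FLAGS)
    return names, unknown

def clover_csr(plist_bytes):
    """Read RtVariables/CsrActiveConfig from a Clover config.plist; None if absent."""
    rt = plistlib.loads(plist_bytes).get("RtVariables", {})
    raw = rt.get("CsrActiveConfig")
    if raw is None:
        return None
    # The guide stores the value as a string such as "0x3"; an <integer> also works.
    return raw if isinstance(raw, int) else int(str(raw), 0)

# Constructed sample: the guide's RtVariables snippet wrapped in a complete plist.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>RtVariables</key>
  <dict>
    <key>CsrActiveConfig</key><string>0x3</string>
    <key>BooterConfig</key><string>0x28</string>
  </dict>
</dict></plist>"""

if __name__ == "__main__":
    for value in (clover_csr(SAMPLE), 0x0, 0x67):
        names, unknown = decode_csr(value)
        extra = f" (unlisted bits {unknown:#x})" if unknown else ""
        print(f"{value:#04x}: {', '.join(names) or 'no flags set, SIP enabled'}{extra}")
```
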

Special thanks to: Piker Alpha and BlackOSX.
