With fully disabled SIP including authenticated root (ARV), csr-active-config=w%08%00%00 is set in NVRAM, which corresponds to a value of 0x867 after boot.efi reads it (previously 0x67 on Catalina).

Knowing this, the new boot.efi patch is as follows:
- search for the CSR:IN string and find the procedure that references it
- find "and some_register1,0xffffffef" ("some_register1" changes depending on the build but refers to the value loaded from NVRAM; this line is what explains the csr-active-config "w" (0x77) changing to 0x67)
- find the next line, which should be "mov dword[some_register3],some_register1" (saves the result, where it will be eventually passed to the kernel)
- copy a nearby line that looks like "or byte[some_register2+6],0x8" (not honestly sure what this is for, but it's necessary -- presumably setting some flag in a structure which is checked later)
- copy the mov line and change it such that it's writing 0x867 rather than the previously read value
- overwrite the start of the function with those two lines and then ret
An example for DP1's boot.efi (file is also attached):
Code:
0x1f242: mov dword[rsi+0x498],0x867
or byte[rsi+6],0x8
ret
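To check the arithmetic behind the 0x77 -> 0x67 and 0x877 -> 0x867 values quoted above, here is an added example (not code from the post or from any patcher) that decodes a csr-active-config value in the %XX-escaped form the nvram tool prints, applies the same 0xffffffef mask boot.efi applies, and names the resulting bits. The flag names follow XNU's bsd/sys/csr.h; the sample inputs are constructed from the values in the post.

```python
import re

# CSR flag bits as defined in XNU's bsd/sys/csr.h
CSR_FLAGS = {
    0x001: "CSR_ALLOW_UNTRUSTED_KEXTS",
    0x002: "CSR_ALLOW_UNRESTRICTED_FS",
    0x004: "CSR_ALLOW_TASK_FOR_PID",
    0x008: "CSR_ALLOW_KERNEL_DEBUGGER",
    0x010: "CSR_ALLOW_APPLE_INTERNAL",
    0x020: "CSR_ALLOW_UNRESTRICTED_DTRACE",
    0x040: "CSR_ALLOW_UNRESTRICTED_NVRAM",
    0x080: "CSR_ALLOW_DEVICE_CONFIGURATION",
    0x100: "CSR_ALLOW_ANY_RECOVERY_OS",
    0x200: "CSR_ALLOW_UNAPPROVED_KEXTS",
    0x400: "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE",
    0x800: "CSR_ALLOW_UNAUTHENTICATED_ROOT",
}

# Bit boot.efi strips before the value reaches the kernel (the
# "and ...,0xffffffef" instruction in the post): 0x77 -> 0x67, 0x877 -> 0x867.
BOOT_EFI_MASK = 0xFFFFFFEF


def parse_nvram_value(text: str) -> bytes:
    """Decode the %XX-escaped form that nvram prints, e.g. 'w%08%00%00'."""
    return re.sub(rb"%([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  text.encode("ascii"))


def csr_raw(text: str) -> int:
    """Little-endian uint32 exactly as stored in NVRAM."""
    raw = parse_nvram_value(text)
    if len(raw) != 4:
        raise ValueError(f"csr-active-config should be 4 bytes, got {len(raw)}")
    return int.from_bytes(raw, "little")


def csr_effective(text: str) -> int:
    """Value after boot.efi's mask, i.e. what the kernel actually sees."""
    return csr_raw(text) & BOOT_EFI_MASK


def csr_flags(value: int) -> list:
    """Names of the set bits; bits outside csr.h are reported as hex."""
    names = [n for b, n in CSR_FLAGS.items() if value & b]
    unknown = value & ~sum(CSR_FLAGS)
    return names + ([f"unknown:0x{unknown:x}"] if unknown else [])


if __name__ == "__main__":
    for sample in ("w%08%00%00", "w%00%00%00"):  # constructed from the post
        eff = csr_effective(sample)
        print(f"{sample}: raw=0x{csr_raw(sample):x} effective=0x{eff:x}", csr_flags(eff))
```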
Most likely @dosdude1 and @parrotgeek1 may want this at some point for your patchers. One thing I noticed is that re-selecting the startup disk can cause boot.efi to be overwritten with the original copy -- probably a good idea to figure out where that "comes from" so it can be replaced as well, or automatically re-replace the file on shutdown. Otherwise, SIP may be randomly enabled after a while (I also had this issue on Cat).
Hope this is useful.