SJ_UnderWater
Tired of the -67050 (errSecCSReqFailed) error, or just want to try your hand at signing kexts? Worried Apple might remove support for hackintoshes soon? Gatebreak aims to solve these problems simply. The edit it performs is very simple and could be duplicated by anyone: change the code requirements embedded in kextutil, kextd, and kextcache so they allow root certificates other than Apple's, then re-sign those binaries with a Trusted certificate. While anyone could perform the edits, I'm offering my version, as the discoverer, as protected and fully secure. The installer pkg below includes two signed sub-packages which can be redistributed (intact) by anyone: the Gatebreak utilities installer which backs up the old binaries before replacing them, and the Gatebreak certificate authority's root certificate; and a special version of FakeSMC (patches available) which allows NVRAM overrides of any configuration property, including the FakeSMC plugins.
Security
The methods used to create the package were secure, and described in How to Make a Certificate Authority, but more generally the certificate chain was produced once on an air-gapped machine running the Snow Leopard Install CD. All USB drives were wiped and did not mount, then wiped again before files were moved out. The USB drives were never in the presence of the unencrypted private keys; the entire procedure was performed in memory inside of a ramdisk which was reclaimed before any drives were attached. The USB drives have been set aside for this purpose. Anyone interested in the Gatebreak certificate authority can visit http://www.gatebreak.org.
Technical Details
The critical part of modifying a binary is to ensure the replacement code is the same length as what it replaces, and we can use the code requirement language's synonyms to satisfy this. The original string is 178 bytes, which can be compressed directly to 151 bytes then reexpanded slightly back to 178 bytes after adding our additional anchor.
Before:
Code:
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[field.1.2.840.113635.100.6.1.18]
After:
Code:
((anchor apple generic and cert 1[field.1.2.840.113635.100.6.2.6]) or anchor trusted) and (cert leaf[field.1.2.840.113635.100.6.1.13] and cert 0[field.1.2.840.113635.100.6.1.18])
Installing
Because Gatekeeper itself has expanded in Mavericks, you will not only need to right-click Open the pkg, but also authenticate. There is also a friendlier solution which doesn't require a password. Next, ignore the "invalid certificate" warning. Note that it doesn't say "invalid signature" (because it's properly signed), but invalid certificate because the certificate isn't accepted by OS X (yet). After the Root is trusted, only the Gatekeeper check will remain.
Additional
As an aside to all this code signing, you might be interested in your running processes. This PHP shell script attempts to resolve all processes to their binaries and checks their signatures.
--edit
Gatebreak has been reissued with a new certificate authority and root certificate. Update existing systems by removing the previous root from the System keychain in Keychain Access, then installing. Please continue to report issues expeditiously.
--edit
Gatebreak for Yosemite is now available
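
An integrity check for the edit described under Technical Details, as an added example that is not part of the original post or of Gatebreak: it reproduces the 178/151/178 byte counts from the two quoted requirement strings and shows that a same-length edit leaves file size unchanged, so an audit has to read the embedded requirement itself. The function names and the sample byte blobs are constructed for illustration, and the code assumes the requirement is stored in the binary as a plain printable string.

```python
import re

# Requirement strings exactly as quoted under "Technical Details".
ORIGINAL = (b"anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6]"
            b" and certificate leaf[field.1.2.840.113635.100.6.1.13]"
            b" and certificate leaf[field.1.2.840.113635.100.6.1.18]")
PATCHED = (b"((anchor apple generic and cert 1[field.1.2.840.113635.100.6.2.6])"
           b" or anchor trusted) and (cert leaf[field.1.2.840.113635.100.6.1.13]"
           b" and cert 0[field.1.2.840.113635.100.6.1.18])")

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{20,}")  # candidate embedded C strings


def shortest_form(req):
    """Apply the synonyms the post relies on: certificate -> cert, leaf -> 0."""
    return req.replace(b"certificate", b"cert").replace(b"leaf", b"0")


def classify(req):
    """Label one embedded requirement string."""
    if req == ORIGINAL:
        return "apple-only"
    if b"anchor trusted" in req:
        return "accepts-trusted-anchor"
    return "unknown"


def audit(blob):
    """Return (offset, verdict, length) for each embedded requirement string."""
    return [(m.start(), classify(m.group()), len(m.group()))
            for m in PRINTABLE_RUN.finditer(blob) if b"anchor " in m.group()]


def make_sample(req):
    """Constructed stand-in for a binary's string table (not real kextutil bytes)."""
    return b"\xca\xfe\xba\xbe\x00kextutil\x00" + req + b"\x00usage: kextutil\x00"


CLEAN_SAMPLE = make_sample(ORIGINAL)
PATCHED_SAMPLE = make_sample(PATCHED)

if __name__ == "__main__":
    print(len(ORIGINAL), len(shortest_form(ORIGINAL)), len(PATCHED))
    for name, blob in (("clean", CLEAN_SAMPLE), ("patched", PATCHED_SAMPLE)):
        print(name, len(blob), audit(blob))
```

To audit a real file, pass its bytes to `audit()`; both samples have the same total size, which is why a size comparison alone does not reveal the change.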