initial commit, running config

EFI/OC/Tools/CreateVault/create_vault.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#  create_vault.sh
+#
+#
+#  Created by Rodion Shingarev on 13.04.19.
+#
+OCPath="$1"
+
+if [ "${OCPath}" = "" ]; then
+  echo "Usage ./create_vault.sh path/to/EFI/OC"
+  exit 1
+fi
+
+if [ ! -d "${OCPath}" ]; then
+  echo "Path $OCPath is missing!"
+  exit 1
+fi
+
+if [ ! -x /usr/bin/find ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/sed ] || [ ! -x /usr/bin/xxd ]; then
+  echo "Unix environment is broken!"
+  exit 1
+fi
+
+if [ ! -x /usr/libexec/PlistBuddy ]; then
+  echo "PlistBuddy is missing!"
+  exit 1
+fi
+
+if [ ! -x /usr/bin/shasum ]; then
+  echo "shasum is missing!"
+  exit 1
+fi
+
+abort() {
+  /bin/rm -rf vault.plist vault.sig /tmp/vault_hash
+  echo "Fatal error: ${1}!"
+  exit 1
+}
+
+echo "Chose ${OCPath} for hashing..."
+
+cd "${OCPath}" || abort "Failed to reach ${OCPath}"
+/bin/rm -rf vault.plist vault.sig || abort "Failed to cleanup"
+/usr/libexec/PlistBuddy -c "Add Version integer 1" vault.plist || abort "Failed to set vault.plist version"
+
+echo "Hashing files in ${OCPath}..."
+
+/usr/bin/find . -not -path '*/\.*' -type f \
+  \( ! -iname ".*" \) \
+  \( ! -iname "vault.*" \) \
+  \( ! -iname "OpenCore.efi" \) | while read fname; do
+  fname="${fname#"./"}"
+  wname="${fname//\//\\\\}"
+  shasum=$(/usr/bin/shasum -a 256 "${fname}") || abort "Failed to hash ${fname}"
+  sha=$(echo "$shasum" | /usr/bin/sed 's/^\([a-f0-9]\{64\}\).*/\1/') || abort "Illegit hashsum"
+  if [ "${#sha}" != 64 ] || [ "$(echo "$sha"| /usr/bin/sed 's/^[a-f0-9]*$//')"]; then
+    abort "Got invalid hash: ${sha}!"
+  fi
+
+  echo "${wname}: ${sha}"
+
+  echo "${sha}" | /usr/bin/xxd -r -p > /tmp/vault_hash || abort "Hashing failure"
+  /usr/libexec/PlistBuddy -c "Import Files:'${wname}' /tmp/vault_hash" vault.plist || abort "Failed to append vault.plist!"
+done
+
+/bin/rm -rf /tmp/vault_hash
+
+echo "All done!"
+exit 0

EFI/OC/Tools/CreateVault/sign.command

@@ -0,0 +1,81 @@
+#!/bin/sh
+
+abort() {
+  echo "Fatal error: ${1}!"
+  exit 1
+}
+
+if [ ! -x /usr/bin/dirname ] || [ ! -x /bin/chmod ] || [ ! -x /bin/mkdir ] || [ ! -x /usr/bin/openssl ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/strings ] || [ ! -x /usr/bin/grep ] || [ ! -x /usr/bin/cut ] || [ ! -x /bin/dd ] ; then
+  abort "Unix environment is broken!"
+fi
+
+cd "$(/usr/bin/dirname "$0")" || abort "Failed to enter working directory!"
+
+OCPath="$1"
+
+if [ "$OCPath" = "" ]; then
+  OCPath=../../EFI/OC
+fi
+
+KeyPath="${OCPath}/Keys"
+OCBin="${OCPath}/OpenCore.efi"
+RootCA="${KeyPath}/ca.pem"
+PrivKey="${KeyPath}/privatekey.cer"
+PubKey="${KeyPath}/vault.pub"
+
+if [ ! -d "${OCPath}" ]; then
+  abort "Path ${OCPath} is missing!"
+fi
+
+if [ ! -f "${OCBin}" ]; then
+  abort "OpenCore.efi is missing!"
+fi
+
+if [ ! -x ./RsaTool ] || [ ! -x ./create_vault.sh ]; then
+  if [ -f ./RsaTool ]; then
+    /bin/chmod a+x ./RsaTool || abort "Failed to set permission for RsaTool"
+  else
+    abort "Failed to find RsaTool!"
+  fi
+
+  if [ -f ./create_vault.sh ]; then
+    /bin/chmod a+x ./create_vault.sh || abort "Failed to set permission for create_vault.sh"
+  else
+    abort "Failed to find create_vault.sh!"
+  fi
+fi
+
+if [ ! -d "${KeyPath}" ]; then
+  /bin/mkdir -p "${KeyPath}" || abort "Failed to create path ${KeyPath}"
+fi
+
+./create_vault.sh "${OCPath}" || abort "create_vault.sh returns errors!"
+
+if [ ! -f "${RootCA}" ]; then
+  /usr/bin/openssl genrsa -out "${RootCA}" 2048 || abort "Failed to generate CA"
+  if [ -f "${PrivKey}" ]; then
+    echo "WARNING: Private key exists without CA"
+  fi
+fi
+
+/bin/rm -fP "${PrivKey}" || abort "Failed to remove ${PrivKey}"
+echo "Issuing a new private key..."
+/usr/bin/openssl req -new -x509 -key "${RootCA}" -out "${PrivKey}" -days 1825 -subj "/C=WO/L=127.0.0.1/O=Acidanthera/OU=Acidanthera OpenCore/CN=Greetings from Acidanthera and WWHC" || abort "Failed to issue private key!"
+
+/bin/rm -fP "${PubKey}" || abort "Failed to remove ${PubKey}"
+echo "Getting public key based off private key..."
+./RsaTool -cert "${PrivKey}" > "${PubKey}" || abort "Failed to get public key"
+
+echo "Signing ${OCBin}..."
+./RsaTool -sign "${OCPath}/vault.plist" "${OCPath}/vault.sig" "${PubKey}" || abort "Failed to patch ${PubKey}"
+
+echo "Bin-patching ${OCBin}..."
+off=$(($(/usr/bin/strings -a -t d "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/cut -f1 -d' ') + 16))
+if [ "${off}" -le 16 ]; then
+  abort "${OCBin} is borked"
+fi
+
+/bin/dd of="${OCBin}" if="${PubKey}" bs=1 seek="${off}" count=528 conv=notrunc || abort "Failed to bin-patch ${OCBin}"
+
+echo "All done!"
+exit 0

EFI/OC/Tools/LogoutHook/LogoutHook.command

@@ -0,0 +1,77 @@
+#!/bin/sh
+
+#
+# Copyright © 2019 Rodion Shingarev. All rights reserved.
+# Slight optimizations by PMheart and vit9696.
+#
+
+if [ ! -x /usr/bin/dirname ] || [ ! -x /usr/sbin/nvram ] || [ ! -x /usr/bin/grep ] || [ ! -x /bin/chmod ] || [ ! -x /usr/bin/sed ] || [ ! -x /usr/bin/base64 ] || [ ! -x /bin/rm ] || [ ! -x /bin/mkdir ] || [ ! -x /bin/cat ] || [ ! -x /bin/dd ] || [ ! -x /usr/bin/stat ] || [ ! -x /usr/libexec/PlistBuddy ] || [ ! -x /usr/sbin/ioreg ] || [ ! -x /usr/bin/xxd ] || [ ! -x /usr/sbin/diskutil ] || [ ! -x /bin/cp ] || [ ! -x /usr/bin/wc ] || [ ! -x /usr/bin/uuidgen ]; then
+  abort "Unix environment is broken!"
+fi
+
+thisDir="$(/usr/bin/dirname "${0}")"
+uuidDump="${thisDir}/$(/usr/bin/uuidgen)"
+if [ "${thisDir}/" = "${uuidDump}" ]; then
+  echo "uuidgen returns null!"
+  exit 1
+fi
+cd "${thisDir}" || abort "Failed to enter working directory!"
+
+abort() {
+  echo "Fatal error: ${1}"
+  /bin/rm -rf "${uuidDump}"
+  exit 1
+}
+
+nvram=/usr/sbin/nvram
+# FIXME: find an nvram key that is mandatory
+if [ -z "$("${nvram}" -x '4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:boot-path' | /usr/bin/grep 'xml')" ]; then
+  nvram="$(pwd)/nvram.mojave"
+  if [ ! -f "${nvram}" ]; then
+    abort "${nvram} does NOT exist!"
+  elif [ ! -x "${nvram}" ]; then
+    abort "${nvram} is not executable!"
+  fi
+fi
+
+getKey() {
+  local key="$1"
+  "${nvram}" -x "${key}" | /usr/bin/sed '/\<data\>/,/\<\/data\>/!d;//d' | /usr/bin/base64 --decode
+}
+
+/bin/rm -rf "${uuidDump}"
+/bin/mkdir "${uuidDump}" || abort "Failed to create dump directory!"
+cd "${uuidDump}"         || abort "Failed to enter dump directory!"
+
+"${nvram}" -xp > ./nvram1.plist || abort "Failed to dump nvram!"
+
+getKey '8BE4DF61-93CA-11D2-AA0D-00E098032B8C:Boot0080' > ./Boot0080
+if [ ! -z "$(/bin/cat ./Boot0080)" ]; then
+  getKey 'efi-boot-device-data' > efi-boot-device-data || abort "Failed to retrieve efi-boot-device-data!"
+  /bin/dd seek=24 if=efi-boot-device-data of=Boot0080 bs=1 count=$(/usr/bin/stat -f%z efi-boot-device-data)    || abort "Failed to fill Boot0080 with efi-boot-device-data!"
+  /usr/libexec/PlistBuddy -c "Import Add:8BE4DF61-93CA-11D2-AA0D-00E098032B8C:Boot0080 Boot0080" ./nvram.plist || abort "Failed to import Boot0080!"
+fi
+
+for key in BootOrder BootCurrent BootNext Boot008{1..3}; do
+  getKey "8BE4DF61-93CA-11D2-AA0D-00E098032B8C:${key}" > "${key}"
+  if [ ! -z "$(/bin/cat "${key}")" ]; then
+    /usr/libexec/PlistBuddy -c "Import Add:8BE4DF61-93CA-11D2-AA0D-00E098032B8C:${key} ${key}" ./nvram.plist || abort "Failed to import ${key} from 8BE4DF61-93CA-11D2-AA0D-00E098032B8C!"
+  fi
+done
+
+/usr/libexec/PlistBuddy -c "Add Version integer 1"                                       ./nvram.plist || abort "Failed to add Version!"
+/usr/libexec/PlistBuddy -c "Add Add:7C436110-AB2A-4BBB-A880-FE41995C9F82 dict"           ./nvram.plist || abort "Failed to add dict 7C436110-AB2A-4BBB-A880-FE41995C9F82"
+/usr/libexec/PlistBuddy -c "Merge nvram1.plist Add:7C436110-AB2A-4BBB-A880-FE41995C9F82" ./nvram.plist || abort "Failed to merge with nvram1.plist!"
+
+UUID="$("${nvram}" 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:boot-path | /usr/bin/sed 's/.*GPT,\([^,]*\),.*/\1/')"
+if [ "$(printf "${UUID}" | /usr/bin/wc -c)" -eq 36 ] && [ -z "$(echo "${UUID}" | /usr/bin/sed 's/[-0-9A-F]//g')" ]; then
+  /usr/sbin/diskutil mount "${UUID}" || abort "Failed to mount ${UUID}!"
+  /bin/cp ./nvram.plist "$(/usr/sbin/diskutil info "${UUID}" | /usr/bin/sed -n 's/.*Mount Point: *//p')" || abort "Failed to copy nvram.plist!"
+  /usr/sbin/diskutil unmount "${UUID}" || abort "Failed to unmount ${UUID}!"
+  /bin/rm -rf "${uuidDump}"
+  exit 0
+else
+  abort "Illegal UUID or unknown loader!"
+fi
+
+/bin/rm -rf "${uuidDump}"

EFI/OC/Tools/LogoutHook/README.md

@@ -0,0 +1,8 @@
+LogoutHook
+===========
+
+## Installation
+```sudo defaults write com.apple.loginwindow LogoutHook /path/to/LogoutHook.command```
+
+## Notes
+`LogoutHook.command` highly depends on macOS `nvram` utility supporting `-x` option, which is unavailable on 10.12 and below. (Our `nvram.mojave` somehow fixes that issue by invoking it instead of system one)

EFI/OC/Tools/Recovery/obtain_recovery.php

@@ -0,0 +1,218 @@
+<?php
+
+function run_query($headerQuery, $httpQuery, &$headers, &$output, $postvars='', $verbose=false) {
+	$ch = curl_init();
+
+	$headers = [];
+
+	curl_setopt($ch, CURLOPT_URL, $httpQuery);
+	curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
+	curl_setopt($ch, CURLOPT_TIMEOUT, 99999*60);
+
+	if (strlen($postvars) > 0) {
+		curl_setopt($ch, CURLOPT_POST, true);
+		curl_setopt($ch, CURLOPT_POSTFIELDS, $postvars);
+	}
+
+	if ($verbose) {
+		$f = tmpfile();
+		curl_setopt($ch, CURLOPT_VERBOSE, true);
+		curl_setopt($ch, CURLOPT_STDERR, $f);
+	}
+
+	$tofile = is_resource($output) && (get_resource_type($output) === 'stream' || get_resource_type($output) === 'file');
+
+	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+
+	if ($tofile)
+		curl_setopt($ch, CURLOPT_FILE, $output);
+
+	curl_setopt($ch, CURLOPT_HEADERFUNCTION, function($curl, $header) use (&$headers) {
+		$len = strlen($header);
+		$header = explode(':', $header, 2);
+		if (count($header) < 2) // ignore invalid headers
+			return $len;
+
+		$name = strtolower(trim($header[0]));
+		if (!array_key_exists($name, $headers))
+			$headers[$name] = [trim($header[1])];
+		else
+			$headers[$name][] = trim($header[1]);
+
+		return $len;
+	});
+
+
+	curl_setopt($ch, CURLOPT_HTTPHEADER, $headerQuery);
+
+	if ($tofile)
+		curl_exec($ch);
+	else
+		$output = curl_exec($ch);
+
+	curl_close($ch);
+
+	if ($verbose) {
+		fseek($f, 0);
+		echo fread($f, 32*1024);
+		fclose($f);
+	}
+}
+
+function dump_query($name, $headers, $output) {
+	print 'Performed: ' . $name . PHP_EOL;
+
+	foreach ($headers as $name => $value) {
+		print $name . ': ' . $value[0] . PHP_EOL;
+	}
+
+	print PHP_EOL . 'Output:' . PHP_EOL;
+	print $output . PHP_EOL;
+}
+
+function setup_session() {
+	$headersReq = [
+		'Host: osrecovery.apple.com',
+		'Connection: close',
+		'User-Agent: InternetRecovery/1.0'
+	];
+
+	$output = '';
+	$headers = [];
+
+	run_query($headersReq, 'http://osrecovery.apple.com/', $headers, $output);
+	dump_query('setup_session', $headers, $output);
+
+	$cookie = '';
+
+	foreach ($headers as $name => $value) {
+		if ($name == 'set-cookie') {
+			$cookie = explode(';', $value[0])[0];
+			break;
+		}
+	}
+
+	return $cookie;
+}
+
+function obtain_images($session, $board, $mlb, $diag = false) {
+	$headersReq = [
+		'Host: osrecovery.apple.com',
+		'Connection: close',
+		'User-Agent: InternetRecovery/1.0',
+		'Cookie: ' . $session,
+		'Content-Type: text/plain',
+		'Expect:'
+	];
+
+	$output = '';
+	$headers = [];
+
+	$postvars =
+		'cid=F4FDBCCF36190DD4' . PHP_EOL .
+		// MLB, board serial number
+		'sn=' . $mlb . PHP_EOL .
+		// board-id
+		'bid=' . $board . PHP_EOL .
+		'k=6E7D753C11E1F9652B99D3DB8C80A49E82143EA027CBA516E3E18B3A4FFDCD58' . PHP_EOL .
+		'fg=80F6E802A09B8B553202EE0D37AE64662ACFAF30B111E1984C01F64551BB7EFE'
+	;
+
+	$images = [ 'image' => [], 'chunklist' => [] ];
+
+	if ($diag) {
+	 run_query($headersReq, 'http://osrecovery.apple.com/InstallationPayload/Diagnostics', $headers, $output, $postvars);
+	} else {
+		run_query($headersReq, 'http://osrecovery.apple.com/InstallationPayload/RecoveryImage', $headers, $output, $postvars);
+	}
+	dump_query('obtain_images', $headers, $output);
+
+	$fields = explode("\n", $output);
+
+	foreach ($fields as $field) {
+		$pair = explode(': ', $field);
+		if (count($pair) != 2)
+			continue;
+
+		$name = $pair[0];
+		$value = $pair[1];
+
+		if ($name == 'AU')
+			$images['image']['link'] = $value;
+		else if ($name == 'AH')
+			$images['image']['hash'] = $value;
+		else if ($name == 'AT')
+			$images['image']['cookie'] = $value;
+		else if ($name == 'CU')
+			$images['chunklist']['link'] = $value;
+		else if ($name == 'CH')
+			$images['chunklist']['hash'] = $value;
+		else if ($name == 'CT')
+			$images['chunklist']['cookie'] = $value;
+	}
+
+	return $images;
+}
+
+function download_images($images, $diag = false) {
+	foreach ($images as $imagename => $imagefields) {
+		$headersReq = [
+			'Host: ' . parse_url($imagefields['link'], PHP_URL_HOST),
+			'Connection: close',
+			'User-Agent: InternetRecovery/1.0',
+			'Cookie: AssetToken=' . $imagefields['cookie']
+		];
+
+		if ($diag)
+			$type = 'Diagnostics';
+		else
+			$type = 'Recovery';
+
+		if ($imagename == 'image')
+			$filename = $type . 'Image.dmg';
+		else
+			$filename = $type . 'Image.chunklist';
+
+		$headers = [];
+		$output = fopen($filename, 'w+');
+
+		print $imagefields['link'] . ' ' . $filename . PHP_EOL;
+
+		run_query($headersReq, $imagefields['link'], $headers, $output);
+
+		fclose($output);
+	}
+}
+
+if ($argc < 2) {
+	print 'Usage: php obtain_recovery.php board-id [MLB] [--diag]' . PHP_EOL;
+	exit(1);
+}
+
+$board = $argv[1];
+$mlb   = '00000000000000000';
+$diag  = false;
+
+if ($argc > 2) {
+	if ($argv[2] == '--diag') {
+		$diag = true;
+	} else {
+		$mlb  = $argv[2];
+		$diag = $argc > 3 && $argv[3] == '--diag';
+	}
+}
+
+$sess = setup_session();
+if ($sess == '') {
+	print 'Failed to obtain session!' . PHP_EOL;
+	exit(1);
+}
+
+$images = obtain_images($sess, $board, $mlb, $diag);
+
+if (count($images['image']) == 0 || count($images['chunklist']) == 0) {
+	print 'Failed to obtain images!' . PHP_EOL;
+	exit(1);
+}
+
+download_images($images, $diag);

EFI/OC/Tools/Recovery/recovery_urls.txt

@@ -0,0 +1,25 @@
+Lion
+php obtain_recovery.php Mac-2E6FAB96566FE58C
+php obtain_recovery.php Mac-C3EC7CD22292981F
+
+Mountain Lion:
+php obtain_recovery.php Mac-7DF2A3B5E5D671ED
+
+Mavericks
+php obtain_recovery.php Mac-F60DEB81FF30ACF6
+
+Yosemite:
+php obtain_recovery.php Mac-E43C1C25D4880AD6
+
+El Capitan
+php obtain_recovery.php Mac-FFE5EF870D7BA81A
+
+Sierra
+php obtain_recovery.php Mac-B809C3757DA9BB8D
+
+High Sierra
+php obtain_recovery.php Mac-7BA5B2D9E42DDD94
+php obtain_recovery.php Mac-BE088AF8C5EB4FA2
+
+Mojave
+php obtain_recovery.php Mac-7BA5B2DFE22DDD8C