@Gabelbombe
Last active May 8, 2018 23:10
Bypass EFI / NVRAM lock settings in OSX 10.12~

OSX 10.12~ NVRAM Manipulation

Beginning with OS X 10.11 El Capitan, a security mechanism, System Integrity Protection (SIP), has been enforced; it can only be configured or turned off in the recovery environment (Recovery HD). In the normal environment, SIP cannot be reconfigured even with root privileges. Otherwise, SIP would be useless, since it could easily be turned off.

As many people may have already noticed, the SIP configuration is stored in NVRAM in a property called csr-active-config. Of course, users are not allowed to modify or delete the value of this property, since the only official way to configure SIP is the csrutil tool.

However, this restriction on certain NVRAM properties can be easily bypassed by patching AppleEFINVRAM.kext.

These patches can also be applied with Clover's KextPatch on a Hackintosh.

After patching AppleEFINVRAM, csr-active-config and other protected properties such as csr-data can be modified and deleted directly with the nvram tool, without specifying the GUID 7C436110-AB2A-4BBB-A880-FE41995C9F82. Also, the csrutil tool in 10.11 no longer complains that the operation must be performed in the Recovery environment when changing the SIP configuration, since the NVRAM set restriction has been taken care of.
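Since the whole SIP state lives in that one NVRAM variable, the defender-side check is to read csr-active-config back and decode it. The following Python is an added example, not code from the gist: it parses `nvram -p`-style output (name, tab, value, with non-printable bytes as %xx escapes), decodes csr-active-config as a little-endian 32-bit word and maps each set bit to the CSR_ALLOW_* flag name from xnu's bsd/sys/csr.h. The dump it ships with is constructed sample text; the value 0x77 in it is just a sample, not a claim about what csrutil writes.

```python
# Added example (not from the gist): decode `nvram -p` output and report which
# SIP protections csr-active-config has relaxed. The sample dump below is
# constructed; the flag bits are the CSR_ALLOW_* values from xnu's bsd/sys/csr.h.
from typing import Dict, List, Optional

CSR_FLAGS = {
    0x01: "CSR_ALLOW_UNTRUSTED_KEXTS",
    0x02: "CSR_ALLOW_UNRESTRICTED_FS",
    0x04: "CSR_ALLOW_TASK_FOR_PID",
    0x08: "CSR_ALLOW_KERNEL_DEBUGGER",
    0x10: "CSR_ALLOW_APPLE_INTERNAL",
    0x20: "CSR_ALLOW_UNRESTRICTED_DTRACE",
    0x40: "CSR_ALLOW_UNRESTRICTED_NVRAM",
    0x80: "CSR_ALLOW_DEVICE_CONFIGURATION",
}

# Constructed sample of `nvram -p` output: "name<TAB>value" per line, with
# non-printable bytes shown as %xx escapes, the way the nvram tool prints them.
SAMPLE_NVRAM_DUMP = (
    "SystemAudioVolume\t%80\n"
    "csr-active-config\t%77%00%00%00\n"
    "fmm-computer-name\tExampleMac\n"
)


def decode_nvram_value(raw: str) -> bytes:
    """Turn the %xx-escaped text that nvram prints back into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == "%" and i + 2 < len(raw):
            try:
                out.append(int(raw[i + 1:i + 3], 16))
                i += 3
                continue
            except ValueError:
                pass  # a literal '%' not followed by two hex digits
        out += raw[i].encode("utf-8")
        i += 1
    return bytes(out)


def parse_nvram_dump(text: str) -> Dict[str, bytes]:
    """Parse a dump into {variable name: raw bytes}; lines without a tab are skipped."""
    variables: Dict[str, bytes] = {}
    for line in text.splitlines():
        if "\t" not in line:
            continue
        name, raw = line.split("\t", 1)
        variables[name] = decode_nvram_value(raw)
    return variables


def csr_flags(value: bytes) -> List[str]:
    """Interpret csr-active-config (little-endian uint32) as the list of relaxed protections."""
    cfg = int.from_bytes(value[:4].ljust(4, b"\x00"), "little")
    return [name for bit, name in sorted(CSR_FLAGS.items()) if cfg & bit]


def sip_status(dump_text: str) -> dict:
    """Summarise SIP state from a dump. An absent or all-zero csr-active-config
    means SIP is fully enabled; every set bit is one protection switched off."""
    raw: Optional[bytes] = parse_nvram_dump(dump_text).get("csr-active-config")
    if raw is None:
        return {"present": False, "config": 0, "relaxed": [], "fully_enabled": True}
    cfg = int.from_bytes(raw[:4].ljust(4, b"\x00"), "little")
    return {"present": True, "config": cfg, "relaxed": csr_flags(raw),
            "fully_enabled": cfg == 0}


if __name__ == "__main__":
    import subprocess
    # On a Mac, read the live NVRAM; elsewhere fall back to the constructed sample.
    try:
        text = subprocess.run(["nvram", "-p"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_NVRAM_DUMP
    print(sip_status(text))
```

On a live system `csrutil status` gives the same answer from userland; the decoder is useful when all you have is an NVRAM dump collected from a host, or when you want the individual bits rather than the enabled/disabled summary.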

One last thing: these experiments are for test purposes ONLY; do not use them on your working machine, to avoid potential security issues. Just keep SIP in place, as it should be.

UPDATE: The patch has changed since 10.12.4 DP1 build 16E144f. Here are the details:

--- 10124_efinvram_org.txt 2017-01-28 18:38:17.000000000 +0800
+++ 10124_efinvram_patched.txt 2017-01-28 18:36:58.000000000 +0800
@@ -1,4 +1,4 @@
-AppleEFINVRAM:
+HackrEFINVRAM:
(__TEXT,__text) section
__ZN20AppleEFINVRAMGlobalsC1Ev:
00000000000011d0 55 pushq %rbp
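Review bot: the `AppleEFINVRAM:` to `HackrEFINVRAM:` change in this hunk is only the file-name label otool prints at the top of each dump, not a change inside the binary; either diff two dumps taken from files with the same name or say in the prose that this header difference is cosmetic, so readers do not go looking for a rename in the code. Whatever the patched file is called, its bytes no longer match Apple's signed kext, so `codesign -v` on the modified bundle fails; that signature mismatch is the check a defender should run on a host suspected of carrying this patch.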
@@ -2762,7 +2762,12 @@
0000000000003633 4c 89 e2 movq %r12, %rdx
0000000000003636 e8 00 00 00 00 callq 0x363b
000000000000363b 85 c0 testl %eax, %eax
-000000000000363d 0f 85 38 01 00 00 jne 0x377b // This jne entry has been changed.
+000000000000363d 90 nop
+000000000000363e 90 nop
+000000000000363f 90 nop
+0000000000003640 90 nop
+0000000000003641 90 nop
+0000000000003642 90 nop
0000000000003643 4c 89 f7 movq %r14, %rdi
0000000000003646 4c 89 e6 movq %r12, %rsi
0000000000003649 e8 80 f7 ff ff callq __ZL19ConvertObjectToDataPK8OSSymbolP8OSObject ## ConvertObjectToData(OSSymbol const*, OSObject*)
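Review bot: the replacement bytes in this hunk (six `90` nops at 0x363d through 0x3642) do not match the one-liner given below the diff, which writes `EB 04 90 90 90 90` (a two-byte short jump over four nops) into the same eight-byte window; both variants end up at 0x3643 with the `testl` result ignored, but the hunk as shown is not what the perl command produces, so state which form was actually tested. The `// This jne entry has been changed.` text on the `-` line is an annotation, not otool output, and belongs in the prose rather than inside the diff.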
@@ -3414,7 +3419,7 @@
0000000000003fab 48 89 c6 movq %rax, %rsi
0000000000003fae e8 00 00 00 00 callq 0x3fb3
0000000000003fb3 85 c0 testl %eax, %eax
-0000000000003fb5 74 0b je 0x3fc2 // This will still work.
+0000000000003fb5 eb 0b jmp 0x3fc2
0000000000003fb7 48 83 c4 08 addq $0x8, %rsp
0000000000003fbb 5b popq %rbx
0000000000003fbc 41 5e popq %r14
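Review bot: turning `74 0b je` into `eb 0b jmp` makes the branch unconditional, so the `testl %eax, %eax` two lines above is computed and then discarded; this hunk is consistent with the DELETE substitution in the script below (`\x85\xC0\x74\x0B\x48\x83` to `\x85\xC0\xEB\x0B\x48\x83`), and the NOTE that the DELETE patch was not changed would be clearer placed next to this hunk rather than after the new SET one-liner. As in the previous hunk, `// This will still work.` is an annotation, not part of the disassembly.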

And thus the new patch is: perl -pi -e 's|\x85\xC0\x0F\x85\x38\x01\x00\x00|\x85\xC0\xEB\x04\x90\x90\x90\x90|' AppleEFINVRAM

NOTE: The DELETE patch was not changed.

#!/bin/bash -xe
## bypasses NVRAM property `SET` restriction
## (pattern for builds before 10.12.4 DP1; the UPDATE above gives the 10.12.4 pattern)
/usr/bin/perl -pi -e \
's|\x85\xC0\x0F\x85\x49\x01\x00\x00|\x85\xC0\xEB\x04\x90\x90\x90\x90|' \
AppleEFINVRAM
## bypasses NVRAM property `DELETE` restriction (unchanged in 10.12.4)
/usr/bin/perl -pi -e \
's|\x85\xC0\x74\x0B\x48\x83|\x85\xC0\xEB\x0B\x48\x83|' \
AppleEFINVRAM
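The byte sequences quoted on this page double as a detection signature. The following Python scanner is an added example, not code from the gist: it looks for the original and patched forms of each check (the pre-10.12.4 and 10.12.4 SET patterns, the six-nop SET form the diff shows, and the DELETE pattern) in a copy of the AppleEFINVRAM binary and reports each as intact, patched or absent with the offset. The two sample blobs are constructed filler with the sequences embedded, not real kext contents, and `scan_file` is a hypothetical helper for running it against a real file.

```python
# Added example (not from the gist): scan an AppleEFINVRAM binary for the
# original and patched byte sequences quoted on this page. Sample blobs are
# constructed stand-ins, not real Mach-O contents.
from typing import Dict, List, Tuple

# Patched forms of the SET check: the perl one-liners' replacement (short jmp
# over four nops) and the six-nop variant shown in the 10.12.4 diff.
SET_PATCHED: List[bytes] = [
    b"\x85\xC0\xEB\x04\x90\x90\x90\x90",
    b"\x85\xC0\x90\x90\x90\x90\x90\x90",
]

# check name -> (original bytes, known patched forms)
CHECKS: Dict[str, Tuple[bytes, List[bytes]]] = {
    "set_restriction_pre_10_12_4": (b"\x85\xC0\x0F\x85\x49\x01\x00\x00", SET_PATCHED),
    "set_restriction_10_12_4":     (b"\x85\xC0\x0F\x85\x38\x01\x00\x00", SET_PATCHED),
    "delete_restriction":          (b"\x85\xC0\x74\x0B\x48\x83",
                                    [b"\x85\xC0\xEB\x0B\x48\x83"]),
}


def scan(blob: bytes) -> Dict[str, dict]:
    """Classify every check as intact / patched / absent, with the match offset.

    The original sequence is searched first; only if it is missing do we look
    for a patched form, so a binary that still carries the conditional jump
    is reported intact even though the patched bytes share a prefix with it.
    """
    result: Dict[str, dict] = {}
    for name, (original, patched_forms) in CHECKS.items():
        off = blob.find(original)
        if off >= 0:
            result[name] = {"status": "intact", "offset": off}
            continue
        for patched in patched_forms:
            off = blob.find(patched)
            if off >= 0:
                result[name] = {"status": "patched", "offset": off}
                break
        else:
            result[name] = {"status": "absent", "offset": None}
    return result


def is_tampered(blob: bytes) -> bool:
    """True if any known patched sequence is present."""
    return any(r["status"] == "patched" for r in scan(blob).values())


def scan_file(path: str) -> Dict[str, dict]:
    """Hypothetical helper: run scan() over a binary on disk."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed stand-ins for the kext's text section (filler is a repeated
# function prologue; it contains neither 85 C0 nor any patched sequence).
FILLER = b"\x55\x48\x89\xe5\x41\x57\x41\x56" * 4
CLEAN_SAMPLE = (FILLER + b"\x85\xC0\x0F\x85\x38\x01\x00\x00"
                + FILLER + b"\x85\xC0\x74\x0B\x48\x83" + FILLER)
PATCHED_SAMPLE = (FILLER + b"\x85\xC0\xEB\x04\x90\x90\x90\x90"
                  + FILLER + b"\x85\xC0\xEB\x0B\x48\x83" + FILLER)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        report = scan_file(sys.argv[1])
    else:
        report = scan(PATCHED_SAMPLE)
    for name, r in report.items():
        print(f"{name}: {r['status']}"
              + (f" at 0x{r['offset']:x}" if r["offset"] is not None else ""))
```

Because the SET patch writes the same replacement bytes whichever original it targeted, a patched binary reports "patched" for both SET checks; the version can only be told from an intact copy. A byte scan is a useful triage step, but the authoritative check on a live system is still the code signature of the kext bundle, which this modification necessarily breaks.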