-
Notifications
You must be signed in to change notification settings - Fork 122
The fakeEFI iMessage workaround
I received an e-mail from someone a few weeks ago, asking for my help with iMessage login/registration problems. I thought that my iMessage was working. And it did. Until I logged out. Now I had to take a look. Hey. Sometimes I use a hack for fun, and when I do, then I want my messages to come through in a timely fashion.
Also. They told him, very recently, that this problem cannot be solved in a non-Clover world. To me that is a misunderstanding. To say the least. Soon you'll find patched boot loaders that are non-EFI based. So whatever they tell you, that Clover is great and all that, it can be done with a fakeEFI. Maybe not as nice as in the Clover world, but it works. Which is all I care about.
Note: We are secretively working on a groundbreaking and totally awesome RevoUEFI in the same style as our current work. Ultra small, simple and lightning fast. What else is new ;)
You may have missed it, but Sam blogged about why iCloud/iMessage is broken with a self compiled mach_kernel and when you add a boot uuid to com.apple.Boot.plist. This long before anyone knew about it. Not only that. She also figured out how to add a workaround to solve the iCloud/iMessage login/registration problems. Like she did when she introduced people over at insanelymac.com to chosen/boot-uuid. Which is also required for iMessage. Remember? But this time around she had a reason to be quiet about it as not much later... Sam died. A terrible tragic. Not just for us as a family, but for the whole community.
Now. I was made aware of the fact that other people in the community. Like minded people. Worked on this as well. Sure. No problem. That happens more often than you may think. I also like to acknowledge their hard work. And to be honest. I have to because I would not have found Sam's work if it wasn't for these strings:
4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:ROM
4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:MLB
That got me started after all. Anyway. They did their thing and Sam. Well. Sam did her part. Be it months earlier. The only thing that counts for me is that I did not break the rules. I did not reverse the Apple code and made it public. Luckily. That was someone else.
Ok. So now we have this sorted. Lets talk about the underlaying problem. Which is that Apple's mach_kernel includes undocumented code, that Apple isn't sharing with us. This may change over time, but this is the current state of affairs. I won't go into the why or what here. I'll leave that up to your own imagination.
Sam's idea was to patch the mach_kernel with iMessagePatch (a script) which locates "4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14" and replaces it with "NVRAM". Then it locates a certain string ("/options") and replaces it with "RevoEFI". But be aware. There are two of these strings. Just in case you want to patch it manually.
My work here is limited. I only have to polish it a little and share my sisters findings. But as usual. Things change over time and sometimes Sam just didn't had the time and energy to share it with you. That is where I step in. I like to see her work, this Proof Of Concept, spread out to other boot loaders as well. So. As of today, 10 January 2013, which is when I committed RevoBoot/i386/libsaio/efi.c (among others) into our Clang repository, RevoBoot injects two new EFI properties that the patched mach_kernel will search for. So instead of looking for:
4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:ROM
4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:MLB
It will now look for NVRAM:ROM and NVRAM:MLB instead. A simple but clever trick.
The good news is that Chameleon/Chimera et all can do this kernel patching on-the-fly. There's no need to use a script, nor to mod the mach_kernel manually. Unfortunately. There is no such thing in the world of RevoBoot, but we have plans to add it in the near future. Totally differently of course.
The next step is to let a modified copy of Sam's nvramStorage add:
4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:ROM
4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:MLB
We have to do this because there are certain (private) frameworks reading IODeviceTree/options(GUID):ROM/MLB, which is what this 4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14 points to. A shadow of the IOPower plane. Which is where the kernel saves the generated hashes. It's just not visible.
You can do this manually, or from a script. Here's what you need:
sudo nvram 4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:ROM=%01%02%03%04%05%06%07%08%09%0A%0B%NN%NN%NN%NN%NN%NN
The percent sign (%) is used to store data instead of a string. Use your IOPlatformUUID and replace the last bytes (%NN) with your MAC address. Next up is the board serial number, which we get from the SMBIOS from our Mac, and that is stored with:
sudo nvram 4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:MLB=%01%02%03%04%05%06%07%08%09%0A%0B%0C%0D%0E%0F%10%11
These are examples only. Of course. But you get the picture. Right?
You may run into a dialog saying: Your Apple ID "[email protected]" can't be used to set up iMessage at this time. Click on the Contact Support... button to land here:
http://www.apple.com/support/validation/?code=1234-5678-9012&lang=en-us
I obviously changed the code, so yours will be different. The problem is that it failed to verify (read: to contact one of the Apple servers) so you just have to call Apple in your country and tell them that you use Beta software. Also add that you block stuff from /etc/hosts so that they can toggle a flag and all is well. Please note. They will ask you for a serial number. I used the one from my Mac. The phone numbers are all there. Good luck.
Note: We might want to compare values from Clover/real Mac's to see what data we should change. I mean. When they are different. Which they shouldn't i.m.h.o.
Here's Sam's iMessagePatch. I have changed it a little (commented out the actual patching) and a next update will add a function to undo the patch. Maybe later this week. Anyway. Have fun with it!
targetVolume="/Volumes/Mountain Lion"
TARGET_PATH="${targetVolume}/"
FILENAME="mach_kernel"
TARGET_FILE="${TARGET_PATH}${FILENAME}"
function _fileExists() { if [ -e "$1" ]; then echo 1 # "File exists" else echo 0 # "File does not exist" fi }
function _notAlreadyPatched() { local retValue=0
if [[
/usr/bin/grep -pi '\x34\x44\x31\x45\x44\x45\x30\x35\x2D\x33\x38\x43\x37\x2D\x34\x41\x36\x41\x2D\x39\x43\x43\x36\x2D\x34\x42\x43\x43\x41\x38\x42\x33\x38\x43\x31\x34' "$TARGET_FILE"=~$TARGET_FILE ]]; then local retValue=$ ((retValue+1)) fi
if [[
/usr/bin/grep -pi '\x2F\x6F\x70\x74\x69\x6F\x6E\x73\x00\x25\x73\x3A\x25\x73' "$TARGET_FILE"=~$TARGET_FILE ]]; then local retValue=$ ((retValue+2)) fi
echo $retValue }
function _patchTargetFile() { if $(_fileExists "${TARGET_FILE}_backup") -eq 0; then echo "Backing up
${TARGET_FILE}..." /usr/bin/sudo /bin/cp "$ {TARGET_FILE}" "${TARGET_PATH}${FILENAME}_backup" fi
echo "Patching phase 1 of: ${TARGET_FILE}..."
/usr/bin/perl -pi -e 's|\x34\x44\x31\x45\x44\x45\x30\x35\x2D\x33\x38\x43\x37\x2D\x34\x41\x36\x41\x2D\x39\x43\x43\x36\x2D\x34\x42\x43\x43\x41\x38\x42\x33\x38\x43\x31\x34|\x4E\x56\x52\x41\x4D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00|g' $TARGET_FILE
echo "Done!" echo "Patching phase 2 of: ${TARGET_FILE}..."
echo "Done!" }
function main() { if $(_notAlreadyPatched) -eq 0; then echo "Already patched." else _patchTargetFile fi }
function _isRoot() { if [ $(id -u) != 0 ]; then echo "This script must be run as root" 1>&2 exit 1 fi
echo 1 }
if [ $(_isRoot) ]; then main fi
exit 0