Restoring The Root User in MacOS 10.11, nvram boot-args trouble on 10.11 public beta

Discussion in 'OS X El Capitan (10.11)' started by Lord Daedra, Sep 1, 2015.

  1. Lord Daedra macrumors newbie

    Joined:
    Aug 1, 2013
    #1
    Hello.

    I tried to follow this guide http://wallydavid.com/restoring-the-root-user-in-macos-10-11

    Version 1:
    1.) Search for “Directory Utility“.
    2.) Look in the menu and select “Enable Root User“.
    3.) Log out and log back into your standard account.
    4.) Go to /Applications/Utilities/Terminal.app and open it.
    5.) type: sudo nvram boot-args=“rootless=0″
    6.) Then double check it worked by typing: nvram boot-args
    7.) You should get this: boot-args rootless=0
    8.) Reboot your machine and log into the “Other” user account from the login screen.
    9.) username is: root and the password is whatever you chose when you enabled Root in Directory Utility.
    10.) You now fully own and can hack your machine.

    I completed steps 1-4.
    Next, I tried to run nvram boot-args and got results:

    ➜ ~ nvram help boot-args
    nvram: Error getting variable - 'help': (iokit/common) data was not found

    Okay, looks good, so I completed step 5 (and step 6 again).

    Oh, no... at step 7 I do not see boot-args rootless=0

    I see

    ➜ ~ nvram boot-args
    nvram: Unable to convert value to C string
    boot-args <UNPRINTABLE>

    I tried to find help for the nvram command with man.

    These are the results of
    ➜ ~ nvram -p boot-args
    Code:
    ➜  ~  nvram -p boot-args
    nvram: Unable to convert value to C string
    boot-args    <UNPRINTABLE>
    nvram: Unable to convert value to C string
    boot-args    <UNPRINTABLE>
    I think if I reboot now, I will lose my system to a kernel panic...

    I would like to roll back the transaction that was created by the command sudo nvram boot-args=“rootless=0″. How do I do that? Next, I will roll back step 2 and try to follow the Version 2 steps.

    Version 2:
    1.) Hold COMMAND-R to get to Recovery HD when booting your machine.
    2.) Go to Utilities > Security Configuration menu.
    3.) Uncheck Enforce System Integrity Protection and hit Apply Configuration button.
    4.) It will warn you about the end of the world by doing this (ignore and continue).
    5.) Reboot your machine and log into the “Other” user account from the login screen.
    6.) username is: root and the password is whatever you chose when you enabled Root in Directory Utility.
    7.) You now fully own and can hack your machine.

    I think I need to run
    nvram -d boot-args
    Is that the correct solution in my case? I hope this command will not delete anything more than what I added in step 5.
     
  2. Shirasaki macrumors 603


    Joined:
    May 16, 2015
    #2
    According to previous posts and Apple developer forum information provided by other forum members, nvram will no longer be available to disable rootless on demand.

    Instead, csrutil, which is only available through recovery partition, will replace nvram to let some users, including developers, disable rootless.
     
  3. w0lf macrumors 65816


    Joined:
    Feb 16, 2013
    Location:
    USA
  4. Erdbeertorte, Sep 2, 2015
    Last edited: Sep 2, 2015

    Erdbeertorte macrumors demi-goddess

    Joined:
    May 20, 2015
    #4
    I really tried every option on each Beta version and at least 3 different MacBooks.

    It never ever worked, although I always got the message that it is disabled and I have to restart.

    Now csrutil seems at least to work directly in the recovery terminal. On Beta 7 it was hidden in some folder, where I had to go first. Just followed the link from @w0lf and tried it again.


    The status says it's still enabled, but these configuration options are all disabled. I don't know if they were before. Are these extra options or is it completely disabled now?


    csrutil status
    System Integrity Protection status: enabled (Custom Configuration).

    Configuration:
    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: disabled
    Debugging Restrictions: disabled
    DTrace Restrictions: disabled
    NVRAM Protections: disabled



    The Disk Utility application also shows that it is still enabled; they even forgot to translate it:

    Bildschirmfoto 2015-09-02 um 12.46.16.png


    Edit: By the way, I was thinking about switching to English because I write mostly here. But then I cannot report translation errors to Apple anymore. What do you think I should do?
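
Added example, not part of any post in this thread: a shell check that reads `csrutil status` text in the format quoted in post #4 and reports whether the headline agrees with the per-item lines. It assumes that `Apple Internal: disabled` is the normal state and not a protection; the verdict names are invented here, and the result is only as reliable as what the tool prints.

```shell
#!/bin/sh
# Constructed sample: the `csrutil status` text quoted in post #4.
POST4_STATUS='System Integrity Protection status: enabled (Custom Configuration).
Configuration:
Apple Internal: disabled
Kext Signing: disabled
Filesystem Protections: disabled
Debugging Restrictions: disabled
DTrace Restrictions: disabled
NVRAM Protections: disabled'
# Constructed samples in the same format, for comparison.
PLAIN_STATUS='System Integrity Protection status: enabled.'
PARTIAL_STATUS='System Integrity Protection status: enabled (Custom Configuration).
Configuration:
Apple Internal: disabled
Kext Signing: enabled
Filesystem Protections: disabled'

# Print each protection the status text lists as disabled, one per line.
# Assumption: "Apple Internal" is a mode flag, not a protection, so it is skipped.
sip_disabled_items() {
    printf '%s\n' "$1" | awk -F': ' '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^Configuration:/ { cfg = 1; next }
        cfg && NF == 2 && $1 != "Apple Internal" && $2 == "disabled" { print $1 }'
}

# Compare headline with per-item lines. Verdict names are made up for this example.
sip_verdict() {
    printf '%s\n' "$1" | awk -F': ' '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^System Integrity Protection status:/ { split($2, w, /[ .]/); head = w[1]; next }
        /^Configuration:/ { cfg = 1; next }
        cfg && NF == 2 && $1 != "Apple Internal" { total++; if ($2 == "disabled") off++ }
        END {
            if (head == "disabled")      print "disabled"
            else if (head != "enabled")  print "unknown"
            else if (off == 0)           print "protected"
            else if (off < total)        print "partial"
            else                         print "inconsistent-all-off"
        }'
}

# On a Mac, pass live output instead: sip_verdict "$(csrutil status)"
echo "post #4 sample: $(sip_verdict "$POST4_STATUS")"
sip_disabled_items "$POST4_STATUS"
```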
     
  5. KALLT, Sep 2, 2015
    Last edited by a moderator: Sep 13, 2015

    KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #5
    csrutil is a work in progress, it is possible and likely that the information shown is not accurate yet. In fact, the status operation was expanded only two betas ago (before it wouldn’t even show you that much information). Also the info window in Disk Utility is not accurate with respect to System Integrity Protection, it has been a known issue.

    In short: don’t solely rely on what the utility or the system says. What are you trying to do anyway, have you confirmed whether that works?
     
  6. Erdbeertorte macrumors demi-goddess

    Joined:
    May 20, 2015
    #6
    I just thought some issues with applications might be caused by that. But that was in the first beta, when there were not any beta versions of these applications. I think I just don't need to turn it off anymore. Everything is running fine.

    They even got it translated now in the GM Candidate:

    Bildschirmfoto 2015-09-10 um 12.11.46.png
     
