Removing support for ESXi 6.x as unreliable - 2.1.1

David Parsons 2017-10-11 17:12:43 +01:00
parent c6ff390a87
commit e11d6f46a6
31 changed files with 29 additions and 3676 deletions


@ -40,7 +40,7 @@ Offset Length Struct Type Description
0x10/16 0x08/08 Q ptr Internal VMware routine
0x18/24 0x30/48 48B byte Data
"""
"""
from __future__ import print_function
import struct


@ -1,13 +0,0 @@
#!/bin/sh
set -e
#set -x
# Ensure we only use unmodified commands
export PATH=/bin:/sbin:/usr/bin:/usr/sbin
# Copy patch to local.sh
rm -fv local.sh
cp local-prefix.sh local.sh
cat unlocker.py >> local.sh
cat local-suffix.sh >> local.sh
chmod +x local.sh


@ -1,29 +0,0 @@
#!/bin/sh
set -e
#set -x
echo VMware Unlocker 2.1.0
echo ===============================
echo Copyright: Dave Parsons 2011-17
# Ensure we only use unmodified commands
export PATH=/bin:/sbin:/usr/bin:/usr/sbin
VER=$(uname -r)
if [ "$VER" == "6.0.0" ]; then
echo "Error - ESXi 6.0.0 is not supported!"
elif [ "$VER" == "6.5.0" ]; then
# Copy patch to local.sh
echo Installing local.sh
chmod +x local.sh
cp local.sh /etc/rc.local.d/local.sh
python esxiconfig.py on
backup.sh 0
echo "Success - please now restart the server!"
else
echo "Unknown ESXi version"
fi


@ -1,4 +0,0 @@
#!/bin/sh
grep -il \(c\)AppleComputerInc /bin/vmx*
vim-cmd hostsvc/hosthardware | grep smcPresent | cut -d ',' -f 1 | sed 's/^[ \t]*//'
grep useVmxSandbox /etc/vmware/hostd/config.xml | sed 's/^[ \t]*//'


@ -1,16 +0,0 @@
#!/bin/sh
set -e
#set -x
echo VMware Unlocker 2.1.0
echo ===============================
echo Copyright: Dave Parsons 2011-17
# Ensure we only use unmodified commands
export PATH=/bin:/sbin:/usr/bin:/usr/sbin
echo Uninstalling local.sh
cp /etc/rc.local.d/.#local.sh /etc/rc.local.d/local.sh
python esxiconfig.py off
backup.sh 0
echo Success - please now restart the server!


@ -1,63 +0,0 @@
#!/usr/bin/env python
"""
This is a simple method to modify the hostd XML file
Not using XML on ESXi Python as it does not preserve
formatting or comments.
(This could be sed but cannot find a suitable regex.)
"""
from __future__ import print_function
import sys
def testline(line, test):
sline = line.lstrip()
if sline == test:
return True
else:
return False
def main():
vmsvc = '<vmsvc>\n'
sandbox = '<useVmxSandbox>false</useVmxSandbox>\n'
with open('/etc/vmware/hostd/config.xml', 'r+') as f:
data = f.readlines()
# Search for the relevant XML tags
i = 0
vmsvcindex = 0
sandboxindex = 0
for line in data:
if testline(line, vmsvc):
vmsvcindex = i
if testline(line, sandbox):
sandboxindex = i
# print(line, end='')
i += 1
# Simple toggle on or off depending if found
if sandboxindex != 0 and sys.argv[1] == 'off':
print('Removing useVmxSandbox')
del data[sandboxindex]
elif sandboxindex == 0 and sys.argv[1] == 'on':
print('Adding useVmxSandbox')
pad = len(data[vmsvcindex + 1]) - len(data[vmsvcindex + 1].lstrip())
data.insert(vmsvcindex + 1, (" " * pad) + sandbox)
else:
pass
# Rewrite the config.xml file
f.seek(0)
f.write(''.join(data))
f.truncate()
f.close()
if __name__ == '__main__':
main()


@ -1,7 +1,7 @@
#!/bin/bash
set -e
echo VMware Unlocker 2.1.0
echo VMware Unlocker 2.1.1
echo ===============================
echo Copyright: Dave Parsons 2011-17


@ -1,7 +1,7 @@
#!/bin/bash
set -e
echo VMware Unlocker 2.1.0
echo VMware Unlocker 2.1.1
echo ===============================
echo Copyright: Dave Parsons 2011-17


@ -1,7 +1,7 @@
#!/bin/bash
set -e
echo VMware Get OS X Tools 2.1.0
echo VMware Get OS X Tools 2.1.1
echo ===============================
echo Copyright: Dave Parsons 2015-16


@ -1,65 +0,0 @@
#!/bin/sh
set -e
set -x
echo VMware ESXi 6.x Unlocker 2.1.0
echo ===============================
echo Copyright: Dave Parsons 2011-17
# Ensure we only use unmodified commands
export PATH=/bin:/sbin:/usr/bin:/usr/sbin
# Exit if boot option specified
if bootOption -o | grep -q 'nounlocker'; then
logger -t unlocker disabled via nounlocker boot option
exit 0
fi
# Make sure working files are removed
if [ -d /unlocker ]; then
logger -t unlocker Removing current patches
rm -rfv /unlocker
fi
# Create new RAM disk and map to /unlocker
logger -t unlocker Creating RAM disk
mkdir /unlocker
localcli system visorfs ramdisk add -m 200 -M 200 -n unlocker -p 0755 -t /unlocker
logger -t unlocker Stopping hostd daemon
/etc/init.d/hostd stop
# Copy the vmx files
logger -t unlocker Copying vmx files
mkdir /unlocker/bin
cp /bin/vmx /unlocker/bin/
cp /bin/vmx-debug /unlocker/bin/
cp /bin/vmx-stats /unlocker/bin/
# Setup symlink from /bin
logger -t unlocker Setup vmx sym links
rm -fv /bin/vmx
ln -s /unlocker/bin/vmx /bin/vmx
rm -fv /bin/vmx-debug
ln -s /unlocker/bin/vmx-debug /bin/vmx-debug
rm -fv /bin/vmx-stats
ln -s /unlocker/bin/vmx-stats /bin/vmx-stats
# Copy the libvmkctl.so files
logger -t unlocker Copying 32-bit lib files
mkdir /unlocker/lib
cp /lib/libvmkctl.so /unlocker/lib/
logger -t unlocker Setup 32-bit lib sym links
rm -fv /lib/libvmkctl.so
ln -s /unlocker/lib/libvmkctl.so /lib/libvmkctl.so
if [ -f /lib64/libvmkctl.so ]; then
logger -t unlocker Copying 64-bit lib files
mkdir /unlocker/lib64
cp /lib64/libvmkctl.so /unlocker/lib64/
logger -t unlocker Setup 64-bit lib sym links
rm -fv /lib64/libvmkctl.so
ln -s /unlocker/lib64/libvmkctl.so /lib64/libvmkctl.so
fi
# Patch the vmx files
logger -t unlocker Patching vmx files
python <<END


@ -1,4 +0,0 @@
END
logger -t unlocker Starting hostd daemon
/etc/init.d/hostd start
exit 0

501
local.sh

@ -1,501 +0,0 @@
#!/bin/sh
set -e
set -x
echo VMware ESXi 6.x Unlocker 2.1.0
echo ===============================
echo Copyright: Dave Parsons 2011-17
# Ensure we only use unmodified commands
export PATH=/bin:/sbin:/usr/bin:/usr/sbin
# Exit if boot option specified
if bootOption -o | grep -q 'nounlocker'; then
logger -t unlocker disabled via nounlocker boot option
exit 0
fi
# Make sure working files are removed
if [ -d /unlocker ]; then
logger -t unlocker Removing current patches
rm -rfv /unlocker
fi
# Create new RAM disk and map to /unlocker
logger -t unlocker Creating RAM disk
mkdir /unlocker
localcli system visorfs ramdisk add -m 200 -M 200 -n unlocker -p 0755 -t /unlocker
logger -t unlocker Stopping hostd daemon
/etc/init.d/hostd stop
# Copy the vmx files
logger -t unlocker Copying vmx files
mkdir /unlocker/bin
cp /bin/vmx /unlocker/bin/
cp /bin/vmx-debug /unlocker/bin/
cp /bin/vmx-stats /unlocker/bin/
# Setup symlink from /bin
logger -t unlocker Setup vmx sym links
rm -fv /bin/vmx
ln -s /unlocker/bin/vmx /bin/vmx
rm -fv /bin/vmx-debug
ln -s /unlocker/bin/vmx-debug /bin/vmx-debug
rm -fv /bin/vmx-stats
ln -s /unlocker/bin/vmx-stats /bin/vmx-stats
# Copy the libvmkctl.so files
logger -t unlocker Copying 32-bit lib files
mkdir /unlocker/lib
cp /lib/libvmkctl.so /unlocker/lib/
logger -t unlocker Setup 32-bit lib sym links
rm -fv /lib/libvmkctl.so
ln -s /unlocker/lib/libvmkctl.so /lib/libvmkctl.so
if [ -f /lib64/libvmkctl.so ]; then
logger -t unlocker Copying 64-bit lib files
mkdir /unlocker/lib64
cp /lib64/libvmkctl.so /unlocker/lib64/
logger -t unlocker Setup 64-bit lib sym links
rm -fv /lib64/libvmkctl.so
ln -s /unlocker/lib64/libvmkctl.so /lib64/libvmkctl.so
fi
# Patch the vmx files
logger -t unlocker Patching vmx files
python <<END
#!/usr/bin/env python
"""
The MIT License (MIT)
Copyright (c) 2014-2016 Dave Parsons & Sam Bingner
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the 'Software'), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
vSMC Header Structure
Offset Length Struct Type Description
----------------------------------------
0x00/00 0x08/08 Q ptr Offset to key table
0x08/08 0x04/4 I int Number of private keys
0x0C/12 0x04/4 I int Number of public keys
vSMC Key Data Structure
Offset Length Struct Type Description
----------------------------------------
0x00/00 0x04/04 4s int Key name (byte reversed e.g. #KEY is YEK#)
0x04/04 0x01/01 B byte Length of returned data
0x05/05 0x04/04 4s int Data type (byte reversed e.g. ui32 is 23iu)
0x09/09 0x01/01 B byte Flag R/W
0x0A/10 0x06/06 6x byte Padding
0x10/16 0x08/08 Q ptr Internal VMware routine
0x18/24 0x30/48 48B byte Data
"""
from __future__ import print_function
import codecs
import os
import sys
import struct
import subprocess
if sys.version_info < (2, 7):
sys.stderr.write('You need Python 2.7 or later\n')
sys.exit(1)
# Setup imports depending on whether IronPython or CPython
if sys.platform == 'win32' \
or sys.platform == 'cli':
from _winreg import *
def bytetohex(data):
if sys.version_info > (3, 0):
# Python 3 code in this block
return "".join("{:02X} ".format(c) for c in data)
else:
# Python 2 code in this block
return "".join("{:02X} ".format(ord(c)) for c in data)
def joinpath(folder, filename):
return os.path.join(folder, filename)
def printkey(i, offset, smc_key, smc_data):
print(str(i + 1).zfill(3)
+ ' ' + hex(offset)
+ ' ' + smc_key[0][::-1].decode('UTF-8')
+ ' ' + str(smc_key[1]).zfill(2)
+ ' ' + smc_key[2][::-1].replace(b'\x00', b' ').decode('UTF-8')
+ ' ' + '{0:#0{1}x}'.format(smc_key[3], 4)
+ ' ' + hex(smc_key[4])
+ ' ' + bytetohex(smc_data))
def set_bit(value, bit):
return value | (1 << bit)
def clear_bit(value, bit):
return value & ~(1 << bit)
def test_bit(value, bit):
return value & bit
E_CLASS64 = 2
E_SHT_RELA = 4
def patchelf(f, oldoffset, newoffset):
f.seek(0)
magic = f.read(4)
if not magic == b'\x7fELF':
raise Exception('Magic number does not match')
ei_class = struct.unpack('=B', f.read(1))[0]
if ei_class != E_CLASS64:
raise Exception('Not 64bit elf header: ' + ei_class)
f.seek(40)
e_shoff = struct.unpack('=Q', f.read(8))[0]
f.seek(58)
e_shentsize = struct.unpack('=H', f.read(2))[0]
e_shnum = struct.unpack('=H', f.read(2))[0]
e_shstrndx = struct.unpack('=H', f.read(2))[0]
print('e_shoff: 0x{:x} e_shentsize: 0x{:x} e_shnum:0x{:x} e_shstrndx:0x{:x}'.format(e_shoff, e_shentsize,
e_shnum, e_shstrndx))
for i in range(0, e_shnum):
f.seek(e_shoff + i * e_shentsize)
e_sh = struct.unpack('=LLQQQQLLQQ', f.read(e_shentsize))
# e_sh_name = e_sh[0]
e_sh_type = e_sh[1]
e_sh_offset = e_sh[4]
e_sh_size = e_sh[5]
e_sh_entsize = e_sh[9]
if e_sh_type == E_SHT_RELA:
e_sh_nument = int(e_sh_size / e_sh_entsize)
# print 'RELA at 0x{:x} with {:d} entries'.format(e_sh_offset, e_sh_nument)
for j in range(0, e_sh_nument):
f.seek(e_sh_offset + e_sh_entsize * j)
rela = struct.unpack('=QQq', f.read(e_sh_entsize))
r_offset = rela[0]
r_info = rela[1]
r_addend = rela[2]
if r_addend == oldoffset:
r_addend = newoffset
f.seek(e_sh_offset + e_sh_entsize * j)
f.write(struct.pack('=QQq', r_offset, r_info, r_addend))
print('Relocation modified at: ' + hex(e_sh_offset + e_sh_entsize * j))
def patchkeys(f, key):
# Setup struct pack string
key_pack = '=4sB4sB6xQ'
# smc_old_memptr = 0
smc_new_memptr = 0
# Do Until OSK1 read
i = 0
while True:
# Read key into struct str and data byte str
offset = key + (i * 72)
f.seek(offset)
smc_key = struct.unpack(key_pack, f.read(24))
smc_data = f.read(smc_key[1])
# Reset pointer to beginning of key entry
f.seek(offset)
if smc_key[0] == b'SKL+':
# Use the +LKS data routine for OSK0/1
smc_new_memptr = smc_key[4]
print('+LKS Key: ')
printkey(i, offset, smc_key, smc_data)
elif smc_key[0] == b'0KSO':
# Write new data routine pointer from +LKS
print('OSK0 Key Before:')
printkey(i, offset, smc_key, smc_data)
# smc_old_memptr = smc_key[4]
f.seek(offset)
f.write(struct.pack(key_pack, smc_key[0], smc_key[1], smc_key[2], smc_key[3], smc_new_memptr))
f.flush()
# Write new data for key
f.seek(offset + 24)
smc_new_data = codecs.encode('bheuneqjbexolgurfrjbeqfthneqrqcy', 'rot_13')
f.write(smc_new_data.encode('UTF-8'))
f.flush()
# Re-read and print key
f.seek(offset)
smc_key = struct.unpack(key_pack, f.read(24))
smc_data = f.read(smc_key[1])
print('OSK0 Key After:')
printkey(i, offset, smc_key, smc_data)
elif smc_key[0] == b'1KSO':
# Write new data routine pointer from +LKS
print('OSK1 Key Before:')
printkey(i, offset, smc_key, smc_data)
smc_old_memptr = smc_key[4]
f.seek(offset)
f.write(struct.pack(key_pack, smc_key[0], smc_key[1], smc_key[2], smc_key[3], smc_new_memptr))
f.flush()
# Write new data for key
f.seek(offset + 24)
smc_new_data = codecs.encode('rnfrqbagfgrny(p)NccyrPbzchgreVap', 'rot_13')
f.write(smc_new_data.encode('UTF-8'))
f.flush()
# Re-read and print key
f.seek(offset)
smc_key = struct.unpack(key_pack, f.read(24))
smc_data = f.read(smc_key[1])
print('OSK1 Key After:')
printkey(i, offset, smc_key, smc_data)
# Finished so get out of loop
break
else:
pass
i += 1
return smc_old_memptr, smc_new_memptr
def patchsmc(name, sharedobj):
with open(name, 'r+b') as f:
smc_old_memptr = 0
smc_new_memptr = 0
# Read file into string variable
vmx = f.read()
print('File: ' + name)
# Setup hex string for vSMC headers
# These are the private and public key counts
smc_header_v0 = b'\xF2\x00\x00\x00\xF0\x00\x00\x00'
smc_header_v1 = b'\xB4\x01\x00\x00\xB0\x01\x00\x00'
# Setup hex string for #KEY key
key_key = b'\x59\x45\x4B\x23\x04\x32\x33\x69\x75'
# Setup hex string for $Adr key
adr_key = b'\x72\x64\x41\x24\x04\x32\x33\x69\x75'
# Find the vSMC headers
smc_header_v0_offset = vmx.find(smc_header_v0) - 8
smc_header_v1_offset = vmx.find(smc_header_v1) - 8
# Find '#KEY' keys
smc_key0 = vmx.find(key_key)
smc_key1 = vmx.rfind(key_key)
# Find '$Adr' key only V1 table
smc_adr = vmx.find(adr_key)
# Print vSMC0 tables and keys
print('appleSMCTableV0 (smc.version = "0")')
print('appleSMCTableV0 Address : ' + hex(smc_header_v0_offset))
print('appleSMCTableV0 Private Key #: 0xF2/242')
print('appleSMCTableV0 Public Key #: 0xF0/240')
if (smc_adr - smc_key0) != 72:
print('appleSMCTableV0 Table : ' + hex(smc_key0))
smc_old_memptr, smc_new_memptr = patchkeys(f, smc_key0)
elif (smc_adr - smc_key1) != 72:
print('appleSMCTableV0 Table : ' + hex(smc_key1))
smc_old_memptr, smc_new_memptr = patchkeys(f, smc_key1)
print()
# Print vSMC1 tables and keys
print('appleSMCTableV1 (smc.version = "1")')
print('appleSMCTableV1 Address : ' + hex(smc_header_v1_offset))
print('appleSMCTableV1 Private Key #: 0x01B4/436')
print('appleSMCTableV1 Public Key #: 0x01B0/432')
if (smc_adr - smc_key0) == 72:
print('appleSMCTableV1 Table : ' + hex(smc_key0))
smc_old_memptr, smc_new_memptr = patchkeys(f, smc_key0)
elif (smc_adr - smc_key1) == 72:
print('appleSMCTableV1 Table : ' + hex(smc_key1))
smc_old_memptr, smc_new_memptr = patchkeys(f, smc_key1)
print()
# Find matching RELA record in .rela.dyn in ESXi ELF files
# This is temporary code until proper ELF parsing written
if sharedobj:
print('Modifying RELA records from: ' + hex(smc_old_memptr) + ' to ' + hex(smc_new_memptr))
patchelf(f, smc_old_memptr, smc_new_memptr)
# Tidy up
f.flush()
f.close()
def patchbase(name):
# Patch file
print('GOS Patching: ' + name)
f = open(name, 'r+b')
# Entry to search for in GOS table
# Should work for 12 & 14 of Workstation...
darwin = (
'\x10\x00\x00\x00\x10\x00\x00\x00'
'\x02\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
)
# Read file into string variable
base = f.read()
# Loop through each entry and set top bit
# 0xBE --> 0xBF (WKS 12)
# 0x3E --> 0x3F (WKS 14)
offset = 0
while offset < len(base):
offset = base.find(darwin, offset)
if offset == -1:
break
f.seek(offset + 32)
flag = ord(f.read(1))
flag = set_bit(flag, 0)
flag = chr(flag)
f.seek(offset + 32)
f.write(flag)
print('GOS Patched flag @: ' + hex(offset))
offset += 40
# Tidy up
f.flush()
f.close()
print('GOS Patched: ' + name)
def patchvmkctl(name):
# Patch file
print('smcPresent Patching: ' + name)
f = open(name, 'r+b')
# Read file into string variable
vmkctl = f.read()
applesmc = vmkctl.find(b'applesmc')
f.seek(applesmc)
f.write(b'vmkernel')
# Tidy up
f.flush()
f.close()
print('smcPresent Patched: ' + name)
def main():
# Work around absent Platform module on VMkernel
if os.name == 'nt' or os.name == 'cli':
osname = 'windows'
else:
osname = os.uname()[0].lower()
vmwarebase = ''
libvmkctl32 = ''
libvmkctl64 = ''
vmx_so = False
# Setup default paths
if osname == 'darwin':
vmx_path = '/Applications/VMware Fusion.app/Contents/Library/'
vmx = joinpath(vmx_path, 'vmware-vmx')
vmx_debug = joinpath(vmx_path, 'vmware-vmx-debug')
vmx_stats = joinpath(vmx_path, 'vmware-vmx-stats')
elif osname == 'linux':
vmx_path = '/usr/lib/vmware/bin/'
vmx = joinpath(vmx_path, 'vmware-vmx')
vmx_debug = joinpath(vmx_path, 'vmware-vmx-debug')
vmx_stats = joinpath(vmx_path, 'vmware-vmx-stats')
if os.path.isfile('/usr/lib/vmware/lib/libvmwarebase.so/libvmwarebase.so'):
vmx_so = True
vmwarebase = '/usr/lib/vmware/lib/libvmwarebase.so/libvmwarebase.so'
else:
vmwarebase = '/usr/lib/vmware/lib/libvmwarebase.so.0/libvmwarebase.so.0'
elif osname == 'vmkernel':
vmx_path = os.path.dirname(os.path.abspath(__file__))
vmx = joinpath(vmx_path, '/unlocker/bin/vmx')
vmx_debug = joinpath(vmx_path, '/unlocker/bin/vmx-debug')
vmx_stats = joinpath(vmx_path, '/unlocker/bin/vmx-stats')
vmx_so = True
libvmkctl32 = joinpath(vmx_path, '/unlocker/lib/libvmkctl.so')
libvmkctl64 = joinpath(vmx_path, '/unlocker/lib64/libvmkctl.so')
elif osname == 'windows':
reg = ConnectRegistry(None, HKEY_LOCAL_MACHINE)
key = OpenKey(reg, r'SOFTWARE\Wow6432Node\VMware, Inc.\VMware Workstation')
vmwarebase_path = QueryValueEx(key, 'InstallPath')[0]
vmx_path = QueryValueEx(key, 'InstallPath64')[0]
vmx = joinpath(vmx_path, 'vmware-vmx.exe')
vmx_debug = joinpath(vmx_path, 'vmware-vmx-debug.exe')
vmx_stats = joinpath(vmx_path, 'vmware-vmx-stats.exe')
vmwarebase = joinpath(vmwarebase_path, 'vmwarebase.dll')
else:
print('Unknown Operating System: ' + osname)
return
# Patch the vmx executables skipping stats version for Player
patchsmc(vmx, vmx_so)
patchsmc(vmx_debug, vmx_so)
if os.path.isfile(vmx_stats):
patchsmc(vmx_stats, vmx_so)
# Patch vmwarebase for Workstation and Player
# Not required on Fusion or ESXi as table already has correct flags
if vmwarebase != '':
patchbase(vmwarebase)
else:
print('Patching vmwarebase is not required on this system')
# Now using sed in the local.sh script
if osname == 'vmkernel':
# Patch ESXi 6.0 and 6.5 32 bit .so
patchvmkctl(libvmkctl32)
# Patch ESXi 6.5 64 bit .so
if os.path.isfile(libvmkctl64):
patchvmkctl(libvmkctl64)
if __name__ == '__main__':
main()
END
logger -t unlocker Starting hostd daemon
/etc/init.d/hostd start
exit 0


@ -1,7 +1,7 @@
#!/bin/bash
set -e
echo VMware Unlocker 2.1.0
echo VMware Unlocker 2.1.1
echo ===============================
echo Copyright: Dave Parsons 2011-17


@ -1,7 +1,7 @@
#!/bin/bash
set -e
echo VMware Unlocker 2.1.0
echo VMware Unlocker 2.1.1
echo ===============================
echo Copyright: Dave Parsons 2011-17


@ -6,38 +6,36 @@ macOS Unlocker for VMware V2.1
| ========== |
| |
| Always uninstall the previous version of the Unlocker before using a new |
| version. Failure to do this could render VMware unusable especially ESXi. |
| version. Failure to do this could render VMware unusablei. |
| |
+-----------------------------------------------------------------------------+
1. Introduction
---------------
Unlocker 2 is designed for Workstation 11/12/14, Player 7/12/14, ESXi 6.5
Unlocker 2 is designed for Workstation 11/12/14, Player 7/12/14,
and Fusion 7/8/10.
If you are using an earlier product please continue using Unlocker 1 and use
Unlcoker 2.0 for ESXi 6.0
Unlocker 2.0 for ESXi 6.0
Version 2 has been tested against:
* Workstation 11/12/14 on Windows and Linux
* Workstation Player 7/12/14 on Windows and Linux
* Fusion 7/8/10 on Sierra
* ESXi 6.5U1
* Fusion 7/8/10 on macOS Sierra
The patch code carries out the following modifications dependent on the product
being patched:
* Fix vmware-vmx and derivatives to allow macOS to boot
* Fix vmwarebase .dll or .so to allow Apple to be selected during VM creation
* Fix libvmkctl.so on ESXi 6 to allow use with vCenter
* Download a copy of the latest VMware Tools for macOS
Note that not all products recognise the darwin.iso via install tools menu item.
You will have to manually mount the darwin.iso for example on Workstation 11 and Player 7.
The vmwarebase code does not need to be patched on macOS or ESXi so you will see a
The vmwarebase code does not need to be patched on macOS systems so you will see a
message on those systems telling you that it will not be patched.
In all cases make sure VMware is not running, and any background guests have
@ -48,11 +46,11 @@ The code is written in Python as it makes the Unlocker easier to run and maintai
2. Prerequisites
----------------
The code requires Python 2.7 to work. Most Linux distros, ESXi and macOS ship with a compatible
The code requires Python 2.7 to work. Most Linux distros and macOS ship with a compatible
Python interpreter and should work without requiring any additional software.
Windows Unlocker has a packaged version of the Python script using PyInstaller, and so does not
require Python to be installed.
Windows Unlocker has a packaged version of the Python script using PyInstaller,
and so does not require Python to be installed.
3. Limitations
--------------
@ -107,34 +105,8 @@ osx-uninstall.sh - restores VMware
7. ESXi
-------
You will need to transfer the zip file to the ESXi host either using vSphere client or SCP.
Once uploaded you will need to either use the ESXi support console or use SSH to
run the commands. Use the unzip command to extract the files.
<<< WARNING: use a datastore volume to store and run the scripts >>>
Please note that you will need to reboot the host for the patches to become active.
The patcher is embbedded in a shell script local.sh which is run at boot from /etc/rc.local.d.
You may need to ensure the ESXi scripts have execute permissions
by running chmod +x against the 2 files.
esxi-install.sh - patches VMware
esxi-uninstall.sh - restores VMware
There is a boot option for ESXi that disables the unlocker if there is a problem.
At the ESXi boot screen press shift + o to get the boot options and add nounlocker.
Note:
1. Any changes you have made to local.sh will be lost. If you have made changes to
that file, you will need to merge them into the supplied local.sh file.
2. The unlocker needs to be re-run after an upgrade or patch is installed on the ESXi host.
3. The macOS VMwwre tools are no longer shipped in the image from ESXi 6.5. They have to be
downloaded and installed manually onto the ESXi host. For additional details see this web page:
https://blogs.vmware.com/vsphere/2016/10/introducing-vmware-tools-10-1-10-0-12.html
ESXi is no longer supported as there are too many errors on newer versions due to
VMware hardening the ESXi image.
8. Thanks
---------
@ -152,5 +124,7 @@ History
10/10/17 2.1.0 - New version to support ESXi 6.5, Workstation/Player 14 and Fusion 10
- Removed support for ESXi 6.0
- Added ESXi boot option to disable unlocker (nounlocker)
11/10/17 2.1.1 - Removed all support for ESXi 6.x
(c) 2011-2017 Dave Parsons


@ -1,7 +1,6 @@
from __future__ import print_function
import shutil
import dumpsmc
import unlocker
@ -11,9 +10,11 @@ def main():
shutil.copyfile('./samples/windows/wks12/vmware-vmx.exe', './tests/windows/wks12/vmware-vmx.exe')
unlocker.patchsmc('./tests/windows/wks12/vmware-vmx.exe', False)
dumpsmc.dumpsmc('./tests/windows/wks12/vmware-vmx.exe')
unlocker.patchbase('./tests/windows/wks12/vmware-vmx.exe')
shutil.copyfile('./samples/windows/wks14/vmware-vmx.exe', './tests/windows/wks12/vmware-vmx.exe')
dumpsmc.dumpsmc('./tests/windows/wks14/vmware-vmx.exe')
unlocker.patchsmc('./tests/windows/wks14/vmware-vmx.exe', False)
unlocker.patchbase('./tests/windows/wks14/vmware-vmx.exe')
shutil.copyfile('./samples/windows/wks12/vmwarebase.dll', './tests/windows/wks12/vmwarebase.dll')
unlocker.patchbase('./tests/windows/wks12/vmwarebase.dll')
shutil.copyfile('./samples/windows/wks14/vmwarebase.dll', './tests/windows/wks14/vmwarebase.dll')
@ -23,9 +24,11 @@ def main():
shutil.copyfile('./samples/linux/wks12/vmware-vmx', './tests/linux/wks12/vmware-vmx')
dumpsmc.dumpsmc('./tests/linux/wks12/vmware-vmx')
unlocker.patchsmc('./tests/linux/wks12/vmware-vmx', True)
unlocker.patchbase('./tests/linux/wks12/vmware-vmx')
shutil.copyfile('./samples/linux/wks14/vmware-vmx', './tests/linux/wks14/vmware-vmx')
dumpsmc.dumpsmc('./tests/linux/wks14/vmware-vmx')
unlocker.patchsmc('./tests/linux/wks14/vmware-vmx', True)
unlocker.patchbase('./tests/linux/wks14/vmware-vmx')
shutil.copyfile('./samples/linux/wks12/libvmwarebase.so', './tests/linux/wks12/libvmwarebase.so')
unlocker.patchbase('./tests/linux/wks12/libvmwarebase.so')
shutil.copyfile('./samples/linux/wks14/libvmwarebase.so', './tests/linux/wks14/libvmwarebase.so')
@ -41,9 +44,11 @@ def main():
shutil.copyfile('./samples/esxi/esxi600/vmx', './tests/esxi/esxi600/vmx')
dumpsmc.dumpsmc('./tests/esxi/esxi600/vmx')
unlocker.patchsmc('./tests/esxi/esxi600/vmx', True)
unlocker.patchbase('./tests/esxi/esxi600/vmx')
shutil.copyfile('./samples/esxi/esxi650/vmx', './tests/esxi/esxi650/vmx')
dumpsmc.dumpsmc('./tests/esxi/esxi650/vmx')
unlocker.patchsmc('./tests/esxi/esxi650/vmx', True)
unlocker.patchbase('./tests/esxi/esxi650/vmx')
shutil.copyfile('./samples/esxi/esxi600/libvmkctl.so', './tests/esxi/esxi600/libvmkctl.so')
unlocker.patchvmkctl('./tests/esxi/esxi600/libvmkctl.so')
shutil.copyfile('./samples/esxi/esxi650/lib/libvmkctl.so', './tests/esxi/esxi650/lib/libvmkctl.so')
@ -51,7 +56,6 @@ def main():
shutil.copyfile('./samples/esxi/esxi650/lib64/libvmkctl.so', './tests/esxi/esxi650/lib64/libvmkctl.so')
unlocker.patchvmkctl('./tests/esxi/esxi650/lib64/libvmkctl.so')
shutil.copyfile('./samples/esxi/esxi650/config.xml', './tests/esxi/esxi650/config.xml')
esxiconfig.main('./tests/esxi/esxi650/config.xml')
if __name__ == '__main__':
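Review bot: The wks14 fixture copy in the `@ -11,9 +10,11 @` hunk writes to the wrong destination: `shutil.copyfile('./samples/windows/wks14/vmware-vmx.exe', './tests/windows/wks12/vmware-vmx.exe')` targets the wks12 test path, while the `dumpsmc`, `patchsmc` and `patchbase` calls that follow all open `./tests/windows/wks14/vmware-vmx.exe`. As shown, the wks14 steps would run against whatever file already sits at that path (or fail if none does), and the wks12 copy that was just patched is overwritten with an unpatched wks14 binary; the destination should read `'./tests/windows/wks14/vmware-vmx.exe'`. The `+`/`-` markers are lost on this page, so whether the line is new or context cannot be told, but the hunk counts suggest it is present on the new side. The last hunk also still shows `esxiconfig.main('./tests/esxi/esxi650/config.xml')` although the commit appears to delete the ESXi config script, so it is worth confirming that call does not survive in the new file. `main()` begins and ends outside the visible hunks.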


@ -1,6 +1,6 @@
@echo off
setlocal ENABLEEXTENSIONS
echo VMware Unlocker 2.1.0
echo VMware Unlocker 2.1.1
echo ========================
echo (c) Dave Parsons 2011-17


@ -1,6 +1,6 @@
@echo off
setlocal ENABLEEXTENSIONS
echo VMware Unlocker 2.1.0
echo VMware Unlocker 2.1.1
echo ========================
echo (c) Dave Parsons 2011-17


@ -1,6 +1,6 @@
@echo off
setlocal ENABLEEXTENSIONS
echo VMware Unlocker 2.1.0
echo VMware Unlocker 2.1.1
echo ========================
echo (c) Dave Parsons 2011-17


@ -1,7 +1,7 @@
@echo off
setlocal ENABLEEXTENSIONS
echo VMware Get macOS Tools 2.1.0
echo ===========================++
echo VMware Get macOS Tools 2.1.1
echo =============================
echo (c) Dave Parsons 2015-17
net session >NUL 2>&1


@ -1,14 +0,0 @@
#!/usr/bin/python
import argparse
parser = argparse.ArgumentParser()
osnames = ['darwin', 'linux', 'vmkernel', 'windows']
parser.add_argument('-v', '--vmx', help='vmx file', dest='vmx', action='store', type=argparse.FileType('r+b'))
parser.add_argument('-d', '--vmx-debug', help='vmx-debug file', dest='vmx_debug', action='store', type=argparse.FileType('r+b'))
parser.add_argument('-s', '--vmx-stats', help='vmx-stats file', dest='vmx_stats', action='store', type=argparse.FileType('r+b'))
parser.add_argument('-b', '--vmbase', help='vmwarebase file', dest='vmwarebase', action='store', type=argparse.FileType('r+b'))
parser.add_argument('-k', '--vmkctl', help='vmkctl file', dest='vmkctl', action='store', type=argparse.FileType('r+b'))
parser.add_argument('-o', '--osname', help='OS type', dest='osname', action='store', choices=osnames)
args = parser.parse_args()
parser.print_help()
print args


@ -1,86 +0,0 @@
#!/usr/bin/env python
"""
This is a simple method to modify the hostd XML file
Not using XML on ESXi Python as it does not preserve
formatting or comments.
(This could be sed but cannot find a suitable regex.)
"""
from __future__ import print_function
import sys
def testline(line, test):
sline = line.lstrip()
if sline == test:
return True
else:
return False
def main(filename):
vmsvc = '<vmsvc>\n'
starttag = '<useVmxSandbox>'
endtag = '</useVmxSandbox>'
with open(filename, 'r+') as f:
data = f.readlines()
# Search for the relevant XML tags
i = 0
vmsvcindex = 0
sandboxindex = 0
for line in data:
if testline(line, vmsvc):
vmsvcindex = i
if testline(line, starttag):
sandboxindex = i
# print(line, end='')
i += 1
# If vmsvc tag not found then file is probably corrupt
if vmsvcindex is None:
print('ESXi Config - config.xml is corrupt')
return False
# Remove the existing line if prsent
del data[sandboxindex]
# Now add line with correct flag
pad = len(data[vmsvcindex + 1]) - len(data[vmsvcindex + 1].lstrip())
if sys.argv[1] in ['on', 'off']:
pass
if sys.argv[1] == 'off':
print('ESXi Config - useVmxSandbox off')
data.insert(vmsvcindex + 1, (" " * pad) + 'false')
elif sys.argv[1] == 'on':
print('ESXi Config - useVmxSandbox on')
data.insert(vmsvcindex + 1, (" " * pad) + 'true')
else:
print('ESXi Config - Incorrect paramter passed')
return False
# Rewrite the config.xml file
f.seek(0)
f.write(''.join(data))
f.truncate()
f.close()
return True
if __name__ == '__main__':
if len(sys.argv) == 1:
sys.exit(1)
if main('/etc/vmware/hostd/config.xml'):
sys.exit(0)
else:
sys.exit(1)


@ -1,16 +0,0 @@
import plistlib
smbiosdb = plistlib.readPlist('smbiosdb.plist')
# print header
print 'hw.model' + '\t' + 'family' + '\t' + 'board-id' + '\t' + 'serial.type' + '\t' + 'eee.code' + '\t' + \
'bios.version' + '\t' + 'y1' + '\t' + 'y2' + '\t' + 'y3' + '\t' + 'y4'
for model in smbiosdb.keys():
data = smbiosdb[model]
for s in data:
line = s['SMproductname'] + '\t' + s['SMfamily'] + '\t' + s['SMboardproduct'] + '\t' + str(len(s['SMserial'])) \
+ '\t' + s['Number'] + '\t' + s['SMbiosversion']
for y in s['Years']:
line = line + '\t' + y
print line


@ -1,232 +0,0 @@
"""
The MIT License (MIT)
Copyright (c) 2016 Dave Parsons
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the 'Software'), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
"""
import json
import random
import string
import sys
# Years and months
# 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022
years = ['C', 'D', 'F', 'G', 'H', 'J', 'K', 'L', 'M', 'N', 'P', 'Q', 'R', 'T', 'V', 'W', 'X', 'Y', '1', '2', '3', '4',
'5', '6', '7', '8']
# Week numbers from 1-52
# B is used to shift indexing to 1 and is not used
weeks = ['B', 'C', 'D', 'F', 'G', 'H', 'J', 'K', 'L', 'M', 'N', 'P', 'Q', 'R', 'T', 'V', 'W', 'X', 'Y', '1', '2', '3',
'4', '5', '6', '7', '8',
'C', 'D', 'F', 'G', 'H', 'J', 'K', 'L', 'M', 'N', 'P', 'Q', 'R', 'T', 'V', 'W', 'X', 'Y', '1', '2', '3', '4',
'5', '6', '7', '8']
# Values to generate 3 code production number
production = ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U',
'V', 'W', 'X', 'Y', 'Z',
'0', '1', '2', '3', '4', '5', '6', '7', '8', '9']
# MLB codes
ttt = ['200', '600', '403', '404', '405', '303', '108', '207', '609', '501', '306', '102', '701', '301', '501',
'101', '300', '130', '100', '270', '310', '902', '104', '401', '902', '500', '700', '802']
cc = ['GU', '4N', 'J9', 'QX', 'OP', 'CD', 'GU']
eeee = ['DYWF', 'F117', 'F502', 'F505', 'F9GY', 'F9H0', 'F9H1', 'F9H2', 'DYWD', 'F504', 'F116', 'F503', 'F2FR',
'F653', 'F49P', 'F651', 'F49R', 'F652', 'DYW3', 'F64V', 'F0V5', 'F64W', 'FF4G', 'FF4H', 'FF4J', 'FF4K',
'FF4L', 'FF4M', 'FF4N', 'FF4P', 'DNY3', 'DP00', 'DJWK', 'DM66', 'DNJK', 'DKG1', 'DM65', 'DNJJ', 'DKG2',
'DM67', 'DNJL', 'DJWM', 'DMT3', 'DMT5', 'DJWN', 'DM69', 'DJWP', 'DM6C']
kk = ['1H', '1M', 'AD', '1F', 'A8', 'UE', 'JA', 'JC', '8C', 'CB', 'FB']
# Loaded JSON model database
smbiosdb = {}
model = None
year = 2010
week = 1
yearweek = None
run = None
mlb = None
rom = None
def loaddb():
global smbiosdb
# Load the json database file
with open('smbiosdb.json') as json_file:
smbiosdb = json.load(json_file)
def getmlb():
global mlb
if model['serial.type'] == 11:
mlb = yearweek + '0' + run + id_generator(4)
elif model['serial.type'] == 12:
mlb = 'C02{0}{1}{2}{3}{4}{5}'.format(str(year - 2010), str(week).zfill(2), random.choice(ttt),
random.choice(cc), random.choice(eeee), random.choice(kk))
else:
pass
def getmodel():
global model
modeltype = None
# Build a menu with the types of Mac to select hw.model
modeltypes = ['iMac', 'Mac mini', 'Mac Pro', 'MacBook', 'MacBook Air', 'MacBook Pro']
print("[1] iMac\n[2] Mac mini\n[3] Mac Pro\n[4] MacBook\n[5] MacBook Air\n[6] MacBook Pro\n")
while True:
try:
index = int(raw_input('Please enter model family [1-6]: '))
except KeyboardInterrupt:
print "Goodbye!"
sys.exit(0)
except ValueError:
print "This is not a number."
else:
if (index >= 1) and (index <= 6):
modeltype = modeltypes[index - 1]
break
else:
print 'Invalid model family selected: ', index
# Now build a menu with selected models
i = 1
models = []
for m in smbiosdb:
if m['family'] == modeltype:
print '[' + str(i) + '] ' + m['hw.model']
models.append(m['hw.model'])
i += 1
while True:
try:
index = int(raw_input('Please enter model [1-{}]: '.format(i - 1)))
except KeyboardInterrupt:
print "Goodbye!"
sys.exit(0)
except ValueError:
print "This is not a number."
else:
if (index >= 1) and (index <= (i - 1)):
model = models[index - 1]
break
else:
print 'Invalid model selected: ', index
for m in smbiosdb:
if m['hw.model'] == model:
model = m
def getrom():
global rom
# Using an Apple Wifi ethernet OUI AC:BC:32
rom = "acbc32%02x%02x%02x" % (
random.randint(0, 255),
random.randint(0, 255),
random.randint(0, 255),
)
def getrun():
global run
# Generate 3 random characters from list
run = id_generator()
def getweek():
global year
global week
global yearweek
# Get the serial number type
serlen = model['serial.type']
# Save year for MLB processing
year = model['y1']
# Get a week number
while True:
try:
week = int(input('Please enter week for year {0} (1 - 52): '.format(year)))
except KeyboardInterrupt:
print "Goodbye!"
sys.exit(0)
except ValueError:
print "This is not a week number."
else:
if (week >= 1) and (week <= 52):
break
else:
print 'Invalid week: ', week
# Format date based on serial number length
if serlen == 11:
yearweek = 'CK{0}{1}'.format(str(year)[-1], str(week).zfill(2))
elif serlen == 12:
index_year = (year - 2010) * 2
if week <= 27:
yearweek = 'C02{0}{1}'.format(years[index_year], weeks[week])
else:
yearweek = 'C02{0}{1}'.format(years[index_year + 1], weeks[week])
else:
return
def id_generator(size=3, chars=string.ascii_uppercase + string.digits):
return ''.join(random.choice(chars) for _ in range(size))
def main():
loaddb()
getmodel()
getweek()
getrun()
getmlb()
getrom()
print
print '# Passthru host definitions - FALSE'
print 'board-id.reflectHost = "FALSE"'
print 'hw.model.reflectHost = "FALSE"'
print 'serialNumber.reflectHost = "FALSE"'
print 'smbios.reflectHost = "FALSE"'
print 'efi.nvram.var.ROM.reflectHost = "FALSE"'
print 'efi.nvram.var.MLB.reflectHost = "FALSE"'
print 'SMBIOS.use12CharSerialNumber = "TRUE"'
print 'smc.version = "0"'
print
print '# Generated information'
print 'hw.model = "{0}"'.format(model['hw.model'])
print 'board-id = "{0}"'.format(model['board-id'])
print 'serialNumber = "{0}{1}{2}"'.format(yearweek, run, model['eee.code'])
print 'efi.nvram.var.ROM = "{0}"'.format(rom)
print 'efi.nvram.var.MLB = "{0}"'.format(mlb)
print
if __name__ == '__main__':
main()


@ -1,45 +0,0 @@
#!/usr/bin/env python
from __future__ import print_function
import sys
import xml.etree.ElementTree as ET
def main():
dom = ET.ElementTree(file='./samples/config.xml')
vmsvcpath = './/plugins//vmsvc'
sandboxpath = './/plugins//vmsvc//useVmxSandbox'
vmsvc = ET.ElementTree.find(dom, vmsvcpath)
sandbox = ET.ElementTree.find(dom, sandboxpath)
if vmsvc is None:
print('ESXi Config - config.xml is corrupt')
return False
else:
if sandbox is None:
sandbox = ET.Element('useVmxSandbox')
sandbox.text = 'false'
vmsvc.append(sandbox)
sandbox = ET.ElementTree.find(dom, sandboxpath)
if sys.argv[1] == 'off':
sandbox.text = 'false'
elif sys.argv[1] == 'on':
sandbox.text = 'true'
else:
print('ESXi Config - Error no or incorrect paramter passed')
return False
dom.write('./samples/output.xml')
return True
if __name__ == '__main__':
if len(sys.argv) == 1:
sys.exit(1)
if main():
sys.exit(0)
else:
sys.exit(1)


@ -1,578 +0,0 @@
[
{
"family": "MacBook Air",
"hw.model": "MacBookAir5,2",
"board-id": "Mac-2E6FAB96566FE58C",
"serial.type": 12,
"eee.code": "DRVC",
"bios.version": "MBA51.88Z.00EF.B00.1205221442",
"y1": 2013,
"y2": 2012,
"y3": null,
"y4": null
},
{
"family": "MacBook Air",
"hw.model": "MacBookAir6,2",
"board-id": "Mac-7DF21CB3ED6977E5",
"serial.type": 12,
"eee.code": "F5V8",
"bios.version": "MBA61.88Z.0099.B04.1305241529",
"y1": 2013,
"y2": null,
"y3": null,
"y4": null
},
{
"family": "iMac",
"hw.model": "iMac8,1",
"board-id": "Mac-F227BEC8",
"serial.type": 11,
"eee.code": "ZE3",
"bios.version": "IM81.88Z.00C1.B00.0802091538",
"y1": 2009,
"y2": 2008,
"y3": null,
"y4": null
},
{
"family": "iMac",
"hw.model": "iMac9,1",
"board-id": "Mac-F2218EC8",
"serial.type": 11,
"eee.code": "0TF",
"bios.version": "IM91.88Z.008D.B00.0901142258",
"y1": 2009,
"y2": null,
"y3": null,
"y4": null
},
{
"family": "iMac",
"hw.model": "iMac10,1",
"board-id": "Mac-F2268CC8",
"serial.type": 11,
"eee.code": "B9U",
"bios.version": "IM101.88Z.00CC.B00.0909031926",
"y1": 2010,
"y2": 2009,
"y3": null,
"y4": null
},
{
"family": "iMac",
"hw.model": "iMac11,1",
"board-id": "Mac-F2268DAE",
"serial.type": 11,
"eee.code": "5RU",
"bios.version": "IM111.88Z.0034.B02.1003171314",
"y1": 2010,
"y2": 2009,
"y3": null,
"y4": null
},
{
"family": "iMac",
"hw.model": "iMac11,2",
"board-id": "Mac-F2238AC8",
"serial.type": 11,
"eee.code": "DNN",
"bios.version": "IM112.88Z.0057.B00.1005031455",
"y1": 2011,
"y2": 2010,
"y3": null,
"y4": null
},
{
"family": "iMac",
"hw.model": "iMac11,3",
"board-id": "Mac-F2238BAE",
"serial.type": 11,
"eee.code": "DB6",
"bios.version": "IM112.88Z.0057.B00.1005051455",
"y1": 2011,
"y2": 2010,
"y3": null,
"y4": null
},
{
"family": "iMac",
"hw.model": "iMac12,1",
"board-id": "Mac-942B5BF58194151B",
"serial.type": 12,
"eee.code": "DHJT",
"bios.version": "IM121.88Z.0047.B0A.1104221555",
"y1": 2012,
"y2": 2011,
"y3": null,
"y4": null
},
{
"family": "iMac",
"hw.model": "iMac12,2",
"board-id": "Mac-942B59F58194171B",
"serial.type": 12,
"eee.code": "DHJP",
"bios.version": "IM121.88Z.0047.B1D.1110171110",
"y1": 2012,
"y2": 2011,
"y3": null,
"y4": null
},
{
"family": "iMac",
"hw.model": "iMac13,1",
"board-id": "Mac-00BE6ED71E35EB86",
"serial.type": 12,
"eee.code": "DNCT",
"bios.version": "IM131.88Z.010A.B05.1209042338",
"y1": 2013,
"y2": 2012,
"y3": null,
"y4": null
},
{
"family": "iMac",
"hw.model": "iMac13,2",
"board-id": "Mac-FC02E91DDD3FA6A4",
"serial.type": 12,
"eee.code": "DNMP",
"bios.version": "IM131.88Z.010A.B05.1210121459",
"y1": 2013,
"y2": 2012,
"y3": null,
"y4": null
},
{
"family": "iMac",
"hw.model": "iMac14,1",
"board-id": "Mac-031B6874CF7F642A",
"serial.type": 12,
"eee.code": "F8J3",
"bios.version": "IM141.88Z.0118.B00.1309031248",
"y1": 2013,
"y2": null,
"y3": null,
"y4": null
},
{
"family": "iMac",
"hw.model": "iMac14,2",
"board-id": "Mac-27ADBB7B4CEE8E61",
"serial.type": 12,
"eee.code": "F8JC",
"bios.version": "IM142.88Z.0118.B00.1309031249",
"y1": 2013,
"y2": null,
"y3": null,
"y4": null
},
{
"family": "iMac",
"hw.model": "iMac15,1",
"board-id": "Mac-42FD25EABCABB274",
"serial.type": 12,
"eee.code": "FY11",
"bios.version": "IM151.88Z.0207.B00.1409291931",
"y1": 2014,
"y2": null,
"y3": null,
"y4": null
},
{
"family": "MacBook Pro",
"hw.model": "MacBookPro1,1",
"board-id": "Mac-F425BEC8",
"serial.type": 11,
"eee.code": "VJ1",
"bios.version": "MBP11.88Z.0055.B08.0610121325",
"y1": 2008,
"y2": 2007,
"y3": null,
"y4": null
},
{
"family": "MacBook Pro",
"hw.model": "MacBookPro3,1",
"board-id": "Mac-F4238BC8",
"serial.type": 11,
"eee.code": "X91",
"bios.version": "MBP31.88Z.0070.B07.0803051658",
"y1": 2008,
"y2": 2007,
"y3": null,
"y4": null
},
{
"family": "MacBook Pro",
"hw.model": "MacBookPro4,1",
"board-id": "Mac-F42C89C8",
"serial.type": 11,
"eee.code": "YP4",
"bios.version": "MBP41.88Z.00C1.B00.0802091544",
"y1": 2008,
"y2": null,
"y3": null,
"y4": null
},
{
"family": "MacBook Pro",
"hw.model": "MacBookPro5,1",
"board-id": "Mac-F42D86C8",
"serial.type": 11,
"eee.code": "1G0",
"bios.version": "MBP51.88Z.007E.B05.0905051508",
"y1": 2009,
"y2": 2008,
"y3": null,
"y4": null
},
{
"family": "MacBook Pro",
"hw.model": "MacBookPro5,4",
"board-id": "Mac-F22587A1",
"serial.type": 11,
"eee.code": "7XK",
"bios.version": "MBP53.88Z.00AC.B03.0906151647",
"y1": 2010,
"y2": 2009,
"y3": null,
"y4": null
},
{
"family": "MacBook Pro",
"hw.model": "MacBookPro5,5",
"board-id": "Mac-F2268AC8",
"serial.type": 11,
"eee.code": "66D",
"bios.version": "MBP55.88Z.00AC.B03.0906151708",
"y1": 2010,
"y2": 2009,
"y3": null,
"y4": null
},
{
"family": "MacBook Pro",
"hw.model": "MacBookPro6,1",
"board-id": "Mac-F22589C8",
"serial.type": 12,
"eee.code": "DC79",
"bios.version": "MBP61.88Z.0057.B0C.1007261552",
"y1": 2011,
"y2": 2010,
"y3": null,
"y4": null
},
{
"family": "MacBook Pro",
"hw.model": "MacBookPro6,2",
"board-id": "Mac-F22589C8",
"serial.type": 11,
"eee.code": "AGW",
"bios.version": "MBP61.88Z.0057.B0C.1007261552",
"y1": 2011,
"y2": 2010,
"y3": null,
"y4": null
},
{
"family": "MacBook Pro",
"hw.model": "MacBookPro7,1",
"board-id": "Mac-F222BEC8",
"serial.type": 11,
"eee.code": "ATM",
"bios.version": "MBP71.88Z.0039.B05.1003251322",
"y1": 2011,
"y2": 2010,
"y3": null,
"y4": null
},
{
"family": "MacBook Pro",
"hw.model": "MacBookPro8,1",
"board-id": "Mac-94245B3640C91C81",
"serial.type": 12,
"eee.code": "DH2G",
"bios.version": "MBP81.88Z.0047.B0E.1104221557",
"y1": 2012,
"y2": 2011,
"y3": null,
"y4": null
},
{
"family": "MacBook Pro",
"hw.model": "MacBookPro8,2",
"board-id": "Mac-94245A3940C91C80",
"serial.type": 12,
"eee.code": "DF8X",
"bios.version": "MBP81.88Z.0047.B24.1110141131",
"y1": 2012,
"y2": 2011,
"y3": null,
"y4": null
},
{
"family": "MacBook Pro",
"hw.model": "MacBookPro8,3",
"board-id": "Mac-942459F5819B171B",
"serial.type": 12,
"eee.code": "DF92",
"bios.version": "MBP81.88Z.0047.B26.1110311252",
"y1": 2012,
"y2": 2011,
"y3": null,
"y4": null
},
{
"family": "MacBook Pro",
"hw.model": "MacBookPro9,1",
"board-id": "Mac-4B7AC7E43945597E",
"serial.type": 12,
"eee.code": "F1G4",
"bios.version": "MBP91.88Z.00D3.B00.1203211536",
"y1": 2013,
"y2": 2012,
"y3": null,
"y4": null
},
{
"family": "MacBook Pro",
"hw.model": "MacBookPro9,2",
"board-id": "Mac-6F01561E16C75D06",
"serial.type": 12,
"eee.code": "DTY3",
"bios.version": "MBP91.88Z.00D3.B00.1203211536",
"y1": 2013,
"y2": 2012,
"y3": null,
"y4": null
},
{
"family": "MacBook Pro",
"hw.model": "MacBookPro10,1",
"board-id": "Mac-C3EC7CD22292981F",
"serial.type": 12,
"eee.code": "DKQ1",
"bios.version": "MBP101.88Z.00EE.B00.1205101839",
"y1": 2013,
"y2": 2012,
"y3": null,
"y4": null
},
{
"family": "MacBook Pro",
"hw.model": "MacBookPro11,1",
"board-id": "Mac-189A3D4F975D5FFC",
"serial.type": 12,
"eee.code": "FGYY",
"bios.version": "MBP111.88Z.0138.B03.1310291227",
"y1": 2013,
"y2": null,
"y3": null,
"y4": null
},
{
"family": "MacBook Pro",
"hw.model": "MacBookPro11,2",
"board-id": "Mac-3CBD00234E554E41",
"serial.type": 12,
"eee.code": "FD56",
"bios.version": "MBP112.88Z.0138.B02.1310181745",
"y1": 2013,
"y2": null,
"y3": null,
"y4": null
},
{
"family": "Mac mini",
"hw.model": "Macmini1,1",
"board-id": "Mac-F4208EC8",
"serial.type": 11,
"eee.code": "U35",
"bios.version": "MM11.88Z.0055.B08.0610121326",
"y1": 2007,
"y2": 2006,
"y3": null,
"y4": null
},
{
"family": "Mac mini",
"hw.model": "Macmini2,1",
"board-id": "Mac-F4208EAA",
"serial.type": 11,
"eee.code": "YL2",
"bios.version": "MM21.88Z.009A.B00.0706281359",
"y1": 2007,
"y2": 2006,
"y3": null,
"y4": null
},
{
"family": "Mac mini",
"hw.model": "Macmini3,1",
"board-id": "Mac-F22C86C8",
"serial.type": 11,
"eee.code": "19X",
"bios.version": "MM31.88Z.00AD.B00.0907171535",
"y1": 2009,
"y2": null,
"y3": null,
"y4": null
},
{
"family": "Mac mini",
"hw.model": "Macmini4,1",
"board-id": "Mac-F2208EC8",
"serial.type": 12,
"eee.code": "DD6H",
"bios.version": "MM41.88Z.0042.B03.1111072100",
"y1": 2011,
"y2": 2010,
"y3": null,
"y4": null
},
{
"family": "Mac mini",
"hw.model": "Macmini5,1",
"board-id": "Mac-8ED6AF5B48C039E1",
"serial.type": 12,
"eee.code": "DJD0",
"bios.version": "MM51.88Z.0077.B0F.1110201309",
"y1": 2012,
"y2": 2011,
"y3": null,
"y4": null
},
{
"family": "Mac mini",
"hw.model": "Macmini6,2",
"board-id": "Mac-F65AE981FFA204ED",
"serial.type": 12,
"eee.code": "DWYN",
"bios.version": "MM61.88Z.0106.B00.1208091121",
"y1": 2013,
"y2": 2012,
"y3": null,
"y4": null
},
{
"family": "Mac Pro",
"hw.model": "MacPro2,1",
"board-id": "Mac-F4208DC8",
"serial.type": 11,
"eee.code": "XYL",
"bios.version": "MP21.88Z.007F.B06.0707021348",
"y1": 2008,
"y2": 2007,
"y3": null,
"y4": null
},
{
"family": "Mac Pro",
"hw.model": "MacPro3,1",
"board-id": "Mac-F42C88C8",
"serial.type": 11,
"eee.code": "XYL",
"bios.version": "MP31.88Z.006C.B05.0802291410",
"y1": 2009,
"y2": 2008,
"y3": null,
"y4": null
},
{
"family": "Mac Pro",
"hw.model": "MacPro4,1",
"board-id": "Mac-F221BEC8",
"serial.type": 11,
"eee.code": "4PC",
"bios.version": "MP41.88Z.0081.B08.1001221313",
"y1": 2010,
"y2": 2009,
"y3": null,
"y4": null
},
{
"family": "Mac Pro",
"hw.model": "MacPro5,1",
"board-id": "Mac-F221BEC8",
"serial.type": 11,
"eee.code": "EUH",
"bios.version": "MP51.88Z.007F.B03.1010071432",
"y1": 2013,
"y2": 2012,
"y3": 2011,
"y4": 2010
},
{
"family": "Mac Pro",
"hw.model": "MacPro6,1",
"board-id": "Mac-F60DEB81FF30ACF6",
"serial.type": 12,
"eee.code": "F693",
"bios.version": "MP61.88Z.0116.B04.1312061508",
"y1": 2013,
"y2": null,
"y3": null,
"y4": null
},
{
"family": "MacBook",
"hw.model": "MacBook2,1",
"board-id": "Mac-F4208CA9",
"serial.type": 11,
"eee.code": "YA4",
"bios.version": "MB21.88Z.00A5.B07.0706270922",
"y1": 2007,
"y2": 2006,
"y3": null,
"y4": null
},
{
"family": "MacBook",
"hw.model": "MacBook3,1",
"board-id": "Mac-F22788C8",
"serial.type": 11,
"eee.code": "Y51",
"bios.version": "MB31.008E.B02.0803051832",
"y1": 2008,
"y2": 2007,
"y3": null,
"y4": null
},
{
"family": "MacBook",
"hw.model": "MacBook4,1",
"board-id": "Mac-F22788A9",
"serial.type": 11,
"eee.code": "0P0",
"bios.version": "MB41.88Z.00C1.B00.0802091535",
"y1": 2008,
"y2": null,
"y3": null,
"y4": null
},
{
"family": "MacBook",
"hw.model": "MacBook5,1",
"board-id": "Mac-F42D89C8",
"serial.type": 11,
"eee.code": "1AQ",
"bios.version": "MB51.88Z.0073.B06.0810291326",
"y1": 2009,
"y2": 2008,
"y3": null,
"y4": null
},
{
"family": "MacBook",
"hw.model": "MacBook9,1",
"board-id": "Mac-9AE82516C7C6B903",
"serial.type": 12,
"eee.code": "GTHV",
"bios.version": "MB91.88Z.0154.B00.1603041656",
"y1": 2016,
"y2": null,
"y3": null,
"y4": null
}
]



@ -1 +0,0 @@
family hw.model board-id serial.type eee.code bios.version y1 y2 y3 y4 MacBook Air MacBookAir5,2 Mac-2E6FAB96566FE58C 12 DRVC MBA51.88Z.00EF.B00.1205221442 2013 2012 MacBook Air MacBookAir6,2 Mac-7DF21CB3ED6977E5 12 F5V8 MBA61.88Z.0099.B04.1305241529 2013 iMac iMac8,1 Mac-F227BEC8 11 ZE3 IM81.88Z.00C1.B00.0802091538 2009 2008 iMac iMac9,1 Mac-F2218EC8 11 0TF IM91.88Z.008D.B00.0901142258 2009 iMac iMac10,1 Mac-F2268CC8 11 B9U IM101.88Z.00CC.B00.0909031926 2010 2009 iMac iMac11,1 Mac-F2268DAE 11 5RU IM111.88Z.0034.B02.1003171314 2010 2009 iMac iMac11,2 Mac-F2238AC8 11 DNN IM112.88Z.0057.B00.1005031455 2011 2010 iMac iMac11,3 Mac-F2238BAE 11 DB6 IM112.88Z.0057.B00.1005051455 2011 2010 iMac iMac12,1 Mac-942B5BF58194151B 12 DHJT IM121.88Z.0047.B0A.1104221555 2012 2011 iMac iMac12,2 Mac-942B59F58194171B 12 DHJP IM121.88Z.0047.B1D.1110171110 2012 2011 iMac iMac13,1 Mac-00BE6ED71E35EB86 12 DNCT IM131.88Z.010A.B05.1209042338 2013 2012 iMac iMac13,2 Mac-FC02E91DDD3FA6A4 12 DNMP IM131.88Z.010A.B05.1210121459 2013 2012 iMac iMac14,1 Mac-031B6874CF7F642A 12 F8J3 IM141.88Z.0118.B00.1309031248 2013 iMac iMac14,2 Mac-27ADBB7B4CEE8E61 12 F8JC IM142.88Z.0118.B00.1309031249 2013 iMac iMac15,1 Mac-42FD25EABCABB274 12 FY11 IM151.88Z.0207.B00.1409291931 2014 MacBook Pro MacBookPro1,1 Mac-F425BEC8 11 VJ1 MBP11.88Z.0055.B08.0610121325 2008 2007 MacBook Pro MacBookPro3,1 Mac-F4238BC8 11 X91 MBP31.88Z.0070.B07.0803051658 2008 2007 MacBook Pro MacBookPro4,1 Mac-F42C89C8 11 YP4 MBP41.88Z.00C1.B00.0802091544 2008 MacBook Pro MacBookPro5,1 Mac-F42D86C8 11 1G0 MBP51.88Z.007E.B05.0905051508 2009 2008 MacBook Pro MacBookPro5,4 Mac-F22587A1 11 7XK MBP53.88Z.00AC.B03.0906151647 2010 2009 MacBook Pro MacBookPro5,5 Mac-F2268AC8 11 66D MBP55.88Z.00AC.B03.0906151708 2010 2009 MacBook Pro MacBookPro6,1 Mac-F22589C8 12 DC79 MBP61.88Z.0057.B0C.1007261552 2011 2010 MacBook Pro MacBookPro6,2 Mac-F22589C8 11 AGW MBP61.88Z.0057.B0C.1007261552 2011 2010 MacBook Pro MacBookPro7,1 Mac-F222BEC8 11 ATM 
MBP71.88Z.0039.B05.1003251322 2011 2010 MacBook Pro MacBookPro8,1 Mac-94245B3640C91C81 12 DH2G MBP81.88Z.0047.B0E.1104221557 2012 2011 MacBook Pro MacBookPro8,2 Mac-94245A3940C91C80 12 DF8X MBP81.88Z.0047.B24.1110141131 2012 2011 MacBook Pro MacBookPro8,3 Mac-942459F5819B171B 12 DF92 MBP81.88Z.0047.B26.1110311252 2012 2011 MacBook Pro MacBookPro9,1 Mac-4B7AC7E43945597E 12 F1G4 MBP91.88Z.00D3.B00.1203211536 2013 2012 MacBook Pro MacBookPro9,2 Mac-6F01561E16C75D06 12 DTY3 MBP91.88Z.00D3.B00.1203211536 2013 2012 MacBook Pro MacBookPro10,1 Mac-C3EC7CD22292981F 12 DKQ1 MBP101.88Z.00EE.B00.1205101839 2013 2012 MacBook Pro MacBookPro11,1 Mac-189A3D4F975D5FFC 12 FGYY MBP111.88Z.0138.B03.1310291227 2013 MacBook Pro MacBookPro11,2 Mac-3CBD00234E554E41 12 FD56 MBP112.88Z.0138.B02.1310181745 2013 Mac mini Macmini1,1 Mac-F4208EC8 11 U35 MM11.88Z.0055.B08.0610121326 2007 2006 Mac mini Macmini2,1 Mac-F4208EAA 11 YL2 MM21.88Z.009A.B00.0706281359 2007 2006 Mac mini Macmini3,1 Mac-F22C86C8 11 19X MM31.88Z.00AD.B00.0907171535 2009 Mac mini Macmini4,1 Mac-F2208EC8 12 DD6H MM41.88Z.0042.B03.1111072100 2011 2010 Mac mini Macmini5,1 Mac-8ED6AF5B48C039E1 12 DJD0 MM51.88Z.0077.B0F.1110201309 2012 2011 Mac mini Macmini6,2 Mac-F65AE981FFA204ED 12 DWYN MM61.88Z.0106.B00.1208091121 2013 2012 Mac Pro MacPro2,1 Mac-F4208DC8 11 XYL MP21.88Z.007F.B06.0707021348 2008 2007 Mac Pro MacPro3,1 Mac-F42C88C8 11 XYL MP31.88Z.006C.B05.0802291410 2009 2008 Mac Pro MacPro4,1 Mac-F221BEC8 11 4PC MP41.88Z.0081.B08.1001221313 2010 2009 Mac Pro MacPro5,1 Mac-F221BEC8 11 EUH MP51.88Z.007F.B03.1010071432 2013 2012 2011 2010 Mac Pro MacPro6,1 Mac-F60DEB81FF30ACF6 12 F693 MP61.88Z.0116.B04.1312061508 2013 MacBook MacBook2,1 Mac-F4208CA9 11 YA4 MB21.88Z.00A5.B07.0706270922 2007 2006 MacBook MacBook3,1 Mac-F22788C8 11 Y51 MB31.008E.B02.0803051832 2008 2007 MacBook MacBook4,1 Mac-F22788A9 11 0P0 MB41.88Z.00C1.B00.0802091535 2008 MacBook MacBook5,1 Mac-F42D89C8 11 1AQ MB51.88Z.0073.B06.0810291326 2009 2008


@ -1,276 +0,0 @@
--- unlocker.py 2015-06-19 15:45:49.557221936 -1000
+++ unlocker-sam.py 2015-06-19 15:46:27.238391426 -1000
@@ -75,51 +75,208 @@
+ ' ' + hex(smc_key[4]) \
+ ' ' + bytetohex(smc_data)
-E_CLASS64 = 2;
-E_SHT_RELA = 4;
+E_CLASS32 = 1
+E_CLASS64 = 2
+E_SHT_STRTAB = 3
+E_SHT_RELA = 4
+E_SHT_DYNSYM = 11
+
+# Indexes for e_ident
+EI_MAGIC = 0
+EI_CLASS = 1
+EI_DATA = 2
+EI_VERSION = 3
+EI_OSABI = 4
+EI_ABIVERSION = 5
+EI_PAD = 6
+
+# Data Types
+ELFDATA2LSB = 1
+ELFDATA2MSB = 2
+
+EI_PACK = '!LBBBBB7B'
+
+ehPack = ''
+shPack = ''
+relaPack = ''
+dynSymPack = ''
+
+def readELF_sh(f, offset, shPack, e_shstr_off = None):
+ f.seek(offset)
+ e_sh_raw = struct.unpack(shPack, f.read(struct.calcsize(shPack)))
+ e_sh_entry = dict(
+ name = e_sh_raw[0],
+ type = e_sh_raw[1],
+ flags = e_sh_raw[2],
+ addr = e_sh_raw[3],
+ offset = e_sh_raw[4],
+ size = e_sh_raw[5],
+ link = e_sh_raw[6],
+ info = e_sh_raw[7],
+ addralign = e_sh_raw[8],
+ entsize = e_sh_raw[9]
+ )
+ if e_sh_entry['entsize'] != 0:
+ e_sh_entry['nument'] = e_sh_entry['size'] / e_sh_entry['entsize']
+ else:
+ e_sh_entry['nument'] = 0
+
+
+ if e_shstr_off is not None:
+ f.seek(e_shstr_off + e_sh_entry['name'])
+ e_sh_entry['nameText'] = f.read(0x40).split(b'\x00')[0]
+ else:
+ e_sh_entry['nameText'] = ''
+
+ return e_sh_entry
+
+def readELF_sym(f, offset, dynSymPack):
+ f.seek(offset)
+ size = struct.calcsize(dynSymPack)
+ sym_raw = struct.unpack(dynSymPack, f.read(size))
+ if (size == 16):
+ sym = dict(
+ name = sym_raw[0],
+ value = sym_raw[1],
+ size = sym_raw[2],
+ info = sym_raw[3],
+ other = sym_raw[4],
+ shndx = sym_raw[5]
+ )
+ elif (size == 24):
+ sym = dict(
+ name = sym_raw[0],
+ info = sym_raw[1],
+ other = sym_raw[2],
+ shndx = sym_raw[3],
+ value = sym_raw[4],
+ size = sym_raw[5]
+ )
+ else:
+ raise Exception('Unknown size: {:d}'.format(size))
+
+ return sym
+
+def findSym(f, dynSymPack, dynsym_sh, dynstr_sh, symbol):
+ f.seek(dynstr_sh['offset'])
+ index = f.read(dynstr_sh['size']).find(symbol)
+ if index >= 0:
+ for i in range(0, dynsym_sh['nument']):
+ sym = readELF_sym(f, dynsym_sh['offset'] + dynsym_sh['entsize'] * i, dynSymPack)
+ if sym['name'] == index:
+ sym['nameText'] = symbol
+ print 'Found {:s} at index {:d}'.format(symbol, i)
+ return sym
+ return -1
+
+def readELF_hdr(f):
+ global ehPack, shPack, relaPack, dynSymPack
-def patchELF(f, oldOffset, newOffset):
f.seek(0)
- magic = f.read(4)
- if not magic == b'\x7fELF':
+ e_ident = struct.unpack(EI_PACK, f.read(16))
+ if not e_ident[EI_MAGIC] == 0x7F454C46:
raise Exception('Magic number does not match')
- ei_class = struct.unpack('=B', f.read(1))[0]
- if ei_class != E_CLASS64:
- raise Exception('Not 64bit elf header: ' + ei_class)
-
- f.seek(40)
- e_shoff = struct.unpack('=Q', f.read(8))[0]
- f.seek(58)
- e_shentsize = struct.unpack('=H', f.read(2))[0]
- e_shnum = struct.unpack('=H', f.read(2))[0]
- e_shstrndx = struct.unpack('=H', f.read(2))[0]
-
- #print 'e_shoff: 0x{:x} e_shentsize: 0x{:x} e_shnum:0x{:x} e_shstrndx:0x{:x}'.format(e_shoff, e_shentsize, e_shnum, e_shstrndx)
-
- for i in range(0, e_shnum):
- f.seek(e_shoff + i * e_shentsize)
- e_sh = struct.unpack('=LLQQQQLLQQ', f.read(e_shentsize))
- e_sh_name = e_sh[0]
- e_sh_type = e_sh[1]
- e_sh_offset = e_sh[4]
- e_sh_size = e_sh[5]
- e_sh_entsize = e_sh[9]
- if e_sh_type == E_SHT_RELA:
- e_sh_nument = e_sh_size / e_sh_entsize
- #print 'RELA at 0x{:x} with {:d} entries'.format(e_sh_offset, e_sh_nument)
- for j in range(0, e_sh_nument):
- f.seek(e_sh_offset + e_sh_entsize * j)
- rela = struct.unpack('=QQq', f.read(e_sh_entsize))
- r_offset = rela[0]
- r_info = rela[1]
- r_addend = rela[2]
- if r_addend == oldOffset:
- r_addend = newOffset;
- f.seek(e_sh_offset + e_sh_entsize * j)
- f.write(struct.pack('=QQq', r_offset, r_info, r_addend))
- print 'Relocation modified at: ' + hex(e_sh_offset + e_sh_entsize * j)
+ if e_ident[EI_DATA] == ELFDATA2LSB:
+ fileEncoding = '<'
+ elif e_ident[EI_DATA] == ELFDATA2MSB:
+ fileEncoding = '>'
+ else:
+ raise Exception('Invalid data encoding: {:d}'.format(e_ident[EI_DATA]))
+
+
+ if e_ident[EI_CLASS] == E_CLASS64:
+ ehPack = fileEncoding + 'HHLQQQLHHHHHH'
+ shPack = fileEncoding + 'LLQQQQLLQQ'
+ relaPack = fileEncoding + 'QQq'
+ dynSymPack = fileEncoding + 'LBBHQQ'
+ elif e_ident[EI_CLASS] == E_CLASS32:
+ ehPack = fileEncoding + 'HHLLLLLHHHHHH'
+ shPack = fileEncoding + 'LLLLLLLLLL'
+ relaPack = fileEncoding + 'LLl'
+ dynSymPack = fileEncoding + 'LLLBBH'
+ else:
+ raise Exception('Not 32 or 64bit elf header: {:d}'.format(e_ident[EI_CLASS]))
+
+ e_hdr_raw = struct.unpack(ehPack, f.read(struct.calcsize(ehPack)))
+ e_hdr = dict(
+ ident = e_ident,
+ type = e_hdr_raw[0],
+ machine = e_hdr_raw[1],
+ version = e_hdr_raw[2],
+ entry = e_hdr_raw[3],
+ phoff = e_hdr_raw[4],
+ shoff = e_hdr_raw[5],
+ flags = e_hdr_raw[6],
+ ehsize = e_hdr_raw[7],
+ phentsize = e_hdr_raw[8],
+ phnum = e_hdr_raw[9],
+ shentsize = e_hdr_raw[10],
+ shnum = e_hdr_raw[11],
+ shstrndx = e_hdr_raw[12]
+ )
+
+ # print 'e_shoff: 0x{:x} e_shentsize: 0x{:x} e_shnum:0x{:x} e_shstrndx:0x{:x}'.format(e_hdr['shoff'], e_hdr['shentsize'], e_hdr['shnum'], e_hdr['shstrndx'])
+
+ return e_hdr
+def patchELF_rela(f, oldOffset, newOffset):
+ e_hdr = readELF_hdr(f)
+
+ e_shstr_off = readELF_sh(f, e_hdr['shoff'] + e_hdr['shstrndx'] * e_hdr['shentsize'], shPack)['offset']
+
+ e_shs = []
+
+ for i in range(0, e_hdr['shnum']):
+ e_sh = readELF_sh(f, e_hdr['shoff'] + i * e_hdr['shentsize'], shPack, e_shstr_off)
+ e_shs.append(e_sh)
+
+ #print '{:s} at 0x{:x} with {:d} entries'.format(e_sh['nameText'], e_sh['offset'], e_sh['nument'])
+
+ if e_sh['type'] == E_SHT_RELA:
+ for j in range(0, e_sh['nument']):
+ f.seek(e_sh['offset'] + e_sh['entsize'] * j)
+ rela_raw = struct.unpack(relaPack, f.read(struct.calcsize(relaPack)))
+ rela = dict(offset = rela_raw[0], info = rela_raw[1], addend = rela_raw[2])
+ if rela['addend'] == oldOffset:
+ rela['addend'] = newOffset
+ f.seek(e_sh['offset'] + e_sh['entsize'] * j)
+ f.write(struct.pack(relaPack, rela['offset'], rela['info'], rela['addend']))
+ print 'Relocation modified at: ' + hex(e_sh['offset'] + e_sh['entsize'] * j) + ' 0x{:x}'.format(rela['offset'])
+
+def patchELF_dynsym(f, symbol, newASM):
+ e_hdr = readELF_hdr(f)
+
+ e_shstr_off = readELF_sh(f, e_hdr['shoff'] + e_hdr['shstrndx'] * e_hdr['shentsize'], shPack)['offset']
+ e_dynsym_idx = -1;
+ e_dynstr_idx = -1;
+
+ e_shs = []
+
+ for i in range(0, e_hdr['shnum']):
+ e_sh = readELF_sh(f, e_hdr['shoff'] + i * e_hdr['shentsize'], shPack, e_shstr_off)
+ e_shs.append(e_sh)
+
+ #print '{:s} at 0x{:x} with {:d} entries'.format(e_sh['nameText'], e_sh['offset'], e_sh['nument'])
+
+ if e_sh['type'] == E_SHT_DYNSYM:
+ if e_sh['nameText'] == '.dynsym':
+ e_dynsym_idx = i;
+ if e_dynsym_idx > 0 and e_dynstr_idx > 0:
+ sym = findSym(f, dynSymPack, e_shs[e_dynsym_idx], e_shs[e_dynstr_idx], symbol)
+
+ elif e_sh['type'] == E_SHT_STRTAB:
+ if e_sh['nameText'] == '.dynstr':
+ e_dynstr_idx = i;
+ if e_dynsym_idx > 0 and e_dynstr_idx > 0:
+ sym = findSym(f, dynSymPack, e_shs[e_dynsym_idx], e_shs[e_dynstr_idx], symbol)
+
+ if sym != -1:
+ print 'Patching SMC for symbol {:s} at 0x{:x}'.format(sym['nameText'], sym['value'])
+ f.seek(sym['value'])
+ f.write(newASM)
+ else:
+ print 'Unable to patch ' + symbol
def patchkeys(f, vmx, key, osname):
# Setup struct pack string
@@ -258,10 +415,9 @@
print
# Find matching RELA record in .rela.dyn in ESXi ELF files
- # This is temporary code until proper ELF parsing written
if osname == 'vmkernel':
print 'Modifying RELA records from: ' + hex(smc_old_memptr) + ' to ' + hex(smc_new_memptr)
- patchELF(f, smc_old_memptr, smc_new_memptr)
+ patchELF_rela(f, smc_old_memptr, smc_new_memptr)
# Tidy up
f.flush()
@@ -314,11 +470,7 @@
print 'smcPresent Patching: ' + name
f = open(name, 'r+b')
- # Read file into string variable
- vmkctl = f.read()
- applesmc = vmkctl.find('applesmc')
- f.seek(applesmc)
- f.write('vmkernel')
+ patchELF_dynsym(f, '_ZN6VmkCtl8Hardware16HardwareInfoImpl12IsSmcPresentEv', '\xb8\x01\x00\x00\x00\xc3')
# Tidy up
f.flush()

Binary file not shown.