Usage of csrutil and Standalone OS X 10.9 Recovery HD Backup

09/18 Update: 
Begin with 10.11.1, the Apple Internal flag won’t allowed to be set. This Apple Internal status provided by csrutil tool shall always be “Disabled” even if you set this bit in your csr-active-config.

08/19 Update:
An updated csrutil tool has been released with the DP7 of 10.11 El Capitan, bring more features to configure SIP:
-> Detailed SIP status report:

$ csrutil status

Output result like follows:

System Integrity Protection status: enabled (Custom Configuration).
Configuration:
        Apple Internal: disabled
        Kext Signing: disabled
        Filesystem Protections: enabled
        Debugging Restrictions: enabled
        DTrace Restrictions: enabled
        NVRAM Protections: enabled
        BaseSystem Verification: enabled

-> Custom SIP configuration supported (In Recovery OS):

# csrutil enable [--without kext|fs|debug|dtrace|nvram|basesystem] [--no-internal]

Examples:

# csrutil enable --without kext --without fs --without debug --without dtrace --without nvram --without basesystem

More examples below.
-> Other arguments provided like “netboot”, “clear” and “report”

Since Apple decide to put restriction towards the modification of certain NVRAM data, like “csr-active-config” variable is required by newly introduced System Integrity Protection (SIP), an Recovery OS from previous OS X build may needed to handle the NVRAM data freely.

Wondering what is SIP? SIP/Rooless Internal in El Capitan

Here comes the Recovery HD made from the latest build (10.9.5) of OS X Mavericks.
All credits goes to Apple Inc.

Download Link: MediaFire link

How to use this 10.9 Recovery HD backup:

1. Directly replace your current Recovery HD partition is not recommended. The present Recovery HD would be updated with the current OS.
2. This Recovery HD backup could be extracted to an external HFS+ partition (like USB Flash disk or external HDD) directly and ready to use. The size of the partition should be at least 650002432 Bytes, which is the standard size of the Recovery HD.
3. [Optional] To make it more like “genuine” Recovery HD, the partition type which contains this Recovery OS may set to “Apple Boot Partition” by using the following command:

$ sudo asr adjust --target /dev/diskXsX -settype "Apple_Boot"

Replace diskXsX with your own one.
4. Now boot into this 10.9.5 Recovery OS and now you can modify any nvram data you want.

Regarding the “csr-active-config”, this variable cannot be modified in 10.11 and 10.10. In the 10.11 Recovery OS, Apple provides csrutil tool to turn on/off SIP and it basically does the same job by modify this particular variable. By setting this variable manually, you can turn on/off every single protection inside the SIP and don’t need to rely on the csrutil to either enable or disable the entire SIP.
Here are some examples to manually set csr-active-config variable:
-> Fully enable SIP, default in 10.11:

# nvram csr-active-config=%00%00%00%00

This value is as same as running the following command in 10.11 Recovery:

# csrutil enable --no-internal

-> Fully enable SIP, with APPLE_INTERNAL bit set:

# nvram csr-active-config=%10%00%00%00

This value is as same as running the following command in 10.11 Recovery:

# csrutil enable

-> Disable SIP, not fully:

# nvram csr-active-config=%77%00%00%00

This value is as same as running the following command in 10.11 Recovery:

# csrutil disable

And of course you can set any valid bit as you wish since the csrutil cannot support this for now:
-> Only allow untrusted kext:

# nvram csr-active-config=%11%00%00%00

If use csrutil utility:

# csrutil enable --without kext

-> Allow untrusted kext & unrestricted file system:

# nvram csr-active-config=%13%00%00%00

If use csrutil utility:

# csrutil enable --without kext --without fs

-> Fully disable SIP:

# nvram csr-active-config=%ff%00%00%00

4 thoughts on “Usage of csrutil and Standalone OS X 10.9 Recovery HD Backup

  1. Safari 9.1.1 Safari 9.1.1 Mac OS X  10.11.5 Mac OS X 10.11.5
    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.17

    「Directly replace your current Recovery HD partition is not RECOMMANDED. The present Recovery HD would be updated with the current OS.」
    Should be RECOMMENDED. 🙂

    // typo…Oops.

    1. Google Chrome 51.0.2704.84 Google Chrome 51.0.2704.84 Windows 10 x64 Edition Windows 10 x64 Edition
      Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36

      You got that. 🙂 Thanks.

      1. Safari 9.1.1 Safari 9.1.1 Mac OS X  10.11.5 Mac OS X 10.11.5
        Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.17

        Good. And I cannot log in Telegram now… Oops.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.