Leopard Already Hacked To Run On PC Hardware
PoliTech passed us a PC World link, noting that the newest version of OS X, Leopard, has already been adapted to run on a PC. "The OSx86 Scene forum has released details of how Windows users can migrate to Apple's new OS, without investing in new hardware -- even though installing Leopard on a PC may be counter to Apple's terms and conditions. The forum is offering full instructions on how to install the system, including screenshots of the installation process. Not all the features of Leopard function with the patch -- Wi-Fi support, for example, is reportedly inoperable. Historically, Apple's likely next move will be to track down and act against those behind the hack."
But they do - at least a very broad range of PC hardware runs every build of Windows they make, for regression testing.
It's not as comprehensive, but they DO bother trying.
I am a registered ADC developer and so I had access to all the seeds. That was a godsend for dealing with the new 64-bit Objective-C runtime, but I also figured that since I had the seeds, well, why not see how compatible Leopard is with non-Apple hardware.
There are legit reasons to do it. For instance, a base Darwin system can be made out of entirely open source software. Until you start decrypting binaries or (given the DMCA) tell people how to do it, you're not breaking the law. Running binaries you compile yourself is also not breaking the law nor the license.
So I did some research into it and looked at the various hacked kernels that are out there as well as some of the available source patches. After doing some research on it I realized that a good bulk of the typical kernel patch is due to lack of the "/efi" node in the device tree. Well, boot-132 (the non-EFI bootloader) is open source and after a bit of hacking I modified it to look for the ACPI and SMBIOS tables and put them in the appropriate sub-nodes of the efi node.
Assuming the right processor (e.g. Core or Core 2) that's enough to get any kernel Apple has ever made to boot without modifying the binary or recompiling from source. Unfortunately I used a P4 as a test rig so I had to do a tiny bit of hacking. It's pretty easy since the source is available so you can just fix it and recompile. Or if the source isn't available (e.g. source for Leopard isn't yet) you can still quite easily patch the machine code to ignore the processor family.
Once you've got that the only thing between you and OS X is a way to get the kernel to decrypt the binaries. Amit Singh has illustrated the magic poem which is actually not the decryption but instead a secondary protection mechanism. In some earlier Leopard seeds, that mechanism didn't appear to be used anymore. The real decryption is two AES keys, also widely available. The interface between the kernel and the decryption kernel extension is public. That is, there's a function pointer variable in the source and basically you just write a function that does the AES decryption and then set the appropriate function pointer to the address of your function from your kernel extension's initialization routine. That's all I'll give away on a public forum though. And I'm not giving anything away here, it's public knowledge, right in the source code to xnu.
I post here not to tell people how to hack it but to illustrate that it's not some difficult scheme. I have a good laugh reading the various osx86 forums about how cool these hackers must be if they can crack OS X. It's not as if Apple tried to make it hard. I mean, putting the decryption hook in "Don't Steal Mac OS X.kext" is a pretty dead giveaway. The other good meme is the thought that the methods of hacking need to be kept secret so Apple doesn't figure them out. Believe me, if I can reverse engineer the hacks then I'm quite certain Apple has several people who can. If they even want to. I see no indication that anyone at Apple is trying to prevent hacks. They write code that works on their machines. If it happens to work on other x86 machines, it does. They haven't ever done anything to stop it.