Usage of csrutil and Standalone OS X 10.9 Recovery HD Backup

09/18 Update: 
Begin with 10.11.1, the Apple Internal flag won’t allowed to be set. This Apple Internal status provided by csrutil tool shall always be “Disabled” even if you set this bit in your csr-active-config.

08/19 Update:
An updated csrutil tool has been released with the DP7 of 10.11 El Capitan, bring more features to configure SIP:
-> Detailed SIP status report:

Output result like follows:

-> Custom SIP configuration supported (In Recovery OS):

Examples:

More examples below.
-> Other arguments provided like “netboot”, “clear” and “report”

Since Apple decide to put restriction towards the modification of certain NVRAM data, like “csr-active-config” variable is required by newly introduced System Integrity Protection (SIP), an Recovery OS from previous OS X build may needed to handle the NVRAM data freely.

Wondering what is SIP? SIP/Rooless Internal in El Capitan

Here comes the Recovery HD made from the latest build (10.9.5) of OS X Mavericks.
All credits goes to Apple Inc.

Download Link: MediaFire link

How to use this 10.9 Recovery HD backup:

1. Directly replace your current Recovery HD partition is not recommended. The present Recovery HD would be updated with the current OS.
2. This Recovery HD backup could be extracted to an external HFS+ partition (like USB Flash disk or external HDD) directly and ready to use. The size of the partition should be at least 650002432 Bytes, which is the standard size of the Recovery HD.
3. [Optional] To make it more like “genuine” Recovery HD, the partition type which contains this Recovery OS may set to “Apple Boot Partition” by using the following command:

Replace diskXsX with your own one.
4. Now boot into this 10.9.5 Recovery OS and now you can modify any nvram data you want.

Regarding the “csr-active-config”, this variable cannot be modified in 10.11 and 10.10. In the 10.11 Recovery OS, Apple provides csrutil tool to turn on/off SIP and it basically does the same job by modify this particular variable. By setting this variable manually, you can turn on/off every single protection inside the SIP and don’t need to rely on the csrutil to either enable or disable the entire SIP.
Here are some examples to manually set csr-active-config variable:
-> Fully enable SIP, default in 10.11:

This value is as same as running the following command in 10.11 Recovery:

-> Fully enable SIP, with APPLE_INTERNAL bit set:

This value is as same as running the following command in 10.11 Recovery:

-> Disable SIP, not fully:

This value is as same as running the following command in 10.11 Recovery:

And of course you can set any valid bit as you wish since the csrutil cannot support this for now:
-> Only allow untrusted kext:

If use csrutil utility:

-> Allow untrusted kext & unrestricted file system:

If use csrutil utility:

-> Fully disable SIP:

4 thoughts on “Usage of csrutil and Standalone OS X 10.9 Recovery HD Backup

  1. Safari 9.1.1 Mac OS X  10.11.5

    「Directly replace your current Recovery HD partition is not RECOMMANDED. The present Recovery HD would be updated with the current OS.」
    Should be RECOMMENDED. 🙂

    // typo…Oops.

Leave a Reply to Angel Wu Cancel reply

Your email address will not be published. Required fields are marked *