Dont Steal Mac OS.kext ("DSMOS") is a kernel extension added in Mac OS X 10.4.4 that prevents the operating system from running on unauthorized Intel hardware.
DSMOS performs challenges against the System Management Controller to derive a decryption key. If decryption succeeds, the following string is stored in memory:
Your karma check for today:
There once was was a user that whined
his existing OS was so blind,
he'd do better to pirate
an OS that ran great
but found his hardware declined.
Please don't steal Mac OS!
Really, that's way uncool.
(C) Apple Computer, Inc.
The key is then used to decrypt binaries critical to running a macOS GUI:
- Dock
- Finder
- loginwindow
- SystemUIServer
- mds (Spotlight daemon)
- ATSServer (Apple Type System daemon)
- translate and translated (Rosetta)
Specifically, a Mach-O loader hook is registered that checks for the flag SG_PROTECTED_VERSION_1 (0x8) on the __TEXT segment. When present, the decryption routine is executed to produce the __TEXT data in memory.[1]
If the SMC fails to respond, or the key is incorrect, the computer is assumed to be unauthorized. The kernel extension calls panic(), preventing the operating system from reaching a desktop.
Preview builds of Mac OS X for the Developer Transition Kit (2005) use a different mechanism, in which the Rosetta emulation layer issues challenges against the Trusted Platform Module. The ATSServer daemon is included as a PowerPC-only binary, thereby requiring the TPM check to pass for Mac OS X to boot into a graphical interface.
By the first retail version of Mac OS X for Intel hardware, the Rosetta/TPM approach is replaced by DSMOS. Compared to the original approach, DSMOS is checked earlier in the boot process. Early 2006 (first-generation) Intel iMacs, MacBook Pros and Mac minis, while featuring a TPM, do not make any use of it - the operating system in fact lacks the necessary driver to use the TPM. Subsequent Macs remove the TPM.[2]
In practice, the copy protection provided by DSMOS has been defeated by SMC emulators, such as FakeSMC and VirtualSMC, both being used to make hackintoshing possible. With this said, bypass of DSMOS has been successfully used in at least one legal case against a business, Psystar Corporation, that sold pre-configured hackintosh computers. On 13 November 2009, the court found that Psystar's circumventing of "a technological measure" was in violation of the Digital Millennium Copyright Act.
DSMOS is only used on Intel macOS. It is not loaded on PowerPC or Apple Silicon. Starting with macOS 11.0 Big Sur, the above binaries are no longer encrypted.
License file
A file contained within the kext, LICENSE, has the following contents:
Copyright (c) 2006,2009 Apple Inc. All rights reserved.
The purpose of this Apple software is to protect Apple copyrighted materials from unauthorized copying and use. You may not copy, modify, reverse engineer, publicly display, publicly perform, sublicense, transfer or redistribute this software, in whole or in part. If you have obtained a copy of this Apple software and do not have a valid license from Apple to use it, please immediately destroy or delete it from your computer.
Printing the DSMOS message
As DSMOS stores a 256-byte blob of "integrity" data in the commpage, it is possible to print the DSMOS message ("Please don't steal Mac OS!" poem) using the following C program.[3] The program must be compiled as i386, as such, it will not work on macOS 10.15 Catalina and later.
#include <stdio.h>
void main() {
puts((char *)(-16 * 4096 + 0x1600));
}
This can also be achieved with Python:[4]
import ctypes
print ctypes.c_char_p(-16 * 4096 + 0x1600).value
External Links
References
- ^ https://www.lightbulbone.com/posts/2016/10/dsmos-kext/
- ^ https://web.archive.org/web/20180817161332/http://www.osxbook.com/book/bonus/chapter10/tpm/
- ^ https://web.archive.org/web/20170707181645/http://www.osxbook.com/book/bonus/chapter7/binaryprotection/
- ^ https://simonwillison.net/2006/Oct/31/ctypes/