Kernel Patching - falchion10/macOS-Jailbreak GitHub Wiki

Compiling img4

First, we will need to apply two kernel patches: a trustcache patch and a root file system read/write patch.

You'll need to compile img4lib from source on your Mac, as there are currently no arm64 binaries available:

git clone --recursive https://github.com/xerub/img4lib.git

Install lzfse and openssl from Homebrew:

brew install lzfse openssl@3

Edit the Makefile for img4lib:

nano Makefile

Add a CFLAGS line:

CFLAGS += -I/opt/homebrew/include

And an LDFLAGS line:

LDFLAGS += -L/opt/homebrew/lib

Compile the project:

make

You will now have an img4 binary; I recommend moving it to /usr/local/bin.

Using img4

To keep things organized, I'm going to create a folder named Jailbreak in my home directory:

mkdir -p ~/Jailbreak/KPatch && cd ~/Jailbreak/KPatch

To begin the kernel modifications, we will need to run img4 on our current kernelcache:

img4 -i /System/Volumes/Preboot/*/boot/*/System/Library/Caches/com.apple.kernelcaches/kernelcache -o kcache.raw.backup

Copy the extracted kernelcache to a new file, so we can create a patched version while keeping the backup intact:

cp -v kcache.raw.backup kcache.trust

Trustcache Patch

We will be using Radare2, a reverse engineering tool, for the first patch. Install it using Homebrew:

brew install radare2

Open the kernelcache we are about to patch in Radare2, in write mode:

r2 -w kcache.trust

When Radare2 has finished initializing all the kexts, type in this command to find the location for our patch; you should get exactly one result. Copy this address and keep it safe:

/x e0030091e10313aa000000949f020071e0179f1a:ffffffffffffffff000000fcffffffffffffffff

Source for the trustcache patch

We now need to write new instructions in Radare2. Type V to enter visual mode, then type g and paste in the address you found earlier. Once you are at the address, use j and k to scroll down and up respectively; we will need to scroll up a few lines. After scrolling up, type A to enter assembler mode. Find the AMFIIsCDHashInTrustCache function; below it you should see an instruction named pacibsp. Save the address of this instruction, then press q to quit assembler mode, which returns you to visual mode. Type g and go to the address of the pacibsp instruction, then type A to enter assembler mode again. Once in assembler mode at that instruction, replace the instructions with:

mov x0, 1; cbz x2, .+0x8; str x0, [x2]; ret

Press return to save the changes and q to exit assembler mode, then press q and return again to exit Radare2.

Read/Write RootFS Patch

Now we need to apply the read/write rootfs patch, using KPlooshFinder. I recommend moving its binary to /usr/local/bin as well.

Run KPlooshFinder on our trustcache-patched kernel to apply the second patch:

KPlooshFinder kcache.trust kcache.trustrw

Reducing Security

We will now need to boot into 1 True Recovery (1TR). To enter 1TR, shut down your Mac; do not press Restart. Once your Mac is off, press and hold the power button until you see "Continue holding for startup options...". Keep holding the power button until you see "Loading startup options...", at which point you can release it.

Once you are in the startup options menu, select Options (the entry with the settings icon). Type your password to authenticate, then open Terminal from the Utilities menu at the top of the menu bar.

We will need to disable System Integrity Protection (SIP), the Signed System Volume (SSV), and Gatekeeper. We will also need to install the custom kernel and reboot back into normal mode. Run these four commands:

Disable SIP:

csrutil disable

Disable SSV:

csrutil authenticated-root disable

Installing the Kernel

Install Kernel:

kmutil configure-boot -v /Volumes/Macintosh\ HD -c /Volumes/Data/Users/[username]/Jailbreak/KPatch/kcache.trustrw

Reboot the system:

reboot

Now we need to add boot arguments to further relax system restrictions, and to disable Gatekeeper. Run these commands (the -v is optional; all it does is enable verbose booting):

sudo nvram boot-args="-v -arm64e_preview_abi amfi_get_out_of_my_way=1 ipc_control_port_options=0"

Disable Gatekeeper on macOS 14 and below:

sudo spctl --master-disable

In macOS 15 and above, Apple made it harder to disable Gatekeeper. The command above no longer works, so we will need to use a configuration profile to disable it instead. Follow the guide linked below on how to disable it on macOS 15.

Disable-Gatekeeper

reboot
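As an added defender-side check that is not part of the original wiki: a small shell audit that consumes the text output of csrutil, spctl and nvram and reports which of the controls this guide turns off are currently disabled. The sample strings are constructed to mirror the state the guide produces; on a real Mac you would pass the live command output instead.

```shell
# Added example, not part of the original wiki: audit the controls this guide
# disables. Each check takes the text output of a macOS command as an argument.

# boot-args this guide sets; key=value flags are matched on their key so the
# actual value is reported for review.
WEAK_BOOT_ARGS="-arm64e_preview_abi amfi_get_out_of_my_way ipc_control_port_options"

# audit_status LABEL "<csrutil/spctl output>": prints "LABEL: OFF" and returns
# 1 when the protection is disabled (or SIP is in a custom, partial state).
audit_status() {
    case "$2" in
        *disabled*|*Custom*) echo "$1: OFF"; return 1 ;;
        *)                   echo "$1: on";  return 0 ;;
    esac
}

# audit_boot_args "<nvram boot-args output>": prints every token matching a
# weakening flag, one per line; returns 1 if any were found.
audit_boot_args() {
    args=$(printf '%s\n' "$1" | sed 's/^boot-args[[:space:]]*//')
    found=0
    for flag in $WEAK_BOOT_ARGS; do
        for tok in $args; do
            case "$tok" in
                "$flag"|"$flag="*) echo "$tok"; found=1; break ;;
            esac
        done
    done
    return $found
}

# audit_all SIP SSV GATEKEEPER BOOTARGS: runs every check and returns the
# number of weakened controls (0 means nothing this guide touches is off).
audit_all() {
    findings=0
    audit_status "SIP"        "$1" || findings=$((findings + 1))
    audit_status "SSV"        "$2" || findings=$((findings + 1))
    audit_status "Gatekeeper" "$3" || findings=$((findings + 1))
    audit_boot_args "$4"           || findings=$((findings + 1))
    return $findings
}

# Constructed sample output mirroring a Mac configured by this guide. On a real
# Mac pass "$(csrutil status)" "$(csrutil authenticated-root status)"
# "$(spctl --status)" "$(nvram boot-args)" instead.
SAMPLE_SIP="System Integrity Protection status: disabled."
SAMPLE_SSV="Authenticated Root status: disabled"
SAMPLE_GK="assessments disabled"
SAMPLE_ARGS=$(printf 'boot-args\t-v -arm64e_preview_abi amfi_get_out_of_my_way=1 ipc_control_port_options=0')

audit_all "$SAMPLE_SIP" "$SAMPLE_SSV" "$SAMPLE_GK" "$SAMPLE_ARGS" || echo "weakened controls: $?"
```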