jwise / HoRNDIS

Android USB tethering driver for Mac OS X

macOS 11 Big Sur Support? #132

Open krjw-eyev opened 3 years ago

krjw-eyev commented 3 years ago

I am hesitant about upgrading to macOS 11 Big Sur since they have deprecated certain functionalities that seem to be necessary for HoRNDIS to work.

Here is a list: https://developer.apple.com/support/kernel-extensions/

Does anyone know if there is a possibility to transition? I have no experience with kernel extensions.

brendangibat commented 3 years ago

To chime in, what worked for me was to install then reboot: https://www.dji.com/downloads/softwares/assistant-dji-2-for-mavic

Macbook Pro (16-inch, 2019) (Intel) macOS Big Sur 11.3

Thanks for the suggestion @luxagroove !

gorquan commented 3 years ago

working! macOS Big Sur 11.3.1

amanjain08 commented 3 years ago

Doesn't work for me.

Download and installed successfully DJI Assistant 2 For Mavic Mac V2.0.14 https://www.dji.com/downloads/softwares/assistant-dji-2-for-mavic

macOS Big Sur 11.2.3.

Update: Tried in 11.4 as well but doesn't work.

amanjain08 commented 3 years ago

@Joll123 No, I haven't as I made peace with the WIFI Hotspot instead of tethering.

krjw-eyev commented 3 years ago

@Joll123 I used Velolong's steps here to install it on macOS 11.4.

martin-braun commented 3 years ago

I can confirm, it works on 11.4, however, as soon as I csrutil enable again, it stops working and I get this after system start:

Screen Shot 2021-06-28 at 01 31 31

Is there a way to make an exception to this specific extension?

Joll123 commented 3 years ago

@krjw-eyev @martin-braun Although I have HoRNDIS installed successfully, I don't find the Android phone in the network. Would you know how to solve it?

krjw-eyev commented 3 years ago

@martin-braun can you show what '/usr/sbin/spctl kext-consent list' returns when you are in recovery mode? Objective-See is not the issuer of the signature of HoRNDIS. It should be Joshua Wise. There might be a product of Objective-See interfering?? This has nothing to do with HoRNDIS. Do you have something installed from here?

krjw-eyev commented 3 years ago

@Joll123 I actually don't use this for connecting an Android phone. I use this to connect a general RNDIS device.

martin-braun commented 3 years ago

can you show what '/usr/sbin/spctl kext-consent list' returns when you are in recovery mode?

@krjw-eyev it outputs:

Allowed Team Identifiers: 
54GTJ2AU36

The ID above was outputted from the spctl command on the kext file, which I added as trustworthy. I agree something is odd, because it should not have something to do with "Objective-See LLC", but the error came right after I installed this kext. Is it using any third-party component that I need to trust, too? I downloaded the 9.2 release from this repo. Hmmm.

martin-braun commented 3 years ago

@krjw-eyev @martin-braun Although I have HoRNDIS installed successfully, I don't find the Android phone in the network. Would you know how to solve it?

Go in your Hotspot settings and make sure to enable USB tethering. If this is online, try to restart your PC and make sure WiFi is off. If the device doesn't list up on the network settings of macOS, something was wrong on the installation, try to reinstall and make sure to uninstall, properly.

krjw-eyev commented 3 years ago

@martin-braun There should not be third party extensions! Could you make sure you haven't installed anything that could interfere with HoRNDIS? Maybe look into '/Library/Extensions/' and check if you have something installed by Objective-See LLC.

martin-braun commented 3 years ago

@krjw-eyev You are right, I figured out that it is related to my printer driver, I just have no idea how it would complain now and even weirder is the fact that USB tether would still not work when I enable SIP again. I will investigate further at a later time.

yannnn09 commented 3 years ago

@Velolong After I drag the extension to terminal and press return, it shows "zsh permission denied". I tried doing chmod a+x to HoRNDIS first but it doesn't work. what should I do next? thanks for helping

martin-braun commented 3 years ago

@yannnn09 try sudo zsh ...

vanyamlb commented 3 years ago

I have installed it but every time I turn off my Mac it can see my phone but says "not connected" even though I have been re-enabling USB tethering. So every time I need to reinstall the pkg. Does it happen to you too?

jmatbastos commented 3 years ago

This sequence worked for me...

1 - Command+R to reboot in recovery mode.
2 - (terminal) csrutil disable
3 - reboot in normal mode and install HoRNDIS-9.2.pkg (when prompted, enable the permissions for a joshua wise app in System Preferences). Repeat install and ignore message install failed...
4 - Command+R to reboot in recovery mode
5 - (terminal) /usr/sbin/spctl kext-consent add 54GTJ2AU36.
6 - (terminal) csrutil enable
7 - reboot in normal mode

rizqiimani commented 3 years ago

This sequence worked for me...

1 - Command+R to reboot in recovery mode.
2 - (terminal) csrutil disable
3 - reboot in normal mode and install HoRNDIS-9.2.pkg (when prompted, enable the permissions for a joshua wise app in System Preferences). Repeat install and ignore message install failed...
4 - Command+R to reboot in recovery mode
5 - (terminal) /usr/sbin/spctl kext-consent add 54GTJ2AU36.
6 - (terminal) csrutil enable
7 - reboot in normal mode

This solution worked for me! Thanks, @jmatbastos!

haraldrudell commented 3 years ago

If csrutil is disabled too soon, it may have to be re-enabled. I think an improved sequence is (worked on two 11.5.1 Intel 2020):

  1. Download HoRNDIS-9.2.pkg from https://github.com/jwise/HoRNDIS/releases/download/rel9.2/HoRNDIS-9.2.pkg
    optional verify:
    sha256sum ~/Downloads/HoRNDIS-9.2.pkg
    15f5c6cbe14e5c0f11bf27172dfbcdf3b753122d128807d6bad94c8f4c2b71e1  ~/Downloads/HoRNDIS-9.2.pkg
  2. Obtain kernel extension developer team ID, it’s going to be 54GTJ2AU36:
    spctl -avvtinstall ~/Downloads/HoRNDIS-9.2.pkg 
    /Users/foxyboy/Downloads/HoRNDIS-9.2.pkg: accepted
    source=Notarized Developer ID
    origin=Developer ID Installer: Joshua Wise (54GTJ2AU36)
    
  3. Recovery boot:  — Shutdown…, press Power On, hold down command+R until a progress bar appear under a white apple
  4. Recovery Mode: Language: English, click →, click your installation and user account, password, select Utilities — Terminal
    csrutil disable
    spctl kext-consent add 54GTJ2AU36
    
  5.  — Restart…, Double click HoRNDIS-9.2.pkg in Finder, run to end with Installation Failed
  6.  — System Preferences… — Security & Privacy — General — click lock, Touch ID — by “Some system software requires your attention before it can be used”: click Details… , check Joshua Wise,  — Restart…
  7. Double click HoRNDIS-9.2.pkg in Finder, run to end with Installation Failed
  8.  — System Preferences… — Security & Privacy — General — click lock, Touch ID — by “Some system software requires your attention before it can be used”: click Allow,  — Restart…
  9. Plug in an Android device via usb, on Android enable usb tethering similar to: Settings — Network & internet — Hotspot & tethering — enable USB tethering
  10.  — System Preferences… — Network: left pane should have a device named after your Android phone with green dot “Connected.” If not, HoRNDIS not working for you…
  11. Recovery boot: Language: English, click →, click your installation and user account, password, select Utilities — Terminal
    csrutil enable
    

The above steps are typed from memory but will generally work

If USB tethering should go via OpenVPN, which Google doesn’t allow due to its Verizon bend-overs, have Android rooted, use Termux and the following script (If this seems mysterious, don’t bother):

#!/system/bin/sh -eu
#© 2021-present Harald Rudell  (https://haraldrudell.github.io/haraldrudell/)
# License: ISC
TABLE=61
MARK=0x10
CHAIN=RNDIS
CHAINX=RNDISX
LINE=$(ip -brief l | grep rndis) || { echo >&2 "Could not find rndis network interface"; exit 1; }
if [ $(echo "$LINE" | wc -l) -ne 1 ]; then echo >&2 "multiple rndis"; exit 1; fi
RNDIS=${LINE%% *}
if [ ${#RNDIS} -eq 0 ]; then echo >&2 "rndis detection failed"; exit 1; fi
LINE=$(ip r | grep "dev $RNDIS") || { echo >&2 "No $RNDIS route"; exit 1; }
if [ $(echo "$LINE" | wc -l) -ne 1 ]; then echo >&2 "multiple $RNDIS routes"; exit 1; fi
CIDR=${LINE%% *} # 192.168.227.0/24
echo "rndis: $RNDIS cidr: $CIDR"
LINE=$(ip -brief l | grep tun) || { echo >&2 "Could not find openvpn network interface"; exit 1; }
if [ $(echo "$LINE" | wc -l) -ne 1 ]; then echo >&2 "multiple vpns"; exit 1; fi
TUN=${LINE%% *}
echo "tun: $TUN"
#LINES=$(ip rule | sed 's/^/a /' | grep "lookup $TABLE" | head -1)
#echo "$LINES"
if [ "${1-}" = d ]; then
  # ip rule
  if [ $(ip rule list lookup $TABLE | wc -l) -ne 0 ]; then
    CMD=(ip rule del lookup $TABLE)
    echo "${CMD[*]}"
    "${CMD[@]}"
  fi
  # table 61
  if [ $(ip r s table $TABLE | wc -l) -ne 0 ]; then
    CMD=(ip route flush table $TABLE)
    echo "${CMD[*]}"
    "${CMD[@]}"
  fi
  # FORWARD RNDIS
  LINE=$(iptables --list-rules FORWARD | egrep -ne "-j $CHAIN"'$') || :
  if [ ${#LINE} -ne 0 ]; then
    NO=${LINE%%:*}
    NO2=$(($NO-1))
    CMD=(iptables --delete FORWARD $NO2)
    echo "${CMD[*]}"
    "${CMD[@]}"
  fi
  if iptables --list-rules | grep --silent -xe "-N $CHAIN"; then
    CMD=(iptables --flush $CHAIN)
    echo "${CMD[*]}"
    "${CMD[@]}"
    CMD=(iptables --delete-chain $CHAIN)
    echo "${CMD[*]}"
    "${CMD[@]}"
  fi
  LINE=$(iptables --list-rules FORWARD | egrep -ne "-j $CHAINX"'$') || :
  if [ ${#LINE} -ne 0 ]; then
    NO=${LINE%%:*}
    NO2=$(($NO-1))
    CMD=(iptables --delete FORWARD $NO2)
    echo "${CMD[*]}"
    "${CMD[@]}"
  fi
  if iptables --list-rules | grep --silent -xe "-N $CHAINX"; then
    CMD=(iptables --flush $CHAINX)
    echo "${CMD[*]}"
    "${CMD[@]}"
    CMD=(iptables --delete-chain $CHAINX)
    echo "${CMD[*]}"
    "${CMD[@]}"
  fi
  # masquerade
  RULE=(POSTROUTING --match mark --mark $MARK --jump MASQUERADE)
  LINE=$(iptables --table nat --list-rules POSTROUTING | grep -ne "-m mark --mark $MARK -j MASQUERADE"'$') || :
  if [ ${#LINE} -ne 0 ]; then
    NO=${LINE%%:*}
    NO2=$(($NO-1))
    CMD=(iptables --table nat --delete POSTROUTING $NO2)
    echo "${CMD[*]}"
    "${CMD[@]}"
  fi
  exit
fi
# ip rule
IPRULE=(from $CIDR lookup $TABLE)
if ! ip rule | fgrep --silent "${IPRULE[*]}"; then
  CMD=(ip rule add "${IPRULE[@]}")
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
# table 61
RULE=(default dev $TUN)
FLUSH=false
ADD=false
NO=$(ip r s table $TABLE | wc -l)
if [ $NO -eq 0 ]; then ADD=true
elif [ $NO -ne 1 ]; then FLUSH=true
elif ! ip r s table $TABLE | grep --silent "default dev $TUN"; then FLUSH=true
fi
if $FLUSH; then
  ADD=true
  CMD=(ip route flush table $TABLE)
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
if $ADD; then
  CMD=(ip route add "${RULE[@]}" table $TABLE)
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
# RNDIS
if ! iptables --list-rules | grep --silent -xe "-N $CHAIN"; then
  CMD=(iptables --new-chain $CHAIN)
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
RULE=(FORWARD --in-interface $RNDIS --jump $CHAIN)
CMD=(iptables --check "${RULE[@]}")
Y=$("${CMD[@]}" 2>&1) && X=0 || X=$?
if [ $X -ne 0 ]; then
  if [ $X -ne 1 ]; then echo "${CMD[*]}: $X $Y"; exit 1; fi
  CMD=(iptables --insert "${RULE[@]}")
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
RULE1=($CHAIN --out-interface $TUN --jump MARK --set-mark $MARK)
RULE2=($CHAIN --out-interface $TUN --jump ACCEPT)
FLUSH=false
ADD=false
NO=$(iptables --list-rules $CHAIN | wc -l)
if [ $NO -eq 1 ]; then ADD=true
elif [ $NO -ne 3 ]; then FLUSH=true
else
  CMD=(iptables --check "${RULE1[@]}")
  Y=$("${CMD[@]}" 2>&1) && X=0 || X=$?
  if [ $X -ne 0 ]; then
    if [ $X -ne 1 ]; then echo "${CMD[*]}: $X $Y"; exit 1; fi
    FLUSH=true
  fi
  CMD=(iptables --check "${RULE2[@]}")
  Y=$("${CMD[@]}" 2>&1) && X=0 || X=$?
  if [ $X -ne 0 ]; then
    if [ $X -ne 1 ]; then echo "${CMD[*]}: $X $Y"; exit 1; fi
    FLUSH=true
  fi
fi
if $FLUSH; then
  ADD=true
  CMD=(iptables --flush $CHAIN) 
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
if $ADD; then
  CMD=(iptables --append "${RULE1[@]}")
  echo "${CMD[*]}"
  "${CMD[@]}"
  CMD=(iptables --append "${RULE2[@]}")
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
#RNDISX
if ! iptables --list-rules | grep --silent -xe "-N $CHAINX"; then
  CMD=(iptables --new-chain $CHAINX)
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
RULE=(FORWARD --in-interface $TUN --jump $CHAINX)
CMD=(iptables --check "${RULE[@]}")
Y=$("${CMD[@]}" 2>&1) && X=0 || X=$?
if [ $X -ne 0 ]; then
  if [ $X -ne 1 ]; then echo "${CMD[*]}: $X $Y"; exit 1; fi
  CMD=(iptables --insert "${RULE[@]}")
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
RULE1=($CHAINX --out-interface $RNDIS --jump ACCEPT)
FLUSH=false
ADD=false
NO=$(iptables --list-rules $CHAINX | wc -l)
if [ $NO -eq 1 ]; then ADD=true
elif [ $NO -ne 2 ]; then FLUSH=true
else
  CMD=(iptables --check "${RULE1[@]}")
  Y=$("${CMD[@]}" 2>&1) && X=0 || X=$?
  if [ $X -ne 0 ]; then
    if [ $X -ne 1 ]; then echo "${CMD[*]}: $X $Y"; exit 1; fi
    FLUSH=true
  fi
fi
if $FLUSH; then
  ADD=true
  CMD=(iptables --flush $CHAINX)
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
if $ADD; then
  CMD=(iptables --append "${RULE1[@]}")
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
# masquerade
RULE=(POSTROUTING --match mark --mark $MARK --jump MASQUERADE)
CMD=(iptables --table nat --check "${RULE[@]}")
Y=$("${CMD[@]}" 2>&1) && X=0 || X=$?
if [ $X -ne 0 ]; then
  if [ $X -ne 1 ]; then echo "${CMD[*]}: $X $Y"; exit 1; fi
  CMD=(iptables --table nat --insert "${RULE[@]}")
  echo "${CMD[*]}"
  "${CMD[@]}"
fi

Note: the shell on Android 11 is buggy, so too complex greps or iteration will crash
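The hash check and team ID lookup from steps 1 and 2 above, and the `spctl kext-consent list` output shown earlier in the thread, can be turned into one gate that runs before the signer is approved. This is an added example, not code from any commenter or from the HoRNDIS project; the function names are hypothetical, and the expected hash and team ID are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: refuse to approve a kext signer unless the package hash and
# the signing team both match the values quoted in the thread.
EXPECTED_SHA256=15f5c6cbe14e5c0f11bf27172dfbcdf3b753122d128807d6bad94c8f4c2b71e1
EXPECTED_TEAM=54GTJ2AU36

# Assessment output as quoted in the thread (used for offline checks).
SAMPLE_ASSESSMENT='/Users/foxyboy/Downloads/HoRNDIS-9.2.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Installer: Joshua Wise (54GTJ2AU36)'

# Print the SHA-256 of file $1; macOS ships shasum, most Linux systems sha256sum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" 2>/dev/null | awk '{print $1}'
  else
    shasum -a 256 "$1" 2>/dev/null | awk '{print $1}'
  fi
}

# Succeed only if file $1 hashes to $2 (hex compared case-insensitively).
# A missing or unreadable file yields an empty hash and therefore fails.
hash_matches() {
  actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Read `spctl -a -vv -t install <pkg>` output on stdin. Print the team ID from
# the origin= line, but only if the assessment verdict was "accepted".
team_id_from_assessment() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q ': accepted$' || return 1
  id=$(printf '%s\n' "$out" |
    sed -n 's/^origin=.*(\([A-Z0-9]\{1,\}\))[[:space:]]*$/\1/p' | head -n 1)
  [ -n "$id" ] && printf '%s\n' "$id"
}

# Read `spctl kext-consent list` output on stdin; succeed if team ID $1 appears
# as an exact line after the "Allowed Team Identifiers:" header.
consent_lists_team() {
  awk -v want="$1" '
    /^Allowed Team Identifiers:/ { in_list = 1; next }
    in_list { gsub(/[ \t\r]/, ""); if ($0 == want) found = 1 }
    END { exit !found }
  '
}

# $1 = package path, $2 = assessment text, $3 = expected hash (optional).
# Prints the decision and returns non-zero on any mismatch.
approve_decision() {
  hash_matches "$1" "${3:-$EXPECTED_SHA256}" ||
    { echo "REFUSE: hash mismatch"; return 1; }
  team=$(printf '%s\n' "$2" | team_id_from_assessment) ||
    { echo "REFUSE: package not accepted or no signer found"; return 1; }
  [ "$team" = "$EXPECTED_TEAM" ] ||
    { echo "REFUSE: unexpected team $team"; return 1; }
  echo "OK: spctl kext-consent add $team"
}

# Real use on macOS: sh verify-horndis.sh ~/Downloads/HoRNDIS-9.2.pkg
# spctl writes its assessment to stderr, hence 2>&1.
if [ -n "${1-}" ]; then
  approve_decision "$1" "$(spctl -a -vv -t install "$1" 2>&1)"
fi
```

After the Recovery step, piping `spctl kext-consent list` into `consent_lists_team 54GTJ2AU36` confirms the entry is present before SIP is re-enabled.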

vaneet-hash commented 3 years ago

Macbook M1 Tethering solution

haraldrudell commented 3 years ago

I polished the script solution to set-and-forget, so, for those who have a rooted Android device of any release and need tethered USB traffic via on-device vpn, install the below

— vicious carrier will have no idea — traffic and dns routed via goddess vpn provider — Though Google these days is ”do all evil,” if it wasn’t for Larry Page, there would be no golang. He smartest out there

After each device reboot, in a termux rooted session, run "bin/monlink." Xanadu nema problema

script 1:

#!/system/bin/sh -eu
# © 2021–present Harald Rudell  (https://haraldrudell.github.io/haraldrudell/)
# License: ISC 210803
# Android 11, termux, root
# /data/data/com.termux/files/home/bin/monlink
VPN="/data/data/com.termux/files/home/bin/vpn"
if [ "$(id -u)" != 0 ]; then
  echo "must be root"
  exit 1
fi
echo "$(date +'%F %T') monlink up"
"$VPN" || { X=$?; echo >&2 "vpn: $X"; }
ip monitor link | while read LINE; do
  if ! echo "$LINE" | egrep --silent "^[^ ]* (tun|rndis).*LOWER_UP"; then
    continue
  fi
  LINE2="${LINE#* }"
  IFACE=${LINE2%%:*}
  echo "$(date +'%F %T') interface: $IFACE"
  "$VPN" || { X=$?; echo >&2 "vpn: $X"; }
done

Script 2:

#!/system/bin/sh -eu
# © 2021–present Harald Rudell  (https://haraldrudell.github.io/haraldrudell/)
# License: ISC 210803
# Android 11, termux, root
# /data/data/com.termux/files/home/bin/vpn
TABLE=61
MARK=0x10
CHAIN=RNDIS
CHAINX=RNDISX
LINE=$(ip -brief l | grep rndis) || { echo >&2 "Could not find rndis network interface"; exit 1; }
if [ $(echo "$LINE" | wc -l) -ne 1 ]; then echo >&2 "multiple rndis"; exit 1; fi
RNDIS=${LINE%% *}
if [ ${#RNDIS} -eq 0 ]; then echo >&2 "rndis detection failed"; exit 1; fi
echo "rndis: $RNDIS" # cidr: $CIDR"
LINE=$(ip -brief l | grep tun) || { echo >&2 "Could not find openvpn network interface"; exit 1; }
if [ $(echo "$LINE" | wc -l) -ne 1 ]; then echo >&2 "multiple vpns"; exit 1; fi
TUN=${LINE%% *}
echo "tun: $TUN"
if [ "${1-}" = d ]; then
  # ip rule
  if [ $(ip rule list lookup $TABLE | wc -l) -ne 0 ]; then
    CMD=(ip rule del lookup $TABLE)
    echo "${CMD[*]}"
    "${CMD[@]}"
  fi
  # table 61
  if [ $(ip r s table $TABLE | wc -l) -ne 0 ]; then
    CMD=(ip route flush table $TABLE)
    echo "${CMD[*]}"
    "${CMD[@]}"
  fi
  # FORWARD RNDIS
  LINE=$(iptables --wait 1 --list-rules FORWARD | egrep -ne "-j $CHAIN"'$') || :
  if [ ${#LINE} -ne 0 ]; then
    NO=${LINE%%:*}
    NO2=$(($NO-1))
    CMD=(iptables --wait 1 --delete FORWARD $NO2)
    echo "${CMD[*]}"
    "${CMD[@]}"
  fi
  if iptables --wait 1 --list-rules | grep --silent -xe "-N $CHAIN"; then
    CMD=(iptables --wait 1 --flush $CHAIN)
    echo "${CMD[*]}"
    "${CMD[@]}"
    CMD=(iptables --wait 1 --delete-chain $CHAIN)
    echo "${CMD[*]}"
    "${CMD[@]}"
  fi
  LINE=$(iptables --wait 1 --list-rules FORWARD | egrep -ne "-j $CHAINX"'$') || :
  if [ ${#LINE} -ne 0 ]; then
    NO=${LINE%%:*}
    NO2=$(($NO-1))
    CMD=(iptables --wait 1 --delete FORWARD $NO2)
    echo "${CMD[*]}"
    "${CMD[@]}"
  fi
  if iptables --wait 1 --list-rules | grep --silent -xe "-N $CHAINX"; then
    CMD=(iptables --wait 1 --flush $CHAINX)
    echo "${CMD[*]}"
    "${CMD[@]}"
    CMD=(iptables --wait 1 --delete-chain $CHAINX)
    echo "${CMD[*]}"
    "${CMD[@]}"
  fi
  # masquerade
  RULE=(POSTROUTING --match mark --mark $MARK --jump MASQUERADE)
  LINE=$(iptables --wait 1 --table nat --list-rules POSTROUTING | grep -ne "-m mark --mark $MARK -j MASQUERADE"'$') || :
  if [ ${#LINE} -ne 0 ]; then
    NO=${LINE%%:*}
    NO2=$(($NO-1))
    CMD=(iptables --wait 1 --table nat --delete POSTROUTING $NO2)
    echo "${CMD[*]}"
    "${CMD[@]}"
  fi
  exit
fi
# ip rule
IPRULE=(iif $RNDIS lookup $TABLE)
if ! ip rule | fgrep --silent "${IPRULE[*]}"; then
  CMD=(ip rule add "${IPRULE[@]}")
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
# table 61
RULE=(default dev $TUN)
FLUSH=false
ADD=false
NO=$(ip r s table $TABLE | wc -l)
if [ $NO -eq 0 ]; then ADD=true
elif [ $NO -ne 1 ]; then FLUSH=true
elif ! ip r s table $TABLE | grep --silent "${RULE[*]}"; then FLUSH=true
fi
if $FLUSH; then
  ADD=true
  CMD=(ip route flush table $TABLE)
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
if $ADD; then
  CMD=(ip route add "${RULE[@]}" table $TABLE)
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
# RNDIS
if ! iptables --wait 1 --list-rules | grep --silent -xe "-N $CHAIN"; then
  CMD=(iptables --wait 1 --new-chain $CHAIN)
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
RULE=(FORWARD --in-interface $RNDIS --jump $CHAIN)
CMD=(iptables --wait 1 --check "${RULE[@]}")
Y=$("${CMD[@]}" 2>&1) && X=0 || X=$?
if [ $X -ne 0 ]; then
  if [ $X -ne 1 ]; then echo "${CMD[*]}: $X $Y"; exit 1; fi
  CMD=(iptables --wait 1 --insert "${RULE[@]}")
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
RULE1=($CHAIN --out-interface $TUN --jump MARK --set-mark $MARK)
RULE2=($CHAIN --out-interface $TUN --jump ACCEPT)
FLUSH=false
ADD=false
NO=$(iptables --wait 1 --list-rules $CHAIN | wc -l)
if [ $NO -eq 1 ]; then ADD=true
elif [ $NO -ne 3 ]; then FLUSH=true
else
  CMD=(iptables --wait 1 --check "${RULE1[@]}")
  Y=$("${CMD[@]}" 2>&1) && X=0 || X=$?
  if [ $X -ne 0 ]; then
    if [ $X -ne 1 ]; then echo "${CMD[*]}: $X $Y"; exit 1; fi
    FLUSH=true
  fi
  CMD=(iptables --wait 1 --check "${RULE2[@]}")
  Y=$("${CMD[@]}" 2>&1) && X=0 || X=$?
  if [ $X -ne 0 ]; then
    if [ $X -ne 1 ]; then echo "${CMD[*]}: $X $Y"; exit 1; fi
    FLUSH=true
  fi
fi
if $FLUSH; then
  ADD=true
  CMD=(iptables --wait 1 --flush $CHAIN) 
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
if $ADD; then
  CMD=(iptables --wait 1 --append "${RULE1[@]}")
  echo "${CMD[*]}"
  "${CMD[@]}"
  CMD=(iptables --wait 1 --append "${RULE2[@]}")
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
#RNDISX
if ! iptables --wait 1 --list-rules | grep --silent -xe "-N $CHAINX"; then
  CMD=(iptables --wait 1 --new-chain $CHAINX)
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
RULE=(FORWARD --in-interface $TUN --jump $CHAINX)
CMD=(iptables --wait 1 --check "${RULE[@]}")
Y=$("${CMD[@]}" 2>&1) && X=0 || X=$?
if [ $X -ne 0 ]; then
  if [ $X -ne 1 ]; then echo "${CMD[*]}: $X $Y"; exit 1; fi
  CMD=(iptables --wait 1 --insert "${RULE[@]}")
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
RULE1=($CHAINX --out-interface $RNDIS --jump ACCEPT)
FLUSH=false
ADD=false
NO=$(iptables --wait 1 --list-rules $CHAINX | wc -l)
if [ $NO -eq 1 ]; then ADD=true
elif [ $NO -ne 2 ]; then FLUSH=true
else
  CMD=(iptables --wait 1 --check "${RULE1[@]}")
  Y=$("${CMD[@]}" 2>&1) && X=0 || X=$?
  if [ $X -ne 0 ]; then
    if [ $X -ne 1 ]; then echo "${CMD[*]}: $X $Y"; exit 1; fi
    FLUSH=true
  fi
fi
if $FLUSH; then
  ADD=true
  CMD=(iptables --wait 1 --flush $CHAINX)
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
if $ADD; then
  CMD=(iptables --wait 1 --append "${RULE1[@]}")
  echo "${CMD[*]}"
  "${CMD[@]}"
fi
# masquerade
RULE=(POSTROUTING --match mark --mark $MARK --jump MASQUERADE)
CMD=(iptables --wait 1 --table nat --check "${RULE[@]}")
Y=$("${CMD[@]}" 2>&1) && X=0 || X=$?
if [ $X -ne 0 ]; then
  if [ $X -ne 1 ]; then echo "${CMD[*]}: $X $Y"; exit 1; fi
  CMD=(iptables --wait 1 --table nat --insert "${RULE[@]}")
  echo "${CMD[*]}"
  "${CMD[@]}"
fi

“We are all just prisoners here, of our own device”

APwhitehat commented 3 years ago

This sequence worked for me...

1 - Command+R to reboot in recovery mode.
2 - (terminal) csrutil disable
3 - reboot in normal mode and install HoRNDIS-9.2.pkg (when prompted, enable the permissions for a joshua wise app in System Preferences). Repeat install and ignore message install failed...
4 - Command+R to reboot in recovery mode
5 - (terminal) /usr/sbin/spctl kext-consent add 54GTJ2AU36.
6 - (terminal) csrutil enable
7 - reboot in normal mode

This worked for me too. Thanks a ton @rizqiimani !!

cabin33 commented 3 years ago

This sequence worked for me...

1 - Command+R to reboot in recovery mode.
2 - (terminal) csrutil disable
3 - reboot in normal mode and install HoRNDIS-9.2.pkg (when prompted, enable the permissions for a joshua wise app in System Preferences). Repeat install and ignore message install failed...
4 - Command+R to reboot in recovery mode
5 - (terminal) /usr/sbin/spctl kext-consent add 54GTJ2AU36.
6 - (terminal) csrutil enable
7 - reboot in normal mode

Thanks, it works for me (bigsur 11.5.2 (20G95))

cabin33 commented 3 years ago

If csrutil is disabled too soon, it may have to be re-enabled. I think an improved sequence is (worked on two 11.5.1 Intel 2020):

  1. Download HoRNDIS-9.2.pkg from https://github.com/jwise/HoRNDIS/releases/download/rel9.2/HoRNDIS-9.2.pkg
    optional verify:
    sha256sum ~/Downloads/HoRNDIS-9.2.pkg
    15f5c6cbe14e5c0f11bf27172dfbcdf3b753122d128807d6bad94c8f4c2b71e1  ~/Downloads/HoRNDIS-9.2.pkg
  2. Obtain kernel extension developer team ID, it’s going to be 54GTJ2AU36:
    spctl -avvtinstall ~/Downloads/HoRNDIS-9.2.pkg
    /Users/foxyboy/Downloads/HoRNDIS-9.2.pkg: accepted
    source=Notarized Developer ID
    origin=Developer ID Installer: Joshua Wise (54GTJ2AU36)

  3. Recovery boot:  — Shutdown…, press Power On, hold down command+R until a progress bar appear under a white apple
  4. Recovery Mode: Language: English, click →, click your installation and user account, password, select Utilities — Terminal
    csrutil disable
    spctl kext-consent add 54GTJ2AU36

  5.  — Restart…, Double click HoRNDIS-9.2.pkg in Finder, run to end with Installation Failed
  6.  — System Preferences… — Security & Privacy — General — click lock, Touch ID — by “Some system software requires your attention before it can be used”: click Details… , check Joshua Wise,  — Restart…
  7. Double click HoRNDIS-9.2.pkg in Finder, run to end with Installation Failed
  8.  — System Preferences… — Security & Privacy — General — click lock, Touch ID — by “Some system software requires your attention before it can be used”: click Allow,  — Restart…
  9. Plug in an Android device via usb, on Android enable usb tethering similar to: Settings — Network & internet — Hotspot & tethering — enable USB tethering
  10.  — System Preferences… — Network: left pane should have a device named after your Android phone with green dot “Connected.” If not, HoRNDIS not working for you…
  11. Recovery boot: Language: English, click →, click your installation and user account, password, select Utilities — Terminal
    csrutil enable

The above steps are typed from memory but will generally work


Step 9. "Plug in an Android device via usb, on Android enable usb tethering similar to: Settings — Network & internet — Hotspot & tethering — enable USB tethering" works for me, thanks!

DuckLL commented 3 years ago

I can confirm, it works on 11.4, however, as soon as I csrutil enable again, it stops working and I get this after system start:

Screen Shot 2021-06-28 at 01 31 31

Is there a way to make an exception to this specific extension?

@martin-braun did you install lulu? I solved the same problem after uninstalling lulu.

FherNando commented 3 years ago

This sequence worked for me...

1 - Command+R to reboot in recovery mode.
2 - (terminal) csrutil disable
3 - reboot in normal mode and install HoRNDIS-9.2.pkg (when prompted, enable the permissions for a joshua wise app in System Preferences). Repeat install and ignore message install failed...
4 - Command+R to reboot in recovery mode
5 - (terminal) /usr/sbin/spctl kext-consent add 54GTJ2AU36.
6 - (terminal) csrutil enable
7 - reboot in normal mode

This one worked for me, you are the man @jmatbastos

marioapardo commented 2 years ago

This sequence worked for me...

1 - Command+R to reboot in recovery mode.
2 - (terminal) csrutil disable
3 - reboot in normal mode and install HoRNDIS-9.2.pkg (when prompted, enable the permissions for a joshua wise app in System Preferences). Repeat install and ignore message install failed...
4 - Command+R to reboot in recovery mode
5 - (terminal) /usr/sbin/spctl kext-consent add 54GTJ2AU36.
6 - (terminal) csrutil enable
7 - reboot in normal mode

This one worked for me and it also works in macOS Monterey, you are the man @jmatbastos

furiousjay commented 2 years ago

This sequence worked for me...

1 - Command+R to reboot in recovery mode.
2 - (terminal) csrutil disable
3 - reboot in normal mode and install HoRNDIS-9.2.pkg (when prompted, enable the permissions for a joshua wise app in System Preferences). Repeat install and ignore message install failed...
4 - Command+R to reboot in recovery mode
5 - (terminal) /usr/sbin/spctl kext-consent add 54GTJ2AU36.
6 - (terminal) csrutil enable
7 - reboot in normal mode

This one worked for me and it also works in macOS Monterey, you are the man @jmatbastos

I can confirm this to be working on the MacBook Pro 16 2019. As this is an easy fix to get the Hotspot working on Big Sur I recommend joshuawise to include the guide on his website. thanks!

adarsh-sgh commented 2 years ago

I am getting an installation successful message but could not find horndis.kext in /System/Library/Extensions where other kext files are present. Also, USB tethering my phone is not working. I am on BigSur 11.6 with Apple M1 chip.

Please suggest if there is a way to find out what went wrong?

mac-zhou commented 2 years ago

This sequence worked for me...

1 - Command+R to reboot in recovery mode.
2 - (terminal) csrutil disable
3 - reboot in normal mode and install HoRNDIS-9.2.pkg (when prompted, enable the permissions for a joshua wise app in System Preferences). Repeat install and ignore message install failed...
4 - Command+R to reboot in recovery mode
5 - (terminal) /usr/sbin/spctl kext-consent add 54GTJ2AU36.
6 - (terminal) csrutil enable
7 - reboot in normal mode

It helped me, thanks

dascientist777 commented 1 year ago

This sequence worked for me...

1 - Command+R to reboot in recovery mode.
2 - (terminal) csrutil disable
3 - reboot in normal mode and install HoRNDIS-9.2.pkg (when prompted, enable the permissions for a joshua wise app in System Preferences). Repeat install and ignore message install failed...
4 - Command+R to reboot in recovery mode
5 - (terminal) /usr/sbin/spctl kext-consent add 54GTJ2AU36.
6 - (terminal) csrutil enable
7 - reboot in normal mode

This also worked for me. Thank you! (MacOS Big Sur 11.4 on a macbook pro retina 2014, and LG K30 android phone) (going to apple menu to reboot and then holding down the command+R keys while it is booting up, to get into recovery mode, then going under utilities in recovery mode to launch terminal, then going back to apple menu to do regular reboot)