iM 4,1-14,4 2011 iMac Graphics Card Upgrade

[liquidtwitch]

Thanks Nick, I've updated that post with the correct link to UEFITool.

I'll try your suggestions with the board but I'm not too fussed if it's dead - to be honest it's been pulled out so many times I'm surprised it's lasted this long.

Lesson for everyone going forward - opt for a decent clamp a la Pomona 5250.

 

[Nick [D]vB]

That pencil trick is worth a shot, just try and bridge the pads shown in the photo, but you might need to build up a thicker layer. I'm amazed my board still works to be honest, I've already managed to rip off several connectors. In all fairness it looks like Apple used many different EEPROM chips, and some of them have a wider / flatter package which is much harder to get the clip onto.

One rooky mistake is to just pull the clip off instead of opening it, that chews the tip off very quickly and the clip never works properly again, I've gone through half a dozen already. Your chip also seems to have particularly wonky soldering so that didn't help, there is definitely an element of luck here!

 

[duvelhedz]

Hi Guys,
Thanks Nick for the howto. Great work!

I have successfully modified my bootrom. The dump was created with flashrom and a raspberry pi.
I have also virginised a copy with a clean ME region and it is also blank with no Serial so the serial number can be written with Blank Board Serialiser USB. This means anyone can flash this bootrom and write their own serial number using BBS. The BootRom is the latest version from the 2018-004 Security Update.

EDIT - Both versions here, The MP6 version will have all Diag LEDs lit up on the logic board.

EDIT - Replace YOURMLBSERIALHERE with your MLB serial number. Search for C02 with a hex editor and it will near the end of the ROM.

Note, A Mac's GUID is generated with with the MLB number and the S/N that BBS writes.

Note: USE OF THESE FILES IS AT YOUR OWN RISK. DO NOT USE THEM UNLESS YOU HAVE A BACKUP OF YOUR CURRENT ROM. MAKE 2 COPIES TO BE SURE. YOU HAVE BEEN WARNED.

 

[Nick [D]vB]

Nice, I thought about doing this but the process was complex enough already, and it was probably best for people to make a back-up anyway. Great to have the option though, and very useful for doing multiple machines. 8)

EDIT - Maybe do a version with the Beta2 MP6 drivers as they get all the debug LEDs working.

EDIT 2 - See comments by tsialex below!

 

[LegoNickD]

Sorry if this has already been asked or is a stupid question, but would it be possible to eventually make a nice program like DosDude1's APFS rom patcher to make the process a little more user friendly? That way once the new card is installed you would just need to run the program after entering flash mode to flash the bootrom on the logic board and nvflash on bootcamp to flash the vbios on the card.

 

[Nick [D]vB]

after entering flash mode

 

[webdepp]

Hey guys
First of all, I wanna thank you Nick for this incredible work. I tried to run a diffrent GPU with bootscreen in my iMac (mid 2011) for almost half a year now. I tried several MXM cards ... NVIDIA and AMD. Then I stumbled across this thread yesterday and what shall I say ... After dumping and modifying the bootrom I finally can run a GTX 780M with bootscreen!
Thank you so much! Any chance to buy you a beer for your work? Just send me a link to donate

 

[liquidtwitch]

That pencil trick is worth a shot,

LOL IT F$#ING WORKED!

Drew a big line of graphite pencil over the missing cap and it posted.

So now I guess I just need to test my solder skills to the limit and complete the trace to make it permanent. Nick you're a deadset guardian angel... I think I love you.

 

[FlorisVN]

Sorry if this has already been asked or is a stupid question, but would it be possible to eventually make a nice program like DosDude1's APFS rom patcher to make the process a little more user friendly? That way once the new card is installed you would just need to run the program after entering flash mode to flash the bootrom on the logic board and nvflash on bootcamp to flash the vbios on the card.

this is a good one, I asked this question before to Nick.
Nick asked @dosdude1 before this question in the past, about how to put the 2011 imac into flashing mode.
If perhaps dosdude1 or someone else can make this possible somehow, it would indeed be great.

I'm sure dosdude1 has some good knowledge already with flashing bootrom's, since he also made his brilliant apfs rom patcher tool.

Perhaps we can get a nice 1-click bootrom patch tool someday somehow, this would be indeed awesome !

 

[FlorisVN]

LOL IT F$#ING WORKED!

Drew a big line of graphite pencil over the missing cap and it posted.

So now I guess I just need to test my solder skills to the limit and complete the trace to make it permanent. Nick you're a deadset guardian angel... I think I love you.

thats great, and good to know here for everyone
using a hotair station is perhaps reccomended for this tiny job, or very small iron station..

But if this trace now works again thanks to your pencil why perhaps bother fixing it.. ?

 

[FlorisVN]

Hi Guys,
Thanks Nick for the howto. Great work!

I have successfully modified my bootrom. The dump was created with flashrom and a raspberry pi.
I have also virginised a copy with a clean ME region and it is also blank with no Serial so the serial number can be written with Blank Board Serialiser USB. This means anyone can flash this bootrom and write their own serial number using BBS. The BootRom is the latest version from the 2018-004 Security Update.

EDIT - Both versions here, The MP6 version will have all Diag LEDs lit up on the logic board.

Note: USE OF THESE FILES IS AT YOUR OWN RISK. DO NOT USE THEM UNLESS YOU HAVE A BACKUP OF YOUR CURRENT ROM. MAKE 2 COPIES TO BE SURE. YOU HAVE BEEN WARNED.

This is great, thx for creating and sharing !!!

 

[FlorisVN]

Hey all, I had a long train journey today so had time for some replies, I'm back at home now but I really have to catch-up on some work before I can do any more testing. I will be checking-in here regularly though.


I look forward to reading the guides when you have finished them.

That EFIcheck is really not a problem, but if it bothers you that link should help us disable it,
the first thing to try is probably just to delete the Launch Daemon:

/System/Library/LaunchDaemons/com.apple.driver.eficheck.plist

If that doesn’t work try deleting the kext (or just remove its execute permissions)

/System/Library/Extensions/eficheck.kext

But if you want to test this remember to disable SIP & make a full MacOS back-up first.

BTW – I was not expecting target display mode to work on the AMD cards, it was not available on iMacs with those GPUs so it is not configured by their EFI, but there is still a small chance it could work on the Kepler cards using the right cables etc.


Good to have you on-board! I did some quick brightness tests a few months back using OpenCore’s ACPI injection, Clover is much more mature so that’s probably a better option, but keep that bootrom back-up handy because I heard it can corrupt the NVRAM volume. I tried naively smooshing together various DSDT / SSDT tables taken from newer iMacs but that mostly resulted in compilation errors and kernel panics - normally related to AGDC. I also got the slider to appear, it just wouldn't do anything. There's something weird going on with multiple “Device LCD” instances, and to be honest I don’t really understand how the graphics EFI injection, DSDT tables, and all the various Kexts actually interact.

There’s also the problem of the missing “MXM structure” and badly hacked DCB tables which certainly don’t match the original iMac vbios properly. Given all that, the legacy / fall-back solution often used by linux users seems to be the better option; just poking the back-light registers directly using something like setpci, but we’d need to find them first. Chipsec might come in handy here, I was playing with it to fix PCIE bridge config issues (why the AMD cards need a back-light mod?) but I gave up on brightness control months ago, those $2 PWM modules will do the trick. I’ve attached some SSDT files & random links that looked promising, but I’ll freely admit to being out of my depth on this one. Good luck with it!


Great write-up, but you have linked the wrong version of UEFI Tool, you must use 0.26. The alpha “NE” versions are read only, still very useful because they display the section & driver names instead of just GUID codes but you can’t edit using it yet. That’s one reason your screen-shot looked different to mine, but most dumps will look a bit different anyway, if UEFI Tool can open the file without a load of error warnings then the dump is probably good. Just insert the driver files before the free space in the first BIOS region, as a rule if you don't see a very long list of DXE drivers you're in the wrong section. I’d question the need to install a Linux virtual machine just to use the CH341A, the drivers are available for almost every OS, but whatever works for you!

Now I can see the photo you posted properly I’m afraid it looks like you might have damaged the logic-board, there seems to be a SMD resistor missing next to the EEPROM chip, marked R6100 (and possible damage to R6101). I think those are “pull-up” resistors for the EEPROM which is probably why the iMac won’t POST. If you are very lucky you might be able to repair it by bridging the solder pads with graphite from a pencil, you could try and “draw” a few lines to join the dots! It’s an old over-clocking trick but it has been known to work, if not I’m afraid you’ll need to get the soldering iron out, or just get a new board. I can also see the edge of the EEPROM chip package has been ground off by the clip, even the Pomona clip will struggle to hold onto that now, I suggest laying the iMac down on it’s back to give it a fighting chance. The casualties seem to be mounting up fast here, but I guess we can say they died for science, if that’s any consolation…


If you can see that text the mod might actually be working now, do you see the boot-picker by holding Option / ALT after the chime? (you must use an Apple or any wired keyboard) What is shown in About this Mac? Do all 4 debug LEDs on the logic-board light up? If you don’t post any information it will be hard for people to help you...



I suggest you remove the GPU to test and try and restore the original bootrom backup using Flashrom, but if the back-up file is bad you are going to have a problem, what software did you dump it with? If you PM me the dump and a good photo of the EEPROM chip and I’ll have a look.

Great thx for your info again !
Good luck with all the catch-up work..

So if I understand you correctly, Target display mode is working with the RX580/560 cards.. ?
And it is proberly not a vbios mod, but a bootrom patch issue.. ?

The 2012-2013 iMac's also used kepler cards, perhaps then some bootrom code digging, and loaning something of these models could help us out with target display mode for our kepler cards.. ?
Just wondering this..

Anyway keep up the good work..

 

[tsialex]

Hi Guys,
Thanks Nick for the howto. Great work!

I have successfully modified my bootrom. The dump was created with flashrom and a raspberry pi.
I have also virginised a copy with a clean ME region and it is also blank with no Serial so the serial number can be written with Blank Board Serialiser USB. This means anyone can flash this bootrom and write their own serial number using BBS. The BootRom is the latest version from the 2018-004 Security Update.

EDIT - Both versions here, The MP6 version will have all Diag LEDs lit up on the logic board.

Note: USE OF THESE FILES IS AT YOUR OWN RISK. DO NOT USE THEM UNLESS YOU HAVE A BACKUP OF YOUR CURRENT ROM. MAKE 2 COPIES TO BE SURE. YOU HAVE BEEN WARNED.

Did you noticed that everyone that flashes these dumps will get your MLB and BuildDate and basically will clone your iMac? Check around 7FFF00.

The dump from another persons iMac + BBS is not a solution for the problem since all people will get iMessage/iCloud/Facetime blocked down the road because of all flashed iMacs will be clones, MLB and BB are a lot more important than SSN. You can't leave them empty too.

BBS was never designed with this usage in sight, all Apple new replacement or remanufactured boards have different MLB/BD hardwareIDs from factory.

 

[dolmatovm]

my gtx780m after firmware from Nick [D] vB started without problems. the only thing I did not understand you need to install NVIDIA driver or not? and at all under any conditions will work on full capacity gtx780m?

 

[FlorisVN]

Did you noticed that everyone that flashes these dumps will get your MLB and BuildDate and basically will clone your iMac? Check around 7FFF00.

The dump way + BBS is not a solution for the problem since all people will iMessage blocked down the road because of clones, MLB is more important than SSN.

this is good you mentioned this.
perhaps @duvelhedz could change his shared rom so that we can all still use it.

Good to see you here tsialex..

Perhaps you btw know a way how to get our iMac's in firmware/flashing mode so a 1 click bootrom patch tool can me made somehow/someday.. ?

 

[tsialex]

this is good you mentioned this.
perhaps @duvelhedz could change his shared rom so that we can all still use it.

Good to see you here tsialex..

Perhaps you btw know a way how to get our iMac's in firmware/flashing mode so a 1 click bootrom patch tool can me made somehow/someday.. ?

You all have to use the original dump and inject there, no way around it.

The correct way to do this would be an script/app/whatever that:

1. Dump the original Fsys and Gaid stores and MLB/LBSN sector from the iMac own BootROM
2. Inject both stores and the sector in the most recent generic BootROM, AFAIK, 87.0.0.0.0
3. Inject the needed GOP modules/VBIOS/etc [Updated APFSJumpstart and NVMe modules from Catalina supported iMacs with IvyBridge processors IM13,1 and IM13,2 (no AVX within the modules yet) would be nice too)
4. Flashes it back to the SPI.

I probably forgot something, there are a lot of hardwareIDs and I only have a deep MacPro BootROM knowledge.

This will take considerable development since the only tool that correctly does the injection is UEFITool. All other tools make a mess, that's why a lot of MP4,1/MP5,1 bricked when injecting NVMe modules and MP3,1 bricks with APFS/NVMe injection. Btw, there are eficheck problems too to take into consideration with iMacs that we don't have with Mac Pros earlier than MP6,1 at all.

Maybe a easier way is to make patchers for the GOP/VBIOS/etc part, then do a script to dump and inject the original Fsys/Gaid stores and MLB/LBSN sector like the old MP4,1 to MP5,1 script (just an idea, that tool needs a lot of improvements since it makes Firmware Recuperation CD useless and make another mess with the BootBlock - needs to change the flashing process to flashrom too).

Anyway, I read this thread from time to time and just wanted to share the pitfalls of the cloning process and congratulate @Nick [D]vB.

I’ll update the post when I remember anything.

 

[Nick [D]vB]

Thank you so much! Any chance to buy you a beer for your work? Just send me a link to donate

Thanks! www.unicef.org.uk

LOL IT F$#ING WORKED!

Great! Now if it ain’t broke, just stick some tape over it and pretend it never happened!

and be very careful using that new Pomona clip when it arrives!

So if I understand you correctly, Target display mode is working with the RX580/560 cards.. ?

No, it's the other way around - I don’t think new AMD cards can work,

but the Kepler cards might because they were used in iMacs that have TDM.

You all have to use the original dump and inject there, no way around it.

Anyway, I read this thread from time to time and just wanted to share the pitfalls of the cloning process and congratulate @Nick [D]vB.

Thanks, and great to have your input here. I assumed BBS would just fix all the IDs on a real Mac? (I thought maybe MLB was derived from the MAC address somehow?). But if that is not the case I think it is best for people just to use their own iMac dumps. A patcher tool could be useful for updates though, if we get any more.

I’m interested about the eficheck issues, I guess the MP3/4/5.1 are immune because the update mechanism is so different, but the guys doing NVME upgrades on 2013/14 MBPs don’t seem to have too many problems with it? Sadly I don’t think they ever found a way to write their bootroms using software tools either.

I'm working on a method that will not require a bootrom mod (or bootloader) but I don’t have much time to test it now. I actually found a way to load the NVME driver from the vBIOS EEPROM, but sadly it only works on some cards. It is a shame I didn’t find that out earlier, it might have saved you some trouble fixing those bricked MP bootroms before Apple added NVME support!

I have also tried injecting the vbios into the bootrom (for MXM cards with no EEPROM chip) I tried to copy how this is done on real iMacs but I can’t make it work, I think it might be a device ID strap problem, or maybe some resistors on the graphics card need moving?

When you have time I’d be interested to get you thoughts on the boot-screen “delay” problem, we can fix the problem to get instant bootscreens on UEFI windows drives by using BootCamp control panel, so I am hoping that setting the correct NVRAM variables for MacOS boot drives might fix the delay problem??

It would also be great to have your input on the Ivy Bridge upgrade project to,
MicroCode & ME updates should be do-able but I was thinking that cross-flashing
by fixing-up the iMac 13 bootrom might actually be a better plan?

 

[tsialex]

Thanks! www.unicef.org.uk

Great! Now if it ain’t broke, just stick some tape over it and pretend it never happened!

Just be very careful using that new clip when it arrives!

No, the other way around - I don’t think new AMD cards can work but the Kepler cards might because they were used in iMacs that do support TDM.

Thanks, and great to have your input here. I assumed BBS would just fix all the IDs on a real Mac? (I thought maybe MLB was derived from the MAC address somehow?). But if that is not the case I think it is best for people just to use their own iMac dumps. A patcher tool could be useful for updates though, if we get any more.

I’m interested about the eficheck issues, I guess the MP3/4/5.1 are immune because the update mechanism is so different, but the guys doing NVME upgrades on 2013/14 MBPs don’t seem to have too many problems with it? Sadly I don’t think they ever found a way to write their bootroms using software tools either.

I'm working on a method that will not require a bootrom mod (or bootloader) but I don’t have much time to test it now. I actually found a way to load the NVME driver from the vBIOS EEPROM, but sadly it only works on some cards. It is a shame I didn’t find that out earlier, it might have saved you some trouble fixing those bricked MP bootroms before Apple added NVME support!

I have also tried injecting the vbios into the bootrom (for MXM cards with no EEPROM chip) I tried to copy how this is done on real iMacs but I can’t make it work, I think it might be a device ID strap problem, or maybe some resistors on the graphics card need moving?

When you have time I’d be interested to get you thoughts on the boot-screen “delay” problem, we can fix the problem to get instant bootscreens on UEFI windows drives by using BootCamp control panel, so I am hoping that setting the correct NVRAM variables for MacOS boot drives might fix the delay problem??

It would also be great to have your input on the Ivy Bridge upgrade project to,
MicroCode & ME updates should be do-able but I was thinking that cross-flashing
by fixing-up the iMac 13 bootrom might actually be a better plan?

I’ll answer all your questions later, at work/iPhone now.

About the MLB/BD sector:

AFAIK, MLB is not derived or have any link or interrelation to any other hardwareID, it's old hackintosh tools for MLB generation that used MACAddresses and etc to generate a fake MLB.

MLB is a 17/19 alphanumerical char unique identifier saved in the SPI by the OEM, not Apple, at the manufacture time of the main/logic board. MLB/BD sector is at the end of the BootROM and is not updated by BBS at all, who updates only IDs within the Fsys store of the NVRAM volume.
All remanufactured/replacement boards, non-serialized supplied by Apple, have both MLB and BD from factory. MLB/BD sector is the real identifier that differentiate one Mac from another, not the SSN who is more an “ownership/tracking” one.

Btw, BBS just adds SSN, remanufactured non-serialized replacement boards that had the serial added with BBS still miss the HWC and SON that a pristine iMac have. Another info, the BBS tool that Apple repair centers use adds more info to the Fsys store, to track the repair itself, like SSNP and others. An Apple repaired Mac that had a logic board replacement is easy identified by these new info/IDs. 3rd party people who does the repair itself like some Universities and Corporations don’t have access to the Apple internal version, just to the same leaked ones that we know of.

 

[jmilan0302]

It would also be great to have your input on the Ivy Bridge upgrade project to,
MicroCode & ME updates should be do-able but I was thinking that cross-flashing
by fixing-up the iMac 13 bootrom might actually be a better plan?

I think the iMac 13 uses a different chipset to the 12 though, still will be very interesting to see this. The Ivy Bridge CPUs are more powerful and produce noticeably less heat, that would be a great upgrade especially for the 27" the power supply on those puts out a ton of heat (because of the power needed to run the backlight) and the CPU heatsink is right under it. My 2010 27" iMac makes absolutely no heat at all with the display off but with it on, the power supply gets up to 80c even if the rest of the computer isn't doing much at all.

 

[Borak]

What application brightness control for Nvidia 770m?

 

[LegoNickD]

this is a good one, I asked this question before to Nick.
Nick asked @dosdude1 before this question in the past, about how to put the 2011 imac into flashing mode.
If perhaps dosdude1 or someone else can make this possible somehow, it would indeed be great.

I'm sure dosdude1 has some good knowledge already with flashing bootrom's, since he also made his brilliant apfs rom patcher tool.

Perhaps we can get a nice 1-click bootrom patch tool someday somehow, this would be indeed awesome !

Yea I just checked, looks like the 2010 27 doesn't have (a traditionally accessible) flash mode. Guess that kinda rules out the easy software flash unless someone finds a hidden flash mode or something. I assume whatever way normal bootrom updates work on the App Store is encrypted so that isn't an option. Maybe someone will discover something but unless that happens it looks like the clip is the only option.

How is the current state of backlight mods? I am considering a rx 580 that I have pushed off getting to see how these new developments come along. The easiest option seems to be the one wire but it is far from perfect. I saw at some point that there was work being done with software integration using an Arduino, is that almost as good as dying lights integration as far as keyboard buttons and the hud?
EDIT: Nevermind, just checked the website and it looks like dying light is back for sale! Ill defiantly pick one up since every card has a backlight issue. What is the precess for installing one in an iMac compared to a MacBook?

 

[Nick [D]vB]

There are ways to defeat the write protection on the bootrom, but a clip really is the safest option at the moment. I have software control of the PWM modules working with CoolTerm or a hot-key script, we just need someone to throw together a Qt slider app, which should be very straight forward for those with development experience.

If you connect the PWM module with an FTDI TTL cable / board then the drivers are built into MacOS, but you could also make further use of the CH341A and install its driver. I've had some COM problems on the PWM module with the blue LCD screen (I might just have a duff one), but the 2 channel version works perfectly.

If you just want to use the buttons it has a micro USB port for power (not data) and you can feed the single PWM wire up through the RAM cover. If you only want to use software control you can mount everything internally by running it off the 5v IR sensor interface.

EDIT: Glad to see the DyingLight hasn't died after all! Those PWM modules are a lot cheaper, and don't have the black-out / flicker problem of the DyingLight. Hopefully they can get that firmware bug fixed at some point.

 

[liquidtwitch]

$50 postage to Australia, that's insane for something so small.

 

[Nick [D]vB]

True, but I doubt they realised eBay would have set that price for them.

 

[LegoNickD]

Alright I think I got a mediocre drawing on how to hook up a dying light, did I do it right? the usb data on the ir board is almost certainly wrong but you should just have to test for ground and then go to the opposite side, according to a diagram it goes
USB -
USB +
5V
GND
It would probably be more easy to get ground from the ir plug but id rather not have the thin 3V line run alone. This SHOULD replace ir receiving functionality with a working backlight for amd/nvidia. I see the flickering issue but it looks like that only happens when changing the brightness, a small price to pay for salvation.

Let me know how this looks.

Maybe if someone really wants they can use the board out of an old usb hub to keep ir and use the other ports for other fun internal things.