MP 1,1-5,1 Accessing the hidden MP3,1 BIOS setup utility?

[tsialex]

How can I dump the SPI from within Windows? (Can it even access it?)
Here's a video of how it behaves. https://streamable.com/ew0tc
(Brb, my since making this video my USB 3.0 card isn't starting, Windows reporting it has a problem. I sometimes need to re-seat it in the PCI-E slot).
EDIT: Back. Got it back up again.

Thx for the video, yours is very different from the retail one.

I think flashrom identifies the SPI correctly from macOS, but I never tried to dump it from Windows. Maybe it's easier to just dump it with a Pomona clip. I can hardware dump the SPI from a non-working MP3,1 board that I have at my lab tomorrow.

If the board don't have hardware straps to change the BootROM behaviour, maybe it's some special NVRAM setting inside the 3rd/4th streams of the NVRAM volume, maybe a different hardware descriptor/override. That would be very interesting to check.

 

[lnx64]

I think that is just CSM mode (booting windows)
not sure i've tried booting with no HDD installed in mine with a normal PC card.
I've got several drives installed that aren't in the 4 slots so its more work than I want to mess with right now.

But i'm spinning up my windows 7 install now to see how well I can OC (if it will at all)

I'll be interested in seeing if without an HD if it gives you the same screen with a standard PC card. It's kinda funny it has the VGA font characters to make up the folder icon in the EFI image.
This machine has never booted a single retail OS X copy via EFI. Actually just a thought, maybe this board lacks TPM and that's why OS X refuses to touch it. ?
[automerge]1573534622[/automerge]

Thx for the video, yours is very different from the retail one.

Thanks for confirming this. Because my friends 3,1 doesn't act like this at all, and dumping our ROM's confirm they are the same binary, so something must be on the SPI that's giving it this behavior (or perhaps the board is wired differently that just triggers a different routine). I think I suspect a lacking of TPM to be why it won't boot EFI, but that's based on Windows saying it has no TPM, I don't think Windows is compatible with it, so perhaps something in the NVRAM is triggering the different response.

I have never in the 6 years I left Apple, done a PRAM reset. Perhaps I shouldn't.

 

[tsialex]

I'll be interested in seeing if without an HD if it gives you the same screen with a standard PC card. It's kinda funny it has the VGA font characters to make up the folder icon in the EFI image.
This machine has never booted a single retail OS X copy via EFI. Actually just a thought, maybe this board lacks TPM and that's why OS X refuses to touch it. ?
[automerge]1573534622[/automerge]

Thanks for confirming this. Because my friends 3,1 doesn't act like this at all, and dumping our ROM's confirm they are the same binary, so something must be on the SPI that's giving it this behavior (or perhaps the board is wired differently that just triggers a different routine). I think I suspect a lacking of TPM to be why it won't boot EFI, but that's based on Windows saying it has no TPM, I don't think Windows is compatible with it, so perhaps something in the NVRAM is triggering the different response.

I have never in the 6 years I left Apple, done a PRAM reset. Perhaps I shouldn't.

With a MP5,1 you can't reset the 3rd and 4th streams of the NVRAM with a NVRAM reset, but I'm not certain if the MP3,1 behaves the same.

I'll dump the SPI tomorrow, 2AM here.

 

[lnx64]

Alright, look forward to what you find. Midnight here, time to retreat to music and FM8 for my funtime.

 

[Ludacrisvp]

I set the PLL to a bus speed of 454MHz, so the whole entire system is bus overclocked basically. 454MHz is the fastest you can reliably overclock while being able to still reboot the system. Firmware will fail to execute if you go past this.

I can't even just say 'get FSB' and then 'set FSB' windows just locks up hard, then fans go to max RPM.
(selected the same clock generator chip as you had before doing that)

 

[lnx64]

I can't even just say 'get FSB' and then 'set FSB' windows just locks up hard, then fans go to max RPM.
(selected the same clock generator chip as you had before doing that)

I tried to figure out how that could happen, and the only thing I can replicate is if I use the wrong clock generator selected (with Ultra checked), I can replicate the same thing. SMC freaks out and revs the fans to full tilt and the machine locks up. Only thing I can think of is maybe you have a different PLL. I only figured mine out with trial and error because there's multiple PLL's on the logic board.
(But my cloned HD run on my friends machine also had the overclock script set to run at boot and his overclocked too, so that's really weird.)

 

[netkas]

just launch it in efi shell if it's efi app
otherwise use load command if it's efi module but not app

 

[startergo]

Most of the renames can be emulated with opencore with less possibility of bricking since it is dynamically loading during boot process.

 

[tsialex]

Most of the renames can be emulated with opencore with less possibility of bricking since it is dynamically loading during boot process.

Sure, but some people will prefer some careful edits inside the BootROM one time and a vanilla OS install without any boot loaders forever.

 

[startergo]

Sure, but some people will prefer some careful edits inside the BootROM and a vanilla OS install without any boot loaders.

But then the VMM flag has to be added as well for cat

 

[tsialex]

But then the VMM flag has to be added as well for cat

Why not an EFI module to set it once and forever?

 

[startergo]

This will be similar approach as the ozmosis firmware.

 

[lnx64]

Found this in the 3,1 ROM at: GUID: A6F691AC-31C8-4444-854C-E2C1A6950F92. IFR Extractor shows some interesting bits. Notably the text: "Intel Mobile Calistoga CRB Framework Implementation", and the "For evaluation purposes only!". When Googling this I found this article: https://www.mac-forums.com/forums/apple-notebooks/145446-powerbook-g4-startup.html

This is still present in the 3,1 ROM's released by Apple. I find this kind of digging fascinating because it shows just how much is still buried in the ROM. (and more interesting, that's "mobile", on a desktop). This ROM is cluttered with stuff.

 

[Petri Krohn]

I think these BIOS settings are stored in NVRAM in the variable Setup-EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9. This is the content of the Setup variable on my Mac Pro 3,1:

GUID: ec87d643-eba4-4bb5-a1e5-3f3e36b20da9
Name: "Setup"
Attributes:
    Non-Volatile
    Boot Service Access
    Runtime Service Access
Value:
00000000  00 00 00 00 01 01 01 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  00 00 00 00 00 00 00 00  00 01 02 00 00 00 00 00  |................|
00000060  00 01 01 01 01 02 00 00  00 01 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 01 01 03  07 01 00 01 01 00 01 04  |................|
00000080  02 00 01 00 01 00 01 00  01 00 00 00 00 00 00 00  |................|
00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000220  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000230  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000240  00 00 00 00 00 00 00 00  00 00 00 00 01 00 00 01  |................|
00000250  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000260  00 00 00 00 00 00 00 00  04 00 01 08 00 00 00 00  |................|
00000270  00 00 00 00 04 00 01 08  00 00 01 00              |............    |

This page says the Globally Unique Identifier and the associated variable is used by AMI bios. It contains settings defined in the dumped IFR file.

• Editing system menu vars tool (AMI bios maybe others)

To access all UEFI or NVRAM variables on a Mac, boot into Linux and use the efivar command. You can also see the NVRAM variables as files in the folder /sys/firmware/efi/efivars/. Variables can be created, deleted and modified with the efivarfs filesystem.

Update: There are 60 one-byte variables defined in the IFR file. The EFI Setup variable has 636 bytes (0x27c) in addition to the four-byte header. A quick check shows that all the non-zero values correspond to IFR variables. The bytes that have a value of 3 or more correspond to matching IFR variables. For example, the value 7 at offset 0x78 corresponds to the variable "Set Processor Ratio (20-1)" which should be 7 on my 2.8 GHz Mac Pro 3,1.

 

[lnx64]

That is odd though, that is has variables for AMI, yet the MP3,1 uses Insyde.

 

[Petri Krohn]

What we need is to inject the setup utility back in the ROM and to be able to utilize it.

There is no need to include the BIOS / EFI setup utility in the Mac Pro firmware. All settings can be made from a EFI shell, a EFI program, or from an operating system that starts in EFI mode.

The simplest options is to use the command setup_var from a EFI shell to modify individual variables. For example, the command setup_var 0x78 should return the current value of the variable "Set Processor Ratio (20-1)" which would be 7 on my 2.8 GHz Mac Pro 3,1.

The command setup_var 0x78 6 should set the CPU multiplier to 6 and the processor speed to 2.4GHz.

The setup_var command might be specific to the GUID of the "Setup" variable in NVRAM. The page I linked in my previous post has a download link to an EFI shell with the setup_var command modified to work with firmware that use the "EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9" GUID for their Setup variable. (setup_var.zip - Size: 813.84 KB / Downloads: 4)

It took me a day of googling to figure out what this setup_var command actually is and where it originates from. It is not a part of the default EFI shell created by Intel. The one I linked to is a version of grub2-add-setup_var-cmd.patch. The link to Github is broken, but a copy can be found here.

The file was originally written by Bernhard Froemel in 2009. The original posting of the code is now only available in archive form. The file is actually not even source code, but a diff to some file in the GRUB bootloader. Here are some selected sections of the file:

+/* setup_var.c - InsydeH2o Setup variable modification tool, can modify single
+ *               bytes within the Setup variable */
+/*  (c) 2009 by Bernhard Froemel
+ *
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2002,2003,2005,2006,2007,2008,2009,2008  Free Software Foundation, Inc.

+#define INSYDE_SETUP_VAR        ((grub_efi_char16_t*)"S\0e\0t\0u\0p\0\0\0")
+#define INSYDE_SETUP_VAR_NSIZE        (12)
+#define INSYDE_SETUP_VAR_SIZE        (0x2bc)
+#define INSYDE_SETUP_VAR_GUID        { 0xa04a27f4, 0xdf00, 0x4d42, { 0xb5, 0x52, 0x39, 0x51, 0x13, 0x02, 0x11, 0x3d } }
+#define MAX_VARIABLE_SIZE        (1024)

+    grub_printf(
+"Final warning: YOU MAY BRICK YOUR LAPTOP IF YOU USE THIS TOOL - I TAKE  N O \n");
+    grub_printf(
+"RESPONSIBILITY FOR  Y O U R  ACTIONS.\n");

+    /* scan for Setup variable */
+    grub_printf("Looking for Setup variable...\n");
+    do
+    {
+        name_size = MAX_VARIABLE_SIZE;
+        status = efi_call_3(grub_efi_system_table->runtime_services->get_next_variable_name,
+        &name_size,
+        name,
+        &guid);

Luckily there is a ready-made version of GRUB on Github with the patch included.

A modified grub allowing tweaking hidden BIOS settings.

based on grub with setup_var patch (invalid link now) and setup_var2 patch with setup_var_3 patch as a wordaround to duplicate Setup vairable.

As said in a guide about changing hidden "CFG Lock" BIOS setting, by using a modified GRUB shell, we can change any hidden UEFI BIOS settings. But here comes some errors on my Dell XPS 8930, so I have the shell patched and added a new command setup_var_3 for this situation.

I am still investigating. I did not know there was a EFI shell or any shell included in GRUB and have no idea how to start it.

Note, that setup_var uses GRUB runtime services to access the EFI NVRAM variables. Therefore it needs the ballast of the whole GRUB framework to run. It would be far easier to implement the same functionality in Linux by a Python script that would read and write to the /sys/firmware/efi/efivars/ filesystem.

 

[lnx64]

Now, can we enter an EFI shell from the CSM? In my machine's case it auto boots into CSM and won't actually enter pure EFI mode, and even if I could I'm using a PC video card with no access to a Mac only GPU anymore.

 

[DearthnVader]

There is no need to include the BIOS / EFI setup utility in the Mac Pro firmware. All settings can be made from a EFI shell, a EFI program, or from an operating system that starts in EFI mode.

The simplest options is to use the command setup_var from a EFI shell to modify individual variables. For example, the command setup_var 0x78 should return the current value of the variable "Set Processor Ratio (20-1)" which would be 7 on my 2.8 GHz Mac Pro 3,1.

The command setup_var 0x78 6 should set the CPU multiplier to 6 and the processor speed to 2.4GHz.

The setup_var command might be specific to the GUID of the "Setup" variable in NVRAM. The page I linked in my previous post has a download link to an EFI shell with the setup_var command modified to work with firmware that use the "EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9" GUID for their Setup variable. (setup_var.zip - Size: 813.84 KB / Downloads: 4)

It took me a day of googling to figure out what this setup_var command actually is and where it originates from. It is not a part of the default EFI shell created by Intel. The one I linked to is a version of grub2-add-setup_var-cmd.patch. The link to Github is broken, but a copy can be found here.

The file was originally written by Bernhard Froemel in 2009. The original posting of the code is now only available in archive form. The file is actually not even source code, but a diff to some file in the GRUB bootloader. Here are some selected sections of the file:

+/* setup_var.c - InsydeH2o Setup variable modification tool, can modify single
+ *               bytes within the Setup variable */
+/*  (c) 2009 by Bernhard Froemel
+ *
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2002,2003,2005,2006,2007,2008,2009,2008  Free Software Foundation, Inc.

+#define INSYDE_SETUP_VAR        ((grub_efi_char16_t*)"S\0e\0t\0u\0p\0\0\0")
+#define INSYDE_SETUP_VAR_NSIZE        (12)
+#define INSYDE_SETUP_VAR_SIZE        (0x2bc)
+#define INSYDE_SETUP_VAR_GUID        { 0xa04a27f4, 0xdf00, 0x4d42, { 0xb5, 0x52, 0x39, 0x51, 0x13, 0x02, 0x11, 0x3d } }
+#define MAX_VARIABLE_SIZE        (1024)

+    grub_printf(
+"Final warning: YOU MAY BRICK YOUR LAPTOP IF YOU USE THIS TOOL - I TAKE  N O \n");
+    grub_printf(
+"RESPONSIBILITY FOR  Y O U R  ACTIONS.\n");

+    /* scan for Setup variable */
+    grub_printf("Looking for Setup variable...\n");
+    do
+    {
+        name_size = MAX_VARIABLE_SIZE;
+        status = efi_call_3(grub_efi_system_table->runtime_services->get_next_variable_name,
+        &name_size,
+        name,
+        &guid);

Luckily there is a ready-made version of GRUB on Github with the patch included.



I am still investigating. I did not know there was a EFI shell or any shell included in GRUB and have no idea how to start it.

Note, that setup_var uses GRUB runtime services to access the EFI NVRAM variables. Therefore it needs the ballast of the whole GRUB framework to run. It would be far easier to implement the same functionality in Linux by a Python script that would read and write to the /sys/firmware/efi/efivars/ filesystem.

Interesting stuff, I found a version of the Grub Shell with setup_var and setup_var2 enabled.

It can be launched from within an EFI shell, however when I try and exit the Grub Shell I'm left with no input in my EFI Shell, so I can't boot the macOS to see if any changes made from setup_var have any effect?

 

[lnx64]

I've grabbed an EEPROM programmer and may be able to now dump the NVRAM directly out of curiosity for what makes my non-retail machine boot like a PC, while using standard firmware. I think I need a clip though that I can clip on the chip without removing.

 

[startergo]

I think these BIOS settings are stored in NVRAM in the variable Setup-EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9. This is the content of the Setup variable on my Mac Pro 3,1:

GUID: ec87d643-eba4-4bb5-a1e5-3f3e36b20da9
Name: "Setup"
Attributes:
    Non-Volatile
    Boot Service Access
    Runtime Service Access
Value:
00000000  00 00 00 00 01 01 01 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  00 00 00 00 00 00 00 00  00 01 02 00 00 00 00 00  |................|
00000060  00 01 01 01 01 02 00 00  00 01 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 01 01 03  07 01 00 01 01 00 01 04  |................|
00000080  02 00 01 00 01 00 01 00  01 00 00 00 00 00 00 00  |................|
00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000220  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000230  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000240  00 00 00 00 00 00 00 00  00 00 00 00 01 00 00 01  |................|
00000250  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000260  00 00 00 00 00 00 00 00  04 00 01 08 00 00 00 00  |................|
00000270  00 00 00 00 04 00 01 08  00 00 01 00              |............    |

This page says the Globally Unique Identifier and the associated variable is used by AMI bios. It contains settings defined in the dumped IFR file.

• Editing system menu vars tool (AMI bios maybe others)

To access all UEFI or NVRAM variables on a Mac, boot into Linux and use the efivar command. You can also see the NVRAM variables as files in the folder /sys/firmware/efi/efivars/. Variables can be created, deleted and modified with the efivarfs filesystem.

Update: There are 60 one-byte variables defined in the IFR file. The EFI Setup variable has 636 bytes (0x27c) in addition to the four-byte header. A quick check shows that all the non-zero values correspond to IFR variables. The bytes that have a value of 3 or more correspond to matching IFR variables. For example, the value 7 at offset 0x78 corresponds to the variable "Set Processor Ratio (20-1)" which should be 7 on my 2.8 GHz Mac Pro 3,1.

This is probably the source code:
http://sources.buildroot.org/linux/git/drivers/firmware/efi/efi.c

 

[nos1609]

Looks similar to the xps 9360 IFR for gpu memory fix and undervolt, same stup_var being used

 

[lnx64]

I haven't done much more digging since starting this thread. I honestly decided to ultimately not tinker with this machine too much due to the special nature of it and rarity. So I took some high resolution pictures of it. The always on diagnostic LED's show through the back at all times as well.

I tried clipping my EEPROM programmer on the NVRAM, but was unable to read it, so I decided not to mess with it so I didn't accidentally nuke it and all of a sudden turn it back into a retail machine. I'd rather keep the "debugging" mode it's permanently in. (Seems to run Windows and modern GPU's FAR better in this mode, even booting to CD's without requiring to hold any keys, even with an HD with a bootloader present, so this mode has the CD boot order before the HD).

 

[Larsvonhier]

Ok, but don't test with a MP3,1. The TSOP FWB is hell to reprogram. We can test it easily with MP5,1 SPI.

See my "solution" for this bricking-deadlock problem... ;-)

 

[Petri Krohn]

Found this in the 3,1 ROM at: GUID: A6F691AC-31C8-4444-854C-E2C1A6950F92. IFR Extractor shows some interesting bits. Notably the text: "Intel Mobile Calistoga CRB Framework Implementation", and the "For evaluation purposes only!". When Googling this I found this article: https://www.mac-forums.com/forums/apple-notebooks/145446-powerbook-g4-startup.html

Martin Nobel (YouTube) posted this on the Low End Mac Facebook group today. It shows a iMac 4,1 displaying the Duet Boot Device Selection interface. He says he downgraded his iMac to IM41_0039_00B.fd from Firmware Restoration CD 1.7, after first intentionally corrupting his firmware. He was able to enter the Duet BDS by starting a EFI shell and exiting it.

It seems this interface has only been seen twice in the wild before.

• On a 2005 prototype of a 15 inch Macbook Pro with pre-Yonah Pentium-M CPU.
• An another early iMac, before Apple released Boot Camp and a firmware update with a proper Compatibility Support Module (CSM).

I opened the IM41_0039 firmware file on Firmware Restoration CD 1.7 using UEFITool NE alpha 57. I found the relevant DXE driver using the same GUID as it has in the MP3,1 firmware. UEFITool calls it "DuetBds" for "Boot Device Selection".

I extracted the driver and opened it in Hex Fiend. I then copied all the English language UI strings to a text file. See spoiler:

Spoiler: Intel Mobile Calistoga CRB Framework Implementation - English

eng
English
View Diagnostic Page
Diagnostic Page
Select this to view the platform component details.
Motherboard =
CPU Core Frequency =
FSB Frequency =
Processor Version =
MCU Version = 00000017h
System BIOS Version = NAPA0001.86C.0001.D.0506021732
KSC EC Version =
GM MCH Version =
MCH PM Mode =
Enhanced IGD VBIOS Version =
ICH7-M Version =

Front Page
Intel Mobile Calistoga CRB Framework Implementation
Copyright(c) 1999 - 2005 Intel Corporation. All rights reserved.
FOR EVALUATION PURPOSES ONLY( ! DO NOT DISTRIBUTE ! )

Continue
Select this to boot with the current settings
Select Language
Select this to modify the current language
Boot Manager
Select this to choose one of the current boot options
Boot Maintenance Manager
Select this to modify the EFI boot settings
Device Manager
Select this to modify the system configuration settings (Setup)
Boot process will continue in %d seconds
Missing String
Perform memory test (ESC to skip)
% of the system memory tested OK
Press ESC key to skip memory test
bytes of system memory tested OK
System encounters memory errors
Start boot option
NONE
Boot Maintenance Manager
Boot Options
Modify system boot options
Driver Options
Modify boot driver options
Add Boot Option
Add EFI Application or Removable Fs as Boot Option
Delete Boot Option
Will be valid on next boot
Change Boot Order
Add Driver Option
Add .EFI Driver as Driver Option
Delete Driver Option
Change Driver Order
Set Boot Next Value
Modify next boot behavior
Set Time Out Value
Modify automatic boot time-out value
Console Options
Modify system console options
Console Input Device Select
Enable console device as ConIn
Set Legacy Floppy Drive Order
Set Legacy Hard
Disk Drive Order
Set Legacy CD-ROM Drive Order
Set Legacy NET Drive Order
Set Legacy BEV Drive Order
Console Output Device Select
Enable console device as ConOut
Console Standard Error Device Select
Enable console device as StdErr
COM Attribute Setup Page
Setup ComPort BaudRate, DataBits, StopBits, Parity and TerminalType
Add Driver Option Using File
Add Driver Option Using Handle
Modify Boot Option Description
Modify Driver Option Description
Auto Boot Time-out
Range: 0 to 65535 seconds, 0 means no wait, 65535 means waiting for key
Boot Next Value
Next boot use this boot option
Input the description
Load Option Force Reconnect
Apply Changes
Discard Changes
Set COM Attributes
Set COM Terminal Type
Set COM Baud Rate
Set COM Data Bits
Set COM Parity
Set COM Stop Bits
115200 57600 38400 19200 9600 7200 4800 3600 2400 2000 1800 1200 600 300 150 134 110 75 50 5 6 7 8 None Even Odd Mark Space One One And A Half Two PC_ANSI VT_100 VT_100_PLUS VT_UTF8
Reset System
Go Back To Main Page
Boot From File
Boot system from a file or device
Input Optional Data
Change the order
Disabled File Explorer
Boot Manager�! and �! to change option, ENTER to select an option, ESC to exit
Boot Option Menu
Press any key to continue...
Device Manager
Disk Devices
Video Devices
Network Devices
Input Devices
Motherboard Devices
Other Devices
Press ESC to exit.
Primary Video BIOS
Set primary video BIOS PCI AGP

Evidently the EFI driver modifies the BOOT#### variables in NVRAM to set the boot order. It might also set DRIVER#### variables. This would be useful for loading APFS and NVMe drivers from disk before the Apple BootPicker kicks in.

The EFI module is a driver, so it cannot directly be launched as an application. We still do not know how to start this. Starting the interface has also been discussed in this other thread.

(Google search does not index "####"s so make this easier to find: BootXXXX, DriverXXXX)

Update March 2, 2021: After writing this I noticed that Martin Nobel had posted a video on the topic. The video description links to a blog post from January 2006 with a long discussion thread.

Entering the EFI menu on Intel based iMacs

Now, on to the instructions.
1. Download the EFI Sample Implementation from Intel.
2. Unzip the file to /efi (or anywhere else, but /efi is what I'll be using)
3. In terminal do 'sudo bless --folder /efi --file /efi/Binary/BIOS32/Bin/GraphicsConsole.efi --setBoot'
4. Reboot your computer.
5. You'll get the familiar chime and gray screen, wait about 10 seconds then hit the spacebar.
6. You're now in EFI!

Let's head over to the shell...
1. Select Boot Maintenance Manager
2. Select Boot From File
3. Select the option that begins with "NO FILE SYSTEM INFO", this is your start-up volume
4. Navigate your way to /efi/Binary/BIOS32/SHELLBios32/Shell.efi

These instructions from January 2006 contain two obvious misunderstandings. (They are obvious now, 15 years later.)

1. If the intention is merely to boot the EFI shell, there is no need to use the EFI menu. (Just name the shell /EFI/BOOT/bootia32.efi)
2. The post assumes that GraphicsConsole.efi is an EFI application that displays the Human Interface Infrastructure (HII) forms. In theory such a generic IFR browser can exist, but is not included in the Mac firmware. In reality GraphicsConsole.efi is a EFI driver, not an application. Calling it as an application causes an error situation. The Mac firmware falls back to launching the EFI menu.

 

[startergo]

Martin Nobel (YouTube) posted this on the Low End Mac Facebook group today. It shows a iMac 4,1 displaying the Duet Boot Device Selection interface. He says he downgraded his iMac to IM41_0039_00B.fd from Firmware Restoration CD 1.7, after first intentionally corrupting his firmware. He was able to enter the Duet BDS by starting a EFI shell and exiting it.

View attachment 1737766

It seems this interface has only been seen twice in the wild before.

• On a 2005 prototype of a 15 inch Macbook Pro with pre-Yonah Pentium-M CPU.
• An another early iMac, before Apple released Boot Camp and a firmware update with a proper Compatibility Support Module (CSM).

I opened the IM41_0039 firmware file on Firmware Restoration CD 1.7 using UEFITool NE alpha 57. I found the relevant DXE driver using the same GUID as it has in the MP3,1 firmware. UEFITool calls it "DuetBds" for "Boot Device Selection".

I extracted the driver and opened it in Hex Fiend. I then copied all the English language UI strings to a text file. See spoiler:

Spoiler: Intel Mobile Calistoga CRB Framework Implementation - English

eng
English
View Diagnostic Page
Diagnostic Page
Select this to view the platform component details.
Motherboard =
CPU Core Frequency =
FSB Frequency =
Processor Version =
MCU Version = 00000017h
System BIOS Version = NAPA0001.86C.0001.D.0506021732
KSC EC Version =
GM MCH Version =
MCH PM Mode =
Enhanced IGD VBIOS Version =
ICH7-M Version =

Front Page
Intel Mobile Calistoga CRB Framework Implementation
Copyright(c) 1999 - 2005 Intel Corporation. All rights reserved.
FOR EVALUATION PURPOSES ONLY( ! DO NOT DISTRIBUTE ! )

Continue
Select this to boot with the current settings
Select Language
Select this to modify the current language
Boot Manager
Select this to choose one of the current boot options
Boot Maintenance Manager
Select this to modify the EFI boot settings
Device Manager
Select this to modify the system configuration settings (Setup)
Boot process will continue in %d seconds
Missing String
Perform memory test (ESC to skip)
% of the system memory tested OK
Press ESC key to skip memory test
bytes of system memory tested OK
System encounters memory errors
Start boot option
NONE
Boot Maintenance Manager
Boot Options
Modify system boot options
Driver Options
Modify boot driver options
Add Boot Option
Add EFI Application or Removable Fs as Boot Option
Delete Boot Option
Will be valid on next boot
Change Boot Order
Add Driver Option
Add .EFI Driver as Driver Option
Delete Driver Option
Change Driver Order
Set Boot Next Value
Modify next boot behavior
Set Time Out Value
Modify automatic boot time-out value
Console Options
Modify system console options
Console Input Device Select
Enable console device as ConIn
Set Legacy Floppy Drive Order
Set Legacy Hard
Disk Drive Order
Set Legacy CD-ROM Drive Order
Set Legacy NET Drive Order
Set Legacy BEV Drive Order
Console Output Device Select
Enable console device as ConOut
Console Standard Error Device Select
Enable console device as StdErr
COM Attribute Setup Page
Setup ComPort BaudRate, DataBits, StopBits, Parity and TerminalType
Add Driver Option Using File
Add Driver Option Using Handle
Modify Boot Option Description
Modify Driver Option Description
Auto Boot Time-out
Range: 0 to 65535 seconds, 0 means no wait, 65535 means waiting for key
Boot Next Value
Next boot use this boot option
Input the description
Load Option Force Reconnect
Apply Changes
Discard Changes
Set COM Attributes
Set COM Terminal Type
Set COM Baud Rate
Set COM Data Bits
Set COM Parity
Set COM Stop Bits
115200 57600 38400 19200 9600 7200 4800 3600 2400 2000 1800 1200 600 300 150 134 110 75 50 5 6 7 8 None Even Odd Mark Space One One And A Half Two PC_ANSI VT_100 VT_100_PLUS VT_UTF8
Reset System
Go Back To Main Page
Boot From File
Boot system from a file or device
Input Optional Data
Change the order
Disabled File Explorer
Boot Manager�! and �! to change option, ENTER to select an option, ESC to exit
Boot Option Menu
Press any key to continue...
Device Manager
Disk Devices
Video Devices
Network Devices
Input Devices
Motherboard Devices
Other Devices
Press ESC to exit.
Primary Video BIOS
Set primary video BIOS PCI AGP

Evidently the EFI driver modifies the BOOT#### variables in NVRAM to set the boot order. It might also set DRIVER#### variables. This would be useful for loading APFS and NVMe drivers from disk before the Apple BootPicker kicks in.

The EFI module is a driver, so it cannot directly be launched as an application. We still do not know how to start this. Starting the interface has also been discussed in this other thread.

(Google search does not index "####"s so make this easier to fo find: BootXXXX, DriverXXXX)

If it is an efi driver it can be extracted with the same EFI tool, renamed .efi and loaded with rEFInd/RP/OC as a driver for testing