Downgrading from MacPro5,1 to MacPro4,1 after installing macOS High Sierra

[watkipet]

I'd like to try downgrading from a MacPro5,1 firmware to a MacPro4,1 (for testing). The machine was originally a MacPro4,1. I flashed it to a 5,1 and then installed macOS High Sierra (which updated the firmware in the process). I have both a Sapphire Radeon GTX 580 and an Nvidia GT 120 installed. This is what I've done so far:

Dump the existing MacPro5,1 firmware
I dumped the firmware using dosdude's ROMTool.
In System Information: Hardware Overview -> Boot ROM Version = MP51.0084.B00
My dumped ROM has this for the last jumping point in the LSBN_BD sector:

BF5041EB 1D000000 00000000 00000000 FFFFFFFF FFFFFFFF
FFFFFFFF E802FFFF 0F09E9FB F2000000 78563412 0000FFFF

Install OS X El Capitan on another HD
I made bootable install media in order to install it.

Created a RAM disk with the Mac Pro 2009-2010 Firmware Tool
I downloaded the tool from netkas (May 18 2017). Hopefully this is the correct version of the tool. I downloaded the Mac Pro EFI Firmware Update 1.5 and mounted per the instructions in this post. I ran the tool and picked the "Downgrade to 2009 Firmware" option.

Inside the RamDisk, among other files, are:
MacProEFI2010-2009/EfiUpdaterApp2.efi
MacProEFI2010-2009/MP51_007F_03B_LOCKED.fd

The MacProEFI2010-2009/MP51_007F_03B_LOCKED.fd ROM has this for the last jumping point in the LSBN_BD sector:

BF5041EB 1D000000 00000000 00000000 FFFFFFFF FFFFFFFF
FFFFFFFF A004FFFF 0F09E91B F3000000 78563412 0000FFFF

This is close, but not exactly the same, as what tsialex posted here for a 4,1 ROM.

Everything OK?
Does this all look reasonable? Is it OK that the *.fd file that's going to be used has a name indicative of an earlier version of the firmware than I have loaded? (MP51_007F_03B_LOCKED.fd versus MP51.0084.B00)

 

[tsialex]

The MacEFIRom way to downgrade to 4,1 only works if your Mac Pro has those pre-requisites:

1. 2009/2010 Mac Pro
2. Supported Nehalem Xeon, some Nehalem processors are not supported by the 4,1 firmware.
3. BootROM MP51.007F.B00

You can't downgrade MP51.0084.B00 to MP51.007F.B00, more than one person tested this. The only way is manually reconstructing or MP51.007F.B00, to do the MacEFIRom way, or the MP41.0081.B07 to flash it with ROMTool or with the hidden options (-safetyoff -OVR) of EFIUpdaterApp2.efi.

I can reconstruct either BootROM, but for me to do this, you must have the necessary equipment and the ability to de-solder, program the SPI-Flash with a external programmer and solder it again. I'm not going to do this if you can't repair a brick.

 

[watkipet]

You can't downgrade MP51.0084.B00 to MP51.007F.B00, more than one person tested this. The only way is manually reconstructing or MP51.007F.B00, to do the MacEFIRom way, or the MP41.0081.B07 to flash it with ROMTool or with the hidden options (-safetyoff -OVR) of EFIUpdaterApp2.efi.

I presume this is because EFIUpdaterApp2.efi is going to check to make sure that the ROM being flashed is newer than the one on the machine. Otherwise, you might flash a machine with a ROM which is older than what it's compatible with.

Along these lines, is a manually constructed MP51.007F.B00 ROM one where the internal version has been bumped in order to fool EFIUpdaterApp2.efi into using it on a MP51.0084.B00 machine?

I can reconstruct either BootROM, but for me to do this, you must have the necessary equipment and the ability to de-solder, program the SPI-Flash with a external programmer and solder it again. I'm not going to do this if you can't repair a brick.

That's very generous of you, tsialex. I'm trying to teach myself to fish, so to speak. So I'll try my hand at modifying a 4,1 ROM for use with ROMTool. Then I'll post my results to confirm that I'm on the right track before flashing it. Or if you're still up for making me a ROM, I'll compare the two so I can understand what's going on.

In any case, first I'll:

1. Review your posts where you replaced your ROM
2. Order the parts, Pomona clip, etc. I have a Bus Pirate--I'm not sure if that'll be too slow for programming. I've replaced surface-mount parts before. I'm a bit of a butcher at it, but so long as I'm careful not to pull up a solder-pad, I'll be OK.
3. Make sure I understand the ROM modifications

 

[tsialex]

I presume this is because EFIUpdaterApp2.efi is going to check to make sure that the ROM being flashed is newer than the one on the machine. Otherwise, you might flash a machine with a ROM which is older than what it's compatible with.

Not only that, open EFIUpdaterApp2.efi on a hex editor, you gonna see a list of the supported BootROMs that it accepts.

Along these lines, is a manually constructed MP51.007F.B00 ROM one where the internal version has been bumped in order to fool EFIUpdaterApp2.efi into using it on a MP51.0084.B00 machine?

Without the source code for EFIUpdaterApp2.efi to show how is updated or downgraded BootROMs, everything is based on tests and partial disassembly. I know that downgrade from MP51.0084.B00 don't work, even changing MP51.007F.B00 to a greater version.

Order the parts, Pomona clip, etc. I have a Bus Pirate--I'm not sure if that'll be too slow for programming. I've replaced surface-mount parts before. I'm a bit of a butcher at it, but so long as I'm careful not to pull up a solder-pad, I'll be OK.

Anything is much slower than the 50 MHz that the SPI-Flash is capable of working. I'm using ch341a_spi and it's 1MHz, so 50 times slower than the Mac Pro, more or less 30 min to fully erase/program/verify. Flashrom manual page says BusPirate can work at 8MHz, so it's a lot faster than ch341_spi.

Disclaimer: This can brick your Mac Pro

You have to insert the NVRAM, wipe it first, and the modified last sector on the MP51.007F.B00.LOCKED.fd to make it work with iMessage/FaceTime/iCloud, but if you just want to test, flash the LOCKED.fd file and test what you want to test without iMessage/FaceTime/iCloud, then flash back your original dump.