Status
The first post of this thread is a WikiPost and can be edited by anyone with the appropriate permissions. Your edits will be public.

h9826790

macrumors P6
Apr 3, 2014
16,656
8,587
Hong Kong
That behavior is also after card change not specifically PRAM reset (which implies SMC reset after more than 15 s power off with power cable disconnected). Bear in mind Windows is in EFI mode.

Maybe some of our cMPs really go too far (on the hardware upgrade), and the firmware was never designed to handle that.

e.g. all macOS on the NVMe and only Windows in SATA ports.

Anyway, in my case, all my boot drives are connected to the SATA ports.

Primary boot drive (Mojave, with recovery partition) - MX500 on a TempoSSD card
Backup boot drive (clone of the primary, no recovery partition) - HDD in bay 2
Backup boot drive (High Sierra, no recovery partition) - HDD in bay 1
Windows 10 (legacy) - DGM S3-120A in upper optical bay

From memory, in this setup (with 140.0.0.0.0), after a PRAM reset, the cMP should boot by default to the HS HDD. But since there is only one recovery partition available, if I hold Command + R during boot (after PRAM reset), it can still boot to the SSD's recovery partition. And I can disable SIP, and select my SSD on the next boot.

And after SMC reset (I do that around every 2 weeks due to cleaning), my cMP always boots back to the last selected boot drive (which is the Mojave SSD in my case). It never boots to any other boot drive.
 

eksu

macrumors 6502
Aug 3, 2017
329
151
Is the certificate that Windows (UEFI) puts into your bootrom a cert + key pair, or just a certificate?

I assume the reason we're getting multiple certificate writes is because Windows can't read that the initial certificate is there. But maybe it's something else. I wonder if it would respond better to a different certificate (self-signed or the one Apple uses in newer devices, etc).
 

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
Is the certificate that Windows (UEFI) puts into your bootrom a cert + key pair, or just a certificate?

I assume the reason we're getting multiple certificate writes is because Windows can't read that the initial certificate is there. But maybe it's something else. I wonder if it would respond better to a different certificate (self-signed or the one Apple uses in newer devices, etc).
This is one of the two SecureBoot blobs. If I have time, I'll do a controlled test this weekend to check if it saves anything elsewhere.
 

Attachments

  • SecureBoot.1.bin.zip
    1.9 KB · Views: 238
  • Like
Reactions: eksu

eksu

macrumors 6502
Aug 3, 2017
329
151
Looks like it’s just a DER (binary) encoded certificate (no key) valid from 9/9/2016 until 9/8/2019, labeled Microsoft Secure Boot Variable Signer.

Windows identifies it as ‘code signing’ for what it’s worth.

Are both binary blobs the same or are they different?

If you rename the .bin as .cer you can import it into your windows certificate store. On my machine it says the Root CA is untrusted, but I wonder if it would be trusted on the machine that generated it.

I’m trying to read more about secure boot and how the certificates work, why it’s there.
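
The check described in this post (certificate only, no key, with a validity window) can also be done by walking the DER structure directly. The following is an added example, not code from the thread or from any poster: `classify`, `tlv` and the sample byte strings are hypothetical names, and the samples are constructed, unsigned skeletons with placeholder dates, not the attached blob.

```python
from datetime import datetime, timezone

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):                        # split constructed content into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def classify(blob):
    """Report whether blob is shaped like an X.509 certificate or like key material."""
    tag, val, _ = read_tlv(blob)
    top = children(val) if tag == 0x30 else []
    if top and top[0][0] == 0x02:
        # PKCS#1, PKCS#8, SEC1 and PKCS#12 structures all open with an INTEGER version
        return {"kind": "key-material"}
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature BIT STRING }
    if [t for t, _ in top] == [0x30, 0x30, 0x03]:
        for t, v in children(top[0][1]):
            kids = children(v) if t == 0x30 else []
            # Validity is the SEQUENCE holding exactly two time values
            if len(kids) == 2 and all(k[0] in (0x17, 0x18) for k in kids):
                return {"kind": "certificate", "not_before": parse_time(*kids[0]),
                        "not_after": parse_time(*kids[1])}
    return {"kind": "unknown"}

def tlv(tag, body):                         # short-form encoder for the constructed samples
    return bytes([tag, len(body)]) + body
# Constructed, unsigned skeletons (not the thread's attachment); dates are sample values.
EMPTY = tlv(0x30, b"")
VALIDITY = tlv(0x30, tlv(0x17, b"160909000000Z") + tlv(0x17, b"190908000000Z"))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + EMPTY * 2 + VALIDITY + EMPTY * 2)
SAMPLE_CERT = tlv(0x30, TBS + EMPTY + tlv(0x03, b"\x00"))
SAMPLE_KEY = tlv(0x30, tlv(0x02, b"\x00") + EMPTY + tlv(0x04, b"\x01"))
```

To run it on a real file, pass the file's bytes to `classify`; it inspects structure only and does not verify the signature or the issuing chain.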
 

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
Looks like it’s just a DER (binary) encoded certificate (no key) valid from 9/9/2016 until 9/8/2019, labeled Microsoft Secure Boot Variable Signer.

Windows identifies it as ‘code signing’ for what it’s worth.

Are both binary blobs the same or are they different?

If you rename the .bin as .cer you can import it into your windows certificate store. On my machine it says the Root CA is untrusted, but I wonder if it would be trusted on the machine that generated it.

I’m trying to read more about secure boot and how the certificates work, why it’s there.
The same.
Screen Shot 2018-12-20 at 16.41.08.png

I think T2 certificates and Apple SecureBoot ones are not exactly related with this MP5,1 EFIxUEFI problem.
 

bsbeamer

macrumors 601
Sep 19, 2012
4,313
2,713
Theoretically, would an Apple macOS machine with a "T2/T3/TX security enclave processor chip" running Windows be allowed to write files here, or would there be restrictions for JUST macOS use because it lacks a handshake with the processor/chip? Can this portion be write-protected in any way to allow ONLY macOS to touch and/or prevent Windows from constantly writing or adding with updates? Seems Windows and/or Windows Updates are what is corrupting for so many, but maybe I'm wrong.

I've never personally run into this issue or a corrupted BootROM, or an issue applying or installing firmware updates. My personal authentic MacPro5,1 machine has never directly booted Windows, however. Have installed multiple macOS versions and MANY different system boot drives (or single drives with MANY partitions) throughout the past 7+ years. Have only installed Windows VM's on external drives or drive partitions.
 

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
Theoretically, would an Apple macOS machine with a "T2/T3/TX security enclave processor chip" running Windows be allowed to write files here, or would there be restrictions for JUST macOS use because it lacks a handshake with the processor/chip? Can this portion be write-protected in any way to allow ONLY macOS to touch and/or prevent Windows from constantly writing or adding with updates? Seems Windows and/or Windows Updates are what is corrupting for so many, but maybe I'm wrong.

I've never personally run into this issue or a corrupted BootROM, or an issue applying or installing firmware updates. My personal authentic MacPro5,1 machine has never directly booted Windows, however. Have installed multiple macOS versions and MANY different system boot drives (or single drives with MANY partitions) throughout the past 7+ years. Have only installed Windows VM's on external drives or drive partitions.
There are 3 different types of Mac here:

  1. EFI Macs still supported (MP5,1)
  2. UEFI Macs with Intel ME
  3. UEFI Macs with Intel ME + T2 + Security Enclave
With 1, our problem, Windows writes everywhere into the NVRAM.

With 2, Intel ME limits a lot what can be modified, no low-level config data like MAC addresses can be modified, you have to reset/deactivate Intel ME to change it.

With 3, Windows has the Intel ME limitations and T2 validation, so any modification is detected at initialisation and Windows never gets to the data in the Security Enclave.

Btw, 2018 Macs have even more security features. If I remember correctly, no more SPI flash and the BootROM is loaded from T3. Some very high end servers have the same type of BootROM security, Apple is not the first to do this.
 

roto1231

macrumors member
Apr 13, 2009
36
10
USA
Try booting 10.13.6, then opening the full Mac App Store installer for Mojave (the current one, 10.14.2).
I followed the process of installing 10.3.6 and “started” the install of 10.14.2 to get the firmware prompt. Ran a successful firmware install (rebooted and DVD Drive opened). I then restarted into Mojave and I now see BOOTRom 140.00.
Yesterday I installed two SATA SSDs from a W10 PC into my Mac Pro SATA bays, to backup user files and erase the SSDs. Inadvertently, as I was using a RX-580, my Mac Pro booted from one of the Windows SSDs.

Look what I got:

View attachment 811591

So, some things that I noticed with this fiasco:

  • My Mac Pro booted over the SATA SSDs even with my SSD7101A/970Pro installed. So, the SATA bays have precedence into the boot order, even if my 970Pro was selected as the default boot drive.
  • I couldn't control the boot order with a non Mac EFI GPU, I had to install my GTX 680 to boot back into my 970Pro using the boot selector.
  • Just two boots with UEFI W10 and two SecureBoot certificates.
Well, they booted from those drives because the onboard SATA ports on your MacPro have priority over any drive in a PCIe slot. It’s an architecture design that will give them priority that is more than likely hard coded into the firmware. Hello
 

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
I followed the process of installing 10.3.6 and “started” the install of 10.14.2 to get the firmware prompt. Ran a successful firmware install (rebooted and DVD Drive opened). I then restarted into Mojave and I now see BOOTRom 140.00.
140.0.0 you get from early High Sierra and previous OSX versions, with 10.13.6/Mojave you will see the full EFI version: 140.0.0.0.0.
 

Chicago Keri

macrumors newbie
Dec 23, 2018
23
16
I have been following this thread for many weeks, which led to another successful Bootrom update on a 2010 Mac Pro 5.1 to 140.0.0.0.0 and Mojave, thus extending the useful life of my main projects machine.
Am now happily booting on an Intel 760p 1tb instead of the old Samsung 951? Many thanks to tsialex for all of the advice throughout.

Unrelated, Mojave runs great with a Radeon RX550 or an RX570.

added: a Powercolor Radeon RX550 2gb worked on loan until I got the 4gb RX570. Of course neither has boot screen support. Am keeping the previous Apple brand HD5870 just in case..
 
Last edited:
  • Like
Reactions: Count--Zero

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
I have been following this thread for many weeks, which led to another successful Bootrom update on a 2010 Mac Pro 5.1 to 140.0.0.0.0 and Mojave, thus extending the useful life of my main projects machine.
Am now happily booting on an Intel 760p 1tb instead of the old Samsung 951? Many thanks to tsialex for all of the advice throughout.

Unrelated, Mojave runs great with a Radeon RX550 or an RX570.
Thx for the report.

BTW, seems that RX-550 support is a hit or miss, some say that it worked, some say that it never gets any output working.

For me, since it’s not so much cheaper than a RX-560, it is better to just get the recommended one than try to find a RX-550 that works correctly.
 

t8er8

macrumors 6502
Dec 4, 2017
252
100
Quebec, Canada
Hey can anyone link me a compatibility list for M.2 PCIe SSDs and their PCIe cards on BR 140? I can't find it anywhere. Thanks

also happy holidays!
 

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
Some days ago, people here started to get in contact via PM about Apple rejecting iMessage log-ins with 10.14.2.

Today @handheldgames sent his BootROM, for which Apple rejected iMessage logins, and I checked it against one I reconstructed for his Mac Pro. Seems that Apple now is validating the checksum of the 3rd stream of the NVRAM.

If someone is having iMessage problems, get in contact - I'd like to confirm this with a bigger sample.
 

sailmac

macrumors 6502
Jan 15, 2008
333
89
I recently acquired a 5,1 running Sierra 10.12.6 with Boot ROM MP51.007F.B03.

First I upgraded to High Sierra 10.13.6 which induced a firmware update to MP51.0089.B00.

Then I used a slightly modified version of the RecoveryHDMeta method described in posts #1 and #1570

1. Used Pacifist to open RecoveryHDMeta.dmg.pkg then extract RecoveryHDMeta.dmg
2. Double-clicked RecoveryHDMeta.dmg to mount it
3. Double-clicked BaseSystem.dmg to mount it
4. Double-clicked Install macOS Mojave Beta.app to trigger the firmware update
5. Followed the screen instructions. When Shutdown appeared I clicked it
6. Waited 10 seconds
7. Pressed power button and kept holding - listened for the long beep (it’s after the power light starts flashing) then held another 3 seconds then released (about the same time as I saw the white screen on monitor)
8. Allowed system to auto reboot

At that point the system had firmware 140.0.0.0.0. I continued using High Sierra 10.13.6.

I installed an IOCrest carrier in PCIe slot 2 with a 256GB Samsung 970 Evo NVMe for boot and a 1TB 970 Evo NVMe for users. The 256GB drive achieves 1500/2800 MB/sec W/R and the 1TB drive gets 2500/2800. I’m using Innie so the drives appear internal.

Super thanks to tsialex and cheers to everyone who has contributed!
 
  • Like
Reactions: JedNZ

krishnaM

macrumors regular
Sep 26, 2014
210
12
Hi tsialex,
I have currently both GT120 and AMD580 cards installed in my cMP. Can I upgrade bootrom from MP51.0089.B00 to 140.0.0.0.0 with both cards installed or do I have to pull out the GT120 first? I keep my mac inside desk cabinet and I'll have to disconnect everything to remove the GT120. I am planning just to upgrade the firmware only for now and continue with High Sierra. I know Mojave is not going to work with both cards installed. Thanks in advance for your help.

Krishna
 

h9826790

macrumors P6
Apr 3, 2014
16,656
8,587
Hong Kong
Hi tsialex,
I have currently both GT120 and AMD580 cards installed in my cMP. Can I upgrade bootrom from MP51.0089.B00 to 140.0.0.0.0 with both cards installed or do I have to pull out the GT120 first? I keep my mac inside desk cabinet and I'll have to disconnect everything to remove the GT120. I am planning just to upgrade the firmware only for now and continue with High Sierra. I know Mojave is not going to work with both cards installed. Thanks in advance for your help.

Krishna

You have to remove the GT120 if you use the native method.
 

bplein

macrumors 6502a
Jul 21, 2007
538
197
Austin, TX USA
It appears that the instructions for non-Metal 5,1s do not work any longer. The download for RecoveryHDMeta.dmg is the latest Mojave installer and opening it up doesn't show the beta version. When running from High Sierra, you get stopped at the Metal check.

Any thoughts at a workaround? I am at BIOS MP51.88Z.0084.B00.1708080528 (as noted under Ubuntu, I am running that OS these days. I installed High Sierra on a spare drive to get it to that level). I have a GT120.

====

edited later: I'll go back to High Sierra and see if later updates will get a newer version. I didn't do any software updates on HS.
 

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
It appears that the instructions for non-Metal 5,1s do not work any longer. The download for RecoveryHDMeta.dmg is the latest Mojave installer and opening it up doesn't show the beta version. When running from High Sierra, you get stopped at the Metal check.

Any thoughts at a workaround? I am at BIOS MP51.88Z.0084.B00.1708080528 (as noted under Ubuntu, I am running that OS these days. I installed High Sierra on a spare drive to get it to that level). I have a GT120.
You are mistaken, you always needed METAL GPUs to install 138/139/140.0.0.0.0. Without a METAL GPU you can install up to MP51.0089.B00, using the full Mac App Store installer for 10.13.6.
 

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
I'll go back to High Sierra and see if later updates will get a newer version. I didn't do any software updates on HS.
Mac Pros don't upgrade firmware with software upgrades like other supported Macs, only with full Mac App Store installers.

Read the first post, MP5,1: What you have to do to upgrade to Mojave, all info about how to upgrade the firmware is there.
 
Last edited by a moderator:

Flocarino

macrumors 6502
Jun 4, 2010
260
38
Montreal, Canada
Is it possible to have Mojave 10.14.2 with still bootrom/firmware MP51.0089.B00 ?
It is in an actual dual 2.4ghz cMP 2010 5.1 with a Nvidia Quadro card.
I thought the firmware has to be flashed to 138.0.0.0.0 when you upgrade to Mojave first thing???
Any input is appreciated. Thank you.
 

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
Is it possible to have Mojave 10.14.2 with still bootrom/firmware MP51.0089.B00 ?
It is in an actual dual 2.4ghz cMP 2010 5.1 with a Nvidia Quadro card.
I thought the firmware has to be flashed to 138.0.0.0.0 when you upgrade to Mojave first thing???
Any input is appreciated. Thank you.

I did a rapid test some time ago and you can run Mojave with MP51.0089.B00, if you use another Mac Pro to install or downgrade after Mojave is installed. Mojave won't install with it. 10.14.0 will force you to upgrade to 138.0.0.0.0 before installing, 10.14.1 to 140.0.0.0.0.

Please note that I did a rapid test and don't know if there is any problem running Mojave with MP51.0089.B00 in the long term.
 