MP 1,1-5,1 MacPro5,1: BootROM thread | 144.0.0.0.0

[jensd]

The questions I have:
- Am I safe, just going through the process on a regular basis?
- If not, am I safe monitoring the contents of the bootrom and flashing the backup if it grows?
In this case, won't I wear out the flash?
- I see a lot of entries in the bootrom and do not have any previous backup... How much is too much?
- Any chance anyone could help, or better, provide a guide on how to clean up the bootrom?
- Any other options to avoid using EFI mode to run Windows of a NVME SSD?
- Any options to prevent Windows from writing to the bootrom?

Bit strange to quite myself but I've been reading more and looks like I just kind of gave up before find a, from what I see, solution for my issue.

First four questions remain but all come down to the fact that I should prevent writing to the bootrom as much as possible if I get it right. The fact that Windows is writing certificates there is not necessary breaking the system but because it happens often, it will eventually brick the bootrom (correct me if I'm wrong here).

The next one, regarding booting Windows from a NVME SSD using MBR/BIOS mode seems impossible. It's causing issues on non-Mac systems as well and always needs a (dirty) workaround. So in short, it is not possible without using EFI/UEFI boot...

Last one, is the most interesting one I think. I read here (just didn't get this far yet in the topic when writing my previous post) that OpenCore can protect the bootrom, preventing Windows from writing the secureboot certificates to it.
I kind of avoided OpenCore because somehow I thought it was a complex installation process. Boy, was I wrong...
After confirming that, indeed OC prevents writing to the bootrom, I gave it a try. Two minutes later, I had it working

As a test, I first removed the secureboot certificates using the 4x PRAM/NVRAM reset as explained above. Then booted into Windows multiple times and went through a setup. The result: no changes in the bootrom dump

Really hope I understood and got this right but the solution for me seems to be:
Old SATA HD, with Mac + OpenCore and Windows in EFI mode on the NVME SSD.
This should give me the full speed on Windows without any risk of bricking the beloved Mac Pro 5,1

 

[tsialex]

Pretty new on Mac pro's but I guess I fell in love with the possibilities these boxes still have in 2020
I have a 4,1, upgraded to 5,1 with 48GB RAM, dual X5670 and a RX580.

My last upgrade, recently, was to purchase a PCIe NVME card + Evo 970. As I noticed that can do ~1500MB/s while a regular SSD through SATA 2 goes only up to ~200MB/s.

To my surprise it is nearly impossible (at least I did not find it so far) to get Windows to boot natively from the NVME SSD using MBR mode (**see below)

Hence I started to read/investigate about the issues with the secureboot certificates.

So far I installed Windows multiple times using EFI mode, on a SATA SSD and also the NVME SSD (which works fine).
As I started to worry regarding this issue, I took a dump of the rom and went through it with binwalk:

To my surprise, and contrary to what I read here, going through 4 times NVRAM reset (Cmd/option P+R and waiting for 4 chimes), the certificates were removed.
This is a dump I took right after going through the process:

The questions I have:
- Am I safe, just going through the process on a regular basis?
- If not, am I safe monitoring the contents of the bootrom and flashing the backup if it grows?
In this case, won't I wear out the flash?
- I see a lot of entries in the bootrom and do not have any previous backup... How much is too much?
- Any chance anyone could help, or better, provide a guide on how to clean up the bootrom?
- Any other options to avoid using EFI mode to run Windows of a NVME SSD?
- Any options to prevent Windows from writing to the bootrom?

Thanks for having a look at this.

**Just FYI, what I tried to avoid running Windows on the NVME SSD using EFI mode:
- Tried to run install using boot from CD -> message that Windows cannot be installed on this disk
- Clonezilla copy of my SATA SSD with Windows in MBR -> Not bootable (error message)
- WinToUSB copy of my SATA SSD with Windows in MBR -> Not bootable (error message)
- Install Windows on a SATA HD, adding entries for the clone using bcdedit (works for SATA SSD, not for NVME)
- Install Linux (Debian) on a SATA HD, adding entries using GRUB (both manual and automatic) -> can't find boot device
- Install rEFInd -> can't boot from the cloned volume, works find for a SATA SSD clone
- Install nextloader -> same as rEFInd
- More variations on the above...

I'm on my phone so I'm not going to directly answer all the questions of your post, but you are looking at just one symptom of a much large/serious problem that I wrote several times, **X.509s are a red herring**.

It's not the Windows SecureBoot X.509 certificates/database/PKs that kills the BootROM, it just take too much space and exacerbate the real problem, NVRAM volume corruption that is caused by entries/variables/etc not being erased anymore. The NVRAM volume corrupts when entries from the first store invade the second one - MP5,1 NVRAM is very tiny for today's standards. This happens earlier with Macs that have dual CPU trays, since they have two times the quantity of MemoryConfig and DIMM SPDs dumps inside the NVRAM volume. NVIDIA GPUs that need WEBDRIVERS are another thing that makes it easier to trigger the corruption, since older WEBDRIVERS versions stored an enormous binary blob inside the first and second stores. Sum both and you easily corrupts the NVRAM over time, that's why some people bricked earlier than most here.

The multiple sequentially clear NVRAM process don't solve the real underlying problem, since it's just the X.509 certificates that are erased and the SecureBoot DBs/PKs and all the cruft stored over the years are kept in the first and second NVRAM volume stores.

Btw, it's not just corruption that kills the BootROM, the NAND cell wear is another very serious problem and that's why I warn to always replace the SPI with a brand new one when you desolder it.

 

[DocSnow]

Hey tsialex,

waiting for your PM.

Best

 

[tsialex]

Hey tsialex,

waiting for your PM.

Best

I'll send you when I'm home later tonight, can't post from work.

 

[Norbert Mikołajczyk]

Hi tsialex,

today I was updating my Mac Pro 4.1@5.1 to 144.0.0.0 firmware and it failed.
earlier I successfully updated to 5.1 firmware and I did the high sierra update.
I downloaded the latest Mojave’s, inserted flashed gtx680, checked if I have the screen and then I proceeded to 144.0.0.0 firmware update.
after the restart it hanged on the GREY screen, no progress bar and the red light was on in dimm lights for one of the memory sticks. I restarted mp and it won’t boot again, black screen all the way, I checked the diagnostic leds and Efi leds are not burning.
i tried PRAM And Nvram resets and nothing works.

is the mattcard the only solution without desoldering?
i have original 4.1 rom dump if it helps.
are you from Europe maybe?
thanks!

 

[Borowski]

Second solution could be reflashing with programmer-clip, in most cases it requires external power, the peripheral components will draw to much power from programmer.
I didn't test it yet, desoldering+flashing is the easiest way for me.

 

[Macschrauber]

Hi tsialex,

today I was updating my Mac Pro 4.1@5.1 to 144.0.0.0 firmware and it failed.
earlier I successfully updated to 5.1 firmware and I did the high sierra update.
I downloaded the latest Mojave’s, inserted flashed gtx680, checked if I have the screen and then I proceeded to 144.0.0.0 firmware update.
after the restart it hanged on the GREY screen, no progress bar and the red light was on in dimm lights for one of the memory sticks. I restarted mp and it won’t boot again, black screen all the way, I checked the diagnostic leds and Efi leds are not burning.
i tried PRAM And Nvram resets and nothing works.

is the mattcard the only solution without desoldering?
i have original 4.1 rom dump if it helps.
are you from Europe maybe?
thanks!

I can do all the song and dance if you send me your logic board, am in Europe. The 4.1 dump helps all the way, a 5.1 Rom can be constructed from it. I'd change the flash IC to a new one.

People tried clips and failed, btw.

 

[Norbert Mikołajczyk]

Guys, thanks. One more thing, when I try to press and hold power button to run the firmware update again and again, the power light blinks, no chime but dvd opens and the black screen. is that a good sign? Maybe it’s not bricked?

 

[Macschrauber]

You can try the firmware restoration CD
[automerge]1601242671[/automerge]

Firmware Restoration CD 1.9

not sure you need for 4.1 (1.8) or for 5.1 (1.9)

 

[Norbert Mikołajczyk]

You can try the firmware restoration CD

Well i don’t have it, I’ll try to make one if possible, but I read somewhere that the downgrade is not possible for Frankenstein 4.1@5.1 Netkas firmware...

 

[tsialex]

Well i don’t have it, I’ll try to make one if possible, but I read somewhere that the downgrade is not possible for Frankenstein 4.1@5.1 Netkas firmware...

One of the adverse effects of an early-2009 Mac Pro that was cross-flashed to MP5,1 firmware with Netkas forum method is that Firmware Restoration CDs don't work anymore since the BootBlock is messed up, being part MP4,1 and part MP5,1. Won't work with 1.8 or 1.9.

Clips unfortunately don't work, myself and several people with large experience tried to make it work even powering the board with different ways to overcome the power draw, see my posts around September 2018. Just one user here wrote that he miraculously got it working with a clip…

 

[Melbourne Park]

It's not the Windows SecureBoot X.509 certificates/database/PKs that kills the BootROM, it just take too much space and exacerbate the real problem, NVRAM volume corruption that is caused by entries/variables/etc not being erased anymore. The NVRAM volume corrupts when entries from the first store invade the second one - MP5,1 NVRAM is very tiny for today's standards. This happens earlier with Macs that have dual CPU trays, since they have two times the quantity of MemoryConfig and DIMM SPDs dumps inside the NVRAM volume. NVIDIA GPUs that need WEBDRIVERS are another thing that makes it easier to trigger the corruption, since older WEBDRIVERS versions stored an enormous binary blob inside the first and second stores. Sum both and you easily corrupts the NVRAM over time, that's why some people bricked earlier than most here.

Hmm you are making me nervous. My 5,1 I thought was almost a "virgin". I haven't upgraded the CPUs yet, and while its got lots of drives in its Sata ports, its ROM is MP51.007F.B03, which earlier you said was original.

My machine is a 2010 but was first turned on in late 2012. Apple ran them out due to the 2012 model, the prices were great. However I have had Windows 7 on it, and then upgraded for free to Windows 10. And last year without any changes, now when I boot into Windows, it doesn't fully boot Windows. I've tried to recover it and it fails. I do have the original 7 disk and I could ring Microsoft for the serial number they gave me for the free 10 upgrade. I also have another system 10 Windows disk never used, so i could use that for another install, and use the serial number from Microsoft (if they give it to me!). But I am concerned whether Windows might be filling up my ROM chip. Fortunately I've only ever used the 5770 and am looking to upgrade when I go to eventually 10.14 in order to have NVMe drives.

Should I forget about windows in order to protect my ROM?

 

[tsialex]

Hmm you are making me nervous. My 5,1 I thought was almost a "virgin". I haven't upgraded the CPUs yet, and while its got lots of drives in its Sata ports, its ROM is MP51.007F.B03, which earlier you said was original.

My machine is a 2010 but was first turned on in late 2012. Apple ran them out due to the 2012 model, the prices were great. However I have had Windows 7 on it, and then upgraded for free to Windows 10. And last year without any changes, now when I boot into Windows, it doesn't fully boot Windows. I've tried to recover it and it fails. I do have the original 7 disk and I could ring Microsoft for the serial number they gave me for the free 10 upgrade. I also have another system 10 Windows disk never used, so i could use that for another install, and use the serial number from Microsoft (if they give it to me!). But I am concerned whether Windows might be filling up my ROM chip. Fortunately I've only ever used the 5770 and am looking to upgrade when I go to eventually 10.14 in order to have NVMe drives.

Should I forget about windows in order to protect my ROM?

If you upgraded Windows 10 from Windows 7, you probably still have BootCamp, no?

If so, it's CSM and you don't have SecureBoot, but you can't use NVMe. Windows 10 with MP5,1 is a compromise choice, you have to really analyse what will work better for you.

Sent you a PM.

 

[freddomseven]

Can someone point me in the right direction please as Ive spent hours trying to update my Mac Pro from MP51.089.B00 to 144.0.0.0.0
Its already been updated from 4,1 - 5,1
I'd originally used the dos dudes Mojave download, so understood why that wasnt working
But even after downloading the original Mojave from Apple links on here and holding down power button til its completed flashing
Once booted, it still reads MP51.089.B00
Im running a Saphire RX 580 8 GB GPU and wondering about the whole EFI thing and if i need to do something else to get it to work with that card
The GPU works fine in this Mojave install it just won't update to latest Firmware
Could you please advide or point me in the right direction link wise ?
I feel i might be missing something ?

I used my Macbook Pro to load Mojave onto an external SSD which i installed in Mac Pro if that helps in any way
I know there was a way to go about it via High Sierra, but I also read that you can do it from within Mojave

Many thanks

 

[tsialex]

Can someone point me in the right direction please as Ive spent hours trying to update my Mac Pro from MP51.089.B00 to 144.0.0.0.0
Its already been updated from 4,1 - 5,1
I'd originally used the dos dudes Mojave download, so understood why that wasnt working
But even after downloading the original Mojave from Apple links on here and holding down power button til its completed flashing
Once booted, it still reads MP51.089.B00
Im running a Saphire RX 580 8 GB GPU and wondering about the whole EFI thing and if i need to do something else to get it to work with that card
The GPU works fine in this Mojave install it just won't update to latest Firmware
Could you please advide or point me in the right direction link wise ?
I feel i might be missing something ?

I used my Macbook Pro to load Mojave onto an external SSD which i installed in Mac Pro if that helps in any way
I know there was a way to go about it via High Sierra, but I also read that you can do it from within Mojave

Many thanks

Read the first post, pay attention on the notes, there are several pitfalls.

MP5,1: What you have to do to upgrade to Mojave (BootROM upgrade instructions thread)

Please fully read this first post, you will probably find that you have one or more problems described into the various notes below. Mojave will only install if you have upgraded your BootROM to the current release and your Mac Pro have a Metal capable GPU*. If you are trying to install Mojave...

forums.macrumors.com

 

[freddomseven]

Read the first post, pay attention on the notes, there are several pitfalls.

MP5,1: What you have to do to upgrade to Mojave (BootROM upgrade instructions thread)

Please fully read this first post, you will probably find that you have one or more problems described into the various notes below. Mojave will only install if you have upgraded your BootROM to the current release and your Mac Pro have a Metal capable GPU*. If you are trying to install Mojave...

forums.macrumors.com

Thanks for that
Ive read it and re read it several times
so I’m now just gone install high Sierra on an ssd, then put in Mac pro and try install Mojave from that and hope that works as I’ve not gained anything from your recommendation

 

[trifero]

Thanks for that
Ive read it and re read it several times
so I’m now just gone install high Sierra on an ssd, then put in Mac pro and try install Mojave from that and hope that works as I’ve not gained anything from your recommendation

You mean you wont install High Sierra in the Mac Pro properly?

 

[HuRR]

@tsialex, was reading through this thread and wanted to get your input. Am I screwed? I have a Windows 10 install on an SSD using OpenCore. I don't see any certificates but I was wondering about the XML 1.0. Am I screwed?

0             0x0             UEFI PI Firmware Volume, volume size: 524288, header size: 1, revision: 0, EFI Firmware File System, GUID:
24972         0x618C          CRC32 polynomial table, little endian
35787         0x8BCB          mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
524288        0x80000         UEFI PI Firmware Volume, volume size: 524288, header size: 1, revision: 0, EFI Firmware File System, GUID:
549260        0x8618C         CRC32 polynomial table, little endian
560075        0x88BCB         mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
1048576       0x100000        UEFI PI Firmware Volume, volume size: 16384, header size: 1, revision: 0, EFI Firmware File System, GUID:
1064960       0x104000        UEFI PI Firmware Volume, volume size: 49152, header size: 1, revision: 0, GUID:
1065216       0x104100        Intel x86 or x64 microcode, sig 0x000106a5, pf_mask 0x03, 2018-05-11, rev 0x001d, size 12288
1077504       0x107100        Intel x86 or x64 microcode, sig 0x000206c0, pf_mask 0x13, 2009-08-20, rev 0x-ffea, size 8192
1085696       0x109100        Intel x86 or x64 microcode, sig 0x000206c2, pf_mask 0x03, 2018-05-08, rev 0x001f, size 11264
1114112       0x110000        UEFI PI Firmware Volume, volume size: 16384, header size: 1, revision: 0, EFI Firmware File System, GUID:
1130496       0x114000        UEFI PI Firmware Volume, volume size: 49152, header size: 1, revision: 0, GUID:
1130752       0x114100        Intel x86 or x64 microcode, sig 0x000106a5, pf_mask 0x03, 2018-05-11, rev 0x001d, size 12288
1143040       0x117100        Intel x86 or x64 microcode, sig 0x000206c0, pf_mask 0x13, 2009-08-20, rev 0x-ffea, size 8192
1151232       0x119100        Intel x86 or x64 microcode, sig 0x000206c2, pf_mask 0x03, 2018-05-08, rev 0x001f, size 11264
1179648       0x120000        UEFI PI Firmware Volume, volume size: 196608, header size: 1, revision: 0, Variable Storage, GUID:
1209508       0x1274A4        XML document, version: "1.0"
1210387       0x127813        XML document, version: "1.0"
1234384       0x12D5D0        XML document, version: "1.0"
1343538       0x148032        bzip2 compressed data, block size = 100k
1376256       0x150000        UEFI PI Firmware Volume, volume size: 2686976, header size: 1, revision: 0, EFI Firmware File System, GUID:
4063232       0x3E0000        UEFI PI Firmware Volume, volume size: 65536, header size: 1, revision: 0, GUID:
4128768       0x3F0000        UEFI PI Firmware Volume, volume size: 65536, header size: 0, revision: 0, Apple Boot Volume, GUID:

 

[tsialex]

@tsialex, was reading through this thread and wanted to get your input. Am I screwed? I have a Windows 10 install on an SSD using OpenCore. I don't see any certificates but I was wondering about the XML 1.0. Am I screwed?

0             0x0             UEFI PI Firmware Volume, volume size: 524288, header size: 1, revision: 0, EFI Firmware File System, GUID:
24972         0x618C          CRC32 polynomial table, little endian
35787         0x8BCB          mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
524288        0x80000         UEFI PI Firmware Volume, volume size: 524288, header size: 1, revision: 0, EFI Firmware File System, GUID:
549260        0x8618C         CRC32 polynomial table, little endian
560075        0x88BCB         mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
1048576       0x100000        UEFI PI Firmware Volume, volume size: 16384, header size: 1, revision: 0, EFI Firmware File System, GUID:
1064960       0x104000        UEFI PI Firmware Volume, volume size: 49152, header size: 1, revision: 0, GUID:
1065216       0x104100        Intel x86 or x64 microcode, sig 0x000106a5, pf_mask 0x03, 2018-05-11, rev 0x001d, size 12288
1077504       0x107100        Intel x86 or x64 microcode, sig 0x000206c0, pf_mask 0x13, 2009-08-20, rev 0x-ffea, size 8192
1085696       0x109100        Intel x86 or x64 microcode, sig 0x000206c2, pf_mask 0x03, 2018-05-08, rev 0x001f, size 11264
1114112       0x110000        UEFI PI Firmware Volume, volume size: 16384, header size: 1, revision: 0, EFI Firmware File System, GUID:
1130496       0x114000        UEFI PI Firmware Volume, volume size: 49152, header size: 1, revision: 0, GUID:
1130752       0x114100        Intel x86 or x64 microcode, sig 0x000106a5, pf_mask 0x03, 2018-05-11, rev 0x001d, size 12288
1143040       0x117100        Intel x86 or x64 microcode, sig 0x000206c0, pf_mask 0x13, 2009-08-20, rev 0x-ffea, size 8192
1151232       0x119100        Intel x86 or x64 microcode, sig 0x000206c2, pf_mask 0x03, 2018-05-08, rev 0x001f, size 11264
1179648       0x120000        UEFI PI Firmware Volume, volume size: 196608, header size: 1, revision: 0, Variable Storage, GUID:
1209508       0x1274A4        XML document, version: "1.0"
1210387       0x127813        XML document, version: "1.0"
1234384       0x12D5D0        XML document, version: "1.0"
1343538       0x148032        bzip2 compressed data, block size = 100k
1376256       0x150000        UEFI PI Firmware Volume, volume size: 2686976, header size: 1, revision: 0, EFI Firmware File System, GUID:
4063232       0x3E0000        UEFI PI Firmware Volume, volume size: 65536, header size: 1, revision: 0, GUID:
4128768       0x3F0000        UEFI PI Firmware Volume, volume size: 65536, header size: 0, revision: 0, Apple Boot Volume, GUID:

Your dump shouldn't have three IASInstallPhaseList.plists, it's completely normal to have one and it's expected to have two, one for each of the two NVRAM stores with a Mac Pro that have been in constantly use.

When you have three IASInstallPhaseList.plists, your Mac Pro NVRAM is not erasing entries anymore and you have a good chance of NVRAM corruption in the near future. I'll send you a PM.

 

[HuRR]

Your dump shouldn't have three IASInstallPhaseList.plists, it's completely normal to have one and it's expected to have two, one for each of the two NVRAM stores with a Mac Pro that have been in constantly use.

When you have three IASInstallPhaseList.plists, your Mac Pro NVRAM is not erasing entries anymore and you have a good chance of NVRAM corruption in the near future. I'll send you a PM.

Thanks! I appreciate the help. Yikes. Glad I looked this up. Oh crap! I just dumped my Rom using Rom tool and ran binwalk and now I have four of IASInstallPhaseList.plists!

 

[tsialex]

Thanks! I appreciate the help. Yikes. Glad I looked this up. Oh crap! I just dumped my Rom using Rom tool and ran binwalk and now I have four of IASInstallPhaseList.plists!

It's not erasing old entries anymore, the NVRAM will continue to add entries without deleting the superseded ones until it's completely full and you will then have a brick.

PM sent.

 

[William B]

I have some sort of problem with the 144 firmware, and I'm wondering if I could have some assistance.

I updated my 2010 Mac Pro to Mojave (with a metal flashed AMD card) and had to update the firmware. After the install, everything worked fine until I booted into my Windows drive. Only one of my two monitors would be recognized by Windows, so I tried to swap out my video card with the one(s) that I used before the firmware update. (a pair of 5770s). It still would only recognize one of my monitors. Both worked separately, but I wasn't able to use both at the same time. I tried to install the new version of BootCamp (6.1 I think) and then reinstalled the GPU drivers (for both the metal flashed one and the 5770s) but nothing would work. I was wondering if I needed to downgrade back to an older version of the firmware, and whether or not I would need to downgrade to High Serria if that was the case.

Please help,
William

 

[h9826790]

I have some sort of problem with the 144 firmware, and I'm wondering if I could have some assistance.

I updated my 2010 Mac Pro to Mojave (with a metal flashed AMD card) and had to update the firmware. After the install, everything worked fine until I booted into my Windows drive. Only one of my two monitors would be recognized by Windows, so I tried to swap out my video card with the one(s) that I used before the firmware update. (a pair of 5770s). It still would only recognize one of my monitors. Both worked separately, but I wasn't able to use both at the same time. I tried to install the new version of BootCamp (6.1 I think) and then reinstalled the GPU drivers (for both the metal flashed one and the 5770s) but nothing would work. I was wondering if I needed to downgrade back to an older version of the firmware, and whether or not I would need to downgrade to High Serria if that was the case.

Please help,
William

Doesn't sounds like BootROM related.

 

[William B]

Doesn't sounds like BootROM related.

oh ok

 

[trifero]

I have some sort of problem with the 144 firmware, and I'm wondering if I could have some assistance.

I updated my 2010 Mac Pro to Mojave (with a metal flashed AMD card) and had to update the firmware. After the install, everything worked fine until I booted into my Windows drive. Only one of my two monitors would be recognized by Windows, so I tried to swap out my video card with the one(s) that I used before the firmware update. (a pair of 5770s). It still would only recognize one of my monitors. Both worked separately, but I wasn't able to use both at the same time. I tried to install the new version of BootCamp (6.1 I think) and then reinstalled the GPU drivers (for both the metal flashed one and the 5770s) but nothing would work. I was wondering if I needed to downgrade back to an older version of the firmware, and whether or not I would need to downgrade to High Serria if that was the case.

Please help,
William

Windows 7?