MP 1,1-5,1 MacPro5,1: BootROM thread | 144.0.0.0.0

[tsialex]

Sometime ago someone sent me a BootROM dump with two Microsoft EFI signing certificates installed on the private part of the NVRAM. I thought that was a fluke, later I found another. Tonight, another:

Why on hell Microsoft is doing this? One, I can comprehend, but two? Even if the user has different disks/partitions with 8,1 and 10 simultaneously, why signing two times?

 

[UCDHIUS]

Sometime ago someone sent me BootROM dump with two Microsoft EFI signing certificates installed on the private part of the NVRAM. I thought that was a fluke, later I found another. Tonight, another:

View attachment 789368

Why on hell Microsoft is doing this? One, I can comprehend, but two? Even if the user has different disks/partitions with 8,1 and 10 simultaneously, why signing two times?

I only have one copy of W10 on that machine.

Microsoft works in weird ways sometimes.

 

[tsialex]

This is a DRAFT - Part1:​

This is the detailed process to populate generic MP51.fd from Apple with the hardware identifiers, using the intermediate files that I prepared and sent to some people. If you already have it, this is how you can use UEFITool to inject the NVRAM and LBSN_BD sector into every MP51.fd released by Apple.

You can inject the NVMe EFI module into MP51.fd before doing this. (No need to inject if using 140.0.0.0.0 BootROM)

Attention:​

Do exactly as I described here, you don't want to brick your Mac Pro. This process is exclusive to MP51 firmwares, do not ever do this to downgrade to a MP41 firmware or use the same process to clean up a MP31 firmware.


Open UEFITool:

Menu, Open image file:

Select MP51.fd (you can inject the NVMe EFI module into MP51.fd before doing this) and open it:

MP51.fd opened:

Now select the NVRAM area, it’s the GUID FFF12B8D-7696-4C8B-A985-2747075B4F50:

Click with the right button and select Replace as is:

Open your intermediate files folder, select the NVRAM volume and Open it:

NVRAM is done:

Now open the last volume, GUID 04ADEEAD-61FF-4D31-B6BA-64F8BF901F5A:

Select the last RAW section of GUID 1BA0062E-C779-4582-8566-336AE8F78F09:

Continue on Part2

 

[tsialex]

This is a DRAFT - Part2:​

This is the detailed process to populate generic MP51.fd from Apple with the hardware identifiers, using the intermediate files that I prepared and sent to some people. If you already have it, this is how you can use UEFITool to inject the NVRAM and LBSN_BD sector into every MP51.fd released by Apple.

You can inject the NVMe EFI module into MP51.fd before doing this.

Attention:​

Do exactly as I described here, you don't want to brick your Mac Pro. This process is exclusive to MP51 firmwares, do not ever do this to downgrade to a MP41 firmware or use the same process to clean up a MP31 firmware.


Replace as is with your intermediate LBSN_BD sector:

LBSN_BD sector is done, now you just have to save to have a reconstructed BootROM.

Menu, Save image file:

Save your file and you are done!.

Just write it to your logic board SPI flash memory with ROMTool, flashrom etc. You can even use EFI2Updater if you know the hidden/force options and how to manually bless it, but it's out of the scope here.

P.S: There is a tiny easter egg in this document, what is about?

 

[kings79]

This is for NVMe BootROM's?

 

[tsialex]

This is for NVMe BootROM's?

It's the detailed process to populate generic MP51.fd from Apple with the hardware identifiers that I prepared and sent to some people (intermediate files).

You can inject NVMe into MP51.fd before doing this.

 

[crjackson2134]

Just to add an after thought...

I prefer using RomTool for the flashing process. It provides the visual feedback that Apple removed and a Success! notification when completed. It’s not necessary, but it is reassuring.

Thanks for your hard work @tsialex, very much appreciated.

 

[tsialex]

Just to add an after thought...

I recommend using RomTool for the flashing process. It provides the visual feedback that Apple removed and a Success! notification when completed. It’s not necessary, but it is reassuring.

Thanks for your hard work @tsialex, very much appreciated.

Apple EfiUpdater2 is seamless, you don't have to think about the model of the SPI flash, don't have to disable SIP, don't have to disable any AV/malware tracker/firewall and just works - BUT you have to know the force option and how to manually bless it.

Use what you are comfortable with, all roads lead to Rome.

 

[kings79]

process to populate generic MP51.fd from Apple with the hardware identifiers

Can you elaborate on this?

 

[tsialex]

Can you elaborate on this?

Read post #601

 

[kings79]

Read post #601

Yes I remember that post. I find this thread so fascinating in the nerdiest way My wife thinks I'm crazy.

BUT, I still don't understand the purpose of this process. Sorry

Can you explain why do this?

 

[tsialex]

Yes I remember that post. I find this thread so fascinating in the nerdiest way My wife thinks I'm crazy.

BUT, I still don't understand the purpose of this process. Sorry

Can you explain why do this?

I'm leaving for work now. Tonight, or when I have free time, I can explain it.

 

[kings79]

I'm leaving for work now. Tonight, or when I have free time, I can explain it.

Thanks tsialex! You are the posterboy for Mac Pro'ers

 

[h9826790]

Yes I remember that post. I find this thread so fascinating in the nerdiest way My wife thinks I'm crazy.

BUT, I still don't understand the purpose of this process. Sorry

Can you explain why do this?

I'm leaving for work now. Tonight, or when I have free time, I can explain it.

Hopefully I can relieve some of tsialex workload by answering this kind of question.

That process is basically to reconstruct / fix a Mac Pro BootROM.

Some cMP BootROM are partially corrupted, or someone like me bought a 2nd hand logicboard to rescue a dead cMP, may have a BootROM that’s not healthy, or some info in the BootROM does not match the original hardware / system, etc.

This is the process about how to reconstruct a healthy 5,1 BootROM from the clean infoless 5,1 ROM image that’s extracted from the OS installer.

However, this process only works with the intermediate files sent by tsialex. Do NOT do this without those intermediate files, or try to use those intermediate files on any other BootROM (e.g. 4,1).

 

[kings79]

Hopefully I can relieve some of tsialex workload by answering this kind of question.

That process is basically to reconstruct / fix a Mac Pro BootROM.

Some cMP BootROM are partially corrupted, or someone like me bought a 2nd hand logicboard to rescue a dead cMP, may have a BootROM that’s not healthy, or some info in the BootROM does not match the original hardware / system, etc.

This is the process about how to reconstruct a healthy 5,1 BootROM from the clean infoless 5,1 ROM image that’s extracted from the OS installer.

However, this process only works with the intermediate files sent by tsialex. Do NOT do this without those intermediate files, or try to use those intermediate files on any other BootROM (e.g. 4,1).

Thanks M, another member PM'd me with this explanation also. Very interesting! Explains why my 1,1 wouldn't update with the flashing app because I had a refurbished logic board.

I love this thread! Kudos to all the nerds! I love it

 

[tsialex]

Sometimes things that I document/show don't make immediate sense or have immediate use, just wait a little, down the road everything will make sense.

Later, when things are more streamlined, I'll document the process to extract/repair the NVRAM. Since it involves heavy hex editing (updating the hardware descriptor, correcting the IDs, injecting missing ones, putting everything in the correct place), I'm not going to do that now.

The NVRAM area is the big problem. LBSN_BD sector is simple, already documented, wrote once by the logic board factory and never updated again. It's and easy to edit and only becomes corrupted with direct user intervention (for example, if the user writes the MP51.fd to the SPI flash, you will loose LBSN and BD - bye-bye iCloud/iMessage/FaceTime).

However, this process only works with the intermediate files sent by tsialex. Do NOT do this without those intermediate files, or try to use those intermediate files on any other BootROM (e.g. 4,1).

Thx for explaining. =)


[doublepost=1538046461][/doublepost]About the downgrade to 4,1 problem:

First: It's easy to revert to a MP4,1 firmware with a reconstructed BootROM or the with the original MP4,1 dump, but you will have to use a Nehalem Xeon.

Second: If you are using a MP5,1 dump to recreate a MP4,1 BootROM, you will create a brick if you not modify it exactly - the jump points are different in the last sector of the BootROM.

The LBSN_BD sector has a jumping point at the end of it that differs between MP5,1 and MP4,1:

MP5,1:

BF5041EB 1D000000 00000000 00000000 FFFFFFFF FFFFFFFF
FFFFFFFF E802FFFF 0F09E9FB F2000000 78563412 0000FFFF

MP4,1:

BF5041EB 1D000000 00000000 00000000 FFFFFFFF FFFFFFFF
FFFFFFFF 6804FFFF 0F09E91B F3000000 78563412 0000FFFF

 

[BillyBobBongo]

I know you can't install Mojave from USB when using a GTX 680 (due to a bug in the installer) but perhaps it doesn't work with an RX 580 either?

Right, I went and looked in to this some more.

I created a High Sierra and a Mojave USB installer and tried to install both with:
a) No Hard drive present
b) A Mac formatted drive containing data but no OS present
c) A totally empty/formatted drive present
d) A hard drive containing a working version of macOS Mojave.

I was able to boot the installer in all cases, except for d. I have waited in 15 second increments, up to 2 minutes, after the chime rings before tapping the right arrow key and then enter to get the installer to load. But have had no success at all.

Interesting to note is that if you are using any of the cases a-c there is no need to hold the Option key, the USB installer will just boot on its own without you having to do anything.

I also tested in using two different USB drives, one drastically newer than the other to give some indication of how long you need to wait for display to kick in. Here are my findings.

High Sierra (with empty/non OS/no hard drive)

Power On
Chime
Start Timer
@ 3:00 Grey Screen Appears
@ 3:15 Apple logo and loading bar appears
@ 3:30 Ready to Go


Mojave (with empty/non OS/no hard drive)

Power On
Chime
Start Timer
@ 3:00 Grey Screen Appears (5:20 with older USB drive)
@ 3:10 Apple logo and loading bar appears (5:30 with older USB drive)
@ 3:30 Ready to Go (5:56 with older USB drive)

I may drop the GT 120 back in so that I can watch/time how long is takes for the Drive menu to appear, but will do that another time. In reality if you should be in the possession of a drive with a working OS then using 'Recovery Mode' would be the most logical choice of action. From there you can format or delete the drive/partition and with install directly from there or then use a USB drive.

So, long story short it certainly does look like my esteemed forum colleague @Squuiid was indeed correct in his observation

Now that you officially can’t enable FileVault nor BootCamp in Mojave I see very little reason to have an EFI card in the system, or even have one at all really.

Once you’re on 089 firmware or above you’re set.

 

[monoton]

USB3.0 boot is not possible at the moment. If you want to be on the bleeding edge, you can always extract the modules from the firmwares after I test them. I'm not going to post every thing I test here. It's not safe, if you are reading my posts, you now that.

The tested NVMe module is the one extracted from the MP6,1, on the Google Docs document, use that.

Thanks for confirming that ! I then suppose that one works well with both 138.0.0.0.0 and 139.0.0.0.0.0..

 

[tsialex]

Thanks for confirming that ! I then suppose that one works well with both 138.0.0.0.0 and 139.0.0.0.0.0..

With 36h of 139.0.0.0.0 release, we can't assure anything yet, but seems to work.

 

[expede]

Wow, this was scary!!

I have an old enroll for Mojave and suddenly my new Mojave said that I had a new Beta update. I have, with tsialex help got me self a new 139.0.0.0.0 Firmware and everything was working perfect. In a split second a clicked update and my cMP 5.1 started to update.
After, let say, 10 minutes my screen went black and after a wile the white boot-screen came on, nothing strange here. BUT the then the white screen showed this;

And then my Window 10 HD kicked in and started win 10. WHAT??? Booted back in Recovery Mode and klicked "Repair/install Mac OSX" or something. Pressed the botton and the "installer" asked if I would like to cancel the installation? A pressed "No" and the installation went on for 8minutes. Then reboot and an additional install for 36 minutes.
Talk about anxiety!!!

I unrolled the Beta program, because the installer asked if I would update to Beta 10. Noooo!! I´m not.

So now I am on:

Best regards

/Per

 

[w1z]

All files are in the SUCatalog, just open the seed one on Safari, search for what you need, grab the URL and use curl to download.

Having difficulty locating the 139 bootrom update in the sucatalog... Is it under 10.14.1 Recovery update or somewhere else?

Appreciate your help!

 

[tsialex]

Having difficulty locating the 139 bootrom update in the sucatalog... Is it under 10.14.1 Recovery update or somewhere else?

Appreciate your help!

Yep.

 

[Mac64]

Hello
To many information for me...
I have a 4.1 upgraded as 5.1 Macpro (2x 3,33Ghz 6core Xeon, 128Gb DDR3) 980GTX with High Sierra 10.13.6 on NVME and everything works fine.

I want to upgrade to Mojave but I don't know which method I need to use (to keep NVME boot...)

Could you help me?
Regards

(excuse me for my bad english)

 

[tsialex]

Hello
To many information for me...
I have a 4.1 upgraded as 5.1 Macpro (2x 3,33Ghz 6core Xeon, 128Gb DDR3) 980GTX with High Sierra 10.13.6 on NVME and everything works fine.

I want to upgrade to Mojave but I don't know which method I need to use (to keep NVME boot...)

Could you help me?
Regards

(excuse me for my bad english)

You can't keep NVMe boot updating with Apple updaters. Use a SATA drive to do the upgrades, you will loose NVMe boot until you inject 138.0.0.0.0.

Or you can dump your current one and I can upgrade it manually to 138.0.0.0.0 and you won't loose NVMe boot.

 

[kings79]

So, long story short it certainly does look like my esteemed forum colleague @Squuiid was indeed correct in his observation

Right?
There are other reasons to have bootcamp other than booting to a USB.