Sharing - How I update my MacOS with a Pascal GPU

[h9826790]

I know most of the unflashed Maxwell / Pascal card user already develop they own way to install the OS / web driver update. However, I didn't see anyone talk about how to do it without any help from another GPU or screen sharing, etc. So, I would like to share how I do it without any assist from other hardware and boot screen.

Before start, the following method is NOT 100% safe. The biggest hurdle is I cannot confirm the OS build number until the whole process completed. I guess there is a way to do it because Apple own security can update the OS number without any reboot. But I just don't know the tricks.

0 - optional) Disable SIP and Gatekeeper to avoid unnecessary issues.

1) Once an OS update available, go to download the corresponding updated Nvidia web driver installer. (Assume the file name is "WebDriver-378.10.10.10.25.102.pkg", and saved in the Downloads folder)

1.1 - optional) Open Terminal and enter "softwareupdate -l" to confirm the OS update is there.

2) In Terminal, enter "sudo softwareupdate -i --all --verbose". Then you can see the update progress. Wait until it finish and ask you to restart (DO NOT RESTART). For info, if you enter "softwareupdate -l" again, you may see the update still there (with different size), but doesn't really matter.

3) still in terminal, enter "pkgutil --expand ~/Downloads/WebDriver-378.10.10.10.25.102.pkg ~/Downloads/WebDriver" (This is base on step 1's assumption. Please replace the files name or location accordingly)

4) Go to your user profile's Downloads -> WebDriver folder, and use TextEdit to open the file "Distribution"

5) go back to terminal again, enter "sw_vers". And copy down the Product version and Build version.

6) In TextEdit, go down to supportedOSVer, and change BOTH the OS version and build number as per the info you get from step 5. Then save it.

7) In terminal, enter "pkgutil --flatten ~/Downloads/WebDriver ~/Downloads/WebDriver-fixed.pkg". Now, you have a working installer called "WebDriver-fixed.pkg"

8) Run this fixed installer, at the end, it will ask you to restart, DO NOT RESTART.

9) Back to terminal and enter "sudo nvram nvda_drv=1"

10) Open Nvidia web driver preference pane (you may see two manager icons on the menu bar, that's normal), and confirm Nvidia web driver is selected.

After this 10 steps, now you can click "restart" in the Nvidia web driver installer to reboot your cMP.

And now, after the start up chime, if you have a SSD, it may take a few minutes before you can see anything (because the OS update in progress after this first reboot). DO NOT disturb the update. If you are running the OS from a HDD, it may take much longer. But once the update completed and boot to desktop, your GPU will work straight away.

The following screen capture pretty much summarise all the steps above. As you can see, there are 2 Nvidia web driver manager on the menu bar. One icon belongs to the old driver, which is disabled already. If you click it, you will see "OS X Default Graphics Driver" selected. And another one is the new one, if you click it after step 9, you should see "NVIDIA Web Driver" is selected.

N.B. With the above methods, the newly available Nvidia web driver will be installed regardless what's the new MacOS build number. So, if you download the wrong driver. Or Apple actually gives you another build number's OS update. The driver will still install, but may not able to function properly after reboot.

Also, I run my system with BOTH SIP and Gatekeeper OFF. I have no idea what will happen if you keep any of these function ON.

 

[Dr. Stealth]

Very nice tutorial. I'm sure this will come in handy for some. Maybe you should add instruction for disabling SIP and Gatekeeper. That could be a very important (1st) step that allows your your method work. Very nice.......

 

[goMac]

Very nice tutorial. I'm sure this will come in handy for some. Maybe you should add instruction for disabling SIP and Gatekeeper. That could be a very important (1st) step that allows your your method work. Very nice.......

I don't think SIP has to be disabled for this. Maybe Gatekeeper but I think with an extra step the package could still run with it on.

 

[h9826790]

To disable SIP (blindly) via Single-user Recovery Mode.

1) Reboot Mac holding down Command+R+S

2) Wait 3 minute to make sure the loading is completed (it should only need less then a minute, 3 min is super safe)

3) Hit ENTER 10 times to make sure you get the command prompt

4) Enter

csrutil disable

5) Enter

reboot

[doublepost=1512946771][/doublepost]To disable Gatekeeper

1) Open terminal

2) Enter

sudo spctl --master-disable

3) Open System Preferences -> Security & Privacy, and Choose "Anywhere"

 

[goMac]

You can usually bypass Gatekeeper by right clicking on something and choosing Open.

Should work on an installer package that’s been altered. Probably safer than turning it off entirely.

 

[h9826790]

You can usually bypass Gatekeeper by right clicking on something and choosing Open.

Should work on an installer package that’s been altered. Probably safer than turning it off entirely.

The problem is not to run the installer, but will GateKeeper block the driver loading on next reboot.

I didn’t use GateKeeper, but AFAIK, after Nvidia Web Driver installed, you can go to the same Security & Privacy page to "Allow" it (A notice should be there, but since I never use it, so not 100% sure. Both SIP and Gatekeeper OFF works so well with me, I just have no intention to re-enable them again).

 

[goMac]

The problem is not to run the installer, but will GateKeeper block the driver loading on next reboot.

I didn’t use GateKeeper, but AFAIK, after Nvidia Web Driver installed, you can go to the same Security & Privacy page to "Allow" it (A notice should be there, but since I never use it, so not 100% sure. Both SIP and Gatekeeper OFF works so well with me, I just have no intention to re-enable them again).

Gatekeeper doesn’t block drivers, having it on or off shouldn’t matter.

The Nvidia web drivers are also signed through Apple’s partner program so they don’t need SIP or Gatekeeper turned off to use the driver unmodified (and I don’t see anything here modifying the driver itself unless I’m totally wrong.)

To review:
- Gatekeeper blocks unsigned apps and installers. This will break the signing on the installer but that can be bypassed by right clicking. Disabling Gatekeeper completely might not be a good idea when you can bypass it on a case by case basis already.
- SIP blocks kernel extensions that aren’t Apple authorized. The Nvidia web drivers are Apple authorized, so SIP should be ok that stay on. SIP is an important security feature and really should not be disabled unless you are tinkering with unauthorized things.

(If SIP is getting in your way you can also selectively disable parts of SIP which is way safer than disabling the whole thing, but that’s another topic... But asking the user to disable SIP and Gatekeeper for this is kind of like asking them to unlock all their doors and open all their windows just to replace a sink.)

 

[h9826790]

Gatekeeper doesn’t block drivers, having it on or off shouldn’t matter.

The Nvidia web drivers are also signed through Apple’s partner program so they don’t need SIP or Gatekeeper turned off to use the driver unmodified (and I don’t see anything here modifying the driver itself unless I’m totally wrong.)

To review:
- Gatekeeper blocks unsigned apps and installers. This will break the signing on the installer but that can be bypassed by right clicking. Disabling Gatekeeper completely might not be a good idea when you can bypass it on a case by case basis already.
- SIP blocks kernel extensions that aren’t Apple authorized. The Nvidia web drivers are Apple authorized, so SIP should be ok that stay on. SIP is an important security feature and really should not be disabled unless you are tinkering with unauthorized things.

It does! I am not making up something. That's why I personally prefer to keep everything OFF.

But as you said, that's another matter. IMO, it's not unlocking the door. SIP just don't allow you to modify the system files etc. It's more like don't allow someone to "move" (or replace) a table inside the house if (s)he is already inside, but not stopping them to get in. Gatekeeper is like stopping someone in the house to "use" a newly installed unknown brand TV, again, the person is already in. These 2 functions don’t stop anyone to get in. As long as keep the door and windows secure properly. SIP and GateKeeper is just preventing me to freely manage my own house.

I am totally on another point of view when consider using SIP or Gatekeeper.

Since both SIP and Gatekeeper won’t protect anyone “viewing” my personal data. That’s pretty useless to me. I need a real protection to stop someone to get in (e.g. firewall). If anyone already break into my place, I hope (s)he will stupid enough to destroy my OS, so that the whole system collapse, stop functioning, and they cannot steal any personal data from my computer anymore (of course, I have more than one external full backup). Or at least they move something a bit, so that I may able to detect / awear something is wrong. (SIP prevent this to happen).

The real valuables stuff is my personal data, not the OS. The OS is free from Apple, protect it for what? I can re-download a secured clean installer anytime from Apple. And I am not worrying someone to “modify” my system. That’s easy to fix. What I don’t like is someone “silently break in and viewing my personal data". But since that’s a "read only" action. SIP won’t help anything.

GateKeeper is virtually the same thing. If the user is stupid enough to run a hazard software. (S)he can always “allow” that software in security preference pane, so, Gatekeeper won’t stop it happening. And if something able to silently passed the firewall and break into my system. S(he) can already view my data, and no need to install / run anything to steal my personal data. So, it doesn’t protect anything (in my own point of view).

 

[Squuiid]

From Wikipedia:

Justification
Apple says that System Integrity Protection is a necessary step to ensure a high level of security. In one of the WWDC developer sessions, Apple engineer Pierre-Olivier Martel described unrestricted root access as one of the remaining weaknesses of the system, saying that "[any] piece of malware is one password or vulnerability away from taking full control of the device". He stated that most installations of macOS have only one user account that necessarily carries administrative credentials with it, which means that most users can grant root access to any program that asks for it. Whenever a user on such a system is prompted and enters their account password – which Martel says is often weak or non-existent – the security of the entire system is potentially compromised.[4] Restricting the power of root is not unprecedented on macOS. For instance, versions of macOS prior to Mac OS X Leopard enforce level 1 of securelevel, a security feature that originates in BSD and its derivatives upon which macOS is partially based.[6]

https://en.wikipedia.org/wiki/System_Integrity_Protection