Part of the reason the flash procedure is designed to work from the internal storage only is that this is a rudimentary sort of defence against attack vectors that exploit the use of external USB devices/Thunderbolt devices from uploading malicious code or otherwise tampering with the rom. Good in one way, but a nuisance in our case as we WANT to flash a modified rom.
I have worked out a simple solution to bypass the protection but it involves opening the computer and a soldering iron along with a 100k resistor - we bypass the write enable / write protect line going to the SPI chip, by tying it to ground or Vcc using the resistor - whichever logic level enables flash mode, flash it with dosdude1's software, then return control of the write enable line to the logic board. I am looking for the paper on the Thunderstrike 2 exploit I read a few days ago - it goes in depth on how the flash protection works, and how we might be able to use the paper to learn how to temporarily bypass the protection. It was very in depth, and went down to what the pins on the SPI flash chip actually did. AFAIK the resistor could theoretically be left in place indefinitely so we could continue to flash modified roms to these models, or removed easily by untacking one end, then untacking the other. Personally I would remove the resistor once you're done to restore the security against firmware worms and other malicious code that could easily brick the machine.
The whole reason for this is not many people are really going to want to buy an SPI flashing device just for one or two jobs nor wait for it to arrive on the slow boat from China (the cheaper ones that are capable of doing the work are all shipped out of China). However a soldering iron is cheap, available almost everywhere, and most people who pull apart computers to do maintenance or upgrades, would know how to use one. Now that dosdude1 has provided the software to flash the rom, and gilles_polysoft has provided the process for modifying the rom, the only thing standing in our way is the way the logic board protects against malicious code rewriting parts or all of the firmware chip. Newcomers to soldering would obviously be well advised to practice on some dead circuits first to get a feel for the skill, before attacking an SOIC8 device, but it's an easy skill to pick up - there are plenty of video tutorials on YouTube to teach you. If you're still too scared to do it, you could always take the machine to a friend you trust who has done Xbox or other console hackery - the process is similar to adding a very simple mod-chip.
Before trying any of this I need to do more research and begin with removing my firmware password and temporarily uninstalling my copy of Orbicule Undercover, just in case it gets in the way of flashing the firmware.
If the resistor trick doesn't work, we'll just have to concede that loading a hacked firmware will not be possible with software along with a 5 c part, and can only be accomplished with an SPI programming tool. These are cheap too, just take a while to arrive, but better than pulling your hair out wondering why the hacked firmware won't take, and less invasive than soldering to the chip inside the notebook.
edit: apologies for any poor spelling - at home sick today but brain going lightspeed + 10 as usual.
Since I am not well and my hands very shaky at the moment I cannot perform the resistor trick yet - and I'd like to do more research on whether my speculated process will work at all - in theory it should. The trick could possibly be performed with an SOIC8 clip with the resistor attached at the other end, but that would make it kind of difficult to then flip the computer over to boot it and load dosdude1's software. Once again apologies if I am not making a lot of sense, I am not well and this is speculation only, but it should work.
TL;DR: it may be possible to trick / jump start the firmware to always be in flash mode with a resistor, but doing so opens up the computer to firmware exploits by malicious code. An SOIC clip with the resistor eliminates the need for any other tools like a soldering iron.
Has anyone attempted to use the "efiupdater" program with our hacked roms and the --force-update switch?
edit 2: on further research it looks like the only easy way to write to the rom chip is with a Raspberry Pi and a clip for now. A Raspberry Pi is also a handy thing to have around - I have 1 here but it does not belong to me so I won't tinker with it, but they're basically a little Linux computer which one can use to program the flash. They are often used when the owner of the computer has forgotten their iCloud or firmware password to get around it, but also can be used for flashing the chip.