netkas.org forum
Author Topic: Mac Mini Firmware Upgrade Utility Needed (help request).  (Read 661588 times)
growner
« Reply #30 on: September 23, 2011, 12:16:28 PM »

@sebinouse: Thanks for the info on the changes.  I should be careful.  When I used the word "mangled", I was using it in a very offhand manner, and did not mean to imply that you had done something wrong.  I'd just not seen the various "override" fields in the 'Fsys' section before, and thought that was how the change was made.

Logged
Sebinouse
« Reply #31 on: September 23, 2011, 11:00:29 PM »

I don't know how you came to this idea, but it's a great one! (I would never have considered this solution, regarding my soldering skills ...)

I will try the PRAM Reset trick tomorrow evening and see what I get ...


Logged
lolof
Guest
« Reply #32 on: September 24, 2011, 08:03:21 AM »

Thanks to growner for letting us know about flashrom; with flashrom the SST chip was easily identified.

Sebinouse: I think it would be good to have the macmini2,1 dump redone with the PRAM trick. If you can get it, please post it here or on MB.

Programmer and blank chips ordered. They will probably arrive in 1 or 2 weeks. Time to look into the firmwares...
« Last Edit: September 24, 2011, 09:45:53 AM by lolof » Logged
lolof
Guest
« Reply #33 on: September 24, 2011, 07:12:25 PM »

Quote
Another part is more problematic, it is present in the official firmware and *NOT* in the dump :
0x4000 bytes offset 0x1DA000

*BUT* with more investigation this part is the same for MM11_004B_00B.fd, MM11_0055_02B.fd and MM11_0055_03B.fd. It only differs in the MM11_0055_08B.fd.


I think this is a kind of loader to program the chip, could it be? They could have modified the loader to program the chip, and that could justify there being more code in the MM11_0055_08B.fd file.





It is the only big difference I found between this dump and the one already posted here.

If you want it pm me.



« Last Edit: September 30, 2011, 02:06:44 PM by lolof » Logged
growner
« Reply #34 on: September 24, 2011, 10:53:03 PM »

...
I have the MACMINI2,1 dump (reset PRAM) from a friend. I have only changed the SN at offset 1D825C, another personal number at offset 1FFF02 and a last one at offset 1FFF51.

It is the only big difference I found between this dump and the one already posted here.

If you want it pm me.

To me the field at 1fff51 looks like a repeated text date, with some additional integer values after it. For the dump posted above, that date is 081117, while for mine it is 060225.  The field at 1fff02 has *some* numbering similar to my serial number, like it was partially encoded. Since the serial number was changed for the dump above, I cannot make a similar comparison.  Maybe both you and sebinouse can make a comparison to the original SN in your dumps and the field at 1fff02?
Logged
Sebinouse
« Reply #35 on: September 24, 2011, 10:58:31 PM »

I think this is a kind of loader to program the chip, could it be? They could have modified the loader to program the chip, and that could justify there being more code in the MM11_0055_08B.fd file.

I've been digging deeper for this and here is what I found.

We have two types of firmwares :
Quote
0x4000 bytes offset 0x1DA000

MM11.88Z.004B.00B.0602170954
MM11.88Z.0055.02B.0603301152
MM11.88Z.0055.03B.0604071521
differs from
MM11.88Z.0055.08B.0610121326
IM41.88Z.0055.08B.0610121350
slightly differs from
IM42.88Z.0071_03B.0610121320

and is blank in my firmware or in the firmware listed below
Quote
0x7000 offset 0x1A4100

IM51.88Z.0090.03B.0610121400
slightly differs from
IM51.88Z.0090.09B.0706270921
slightly differs from
IM61.88Z.0093.01B.0610121336
slightly differs from
AlexCoolTranquille's firmware

and is blank in my firmware or in the firmware listed above

These two parts look similar: they are exactly X000 bytes long, each thousand bytes begins with the same sequence, and they really look the same in the different firmwares ...

But I can't explain why this part is not in *MY* firmware ...

So to create a "virgin" MM21.XX firmware we can compare MM21 Dumps & IM51.88Z.0090.09B.0706270921 like we can compare MM11 Dumps & MM11.88Z.0055.08B.0610121326 (see first post on the third page).

Finally to remove personal data (SSN, NVRAM, etc.) we can just blank (replace by "FF") these main differences found from this second comparison (MM21 Dump / IM51):
  • 0x4 bytes offset 0x1B004C
  • 0x38D6 bytes offset 0x1B0058
  • 0x244 bytes offset 0x1D0018
  • 0x2000 bytes offset 0x1D8000
  • 0x80 bytes offset 0x1FFF00
(It looks like the MM11 Dumps / MM11 comparison ... and I think it is a good point)

 
« Last Edit: September 24, 2011, 11:56:52 PM by Sebinouse » Logged
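
Added example, not part of the original thread or of any poster's tooling: a Python sketch of the sanitising step described in Reply #35, filling the five listed ranges with FF and checking that two dumps differing only in per-machine data become identical afterwards. The 2 MiB image size, the function names and the constructed sample dumps are assumptions.

```python
import hashlib

# (offset, length) ranges from Reply #35 (MM21 dump vs. IM51 comparison).
REGIONS = [(0x1B004C, 0x4), (0x1B0058, 0x38D6), (0x1D0018, 0x244),
           (0x1D8000, 0x2000), (0x1FFF00, 0x80)]
IMAGE_SIZE = 0x200000  # assumption: 2 MiB flash image (not stated in the thread)


def blank_regions(image, regions=REGIONS, fill=0xFF):
    """Return a copy of image with each region overwritten by the fill byte."""
    out = bytearray(image)
    for offset, length in regions:
        if offset < 0 or length <= 0 or offset + length > len(out):
            raise ValueError(f"region 0x{offset:X}+0x{length:X} is outside the image")
        out[offset:offset + length] = bytes([fill]) * length
    return bytes(out)


def diff_runs(a, b):
    """Return (offset, length) runs where two equal-sized images differ."""
    if len(a) != len(b):
        raise ValueError("images differ in size")
    runs, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(a) - start))
    return runs


def make_dump(serial):
    """Constructed stand-in for a dump: common body plus per-machine bytes
    at the offsets the posters name (1D825C and 1FFF02)."""
    body = bytearray(b"\x5A" * IMAGE_SIZE)
    for offset in (0x1D825C, 0x1FFF02):
        body[offset:offset + len(serial)] = serial
    return bytes(body)


if __name__ == "__main__":
    a, b = make_dump(b"CONSTRUCTED-A1"), make_dump(b"CONSTRUCTED-B2")
    print("differing runs:", [(hex(o), n) for o, n in diff_runs(a, b)])
    clean_a, clean_b = blank_regions(a), blank_regions(b)
    print("identical after blanking:", clean_a == clean_b)
    print("sha256:", hashlib.sha256(clean_a).hexdigest())
```

Running `diff_runs` on a sanitised image against a second, independently sanitised dump is a quick way to confirm that no serial-number or NVRAM bytes remain outside the blanked ranges before a file is shared.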
Sebinouse
« Reply #36 on: September 24, 2011, 11:06:57 PM »

To me the field at 1fff51 looks like a repeated text date, with some additional integer values after it. For the dump posted above, that date is 081117, while for mine it is 060225.  The field at 1fff02 has *some* numbering similar to my serial number, like it was partially encoded. Since the serial number was changed for the dump above, I cannot make a similar comparison.  Maybe both you and sebinouse can make a comparison to the original SN in your dumps and the field at 1fff02?
These parts are empty in the official firmwares ... so I don't think we have to find out what it is (even if I agree the last field definitely looks like the serial ...).
I will have a look at the original MM21 Dump...
« Last Edit: September 24, 2011, 11:26:52 PM by Sebinouse » Logged
Sebinouse
« Reply #37 on: September 25, 2011, 12:06:07 AM »

Thx Lolof!

Does anyone know a simple way to perform the modification mentioned above? (like a script or so?)



If some brave soul wants to try it out, I can edit the updater file and scripts, and someone can try it out using the uploaded MacMini2,1 file posted previously.
@MacEFIRom, we have almost everything we need to create a "good as official" firmware, we'll have a test machine (Lolof's MacMini with several test EPROMs) so can you update your application for MM11.88Z.0055.08B.0610121326 <-> MM21.88Z.009A.B00.0706281359 ?
« Last Edit: September 26, 2011, 12:03:09 AM by Sebinouse » Logged
lolof
Guest
« Reply #38 on: September 25, 2011, 12:36:41 AM »

I think that each of us has to create the firmware.fd update file, then afterwards we can compare our files to each other.
When we are sure of the firmware.fd file, the best man to write a beautiful clean script is macEfirom. I am sure he will help us if he knows we have a test computer with blank chips in case of problems.
To try, we will have to wait 1 or 2 weeks, until the chips and programmer arrive.
Logged
growner
« Reply #39 on: September 25, 2011, 04:17:49 AM »

I've attached a file adding some notes to highlights of some firmware differences.

* MacminiFWdiff.txt (7.26 KB - downloaded 432 times.)
« Last Edit: September 25, 2011, 04:20:14 AM by growner » Logged
lolof
Guest
« Reply #40 on: September 25, 2011, 02:36:35 PM »

Here is the file I have reconstructed (mm21.009A.B00.fd), date (0706281359)

MD5  :  BFBD7357AB42CCF507FD936C0C227E8E

Link removed

I am betting on it. I will try when I receive the SST chip.

It is based on the mm2.1 firmware I posted yesterday and  the "LOCKED_IM51_0090_09B".

The firmware from the mm2.1 is written in the same way as the one from LOCKED_IM51_0090_09B; it is no longer like our dumped mm1,1 firmware file.
You can see this by comparing the mm2.1 firmware with your mm1.1 and LOCKED_IM51_0090_09B firmware, especially at the end of the file.
Plus the mm2,1 firmware has a big sequence (the firmware itself) which is the same as in the im51 firmware. They have many similarities in hardware.

I do not know if this file will work, but I am convinced that the IM5,1 firmware file is the starting point.

Please tell me your opinion.

If macEfirom could modify his app to flash this file, it would be very nice. I think this has to be based on the imac5.1 Apple firmware update, so that we are sure to use the same tools to flash, as this firmware is very similar to IM5,1.

@growner All highlighted values in your txt are values generated after or during fw installation. If we are lucky enough this will be generated by our firmware update... I just hope there is no CRC check on the firmware integrity upon each start.
« Last Edit: September 26, 2011, 08:36:43 AM by lolof » Logged
Sebinouse
« Reply #41 on: September 25, 2011, 11:58:18 PM »

Be careful, there is some IM51 code left in FW ...

Quote
00006420: 20 00 20 00 49 00 4D 00 35 00 31 00 2E 00 38 00     . .I.M.5.1...8.
00006430: 38 00 5A 00 2E 00 30 00 30 00 39 00 30 00 2E 00    8.Z...0.0.9.0...
00006440: 42 00 30 00 39 00 2E 00 30 00 37 00 30 00 36 00    B.0.9...0.7.0.6.
00006450: 32 00 37 00 30 00 39 00 32 00 31 00 00 00 FF FF    2.7.0.9.2.1.....

For my part I removed the parts I mentioned earlier from the dump and you can find the result here.
« Last Edit: September 26, 2011, 12:18:49 AM by Sebinouse » Logged
growner
« Reply #42 on: September 26, 2011, 01:54:54 AM »

@lolof: If the desired result is to "upgrade" the MM1 with a C2D cpu into a MM2 in the eyes of the Lion installer, then I think the contents of the rom that aren't in the firmware updates are potentially the key to this transformation.  Also, if I were to pick a non-Mini Mac most similar to the mid-2007 Mini, it'd be the mid-2007 Macbook, since it has the same chipset as the Mini according to "http://wiki.osx86project.org/wiki/index.php/Apple_hardware", "http://en.wikipedia.org/wiki/Mac_mini" and "http://en.wikipedia.org/wiki/Macbook". Granted, I have very little information about this hack that MacEFIRom put together, so maybe your pathway is correct.
Logged
Sebinouse
« Reply #43 on: September 26, 2011, 10:56:42 AM »

I think @Lolof meant that the MM21....fd looks more like an IM51...fd than an MM11...fd. I also noticed that earlier with a code sequence (0x4000 bytes long in the MM11 at a certain offset and 0x7000 in the MM21/IM51 at another offset).

I also think that the EFI updater picks several pieces of information from the actual firmware and creates a custom firmware before flashing (SSN, NVRAM ..) as none of the official Apple firmwares contains this kind of data.

The method used by @MacEFIROM is based on official firmwares, and the upgrade actually works without these data, so I also guess that a good firmware to start the flashing experiment is the MM21 dump without the personal data I mentioned earlier ...

[off topic]Several people tried to change their MM11 SSN to a MM21 SSN to fool the Lion Installer and it didn't work: their system was still recognized as a MM11. So a MM21 with a MM11 SSN shouldn't be a problem either ...[/off topic]

By the way, I modified Lolof's dump and I get the *EXACT* same file as earlier with AlexCoolTranquille's dump : more info and file here


« Last Edit: September 26, 2011, 11:29:53 AM by Sebinouse » Logged
lolof
Guest
« Reply #44 on: September 26, 2011, 12:59:35 PM »

A step further :

My macmini is back to firmware B03.
I have looked in macEfirom's (thanks a lot to him) code and modded an official Apple installer.
My mac is now downgraded to B03.
In the updater from B03, there is only a check on the name of the firmware to be updated; in the newer updater there is a new check that macEfirom has patched.

I hope this will also work to update to our custom firmware. This part is not very sure, because it seems that each firmware has a corresponding EFI app updater. We will have to look in all the firmware updater packages and try. I can imagine that Apple has done some tests with different ROMs; with luck there is an updater to mod to get this working.

As the structure of our custom firmware is written like the one from im5,1 and maybe imac4,1, it may be that the EFI app from the imac5,1 or 4,1 will work. Or the one from the macbook.

I am almost sure this will work with a modified efiupdateapp2 from the imac5,1 firmware update package, because this efiupdateapp2 does 2 calls on the firmware file and the older ones call the file only once. And our self-reassembled firmware, like the imac5,1 one, has 2 different sections named mm2188z009ab000706281359 (one I forgot to replace in the modified firmware I posted yesterday).



@Sebinouse Thanks for finding the mistake in the firmware; maybe there are still others. I will look again, I just need the time to do this :-)

@growner If you know where the string with the computer name like MM2 is in the original firmware (if there is one), it should not be complicated, with a modded installer, to install the actual modified firmware and get Lion running on it (if the installer does not replace the modified string with a new one during installation). To avoid this you could write your actual modified firmware with flashrom, but I would not do this, as nobody has tried this on a Mac before (that's what I have been told on IRC); there is no guarantee that it will work, and flashrom is seeing some blocks that are locked on the chip. I could investigate this when I receive the chips and programmer.
From my point of view, I would like to fully install the EFI from the MM2,1 on the MM1,2, just to have more RAM...
« Last Edit: September 30, 2011, 02:05:03 PM by lolof » Logged