netkas.org forum
Topic: Apple Firmware hacking (Read 2967 times)
DarthnVader (Newbie, Posts: 22)
« on: December 01, 2017, 01:02:12 PM »

I'm looking at ways to try and hack Apple's firmware updates to insert a NVME driver into the Firmware of a MacPro so it will boot from NVME drives.

Just taking a quick look at the firmware update for the 5,1 from High Sierra installer, the firmware seems to be locked, I can't insert anything into it with UEFITool. This shouldn't come as a shock, as the file name is: MP51_0084_00B_LOCKED.fd

If others are interested in this project we can look into it more, and see if we can't figure out how to insert a driver into the firmware, but then I'm sure Apple's firmware update tool won't flash a modified firmware unless it has a proper CRC, so we'll have to overcome that too.

tomtomgps (Newbie, Posts: 43)
« Reply #1 on: December 02, 2017, 10:27:18 AM »

Sounds like a great project!  I suppose the firmware you're talking about is contained on a certain chip in the Mac Pro. How do you know there is enough space on it to contain a driver ?  Is there any way to decompile the firmware ?
DarthnVader (Newbie, Posts: 22)
« Reply #2 on: December 02, 2017, 02:01:11 PM »

Quote from: tomtomgps on December 02, 2017, 10:27:18 AM
> Sounds like a great project! I suppose the firmware you're talking about is contained on a certain chip in the Mac Pro. How do you know there is enough space on it to contain a driver? Is there any way to decompile the firmware?

There is always room ;D

You can't decompile it, but you can extract it. UEFITool does a fair job, if you know how to use it; there used to be a Python script that did a better job of it.

tomtomgps (Newbie, Posts: 43)
« Reply #3 on: December 03, 2017, 07:20:50 AM »

"Anecdotal evidence has indicated that Mac systems also contain a “boot ROM”, which is executed before the EFI firmware and verifies the integrity of the firmware image including its cryptographic signature at the end of the firmware volume. If the firmware image is not deemed to be valid, the system generates the “S.O.S.” beep sound (literally “S O S” in Morse code) and refuses to boot."

http://ho.ax/De_Mysteriis_Dom_Jobsivs_Black_Hat_Paper.pdf
DarthnVader (Newbie, Posts: 22)
« Reply #4 on: March 20, 2018, 08:44:11 PM »

Quote from: tomtomgps on December 03, 2017, 07:20:50 AM
> "Anecdotal evidence has indicated that Mac systems also contain a “boot ROM”, which is executed before the EFI firmware and verifies the integrity of the firmware image including its cryptographic signature at the end of the firmware volume. If the firmware image is not deemed to be valid, the system generates the “S.O.S.” beep sound (literally “S O S” in Morse code) and refuses to boot."
>
> http://ho.ax/De_Mysteriis_Dom_Jobsivs_Black_Hat_Paper.pdf

Thanks Tom, I'll look into it.
vidkidd (Newbie, Posts: 32)
« Reply #5 on: March 27, 2018, 03:04:21 AM »

Looks like Apple's firmware security formula has been figured out.   

https://www.sentinelone.com/blog/reverse-engineering-mac-os-x/

Modifying the MacPro firmware looks possible.
DarthnVader (Newbie, Posts: 22)
« Reply #6 on: May 29, 2018, 12:01:26 PM »

Someone figured this out; I'm just a dunce with UEFITool. The firmware is not locked.

We should be able to add any driver we want to a Mac's efi firmware now, assuming there is room on the chip.

Sadly I don't have any EFI Macs other than an old ICH8 MacBook that is EFI32, so there really isn't anything I can add to the firmware on it.

For EFI64 systems we should be able to add a GOP driver for boot screens on UEFI unflashed GFX cards, support for NVME booting, and USB XHCI booting.
Rominator (Hero Member, Posts: 2275)
« Reply #7 on: May 30, 2018, 02:48:55 AM »

Great project, wish I had time for it.

Don't forget adding newer CPUs. I seem to recall that there is a 4.4 GHz dual-core Xeon that isn't in the microcode for 4,1/5,1.

Also, the X-Serve never got the Westmere chips and 1,333 RAM but could certainly use them.

Good luck. I have seen a bunch of info on Mac EFI on the web in the last week, it's out there.

A few years back a guy was trying to write a 64bit EFI for the 1,1/2,1. He found a socket for the Mac EFI EEPROM and thus could use a programmer and never had to worry about "bricking" the Mac. Might be something to consider.

Before asking a question, check your "Personal Settings" and be sure that you have "Brain Services" set to "On".
mikeboss (Newbie, Posts: 4)
« Reply #8 on: May 30, 2018, 12:20:11 PM »

dosdude today released his dump/flash tool -> http://dosdude1.com/apps/ROMTool.zip

1. Dump the ROM (the serial # of the Mac Pro is stored in the ROM!).
2. Add the NVMe part to the dumped ROM with UEFITool -> https://github.com/LongSoft/UEFITool/releases
3. Write the modded ROM to the EEPROM.
4. Done! The MacPro5,1 can now boot from an NVMe SSD.

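Before step 3 in the procedure above, the thing worth checking is whether the dump you are about to write back is intact and whether the volume you inserted the driver into actually had room for it without growing. The script below is an added example, not part of the thread, ROMTool or UEFITool: it walks a firmware image, locates each firmware volume by its `_FVH` signature, verifies the 16-bit header checksum that the UEFI PI spec requires to sum to zero, and counts the trailing 0xFF padding as free space. The test image it builds (two identical volumes, as the thread describes for the Mac Pro microcode volumes) is constructed and contains no real Apple data; the attribute value and file-system GUID are filler.

```python
import struct

# EFI_FIRMWARE_VOLUME_HEADER, fixed part (UEFI PI spec): ZeroVector, FileSystemGuid,
# FvLength, Signature, Attributes, HeaderLength, Checksum, ExtHeaderOffset,
# Reserved, Revision. A block map of {NumBlocks, Length} pairs follows, ending in {0, 0}.
FV_FIXED = "<16s16sQ4sIHHHBB"
FV_FIXED_LEN = struct.calcsize(FV_FIXED)      # 56 bytes
FV_SIGNATURE = b"_FVH"
SIGNATURE_OFFSET = 40                          # ZeroVector (16) + GUID (16) + FvLength (8)


def sum16(buf):
    """Sum of little-endian 16-bit words modulo 2**16; a valid FV header sums to 0."""
    if len(buf) % 2:
        buf = buf + b"\x00"
    return sum(struct.unpack("<%dH" % (len(buf) // 2), buf)) & 0xFFFF


def build_volume(fv_length, payload):
    """Constructed test volume (not a real Mac Pro ROM): one volume of fv_length
    bytes whose body holds payload followed by 0xFF padding, i.e. free space."""
    block_map = struct.pack("<II", 1, fv_length) + struct.pack("<II", 0, 0)
    header_len = FV_FIXED_LEN + len(block_map)

    def header(checksum):
        # Attributes (0x0004FEFF) and the zero GUID are filler values for the example.
        return struct.pack(FV_FIXED, b"\x00" * 16, b"\x00" * 16, fv_length,
                           FV_SIGNATURE, 0x0004FEFF, header_len, checksum,
                           0, 0, 2) + block_map

    checksum = (-sum16(header(0))) & 0xFFFF    # choose Checksum so the word sum is zero
    free = fv_length - header_len - len(payload)
    if free < 0:
        raise ValueError("payload does not fit in the volume")
    return header(checksum) + payload + b"\xFF" * free


def find_volumes(image):
    """Locate every firmware volume in a dump and report its size, whether the
    header checksum verifies, whether it runs past the end of the dump, and how
    many trailing 0xFF bytes of its body are free."""
    volumes = []
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - SIGNATURE_OFFSET
        if (start >= 0 and image[start:start + 16] == b"\x00" * 16
                and start + FV_FIXED_LEN <= len(image)):
            fields = struct.unpack_from(FV_FIXED, image, start)
            fv_len, hdr_len, rev = fields[2], fields[5], fields[9]
            header = image[start:start + hdr_len]
            body = image[start + hdr_len:start + fv_len]
            volumes.append({
                "offset": start,
                "length": fv_len,
                "revision": rev,
                "header_ok": len(header) == hdr_len and sum16(header) == 0,
                "truncated": start + fv_len > len(image),
                "free_bytes": len(body) - len(body.rstrip(b"\xFF")),
            })
        pos = image.find(FV_SIGNATURE, pos + 1)
    return volumes


def driver_fits(volume, driver_size):
    """True when a driver of driver_size bytes fits in the volume's free space
    without the volume having to grow (which would shift everything behind it)."""
    return (volume["header_ok"] and not volume["truncated"]
            and driver_size <= volume["free_bytes"])


if __name__ == "__main__":
    # Constructed dump: 256 bytes of unrelated data, then two identical 2 KiB volumes.
    dump = b"\x00" * 256 + build_volume(0x800, b"\x55" * 100) * 2
    for v in find_volumes(dump):
        print(v, "1 KiB driver fits:", driver_fits(v, 1024))
```

On a real dump you would run `find_volumes` over the file ROMTool produced and again over the file UEFITool wrote out; every volume should keep its offset and length, and the header checksum should still verify. A header that no longer sums to zero, or a volume that now extends past the end of the image, is the kind of defect that turns a flash into a brick.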
tomtomgps (Newbie, Posts: 43)
« Reply #9 on: May 31, 2018, 10:06:28 PM »

Wow, that looks super exciting! I am going to wait for a good tutorial before attempting the flash. :P I've seen this on Twitter https://twitter.com/gillesaurejac/status/997893176135385089 but with the new tool it should be a lot easier. Can we modify the EFI to remove the 2.5 GT/s limit and, most importantly, modify the EFI so that non-Apple cards can work on boot?
« Last Edit: May 31, 2018, 10:15:43 PM by tomtomgps »
DarthnVader (Newbie, Posts: 22)
« Reply #10 on: June 01, 2018, 12:58:19 PM »

Quote from: Rominator on May 30, 2018, 02:48:55 AM
> Great project, wish I had time for it.
>
> Don't forget adding newer CPUs. I seem to recall that there is a 4.4 GHz dual-core Xeon that isn't in the microcode for 4,1/5,1.
>
> Also, the X-Serve never got the Westmere chips and 1,333 RAM but could certainly use them.
>
> Good luck. I have seen a bunch of info on Mac EFI on the web in the last week, it's out there.
>
> A few years back a guy was trying to write a 64bit EFI for the 1,1/2,1. He found a socket for the Mac EFI EEPROM and thus could use a programmer and never had to worry about "bricking" the Mac. Might be something to consider.

Come on Dave, you always have time to make money ;D

No really, you should know by now, no matter how easy you make things for people, there will still be people willing to pay you to create it for them, rather than think for themselves.

Apple people are more likely to pay you to do something for them, even though they could do it for themselves, mostly because they are busy making money using their Macs and would rather not get down into the nuts and bolts like we do, because they could spend that time racking up billable hours.

I know, you still have a day job, so you get to rack up billable hours of your own. :P
vidkidd (Newbie, Posts: 32)
« Reply #11 on: June 02, 2018, 02:02:40 AM »

Quote from: tomtomgps on May 31, 2018, 10:06:28 PM
> Wow, that looks super exciting! I am going to wait for a good tutorial before attempting the flash. :P I've seen this on Twitter https://twitter.com/gillesaurejac/status/997893176135385089 but with the new tool it should be a lot easier. Can we modify the EFI to remove the 2.5 GT/s limit and, most importantly, modify the EFI so that non-Apple cards can work on boot?

" I am going to wait for a good tutorial before attempting the flash. "

Here ya go. :D This should work for the 3,1, 4,1 and 5,1.

https://docs.google.com/document/d/1WNkM9LuGPq1sArO9EedWBHYq14NU7m-mDBLAWWJipyM/edit?usp=sharing
« Last Edit: June 02, 2018, 02:05:59 AM by vidkidd »
Rominator (Hero Member, Posts: 2275)
« Reply #12 on: June 02, 2018, 04:05:18 AM »

Wow, so has someone done this and confirmed it works?

If so, who is going to figure out the extra CPUs?

UPDATE: Wow, it's working for folks at MR. I don't go there much, not much fun when you can't post.

Apple isn't going to be too happy. An exploit that could wedge itself into boot rom is something that keeps them up at night.

But a 4.4 GHz 4,1 would be fun. And I was amused to see one poster there had the same thought process I did: he tests MXM cards in an X-Serve.

Or a way to update SMC on 4,1 CPU boards so 4,1 and 5,1 would be interchangeable.

« Last Edit: June 02, 2018, 06:17:55 AM by Rominator »
DarthnVader (Newbie, Posts: 22)
« Reply #13 on: June 02, 2018, 02:26:17 PM »

Quote from: Rominator on June 02, 2018, 04:05:18 AM
> Wow, so has someone done this and confirmed it works?
>
> If so, who is going to figure out the extra CPUs?
>
> UPDATE: Wow, it's working for folks at MR. I don't go there much, not much fun when you can't post.
>
> Apple isn't going to be too happy. An exploit that could wedge itself into boot rom is something that keeps them up at night.
>
> But a 4.4 GHz 4,1 would be fun. And I was amused to see one poster there had the same thought process I did: he tests MXM cards in an X-Serve.
>
> Or a way to update SMC on 4,1 CPU boards so 4,1 and 5,1 would be interchangeable.

A few people have confirmed it works, but it depends on the drive and the carrier card. This is really why Apple never updated the MP to support 3rd-party NVMe: it's just a support nightmare for them.

3rd parties like Sonnet, OWC, etc. could have come up with a solution. I mean, in the PPC days they patched the boot ROM of New World Macs to support their CPU upgrades; however, the DMCA and other copy prevention may be preventing 3rd parties from patching the EFI FW on Intel Macs.

It seems like an issue that should be able to be addressed in a PCI option ROM, and it seems like there would be a market for an M.2 to PCI-E card that has native boot support on Mac Pros. There must be some issue preventing the 3rd parties from offering a turn-key product; I just don't have an idea what it would be.
Bunga-Bunga (Newbie, Posts: 48)
« Reply #14 on: June 03, 2018, 10:44:53 AM »

Hello folks,

I was able to update the microcode of my MP5,1 (ex-4,1) to the latest versions. It is simple copy-paste, but keep in mind not to change the ROM size, because newer codes are bigger. In the volume there is enough empty space filled with FF.
Before, I had four codes; the two 106A4 were for different platforms (0+1). The latest 106A4 contains both platforms, so I have only three codes now.

The rom has two identical volumes which hold the microcode, so you have to update both. Easiest way is to do it with UEFITool, extract body of one microcode-volume, modify manually with hexeditor and replace body of both volumes with the new file.

One problem after updating: Windows 10 won't boot because of an unsupported CPU, neither the OS installed on the drive nor from the install stick! Did MS really drop support for "newer" microcode?!?
« Last Edit: June 03, 2018, 10:47:32 AM by Bunga-Bunga »
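The two constraints in the post above, that the replacement body must stay exactly the size of the original and that one newer update can cover both platform IDs that previously needed two, can both be checked mechanically before anything is written back. The script below is an added example, not Bunga-Bunga's procedure or any project's code: it parses the Intel microcode update header (the 48-byte layout documented in the Intel SDM, with the dword checksum of the whole update summing to zero and ProcessorFlags carrying the platform-ID bitmask), walks one microcode volume body, and produces a replacement body of identical length with the FF padding restored. The updates it builds for the test are constructed filler with the CPUID 106A4 and platform flags from the post; they carry no real microcode.

```python
import struct

# Intel microcode update header (48 bytes, Intel SDM vol. 3, "Microcode Update"):
# HeaderVersion, UpdateRevision, Date (BCD mmddyyyy), ProcessorSignature, Checksum,
# LoaderRevision, ProcessorFlags (platform-ID bitmask), DataSize, TotalSize, 12 reserved.
MC_HEADER = "<IIIIIIIII12s"
MC_HEADER_LEN = struct.calcsize(MC_HEADER)    # 48


def sum32(buf):
    """Sum of little-endian 32-bit words modulo 2**32; a valid update sums to 0."""
    return sum(struct.unpack("<%dI" % (len(buf) // 4), buf)) & 0xFFFFFFFF


def build_update(revision, cpuid, platform_flags, data):
    """Constructed microcode update for the example; data is filler, not real
    microcode. Checksum is chosen so the dword sum of the whole update is zero,
    which is the check the loader performs."""
    assert len(data) % 4 == 0
    total = MC_HEADER_LEN + len(data)

    def header(checksum):
        # Date 0x06032018 is a constructed BCD-style value (06/03/2018).
        return struct.pack(MC_HEADER, 1, revision, 0x06032018, cpuid, checksum,
                           1, platform_flags, len(data), total, b"\x00" * 12)

    checksum = (-sum32(header(0) + data)) & 0xFFFFFFFF
    return header(checksum) + data


def parse_updates(region):
    """Walk a microcode volume body: updates sit back to back, followed by 0xFF
    padding. Returns one dict per update, including whether its checksum verifies."""
    updates, offset = [], 0
    while offset + MC_HEADER_LEN <= len(region):
        f = struct.unpack_from(MC_HEADER, region, offset)
        version, revision, _, cpuid, _, _, flags, data_size, total = f[:9]
        if version != 1:                     # 0xFFFFFFFF means we reached the padding
            break
        if data_size == 0:                   # legacy fixed-size update per the SDM
            data_size, total = 2000, 2048
        blob = region[offset:offset + total]
        updates.append({
            "offset": offset,
            "cpuid": "%X" % cpuid,           # e.g. "106A4", as named in the post
            "revision": revision,
            "platforms": [b for b in range(8) if flags >> b & 1],
            "total_size": total,
            "checksum_ok": len(blob) == total and sum32(blob) == 0,
        })
        offset += total
    return updates


def fits(region, new_updates):
    """True when the new updates fit in the existing body without growing it."""
    return sum(len(u) for u in new_updates) <= len(region)


def replace_updates(region, new_updates):
    """Build the replacement body for one microcode volume: exactly len(region)
    bytes, the new updates back to back, 0xFF padding restored after them.
    Rejects updates that fail their own checksum and sets that do not fit."""
    for u in new_updates:
        if len(u) < MC_HEADER_LEN or len(u) % 4 or sum32(u) != 0:
            raise ValueError("microcode update fails its checksum")
    if not fits(region, new_updates):
        raise ValueError("new microcode (%d bytes) exceeds the %d-byte volume body"
                         % (sum(len(u) for u in new_updates), len(region)))
    body = b"".join(new_updates)
    return body + b"\xFF" * (len(region) - len(body))


if __name__ == "__main__":
    # Constructed body: two 106A4 updates for platforms 0 and 1, then FF padding.
    old = (build_update(0x11, 0x106A4, 0b01, b"\x00" * 16)
           + build_update(0x11, 0x106A4, 0b10, b"\x00" * 16))
    region = old + b"\xFF" * (512 - len(old))
    print("before:", parse_updates(region))
    newer = build_update(0x1D, 0x106A4, 0b11, b"\x00" * 64)   # covers both platforms
    print("after: ", parse_updates(replace_updates(region, [newer])))
```

Because the ROM holds two copies of the microcode volume, `replace_updates` would be run once per volume body and each result compared for length against the body it replaces; the same `parse_updates` pass then confirms that every update in the written-back image still verifies and that the platform bitmask of the single remaining 106A4 entry covers both platforms the two old entries did.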