Feature #640: possible common method for unlocking flashrom full write access on early intel Mac's?

Added by Walter Sonius 2 days ago. Updated 2 days ago.

Status: Needs Testing
Priority: Low
Assignee: -
Category: -
Start date: 04/26/2026
% Done: 0%
Affected hardware: Apple Intel Macs

Description

Confirmed full write access with flashrom on Linux on a MacPro2,1 (a real 2,1, not a crossflashed 1,1) and a MacPro3,1, but only partial success on an iMac4,1 (crossflashed as 5,1)!

This post consists of 3 parts: part 1 explains the method and gives an example, part 2 collects logs/info to get flashrom to officially recognize early Intel MacPros without the need of adding "laptop=this_is_not_a_laptop", and part 3 investigates whether the iMac4,1 can still be fully unlocked this way.

Most of this method was well known, but using it this way hasn't been documented before?

Part1:

Mac OSX requirement:

You'll first need access to a working Mac OS X version (10.6.8 Snow Leopard to 10.14.x Mojave confirmed) before flashrom in Linux will become unlocked!

Apple (cross) firmware introduction:

Sometimes early Intel Macs required a special power ON/OFF method to let official Apple firmware upgrades succeed. This method has been exploited in the past to allow cross-upgrading from certain iMac and MacPro models to a higher model number's firmware, which for instance could improve functionality like more RAM support, booting NVMe drives, or allowing higher OS upgrades. For instance, MacPro1,1 to 2,1, MacPro4,1 to 5,1, or iMac4,1 to 5,1 were done in similar ways.

Simply put: by modifying the Apple firmware "model-xyz.fd" file and the firmware update tool "EfiUpdaterAppX.efi" themselves (adjusting version numbers & checksum methods), these correctly modified files, with the help of a common Mac OS X bless command referring to them (first copied to the right system folder), will upon "being blessed" copy themselves again, but this time to the EFI FAT partition, and at the same time set some nvram/efibootmgr magic.
Then shut the Mac down normally. On the next power ON, keep the power button pressed until it flashes/blinks; it will power ON making a scary BEEPING sound to warn you that it is starting the firmware EFI upgrade tool from the EFI FAT partition! This only happens once: on subsequent power ONs it will just continue regular booting, and pressing the power button for a long time again until it blinks won't start the EFI update again unless it has been re-blessed first in Mac OS X!

Up to here this was well known...

Flashrom in linux:

However, if you just replace the modified "EfiUpdaterApp.efi" tool with a regular "grubia32.efi" or "refind_ia32.efi" (or the 64-bit EFI variants) and supply an empty "LOCKED_IM41_0055_08B.fd" firmware file, but still use the same special bless command and shut the Mac down in the regular correct way, the next special power ON (while keeping the button pressed until it flashes) will still greet you with the same scary BEEPING sound but will not flash the firmware; instead it boots (just for once) to "refind_x-.efi" or "grubx-.efi", whatever you supplied to bless earlier from Mac OS X!
From here you can continue booting an installed Linux (a USB live system with refind_x-.efi also works), but you'll notice that the machine is in a different state now. The fans are a lot louder! In this state, flashrom -p internal:laptop=this_is_not_a_laptop -w anything.rom will fully flash the ROM of your MacPro2,1 or MacPro3,1, instead of not being able to write it at all when booted normally! Be careful not to brick it with broken or incorrect firmware, since recovery and soldering a 40-pin TSOP is almost impossible!

For the iMac4,1 it will only write a little bit past the first 1MB, not fully, but that's more than it did while powering on normally.

Notice that the same bless command was valid using the iMac4,1 firmware update file and tool "file names" on all tested Mac models, including a MacBookPro9,1. They all start the requested grub/refind file with the same power ON long-press sequence. Except that the MacBookPro9,1 didn't gain any write improvements (it was already partly flashable by the IFD hack).

Example commands:

Run in the Mac OS X terminal (uses a MacPro3,1 with 64-bit EFI for example):

sudo mkdir /System/Library/CoreServices/Firmware\ Updates/iMacEFIUpdate
sudo cp ~/Desktop/refind-bin-0.14.2/refind/refind_x64.efi /System/Library/CoreServices/Firmware\ Updates/iMacEFIUpdate/EfiUpdaterApp.efi
#or refind_ia32.efi if MacPro2,1 or 1,1 or another 32-bit EFI Mac, or the grub loader that was already in /EFI/BOOT/GRUB or Debian, whatever works for you
sudo touch /System/Library/CoreServices/Firmware\ Updates/iMacEFIUpdate/LOCKED_IM41_0055_08B.fd

firmware="EfiUpdaterApp.efi"
firmware2="LOCKED_IM41_0055_08B.fd"
updatesdir1="/System/Library/CoreServices/Firmware Updates"
updatesdir2="/System/Library/CoreServices/Firmware Updates/iMacEFIUpdate"
sudo /usr/sbin/bless -mount / -firmware "${updatesdir2}/${firmware}" -payload "${updatesdir2}/${firmware2}" --verbose
#this bless command will fail if you already mounted the hidden FAT EFI partition; unmount it first if so
#regularly shut down your Mac after this

#power ON next boot while holding the power button until the LED blinks, then release the power button!
#continue booting your Mac from the refind or grub menu to Linux and verify flashing!

#notice that on subsequent boots the firmware program and files (refind/grub/empty fake firmware) are still on the EFI partition in the APPLE folder...
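As an added example (not from the original post), a Linux-side wrapper around the flashrom write step above: it reads the chip twice into backups, refuses to continue unless both reads agree and the new image matches the backup's size and is not all zeroes, and only then writes. It assumes flashrom is in PATH and reuses the programmer string from the post; the file names backup1.rom/backup2.rom are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks around the
# flashrom write step on a MacPro that has been unlocked with the bless trick.
# Assumes flashrom is in PATH and uses the programmer string from the post.
set -eu

PROGRAMMER="internal:laptop=this_is_not_a_laptop"

# Byte count of a file, without the leading spaces some wc versions print.
size_of() { wc -c < "$1" | tr -d ' '; }

# Return 0 when two files are both non-empty and byte-for-byte identical.
same_image() {
    [ -s "$1" ] && [ -s "$2" ] || return 1
    [ "$(size_of "$1")" -eq "$(size_of "$2")" ] || return 1
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(sha256sum "$2" | cut -d' ' -f1)" ]
}

# Return 0 when the image to be written has exactly the backup's size and is
# not all 0x00 bytes (an accidental blank image would leave the Mac unbootable).
image_ok() {
    new="$1"; backup="$2"
    [ -s "$new" ] || return 1
    [ "$(size_of "$new")" -eq "$(size_of "$backup")" ] || return 1
    nonzero=$(tr -d '\000' < "$new" | wc -c | tr -d ' ')
    [ "$nonzero" -gt 0 ]
}

# Read the chip twice, insist the reads agree, check the new image, then write.
flash_with_checks() {
    new="$1"
    flashrom -p "$PROGRAMMER" -r backup1.rom   # placeholder backup file names
    flashrom -p "$PROGRAMMER" -r backup2.rom
    same_image backup1.rom backup2.rom || { echo "chip reads differ, aborting" >&2; return 1; }
    image_ok "$new" backup1.rom || { echo "$new fails size/content check, aborting" >&2; return 1; }
    flashrom -p "$PROGRAMMER" -w "$new"
}

# Usage: sh thisscript.sh anything.rom  (does nothing when no image is given)
if [ "${1:-}" != "" ]; then
    flash_with_checks "$1"
fi
```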

Credit for the special bless commands and variables should go to the creators of the cross iMac4,1/5,1 and other firmware update tools!

Part2:

The MacPro2,1 and MacPro3,1 work with flashrom with this method; without this method they can still read the ROM, but in both cases they need the special flashrom programmer reference "internal:laptop=this_is_not_a_laptop". Supplied are 2 verbose dumps of flashrom writing the MacPro's firmware; what else should be supplied to get official read and perhaps write support?

Notice that these firmware-restoring write logs were made after the chips had been successfully written earlier, the first time with 2MB of zeros, and checksum verified!

Part3:

The iMac4,1 only gets some parts beyond the 1st MB unlocked; any possible adjustments to flashrom that could make this fully work? (will upload log later)


Files

logs-mp21-beep-a-w-tinal.txt (39.1 KB) - mp21 flashrom write log - Walter Sonius, 04/26/2026 06:50 PM
mp31-oem-beep-a-w-tinal-nf.log (44.4 KB) - mp31 flashrom write log - Walter Sonius, 04/26/2026 06:50 PM