You may remember that I own a prototype 2011 MacBook Pro in my collection. The machine uses a beta version of a ROM and I thought this ROM would prevent from starting a recent OS (beyond Snow Leopard). So I looked for a way to flash the ROM with a newer version.
You might know official updates do not work, otherwise I would not write an article on the subject. The idea is to find a way to replace the contents of the ROM without going through the official tools. To start, I tried to find a way to force the flash with a software, unsuccessfully. So I got a little bit further : manual flash !
The method is pretty harsh (it is explained here): it consists in flashing manually the chip that contains the ROM. The needed equipment is simple: a BusPirate (a small card dedicated to development), a connectors of the Mac chip size, a breadboard (or something to link a few wires together) and that’s it. Just open the Mac, put the clip on the chip and go to the software part.
BusPirate
The Clip
The main part is more complicated. First, the BisPirate has to be wired properly, by checking the chip datasheets (it has to be identified, but the forums will help you). The wiring itself is simple if you have the right values. If someone wants to try, I may provide the information concerning my case, but it is not of valuable interest. Then you have to connect the BusPirate to a computer (in my case, I had to use Windows), and try to read the ROM several times. The idea is to check that the system reads correctly without errors.
flashrom -p buspirate_spi:dev=COM3,spispeed=2M -c MX25L6405(D) -r nameoftherom
On my machine, it is this chip (MX25 …) that is used, but it can vary. Reading may take a long time (a little less than an hour) and I made three readings, then validated with a MD5 hash. If the three readings do not give the same result, there is a problem.
The second step is to replace the ROM with a new one. The writing is not a problem, but it obviously need a ROM. Collecting one provided by Apple’s updates does not work: changes occur when flashing, so there are two solutions: either read the ROM of a conventional machine (the same one), or search on the Internet for someone offering the right ROM for download. Keep in mind that the ROM contains the serial number, it is therefore necessary to change it depending on your machine: without this step, your flashed Mac will have the same serial number as the one who provided the ROM, which can cause difficulties, especially with iCloud. Once the ROM is obtained, the writing request one command (and some time).
flashrom -p buspirate_spi:dev=COM3,spispeed=2M -c MX25L6405(D) -w nameoftherom
Once it is done (it’s slow), you must read again the content and check that it matches before trying to reboot the machine.
If all goes well, the machine will boot. In my case, it remains a failure: the machine still hangs with a modern OS, either because it differs from the conventional machine or because the SMC raises concerns, and I have not found ways to change it. Please note that the change of ROM also allows to blow up a password on the EFI, as it is stored on the ROM, and some do not hesitate to ask for money in exchange of this manipulation.
Sorry to say this, but all this info is pointless, same goes to ho.ax.
It’s not a hoax, i can prove it if you want ;)