How To Read/Write/Erase Apple EFI-SPI-ROM with Raspberry Pi

Crizz

Member
Here I will explain the way I fixed some boards by rewriting the Apple EFI SPI ROM.

You should try this if your machine has the following symptoms:

  • stuck in a start-stop loop without posting
  • it will boot, chime, load the OS, but the WiFi and/or the graphics will behave irregularly.
  • it will boot, chime, but will not load an OS and gets stuck on the loading bar. (This can also be an SMC issue)
  • it will boot, chime, but stays on a black or white screen and doesn't even reach a loading bar

What you need:
  • Raspberry Pi
  • min. 4GB microSD
  • 4x 150Ω
  • 1x 47µF Cap
  • optional a SOP8 SOP Clip Cable

First locate your SPI ROM on your board. I recommend desoldering it before flashing it. On the left side is the normal SO-8 package. On the right side the MacBook Air has a different package, but in most cases the same pin-out.
I managed to use the clamp to flash the right chip as well and it worked like a charm:
Check if your chip is supported by the free software Flashrom:
https://www.flashrom.org/Supported_hardware

Hook up the SPI:
http://imgur.com/EAXwlfw
This is my version:

Download and install Raspbian on your Raspberry Pi:
https://www.raspberrypi.org/downloads/

After the first boot go to: Menu -> Preferences -> Raspberry Pi Configuration -> Expand Filesystem
Then go to “Interfaces” Tab and Enable SPI: Reboot!!

After that we can download Flashrom and configure it.
First install a few libraries that Flashrom relies on:
Open a Terminal and type:
sudo apt-get install pciutils
sudo apt-get install libftdi-dev
sudo apt-get install libusb-dev
sudo apt-get install libusb-1.0
sudo apt-get install libpci-dev


Then you need to download the latest flashrom version:
sudo git clone https://github.com/stefanct/flashrom.git

It will be downloaded into a folder called "flashrom" so change directory into the folder:
cd flashrom
sudo make
sudo make install
sudo modprobe spi_bcm2835
sudo modprobe spidev



Now comes the start of the Flashrom process:

Get to the help page:
sudo flashrom --help

List the supported chips:
sudo flashrom -L

Read the flash chip by using the command below three times (use a different output file name for each read, e.g. oldefi1.bin, oldefi2.bin, oldefi3.bin):
sudo flashrom -r oldefi1.bin -V -p linux_spi:dev=/dev/spidev0.0

If the SPI ROM isn't recognized, specify the chip name manually:
sudo flashrom -r oldefi1.bin -c "MX25L1605" -V -p linux_spi:dev=/dev/spidev0.0

Now make sure the three dumps are absolutely identical!!
I compared the files with the hex editor HxD: https://mh-nexus.de/en/hxd/

Erase the chip after you have verified all three reads have no differences:
sudo flashrom -E -V -p linux_spi:dev=/dev/spidev0.0

After modifying the donor file, write it back:
sudo flashrom -w newEFI.bin -V -p linux_spi:dev=/dev/spidev0.0

(Optional) Verify the chip's contents against the file that you just wrote to ensure its integrity:
sudo flashrom -v newEFI.bin -V -p linux_spi:dev=/dev/spidev0.0

If you haven’t run into any problems you will have a freshly flashed chip :)


How to modify / repair the dump or donor file:

Explanation: The MacBook will not run properly, or not run at all, without a proper management engine. When a new MacBook is turned on for the first time the BIOS and the CPU perform a "handshake" allowing them to work together. So in turn, if your management engine gets corrupted and you try to copy the EFI from another MacBook of the same model, it will still not work because the CPU knows it's not the original EFI BIOS. In the best case the MacBook will run, but veeeery slow.

In my case I found a completely clean EFI dump for my machine on the web. There are a lot of places where you can download EFI dumps (clean or not) for free.

You can check your EFI version by analyzing your machine's EFI dump with ME-Analyzer:
http://www.mediafire.com/download/mn...zer+v1.5.1.rar

Once you extract the folder, just drag and drop your EFI-file onto the MEA.bat file, a cmd window will open and give you the info. You will see your ME-version and that it is locked.
If you find an EFI dump for your machine on the web, check whether it is unlocked.
If you cannot find a clean EFI-file you have to build a working EFI-file by yourself.
Follow this: https://www.ghostlyhaks.com/blog/app...lean-me-region


Now open your dump- and donor-file with a hex-editor:


In my case you can clearly see the corruption in my dump since it looks kind of weird.
In a normal case the EFI-file should look like the right side!

Next check and compare the length of your dump- and donor-file.
Select all by pressing CTRL+A and compare the lengths of your files:
It is important that the two files have the same length!!!

Now you will need to replace the serial of the donated dump with your own serial in order to not register over a foreign Mac. You can do this by simply searching for "override-version" and on that same line there will be an 11 to 12 digit serial number that you will replace with your own:
Next search for “$SVS” in the dump and you should find 2 instances. The first instance is what you will need to clear out, making sure to keep the file length the same. It is safe to replace it with an empty value such as “F”. The string including the $SVS should be replaced! Keep in mind not to delete anything, but rather to overwrite it. The file size has to be exactly the same size as the chip or it will return an error. Finally save your newEFI.bin and flash it back to your chip as described above.

NOTE: Here are a few things worth mentioning...

  • Make sure your chip is supported in Flashrom which is the program you will be using to talk to the chip.
  • You need to make sure the clip makes a solid connection to avoid misreads.
  • You need to verify your chips datasheet to correctly identify the pin-out to the SPI programmer.
  • The wires connecting the clip to the SPI programmer need not be any longer than 8 cm.
  • Always make sure to back up your original dump and verify the write.

When everything went well your machine will boot and chime normally.
If not … you have to look for another solution for your problem.


Enjoy :)




Sources:
http://www.win-raid.com/t58f16-Guide...pberry-PI.html
https://www.flashrom.org/RaspberryPi
https://github.com/bibanon/Coreboot-...h-Raspberry-Pi
https://www.ghostlyhaks.com/blog/app...lean-me-region
https://ghostlyhaks.com/blog/apple-e...ck-apple-efi-2
https://www.raspberrypi.org/forums/v...?f=28&t=105360
https://www.raspberrypi.org/document...aspi-config.md
https://github.com/nfd/spi-flash-programmer
https://translate.google.de/?hl=de
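The "read three times and compare", "donor must be the same length as the dump" and "verify after write" steps of this post, collected into shell functions you can source on the Pi. This is an added example, not code from the post above; it assumes flashrom is on the PATH and the chip sits on /dev/spidev0.0 exactly as in the post, and the function names, the demo files and the read_chip_n_times / write_and_verify helpers are my own. The demo at the bottom uses constructed 16-byte files so it runs without any hardware; the two hardware functions only talk to the chip when you call them yourself.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the post's flashrom
# commands in checks: three reads must be identical, the donor must be the
# same length as the dump, and every write is followed by a verify.
# Assumes flashrom on PATH and the chip on /dev/spidev0.0 (as in the post).
# The demo at the bottom uses constructed files, so it runs without hardware.

SPI_PROG="linux_spi:dev=/dev/spidev0.0"

# Read the chip COUNT times into PREFIX1.bin .. PREFIXCOUNT.bin (needs hardware).
# CHIP is optional: pass e.g. "MX25L1605" when flashrom does not detect the part.
read_chip_n_times() {
    prefix=$1; count=$2; chip=$3; i=1
    while [ "$i" -le "$count" ]; do
        if [ -n "$chip" ]; then
            sudo flashrom -r "${prefix}${i}.bin" -c "$chip" -V -p "$SPI_PROG" || return 1
        else
            sudo flashrom -r "${prefix}${i}.bin" -V -p "$SPI_PROG" || return 1
        fi
        i=$((i + 1))
    done
}

# Succeed only if every dump given is byte-for-byte identical to the first one.
dumps_identical() {
    first=$1; shift
    for f in "$@"; do
        cmp -s "$first" "$f" || return 1
    done
    return 0
}

# Size of a file in bytes (wc -c pads with spaces on some systems).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Succeed only if the donor is exactly as long as the dump (= the chip size).
same_length() {
    [ "$(file_size "$1")" -eq "$(file_size "$2")" ]
}

# Write a file to the chip and read it back to verify (needs hardware).
write_and_verify() {
    sudo flashrom -w "$1" -V -p "$SPI_PROG" || return 1
    sudo flashrom -v "$1" -V -p "$SPI_PROG"
}

# --- demo with constructed 16-byte "dumps" (no hardware needed) ---------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'EFIDUMP_CONTENT!' > "$demo_dir/read1.bin"   # three consistent reads
printf 'EFIDUMP_CONTENT!' > "$demo_dir/read2.bin"
printf 'EFIDUMP_CONTENT!' > "$demo_dir/read3.bin"
printf 'EFIDUMP_CONTENT?' > "$demo_dir/misread.bin" # one byte differs: bad clip contact
printf 'EFIDUMP_CONTENT'  > "$demo_dir/short.bin"   # 15 bytes: donor of the wrong size

if dumps_identical "$demo_dir/read1.bin" "$demo_dir/read2.bin" "$demo_dir/read3.bin"; then
    echo "three reads agree: safe to go on"
fi
if ! dumps_identical "$demo_dir/read1.bin" "$demo_dir/read2.bin" "$demo_dir/misread.bin"; then
    echo "reads differ: check the clip contact and read again"
fi
if ! same_length "$demo_dir/read1.bin" "$demo_dir/short.bin"; then
    echo "donor length does not match the dump: do not flash it"
fi
```

On the Pi the real sequence is `read_chip_n_times oldefi 3`, then `dumps_identical oldefi1.bin oldefi2.bin oldefi3.bin`, then `same_length oldefi1.bin newEFI.bin`, and only after both checks pass `write_and_verify newEFI.bin`; the erase step from the post stays a separate command, so a failed check never leaves the chip blank.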

Crizz

Member
I have to add some information here:
I've noticed that every single machine with faulty SPI ROM that I had also had a bad RAM Bank!
When I think about it, it makes sense. The faulty RAM writes back some strange bits and this fucks up the SPI ROM!
This will most likely happen if you try to update your system.

On Mac Pros you can just change the RAM stick, but on Airs the change is trickier since the chips are soldered on the board.
I recently had some success changing a Hynix chip on an Air.
Tested with "rember" before and after. IT WORKED :)

 

Crizz

Member
Well, this is a good question. Actually I was lucky, since I had no idea which one was bad.

I was looking on the web for how to identify which chip is bad depending on the address in the log:

FAILURE! Data mismatch at local BUFA address 0x00000001394fa4e0, BUFB address 0x000000017e406ce0
BUFA Data: 0x9494949494949494, BUFB Data: 0xd494949494949494


But no success...

So I decided to reflow the entire RAM section --> Problem still there

As a result I had no other choice than to swap all the chips one by one and run a test after each swap.
So my choice fell on slot B at the corner and after the first swap - BANG - no errors anymore :)

The machine runs now, with no more kernel panics.
 