MP 1,1-5,1 5,1 USB EFI windows install - corrupt firmware?

[stuisthebest]

hi,

today i spent the day attempting to install windows onto a spare HD on my 5,1 mac pro (no partition, just using the whole HD), using a USB flash drive which I created NOT with boot camp, but by downloading an ISO from the windows website and using Homebrew to split large files in order to get them copied over.

i eventually managed to install windows but i was experiencing issues - bluetooth not working, losing picture, and eventually I could not even get past a boot loop after a restart. whilst searching for solutions to these issues, i came across this thread

where someone commented,
"Usb efi installs on the 5,1 are a very bad idea, unless bios is protected by open core, windows will write all kinds for stuff to bios, and brick it."

additionally there was a link to this article which says,
"Warning: DO NOT install Windows from a USB flash drive. It has been discovered that Windows when installed in EFI mode is corrupting the Mac Pro’s firmware by signing it with multiple Secure Boot (X.509) certificates."

I formatted the HD that i had used and abandoned the dream, but at this point i had already (semi-)successfully installed windows. i don't know enough to understand what these consequences mean - is it likely that i have done to my firmware what these people say? how might i test this? if so, what are the implications for my mac? it appears to be operating as normal but i'm just worried.

also, as a footnote: when starting up the mac into Startup Manager using the option key, one of my other disks (NOT the one on which i attempted to install windows) is appearing on the list as "windows" even though it is not a bootable drive - in fact if i select it and try to boot from it, it gives me a black screen with some text saying something like, perating system not found". what's that all about?

thanks for your time

Stu

 

[h9826790]

Run "RomDump Macschrauber" which can help you to check if the MS cert is in the firmware now. It's a safe tool and work very automatically for checking this cert.

Healthy NVRAM normal behaviour on 4,1->5,1 machines

Macschrauber's Rom Dump I needed to encrypt the disk image as DropBox has flagged it for containing Flashrom. The password is rom. What's new in the latest versions: Update from 20-2-2024 -> checking Fsys for missing items or wrong order sometimes they get into the wrong order or items...

forums.macrumors.com

 

[tsialex]

Since you installed Windows via UEFI, the Windows UEFI SecureBoot signing already your Mac Pro EFI BootROM - you already known that. The signing happens at the first reboot of Windows while installing and then subsequently, every time you run it with SecureBoot activated.

This will over time brick your Mac Pro corrupting the NVRAM volume or if you are specially unlucky, some conditions can brick it more or less immediately, but it's a rare occurrence that require MP51.0087.B00 being your current BootROM release.

If you saved a backup of your BootROM image previously, time to flash it back to the Mac Pro.

 

[stuisthebest]

Since you installed Windows via UEFI, the Windows UEFI SecureBoot signing already your Mac Pro EFI BootROM - you already known that. The signing happens at the first reboot of Windows while installing and then subsequently, every time you run it with SecureBoot activated.

This will over time brick your Mac Pro corrupting the NVRAM volume or if you are specially unlucky, some conditions can brick it more or less immediately, but it's a rare occurrence that require MP51.0087.B00 being your current BootROM release.

If you saved a backup of your BootROM image previously, time to flash it back to the Mac Pro.

thanks for your reply! i have not saved a backup of my BootROM image. honestly, all this stuff is over my head, i did not flash the mac myself, i just bought it on ebay already upgraded to 5,1 a few years ago. i had no idea it could be so dangerous trying to install windows - there is very little advice about this situation out there, just lots of info on how to do what you apparently should NEVER do!

i have a time machine backup of all my drives and obviously the mac still works for now so i can still get files off it to make extra backups. but it sounds like long-term i'm ****ed. could you tell me the best next step to take? i found the "bootROM thread" started by yourself which talks about replacing parts? apologies for my ignorance - this is all another language to me.

 

[tsialex]

thanks for your reply! i have not saved a backup of my BootROM image. honestly, all this stuff is over my head, i did not flash the mac myself, i just bought it on ebay already upgraded to 5,1 a few years ago.

So, you have a early-2009 Mac Pro cross-flashed to mid-2010, this makes it worse.

i had no idea it could be so dangerous trying to install windows - there is very little advice about this situation out there, just lots of info on how to do what you apparently should NEVER do!

MacPro5,1 is a EFI 1.10 Mac, not a UEFI one, so, you can't follow instructions for a PC or a UEFI Mac (mostly 2013 and newer Macs).

i have a time machine backup of all my drives and obviously the mac still works for now so i can still get files off it to make extra backups. but it sounds like long-term i'm ****ed. could you tell me the best next step to take?

Flash a backup BootROM image, replacing the damaged one, since you don't have it, you gonna need a BootROM reconstruction service, I'll send you a PM.

i found the "bootROM thread" started by yourself which talks about replacing parts? apologies for my ignorance - this is all another language to me.

Right now you just need the BootROM reconstruction service, no need to replace the SPI flash memory (at least, not immediately, but it's an early2009…).

 

[Yebubbleman]

i had no idea it could be so dangerous trying to install windows - there is very little advice about this situation out there, just lots of info on how to do what you apparently should NEVER do!

Installing Windows on a Mac isn't ordinarily anywhere near this dangerous. It doesn't help that pre-UEFI-only Macs will technically boot both a Windows installer in BIOS mode (which thusly installs Windows in BIOS mode) and a Windows installer in EFI mode. Those newer Intel Macs only boot into UEFI mode and it's largely fine. But older Macs HAVE to run Windows in BIOS mode or else squirrelly nonsense like this happens.

 

[mahdif62]

If you already have Opencore legacy patcher installed when you install Windows, will there still be a risk of nvram curroption?

 

[haralds]

I bought a 5,1 system that had a Windows certificate in the boot ROM. Using MacSchrauber and multiple param resets actually were able to remove the bad certificate entries. Perhaps I was lucky.

 

[netsrot39]

MacPro5,1 is a EFI 1.10 Mac, not a UEFI one, so, you can't follow instructions for a PC or a UEFI Mac (mostly 2013 and newer Macs).

This might be a bit off-topic, but do you know if a MacBook Air 6,2 (Early 2014) has a proper UEFI implementation? I'm asking because I recently installed Windows 11 in EFI mode and didn’t think much about it, but I am aware of the potential hazards when doing this on a Mac Pro 2009 or 2010. So my question is: Is it really only the Mac Pro 4,1/5,1 that is at risk when performing an EFI boot, or are other Macs affected as well?

 

[tsialex]

This might be a bit off-topic, but do you know if a MacBook Air 6,2 (Early 2014) has a proper UEFI implementation? I'm asking because I recently installed Windows 11 in EFI mode and didn’t think much about it, but I am aware of the potential hazards when doing this on a Mac Pro 2009 or 2010. So my question is: Is it really only the Mac Pro 4,1/5,1 that is at risk when performing an EFI boot, or are other Macs affected as well?

As older as MacPro5,1 only.

Simplifying a lot, late-2013 Macs are UEFI, most 2013 Macs are UEFI aware, while 2012 models have some mitigations.

P.S.: No Mac at all have a “proper UEFI implementation” - Macs are not PCs and a lot of PCs from the same era also fail to comply with the UEFI spec.

 

[Dayo]

Are other Macs vulnerable to issues with booting into UEFI Windows?

First you need to understand what the vulnerability is.

The UEFI specs didn't really mature until around 2013 but Apple had been rolling implementations out since 2008.
That is, they were rolling out pseudo versions of an aspect of the specs called the "nvRAM".

They had one implementation in the 2008/09 MP, tried to be clever for the 2010 MP and introduced some flaws which they could not be bothered to rectify for the 2012 MP although the requirements for the nvRAM were quite settled and when done as per the specs, CANNOT BE OVERLOADED WITH DATA.

Having said that, Apple's PseudoNVram worked just fine ... as long as you stayed within the Supported MacOS and BootCamp bubble. Once you step out of this bubble into either Unsupported MacOS or UEFI Windows, you could find out that Apple's PseudoNVram CAN EASILY BE OVERLOADED WITH DATA ... with nasty consequences.

By 2013 however, Apple had addressed things and their PseudoNVram was now basically immune ... just like the real deal.

A few years later, around 2016/17, new Macs started identifying themselves as UEFI 2.x units, indicating they were compliant with the minimum requirements of the applicable UEFI Self Certification Test.

UEFI SCT

Tianocore website. Contribute to tianocore/tianocore.github.io development by creating an account on GitHub.

github.com

In summary, your 2014 unit, sporting PseudoNVram Mark III/Newer or maybe even a real UEFI 2.x compliant nvRAM, is almost certainly *NOT* vulnerable to issues that afflict units with older versions of Apple's PseudoNVram.

You can get a broad idea whether your unit identifies itself as uEFI 1 or 2 with:

ioreg -l -p IODeviceTree | grep firmware-revision | awk -F'[<>]' '{print $2}'

My MP31 gives "0a000100" which is "1.10". If you see a "2" in there, basically means it is UEFI 2.x.

This processes the output a bit more:

ioreg -l -p IODeviceTree | grep firmware-revision | \
awk -F'[<>]' '{print $2}' | xxd -r -p | od -An -t u2

---

EDIT: This should give even clearer output...

ioreg -l -p IODeviceTree | grep firmware-revision | \
awk -F'[<>]' '{print $2}' | xxd -r -p | od -An -t u2 | \
awk 'NR==1 {if ($2==1) print "EFI 1." $1; else if ($2==2) \
print "UEFI 2." $1; else print "Not an Intel Mac!"}'

 

[netsrot39]

Very interesting, thanks to you both @tsialex and @Dayo for explaining how this came to be.

My MP31 gives "0a000100" which is "1.10". If you see a "2" in there, basically means it is UEFI 2.x.

My MacBook Air6,2 also outputs "0a000100". If I understand correctly, the EFI version doesn’t matter, but the NVRAM does. Do you know why Apple messed up so badly with the 4,1 and 5,1 Mac Pros in this regard, while getting it right with other models?

So, running Windows 11 on my MacBook Air is safe, as far as I understand, right? OpenCore is a great bootloader, and I could use it to load Windows 11—but why introduce an extra layer if it isn’t necessary?

 

[Dayo]

Do you know why Apple messed up so badly with the 4,1 and 5,1 Mac Pros in this regard?

You cannot describe something that works perfectly well for everything officially supported as messed up.

So, running Windows 11 on my MacBook Air is safe, as far as I understand, right?

It *SHOULD* be, but you might want to check or get someone like @tsialex to verify for you or explain what to check.