
yjchua95 (macrumors 604, original poster; Apr 23, 2011; GVA, KUL, MEL (current), ZQN)
Hi,

My late-2013 iMac has been staying at the boot screen for about 5 seconds before showing the Apple logo. All my other Macs don't have this problem and display the Apple logo within 1-2 seconds. (call me picky or OCD, but I'll assume that something isn't right and that an EFI rootkit might've attacked my iMac - definitely not Thunderstrike, but could be something related to the flawed suspend-resume implementation of Apple's sleep mode).

I've ensured that the startup disk was selected and tried a NVRAM and SMC reset, to no avail. A clean install didn't help either.

Has anyone experienced this as well? I'm thinking that there might be something with the EFI.
 
Is your model identifier iMac14,3 (BTO 21.5" iMac) as well? And is the boot ROM version IM143.0118.B11, with an SMC version of 2.17f7?
Mine is a late-2012 21.5" iMac:
iMac13,1
Boot ROM: IM131.010A.B05
SMC: 2.9f5
 
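The posters above are comparing model identifier, boot ROM and SMC versions by hand; the script below is an added example (not from the thread) that does the same comparison against a table of expected versions. It parses the text that `system_profiler SPHardwareDataType` prints; the table holds only the versions reported in this thread and the sample reports are constructed, so both are illustrations rather than Apple's known-good list.

```shell
#!/bin/sh
# Added example (not from the thread): compare the firmware versions a Mac
# reports with a table of expected versions for its model identifier.
# Input is the text printed by `system_profiler SPHardwareDataType`.

# Expected "model boot_rom smc" triples. Constructed from the versions the
# posters reported; an admin would keep a real known-good list here.
EXPECTED='iMac14,3 IM143.0118.B11 2.17f7
iMac13,1 IM131.010A.B05 2.9f5'

# Print the value of the first report line whose label contains $1.
hw_field() {                      # stdin = system_profiler output
    awk -F': *' -v key="$1" 'index($1, key) { print $2; exit }'
}

# Exit 0 on match, 1 on mismatch, 2 when the model is not in the table.
check_firmware() {                # stdin = system_profiler output
    report=$(cat)
    model=$(printf '%s\n' "$report" | hw_field 'Model Identifier')
    rom=$(printf '%s\n' "$report" | hw_field 'Boot ROM Version')
    smc=$(printf '%s\n' "$report" | hw_field 'SMC Version')
    expected=$(printf '%s\n' "$EXPECTED" |
               awk -v m="$model" '$1 == m { print $2, $3; exit }')
    if [ -z "$expected" ]; then
        echo "UNKNOWN  $model: no expected versions on file"
        return 2
    elif [ "$expected" = "$rom $smc" ]; then
        echo "OK       $model: Boot ROM $rom, SMC $smc"
        return 0
    fi
    echo "MISMATCH $model: reports Boot ROM $rom / SMC $smc, expected $expected"
    return 1
}

# Constructed sample reports (the real command only exists on macOS).
SAMPLE_OK='Hardware:

    Hardware Overview:

      Model Name: iMac
      Model Identifier: iMac14,3
      Boot ROM Version: IM143.0118.B11
      SMC Version (system): 2.17f7'
SAMPLE_BAD='      Model Identifier: iMac14,3
      Boot ROM Version: IM143.0000.B00
      SMC Version (system): 2.17f7'

printf '%s\n' "$SAMPLE_OK"  | check_firmware
printf '%s\n' "$SAMPLE_BAD" | check_firmware || true   # non-zero is expected
# On a Mac: system_profiler SPHardwareDataType | check_firmware
```

A matching version string only shows what the firmware reports about itself, and a modified ROM can report any version, so this is a fleet-consistency check rather than proof of integrity.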
Is your model identifier iMac14,3 (BTO 21.5" iMac) as well? And is the boot ROM version IM143.0118.B11, with an SMC version of 2.17f7?

Off topic, but my iMac is a 14,3. It was an in store purchase and wasn't a custom build.
 
I don't really want to have to bump this, but has anyone else faced this as well?

Right now I'm thinking that some boot kit like Thunderstrike (doubt it though, it was patched in 10.10.2) or the sleep-wake implementation flaw (discovered by Pedro Vilaça) may have caused it.
 
I don't really want to have to bump this, but has anyone else faced this as well?

Right now I'm thinking that some boot kit like Thunderstrike (doubt it though, it was patched in 10.10.2) or the sleep-wake implementation flaw (discovered by Pedro Vilaça) may have caused it.

Could you video what is happening?
 
Could you video what is happening?
Here are the videos comparing the delay between the chime and the Apple logo: http://1drv.ms/1fXSKkH

The 21.5" iMac is always consistently much slower than my other Macs when it comes to the period between the chime and the Apple logo showing up.

Note: In this case, both Macs don't have FileVault enabled. The rMBP is a 13" early-2015 i7/16/512 variant with Force Touch.

I'm thinking that during the abnormally long delay between the chime and the Apple logo on the iMac, some extra (and possibly illegal) background tasks may be in progress in the iMac, due to some form of bootkit.
 
Here are the videos comparing the delay between the chime and the Apple logo: http://1drv.ms/1fXSKkH

The 21.5" iMac is always consistently much slower than my other Macs when it comes to the period between the chime and the Apple logo showing up.

Note: In this case, both Macs don't have FileVault enabled. The rMBP is a 13" early-2015 i7/16/512 variant with Force Touch.

I'm thinking that during the abnormally long delay between the chime and the Apple logo on the iMac, some extra (and possibly illegal) background tasks may be in progress in the iMac, due to some form of bootkit.

Am I not right in thinking the delay you have on the 21.5" is due to any other bootable drives or partitions you have? As you are supposed to hold down the alt key to change what partition/drive you wish to boot from. Do you have a partition on your iMac's storage or an external drive connected?
 
Here are the videos comparing the delay between the chime and the Apple logo: http://1drv.ms/1fXSKkH

The 21.5" iMac is always consistently much slower than my other Macs when it comes to the period between the chime and the Apple logo showing up.

Note: In this case, both Macs don't have FileVault enabled. The rMBP is a 13" early-2015 i7/16/512 variant with Force Touch.

I'm thinking that during the abnormally long delay between the chime and the Apple logo on the iMac, some extra (and possibly illegal) background tasks may be in progress in the iMac, due to some form of bootkit.

And is there a difference in transfer speeds between the 256GB SSD in your iMac and the 13 inch you compared it to?
 
Am I not right in thinking the delay you have on the 21.5" is due to any other bootable drives or partitions you have? As you are supposed to hold down the alt key to change what partition/drive you wish to boot from. Do you have a partition on your iMac's storage or an external drive connected?
Nope, there is only one partition in the internal 256GB SSD. There are no external devices connected.
 
And is there a difference in transfer speeds between the 256GB SSD in your iMac and the 13 inch you compared it to?
Massive difference (700 vs 1500), but I tested it against my 27" retina (the 256GB in the 21.5" and the 5K 512GB clock in at around 700 as well) and the 5K booted up as fast as the 13" rMBP.

Transfer rates are not a factor. Rather, it's the delay between the chime and the Apple logo, which has nothing to do with the SSD speeds, as during this period the computer isn't actually booting - it's doing some EFI tasks like searching for the boot partition.

What I'm worried about is that the abnormal delay in the 21.5" is due to some extra (non-Apple) EFI tasks that may have been injected by a boot kit. And some boot kits (like the one exploiting the sleep-wake flaw) can be deployed without physical access. All the bootkit would need to do is to force a sleep (like running a script related to pmset) and execute.
 
Massive difference (700 vs 1500), but I tested it against my 27" retina (the 256GB in the 21.5" and the 5K 512GB clock in at around 700 as well) and the 5K booted up as fast as the 13" rMBP.
Then I'm really not sure. Have you tried reformatting the operating system?
Yes, I have. A clean install that was preceded by a secure wipe (single pass though).

A clean install can't remove boot kits.
 
Yes, I have. A clean install that was preceded by a secure wipe (single pass though).

A clean install can't remove boot kits.

I believe that you could only be infected if it's transmitted via a physical drive (i.e. an external TB drive) and cannot be infected with something just over the web?
 
I believe that you could only be infected if it's transmitted via a physical drive (i.e. an external TB drive) and cannot be infected with something just over the web?
It can be done over the web, without physical access (in the case of the sleep-wake vulnerability), but Thunderstrike has to be deployed physically via a TB device (and this was patched quite early with 10.10.2). See my post regarding pmset earlier in this thread.
 
It can be done over the web, without physical access (in the case of the sleep-wake vulnerability), but Thunderstrike has to be deployed physically via a TB device (and this was patched quite early with 10.10.2). See my post regarding pmset earlier in this thread.

Right. Really not sure how I can help then. Is there not software out there that could detect and remove any threats deep down such as a boot kit?
 