MP51.0084.B00 Rom Dump Request

[HaypurTiryading]

Heya!
I saw gilles_polysoft made a miracle and gave our dusty machines to native NVMe abilities. I look at his twitter and he can edit Apple Efi with UEFITool. I am familiar with this kind of editing. I just ask myself to why didn't Apple release efi/bootrom files to public for corruption or recovery situation? Voila.

MP 5.1 - EFI Firmware Restoration
https://support.apple.com/kb/DL1320?locale=en_US
MP 4.1 / XS 3.1 - EFI Firmware Restoration
https://support.apple.com/kb/DL976?locale=tr_TR

I just download the .dmg file and unpacked in the windows 10. There is 4 files in the .dmg package. The file end with .hfs is efi/bios file for Mac Pro's. I opened with UEFITool and saw the modules. (Check the picture.) I can insert any module even NVMe but there is a problem. Our machines (MP 4.1 - 5.1) have updated/better bootrom if High Sierra installed. If I don't know wrong the most up to date version is end with B00. EFI Restoration files should be older. B07-B08 or B03.

https://imgur.com/kwgAiIM

Can anyone provide me a .hfs file, dump file or show me a better way?
Sorry for my not native english. I hope my sentences is understandable.
By the way I have a MP 4.1 - 2009. Upgraded fw 5.1 with ends B00.

Best regards,
Muhammet

 

[LightBulbFun]

its pretty Awesome that gilles_polysoft was able to patch the Mac Pro BootROM, a few of us theorised it would be possible its pretty cool to see it being actually done

as for the BootROM you can use the linux program flashrom to Dump and flash the BootROM chip in the Mac Pro

you can read a bit about my adventures with flashrom here https://forums.macrumors.com/threads/updating-a-mac-pro-s-cpu-microcode.2114187/

remember when flashing the EEPROM you have to put the Mac Pro into Programmers mode by holding the Power Button down until it blinks rapidly/you get the Long tone then boot your linux drive


BTW in the dmg is just 1 file. which is MP51_007F_03B.fd this is not a complete BootROM dump keep that in mind. (also its quite out of date being from 2010 it pre-dates any of the High sierra BootROMs)

 

[HaypurTiryading]

its pretty Awesome that gilles_polysoft was able to patch the Mac Pro BootROM, a few of us theorised it would be possible its pretty cool to see it being actually done

as for the BootROM you can use the linux program flashrom to Dump and flash the BootROM chip in the Mac Pro

you can read a bit about my adventures with flashrom here https://forums.macrumors.com/threads/updating-a-mac-pro-s-cpu-microcode.2114187/

remember when flashing the EEPROM you have to put the Mac Pro into Programmers mode by holding the Power Button down until it blinks rapidly/you get the Long tone then boot your linux drive


BTW in the dmg is just 1 file. which is MP51_007F_03B.fd this is not a complete BootROM dump keep that in mind. (also its quite out of date being from 2010 it pre-dates any of the High sierra BootROMs)
View attachment 762373

I'll digg your thread tomorrow. If I remember correctly, High Sierra should be contain a complete or partial bootrom. Because I did programming thing that you've said in quote. I must unzip the HS Setup file.

Thanks.
Muhammet

 

[h9826790]

The newest bootrom image should be inside the latest HS installer.

 

[MIKX]

I'm enthralled ! The big question to me is " Will the flash be reversible ? "

Once this flash is proved viable & stable it absolutely has to become the No.1 Macrumors/mac pro / STICKY !

I've always known that one of our cMP owners would crack what Apple has denied us for so long.

Goodbye to internal SATA II spinner hdd's !
[doublepost=1526899408][/doublepost]My current 4,1 > 5,1 Bootrom version is MP51.0085.B00

 

[expede]

And I can confirm that my Firmware ends with B00 (MP51.0084.B00). And my cMP is from mid 2012. I found a file called MP51_0084_00B_LOCKED.fd in the installer of HS (Contents/Resorces/Firmware/).

/Per

 

[HaypurTiryading]

What is the difference between 85.B00 and 84.B00?

 

[expede]

I do not know? That mine is much faster?? Sorry, had to.

/Per

 

[h9826790]

What is the difference between 85.B00 and 84.B00?

Apple never says anything about all this firmware update except the APFS support.

By considering Apple has zero interest to cMP at all, I will definitely go for 0085 because there may be some serious bug fix (most likely still APFS related).

 

[ActionableMango]

When @Lauwie was working on modifying his EFI for NVME and USB 3.0 boot support, he discovered that the MacOS maintenance scripts didn't like a custom EFI. Also, updating MacOS resulted in the stock EFI reflashing back in, so the custom EFI was inherently temporary.

Are these issues not a problem now?

 

[HaypurTiryading]

I don't know. I don't have NVMe card yet or I didn't prepare a modified efi. I'm searching the files, ways, working principles etc. But @gilles_polysoft made via SPI Programmer and look like working. I hope he will publish some of the document / how to do list or complete modified efi.

 

[ActionableMango]

I'm searching the files, ways, working principles etc. But @gilles_polysoft made via SPI Programmer and look like working. I hope he will publish some of the document / how to do list or complete modified efi.

You'll probably find this overview to be informative. It's about Thunderstrike, but most of the content still directly applies, or at least the first half of the presentation does. That person made his own tool.

EDIT:
Also, here is some information about tricking the CRC check so you can use Apple's own firmware updater tool.

Please forgive me if I'm sending non-relevant information, I am completely ignorant about these topics. But I had an interest back in the day, so I'm searching back to share what I found.

 

[gilles_polysoft]

Heya!
I saw gilles_polysoft made a miracle and gave our dusty machines to native NVMe abilities. I look at his twitter and he can edit Apple Efi with UEFITool. I am familiar with this kind of editing. I just ask myself to why didn't Apple release efi/bootrom files to public for corruption or recovery situation? Voila.
[...]
Can anyone provide me a .hfs file, dump file or show me a better way?
Sorry for my not native english. I hope my sentences is understandable.
By the way I have a MP 4.1 - 2009. Upgraded fw 5.1 with ends B00.

Hi Muhammet,

Sorry I had lot of work lately and didn't have the time to make a lot of documentation yet..
I'm in the process of making a tutorial on ifixit, maybe I'll have finished in next days but can't promise (I would really love to make this documentation available to all).
If you want all files and archives I made yet I can send you them via personal mail.

I think we have no right to publish any BootRom from Apple, but we can publish any procedure so that anyone can try the upgrade.

First of all, please, make backups of your systems, Roms, etc.
I highly recommend, yet, to do backups with SPI programmer if possible.
Work with a uninterruptible power supply (UPS) if possible.
Any failure while working on the Bootrom can brick your computer...

Note that once your cMP flashed with a NVMe modded BootRom, you will be able to :
- run Sierra (like I did) or High Sierra, booted from a 4K compatible (and 4K formatted) NVMe drive. 4K capable NVMe SSD include any Kingston (A1000, KC1000), Toshiba (XG3-XG4-XG5), some WD / OCZ, some Intel datacenter SSDs.
- otherwise, run High Sierra from any 512b formated NVMe SSD, including any Samsung M.2 NVMe SSD.

In any case, macOS Sierra and High Sierra will both try to update the BootRom at each update, forever.
While we can't stop this process, fortunately the fact is that, while booted from any external or NVMe drive, BootRom update will fail... That will keep our cMP with its modded NVMe Bootrom !
But if you boot any time from an internal AHCI drive and proceed to macOS update, thought, there is a risk that a BootRom update may succed which can revert to a non-NVMe compatible BootRom.. You are warned !


That said, here are the process I made, and sorry for my bad english...

The process is doable either : 1) with hardware SPI programmer, which may be best at present (by safety, because with an SPI programmer it's easy to roll back any change if anything goes wrong), or : 2) with software, by patching the EFIUpdater files.


Pre-requirement : extraction of the NVMe DXE driver :
- download and install Pacifist.app : https://www.charlessoft.com
- download and install UEFI Tool : https://github.com/LongSoft/UEFITool/releases
- download "Install macOS High Sierra.app" : https://itunes.apple.com/fr/app/macos-high-sierra/id1246284741
- locate your "Install macOS High Sierra.app", right-click on it and click on "show Package content"
- open "InstallESD.dmg" file in "Contents/SharedSupport"
- you get a mounted "InstallESD" volume. Right-click on the "Firmwareupdate" package and click on "Open with Pacifist"
- in Pacifist, click on the "Resources" tab and open "FirmwareUpdate.pkg"->"Scripts"->"Tools"->"EFIPayloads". Select any firmware payload from a Mac that has native NVMe support, I have used the rMBP 11.4 (MBP114_0182_B00.fd)
- click on "extract as is" and save the MBP114_0182_B00.fd file [edit : corrected thanks to LightBulbFun)
- open that same MBP114_0182_B00.fd file with "UEFI Tool"
- do a text search (not unicode) with "NVMe" : you will find the NVMe DXE driver at an address starting with "51116915-C34B"
- right-click on the DXE driver and click on "extract body", save the file (with an informative name like "NVMe_DXE_apple.ffs" for example )

Here it is, you have the NVMe DXE driver.


Next, solution n°1, with a SPI programmer :
process is very straightforward :
- unsolder the BootRom (chip U8700 on the logic board, a SST 25VF032B on my logic board)
- read the BootRom with an SPI programmer and save the 4M resulting file (for ex. : MP51.007F.xxxxxx_orig.rom
- open the result file with UEFI Tool
- search for a text (non unicode) field "DXE" : that will get you to the DXE driver image portion
- add the previously saved NVMe DXE driver after the last DXE driver (Insert after)
- save the file (ex: MP51.007F.xxxxx_NVMe.rom) and write it back to the Bootrom chip
- solder back the BootRom chip
- et voilà !



Otherwise, solution n°2, With software : (might only work yet on a 4.1 MacPro with BootRom MP51.007F)
the aim is to use the MP51.0085.00B_LOCKED firmware from High Sierra installer app, to patch it to add NVMe DXE driver, then to use the EfiUpdaterApp2.efi programm from MacPro Firmware Update 1.5 which will be patched with help of a script from Netkas MacPro2009-2010 Firmware tool to make accept our modded firmware (with a different CRC32 file)... Sorry if that sounds complicated, I've not managed to patch the EfiUpdaterApp2.efi from High Sierra yet...

Procedure might be changed if starting from a different BootRom version or board...
As always, make backups...

- If running on El Capitan or Sierra and have SIP enabled, start on recovery partition, disable SIP, and reboot.
- download MacPro2009-2010FirmwareTool.zip from Netkas forums
- download MacPro Firmware Update 1.5 : https://support.apple.com/kb/dl1321?locale=en_CA
- download Hexfriend (or any Hexadecimal editor)
- locate your "Install macOS High Sierra" app
- right-click on "Install macOS High Sierra.app", click on "show Package content"
- open "BaseSystem.dmg" file in "Contents/SharedSupport"
- you get an "OS X Base System" mounted volume. Open it, locate the "Install macOS High Sierra.app" at the root of this volume, right-click on it and click on "Show Package Content"
- open the folders "Contents/Resources/Firmware" : you will find in it the last MacPro 5.1 BootRom : MP51.0085.00B_LOCKED.fd
- Make a copy of this file to your desktop
- open this "MP51.0085.00B_LOCKED.fd" file with UEFI Tool
- search for a text (non unicode) field "DXE" : that will get you to the DXE driver image portion
- add the previously saved NVMe DXE driver after the last DXE driver (Insert after)
- save the file (ex: MP51.0085.00B_NVMe.fd)
- with the terminal, calculate the CRC32 of this modded fd file (type : CRC32 and drag your MP51.0085.00B_NVMe.fd file)
- If you used same XDE driver as mine (from rMBP11,4) you should get a value of f35a82b5 which translate to B5825AF3 in big endian
- locate your MacPro2009-2010FirmwareTool and right click on it -> Show Package Content
- open Contents/Resources/ folder, and locate EFIUpdater2010.patch and drag it on your hexadecimal editor
- search and replace for hexadecimal BDD7C676 (big end. crc32 of the 4.1 BootRom) with BE5899C0 (big end. CRC32 of our modded MP51.0085.00B_NVMe.fd file)
- save the obtained file as EFIUpdaterNVMe.patch
- locate your MacPro Firmware Update 1.5 dmg, and mount it on the Desktop
- open with Pacifist the MacProEFIUpdate.pkg
- extract the file "EfiUpdaterApp2.efi" from the resource tab and save it to the same folder as EFIUpdaterNVMe.patch. Note the name of the firmware : MP51_007F_03B_LOCKED.fd
- Patch your "EfiUpdaterApp2.efi" with the previously done "EFIUpdaterNVMe.patch" by typing in the terminal :
patch EfiUpdaterApp2.efi EFIUpdaterNVMe.patch
- If all done well, you now have your patched EfiUpdaterApp2.efi programm and your modded firmware MP51.0085.00B_NVMe.fd
- Place a copy of those both files in /System/Library/CoreServices/Firmware\ Updates/
- rename MP51.0085.00B_NVMe.fd as MP51_007F_03B_LOCKED.fd
- Bless the EfiUpdaterApp2.efi file :
/usr/sbin/bless -mount / -firmware /System/Library/CoreServices/Firmware\ Updates/EfiUpdaterApp2.efi -payload /System/Library/CoreServices/Firmware\ Updates/MP51_007F_03B_LOCKED.fd -options "-x efi-apple-payload0-data" --verbose
- if all done well, you should get "exit 0" as result

You can now shut down your MacPro, then press and hold the power button and let the firmware update be done.

 

[tsialex]

Thanks a lot, with these instructions I can make it work here. I’ll try via POMONA clip, flashrom and a Pi.

At the moment I only have a 512MB SM951 AHCI, time to get a bigger NVMe one.

 

[handheldgames]

A soldering iron isn’t necessary. The 2009 MacBook Pro and the 4,1/5,1 share the identical EFI / Serial RAM chip.

There are plenty of tutorials sharing an easy process to dump and flash efi roms based on the ST25VF032B without desoldering, using a clip to attach to the posts of the serial ram.

I’ve ordered a bus pirate, sioc8 clip and cables. I’m looking forward to flashing later this week.

 

[LightBulbFun]

@gilles_polysoft Awesome guide! we should be able to use this as a template to add NVMe to other EFI64 macs like Mac Pro 3,1s and Xserves as well as adding APFS support! sounds pretty epic... (cc @dosdude1 )

out of curiosity do you mean - right-click on the DXE driver and click on "extract as is", save the file (with an informative name like "NVMe_DXE_apple.ffs" for example )

rather then "extract body"? as extracting body gives me something thats not a DXE driver that i cant insert after... (it also has a diffrent file extension)

where as doing "extract as" is gives me a .ffs file that is a DXE driver/image that i can insert after the last DXE image in the Mac Pro 5,1 BootROM

 

[gilles_polysoft]

A soldering iron isn’t necessary.[...]
There are plenty of tutorials sharing an easy process to dump and flash efi roms based on the ST25VF032B without desoldering, using a clip to attach to the posts of the serial ram.

I don't say that it is not possible without an iron (after all I used a hot air gun ) but I simply described the way I made it. It is not probably the best but I didn't
manage to get coherent data with my on-chip so8 clip which is a cheap one that I got with the EZP2013.
On my 13" rMBP (on which I did a similar mod to have deepsleep working with a NVMe drive) I had to bring 3,3V power and could read/write eeprom data with a macpirate cable.
I've ordered a Ponoma to figure it out.

All suggestions are welcome

 

[MIKX]

Gilles, my 4,1 cMP is now at MP51.0085.B00 boot rom.

Will your technique work with it ?

In your #13 post you say " might only work yet on a 4.1 MacPro with BootRom MP51.007F

 

[gilles_polysoft]

@gilles_polysoft Awesome guide! we should be able to use this as a template to add NVMe to other EFI64 macs like Mac Pro 3,1s and Xserves as well as adding APFS support! sounds pretty epic... (cc @dosdude1 )

Hi LightBulbFun
Thanks a lot and yes, we could try this ! I've got two Xserve3,1 that serve me as reballed MXM card test machines, I'll try the mod also.
Maybe we can also update the intel ME, and try to boot on USB 3.0 !

out of curiosity do you mean - right-click on the DXE driver and click on "extract as is", save the file (with an informative name like "NVMe_DXE_apple.ffs" for example )

rather then "extract body"? as extracting body gives me something thats not a DXE driver that i cant insert after... (it also has a diffrent file extension)

Ohhhh yes you're definitely right, accept my apologies... I'll correct it.

Gilles, my 4,1 cMP is now at MP51.0085.B00 boot rom.

Will your technique work with it ?

In your #13 post you say " might only work yet on a 4.1 MacPro with BootRom MP51.007F

Hi MIKX,

It was quite uneasy to me to understand how to patch the EfiUpdaterApp2.efi, because I'm mostly an hardware guy, not software. I don't know how to mod the EfiUpdaterApp2.efi from the HighSierra installer app, that's why I prefered to use the already available MacPro Firmware Update 1.5 from Apple and EFIUpdater2010.patch from Netkas forums, which both expect to work on a MP51.007F firmware.

It seems to me that the Firmware update verification of the UpdaterApp2.efi app from High Sierra is different from previous ones, I've not been able to find CRC32 values in it (the whole UpdaterApp2.efi seems to be encrypted ?).

Maybe the way to update via software a MacPro already having MP51.0085.B00 BootRom would be to try to patch the EfiUpdaterApp2.efi from MacPro Firmware Update 1.5 with adding to it the full expected board ID, like it the EFIUpdater2010.patch does.

At least, the method with full dump with a SPI programmer (or under linux) will work.

 

[HaypurTiryading]

If I understand correctly, first of all we must downgrade the firmware to the 007F if it is possible. Then modified efi file can be flashed via Netkas 4.1->5.1 method. Am I correct?

It is not possible updating modified firmware 84.B00 to 85.B00 or 85.B00 to 85.B00, am I right?

 

[DearthnVader]

Hi Muhammet,

Sorry I had lot of work lately and didn't have the time to make a lot of documentation yet..
I'm in the process of making a tutorial on ifixit, maybe I'll have finished in next days but can't promise (I would really love to make this documentation available to all).
If you want all files and archives I made yet I can send you them via personal mail.

I think we have no right to publish any BootRom from Apple, but we can publish any procedure so that anyone can try the upgrade.

First of all, please, make backups of your systems, Roms, etc.
I highly recommend, yet, to do backups with SPI programmer if possible.
Work with a uninterruptible power supply (UPS) if possible.
Any failure while working on the Bootrom can brick your computer...

Note that once your cMP flashed with a NVMe modded BootRom, you will be able to :
- run Sierra (like I did) or High Sierra, booted from a 4K compatible (and 4K formatted) NVMe drive. 4K capable NVMe SSD include any Kingston (A1000, KC1000), Toshiba (XG3-XG4-XG5), some WD / OCZ, some Intel datacenter SSDs.
- otherwise, run High Sierra from any 512b formated NVMe SSD, including any Samsung M.2 NVMe SSD.

In any case, macOS Sierra and High Sierra will both try to update the BootRom at each update, forever.
While we can't stop this process, fortunately the fact is that, while booted from any external or NVMe drive, BootRom update will fail... That will keep our cMP with its modded NVMe Bootrom !
But if you boot any time from an internal AHCI drive and proceed to macOS update, thought, there is a risk that a BootRom update may succed which can revert to a non-NVMe compatible BootRom.. You are warned !


That said, here are the process I made, and sorry for my bad english...

The process is doable either : 1) with hardware SPI programmer, which may be best at present (by safety, because with an SPI programmer it's easy to roll back any change if anything goes wrong), or : 2) with software, by patching the EFIUpdater files.


Pre-requirement : extraction of the NVMe DXE driver :
- download and install Pacifist.app : https://www.charlessoft.com
- download and install UEFI Tool : https://github.com/LongSoft/UEFITool/releases
- download "Install macOS High Sierra.app" : https://itunes.apple.com/fr/app/macos-high-sierra/id1246284741
- locate your "Install macOS High Sierra.app", right-click on it and click on "show Package content"
- open "InstallESD.dmg" file in "Contents/SharedSupport"
- you get a mounted "InstallESD" volume. Right-click on the "Firmwareupdate" package and click on "Open with Pacifist"
- in Pacifist, click on the "Resources" tab and open "FirmwareUpdate.pkg"->"Scripts"->"Tools"->"EFIPayloads". Select any firmware payload from a Mac that has native NVMe support, I have used the rMBP 11.4 (MBP114_0182_B00.fd)
- click on "extract as is" and save the MBP114_0182_B00.fd file [edit : corrected thanks to LightBulbFun)
- open that same MBP114_0182_B00.fd file with "UEFI Tool"
- do a text search (not unicode) with "NVMe" : you will find the NVMe DXE driver at an address starting with "51116915-C34B"
- right-click on the DXE driver and click on "extract body", save the file (with an informative name like "NVMe_DXE_apple.ffs" for example )

Here it is, you have the NVMe DXE driver.


Next, solution n°1, with a SPI programmer :
process is very straightforward :
- unsolder the BootRom (chip U8700 on the logic board, a SST 25VF032B on my logic board)
- read the BootRom with an SPI programmer and save the 4M resulting file (for ex. : MP51.007F.xxxxxx_orig.rom
- open the result file with UEFI Tool
- search for a text (non unicode) field "DXE" : that will get you to the DXE driver image portion
- add the previously saved NVMe DXE driver after the last DXE driver (Insert after)
- save the file (ex: MP51.007F.xxxxx_NVMe.rom) and write it back to the Bootrom chip
- solder back the BootRom chip
- et voilà !



Otherwise, solution n°2, With software : (might only work yet on a 4.1 MacPro with BootRom MP51.007F)
the aim is to use the MP51.0085.00B_LOCKED firmware from High Sierra installer app, to patch it to add NVMe DXE driver, then to use the EfiUpdaterApp2.efi programm from MacPro Firmware Update 1.5 which will be patched with help of a script from Netkas MacPro2009-2010 Firmware tool to make accept our modded firmware (with a different CRC32 file)... Sorry if that sounds complicated, I've not managed to patch the EfiUpdaterApp2.efi from High Sierra yet...

Procedure might be changed if starting from a different BootRom version or board...
As always, make backups...

- If running on El Capitan or Sierra and have SIP enabled, start on recovery partition, disable SIP, and reboot.
- download MacPro2009-2010FirmwareTool.zip from Netkas forums
- download MacPro Firmware Update 1.5 : https://support.apple.com/kb/dl1321?locale=en_CA
- download Hexfriend (or any Hexadecimal editor)
- locate your "Install macOS High Sierra" app
- right-click on "Install macOS High Sierra.app", click on "show Package content"
- open "BaseSystem.dmg" file in "Contents/SharedSupport"
- you get an "OS X Base System" mounted volume. Open it, locate the "Install macOS High Sierra.app" at the root of this volume, right-click on it and click on "Show Package Content"
- open the folders "Contents/Resources/Firmware" : you will find in it the last MacPro 5.1 BootRom : MP51.0085.00B_LOCKED.fd
- Make a copy of this file to your desktop
- open this "MP51.0085.00B_LOCKED.fd" file with UEFI Tool
- search for a text (non unicode) field "DXE" : that will get you to the DXE driver image portion
- add the previously saved NVMe DXE driver after the last DXE driver (Insert after)
- save the file (ex: MP51.0085.00B_NVMe.fd)
- with the terminal, calculate the CRC32 of this modded fd file (type : CRC32 and drag your MP51.0085.00B_NVMe.fd file)
- If you used same XDE driver as mine (from rMBP11,4) you should get a value of f35a82b5 which translate to B5825AF3 in big endian
- locate your MacPro2009-2010FirmwareTool and right click on it -> Show Package Content
- open Contents/Resources/ folder, and locate EFIUpdater2010.patch and drag it on your hexadecimal editor
- search and replace for hexadecimal BDD7C676 (big end. crc32 of the 4.1 BootRom) with BE5899C0 (big end. CRC32 of our modded MP51.0085.00B_NVMe.fd file)
- save the obtained file as EFIUpdaterNVMe.patch
- locate your MacPro Firmware Update 1.5 dmg, and mount it on the Desktop
- open with Pacifist the MacProEFIUpdate.pkg
- extract the file "EfiUpdaterApp2.efi" from the resource tab and save it to the same folder as EFIUpdaterNVMe.patch. Note the name of the firmware : MP51_007F_03B_LOCKED.fd
- Patch your "EfiUpdaterApp2.efi" with the previously done "EFIUpdaterNVMe.patch" by typing in the terminal :
patch EfiUpdaterApp2.efi EFIUpdaterNVMe.patch
- If all done well, you now have your patched EfiUpdaterApp2.efi programm and your modded firmware MP51.0085.00B_NVMe.fd
- Place a copy of those both files in /System/Library/CoreServices/Firmware\ Updates/
- rename MP51.0085.00B_NVMe.fd as MP51_007F_03B_LOCKED.fd
- Bless the EfiUpdaterApp2.efi file :
/usr/sbin/bless -mount / -firmware /System/Library/CoreServices/Firmware\ Updates/EfiUpdaterApp2.efi -payload /System/Library/CoreServices/Firmware\ Updates/MP51_007F_03B_LOCKED.fd -options "-x efi-apple-payload0-data" --verbose
- if all done well, you should get "exit 0" as result

You can now shut down your MacPro, then press and hold the power button and let the firmware update be done.

That's great work @gilles_polysoft .

Really, I don't think there is any need of a UPS when updating the Firmware, if the update get interrupted then you should be able to use Apple's Firmware Restoration CD.

https://support.apple.com/kb/dl1320?locale=en_US

The Firmware Restoration CD can restore the firmware of an Intel-based Macintosh computer.

Note: Restoring your firmware will reset some of your computer's preferences to defaults.

You can only use this to restore the firmware after an interrupted or unsuccessful update. If your computer is already in this state, you'll need to download the software and create the CD on another Macintosh computer, or you can take your computer to an Apple Store or Apple Authorized Service Provider to restore your firmware. This CD can be created on either a PowerPC or Intel-based Mac, but only works with Intel-based Macs.

Note: This CD cannot be used to return an Intel-based Macintosh computer's firmware to a previous version if a successful update has already been performed.

Download the correct Firmware Restoration CD image
Different computers use different versions of the Restoration CD. Please reference the table below to determine if this version of the Firmware Restoration CD is correct for your machine.

Computer Model Identifier
Mac Pro (Mid 2010) MacPro 5,1
To see your Mac's model information (Model Identifier), follow these steps on the computer you will be using the CD with:

1. From the Apple menu, choose About this Mac.
2. Click the "More Info" button. This opens System Profiler.
3. The Model Identifier is located in the Hardware Overview, which is the first window you should see. It looks something like this: "MacBookPro 2,1".
4. Compare the model information to the table above to choose the correct Restoration CD image to download for your computer.

Someone should find the one for the 4,1 as well.

It's likely a good idea to make this CD before attempting any flash.

 

[MIKX]

So, for a 4,1 cMP if we use the Apple restore CD back to the original firmware the hack to boot from NVMe M.2 will work in Sierra 10.12.6
.
But ! High Sierra will not allow installation without the new MP51.0084.B00 or MP51.0085.B00.

That will nullify the hack won't it ?

 

[DearthnVader]

So, for a 4,1 cMP if we use the Apple restore CD back to the original firmware the hack to boot from NVMe M.2 will work in Sierra 10.12.6
.
But ! High Sierra will not allow installation without the new MP51.0084.B00 or MP51.0085.B00.

That will nullify the hack won't it ?

Trouble is you can't use the Firmware Restore CD if you have a valid firmware, I suppose that if the machine can't find a valid firmware in goes into recovery mode when you hold the power button at boot time, then it searches for a firmware file it can use to restore the firmware. I don't know if it only searches the CD drive, or it can/will search any HFS+ volume for one.

It's really only useful for recovery of an incomplete flash, but the firmware file on the CD maybe can be used with Flashrom under Linux to restore you're firmware to the original state.

However, if you're going to do that, you'd just flash the modified firmware and be done with it.

It's really not the hard to install Linux.

 

[LightBulbFun]

method one @gilles_polysoft posted should work fine on 0084.B00/0085.B00 firmware (and you dont even need an external EEPROM programmer you should be able to use flashrom as @DearthnVader says)

I actually gave it a dry run and i was able to do all the steps properly but I sadly dont own any NVMe drives for testing it out.

I do have a FL1100 USB 3 card installed that I would like to try get bootable on my MP5,1, i had look in my MBP9,1s EFI but I could not find any USB3 XHCI/FL1100 drivers, I need to have a look at a MP6,1s BootROM for those I guess, (a dump of the MP6,1 bootrom and a picture of what the command: drivers says when run at an EFI shell is what i want)

 

[mikeboss]

I need to have a look at a MP6,1s BootROM for those I guess, (a dump of the MP6,1 bootrom and a picture of what the command: drivers says when run at an EFI shell is what i want)

okay, I just dumped the boot ROM from my MacPro6,1 using flashrom (ubuntu linux). drop me a message if interested in the file...