
Parallels Desktop client 10.5/10.6 unlock



Disclaimer: Parallels claimed it to be illegal to install non-server versions of OS X 10.5.x/10.6.x due to Apple Agreement. Make sure it is not applicable to you by the laws of your country. Use the guide below at your own risk. Also make sure that the license agreement allows you to modify Parallels Desktop files.

 

Note: This guide targets comparably experienced users. If you are not able to follow it, wait for someone to provide a more user-friendly way, don't flood here and there.

 

Background: Parallels checks /System/Library/CoreServices/ServerVersion.plist to determine if a user is running a server version of OS X or not. It does this in two places (actually in 3, but whatever): its mac bios, its efi firmware and its debug efi firmware. The first one appears to be unused, and the second one is the one we need. The guide below will cover the firmware patching.

 

Guide:

1. The efi firmware is embedded into the prl_vm_app file (Parallels Desktop.app/Contents/MacOS/Parallels VM.app/Contents/MacOS/prl_vm_app), so we need to extract it first. I attached a script and a template for 010 Editor, which will do that and find the offsets for you. If you don't own this editor and may not use the trial version, you may simply open the files in a text editor and understand the basics. The language is very similar to C.

 

To begin, you basically have to look for the _DMI_ string to find the start of the embedded file name table. The first file may be something like "Monitor_64.bin" for your hint. What you need to modify is efi64.bin (and efi64d.bin, but if you have no room in the end, perhaps the only solution will be to point both file references to a single data object). Copy the address of that string and look up a reference to it (remember, Intel is little endian). Once you find it, you will be in a struct of this kind:

struct FileEntry {
	uint64_t id;
	uint64_t off; // not a file address, but a vm address, remove the higher bits.
	uint64_t sz;
	uint64_t name; // here
};

off points to the file and sz determines its size. Proceed to off and dump your firmware binary.

2. You will now find that it actually is compressed. Well, there is not anything special if you ever dealt with rom hacking. The compressed file is defined as follows:

struct Compressed(int content_sz) {
	uint32_t magic; // 0x0DEDBABA :D
	uint32_t unpack_size; //after zlib decompression
	uint32_t crc32;
	uint8_t data[content_sz-12];
}; 

Yes, the data is simply compressed with zlib. Use openssl or whatever you like to decompress it? (openssl zlib -d < filename > decompressed_filename).

3. At this point you will have a decompressed firmware file. Just a hint: you will not be able to find anything server-related in the resulting file. At this point I went to https://github.com/LongSoft/UEFITool/releases and grabbed a new UEFITool. Once you open a file and look closer, you will find a compressed module list inside. To shorten your time, OsxBoardSupport PE image body is what you need (extract it via right-click menu in UEFITool).

[Attached screenshot: post-1135927-0-64649300-1435944512_thumb.png]

That's pretty much the check we are looking for. Patch it the way you like (e.g. by replacing \ServerVersion.plist with \SystemVersion.plist, note the UTF-16LE? encoding).

5. Replace the resulting file via a context menu in UEFITool and export the firmware. Compress the firmware with zlib. Add a header, don't forget that crc32 is something that is going to change. Recalculate it with a standard command (man crc32).

6. Replace the data blob in prl_vm_app by the new content of a compressed firmware (or use other ways) and update the references. You will likely have to update the sz field of efi64.efi and maybe off/size of efi64d if the resulting size is bigger than before.

 

If you did everything right, 10.5.x/10.6.x client guests will start working :).

 

Thanks to:

— Parallels Desktop for an awesome product and a fairly acceptable way of editing their files;

— LongSoft for UEFITool;

— SweetScape for a trial version of 010 Editor;

— Download-Fritz for inspiring me to check how Parallels' efi firmware works one day.

extraction.zip

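The compressed container layout from step 2 of the guide above, read and validated in Python, as an added example that is not part of the original post or its attached script. The function names and the sample blob are constructed here; the guide does not say which bytes the crc32 field covers, so the parser reports which interpretation matches instead of assuming one.

```python
import struct
import zlib

MAGIC = 0x0DEDBABA              # magic value from the guide's Compressed struct
HEADER = struct.Struct("<III")  # magic, unpack_size, crc32 (little endian)

def parse_compressed(blob: bytes) -> dict:
    """Validate a Compressed container and return its decompressed body."""
    if len(blob) < HEADER.size:
        raise ValueError("blob shorter than the 12-byte header")
    magic, unpack_size, crc = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError(f"bad magic 0x{magic:08X}")
    packed = blob[HEADER.size:]
    # Cap output at unpack_size + 1 so a lying header cannot cause unbounded
    # decompression; one extra byte is enough to detect an overrun.
    d = zlib.decompressobj()
    try:
        body = d.decompress(packed, unpack_size + 1)
    except zlib.error as exc:
        raise ValueError(f"zlib stream is corrupt: {exc}") from exc
    if len(body) != unpack_size or not d.eof:
        raise ValueError("decompressed length does not match unpack_size")
    # The guide does not state what the crc32 covers, so test both readings.
    if zlib.crc32(body) == crc:
        covers = "unpacked"
    elif zlib.crc32(packed) == crc:
        covers = "packed"
    else:
        covers = None
    return {"body": body, "unpack_size": unpack_size, "crc32": crc,
            "crc_covers": covers, "trailing": len(d.unused_data)}

def constructed_sample() -> bytes:
    # Constructed input, not Parallels data; putting the crc32 over the
    # unpacked bytes is an assumption made for this sample only.
    body = b"constructed firmware stand-in " * 8
    return HEADER.pack(MAGIC, len(body), zlib.crc32(body)) + zlib.compress(body)

if __name__ == "__main__":
    info = parse_compressed(constructed_sample())
    print(info["unpack_size"], info["crc_covers"], info["trailing"])
```

A `crc_covers` of `None` on a real blob means the checksum matches neither reading, and a nonzero `trailing` count means there are bytes after the end of the zlib stream.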