dmdimon

How about "brute force" boot?

13 posts in this topic


So, goal:

1. Make a "snapshot" of a BIOS-booted "twin brother" of the iMac (first meg, core state, etc., saved as a file).

2. Using EFI tools, restore the snapshot on the targeted iMac.

3. Jump-start to the snapshot's point of execution.

 

P.1 is easily doable through debug/remote debug/VMware, etc., and will contain all of the already shadowed BIOSes and initialised system areas.

P.2 is doable - there is a routine in Tianocore that just loads a chunk of data at a specified physical address (it originated from IBM code, not in the legacy part, so it almost surely exists in Apple's implementation).

P.3 Possibly, use of EFI_LEGACY_BIOS_FARCALL86. Routine Description: Thunk to 16-bit real mode and call Segment:Offset. Regs will contain the 16-bit register context on entry and exit.

 

This is all based on some assumptions.

a ) We can build the iMac's BIOS'ed twin brother.

b ) Hardware initialised by EFI is in the same state as when initialised by BIOS.

 

So, I have some questions:

 

Q.1 - How close to the iMac (from a hardware point of view) can we get? I mean the same chipset (with BIOS) and video (with VGA BIOS) and so on. What's the closest config?

Q.2 - Is there anybody here ;) with knowledge of the POST- and EFI-initialised hardware state? EFI is most wanted, as POST I can (hardly) recall :)

Q.3 - Is there somewhere an image or something with the ORIGINAL iMac EFI?

 

P.S. I personally think that we should wait for the next Vista beta, as there is real progress on it. I just can't resist. This (if the assumptions come true) WOULD work. Anyway, IF this thread is of interest to you, feel free to post in.


Hi... I have just built a machine which should be reasonably close to an iMac Core Duo:

 

- Intel D945GTP Desktop board (i945G Express chipset and ICH7 Southbridge)

 

- Pentium D 920 Dual-Core processor with EMT64 and Virtualisation stuff

 

- Radeon X1800XL PCI-E 256Mb

 

OS is Tiger 10.4.3 (with some 10.4.4 kexts and frameworks for CI/QE/OpenGL), booting off a BIOS.

 

I don't have much knowledge, but I will happily provide any help I can - testing stuff out, imaging the BIOS, etc.

Hi... I have just built a machine which should be reasonably close to an iMac Core Duo

 

Hi. As I got out of assembler stuff when the Pentium came in, for now I'm not sure that this is "close enough" to the targeted iMac. In our case it'll be better to be as close as possible. After thinking a bit, I'd say that the original EFI from the iMac is most wanted for preliminary analysis. Are the needed parts inside? And some knowledge of the EFI hardware after-init state.

Anyway, thanks.


Well... it's a dual-core Intel chip on a 945... how different can it be?

 

I'd say it'll get you most of the way there, but there might be some issues to iron out. Let's try it! ;)

Let's try it! :)

 

OK. Do you have a DOS bootable diskette? With (M$) debug on it? Do you have a DOS-visible partition on the HD? If so, boot from the diskette, run debug, press ? to refresh memories. We'll use debug to save DOS memory (with debug itself up and running) to a file. I'm now refreshing my memory - how I saved/recalled processor state (with debug again, AFAICR) years ago :)


I can give you stuff from a Sony FE11S:

 

- 945 Chipset

- Intel Core Duo T2400

- 1024MB DDR2 (533MHz) RAM

- NVIDIA GeForce Go 7400

 

The GPU is different, but other than that I reckon it's pretty much the same. I'll have it in my hands from next week, if you need anything from it.

So, goal:

1. Make a "snapshot" of a BIOS-booted "twin brother" of the iMac (first meg, core state, etc., saved as a file).

2. Using EFI tools, restore the snapshot on the targeted iMac.

3. Jump-start to the snapshot's point of execution.

 

P.1 is easily doable through debug/remote debug/VMware, etc., and will contain all of the already shadowed BIOSes and initialised system areas.

P.2 is doable - there is a routine in Tianocore that just loads a chunk of data at a specified physical address (it originated from IBM code, not in the legacy part, so it almost surely exists in Apple's implementation).

P.3 Possibly, use of EFI_LEGACY_BIOS_FARCALL86. Routine Description: Thunk to 16-bit real mode and call Segment:Offset. Regs will contain the 16-bit register context on entry and exit.

 

The iMac EFI implementation does not appear to implement the LegacyBoot protocol. Mind you, thunking yourself is pretty trivial.

 

This is all based on some assumptions.

b ) Hardware initialised by EFI is in the same state as when initialised by BIOS.

 

This is where you will probably fall down.

The iMac EFI implementation does not appear to implement the LegacyBoot protocol. Mind you, thunking yourself is pretty trivial.

 

So, I wrote "possibly" :happymac: I know that you know that "Thunk to 16-bit real mode and call Segment:Offset. Regs will contain the 16-bit register context on entry" has already been implemented ten million times in ten million x86 operating systems, so it's really not a problem.

 

hardware...

This is where you will probably fall down.

Yeah, I'm afraid of this also. But there is nothing I can do. On the other side, why should it be different? I think that the EFI on-board firmware is most probably the old BIOS with a modified interface layer, because it's the cheap solution. So, as the silicon is the same (is it?), and the I/O of the card is in silicon (meaning, not microprogrammed - is it?), then an initialised card will behave the same. Again, I'm asking for the third time about "some knowledge of the EFI hardware after-init state".

 

@blackice

Sorry, there will be a shadowed ROM from NVIDIA and it will fail on ATI. Only if we combine memory dumps from 2 (or more) PCs can it be useful.

 

 

OK, I thought a bit more. And got to this:

BEFORE making any snapshots we should know that the targeted system is able to install Win from CD onto an external drive. And even more - the external HD should be unplugged on boot and plugged in and mounted UNDER DOS or during wininstall itself - or we'll end up linked to the exact model & size of HD for the install. I'd look at that.

 

Hey, is anyone interested, or am I just wasting my time?

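As an added example (not code from the thread or from any project mentioned in it) of the point made above about the NVIDIA vs ATI shadowed ROM: this C program scans the expansion ROM window of a first-meg dump for option ROM headers and reads the PCI vendor/device ID each image was built for, so two dumps can be checked for compatibility before anything is restored. The dump, and its vendor/device values, are constructed placeholders.

```c
#include <stdint.h>
#include <string.h>
/* Layout of a first-meg snapshot: shadowed option ROMs (VGA BIOS etc.) sit in
   the expansion ROM window C0000h..EFFFFh, each image on a 2 KB boundary. */
#define FIRST_MEG   0x100000u
#define OPROM_START 0xC0000u
#define OPROM_END   0xF0000u
#define OPROM_ALIGN 0x800u

typedef struct {
    uint32_t addr, size;            /* header address in the dump; length = byte 2 * 512 */
    uint16_t vendor_id, device_id;  /* PCI IDs from PCIR: the card this image was built for */
    uint8_t  code_type;             /* 0 = x86 legacy BIOS code, 3 = EFI image */
} oprom_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
/* Walk the ROM window and collect each image with a 55AAh signature and a
   valid "PCIR" structure. Returns how many were found (at most max). */
int scan_option_roms(const uint8_t *mem, oprom_t *out, int max)
{
    int n = 0;
    for (uint32_t a = OPROM_START; a + 0x1A <= OPROM_END && n < max; a += OPROM_ALIGN) {
        const uint8_t *h = mem + a;
        if (h[0] != 0x55 || h[1] != 0xAA) continue;
        uint32_t pcir = a + rd16(h + 0x18);              /* header+18h points to PCIR */
        if (pcir + 0x18 > FIRST_MEG || memcmp(mem + pcir, "PCIR", 4) != 0) continue;
        const uint8_t *p = mem + pcir;
        out[n].addr = a;                 out[n].size = (uint32_t)h[2] * 512u;
        out[n].vendor_id = rd16(p + 4);  out[n].device_id = rd16(p + 6);
        out[n].code_type = p[0x14];      n++;
    }
    return n;
}

/* Constructed sample: an empty first meg with one fake 32 KB VGA ROM shadowed at
   C0000h, tagged with placeholder vendor 1234h / device 5678h (not a real card). */
static uint8_t g_dump[FIRST_MEG];
oprom_t g_found[8];
int scan_sample_dump(void)
{
    memset(g_dump, 0, sizeof g_dump);
    uint8_t *h = g_dump + OPROM_START, *p = h + 0x40;
    h[0] = 0x55; h[1] = 0xAA; h[2] = 64;     /* signature, 64 * 512 = 32 KB */
    h[0x18] = 0x40; h[0x19] = 0x00;          /* PCIR lives at header + 40h */
    memcpy(p, "PCIR", 4);
    p[4] = 0x34; p[5] = 0x12; p[6] = 0x78; p[7] = 0x56;  /* vendor, device (LE) */
    p[0x14] = 0;                             /* legacy x86 code type */
    return scan_option_roms(g_dump, g_found, 8);  /* dumps from different cards differ here */
}
```

Comparing the vendor/device pairs from two machines' dumps tells you up front whether the shadowed VGA ROM in one snapshot belongs to the card in the other.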

OK... I don't have a floppy drive, but I'm presuming I could burn a CD-R with the floppy image as the El Torito boot image instead?

 

I also don't have any external hard disks...

I'm presuming I could burn a CD-R with the floppy image as the El Torito boot image

 

No need if you have one of those "all-in-one Reanimator" (DOS) bootable CDs with a WXP install and some strange tools on it :star_smile:

But there is a need for an external drive (at least to check that the combination will work). We have to install XP on an external MBR'ed HD on the iMac.

 

Oops! Actually, we have no need to install, it's enough to run a preinstalled Win... It may be a bit better...

 

OK, I just checked - the first stage works. I mean when you boot from CD into a DOS shell, then attach the external HD, then run the WinXP installer, it can see the attached drive. So, you don't need an external drive.


So-o... Zero interest.

As I just can't do it without some help (I have no time and hardware), I'll end on this. Just to let you know:

 

This is FILO, a bootloader which loads boot images from a local filesystem, without help from legacy BIOS services.

http://felixx.tsn.or.jp/~ts1/filo/

... Only i386 PC architecture is currently supported.

x86-64 (AMD 64) machines in 32-bit mode should also work...

 

"Reboot-by-BIOS-jump-patch"

http://www.ussg.iu.edu/hypermail/linux/ker...610.2/0284.html

...The following code and data reboots the machine by switching to real mode and jumping to the BIOS reset entry point, as if the CPU has really been reset...

So-o... Zero interest.

As I just can't do it without some help (I have no time and hardware), I'll end on this. Just to let you know:

 

This is FILO, a bootloader which loads boot images from a local filesystem, without help from legacy BIOS services.

http://felixx.tsn.or.jp/~ts1/filo/

... Only i386 PC architecture is currently supported.

x86-64 (AMD 64) machines in 32-bit mode should also work...

 

"Reboot-by-BIOS-jump-patch"

http://www.ussg.iu.edu/hypermail/linux/ker...610.2/0284.html

...The following code and data reboots the machine by switching to real mode and jumping to the BIOS reset entry point, as if the CPU has really been reset...

 

dmdimon,

you should post this on http://www.win2osx.net/forum/. In case you aren't aware of it, it is more technically oriented.

