EnableBacklight - Ausdauersportler/IMAC-EFI-BOOT-SCREEN GitHub Wiki
Recently @franetic picked up where @internetzel and I had stopped in trying to fix the EG2 backlight problem. Currently most EG2-modded vBIOS versions enable the EFI boot screen in one of three ways: on an additional external display connected via miniDP (visibly, Venus); on the internal LCD with the backlight remaining disabled (Saturn and Tonga); or on the internal LCD with the backlight enabled only when an external display has been connected. This has been discussed briefly on the limitations page. At the same time, the GOP vBIOS versions using OpenCore are able to enable the backlight (on the internal LCD) on OpenCore boot. The EG2 modules (which one may call the Apple GOP) replace the AMD GOP, so it is pretty clear where to start with modifications.
Finding values to be changed
Comparing the outputs of both BIOS decoder tools (radeon_bios_decode and redsocks_bios_decoder) for the legacy parts found in the already published iMac GOP vBIOS versions (target values) and the Apple vBIOS versions pulled from the IO registry explorer (most likely the new source values set in the EG2 driver found in the firmware of the newer Macs), one can map the values listed above.
Another way to find the source values might be checking the EG2 modules with a hex editor. Searching for the text string siuga.c led us nearly to the very end of the module, but out of the blue we found a table containing all source values ordered from connector 1 to 4 downwards:
You will find similar tables within all other EG2 modules for every AMD GPU family listed. The tables found there are a perfect match with the values extracted from the legacy vBIOS fetched in a complex way from the ioreg variable ATY,bin_image. Since there are no BIOS chips on modern Macs, we assume this legacy vBIOS is constructed dynamically from these tables and other Mac firmware modules.
Finding locations where changes might be needed
Using a disassembler (IDA64) he was able to spot a lot of locations within the M370.efi where values of variables called enc, txmit, hotplugID, and senseID are set within the EG2 modules we pulled from Apple firmware files.
This is a brute force method: you already know (possible) values of variables like txmit to look up in the binary code, like 0x10, 0x11, 0x20, 0x21. All variables are tied to the four connectors defined in the vBIOS. You will find loops or switch-like statements using an index variable with values of 0x100, 0x200, 0x300, 0x400 (these address the first four connectors). Whenever you find such loops or switch statements assigning constants to the same variable within a function, you have probably found a place to look at and can change values according to the mapping below.
Unfortunately there are 8 functions and more than 20 locations scattered all over the vBIOS. Our first attempt failed because of the combinatorial explosion when testing each mod or subset of all mods separately. @franetic used a more direct change-everything-at-once approach and succeeded immediately with this W5170M Venus card vBIOS.
Mapping
His notes revealed the mappings and functions (IDA just uses numbers to identify different functions) from the compiled code M370.efi. On the left-hand side you see the values found in the Apple vBIOS versions and on the right-hand side the new target values found in the working legacy vBIOS. The same M370.efi module can be used with the M5100, M6000, M4000, and the W5170M as in this particular case. The mapping differs only slightly for the M4000 card, but both mappings work for all cards in the same way. This tells me we already modified more locations than really necessary. Since only two ports are really used (eDP for the internal LCD and one DP for the single working miniDP connector), most likely the third and fourth mappings do not need to be changed at all.
senseID
0x06 -> 0x03
0x01 -> 0x04
0x02 -> 0x01
0x05 -> 0x02
HotPlugID
5 -> 3
1 -> 4
2 -> 1
3 -> 2
txmit
0x20 -> 0x12
0x11 -> 0x22
0x12 -> 0x11
0x10 -> 0x21
enc
0x1 -> 0x4
0x2 -> 0x5
0x4 -> 0x2
0x0 -> 0x3
Where and what to change?
sub_16E90 (enc)
sub_17160 (txmit & enc)
sub_17570 (txmit)
sub_1A340 (HotPlugID-1)
sub_1C5E0 (HotPlugID-1)
sub_1C640 (senseID)
sub_1C7F0 (txmit)
sub_1CA90 (txmit & HotPlugID-1)
Editing the EG2 modules
Duplicate the M370.efi file we constructed before and rename it M370_adj.efi. Now change the values listed above one by one in the M370_adj.efi file using the IDA tool (it has a hex view, too). In the IDA View-A tab, search for the function, the location and the source value to change; select the line containing the source value with the cursor; then switch to the IDA Hex View to find the hex address of the location and change the value. Do not forget to save your work!
Example:
The first listed enc change 1 -> 4 in function sub_16E90 becomes a 01 -> 04 at the hex address 0x16EFE. The function named sub_16E90 simply starts at hex address 0x16E90.
Select the location within the source View-A of IDA which includes an assembler command like mov al, 01. When switching from View-A to Hex View you will notice that the cursor selects more than a single byte: it is the full hex representation B0 01 of the command mov al, 01 selected above. We do not want to change the mov al command, only the constant moved to this al register, from 01 to 04. In other words, the selection B001 becomes B004.
Finishing the EG2 rom parts
One would have to compress the result in the same way as shown on the Constructing page before.
./EfiRom -ec M370_adj.efi -l 0x30000 -f 0x1002 -i 0x6820 -p -o M370-2820-EG2_adj_.rom
(W5170M)
./EfiRom -ec M370_adj.efi -l 0x30000 -f 0x1002 -i 0x6825 -p -o M370-2825-EG2_adj_.rom
(M6000)
./EfiRom -ec M370_adj.efi -l 0x30000 -f 0x1002 -i 0x6821 -p -o M370-2821-EG2_adj_.rom
(M5100)
After replacing the former M370-2820-EG2_.rom part in W5170M-EG2.rom, one finally gets a W5170M-EG2_adj.rom which will offer a perfectly working EFI boot picker on a 2009-2011 iMac using the EG2 modded firmware.