Find old (ARC) BYP ME Images

Dear Members,

I have a MacBook Pro Retina with an older ME that has an ARC processor (as opposed to the 80468 CPU) in it.
To better understand the inner workings of my ME I wanted to get hold of such an apparently rare and precious old BYP FW.
While I have been able to find one for the ME 11, this isn’t too useful for me, and I have yet to find one for that older ME 7 to 10, which leverages an ARC processor.
Multiple approaches and several different search terms haven’t found me anything interesting, despite trying various numbers and combinations from the MEA.dat file.
A hash-based search in both Google and virustotal was unsuccessful either.

Thus my question is: How would you go about finding such rare FW? There have also been rumors of deliberately not posting such in the public because Intel demanded so.
I can understand that, but giving ideas or hints where to look externally should be ok I recon?
It might also help if I only just knew an original source file name (not the MEAnalyzer designation!), because right now I don’t even know what to really look for…

Any slightest pointers highly appreciated. And if it is too hot here, then I’m happy to be hit by you with a PM.

As an unrelated note: What can I do if I have a PRE image? I suppose PRE isn’t quite the real deal when compared to BYP…?

Kind regards
microwave89-hv

There is some tools around based on FW for Apple, that can make a dump of SPI as backup before a flash. Search InsanelyMac or Macrumors, can remember correct names.
This is the starting point to identify clues/specs on the FW presented in the current working Apple EFI FW in use now in that machine.
Attach info as much as u can, so someone can help u.

EDIT: I see that plutomaniac as answered u already, is the best in the subject.

Thanks for your reply.
MEAnalyzer tells me that I am running the following FW:

╔══════════════════════════════════════════════╗
║ ME Analyzer v1.186.2 Unknown ║
╚══════════════════════════════════════════════╝

╔══════════════════════════════════════════╗
║ read5Mhz15.bin (1/1) ║
╟─────────────────────────────┬────────────╢
║ Family │ ME ║
╟─────────────────────────────┼────────────╢
║ Version │ 9.0.5.1367 ║
╟─────────────────────────────┼────────────╢
║ Release │ Production ║
╟─────────────────────────────┼────────────╢
║ Type │ Extracted ║
╟─────────────────────────────┼────────────╢
║ SKU │ 1.5MB ║
╟─────────────────────────────┼────────────╢
║ TCB Security Version Number │ 1 ║
╟─────────────────────────────┼────────────╢
║ Version Control Number │ 2 ║
╟─────────────────────────────┼────────────╢
║ Production Ready │ Yes ║
╟─────────────────────────────┼────────────╢
║ Date │ 2013-05-15 ║
╟─────────────────────────────┼────────────╢
║ Size │ 0x17D000 ║
╟─────────────────────────────┼────────────╢
║ Flash Image Tool │ 9.0.5.1367 ║
╟─────────────────────────────┼────────────╢
║ Chipset Support │ LPT ║
╟─────────────────────────────┼────────────╢
║ Latest │ Yes ║
╚═════════════════════════════╧════════════╝

Error: Unknown ME 9.0 RSA Public Key!

The ME region was extracted from an offline SPI dump.
Besides wondering where to get BYP FW for that generation 2 ME, I was also wondering what will happen if I were to flash a 9.0 PRE FW? Would this relax signing requirements?

Do you need any more info regarding my MacBook Pro’s HW/SW?

Kind regards,
microwave89-hv

Btw, is it normal that a registered user has to solve a captcha when re-logging into the win-raid site?

Can you compress and upload/link to that dump because it makes no sense for ME Analyzer to report that an “Unknown ME 9.0 RSA Public Key” was encountered.

Try searching for the package archive names, say for example “ME10.0_1.5M_10”.

Thanks @ plutomaniac for that information.
Accidentally, it just has so that I independently managed to find such a FW.
Interestingly enough this also has a n unknown RSA key.
╔════════════════════════════════════════════════════╗
║ ME10.0_1.5M_RomBypass.bin (1/1) ║
╟──────────────────────────────────┬─────────────────╢
║ Family │ ME ║
╟──────────────────────────────────┼─────────────────╢
║ Version │ 10.0.55.3000 ║
╟──────────────────────────────────┼─────────────────╢
║ Release │ ROM-Bypass ║
╟──────────────────────────────────┼─────────────────╢
║ Type │ Stock ║
╟──────────────────────────────────┼─────────────────╢
║ SKU │ 1.5MB ║
╟──────────────────────────────────┼─────────────────╢
║ TCB Security Version Number │ 1 ║
╟──────────────────────────────────┼─────────────────╢
║ Version Control Number │ 6 ║
╟──────────────────────────────────┼─────────────────╢
║ Production Ready │ Yes ║
╟──────────────────────────────────┼─────────────────╢
║ Date │ 2017-04-09 ║
╟──────────────────────────────────┼─────────────────╢
║ Size │ 0x19D000 ║
╟──────────────────────────────────┼─────────────────╢
║ Chipset Support │ WPT-LP ║
╚══════════════════════════════════╧═════════════════╝

Error: Unknown ME 10.0 RSA Public Key!

What am I doing wrong?

I will find a temporary storage and upload the image with the 9.0 issue.

Kind regards,
microwave89-hv

(Maybe we should move into another thread then? (Seeing that the BYP problem was solved anyways))

EDIT: How can that FW be Production Ready if it is that “Alpha” version?

EDIT2: g o f i l e . i o / d / w Q b 8 5 v
(I heard once that new members can’t post links)

I see from the previous MEA log that it says “Unknown” at the DB revision at the top. So it cannot parse the DB. Make sure it’s there and that it is healthy/stock.

The “PV Bit” (Production Ready) flag is not trustworthy a lot of times. Intel is not consistent. Sometimes it might mean “Tested/Validated”. Ignore it.

╔═══════════════════════════════════════════╗
║ ME Analyzer v1.186.2 r229 ║
╚═══════════════════════════════════════════╝

╔══════════════════════════════════════════╗
║ read5Mhz15i.bin (1/1) ║
╟─────────────────────────────┬────────────╢

╟─────────────────────────────┼────────────╢
║ Latest │ No ║
╚═════════════════════════════╧════════════╝

Press enter to exit

LOL. Thanks a lot @plutomaniac !

The DB was damaged!
And it was me, because to simplify skimming for BYP images I find/replaced "BYP" by "BYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYP" to have the desired versions optically stand out.
Must have saved at some point accidentally :expressionless:

So that leaves only my second question: Might I gain something in terms of capabilities or relaxed signing requirements and so on, if I were to deliberately
replace a PRD image by a PRE one, and then reflash the SPI ROM?

Kind regards,
microwave89-hv


No, it is neither possible nor does it work like that. PRD HW accepts PRD FW only. PRE HW accepts PRE or BYP FW only. PRD and PRE/BYP FW are signed with different keys. PRE FW is the same as PRD but signed with a different key. BYP is PRE coupled with the ROMB partition for early silicon bypassing/testing.