SMC flashing

Disclaimer

This page will show you how to force flash an SMC using the EFI. The Mac you want to flash needs to be able to boot into EFI (Boot selection page) in order to flash it. We have not tested to further extent if you can solder any SMC on any board to flash it. So far, this method has been successfully applied to flash a SMC from a 820-3437 donor soldered on a 820-00165 and a 820-00165 SMC soldered on a 820-3437. SMC update and MacOS update have not been tested. Any further compatibility information is welcome and can be contributed here. Any further test, information, compatibilities or incompatibilities are welcome.

Update: Flashing SMC, the easy way

Muerto (thanks to him) went further and developed a tool more suitable and easier to use.

The easy way to flash an SMC is here.

For the hardworking ones, follow the tutorial below.

Requirements

List of required tools to flash your SMC:

Hardware

• A working laptop, to find or prepare some software tools
• A Mac with an SMC to flash... of course. No soldering is involved here. We will boot the Mac and force flash in EFI
• A USB key. It will contain reFIt, to boot on EFI, a shell and tools to flash

Software

• A MacOS installer application. In order to extract the SMC update files. We recommend a not too recent installer, which has SMC firmware in a 3 files format (Base, App and Update file).
• SMCutil.efi. One that works. A link will be provided, or a way to find it. Download link.
• shell.efi. You need to add an EFI shell to rEFIt. Same, you need the right version that will work on a Mac. Download link.
• Pacifist: An app to extract .pkg. Other tools exist and terminal command can be used to do this as well. Available on https://www.charlessoft.com/.

Gathering the stuff we need

Installing rEFIt on a bootable drive

rEFIt will help you boot an EFI on an external drive to launch the shell, SMCutils and other stuffs... if you want to.

Download Link: http://refit.sourceforge.net/#download

We recommend to install it on a separate volume or external disk is explained on the website: http://refit.sourceforge.net/doc/c1s1_install.html Installation procedure is basically the same as explained above:

• Copy the “efi” folder to the root of the volume
• Run “enable.sh” inside the “efi/refit” directory. The path in Terminal will be different, for example “/Volumes/MyUSB/efi/refit” if the volume is named “MyUSB”.
• If you want, you can use the provided “rEFIt.icns” icon as a volume icon.
• You should also install an EFI Shell. A link to a shell.efi file will be provided. You just need to add it to a "tools" folder on the USB key.

Finding your Board id

Example here: Mac-7DF32CB3ED6977E5

The BoardID is different from the board number, the A number, the part number... It's an ID as Mac-boarIDinHexadecimal. Here is the list of BoardID for almost all Macs. : https://mrmacintosh.com/list-of-mac-boardid-deviceid-model-identifiers-machine-models/

Note the board ID from the SMC firmware you need, it will be used to extract the right SMC firmware files.

Extracting SMC Firmware

To find SMC rom files, you need to have a bootable dmg file for OSX. Mojave Installation DMG File is used in this example.

• Right click and show package contents as in picture.
• Get InstallESD.dmg file and copy it to desktop.

• Open the dmg, open packages folder and find FirmwareUpdate.pkg.
• Extract pkg file using PACIFIST app. (Link: https://www.charlessoft.com/)

• Open FirmwareUpdate.pkg from pacifist app.
• You will find a list of Mac-BoardID folders in scripts/tools/SMCPayloads. Select the 4 SMC related files according to your mac BoardID and extract to desktop

Prepare USB drive

• Copy the files to USB drive that you have made bootable before and arrange like this:
  • efi
    • refit (where refit installed)
    • SMCFlasher (where smcutils and your smc firmware is)
      • smcutil.efi
      • flasher base file
      • flasher update file
      • Mac-BoardID.smc
      • Mac-BoardID.epm
    • tools
      • shell.efi

Example of the content of the USB key used to force flash the SMC.

Flashing the SMC

• Boot from USB Drive
• Select boot from Shell (or efishell) on the rEFIt boot page

• Look for removable drives the list of drives displayed by efi ("Removable HardDisk"), and identify the Alias: fs2 in this example.
• Type “fs2:” to enter the drive. Now the shell act as a regular terminal: "ls", "cd" and autofill with tab will work.

• Confirm its your USB drive and go to SMCFlasher folder
• Type smcutil.efi. You now have the liste of commands allowed by smcutil

• You can now flash each file one by one using the -force argument to force flash without checking the version, -norestart to not reboot (it still reboots sometimes but we don't know why) and using the right argument each time: -LoadApp, -LoadUpdate or -LoadBase :
  • smcutil.efi -force -norestart -LoadUpdate flasher_update.smc
  • smcutil.efi -force -norestart -LoadBase flasher_base.smc
  • smcutil.efi -force -norestart -LoadApp Mac-BoardID.smc

• Type exit, reboot your Mac
• Enjoy your new SMC file

Final remarks

• It could be useful to reset the SMC using a smcutil command, but we don't know how it can affect the flashing.
• epm file is not flashed in this tutorial. We don't know what it's used for and if it succeed to flash or if it's useful to be flashed.
• We have not tested MacOS update or SMC update after this forced flashing. Feedbacks are welcome.
• Some tools are specific and we need to find a place to store and provide them. The article will be updated with download links.
• We don't know if we can flash any SMC solder on the wrong board to a compatible SMC. We believe a shell script can be built to do so.
• SMCutil.efi is a modified version of SMCflasher.efi that can be found in MacOSinstaller packages. SMCflasher.efi includes both 32bit and 64bit and adds a header in front of it. SMCutil.efi has only 64bit and the header removed, so it can be used in EFI shell. SMCFlasher.efi should be usable with a EFI script right away, but this hasn't been tested here.

This is very preliminary. It's a draft with many missing parts, unexplained and no understood stuff. Please, if you know more, feel free to modify, comment, add to make this thing look better.

Specials thanks to:

• Sajan Gurung for the pictures, the draft of this tutorial and the kick to get the tutorial done at last.
• Alexandre "Padawan" Tissot for the initial searches, smcutil findings and the kick to get the flashing s***t done.

Other resources

• Forum where SMCutil, SMCflasher and SCM disassembly is discussed: https://www.insanelymac.com/forum/topic/299811-readsmc-for-efi-a-tool-to-enter-read-smc-keys-from-efi-shell-on-real-macs/
• Discussion on SMCFlasher.efi in Ghostlyhaks: https://www.ghostlyhaks.com/forum/macbook-pro-retina-2015-2016/2231-smc-flashing-with-smcflasher-efi-or-within-os?start=0
• SMC downgrade tutorial on Apple forum (yes... Apple): https://discussions.apple.com/thread/6838010
• Youtube video of REcon2014 hacking conference of Alex Ionescu "SMC, the place to be, definitely" about hacking into SMC to make it run modified code: https://youtu.be/nSqpinjjgmg