Can we get black apple logo (gray background) on boot?

[cecekpawon]

Been a week that Im bored with current black apple boot & trying to get something else with my macpro6,1 hack (without changing it). In contrary, we can found on other forum they (with older / unsupported real mac) had been struggle to get black apple boot & solve it by binary patching mac bootloader / with the help of a forked tiamos macosxbootloader with greats support. What Im willing to know, is there any hack (bin patch / storing NVRAM) other than this to feed my needs? Is all that possible on newer boot.efi (currently 10.12). Please share ...

References: macosxbootloader, (boot.efi) binary it self, thread.
Tools to use: Hopper, Clover (mod, which able to patch boot.efi onthefly).

For drawing logo, in macosxbootloader, they have following process:

 

 

 

EFI_STATUS CsDrawBootImage(BOOLEAN normalLogo)
{
  ...

  CsClearScreen(); ## 1

  //
  // convert logo image
  //
  EFI_UGA_PIXEL* logoImage = nullptr;
  UINTN imageWidth = 0;
  UINTN imageHeight = 0;

  if (EFI_ERROR(status = CspConvertLogoImage(normalLogo, &logoImage, &imageWidth, &imageHeight))) ## 2
  {
    try_leave(NOTHING);
  }

  //
  // draw it
  //
  status = CspDrawRect((CspHorzRes - imageWidth) / 2, (CspVertRes - imageHeight) / 2, imageWidth, imageHeight, logoImage); ## 3

 

 

 

But in binary, I got this:

 

 

 

sub_9c8a:

0x0000000000009c8a 55                     push       rbp
0x0000000000009c8b 4889E5                 mov        rbp, rsp
0x0000000000009c8e 56                     push       rsi
0x0000000000009c8f 57                     push       rdi
0x0000000000009c90 4883EC60               sub        rsp, 0x60
0x0000000000009c94 48C745C000000000       mov        qword [rbp+var_40], 0x0
0x0000000000009c9c 833D25DE070001         cmp        dword [sub_87258+2160], 0x1
0x0000000000009ca3 0F85BA020000           jne        loc_9f63

0x0000000000009ca9 488B05F8DD0700         mov        rax, qword [sub_87258+2128]
0x0000000000009cb0 4885C0                 test       rax, rax
0x0000000000009cb3 0F84AA020000           je         loc_9f63

0x0000000000009cb9 83F901                 cmp        ecx, 0x1
0x0000000000009cbc 0F8538020000           jne        loc_9efa

0x0000000000009cc2 48C745E800000000       mov        qword [rbp+var_18], 0x0
0x0000000000009cca 488D55E8               lea        rdx, qword [rbp+var_18]
0x0000000000009cce 4C8D45E0               lea        r8, qword [rbp+var_20]
0x0000000000009cd2 4C8D4DD8               lea        r9, qword [rbp+var_28]
0x0000000000009cd6 B901000000             mov        ecx, 0x1
0x0000000000009cdb E8A0020000             call       sub_9f80                   ; ## 2 CspConvertLogoImage
0x0000000000009ce0 488D0D500F0300         lea        rcx, qword [sub_3ab25+274] ; "Start DrawColorRectangle"
0x0000000000009ce7 E846B30000             call       sub_15032
0x0000000000009cec 448B058DDD0700         mov        r8d, dword [sub_87258+2088]
0x0000000000009cf3 448B0D8ADD0700         mov        r9d, dword [sub_87258+2092]
0x0000000000009cfa 31C9                   xor        ecx, ecx
0x0000000000009cfc 31D2                   xor        edx, edx
0x0000000000009cfe E82BFCFFFF             call       sub_992e                   ; ## 1 CsClearScreen
0x0000000000009d03 488D0D460F0300         lea        rcx, qword [sub_3ab25+299] ; "End DrawColorRectangle"
0x0000000000009d0a E823B30000             call       sub_15032
0x0000000000009d0f F6059CD5070001         test       byte [sub_87258+90], 0x1
0x0000000000009d16 0F8547020000           jne        loc_9f63

0x0000000000009d1c 488B45E8               mov        rax, qword [rbp+var_18]
0x0000000000009d20 4885C0                 test       rax, rax
0x0000000000009d23 0F843A020000           je         loc_9f63

0x0000000000009d29 8B3551DD0700           mov        esi, dword [sub_87258+2088]
0x0000000000009d2f 482B75E0               sub        rsi, qword [rbp+var_20]
0x0000000000009d33 48D1EE                 shr        rsi, 0x1
0x0000000000009d36 8B3D48DD0700           mov        edi, dword [sub_87258+2092]
0x0000000000009d3c 482B7DD8               sub        rdi, qword [rbp+var_28]
0x0000000000009d40 48D1EF                 shr        rdi, 0x1
0x0000000000009d43 488D0D1D0F0300         lea        rcx, qword [sub_3ab25+322] ; "Start DrawDataRectangle"
0x0000000000009d4a E8E3B20000             call       sub_15032
0x0000000000009d4f 4C8B45E0               mov        r8, qword [rbp+var_20]
0x0000000000009d53 4C8B4DD8               mov        r9, qword [rbp+var_28]
0x0000000000009d57 488B45E8               mov        rax, qword [rbp+var_18]
0x0000000000009d5b 4889442420             mov        qword [rsp+0x70+var_50], rax
0x0000000000009d60 4889F1                 mov        rcx, rsi
0x0000000000009d63 4889FA                 mov        rdx, rdi
0x0000000000009d66 E8C7070000             call       sub_a532                   ; ## 3 CspDrawRect
0x0000000000009d6b 488D0D0D0F0300         lea        rcx, qword [sub_3ab25+346] ; "End DrawDataRectangle"
0x0000000000009d72 E8BBB20000             call       sub_15032
0x0000000000009d77 488B4DE8               mov        rcx, qword [rbp+var_18]
0x0000000000009d7b E86F710000             call       sub_10eef
0x0000000000009d80 488B0529D50700         mov        rax, qword [sub_87258+88]
0x0000000000009d87 A804                   test       al, 0x4
0x0000000000009d89 0F84D4010000           je         loc_9f63

 

 

 

By patching a conditional jump below, it prevent the screen to be swap / filled with black color & allowed me to use my gray background previously set by Clover (ClearScreen (&StdBackgroundPixel)). But I got white apple logo with black rectangle with correct progress bar color (see attachment, kBootArgsFlagBlackBg to use white progrees bar).

 

 

 

sub_992e:

0x000000000000992e 55                     push       rbp
0x000000000000992f 4889E5                 mov        rbp, rsp
0x0000000000009932 4883EC50               sub        rsp, 0x50
0x0000000000009936 488B050BDA0700         mov        rax, qword [sub_87258+240]
0x000000000000993d 4885C0                 test       rax, rax
0x0000000000009940 750C                   jne        loc_994e <== ### just NOP it / reverse

0x0000000000009942 488B05F7D90700         mov        rax, qword [sub_87258+232]
0x0000000000009949 4885C0                 test       rax, rax
0x000000000000994c 7439                   je         loc_9987

                                      loc_994e:
0x000000000000994e 4C894C2440             mov        qword [rsp+0x50+var_10], r9
0x0000000000009953 4C89442438             mov        qword [rsp+0x50+var_18], r8
0x0000000000009958 4889542430             mov        qword [rsp+0x50+var_20], rdx
0x000000000000995d 48894C2428             mov        qword [rsp+0x50+var_28], rcx
0x0000000000009962 48C744244800000000     mov        qword [rsp+0x50+var_8], 0x0
0x000000000000996b 48C744242000000000     mov        qword [rsp+0x50+var_30], 0x0
0x0000000000009974 488D15ADC80700         lea        rdx, qword [sub_861b9+111]
0x000000000000997b 4531C0                 xor        r8d, r8d
0x000000000000997e 4531C9                 xor        r9d, r9d
0x0000000000009981 4889C1                 mov        rcx, rax
0x0000000000009984 FF5010                 call       qword [rax+0x10]

                                      loc_9987:
0x0000000000009987 4883C450               add        rsp, 0x50
0x000000000000998b 5D                     pop        rbp
0x000000000000998c C3                     ret

 

 

 

So I try to apply same patch for DrawDataRectangle (in 'sub_a532' ; ## 3 CspDrawRect) which seems identical for me.
Yes now it draw gray rect on logo, but I lost the logo.

After this, what I cannot figured out is what & where they compose the logo with CLUT things?

 

 

 

sub_9f80:

...

0x000000000000a2f6 4885C0                 test       rax, rax
0x000000000000a2f9 488D051EF80200         lea        rax, qword [sub_39ae5+57]  ; "AppleLogoBlack2X"
0x000000000000a300 488D0DFCF70200         lea        rcx, qword [sub_39ae5+30]  ; "AppleLogo2X"
0x000000000000a307 EB64                   jmp        loc_a36d

                                      loc_a309:
0x000000000000a309 49C70600000000         mov        qword [r14], 0x0
0x000000000000a310 48C70300000000         mov        qword [rbx], 0x0
0x000000000000a317 49C7450000000000       mov        qword [r13], 0x0
0x000000000000a31f EB7A                   jmp        loc_a39b

                                      loc_a321:
0x000000000000a321 B800000400             mov        eax, 0x40000
0x000000000000a326 48230583CF0700         and        rax, qword [sub_87258+88]
0x000000000000a32d 803D24D0070000         cmp        byte [sub_87258+256], 0x0
0x000000000000a334 7426                   je         loc_a35c

0x000000000000a336 4885C0                 test       rax, rax
0x000000000000a339 488D051AF80200         lea        rax, qword [sub_39ae5+117] ; "CircleSlashBlack2X"
0x000000000000a340 488D0DF4F70200         lea        rcx, qword [sub_39ae5+86]  ; "CircleSlash2X"
0x000000000000a347 EB24                   jmp        loc_a36d

                                      loc_a349:
0x000000000000a349 4885C0                 test       rax, rax
0x000000000000a34c 488D05BCF70200         lea        rax, qword [sub_39ae5+42]  ; "AppleLogoBlack"
0x000000000000a353 488D0D9FF70200         lea        rcx, qword [sub_39ae5+20]  ; "AppleLogo"
0x000000000000a35a EB11                   jmp        loc_a36d

                                      loc_a35c:
0x000000000000a35c 4885C0                 test       rax, rax
0x000000000000a35f 488D05E3F70200         lea        rax, qword [sub_39ae5+100] ; "CircleSlashBlack"
0x000000000000a366 488D0DC2F70200         lea        rcx, qword [sub_39ae5+74]  ; "CircleSlash"

                                      loc_a36d:
0x000000000000a36d 480F45C8               cmovne     rcx, rax                   ; ## should I NOP this to prevent rcx (AppleLogo) to be swaped by rax (AppleLogoBlack)?
0x000000000000a371 4C89F2                 mov        rdx, r14
0x000000000000a374 4989D8                 mov        r8, rbx
0x000000000000a377 4D89E9                 mov        r9, r13
0x000000000000a37a E8DF9FFFFF             call       sub_435e
0x000000000000a37f 4885C0                 test       rax, rax

 

 

 

Things that I also have tried:

- Set bootcfg with kBootArgsFlagBlack | store NVRAM: "BlackMode" / "DefaultBackgroundColor" / "Background Color" take no effect. "BackgroundClear" currently obsolete?
- Yes sometimes it show gray boot with a half of progress bar and then black.

[Mr.Graphic]

Hi cecekpawon!

 

In my gray background, and black Apple logo.

Clover_v2.4k_r4003

 

 

 

[cecekpawon]

Hello Mr. Graphics, far as I can remember we have very similar system (still with my i5 3570K here) and same macpro6 board-id to be used, is that correct? Do you have any special settings with Clover or it just boot & go like that with your current imac13? Thanks for share ... just beautiful

[Mr.Graphic]

Hello cecekpawon!

 

iMac 13,2 (LGA 1155 ivy Bridge) my motherboard Asrock Z77 Pro4M (LGA 1155/ cpu i5 3570 ivy Bridge) (not K).

I think it has to do with the graphics card. Now it is booted as a original Mac.

A single monitor: Setup boot HD2500/HDMi port, after RX 460/DP port full functions OS

Nothing takes particular note was the config.plist:

config.plist.zip

[cecekpawon]

I have tried with your smbios to run my installer & still got boring white apple & black background. I will leave the binary for anyone to play with, and should let this thread buried by others. Thanks for joining me Mr. Graphics (seem you have wrong 'KernelPm' entry in KernelAndKextPatches)!

 

 

 

<!-- 'KernelAndKextPatches' also fine -->
<key>Patches</key>
<dict>
  <key>KextsToPatch</key>
  <array>
    <dict>
      <key>Comment</key>
      <string>Boot gray</string>
      <key>Disabled</key>
      <false/>
      <key>Find</key>
      <data>
      Qb+/v78AQYP6IHQQ
      </data>
      <key>MatchOS</key>
      <string>10.12</string>
      <key>Name</key>
      <string>com.apple.iokit.IOGraphicsFamily</string>
      <key>Replace</key>
      <data>
      Qb+/v78AQYP6IOsQ
      </data>
    </dict>
  </array>
  <key>BooterToPatch</key>
  <array>
    <dict>
      <key>Comment</key>
      <string>gray (clearscreen)</string>
      <key>Count</key>
      <integer>1</integer>
      <key>Disabled</key>
      <false/>
      <key>Find</key>
      <data>
      SIsFC9oHAEiFwHUM
      </data>
      <key>MatchOS</key>
      <string>10.12</string>
      <key>Replace</key>
      <data>
      SIsFC9oHAEiFwJCQ
      </data>
    </dict>
    <dict>
      <key>Comment</key>
      <string>gray (drawrect)</string>
      <key>Count</key>
      <integer>1</integer>
      <key>Disabled</key>
      <false/>
      <key>Find</key>
      <data>
      6LT9//9IhcB1Eg==
      </data>
      <key>MatchOS</key>
      <string>10.12</string>
      <key>Replace</key>
      <data>
      6LT9//9IhcB0Eg==
      </data>
    </dict>
  </array>
</dict>

 

 

[cecekpawon]

According to this post, I have found lzvn_decode proc at 0x1dc80 & packedlogo at 0x46a10 for boot.efi 10.12.

[cecekpawon]

Unrelated. Found interesting post here to force print boot.efi messages by Vit, with another patterns below which seems do the same job?

4881EC58010000803D -> 4881EC58010000EB07

[Oliver@Cheme]

By changing a few things in Clover sources, I could finally get gray boot. Apparently, changing the value of the DefaultBackgroundColor variable (and using a smbios expected by boot.efi?) is enough. It seems pretty nice, for me there isn't the delay between the first and the second boot stage anymore like in the dark boot. 

Edited July 26, 2018 by Oliver@Cheme

[LockDown]

9 minutes ago, Oliver@Cheme said:

By changing a few things in Clover sources, I could finally get gray boot. Apparently, changing the value of the DefaultBackgroundColor variable (and using a smbios expected by boot.efi?) is enough. It seems pretty nice, for me there isn't the delay between the first and the second boot stage anymore like in the dark boot. 

what did you change?

[Oliver@Cheme]

2 minutes ago, ellaosx said:

what did you change?

I changed the value of the DefaultBackgroundColor property to 0xBFBFBF (gray). I also added a property "BlackMode=0", to explicitly require gray boot, but I don't think this is necessary. I'm going to rebuild without it to test. 

Just now, Oliver@Cheme said:

I changed the value of the DefaultBackgroundColor property to 0xBFBFBF (gray). I also added a property "BlackMode=0", to explicitly require gray boot, but I don't think this is necessary. I'm going to rebuild without it to test. 

Also works with 0xF0F0F0, or maybe, any other color.

[Oliver@Cheme]

Yes, no "BlackMode" variable is necessary. Just download the latest official Clover sources, and change the following values: in the files Settings.c and PlatformData.c, change the value from "gSettings.DefaultBackgroundColor" from 0x80000000 to 0xBFBFBF and in the file AppleUITheme.c, change the value of defined variable "BLACK_COLOR" to 0xBFBFBF. Recompile and reinstall Clover (replace all drivers as well) and that's it. The obtained Apple logo is gray and the progress bar is black. I don't know if there is a way to obtain black logo too...

[cecekpawon]

Hey @Oliver@Cheme I still cant believe it that 'AppleUITheme' protocol thing were responsible to read our 'DefaultBackgroundColor'. I thought it just for FileVault, so I never installed it before LOLOL ...

 

I dont use Clover, but AppleSupportPkg came with AppleUiSupport last day (which pretty much same with Fritz EfiPkg) to try and i confirmed it works here.

 

Far as I can remember, IOGraphicsFamily need to be patched too to get grey apple black logo before reach the login screen. The code has much changed since my last try. Did some more trial patches with 10.13.6 without success. So I leave it as is for now.

 

Thanks!