**Quick Analysis of Patched GC-Titan Ridge Firmware**
The Osy86 article on GitBook states that for an Alpine Ridge controller we should only look for differences in the first 0x1000 (4096) bytes of the Active Partition. We do this by comparing the firmware of our device with the closest matching firmware from Apple. But this technique has apparently had limited success with Titan Ridge.
So it is instructive to compare differences between the modified GC-Titan Ridge firmware and the original. Fortunately, my GC-Titan Ridge comes with NVM 23, which is the same version on which the DSM2.Hackintosh patch is based.
If we start at byte offset 0x4000, which is the start of the Active Partition, and compare the next 0x5D120 bytes (381,216 or 372 KB), we find the following:

[Screenshot: Original Firmware on left and Modified Firmware on right.]
The list at the bottom of the screenshot shows 26 differences. In the first 0x1000 (4096) bytes, we find these few differences that we should be able to figure out by comparing the equivalent bytes in the closest Apple firmware:

[Screenshot: differences within the first 0x1000 bytes of the Active Partition.]
But much further below, at offset 0x152EB from the start of the active partition, we see a set of empty values (0xFF) in the original firmware. These have all been replaced as we see on the right side:

[Screenshot: 0xFF region at offset 0x152EB, original on left and modified on right.]
The same thing happens again at offset 0x30054 from the start of the active partition. Another group of 0xFF is replaced entirely.

[Screenshot: 0xFF region at offset 0x30054, original on left and modified on right.]
And finally we see this again at offset 0x4A8AE from the start of the active partition.

[Screenshot: 0xFF region at offset 0x4A8AE, original on left and modified on right.]
If the three sets of changes at offsets 0x152EB, 0x30054, and 0x4A8AE are significant and consequential (I have not removed these changes to observe the effect), then it seems that a successful firmware patch for Titan Ridge is much more complex than the Osy86 technique would suggest.
So where did these "filler" values come from?
One possibility is that DSM2 copied them from the closest Apple firmware. But based on some of his claims over at MacRumors, it's more likely that he somehow generated them himself. If that's true, it makes it much harder to replicate this work to other Titan Ridge firmware.
Question: If the firmware that we see in these screenshots is compiled code, is anyone familiar enough with the subject to disassemble this code? Several x86 disassemblers are available.
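The comparison described in the post (diff the Active Partition starting at 0x4000, separate the changes inside the first 0x1000 bytes from the rest, and flag regions where a run of 0xFF in the original was overwritten) can be automated. The script below is an added example written for this page; it is not the poster's tool, the Osy86 method, or DSM2's patcher. The partition offset and compare length are taken from the post; the function names and the two sample images are constructed for demonstration, so the offsets they report are not the 0x152EB / 0x30054 / 0x4A8AE values seen in the real dumps.

```python
"""Diff the Active Partition of two Thunderbolt NVM dumps and classify each
run of changed bytes as 'header' (first 0x1000 bytes), 'filler' (the original
bytes were all 0xFF) or 'code/data' (anything else).  Added example, not the
original post's code."""
import sys

ACTIVE_PARTITION_OFFSET = 0x4000   # start of the Active Partition in the dump (from the post)
ACTIVE_PARTITION_LENGTH = 0x5D120  # number of bytes the post compares
HEADER_WINDOW = 0x1000             # region the Osy86 write-up says to compare for Alpine Ridge


def diff_active_partition(original, modified,
                          base=ACTIVE_PARTITION_OFFSET, length=ACTIVE_PARTITION_LENGTH):
    """Return [(offset_in_partition, orig_byte, mod_byte)] for every differing byte."""
    end = min(len(original), len(modified), base + length)
    return [(i - base, original[i], modified[i])
            for i in range(base, end) if original[i] != modified[i]]


def group_runs(diffs):
    """Collapse consecutive differing offsets into (start, end_exclusive) runs."""
    runs = []
    for off, _orig, _mod in diffs:
        if runs and runs[-1][1] == off:
            runs[-1][1] = off + 1        # extend the current run
        else:
            runs.append([off, off + 1])  # start a new run
    return [tuple(r) for r in runs]


def classify_runs(original, runs, base=ACTIVE_PARTITION_OFFSET):
    """Label each run. 'filler' means every original byte in the run was 0xFF,
    i.e. the patch wrote new content into previously empty flash."""
    report = []
    for start, end in runs:
        orig_bytes = original[base + start: base + end]
        if start < HEADER_WINDOW:
            kind = "header"
        elif all(b == 0xFF for b in orig_bytes):
            kind = "filler"
        else:
            kind = "code/data"
        report.append((start, end - start, kind))
    return report


def analyze(original, modified):
    """Full pipeline: diff, group, classify."""
    return classify_runs(original, group_runs(diff_active_partition(original, modified)))


def build_sample_images():
    """Constructed sample pair (NOT real firmware): 0x4000 bytes before the
    partition, then a small 0x2000-byte 'Active Partition' containing one
    0xFF filler region, plus a patched copy with three kinds of change."""
    part_len = 0x2000
    orig = bytearray(ACTIVE_PARTITION_OFFSET)
    orig += bytearray((i * 37 + 11) & 0xFF for i in range(part_len))
    hole = slice(ACTIVE_PARTITION_OFFSET + 0x1500, ACTIVE_PARTITION_OFFSET + 0x1520)
    orig[hole] = b"\xFF" * 0x20                       # empty flash, as in the dumps
    mod = bytearray(orig)
    mod[ACTIVE_PARTITION_OFFSET + 0x0010] ^= 0x01     # two-byte tweak inside the header window
    mod[ACTIVE_PARTITION_OFFSET + 0x0011] ^= 0x80
    mod[hole] = bytes(range(0x20))                    # filler region fully overwritten
    mod[ACTIVE_PARTITION_OFFSET + 0x1800] ^= 0xFF     # single changed byte in code/data
    return bytes(orig), bytes(mod)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f_orig, open(sys.argv[2], "rb") as f_mod:
            images = (f_orig.read(), f_mod.read())
    else:
        images = build_sample_images()   # no files given: run on the constructed sample
    for start, size, kind in analyze(*images):
        print(f"+0x{start:05X}  {size:6d} byte(s)  {kind}")
```

Run it as `python nvmdiff.py original.bin modified.bin` to print one line per changed run, offsets relative to the Active Partition; with no arguments it runs on the constructed pair. A run reported as `filler` is the pattern the post describes at 0x152EB, 0x30054 and 0x4A8AE, and the `header` lines are the few that the Osy86 method expects to reconcile against the closest Apple image. The script treats the dumps as opaque bytes; it does not interpret the partition format, so a `code/data` run only says the original bytes were not all 0xFF.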