A plain guide to Mac firmware and its problems

There are three software systems at the heart of every Mac: its firmware (‘EFI firmware’), the system kernel, and a few hundred kernel extensions. Together, they get your Mac running at startup, and provide all its basic services, from driving graphics cards, to the file system used for storage, and providing the ‘sandbox’ used by App Store apps.

These have to be closely matched. Try running a newer kernel and extensions on old firmware, and you can encounter problems, including kernel panics, in which everything has packed up and gone home, and your Mac needs to restart and try again. The kernel and extensions are supplied and installed in macOS updates, but updating firmware is more tricky, and these days is only performed as an operation within a macOS update.

Firmware is also more complex on Macs with T1 or T2 chips: they have their own firmware, which is downloaded securely during the update, and installed then. Some Macs have had more serious problems with T1/T2 firmware, and Apple provides a special mechanism for restoring their firmware in the event of problems. However, this is a serious undertaking, and if it goes wrong the T2 chip can brick that Mac. This is most likely when you run pre-release versions of macOS on your Mac. If you stick to normal release versions, the chances of that happening should be extremely low.

Until the summer of 2019, Apple had brought all recent versions of macOS, from Sierra to Mojave, up to the same firmware versions, which differ between different models. Provided that you kept your Mac up to date with updates and security updates for the given major version of macOS it was running, each model should have been running the same version of firmware appropriate to that specific model. For example, an iMac Retina 5K 27-inch Late 2015, with the model ID iMac17,1, should have been running EFI firmware version 170.0.0.0.0.

Macs running older versions of macOS, El Capitan and before, use firmware which has a different numbering system. Under that, the same iMac should have been running firmware version 0157 B00. So before the release of Catalina, an iMac17,1 should have been running firmware version 0157 B00 for El Capitan, or 170.0.0.0.0 for Sierra, High Sierra or Mojave.

Unusually, when Apple released Catalina, it included another firmware update for all models capable of running the new macOS. In recent years, Apple has avoided doing that, and performed the firmware update in the last update of the previous macOS, which would have been Mojave 10.14.6. That would again have brought all Macs running 10.12.6 and later up to the new versions, which would then have been common with Catalina 10.15 too. This year, that didn’t happen, neither has Apple brought firmware versions into line in the first updates after Catalina’s release. So the situation on EFI firmware versions has become more complex.

In Sierra and earlier, macOS doesn’t check the version of firmware installed or its integrity. Apple realised that this was a risky approach, so in High Sierra introduced a system tool, eficheck, which each week automatically checks the installed firmware against a list of what is permissible. eficheck can encounter two problems: it can discover that the firmware installed doesn’t match what is allowed, or its list of what is allowed can fall out of date and cause spurious errors as a result. It should warn you if either of those occurs.

eficheck doesn’t work on Macs with T1/T2 chips either. The mechanism for installing their firmware should be sufficiently secure, and their own checks on their integrity should make it unnecessary. However, there doesn’t seem to be any way in macOS to verify your T2 firmware yourself.

You can check your Mac’s firmware using SilentKnight or LockRattler. They’re free from here, and SilentKnight also checks the version it finds against my own database of what I believe to be current.

You can compare LockRattler’s manual results against the version lists for each model for:

Each of those articles contains detailed instructions for use, and other helpful information.

If any of these reports an older version number than you expect, or if eficheck reports a problem, all you can do is download and install the last full update for your version of macOS, and hope that will fix it.

Some users are reporting that certain models don’t reliably update. This is true for the iMac17,1 which I cited: many of those which have been upgraded to Catalina still show the old Mojave version of 170.0.0.0.0, rather than the new version 173.0.0.0.0 for Catalina. This could cause problems with macOS 10.15, and in the worst case could result in kernel panics.

If your Mac is running out of date firmware for Catalina and you have already installed the 10.15.1 update, apart from trying a clean install of Catalina, there isn’t a great deal more that you can do. If you’re still concerned (I would be), contact Apple Support who may be able to suggest something, or advise you to take your Mac in to an Apple store for their attention.

Firmware is important. It’s at the heart of your Mac. The wrong firmware can cause serious problems. It’s worth getting it fixed.

Thanks to Jeff Johnson @lapcatsoftware for his comments, leading to minor amendments for clarity. Any lack of clarity or errors remain entirely my own.

7Comments

Add yours

1

Thomas Tempelmann (@tempelorg) on October 31, 2019 at 10:12 am

Thanks to your tool I found out that my macpro5,1 has an old firmware (140 instead of 144) while running Mojave, and it won’t update it for me having the wrong graphics card installed (supposedly that’s because of a bug by Apple’s installer not identifying it as a Metal supported card, even though it is), and now you’re telling me that I should be worried. I just spent a whole day trying to update the firmware, but no dice (Tried to install a RX 580, same problem. Removed the SSD and re-installed 10.13.6 on a fresh HD, booted from it, and tried to install 10.14.6 – still the same problem: Installer says it needs to update the firmware first and then reboot, asks me to enter my pw, and then it just sits there). I’m glad I also built myself a HackMac, twice as fast, and half the troubles 😉

LikeLiked by 1 person
- 2
  
  hoakley on October 31, 2019 at 10:18 am
  
  Sorry, Thomas!
  Cheesegrater Mac Pros are something of an acquired taste, and an exception to everything, though.
  Howard.
  
  LikeLike
3

jazz110 on October 31, 2019 at 9:04 pm

Well this probably explains my wake from sleep issues I had on my late 2015 iMac. The latest update of Catalina finally fixed this. But I’m going to check the firmware per your article just to play it safe. Thanks for the heads up!

LikeLiked by 1 person
4

Justin McMurtry on November 22, 2019 at 8:05 pm

I have here a Macmini5,1 (Mid-2011, base model) which SilentKnight v1.5 reports as having EFI firmware version 130, whereas version 135 is “expected”. This is despite the fact that I’ve installed every High Sierra update available, and in fact even experimentally (and successfully) installed the latest updates of Mojave and of Catalina, using the “DosDude1” tools. Still, the EFI version won’t budge. I’m curious as to how we know that 135 is actually the latest EFI firmware version for this Mac model.

LikeLiked by 1 person
- 5
  
  hoakley on November 22, 2019 at 8:20 pm
  
  I (and others who help me in this task) examine the firmware updaters which Apple includes in the updates which it ships.
  Your Mac mini is listed there as not having a firmware update for Catalina, of course. The latest firmware released for High Sierra should have ensured that it was updated to version 135.0.0.0.0, which was that included in that update.
  However, as I point out in the separate listings, Apple doesn’t publish any lists of expected firmware versions, so all we can go by are the versions which it ships with its system updates.
  Have you run eficheck?
  Howard.
  
  LikeLiked by 1 person
  - 6
    
    Justin McMurtry on November 22, 2019 at 10:15 pm
    
    Good news, Howard! While reviewing your numerous articles on the subject of EFI firmware, I came across your suggestion in a comment that booting into Recovery, and reinstalling the OS from there, might do the trick. I tried that, then booted normally into the refreshed OS, then used SilentKnight to run through two rounds of updates requiring restarts. After all that, my Macmini5,1 now has EFI version 135! It appears to have been installed as part of the High Sierra Security Update 2019-006. I had, in fact, installed that same update at least twice before on the same volume, but with no effect on the EFI. Reinstalling the OS from within Recovery seems to have been the key to success. Thank you for your help, good sir!
    
    LikeLiked by 1 person
    - 7
      
      hoakley on November 22, 2019 at 10:16 pm
      
      Hurrah for that mini too!
      Sometimes these firmware updates seem stubborn, but persistence usually pays in the end.
      Howard.
      
      LikeLiked by 1 person

Share this:

Related