A plain guide to Mac firmware and its problems

There are three software systems at the heart of every Mac: its firmware (‘EFI firmware’), the system kernel, and a few hundred kernel extensions. Together, they get your Mac running at startup, and provide all its basic services, from driving graphics cards, to the file system used for storage, and providing the ‘sandbox’ used by App Store apps.

These have to be closely matched. Try running a newer kernel and extensions on old firmware, and you can encounter problems, including kernel panics, in which everything has packed up and gone home, and your Mac needs to restart and try again. The kernel and extensions are supplied and installed in macOS updates, but updating firmware is more tricky, and these days is only performed as an operation within a macOS update.

Firmware is also more complex on Macs with T1 or T2 chips: they have their own firmware, which is downloaded securely during the update, and installed then. Some Macs have had more serious problems with T1/T2 firmware, and Apple provides a special mechanism for restoring their firmware in the event of problems. However, this is a serious undertaking, and if it goes wrong the T2 chip can brick that Mac. This is most likely when you run pre-release versions of macOS on your Mac. If you stick to normal release versions, the chances of that happening should be extremely low.

Until the summer of 2019, Apple had brought all recent versions of macOS, from Sierra to Mojave, up to the same firmware versions, which differ between different models. Provided that you kept your Mac up to date with updates and security updates for the given major version of macOS it was running, each model should have been running the same version of firmware appropriate to that specific model. For example, an iMac Retina 5K 27-inch Late 2015, with the model ID iMac17,1, should have been running EFI firmware version

Macs running older versions of macOS, El Capitan and before, use firmware which has a different numbering system. Under that, the same iMac should have been running firmware version 0157 B00. So before the release of Catalina, an iMac17,1 should have been running firmware version 0157 B00 for El Capitan, or for Sierra, High Sierra or Mojave.

Unusually, when Apple released Catalina, it included another firmware update for all models capable of running the new macOS. In recent years, Apple has avoided doing that, and performed the firmware update in the last update of the previous macOS, which would have been Mojave 10.14.6. That would again have brought all Macs running 10.12.6 and later up to the new versions, which would then have been common with Catalina 10.15 too. This year, that didn’t happen, neither has Apple brought firmware versions into line in the first updates after Catalina’s release. So the situation on EFI firmware versions has become more complex.

In Sierra and earlier, macOS doesn’t check the version of firmware installed or its integrity. Apple realised that this was a risky approach, so in High Sierra introduced a system tool, eficheck, which each week automatically checks the installed firmware against a list of what is permissible. eficheck can encounter two problems: it can discover that the firmware installed doesn’t match what is allowed, or its list of what is allowed can fall out of date and cause spurious errors as a result. It should warn you if either of those occurs.

eficheck doesn’t work on Macs with T1/T2 chips either. The mechanism for installing their firmware should be sufficiently secure, and their own checks on their integrity should make it unnecessary. However, there doesn’t seem to be any way in macOS to verify your T2 firmware yourself.

You can check your Mac’s firmware using SilentKnight or LockRattler. They’re free from here, and SilentKnight also checks the version it finds against my own database of what I believe to be current.

You can compare LockRattler’s manual results against the version lists for each model for:

Each of those articles contains detailed instructions for use, and other helpful information.

If any of these reports an older version number than you expect, or if eficheck reports a problem, all you can do is download and install the last full update for your version of macOS, and hope that will fix it.

Some users are reporting that certain models don’t reliably update. This is true for the iMac17,1 which I cited: many of those which have been upgraded to Catalina still show the old Mojave version of, rather than the new version for Catalina. This could cause problems with macOS 10.15, and in the worst case could result in kernel panics.

If your Mac is running out of date firmware for Catalina and you have already installed the 10.15.1 update, apart from trying a clean install of Catalina, there isn’t a great deal more that you can do. If you’re still concerned (I would be), contact Apple Support who may be able to suggest something, or advise you to take your Mac in to an Apple store for their attention.

Firmware is important. It’s at the heart of your Mac. The wrong firmware can cause serious problems. It’s worth getting it fixed.

Thanks to Jeff Johnson @lapcatsoftware for his comments, leading to minor amendments for clarity. Any lack of clarity or errors remain entirely my own.