hoakley September 15, 2020 Macs, Technology

Firmware fundamentals

Firmware and its updating is a confusing topic: everything about them is unseen, updates just happen or fail silently, apparently out of our control. This article tries to put you back in charge of them.

Here’s a quick summary for those who won’t get any further:

Each Mac can only have one firmware version installed at a time, no matter how many different startup disks it might have.
Firmware updates are bundled within macOS updates and Security Updates. They’re not available by any other means.
When you install a macOS update containing a firmware update for your Mac model, you aren’t informed, and have no option over whether to install it: the installer will try to install it, come what may.
Firmware only updates to a more recent version; it’s practically impossible to downgrade your Mac’s firmware to an earlier version, except by replacing its logic board.
Firmware and the kernel have a special relationship: firmware updates normally come with kernel updates intended to keep them compatible.
Apple only provides kernel updates for supported versions of macOS – they’re the current and two previous major versions, soon to be Big Sur plus Catalina and Mojave.
If possible, avoid updating the firmware of a Mac to a version more recent than its kernel. If your Mac is still running Sierra, for example, it will work best if its firmware is no more recent than the last Sierra Security Update.
eficheck isn’t much help.

One firmware version at a time

Firmware resides in the logic board of your Mac, and those models with T2 chips also have its special iBridge firmware installed in that chip. During installation, the installer may use local storage for staging, but the firmware itself ends up in chips on the logic board.

This means that, if you have two or more versions of macOS installed on the same Mac, the firmware it should have installed is the latest version installed with the most recent of those versions of macOS. If you install a beta-release of Big Sur on a Mac which has been running Mojave, then that results in that Mac – not just an external disk – being upgraded to the firmware supplied with the beta-release of Big Sur.

Delivered in macOS installers and updaters

Many years ago, Apple used to supply firmware separately from Mac OS X, with a tool you could use to install it. That hasn’t been the case for a long time now: the only firmware installers and updaters are supplied as part of macOS installations and updates. Utilities like SilentKnight can’t install firmware for you, only a genuine Apple installer can. If you haven’t updated macOS, then it’s not possible for that Mac’s firmware to have been updated, not even by sharing an external disk with a Mac that has been updated.

There are a couple of marginal exceptions to this. Some users open up macOS updates and try to install firmware separately, with varying degrees of success. Apple technicians also have access to in-house tools which can perform firmware updates.

Firmware updates are mandatory

When you install a system update which contains a firmware update, the installer will check if your Mac’s firmware needs to be updated. If the version bundled in the update is more recent than that installed on your Mac, it will automatically proceed to perform that update. Installers may provide clues that an update is about to take place, for instance by warning the user of black screen phases and telling you not to interrupt that part of the update, but they give you no choice about whether to install it. Proceed with the installation, and the update is inevitable.

Firmware doesn’t downgrade

The logic in firmware updaters is simple: if the version available is more recent than that installed, the update proceeds. There doesn’t appear to be any reliable means of downgrading firmware to an earlier version. If you try to apply an older update containing an older firmware version, it simply doesn’t install the firmware. This appears to be the case even with Apple’s in-house tools. If you really want to downgrade, the only reliable method is to replace your Mac’s logic board with one which has an older firmware version.

Firmware and kernel go together

Your Mac’s firmware, the kernel and its extensions work very closely together. Mixing and matching them is a dangerous business: take firmware from the latest beta-release of Big Sur, run a kernel from a few years ago with its extensions, and don’t be surprised if you encounter problems. This is one good reason that Apple now updates firmware, kernel and extensions together in its macOS updates and Security Updates.

Beware running much newer firmware with older kernels

Clashes do occur. At worst, you can end up with an unstable Mac which is prone to kernel panics. Unfortunately, as you won’t be able to downgrade its firmware, the only solution is then to upgrade macOS to a supported version, which shortly will mean only Mojave, Catalina or Big Sur, as Apple is expected to drop High Sierra support when Big Sur is released.

Firmware updates for supported macOS

Because firmware updates only come with macOS updates and Security Updates, when Apple ceases providing those for a previous version of macOS, those firmware updates also come to an end. If you’re still running El Capitan, your Mac’s last firmware update should therefore have come from its last security update in 2018. The only way you could change that would be to install a later version of macOS; if you then reverted to using El Capitan, it would be running an older kernel which wasn’t intended to be fully compatible with its newer firmware, and steering into danger of compatibility problems.

In this respect, Sierra is a particular problem. Its last security update was released on 26 September 2019, unusually late in the cycle. There had been a flurry of firmware updates at the time, and Apple had also changed the firmware version numbering system over the previous year. This didn’t settle until Mojave’s release cycle was well established. Working out the ‘correct’ firmware versions for the last months of Sierra’s support is therefore fraught.

eficheck

Apple introduced eficheck to try to tackle problems with a wide range of firmware versions in use on different models of Mac. Unfortunately, it doesn’t check whether your Mac is running the latest firmware, even when its macOS is still supported, but works on an allow list which allows your Mac to run older firmware.

Not only that, but eficheck doesn’t work with Macs with a T2 chip, which now includes Apple’s complete product range. At least all T2 models (to date) run the same firmware, both internally in the ‘iBridge’ and in their EFI firmware, but Apple doesn’t appear to provide any means of determining whether it’s up to date.

Looking ahead to Apple Silicon Macs, this has surely got to become simpler. As they don’t have Intel processors, they don’t have EFI or EFI firmware. If Apple integrates the current functions of the T2 chip into their main SoC, they might perhaps have a single series of firmware versions which proves much easier to track. My fingers are crossed.

Useful articles

A plain guide to Mac firmware and its problems

Which EFI firmware should your Mac be using? (version 4) – for Catalina
Which EFI firmware should your Mac be using? (version 3) – for Sierra, High Sierra, Mojave
Which EFI firmware should your Mac be using? (version 2) – for El Capitan and earlier

What to do when a T2 Mac suffers a problem updating its firmware
Does replacing internal storage cause EFI updating problems?
Some Macs don’t update their firmware when they should
Firmware updates and the iMac Retina 5K 27-inch Late 2015 (iMac17,1)

SilentKnight, LockRattler and silnite: which should you use?

30Comments

Add yours

1

EcleX on September 15, 2020 at 7:28 am

Awesome! Many thanks. Then, it seems dangerous (instability generating crashes, kernel panics, etc, and even bricking the Mac altogether making it unusable!) to install any new final or beta macOS version on an internal or external disk to test if you want to keep using a previous macOS version in the production disk (external or internal, respectively) of such Mac.

The only safe way to install any new final or beta macOS version on an internal or external disk of a Mac to test is to use a different testing (non-production) Mac for it, assuming not to run in such testing Mac older macOS versions than the latest installed in such a testing way, in its external or internal disk, respectively In other words, only use the latest macOS version installed in a production Mac. In a testing Mac, do whatever you want, albeit you could end up with serious problems, including bricking it.

Therefore, all Apple installers should warn about it. And since beta testing in general (developers) and public ones in particular help Apple to identify issues and fix them for free (Apple does not pay beta testers), at least Apple should repair or replace broken Macs caused by such beta installations.

LikeLiked by 2 people
- 2
  
  hoakley on September 15, 2020 at 12:34 pm
  
  Thank you.
  That is only potentially dangerous when the kernel and firmware aren’t designed to be run together. That would apply with running Sierra on Big Sur beta firmware, and to a lesser degree, with Catalina firmware too. But as Sierra was still supported when Mojave was released, Sierra should run fairly reliably on Mojave firmware. The further apart the two are, the greater the chance of problems.
  Not that problems are guaranteed, of course: you might be lucky and find a combination which works fine.
  I have already written elsewhere that you should never install beta release macOS on a production system.
  I’ll leave you to contact Apple to ask them to warn users. I don’t recall much about firmware at all in Apple’s support docs, for users or developers.
  Howard.
  
  LikeLiked by 1 person
  - 3
    
    EcleX on September 15, 2020 at 1:49 pm
    
    Thanks. Yes, as you said. I know now that “you should never install beta release macOS on a production system”. But some users may not fully understand the deep implications of that, because it means also not installing on other disk connected to such Mac, either internal or external.
    
    BTW, the iMac 27-inch 5K Retina (mid 2017; iMac18,3) booting from external SSD (the internal one is used as Time Machine disk only) used to install macOS 11 Big Sur Public Beta 1, 2 and 3 on other different external disk has EFI 4.8.2..0.0.0.0 instead of EFI EFI 183.0.0.0.0 (as shown by SilentKnight) because of such Big Sur installation, yet works fine so far when booted from the external disk with macOS 10.12.6 (16G2136) Sierra as production Mac.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on September 15, 2020 at 4:22 pm
      
      Thank you. SilentKnight doesn’t try to check beta-release firmware versions, only final release ones. They’re quite hard enough to track, thank you!
      Howard.
      
      LikeLike
- 5
  
  EcleX on November 15, 2020 at 7:21 pm
  
  Talking about bricking Macs, even with final macOS releases…
  
  macOS Big Sur Update Bricking Some Older MacBook Pro Models
  https://www.macrumors.com/2020/11/15/macos-big-sur-update-bricking-some-macbook-pros
  
  I hope that Apple releases a fix or pays for fixing such bricked Macs. Otherwise, it could be a Class Action Lawsuit…
  
  LikeLiked by 1 person
  - 6
    
    hoakley on November 15, 2020 at 7:58 pm
    
    Thank you.
    There’s a much better article here from Mr Macintosh, which deals more generally with Big Sur installation problems.
    If anyone does experience problems, Apple Support should be your first call.
    Howard.
    
    LikeLike
7

checknickelson on September 15, 2020 at 9:01 am

So many thanks! A great summary of this slightly chaotic situation. Regarding the iMacs 17,1 that I have been trying to update the firmware for, I read hints that this might also have to do with the installed memory. If the updater doesn’t find the original modules it stops, supposably. (The original modules have since been installed in other iMacs…) Do you have any infos on this? Also my testing MacBook Pro 13 2019, that got a new firmware via external Big Sur Beta runs smoothly with the internal 10.15.6 but has reproducible I/O errors (cannot be fixed by Disk Utility, not even with the latest Big Sur Beta) when booting from external 10.14.6 and 10.15.6 SSDs. This kind of behaviour should be better communicated by Apple I think. Again, thank you so much for this great work of yours! Best e.

LikeLiked by 1 person
- 8
  
  hoakley on September 15, 2020 at 12:47 pm
  
  Thank you.
  Yes, using non-standard RAM can prevent firmware updates from occurring, although I can’t understand why it should. That said, there are also plenty of Macs with non-standard RAM which update fine, and plenty of iMac17,1 models which are completely standard yet still won’t update their firmware.
  As you say, slight chaos.
  Regarding Big Sur betas, there are incompatibilities apparent between APFS and possibly a bit more which could account for this. On occasion, my MacBook Pro booting from an external SSD with the beta installed on it has been unable to find its internal SSD, but so far that’s been only temporary.
  Howard.
  
  LikeLike
9

TomJ72 on September 15, 2020 at 11:58 am

How does the firmware affect virtual machines like Parallels?

LikeLiked by 1 person
- 10
  
  hoakley on September 15, 2020 at 12:49 pm
  
  A good question. I believe that virtualisation environments like Parallels have to provide a virtualised firmware, which is the concern of their developers. Although a macOS VM appears to install firmware, that’s only within the VM, of course. The host Mac’s firmware remains completely independent of that.
  Howard.
  
  LikeLike
11

alvarnell on September 15, 2020 at 12:33 pm

I think it’s important to realize that eficheck is intended to ensure that a given version of a firmware has not been modified. So it’s true that it won’t tell you if you are up to date, but it still performs an important security check.

LikeLiked by 1 person
- 12
  
  hoakley on September 15, 2020 at 12:57 pm
  
  Thank you, Al.
  I’ve explained in detail what we know about eficheck. Yes, it computes a hash of the installed firmware and checks that against its allow list of hashes. Any alteration – accidental or malicious – should be detected and (with user permission) reported to Apple.
  Historically, it arose out of Duo’s project which demonstrated how many Macs were running very old firmware versions. As eficheck checks against an allow list of hashes, you’d have thought that it might take the opportunity to distinguish between good but out-of-date firmware, and good and current firmware. But it doesn’t seem to do that, which I think is odd given that motivation.
  It’s also worth noting that eficheck doesn’t necessarily even warn the user when firmware doesn’t match an entry in its allow list: in many cases, that’s only recorded in the log.
  We also know that some firmware versions have had vulnerabilities – something which Apple used to list in its security release notes – but that doesn’t seem to worry eficheck either. And with so many T2 models now I suspect that it has served its purpose, and Macs will be left without any means of checking their firmware for anything.
  Howard.
  
  LikeLike
13

Joe on September 15, 2020 at 8:26 pm

I wonder if there are exceptions. For example my wife’s macbook air was running High Sierra at the beginning of the year and I decided to upgrade to Mojave. We than noticed that the battery was draining much faster than before.
Since the only thing that had changed was the version of the OS I reverted back to High Sierra which brought things back to normal.
Using your SilentKnight utility it tells me that I am up to date with the firmware 195.0.0.0.0 on High Sierra.
My only conclusion is that at some point this version must have been also used by Mojave otherwise I would have a newer version than what High Sierra should have but that is not the case.
Could this be pure luck due to timing.
JR

LikeLiked by 1 person
- 14
  
  hoakley on September 15, 2020 at 10:53 pm
  
  Thank you.
  At the time, High Sierra and Mojave were receiving security updates, as they still are, and broadly kept in step with their firmware updaters. So you would expect to both show the same version when installed.
  Howard.
  
  LikeLike
15

Robert Hancock on September 15, 2020 at 9:16 pm

Mac firmware can be read and written usind a SOP clip and ch431a µprogrammer (total cost <5£) plus the flashrom program running on Windows, Linux or even a Homebrew Mac. With some effort and access to an identical 17,1 iMac, it is not impossible to update even a 17,1 to the latest bootrom this way. There might be some Apple news on the 17,1 issue soon.

LikeLiked by 2 people
- 16
  
  hoakley on September 15, 2020 at 10:56 pm
  
  Thank you.
  I don’t think that’s exactly straightforward for the average Mac user. Given the complexity of the internals, I wouldn’t even suggest it as a solution. But it’s nice to known that it exists.
  Howard.
  
  LikeLiked by 1 person
  - 17
    
    BKDad on September 16, 2020 at 4:13 pm
    
    I agree.
    
    There has to be a good, even if not pleasant to hear, reason why these computers won’t update the firmware from official MacOS upgrades. So, using a direct to hardware upgrade may not be of help in this case.
    
    Still, it’s good to know that a service shop with all the tools can do this kind of operation. Better than replacing the logic board.
    
    LikeLiked by 1 person
18

BKDad on September 16, 2020 at 2:37 am

We own one of the iMac 17.1 models that won’t update.

I spent hours on the phone with various Apple technical people asking why I get a scary message every month or two about the firmware being wrong. Every single one hadn’t a clue of the problem, or even who to ask about it. These people were certainly nice enough about the situation, but weren’t really helpful. But, at least my problem was documented.

Of course, other people here have experienced much the same. Howard has made a great effort to educate people on this, and has tried to educate Apple. Apple obviously has a reason why they’re keeping a lid on this. That doesn’t give me a good feeling. Keep in mind that when we purchased this computer, it was the most advanced and expensive iMac model available. (The Mac Pro of the day was getting mixed reviews and eventually fell even further.) So, I don’t think it’s asking too much to be dealt with honestly.

My conclusions and path forward are simple.

One is that I won’t ever update the MacOS version in this computer as long as the firmware is stuck. I think that’s asking for trouble. Of course, that does leave us somewhat vulnerable to various security issues, but I think the odds of a bricked computer are just as great.

We used to buy a new iMac every couple of years because some feature was quite compelling. Whether it was the Retina display, internal SSDs, or processor advances, it was worth spending the money and putting us on track for really benefitting from the latest operating system upgrades. But, based on some of my friend’s experiences and things I’ve read, I’m pretty pleased that we stayed with Mojave instead of moving to Catalina. Big Sur is clearly aimed toward migration to new Apple silicon, as it should be. I don’t think installing on this computer makes sense. The newest features just aren’t that great.

So, if this computer develops a problem, we are almost certainly going to pay for a new logic board, power supply, or display rather than purchase a new iMac. This isn’t our attempt to punish Apple – it’s just a realization that newer isn’t always that much better, at least for our own needs. We aren’t developers nor do we edit video. Those are two areas where faster would be a significant advantage. For other applications, maybe not so much. Even engineering software I use runs very well on this computer – faster than on my work computer – and it isn’t clear how many engineering software companies will take the time to move to the new silicon when their main market uses PCs. Or Linux.

We don’t have a desire to be some of the cool kids. We just want our gear to work and stay working within reasonable boundaries. I’m sure new iMacs with Apple silicon will perform better in some ways, but in meaningful ways for us? Time will tell on that, of course, but if Apple is fine with burying this problem, do we really want to volunteer for that again?

LikeLiked by 1 person
- 19
  
  alvarnell on September 16, 2020 at 2:49 am
  
  At this time, I can’t agree with your decision not to update. I am in daily contact with at least three individuals with the same issue as you have and none of them have experienced any issue that appears firmware related, let alone bricking their computer, and they are running the very latest macOS out there today. So as of this moment in time, I would consider the lack of Security Updates a more risky choice.
  
  LikeLiked by 2 people
  - 20
    
    BKDad on September 16, 2020 at 4:17 pm
    
    Since I’ve embraced this philosophy, there has been one MacOS upgrade. I think that upgrade only addressed a single possible security problem for Mojave. (Lots of Catalina changes)
    
    I’m just afraid that Apple either knows there’s a problem they can’t address with a firmware upgrade, or that they aren’t testing across the entire span of iMac devices. Neither makes me feel good.
    
    Maybe things will change, but I’m not really sure Apple has any inclination to invest in fixing this problem. Eventually, it will go away for them when they sunset support for this model.
    
    LikeLiked by 1 person
    - 21
      
      alvarnell on September 17, 2020 at 1:51 am
      
      You are correct that there was only one Mojave patch included in the latest Security Update 2020-004. There was a Safari 14 update today that included four more https://lists.apple.com/archives/security-announce/2020/Sep/msg00002.html. I would also encourage you to make certain that all background updates (XProtect, MRT, etc.) take place as neither Safari nor backgrounds have never included firmware updates and I can’t image that they ever will. LockRattler can help with that if you insist on only manual updates.
      
      LikeLiked by 1 person
22

Robert Hancock on September 16, 2020 at 11:42 pm

Apple is NOW fully aware of the 17,1 firmware upgrade issue and has captured some of the affected iMacs in the engineering labs. They ARE working on understanding the cause and should develop a fix hopefully.

LikeLiked by 1 person
- 23
  
  BKDad on September 16, 2020 at 11:48 pm
  
  That’s great news. I hope it works out. Thanks for the information.
  
  Now, why they didn’t get the message from the likes of Howard and others…
  
  LikeLiked by 1 person
  - 24
    
    Robert Hancock on September 16, 2020 at 11:54 pm
    
    An engineer reading a description but not having a Mac actually displaying the problem is very different from having a Mac or two sitting on a test bench with the issue. Now it’s a real problem requiring an engineering fix.
    
    LikeLiked by 1 person
    - 25
      
      BKDad on September 17, 2020 at 12:18 am
      
      I get that, completely.
      
      It’s really unlikely that Apple allows bugs into the field knowingly. If they don’t have samples of all the models that a firmware change might affect, OK. But, when multiple field reports show up all saying much the same thing, shouldn’t they pursue it?
      
      It’s been documented that this problem has been reported to Apple multiple times. Howard has a few posts about his efforts to communicate this.
      
      If the normal channels of bug reporting are not effective, do you have suggestions for an alternate approach?
      
      I’m not complaining to you, but you seem to have more insight than the rest of us.
      
      LikeLiked by 1 person
- 26
  
  hoakley on September 17, 2020 at 5:58 am
  
  Thank you. Can you give any more details of how this was achieved? My longstanding Feedback report appears to have been ignored completely, which isn’t how this is supposed to work.
  Howard.
  
  LikeLike
  - 27
    
    Robert Hancock on September 17, 2020 at 6:06 am
    
    Has to be offsite
    
    LikeLiked by 1 person
28

Firmware Basics | on September 24, 2020 at 6:00 am

[…] whole concept of Firmware is quite technical. This article describes the basics of Firmware. It is technical so it might not be for everyone. However, at the end of the […]

LikeLike
29

tsunamicoder on October 29, 2020 at 1:24 am

Hello Hoakley,

I like how you mentioned, you cannot rollback your firmware once you perform an upgrade. I know a lot of times in the firmware industry this is done for good reasons.

I remember one instance many years ago a serial flash chip we were using went end of life and the new flash chips we had as a replacement were slightly different. Because of this we had to modify the old serial flash driver to work for both the old serial flash chips and the new serial flash chips. When this code was released we didn’t want a customer somehow putting an old release of firmware on new hardware or it wouldn’t work!! So, we implemented a version check that wouldn’t allow old code to run on new devices. If we didn’t do this then a customer would brick their device (ouch)!!

Firmware, can be tricky business to update especially once it is out in the wild! Thanks again for great post!

If anyone is interested about what firmware engineering is please checkout my post for a high level overview!

https://tsunamicode.com/general-engineering/what-is-firmware-engineering/

Cheers!

Brandon

LikeLiked by 1 person
- 30
  
  hoakley on October 29, 2020 at 6:01 am
  
  Thank you – that’s very useful.
  Howard.
  
  LikeLike