Launching Recovery on an M1 Mac: Booting and control in 11.4

Having looked at how an M1 Mac boots into macOS yesterday, today it’s the turn of its unique Recovery system. Unlike Recovery and its related modes on Intel Macs, which include some UEFI apps, Apple has completely redesigned the recovery environment, which is kept in its own container (partition) on the internal SSD. The end result is far more consistent, coherent and capable.

As I explained a couple of days ago, there are only two ways for a user to boot an M1 Mac into a Recovery mode: press and hold the Power button for the normal mode, or press twice and hold the Power button for fallback recovery mode instead, when it’s available.

Pressing the Power button starts what appears to be a normal boot process, with the Boot ROM handing over to the first stage LLB to start firmware signature validation. At some early stage, though, the LLB has to determine which of the two recovery modes has been called, according to the pattern of presses on the Power button.

In all normal circumstances, the Power button will simply have been pressed and held, which calls for 1 True Recovery (1TR). To achieve that, LLB validates LocalPolicy for recoveryOS. As that can’t be downgraded below Full Security, that should be straightforward. It also locks a flag in the Boot Progress Register to indicate that this is a user-initiated launch of recoveryOS.

LLB then hands over to a custom iBoot (stage 2) which performs validations and loads a fixed set of firmware, kernel extensions, and the device tree. There’s no scope for recoveryOS to load third-party kernel extensions, of course, as it’s running in Full Security mode. Finally, recoveryOS is loaded and run, with one key setting: because of the flag set in the Boot Progress Register, both Startup Security Utility and bputil are enabled, and shouldn’t return errors.

When the double-press and hold action with the Power button has been used instead, a similar boot process ensues, with two important differences. First, LLB doesn’t lock the flag in the Boot Progress Register, so that when Fallback Recovery (frOS) has loaded, any attempt to use Startup Security Utility or bputil will fail. The other difference is that the current recoveryOS isn’t loaded, but the recoveryOS from the previous macOS installation, if that’s available. For example, when Fallback Recovery succeeds on a Mac running 11.4, it’s likely to load and run the preserved recoveryOS from macOS 11.3.1. That could be quite different in some respects from the current recovery, which is always used otherwise.

These two boot sequences are shown in the diagram below.


The third recovery mode is more complex and less understood at present. That occurs not when the user calls for it with the Power button, but when Apple software calls for recoveryOS. This is less clear, as it’s almost undocumented, and in 11.4 at least appears to be made available through a new private framework. It’s thus unclear whether it’s likely to be macOS, LLB or iBoot which calls for a visit to recoveryOS, and its entry point could be the Boot ROM rather than LLB.

This shouldn’t normally present you with the regular front page of the recovery system, showing disks and the Options icon, but will normally launch one of the tools from within recoveryOS so you can fix a problem that has occurred. The way in which recoveryOS is booted is the same as that initiated by the user, but because the user may not be physically present, no flag is locked in the Boot Progress Register, and any attempt to use Startup Security Utility or bputil will fail. Otherwise recoveryOS (not frOS) is loaded and the requested tool launched.

There is one possible exception to that rule: according to man bputil, it should be possible to set a bootable volume group to Full or Reduced Security using bputil when recoveryOS has been launched from software, as well as in 1TR. I haven’t confirmed that in 11.4.

An example of this is Recovery Assistant, which may appear when you try to restart from your Mac’s internal SSD when it has been booted from an external disk. After the startup chime, instead of booting into macOS from the internal disk, the Mac starts up in software-launched recoveryOS. This first prompts the user to select a known user (of the internal SSD) that you know the password for. Selecting the user and clicking the Next button then displays an authentication dialog for the password.

When that’s been entered, there’s a long pause before the app announces that authentication succeeded and offers a button to Restart the Mac using the internal SSD. When you do so, the Mac restarts, sounds a second startup chime, and should then boot macOS as expected.

This Recovery Assistant app offers a limited range of features: its Apple menu contains commands to set the Startup Disk, Restart and Shut Down. The app’s menu offers an About window, and to Erase Mac. In macOS 11.4, the version number given is 1.0 (132.4), with a copyright of 2019!

For those still in doubt over the existence of software-launched recoveryOS, it is mentioned in man bputil.

Finally, however recoveryOS is launched, it has a rich range of apps available when you can get at them. These include Recovery Assistants, macOS Update Assistant, Time Machine System Restore, Disk Utility, Terminal, and the current version of Safari. Users can also run their own tools, although I don’t think that they can be installed in recoveryOS as such, but can be run from other accessible volumes.

I am grateful to Pico for pointing out a typo in the first version of the diagram, and for other corrections to my mistakes.