hoakley October 6, 2022 Macs, Technology

Firmware and macOS upgrades

One of the side-effects of upgrading your Mac to a new version of macOS such as Ventura is that it will almost inevitably have its firmware updated. While that should be an important part of running the newer macOS, it may not be what you want if you also plan to run an older version on the same Mac.

Conventional wisdom is that firmware and kernel versions are closely linked, after all the firmware launches the kernel, and any mismatch between them could lead to instability. However, Apple’s firmware appears more flexible, in that most supported Macs happily run any of the three supported kernels on the same version of their firmware. When Apple releases Ventura, it’s likely to release parallel security updates to both Big Sur and Monterey with the same firmware but quite different kernels.

The basic rule when installing any macOS update, upgrade or complete installer is that, when it could install a more recent version of that Mac’s firmware, it will do so, and there’s no way to opt out of that.

This applies regardless of whether that update or installation is applied to an external disk, but doesn’t apply to macOS within Virtual Machines, which work completely differently and can’t touch that Mac’s firmware.

There is one workaround that can preserve the current firmware on a Mac even though it’s upgraded to run a more recent version of macOS: install the newer version to a bootable external disk using another Mac, then move that disk to the Mac you don’t want to undergo firmware upgrade. However, should you install a later update on the same Mac, that would then result in firmware upgrade. It’s also important to remember that could result in instability when running the newer version of macOS with older firmware.

Intel Macs without a T2 chip

Older Macs, with neither a T2 chip nor Apple silicon, only have EFI firmware, which should still be checked by eficheck to ensure that their firmware isn’t too old and hasn’t been corrupted in any way. This is updated by an installer within macOS updates and installers, which contains a complete suite of EFI firmware. Some advanced users extract the firmware updater and use it to update the firmware on their Mac independently of its kernel, but that is hazardous and not something you should attempt on any production Mac.

The rule with EFI firmware is that the user can’t downgrade it. If you run a macOS or firmware installer containing an older version of that Mac’s firmware, it simply won’t be installed. Updating is thus a one-way trip.

Intel Macs with a T2 chip

These have both EFI firmware, used by the Intel side of the hardware, and iBridge or BridgeOS firmware for the T2 chip. Although these are installed separately during updates, I haven’t heard of any T2 Mac that has only updated one, not both. iBridge updates are unmistakable, as the whole of the Intel side including the display shuts down and plays dead for a minute or so, while the T2 firmware is updated.

Supported T2 Macs are also unusual in that they all have exactly the same EFI and iBridge versions, regardless of which of the supported versions of macOS they’re running, and which model they are.

Apple supports two processes for fixing firmware problems on T2 Macs, both requiring another Mac running Apple Configurator 2 (free from the App Store). One merely updates iBridge firmware to the current version, the other restores the whole Mac by updating iBridge and erasing macOS and its Recovery volume on its internal storage, which also wipes all user data. These are described in detail in the Help book for Configurator, and in greater depth by Mr. Macintosh.

Apple silicon Macs

M1 and M2 Macs are at once simpler and more complex. Like T2 Macs, all Apple silicon Macs running current versions of supported macOS (in this case, Big Sur or Monterey) have the same firmware version. However, the iBoot version number, normally used as the firmware version, isn’t actually their firmware at all.

What is definitely more complex is that the iBoot version number normally quoted as the firmware version isn’t firmware as such. Apple silicon Macs start their Secure Boot process from the Boot ROM in hardware, which can’t be changed. That verifies and loads the Low-Level Bootloader (LLB), which is true firmware, and that in turn verifies and loads iBoot, which goes on to load and run the kernel. Usage, though, has made the iBoot version number that given as the Mac’s firmware.

Apple silicon Macs are also unique in that they’re the only type of Mac that can have their firmware downgraded, using Apple Configurator. As with T2 Macs, Configurator can perform a firmware refresh to update their firmware, or a full restore, which installs an IPSW image to replace their current firmware and macOS, and wipe all user data. As Apple provides IPSW images for some older versions, those can be used to downgrade when necessary. Full instructions are given in the Configurator Help book, and IPSW images are available through Mr. Macintosh.

Summary

Mac firmware is normally only updated by macOS updaters and installers;
macOS updaters and installers can’t downgrade firmware;
when you install a macOS update or installer, if it contains a more recent version of the firmware, that Mac will be updated to that version;
that applies even when installing/updating to an external disk, but not inside a Virtual Machine;
T2 firmware problems can be fixed by refreshing firmware in Apple Configurator;
Apple silicon Macs can be similarly refreshed, and can also have their firmware downgraded to an older release of macOS, using the right IPSW image and Apple Configurator.

19Comments

Add yours

1

EcleX on October 6, 2022 at 7:11 am

Thanks for the insteresting article. You said:

“The rule with EFI firmware is that the user can’t downgrade it. If you run a macOS or firmware installer containing an older version of that Mac’s firmware, it simply won’t be installed. Updating is thus a one-way trip”

I guess that if you install a newer macOS version on an external disk (for instance, macOS 13 Ventura beta), the firmware of such Mac is updated and cannot be downgraded. Is that correct? Could that create any conflict when booting from the internal disk containing an older macOS version like macOS 12 Monterey?

LikeLiked by 1 person
- 2
  
  hoakley on October 6, 2022 at 8:57 am
  
  Thank you. If you refer to the summary just above these comments, I state that clearly in the third and fourth items. However, if you look back to the early part of the article, I write: “When Apple releases Ventura, it’s likely to release parallel security updates to both Big Sur and Monterey with the same firmware but quite different kernels.”
  I hope those make it clear.
  Howard.
  
  LikeLike
  - 3
    
    EcleX on October 6, 2022 at 9:51 am
    
    Thanks. But could that create any conflict when booting from the internal disk containing an older macOS version like macOS 12 Monterey, after updating external booting disk with newer macOS 13 Ventura beta?
    
    In other words, is there any danger installing such beta (Ventura) in a booting external disk when the internal booting one contains a previous (Monterey) macOS version? Should a different dedicated Mac should be used to install such beta builds of new macOS versions, using such Mac only for such beta installations and not as production Mac for routine work?
    
    LikeLiked by 1 person
    - 4
      
      hoakley on October 6, 2022 at 11:30 am
      
      Ah. This article is about macOS upgrades, as stated in the title. Betas aren’t macOS upgrades, they’re known to contain bugs, which is one of the main purposes of beta testing. I wrote about this on 2 July, for the public betas of Ventura, where I stated “While that can enforce some degree of separation and protection, it still means that firmware is updated, and still brings significant risk of disaster.” Essentially, you assume that the firmware will contain bugs, and the kernel too, so you’re prepared for the whole system to be broken, and to break that Mac.
      Although it may have escaped your attention, we started testing Ventura betas in June and July, and are just about at the end of that test period, with the release version of Ventura due this month.
      Howard.
      
      LikeLike
    - 5
      
      Tim R on October 6, 2022 at 11:48 am
      
      Howard’s point is exactly why I chose the use a VM for the Ventura beta this time. It’s not a theoretical issue – the very first developer beta of Big Sur (I believe, could’ve been a prior OS) had beta firmware that caused any other volumes to be unable to use Software Update.
      
      LikeLiked by 1 person
    - 6
      
      hoakley on October 6, 2022 at 2:57 pm
      
      Thank you.
      Howard.
      
      LikeLike
    - 7
      
      EcleX on October 6, 2022 at 4:48 pm
      
      Thanks. Then, no problem using a Virtual Machine? I think that the firmware is not installed in the disk, but the machine main board (firmware). If so, it would make no difference if the new macOS version (Ventura beta in this example) is installed into an external disk or a virtual machine of a Mac with older macOS version (Monterey in this example). Is that correct?
      
      LikeLiked by 1 person
    - 8
      
      hoakley on October 6, 2022 at 8:36 pm
      
      I explain this in the fourth paragraph, writing: “This applies regardless of whether that update or installation is applied to an external disk, but doesn’t apply to macOS within Virtual Machines, which work completely differently and can’t touch that Mac’s firmware.”
      So, if you install Ventura on an external disk, that Mac’s firmware will be updated to support that installation. When you install macOS in a virtual machine, it’s quite different and that Mac’s firmware won’t change at all. So there is a huge difference as far as firmware is concerned, and that’s why many prefer to install betas in VMs, and some even consider that’s safe enough to do on a production Mac.
      Howard.
      
      LikeLike
    - 9
      
      EcleX on October 7, 2022 at 4:25 pm
      
      Thanks. You said:
      
      “It’s also important to remember that could result in instability when running the newer version of macOS with older firmware”
      and
      “When you install macOS in a virtual machine, it’s quite different and that Mac’s firmware won’t change at all”
      
      Then, installing a new version (macOS 13 beta like Ventura in this example) in a virtual machine of a Mac with older version (macOS 12 Monterey in this example) could cause also instability?
      
      LikeLiked by 1 person
    - 10
      
      hoakley on October 7, 2022 at 4:31 pm
      
      I don’t think you understand how virtualisation works. Essentially, the virtualiser provides a virtual environment for the guest operating system, complete with its firmware. When a new version of macOS comes out, sometimes virtualisers have problems with the firmware of that guest, but that’s usually temporary, and they then update the virtualiser to fix that. It has nothing whatsoever to do with the firmware installed in the Mac itself, which supports the host operating system, not the guest.
      Howard.
      
      LikeLike
11

Tim R on October 6, 2022 at 8:48 am

Great article. I think dual booting is good for making sure your new OS install is up and running well. Once one’s comfortable with that, long terms needs are likely better suited with a VM. My example (yet to happen but inevitable) is when Apple stops Rosetta 2 support. A VM with the last macOS to support it will be almost certainly the best way to run old Intel only apps on Apple Silicon.

LikeLiked by 1 person
- 12
  
  hoakley on October 6, 2022 at 8:59 am
  
  Thank you.
  Yes, many of us suspect that’s going to be a key function for lightweight virtualisation on Apple silicon, although its current limitations are significant and would limit its usefulness in that role.
  Howard.
  
  LikeLike
13

Simon on October 6, 2022 at 2:53 pm

Thank you for an interesting article. Two simple questions.

1.) If I download the current macOS version from the Mac App Store I can use that to create a bootable installer (eg. on a USB thumb drive). Can such a bootable installer also be used on an M1 Mac? And could it then be used to install Monterey back onto the internal drive *after* I had upgraded that to Ventura? I assume it can’t install over Ventura, but can it be used to wipe the Ventura install and install a fresh Monterey? (assuming apps and data would then be restored via MA from TM).

2.) You specifically note “It’s also important to remember that could result in instability when running the newer version of macOS with older firmware.”, but what about the reverse? Is it known to be problematic to run an older macOS on newer firmware? Specifically, I’m thinking about M1 Macs and a scenario exactly as above where I’d be running Monterey on a Mac that before had been running Ventura. The firmware would then be newer than Monterey. Is that necessarily a recipe for disaster? (I realize reverting the M1 Mac to Monterey with AC2 and Monterey IPSW would get around the firmware issue — just curious what options exist aside from AC2)

LikeLiked by 1 person
- 14
  
  hoakley on October 6, 2022 at 3:07 pm
  
  Thank you. They may be simple questions, but I’m not sure about the answers being simple!
  1. You can make that bootable installer, but it works slightly differently on Apple silicon, because the Mac doesn’t actually boot from it. I’m not sure whether you could use that to wipe the macOS installed on the internal SSD, as that would require you to ‘boot’ from it in Recovery mode, which is of course the Recovery volume in that boot volume group. However, a bootable installer does work well for installing an older version of macOS on an external disk – which I have tested.
  2. This is where you have to read the article very carefully to understand what should happen in that scenario. Although Apple has in the past allowed different parallel versions of supported macOS to run different firmware versions, that’s unusual and normally temporary. Let’s say that Apple releases Monterey 12.6.1 at the same time as Ventura 13.0. I’m fairly certain that they will run the same firmware, so downgrading from Ventura 13.0 to 12.6.1 wouldn’t involve any change in firmware. However, downgrading to 12.3 could be more of a problem, as that does definitely have different firmware, even from 12.6.
  The great thing with Apple silicon, though, is that if the worst comes to the worst you can always restore from an IPSW for an older version of macOS. You don’t need another Apple silicon Mac to do that, as all recent Intel models can do it fine, and if you don’t have access to one, I’m sure your nearest Apple store will be happy to do it for you. That’s wonderful insurance that we’ve never had before.
  Howard.
  
  LikeLike
  - 15
    
    Simon on October 7, 2022 at 5:43 am
    
    Thank you, Howard. Much appreciated, as always.
    
    LikeLiked by 1 person
16

Rob M. on October 6, 2022 at 4:47 pm

Howard,
This is a little bit off topic but you mentioned in one of your answers that the Kernel has changed quite a bit, in the last few releases. I did go back and read your posts on the subject. Is there a source giving overview info on the changes and future direction? It’s pure curiosity on my part.

LikeLiked by 1 person
- 17
  
  hoakley on October 6, 2022 at 8:32 pm
  
  There have been quite a few documented fixes to security vulnerabilities found in the kernel. It’s not unusual to see the security release notes record 3-5 such fixes in each update to Monterey. Beyond that there are occasional glimpses into more extensive changes, but Apple has long since abandoned providing detailed release notes for macOS updates.
  I’m not aware of any independently compiled source on this, and as Apple almost never states what it intends in the future, no one knows where the kernel is heading. Apple does periodically release the XNU source code, and I suppose you could diff that, but that would involve a lot of effort.
  Howard.
  
  LikeLike
18

EcleX on October 7, 2022 at 6:59 am

You said “If you run a macOS or firmware installer”.

I understand that macOS updates/upgrades install new firmware when needed, but are there standalone firmware installers? I mean, is there a way to install or update firmware other than using a macOS update/upgrade installer? Thanks.

LikeLiked by 1 person
- 19
  
  hoakley on October 7, 2022 at 7:44 am
  
  Again, I have anticipated this question in the article, where I write: “Some advanced users extract the firmware updater and use it to update the firmware on their Mac independently of its kernel, but that is hazardous and not something you should attempt on any production Mac.”
  So no, Apple doesn’t provide them, as I state clearly. In spite of that, some users do try to do that, and no it’s not recommended, for reasons that are also explained above.
  Howard.
  
  LikeLike

·Comments are closed.

Share this:

Related