hoakley July 7, 2023 Macs, Technology

When to revive or restore in DFU mode

It’s not that long ago that taking a Mac back to ‘bare metal’ was a simple matter of booting from an external disk and reformatting the internal drive, followed by installing macOS from scratch. Of course that didn’t do anything with the Mac’s firmware, which you were stuck with. While you can certainly boot a T2 or Apple silicon Mac into Recovery, wipe and rebuild its macOS partition (container), in many cases that isn’t likely to be sufficient to return it to full working order. This article looks at some good reasons for taking a modern Mac back to bare metal and starting from scratch.

Reasoning

In those older and simpler times, the internal boot disk had just two partitions: a hidden EFI partition, and the main container for its APFS volumes. That started to become more complex when a dedicated Recovery volume was added, and since Big Sur even Intel Macs have had at least five APFS volumes in that main macOS container.

bootdiskstructureintelvent

From the start, Apple silicon Macs have come with three containers or partitions on their internal SSD, of which only one is used for the five volumes making up the boot volume group. Erasing just that macOS container can’t fix some problems occurring with the internal SSD.

bootdiskstructureMm1vent

DFU mode is run from the Boot ROM of Apple silicon Macs, so is the lowest level at which they can run. It’s so basic that it doesn’t even support Thunderbolt connections, only USB-C. Because it doesn’t rely on firmware such as LLB or iBoot, those have to be sent over the USB connection from the Mac running Apple Configurator 2. Apple provides detailed instructions for this in the Help book for Configurator 2, also available online for Apple silicon and T2 Intel models.

Firmware and system software for a revive or full restore of an Apple silicon Mac in DFU mode comes in an IPSW image, supplied only by Apple. Configurator will happily download the current 14 GB image for you, and previous versions are accessible through Mr. Macintosh’s listing. Reviving installs a fresh copy of all the firmware and the Recovery container on the internal SSD, but leaves the macOS container untouched. Restoring erases the whole internal SSD, then installs the firmware, Recovery and macOS containers to the same state when that Mac was first unboxed, ready for personalisation and configuration of the fresh copy of macOS, and migration of data from a backup.

For T2 Macs, the processes are slightly different. Reviving downloads and installs the current iBridge (BridgeOS) firmware, but doesn’t touch the System or Data volumes in the macOS container. Restoring installs the current firmware and erases the boot volume group. Following that, you have to boot the Mac into internet (Remote) Recovery to download and install the current version of macOS, then migrate from a backup.

As a general principle, unless you want to completely erase the internal SSD, you should try to revive first. If that fails, or doesn’t fix the problem, then proceed to restore.

Automatic

There are some circumstances where Apple silicon Macs enter DFU mode as a last resort, for example when their firmware has become damaged. Most then shown no obvious signs of life. This is even true of MacBook Pro models with MagSafe 3 power cables: in DFU mode, their LED doesn’t light up. Neither will a notebook keyboard light, nor is there normally any indication that a built-in display has power.

Notable exceptions to this are:

Mac Studio and Mac mini, whose power status indicator light should display amber;
Mac Pro 2019, whose status indicator light should display amber and may flash.

For all models, once Apple Configurator has connected successfully to the Mac in DFU mode, you should see the Apple logo and a progress bar on any connected display during IPSW download.

For the Mac Pro 2019, the status indicator light will flash amber in different patterns as a result of memory, PCIe card and other faults. Apple explains those here.

Spontaneously entering DFU mode should be a very rare event, but in most cases the only way to determine whether it has happened is to connect the Mac using a suitable USB cable to another Mac running Apple Configurator 2, which should then connect to the Mac in DFU mode.

Boot loop

One well-known if rare cause of boot looping, where the Mac panics and restarts in an endless loop, is a problem with firmware. For T2 and Apple silicon Macs, the preferred solution is to shut the Mac down, boot it in DFU mode and revive the affected Mac. If that doesn’t fix the boot looping, then a full restore is necessary.

Locked Mac

A full restore is the only reliable way to access a T2 or Apple silicon Mac that can’t be unlocked because the password has been lost, and no recovery is possible using the Apple ID or Recovery Key.

Roll back macOS and firmware

Intel Macs are unable to roll back macOS and its firmware in DFU mode as Apple doesn’t supply old versions of firmware, and old macOS can’t be installed using internet Recovery.

Apple silicon Macs can readily be reverted to older firmware and macOS, though, by putting them into DFU mode and restoring that older version of macOS complete with its firmware in the appropriate IPSW image.

Lost Recovery Mode

Rarely, both regular paired Recovery, in the boot volume group, and Fallback Recovery, in its separate container on the internal SSD, may be lost on an Apple silicon Mac. The only way to restore Recovery then is by reviving or restoring in DFU mode.

For T2 Macs, if both local and internet (Remote) Recovery are unavailable, a full restore is necessary.

Deployment

DFU mode can provide a quick and effective way to deploy Macs in small to enterprise settings, for example specialist twocanoes offers its MDS.

Deep sanitisation

Macs that have been used with potentially malicious software or in other circumstances in which they need to be erased completely should be restored in DFU mode, as the only code that isn’t erased and replaced is that in their Boot ROM.

Cleaning

Preparing a Mac for disposal by completely erasing all non-system data shouldn’t normally require the use of DFU mode. Both T2 and Apple silicon Macs offer Erase All Content and Settings (EACAS) as the preferred method for doing this, as it’s quicker, simpler, and minimises erase cycles on the internal SSD.

Other situations in which internal storage might have been erased in the past are also usually better addressed using EACAS, provided that the Mac’s firmware and system software are functioning normally.

20Comments

Add yours

1

Enzo Vincenzo on July 7, 2023 at 7:44 am

A great and important article! Also thanks to it I will be able to overcome the indecisions of switching from Intel technology to Apple Silicon. Thanks!
[A sincere and serious invitation.
Given that I fell in love with Macs thanks to David Pogue’s first “Missing Manual” because that book allowed me to see the System and Hardware with X-Rays and made me feel in control of my Macs: from formatting to the Mac OS X use, Unix and Terminal secrets included, etc., why don’t you write a book? I would pay gold for one of your books and I think I wouldn’t be the only one since, on the Internet and on the world, you are the only person who can make us physically “visualize” the structure of our Macs and macOS. After that, you are full of information about Firmware, XProtect, hidden but essential functions and features of macOS, etc.]
So, thank you and thank you so much and thank you so much for this article!

LikeLiked by 2 people
- 2
  
  hoakley on July 7, 2023 at 7:50 am
  
  Thank you.
  The trouble with writing books now is that by the time you’ve finished chapter 2, the first chapter is already out of date. I was once commissioned to write a book on Mac OS X Server. Before the deal could be signed, Apple changed it so much that the book was already out of date, before I had even started!
  Howard.
  
  LikeLiked by 2 people
3

Scott Colby on July 7, 2023 at 8:34 pm

Indeed, Howard, I suspect that is the primary reason why most user guides for both software and even many physical hardware products are now provided in the form of on-line documents. Not only does software continue to receive updates and bug-fixes, but time brings the discover of documentation errors and previously unknown (or undisclosed) issues. In fact, it would not surprise me if David Pogue discontinued his fine Missing Manual series because hard-copy user manuals were becoming outdated so rapidly.

On an unrelated note, thank you, Howard, for the software apps and on-line articles you have been making available for quite some time now. They are an excellent resource for we Mac users.

LikeLiked by 1 person
- 4
  
  hoakley on July 8, 2023 at 5:52 am
  
  Thank you.
  One of the big problems with modern online documentation is that it lacks the coherent explanations that are so important in well-written books. They explain fundamental concepts as well as layering detail over that. Apple has discontinued writing any conceptual accounts of macOS internals, which leaves us trying to make sense of a mass of disparate detail. The end result is we know what to do, but not why, nor how to use that information to tackle the unforeseen.
  Howard.
  
  LikeLike
  - 5
    
    BenSar on July 8, 2023 at 3:05 pm
    
    …. and this insight and coherence is what your daily articles supply.
    
    Thank you – yet again – for the pace, depth and utilities you gift us. Managing a modern Apple system is more possible (nay, tolerable!) thanks to your work and generosity in sharing all of this.
    
    LikeLiked by 1 person
    - 6
      
      hoakley on July 8, 2023 at 6:36 pm
      
      Thank you.
      Howard.
      
      LikeLike
7

sydsyd on July 7, 2023 at 11:30 pm

Thanks Howard – I wish I had known about this when I had an iMac Pro (intel). It wouldn’t go into recovery mode “randomly”. I would have done a DFU-Revive to see if that would have fixed it.

LikeLiked by 1 person
- 8
  
  hoakley on July 8, 2023 at 5:53 am
  
  Thank you – yes, it may well have done.
  Howard.
  
  LikeLike
9

Jimmy on July 8, 2023 at 3:00 am

Another great article I’ll have to read twice. 🙂 Dumb question: How to I get a mac into DFU mode? *Also, just opening  Configurator, it looks more than a bit daunting. Yikes. Brave new world…

LikeLiked by 1 person
- 10
  
  hoakley on July 8, 2023 at 5:57 am
  
  The best guide on how to enter DFU mode is in Configurator’s documentation, as linked to above, as it varies according to model. There can be something of a knack to some of them, but they’re not that hard. For instance, a Studio or M-series mini needs to be disconnected from power for at least 10 seconds. Then, when ready to reconnect it, you first press and hold the Power button, connect the mains cable, then release the Power button.
  Yes, DFU mode can seem daunting at first. When you’ve done it once or twice, you realise that it’s like anything else, and actually straightforward and a valuable tool.
  Howard.
  
  LikeLike
  - 11
    
    Jimmy on July 8, 2023 at 12:54 pm
    
    Thanks a lot.
    
    LikeLiked by 1 person
  - 12
    
    Jimmy on July 8, 2023 at 12:55 pm
    
    Thanks a lot. Will test as soon as I have another  silicon Mac to attach!
    
    LikeLiked by 1 person
    - 13
      
      hoakley on July 8, 2023 at 6:28 pm
      
      You do know that you don’t need to connect an Apple silicon Mac to an Apple silicon Mac, but can mix and match with Intel Macs too? I’ve only ever connected using my iMac Pro, which works fine to an Apple silicon Mac in DFU mode.
      Howard.
      
      LikeLike
14

Average Apple Enjoyer on July 12, 2023 at 7:33 am

Does Apple verify the signature of IPSW images?
And is there any chance that they will only allow the latest version of macOS to be installed as with iOS?

LikeLiked by 1 person
- 15
  
  hoakley on July 12, 2023 at 7:43 am
  
  IPSW images are of course signed. If they weren’t they’d be a wonderful way of distributing malicious software. Yes, those signatures are checked, otherwise there’d be no point in signing them, would there?
  Currently, pretty well every release of macOS going back to 11.0.1 in November 2020, and a great many betas, are available and their signatures remain valid.
  Why on earth would Apple want to withdraw any of those – after all, I’m sure that Apple’s own engineers rely on them too?
  iOS and macOS are totally different, as I keep trying to explain. So are Apple silicon Macs and Intel Macs with T2 chips. Just try downgrading an Intel Mac and its firmware!
  Howard.
  
  LikeLike
16

CS on August 9, 2023 at 4:19 pm

Thanks Howard!

Another great article!

I’m wondering if it’s possible that the two containers other than Apple_APFS can be modified by hackers by any means.

Or, assume those two containers are actually been modified. On an Apple silicon Mac with Secuirty Boot set to Full Security, will the boot still process successfully? Or simply fail to DFU mode (because it detects those two containers are not valid Apple ones)?

It seems like an over-kill to do DFU in some cases, but a deep sanitisation is always good if the Mac is purchased from a non-Apple source (like eBay.)

Thanks again!

LikeLiked by 1 person
- 17
  
  hoakley on August 9, 2023 at 8:37 pm
  
  Thank you.
  It’s my understanding that, unless you’re an Apple installer, you can’t get access to those two hidden containers unless you’re in Recovery, which severely limits the tools available.
  If the contents of either container were to be modified, it should be detectable one way or another. The Pre-Boot container mostly contains items that have hashes checked during boot, so that would almost certainly put the Mac into DFU mode and wait for a clean sweep with a fresh IPSW image of the whole disk. The Recovery container only contains a secure disk image of Recovery, which is checked when you try to boot into fallback Recovery. In Big Sur, it held the main Recovery image, but that’s now in the paired Recovery volume in the boot volume group. Changing that would certainly prevent booting in fallback Recovery, but otherwise I don’t think that container is used now.
  As both containers are inaccessible in regular boot, it seems a fairly pointless and extremely difficult hack. If you want to alter how the Mac boots, it won’t achieve anything: the Secure Boot chain ensures that.
  Howard.
  
  LikeLike
  - 18
    
    CS on August 10, 2023 at 12:54 am
    
    Thanks a lot.
    
    That to me seems bulletproof even if the only thing you can wipe in Recovery is the macOS container itself.
    
    Secure boot chain really shines here.
    
    LikeLiked by 1 person
19

nudge on October 1, 2023 at 12:44 pm

Thanks for this excellent article!
Does the erase all content and settings option clear out /usr/local as well ?

LikeLiked by 1 person
- 20
  
  hoakley on October 1, 2023 at 12:48 pm
  
  It destroys everything on the Data volume by throwing the encryption key away. So wherever in the directory tree an item might appear, if it’s stored on the Data volume, it goes.
  Howard
  
  LikeLike