hoakley July 15, 2023 Macs, Technology

Why can’t you just roll back from a bad macOS update?

As some of us learned in the last week, it’s easy to uninstall a troublesome Rapid Security Response (RSR). Several naturally asked why that isn’t possible with a macOS update, pointing out that it was available and worryingly popular between High Sierra and Catalina 10.15.2, since when the ability has been lost.

RSRs are designed to be quick and simple to install and uninstall, as they’re rapid patches that don’t undergo much testing, and aren’t released to developers as betas. While Apple doesn’t intend that they cause the problem that arose with Ventura 13.4.1 (a) last Monday, the risk of them doing so is inherently greater.

RSRs are also far simpler than even a very small macOS update, as they don’t change anything in the Signed System Volume (SSV) that your Mac boots from. They’re small well-protected files of a type known as a Cryptex that are loaded separately during the boot process, without any involvement of snapshots or the tree of hashes used to seal the contents of the SSV. Software Update can thus provide a simple option to install a given RSR when it’s available, and to uninstall it by replacing its Cryptexes with those previous to the RSR.

The SSV is far more than the plain snapshots used to make roll back so easy in High Sierra. To create it, it has firmlinks to the Data volume built in, the snapshot is made, then the installer builds a tree of cryptographic hashes to include its entire contents, culminating in the seal. That’s a hash of the hashes in the next level down, and so on until you reach individual files in that snapshot. These enable the entire contents of the SSV to be verified down to the last bit. A hash is made of that seal, to act as the signature of the SSV, and compared with the value set by Apple for that version of macOS.

In the days of High Sierra, through to Catalina, macOS updates were essentially large and complicated Installer packages. The actions required to create the SSV require far more than the Installer app could ever achieve, so each macOS installer and updater comes with its own ‘update brain’ to handle these tasks. While in theory an update could leave the old SSV alongside the new, being able to roll back to the old would present major difficulties, including:

The old SSV would occupy up to 9 GB of disk space until it’s deleted. While some users might be happy to lose that, the great majority wouldn’t. Some mechanism would also be required to delete the old SSV and commit fully to the update when the user is happy to do that.
To be able to roll back to the previous SSV, all the firmlinks between the updated SSV and the Data volume would have to be broken, and remade between the old SSV and the same Data volume. All the evidence is that wouldn’t be easy, could be unreliable, and may not even be feasible. Without that, roll back couldn’t work.
As some of macOS is still installed on the Data volume, reverting that would need to be addressed separately.
None of this would address the problem of rolling back firmware updates, although those are often the primary reason for wanting to return to the previous version of macOS.
Roll back would require its own software tools, perhaps in a separate updater-like download.
There’s a risk that a roll back would result in the SSV’s hash tree and signature being broken. Provision would therefore be required to reinstall that older version of macOS.

For those who decide that they want to roll back a macOS update on an Apple silicon Mac, by far the simplest procedure is to back the Mac up fully, put it into DFU mode, use Configurator 2 to restore the IPSW image for the previous version of macOS including its firmware, then to migrate the backup to that fresh boot disk. That also caters for all problems that may have arisen with the update.

30Comments

Add yours

1

Zorin on July 15, 2023 at 2:05 pm

Apple could make it incredibly easy to roll back from a bad MacOS update. I’m surprised they don’t.

All they have to do is take a rollback snapshot of all volumes including the data volume. If the user wants to go back, they can agree to a dialog saying their data partition will be rolled back to how it was, losing any changes since the update. Then do the rollback and it’ll be like the update never happened.

My theory as to why they don’t offer this is that someone won’t understand the warning and lose data and then blame Apple. At the very least they could offer this during the beta period; if someone upgrades to the beta it should be a single click to go back if it’s too problematic for them to run and test.

LikeLiked by 1 person
- 2
  
  hoakley on July 15, 2023 at 2:16 pm
  
  If you really think it’s that simple, why not try it?
  The answer is because it won’t work because of the firmlinks, as I have tried to explain above, something that you carefully avoid explaining.
  Howard.
  
  LikeLiked by 1 person
  - 3
    
    Zorin on July 20, 2023 at 3:46 pm
    
    If a snapshot truly is a *SNAPSHOT* then the state of the firmlinks should be part of the snapshot and should be restored when you roll back.
    
    If it doesn’t work as you say then I consider this a problem with APFS because snapshots should be true snapshots, encompassing everything about a filesystem. To be honest, I’m not surprised; Apple has always done some things in oddball ways.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on July 20, 2023 at 4:00 pm
      
      I have tried to explain this above. Firmlinks are AFAIK unique to Apple, and join the System and Data volumes together. If that’s oddball, then I’m all for oddball, please, as it works amazingly well.
      Howard.
      
      LikeLike
5

Sab Gigo on July 15, 2023 at 4:44 pm

Thank you, Howard. I’ve always wondered what Mac firmware encompasses. I remember a time when firmware updates seemed to be few and far between the macOS updates, and now, each update seems to be accompanied by a firmware update. In iOS, it seems that a firmware cannot be rolled back to a previous version, and thus, is to a degree protective of malware and hacking of the device. The importance of the firmware for Macs is critical, and yet, it seems that the updates are more frequent than would be strictly necessary. Also, Apple has some responsibility of ensuring that the latest firmware (especially when applied to beta testing) be compatible (fully?) with previous versions of macOS, not just for the user, but for developer testing as well. Would you consider devoting an article for discussion of Apple firmware functions, features and what can be inferred to change with an update, if this would fit into your incredibly full and busy schedule? Thank you for all you do to benefit the population of Apple users.

LikeLiked by 1 person
- 6
  
  hoakley on July 15, 2023 at 8:02 pm
  
  Thank you. I’ll put that on my list – I can’t promise it this coming week, but I will get round to it soon.
  Howard.
  
  LikeLiked by 1 person
  - 7
    
    hoakley on July 16, 2023 at 9:09 pm
    
    Scheduled for Tuesday morning.
    Howard.
    
    LikeLiked by 1 person
8

Martyn on July 17, 2023 at 7:18 pm

Thanks for explaining this. I guess I can save myself the experimentation with attempting to have two data volumes linked to one SSV now, as the firmlink issue would surely present itself the moment an in-place upgrade occurs…

LikeLiked by 1 person
- 9
  
  hoakley on July 17, 2023 at 9:25 pm
  
  As there’s no way anyone outside Apple can make a true firmlink, as opposed to the ‘synthetic’ firmlinks that are available to users, I’d be interested to know if anyone does think they could do so.
  It’s not an easy process, and in the days of Big Sur it often failed, leaving orphaned Data volumes, with the System volume firmlinked to a fresh Data volume. There was no way to undo that, either.
  From what I gathered at the time, at least one end of each firmlink has to be created before there are any files populating that file system, which is why Apple has never tried to provide a tool to make or repair firmlinks. Although they seem more reliable now, I suspect there’s still a fair bit of magic involved.
  Howard.
  
  LikeLike
10

toke lahti on July 20, 2023 at 9:46 am

Once again, because knowledge seems to live hear,
I seek help, once more.

I used TimeMachine backups for 13 years without problems.
Then I upgraded from Mojave to Monterey.

Now, my last “long history” TM backup disk is corrupted.

Can anybody help?

TokesMini2018:~ ext-toke$ sudo fsck_hfs -r -d /dev/disk6s2
Password:
journal_replay(/dev/disk6s2) returned 0
** /dev/rdisk6s2
Using cacheBlockSize=32K cacheTotalBlock=81920 cacheSize=2621440K.
Executing fsck_hfs (version hfs-627.100.6).
Invalid content in journal
** Checking Journaled HFS Plus volume.
Invalid B-tree node size
(4, 0)
** The volume could not be verified completely.
volume check failed with error 7
volume type is pure HFS+
primary MDB is at block 0 0x00
alternate MDB is at block 0 0x00
primary VHB is at block 2 0x02
alternate VHB is at block 15627381342 0x3a376ea5e
sector size = 512 0x200
VolumeObject flags = 0x07
total sectors for volume = 15627381344 0x3a376ea60
total sectors for embedded volume = 0 0x00
Invalid content in journal
(4, 0)
CheckHFS returned -1317, fsmodified = 1

LikeLiked by 1 person
- 11
  
  hoakley on July 20, 2023 at 9:57 am
  
  The only way forward is to try DiskWarrior, I’m afraid.
  Howard
  
  LikeLike
  - 12
    
    toke lahti on July 20, 2023 at 2:42 pm
    
    Yep, this might get expensive.
    
    I wonder why many places like this: https://www.cgsecurity.org/testdisk_doc/repairing_filesystem.html#repairing-filesystems-from-macos
    advice to use
    
    sudo fsck /dev/disk1s1
    
    Which does not work in Ventura, but when it stopped working?
    
    LikeLiked by 1 person
    - 13
      
      hoakley on July 20, 2023 at 3:59 pm
      
      AFAIK, fsck still works fine. However, all fsck does is call the correct fsck_ version for the file system you’re using. In your case, that’s fsck_hfs, which you said that you had already run directly. If that can’t repair the error, then Disk Warrior is the tool of choice. It’s not that expensive, and could rescue your old backups.
      When you have done so, I strongly recommend that you start a new backup series from Ventura, as it much prefers to back up to APFS, not HFS+. Trying to get it to work with HFS+ is a sure way of damaging those old backups.
      Howard.
      
      LikeLike
14

Toke Lahti on July 20, 2023 at 7:44 pm

I’ll just get this:

TokesMini2018:3 ext-toke$ sudo fsck /dev/disk6s2
fsck usage: fsck [-fdnypqL] [-l number]

Of course I have now apfs TM backup disk, which has been giving me a headacke for the last year.

LikeLiked by 1 person
- 15
  
  hoakley on July 20, 2023 at 7:56 pm
  
  That’s the usage info, because you’re not supplying it with appropriate options. Read its man page, and you’ll see: “It should be noted that fsck is now essentially a wrapper that invokes other fsck_XXX utilities as needed. Currently, fsck can invoke fsck_hfs, fsck_apfs, fsck_msdos, fsck_exfat, and fsck_udf.”
  Which is exactly what I told you: you’re wasting your time calling fsck if you’ve already encountered unrepairable errors with fsck_hfs, assuming that you’re trying to repair an HFS+ volume.
  Howard.
  
  LikeLike
  - 16
    
    Toke Lahti on July 21, 2023 at 9:40 am
    
    I tried every option and the output was same.
    Also with rdisk device.
    
    LikeLiked by 1 person
    - 17
      
      hoakley on July 21, 2023 at 11:19 am
      
      I did try to explain that to you yesterday. Even First Aid in Disk Utility calls fsck_hfs to check and repair an HFS+ volume. I stand by my previous advice: if you want to try to fix this and repair that volume, try using Disk Warrior. It’s the only utility that I know of that offers a reasonable chance of success when fsck_hfs fails. There are other third-party utilities, which will also cost you, but Disk Warrior is, in my opinion, likely to have the greatest chance of success.
      Howard.
      
      LikeLike
18

Toke Lahti on July 21, 2023 at 12:59 pm

I understood that the real tool behind fsck is fs specific.
And I used _hfs version like I wrote.

I just find it weird that the “frontend” fsck does not work at all for me and was wondering is it just my system or maybe Ventura with every user.

I think I’m getting DW. TestDisk is open source and can do a lot of things but does not help with this.
Maybe I will start to repair people’s TM disks as a job…

LikeLiked by 1 person
- 19
  
  hoakley on July 21, 2023 at 2:25 pm
  
  I wish you success with Disk Warrior. It is the best, but only for HFS+.
  Howard.
  
  LikeLike
  - 20
    
    Toke Lahti on July 21, 2023 at 2:46 pm
    
    They have promised APFS support for next update, which is also free with current license.
    
    Can you try if FSCK works with your systems?
    
    LikeLiked by 1 person
    - 21
      
      hoakley on July 22, 2023 at 9:31 am
      
      No one knows when or even whether APFS support will, or whether it will be any better than fsck_apfs.
      I never use fsck – man fsck to discover why.
      Howard.
      
      LikeLike
  - 22
    
    Toke Lahti on October 15, 2023 at 11:52 am
    
    In the summer I mailed same data shown here to Alsoft and explained that the case is about hfs+ TM-disk, the answer was: “Based on your screenshot DiskWarrior will attempt to rebuild the Volume.
    Assuming there is no physical damage; you will be able to write the new directory to the drive itself, no backup to another disk needed.”
    
    Now I have bought the DW and complained, why it can’t repair the TM disk, I got this answer: “DiskWarrior will repair the directory and allow access to the files. It simply won’t be a Time machine backup set. The important part is that the files will be available.”
    
    Right now I’m wondering what “repairing a directory” of TM disks means, if it can’t bring back the TM’s incremental system?
    
    LikeLiked by 1 person
    - 23
      
      hoakley on October 15, 2023 at 8:31 pm
      
      I’m sorry, but I think you should be asking Alsoft support about this, not me. I haven’t used HFS+ in anger since Mojave.
      Howard.
      
      LikeLike
    - 24
      
      Toke Lahti on October 16, 2023 at 10:19 am
      
      Howard,
      I’m sorry if you don’t find this info appropriate.
      Your pages are no.1 source for info and understanding about apple’s filesystems and their quirks.
      I assume that there are others.
      And when there is a question or problem asked here and there is a solution presented and it prooves to be at least challenging, it is helpful to others sekking help to know that.
      Internet is full of wrong advice, which hasn’t been told to be wrong.
      
      You suggested that DW could fix this corruption in file system.
      They said it also. Now they say that they can’t repair the TM structure, but DW can restore the files.
      There’s 50 TM backups of 3 macs in that 7.7TB.
      I’m not trying to figure out what to do with those files without a structure.
      
      I could go to the specifics, but I’m not sure if you’d like that.
      I’d welcome any suggestions from all readers, where to discuss these fs/TM/recovery etc. mac specific things.
      
      LikeLiked by 1 person
    - 25
      
      hoakley on October 16, 2023 at 11:28 am
      
      No, my point is that you’re asking questions about what Disk Warrior can and cannot do. Few of us here still use HFS+ backups, and few of us still use Disk Warrior to try to repair them. It’s Alsoft’s product, their pride and joy, so surely they should be explaining this to you, as they really do know what they’re talking about. The last time I used DW to repair a volume must be way back when I had an 8-core Mac Pro – more than ten years ago!
      I could waffle on about the difference between repairing the file system and TM’s structures, but as I don’t know much about either of those for your case, and I don’t know of any product that might repair TM structures, I don’t think that would help you.
      Howard.
      
      LikeLike
26

edjusted on July 22, 2023 at 6:18 am

Firmware aside, couldn’t you do something like this in a pinch:
1. clone your data
2. wipe and install the OS version you want
3. use Migration Assistant to copy your data back

There might be some edge cases where preference files or things like that don’t quite work, though.

I know I successfully did this a couple of years ago, but I don’t remember if the last time was on an Intel or M1 Mac.

I do miss the old days when I could just make as multiple clones of different system versions and boot off any of them, using Dropbox for most of my data.

LikeLiked by 1 person
- 27
  
  hoakley on July 22, 2023 at 9:39 am
  
  Thank you. That’s nothing like a roll back, though, is it?
  You don’t have to “clone” your Data volume. These days if you install macOS it will try to re-use the existing Data volume. You shouldn’t have to wipe your boot partition beforehand either (which would preclude re-use of the Data volume), and migration should work very nicely from a backup if that’s necessary. But that’s a great deal more work than a roll back.
  Howard.
  
  LikeLiked by 1 person
28

Michael Tsai - Blog - Why You Can No Longer Roll Back a macOS Update on July 24, 2023 at 7:13 pm

[…] Howard Oakley: […]

LikeLike
29

Michele Galvagno on September 14, 2023 at 7:40 pm

Something that is no longer clear to me is how we used to have these “Time Machine snapshots” that could be restored in Recovery in few minutes. The fact that this is no longer available is a great loss to the user, in my opinion, even if I understand all the other benefits of the current system. Those advantages are not clear to the users, while the impossibility to restore the system is a clear limitation.
What I don’t understand, now, is why we continue to have TM snapshots if we cannot use them to restore the system (ok, things were divided into System & Data, so you don’t actually backup System, and firm links prevent you from restoring just Data… headache…).
Beside security, what do you think is the greatest advantage of the new system that makes up from what is lost?

LikeLiked by 1 person
- 30
  
  hoakley on September 14, 2023 at 9:16 pm
  
  Before Big Sur, you needed to be able to restore the system, because the only thing that sort-of protected it was SIP. What were the top solutions to fixing many problems? Install the Combo update, re-install macOS, or clean-install macOS, all of which are now redundant. If you want to check that your Mac’s system is in perfect order, simply restart it: if there’s one bit wrong on its SSV, your Mac will detect it and you’ll then need to reinstall macOS. How often does that happen with Big Sur and later? Hardly ever, because nothing can change the contents of the SSV other than an Apple installer.
  The same is true of macOS updates. In Mojave and earlier, updates not infrequently left the system in a mess that could only be sorted out by reinstalling it, or the Combo update. When macOS restarts after an update now, you know the update was installed perfectly, down to the very last bit.
  TM snapshots are still valuable, as you can restore items from anywhere on each volume that’s backed up, even if your backups don’t contain the whole volume. And when your Mac is away from its backup store, those are the only backups you get anyway.
  The security advantages of the SSV are the least important to users – the reliability and stability of macOS is far more important.
  Howard.
  
  LikeLiked by 1 person