recoveryOS

From The iPhone Wiki
Revision as of 15:52, 9 August 2022 by HappyMac3920 (talk | contribs)
Jump to: navigation, search

recoveryOS is the recovery environment used in macOS, watchOS, tvOS and audioOS.
This is not the same as the iBoot Recovery Mode available on most Apple devices, as this type of recovery environment requires the device to be plugged into a computer.

macOS

recoveryOS for macOS had its first introduction with Mac OS X Lion. At that time, Apple stopped selling Mac OS X through DVD's, and instead, they provided either USB sticks, or it could be downloaded through the Mac App Store. Apple also introduced a recovery environment, that in case a macOS installation is corrupted, it could be recovered by reinstalling macOS through the internet, without the need to reinstall macOS through a DVD. It also includes the tools that were used to be on the DVD (Terminal, Disk Utility, Startup Security Utility).

Booting to recovery mode

Intel based Macs (including T2 Macs)

To boot to the local recovery mode, press Command + R at the same time during bootup until you see the Apple logo. To get the latest version of macOS (Internet Recovery), press Option (Alt) + Command + R at the same time until you see a spinning globe with text "Starting Internet Recovery. This may take a while.". You may need to choose a Wi-Fi network in order to download recoveryOS. To boot to the original macOS that your computer shipped with (or the closest version available), press Shift + Option (Alt) + Command + R at the same time until you see a spinning globe with text "Starting Internet Recovery. This may take a while.". You may need to choose a Wi-Fi network in order to download recoveryOS.

Apple Silicon based Macs

Press and hold the power button. You will see text "Countinue holding for startup options...". When you see the text "Loading startup options..." you may release the power button. Then choose Options (with the picture of a cogwheel (Software Update icon)).
To boot to fallback recoveryOS (AKA System Recovery) double-press and hold the power button. You will see text "Countinue holding for startup options...". When you see the text "Loading startup options..." you may release the power button. Then choose Options (with the picture of a cogwheel (Software Update icon)). The fallback recoveryOS doesn’t have the capability to change the system security state.

What's included in recovery mode

- Restore from Time Machine: restore from a Time Machine backup.
- Reinstall macOS: installs macOS full OTA from gdmf.apple.com (Pallas).
- Safari (minimal version, does not have the capability to play videos): User can use the internet to troubleshoot the Mac. The default home page is an HTML file which contains information about using recoveryOS.
- Disk Utility: Can be used to repair the disk using First Aid or erase the disk.
There are more utilities that can be accesed through the menu bar by clicking Utilities:
- Startup Security Utility: On normal Intel Macs, it can be used to enable/disable the firmware password (only on regural Intel and T2 Macs). On T2/Apple Silicon Macs, you can change the security settings and the allowed boot media settings.
- Share Disk (Apple Silicon Macs only): Can be used to transfer files from one computer to another. The equivalent of Target Disk mode on Intel Macs.
- Terminal: Can be used for advanced troubleshooting, and it has the possiblity to enable/disable System Integrity Protection using csrutil.
File -> Choose Language: Switch between languages. This does not include the hello screen, which is normaly seen in the regular Language Chooser app.
Window -> Recovery Log (Command + L): view recovery log.
Country flag: switch between keyboard inputs.
Wi-Fi: switch between Wi-Fi networks
Apple logo -> Startup Disk: choose startup disk/boot to Target Disk Mode (only on Intel).

Downloading Intel recoveryOS

The internet recoveryOS is downloaded from osrecovery.apple.com using HTTP. The recoveryOS is completely separate from macOS, and the entire contents (the recoveryOS) are stored in a disk image file named BaseSystem.dmg. There is also an associated BaseSystem.chunklist, which is used to verify the integrity of the BaseSystem.dmg. The chunklist is a series of hashes for 10 MB chunks of the BaseSystem.dmg. The UEFI firmware evaluates the signature of the chunklist file and then evaluates the hash one chunk at a time from the BaseSystem.dmg. This helps ensure that it matches the signed content present in the chunklist. If any of these hashes don’t match, booting from the local recoveryOS is aborted and the UEFI firmware attempts to boot from Internet Recovery instead. First, a session cookie is requested from osrecovery.apple.com. Then a request is made to http://osrecovery.apple.com/InstallationPayload/RecoveryImage. The request looks like this:

cid=A64F96125D28533D
sn=C079442000SJRWLAX
bid=Mac-7BA5B2DFE22DDD8C
k=CF4EF754A68299485E52179B73382421FDBE38BAA06C7CE518A9A4BA91E3C96D
os=latest
bv=17.16.11081.0.0,0
fg=9ECA302EC3E25279AA80C088EF82A821DAD22197B8516F2E9966CC462B524393
cid: The T2 ECID (T2 only)
sn - Motherboard Serial number
bid - Board ID (BDID)
k - Key or some form of challenge (unknown, server accepts any value)
os - The requested macOS (latest: internet recovery, default: the factory macOS or the closest still available)
bv - Version of bridgeOS (T2 only)
fg - Anti forgery challenge (unknown, server accepts any value)

The response looks like this:

AP: 041-76812
AU: http://oscdn.apple.com/content/downloads/22/29/041-76812a/2liqsakq9ocpldao5gxogpqqkg3666itc6/RecoveryImage/BaseSystem.dmg
AH: 0DD88446D924DC180B25085F53BEA4A2B148024F69EA93E265AEC2F1102E4CB4
AT: expires=1585251286~access=/content/downloads/22/29/041-76812a/2liqsakq9ocpldao5gxogpqqkg3666itc6/RecoveryImage/BaseSystem.dmg~md5=aade63d0bf105b660880b522ee16276f
CU: http://oscdn.apple.com/content/downloads/22/29/041-76812a/2liqsakq9ocpldao5gxogpqqkg3666itc6/RecoveryImage/BaseSystem.chunklist
CH: 791BD581006AD8147F988138B434A2CB792D87F4C2187BD992CC06B64234CA4A
CT: expires=1585251286~access=/content/downloads/22/29/041-76812a/2liqsakq9ocpldao5gxogpqqkg3666itc6/RecoveryImage/BaseSystem.chunklist~md5=7b7ae5fd362c4ff1b216016121f6cb87
AP - Apple's update ID for the package, from the software update catalog
AU - recoveryOS URL to download from (BaseSystem.dmg)
AH - Some form of hash for the base system URL / content
AT - BaseSystem URL token cookie (Passed in the next request as a cookie header)
CU - chunklist URL (BaseSystem.chunklist)
CH - Chunklist URL hash / content
CT - Chunklist URL token cookie (Passed in the next request as a cookie header)

While the connection to the osrecovery.apple.com is done using HTTP, the complete downloaded contents are still integrity checked as previously described, and as such are protected against manipulation by an attacker with control of the network. In the event that an individual chunk fails integrity verification, it is re-requested from the osrecovery.apple.com 11 times, before giving up and displaying an error with the globe frozen and displaying a warning symbol with an exclamation mark with the URL support.apple.com/mac/startup (which redirects to [1]). If the verification is successfully completed, the UEFI firmware mounts the BaseSystem.dmg as a ramdisk (not as an update ramdisk) and launches the boot.efi file that’s in it. There’s no need for the UEFI firmware to do a specific check of the boot.efi, nor for the boot.efi to do a check of the kernel, because the completed contents of the operating system (of which these elements are only a subset) have already been integrity checked.

Mac Diagnostics

Apple discountinued Apple Hardware Test in 2012 for a newer version, called Apple Diagnostics.

Booting Intel Diagnostics

Press D on startup at the same time until you see a progress bar on the screen. To boot from the internet, press Option (alt) + D at the same time until you see a spinning globe with text "Starting Internet Recovery. This may take a while.".

Downloading Intel Diagnostics

Just like on the recoveryOS, it is also downloaded from osrecovery.apple.com using HTTP. The steps are the same as downloading recoveryOS.
The only difference here is that the diagnostics request URL is http://osrecovery.apple.com/InstallationPayload/Diagnostics.

Booting Apple Silicon Diagnostics

In the startup options, press and hold Command + D at the same time untill "Loading diagnostics..." appears on the screen.

Downloading Apple Silicon Diagnostics

The diagnostics are fetched from https://diagnostics.apple.com/api/v1/ast2-companion/public/services/assets. It is fetched as a JSON request.
The request looks like this:

{"ProductVersion": "12.5","boardID":10,"chipID":24577, "OSVersion":"12.5"}
ProductVersion: latest version
boardID: Board ID in decimal
chipID: Chip ID in decimal
OSVersion: the current version of macOS currently on your Mac

The response looks like this:

{
    "assetList": [{
        "url": "https://diagassets.apple.com/diagassets/FieldServiceDiskImagePersonalizedHWThree_cc11202.dmg?accessKey=1658564349_jbnHcYba5vXrn6jM_1aT%2FASCZ5sq6%2Bu%2BzF09Nte61Usz1YY0mtHxow%2BZOQbldxWJ%2B%2Bx%2FLsKw8IP6q4ooeOXkfJKtD8Nx%2FBach4s8LPi27OWcwxVJnwRXcSteLvNH9ellFKZE3eLSHzqZZ%2Bv6d",
        "type": "",
        "audience": "FieldServiceDiskImage",
        "imageName": "FieldServiceDiskImagePersonalizedHWThree_cc11202.dmg",
        "partNumber": "012-04479",
        "version": "",
        "checkSum": "",
        "reserved1": "",
        "reserved2": ""
    }],
    "responseUUID": "003c1e99-0382-40df-b3a3-51d1cbec431c"
}
url: FieldService diagnostics image
audience: The name of the image
imageName: file name
partNumber: Apple's update ID for the package, from the software update catalog

watchOS

Booting to recovery mode

Double press the side button when in iBoot Recovery Mode.

An Apple Watch Series 7 running in recoveryOS, recreated using an extracted graphic.

Usage

Can update/restore an Apple Watch using an iPhone (not just the paired iPhone).

audioOS and tvOS

Currently unknown.

See Also