RecoveryOS

recoveryOS is the recovery environment used in macOS, watchOS, tvOS, audioOS and visionOS. This is not the same as the iBoot Recovery Mode available on most Apple devices, which requires the device to be plugged into a computer.

macOS
recoveryOS for macOS was first introduced with Mac OS X Lion. At that time, Apple stopped selling Mac OS X on DVDs and instead provided USB sticks or a download through the Mac App Store. Apple also introduced a recovery environment so that, if a macOS installation is corrupted, it can be recovered by reinstalling macOS over the internet, without needing a DVD. It also includes the tools that used to be on the DVD (Terminal, Disk Utility, Startup Security Utility). recoveryOS is stored on a partition separate from the main macOS partition, in a disk image file named BaseSystem.dmg. An associated chunklist in the file BaseSystem.chunklist is used to verify the integrity of BaseSystem.dmg. If one of the hashes doesn’t match, the UEFI firmware instead boots from Internet Recovery, which is built into Mac computers from 2011 and later.

Intel based Macs (including T2 Macs)
- To boot to the local recovery mode, press Command + R at the same time during bootup until you see the Apple logo.
- To get the latest version of macOS (Internet Recovery), press Option (Alt) + Command + R at the same time until you see a spinning globe with the text "Starting Internet Recovery. This may take a while.". You may need to choose a Wi-Fi network in order to download recoveryOS.
- To boot to the original macOS that your computer shipped with (or the closest version available), press Shift + Option (Alt) + Command + R at the same time until you see a spinning globe with the text "Starting Internet Recovery. This may take a while.". You may need to choose a Wi-Fi network in order to download recoveryOS.

Apple Silicon based Macs
Press and hold the power button. You will see the text "Continue holding for startup options...". When you see the text "Loading startup options..." you may release the power button. Then choose Options (with the picture of a cogwheel (Software Update icon)).

To boot to fallback recoveryOS (AKA System Recovery), double-press and hold the power button. You will see the text "Continue holding for startup options...". When you see the text "Loading startup options..." you may release the power button. Then choose Options (with the picture of a cogwheel (Software Update icon)). The fallback recoveryOS doesn’t have the capability to change the system security state.

What's included in recoveryOS
- Restore from Time Machine: restore from a Time Machine backup.
- Reinstall macOS: installs macOS InstallAssistant from the Software Update Catalog.
- Safari (minimal version, does not have the capability to play videos): the user can use the internet to troubleshoot the Mac. The default home page is an HTML file which contains information about using recoveryOS.
- Disk Utility: can be used to repair the disk using First Aid or erase the disk.

There are more utilities that can be accessed through the menu bar by clicking Utilities:
- Startup Security Utility: on normal Intel Macs, it can be used to enable/disable the firmware password (only on regular Intel and T2 Macs). On T2/Apple Silicon Macs, you can change the security settings and the allowed boot media settings.
- Share Disk (Apple Silicon Macs only): can be used to transfer files from one computer to another. The equivalent of Target Disk Mode on Intel Macs.
- Terminal: can be used for advanced troubleshooting, and makes it possible to enable/disable System Integrity Protection using csrutil.

Other menu bar items:
- File -> Choose Language: switch between languages. This does not include the hello screen, which is normally seen in the regular Language Chooser app.
- Window -> Recovery Log (Command + L): view the recovery log.
- Country flag: switch between keyboard inputs.
- Wi-Fi: switch between Wi-Fi networks.
- Apple logo -> Startup Disk: choose the startup disk/boot to Target Disk Mode (only on Intel).

Downloading Intel recoveryOS
The internet recoveryOS is downloaded from osrecovery.apple.com using HTTP. The recoveryOS is completely separate from macOS, and the entire contents (the recoveryOS) are stored in a disk image file named BaseSystem.dmg. There is also an associated BaseSystem.chunklist, which is used to verify the integrity of the BaseSystem.dmg. The chunklist is a series of hashes for 10 MB chunks of the BaseSystem.dmg. The UEFI firmware evaluates the signature of the chunklist file and then evaluates the hash one chunk at a time from the BaseSystem.dmg. This helps ensure that it matches the signed content present in the chunklist. If any of these hashes don’t match, booting from the local recoveryOS is aborted and the UEFI firmware attempts to boot from Internet Recovery instead.

First, a session cookie is requested from osrecovery.apple.com. Then a request is made to http://osrecovery.apple.com/InstallationPayload/RecoveryImage. The request looks like this:

cid=A64F96125D28533D
sn=C079442000SJRWLAX
bid=Mac-7BA5B2DFE22DDD8C
k=CF4EF754A68299485E52179B73382421FDBE38BAA06C7CE518A9A4BA91E3C96D
os=latest
bv=17.16.11081.0.0,0
fg=9ECA302EC3E25279AA80C088EF82A821DAD22197B8516F2E9966CC462B524393

- cid: The T2 ECID (T2 only)
- sn: Motherboard serial number
- bid: Board ID (BDID)
- k: Key or some form of challenge (unknown, server accepts any value)
- os: The requested macOS (latest: internet recovery, default: the factory macOS or the closest still available)
- bv: Version of bridgeOS (T2 only)
- fg: Anti-forgery challenge (unknown, server accepts any value)

The response looks like this:

AP: 041-76812
AU: http://oscdn.apple.com/content/downloads/22/29/041-76812a/2liqsakq9ocpldao5gxogpqqkg3666itc6/RecoveryImage/BaseSystem.dmg
AH: 0DD88446D924DC180B25085F53BEA4A2B148024F69EA93E265AEC2F1102E4CB4
AT: expires=1585251286~access=/content/downloads/22/29/041-76812a/2liqsakq9ocpldao5gxogpqqkg3666itc6/RecoveryImage/BaseSystem.dmg~md5=aade63d0bf105b660880b522ee16276f
CU: http://oscdn.apple.com/content/downloads/22/29/041-76812a/2liqsakq9ocpldao5gxogpqqkg3666itc6/RecoveryImage/BaseSystem.chunklist
CH: 791BD581006AD8147F988138B434A2CB792D87F4C2187BD992CC06B64234CA4A
CT: expires=1585251286~access=/content/downloads/22/29/041-76812a/2liqsakq9ocpldao5gxogpqqkg3666itc6/RecoveryImage/BaseSystem.chunklist~md5=7b7ae5fd362c4ff1b216016121f6cb87

- AP: Apple's update ID for the package, from the software update catalog
- AU: recoveryOS URL to download from (BaseSystem.dmg)
- AH: Some form of hash for the base system URL / content
- AT: BaseSystem URL token cookie (passed in the next request as a cookie header)
- CU: Chunklist URL (BaseSystem.chunklist)
- CH: Chunklist URL hash / content
- CT: Chunklist URL token cookie (passed in the next request as a cookie header)
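
The response fields above can be parsed and cross-checked before any download is attempted. The following Python is an added example, not code from the original page or from Apple; the one-field-per-line layout of the response and the function names are assumptions, and the sample body is the response shown on this page.

```python
from urllib.parse import urlsplit

# Response body from this page; one "KEY: value" field per line is an assumption.
SAMPLE_RESPONSE = """\
AP: 041-76812
AU: http://oscdn.apple.com/content/downloads/22/29/041-76812a/2liqsakq9ocpldao5gxogpqqkg3666itc6/RecoveryImage/BaseSystem.dmg
AH: 0DD88446D924DC180B25085F53BEA4A2B148024F69EA93E265AEC2F1102E4CB4
AT: expires=1585251286~access=/content/downloads/22/29/041-76812a/2liqsakq9ocpldao5gxogpqqkg3666itc6/RecoveryImage/BaseSystem.dmg~md5=aade63d0bf105b660880b522ee16276f
CU: http://oscdn.apple.com/content/downloads/22/29/041-76812a/2liqsakq9ocpldao5gxogpqqkg3666itc6/RecoveryImage/BaseSystem.chunklist
CH: 791BD581006AD8147F988138B434A2CB792D87F4C2187BD992CC06B64234CA4A
CT: expires=1585251286~access=/content/downloads/22/29/041-76812a/2liqsakq9ocpldao5gxogpqqkg3666itc6/RecoveryImage/BaseSystem.chunklist~md5=7b7ae5fd362c4ff1b216016121f6cb87
"""


def parse_fields(body):
    """Split 'KEY: value' lines into a dict, ignoring blank or malformed lines."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_token(token):
    """Split an 'expires=..~access=..~md5=..' token into its named parts."""
    return dict(part.split("=", 1) for part in token.split("~") if "=" in part)


def check_asset(fields, url_key, hash_key, token_key, now):
    """Return a list of inconsistencies for one asset (image or chunklist)."""
    problems = []
    token = parse_token(fields.get(token_key, ""))
    path = urlsplit(fields.get(url_key, "")).path
    if token.get("access") != path:
        problems.append("token path does not match download URL")
    if not token.get("expires", "").isdigit() or int(token["expires"]) <= now:
        problems.append("token expired or missing expiry")
    digest = fields.get(hash_key, "")
    if len(digest) != 64 or any(c not in "0123456789ABCDEFabcdef" for c in digest):
        problems.append("hash field is not 64 hex characters")
    return problems
```

Calling `check_asset(parse_fields(SAMPLE_RESPONSE), "AU", "AH", "AT", now)` with a `now` earlier than the token's `expires` value returns an empty list; pairing the image URL with the chunklist token (`"CT"`) reports the path mismatch.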

Although the connection to osrecovery.apple.com uses HTTP, the complete downloaded contents are still integrity checked as previously described, and as such are protected against manipulation by an attacker with control of the network. If an individual chunk fails integrity verification, it is re-requested from osrecovery.apple.com 11 times before the firmware gives up and displays an error: the globe freezes and a warning symbol with an exclamation mark is shown along with the URL support.apple.com/mac/startup (which redirects to ). If the verification completes successfully, the UEFI firmware mounts the BaseSystem.dmg as a ramdisk (not as an update ramdisk) and launches the boot.efi file that’s in it. There’s no need for the UEFI firmware to do a specific check of the boot.efi, nor for the boot.efi to do a check of the kernel, because the complete contents of the operating system (of which these elements are only a subset) have already been integrity checked.
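
The chunk-by-chunk check and retry limit described above, as an added Python example that is not Apple's firmware code or part of the original page. The manifest layout (a length and SHA-256 digest per chunk), the function names and the simulated reader are assumptions; the real chunklist file format and its signature check are not modelled.

```python
import hashlib

CHUNK_SIZE = 10 * 1024 * 1024  # 10 MB chunks, as described on this page


def build_manifest(image, chunk_size=CHUNK_SIZE):
    """Constructed stand-in for a chunklist: one (length, SHA-256) per chunk."""
    chunks = (image[i:i + chunk_size] for i in range(0, len(image), chunk_size))
    return [(len(c), hashlib.sha256(c).digest()) for c in chunks]


def verify_image(read_chunk, manifest, max_retries=11):
    """Check every chunk in order; re-request a failing chunk up to max_retries times.
    read_chunk(offset, length) returns one chunk's bytes (e.g. from the network).
    The manifest is assumed to be signature-checked already (not modelled here).
    Returns (ok, index_of_failed_chunk_or_None).
    """
    offset = 0
    for index, (length, expected) in enumerate(manifest):
        for _attempt in range(1 + max_retries):
            data = read_chunk(offset, length)
            if len(data) == length and hashlib.sha256(data).digest() == expected:
                break
        else:
            return False, index  # chunk never verified: give up, boot nothing
        offset += length
    return True, None


def make_reader(image, corrupt_offset=None, corrupt_reads=0):
    """Simulated source that flips one byte for the first N reads covering it."""
    state = {"bad_reads": 0}
    def read_chunk(offset, length):
        data = bytearray(image[offset:offset + length])
        hit = corrupt_offset is not None and offset <= corrupt_offset < offset + length
        if hit and state["bad_reads"] < corrupt_reads:
            state["bad_reads"] += 1
            data[corrupt_offset - offset] ^= 0xFF
        return bytes(data)
    return read_chunk


if __name__ == "__main__":
    image = bytes(range(256)) * 40  # constructed 10,240-byte stand-in for an image
    manifest = build_manifest(image, chunk_size=4096)
    print(verify_image(make_reader(image), manifest))               # clean transfer
    print(verify_image(make_reader(image, 5000, 3), manifest))      # transient corruption
    print(verify_image(make_reader(image, 5000, 10**6), manifest))  # persistent tampering
```

Because every chunk must match a digest from the trusted manifest, a modified or truncated transfer fails at the first bad chunk no matter how the bytes were transported.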

Mac Diagnostics
Apple discontinued Apple Hardware Test in 2012 in favor of a newer version, called Apple Diagnostics.

Booting Intel Diagnostics
Press D during startup until you see a progress bar on the screen. To boot from the internet, press Option (Alt) + D at the same time until you see a spinning globe with the text "Starting Internet Recovery. This may take a while.".

Downloading Intel Diagnostics
Just like recoveryOS, it is downloaded from osrecovery.apple.com using HTTP. The steps are the same as for downloading recoveryOS. The only difference is that the diagnostics request URL is http://osrecovery.apple.com/InstallationPayload/Diagnostics.

Booting Apple Silicon Diagnostics
In startup options, press and hold Command + D at the same time until "Loading diagnostics..." appears on the screen.

Downloading Apple Silicon Diagnostics
The diagnostics/repair disk image for Mac is fetched from https://diagnostics.apple.com/api/v1/ast2-companion/public/services/assets. The request is made as JSON. The request looks like this:

- boardID: Board ID in decimal
- chipID: Chip ID in decimal
- OSVersion: the version of macOS currently on your Mac

The response looks like this:

- url: FieldService diagnostics/repair image
- audience: The image type
- imageName: file name
- partNumber: Apple's update ID for the package, from the software update catalog

watchOS

Booting instructions
Double press the side button when in iBoot Recovery Mode. It is unknown if it is possible to boot to recoveryOS manually using button combinations at startup, just like on iOS, iPadOS, macOS and tvOS devices.

Usage
Can update/restore an Apple Watch (running watchOS 8.5 or newer) using an iPhone (not just the paired iPhone).

tvOS

Booting instructions
Plug the Apple TV into power, wait for it to finish loading, then unplug the Apple TV; repeat this 5 times. On the 6th time it will bring up a menu with three options: Reset, Restore and Restart. Choose Restore and the recovery screen will appear.

Usage
Allows an Apple TV (running tvOS 17 or newer) to be reset to factory settings using an iPhone, just like on the Apple Watch.

audioOS and visionOS
Currently unknown.