macOS 10.15 Catalina brings EFI firmware updates for all supported models, and subsequent updates have changed those for most models too. This article lists the firmware versions of Macs which have been successfully updated with Catalina Security Update 2022-005.
For older Macs and earlier versions of macOS, please refer to the previous listing of firmware versions. If your Mac is still running an earlier version of macOS, such as El Capitan, then you should refer to version 2 of this list instead.
Check The EFI Version Of A Mac
The eficheck tool still uses the older numbering system with two hexadecimal numbers, e.g. F000.B00. However, in Catalina eficheck now also gives version numbers using the new notation.
The full eficheck version number is likely to resemble IM144.88Z.0190.B00.1809171521. This is made up from the model designator IM144 = iMac14,4, the code 88Z or sometimes AAPLEFI4 or AAPLEFI5, the version number 0190 B00, and the datestamp of that version 1809171521 = [20]18/09/17 15:21. See below for further details of how to obtain this.
T2 chip models: The iMac Pro, 2019 Mac Pro, iMac 27-inch 2020, 2018 MacBook Pro with Touch Bar (MacBookPro15,1 and 15,2), 2018 Mac mini and 2018 MacBook Air, and their successor models, all use a different mechanism for firmware updates, managed by their T2 chips. They are also unable to run eficheck.
Once it completes, you should see a response like

EFI Version: MBP141.88Z.F000.B00.1909131925 (Boot ROM Version: 202.0.0.0.0)
Primary allowlist version match found. No changes detected in primary hashes.

In the first line of the response, this gives the Mac model (MBP141 = MacBook Pro 14,1), the major version (F000), the minor version (B00), and the build datestamp of that version (= [20]19/09/13 19:25). The Boot ROM version given in parentheses should match the version given above.
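As an added example (not code from the original article or from Apple), this Python parser splits an eficheck response into the fields described above and records the allowlist outcome, including the case where the allowlist fetch fails. The family-prefix table and the rule that the last digit of the designator is the number after the comma are assumptions drawn from the strings quoted on this page.

```python
import re
from datetime import datetime

# Family prefixes seen in this page's examples (assumed list; extend as needed).
FAMILIES = {"IM": "iMac", "MBP": "MacBookPro", "MP": "MacPro"}

EFI_RE = re.compile(
    r"(?P<prefix>[A-Z]+)(?P<num>\d{2,3})\."           # model designator, e.g. MBP141
    r"(?P<code>88Z|AAPLEFI\d)\."                      # 88Z, AAPLEFI4 or AAPLEFI5
    r"(?P<major>[0-9A-F]{4})\.(?P<minor>B\d{2})\."    # e.g. F000.B00 or 0190.B00
    r"(?P<stamp>\d{10})"                              # YYMMDDhhmm build datestamp
)
BOOTROM_RE = re.compile(r"Boot ROM Version: (\d+(?:\.\d+)*)")

def parse_efi_version(text):
    """Return the fields of the first EFI version string in text, or None."""
    m = EFI_RE.search(text)
    if m is None:
        return None
    num = m["num"]  # assumption: the last digit is the part after the comma
    return {
        "model": f"{FAMILIES.get(m['prefix'], m['prefix'])}{num[:-1]},{num[-1]}",
        "code": m["code"],
        "major": m["major"],
        "minor": m["minor"],
        "built": datetime.strptime(m["stamp"], "%y%m%d%H%M"),
    }

def parse_eficheck(output):
    """Summarise one eficheck run: version fields, Boot ROM, allowlist status."""
    result = parse_efi_version(output) or {}
    rom = BOOTROM_RE.search(output)
    result["boot_rom"] = rom.group(1) if rom else None
    if "No changes detected in primary hashes" in output:
        result["status"] = "match"
    elif "version match not found" in output:
        result["status"] = "no_match"
    else:
        result["status"] = "unknown"
    # Keep the fetch failure separate so a no-match can be triaged with it in view.
    result["allowlist_update_failed"] = "Allowlist data update failed" in output
    return result

# Both samples are eficheck responses quoted on this page.
OK_RUN = ("EFI Version: MBP141.88Z.F000.B00.1909131925 (Boot ROM Version: 202.0.0.0.0)\n"
          "Primary allowlist version match found. No changes detected in primary hashes.")
FAILED_RUN = ("Allowlist data update failed with error = 108.\n"
              "Primary allowlist version match not found for version "
              "MP61.88Z.F000.B00.1906132222 (Boot ROM Version: 132.0.0.0.0).")
```

Calling `parse_eficheck(FAILED_RUN)` returns status `no_match` together with `allowlist_update_failed` set, so fleet tooling can report the two conditions separately.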
Matching allowlist not found in EFIAllowListShipping. Searching in EFIAllowListAll.
Fetching allowlist data update.
Waiting for allowlist data download to complete.
Allowlist data update failed with error = 108.
Primary allowlist version match not found for version MP61.88Z.F000.B00.1906132222 (Boot ROM Version: 132.0.0.0.0).
Thanks, Howard. For others, it worked again, i.e. I replaced the 3rd party (both OWC 1TB and Intel 2TB exhibit the same problem) NVMe SSD with the original Apple NVMe SSD in my MacPro6,1, updated that drive to 10.15, then re-installed the 3rd party drive. The Boot ROM is now the latest 133.0.0.0.0 and MP61.88Z.F000.B00.1907241309. I have no idea why the Boot ROM is not updated with the 3rd party NVMe SSDs installed nor why the allowlist data update fails during eficheck.
EFI Version: IM171.88Z.F000.B00.1906171551 (Boot ROM Version: 170.0.0.0.0)
Matching allowlist not found in EFIAllowListShipping. Searching in EFIAllowListAll.
Fetching allowlist data update.
Waiting for allowlist data download to complete.
Allowlist data update failed with error = 108.
Primary allowlist version match not found for version IM171.88Z.F000.B00.1906171551 (Boot ROM Version: 170.0.0.0.0).
I reinstalled the system this computer came with using recovery, but when I tried checking the EFI firmware using a terminal command it gave me an iMac15 ID. I used instructions from this site to check.
You would be better off asking your questions to the guy who runs the blog you linked to since he is the only person I'm aware of that has that much knowledge about the Apple firmware revisions and he even created some of the custom utilities. All Apple has included with macOS is a command line utility for verifying the firmware to see if the computer is running the latest version (or perhaps is just running a compatible firmware version for the OS that is currently booted). Even that Apple utility doesn't work correctly as far as I can tell when I tried it once (I don't recall the name now). I think the blogger you linked actually mentions the Apple utility in one of his blog posts.
Apple no longer provides any information about what firmware is available for any of their Macs. Apple stopped updating their own documentation listing the current latest version of firmware for each system several years ago. The blogger you linked has shown that even putting the firmware updaters within the macOS installers does not always keep a Mac's firmware up to date since some people are still running older firmware for unknown reasons even after running a macOS 10.13+ installer.
To the best of our knowledge, firmware is ALWAYS [intended to be] backward compatible. Installing a different MacOS will NOT reset firmware to an older version -- the updated firmware version will remain in place.
You are massively over-thinking this. No one fiddles with older firmware versions -- it is not necessary. The newer versions just work with the older MacOS software, all the way back to factory original versions.
Maybe the replies here contain more thought than necessary. I'm asking how to check versions because Apple had clearly stated that their boot versions are not backward compatible with older, no longer supported machines. In fact, Mojave now requires APFS-formatted drives to install boot partitions. After almost a year of denying this was going on after Catalina was released, with no communication with Alsoft DiskWarrior to help anyone sort failed installs of Catalina or bricked machines, Apple releases the list of compatible boot firmware. Here is the link -to-check-your-firmware-version
For this example, I am interested in retrieving the EFI version of a macOS host. Knowing the EFI version of your hosts can come in handy, especially when there is a known security vulnerability, but it can also be hard to parse with just bash.
To learn more about remote querying osquery agents, check out our article Managing Osquery with Kolide Launcher and Fleet. For a more in-depth introduction to macOS instrumentation, see Monitoring macOS hosts with osquery.
macOS High Sierra automatically checks a Mac's EFI firmware against Apple's database of "known good" data to ensure it hasn't been tampered with, according to a series of tweets from an Apple engineer.
The new utility eficheck, located in /usr/libexec/firmwarecheckers/eficheck, runs automatically once a week. It checks that Mac's firmware against Apple's database of what is known to be good. If it passes, you will see nothing of this, but if there are discrepancies, you will be invited to send a report to Apple.
The "eficheck" tool sends the binary data from the EFI firmware, and preserves user privacy by excluding data which is stored in NVRAM, according to The Eclectic Light Company. Apple will then be able to analyze the data to determine whether it has been altered by malware or anything else.
Another advantage of Apple bundling the EFI updates with the OS and security updates is that it provided us with a triplicate mapping between the particular model of Mac, the OS build version and the version of EFI that came bundled with that OS version. These mappings provided us with an oracle that, given the OS version and Mac model as inputs, would provide the version of EFI that system should be running. We could then compare the EFI version we expect a system to be running against the EFI version we actually observed it running.
It also highlighted some deficiencies in overall visibility into EFI firmware security. This manifests in the lack of end user notification for systems running out-of-date EFI even if they are running an up-to-date OS, as well as the lack of details coming from Apple with respect to the versions of EFI that systems should be running or the vulnerabilities those versions are exposed to.
An x86_64 UEFI firmware does not include support for launching 32-bit EFI applications (unlike x86_64 Linux and Windows versions which include such support). Therefore the EFI application must be compiled for that specific firmware processor bitness/architecture.
If any userspace tool is unable to modify UEFI variable data, check for existence of /sys/firmware/efi/efivars/dump-* files. If they exist, delete them, reboot and retry again. If the above step does not fix the issue, try booting with efi_no_storage_paranoia kernel parameter to disable kernel UEFI variable storage space check that may prevent writing/modification of UEFI variables.