A short history of Recovery in macOS

Recovery mode and its underlying system and storage are relative newcomers to the Mac. For the first 27 years, we made do with alternatives, until in the summer of 2011, with Mac OS X Lion, the first Recovery partition was installed.

Classic Mac OS didn’t really have a System folder as such, and making a volume bootable was a combination of providing it with an appropriate System file and working a bit of black magic by ‘blessing’ it. There was no command line either, so providing yourself a rescue or emergency disk was relatively straightforward.

SUM

For the first ten years of Mac OS X, its closest substitute was Single User Mode, or SUM, entered by starting the Mac up with the Command and S keys held down. OS X then booted into the command line, where you could for example repair your startup volume using the standard command
/sbin/fsck -fy
You could then restart using the command
reboot
with your fingers crossed and lucky rabbit’s foot ready, hoping that all worked properly again. Many of us kept emergency boot disks at the ready, stocked with useful diagnostic and repair tools we could use to get our Macs out of trouble.

Recovery partition

With Mac OS X Lion, and the delivery of OS X from the App Store, this all changed: starting a Mac up with the Command and R keys held now entered its new Recovery mode, stored in what was termed the Recovery partition. In those days of HFS+, that was just another volume on the boot disk, and could be supplemented with a prepared USB stick containing third-party recovery tools, such as Drive Genius or Disk Warrior.

Recovery could restore a Mac from a Time Machine backup, run Disk Utility to check and repair the startup volume or others currently connected, install or reinstall OS X, and would walk you through testing an Internet connection if required. Apple even released the occasional update to Recovery, for instance in OS X Yosemite Recovery Update 1.0.

As this local Recovery was dependent on its volume remaining intact and bootable on the startup disk, Apple added Internet Recovery, available by holding Command-Option-R when starting up. This ran Recovery by connecting to an Apple server, and was quickly recognised as being interminably slow, even over faster network connections of the time. There was also an important difference in reinstalling OS X in the two variants: standard Recovery reinstalled the most recent version of OS X found on that Mac, but Internet Recovery took the Mac back to the version that originally shipped on it, leaving you to update from the App Store.

Complications

Prior to macOS Sierra, entering Recovery usually worked with a wireless keyboard; when running Sierra and later, many users found that they had to connect Bluetooth keyboards to a USB port to ensure the startup key combination worked reliably.

Sierra 10.12.4 introduced what were effectively three different Recovery modes:

local Recovery mode, engaged with Command-R, behaved as before, in providing the version of macOS already running on that Mac, even if a more recent version was available.
remote latest Recovery mode, engaged with Command-Option-R, behaved differently according to the version of macOS installed. In 10.12.3 and earlier, reinstalling restored the version that came with that Mac. In 10.12.4 and later, reinstalling upgraded that Mac to the latest version of macOS compatible with it.
remote original Recovery mode, engaged with Command-Option-Shift-R, only worked when running macOS 10.12.4 or later, where it reinstalled the version of macOS that shipped with the Mac.

Apple also warned that not all old versions of macOS/OS X were available to reinstall, and the version actually installed might have been “the version closest to it that is still available.” I summarised that in the following flow chart.

The introduction of APFS in High Sierra also complicated Recovery. As macOS 10.13 only converted hard disks and SSDs, not Fusion Drives, to APFS, some Macs were left with the traditional HFS+ Recovery volume, while those that moved up to APFS adopted its new boot disk structure, shown below.

This changed again with Catalina, and its new volume group consisting of a System and Data volume, with a paired Recovery volume.

Apple silicon Macs and Big Sur

For Intel models, the introduction of Big Sur’s Signed System Volume (SSV) had limited effects on Recovery.

Apple silicon Macs, though, had a brand new Recovery system, dubbed 1 True Recovery (1TR), run from a hidden container on their internal SSD, and engaged by pressing and holding the Power button. This requires both physical contact with the Mac and a mechanical action.

The three containers on an M1 Mac’s internal storage have distinct functions. The first, Apple_APFS_ISC, is the iBoot System Container (iSC), and supports the iBoot firmware in the early boot process, as well as providing trusted storage for the Secure Enclave within the M1 chip. The Apple_APFS_Recovery container is dedicated to providing 1TR, which is stored on its Recovery volume. This includes a second part of iBoot and all that’s necessary for the M1’s full Recovery mode. In this scheme, there’s just one True Recovery system on each M1 Mac, regardless of how many different versions of macOS it might have installed.

If you need your M1 Mac to enter 1 True Recovery, but that fails, there’s a second copy of the software required for 1TR “for resiliency”, stored in the Recovery volume paired in the current boot volume group. To boot into that, instead of just holding the Power button until 1TR starts loading, you press the Power button twice in rapid succession, and on the second press, instead of releasing the button, hold it pressed until recovery options are reported as loading.

What you then get is every bit as good as regular 1TR, with one significant exception: you can’t set the system security state using Startup Security Utility. Apple explains that this is because “LLB [Low-Level Bootloader] doesn’t lock an indication into the Boot Progress Register saying it is going into recoveryOS”. But for all other purposes, this is just as good as 1TR.

Apple silicon Macs and Monterey

That new Recovery architecture was fine while Apple silicon Macs could only boot into the one major version of macOS, Big Sur. When Apple released the next, Monterey, it changed Recovery to cope better with those that might have two different boot volume groups installed on their internal storage. That swapped the location of primary and fallback Recovery.

From Monterey onwards, starting up in primary Recovery using the Power button boots that Mac into the Recovery volume paired with the current boot volume group. Starting up in fallback Recovery using the doubly-pressed Power button boots that Mac into the fallback Recovery (frOS) installed in the hidden Apple_APFS_Recovery container on the internal SSD.
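The container roles described for Big Sur and Monterey can be read off the output of diskutil list. The following is an added example, not code from the original article or from Apple: the sample listing is constructed, and the function names sample_diskutil_list, classify_containers and has_expected_layout are hypothetical.

```sh
#!/bin/sh
# Added example: map the containers on an Apple silicon Mac's internal SSD to
# their Recovery roles. The sample below is constructed; sizes and disk
# numbers are illustrative only.
sample_diskutil_list() {
cat <<'EOF'
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:             Apple_APFS_ISC Container disk1         524.3 MB   disk0s1
   2:                 Apple_APFS Container disk3         494.4 GB   disk0s2
   3:        Apple_APFS_Recovery Container disk2         5.4 GB     disk0s3
EOF
}

# classify_containers MAJOR
# Reads `diskutil list` text on stdin and prints "<identifier> <type> <role>".
# MAJOR is the macOS major version (11 = Big Sur, 12 = Monterey).
classify_containers() {
  awk -v major="${1:-12}" '
    $2 == "Apple_APFS_ISC" {
      print $NF, $2, "iBoot System Container (iSC)"
    }
    $2 == "Apple_APFS_Recovery" {
      # Big Sur keeps 1TR here; Monterey and later keep fallback Recovery here.
      role = (major + 0 >= 12) ? "fallback Recovery (frOS)" : "primary Recovery (1TR)"
      print $NF, $2, role
    }
    $2 == "Apple_APFS" {
      # The paired Recovery volume lives in this visible container.
      role = (major + 0 >= 12) ? "paired Recovery is primary" : "paired Recovery is second copy"
      print $NF, $2, role
    }'
}

# Succeeds only if the iSC and Recovery containers each appear once and at
# least one ordinary APFS container is present.
has_expected_layout() {
  classify_containers 12 | awk '
    { seen[$2]++ }
    END { exit !(seen["Apple_APFS_ISC"] == 1 && seen["Apple_APFS_Recovery"] == 1 && seen["Apple_APFS"] >= 1) }'
}

# Demo on the constructed sample; on a Mac, pipe `diskutil list` in instead.
sample_diskutil_list | classify_containers 12
```

A missing or duplicated Apple_APFS_Recovery entry makes has_expected_layout return non-zero, which is worth checking before relying on fallback Recovery.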

This is simplest with just one version of macOS installed, and no external bootable disk. In that case, primary Recovery is in the only paired Recovery volume on the visible Apple_APFS container, alongside its System and Data volumes. When there’s more than one bootable copy of macOS available, then primary Recovery is the Recovery volume paired with the System volume that Mac was expecting to start up from. By default, that’s the last system that it was running, unless you have changed the boot volume in Startup Disk settings.

As fallback Recovery is stored in its own dedicated container on the internal SSD of Apple silicon Macs, it should be more robust and resilient than primary Recovery. It differs in two significant respects:

Startup Security Utility is not available, as noted above for Big Sur.
Its version may lag the current firmware installed on that Mac, as updating fallback Recovery has been opportunistic and not reliable. Apple may be taking steps to address this.