Apple's hidden systems: What are embeddedOS, bridgeOS and sepOS?

Apple has a matching operating system for each of its product lines: macOS for the Mac, iOS for the iPhone, watchOS for the Apple Watch and so on. There are also firmware and systems that follow the same “…OS” naming scheme but are far less well known. Below I have summarized what the hidden systems embeddedOS, bridgeOS and sepOS are about. Beyond these three there are further “micro operating systems” and pieces of firmware, but they do not always carry an “OS” name.

Here you will find information about the embeddedOS, bridgeOS and sepOS systems running on Apple's ARM chips. Among other things, they manage sensitive data and hardware access separately from macOS, iOS and the rest, which makes the respective device more secure: a compromise of the main operating system alone does not hand an attacker the data these systems guard.

Systems for T1 and T2 chips: embeddedOS and bridgeOS

Even before Apple switched its computers from Intel CPUs to its own chips, it was already building self-developed ARM chips into Macs. These included the processors of the T series, i.e. the T1 and the T2. The T1 is generally considered to be derived from the Apple Watch SoC (S2), while the T2 is closer to the A10 SoC of the iPhone. Besides driving the Touch Bar in the MacBook Pro, they take care of various security mechanisms, such as Touch ID and, on the T2, the control of the camera's image signal processor and the hardware disconnect of the microphone when the lid is closed. Above all, the Secure Enclave with its encrypted data lives on the T chips.

To implement this, embeddedOS and bridgeOS are used. embeddedOS is mentioned as the operating system for embedded systems mainly in connection with the T1, while bridgeOS is mainly found in connection with the T2. Sources weigh this differently, so an exact assignment is not so easy. In any case, these operating systems run independently of macOS, so the biometric data for Touch ID as well as access to the microphone and camera are managed outside macOS. Touch ID templates are stored encrypted under the Secure Enclave and never leave it, which makes them far harder to steal even from a fully compromised macOS.

Since the “Apple silicon” M chips, which have been used in new Mac models since 2020, separate T chips are no longer used. The corresponding technology, including the Secure Enclave, has been integrated into Apple's own M-series SoC on the Mac. This SoC not only runs macOS; individual components have their own operating systems and firmware, so these areas can work in isolation and efficiently. They act as gatekeepers for the boot and login processes (secure boot, Touch ID unlock, handling of the FileVault keys), making data management more secure and overall Mac usage (theoretically) more efficient.

According to the AppleDB firmware overview, embeddedOS appears to have been merged into bridgeOS with version 3.0, after embeddedOS 2.0. The last embeddedOS release is associated with the T1 chip, while the first bridgeOS entry is associated with the T2 chip. The current versions are bridgeOS 8.3 (released on January 22, 2024) and the bridgeOS 8.4 beta (released on January 29, 2024). Information as of February 1, 2024.
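To turn the version talk above into something you can check on your own machine, here is an added shell example (mine, not code from this blog, from AppleDB or from Apple): it classifies the Mac's security controller from the output of “system_profiler SPiBridgeDataType” and extracts the bridgeOS build (the “iBridge” field) from the firmware string that “system_profiler SPHardwareDataType” prints on T2 Macs. The exact wording of those outputs (“Controller: Apple T2 Security Chip”, “(iBridge: …)”) is assumed from how current macOS versions print them; the sample lines in the block are constructed, and the live commands run only where system_profiler exists, i.e. on macOS.

```shell
#!/bin/sh
# Added example, not from the original article and not an Apple tool.
# Assumption: `system_profiler SPiBridgeDataType` prints a line
# "Controller: Apple T2 Security Chip" on T2 Macs and "Controller: Apple M1"
# (or another M-series name) on Apple silicon Macs, and
# `system_profiler SPHardwareDataType` prints a firmware string of the form
# "... (iBridge: 18.16.14759.0.1,0)" on T2 Macs only.

# Classify the security controller from SPiBridgeDataType text.
# Prints one of: t2, apple-silicon, none (no T2 or Apple silicon controller
# reported, e.g. an older Intel Mac).
classify_controller() {
    case "$1" in
        *"Apple T2 Security Chip"*) echo "t2" ;;
        *"Controller: Apple M"*)    echo "apple-silicon" ;;
        *)                          echo "none" ;;
    esac
}

# Extract the bridgeOS build from the firmware version line. Both the older
# "Boot ROM Version:" and the newer "System Firmware Version:" label are
# handled because only the "(iBridge: X,Y)" part is matched. Prints nothing
# when there is no iBridge field (non-T2 Intel Macs, Apple silicon Macs).
ibridge_build() {
    printf '%s\n' "$1" | sed -n 's/.*(iBridge: \([0-9.]*\),.*/\1/p'
}

# Constructed sample output in the format assumed above, so the functions
# can be exercised offline on any POSIX shell.
SAMPLE_T2_BRIDGE='Controller Information:

      Controller: Apple T2 Security Chip
      Boot UUID: 00000000-0000-0000-0000-000000000000'
SAMPLE_T2_HW='      System Firmware Version: 1554.120.19.0.0 (iBridge: 18.16.14759.0.1,0)'
SAMPLE_M1_BRIDGE='      Controller: Apple M1'
SAMPLE_M1_HW='      System Firmware Version: 10151.101.3'

# One-line summary of controller type and bridgeOS build.
report() {
    ctrl=$(classify_controller "$1")
    build=$(ibridge_build "$2")
    if [ -n "$build" ]; then
        echo "controller: $ctrl, bridgeOS build: $build"
    else
        echo "controller: $ctrl, no iBridge field in firmware string"
    fi
}

if command -v system_profiler >/dev/null 2>&1; then
    # On macOS: read the live values.
    report "$(system_profiler SPiBridgeDataType 2>/dev/null)" \
           "$(system_profiler SPHardwareDataType 2>/dev/null)"
else
    # Elsewhere: demonstrate on the constructed samples.
    report "$SAMPLE_T2_BRIDGE" "$SAMPLE_T2_HW"
    report "$SAMPLE_M1_BRIDGE" "$SAMPLE_M1_HW"
fi
```

The iBridge build number uses its own numbering (17.x for bridgeOS 4, 18.x for bridgeOS 5 and so on), so it is the value to compare against the AppleDB list when you want to know whether a Mac's T2 firmware is current; macOS updates ship bridgeOS alongside the OS, so a Mac that has not installed recent macOS updates is also running an old bridgeOS.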

Special system for the Secure Enclave: sepOS

sepOS, short for “Secure Enclave Processor Operating System”, is the firmware of the Secure Enclave Processor (SEP), a separate core inside Apple's chips with its own boot ROM and its own protected memory. It runs not only on the T1 and T2 but also on modern Apple silicon Macs, where it protects, for example, the Touch ID biometric data of the MacBook Pro from attacks that start in macOS.

The same applies to the Secure Enclave and its sepOS in the SoCs of iPhone and iPad (A and M chips). The data for Touch ID and Face ID are handled separately there as well: iOS and iPadOS never receive the fingerprint or face templates themselves, they can only ask the Secure Enclave to perform a match and get back the result.

The Secure Enclave is also found in the Apple Watch, Apple TV and HomePod (mini). Here is the complete overview of Apple devices with a Secure Enclave:

  • iPhone 5s or newer
  • iPad Air or newer
  • MacBook Pro computers with Touch Bar (2016 and 2017) and Apple T1 chip
  • Intel-based Mac computers with Apple T2 Security Chip
  • Mac computers with Apple chips
  • Apple TV HD (or newer)
  • Apple Watch Series 1 or later
  • HomePod and HomePod mini

If you are interested in the security mechanisms of the Apple Secure Enclave and want to understand them in technical detail, I recommend the manual “Apple Platform Security”. The link takes you to the web version of the manual, which you can read in its entirety and ad-free on Apple.com.

In addition to what is presented here in layman's terms, it covers, among other things, the architecture of the Secure Enclave: the Secure Enclave Processor itself, the Memory Protection Engine that encrypts and authenticates the Secure Enclave's region of DRAM, and the Secure Enclave's own nonvolatile storage. It also discusses the secure boot of sepOS, explains the cryptography used in operation, describes the Secure Neural Engine and shows the differences between the Secure Enclave generations.

Here is a video from the “Black Hat” conference in 2016 about potential attacks on the then still new sepOS:
