Gone are the days when you could pop the hard drive out of a sick Mac and connect it to another to recover its contents. This article explains how you may be able to transfer some or all of the contents of a modern Mac’s internal SSD to another Mac.

Any Mac: Thunderbolt

As long as you can get your Mac up and running, the fastest way to transfer files from its internal storage is back-to-back Thunderbolt networking, easily set up in Network settings. All you need is another Mac with a free Thunderbolt port and a suitable cable to connect them directly.

Apple silicon: Share Disk

If you can get an Apple silicon Mac to start up in Recovery mode, or Fallback Recovery, then you’ve got a good chance of salvaging whatever you need from its internal SSD.

Connect it back-to-back with another Mac using a Thunderbolt 4 (or 3) cable. Start the sick Mac up in Recovery, pass through to Options and authenticate as necessary. In the Utilities menu there select the Share Disk command.

Select the volume you want to share, and when necessary unlock it with the password required for its encryption.

On the other Mac, that shared volume should appear as a networked device, connected as Guest, or on the Desktop. Despite that, you should have full access to its contents. This connection uses SMB, so listing large folders in the Finder will be surprisingly slow.

Now you can copy across all the files you want to your other Mac. That’s impressively quick, and can read them at about 3 GB/s, as you’d expect from a fast locally attached SSD. However, because of the SMB overhead, copying many small files is noticeably slower.

This can also get a bit kludgy when you’ve finished and want to disconnect. Trying to eject the shared volume may not work, and even when you stop sharing on the Mac in Recovery, and disconnect the cable, you may find the other Mac just won’t let go of it.

This only works with a single volume at a time. If you have added volumes to your Mac’s internal SSD, then you’ll have to repeat the process to access files on a different volume. But it does allow you to choose which volume to share.

Apple silicon: DFU mode

If you’re unable to put your sick Mac into Recovery, or Fallback Recovery, it’s still possible it has entered DFU mode, or could do so when started up to engage that mode. This is explored in more detail in this article, but doesn’t give you access to the contents of the Mac’s internal storage. You could try reviving it rather than performing a full Restore, though, as that isn’t destructive of its contents.

Intel T2: Target Disk

There are now two ways to enter Target Disk Mode on an Intel Mac with a T2 chip: if the Mac is already up and running (and not near-dead at all), you can opt for this in System Settings > General > Startup Disk, although I’m not sure why you would want to. If the Target really is sick, the only way you’re likely to engage this mode is to hold the T key during startup until the Thunderbolt symbol appears on its display.

The Target and Host must now be connected using a Thunderbolt 3 or 4 cable, although between Macs that are both running Catalina or earlier, a USB or USB-C cable could be used instead.

Shortly after they’re connected and ready, the Target’s internal Data volume should mount in the Host’s Finder. You should then be prompted for its FileVault password, and gain access to its contents. As with Apple silicon Macs, you can also copy files from the Host to the Target. To disconnect the Host and Target, eject the Target’s volume from the Host, then press and hold the Power button on the Target to shut it down.

Note that Target Disk Mode doesn’t offer a choice of volume.

Any Mac: External Boot Disk

If an Intel Mac with a T2 chip already has its boot security set (using Startup Security Utility) to allow it boot from an external disk, you may be able to get that to work, then mount the internal SSD to allow you to recover its contents to that or another external disk.

This is unlikely to work with an Apple silicon Mac, though, as it must always start the boot process from its internal SSD before it can continue booting from a system installed on an external bootable disk.

Summary

• Cable: Thunderbolt 4 (or 3) connecting the two Macs back-to-back.
• Apple silicon Mac: Recovery mode, Utilities menu, Share Disk.
• Intel T2 Mac: T key held during startup.
• Eject the Target’s disk on completion.
• Apple silicon Mac: disconnect button, then shut down.
• Intel T2 Mac: hold the Power button to shut down.

Following a general outline of what happens during a macOS 26 update, and a more detailed account of how it uses finite state machines and sends progress reports to Apple, this article describes what happens before Software Update downloads the main update. This was started by opening Software Update in System Settings of macOS 26.2 when the update to 26.3 was available, on a Mac mini M4 Pro. The Appendix at the end explains several in-house jargon terms used widely through these log entries.

Check for an update

In this case, checking for an update was instigated by opening Software Update in System Settings. That initiated a series of preliminary checks to:

• determine whether that Mac and user are enrolled in a beta-test programme;
• obtain the Pallas audience, in this case macOS Customer;
• determine the time interval since the last scan for updates, and its result. As that was 632.8 seconds ago and there were no updates reported as being available then, a further scan is deemed acceptable;
• set the base URL for Pallas of mesu.apple.com/assets/macos/.

A new scan for updates is started, with a UUID chosen to identify it. The UUID used is version 5, so is expected to be based on a hash of other identifiers, and is unique to this software update. The catalogue is downloaded from Pallas, and analysed for new versions being offered for download.

In this case there are two available:

• macOS263Short comes with just an arm64e system cryptex at 6,458 MB, and a download size of 3.68 GB which unarchives to 4.36 GB;
• macOS263Long comes with both arm64e and x86_64 system cryptexes at 6,458 + 2,312 MB, and a download size of 17.48 GB which unarchives to 18.14 GB.

Both of those use the Zip compression algorithm, and are designated as being ZipStreamable. macOS263Short is clearly the Delta update from 26.2, whose download size was then displayed in the Software Update panel. macOS263Long appears to be a full upgrade, equivalent to the macOS Installer app in terms of its contents.

A similar sequence of events occurs when you request a list of available macOS installers using the command
softwareupdate --list-full-installers

Routine checks

The following checks are repeated at frequent intervals throughout scanning and preparation:

• the presence of rollback objects, a rollback copy of cryptex1 in the Preboot volume;
• whether semi-splat is active, by comparing the Splat RestoreVersion with the Cryptex1 RestoreVersion;
• whether the root volume is sealed;
• whether this is an emergency update;
• battery level, even in Macs without a battery.

Sizing

Early estimates are made of the size required to prepare and apply the update. Prepare size consists of:

• a cryptex size requirement, consisting of the sum of the sizes of the app and system cryptexes, multiplied by 1.2, in this case a total of 7,809 MB;
• a snapshot prepare size, consisting of the snapshot installation size of 3,785 MB plus the cryptex size, for a total of 11,595 MB.

These total 11,595 MB when first calculated, but a little later the snapshot installation size was increased to 5,154, for a total of 12,963 MB.

The apply and reserve size consists of twice the update partition size plus the update APFS reserve of 700 MB, plus 231 MiB for volume sealing overhead, giving a total of 931 MB. Presumably any shortfall in free space available would be notified to the user at this stage, and the update cancelled.

The policy for updates is determined in detail, before Pallas is asked for a catalogue of MacSplatSoftwareUpdate, updates using cryptexes, probably including both older RSRs and their successor BSIs. In this case, that catalogue is empty.

Mobile asset catalogues

softwareupdated then takes a back seat for much of the following 15 seconds or so, as mobileassetd determines which mobile assets need to be updated. These are the multitude of components to support Siri, AI and other features. This too is run by a finite state machine, AutoControlManager, which downloads catalogues of these components to assemble its auto-stager. One catalogue alone lists 91 available for update, but thankfully many of those don’t need to be updated.

Once that’s complete, the progress bar is displayed and updated by softwareupdated.

Progress bar

This is divided into zones used for different stages of progress by softwareupdated. These can be summarised as:

• 0.0-0.9 prepare
• 1.0-7.0 reloading and downloading Update Brain
• 7.0-15.0 preflight
• 15.0-55.0 downloading
• 55.0-60.0 preflight FDR Recovery
• 60.0-100.0 preparing update

During the downloading and preparing stages, progress updates are made according to the amount of the stage that has been completed. Otherwise they are made when each stage has been achieved.

In practice, progress is most meaningful during the downloading and preparing stages, between percentages of 15-55 and 60-100. Time estimates are displayed for both of those separately, with download time remaining based on size transferred. Once downloading is complete, the final 40% of the bar is given a fixed period of 30 minutes to complete, although that’s never required now.

Initial preparation

softwareupdated determines and downloads the cryptex updates, any SFR software update, any Rosetta update, any RecoveryOS update and the RecoveryOS update ‘brain’ for that. These are set up with their own finite state machine that downloads the catalogue, determines what should be downloaded, and downloads it. The final phase handles the documentation for the update, in this case consisting of

• release notes summary, 1,268 B
• release notes, 1,243 B
• licence agreement, 97,187 B.

There’s an irony here that the first two are so tiny by comparison with the last.

In this case, downloading the update was completed within 10 minutes of obtaining the first update catalogue from Pallas.

Summary

• After preliminary checks on beta enrolment and the period since last check, a catalogue of available updates is obtained from the software update server.
• That catalogue offers a short Delta update, and a long full update.
• Downloaded updates are compressed using Zip, and decompressed as they are streamed in the download.
• Sizes required for preparation and applying the update are checked and adjusted.
• mobileassetd determines a potentially long list of mobile assets to be updated.
• Progress is displayed according to a combination of downloading between 15-55%, and preparation between 60-100%. Other stages are defined by progress through required steps rather than time.

Appendix: Terms used

• Pallas is the internal name for Apple’s software update server. This appears throughout log entries, where for example Pallas audience is jargon for the type of user, normally macOS Customer.
• RecoveryOS appears to refer to the version of Recovery in the hidden container of the internal SSD, more widely known as Fallback Recovery.
• SFR appears to refer to the version of Recovery in the Recovery volume of the active boot volume group, also known as Paired Recovery.
• Splat, semi-splat and rollback objects all refer to cryptexes. Splat is the general term, while semi-splat refers to a cryptex-based update that might include rapid security responses (RSR) and background security improvements (BSI) implemented by replacing one or both cryptexes. Rollback objects are older versions of a cryptex that have been saved to allow a newer cryptex to be reverted to that older one, in the event that the newer cryptex causes problems.

If you need features in Recovery, but can’t get an Intel Mac to enter that mode, your next step is to start it up with the Command, Option and R keys held for Remote or Internet Recovery. But you can’t do that with an Apple silicon Mac. Instead you should try Fallback Recovery, the subject of this article.

When Apple silicon Macs first came out and ran Big Sur, they only had one Recovery system, installed in a dedicated container named Apple_APFS_Recovery. If that didn’t work, the best you could hope for was that Refreshing or Reviving in DFU mode might fix it. That changed in Big Sur 11.6.1 and Monterey. Since then, most Apple silicon Macs have had two Recovery systems:

• Primary or Paired Recovery is stored in the Recovery volume associated with each macOS boot volume group, and inside the same container.
• Fallback Recovery is an older version of the Recovery system that has been moved from a paired Recovery volume and is now stored in the hidden Apple_APFS_Recovery container in the internal SSD.

In the diagram above, Paired Recovery is the green volume disk3s3, and Fallback Recovery is disk2s1 in the yellow Apple_APFS_Recovery container.

Start up in Fallback Recovery

Where Fallback Recovery has been installed by macOS, a Mac may start up automatically in Fallback Recovery if you try to start up in Paired Recovery using a long press on the Power button, but that fails. You can also elect to start up in Fallback Recovery by pressing the Power button once, immediately pressing it again and holding that until the display informs you that options are loading. The cadence of the presses is like the Morse ‘di-da’, with a pause of no more than a second between them.

What’s missing from Fallback

From its outset, one standard feature of Recovery doesn’t work in Fallback: Startup Security Utility. You can’t therefore use it to change your Mac’s security settings or disable loading of third-party kernel extensions. For those you must use Paired Recovery. Apple also warns that Device Recovery Assistant may not be available in Fallback Recovery either.

Most importantly, though, Fallback Recovery can only offer the features that come with Recovery in that version of macOS. For example, at present it’s likely that Macs running Tahoe will have Fallback Recovery systems from Sequoia. Where they do, the new Repair Assistant isn’t available in Fallback Recovery, as that will still run Apple Diagnostics from Sequoia.

How it works

Since macOS installers and updaters for Big Sur 11.6.1 and Monterey, when the Paired Recovery system is updated, the installer may opt to copy the contents of the old Paired Recovery volume to the Fallback Recovery volume. This is presumably pre-determined in each updater and installer, and intended to ensure the fallback is as reliable as possible, even though its features are a little out of date. The user is given no option.

This may mean that a brand new Apple silicon Mac doesn’t come with Fallback Recovery, and that isn’t installed until the Mac has undergone its first macOS update.

Apple provides a bare minimum of documentation. Indeed, it’s most detailed account in its Platform Security Guide hasn’t been updated since May 2022, and contains an error in which it claims that Fallback Recovery starts the Mac up using Paired Recovery, exactly the same as for Paired Recovery.

Check Fallback Recovery

If you have never started your Mac up in Fallback Recovery, it’s a good learning exercise to do so when you have a few moments. You can then tackle the question of how to tell whether the Recovery mode your Mac is in is Paired or Fallback. There are three simple signs to look for:

• If Fallback is an older version of macOS, then the Reinstall macOS feature will offer that older version.
• Startup Security Utility will warn you that you can’t make any changes if you open it in Fallback mode.
• Opening Terminal and typing the sw_vers command will tell you the version of macOS running.

You can also check whether Fallback Recovery is available, and its version, in my free utility Mints. In its main window click on the Software Update button to view a list of software update settings. Within those:

• sfrProductVersion is the version of Paired Recovery available,
• recoveryOSProductVersion is the version of Fallback Recovery available.

In both my active Apple silicon Macs running macOS 26.3 Tahoe, Fallback Recovery is currently macOS 15.6 Sequoia, although both have been through 26.0 and every release update since. This could of course indicate that Tahoe’s updates haven’t yet installed a new version of Recovery since that supplied with 26.0.

Recovery isn’t available

If neither Paired nor Fallback Recovery are available, you can try reinstalling macOS in normal user mode. As you have no option to try that in Recovery, if that fails you’ll have to put that Mac into DFU mode, connect it to another recent Mac using a USB-C cable, then Revive its firmware. Reviving firmware isn’t destructive, and should leave both macOS System and your Data volumes intact. If that too doesn’t work, the only remaining option is to perform a full Restore, which will wipe absolutely everything on the internal SSD.

Erasing the contents of the internal SSD in an Apple silicon Mac might seem a simple task, until you consider what’s on it in addition to the user files in its Data volume. Not only is that paired with the System volume, a mounted snapshot, but there are two additional containers that you don’t normally see.

This article explains how you can erase the following:

• the Data volume, shown in blue
• the Boot Volume Group, consisting of the Data and System (pink), and their accessory volumes (green)
• all volumes in the Apple_APFS container (red)
• the entire SSD, including the other two containers (pale yellow).

Assuming that you’re going to install something in their place, it’s up to you to choose, and that will in turn determine how you can install macOS and anything else required to allow your Mac to start up and run again.

Before you try any of these, you should de-authorise that computer in one of Apple’s media apps, and ensure you have a thorough and reliable backup of all the user files.

Data volume

Erase the Data volume by destroying its encryption key using EACAS, Erase All Content and Settings. This doesn’t so much delete anything, as render it inaccessible, so is most economical on SSD use, and quickest without compromising on security. This affects all user accounts with Home folders stored on the internal SSD.

Open System Settings, General, Transfer or Reset, and click Erase All Content and Settings.

If you continue, you should see one final warning before the contents of the Data volume are blown away into the great bit-bucket in the sky.

When that has completed, your Mac will start up for personalisation, configuration, and creation of its new primary admin user, just as it did when it was new. However, it will still be running the same macOS installation as before you used EACAS.

Boot Volume Group

Erase the current Boot Volume Group using Disk Utility in Recovery. Put your Mac into Recovery by starting it up with the Power button held, select Options, select a user and authenticate as that user to display the Recovery window. There select Disk Utility and click Continue.

Select Macintosh HD at the left and click the Erase tool at the top of the window. Enter a name for the volume such as Macintosh HD, select APFS as the format, and click the Erase or Erase Volume Group button.

You might be asked to Erase and Restart, which will lead to a restart and following that your Mac will try to activate over a network.

On completion, quit Disk Utility, select Reinstall macOS if necessary, click Continue and follow the instructions to download and install fresh macOS. Note this procedure doesn’t wipe and reinstall the Preboot or Recovery volumes in the Boot Volume Group.

Some instead select the disk at the top of the list at the left, here named Apple Inc. VirtIO Block Media because it’s running in a VM. In theory that should completely reformat the internal SSD, wiping all three of its containers, and so require a more extensive reinstallation. In many cases, it’s preferable to Restore in DFU mode, to ensure the whole of the firmware is replaced at the same time.

Apple_APFS container

Erase the whole of the Apple_APFS container using Erase Mac in Recovery, which should erase all Boot Volume Groups within that container.

Enter Recovery as normal using the Power button, select Options, and click Continue. Then instead of selecting a known user, use the Erase Mac command in the Recovery Assistant menu. This completely erases all Boot Volume Groups in the Mac’s internal SSD, ready to reinstall macOS, for which it requires an internet connection.

This has the advantage that it can be performed when you don’t know the password to unlock the Data volume (FileVault).

Entire SSD

Erase the entire contents of the internal SSD by formatting it and installing its contents afresh from another Mac, using Restore in DFU mode.

This is described here. Apple has improved that from Sonoma onwards, as it’s no longer necessary to use Apple Configurator 2 on the Mac that’s performing this, but it can all be done in the Finder. To do that, you’ll need another Mac to perform the restore process, and a USB-C data cable to connect the two of them. Don’t try using a Thunderbolt cable, though, as it won’t work. Another secret for success is to plug that cable into the target Mac’s DFU port, that designated to support DFU connections, as detailed here.

Restoring in DFU mode replaces the Mac’s firmware, erases the boot volume group, and installs the bundled version of macOS, leaving that Mac in the same condition in which it was delivered to its first user, with a fresh copy of macOS ready to be personalised and set up. Although that part of the process is fairly quick, full migration is then required before user applications and documents are available. The great advantage of restoring is that you can pick which version of macOS and its firmware are installed.

Which version of macOS will be installed?

When restoring in DFU mode, you can choose which version of macOS will be installed according to the IPSW image you use, making it the method of choice when you intend downgrading that Mac to an older version of macOS.

Methods that obtain new macOS from Apple should install:

• the current version of the most recently installed major version of macOS
• if you have just upgraded macOS, then erased the Boot Volume Group in Recovery, Apple warns that “you may get” the version of macOS that was running before that upgrade.