Apple offers the right operating system for its various electronic products - macOS for the Mac, iOS for the iPhone, watchOS for the Apple Watch and so on. However, there are also firmware and systems that are also named after the “…OS” scheme, but are much less well known. For example, I have summarized below what the hidden systems embeddedOS, bridgeOS and sepOS are all about. In addition to the three examples, there are other “micro operating systems” and examples of firmware. However, these are not always equipped with an “OS” name.
Chapter in this post:
Systems for T1 and T2 chips: embeddedOS and bridgeOS
Even before Apple switched from Intel CPUs to its own chip combinations for its computers, it was already using self-developed ARM chips. These included, among others, the processors of the T series, i.e. the T1 and the T2. These are said to have come from the SoC of the Apple Watch (S1 and S2) and, in addition to the Touch Bar in the MacBook Pro, also take care of various security mechanisms - such as Touch ID, camera and microphone use. In addition, the use of the Secure Enclave with its encrypted data is handled via the T-chips.
To implement the whole thing, embeddedOS and bridgeOS are used. While embeddedOS is mentioned as an operating system for embedded systems primarily in connection with the T1, bridgeOS is primarily found in connection with the T2. Depending on the source, there is a different weighting, which makes an exact assignment not so easy. In any case, the operating systems that run independently of macOS ensure that biometric data for Touch ID as well as access to the microphone and camera are managed externally and are therefore more difficult to hack.
Since the “Apple Silicon”, i.e. the M-chips, which have been used in new Mac models since 2020, individual T-chips are no longer used. The corresponding technology, including the Secure Enclave, has since been integrated into Apple's own M-series ARM chip on the Mac. This also not only runs with macOS, but also has its own operating systems and firmware for different components. This means that these individual areas can work more safely and efficiently. They act as gatekeepers for boot and login processes, making data management more secure and overall Mac usage (theoretically) more efficient.
Der laut AppleDB firmware overview EmbeddedOS seems to have been merged into bridgeOS 3.0 after version 2.0. The last release of embeddedOS is associated with the T1 chip, while the first release entry of bridgeOS was associated with the T2 chip. The current versions are bridgeOS 8.3 (released on January 22, 2024) and the bridgeOS 8.4 beta (released on January 29, 2024). Information as of February 1, 2024.
Special system for the Secure Enclave: sepOS
The sepOS, which is an abbreviation for “Secure Enclave Processor Operating System”, runs in the same area of Apple’s ARM chips. In addition to the T1 and T2, the sepOS is also used on modern Apple silicon Macs, for example to protect biometric data for the Touch ID on the MacBook Pro from hacking attacks.
The same applies to the Secure Enclave and its sepOS in the SoC models of iPhone and iPad (A and M chips). The data for Touch ID and Face ID are also handled separately there. They must be requested from iOS and iPadOS at sepOS.
The Secure Enclave is also available in the Apple Watch, Apple TV and HomePod (mini). Here is the complete overview of Apple devices with Secure Enclave:
- iPhone 5s or newer
- iPad Air or newer
- MacBook Pro computers with Touch Bar (2016 and 2017) and Apple T1 chip
- Intel-based Mac computers with Apple T2 Security Chip
- Mac computers with Apple chips
- Apple TV HD (or newer)
- Apple Watch Series 1 or later
- HomePod and HomePod mini
If you are interested in the security mechanisms of the Apple Secure Enclave and want to understand them in their technical details, then I recommend the manual “Security of Apple platforms“. The link takes you to the web version of the manual, which you can read in its entirety and ad-free via Apple.com.
In addition to the information presented here in layman's terms, it also covers, among other things, the management of the Secure Enclave SoC, including exchange with NAND flash memory and DRAM via the memory protection engine. In addition, the secured boot process of sepOS is discussed, the cryptography used in operation is explained, the Secure Neural Engine is described and the differences between different Secure Enclave generations are shown.
Here is another video from the “Black Hat” conference in 2016, which is about the potential hacking of the then new sepOS:
My tips & tricks about technology & Apple
Related Articles
Apple M4: Details about the new system on a chip- Let Loose: This is how you watch the iPad keynote live!
- In the test: AirPods Pro as hearing protection at a heavy metal concert
- First CTF adjustment: Apple weakens unfair developer fees
- Audio and video: Apple Events from 2007 in the Podcasts app (+alternatives)
- Creality CR-Scan Raptor – Hand-held 3D scanner with laser and NIR modes (sponsor)
- New iPads: Apple announces event for May 7, 2024
- iCloud+: features, storage, costs and benefits
After graduating from high school, Johannes completed an apprenticeship as a business assistant specializing in foreign languages. But then he decided to research and write, which resulted in his independence. For several years he has been working for Sir Apfelot, among others. His articles include product introductions, news, manuals, video games, consoles, and more. He follows Apple keynotes live via stream.
