Since the release of my video on Secure Enclave, tons of comments have told me that
Apple's NANDs are upgradeable. My first thought was, oh man, boy, did I ever
screw this one up, but when I looked into it, it wasn't so straightforward. The root of
these claims mostly comes from a Chinese social media post that I definitely missed.
Then came the problem of verifying it. Pretty much any major media that reported
on SSD upgrades used this one source. I wanted more. This is the blood-and-guts
version of how you can swap SSDs on an Apple silicon Mac and whether it's actually feasible
to upgrade the Apple silicon Mac SSDs. Let's review the facts that I discovered when making
my video on sepOS, Apple's secret operating system.

Fact 1: Since 2016, Apple has ported over the Secure Enclave from iOS in the form of the T2
chipset, which provided services via bridgeOS, as the T2 is more than just the Secure Enclave.

Fact 2: During this time, Apple removed the ability to upgrade SSDs, with outliers being
computers like the iMac Pro and the Mac Pro 2019. Most computers from this point onward had
soldered-down SSDs, even in the non-T2 Macs like the MacBook 12-inch series.

Fact 3: With Apple silicon, Apple no longer needed a T2 chipset, thus folding the
Secure Enclave into the system-on-a-chip design. Apple now integrates the SSD controller for
internal storage entirely on the SoC. This has been true for all Apple silicon Macs thus far.

Fact 4: Apple released the Mac Studio, the first Apple silicon Mac with modular NANDs,
meaning for the first time, users were able to experiment with
swapping NAND modules without requiring extreme measures to other proprietary NAND that are
in short supply.

And for our final fact, Fact 5: The Mac Studio's SSDs were first thought to be unswappable,
then confirmed to be swappable. Mac YouTuber Luke Miani first attempted a Mac Studio SSD swap
and was unsuccessful. iFixit had its issues but ultimately was able to swap the Mac Studio's
SSDs. This was also confirmed by Linus Tech Tips, which attempted to swap the Mac Studio
modules and was successful but unable to upgrade to larger SSDs. These developments were also
covered by respectable tech publications like Ars Technica. Luke probably suffered some of the same
problems iFixit originally had. Despite this, pretty much everybody's conclusion was the same.
[Luke] Apple is intentionally deliberately restricting your access to your own device, but
there is no benefit to shipping a machine with removable storage mediums that can't be upgraded.
[iFixit] Storage swaps are possible, at
least between drives of the same size. The jury's still out on upgrades, but
we can always hope for a software update.
[Linus] Apple locks it through firmware. There's no reason they have to do that, but
they do it anyway, and unless their customers make a great big stink about it, they're just
going to keep on doing this kind of thing.
[DMUG]
I will have these videos, of course, linked in the description, as they are all very good.
Since my video was primarily focused on sepOS as it exists today and to keep the narrative
flow, I left out the next bits from the video, but I think this provides a nice explainer
of the treatment of the NAND modules. I warn you the next section will be dense, so
feel free to skip ahead using the chapters as I'm going to explain why you can't easily swap
an SSD in a Mac and also pairing to boot drives. Apple's white paper, the T2 Security Chip
Overview, gives a great summary of APFS encryption. This gives us a nice overview of
how Apple locks its storage. The next three paragraphs are important, but I'm not going to
read them verbatim. Apple embeds a unique ID into the Secure Enclave during manufacturing, and it's
done so in such a way that even Apple doesn't have access to it. With Apple's encryption engine, the
unique identifier makes it impossible to decrypt a drive on another computer. This forms the basis
for its encryption engine for storage and is why merely having a decryption key alone is not
enough to decrypt the contents of the SSD. Apple illustrates this concept with the quote on screen,
and it goes on to explain this in greater detail. Another interesting point is in the following:
if FileVault is not enabled on a T2 Mac during the initial Setup Assistant
process, the volume is still encrypted, but the volume key is protected by the
hardware UID and the Secure Enclave. So even if you're not using
FileVault to encrypt the drive, it will still not be accessible without
the Secure Enclave providing the UID. This also applies to the Apple silicon Macs.
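A simplified model of the UID-bound volume key described above, added here as an illustration and not taken from Apple's documentation or the video. PBKDF2 and an HMAC-based wrap stand in for the Secure Enclave's hardware AES engine, and the UIDs, password, nonce and function names are all constructed for the example.

```python
import hashlib
import hmac

def derive_kek(uid: bytes, password: bytes = b"") -> bytes:
    # Stand-in for the Secure Enclave: the key-encryption key always mixes in
    # the chip's UID; the password is only added when FileVault is on.
    return hashlib.pbkdf2_hmac("sha256", password, uid, 1000)

def _stream(kek: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC in counter mode as a keystream (assumption: replaces hardware AES).
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(kek, b"enc" + nonce + bytes([counter]), hashlib.sha256).digest()
    return out[:n]

def wrap(kek: bytes, volume_key: bytes, nonce: bytes) -> bytes:
    # Encrypt-then-MAC: the blob stored on the NAND is nonce || ciphertext || tag.
    ct = bytes(a ^ b for a, b in zip(volume_key, _stream(kek, nonce, len(volume_key))))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong UID or password: the volume key stays sealed
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, nonce, len(ct))))

def swap_scenario() -> dict:
    # Constructed sample values, not real identifiers or keys.
    uid_a, uid_b = b"A" * 32, b"B" * 32      # two different machines
    volume_key = bytes(range(32))
    nonce = b"\x01" * 16                      # fixed only to keep the demo repeatable
    no_fv = wrap(derive_kek(uid_a), volume_key, nonce)            # FileVault off
    fv = wrap(derive_kek(uid_a, b"hunter2"), volume_key, nonce)   # FileVault on
    return {
        "original_mac": unwrap(derive_kek(uid_a), no_fv) == volume_key,
        "original_mac_filevault": unwrap(derive_kek(uid_a, b"hunter2"), fv) == volume_key,
        # NAND moved to another machine: its UID differs, so unwrap fails...
        "swapped_no_filevault": unwrap(derive_kek(uid_b), no_fv),
        # ...even when the correct password is supplied.
        "swapped_with_password": unwrap(derive_kek(uid_b, b"hunter2"), fv),
    }

if __name__ == "__main__":
    print(swap_scenario())
```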
The next source that I didn't really talk about is the Apple Platform Security doc, where
Apple outlines some of the latest security, like how the recovery OS on Apple silicon
is actually paired to that computer. This is accomplished using the UID. Even if you
had a NAND with a recovery partition on it, it would not be able to launch it. This is why you
can't use a recovery partition on an external device, as it has to be paired to your device,
assuming I didn't misinterpret Apple's data. Just so we're clear, this does not apply to
external media as a whole, only the recovery OS. If your SSD dies, it leaves your Mac in an unbootable
state, well... mostly. We'll come back to that. So if you take the scenario of swapping
SSDs between Mac Studios, it cannot boot into the recovery mode since that's paired
to a different computer. Even for Apple, this would be completely off the rails
if they didn't have some way to service a Mac that was rendered unbootable after
corruption of the main OS and recovery OS. In the same document, under LocalPolicy
Signing Key creation and management, we get the explanation of how it was installed at
the factory and how it could be installed again. When macOS is first installed from the factory
or when a tethered erase install is performed, the Mac runs code from a temporary restore
RAM disk to initialize the default state. So yeah, it's really complicated,
but there is this tethered mode they mentioned (in the document). This tethered
mode is DFU, device firmware update. It's a special boot mode on Apple silicon
devices that allows users to update and restore the firmware on the device. Long-time
iPhone users may be familiar with DFU mode already, but it became part of Macs as of the T2
and made the transition to Apple silicon. In DFU mode, the device is able to communicate with
another Mac and can be restored to its factory settings or updated to the latest firmware
version. It requires a second Mac to fix the first Mac using Apple Configurator. Unlike
the recovery OS, it is part of the secure ROM and is a last-ditch effort for when the recovery
OS is corrupt or unbootable. I've linked in the docs how to reach the DFU mode for both T2 and
Apple silicon. It's very similar. The DFU mode will reinstall the recovery OS, AKA Apple's recovery
mode, on the storage media; then the Mac can be booted into the recovery mode and perhaps fix
the boot volume or reinstall macOS altogether. I know that was headache-inducing, but
there is a way to install macOS onto a fresh SSD. The reason you have to do it
this way is because of very tight security, and for the uber-nerds out there, I'm not going
to touch on the Lifeboat connector because that is only found on old MacBook Pros. I don't think I
made this point very clearly in my previous video, but you can still boot off an external drive,
even if it has a T2 chipset or it's Apple silicon. I boot off an NVMe in my Mac Pro 2019, which is not
the internal SSD, but if you remove the internal Apple proprietary SSDs, the computer will not boot.
Now that we've caught up on the world-building and lore, we can return to the main story. DFU is
where people got stuck, like Luke and iFixit. Then later (I think after a DFU update), both
iFixit and LTT were able to swap SSDs. This is where I figured this entire story ended, and I
admit I made kind of a haphazard speculative leap, but I had missed a mysterious subplot in
the form of the Chinese social media post. When I asked users for any better sources, two
of the viewers of my videos really stepped up and gave me some pretty good information. Thanks,
sssloe (struggles to pronounce). Anyhow, also, thanks to Matthaus Woolard. Then another viewer
by the name of Peter Wan also pointed me to a very useful YouTube video that just confirmed
what the other two guys had just told me. This video illustrates how you replace the NAND
modules in a MacBook Air M1. Once you're done, you do the DFU restore. At this point,
I felt like you could confidently say you can upgrade the Apple silicon
laptop storage or the Mac Mini. I was wrong in my first video. You can indeed
upgrade your SSDs... well, provided you have serious soldering skills and the ability to
source the NANDs. But what about the Mac Studio? I tried calling a local authorized
Mac dealer that did Mac repairs, and I'll leave them nameless, but I spoke to an
employee who was kind enough to humor me when I asked if I could replace the SSD in a Mac Studio
with a larger one. And of course, I was told no, but when I asked if the DFU mode would restore it
to a larger one, he seemed intrigued but didn't have an answer. The other shop I called didn't
feel like chatting. They just told me they could only replace the SSD. I was still at a dead end,
unable to find any more information online. Then a breakthrough, I stumbled across a post on the
MacRumors forums that would contain the answers I was looking for. The user Gillies_Polysoft
was able not just to swap SSDs but to upgrade a Mac Studio from 512 gigabytes to 4 terabytes.
Gillies outlines the process and hits on the first obvious truth: Apple does not sell replacement or
upgrade NAND cards for the Mac Studio. They are not available anywhere at present. Secondly, he
speculates that someone armed with a JCID programmer and the skills for BGA soldering could
probably upgrade their Mac Studio. Of course, they need the right NAND modules too. However,
this breakthrough doesn't mean that Macs are user-serviceable in any sane way. Apple still has
tight control over the supply lines, disallowing any third parties from creating SSDs for
the Mac Studio. Very technically inclined individuals may have the ability to potentially
repair these machines... maybe. And this is why the internet can be so wonderful. You can always
find out that you are wrong. Thanks everybody!