Macos – What are the .efires files on OS X Lion’s Recovery HD

efifile formatfilevaultmacososx lion

If you mount the Recovery HD that enables OS X Lion File Vault 2, Safari mode, and certain recovery options, you see several .efires files. What format are those and what do they contain?

Best Answer

These files contain resources required for displaying the boot screen of OS X Lion before loading the actual operating system or in cases there is no system partition (or when it's broken).

They contain a flat list of files (no hierarchy), and each file has a name of up to 64 characters. The file format is as follows; all numbers are little endian, i.e. least significant byte first.

  • Two bytes 0x0200 with unknown purpose
  • Two byte short integer with the number of file entries (e.g. 0x3800 is 56 files)
  • Now there will be one record for every file entry:
    • 64 bytes ASCII file name, with NUL bytes used to fill up
    • 4 byte integer offset of the file data within the archive file
    • 4 byte integer length of the file data within the archive file
  • There is an additional unused record after the file entries consisting of 72 NUL bytes.
  • Now there is the actual file data. There are no gaps or separators, the file entries described above position the data of all files right next to each other.

The first file's data offset in e.g. an archive file with 56 entries is 0x0C10, or 4108 bytes, by default:

2 bytes unknown + 2 bytes file count + (56+1 file entries) * 72 bytes each = 4108.

The second file's data offset in the same file is 4108 plus the length of the first file's data.

These files are recreated automatically whenever you change a setting relevant for the boot login screen, e.g. whether to enable Safari mode in Security & Privacy preference pane in System Preferences). It uses default system resources to do this, so if you want to change e.g. the Apple icon, it is sufficient to edit the regular resource and have the system recreate the corresponding .efires archive file.