startupdiskhelper

executablemacOS236.3 KBx86_64, arm64

System firmware interface — manages NVRAM variables and hardware encryption keys

Communicates directly with hardware and firmware to read and write system NVRAM variables, which store boot settings, device identifiers, and configuration parameters. Accesses the device keychain to retrieve encryption keys for cryptographic operations. Establishes network connections to multiple endpoints, likely for firmware updates or telemetry. Uses both public and private Apple frameworks to interface with low-level system components and manage persistent storage outside the normal filesystem.AI

Fingerprint

Platform: macOS
Type: executable
Arch: x86_64, arm64
Min OS: 26.1.0
SDK: 26.1.0
File Size: 236.3 KB
UUID: 906BAB62-44B6-35A1-AB25-AA2969255F84
Analyzed: 2026-04-09T10:06:21Z
CDHash: a3850e7d22196bfd2a5716cf69073477760444dabe3b0b7297529e9fdc495974

Capabilities

KeychainDevice key bag (encryption keys)

/System/Library/PrivateFrameworks/MobileKeyBag.framework/Versions/A/MobileKeyBag

StorageRead and write system NVRAM variables

com.apple.private.iokit.system-nvram-allow [object Object]

HardwareDirect hardware/driver communication

/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Frameworks16

IASUtilities DiskManagement DiskArbitration APFS SystemAdministration MobileKeyBag(weak)libBSDPClient.A.dylib Bootability Foundation libobjc.A.dylib libSystem.B.dylib AppKit CoreFoundation IOKit OpenDirectory IASUtilitiesCore

Entitlements7

com.apple.keystore.filevaulttrue

com.apple.private.bootabilitytrue

com.apple.private.iokit.system-nvram-allowtrue

com.apple.private.opendirectoryd.ownership.granttrue

com.apple.private.opendirectoryd.ownership.readtrue

com.apple.private.opendirectoryd.securetokentrue

com.apple.private.security.nvram.recovery-boot-modetrue

Interesting Strings

Bundle IDs(17)

*com.apple.private.iokit.system-nvram-allow ,com.apple.private.opendirectoryd.securetoken /com.apple.private.opendirectoryd.ownership.read 0com.apple.private.opendirectoryd.ownership.grant 3com.apple.private.security.nvram.recovery-boot-mode

File Paths(14)

/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation /System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

URLs & Endpoints(4)

$http://crl.apple.com/codesigning.crl0 %http://www.apple.com/appleca/root.crl0 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">https://www.apple.com/appleca/0

Network Surface

Networking Frameworks

CoreFoundation Foundation

Endpoints(7)

Urlhttp://www.apple.com/DTDs/PropertyList-1.0.dtd">

Hostnamewww.apple.com

Urlhttp://www.apple.com/appleca/root.crl0

Urlhttp://crl.apple.com/codesigning.crl0

Hostnamecrl.apple.com

Urlhttps://www.apple.com/appleca/0

DNA Capability Vector

Location

0

Keychain

1

Network

0

Storage

1

Hardware

1

IPC

0

Analytics

0

Security

0

System

0

Behavioral Profile

URL Endpoints

4

Telemetry Strings

0

File Paths

14

Bundle IDs

17

IOKit Constants

0

Library Functions

0

Structural HashesSHA-256

Codef9bf71a4a208ddab1a9b307076b51d1b9838b82e9b8b754fe9fafe3850a6a8cb

Imports6fc508ffadccb082305dffc3b20b435698dc3138967db6785275c962334667ed

Frameworks6f6064aadddc3382edba1c29aaddcf96b366247fa16ed10d02e46dea82a6730f

Classes017cee8f4387165da64c58ba0b2b9a9af065e8c4828f3a846da202000bb7d887

Entitlementsafa7b8a97fdfb9428f6f19c8c4fb26db947d08ec8791adf8cb20dd15e4d5b288

Symbols0b5e6ef212abe5b4c47ba9210734b814979e80aad93bf0e1d1b36b25b9b19848

Static Libraries0 / 137 functions identified

Functions(137)

0x1000011c8+[SDUser supportsSecureCoding]

0x1000011d0-[SDUser initWithCoder:]

0x100001478-[SDUser encodeWithCoder:]

0x100001694-[SDUser description]

0x1000017d0-[SDUser userPicture]

0x1000019e8-[SDUser validatePassword:error:]

0x100001bdc-[SDUser userName]

0x100001be8-[SDUser setUserName:]

0x100001bf0-[SDUser shortName]

0x100001bfc-[SDUser setShortName:]

0x100001c04-[SDUser uuid]

0x100001c10-[SDUser setUuid:]

0x100001c18-[SDUser volumeName]

0x100001c24-[SDUser setVolumeName:]

0x100001c2c-[SDUser userPictureData]

0x100001c38-[SDUser setUserPictureData:]

0x100001c40-[SDUser isAdmin]

0x100001c4c-[SDUser setIsAdmin:]

0x100001c54-[SDUser isOwner]

0x100001c60-[SDUser setIsOwner:]

Imports114 symbols from 14 dylibs

libobjc.A.dylib23 libSystem.B.dylib18 Foundation15 IOKit13 CoreFoundation11

Exports1

_mh_execute_header0x0

Similar Binaries1,470 comparable

system-override

mobile_obliterator