Bless failed on El Capitan beta 7 #19
In Console, if you search for "bless" are there any entries? Maybe something about sandboxd? Can you copy and paste any relevant lines here?
Actually, there is one line for each reboot attempt. Here is a copy of the "full report" of one instance, it does indeed come from sandboxd.
22.08.15 12:54:42,351 sandboxd[130]: ([1379]) bless(1379) System Policy: deny nvram-set efi-boot-next
bless(1379) System Policy: deny nvram-set efi-boot-next
Process: bless [1379]
Path: /usr/sbin/bless
Load Address: 0x10b8a7000
Identifier: bless
Version: ??? (???)
Code Type: x86_64 (Native)
Parent Process: BOHelper [1378]
Date/Time: 2015-08-22 12:54:42.301 +0300
OS Version: Mac OS X 10.11 (15A263e)
Report Version: 8
Thread 0:
0 libsystem_kernel.dylib 0x00007fff8bccbc96 mach_msg_trap + 10
1 IOKit 0x00007fff8c8bdd1d io_registry_entry_set_properties + 130
2 IOKit 0x00007fff8c8633bb IORegistryEntrySetCFProperties + 80
3 IOKit 0x00007fff8c863433 IORegistryEntrySetCFProperty + 91
4 bless 0x000000010b8b9e67
5 bless 0x000000010b8b98fd
6 bless 0x000000010b8a8d41
7 bless 0x000000010b8a8899
8 libdyld.dylib 0x00007fff95f2b5ad start + 1
Binary Images:
0x10b8a7000 - 0x10b8c1fff bless (105) <466744da-6605-3566-9aa4-fc280f753b27> /usr/sbin/bless
0x7fff8bcba000 - 0x7fff8bcd8fff libsystem_kernel.dylib (3247.1.99) <47769d1e-cf1c-308e-984d-ebb064af4ef8> /usr/lib/system/libsystem_kernel.dylib
0x7fff8c85c000 - 0x7fff8c8cffff com.apple.framework.IOKit (2.0.2) <66122065-961d-3a36-a1f3-9dfeedb7a52c> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
0x7fff95f28000 - 0x7fff95f2bffb libdyld.dylib (360.14) <2516e491-3379-3e46-9af9-e73d7c11ff9d> /usr/lib/system/libdyld.dylib
bless(11804) System Policy: deny nvram-set efi-boot-next
Process: bless [11804]
Path: /usr/sbin/bless
Load Address: 0x106580000
Identifier: bless
Version: ??? (???)
Code Type: x86_64 (Native)
Parent Process: BOHelper [11803]
Date/Time: 2015-08-22 10:58:01.663 +0200
OS Version: Mac OS X 10.11 (15A262e)
Report Version: 8
Thread 0:
0 libsystem_kernel.dylib 0x00007fff81a17c96 mach_msg_trap + 10
1 IOKit 0x00007fff83771d1d io_registry_entry_set_properties + 130
2 IOKit 0x00007fff837173bb IORegistryEntrySetCFProperties + 80
3 IOKit 0x00007fff83717433 IORegistryEntrySetCFProperty + 91
4 bless 0x0000000106592e67
5 bless 0x00000001065928fd
6 bless 0x0000000106581d41
7 bless 0x0000000106581899
8 libdyld.dylib 0x00007fff8a00e5ad start + 1
Binary Images:
0x106580000 - 0x10659afff bless (105) <466744da-6605-3566-9aa4-fc280f753b27> /usr/sbin/bless
0x7fff81a06000 - 0x7fff81a24fff libsystem_kernel.dylib (3247.1.99) <47769d1e-cf1c-308e-984d-ebb064af4ef8> /usr/lib/system/libsystem_kernel.dylib
0x7fff83710000 - 0x7fff83783fff com.apple.framework.IOKit (2.0.2) <66122065-961d-3a36-a1f3-9dfeedb7a52c> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
0x7fff8a00b000 - 0x7fff8a00effb libdyld.dylib (360.14) /usr/lib/system/libdyld.dylib
Similar problem on my end.
Bless failed:
EFI found at IODeviceTree:/efi
Mount point for /Volumes/Untitled is /Volumes/Untitled
Mount point is '/Volumes/Untitled'
No BootX creation requested
No boot.efi creation requested
Firmware feature mask: 0xC0007FFF
Firmware features: 0xC0005403
Legacy mode suppported
Got IODeviceTree:/rom
Got start address ffd50000
Got size 2a0000
Found SATA interconnect in protocol characteristics
IOGUIDPartitionScheme
ST31000520AS Media
IOBlockStorageDriver
IOAHCIBlockStorageDevice
AppleAHCIDiskDriver
IOAHCIDevice
PRT4
AppleAHCI
SATA
AppleACPIPCI
PCI0
AppleACPIPlatformExpert
MacPro4,1
Root
Setting EFI NVRAM:
efi-boot-next='MemoryType0xbStartingAddress0xffd50000IOEFIDevicePathTypeHardwareMemoryMappedEndingAddress0xfffeffffIOEFIDevicePathTypeMediaFirmwareVolumeFilePathGuid2B0585EB-D8B8-49A9-8B8C-E21B01AEF2B7IOEFIBootOptionHD'
Could not set boot device property: 0xe00002bc
This is what I get, too:
Bless failed:
EFI found at IODeviceTree:/efi
found ioreg "FirmwareFeaturesMask"; featureMaskValue=0xF803FF37
found ioreg "FirmwareFeatures"; featureFlagsValue=0xF803F537
isPreBootEnvironmentUEFIWindowsBootCapable=1
given BSD is not a DVD disc medium
isDVDWithElToritoWithUEFIBootableOS=0
Checking if disk is complex (if it is associated with booter partitions)
GPT detected
Booter partition required at index 2
System partition found
Preferred system partition found: disk0s1
Preferred system partition found: disk1s1
Returning booter information dictionary:
{type = mutable dict, count = 3,
entries =>
0 : {contents = "System Partitions"} = (
disk1s1,
disk0s1
)
1 : {contents = "Data Partitions"} = (
disk1s1
)
2 : {contents = "Auxiliary Partitions"} = (
)
}
IOMedia disk1s1 has UUID 095BF590-08C2-4910-95DF-8EBA6B92E26F
Setting EFI NVRAM:
efi-boot-next='IOMatchIOProviderClassIOMediaIOPropertyMatchUUID095BF590-08C2-4910-95DF-8EBA6B92E26FBLLastBSDNamedisk1s1'
Could not set boot device property: 0xe00002bc
Bless failed:
EFI found at IODeviceTree:/efi
Mount point for /Volumes/Windows 10 is /Volumes/Windows 10
Mount point is '/Volumes/Windows 10'
No BootX creation requested
No boot.efi creation requested
Firmware feature mask: 0xE803FF37
Firmware features: 0xE803F536
Legacy mode NOT suppported
Legacy mode not supported on this system
@helptiger that looks like a different/new issue. Does Startup Disk show your Windows volume?
I did a brief test on a machine and got the same error, so I don't think it's fixed yet.
now it changes to:
Bless failed:
EFI found at IODeviceTree:/efi
found ioreg "FirmwareFeaturesMask"; featureMaskValue=0xE803FF37
found ioreg "FirmwareFeatures"; featureFlagsValue=0xE803F536
isPreBootEnvironmentUEFIWindowsBootCapable=1
given BSD is not a DVD disc medium
isDVDWithElToritoWithUEFIBootableOS=0
Checking if disk is complex (if it is associated with booter partitions)
GPT detected
Booter partition required at index 2
System partition found
Preferred system partition found: disk0s1
Returning booter information dictionary:
{type = mutable dict, count = 3,
entries =>
0 : {contents = "System Partitions"} = (
disk0s1
)
1 : {contents = "Data Partitions"} = (
disk0s1
)
2 : {contents = "Auxiliary Partitions"} = (
)
}
IOMedia disk0s1 has UUID E1C3CC32-604A-4C4F-B9E6-499C2C63464D
Setting EFI NVRAM:
efi-boot-next='IOMatchIOProviderClassIOMediaIOPropertyMatchUUIDE1C3CC32-604A-4C4F-B9E6-499C2C63464DBLLastBSDNamedisk0s1'
Could not set boot device property: 0xe00002bc
dev beta 8 still looks quite the same to me:
BootChamp was unable to set your Windows volume as the temporary startup disk
Bless failed:
EFI found at IODeviceTree:/efi
Firmware feature mask: 0xE803FF37
Firmware features: 0xE803F537
Legacy mode suppported
Got IODeviceTree:/rom
Got start address ff990000
Got size 1a0000
Found USB interconnect in protocol characteristics
Setting EFI NVRAM:
efi-boot-next='<array><dict><key>MemoryType</key><integer size="64">0xb</integer><key>StartingAddress</key><integer size="64">0xff990000</integer><key>IOEFIDevicePathType</key><string>HardwareMemoryMapped</string><key>EndingAddress</key><integer size="64">0xffb2ffff</integer></dict><dict><key>IOEFIDevicePathType</key><string>MediaFirmwareVolumeFilePath</string><key>Guid</key><string>2B0585EB-D8B8-49A9-8B8C-E21B01AEF2B7</string></dict><dict><key>IOEFIBootOption</key><string>USB</string></dict></array>'
Could not set boot device property: 0xe00002bc
01.09.15 16:46:04,571 sandboxd[129]: ([1575]) bless(1575) System Policy: deny nvram-set efi-boot-next
bless(1575) System Policy: deny nvram-set efi-boot-next
Process: bless [1575]
Path: /usr/sbin/bless
Load Address: 0x108f17000
Identifier: bless
Version: ??? (???)
Code Type: x86_64 (Native)
Parent Process: BOHelper [1574]
Date/Time: 2015-09-01 16:46:04.408 +0300
OS Version: Mac OS X 10.11 (15A279b)
Report Version: 8
Thread 0:
0 libsystem_kernel.dylib 0x00007fff9d52ac96 mach_msg_trap + 10
1 IOKit 0x00007fff92647d2d io_registry_entry_set_properties + 130
2 IOKit 0x00007fff925ed3cb IORegistryEntrySetCFProperties + 80
3 IOKit 0x00007fff925ed443 IORegistryEntrySetCFProperty + 91
4 bless 0x0000000108f29e67
5 bless 0x0000000108f298fd
6 bless 0x0000000108f18d41
7 bless 0x0000000108f18899
8 libdyld.dylib 0x00007fff8bf915ad start + 1
Binary Images:
0x108f17000 - 0x108f31fff bless (105) <4b057336-4831-32d0-9189-de6a659a275b> /usr/sbin/bless
0x7fff8bf8e000 - 0x7fff8bf91ffb libdyld.dylib (360.14) <228abadd-2621-3bf6-b744-bca871ca0344> /usr/lib/system/libdyld.dylib
0x7fff925e6000 - 0x7fff92659fff com.apple.framework.IOKit (2.0.2) <ab6afbda-118d-3f61-89a7-ea02fbd021d2> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
0x7fff9d519000 - 0x7fff9d537fff libsystem_kernel.dylib (3247.1.106) <7dd242a1-e2bf-39d1-8787-b174046e4f15> /usr/lib/system/libsystem_kernel.dylib
Same thing here since public beta 6, setting the startup disk manually work fine though.
""Bless failed:
EFI found at IODeviceTree:/efi
found ioreg "FirmwareFeaturesMask"; featureMaskValue=0xE803FF37
found ioreg "FirmwareFeatures"; featureFlagsValue=0xE803F536
isPreBootEnvironmentUEFIWindowsBootCapable=1
given BSD is not a DVD disc medium
isDVDWithElToritoWithUEFIBootableOS=0
Checking if disk is complex (if it is associated with booter partitions)
GPT detected
Booter partition required at index 2
System partition found
Preferred system partition found: disk0s1
Returning booter information dictionary:
{type = mutable dict, count = 3,
entries =>
0 : {contents = "System Partitions"} = (
disk0s1
)
1 : {contents = "Data Partitions"} = (
disk0s1
)
2 : {contents = "Auxiliary Partitions"} = (
)
}
IOMedia disk0s1 has UUID E1C3CC32-604A-4C4F-B9E6-499C2C63464D
Setting EFI NVRAM:
efi-boot-next='IOMatchIOProviderClassIOMediaIOPropertyMatchUUIDE1C3CC32-604A-4C4F-B9E6-499C2C63464DBLLastBSDNamedisk0s1'
Could not set boot device property: 0xe00002bc""
confirmed also with GM
Bless failed:
EFI found at IODeviceTree:/efi
found ioreg "FirmwareFeaturesMask"; featureMaskValue=0xE803FF37
found ioreg "FirmwareFeatures"; featureFlagsValue=0xE803F536
isPreBootEnvironmentUEFIWindowsBootCapable=1
given BSD is not a DVD disc medium
isDVDWithElToritoWithUEFIBootableOS=0
Checking if disk is complex (if it is associated with booter partitions)
GPT detected
Booter partition required at index 2
System partition found
Preferred system partition found: disk0s1
Returning booter information dictionary:
{type = mutable dict, count = 3,
entries =>
0 : {contents = "System Partitions"} = (
disk0s1
)
1 : {contents = "Data Partitions"} = (
disk0s1
)
2 : {contents = "Auxiliary Partitions"} = (
)
}
IOMedia disk0s1 has UUID E1C3CC32-604A-4C4F-B9E6-499C2C63464D
Setting EFI NVRAM:
efi-boot-next='IOMatchIOProviderClassIOMediaIOPropertyMatchUUIDE1C3CC32-604A-4C4F-B9E6-499C2C63464DBLLastBSDNamedisk0s1'
Could not set boot device property: 0xe00002bc
I'm pretty sure this is an OS X bug. I just found out that running the bless command directly in the Terminal produces the exact same problem. Basically Apple broke their own tool, and at this point there's nothing I can do.
Originally I thought it was related to how BootCamp was calling bless, since it uses a deprecated function, but I just tested using the modern replacement (see #6) and it still behaves the same way.
I've been updating my bug report but they are not responding... hopefully it'll be fixed in a point release.
I just blogged about this issue, it may be the end of the road for BootChamp, with one exception.
In summary, Apple has added a feature to El Capitan called System Integrity Protection. It's essentially a sandbox like the Mac App Store or iOS that applies to rooted processes, which up until now have had zero restrictions. This is dangerous as all a process has to do is prompt for the user's admin password and they now can run as root. SIP fixes that by preventing root from doing things such as modifying /System, /usr/bin, modifying running processes, etc.
Apple's pre-release documentation states:
To safeguard against disabling System Integrity Protection by modifying security configuration from another OS, the startup disk can no longer be set programmatically, such as by invoking the
bless(8)command.
They go on to say SIP can be disabled by booting into the recovery partition. Anyone want to get this a try and see if BootChamp would work afterwards? The thing is, SIP is a good security feature, it shouldn't be disabled, and it's not worth it to disable it to save yourself a few seconds of time. However if someone wants to experiment it would be interesting.
- Boot to Recovery OS by restarting your machine and holding down the Command and R keys at startup.
- Launch Terminal from the Utilities menu.
- Enter the following command:
$ csrutil enable
NOTE: The above instructions are only for testing. I will not support BootChamp running in this environment.
Hi, I think you've found the fix! However I was suspicious of csrutil enable as why would I want to enable the security? So I tried csrutil disable and bootchamp is working again!
More about SIP here: http://arstechnica.com/apple/2015/09/os-x-10-11-el-capitan-the-ars-technica-review/9/
Being able to make exemptions for SIP or allow per-permission granularity would be ideal. I'd rather not disable the lot if I have to. But that's Apple's architecture, not yours, kainjow.
I read that the official way to boot into Bootcamp is now to Restart, hold Alt/Option upon the BONG sound and select the boot partition then. Which is a shame. I love Bootchamp.
@tsaomao if they add exceptions that would defeat the purpose unless they had an MAS-style approval for all apps ahead of time.
I updated my blog post, seems BootChamp may be EOL'd. Really the only way to reach out to Apple about this is to fill bug reports. They will listen (not necessarily act) if they receive "duplicate" reports.
Having the same problem. Where can I file a bug report with Apple?
Here is my suggestion (22487755 is the bug I filed):
Title: bless is no longer functional in 10.11 due to SIP
Description: The built-in bless tool is no longer functional due to SIP, yet the tool is still installed. This prevents long-standing boot software such as BootChamp (http://kainjow.com) from functioning. See #22487755
I submitted too. it's a happening newest public beta (15B38b).
#23122750
Submitted as 23179218. This is annoying! I'm not using BootChamp, I was just trying to use bless to change the default EFI boot program (rEFInd).
Wouldn't another argument be, that you can't even use system settings "Startup volume" utility?
If I try to set it to my BootCamp partition I get the error, that bless couldn't set the startup volume..
@DarkCloud14 you mean Startup Disk in System Preferences? I assumed that works, we would need more than one person to verify this is the situation.
I tried the Target disk mode from Startup Disk in System Preferences, it did not give out any errors. However as it rebooted, it would not boot the device (I set it to boot from a USB 3 drive, which used to work with BootChamp and still works when Mac is booted up while alt is held down).
There was nothing about bless in console, so I guess what I encountered is another issue probably not related to this.
@kainjow yes that's what I meant, sorry I've the system set to german language and didn't know the correct english description for it. I've tested it again and now it works.
It was my fault, the problem occurred after uninstalling Tuxera NTFS and immediately trying to set the startup disk, without rebooting the system.
Sorry!
This breaks our product as well. We make a psychological test which relies on sub-millisecond precision, so we reboot to a stripped-down real-time Linux OS. We had just figured out how to use bless to reboot to this environment automatically, when Apple goes and breaks it! So mad.
@IanOsgood I suggest filing a bug. Maybe with the more they hear, they'll reconsider or figure out a way to bring it back in a secure way.
@kainjow I did (23276004).
Ironically, we are working around a similar problem on Windows, trying to reboot automatically on UEFI systems which require a signed OS. The only solution is to use a signed boot loader like EFI GRUB, which requires paying Microsoft for the signature. Honestly, I'm surprised Apple hasn't moved to UEFI yet if they are so paranoid about system integrity. As it is, we may have to drop Mac support due to SIP (along with my job :( ).
This problem is due to the new "rootless" feature in El Capitan.
I had the same problems until I deactivated the rootless feature on my MacBook. Afterwards I could use BootChamp just like before. To deactivate rootless restart your Mac and hold cmd+r to boot into recovery mode. Open up the terminal and type "csrutil disable; reboot". You will be asked for an administrator password and afterwards the Mac will reboot and BootChamp should work. Let me know if that solved it the same way it did for me.
@IanOsgood As a workaround, the suggested trick of logging into the Recovery mnager then disabling the SPI security tool works, and I was able to use bless to make a custom partition bootable, then afterwords I re-enabled SPI. Give it a try. :}
I theory, this is good, so that a random program doesn't just ask for your password when installing then all of a sudden you find yourself booting into some strange OS (though I'm sure all of us in this thread wouldn't install such a program).
(though I'm sure all of us in this thread wouldn't install such a program)
Isn't that what we all did when we installed BootChamp in the first place ;)
I found this thread because this is how I was setting a startup disk from the command line. A bit more research shows me that I can do the same task using "systemsetup -setstartupdisk ". So, if you're doing this yourself, there's a workaround that basically takes the same parameter as the "bless -mount" without having to disable SIP.
I would guess that BootChamp will have to change the command they use, too.
@ketterling that appears to only work on OS X disks because the path you give gets appended with /System/Library/CoreServices which obviously is an OS X only path. So that may be a workaround for some cases that need to only set an OS X disk permanently, but for BootChamp it's of no use. Also, it's probably a bug that that feature still works. I wouldn't expect it to be around in a future update.
@kainjow You're right. I didn't think about it looking for that path.
@heyfrank can't you read? deactivate rootless and you will be fine - no need for a new build.
At least Apple tech's noticed the comments. Today I received this mail from them:
quote:
Engineering has determined that your bug report (23007738) is a duplicate of another issue (22170141) and will be closed.
The open or closed status of the original bug report your issue was duplicated to appears in the yellow "Duplicate of XXXXXXXX" section of the bug reporter user interface. This section appears near the top of the right column's bug detail view just under the bug number, title, state, product and rank.
An example of the duplicate section from the bug reporter user interface with your bug and the duplicate bug info is included below:
23007738 bless is no longer functional in 10.11 due to SIP
State: Closed Product:
Rank: No Value
Duplicate of 22170141 (Open or Closed; log in to see the actual state)
unquote
Now lets hope they will do something about it :P
Mine was closed dup of 22394947 (open). Not that we can see what those other bugs are.
The only "solution" is to turn off SIP as described upthread on Sept 12.
Thank you so much for this solution! I was tearing my hair out over why bless was failing... again. (It seems to fail on me once a month for some extremely frustrating reason). I disabled SIP as described in the Sept. 12 post and it is working again. BootChamp has been a NECESSITY for me for the last 3 years because I am using unsupported video cards in my Mac. It's not just for convenience... I can't see the startup screen due to the lack of EFI on my GTX 980, and if I can't see the bootscreen I can't choose the OS, so thank you for this program, and thanks for the fix!
I don't think I really understand the ramification of disabling SIP, can someone give me a real world example of why it's bad to disable it? Was it active pre ElCap?
Others here that know more than I do can correct me if I'm wrong about this, but I believe you just use the term "enable" instead of "disable"...
//
1. Boot to Recovery OS by restarting your machine and holding down the Command and R keys at startup. (Or option and choosing "Recovery 10.xx")
2. Launch Terminal from the Utilities menu.
3. Enter the following command: " csrutil enable " (Obviously you don't use the "Quotes").
//
I am closing this project down. Please see my updated blog post. Thanks everyone!
The Startup Disk pane in System Preferences works for me as of OS X 10.11.2. However, BootChamp 1.7 does not work; it complains about the failed bless as described above. So, could BootChamp be modified to do whatever the Startup Disk pane is now doing?
Specifically, I have an early 2008 Mac Pro that was running Yosemite until today when I upgraded it to 10.11.2. I've been using BootChamp for years (thanks, Kevin!) to reboot into Windows 7, due to the lack of a boot screen because I've upgraded the GPU. When I encountered the BootChamp error just now, I googled and arrived here, and I was grumbling to myself about the prospect of disabling SIP, when I decided to try the Startup Disk pane to confirm that it's still broken, and it surprisingly worked.
@fjarlq Why are you grumbling about disabling SIP? It is a newly added "feature" by Apple that nobody needed before (and which was also not there in Yosemite) and basically reduces your control over your own computer. Win7 does not have a SIP feature (at least that I know of) and nobody seems to care - but disabling an OSX feature and everyone loses their minds o.O
@DanielMarcato Because I agree with the general rationale given for SIP: https://en.wikipedia.org/wiki/System_Integrity_Protection#Overview
As far as I can tell, I am still able to do everything I need to do on my Macs with SIP enabled, except for this BootChamp issue. So I would much rather leave SIP enabled and enjoy its protection. However, I certainly think Apple should provide some way in OS X by which a program like BootChamp can be authorized to set the boot disk.
If at some point I become forced to disable SIP in order to do something that is important to me, then I will. But I'd rather not. It doesn't offend me that Apple has introduced SIP, but of course it won't work for me if the security is so tight that I can't get my work done.
@fjarlq To update my earlier post on the Startup Disk System Preferences pane not working in El Capitan: I reset my Mac’s PRAM (aka NVRAM) by holding Cmd, Option, P, and R during boot, and when I got back in, the preference pane worked again as normal (with SIP re-enabled). Bear in mind that this will also wipe the graphics card boot settings required to get a newer nVidia card working, so you will need an old, official GPU card in the Mac to be able to start back up and add these settings back in.
SIP still allows Apple-signed software to do what it used to be able to do, so I imagine this is why it can still call bless successfully.

Since installing El Capitan beta 7 (beta 6 worked fine), I have got the following error:
BootChamp was unable to set your Windows volume as the temporary startup disk
Bless failed:
EFI found at IODeviceTree:/efi
Firmware feature mask: 0xE803FF37
Firmware features: 0xE803F537
Legacy mode suppported
Got IODeviceTree:/rom
Got start address ff990000
Got size 1a0000
Found USB interconnect in protocol characteristics
Setting EFI NVRAM:
efi-boot-next='MemoryType0xbStartingAddress0xff990000IOEFIDevicePathTypeHardwareMemoryMappedEndingAddress0xffb2ffffIOEFIDevicePathTypeMediaFirmwareVolumeFilePathGuid2B0585EB-D8B8-49A9-8B8C-E21B01AEF2B7IOEFIBootOptionUSB'
Could not set boot device property: 0xe00002bc
BootChamp version is 1.7.