README
ΒΆ
ipsw
iOS/macOS Research Swiss Army Knife
What is ipsw π€
ipsw is a comprehensive command-line research framework for iOS and macOS. It provides an extensive toolkit for security researchers, reverse engineers, jailbreak developers, and iOS enthusiasts to download, parse, and analyze Apple firmware and interact with iOS devices.
Core Capabilities
- π± IPSW/OTA Analysis - Download, extract, and analyze iOS firmware files
- π Binary Analysis - Advanced Mach-O parsing with ARM disassembly and AI assistance
- π§ dyld_shared_cache - Complete shared cache analysis with ObjC/Swift class dumping
- π§ Kernel Analysis - Kernelcache parsing, syscall extraction, and symbolication
- π² Device Interaction - Comprehensive iOS device management and debugging
- π Firmware Research - IMG4, iBoot, SEP, and co-processor firmware analysis
- πͺ App Store Connect - Full API integration for app and certificate management
- π οΈ Developer Tools - SSH, Frida, debugging, and reverse engineering utilities
Quick Start
Installation
macOS
Using blacktop tap (includes extras)
brew install blacktop/tap/ipsw
Using official Homebrew formula
brew install ipsw
Linux
sudo snap install ipsw
Windows
scoop bucket add blacktop https://github.com/blacktop/scoop-bucket.git
scoop install blacktop/ipsw
Basic Usage
# Download latest iOS IPSW
ipsw download ipsw --device iPhone16,1 --latest
# Extract kernelcache
ipsw extract --kernel iPhone16,1_18.2_22C150_Restore.ipsw
# Analyze dyld_shared_cache
ipsw dyld info /path/to/dyld_shared_cache_arm64
# Get device information
ipsw idev list
Major Features
π± IPSW & OTA Management
- Download Sources: Apple, AppleDB, Developer Portal, RSS feeds, GitHub, iTunes, Wikipedia
- File Types: IPSW, OTA, macOS installers, Xcode, KDKs, PCC files
- Operations: Extract, diff, mount, analyze metadata
ipsw download ipsw --device iPhone16,1 --latest
ipsw extract --kernel iPhone16,1_18.2_22C150_Restore.ipsw
ipsw diff iPhone16,1_18.1_22B83_Restore.ipsw iPhone16,1_18.2_22C150_Restore.ipsw
π Binary Analysis & Reverse Engineering
- Mach-O Parsing: Complete binary analysis with symbol extraction
- ARM Disassembly: ARM v9-a disassembler with AI-powered analysis
- Code Signing: Verify signatures, analyze entitlements
- Binary Patching: Add, modify, or remove patches
ipsw macho info /path/to/binary
ipsw macho disass /path/to/binary --symbol _main
ipsw macho search /path/to/binary --string "password"
π§ dyld_shared_cache Analysis
- Cache Parsing: Extract and analyze the complete shared cache structure
- ObjC Analysis: Class dumps, method analysis, protocol parsing
- Swift Support: Swift class dumping and analysis (experimental)
- Symbol Management: Symbol extraction and address resolution
ipsw dyld info /path/to/dyld_shared_cache
ipsw dyld extract /path/to/dyld_shared_cache --dylib Foundation
ipsw dyld objc class /path/to/dyld_shared_cache --class NSString
π² iOS Device Interaction (idev)
- File System: Browse and transfer files via AFC
- App Management: Install, uninstall, and analyze applications
- Backup & Restore: Complete device backup operations
- Development: Mount developer images, capture logs, packet capture
- Diagnostics: Battery info, crash logs, system diagnostics
ipsw idev list
ipsw idev afc ls /
ipsw idev apps ls
ipsw idev backup create
ipsw idev syslog
π Firmware & Security Analysis
- IMG4: Parse and decrypt Image4 format files
- iBoot: Bootloader analysis and research
- SEP: Secure Enclave Processor firmware analysis
- AEA: Apple Encrypted Archives decryption
- Co-processors: AOP, DCP, GPU, Camera firmware analysis
ipsw img4 dec iBoot.img4
ipsw fw sep iPhone16,1_18.2_22C150_Restore.ipsw
ipsw fw iboot iPhone16,1_18.2_22C150_Restore.ipsw
πͺ App Store Connect Integration
- Certificate Management: iOS/macOS certificates and profiles
- Device Registration: Manage development devices
- App Management: Bundle IDs, capabilities, and reviews
- Provisioning: Complete provisioning profile lifecycle
ipsw appstore cert ls
ipsw appstore device reg --name "My Device" --udid 1234567890
ipsw appstore profile create --name "Development Profile"
π οΈ Advanced Research Tools
- Symbolication: Crash log analysis and symbol resolution
- Class Dumping: ObjC and Swift class extraction
- SSH Access: Jailbroken device SSH with debugserver
- Frida Integration: Dynamic instrumentation capabilities
- AI Powered Decompiler: Integration with Claude, OpenAI, Gemini, Ollama and OpenRouter
ipsw symbolicate crash.ips --dsym /path/to/symbols
ipsw class-dump /path/to/binary
ipsw ssh debugserver
Architecture
ipsw consists of two main components:
ipsw- Main CLI tool with complete analysis capabilitiesipswd- REST API daemon for remote operations and automation
Configuration
ipsw supports YAML configuration files and environment variables:
# Create config directory
mkdir -p ~/.config/ipsw
# Copy example config
cp config.example.yml ~/.config/ipsw/config.yaml
Database Support
- SQLite (default) - Local storage
- PostgreSQL - Production deployments
AI Decompiler
β± ipsw macho disass /System/Library/PrivateFrameworks/ApplePushService.framework/apsd --entry \
--dec --dec-model "Claude 3.7 Sonnet"
β’ Loading symbol cache file...
β’ Decompiling... π
int main(int argc, char *argv[]) {
@autoreleasepool {
__set_user_dir_suffix(@"com.apple.apsd");
@autoreleasepool {
APSDaemon *daemon = [[APSDaemon alloc] init];
if (daemon) {
NSRunLoop *runLoop = [NSRunLoop currentRunLoop];
[runLoop run];
[runLoop release];
}
[daemon release];
}
return 0;
}
@catch (NSException *exception) {
if ([exception reason] == 1) {
id exceptionObj = [exception retain];
id logger = [APSLog daemon];
if (_os_log_type_enabled(logger, 0x11)) {
[exceptionObj logWithLogger:logger];
}
[logger release];
[exceptionObj release];
}
}
}
Use Cases
Security Research
- Vulnerability analysis and exploit development
- Firmware security assessment
- Binary reverse engineering
Jailbreak Development
- Bootchain analysis and exploitation
- Kernel extension research
- System modification and patching
iOS Development
- App debugging and analysis
- Certificate and provisioning management
- Device testing and automation
Digital Forensics
- Device data extraction and analysis
- Timeline reconstruction
- Artifact analysis
Requirements
- Go: 1.24+ (for building from source)
- Platform: macOS, Linux, Windows
- USB: libusb for device interaction
- Optional: AI API keys for enhanced analysis
Documentation
- Website: https://blacktop.github.io/ipsw
- API Docs: REST API documentation available at
/docswhen runningipswd - Examples: Comprehensive usage examples in the documentation
π AI-Powered Wiki
Ask questions about the repository using AI:
[!WARNING] AI responses may contain hallucinations - verify important information.
Community Resources
π IPSW Diffs
Pre-computed firmware differences: ipsw-diffs
π¬ Community
Contributing
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
Development
git clone https://github.com/blacktop/ipsw.git
cd ipsw
make build
Known Issues
- macOS IPSW Support: Some macOS firmware operations may have compatibility issues
- Testing: Comprehensive testing is challenging due to the variety of firmware versions and device types
- Resource Intensive: Some operations require significant memory and processing power
Create an issue if you encounter problems - fixes are prioritized! A comprehensive test suite is planned for future releases.
Credits
Huge thanks to:
- Jonathan Levin for his legendary tools and comprehensive iOS internals documentation
- The iOS research community for continuous innovation and knowledge sharing
- All contributors who help make this project better
Stargazers
License
MIT Copyright (c) 2018-2025 blacktop
Directories
ΒΆ
| Path | Synopsis |
|---|---|
|
Package api contains common constants for daemon and client.
|
Package api contains common constants for daemon and client. |
|
server
Package server ipswd API
|
Package server ipswd API |
|
server/routes
Package routes contains all the routes for the API
|
Package routes contains all the routes for the API |
|
server/routes/aea
Package aea provides the /aea API route
|
Package aea provides the /aea API route |
|
server/routes/daemon
Package daemon provides the daemon routes
|
Package daemon provides the daemon routes |
|
server/routes/devicelist
Package devicelist contains the /device_list routes for the API
|
Package devicelist contains the /device_list routes for the API |
|
server/routes/diff
Package diff provides /diff routes for diffing two files/text blobs
|
Package diff provides /diff routes for diffing two files/text blobs |
|
server/routes/download
Package download contains the /download routes
|
Package download contains the /download routes |
|
server/routes/dsc
Package dsc provides the /dsc route and handlers
|
Package dsc provides the /dsc route and handlers |
|
server/routes/extract
Package extract provides the /extract API route
|
Package extract provides the /extract API route |
|
server/routes/idev
Package idev provides the /idev route and handlers
|
Package idev provides the /idev route and handlers |
|
server/routes/info
Package info provides a route for getting info about an IPSW or OTA file
|
Package info provides a route for getting info about an IPSW or OTA file |
|
server/routes/kernel
Package kernel provides the /kernel routes
|
Package kernel provides the /kernel routes |
|
server/routes/mount
Package mount provides the /mount API route
|
Package mount provides the /mount API route |
|
server/routes/syms
Package syms provides the /syms API route
|
Package syms provides the /syms API route |
|
cmd
|
|
|
ipsw
command
|
|
|
ipswd
command
|
|
|
internal
|
|
|
commands/dsc
Package dsc implements the `dsc` commands
|
Package dsc implements the `dsc` commands |
|
commands/ent
Package ent contains functions to extract entitlements from an IPSW
|
Package ent contains functions to extract entitlements from an IPSW |
|
commands/extract
Package extract contains the extract commands.
|
Package extract contains the extract commands. |
|
commands/macho
Package macho provides functionality for parsing Mach-O files.
|
Package macho provides functionality for parsing Mach-O files. |
|
commands/mount
Package mount provides the mount command
|
Package mount provides the mount command |
|
config
Package config is used to load the configuration file
|
Package config is used to load the configuration file |
|
daemon
Package daemon provides the daemon interface and implementation.
|
Package daemon provides the daemon interface and implementation. |
|
db
Package db provides a database interface and implementations.
|
Package db provides a database interface and implementations. |
|
demangle
Package demangle defines functions that demangle GCC/LLVM C++ symbol names.
|
Package demangle defines functions that demangle GCC/LLVM C++ symbol names. |
|
diff
Package diff provides a way to diff two ipsws
|
Package diff provides a way to diff two ipsws |
|
model
Package model contains the IPSW model for the database.
|
Package model contains the IPSW model for the database. |
|
srp
Package srp implements SRP-6a per [1].
|
Package srp implements SRP-6a per [1]. |
|
lzma
The lzma package implements reading and writing of LZMA format compressed data.
|
The lzma package implements reading and writing of LZMA format compressed data. |
|
onthedl
Package onthedl is for downloading files in parallel
|
Package onthedl is for downloading files in parallel |
Click to show internal directories.
Click to hide internal directories.