
ipsw

Install this skill: npx machina-cli add skill blacktop/ipsw-skill/skill --openclaw

Files (1): SKILL.md (5.5 KB)

IPSW - Apple Reverse Engineering Toolkit

Install: brew install blacktop/tap/ipsw

Choose Your Workflow

Goal                              Start Here
--------------------------------  ---------------------
Download/extract firmware         Firmware Acquisition
Reverse engineer userspace        Userspace RE
Analyze kernel/KEXTs              Kernel Analysis
Research entitlements             Entitlements
Dump private API headers          Class Dump
Analyze standalone binary         Mach-O Analysis

Firmware Acquisition

# Download latest IPSW for device
ipsw download ipsw --device iPhone16,1 --latest

# Download with automatic kernel/DSC extraction
ipsw download ipsw --device iPhone16,1 --latest --kernel --dyld

# Extract components from local IPSW
ipsw extract --kernel iPhone16,1_18.0_Restore.ipsw
ipsw extract --dyld --dyld-arch arm64e iPhone16,1_18.0_Restore.ipsw

# Remote extraction (no full download)
ipsw extract --kernel --remote <IPSW_URL>

See references/download.md for device identifiers and advanced options.


Userspace RE (dyld_shared_cache)

macOS DSC: /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e

Essential Commands

Command                                             Purpose
--------------------------------------------------  ---------------------------------------
dyld a2s <DSC> <ADDR>                               Address → symbol (triage crash LR/PC)
dyld symaddr <DSC> <SYM> --image <DYLIB>            Symbol → address
dyld disass <DSC> --vaddr <ADDR>                    Disassemble at address
dyld disass <DSC> --symbol <SYM> --image <DYLIB>    Disassemble by symbol
dyld xref <DSC> <ADDR> --all                        Find all references to address
dyld dump <DSC> <ADDR> --size 256                   Dump raw bytes at address
dyld str <DSC> "pattern" --image <DYLIB>            Search strings
dyld objc --class <DSC> --image <DYLIB>             List ObjC classes
dyld extract <DSC> <DYLIB> -o ./out/                Extract dylib for external tools

Common Workflow

# 1. Resolve address from crash/trace
ipsw dyld a2s $DSC 0x1bc39e1e0
# → -[SomeClass someMethod:] + 0x40

# 2. Disassemble around that address
ipsw dyld disass $DSC --vaddr 0x1bc39e1e0

# 3. Find who calls this function
ipsw dyld xref $DSC 0x1bc39e1a0 --all

# 4. Extract string/data referenced in disassembly
ipsw dyld dump $DSC 0x1bc39e200 --size 64

Tip: Always pass --image <DYLIB> when you know the dylib; it is 10x+ faster.

See references/dyld.md for complete DSC commands.
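The workflow above resolves one address at a time. A crash report usually carries a whole backtrace, so the script below (an added example, not part of the ipsw skill or the ipsw project) batches step 1: it pulls every distinct 64-bit code address out of a crash log, normalises the hex form, and feeds each one to `ipsw dyld a2s`. It assumes `ipsw` is on PATH and that `$DSC` points at a dyld_shared_cache such as the macOS path given at the top of this section; the crash excerpt embedded in it is constructed and its addresses and module names are placeholders.

```shell
#!/bin/sh
# Added example (not from the ipsw skill): batch the "Common Workflow"
# step 1 over a whole crash log instead of one address at a time.
# Assumes: ipsw on PATH, $DSC = path to a dyld_shared_cache.

# Print each distinct hex code address from stdin, in first-seen order.
# Matches 0x followed by 9..16 hex digits (64-bit code addresses), so
# small offsets such as "+ 123360" are ignored. Leading zeros are
# stripped and hex is lower-cased so 0x00000001BC39E1E0 and 0x1bc39e1e0
# collapse to one entry.
extract_addrs() {
    grep -oE '0x[0-9a-fA-F]{9,16}' \
        | tr 'A-F' 'a-f' \
        | sed -E 's/^0x0+([0-9a-f])/0x\1/' \
        | awk '!seen[$0]++'
}

# Resolve every address found in a crash log with `ipsw dyld a2s`.
# $1 = DSC path, $2 = crash log file. Output is whatever a2s prints,
# prefixed by the address so the lines can be read back against the log.
resolve_crash_addrs() {
    dsc=$1
    log=$2
    extract_addrs < "$log" | while IFS= read -r addr; do
        printf '%s -> ' "$addr"
        ipsw dyld a2s "$dsc" "$addr"
    done
}

# Constructed sample of the lines a crash report carries (frame number,
# image, pc, image base + offset, then a register dump). Placeholder
# values only; "Foundation" stands in for whatever image the log names.
SAMPLE_CRASH='Thread 0 Crashed:
0   Foundation    0x00000001bc39e1e0 0x1bc380000 + 123360
1   Foundation    0x00000001bc39e1a0 0x1bc380000 + 123296
2   Foundation    0x00000001bc39e1e0 0x1bc380000 + 123360
lr: 0x00000001BC39E200'

# Usage: DSC=/path/to/dyld_shared_cache_arm64e sh triage.sh crash.log
if [ "$#" -ge 1 ] && [ -n "${DSC:-}" ]; then
    resolve_crash_addrs "$DSC" "$1"
fi
```

Register values (x0, sp and the like) also appear as 16-digit hex in a real report, so if you pipe a full crash log through `extract_addrs` rather than just the backtrace, expect a few data values to be resolved as well; a2s on those simply reports no symbol. The first lookup builds the .a2s cache mentioned under Tips, so the loop is slow on the first address and fast on the rest.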


Kernel Analysis

# List all KEXTs
ipsw kernel kexts kernelcache.release.iPhone16,1

# Extract specific KEXT
ipsw kernel extract kernelcache sandbox --output ./kexts/

# Dump syscalls
ipsw kernel syscall kernelcache

# Diff KEXTs between versions
ipsw kernel kexts --diff kernelcache_17.0 kernelcache_18.0

See references/kernel.md for KEXT extraction and kernel analysis.


Entitlements

# Single binary entitlements
ipsw macho info --ent /path/to/binary

# Build searchable database from IPSW
ipsw ent --sqlite ent.db --ipsw iOS18.ipsw

# Query database
ipsw ent --sqlite ent.db --key "com.apple.private.security.no-sandbox"
ipsw ent --sqlite ent.db --key "platform-application"
ipsw ent --sqlite ent.db --key "com.apple.private.tcc.manager"

See references/entitlements.md for common entitlements and query patterns.


Class Dump

Dump Objective-C headers from binaries or dyld_shared_cache:

# Dump all headers from framework in DSC
ipsw class-dump $DSC SpringBoardServices --headers -o ./headers/

# Dump specific class
ipsw class-dump $DSC Security --class SecKey

# Filter by pattern
ipsw class-dump $DSC UIKit --class 'UIApplication.*' --headers -o ./headers/

# Include runtime addresses (for hooking)
ipsw class-dump $DSC Security --re

See references/class-dump.md for filtering and output options.


Mach-O Analysis

# Full binary info
ipsw macho info /path/to/binary

# Disassemble function
ipsw macho disass /path/to/binary --symbol _main

# Get entitlements and signature
ipsw macho info --ent /path/to/binary
ipsw macho info --sig /path/to/binary

See references/macho.md for complete Mach-O commands.


Reference Files

Tips

  1. Symbol caching: the first a2s/symaddr run creates a .a2s cache; subsequent lookups are instant
  2. Use the --image flag: specifying the dylib is 10x+ faster for DSC operations
  3. JSON output: most commands support --json for scripting
  4. Device IDs: use ipsw device-list to find device identifiers

Source

git clone https://github.com/blacktop/ipsw-skill/blob/main/skill/SKILL.md

Overview

ipsw is a CLI toolkit for Apple firmware and binary reverse engineering. It enables downloading and extracting IPSWs or kernelcaches, dumping Objective-C headers from private frameworks, analyzing Mach-O files, and researching Apple security through entitlements and kernel/KEXT analysis.

How This Skill Works

Install via Homebrew and then use the ipsw CLI to access dedicated workflows: Firmware Acquisition, Userspace RE (dyld_shared_cache), Kernel Analysis, Entitlements, Class Dump, and Mach-O Analysis. Typical work starts with fetching an IPSW or kernelcache, followed by subcommands like dyld, kernel, ent, or macho to inspect binaries and headers.

When to Use It

  • Download or extract device IPSWs or kernelcaches for offline analysis
  • Reverse engineer iOS/macOS userspace by inspecting the dyld_shared_cache
  • Analyze kernel objects, KEXTs, and kernel internals for vulnerability research
  • Dump Objective-C headers from private frameworks to map private APIs
  • Research and query entitlements across binaries using a local database

Quick Start

  1. Install the tool: brew install blacktop/tap/ipsw
  2. Download the latest IPSW for a device: ipsw download ipsw --device iPhone16,1 --latest
  3. Start analysis (example): ipsw dyld a2s $DSC 0x1bc39e1e0

Best Practices

  • Always use --image with dyld disassembly for faster, more accurate results
  • Use ipsw download with --latest to ensure you’re analyzing the current firmware
  • For kernel/KEXT work, save outputs to an organized directory (e.g., ./kexts/ or ./binaries/)
  • Build an entitlements database with ipsw ent --sqlite ent.db --ipsw <FW.ipsw> for quick queries
  • Verify the correct architecture (e.g., arm64e) and the DSC path when targeting dyld_shared_cache

Example Use Cases

  • Download the latest iPhone IPSW, extract the kernelcache, and list KEXTs for comparison across versions
  • Dump Objective-C headers from a private framework in an IPSW to identify non-public APIs
  • Create and query an entitlements database to locate sandbox or TCC-related keys in multiple binaries
  • Disassemble a function in dyld_shared_cache to triage crash traces and identify caller chains
  • Diff KEXTs between iOS versions to spot changes in kernel interfaces or entitlement handling
