A collection of reverse engineered Apple formats, protocols, or other interesting bits.
Join us on Discord - Discord Rules
Repo inspired by Papers we Love
Install our tap with brew tap hack-different/homebrew-jailbreak
Information about the maintaining of that tap can be found at homebrew-jailbreak
Linking your Discord and GitHub
We want this collection to be around for new jailbreakers and hobbyists for years to come, so we must say: this collection accepts (with gratitude) pull requests that improve it, but under no circumstances will a PR based on AppleInternal, or any other copyrighted works protected by the DMCA, be accepted. If you need help determining this, tag the PR with license help, join the Discord server, and ask a #Legit or higher role for help.
Violation of the DMCA or copyright law is the responsibility of the submitter.
We attempt to derive from machine sources and produce machine-readable files (YAML) in this repo under `_data`. For information about creating and extending the data format, see Data Format Guidance. Updates and additions there should automatically be reflected in the documents.
hack-different/apple-knowledge/_data
Another authoritative source of information is the open source code released by Apple themselves at one of the following locations:
- Open Source at Apple Website
- Apple's GitHub profile
- apple-oss-distributions's GitHub profile
- Apple Gifts
- mootool - FOSS Ruby Mach-O Tool (aims to replicate jtool2 feature set)
- ktool - FOSS Python Mach-O Tool
- checkra1n/toolchain
- alephsecurity/xnu-qemu-arm64
- IDA Disassembler by HexRays
- Binary Ninja Disassembler
- VisUAL ARM Simulator
- Ghidra Disassembler
- Hopper Disassembler
- Capstone Engine
- Unicorn Engine
- QEMU
- blacktop/ipsw
- jtool2
- frida
- Proteas/apple-cve
- kpwn / qwertyoruiop's Wiki
- kpwn / qwertyoruiop's Papers
- About Apple Prototype and CPFM
- OWASP: iOS Tampering and Reverse Engineering
- Kernel Debug Kit
- *OS Internals by Jonathan Levin
- T2 Dev Setup
- Apple 4CC
- bytepack/IntroToiOSReverseEngineering
- Remote Attack Surface
- Lakr233's Research
- Device List
- T2
- Wi-Fi / Bluetooth
- The iPhone Wiki
- SMC (System Management Controller) for pre-T2
- acidanthera/VirtualSMC
- t8012/smcutil
- Create SMC binaries from update payloads
- Mach
- Mach and the Mach Interface Generator by nemo
- Apple IPC by Ian Beer
- acidanthera/Lilu
- osy/AMFIExemption
- Siguza's Research on KTRR
- Tick Tock by xerub
- Casa de PPL by Levin
- KTRW by Brandon Azad
- Qwertyoruiopz Attacking XNU: Part 1
- Qwertyoruiopz Attacking XNU: Part 2
- Kernel Heap by Stefan Esser
- Levin's Who needs `task_for_pid()` anyway...
- Apple Official Documentation
- EFI
- NVRAM
- SEP_memmap
- All About Kernels
- Factory_Firmware_Payloads
- iBoot
- SecureROM
- APFS - Apple Filesystem
- LwVM Lightweight Volume Manager
- NeXT / Apple "Bill of Materials" / `pkg` / `bom`
- `pbzx`
- Apple Disk Image - `dmg`
- Signed System Volumes (SSV) / `root_hash`
- Property Lists
- iTunes database
- Apple iDevice Backup Format
- Apple Flavored PNG
- Apple IMA ADPCM
- AirPlay2
- Mach-O File Types - Mach-O / Signing / Entitlements
- img4 - Apple signed images, version 4
- TrustCache - Pre-authorized Binary Hashes
- EALF - `eficheck` baselines
- ChunkList - Used to verify macOS Recovery / Internet Recovery
- `dyld` and DSC (dyld Shared Cache)
- Levin's Dyld
- rickmark/yolo_dsc - Used as a last resort; depends on Xcode
- arandomdev/DyldExtractor - Fixes up linking
- dyld_shared_cache_util.cpp
- iBoot LocalPolicy, RemotePolicy and BAA signing
- Rosetta2
- Swift
- Levin's - The Apple Sandbox
- Apple Sandbox Guide v1.0
- OWASP - Reversing the Apple Sandbox
- iBSparkles Breaking Entitlements
- stek29: Shenanigans, Shenanigans!
- argp vs com.apple.security.sandbox
- malus-security/sandblaster
- SEP_memmap
- sep.yaml
- SEPROM
- nyuszika7h/sepfinder
- Demystifying the Secure Enclave Processor
- seputil
- SEPOS: A Guided Tour
- Attack Secure Boot of SEP - blackbird
- ARM General
- Apple CPUs
- Compilers
- ARM Mitigations
- Apple Hypervisor
- `baseband.yaml` in Data Files
- Qualcomm
- hollance/neural-engine
- RTKit - "Realtime" Kit
- Basically all iDevice / iTunes
- DFU / Recovery
- usbmuxd - USB transport for iDevices
- `com.apple.restored` - iDevice Restore Protocol
- UTDM - USB Target Disk Mode
- USB-C Power Delivery - Vendor Defined Messages
- Lightning
- NVMe / NAND / PCIe
- gh2o/rvi_capture
- osy/ThunderboltPatcher
- Qi Wireless Charging
- Apple Wi-Fi Password Sharing
- AWDL - Apple Wireless Distribution Link
- Bluetooth Bonjour (Service Discovery)
- iCloud
- Apple Watch Pairing
- `com.apple.terminusd`
- Magic Pairing: Securing Bluetooth Peripherals
- ATC - Air Traffic Control - iTunes Wi-Fi Sync
- RemoteXPC
- macOS Internet Recovery
- iCloud Keychain (Umbrella for multiple formats)
- FDR - Factory Data Restore
- SysCfg - System Configuration - Serial Number and other Device Info
- APTicket - The root of an authorized version set
- AWDD - Apple Wireless Diagnostics (misnomer, more than wireless, system trace)
- Mojo Serial
- XHC20 USB Capture
- limera1n
- OpenJailbreak/greenpois0n
- axi0mX/ipwndfu
- checkra1n
- unc0ver
- Taurine
- evasi0n writeup by geohot
- TaIG
Hack Different - Apple Knowledge is a product of the entire community and belongs to the community. It is facilitated by the volunteer work of the Hack Different moderation team.
Portions of data and knowledge come from TheiPhoneWiki, libimobiledevice's website, and checkra1n's website, as well as the individuals who brought you those projects (and many more!)
Special mention to Jonathan Levin and Amit Singh for taking the time to publish books on these topics.
- Mac OS Internals by Singh
- Mac and iOS Internals by Levin
- *OS Internals - User Mode by Levin
- *OS Internals - Kernel Mode by Levin
- *OS Internals - Security by Levin
A list of all projects and their contributors is at CREDITS and is updated by a script. If there are persons not updated due to limitations, please PR the CREDITS page and call them out.
The main article is in BUILD.
To keep the repo, docs, and data tidy, we use a tool called overcommit to connect the git hooks to a set of quality checks. The fastest way to get set up is to run the following to make sure you have all the tools:

```sh
brew install hunspell
gem install overcommit bundler
bundle install
overcommit --install
```
Wikis best serve prose, and part of the goal here is to leverage machine-readable and ingestable information with human augmentation wherever possible.
As of 2022, GitHub has 56 million users. That means that there are 56 million people who are able to contribute directly to this repo via a fork and PR, as opposed to wikis, which have a relatively small number of potential editors. The PR process also allows for modifications to be reviewed, commented on, and debated before inclusion.
The contents of this repo are dual-licensed:
Code and data licensed under the MIT license
Documents also licensed under the CC-BY-SA
Apple Knowledge by Hack Different is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/).
Here’s to the crazy ones, the misfits, the rebels, the troublemakers
the round pegs in the square holes…
the ones who see things differently — they’re not fond of rules…
You can quote them, disagree with them, glorify or vilify them, but the only thing you can’t do is ignore them because they change things…
They push the human race forward, and while some may see them as the crazy ones,
we see genius,
because the ones who are crazy enough to think that they can change the world,
are the ones who do.
— Steve Jobs, 1997
Also dedicated to the volunteer work of those who use this for good, and deny the shadow to those who seek to harm.