Download and parse ipsw(s) from ipsw.me or theiphonewiki.com
$ brew install blacktop/tap/ipsw
Download from releases
$ docker pull blacktop/ipsw
$ ipsw --help
Download and Parse IPSWs
Usage:
ipsw [command]
Available Commands:
device-list List all iOS devices
device-tree Parse DeviceTree
download Download and parse IPSW(s) from the internets
dyld Parse dyld_shared_cache
extract Extract kernelcache, dyld_shared_cache or DeviceTree from IPSW
help Help about any command
kernel Parse kernelcache
version Print the version number of ipsw
Flags:
-h, --help help for ipsw
-V, --verbose verbose output
Use "ipsw [command] --help" for more information about a command.
$ ipsw download --device iPhone11,2 --build 16A366
• Getting IPSW build=16A366 device=iPhone11,2 signed=true version=12.0
3.4 GiB / 3.4 GiB [==========================================================| 00:00 ] 79.08 MiB/s
• verifying sha1sum...
$ ipsw extract --kernel iPhone11,2_12.0_16A366_Restore.ipsw
• Extracting Kernelcache from IPSW
• Parsing Compressed Kernelcache
• compressed size: 17842843, uncompressed: 35727352. unknown: 0x3f9543fd, unknown 1: 0x1
• Decompressing Kernelcache
Notice that the kernelcache was extracted from the ipsw and decompressed 😈
$ file kernelcache.release.iphone11.decompressed
kernelcache.release.iphone11.decompressed: "Mach-O 64-bit executable arm64"
$ ipsw download --version 12.0
? You are about to download 17 ipsw files. Continue? Yes
• Getting IPSW build=16A366 device=iPhone11,4 signed=true version=12.0
3.3 GiB / 3.3 GiB [==========================================================| 00:00 ] 59.03 MiB/s
• verifying sha1sum...
• Getting IPSW build=16A366 device=iPod7,1 signed=true version=12.0
734.7 MiB / 2.6 GiB [===============>------------------------------------------| 00:57 ] 44.84 MiB/s
...
Queries the iTunes XML for latest version (maybe run this as a cron job) 😉
$ ipsw download -V latest --yes --black-list AppleTV --black-list iPod7,1
• Latest iOS release found is: "12.4.1"
• "Yo, ain't no one jailbreaking this shizz NOT even Ian Beer my dude!!!! 😏"
• Getting IPSW build=16G77 device=iPhone6,2 version=12.4.1
363.0 MiB / 2.9 GiB [======>-----------------------------------------------| 18:52 ] 49.18 MiB/s
...
NOTE: you must do one device type/family per --black-list or --white-list flag
To grab only the iPods
$ ipsw download -V latest --yes --white-list ipod
• Latest iOS release found is: "12.4.1"
• "Yo, ain't no one jailbreaking this shizz NOT even Ian Beer my dude!!!! 😏"
• Getting IPSW build=16G77 device=iPod9,1 version=12.4.1
363.0 MiB / 2.9 GiB [======>-----------------------------------------------| 18:52 ] 49.18 MiB/s
...
This will also generate a checksums.txt.sha1 file that you can use to verify the downloads
$ sha1sum -c checksums.txt.sha1
iPad_64bit_TouchID_13.2.3_17B111_Restore.ipsw: OK
iPadPro_9.7_13.2.3_17B111_Restore.ipsw: OK
iPad_Educational_13.2.3_17B111_Restore.ipsw: OK
Single kernelcache
$ ipsw download kernel --device iPhone11,2 --build 16B92
All of dem!!!
$ time ipsw download kernel --version 12.0.1
"8.40s user 1.19s system 53% cpu 17.784 total"
That's 14 decompressed kernelcaches in under 9 seconds 😏
$ ls -1
kernelcache.release.ipad4b.decompressed
kernelcache.release.ipad5b.decompressed
kernelcache.release.ipad6b.decompressed
kernelcache.release.ipad6d.decompressed
kernelcache.release.ipad6f.decompressed
kernelcache.release.ipad7.decompressed
kernelcache.release.iphone10b.decompressed
kernelcache.release.iphone11.decompressed
kernelcache.release.iphone11b.decompressed
kernelcache.release.iphone7.decompressed
kernelcache.release.iphone8b.decompressed
kernelcache.release.iphone9.decompressed
kernelcache.release.j42d.decompressed
kernelcache.release.n102.decompressed
But, how does it work?? 🤔 With the POWER 💪 of partialzip !!
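What partialzip relies on, as an added example (not code from ipsw or partialzip): a ZIP keeps its central directory at the end of the file, so a reader that can fetch byte ranges needs only that directory plus the one member it wants. `rangeReader` is a hypothetical stand-in for HTTP Range requests, and the archive and member names are constructed.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io/fs"
)

// rangeReader stands in for HTTP "Range: bytes=..." requests and counts bytes transferred.
type rangeReader struct {
	data    []byte
	fetched int64
}

func (r *rangeReader) ReadAt(p []byte, off int64) (int, error) {
	n, err := bytes.NewReader(r.data).ReadAt(p, off)
	r.fetched += int64(n)
	return n, err
}

// buildArchive returns a constructed stand-in for an IPSW: a 4 MiB stored member plus a small kernelcache.
func buildArchive() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	big, _ := w.CreateHeader(&zip.FileHeader{Name: "rootfs.dmg", Method: zip.Store})
	big.Write(make([]byte, 4<<20))
	k, _ := w.Create("kernelcache.release.iphone11")
	k.Write([]byte("constructed kernelcache bytes"))
	w.Close()
	return buf.Bytes()
}

// fetchMember reads the central directory at the end of the archive, then only the named member.
func fetchMember(archive []byte, name string) ([]byte, int64, error) {
	rr := &rangeReader{data: archive}
	zr, err := zip.NewReader(rr, int64(len(archive)))
	if err != nil {
		return nil, 0, err
	}
	body, err := fs.ReadFile(zr, name)
	return body, rr.fetched, err
}

func main() {
	a := buildArchive()
	body, n, err := fetchMember(a, "kernelcache.release.iphone11")
	fmt.Printf("%q: fetched %d of %d bytes, err=%v\n", body, n, len(a), err)
}
```

The 4 MiB member is never read; only the tail of the archive and the requested member are transferred.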
$ ipsw download -v 13.2.3 -d iPhone12,3 pattern Firmware/all_flash/iBoot
$ ls iBoot*
iBoot.d321.RELEASE.im4p iBoot.d331p.RELEASE.im4p.plist
iBoot.d321.RELEASE.im4p.plist iBoot.d421.RELEASE.im4p
iBoot.d331.RELEASE.im4p iBoot.d421.RELEASE.im4p.plist
iBoot.d331.RELEASE.im4p.plist iBoot.d431.RELEASE.im4p
iBoot.d331p.RELEASE.im4p iBoot.d431.RELEASE.im4p.plist
This is done by scraping theiphonewiki.com.
$ ipsw download beta 17C5046a
This will download and decompress the kernelcache for an iPhone XS running iOS 12.1 behind a corporate proxy
$ ipsw download --proxy http://proxy.org:[PORT] --device iPhone11,2 --build 16B92
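To disable cert verification (the server is then unauthenticated, so check the result against a checksum obtained over a verified connection)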
$ ipsw download --insecure --device iPhone11,2 --build 16B92
$ ipsw extract --kernel iPhone11,2_12.0_16A366_Restore.ipsw
macOS
$ ipsw extract --dyld iPhone11,2_12.0_16A366_Restore.ipsw
• Extracting dyld_shared_cache from IPSW
• Mounting DMG
• Extracting System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64e to dyld_shared_cache
• Unmounting DMG
docker 🆕
$ docker run --init -it --rm \
--device /dev/fuse \
--cap-add=SYS_ADMIN \
-v `pwd`:/data \
blacktop/ipsw -V extract --dyld iPhone11_2_12.4.1_16G102_Restore.ipsw
Extract WebKit version from dyld_shared_cache
$ ipsw dyld webkit dyld_shared_cache
• WebKit Version: 607.2.6.0.1
Similar to otool -L dyld_shared_cache
$ ipsw dyld list dyld_shared_cache
Header
======
Magic = dyld_v1 arm64e
MappingOffset = 00000138
MappingCount = 3
ImagesOffset = 00000198
ImagesCount = 1819
DyldBaseAddress = 00000000
CodeSignatureOffset = 5F4B0000
CodeSignatureSize = 002FC000
SlideInfoOffset = 48108000
SlideInfoSize = 00018000
LocalSymbolsOffset = 4F714000
LocalSymbolsSize = 0FD9C000
UUID = 7659EEB7-96EB-38AB-A8B6-76367E2EC5E6
Platform = iOS
Format = 10
Mappings
========
| INITPROT | MAXPROT | SIZE | ADDRESS | FILE OFFSET |
|----------|---------|--------|------------------|-------------|
| r-x | r-x | 968 MB | 0000000180000000 | 0 |
| rw- | rw- | 184 MB | 00000001BE8FC000 | 3C8FC000 |
| r-- | r-- | 118 MB | 00000001CC108000 | 48108000 |
Images
======
1: 18003c000 /usr/lib/system/libsystem_trace.dylib
2: 180053000 /usr/lib/system/libxpc.dylib
3: 180087000 /usr/lib/system/libsystem_blocks.dylib
4: 180088000 /usr/lib/system/libsystem_c.dylib
5: 180107000 /usr/lib/system/libdispatch.dylib
6: 180144000 /usr/lib/system/libsystem_malloc.dylib
7: 180165000 /usr/lib/system/libsystem_platform.dylib
<SNIP>
Split up a dyld_shared_cache
$ ipsw dyld split dyld_shared_cache
• Splitting dyld_shared_cache
0/1445
1/1445
2/1445
3/1445
<SNIP>
1441/1445
1442/1445
1443/1445
1444/1445
Decompress a previously extracted kernelcache
$ ipsw kernel decompress kernelcache.release.iphone11
Print out SUMMARY
$ ipsw download -v 13.3 -d iPhone12,3 pattern DeviceTree
$ ipsw device-tree DeviceTree.d431ap.im4p
• Product Name: iPhone 11 Pro Max
• Model: iPhone12,5
• BoardConfig: D431AP
Or print out JSON
$ ipsw device-tree --json DeviceTree.d431ap.im4p | jq .
{
"device-tree": {
"#address-cells": 2,
"#size-cells": 2,
"AAPL,phandle": 1,
"children": [
{
"chosen": {
"#address-cells": 2,
"AAPL,phandle": 2,
<SNIP>
Or remotely
$ ipsw device-tree --remote https://updates.cdn-apple.com/../iPodtouch_7_13.3_17C54_Restore.ipsw
• DeviceTree.n112ap.im4p
• Product Name: iPod touch
• Model: iPod9,1
• BoardConfig: N112AP
I am playing with the idea of diffing kernelcaches by creating directory structures of Apple's src from assert strings. Then you could use git diff or something to get a quick high level view of what Apple has changed by seeing new files being added or removed as well as seeing the line numbers of the assert strings move around.
$ ipsw kernel diff kernelcache.release.iphone11
You can see an example of what this outputs HERE
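The assert-string idea above, as an added example (not the code or output of `ipsw kernel diff`): it indexes source paths and line numbers found in two blobs and compares the indexes in memory instead of writing a directory tree for git diff. The `path:line` string shape and both sample blobs are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
)

// Assumed assert-string shape: absolute source path, colon, line number (\d{1,7} keeps Atoi in range).
var assertRe = regexp.MustCompile(`((?:/[\w.+-]+)+\.(?:c|cpp|h|m)):(\d{1,7})`)

// assertIndex maps each source path found in blob to its sorted assert line numbers.
func assertIndex(blob []byte) map[string][]int {
	idx := map[string][]int{}
	for _, m := range assertRe.FindAllSubmatch(blob, -1) {
		n, _ := strconv.Atoi(string(m[2]))
		idx[string(m[1])] = append(idx[string(m[1])], n)
	}
	for _, lines := range idx {
		sort.Ints(lines)
	}
	return idx
}

// diffIndex reports files added (A), deleted (D), or with moved assert lines (M), sorted.
func diffIndex(old, cur map[string][]int) []string {
	var out []string
	for p, lines := range cur {
		if prev, ok := old[p]; !ok {
			out = append(out, "A "+p)
		} else if fmt.Sprint(prev) != fmt.Sprint(lines) {
			out = append(out, fmt.Sprintf("M %s %v -> %v", p, prev, lines))
		}
	}
	for p := range old {
		if _, ok := cur[p]; !ok {
			out = append(out, "D "+p)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed stand-ins for the string data of two kernelcache builds.
var oldBlob = []byte("\x00\"zone exhausted\" @/Sources/xnu/osfmk/kern/zalloc.c:120\x00\"bad port\" @/Sources/xnu/osfmk/ipc/ipc_port.c:88\x00")
var newBlob = []byte("\x00\"zone exhausted\" @/Sources/xnu/osfmk/kern/zalloc.c:131\x00\"new check\" @/Sources/xnu/bsd/kern/kern_new.c:10\x00")
func main() {
	fmt.Println(diffIndex(assertIndex(oldBlob), assertIndex(newBlob)))
}
```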
Pick a folder in your $fpath to write the completion to.
NOTE: I'm using /usr/local/share/zsh-completions
$ ipsw completion zsh > /usr/local/share/zsh-completions/_ipsw
$ rm -f ~/.zcompdump; compinit
=OR=
Add the following to your ~/.zshrc
autoload -Uz compinit && compinit -C
source <(ipsw completion zsh)
compdef _ipsw ipsw
- use https://github.com/gocolly/colly
- create offline copy of ipsw.me API
- download simultaneously to decrease total time (need to limit concurrent downloads; 17+ at a time could be bad)
Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue
MIT Copyright (c) 2018 blacktop