In the first part of this series, we went over most of the ipsw commands, and today we will continue with the rest of them. We will see how to work with kernelcache and img4 files, how to interact with a USB-connected device and more.
We will start with the ipsw extract command, which allows us to extract the kernelcache, dyld_shared_cache, DeviceTree and im4p keybags from IPSW/OTA files.
Since we have already covered extracting the DeviceTree, we will jump right into dumping the kernelcache and dyld_shared_cache. The kernelcache is basically the kernel along with all of its extensions (kexts). To analyze the kernelcache, we first need to extract it. Later we will see how to analyze it and get some interesting information out of it.
ipsw extract --kernel PATH_TO_IPSW_FILE
To dump the dyld_shared_cache, we pass the --dyld flag instead of --kernel.
ipsw extract --dyld PATH_TO_IPSW_FILE
Another useful feature is dumping the im4p keybags as a JSON file.
An im4p file is the payload of the IMG4 file format, which is used for iBoot, the ramdisk, etc. on 64-bit devices.
ipsw extract --kbag PATH_TO_IPSW_FILE
ipsw idev provides a lot of functionality for interacting with the USB-connected device.
One ipsw idev subcommand is afc, which provides a couple of filesystem commands that allow us to manipulate files and directories inside /var/mobile/Media on the device.
Command to list files:
ipsw idev afc ls OPTIONAL_FILE
Command to list all files:
ipsw idev afc tree
The ipsw idev apps command allows us to view installed applications, install an application from an IPA file or uninstall one.
ipsw idev apps ls
ipsw idev apps uninstall BUNDLE_ID
ipsw idev comp allows us to view all companion paired devices, such as an Apple Watch.
ipsw idev comp
This command gives us the ability to work with crash reports. We can list the crashes, clear them all or download them.
ipsw idev crash ls
ipsw idev crash pull NAME_OF_THE_CRASH
ipsw idev diag provides us with a couple of diagnostics commands, such as getting a snapshot of battery data, querying the IORegistry, shutting down, rebooting and putting the device to sleep.
ipsw idev diag info
We can also view the IORegistry, which is a dynamic database that describes the collection of loaded drivers and has a tree structure.
ipsw idev ioreg FLAGS
Another useful command allows us to download the linker and dyld_shared_cache from the device; this can come in handy when we want, for example, to symbolicate a crash.
ipsw idev fsyms
We can list information about the connected device using ipsw idev list.
ipsw idev list
This command allows us to capture the device's network traffic. We can optionally filter it by process ID.
ipsw idev pcap OPTIONAL_FLAGS
In a situation where we want to proxy a connection from our localhost to a port on the USB-connected device, we can use this command.
ipsw idev proxy --lport LOCAL_PORT --rport REMOTE_PORT
We can enter and exit recovery mode using ipsw idev restore.
ipsw idev restore enter
ipsw idev restore exit
We can take a screenshot of the device using ipsw idev screen.
ipsw idev screen
We can monitor the syslog of the connected device using the ipsw idev syslog command.
ipsw idev syslog
ipsw img4 allows us to work with im4p files. For example, if we dump the iBoot from the IPSW file using ipsw extract, it will be in the
We can see that the extracted files are in im4p format. These files are encrypted, and if we want to decrypt them, we first need to extract the keybags in order to see the key.
ipsw img4 kbag PATH_TO_IM4P_FILE
Once we have obtained the key from the keybags, we can decrypt the im4p file. Before doing that, we can also extract the payload using ipsw img4 extract.
ipsw img4 extract PATH_TO_IM4P_FILE
We can see that we now have a new file (iBoot.d37.RELEASE.im4p.payload), which is the actual payload/content of the im4p file.
ipsw img4 dec -i IV_FROM_KEYBAGS -k KEY_FROM_KEYBAGS PATH_TO_IM4P_FILE
The ipsw kernel commands allow us to work with kernelcaches. They support things such as viewing DWARF debug information, extracting kernel extensions (kexts), viewing syscalls, sandbox operations and more.
ipsw kernel ctfdump allows us to view CTF (Compact ANSI-C Type Format) data, a format similar to DWARF that contains a lot of useful information for reverse engineering. It is worth noting that only the KDK (Kernel Development Kit) contains this information.
ipsw kernel ctfdump PATH_TO_KDK
ipsw kernel dwarf allows us to view DWARF debug information. We need to pass it the type to look up, or we can diff types across two kernels.
ipsw kernel dwarf --type TYPE_TO_LOOKUP PATH_TO_DSYM
ipsw kernel kexts allows us to view the kernel extensions. Kernel extensions are like modules for the kernel, and each provides specific functionality.
ipsw kernel kexts PATH_TO_KERNEL
ipsw kernel extract allows us to extract a single kernel extension or all of them.
ipsw kernel extract PATH_TO_KERNELCACHE KEXT
We can view sandbox operations using ipsw kernel sbopts.
ipsw kernel sbopts PATH_TO_KERNEL
We can view the list of syscalls (system calls) using ipsw kernel syscall.
ipsw kernel syscall PATH_TO_KERNEL
ipsw ota allows us to parse OTA (Over-The-Air) files, the file format used to update the device over a wireless network.
ipsw ota info returns basic information about the OTA file, such as version, kernelcache, CPU, etc.
ipsw ota info PATH_TO_OTA_FILE
Based on a filename pattern, we can extract files using the ipsw ota extract command.
ipsw ota extract PATH_TO_OTA PATTERN
We can view all the files inside an OTA file using ipsw ota ls.
ipsw ota ls PATH_TO_OTA_FILE
If we want to work with iOS versions 16.x and greater or macOS versions 13.x and greater, we need to patch the cryptex volumes. A cryptex (CRYPTographically-sealed EXtension) is a means of deploying updates/patches without updating the entire system, and cryptexes are the basis for Rapid Security Response.
ipsw ota patch PATH_TO_OTA_FILE --output OUTPUT_DIRECTORY
ipsw ota patch can also be used to apply a Rapid Security Response OTA, which we can then diff against the previous version. To apply the RSR OTA patch, we first need to extract the patches of the previous version, then download the RSR OTA patch and run the command below. RSR OTA files can be downloaded using the ipsw download ota command.
ipsw ota patch --input PATH_TO_PREVIOUS_PATCHES/BUILD_DEVICE --output PATH_TO_PREVIOUS_PATCH OTA_RSR
The ipsw ssh command allows us to configure debugserver and to dump shsh blobs. debugserver allows us to remotely debug applications, while shsh blobs allow us to restore our iPhone to a lower version.
To set up debugserver on the device, we first need to set up a proxy between us and the mobile device, which we can do using ipsw idev proxy, and then we just type ipsw ssh debugserver.
ipsw ssh debugserver
We have come to the end of this two-part series, in which we covered a lot of ipsw commands and their functionality. ipsw is indeed the Swiss Army Knife for iOS/macOS security research, as it provides much more than we have shown, and it takes some time to explore all of its capabilities. Additionally, it is a good resource for anyone who wants to learn more about the internals of different iOS/macOS components.
The post ipsw Walkthrough Part 2 – The Swiss Army Knife for iOS/MacOS security research first appeared on 8kSec.
Article Link: https://8ksec.io/ipsw-walkthrough-part-2-the-swiss-army-knife-for-ios-macos-security-research/?utm_source=rss&utm_medium=rss&utm_campaign=ipsw-walkthrough-part-2-the-swiss-army-knife-for-ios-macos-security-research