ipsw

IPSW - Apple Reverse Engineering Toolkit

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "ipsw" with this command: npx skills add blacktop/ipsw-skill/blacktop-ipsw-skill-ipsw

Install: brew install blacktop/tap/ipsw

Choose Your Workflow

Goal - Start Here

  • Download/extract firmware - Firmware Acquisition

  • Reverse engineer userspace - Userspace RE

  • Analyze kernel/KEXTs - Kernel Analysis

  • Research entitlements - Entitlements

  • Dump private API headers - Class Dump

  • Analyze standalone binary - Mach-O Analysis

Firmware Acquisition

Download latest IPSW for device

ipsw download ipsw --device iPhone16,1 --latest

Download with automatic kernel/DSC extraction

ipsw download ipsw --device iPhone16,1 --latest --kernel --dyld

Extract components from local IPSW

ipsw extract --kernel iPhone16,1_18.0_Restore.ipsw

ipsw extract --dyld --dyld-arch arm64e iPhone16,1_18.0_Restore.ipsw

Remote extraction (no full download)

ipsw extract --kernel --remote <IPSW_URL>

See references/download.md for device identifiers and advanced options.

Userspace RE (dyld_shared_cache)

$DSC in the commands below is the path to a dyld_shared_cache. macOS DSC: /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e

Essential Commands

Command - Purpose

  • dyld a2s <DSC> <ADDR> - Address → symbol (triage crash LR/PC)

  • dyld symaddr <DSC> <SYM> --image <DYLIB> - Symbol → address

  • dyld disass <DSC> --vaddr <ADDR> - Disassemble at address

  • dyld disass <DSC> --symbol <SYM> --image <DYLIB> - Disassemble by symbol

  • dyld xref <DSC> <ADDR> --all - Find all references to address

  • dyld dump <DSC> <ADDR> --size 256 - Dump raw bytes at address

  • dyld str <DSC> "pattern" --image <DYLIB> - Search strings

  • dyld objc --class <DSC> --image <DYLIB> - List ObjC classes

  • dyld extract <DSC> <DYLIB> -o ./out/ - Extract dylib for external tools

Common Workflow

1. Resolve address from crash/trace

ipsw dyld a2s $DSC 0x1bc39e1e0

→ -[SomeClass someMethod:] + 0x40

2. Disassemble around that address

ipsw dyld disass $DSC --vaddr 0x1bc39e1e0

3. Find who calls this function (use the function start: 0x1bc39e1e0 - 0x40 = 0x1bc39e1a0)

ipsw dyld xref $DSC 0x1bc39e1a0 --all

4. Extract string/data referenced in disassembly

ipsw dyld dump $DSC 0x1bc39e200 --size 64

Tip: Always use --image <DYLIB> - it's 10x+ faster.

See references/dyld.md for complete DSC commands.

Kernel Analysis

List all KEXTs

ipsw kernel kexts kernelcache.release.iPhone16,1

Extract specific KEXT

ipsw kernel extract kernelcache sandbox --output ./kexts/

Dump syscalls

ipsw kernel syscall kernelcache

Diff KEXTs between versions

ipsw kernel kexts --diff kernelcache_17.0 kernelcache_18.0

See references/kernel.md for KEXT extraction and kernel analysis.

Entitlements

Single binary entitlements

ipsw macho info --ent /path/to/binary

Build searchable database from IPSW

ipsw ent --sqlite ent.db --ipsw iOS18.ipsw

Query database

ipsw ent --sqlite ent.db --key "com.apple.private.security.no-sandbox"

ipsw ent --sqlite ent.db --key "platform-application"

ipsw ent --sqlite ent.db --key "com.apple.private.tcc.manager"

See references/entitlements.md for common entitlements and query patterns.

Class Dump

Dump Objective-C headers from binaries or dyld_shared_cache:

Dump all headers from framework in DSC

ipsw class-dump $DSC SpringBoardServices --headers -o ./headers/

Dump specific class

ipsw class-dump $DSC Security --class SecKey

Filter by pattern

ipsw class-dump $DSC UIKit --class 'UIApplication.*' --headers -o ./headers/

Include runtime addresses (for hooking)

ipsw class-dump $DSC Security --re

See references/class-dump.md for filtering and output options.

Mach-O Analysis

Full binary info

ipsw macho info /path/to/binary

Disassemble function

ipsw macho disass /path/to/binary --symbol _main

Get entitlements and signature

ipsw macho info --ent /path/to/binary

ipsw macho info --sig /path/to/binary

See references/macho.md for complete Mach-O commands.

Reference Files

  • references/download.md - Firmware download, device IDs, extraction

  • references/dyld.md - Complete DSC commands (a2s, xref, dump, str, extract)

  • references/kernel.md - Kernel and KEXT analysis

  • references/entitlements.md - Entitlements database and queries

  • references/class-dump.md - ObjC header dumping

  • references/macho.md - Mach-O binary analysis

Tips

  • Symbol caching: The first a2s/symaddr lookup creates a .a2s cache - subsequent lookups are instant

  • Use --image flag: Specifying dylib is 10x+ faster for DSC operations

  • JSON output: Most commands support --json for scripting

  • Device IDs: Use ipsw device-list to find device identifiers

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
