ipsw

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

IPSW - Apple Reverse Engineering Toolkit

IPSW - Apple逆向工程工具包

Install:

brew install blacktop/tap/ipsw

安装：

brew install blacktop/tap/ipsw

Choose Your Workflow

选择你的工作流

Goal	Start Here
Download/extract firmware	Firmware Acquisition
Reverse engineer userspace	Userspace RE
Analyze kernel/KEXTs	Kernel Analysis
Research entitlements	Entitlements
Dump private API headers	Class Dump
Analyze standalone binary	Mach-O Analysis

目标	从此开始
下载/提取固件	固件获取
逆向工程用户态	用户态逆向工程
分析内核/KEXT	内核分析
研究Entitlements	Entitlements
导出私有API头文件	类导出
分析独立二进制文件	Mach-O分析

Firmware Acquisition

固件获取

bash

undefined

bash

undefined

Download latest IPSW for device

下载设备的最新IPSW

ipsw download ipsw --device iPhone16,1 --latest

Download with automatic kernel/DSC extraction

下载并自动提取内核/DSC

ipsw download ipsw --device iPhone16,1 --latest --kernel --dyld

Extract components from local IPSW

从本地IPSW提取组件

ipsw extract --kernel iPhone16,1_18.0_Restore.ipsw ipsw extract --dyld --dyld-arch arm64e iPhone16,1_18.0_Restore.ipsw

Remote extraction (no full download)

远程提取（无需完整下载）

ipsw extract --kernel --remote <IPSW_URL>


See [references/download.md](references/download.md) for device identifiers and advanced options.

---

ipsw extract --kernel --remote <IPSW_URL>


查看[references/download.md](references/download.md)获取设备标识符与高级选项。

---

Userspace RE (dyld_shared_cache)

用户态逆向工程（dyld_shared_cache）

macOS DSC:

/System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e

macOS DSC路径：

/System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e

Essential Commands

核心命令

Command	Purpose
`dyld a2s <DSC> <ADDR>`	Address → symbol (triage crash LR/PC)
`dyld symaddr <DSC> <SYM> --image <DYLIB>`	Symbol → address
`dyld disass <DSC> --vaddr <ADDR>`	Disassemble at address
`dyld disass <DSC> --symbol <SYM> --image <DYLIB>`	Disassemble by symbol
`dyld xref <DSC> <ADDR> --all`	Find all references to address
`dyld dump <DSC> <ADDR> --size 256`	Dump raw bytes at address
`dyld str <DSC> "pattern" --image <DYLIB>`	Search strings
`dyld objc --class <DSC> --image <DYLIB>`	List ObjC classes
`dyld extract <DSC> <DYLIB> -o ./out/`	Extract dylib for external tools

命令	用途
`dyld a2s <DSC> <ADDR>`	地址→符号（分析崩溃日志LR/PC）
`dyld symaddr <DSC> <SYM> --image <DYLIB>`	符号→地址
`dyld disass <DSC> --vaddr <ADDR>`	反汇编指定地址
`dyld disass <DSC> --symbol <SYM> --image <DYLIB>`	按符号反汇编
`dyld xref <DSC> <ADDR> --all`	查找该地址的所有引用
`dyld dump <DSC> <ADDR> --size 256`	导出指定地址的原始字节
`dyld str <DSC> "pattern" --image <DYLIB>`	搜索字符串
`dyld objc --class <DSC> --image <DYLIB>`	列出Objective-C类
`dyld extract <DSC> <DYLIB> -o ./out/`	提取dylib供外部工具使用

Common Workflow

常见工作流

bash

undefined

bash

undefined

1. Resolve address from crash/trace

1. 从崩溃/跟踪日志解析地址

ipsw dyld a2s $DSC 0x1bc39e1e0

→ -[SomeClass someMethod:] + 0x40

2. Disassemble around that address

2. 反汇编该地址附近的代码

ipsw dyld disass $DSC --vaddr 0x1bc39e1e0

3. Find who calls this function

3. 查找调用此函数的对象

ipsw dyld xref $DSC 0x1bc39e1a0 --all

4. Extract string/data referenced in disassembly

4. 提取反汇编中引用的字符串/数据

ipsw dyld dump $DSC 0x1bc39e200 --size 64


**Tip:** Always use `--image <DYLIB>` - it's 10x+ faster.

See [references/dyld.md](references/dyld.md) for complete DSC commands.

---

ipsw dyld dump $DSC 0x1bc39e200 --size 64


**提示：** 始终使用`--image <DYLIB>`参数，速度可提升10倍以上。

查看[references/dyld.md](references/dyld.md)获取完整的DSC命令。

---

Kernel Analysis

内核分析

bash

undefined

bash

undefined

List all KEXTs

列出所有KEXT

ipsw kernel kexts kernelcache.release.iPhone16,1

Extract specific KEXT

提取指定KEXT

ipsw kernel extract kernelcache sandbox --output ./kexts/

Dump syscalls

导出系统调用

ipsw kernel syscall kernelcache

Diff KEXTs between versions

对比不同版本间的KEXT差异

ipsw kernel kexts --diff kernelcache_17.0 kernelcache_18.0


See [references/kernel.md](references/kernel.md) for KEXT extraction and kernel analysis.

---

ipsw kernel kexts --diff kernelcache_17.0 kernelcache_18.0


查看[references/kernel.md](references/kernel.md)获取KEXT提取与内核分析的更多内容。

---

Entitlements

bash

undefined

bash

undefined

Single binary entitlements

单个二进制文件的Entitlements

ipsw macho info --ent /path/to/binary

Build searchable database from IPSW

从IPSW构建可搜索的数据库

ipsw ent --sqlite ent.db --ipsw iOS18.ipsw

Query database

查询数据库

ipsw ent --sqlite ent.db --key "com.apple.private.security.no-sandbox" ipsw ent --sqlite ent.db --key "platform-application" ipsw ent --sqlite ent.db --key "com.apple.private.tcc.manager"


See [references/entitlements.md](references/entitlements.md) for common entitlements and query patterns.

---

ipsw ent --sqlite ent.db --key "com.apple.private.security.no-sandbox" ipsw ent --sqlite ent.db --key "platform-application" ipsw ent --sqlite ent.db --key "com.apple.private.tcc.manager"


查看[references/entitlements.md](references/entitlements.md)获取常见Entitlements与查询模式。

---

Class Dump

类导出

Dump Objective-C headers from binaries or dyld_shared_cache:

bash

undefined

从二进制文件或dyld_shared_cache导出Objective-C头文件：

bash

undefined

Dump all headers from framework in DSC

从DSC中的框架导出所有头文件

ipsw class-dump $DSC SpringBoardServices --headers -o ./headers/

Dump specific class

导出指定类

ipsw class-dump $DSC Security --class SecKey

Filter by pattern

按模式过滤

ipsw class-dump $DSC UIKit --class 'UIApplication.*' --headers -o ./headers/

Include runtime addresses (for hooking)

包含运行时地址（用于Hook）

ipsw class-dump $DSC Security --re


See [references/class-dump.md](references/class-dump.md) for filtering and output options.

---

ipsw class-dump $DSC Security --re


查看[references/class-dump.md](references/class-dump.md)获取过滤与输出选项。

---

Mach-O Analysis

Mach-O分析

bash

undefined

bash

undefined

Full binary info

完整二进制文件信息

ipsw macho info /path/to/binary

Disassemble function

反汇编函数

ipsw macho disass /path/to/binary --symbol _main

Get entitlements and signature

获取Entitlements与签名信息

ipsw macho info --ent /path/to/binary ipsw macho info --sig /path/to/binary


See [references/macho.md](references/macho.md) for complete Mach-O commands.

---

ipsw macho info --ent /path/to/binary ipsw macho info --sig /path/to/binary


查看[references/macho.md](references/macho.md)获取完整的Mach-O命令。

---

Reference Files

参考文档

references/download.md - Firmware download, device IDs, extraction
references/dyld.md - Complete DSC commands (a2s, xref, dump, str, extract)
references/kernel.md - Kernel and KEXT analysis
references/entitlements.md - Entitlements database and queries
references/class-dump.md - ObjC header dumping
references/macho.md - Mach-O binary analysis

references/download.md - 固件下载、设备ID、提取
references/dyld.md - 完整DSC命令（a2s、xref、dump、str、extract）
references/kernel.md - 内核与KEXT分析
references/entitlements.md - Entitlements数据库与查询
references/class-dump.md - Objective-C头文件导出
references/macho.md - Mach-O二进制文件分析

Tips

技巧

Symbol caching: First
```
a2s
```
/
```
symaddr
```
creates
```
.a2s
```
cache - subsequent lookups are instant
Use --image flag: Specifying dylib is 10x+ faster for DSC operations
JSON output: Most commands support
```
--json
```
for scripting
Device IDs: Use
```
ipsw device-list
```
to find device identifiers

符号缓存： 首次执行
```
a2s
```
/
```
symaddr
```
会创建
```
.a2s
```
缓存，后续查询瞬间完成
使用--image参数： 指定dylib可使DSC操作速度提升10倍以上
JSON输出： 大多数命令支持
```
--json
```
参数以用于脚本编写
设备ID： 使用
```
ipsw device-list
```
查找设备标识符