8ksec Logo

ipsw Walkthrough Part 2 – The Swiss Army Knife for iOS & MacOS security research

In the first part of this series, we went over the most of ipsw commands and today we will continue with the rest of them. We will see how to work with kernelcache, img4, how to interact with the USB connected device and more.

extract

We will start with the ipsw extract command which allows us to extract kernelcache, dyld_shared_cache, DeviceTree and Im4p keybags from IPSW/OTA files.

Since we have already covered extracting DeviceTree, we will jump right into dumping kernelcache and dyld_shared_cache. kernelcache is basically a kernel along with all the extensions (kexts). To actually analyze the kernelcache, we first need to extract it. We will later see how to analyze and get some interesting information out of it.

command: ipsw extract --kernel PATH_TO_IPSW_FILE

To dump the dyld_shared_cache, we pass the --dyld flag instead of --kernel.

command: ipsw extract --dyld PATH_TO_IPSW_FILE

Another useful feature is dumping im4p keybags as json file. im4p file is a payload of IMG4 file format which is used for iBoot, ramdisk etc for 64 bit devices.

command: ipsw extract --kbag PATH_TO_IPSW_FILE

idev

ipsw idev provides a lot of functionality related to the interaction with the USB connected device.

afc

The first ipsw idev subcommand is afc which provides a couple of filesystem commands which allows us to manipulate files and directories inside of /var/mobile/Media on the device.

command to list files: ipsw idev afc ls OPTIONAL_FILE

command to list all files: ipsw idev afc tree

apps

ipsw idev apps command allows us to view installed application, install the application from IPA file or uninstall them.

command_to_list_apps: ipsw idev apps ls

command_to_uninstall_app: ipsw idev apps uninstall BUNDLE_ID

comp

ipsw idev comp allows us to view all companion paired devices, such as AppleWatch.

command: ipsw idev comp

crash

This command gives us an ability to work with crashes. We can list the crashes, clear them all or download them.

command_to_list: ipsw idev crash ls

command_to_download_crash: ipsw idev crash pull NAME_OF_THE_CRASH

diag

ipsw idev diag provides us with the couple of diagnostics commands, such as getting snapshot of battery data, querying IORegistry, shutting down, rebooting and putting the device to sleep.

command_to_get_info: ipsw idev diag info

We can also view I/ORegistry which is a dynamic database of which describes a collection of drivers and it has tree structure.

command_to_query_ioreg: ipsw idev ioreg FLAGS

fsyms

Another useful command which allows us to download linker and dyld_shared_cache from the device, this can come in handy when we want to for example symbolicate the crash.

command: ipsw idev fsyms

list

We can list the information about the connected device using ipsw idev list.

command: ipsw idev list

pcap

This command allows us to capture the traffic. We can optionally filter it by the process ID.

command: ipsw idev pcap OPTIONAL_FLAGS

proxy

In a situation where we want to proxy the connection from our localhost to port on the USB connected device, we can use this command.

command: ipsw idev proxy --lport LOCAL_PORT --rport REMOTE_PORT

restore

We can enter and exit recovery mode using ipsw idev restore

command_to_enter_recovery: ipsw idev restore enter

command_to_exit_recovery: ipsw idev restore exit

screen

We can take screenshot of the device using ipsw idev screen

command: ipsw idev screen

syslog

We can monitor the syslog of the connected device using ipsw idev syslog command.

command: ipsw idev syslog

img4

ipsw img4 allows us to work with the im4p files. For example, if we dump the iBoot from the IPSW file using ipsw extract, it will be in the im4p format.

We can see that the extracted files are in im4p format. These files are encrypted and if we want to decrypt them, we first need to extract keybags in order to see the key.

command: ipsw img4 kbag PATH_TO_IM4P_FILE

Once we have obtained the key from the keybags we can now decrypt the im4p file, but before doing that, we can also extract payloads using ipsw img4 extract.

command: ipsw img4 extract PATH_TO_IM4P_FILE

We can see that now we have new file(iBoot.d37.RELEASE.im4p.payload) which is the actual payload/content inside of im4p files.

command: ipsw img4 dec -i IV_FROM_KEYBAGS -k KEY_FROM_KEYBAGS PATH_TO_IM4P_FILE.

kernel

ipsw kernel commands allows us to work with kernelcaches. It supports things such as viewing DWARF debug information, extracting kernel extensions (kexts), viewing syscalls, sandbox operations and more.

ctfdump

ipsw kernel ctfdump allows us to view CTF (Compact ANSI-C Type Format) format which is similar to DWARF format and contains a lot of useful information for reverse engineering. It is worth to note that only KDK (Kernel Development Kit) contains these information.

command: ipsw ctfdump PATH_TO_KDK

dwarf

ipsw kernel dwarf allows us to view DWARF debug information. We need to pass it the type to lookup or we can do diff on types or two kernels.

command: ipsw kernel dwarf --type TYPE_TO_LOOKUP PATH_TO_DSYM

kexts

ipsw kernel kexts allows us to view kernel extensions. Kernel extensions are like module to the kernel and each provides specific functionality.

command: ipsw kernel kexts PATH_TO_KERNEL

extract

ipsw kernel extract allows us to extract a single or all of the kernel extensions.

command: ipsw kernel extract PATH_TO_KERNELCACHE KEXT

sbopts

We can view sandbox operations using ipsw kernel sbopts.

command: ipsw kernel sbopts PATH_TO_KERNEL

syscall

We can view the list of syscalls (system calls) using ipsw kernel syscall.

command: ipsw kernel syscall PATH_TO_KERNEL

ota

ipsw ota allows us to parse OTA (Over-The-Air) files which is file format to update the device using wireless network.

info

ipsw ota info returns as a basic information about the OTA file, such as version, kernelcache, CPU, etc.

command: ipsw ota info PATH_TO_OTA_FILE

extract

Based on the pattern of filename, we can extract the files using ipsw ota extract command.

command: ipsw ota extract PATH_TO_OTA PATTERN

ls

We can view all the files inside of OTA file using ipsw ota ls.

command: ipsw ota ls PATH_TO_OTA_FILE

patch

If we want to work with the versions of iOS of 16.x and greater or macOS of 13.x and greater, we need to patch cryptex volumes. cryptex (CRYPTographically-sealed EXtension) is a mean of deploying updates/patches without updating the entire system and they are the base for the Rapid Security Response.

command: ipsw ota patch PATH_TO_OTA_FILE --output OUTPUT_DIRECTORY

ipsw ota patch can also be used to apply OTA of Rapid Security Response which we can use to diff them. To apply the RSR OTA patch, we first need to extract the patches of previous version and then download the RSR OTA patch followed by the command below. RSR OTA files can be downloaded using ipsw download ota command.

command_to_apply_patch: ipsw ota patch --input PATH_TO_PREVIOUS_PATCHES/BUILD_DEVICE --output PATH_TO_PREVIOUS_PATCH OTA_RSR

ssh

ipsw ssh command allows us to configure debugserver and to dump shsh blobs. debugserver allows us to remotely debug applications, while the shsh blobs allows us to restore our iPhone to lower version using them.

debugserver

To set-up debugserver on the device, we first need to setup the proxy between us and the mobile device, we can do so using ipsw idev proxy and then we just type ipsw ssh debugserver.

command: ipsw ssh debugserver

We have come to an end of this two-part series where we have covered a lot of ipsw commands and its functionality. ipsw is indeed The Swiss Army Knife for iOS/MacOS security research as it provides a lot more and it takes a bit of time to explore all of its capabilities. Additionally, it is good source for anyone who wants to learn more about internals of different iOS/MacOS components.

GET IN TOUCH

Visit our training page if you’re interested in learning more about these techniques and developing your abilities further. Additionally, you may look through our Events page and sign up for our upcoming Public trainings. 

Check out our Certifications Program and get Certified today.

Please don’t hesitate to reach out to us through out Contact Us page or through the Button below if you have any questions or need assistance with Penetration Testing or any other Security-related Services. We will answer in a timely manner within 1 business day.

We are always looking for talented people to join our team. Visit out Careers page to look at the available roles. We would love to hear from you.

Trainings

On Trend

Most Popular Stories

Mobile Malware Analysis - Part 7 - Blackrock

Mobile Malware Analysis Part 7 – Blackrock

Application Details Name : <code>Flash Player</code> Package : artwork.differ.kitchen SHA256 Hash : a25bf4bdb2ed9872456af0057eb21ce31fd03d680d63a9da469519060b4814bc Introduction Hey there! Welcome to the seventh blog in our Mobile Malware

Subscribe & Get InFormation

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.