ipsw
Apple firmware and binary reverse engineering with the ipsw CLI tool. Use when analyzing iOS/macOS binaries, disassembling functions in dyld_shared_cache, dumping Objective-C headers from private frameworks, downloading IPSWs or kernelcaches, extracting entitlements, analyzing Mach-O files, or researching Apple security. Triggers on requests involving Apple RE, iOS internals, kernel analysis, KEXT extraction, or vulnerability research on Apple platforms.
Packaged view
This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.
Install command
npx @skill-hub/cli install blacktop-ipsw
Repository
Skill path: skill
Best for
Primary workflow: Research & Ops.
Technical facets: Full Stack, Mobile, Security.
Target audience: everyone.
License: Unknown.
Original source
Catalog source: SkillHub Club.
Repository owner: blacktop.
This is still a mirrored public skill entry. Review the repository before installing into production workflows.
What it helps with
- Install ipsw into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
- Review https://github.com/blacktop/ipsw-skill before adding ipsw to shared team environments
- Use ipsw for development workflows
Original source / Raw SKILL.md
---
name: ipsw
description: Apple firmware and binary reverse engineering with the ipsw CLI tool. Use when analyzing iOS/macOS binaries, disassembling functions in dyld_shared_cache, dumping Objective-C headers from private frameworks, downloading IPSWs or kernelcaches, extracting entitlements, analyzing Mach-O files, or researching Apple security. Triggers on requests involving Apple RE, iOS internals, kernel analysis, KEXT extraction, or vulnerability research on Apple platforms.
---
# IPSW - Apple Reverse Engineering Toolkit
**Install:** `brew install blacktop/tap/ipsw`
## Choose Your Workflow
| Goal | Start Here |
|------|------------|
| Download/extract firmware | [Firmware Acquisition](#firmware-acquisition) |
| Reverse engineer userspace | [Userspace RE](#userspace-re-dyld_shared_cache) |
| Analyze kernel/KEXTs | [Kernel Analysis](#kernel-analysis) |
| Research entitlements | [Entitlements](#entitlements) |
| Dump private API headers | [Class Dump](#class-dump) |
| Analyze standalone binary | [Mach-O Analysis](#mach-o-analysis) |
---
## Firmware Acquisition
```bash
# Download latest IPSW for device
ipsw download ipsw --device iPhone16,1 --latest
# Download with automatic kernel/DSC extraction
ipsw download ipsw --device iPhone16,1 --latest --kernel --dyld
# Extract components from local IPSW
ipsw extract --kernel iPhone16,1_18.0_Restore.ipsw
ipsw extract --dyld --dyld-arch arm64e iPhone16,1_18.0_Restore.ipsw
# Remote extraction (no full download)
ipsw extract --kernel --remote <IPSW_URL>
```
See [references/download.md](references/download.md) for device identifiers and advanced options.
---
## Userspace RE (dyld_shared_cache)
**macOS DSC:** `/System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e`
### Essential Commands
| Command | Purpose |
|---------|---------|
| `dyld a2s <DSC> <ADDR>` | Address → symbol (triage crash LR/PC) |
| `dyld symaddr <DSC> <SYM> --image <DYLIB>` | Symbol → address |
| `dyld disass <DSC> --vaddr <ADDR>` | Disassemble at address |
| `dyld disass <DSC> --symbol <SYM> --image <DYLIB>` | Disassemble by symbol |
| `dyld xref <DSC> <ADDR> --all` | Find all references to address |
| `dyld dump <DSC> <ADDR> --size 256` | Dump raw bytes at address |
| `dyld str <DSC> "pattern" --image <DYLIB>` | Search strings |
| `dyld objc --class <DSC> --image <DYLIB>` | List ObjC classes |
| `dyld extract <DSC> <DYLIB> -o ./out/` | Extract dylib for external tools |
### Common Workflow
```bash
# 1. Resolve address from crash/trace
ipsw dyld a2s $DSC 0x1bc39e1e0
# → -[SomeClass someMethod:] + 0x40
# 2. Disassemble around that address
ipsw dyld disass $DSC --vaddr 0x1bc39e1e0
# 3. Find who calls this function
ipsw dyld xref $DSC 0x1bc39e1a0 --all
# 4. Extract string/data referenced in disassembly
ipsw dyld dump $DSC 0x1bc39e200 --size 64
```
**Tip:** Always use `--image <DYLIB>` - it's 10x+ faster.
See [references/dyld.md](references/dyld.md) for complete DSC commands.
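The `a2s`, `a2o` and `o2a` lookups above are, underneath, a sorted-table search over the cache's images, symbols and mapping regions. The Python below is an added example (not code from the ipsw project) that models that: given a constructed image map, symbol table and `__TEXT` mapping, it resolves a crash PC/LR to `image!symbol + offset` the way `dyld a2s` reports it, and converts between virtual addresses and file offsets as `dyld a2o`/`o2a` do. All image names, symbol names and addresses are constructed samples; the `+ 0x40` case mirrors the workflow above.

```python
"""Model of what `ipsw dyld a2s` / `a2o` / `o2a` compute.

Added example, not code from the ipsw project. A dyld_shared_cache is
treated as (1) a list of image address ranges, (2) a symbol table keyed
by virtual address and (3) mapping regions that tie virtual addresses to
file offsets. Every name and address below is a constructed sample.
"""
from bisect import bisect_right
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Image:
    name: str
    start: int  # first virtual address of the image
    end: int    # one past the last virtual address


@dataclass(frozen=True)
class Mapping:
    vaddr: int     # virtual address where the region is mapped
    size: int
    file_off: int  # offset of the region in the cache file


class CacheModel:
    def __init__(self, images: List[Image], symbols: Dict[int, str],
                 mappings: List[Mapping]) -> None:
        self.images = sorted(images, key=lambda i: i.start)
        self.mappings = sorted(mappings, key=lambda m: m.vaddr)
        # Sorted address list so nearest-symbol lookup is a binary search
        self.sym_addrs = sorted(symbols)
        self.sym_names = [symbols[a] for a in self.sym_addrs]

    def image_for(self, vaddr: int) -> Optional[Image]:
        """Which dylib owns this address (None if outside every image)."""
        for img in self.images:
            if img.start <= vaddr < img.end:
                return img
        return None

    def a2s(self, vaddr: int) -> Optional[str]:
        """Address -> 'image!symbol + offset', as used to triage a crash PC/LR."""
        img = self.image_for(vaddr)
        if img is None:
            return None
        idx = bisect_right(self.sym_addrs, vaddr) - 1
        # The nearest lower symbol must belong to the same image; otherwise
        # the address would be attributed to the previous dylib's last symbol.
        if idx < 0 or self.sym_addrs[idx] < img.start:
            return f"{img.name}!<unknown> + {vaddr - img.start:#x}"
        off = vaddr - self.sym_addrs[idx]
        name = self.sym_names[idx]
        return f"{img.name}!{name}" if off == 0 else f"{img.name}!{name} + {off:#x}"

    def a2o(self, vaddr: int) -> Optional[int]:
        """Virtual address -> file offset via the mapping regions."""
        for m in self.mappings:
            if m.vaddr <= vaddr < m.vaddr + m.size:
                return m.file_off + (vaddr - m.vaddr)
        return None

    def o2a(self, off: int) -> Optional[int]:
        """File offset -> virtual address (inverse of a2o)."""
        for m in self.mappings:
            if m.file_off <= off < m.file_off + m.size:
                return m.vaddr + (off - m.file_off)
        return None


# Constructed sample cache: two images, three symbols, one __TEXT mapping.
SAMPLE_CACHE = CacheModel(
    images=[
        Image("libsystem_malloc.dylib", 0x1BC380000, 0x1BC390000),
        Image("SomeFramework", 0x1BC390000, 0x1BC3A0000),
    ],
    symbols={
        0x1BC381000: "_malloc",
        0x1BC39E1A0: "-[SomeClass someMethod:]",
        0x1BC39E300: "-[SomeClass otherMethod]",
    },
    mappings=[Mapping(vaddr=0x1BC000000, size=0x1000000, file_off=0)],
)

if __name__ == "__main__":
    crash_pc = 0x1BC39E1E0
    print(SAMPLE_CACHE.a2s(crash_pc))       # SomeFramework!-[SomeClass someMethod:] + 0x40
    print(hex(SAMPLE_CACHE.a2o(crash_pc)))  # 0x39e1e0
```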
---
## Kernel Analysis
```bash
# List all KEXTs
ipsw kernel kexts kernelcache.release.iPhone16,1
# Extract specific KEXT
ipsw kernel extract kernelcache sandbox --output ./kexts/
# Dump syscalls
ipsw kernel syscall kernelcache
# Diff KEXTs between versions
ipsw kernel kexts --diff kernelcache_17.0 kernelcache_18.0
```
See [references/kernel.md](references/kernel.md) for KEXT extraction and kernel analysis.
---
## Entitlements
```bash
# Single binary entitlements
ipsw macho info --ent /path/to/binary
# Build searchable database from IPSW
ipsw ent --sqlite ent.db --ipsw iOS18.ipsw
# Query database
ipsw ent --sqlite ent.db --key "com.apple.private.security.no-sandbox"
ipsw ent --sqlite ent.db --key "platform-application"
ipsw ent --sqlite ent.db --key "com.apple.private.tcc.manager"
```
See [references/entitlements.md](references/entitlements.md) for common entitlements and query patterns.
---
## Class Dump
Dump Objective-C headers from binaries or dyld_shared_cache:
```bash
# Dump all headers from framework in DSC
ipsw class-dump $DSC SpringBoardServices --headers -o ./headers/
# Dump specific class
ipsw class-dump $DSC Security --class SecKey
# Filter by pattern
ipsw class-dump $DSC UIKit --class 'UIApplication.*' --headers -o ./headers/
# Include runtime addresses (for hooking)
ipsw class-dump $DSC Security --re
```
See [references/class-dump.md](references/class-dump.md) for filtering and output options.
---
## Mach-O Analysis
```bash
# Full binary info
ipsw macho info /path/to/binary
# Disassemble function
ipsw macho disass /path/to/binary --symbol _main
# Get entitlements and signature
ipsw macho info --ent /path/to/binary
ipsw macho info --sig /path/to/binary
```
See [references/macho.md](references/macho.md) for complete Mach-O commands.
---
## Reference Files
- [references/download.md](references/download.md) - Firmware download, device IDs, extraction
- [references/dyld.md](references/dyld.md) - Complete DSC commands (a2s, xref, dump, str, extract)
- [references/kernel.md](references/kernel.md) - Kernel and KEXT analysis
- [references/entitlements.md](references/entitlements.md) - Entitlements database and queries
- [references/class-dump.md](references/class-dump.md) - ObjC header dumping
- [references/macho.md](references/macho.md) - Mach-O binary analysis
## Tips
1. **Symbol caching:** First `a2s`/`symaddr` creates `.a2s` cache - subsequent lookups are instant
2. **Use --image flag:** Specifying dylib is 10x+ faster for DSC operations
3. **JSON output:** Most commands support `--json` for scripting
4. **Device IDs:** Use `ipsw device-list` to find device identifiers
---
## Referenced Files
> The following files are referenced in this skill and included for context.
### references/download.md
```markdown
# Firmware Download & Extraction Reference
Complete reference for downloading and extracting Apple firmware with ipsw.
## Which Download Command Do I Need?
```
What do you want to download?
│
├─► iOS/iPadOS/tvOS/watchOS firmware
│   │
│   ├─► Full restore image (.ipsw file)
│   │   └─► ipsw download ipsw
│   │
│   ├─► Over-the-air update (smaller, delta updates)
│   │   └─► ipsw download ota
│   │
│   └─► Just the kernel or dyld_shared_cache (fastest)
│       └─► ipsw download ipsw --kernel --dyld
│           (extracts during download, no full IPSW saved)
│
├─► macOS installer
│   └─► ipsw download macos
│
├─► Kernel Development Kit (debug symbols, type info)
│   └─► ipsw download kdk
│
├─► Apple open source (xnu, dyld, etc.)
│   └─► ipsw download git <project>
│
├─► App Store IPA
│   └─► ipsw download ipa
│
├─► Firmware decryption keys
│   └─► ipsw download keys
│
└─► SHSH blobs / signing status
    └─► ipsw download tss
```
### Quick Decision Guide
| I want to... | Command |
|--------------|---------|
| Get latest iOS kernel for research | `ipsw download ipsw --device <ID> --latest --kernel` |
| Get dyld_shared_cache for class-dump | `ipsw download ipsw --device <ID> --latest --dyld` |
| Download full IPSW for restore | `ipsw download ipsw --device <ID> --latest` |
| Get beta/developer firmware | `ipsw download ota --device <ID> --beta` |
| Analyze macOS internals | `ipsw download macos --latest` |
| Get kernel debug symbols | `ipsw download kdk --latest` |
| Read xnu source code | `ipsw download git xnu` |
| Check if firmware is still signed | `ipsw download tss --device <ID> --build <BUILD>` |
### IPSW vs OTA: When to Use Which
| Criteria | `download ipsw` | `download ota` |
|----------|-----------------|----------------|
| File size | Larger (full image) | Smaller (delta) |
| Contains full filesystem | Yes | Partial |
| Best for kernel extraction | Yes | Yes |
| Best for dyld_shared_cache | Yes | Yes |
| Beta/seed releases | Limited | Yes (`--beta`) |
| Restore device | Yes | No |
---
## Table of Contents
- [IPSW Downloads](#ipsw-downloads)
- [OTA Downloads](#ota-downloads)
- [Remote Extraction](#remote-extraction)
- [Local Extraction](#local-extraction)
- [Kernel Development Kits](#kernel-development-kits)
- [macOS Downloads](#macos-downloads)
- [Other Downloads](#other-downloads)
---
## IPSW Downloads
**Download latest IPSW for device:**
```bash
ipsw download ipsw --device iPhone16,1 --latest
```
**Download specific iOS version:**
```bash
ipsw download ipsw --device iPhone14,2 --version 15.1
```
**Download specific build:**
```bash
ipsw download ipsw --device iPhone11,2 --build 16B92
```
**Download all IPSWs for a version:**
```bash
ipsw download ipsw --version 17.0
```
**Download with kernel extraction:**
```bash
ipsw download ipsw --device iPhone16,1 --latest --kernel
```
**Download with dyld_shared_cache extraction:**
```bash
ipsw download ipsw --device iPhone16,1 --latest --dyld --dyld-arch arm64e
```
**Get download URLs only (no download):**
```bash
ipsw download ipsw --device iPhone16,1 --latest --urls
```
**Resume interrupted download:**
```bash
ipsw download ipsw --device iPhone16,1 --latest --resume-all
```
**Filter by device family:**
```bash
ipsw download ipsw --version 17.0 --white-list iPhone
ipsw download ipsw --version 17.0 --black-list iPad
```
---
## OTA Downloads
**Download latest OTA:**
```bash
ipsw download ota --platform ios --device iPhone16,1 --latest
```
**Download with kernel extraction:**
```bash
ipsw download ota --platform ios --device iPhone16,1 --kernel
```
**Download with dyld_shared_cache:**
```bash
ipsw download ota --platform ios --device iPhone16,1 --dyld
```
**Beta/seed OTAs:**
```bash
ipsw download ota --platform ios --device iPhone16,1 --beta
```
---
## Remote Extraction
Extract components from a remote IPSW/OTA without downloading the entire file.
**Extract kernel remotely:**
```bash
ipsw extract --kernel --remote https://updates.cdn-apple.com/path/to/ipsw
```
**Extract dyld_shared_cache remotely:**
```bash
ipsw extract --dyld --dyld-arch arm64e --remote https://updates.cdn-apple.com/path/to/ipsw
```
**Extract files matching pattern remotely:**
```bash
ipsw extract --files --pattern '.*\.plist$' --remote https://url/to/ipsw
```
**Get IPSW URL then extract:**
```bash
# Get URL
ipsw download ipsw --device iPhone16,1 --latest --urls
# Extract from URL
ipsw extract --kernel --remote <URL_FROM_ABOVE>
```
---
## Local Extraction
**Extract kernel:**
```bash
ipsw extract --kernel iPhone16,1_18.0_Restore.ipsw
```
**Extract dyld_shared_cache:**
```bash
ipsw extract --dyld --dyld-arch arm64e iPhone16,1_18.0_Restore.ipsw
```
**Extract both kernel and dyld:**
```bash
ipsw extract --kernel --dyld iPhone16,1_18.0_Restore.ipsw
```
**Extract DeviceTree:**
```bash
ipsw extract --dtree iPhone16,1_18.0_Restore.ipsw
```
**Extract iBoot:**
```bash
ipsw extract --iboot iPhone16,1_18.0_Restore.ipsw
```
**Extract SEP firmware:**
```bash
ipsw extract --sep iPhone16,1_18.0_Restore.ipsw
```
**Extract files by pattern:**
```bash
ipsw extract --files --pattern '.*Info\.plist$' iPhone16,1_18.0_Restore.ipsw
```
**Extract to specific directory:**
```bash
ipsw extract --kernel --output ./extracted/ iPhone16,1_18.0_Restore.ipsw
```
**Get system version info:**
```bash
ipsw extract --sys-ver iPhone16,1_18.0_Restore.ipsw
```
**JSON output:**
```bash
ipsw extract --kernel --json iPhone16,1_18.0_Restore.ipsw
```
---
## Kernel Development Kits
KDKs contain debug symbols and type information for kernel analysis.
**List available KDKs:**
```bash
ipsw download kdk --list
```
**Download specific KDK:**
```bash
ipsw download kdk --version 13.0
```
**Download latest KDK:**
```bash
ipsw download kdk --latest
```
After download, use with `ipsw ctfdump` for type analysis:
```bash
ipsw ctfdump /Library/Developer/KDKs/KDK_13.0/kernel.development task
```
---
## macOS Downloads
**Download macOS installer:**
```bash
ipsw download macos --version 14.0
```
**Download latest macOS:**
```bash
ipsw download macos --latest
```
**List available macOS versions:**
```bash
ipsw download macos --list
```
---
## Other Downloads
**Apple open source distributions:**
```bash
ipsw download git xnu
ipsw download git dyld
```
**Firmware keys from iPhone Wiki:**
```bash
ipsw download keys --device iPhone16,1 --build 21A326
```
**SHSH blobs / signing status:**
```bash
ipsw download tss --device iPhone16,1 --build 21A326
```
**App Store IPAs (requires auth):**
```bash
ipsw download ipa --bundle-id com.example.app
```
---
## Device Identifiers
Common device identifiers for downloads:
| Device | Identifier |
|--------|------------|
| iPhone 15 Pro Max | iPhone16,2 |
| iPhone 15 Pro | iPhone16,1 |
| iPhone 15 Plus | iPhone15,5 |
| iPhone 15 | iPhone15,4 |
| iPhone 14 Pro Max | iPhone15,3 |
| iPhone 14 Pro | iPhone15,2 |
| iPad Pro 12.9" (M2) | iPad14,5 |
| iPad Pro 11" (M2) | iPad14,3 |
| Apple Watch Ultra 2 | Watch7,5 |
| Apple TV 4K (3rd) | AppleTV14,1 |
**List all devices:**
```bash
ipsw device-list
```
**Get device info:**
```bash
ipsw device-info iPhone16,1
```
---
## Configuration
Create `~/.ipsw/config.yml` for persistent settings:
```yaml
download:
  resume-all: true
  output: ~/Downloads/ipsw
  proxy: http://proxy.example.com:8080
```
---
## Common Workflows
**Get kernel for latest iOS on iPhone 15 Pro:**
```bash
ipsw download ipsw --device iPhone16,1 --latest --kernel
```
**Build local firmware collection:**
```bash
for device in iPhone16,1 iPhone15,2 iPad14,5; do
  ipsw download ipsw --device "$device" --latest --kernel --dyld
done
```
**Compare kernels between versions:**
```bash
ipsw download ipsw --device iPhone16,1 --version 17.0 --kernel
ipsw download ipsw --device iPhone16,1 --version 17.1 --kernel
ipsw kernel kexts --diff kernelcache_17.0 kernelcache_17.1
```
```
### references/dyld.md
```markdown
# dyld_shared_cache Analysis Reference
Complete reference for analyzing Apple's dyld_shared_cache (DSC) with ipsw.
## Table of Contents
- [Finding the DSC](#finding-the-dsc)
- [DSC Info & Structure](#dsc-info--structure)
- [Symbol Lookup](#symbol-lookup)
- [Disassembly](#disassembly)
- [Objective-C Analysis](#objective-c-analysis)
- [String Search](#string-search)
- [Address Conversions](#address-conversions)
- [Cross-References](#cross-references)
- [Extracting Dylibs](#extracting-dylibs)
---
## Finding the DSC
**macOS system DSC location:**
```bash
/System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e
```
**iOS DSC (after extraction from IPSW):**
```bash
ipsw extract --dyld --dyld-arch arm64e iPhone16,1_18.0_Restore.ipsw
# Creates: dyld_shared_cache_arm64e
```
**List dylibs in DSC:**
```bash
ipsw dyld info --dylibs dyld_shared_cache_arm64e
```
---
## DSC Info & Structure
**Basic info:**
```bash
ipsw dyld info dyld_shared_cache_arm64e
```
**List all dylibs:**
```bash
ipsw dyld info --dylibs dyld_shared_cache_arm64e
```
**JSON output for scripting:**
```bash
ipsw dyld info --dylibs --json dyld_shared_cache_arm64e
```
**Diff two DSCs (find added/removed dylibs):**
```bash
ipsw dyld info --diff dyld_shared_cache_v1 dyld_shared_cache_v2
```
**Launch closures:**
```bash
ipsw dyld info --closures dyld_shared_cache_arm64e
```
---
## Symbol Lookup
**Find symbol address:**
```bash
ipsw dyld symaddr dyld_shared_cache_arm64e _malloc
```
**Find symbol in specific dylib (faster):**
```bash
ipsw dyld symaddr dyld_shared_cache_arm64e _malloc --image libsystem_malloc.dylib
```
**Find all symbols matching pattern:**
```bash
ipsw dyld symaddr dyld_shared_cache_arm64e --all '_NS.*Error'
```
**Include bind symbols:**
```bash
ipsw dyld symaddr dyld_shared_cache_arm64e _malloc --binds
```
**Batch lookup from JSON file:**
```bash
# Create sym_lookup.json:
# [{"pattern": "_malloc", "image": "libsystem_malloc.dylib"},
# {"pattern": "_objc_msgSend", "image": "libobjc.A.dylib"}]
ipsw dyld symaddr dyld_shared_cache_arm64e --in sym_lookup.json --output results.json
```
**Address to symbol:**
```bash
ipsw dyld a2s dyld_shared_cache_arm64e 0x1bc39e1e0
```
---
## Disassembly
**Disassemble by symbol name:**
```bash
ipsw dyld disass dyld_shared_cache_arm64e --symbol _malloc
```
**Disassemble with image hint (faster):**
```bash
ipsw dyld disass dyld_shared_cache_arm64e --symbol _NSLog --image Foundation
```
**Disassemble by virtual address:**
```bash
ipsw dyld disass dyld_shared_cache_arm64e --vaddr 0x1b19d6940
```
**Disassemble with demangled symbols:**
```bash
ipsw dyld disass dyld_shared_cache_arm64e --symbol '_$s.*' --demangle
```
**Quiet mode (faster, less verbose):**
```bash
ipsw dyld disass dyld_shared_cache_arm64e --symbol _malloc --quiet
```
**JSON output:**
```bash
ipsw dyld disass dyld_shared_cache_arm64e --symbol _malloc --json
```
**With syntax highlighting (pipe to bat):**
```bash
ipsw dyld disass dyld_shared_cache_arm64e --symbol _malloc --color | bat -l asm
```
**LLM-powered decompilation:**
```bash
ipsw dyld disass dyld_shared_cache_arm64e --symbol _malloc --dec --dec-llm copilot --dec-lang C
```
---
## Objective-C Analysis
**Dump all ObjC classes:**
```bash
ipsw dyld objc --class dyld_shared_cache_arm64e
```
**Dump classes from specific dylib:**
```bash
ipsw dyld objc --class dyld_shared_cache_arm64e --image UIKit
```
**Dump protocols:**
```bash
ipsw dyld objc --proto dyld_shared_cache_arm64e
```
**Dump selectors:**
```bash
ipsw dyld objc --sel dyld_shared_cache_arm64e
```
**Dump imp-caches:**
```bash
ipsw dyld objc --imp-cache dyld_shared_cache_arm64e
```
---
## String Search
**Search for string in DSC:**
```bash
ipsw dyld str dyld_shared_cache_arm64e "error"
```
**Search in specific dylib:**
```bash
ipsw dyld str dyld_shared_cache_arm64e "password" --image Security
```
---
## Address Conversions
**Address to offset:**
```bash
ipsw dyld a2o dyld_shared_cache_arm64e 0x1bc39e1e0
```
**Offset to address:**
```bash
ipsw dyld o2a dyld_shared_cache_arm64e 0x39e1e0
```
**Dump data at virtual address:**
```bash
ipsw dyld dump dyld_shared_cache_arm64e 0x1bc39e1e0 --size 256
```
---
## Cross-References
**Find xrefs to address:**
```bash
ipsw dyld xref dyld_shared_cache_arm64e 0x1813450bc
```
**Search all dylibs for xrefs:**
```bash
ipsw dyld xref dyld_shared_cache_arm64e 0x1813450bc --all
```
**Search specific dylib:**
```bash
ipsw dyld xref dyld_shared_cache_arm64e 0x1813450bc --image UIKit
```
**Find imports from dependent dylibs:**
```bash
ipsw dyld xref dyld_shared_cache_arm64e 0x1813450bc --imports
```
---
## Extracting Dylibs
**Extract single dylib:**
```bash
ipsw dyld extract dyld_shared_cache_arm64e UIKit --output ./extracted/
```
**Extract with ObjC metadata:**
```bash
ipsw dyld extract dyld_shared_cache_arm64e UIKit --objc
```
**Extract with stubs:**
```bash
ipsw dyld extract dyld_shared_cache_arm64e UIKit --stubs
```
**Split entire DSC (requires Xcode):**
```bash
ipsw dyld split dyld_shared_cache_arm64e --output ./split_cache/
```
---
## Performance Tips
1. **Symbol caching**: First symbol lookup creates `.a2s` cache file - subsequent lookups are 10-15x faster
2. **Use --image flag**: Specifying the dylib dramatically speeds up symbol resolution
3. **Use --quiet**: Reduces output verbosity and speeds up disassembly
4. **Batch operations**: Use `--in` flag with JSON for multiple symbol lookups
```
### references/kernel.md
```markdown
# Kernel & KEXT Analysis Reference
Complete reference for analyzing kernelcaches and kernel extensions with ipsw.
## Table of Contents
- [Kernelcache Basics](#kernelcache-basics)
- [KEXT Extraction](#kext-extraction)
- [KEXT Comparison](#kext-comparison)
- [Syscalls & Mach Traps](#syscalls--mach-traps)
- [MIG Subsystems](#mig-subsystems)
- [Symbolication](#symbolication)
- [CTF/DWARF Analysis](#ctfdwarf-analysis)
- [Kernel Disassembly](#kernel-disassembly)
---
## Kernelcache Basics
**Get kernelcache version:**
```bash
ipsw kernel version kernelcache.release.iPhone15,2
```
**Decompress kernelcache:**
```bash
ipsw kernel dec kernelcache.release.iPhone15,2 --output kernelcache.decompressed
```
**List kernel extensions:**
```bash
ipsw kernel kexts kernelcache.release.iPhone15,2
```
**JSON output:**
```bash
ipsw kernel kexts --json kernelcache.release.iPhone15,2
```
---
## KEXT Extraction
**Extract specific KEXT:**
```bash
ipsw kernel extract kernelcache.release.iPhone15,2 sandbox
```
**Extract KEXT to specific directory:**
```bash
ipsw kernel extract kernelcache.release.iPhone15,2 sandbox --output ./kexts/
```
**Extract all KEXTs:**
```bash
ipsw kernel extract kernelcache.release.iPhone15,2 --all --output ./kexts/
```
**Extract with specific architecture:**
```bash
ipsw kernel extract kernelcache.release.iPhone15,2 IOKit --arch arm64e
```
**Common security-relevant KEXTs:**
```bash
# Sandbox
ipsw kernel extract kernelcache sandbox
# AppleMobileFileIntegrity (code signing)
ipsw kernel extract kernelcache AppleMobileFileIntegrity
# IOKit base
ipsw kernel extract kernelcache com.apple.iokit.IOKit
# Networking
ipsw kernel extract kernelcache com.apple.iokit.IONetworkingFamily
```
---
## KEXT Comparison
**Diff KEXTs between versions:**
```bash
ipsw kernel kexts --diff kernelcache_18A8395 kernelcache_18E5178a
```
Output shows:
- Added KEXTs
- Removed KEXTs
- Version changes
---
## Syscalls & Mach Traps
**Dump syscall table:**
```bash
ipsw kernel syscall kernelcache.release.iPhone15,2
```
**Dump mach_traps:**
```bash
ipsw kernel mach kernelcache.release.iPhone15,2
```
**Search for specific syscall:**
```bash
ipsw kernel syscall kernelcache.release.iPhone15,2 | grep execve
```
---
## MIG Subsystems
**Dump MIG subsystems:**
```bash
ipsw kernel mig kernelcache.release.iPhone15,2
```
MIG (Mach Interface Generator) subsystems define IPC interfaces for kernel services.
---
## Symbolication
**Symbolicate kernelcache:**
```bash
ipsw kernel symbolicate kernelcache.release.iPhone15,2
```
**Dump symbol sets:**
```bash
ipsw kernel symbolsets kernelcache.release.iPhone15,2
```
---
## CTF/DWARF Analysis
CTF (Compact C Type Format) and DWARF provide kernel type information useful for reverse engineering.
**Requires KDK (Kernel Development Kit)**
**Download KDK:**
```bash
ipsw download kdk --version 13.0
```
**Dump type info:**
```bash
ipsw ctfdump KDK/kernel.development.t8101 task > task.h
```
**Dump all kernel types:**
```bash
ipsw ctfdump KDK/kernel.development.t8101 --all
```
**Diff struct between versions:**
```bash
ipsw kernel dwarf --diff --type task KDK_13.0/kernel KDK_13.1/kernel
```
Shows:
- Added/removed struct fields
- Offset changes
- Size changes
---
## Kernel Disassembly
**Disassemble kernel function:**
```bash
ipsw macho disass kernelcache.release.iPhone15,2 --symbol _kernel_bootstrap
```
**From fileset entry (modern kernelcaches):**
```bash
ipsw macho disass kernelcache.release.iPhone15,2 --fileset-entry "com.apple.kernel" --symbol _kernel_bootstrap
```
**IOKit function:**
```bash
ipsw macho disass kernelcache.release.iPhone15,2 --fileset-entry "com.apple.iokit.IOKit" --symbol _IOLog
```
**KEXT function:**
```bash
ipsw macho disass kernelcache.release.iPhone15,2 --fileset-entry "com.apple.security.sandbox" --symbol _sandbox_check
```
---
## Common Research Patterns
**Find sandbox hooks:**
```bash
ipsw kernel extract kernelcache sandbox
ipsw macho info --symbols sandbox.kext | grep "hook\|policy"
```
**Analyze AMFI:**
```bash
ipsw kernel extract kernelcache AppleMobileFileIntegrity
ipsw macho info --symbols AppleMobileFileIntegrity.kext | grep "verify\|trust\|sign"
```
**Track kernel changes between versions:**
```bash
# Extract from two versions
ipsw kernel extract kernelcache_v1 sandbox --output v1/
ipsw kernel extract kernelcache_v2 sandbox --output v2/
# Compare symbols
diff <(ipsw macho info --symbols v1/sandbox.kext) \
     <(ipsw macho info --symbols v2/sandbox.kext)
```
**Find IOUserClient subclasses:**
```bash
ipsw macho info --objc kernelcache.release.iPhone15,2 | grep "IOUserClient"
```
```
### references/entitlements.md
```markdown
# Entitlements Analysis Reference
Complete reference for analyzing and searching entitlements with ipsw.
## Table of Contents
- [Single Binary Entitlements](#single-binary-entitlements)
- [Entitlements Database](#entitlements-database)
- [Database Queries](#database-queries)
- [Common Entitlements](#common-entitlements)
---
## Single Binary Entitlements
**Dump entitlements from binary:**
```bash
ipsw macho info --ent /path/to/binary
```
**Dump DER-encoded entitlements:**
```bash
ipsw macho info --ent-der /path/to/binary
```
**Check for specific entitlement:**
```bash
ipsw macho info --ent /path/to/binary | grep "platform-application"
```
---
## Entitlements Database
Build a searchable database of entitlements across multiple IPSWs.
**Create SQLite database:**
```bash
ipsw ent --sqlite entitlements.db --ipsw iPhone16,1_18.0_Restore.ipsw
```
**Add multiple IPSWs:**
```bash
ipsw ent --sqlite entitlements.db --ipsw *.ipsw
```
**Create PostgreSQL database:**
```bash
ipsw ent --pg-host db.example.com --pg-user postgres --ipsw *.ipsw
```
**From folder of Mach-O binaries:**
```bash
ipsw ent --sqlite entitlements.db --input ./extracted_binaries/
```
**Replace existing builds (update database):**
```bash
ipsw ent --sqlite entitlements.db --ipsw new_version.ipsw --replace
```
**Dry run (preview without changes):**
```bash
ipsw ent --sqlite entitlements.db --ipsw new.ipsw --replace --dry-run
```
---
## Database Queries
**Search by entitlement key:**
```bash
ipsw ent --sqlite entitlements.db --key platform-application
```
**Search by entitlement value:**
```bash
ipsw ent --sqlite entitlements.db --value LockdownMode
```
**Search by file name:**
```bash
ipsw ent --sqlite entitlements.db --file WebContent
```
**Filter by iOS version:**
```bash
ipsw ent --sqlite entitlements.db --key com.apple.private.security.sandbox --version 18.0
```
**Limit results:**
```bash
ipsw ent --sqlite entitlements.db --key sandbox --limit 100
```
**Get statistics:**
```bash
ipsw ent --sqlite entitlements.db --stats
```
---
## Common Entitlements
### Security & Privileges
| Entitlement | Description |
|-------------|-------------|
| `platform-application` | App runs as platform binary |
| `com.apple.private.security.no-sandbox` | Exempt from sandbox |
| `com.apple.private.skip-library-validation` | Skip library signature validation |
| `com.apple.rootless.install` | Can modify SIP-protected files |
| `com.apple.rootless.storage.TCC` | Access TCC database |
### Hardware & System
| Entitlement | Description |
|-------------|-------------|
| `com.apple.developer.kernel.*` | Kernel-related capabilities |
| `com.apple.private.amfi.*` | AMFI bypass capabilities |
| `com.apple.private.memorystatus` | Memory management |
| `com.apple.private.iokit-user-client-class` | IOKit user client access |
### Data & Privacy
| Entitlement | Description |
|-------------|-------------|
| `com.apple.private.tcc.manager` | TCC database management |
| `com.apple.private.tcc.allow` | TCC bypass for specific services |
| `keychain-access-groups` | Keychain access |
| `com.apple.private.MobileContainerManager.allowed` | Container access |
### Networking
| Entitlement | Description |
|-------------|-------------|
| `com.apple.private.network.socket-access` | Raw socket access |
| `com.apple.private.network.restricted.ports` | Bind to privileged ports |
| `com.apple.private.necp.match` | Network extension control |
---
## Research Patterns
**Find all platform binaries:**
```bash
ipsw ent --sqlite ent.db --key platform-application
```
**Find sandbox escapes:**
```bash
ipsw ent --sqlite ent.db --key "com.apple.private.security.no-sandbox"
ipsw ent --sqlite ent.db --key "com.apple.private.security.sandbox"
```
**Find TCC bypasses:**
```bash
ipsw ent --sqlite ent.db --key "com.apple.private.tcc"
```
**Find kernel capabilities:**
```bash
ipsw ent --sqlite ent.db --key "com.apple.developer.kernel"
ipsw ent --sqlite ent.db --key "com.apple.private.kernel"
```
**Track entitlement changes between versions:**
```bash
# Build databases for each version
ipsw ent --sqlite ent_17.0.db --ipsw iOS17.0.ipsw
ipsw ent --sqlite ent_17.1.db --ipsw iOS17.1.ipsw
# Query and compare
ipsw ent --sqlite ent_17.0.db --key "sandbox" > ent_17.0.txt
ipsw ent --sqlite ent_17.1.db --key "sandbox" > ent_17.1.txt
diff ent_17.0.txt ent_17.1.txt
```
**Find new private entitlements:**
```bash
ipsw ent --sqlite ent.db --key "com.apple.private" --version 18.0
```
---
## Tips
1. **Build comprehensive database**: Include multiple iOS versions to track entitlement evolution
2. **Focus on private entitlements**: `com.apple.private.*` often indicates interesting capabilities
3. **Check file context**: Match entitlements with binary functionality for attack surface analysis
4. **Cross-reference with sandbox**: Entitlements often correlate with sandbox profiles
```
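Tracking entitlement changes between versions (and spotting newly granted private entitlements, as the research patterns and tips in references/entitlements.md describe) is easier as a structural diff than as a `diff` of two text dumps. The Python below is an added example, not part of ipsw: it parses two entitlements plists in the XML plist form that `ipsw macho info --ent` prints, reports keys added, removed or changed, and tags `com.apple.private.*` keys for review. The two plists, and the binary they stand for, are constructed samples.

```python
"""Structural diff of two entitlements plists, flagging private keys.

Added example, not part of ipsw. It assumes the XML plist form that
`ipsw macho info --ent` prints for a binary. The two plists below are
constructed samples standing in for the same binary in two builds.
"""
import plistlib
from typing import Any, Dict, List

# Constructed sample: the binary in the older build.
OLD_ENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>platform-application</key>
  <true/>
  <key>com.apple.private.security.no-sandbox</key>
  <true/>
  <key>keychain-access-groups</key>
  <array>
    <string>com.example.shared</string>
  </array>
</dict>
</plist>
"""

# Constructed sample: the same binary in a newer build. The sandbox
# exemption is gone, a private TCC entitlement appeared and a second
# keychain group was added.
NEW_ENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>platform-application</key>
  <true/>
  <key>com.apple.private.tcc.allow</key>
  <array>
    <string>kTCCServiceCamera</string>
  </array>
  <key>keychain-access-groups</key>
  <array>
    <string>com.example.shared</string>
    <string>com.example.sync</string>
  </array>
</dict>
</plist>
"""


def load_entitlements(data: bytes) -> Dict[str, Any]:
    """Parse an entitlements plist (XML or binary); the root must be a dict."""
    ent = plistlib.loads(data)
    if not isinstance(ent, dict):
        raise ValueError("entitlements plist root is not a dict")
    return ent


def is_private(key: str) -> bool:
    """Apple-private entitlement namespace, the one the tips say to watch."""
    return key.startswith("com.apple.private.")


def diff_entitlements(old: Dict[str, Any], new: Dict[str, Any]) -> Dict[str, dict]:
    """Return keys added, removed and changed between two entitlement sets."""
    added = {k: new[k] for k in new.keys() - old.keys()}
    removed = {k: old[k] for k in old.keys() - new.keys()}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    return {"added": added, "removed": removed, "changed": changed}


def report(old_data: bytes, new_data: bytes) -> List[str]:
    """Human-readable diff lines; private keys are tagged for review."""
    d = diff_entitlements(load_entitlements(old_data), load_entitlements(new_data))

    def tag(key: str) -> str:
        return " [PRIVATE]" if is_private(key) else ""

    lines: List[str] = []
    for k, v in sorted(d["added"].items()):
        lines.append(f"+ {k} = {v!r}{tag(k)}")
    for k, v in sorted(d["removed"].items()):
        lines.append(f"- {k} = {v!r}{tag(k)}")
    for k, (ov, nv) in sorted(d["changed"].items()):
        lines.append(f"~ {k}: {ov!r} -> {nv!r}{tag(k)}")
    return lines


def new_private_keys(old_data: bytes, new_data: bytes) -> List[str]:
    """Only the newly granted private entitlements (the 'find new private' query)."""
    d = diff_entitlements(load_entitlements(old_data), load_entitlements(new_data))
    return sorted(k for k in d["added"] if is_private(k))


if __name__ == "__main__":
    for line in report(OLD_ENT, NEW_ENT):
        print(line)
```

To use it on real dumps, feed the bytes of two `ipsw macho info --ent` outputs for the same binary in place of the constructed samples.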
### references/class-dump.md
```markdown
# Objective-C Class Dumping Reference
Complete reference for dumping Objective-C headers with ipsw.
## Table of Contents
- [Basic Usage](#basic-usage)
- [From dyld_shared_cache](#from-dyld_shared_cache)
- [From Mach-O Binary](#from-mach-o-binary)
- [Filtering Classes](#filtering-classes)
- [Header Generation](#header-generation)
- [Output Formatting](#output-formatting)
- [Swift Dumping](#swift-dumping)
---
## Basic Usage
**From DSC dylib:**
```bash
ipsw class-dump dyld_shared_cache_arm64e UIKit
```
**From standalone Mach-O:**
```bash
ipsw class-dump /path/to/binary
```
---
## From dyld_shared_cache
**Dump specific framework:**
```bash
ipsw class-dump dyld_shared_cache_arm64e Foundation
```
**Dump private framework:**
```bash
ipsw class-dump dyld_shared_cache_arm64e SpringBoardServices
```
**Dump all dylibs:**
```bash
ipsw class-dump dyld_shared_cache_arm64e --all
```
**Common frameworks for RE:**
```bash
# UI frameworks
ipsw class-dump dyld_shared_cache_arm64e UIKit
ipsw class-dump dyld_shared_cache_arm64e SwiftUI
# Security
ipsw class-dump dyld_shared_cache_arm64e Security
ipsw class-dump dyld_shared_cache_arm64e LocalAuthentication
# System services
ipsw class-dump dyld_shared_cache_arm64e SpringBoard
ipsw class-dump dyld_shared_cache_arm64e MobileContainerManager
# Networking
ipsw class-dump dyld_shared_cache_arm64e CFNetwork
ipsw class-dump dyld_shared_cache_arm64e Network
```
---
## From Mach-O Binary
**Dump app binary:**
```bash
ipsw class-dump /Applications/Example.app/Contents/MacOS/Example
```
**Dump framework:**
```bash
ipsw class-dump /System/Library/Frameworks/Foundation.framework/Foundation
```
**Dump daemon:**
```bash
ipsw class-dump /usr/libexec/securityd
```
---
## Filtering Classes
**Filter by class name regex:**
```bash
ipsw class-dump dyld_shared_cache_arm64e UIKit --class 'UIView.*'
```
**Filter by protocol regex:**
```bash
ipsw class-dump dyld_shared_cache_arm64e Foundation --proto 'NSCoding'
```
**Filter by category regex:**
```bash
ipsw class-dump dyld_shared_cache_arm64e UIKit --cat 'UIView.*'
```
**Combine filters:**
```bash
ipsw class-dump dyld_shared_cache_arm64e UIKit --class 'UITableView.*' --proto 'UITableViewDelegate'
```
---
## Header Generation
**Generate ObjC headers:**
```bash
ipsw class-dump dyld_shared_cache_arm64e UIKit --headers --output ./headers/
```
**Generate headers for all frameworks:**
```bash
ipsw class-dump dyld_shared_cache_arm64e --all --headers --output ./all_headers/
```
**Include dependencies (private frameworks):**
```bash
ipsw class-dump dyld_shared_cache_arm64e UIKit --headers --deps --output ./headers/
```
**Include references:**
```bash
ipsw class-dump dyld_shared_cache_arm64e UIKit --headers --refs --output ./headers/
```
---
## Output Formatting
**With addresses (verbose/RE mode):**
```bash
ipsw class-dump dyld_shared_cache_arm64e UIKit --re
```
Shows method addresses useful for hooking/patching.
**With demangled names:**
```bash
ipsw class-dump dyld_shared_cache_arm64e UIKit --demangle
```
**Color themes:**
```bash
ipsw class-dump dyld_shared_cache_arm64e UIKit --theme nord
ipsw class-dump dyld_shared_cache_arm64e UIKit --theme github
```
---
## Swift Dumping
**Swift class-dump (WIP):**
```bash
ipsw swift-dump dyld_shared_cache_arm64e SwiftUI
```
**Swift from Mach-O:**
```bash
ipsw swift-dump /path/to/swift_binary
```
---
## Common Research Patterns
**Find security-related classes:**
```bash
ipsw class-dump dyld_shared_cache_arm64e Security --class '.*Keychain.*'
ipsw class-dump dyld_shared_cache_arm64e Security --class '.*Trust.*'
ipsw class-dump dyld_shared_cache_arm64e Security --class '.*Credential.*'
```
**Find network classes:**
```bash
ipsw class-dump dyld_shared_cache_arm64e CFNetwork --class '.*URL.*'
ipsw class-dump dyld_shared_cache_arm64e CFNetwork --class '.*HTTP.*'
```
**Find UI controllers:**
```bash
ipsw class-dump dyld_shared_cache_arm64e UIKit --class '.*ViewController$'
```
**Dump private APIs:**
```bash
# SpringBoard internals
ipsw class-dump dyld_shared_cache_arm64e SpringBoardServices --headers --output ./sb_headers/
# Biometric authentication
ipsw class-dump dyld_shared_cache_arm64e BiometricKit --headers --output ./bio_headers/
# App installation
ipsw class-dump dyld_shared_cache_arm64e MobileInstallation --headers --output ./install_headers/
```
**Compare class interfaces between iOS versions:**
```bash
# --class is a regex: anchor it, or a bare UITableView also matches
# UITableViewCell, UITableViewController and every other UITableView* class
ipsw class-dump dsc_17.0 UIKit --class '^UITableView$' > UITableView_17.0.h
ipsw class-dump dsc_17.1 UIKit --class '^UITableView$' > UITableView_17.1.h
diff UITableView_17.0.h UITableView_17.1.h
```
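A plain `diff` of two dumps is noisy when addresses are present and says nothing about which class a changed line belongs to. The following added example (written for this page, not part of ipsw or the skill) parses each dump into per-interface sets of method and property declarations and reports only what was added or removed. It assumes ipsw prints the usual `@interface ... @end` layout with one declaration per line, optionally followed by a `//` comment; the two sample headers, the `class_dump()` wrapper and all function names are this example's own, and the samples are constructed rather than real UIKit output.

```python
"""Structural diff of two `ipsw class-dump` outputs: which methods and
properties each interface gained or lost between two caches, ignoring the
method addresses that make a plain `diff` of --re output noisy.

Added example written for this page, not part of ipsw or the skill. It
assumes ipsw prints the usual @interface ... @end layout with one method
or @property per line, optionally followed by a `//` comment. The two
sample headers below are constructed and do not reflect real UIKit.
"""
import re
import subprocess
from collections import defaultdict

# "@interface UITableView : UIScrollView <NSCoding>" or "@interface UITableView (Category)"
INTERFACE_RE = re.compile(r"^@interface\s+([\w$]+)(?:\s*\(([\w$]*)\))?")
MEMBER_RE = re.compile(r"^([-+]\s*\(.*?;|@property\b.*?;)")


def parse_interfaces(header_text: str) -> dict[str, set[str]]:
    """Map 'Class' or 'Class(Category)' -> set of normalized member declarations."""
    classes: dict[str, set[str]] = defaultdict(set)
    current = None
    for raw in header_text.splitlines():
        line = raw.split("//", 1)[0].strip()   # drop trailing comments (addresses from --re)
        if not line:
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1) + (f"({m.group(2)})" if m.group(2) else "")
            classes[current]                   # register even if it has no members
            continue
        if line.startswith("@end"):
            current = None
            continue
        m = MEMBER_RE.match(line)
        if m and current:
            classes[current].add(re.sub(r"\s+", " ", m.group(1)))
    return dict(classes)


def diff_interfaces(old: dict[str, set[str]], new: dict[str, set[str]]) -> dict[str, tuple[list[str], list[str]]]:
    """Return {name: (added, removed)} for every interface whose members changed,
    including interfaces that only exist on one side."""
    report = {}
    for name in sorted(set(old) | set(new)):
        before, after = old.get(name, set()), new.get(name, set())
        added, removed = sorted(after - before), sorted(before - after)
        if added or removed:
            report[name] = (added, removed)
    return report


def class_dump(cache: str, dylib: str, class_regex: str) -> str:
    """Run ipsw class-dump for one class and return its stdout (needs ipsw on PATH)."""
    return subprocess.run(
        ["ipsw", "class-dump", cache, dylib, "--class", class_regex],
        check=True, capture_output=True, text=True,
    ).stdout


# Constructed samples standing in for two iOS versions of the same dump.
OLD_HEADER = """\
@interface UITableView : UIScrollView <NSCoding>
@property (nonatomic) BOOL allowsSelection;
- (void)reloadData;   // 0x18071c000
- (void)_legacyLayout;
@end
@interface UITableView (Example)
- (void)exampleOnly;
@end
"""
NEW_HEADER = """\
@interface UITableView : UIScrollView <NSCoding>
@property (nonatomic) BOOL allowsSelection;
- (void)reloadData;   // 0x18072a100
- (void)_newHelper:(id)arg1;
@end
@interface UITableViewHeaderFooterView : UIView
- (void)prepareForReuse;
@end
"""

if __name__ == "__main__":
    # usage: python3 diff_headers.py dsc_17.0 dsc_17.1 UIKit '^UITableView$'
    import sys
    if len(sys.argv) == 5:
        old_text = class_dump(sys.argv[1], sys.argv[3], sys.argv[4])
        new_text = class_dump(sys.argv[2], sys.argv[3], sys.argv[4])
    else:
        old_text, new_text = OLD_HEADER, NEW_HEADER
    for name, (added, removed) in diff_interfaces(parse_interfaces(old_text), parse_interfaces(new_text)).items():
        print(name)
        for decl in added:
            print("  +", decl)
        for decl in removed:
            print("  -", decl)
```

On the constructed samples the changed `reloadData` address is ignored, `UITableView` shows one new private helper and one removed method, the category that vanished is reported on its own, and the interface that only exists in the newer dump is listed as all-added; this is the shape of report you want when hunting for newly exposed private API between point releases.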
---
## Tips
1. **Use --re for hooking**: The `--re` flag shows method addresses needed for runtime hooking
2. **Start specific**: Use `--class` filter first, then broaden if needed
3. **Check dependencies**: Many classes reference private frameworks; use `--deps` to include them
4. **Headers for Xcode**: Generated headers can be used in Xcode projects for private API access
```
### references/macho.md
```markdown
# Mach-O Binary Analysis Reference
Complete reference for analyzing Mach-O binaries with ipsw.
## Table of Contents
- [Binary Info](#binary-info)
- [Disassembly](#disassembly)
- [Entitlements](#entitlements)
- [Code Signature](#code-signature)
- [Objective-C Metadata](#objective-c-metadata)
- [Swift Metadata](#swift-metadata)
- [Symbols](#symbols)
- [Address Conversions](#address-conversions)
- [Universal/Fat Binaries](#universalfat-binaries)
- [Fileset Kernelcaches](#fileset-kernelcaches)
---
## Binary Info
**Full MachO info:**
```bash
ipsw macho info /path/to/binary
```
**Header only:**
```bash
ipsw macho info --header /path/to/binary
```
**Load commands:**
```bash
ipsw macho info --loads /path/to/binary
```
**Segments and sections:**
```bash
ipsw macho info --loads /path/to/binary | grep -A5 "LC_SEGMENT"
```
**JSON output:**
```bash
ipsw macho info --json /path/to/binary
```
**Function starts:**
```bash
ipsw macho info --starts /path/to/binary
```
**Fixup chains:**
```bash
ipsw macho info --fixups /path/to/binary
```
**Strings:**
```bash
ipsw macho info --strings /path/to/binary
```
---
## Disassembly
**Disassemble by symbol:**
```bash
ipsw macho disass /path/to/binary --symbol _main
```
**Disassemble by virtual address:**
```bash
ipsw macho disass /path/to/binary --vaddr 0x100001000
```
**Disassemble by file offset:**
```bash
ipsw macho disass /path/to/binary --off 0x4000
```
**Disassemble entry point:**
```bash
ipsw macho disass /path/to/binary --entry
```
**Disassemble entire section:**
```bash
ipsw macho disass /path/to/binary --section __TEXT.__text
```
**Limit instruction count:**
```bash
ipsw macho disass /path/to/binary --symbol _main --count 50
```
**With color:**
```bash
ipsw macho disass /path/to/binary --symbol _main --color
```
**Specific architecture (fat binary):**
```bash
ipsw macho disass /path/to/binary --symbol _main --arch arm64e
```
**JSON output:**
```bash
ipsw macho disass /path/to/binary --symbol _main --json
```
**LLM decompilation:**
```bash
ipsw macho disass /path/to/binary --symbol _main --dec --dec-llm copilot --dec-lang C
```
---
## Entitlements
**Dump entitlements (plist format):**
```bash
ipsw macho info --ent /path/to/binary
```
**Dump DER-encoded entitlements:**
```bash
ipsw macho info --ent-der /path/to/binary
```
**Check for specific entitlement:**
```bash
ipsw macho info --ent /path/to/binary | grep "platform-application"
```
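Grepping the plist for a key name also matches an entitlement that is present but set to `<false/>` or to an empty array, which grants nothing. The following added example (written for this page, not ipsw's or the skill's code) parses the XML plist that `ipsw macho info --ent` is assumed to print on stdout and reports only granted entitlements, separating `com.apple.private.*` keys from a short illustrative list of high-value keys. It also serves the "focus on private entitlements" tip from the entitlements reference. The `HIGH_VALUE` list, the sample plist and the function names are this example's own; the sample is constructed, not dumped from a real binary.

```python
"""Parse the entitlements plist that `ipsw macho info --ent` prints and
triage it, instead of grepping for a key name.

Added example, not part of ipsw or the skill. It assumes that
`ipsw macho info --ent <binary>` writes the entitlements as an XML plist
on stdout; the sample plist below is constructed for the test.
"""
import plistlib
import subprocess
from typing import Any

# Entitlements whose presence (with a true value) widens the attack surface.
# Illustrative starting point chosen for this example, not an exhaustive catalogue.
HIGH_VALUE = {
    "platform-application",
    "get-task-allow",
    "task_for_pid-allow",
    "com.apple.security.get-task-allow",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.allow-dyld-environment-variables",
}


def parse_entitlements(plist_text: str) -> dict[str, Any]:
    """Turn the XML plist text into a dict; empty output means no entitlements."""
    if not plist_text.strip():
        return {}
    return plistlib.loads(plist_text.encode())


def is_granted(value: Any) -> bool:
    """An entitlement only grants something if its value is truthy:
    <false/>, an empty array or an empty string grant nothing."""
    return bool(value)


def triage(ents: dict[str, Any]) -> list[tuple[str, str, Any]]:
    """Return (severity, key, value) for every granted entitlement worth a second look."""
    findings = []
    for key, value in sorted(ents.items()):
        if not is_granted(value):
            continue  # present but disabled: a plain grep would still match it
        if key in HIGH_VALUE:
            findings.append(("high", key, value))
        elif key.startswith("com.apple.private."):
            findings.append(("private", key, value))
    return findings


def dump_entitlements(binary: str) -> dict[str, Any]:
    """Run ipsw on one binary and parse its output (assumed: XML plist on stdout)."""
    out = subprocess.run(
        ["ipsw", "macho", "info", "--ent", binary],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_entitlements(out)


# Constructed sample: one high-value grant, one private entitlement that is
# explicitly false, one with a real value and one with an empty array.
SAMPLE_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>com.example.tool</string>
    <key>platform-application</key>
    <true/>
    <key>com.apple.private.example.disabled</key>
    <false/>
    <key>com.apple.private.example.services</key>
    <array><string>com.example.service</string></array>
    <key>com.apple.private.example.empty</key>
    <array/>
</dict>
</plist>
"""

if __name__ == "__main__":
    # usage: python3 ent_triage.py /path/to/binary   (no argument: run on the sample)
    import sys
    ents = dump_entitlements(sys.argv[1]) if len(sys.argv) == 2 else parse_entitlements(SAMPLE_PLIST)
    for severity, key, value in triage(ents):
        print(f"[{severity}] {key} = {value!r}")
```

On the sample only `platform-application` and `com.apple.private.example.services` are reported; the `<false/>` and `<array/>` entries are skipped even though `grep` would have matched their names. Point `dump_entitlements()` at each binary found by the sweep under Common Patterns, and keep `--ent-der` in mind: the DER-encoded copy is the form recent Apple kernels evaluate, so a mismatch between the XML and DER blobs is itself a finding.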
---
## Code Signature
**Full signature info:**
```bash
ipsw macho info --sig /path/to/binary
```
**Dump signing certificate:**
```bash
ipsw macho info --dump-cert /path/to/binary
```
**Sign a binary (ad-hoc):**
```bash
ipsw macho sign /path/to/binary
```
**Sign with entitlements:**
```bash
ipsw macho sign /path/to/binary --ent entitlements.plist
```
**Sign with identity:**
```bash
ipsw macho sign /path/to/binary --id "Apple Development: ..."
```
---
## Objective-C Metadata
**Dump ObjC info:**
```bash
ipsw macho info --objc /path/to/binary
```
**Dump ObjC with references:**
```bash
ipsw macho info --objc-refs /path/to/binary
```
---
## Swift Metadata
**Basic Swift info:**
```bash
ipsw macho info --swift /path/to/binary
```
**All Swift metadata:**
```bash
ipsw macho info --swift-all /path/to/binary
```
---
## Symbols
**Dump all symbols:**
```bash
ipsw macho info --symbols /path/to/binary
```
**Address to symbol:**
```bash
ipsw macho a2s /path/to/binary 0x100001234
```
---
## Address Conversions
**Virtual address to file offset:**
```bash
ipsw macho a2o /path/to/binary 0x100001234
```
**File offset to virtual address:**
```bash
ipsw macho o2a /path/to/binary 0x1234
```
**Dump data at address:**
```bash
ipsw macho dump /path/to/binary 0x100001234 --size 256
```
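The `a2o` and `o2a` conversions are only defined where a segment actually has bytes in the file: an address in `__PAGEZERO` or in the zero-fill tail of `__DATA` (where `vmsize` exceeds `filesize`) has no file offset at all, and a file offset past every segment's `filesize` has no address. The following added example (written for this page, not ipsw's own implementation) reads the `LC_SEGMENT_64` load commands of a thin 64-bit little-endian Mach-O and performs both conversions with those cases handled; fat files and 32-bit files are rejected. The header-only image built by `build_sample_image()` is constructed with `struct.pack` for the test, and all names are this example's own.

```python
"""What `ipsw macho a2o` / `o2a` compute: walk the LC_SEGMENT_64 load
commands and translate between virtual addresses and file offsets,
refusing addresses that have no bytes in the file (zero-fill tails,
__PAGEZERO).

Added example, not ipsw's own code. Thin 64-bit little-endian Mach-O
only: fat files (extract a slice with `ipsw macho lipo` first) and 32-bit
files are rejected. The image built by build_sample_image() is
constructed with struct.pack for the test, not read from a real binary.
"""
import struct
import sys
from dataclasses import dataclass

MH_MAGIC_64 = 0xFEEDFACF
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA
LC_SEGMENT_64 = 0x19
# mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
HEADER_FMT = "<IiiIIIII"
# segment_command_64: cmd, cmdsize, segname, vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags
SEG_FMT = "<II16sQQQQiiII"


@dataclass(frozen=True)
class Segment:
    name: str
    vmaddr: int
    vmsize: int
    fileoff: int
    filesize: int


def parse_segments(image: bytes) -> list[Segment]:
    """Collect every LC_SEGMENT_64 from the load commands."""
    magic = struct.unpack_from("<I", image, 0)[0]
    if magic in (FAT_MAGIC, FAT_CIGAM):
        raise ValueError("fat binary: extract one slice first")
    if magic != MH_MAGIC_64:
        raise ValueError(f"unsupported magic {magic:#x} (only thin 64-bit LE handled)")
    ncmds = struct.unpack_from(HEADER_FMT, image, 0)[4]
    segs, off = [], struct.calcsize(HEADER_FMT)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmd == LC_SEGMENT_64:
            f = struct.unpack_from(SEG_FMT, image, off)
            segs.append(Segment(f[2].rstrip(b"\0").decode(), f[3], f[4], f[5], f[6]))
        off += cmdsize               # cmdsize also skips the section headers that follow
    return segs


def a2o(segs: list[Segment], vaddr: int):
    """Virtual address -> file offset, or None when no file bytes back it."""
    for s in segs:
        if s.vmaddr <= vaddr < s.vmaddr + s.vmsize:
            delta = vaddr - s.vmaddr
            # None: inside the segment's VM range but in its zero-fill tail (or __PAGEZERO)
            return s.fileoff + delta if delta < s.filesize else None
    return None


def o2a(segs: list[Segment], offset: int):
    """File offset -> virtual address, or None when the offset lies outside every segment's file range."""
    for s in segs:
        if s.filesize and s.fileoff <= offset < s.fileoff + s.filesize:
            return s.vmaddr + (offset - s.fileoff)
    return None


def _segment(name: str, vmaddr: int, vmsize: int, fileoff: int, filesize: int) -> bytes:
    return struct.pack(SEG_FMT, LC_SEGMENT_64, struct.calcsize(SEG_FMT),
                       name.encode().ljust(16, b"\0"), vmaddr, vmsize, fileoff, filesize, 0, 0, 0, 0)


def build_sample_image() -> bytes:
    """Constructed header-only arm64 image: __PAGEZERO, a 16 KiB __TEXT and a
    __DATA segment whose last 28 KiB are zero-fill (vmsize > filesize)."""
    cmds = (_segment("__PAGEZERO", 0, 0x100000000, 0, 0)
            + _segment("__TEXT", 0x100000000, 0x4000, 0, 0x4000)
            + _segment("__DATA", 0x100004000, 0x8000, 0x4000, 0x1000))
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2, 3, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    # usage: python3 a2o.py <thin mach-o> <hex vaddr>   (no arguments: run on the sample image)
    if len(sys.argv) == 3:
        segs = parse_segments(open(sys.argv[1], "rb").read())
        va = int(sys.argv[2], 16)
        print(f"{va:#x} -> {a2o(segs, va)}")
    else:
        segs = parse_segments(build_sample_image())
        for va in (0x100001234, 0x100004100, 0x100006000):
            print(f"{va:#x} -> {a2o(segs, va)}")
```

On the sample image `0x100001234` maps to file offset `0x1234` and `0x100004100` to `0x4100`, while `0x100006000` (in `__DATA` but past its `filesize`) and `0x1000` (in `__PAGEZERO`) map to nothing; that is the same distinction ipsw has to make, and the reason a conversion can fail on a perfectly valid address. For a kernelcache or a slice from a fat file, run the tool on the thin Mach-O you extracted rather than on the container.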
---
## Universal/Fat Binaries
**List architectures:**
```bash
ipsw macho info --header /path/to/fat_binary
```
**Extract specific architecture:**
```bash
ipsw macho lipo /path/to/fat_binary --arch arm64 --output arm64_binary
```
**Create universal binary:**
```bash
ipsw macho bbl arm64_binary arm64e_binary --output universal_binary
```
---
## Fileset Kernelcaches
Modern kernelcaches use MH_FILESET format containing multiple embedded Mach-O binaries.
**List fileset entries:**
```bash
ipsw macho info --all-fileset-entries /path/to/kernelcache
```
**Analyze specific fileset entry:**
```bash
ipsw macho info --fileset-entry "com.apple.kernel" /path/to/kernelcache
```
**Disassemble from fileset entry:**
```bash
ipsw macho disass /path/to/kernelcache --fileset-entry "com.apple.iokit.IOKit" --symbol _IOLog
```
---
## Patching
**Patch load command:**
```bash
ipsw macho patch /path/to/binary --lc LC_VERSION_MIN_IPHONEOS --set version=14.0
```
**Add rpath:**
```bash
ipsw macho patch /path/to/binary --add-rpath @executable_path/../Frameworks
```
---
## Common Patterns
**Find all binaries with specific entitlement:**
```bash
# `ipsw macho info --ent` takes one path, so loop over the executables instead of passing a glob;
# -maxdepth keeps nested bundles out and grep -q stops at the first match
find /Applications -maxdepth 2 -name "*.app" -type d -exec sh -c 'for b in "$1"/Contents/MacOS/*; do [ -f "$b" ] && ipsw macho info --ent "$b" 2>/dev/null | grep -q platform-application && { echo "$1"; break; }; done' _ {} \;
```
**Analyze all binaries in directory:**
```bash
for f in /path/to/binaries/*; do
echo "=== $f ==="
ipsw macho info --header "$f"
done
```
```