ipsw
Apple firmware and binary reverse engineering with the ipsw CLI tool. Use when analyzing iOS/macOS binaries, disassembling functions in dyld_shared_cache, dumping Objective-C headers from private frameworks, downloading IPSWs or kernelcaches, extracting entitlements, analyzing Mach-O files, or researching Apple security. Triggers on requests involving Apple RE, iOS internals, kernel analysis, KEXT extraction, or vulnerability research on Apple platforms.
Best use case
ipsw is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using ipsw should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/skill/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
How ipsw Compares
| Feature / Agent | ipsw | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Apple firmware and binary reverse engineering with the ipsw CLI tool. Use when analyzing iOS/macOS binaries, disassembling functions in dyld_shared_cache, dumping Objective-C headers from private frameworks, downloading IPSWs or kernelcaches, extracting entitlements, analyzing Mach-O files, or researching Apple security. Triggers on requests involving Apple RE, iOS internals, kernel analysis, KEXT extraction, or vulnerability research on Apple platforms.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# IPSW - Apple Reverse Engineering Toolkit

**Install:** `brew install blacktop/tap/ipsw`

## Choose Your Workflow

| Goal | Start Here |
|------|------------|
| Download/extract firmware | [Firmware Acquisition](#firmware-acquisition) |
| Reverse engineer userspace | [Userspace RE](#userspace-re-dyld_shared_cache) |
| Analyze kernel/KEXTs | [Kernel Analysis](#kernel-analysis) |
| Research entitlements | [Entitlements](#entitlements) |
| Dump private API headers | [Class Dump](#class-dump) |
| Analyze standalone binary | [Mach-O Analysis](#mach-o-analysis) |

---

## Firmware Acquisition

```bash
# Download latest IPSW for device
ipsw download ipsw --device iPhone16,1 --latest

# Download with automatic kernel/DSC extraction
ipsw download ipsw --device iPhone16,1 --latest --kernel --dyld

# Extract components from local IPSW
ipsw extract --kernel iPhone16,1_18.0_Restore.ipsw
ipsw extract --dyld --dyld-arch arm64e iPhone16,1_18.0_Restore.ipsw

# Remote extraction (no full download)
ipsw extract --kernel --remote <IPSW_URL>
```

See [references/download.md](references/download.md) for device identifiers and advanced options.

---

## Userspace RE (dyld_shared_cache)

**macOS DSC:** `/System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e`

### Essential Commands

| Command | Purpose |
|---------|---------|
| `dyld a2s <DSC> <ADDR>` | Address → symbol (triage crash LR/PC) |
| `dyld symaddr <DSC> <SYM> --image <DYLIB>` | Symbol → address |
| `dyld disass <DSC> --vaddr <ADDR>` | Disassemble at address |
| `dyld disass <DSC> --symbol <SYM> --image <DYLIB>` | Disassemble by symbol |
| `dyld xref <DSC> <ADDR> --all` | Find all references to address |
| `dyld dump <DSC> <ADDR> --size 256` | Dump raw bytes at address |
| `dyld str <DSC> "pattern" --image <DYLIB>` | Search strings |
| `dyld objc --class <DSC> --image <DYLIB>` | List ObjC classes |
| `dyld extract <DSC> <DYLIB> -o ./out/` | Extract dylib for external tools |

### Common Workflow

```bash
# 1. Resolve address from crash/trace
ipsw dyld a2s $DSC 0x1bc39e1e0
# → -[SomeClass someMethod:] + 0x40

# 2. Disassemble around that address
ipsw dyld disass $DSC --vaddr 0x1bc39e1e0

# 3. Find who calls this function
ipsw dyld xref $DSC 0x1bc39e1a0 --all

# 4. Extract string/data referenced in disassembly
ipsw dyld dump $DSC 0x1bc39e200 --size 64
```

**Tip:** Always use `--image <DYLIB>` - it's 10x+ faster.

See [references/dyld.md](references/dyld.md) for complete DSC commands.

---

## Kernel Analysis

```bash
# List all KEXTs
ipsw kernel kexts kernelcache.release.iPhone16,1

# Extract specific KEXT
ipsw kernel extract kernelcache sandbox --output ./kexts/

# Dump syscalls
ipsw kernel syscall kernelcache

# Diff KEXTs between versions
ipsw kernel kexts --diff kernelcache_17.0 kernelcache_18.0
```

See [references/kernel.md](references/kernel.md) for KEXT extraction and kernel analysis.

---

## Entitlements

```bash
# Single binary entitlements
ipsw macho info --ent /path/to/binary

# Build searchable database from IPSW
ipsw ent --sqlite ent.db --ipsw iOS18.ipsw

# Query database
ipsw ent --sqlite ent.db --key "com.apple.private.security.no-sandbox"
ipsw ent --sqlite ent.db --key "platform-application"
ipsw ent --sqlite ent.db --key "com.apple.private.tcc.manager"
```

See [references/entitlements.md](references/entitlements.md) for common entitlements and query patterns.

---

## Class Dump

Dump Objective-C headers from binaries or dyld_shared_cache:

```bash
# Dump all headers from framework in DSC
ipsw class-dump $DSC SpringBoardServices --headers -o ./headers/

# Dump specific class
ipsw class-dump $DSC Security --class SecKey

# Filter by pattern
ipsw class-dump $DSC UIKit --class 'UIApplication.*' --headers -o ./headers/

# Include runtime addresses (for hooking)
ipsw class-dump $DSC Security --re
```

See [references/class-dump.md](references/class-dump.md) for filtering and output options.

---

## Mach-O Analysis

```bash
# Full binary info
ipsw macho info /path/to/binary

# Disassemble function
ipsw macho disass /path/to/binary --symbol _main

# Get entitlements and signature
ipsw macho info --ent /path/to/binary
ipsw macho info --sig /path/to/binary
```

See [references/macho.md](references/macho.md) for complete Mach-O commands.

---

## Reference Files

- [references/download.md](references/download.md) - Firmware download, device IDs, extraction
- [references/dyld.md](references/dyld.md) - Complete DSC commands (a2s, xref, dump, str, extract)
- [references/kernel.md](references/kernel.md) - Kernel and KEXT analysis
- [references/entitlements.md](references/entitlements.md) - Entitlements database and queries
- [references/class-dump.md](references/class-dump.md) - ObjC header dumping
- [references/macho.md](references/macho.md) - Mach-O binary analysis

## Tips

1. **Symbol caching:** First `a2s`/`symaddr` creates `.a2s` cache - subsequent lookups are instant
2. **Use --image flag:** Specifying dylib is 10x+ faster for DSC operations
3. **JSON output:** Most commands support `--json` for scripting
4. **Device IDs:** Use `ipsw device-list` to find device identifiers