-
Notifications
You must be signed in to change notification settings - Fork 36
Home
Welcome to the iExtractor wiki!
iExtractor is a collection of tools and scripts to automate data extraction from iOS firmware files (i.e. IPSW files).
iExtractor uses existing tools and layers of Bash shell scripts to automate the extraction and processing of data from IPSW (iPhone Software) firmware files. It runs on macOS and partially on Linux (certain tools and features only work on macOS).
iExtractor may be used by people interested in iOS internals to automate the processing of data for multiple iOS versions or simply to learn more about IPSW files, kernelcaches and sandbox profiles. By using a single command you will go through all steps from downloading the public Apple-provided IPSW file, to unpacking the kernel, to reversing the sandbox profiles. You can customize the scripts or build your own to process multiple IPSW files or to get a particular piece of information.
A tool similar to iExtractor is ipsw_decrypt.py. ipsw_decrypt.py is a Python script that decrypts all encrypted information inside an IPSW file. iExtractor also extracts kernel extensions, reverses sandbox profiles and extracts system dynamic libraries from the dyld shared cache.
Check the README file for information about installing and using iExtractor. Check the wiki pages below for more detailed information.
The firmware-metadata/ folder in the repository stores metadata for each firmware; each metadata file inside the folder is named after the firmware ID (e.g. iPhone5,1_9.3_13E237). Inside each metadata file we store the download URL and the decryption keys; for example
$ cat iPhone5,1_9.3_13E237
firmware_keys_url: https://www.theiphonewiki.com/wiki/Eagle_13E237_(iPhone5,1)
firmware_download_url: http://appldnld.apple.com/iOS9.3/031-55518-20160328-92D092CC-F29A-11E5-A1E1-DC0EF816D560/iPhone5,1_9.3_13E237_Restore.ipsw
rootfs_key: 2a66fd6377af8f60d5e300ac3aa8d9c44a1c0dee94579ad3f8a26515debbf381bb971ae8
kernelcache_iv: 17026ef62f8da01dc0f4e7d2b8b54d4c
kernelcache_key: 4ca5ec9e8dc9c5f77412c699fe724a5bfe101a79e1f2134e53bbb990e62a8c96
Keys are listed on The iPhone Wiki. The download URL is available on ipsw.me and, for most versions, on The iPhone Wiki.
The config file defines the IPSW_STORE and OUT_STORE variables. This where the downloaded IPSW files and the extracted files are stored, respectively. The downloaded IPSW files are stored directly in the IPSW_STORE folder. Extracted files are stored in a subfolder of the OUT_STORE named after the firmware ID. The listing below shows the hierarchy of the IPSW_STORE folder (in/) and the OUT_STORE folder (out/):
.
|-- in/
| |-- iPhone5,1_9.3_13E237_Restore.ipsw
| `-- iPhone_4.0_64bit_11.1.2_15B202_Restore.ipsw
`-- out/
|-- iPhone5,1_9.3_13E237/
| |-- 058-25481-332.dmg
| |-- 058-25512-331.dmg
| |-- 058-25517-331.dmg
| |-- BuildManifest.plist
| |-- Firmware/
| |-- Restore.plist
| |-- com.apple.security.sandbox.kext
| |-- decrypted.dmg
| |-- dyld_shared_cache/
| |-- fs.tar.gz
| |-- kernelcache.decrypted
| |-- kernelcache.mach.arm
| |-- kernelcache.release.n41
| |-- reversed_profiles/
| |-- sandbox_bundle
| `-- sb_ops
`-- iPhone_4.0_64bit_11.1.2_15B202/
|-- 058-84556-102.dmg
|-- 058-84705-099.dmg
|-- 058-85048-102.dmg
|-- BuildManifest.plist
|-- Firmware/
|-- Restore.plist
|-- com.apple.security.sandbox.kext
|-- com.apple.security.sandbox.kext.ARM64.48E3D31D-C7FB-300C-9BDC-1C578EE2AA5B
|-- decrypted.dmg
|-- dyld_shared_cache/
|-- fs.tar.gz
|-- kernelcache.decrypted
|-- kernelcache.mach.arm
|-- kernelcache.release.iphone6
|-- kernelcache.release.iphone8b
|-- reversed_profiles/
|-- sandbox_bundle
`-- sb_ops
TODO
TODO
TODO
TODO
TODO