Claude Code Plugins

Community-maintained marketplace

Install Skill

  1. Download skill
  2. Enable skills in Claude

     Open claude.ai/settings/capabilities and find the "Skills" section

  3. Upload to Claude

     Click "Upload skill" and select the downloaded ZIP file

Note: Please verify the skill by reading through its instructions before using it.

SKILL.md

name: ipsw
description: Apple firmware and binary reverse engineering with the ipsw CLI tool. Use when analyzing iOS/macOS binaries, disassembling functions in dyld_shared_cache, dumping Objective-C headers from private frameworks, downloading IPSWs or kernelcaches, extracting entitlements, analyzing Mach-O files, or researching Apple security. Triggers on requests involving Apple RE, iOS internals, kernel analysis, KEXT extraction, or vulnerability research on Apple platforms.

IPSW - Apple Reverse Engineering Toolkit

Install: brew install blacktop/tap/ipsw

Choose Your Workflow

| Goal | Start Here |
| --- | --- |
| Download/extract firmware | Firmware Acquisition |
| Reverse engineer userspace | Userspace RE |
| Analyze kernel/KEXTs | Kernel Analysis |
| Research entitlements | Entitlements |
| Dump private API headers | Class Dump |
| Analyze standalone binary | Mach-O Analysis |

Firmware Acquisition

# Download latest IPSW for device
ipsw download ipsw --device iPhone16,1 --latest

# Download with automatic kernel/DSC extraction
ipsw download ipsw --device iPhone16,1 --latest --kernel --dyld

# Extract components from local IPSW
ipsw extract --kernel iPhone16,1_18.0_Restore.ipsw
ipsw extract --dyld --dyld-arch arm64e iPhone16,1_18.0_Restore.ipsw

# Remote extraction (no full download)
ipsw extract --kernel --remote <IPSW_URL>

See references/download.md for device identifiers and advanced options.


Userspace RE (dyld_shared_cache)

macOS DSC: /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e

Essential Commands

| Command | Purpose |
| --- | --- |
| dyld a2s <DSC> <ADDR> | Address → symbol (triage crash LR/PC) |
| dyld symaddr <DSC> <SYM> --image <DYLIB> | Symbol → address |
| dyld disass <DSC> --vaddr <ADDR> | Disassemble at address |
| dyld disass <DSC> --symbol <SYM> --image <DYLIB> | Disassemble by symbol |
| dyld xref <DSC> <ADDR> --all | Find all references to address |
| dyld dump <DSC> <ADDR> --size 256 | Dump raw bytes at address |
| dyld str <DSC> "pattern" --image <DYLIB> | Search strings |
| dyld objc --class <DSC> --image <DYLIB> | List ObjC classes |
| dyld extract <DSC> <DYLIB> -o ./out/ | Extract dylib for external tools |

Common Workflow

# $DSC holds the path to the dyld_shared_cache (on macOS, the path given above)

# 1. Resolve address from crash/trace
ipsw dyld a2s $DSC 0x1bc39e1e0
# → -[SomeClass someMethod:] + 0x40

# 2. Disassemble around that address
ipsw dyld disass $DSC --vaddr 0x1bc39e1e0

# 3. Find who calls this function (pass the function start: 0x1bc39e1e0 - 0x40)
ipsw dyld xref $DSC 0x1bc39e1a0 --all

# 4. Extract string/data referenced in disassembly
ipsw dyld dump $DSC 0x1bc39e200 --size 64

Tip: Always use --image <DYLIB> - it's 10x+ faster.

See references/dyld.md for complete DSC commands.
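
Step 3 of the workflow above passes xref an address 0x40 below the one resolved in step 1. The shell helper below is an added example, not part of the original skill, and makes that step explicit by subtracting the a2s offset to get the function start for each crash address. It assumes a2s output ends in "<symbol> + <offset>" as in the step 1 comment; is_num, func_start, triage and the IPSW override variable are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the original skill): crash-address triage helper.
# Assumption: `ipsw dyld a2s` output ends in "<symbol> + <offset>", as in the
# step 1 comment of the workflow above.

IPSW=${IPSW:-ipsw}   # hypothetical override, lets the helper run against a stub

# is_num VALUE -> succeeds for a plain decimal or 0x-prefixed hex number
is_num() {
    case $1 in
        0x*) case ${1#0x} in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        ''|*[!0-9]*) return 1 ;;
    esac
}

# func_start ADDR A2S_LINE -> prints the start address of the containing function
func_start() {
    case $2 in
        *" + "*) off=${2##* + } ;;   # text after the last " + "
        *)       off=0 ;;            # no offset: ADDR is already the symbol start
    esac
    # Validate before arithmetic so malformed input cannot abort the shell
    is_num "$1" && is_num "$off" || return 1
    [ $(( $1 )) -ge $(( $off )) ] || return 1
    printf '0x%x\n' $(( $1 - $off ))
}

# triage DSC ADDR... -> one TSV line per address: addr, a2s line, function start
triage() {
    dsc=$1; shift
    for addr in "$@"; do
        line=$("$IPSW" dyld a2s "$dsc" "$addr" 2>/dev/null) || line=
        if [ -z "$line" ]; then
            printf '%s\t<unresolved>\t-\n' "$addr"
            continue
        fi
        start=$(func_start "$addr" "$line") || start=-
        printf '%s\t%s\t%s\n' "$addr" "$line" "$start"
    done
}

# Stand-alone use: sh triage.sh "$DSC" 0x1bc39e1e0 ...
if [ "$#" -ge 2 ]; then triage "$@"; fi
```

The third column is the address to hand to `ipsw dyld xref $DSC <ADDR> --all`; unresolved addresses are reported rather than dropped.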


Kernel Analysis

# List all KEXTs
ipsw kernel kexts kernelcache.release.iPhone16,1

# Extract specific KEXT
ipsw kernel extract kernelcache sandbox --output ./kexts/

# Dump syscalls
ipsw kernel syscall kernelcache

# Diff KEXTs between versions
ipsw kernel kexts --diff kernelcache_17.0 kernelcache_18.0

See references/kernel.md for KEXT extraction and kernel analysis.


Entitlements

# Single binary entitlements
ipsw macho info --ent /path/to/binary

# Build searchable database from IPSW
ipsw ent --sqlite ent.db --ipsw iOS18.ipsw

# Query database
ipsw ent --sqlite ent.db --key "com.apple.private.security.no-sandbox"
ipsw ent --sqlite ent.db --key "platform-application"
ipsw ent --sqlite ent.db --key "com.apple.private.tcc.manager"

See references/entitlements.md for common entitlements and query patterns.


Class Dump

Dump Objective-C headers from binaries or dyld_shared_cache:

# Dump all headers from framework in DSC
ipsw class-dump $DSC SpringBoardServices --headers -o ./headers/

# Dump specific class
ipsw class-dump $DSC Security --class SecKey

# Filter by pattern
ipsw class-dump $DSC UIKit --class 'UIApplication.*' --headers -o ./headers/

# Include runtime addresses (for hooking)
ipsw class-dump $DSC Security --re

See references/class-dump.md for filtering and output options.


Mach-O Analysis

# Full binary info
ipsw macho info /path/to/binary

# Disassemble function
ipsw macho disass /path/to/binary --symbol _main

# Get entitlements and signature
ipsw macho info --ent /path/to/binary
ipsw macho info --sig /path/to/binary

See references/macho.md for complete Mach-O commands.


Reference Files

Tips

  1. Symbol caching: First a2s/symaddr creates .a2s cache - subsequent lookups are instant
  2. Use --image flag: Specifying dylib is 10x+ faster for DSC operations
  3. JSON output: Most commands support --json for scripting
  4. Device IDs: Use ipsw device-list to find device identifiers