Apple Firmware Analysis Revolutionized: New Tool Indexes IPSW Entitlements to Save Storage and Accelerate Research
Researchers have unveiled a tool for analyzing Apple firmware (IPSW) that significantly reduces storage requirements and accelerates work with system images. The impetus for its development was the rapid growth in IPSW file sizes: for instance, images for the iPhone 12 Pro Max and MacBook Air M1 can reach tens of gigabytes. Storing every version in full proved inefficient, so engineers devised a system that extracts only the essential data.
The solution performs automatic indexing of IPSW collections without retaining the images themselves, structures metadata within a database, and provides a web interface for search and filtering. An API is also implemented, facilitating seamless integration into analytical pipelines.
The initial focus lies on executable files. Each binary is indexed with extracted entitlements — special application permissions granting access to system resources. Simultaneously, the frameworks in use are logged, enabling the construction of a dependency map. All information is stored in a relational database, allowing rapid navigation from a binary’s name to its permissions and associated libraries.
Alternative tools exist, such as Jonathan Levin’s service newosxbook.com, the entdb project on GitHub, or ipsw by @blacktop. Yet, the new solution emphasizes complete self-hosting, a crucial factor in preserving confidentiality.
The authors provide detailed insight into how entitlements are stored in Mach-O binaries. Specifically, the CS_SuperBlob structure contains both signatures and entitlements, with the relevant data located in blocks marked by the magic value CSMAGIC_EMBEDDED_ENTITLEMENTS. Within lies a binary Plist enumerating access keys, such as com.apple.private.security.disk-device-access or com.apple.private.kernel.system-override.
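The layout described above can be walked with a few lines of Python. This is an added example, not code from the tool or its authors: it assumes the code signature bytes have already been sliced out of the Mach-O (the region referenced by LC_CODE_SIGNATURE), the function names `parse_entitlements` and `build_sample` are hypothetical, and the sample SuperBlob is constructed inline.

```python
import plistlib
import struct

CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0     # magic of the CS_SuperBlob container
CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xFADE7171  # magic of the entitlements blob

def parse_entitlements(sig: bytes) -> dict:
    """Return the entitlements plist found in a CS_SuperBlob, or {} if none."""
    if len(sig) < 12:
        raise ValueError("truncated SuperBlob header")
    # All code signing structures are big-endian: magic, total length, index count.
    magic, length, count = struct.unpack_from(">III", sig, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError(f"not a CS_SuperBlob: magic {magic:#x}")
    if length > len(sig) or 12 + 8 * count > length:
        raise ValueError("SuperBlob length or index count out of bounds")
    for i in range(count):
        # Each CS_BlobIndex entry is (slot type, offset from SuperBlob start).
        _slot, offset = struct.unpack_from(">II", sig, 12 + 8 * i)
        if offset + 8 > length:
            raise ValueError("blob offset out of bounds")
        blob_magic, blob_len = struct.unpack_from(">II", sig, offset)
        if blob_len < 8 or offset + blob_len > length:
            raise ValueError("blob length out of bounds")
        if blob_magic == CSMAGIC_EMBEDDED_ENTITLEMENTS:
            # Payload follows the 8-byte blob header; plistlib detects XML or binary.
            return plistlib.loads(sig[offset + 8 : offset + blob_len])
    return {}

def build_sample() -> bytes:
    """Constructed SuperBlob: one placeholder blob plus one entitlements blob."""
    ents = plistlib.dumps({
        "com.apple.private.security.disk-device-access": True,
        "com.apple.private.kernel.system-override": True,
    })
    blobs = [
        (0, struct.pack(">II", 0xFADE0C02, 8 + 4) + b"\0" * 4),  # stand-in CodeDirectory, slot 0
        (5, struct.pack(">II", CSMAGIC_EMBEDDED_ENTITLEMENTS, 8 + len(ents)) + ents),  # slot 5
    ]
    index, body, offset = b"", b"", 12 + 8 * len(blobs)
    for slot, blob in blobs:
        index += struct.pack(">II", slot, offset)
        body += blob
        offset += len(blob)
    return struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, offset, len(blobs)) + index + body

if __name__ == "__main__":
    for key, value in parse_entitlements(build_sample()).items():
        print(key, "=", value)
```

The bounds checks matter when indexing firmware at scale: a malformed or truncated signature raises `ValueError` instead of reading past the blob.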
The technical implementation is crafted in Rust, employing sea_orm for database interaction, axum for HTTP routing, and utoipa for API documentation. The interface is built with ReactJS. The database currently supports both SQLite and PostgreSQL, with future plans for MySQL compatibility.
For mounting and extracting images, the tool leverages the ipsw utility, enabling firmware to be treated like a file system. This approach proves invaluable for exploring internal structures or validating changes.
According to data gathered via the ipsw.me API, as of the release of iOS 26.0 there were over 3,875 firmware builds for iPhone, 6,375 for iPad, 1,500 for Mac, and 20 for Apple Vision Pro (visionOS). To prevent uncontrolled database growth, the developers optimized the storage schema, introducing many-to-many tables and avoiding data duplication.
The tool enables users to search for all binaries utilizing a specific entitlement, trace dependencies, compare IPSW versions, or analyze differences across iOS, macOS, tvOS, and watchOS. Its API streamlines automation, allowing for regular indexing of new firmware and immediate detection of changes.
The visual component is already available, with examples of the interface and system architecture published.
Future plans include automatic generation of public and private headers with each new release of iOS and macOS. This would make it possible to build a comprehensive catalog of classes, methods, and attributes, including Apple’s internal APIs.