IPSW

Filename extension: .ipsw
Internet media type: application/x-itunes-ipsw [1] [2]
Magic number: 504B0304
Developed by: Apple
Type of format: Archive

IPSW, iPhone Software, is a file format used to install iOS, iPadOS, tvOS, HomePod, watchOS, and most recently, macOS firmware for devices equipped with Apple silicon. [3] All Apple devices share the same IPSW file format for iOS firmware and their derivatives, allowing users to flash their devices through Finder or iTunes on macOS or Windows, respectively. Users can flash Apple silicon Macs through Apple Configurator 2. [4]


Structure

The .ipsw file itself is a compressed archive file (a renamed Zip archive) containing at least three Apple Disk Image files: one containing the root file system of the OS, and two RAM disks for restore and update. tvOS, audioOS and macOS also include a disk image for the recovery environment (recoveryOS).

The file also holds the kernel caches, and a "Firmware" folder which contains iBoot, LLB (Low-Level Bootloader), iBSS (iBoot Single Stage), iBEC (iBoot Epoch Change), the Secure Enclave Processor firmware, the Device Tree, Firmware Images (Apple logo, battery images, Recovery mode screen and more), baseband firmware files in .bbfw format (renamed zip file), and other firmware files.

There are two more files named "BuildManifest.plist" and "Restore.plist", both property lists that contain compatibility information and SHA-256 hashes for different components. [citation needed]

BuildManifest.plist is sent to Apple's TSS server and checked in order to obtain SHSH blobs before every restore. Without SHSH blobs, the device will refuse to restore, thus making downgrades very difficult to achieve. [5]
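The structure described above can be checked mechanically. The following is an added example, not code from the article or from Apple: it confirms the Zip magic number, sorts archive members into the component types listed above, and compares each component against the digest recorded in BuildManifest.plist. The `BuildIdentities` / `Manifest` / `Info` / `Path` / `Digest` key layout and the choice of hash by digest length are assumptions, and the sample archive and its file names are constructed.

```python
import hashlib
import io
import plistlib
import zipfile

ZIP_MAGIC = bytes.fromhex("504B0304")  # magic number given for the format
ALGOS = {20: "sha1", 32: "sha256", 48: "sha384"}  # assumption: chosen by digest length

def classify(name):
    """Map a member name to the component types the article lists."""
    lower = name.lower()
    if lower in ("buildmanifest.plist", "restore.plist"):
        return "manifest"
    if lower.endswith(".bbfw"):
        return "baseband"
    if lower.startswith("firmware/"):
        return "firmware"
    if lower.endswith(".dmg"):
        return "disk-image"
    return "kernelcache" if lower.startswith("kernelcache") else "other"

def inspect_ipsw(blob):
    """Return (inventory, mismatches) for an IPSW held in memory as bytes."""
    if blob[:4] != ZIP_MAGIC:
        raise ValueError("not a Zip/IPSW archive: bad magic number")
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        inventory = {n: classify(n) for n in z.namelist() if not n.endswith("/")}
        manifest = plistlib.loads(z.read("BuildManifest.plist"))
        mismatches = []
        for identity in manifest.get("BuildIdentities", []):
            for comp, entry in identity.get("Manifest", {}).items():
                path = entry.get("Info", {}).get("Path")
                digest = entry.get("Digest") or b""
                algo = ALGOS.get(len(digest))  # None: missing or unknown digest
                if path in inventory and (algo is None or
                        hashlib.new(algo, z.read(path)).digest() != digest):
                    mismatches.append((comp, path))
    return inventory, mismatches

def build_sample(tamper=False):
    """Constructed miniature archive for the demo, not a real firmware image."""
    ibss = b"constructed iBSS bytes"
    manifest = {"BuildIdentities": [{"Manifest": {"iBSS": {
        "Info": {"Path": "Firmware/dfu/iBSS.img4"},
        "Digest": hashlib.sha256(ibss).digest()}}}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("BuildManifest.plist", plistlib.dumps(manifest))
        z.writestr("Firmware/dfu/iBSS.img4", ibss + (b"!" if tamper else b""))
        z.writestr("rootfs.dmg", b"constructed disk image")
    return buf.getvalue()
```

An empty mismatch list shows only that the archive agrees with its own manifest; whether a device will accept the build still depends on the SHSH blobs obtained from Apple's TSS server.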

Security and rooting

The archive is not password-protected, but iBoot, LLB, iBEC, iBSS, iBootData and the Secure Enclave Processor firmware images inside it are encrypted with AES. Until iOS 10, all the firmware files (including the root file system and Restore and Update ramdisks) were encrypted. While Apple does not release these keys, they can be extracted using different iBoot or bootloader exploits, such as limera1n (created by George Hotz, more commonly known as geohot). Since then, many tools have been created for the decryption and modification of the root file system. [citation needed]

Government data access

After the 2015 San Bernardino attack, the FBI recovered the shooter's iPhone 5C, which belonged to the San Bernardino County Department of Public Health. [6] The FBI recovered iCloud backups from one and a half months before the shooting, and wanted to access encrypted files on the device. The U.S. government ordered Apple to produce an IPSW file that would allow investigators to brute force the passcode of the iPhone. [7] The order used the All Writs Act, originally created by the Judiciary Act of 1789, to demand the firmware, in the same way as other smartphone manufacturers have been ordered to comply.

Tim Cook responded on the company's webpage, outlining a need for encryption, and arguing that if they produce a backdoor for one device, it would inevitably be used to compromise the privacy of other iPhone users: [8]

The FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession...

The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer.

The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.

Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.

References

  1. "IPSW file - How do I open a .ipsw file? [Step-by-step]".
  2. "Open .IPSW File".
  3. "ipsw". OS X Daily. Retrieved August 19, 2021.
  4. "Revive or restore a Mac with Apple silicon with Apple Configurator 2". Apple Support (in Chinese). Retrieved November 16, 2022.
  5. "Last iOS 9.3.2 iPSW". www.howtoisolve.com. November 10, 2016.
  6. Andrew Blankstein (February 16, 2016). "Judge Forces Apple to Help Unlock San Bernardino Shooter iPhone". NBC News.
  7. "Apple ordered to unlock San Bernardino shooter's iPhone". Ars Technica UK. February 17, 2016.
  8. Tim Cook (February 16, 2016). "A Message to Our Customers". Archived from the original on February 17, 2016. The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.