From Build Swift Apps
Apple firmware and binary reverse engineering with the ipsw CLI: download and extract IPSWs/kernelcaches, disassemble dyld_shared_cache, dump private headers/entitlements, analyze Mach-O and KEXTs, and search OBJC classes, strings, and cross-references.
`npx claudepluginhub xopoko/build-swift-apps --plugin build-swift-apps`
Slash command: `/build-swift-apps:apple-firmware-inspector`
Install: `brew install blacktop/tap/ipsw`.
When a device target is needed, resolve current identifiers with `ipsw device-list` or live data. Do not copy stale iPhone identifiers.
Firmware:
```bash
ipsw download ipsw --device "$DEVICE" --latest
ipsw download ipsw --device "$DEVICE" --latest --kernel --dyld
ipsw extract --kernel "$LATEST_IPSW"
ipsw extract --dyld --dyld-arch arm64e "$LATEST_IPSW"
ipsw extract --kernel --remote <IPSW_URL>
```
Userspace / dyld shared cache:
```bash
DSC=/System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e
ipsw dyld a2s "$DSC" 0xADDR
ipsw dyld symaddr "$DSC" "_symbol" --image Some.framework/Some
ipsw dyld disass "$DSC" --vaddr 0xADDR
ipsw dyld disass "$DSC" --symbol "_symbol" --image Some.framework/Some
ipsw dyld xref "$DSC" 0xADDR --all
ipsw dyld dump "$DSC" 0xADDR --size 256
ipsw dyld str "$DSC" "pattern" --image Some.framework/Some
ipsw dyld objc --class "$DSC" --image Some.framework/Some
ipsw dyld extract "$DSC" Some.framework/Some -o ./out/
```
Kernel/KEXT:
```bash
ipsw kernel kexts kernelcache.release.$DEVICE
ipsw kernel extract kernelcache sandbox --output ./kexts/
ipsw kernel syscall kernelcache
ipsw kernel kexts --diff "kernelcache_old" "kernelcache_new"
```
Entitlements:
```bash
ipsw macho info --ent /path/to/binary
ipsw ent --sqlite ent.db --ipsw "$LATEST_IPSW"
ipsw ent --sqlite ent.db --key "com.apple.private.security.no-sandbox"
```
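An added example (not part of the original skill or of ipsw) for reviewing the entitlements extracted above: it audits a binary's entitlements against a watch list and reports which ones were newly granted between two builds. It assumes the entitlements have been saved as XML plists; the watch list, the `com.apple.private.example.feature` key and the sample plists are constructed for illustration.

```python
import plistlib

# Assumed, non-exhaustive watch list for this example; adjust to your own policy.
RISKY_KEYS = {
    "com.apple.private.security.no-sandbox",  # the key queried on this page
    "get-task-allow",
    "task_for_pid-allow",
    "com.apple.security.cs.disable-library-validation",
}

# Constructed sample input: entitlements of an older and a newer build of one binary.
OLD_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>application-identifier</key><string>TEAMID.com.example.tool</string>
  <key>get-task-allow</key><false/>
</dict></plist>"""
NEW_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>application-identifier</key><string>TEAMID.com.example.tool</string>
  <key>get-task-allow</key><true/>
  <key>com.apple.private.security.no-sandbox</key><true/>
  <key>com.apple.private.example.feature</key><true/>
</dict></plist>"""

def load_entitlements(xml: bytes) -> dict:
    """Parse an entitlements XML plist; an empty blob means the binary has none."""
    if not xml.strip():
        return {}
    ents = plistlib.loads(xml)
    if not isinstance(ents, dict):
        raise ValueError("entitlements plist must be a dictionary")
    return ents

def granted(value) -> bool:
    """A boolean entitlement set to false grants nothing; any other value is a grant."""
    return value is not False

def audit(ents: dict) -> list:
    """Return (key, reason) for each granted key that is watch-listed or Apple-private."""
    findings = []
    for key in sorted(ents):
        if granted(ents[key]) and (key in RISKY_KEYS or key.startswith("com.apple.private.")):
            findings.append((key, "risky" if key in RISKY_KEYS else "private"))
    return findings

def newly_granted(old: dict, new: dict) -> list:
    """Keys granted in `new` that were absent or false in `old`."""
    return sorted(k for k, v in new.items() if granted(v) and not granted(old.get(k, False)))
```

Note that a key present with a `false` value is skipped, so `get-task-allow` in the older sample is not reported while the same key set to `true` in the newer one is.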
Class dump:
```bash
ipsw class-dump "$DSC" SpringBoardServices --headers -o ./headers/
ipsw class-dump "$DSC" Security --class SecKey
ipsw class-dump "$DSC" UIKit --class 'UIApplication.*' --headers -o ./headers/
ipsw class-dump "$DSC" Security --re
```
Mach-O:
```bash
ipsw macho info /path/to/binary
ipsw macho disass /path/to/binary --symbol _main
ipsw macho info --sig /path/to/binary
```
`a2s`/`symaddr` creates cache; later lookups are faster.
`--image <DYLIB>` for DSC operations; it is much faster.
`--json` for scripting.

references/download.md
references/dyld.md
references/kernel.md
references/entitlements.md
references/class-dump.md
references/macho.md