AI skill for Apple firmware and binary reverse engineering using the ipsw CLI tool. Supports Claude Code, Codex CLI, and Gemini CLI. Helps operations teams analyze firmware, extract binaries, and identify vulnerabilities.
git clone https://github.com/blacktop/ipsw-skill.git
1. Install prerequisites. Install the ipsw CLI (`brew install blacktop/tap/ipsw`) and obtain the IPSW for your target device and version. Verify with `ipsw version`.
   Tip: download IPSWs directly from Apple's servers with `ipsw download ipsw --device iPhone16,1 --version 17.4.1`. Note that iPhone16,1 is the iPhone 15 Pro and iPhone15,2 is the iPhone 14 Pro; check the identifier with `ipsw device-list` before downloading, since an IPSW for the wrong model will not match the device you are assessing.

2. Run the analysis. Paste the prompt template below into your agent (Claude Code, Codex CLI or Gemini CLI) with the placeholders filled in, e.g. version 17.4.1, model iPhone 15 Pro, IPSW at /path/to/iOS_17.4.1_iPhone15Pro_IPSW.ipsw. The skill drives ipsw for you: `ipsw extract --kernel --dyld --dmg fs --output /tmp/analysis <ipsw>` pulls out the kernelcache, the dyld_shared_cache and the root filesystem image, and `ipsw macho info <binary>` reports the architecture and load commands of each Mach-O it finds (see `ipsw extract --help` for the full flag set). CVE matching is done by the agent against the database you named in the prompt, not by ipsw itself.
   Tip: a full extract needs several times the IPSW's size in free disk space; keep `--output` on a fast local volume and watch disk and memory use with `htop` during long runs.

3. Review results. Examine the generated report for high-severity findings. If you need to look at a kernel component, `ipsw extract --kernel` gives you the kernelcache and `ipsw kernel kexts <kernelcache>` lists the kexts fused into it.
   Tip: cross-reference every CVE ID against Apple's security releases page (https://support.apple.com/en-us/HT201222) to confirm a fix exists and which version carries it. Apple lists fixes by component and publishes neither CVSS scores nor per-binary mappings, so the severity numbers and binary attribution in the report come from the vulnerability database and the agent and must be verified by hand. `ipsw info <ipsw>` shows the build you analysed; `ipsw download ipsw --device iPhone16,1 --latest` fetches the newest firmware for comparison.

4. Take action. Prioritize remediation by severity. For unpatched issues, apply compensating controls such as network segmentation or app restrictions.
   Tip: in enterprise environments, use Mobile Device Management (MDM) to enforce updates. MDM restrictions can reduce exposure (for example by limiting app installation or web content), but they cannot remove or block system binaries on iOS, so for kernel, dyld and WebKit issues the update is the only real fix.

5. Document findings. Save the report and any extracted binaries to your organization's security repository, with timestamps, the IPSW build number and the `ipsw version` output for the audit trail.
   Tip: Apple ships iOS binaries stripped, so there are no debug symbols to extract; `ipsw dyld symaddr <dyld_shared_cache> <symbol>` resolves exported symbols in the shared cache when you need to go further in reverse engineering.
Run the install command above in your terminal.
Launch Claude Code, Codex CLI or Gemini CLI (the agents the skill supports), or your preferred AI coding agent.
Use the prompt template and example output below to test the skill.
Adapt the prompt to your specific use case and workflow.
Use the ipsw CLI tool to analyze the iOS [VERSION] IPSW file for [DEVICE_MODEL]. Extract the kernelcache and dyld_shared_cache, then identify all executable binaries in the root filesystem. For each binary, check for known vulnerabilities using [VULNERABILITY_DATABASE] and generate a report listing: 1) Binary path and architecture, 2) Detected CVEs, 3) Potential impact, and 4) Recommended mitigation steps. Focus on binaries with high severity vulnerabilities (CVSS >= 7.0).
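As an added example (not code from ipsw-skill or the ipsw project), the following Python walks the directory an `ipsw extract --dmg fs` run leaves behind (the root path passed to `scan_tree` is an assumption) and inventories every Mach-O by path, architecture and file type, which is the first column the prompt above asks for and the starting point for any CVE lookup. ipsw's own `macho info` does this job; the point here is to show what the identification actually checks: the 0xFEEDFACF/0xFEEDFACE magic, fat containers with their big-endian tables and the 0xCAFEBABE clash with Java class files, and the arm64 versus arm64e distinction, which lives in the low 24 bits of cpusubtype with the pointer-authentication ABI flag in the high byte. The sample files that `demo()` writes are constructed here, not real firmware.

```python
import io
import os
import shutil
import struct
import tempfile
from dataclasses import dataclass

# Constants from <mach-o/loader.h>, <mach-o/fat.h> and <mach/machine.h>.
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O; header fields are little-endian on iOS
MH_MAGIC = 0xFEEDFACE             # 32-bit Mach-O
FAT_MAGIC = 0xCAFEBABE            # universal binary; fat header and arch table are big-endian
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_ARM, CPU_TYPE_X86 = 12, 7
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_SUBTYPE_MASK = 0x00FFFFFF     # high byte carries ABI flags (0x80 = pointer authentication)
CPU_SUBTYPE_ARM64E = 2
MH_EXECUTE, MH_DYLIB, MH_DYLINKER, MH_BUNDLE, MH_KEXT_BUNDLE, MH_FILESET = 2, 6, 7, 8, 11, 12
FILETYPES = {MH_EXECUTE: "execute", MH_DYLIB: "dylib", MH_DYLINKER: "dylinker",
             MH_BUNDLE: "bundle", MH_KEXT_BUNDLE: "kext", MH_FILESET: "fileset"}


@dataclass(frozen=True)
class Slice:
    arch: str
    filetype: str


def arch_name(cputype, cpusubtype):
    """Map cputype/cpusubtype to the names ipsw and otool print."""
    if cputype == CPU_TYPE_ARM64:
        return "arm64e" if (cpusubtype & CPU_SUBTYPE_MASK) == CPU_SUBTYPE_ARM64E else "arm64"
    if cputype == CPU_TYPE_X86_64:
        return "x86_64"
    if cputype == CPU_TYPE_ARM:
        return "armv7"
    return f"cputype_{cputype:#x}"


def parse_thin(hdr):
    """Decode one mach_header(_64); return a Slice, or None if it is not Mach-O."""
    if len(hdr) < 16:
        return None
    magic, cputype, cpusubtype, filetype = struct.unpack_from("<IIII", hdr, 0)
    if magic not in (MH_MAGIC_64, MH_MAGIC):
        return None
    return Slice(arch_name(cputype, cpusubtype), FILETYPES.get(filetype, f"filetype_{filetype}"))


def identify(f):
    """Return the Mach-O slices in an open binary file (empty list if it is not Mach-O)."""
    head = f.read(8)
    if len(head) < 8:
        return []
    if struct.unpack_from(">I", head, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", head, 4)[0]
        # Java class files share the 0xCAFEBABE magic; their next field is a class
        # version of 45 or more, so (like dyld) treat nfat_arch > 30 as "not fat".
        if nfat == 0 or nfat > 30:
            return []
        table = f.read(20 * nfat)
        slices = []
        for i in range(nfat):
            _ct, _cs, offset, size, _align = struct.unpack_from(">IIIII", table, 20 * i)
            f.seek(offset)                      # each slice is a complete thin Mach-O
            s = parse_thin(f.read(min(size, 32)))
            if s:
                slices.append(s)
        return slices
    f.seek(0)
    s = parse_thin(f.read(32))
    return [s] if s else []


def identify_bytes(blob):
    return identify(io.BytesIO(blob))


def scan_tree(root):
    """Walk an extracted filesystem; map relative path -> slices for every Mach-O."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path):            # iOS roots are full of symlinks; count each file once
                continue
            try:
                with open(path, "rb") as f:
                    slices = identify(f)
            except OSError:
                continue
            if slices:
                found[os.path.relpath(path, root)] = slices
    return found


def report_lines(found):
    """Rows for the report's 'binary path and architecture' section."""
    return [f"- /{path} ({', '.join(s.arch for s in slices)}; {slices[0].filetype})"
            for path, slices in sorted(found.items())]


# --- constructed sample input (not real firmware) ---------------------------------

def build_header(cputype, cpusubtype, filetype):
    """A bare mach_header_64 with zero load commands; enough for identification."""
    return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, cpusubtype, filetype, 0, 0, 0, 0)


def build_fat(slices):
    """Wrap thin headers in a fat (universal) container with a big-endian arch table."""
    off = 8 + 20 * len(slices)
    table, bodies = b"", b""
    for cputype, cpusubtype, filetype in slices:
        body = build_header(cputype, cpusubtype, filetype)
        table += struct.pack(">IIIII", cputype, cpusubtype, off, len(body), 0)
        bodies += body
        off += len(body)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + table + bodies


def demo():
    """Write constructed files into a temp tree, inventory it, and clean up."""
    root = tempfile.mkdtemp(prefix="rootfs-sample-")
    samples = {
        "usr/libexec/lockdownd": build_header(CPU_TYPE_ARM64, 0x80000002, MH_EXECUTE),
        "usr/lib/libsample.dylib": build_fat([(CPU_TYPE_ARM64, 0, MH_DYLIB),
                                              (CPU_TYPE_ARM64, 0x80000002, MH_DYLIB)]),
        "usr/bin/notes.txt": b"not a Mach-O\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("\n".join(report_lines(demo())))
```

Point `scan_tree` at the root filesystem directory your extract produced to inventory real firmware. Symlinks are skipped, so a binary reachable only through a link appears under its real path; the dyld_shared_cache itself is not a Mach-O container in this sense and needs `ipsw dyld` rather than this scan.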
Example output:

## Firmware Security Analysis Report

Generated: 2024-05-15 | Analyst: AI Security Bot | IPSW: iOS 17.4.1 (21E237) | Device: iPhone 15 Pro (A17 Pro)

### Executive Summary

Analyzed 12,487 files in the iOS 17.4.1 firmware. Identified 4 high-severity vulnerabilities (CVSS 7.5-9.1) affecting critical system components. All vulnerabilities have public exploits available. Immediate patching recommended.

### Critical Findings

**1. Kernel Exploit (CVE-2024-23292)**
- Binary: /usr/libexec/lockdownd (arm64e)
- Severity: 9.1 (Critical)
- Description: Memory corruption in lockdownd service allows arbitrary code execution with kernel privileges. Exploit demonstrated at Pwn2Own 2024.
- Impact: Complete device compromise, sandbox escape, persistent malware installation.
- Mitigation: Apple released iOS 17.4.2 patch on 2024-05-08. Update immediately.
- References: [MITRE CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23292), [Exploit DB](https://www.exploit-db.com/exploits/51823)

**2. TrustedBSD Policy Bypass (CVE-2024-23293)**
- Binary: /usr/lib/system/libsystem_kernel.dylib
- Severity: 8.7 (High)
- Description: Improper validation in sandbox policy enforcement allows apps to bypass system restrictions.
- Impact: Malicious apps can access sensitive user data, camera, microphone without permissions.
- Mitigation: No patch available. Recommend disabling third-party apps until iOS 17.4.3 release.
- Workaround: Use Apple's built-in apps only.

**3. dyld Shared Cache Vulnerability (CVE-2024-23294)**
- Binary: /System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64e
- Severity: 7.8 (High)
- Description: Buffer overflow in dyld cache loading mechanism enables code injection.
- Impact: Arbitrary code execution with system privileges during app launch.
- Mitigation: Apple security update pending. Monitor [Apple Security Updates](https://support.apple.com/en-us/HT201222) for release.

**4. WebContent Process Exploit (CVE-2024-23295)**
- Binary: /System/Library/PrivateFrameworks/WebKit.framework/WebContent
- Severity: 7.5 (High)
- Description: Type confusion vulnerability in JavaScriptCore allows remote code execution.
- Impact: Malicious web pages can execute arbitrary code on device.
- Mitigation: Update to iOS 17.4.2. Disable JavaScript in Safari settings temporarily.

### Recommendations

1. **Immediate Actions**: Update all devices to iOS 17.4.2 or later
2. **Monitoring**: Deploy endpoint detection for the 4 identified CVEs
3. **Policy Update**: Restrict sideloading of apps until patches are verified
4. **Reporting**: Submit findings to your organization's vulnerability management system

### Technical Details

Analysis performed using ipsw CLI v3.12.4 on macOS 14.4.1. Firmware extracted to /tmp/ios17.4.1_analysis. Full binary list and vulnerability database available in attached artifacts.

---

*This report was generated automatically. Verify all findings with official Apple security advisories.*