Skip to main content

Parse Img4

img4 dec

Decrypt an Im4p file

Download just iBoot

❯ ipsw download pattern -v 13.4 -d iPhone12,3 iBoot

Decrypt it with things from tweets 😏

❯ ipsw img4 dec --iv-key <IVKEY> iPhone12,3_D421AP_17E255/iBoot.d421.RELEASE.im4p
   • Parsing Im4p
      • Detected LZFSE compression
      • Decrypting file to iPhone12,3_D421AP_17E255/iBoot.d421.RELEASE.im4p.dec

It's a thing of beauty 😍

❯ hexdump -C -s 512 -n 144 iPhone12,3_D421AP_17E255/iBoot.d421.RELEASE.im4p.dec

00000200  69 42 6f 6f 74 20 66 6f  72 20 64 34 32 31 2c 20  |iBoot for d421, |
00000210  43 6f 70 79 72 69 67 68  74 20 32 30 30 37 2d 32  |Copyright 2007-2|
00000220  30 31 39 2c 20 41 70 70  6c 65 20 49 6e 63 2e 00  |019, Apple Inc..|
00000230  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000240  52 45 4c 45 41 53 45 00  00 00 00 00 00 00 00 00  |RELEASE.........|
00000250  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000280  69 42 6f 6f 74 2d 35 35  34 30 2e 31 30 32 2e 34  |iBoot-5540.102.4|

img4 extract

Ever wonder how to mount the RAM disks in the IPSW ?

❯ ipsw info iPhone15,2_16.3_20D47_Restore.ipsw

[IPSW Info]
===========
Version        = 16.3
BuildVersion   = 20D47
OS Type        = Production
FileSystem     = 098-24861-056.dmg
SystemOS       = 098-24573-060.dmg
AppOS          = 098-24753-064.dmg
RestoreRamDisk = [098-24758-064.dmg 098-25526-064.dmg]
<SNIP>

The RestoreRamDisk DMGs 098-24758-064.dmg and 098-25526-064.dmg are the arm64eCustomerRamDisk and the arm64eUpdateRamDisk, however, you cannot mount them as they are actually im4p files. 😕

You can now extract the Img4 payloads with the following command:

unzip -p iPhone15,2_16.3_20D47_Restore.ipsw 098-25526-064.dmg > 098-25526-064.dmg
❯ ipsw img4 extract 098-25526-064.dmg
   • Parsing Im4p
      • Exracting payload to file 098-25526-064.dmg.payload

Rename the payload back to a DMG

mv 098-25526-064.dmg.payload 098-25526-064.dmg.payload.dmg

And now you can open the 🆕 DMG to mount the RAM disk image.

open 098-25526-064.dmg.payload.dmg
ls -l /Volumes/SydneyD20D47.arm64eUpdateRamDisk/
total 0
drwxr-xr-x   5 blacktop  staff  160 Jan 28 12:35 System
drwxr-xr-x   8 blacktop  staff  256 Jan 13 21:39 bin
dr-xr-xr-x   2 blacktop  staff   64 Dec 16 20:57 dev
lrwxr-xr-x   1 blacktop  staff   11 Jan 13 21:39 etc -> private/etc
drwxr-xr-x   4 blacktop  staff  128 Jan 28 12:40 mnt1
drwxr-xr-x   2 blacktop  staff   64 Dec  8  2020 mnt2
drwxr-xr-x   2 blacktop  staff   64 Dec  8  2020 mnt3
drwxr-xr-x   2 blacktop  staff   64 Dec  8  2020 mnt4
drwxr-xr-x   2 blacktop  staff   64 Dec  8  2020 mnt5
drwxr-xr-x   2 blacktop  staff   64 Dec  8  2020 mnt6
drwxr-xr-x   2 blacktop  staff   64 Dec  8  2020 mnt7
drwxr-xr-x   2 blacktop  staff   64 Dec  8  2020 mnt8
drwxr-xr-x   2 blacktop  staff   64 Dec  8  2020 mnt9
drwxr-xr-x   5 blacktop  staff  160 Jan 28 12:39 private
drwxr-xr-x  16 blacktop  staff  512 Jan 13 21:39 sbin
drwxr-xr-x  10 blacktop  staff  320 Jan 28 12:37 usr
lrwxr-xr-x   1 blacktop  staff   11 Jan 13 21:39 var -> private/var
note

This is one of the last places you can find the individual framework dylibs

ls -l /Volumes/SydneyD20D47.arm64eUpdateRamDisk/System/Library/Frameworks/

total 0
drwxr-xr-x  5 blacktop  staff  160 Jan 13 21:39 CFNetwork.framework
drwxr-xr-x  4 blacktop  staff  128 Jan 13 21:39 Combine.framework
drwxr-xr-x  3 blacktop  staff   96 Jan 13 21:39 CoreFoundation.framework
drwxr-xr-x  3 blacktop  staff   96 Jan 13 21:39 CoreServices.framework
drwxr-xr-x  4 blacktop  staff  128 Jan 13 21:39 Foundation.framework
drwxr-xr-x  3 blacktop  staff   96 Jan 13 21:39 IOKit.framework
drwxr-xr-x  3 blacktop  staff   96 Jan 13 21:39 IOSurface.framework
drwxr-xr-x  3 blacktop  staff   96 Jan 13 21:39 MobileCoreServices.framework
drwxr-xr-x  4 blacktop  staff  128 Jan 13 21:39 Network.framework
drwxr-xr-x  3 blacktop  staff   96 Jan 13 21:39 Security.framework
drwxr-xr-x  3 blacktop  staff   96 Jan 13 21:39 SystemConfiguration.framework

img4 kbags

Extract keybags from im4p

❯ ipsw img4 kbag iBoot.ipad6f.RELEASE.im4p
   • Parsing Im4p

Keybags:
-
  type: PRODUCTION
    iv: e59e7976e1f88c7a3e76c22c75f518ff
   key: 9daae21aeb6189554aa9acb67e229dfc67ec3d04f2f881c2929ff58663cece96
-
  type: DEVELOPMENT
    iv: 510a264622ca1f66909f57fd65405c9c
   key: 7a65aeb58f7900283539388f12ca0930170747ffbe4db10f8a775aaf25636bbb