Skip to main content

Parse OTAs

Download the latest beta OTA

❯ ipsw download ota --platform ios --device iPhone15,2 --beta

To only download the OTA's dyld_shared_cache(s) and kernelcache

❯ ipsw download ota --platform ios --device iPhone15,2 --beta --dyld --kernel
NOTE

If you are downloading OTAs for iOS16.x or macOS13.x or newer this will only work when ran on a macOS Ventura host as it calls into a private API to apply the patch.

Working with AEA Encrypted OTAs

Modern OTAs are AEA encrypted (just like IPSWs). The good news is ipsw handles this automatically 😎

Fully Automatic (requires internet)
❯ ipsw ota info 72d75590b7c4eb278fcf0c5cf352b6407f93b58f46a724bd8bb4ce2be24239f1.aea

If the OTA has AEA metadata in its header, ipsw will automatically fetch the decryption key from Apple's servers. No flags needed.

Build an OTA AEA Keys Database

Download AEA keys as a JSON database for offline use

❯ ipsw download ota --platform ios --latest --fcs-keys
• Added 18 new entries to ota_fcs_keys.json (total: 18)

Now add more keys (it appends)

❯ ipsw download ota --platform ios --beta --fcs-keys
• Added 35 new entries to ota_fcs_keys.json (total: 53)
note

Unlike IPSW AEA keys (which are per-release), OTA AEA keys are per-file. Each device/build combo gets its own unique key.

Use the OTA Keys Database
❯ ipsw ota extract --key-db ota_fcs_keys.json some_ota.aea --kernel

The database automatically looks up the key by the OTA's hash-based filename. Works offline 🚀

Manual Key

You can still provide the key manually if needed

❯ ipsw ota info --key-val 9F7hR1YOTfRRi8herR0y3lTTqu+BsLZWuNeyWYIBj0M= some_ota.aea
note

Priority order: --key-db--key-val → filename embedded key → automatic metadata lookup

Troubleshooting Key Lookup

If you encounter issues with AEA decryption, try these steps:

"Failed to decrypt AEA" error:

# 1. Check if the OTA is in your key database
cat ota_fcs_keys.json | grep -i "filename"

# 2. Try automatic key lookup (requires internet)
❯ ipsw ota info --insecure some_ota.aea

"No AEA key found in database" error:

  • Verify the OTA filename matches an entry in ota_fcs_keys.json
  • Try downloading keys for that specific version: ipsw download ota --version X.X --fcs-keys
  • The database uses hash-based filenames (without .aea extension)

Offline decryption not working:

  • Ensure you've built the key database first with --fcs-keys
  • Check the database file exists: ls -lh ota_fcs_keys.json
  • Verify database is valid JSON: jq . ota_fcs_keys.json

Network issues with automatic lookup:

  • Use --insecure flag if behind corporate proxy
  • Or use --key-db / --key-val for offline decryption
  • Build key database ahead of time for air-gapped environments

Download the latest RSR (Rapid Security Release) OTA

❯ ipsw download ota --platform ios --device iPhone15,2 --build 20C5049e --beta --rsr
• Getting iOS 16.2 OTA build=20C7750490e device=iPhone15,2 model=D73AP type="iOS162BetaRSR"
92.97 MiB / 92.97 MiB [==========================================================|] 58.85 MiB/s
info

The --build flag is required for RSR OTAs

Show OTA Info

❯ ipsw ota info iOS16.2_OTAs/iPhone15,2_1418867a3b673659e7bcd30c3823ff997b4ba990.zip
[OTA Info]
==========
Version = 16.2
BuildVersion = 20C5058d
OS Type = Beta
FileSystem = 098-19014-027.dmg (Type: APFS)

Devices
-------

iPhone 14 Pro
> iPhone15,2_D73AP_20C5058d
- TimeStamp: 14 Nov 2022 22:15:41 MST
- KernelCache: kernelcache.release.iphone15
- CPU: A16 Bionic (ARMv8.6-A), ID: t8120
- BootLoaders
* iBEC.d73.RELEASE.im4p
* iBoot.d73.RELEASE.im4p
* iBSS.d73.RELEASE.im4p
* LLB.d73.RELEASE.im4p
* sep-firmware.d73.RELEASE.im4p

List files in OTA

❯ ipsw ota ls OTA.zip | head
• Listing files in OTA zip...
[ OTA zip files ] --------------------------------------------------
-rw-r--r-- 2022-11-28T05:58:49-07:00 3.9 kB Info.plist
-rw-r--r-- 2022-11-28T05:41:25-07:00 29 MB post.bom
-rw-r--r-- 2022-11-28T05:41:25-07:00 35 kB pre.bom
-rw-r--r-- 2022-11-28T05:37:39-07:00 171 kB boot/BuildManifest.plist
-r--r--r-- 2022-11-28T02:54:40-07:00 1.0 kB boot/Restore.plist
-r--r--r-- 2022-11-28T00:43:23-07:00 386 B boot/RestoreVersion.plist
-r--r--r-- 2022-11-28T00:43:03-07:00 539 B boot/SystemVersion.plist
-rwxr--r-- 2022-11-18T01:59:39-07:00 20 MB boot/kernelcache.release.iphone15
-rw-r--r-- 2022-11-28T02:54:39-07:00 229 B boot/Firmware/098-18456-028.dmg.root_hash

See if dyld is in the OTA files

❯ ipsw ota ls iPhone15,2_1418867a3b673659e7bcd30c3823ff997b4ba990.zip | grep dyld
• Listing files in OTA zip...
• Listing files in OTA payload...
(OTA might not actually contain all these files if it is a partial update file)
-rwxr-xr-x 2022-11-28T00:43:03-07:00 926 kB usr/lib/dyld

Extract file(s) from OTA zip or payloads that match a regex pattern

❯ ipsw ota extract OTA.zip '^System/Library/.*/dyld_shared_cache.*$'
• Extracting ^System/Library/.*/dyld_shared_cache.*$...
• Extracting -rwxr-xr-x 1.5 GB /System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64e to iPhone14,2_D63AP_19C5026i/dyld_shared_cache_arm64e
• Extracting -rwxr-xr-x 787 MB /System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64e.1 to iPhone14,2_D63AP_19C5026i/dyld_shared_cache_arm64e.1
• Extracting -rwxr-xr-x 480 MB /System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64e.symbols to iPhone14,2_D63AP_19C5026i/dyld_shared_cache_arm64e.symbols
info

🆕 iOS 16.x/macOS 13.x OTAs now contain a RIDIFF10 cryptex volumes that contain the dyld_shared_cache files

Extract file(s) from OTA RIDIFF10 cryptex volumes

❯ ipsw ota patch rsr iPhone15,2_1418867a3b673659e7bcd30c3823ff997b4ba990.zip --output /tmp/PATCHES
• Patching cryptex-app to /tmp/PATCHES/20C5058d__iPhone15,2/AppOS/098-19380-032.dmg
• Patching cryptex-system-arm64e to /tmp/PATCHES/20C5058d__iPhone15,2/SystemOS/098-18456-028.dmg
❯ tree /tmp/PATCHES/20C5058d__iPhone15,2/
/tmp/PATCHES/20C5058d__iPhone15,2/
├── AppOS
│ └── 098-19380-032.dmg
└── SystemOS
└── 098-18456-028.dmg

3 directories, 2 files

To extract the dyld_shared_cache files from the cryptex volumes, you can now mount the volume and then copy the files out

open /tmp/PATCHES/20C5058d__iPhone15,2/SystemOS/098-18456-028.dmg # mount the volume
find /Volumes/SydneyCSeed20C5058d.D73DeveloperSystemCryptex/ -name "dyld_shared_cache*" | head
/Volumes/SydneyCSeed20C5058d.D73DeveloperSystemCryptex//System/DriverKit/System/Library/dyld/dyld_shared_cache_arm64e.symbols
/Volumes/SydneyCSeed20C5058d.D73DeveloperSystemCryptex//System/DriverKit/System/Library/dyld/dyld_shared_cache_arm64e
/Volumes/SydneyCSeed20C5058d.D73DeveloperSystemCryptex//System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64e.33
/Volumes/SydneyCSeed20C5058d.D73DeveloperSystemCryptex//System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64e.34
/Volumes/SydneyCSeed20C5058d.D73DeveloperSystemCryptex//System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64e.02
/Volumes/SydneyCSeed20C5058d.D73DeveloperSystemCryptex//System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64e.05
/Volumes/SydneyCSeed20C5058d.D73DeveloperSystemCryptex//System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64e.04
/Volumes/SydneyCSeed20C5058d.D73DeveloperSystemCryptex//System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64e.03
/Volumes/SydneyCSeed20C5058d.D73DeveloperSystemCryptex//System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64e.35
/Volumes/SydneyCSeed20C5058d.D73DeveloperSystemCryptex//System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64e.32

How to apply a RSR OTA patch

You must first download and "patch" the base OTA file

❯ ipsw download ota --platform ios --device iPhone15,2 --beta
❯ ipsw ota patch rsr iPhone15,2_17280b5c6122ee9c11e60081a2610e9766e8b892.zip --output /tmp/PATCHES
• Patching cryptex-app to /tmp/PATCHES/20C5049e__iPhone15,2/AppOS/098-19380-026.dmg
• Patching cryptex-system-arm64e to /tmp/PATCHES/20C5049e__iPhone15,2/SystemOS/098-18456-023.dmg

Now download the corresponding RSR OTA patch that belongs to the base OTA file

❯ ipsw download ota --platform ios --device iPhone15,2 --build 20D5024e --beta --rsr
info

To get the --build value, you can use ipsw download ota --show-latest-build like so

❯ ipsw download ota --platform ios --device iPhone15,2 --show-latest-build --beta
"20D5024e"

Now apply the patch to the base OTA file

❯ ipsw ota patch rsr --input /tmp/PATCHES/20C5049e__iPhone15,2 --output /tmp/PATCHES/ RSR_OTA.zip
• Patching cryptex-app to /tmp/PATCHES/20C7750490e__iPhone15,2/AppOS/098-50146-002.dmg
• Patching cryptex-system-arm64e to /tmp/PATCHES/20C7750490e__iPhone15,2/SystemOS/098-50080-002.dmg
❯ tree /tmp/PATCHES/20C7750490e__iPhone15,2/ # Notice the new build number
/tmp/PATCHES/20C7750490e__iPhone15,2/
├── AppOS
│ └── 098-50146-002.dmg
└── SystemOS
└── 098-50080-002.dmg

3 directories, 2 files

Now you have the RSR patched files ready to start diffing 😏 🎉

NOTE

For now the ipsw ota patch rsr command will only work on macOS Ventura as it calls into a private API to apply the patch. We plan on adding cross-platform support in the future.