Apple Data Formats and Knowledge
A collection of reverse engineered Apple formats, protocols, or other interesting bits.
Join us on Discord - Discord Rules
Repo inspired by Papers we Love
Our Tooling Repos
Our Homebrew Tap
Install our tap with brew tap hack-different/homebrew-jailbreak
Information about the maintaining of that tap can be found at homebrew-jailbreak
Contributing and a warning
Linking your Discord and GitHub
We want this collection to be around for new jailbreakers and hobbyists for years to come, so we must say: this
collection accepts (with gratitude) pull-requests that improve it, but under no circumstances
will a PR based on AppleInternal
, or any other copyrighted works protected by the
DMCA be accepted. If
you need help determining this, tag the PR with license help
, join the
Discord server, and ask a #Legit
or higher role for help.
Violation of the DMCA or Copyright law is the responsibility of the submitter.
Primary Data Source
We attempt to derive from machine sources and produce machine readable files (YAML) in this repo under _data
. For
information about creating and extending data format see Data Format Guidance.
Updates and additions there should automatically be reflected in the documents
hack-different/apple-knowledge/_data
Another authoritative source of information is the open source code released by Apple themselves at one of the following locations:
- Open Source at Apple Wesbite
- Apple's GitHub profile
- apple-oss-distributions's Github profile
- Apple Gifts
Tools
Libraries for Binary Analysis and Modification
Tools for Binary Analysis and Modification
- mootool - FOSS Ruby Mach-O Tool (aims to replicate jtool2 feature set)
- ktool - FOSS Python Mach-O Tool
checkra1n/toolchain
alephsecurity/xnu-qemu-arm64
- IDA Disassembler by Hex-Rays
- Binary Ninja Disassembler
- VisUAL ARM Simulator
- Ghidra Disassembler
- Hopper Disassembler
- Capstone Engine
- Unicorn Engine
- QEMU
blacktop/ipsw
- jtool2
- frida
Guides and General
Proteas/apple-cve
- kpwn / qwertyoruiop's Wiki
- kpwn / qwertyoruiop's Papers
- About Apple Prototype and CPFM
- OWASP: iOS Tampering and Reverse Engineering
- Kernel Debug Kit
- *OS Internals by Jonathan Levin
- T2 Dev Setup
- Apple 4CC
bytepack/IntroToiOSReverseEngineering
- Remote Attack Surface
- Lakr233's Research
Devices
- Device List
- T2
- Wi-Fi / Bluetooth
- The iPhone Wiki
- SMC (System Management Controller) for pre-T2
acidanthera/VirtualSMC
t8012/smcutil
- Create SMC binaries from update payloads
Kernel General
- Mach
- Mach and the Mach Interface Generator by nemo
- Apple IPC by Ian Beer
acidanthera/Lilu
osy/AMFIExemption
- Siguza's Research on KTRR
- Tick Tock by xerub
- Casa de PPL by Levin
- KTRW by Brandon Azad
- Qwertyoruiopz Attacking XNU: Part 1
- Qwertyoruiopz Attacking XNU: Part 2
- Kernel Heap by Stefan Esser
- Levin's Who needs
task_for_pid()
anyway... - Apple Official Documentation
Protocols / Formats
Bootloader Related
- EFI
NVRAM
SEP_memmap
- All About Kernels
Factory_Firmware_Payloads
- iBoot
- SecureROM
Archive / Disk Formats
- APFS - Apple Filesystem
- LwVM Lightweight Volume Manager
- NeXT / Apple "Bill of Materials" /
pkg
/bom
pbzx
- Apple Disk Image -
dmg
- Signed System Volumes (SSV) /
root_hash
Databases / Serialization
- Property Lists
- iTunes database
- Apple iDevice Backup Format
Image, Sound and Other Resources
- Apple Flavored PNG
- Apple IMA ADPCM
- AirPlay2
Software Update / Installers
Code and Signature Formats
- Mach-O File Types - Mach-O / Signing / Entitlements
sbingner/ldid
- Codesign toolProcursusTeam/ldid
- Alternative to sbingner/ldid with some updates for iOS 15 and general fixes- m4b Mach Binaries
- J's Entitlements Database
- Levin's Code Signing
- Apple CTF / Compact Type Format
- img4 - Apple signed images, version 4
- TheiPhoneWiki's documentation on IMG4 files
xerub/img4lib
m1stadev/PyIMG4
- A Python library/CLI tool for parsing IMG4tihmstar/img4tool
h3adshotzz/img4helper
- TrustCache - Pre-authorized Binary Hashes
- EALF -
eficheck
baselines - ChunkList - Used to verify macOS Recovery / Internet Recovery
dyld
and DSC (dyld Shared Cache)- Levin's Dyld
rickmark/yolo_dsc
- Used as last resort and depend on Xcodearandomdev/DyldExtractor
- Fixes up linking- dyld_shared_cache_util.cpp
- iBoot LocalPolicy, RemotePolicy and BAA signing
- Rosetta2
- Swift
Sandbox or 'Seatbelt'
- Levin's - The Apple Sandbox
- Apple Sandbox Guide v1.0
- OWASP - Reversing the Apple Sandbox
- iBSparkles Breaking Entitlements
- stek29: Shenanigans, Shenanigans!
- argp vs com.apple.security.sandbox
malus-security/sandblaster
Secure Enclave Processor
- SEP_memmap
- sep.yaml
- SEPROM
nyuszika7h/sepfinder
justtryingthingsout/sepsplit-rs
- Demystifying the Secure Enclave Processor
seputil
- SEPOS: A Guided Tour
- Attack Secure Boot of SEP - blackbird
- iPhone Data Protection in Depth
- Overcoming iPhone Data Protection
ARM / x86
- ARM General
- Apple CPUs
- Compilers
- ARM Mitigations
Hypervisor / Virtualization
- Apple Hypervisor
Baseband
baseband.yaml
in Data Files- Qualcomm
Coprocessors
- hollance/neural-engine
- RTKit - "Realtime" Kit
USB / Wired Protocols / Low Level Hardware
- Basically all iDevice / iTunes
- DFU / Recovery
- usbmuxd - USB transport for iDevices
com.apple.restored
- iDevice Restore Protocol- UTDM - USB Target Disk Mode
- USB-C Power Delivery - Vendor Defined Messages
- Lightning
- NVMe / NAND / PCIe
gh2o/rvi_capture
osy/ThunderboltPatcher
- Qi Wireless Charging
Network / Wireless / Transit
- Apple Wi-Fi Password Sharing
- AWDL - Apple Wireless Distribution Link
- Bluetooth Bonjour (Service Discovery)
- iCloud
- Apple Watch Pairing
com.apple.terminusd
- Magic Pairing: Securing Bluetooth Peripherals
- ATC - Air Traffic Control - iTunes Wi-Fi Sync
- RemoteXPC
- macOS Internet Recovery
- iCloud Keychain (Umbrella for multiple formats)
System Configuration and State
- FDR - Factory Data Restore
- SysCfg - System Configuration - Serial Number and other Device Info
- APTicket - The root of an authorized version set
Diagnostic Protocols
- AWDD - Apple Wireless Diagnostics (misnomer, more than wireless, system trace)
- Mojo Serial
- Apple "tailspin"
- Apple
tracev3
Unified Logging - XHC20 USB Capture
Jailbreaks
- limera1n
OpenJailbreak/greenpois0n
0x7ff/gaster
axi0mX/ipwndfu
LinusHenze/Fugu
- checkra1n
- unc0ver
- Taurine
- Odyssey
- Chimera
- rootlessJB writeup
- evasi0n writeup by geohot
- Fugu14 writeup
- TaIG
Jailbreak Tooling
Jailbreak Slides
X-Plat
Safety / Protection
CREDITS
Hack Different - Apple Knowledge is a product of the entire community and belongs to the community. It is facilitated by the volunteer work of the Hack Different moderation team.
If you have issue with the design or workflow of this repository, blame me (rickmark
)
as I setup and configured most of it. (it me). If you have feedback, join the #apple-knowledge
channel of the
discord server.
Portions of data and knowledge come from TheiPhoneWiki, libimobiledevice's website, and checkra1n's website, as well as the individuals who brought you those projects (and many more!)
Special mention to Jonathan Levin and Amit Singh for taking the time to publish books on these topics.
- Mac OS Internals by Singh
- Mac and iOS Internals by Levin
- *OS Internals - User Mode by Levin
- *OS Internals - Kernel Mode by Levin
- *OS Internals - Security by Levin
A list of all projects and their contributors is at CREDITS and is updated by a script. If there are persons not updated due to limitations, please PR the CREDITS page and call them out.
overcommit
, the linters, and the build
Setting up Main article is in BUILD
To keep the repo, docs, and data tidy, we use a tool called overcommit
to connect up the git hooks to a
set of quality checks. The fastest way to get setup is to run the following to make sure you have all the tools:
brew install hunspell
gem install overcommit bundler
bundle install
overcommit --install
Why not <insert wiki here>
Wiki's best serve prose, and part of the goal here is to leverage machine readable and ingestable information with human augmentation wherever possible.
As of 2022, GitHub has 56 million users. That means that there are 56 million people who are able to contribute directly to this repo via a fork and PR, in opposition to wiki's which have a relatively small number of potential editors. The PR process also allows for modifications to be reviewed, commented and debated before inclusion.
License
The contents of this repo are dual-licensed:
Code and data licensed under the MIT license
Documents also licensed under the CC-BY-SA
{style="border-width:0"} {rel=license} Apple Knowledge{:xmlns:dct="http://purl.org/dc/terms/", :property="dct:title"} by Hack Different{:xmlns:cc="http://creativecommons.org/ns#", :property="cc:attributionName", :rel="cc:attributionURL"} is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/ licenses/by-sa/4.0/){:rel="license"}
Dedication
Here’s to the crazy ones, the misfits, the rebels, the troublemakers
the round pegs in the square holes…
the ones who see things differently — they’re not fond of rules…
You can quote them, disagree with them, glorify or vilify them, but the only thing you can’t do is ignore them because they change things…
They push the human race forward, and while some may see them as the crazy ones,
we see genius,
because the ones who are crazy enough to think that they can change the world,
are the ones who do.
— Steve Jobs, 1997
Also dedicated to the volunteer work of those who use this for good, and deny the shadow to those who seek to harm.