Reverse Engineering iOS: Decrypting the iPhone Kernelcache: From IPSW to Disassembly (Part 1)

Welcome to the first article in a series where I’ll be diving into reverse engineering iOS. This series is not just a guide, but also my own learning journey as a beginner in this space. If you’ve ever been curious about how iOS works under the hood, especially the lower-level aspects like the kernelcache, you’re in the right place.

In this series, I’ll document my progress and share everything I learn along the way. The goal? To make reverse engineering more accessible, while exploring how to decrypt and analyze iOS components piece by piece.

Prerequisites

Tools Required:

• Python 3
• pyimg4 for decrypting iOS images
• Ghidra, IDA Pro, or Hopper for disassembling the decrypted kernel
• A jailbroken iPhone (optional, but recommended for testing)
• Xcode (might be required later on when developing iOS apps)

Step 1: Downloading an IPSW

First, we need to grab the desired IPSW (iPhone Software) file. IPSW files contain all the firmware and software components necessary for iOS.
ipsw.me has all firmwares for all idevice models.

Make sure to pick the correct IPSW for your device model and iOS version, in my case i grabbed the latest iOS 18.0 for the 16 Pro.

Step 2: Rename the IPSW File to a .zip

IPSW’s are really just .zip files that can be extracted.

. Once the IPSW is downloaded, rename the .ipsw file to .zip and extract it.

Lets stop here for a sec and look at the insides of the IPSW if not interested please skip to the next step.
Few things we can identify such as the .dmg files which are Apple Disk Image files, one for the root filesystem and two ram disks for restore and update others can contain apps that come loaded with the OS. usually there are 5 .dmg files but this time around we have 7 of them in iOS 18, i have not researched this yet.

The Firmware folder contains some early stage boot files such as iBoot, LLB (Low-Level Bootloader), iBSS (iBoot Single Stage), iBEC (iBoot Epoch Change), the Secure Enclave Processor firmware, the Device Tree, Firmware Images (Apple logo, battery images, Recovery mode screen and more), baseband firmware files in .bbfw format (renamed zip file), and other firmware files.

There are two more files named “BuildManifest.plist” and “Restore.plist”, both property lists that contain compatibility information and SHA-256 hashes for different components, BuildManifest.plist is sent to Apple’s TSS server and checked in order to obtain SHSH blobs before every restore. Without SHSH blobs, the device will refuse to restore, thus making downgrades very difficult to achieve.

all in all we have the kernelcache file, its basically the kernel itself which we are most interested in, the file is packed in an IMG4 file format (Devices with the A7 and newer) the file also includes extensions aka ‘KEXTS’ they are are low-level modules that extend the functionality of the iOS kernel, typically used to manage hardware, drivers, and certain system processes in a secure and controlled environment.

Step 4: Decrypting the Kernelcache

iOS kernelcache files are encrypted, so before you can disassemble them, you need to decrypt the kernel.

pyimg4 is a tool that can decrypt iOS images, including the kernelcache.

you can install it using python by running the command:

python3 -m pip install pyimg4

Note: Some versions of iOS or specific devices may still require a key depending on the security features Apple has implemented, but often pyimg4 can decrypt kernelcaches without any issues. keys can be found here.

After decrypting, running the command file on the decrypted_kernel helps us identify the file type, in our case we got ‘Mach-O 64-bit arm64e’ let’s break it down…
Mach-O indicates that the file is a Mac OS binary.
64-bit ARM64e is an enhanced architecture variant of ARM designed for Apple devices, offering improved security features like pointer authentication (PAC) while maintaining compatibility with 64-bit applications.

Step 5: Disassemble the Decrypted Kernelcache with Ghidra, IDA Pro, or Hopper

Now that the kernelcache is decrypted, you can analyze it by disassembling it in tools like Ghidra, IDA Pro, or Hopper.

I chose to go with Ghidra since IDA Pro isn’t free to use and the free version is x86/x64 only, not arm. and the free version of Hopper allows me to use the app only for 30 minute sessions and saving disassembled files isn’t possible.

The journey continues in Part 2!