IPSW

IPSW is a file format used in iTunes to install iOS firmware. All Apple devices share the same IPSW file format for iOS firmware, allowing users to flash their devices though iTunes on OS X and Windows.

Structure

The .ipsw file itself is a compressed archive file (similar to a Zip archive) containing three Apple Disk Image files with one containing the root file system of iOS and two ram disks for restore and update.

The file also holds a "Firmware" folder in which contains iBSS, iBEC, DFU, Battery Images (low. full, charging), and also the baseband firmware files in .bbfw format (Baseband firmware).

There are two more files named "Build Manifest" and "Restore Manifest", both in Apple Proprietary List (.plist) format that checks the compatibility, holds the hashes in base64 format and instructs the device where to find the specific Firmware parts during the restore.

BuildManifest.plist is sent to Apple TSS server and checked in order to obtain SHSH blob at every restore. Without SHSH blobs, the firmware will refuse to restore, thus making downgrades impossible in official fashion, due to Apple's limitation.^[1]

Security and rooting

The archive is not password protected, but the DMG images inside it are encrypted with AES. While Apple doesn't release these keys, they can be extracted using different iBoot or bootloader exploits, such as limera1n (created by George Hotz, more commonly known as geohot). Since then, many tools were created for the decryption and modification of the root file system.

Government data access

After the 2015 San Bernardino attack, the FBI recovered the shooter's iPhone 5C, which belonged to the San Bernardino County Department of Public Health.^[2] The FBI recovered iCloud backups from one and a half months before the shooting, and wanted to access encrypted files on the device. The U.S. government ordered Apple to produce an IPSW file that would allow investigators to brute force the passcode of the iPhone.^[3] The order used the All Writs Act, originally created by the Judiciary Act of 1789, to demand the firmware, in the same way as other smartphone manufacturers have been ordered to comply.

Tim Cook responded on the company's webpage, outlining a need for encryption, and arguing that if they produce a backdoor for one device, it would inevitably be used to compromise the privacy of other iPhone users:^[4]

The FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession...

The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer.

The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.

Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.

References

• About iPSW File Extension
• About iPSW File on The iPhone Wiki
• Apple Support Page About iPSW
• More about the BASEBAND files