IPSW


IPSW is a file format used to install iOS, iPadOS, tvOS, HomePod, watchOS, and most recently, macOS firmware for devices equipped with Apple silicon. All Apple devices share the same IPSW file format for iOS firmware and their derivatives, allowing users to flash their devices through Finder or iTunes on macOS or Windows, respectively. Users can flash Apple silicon Macs through Apple Configurator 2.

Structure

The.ipsw file itself is a compressed archive file containing at least three Apple Disk Image files with one containing the root file system of the OS and two ram disks for restore and update. tvOS, audioOS and macOS also include a disk image for the recovery environment.
The file also holds the kernel caches, and a "Firmware" folder which contains iBoot, LLB, iBSS, iBEC, the Secure Enclave Processor firmware, the Device Tree, Firmware Images, baseband firmware files in.bbfw format, and other firmware files.
There are two more files named "BuildManifest.plist" and "Restore.plist", both property lists that contain compatibility information and SHA-256 hashes for different components.
BuildManifest.plist is sent to Apple's TSS server and checked in order to obtain SHSH blobs before every restore. Without SHSH blobs, the device will refuse to restore, thus making downgrades very difficult to achieve.
The IPSW file format plays a crucial role in managing the software updates and restores for a variety of Apple devices. Its use extends beyond just iPhones and iPads, as it now also covers Apple silicon Macs, which can be updated using Apple Configurator 2. These files are integral to the device's firmware and contain various critical components needed for proper functioning, such as the kernel, device drivers, and booting files. The careful organization of these components ensures that the device not only runs smoothly after an update or restore but also maintains security by verifying the integrity of the firmware files.
The inclusion of SHSH blobs, which are required for validating firmware restoration, further demonstrates the controlled environment that Apple enforces for updates and downgrades. These mechanisms help prevent users from inadvertently downgrading to insecure or outdated versions, protecting the security of the devices and the integrity of the Apple ecosystem as a whole.

Security and rooting

The archive is not password-protected, but iBoot, LLB, iBEC, iBSS, iBootData and the Secure Enclave Processor firmware images inside it are encrypted with AES. Until iOS 10, all the firmware files were encrypted. While Apple does not release these keys, they can be extracted using different iBoot or bootloader exploits, such as limera1n. Since then, many tools were created for the decryption and modification of the root file system.

Government data access

After the 2015 [San Bernardino attack], the FBI recovered the shooter's iPhone 5C, which belonged to the San Bernardino County Department of Public Health. The FBI recovered iCloud backups from one and a half months before the shooting, and wanted to access encrypted files on the device. The U.S. government ordered Apple to produce an IPSW file that would allow investigators to brute force the passcode of the iPhone. The order used the All Writs Act, originally created by the Judiciary Act of 1789, to demand the firmware, in the same way as other smartphone manufacturers have been ordered to comply.
Tim Cook responded on the company's webpage, outlining a need for encryption, and arguing that if they produce a backdoor for one device, it would inevitably be used to compromise the privacy of other iPhone users: