A collection of reverse engineered Apple formats, protocols, or other interesting bits.
Join us on Discord - Discord Rules
Repo inspired by Papers we Love
Linking your Discord and GitHub
We want this collection to be around for new jailbreakers and hobbyists for years to come, so we must say: this collection accepts (with gratitude) pull-requests that improve it, but under no circumstances will a PR based on AppleInternal, or any other copyrighted works protected by the DMCA, be accepted. If you need help determining this, tag the PR with license help, join the Discord server, and ask a #Legit or higher role for help.
Violation of the DMCA or Copyright law is the responsibility of the submitter.
In order to keep the repo, docs and data tidy, we use a tool called overcommit to connect up the git hooks to a set of quality checks. The fastest way to get set up is to run the following to make sure you have all the tools:

```shell
brew install hunspell
gem install overcommit bundler
bundle install
overcommit --install
```
Wikis best serve prose, and part of the goal here is to leverage machine-readable and ingestable information with human augmentation wherever possible. GitHub is also more conducive to letting any user fork and PR the repo, lowering the barrier to entry. The core team reviews PRs for quality before merging.
The contents of this repo are dual-licensed:
- Licensed under the MIT license
- Also licensed under the CC-BY-SA

Apple Knowledge by Hack Different is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/).
We attempt to derive from machine sources and produce machine-readable files (YAML) in this repo under _data. For information about creating and extending the data format, see Data Format Guidance. Updates and additions there should automatically be reflected in the documents.
hack-different/apple-knowledge/_data
Another authoritative source of information is the open source code released by Apple themselves at one of the following locations:
- checkra1n/toolchain
- alephsecurity/xnu-qemu-arm64
- IDA Disassembler by HexRays
- VisUAL ARM Simulator
- Ghidra Disassembler
- Hopper Disassembler
- blacktop/ipsw
- jtool2
- frida
- https://github.com/Proteas/apple-cve
- kpwn / qwertyoruiop's Wiki
- kpwn / qwertyoruiop's Papers
- About Apple Prototype and CPFM
- OWASP: iOS Tampering and Reverse Engineering
- Kernel Debug Kit
- *OS Internals by Jonathan Levin
- T2 Dev Setup
- Apple 4CC
- bytepack/IntroToiOSReverseEngineering
- Remote Attack Surface
- Device List
- T2 Dev Team: t8012 / Apple T2 / bridgeOS - The iPhone Wiki
- SMC (System Management Controller) for pre-T2
- acidanthera/VirtualSMC
- t8012/smcutil - Create SMC binaries from update payloads
- Mach
- Mach and the Mach Interface Generator by nemo
- Apple IPC by Ian Beer
- acidanthera/Lilu
- osy/AMFIExemption
- KTRR by Siguza
- Tick Tock by xerub
- Casa de PPL by Levin
- KTRW by Brandon Azad
- Qwertyoruiopz Attacking XNU: Part 1
- Qwertyoruiopz Attacking XNU: Part 2
- Kernel Heap by Stefan Esser
- Who needs task_for_pid anyway
- Apple Official Documentation
- EFI
- NVRAM
- SEP_memmap
- apple/darwin-xnu
- Factory_Firmware_Payloads
- All About Kernels
- *OS iBoot
- SecureROM Binaries
- APFS - Apple Filesystem
- LwVM Lightweight Volume Manager
- NeXT / Apple "Bill of Materials" / pkg / bom
- pbzx
- Apple Disk Image - dmg
- Signed System Volumes (SSV) / root_hash
- Property Lists
- iTunes database
- Apple iDevice Backup Format
- Apple Flavored PNG
- Apple IMA ADPCM
- AirPlay2
- Mach-O File Types - Mach-O / Signing / Entitlements
- img4 - Apple signed images, version 4
- TrustCache - Pre-authorized Binary Hashes
- EALF - eficheck baselines
- ChunkList - Used to verify macOS Recovery / Internet Recovery
- dyld and DSC (dyld Shared Cache)
- Levin's Dyld
- rickmark/yolo_dsc - Used as a last resort; depends on Xcode
- arandomdev/DyldExtractor - Fixes up linking
- dyld_shared_cache_util.cpp
- iBoot LocalPolicy, RemotePolicy and BAA signing
- Rosetta2
- Levin's - The Apple Sandbox
- iBSparkles Breaking Entitlements
- stek29 Shenanigans Shenanigans
- argp vs com.apple.security.sandbox
- SEP_memmap
- sep.yaml
- SEPROM
- http://mista.nu/research/sep-paper.pdf?_x_tr_sch=http&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US
- https://www.theiphonewiki.com/wiki/Seputil
- https://github.com/mwpcheung/AppleSEPFirmware
- https://www.blackhat.com/docs/us-16/materials/us-16-Mandt-Demystifying-The-Secure-Enclave-Processor.pdf
- https://data.hackinn.com/ppt/2018腾讯安全国际技术峰会/SEPOS:A%20Guided%20Tour.pdf
- https://github.com/windknown/presentations/blob/master/Attack_Secure_Boot_of_SEP.pdf - blackbird
- ARM General
- Compilers
- ARM Mitigations
- Apple Hypervisor
- Basically all iDevice / iTunes
- DFU / Recovery
- usbmuxd - USB transport for iDevices
- com.apple.restored - iDevice Restore Protocol
- UTDM - USB Target Disk Mode
- USB-C Power Delivery - Vendor Defined Messages
- Lightning
- NVMe / NAND / PCIe
- gh2o/rvi_capture
- osy/ThunderboltPatcher
- Qi Wireless Charging
- Apple Wi-Fi Password Sharing
- AWDL - Apple Wireless Distribution Link
- Bluetooth Bonjour (Service Discovery)
- Apple Watch Pairing
- com.apple.terminusd
- Magic Pairing
- ATC - Air Traffic Control - iTunes Wi-Fi Sync
- RemoteXPC
- macOS Internet Recovery
- FDR - Factory Data Restore
- SysCfg - System Configuration - Serial Number and other Device Info
- APTicket - The root of an authorized version set
- AWDD - Apple Wireless Diagnostics (misnomer, more than wireless, system trace)
- iCloud Keychain (Umbrella for multiple formats)
- Mojo Serial
- XHC20 USB Capture
- limera1n
- OpenJailbreak/greenpois0n
- axi0mX/ipwndfu
- checkra1n
- unc0ver
- Taurine
- evasi0n writeup by geohot
- TaiG
Hack Different's Knowledge is a product of the entire community and belongs to the community. It is facilitated by the volunteer work of the Hack Different moderation team.
Portions of data and knowledge come from https://theiphonewiki.org, https://libimobiledevice.org and https://checkra.in as well as the individuals who brought you those projects. (And many more!)
Special mention to Jonathan Levin and Amit Singh for taking the time to publish books on these topics.
- Mac OS Internals by Singh
- Mac and iOS Internals by Levin
- *OS Internals - User Mode by Levin
- *OS Internals - Kernel Mode by Levin
- *OS Internals - Security by Levin
A list of all projects and their contributors is at CREDITS and is updated by a script. If there are persons not updated due to limitations please PR the CREDITS page and call them out.
Here’s to the crazy ones, the misfits, the rebels, the troublemakers
the round pegs in the square holes…
the ones who see things differently — they’re not fond of rules…
You can quote them, disagree with them, glorify or vilify them, but the only thing you can’t do is ignore them because they change things…
They push the human race forward, and while some may see them as the crazy ones,
we see genius,
because the ones who are crazy enough to think that they can change the world,
are the ones who do.
— Steve Jobs, 1997
Also dedicated to the volunteer work of those who use this for good, and deny the shadow to those who seek to harm.