User:Orangera1n/Drafts/Dumping Firmwares

If you have a device with a preinstalled-only or internal OS installed, it's a good idea to take a dump of it for archival purposes, as it can't simply be downloaded from Apple. This guide will outline the steps to dump both the filesystem(s) and the NOR/iBoot partition.

You will need shell access to the device. On macOS and most internal OSes this is included by default, whereas for release versions of iOS and its derivatives, you will need to either boot an SSH ramdisk or jailbreak the device and install OpenSSH.

= Filesystem =

The most complete filesystem dump you can make is a copy of the internal storage to a disk image. This will dump both the root filesystem and any additional partitions (i.e. preboot, recovery). Note that in this case, the data partition is not included, as it's encrypted.

Macs
1. Connect an external drive to the Mac. The drive must have at least as much free space as the Mac's storage capacity, or else Disk Utility won't let you proceed.

2. Boot into the recoveryOS or from a macOS install USB.

3. run  in a terminal window

dd method
From a terminal on a computer with OpenSSH installed (preinstalled on most modern OSes), boot an SSH ramdisk and run this command. Then open a new terminal window and type the command below that matches the device: the first command if the device is running iOS 4 or earlier, the second command if the device is older than the iPhone 4S and running iOS 5 or later, and the third command for devices newer than the iPhone 4S on iOS 5 and later.

ssh root@localhost -p2222 "cat /dev/disk0s1" | dd bs=8192 status=progress of=disk0s1.img

ssh root@localhost -p2222 "cat /dev/disk0s1s1" | dd bs=8192 skip=3 status=progress of=disk0s1.img

ssh root@localhost -p2222 "cat /dev/disk0s1s1" | dd bs=4096 skip=6 status=progress of=disk0s1.img

Repeat this process with each other partition (except the data partition, due to encryption), and you have successfully dumped the device.

tar method
From a terminal on a computer with OpenSSH installed (preinstalled on most modern OSes), boot an SSH ramdisk if possible and run this command. Then open a new terminal window, copy a version of GNU tar (not bsdtar) to the device via SCP, and run these commands:

ssh root@localhost -p2222 'gtar -czvf - /' > fs.tar.gz

(Note that this one results in a full dump.)

If you don't want everything in one file, run:

ssh root@localhost -p2222 "gtar --same-owner --exclude='/private/*' -cpzvf - /" > rootfs.tar.gz

ssh root@localhost -p2222 'gtar --same-owner -cpzvf - /private/etc' > etc.tar.gz

ssh root@localhost -p2222 'gtar --same-owner -cpzvf - /private/var' > data.tar.gz

ssh root@localhost -p2222 'gtar --same-owner -cpzvf - /private/preboot/' > preboot.tar.gz
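An added check, not part of the original guide: a dropped SSH connection can leave a short image or a truncated archive behind, so this script rejects empty files and truncated gzip archives and records a SHA-256 and size for each dump. The function names and the manifest file name are assumptions made for this example.

```shell
# Added example: sanity-check and hash the files produced by the dump commands.
# Function names and the manifest name (dump.sha256) are hypothetical.

# Use whichever SHA-256 tool the host has (Linux: sha256sum, macOS: shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_dump FILE: print "sha256  size  name" on success. Returns non-zero if
# the file is missing or empty, or (for .gz) fails gzip's integrity test.
check_dump() {
    f=$1
    if [ ! -s "$f" ]; then
        echo "FAIL $f: missing or empty" >&2
        return 1
    fi
    case $f in
        *.gz)
            # A stream cut off mid-transfer has no valid gzip trailer.
            if ! gzip -t "$f" 2>/dev/null; then
                echo "FAIL $f: truncated or corrupt gzip stream" >&2
                return 2
            fi ;;
    esac
    size=$(wc -c < "$f" | tr -d ' ')
    printf '%s  %s  %s\n' "$(sha256_of "$f")" "$size" "$f"
}

# write_manifest MANIFEST FILE...: check every file, record the good ones,
# and return non-zero if any file failed its check.
write_manifest() {
    manifest=$1; shift
    rc=0
    : > "$manifest"
    for f in "$@"; do
        check_dump "$f" >> "$manifest" || rc=1
    done
    return $rc
}

# Usage: write_manifest dump.sha256 disk0s1.img fs.tar.gz
```

Keep the manifest next to the archived images so a later copy can be compared against the recorded hashes.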

= NOR/iBoot partition =

Apple Silicon Macs
On Apple Silicon Macs, the LLB is stored on SPI NOR, so dumping it requires the nordump tool.

Preparation
The nordump tool won't run until you complete a preparation step, which differs depending on the macOS version installed on the Mac you're dumping from.

macOS 13.0 beta 3 or earlier
After compiling the tool, enter this command:

codesign -f -s - nordump

macOS 13.0 beta 4 or later
Reboot into the recoveryOS and open Terminal. Then run the following commands:

nvram boot-args=amfi_get_out_of_my_way=1

bputil -a

reboot

Dumping
Run this command:

nordump NOR

This will dump the complete contents of the NOR to files in a directory named "NOR".

After dumping, if the Mac is running macOS 13.0 beta 4 or later, you will need to reverse the changes made in the preparation step using these commands:

sudo nvram -d boot-args

sudo bputil -f

Other devices with IMG4 support
From a terminal on a computer with OpenSSH installed (preinstalled on most modern OSes), run this command after running  (note that sudo may be needed, or disk1 may need to be changed to disk2 on iOS 16+):

ssh -p 2222 root@localhost "dd if=/dev/disk1" | dd of=bootchain.bin