User:LeoI07/Drafts/Dumping Firmwares

If you have a device with a preinstalled-only or internal OS installed, it's a good idea to take a dump of it for archival purposes, as it can't simply be downloaded from Apple. This guide will outline the steps to dump both the filesystem(s) and the NOR/iBoot partition.

You will need to have shell access to the device. On macOS and most internal OSes this is included by default, whereas for release versions of iOS and its derivatives, you will need to either boot an SSH ramdisk, or jailbreak the device and install OpenSSH.

= Filesystem =

The most complete filesystem dump you can make is a copy of the internal storage to a disk image. This will dump both the root filesystem and any additional partitions (i.e. preboot, recovery). Keep in mind that this also includes any user files and settings, so make sure to reset the device to factory settings if you don't want that to be included.

Macs
Boot into the recoveryOS and open Terminal. Then type this command:

    dd bs=4096 status=progress of=/path/to/Dump.dmg

With APFS support (64-bit, running 10.3 or later)
From a terminal on a computer running macOS or Linux, type the second command if the device is jailbroken with Dopamine, or the first command otherwise.

    ssh root@ "cat /dev/disk0" | dd bs=4096 skip=6 status=progress of=/path/to/Dump.dmg

    ssh mobile@ "sudo cat /dev/disk0" | dd bs=4096 skip=6 status=progress of=/path/to/Dump.dmg

The skip=6 argument removes the 24 KiB LwVM header, making the image mountable on macOS. Remove this argument if you wish to keep the LwVM header, or replace the dd part of the above commands with the following to dump it separately:

    dd bs=4096 count=6 of=/path/to/LwVM_Header.bin
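The following is an added example, not part of the original guide. It takes one dump made with the skip argument removed and splits it locally, so the 24 KiB LwVM header and the mountable image come from the same read, then checks that the two parts reassemble to the input and prints SHA-256 checksums for the archive. The function names and file names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original guide. Splits a raw dump that still
# has its LwVM header into a header file and a mountable image.
# Assumption: the header is 6 blocks of 4096 bytes (24 KiB), per the text.
BS=4096
HDR_BLOCKS=6

# SHA-256 of stdin (sha256sum on Linux, shasum on macOS).
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum
    else
        shasum -a 256
    fi | cut -d' ' -f1
}

# split_lwvm RAW HEADER_OUT IMAGE_OUT   (hypothetical helper name)
split_lwvm() {
    raw=$1; hdr=$2; img=$3
    hdr_bytes=$((BS * HDR_BLOCKS))
    raw_bytes=$(wc -c < "$raw" | tr -d ' ')

    # Reject input no larger than the header: a truncated transfer would
    # otherwise yield a short header and an empty image.
    if [ "$raw_bytes" -le "$hdr_bytes" ]; then
        echo "error: $raw is only $raw_bytes bytes" >&2
        return 1
    fi

    dd if="$raw" of="$hdr" bs="$BS" count="$HDR_BLOCKS" 2>/dev/null || return 1
    dd if="$raw" of="$img" bs="$BS" skip="$HDR_BLOCKS" 2>/dev/null || return 1

    # Header + image, concatenated, must hash to the same value as the input.
    want=$(sha256 < "$raw")
    got=$(cat "$hdr" "$img" | sha256)
    if [ "$want" != "$got" ]; then
        echo "error: split parts do not reassemble to $raw" >&2
        return 1
    fi

    # Checksum lines for the archive, in sha256sum's "hash  file" layout.
    printf '%s  %s\n' "$want" "$raw" "$(sha256 < "$hdr")" "$hdr" \
        "$(sha256 < "$img")" "$img"
}

# Run directly as: sh split_lwvm.sh Full_Dump.bin LwVM_Header.bin Dump.dmg
if [ "$#" -eq 3 ]; then split_lwvm "$@"; fi
```

Store the printed checksum lines next to the dump so later copies of the archive can be verified against them.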

Compressing the dump
Both of these methods produce uncompressed dumps, which take up a lot of space. The best way to compress them is to make a compressed .dmg file on macOS, using one of these two commands:

    hdiutil convert -format ULMO -o /path/to/Compressed_Dump.dmg -puppetstrings /path/to/Dump.dmg

    diskutil image create from --format ULMO /path/to/Dump.dmg /path/to/Compressed_Dump.dmg

Unlike the gzip method, this makes dumps that are both compressed and mountable on macOS.

= NOR/iBoot partition =

Apple silicon Macs
On Macs with Apple silicon (except the Developer Transition Kit), the LLB and ANS2 firmware are stored on SPI NOR, so dumping them requires the nordump tool.

Preparation
The nordump tool won't run without preparation, and the steps required depend on the macOS version installed on the Mac you're dumping from.

macOS 13.0 beta 3 or earlier
After compiling the tool, enter this command:

    codesign -f -s - /path/to/nordump

macOS 13.0 beta 4 or later
Reboot into the recoveryOS and open Terminal. Then run the following commands:

    nvram boot-args=amfi_get_out_of_my_way=1
    bputil -a
    reboot

Dumping
Run this command:

    /path/to/nordump /path/to/NOR

This will dump the complete contents of the NOR to files in a directory named "NOR".

After dumping, if the Mac is running macOS 13.0 beta 4 or later, you will need to reverse the changes made in the preparation step using these commands:

    sudo nvram -d boot-args
    sudo bputil -f

Other devices with IMG4 support
If dumping from a Developer Transition Kit (2020), open Terminal and type the following command:

    cat /dev/disk1 > /path/to/Firmware.bin

For other devices, type the latter command if the device is jailbroken with Dopamine, otherwise the former command, from a terminal on a computer running macOS or Linux.

    ssh root@ "cat /dev/disk1" > /path/to/Firmware.bin

    ssh mobile@ "sudo cat /dev/disk1" > /path/to/Firmware.bin