Dumping Firmwares

From The Apple Wiki

If you have a device with a preinstalled-only or internal OS installed, it's a good idea to take a dump of it for archival purposes, as it can't simply be downloaded from Apple. This guide will outline the steps to dump both the filesystem(s) and the NOR/iBoot partition.

You will need shell access to the device. On macOS and most internal OSes this is included by default, whereas for release versions of iOS and its derivatives, you will need to either boot an SSH ramdisk, or jailbreak the device and install OpenSSH.

Filesystem

The most complete filesystem dump you can make is a copy of the internal storage to a disk image. This will dump both the root filesystem and any additional partitions (i.e. preboot, recovery). Note that in this case, the data partition is not included, as it's encrypted.

Please note: this must be done while the device is not booted (except for macOS with macOS recovery).

Macs

1. Connect an external drive to the Mac. The drive must have at least as much free space as the Mac's storage (filled up).

2. Boot into the recoveryOS or from a macOS install USB.

3. Run the following command in a terminal window:

dd if=/dev/disk0 bs=16M status=progress | "/Volumes/Macintosh HD/usr/bin/gzip" > /Volumes/(insertexternaldrivehere)/disk0.img.gz

iOS devices

dd method

This is the optimal method; however, it is not always possible, as it requires an SSH ramdisk, which might not be bootable on your device. You must also copy these commands exactly (though you may change the filename) to avoid the risk of data loss on the device. Run the command iproxy 2222 22, then run the first command if the device is an iPhone 4 or earlier (repeat for all other partitions, i.e. disk0s1s3+), the second command if the device is an iPhone 4S or above, and the third if the device uses APFS.


ssh root@localhost -p 2222 "dd if=/dev/rdisk0s1s1 bs=8192" | gzip > rootfs.img.gz
ssh root@localhost -p 2222 "dd if=/dev/rdisk0s1s1 bs=4096" | gzip > rootfs.img.gz
ssh root@localhost -p 2222 "dd if=/dev/rdisk0 bs=4096" | gzip > dump.img.gz
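
A plain `ssh ... | gzip > file` pipeline reports only gzip's exit status, so an interrupted SSH session can leave a truncated dump that still looks like a valid archive. The wrapper below is an added example (not from this wiki or from any Apple tooling) that runs the dd-over-SSH commands above, rejects the result if the remote command failed, and records a hash and size for the archive; `dump_stream`, `verify_dump` and `sha256_stdin` are hypothetical helper names.

```sh
#!/bin/sh
# Added example, not from the wiki page. dump_stream, verify_dump and
# sha256_stdin are hypothetical helper names.

# SHA-256 of stdin: sha256sum on Linux, shasum on macOS.
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum
    else shasum -a 256; fi | cut -d' ' -f1
}

# dump_stream OUTFILE CMD [ARGS...]
# Gzips CMD's stdout into OUTFILE and fails if CMD itself failed. In a plain
# "CMD | gzip > file" pipeline the shell reports only gzip's status, so a
# dropped SSH session leaves a truncated image that still passes "gzip -t".
dump_stream() {
    out=$1; shift
    rcfile=$(mktemp) || return 1
    # Save the producer's exit status from inside the pipeline.
    { rc=0; "$@" || rc=$?; echo "$rc" > "$rcfile"; } | gzip > "$out"
    rc=$(cat "$rcfile"); rm -f "$rcfile"
    if [ "$rc" != 0 ]; then
        mv "$out" "$out.partial"   # keep it, but never under the final name
        echo "producer exited with status '$rc'; see $out.partial" >&2
        return 1
    fi
    gzip -t "$out" || return 1
    # Record the hash and size of the uncompressed image next to the archive.
    hash=$(gzip -dc "$out" | sha256_stdin)
    bytes=$(gzip -dc "$out" | wc -c | tr -d ' ')
    printf '%s %s\n' "$hash" "$bytes" > "$out.manifest"
}

# verify_dump OUTFILE: re-check an archived dump against its manifest.
verify_dump() {
    read -r want_hash want_bytes < "$1.manifest" || return 1
    [ "$(gzip -dc "$1" | wc -c | tr -d ' ')" = "$want_bytes" ] || return 1
    [ "$(gzip -dc "$1" | sha256_stdin)" = "$want_hash" ]
}

# Usage with the APFS command from the page:
#   dump_stream dump.img.gz ssh root@localhost -p 2222 "dd if=/dev/rdisk0 bs=4096"
```

The byte count in the manifest can also be compared against the disk size the device reports, which catches a short read that did not produce an error.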


NOTE: In a dd dump the data partition is encrypted with device-specific keys, so to grab it you will have to run gtar after rebooting into the OS (only possible on internal/jailbroken/SSH-able OSes):

ssh root@localhost -p2222 'gtar --same-owner -cpzvf - /private/var' > data.tar.gz

tar method

For devices where loading an SSH ramdisk is not doable, you must use the tar method. From a terminal on a computer with OpenSSH installed (preinstalled on most modern OSes), run iproxy 2222 22, open a new terminal window, copy a version of GNU tar (not bsdtar) for iOS to the device via SCP, and run this command (note that it results in a full dump):

ssh root@localhost -p2222 'gtar -czvf - /' > fs.tar.gz

If you don't want everything in one file, run:

ssh root@localhost -p2222 "gtar --same-owner --exclude='/private/*' -cpzvf - /" > rootfs.tar.gz
ssh root@localhost -p2222 'gtar --same-owner -cpzvf - /private/etc' > etc.tar.gz
ssh root@localhost -p2222 'gtar --same-owner -cpzvf - /private/var' > data.tar.gz
ssh root@localhost -p2222 'gtar --same-owner -cpzvf - /private/preboot/' > preboot.tar.gz

NOR/iBoot partition

Apple Silicon Macs

On Apple Silicon Macs, the LLB is stored on SPI NOR, so dumping it requires the nordump tool.

Preparation

The nordump tool won't run until you complete one of the preparation steps below. Which one applies depends on the macOS version installed on the Mac you're dumping from.

macOS 13.0 beta 3 or earlier

After compiling the tool, enter this command:

codesign -f -s - nordump

macOS 13.0 beta 4 or later

Reboot into the recoveryOS and open Terminal. Then run the following commands:

nvram boot-args=amfi_get_out_of_my_way=1
bputil -a
reboot

Dumping

Run this command:

nordump NOR

This will dump the complete contents of the NOR to files in a directory named "NOR".

After dumping, if the Mac is running macOS 13.0 beta 4 or later, you will need to reverse the changes made in the preparation step using these commands:

sudo nvram -d boot-args
sudo bputil -f

Other devices with IMG4 support

From a terminal on a computer with OpenSSH installed (preinstalled on most modern OSes), run iproxy 2222 22 and then run this command (note that sudo may be needed, or disk1 may need to be changed to disk2 on iOS 16+):

 ssh -p 2222 root@localhost "dd if=/dev/disk1" | dd of=bootchain.bin