Starting with iOS 10.0, Apple stopped encrypting the root file system and the kernel cache. All you have to do is download an IPSW, change the extension to `.zip`, and unarchive it. The largest disk image inside the unarchived zip is the root file system; simply mount it to see its contents.
Links to download all iOS IPSWs.
Originally from /u/RowRocka on Reddit. Gently edited for clarity.
Links to download all iOS OTA ZIPs.
1. Unzip the OTA `.zip`.
2. Download Jonathan Levin's OTApack and unzip it into the same directory that you unzipped the OTA image to.
3. Open up Terminal and `cd` to the aforementioned directory.
4. Execute `./pbzx AssetData/payloadv2/payload > pb.xz`
5. Unarchive the pb.xz file with The Unarchiver.
6. Go back to Terminal and execute these commands:
   ```
   mkdir rootfs
   mv ./pb ./rootfs
   cd rootfs
   ../otaa -e '*' ./pb
   ```
7. Done.
1. Unzip the OTA `.zip`.
2. Go to `AssetData/boot`.
3. Open a Terminal and `cd` to the unzipped OTA image directory.
4. Execute `cp AssetData/boot/kernelcache.release.***** ./` (check what your filename is).
5. Compile `lzssdec.cpp` from here.
6. Open the kernel cache file with a hex editor (I recommend Hex Fiend) and find `0xFEEDFACE`. Note the offset.
7. Execute `./lzssdec -o OFFSET_YOUVE_NOTED_IN_STEP_6 < kernelcache.release.***** > kernelcache.decrypted`
8. Done.
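Added example (not from the original post and not the `lzssdec.cpp` it links): a Python stand-in for steps 6 and 7 that finds the `complzss` header itself instead of a hex-editor offset, decompresses the payload, and checks the header's adler32 so a wrong offset or truncated file is caught rather than silently producing garbage. It assumes the header layout and LZSS parameters of Apple's open-source `decompress_lzss` (the iOS 10 kernel cache is compressed, not encrypted, despite the `.decrypted` filename above); the sample bytes and the script name `lzssdec.py` are constructed.

```python
import struct, sys, zlib

N, F, THRESHOLD = 4096, 18, 2   # LZSS parameters used by Apple's decompress_lzss
HEADER_FMT = ">4s4sIII"         # 'comp', 'lzss', adler32, uncompressed_size, compressed_size
HEADER_LEN = 0x180              # 20 bytes of fields + reserved/platform_name/root_path padding

def lzss_decompress(src: bytes, expected_len: int) -> bytes:
    text_buf, out = bytearray(b" " * (N + F - 1)), bytearray()
    r, flags, pos = N - F, 0, 0
    def emit(c):                # one output byte goes to out and to the ring buffer
        nonlocal r
        out.append(c); text_buf[r] = c; r = (r + 1) & (N - 1)
    while len(out) < expected_len and pos < len(src):
        flags >>= 1
        if not flags & 0x100:   # every 8 tokens a fresh flag byte is loaded
            flags = src[pos] | 0xFF00; pos += 1
            if pos >= len(src): break
        if flags & 1:           # flag bit 1: literal byte
            emit(src[pos]); pos += 1
        elif pos + 1 < len(src):  # flag bit 0: 12-bit ring position, 4-bit length
            i, j = src[pos], src[pos + 1]; pos += 2
            i |= (j & 0xF0) << 4
            for k in range((j & 0x0F) + THRESHOLD + 1):
                emit(text_buf[(i + k) & (N - 1)])
        else:
            break
    return bytes(out)

def decompress_kernelcache(blob: bytes) -> bytes:
    """Find the complzss header, decompress its payload, verify size and adler32."""
    off = blob.find(b"complzss")
    if off < 0:
        raise ValueError("no complzss header found")
    _, _, adler, usize, csize = struct.unpack_from(HEADER_FMT, blob, off)
    kernel = lzss_decompress(blob[off + HEADER_LEN:off + HEADER_LEN + csize], usize)
    if len(kernel) != usize or zlib.adler32(kernel) != adler:
        raise ValueError("size or adler32 mismatch: truncated, corrupt or wrong offset")
    return kernel
# Constructed sample: 8 literals, then one 18-byte back-reference into the ring buffer;
# the decompressed output starts with the little-endian 64-bit Mach-O magic 0xFEEDFACF.
KERNEL = b"\xcf\xfa\xed\xfe" + b"ABCD" * 5 + b"AB"
STREAM = bytes([0xFF, 0xCF, 0xFA, 0xED, 0xFE, 0x41, 0x42, 0x43, 0x44, 0x00, 0xF2, 0xFF])
HEADER = struct.pack(HEADER_FMT, b"comp", b"lzss", zlib.adler32(KERNEL), len(KERNEL), len(STREAM))
SAMPLE = b"<constructed IMG4-style prefix>" + HEADER.ljust(HEADER_LEN, b"\0") + STREAM
if __name__ == "__main__":  # python3 lzssdec.py kernelcache.release.xxx out.bin (no args: run on SAMPLE)
    out = decompress_kernelcache(open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else SAMPLE)
    print("decompressed %d bytes, magic 0x%08x" % (len(out), struct.unpack("<I", out[:4])[0]))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(out)
```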