/ Directory / Playground / ipsw-skill
← All servers ↗ GitHub
● Community blacktop 🔑 Needs your key

ipsw-skill

by blacktop · blacktop/ipsw-skill

Drive the ipsw CLI from your agent — IPSW download/extract, kernelcache diffs, Mach-O triage, private-framework ObjC headers.

ipsw-skill teaches Claude (and compatible agents like Codex CLI / Gemini CLI) how to drive blacktop's ipsw — the Swiss-army CLI for Apple firmware and binary analysis. It knows the subcommands for downloading/extracting IPSWs and kernelcaches, dumping Objective-C headers from private frameworks, diffing kernels across versions, auditing entitlements, and inspecting Mach-O binaries. Aimed at Apple platform security researchers, reverse engineers, and engineers debugging framework-level behavior.

▶ Watch demo 📦 Install 💡 Use Cases

Why use it

Key features

Live Demo

What it looks like in practice

ipsw-skill.replay ▶ ready
0/0

Install

Pick your client

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "ipsw-skill": {
      "command": "claude",
      "args": [
        "plugin",
        "marketplace",
        "add",
        "blacktop/ipsw-skill"
      ],
      "_inferred": false
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart after saving.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "ipsw-skill": {
      "command": "claude",
      "args": [
        "plugin",
        "marketplace",
        "add",
        "blacktop/ipsw-skill"
      ],
      "_inferred": false
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. Project config wins over global.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "ipsw-skill": {
      "command": "claude",
      "args": [
        "plugin",
        "marketplace",
        "add",
        "blacktop/ipsw-skill"
      ],
      "_inferred": false
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "ipsw-skill": {
      "command": "claude",
      "args": [
        "plugin",
        "marketplace",
        "add",
        "blacktop/ipsw-skill"
      ],
      "_inferred": false
    }
  }
}

Same shape as Claude Desktop. Restart Windsurf to pick up changes.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "ipsw-skill",
      "command": "claude",
      "args": [
        "plugin",
        "marketplace",
        "add",
        "blacktop/ipsw-skill"
      ]
    }
  ]
}

Continue uses an array of server objects rather than a map.

~/.config/zed/settings.json
{
  "context_servers": {
    "ipsw-skill": {
      "command": {
        "path": "claude",
        "args": [
          "plugin",
          "marketplace",
          "add",
          "blacktop/ipsw-skill"
        ]
      }
    }
  }
}

Add to context_servers. Zed hot-reloads on save.

claude mcp add ipsw-skill -- claude plugin marketplace add blacktop/ipsw-skill

One-liner. Verify with claude mcp list. Remove with claude mcp remove.

Use Cases

Real-world ways to use ipsw-skill

Dump Obj-C headers from a private framework for API discovery

👤 Security researchers, SDK maintainers working against Apple internals ⏱ ~30 min advanced

When to use: You need the public surface (class + selector names) of a private framework to study behavior changes.

Prerequisites
  • ipsw CLI installed — brew install blacktop/tap/ipsw
  • A dyld_shared_cache extracted from an IPSW — Use ipsw extract on the IPSW you downloaded
Flow
  1. Download the IPSW
    Use ipsw download for the iOS version I specify.✓ Copied
    → IPSW saved locally
  2. Extract the shared cache
    Extract dyld_shared_cache from the IPSW.✓ Copied
    → Shared cache file extracted
  3. Dump headers for the target framework
    Dump Obj-C headers for <FrameworkName>.✓ Copied
    → Header dump with classes and selectors

Outcome: You have readable headers to diff across versions.

Pitfalls
  • Confusing simulator binaries with device binaries — Always specify the device/arch you're studying; simulator slices differ
Combine with: ghidrassistmcp

Diff kernelcaches across two iOS versions

👤 Kernel and XNU researchers ⏱ ~60 min advanced

When to use: A new iOS version dropped; you want to see what changed in the kernel.

Flow
  1. Extract both kernelcaches
    Extract the kernelcache from IPSW A and IPSW B.✓ Copied
    → Two kernelcache files on disk
  2. Diff
    Diff the two kernelcaches; list added/removed/modified symbols.✓ Copied
    → Change list with symbol categories

Outcome: A focused changelog of kernel-level changes.

Pitfalls
  • Treating symbol reordering as meaningful change — Let the tool group reordering vs real additions/removals
Combine with: reverse-engineering-assistant

Audit a Mach-O for entitlements and suspicious characteristics

👤 AppSec reviewers, developers auditing third-party dependencies ⏱ ~20 min intermediate

When to use: You want to check entitlements and imports of a binary before shipping it with your app.

Flow
  1. Inspect the Mach-O
    Show load commands, LC_CODE_SIGNATURE, and entitlements for <path>.✓ Copied
    → Entitlements plist + signature info
  2. List imports
    List imported symbols grouped by framework.✓ Copied
    → Clear import table

Outcome: A concise audit report you can save to the review thread.

Combine with: xcodebuild

Combinations

Pair with other MCPs for X10 leverage

ipsw-skill + ghidrassistmcp

Hand off functions of interest to Ghidra for deeper analysis

From the Mach-O imports, pick the suspicious function and open it in Ghidra.✓ Copied
ipsw-skill + reverse-engineering-assistant

Use the broader RE playbook alongside ipsw's Apple-specific tools

Combine the generic RE workflow with ipsw for dyld cache work.✓ Copied
ipsw-skill + xcodebuild

Build local apps and validate that they match the entitlements profile you expect

After xcodebuild, run ipsw entitlements on the archive to audit what ended up signed in.✓ Copied

Tools

What this MCP exposes

ToolInputsWhen to callCost
ipsw download version/device selector Get firmware to analyze bandwidth only
ipsw extract IPSW + target (dsc / kernelcache / ramdisk) Pull a specific artifact from the IPSW 0
ipsw dyld class-dump dyld_shared_cache + framework Study private framework APIs 0
ipsw kernel diff two kernelcaches Version-to-version kernel analysis 0
ipsw macho info/ent Mach-O path Binary triage 0

Cost & Limits

What this costs to run

API quota
None
Tokens per call
Output varies with artifact size; scope commands tightly
Monetary
Free; downloads cost bandwidth only
Tip
Use ipsw's filtering flags so the agent doesn't paste 50 MB of symbols into context.

Security

Permissions, secrets, blast radius

Credential storage: None required for basic operation
Data egress: ipsw download pulls IPSWs from Apple's public servers. No additional telemetry from the skill itself.

Troubleshooting

Common errors and fixes

ipsw: command not found

Install the CLI via Homebrew tap: brew install blacktop/tap/ipsw.

Verify: which ipsw
Download times out

Apple's servers can rate-limit; retry with --resume. Ensure your network allows large downloads.

Verify: curl -I https://appldnld.apple.com/...
Class-dump returns empty

Confirm you pointed at the shared cache for the correct device/arch. Simulator caches are separate from device ones.

Verify: ipsw dyld info <cache>

Alternatives

ipsw-skill vs others

AlternativeWhen to use it insteadTradeoff
ghidrassistmcpYou want full-blown disassembly and scripting via GhidraMuch heavier; slower startup
ida-pro-mcpYou already license IDA Pro and want MCP integrationCommercial tool
reverse-engineering-assistantYou want a broader RE workflow assistantNot Apple-specific

More

Resources

📖 Read the official README on GitHub

🐙 Browse open issues

🔍 Browse all 400+ MCP servers and Skills