IBoot64helper
IDAPython loader to help with AArch64 iBoot, iBEC, and SecureROM reverse engineering
iBoot64helper
Introduction
iBoot64helper is now an IDA loader!
Just copy iBoot64helper.py to your ~/.idapro/loaders/ (or your IDA/loaders/) directory, launch IDA, and open a decrypted iBoot, iBEC, or SecureROM binary image.
<p align="center"><img src="screenshot-loader.png"/></p>

This aims to become an IDAPython utility to help with iBoot and SecureROM reverse engineering. Currently it a) locates the image's proper loading address, b) rebases the image, c) identifies functions based on common AArch64 function prologues, and d) finds and renames some interesting functions.
As you can see in the screenshot below, 3154 functions are recognized after running it on iBoot version 7459.100.504.0.1.
<p align="center"><img src="screenshot.png"/></p>

I will be adding features to it, identifying more functions, etc.
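Step (c) above, prologue-based function identification, as an added example that is not taken from iBoot64helper's own code: a stand-alone Python scanner (no IDA API) that matches a few common AArch64 prologue encodings in a raw little-endian image. The pattern set, the `find_prologues` name, the sample words and the base address are assumptions made for illustration.

```python
import struct

# (mask, value) pairs over the fixed bits of each A64 encoding; immediates are masked out.
PAC      = {0xD503233F, 0xD503237F}   # paciasp, pacibsp
SUB_SP   = (0xFF8003FF, 0xD10003FF)   # sub sp, sp, #imm
STP_PUSH = (0xFFE003E0, 0xA9A003E0)   # stp Xt, Xt2, [sp, #-imm]!
STP_FPLR = (0xFF407FFF, 0xA9007BFD)   # stp x29, x30, [sp, #imm] or [sp, #imm]!

def _is(word, pattern):
    mask, value = pattern
    return (word & mask) == value

def opens_frame(word):
    """True for instructions that typically begin a prologue."""
    return word in PAC or _is(word, SUB_SP) or _is(word, STP_PUSH)

def find_prologues(image, base, window=4):
    """Return rebased addresses of likely function starts in a raw image.

    A start is the first instruction of a run of frame-opening instructions
    that stores the frame record (x29, x30) within `window` instructions.
    Leaf functions that never save x29/x30 are missed by this heuristic.
    """
    words = struct.unpack_from("<%dI" % (len(image) // 4), image)
    starts = []
    for i, word in enumerate(words):
        if not opens_frame(word):
            continue
        if i > 0 and opens_frame(words[i - 1]):
            continue  # middle of a prologue that was already counted
        if any(_is(w, STP_FPLR) for w in words[i:i + window]):
            starts.append(base + 4 * i)
    return starts

# Constructed sample (not from a real image): two framed functions and one leaf.
SAMPLE = struct.pack("<10I",
    0xD503201F,                                      # nop (padding)
    0xD503237F, 0xD10083FF, 0xA9017BFD, 0xD65F0FFF,  # pacibsp; sub sp,sp,#0x20; stp x29,x30,[sp,#0x10]; retab
    0xA9BF7BFD, 0x910003FD, 0xD65F03C0,              # stp x29,x30,[sp,#-0x10]!; mov x29,sp; ret
    0xD10043FF, 0xD65F03C0,                          # sub sp,sp,#0x10; ret (leaf, no frame record)
)
SAMPLE_BASE = 0x180000000  # constructed load address for the example

if __name__ == "__main__":
    print([hex(a) for a in find_prologues(SAMPLE, SAMPLE_BASE)])
```

The leaf function at offset 0x20 is deliberately not reported, which shows why prologue matching alone under-counts functions and is usually combined with other signals such as call targets.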
IDA support
iBoot64helper now supports IDA 7.7 and lower versions (only tested with IDA's built-in IDAPython for Python 3).
Decrypting images
For decrypting images, you should use xerub's img4lib, the ultimate IMG4 utility.
SecureROM
If you have a device vulnerable to axi0mX's checkm8, you can use ./ipwndfu --dump-rom to get a dump of the SecureROM image from your device and use it with iBoot64helper.
