Changelog
Highlights
🎉 This release ships the long-awaited Sandbox Decompiler — a from-scratch reverse-engineered pipeline that turns Apple's private sandbox bytecode back into compileable SBPL.
All commands live under ipsw sb:
Decompile a profile from a kernelcache
# Decompile one profile to a file that `sandbox-compilerd` will accept
❯ ipsw sb dec kernelcache.release.iPhone18,1 com.apple.WebKit.WebContent -O WebContent.sb
# Or emit structured JSON for programmatic consumption
❯ ipsw sb dec kernelcache.release.iPhone18,1 com.apple.WebKit.WebContent --format jsonQuery across every profile at once
Build the graph once, then ask questions against it — no more grepping 287 .sb files by hand.
❯ ipsw sb graph export kernelcache.release.iPhone18,1 -O graph.json
# Which profiles can open this IOKit user client?
❯ ipsw sb query iokit-open IOSurfaceRootUserClient --graph graph.json
# Which profiles can look up a mach service, call a syscall, write a path, ...
❯ ipsw sb query mach-lookup com.apple.mobilegestalt.xpc --graph graph.json
❯ ipsw sb query syscall mmap --graph graph.json
❯ ipsw sb query path-write /private/var/mobile/tmp --graph graph.jsonDiff sandbox changes across macOS releases
❯ ipsw sb diff macOS-26.0.ipsw macOS-26.1.ipswList / inspect
❯ ipsw sb list kernelcache.release.iPhone18,1 # profile names
❯ ipsw sb opts kernelcache.release.iPhone18,1 # sandbox operations
❯ ipsw sb dump kernelcache.release.iPhone18,1 # raw binary blobsNew Features
- 98b7e6c: feat(dtree): add OTA/AEA support to
ipsw dtree(closes #1177) (@blacktop) - 652abdd: feat: add OTA input mode support to
ipsw diff(@blacktop) - 41f9b7b: feat: 🎉 Sandbox Decompiler 🎉 (@blacktop)
Bug fixes
- c03b181: fix(dl-db): add
hideFromLatestVersionssupport to AppleDB queries (@blacktop) - 2999a92: fix(dl-ota): --build filter to match prerequisite build in delta mode (@blacktop)
- 31371ea: fix(ota): AEA key lookup and cryptex extraction (@blacktop)
Dependency updates
- 74e555a: chore(deps): bump deps (@blacktop)
- 314ec71: chore(deps): bump deps (@blacktop)
- 0fced26: chore(deps): bump deps (@blacktop)
- 653e7e0: chore(deps): bump github/codeql-action from 4.35.1 to 4.35.2 (#1179) (@dependabot[bot])
- d9a1953: chore(deps): bump pnpm/action-setup from 5 to 6 (#1173) (@dependabot[bot])
Documentation updates
- f750366: docs: Bump pnpm version to 10 in docs workflow (@blacktop)
- 457c6f8: docs: Fix pnpm setup by pinning version instead of package_json_file (@blacktop)
- 5b705e4: docs: Use --no-frozen-lockfile in docs CI install (@blacktop)
- 400d3d0: docs: blog draft (@blacktop)
- 8aeda1d: docs: update CLI (@blacktop)
- 1b5898f: docs: update CLI docs (@blacktop)
- 4cb75d9: docs: use packageManager field for pnpm version in docs CI (@blacktop)
Other work
- bf9d2a4: chore(dl-ota): Add build prefix to OTA download destination filenames (@blacktop)
- 0037f3a: chore(ents): update entitlements DB for iOS [skip ci] (@github-actions[bot])
- 802b705: chore(ents): update entitlements DB for macOS [skip ci] (@github-actions[bot])
- e8369f7: chore(fcs): keys (@blacktop)
- eccc2e9: chore(fcs): update keys (@blacktop)
- 5fc638c: chore(fcs-keys): update FCS keys (beta) [skip ci] (@github-actions[bot])
- a2a5d1c: chore(fcs-keys): update FCS keys (beta) [skip ci] (@github-actions[bot])
- ceb688c: chore(fcs-keys): update FCS keys (stable,RC) [skip ci] (@github-actions[bot])
- 72faff1: chore(fcs-keys): update FCS keys (stable,RC) [skip ci] (@github-actions[bot])
Summary
Full Changelog: v3.1.671...v3.1.672
What to do next?
- Read the documentation
- Follow us on Twitter
- Follow us on Mastodon
- Follow us on Bluesky
- Join our Discord