|
|
Line 295: |
Line 295: |
|
| [[InnsbruckNanshan 11A24581k|11A24581k]] |
|
| [[InnsbruckNanshan 11A24581k|11A24581k]] |
|
| ? |
|
| ? |
|
+ |
| From [https://twitter.com/1nsane_dev @1nsane_dev] on twitter. |
|
| - |
|
| - |
|
|- |
|
|- |
Revision as of 20:30, 4 February 2020
This article discusses software internally used by Apple.
Acquiring a copy without Apple's consent is illegal and may result in being scammed. Engaging in illegal activity is not condoned. This information is provided for educational purposes only.
|
This is a documented list of known factory firmwares, used by Apple workers in California to do engineering tests on prototype devices and also by factory workers on production ones during manufacturing. Factory firmwares are based on production iOS ones, but adapted for internal engineering tests, development and debugging.
"Skankwerk" logo on 7.x and up
"Skankwerk" logo on 6.x and below
Prototype showing newer Skankwerk logo during boot
Prototype showing older Skankwerk logo during boot
They are also known as "NonUI (No User Interface)" builds, probably because most applications are command line ones. The SpringBoard replacement, named SwitchBoard, allows the launching of a GUI for some of those applications. Unlike production iOS firmwares, factory ones have the following differences:
- DEVELOPMENT/DEBUG fused bootloaders in
\Firmware\dfu\
and \Firmware\all_flash\all_flash.[board codename].factoryfa\
.
- DEVELOPMENT/DEBUG fused kernelcache with more symbols (located in
/System/Library/Caches/com.apple.kernelcaches
on the filesystem), and with individual kexts in /System/Library/Extensions
.
- DEVELOPMENT dyld_shared_cache in
/System/Library/Caches/com.apple.dyld
.
- DEBUG fused baseband firmware in
\Firmware\
.
- Skankwerk (gear) logo image file in
\Firmware\all_flash\all_flash.[board codename].factoryfa\
.
/AppleInternal
folder, which the hierarchy inside get priority over hierarchy in /
.
- No SpringBoard, requires the use of daemons to launch SwitchBoard.app as a multi-app launcher instead.
/usr
and subfolders contain many UNIX command line utilities.
- SSH daemon is pre-installed as dropbear, can be connected to over usb
- Boot loader passes arguments to kernel (unlike RELEASE boot loaders as of iOS 5.0) which makes it easy to disable AMFI
- It has some additional Private Frameworks in
/System/Library/PrivateFrameworks
for internal GUI apps and command line utilities.
- Most internal applications require the use of SkankKit (replacement for UIKit in nonUI firmwares) to produce special layers such as text on the framebuffer.
Unlike regular iOS Firmwares, factory ones are distributed in both IPSWs and "restore bundles". These bundles are unzipped IPSW files which can be restored on devices using internal restore software such as PurpleRestore. Release and factory firmware "restore bundles" have the same packaging structure (bootloaders, kernel, restore ramdisk, update ramdisk and root filesystem).
Some interesting facts about factory firmwares
- Design: Apple seems to use the same GUI design from the production firmware to the factory one.
Production iOS 1.x to 6.x skeuomorphism design is also present on 1.x to 6.x factory firmwares, but seems really more excessive than production ones. For example, the "skankwerk" boot logo represents a real gear and many GUI icons are realistic or simply photos of real life things (especially in Operator). For newer versions, production iOS 7.x to 9.x flat design is mostly used in 7.x to 9.x factory firmwares. For example, the new "skankwerk" boot logo is a flat, simple white gear. Some newer internal applications like Earthbound also use a "flat" design.
- Other: The "skank" word is used to name multiple elements of factory firmwares. For example, there is "skankphone", "skankbattery" (the green battery shown in SwitchBoard), "skankwerk" logo, "skankkit" framework, "purpleskank" (used by BurnIn) and most likely others. The "skank" word seems to be a reference to "Skunkworks" projects, which are secrecy projects that are usually innovative. Read more about "Skunkworks" on Wikipedia.
Version
|
Build
|
Codename
|
Baseband
|
Comments
|
1.0
|
1A420
|
Alpine
|
03.06.01_G[1]
|
Originally available here, but was soon taken down.
|
4A57
|
04.02.13_G
|
-
|
1.1.2
|
3B48
|
04.02.13_G
|
-
|
1.1.3
|
4A102a
|
04.04.05_G
|
-
|
Version
|
Build
|
Codename
|
Baseband
|
Comments
|
4.0
|
8A2130h
|
ApexNanshan
|
?
|
-
|
8A2180g
|
05.12.01
|
-
|
Version
|
Build
|
Codename
|
Baseband
|
Comments
|
8.0
|
12A22121a
|
Okemo?
|
?
|
-
|
Version
|
Build
|
Codename
|
Baseband
|
Comments
|
9.0
|
13A22120w
|
Monarch?
|
?
|
-
|
13A23161b
|
MonarchNanshan
|
?
|
-
|
Version
|
Build
|
Codename
|
Baseband
|
Comments
|
3.2
|
7B3341e
|
Wildcat?
|
?
|
-
|
7B5286a
|
?
|
Found by SonnyDickson, documented on 9to5mac
|
Version
|
Build
|
Codename
|
Baseband
|
Comments
|
4.3
|
8F3178a
|
Durango?
|
?
|
-
|
8F3191d
|
Durango
|
?
|
-
|
Version
|
Build
|
Codename
|
Baseband
|
Comments
|
7.0.3
|
11B64940j
|
InnsbruckTaos?
|
?
|
-
|
7.1
|
11D167
|
Sochi?
|
?
|
-
|
Version
|
Build
|
Codename
|
Baseband
|
Comments
|
7.0.1
|
11B34640l
|
Innsbruck?
|
?
|
-
|