Under the Bridge

A quick tour of the BridgeOS 2.0 image

By Jonathan Levin, @Morpheus

morpheus@Zephyr (~/Documents/iOS/BridgeOS) %mv ~/Downloads/BridgeOSUpdateCustomer.pkg .                    13:58
morpheus@Zephyr (~/Documents/iOS/BridgeOS) %ls                                                             13:58
BridgeOSUpdateCustomer.pkg
The macOS .pkg format is a xar(1) archive, so we can list and unpack it thus:
morpheus@Zephyr (~/Documents/iOS/BridgeOS) %xar -tvf BridgeOSUpdateCustomer.pkg                            13:58
-rw-r--r--      root/wheel         57873 2017-11-15 08:54:37 Bom
-rw-r--r--      root/wheel           979 2017-11-15 08:58:38 PackageInfo
-rw-------      root/wheel     145404848 2017-11-15 08:50:21 Payload
morpheus@Zephyr (~/Documents/iOS/BridgeOS) %xar -xvf BridgeOSUpdateCustomer.pkg                            13:58
Bom
PackageInfo
Payload
morpheus@Zephyr (~/Documents/iOS/BridgeOS) %file *                                                         13:59
Bom:                        Mac OS X bill of materials (BOM) file
BridgeOSUpdateCustomer.pkg: xar archive version 1, SHA-1 checksum
PackageInfo:                XML 1.0 document text, ASCII text
Payload:                    data

The NeXTSTEP legacy bill-of-materials file can be read with lsbom(1). This tells us what files to expect after a successful unpacking of the package.
morpheus@Zephyr (~/Documents/iOS/BridgeOS) %lsbom Bom | head                                               13:59
.	40755	0/0
./usr	40755	0/0
./usr/standalone	40755	0/0
./usr/standalone/firmware	40755	0/0
./usr/standalone/firmware/bridgeOSCustomer.bundle	40755	0/0
./usr/standalone/firmware/bridgeOSCustomer.bundle/Contents	40755	0/0
./usr/standalone/firmware/bridgeOSCustomer.bundle/Contents/Info.plist	100644	0/0	556	370148924
./usr/standalone/firmware/bridgeOSCustomer.bundle/Contents/Resources	40755	0/0
./usr/standalone/firmware/bridgeOSCustomer.bundle/Contents/Resources/BuildManifest.plist	100644	0/0	40147	1438141321
./usr/standalone/firmware/bridgeOSCustomer.bundle/Contents/Resources/UpdateBundle.zip	100644	0/0	145808131	921118635

The Payload file is a 'pbzx', Apple's favorite compression container for OTA images, which I wrote a decompressor for. Using the latest version of the decompressor, which has built-in liblzma/xz integration, we get:
morpheus@Zephyr (~/Documents/iOS/BridgeOS) %cat Payload| ../pbzx/pbzx.MacOS > p                           14:08
Flags: 0x1000000
Chunk #1 (flags: 1000000, length: 16643368 bytes) 
OK!  (16777216 bytes)
Chunk #2 (flags: 1000000, length: 16745384 bytes) 
OK!  (16777216 bytes)
Chunk #3 (flags: 1000000, length: 16743924 bytes) 
OK!  (16777216 bytes)
Chunk #4 (flags: 1000000, length: 16777216 bytes) 
Warning: Can't find XZ header. Instead have 0x896df8e2(?).. This is likely not XZ data.
Chunk #5 (flags: 1000000, length: 16777216 bytes) 
Warning: Can't find XZ header. Instead have 0xb1cf31d6(?).. This is likely not XZ data.
Chunk #6 (flags: 1000000, length: 16777216 bytes) 
Warning: Can't find XZ header. Instead have 0x689e4b8e(?).. This is likely not XZ data.
Chunk #7 (flags: 1000000, length: 16777216 bytes) 
Warning: Can't find XZ header. Instead have 0x12e2ab71(?).. This is likely not XZ data.
Chunk #8 (flags: 1000000, length: 16542900 bytes) 
OK!  (16777216 bytes)
Chunk #9 (flags: b1a400, length: 11620252 bytes) 
OK!  (11641856 bytes)
morpheus@Zephyr (~/Documents/iOS/BridgeOS) %file p                                                        14:09
../../p: ASCII cpio archive (pre-SVR4 or odc)
The "not XZ data" warnings appear because a pbzx chunk sometimes holds its data raw, uncompressed. The tool warns about this but still copies the chunk through to the output, so it normally doesn't cause any errors. Since what we got is a cpio(1) archive, we unpack it:
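As an added example (not the author's pbzx tool, and not code from this page), here is a small Python reader for the pbzx container that handles the raw-chunk case the warnings above describe, run on a constructed sample stream so it works offline. The layout it assumes: a 'pbzx' magic and 64-bit big-endian stream flags, then per chunk a 64-bit big-endian flags word and length followed by that many bytes, with bit 24 of the flags (0x1000000, the value printed above) meaning another chunk follows; a chunk whose payload does not start with the xz magic is copied through unchanged, exactly as the tool above does. The same reader applies to the inner payloadv2/payload stream later on.

```python
import io
import lzma
import struct

PBZX_MAGIC = b"pbzx"
XZ_MAGIC = b"\xfd7zXZ\x00"   # leading bytes of an .xz stream
MORE_CHUNKS = 1 << 24        # assumed flag bit: "another chunk follows" (0x1000000 above)


def pbzx_chunks(data):
    """Yield one record per chunk: number, flags, stored length, kind and decoded bytes."""
    stream = io.BytesIO(data)
    if stream.read(4) != PBZX_MAGIC:
        raise ValueError("not a pbzx stream")
    (flags,) = struct.unpack(">Q", stream.read(8))   # stream-level flags
    number = 0
    while flags & MORE_CHUNKS:
        header = stream.read(16)
        if len(header) != 16:
            raise ValueError("truncated chunk header after chunk %d" % number)
        flags, length = struct.unpack(">QQ", header)
        payload = stream.read(length)
        if len(payload) != length:
            raise ValueError("chunk %d truncated: wanted %d bytes, got %d"
                             % (number + 1, length, len(payload)))
        number += 1
        if payload.startswith(XZ_MAGIC):
            kind, out = "xz", lzma.decompress(payload, format=lzma.FORMAT_XZ)
        else:
            kind, out = "raw", payload   # stored uncompressed: the "not XZ data" case
        yield {"number": number, "flags": flags, "length": length, "kind": kind, "data": out}


def decompress_pbzx(data):
    """Return (per-chunk report, concatenated decoded bytes)."""
    report, parts = [], []
    for chunk in pbzx_chunks(data):
        parts.append(chunk.pop("data"))
        chunk["out_len"] = len(parts[-1])
        report.append(chunk)
    return report, b"".join(parts)


def build_pbzx(chunks):
    """Constructed test input (not an Apple image): pack (kind, bytes) pairs into pbzx form."""
    blob = bytearray(PBZX_MAGIC) + struct.pack(">Q", MORE_CHUNKS)
    for index, (kind, raw) in enumerate(chunks):
        payload = lzma.compress(raw, format=lzma.FORMAT_XZ) if kind == "xz" else raw
        flags = MORE_CHUNKS if index < len(chunks) - 1 else 0   # last chunk clears the bit
        blob += struct.pack(">QQ", flags, len(payload)) + payload
    return bytes(blob)


# Constructed sample: two compressible chunks around one stored-raw (already dense) chunk.
SAMPLE_CHUNKS = [
    ("xz", b"kernelcache-ish text " * 500),
    ("raw", bytes(range(256)) * 4),
    ("xz", b"trailing cpio headers"),
]

if __name__ == "__main__":
    report, out = decompress_pbzx(build_pbzx(SAMPLE_CHUNKS))
    for c in report:
        print("Chunk #%d (flags: %x, length: %d bytes) -> %s, %d bytes"
              % (c["number"], c["flags"], c["length"], c["kind"], c["out_len"]))
    print("decoded %d bytes" % len(out))
```

The raw/xz decision is made on the first six bytes of each chunk, as in the tool's warning, so a raw chunk that happened to begin with the xz magic would be misread; a truncated download, on the other hand, is caught as a ValueError instead of silently producing a short cpio archive.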
morpheus@Zephyr (~/Documents/iOS/BridgeOS) %mkdir x                                                       14:09
morpheus@Zephyr (~/Documents/iOS/BridgeOS) %cd x                                                          14:09
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x) %cat ../p | cpio -ivd                                        14:09
.
./usr
./usr/standalone
./usr/standalone/firmware
./usr/standalone/firmware/bridgeOSCustomer.bundle
./usr/standalone/firmware/bridgeOSCustomer.bundle/Contents
./usr/standalone/firmware/bridgeOSCustomer.bundle/Contents/Info.plist
./usr/standalone/firmware/bridgeOSCustomer.bundle/Contents/Resources
./usr/standalone/firmware/bridgeOSCustomer.bundle/Contents/Resources/BuildManifest.plist
./usr/standalone/firmware/bridgeOSCustomer.bundle/Contents/Resources/UpdateBundle.zip
./usr/standalone/firmware/bridgeOSCustomer.bundle/Contents/_CodeSignature
./usr/standalone/firmware/bridgeOSCustomer.bundle/Contents/_CodeSignature/CodeDirectory
./usr/standalone/firmware/bridgeOSCustomer.bundle/Contents/_CodeSignature/CodeRequirements
./usr/standalone/firmware/bridgeOSCustomer.bundle/Contents/_CodeSignature/CodeResources
./usr/standalone/firmware/bridgeOSCustomer.bundle/Contents/_CodeSignature/CodeSignature
./usr/standalone/firmware/bridgeOSCustomer.bundle/Contents/version.plist
It's obvious the payload is in UpdateBundle.zip - we could see that from the lsbom(1) output above, as it's the biggest file. This is the moment of truth: if anything was corrupted anywhere along the download/pbzx/cpio chain, the zip won't decompress cleanly.
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x) %unzip ./usr/standalone/firmware/bridgeOSCustomer.bundle/Contents/Resources/UpdateBundle.zip
Archive:  ./usr/standalone/firmware/bridgeOSCustomer.bundle/Contents/Resources/UpdateBundle.zip
   creating: META-INF/
  inflating: META-INF/com.apple.ZipMetadata.plist  
  inflating: Info.plist              
   creating: boot/
  inflating: boot/058-69774-293.dmg  
  inflating: boot/BuildManifest.plist  
   creating: boot/Firmware/
   creating: boot/Firmware/AOP/ <-- Audio coprocessor firmware, unenc
  inflating: boot/Firmware/AOP/aopfw-t8012aop.im4p  
   creating: boot/Firmware/MacEFI/
  inflating: boot/Firmware/MacEFI/J137.im4p  
   creating: boot/Firmware/all_flash/
  inflating: boot/Firmware/all_flash/DeviceTree.j137ap.im4p  
  inflating: boot/Firmware/all_flash/DeviceTree.j137ap.im4p.plist  
 extracting: boot/Firmware/all_flash/LLB.j137.RELEASE.im4p  
  inflating: boot/Firmware/all_flash/LLB.j137.RELEASE.im4p.plist  
 extracting: boot/Firmware/all_flash/iBoot.j137.RELEASE.im4p  
  inflating: boot/Firmware/all_flash/iBoot.j137.RELEASE.im4p.plist  
 extracting: boot/Firmware/all_flash/sep-firmware.j137.RELEASE.im4p  
  inflating: boot/Firmware/all_flash/sep-firmware.j137.RELEASE.im4p.plist  
   creating: boot/Firmware/dfu/
 extracting: boot/Firmware/dfu/iBEC.j137.RELEASE.im4p  
  inflating: boot/Firmware/dfu/iBEC.j137.RELEASE.im4p.plist  
 extracting: boot/Firmware/dfu/iBSS.j137.RELEASE.im4p  
  inflating: boot/Firmware/dfu/iBSS.j137.RELEASE.im4p.plist  
   creating: boot/Firmware/usr/
   creating: boot/Firmware/usr/local/
   creating: boot/Firmware/usr/local/standalone/
  inflating: boot/kernelcache.release.j137  
   creating: payload/
   creating: payload/replace/
  inflating: payload.bom             
 extracting: payload.bom.signature   
   creating: payloadv2/
  inflating: payloadv2/links.txt     
 extracting: payloadv2/payload       
  inflating: payloadv2/prepare_payload  
  inflating: post.bom                
  inflating: pre.bom
But it did! :-) So now we inspect the kernelcache:
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x) %~/Documents/Work/JTool/joker -dec boot/kernelcache.release.j137 
mmapped: 0x1225c1000
Feeding me a compressed kernelcache, eh? That's fine, now. I can decompress! 
Compressed Size: 11219886, Uncompressed: 22167552. Unknown (CRC?): 0x7c83e050, Unknown 1: 0x1
Got kernel at 436
got mem 0x123075000
mmapped: 0x123075000
This is a 64-bit kernel from iOS 11.0 , or later This is a 64-bit kernel from iOS 11.x (b1+), or later (4570.20.58.0.0)
ARM64 Exception Vector is at file offset @0xc7000 (Addr: 0xfffffff0070cb000)
The 'j' product line was used for iPads, and isn't the 'x' line that the MacBook Pro Touch Bar used. And since we used -dec with joker, we now have a decompressed kernel in /tmp, so:
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x) %ls -l /tmp/kernel                                           14:12
-rw-------  1 morpheus  wheel  22167552 Nov 18 14:12 /tmp/kernel
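An added example, not joker's code: a Python unpacker for the 'comp'/'lzss' wrapper that joker reports on above. The header layout is taken from the PrelinkedKernelHeader in Apple's open-source kext_tools (big-endian 'comp', 'lzss', an Adler-32 of the decompressed data, uncompressed size, compressed size, prelink version, then reserved/platform/root-path padding to 384 bytes). The 32-bit field joker prints as "Unknown (CRC?)" sits in the Adler-32 slot and "Unknown 1: 0x1" in the prelink-version slot, so the decompressed output can be checked against the header rather than trusted. The LZSS decoder is Okumura's (N=4096, F=18, THRESHOLD=2), the variant Apple uses; the sample stream is hand-constructed, and locating the header with find() to skip any IM4P wrapper is a shortcut of mine, not joker's method.

```python
import struct
import zlib

N, F, THRESHOLD = 4096, 18, 2   # Okumura LZSS parameters, as in Apple's lzss
HEADER_FMT = ">4s4sIIII"        # signature, type, adler32, uncompressed, compressed, version
HEADER_SIZE = 384               # 24 bytes of fields + reserved[10] + platformName[64] + rootPath[256]


def parse_complzss_header(blob, start):
    sig, ctype, adler, usize, csize, version = struct.unpack_from(HEADER_FMT, blob, start)
    if sig != b"comp" or ctype != b"lzss":
        raise ValueError("not a comp/lzss kernelcache: %r %r" % (sig, ctype))
    return {"adler32": adler, "uncompressed_size": usize,
            "compressed_size": csize, "version": version}


def lzss_decompress(src, dst_len):
    """Okumura LZSS: one flag byte per 8 items; item = literal byte or (12-bit pos, 4-bit len)."""
    ring = bytearray(b" " * (N + F - 1))   # ring buffer starts filled with spaces
    r, out, pos, flags = N - F, bytearray(), 0, 0
    while len(out) < dst_len:
        flags >>= 1
        if not flags & 0x100:             # flag bits used up: fetch the next 8
            if pos >= len(src):
                break
            flags, pos = src[pos] | 0xFF00, pos + 1
        if flags & 1:                     # literal
            if pos >= len(src):
                break
            c, pos = src[pos], pos + 1
            out.append(c); ring[r] = c; r = (r + 1) & (N - 1)
        else:                             # back-reference into the ring buffer
            if pos + 1 >= len(src):
                break
            i, j, pos = src[pos], src[pos + 1], pos + 2
            i |= (j & 0xF0) << 4
            j = (j & 0x0F) + THRESHOLD
            for k in range(j + 1):
                c = ring[(i + k) & (N - 1)]
                out.append(c); ring[r] = c; r = (r + 1) & (N - 1)
    return bytes(out[:dst_len])


def unpack_kernelcache(blob):
    """Locate the comp/lzss header (skipping any IM4P wrapper, a shortcut), decompress, verify."""
    start = blob.find(b"complzss")
    if start < 0:
        raise ValueError("no comp/lzss header found")
    hdr = parse_complzss_header(blob, start)
    body = blob[start + HEADER_SIZE: start + HEADER_SIZE + hdr["compressed_size"]]
    kernel = lzss_decompress(body, hdr["uncompressed_size"])
    if len(kernel) != hdr["uncompressed_size"]:
        raise ValueError("short decompression: %d of %d bytes"
                         % (len(kernel), hdr["uncompressed_size"]))
    if zlib.adler32(kernel) != hdr["adler32"]:
        raise ValueError("Adler-32 mismatch: header 0x%08x, data 0x%08x"
                         % (hdr["adler32"], zlib.adler32(kernel)))
    return hdr, kernel


def build_sample_kernelcache():
    """Constructed sample (not a real kernelcache): 'abcabcabcabc' as 3 literals + one 9-byte match."""
    plain = b"abcabcabcabc"
    # flags 0x07 = three literals then a match; match at ring position 4078 (0xFEE), length 9
    comp = bytes([0x07]) + b"abc" + bytes([0xEE, 0xF6])
    hdr = struct.pack(HEADER_FMT, b"comp", b"lzss", zlib.adler32(plain), len(plain), len(comp), 1)
    return hdr.ljust(HEADER_SIZE, b"\0") + comp


if __name__ == "__main__":
    hdr, kernel = unpack_kernelcache(build_sample_kernelcache())
    print(hdr, kernel)
```

Checking the Adler-32 after decompression is what turns "the zip inflated, so the chain is probably intact" into a definite answer for the kernel itself: a single flipped byte in the compressed stream changes the output and is reported as a mismatch instead of being handed on to jtool.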
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x) %jtool -l /tmp/kernel                                        14:12
LC 00: LC_SEGMENT_64          Mem: 0xfffffff007004000-0xfffffff007064000	__TEXT
	Mem: 0xfffffff0070058a0-0xfffffff00701da44		__TEXT.__const	
	Mem: 0xfffffff00701da44-0xfffffff007062420		__TEXT.__cstring	(C-String Literals)
	Mem: 0xfffffff007062420-0xfffffff007063ff2		__TEXT.__os_log	
LC 01: LC_SEGMENT_64          Mem: 0xfffffff007064000-0xfffffff0070c8000	__DATA_CONST
	Mem: 0xfffffff007064000-0xfffffff007064210		__DATA_CONST.__mod_init_func	(Module Init Function Ptrs)
	Mem: 0xfffffff007064210-0xfffffff007064418		__DATA_CONST.__mod_term_func	(Module Termination Function Ptrs)
	Mem: 0xfffffff007068000-0xfffffff0070c52d8		__DATA_CONST.__const	
LC 02: LC_SEGMENT_64          Mem: 0xfffffff0070c8000-0xfffffff0075a4000	__TEXT_EXEC
	Mem: 0xfffffff0070c8000-0xfffffff0075a0720		__TEXT_EXEC.__text	(Normal)
LC 03: LC_SEGMENT_64          Mem: 0xfffffff0075a4000-0xfffffff0075a8000	__KLD
	Mem: 0xfffffff0075a4000-0xfffffff0075a5734		__KLD.__text	(Normal)
	Mem: 0xfffffff0075a5734-0xfffffff0075a5f0f		__KLD.__cstring	(C-String Literals)
	Mem: 0xfffffff0075a5f10-0xfffffff0075a5f78		__KLD.__const	
	Mem: 0xfffffff0075a5f78-0xfffffff0075a5f80		__KLD.__mod_init_func	(Module Init Function Ptrs)
	Mem: 0xfffffff0075a5f80-0xfffffff0075a5f88		__KLD.__mod_term_func	(Module Termination Function Ptrs)
	Mem: 0xfffffff0075a5f88-0xfffffff0075a5f89		__KLD.__bss	(Zero Fill)
LC 04: LC_SEGMENT_64          Mem: 0xfffffff0075a8000-0xfffffff0075ac000	__LAST
	Mem: 0xfffffff0075a8000-0xfffffff0075a8028		__LAST.__pinst	
	Mem: 0xfffffff0075a8028-0xfffffff0075a8030		__LAST.__mod_init_func	(Module Init Function Ptrs)
	Mem: 0xfffffff0075a8030-0xfffffff0075a8030		__LAST.__last	(Zero Fill)
LC 05: LC_SEGMENT_64          Mem: 0xfffffff0075ac000-0xfffffff007658000	__DATA
	Mem: 0xfffffff0075ac000-0xfffffff0075e6684		__DATA.__data	
	Mem: 0xfffffff0075e6684-0xfffffff0075e8994		__DATA.__sysctl_set	
	Mem: 0xfffffff0075e8994-0xfffffff0075e8994		__DATA.__llvm_prf_cnts	
	Mem: 0xfffffff0075e8994-0xfffffff0075e8994		__DATA.__llvm_prf_data	
	Mem: 0xfffffff0075e8994-0xfffffff0075e8994		__DATA.__llvm_prf_names	
	Mem: 0xfffffff0075e8994-0xfffffff0075e8994		__DATA.__llvm_prf_vnds	
	Mem: 0xfffffff0075e9000-0xfffffff0076550c4		__DATA.__bss	(Zero Fill)
	Mem: 0xfffffff007656000-0xfffffff0076570f0		__DATA.__common	(Zero Fill)
LC 06: LC_SEGMENT_64          Mem: 0xfffffff006370000-0xfffffff006714000	__PRELINK_TEXT
	Mem: 0xfffffff006370000-0xfffffff006714000		__PRELINK_TEXT.__text	
LC 07: LC_SEGMENT_64          Mem: 0xfffffff006714000-0xfffffff006ebc000	__PLK_TEXT_EXEC
	Mem: 0xfffffff006714000-0xfffffff006ebc000		__PLK_TEXT_EXEC.__text	
LC 08: LC_SEGMENT_64          Mem: 0xfffffff0076b8000-0xfffffff0077b4000	__PRELINK_DATA
	Mem: 0xfffffff0076b8000-0xfffffff0077b4000		__PRELINK_DATA.__data	
LC 09: LC_SEGMENT_64          Mem: 0xfffffff006ebc000-0xfffffff007004000	__PLK_DATA_CONST
	Mem: 0xfffffff006ebc000-0xfffffff007004000		__PLK_DATA_CONST.__data	
LC 10: LC_SEGMENT_64          Mem: 0xfffffff0077b4000-0xfffffff0077b4000	__PLK_LLVM_COV
	Mem: 0xfffffff0077b4000-0xfffffff0077b4000		__PLK_LLVM_COV.__llvm_covmap	
LC 11: LC_SEGMENT_64          Mem: 0xfffffff0077b4000-0xfffffff0077b4000	__PLK_LINKEDIT
	Mem: 0xfffffff0077b4000-0xfffffff0077b4000		__PLK_LINKEDIT.__data	
LC 12: LC_SEGMENT_64          Mem: 0xfffffff0077b4000-0xfffffff007900000	__PRELINK_INFO
	Mem: 0xfffffff0077b4000-0xfffffff007900000		__PRELINK_INFO.__info	
LC 13: LC_SEGMENT_64          Mem: 0xfffffff007658000-0xfffffff0076b77b0	__LINKEDIT
LC 14: LC_SYMTAB             
	Symbol table is at offset 0x614018 (6373400), 4632 entries
	String table is at offset 0x626198 (6447512), 136728 bytes
LC 15: LC_DYSYMTAB           	   No local symbols
	 4632 external symbols at index  0
	   No undefined symbols
	   No TOC
	   No modtab
	   No Indirect symbols

LC 16: LC_UUID               	UUID: AFA78BB9-59FE-33BA-A412-13E134E9698A
LC 17: LC_BUILD_VERSION      	Build Version:           Platform: BridgeOS 2.0.0
LC 18: LC_SOURCE_VERSION     	Source Version:          4570.20.58.0.0
LC 19: LC_UNIXTHREAD         	Entry Point:             0xfffffff0070d00c0
LC 20: LC_FUNCTION_STARTS    	Offset: 6355032, Size: 18368 (0x60f858-0x614018)
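Added example (not jtool, and not code from the page): a Python walker over the 64-bit Mach-O load commands that jtool -l lists above, decoding LC_SEGMENT_64, LC_UUID, LC_SOURCE_VERSION and LC_BUILD_VERSION, the command that identifies the platform as BridgeOS. Command numbers and the platform table are from mach-o/loader.h; the sample Mach-O is constructed inline and reuses only the __TEXT address, UUID and source version shown in the listing, nothing else of the real kernel.

```python
import struct
import uuid

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64, LC_UUID, LC_SOURCE_VERSION, LC_BUILD_VERSION = 0x19, 0x1B, 0x2A, 0x32
PLATFORMS = {1: "macOS", 2: "iOS", 3: "tvOS", 4: "watchOS", 5: "BridgeOS"}   # PLATFORM_* in loader.h


def _triplet(v):
    """Decode the xx.yy.zz packing used by LC_BUILD_VERSION minos/sdk."""
    return "%d.%d.%d" % (v >> 16, (v >> 8) & 0xFF, v & 0xFF)


def walk_load_commands(blob):
    magic, _cpu, _sub, _ftype, ncmds, _szcmds, _flags, _res = struct.unpack_from("<IiiIIIII", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (magic 0x%x)" % magic)
    off, cmds = 32, []                       # sizeof(mach_header_64) == 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > len(blob):
            raise ValueError("load command at 0x%x runs past the end of the file" % off)
        body = blob[off + 8: off + cmdsize]
        if cmd == LC_SEGMENT_64:
            name, vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, _ = \
                struct.unpack_from("<16sQQQQiiII", body, 0)
            cmds.append({"cmd": "LC_SEGMENT_64", "name": name.rstrip(b"\0").decode(),
                         "vmaddr": vmaddr, "vmsize": vmsize, "initprot": initprot, "nsects": nsects})
        elif cmd == LC_UUID:
            cmds.append({"cmd": "LC_UUID", "uuid": str(uuid.UUID(bytes=body[:16])).upper()})
        elif cmd == LC_SOURCE_VERSION:
            (v,) = struct.unpack_from("<Q", body, 0)             # A.B.C.D.E packed 24.10.10.10.10 bits
            parts = (v >> 40, (v >> 30) & 0x3FF, (v >> 20) & 0x3FF, (v >> 10) & 0x3FF, v & 0x3FF)
            cmds.append({"cmd": "LC_SOURCE_VERSION", "version": ".".join(str(p) for p in parts)})
        elif cmd == LC_BUILD_VERSION:
            platform, minos, sdk, ntools = struct.unpack_from("<IIII", body, 0)
            cmds.append({"cmd": "LC_BUILD_VERSION", "platform": PLATFORMS.get(platform, str(platform)),
                         "minos": _triplet(minos), "sdk": _triplet(sdk), "ntools": ntools})
        else:
            cmds.append({"cmd": "LC_0x%x" % cmd, "size": cmdsize})
        off += cmdsize
    return cmds


def build_platform(blob):
    """Platform name from LC_BUILD_VERSION, or None when the binary carries no such command."""
    for c in walk_load_commands(blob):
        if c["cmd"] == "LC_BUILD_VERSION":
            return c["platform"]
    return None


def build_sample_macho():
    """Constructed minimal Mach-O, not the real kernel; reuses a few values from the listing above."""
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT",
                      0xFFFFFFF007004000, 0x60000, 0, 0x60000, 5, 5, 0, 0)
    uid = struct.pack("<II", LC_UUID, 24) + uuid.UUID("AFA78BB9-59FE-33BA-A412-13E134E9698A").bytes
    src = struct.pack("<IIQ", LC_SOURCE_VERSION, 16, (4570 << 40) | (20 << 30) | (58 << 20))
    bld = struct.pack("<IIIIII", LC_BUILD_VERSION, 24, 5, 0x00020000, 0x00020000, 0)  # BridgeOS 2.0.0
    cmds = seg + uid + src + bld
    CPU_TYPE_ARM64, MH_EXECUTE = 0x0100000C, 2
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 4, len(cmds), 0, 0)
    return hdr + cmds


if __name__ == "__main__":
    for c in walk_load_commands(build_sample_macho()):
        print(c)
```

The bounds check on cmdsize matters when the input is an untrusted or damaged file: a load command claiming to extend past the end of the buffer is rejected instead of being parsed from whatever bytes follow, and a missing LC_BUILD_VERSION yields None rather than a guessed platform.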

morpheus@Zephyr (~/Documents/iOS/BridgeOS/x) % strings /tmp/kernel | grep Darw                          14:20
Darwin Kernel Version 17.2.0: Thu Sep 21 17:29:18 PDT 2017; root:xnu-4570.20.58~3/RELEASE_ARM64_T8010
Darwin
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x) %~/Documents/Work/JTool/joker -k /tmp/kernel               14:20
mmapped: 0x12a94c000
This is a 64-bit kernel from iOS 11.0 , or later This is a 64-bit kernel from iOS 11.x (b1+), or later (4570.20.58.0.0)
ARM64 Exception Vector is at file offset @0xc7000 (Addr: 0xfffffff0070cb000)
0xfffffff006370000: MAC Framework Pseudoextension (com.apple.kpi.dsep)
0xfffffff006370080: Private Pseudoextension (com.apple.kpi.private)
0xfffffff006370100: I/O Kit Pseudoextension (com.apple.kpi.iokit)
0xfffffff006370180: Libkern Pseudoextension (com.apple.kpi.libkern)
0xfffffff006370200: BSD Kernel Pseudoextension (com.apple.kpi.bsd)
0xfffffff006370280: AppleFSCompressionTypeZlib (com.apple.AppleFSCompression.AppleFSCompressionTypeZlib)
0xfffffff006371040: Mach Kernel Pseudoextension (com.apple.kpi.mach)
0xfffffff0063710c0: Unsupported Pseudoextension (com.apple.kpi.unsupported)
0xfffffff006371140: corecrypto (com.apple.kec.corecrypto)
0xfffffff0063846c0: IOSlowAdaptiveClockingFamily (com.apple.iokit.IOSlowAdaptiveClockingFamily)
0xfffffff006384c40: I/O Kit Storage Family (com.apple.iokit.IOStorageFamily)
0xfffffff006385c80: IOReportFamily (com.apple.iokit.IOReportFamily)
0xfffffff006386480: AppleARMPlatform (com.apple.driver.AppleARMPlatform)
0xfffffff00638f680: AppleH9CameraInterface (com.apple.driver.AppleH9CameraInterface)
0xfffffff0063968c0: AppleDiskImageDriver (com.apple.driver.DiskImages)
0xfffffff006397680: AppleDiskImagesKernelBacked (com.apple.driver.DiskImages.KernelBacked)
0xfffffff006397e40: I/O Kit PCI Family (com.apple.iokit.IOPCIFamily)
0xfffffff00639a200: AppleUSBCommon (com.apple.driver.usb.AppleUSBCommon)
0xfffffff00639ac80: I/O Kit Driver for USB Devices (com.apple.driver.AppleUSBHostMergeProperties)
0xfffffff00639b240: IOUSBDeviceFamily (com.apple.iokit.IOUSBDeviceFamily)
0xfffffff00639e580: IOKit Serial Port Family (com.apple.iokit.IOSerialFamily)
0xfffffff00639eec0: AppleMobileFileIntegrity (com.apple.driver.AppleMobileFileIntegrity)
0xfffffff0063ace00: IOHIDFamily (com.apple.iokit.IOHIDFamily)
0xfffffff0063ae640: I/O Kit Networking Family (com.apple.iokit.IONetworkingFamily)
0xfffffff0063b0040: IOSkywalkFamily (com.apple.iokit.IOSkywalkFamily)
0xfffffff0063b1740: AppleOnboardSerial (com.apple.driver.AppleOnboardSerial)
0xfffffff0063b3900: IOAccessoryManager (com.apple.iokit.IOAccessoryManager)
0xfffffff0063b7a80: IOSlaveProcessor (com.apple.driver.IOSlaveProcessor)
0xfffffff0063b8000: AppleA7IOP (com.apple.driver.AppleA7IOP)
0xfffffff0063bb500: RTBuddy (com.apple.driver.RTBuddy)
0xfffffff0063c7100: AppleARMPMU (com.apple.driver.AppleARMPMU)
0xfffffff0063c9b40: AppleEmbeddedTempSensor (com.apple.driver.AppleEmbeddedTempSensor)
0xfffffff0063cce00: AppleSMC (com.apple.driver.AppleSMC)
0xfffffff0063d27c0: AppleEmbeddedPCIeUpLinkMgmt (com.apple.driver.AppleEmbeddedPCIeUpLinkMgmt)
0xfffffff0063e0bc0: AppleDiskImagesUDIFDiskImage (com.apple.driver.DiskImages.UDIFDiskImage)
0xfffffff0063e1600: BridgeAudioPCIEP (com.apple.driver.AppleBridgeAudioPCIEP)
0xfffffff0063e3ec0: AppleUSBDeviceMux (com.apple.driver.AppleUSBDeviceMux)
0xfffffff0063e56c0: AppleHurricaneErrorHandler (com.apple.driver.AppleHurricaneErrorHandler)
0xfffffff0063e6d80: IODARTFamily (com.apple.driver.IODARTFamily)
0xfffffff0063e82c0: AppleS5L8960XDART (com.apple.driver.AppleS5L8960XDART)
0xfffffff0063e9a80: AppleSamsungSPI (com.apple.driver.AppleSamsungSPI)
0xfffffff0063eaa00: AppleS8000DWI (com.apple.driver.AppleS8000DWI)
0xfffffff0063eb1c0: pthread (com.apple.kec.pthread)
0xfffffff0063ecc00: FairPlayIOKit (com.apple.driver.FairPlayIOKit)
0xfffffff006406d00: IOTextEncryptionFamily (com.apple.IOTextEncryptionFamily)
0xfffffff006407640: Regular Expression Matching Engine (com.apple.kext.AppleMatch)
0xfffffff0064079c0: Seatbelt sandbox policy (com.apple.security.sandbox)
0xfffffff00646b800: IOSurface (com.apple.iokit.IOSurface)
0xfffffff00646f140: Apple M2 Scaler and Color Space Converter Driver (com.apple.driver.AppleM2ScalerCSCDriver)
0xfffffff00648cd40: IOAcceleratorFamily (com.apple.iokit.IOAcceleratorFamily)
0xfffffff006491100: AppleNANDConfigAccess (com.apple.driver.AppleNANDConfigAccess)
0xfffffff006491640: AppleDiagnosticDataAccessReadOnly (com.apple.driver.AppleDiagnosticDataAccessReadOnly)
0xfffffff006491dc0: IOHDCPFamily (com.apple.iokit.IOHDCPFamily)
0xfffffff006496e80: Libm.kext (com.apple.kec.Libm)
0xfffffff00649d340: IOAudio2Family (com.apple.iokit.IOAudio2Family)
0xfffffff00649dbc0: IOCECFamily (com.apple.iokit.IOCECFamily)
0xfffffff00649e540: IOAVFamily (com.apple.iokit.IOAVFamily)
0xfffffff0064af580: AppleT8012 (com.apple.driver.AppleT8012)
0xfffffff0064b1c80: AppleDiskImagesRAMBackingStore (com.apple.driver.DiskImages.RAMBackingStore)
0xfffffff0064b2240: AppleARMIISAudio (com.apple.iokit.AppleARMIISAudio)
0xfffffff0064b2f00: AppleEmbeddedAudio (com.apple.driver.AppleEmbeddedAudio)
0xfffffff0064b8b00: ApplePDMAudioT8012 (com.apple.driver.AppleT8012PDMAudio)
0xfffffff0064bc0c0: IOBufferCopyEngineFamily (com.apple.iokit.IOBufferCopyEngineFamily)
0xfffffff0064bfc40: AppleCSEmbeddedAudio (com.apple.driver.AppleCSEmbeddedAudio)
0xfffffff0064c1500: IOKit USB host family (com.apple.iokit.IOUSBHostFamily)
0xfffffff0064d1b00: AppleUSBVHCICommon (com.apple.driver.usb.AppleUSBVHCICommon)
0xfffffff0064d3f00: VHCI Controller Firmware Driver (com.apple.driver.usb.AppleUSBVHCIFirmware)
0xfffffff0064dcf00: AppleEffaceableStorage (com.apple.driver.AppleEffaceableStorage)
0xfffffff0064deac0: IOCryptoAcceleratorFamily (com.apple.iokit.IOCryptoAcceleratorFamily)
0xfffffff0064df980: AppleSEPManager (com.apple.driver.AppleSEPManager)
0xfffffff0064f5300: AppleSEPKeyStore (com.apple.driver.AppleSEPKeyStore)
0xfffffff0064f7680: AppleS5L8940XI2C (com.apple.driver.AppleS5L8940XI2C)
0xfffffff0064f8100: AppleEffaceableNOR (com.apple.driver.AppleEffaceableNOR)
0xfffffff0064f8740: AppleBCENORFlashDeviceEP (com.apple.driver.AppleBCENORFlashDeviceEP)
0xfffffff0064f98c0: AppleTAS5764Amp (com.apple.driver.AppleTAS5764Amp)
0xfffffff0064f9fc0: ApplePMGR (com.apple.driver.ApplePMGR)
0xfffffff006506ac0: AppleT8010CLPC (com.apple.driver.AppleT8010CLPC)
0xfffffff00650cc00: LSKDIOKitMSE (com.apple.driver.LSKDIOKitMSE)
0xfffffff006521300: HFS (com.apple.filesystems.hfs.kext)
0xfffffff0065334c0: AppleEmbeddedSimpleSPINORFlasherDriver (com.apple.AppleEmbeddedSimpleSPINORFlasher)
0xfffffff006534700: AppleEmbeddedUSB (com.apple.driver.AppleEmbeddedUSB)
0xfffffff006535dc0: AppleSynopsysOTGDevice (com.apple.driver.AppleSynopsysOTGDevice)
0xfffffff006538500: AppleEmbeddedLightSensor (com.apple.driver.AppleEmbeddedLightSensor)
0xfffffff006539d00: AppleSamsungSerial (com.apple.driver.AppleSamsungSerial)
0xfffffff00653a400: I/O Kit HID Event Driver Safe Boot (com.apple.iokit.IOHIDEventDriverSafeBoot)
0xfffffff00653a400: AppleBSDKextStarter (com.apple.driver.AppleBSDKextStarter)
0xfffffff00653a9c0: ProvInfoIOKit (com.apple.driver.ProvInfoIOKit)
0xfffffff00653ec40: AppleEmbeddedPCIE (com.apple.driver.AppleEmbeddedPCIE)
0xfffffff006545400: IONVMeFamily (com.apple.iokit.IONVMeFamily)
0xfffffff006550f80: AppleT8012PMGR (com.apple.driver.AppleT8012PMGR)
0xfffffff006553900: AppleHIDKeyboard (com.apple.driver.AppleHIDKeyboard)
0xfffffff006554a00: IOHIDRelayManager (com.apple.driver.IOHIDRelayManager)
0xfffffff006555240: IOTimeSyncFamily (com.apple.iokit.IOTimeSyncFamily)
0xfffffff006556e40: IOBufferCopyController (com.apple.iokit.IOBufferCopyController)
0xfffffff006557e80: AppleEmbeddedPUPConfigMgmt (com.apple.driver.AppleEmbeddedPUPConfigMgmt)
0xfffffff00655a1c0: IOUserEthernet (com.apple.iokit.IOUserEthernet)
0xfffffff00655ab00: AppleSEPCredentialManager (com.apple.driver.AppleSEPCredentialManager)
0xfffffff00655bd80: AppleFirmwareUpdateKext (com.apple.driver.AppleFirmwareUpdateKext)
0xfffffff00655eb00: MacEFIManager (com.apple.driver.MacEFIManager)
0xfffffff006563c00: AppleSPU (com.apple.driver.AppleSPU)
0xfffffff006566640: AppleAOPAudio (com.apple.driver.AppleAOPAudio)
0xfffffff00656c0c0: AppleEmbeddedPUPFirmwareService (com.apple.driver.AppleEmbeddedPUPFirmwareService)
0xfffffff00656c800: AppleM68Buttons (com.apple.driver.AppleM68Buttons)
0xfffffff00656db80: AppleS5L8960XWatchDogTimer (com.apple.driver.AppleS5L8960XWatchDogTimer)
0xfffffff00656e700: AppleUSBEthernetDevice (com.apple.driver.AppleUSBEthernetDevice)
0xfffffff00656f880: AppleS8000AES (com.apple.driver.AppleS8000AES)
0xfffffff0065713c0: AppleEffaceableBlockDevice (com.apple.driver.AppleEffaceableBlockDevice)
0xfffffff006571b80: AppleANS2OOB (com.apple.iokit.AppleANS2OOB)
0xfffffff006573040: I/O Kit HID Event Driver (com.apple.iokit.IOHIDEventDriver)
0xfffffff006573040: EncryptedBlockStorage (com.apple.iokit.EncryptedBlockStorage)
0xfffffff006573800: AppleT8010SOCTuner (com.apple.driver.AppleT8010SOCTuner)
0xfffffff006574440: LSKDIOKit (com.apple.driver.LSKDIOKit)
0xfffffff006591e00: apfs (com.apple.filesystems.apfs)
0xfffffff0065b1c80: AppleMCA2_T8012 (com.apple.driver.AppleMCA2-T8012)
0xfffffff0065b7840: IOMobileGraphicsFamily (com.apple.iokit.IOMobileGraphicsFamily)
0xfffffff0065bcf80: AppleMobileDispM8 (com.apple.driver.AppleMobileDispM8)
0xfffffff0065ce780: AppleMobileApNonce (com.apple.driver.AppleMobileApNonce)
0xfffffff0065cf7c0: AppleDiskImagesFileBackingStore (com.apple.driver.DiskImages.FileBackingStore)
0xfffffff0065cfe80: AVEBridge (com.apple.AVEBridge)
0xfffffff0065d0880: IOHIDRelayService (com.apple.driver.IOHIDRelayService)
0xfffffff0065d15c0: AppleDialogPMU (com.apple.driver.AppleDialogPMU)
0xfffffff0065d1e80: AppleD2449PMU (com.apple.driver.AppleD2449PMU)
0xfffffff0065d32c0: AppleBSDKextStarterVPN (com.apple.driver.AppleBSDKextStarterVPN)
0xfffffff0065d32c0: AppleSSM (com.apple.driver.AppleSSM)
0xfffffff0065d4000: AppleS5L8920XPWM (com.apple.driver.AppleS5L8920XPWM)
0xfffffff0065d4580: AppleDiskImagesReadWriteDiskImage (com.apple.driver.DiskImages.ReadWriteDiskImage)
0xfffffff0065d4ac0: AppleT8010PCIe (com.apple.driver.AppleT8010PCIe)
0xfffffff0065d7400: H264 Video Encoder (com.apple.driver.AppleAVE2)
0xfffffff0066f3900: AppleInterruptController (com.apple.driver.AppleInterruptController)
0xfffffff0066f47c0: AppleS5L8960XGPIOIC (com.apple.driver.AppleS5L8960XGPIOIC)
0xfffffff0066f5600: KernelRelayDevice (com.apple.driver.KernelRelayDevice)
0xfffffff0066fa0c0: AppleJPEGDriver (com.apple.driver.AppleJPEGDriver)
0xfffffff0066ffa40: AppleSART (com.apple.driver.AppleSART)
0xfffffff006700940: AppleSynopsysMIPIDSI (com.apple.driver.AppleSynopsysMIPIDSI)
0xfffffff006702880: AppleT8015DART (com.apple.driver.AppleT8015DART)
0xfffffff006704440: AppleSPMI (com.apple.driver.AppleSPMI)
0xfffffff006704d40: AppleT8012SmartIO (com.apple.driver.AppleT8012SmartIO)
0xfffffff00670f1c0: AppleUSBNetworking (com.apple.driver.usb.networking)
0xfffffff00670f800: AppleUSBDeviceNCM (com.apple.driver.AppleUSBDeviceNCM)
0xfffffff0067103c0: IOStreamFamily (com.apple.iokit.IOStreamFamily)
0xfffffff006710b80: AppleSamsungPKE (com.apple.driver.AppleSamsungPKE)
0xfffffff006711140: AppleHIDKeyboardEmbedded (com.apple.driver.AppleHIDKeyboardEmbedded)
0xfffffff006711140: AppleS5L8960XNCO (com.apple.driver.AppleS5L8960XNCO)
0xfffffff0067116c0: AppleS5L8960XUSB (com.apple.driver.AppleS5L8960XUSB)
0xfffffff006712000: AppleSummitLCD (com.apple.driver.AppleSummitLCD)
Got 145 kexts 


So we have:

.. and now for the image. Why Apple puts a PBZX inside a ZIP inside a PBZX eludes me, but...

morpheus@Zephyr (~/Documents/iOS/BridgeOS/x) %cat payloadv2/payload | ../../pbzx/pbzx.MacOS > p           14:20
Flags: 0x1000000
Chunk #1 (flags: 1000000, length: 4816048 bytes) 
OK!  (16777216 bytes)
Chunk #2 (flags: 1000000, length: 7874752 bytes) 
OK!  (16777216 bytes)
Chunk #3 (flags: 1000000, length: 3079704 bytes) 
OK!  (16777216 bytes)
Chunk #4 (flags: 1000000, length: 5389264 bytes) 
OK!  (16777216 bytes)
Chunk #5 (flags: 1000000, length: 4841232 bytes) 
OK!  (16777216 bytes)
Chunk #6 (flags: 1000000, length: 4940540 bytes) 
OK!  (16777216 bytes)
Chunk #7 (flags: 1000000, length: 4019124 bytes) 
OK!  (16777216 bytes)
Chunk #8 (flags: 1000000, length: 4791232 bytes) 
OK!  (16777216 bytes)
Chunk #9 (flags: 1000000, length: 2703368 bytes) 
OK!  (16777216 bytes)
Chunk #10 (flags: 1000000, length: 2521412 bytes) 
OK!  (16777216 bytes)
Chunk #11 (flags: 1000000, length: 3169308 bytes) 
OK!  (16777216 bytes)
Chunk #12 (flags: 1000000, length: 3729376 bytes) 
OK!  (16777216 bytes)
Chunk #13 (flags: 1000000, length: 7176888 bytes) 
OK!  (16777216 bytes)
Chunk #14 (flags: 1000000, length: 8234504 bytes) 
OK!  (16777216 bytes)
Chunk #15 (flags: 1000000, length: 6086444 bytes) 
OK!  (16777216 bytes)
Chunk #16 (flags: 1000000, length: 5591828 bytes) 
OK!  (16777216 bytes)
Chunk #17 (flags: 1000000, length: 5803520 bytes) 
OK!  (16777216 bytes)
Chunk #18 (flags: 1000000, length: 3437516 bytes) 
OK!  (16777216 bytes)
Chunk #19 (flags: 3e338e, length: 636632 bytes) 
OK!  (4075520 bytes)
Using my OTA Tool, we get:
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x) %mkdir y 
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x) %cd y 
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x/y) %otaa  -e '*' ../p 
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x/y) %ls -F                                                     14:24
Library/ System/  bin/     etc*     private/ sbin/    tmp*     usr/
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x/y) %ls bin                                                     14:25
df ps
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x/y) %ls sbin                                                    14:25
dmesg         fsck_hfs      ifconfig      mknod         mount_fdesc   nologin       route
dynamic_pager fstyp_msdos   kextunload    mount         mount_hfs     ping          rtsol
fsck          fstyp_ntfs    launchd       mount_apfs    newfs_apfs    ping6         umount
fsck_apfs     halt          md5           mount_devfs   newfs_hfs     quotacheck
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x/y) %ls usr/bin                                                 14:25
MacEFIUtil  buttontool  hidutil     sysdiagnose tailspin    vm_stat     zprint
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x/y) %ls usr/sbin                                                14:25
ac                distnoted         ioreg             rtadvd            taskpolicy
bridgeaudiod      filecoordinationd notifyd           sysctl
cfprefsd          gpt               nvram             syslogd
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x/y) %ls usr/libexec                                            14:25
AppleUVCCamera             diagnosticd                misagent                   securityd
CrashHousekeeping          eosd                       mobile_obliterator         seputil
IOAccelMemoryInfoCollector eostraced                  mobilewatchdog             smcDiagnose
LASecureIOd                fdrserviced                msutil                     tailspind
NANDTaskScheduler          fseventsd                  mtmergeprops               telnetd
UserEventAgent             getty                      multiversed                transitd
amfid                      hidd                       nfcd_relay                 trustd
aveserverd                 init_data_protection       path_helper                upsshutdown
bkremoted                  ioupsd                     pcapd                      vndevice
bridgeOSUpdated            keybagd                    relayd                     xartstoraged
cc_fips_test               logd                       remotectl                  xpcproxy
corebrightnessd            lskdd                      rtbuddyd                   xpcroleaccountd
dfrd                       lskdmsed                   sandboxd
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x/y) %ls Library                                                14:26
Audio               Logs                MobileDevice
Keychains           Managed Preferences Preferences
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x/y) %ls -F System/Library                                      14:26
AWD/                        CacheDelete/                Frameworks/                 Preferences/
AccessoryUpdaterBundles/    Caches/                     HIDPlugins/                 PrivateFrameworks/
AppleUSBDevice/             CoreServices/               LaunchDaemons/              SoftwareUpdateCertificates/
AssetTypeDescriptors/       DFR/                        MultiversePlugins/          SystemConfiguration/
Audio/                      Extensions/                 Obliteration/               UserEventPlugins/
Bundles/                    Filesystems/                Perl/
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x/y) %ls  -F System/Library/PrivateFrameworks                   14:26
APFS.framework/                       IOMobileFramebuffer.framework/
AggregateDictionary.framework/        LoggingSupport.framework/
AggregateDictionaryHistory.framework/ MediaKit.framework/
AppleFSCompression.framework/         MobileAccessoryUpdater.framework/
AppleJPEG.framework/                  MobileDeviceLink.framework/
AppleM8CameraInterface.framework/     MobileInstallation.framework/
AppleSauce.framework/                 MobileKeyBag.framework/
AssertionServices.framework/          MobileObliteration.framework/
AudioServerApplication.framework/     MobileSoftwareUpdate.framework/
AudioServerDriver.framework/          MobileSystemServices.framework/
BaseBoard.framework/                  MultitouchSupport.framework/
BiometricSupport.framework/           MultiverseSupport.framework/
Bom.framework/                        Network.framework/
BridgeAccessibilitySupport.framework/ NetworkStatistics.framework/
BridgeXPC.framework/                  OAuth.framework/
CommonAuth.framework/                 OSAnalytics.framework/
CoreAnalytics.framework/              PASampling.framework/
CoreBrightness.framework/             PowerLog.framework/
CoreServicesInternal.framework/       ProtocolBuffer.framework/
CoreSpeech.framework/                 RemoteServiceDiscovery.framework/
CoreSymbolication.framework/          RemoteXPC.framework/
CrashReporterSupport.framework/       ServiceManagement.framework/
Dis.framework/                        StreamingZip.framework/
EZSockets.framework/                  Symbolication.framework/
EmbeddedOSSupport.framework/          UserManagement.framework/
FileProvider.framework/               VideoToolbox.framework/
FoundationODR.framework/              VoiceTrigger.framework/
GPUSupport.framework/                 dfrdSupport.framework/
GraphicsServices.framework/           kperf.framework/
Heimdal.framework/                    kperfdata.framework/
IOAccelMemoryInfo.framework/          ktrace.framework/
IOAccelerator.framework/
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x/y) %ls  -F System/Library/Frameworks                          14:26
AVFAudio.framework/            CoreFoundation.framework/      ImageIO.framework/
Accelerate.framework/          CoreGraphics.framework/        MobileCoreServices.framework/
AudioToolbox.framework/        CoreMedia.framework/           OpenGL.framework/
AudioUnit.framework/           CoreVideo.framework/           OpenGLES.framework/
CFNetwork.framework/           Foundation.framework/          System.framework/
CoreAudio.framework/           GSS.framework/                 SystemConfiguration.framework/
CoreData.framework/            IOKit.framework/
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x/y) %ls private/etc                                             14:26
asl           fstab         hosts         networks      notify.conf   passwd        services
asl.conf      group         master.passwd newsyslog.d   pam.d         protocols     ttys
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x/y) %head  private/etc/master.passwd                            14:26
##
# User Database
# 
# This file is the authoritative user database.
##
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501::0:0:Mobile User:/var/mobile:/bin/sh
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x/y) %ls System/Library/CoreServices                            14:30
BridgeVersion.plist DumpPanic           ReportCrash         SystemVersion.plist powerd.bundle
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x/y) %ls System/Library/CoreServices/SystemVersion.plist        14:30
System/Library/CoreServices/SystemVersion.plist
morpheus@Zephyr (~/Documents/iOS/BridgeOS/x/y) %cat System/Library/CoreServices/SystemVersion.plist       14:30
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>BuildID</key>
	<string>B6A89ECA-A279-11E7-8C4B-7DE9B500EB51</string>
	<key>ProductBuildVersion</key>
	<string>15P254</string>
	<key>ProductCopyright</key>
	<string>1983-2017 Apple Inc.</string>
	<key>ProductName</key>
	<string>Bridge OS</string>
	<key>ProductVersion</key>
	<string>2.0</string>
	<key>SystemImageID</key>
	<string>D3FEF8FA-A280-11E7-8A45-CFDAC4397AD6</string>
</dict>
</plist>

This tells us: