Starting with iOS 10.0 Apple decrypted the file system and kernel cache. All you have to do is download an IPSW, change the extension to .zip, and unarchive it. The largest size disk image inside the unarchived zip will be the root file system. Simply mount it to see its contents.
Links to download all iOS IPSWs.
Originally from /u/RowRocka on Reddit. Gently edited for clarity.
Links to download all iOS OTA ZIPs.
- Unzip the OTA
.zip. - Download Jonatan Levin's OTApack and unzip it into the same directory that you unzipped the OTA image to.
- Open up Terminal and
cdto the aforementioned directory. - Execute
./pbzx AssetData/payloadv2/payload > pb.xz - Unarchive the pb.xz file with The Unarchiver.
- Go back to Terminal and execute these commands:
mkdir rootfs
mv ./pb ./rootfs
cd rootfs
../otaa -e '*' ./pb- Done
- Unzip the OTA
.zip. - Go to
AssetData/boot. - Open a Terminal and
cdto the unzipped OTA image directory. - Execute
cp /AssetData/boot/kernelcache.release.***** (check what your filename is) ./ - Compile
lzssdec.cppfrom here. - Open the kernel cache file with a Hex editor (I recomend Hex Fiend) and find
0xFEEDFACE. Note the offset. - Execute
./lzssdec -o OFFSET_YOUVE_NOTED_IN_STEP_6 < kernelcache.release.***** > kernelcache.decrypted - Done