Basically, the app uses xpwntool and especially dmg.exe to Decrypt the ROOT FS DMG file inside the.IPSW Firmware using appropriate Firmware Keys, then using the same keys it encrypts back your modified ROOT File System DMG. The same thing applies to ramdisk DMGs inside the IPSW Firmware.
Firmwares come as .ipsw files, which are .zip files in disguise.
Here's what the folder structure looks like (example: iPhone5,4 on iOS 9.2.1):
All of these files can be extracted using keys and xpwn.
Firmware keys are posted on
For the kernelcache, run:
xpwntool path/to/cache /path/to/output -k KEY -iv IV -decrypt
The root filesystem is in the largest DMG file of the .ipsw. To extract it, download dmg (OS X, Windows). Make sure dmg or dmg.exe is in your path and execute one of the following:
./dmg input.dmg output.dmg -k KEY
(OS X)dmg.exe input.dmg output.dmg -k KEY
(Windows)