{"id":51015,"date":"2026-02-18T17:18:02","date_gmt":"2026-02-18T22:18:02","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=51015"},"modified":"2026-02-18T17:18:02","modified_gmt":"2026-02-18T22:18:02","slug":"apples-car-file-format","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2026\/02\/18\/apples-car-file-format\/","title":{"rendered":"Apple&rsquo;s .car File Format"},"content":{"rendered":"<p><a href=\"https:\/\/dbg.re\/posts\/car-file-format\/\">Ordinal0<\/a> (via <a href=\"https:\/\/news.ycombinator.com\/item?id=47014002\">Hacker News<\/a>):<\/p>\n<blockquote cite=\"https:\/\/dbg.re\/posts\/car-file-format\/\">\n<p>In this post, I&rsquo;ll walk through the process of reverse engineering the <code>.car<\/code> file format, explain its internal structures, and show how to parse these files programmatically. This knowledge could be useful for security research and building developer tools that does not rely on Xcode or Apple&rsquo;s proprietary tools.<\/p>\n<p>As part of this research, I&rsquo;ve built a custom parser and compiler for <code>.car<\/code> files that doesn&rsquo;t depend on any of Apple&rsquo;s private frameworks or proprietary tools. To make this research practical, I&rsquo;ve compiled my parser to WebAssembly so it runs entirely in your browser, so no server uploads required. You can drop any <code>.car<\/code> file into the <a href=\"https:\/\/dbg.re\/posts\/car-file-format#interactive-demo\">interactive demo<\/a> below to explore its content.<\/p>\n<p>[&#8230;]<\/p>\n<p>From the decompiled <code>BOMStorageOpenWithSys<\/code> function shown above, we can infer the overall layout of a BOM file. It begins with a fixed-size header, followed by a block index table and a variables table.<\/p>\n<p>[&#8230;]<\/p>\n<p>While standard BOM files store installer package manifests, <code>.car<\/code> files repurpose the container for asset storage.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Ordinal0 (via Hacker News): In this post, I&rsquo;ll walk through the process of reverse engineering the .car file format, explain its internal structures, and show how to parse these files programmatically. This knowledge could be useful for security research and building developer tools that does not rely on Xcode or Apple&rsquo;s proprietary tools. As part [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2026-02-18T22:18:06Z","apple_news_api_id":"5acf9e44-1ad3-4c85-b051-802c6165a01c","apple_news_api_modified_at":"2026-02-18T22:18:06Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/AWs-eRBrTTIWwUYAsYWWgHA","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[2352,30,2742,270,1231],"class_list":["post-51015","post","type-post","status-publish","format-standard","hentry","category-technology","tag-asset-catalog-car","tag-mac","tag-macos-tahoe-26","tag-parser","tag-webassembly"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/51015","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=51015"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/51015\/revisions"}],"predecessor-version":[{"id":51016,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/51015\/revisions\/51016"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=51015"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=51015"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=51015"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}