iokit-dumper-arm64 + libdump

iokit-dumper-arm64 is the static iOS AArch64 version for iokit-dumper.
It uses a dumped 64-bit kernelcache to rebuild the IOKit classes hierarchy for a specific image in the kernelcache, and generate a DOT graph for it. You can see some example generated graphs below, in the Examples section.

How to use

Firstly, to generate DOT graphs you will need dot installed. Do:

brew install graphviz

And test with:

dot -v

Now, the arguments accepted by iokit-dumper-arm64:

• -f: It specifies the kernelcache path to work with.
• -o: It specifies the output path. The output file name is auto-generated. If not specified, default path used will be /tmp.
• -n: it specifies the image to dump name. If not specified, all images will be dumped. Pass the string kernel to dump the kernel hierarchy. Pass a KEXT bundle name (Ex. com.apple.iokit.IOHIDFamily) to dump that KEXT hierarchy.
• -c: Auto convert. If specified, it automatically runs a dot command at the end of the dumping process to generate a PDF file containing the graph.

Example usage to dump kernel hierarchy to Desktop:

./iokit-dumper-arm64 -f /path/to/kernelcache.dump -n kernel -o /Users/$USER/Desktop/ -c

libdump

libdump is a kind-of AArch64 emulator. It is quite sloppy and relies on capstone. It has been written specifically for this project, but it could become a totally separated project in the future.

Notes

I have added some basic support for unencrypted kernelcaches, but it has not been tested on enough cases to say it's perfect. Also the code needs a major refactor and cleanup, so keep in mind that stuff may happen.

If you feel like contrinuting, do not hesitate doing so! Just submit a pull request. I would really appreciate some help.

Future updates are planned, and improvements are coming.

Thanks

• i0n1c (https://twitter.com/i0n1c) - for providing DOT source files from his tool (https://github.com/stefanesser/ios-kerneldocs). Was very useful to improve the DOT file generation code and for double checking my algorithm was working correctly.
• jlevin (https://twitter.com/Morpheus______) - for providing useful tools such as joker, which helped me out a lot with this project.

Examples

Here are some generated graphs as an example:

IOAudio2Family

IOHIDFamily

IOAcceleratorFamily2

TODO

A list of to-do for updates.

• Code cleanup
• Fix KEXT identification algorithm (it is buggy in some cases)
• Unencrypted kernelcaches support
• Add graph customization and details