jsherman212 / xnuspy

an iOS kernel function hooking framework for checkra1n'able devices


rllbe opened this issue · comments

commented

Sorry

Hey, I was gonna respond but I didn't have time yesterday and Github was down for like two hours today. Please don't feel bad or anything, I'm happy to help you.

I remember you talked about joker and ipa downloads? First, if you're downloading ipa files, those aren't kernels, and second, joker is right for kernel stuff but it's sort of outdated. Its successor is jtool2, but I haven't used any of its symbolication functionality so I can't speak for it.

The main way I figure out the offsets of the functions I want to hook is by cross referencing my kernel with XNU source. You can get the latest XNU tarball at this page - https://opensource.apple.com/tarballs/xnu/ - usually what I do is find some string in the function I wanna hook, or near a call to it, and xref it in IDA and that always works.

Also, sometimes Apple leaks kernels with symbols by accident. They did this two times with the first beta of iOS 12 and the fourth beta of iOS 14. Obviously the fourth beta of iOS 14 is the most recent so you should use that to cross reference with your kernel if you're having trouble finding a string to xref. I'm sure you can find it easily with google :)
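As an added illustration of what the string xref in IDA resolves at the instruction level (example code, not from this thread or from the xnuspy project): on arm64 a string address is normally materialised by an ADRP/ADD pair, so scanning the kernelcache text for pairs whose result equals the string's address recovers the referencing code. The text bytes, base address and string address below are constructed, not taken from a real kernel.

```python
import struct

def decode_adrp(insn, pc):
    """If insn is ADRP Xd, #page, return (Xd, page address), else None."""
    if (insn & 0x9F000000) != 0x90000000:
        return None
    immlo = (insn >> 29) & 0x3
    immhi = (insn >> 5) & 0x7FFFF
    imm = (immhi << 2) | immlo
    if imm & (1 << 20):          # sign-extend the 21-bit page immediate
        imm -= 1 << 21
    page = ((pc & ~0xFFF) + (imm << 12)) & 0xFFFFFFFFFFFFFFFF
    return insn & 0x1F, page

def decode_add_imm(insn):
    """If insn is 64-bit ADD Xd, Xn, #imm12 (unshifted), return (Xd, Xn, imm12), else None."""
    if (insn & 0xFFC00000) != 0x91000000:
        return None
    return insn & 0x1F, (insn >> 5) & 0x1F, (insn >> 10) & 0xFFF

def find_string_xrefs(text, text_base, target, window=8):
    """Return the addresses of ADRP instructions that, together with a following
    ADD on the same register (within `window` instructions), produce `target`."""
    count = len(text) // 4
    words = struct.unpack(f"<{count}I", text[: count * 4])
    hits = []
    for i, insn in enumerate(words):
        pc = text_base + 4 * i
        adrp = decode_adrp(insn, pc)
        if adrp is None:
            continue
        reg, page = adrp
        for j in range(i + 1, min(i + 1 + window, count)):
            add = decode_add_imm(words[j])
            if add and add[1] == reg and page + add[2] == target:
                hits.append(pc)
                break
    return hits

# Constructed sample: a five-instruction "text" segment where the ADRP X8 / ADD X0, X8
# pair points at a made-up cstring at SAMPLE_STRING.
SAMPLE_BASE = 0xFFFFFFF007000000
SAMPLE_STRING = 0xFFFFFFF007A01234
SAMPLE_TEXT = struct.pack("<5I",
    0xD503201F,   # NOP
    0xB0005008,   # ADRP X8, page(SAMPLE_STRING)
    0xAA0103E0,   # MOV X0, X1 (unrelated instruction between the pair)
    0x9108D100,   # ADD X0, X8, #0x234
    0xD65F03C0)   # RET
```

Running find_string_xrefs(SAMPLE_TEXT, SAMPLE_BASE, SAMPLE_STRING) yields the address of the ADRP, which is the instruction IDA would list as the xref; on a real kernelcache the same scan is run over the __TEXT_EXEC segment bytes with its load address.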

commented

Yeah thanks for your help. I just thought the "dyld_shared_cache" file on device was the kernel cache. I feel like an idiot. Now I figured out the correct way to get the kernel cache and got open1 address with my test devices. Maybe I'll just test them later and post those addresses here for you to add to the example.

For the ipa thing, I found someone shared a link to an ipa which dumps kernel cache from memory on device. The link is http://coffeebreakers.space/kdump.ipa but it's dead.

Again thanks for your kind help.

No problem. You also no longer have to dump the kernel from memory since they aren't encrypted in the IPSW that belongs to your device/iOS version. The easiest way to get a kernel is to go to ipsw.me and download the IPSW that corresponds to your device. Then unzip it and you'll see kernelcache.release.xxx files, where xxx varies. They're compressed, though, and before IDA auto decompressed them, I'd use jtool2 to do that job:

jtool2 -dec kernelcache.release.xxx && mv /tmp/kernel kernelcache.release.xxx.dec

Also please don't feel bad 😅 nothing wrong with a couple questions

commented

Yeah I just found a project which is very convenient for downloading and extracting/analyzing ipsw:
https://blacktop.github.io/ipsw/ (or brew install blacktop/tap/ipsw with homebrew)
With this tool installed just use ipsw download ipsw --device iPhone9,2 --build 18C66 and then ipsw kernel extract <the ipsw file> to get the kernel extracted and ready for jtool2 --analyze.

And here are some offsets for iPhone 7 Plus (iPhone9,2), iOS 14.3 (18C66):
open1 = 0xfffffff0073185c4
faccessat_internal = 0xfffffff00731cac0
sysctl_root = 0xfffffff007584f20
and thanks for your great project :)

awesome, thx for the offsets! I'll add them in a couple days