Difference between revisions of "Kernel Dumping"

(Created page with "Dumping the kernel is a method used to find offsets in the kernel, the reason this works is because since KASLR is added you have to find the new offsets for each boot, once y...")
 
m (formatting)
 
(2 intermediate revisions by one other user not shown)
Line 4: Line 4:
 
the kernel.
 
the kernel.
   
== Code to dump the Kernel ==
+
== Code ==
#include <stdio.h>
+
#include <stdio.h>
#include <unistd.h>
+
#include <unistd.h>
#include <CoreFoundation/CoreFoundation.h>
+
#include <CoreFoundation/CoreFoundation.h>
#include <sys/types.h>
+
#include <sys/types.h>
#include <sys/sysctl.h>
+
#include <sys/sysctl.h>
#include <mach/mach.h>
+
#include <mach/mach.h>
  +
 
  +
 
printf("task_for_pid returned %x : missing tfp0 kernel patch or wrong entitlements\n", r);
+
printf("task_for_pid returned %x : missing tfp0 kernel patch or wrong entitlements\n", r);
return 0;
+
return 0;
}
+
}
uint32_t i;
+
uint32_t i;
pointer_t buf;
+
pointer_t buf;
unsigned int sz;
+
unsigned int sz;
+
vm_address_t addr = 0x80002000;
+
vm_address_t addr = 0x80002000;
FILE *fp = fopen("kernel.bin", "wb+");
+
FILE *fp = fopen("kernel.bin", "wb+");
if(!fp)
+
if (fp != NULL)
{
+
{
printf("Failed to open kernel.bin\n");
+
printf("Failed to open kernel.bin\n");
return -1;
+
return -1;
}
+
}
  +
 
  +
fclose(fp);
addr += 2048;
 
  +
printf("Kernel dump is done\n");
}
 
  +
}
printf("Kernel dump is done\n");
 
mach_port_t kernel_task=0;
+
mach_port_t kernel_task = 0;
int main(int argc, char** argv)
+
int main(int argc, char** argv)
{
+
{
kern_return_t r = task_for_pid(mach_task_self(), 0, &kernel_task);
+
kern_return_t r = task_for_pid(mach_task_self(), 0, &kernel_task);
+
if( r != 0)
+
if (r != 0)
{
+
{
while( addr < (0x80002000 + 0x1F0000))
+
while (addr < (0x80002000 + 0x1F000000))
{
+
{
vm_read(kernel_task, addr, 2048, &buf, &sz);
+
vm_read(kernel_task, addr, 2048, &buf, &sz);
if( buf == NULL || sz == 0)
+
if (buf == NULL || sz == 0)
continue;
+
continue;
uint8_t* p = (uint8_t*) buf;
+
uint8_t* p = (uint8_t*)buf;
fwrite(p, 2048, 1, fp);
+
fwrite(p, 2048, 1, fp);
+
+
addr += 2048;
+
}
fclose(fp);
+
return 0;
return -1;
 
}
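Review bot: The new side inverts the fopen() check — `if (fp != NULL)` where the old revision had `if(!fp)` — so a successful open prints "Failed to open kernel.bin" and returns -1, while a failed open falls through to fwrite() on a NULL stream; it should read `if (fp == NULL)`. The loop bound also changed from `0x1F0000` to `0x1F000000`, a factor of 0x100 that the "formatting" summary does not explain, so it is worth confirming which span is intended. Separately, the `continue` after `vm_read()` runs before `addr += 2048`, so an unreadable chunk is retried forever instead of skipped, and the out-of-line buffer vm_read() hands back is never released with vm_deallocate(). main()'s body is only partly visible in this rendered diff, so the surrounding lines are inferred from the listing below.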
 

Latest revision as of 20:23, 30 March 2015

Dumping the kernel is a method used to find offsets in the kernel. It works because, since KASLR was added, the offsets have to be found anew on each boot: once you have dumped all the kernel memory and fwrite() everything into a .bin file, you can use ios-jailbreak-patchfinder on that file to find every offset needed to patch the kernel.

Code

#include <stdio.h>
#include <unistd.h>
#include <CoreFoundation/CoreFoundation.h>
#include <sys/types.h>
#include <sys/sysctl.h>
#include <mach/mach.h>

/* Kernel task port; 0 until task_for_pid(..., 0, ...) in main() fills it in. */
mach_port_t kernel_task = 0;

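/*
 * Dump the kernel address range to "kernel.bin" in 2048-byte reads.
 *
 * Obtains the kernel task port with task_for_pid(0) (needs the tfp0 patch
 * or entitlement, as the message below says), then walks
 * [KERNEL_BASE, KERNEL_BASE + KERNEL_SPAN) with vm_read(), appending each
 * readable chunk to the output file. Unreadable chunks are skipped.
 *
 * Returns 0 on success, 1 when the kernel task port cannot be obtained,
 * and -1 when the output file cannot be opened or written.
 */
int main(int argc, char** argv)
{
    /* Values as given in the listing; an earlier revision of the page used
     * 0x1F0000 for the span — confirm which one is intended. */
    enum { CHUNK = 2048 };
    const vm_address_t KERNEL_BASE = 0x80002000;
    const vm_address_t KERNEL_SPAN = 0x1F000000;

    (void)argc;
    (void)argv;

    kern_return_t r = task_for_pid(mach_task_self(), 0, &kernel_task);
    if (r != 0)
    {
        printf("task_for_pid returned %x : missing tfp0 kernel patch or wrong entitlements\n", r);
        return 1;   /* was 0: a dump that never started must not exit as success */
    }

    FILE *fp = fopen("kernel.bin", "wb+");
    if (fp == NULL)   /* the listing tested fp != NULL, which is inverted */
    {
        printf("Failed to open kernel.bin\n");
        return -1;
    }

    int rc = 0;
    /* addr advances in the for-header, so a failed read skips the chunk
     * instead of retrying it forever as the original `continue` did. */
    for (vm_address_t addr = KERNEL_BASE; addr < KERNEL_BASE + KERNEL_SPAN; addr += CHUNK)
    {
        pointer_t buf = 0;
        unsigned int sz = 0;

        if (vm_read(kernel_task, addr, CHUNK, &buf, &sz) != 0 || buf == 0 || sz == 0)
            continue;

        /* Write only the bytes actually returned; the original wrote a fixed
         * 2048 from a buffer that may be shorter. */
        size_t written = fwrite((const uint8_t *)buf, 1, sz, fp);

        /* vm_read returns an out-of-line buffer mapped into this task; it has
         * to be released or every chunk leaks. */
        vm_deallocate(mach_task_self(), buf, sz);

        if (written != sz)
        {
            printf("Failed to write kernel.bin\n");
            rc = -1;
            break;
        }
    }

    if (fclose(fp) != 0 && rc == 0)
    {
        printf("Failed to close kernel.bin\n");
        rc = -1;
    }

    if (rc == 0)
        printf("Kernel dump is done\n");
    return rc;
}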