Difference between revisions of "Kernelcache"

From The iPhone Wiki
Jump to: navigation, search
(Updated for GSM iPhone 4)
(Add introduction of a useful kernelcache analyzing tool)
 
(4 intermediate revisions by 3 users not shown)
Line 1: Line 1:
The kernelcache is basically the [[kernel]] itself as well as all of its extensions (AppleImage3NORAccess, IOAESAccelerator, IOPKEAccelerator, etc.) into one file, then packed/encrypted in an [[IMG3 File Format|IMG3]] (iOS 2.0 and above) or [[S5L File Formats#8900|8900]] (iOS 1.0 through 1.1.4) container.
+
The kernelcache is basically the [[kernel]] itself as well as all of its extensions (AppleImage3NORAccess, IOAESAccelerator, IOPKEAccelerator, etc.) into one file, then packed/encrypted in an [[IMG3 File Format|IMG3]] (iPhone OS 2.0 and above) or [[S5L File Formats#8900|8900]] (iPhone OS 1.0 through 1.1.4) container.
   
 
[[Category:Filesystem]]
 
[[Category:Filesystem]]
   
The joker tool, from http://newosxbook.com/ can be used to dump information from a decrypted kernelcache - including system call and Mach trap addresses (in the kernel) as well as a list of all the KEXTs contained therein and their load addresses. The output from a 6.1.3 kernelcache (iPhone 4 GSM) using this tool, showing 153 kexts, is as follows:
+
The joker tool, from http://newosxbook.com/ can be used to dump information from a decrypted kernelcache - including system call and Mach trap addresses (in the kernel) as well as a list of all the KEXTs contained therein and their load addresses. The output from a 6.1.3 kernelcache ([[N90AP|iPhone 4 (iPhone3,1)]]) using this tool, showing 153 kexts, is as follows:
   
 
<pre>
 
<pre>
Line 161: Line 161:
 
Kext: Embedded I/O Kit Driver for USB EHCI Controllers @0x80c83000 (File: 0xc42000) (com.apple.driver.AppleUSBEHCIARM)
 
Kext: Embedded I/O Kit Driver for USB EHCI Controllers @0x80c83000 (File: 0xc42000) (com.apple.driver.AppleUSBEHCIARM)
   
  +
</pre>
  +
  +
As of the iPhone11 (iPhone XS/R) and iOS 12, Apple has moved to a new kernelcache format. This is recognizable by an LC_SOURCE_VERSION which is much Lower than that of XNU's (1469 for iOS12, 17xx for iOS13), likely an artifact of misconfiguration on Apple's side, since it matches the source version of the kernelcache builder.
  +
  +
The new kernelcaches are monolithic and tightly linked, in that KEXT code is interspersed with the kernel's own. They are also fully stripped of all symbols. The joker tool's most useful feature, Kextraction (extracting kexts from the kernelcache) can therefore no longer be used (and, in fact, there is no straightforward way to extract kexts anymore from these caches). Joker has been superseded by jtool2's --analyze option, which can effectively symbolicate 1000s (3,000-8,000, depending on iOS version) of symbols.
  +
  +
The tool ioskextdump developed by cocoahuke used a disassembly framework Capstone to further analyze iOS kernelcache and dump information that's incredibly useful for vulnerability research - including
  +
* Name, Address, size, vtable of all IOKit base classes and derived classes
  +
* The inheritance for all IOKit derived classes
  +
* All function addresses and corresponding positions in the vtable
  +
* Symbolizes every functions in each derived class
  +
* Lists all override functions in each derived class
  +
* Detects IOExternalMethodDispatch structure in each UserClient class
  +
  +
The developer has made adjustments to support iOS 8-13 kernelcache, as well as for different architectures such as arm32, arm64, x86_64. The following is an output snippet of analyzing iOS 12.3 kernelcache using ioskextdump_ios10, showing the detailed information of IOHIDLibUserClient. There are a total of 1860 IOKit classes in this output, you can download the full output here.
  +
  +
<pre>
  +
******** 1:com.apple.iokit.IOHIDFamily *******
  +
(0xfffffff005ff7ee8)->OSMetaClass:OSMetaClass call 4 args list
  +
x0:0xfffffff00775bb40
  +
x1:IOHIDLibUserClient
  +
x2:0xfffffff007668400
  +
x3:0x150
  +
vtable start from addr 0xfffffff006deef70
  +
Inheritance relationship: IOUserClient->IOService->IORegistryEntry->OSObject
  +
  +
override: IOUserClient_IOUserClient loc:0xfffffff006deef70 imp:0xfffffff005ff500c
  +
override: IOUserClient_~IOUserClient loc:0xfffffff006deef78 imp:0xfffffff005ff5010
  +
override: IOUserClient_getMetaClass loc:0xfffffff006deefa8 imp:0xfffffff005ff5028
  +
override: IOUserClient_free loc:0xfffffff006deefd8 imp:0xfffffff005ff63c0
  +
override: IORegistryEntry_setProperties loc:0xfffffff006def0c8 imp:0xfffffff005ff65a8
  +
override: IOService_didTerminate loc:0xfffffff006def1d0 imp:0xfffffff005ff6370
  +
override: IOService_start loc:0xfffffff006def218 imp:0xfffffff005ff5a04
  +
override: IOService_stop loc:0xfffffff006def220 imp:0xfffffff005ff5e9c
  +
override: IOService_attach loc:0xfffffff006def2c8 imp:0xfffffff005ff7dac
  +
override: IOService_message loc:0xfffffff006def388 imp:0xfffffff005ff64a8
  +
override: IOUserClient_externalMethod loc:0xfffffff006def4a8 imp:0xfffffff005ff60d0
  +
override: IOUserClient_initWithTask loc:0xfffffff006def4c0 imp:0xfffffff005ff585c
  +
override: IOUserClient_clientClose loc:0xfffffff006def4c8 imp:0xfffffff005ff59e0
  +
override: IOUserClient_registerNotificationPort loc:0xfffffff006def4e0 imp:0xfffffff005ff65c8
  +
override: IOUserClient_clientMemoryForType loc:0xfffffff006def4f8 imp:0xfffffff005ff67a8
  +
override: IOUserClient_IOUserClient loc:0xfffffff006deef70 imp:0xfffffff005ff500c
  +
override: IOUserClient_~IOUserClient loc:0xfffffff006deef78 imp:0xfffffff005ff5010
  +
override: IOUserClient_getMetaClass loc:0xfffffff006deefa8 imp:0xfffffff005ff5028
  +
override: IOUserClient_free loc:0xfffffff006deefd8 imp:0xfffffff005ff63c0
  +
override: IORegistryEntry_setProperties loc:0xfffffff006def0c8 imp:0xfffffff005ff65a8
  +
override: IOService_didTerminate loc:0xfffffff006def1d0 imp:0xfffffff005ff6370
  +
override: IOService_start loc:0xfffffff006def218 imp:0xfffffff005ff5a04
  +
override: IOService_stop loc:0xfffffff006def220 imp:0xfffffff005ff5e9c
  +
override: IOService_attach loc:0xfffffff006def2c8 imp:0xfffffff005ff7dac
  +
override: IOService_message loc:0xfffffff006def388 imp:0xfffffff005ff64a8
  +
  +
0 func:0xfffffff005ff514c scalar_i:0x0 struct_i:0x0 scalar_o:0x2 struct_o:0x0
  +
1 func:0xfffffff005ff5164 scalar_i:0x1 struct_i:0x0 scalar_o:0x0 struct_o:0x0
  +
2 func:0xfffffff005ff5170 scalar_i:0x0 struct_i:0x0 scalar_o:0x0 struct_o:0x0
  +
3 func:0xfffffff005ff5188 scalar_i:0x2 struct_i:0x0 scalar_o:0x1 struct_o:0x0
  +
4 func:0xfffffff005ff51a0 scalar_i:0x1 struct_i:0x0 scalar_o:0x0 struct_o:0x0
  +
5 func:0xfffffff005ff51d0 scalar_i:0x3 struct_i:0x0 scalar_o:0x1 struct_o:0x0
  +
6 func:0xfffffff005ff5254 scalar_i:0x2 struct_i:0x0 scalar_o:0x1 struct_o:0x0
  +
7 func:0xfffffff005ff52d4 scalar_i:0x2 struct_i:0x0 scalar_o:0x1 struct_o:0x0
  +
8 func:0xfffffff005ff5314 scalar_i:0x1 struct_i:0x0 scalar_o:0x0 struct_o:0x0
  +
9 func:0xfffffff005ff5350 scalar_i:0x1 struct_i:0x0 scalar_o:0x0 struct_o:0x0
  +
10 func:0xfffffff005ff538c scalar_i:0xffffffff struct_i:0x0 scalar_o:0x0 struct_o:0x0
  +
11 func:0xfffffff005ff5398 scalar_i:0xffffffff struct_i:0x0 scalar_o:0x0 struct_o:0x0
  +
12 func:0xfffffff005ff53a4 scalar_i:0x3 struct_i:0x0 scalar_o:0x0 struct_o:0xffffffff
  +
13 func:0xfffffff005ff5660 scalar_i:0x3 struct_i:0xffffffff scalar_o:0x0 struct_o:0x0
  +
14 func:0xfffffff005ff57d8 scalar_i:0x0 struct_i:0x0 scalar_o:0x2 struct_o:0x0
  +
15 func:0xfffffff005ff57e4 scalar_i:0x1 struct_i:0x0 scalar_o:0x0 struct_o:0xffffffff
  +
16 func:0xfffffff005ff5810 scalar_i:0x1 struct_i:0x0 scalar_o:0x0 struct_o:0x0
 
</pre>
 
</pre>

Latest revision as of 22:02, 13 December 2021

The kernelcache is basically the kernel itself as well as all of its extensions (AppleImage3NORAccess, IOAESAccelerator, IOPKEAccelerator, etc.) into one file, then packed/encrypted in an IMG3 (iPhone OS 2.0 and above) or 8900 (iPhone OS 1.0 through 1.1.4) container.

The joker tool, from http://newosxbook.com/ can be used to dump information from a decrypted kernelcache - including system call and Mach trap addresses (in the kernel) as well as a list of all the KEXTs contained therein and their load addresses. The output from a 6.1.3 kernelcache (iPhone 4 (iPhone3,1)) using this tool, showing 153 kexts, is as follows:

KextCache begins at : 0x80396000 (File Offset: 3493888)
Kext: Libkern Pseudoextension @0x80396000 (File: 0xffffffff) (com.apple.kpi.libkern)
Kext: Mach Kernel Pseudoextension @0x8039e000 (File: 0x35d000) (com.apple.kpi.mach)
Kext: Unsupported Pseudoextension @0x8039f000 (File: 0x35e000) (com.apple.kpi.unsupported)
Kext: I/O Kit Pseudoextension @0x803a1000 (File: 0x360000) (com.apple.kpi.iokit)
Kext: Private Pseudoextension @0x803b8000 (File: 0x377000) (com.apple.kpi.private)
Kext: BSD Kernel Pseudoextension @0x803bd000 (File: 0x37c000) (com.apple.kpi.bsd)
Kext: AppleARMPlatform @0x803c3000 (File: 0x382000) (com.apple.driver.AppleARMPlatform)
Kext: AppleSamsungSPI @0x803fd000 (File: 0x3bc000) (com.apple.driver.AppleSamsungSPI)
Kext: MAC Framework Pseudoextension @0x80401000 (File: 0x3c0000) (com.apple.kpi.dsep)
Kext: IOCryptoAcceleratorFamily @0x80402000 (File: 0x3c1000) (com.apple.iokit.IOCryptoAcceleratorFamily)
Kext: AppleMobileFileIntegrity @0x80410000 (File: 0x3cf000) (com.apple.driver.AppleMobileFileIntegrity)
Kext: IOHIDFamily @0x80427000 (File: 0x3e6000) (com.apple.iokit.IOHIDFamily)
Kext: AppleEmbeddedLightSensor @0x80447000 (File: 0x406000) (com.apple.driver.AppleEmbeddedLightSensor)
Kext: I/O Kit USB Family @0x80453000 (File: 0x412000) (com.apple.iokit.IOUSBFamily)
Kext: I/O Kit Driver for USB User Clients @0x80483000 (File: 0x442000) (com.apple.iokit.IOUSBUserClient)
Kext: I/O Kit Driver for USB EHCI Controllers @0x80486000 (File: 0x445000) (com.apple.driver.AppleUSBEHCI)
Kext: I/O Kit Driver for USB OHCI Controllers @0x8049c000 (File: 0x45b000) (com.apple.driver.AppleUSBOHCI)
Kext: AppleD1815PMU @0x804a8000 (File: 0x467000) (com.apple.driver.AppleD1815PMU)
Kext: AppleARMPL080DMAC @0x804bf000 (File: 0x47e000) (com.apple.driver.AppleARMPL080DMAC)
Kext: AppleMultitouchSPI @0x804c3000 (File: 0x482000) (com.apple.driver.AppleMultitouchSPI)
Kext: AppleKernelStorage @0x804d7000 (File: 0x496000) (com.apple.platform.AppleKernelStorage)
Kext: I/O Kit Storage Family @0x804da000 (File: 0x499000) (com.apple.iokit.IOStorageFamily)
Kext: AppleDiskImageDriver @0x804f2000 (File: 0x4b1000) (com.apple.driver.DiskImages)
Kext: AppleDiskImagesKernelBacked @0x804fe000 (File: 0x4bd000) (com.apple.driver.DiskImages.KernelBacked)
Kext: AppleDiskImagesRAMBackingStore @0x8050a000 (File: 0x4c9000) (com.apple.driver.DiskImages.RAMBackingStore)
Kext: AppleJPEGDriver @0x8050d000 (File: 0x4cc000) (com.apple.driver.AppleJPEGDriver)
Kext: EncryptedBlockStorage @0x80517000 (File: 0x4d6000) (com.apple.iokit.EncryptedBlockStorage)
Kext: IOFlashStorage @0x8051f000 (File: 0x4de000) (com.apple.iokit.IOFlashStorage)
Kext: AppleTVOut @0x80538000 (File: 0x4f7000) (com.apple.driver.AppleTVOut)
Kext: AppleEmbeddedUSB @0x8053c000 (File: 0x4fb000) (com.apple.driver.AppleEmbeddedUSB)
Kext: I/O Kit Driver for USB Composite Devices @0x80545000 (File: 0x504000) (com.apple.driver.AppleUSBComposite)
Kext: I/O Kit Driver for USB Devices @0x8054a000 (File: 0x509000) (com.apple.driver.AppleUSBMergeNub)
Kext: AppleEmbeddedUSBHost @0x8054f000 (File: 0x50e000) (com.apple.driver.AppleEmbeddedUSBHost)
Kext: Embedded I/O Kit Driver for USB OHCI Controllers @0x80554000 (File: 0x513000) (com.apple.driver.AppleUSBOHCIARM)
Kext: AppleHIDKeyboardEmbedded @0x80559000 (File: 0x518000) (com.apple.iokit.IOStreamFamily)
Kext: IOAudio2Family @0x8055e000 (File: 0x51d000) (com.apple.iokit.IOAudio2Family)
Kext: IOAVFamily @0x80568000 (File: 0x527000) (com.apple.iokit.IOAVFamily)
Kext: IODisplayPortFamily @0x8059d000 (File: 0x55c000) (com.apple.iokit.IODisplayPortFamily)
Kext: AppleSamsungDPTX @0x805b3000 (File: 0x572000) (com.apple.driver.AppleSamsungDPTX)
Kext: IODARTFamily @0x805d0000 (File: 0x58f000) (com.apple.driver.IODARTFamily)
Kext: Apple M2 Scaler and Color Space Converter Driver @0x805db000 (File: 0x59a000) (com.apple.driver.AppleM2ScalerCSCDriver)
Kext: IOSlaveProcessor @0x805ef000 (File: 0x5ae000) (com.apple.driver.IOSlaveProcessor)
Kext: AppleARM7M @0x805f4000 (File: 0x5b3000) (com.apple.driver.AppleARM7M)
Kext: AppleEffaceableStorage @0x805f8000 (File: 0x5b7000) (com.apple.driver.AppleEffaceableStorage)
Kext: LightweightVolumeManager @0x80602000 (File: 0x5c1000) (com.apple.driver.LightweightVolumeManager)
Kext: IOKit Serial Port Family @0x8060c000 (File: 0x5cb000) (com.apple.iokit.IOSerialFamily)
Kext: AppleOnboardSerial @0x80616000 (File: 0x5d5000) (com.apple.driver.AppleOnboardSerial)
Kext: AppleARMIISAudio @0x80624000 (File: 0x5e3000) (com.apple.iokit.AppleARMIISAudio)
Kext: HighlandParkAudioDevice @0x8062b000 (File: 0x5ea000) (com.apple.driver.HighlandParkAudioDevice)
Kext: AppleBasebandAudio @0x8065e000 (File: 0x61d000) (com.apple.driver.AppleBasebandAudio)
Kext: IOUSBDeviceFamily @0x80661000 (File: 0x620000) (com.apple.iokit.IOUSBDeviceFamily)
Kext: I/O Kit Networking Family @0x8066e000 (File: 0x62d000) (com.apple.iokit.IONetworkingFamily)
Kext: AppleUSBEthernetDevice @0x80688000 (File: 0x647000) (com.apple.driver.AppleUSBEthernetDevice)
Kext: AppleTCA6408GPIOIC @0x8068d000 (File: 0x64c000) (com.apple.driver.AppleTCA6408GPIOIC)
Kext: AppleNANDConfigAccess @0x80691000 (File: 0x650000) (com.apple.driver.AppleNANDConfigAccess)
Kext: AppleCDMA @0x80694000 (File: 0x653000) (com.apple.driver.AppleCDMA)
Kext: AppleNANDFTL @0x8069b000 (File: 0x65a000) (com.apple.driver.AppleNANDFTL)
Kext: IOAccessoryManager @0x806a4000 (File: 0x663000) (com.apple.iokit.IOAccessoryManager)
Kext: IOUserEthernet @0x806b8000 (File: 0x677000) (com.apple.iokit.IOUserEthernet)
Kext: AppleUSBAudio @0x806c0000 (File: 0x67f000) (com.apple.driver.AppleUSBAudio)
Kext: AppleDiskImagesUDIFDiskImage @0x806f0000 (File: 0x6af000) (com.apple.driver.DiskImages.UDIFDiskImage)
Kext: AppleS5L8930XUSB @0x806f7000 (File: 0x6b6000) (com.apple.driver.AppleS5L8930XUSB)
Kext: AppleEmbeddedGyro @0x806fb000 (File: 0x6ba000) (com.apple.driver.AppleEmbeddedGyro)
Kext: IOMobileGraphicsFamily @0x80704000 (File: 0x6c3000) (com.apple.iokit.IOMobileGraphicsFamily)
Kext: IOSurface @0x80713000 (File: 0x6d2000) (com.apple.iokit.IOSurface)
Kext: AppleDisplayPipe @0x80721000 (File: 0x6e0000) (com.apple.driver.AppleDisplayPipe)
Kext: AppleCLCD @0x80731000 (File: 0x6f0000) (com.apple.driver.AppleCLCD)
Kext: AppleS5L8930XDART @0x8073f000 (File: 0x6fe000) (com.apple.driver.AppleS5L8930XDART)
Kext: AppleEmbeddedGPS @0x80744000 (File: 0x703000) (com.apple.driver.AppleEmbeddedGPS)
Kext: AppleS5L8920X @0x8074a000 (File: 0x709000) (com.apple.driver.AppleS5L8920X)
Kext: PPP @0x80757000 (File: 0x716000) (com.apple.nke.ppp)
Kext: L2TP @0x80761000 (File: 0x720000) (com.apple.nke.l2tp)
Kext: AppleEmbeddedAccelerometer @0x80767000 (File: 0x726000) (com.apple.driver.AppleEmbeddedAccelerometer)
Kext: AppleSynopsysOTGDevice @0x8076d000 (File: 0x72c000) (com.apple.driver.AppleSynopsysOTGDevice)
Kext: FairPlayIOKit @0x80777000 (File: 0x736000) (com.apple.driver.FairPlayIOKit)
Kext: LSKDIOKit @0x807d7000 (File: 0x796000) (com.apple.driver.LSKDIOKit)
Kext: AppleAMC_r2 @0x807f5000 (File: 0x7b4000) (com.apple.driver.AppleAMC_r2)
Kext: AppleProfileFamily @0x8086e000 (File: 0x82d000) (com.apple.iokit.AppleProfileFamily)
Kext: AppleProfileTimestampAction @0x80899000 (File: 0x858000) (com.apple.driver.AppleProfileTimestampAction)
Kext: AppleAC3Passthrough @0x8089d000 (File: 0x85c000) (com.apple.driver.AppleAC3Passthrough)
Kext: IOTextEncryptionFamily @0x808a3000 (File: 0x862000) (com.apple.IOTextEncryptionFamily)
Kext: corecrypto @0x808a8000 (File: 0x867000) (com.apple.kec.corecrypto)
Kext: AppleUSBMike @0x808d3000 (File: 0x892000) (com.apple.driver.AppleUSBMike)
Kext: AppleProfileRegisterStateAction @0x808d7000 (File: 0x896000) (com.apple.driver.AppleProfileRegisterStateAction)
Kext: AppleDiskImagesFileBackingStore @0x808db000 (File: 0x89a000) (com.apple.driver.DiskImages.FileBackingStore)
Kext: AppleEmbeddedProx @0x808df000 (File: 0x89e000) (com.apple.driver.AppleEmbeddedProx)
Kext: AppleProfileReadCounterAction @0x808e7000 (File: 0x8a6000) (com.apple.driver.AppleProfileReadCounterAction)
Kext: BasebandSPI @0x808eb000 (File: 0x8aa000) (com.apple.driver.BasebandSPI)
Kext: AppleSerialMultiplexer @0x80905000 (File: 0x8c4000) (com.apple.driver.AppleSerialMultiplexer)
Kext: AppleNANDFirmware @0x80924000 (File: 0x8e3000) (com.apple.driver.AppleNANDFirmware)
Kext: AppleImage3NORAccess @0x80928000 (File: 0x8e7000) (com.apple.driver.AppleImage3NORAccess)
Kext: AppleSamsungSWI @0x80930000 (File: 0x8ef000) (com.apple.driver.AppleSamsungSWI)
Kext: AppleARMPL192VIC @0x80934000 (File: 0x8f3000) (com.apple.driver.AppleARMPL192VIC)
Kext: AppleIOPFMI @0x80937000 (File: 0x8f6000) (com.apple.driver.AppleIOPFMI)
Kext: IO80211Family @0x80947000 (File: 0x906000) (com.apple.iokit.IO80211Family)
Kext: Broadcom 802.11 Driver @0x80996000 (File: 0x955000) (com.apple.driver.AppleBCMWLANCore)
Kext: IOFlashNVRAM @0x80a04000 (File: 0x9c3000) (com.apple.driver.IOFlashNVRAM)
Kext: AppleSamsungSerial @0x80a0a000 (File: 0x9c9000) (com.apple.driver.AppleSamsungSerial)
Kext: AppleBasebandUSB @0x80a0e000 (File: 0x9cd000) (com.apple.driver.AppleBasebandUSB)
Kext: AppleRGBOUT @0x80a11000 (File: 0x9d0000) (com.apple.driver.AppleRGBOUT)
Kext: AppleBSDKextStarter @0x80a19000 (File: 0x9d8000) (com.apple.driver.AppleBSDKextStarter)
Kext: AppleSamsungMIPIDSI @0x80a1c000 (File: 0x9db000) (com.apple.driver.AppleSamsungMIPIDSI)
Kext: Regular Expression Matching Engine @0x80a21000 (File: 0x9e0000) (com.apple.kext.AppleMatch)
Kext: AppleLTC4099Charger @0x80a25000 (File: 0x9e4000) (com.apple.driver.AppleLTC4099Charger)
Kext: IOMikeyBusFamily @0x80a29000 (File: 0x9e8000) (com.apple.iokit.IOMikeyBusFamily)
Kext: AppleEmbeddedAudio @0x80a3b000 (File: 0x9fa000) (com.apple.driver.AppleEmbeddedAudio)
Kext: AppleCS42L61Audio @0x80a5c000 (File: 0xa1b000) (com.apple.driver.AppleCS42L61Audio)
Kext: IOP_s5l8930x_firmware @0x80a61000 (File: 0xa20000) (com.apple.driver.IOP_s5l8930x_firmware)
Kext: AppleBasebandN90 @0x80a8e000 (File: 0xa4d000) (com.apple.driver.AppleBasebandN90)
Kext: AppleMultitouchSPIN1F55 @0x80a97000 (File: 0xa56000) (com.apple.driver.AppleBluetooth)
Kext: AppleIntegratedProxALSSensor @0x80a9a000 (File: 0xa59000) (com.apple.driver.AppleIntegratedProxALSSensor)
Kext: AppleCDCSerialDevice @0x80aa4000 (File: 0xa63000) (com.apple.driver.AppleCDCSerialDevice)
Kext: H3 H264 Video Encoder @0x80aac000 (File: 0xa6b000) (com.apple.driver.H2H264VideoEncoderDriver)
Kext: AppleProfileKEventAction @0x80acd000 (File: 0xa8c000) (com.apple.driver.AppleProfileKEventAction)
Kext: AppleS5L8930XUSBPhy @0x80ad1000 (File: 0xa90000) (com.apple.driver.AppleS5L8930XUSBPhy)
Kext: IOKit SDIO Family @0x80ad5000 (File: 0xa94000) (com.apple.iokit.IOSDIOFamily)
Kext: AppleSamsungPKE @0x80ae5000 (File: 0xaa4000) (com.apple.driver.AppleSamsungPKE)
Kext: AppleIOPSDIO @0x80ae9000 (File: 0xaa8000) (com.apple.driver.AppleIOPSDIO)
Kext: Seatbelt sandbox policy @0x80af1000 (File: 0xab0000) (com.apple.security.sandbox)
Kext: AppleHIDKeyboard @0x80afc000 (File: 0xabb000) (com.apple.driver.AppleHIDKeyboard)
Kext: AppleKeyStore @0x80aff000 (File: 0xabe000) (com.apple.driver.AppleKeyStore)
Kext: AppleHDQGasGaugeControl @0x80b0c000 (File: 0xacb000) (com.apple.driver.AppleHDQGasGaugeControl)
Kext: Broadcom WLAN SDIO Bus Driver @0x80b10000 (File: 0xacf000) (com.apple.driver.AppleBCMWLANBusInterfaceSDIO)
Kext: I/O Kit HID Event Driver @0x80b21000 (File: 0xae0000) (com.apple.driver.AppleH3CameraInterface)
Kext: AppleDiskImagesReadWriteDiskImage @0x80b40000 (File: 0xaff000) (com.apple.driver.DiskImages.ReadWriteDiskImage)
Kext: AppleFSCompressionTypeZlib @0x80b43000 (File: 0xb02000) (com.apple.AppleFSCompression.AppleFSCompressionTypeZlib)
Kext: AppleUSBEthernet @0x80b48000 (File: 0xb07000) (com.apple.driver.AppleUSBEthernet)
Kext: EmbeddedIOP @0x80b51000 (File: 0xb10000) (com.apple.driver.EmbeddedIOP)
Kext: I/O Kit Driver for USB HID Devices @0x80b59000 (File: 0xb18000) (com.apple.driver.AppleS5L8930X)
Kext: AppleSamsungI2S @0x80b63000 (File: 0xb22000) (com.apple.driver.AppleSamsungI2S)
Kext: AppleM68Buttons @0x80b67000 (File: 0xb26000) (com.apple.driver.AppleM68Buttons)
Kext: AppleVXD375 @0x80b6b000 (File: 0xb2a000) (com.apple.driver.AppleVXD375)
Kext: AppleUSBDeviceMux @0x80b87000 (File: 0xb46000) (com.apple.driver.AppleUSBDeviceMux)
Kext: PPTP @0x80b8f000 (File: 0xb4e000) (com.apple.nke.pptp)
Kext: I/O Kit Driver for USB HID Devices @0x80b94000 (File: 0xb53000) (com.apple.iokit.IOUSBHIDDriver)
Kext: AppleMultitouchSPIZ2F13 @0x80b9a000 (File: 0xb59000) (com.apple.iokit.IOAcceleratorFamily)
Kext: IMGSGX535 Graphics Kernel Extension @0x80bb7000 (File: 0xb76000) (com.apple.IMGSGX535)
Kext: ApplePinotLCD @0x80be4000 (File: 0xba3000) (com.apple.driver.ApplePinotLCD)
Kext: I/O Kit Driver for USB Hubs @0x80be7000 (File: 0xba6000) (com.apple.driver.AppleUSBHub)
Kext: AppleEmbeddedCompass @0x80bf0000 (File: 0xbaf000) (com.apple.driver.AppleEmbeddedCompass)
Kext: AppleProfileThreadInfoAction @0x80bf8000 (File: 0xbb7000) (com.apple.driver.AppleProfileThreadInfoAction)
Kext: AppleBasebandCDC @0x80bfc000 (File: 0xbbb000) (com.apple.driver.AppleBasebandCDC)
Kext: AppleUSBEthernetHost @0x80c02000 (File: 0xbc1000) (com.apple.driver.AppleUSBEthernetHost)
Kext: AppleDPRepeater @0x80c07000 (File: 0xbc6000) (com.apple.driver.AppleDPRepeater)
Kext: I/O Kit HID Event Driver Safe Boot @0x80c36000 (File: 0xbf5000) (com.apple.driver.AppleCD3282Mikey)
Kext: tlsnke @0x80c3a000 (File: 0xbf9000) (com.apple.nke.tls)
Kext: AppleUSBHIDKeyboard @0x80c40000 (File: 0xbff000) (com.apple.driver.AppleUSBHIDKeyboard)
Kext: AppleProfileCallstackAction @0x80c43000 (File: 0xc02000) (com.apple.driver.AppleProfileCallstackAction)
Kext: AppleDiagnosticDataAccessReadOnly @0x80c47000 (File: 0xc06000) (com.apple.driver.AppleDiagnosticDataAccessReadOnly)
Kext: AppleNANDLegacyFTL @0x80c4a000 (File: 0xc09000) (com.apple.driver.AppleNANDLegacyFTL)
Kext: AppleTetheredDevice @0x80c78000 (File: 0xc37000) (com.apple.driver.AppleTetheredDevice)
Kext: AppleUSBHSIC @0x80c7b000 (File: 0xc3a000) (com.apple.driver.AppleUSBHSIC)
Kext: Embedded I/O Kit Driver for USB EHCI Controllers @0x80c83000 (File: 0xc42000) (com.apple.driver.AppleUSBEHCIARM)

As of the iPhone11 (iPhone XS/R) and iOS 12, Apple has moved to a new kernelcache format. This is recognizable by an LC_SOURCE_VERSION which is much Lower than that of XNU's (1469 for iOS12, 17xx for iOS13), likely an artifact of misconfiguration on Apple's side, since it matches the source version of the kernelcache builder.

The new kernelcaches are monolithic and tightly linked, in that KEXT code is interspersed with the kernel's own. They are also fully stripped of all symbols. The joker tool's most useful feature, Kextraction (extracting kexts from the kernelcache) can therefore no longer be used (and, in fact, there is no straightforward way to extract kexts anymore from these caches). Joker has been superseded by jtool2's --analyze option, which can effectively symbolicate 1000s (3,000-8,000, depending on iOS version) of symbols.

The tool ioskextdump developed by cocoahuke used a disassembly framework Capstone to further analyze iOS kernelcache and dump information that's incredibly useful for vulnerability research - including

  • Name, Address, size, vtable of all IOKit base classes and derived classes
  • The inheritance for all IOKit derived classes
  • All function addresses and corresponding positions in the vtable
  • Symbolizes every functions in each derived class
  • Lists all override functions in each derived class
  • Detects IOExternalMethodDispatch structure in each UserClient class

The developer has made adjustments to support iOS 8-13 kernelcache, as well as for different architectures such as arm32, arm64, x86_64. The following is an output snippet of analyzing iOS 12.3 kernelcache using ioskextdump_ios10, showing the detailed information of IOHIDLibUserClient. There are a total of 1860 IOKit classes in this output, you can download the full output here.

******** 1:com.apple.iokit.IOHIDFamily *******
(0xfffffff005ff7ee8)->OSMetaClass:OSMetaClass call 4 args list
x0:0xfffffff00775bb40
x1:IOHIDLibUserClient
x2:0xfffffff007668400
x3:0x150
vtable start from addr 0xfffffff006deef70
Inheritance relationship: IOUserClient->IOService->IORegistryEntry->OSObject

override: IOUserClient_IOUserClient loc:0xfffffff006deef70 imp:0xfffffff005ff500c
override: IOUserClient_~IOUserClient loc:0xfffffff006deef78 imp:0xfffffff005ff5010
override: IOUserClient_getMetaClass loc:0xfffffff006deefa8 imp:0xfffffff005ff5028
override: IOUserClient_free loc:0xfffffff006deefd8 imp:0xfffffff005ff63c0
override: IORegistryEntry_setProperties loc:0xfffffff006def0c8 imp:0xfffffff005ff65a8
override: IOService_didTerminate loc:0xfffffff006def1d0 imp:0xfffffff005ff6370
override: IOService_start loc:0xfffffff006def218 imp:0xfffffff005ff5a04
override: IOService_stop loc:0xfffffff006def220 imp:0xfffffff005ff5e9c
override: IOService_attach loc:0xfffffff006def2c8 imp:0xfffffff005ff7dac
override: IOService_message loc:0xfffffff006def388 imp:0xfffffff005ff64a8
override: IOUserClient_externalMethod loc:0xfffffff006def4a8 imp:0xfffffff005ff60d0
override: IOUserClient_initWithTask loc:0xfffffff006def4c0 imp:0xfffffff005ff585c
override: IOUserClient_clientClose loc:0xfffffff006def4c8 imp:0xfffffff005ff59e0
override: IOUserClient_registerNotificationPort loc:0xfffffff006def4e0 imp:0xfffffff005ff65c8
override: IOUserClient_clientMemoryForType loc:0xfffffff006def4f8 imp:0xfffffff005ff67a8
override: IOUserClient_IOUserClient loc:0xfffffff006deef70 imp:0xfffffff005ff500c
override: IOUserClient_~IOUserClient loc:0xfffffff006deef78 imp:0xfffffff005ff5010
override: IOUserClient_getMetaClass loc:0xfffffff006deefa8 imp:0xfffffff005ff5028
override: IOUserClient_free loc:0xfffffff006deefd8 imp:0xfffffff005ff63c0
override: IORegistryEntry_setProperties loc:0xfffffff006def0c8 imp:0xfffffff005ff65a8
override: IOService_didTerminate loc:0xfffffff006def1d0 imp:0xfffffff005ff6370
override: IOService_start loc:0xfffffff006def218 imp:0xfffffff005ff5a04
override: IOService_stop loc:0xfffffff006def220 imp:0xfffffff005ff5e9c
override: IOService_attach loc:0xfffffff006def2c8 imp:0xfffffff005ff7dac
override: IOService_message loc:0xfffffff006def388 imp:0xfffffff005ff64a8

0 func:0xfffffff005ff514c  scalar_i:0x0  struct_i:0x0  scalar_o:0x2  struct_o:0x0
1 func:0xfffffff005ff5164  scalar_i:0x1  struct_i:0x0  scalar_o:0x0  struct_o:0x0
2 func:0xfffffff005ff5170  scalar_i:0x0  struct_i:0x0  scalar_o:0x0  struct_o:0x0
3 func:0xfffffff005ff5188  scalar_i:0x2  struct_i:0x0  scalar_o:0x1  struct_o:0x0
4 func:0xfffffff005ff51a0  scalar_i:0x1  struct_i:0x0  scalar_o:0x0  struct_o:0x0
5 func:0xfffffff005ff51d0  scalar_i:0x3  struct_i:0x0  scalar_o:0x1  struct_o:0x0
6 func:0xfffffff005ff5254  scalar_i:0x2  struct_i:0x0  scalar_o:0x1  struct_o:0x0
7 func:0xfffffff005ff52d4  scalar_i:0x2  struct_i:0x0  scalar_o:0x1  struct_o:0x0
8 func:0xfffffff005ff5314  scalar_i:0x1  struct_i:0x0  scalar_o:0x0  struct_o:0x0
9 func:0xfffffff005ff5350  scalar_i:0x1  struct_i:0x0  scalar_o:0x0  struct_o:0x0
10 func:0xfffffff005ff538c  scalar_i:0xffffffff  struct_i:0x0  scalar_o:0x0  struct_o:0x0
11 func:0xfffffff005ff5398  scalar_i:0xffffffff  struct_i:0x0  scalar_o:0x0  struct_o:0x0
12 func:0xfffffff005ff53a4  scalar_i:0x3  struct_i:0x0  scalar_o:0x0  struct_o:0xffffffff
13 func:0xfffffff005ff5660  scalar_i:0x3  struct_i:0xffffffff  scalar_o:0x0  struct_o:0x0
14 func:0xfffffff005ff57d8  scalar_i:0x0  struct_i:0x0  scalar_o:0x2  struct_o:0x0
15 func:0xfffffff005ff57e4  scalar_i:0x1  struct_i:0x0  scalar_o:0x0  struct_o:0xffffffff
16 func:0xfffffff005ff5810  scalar_i:0x1  struct_i:0x0  scalar_o:0x0  struct_o:0x0