The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Kernelcache"
(Updated for GSM iPhone 4) |
(Add introduction of a useful kernelcache analyzing tool) |
||
(4 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
− | The kernelcache is basically the [[kernel]] itself as well as all of its extensions (AppleImage3NORAccess, IOAESAccelerator, IOPKEAccelerator, etc.) into one file, then packed/encrypted in an [[IMG3 File Format|IMG3]] ( |
+ | The kernelcache is basically the [[kernel]] itself as well as all of its extensions (AppleImage3NORAccess, IOAESAccelerator, IOPKEAccelerator, etc.) into one file, then packed/encrypted in an [[IMG3 File Format|IMG3]] (iPhone OS 2.0 and above) or [[S5L File Formats#8900|8900]] (iPhone OS 1.0 through 1.1.4) container. |
[[Category:Filesystem]] |
[[Category:Filesystem]] |
||
− | The joker tool, from http://newosxbook.com/ can be used to dump information from a decrypted kernelcache - including system call and Mach trap addresses (in the kernel) as well as a list of all the KEXTs contained therein and their load addresses. The output from a 6.1.3 kernelcache (iPhone 4 |
+ | The joker tool, from http://newosxbook.com/ can be used to dump information from a decrypted kernelcache - including system call and Mach trap addresses (in the kernel) as well as a list of all the KEXTs contained therein and their load addresses. The output from a 6.1.3 kernelcache ([[N90AP|iPhone 4 (iPhone3,1)]]) using this tool, showing 153 kexts, is as follows: |
<pre> |
<pre> |
||
Line 161: | Line 161: | ||
Kext: Embedded I/O Kit Driver for USB EHCI Controllers @0x80c83000 (File: 0xc42000) (com.apple.driver.AppleUSBEHCIARM) |
Kext: Embedded I/O Kit Driver for USB EHCI Controllers @0x80c83000 (File: 0xc42000) (com.apple.driver.AppleUSBEHCIARM) |
||
+ | </pre> |
||
+ | |||
+ | As of the iPhone11 (iPhone XS/R) and iOS 12, Apple has moved to a new kernelcache format. This is recognizable by an LC_SOURCE_VERSION which is much Lower than that of XNU's (1469 for iOS12, 17xx for iOS13), likely an artifact of misconfiguration on Apple's side, since it matches the source version of the kernelcache builder. |
||
+ | |||
+ | The new kernelcaches are monolithic and tightly linked, in that KEXT code is interspersed with the kernel's own. They are also fully stripped of all symbols. The joker tool's most useful feature, Kextraction (extracting kexts from the kernelcache) can therefore no longer be used (and, in fact, there is no straightforward way to extract kexts anymore from these caches). Joker has been superseded by jtool2's --analyze option, which can effectively symbolicate 1000s (3,000-8,000, depending on iOS version) of symbols. |
||
+ | |||
+ | The tool ioskextdump developed by cocoahuke used a disassembly framework Capstone to further analyze iOS kernelcache and dump information that's incredibly useful for vulnerability research - including |
||
+ | * Name, Address, size, vtable of all IOKit base classes and derived classes |
||
+ | * The inheritance for all IOKit derived classes |
||
+ | * All function addresses and corresponding positions in the vtable |
||
+ | * Symbolizes every functions in each derived class |
||
+ | * Lists all override functions in each derived class |
||
+ | * Detects IOExternalMethodDispatch structure in each UserClient class |
||
+ | |||
+ | The developer has made adjustments to support iOS 8-13 kernelcache, as well as for different architectures such as arm32, arm64, x86_64. The following is an output snippet of analyzing iOS 12.3 kernelcache using ioskextdump_ios10, showing the detailed information of IOHIDLibUserClient. There are a total of 1860 IOKit classes in this output, you can download the full output here. |
||
+ | |||
+ | <pre> |
||
+ | ******** 1:com.apple.iokit.IOHIDFamily ******* |
||
+ | (0xfffffff005ff7ee8)->OSMetaClass:OSMetaClass call 4 args list |
||
+ | x0:0xfffffff00775bb40 |
||
+ | x1:IOHIDLibUserClient |
||
+ | x2:0xfffffff007668400 |
||
+ | x3:0x150 |
||
+ | vtable start from addr 0xfffffff006deef70 |
||
+ | Inheritance relationship: IOUserClient->IOService->IORegistryEntry->OSObject |
||
+ | |||
+ | override: IOUserClient_IOUserClient loc:0xfffffff006deef70 imp:0xfffffff005ff500c |
||
+ | override: IOUserClient_~IOUserClient loc:0xfffffff006deef78 imp:0xfffffff005ff5010 |
||
+ | override: IOUserClient_getMetaClass loc:0xfffffff006deefa8 imp:0xfffffff005ff5028 |
||
+ | override: IOUserClient_free loc:0xfffffff006deefd8 imp:0xfffffff005ff63c0 |
||
+ | override: IORegistryEntry_setProperties loc:0xfffffff006def0c8 imp:0xfffffff005ff65a8 |
||
+ | override: IOService_didTerminate loc:0xfffffff006def1d0 imp:0xfffffff005ff6370 |
||
+ | override: IOService_start loc:0xfffffff006def218 imp:0xfffffff005ff5a04 |
||
+ | override: IOService_stop loc:0xfffffff006def220 imp:0xfffffff005ff5e9c |
||
+ | override: IOService_attach loc:0xfffffff006def2c8 imp:0xfffffff005ff7dac |
||
+ | override: IOService_message loc:0xfffffff006def388 imp:0xfffffff005ff64a8 |
||
+ | override: IOUserClient_externalMethod loc:0xfffffff006def4a8 imp:0xfffffff005ff60d0 |
||
+ | override: IOUserClient_initWithTask loc:0xfffffff006def4c0 imp:0xfffffff005ff585c |
||
+ | override: IOUserClient_clientClose loc:0xfffffff006def4c8 imp:0xfffffff005ff59e0 |
||
+ | override: IOUserClient_registerNotificationPort loc:0xfffffff006def4e0 imp:0xfffffff005ff65c8 |
||
+ | override: IOUserClient_clientMemoryForType loc:0xfffffff006def4f8 imp:0xfffffff005ff67a8 |
||
+ | override: IOUserClient_IOUserClient loc:0xfffffff006deef70 imp:0xfffffff005ff500c |
||
+ | override: IOUserClient_~IOUserClient loc:0xfffffff006deef78 imp:0xfffffff005ff5010 |
||
+ | override: IOUserClient_getMetaClass loc:0xfffffff006deefa8 imp:0xfffffff005ff5028 |
||
+ | override: IOUserClient_free loc:0xfffffff006deefd8 imp:0xfffffff005ff63c0 |
||
+ | override: IORegistryEntry_setProperties loc:0xfffffff006def0c8 imp:0xfffffff005ff65a8 |
||
+ | override: IOService_didTerminate loc:0xfffffff006def1d0 imp:0xfffffff005ff6370 |
||
+ | override: IOService_start loc:0xfffffff006def218 imp:0xfffffff005ff5a04 |
||
+ | override: IOService_stop loc:0xfffffff006def220 imp:0xfffffff005ff5e9c |
||
+ | override: IOService_attach loc:0xfffffff006def2c8 imp:0xfffffff005ff7dac |
||
+ | override: IOService_message loc:0xfffffff006def388 imp:0xfffffff005ff64a8 |
||
+ | |||
+ | 0 func:0xfffffff005ff514c scalar_i:0x0 struct_i:0x0 scalar_o:0x2 struct_o:0x0 |
||
+ | 1 func:0xfffffff005ff5164 scalar_i:0x1 struct_i:0x0 scalar_o:0x0 struct_o:0x0 |
||
+ | 2 func:0xfffffff005ff5170 scalar_i:0x0 struct_i:0x0 scalar_o:0x0 struct_o:0x0 |
||
+ | 3 func:0xfffffff005ff5188 scalar_i:0x2 struct_i:0x0 scalar_o:0x1 struct_o:0x0 |
||
+ | 4 func:0xfffffff005ff51a0 scalar_i:0x1 struct_i:0x0 scalar_o:0x0 struct_o:0x0 |
||
+ | 5 func:0xfffffff005ff51d0 scalar_i:0x3 struct_i:0x0 scalar_o:0x1 struct_o:0x0 |
||
+ | 6 func:0xfffffff005ff5254 scalar_i:0x2 struct_i:0x0 scalar_o:0x1 struct_o:0x0 |
||
+ | 7 func:0xfffffff005ff52d4 scalar_i:0x2 struct_i:0x0 scalar_o:0x1 struct_o:0x0 |
||
+ | 8 func:0xfffffff005ff5314 scalar_i:0x1 struct_i:0x0 scalar_o:0x0 struct_o:0x0 |
||
+ | 9 func:0xfffffff005ff5350 scalar_i:0x1 struct_i:0x0 scalar_o:0x0 struct_o:0x0 |
||
+ | 10 func:0xfffffff005ff538c scalar_i:0xffffffff struct_i:0x0 scalar_o:0x0 struct_o:0x0 |
||
+ | 11 func:0xfffffff005ff5398 scalar_i:0xffffffff struct_i:0x0 scalar_o:0x0 struct_o:0x0 |
||
+ | 12 func:0xfffffff005ff53a4 scalar_i:0x3 struct_i:0x0 scalar_o:0x0 struct_o:0xffffffff |
||
+ | 13 func:0xfffffff005ff5660 scalar_i:0x3 struct_i:0xffffffff scalar_o:0x0 struct_o:0x0 |
||
+ | 14 func:0xfffffff005ff57d8 scalar_i:0x0 struct_i:0x0 scalar_o:0x2 struct_o:0x0 |
||
+ | 15 func:0xfffffff005ff57e4 scalar_i:0x1 struct_i:0x0 scalar_o:0x0 struct_o:0xffffffff |
||
+ | 16 func:0xfffffff005ff5810 scalar_i:0x1 struct_i:0x0 scalar_o:0x0 struct_o:0x0 |
||
</pre> |
</pre> |
Latest revision as of 22:02, 13 December 2021
The kernelcache is basically the kernel itself as well as all of its extensions (AppleImage3NORAccess, IOAESAccelerator, IOPKEAccelerator, etc.) into one file, then packed/encrypted in an IMG3 (iPhone OS 2.0 and above) or 8900 (iPhone OS 1.0 through 1.1.4) container.
The joker tool, from http://newosxbook.com/ can be used to dump information from a decrypted kernelcache - including system call and Mach trap addresses (in the kernel) as well as a list of all the KEXTs contained therein and their load addresses. The output from a 6.1.3 kernelcache (iPhone 4 (iPhone3,1)) using this tool, showing 153 kexts, is as follows:
KextCache begins at : 0x80396000 (File Offset: 3493888) Kext: Libkern Pseudoextension @0x80396000 (File: 0xffffffff) (com.apple.kpi.libkern) Kext: Mach Kernel Pseudoextension @0x8039e000 (File: 0x35d000) (com.apple.kpi.mach) Kext: Unsupported Pseudoextension @0x8039f000 (File: 0x35e000) (com.apple.kpi.unsupported) Kext: I/O Kit Pseudoextension @0x803a1000 (File: 0x360000) (com.apple.kpi.iokit) Kext: Private Pseudoextension @0x803b8000 (File: 0x377000) (com.apple.kpi.private) Kext: BSD Kernel Pseudoextension @0x803bd000 (File: 0x37c000) (com.apple.kpi.bsd) Kext: AppleARMPlatform @0x803c3000 (File: 0x382000) (com.apple.driver.AppleARMPlatform) Kext: AppleSamsungSPI @0x803fd000 (File: 0x3bc000) (com.apple.driver.AppleSamsungSPI) Kext: MAC Framework Pseudoextension @0x80401000 (File: 0x3c0000) (com.apple.kpi.dsep) Kext: IOCryptoAcceleratorFamily @0x80402000 (File: 0x3c1000) (com.apple.iokit.IOCryptoAcceleratorFamily) Kext: AppleMobileFileIntegrity @0x80410000 (File: 0x3cf000) (com.apple.driver.AppleMobileFileIntegrity) Kext: IOHIDFamily @0x80427000 (File: 0x3e6000) (com.apple.iokit.IOHIDFamily) Kext: AppleEmbeddedLightSensor @0x80447000 (File: 0x406000) (com.apple.driver.AppleEmbeddedLightSensor) Kext: I/O Kit USB Family @0x80453000 (File: 0x412000) (com.apple.iokit.IOUSBFamily) Kext: I/O Kit Driver for USB User Clients @0x80483000 (File: 0x442000) (com.apple.iokit.IOUSBUserClient) Kext: I/O Kit Driver for USB EHCI Controllers @0x80486000 (File: 0x445000) (com.apple.driver.AppleUSBEHCI) Kext: I/O Kit Driver for USB OHCI Controllers @0x8049c000 (File: 0x45b000) (com.apple.driver.AppleUSBOHCI) Kext: AppleD1815PMU @0x804a8000 (File: 0x467000) (com.apple.driver.AppleD1815PMU) Kext: AppleARMPL080DMAC @0x804bf000 (File: 0x47e000) (com.apple.driver.AppleARMPL080DMAC) Kext: AppleMultitouchSPI @0x804c3000 (File: 0x482000) (com.apple.driver.AppleMultitouchSPI) Kext: AppleKernelStorage @0x804d7000 (File: 0x496000) (com.apple.platform.AppleKernelStorage) Kext: I/O Kit Storage Family @0x804da000 (File: 0x499000) (com.apple.iokit.IOStorageFamily) Kext: AppleDiskImageDriver @0x804f2000 (File: 0x4b1000) (com.apple.driver.DiskImages) Kext: AppleDiskImagesKernelBacked @0x804fe000 (File: 0x4bd000) (com.apple.driver.DiskImages.KernelBacked) Kext: AppleDiskImagesRAMBackingStore @0x8050a000 (File: 0x4c9000) (com.apple.driver.DiskImages.RAMBackingStore) Kext: AppleJPEGDriver @0x8050d000 (File: 0x4cc000) (com.apple.driver.AppleJPEGDriver) Kext: EncryptedBlockStorage @0x80517000 (File: 0x4d6000) (com.apple.iokit.EncryptedBlockStorage) Kext: IOFlashStorage @0x8051f000 (File: 0x4de000) (com.apple.iokit.IOFlashStorage) Kext: AppleTVOut @0x80538000 (File: 0x4f7000) (com.apple.driver.AppleTVOut) Kext: AppleEmbeddedUSB @0x8053c000 (File: 0x4fb000) (com.apple.driver.AppleEmbeddedUSB) Kext: I/O Kit Driver for USB Composite Devices @0x80545000 (File: 0x504000) (com.apple.driver.AppleUSBComposite) Kext: I/O Kit Driver for USB Devices @0x8054a000 (File: 0x509000) (com.apple.driver.AppleUSBMergeNub) Kext: AppleEmbeddedUSBHost @0x8054f000 (File: 0x50e000) (com.apple.driver.AppleEmbeddedUSBHost) Kext: Embedded I/O Kit Driver for USB OHCI Controllers @0x80554000 (File: 0x513000) (com.apple.driver.AppleUSBOHCIARM) Kext: AppleHIDKeyboardEmbedded @0x80559000 (File: 0x518000) (com.apple.iokit.IOStreamFamily) Kext: IOAudio2Family @0x8055e000 (File: 0x51d000) (com.apple.iokit.IOAudio2Family) Kext: IOAVFamily @0x80568000 (File: 0x527000) (com.apple.iokit.IOAVFamily) Kext: IODisplayPortFamily @0x8059d000 (File: 0x55c000) (com.apple.iokit.IODisplayPortFamily) Kext: AppleSamsungDPTX @0x805b3000 (File: 0x572000) (com.apple.driver.AppleSamsungDPTX) Kext: IODARTFamily @0x805d0000 (File: 0x58f000) (com.apple.driver.IODARTFamily) Kext: Apple M2 Scaler and Color Space Converter Driver @0x805db000 (File: 0x59a000) (com.apple.driver.AppleM2ScalerCSCDriver) Kext: IOSlaveProcessor @0x805ef000 (File: 0x5ae000) (com.apple.driver.IOSlaveProcessor) Kext: AppleARM7M @0x805f4000 (File: 0x5b3000) (com.apple.driver.AppleARM7M) Kext: AppleEffaceableStorage @0x805f8000 (File: 0x5b7000) (com.apple.driver.AppleEffaceableStorage) Kext: LightweightVolumeManager @0x80602000 (File: 0x5c1000) (com.apple.driver.LightweightVolumeManager) Kext: IOKit Serial Port Family @0x8060c000 (File: 0x5cb000) (com.apple.iokit.IOSerialFamily) Kext: AppleOnboardSerial @0x80616000 (File: 0x5d5000) (com.apple.driver.AppleOnboardSerial) Kext: AppleARMIISAudio @0x80624000 (File: 0x5e3000) (com.apple.iokit.AppleARMIISAudio) Kext: HighlandParkAudioDevice @0x8062b000 (File: 0x5ea000) (com.apple.driver.HighlandParkAudioDevice) Kext: AppleBasebandAudio @0x8065e000 (File: 0x61d000) (com.apple.driver.AppleBasebandAudio) Kext: IOUSBDeviceFamily @0x80661000 (File: 0x620000) (com.apple.iokit.IOUSBDeviceFamily) Kext: I/O Kit Networking Family @0x8066e000 (File: 0x62d000) (com.apple.iokit.IONetworkingFamily) Kext: AppleUSBEthernetDevice @0x80688000 (File: 0x647000) (com.apple.driver.AppleUSBEthernetDevice) Kext: AppleTCA6408GPIOIC @0x8068d000 (File: 0x64c000) (com.apple.driver.AppleTCA6408GPIOIC) Kext: AppleNANDConfigAccess @0x80691000 (File: 0x650000) (com.apple.driver.AppleNANDConfigAccess) Kext: AppleCDMA @0x80694000 (File: 0x653000) (com.apple.driver.AppleCDMA) Kext: AppleNANDFTL @0x8069b000 (File: 0x65a000) (com.apple.driver.AppleNANDFTL) Kext: IOAccessoryManager @0x806a4000 (File: 0x663000) (com.apple.iokit.IOAccessoryManager) Kext: IOUserEthernet @0x806b8000 (File: 0x677000) (com.apple.iokit.IOUserEthernet) Kext: AppleUSBAudio @0x806c0000 (File: 0x67f000) (com.apple.driver.AppleUSBAudio) Kext: AppleDiskImagesUDIFDiskImage @0x806f0000 (File: 0x6af000) (com.apple.driver.DiskImages.UDIFDiskImage) Kext: AppleS5L8930XUSB @0x806f7000 (File: 0x6b6000) (com.apple.driver.AppleS5L8930XUSB) Kext: AppleEmbeddedGyro @0x806fb000 (File: 0x6ba000) (com.apple.driver.AppleEmbeddedGyro) Kext: IOMobileGraphicsFamily @0x80704000 (File: 0x6c3000) (com.apple.iokit.IOMobileGraphicsFamily) Kext: IOSurface @0x80713000 (File: 0x6d2000) (com.apple.iokit.IOSurface) Kext: AppleDisplayPipe @0x80721000 (File: 0x6e0000) (com.apple.driver.AppleDisplayPipe) Kext: AppleCLCD @0x80731000 (File: 0x6f0000) (com.apple.driver.AppleCLCD) Kext: AppleS5L8930XDART @0x8073f000 (File: 0x6fe000) (com.apple.driver.AppleS5L8930XDART) Kext: AppleEmbeddedGPS @0x80744000 (File: 0x703000) (com.apple.driver.AppleEmbeddedGPS) Kext: AppleS5L8920X @0x8074a000 (File: 0x709000) (com.apple.driver.AppleS5L8920X) Kext: PPP @0x80757000 (File: 0x716000) (com.apple.nke.ppp) Kext: L2TP @0x80761000 (File: 0x720000) (com.apple.nke.l2tp) Kext: AppleEmbeddedAccelerometer @0x80767000 (File: 0x726000) (com.apple.driver.AppleEmbeddedAccelerometer) Kext: AppleSynopsysOTGDevice @0x8076d000 (File: 0x72c000) (com.apple.driver.AppleSynopsysOTGDevice) Kext: FairPlayIOKit @0x80777000 (File: 0x736000) (com.apple.driver.FairPlayIOKit) Kext: LSKDIOKit @0x807d7000 (File: 0x796000) (com.apple.driver.LSKDIOKit) Kext: AppleAMC_r2 @0x807f5000 (File: 0x7b4000) (com.apple.driver.AppleAMC_r2) Kext: AppleProfileFamily @0x8086e000 (File: 0x82d000) (com.apple.iokit.AppleProfileFamily) Kext: AppleProfileTimestampAction @0x80899000 (File: 0x858000) (com.apple.driver.AppleProfileTimestampAction) Kext: AppleAC3Passthrough @0x8089d000 (File: 0x85c000) (com.apple.driver.AppleAC3Passthrough) Kext: IOTextEncryptionFamily @0x808a3000 (File: 0x862000) (com.apple.IOTextEncryptionFamily) Kext: corecrypto @0x808a8000 (File: 0x867000) (com.apple.kec.corecrypto) Kext: AppleUSBMike @0x808d3000 (File: 0x892000) (com.apple.driver.AppleUSBMike) Kext: AppleProfileRegisterStateAction @0x808d7000 (File: 0x896000) (com.apple.driver.AppleProfileRegisterStateAction) Kext: AppleDiskImagesFileBackingStore @0x808db000 (File: 0x89a000) (com.apple.driver.DiskImages.FileBackingStore) Kext: AppleEmbeddedProx @0x808df000 (File: 0x89e000) (com.apple.driver.AppleEmbeddedProx) Kext: AppleProfileReadCounterAction @0x808e7000 (File: 0x8a6000) (com.apple.driver.AppleProfileReadCounterAction) Kext: BasebandSPI @0x808eb000 (File: 0x8aa000) (com.apple.driver.BasebandSPI) Kext: AppleSerialMultiplexer @0x80905000 (File: 0x8c4000) (com.apple.driver.AppleSerialMultiplexer) Kext: AppleNANDFirmware @0x80924000 (File: 0x8e3000) (com.apple.driver.AppleNANDFirmware) Kext: AppleImage3NORAccess @0x80928000 (File: 0x8e7000) (com.apple.driver.AppleImage3NORAccess) Kext: AppleSamsungSWI @0x80930000 (File: 0x8ef000) (com.apple.driver.AppleSamsungSWI) Kext: AppleARMPL192VIC @0x80934000 (File: 0x8f3000) (com.apple.driver.AppleARMPL192VIC) Kext: AppleIOPFMI @0x80937000 (File: 0x8f6000) (com.apple.driver.AppleIOPFMI) Kext: IO80211Family @0x80947000 (File: 0x906000) (com.apple.iokit.IO80211Family) Kext: Broadcom 802.11 Driver @0x80996000 (File: 0x955000) (com.apple.driver.AppleBCMWLANCore) Kext: IOFlashNVRAM @0x80a04000 (File: 0x9c3000) (com.apple.driver.IOFlashNVRAM) Kext: AppleSamsungSerial @0x80a0a000 (File: 0x9c9000) (com.apple.driver.AppleSamsungSerial) Kext: AppleBasebandUSB @0x80a0e000 (File: 0x9cd000) (com.apple.driver.AppleBasebandUSB) Kext: AppleRGBOUT @0x80a11000 (File: 0x9d0000) (com.apple.driver.AppleRGBOUT) Kext: AppleBSDKextStarter @0x80a19000 (File: 0x9d8000) (com.apple.driver.AppleBSDKextStarter) Kext: AppleSamsungMIPIDSI @0x80a1c000 (File: 0x9db000) (com.apple.driver.AppleSamsungMIPIDSI) Kext: Regular Expression Matching Engine @0x80a21000 (File: 0x9e0000) (com.apple.kext.AppleMatch) Kext: AppleLTC4099Charger @0x80a25000 (File: 0x9e4000) (com.apple.driver.AppleLTC4099Charger) Kext: IOMikeyBusFamily @0x80a29000 (File: 0x9e8000) (com.apple.iokit.IOMikeyBusFamily) Kext: AppleEmbeddedAudio @0x80a3b000 (File: 0x9fa000) (com.apple.driver.AppleEmbeddedAudio) Kext: AppleCS42L61Audio @0x80a5c000 (File: 0xa1b000) (com.apple.driver.AppleCS42L61Audio) Kext: IOP_s5l8930x_firmware @0x80a61000 (File: 0xa20000) (com.apple.driver.IOP_s5l8930x_firmware) Kext: AppleBasebandN90 @0x80a8e000 (File: 0xa4d000) (com.apple.driver.AppleBasebandN90) Kext: AppleMultitouchSPIN1F55 @0x80a97000 (File: 0xa56000) (com.apple.driver.AppleBluetooth) Kext: AppleIntegratedProxALSSensor @0x80a9a000 (File: 0xa59000) (com.apple.driver.AppleIntegratedProxALSSensor) Kext: AppleCDCSerialDevice @0x80aa4000 (File: 0xa63000) (com.apple.driver.AppleCDCSerialDevice) Kext: H3 H264 Video Encoder @0x80aac000 (File: 0xa6b000) (com.apple.driver.H2H264VideoEncoderDriver) Kext: AppleProfileKEventAction @0x80acd000 (File: 0xa8c000) (com.apple.driver.AppleProfileKEventAction) Kext: AppleS5L8930XUSBPhy @0x80ad1000 (File: 0xa90000) (com.apple.driver.AppleS5L8930XUSBPhy) Kext: IOKit SDIO Family @0x80ad5000 (File: 0xa94000) (com.apple.iokit.IOSDIOFamily) Kext: AppleSamsungPKE @0x80ae5000 (File: 0xaa4000) (com.apple.driver.AppleSamsungPKE) Kext: AppleIOPSDIO @0x80ae9000 (File: 0xaa8000) (com.apple.driver.AppleIOPSDIO) Kext: Seatbelt sandbox policy @0x80af1000 (File: 0xab0000) (com.apple.security.sandbox) Kext: AppleHIDKeyboard @0x80afc000 (File: 0xabb000) (com.apple.driver.AppleHIDKeyboard) Kext: AppleKeyStore @0x80aff000 (File: 0xabe000) (com.apple.driver.AppleKeyStore) Kext: AppleHDQGasGaugeControl @0x80b0c000 (File: 0xacb000) (com.apple.driver.AppleHDQGasGaugeControl) Kext: Broadcom WLAN SDIO Bus Driver @0x80b10000 (File: 0xacf000) (com.apple.driver.AppleBCMWLANBusInterfaceSDIO) Kext: I/O Kit HID Event Driver @0x80b21000 (File: 0xae0000) (com.apple.driver.AppleH3CameraInterface) Kext: AppleDiskImagesReadWriteDiskImage @0x80b40000 (File: 0xaff000) (com.apple.driver.DiskImages.ReadWriteDiskImage) Kext: AppleFSCompressionTypeZlib @0x80b43000 (File: 0xb02000) (com.apple.AppleFSCompression.AppleFSCompressionTypeZlib) Kext: AppleUSBEthernet @0x80b48000 (File: 0xb07000) (com.apple.driver.AppleUSBEthernet) Kext: EmbeddedIOP @0x80b51000 (File: 0xb10000) (com.apple.driver.EmbeddedIOP) Kext: I/O Kit Driver for USB HID Devices @0x80b59000 (File: 0xb18000) (com.apple.driver.AppleS5L8930X) Kext: AppleSamsungI2S @0x80b63000 (File: 0xb22000) (com.apple.driver.AppleSamsungI2S) Kext: AppleM68Buttons @0x80b67000 (File: 0xb26000) (com.apple.driver.AppleM68Buttons) Kext: AppleVXD375 @0x80b6b000 (File: 0xb2a000) (com.apple.driver.AppleVXD375) Kext: AppleUSBDeviceMux @0x80b87000 (File: 0xb46000) (com.apple.driver.AppleUSBDeviceMux) Kext: PPTP @0x80b8f000 (File: 0xb4e000) (com.apple.nke.pptp) Kext: I/O Kit Driver for USB HID Devices @0x80b94000 (File: 0xb53000) (com.apple.iokit.IOUSBHIDDriver) Kext: AppleMultitouchSPIZ2F13 @0x80b9a000 (File: 0xb59000) (com.apple.iokit.IOAcceleratorFamily) Kext: IMGSGX535 Graphics Kernel Extension @0x80bb7000 (File: 0xb76000) (com.apple.IMGSGX535) Kext: ApplePinotLCD @0x80be4000 (File: 0xba3000) (com.apple.driver.ApplePinotLCD) Kext: I/O Kit Driver for USB Hubs @0x80be7000 (File: 0xba6000) (com.apple.driver.AppleUSBHub) Kext: AppleEmbeddedCompass @0x80bf0000 (File: 0xbaf000) (com.apple.driver.AppleEmbeddedCompass) Kext: AppleProfileThreadInfoAction @0x80bf8000 (File: 0xbb7000) (com.apple.driver.AppleProfileThreadInfoAction) Kext: AppleBasebandCDC @0x80bfc000 (File: 0xbbb000) (com.apple.driver.AppleBasebandCDC) Kext: AppleUSBEthernetHost @0x80c02000 (File: 0xbc1000) (com.apple.driver.AppleUSBEthernetHost) Kext: AppleDPRepeater @0x80c07000 (File: 0xbc6000) (com.apple.driver.AppleDPRepeater) Kext: I/O Kit HID Event Driver Safe Boot @0x80c36000 (File: 0xbf5000) (com.apple.driver.AppleCD3282Mikey) Kext: tlsnke @0x80c3a000 (File: 0xbf9000) (com.apple.nke.tls) Kext: AppleUSBHIDKeyboard @0x80c40000 (File: 0xbff000) (com.apple.driver.AppleUSBHIDKeyboard) Kext: AppleProfileCallstackAction @0x80c43000 (File: 0xc02000) (com.apple.driver.AppleProfileCallstackAction) Kext: AppleDiagnosticDataAccessReadOnly @0x80c47000 (File: 0xc06000) (com.apple.driver.AppleDiagnosticDataAccessReadOnly) Kext: AppleNANDLegacyFTL @0x80c4a000 (File: 0xc09000) (com.apple.driver.AppleNANDLegacyFTL) Kext: AppleTetheredDevice @0x80c78000 (File: 0xc37000) (com.apple.driver.AppleTetheredDevice) Kext: AppleUSBHSIC @0x80c7b000 (File: 0xc3a000) (com.apple.driver.AppleUSBHSIC) Kext: Embedded I/O Kit Driver for USB EHCI Controllers @0x80c83000 (File: 0xc42000) (com.apple.driver.AppleUSBEHCIARM)
As of the iPhone11 (iPhone XS/R) and iOS 12, Apple has moved to a new kernelcache format. This is recognizable by an LC_SOURCE_VERSION which is much Lower than that of XNU's (1469 for iOS12, 17xx for iOS13), likely an artifact of misconfiguration on Apple's side, since it matches the source version of the kernelcache builder.
The new kernelcaches are monolithic and tightly linked, in that KEXT code is interspersed with the kernel's own. They are also fully stripped of all symbols. The joker tool's most useful feature, Kextraction (extracting kexts from the kernelcache) can therefore no longer be used (and, in fact, there is no straightforward way to extract kexts anymore from these caches). Joker has been superseded by jtool2's --analyze option, which can effectively symbolicate 1000s (3,000-8,000, depending on iOS version) of symbols.
The tool ioskextdump developed by cocoahuke used a disassembly framework Capstone to further analyze iOS kernelcache and dump information that's incredibly useful for vulnerability research - including
- Name, Address, size, vtable of all IOKit base classes and derived classes
- The inheritance for all IOKit derived classes
- All function addresses and corresponding positions in the vtable
- Symbolizes every functions in each derived class
- Lists all override functions in each derived class
- Detects IOExternalMethodDispatch structure in each UserClient class
The developer has made adjustments to support iOS 8-13 kernelcache, as well as for different architectures such as arm32, arm64, x86_64. The following is an output snippet of analyzing iOS 12.3 kernelcache using ioskextdump_ios10, showing the detailed information of IOHIDLibUserClient. There are a total of 1860 IOKit classes in this output, you can download the full output here.
******** 1:com.apple.iokit.IOHIDFamily ******* (0xfffffff005ff7ee8)->OSMetaClass:OSMetaClass call 4 args list x0:0xfffffff00775bb40 x1:IOHIDLibUserClient x2:0xfffffff007668400 x3:0x150 vtable start from addr 0xfffffff006deef70 Inheritance relationship: IOUserClient->IOService->IORegistryEntry->OSObject override: IOUserClient_IOUserClient loc:0xfffffff006deef70 imp:0xfffffff005ff500c override: IOUserClient_~IOUserClient loc:0xfffffff006deef78 imp:0xfffffff005ff5010 override: IOUserClient_getMetaClass loc:0xfffffff006deefa8 imp:0xfffffff005ff5028 override: IOUserClient_free loc:0xfffffff006deefd8 imp:0xfffffff005ff63c0 override: IORegistryEntry_setProperties loc:0xfffffff006def0c8 imp:0xfffffff005ff65a8 override: IOService_didTerminate loc:0xfffffff006def1d0 imp:0xfffffff005ff6370 override: IOService_start loc:0xfffffff006def218 imp:0xfffffff005ff5a04 override: IOService_stop loc:0xfffffff006def220 imp:0xfffffff005ff5e9c override: IOService_attach loc:0xfffffff006def2c8 imp:0xfffffff005ff7dac override: IOService_message loc:0xfffffff006def388 imp:0xfffffff005ff64a8 override: IOUserClient_externalMethod loc:0xfffffff006def4a8 imp:0xfffffff005ff60d0 override: IOUserClient_initWithTask loc:0xfffffff006def4c0 imp:0xfffffff005ff585c override: IOUserClient_clientClose loc:0xfffffff006def4c8 imp:0xfffffff005ff59e0 override: IOUserClient_registerNotificationPort loc:0xfffffff006def4e0 imp:0xfffffff005ff65c8 override: IOUserClient_clientMemoryForType loc:0xfffffff006def4f8 imp:0xfffffff005ff67a8 override: IOUserClient_IOUserClient loc:0xfffffff006deef70 imp:0xfffffff005ff500c override: IOUserClient_~IOUserClient loc:0xfffffff006deef78 imp:0xfffffff005ff5010 override: IOUserClient_getMetaClass loc:0xfffffff006deefa8 imp:0xfffffff005ff5028 override: IOUserClient_free loc:0xfffffff006deefd8 imp:0xfffffff005ff63c0 override: IORegistryEntry_setProperties loc:0xfffffff006def0c8 imp:0xfffffff005ff65a8 override: IOService_didTerminate loc:0xfffffff006def1d0 imp:0xfffffff005ff6370 override: IOService_start loc:0xfffffff006def218 imp:0xfffffff005ff5a04 override: IOService_stop loc:0xfffffff006def220 imp:0xfffffff005ff5e9c override: IOService_attach loc:0xfffffff006def2c8 imp:0xfffffff005ff7dac override: IOService_message loc:0xfffffff006def388 imp:0xfffffff005ff64a8 0 func:0xfffffff005ff514c scalar_i:0x0 struct_i:0x0 scalar_o:0x2 struct_o:0x0 1 func:0xfffffff005ff5164 scalar_i:0x1 struct_i:0x0 scalar_o:0x0 struct_o:0x0 2 func:0xfffffff005ff5170 scalar_i:0x0 struct_i:0x0 scalar_o:0x0 struct_o:0x0 3 func:0xfffffff005ff5188 scalar_i:0x2 struct_i:0x0 scalar_o:0x1 struct_o:0x0 4 func:0xfffffff005ff51a0 scalar_i:0x1 struct_i:0x0 scalar_o:0x0 struct_o:0x0 5 func:0xfffffff005ff51d0 scalar_i:0x3 struct_i:0x0 scalar_o:0x1 struct_o:0x0 6 func:0xfffffff005ff5254 scalar_i:0x2 struct_i:0x0 scalar_o:0x1 struct_o:0x0 7 func:0xfffffff005ff52d4 scalar_i:0x2 struct_i:0x0 scalar_o:0x1 struct_o:0x0 8 func:0xfffffff005ff5314 scalar_i:0x1 struct_i:0x0 scalar_o:0x0 struct_o:0x0 9 func:0xfffffff005ff5350 scalar_i:0x1 struct_i:0x0 scalar_o:0x0 struct_o:0x0 10 func:0xfffffff005ff538c scalar_i:0xffffffff struct_i:0x0 scalar_o:0x0 struct_o:0x0 11 func:0xfffffff005ff5398 scalar_i:0xffffffff struct_i:0x0 scalar_o:0x0 struct_o:0x0 12 func:0xfffffff005ff53a4 scalar_i:0x3 struct_i:0x0 scalar_o:0x0 struct_o:0xffffffff 13 func:0xfffffff005ff5660 scalar_i:0x3 struct_i:0xffffffff scalar_o:0x0 struct_o:0x0 14 func:0xfffffff005ff57d8 scalar_i:0x0 struct_i:0x0 scalar_o:0x2 struct_o:0x0 15 func:0xfffffff005ff57e4 scalar_i:0x1 struct_i:0x0 scalar_o:0x0 struct_o:0xffffffff 16 func:0xfffffff005ff5810 scalar_i:0x1 struct_i:0x0 scalar_o:0x0 struct_o:0x0