Difference between revisions of "Kernel Dumping"
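--- a/Kernel Dumping
+++ b/Kernel Dumping
@@ -33,6 +33,6 @@
 }
 
-while( addr < (0x80002000 +
+while( addr < (0x80002000 + 0x1F000000))
 {
 
 vm_read(kernel_task, addr, 2048, &buf, &sz);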
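Review bot: The completed condition on the `+` line hard-codes the dump range as `0x80002000 + 0x1F000000` without naming either bound, and the `vm_read` call kept as context discards its `kern_return_t`, so a read that fails may leave `buf` and `sz` holding stale values that the loop body (which continues below this hunk) cannot distinguish from a successful read; the full listing on this page shows that body doing `continue` without advancing `addr`, which never makes progress once a chunk is unreadable. I would name the bounds, e.g. `static const vm_address_t kDumpStart = 0x80002000, kDumpSpan = 0x1F000000;`, and take the status: `kern_return_t kr = vm_read(kernel_task, addr, 2048, &buf, &sz);` followed by `if (kr != KERN_SUCCESS) { /* write a zero chunk so file offsets stay address-aligned */ addr += 2048; continue; }`. The buffer `vm_read` returns is allocated in the caller's address space and should be released with `vm_deallocate(mach_task_self(), buf, sz)` once written out, otherwise the process leaks roughly the size of the dump.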
Revision as of 22:28, 28 March 2015
Dumping the kernel is a method used to find offsets in the kernel. It is needed because, since KASLR was added, the offsets have to be found anew for each boot. Once you have dumped all the kernel memory, you fwrite() everything into a .bin file; once the kernel is dumped into a file, you can use ios-jailbreak-patchfinder to find every offset needed to patch the kernel.
Code to dump the Kernel
#include <stdio.h> #include <unistd.h> #include <CoreFoundation/CoreFoundation.h> #include <sys/types.h> #include <sys/sysctl.h> #include <mach/mach.h> mach_port_t kernel_task=0; int main(int argc, char** argv) { kern_return_t r = task_for_pid(mach_task_self(), 0, &kernel_task); if( r != 0) { printf("task_for_pid returned %x : missing tfp0 kernel patch or wrong entitlements\n", r); return 0; } uint32_t i; pointer_t buf; unsigned int sz; vm_address_t addr = 0x80002000; FILE *fp = fopen("kernel.bin", "wb+"); if(!fp) { printf("Failed to open kernel.bin\n"); return -1; } while( addr < (0x80002000 + 0x1F000000)) { vm_read(kernel_task, addr, 2048, &buf, &sz); if( buf == NULL || sz == 0) continue; uint8_t* p = (uint8_t*) buf; fwrite(p, 2048, 1, fp); addr += 2048; } fclose(fp); printf("Kernel dump is done\n"); return -1; }