Difference between revisions of "Kernelcache"

From The iPhone Wiki
Jump to: navigation, search
m
m (Updating.)
Line 1: Line 1:
The kernelcache is basically the [[kernel]] itself as well as all of its extensions (AppleImage3NORAccess, IOAESAccelerator, IOPKEAccelerator, etc.) into one file, then packed/encrypted in an [[IMG3 File Format|IMG3]] (iOS 2.0 and above) or [[S5L File Formats#8900|8900]] (iOS 1.0 through 1.1.4) container.
+
The kernelcache is basically the [[kernel]] itself as well as all of its extensions (AppleImage3NORAccess, IOAESAccelerator, IOPKEAccelerator, etc.) into one file, then packed/encrypted in an [[IMG3 File Format|IMG3]] (iPhone OS 2.0 and above) or [[S5L File Formats#8900|8900]] (iPhone OS 1.0 through 1.1.4) container.
   
 
[[Category:Filesystem]]
 
[[Category:Filesystem]]
   
The joker tool, from http://newosxbook.com/ can be used to dump information from a decrypted kernelcache - including system call and Mach trap addresses (in the kernel) as well as a list of all the KEXTs contained therein and their load addresses. The output from a 6.1.3 kernelcache ([[n90ap|iPhone 4 (iPhone3,1)]]) using this tool, showing 153 kexts, is as follows:
+
The joker tool, from http://newosxbook.com/ can be used to dump information from a decrypted kernelcache - including system call and Mach trap addresses (in the kernel) as well as a list of all the KEXTs contained therein and their load addresses. The output from a 6.1.3 kernelcache ([[N90AP|iPhone 4 (iPhone3,1)]]) using this tool, showing 153 kexts, is as follows:
   
 
<pre>
 
<pre>

Revision as of 12:00, 13 October 2015

The kernelcache is basically the kernel itself as well as all of its extensions (AppleImage3NORAccess, IOAESAccelerator, IOPKEAccelerator, etc.) into one file, then packed/encrypted in an IMG3 (iPhone OS 2.0 and above) or 8900 (iPhone OS 1.0 through 1.1.4) container.

The joker tool, from http://newosxbook.com/ can be used to dump information from a decrypted kernelcache - including system call and Mach trap addresses (in the kernel) as well as a list of all the KEXTs contained therein and their load addresses. The output from a 6.1.3 kernelcache (iPhone 4 (iPhone3,1)) using this tool, showing 153 kexts, is as follows:

KextCache begins at : 0x80396000 (File Offset: 3493888)
Kext: Libkern Pseudoextension @0x80396000 (File: 0xffffffff) (com.apple.kpi.libkern)
Kext: Mach Kernel Pseudoextension @0x8039e000 (File: 0x35d000) (com.apple.kpi.mach)
Kext: Unsupported Pseudoextension @0x8039f000 (File: 0x35e000) (com.apple.kpi.unsupported)
Kext: I/O Kit Pseudoextension @0x803a1000 (File: 0x360000) (com.apple.kpi.iokit)
Kext: Private Pseudoextension @0x803b8000 (File: 0x377000) (com.apple.kpi.private)
Kext: BSD Kernel Pseudoextension @0x803bd000 (File: 0x37c000) (com.apple.kpi.bsd)
Kext: AppleARMPlatform @0x803c3000 (File: 0x382000) (com.apple.driver.AppleARMPlatform)
Kext: AppleSamsungSPI @0x803fd000 (File: 0x3bc000) (com.apple.driver.AppleSamsungSPI)
Kext: MAC Framework Pseudoextension @0x80401000 (File: 0x3c0000) (com.apple.kpi.dsep)
Kext: IOCryptoAcceleratorFamily @0x80402000 (File: 0x3c1000) (com.apple.iokit.IOCryptoAcceleratorFamily)
Kext: AppleMobileFileIntegrity @0x80410000 (File: 0x3cf000) (com.apple.driver.AppleMobileFileIntegrity)
Kext: IOHIDFamily @0x80427000 (File: 0x3e6000) (com.apple.iokit.IOHIDFamily)
Kext: AppleEmbeddedLightSensor @0x80447000 (File: 0x406000) (com.apple.driver.AppleEmbeddedLightSensor)
Kext: I/O Kit USB Family @0x80453000 (File: 0x412000) (com.apple.iokit.IOUSBFamily)
Kext: I/O Kit Driver for USB User Clients @0x80483000 (File: 0x442000) (com.apple.iokit.IOUSBUserClient)
Kext: I/O Kit Driver for USB EHCI Controllers @0x80486000 (File: 0x445000) (com.apple.driver.AppleUSBEHCI)
Kext: I/O Kit Driver for USB OHCI Controllers @0x8049c000 (File: 0x45b000) (com.apple.driver.AppleUSBOHCI)
Kext: AppleD1815PMU @0x804a8000 (File: 0x467000) (com.apple.driver.AppleD1815PMU)
Kext: AppleARMPL080DMAC @0x804bf000 (File: 0x47e000) (com.apple.driver.AppleARMPL080DMAC)
Kext: AppleMultitouchSPI @0x804c3000 (File: 0x482000) (com.apple.driver.AppleMultitouchSPI)
Kext: AppleKernelStorage @0x804d7000 (File: 0x496000) (com.apple.platform.AppleKernelStorage)
Kext: I/O Kit Storage Family @0x804da000 (File: 0x499000) (com.apple.iokit.IOStorageFamily)
Kext: AppleDiskImageDriver @0x804f2000 (File: 0x4b1000) (com.apple.driver.DiskImages)
Kext: AppleDiskImagesKernelBacked @0x804fe000 (File: 0x4bd000) (com.apple.driver.DiskImages.KernelBacked)
Kext: AppleDiskImagesRAMBackingStore @0x8050a000 (File: 0x4c9000) (com.apple.driver.DiskImages.RAMBackingStore)
Kext: AppleJPEGDriver @0x8050d000 (File: 0x4cc000) (com.apple.driver.AppleJPEGDriver)
Kext: EncryptedBlockStorage @0x80517000 (File: 0x4d6000) (com.apple.iokit.EncryptedBlockStorage)
Kext: IOFlashStorage @0x8051f000 (File: 0x4de000) (com.apple.iokit.IOFlashStorage)
Kext: AppleTVOut @0x80538000 (File: 0x4f7000) (com.apple.driver.AppleTVOut)
Kext: AppleEmbeddedUSB @0x8053c000 (File: 0x4fb000) (com.apple.driver.AppleEmbeddedUSB)
Kext: I/O Kit Driver for USB Composite Devices @0x80545000 (File: 0x504000) (com.apple.driver.AppleUSBComposite)
Kext: I/O Kit Driver for USB Devices @0x8054a000 (File: 0x509000) (com.apple.driver.AppleUSBMergeNub)
Kext: AppleEmbeddedUSBHost @0x8054f000 (File: 0x50e000) (com.apple.driver.AppleEmbeddedUSBHost)
Kext: Embedded I/O Kit Driver for USB OHCI Controllers @0x80554000 (File: 0x513000) (com.apple.driver.AppleUSBOHCIARM)
Kext: AppleHIDKeyboardEmbedded @0x80559000 (File: 0x518000) (com.apple.iokit.IOStreamFamily)
Kext: IOAudio2Family @0x8055e000 (File: 0x51d000) (com.apple.iokit.IOAudio2Family)
Kext: IOAVFamily @0x80568000 (File: 0x527000) (com.apple.iokit.IOAVFamily)
Kext: IODisplayPortFamily @0x8059d000 (File: 0x55c000) (com.apple.iokit.IODisplayPortFamily)
Kext: AppleSamsungDPTX @0x805b3000 (File: 0x572000) (com.apple.driver.AppleSamsungDPTX)
Kext: IODARTFamily @0x805d0000 (File: 0x58f000) (com.apple.driver.IODARTFamily)
Kext: Apple M2 Scaler and Color Space Converter Driver @0x805db000 (File: 0x59a000) (com.apple.driver.AppleM2ScalerCSCDriver)
Kext: IOSlaveProcessor @0x805ef000 (File: 0x5ae000) (com.apple.driver.IOSlaveProcessor)
Kext: AppleARM7M @0x805f4000 (File: 0x5b3000) (com.apple.driver.AppleARM7M)
Kext: AppleEffaceableStorage @0x805f8000 (File: 0x5b7000) (com.apple.driver.AppleEffaceableStorage)
Kext: LightweightVolumeManager @0x80602000 (File: 0x5c1000) (com.apple.driver.LightweightVolumeManager)
Kext: IOKit Serial Port Family @0x8060c000 (File: 0x5cb000) (com.apple.iokit.IOSerialFamily)
Kext: AppleOnboardSerial @0x80616000 (File: 0x5d5000) (com.apple.driver.AppleOnboardSerial)
Kext: AppleARMIISAudio @0x80624000 (File: 0x5e3000) (com.apple.iokit.AppleARMIISAudio)
Kext: HighlandParkAudioDevice @0x8062b000 (File: 0x5ea000) (com.apple.driver.HighlandParkAudioDevice)
Kext: AppleBasebandAudio @0x8065e000 (File: 0x61d000) (com.apple.driver.AppleBasebandAudio)
Kext: IOUSBDeviceFamily @0x80661000 (File: 0x620000) (com.apple.iokit.IOUSBDeviceFamily)
Kext: I/O Kit Networking Family @0x8066e000 (File: 0x62d000) (com.apple.iokit.IONetworkingFamily)
Kext: AppleUSBEthernetDevice @0x80688000 (File: 0x647000) (com.apple.driver.AppleUSBEthernetDevice)
Kext: AppleTCA6408GPIOIC @0x8068d000 (File: 0x64c000) (com.apple.driver.AppleTCA6408GPIOIC)
Kext: AppleNANDConfigAccess @0x80691000 (File: 0x650000) (com.apple.driver.AppleNANDConfigAccess)
Kext: AppleCDMA @0x80694000 (File: 0x653000) (com.apple.driver.AppleCDMA)
Kext: AppleNANDFTL @0x8069b000 (File: 0x65a000) (com.apple.driver.AppleNANDFTL)
Kext: IOAccessoryManager @0x806a4000 (File: 0x663000) (com.apple.iokit.IOAccessoryManager)
Kext: IOUserEthernet @0x806b8000 (File: 0x677000) (com.apple.iokit.IOUserEthernet)
Kext: AppleUSBAudio @0x806c0000 (File: 0x67f000) (com.apple.driver.AppleUSBAudio)
Kext: AppleDiskImagesUDIFDiskImage @0x806f0000 (File: 0x6af000) (com.apple.driver.DiskImages.UDIFDiskImage)
Kext: AppleS5L8930XUSB @0x806f7000 (File: 0x6b6000) (com.apple.driver.AppleS5L8930XUSB)
Kext: AppleEmbeddedGyro @0x806fb000 (File: 0x6ba000) (com.apple.driver.AppleEmbeddedGyro)
Kext: IOMobileGraphicsFamily @0x80704000 (File: 0x6c3000) (com.apple.iokit.IOMobileGraphicsFamily)
Kext: IOSurface @0x80713000 (File: 0x6d2000) (com.apple.iokit.IOSurface)
Kext: AppleDisplayPipe @0x80721000 (File: 0x6e0000) (com.apple.driver.AppleDisplayPipe)
Kext: AppleCLCD @0x80731000 (File: 0x6f0000) (com.apple.driver.AppleCLCD)
Kext: AppleS5L8930XDART @0x8073f000 (File: 0x6fe000) (com.apple.driver.AppleS5L8930XDART)
Kext: AppleEmbeddedGPS @0x80744000 (File: 0x703000) (com.apple.driver.AppleEmbeddedGPS)
Kext: AppleS5L8920X @0x8074a000 (File: 0x709000) (com.apple.driver.AppleS5L8920X)
Kext: PPP @0x80757000 (File: 0x716000) (com.apple.nke.ppp)
Kext: L2TP @0x80761000 (File: 0x720000) (com.apple.nke.l2tp)
Kext: AppleEmbeddedAccelerometer @0x80767000 (File: 0x726000) (com.apple.driver.AppleEmbeddedAccelerometer)
Kext: AppleSynopsysOTGDevice @0x8076d000 (File: 0x72c000) (com.apple.driver.AppleSynopsysOTGDevice)
Kext: FairPlayIOKit @0x80777000 (File: 0x736000) (com.apple.driver.FairPlayIOKit)
Kext: LSKDIOKit @0x807d7000 (File: 0x796000) (com.apple.driver.LSKDIOKit)
Kext: AppleAMC_r2 @0x807f5000 (File: 0x7b4000) (com.apple.driver.AppleAMC_r2)
Kext: AppleProfileFamily @0x8086e000 (File: 0x82d000) (com.apple.iokit.AppleProfileFamily)
Kext: AppleProfileTimestampAction @0x80899000 (File: 0x858000) (com.apple.driver.AppleProfileTimestampAction)
Kext: AppleAC3Passthrough @0x8089d000 (File: 0x85c000) (com.apple.driver.AppleAC3Passthrough)
Kext: IOTextEncryptionFamily @0x808a3000 (File: 0x862000) (com.apple.IOTextEncryptionFamily)
Kext: corecrypto @0x808a8000 (File: 0x867000) (com.apple.kec.corecrypto)
Kext: AppleUSBMike @0x808d3000 (File: 0x892000) (com.apple.driver.AppleUSBMike)
Kext: AppleProfileRegisterStateAction @0x808d7000 (File: 0x896000) (com.apple.driver.AppleProfileRegisterStateAction)
Kext: AppleDiskImagesFileBackingStore @0x808db000 (File: 0x89a000) (com.apple.driver.DiskImages.FileBackingStore)
Kext: AppleEmbeddedProx @0x808df000 (File: 0x89e000) (com.apple.driver.AppleEmbeddedProx)
Kext: AppleProfileReadCounterAction @0x808e7000 (File: 0x8a6000) (com.apple.driver.AppleProfileReadCounterAction)
Kext: BasebandSPI @0x808eb000 (File: 0x8aa000) (com.apple.driver.BasebandSPI)
Kext: AppleSerialMultiplexer @0x80905000 (File: 0x8c4000) (com.apple.driver.AppleSerialMultiplexer)
Kext: AppleNANDFirmware @0x80924000 (File: 0x8e3000) (com.apple.driver.AppleNANDFirmware)
Kext: AppleImage3NORAccess @0x80928000 (File: 0x8e7000) (com.apple.driver.AppleImage3NORAccess)
Kext: AppleSamsungSWI @0x80930000 (File: 0x8ef000) (com.apple.driver.AppleSamsungSWI)
Kext: AppleARMPL192VIC @0x80934000 (File: 0x8f3000) (com.apple.driver.AppleARMPL192VIC)
Kext: AppleIOPFMI @0x80937000 (File: 0x8f6000) (com.apple.driver.AppleIOPFMI)
Kext: IO80211Family @0x80947000 (File: 0x906000) (com.apple.iokit.IO80211Family)
Kext: Broadcom 802.11 Driver @0x80996000 (File: 0x955000) (com.apple.driver.AppleBCMWLANCore)
Kext: IOFlashNVRAM @0x80a04000 (File: 0x9c3000) (com.apple.driver.IOFlashNVRAM)
Kext: AppleSamsungSerial @0x80a0a000 (File: 0x9c9000) (com.apple.driver.AppleSamsungSerial)
Kext: AppleBasebandUSB @0x80a0e000 (File: 0x9cd000) (com.apple.driver.AppleBasebandUSB)
Kext: AppleRGBOUT @0x80a11000 (File: 0x9d0000) (com.apple.driver.AppleRGBOUT)
Kext: AppleBSDKextStarter @0x80a19000 (File: 0x9d8000) (com.apple.driver.AppleBSDKextStarter)
Kext: AppleSamsungMIPIDSI @0x80a1c000 (File: 0x9db000) (com.apple.driver.AppleSamsungMIPIDSI)
Kext: Regular Expression Matching Engine @0x80a21000 (File: 0x9e0000) (com.apple.kext.AppleMatch)
Kext: AppleLTC4099Charger @0x80a25000 (File: 0x9e4000) (com.apple.driver.AppleLTC4099Charger)
Kext: IOMikeyBusFamily @0x80a29000 (File: 0x9e8000) (com.apple.iokit.IOMikeyBusFamily)
Kext: AppleEmbeddedAudio @0x80a3b000 (File: 0x9fa000) (com.apple.driver.AppleEmbeddedAudio)
Kext: AppleCS42L61Audio @0x80a5c000 (File: 0xa1b000) (com.apple.driver.AppleCS42L61Audio)
Kext: IOP_s5l8930x_firmware @0x80a61000 (File: 0xa20000) (com.apple.driver.IOP_s5l8930x_firmware)
Kext: AppleBasebandN90 @0x80a8e000 (File: 0xa4d000) (com.apple.driver.AppleBasebandN90)
Kext: AppleMultitouchSPIN1F55 @0x80a97000 (File: 0xa56000) (com.apple.driver.AppleBluetooth)
Kext: AppleIntegratedProxALSSensor @0x80a9a000 (File: 0xa59000) (com.apple.driver.AppleIntegratedProxALSSensor)
Kext: AppleCDCSerialDevice @0x80aa4000 (File: 0xa63000) (com.apple.driver.AppleCDCSerialDevice)
Kext: H3 H264 Video Encoder @0x80aac000 (File: 0xa6b000) (com.apple.driver.H2H264VideoEncoderDriver)
Kext: AppleProfileKEventAction @0x80acd000 (File: 0xa8c000) (com.apple.driver.AppleProfileKEventAction)
Kext: AppleS5L8930XUSBPhy @0x80ad1000 (File: 0xa90000) (com.apple.driver.AppleS5L8930XUSBPhy)
Kext: IOKit SDIO Family @0x80ad5000 (File: 0xa94000) (com.apple.iokit.IOSDIOFamily)
Kext: AppleSamsungPKE @0x80ae5000 (File: 0xaa4000) (com.apple.driver.AppleSamsungPKE)
Kext: AppleIOPSDIO @0x80ae9000 (File: 0xaa8000) (com.apple.driver.AppleIOPSDIO)
Kext: Seatbelt sandbox policy @0x80af1000 (File: 0xab0000) (com.apple.security.sandbox)
Kext: AppleHIDKeyboard @0x80afc000 (File: 0xabb000) (com.apple.driver.AppleHIDKeyboard)
Kext: AppleKeyStore @0x80aff000 (File: 0xabe000) (com.apple.driver.AppleKeyStore)
Kext: AppleHDQGasGaugeControl @0x80b0c000 (File: 0xacb000) (com.apple.driver.AppleHDQGasGaugeControl)
Kext: Broadcom WLAN SDIO Bus Driver @0x80b10000 (File: 0xacf000) (com.apple.driver.AppleBCMWLANBusInterfaceSDIO)
Kext: I/O Kit HID Event Driver @0x80b21000 (File: 0xae0000) (com.apple.driver.AppleH3CameraInterface)
Kext: AppleDiskImagesReadWriteDiskImage @0x80b40000 (File: 0xaff000) (com.apple.driver.DiskImages.ReadWriteDiskImage)
Kext: AppleFSCompressionTypeZlib @0x80b43000 (File: 0xb02000) (com.apple.AppleFSCompression.AppleFSCompressionTypeZlib)
Kext: AppleUSBEthernet @0x80b48000 (File: 0xb07000) (com.apple.driver.AppleUSBEthernet)
Kext: EmbeddedIOP @0x80b51000 (File: 0xb10000) (com.apple.driver.EmbeddedIOP)
Kext: I/O Kit Driver for USB HID Devices @0x80b59000 (File: 0xb18000) (com.apple.driver.AppleS5L8930X)
Kext: AppleSamsungI2S @0x80b63000 (File: 0xb22000) (com.apple.driver.AppleSamsungI2S)
Kext: AppleM68Buttons @0x80b67000 (File: 0xb26000) (com.apple.driver.AppleM68Buttons)
Kext: AppleVXD375 @0x80b6b000 (File: 0xb2a000) (com.apple.driver.AppleVXD375)
Kext: AppleUSBDeviceMux @0x80b87000 (File: 0xb46000) (com.apple.driver.AppleUSBDeviceMux)
Kext: PPTP @0x80b8f000 (File: 0xb4e000) (com.apple.nke.pptp)
Kext: I/O Kit Driver for USB HID Devices @0x80b94000 (File: 0xb53000) (com.apple.iokit.IOUSBHIDDriver)
Kext: AppleMultitouchSPIZ2F13 @0x80b9a000 (File: 0xb59000) (com.apple.iokit.IOAcceleratorFamily)
Kext: IMGSGX535 Graphics Kernel Extension @0x80bb7000 (File: 0xb76000) (com.apple.IMGSGX535)
Kext: ApplePinotLCD @0x80be4000 (File: 0xba3000) (com.apple.driver.ApplePinotLCD)
Kext: I/O Kit Driver for USB Hubs @0x80be7000 (File: 0xba6000) (com.apple.driver.AppleUSBHub)
Kext: AppleEmbeddedCompass @0x80bf0000 (File: 0xbaf000) (com.apple.driver.AppleEmbeddedCompass)
Kext: AppleProfileThreadInfoAction @0x80bf8000 (File: 0xbb7000) (com.apple.driver.AppleProfileThreadInfoAction)
Kext: AppleBasebandCDC @0x80bfc000 (File: 0xbbb000) (com.apple.driver.AppleBasebandCDC)
Kext: AppleUSBEthernetHost @0x80c02000 (File: 0xbc1000) (com.apple.driver.AppleUSBEthernetHost)
Kext: AppleDPRepeater @0x80c07000 (File: 0xbc6000) (com.apple.driver.AppleDPRepeater)
Kext: I/O Kit HID Event Driver Safe Boot @0x80c36000 (File: 0xbf5000) (com.apple.driver.AppleCD3282Mikey)
Kext: tlsnke @0x80c3a000 (File: 0xbf9000) (com.apple.nke.tls)
Kext: AppleUSBHIDKeyboard @0x80c40000 (File: 0xbff000) (com.apple.driver.AppleUSBHIDKeyboard)
Kext: AppleProfileCallstackAction @0x80c43000 (File: 0xc02000) (com.apple.driver.AppleProfileCallstackAction)
Kext: AppleDiagnosticDataAccessReadOnly @0x80c47000 (File: 0xc06000) (com.apple.driver.AppleDiagnosticDataAccessReadOnly)
Kext: AppleNANDLegacyFTL @0x80c4a000 (File: 0xc09000) (com.apple.driver.AppleNANDLegacyFTL)
Kext: AppleTetheredDevice @0x80c78000 (File: 0xc37000) (com.apple.driver.AppleTetheredDevice)
Kext: AppleUSBHSIC @0x80c7b000 (File: 0xc3a000) (com.apple.driver.AppleUSBHSIC)
Kext: Embedded I/O Kit Driver for USB EHCI Controllers @0x80c83000 (File: 0xc42000) (com.apple.driver.AppleUSBEHCIARM)