Difference between revisions of "Kernelcache"

From The iPhone Wiki
Jump to: navigation, search
m (Updating.)
(new kernelcache format)
Line 162: Line 162:
   
 
</pre>
 
</pre>
  +
  +
As of the iPhone11 (iPhone XS/R) and iOS 12, Apple has moved to a new kernelcache format. This is recognizable by an LC_SOURCE_VERSION which is much Lower than that of XNU's (1469 for iOS12, 17xx for iOS13), likely an artifact of misconfiguration on Apple's side, since it matches the source version of the kernelcache builder.
  +
  +
The new kernelcaches are monolithic and tightly linked, in that KEXT code is interspersed with the kernel's own. They are also fully stripped of all symbols. The joker tool's most useful feature, Kextraction (extracting kexts from the kernelcache) can therefore no longer be used (and, in fact, there is no straightforward way to extract kexts anymore from these caches). Joker has been superseded by jtool2's --analyze option, which can effectively symbolicate 1000s (3,000-8,000, depending on iOS version) of symbols.

Revision as of 18:25, 6 June 2019

The kernelcache is basically the kernel itself as well as all of its extensions (AppleImage3NORAccess, IOAESAccelerator, IOPKEAccelerator, etc.) into one file, then packed/encrypted in an IMG3 (iPhone OS 2.0 and above) or 8900 (iPhone OS 1.0 through 1.1.4) container.

The joker tool, from http://newosxbook.com/ can be used to dump information from a decrypted kernelcache - including system call and Mach trap addresses (in the kernel) as well as a list of all the KEXTs contained therein and their load addresses. The output from a 6.1.3 kernelcache (iPhone 4 (iPhone3,1)) using this tool, showing 153 kexts, is as follows:

KextCache begins at : 0x80396000 (File Offset: 3493888)
Kext: Libkern Pseudoextension @0x80396000 (File: 0xffffffff) (com.apple.kpi.libkern)
Kext: Mach Kernel Pseudoextension @0x8039e000 (File: 0x35d000) (com.apple.kpi.mach)
Kext: Unsupported Pseudoextension @0x8039f000 (File: 0x35e000) (com.apple.kpi.unsupported)
Kext: I/O Kit Pseudoextension @0x803a1000 (File: 0x360000) (com.apple.kpi.iokit)
Kext: Private Pseudoextension @0x803b8000 (File: 0x377000) (com.apple.kpi.private)
Kext: BSD Kernel Pseudoextension @0x803bd000 (File: 0x37c000) (com.apple.kpi.bsd)
Kext: AppleARMPlatform @0x803c3000 (File: 0x382000) (com.apple.driver.AppleARMPlatform)
Kext: AppleSamsungSPI @0x803fd000 (File: 0x3bc000) (com.apple.driver.AppleSamsungSPI)
Kext: MAC Framework Pseudoextension @0x80401000 (File: 0x3c0000) (com.apple.kpi.dsep)
Kext: IOCryptoAcceleratorFamily @0x80402000 (File: 0x3c1000) (com.apple.iokit.IOCryptoAcceleratorFamily)
Kext: AppleMobileFileIntegrity @0x80410000 (File: 0x3cf000) (com.apple.driver.AppleMobileFileIntegrity)
Kext: IOHIDFamily @0x80427000 (File: 0x3e6000) (com.apple.iokit.IOHIDFamily)
Kext: AppleEmbeddedLightSensor @0x80447000 (File: 0x406000) (com.apple.driver.AppleEmbeddedLightSensor)
Kext: I/O Kit USB Family @0x80453000 (File: 0x412000) (com.apple.iokit.IOUSBFamily)
Kext: I/O Kit Driver for USB User Clients @0x80483000 (File: 0x442000) (com.apple.iokit.IOUSBUserClient)
Kext: I/O Kit Driver for USB EHCI Controllers @0x80486000 (File: 0x445000) (com.apple.driver.AppleUSBEHCI)
Kext: I/O Kit Driver for USB OHCI Controllers @0x8049c000 (File: 0x45b000) (com.apple.driver.AppleUSBOHCI)
Kext: AppleD1815PMU @0x804a8000 (File: 0x467000) (com.apple.driver.AppleD1815PMU)
Kext: AppleARMPL080DMAC @0x804bf000 (File: 0x47e000) (com.apple.driver.AppleARMPL080DMAC)
Kext: AppleMultitouchSPI @0x804c3000 (File: 0x482000) (com.apple.driver.AppleMultitouchSPI)
Kext: AppleKernelStorage @0x804d7000 (File: 0x496000) (com.apple.platform.AppleKernelStorage)
Kext: I/O Kit Storage Family @0x804da000 (File: 0x499000) (com.apple.iokit.IOStorageFamily)
Kext: AppleDiskImageDriver @0x804f2000 (File: 0x4b1000) (com.apple.driver.DiskImages)
Kext: AppleDiskImagesKernelBacked @0x804fe000 (File: 0x4bd000) (com.apple.driver.DiskImages.KernelBacked)
Kext: AppleDiskImagesRAMBackingStore @0x8050a000 (File: 0x4c9000) (com.apple.driver.DiskImages.RAMBackingStore)
Kext: AppleJPEGDriver @0x8050d000 (File: 0x4cc000) (com.apple.driver.AppleJPEGDriver)
Kext: EncryptedBlockStorage @0x80517000 (File: 0x4d6000) (com.apple.iokit.EncryptedBlockStorage)
Kext: IOFlashStorage @0x8051f000 (File: 0x4de000) (com.apple.iokit.IOFlashStorage)
Kext: AppleTVOut @0x80538000 (File: 0x4f7000) (com.apple.driver.AppleTVOut)
Kext: AppleEmbeddedUSB @0x8053c000 (File: 0x4fb000) (com.apple.driver.AppleEmbeddedUSB)
Kext: I/O Kit Driver for USB Composite Devices @0x80545000 (File: 0x504000) (com.apple.driver.AppleUSBComposite)
Kext: I/O Kit Driver for USB Devices @0x8054a000 (File: 0x509000) (com.apple.driver.AppleUSBMergeNub)
Kext: AppleEmbeddedUSBHost @0x8054f000 (File: 0x50e000) (com.apple.driver.AppleEmbeddedUSBHost)
Kext: Embedded I/O Kit Driver for USB OHCI Controllers @0x80554000 (File: 0x513000) (com.apple.driver.AppleUSBOHCIARM)
Kext: AppleHIDKeyboardEmbedded @0x80559000 (File: 0x518000) (com.apple.iokit.IOStreamFamily)
Kext: IOAudio2Family @0x8055e000 (File: 0x51d000) (com.apple.iokit.IOAudio2Family)
Kext: IOAVFamily @0x80568000 (File: 0x527000) (com.apple.iokit.IOAVFamily)
Kext: IODisplayPortFamily @0x8059d000 (File: 0x55c000) (com.apple.iokit.IODisplayPortFamily)
Kext: AppleSamsungDPTX @0x805b3000 (File: 0x572000) (com.apple.driver.AppleSamsungDPTX)
Kext: IODARTFamily @0x805d0000 (File: 0x58f000) (com.apple.driver.IODARTFamily)
Kext: Apple M2 Scaler and Color Space Converter Driver @0x805db000 (File: 0x59a000) (com.apple.driver.AppleM2ScalerCSCDriver)
Kext: IOSlaveProcessor @0x805ef000 (File: 0x5ae000) (com.apple.driver.IOSlaveProcessor)
Kext: AppleARM7M @0x805f4000 (File: 0x5b3000) (com.apple.driver.AppleARM7M)
Kext: AppleEffaceableStorage @0x805f8000 (File: 0x5b7000) (com.apple.driver.AppleEffaceableStorage)
Kext: LightweightVolumeManager @0x80602000 (File: 0x5c1000) (com.apple.driver.LightweightVolumeManager)
Kext: IOKit Serial Port Family @0x8060c000 (File: 0x5cb000) (com.apple.iokit.IOSerialFamily)
Kext: AppleOnboardSerial @0x80616000 (File: 0x5d5000) (com.apple.driver.AppleOnboardSerial)
Kext: AppleARMIISAudio @0x80624000 (File: 0x5e3000) (com.apple.iokit.AppleARMIISAudio)
Kext: HighlandParkAudioDevice @0x8062b000 (File: 0x5ea000) (com.apple.driver.HighlandParkAudioDevice)
Kext: AppleBasebandAudio @0x8065e000 (File: 0x61d000) (com.apple.driver.AppleBasebandAudio)
Kext: IOUSBDeviceFamily @0x80661000 (File: 0x620000) (com.apple.iokit.IOUSBDeviceFamily)
Kext: I/O Kit Networking Family @0x8066e000 (File: 0x62d000) (com.apple.iokit.IONetworkingFamily)
Kext: AppleUSBEthernetDevice @0x80688000 (File: 0x647000) (com.apple.driver.AppleUSBEthernetDevice)
Kext: AppleTCA6408GPIOIC @0x8068d000 (File: 0x64c000) (com.apple.driver.AppleTCA6408GPIOIC)
Kext: AppleNANDConfigAccess @0x80691000 (File: 0x650000) (com.apple.driver.AppleNANDConfigAccess)
Kext: AppleCDMA @0x80694000 (File: 0x653000) (com.apple.driver.AppleCDMA)
Kext: AppleNANDFTL @0x8069b000 (File: 0x65a000) (com.apple.driver.AppleNANDFTL)
Kext: IOAccessoryManager @0x806a4000 (File: 0x663000) (com.apple.iokit.IOAccessoryManager)
Kext: IOUserEthernet @0x806b8000 (File: 0x677000) (com.apple.iokit.IOUserEthernet)
Kext: AppleUSBAudio @0x806c0000 (File: 0x67f000) (com.apple.driver.AppleUSBAudio)
Kext: AppleDiskImagesUDIFDiskImage @0x806f0000 (File: 0x6af000) (com.apple.driver.DiskImages.UDIFDiskImage)
Kext: AppleS5L8930XUSB @0x806f7000 (File: 0x6b6000) (com.apple.driver.AppleS5L8930XUSB)
Kext: AppleEmbeddedGyro @0x806fb000 (File: 0x6ba000) (com.apple.driver.AppleEmbeddedGyro)
Kext: IOMobileGraphicsFamily @0x80704000 (File: 0x6c3000) (com.apple.iokit.IOMobileGraphicsFamily)
Kext: IOSurface @0x80713000 (File: 0x6d2000) (com.apple.iokit.IOSurface)
Kext: AppleDisplayPipe @0x80721000 (File: 0x6e0000) (com.apple.driver.AppleDisplayPipe)
Kext: AppleCLCD @0x80731000 (File: 0x6f0000) (com.apple.driver.AppleCLCD)
Kext: AppleS5L8930XDART @0x8073f000 (File: 0x6fe000) (com.apple.driver.AppleS5L8930XDART)
Kext: AppleEmbeddedGPS @0x80744000 (File: 0x703000) (com.apple.driver.AppleEmbeddedGPS)
Kext: AppleS5L8920X @0x8074a000 (File: 0x709000) (com.apple.driver.AppleS5L8920X)
Kext: PPP @0x80757000 (File: 0x716000) (com.apple.nke.ppp)
Kext: L2TP @0x80761000 (File: 0x720000) (com.apple.nke.l2tp)
Kext: AppleEmbeddedAccelerometer @0x80767000 (File: 0x726000) (com.apple.driver.AppleEmbeddedAccelerometer)
Kext: AppleSynopsysOTGDevice @0x8076d000 (File: 0x72c000) (com.apple.driver.AppleSynopsysOTGDevice)
Kext: FairPlayIOKit @0x80777000 (File: 0x736000) (com.apple.driver.FairPlayIOKit)
Kext: LSKDIOKit @0x807d7000 (File: 0x796000) (com.apple.driver.LSKDIOKit)
Kext: AppleAMC_r2 @0x807f5000 (File: 0x7b4000) (com.apple.driver.AppleAMC_r2)
Kext: AppleProfileFamily @0x8086e000 (File: 0x82d000) (com.apple.iokit.AppleProfileFamily)
Kext: AppleProfileTimestampAction @0x80899000 (File: 0x858000) (com.apple.driver.AppleProfileTimestampAction)
Kext: AppleAC3Passthrough @0x8089d000 (File: 0x85c000) (com.apple.driver.AppleAC3Passthrough)
Kext: IOTextEncryptionFamily @0x808a3000 (File: 0x862000) (com.apple.IOTextEncryptionFamily)
Kext: corecrypto @0x808a8000 (File: 0x867000) (com.apple.kec.corecrypto)
Kext: AppleUSBMike @0x808d3000 (File: 0x892000) (com.apple.driver.AppleUSBMike)
Kext: AppleProfileRegisterStateAction @0x808d7000 (File: 0x896000) (com.apple.driver.AppleProfileRegisterStateAction)
Kext: AppleDiskImagesFileBackingStore @0x808db000 (File: 0x89a000) (com.apple.driver.DiskImages.FileBackingStore)
Kext: AppleEmbeddedProx @0x808df000 (File: 0x89e000) (com.apple.driver.AppleEmbeddedProx)
Kext: AppleProfileReadCounterAction @0x808e7000 (File: 0x8a6000) (com.apple.driver.AppleProfileReadCounterAction)
Kext: BasebandSPI @0x808eb000 (File: 0x8aa000) (com.apple.driver.BasebandSPI)
Kext: AppleSerialMultiplexer @0x80905000 (File: 0x8c4000) (com.apple.driver.AppleSerialMultiplexer)
Kext: AppleNANDFirmware @0x80924000 (File: 0x8e3000) (com.apple.driver.AppleNANDFirmware)
Kext: AppleImage3NORAccess @0x80928000 (File: 0x8e7000) (com.apple.driver.AppleImage3NORAccess)
Kext: AppleSamsungSWI @0x80930000 (File: 0x8ef000) (com.apple.driver.AppleSamsungSWI)
Kext: AppleARMPL192VIC @0x80934000 (File: 0x8f3000) (com.apple.driver.AppleARMPL192VIC)
Kext: AppleIOPFMI @0x80937000 (File: 0x8f6000) (com.apple.driver.AppleIOPFMI)
Kext: IO80211Family @0x80947000 (File: 0x906000) (com.apple.iokit.IO80211Family)
Kext: Broadcom 802.11 Driver @0x80996000 (File: 0x955000) (com.apple.driver.AppleBCMWLANCore)
Kext: IOFlashNVRAM @0x80a04000 (File: 0x9c3000) (com.apple.driver.IOFlashNVRAM)
Kext: AppleSamsungSerial @0x80a0a000 (File: 0x9c9000) (com.apple.driver.AppleSamsungSerial)
Kext: AppleBasebandUSB @0x80a0e000 (File: 0x9cd000) (com.apple.driver.AppleBasebandUSB)
Kext: AppleRGBOUT @0x80a11000 (File: 0x9d0000) (com.apple.driver.AppleRGBOUT)
Kext: AppleBSDKextStarter @0x80a19000 (File: 0x9d8000) (com.apple.driver.AppleBSDKextStarter)
Kext: AppleSamsungMIPIDSI @0x80a1c000 (File: 0x9db000) (com.apple.driver.AppleSamsungMIPIDSI)
Kext: Regular Expression Matching Engine @0x80a21000 (File: 0x9e0000) (com.apple.kext.AppleMatch)
Kext: AppleLTC4099Charger @0x80a25000 (File: 0x9e4000) (com.apple.driver.AppleLTC4099Charger)
Kext: IOMikeyBusFamily @0x80a29000 (File: 0x9e8000) (com.apple.iokit.IOMikeyBusFamily)
Kext: AppleEmbeddedAudio @0x80a3b000 (File: 0x9fa000) (com.apple.driver.AppleEmbeddedAudio)
Kext: AppleCS42L61Audio @0x80a5c000 (File: 0xa1b000) (com.apple.driver.AppleCS42L61Audio)
Kext: IOP_s5l8930x_firmware @0x80a61000 (File: 0xa20000) (com.apple.driver.IOP_s5l8930x_firmware)
Kext: AppleBasebandN90 @0x80a8e000 (File: 0xa4d000) (com.apple.driver.AppleBasebandN90)
Kext: AppleMultitouchSPIN1F55 @0x80a97000 (File: 0xa56000) (com.apple.driver.AppleBluetooth)
Kext: AppleIntegratedProxALSSensor @0x80a9a000 (File: 0xa59000) (com.apple.driver.AppleIntegratedProxALSSensor)
Kext: AppleCDCSerialDevice @0x80aa4000 (File: 0xa63000) (com.apple.driver.AppleCDCSerialDevice)
Kext: H3 H264 Video Encoder @0x80aac000 (File: 0xa6b000) (com.apple.driver.H2H264VideoEncoderDriver)
Kext: AppleProfileKEventAction @0x80acd000 (File: 0xa8c000) (com.apple.driver.AppleProfileKEventAction)
Kext: AppleS5L8930XUSBPhy @0x80ad1000 (File: 0xa90000) (com.apple.driver.AppleS5L8930XUSBPhy)
Kext: IOKit SDIO Family @0x80ad5000 (File: 0xa94000) (com.apple.iokit.IOSDIOFamily)
Kext: AppleSamsungPKE @0x80ae5000 (File: 0xaa4000) (com.apple.driver.AppleSamsungPKE)
Kext: AppleIOPSDIO @0x80ae9000 (File: 0xaa8000) (com.apple.driver.AppleIOPSDIO)
Kext: Seatbelt sandbox policy @0x80af1000 (File: 0xab0000) (com.apple.security.sandbox)
Kext: AppleHIDKeyboard @0x80afc000 (File: 0xabb000) (com.apple.driver.AppleHIDKeyboard)
Kext: AppleKeyStore @0x80aff000 (File: 0xabe000) (com.apple.driver.AppleKeyStore)
Kext: AppleHDQGasGaugeControl @0x80b0c000 (File: 0xacb000) (com.apple.driver.AppleHDQGasGaugeControl)
Kext: Broadcom WLAN SDIO Bus Driver @0x80b10000 (File: 0xacf000) (com.apple.driver.AppleBCMWLANBusInterfaceSDIO)
Kext: I/O Kit HID Event Driver @0x80b21000 (File: 0xae0000) (com.apple.driver.AppleH3CameraInterface)
Kext: AppleDiskImagesReadWriteDiskImage @0x80b40000 (File: 0xaff000) (com.apple.driver.DiskImages.ReadWriteDiskImage)
Kext: AppleFSCompressionTypeZlib @0x80b43000 (File: 0xb02000) (com.apple.AppleFSCompression.AppleFSCompressionTypeZlib)
Kext: AppleUSBEthernet @0x80b48000 (File: 0xb07000) (com.apple.driver.AppleUSBEthernet)
Kext: EmbeddedIOP @0x80b51000 (File: 0xb10000) (com.apple.driver.EmbeddedIOP)
Kext: I/O Kit Driver for USB HID Devices @0x80b59000 (File: 0xb18000) (com.apple.driver.AppleS5L8930X)
Kext: AppleSamsungI2S @0x80b63000 (File: 0xb22000) (com.apple.driver.AppleSamsungI2S)
Kext: AppleM68Buttons @0x80b67000 (File: 0xb26000) (com.apple.driver.AppleM68Buttons)
Kext: AppleVXD375 @0x80b6b000 (File: 0xb2a000) (com.apple.driver.AppleVXD375)
Kext: AppleUSBDeviceMux @0x80b87000 (File: 0xb46000) (com.apple.driver.AppleUSBDeviceMux)
Kext: PPTP @0x80b8f000 (File: 0xb4e000) (com.apple.nke.pptp)
Kext: I/O Kit Driver for USB HID Devices @0x80b94000 (File: 0xb53000) (com.apple.iokit.IOUSBHIDDriver)
Kext: AppleMultitouchSPIZ2F13 @0x80b9a000 (File: 0xb59000) (com.apple.iokit.IOAcceleratorFamily)
Kext: IMGSGX535 Graphics Kernel Extension @0x80bb7000 (File: 0xb76000) (com.apple.IMGSGX535)
Kext: ApplePinotLCD @0x80be4000 (File: 0xba3000) (com.apple.driver.ApplePinotLCD)
Kext: I/O Kit Driver for USB Hubs @0x80be7000 (File: 0xba6000) (com.apple.driver.AppleUSBHub)
Kext: AppleEmbeddedCompass @0x80bf0000 (File: 0xbaf000) (com.apple.driver.AppleEmbeddedCompass)
Kext: AppleProfileThreadInfoAction @0x80bf8000 (File: 0xbb7000) (com.apple.driver.AppleProfileThreadInfoAction)
Kext: AppleBasebandCDC @0x80bfc000 (File: 0xbbb000) (com.apple.driver.AppleBasebandCDC)
Kext: AppleUSBEthernetHost @0x80c02000 (File: 0xbc1000) (com.apple.driver.AppleUSBEthernetHost)
Kext: AppleDPRepeater @0x80c07000 (File: 0xbc6000) (com.apple.driver.AppleDPRepeater)
Kext: I/O Kit HID Event Driver Safe Boot @0x80c36000 (File: 0xbf5000) (com.apple.driver.AppleCD3282Mikey)
Kext: tlsnke @0x80c3a000 (File: 0xbf9000) (com.apple.nke.tls)
Kext: AppleUSBHIDKeyboard @0x80c40000 (File: 0xbff000) (com.apple.driver.AppleUSBHIDKeyboard)
Kext: AppleProfileCallstackAction @0x80c43000 (File: 0xc02000) (com.apple.driver.AppleProfileCallstackAction)
Kext: AppleDiagnosticDataAccessReadOnly @0x80c47000 (File: 0xc06000) (com.apple.driver.AppleDiagnosticDataAccessReadOnly)
Kext: AppleNANDLegacyFTL @0x80c4a000 (File: 0xc09000) (com.apple.driver.AppleNANDLegacyFTL)
Kext: AppleTetheredDevice @0x80c78000 (File: 0xc37000) (com.apple.driver.AppleTetheredDevice)
Kext: AppleUSBHSIC @0x80c7b000 (File: 0xc3a000) (com.apple.driver.AppleUSBHSIC)
Kext: Embedded I/O Kit Driver for USB EHCI Controllers @0x80c83000 (File: 0xc42000) (com.apple.driver.AppleUSBEHCIARM)

As of the iPhone11 (iPhone XS/R) and iOS 12, Apple has moved to a new kernelcache format. This is recognizable by an LC_SOURCE_VERSION which is much Lower than that of XNU's (1469 for iOS12, 17xx for iOS13), likely an artifact of misconfiguration on Apple's side, since it matches the source version of the kernelcache builder.

The new kernelcaches are monolithic and tightly linked, in that KEXT code is interspersed with the kernel's own. They are also fully stripped of all symbols. The joker tool's most useful feature, Kextraction (extracting kexts from the kernelcache) can therefore no longer be used (and, in fact, there is no straightforward way to extract kexts anymore from these caches). Joker has been superseded by jtool2's --analyze option, which can effectively symbolicate 1000s (3,000-8,000, depending on iOS version) of symbols.