
jtool problems with Apple Watch

PostPosted: Wed Jan 06, 2016 11:27 pm
by pranjal
jtool not working
Hi there, I keep trying to use jtool to extract the dyld_shared_cache from the Apple Watch (armv7k), but I'm getting an error when using it. Here's the error:
Unable to recognize this file - 49445944

And here's my usage:
jtool  -v -l <path to file>

The path is definitely an unmodified cache from the payloadv2 directory of an Apple Watch OTA update, and I'm not sure why it's not recognizing the file. Any suggestions? Thanks!

Re: jtool problems with Apple Watch

PostPosted: Thu Jan 07, 2016 9:37 pm
by morpheus
The file you're looking at is the DYDIFF patch of the S/L/C. Therefore it's not in a format that JTool (or any other tool) can understand.

However, you might find a surprise waiting for you in ~/Library/Developer/XCode/WatchOS DeviceSupport :-)
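The magic-sniffing step behind this diagnosis, as an added example (not jtool's code and not from the poster): a real dyld shared cache starts with the 16-byte string "dyld_v1" plus the architecture, whereas the value jtool printed, 49445944, is the first four bytes read as a little-endian uint32, i.e. the ASCII bytes "DYDI". The classifier below reproduces that check; the two sample headers are constructed inline, and treating "DYDI" as the start of the DYDIFF patch header is an inference from the thread, not a documented format.

```python
import struct

# Magic values from <mach-o/loader.h> and <mach-o/fat.h>. dyld's own cache header
# (dyld_cache_header.magic) is a 16-byte string such as "dyld_v1  armv7k".
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA

# Constructed samples: a genuine armv7k cache header, and the header that produced
# jtool's "49445944" (bytes 44 59 44 49 = "DYDI"; assumed to be the DYDIFF patch).
CACHE_HEAD = b"dyld_v1  armv7k\0"
PATCH_HEAD = bytes.fromhex("44594449") + b"\0" * 12


def identify(head: bytes) -> str:
    """Classify a file from its first 16 bytes, roughly the way jtool decides
    whether it knows how to parse it."""
    if len(head) < 16:
        return "too short"
    if head.startswith(b"dyld_v1"):
        parts = head[:16].rstrip(b"\0").split()
        arch = parts[1].decode("ascii", "replace") if len(parts) > 1 else "unknown"
        return "dyld shared cache (%s)" % arch
    magic, = struct.unpack_from("<I", head, 0)      # little-endian, like the device
    if magic in (MH_MAGIC, MH_MAGIC_64):
        return "thin Mach-O, %d-bit" % (64 if magic == MH_MAGIC_64 else 32)
    if magic in (MH_CIGAM, MH_CIGAM_64):
        return "thin Mach-O (big-endian)"
    if magic in (FAT_MAGIC, FAT_CIGAM):              # fat headers are big-endian on disk
        return "fat/universal Mach-O"
    # Same hex jtool prints, plus the ASCII view of those bytes, which often names the
    # format a Mach-O tool cannot handle.
    return "unrecognized - %08x (%s)" % (magic, head[:4].decode("ascii", "replace"))


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or []:
        with open(path, "rb") as f:
            print(path, "->", identify(f.read(16)))
    print("constructed cache  ->", identify(CACHE_HEAD))
    print("constructed patch  ->", identify(PATCH_HEAD))
```

Run it against the files in the OTA payloadv2 directory and against the DeviceSupport copy: only the latter should report a dyld shared cache.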

Re: jtool problems with Apple Watch

PostPosted: Thu Jan 07, 2016 10:02 pm
by pranjal
I really enjoyed seeing that. Thank you so much for your help.
I also have a question. Where do you learn this stuff? I'm only 15, and I've been making iOS apps for a long time. I'm good at Objective-C, C++, C and Swift, but I just can't wrap my head around reverse engineering, and I'd love a little advice as to where I can begin.

Re: jtool problems with Apple Watch

PostPosted: Thu Jan 07, 2016 10:21 pm
by pranjal
Also, I can't dump any of the frameworks I found with class-dump or class-dump-z. Am I doing something wrong?

Re: jtool problems with Apple Watch

PostPosted: Fri Jan 08, 2016 7:32 pm
by morpheus
A) Read, read, and read. There's a bunch of articles on the main site which demonstrate REing, and MOXiI 2 - unlike its predecessor - will be all RE driven. Expect a major announcement in a few weeks on that.

B) Get past the tools and get to know how to reverse yourself. Using IDA or jtool or tool or whatnot is better if you can figure out where the automated tool falls short - and it will.

C) Libraries in the S/L/C undergo deep linking that removes the data some of the automated tools latch onto to get the objc const. In particular, S/L/C linking splits __DATA into __DATA_DIRTY and CONST. Point the tool at the right section, because that's a great example of when it falls short :)
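Point C is exactly where a hand-written Mach-O walk beats a tool hard-wired to one segment name. The following added example (not class-dump's or jtool's code, and not posted by either participant) parses the LC_SEGMENT / LC_SEGMENT_64 load commands of a thin Mach-O and locates a section such as __objc_classlist by name, whatever segment it ended up in. CACHE_STYLE_LIB is a constructed header whose layout is illustrative only: it puts the ObjC metadata in __DATA_CONST and __DATA_DIRTY as the post describes, with no __DATA segment at all, so a lookup that assumes __DATA finds nothing while a name-based lookup succeeds. Section sizes and addresses are made up.

```python
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7K, MH_DYLIB = 12, 12, 6

# struct layouts from <mach-o/loader.h>, little-endian as on every Apple device
SEG32, SECT32 = "<II16sIIIIiiII", "<16s16sIIIIIIIII"     # 56 and 68 bytes
SEG64, SECT64 = "<II16sQQQQiiII", "<16s16sQQIIIIIIII"    # 72 and 80 bytes


def _cstr(raw: bytes) -> str:
    # Mach-O names are NUL-padded but a 16-char name has no terminator at all.
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def list_sections(data: bytes):
    """Walk the load commands of a thin Mach-O and return
    [(segname, sectname, vmaddr, fileoff, size), ...] for every section."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC:
        hdr_len, seg_fmt, sect_fmt, seg_cmd = 28, SEG32, SECT32, LC_SEGMENT
    elif magic == MH_MAGIC_64:
        hdr_len, seg_fmt, sect_fmt, seg_cmd = 32, SEG64, SECT64, LC_SEGMENT_64
    else:
        raise ValueError("not a thin little-endian Mach-O (magic %08x)" % magic)
    ncmds, = struct.unpack_from("<I", data, 16)    # ncmds is at offset 16 in both headers
    sections, off = [], hdr_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == seg_cmd:
            seg = struct.unpack_from(seg_fmt, data, off)
            segname, nsects = _cstr(seg[2]), seg[9]
            soff = off + struct.calcsize(seg_fmt)  # section headers follow the segment
            for _ in range(nsects):
                s = struct.unpack_from(sect_fmt, data, soff)
                sections.append((segname, _cstr(s[0]), s[2], s[4], s[3]))
                soff += struct.calcsize(sect_fmt)
        off += cmdsize                             # skip unknown commands by size
    return sections


def find_section(data: bytes, sectname: str):
    """First section with this name in any segment (the name-based lookup that keeps
    working after __DATA is split), or None."""
    for entry in list_sections(data):
        if entry[1] == sectname:
            return entry
    return None


def build_macho32(segments):
    """Constructed sample builder (assumption, not a real library): minimal 32-bit armv7k
    MH_DYLIB header plus LC_SEGMENT commands with section headers but no contents.
    segments = [(segname, [(sectname, addr, size), ...]), ...]"""
    cmds = b""
    for segname, sects in segments:
        body = b"".join(
            struct.pack(SECT32, name.encode(), segname.encode(), addr, size, 0, 2, 0, 0, 0, 0, 0)
            for name, addr, size in sects)
        vmaddr = sects[0][1] if sects else 0
        cmds += struct.pack(SEG32, LC_SEGMENT, struct.calcsize(SEG32) + len(body),
                            segname.encode(), vmaddr, 0x1000, 0, 0, 3, 3, len(sects), 0) + body
    header = struct.pack("<IIIIIII", MH_MAGIC, CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7K,
                         MH_DYLIB, len(segments), len(cmds), 0)
    return header + cmds


# Constructed layout in the spirit of a cache-linked library: no __DATA segment,
# ObjC metadata lives in __DATA_CONST and __DATA_DIRTY instead.
CACHE_STYLE_LIB = build_macho32([
    ("__TEXT", [("__text", 0x1000, 0x200)]),
    ("__DATA_CONST", [("__objc_classlist", 0x4000, 0x10), ("__objc_selrefs", 0x4010, 0x20)]),
    ("__DATA_DIRTY", [("__objc_data", 0x5000, 0x40)]),
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CACHE_STYLE_LIB
    for seg, sect, addr, fileoff, size in list_sections(blob):
        print("%-14s %-18s addr=0x%08x off=0x%08x size=0x%x" % (seg, sect, addr, fileoff, size))
    hit = find_section(blob, "__objc_classlist")
    print("__objc_classlist lives in", hit[0] if hit else "no segment (not found)")
```

Run it on a library extracted from the DeviceSupport cache to see which segment actually carries __objc_classlist there; the segment name it prints is the one to hand to a class-dump tool that lets you choose the section, and its absence from __DATA is the shortfall the post is pointing at.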

Re: jtool problems with Apple Watch

PostPosted: Fri Jan 08, 2016 10:35 pm
by pranjal
Alright. I thought that I should just keep reading. Thanks so much for the help!