
Re: Joker Feedback

PostPosted: Thu Jul 21, 2016 9:44 am
by siya
vega01 wrote:
Hi,

I got the following when trying to dump decrypted and decompressed 32-bit kernelcache from iOS 6.0 for iPhone 5,1 (build 10A405)
./joker.universal -k
(2107.2.33.0.0)
Trying method #2
Unable to get kexts from __PRELINK_INFO.. going straight for __PRELINK_TEXT
1: built-in?(2107.2.33.0.0) at 0x355000 (8000 bytes)
2: built-in?(2107.2.33.0.0) at 0x35d000 (17000 bytes)
3: built-in?(2107.2.33.0.0) at 0x374000 (1000 bytes)
4: built-in?(2107.2.33.0.0) at 0x375000 (5000 bytes)
5: built-in?(2107.2.33.0.0) at 0x37a000 (2000 bytes)
6: built-in?(2107.2.33.0.0) at 0x37c000 (6000 bytes)
7: com.apple.driver.AppleARMPlatform(284.7.0.0.0) at 0x382000 (3a000 bytes)
8: com.apple.driver.IOSlaveProcessor(7.0.0.0.0) at 0x3bc000 (5000 bytes)
9: com.apple.driver.AppleA5AE2(43.1.0.0.0) at 0x3c1000 (5000 bytes)
10: com.apple.driver.LSKDIOKit(0.0.0.0.0) at 0x3c6000 (1d000 bytes)
11: com.apple.driver.IODARTFamily(31.0.0.0.0) at 0x3e3000 (b000 bytes)
12: com.apple.driver.AppleM2ScalerCSC(138.0.6.0.0) at 0x3ee000 (14000 bytes)
13: com.apple.driver.FairPlayIOKit(0.0.0.0.0) at 0x402000 (68000 bytes)
14: com.apple.driver.AppleVXD390(4.63.0.0.0) at 0x46a000 (27000 bytes)
15: com.apple.driver.AppleSamsungSPI(42.2.0.0.0) at 0x491000 (4000 bytes)
16: built-in?(42.2.0.0.0) at 0x495000 (1000 bytes)
17: com.apple.iokit.IOCryptoAcceleratorFamily(67.0.0.0.0) at 0x496000 (e000 bytes)
Segmentation fault: 11


joker version:
3.0b with MACF Policies and (coming soon) IOUserClients!
Compiled on Jun 20 2016


Am I doing something wrong?

Edit: I got what I wanted by using the source. Thank you for sharing the tools and knowledge!


Hi, I have a similar Segmentation fault when I run it on a 32-bit kernelcache from iOS 8.3 for iPhone 5,2:

./joker.universal -k kerneldump

This is a 32-bit kernel from iOS 8.x, or later (2784.20.34.0.0)
This is not a Mach-O 64-bit file. Sorry (Magic: 0xfeedface)
Unable to get symbols from SYMTAB (fine for dumps)
Found iOS 8+ sysent table @39a4a4 (Addr: 0xa0f9b4a4)
Number of kexts way too small.. Trying method #2
Unable to get kexts from __PRELINK_INFO.. going straight for __PRELINK_TEXT
1: Mach Kernel Pseudoextension (com.apple.kpi.mach) at 0x41d000 (2000 bytes)
2: Unsupported Pseudoextension (com.apple.kpi.unsupported) at 0x41f000 (3000 bytes)
3: I/O Kit Pseudoextension at 0x422000 (1a000 bytes)
4: Libkern Pseudoextension (com.apple.kpi.libkern) at 0x43c000 (9000 bytes)
5: BSD Kernel Pseudoextension (com.apple.kpi.bsd) at 0x445000 (7000 bytes)
6: com.apple.driver.AppleCredentialManager(33.10.2.0.0) at 0x44c000 (b000 bytes)
7: Private Pseudoextension (com.apple.kpi.private) at 0x457000 (6000 bytes)
8: com.apple.iokit.IOSlowAdaptiveClockingFamily(4.0.0.0.0) at 0x45d000 (4000 bytes)
9: com.apple.iokit.IOReportFamily(33.0.0.0.0) at 0x461000 (5000 bytes)
10: com.apple.driver.AppleARMPlatform(406.20.5.0.0) at 0x466000 (45000 bytes)
11: com.apple.driver.IOSlaveProcessor(8.0.0.0.0) at 0x4ab000 (4000 bytes)
12: com.apple.driver.AppleA5AE2(64.0.0.0.0) at 0x4af000 (5000 bytes)
13: com.apple.driver.LSKDIOKit(0.0.0.0.0) at 0x4b4000 (31000 bytes)
14: com.apple.iokit.IOSurface(52.8.8.0.0) at 0x4e5000 (f000 bytes)
15: com.apple.driver.IODARTFamily(58.0.0.0.0) at 0x4f4000 (d000 bytes)
16: com.apple.driver.AppleM2ScalerCSCDriver(5.6.0.0.0) at 0x501000 (2a000 bytes)
17: com.apple.driver.FairPlayIOKit(0.0.0.0.0) at 0x52b000 (63000 bytes)
18: com.apple.driver.LSKDIOKitMSE(0.0.0.0.0) at 0x58e000 (2e000 bytes)
19: com.apple.driver.AppleVXD390(5.29.0.0.0) at 0x5bc000 (23000 bytes)
20: com.apple.driver.AppleSamsungSPI(81.5.2.0.0) at 0x5df000 (4000 bytes)
21: unrecognized.or.unhandledyet.Please.Report.Me at 0x5e3000 (2000 bytes)
22: com.apple.kec.corecrypto(235.10.8.0.0) at 0x5e5000 (46000 bytes)
Segmentation fault: 11


May I know how you solved this? Thanks
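As an added example (not joker's own code and not from any poster in this thread): a small Python parser for the kext listing format quoted above. It checks that the __PRELINK_TEXT entries are contiguous (each kext starts where the previous one ends, as both listings above do) and flags the placeholder names joker prints when it could not identify a kext, so a run that ends in a crash can be sanity-checked before reporting it. The name patterns and the sample tail are taken from this thread; everything else is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# One line of joker's kext listing as quoted in this thread, e.g.
#   7: com.apple.driver.AppleARMPlatform(284.7.0.0.0) at 0x382000 (3a000 bytes)
# The size is hex without a 0x prefix; the offset is a file offset into the kernelcache.
KEXT_LINE = re.compile(r"^\s*(\d+): (.+?) at 0x([0-9a-fA-F]+) \(([0-9a-fA-F]+) bytes\)\s*$")

@dataclass
class KextEntry:
    index: int
    name: str
    offset: int
    size: int

    @property
    def end(self) -> int:
        return self.offset + self.size

    @property
    def unresolved(self) -> bool:
        # Placeholder names joker prints when __PRELINK_INFO gave it no kext identity
        return self.name.startswith("built-in?") or "Please.Report.Me" in self.name

def parse_listing(text: str) -> List[KextEntry]:
    """Keep only the numbered kext lines; banners and the crash line are skipped."""
    matches = filter(None, map(KEXT_LINE.match, text.splitlines()))
    return [KextEntry(int(m[1]), m[2], int(m[3], 16), int(m[4], 16)) for m in matches]

def check_layout(entries: List[KextEntry]) -> List[str]:
    """Report any gap or overlap between consecutive kexts in __PRELINK_TEXT."""
    problems = []
    for prev, cur in zip(entries, entries[1:]):
        if cur.offset != prev.end:
            kind = "OVERLAP" if cur.offset < prev.end else "gap"
            problems.append(f"{kind} of {abs(cur.offset - prev.end):#x} between "
                            f"#{prev.index} {prev.name} and #{cur.index} {cur.name}")
    return problems

# Tail of the iOS 8.3 listing quoted in the post above (copied from this thread)
SAMPLE = """\
18: com.apple.driver.LSKDIOKitMSE(0.0.0.0.0) at 0x58e000 (2e000 bytes)
19: com.apple.driver.AppleVXD390(5.29.0.0.0) at 0x5bc000 (23000 bytes)
20: com.apple.driver.AppleSamsungSPI(81.5.2.0.0) at 0x5df000 (4000 bytes)
21: unrecognized.or.unhandledyet.Please.Report.Me at 0x5e3000 (2000 bytes)
22: com.apple.kec.corecrypto(235.10.8.0.0) at 0x5e5000 (46000 bytes)
Segmentation fault: 11
"""
```

Running `check_layout(parse_listing(SAMPLE))` returns an empty list for the quoted tail, and the last entry's `end` (0x62b000) is where the next kext would have started had joker not crashed.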

Re: Joker Feedback

PostPosted: Thu Jul 21, 2016 5:11 pm
by vega01
Hi,

For now I only wanted to dump some kexts, so I read the source to understand what the program does and did it myself, just by using standard Unix tools. Frankly, I also wanted to know the kernelcache internals, so this wasn't a waste of time. But this method is not enough when you want the full functionality of joker or you want to dump many kexts. AFAIK you cannot fix the bug yourself, because you don't have the required machlib.

Hope this will help you in any way.

Re: Joker Feedback

PostPosted: Sat Jul 23, 2016 1:30 pm
by matteyeux
Hi Jonathan,
Can you add a feature to get the magical offset of a kernelcache?
Thank you.

Re: Joker Feedback

PostPosted: Tue Nov 15, 2016 11:22 am
by in7egral
version:
3.0 with MACF Policies, stub symbolication, SPLIT KEXTS, Sandbox Profiles (beta, collections only at this point) , kpp and (coming soon) IOUserClients!
Compiled on Sep  9 2016


iOS kernel version:
./partialzip http://appldnld.apple.com/ios9.3.2/031-62167-20160516-CFF6D768-13A8-11E6-A516-5BD8400DF7EB/iPhone5,1_9.3.2_13F69_Restore.ipsw kernelcache.release.n41
xpwntool kernelcache.release.n41 kernelcache.release.decrypted.n41 -iv *** -k ***


joker.universal -K com.apple.iokit.IOHIDFamily ios932_kernelcache.release.decrypted.n41
This is a 32-bit kernel from iOS 9.x, or later (3248.50.21.0.0)
Found iOS 8+ sysent table @3f1654 (Addr: 0x803f2654)
Number of kexts way too small.. Trying method #2
Unable to get kexts from __PRELINK_INFO.. going straight for __PRELINK_TEXT
Writing kext out to /tmp/com.apple.iokit.IOHIDFamily.kext
Unable to find __TEXT.__stubs in kext com.apple.iokit.IOHIDFamily. Won't symbolicate
MAC policy not found. This is fine for kernels prior to iOS 9.2, but please let J know if yours is newer

Re: Joker Feedback

PostPosted: Sat Dec 24, 2016 7:46 pm
by Siguza
The -m flag adds (2 * adv) too much to the file offset/address of mach_trap_table when printing (i.e. that's the offset you're searching for, but the table starts two pointer lengths before that).

Re: Joker Feedback

PostPosted: Sun Jan 15, 2017 12:10 am
by Siguza
"joker -K all" segfaults on the iPhone SE (n69) 10.2 kernel.

Re: Joker Feedback

PostPosted: Sun Apr 16, 2017 4:01 pm
by Siguza
Still an issue with joker 3.2 and kernels from 10.3.1.

Re: Joker Feedback

PostPosted: Tue Sep 26, 2017 10:41 pm
by Siguza
Hey, as of version 4 joker seems to include the entire kernel symbol table in the companion files that it produces during kextraction. Could you add a way to only include addresses that are actually from that kext, please? (Maybe a JMINIMAL env variable or so?)

Re: Joker Feedback

PostPosted: Mon Oct 02, 2017 10:05 pm
by smdg
Just a minor annoyance but it is easily fixed... when using "joker -j" it creates the companion file with a name of Joker's choosing. It's no great problem at the shell prompt but I have a script that calls Joker to create the companion file and it has either to scan the directory for the new file or parse the stdout from Joker to discover the filename. Any chance we could invoke this option as "joker -j <filename>" where an optional filename can be specified for the output file?

Re: Joker Feedback

PostPosted: Wed Oct 04, 2017 2:00 am
by morpheus
I'll add both Siguza's JMINIMAL and -j filename. And also the new ARM64 kernel symbols for AMCC/RORGN and friends. Stay tuned.