iOS Loading kext


Post by vtan » Fri Jun 26, 2015 10:20 pm

Hey Jonathan,

Or anyone else who can help. Would like to find out if you could share how to load a kext into iOS, please?

I know kextd is not available, so there is no kextload. But I believe it would still be possible to load a kext using the IOKit function OSKextLoad, but I have no clue how to even go about using it.

If there is some sample code that you could share, or some direction that you could point me in? I would be really grateful.

Thank you very much.

Vincent

Re: iOS Loading kext - and bypassing KextD

Post by morpheus » Sat Jun 27, 2015 1:32 pm

Hi Vincent,

So, you are right about OSKextLoad being available - it is, in fact. Surprisingly, there are no entitlements for it, either. But - before you go about trying to use it, know that the iOS kernel will refuse because they removed KXLD from it. When I tested this on older iOS, I got a kernel panic, and in 8.3 the kernel politely refuses with "service not supported" returned from the MIG request.

Kexts can be, and are, loaded in iOS on the fly - but with one caveat - they must already be prelinked in memory via the kernel cache. In this way, IOUSBMassStorage and others can be loaded on demand (e.g. when you connect the camera connection kit). But you can't simply use the code for kextload (in the attached, and it actually compiles neatly on iOS, too).


Note that:

A) It's still possible to load code into the kernel, either by finding a kernel memory overwrite, or patching tfp0 (task_for_pid so that it returns the PID 0, i.e. kernel task)

B) You can patch back the kextloading portion. But that's a bit out of scope for this answer (not to mention weapon-grade/0-day caliber, so you'll excuse me for keeping quiet on this)

C) It's also very possible to unload kexts (*snicker*). That's a fun li'l experiment.

D) Kextd is inconsequential. The code here can be used to bypass it on OS X. That said, you'll run into a few (solvable) problems in OS X 10.11.

And naturally, you have to compile the kext properly for iOS (so that its Mach-O type is 11). And the Info.plist, and all that jazz. I'll be explaining this in MOXiI 2, naturally, though likely only in Volume II. So stay tuned.

The attached code will show you (full verbosity) the kext loading process. At least, until the point the kernel refuses. The log will look something like this:

Phontifex:/tmp/kexts root# ./kex IOUSBMassStorageClass
Kext user-space log filter changed from 0xff2 to 0xffffffff.
Kext library recording diagnostics for: validation authentication dependencies warnings.
Running kernel architecture is arm64.
Kext library architecture set to arm64.
Unable to create Kext
Phontifex:/tmp/kexts root# ./kex IOUSBMassStorageClass.kext/
Kext user-space log filter changed from 0xff2 to 0xffffffff.
Kext library recording diagnostics for: validation authentication dependencies warnings.
Running kernel architecture is arm64.
Kext library architecture set to arm64.
Creating IOUSBMassStorageClass.kext.
Opening CFBundle for /private/var/tmp/kexts/IOUSBMassStorageClass.kext.
com.apple.iokit.IOUSBMassStorageClass, version 3.7 recorded at index 0 in the identifier lookup dictionary.
com.apple.iokit.IOUSBMassStorageClass, version 3.7 is already in the identifier lookup dictionary at index 0.
Recorded /private/var/tmp/kexts/IOUSBMassStorageClass.kext, id com.apple.iokit.IOUSBMassStorageClass, version 3.7.
Releasing CFBundle for /private/var/tmp/kexts/IOUSBMassStorageClass.kext
KEXT Created
Creating /System/Library/Extensions/System.kext.
Opening CFBundle for /System/Library/Extensions/System.kext.
com.apple.kernel, version 14.0 recorded at index 0 in the identifier lookup dictionary.
com.apple.kernel, version 14.0 is already in the identifier lookup dictionary at index 0.
Recorded /System/Library/Extensions/System.kext, id com.apple.kernel, version 14.0.
Releasing CFBundle for /System/Library/Extensions/System.kext
/System/Library/Extensions/System.kext/PlugIns is not a system extensions folder; not looking for a cache.
Finished reading cache file .
Scanning /System/Library/Extensions/System.kext/PlugIns for kexts.
Found plugin AppleNMI.kext.
Creating AppleNMI.kext.
Opening CFBundle for /System/Library/Extensions/System.kext/PlugIns/AppleNMI.kext.
com.apple.driver.AppleNMI, version 14.0 recorded at index 0 in the identifier lookup dictionary.
com.apple.driver.AppleNMI, version 14.0 is already in the identifier lookup dictionary at index 0.
Recorded /System/Library/Extensions/System.kext/PlugIns/AppleNMI.kext, id com.apple.driver.AppleNMI, version 14.0.
Releasing CFBundle for /System/Library/Extensions/System.kext/PlugIns/AppleNMI.kext
Found plugin ApplePlatformFamily.kext.
Creating ApplePlatformFamily.kext.
Opening CFBundle for /System/Library/Extensions/System.kext/PlugIns/ApplePlatformFamily.kext.
com.apple.iokit.ApplePlatformFamily, version 14.0 recorded at index 0 in the identifier lookup dictionary.
com.apple.iokit.ApplePlatformFamily, version 14.0 is already in the identifier lookup dictionary at index 0.
Recorded /System/Library/Extensions/System.kext/PlugIns/ApplePlatformFamily.kext, id com.apple.iokit.ApplePlatformFamily, version 14.0.
Releasing CFBundle for /System/Library/Extensions/System.kext/PlugIns/ApplePlatformFamily.kext
Found plugin BSDKernel.kext.
Creating BSDKernel.kext.
Opening CFBundle for /System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext.
com.apple.kpi.bsd, version 14.0 recorded at index 0 in the identifier lookup dictionary.
com.apple.kpi.bsd, version 14.0 is already in the identifier lookup dictionary at index 0.
Recorded /System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext, id com.apple.kpi.bsd, version 14.0.
Releasing CFBundle for /System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext
Found plugin IOKit.kext.
Creating IOKit.kext.
Opening CFBundle for /System/Library/Extensions/System.kext/PlugIns/IOKit.kext.
com.apple.kpi.iokit, version 14.0 recorded at index 0 in the identifier lookup dictionary.
com.apple.kpi.iokit, version 14.0 is already in the identifier lookup dictionary at index 0.
Recorded /System/Library/Extensions/System.kext/PlugIns/IOKit.kext, id com.apple.kpi.iokit, version 14.0.
Releasing CFBundle for /System/Library/Extensions/System.kext/PlugIns/IOKit.kext
Found plugin IONVRAMFamily.kext.
Creating IONVRAMFamily.kext.
Opening CFBundle for /System/Library/Extensions/System.kext/PlugIns/IONVRAMFamily.kext.
com.apple.iokit.IONVRAMFamily, version 14.0 recorded at index 0 in the identifier lookup dictionary.
com.apple.iokit.IONVRAMFamily, version 14.0 is already in the identifier lookup dictionary at index 0.
Recorded /System/Library/Extensions/System.kext/PlugIns/IONVRAMFamily.kext, id com.apple.iokit.IONVRAMFamily, version 14.0.
Releasing CFBundle for /System/Library/Extensions/System.kext/PlugIns/IONVRAMFamily.kext
Found plugin IOSystemManagement.kext.
Creating IOSystemManagement.kext.
Opening CFBundle for /System/Library/Extensions/System.kext/PlugIns/IOSystemManagement.kext.
com.apple.iokit.IOSystemManagementFamily, version 14.0 recorded at index 0 in the identifier lookup dictionary.
com.apple.iokit.IOSystemManagementFamily, version 14.0 is already in the identifier lookup dictionary at index 0.
Recorded /System/Library/Extensions/System.kext/PlugIns/IOSystemManagement.kext, id com.apple.iokit.IOSystemManagementFamily, version 14.0.
Releasing CFBundle for /System/Library/Extensions/System.kext/PlugIns/IOSystemManagement.kext
Found plugin Libkern.kext.
Creating Libkern.kext.
Opening CFBundle for /System/Library/Extensions/System.kext/PlugIns/Libkern.kext.
com.apple.kpi.libkern, version 14.0 recorded at index 0 in the identifier lookup dictionary.
com.apple.kpi.libkern, version 14.0 is already in the identifier lookup dictionary at index 0.
Recorded /System/Library/Extensions/System.kext/PlugIns/Libkern.kext, id com.apple.kpi.libkern, version 14.0.
Releasing CFBundle for /System/Library/Extensions/System.kext/PlugIns/Libkern.kext
Found plugin MACFramework.kext.
Creating MACFramework.kext.
Opening CFBundle for /System/Library/Extensions/System.kext/PlugIns/MACFramework.kext.
com.apple.kpi.dsep, version 14.0 recorded at index 0 in the identifier lookup dictionary.
com.apple.kpi.dsep, version 14.0 is already in the identifier lookup dictionary at index 0.
Recorded /System/Library/Extensions/System.kext/PlugIns/MACFramework.kext, id com.apple.kpi.dsep, version 14.0.
Releasing CFBundle for /System/Library/Extensions/System.kext/PlugIns/MACFramework.kext
Found plugin Mach.kext.
Creating Mach.kext.
Opening CFBundle for /System/Library/Extensions/System.kext/PlugIns/Mach.kext.
com.apple.kpi.mach, version 14.0 recorded at index 0 in the identifier lookup dictionary.
com.apple.kpi.mach, version 14.0 is already in the identifier lookup dictionary at index 0.
Recorded /System/Library/Extensions/System.kext/PlugIns/Mach.kext, id com.apple.kpi.mach, version 14.0.
Releasing CFBundle for /System/Library/Extensions/System.kext/PlugIns/Mach.kext
Found plugin Private.kext.
Creating Private.kext.
Opening CFBundle for /System/Library/Extensions/System.kext/PlugIns/Private.kext.
com.apple.kpi.private, version 14.0 recorded at index 0 in the identifier lookup dictionary.
com.apple.kpi.private, version 14.0 is already in the identifier lookup dictionary at index 0.
Recorded /System/Library/Extensions/System.kext/PlugIns/Private.kext, id com.apple.kpi.private, version 14.0.
Releasing CFBundle for /System/Library/Extensions/System.kext/PlugIns/Private.kext
Found plugin Unsupported.kext.
Creating Unsupported.kext.
Opening CFBundle for /System/Library/Extensions/System.kext/PlugIns/Unsupported.kext.
com.apple.kpi.unsupported, version 14.0 recorded at index 0 in the identifier lookup dictionary.
com.apple.kpi.unsupported, version 14.0 is already in the identifier lookup dictionary at index 0.
Recorded /System/Library/Extensions/System.kext/PlugIns/Unsupported.kext, id com.apple.kpi.unsupported, version 14.0.
Releasing CFBundle for /System/Library/Extensions/System.kext/PlugIns/Unsupported.kext
/System/Library/Extensions/System.kext/PlugIns is not a system extensions folder; not looking for a cache.
DEPS: 0x14e5084b0
Validating IOUSBMassStorageClass.kext.
com.apple.iokit.IOUSBMassStorageClass, version 3.7 removed from identifier lookup dictionary.
com.apple.iokit.IOUSBMassStorageClass, version 3.7 recorded at index 0 in the identifier lookup dictionary.
Checking CFBundle of /private/var/tmp/kexts/IOUSBMassStorageClass.kext for executable URL.
Statting /private/var/tmp/kexts/IOUSBMassStorageClass for map.
Opening /private/var/tmp/kexts/IOUSBMassStorageClass for map.
Mapped executable file /private/var/tmp/kexts/IOUSBMassStorageClass (offset 0, 62124 bytes).
Resolving dependencies for IOUSBMassStorageClass.kext.
Flushing dependencies for IOUSBMassStorageClass.kext.
IOUSBMassStorageClass.kext found compatible dependency Mach.kext for com.apple.kpi.mach (kernel component).
IOUSBMassStorageClass.kext found compatible dependency IOKit.kext for com.apple.kpi.iokit (kernel component).
IOUSBMassStorageClass.kext found compatible dependency Libkern.kext for com.apple.kpi.libkern (kernel component).
IOUSBMassStorageClass.kext found compatible dependency BSDKernel.kext for com.apple.kpi.bsd (kernel component).
Validating Mach.kext.
com.apple.kpi.mach, version 14.0 removed from identifier lookup dictionary.
com.apple.kpi.mach, version 14.0 recorded at index 0 in the identifier lookup dictionary.
Flushing dependencies for Mach.kext.
Validating IOKit.kext.
com.apple.kpi.iokit, version 14.0 removed from identifier lookup dictionary.
com.apple.kpi.iokit, version 14.0 recorded at index 0 in the identifier lookup dictionary.
Flushing dependencies for IOKit.kext.
Validating Libkern.kext.
com.apple.kpi.libkern, version 14.0 removed from identifier lookup dictionary.
com.apple.kpi.libkern, version 14.0 recorded at index 0 in the identifier lookup dictionary.
Flushing dependencies for Libkern.kext.
Validating BSDKernel.kext.
com.apple.kpi.bsd, version 14.0 removed from identifier lookup dictionary.
com.apple.kpi.bsd, version 14.0 recorded at index 0 in the identifier lookup dictionary.
Flushing dependencies for BSDKernel.kext.
IOUSBMassStorageClass.kext - dependencies already resolved.
DEPENDENCIES: 1
IOUSBMassStorageClass.kext - dependencies already resolved.
ARRAY REF: 0x14e50a040
Authenticating IOUSBMassStorageClass.kext file/directory /private/var/tmp/kexts/IOUSBMassStorageClass.kext.
Kext is Authentic!
--> Kext: 0x14e600360 Valid: 0
Flushing load info for all kexts (with dependencies)
Flushing dependencies for BSDKernel.kext.
Clearing "has all dependencies" for IOUSBMassStorageClass.kext.
Flushing dependencies for Mach.kext.
Flushing dependencies for IOKit.kext.
Flushing dependencies for Libkern.kext.
Flushing dependencies for IOUSBMassStorageClass.kext.
Validating IOUSBMassStorageClass.kext.
com.apple.iokit.IOUSBMassStorageClass, version 3.7 removed from identifier lookup dictionary.
com.apple.iokit.IOUSBMassStorageClass, version 3.7 recorded at index 0 in the identifier lookup dictionary.
Checking CFBundle of /private/var/tmp/kexts/IOUSBMassStorageClass.kext for executable URL.
Statting /private/var/tmp/kexts/IOUSBMassStorageClass for map.
Opening /private/var/tmp/kexts/IOUSBMassStorageClass for map.
Mapped executable file /private/var/tmp/kexts/IOUSBMassStorageClass (offset 0, 62124 bytes).
Resolving dependencies for IOUSBMassStorageClass.kext.
Flushing dependencies for IOUSBMassStorageClass.kext.
IOUSBMassStorageClass.kext found compatible dependency Mach.kext for com.apple.kpi.mach (kernel component).
IOUSBMassStorageClass.kext found compatible dependency IOKit.kext for com.apple.kpi.iokit (kernel component).
IOUSBMassStorageClass.kext found compatible dependency Libkern.kext for com.apple.kpi.libkern (kernel component).
IOUSBMassStorageClass.kext found compatible dependency BSDKernel.kext for com.apple.kpi.bsd (kernel component).
Validating Mach.kext.
com.apple.kpi.mach, version 14.0 removed from identifier lookup dictionary.
com.apple.kpi.mach, version 14.0 recorded at index 0 in the identifier lookup dictionary.
Flushing dependencies for Mach.kext.
Validating IOKit.kext.
com.apple.kpi.iokit, version 14.0 removed from identifier lookup dictionary.
com.apple.kpi.iokit, version 14.0 recorded at index 0 in the identifier lookup dictionary.
Flushing dependencies for IOKit.kext.
Validating Libkern.kext.
com.apple.kpi.libkern, version 14.0 removed from identifier lookup dictionary.
com.apple.kpi.libkern, version 14.0 recorded at index 0 in the identifier lookup dictionary.
Flushing dependencies for Libkern.kext.
Validating BSDKernel.kext.
com.apple.kpi.bsd, version 14.0 removed from identifier lookup dictionary.
com.apple.kpi.bsd, version 14.0 recorded at index 0 in the identifier lookup dictionary.
Flushing dependencies for BSDKernel.kext.
IOUSBMassStorageClass.kext - dependencies already resolved.
IOUSBMassStorageClass.kext - dependencies already resolved.
Authenticating Mach.kext file/directory /System/Library/Extensions/System.kext/PlugIns/Mach.kext.
Authenticating Mach.kext file/directory /System/Library/Extensions/System.kext/PlugIns/Mach.kext/Info.plist.
Authenticating Mach.kext file/directory /System/Library/Extensions/System.kext/PlugIns/Mach.kext/Mach.
Authenticating IOKit.kext file/directory /System/Library/Extensions/System.kext/PlugIns/IOKit.kext.
Authenticating IOKit.kext file/directory /System/Library/Extensions/System.kext/PlugIns/IOKit.kext/IOKit.
Authenticating IOKit.kext file/directory /System/Library/Extensions/System.kext/PlugIns/IOKit.kext/Info.plist.
Authenticating Libkern.kext file/directory /System/Library/Extensions/System.kext/PlugIns/Libkern.kext.
Authenticating Libkern.kext file/directory /System/Library/Extensions/System.kext/PlugIns/Libkern.kext/Info.plist.
Authenticating Libkern.kext file/directory /System/Library/Extensions/System.kext/PlugIns/Libkern.kext/Libkern.
Authenticating BSDKernel.kext file/directory /System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext.
Authenticating BSDKernel.kext file/directory /System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext/BSDKernel.
Authenticating BSDKernel.kext file/directory /System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext/Info.plist.
IOUSBMassStorageClass.kext - dependencies already resolved.
Flushing load info for Mach.kext (with dependencies)
Flushing dependencies for Mach.kext.
Clearing "has all dependencies" for IOUSBMassStorageClass.kext.
Flushing load info for IOKit.kext (with dependencies)
Flushing dependencies for IOKit.kext.
Flushing load info for Libkern.kext (with dependencies)
Flushing dependencies for Libkern.kext.
Flushing load info for BSDKernel.kext (with dependencies)
Flushing dependencies for BSDKernel.kext.
Flushing load info for IOUSBMassStorageClass.kext (with dependencies)
Flushing dependencies for IOUSBMassStorageClass.kext.
Reading load info for 5 kexts.
Reading loaded kext info from kernel.
(kernel) User-space log flags changed from 0x0 to 0xffffffff.
(kernel) Received 'Get Loaded Kext Info' request from user space.
(kernel) Returning loaded kext info.
Loaded kext info:
{
"com.apple.kpi.mach" = {
"OSBundleWiredSize" = 6292
"CFBundleIdentifier" = "com.apple.kpi.mach"
"OSBundleUUID" = <7e2ea3d0 1946458d baae8aef f12c278e>
"OSBundleLoadAddress" = -549716246528
"OSBundleLoadTag" = 5
"OSBundleStarted" = true
"OSBundleCompatibleVersion" = "8.0.0d0"
"OSKernelResource" = true
"CFBundleVersion" = "14.0.0"
"OSBundlePath" = "/System/Library/Extensions/System.kext/PlugIns/Mach.kext"
"OSBundleRetainCount" = 126
"OSBundlePrelinked" = true
"OSBundleIsInterface" = true
"OSBundleLoadSize" = 6292
}
"com.apple.kpi.iokit" = {
"OSBundleWiredSize" = 108908
"CFBundleIdentifier" = "com.apple.kpi.iokit"
"OSBundleUUID" = <07804c50 7d204f02 9973425a df792a4b>
"OSBundleLoadAddress" = -549716189184
"OSBundleLoadTag" = 3
"OSBundleStarted" = true
"OSBundleCompatibleVersion" = "7.0"
"OSKernelResource" = true
"CFBundleVersion" = "14.0.0"
"OSBundlePath" = "/System/Library/Extensions/System.kext/PlugIns/IOKit.kext"
"OSBundleRetainCount" = 132
"OSBundlePrelinked" = true
"OSBundleIsInterface" = true
"OSBundleLoadSize" = 108908
}
"com.apple.kpi.libkern" = {
"OSBundleWiredSize" = 36436
"CFBundleIdentifier" = "com.apple.kpi.libkern"
"OSBundleUUID" = <d6ef3307 908c4b25 a8520b92 828bde54>
"OSBundleLoadAddress" = -549716283392
"OSBundleLoadTag" = 4
"OSBundleStarted" = true
"OSBundleCompatibleVersion" = "8.0.0d0"
"OSKernelResource" = true
"CFBundleVersion" = "14.0.0"
"OSBundlePath" = "/System/Library/Extensions/System.kext/PlugIns/Libkern.kext"
"OSBundleRetainCount" = 134
"OSBundlePrelinked" = true
"OSBundleIsInterface" = true
"OSBundleLoadSize" = 36436
}
"com.apple.kpi.bsd" = {
"OSBundleWiredSize" = 30900
"CFBundleIdentifier" = "com.apple.kpi.bsd"
"OSBundleUUID" = <766fd94f fc384dac b51000d8 eeff2ba4>
"OSBundleLoadAddress" = -549716316160
"OSBundleLoadTag" = 1
"OSBundleStarted" = true
"OSBundleCompatibleVersion" = "8.0.0b1"
"OSKernelResource" = true
"CFBundleVersion" = "14.0.0"
"OSBundlePath" = "/System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext"
"OSBundleRetainCount" = 116
"OSBundlePrelinked" = true
"OSBundleIsInterface" = true
"OSBundleLoadSize" = 30900
}
}

Validating IOUSBMassStorageClass.kext.
com.apple.iokit.IOUSBMassStorageClass, version 3.7 removed from identifier lookup dictionary.
com.apple.iokit.IOUSBMassStorageClass, version 3.7 recorded at index 0 in the identifier lookup dictionary.
Checking CFBundle of /private/var/tmp/kexts/IOUSBMassStorageClass.kext for executable URL.
Statting /private/var/tmp/kexts/IOUSBMassStorageClass for map.
Opening /private/var/tmp/kexts/IOUSBMassStorageClass for map.
Mapped executable file /private/var/tmp/kexts/IOUSBMassStorageClass (offset 0, 62124 bytes).
Resolving dependencies for IOUSBMassStorageClass.kext.
Flushing dependencies for IOUSBMassStorageClass.kext.
Checking CFBundle of /System/Library/Extensions/System.kext/PlugIns/Mach.kext for executable URL.
Statting /System/Library/Extensions/System.kext/PlugIns/Mach.kext/Mach for map.
Opening /System/Library/Extensions/System.kext/PlugIns/Mach.kext/Mach for map.
Mapped executable file /System/Library/Extensions/System.kext/PlugIns/Mach.kext/Mach (offset 0, 6292 bytes).
Mach.kext (version 14.0, UUID 2C698FB7-7A66-4A62-8F68-72F0367EFFFA): same version, different UUID (7E2EA3D0-1946-458D-BAAE-8AEFF12C278E) is loaded.
IOUSBMassStorageClass.kext found compatible dependency Mach.kext for com.apple.kpi.mach (kernel component).
Checking CFBundle of /System/Library/Extensions/System.kext/PlugIns/IOKit.kext for executable URL.
Statting /System/Library/Extensions/System.kext/PlugIns/IOKit.kext/IOKit for map.
Opening /System/Library/Extensions/System.kext/PlugIns/IOKit.kext/IOKit for map.
Mapped executable file /System/Library/Extensions/System.kext/PlugIns/IOKit.kext/IOKit (offset 0, 108744 bytes).
IOKit.kext (version 14.0, UUID EC3136F9-E36F-48B6-9438-3DD56BE1759B): same version, different UUID (07804C50-7D20-4F02-9973-425ADF792A4B) is loaded.
IOUSBMassStorageClass.kext found compatible dependency IOKit.kext for com.apple.kpi.iokit (kernel component).
Checking CFBundle of /System/Library/Extensions/System.kext/PlugIns/Libkern.kext for executable URL.
Statting /System/Library/Extensions/System.kext/PlugIns/Libkern.kext/Libkern for map.
Opening /System/Library/Extensions/System.kext/PlugIns/Libkern.kext/Libkern for map.
Mapped executable file /System/Library/Extensions/System.kext/PlugIns/Libkern.kext/Libkern (offset 0, 36436 bytes).
Libkern.kext (version 14.0, UUID 6EC4B266-0C57-4D56-B980-F4FC353EC896): same version, different UUID (D6EF3307-908C-4B25-A852-0B92828BDE54) is loaded.
IOUSBMassStorageClass.kext found compatible dependency Libkern.kext for com.apple.kpi.libkern (kernel component).
Checking CFBundle of /System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext for executable URL.
Statting /System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext/BSDKernel for map.
Opening /System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext/BSDKernel for map.
Mapped executable file /System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext/BSDKernel (offset 0, 30900 bytes).
BSDKernel.kext (version 14.0, UUID 515E21F8-3AF4-422E-BB68-D4498C359C46): same version, different UUID (766FD94F-FC38-4DAC-B510-00D8EEFF2BA4) is loaded.
IOUSBMassStorageClass.kext found compatible dependency BSDKernel.kext for com.apple.kpi.bsd (kernel component).
Validating Mach.kext.
com.apple.kpi.mach, version 14.0 removed from identifier lookup dictionary.
com.apple.kpi.mach, version 14.0 recorded at index 0 in the identifier lookup dictionary.
Flushing dependencies for Mach.kext.
Validating IOKit.kext.
com.apple.kpi.iokit, version 14.0 removed from identifier lookup dictionary.
com.apple.kpi.iokit, version 14.0 recorded at index 0 in the identifier lookup dictionary.
Flushing dependencies for IOKit.kext.
Validating Libkern.kext.
com.apple.kpi.libkern, version 14.0 removed from identifier lookup dictionary.
com.apple.kpi.libkern, version 14.0 recorded at index 0 in the identifier lookup dictionary.
Flushing dependencies for Libkern.kext.
Validating BSDKernel.kext.
com.apple.kpi.bsd, version 14.0 removed from identifier lookup dictionary.
com.apple.kpi.bsd, version 14.0 recorded at index 0 in the identifier lookup dictionary.
Flushing dependencies for BSDKernel.kext.
IOUSBMassStorageClass.kext - dependencies already resolved.
IOUSBMassStorageClass.kext - dependencies already resolved.
Authenticating Mach.kext file/directory /System/Library/Extensions/System.kext/PlugIns/Mach.kext.
Authenticating Mach.kext file/directory /System/Library/Extensions/System.kext/PlugIns/Mach.kext/Info.plist.
Authenticating Mach.kext file/directory /System/Library/Extensions/System.kext/PlugIns/Mach.kext/Mach.
Authenticating IOKit.kext file/directory /System/Library/Extensions/System.kext/PlugIns/IOKit.kext.
Authenticating IOKit.kext file/directory /System/Library/Extensions/System.kext/PlugIns/IOKit.kext/IOKit.
Authenticating IOKit.kext file/directory /System/Library/Extensions/System.kext/PlugIns/IOKit.kext/Info.plist.
Authenticating Libkern.kext file/directory /System/Library/Extensions/System.kext/PlugIns/Libkern.kext.
Authenticating Libkern.kext file/directory /System/Library/Extensions/System.kext/PlugIns/Libkern.kext/Info.plist.
Authenticating Libkern.kext file/directory /System/Library/Extensions/System.kext/PlugIns/Libkern.kext/Libkern.
Authenticating BSDKernel.kext file/directory /System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext.
Authenticating BSDKernel.kext file/directory /System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext/BSDKernel.
Authenticating BSDKernel.kext file/directory /System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext/Info.plist.
Adding /System/Library/Extensions/System.kext/PlugIns/Mach.kext to mkext.
/System/Library/Extensions/System.kext/PlugIns/Mach.kext added 6292-byte noncompressed executable to mkext.
Adding /System/Library/Extensions/System.kext/PlugIns/IOKit.kext to mkext.
/System/Library/Extensions/System.kext/PlugIns/IOKit.kext added 108744-byte noncompressed executable to mkext.
Adding /System/Library/Extensions/System.kext/PlugIns/Libkern.kext to mkext.
/System/Library/Extensions/System.kext/PlugIns/Libkern.kext added 36436-byte noncompressed executable to mkext.
Adding /System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext to mkext.
/System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext added 30900-byte noncompressed executable to mkext.
Adding /private/var/tmp/kexts/IOUSBMassStorageClass.kext to mkext.
/private/var/tmp/kexts/IOUSBMassStorageClass.kext added 62124-byte noncompressed executable to mkext.
Created mkext for architecture arm64 containing 5 kexts.
Loading IOUSBMassStorageClass.kext.
Kernel error handling kext request - (os/kern) service not supported.
Failed to load IOUSBMassStorageClass.kext - (os/kern) service not supported.
-->KextLoad[WithOptions] returned: 0x2e
Diagnostics obtained @4e601b90
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict/>
</plist>


And the code (stupid PHP doesn't want to attach .txt or .c or whatever. *sigh*). You should be able to cut/paste, though.


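Code:
#include <unistd.h>                         // write(), STDOUT_FILENO
#include <CoreFoundation/CoreFoundation.h>  // CFDictionaryRef, CFURLRef, CFDataRef, ...
#include "OSKextLib.h"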

// N0 license. And I don't care if you use it in whatever capacity.
// Code I provide (or we @Technologeeks teach) is meant for people to actually *use* and learn from.
// (plus, this particular vector has been plugged nowadays in iOS anyway :-)
//
// Remember: AAPL might have closed the door, but oftentimes it may have left a window open.
//
// Compile: gcc[-iphone] kextload.c  -o kextload.osx -framework IOKit -framework CoreFoundation
//
// On OS X (10.10), this will entirely bypass kextd - as a PoC, copy a kext's binary from Contents/MacOS to the current dir,
// then invoke with the .kext dir as argument.
//

#if 0
// To not have to worry about includes in iOS, this cuts/pastes from OSKextLib

typedef struct __OSKext * OSKextRef;

typedef int OSKextVersion;
typedef void *CFRuntimeBase;
typedef UInt32 __OSKextDiagnostics ;


typedef struct __OSKextLoadInfo {
   /* Used whenever a dependency graph is needed (generating an mkext,
    * prelinked kernel, or linking/loading).
    */
    CFMutableArrayRef dependencies;    // may have some missing

   /* These are used when checking the kernel for loaded kexts,
    * or when loading/generating symbols from user space.
    */
    CFDictionaryRef   kernelLoadInfo;   // for lazy eval, cleared when we check
    uint32_t          loadTag;
    uint64_t          loadAddress;      // 64-bit for max coverage
    uint64_t          sourceAddress;    // For prelinking: where it starts in memory
    size_t            headerSize;       // xxx - needed?
    size_t            loadSize;         // xxx - haxx; do we need wiredSize?

   /* These only exist while loading from user space.
    */
    CFURLRef          executableURL;
    CFDataRef         executable;
    CFDataRef         linkedExecutable;
    CFDataRef         prelinkedExecutable;
    kmod_info_t     * kmod_info;
    uint64_t          kmodInfoAddress;
    uint64_t          linkStateAddress;
   
    struct {
        unsigned int  hasRawKernelDependency:1;
        unsigned int  hasKernelDependency:1;
        unsigned int  hasKPIDependency:1;
        unsigned int  hasPrivateKPIDependency:1;

        unsigned int  hasAllDependencies:1;
        unsigned int  dependenciesValid:1;
        unsigned int  dependenciesAuthentic:1;

        unsigned int  isLoaded:1;
        unsigned int  isStarted:1;
        unsigned int  otherCFBundleVersionIsLoaded:1;
        unsigned int  otherUUIDIsLoaded:1; // otherVersion is also set if this is
    } flags;
} __OSKextLoadInfo;

typedef struct __OSKextMkextInfo {
    CFURLRef               mkextURL;
    CFDataRef              mkextData;  // the whole mkext file!
    CFDataRef              executable;
    CFMutableDictionaryRef resources;
} __OSKextMkextInfo;



typedef struct __OSKext {

   /* base CFType information. */
    CFRuntimeBase         cfBase;

   /* Read/retained at creation time. */
    CFURLRef              bundleURL;
    CFStringRef           bundleID;


   /* Read by __OSKextProcessInfoDictionary(). */
    OSKextVersion         version;
    OSKextVersion         compatibleVersion;

   /* May be flushed, may need to reload from disk.
    */
    CFDictionaryRef       infoDictionary;  // read with IOCFUnserialize()

   /* Allocated and maintained as necessary. */
    __OSKextDiagnostics * diagnostics;
    __OSKextLoadInfo    * loadInfo;
    __OSKextMkextInfo   * mkextInfo;

    struct {
        unsigned int      isPluginChecked:1;
        unsigned int      isPlugin:1;

        unsigned int      isFromIdentifierCache:1; // must __OSKextRealize on access
        unsigned int      isFromMkext:1;      // i.e. *not* to be updated from bundleURL
    } staticFlags;

    struct {
       /* Set by __OSKextProcessInfoDictionary() */
        unsigned int      isKernelComponent:1;
        unsigned int      isInterface:1;
        unsigned int      declaresExecutable:1;
        unsigned int      loggingEnabled:1;
        unsigned int      plistHasEnableLoggingSet:1;
        unsigned int      plistHasIOKitDebugFlags:1;
        unsigned int      isLoadableInSafeBoot:1;

       /* Set as determined or on demand. */
        unsigned int      validated:1;  // all possible checks done
        unsigned int      invalid:1;       // at least 1 failure, or fully validated
        unsigned int      valid:1;         // all possible checks done & passed

        unsigned int      authenticated:1; // all possible checks done
        unsigned int      inauthentic:1;   // at least 1 failure, or all ok
        unsigned int      authentic:1;     // should we ever cache this?

        unsigned int      hasIOKitDebugProperty:1;
        unsigned int      warnForMismatchedKmodInfo:1;
    } flags;

} __OSKext, * __OSKextRef;




void
printDictionaryAsXML(CFDictionaryRef dict)
{
    CFDataRef xml = CFPropertyListCreateXMLData(kCFAllocatorDefault,
                                                (CFPropertyListRef)dict);
    if (xml) {
        write(STDOUT_FILENO, CFDataGetBytePtr(xml), CFDataGetLength(xml));
        CFRelease(xml);
    }
}



typedef int OSKextDiagnosticsFlags;
CFDictionaryRef OSKextCopyDiagnostics(OSKextRef aKext,
        OSKextDiagnosticsFlags typeFlags)
__OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_3_2);


CF_EXPORT void
OSKextSetRecordsDiagnostics(OSKextDiagnosticsFlags flags)
                __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_3_2);


CF_EXPORT CFMutableArrayRef
OSKextCopyLoadList(
    OSKextRef aKext,
    Boolean   needAllFlag)
                __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_3_2);


CF_EXPORT OSReturn
OSKextReadLoadedKextInfo(
    CFArrayRef kexts,
    Boolean    flushDependenciesFlag)
                __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_3_2);

CF_EXPORT Boolean
OSKextIsAuthentic(OSKextRef aKext)
                __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_3_2);

CF_EXPORT void
OSKextSetLogFilter(
    UInt32    logFilter, // OSKextLogSpec logFilter,
    Boolean       kernelFlag)
                __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_3_2);

CF_EXPORT OSKextRef
OSKextCreate(
    CFAllocatorRef allocator,
    CFURLRef       anURL)
                __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_3_2);


CFArrayRef OSKextCreateKextsFromURL(
    CFAllocatorRef allocator,
    CFURLRef anURL)
                __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_3_2);


CF_EXPORT Boolean
OSKextIsLoadable(OSKextRef aKext)
                __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_3_2);

CF_EXPORT OSReturn
OSKextLoad(OSKextRef aKext)
                __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_3_2);


typedef int OSKextExcludeLevel;
CF_EXPORT OSReturn
OSKextLoadWithOptions(
    OSKextRef           aKext,
    OSKextExcludeLevel  startExclusion,
    OSKextExcludeLevel  addPersonalitiesExclusion,
    CFArrayRef          personalityNames,
    Boolean             delayAutounloadFlag)
                __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_3_2);


CF_EXPORT Boolean
OSKextResolveDependencies(OSKextRef aKext)
                __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_3_2);

#endif


// This is the kext loader. Note that in iOS, this code *will* cause a panic
// since KXLD is missing.

int main(int argc, char **argv)
{

  CFStringRef  filePath = NULL;

CFURLRef fileURL = NULL;


 CFDictionaryRef diags = NULL;

#define kOSKextLogVerboseFlagsMask       ((UInt32) 0x00000ff0)

OSKextSetLogFilter( 0xFFFFFFFF,1);

OSKextSetLogFilter( 0xFFFFFFFF,0);
//3 |kOSKextLogVerboseFlagsMask, 1);


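// argv[1] is the path to the kext bundle; bail out if it was not supplied
if (argc < 2) { printf("Usage: %s /path/to/some.kext\n", argv[0]); exit(1); }

filePath = CFStringCreateWithCString(kCFAllocatorDefault, argv[1], kCFStringEncodingUTF8);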

OSKextSetRecordsDiagnostics((UInt32) 0xFFFFFFFFU); //OSKextDiagnosticsFlags flags);

fileURL = CFURLCreateWithFileSystemPath( kCFAllocatorDefault,   
                                                 filePath,
                                                 kCFURLPOSIXPathStyle,
                                                 false /* not a directory */ );
  OSKextRef k = OSKextCreate
      ( CFAllocatorGetDefault(),
       fileURL);

  CFArrayRef    kextDeps;
  if (!k) { printf ("Unable to create Kext\n"); exit(1);}


  printf ("KEXT Created\n");

    if (k) {
filePath = CFStringCreateWithCString(kCFAllocatorDefault, "/System/Library/Extensions/System.kext", kCFStringEncodingUTF8);
fileURL = CFURLCreateWithFileSystemPath( kCFAllocatorDefault,   
                                                 filePath,
                                                 kCFURLPOSIXPathStyle,
                                                 false /* not a directory */ );

 kextDeps = OSKextCreateKextsFromURL(kCFAllocatorDefault, fileURL);
printf("DEPS: %p\n", kextDeps);
        }




//   CFArray dependencyURLs = CFArrayCreateMutable(kCFAllocatorDefault, /* capacity */ count, &kCFTypeArrayCallBacks);


 printf("DEPENDENCIES: %d\n", OSKextResolveDependencies(k));
//CFMutableDictionaryRef d = OSKextCopyInfoDictionary(k); printDictionaryAsXML(d);


  CFArrayRef ll = OSKextCopyLoadList (k,1);

  printf("ARRAY REF: %p\n",ll);

 
#if 0
CFStringRef urlSTRRef = CFURLGetString (OSKextGetURL(k));

      
  printf("URL: %s\n", CFStringGetCStringPtr(urlSTRRef, kCFStringEncodingMacRoman));



  printf("--> %p\n",_CFBundleCopyExecutableURLInDirectory(OSKextGetURL(k)));
#endif

  Boolean v = false; // OSKextValidate(k) is commented out, so v is reported as 0 below

  if (OSKextIsAuthentic(k)) { printf("Kext is Authentic!\n");} else { printf("Kext is not authentic\n");}
 // if (OSKextIsLoadable(k)) { printf("Kext is loadable!\n");} else { printf("Kext is not loadable\n");}

  printf ("--> Kext: %p Valid: %d\n", k,v);
 


 //  printf ("EXEC: %p\n", k->loadInfo->executable);


 // This fails on dependencies..
 // OSReturn rc = OSKextLoad(k);

#define kOSKextExcludeNone (0)

  OSReturn rc = OSKextLoadWithOptions(k, // OSKextRef           aKext,
                kOSKextExcludeNone, // OSKextExcludeLevel  startExclusion,
            kOSKextExcludeNone, // OSKextExcludeLevel  addPersonalitiesExclusion,
            NULL, // CFArrayRef          personalityNames,
            1); // Boolean             delayAutounloadFlag)

  printf("-->KextLoad[WithOptions] returned: 0x%x\n", rc);
  diags = OSKextCopyDiagnostics(k, (UInt32) 0xFFFFFFFFU);
  printf("Diagnostics obtained @%p\n", (void *)diags);
  printDictionaryAsXML(diags);
 
  printf("RC: %d\n",rc);

}


J
morpheus
Site Admin
 
Posts: 469
Joined: Thu Apr 11, 2013 6:24 pm
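
The loader above prints the raw OSReturn from OSKextLoadWithOptions as hex. As an added example (not part of the original post, and not the author's code), this stand-alone C decoder splits such a value into the Mach system/subsystem/code fields and names a subset of the kext codes. The constants follow Apple's public mach/error.h and libkern/OSKextLib.h and should be confirmed against the headers in your SDK; the sample values in main() are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Mach-style return code layout (mach/error.h):
 * system = top 6 bits, subsystem = next 12 bits, code = low 14 bits. */
#define ERR_SYSTEM(rc) (((uint32_t)(rc) >> 26) & 0x3fu)
#define ERR_SUB(rc)    (((uint32_t)(rc) >> 14) & 0xfffu)
#define ERR_CODE(rc)   ((uint32_t)(rc) & 0x3fffu)

#define SYS_LIBKERN      0x37u /* sys_libkern, libkern/OSReturn.h */
#define SUB_LIBKERN_KEXT 0x02u /* sub_libkern_kext, libkern/OSKextLib.h */

struct kext_err { uint32_t code; const char *name; };

/* Subset of the kOSKextReturn* codes (libkern/OSKextLib.h). */
static const struct kext_err kext_errs[] = {
    {0x01, "kOSKextReturnInternalError"},
    {0x04, "kOSKextReturnNotPrivileged"},
    {0x09, "kOSKextReturnUnsupported"},
    {0x0c, "kOSKextReturnValidation"},
    {0x0d, "kOSKextReturnAuthentication"},
    {0x0e, "kOSKextReturnDependencies"},
    {0x13, "kOSKextReturnNotLoadable"},
    {0x16, "kOSKextReturnLinkError"},
};

/* Name for an OSReturn: "kOSReturnSuccess" for 0, a kOSKextReturn* name
 * for a known libkern/kext code, NULL for anything else. */
const char *kext_return_name(uint32_t rc)
{
    if (rc == 0)
        return "kOSReturnSuccess";
    if (ERR_SYSTEM(rc) != SYS_LIBKERN || ERR_SUB(rc) != SUB_LIBKERN_KEXT)
        return NULL; /* some other subsystem (IPC, MIG, IOKit, ...) */
    for (size_t i = 0; i < sizeof kext_errs / sizeof kext_errs[0]; i++)
        if (kext_errs[i].code == ERR_CODE(rc))
            return kext_errs[i].name;
    return NULL;
}

int main(void)
{
    /* Constructed samples: success, two kext codes, one non-kext code. */
    const uint32_t samples[] = {0x0u, 0xdc008004u, 0xdc00800eu, 0x10000003u};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *name = kext_return_name(samples[i]);
        printf("0x%08x system=0x%02x sub=0x%03x code=0x%04x %s\n",
               (unsigned)samples[i], (unsigned)ERR_SYSTEM(samples[i]),
               (unsigned)ERR_SUB(samples[i]), (unsigned)ERR_CODE(samples[i]),
               name ? name : "(not a known libkern/kext code)");
    }
    return 0;
}
```
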

Re: iOS Loading kext

Postby vtan » Sat Jun 27, 2015 6:43 pm

Hey Jonathan,

First off, I would like to say thank you very much for that detailed post. I really do appreciate you taking the time to answer my question. I'll go mess around with the code you provided and see how things go.

Secondly, I would like to say that I had no idea what one question would result in, I'm just trying to learn. From my point of view, I consider both you and Stefan to be masters in iOS and the easiest people for me to reach out to.

I had no idea that @Technologeeks was linked to you personally, otherwise I would have left my tweet neutral. I would like to apologize for any damage that may have caused. I have nothing against either one of you and would not like to get in-between anything that is going on. I just want to learn from the best and appreciate your time and any sharing of knowledge.

That being said, I would like to thank you for your detailed "notes" on TaiG and iOS9 and can't wait to get a hold of MOXII. Do hope I can keep asking questions here...
vtan
 
Posts: 11
Joined: Fri Jun 26, 2015 10:14 pm

Re: iOS Loading kext - and clarification to Mr. Esser

Postby morpheus » Sat Jun 27, 2015 7:44 pm

No worries, Vincent! I really appreciate this. Your questions, and all others' - are welcome here. This is the raison d'être of this forum. Stefan Esser apparently degraded my commenting about a kextload for iOS being "0day material" and "weapons grade", so I guess I might as well explain here. I'd appreciate if people convey that to him.

That code injection into kernel is possible in iOS is a given. That's the fundamental aspect of Jailbreaking - invading kernel memory. We need that so as to patch task_for_pid to get 0, enable rwx, and a bunch of other things which involve rewriting kernel executable code so as to "patch out" Apple's protections (collectively, these are planetbeing's patches, though TaiG and others have been modifying them for 64-bit kernels, as well).

That said, injecting arbitrary kexts into iOS would be disastrous in terms of security. @comex (whose work I'm a huge fan of) did a PoC at one point, and it has been abandoned. Imagine the easy and open door it leaves for malicious rootkits, including potentially cross platform root kits (as you could compile a kext for iOS very easily with a set of compiler args). THAT is why I was hoping to avoid discussion of that.

I am a firm, staunch believer that iOS should be jail breakable. I am not promoting or condoning malware. Setting up arbitrary kext loading would benefit malware (and secret organizations you wouldn't necessarily want on your most personal devices). Maybe that's why Esser's talk to RSA was rejected? Potentially explosive material (another aspect is code injection via the baseband - a holy grail of sorts).

Responding to that with "#WTF" as he did, and then calling me (via our team handle) a "jerk" (in an apparently by now deleted tweet) is childish and insulting, and so the reaction was harsh. When Mr. Esser accused us further of slandering him and stealing his courses, which is an outright *lie* (there was not a single tweet to that extent or anything which even mentioned him up to this morning), the situation escalated further. It's one thing to behave in a rude, childish manner. It's quite another to spread lies.

Yes, our training overlaps. Naturally. But such is life. You can't hold a monopoly - if you want one, go work for AAPL itself. We both deal with OS X/iOS, and will certainly continue doing so. But as a company, we @TG also deal with Android/Linux, and I think he still does PHP. Our training takes a radically different approach (architectural, not exploiting) with my specific original material. I would be the first to acknowledge that he is truly an authority on iOS exploitation. In another world, we could probably do great things by cooperating.

But let it be perfectly clear - Our methods @Technologeeks are pure, and we never once tried to denigrate, steal customers, steal material, slander him, or any of the propaganda and entirely false accusations that he is spreading to his devout throng of followers. Heck, I never even met the guy (and not sure I want to after this!).

If Mr. Esser was personally hurt by my company's tweet and ardent defense (heck, I *am* its founder ;-), I hereby apologize (certainly for the German expletive!) and extend an olive branch. But I would expect him to also man up, and apologize for his insults, and specifically the utterly false claims. Getting a good word of appreciation or acknowledgment - not just for myself, but anyone - from Mr. Esser is nigh-impossible. It's quite another thing, however, to have to put up with libel and personal insults.

Keep those questions coming! :-)

Best of Karma,

J
morpheus
Site Admin
 
Posts: 469
Joined: Thu Apr 11, 2013 6:24 pm

Re: iOS Loading kext - Stay real

Postby i0n1c » Sat Jun 27, 2015 8:38 pm

What kind of propaganda forum is this?

Fact is I tweeted about this forum saying that "loading a KEXT in iOS is weapon-grade/0-day caliber" and the Twitter account @Technologeeks comes immediately swinging at me with slandering tweets like:

At least he GETS a response. That's more than "I kn0w, will teach y0u f0r $$$, and y0u can never use it 0r I will whine incessantly"


This is slander because it implies that I am not sharing information unless it is for money and that students attending my training would not be allowed to use what they learn. Which is bullshit slander by a company offering competing trainings.

But it does stop there. The next tweet invokes Godwin's law by using Nazi vocabulary: "HAIL" and "über alle".

All Hail Esser!B)u r l33t.We (and everyone)sucks.All vulns/0days (c) @i0n1c über alle! So quit following us(&try to be a bit polite)


It is a strict lie that I have accused Technologeeks of stealing material. I have however questioned this kind of childish action to slander me and my training courses publicly on Twitter. When this kind of bullshit comes from a company that offers trainings covering similar topics as my trainings, I will comment on this. BTW the tweet where I call whoever runs the Twitter account @technologeeks a jerk has never been deleted, because this is exactly what I think about whoever runs it.

Actually I expect that your next step is to delete all the Nazi vocabulary tweets etc.... to further whitewash your version of the truth which is exactly the opposite of what happened....
i0n1c
 
Posts: 2
Joined: Sat Jun 27, 2015 8:26 pm

Re: iOS Loading kext

Postby morpheus » Sat Jun 27, 2015 8:53 pm

Wow. I'm honored! If that's the real you, that is. Can't tell by a handle.

First, let me say that tweeting with a hash tag of #WTF is what got this started (or did you delete that tweet?) Then, resorting to "jerk" (apparently, that's your new pet name for me, even after I had extended an apology! - https://twitter.com/i0n1c/status/614890488995426304), is what got worse.

Too bad you got to the forum under such circumstances. You could have majorly contributed here. But anyway .. Now, for the matter at hand:

"I kn0w, will teach y0u f0r $$$, and y0u can never use it 0r I will whine incessantly"

and you say, " I am not sharing information unless it is for money ".

Which is *exactly* the point. You ONLY share it for money. And then when people use it (exactly what are they paying so much for?!) you run after them?!

As for allegedly Nazi vocabulary, god forbid. Perish the thought. I myself am Jewish, and have lost a great portion of my family's previous generation in that time. Hail - https://en.wikipedia.org/wiki/Hail_the_Conquering_Hero , not THAT Hail. God no! Uber alle means "over all", not in a Nazi context. l33t is l33tspeak, not Nazi. I am shuddered you would even mention that. Anything for publicity and beating this dead horse? Or are you the thought police now?

As for YOUR accusations:

"At this point I want to extend my gratitude to all my trainees who know the difference between use what you learn and pirating software." (contrary to us?)

And - worse - "Well @anmol_iam I believe people should be made aware of dirty methods @Technologeeks uses"

What dirty methods, pray tell? Again, we have done nothing to your sektioneins, nor had any interaction what-so-ever.

And, FYI, we have been offering training since my book came out. That's 2012 or so. And I mentioned that too, we deliver training in the Android space. Praise the Gods that you're not there too. Don't worry - we have no plans to go into PHP, like, ever.

We have no quarrel with you. I, for one, as I said - AND WILL STATE AGAIN - acknowledge your obvious skill. In case you didn't get it, I extended an APOLOGY. To bury the hatchet. To move FORWARD. You, however, insist on calling me jerk. I will no longer stoop to this level and prolong this needless argument. My people are simply ignoring you on Twitter (and they told me YOU were following US, not the other way around), and if you don't have anything mature and POLITE to say, then this conversation will remain here as testament of free speech - (https://twitter.com/i0n1c/status/614890791769632768 - you're wrong) but ends here.


J
morpheus
Site Admin
 
Posts: 469
Joined: Thu Apr 11, 2013 6:24 pm

Re: iOS Loading kext

Postby i0n1c » Sat Jun 27, 2015 8:57 pm

Administrator wrote: "I kn0w, will teach y0u f0r $$$, and y0u can never use it 0r I will whine incessantly"

and you say, " I am not sharing information unless it is for money ".

Which is *exactly* the point. You ONLY share it for money. And then when people use it (exactly what are they paying so much for?!) you run after them?!

And there the slander is again... Claiming that I share knowledge only for money is slander and a lie.
Also claiming that I run after my students for using knowledge I teach them is a slandering lie.

Fact is however I run after trainees who take commercial software used during the training and distribute that to millions.
i0n1c
 
Posts: 2
Joined: Sat Jun 27, 2015 8:26 pm

Re: iOS Loading kext

Postby morpheus » Sat Jun 27, 2015 9:06 pm

*sigh* At least we've agreed no one even insinuated you're a Nazi. I appreciate that. Thank you.

You want to share information *not* for money? Please do. There is no monopoly on information, especially in trainings. Talk less, and do more. Share kernel symbols or dumps. Write articles outside conferences, share *free* tools and source (yes, you have github, but it deserves more than dump decrypted and a bunch of IDA plugins - and "open sourcing" TaiG is a mistake which serves nothing but shaming Apple (and showing the world TaiG are "thieves")). Heck - you know what, why not just contribute here! You've made the first step!

Again - too bad we didn't "meet" under better circumstances - we certainly could have learned a ton from one another. But.. as I said to Vincent, I will say to you - Best of Karma.

J
morpheus
Site Admin
 
Posts: 469
Joined: Thu Apr 11, 2013 6:24 pm

Re: iOS Loading kext

Postby backendbilly » Fri Jul 10, 2015 4:00 pm

Hi Jonathan,

I'm trying to compile the KextLoad above on iOS but having an issue with the include file "OSKextLib.h". Any hints will be appreciated.
backendbilly
Site Admin
 
Posts: 121
Joined: Fri May 29, 2015 5:58 pm

