iOS Kernel Debugging

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Postby sbz » Wed Mar 22, 2017 10:13 am

Hello,

Does anyone know how to debug a live iOS kernel? Do I need a jailbroken device for that?

I've acquired a DCSD cable, and I can see the messages from iBoot in the Serial terminal.

Thanks!
sbz
 
Posts: 3
Joined: Fri Feb 24, 2017 1:19 pm

Re: iOS Kernel Debugging

Postby Siguza » Wed Mar 22, 2017 10:27 am

There is no way you're getting into an iOS kernel without an exploit. So yes, you need a jailbroken device.
With most (but not all) jailbreaks you can get the kernel task port with task_for_pid(0) or host_get_special_port(4), but that only allows you to do on-device debugging.
If you're looking to do remote debugging, you'll either need to enable KDP, which (to my knowledge) requires some patches, or you need to implement a custom solution, such as e.g. the radare2 kernel debugging server by qwertyoruiop.
Siguza
Unicorn
 
Posts: 159
Joined: Thu Jan 28, 2016 10:38 am

Re: iOS Kernel Debugging

Postby sbz » Thu Mar 23, 2017 10:30 am

Thanks for answering!

1. Once I get tfp0, how can I use it for debugging? Do I need to write my own tool for r/w kernel memory? What about breakpoints etc.?
2. From your answer I understand that given that KDP isn't enabled (or given that I don't use a custom tool), I basically have no use for the DCSD cable. Am I correct?
sbz
 
Posts: 3
Joined: Fri Feb 24, 2017 1:19 pm

Re: iOS Kernel Debugging

Postby Siguza » Thu Mar 23, 2017 8:51 pm

sbz wrote:
> Once I get tfp0, how can I use it for debugging? Do I need to write my own tool for r/w kernel memory? What about breakpoints etc.?

Either through your own tools (really, the vm_read and vm_write APIs aren't that complicated), or by getting a tool that can attach to a mach port (if your "tfp0" is via host_special_port(4), then you might need to patch that in the tool you're using, but I consider that a minor change). I'd really give qwerty's radare2 server things a try though.

sbz wrote:
> From your answer I understand that given that KDP isn't enabled (or given that I don't use a custom tool), I basically have no use for the DCSD cable. Am I correct?

AFAIK, yes. Unless you've got some mad boot chain vulnerability, and are debugging your exploit there, ofc.
Siguza
Unicorn
 
Posts: 159
Joined: Thu Jan 28, 2016 10:38 am
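As an added example (not code from this thread, nor from radare2 or any jailbreak), a small C probe that tries both routes named above for the kernel task port, task_for_pid(0) and host special port 4, and wraps a kernel memory read over it via mach_vm_read_overwrite. The Mach calls are guarded so the file also compiles off Apple platforms, where it just reports the port as unavailable; the function names get_kernel_task and kread are my own.

```c
/* Added example: probe whether this process can reach the kernel task port
 * ("tfp0") and read kernel memory through it. On a stock device both routes
 * fail, which is exactly what a jailbreak check or a debug setup verifies. */
#include <stdio.h>
#include <stdint.h>

#ifdef __APPLE__
#include <mach/mach.h>
#include <mach/host_special_ports.h>
/* mach_vm.h is not in the iOS SDK, so declare the prototype by hand. */
extern kern_return_t mach_vm_read_overwrite(vm_map_t, mach_vm_address_t,
                                            mach_vm_size_t, mach_vm_address_t,
                                            mach_vm_size_t *);
typedef mach_port_t ktask_t;
#else
typedef unsigned int ktask_t;       /* stand-in so the file builds elsewhere */
#define MACH_PORT_NULL 0
#endif

/* Try task_for_pid(0) first, then host special port 4 (the slot the thread
 * says some jailbreaks use). Returns MACH_PORT_NULL if neither route works. */
ktask_t get_kernel_task(void) {
    ktask_t port = MACH_PORT_NULL;
#ifdef __APPLE__
    if (task_for_pid(mach_task_self(), 0, &port) == KERN_SUCCESS && port)
        return port;
    port = MACH_PORT_NULL;
    if (host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &port)
            == KERN_SUCCESS && port)
        return port;
#endif
    return MACH_PORT_NULL;
}

/* Read len bytes of kernel memory at addr into out.
 * Returns 1 on a full read, 0 when no port is available or the read fails. */
int kread(ktask_t kport, uint64_t addr, void *out, size_t len) {
#ifdef __APPLE__
    mach_vm_size_t got = 0;
    if (kport == MACH_PORT_NULL) return 0;
    kern_return_t kr = mach_vm_read_overwrite(kport, (mach_vm_address_t)addr,
                           (mach_vm_size_t)len, (mach_vm_address_t)out, &got);
    return kr == KERN_SUCCESS && got == len;
#else
    (void)kport; (void)addr; (void)out; (void)len;
    return 0;
#endif
}

int main(void) {
    ktask_t k = get_kernel_task();
    if (k == MACH_PORT_NULL) { puts("kernel task port not reachable"); return 1; }
    printf("kernel task port: 0x%x\n", (unsigned)k);
    return 0;
}
```

On a jailbroken device the port is reachable and kread can be pointed at an address you already know (e.g. from a symbolicated kernelcache plus the KASLR slide); on a stock device both calls fail, so the probe doubles as a quick "is tfp0 exposed?" check.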

Re: iOS Kernel Debugging

Postby sbz » Sun Mar 26, 2017 2:44 pm

Thanks ... :)
sbz
 
Posts: 3
Joined: Fri Feb 24, 2017 1:19 pm
