iOS Kernel Debugging

PostPosted: Wed Mar 22, 2017 10:13 am
by sbz
Hello,

Does anyone know how to debug a live iOS kernel? Do I need a jailbroken device for that?

I've acquired a DCSD cable, and I can see the messages from iBoot in the Serial terminal.

Thanks!

Re: iOS Kernel Debugging

PostPosted: Wed Mar 22, 2017 10:27 am
by Siguza
There is no way you're getting into an iOS kernel without an exploit. So yes, you need a jailbroken device.
With most (but not all) jailbreaks you can get the kernel task port with task_for_pid(0) or host_get_special_port(4), but that only allows you to do on-device debugging.
If you're looking to do remote debugging, you'll either need to enable KDP, which (to my knowledge) requires some patches, or you need to implement a custom solution, such as e.g. the radare2 kernel debugging server by qwertyoruiop.

Re: iOS Kernel Debugging

PostPosted: Thu Mar 23, 2017 10:30 am
by sbz
Thanks for answering!

1. Once I get tfp0, how can I use it for debugging? Do I need to write my own tool for r/w kernel memory? What about breakpoints, etc.?
2. From your answer I understand that, given that KDP isn't enabled (or given that I don't use a custom tool), I basically have no use for the DCSD cable. Am I correct?

Re: iOS Kernel Debugging

PostPosted: Thu Mar 23, 2017 8:51 pm
by Siguza
sbz wrote: Once I get tfp0, how can I use it for debugging? Do I need to write my own tool for r/w kernel memory? What about breakpoints, etc.?

Either through your own tools (really, the vm_read and vm_write APIs aren't that complicated), or by getting a tool that can attach to a mach port (if your "tfp0" is via host_special_port(4), then you might need to patch that in the tool you're using, but I consider that a minor change). I'd really give qwerty's radare2 server a try though.

sbz wrote: From your answer I understand that, given that KDP isn't enabled (or given that I don't use a custom tool), I basically have no use for the DCSD cable. Am I correct?

AFAIK, yes. Unless you've got some mad boot chain vulnerability and are debugging your exploit there, ofc.

Re: iOS Kernel Debugging

PostPosted: Sun Mar 26, 2017 2:44 pm
by sbz
Thanks ... :)