iOS 11 and nsurlsessiond

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

iOS 11 and nsurlsessiond

Postby scknight » Thu Jun 08, 2017 1:13 pm

I was wondering if anyone running the iOS 11 betas might have filesystem access? I'm hoping to obtain a sample of nsurlsessiond and CFNetwork.dylib from iOS 11 to compare to some research I've done on nsurlsessiond on iOS 9 and iOS 10

Thanks
scknight
 
Posts: 27
Joined: Thu Nov 10, 2016 1:01 pm

Re: iOS 11 and nsurlsessiond

Postby Siguza » Thu Jun 08, 2017 5:55 pm

Just extract them from the OTA (OTA bundles from here, J's pbzx and ota, and you'll need XZ Utils).
Siguza
Unicorn
 
Posts: 158
Joined: Thu Jan 28, 2016 10:38 am

Re: iOS 11 and nsurlsessiond

Postby darkknight » Thu Jun 08, 2017 8:54 pm

See instructions here:
http://newosxbook.com/articles/OTA3.html

Quick question @Siguza:
So unzipping the IPSW will give access to the decrypted kernel which you can then run joker on correct? E.g. joker -k kernelcache.release.iphone7....
And obtaining the file system as requested above you do through the OTA and respective tools right?

So I extracted the amfi kext - ./joker.universal -K com.apple.driver.AppleMobileFileIntegrity iOS/kernelcache.release.iphone7 hoping to identify the hooks covered in the amfi section of the book. However, it didn't correspond to the book.

What am I missing?
Thanks.
darkknight
 
Posts: 65
Joined: Mon Apr 18, 2016 10:49 pm

Re: iOS 11 and nsurlsessiond

Postby morpheus » Thu Jun 08, 2017 10:29 pm

It specifically says joker can't handle lzvn compression yet. Decompress the kernel first with lzfse (get it from GitHub), then apply joker.
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm

Re: iOS 11 and nsurlsessiond

Postby darkknight » Thu Jun 08, 2017 11:05 pm

Not sure I follow, this is the output from iOS 11 Beta:
joker.universal -k kernelcache.release.iphone7
Feeding me a compressed kernelcache, eh? That's fine, now. I can decompress! (Type -dec _file_ if you want to save to file)!
Compressed Size: 13282924, Uncompressed: 26361856. Unknown (CRC?): 0x3b98d0ab, Unknown 1: 0x1
btw, KPP is at 13283363 (0xcab023)..And I saved it for you in /tmp/kpp
Got kernel at 440
This is a 64-bit kernel from iOS 11.x (b1+), or later (4397.0.0.2.4)
ARM64 Exception Vector is at file offset @0x93000 (Addr: 0xfffffff007097000)
0xfffffff005f80000: Mach Kernel Pseudoextension (com.apple.kpi.mach)
0xfffffff005f80080: Private Pseudoextension (com.apple.kpi.private)
0xfffffff005f80100: Unsupported Pseudoextension (com.apple.kpi.unsupported)
0xfffffff005f80180: I/O Kit Pseudoextension (com.apple.kpi.iokit)
0xfffffff005f80200: Libkern Pseudoextension (com.apple.kpi.libkern)
0xfffffff005f80280: BSD Kernel Pseudoextension (com.apple.kpi.bsd)
0xfffffff005f80300: I/O Kit Networking Family (com.apple.iokit.IONetworkingFamily)
0xfffffff005f81980: IOTimeSyncFamily (com.apple.iokit.IOTimeSyncFamily)
0xfffffff005f83440: IOSlowAdaptiveClockingFamily (com.apple.iokit.IOSlowAdaptiveClockingFamily)
0xfffffff005f839c0: I/O Kit Storage Family (com.apple.iokit.IOStorageFamily)


And then
joker.universal -K com.apple.driver.AppleMobileFileIntegrity kernelcache.release.iphone7
Feeding me a compressed kernelcache, eh? That's fine, now. I can decompress! (Type -dec _file_ if you want to save to file)!
Compressed Size: 13282924, Uncompressed: 26361856. Unknown (CRC?): 0x3b98d0ab, Unknown 1: 0x1
btw, KPP is at 13283363 (0xcab023)..And I saved it for you in /tmp/kpp
Got kernel at 440
This is a 64-bit kernel from iOS 11.x (b1+), or later (4397.0.0.2.4)
ARM64 Exception Vector is at file offset @0x93000 (Addr: 0xfffffff007097000)
Found com.apple.driver.AppleMobileFileIntegrity at load address: fffffff005fa2b00, offset: 646b00
Writing kext out to /tmp/com.apple.driver.AppleMobileFileIntegrity.kext
Workaround for Apple's offset bug in the kernelcache!
Unable to resolve kernel symbol at fffffff0063c9a68 (this is fine if it's a symbol from another kext)
Unable to resolve kernel symbol at fffffff0063c3c24 (this is fine if it's a symbol from another kext)
Unable to resolve kernel symbol at fffffff0063adca0 (this is fine if it's a symbol from another kext)
Unable to resolve kernel symbol at fffffff0063c274c (this is fine if it's a symbol from another kext)
Unable to resolve kernel symbol at fffffff0063deac4 (this is fine if it's a symbol from another kext)
Unable to resolve kernel symbol at fffffff0063dadcc (this is fine if it's a symbol from another kext)
Unable to resolve kernel symbol at fffffff0063dac08 (this is fine if it's a symbol from another kext)
Unable to resolve kernel symbol at fffffff0063e1b10 (this is fine if it's a symbol from another kext)
Symbolicated stubs to /tmp/com.apple.driver.AppleMobileFileIntegrity.kext.ARM64.4041C972-A1DC-3E9B-B2FF-3A1138E3172D


Isn't that expected behavior? You are saying I still need lzfse ?
darkknight
 
Posts: 65
Joined: Mon Apr 18, 2016 10:49 pm

Re: iOS 11 and nsurlsessiond

Postby Siguza » Fri Jun 09, 2017 1:57 am

@J: "kernelcache.iphone7" isn't from the iPhone 7, it's from the iPhone 6 or 6s (not sure which, but it's lzss rather than lzfse). The iPhone 7 ones end in ".d10" and ".d101". Yes, Apple did it as wrong as they possibly could.
Siguza
Unicorn
 
Posts: 158
Joined: Thu Jan 28, 2016 10:38 am
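As an added example (not from this thread, and not part of joker), here is a small Python helper that tells an LZSS-wrapped kernelcache from an LZFSE-wrapped one, which is the distinction the last two posts turn on. The complzss header layout is the one Apple's kext_tools uses (PrelinkedKernelHeader); the im4p prefix, sizes and checksum in the sample input are constructed values, not taken from a real kernelcache.

```python
import struct

# Header of an LZSS-packed ("complzss") kernelcache, laid out as in Apple's
# kext_tools PrelinkedKernelHeader (all fields big-endian):
#   signature 'comp', compressType 'lzss', adler32 (of the uncompressed
#   kernel), uncompressedSize, compressedSize, prelinkVersion, then padding.
# joker prints the same fields as "Compressed Size", "Uncompressed",
# "Unknown (CRC?)" and "Unknown 1".
COMPLZSS_HDR = struct.Struct(">4s4sIIII")

# Block magics of Apple's LZFSE stream format: bvx- raw block, bvx1/bvx2
# LZFSE-compressed block, bvxn LZVN-compressed block. A kernelcache whose
# payload starts with one of these needs an LZFSE decoder, not LZSS.
LZFSE_MAGICS = (b"bvx-", b"bvx1", b"bvx2", b"bvxn")


def identify_kernelcache(data: bytes) -> dict:
    """Tell an LZSS-wrapped kernelcache from an LZFSE-wrapped one.

    Works on the raw im4p file, whose ASN.1 prefix varies in length, by
    scanning for the wrapper magic instead of assuming a fixed offset.
    """
    off = data.find(b"complzss")
    if off != -1 and off + COMPLZSS_HDR.size <= len(data):
        _, _, adler, usize, csize, version = COMPLZSS_HDR.unpack_from(data, off)
        return {"format": "lzss", "header_offset": off,
                "compressed_size": csize, "uncompressed_size": usize,
                "adler32": adler, "prelink_version": version}
    # Heuristic: a 4-byte magic can occur by chance inside other data, so
    # report the earliest LZFSE block magic and let the caller sanity-check.
    hits = [(data.find(m), m) for m in LZFSE_MAGICS]
    hits = [h for h in hits if h[0] != -1]
    if hits:
        off, magic = min(hits)
        return {"format": "lzfse", "header_offset": off,
                "block_magic": magic.decode()}
    return {"format": "unknown"}


def build_lzss_sample(payload: bytes, uncompressed_size: int,
                      adler32: int, prefix: bytes) -> bytes:
    """Constructed test input: a fake im4p-style prefix, a complzss header
    with caller-supplied (made-up) sizes, 16 bytes of padding, then payload."""
    hdr = COMPLZSS_HDR.pack(b"comp", b"lzss", adler32, uncompressed_size,
                            len(payload), 1)
    return prefix + hdr + b"\0" * 16 + payload


if __name__ == "__main__":
    fake_prefix = b"\x30\x80\x16\x04IM4P\x16\x04krnl"  # constructed, not real DER
    print(identify_kernelcache(build_lzss_sample(b"A" * 64, 0x1234, 0xdeadbeef, fake_prefix)))
    print(identify_kernelcache(fake_prefix + b"bvx2" + b"\0" * 32))
```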

Re: iOS 11 and nsurlsessiond

Postby darkknight » Fri Jun 09, 2017 4:53 am

Ok...so it seems joker is working properly?

Question I still have is when I extract the kext from the IPSW (iOS 10+) I get something similar to the attached.

How do I see the actual hooks as mentioned in the book? Method I use to extract the kext is the same as described earlier.
./joker.universal -k ../iOS10/kernelcache.release.iphone7
Feeding me a compressed kernelcache, eh? That's fine, now. I can decompress! (Type -dec _file_ if you want to save to file)!
Compressed Size: 12557413, Uncompressed: 24592384. Unknown (CRC?): 0xd746c913, Unknown 1: 0x1
btw, KPP is at 12557850 (0xbf9e1a)..And I saved it for you in /tmp/kpp
Got kernel at 438
This is a 64-bit kernel from iOS 10.x (b7+), or later (3789.60.24.0.0)
ARM64 Exception Vector is at file offset @0x8b000 (Addr: 0xfffffff00708f000)
0xfffffff006098000: Mach Kernel Pseudoextension (com.apple.kpi.mach)
0xfffffff006098080: Private Pseudoextension (com.apple.kpi.private)
0xfffffff006098100: Unsupported Pseudoextension (com.apple.kpi.unsupported)
0xfffffff006098180: I/O Kit Pseudoextension (com.apple.kpi.iokit)
[Attachment: Screen Shot 2017-06-08 at 9.40.42 PM.png, "AMFI.kext iOS 10.3.2"]
darkknight
 
Posts: 65
Joined: Mon Apr 18, 2016 10:49 pm

Re: iOS 11 and nsurlsessiond

Postby scknight » Fri Jun 09, 2017 12:07 pm

Siguza wrote:Just extract them from the OTA (OTA bundles from here, J's pbzx and ota, and you'll need XZ Utils).


Thanks!
scknight
 
Posts: 27
Joined: Thu Nov 10, 2016 1:01 pm

Re: iOS 11 and nsurlsessiond

Postby LincolnP » Mon Jul 24, 2017 4:50 pm

Siguza wrote:Just extract them from the OTA (OTA bundles from here, J's pbzx and ota, and you'll need XZ Utils).


Thanks Siguza.
LincolnP
 
Posts: 1
Joined: Tue Jul 18, 2017 1:46 pm

