Dumping The Kernel

Wherein links to *OS related articles will be posted (alongside the RSS), and you are welcome to ask any questions or post any comments.

Dumping The Kernel

Postby darkknight » Thu Sep 08, 2016 9:26 pm

Hi J/Siguza,
So I have not delved much into the kernel, but I came across this article recently http://blog.offcellresearch.com/security/apple/ios/kernel/2016/08/23/who-needs-decrypted-kernels-anyways.html. And it seems to be the de facto way of getting dumps. The only way I knew of prior to this was via Siguza's scripts (or scripts similar to that) here https://github.com/Siguza/ios-kern-utils. So I was wondering how one would go about the method mentioned in the article.

Thanks....
darkknight
 
Posts: 66
Joined: Mon Apr 18, 2016 10:49 pm

Re: Dumping The Kernel

Postby morpheus » Fri Sep 09, 2016 1:10 am

Both methods require a kernel exploit/jailbroken device. The one off of physical memory requires working with IOMemoryDescriptors to get the physical addresses, and dump them. The other method requires TFP0.

The second method is, by and large, easier - but will miss some of the jettisoned parts of the kernel (i.e. symbol table). The first method's advantage is that it gets the raw Mach-O. If you look at the article, Msolnik states it works better for him on newer devices, suspecting it's because of RAM differences - and it is. In newer devices, if you get in early enough, the physical mem (RAM) hasn't been reused for other pages, and therefore you get a complete image.
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: Dumping The Kernel

Postby darkknight » Fri Sep 09, 2016 2:14 am

Administrator wrote:Both methods require a kernel exploit/jailbroken device. The one off of physical memory requires working with IOMemoryDescriptors to get the physical addresses, and dump them. The other method requires TFP0.

The second method is, by and large, easier - but will miss some of the jettisoned parts of the kernel (i.e. symbol table). The first method's advantage is that it gets the raw Mach-O. If you look at the article, Msolnik states it works better for him on newer devices, suspecting it's because of RAM differences - and it is. In newer devices, if you get in early enough, the physical mem (RAM) hasn't been reused for other pages, and therefore you get a complete image.


AHA!!! Thanks for the explanation....
darkknight
 
Posts: 66
Joined: Mon Apr 18, 2016 10:49 pm

Re: Dumping The Kernel

Postby Siguza » Sat Sep 10, 2016 8:55 pm

I read that article, and I'm planning on implementing the described method in kern-utils to allow searching for and dumping arbitrary parts of physical RAM, but it might be quite some time before I actually get that working.

I don't know much about IOMemoryDescriptors, but if I'm not mistaken, modifying the page table directly (via TFP0) should also work. Preferably that of the userland process so you don't have to clean it up — but if that is limited in some way, then the kernel's — winocm and qwertyoruiopz have done the latter, so that is definitely possible.
For iOS 8, you can use Luca's tte binary to modify the kernel's page table (you should reboot after doing that though) and combine that with a custom "scanmem" program to find the kernel header and dump from that offset. Not sure if that works on iOS 9 too (and if it does, it will only work with Pangu on 9.1, since the other versions don't have tfp0 AFAIK), but it would certainly be possible to replicate it with some work - the comments on winocm's "ttbthingy" are pretty useful as a basic guide.

Also, I should probably update the iPhone wiki's "Kernel Dumping" page with that info some time... :P
Siguza
Unicorn
 
Posts: 159
Joined: Thu Jan 28, 2016 10:38 am
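Siguza's post describes the analysis half of the physical-memory approach: locate the kernel's Mach-O header somewhere in a raw buffer, then dump from that offset. The following is an added example, not Siguza's code and not part of kern-utils or the linked article, showing that step over an in-memory image: it scans for a plausible mach_header_64 (the magic alone gives false positives in RAM, so ncmds/sizeofcmds are sanity-checked), walks the LC_SEGMENT_64 commands, and carves out the bytes from the header to the end of the last segment. It refuses to carve when a segment reaches past the captured buffer, which is exactly the incomplete-image case morpheus describes when pages have been reused. The struct layouts and constants are the real ones from Apple's <mach-o/loader.h>; the sample buffer, its addresses and segment sizes are constructed for the demonstration.

```python
import struct

# Constants from <mach-o/loader.h> and <mach/machine.h> (real values).
MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
MH_EXECUTE = 2
CPU_TYPE_ARM64 = 0x0100000C

HEADER_FMT = "<IiiIIIII"        # mach_header_64: 32 bytes, little-endian
SEGMENT_FMT = "<II16sQQQQiiII"  # segment_command_64: 72 bytes
HEADER_SIZE = struct.calcsize(HEADER_FMT)
SEGMENT_SIZE = struct.calcsize(SEGMENT_FMT)


def build_sample_image():
    """Constructed stand-in for a raw memory image (not a real dump): zero
    filler, a decoy magic with nonsense header fields at 0x100, and a minimal
    arm64 Mach-O executable with two segments at 0x1000. Addresses are invented."""
    img = bytearray(0x4000)
    # Decoy: correct magic, but ncmds/sizeofcmds no real header would carry.
    struct.pack_into(HEADER_FMT, img, 0x100, MH_MAGIC_64, 0, 0, 0,
                     0xFFFFFFFF, 0xFFFFFFFF, 0, 0)
    segs = [
        # (name, vmaddr, vmsize, fileoff, filesize, maxprot, initprot)
        (b"__TEXT", 0xFFFFFFF007004000, 0x2000, 0x0000, 0x2000, 5, 5),
        (b"__DATA", 0xFFFFFFF007006000, 0x1000, 0x2000, 0x1000, 3, 3),
    ]
    cmds = b"".join(
        struct.pack(SEGMENT_FMT, LC_SEGMENT_64, SEGMENT_SIZE, name.ljust(16, b"\0"),
                    vmaddr, vmsize, fileoff, filesize, maxprot, initprot, 0, 0)
        for name, vmaddr, vmsize, fileoff, filesize, maxprot, initprot in segs
    )
    hdr = struct.pack(HEADER_FMT, MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                      len(segs), len(cmds), 0, 0)
    img[0x1000:0x1000 + len(hdr) + len(cmds)] = hdr + cmds
    return bytes(img)


def find_macho_headers(image, max_cmds=1024, max_cmds_size=1 << 20):
    """Offsets of every plausible mach_header_64 in the buffer. In a RAM
    image the magic can appear in data or stale pages, so the header's
    ncmds/sizeofcmds are checked against sane bounds and the buffer length."""
    needle = struct.pack("<I", MH_MAGIC_64)
    hits, pos = [], 0
    while True:
        pos = image.find(needle, pos)
        if pos < 0 or pos + HEADER_SIZE > len(image):
            break
        ncmds, sizeofcmds = struct.unpack_from(HEADER_FMT, image, pos)[4:6]
        if (0 < ncmds <= max_cmds and sizeofcmds <= max_cmds_size
                and pos + HEADER_SIZE + sizeofcmds <= len(image)):
            hits.append(pos)
        pos += 4
    return hits


def parse_segments(image, off):
    """Walk the load commands of the header at `off`; return LC_SEGMENT_64s."""
    ncmds, sizeofcmds = struct.unpack_from(HEADER_FMT, image, off)[4:6]
    segments, pos = [], off + HEADER_SIZE
    end = pos + sizeofcmds
    for _ in range(ncmds):
        if pos + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", image, pos)
        if cmdsize < 8 or pos + cmdsize > end:
            raise ValueError("corrupt load command at 0x%x" % pos)
        if cmd == LC_SEGMENT_64:
            if cmdsize < SEGMENT_SIZE:
                raise ValueError("truncated LC_SEGMENT_64 at 0x%x" % pos)
            f = struct.unpack_from(SEGMENT_FMT, image, pos)
            segments.append({"name": f[2].rstrip(b"\0").decode(),
                             "vmaddr": f[3], "vmsize": f[4],
                             "fileoff": f[5], "filesize": f[6]})
        pos += cmdsize
    return segments


def carve_macho(image, off):
    """Bytes from the header at `off` to the end of the last segment's file
    bytes. Raises if a segment lies beyond the buffer: in a memory dump that
    means the image is incomplete (pages not captured or already reused)."""
    segments = parse_segments(image, off)
    if not segments:
        raise ValueError("no LC_SEGMENT_64 commands")
    extent = max(s["fileoff"] + s["filesize"] for s in segments)
    if off + extent > len(image):
        raise ValueError("buffer ends 0x%x bytes short of the last segment"
                         % (off + extent - len(image)))
    return image[off:off + extent]


if __name__ == "__main__":
    image = build_sample_image()
    for off in find_macho_headers(image):
        for s in parse_segments(image, off):
            print("0x%x %-8s vmaddr=0x%x size=0x%x" % (off, s["name"], s["vmaddr"], s["vmsize"]))
        print("carved 0x%x bytes from 0x%x" % (len(carve_macho(image, off)), off))
```

On a real dump the same routines apply to the file read from disk; the segment list is also the first thing to compare against the decrypted kernelcache, since a __TEXT or __DATA whose bytes were overwritten will still parse but no longer match.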

Re: Dumping The Kernel

Postby darkknight » Sun Sep 11, 2016 7:48 pm

Siguza wrote:I read that article, and I'm planning on implementing the described method in kern-utils to allow searching for and dumping arbitrary parts of physical RAM, but it might be quite some time before I actually get that working.

I don't know much about IOMemoryDescriptors, but if I'm not mistaken, modifying the page table directly (via TFP0) should also work. Preferably that of the userland process so you don't have to clean it up — but if that is limited in some way, then the kernel's — winocm and qwertyoruiopz have done the latter, so that is definitely possible.
For iOS 8, you can use Luca's tte binary to modify the kernel's page table (you should reboot after doing that though) and combine that with a custom "scanmem" program to find the kernel header and dump from that offset. Not sure if that works on iOS 9 too (and if it does, it will only work with Pangu on 9.1, since the other versions don't have tfp0 AFAIK), but it would certainly be possible to replicate it with some work - the comments on winocm's "ttbthingy" are pretty useful as a basic guide.

Also, I should probably update the iPhone wiki's "Kernel Dumping" page with that info some time... :P

Thanks Siguza...
darkknight
 
Posts: 66
Joined: Mon Apr 18, 2016 10:49 pm

