Dumping The Kernel

PostPosted: Thu Sep 08, 2016 9:26 pm
by darkknight
Hi J/Siguza,
So I have not delved much into kernel, but I came across this article recently: http://blog.offcellresearch.com/security/apple/ios/kernel/2016/08/23/who-needs-decrypted-kernels-anyways.html. And it seems to be the de facto way of getting dumps. The only way I knew of prior to this was via Siguza's scripts (or scripts similar to that) here: https://github.com/Siguza/ios-kern-utils. So I was wondering how one would go about the method mentioned in the article.

Thanks....

Re: Dumping The Kernel

PostPosted: Fri Sep 09, 2016 1:10 am
by morpheus
Both methods require a kernel exploit/jailbroken device. The one off of physical memory requires working with IOMemoryDescriptors to get the physical addresses, and dump them. The other method requires TFP0.

The second method is, by and large, easier - but will miss some of the jettisoned parts of the kernel (i.e. the symbol table). The first method's advantage is that it gets the raw Mach-O. If you look at the article, Msolnik states it works better for him on newer devices, suspecting it's because of RAM differences - and it is. In newer devices, if you get in early enough, the physical memory (RAM) hasn't been reused for other pages, and therefore you get a complete image.

Re: Dumping The Kernel

PostPosted: Fri Sep 09, 2016 2:14 am
by darkknight
Administrator wrote: Both methods require a kernel exploit/jailbroken device. The one off of physical memory requires working with IOMemoryDescriptors to get the physical addresses, and dump them. The other method requires TFP0.

The second method is, by and large, easier - but will miss some of the jettisoned parts of the kernel (i.e. the symbol table). The first method's advantage is that it gets the raw Mach-O. If you look at the article, Msolnik states it works better for him on newer devices, suspecting it's because of RAM differences - and it is. In newer devices, if you get in early enough, the physical memory (RAM) hasn't been reused for other pages, and therefore you get a complete image.


AHA!!! Thanks for the explanation....

Re: Dumping The Kernel

PostPosted: Sat Sep 10, 2016 8:55 pm
by Siguza
I read that article, and I'm planning on implementing the described method in kern-utils to allow searching for and dumping arbitrary parts of physical RAM, but it might be quite some time before I actually get that working.

I don't know much about IOMemoryDescriptors, but if I'm not mistaken, modifying the page table directly (via TFP0) should also work. Preferably that of the userland process, so you don't have to clean it up — but if that is limited in some way, then the kernel's — winocm and qwertyoruiopz have done the latter, so that is definitely possible.
For iOS 8, you can use Luca's tte binary to modify the kernel's page table (you should reboot after doing that, though) and combine that with a custom "scanmem" program to find the kernel header and dump from that offset. Not sure if that works on iOS 9 too (and if it does, it will only work with Pangu on 9.1, since the other versions don't have tfp0 AFAIK), but it would certainly be possible to replicate it with some work - the comments on winocm's "ttbthingy" are pretty useful as a basic guide.

Also, I should probably update the iPhone wiki's "Kernel Dumping" page with that info some time... :P
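
An offline illustration of the "scanmem" step described above (find the kernel's Mach-O header in a memory capture and work out what to dump from that offset), added here as an example; it is not code from this thread, from ios-kern-utils, or from the linked article. It runs over a constructed byte buffer standing in for a RAM capture; the Mach-O constants are the public header values, while the sample segment addresses are made up.

```python
import struct

# Public Mach-O constants (mach-o/loader.h, mach/machine.h).
MH_MAGIC_64 = 0xFEEDFACF
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2
LC_SEGMENT_64 = 0x19
HEADER_FMT = "<IiiIIIII"      # mach_header_64: 32 bytes, little-endian
SEG_FMT = "<II16sQQQQiiII"    # segment_command_64: 72 bytes

def parse_header(buf, off):
    """Return (ncmds, sizeofcmds) if an arm64 MH_EXECUTE header starts at off, else None."""
    if off + 32 > len(buf):
        return None
    magic, cputype, _sub, ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from(HEADER_FMT, buf, off)
    if magic != MH_MAGIC_64 or cputype != CPU_TYPE_ARM64 or ftype != MH_EXECUTE:
        return None
    # Reject stray magics: a real header has load commands that fit in the capture.
    if ncmds == 0 or off + 32 + sizeofcmds > len(buf):
        return None
    return ncmds, sizeofcmds

def parse_segments(buf, off, ncmds, sizeofcmds):
    """Walk the load commands and return (segname, vmaddr, vmsize) for each LC_SEGMENT_64."""
    segs, pos, end = [], off + 32, off + 32 + sizeofcmds
    for _ in range(ncmds):
        if pos + 8 > end:
            break
        cmd, cmdsize = struct.unpack_from("<II", buf, pos)
        if cmdsize < 8 or pos + cmdsize > end:   # malformed command: stop rather than run off the end
            break
        if cmd == LC_SEGMENT_64 and cmdsize >= 72:
            f = struct.unpack_from(SEG_FMT, buf, pos)
            segs.append((f[2].rstrip(b"\0").decode(), f[3], f[4]))
        pos += cmdsize
    return segs

def find_kernel_headers(buf):
    """Scan a memory capture for every valid arm64 kernel Mach-O header; return [(offset, segments)]."""
    magic, hits = struct.pack("<I", MH_MAGIC_64), []
    off = buf.find(magic)
    while off != -1:
        hdr = parse_header(buf, off)
        if hdr:
            hits.append((off, parse_segments(buf, off, *hdr)))
        off = buf.find(magic, off + 1)
    return hits

def build_sample():
    """Constructed stand-in for a RAM capture: filler, a decoy x86_64 header (must be skipped), then an arm64 kernel header."""
    def seg(name, vmaddr, vmsize):
        return struct.pack(SEG_FMT, LC_SEGMENT_64, 72, name.ljust(16, b"\0"), vmaddr, vmsize, 0, vmsize, 5, 5, 0, 0)
    cmds = seg(b"__TEXT", 0xFFFFFFF007004000, 0x1000000) + seg(b"__DATA", 0xFFFFFFF008004000, 0x200000)
    hdr = struct.pack(HEADER_FMT, MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 2, len(cmds), 1, 0)
    decoy = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x01000007, 3, MH_EXECUTE, 0, 0, 0, 0)
    return b"\xAA" * 0x1000 + decoy + b"\0" * 0x100 + hdr + cmds + b"\x55" * 0x800
```

On a real capture the segment vmaddr/vmsize pairs are what tell you how far past the header offset the image extends, which is exactly what a dumper needs once the header has been located.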

Re: Dumping The Kernel

PostPosted: Sun Sep 11, 2016 7:48 pm
by darkknight
Siguza wrote: I read that article, and I'm planning on implementing the described method in kern-utils to allow searching for and dumping arbitrary parts of physical RAM, but it might be quite some time before I actually get that working.

I don't know much about IOMemoryDescriptors, but if I'm not mistaken, modifying the page table directly (via TFP0) should also work. Preferably that of the userland process, so you don't have to clean it up — but if that is limited in some way, then the kernel's — winocm and qwertyoruiopz have done the latter, so that is definitely possible.
For iOS 8, you can use Luca's tte binary to modify the kernel's page table (you should reboot after doing that, though) and combine that with a custom "scanmem" program to find the kernel header and dump from that offset. Not sure if that works on iOS 9 too (and if it does, it will only work with Pangu on 9.1, since the other versions don't have tfp0 AFAIK), but it would certainly be possible to replicate it with some work - the comments on winocm's "ttbthingy" are pretty useful as a basic guide.

Also, I should probably update the iPhone wiki's "Kernel Dumping" page with that info some time... :P

Thanks Siguza...