Joker tool updated

Postby morpheus » Sun Apr 21, 2013 6:14 pm

The Joker tool has been updated to also provide a list of the kernel extensions packaged into the kextcache - along with their file offsets. This makes it easy to use this tool with dd. Case in point:

 # Look for your kext of interest by grep(1)-ing:
morpheus@Erudite:JTool$ ./joker ~/Documents/iOS/6.1.3.kernel.iPhone4GSM | grep MobileFile
Kext: AppleMobileFileIntegrity @0x80410000 (File: 0x3cf000) (com.apple.driver.AppleMobileFileIntegrity)


Then:
morpeus@Erudite:JTool$ dd if=~/Documents/iOS/6.1.3.kernel.iPhone4GSM  bs=1 skip=0x3cf000 count=100000 of=AMFI.kext
100000+0 records in
100000+0 records out
100000 bytes transferred in 0.230196 secs (434412 bytes/sec)
morpheus@Erudite:JTool$ file AMFI.kext
AMFI.kext: Mach-O kext bundle arm
morpheus@Erudite:JTool$ ./jtool -d AMFI.kext  | more
Processing AMFI.kext:
Disassembling from file offset 0xf3c, Address 0xffffffff80410f3c
-- 80410f3c     b590            PUSH  {r4,r7,lr}       
-- 80410f3e        4a08            LDR   R2, [PC, #32]     ; R2 = *(80410f60) = 0x121ca
-- 80410f40     4604            MOV   R4, R0            ; R4 = 0x0
-- 80410f42        4908            LDR   R1, [PC, #32]     ; R1 = *(80410f64) = 0x3d86
-- 80410f44     af01            ADD   R7, SP, #4        ; R7 += 4 = 4
-- 80410f46     447a            ADD   R2, PC            ; R2 += 80410f4a = 80423114
-- 80410f48     4620            MOV   R0, R4            ; R0 = 0x0
-- 80410f4a     4479            ADD   R1, PC            ; R1 += 80410f4e = 80414cd4AppleMobileFileIntegrityUserClient
.. etc , etc

This should make it very useful for people who want to reverse engineer kexts, with or without IDA.
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm

Re: Joker tool updated

Postby ralphie2001 » Thu May 30, 2013 1:00 pm

I'm feeling a bit stupid here, but when I download the joker tool from your website it comes down as only an x86_64 binary. How do I get an iOS build of the joker tool? Thanks.
ralphie2001
 
Posts: 1
Joined: Thu May 30, 2013 12:54 pm

Re: Joker tool updated

Postby morpheus » Tue Jun 04, 2013 4:23 pm

Hardly stupid! I had neglected to put up an ARM version. Here's one, attached.
Attachments
joker.zip
(37.23 KiB) Downloaded 1542 times
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm

Re: Joker tool updated

Postby backendbilly » Mon Jun 15, 2015 3:33 am

Hi Jonathan,

I'm using the latest joker tool to dump kexts from iOS 9. Using the -e option does not seem to be extracting kexts. The output looks like this:

Source Version: 3216.0.0.1.15
This is iOS 9.x, or later
Found iOS 8+ sysent table @3f2684 (Addr: 0x803f3684)
Processing kexts
Attempting to kextract 0x80735000
Got 181 kexts

Your older version output the file offset in the kernel, but the new version does not, as it tries to do it itself.

Thanks again for all your work.
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: Joker tool updated

Postby morpheus » Mon Jun 15, 2015 11:59 am

Usage, my friend. Usage. It's all about usage.

~/Documents/Work/JTool/joker
Usage: joker [-ask] _filename_
 _filename_ should be a decrypted iOS kernelcache. Tested on ARMv7/s 3.x-9.0b1

 -m: dump UNIX Syscalls and Mach Traps
 -a: dump everything
 -k: dump kexts
 -e: kextract kext_name_shown_in_-k
 -s: dump sysctls


e.g.
Zephyr:9b morpheus$ ~/Documents/Work/JTool/joker -k kernel.9b.4S.decrypted | grep sand
0x80e50000: Seatbelt sandbox policy (com.apple.security.sandbox)
Zephyr:9b morpheus$ ~/Documents/Work/JTool/joker -e "Seatbelt sandbox policy" kernel.9b.4S.decrypted
Source Version:          3216.0.0.1.15
This is iOS 9.x, or later
Found iOS 8+ sysent table @3eb684 (Addr: 0x803ec684)
Processing kexts
Attempting to kextract Seatbelt sandbox policy
Found Seatbelt sandbox policy at load address: 80e50000, offset: e05000
Extracted Seatbelt sandbox policy


And that should work.

Incidentally, if anyone has *64-bit* dumps of the kernel (either from memory or by encryption keys), I would love one or two so as to make Joker 64-bit compatible.
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm
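
The two posts above show the same job done two ways: the 2013 build of joker printed each kext's file offset (the `Kext: ... (File: 0x3cf000) ...` line) so the bytes could be carved with dd, while the 2015 build reports the offset only when `-e` extracts a kext by name (`Found ... at load address: 80e50000, offset: e05000`). The Python below is an added example, not code from this thread or from joker/jtool: it parses both output formats, carves each kext out of a kernelcache image by file offset, and applies the same sanity check file(1) did in the first post, namely that the carved bytes start with the 32-bit little-endian Mach-O magic. The sample joker lines, the in-memory "kernelcache" and its offsets (0x1000, 0x2000) are constructed for the demo, and the rule that a kext runs from its own offset up to the next kext's offset is an assumption (the exact size would come from the Mach-O load commands), not something the thread states.

```python
import re
import struct

# 32-bit Mach-O magic (MH_MAGIC, 0xfeedface) as stored on disk for little-endian ARM.
MH_MAGIC_LE = struct.pack("<I", 0xFEEDFACE)

# 2013-style joker line, as quoted in the first post:
#   Kext: AppleMobileFileIntegrity @0x80410000 (File: 0x3cf000) (com.apple.driver.AppleMobileFileIntegrity)
OLD_STYLE = re.compile(
    r"^Kext:\s+(?P<name>.+?)\s+@0x(?P<addr>[0-9a-fA-F]+)"
    r"\s+\(File:\s+0x(?P<off>[0-9a-fA-F]+)\)\s+\((?P<bundle>[^)]+)\)"
)
# 2015-style "-e" report line, as quoted in the usage post:
#   Found Seatbelt sandbox policy at load address: 80e50000, offset: e05000
NEW_STYLE = re.compile(
    r"^Found (?P<name>.+?) at load address: (?P<addr>[0-9a-fA-F]+), offset: (?P<off>[0-9a-fA-F]+)$"
)

# Constructed sample output: the offsets 0x1000/0x2000 are for the demo only, not from the thread.
SAMPLE_JOKER_OUTPUT = """\
This is iOS 9.x, or later
Found iOS 8+ sysent table @3eb684 (Addr: 0x803ec684)
Kext: AppleMobileFileIntegrity @0x80410000 (File: 0x1000) (com.apple.driver.AppleMobileFileIntegrity)
Processing kexts
Found Seatbelt sandbox policy at load address: 80e50000, offset: 2000
"""


def parse_joker_output(text):
    """Pull (name, load address, file offset, bundle id) out of joker's output.

    Both the old "Kext:" line and the new "-e" report line are accepted; every other
    line (version banner, sysent table, progress messages) is ignored.
    """
    kexts = []
    for line in text.splitlines():
        m = OLD_STYLE.match(line.strip()) or NEW_STYLE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        kexts.append({
            "name": g["name"],
            "addr": int(g["addr"], 16),
            "off": int(g["off"], 16),
            "bundle": g.get("bundle"),  # the -e line carries no bundle id
        })
    return kexts


def carve_kexts(cache, kexts):
    """Carve each kext from its file offset, the way the dd command in the first post does.

    Assumption (not stated in the thread): kexts sit back-to-back in the kextcache, so each
    one runs from its own offset to the next kext's offset (the last one to end of file).
    A real tool would take the size from the Mach-O load commands instead of a fixed count.
    """
    ordered = sorted(kexts, key=lambda k: k["off"])
    carved = {}
    for i, k in enumerate(ordered):
        start = k["off"]
        if start >= len(cache):
            raise ValueError("offset 0x%x of %s lies past the end of the cache" % (start, k["name"]))
        end = ordered[i + 1]["off"] if i + 1 < len(ordered) else len(cache)
        blob = cache[start:end]
        carved[k["name"]] = {
            "data": blob,
            # Same check file(1) performed in the first post: a kext begins with a Mach-O header.
            "is_macho": blob[:4] == MH_MAGIC_LE,
        }
    return carved


def build_sample_cache(size=0x3000):
    """Constructed stand-in for a decrypted kernelcache: filler bytes with a Mach-O magic
    placed at each offset named in SAMPLE_JOKER_OUTPUT."""
    cache = bytearray(b"\xAA" * size)
    for off in (0x1000, 0x2000):
        cache[off:off + 4] = MH_MAGIC_LE
    return bytes(cache)


def demo():
    kexts = parse_joker_output(SAMPLE_JOKER_OUTPUT)
    carved = carve_kexts(build_sample_cache(), kexts)
    for name, info in carved.items():
        print("%-32s %6d bytes  Mach-O: %s" % (name, len(info["data"]), info["is_macho"]))
    return carved


if __name__ == "__main__":
    demo()
```

Against a real decrypted kernelcache you would feed joker's actual output into parse_joker_output and the file's bytes into carve_kexts; a kext whose carved bytes do not start with the Mach-O magic is a sign the offset came from the wrong cache or was misread, which is exactly what the `file AMFI.kext` step in the first post was guarding against.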

Re: Joker tool updated

Postby backendbilly » Mon Jun 15, 2015 3:56 pm

Thanks, that worked. I was thinking dd-style extraction with offsets and number of bytes, and not so much by name.
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: Joker tool updated

Postby backendbilly » Tue Jun 16, 2015 2:27 pm

Hi Jonathan,

Is there a Linux version of the tool?
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: Joker tool updated

Postby morpheus » Wed Jun 17, 2015 2:25 pm

Not at present. But if the public demands it, there's no real reason why there can't be one. Joker is largely derived from jtool, and the latter cross compiles neatly to Linux.
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm

Re: Joker tool updated

Postby zielenski » Mon Jul 27, 2015 7:00 pm

Thanks for supporting these great tools and awesome customer loyalty.

Does this tool support OS X kernel cache?
zielenski
 
Posts: 1
Joined: Mon Jul 27, 2015 6:52 pm

Re: Joker tool updated

Postby morpheus » Mon Jul 27, 2015 7:15 pm

You're more than welcome. And thank you - it's nice to hear a good word here and there :)

As for OS X support in Joker - not really, since in OS X all kexts are floating around anyway in /System/Library/Extensions, and Apple provides the KernelDebugKit with all the symbols. On iOS, where neither of those holds true, joker is useful.
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm
