Joker Feedback

Used for discussing the various tools in the book as well as encouraging members to share tools

Re: Joker Feedback

Postby siya » Thu Jul 21, 2016 9:44 am

vega01 wrote: Hi,

I got the following when trying to dump decrypted and decompressed 32-bit kernelcache from iOS 6.0 for iPhone 5,1 (build 10A405)
./joker.universal -k
(2107.2.33.0.0)
Trying method #2
Unable to get kexts from __PRELINK_INFO.. going straight for __PRELINK_TEXT
1: built-in?(2107.2.33.0.0) at 0x355000 (8000 bytes)
2: built-in?(2107.2.33.0.0) at 0x35d000 (17000 bytes)
3: built-in?(2107.2.33.0.0) at 0x374000 (1000 bytes)
4: built-in?(2107.2.33.0.0) at 0x375000 (5000 bytes)
5: built-in?(2107.2.33.0.0) at 0x37a000 (2000 bytes)
6: built-in?(2107.2.33.0.0) at 0x37c000 (6000 bytes)
7: com.apple.driver.AppleARMPlatform(284.7.0.0.0) at 0x382000 (3a000 bytes)
8: com.apple.driver.IOSlaveProcessor(7.0.0.0.0) at 0x3bc000 (5000 bytes)
9: com.apple.driver.AppleA5AE2(43.1.0.0.0) at 0x3c1000 (5000 bytes)
10: com.apple.driver.LSKDIOKit(0.0.0.0.0) at 0x3c6000 (1d000 bytes)
11: com.apple.driver.IODARTFamily(31.0.0.0.0) at 0x3e3000 (b000 bytes)
12: com.apple.driver.AppleM2ScalerCSC(138.0.6.0.0) at 0x3ee000 (14000 bytes)
13: com.apple.driver.FairPlayIOKit(0.0.0.0.0) at 0x402000 (68000 bytes)
14: com.apple.driver.AppleVXD390(4.63.0.0.0) at 0x46a000 (27000 bytes)
15: com.apple.driver.AppleSamsungSPI(42.2.0.0.0) at 0x491000 (4000 bytes)
16: built-in?(42.2.0.0.0) at 0x495000 (1000 bytes)
17: com.apple.iokit.IOCryptoAcceleratorFamily(67.0.0.0.0) at 0x496000 (e000 bytes)
Segmentation fault: 11


joker version:
3.0b with MACF Policies and (coming soon) IOUserClients!
Compiled on Jun 20 2016


Am I doing something wrong?

Edit: I got what I wanted by using the source. Thank you for sharing the tools and knowledge!


Hi, I have a similar Segmentation fault when I run it on 32-bit kernelcache from iOS 8.3 for iPhone 5,2

./joker.universal -k kerneldump

This is a 32-bit kernel from iOS 8.x, or later (2784.20.34.0.0)
This is not a Mach-O 64-bit file. Sorry (Magic: 0xfeedface)
Unable to get symbols from SYMTAB (fine for dumps)
Found iOS 8+ sysent table @39a4a4 (Addr: 0xa0f9b4a4)
Number of kexts way too small.. Trying method #2
Unable to get kexts from __PRELINK_INFO.. going straight for __PRELINK_TEXT
1: Mach Kernel Pseudoextension (com.apple.kpi.mach) at 0x41d000 (2000 bytes)
2: Unsupported Pseudoextension (com.apple.kpi.unsupported) at 0x41f000 (3000 bytes)
3: I/O Kit Pseudoextension at 0x422000 (1a000 bytes)
4: Libkern Pseudoextension (com.apple.kpi.libkern) at 0x43c000 (9000 bytes)
5: BSD Kernel Pseudoextension (com.apple.kpi.bsd) at 0x445000 (7000 bytes)
6: com.apple.driver.AppleCredentialManager(33.10.2.0.0) at 0x44c000 (b000 bytes)
7: Private Pseudoextension (com.apple.kpi.private) at 0x457000 (6000 bytes)
8: com.apple.iokit.IOSlowAdaptiveClockingFamily(4.0.0.0.0) at 0x45d000 (4000 bytes)
9: com.apple.iokit.IOReportFamily(33.0.0.0.0) at 0x461000 (5000 bytes)
10: com.apple.driver.AppleARMPlatform(406.20.5.0.0) at 0x466000 (45000 bytes)
11: com.apple.driver.IOSlaveProcessor(8.0.0.0.0) at 0x4ab000 (4000 bytes)
12: com.apple.driver.AppleA5AE2(64.0.0.0.0) at 0x4af000 (5000 bytes)
13: com.apple.driver.LSKDIOKit(0.0.0.0.0) at 0x4b4000 (31000 bytes)
14: com.apple.iokit.IOSurface(52.8.8.0.0) at 0x4e5000 (f000 bytes)
15: com.apple.driver.IODARTFamily(58.0.0.0.0) at 0x4f4000 (d000 bytes)
16: com.apple.driver.AppleM2ScalerCSCDriver(5.6.0.0.0) at 0x501000 (2a000 bytes)
17: com.apple.driver.FairPlayIOKit(0.0.0.0.0) at 0x52b000 (63000 bytes)
18: com.apple.driver.LSKDIOKitMSE(0.0.0.0.0) at 0x58e000 (2e000 bytes)
19: com.apple.driver.AppleVXD390(5.29.0.0.0) at 0x5bc000 (23000 bytes)
20: com.apple.driver.AppleSamsungSPI(81.5.2.0.0) at 0x5df000 (4000 bytes)
21: unrecognized.or.unhandledyet.Please.Report.Me at 0x5e3000 (2000 bytes)
22: com.apple.kec.corecrypto(235.10.8.0.0) at 0x5e5000 (46000 bytes)
Segmentation fault: 11


May I know how you solved this? Thanks
siya
 
Posts: 2
Joined: Thu Jul 21, 2016 9:30 am

Re: Joker Feedback

Postby vega01 » Thu Jul 21, 2016 5:11 pm

Hi,

For now I only wanted to dump some kexts, so I read the source to understand what the program does and did it myself, just by using standard unix tools. Frankly speaking, I also wanted to know the kernelcache internals, so this wasn't a waste of time. But this method is not enough when you want the full functionality of joker or you want to dump many kexts. AFAIK you cannot fix the bug yourself, because you don't have the required machlib.

Hope this will help you in any way.
vega01
 
Posts: 19
Joined: Mon Sep 28, 2015 4:59 pm
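For readers who, like vega01, want to see what joker's "method #2" amounts to when done by hand: the following is an added example written for this page, not joker's source and not vega01's script. It parses a decrypted 32-bit (0xfeedface) kernelcache as a Mach-O, walks the LC_SEGMENT commands to find __PRELINK_TEXT, then steps through that segment page by page treating every MH_MAGIC as the start of an embedded kext. The byte count it reports is the gap to the next header (or segment end), which is how the counts in the joker output above line up (0x355000 + 0x8000 = 0x35d000). It also maps a file offset to its virtual address through the segment table, the pairing joker prints as "@39a4a4 (Addr: 0xa0f9b4a4)". The kernelcache it runs on is constructed in memory so the example is self-contained; the page alignment of kexts inside __PRELINK_TEXT is an assumption consistent with the addresses above, and all `kc_*` names are this example's own.

```c
/* Added example, not joker's code: list kexts in a 32-bit kernelcache by
 * scanning __PRELINK_TEXT for Mach-O headers (joker's "method #2").
 * Assumption: kexts are page (0x1000) aligned inside __PRELINK_TEXT. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MH_MAGIC   0xfeedfaceu   /* 32-bit Mach-O; 0xfeedfacf (64-bit) is not handled */
#define LC_SEGMENT 0x1u
#define PAGE       0x1000u

typedef struct { char name[17]; uint32_t vmaddr, off, size; } kc_seg;

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Fill *seg with the idx-th LC_SEGMENT of a 32-bit Mach-O; 0 if absent or malformed.
 * segment_command layout: cmd@0 cmdsize@4 segname@8 vmaddr@24 vmsize@28 fileoff@32 filesize@36 */
int kc_nth_segment(const uint8_t *kc, size_t len, uint32_t idx, kc_seg *seg)
{
    if (len < 28 || rd32(kc) != MH_MAGIC) return 0;
    uint32_t ncmds = rd32(kc + 16), sizeofcmds = rd32(kc + 20), seen = 0;
    if (sizeofcmds > len - 28) return 0;
    const uint8_t *lc = kc + 28, *end = lc + sizeofcmds;
    for (uint32_t i = 0; i < ncmds && lc + 8 <= end; i++) {
        uint32_t cmd = rd32(lc), cmdsize = rd32(lc + 4);
        if (cmdsize < 8 || cmdsize > (uint32_t)(end - lc)) return 0;  /* bounds check */
        if (cmd == LC_SEGMENT && cmdsize >= 56 && seen++ == idx) {
            memcpy(seg->name, lc + 8, 16); seg->name[16] = 0;
            seg->vmaddr = rd32(lc + 24); seg->off = rd32(lc + 32); seg->size = rd32(lc + 36);
            return seg->off <= len && seg->size <= len - seg->off;   /* must lie inside file */
        }
        lc += cmdsize;
    }
    return 0;
}

int kc_find_segment(const uint8_t *kc, size_t len, const char *name, kc_seg *seg)
{
    for (uint32_t i = 0; kc_nth_segment(kc, len, i, seg); i++)
        if (strcmp(seg->name, name) == 0) return 1;
    return 0;
}

/* File offset -> virtual address via the segment table; 0 if no segment maps it. */
uint32_t kc_off2addr(const uint8_t *kc, size_t len, uint32_t off)
{
    kc_seg s;
    for (uint32_t i = 0; kc_nth_segment(kc, len, i, &s); i++)
        if (off >= s.off && off < s.off + s.size) return s.vmaddr + (off - s.off);
    return 0;
}

/* Scan __PRELINK_TEXT page by page; each MH_MAGIC starts a kext. Size of a
 * kext is the gap to the next header (or the segment end). Returns count. */
size_t kc_scan_prelink(const uint8_t *kc, size_t len, uint32_t *offs, uint32_t *sizes, size_t max)
{
    kc_seg seg; size_t n = 0;
    if (!kc_find_segment(kc, len, "__PRELINK_TEXT", &seg)) return 0;
    for (uint32_t o = seg.off; o + 4 <= seg.off + seg.size && n < max; o += PAGE) {
        if (rd32(kc + o) != MH_MAGIC) continue;
        if (n) sizes[n - 1] = o - offs[n - 1];
        offs[n] = o; sizes[n] = seg.off + seg.size - o; n++;
    }
    return n;
}

/* Constructed sample kernelcache: __TEXT at file 0..0x2000 (vmaddr 0x80001000) and
 * __PRELINK_TEXT at file 0x2000..0x8000 (vmaddr 0x80003000) holding three kext headers. */
uint8_t *kc_build_sample(size_t *len_out)
{
    const uint32_t poff = 0x2000, psize = 0x6000;
    uint8_t *kc = calloc(1, poff + psize);
    if (!kc) return NULL;
    wr32(kc, MH_MAGIC); wr32(kc + 4, 12 /* CPU_TYPE_ARM */); wr32(kc + 12, 2 /* MH_EXECUTE */);
    wr32(kc + 16, 2); wr32(kc + 20, 2 * 56);
    uint8_t *lc = kc + 28;
    wr32(lc, LC_SEGMENT); wr32(lc + 4, 56); memcpy(lc + 8, "__TEXT", 6);
    wr32(lc + 24, 0x80001000u); wr32(lc + 28, poff); wr32(lc + 32, 0); wr32(lc + 36, poff);
    lc += 56;
    wr32(lc, LC_SEGMENT); wr32(lc + 4, 56); memcpy(lc + 8, "__PRELINK_TEXT", 14);
    wr32(lc + 24, 0x80003000u); wr32(lc + 28, psize); wr32(lc + 32, poff); wr32(lc + 36, psize);
    wr32(kc + poff + 0 * PAGE, MH_MAGIC);   /* kext 1 at page 0 of the segment */
    wr32(kc + poff + 2 * PAGE, MH_MAGIC);   /* kext 2 at page 2 */
    wr32(kc + poff + 5 * PAGE, MH_MAGIC);   /* kext 3 at page 5 */
    *len_out = poff + psize;
    return kc;
}

size_t kc_sample_scan(uint32_t *offs, uint32_t *sizes, size_t max)
{
    size_t len; uint8_t *kc = kc_build_sample(&len);
    size_t n = kc ? kc_scan_prelink(kc, len, offs, sizes, max) : 0;
    free(kc); return n;
}

uint32_t kc_sample_off2addr(uint32_t off)
{
    size_t len; uint8_t *kc = kc_build_sample(&len);
    uint32_t a = kc ? kc_off2addr(kc, len, off) : 0;
    free(kc); return a;
}

int main(void)
{
    uint32_t offs[64], sizes[64];
    size_t n = kc_sample_scan(offs, sizes, 64);
    for (size_t i = 0; i < n; i++)   /* same shape as joker's listing above */
        printf("%zu: kext at 0x%x (%x bytes), vmaddr 0x%08x\n",
               i + 1, offs[i], sizes[i], kc_sample_off2addr(offs[i]));
    return 0;
}
```

To run it against a real decrypted 32-bit kernelcache, read the file into a buffer and call `kc_scan_prelink` on it instead of `kc_build_sample`; the "built-in?" and "unrecognized" entries joker prints come from the kext's own Mach-O not carrying a bundle identifier this scan could read, which is exactly why joker prefers __PRELINK_INFO when it can parse it.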

Re: Joker Feedback

Postby matteyeux » Sat Jul 23, 2016 1:30 pm

Hi Jonathan,
Can you add a feature to get the magical offset of a kernelcache?
Thank you.
matteyeux
 
Posts: 15
Joined: Tue Jan 05, 2016 7:59 pm

Re: Joker Feedback

Postby in7egral » Tue Nov 15, 2016 11:22 am

version:
3.0 with MACF Policies, stub symbolication, SPLIT KEXTS, Sandbox Profiles (beta, collections only at this point) , kpp and (coming soon) IOUserClients!
Compiled on Sep  9 2016


iOS kernel version:
./partialzip http://appldnld.apple.com/ios9.3.2/031-62167-20160516-CFF6D768-13A8-11E6-A516-5BD8400DF7EB/iPhone5,1_9.3.2_13F69_Restore.ipsw kernelcache.release.n41
xpwntool kernelcache.release.n41 kernelcache.release.decrypted.n41 -iv *** -k ***


joker.universal -K com.apple.iokit.IOHIDFamily ios932_kernelcache.release.decrypted.n41
This is a 32-bit kernel from iOS 9.x, or later (3248.50.21.0.0)
Found iOS 8+ sysent table @3f1654 (Addr: 0x803f2654)
Number of kexts way too small.. Trying method #2
Unable to get kexts from __PRELINK_INFO.. going straight for __PRELINK_TEXT
Writing kext out to /tmp/com.apple.iokit.IOHIDFamily.kext
Unable to find __TEXT.__stubs in kext com.apple.iokit.IOHIDFamily. Won't symbolicate
MAC policy not found. This is fine for kernels prior to iOS 9.2, but please let J know if yours is newer
in7egral
 
Posts: 2
Joined: Sun Sep 25, 2016 8:48 am

Re: Joker Feedback

Postby Siguza » Sat Dec 24, 2016 7:46 pm

The -m flag adds (2 * adv) too much to the file offset/address of mach_trap_table when printing (i.e. that's the offset you're searching for, but the table starts two pointer lengths before that).
Siguza
Unicorn
 
Posts: 159
Joined: Thu Jan 28, 2016 10:38 am

Re: Joker Feedback

Postby Siguza » Sun Jan 15, 2017 12:10 am

"joker -K all" segfaults on the iPhone SE (n69) 10.2 kernel.
Siguza
Unicorn
 
Posts: 159
Joined: Thu Jan 28, 2016 10:38 am

Re: Joker Feedback

Postby Siguza » Sun Apr 16, 2017 4:01 pm

Still an issue with joker 3.2 and kernels from 10.3.1.
Siguza
Unicorn
 
Posts: 159
Joined: Thu Jan 28, 2016 10:38 am

Re: Joker Feedback

Postby Siguza » Tue Sep 26, 2017 10:41 pm

Hey, as of version 4 joker seems to include the entire kernel symbol table in the companion files that it produces during kextraction. Could you add a way to only include addresses that are actually from that kext, please? (Maybe a JMINIMAL env variable or so?)
Siguza
Unicorn
 
Posts: 159
Joined: Thu Jan 28, 2016 10:38 am

Re: Joker Feedback

Postby smdg » Mon Oct 02, 2017 10:05 pm

Just a minor annoyance but it is easily fixed... when using "joker -j" it creates the companion file with a name of Joker's choosing. It's no great problem at the shell prompt but I have a script that calls Joker to create the companion file and it has either to scan the directory for the new file or parse the stdout from Joker to discover the filename. Any chance we could invoke this option as "joker -j <filename>" where an optional filename can be specified for the output file?
smdg
 
Posts: 6
Joined: Mon Nov 07, 2016 3:51 am

Re: Joker Feedback

Postby morpheus » Wed Oct 04, 2017 2:00 am

I'll add both Siguza's JMINIMAL and -j filename. And also the new ARM64 kernel symbols for AMCC/RORGN and friends. Stay tuned.
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm
