Joker crashes on new kernel caches (GDB stack included)

Postby doadam » Thu Sep 08, 2016 12:00 pm

Hey,

I'm using joker on a decrypted iOS 10.x (b3+) kernel (after decompressing of course).
Everything works flawlessly except for the -k feature for the kexts. When running the tool on that kernel, it crashes after approximately a minute.

$ gdb --args joker -j . -k kernelcache.release.n71m.decrypted
GNU gdb (GDB) Fedora 7.11.1-75.fc24
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from joker...done.
(gdb) r
Starting program: ~/.local/bin/joker -j . -k kernelcache.release.n71m.decrypted
Missing separate debuginfos, use: dnf debuginfo-install glibc-2.23.1-10.fc24.x86_64
This is a 64-bit kernel from iOS 10.x (b3+), or later (3789.2.2.0.0)
Opened companion File: kernelcache.release.n71m.decrypted.ARM64.C120FABE-1159-35D3-817D-7FA832B8AE7B
Opening companion file
Found _secure_monitor at offset 0x7b0c, Addr: 0xffff7ff007083b0c
Found _start_cpu at offset 0x7018, Addr: 0xffff7ff007083018
Auto-Disassembling __TEXT_EXEC.__text from 0xfffffff00707c000 to find rest..
This may take a little while, but you only need to do this once
Disassembling from file offset 0x78000, Address 0xfffffff00707c000
GOT PE_Parse_boot_argn: 0xfffffff0074df360
GOT lck_grp_alloc_init: 0xfffffff0070ad584
GOT OSKextLog: 0xfffffff00743ef68
GOT lck_grp_init: 0xfffffff0070ad584
GOT PE_get_default: 0xfffffff0074df950
GOT __ZN9IOService15publishResourceEPKcP8OSObject: 0xfffffff007479178
GOT __ZN8OSSymbol17withCStringNoCopyEPKc: 0xfffffff00744c9fc
GOT __ZN9IOService15publishResourceEPKcP8OSObject: 0xfffffff00744c9fc
GOT __ZN9IOService15publishResourceEPKcP8OSObject: 0xfffffff007479178
GOT IOLog! 0xfffffff00745e914
ARM64 Exception Vector is at file offset @0x7b000 (Addr: 0xfffffff00707f000)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ab9fd3 in __strncpy_sse2_unaligned () from /lib64/libc.so.6
(gdb) bt
#0 0x00007ffff7ab9fd3 in __strncpy_sse2_unaligned () from /lib64/libc.so.6
#1 0x0000000000403d28 in doKexts (mmapped=0x7ffff625b000 "\317\372\355\376\f", kextractThis=0x0, method=1) at joker.c:2304
#2 0x3e676e697274732f in ?? ()
#3 0x42534f3e79656b3c in ?? ()
#4 0x6d6f43656c646e75 in ?? ()
#5 0x56656c6269746170 in ?? ()

I find the tool extremely useful (specially after Apple no longer ships encrypted kernel caches). I would be happy to see this feature working for the next kernel caches Apple releases.

Best,
Adam.
doadam
 
Posts: 3
Joined: Mon Aug 29, 2016 1:24 pm

Re: Joker crashes on new kernel caches (GDB stack included)

Postby morpheus » Thu Sep 08, 2016 3:58 pm

I can confirm the crash, but only on Linux - I'm using it on MacOS and it works really well.

BTW, you don't need that "." after the -j.

And - you can use -k later on independently. The use of '-j' is meant only once, to create the companion file. -K ... will auto-symbolicate the kexts. -k will just display the kexts, no symbolication. The core dump is because of parsing the __PRELINK_INFO, which for some reason only happens on Linux. I'll investigate and fix ASAP. In the interim, consider using the MacOS version if you have it?
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm

Re: Joker crashes on new kernel caches (GDB stack included)

Postby morpheus » Sat Sep 10, 2016 1:54 am

.. and the latest version of joker fixes this and works beautifully on Linux, even on compressed kernelcaches.

For those intrigued, the bug was not defining _GNU_SOURCE, because memmem(3) is an extension on Linux, but builtin on MacOS..
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm
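The fix morpheus describes, as an added example that is not joker's own code: `_GNU_SOURCE` is defined before the first #include so that glibc declares memmem(3), and the __PRELINK_INFO string extraction is bounded so a value that does not fit is rejected instead of being copied past the buffer (the `??` frames in the backtraces are little-endian ASCII from the plist, e.g. 0x3e676e697274732f is "/string>", consistent with plist text having been copied over the stack). The plist fragment is constructed, and `next_plist_string` / `count_bundle_ids` are names chosen here, not joker's.

```c
#define _GNU_SOURCE  /* the thread's fix: memmem(3) is a GNU extension on glibc, so this must precede every #include */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Belt and braces: with no prototype in scope, an older compiler assumes memmem()
 * returns int and truncates the 64-bit pointer that later feeds strncpy(). */
void *memmem(const void *haystack, size_t hlen, const void *needle, size_t nlen);

/* Constructed stand-in for a fragment of a kernelcache's __PRELINK_INFO plist. */
static const char sample_prelink[] =
    "<dict><key>CFBundleIdentifier</key><string>com.apple.driver.AppleARMPlatform</string>"
    "<key>CFBundleVersion</key><string>1.0.0d1</string></dict>"
    "<dict><key>CFBundleIdentifier</key><string>com.apple.iokit.IOSurface</string></dict>";

/* Copy the <string> value following <key>key</key> into out (at most outsz bytes),
 * scanning buf[*pos..len) and advancing *pos past the match. Returns the value
 * length, 0 when no further occurrence exists, or -1 for an unterminated value
 * or one that would not fit: refusing beats the unchecked copy that crashed. */
static int next_plist_string(const char *buf, size_t len, size_t *pos,
                             const char *key, char *out, size_t outsz)
{
    char tag[128];
    int n = snprintf(tag, sizeof tag, "<key>%s</key><string>", key);
    if (n < 0 || (size_t)n >= sizeof tag) return -1;
    if (*pos >= len) return 0;
    const char *hit = memmem(buf + *pos, len - *pos, tag, (size_t)n);
    if (!hit) return 0;
    const char *val = hit + n;
    const char *end = memmem(val, len - (size_t)(val - buf), "</string>", 9);
    if (!end || (size_t)(end - val) >= outsz) return -1;
    size_t vlen = (size_t)(end - val);
    memcpy(out, val, vlen);
    out[vlen] = '\0';
    *pos = (size_t)(end - buf) + 9;
    return (int)vlen;
}

/* Walk every CFBundleIdentifier with a caller-chosen buffer size; returns the
 * count, or -1 as soon as one entry is malformed or would overflow the buffer. */
static int count_bundle_ids(const char *buf, size_t len, size_t outsz)
{
    char id[256];
    size_t pos = 0;
    int count = 0, r;
    if (outsz > sizeof id) outsz = sizeof id;
    while ((r = next_plist_string(buf, len, &pos, "CFBundleIdentifier", id, outsz)) > 0)
        count++;
    return r < 0 ? -1 : count;
}
```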

Re: Joker crashes on new kernel caches (GDB stack included)

Postby doadam » Tue Sep 13, 2016 7:59 am

Thanks! I had already got a Mac by then for the process, but it's still good to know :)

EDIT: still crashes on the same file:

Reading symbols from joker...done.
(gdb) r
Starting program: /home/adamdo/.local/bin/joker --jtooldir . -k kernelcache.release.n71m.decrypted
Missing separate debuginfos, use: dnf debuginfo-install glibc-2.23.1-10.fc24.x86_64
This is a 64-bit kernel from iOS 10.x (b7+), or later (3789.2.2.0.0)
ARM64 Exception Vector is at file offset @0x7b000 (Addr: 0xfffffff00707f000)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ab9fd3 in __strncpy_sse2_unaligned () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff7ab9fd3 in __strncpy_sse2_unaligned () from /lib64/libc.so.6
#1  0x00000000004045ff in doKexts (mmapped=0x7ffff625b000 "\317\372\355\376\f", kextractThis=0x0, method=1) at joker.c:2561
#2  0x2f3c657a6953656c in ?? ()
#3  0x746e693c3e79656b in ?? ()
#4  0x7a69732072656765 in ?? ()
#5  0x303e223436223d65 in ?? ()
#6  0x692f3c3430313378 in ?? ()
#7  0x3c3e72656765746e in ?? ()
#8  0x754246433e79656b in ?? ()
#9  0x65766544656c646e in ?? ()
#10 0x52746e656d706f6c in ?? ()
#11 0x6b2f3c6e6f696765 in ?? ()
#12 0x697274733c3e7965 in ?? ()
#13 0x464552444920676e in ?? ()
#14 0x6b3c3e2f2232223d in ?? ()
#15 0x6e754246433e7965 in ?? ()
#16 0x6973726556656c64 in ?? ()
#17 0x3e79656b2f3c6e6f in ?? ()
#18 0x3e676e697274733c in ?? ()
#19 0x2f3c302e302e3631 in ?? ()
#20 0x3c3e676e69727473 in ?? ()
doadam
 
Posts: 3
Joined: Mon Aug 29, 2016 1:24 pm
