*OS Internals - The Forum

by **siya** » Thu Jul 21, 2016 9:44 am

vega01 wrote:Hi,

I got the following when trying to dump decrypted and decompressed 32-bit kernelcache from iOS 6.0 for iPhone 5,1 (build 10A405)
./joker.universal -k
Code: Select all
(2107.2.33.0.0) Trying method #2 Unable to get kexts from __PRELINK_INFO.. going straight for __PRELINK_TEXT 1: built-in?(2107.2.33.0.0) at 0x355000 (8000 bytes) 2: built-in?(2107.2.33.0.0) at 0x35d000 (17000 bytes) 3: built-in?(2107.2.33.0.0) at 0x374000 (1000 bytes) 4: built-in?(2107.2.33.0.0) at 0x375000 (5000 bytes) 5: built-in?(2107.2.33.0.0) at 0x37a000 (2000 bytes) 6: built-in?(2107.2.33.0.0) at 0x37c000 (6000 bytes) 7: com.apple.driver.AppleARMPlatform(284.7.0.0.0) at 0x382000 (3a000 bytes) 8: com.apple.driver.IOSlaveProcessor(7.0.0.0.0) at 0x3bc000 (5000 bytes) 9: com.apple.driver.AppleA5AE2(43.1.0.0.0) at 0x3c1000 (5000 bytes) 10: com.apple.driver.LSKDIOKit(0.0.0.0.0) at 0x3c6000 (1d000 bytes) 11: com.apple.driver.IODARTFamily(31.0.0.0.0) at 0x3e3000 (b000 bytes) 12: com.apple.driver.AppleM2ScalerCSC(138.0.6.0.0) at 0x3ee000 (14000 bytes) 13: com.apple.driver.FairPlayIOKit(0.0.0.0.0) at 0x402000 (68000 bytes) 14: com.apple.driver.AppleVXD390(4.63.0.0.0) at 0x46a000 (27000 bytes) 15: com.apple.driver.AppleSamsungSPI(42.2.0.0.0) at 0x491000 (4000 bytes) 16: built-in?(42.2.0.0.0) at 0x495000 (1000 bytes) 17: com.apple.iokit.IOCryptoAcceleratorFamily(67.0.0.0.0) at 0x496000 (e000 bytes) Segmentation fault: 11

joker version:
Code: Select all
3.0b with MACF Policies and (coming soon) IOUserClients! Compiled on Jun 20 2016

Am I doing something wrong?

Edit: I got what I wanted by using the source. Thank you for sharing the tools and knowledge!

Hi, I have a similar Segmentation fault when I run it on 32-bit kernelcache from iOS 8.3 for iPhone 5,2

./joker.universal -k kerneldump

This is a 32-bit kernel from iOS 8.x, or later (2784.20.34.0.0)
This is not a Mach-O 64-bit file. Sorry (Magic: 0xfeedface)
Unable to get symbols from SYMTAB (fine for dumps)
Found iOS 8+ sysent table @39a4a4 (Addr: 0xa0f9b4a4)
Number of kexts way too small.. Trying method #2
Unable to get kexts from __PRELINK_INFO.. going straight for __PRELINK_TEXT
1: Mach Kernel Pseudoextension (com.apple.kpi.mach) at 0x41d000 (2000 bytes)
2: Unsupported Pseudoextension (com.apple.kpi.unsupported) at 0x41f000 (3000 bytes)
3: I/O Kit Pseudoextension at 0x422000 (1a000 bytes)
4: Libkern Pseudoextension (com.apple.kpi.libkern) at 0x43c000 (9000 bytes)
5: BSD Kernel Pseudoextension (com.apple.kpi.bsd) at 0x445000 (7000 bytes)
6: com.apple.driver.AppleCredentialManager(33.10.2.0.0) at 0x44c000 (b000 bytes)
7: Private Pseudoextension (com.apple.kpi.private) at 0x457000 (6000 bytes)
8: com.apple.iokit.IOSlowAdaptiveClockingFamily(4.0.0.0.0) at 0x45d000 (4000 bytes)
9: com.apple.iokit.IOReportFamily(33.0.0.0.0) at 0x461000 (5000 bytes)
10: com.apple.driver.AppleARMPlatform(406.20.5.0.0) at 0x466000 (45000 bytes)
11: com.apple.driver.IOSlaveProcessor(8.0.0.0.0) at 0x4ab000 (4000 bytes)
12: com.apple.driver.AppleA5AE2(64.0.0.0.0) at 0x4af000 (5000 bytes)
13: com.apple.driver.LSKDIOKit(0.0.0.0.0) at 0x4b4000 (31000 bytes)
14: com.apple.iokit.IOSurface(52.8.8.0.0) at 0x4e5000 (f000 bytes)
15: com.apple.driver.IODARTFamily(58.0.0.0.0) at 0x4f4000 (d000 bytes)
16: com.apple.driver.AppleM2ScalerCSCDriver(5.6.0.0.0) at 0x501000 (2a000 bytes)
17: com.apple.driver.FairPlayIOKit(0.0.0.0.0) at 0x52b000 (63000 bytes)
18: com.apple.driver.LSKDIOKitMSE(0.0.0.0.0) at 0x58e000 (2e000 bytes)
19: com.apple.driver.AppleVXD390(5.29.0.0.0) at 0x5bc000 (23000 bytes)
20: com.apple.driver.AppleSamsungSPI(81.5.2.0.0) at 0x5df000 (4000 bytes)
21: unrecognized.or.unhandledyet.Please.Report.Me at 0x5e3000 (2000 bytes)
22: com.apple.kec.corecrypto(235.10.8.0.0) at 0x5e5000 (46000 bytes)
Segmentation fault: 11

may I know how do u solve this? Thanks

by **vega01** » Thu Jul 21, 2016 5:11 pm

Hi,

For now I only wanted to dump some kexts, so I read the source to understand what the program does and did it myself - just by using standard unix tools. Frankly saying I also wanted to know the kernelcache internals, so this wasn't a waste of time. But this method is not enough when you want the full functionality of joker or you want to dump many kexts. AFAIK you cannot fix the bug yourself, because you don't have the required machlib.

Hope this will help you in any way.

by **matteyeux** » Sat Jul 23, 2016 1:30 pm

Hi Jonathan,
Can you add a feature to get the magical offset of a kernelcache ?
Thank you.

by **in7egral** » Tue Nov 15, 2016 11:22 am

version:

Code: Select all: 3.0 with MACF Policies, stub symbolication, SPLIT KEXTS, Sandbox Profiles (beta, collections only at this point) , kpp and (coming soon) IOUserClients! Compiled on Sep 9 2016

iOS kernel version:

Code: Select all: ./partialzip http://appldnld.apple.com/ios9.3.2/031-62167-20160516-CFF6D768-13A8-11E6-A516-5BD8400DF7EB/iPhone5,1_9.3.2_13F69_Restore.ipsw kernelcache.release.n41 xpwntool kernelcache.release.n41 kernelcache.release.decrypted.n41 -iv *** -k ***

Code: Select all: joker.universal -K com.apple.iokit.IOHIDFamily ios932_kernelcache.release.decrypted.n41 This is a 32-bit kernel from iOS 9.x, or later (3248.50.21.0.0) Found iOS 8+ sysent table @3f1654 (Addr: 0x803f2654) Number of kexts way too small.. Trying method #2 Unable to get kexts from __PRELINK_INFO.. going straight for __PRELINK_TEXT Writing kext out to /tmp/com.apple.iokit.IOHIDFamily.kext Unable to find __TEXT.__stubs in kext com.apple.iokit.IOHIDFamily. Won't symbolicate MAC policy not found. This is fine for kernels prior to iOS 9.2, but please let J know if yours is newer

by **Siguza** » Sat Dec 24, 2016 7:46 pm

The -m flag adds (2 * adv) too much to the file offset/address of mach_trap_table when printing (i.e. that's the offset you're searching for, but the table starts two pointer lengths before that).

by **Siguza** » Sun Jan 15, 2017 12:10 am

"joker -K all" segfaults on the iPhone SE (n69) 10.2 kernel.

by **Siguza** » Sun Apr 16, 2017 4:01 pm

Still an issue with joker 3.2 and kernels from 10.3.1.

by **Siguza** » Tue Sep 26, 2017 10:41 pm

Hey, as of version 4 joker seems to include the entire kernel symbol table in the companion files that it produces during kextraction. Could you add a way to only include addresses that are actually from that kext, please? (Maybe a JMINIMAL env variable or so?)

by **smdg** » Mon Oct 02, 2017 10:05 pm

Just a minor annoyance but it is easily fixed... when using "joker -j" it creates the companion file with a name of Joker's choosing. It's no great problem at the shell prompt but I have a script that calls Joker to create the companion file and it has either to scan the directory for the new file or parse the stdout from Joker to discover the filename. Any chance we could invoke this option as "joker -j <filename>" where an optional filename can be specified for the output file?

by **morpheus** » Wed Oct 04, 2017 2:00 am

I'll add both Siguza's JMINIMAL and -j filename. And also the new ARM64 kernel symbols for AMCC/RORGN and friends. Stay tuned.

*OS Internals - The Forum

Joker Feedback

Re: Joker Feedback

Re: Joker Feedback

Re: Joker Feedback

Re: Joker Feedback

Re: Joker Feedback

Re: Joker Feedback

Re: Joker Feedback

Re: Joker Feedback

Re: Joker Feedback

Re: Joker Feedback

Who is online