Identifying policy kexts in iOS kernelcache

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Postby darkknight » Sun Oct 08, 2017 5:26 pm

So I used kdump and dumped the running kernel from an iOS 9.3.3 (qwertyoruiop's jailbreakme) device. I then used joker (joker -K all, which gave a segfault in v4.0b) to extract the kexts and then did a grep on the companion files in the tmp directory for mac_policy_register. This however did not return any results. Guessing this is due to some parts of the kernel being jettisoned at this point?

Also from page 48 Output 4-4, are those the only policy clients on iOS? I did this on .n66 (grep the ARM companion files for mac_policy_register) and got back a number of hits. So was just checking that I wasn't missing anything.
darkknight
 
Posts: 66
Joined: Mon Apr 18, 2016 10:49 pm

Re: Identifying policy kexts in iOS kernelcache

Postby morpheus » Tue Oct 10, 2017 8:20 pm

I'll fix that segfault. Sorry about that.

The policy clients in iOS are AMFI and Sandbox, but the symbols are resolved and prebound already, so doing jtool -S for symbols might not bring up the results expected.
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: Identifying policy kexts in iOS kernelcache

Postby darkknight » Tue Oct 10, 2017 11:44 pm

morpheus wrote: I'll fix that segfault. Sorry about that.

The policy clients in iOS are AMFI and Sandbox, but the symbols are resolved and prebound already, so doing jtool -S for symbols might not bring up the results expected.

jtool? So I am following the example on page 48 to generate Output 4-4 using joker.

Extract KEXTs:
Michaels-MacBook-Pro:amfid dark_knight$ joker.universal -K all kernelcache.release.n66
mmapped: 0x12b278000
still HERE
Feeding me a compressed kernelcache, eh? That's fine, now. I can decompress! (Type -dec _file_ if you want to save to file)!
Compressed Size: 12800032, Uncompressed: 25100288. Unknown (CRC?): 0x79bf5756, Unknown 1: 0x1
btw, KPP is at 12800469 (0xc351d5)..And I saved it for you in /tmp/kpp
Got kernel at 438
got mem 0x12beba000
mmapped: 0x12beba000


And grep for mac_policy_register:
Michaels-MacBook-Pro:amfid dark_knight$ grep mac_policy_register /tmp/*ARM*
/tmp/com.apple.AGX.kext.ARM64.6B3EA0A6-C84A-39D1-8EB3-41532A54EEED:0xfffffff0064514d8:_mac_policy_register
/tmp/com.apple.AGX.kext.ARM64.6B3EA0A6-C84A-39D1-8EB3-41532A54EEED:0xfffffff0074d8384:_mac_policy_register
/tmp/com.apple.AGXFirmwareKextG5P.kext.ARM64.CF4B2852-B9A7-3611-877C-FA23B4C30B63:0xfffffff0064514d8:_mac_policy_register
/tmp/com.apple.AGXFirmwareKextG5P.kext.ARM64.CF4B2852-B9A7-3611-877C-FA23B4C30B63:0xfffffff0074d8384:_mac_policy_register
/tmp/com.apple.IOTextEncryptionFamily.kext.ARM64.29706301-2C25-3276-BB2F-D5E951B3FA80:0xfffffff0064514d8:_mac_policy_register
/tmp/com.apple.IOTextEncryptionFamily.kext.ARM64.29706301-2C25-3276-BB2F-D5E951B3FA80:0xfffffff0074d8384:_mac_policy_register
/tmp/com.apple.audio.IOBorealisOwl.kext.ARM64.03CEFB7D-8F6D-3FF1-ACE4-26C860DAAD06:0xfffffff0064514d8:_mac_policy_register
/tmp/com.apple.audio.IOBorealisOwl.kext.ARM64.03CEFB7D-8F6D-3FF1-ACE4-26C860DAAD06:0xfffffff0074d8384:_mac_policy_register
/tmp/com.apple.driver.ASIOKit.kext.ARM64.7528C949-AD85-3E30-853E-0D721F3854CB:0xfffffff0064514d8:_mac_policy_register
/tmp/com.apple.driver.ASIOKit.kext.ARM64.7528C949-AD85-3E30-853E-0D721F3854CB:0xfffffff0074d8384:_mac_policy_register
/tmp/com.apple.driver.AppleA7IOP.kext.ARM64.CE3B67F2-8829-3BF6-9582-E1E2E1629B5:0xfffffff0064514d8:_mac_policy_register
/tmp/com.apple.driver.AppleA7IOP.kext.ARM64.CE3B67F2-8829-3BF6-9582-E1E2E1629B5:0xfffffff0074d8384:_mac_policy_register
/tmp/com.apple.driver.AppleARMPlatform.kext.ARM64.FE2BF0BF-EEE6-312B-BFCD-E304AD69CB78:0xfffffff0074d8384:_mac_policy_register
/tmp/com.apple.driver.AppleAVEH8.kext.ARM64.49A97413-890C-371B-A022-1299B2387BE:0xfffffff0064514d8:_mac_policy_register
/tmp/com.apple.driver.AppleAVEH8.kext.ARM64.49A97413-890C-371B-A022-1299B2387BE:0xfffffff0074d8384:_mac_policy_register
/tmp/com.apple.driver.AppleAuthCP.kext.ARM64.FFFB4995-1441-357C-A2F1-F863E0B71D66:0xfffffff0064514d8:_mac_policy_register
/tmp/com.apple.driver.AppleAuthCP.kext.ARM64.FFFB4995-1441-357C-A2F1-F863E0B71D66:0xfffffff0074d8384:_mac_policy_register
/tmp/com.apple.driver.AppleBSDKextStarter.kext.ARM64.EAE4856F-3089-37B8-B155-0227D50BBF92:0xfffffff0064514d8:_mac_policy_register
/tmp/com.apple.driver.AppleBSDKextStarter.kext.ARM64.EAE4856F-3089-37B8-B155-0227D50BBF92:0xfffffff0074d8384:_mac_policy_register
/tmp/com.apple.driver.AppleBasebandN71.kext.ARM64.9740314B-C7B9-3D9B-B3F7-EAEC5845D7C1:0xfffffff0064514d8:_mac_policy_register
/tmp/com.apple.driver.AppleBasebandN71.kext.ARM64.9740314B-C7B9-3D9B-B3F7-EAEC5845D7C1:0xfffffff0074d8384:_mac_policy_register
/tmp/com.apple.driver.AppleBasebandPCI.kext.ARM64.BD02C3B2-E71F-3AA3-BA0E-3D5AE62E3B83:0xfffffff0064514d8:_mac_policy_register
/tmp/com.apple.driver.AppleBasebandPCI.kext.ARM64.BD02C3B2-E71F-3AA3-BA0E-3D5AE62E3B83:0xfffffff0074d8384:_mac_policy_register
/tmp/com.apple.driver.AppleBiometricSensor.kext.ARM64.3FB49D38-89E0-3F47-886B-6FA030839CBC:0xfffffff0064514d8:_mac_policy_register
/tmp/com.apple.driver.AppleBiometricSensor.kext.ARM64.3FB49D38-89E0-3F47-886B-6FA030839CBC:0xfffffff0074d8384:_mac_policy_register
/tmp/com.apple.driver.AppleBluetooth.kext.ARM64.78F46ACA-5F65-3210-9A32-DED0B069E12:0xfffffff0064514d8:_mac_policy_register
/tmp/com.apple.driver.AppleBluetooth.kext.ARM64.78F46ACA-5F65-3210-9A32-DED0B069E12:0xfffffff0074d8384:_mac_policy_register
/tmp/com.apple.driver.AppleCS35L19Amp.kext.ARM64.B43A5E26-6382-3D26-B335-3AB1BCB85D29:0xfffffff0064514d8:_mac_policy_register
/tmp/com.apple.driver.AppleCS35L19Amp.kext.ARM64.B43A5E26-6382-3D26-B335-3AB1BCB85D29:0xfffffff0074d8384:_mac_policy_register
/tmp/com.apple.driver.AppleCSEmbeddedAudio.kext.ARM64.23107EFB-310E-35A7-943D-1947BCB2793A:0xfffffff0064514d8:_mac_policy_register
/tmp/com.apple.driver.AppleCSEmbeddedAudio.kext.ARM64.23107EFB-310E-35A7-943D-1947BCB2793A:0xfffffff0074d8384:_mac_policy_register
/tmp/com.apple.driver.AppleChestnutDisplayPMU.kext.ARM64.162FA426-51E6-301E-ACA0-23AB405B9A9:0xfffffff0064514d8:_mac_policy_register
/tmp/com.apple.driver.AppleChestnutDisplayPMU.kext.ARM64.162FA426-51E6-301E-ACA0-23AB405B9A9:0xfffffff0074d8384:_mac_policy_register


If the above is incorrect, how do you list the policy clients?
darkknight
 
Posts: 66
Joined: Mon Apr 18, 2016 10:49 pm

Re: Identifying policy kexts in iOS kernelcache

Postby morpheus » Wed Oct 18, 2017 10:00 am

The new version of joker emits all kernel symbols, hence why you see mac_policy_register. I did that because I needed to debug something and forgot about it (left it in the code I released). I'll remove that in a future version. My bad.
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm
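A way to tell kernel-wide symbol hits apart from kext-specific ones, as an added example (not joker's code and not from the thread): it parses grep-style lines of the form path:0xaddr:_symbol and flags any (address, symbol) pair that appears in every companion file as a kernel symbol copied into each file, which is exactly the pattern in the grep output above. The shortened UUIDs and the Sandbox kext's extra address are constructed placeholders.

```python
"""Separate kernel-wide symbol hits from kext-specific ones in joker companion files."""
import re
from collections import defaultdict

# Constructed sample of `grep mac_policy_register /tmp/*ARM*` output (UUIDs shortened).
# The two repeated kernel addresses mirror the real output; the third address in the
# Sandbox entry is a hypothetical kext-specific hit used to show the filter working.
SAMPLE_GREP = """\
/tmp/com.apple.AGX.kext.ARM64.AAAA:0xfffffff0064514d8:_mac_policy_register
/tmp/com.apple.AGX.kext.ARM64.AAAA:0xfffffff0074d8384:_mac_policy_register
/tmp/com.apple.driver.ASIOKit.kext.ARM64.BBBB:0xfffffff0064514d8:_mac_policy_register
/tmp/com.apple.driver.ASIOKit.kext.ARM64.BBBB:0xfffffff0074d8384:_mac_policy_register
/tmp/com.apple.security.sandbox.kext.ARM64.CCCC:0xfffffff0064514d8:_mac_policy_register
/tmp/com.apple.security.sandbox.kext.ARM64.CCCC:0xfffffff0074d8384:_mac_policy_register
/tmp/com.apple.security.sandbox.kext.ARM64.CCCC:0xfffffff006c00010:_mac_policy_register
"""

# Assumed line layout: <companion file path>:<0x address>:<symbol name>
LINE_RE = re.compile(r"^(?P<path>[^:]+):(?P<addr>0x[0-9a-fA-F]+):(?P<sym>\S+)$")


def parse_hits(text):
    """Yield (companion_path, address, symbol) for each well-formed grep line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("path"), int(m.group("addr"), 16), m.group("sym")


def split_hits(text):
    """Return (kernel_wide, kext_specific).

    An (address, symbol) pair present in every companion file is a kernel symbol
    that was emitted into each file and says nothing about that kext registering
    a MAC policy. Only pairs that fail this test are reported per kext.
    """
    files, by_pair = set(), defaultdict(set)
    for path, addr, sym in parse_hits(text):
        files.add(path)
        by_pair[(addr, sym)].add(path)
    kernel_wide = {pair for pair, seen_in in by_pair.items() if seen_in == files}
    kext_specific = defaultdict(list)
    for path, addr, sym in parse_hits(text):
        if (addr, sym) not in kernel_wide:
            kext_specific[path].append((addr, sym))
    return kernel_wide, dict(kext_specific)


if __name__ == "__main__":
    wide, specific = split_hits(SAMPLE_GREP)
    print("kernel-wide pairs:", sorted(hex(a) for a, _ in wide))
    for path, hits in specific.items():
        print(path, [hex(a) for a, _ in hits])
```

Run it against the real grep output instead of SAMPLE_GREP; with the joker build discussed above every hit lands in the kernel-wide set, which is the symptom morpheus describes.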
