iOS 15 new shared cache format.

[0cyn]

latest revision has completely changed the format of the shared cache which may end up requiring a rewrite or seperate project to tackle. Here's a spot to compile info on the topic.

[arandomdev]

Okay, I believe this was introduced in iOS 15 beta. The Dyld Shared Cache (DSC) seems to be split into separate files, i.e.

• dyld_shared_cache_arm64
• dyld_shared_cache_arm64.1
• dyld_shared_cache_arm64.2
• dyld_shared_cache_arm64.3
• dyld_shared_cache_arm64.symbols

Looking at the header of each of these, we can find out a few things.

dyld_shared_cache_arm64

dyld_shared_cache_arm64
        magic: b'dyld_v1   arm64'
        mappingOffset: 456
        mappingCount: 1
        imagesOffset: 0
        imagesCount: 0
        dyldBaseAddress: 0
        codeSignatureOffset: 1070710784
        codeSignatureSize: 8372224
        slideInfoOffsetUnused: 0
        slideInfoSizeUnused: 0
        localSymbolsOffset: 0
        localSymbolsSize: 0
        uuid: [83, 218, 0, 137, 88, 97, 52, 244, 172, 33, 253, 129, 13, 125, 99, 19]
        cacheType: 1
        branchPoolsOffset: 0
        branchPoolsCount: 0
        accelerateInfoAddr: 0
        accelerateInfoSize: 0
        imagesTextOffset: 75832
        imagesTextCount: 2352
        patchInfoAddr: 8667632592
        patchInfoSize: 1361752
        otherImageGroupAddrUnused: 0
        otherImageGroupSizeUnused: 0
        progClosuresAddr: 0
        progClosuresSize: 0
        progClosuresTrieAddr: 0
        progClosuresTrieSize: 0
        platform: 2
        formatVersion: 0
        dylibsExpectedOnDisk: 0
        simulator: 0
        locallyBuiltCache: 0
        builtFromChainedFixups: 0
        padding: 0
        sharedRegionStart: 6442450944
        sharedRegionSize: 2236121088
        maxSlide: 113328128
        dylibsImageArrayAddr: 0
        dylibsImageArraySize: 0
        dylibsTrieAddr: 8667529216
        dylibsTrieSize: 103376
        otherImageArrayAddr: 0
        otherImageArraySize: 0
        otherTrieAddr: 0
        otherTrieSize: 0
        mappingWithSlideOffset: 512
        mappingWithSlideCount: 1

dyld_shared_cache_arm64.1

dyld_shared_cache_arm64.1
        magic: b'dyld_v1   arm64'
        mappingOffset: 456
        mappingCount: 1
        imagesOffset: 0
        imagesCount: 0
        dyldBaseAddress: 0
        codeSignatureOffset: 586416128
        codeSignatureSize: 4587520
        slideInfoOffsetUnused: 0
        slideInfoSizeUnused: 0
        localSymbolsOffset: 0
        localSymbolsSize: 0
        uuid: [158, 168, 231, 25, 184, 22, 50, 47, 187, 173, 79, 221, 157, 76, 52, 209]
        cacheType: 1
        branchPoolsOffset: 0
        branchPoolsCount: 0
        accelerateInfoAddr: 0
        accelerateInfoSize: 0
        imagesTextOffset: 75832
        imagesTextCount: 2352
        patchInfoAddr: 0
        patchInfoSize: 0
        otherImageGroupAddrUnused: 0
        otherImageGroupSizeUnused: 0
        progClosuresAddr: 0
        progClosuresSize: 0
        progClosuresTrieAddr: 0
        progClosuresTrieSize: 0
        platform: 2
        formatVersion: 0
        dylibsExpectedOnDisk: 0
        simulator: 0
        locallyBuiltCache: 0
        builtFromChainedFixups: 0
        padding: 0
        sharedRegionStart: 7513161728
        sharedRegionSize: 0
        maxSlide: 0
        dylibsImageArrayAddr: 0
        dylibsImageArraySize: 0
        dylibsTrieAddr: 0
        dylibsTrieSize: 0
        otherImageArrayAddr: 0
        otherImageArraySize: 0
        otherTrieAddr: 0
        otherTrieSize: 0
        mappingWithSlideOffset: 512
        mappingWithSlideCount: 1

dyld_shared_cache_arm64.2

dyld_shared_cache_arm64.2
        magic: b'dyld_v1   arm64'
        mappingOffset: 456
        mappingCount: 4
        imagesOffset: 0
        imagesCount: 0
        dyldBaseAddress: 0
        codeSignatureOffset: 276037632
        codeSignatureSize: 2162688
        slideInfoOffsetUnused: 0
        slideInfoSizeUnused: 0
        localSymbolsOffset: 0
        localSymbolsSize: 0
        uuid: [159, 214, 128, 158, 37, 36, 55, 108, 135, 193, 111, 161, 170, 112, 69, 63]
        cacheType: 1
        branchPoolsOffset: 0
        branchPoolsCount: 0
        accelerateInfoAddr: 0
        accelerateInfoSize: 0
        imagesTextOffset: 76168
        imagesTextCount: 2352
        patchInfoAddr: 0
        patchInfoSize: 0
        otherImageGroupAddrUnused: 0
        otherImageGroupSizeUnused: 0
        progClosuresAddr: 0
        progClosuresSize: 0
        progClosuresTrieAddr: 0
        progClosuresTrieSize: 0
        platform: 2
        formatVersion: 0
        dylibsExpectedOnDisk: 0
        simulator: 0
        locallyBuiltCache: 0
        builtFromChainedFixups: 0
        padding: 0
        sharedRegionStart: 8099577856
        sharedRegionSize: 0
        maxSlide: 0
        dylibsImageArrayAddr: 0
        dylibsImageArraySize: 0
        dylibsTrieAddr: 0
        dylibsTrieSize: 0
        otherImageArrayAddr: 0
        otherImageArraySize: 0
        otherTrieAddr: 0
        otherTrieSize: 0
        mappingWithSlideOffset: 680
        mappingWithSlideCount: 4

dyld_shared_cache_arm64.3

dyld_shared_cache_arm64.3
        magic: b'dyld_v1   arm64'
        mappingOffset: 456
        mappingCount: 2
        imagesOffset: 0
        imagesCount: 0
        dyldBaseAddress: 0
        codeSignatureOffset: 202293248
        codeSignatureSize: 1589248
        slideInfoOffsetUnused: 0
        slideInfoSizeUnused: 0
        localSymbolsOffset: 0
        localSymbolsSize: 0
        uuid: [245, 34, 192, 200, 68, 6, 50, 231, 187, 94, 165, 39, 97, 46, 114, 21]
        cacheType: 1
        branchPoolsOffset: 0
        branchPoolsCount: 0
        accelerateInfoAddr: 0
        accelerateInfoSize: 0
        imagesTextOffset: 75944
        imagesTextCount: 2352
        patchInfoAddr: 0
        patchInfoSize: 0
        otherImageGroupAddrUnused: 0
        otherImageGroupSizeUnused: 0
        progClosuresAddr: 0
        progClosuresSize: 0
        progClosuresTrieAddr: 0
        progClosuresTrieSize: 0
        platform: 2
        formatVersion: 0
        dylibsExpectedOnDisk: 0
        simulator: 0
        locallyBuiltCache: 0
        builtFromChainedFixups: 0
        padding: 0
        sharedRegionStart: 8476278784
        sharedRegionSize: 0
        maxSlide: 0
        dylibsImageArrayAddr: 0
        dylibsImageArraySize: 0
        dylibsTrieAddr: 0
        dylibsTrieSize: 0
        otherImageArrayAddr: 0
        otherImageArraySize: 0
        otherTrieAddr: 0
        otherTrieSize: 0
        mappingWithSlideOffset: 568
        mappingWithSlideCount: 2

dyld_shared_cache_arm64.symbols

dyld_shared_cache_arm64.symbols
        magic: b'dyld_v1   arm64'
        mappingOffset: 456
        mappingCount: 1
        imagesOffset: 0
        imagesCount: 0
        dyldBaseAddress: 0
        codeSignatureOffset: 460079104
        codeSignatureSize: 3604480
        slideInfoOffsetUnused: 0
        slideInfoSizeUnused: 0
        localSymbolsOffset: 16384
        localSymbolsSize: 460062720
        uuid: [44, 127, 111, 44, 107, 123, 62, 64, 173, 193, 47, 206, 7, 168, 149, 236]
        cacheType: 0
        branchPoolsOffset: 0
        branchPoolsCount: 0
        accelerateInfoAddr: 0
        accelerateInfoSize: 0
        imagesTextOffset: 0
        imagesTextCount: 0
        patchInfoAddr: 0
        patchInfoSize: 0
        otherImageGroupAddrUnused: 0
        otherImageGroupSizeUnused: 0
        progClosuresAddr: 0
        progClosuresSize: 0
        progClosuresTrieAddr: 0
        progClosuresTrieSize: 0
        platform: 2
        formatVersion: 0
        dylibsExpectedOnDisk: 0
        simulator: 0
        locallyBuiltCache: 0
        builtFromChainedFixups: 0
        padding: 0
        sharedRegionStart: 0
        sharedRegionSize: 0
        maxSlide: 0
        dylibsImageArrayAddr: 0
        dylibsImageArraySize: 0
        dylibsTrieAddr: 0
        dylibsTrieSize: 0
        otherImageArrayAddr: 0
        otherImageArraySize: 0
        otherTrieAddr: 0
        otherTrieSize: 0
        mappingWithSlideOffset: 512
        mappingWithSlideCount: 1

Basically different elements are separated, for example, all the local symbols are stored in the ".symbols" file. Also by examining the dyld source code, it's likely that the mapping info (located with mappingOffset) is placed directly after the header. Currently, the size of the header is 320 bytes, but the mappingOffset is set to 456, which means that we are missing some fields in the new header.

Unfortunately, until Apple open sources their new format, It would be hard to add support for this.

[blacktop]

Got 3 new header fields so far - https://github.com/blacktop/ipsw/blob/master/hack/extras/Dyld.bt (14 more to go)

• imagesOffset and imagesCount moved to the very bottom for some reason
• numSplits added to tell you how many dsc.1, dsc.2 etc files there are

[arandomdev]

Interesting! Did you disassemble dyld to get the size of the new fields? Until the actual release of the code, I guess I can look further into it.

[blacktop]

I was going to do that eventually, I am mostly using 010 Editor to jump around and make guesses at what the fields are, if they fields made sense as uint64 or uint32 etc is a try and guess procedure right now, but it got me 3 fields so far ;) There are so MANY new fields, this seems like a pretty big change, but it is very strange that they would move imagesOffset and imagesCount to the bottom and still keep the old field around?? An associate on twitter took the linkers WWDC 2021 lab and they said the in-memory cache will always look the same, but the on-disk might change (meaning that this new format is in flux??) 🤷

[arandomdev]

As for keeping the old field around, I think it's for some cross-compatibility so that older dyld loaders could still make sense of newer caches. Like it would be better for an older loader to read the imageOffset as 0 instead of a new value meant for a different field. But given apple's method of bundling both the loader and the cache together in the IPSW file, it wouldn't make too much of a difference.

Also, it doesn't make sense that they would just move the dyld_cache_image_info structure without some reason. Maybe they did something similar to dyld_cache_mapping_info and dyld_cache_mapping_and_slide_info, where this new image info structure contains more fields.

If possible can you link the Twitter conversation or elaborate more on it?

[blacktop]

https://twitter.com/_saagarjha/status/1402345391706677259

[blacktop]

got another field: (and correct name for "numSplits"

<SNIP>
    uint32 numSubCaches;     // number of dyld_shared_cache .1,.2,.3 files
    Uuid symbolSubCacheUUID; // unique value for .symbols sub-cache
<SNIP>

[arandomdev]

Nice! how are you getting these field names?

[blacktop]

RE of dsc_extractor.bundle

There is also a comparison of subcache UUIDs at the uint32 right above the numSubCaches field, but I am confused if it is a "partial UUID?" or just an ID? but there are all the same for the dsc and the dsc.1, dsc.2 etc. but it refers to it as a UUID which needs 16bytes ??

[blacktop]

Got a few more fields, but they are kinda strange, this format feels un-finalized 🤷

[arandomdev]

It might be a beta thing. They might not adopt this format for early iOS 15 releases.

[blacktop]

I've been meaning to blog about my findings for a while, but I've realized I write english like a complete moron. In the mean time I hope this makes sense to people?

NationalSecurityAgency/ghidra#3666 (comment)

[arandomdev]

This is really helpful, I’ll see what I can do with DyldExtractor when I get the chance.

[arandomdev]

I uploaded a beta branch here. It contains all the fixes for the new format, I'm just doing a lot of bug fixes now.

[arandomdev]

iOS 15 caches are now supported with version 2.0.0!