
[DEV] iOS 10.2.1 #414

Closed

Derewith opened this issue Feb 7, 2017 · 6 comments

Comments


Derewith commented Feb 7, 2017

//I read the issue posting guidelines.

Hello guys, just to know..
I was looking for
allproc_offset = 0x000000 & rootvnode_offset = 0x00000;
for (iPhone 4.7 10.2.1 [14D27]).

Then I used lzssdec from xdadevtools to decrypt the kernelcache.release.n71, but I can't decompile the file using "Hopper Disassembler v4" (so I can't get the correct offsets).
(I uploaded the kernelcache.release.n71 -> here)

(bytes [0x1B7] > is this correct?)

```
./lzssdec -o 0x1B7 < kernelcache.release.n71 >kernelcache1.decrypted
xxd kernelcache1.decrypted | head -1
file kernelcache1.decrypted
```

Can anyone help me find these offsets?


Guide from match_portal

  • for >= iOS 10 unzip the ipsw and hexdump the kernel.release.* file like this:

```
$ hexdump -C kernelcache.release.n51 | head
00000000  30 83 b5 9b 0d 16 04 49  4d 34 50 16 04 6b 72 6e  |0......IM4P..krn|
00000010  6c 16 1c 4b 65 72 6e 65  6c 43 61 63 68 65 42 75  |l..KernelCacheBu|
00000020  69 6c 64 65 72 2d 31 31  36 32 2e 32 30 2e 31 04  |ilder-1162.20.1.|
00000030  83 b5 9a de 63 6f 6d 70  6c 7a 73 73 83 13 7d ae  |....complzss..}.|
00000040  01 64 80 00 00 b5 29 5e  00 00 00 01 00 00 00 00  |.d....)^........|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001b0  00 00 00 00 ff cf fa ed  fe 0c 00 00 01 d5 00 f6  |................|
000001c0  f0 02 f6 f0 14 f6 f0 38  0e 9a f3 f1 20 f6 f1 00  |.......8.... ...|
000001d0  19 ff f1 f5 f0 5f 9f 5f  54 45 58 54 09 02 1c 03  |....._._TEXT....|
```

  • note down the offset of the ff cf fa ed fe byte sequence (in this case it's 0x1b4)

  • compile lzssdec from http://nah6.com/~itsme/cvs-xdadevtools/iphone/tools/lzssdec.cpp

  • run a command like: lzssdec -o 0x1b4 < kernel.release.n51 > kernel.decompressed

  • open the decompressed kernelcache in a recent version of IDA Pro (with support for iOS kextcaches)

  • say yes when IDA asks to split by kext

  • let the auto-analysis run - depending on how fast your computer is this might take a while! (it takes my 2013 MBP about 30 minutes)

  • go view -> open subviews -> segments and find the __TEXT:HEADER segment; the start should be FFFFFFF007004000.
    If it isn't, note this down, as you'll need to work out a couple of offsets relative to this

  • go view -> open subviews -> names and find the kernproc data symbol.

  • subtract the __TEXT:HEADER value from that, this is the kernproc offset
    eg for iPhone 5S 10.1.1 kernproc is at FFFFFFF0075AE0E0 making the offset: 0x5AA0E0

  • now the harder one! We need to find allproc, which isn't exported and so is harder to find:

  • go view -> open subviews -> strings and find the string "pgrp_add : pgrp is dead adding process"

  • hit 'x' on the autogenerated string symbol name; you should see this symbol referenced from two functions

  • open the smaller of those functions in the IDA graph view

  • this is pgrp_add in the XNU source

  • scroll to the bottom of the CFG; the final three nodes all reference the same global variable with code like this:

    ```
    ADRP X8, #qword_FFFFFFF0075A8128@PAGE
    LDR X9, [X8,#qword_FFFFFFF0075A8128@PAGEOFF]
    ```

  • that's the address of allproc - subtract the kernel base to get the offset, in this case it's: 0x5A4128
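
The two mechanical parts of the guide above (reading the lzssdec offset off the hexdump, and subtracting __TEXT:HEADER from an IDA address) as an added example; this is not code from the issue, from match_portal's guide, or from the project. The big-endian adler32/size fields after the `complzss` tag are assumed to follow XNU's compressed_kernel_header, and the sample bytes are constructed, not a real kernelcache.

```python
# Added example, not code from the issue or from match_portal's guide.
import struct

COMPLZSS_TAG = b"complzss"                    # compression tag inside the IM4P wrapper
LZSS_PAYLOAD_MAGIC = b"\xff\xcf\xfa\xed\xfe"  # LZSS flag byte + little-endian 0xfeedfacf
KERNEL_BASE = 0xFFFFFFF007004000              # __TEXT:HEADER start the guide expects


def parse_complzss(data: bytes) -> dict:
    """Locate the complzss header and the compressed payload after it.

    The three big-endian u32 fields after the tag (adler32, uncompressed size,
    compressed size) follow XNU's compressed_kernel_header; that layout is an
    assumption here, so the compressed size is cross-checked against the file."""
    tag = data.find(COMPLZSS_TAG)
    if tag < 0:
        raise ValueError("no complzss tag: not an LZSS-compressed kernelcache")
    adler32, usize, csize = struct.unpack_from(">III", data, tag + len(COMPLZSS_TAG))
    payload = data.find(LZSS_PAYLOAD_MAGIC, tag)   # same search the guide does by eye
    if payload < 0 or payload + csize > len(data):
        raise ValueError("compressed Mach-O not found where the header says it is")
    return {"payload_offset": payload, "adler32": adler32,
            "uncompressed_size": usize, "compressed_size": csize}


def address_to_offset(addr: int, base: int = KERNEL_BASE) -> int:
    """kernproc/allproc offset = IDA address - __TEXT:HEADER start."""
    if addr < base:
        raise ValueError(f"{addr:#x} is below the kernel base {base:#x}")
    return addr - base


def build_sample() -> bytes:
    """Constructed stand-in for a kernelcache prefix (not a real file): the IM4P tags
    as laid out in the issue's hexdump, a complzss header with small sizes, zero
    padding, then the compressed Mach-O magic at 0x1b4 plus 11 dummy payload bytes."""
    head = bytes.fromhex("3083b59b0d1604") + b"IM4P" + bytes.fromhex("1604") + b"krnl"
    head += bytes.fromhex("161c") + b"KernelCacheBuilder-1162.20.1" + b"\x04"
    head += bytes.fromhex("83b59ade") + COMPLZSS_TAG + struct.pack(">III", 0x83137DAE, 0x40, 0x10)
    return head.ljust(0x1B4, b"\x00") + LZSS_PAYLOAD_MAGIC + b"\x0c\x00\x00\x01" + b"\xd5" * 7


if __name__ == "__main__":
    info = parse_complzss(build_sample())
    print(f"lzssdec -o {info['payload_offset']:#x} < kernelcache.release.n71 > kernel.decompressed")
    print(f"allproc offset: {address_to_offset(0xFFFFFFF0075A8128):#x}")   # 0x5a4128
```

On a real file, replace `build_sample()` with the bytes read from the kernelcache; a ValueError from the size cross-check means the header layout assumption does not hold for that file and the offset should be taken from a hexdump as in the guide.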

@Mila432
Contributor

Mila432 commented Feb 7, 2017

#64

@Derewith
Author

Derewith commented Feb 7, 2017

@GusToughSon @Mila432, I know, but if someone can give me them it will be nice.

@ghost

ghost commented Feb 8, 2017

#162

iOS 10.2.1 fixes exploits used by Yalu; you cannot add support for it.

@ghost

ghost commented Feb 11, 2017

As @lolman8776 stated, you can't use Yalu with 10.2.1, for Apple patched the exploit Yalu used.

@matteyeux

Hey @Derewith, you can use joker to decompress the kernelcache automatically.
BTW Yalu is fixed on 10.2.1+

@Derewith
Author

Thanks to @lolman8776, @TheLukeGuy, @matteyeux
