Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

shared 2 more IDA scripts

  • Loading branch information...
commit a7ba63135534ea3e5af9cc47895c898508e64850 1 parent c3990b9
pod2g authored
View
289 idc-ios-boot-args/README
@@ -0,0 +1,289 @@
+IDA IDC script to search for all possible boot-args in an iOS kernel.
+
+Sample output:
+
+80009D8A boot-arg: debug
+80009E2A boot-arg: _panicd_ip
+80009E58 boot-arg: _router_ip
+80009E6C boot-arg: panicd_port
+80009E84 boot-arg: _panicd_corename
+80009FBA boot-arg: kdp_ip_addr
+8000B122 boot-arg: kdp_crashdump_pkt_size
+8000BD60 boot-arg: kdp_match_name
+8002320C boot-arg: fixedpriority_quantum
+8002328C boot-arg: fairshare_minblockedtime
+800239E8 boot-arg: fixedpriority_quantum
+8002D578 boot-arg: wqsize
+800601B8 boot-arg: fill
+800738C4 boot-arg: jtag
+800738FC boot-arg: wfi
+8007B660 boot-arg: slto_us
+8007B68C boot-arg: mtxspin
+8007EFF8 boot-arg: fix-parity
+80088914 boot-arg: ncl
+8008891E boot-arg: mbuf_pool
+800C61C2 boot-arg: ifa_debug
+800C97DA boot-arg: net_affinity
+800C97E6 boot-arg: net_rtref
+800C97F2 boot-arg: ifnet_debug
+80103AFA boot-arg: ifa_debug
+8010AB98 boot-arg: ifa_debug
+801134DA boot-arg: ifa_debug
+801331EC boot-arg: ifa_debug
+8013531C boot-arg: net.inet6.ip6.scopedroute
+801399EC boot-arg: ifa_debug
+8013FF1C boot-arg: ifa_debug
+801B0F70 boot-arg: mcache_flags
+801BFA9A boot-arg: mbuf_debug
+801BFB54 boot-arg: mleak_sample_factor
+801BFC38 boot-arg: initmcl
+801DAD32 boot-arg: pthtest
+801EB0BA boot-arg: kextlog
+801EB0E0 boot-arg: -x
+801EB100 boot-arg: keepsyms
+802057BA boot-arg: io
+802057D0 boot-arg: iotrace
+802239DE boot-arg: mseg
+80223DB6 boot-arg: mseg
+8022405A boot-arg: mseg
+802242FA boot-arg: mseg
+80229C1E boot-arg: dart
+8023678E boot-arg: network-type
+80236BC6 boot-arg: rd
+80236BD6 boot-arg: rootdev
+80236F74 boot-arg: boot-uuid
+802392DA boot-arg: darkwake
+802416C0 boot-arg: debug
+80241E76 boot-arg: -progress
+80242484 boot-arg: debug
+802425D4 boot-arg: dcc
+802B8BDC boot-arg: -s
+802B8BF8 boot-arg: -b
+802B8C14 boot-arg: -x
+802B8C30 boot-arg: -no64exec
+802B8C48 boot-arg: -vnode_cache_defeat
+802B8C62 boot-arg: ncl
+802B8C70 boot-arg: nbuf
+802B8C88 boot-arg: msgbuf
+802B8C9E boot-arg: -novfscache
+802BA080 boot-arg: socket_debug
+8037F754 boot-arg: usb
+8037F80C boot-arg: usb
+803989FA boot-arg: dp_async_event_fail_hard
+804374B0 boot-arg: cpus
+80438D96 boot-arg: i2c-logsize
+80438DC0 boot-arg: i2c-verbose
+8043EAC2 boot-arg: pctb
+8043FFE6 boot-arg: jtag
+80440010 boot-arg: dpsm
+8044017E boot-arg: dvc
+804401CE boot-arg: dvb
+80440228 boot-arg: dvd
+80440290 boot-arg: pdmvr
+804402CA boot-arg: pcp
+80443B90 boot-arg: wdt
+80443BBC boot-arg: serial
+80443CE6 boot-arg: -s
+80445158 boot-arg: brightness
+80446364 boot-arg: backlight-logging
+804465AE boot-arg: backlight-level
+804466DE boot-arg: brightness
+804C1740 boot-arg: dp_log_level
+804C1752 boot-arg: dp_controller_level
+804C1766 boot-arg: dp_device_level
+804C177A boot-arg: dp_service_level
+804C178E boot-arg: dp_interface_level
+804C17A2 boot-arg: dp_display_interface_level
+804C17B6 boot-arg: dp_audio_interface_level
+804C17CA boot-arg: dp_audio_driver_level
+804C17DE boot-arg: dp_controller_mask
+804C17F4 boot-arg: dp_device_mask
+804C180A boot-arg: dp_service_mask
+804C1820 boot-arg: dp_interface_mask
+804C1836 boot-arg: dp_display_interface_mask
+804C184C boot-arg: dp_audio_interface_mask
+804C1862 boot-arg: dp_audio_driver_mask
+804CDE1E boot-arg: dp_async_event_fail_hard
+804F3D80 boot-arg: dp_min_sample_rate_lpcm
+804F3D96 boot-arg: dp_max_sample_rate_lpcm
+804F3DD6 boot-arg: dp_min_sample_size_lpcm
+804F3DEC boot-arg: dp_max_sample_size_lpcm
+804F3E2C boot-arg: dp_min_channel_count_lpcm
+804F3E42 boot-arg: dp_max_channel_count_lpcm
+8050250E boot-arg: usb_dev_nmi
+8050251A boot-arg: usb_dev_reset
+8051FC1C boot-arg: debug
+8052055E boot-arg: kdp_match_name
+805207B6 boot-arg: kdp_match_name
+805207F6 boot-arg: kdp_match_mac
+80520CE0 boot-arg: debug
+80520D12 boot-arg: debug
+80522E56 boot-arg: debug
+80524D4A boot-arg: remote_nmi
+805344A6 boot-arg: wlan.debug.abort-init
+805569DA boot-arg: dcc
+805569E8 boot-arg: debug
+805569F6 boot-arg: serial
+8057A2D0 boot-arg: wlan.log.level
+8057A2F0 boot-arg: wlan.log.flags
+8057A302 boot-arg: wlan.log.timestamp
+8057A374 boot-arg: bcom.feature.flags
+8057A3E4 boot-arg: WTE
+8057A400 boot-arg: bcom.wte.thread-priority
+8057A422 boot-arg: bcom.ps.inactivity.timeout
+8057A454 boot-arg: wlan.panic.factory
+80587496 boot-arg: wlan.netmanager.stats-timer-interval
+8058CD26 boot-arg: wlan.debug.generate-mac
+8058CD5A boot-arg: wlan.panic.factory
+80598332 boot-arg: wlan.ap.channel
+805C020C boot-arg: AppleUSBPhy-debug
+805C02B2 boot-arg: hsic
+805C20D6 boot-arg: force-usb-host
+805C22AE boot-arg: AppleEmbeddedUSBArbitrator-debug
+805C9198 boot-arg: arm7m-enable-jtag
+805CCCCA boot-arg: aesdev
+805CDD72 boot-arg: shadev
+805D6BF6 boot-arg: amfi
+805D6C00 boot-arg: amfi_unrestrict_task_for_pid
+805D6C2A boot-arg: amfi_allow_any_signature
+805D6C54 boot-arg: amfi_get_out_of_my_way
+805D6C7E boot-arg: cs_enforcement_disable
+805D6C9E boot-arg: cs_debug
+806217A6 boot-arg: nand-fbbt-publish
+80624FE6 boot-arg: nand-ignore-ptab
+80625170 boot-arg: _nand-part-poison
+80625DE2 boot-arg: nand-readonly
+80627350 boot-arg: nand-readonly
+806309AA boot-arg: nand-disable-driver
+806309C0 boot-arg: nand-sleep-debug-panic
+80630AE2 boot-arg: nand-latency-us
+80630B02 boot-arg: nand-idle-timeout-ms
+80630B2E boot-arg: nand-wearlevel-timeout-ms
+80630BA0 boot-arg: nand-sftl-cache-drain
+80630D4E boot-arg: nand-read-blocks-max
+80630D70 boot-arg: nand-write-blocks-max
+80630E10 boot-arg: nand-queue-entries
+80630EE8 boot-arg: nand-reorder-defer-max
+80630F22 boot-arg: nand-reorder-defer-size-trigger
+80630F5C boot-arg: nand-reorder-read-promote-max
+80631DAA boot-arg: nand-boot-malloc
+80631DC8 boot-arg: nand-qual
+80647F28 boot-arg: nand-max-pages
+80648E7A boot-arg: nand-enable-reformat
+80648E8E boot-arg: burnin-size
+80648E9E boot-arg: nand-force-restore
+80648F0C boot-arg: ppn-clean
+80648F26 boot-arg: nand-wipe
+80648F48 boot-arg: nand-erase-install
+806490D8 boot-arg: nand-index-cache-size
+806490FA boot-arg: nand-readonly
+8064915A boot-arg: nand-set-rma
+8064916E boot-arg: nand-reset-burnin
+8069C97A boot-arg: arm7m-enable-jtag
+806B351A boot-arg: disable-usb-iap
+806C1848 boot-arg: pmu-debug
+806C1D28 boot-arg: pmu-chargetrap
+806C5FF6 boot-arg: force-usb-power
+806C6056 boot-arg: enable-acsleep
+806C6086 boot-arg: pmu-debug
+806E775C boot-arg: als_enable_debug
+80712B70 boot-arg: nand-enable-reformat
+80712D00 boot-arg: nand-index-cache-size
+80712D30 boot-arg: nand-check-vs
+80712D44 boot-arg: nand-erase
+80712D98 boot-arg: nand-wipe
+80712E1C boot-arg: nand-enable-yaftl
+80712E30 boot-arg: burnin-size
+80712E84 boot-arg: nand-force-restore
+80712E94 boot-arg: nand-whiten-metadata
+80712EDA boot-arg: nand-readonly
+80712F3A boot-arg: nand-neuralize
+80712FB6 boot-arg: nand-set-rma
+80712FCA boot-arg: nand-reset-burnin
+80735008 boot-arg: sdio.transfer.mode
+8073503A boot-arg: sdio.transfer.max-pio-blocks
+80735054 boot-arg: sdio.transfer.max-pio-size
+8073526C boot-arg: sdio.debug.abort-init
+80735294 boot-arg: sdio.log.level
+807352B4 boot-arg: sdio.log.flags
+80743818 boot-arg: sdio.clock.base-rate
+8074389E boot-arg: sdio.clock.sd-rate
+807438DC boot-arg: sdio.debug.init-delay
+807497B4 boot-arg: pmu-debug
+807497C6 boot-arg: charger-debug
+8077F48A boot-arg: disable-usb-iap
+807FABE8 boot-arg: jtag
+8084630E boot-arg: baseband-spi-sclk-period
+8085E26E boot-arg: effaceable-enable-wipe
+8085E296 boot-arg: effaceable-enable-full-scan
+80871490 boot-arg: sgx_panic_on_recovery
+8089AD2A boot-arg: nand-dump-vs-table
+8089B32A boot-arg: nand-slow-timings
+8089B596 boot-arg: nand-read-setup-clks
+8089B5A8 boot-arg: nand-read-hold-clks
+8089B5B6 boot-arg: nand-read-dccycle-clks
+8089B5C4 boot-arg: nand-write-setup-clks
+8089B5CE boot-arg: nand-write-hold-clks
+8089B874 boot-arg:
+8089BCA0 boot-arg: nand-enable-adm
+8089C696 boot-arg: iopfmi-timeout
+8089C6D8 boot-arg: nand-ppn-debug
+8089C706 boot-arg: nand-ppn-vs-debug
+8089C736 boot-arg: nand-save-rma-data
+8089CA36 boot-arg: nand-commands
+808B493E boot-arg: nand-nvram-debug
+808C5BB0 boot-arg: hsic
+808C5D32 boot-arg: AppleS5L8930XUSBArbitrator-debug
+808C9650 boot-arg: hdmi_min_sample_rate_lpcm
+808C9666 boot-arg: hdmi_max_sample_rate_lpcm
+808C96A2 boot-arg: hdmi_min_sample_size_lpcm
+808C96B8 boot-arg: hdmi_max_sample_size_lpcm
+808C96F4 boot-arg: hdmi_min_channel_count_lpcm
+808C970A boot-arg: hdmi_max_channel_count_lpcm
+808E7AC8 boot-arg: hdmi_min_sample_rate_lpcm
+808E7ADE boot-arg: hdmi_max_sample_rate_lpcm
+808E7B1A boot-arg: hdmi_min_sample_size_lpcm
+808E7B30 boot-arg: hdmi_max_sample_size_lpcm
+808E7B6C boot-arg: hdmi_min_channel_count_lpcm
+808E7B82 boot-arg: hdmi_max_channel_count_lpcm
+808E7BBE boot-arg: hdmi_protection_type
+808E7BD4 boot-arg: link_recovery_enabled
+809030FC boot-arg: als_enable_debug
+80943564 boot-arg: acc_debug
+809435D0 boot-arg: acc_debug
+8094361E boot-arg: acc_debug
+809436A6 boot-arg: acc_debug
+809437DE boot-arg: acc_debug
+8094383A boot-arg: acc_debug
+80943B20 boot-arg: acc_debug
+80943B94 boot-arg: acc_debug
+80943C0A boot-arg: acc_debug
+80943C58 boot-arg: acc_debug
+80943CAC boot-arg: acc_debug
+80943D00 boot-arg: acc_debug
+80943D58 boot-arg: acc_debug
+80943DA8 boot-arg: acc_debug
+80945778 boot-arg: acc_debug
+809457FC boot-arg: acc_debug
+80949B86 boot-arg: pio-error
+8094C792 boot-arg: arm7m-enable-jtag
+80957384 boot-arg: prox_enable_debug
+80963056 boot-arg: mt-strings
+80963074 boot-arg: mt-bytes
+8099A558 boot-arg: bcom.ps.inactivity.timeout
+8099A6EE boot-arg: bcom.clock.sd-rate
+8099A728 boot-arg: bcom.devif.tx-retries
+8099A762 boot-arg: bcom.devif.rx-retries
+8099A7A0 boot-arg: bcom.devif.fn2-block-size
+8099A7FC boot-arg: bcom.devif.transaction-log
+8099D45A boot-arg: bcom.chip.driveStrength_mA
+8099D4B0 boot-arg: bcom.chip.watermark
+809A8BA0 boot-arg: jpeg-log
+809D09D8 boot-arg: hp-detect-invert
+809D5D0C boot-arg: hp-switch-ramp
+809D5D2A boot-arg: hp-switch-force-config
+809D6A86 boot-arg: hp-pop-workaround
+80A03166 boot-arg: cameraclocks
+80A03248 boot-arg: torchcltm0
+
+~pod2g
View
21 idc-ios-boot-args/idc-ios-boot-args.idc
@@ -0,0 +1,21 @@
+// idc-ios-boot-args.idc ~pod2g 2013
+
+#include <idc.idc>
+
+static main() {
+ auto ref, i, instr, symb;
+ symb = LocByName("_PE_parse_boot_argn");
+ ref = RfirstB(symb);
+
+ while (ref != BADADDR) {
+ instr = ref;
+ for (i = 0; i < 10; i = i + 1) {
+ instr = PrevHead(instr, instr - 0x40); // up one instr
+ if (GetMnem(instr) == "LDR" && GetOpnd(instr, 0) == "R0") {
+ Message("%X boot-arg: %s\n", ref, GetString(Dword(GetOperandValue(instr, 1)), -1, 0));
+ break;
+ }
+ }
+ ref = RnextB(symb, ref);
+ }
+}
View
5 idpy-ios-kernel-fix-thumb-segments/README
@@ -0,0 +1,5 @@
+IDA Python script for iOS kernel reverse engineering:
+
+ - attempt to fix processor mode for kernel modules (Use split kext when loading the kernel)
+
+~pod2g
View
14 idpy-ios-kernel-fix-thumb-segments/idpy-ios-kernel-fix-thumb-segments.py
@@ -0,0 +1,14 @@
+# idpy-ios-kernel-fix-thumb-segments.py ~pod2g 2013
+
+from idaapi import *
+from idc import *
+
+for seg in Segments():
+ start = seg
+ if Word(start) & 0xff00 == 0xb500 and GetReg(seg, "T") == 0:
+ print "Switching from ARM to THUMB for segment: 0x%X" % seg;
+ MakeUnkn(start, 1);
+ for i in range (seg, seg + 0x40):
+ SetReg(i, "T", 1);
+ MakeCode(start);
+
Please sign in to comment.
Something went wrong with that request. Please try again.