Kernelcache Analysis
The kernelcache contains the XNU kernel plus all of the kernel extensions. It is the binary you will reverse-engineer most often.
Obtaining the Kernelcache
From an IPSW File
```bash
# Download the IPSW
# From ipsw.me: pick the device and the iOS version
# An IPSW is a ZIP file
unzip iPhone_X_15.4_IPSW.ipsw -d ipsw_extracted/
# Kernelcache file:
ls ipsw_extracted/kernelcache.*
# → kernelcache.release.iphone10 (or similar)
```
From a Jailbroken Device
```bash
# Copy it directly
scp root@DEVICE_IP:/System/Library/Caches/com.apple.kernelcaches/kernelcache ./
# Or use img4tool on the device
```
Decompress / Decrypt
IM4P Format (iOS 10+)
```bash
# Install pyimg4
pip3 install pyimg4
# Extract the payload from the IM4P container
python3 -m pyimg4 im4p extract \
    -i kernelcache.release.iphone10 \
    -o kernelcache.macho
# Or use img4tool
img4tool -e -o kernelcache.macho kernelcache.release.iphone10
```
LZFSE Compression
```bash
# If the output is still compressed:
# Install lzfse
brew install lzfse
# Decompress
lzfse -decode -i kernelcache.compressed -o kernelcache.macho
# Verify
file kernelcache.macho
# → Mach-O 64-bit arm64e fileset
```
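Before loading the file into a disassembler it is worth checking, by magic bytes rather than by file name, which of the three states above the blob is actually in (IM4P container, LZFSE stream, or a plain Mach-O), and, for a Mach-O, whether it is an MH_FILESET and which kexts it carries. The script below is an added example written for this page; it is not part of any tool the page mentions. The Mach-O constants (MH_MAGIC_64, the MH_FILESET filetype value 0xC, LC_FILESET_ENTRY = 0x80000035 and its 32-byte command layout) are the public mach-o/loader.h definitions; the sample fileset it builds, including its entry names and addresses, is constructed in the script so it runs offline.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF
MH_FILESET = 0xC                 # filetype of a kernel collection / kernelcache fileset
LC_FILESET_ENTRY = 0x80000035    # LC_REQ_DYLD | 0x35, one per embedded kext/kernel
CPU_TYPE_ARM64 = 0x0100000C      # CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_SUBTYPE_ARM64E = 0x80000002  # arm64e with the pointer-authentication capability bit set


def detect_format(data: bytes) -> str:
    """Classify a kernelcache blob by its leading bytes."""
    # LZFSE block headers: "bvx2" (lzfse), "bvxn" (lzvn), "bvx-" (raw), "bvx$" (end)
    if data[:4] in (b"bvx2", b"bvxn", b"bvx-", b"bvx$"):
        return "lzfse"
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        return "macho64"
    # IM4P is DER: a SEQUENCE (0x30) whose first element is the IA5String "IM4P"
    if data[:1] == b"\x30" and b"IM4P" in data[:32]:
        return "im4p"
    return "unknown"


def list_fileset_entries(data: bytes):
    """Return (filetype, [(entry_name, vmaddr, fileoff), ...]) for a 64-bit Mach-O.

    Walks the load commands once; non-fileset load commands are skipped by cmdsize,
    so the function also works on a plain (non-fileset) kernelcache and returns [].
    """
    magic, _cputype, _subtype, filetype, ncmds, _sizeofcmds, _flags, _res = struct.unpack("<8I", data[:32])
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O")
    entries = []
    off = 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_FILESET_ENTRY:
            # struct fileset_entry_command: cmd, cmdsize, vmaddr, fileoff, entry_id (lc_str offset), reserved
            vmaddr, fileoff, name_off, _reserved = struct.unpack_from("<QQII", data, off + 8)
            name_start = off + name_off
            name = data[name_start:data.index(b"\0", name_start)].decode()
            entries.append((name, vmaddr, fileoff))
        off += cmdsize
    return filetype, entries


def build_sample_fileset() -> bytes:
    """Construct a minimal MH_FILESET with two entries (sample data, not a real kernelcache)."""
    names = [b"com.apple.kernel", b"com.apple.iokit.IOSurface"]
    cmds = b""
    for i, name in enumerate(names):
        body = name + b"\0"
        pad = (-(32 + len(body))) % 8            # load commands are 8-byte aligned
        cmdsize = 32 + len(body) + pad
        cmds += struct.pack("<IIQQII", LC_FILESET_ENTRY, cmdsize,
                            0xFFFFFFF007004000 + i * 0x100000,   # constructed vmaddr
                            0x4000 + i * 0x100000,               # constructed file offset
                            32, 0) + body + b"\0" * pad
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, CPU_SUBTYPE_ARM64E,
                         MH_FILESET, len(names), len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    blob = build_sample_fileset()
    print("format:", detect_format(blob))
    filetype, entries = list_fileset_entries(blob)
    print("fileset" if filetype == MH_FILESET else "single image")
    for name, vmaddr, fileoff in entries:
        print(f"  {name:<32} vmaddr=0x{vmaddr:016x} fileoff=0x{fileoff:x}")
```

On a real file, read it with `open(path, "rb").read()` and feed it to `detect_format`; only when it reports `macho64` does `list_fileset_entries` apply, and a non-zero entry list is the signal that the disassembler must be told to load all fileset entries (the "Load all entries" option in Ghidra, or IDA's fileset detection).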
Loading into IDA Pro
1. File → Open → kernelcache.macho
2. Processor type: ARM Little-endian
3. Wait for auto-analysis (15-60 minutes depending on the machine)
4. Apply symbols from the KDK:
   File → Load file → DWARF file
   → Pick kernel.release.*.dSYM from the KDK
   → Full function names + type information
5. If MH_FILESET (iOS 12+):
   IDA detects the fileset entries automatically
   → Each kext becomes a separate module
   → Navigate: View → Open subviews → Segments
Loading into Ghidra
1. File → Import File → kernelcache.macho
2. Language: AARCH64:LE:64:AppleSilicon
3. Options: select "Load all entries" for a fileset
4. Analyze: Analysis → Auto Analyze
5. Wait for analysis to complete (it can take a very long time)
Finding Important Symbols
If You Have KDK Symbols
Look them up directly by name:
- allproc
- kernel_task
- rootvnode
- pmap_image4_trust_caches
- zone_array (list of all zones)
If You Have No Symbols (Stripped Kernelcache)
Use patchfinder techniques:
1. Find strings → trace xrefs:
   "allproc" string → the function referencing it → the global variable
2. Find known instruction patterns:
   MRS X0, TPIDR_EL1 → typically in current_thread()
3. Find the syscall table:
   Search for known syscall handler addresses
   → The table structure reveals all handlers
4. Find IOKit class names:
   "__ZN" prefix → C++ mangled names
   Search "IOSurfaceRootUserClient" → class vtable
Automated Patchfinding
```bash
# Example: locating allproc
# Pattern: the function loads the address via ADRP+ADD, then walks a linked list
# Or use existing tools:
# - iBoot/kernelcache patchfinders (many open-source implementations)
# - The kernel patchfinder in the Dopamine source code
```
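The two building blocks every patchfinder above relies on are matching a fixed instruction encoding (the MRS X?, TPIDR_EL1 pattern from step 2) and resolving an ADRP+ADD pair into the absolute address of the global it refers to (the allproc pattern). The script below is an added example written for this page, not code from Dopamine or from any of the patchfinders it names. The instruction encodings are the documented ARMv8 ones (MRS Xt, TPIDR_EL1 is 0xD538D080 | Rt; ADRP and 64-bit ADD-immediate are decoded bit-field by bit-field); the code bytes it scans, the base address 0xFFFFFFF007004000 and the target addresses are constructed inside the script so it runs offline, and the negative-page case is included because ADRP's 21-bit immediate is signed.

```python
import struct

MRS_TPIDR_EL1 = 0xD538D080       # MRS Xt, TPIDR_EL1 with Rt = 0; low 5 bits select the register
RET = 0xD65F03C0


def u32(code: bytes, off: int) -> int:
    return struct.unpack_from("<I", code, off)[0]


def find_mrs_tpidr_el1(code: bytes):
    """Return (offset, Rt) for every MRS Xt, TPIDR_EL1 in a 4-byte-aligned code blob."""
    hits = []
    for off in range(0, len(code) - 3, 4):
        insn = u32(code, off)
        if insn & 0xFFFFFFE0 == MRS_TPIDR_EL1:
            hits.append((off, insn & 0x1F))
    return hits


def decode_adrp(insn: int, pc: int):
    """ADRP Xd, page: bit31=1, immlo bits 29-30, 10000 in bits 24-28, immhi bits 5-23, Rd bits 0-4."""
    if insn & 0x9F000000 != 0x90000000:
        return None
    immlo = (insn >> 29) & 0x3
    immhi = (insn >> 5) & 0x7FFFF
    imm = (immhi << 2) | immlo          # 21-bit signed page delta
    if imm & (1 << 20):
        imm -= 1 << 21
    page = ((pc & ~0xFFF) + (imm << 12)) & 0xFFFFFFFFFFFFFFFF
    return page, insn & 0x1F


def decode_add_imm(insn: int):
    """64-bit ADD Xd, Xn, #imm12 {, LSL #12}: top 9 bits 1001 0001 0, sh bit 22, imm12 bits 10-21."""
    if insn & 0xFF800000 != 0x91000000:
        return None
    sh = (insn >> 22) & 1
    imm12 = (insn >> 10) & 0xFFF
    return (imm12 << 12) if sh else imm12, (insn >> 5) & 0x1F, insn & 0x1F


def resolve_adrp_add(code: bytes, base: int):
    """Find ADRP Xn / ADD Xd, Xn, #imm pairs; return (offset, absolute_address, Xd) for each."""
    results = []
    for off in range(0, len(code) - 7, 4):
        adrp = decode_adrp(u32(code, off), base + off)
        if adrp is None:
            continue
        page, rd = adrp
        add = decode_add_imm(u32(code, off + 4))
        if add is None or add[1] != rd:     # ADD must consume the ADRP's destination register
            continue
        results.append((off, page + add[0], add[2]))
    return results


# --- encoders used only to construct the sample code blob below ---
def enc_adrp(rd: int, pc: int, target: int) -> int:
    delta = ((target & ~0xFFF) - (pc & ~0xFFF)) >> 12
    imm = delta & 0x1FFFFF
    return 0x90000000 | ((imm & 3) << 29) | ((imm >> 2) << 5) | rd


def enc_add_imm(rd: int, rn: int, imm12: int) -> int:
    return 0x91000000 | (imm12 << 10) | (rn << 5) | rd


# Constructed sample: a kernel-style base and two globals, one above and one below the code page.
SAMPLE_BASE = 0xFFFFFFF007004000
SAMPLE_ALLPROC = 0xFFFFFFF0070A07D0     # constructed stand-in for allproc
SAMPLE_LOW = 0xFFFFFFF007001230         # constructed, exercises the negative ADRP delta
SAMPLE_CODE = struct.pack(
    "<7I",
    enc_adrp(8, SAMPLE_BASE + 0, SAMPLE_ALLPROC),   # ADRP X8, allproc@PAGE
    enc_add_imm(8, 8, 0x7D0),                       # ADD  X8, X8, allproc@PAGEOFF
    MRS_TPIDR_EL1 | 0,                              # MRS  X0, TPIDR_EL1
    enc_adrp(9, SAMPLE_BASE + 12, SAMPLE_LOW),      # ADRP X9, low@PAGE
    enc_add_imm(9, 9, 0x230),                       # ADD  X9, X9, low@PAGEOFF
    MRS_TPIDR_EL1 | 1,                              # MRS  X1, TPIDR_EL1
    RET,
)

if __name__ == "__main__":
    for off, rt in find_mrs_tpidr_el1(SAMPLE_CODE):
        print(f"+0x{off:x}: MRS X{rt}, TPIDR_EL1")
    for off, addr, rd in resolve_adrp_add(SAMPLE_CODE, SAMPLE_BASE):
        print(f"+0x{off:x}: X{rd} = 0x{addr:016x}")
```

Against a real kernelcache you would slice the __TEXT_EXEC segment bytes out of the Mach-O and pass its vmaddr as `base`; the offsets the scanners return are then file-relative, and `base + off` is the virtual address to jump to in IDA or Ghidra. The ADD check on the register is what keeps unrelated ADRP/ADD neighbours from being paired.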
Binary Diffing Workflow
1. Download 2 IPSW files (e.g., iOS 16.5 and 16.5.1)
2. Extract + decompress both kernelcaches
3. Load them into IDA → create 2 IDB files
4. Compare with Diaphora/BinDiff:
   - "Changed" functions → security patches
   - "Added" functions → new features/mitigations
   - "Removed" functions → deprecated code
5. Focus on "Changed" → read the diff → identify the vulnerability that was fixed
6. Research: the old version has the bug → potential exploit target