Difference between revisions of "Kernel Dumping"

(Created page with "Dumping the kernel is a method used to find offsets in the kernel, the reason this works is because since KASLR is added you have to find the new offsets for each boot, once y...")
 
Line 11: Line 11:
 
#include <sys/sysctl.h>
 
#include <sys/sysctl.h>
 
#include <mach/mach.h>
 
#include <mach/mach.h>
 
 
mach_port_t kernel_task=0;
 
mach_port_t kernel_task=0;
 
 
int main(int argc, char** argv)
 
int main(int argc, char** argv)
 
{
 
{

Revision as of 17:12, 28 March 2015

Dumping the kernel is a method used to find offsets in the kernel. It is needed because, since KASLR was added, the offsets have to be found anew on each boot. Once all of the kernel memory has been read, everything is written out with fwrite() into a .bin file; once the kernel is dumped into a file, ios-jailbreak-patchfinder can be used to find every offset needed to patch the kernel.

Code to dump the Kernel

 #include <stdio.h>
 #include <unistd.h>
 #include <CoreFoundation/CoreFoundation.h>
 #include <sys/types.h>
 #include <sys/sysctl.h>
 #include <mach/mach.h>
 /* Send right to the kernel task; filled in by task_for_pid(..., 0, ...) in main(). */
 mach_port_t kernel_task = MACH_PORT_NULL;
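 int main(int argc, char** argv)
 {
   /* Dump a fixed range of kernel memory to kernel.bin in CHUNK-byte pieces.
    * Requires a usable kernel task port (tfp0); without it task_for_pid() fails.
    * Exit status: 0 when the dump completed, 1 when the task port could not be
    * obtained or the output file could not be opened/written/closed. */
   (void)argc;
   (void)argv;

   enum { CHUNK = 2048 };
   /* Padding written for pages that cannot be read, so that the file offset of
    * every chunk stays equal to (addr - start) for the rest of the dump. */
   static const uint8_t zeros[CHUNK] = {0};

   /* Address range as hard-coded in the original listing (start, length). */
   const vm_address_t start = 0x80002000;
   const vm_address_t end = 0x80002000 + 0x1F0000;

   kern_return_t r = task_for_pid(mach_task_self(), 0, &kernel_task);
   if (r != KERN_SUCCESS)
   {
       printf("task_for_pid returned %x : missing tfp0 kernel patch or wrong entitlements\n", (unsigned)r);
       return 1;
   }

   FILE *fp = fopen("kernel.bin", "wb+");
   if (!fp)
   {
       printf("Failed to open kernel.bin\n");
       return 1;
   }

   int rc = 0;
   for (vm_address_t addr = start; addr < end; addr += CHUNK)
   {
       pointer_t buf = 0;
       unsigned int sz = 0;

       r = vm_read(kernel_task, addr, CHUNK, &buf, &sz);
       if (r != KERN_SUCCESS || buf == 0 || sz == 0)
       {
           /* The original `continue`d here without advancing addr and so looped
            * forever on the first unreadable page.  Report it, keep the file
            * layout by writing zeros, and move on to the next chunk. */
           printf("vm_read failed at 0x%lx (%x), writing zeros\n", (unsigned long)addr, (unsigned)r);
           if (fwrite(zeros, 1, CHUNK, fp) != CHUNK)
           {
               printf("Failed to write kernel.bin\n");
               rc = 1;
               break;
           }
           continue;
       }

       /* Write only the bytes actually returned (never more than CHUNK), and
        * pad a short read so the chunk still occupies CHUNK bytes in the file. */
       size_t n = sz < CHUNK ? sz : CHUNK;
       int ok = fwrite((const void *)buf, 1, n, fp) == n;
       if (ok && n < CHUNK)
           ok = fwrite(zeros, 1, CHUNK - n, fp) == CHUNK - n;

       /* vm_read() maps the data into this task's address space; the original
        * never released it and leaked one mapping per chunk. */
       vm_deallocate(mach_task_self(), buf, sz);

       if (!ok)
       {
           printf("Failed to write kernel.bin\n");
           rc = 1;
           break;
       }
   }

   /* fclose() flushes buffered output; a failure here means the dump is incomplete. */
   if (fclose(fp) != 0)
   {
       printf("Failed to close kernel.bin\n");
       rc = 1;
   }

   if (rc == 0)
       printf("Kernel dump is done\n");
   return rc;
 }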