faloresearch.blogg.se

Joker instal the last version for apple

Since 32-bit kernelcaches can be obtained in entirety, before LINKEDIT and PRELINK_INFO are removed, joker can both list as well as extract kexts (what I call 'kextract'):

Deprecated! The functionality of joker is now built-in to Jtool2 when used with -analyze on any kernelcache.

Joker is a quick and dirty iOS kernelcache handling utility I've written to assist in my reverse engineering. Apple tries their damn hardest to make reversing the kernel as hard as possible: With every release, more symbols are stripped. The kernelcache, being prelinked, requires less symbols to begin with (and tables in memory, as all LINKEDIT segments, are jettisoned). And - let's not forget - the kernelcache is encrypted. 32-bit kernelcaches can be decrypted thanks to the holy work by and others, but no 64-bit kernelcache keys exist (publicly), and the only way to "see" the kernel is by dumping it. This hasn't stopped jailbreakers in the past, and will hopefully not stop us in the future.

joker is another humble contribution I can provide to the community, and to all reversers out there. It uses the same machlib as its sibling jtool, and the two in fact can finally play well together (see below). The tool is primarily designed for iOS (naturally), but since the XNU data structures are pretty much identical, it works pretty well with some switches ( -m, -s) on the OS X kernel, as well.

With no arguments, joker will strive to explain itself:

_filename_ should be a decrypted iOS kernelcache, or kernel dump.
j: Jtool compatible output (to companion file)
Ģ.2.1 (w/64 kextraction, MIG) Stable version (and kextraction on 64-bit!)

With just a filename, it will provide you with a brief identification of the file in question, by looking at the LC_SOURCE_VERSION. It will also print the sysent table address.

Zephyr:JTool morpheus$ joker ~/Documents/iOS/9b/kernel.9b.4S.decrypted
Found iOS 8+ sysent table (Addr: 0x803ec684)