*OS Internals - The Forum

[morpheus]

The Joker tool has been updated to also provide a list of the kernel extensions packaged into the kextcache - along with their file offsets. This makes it easy to use this tool with dd. Case in point:

Code: Select all

 # Look for your kext of interest by grep(1)-ing:
morpheus@Erudite:JTool$ ./joker ~/Documents/iOS/6.1.3.kernel.iPhone4GSM | grep MobileFile
Kext: AppleMobileFileIntegrity @0x80410000 (File: 0x3cf000) (com.apple.driver.AppleMobileFileIntegrity)


Then:

Code: Select all

morpeus@Erudite:JTool$ dd if=~/Documents/iOS/6.1.3.kernel.iPhone4GSM  bs=1 skip=0x3cf000 count=100000 of=AMFI.kext
100000+0 records in
100000+0 records out
100000 bytes transferred in 0.230196 secs (434412 bytes/sec)
morpheus@Erudite:JTool$ file AMFI.kext
AMFI.kext: Mach-O kext bundle arm
morpheus@Erudite:JTool$ ./jtool -d AMFI.kext  | more
Processing AMFI.kext:
Disassembling from file offset 0xf3c, Address 0xffffffff80410f3c
-- 80410f3c     b590            PUSH  {r4,r7,lr}       
-- 80410f3e        4a08            LDR   R2, [PC, #32]     ; R2 = *(80410f60) = 0x121ca
-- 80410f40     4604            MOV   R4, R0            ; R4 = 0x0
-- 80410f42        4908            LDR   R1, [PC, #32]     ; R1 = *(80410f64) = 0x3d86
-- 80410f44     af01            ADD   R7, SP, #4        ; R7 += 4 = 4
-- 80410f46     447a            ADD   R2, PC            ; R2 += 80410f4a = 80423114
-- 80410f48     4620            MOV   R0, R4            ; R0 = 0x0
-- 80410f4a     4479            ADD   R1, PC            ; R1 += 80410f4e = 80414cd4AppleMobileFileIntegrityUserClient
.. etc , etc



This should make it very useful for people who want to reverse engineer Kexts, with or without IDA

[ralphie2001]

I'm feeling a bit stupid here, but when I download the joker tool from you website it comes down as only an x86_64 binary. How do I get an iOS build of the joker tool? Thanks.

[morpheus]

Hardly stupid! I had neglected to put an Arm version. Here's one, attached.

[backendbilly]

Hi Jonathan,

I'm using the latest joker tool to dump kext from iOS9. Using the -e option does not seem to be extracting kexts. The output looks like this:

Source Version: 3216.0.0.1.15
This is iOS 9.x, or later
Found iOS 8+ sysent table @3f2684 (Addr: 0x803f3684)
Processing kexts
Attempting to kextract 0x80735000
Got 181 kexts

Your older version outputted the file offset in the kernel but the new version does not as it tries to do it itself.

Thanks again for all your work.

[morpheus]

Usage, my friend. Usage. It's all about usage.

Code: Select all

~/Documents/Work/JTool/joker
Usage: joker [-ask] _filename_
 _filename_ should be a decrypted iOS kernelcache. Tested on ARMv7/s 3.x-9.0b1

 -m: dump UNIX Syscalls and Mach Traps
 -a: dump everything
 -k: dump kexts
 -e: kextract [b][kext_name_shown_in_-k][/b]
 -s: dump sysctls


e.g.

Code: Select all

Zephyr:9b morpheus$ ~/Documents/Work/JTool/joker -k kernel.9b.4S.decrypted | grep sand
0x80e50000: Seatbelt sandbox policy (com.apple.security.sandbox)
Zephyr:9b morpheus$ ~/Documents/Work/JTool/joker -e "Seatbelt sandbox policy" kernel.9b.4S.decrypted
Source Version:          3216.0.0.1.15
This is iOS 9.x, or later
Found iOS 8+ sysent table @3eb684 (Addr: 0x803ec684)
Processing kexts
Attempting to kextract Seatbelt sandbox policy
Found Seatbelt sandbox policy at load address: 80e50000, offset: e05000
Extracted Seatbelt sandbox policy

And that should work.

Incidentally, if anyone has *64-bit* dumps of the kernel (either from memory or by encryption keys), I would love one or two so as to make Joker 64-bit compatible.

[backendbilly]

Thanks that worked. I was thinking dd style extraction with offsets and number of bytes and not so much by name.

[backendbilly]

Hi Jonathan,

Is there a Linux version of the tool?

[morpheus]

Not at present. But if the public demands it, there's no real reason why there can't be one. Joker is largely derived from jtool, and the latter cross compiles neatly to Linux.

[zielenski]

Thanks for supporting these great tools and awesome customer loyalty.

Does this tool support OS X kernel cache?

[morpheus]

You're more than welcome. And thank you - it's nice to hear a good word here and there

As for OS X support in Joker - Not really, since in OS X all kexts are floating around anyways in /System/Library/Extensions, and Apple provides the KernelDebugKit with all the symbols. On iOS, where neither of those holds true, joker is useful.