Joker actual trap

Used for discussing the various tools in the book as well as encouraging members to share tools

Postby pzb » Sun Nov 25, 2018 9:07 pm

In trying to use Joker with BridgeOS 3.0 kernel caches, I've run into two problems.

First, when dumping Mach traps using joker/joker.universal -m 3.0-16P375/kernelcache.release.j137, it says "NOTE: Found an actual trap at #40, where kern_invalid was expected. Apple must have added a Mach trap!"

Second, when dumping sysctls, it terminates with "Segmentation fault: 11"

Is there a newer version of Joker that I'm missing or is it on ice in favor of JTool2?
pzb
 
Posts: 1
Joined: Sun Nov 25, 2018 5:21 am

Re: Joker actual trap

Postby morpheus » Mon Nov 26, 2018 3:02 pm

So, when joker tells you it's a new trap, it really is a new trap. That means that since joker was compiled (for iOS 11, BridgeOS 2.0, MacOS 13, Darwin 17), AAPL put a trap and didn't bother to document it. That's one of joker's best features - detecting new traps and sys calls.

Second - yep, it's on ice alright. jtool2 --analyze on the kernelcache does the exact same thing, and then exceeds it. joker is now a small dylib linked into tool. I get the traps, sys calls, sysctls, as well as other symbols - all without decompressing the cache, and emitting output straight to the companion file. If you find any functionality I may have missed in --analyze, just let me know.
morpheus
Site Admin
 
Posts: 716
Joined: Thu Apr 11, 2013 6:24 pm
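The detection morpheus describes (a real handler sitting in a trap slot where the reference table expects kern_invalid) can be reproduced on a constructed trap table. This is an added example, not joker's or jtool2's code: the 64-bit entry layout, the kern_invalid address, the sample table and the reference set of known-valid slots are all assumptions constructed here.

```python
import struct

# Assumed 64-bit mach_trap_t layout for this example (not taken from joker):
#   int32 arg_count, 4 bytes padding, uint64 handler pointer, uint64 munge pointer
ENTRY = struct.Struct("<i4xQQ")
TRAP_COUNT = 128
KERN_INVALID = 0xFFFFFFF007A0B000  # constructed address of kern_invalid

# Constructed reference: slots a known kernel version fills with real handlers.
KNOWN_VALID = {10, 11, 12, 26, 31}


def build_table(real_traps):
    """Build a constructed table: every slot is kern_invalid except those given
    as {index: (arg_count, handler_address)}."""
    out = bytearray()
    for idx in range(TRAP_COUNT):
        argc, fn = real_traps.get(idx, (0, KERN_INVALID))
        out += ENTRY.pack(argc, fn, 0)
    return bytes(out)


def parse_table(blob):
    """Unpack raw table bytes into (arg_count, handler, munge) tuples."""
    return [ENTRY.unpack_from(blob, i * ENTRY.size)
            for i in range(len(blob) // ENTRY.size)]


def find_undocumented_traps(blob, kern_invalid, known_valid):
    """Return (index, arg_count, handler) for every slot that holds a real
    handler although the reference list expects kern_invalid there."""
    found = []
    for idx, (argc, fn, _munge) in enumerate(parse_table(blob)):
        if fn != kern_invalid and idx not in known_valid:
            found.append((idx, argc, fn))
    return found


# Constructed sample: the known slots plus an undocumented handler at #40.
SAMPLE_TABLE = build_table({
    10: (3, 0xFFFFFFF0077F1000), 11: (3, 0xFFFFFFF0077F1100),
    12: (2, 0xFFFFFFF0077F1200), 26: (3, 0xFFFFFFF0077F1300),
    31: (7, 0xFFFFFFF0077F1400), 40: (3, 0xFFFFFFF0077F1500),
})

if __name__ == "__main__":
    for idx, argc, fn in find_undocumented_traps(SAMPLE_TABLE, KERN_INVALID, KNOWN_VALID):
        print(f"NOTE: Found an actual trap at #{idx} ({argc} args, handler {fn:#x}), "
              "where kern_invalid was expected.")
```

The same comparison, run against the table of a newer kernelcache, turns an undocumented trap addition into a concrete diff item rather than a surprise.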

