Targeting the iOS Kernel - Reverse Engineering Mac OS X
Targeting the iOS Kernel - Reverse Engineering Mac OS X Targeting the iOS Kernel - Reverse Engineering Mac OS X
GDB and iOS KDP • GDB comming with the iOS SDK has ARM support • it also has KDP support • however it can only speak KDP over UDP • KDP over serial is not supported Stefan Esser • Targeting the iOS Kernel • April 2011 • 62
KDP over serial • KDP over serial is sending fake ethernet UDP over serial • SerialKDPProxy by David Elliott is able to act as serial/UDP proxy $ SerialKDPProxy /dev/tty.usbserial-A600exos Opening Serial Waiting for packets, pid=362 ^@AppleS5L8930XIO::start: chip-revision: C0 AppleS5L8930XIO::start: PIO Errors Enabled AppleARMPL192VIC::start: _vicBaseAddress = 0xccaf5000 AppleS5L8930XGPIOIC::start: gpioicBaseAddress: 0xc537a000 AppleARMPerformanceController::traceBufferCreate: _pcTraceBuffer: 0xcca3a000 ... AppleS5L8930XPerformanceController::start: _pcBaseAddress: 0xccb3d000 AppleARMPerformanceController configured with 1 Performance Domains AppleS5L8900XI2SController::start: i2s0 i2sBaseAddress: 0xcb3ce400 i2sVersion: 2 ... AppleS5L8930XUSBPhy::start : registers at virtual: 0xcb3d5000, physical: 0x86000000 AppleVXD375 - start (provider 0x828bca00) AppleVXD375 - compiled on Apr 4 2011 10:19:48 Stefan Esser • Targeting the iOS Kernel • April 2011 • 63
- Page 11 and 12: Part II The iOS Kernelcache Stefan
- Page 13 and 14: Getting the iOS Kernelcache (II)
- Page 15 and 16: Kernelcache is just a Mach-O Binary
- Page 17 and 18: iOS Kernelcache vs. IDA • IDA can
- Page 19 and 20: Helping IDA - Kernel Extensions •
- Page 21 and 22: Helping IDA - findAndMarkKEXT.py St
- Page 23 and 24: IOKit Driver Classes (I) • IOKit
- Page 25 and 26: IOKit Object Hierarchy - Full View
- Page 27 and 28: Part IV iOS Kernel Where Are your S
- Page 29 and 30: Kernel Symbols - Manual Symbolizati
- Page 31 and 32: Zynamic‘s BinDiff • Zynamic‘s
- Page 33 and 34: Zynamic‘s BinDiff - Demo (II) Ste
- Page 35 and 36: Using IOKit Class Hierarchy for Sym
- Page 37 and 38: Exporting Symbols • IDA cannot ex
- Page 39 and 40: iOS Kernel Attack Surface • simpl
- Page 41 and 42: Finding and Marking the Syscall Tab
- Page 43 and 44: Attacking through Network Protocols
- Page 45 and 46: Attacking through Network Protocols
- Page 47 and 48: Attacking through Devices (II) com.
- Page 49 and 50: Dumping List of Sysctl Handlers mai
- Page 51 and 52: Attacking from User-Land: IOKit Dri
- Page 53 and 54: iOS Kernel Debugging • no support
- Page 55 and 56: iPhone Dock Connector (Pin-Out) PIN
- Page 57 and 58: Ingredients (I) • 470 kΩ resisto
- Page 59 and 60: Ingredients (III) • FT232RL Break
- Page 61: Final USB and USB Serial Cable •
- Page 65 and 66: Using GDB... $ /Developer/Platforms
- Page 67: Links • xpwntool - https://github
GDB and <strong>i<strong>OS</strong></strong> KDP<br />
• GDB comming with <strong>the</strong> <strong>i<strong>OS</strong></strong> SDK has ARM support<br />
• it also has KDP support<br />
• however it can only speak KDP over UDP<br />
• KDP over serial is not supported<br />
Stefan Esser • <strong>Targeting</strong> <strong>the</strong> <strong>i<strong>OS</strong></strong> <strong>Kernel</strong> • April 2011 •<br />
62