Targeting the iOS Kernel - Reverse Engineering Mac OS X

More documents

Recommendations

Info

Activating KDP on the iPhone • KDP is only activated if the boot-arg “debug“ is set • boot-args can be set with special version of redsn0w / syringe • or faked with a custom kernel • patch your kernel to get into KDP anytime (e.g. breakpoint in unused syscall) Name Value Meaning DB_HALT 0x01 Halt at boot-time and wait for debugger attach. DB_KPRT 0x08 Send kernel debugging kprintf output to serial port. ... ... Other values might work but might be complicated to use. Stefan Esser • Targeting the iOS Kernel • April 2011 • 64
Using GDB... $ /Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/gdb -arch armv7 \ kernelcache.iPod4,1_4.3.2_8H7.symbolized GNU gdb 6.3.50-20050815 (Apple version gdb-1510) (Fri Oct 22 04:12:10 UTC 2010) ... (gdb) target remote-kdp (gdb) attach 127.0.0.1 Connected. (gdb) i r r0 0x00 r1 0x11 r2 0x00 r3 0x11 r4 0x00 r5 0x8021c814 -2145269740 r6 0x00 r7 0xc5a13efc -979288324 r8 0x00 r9 0x27 39 r10 0x00 r11 0x00 r12 0x802881f4 -2144828940 sp 0xc5a13ee4 -979288348 lr 0x8006d971 -2147034767 pc 0x8006e110 -2147032816 Stefan Esser • Targeting the iOS Kernel • April 2011 • 65
Page 1 and 2:
Targeting the iOS Kernel Stefan Ess
Page 3 and 4:
Motivation • iPhone security heav
Page 5 and 6:
Part I Introduction Stefan Esser
Page 7 and 8:
Finding Vulnerabilities in the iOS
Page 9 and 10:
Interesting Kernel Bugs - OS X OS X
Page 11 and 12:
Part II The iOS Kernelcache Stefan
Page 13 and 14: Getting the iOS Kernelcache (II)
Page 15 and 16: Kernelcache is just a Mach-O Binary
Page 17 and 18: iOS Kernelcache vs. IDA • IDA can
Page 19 and 20: Helping IDA - Kernel Extensions •
Page 21 and 22: Helping IDA - findAndMarkKEXT.py St
Page 23 and 24: IOKit Driver Classes (I) • IOKit
Page 25 and 26: IOKit Object Hierarchy - Full View
Page 27 and 28: Part IV iOS Kernel Where Are your S
Page 29 and 30: Kernel Symbols - Manual Symbolizati
Page 31 and 32: Zynamic‘s BinDiff • Zynamic‘s
Page 33 and 34: Zynamic‘s BinDiff - Demo (II) Ste
Page 35 and 36: Using IOKit Class Hierarchy for Sym
Page 37 and 38: Exporting Symbols • IDA cannot ex
Page 39 and 40: iOS Kernel Attack Surface • simpl
Page 41 and 42: Finding and Marking the Syscall Tab
Page 43 and 44: Attacking through Network Protocols
Page 45 and 46: Attacking through Network Protocols
Page 47 and 48: Attacking through Devices (II) com.
Page 49 and 50: Dumping List of Sysctl Handlers mai
Page 51 and 52: Attacking from User-Land: IOKit Dri
Page 53 and 54: iOS Kernel Debugging • no support
Page 55 and 56: iPhone Dock Connector (Pin-Out) PIN
Page 57 and 58: Ingredients (I) • 470 kΩ resisto
Page 59 and 60: Ingredients (III) • FT232RL Break
Page 61 and 62: Final USB and USB Serial Cable •
Page 63: KDP over serial • KDP over serial
Page 67: Links • xpwntool - https://github
show all

Targeting the iOS Kernel - Reverse Engineering Mac OS X

Create successful ePaper yourself

Delete template?

Save as template?