This is a quick write-up for developers who know how to use a disassembler.
You must have already decrypted and decompressed a kernelcache, and have access to a disassembler (IDA Pro, Hopper, etc.).
Kernelcache keys are available on The iPhone Wiki, and the kcache tool can decrypt and decompress your kernels in one easy command.
General Information
- Subtract 0x80001000 from all addresses you find using your disassembler. That value is the unslid base of the 32-bit kernel text, so the subtraction turns a virtual address shown by the disassembler into the corresponding file offset in the decompressed kernelcache.
- If no results appear for one of the hex strings, remove a few bytes from the end and search again. Trim only until you get a hit, and check that the shortened string still matches at exactly one place before you trust the result.
find_OSSerializer_serialize()
- Search for OSSerializer::serialize
find_OSSymbol_getMetaClass()
- Search for OSSymbol::getMetaClass
find_calend_gettime()
- Search for the hex string 90b501af82b0044601a86946fff7
find_bufattr_cpx()
- Search for _bufattr_cpx
find_clock_ops()
- Search for _clock_get_system_value
- From there, look for the ldr r1, [r0, #0x8] line
- To the right of that line, you will see something like ; 0x8001f0e5,0x80404424
- Click on the second address there (in this example, 0x80404424)
- From there, the address you want will be on the next line (in this example, 0x80404428)
find_copyin()
- Search for _copyin
find_bx_lr()
- Search for _bufattr_cpx
- From there, you will be able to see the address of bx lr
find_write_gadget()
- Search for the hex string 0c1080e51eff2fe1 (in ARM mode these eight bytes are str r1, [r0, #0xc] followed by bx lr, which is what makes the sequence a write gadget: r0 supplies the target address and r1 the value stored there)
find_vm_kernel_addrperm()
- Search for _buf_kernel_addrperm_addr
- From there, look for the ldr r1, [r1, #0x58] line
- To the right of that line, you will see something like ; 0x80456848
- Subtract 0x4 from this value, and you will get the address
find_kernel_pmap()
- Search for _kernel_pmap
find_flush_dcache()
- Search for the hex string 0000a0e35e0f07ee
find_invalidate_tlb()
- Search for the hex string 0000a0e3170f08ee4bf07ff56ff07ff51eff2f
find_task_for_pid()
- Search for the hex string f0b503af2de9000d84b0014691e8410800210391
find_setreuid()
- Search for the hex string f0b503af2de9000d87b0044602910394d1f800b04d68dff7