I am reversing iOS firmware. Is there any way I can find the kernel binary code, which is called via IOConnectCallMethod?
-
IOConnectCallMethod is located in IOKit, and IOKit is just stub functions that call some code in the kernel. There are no libraries with kernel code; kernel code is executed in the kernel. If you want to find the code in the kernel, you need to find the IOServiceOpen function in your target malware and determine the service name; after that you need to find the externalMethod number in the IOConnectCallMethod function. And the last step: locate the needed kernel extension and externalMethod. But anyway, your question is not clear. – re_things Nov 25 '16 at 22:57
-
Thank you a lot! To be clear, my question is how to locate the needed kernel extension and externalMethod with a known number. – Alex Nov 29 '16 at 15:02
1 Answer
If we are talking about the iOS kernel, first of all you should probably know that it's encrypted. @xerub uploaded the 64-bit version keys to theiphonewiki. Also you can use his wonderful tool img4 to decrypt it.
So, let's imagine that we already have a decrypted kernelcache.release.n51 for iPhone 5s and you need to locate method 2 of the GasGauge service.
- Look at the iokit/IOKit/IOUserClient.h source from the xnu kernel:
From that we know that externalMethod is a virtual method, and moreover registerNotificationPort follows it (read: the next entry of the vtable).
- Locate the biggest vtable in the GasGauge driver and find the registerNotificationPort method in it; you need the previous entry:
- The next step is locating the table address inside the externalMethod method:
As we see here, the original parent's IOUserClient::externalMethod will be executed in any case. So, it's an additional way to find this method.
- After 24 QWORDs in the table you will see the first record:
But you should know that the implementation of the externalMethod method can be different from this in other drivers. The main thing you should know: you need to find this method, and the second argument (W1 register) is the index of the method. Another thing: there are kernel extensions like IOHID with more than one IOService object. You should determine which one is your target.

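As an added worked example (not part of the answer above, and not the GasGauge kext's own data), here is a small C parser for the dispatch table the answer locates. Per xnu's IOUserClient.h, each IOExternalMethodDispatch record in a 64-bit kernelcache is an 8-byte function pointer followed by four 32-bit check fields, 24 bytes per record, so selector N (the W1 argument to the driver's externalMethod) selects the record at byte offset 24*N. The code walks records until a function pointer leaves the kext's code range (the table has no terminator in a raw dump) and mirrors the argument check IOUserClient::externalMethod applies before calling the selected function. The sample table bytes, the addresses in it and the range constants (SAMPLE_TEXT_LO/HI, build_sample_table) are constructed for this example. To use it on a real decrypted kernelcache, pass the bytes at the table address found in the driver's externalMethod together with the kext's code range.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* IOExternalMethodDispatch as laid out in a 64-bit kernelcache (xnu, IOUserClient.h):
 * 8-byte function pointer, then four uint32_t check fields -> 24 bytes per record. */
#define DISPATCH_RECORD_SIZE 24
#define kIOUCVariableStructureSize 0xffffffffU   /* "do not check this count/size" */
#define kIOReturnSuccess           0x00000000U
#define kIOReturnBadArgument       0xe00002c2U
#define kIOReturnUnsupported       0xe00002c7U

typedef struct {
    uint64_t function;
    uint32_t checkScalarInputCount;
    uint32_t checkStructureInputSize;
    uint32_t checkScalarOutputCount;
    uint32_t checkStructureOutputSize;
} dispatch_record;

/* Little-endian accessors: the kernelcache is a raw little-endian image. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Byte offset of the record chosen by selector `sel` (W1 in the driver's externalMethod). */
size_t selector_offset(uint32_t sel) { return (size_t)sel * DISPATCH_RECORD_SIZE; }

/* Walk records until a function pointer falls outside the kext's code range [text_lo, text_hi).
 * Returns the number of records copied to `out`. */
size_t parse_dispatch_table(const uint8_t *buf, size_t len, uint64_t text_lo, uint64_t text_hi,
                            dispatch_record *out, size_t max_out) {
    size_t n = 0;
    for (size_t off = 0; off + DISPATCH_RECORD_SIZE <= len && n < max_out; off += DISPATCH_RECORD_SIZE) {
        dispatch_record r;
        r.function = rd64(buf + off);
        if (r.function < text_lo || r.function >= text_hi) break;   /* not a code pointer: table ended */
        r.checkScalarInputCount    = rd32(buf + off + 8);
        r.checkStructureInputSize  = rd32(buf + off + 12);
        r.checkScalarOutputCount   = rd32(buf + off + 16);
        r.checkStructureOutputSize = rd32(buf + off + 20);
        out[n++] = r;
    }
    return n;
}

/* The check IOUserClient::externalMethod performs on a record before calling its function:
 * each field must match the caller's counts unless it is kIOUCVariableStructureSize. */
uint32_t check_arguments(const dispatch_record *d, uint32_t scalar_in, uint32_t struct_in,
                         uint32_t scalar_out, uint32_t struct_out) {
    if (d->checkScalarInputCount    != kIOUCVariableStructureSize && d->checkScalarInputCount    != scalar_in)  return kIOReturnBadArgument;
    if (d->checkStructureInputSize  != kIOUCVariableStructureSize && d->checkStructureInputSize  != struct_in)  return kIOReturnBadArgument;
    if (d->checkScalarOutputCount   != kIOUCVariableStructureSize && d->checkScalarOutputCount   != scalar_out) return kIOReturnBadArgument;
    if (d->checkStructureOutputSize != kIOUCVariableStructureSize && d->checkStructureOutputSize != struct_out) return kIOReturnBadArgument;
    return kIOReturnSuccess;
}

/* Constructed sample (assumption, not GasGauge's real table): three records for a hypothetical
 * user client, followed by a word that is not a code pointer so the walk stops. */
#define SAMPLE_TEXT_LO 0xffffff8002a00000ULL
#define SAMPLE_TEXT_HI 0xffffff8002a10000ULL
static const uint64_t sample_funcs[3] = { 0xffffff8002a01000ULL, 0xffffff8002a01100ULL, 0xffffff8002a01200ULL };
static const uint32_t sample_checks[3][4] = {
    { 0, 0, 0, 0 },                              /* selector 0: no arguments at all            */
    { 2, kIOUCVariableStructureSize, 0, 0 },     /* selector 1: 2 scalars in, any struct in    */
    { 1, 0, 0, 8 },                              /* selector 2: 1 scalar in, 8-byte struct out */
};

size_t build_sample_table(uint8_t *buf, size_t len) {
    size_t need = 3 * DISPATCH_RECORD_SIZE + 8;
    if (len < need) return 0;
    for (int i = 0; i < 3; i++) {
        uint8_t *rec = buf + selector_offset((uint32_t)i);
        wr64(rec, sample_funcs[i]);
        for (int j = 0; j < 4; j++) wr32(rec + 8 + 4 * j, sample_checks[i][j]);
    }
    wr64(buf + 3 * DISPATCH_RECORD_SIZE, 1ULL);   /* plain integer after the table, ends the walk */
    return need;
}

/* Convenience wrappers over the sample table. */
size_t sample_record_count(void) {
    uint8_t buf[128]; dispatch_record recs[8];
    size_t len = build_sample_table(buf, sizeof buf);
    return parse_dispatch_table(buf, len, SAMPLE_TEXT_LO, SAMPLE_TEXT_HI, recs, 8);
}

uint32_t sample_check(uint32_t sel, uint32_t scalar_in, uint32_t struct_in, uint32_t scalar_out, uint32_t struct_out) {
    uint8_t buf[128]; dispatch_record recs[8];
    size_t len = build_sample_table(buf, sizeof buf);
    size_t n = parse_dispatch_table(buf, len, SAMPLE_TEXT_LO, SAMPLE_TEXT_HI, recs, 8);
    /* A selector past the table leaves dispatch NULL in the driver; the parent then falls back to the
     * legacy getTargetAndMethodForIndex path and returns kIOReturnUnsupported if that is not implemented. */
    if (sel >= n) return kIOReturnUnsupported;
    return check_arguments(&recs[sel], scalar_in, struct_in, scalar_out, struct_out);
}

int main(void) {
    uint8_t buf[128]; dispatch_record recs[8];
    size_t len = build_sample_table(buf, sizeof buf);
    size_t n = parse_dispatch_table(buf, len, SAMPLE_TEXT_LO, SAMPLE_TEXT_HI, recs, 8);
    for (size_t i = 0; i < n; i++)
        printf("selector %zu @ +0x%02zx: func=0x%llx scalar in/out=%u/%u struct in/out=%u/%u\n", i,
               selector_offset((uint32_t)i), (unsigned long long)recs[i].function,
               recs[i].checkScalarInputCount, recs[i].checkScalarOutputCount,
               recs[i].checkStructureInputSize, recs[i].checkStructureOutputSize);
    return 0;
}
```

The range check on the function pointer is what makes the walk stop in a real dump: the table sits in a data section with no terminator, so the first word that is not a pointer into the kext's code marks its end. Once the record for the wanted selector is found, its function field is the address to disassemble, and its four check fields tell you exactly what IOConnectCallMethod must pass to reach it.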