An IDA plugin for analyzing iOS kernelcaches. This is still a work in progress.
- The goal is to support the latest kernelcaches and IDA releases, improve accuracy and the UI, and add important features.
- Because this is a major refactor (it is now an actual IDA plugin!) and the original authors no longer seem to maintain their repository, I've created this one.
- Hopefully this will gain more traction as more researchers contribute their ideas for automating the tedious reversing process.
You have three options:
- If you just want to use it as an IDA plugin, install it into your `~/.idapro/plugins` directory.
- If you wish to write scripts, you may install it as a pip package.
- If you want to contribute, see CONTRIBUTING.md.

For now it is better to install it as a pip package and then run cli.py:
```
usage: cli.py [-h] (--idb IDB | --kc KC) [--no-auto-analysis] [--enable-console-messages]

choose one of --idb or --kc

options:
  -h, --help                 show this help message and exit
  --idb IDB                  Path to IDB (*.i64)
  --kc KC                    Path to KernelCache

Optional arguments:
  --no-auto-analysis         For IDB (.i64) input files, do not auto-analyze
  --enable-console-messages
                             Enable IDA console messages (not really recommended)
```

Example:

```
python3 cli.py --idb /tmp/kernelcache.release.iPhone16.i64
```
- This repository is based upon the original toolkit created by Brandon Azad, repo.
- The original tool was written for iOS versions 10, 11 and 12 (we are currently at 18.0). While most of the libkern++ runtime hasn't changed, there have been some major changes.
- The repository was also maintained for some time by multiple employees from Cellebrite, repo.
- The commit history has been preserved.
ida_kernelcache is released under the MIT license.
- Resolve TODOs for edge cases in all of the phases
- 93 classes that are subject to multiple inheritance
- 70 virtual methods that have wrong function boundaries
- Classes that don't have a vtable ("optimized" classes)
- Vtable entries with a non-unique source