ghidra_kernelcache
ghidra_kernelcache copied to clipboard
0x36
iOS 14b3 research kernelcache
On about 6-7 kexts one for example is IOHIDEventDummyService and IOACIPCFamily. It totally trashes all the psuedocode output with Low-level error: Size too small for fields of structure IOExternalMethodArguments.
Did you run it from KC.py or from python command line ? it seems like IOExternalMethodArguments is empty, please use KC.py instead, it will automatically define all the necessary data structures before symbolicating the kernelcache.
I had no choice but to run it from python command line as the script fails plus it seems that it is also a iometa issue as doing -Csov instead of -n -A reverts the issue but let give you the output log of what happens when i use KC.py
[+] Processing ApplePPMPolicyCPMSPowerServoLowerLayerCEs class with vtab=0xfffffff007876ad0
Traceback (most recent call last):
File "/Users/bootywarrior/Downloads/ghidra_kernelcache-master 4/KC.py", line 40, in
Better yet im going to reload the kernelcache fresh and then run this script to see
With some of them just looking at the script process some kexts it still does it to and thats clicking the play button in script manager for KC.py
" [+] Processing IOSlaveEndpoint class with vtab=0xfffffff0077b78f0 [+] Processing AppleUSBAudioEngine class with vtab=0xfffffff00790a498
Low-level Error: Size too small for fields of structure IOExternalMethodArguments [+] Processing IOTimeSyncEthernetLegacyInterfaceAdapter class with vtab=0xfffffff0078c60b8 [+] Processing AppleSmartIOEndpoint class with vtab=0xfffffff007831598 [+] Processing IOAccessoryPowerSourceItemBehavior class with vtab=0xfffffff0077f57c0 [+] Processing IODARTMapperNub class with vtab=0xfffffff00784c910 [+] Processing ApplePPMBatteryPowerMeasurement class with vtab=0xfffffff0078769b8 [+] Processing AppleUSBXHCI class with vtab=0xfffffff00788a3f0 [+] Processing AppleAPFSMedia class with vtab=0xfffffff00796de00 [+] Processing IOTimeSyncTimedEdgeGenerator class with vtab=0xfffffff007772578 [+] Processing IOPCI2PCIBridge class with vtab=0xfffffff007777e80 [+] Processing AppleHIDTransportProtocolZ2 class with vtab=0xfffffff0078248d8 [+] Processing CCIOReporterLogStream class with vtab=0xfffffff0077e8a10 [+] Processing IOUserIterator class with vtab=0xfffffff007724a68 [+] Processing AppleT8101SPMIController class with vtab=0xfffffff00794ae18 [+] Processing AppleSPUBasebandDriver class with vtab=0xfffffff0077d3030 [+] Processing IOGPUNamespace class with vtab=0xfffffff007982f08 [+] Processing IosaTiledCompressedMemMSR8 class with vtab=0xfffffff00787a858 [+] Processing IosaTiledCompressedMemMSR7 class with vtab=0xfffffff007887b88 [+] Processing AppleBCMWLANSkywalkRxSubmissionQueue class with vtab=0xfffffff0079bd2c8 [+] Processing IOHIDEventService class with vtab=0xfffffff0077b1fb8 [+] Processing IOUserNotification class with vtab=0xfffffff007724bb0 [+] Processing IOTimeSyncUnicastUDPv4PtPPort class with vtab=0xfffffff0078bc7e8 [+] Processing AppleSPUVisibleMemory class with vtab=0xfffffff00792c5f8 [+] Processing IOAVAudioDriver class with vtab=0xfffffff0078f7db8
Low-level Error: Size too small for fields of structure IOExternalMethodArguments [+] Processing AppleUSBAudioIsocPipe class with vtab=0xfffffff00790a378 [+] Processing IOSlowAdaptiveClockingManager class with vtab=0xfffffff007791c88 [+] Processing IO80211ServiceRequestDescriptor class with vtab=0xfffffff0078acc58 [+] Processing AppleOnboardSerialSync class with vtab=0xfffffff0077f2790 [+] Processing com_apple_driver_KeyDeliveryIOKitMSE class with vtab=0xfffffff0079e4d08 [+] Processing MCDataStreamInfoObject class with vtab=0xfffffff0077a8db0 [+] Processing IO80211AsyncUserClientParameters class with vtab=0xfffffff0078b2e10 [+] Processing AppleBCMWLANTxPowerManager class with vtab=0xfffffff0079c8fa8 [+] Processing IOAVInterface class with vtab=0xfffffff0078f6e48 [+] Processing DIDeviceIOUserClient class with vtab=0xfffffff0079fe298 [+] Processing IOWatchdogUserClient class with vtab=0xfffffff007980140 [+] Processing AppleBTMPMUAgent class with vtab=0xfffffff0079dff98 [+] Processing IosaRdmaControlMSR6 class with vtab=0xfffffff0078789a8 [+] Processing IosaRdmaControlMSR8 class with vtab=0xfffffff007879160 [+] Processing IOModemSerialStreamSync class with vtab=0xfffffff0077f0df0 [+] Processing AppleUSB30GLHub class with vtab=0xfffffff0078936e8 [+] Processing AppleMCA2Switch_TxCfg class with vtab=0xfffffff0079776d0 [+] Processing IOAVAbstractVideoInterface class with vtab=0xfffffff0078f4798 [+] Processing AGXCommandDescriptor class with vtab=0xfffffff00798a7e8 [+] Processing AppleMCA2Switch_ClockGenSel class with vtab=0xfffffff007976d28 [+] Processing AppleSPUGpioUnplugDriver class with vtab=0xfffffff0077d3610 [+] Processing IOAESAcceleratorCommand class with vtab=0xfffffff0077c80f8 [+] Processing IOSkywalkPacketBufferPool class with vtab=0xfffffff0077849d0
Low-level Error: PTRSUB with non-zero offset into array type [+] Processing AppleUSBTopCaseHIDDriver class with vtab=0xfffffff00792d070 [+] Processing AppleConvergedIPCBBControl class with vtab=0xfffffff00778bec8 [+] Processing AppleS5L8920XFPWM class with vtab=0xfffffff0077e4948 [+] Processing IOCECUserClient class with vtab=0xfffffff0078f1be8 [+] Processing UnifiedPipeline class with vtab=0xfffffff0079f8b98
Low-level Error: Size too small for fields of structure IOExternalMethodArguments [+] Processing AppleSimpleAsyncEventSource class with vtab=0xfffffff007999cb8 [+] Processing IOEthernetController class with vtab=0xfffffff00776c018 [+] Processing AppleConvergedIPCICEBBRTIInterface class with vtab=0xfffffff00778d8f8 [+] Processing AppleWirelessPowerPacket class with vtab=0xfffffff0078ea2a8 [+] Processing AppleUSBECMDataNC class with vtab=0xfffffff00796a1a0 [+] Processing AppleLMBacklightFunctionEnable class with vtab=0xfffffff0079108b0 [+] Processing IOAVSerializer class with vtab=0xfffffff0078f4678 [+] Processing AppleSPUAppDriverUserClient class with vtab=0xfffffff0077d8b68 [+] Processing AppleUSBHostBusCurrentClient class with vtab=0xfffffff0078413d0 [+] Processing IOSurfaceDeviceCache class with vtab=0xfffffff007849788 [+] Processing AppleNubT8027USBXHCICommandRing class with vtab=0xfffffff0078a2780 [+] Processing AppleARMSPICommand class with vtab=0xfffffff0077a31a8 [+] Processing H11ANEInUserClient class with vtab=0xfffffff0078a6620 [+] Processing AGXFamilyAccelerator class with vtab=0xfffffff00798bc58 [+] Processing IOSkywalkMemorySegment class with vtab=0xfffffff007786618 [+] Processing IO80211String class with vtab=0xfffffff0078b2ab8 [+] Processing IOCharacterDevice class with vtab=0xfffffff0078b2bd0 [+] Processing IOGPURangeAllocator class with vtab=0xfffffff0079861c0 [+] Processing AppleSPUSphereDriver class with vtab=0xfffffff007992fc0 [+] Processing IOGPUEventMachine class with vtab=0xfffffff007983ac0 [+] Processing AppleUSBDeviceAudioDevice class with vtab=0xfffffff0079062d0 [+] Processing AppleDialogPMUUserClient class with vtab=0xfffffff0079dbb30 [+] Processing RTBuddyStringDecoder class with vtab=0xfffffff0077c2260 [+] Processing AUASelectorUnitDictionary class with vtab=0xfffffff0079091c0 [+] Processing AppleUSBHostiOSDevice class with vtab=0xfffffff007949418 [+] Processing IOBlockStorageDriver class with vtab=0xfffffff007792fd8 [+] Processing IODTPlatformExpert class with vtab=0xfffffff00771fae0 [+] Processing IODMAEventSource class with vtab=0xfffffff00771cd08 [+] Processing AppleCS46L21IDPT class with vtab=0xfffffff0078635e0 [+] Processing IOMFBSwapIORequest class with vtab=0xfffffff0079ee600 [+] Processing AHTHSWorkLoop class with vtab=0xfffffff007822ae8 [+] Processing AppleARMCFIFlashController class with vtab=0xfffffff0077974d8 [+] Processing RTBuddy class with vtab=0xfffffff0077c3648 [+] Processing AGXMTLCounterSampler class with vtab=0xfffffff0079909a8 [+] Processing AGXScheduler class with vtab=0xfffffff00798e288 [+] Processing IOAppleConvergedIPCRTIDevice class with vtab=0xfffffff00777d8c8 "
I don't seem to have this issue, can you dump the content of IOExternalMethodArguments ?
I don't seem to have this issue, can you dump the content of IOExternalMethodArguments ?
What kernelcache are you using ? I’ve used the iOS 14b3 research kernelcache and I’ve used the iOS 15.2 kernelcache for iPhone XR on the dev version of ghidra 10.2 released by blacktop to handle the new dyld shared cache format. But I don’t know how to dump the ExternelMethodArguments but it sounds non trivial to figure it out. Give me about an hour and I’ll put it here