Kernel Dumping

From The Apple Wiki

Dumping the kernel is a method used to find offsets in the kernel, the reason this works is because since KASLR is added you have to find the new offsets for each boot, once you have dumped all the kernel memory, you fwrite() everything into a .bin file, once the kernel is dumped into a file you can use ios-jailbreak-patchfinder to find every offset needed to patch the kernel.


#include <stdio.h>
#include <unistd.h>
#include <CoreFoundation/CoreFoundation.h>
#include <sys/types.h>
#include <sys/sysctl.h>
#include <mach/mach.h>

mach_port_t kernel_task = 0;

int main(int argc, char** argv)
  kern_return_t r = task_for_pid(mach_task_self(), 0, &kernel_task);
  if (r != 0)
      printf("task_for_pid returned %x : missing tfp0 kernel patch or wrong entitlements\n", r);
      return 0;
  uint32_t i;
  pointer_t buf;
  unsigned int sz;
  vm_address_t addr = 0x80002000;
  FILE *fp = fopen("kernel.bin", "wb+");
  if (fp != NULL)
      printf("Failed to open kernel.bin\n");
      return -1;
  while (addr < (0x80002000 + 0x1F000000))
      vm_read(kernel_task, addr, 2048, &buf, &sz);
      if (buf == NULL || sz == 0)
      uint8_t* p = (uint8_t*)buf;
      fwrite(p, 2048, 1, fp);
      addr += 2048;
  printf("Kernel dump is done\n");
  return 0;