30 lines
1.2 KiB
Markdown
30 lines
1.2 KiB
Markdown
|
This information only applies to iBoot64 on iOS 8 or lower.
|
||
|
|
|
||
|
|
In order to dump iBoot, you need:
|
||
|
|
|
||
|
|
1. Kernel read/write (eg task_for_pid 0)
|
||
|
|
2. gPhysBase and gVirtBase
|
||
|
|
3. A pointer to the kernel pmap's level1 translation table entries.
|
||
|
|
|
||
|
|
Once those are obtained, just add a mapping for gPhysBase to the level1 table (code for this is available upon request; drop me a pm on freenode), mapping 1GB of physical memory at a given virtual address.
|
||
|
|
Additionally, make sure to clear the read only bit and set the EL0-accessible bit.
|
||
|
|
|
||
|
|
At this point, it's simple matter of memmem to figure out where iBoot is hiding in phys. Given a gPhysBase map at 0xffffffc3c0000000, this code should do the trick.
|
||
|
|
|
||
|
|
```
|
||
|
|
int main(int argc, char **argv, char **envp) {
|
||
|
|
char* base = (char*) 0xffffffc3c0000000;
|
||
|
|
char* sig = (char*) "FFiBoot for ";
|
||
|
|
char* iboot = (char*) memmem(base, (1<<30), sig+2, strlen(sig)-2);
|
||
|
|
while (*(iboot-1) == 'F' && *(iboot-2) == 'F') {
|
||
|
|
iboot ++;
|
||
|
|
/* should fix size up here but too lazy lol */
|
||
|
|
iboot = (char*) memmem(iboot, (1<<30), sig+2, strlen(sig)-2);
|
||
|
|
assert(iboot);
|
||
|
|
}
|
||
|
|
iboot = (char*) (((uintptr_t)iboot) & (~0xFFF));
|
||
|
|
printf("found iboot at %p\n", iboot);
|
||
|
|
return 0;
|
||
|
|
}
|
||
|
|
````
|