06 Jun 2014
Stubbed SDK
Earlier this week Apple announced iOS 8.0 and the first beta was made available on the developer portal. Along with the OS, Apple also pushed the new Xcode beta, which contains the iOS 8.0 SDK, the set of “tools” needed to build applications targeting iOS 8.0.
Everything looks the same as before, but if you look under the hood of the SDK, you will notice a very important change.
Filippos-MacBook-Pro:iPhoneOS7.1.sdk filippo$ du -sh usr/lib System/Library/{Private,}Frameworks
45M usr/lib
342M System/Library/PrivateFrameworks
133M System/Library/Frameworks
Filippos-MacBook-Pro:iPhoneOS8.0.sdk filippo$ du -sh usr/lib System/Library/{Private,}Frameworks
5.9M usr/lib
11M System/Library/PrivateFrameworks
7.8M System/Library/Frameworks
Up to iOS 7.x, all the binaries shipped with the SDK were “real” images: by “real” I mean that they contained not only the symbols needed for the frameworks/libraries to be linked against, but also the code implemented in those binaries. That made reverse engineering much easier, as you just needed to download the SDK and load the binary of interest into IDA/Hopper.
Filippos-MacBook-Pro:iPhoneOS7.1.sdk filippo$ otool -l usr/lib/liblockdown.dylib
usr/lib/liblockdown.dylib (architecture armv7):
[...]
Section
sectname __text
segname __TEXT
addr 0x00000b60
size 0x00004fd8
offset 2912
align 2^2 (4)
reloff 0
nreloc 0
flags 0x80000400
reserved1 0
reserved2 0
[...]
Filippos-MacBook-Pro:iPhoneOS7.1.sdk filippo$ otool -tv usr/lib/liblockdown.dylib
usr/lib/liblockdown.dylib (architecture armv7):
(__TEXT,__text) section
_locklog:
00000b60 b081 sub sp, #0x4
00000b62 b5f0 push {r4, r5, r6, r7, lr}
[...]
With iOS 8.0, Apple is no longer shipping “real” binaries with the SDK, but just stubs: all the libraries/frameworks contain only the symbols required for linkage, and actually have no code in them (note the zero-size __text section below).
Filippos-MacBook-Pro:iPhoneOS8.0.sdk filippo$ otool -l usr/lib/liblockdown.dylib
usr/lib/liblockdown.dylib (architecture armv7):
[...]
Section
sectname __text
segname __TEXT
addr 0x00000000
size 0x00000000
offset 0
align 2^2 (4)
reloff 0
nreloc 0
flags 0x80000400
reserved1 0
reserved2 0
[...]
Filippos-MacBook-Pro:iPhoneOS8.0.sdk filippo$ otool -tv usr/lib/liblockdown.dylib
usr/lib/liblockdown.dylib (architecture armv7):
(__TEXT,__text) section
usr/lib/liblockdown.dylib (architecture armv7s):
(__TEXT,__text) section
usr/lib/liblockdown.dylib (architecture arm64):
(__TEXT,__text) section
Filippos-MacBook-Pro:iPhoneOS8.0.sdk filippo$
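As an added example (not code from the original post), here is a small Python parser that performs the same check as the otool -l output above, reading the size of the (__TEXT,__text) section from the Mach-O load commands of every architecture slice, so a whole SDK directory can be scanned for stubs. The Mach-O and fat-header layouts are the standard ones; the build_* helpers only construct sample images for testing and are not real SDK binaries.

```python
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
ARCH = {(0xC, 9): "armv7", (0xC, 11): "armv7s", (0x0100000C, 0): "arm64"}
# per magic: header length, segment_command layout, section layout, LC_SEGMENT(_64) value
LAYOUT = {MH_MAGIC: (28, "<II16sIIIIIIII", "<16s16sIIIIIIIII", 0x1),
          MH_MAGIC_64: (32, "<II16sQQQQIIII", "<16s16sQQIIIIIIII", 0x19)}

def text_section_size(image, base=0):
    """Size of (__TEXT,__text) in the thin little-endian Mach-O at offset base; 0 means stub."""
    hdr_len, seg_fmt, sec_fmt, lc_seg = LAYOUT[struct.unpack_from("<I", image, base)[0]]  # KeyError: not a thin Mach-O
    ncmds, off = struct.unpack_from("<I", image, base + 16)[0], base + hdr_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        seg = struct.unpack_from(seg_fmt, image, off) if cmd == lc_seg else None
        if seg and seg[2].rstrip(b"\0") == b"__TEXT":
            sec_off = off + struct.calcsize(seg_fmt)  # sections follow the segment command
            for _ in range(seg[-2]):  # nsects
                sec = struct.unpack_from(sec_fmt, image, sec_off)
                if sec[0].rstrip(b"\0") == b"__text":
                    return sec[3]  # the "size" field that otool -l prints
                sec_off += struct.calcsize(sec_fmt)
        off += cmdsize
    return 0
def text_sizes(image):
    """Per-architecture __text size for a thin or fat image; all zeros means a stub."""
    if struct.unpack_from(">I", image, 0)[0] == FAT_MAGIC:  # fat_header/fat_arch are big-endian
        hdrs = [struct.unpack_from(">IIIII", image, 8 + 20 * i)
                for i in range(struct.unpack_from(">I", image, 4)[0])]
        archs = [((h[0], h[1]), h[2]) for h in hdrs]  # ((cputype, cpusubtype), slice offset)
    else:
        archs = [(struct.unpack_from("<II", image, 4), 0)]
    return {ARCH.get(cpu, "cpu%x/%x" % cpu): text_section_size(image, off) for cpu, off in archs}
def is_stub(image):
    return all(size == 0 for size in text_sizes(image).values())
def build_image(text_size, magic=MH_MAGIC, cputype=0xC, cpusub=9):
    """Constructed thin Mach-O with one __TEXT segment and one __text section (test fixture)."""
    hdr_len, seg_fmt, sec_fmt, lc_seg = LAYOUT[magic]
    seg_len, sec_len = struct.calcsize(seg_fmt), struct.calcsize(sec_fmt)
    seg = struct.pack(seg_fmt, lc_seg, seg_len + sec_len, b"__TEXT", 0, 0, 0, 0, 5, 5, 1, 0)
    sec = struct.pack(sec_fmt, b"__text", b"__TEXT", 0, text_size, *[0] * (8 if magic == MH_MAGIC_64 else 7))
    hdr = struct.pack("<IIIIIII", magic, cputype, cpusub, 6, 1, seg_len + sec_len, 0)
    return hdr + b"\0" * (hdr_len - 28) + seg + sec  # mach_header_64 has 4 reserved bytes
def build_fat(slices):
    """Constructed fat container around thin slices (test fixture)."""
    archs, body = b"", b""
    for img in slices:
        archs += struct.pack(">IIIII", *struct.unpack_from("<II", img, 4), 8 + 20 * len(slices) + len(body), len(img), 0)
        body += img
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body
```

To scan a real SDK, read each dylib with open(path, "rb").read() and pass the bytes to text_sizes(); an all-zero result is a stub like the iOS 8.0 liblockdown.dylib above.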
This means that the only way (as of now) to reverse engineer any of those components is to extract them from the dyld_shared_cache. Unfortunately, iOS 8.0 dropped support for the iPhone 4, which means that there is no (public) way to get the keys to decrypt the Root Filesystem image included in the IPSWs for all other devices.
The only way to retrieve the shared cache is to pull it from the device; this can be done by building a simple application that copies the shared cache from /System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm{v7|v7s|64} to, for example, its own file-sharing directory, so you can easily copy it to your Mac through iTunes file sharing.
In order to retrieve a “sane” cache, one without any slide applied to it, don’t forget to set the F_GLOBAL_NOCACHE flag on the file descriptor of the cache before reading it.
#include <fcntl.h>
#include <unistd.h>

int cache_fd = open(cachePath, O_RDONLY);
// bypass the unified buffer cache so the reads return the on-disk (unslid) bytes
fcntl(cache_fd, F_GLOBAL_NOCACHE, 1);
// copy the file to another fd pointing to a file in your app's documents directory
...
I haven’t verified all the different tools that allow you to extract the individual images from the shared cache, but IDA should be able to handle it.
Ciao,
Filippo Bigarella
at 23:00