jalavoui Posted October 7, 2023 (edited November 29, 2023)

Incomplete macOS 12+ dyld cache extractor. Used by OCLP to support some legacy GPUs and Wi-Fi hardware.

https://github.com/moraea/dsce/tree/better-build

this can be used like this to extract extensions, etc.:

./dsce /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_x86_64h /System/Library/Extensions

./dsce /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_x86_64h /System/Library/Frameworks/OpenGL.framework/Versions/A/Resources/GLEngine.bundle/GLEngine

the result will be written to the "Out" folder

Attachment: dsce.zip
jalavoui Posted October 9, 2023 (edited March 31)

there's a tool to extract /System/Library/KernelCollections:

https://github.com/vampirecat35/decompkernelcache
jalavoui Posted April 20 (edited May 2)

usage:

./decompkernelcache /System/Library/KernelCollections/SystemKernelExtensions.kc x -kexts

for debugging only. these kexts from the cache need a lot of corrections for external function calls. to get this function call (zn11MetaClass) the code bytes from the kext in the cache need to be "fixed" like this (in orange). original bytes from the cache are: so the __got table is imported like this and needs to be fixed to look like this, and finally patch the wrong calls in code...

currently the exported kexts can load in ida pro and ghidra. that was the initial goal, but they can't be used for anything else. currently the disasm will produce this for those functions. these const refs also need to be fixed. ida pro also looks for symbols in bootsystem.kc
jalavoui Posted May 2 (edited May 6)

added BootKernelExtensions.kc support

Attachment: Release.zip
Slice Posted May 6

On 10/7/2023 at 5:45 PM, jalavoui said:
> Incomplete macOS 12+ dyld cache extractor. Used by OCLP to support some legacy GPUs and Wi-Fi hardware.
> https://github.com/moraea/dsce/tree/better-build
> this can be used like this to extract extensions, etc.:
> ./dsce /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_x86_64h /System/Library/Extensions
> ./dsce /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_x86_64h /System/Library/Frameworks/OpenGL.framework/Versions/A/Resources/GLEngine.bundle/GLEngine
> the result will be written to the "Out" folder
> Attachment: dsce.zip

Why did I get only 31 files? I expected 663.
jalavoui Posted May 6 (edited May 7)

this is still very bugged. the goal is to extract kexts and make them load in ghidra for debug purposes. meant to be used with BootKernelExtensions.kc or syskernel, not for extracting from the cache.

load it in xcode so you can check what it's doing. i have set in main() the file loading. kdk extensions change code for calls, but on sys.kc this is the address. need to guess how they remap section addresses like __got, etc. this is the goal, but atm i got very good coding! 1st todo is fix file size
Slice Posted May 7

OK, I also ran decompkernelcache on System and Boot and got all kexts (for disassembly purposes).
deeveedee Posted May 7

What is the goal of this thread/effort? Just curious (and fascinated). Thanks.
Slice Posted May 7

3 hours ago, deeveedee said:
> What is the goal of this thread/effort? Just curious (and fascinated). Thanks.

If you want to patch some kext by your own method then you should look at and disassemble its binary. But where do you get it? Kexts inside SLE don't contain the binary part. As an example: using the utilities above you can obtain these binaries.
Andy Vandijck Posted June 11 (edited June 22)

On 5/3/2024 at 12:18 AM, jalavoui said:
> added BootKernelExtensions.kc support
> Attachment: Release.zip

I have merged your changes in the form of decompkernelcache-kc.

repo and bins: https://github.com/vampirecat35/decompkernelcache

I have made builds for macOS, iOS 64-bit, WatchOS 64-bit, VisionOS, AppleTVOS, MinGW32, MinGW64, MSVC X64 and MSVC X86.
jalavoui Posted June 11

the code needs a few fixes but i guess it will help other devs for now
Chito Kim Posted October 13

dsce can only extract a few kexts from /S/L/E. For now, it's restricted to Metal, GL drivers etc. How do I analyse graphics kexts like AMDRadeonX6000? Load the whole dyld_shared_cache in Ghidra?
joevt Posted October 13

I used https://github.com/keith/dyld-shared-cache-extractor while researching the patch in my fork of WhateverGreen that allows changing the dscTargetBPP setting from 12 to 8bpp to enable 4K240Hz for GPUs that support DSC. It seems to work ok except that the addresses don't seem to be correct. For example, in the CoreDisplay framework extracted by dyld-shared-cache-extractor, I see the following:

There's a string literal here:

aDsctargetbpp:
00007ff8025e80f2  db "dscTargetBPP", 0

which is used in a cfstring here:

00007ff840505778  dq 0x0000040043146b28, 0x00000000000007c8, 0x00000400025e80f2, 0x000000000000000c ; DATA XREF=_CGXMappedDisplayStart+3905

however, the addresses in the cfstring have 00000400 instead of 00007ff8 for the upper 32 bits. I don't know why. Maybe it's an issue with the disassembler. I'm using Hopper.app but otool shows the same addresses and data. I guess that makes sense since they're both looking at the same extracted binary. Do any of the other extractors output different results?

I tried the "Read File From DYLD Cache..." command in Hopper.app and it produces better results:

aDsctargetbpp:
00007ff8025e80f2  db "dscTargetBPP", 0 ; DATA XREF=cfstring_dscTargetBPP

cfstring_dscTargetBPP:
00007ff840505778  dq 0x00007ff843146b28, 0x00000000000007c8, 0x00007ff8025e80f2, 0x000000000000000c ; "dscTargetBPP", DATA XREF=_CGXMappedDisplayStart+3905

The dyld shared cache contains many libraries and frameworks.

For /S/L/E, it does not include kexts but has these items:

AMDRadeonX5000GLDriver.bundle
AGXGPURawCounterBundle.bundle
AMDRadeonX4000GLDriver.bundle
AMDRadeonX5000MTLDriver.bundle
AMDRadeonX6000GLDriver.bundle
AMDRadeonX6000MTLDriver.bundle
AMDRadeonX6000Shared.bundle
AMDShared.bundle
AppleIntelICLGraphicsGLDriver.bundle
AppleIntelICLGraphicsMTLDriver.bundle
AppleIntelKBLGraphicsGLDriver.bundle
AppleMultitouchDriver.kext
AppleParavirtGPUMetalIOGPUFamily.bundle
AMDMTLBronzeDriver.bundle
AMDRadeonVADriver.bundle
AMDRadeonVADriver2.bundle
AMDRadeonX5000Shared.bundle
AppleIntelKBLGraphicsMTLDriver.bundle
AppleMetalOpenGLRenderer.bundle
AppleParavirtGPUMetal.bundle

For kexts, I've used the ones from the KDKs downloaded from Apple.

open "https://developer.apple.com/download/more/?=kernel%20debug%20kit"
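The 00000400 upper halves in the extracted CoreDisplay listing look like unresolved shared-cache rebase chains, where each 8-byte slot packs the pointer's low bits together with the distance to the next slot that needs rebasing. The decoder below is an added example, not code from this thread or from any of the extractors it mentions; it assumes slide-info v2 semantics with delta_mask 0x00FFFF0000000000 and value_add 0x7ff800000000, both chosen to reproduce the values in joevt's post rather than read from a real cache header, and it walks a constructed page built from the four cfstring qwords shown above.

```python
import struct
# Assumed constants (labelled): chosen to match the values in the post, not
# read from a real dyld_cache_slide_info2 header, which is where they live.
DELTA_MASK = 0x00FFFF0000000000  # bits 40..55: delta to the next slot in the chain
VALUE_ADD = 0x00007FF800000000   # x86_64 shared-cache base address

def decode_slot(raw, delta_mask=DELTA_MASK, value_add=VALUE_ADD):
    """One raw 8-byte slot -> (rebased pointer, byte delta to the next slot).
    As in slide-info v2: delta is in 4-byte units, a zero value stays zero,
    and a zero delta terminates the chain for that page."""
    shift = (delta_mask & -delta_mask).bit_length() - 1  # lowest set bit of the mask
    delta_bytes = ((raw & delta_mask) >> shift) * 4
    value = raw & ~delta_mask & 0xFFFFFFFFFFFFFFFF
    if value != 0:
        value += value_add
    return value, delta_bytes

def rebase_chain(page, start, delta_mask=DELTA_MASK, value_add=VALUE_ADD):
    """Walk the chain starting at byte offset `start`, rewriting each slot in
    place. Returns (rebased page bytes, [(offset, pointer), ...])."""
    buf, fixed, off = bytearray(page), [], start
    while True:
        (raw,) = struct.unpack_from("<Q", buf, off)
        ptr, delta = decode_slot(raw, delta_mask, value_add)
        struct.pack_into("<Q", buf, off, ptr)
        fixed.append((off, ptr))
        if delta == 0 or off + delta + 8 > len(buf):  # end of chain or of buffer
            break
        off += delta
    return bytes(buf), fixed

def slots(page):  # little-endian 8-byte slots of a page, for inspection
    return struct.unpack("<%dQ" % (len(page) // 8), page)

# Constructed sample: the four qwords of cfstring_dscTargetBPP exactly as the
# post shows them in the extracted CoreDisplay, plus one constructed slot with
# zero delta bits so the chain terminates inside the buffer.
SAMPLE_PAGE = struct.pack(
    "<5Q",
    0x0000040043146B28,  # isa, raw (from the post)
    0x00000000000007C8,  # cfstring flags (from the post)
    0x00000400025E80F2,  # data pointer -> "dscTargetBPP", raw (from the post)
    0x000000000000000C,  # length 12 (from the post)
    0x0000000043146B28,  # constructed terminator
)

if __name__ == "__main__":
    for off, ptr in rebase_chain(SAMPLE_PAGE, 0)[1]:
        print("slot +0x%02x -> 0x%016x" % (off, ptr))
```

Rebasing the sample reproduces the 0x00007ff843146b28 and 0x00007ff8025e80f2 values that Hopper's "Read File From DYLD Cache..." command shows, which is the check that the 00000400 words are packed chain deltas rather than a disassembler fault.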
jalavoui Posted October 27 (edited October 27)

yes, kdk got the correct address bindings for strings, const, etc. and loads nicely on any debugger. i use it to study the code. but careful, cause the addresses are not the same as in BootKernelExtensions.kc or syskernel.kc, so i use this tool to get them, although other address bindings break cause the extracted kext is no longer inside the .kc

loading the kc on a disassembler gives better results cause all of them do some rebinds. if i learn to do that then the tool would be much better
STLVNUB Posted October 28 (edited October 28)

Hey Guys, What Are You Using To Disassemble The Kext? Can You Share PLEASE?
joevt Posted October 29

I use http://Hopperapp.com. Ghidra is a free solution you can download: https://github.com/NationalSecurityAgency/ghidra. There's probably a version of IDA from Hex-Rays that you can use: https://hex-rays.com/ida-pro
STLVNUB Posted October 29

3 hours ago, joevt said:
> I use http://Hopperapp.com. Ghidra is a free solution you can download: https://github.com/NationalSecurityAgency/ghidra. There's probably a version of IDA from Hex-Rays that you can use: https://hex-rays.com/ida-pro

Thank You