Support iOS BootRom Images ? #4423
@ryanmkurtz This is the SecureROM image
@ryanmkurtz This is the iBoot image
@ryanmkurtz This is the iBEC image
@ryanmkurtz This is the iBSS image
Here's also one last good reference of a decompiler script for the BootROM
Thanks, I'll investigate soon.
It would be helpful if this ticket could describe how the current support is lacking. For example, when you analyze these binaries in Ghidra, what isn't working?
Problem #1: It doesn't get the right loading address. I think Ghidra naturally does that for all binaries? But for the kernelcache that's not the case: the higher bits are always initialized and the base address is found pronto. Unlike iBoot and other BootROM images, which just get instantly initialized with start being 0x0 :( I would add the screenshots I have but I can't. Moving on to problem #2.
Secondly, I don't think it is correctly decompiling the binary; for example, the beginning in iBoot is filled with a lot of 00's after the "reset()".
Not trying to compare scripts or decompilers here at all, just trying to better some things because I love Ghidra, but I tested Ghidra against IDA Pro along with the (https://github.com/hack-different/iBoot-IDA/) scripts as the primary loader. Unlike Ghidra, it puts the start address in IDA Pro as "iBoot:000000018001C000 EXPORT start
If Ghidra has a loader for a binary format like Mach-O, ELF, PE, etc., it will parse the headers for guidance on where to load the parts of the file into memory. These files don't seem to have any such headers, so Ghidra will use its generic BinaryLoader. When the BinaryLoader is used, it's up to the user to go into the loader options to set the base address. For example, I loaded your iBoot image into Ghidra and set the base address to
Can you point me at any online documentation about the format of these dumps, other than the IDA scripts? Are these files memory dumps, or are they intended to be parsed and loaded into memory at different locations like a normal Mach-O would be? If they are memory dumps, do they all share the same address space? Do they reference each other or are they independent?
Have you tried this? https://github.com/ExhoAR22/ghidra-iboot
Here's one document I know of:
Which is correct, that's the loading address after manually doing it by hand in Ghidra. Also, yep, the xrefs and finding function names themselves or strings are a bit blotchy in certain areas, and as stated, "figuratively 40%" of the code seems to be invalid decompiled code showing up as 00's, which isn't right either.
Our team discussed if this is something we want to officially support and we decided against it. I suggest reaching out to the wider community, perhaps to the people who support it on IDA, to see if they are willing to implement and maintain a GhidraScript or Extension.
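As an added example (not code from this issue, from Ghidra or from the IDA scripts linked above), a small Python check that covers the two points discussed in the comments above: whether a dump carries a container header that one of Ghidra's format loaders would recognise (if not, the BinaryLoader falls back to a user-supplied base address), and where the long runs of 0x00 bytes sit once the file is mapped at a chosen base, so the "00's" in a listing can be traced to padding that is really in the file rather than to a decompiler defect. The sample image and the base 0x18001C000 (the start address IDA reported in the comment above) are constructed/assumed values, not a real dump.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Constructed sample: 16 bytes of non-zero "code", a 64-byte run of zero
# padding, then 16 more non-zero bytes. Not a real iBoot or SecureROM dump.
SAMPLE_IMAGE = bytes.fromhex("1f2003d5") * 4 + b"\x00" * 64 + b"\x41" * 16

# Assumed base address for the sample: the value IDA reported in the thread.
ASSUMED_BASE = 0x18001C000

# Leading magic bytes of container formats Ghidra has dedicated loaders for.
# Mach-O magics are stored little-endian in the file, hence struct.pack("<I").
CONTAINER_MAGICS: Dict[bytes, str] = {
    b"\x7fELF": "ELF",
    b"MZ": "PE/MZ",
    struct.pack("<I", 0xFEEDFACE): "Mach-O 32-bit",
    struct.pack("<I", 0xFEEDFACF): "Mach-O 64-bit",
}


def detect_container(image: bytes) -> Optional[str]:
    """Name of the recognised container format, or None for a headerless dump."""
    for magic, name in CONTAINER_MAGICS.items():
        if image.startswith(magic):
            return name
    return None


def zero_runs(image: bytes, min_len: int = 32) -> List[Tuple[int, int]]:
    """Return (file_offset, length) for every run of 0x00 bytes >= min_len."""
    runs, i, n = [], 0, len(image)
    while i < n:
        if image[i] != 0:
            i += 1
            continue
        j = i
        while j < n and image[j] == 0:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i))
        i = j
    return runs


def report(image: bytes, base: int) -> dict:
    """Summarise what a loader can learn from a raw dump mapped at `base`."""
    container = detect_container(image)
    runs = zero_runs(image)
    zero_bytes = sum(length for _, length in runs)
    return {
        "container": container,
        "needs_manual_base": container is None,  # BinaryLoader case
        "zero_ranges": [(base + off, base + off + ln) for off, ln in runs],
        "zero_fraction": zero_bytes / len(image) if image else 0.0,
    }
```

Ranges in `zero_ranges` are the addresses to leave as undefined data in Ghidra rather than expecting code there.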
Support SecureROM dumps, iBoot, iBEC, iBSS, and LLB images. As references, I think IDA Pro now natively supports this, and there are plenty of scripts for IDA Pro but none for Ghidra nor Hopper.
Reference : https://github.com/matteyeux/ida-iboot-loader
Reference : https://github.com/hack-different/iBoot-IDA (most up to date script)
I will drop screenshots of how Ghidra handles the BootROM images and also I will drop the files themselves.