subCacheUUID field should probably be subCachesOffset instead

[mstange]

ipsw/hack/extras/Dyld.bt

Lines 116 to 117 in 05af7d2

	uint32 subCacheUUID;
	uint32 numSubCaches; // number of dyld_shared_cache .1,.2,.3 files

It seems like the field before the numSubCaches field is pointing at a list of subcache info structs which has length numSubCaches. The subcache info struct is 24 bytes big, 16 bytes UUID + 8 bytes something else.

This allows you to get the UUID for each subcache.

[mstange]

Some evidence from /usr/lib/dsc_extractor.bundle:

[blacktop]

Yes, it is definitely not a "UUID" I figured that out a month ago here:

ipsw/pkg/dyld/file.go

Line 151 in 05af7d2

// if ff.Headers[uuid].SubCachesUUID != ff.Headers[ff.UUID].SubCachesUUID { FIXME: what IS this field actually?

It appears to be an offset to the end of the imagesTextOffsetsection (the dylib path strings) in the subCaches, but in the "primary" cache you are right it seems to point to a small amount of data that the subCache's do not contain. Good find with respects to the UUIDs!

[blacktop]

The stuff that I thought looked like bit-field flags after progClosuresTrieWithSubCachesSize might tell you what kind of cache it is an how to interpret the (incorrect) subCacheUUID field perhaps? Or maybe one of these fields:

    uint32 unknown8;
    uint32 unknown9;

[blacktop]

What I was always MOST interested in what the mysterious unknown10Offset field. I see that it's an offset to a struct of what looks like large arrays of offsets? That might be where the patchInfo went.

[mstange]

Edit: this is wrong

The unknown10Offset field is already present in dyld 852.2, which is public:
https://opensource.apple.com/source/dyld/dyld-852.2/dyld3/shared-cache/dyld_cache_format.h.auto.html

Or are you saying that the existing header definition cannot be used for subcaches, and that the subcaches have other data in those places?

[mstange]

Oh, oops, never mind. I got confused because some fields later in the header look very similar to other fields earlier in the header.

[blacktop]

So you can tell how the field should be interpreted IF the numSubCaches is greater than 0. I have updated my 010 template to reflect it. Thank you for your help!

[blacktop]

Also the "8 bytes something else." is the "end offset" of the contamination of the sub caches (so far) or the totalSize. So for subCache.1 the field is it's size and for subCache.2 it's the size of subCache.1 + subCache.2 and so on.

[mstange]

Ah, nice. So cumulativeSize might be an appropriate name.

[blacktop]

Yes! That's perfect.

[mstange]

The cumulativeSize field is called cacheVMOffset: https://github.com/apple-oss-distributions/dyld/blob/5c9192436bb195e7a8fe61f22a229ee3d30d8222/cache-builder/dyld_cache_format.h#L496