Version and Platform (required):
- Binary Ninja Version: 5.3.9417-dev Ultimate, 8f260d72
- OS: macos
- OS Version: 26.3.1
- CPU Architecture: arm64
Bug Description:
macOS 11 / iOS 16 moved their kernel caches to the newer MH_FILESET format. Prior to that, they used MH_EXECUTE. Binary Ninja ends up loading these older kernel caches as if they were any other Mach-O executable.
I see a couple of problems when loading kernelcache.release.iPhone9,1_3 from iOS build 19H364:
- Analysis is much slower than I'd expect, even given the relatively large binary size (~43MB). Phases 2 and 3 are particularly slow. The initial phase takes ~3 minutes, with the final two phases taking over 45 minutes as they discover and analyze an additional ~80,000 functions.
- The kernel cache contains indirect calls via pointers in sections the Mach-O headers indicate are writable. These appear to be used for cross-image calls (i.e., kext to kernel). Since the pointer appears to be writable, we do not resolve the indirect call target, which severely hampers analysis.
- C++ vtables for IOKit classes are not detected or processed.
Steps To Reproduce:
ipsw download appledb --os iOS --version 15.7.8 --device iPhone9,1
ipsw extract --kernel iPhone_4.7_P3_15.7.8_19H364_Restore.ipsw
Then open 19H364__iPhone9,1_3/kernelcache.release.iPhone9,1_3 and wait.
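Added example, not part of the bug report and not Binary Ninja's code: a small header check a practitioner can run on the extracted kernelcache before opening it. It reads the mach_header_64 filetype to tell MH_EXECUTE from MH_FILESET, counts LC_FILESET_ENTRY commands, and walks the LC_SEGMENT_64 commands to record which segments the headers mark writable (initprot has VM_PROT_WRITE), which is the property the report says stops the indirect-call targets from being resolved. The sample Mach-O it builds when run without arguments is constructed here for illustration; its segment names and addresses are assumptions and it is not a real kernelcache.

```python
import struct
import sys

# Mach-O constants (from <mach-o/loader.h> and <mach/vm_prot.h>)
MH_MAGIC_64 = 0xFEEDFACF
MH_CIGAM_64 = 0xCFFAEDFE
MH_EXECUTE = 0x2
MH_FILESET = 0xC
LC_SEGMENT_64 = 0x19
LC_FILESET_ENTRY = 0x80000035  # LC_REQ_DYLD | 0x35
VM_PROT_WRITE = 0x2
CPU_TYPE_ARM64 = 0x0100000C

FILETYPE_NAMES = {MH_EXECUTE: "MH_EXECUTE", MH_FILESET: "MH_FILESET"}

_HDR = "IiiIIIII"           # mach_header_64 (32 bytes)
_SEG = "II16sQQQQiiII"      # segment_command_64 (72 bytes)
_SECT = "16s16sQQIIIIIIII"  # section_64 (80 bytes)


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_macho64(data):
    """Parse the header and LC_SEGMENT_64 commands of a 64-bit Mach-O.

    Returns the filetype, the LC_FILESET_ENTRY count, and one record per
    segment with its address range, initprot and a writable flag.
    """
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        e = "<"
    elif magic == MH_CIGAM_64:
        e = ">"
    else:
        raise ValueError("not a 64-bit Mach-O: magic 0x%08x" % magic)
    _, cputype, _, filetype, ncmds, sizeofcmds, _, _ = struct.unpack_from(e + _HDR, data, 0)
    info = {"cputype": cputype, "filetype": filetype,
            "filetype_name": FILETYPE_NAMES.get(filetype, "0x%x" % filetype),
            "fileset_entries": 0, "segments": []}
    off = struct.calcsize(_HDR)
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from(e + "II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize 0x%x at offset 0x%x" % (cmdsize, off))
        if cmd == LC_FILESET_ENTRY:
            info["fileset_entries"] += 1
        elif cmd == LC_SEGMENT_64:
            _, _, segname, vmaddr, vmsize, _, _, _, initprot, nsects, _ = struct.unpack_from(e + _SEG, data, off)
            seg = {"name": _cstr(segname), "vmaddr": vmaddr, "vmsize": vmsize,
                   "initprot": initprot, "writable": bool(initprot & VM_PROT_WRITE), "sections": []}
            soff = off + struct.calcsize(_SEG)
            for _ in range(nsects):
                if soff + struct.calcsize(_SECT) > off + cmdsize:
                    raise ValueError("section table overruns segment command")
                sectname, _, addr, size = struct.unpack_from(e + _SECT, data, soff)[:4]
                seg["sections"].append((_cstr(sectname), addr, size))
                soff += struct.calcsize(_SECT)
            info["segments"].append(seg)
        off += cmdsize
    return info


def segment_containing(info, addr):
    for seg in info["segments"]:
        if seg["vmaddr"] <= addr < seg["vmaddr"] + seg["vmsize"]:
            return seg
    return None


def pointer_is_writable(info, addr):
    """True/False for a mapped address, None if no segment covers it."""
    seg = segment_containing(info, addr)
    return None if seg is None else seg["writable"]


def _section(name, segname, addr, size):
    return struct.pack("<" + _SECT, name.encode().ljust(16, b"\0"), segname.encode().ljust(16, b"\0"),
                       addr, size, 0, 3, 0, 0, 0, 0, 0, 0)


def _segment(name, vmaddr, vmsize, initprot, sections):
    body = b"".join(sections)
    return struct.pack("<" + _SEG, LC_SEGMENT_64, struct.calcsize(_SEG) + len(body),
                       name.encode().ljust(16, b"\0"), vmaddr, vmsize, 0, 0, 7, initprot, len(sections), 0) + body


def build_sample_macho(filetype=MH_EXECUTE):
    """Constructed sample (hypothetical names/addresses): an arm64 header with an
    r-x code segment and an rw- data segment holding a pointer table."""
    text, data = 0xFFFFFFF007004000, 0xFFFFFFF007010000
    cmds = [_segment("__TEXT_EXEC", text, 0x4000, 0x5, [_section("__text", "__TEXT_EXEC", text, 0x4000)]),
            _segment("__DATA", data, 0x4000, 0x3, [_section("__got", "__DATA", data, 0x100)])]
    blob = b"".join(cmds)
    return struct.pack("<" + _HDR, MH_MAGIC_64, CPU_TYPE_ARM64, 0, filetype, len(cmds), len(blob), 0, 0) + blob


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_macho()
    parsed = parse_macho64(raw)
    print("filetype: %s, LC_FILESET_ENTRY commands: %d" % (parsed["filetype_name"], parsed["fileset_entries"]))
    for s in parsed["segments"]:
        print("%-16s %016x-%016x %s" % (s["name"], s["vmaddr"], s["vmaddr"] + s["vmsize"], "rw" if s["writable"] else "ro"))
```

Run it as `python3 macho_check.py kernelcache.release.iPhone9,1_3` (script name assumed) on the extracted cache: an MH_EXECUTE filetype with zero LC_FILESET_ENTRY commands is the older layout the report describes, and any indirect-call pointer whose address falls in a segment listed as rw is one the loader will see as writable.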