This repo contains the ipsw symbolication signature files.

Currently we are sitting at 63.85% on xnu

Get the signatures

git clone https://github.com/blacktop/symbolicator.git

Symbolicate a kernelcache with ipsw

ipsw kernel sym kernelcache --json --signatures /path/to/symbolicator-repo/kernel

Install IDA Plugin

plugins/ida/install.sh

Now you can apply the symbols to you kernelcache in IDA by pressing Alt+F8

The first time the IDB if loaded, the plugin will attempt to automatically load the symbols file (This is verified using an indication file with the suffix .symbols_loaded)

Supported Plugins/Scripts

• Binary Ninja
• Ghidra
• IDA Pro
• radare2

You can set these ENV VARS to control the the outputed signature's metadata

• TARGET The target binary. (e.g. com.apple.driver.AppleMobileFileIntegrity)
• MAX_VERSION The maximum version of the target darwin.
• MIN_VERSION The minimum version of the target darwin.
• JSON_FILE The path to the JSON file. (e.g. /path/to/sig.json)

To generate signatures for xnu

scripts/run.sh --kernel '/path/to/KDK/kernel'

To generate signatures for a kext

scripts/run.sh --kext '/path/to/KDK/kext'

• add support for global variables/constants
• byte pattern matching
• use arg count to assist in identifying anchor caller (as arg position/register)

Idea was originally inspired by Jonathan Levin's disarm 'matchers' file.

MIT Copyright (c) 2024 blacktop