Dyld shared cache

From iPhone Development Wiki

Revision as of 19:58, 22 January 2014


Since iPhone OS 3.1, all of the default system libraries (public and private frameworks alike) have been combined into one large cache file, /System/Library/Caches/com.apple.dyld/dyld_shared_cache_armX, so that dyld can map them in one go instead of opening hundreds of files. X is the architecture the cache was built for:

  X     Device ARM Architecture
  v6    ARMv6
  v7    ARMv7
  v7s   ARMv7s
  64    ARMv8 (arm64)

Because dyld loads everything from the cache, the individual dylib files are of no use to anyone except developers who build on the device itself, so they are not shipped with the system.

If you are looking for a binary inside /System/Library/Frameworks or /System/Library/PrivateFrameworks and cannot find it, this is why: it lives inside the shared cache.

Cache extraction

Developers who build on the device without the SDK cannot link programs against the system frameworks, because the dylibs the linker needs are missing. The appropriate dylibs first have to be extracted from the dyld_shared_cache.

Options:

  • dyld_decache by KennyTM~ extracts individual dylibs from the cache.
  • Alternatively, DySlim by comex (https://gist.github.com/455086/) mounts the whole cache file as a filesystem on Mac OS X.
  • decache by phoenixdev (https://github.com/phoenix3200/decache) also works quite well.
  • classdump-dyld by limneos (https://github.com/limneos/classdump-dyld) works right on the device: "A class dumping command line tool that generates header files from app binaries, libraries, frameworks, bundles or the whole dyld_shared_cache. Eliminates the need to extract files from the dyld_shared_cache in order to class-dump them or get symbols."
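What every one of these tools does first is read the cache header, the mapping table and the image table, then translate each image's virtual address to a file offset. The following is an added example of that step, written for this page; it is not code from the wiki or from any of the tools above. The field layout follows Apple's dyld_cache_format.h (the leading fields of dyld_cache_header, plus dyld_cache_mapping_info and dyld_cache_image_info, each 32 bytes); only those leading header fields are decoded, so it also reads the header of newer caches that carry extra fields or subcaches, although it does not follow subcaches. The cache it runs against is constructed in memory (a fake two-mapping, two-image armv7 cache); the paths and addresses in it are made up for the example.

```python
"""List the images in a dyld_shared_cache and check that a Mach-O header
really sits at each image's address.  Added example; constructed sample data."""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # 32-bit / 64-bit Mach-O magic
ENTRY_SIZE = 32   # dyld_cache_mapping_info and dyld_cache_image_info are both 32 bytes


def parse_cache(data):
    """Return (magic, mappings, images) from the leading header fields:
    magic[16], mappingOffset, mappingCount, imagesOffset, imagesCount."""
    magic = bytes(data[:16]).rstrip(b"\0").decode()
    if not magic.startswith("dyld_v1"):
        raise ValueError("not a dyld shared cache: %r" % magic)
    map_off, map_cnt, img_off, img_cnt = struct.unpack_from("<4I", data, 16)
    mappings = []
    for i in range(map_cnt):   # address, size, fileOffset, maxProt, initProt
        addr, size, foff, maxprot, initprot = struct.unpack_from(
            "<3Q2I", data, map_off + ENTRY_SIZE * i)
        mappings.append({"address": addr, "size": size, "file_offset": foff,
                         "max_prot": maxprot, "init_prot": initprot})
    images = []
    for i in range(img_cnt):   # address, modTime, inode, pathFileOffset, pad
        addr, _mtime, _inode, path_off, _pad = struct.unpack_from(
            "<3Q2I", data, img_off + ENTRY_SIZE * i)
        end = data.index(b"\0", path_off)
        images.append({"address": addr, "path": bytes(data[path_off:end]).decode()})
    return magic, mappings, images


def vmaddr_to_offset(mappings, addr):
    """Translate a cache virtual address to a file offset via the mapping table."""
    for m in mappings:
        if m["address"] <= addr < m["address"] + m["size"]:
            return addr - m["address"] + m["file_offset"]
    raise ValueError("address 0x%x lies outside every mapping" % addr)


def check_images(data):
    """Map each image path to True if a Mach-O magic is found at its address.
    A False entry means the image (or the copy of the cache) is unusable."""
    _, mappings, images = parse_cache(data)
    result = {}
    for img in images:
        off = vmaddr_to_offset(mappings, img["address"])
        (hdr_magic,) = struct.unpack_from("<I", data, off)
        result[img["path"]] = hdr_magic in (MH_MAGIC, MH_MAGIC_64)
    return result


def build_sample_cache(corrupt_second=False):
    """Constructed sample (not a real cache): __TEXT r-x and __DATA rw- mappings,
    two images, paths stored after the tables.  corrupt_second=True zeroes the
    second image's Mach-O magic to show what check_images reports."""
    base, text_foff, data_foff = 0x30000000, 0x1000, 0x3000
    map_off, img_off, path_off = 0x100, 0x200, 0x300
    paths = [b"/usr/lib/libSystem.B.dylib",
             b"/System/Library/Frameworks/Foundation.framework/Foundation"]
    img_addrs = [base, base + 0x800]            # both inside the __TEXT mapping
    buf = bytearray(0x4000)
    buf[:16] = b"dyld_v1   armv7".ljust(16, b"\0")
    struct.pack_into("<4IQ", buf, 16, map_off, 2, img_off, 2, 0)   # + dyldBaseAddress
    struct.pack_into("<3Q2I", buf, map_off, base, 0x2000, text_foff, 5, 5)
    struct.pack_into("<3Q2I", buf, map_off + ENTRY_SIZE, base + 0x2000, 0x1000, data_foff, 3, 3)
    for i, (addr, path) in enumerate(zip(img_addrs, paths)):
        struct.pack_into("<3Q2I", buf, img_off + ENTRY_SIZE * i, addr, 0, 0, path_off, 0)
        buf[path_off:path_off + len(path) + 1] = path + b"\0"
        path_off += len(path) + 1
        struct.pack_into("<I", buf, addr - base + text_foff, MH_MAGIC)
    if corrupt_second:
        struct.pack_into("<I", buf, img_addrs[1] - base + text_foff, 0)
    return bytes(buf)


if __name__ == "__main__":
    cache = build_sample_cache()
    magic, mappings, images = parse_cache(cache)
    print(magic)
    for m in mappings:
        print("mapping 0x%x size 0x%x file 0x%x prot %d" %
              (m["address"], m["size"], m["file_offset"], m["init_prot"]))
    for path, ok in check_images(cache).items():
        print("%s %s" % ("ok " if ok else "BAD", path))
```

To use it on a real cache, pass the file's bytes (or an mmap of it) to parse_cache and check_images; the image-to-offset step is the same one the extraction tools perform before they rebuild each dylib's load commands.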

Cache retrieval

Since ASLR was added to iOS, the obvious ways of pulling the cache off the device (for instance cp or scp from a shell on the device) produce a "broken" copy that the tools above cannot process. A process with ASLR enabled sees the cache slid to a randomized base, and reads of the cache file made from such a process return that slid content rather than the file as it is stored on disk (see Howett's "Cache or Check?" under References). To obtain a valid copy of the shared cache, use one of these options:

  • Copy the cache with a program on which ASLR has been explicitly disabled, i.e. one built as a non-PIE executable using the -mdynamic-no-pic compile flag.
  • Read the file from the filesystem while bypassing the buffer cache, by setting the F_NOCACHE flag on the cache's file descriptor (fcntl(fd, F_NOCACHE, 1)) before reading it.
  • Copy the cache over AFC; filesystem browsers that use an AFC connection are fine.
  • Take the cache from the decrypted root filesystem DMG inside the IPSW, which never passed through a running process on the device.

References

  • Cache or Check? — an analysis of the dyld_shared_cache system by D. Howett.