-
Notifications
You must be signed in to change notification settings - Fork 1
Process Firmware IMG with iOracle
Luke Deshotels edited this page Jul 7, 2017
·
7 revisions
There are X steps to complete when processing firmware IMG files with iOracle.
- Use iOracle to extract all relevant data from the jailbroken device(s) that will provide dynamic data (e.g., process ownership, sandbox extensions, and file access behaviors) to compliment the static data extracted from the firmware.
- Collect the .img files for the root file systems of the firmware versions you want to process.
- On a macOS system, run the iOracle/automatedDataExtraction/dataExtractorForIMGFile.sh. This script seems to have trouble if the input and output files are not all on the same system. I suspect this has something to do with mounting the file systems.
- Move the results of dataExtractorForIMGFile.sh to a Linux system with IDA Pro and process the results with dataExtractorForExtractedFileSystem.sh.
- Set up symlinks to dynamic analysis facts from step 1 in the prolog facts directory for the firmware version's analysis directory (e.g., iPad2,1_7.0.6_11B651/prologFacts).
- Set up symlinks to sandbox profile facts produced by Sandscout in the prolog facts directory for the firmware version's analysis directory (e.g., iPad2,1_7.0.6_11B651/prologFacts).