iOS Shared Cache Extraction
Having fallen off the iOS-exploration train due to completing my Masters and other commitments, I have finally climbed back aboard in pursuit of understanding the telephony stack.
Like most things in iOS that are used frequently, the vast majority of the frameworks and libraries used in the telephony stack reside in the DYLD shared cache located at
In this post I am going to explain how to go about extracting this cache file so that you can then work with each library individually.
Get The Cache
The first step in all of this is to copy the cache over to your local machine. I did this using a program called iExplorer, but you can just as easily do it over SSH. As a side note, you can connect to your iDevice using SSH over USB if you install a tool called iProxy.
The easiest way I found to extract the cache is to use a program provided by Apple called
dsc_extractor. You can get the source for
dsc_extractor by downloading the
dyld package from Apples open source page at: http://opensource.apple.com/.
After downloading the package, unarchive it then go to the launch-cache subdirectory.
$ tar -xvzf dyld-210.2.3.tar.gz
$ cd dyld-210.2.3/launch-cache/
At this point we need to apply a patch to the
dsc_extractor code so that it can be compiled and function properly. The patch to be applied is available on GitHub at https://gist.github.com/lightbulbone/6092321
The patch can be applied using the patch command; once patched dsc_extractor can then be compiled.
$ patch < dsc_extractor.patch
$ clang++ -o dsc_extractor dsc_extractor.cpp dsc_iterator.cpp
You should now have a working copy of
Extracting The Cache The last step is pretty simple. All you need to do is run dsc_extractor.
$ dsc_extractor dyld_shared_cache_armv7 armv7/
If you then look inside the
armv7/ folder you’ll find all the extracted libraries used on iOS.
As a quick side note, you can also open the cache file directly in IDA Pro. I found this be a bit cumbersome although you may have better luck.
Until next time, happy hacking!