Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

iOS16/macOS13 changed the dyld_shared_cache format again

See original GitHub issue

Hello!

There were some minor-ish changes to the shared_cache in iOS16. There is a NEW stub-island variant. I believe you can detect this new version as a cacheType=2 (from the header)

As a nicety, they have added the sub_cache extension to the sub_cache_entry structure so you can know after parsing the “primary” cache file all of it’s sub_cache file names.

The /usr/lib/dyld binary has been moved into the cache and I believe they are re-using the accerlatorInfoAddr and accleratorInfoSize fields from the header to now be the dyldTextAddr and addr to the _dyld_start func.

The stubs have all been moved into sub_caches (no longer inside the dylibs themselves) these stub-subcaches can be identified by their size (~KBs), they will only contain a _TEXT mapping and after the header/mapping etc there will be no MachO headers it will just be stubs ASM. I’m not sure if the stub_island sub_caches come right after the subcache with the dylibs that need them yet so you might have to “map” all the islands in order for the branch-to-stub symbols to resolve.

If you have ANY other question please don’t hesitate to ask and I’ll dig into it with you.

Issue Analytics

State:
Created a year ago
Comments:6

Top GitHub Comments

2reactions

ryanmkurtzcommented, Jul 5, 2022

The new base dyld_shared_cache and kernelcache files should now be loadable into Ghidra.

You can also import individual dylib’s from Ghidra’s filesystem interface, but the same limitations that existed in iOS15 still apply (huge files, missing objc info, unfixed chained pointers, etc). Work still needs to be done in this area. These issues are independent of the new format so they should get their own tickets (such as #4175)

0reactions

blacktopcommented, Jun 14, 2022

LOL, I def should try to contribute to ghidra after all the good you have done for me and the RE world 😞 Maybe after I “finish” ipsw I have more time 😁 If you hit me up on Twitter I can share an IPSW url with you or you can wait, I think Apple will release “public” betas in 3 weeks?

Top Results From Across the Web

dyld shared cache info | Apple Developer Forums

Can someone actually explain me what dyld_shared_cache_x86_64 and other files located at /System/Library/dyld are? I know that dyld is the dynamic libraries ...

Is it safe to delete these 4 files in the folder called dyld

When loading [an executable file], dyld will first check if is in the share cache, and if it is will use that pre-bound...

dyld_shared_cache - iPhone Development Wiki

Starting with macOS 11, update_dyld_shared_cache is deprecated and, as in iOS, the only copy of the libraries is in the "cache". The cache...

Playing with Mach-O binaries and dyld - LSE Blog

When I first had “fun” with the Linux ELF format, I was told to call ... only images not in dyld shared cache...

Extracting libraries from dyld_shared_cache | Worth Doing Badly

macOS and iOS improve startup time and memory usage by combining all system libraries into the dyld shared cache: a file containing every ......