`ipsw download ipsw --kernel` now fetches firmware keys from
theapplewiki and decrypts encrypted kernelcaches inline. Unencrypted
members in the same IPSW pass through unchanged.
- pkg/img4: DecryptPayload reuses Payload.GetData for decompression,
removing the duplicate LZSS/LZFSE branches.
- pkg/kernelcache: ParseImg4Data switches to img4.ParsePayload and
exports ErrEncryptedKernelCache so callers can detect the missing-key
case via errors.Is.
- internal/commands/extract: new keyed remote path with all-or-nothing
preflight; the encryption-status peek lets unencrypted variants
succeed even when the wiki has no entry for them.
closes#1193
Add API endpoints and CLI support for discovering C++ classes and symbolication of kernelcaches, refactor Mach-O handling, and improve symbol collection.
- API: add /kernel/cpp and /kernel/symbolicate routes, request param structs, response types, and openKernel helper. Use cpp scanner and signature parsing to return classes and symbol maps.
- CLI: wire scanner LogStats flag, refactor kernel symbolicate command (schema writer helper, improved signature parsing, and symbol matching logic). Add tests for symbolicator schema and kernel symbol matching.
- Signature pkg: add kernel C++ symbol extraction (pkg/signature/kernel_cpp.go) and SymbolicateMachO to symbolicate already-open Mach-Os; integrate C++ symbols into symbol map and update signature matching/logging behavior.
- Internal: refactor in-memory DB lookups (findMachOByUUID, findSymbolByAddr) to reduce duplication. Improve symbols collection for kernel Mach-Os (collectKernelMachoSymbols, extra kernel symbols from signature/C++), add helpers to append symbols.
- Kernelcache CPP: add LogStats option and conditional logging of scan stats.
- Crashlog/ips: update wording to reflect kernel symbols are from kernel analysis and store KernelSymbols earlier in processing; parse signatures only when configured.
Also add unit tests for new symbolication helpers and kernel C++ signature handling. Overall this consolidates kernel symbol discovery, improves reuse, and surfaces C++-derived symbols in symbol maps.
Update all disassembly code to use new cgo-based decoder API with
stack-allocated instruction structs instead of heap-allocated
pointers. Add instruction filtering to skip decoding operations that
register tracking doesn't care about, avoiding expensive CGo calls.
Key changes:
- Replace Decompose with DecomposeInto using stack allocation
- Add mayBeTrackedInstruction filter for common tracked ops
- Introduce helper functions for safe operand/register access
- Fix metaclass pointer index to use caller index for efficiency
- Remove root file special-casing in pointer index builder
- Add comprehensive unit tests for tracking options and helpers
- Updated disassembly functions to utilize the new `disassemble.Inst` type instead of `disassemble.Instruction`.
- Modified operand retrieval functions to accommodate the new instruction structure.
- Enhanced error handling and logging for instruction decoding failures.
- Improved JSON output for disassembly to ensure disassembly strings are preserved.
- Refactored various components across the disassembly package, including Mach-O and dyld handling, to streamline instruction processing.
- Added tests to validate the new disassembly behavior and ensure backward compatibility.
- Introduced `types.go` to define core structures and configurations for the scanner.
- Implemented the `Scanner` type for discovering classes in kernelcache Mach-O files.
- Added methods for scanning, resolving vtables, and handling class metadata.
- Created `vtable.go` to manage vtable-related functionalities, including detection and resolution of vtables.
- Implemented various utility functions for class name recovery and symbol handling.
- Established mechanisms for deduplication of discovered classes and handling of potential virtual function stubs.
blacktop
ThePraeceps