macos, apple-m1, kernel-extension, xnu

How to access an unexported symbol from a kext?


I tried to load a kext module on an M1 machine running 11.4 Beta (20F5046g) Big Sur and encountered some binding error messages when the kext module was loaded.

Accessing a kernel symbol exported from Apple's kext modules

First, to access the kernel functions exported from Apple's kext module com.apple.kpi.unsupported, I used the extern declaration below.

extern int  cpu_number(void);

Also, I added com.apple.kpi.unsupported to the Info.plist:

    <key>OSBundleLibraries</key>
    <dict>
            <key>com.apple.kpi.libkern</key>
            <string>20.5</string>
            <key>com.apple.kpi.unsupported</key>
            <string>20.5.0</string>
    </dict>

The compilation doesn't raise any errors, but when I try to load the module, it prints the message below.

Error Domain=KMErrorDomain Code=31 "Error occurred while building a collection: 
    1: One or more binaries has an error which prevented linking.  See other errors.
    2: Could not use 'kext' because: Failed to bind '_cpu_number' in 'kext' (at offset 0x0 in __DATA_CONST, __got) as could not find a kext which exports this symbol
kext specific: 
    1: Failed to bind '_cpu_number' in 'kext' (at offset 0x0 in __DATA_CONST, __got) as could not find a kext which exports this symbol
" UserInfo={NSLocalizedDescription=Error occurred while building a collection: 
    1: One or more binaries has an error which prevented linking.  See other errors.
    2: Could not use 'kext' because: Failed to bind '_cpu_number' in 'kext' (at offset 0x0 in __DATA_CONST, __got) as could not find a kext which exports this symbol
kext specific: 
    1: Failed to bind '_cpu_number' in 'kext' (at offset 0x0 in __DATA_CONST, __got) as could not find a kext which exports this symbol

Can I access a kernel symbol that is present in the kernel's symbol list but not exported from any of Apple's kext modules?

I would also like to access the kernel function called SecureDTInitEntryIterator. I found that this symbol is listed in the symbol table of the kernel located at /System/Library/Kernels/kernel. However, `$ kextfind -defines-symbol _SecureDTIterateEntries` doesn't return any corresponding kext module names.

As an iOS newbie, I guess that this symbol is not exported from any of Apple's kext modules. Is there any way to access this function from my kext module? I think I could just type-cast the address where the symbol is located in kernel space to the function prototype, but I am looking for a systematic approach, if one exists.


Solution

  • I have just checked, and the crucial detail appears to be that you are trying to access this function on arm64/aarch64. As it turns out, it's exported in the "unsupported" KPI for x86_64, but not on arm64:

    There's no straightforward way of accessing unexported symbols. If you know the offset of a symbol in the exact version of the running kernel, you should be able to compute the address by offsetting from a known function address; at least, this worked on x86-64. arm64 may require extra effort due to PAC (pointer authentication).

    As this circumvents Apple's policies, I don't recommend using this type of technique in a shipping product.
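The "offset from a known function address" technique in the answer above, written out as an added example (not code from the original post or from Apple). The idea is that the KASLR slide is the same for every symbol in the kernel image, so the runtime address of one exported function, minus its unslid address from the on-disk kernel, gives the slide, which is then applied to the unslid address of the unexported function. All addresses and the version string below are constructed placeholders; in a real kext the anchor would be something like `raw_address((void *)&printf)` (printf is in the libkern KPI), the running version string would be the kernel's exported `version` string (an assumption about which exported symbol to use), and the unslid values would be read with `nm -n` from the exact `/System/Library/Kernels/kernel` build that is running. The PAC handling is the arm64e part the answer alludes to: the address taken with `&` carries a signature that must be stripped before arithmetic, and the computed raw address must be re-signed before it is callable.

```c
/* Added example: resolve an unexported XNU symbol by KASLR slide.
 * Not from the original post. Every address and version string here is
 * a constructed placeholder; see the lead-in for where real values come from. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Only clang targeting arm64e defines ptrauth_calls; elsewhere the PAC
 * calls compile out and the pointer arithmetic is plain. */
#if defined(__has_feature)
#  if __has_feature(ptrauth_calls)
#    include <ptrauth.h>
#    define HAVE_PTRAUTH 1
#  endif
#endif

/* Offsets are only valid for the exact kernel build they were taken from,
 * so the lookup is gated on the version string. Hypothetical prefix. */
#define EXPECTED_KERNEL_VERSION "Darwin Kernel Version 20.5.0"

/* Unslid (on-disk) addresses as `nm -n kernel` would print them. Hypothetical. */
#define ANCHOR_UNSLID 0xFFFFFE0007A1B2C0ULL /* an exported function, e.g. printf */
#define TARGET_UNSLID 0xFFFFFE0007C3D4E0ULL /* the unexported function we want   */

typedef int (*target_fn_t)(void);

/* Strip the PAC (if any) from an address taken in code, e.g. (void *)&printf,
 * so the slide arithmetic works on the plain address bits. */
uint64_t raw_address(void *fn) {
#ifdef HAVE_PTRAUTH
    fn = ptrauth_strip(fn, ptrauth_key_function_pointer);
#endif
    return (uint64_t)(uintptr_t)fn;
}

/* slide = runtime address of the anchor - its unslid address.
 * The same slide applies to every symbol in the kernel image. */
uint64_t resolve_by_slide(uint64_t anchor_runtime, uint64_t anchor_unslid,
                          uint64_t target_unslid) {
    uint64_t slide = anchor_runtime - anchor_unslid;
    return target_unslid + slide;
}

/* Refuse to use hard-coded offsets on any other kernel build. */
int kernel_version_matches(const char *running_version) {
    return strncmp(running_version, EXPECTED_KERNEL_VERSION,
                   strlen(EXPECTED_KERNEL_VERSION)) == 0;
}

/* Turn the computed raw address into a callable pointer. On arm64e a plain C
 * function pointer must be signed with the IA key and a zero discriminator,
 * otherwise the indirect call faults on authentication. */
target_fn_t make_callable(uint64_t raw) {
    void *p = (void *)(uintptr_t)raw;
#ifdef HAVE_PTRAUTH
    p = ptrauth_sign_unauthenticated(p, ptrauth_key_function_pointer, 0);
#endif
    return (target_fn_t)(uintptr_t)p;
}

/* Stand-alone demo with a constructed slide of 0x10000000 and a constructed
 * version string; nothing here is dereferenced or called. */
int main(void) {
    const char *running = "Darwin Kernel Version 20.5.0: (constructed sample)";
    uint64_t anchor_runtime = ANCHOR_UNSLID + 0x10000000ULL;

    if (!kernel_version_matches(running)) {
        printf("kernel build mismatch, refusing to use offsets\n");
        return 1;
    }
    uint64_t target = resolve_by_slide(anchor_runtime, ANCHOR_UNSLID, TARGET_UNSLID);
    printf("slide   = 0x%llx\n", (unsigned long long)(anchor_runtime - ANCHOR_UNSLID));
    printf("target  = 0x%llx\n", (unsigned long long)target);
    printf("callable= %p\n", (void *)(uintptr_t)make_callable(target));
    return 0;
}
```

The version gate is the part worth keeping even in throwaway research code: a stale offset on a slightly newer build does not fail cleanly, it jumps into the middle of whatever now lives at that address, and on arm64e it panics on the PAC check first only if the signature happens to be wrong.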