2

I want to play with reverse engineering the Apple Neural Engine driver, which is a kernel extension (com.apple.driver.AppleH11ANEInterface). These used to be in /System/Library/Extensions/, but on my M1 MacBook Pro with Sonoma (14.2.1) the Extensions directory doesn't include the binaries themselves, only metadata and resources.

Instead, all kext binaries are bundled together in /System/Volumes/Preboot/<...>/System/Library/Caches/com.apple.kernelcaches/kernelcache, as verified by kmutil inspect -v --bundle-identifier com.apple.driver.AppleH11ANEInterface.

How can I extract the binaries out of the kernelcache file? Specifically, I'm looking for the AppleH11ANEInterface binary.

The kernelcache file seems to be an IMG4 format, but existing tools like pyimg4 are failing to extract it.

Thanks

1
  • 1
    Have you looked at the ipsw tool from blacktop which specifically offers this functionality? github.com/blacktop/ipsw Commented Jan 10, 2024 at 17:21

1 Answer

1

I was able to get this working with ipsw, which @Jon mentioned. You just need to install it with brew, then decompress the kcache:

ipsw kernel dec /System/Volumes/Preboot/<...>/System/Library/Caches/com.apple.kernelcaches/kernelcache -o <output dir> 

then extract the kext you want:

ipsw kernel extract <path to kernelcache.decompressed> com.apple.driver.AppleH11ANEInterface 
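
A sanity check for the two steps in the answer above, as an added example that is not part of the original answer or the ipsw project: it lists the bundle IDs inside a decompressed kernelcache, so you can confirm the decompress step produced a Mach-O and that com.apple.driver.AppleH11ANEInterface is present before extracting. It assumes the decompressed file is a 64-bit little-endian Mach-O of type MH_FILESET with LC_FILESET_ENTRY load commands; `fileset_entries` and `constructed_fileset` are names made up for this example.

```python
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF       # 64-bit little-endian Mach-O magic
MH_FILESET = 0xC               # Mach-O file type used for kernel collections
LC_FILESET_ENTRY = 0x80000035  # one load command per bundled kernel/kext

def fileset_entries(data):
    """Return {bundle_id: file_offset} for every LC_FILESET_ENTRY in a Mach-O fileset."""
    if len(data) < 32 or struct.unpack_from("<I", data)[0] != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O (still compressed or IMG4-wrapped?)")
    _cpu, _sub, filetype, ncmds, sizeofcmds = struct.unpack_from("<5I", data, 4)
    if filetype != MH_FILESET:
        raise ValueError(f"Mach-O file type {filetype:#x} is not MH_FILESET")
    entries, off = {}, 32                      # load commands follow the 32-byte header
    limit = min(32 + sizeofcmds, len(data))
    for _ in range(ncmds):
        if off + 8 > limit:
            raise ValueError("load commands are truncated")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > limit or (cmd == LC_FILESET_ENTRY and cmdsize <= 32):
            raise ValueError("bad load command size")
        if cmd == LC_FILESET_ENTRY:
            _vm, fileoff, name_off, _r = struct.unpack_from("<QQII", data, off + 8)
            if not 32 <= name_off < cmdsize:
                raise ValueError("entry_id offset outside the load command")
            name = data[off + name_off:off + cmdsize].split(b"\0", 1)[0]
            entries[name.decode("ascii", "replace")] = fileoff
        off += cmdsize
    return entries

def constructed_fileset(ids):
    """Build a tiny fileset header as constructed sample data (not a real kernelcache)."""
    cmds = b""
    for i, bid in enumerate(ids):
        name = bid.encode() + b"\0"
        name += b"\0" * (-len(name) % 8)       # pad the command to a multiple of 8 bytes
        cmds += struct.pack("<IIQQII", LC_FILESET_ENTRY, 32 + len(name),
                            0, 0x4000 * (i + 1), 32, 0) + name
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, MH_FILESET,
                       len(ids), len(cmds), 0, 0) + cmds

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # path to a decompressed kernelcache
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:                                      # no argument: use the constructed sample
        blob = constructed_fileset(["com.apple.kernel", "com.apple.driver.AppleH11ANEInterface"])
    for bundle_id, fileoff in fileset_entries(blob).items():
        print(f"{fileoff:#012x}  {bundle_id}")
```

Run against the still-compressed kernelcache, it raises the "not a 64-bit Mach-O" error, which tells you the decompress step has not been applied yet.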
