Figure 3-54 Apple File Conduit 2
3.6 dyld_decache
After installing iFunBox and AFC2, most of you would be eager to start browsing the iOS
filesystem to explore the secrets hidden in iOS. But soon you’ll discover that there are no library
files under “/System/Library/Frameworks/” or “/System/Library/PrivateFrameworks/”.
What’s going on?
Since iOS 3.1, many library files, including frameworks, have been combined into one big cache
located at “/System/Library/Caches/com.apple.dyld/dyld_shared_cache_armx” (i.e.
dyld_shared_cache_armv7, dyld_shared_cache_armv7s or dyld_shared_cache_arm64). We can
use dyld_decache by KennyTM to extract the separate binaries from this cache. This
guarantees that the files we analyze come straight from iOS, so the targets of static and
dynamic analysis cannot mismatch each other. For more about this cache, please refer to
DHowett’s blog at http://blog.howett.net/2009/09/cache-or-check/.
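The following is an added example, not code from the book or from dyld_decache: a small Python check that a copied cache file has an intact header for one of the three architectures above, and that lists the library paths stored in it. The header layout is an assumption taken from the classic dyld_v1 format in Apple's open-source dyld (dyld_cache_format.h); build_sample is a hypothetical helper that constructs a miniature cache so the code runs offline.

```python
import struct

# Classic dyld_v1 header (assumed layout, per Apple's open-source dyld_cache_format.h):
# char magic[16]; uint32 mappingOffset, mappingCount, imagesOffset, imagesCount; uint64 base
HEADER = struct.Struct("<16sIIIIQ")
# dyld_cache_image_info: uint64 address, modTime, inode; uint32 pathFileOffset, pad
IMAGE_INFO = struct.Struct("<QQQII")
KNOWN_ARCHS = {"armv7", "armv7s", "arm64"}  # the three cache variants named in the text


def parse_cache(data):
    """Return (arch, [image paths]); raise ValueError if the cache looks damaged."""
    if len(data) < HEADER.size:
        raise ValueError("file shorter than a dyld cache header")
    magic, _map_off, _map_cnt, img_off, img_cnt, _base = HEADER.unpack_from(data, 0)
    text = magic.rstrip(b"\0").decode("ascii", "replace")
    if not text.startswith("dyld_v1"):
        raise ValueError("bad magic: %r" % magic)
    arch = text[len("dyld_v1"):].strip()
    if arch not in KNOWN_ARCHS:
        raise ValueError("unexpected architecture: %r" % arch)
    if img_off + img_cnt * IMAGE_INFO.size > len(data):
        raise ValueError("image table runs past end of file (truncated copy?)")
    paths = []
    for i in range(img_cnt):
        _addr, _mtime, _inode, path_off, _pad = IMAGE_INFO.unpack_from(
            data, img_off + i * IMAGE_INFO.size)
        end = data.find(b"\0", path_off)
        if path_off >= len(data) or end < 0:
            raise ValueError("image %d: path string outside file" % i)
        paths.append(data[path_off:end].decode("utf-8", "replace"))
    return arch, paths


def build_sample(arch, paths):
    """Constructed miniature cache: header + image table + path strings only."""
    img_off = HEADER.size
    str_off = img_off + len(paths) * IMAGE_INFO.size
    table, strings = b"", b""
    for p in paths:
        table += IMAGE_INFO.pack(0, 0, 0, str_off + len(strings), 0)
        strings += p.encode() + b"\0"
    magic = ("dyld_v1" + arch.rjust(8)).encode()  # 15 chars, NUL-padded to 16
    return HEADER.pack(magic, 0, 0, img_off, len(paths), 0) + table + strings


if __name__ == "__main__":
    sample = build_sample("armv7s", ["/System/Library/Frameworks/UIKit.framework/UIKit"])
    print(parse_cache(sample))
```

To check a real copy, pass the file's bytes to parse_cache, e.g. parse_cache(open(path, "rb").read()).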
Before using dyld_decache, please use iFunBox (not scp) to copy
“/System/Library/Caches/com.apple.dyld/dyld_shared_cache_armx” from iOS to OS X, then
download dyld_decache from
https://github.com/downloads/kennytm/Miscellaneous/dyld_decache[v0.1c].bz2 and grant
execute permission to the decompressed executable: