Two weeks ago I updated LZVN to support kernel extraction from a prelinkedkernel, and today's update adds extraction of the dictionary with:
./lzvn -d /System/Library/Prelinkedkernels/prelinkedkernel dictionary
And all kexts with:
./lzvn -d /System/Library/Prelinkedkernels/prelinkedkernel kexts
The extracted kexts are saved in kexts/Library/Extensions and/or kexts/System/Library/Extensions, in RAW format. RAW means that the extracted kexts are saved exactly as they are found in the prelinked kernel, not as 'normal' kexts.
Note: Source code needs a few cleanups here and there, but it works.
Update: The Dictionary.plist is now saved in proper XML format, so that you can open it with Xcode, and the number of signed and unsigned (extracted) kexts is now also dumped in the output.
Edit: Here is a list with the signed kexts:
/System/Library/Extensions/System.kext/PlugIns/Mach.kext
/System/Library/Extensions/System.kext/PlugIns/IOKit.kext
/System/Library/Extensions/System.kext/PlugIns/Libkern.kext
/System/Library/Extensions/System.kext/PlugIns/Private.kext
/System/Library/Extensions/System.kext/PlugIns/Unsupported.kext
/System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext
/System/Library/Extensions/System.kext/PlugIns/MACFramework.kext
All other kexts are stored in unsigned format in the prelinkedkernel.
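To verify the signed/unsigned split yourself on an extracted tree, the check is whether each Mach-O carries an LC_CODE_SIGNATURE load command. The script below is an added example, not part of LZVN; it assumes the extracted kexts are thin little-endian Mach-O files somewhere under the output directory and builds a constructed sample image for a stand-alone run.

```python
import struct
from pathlib import Path

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_CODE_SIGNATURE = 0x1D  # load command that points at the embedded code signature blob

def has_code_signature(data: bytes) -> bool:
    """True if a thin little-endian Mach-O image carries an LC_CODE_SIGNATURE load command."""
    if len(data) < 28:
        return False
    magic, ncmds = struct.unpack_from("<I", data, 0)[0], struct.unpack_from("<I", data, 16)[0]
    if magic == MH_MAGIC_64:
        offset = 32  # sizeof(mach_header_64)
    elif magic == MH_MAGIC:
        offset = 28  # sizeof(mach_header)
    else:
        return False  # not a thin Mach-O (fat binaries are not handled here)
    for _ in range(ncmds):
        if offset + 8 > len(data):
            break
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmd == LC_CODE_SIGNATURE:
            return True
        if cmdsize < 8:
            break  # malformed load command: stop instead of looping forever
        offset += cmdsize
    return False

def classify_tree(root: Path) -> dict:
    """Sort every Mach-O file under root (assumed: an lzvn 'kexts' output directory) into signed/unsigned."""
    result = {"signed": [], "unsigned": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        if data[:4] in (b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe"):
            result["signed" if has_code_signature(data) else "unsigned"].append(str(path))
    return result

def build_sample(signed: bool) -> bytes:
    """Constructed minimal x86_64 MH_KEXT_BUNDLE image (test data, not a real kext)."""
    cmds = struct.pack("<II16s", 0x1B, 24, b"\x00" * 16)  # LC_UUID with a zeroed UUID
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)  # dataoff/datasize zeroed
    ncmds = 2 if signed else 1
    return struct.pack("<IIIIIIII", MH_MAGIC_64, 0x01000007, 3, 0xB, ncmds, len(cmds), 0, 0) + cmds

if __name__ == "__main__":
    print("constructed signed sample:", has_code_signature(build_sample(True)))
    print("constructed unsigned sample:", has_code_signature(build_sample(False)))
```

Point classify_tree at the kexts directory lzvn wrote to get the two lists; the counts should match the signed/unsigned totals the tool prints.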
Have fun with it!
Well (as always)!
What’s the next step? Patching these extensions and repacking them?
🙂
The first thing I did was to run stripSignature – a yet to be released command line tool – to strip the CodeSignature off of System.kext/PlugIns to see if the prelinkedkernel got rebuilt or not, and it did. In other words, now I have a prelinkedkernel without a single signed kext in it. Nothing special, but I had to know if that was even possible.
Yeah, interesting, and this looks promising for the future!