Difference between revisions of "Kernel"

From The iPhone Wiki
Revision as of 23:32, 14 February 2012

The kernel of iOS is XNU. Pre-2.0, it was vulnerable to the Ramdisk Hack and may still be, but iBoot no longer allows boot-args to be passed. It is mapped into memory at 0x80000000, forcing a 2 GB/2 GB user/kernel split, similar to the 32-bit Windows model. On older iOS the split was 3/1 (with the kernel mapped at 0xC0000000), closer to the Linux model. Note that this is NOT like 32-bit OS X, where the kernel resides in its own address space: on iOS the kernel is mapped into the address space of every process, so a kernel address (such as the load addresses shown below) means the same thing from any process context.

On production devices, the kernel is only ever present as a pre-linked kernelcache at /System/Library/Caches/com.apple.kernelcaches/kernelcache (an IMG3 container holding an LZSS-compressed Mach-O, so it has to be unwrapped and decompressed before ordinary Mach-O tools can read it). On development devices the kernel sits in its usual place, /mach_kernel. At startup, iBoot decompresses the kernelcache and jumps into it.

Boot-Args

Like its OS X counterpart, iOS's XNU accepts command-line arguments (though the actual passing of arguments is done by iBoot, which on recent firmware refuses to do so). Arguments may be directed at the kernel proper or at any one of the many KExts (discussed below). The kernel's own arguments are largely the same as those of OS X.

KExts use boot-args as well, as can be seen in a disassembly by their calls to PE_parse_boot_argn (usually exported; at 0x80240800 in the iOS 5 iPod 4G kernel). Finding cross-references to it (using IDA) reveals hundreds of places in the code where arguments are parsed by modules pertaining to flash, HDMI, and AMFI (AppleMobileFileIntegrity).
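What one of those call sites actually gets back depends only on the boot-args line iBoot hands over. As an added example (not the wiki's or XNU's code), the Python below models the lookup a kext performs with PE_parse_boot_argn(name, &buf, sizeof buf): the bare-flag and name=value grammar and the decimal/0x-hex integer forms are the ones XNU accepts; debug=, -v and rd= are standard XNU arguments, "myknob" is a hypothetical kext argument standing in for whatever the IDA cross-references turn up in a given driver, and the sample line is constructed.

```python
"""Model of how a kext's PE_parse_boot_argn() lookup resolves against the boot-args
line.  Added example; not XNU's code, and it models only the common cases
(bare '-flag' tokens, name=decimal, name=0xhex, name=string)."""


def tokenize_boot_args(boot_args):
    """Split the boot-args line iBoot hands the kernel into (name, value) pairs.
    Bare tokens such as '-v' carry no value; 'debug=0x14e' carries '0x14e'."""
    pairs = []
    for tok in boot_args.split():
        name, sep, value = tok.partition("=")
        pairs.append((name, value if sep else None))
    return pairs


def _boot_arg_int(text):
    """Integer syntaxes boot-args use: decimal, or hex with a 0x prefix."""
    return int(text, 16) if text[:2].lower() == "0x" else int(text, 10)


def pe_parse_boot_argn(boot_args, name, as_string=False):
    """Return (found, value), mirroring PE_parse_boot_argn(name, &buf, sizeof buf):
    - argument absent: (False, None), so the kext keeps its compiled-in default;
    - a bare '-flag' token equal to name: (True, 1);
    - 'name=value': the value as an int, or as a str when as_string is set."""
    for tok_name, tok_value in tokenize_boot_args(boot_args):
        if tok_name != name:
            continue
        if tok_value is None:
            # A bare token only counts as a match for '-'-style flags.
            return (True, 1) if name.startswith("-") else (False, None)
        return True, (tok_value if as_string else _boot_arg_int(tok_value))
    return False, None


# Constructed sample line.  debug=, -v and rd= are standard XNU arguments;
# "myknob" is a hypothetical kext argument, not one taken from a real driver.
SAMPLE_BOOT_ARGS = "debug=0x14e -v rd=md0 myknob=1"

if __name__ == "__main__":
    for name, as_str in (("debug", False), ("-v", False), ("rd", True), ("myknob", False), ("other", False)):
        print(name, pe_parse_boot_argn(SAMPLE_BOOT_ARGS, name, as_string=as_str))
```

The consequence worth keeping in mind when you find such a parse site: if iBoot passes an empty boot-args line, every lookup returns not-found and each kext silently keeps its compiled-in default, so the argument names recovered with IDA document which behaviours are switchable, not a way to switch them on a production device.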

Kernel Extensions

iOS does not ship KEXTs as separate bundles on the file system, but they are indeed present: unpacking the kernelcache yields the kernel proper along with the KEXTs (all packed into the __PRELINK_TEXT segment) and their Info.plists (in the __PRELINK_INFO segment).

The Cydia-supplied kextstat does not work on iOS, because it relies on kmod_get_info(), an API that recent iOS and OS X no longer support. That said, the kexts DO exist. The following is the listing of a custom command, jkextstat (which does work on iOS), on the author's iPod 4G:

Podicum:~ root# ./kextstat 
  0 __kernel__ 
  1 kpi.bsd 
  2 kpi.dsep 
  3 kpi.iokit 
  4 kpi.libkern 
  5 kpi.mach 
  6 kpi.private 
  7 kpi.unsupported 
  8 driver.AppleARMPlatform <1 3 4 5 6 7>
  9 iokit.IOStorageFamily <1 3 4 5 6 7>
 10 driver.DiskImages <1 3 4 5 6 7 9>
 11 driver.FairPlayIOKit <1 3 4 5 6 7>
 12 driver.IOSlaveProcessor <3 4>
 13 driver.IOP_s5l8930x_firmware <3 4 12>
 14 iokit.AppleProfileFamily <1 3 4 5 6 7>
 15 iokit.IOCryptoAcceleratorFamily <1 3 4 5 7>
 16 driver.AppleMobileFileIntegrity <1 2 3 4 5 6 7 15>
 17 iokit.IONetworkingFamily <1 3 4 5 6 7>
 18 iokit.IOUserEthernet <1 3 4 5 6 16 17>
 19 platform.AppleKernelStorage <3 4 7>
 20 iokit.IOSurface <1 3 4 5 6 7 8>
 21 iokit.IOStreamFamily <3 4 5>
 22 iokit.IOAudio2Family <1 3 4 5 21>
 23 driver.AppleAC3Passthrough <1 3 4 5 7 8 11 21 22>
 24 iokit.EncryptedBlockStorage <1 3 4 5 9 15>
 25 iokit.IOFlashStorage <1 3 4 5 7 9 24>
 26 driver.AppleEffaceableStorage <1 3 4 5 7 8 25>
 27 driver.AppleKeyStore <1 3 4 5 6 7 15 16 26>
 28 kext.AppleMatch <1 4>
 29 security.sandbox <1 2 3 4 5 6 7 16 28>
 30 driver.AppleS5L8930X <1 3 4 5 7 8>
 31 iokit.IOHIDFamily <1 3 4 5 6 7 16>
 32 driver.AppleM68Buttons <1 3 4 5 7 8 31>
 33 iokit.IOUSBDeviceFamily <1 3 4 5>
 34 iokit.IOSerialFamily <1 3 4 5 6 7>
 35 driver.AppleOnboardSerial <1 3 4 5 7 34>
 36 iokit.IOAccessoryManager <3 4 5 7 8 33 34 35>
 37 driver.AppleProfileTimestampAction <1 3 4 5 14>
 38 driver.AppleProfileThreadInfoAction <1 3 4 6 14>
 39 driver.AppleProfileKEventAction <1 3 4 14>
 40 driver.AppleProfileRegisterStateAction <1 3 4 14>
 41 driver.AppleProfileCallstackAction <1 3 4 5 6 14>
 42 driver.AppleProfileReadCounterAction <3 4 6 14>
 43 driver.AppleARMPL192VIC <3 4 5 7 8>
 44 driver.AppleCDMA <1 3 4 5 7 8 15>
 45 driver.IODARTFamily <3 4 5>
 46 driver.AppleS5L8930XDART <1 3 4 5 7 8 45>
 47 iokit.IOSDIOFamily <1 3 4 5 7>
 48 driver.AppleIOPSDIO <1 3 4 5 7 8 12 47>
 49 driver.AppleIOPFMI <1 3 4 5 7 8 12 25>
 50 driver.AppleSamsungSPI <1 3 4 5 7 8>
 51 driver.AppleSamsungSerial <1 3 4 5 7 8 34 35>
 52 driver.AppleSamsungPKE <3 4 5 7 8 15>
 53 driver.AppleS5L8920X <1 3 4 5 7 8>
 54 driver.AppleSamsungI2S <1 3 4 5 7 8>
 55 driver.AppleEmbeddedUSB <1 3 4 5 7 8>
 56 driver.AppleS5L8930XUSBPhy <1 3 4 5 7 8 55>
 57 iokit.IOUSBFamily <1 3 4 5 7>
 58 driver.AppleUSBEHCI <1 3 4 5 7 57>
 59 driver.AppleUSBComposite <1 3 4 57>
 60 driver.AppleEmbeddedUSBHost <1 3 4 5 7 55 57 59>
 61 driver.AppleUSBOHCI <1 3 4 5 57>
 62 driver.AppleUSBOHCIARM <3 4 5 8 55 57 60 61>
 63 driver.AppleUSBHub <1 3 4 5 57>
 64 driver.AppleUSBEHCIARM <3 4 5 8 55 57 58 60 63>
 65 driver.AppleS5L8930XUSB <1 3 4 5 7 8 55 57 58 60 61 62 64>
 66 driver.AppleARM7M <3 4 8 12>
 67 driver.EmbeddedIOP <3 4 5 12>
 68 driver.AppleVXD375 <1 3 4 5 7 8 11>
 69 driver.AppleD1815PMU <1 3 4 5 7 8 31>
 70 iokit.AppleARMIISAudio <1 3 4 5 7 22>
 71 driver.AppleEmbeddedAudio <1 3 4 5 7 8 22 31 70>
 72 driver.AppleCS42L59Audio <3 4 5 8 22 31 70 71>
 73 driver.AppleEmbeddedAccelerometer <3 4 5 7 8 31>
 74 driver.AppleEmbeddedGyro <1 3 4 5 7 8 31>
 75 driver.AppleEmbeddedLightSensor <3 4 5 7 8 31>
 76 iokit.IOAcceleratorFamily <1 3 4 5 7 8>
 77 IMGSGX535 <1 3 4 5 7 8 76>
 78 driver.H2H264VideoEncoderDriver <1 3 4 5 7 8>
 79 driver.AppleJPEGDriver <1 3 4 5 7 8>
 80 driver.AppleH3CameraInterface <1 3 4 5 7 8>
 81 driver.AppleM2ScalerCSCDriver <1 3 4 5 7 8 45>
 82 iokit.IOMobileGraphicsFamily <1 3 4 5 7 8>
 83 driver.AppleDisplayPipe <1 3 4 5 7 8 82>
 84 driver.AppleCLCD <1 3 4 5 7 8 82 83>
 85 driver.AppleSamsungMIPIDSI <1 3 4 5 7 8>
 86 driver.ApplePinotLCD <1 3 4 5 7 8>
 87 driver.AppleSamsungSWI <1 3 4 5 7 8>
 88 iokit.IODisplayPortFamily <1 3 4 5 6 7 22>
 89 driver.AppleRGBOUT <1 3 4 5 7 8 82 83 88>
 90 driver.AppleTVOut <1 3 4 5 7 8>
 91 driver.AppleAMC_r2 <1 3 4 5 7 8 11 21 22>
 92 driver.AppleSamsungDPTX <3 4 5 7 8 88>
 93 driver.AppleSynopsysOTGDevice <1 3 4 5 7 8 33 55>
 94 driver.AppleNANDFTL <1 3 4 5 7 9 25>
 95 driver.AppleNANDLegacyFTL <1 3 4 5 9 25 94>
 96 AppleFSCompression.AppleFSCompressionTypeZlib <1 2 3 4 6>
 97 IOTextEncryptionFamily <1 3 4 5 7 11>
 98 driver.AppleBSDKextStarter <3 4>
 99 nke.ppp <1 3 4 5 6 7>
100 nke.l2tp <1 3 4 5 6 7 99>
101 nke.pptp <1 3 4 5 6 7 99>
102 iokit.IO80211Family <1 3 4 5 6 7 17>
103 driver.AppleBCMWLANCore <1 3 4 5 6 7 8 17 102>
104 driver.AppleBCMWLANBusInterfaceSDIO <1 3 4 5 6 7 8 47 103>
105 driver.AppleDiagnosticDataAccessReadOnly <1 3 4 5 7 8 94>
106 driver.LightweightVolumeManager <1 3 4 5 9 15 24 26>
107 driver.IOFlashNVRAM <1 3 4 5 6 7 25>
108 driver.AppleNANDFirmware <1 3 4 5 25>
109 driver.AppleImage3NORAccess <1 3 4 5 7 8 15 108>
110 driver.AppleBluetooth <1 3 4 5 7 8>
111 driver.AppleMultitouchSPI <1 3 4 5 7 8>
112 driver.AppleUSBMike <1 3 4 5 8 22 33>
113 driver.AppleUSBDeviceMux <1 3 4 5 6 7 33>
114 driver.AppleUSBEthernetDevice <1 3 4 5 6 8 17 33>

For a specific extension, e.g. the sandbox, the full information (including the handy load address) is also accessible (the tool itself will be released soon):

root# ./jkextstat -b sandbox -x

<plist>
<dict>
        <key>CFBundleIdentifier</key>
        <string>com.apple.security.sandbox</string>
        <key>CFBundleVersion</key>
        <string>154.7</string>
        <key>OSBundleCPUSubtype</key>
        <integer>9</integer>
        <key>OSBundleCPUType</key>
        <integer>12</integer>
        <key>OSBundleDependencies</key>
        <array>
                <integer>6</integer>
                <integer>7</integer>
                <integer>5</integer>
                <integer>3</integer>
                <integer>28</integer>
                <integer>1</integer>
                <integer>4</integer>
                <integer>16</integer>
                <integer>2</integer>
        </array>
        <key>OSBundleExecutablePath</key>
        <string>/System/Library/Extensions/Sandbox.kext/Sandbox</string>
        <key>OSBundleIsInterface</key>
        <false/>
        <key>OSBundleLoadAddress</key>
        <integer>2153734144</integer>
        <key>OSBundleLoadSize</key>
        <integer>36864</integer>
        <key>OSBundleLoadTag</key>
        <integer>29</integer>
        <key>OSBundleMachOHeaders</key>
        <data>
        zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA
        AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f
        VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf
        X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA
        AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf
        gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA
        AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA
        AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA
        AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA
        AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2
        TzkVrtqsgOViBQ0=
        </data>
        <key>OSBundlePath</key>
        <string>/System/Library/Extensions/Sandbox.kext</string>
        <key>OSBundlePrelinked</key>
        <true/>
        <key>OSBundleRetainCount</key>
        <integer>0</integer>
        <key>OSBundleStarted</key>
        <true/>
        <key>OSBundleUUID</key>
        <data>
        FqyDtjZPORWu2qyA5WIFDQ==
        </data>
        <key>OSBundleWiredSize</key>
        <integer>36864</integer>
        <key>OSKernelResource</key>
        <false/>
</dict>
</plist>
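The fields of that record check each other: OSBundleMachOHeaders is a base64 copy of the kext's Mach-O header and load commands, so decoding it should show a __TEXT segment at OSBundleLoadAddress (2153734144 = 0x805F6000), segments whose vmsizes sum to OSBundleLoadSize (36864 = 0x9000), and an LC_UUID equal to OSBundleUUID. As an added example (not jkextstat's code), the Python below walks 32-bit Mach-O load commands and performs those checks on the blob above. Because the walker works on any 32-bit Mach-O, it also pulls the per-kext _PrelinkInfoDictionary entries out of a kernelcache's __PRELINK_INFO segment, which the example exercises on a constructed, minimal kernelcache-shaped file; the key names _PrelinkInfoDictionary and _PrelinkExecutableLoadAddr are the ones Apple's prelinker writes, and a real kernelcache must first be unwrapped from its IMG3 container and LZSS-decompressed, which this code does not do.

```python
"""Walk a 32-bit Mach-O's load commands (segments, sections, LC_UUID).  Added
example, not jkextstat's code.  Works on a jkextstat OSBundleMachOHeaders blob,
on a kext carved out of __PRELINK_TEXT, or on a kernelcache that has already
been unwrapped from IMG3 and LZSS-decompressed to a raw Mach-O."""
import base64
import plistlib
import struct
import uuid

MH_MAGIC = 0xFEEDFACE   # 32-bit little-endian Mach-O; cputype 12 = ARM, subtype 9 = armv7
LC_SEGMENT = 0x1
LC_UUID = 0x1B


def parse_macho32(blob):
    """Return header fields, the segments (each with its sections) and the UUID."""
    magic, cputype, cpusubtype, filetype, ncmds, _sizeofcmds, _flags = struct.unpack_from("<7I", blob, 0)
    if magic != MH_MAGIC:
        raise ValueError("not a 32-bit little-endian Mach-O (magic 0x%08x)" % magic)
    info = {"cputype": cputype, "cpusubtype": cpusubtype, "filetype": filetype,
            "segments": [], "uuid": None}
    off = 28                                        # sizeof(struct mach_header)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmd == LC_SEGMENT:                       # struct segment_command: 56 bytes
            segname, vmaddr, vmsize, fileoff, filesize, _maxprot, _initprot, nsects, _segflags = \
                struct.unpack_from("<16s8I", blob, off + 8)
            seg = {"name": segname.rstrip(b"\0").decode(), "vmaddr": vmaddr, "vmsize": vmsize,
                   "fileoff": fileoff, "filesize": filesize, "sections": []}
            for i in range(nsects):                 # struct section: 68 bytes each, right after the segment
                sectname, _seg, addr, size = struct.unpack_from("<16s16s2I", blob, off + 56 + 68 * i)
                seg["sections"].append((sectname.rstrip(b"\0").decode(), addr, size))
            info["segments"].append(seg)
        elif cmd == LC_UUID:                        # 8-byte command header, then the 16-byte UUID
            info["uuid"] = uuid.UUID(bytes=blob[off + 8:off + 24])
        off += cmdsize
    return info


def check_kext_headers(b64_headers, load_addr, load_size, b64_uuid):
    """Cross-check one jkextstat record: the decoded OSBundleMachOHeaders against
    OSBundleLoadAddress, OSBundleLoadSize and OSBundleUUID."""
    info = parse_macho32(base64.b64decode(b64_headers))
    segs = info["segments"]
    return {"info": info,
            "text_at_load_addr": segs[0]["name"] == "__TEXT" and segs[0]["vmaddr"] == load_addr,
            "sizes_add_up": sum(s["vmsize"] for s in segs) == load_size,
            "uuid_matches": info["uuid"] == uuid.UUID(bytes=base64.b64decode(b64_uuid))}


def prelink_info(kernelcache):
    """Return the per-kext dictionaries from a raw kernelcache's __PRELINK_INFO plist."""
    for seg in parse_macho32(kernelcache)["segments"]:
        if seg["name"] == "__PRELINK_INFO":
            raw = kernelcache[seg["fileoff"]:seg["fileoff"] + seg["filesize"]].rstrip(b"\0")
            return plistlib.loads(raw)["_PrelinkInfoDictionary"]
    raise ValueError("no __PRELINK_INFO segment: not a prelinked kernelcache?")


def build_sample_kernelcache(kexts):
    """Constructed stand-in for a kernelcache (not real data): an MH_EXECUTE image whose
    only load command is a __PRELINK_INFO segment holding the given kext dictionaries."""
    plist = plistlib.dumps({"_PrelinkInfoDictionary": kexts})
    header = struct.pack("<7I", MH_MAGIC, 12, 9, 2, 1, 56, 0)
    header += struct.pack("<2I16s8I", LC_SEGMENT, 56, b"__PRELINK_INFO",
                          0x80A00000, len(plist), 28 + 56, len(plist), 3, 3, 0, 0)
    return header + plist


# Copied from the jkextstat output above: OSBundleMachOHeaders and OSBundleUUID.
SANDBOX_HEADERS = (
    "zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA"
    "AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f"
    "VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf"
    "X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA"
    "AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf"
    "gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA"
    "AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA"
    "AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA"
    "AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA"
    "AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA"
    "AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2"
    "TzkVrtqsgOViBQ0=")
SANDBOX_UUID = "FqyDtjZPORWu2qyA5WIFDQ=="

if __name__ == "__main__":
    r = check_kext_headers(SANDBOX_HEADERS, 2153734144, 36864, SANDBOX_UUID)
    for seg in r["info"]["segments"]:
        print("%-6s vmaddr 0x%08x vmsize 0x%x" % (seg["name"], seg["vmaddr"], seg["vmsize"]))
        for name, addr, size in seg["sections"]:
            print("    %-9s 0x%08x size 0x%x" % (name, addr, size))
    print("uuid", r["info"]["uuid"], [r[k] for k in ("text_at_load_addr", "sizes_add_up", "uuid_matches")])
    print(prelink_info(build_sample_kernelcache(
        [{"CFBundleIdentifier": "com.apple.security.sandbox", "_PrelinkExecutableLoadAddr": 0x805F6000}])))
```

Run against the blob above it reports an MH_KEXT_BUNDLE (filetype 11) for armv7 with __TEXT at 0x805F6000 (sections __text at 0x805F6DCC, __cstring, __const) and __DATA at 0x805FE000 (__data, __bss, __common), a UUID of 16ac83b6-364f-3915-aeda-ac80e562050d, and all three cross-checks true; that section map is what you need to place a live kext's code in the disassembly of the unpacked kernelcache.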

External Links

Article by Stefan Esser about exploiting the kernel

See Also