Difference between revisions of "Kernel"
Revision as of 14:25, 10 February 2012
The kernel of iOS is the XNU kernel. Before iOS 2.0 it was vulnerable to the Ramdisk Hack and may still be, but iBoot no longer allows boot-args to be passed. The kernel is mapped at 0x80000000, giving a 2 GB/2 GB split between user space and kernel space, similar to the 32-bit Windows model. On older iOS versions the split was 3 GB/1 GB (the kernel mapped at 0xC0000000), closer to the Linux model. Note that this is not like 32-bit OS X, where the kernel resides in its own address space.
On production devices the kernel is always stored as a prelinked kernelcache at /System/Library/Caches/com.apple.kernelcaches/kernelcache. On development devices it is stored in its normal place, /mach_kernel. At boot, iBoot loads the kernelcache, decompresses it and transfers control to it.
Contrary to common belief, the iOS XNU kernel is very similar to the OS X one. This includes kernel extensions (KEXTs) and the IOKit, which is implemented in full. iOS does not have loose KEXT bundles lying around the file system, but the KEXTs are present nonetheless: the kernelcache can be unpacked to reveal the kernel proper along with the KEXTs (their Mach-O images packed into the __PRELINK_TEXT segment) and their Info.plist dictionaries (in the __PRELINK_INFO segment).
The kextstat supplied by Cydia does not work on iOS, because it relies on kmod_get_info(), an API that recent iOS and OS X releases no longer support. The kexts do exist, though. The following is the listing produced by a custom command, jkextstat (which does work on iOS), on the author's iPod 4G:
Podicum:~ root# ./kextstat
  0 __kernel__
  1 kpi.bsd
  2 kpi.dsep
  3 kpi.iokit
  4 kpi.libkern
  5 kpi.mach
  6 kpi.private
  7 kpi.unsupported
  8 driver.AppleARMPlatform <1 3 4 5 6 7>
  9 iokit.IOStorageFamily <1 3 4 5 6 7>
  10 driver.DiskImages <1 3 4 5 6 7 9>
  11 driver.FairPlayIOKit <1 3 4 5 6 7>
  12 driver.IOSlaveProcessor <3 4>
  13 driver.IOP_s5l8930x_firmware <3 4 12>
  14 iokit.AppleProfileFamily <1 3 4 5 6 7>
  15 iokit.IOCryptoAcceleratorFamily <1 3 4 5 7>
  16 driver.AppleMobileFileIntegrity <1 2 3 4 5 6 7 15>
  17 iokit.IONetworkingFamily <1 3 4 5 6 7>
  18 iokit.IOUserEthernet <1 3 4 5 6 16 17>
  19 platform.AppleKernelStorage <3 4 7>
  20 iokit.IOSurface <1 3 4 5 6 7 8>
  21 iokit.IOStreamFamily <3 4 5>
  22 iokit.IOAudio2Family <1 3 4 5 21>
  23 driver.AppleAC3Passthrough <1 3 4 5 7 8 11 21 22>
  24 iokit.EncryptedBlockStorage <1 3 4 5 9 15>
  25 iokit.IOFlashStorage <1 3 4 5 7 9 24>
  26 driver.AppleEffaceableStorage <1 3 4 5 7 8 25>
  27 driver.AppleKeyStore <1 3 4 5 6 7 15 16 26>
  28 kext.AppleMatch <1 4>
  29 security.sandbox <1 2 3 4 5 6 7 16 28>
  30 driver.AppleS5L8930X <1 3 4 5 7 8>
  31 iokit.IOHIDFamily <1 3 4 5 6 7 16>
  32 driver.AppleM68Buttons <1 3 4 5 7 8 31>
  33 iokit.IOUSBDeviceFamily <1 3 4 5>
  34 iokit.IOSerialFamily <1 3 4 5 6 7>
  35 driver.AppleOnboardSerial <1 3 4 5 7 34>
  36 iokit.IOAccessoryManager <3 4 5 7 8 33 34 35>
  37 driver.AppleProfileTimestampAction <1 3 4 5 14>
  38 driver.AppleProfileThreadInfoAction <1 3 4 6 14>
  39 driver.AppleProfileKEventAction <1 3 4 14>
  40 driver.AppleProfileRegisterStateAction <1 3 4 14>
  41 driver.AppleProfileCallstackAction <1 3 4 5 6 14>
  42 driver.AppleProfileReadCounterAction <3 4 6 14>
  43 driver.AppleARMPL192VIC <3 4 5 7 8>
  44 driver.AppleCDMA <1 3 4 5 7 8 15>
  45 driver.IODARTFamily <3 4 5>
  46 driver.AppleS5L8930XDART <1 3 4 5 7 8 45>
  47 iokit.IOSDIOFamily <1 3 4 5 7>
  48 driver.AppleIOPSDIO <1 3 4 5 7 8 12 47>
  49 driver.AppleIOPFMI <1 3 4 5 7 8 12 25>
  50 driver.AppleSamsungSPI <1 3 4 5 7 8>
  51 driver.AppleSamsungSerial <1 3 4 5 7 8 34 35>
  52 driver.AppleSamsungPKE <3 4 5 7 8 15>
  53 driver.AppleS5L8920X <1 3 4 5 7 8>
  54 driver.AppleSamsungI2S <1 3 4 5 7 8>
  55 driver.AppleEmbeddedUSB <1 3 4 5 7 8>
  56 driver.AppleS5L8930XUSBPhy <1 3 4 5 7 8 55>
  57 iokit.IOUSBFamily <1 3 4 5 7>
  58 driver.AppleUSBEHCI <1 3 4 5 7 57>
  59 driver.AppleUSBComposite <1 3 4 57>
  60 driver.AppleEmbeddedUSBHost <1 3 4 5 7 55 57 59>
  61 driver.AppleUSBOHCI <1 3 4 5 57>
  62 driver.AppleUSBOHCIARM <3 4 5 8 55 57 60 61>
  63 driver.AppleUSBHub <1 3 4 5 57>
  64 driver.AppleUSBEHCIARM <3 4 5 8 55 57 58 60 63>
  65 driver.AppleS5L8930XUSB <1 3 4 5 7 8 55 57 58 60 61 62 64>
  66 driver.AppleARM7M <3 4 8 12>
  67 driver.EmbeddedIOP <3 4 5 12>
  68 driver.AppleVXD375 <1 3 4 5 7 8 11>
  69 driver.AppleD1815PMU <1 3 4 5 7 8 31>
  70 iokit.AppleARMIISAudio <1 3 4 5 7 22>
  71 driver.AppleEmbeddedAudio <1 3 4 5 7 8 22 31 70>
  72 driver.AppleCS42L59Audio <3 4 5 8 22 31 70 71>
  73 driver.AppleEmbeddedAccelerometer <3 4 5 7 8 31>
  74 driver.AppleEmbeddedGyro <1 3 4 5 7 8 31>
  75 driver.AppleEmbeddedLightSensor <3 4 5 7 8 31>
  76 iokit.IOAcceleratorFamily <1 3 4 5 7 8>
  77 IMGSGX535 <1 3 4 5 7 8 76>
  78 driver.H2H264VideoEncoderDriver <1 3 4 5 7 8>
  79 driver.AppleJPEGDriver <1 3 4 5 7 8>
  80 driver.AppleH3CameraInterface <1 3 4 5 7 8>
  81 driver.AppleM2ScalerCSCDriver <1 3 4 5 7 8 45>
  82 iokit.IOMobileGraphicsFamily <1 3 4 5 7 8>
  83 driver.AppleDisplayPipe <1 3 4 5 7 8 82>
  84 driver.AppleCLCD <1 3 4 5 7 8 82 83>
  85 driver.AppleSamsungMIPIDSI <1 3 4 5 7 8>
  86 driver.ApplePinotLCD <1 3 4 5 7 8>
  87 driver.AppleSamsungSWI <1 3 4 5 7 8>
  88 iokit.IODisplayPortFamily <1 3 4 5 6 7 22>
  89 driver.AppleRGBOUT <1 3 4 5 7 8 82 83 88>
  90 driver.AppleTVOut <1 3 4 5 7 8>
  91 driver.AppleAMC_r2 <1 3 4 5 7 8 11 21 22>
  92 driver.AppleSamsungDPTX <3 4 5 7 8 88>
  93 driver.AppleSynopsysOTGDevice <1 3 4 5 7 8 33 55>
  94 driver.AppleNANDFTL <1 3 4 5 7 9 25>
  95 driver.AppleNANDLegacyFTL <1 3 4 5 9 25 94>
  96 AppleFSCompression.AppleFSCompressionTypeZlib <1 2 3 4 6>
  97 IOTextEncryptionFamily <1 3 4 5 7 11>
  98 driver.AppleBSDKextStarter <3 4>
  99 nke.ppp <1 3 4 5 6 7>
  100 nke.l2tp <1 3 4 5 6 7 99>
  101 nke.pptp <1 3 4 5 6 7 99>
  102 iokit.IO80211Family <1 3 4 5 6 7 17>
  103 driver.AppleBCMWLANCore <1 3 4 5 6 7 8 17 102>
  104 driver.AppleBCMWLANBusInterfaceSDIO <1 3 4 5 6 7 8 47 103>
  105 driver.AppleDiagnosticDataAccessReadOnly <1 3 4 5 7 8 94>
  106 driver.LightweightVolumeManager <1 3 4 5 9 15 24 26>
  107 driver.IOFlashNVRAM <1 3 4 5 6 7 25>
  108 driver.AppleNANDFirmware <1 3 4 5 25>
  109 driver.AppleImage3NORAccess <1 3 4 5 7 8 15 108>
  110 driver.AppleBluetooth <1 3 4 5 7 8>
  111 driver.AppleMultitouchSPI <1 3 4 5 7 8>
  112 driver.AppleUSBMike <1 3 4 5 8 22 33>
  113 driver.AppleUSBDeviceMux <1 3 4 5 6 7 33>
  114 driver.AppleUSBEthernetDevice <1 3 4 5 6 8 17 33>
For a specific extension, e.g. the sandbox, the full information is also accessible, including the handy load address: the OSBundleLoadAddress below, 2153734144, is 0x805F6000, which lies inside the kernel's 0x80000000 mapping.
Podicum:~ root# ./jkextstat -b sandbox -x
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.security.sandbox</string>
  <key>CFBundleVersion</key>
  <string>154.7</string>
  <key>OSBundleCPUSubtype</key>
  <integer>9</integer>
  <key>OSBundleCPUType</key>
  <integer>12</integer>
  <key>OSBundleDependencies</key>
  <array>
    <integer>6</integer>
    <integer>7</integer>
    <integer>5</integer>
    <integer>3</integer>
    <integer>28</integer>
    <integer>1</integer>
    <integer>4</integer>
    <integer>16</integer>
    <integer>2</integer>
  </array>
  <key>OSBundleExecutablePath</key>
  <string>/System/Library/Extensions/Sandbox.kext/Sandbox</string>
  <key>OSBundleIsInterface</key>
  <false/>
  <key>OSBundleLoadAddress</key>
  <integer>2153734144</integer>
  <key>OSBundleLoadSize</key>
  <integer>36864</integer>
  <key>OSBundleLoadTag</key>
  <integer>29</integer>
  <key>OSBundleMachOHeaders</key>
  <data>
  zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA
  AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f
  VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf
  X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA
  AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf
  gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA
  AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA
  AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA
  AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA
  AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2
  TzkVrtqsgOViBQ0=
  </data>
  <key>OSBundlePath</key>
  <string>/System/Library/Extensions/Sandbox.kext</string>
  <key>OSBundlePrelinked</key>
  <true/>
  <key>OSBundleRetainCount</key>
  <integer>0</integer>
  <key>OSBundleStarted</key>
  <true/>
  <key>OSBundleUUID</key>
  <data>
  FqyDtjZPORWu2qyA5WIFDQ==
  </data>
  <key>OSBundleWiredSize</key>
  <integer>36864</integer>
  <key>OSKernelResource</key>
  <false/>
</dict>
(The tool itself will be released soon)
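The OSBundleMachOHeaders value above is the Sandbox kext's own Mach-O header, base64-encoded, so the plist numbers can be checked against it directly. The following C program is an added example, not code from The iPhone Wiki or from jkextstat: it decodes that blob (copied verbatim) and walks the 32-bit Mach-O load commands, printing each segment and section with its address. It assumes a little-endian 32-bit ARM image, which is what CPU type 12 / subtype 9 in the plist describes, and redefines the few Mach-O constants and struct offsets it needs so that it builds on any host. The same segment walker, pointed at a decompressed 32-bit kernelcache instead of this blob, is what reveals the __PRELINK_TEXT and __PRELINK_INFO segments described earlier.

```c
/* Added example (not from The iPhone Wiki or jkextstat): base64-decode the
 * OSBundleMachOHeaders blob printed above for com.apple.security.sandbox and walk
 * its 32-bit little-endian Mach-O load commands to cross-check the plist fields. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char SANDBOX_HDR_B64[] =  /* copied verbatim from the jkextstat output above */
    "zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA"
    "AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f"
    "VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf"
    "X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA"
    "AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf"
    "gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA"
    "AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA"
    "AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA"
    "AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA"
    "AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA"
    "AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2"
    "TzkVrtqsgOViBQ0=";

#define MH_MAGIC   0xfeedfaceu  /* values as in <mach-o/loader.h>, redefined to build anywhere */
#define LC_SEGMENT 0x1u
#define LC_UUID    0x1bu

struct kext_info {
    uint32_t cputype, cpusubtype, filetype, ncmds, nsegs, nsects;
    uint32_t text_vmaddr, text_vmsize, data_vmaddr, data_vmsize; /* __TEXT / __DATA segments */
    uint32_t text_sect_addr;                                      /* __TEXT,__text section   */
    uint8_t  uuid[16]; int has_uuid;                              /* from LC_UUID            */
};
struct kext_info g_sandbox;  /* filled in by analyze_sandbox_header() */

static int b64_val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Base64 decode, whitespace tolerated; returns byte count, or -1 on bad input or overflow. */
static int b64_decode(const char *s, uint8_t *out, size_t cap) {
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (; *s && *s != '='; s++) {
        int v;
        if (*s == ' ' || *s == '\n') continue;
        if ((v = b64_val((unsigned char)*s)) < 0) return -1;
        acc = (acc << 6) | (uint32_t)v; bits += 6;
        if (bits >= 8) {
            if (n >= cap) return -1;
            bits -= 8; out[n++] = (uint8_t)(acc >> bits);
        }
    }
    return (int)n;
}

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the load commands.  Every offset is checked against len before it is read,
 * so a truncated or hostile blob is rejected instead of being read past the buffer. */
static int parse_macho32(const uint8_t *b, size_t len, struct kext_info *k) {
    if (len < 28 || le32(b) != MH_MAGIC) return -1;
    k->cputype = le32(b + 4); k->cpusubtype = le32(b + 8);
    k->filetype = le32(b + 12); k->ncmds = le32(b + 16);
    if (le32(b + 20) > len - 28) return -1;  /* sizeofcmds must fit in the blob */
    size_t off = 28;
    for (uint32_t i = 0; i < k->ncmds; i++) {
        if (len - off < 8) return -1;
        uint32_t cmd = le32(b + off), cmdsize = le32(b + off + 4);
        if (cmdsize < 8 || cmdsize > len - off) return -1;
        if (cmd == LC_SEGMENT && cmdsize >= 56) {  /* segment_command: segname@8 vmaddr@24 vmsize@28 nsects@48 */
            const uint8_t *seg = b + off;
            char name[17] = {0}; memcpy(name, seg + 8, 16);
            uint32_t vmaddr = le32(seg + 24), vmsize = le32(seg + 28), nsects = le32(seg + 48);
            if (nsects > (cmdsize - 56) / 68) return -1;  /* each 32-bit section struct is 68 bytes */
            printf("segment %-14s vmaddr 0x%08x vmsize 0x%x nsects %u\n", name, vmaddr, vmsize, nsects);
            if (!strcmp(name, "__TEXT")) { k->text_vmaddr = vmaddr; k->text_vmsize = vmsize; }
            if (!strcmp(name, "__DATA")) { k->data_vmaddr = vmaddr; k->data_vmsize = vmsize; }
            for (uint32_t j = 0; j < nsects; j++) {  /* section: sectname@0 addr@32 size@36 */
                const uint8_t *sc = seg + 56 + j * 68;
                char sect[17] = {0}; memcpy(sect, sc, 16);
                printf("  section %-14s addr 0x%08x size 0x%x\n", sect, le32(sc + 32), le32(sc + 36));
                if (!strcmp(name, "__TEXT") && !strcmp(sect, "__text")) k->text_sect_addr = le32(sc + 32);
            }
            k->nsegs++; k->nsects += nsects;
        } else if (cmd == LC_UUID && cmdsize >= 24) {
            memcpy(k->uuid, b + off + 8, 16); k->has_uuid = 1;
        }
        off += cmdsize;
    }
    return 0;
}

/* Decode the embedded header into g_sandbox; returns 0 on success, -1 if malformed. */
int analyze_sandbox_header(void) {
    uint8_t buf[1024];
    int n = b64_decode(SANDBOX_HDR_B64, buf, sizeof buf);
    memset(&g_sandbox, 0, sizeof g_sandbox);
    return n < 0 ? -1 : parse_macho32(buf, (size_t)n, &g_sandbox);
}

int main(void) {
    if (analyze_sandbox_header() != 0) { fputs("malformed Mach-O header\n", stderr); return 1; }
    printf("filetype 0x%x cputype %u/%u load address 0x%08x (%u) load size 0x%x (%u)\n",
           g_sandbox.filetype, g_sandbox.cputype, g_sandbox.cpusubtype, g_sandbox.text_vmaddr,
           g_sandbox.text_vmaddr, g_sandbox.text_vmsize + g_sandbox.data_vmsize,
           g_sandbox.text_vmsize + g_sandbox.data_vmsize);
    return 0;
}
```

Three things fall out of the walk that the plist only states: the filetype is 0xb (MH_KEXT_BUNDLE), the __TEXT segment's vmaddr decodes to 0x805F6000, which is exactly OSBundleLoadAddress (2153734144), and __TEXT (0x8000 bytes) plus __DATA (0x1000 bytes, starting right after it at 0x805FE000) add up to 0x9000 = 36864 = OSBundleLoadSize. The LC_UUID bytes are the same ones OSBundleUUID carries. Both segments sit in the 0x80000000 kernel mapping described at the top of the page, which is why a prelinked kext's load address can be read straight out of its own header once the kernelcache has been unpacked.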
External Links
Article by Stefan Esser about exploiting the kernel