Difference between revisions of "Kernel"

The '''kernel''' of [[iOS]] is the [[wikipedia:XNU|XNU]] kernel. Pre-2.0, it was vulnerable to the [[Ramdisk Hack]] and may still be, but iBoot doesn't allow boot-args to be passed anymore. It is mapped to memory at 0x80000000, forcing a 2/2GB address separation, similar to Windows 32-bit model. On older iOS versions the separation was 3/1 (mapping the kernel at 0xC0000000), closer to the Linux model.

Note, that this is NOT like 32-bit OS X, wherein the kernel resides in its own address space, but more like OS X 64-bit, wherein CR3 is shared (albeit an address space larger by several orders of magnitude). See the appropriate [[#64-bit|section]]

== [[ASLR]] ==

{{main|Kernel ASLR}}

As of [[iOS]] 6, the kernel is subject to ASLR, much akin to Mountain Lion (OS X 10.8). This make exploitation harder as the location of kernel code cannot be known.

On production and development devices, the kernel is always stored as a statically linked [[kernelcache|cache]] stored at [[/System/Library/Caches/com.apple.kernelcaches/kernelcache]] that is decompressed and run on startup.

== Stack ==

The kernel maintains thread specific stacks by calling kernel_memory_allocate, this allocates stacks in the specified kalloc zone. The bootstrap thread has its own specific static kernel stack, which is specified by _intstack. IRQ and FIQ handlers will also have their own execution stack which is specified by _irqstack.

== Boot-Args ==

Like its OS X counterpart, iOS's XNU accepts command line arguments (though the actual passing of arguments is done by iBoot, which as of late refuses to do so). Arguments may be directed at the kernel proper, or any one of the many KExts (discussed below). The arguments of the kernel are largely the same as those of OS X.

Kexts use boot-args as well, as can be seen when disassembly by calls to PE_parse_boot_argn (usually exported, _PE_parse_boot_argn 8027A8EC on the iOS 6.1.3 kernel, discovered by [[User:Haifisch|Haifisch]]). Finding references (using IDA) reveals hundreds places in the code wherein arguments are parsed in modules, pertaining to Flash, HDMI, and [[AppleMobileFileIntegrity|AMFI]].

Here's a list of boot-args extracted with the [https://github.com/pod2g/ios_stuff/tree/master/idc-ios-boot-args IDA script] by [[User:MuscleNerd|MuscleNerd]]:

_nand-part-poison

_panicd_corename

_panicd_ip

_router_ip

acc_debug

aesdev

als_enable_debug

amfi

amfi_allow_any_signature

amfi_get_out_of_my_way

amfi_unrestrict_task_for_pid

AppleEmbeddedUSBArbitrator-debug

AppleS5L8930XUSBArbitrator-debug

AppleUSBPhy-debug

arm7m-enable-jtag

-b

backlight-level

backlight-logging

baseband-spi-sclk-period

bcom.chip.driveStrength_mA

bcom.chip.watermark

bcom.clock.sd-rate

bcom.devif.fn2-block-size

bcom.devif.rx-retries

bcom.devif.transaction-log

bcom.devif.tx-retries

bcom.feature.flags

bcom.ps.inactivity.timeout

bcom.wte.thread-priority

boot-uuid

brightness

burnin-size

cameraclocks

charger-debug

cpus

cs_debug

cs_enforcement_disable

darkwake

dart

dcc

debug

disable-usb-iap

dp_async_event_fail_hard

dp_audio_driver_level

dp_audio_driver_mask

dp_audio_interface_level

dp_audio_interface_mask

dp_controller_level

dp_controller_mask

dp_device_level

dp_device_mask

dp_display_interface_level

dp_display_interface_mask

dp_interface_level

dp_interface_mask

dp_log_level

dp_max_channel_count_lpcm

dp_max_sample_rate_lpcm

dp_max_sample_size_lpcm

dp_min_channel_count_lpcm

dp_min_sample_rate_lpcm

dp_min_sample_size_lpcm

dp_service_level

dp_service_mask

dpsm

dvb

dvc

dvd

effaceable-enable-full-scan

effaceable-enable-wipe

enable-acsleep

fairshare_minblockedtime

fill

fixedpriority_quantum

fix-parity

force-usb-host

force-usb-power

hdmi_max_channel_count_lpcm

hdmi_max_sample_rate_lpcm

hdmi_max_sample_size_lpcm

hdmi_min_channel_count_lpcm

hdmi_min_sample_rate_lpcm

hdmi_min_sample_size_lpcm

hdmi_protection_type

hp-detect-invert

hp-pop-workaround

hp-switch-force-config

hp-switch-ramp

hsic

i2c-logsize

i2c-verbose

ifa_debug

ifnet_debug

initmcl

io

iopfmi-timeout

iotrace

jpeg-log

jtag

kdp_crashdump_pkt_size

kdp_ip_addr

kdp_match_mac

kdp_match_name

keepsyms

kextlog

link_recovery_enabled

mbuf_debug

mbuf_pool

mcache_flags

mleak_sample_factor

mseg

msgbuf

mt-bytes

mt-strings

mtxspin

nand-boot-malloc

nand-check-vs

nand-commands

nand-disable-driver

nand-dump-vs-table

nand-enable-adm

nand-enable-reformat

nand-enable-yaftl

nand-erase

nand-erase-install

nand-fbbt-publish

nand-force-restore

nand-idle-timeout-ms

nand-ignore-ptab

nand-index-cache-size

nand-latency-us

nand-max-pages

nand-neuralize

nand-nvram-debug

nand-ppn-debug

nand-ppn-vs-debug

nand-qual

nand-queue-entries

nand-read-blocks-max

nand-read-dccycle-clks

nand-read-hold-clks

nand-readonly

nand-read-setup-clks

nand-reorder-defer-max

nand-reorder-defer-size-trigger

nand-reorder-read-promote-max

nand-reset-burnin

nand-save-rma-data

nand-set-rma

nand-sftl-cache-drain

nand-sleep-debug-panic

nand-slow-timings

nand-wearlevel-timeout-ms

nand-whiten-metadata

nand-wipe

nand-write-blocks-max

nand-write-hold-clks

nand-write-setup-clks

nbuf

ncl

net.inet6.ip6.scopedroute

net_affinity

net_rtref

network-type

-no64exec

-novfscache

panicd_port

pcp

pctb

pdmvr

pio-error

pmu-chargetrap

pmu-debug

ppn-clean

-progress

prox_enable_debug

pthtest

rd

remote_nmi

rootdev

-s

sdio.clock.base-rate

sdio.clock.sd-rate

sdio.debug.abort-init

sdio.debug.init-delay

sdio.log.flags

sdio.log.level

sdio.transfer.max-pio-blocks

sdio.transfer.max-pio-size

sdio.transfer.mode

serial

sgx_panic_on_recovery

shadev

slto_us

socket_debug

torchcltm0

usb

usb_dev_nmi

usb_dev_reset

-vnode_cache_defeat

wdt

wfi

wlan.ap.channel

wlan.debug.abort-init

wlan.debug.generate-mac

wlan.log.flags

wlan.log.level

wlan.log.timestamp

wlan.netmanager.stats-timer-interval

wlan.panic.factory

wqsize

WTE

-x

== Versions ==

iOS has consistently maintained a higher kernel version than the corresponding version of OS X. At the time of writing, OS X Mavericks' XNU is 2422, whereas iOS is 2423. This is not surprising, considering that iOS has novel features (such as [[Kernel ASLR]], the default freezer, and various security hardening features) which are first incorporated in it, and only later make it to OS X. The following demonstrates the two OS versions at present:

OS X Mavericks 10.9:

Darwin Kernel Version 13.0.0: Thu Sep 19 22:22:27 PDT 2013; root:xnu-2422.1.72~6/RELEASE_X86_64 x86_64

iOS 7.0.4:

Darwin Kernel Version 14.0.0: Fri Sep 27 23:08:32 PDT 2013; root:xnu-2423.3.12~1/RELEASE_ARM_[[S5L8960]]X

Note: The RELEASE_ARM_xxxxxxxx file obviously differs on device / CPU and the time varies by a few minutes per device.

=== Version List ===

The compilation date for each version will vary slightly between processors. This is due to the fact that compilations are sequential.

{| class="wikitable sortable" style="font-size: smaller; text-align: center;"

|-

! Version

! Build

! Comment

|-

| [[Alpine 1A420 (iPhone)|1A420]]

| Darwin Kernel Version 4.4.2-Purple-19: Thu Mar 8 01:43:04 PST 2007; root:xnu-933.0.14~46/RELEASE_ARM_S5L8900XRB

| from prototype - not sure if version is 100% correct.

|-

| 1.0

| Darwin Kernel Version 9.0.0d1: Tue May 22 21:15:54 PDT 2007; root:xnu-933.0.178/RELEASE_ARM_S5L8900XRB

| rowspan="3" | Not sure if version is 100% correct.

|-

| 1.0.1

| class="rborderplz" rowspan="2" | Darwin Kernel Version 9.0.0d1: Fri Jun 22 00:38:56 PDT 2007; root:xnu-933.1.178~1/RELEASE_ARM_S5L8900XRB

|-

| class="rborderplz" | 1.0.2

|-

| 1.1.1

| Darwin Kernel Version 9.0.0d1: Wed Sep 19 00:08:42 PDT 2007; root:xnu-933.0.203~21/RELEASE_ARM_S5L8900XRB

| First kernel that was [[8900_File_Format#8900|8900]] encrypted - not sure if version is 100% correct.

|-

| 1.1.2

| Darwin Kernel Version 9.0.0d1: Wed Oct 10 00:07:49 PDT 2007; root:xnu-933.0.204~7/RELEASE_ARM_S5L8900XRB

| Not sure if version is 100% correct.

|-

| 1.1.3

| rowspan="3" | Darwin Kernel Version 9.0.0d1: Wed Dec 12 00:16:00 PST 2007; root:xnu-933.0.211~2/RELEASE_ARM_S5L8900XRB

|

|-

| 1.1.4

|

|-

| 1.1.5

| iPod touch only

|-

| 2.0

| Darwin Kernel Version 9.3.1: Sun Jun 15 21:37:01 PDT 2008; root:xnu-1228.6.76~45/RELEASE_ARM_[[S5L8900]]X

|

|-

| 2.0.1

| ?

|

|-

| 2.0.2

| ?

|

|-

| 2.1

| ?

|

|-

| 2.1.1

| Darwin Kernel Version 9.4.1: Sun Aug 10 21:25:25 PDT 2008; root:xnu-1228.7.27~12/RELEASE_ARM_[[S5L8720]]X

|

|-

| 2.2

| Darwin Kernel Version 9.4.1: Sat Nov 1 19:13:13 PDT 2008; root:xnu-1228.7.36~2/RELEASE_ARM_[[S5L8720]]X

|

|-

| 2.2.1

| Darwin Kernel Version 9.4.1: Mon Dec 8 21:02:57 PST 2008; root:xnu-1228.7.37~4/RELEASE_ARM_[[S5L8720]]X

|

|-

| 3.0

| rowspan="2" | Darwin Kernel Version 10.0.0d3: Wed May 13 22:16:49 PDT 2009; root:xnu-1357.2.89~4/RELEASE_ARM_[[S5L8920]]X

|

|-

| 3.0.1

|

|-

| 3.1

| Darwin Kernel Version 10.0.0d3: Fri Aug 14 13:23:32 PDT 2009; root:xnu-1357.5.30~2/RELEASE_ARM_[[S5L8920]]X

|

|-

| 3.1.2

| Darwin Kernel Version 10.0.0d3: Fri Sep 25 23:35:35 PDT 2009; root:xnu-1357.5.30~3/RELEASE_ARM_[[S5L8920]]X

|

|-

| 3.1.3

| Darwin Kernel Version 10.0.0d3: Fri Dec 18 01:34:28 PST 2009; root:xnu-1357.5.30~6/RELEASE_ARM_[[S5L8920]]X

|

|-

| 3.2

| Darwin Kernel Version 10.3.1: Mon Mar 15 23:15:33 PDT 2010; root:xnu-1504.2.27~18/RELEASE_ARM_[[S5L8930]]X

| rowspan="3" | iPad Only

|-

| 3.2.1

| class="rborderplz" | Darwin Kernel Version 10.3.1: Fri May 28 16:46:17 PDT 2010; root:xnu-1504.2.50~4/RELEASE_ARM_[[S5L8930]]X

|-

| 3.2.2

| class="rborderplz" | Darwin Kernel Version 10.3.1: Wed Aug 4 19:08:04 PDT 2010; root:xnu-1504.2.60~1/RELEASE_ARM_[[S5L8930]]X

|-

| 4.0

| rowspan="2" | Darwin Kernel Version 10.3.1: Wed May 26 22:28:33 PDT 2010; root:xnu-1504.50.73~2/RELEASE_ARM_[[S5L8930]]X

|

|-

| 4.0.1

|

|-

| 4.0.2

| Darwin Kernel Version 10.3.1: Wed Aug 4 18:46:06 PDT 2010; root:xnu-1504.50.80~1/RELEASE_ARM_[[S5L8930]]X

|

|-

| 4.1

| Darwin Kernel Version 10.3.1: Wed Aug 4 22:35:51 PDT 2010; root:xnu-1504.55.33~10/RELEASE_ARM_[[S5L8930]]X

|

|-

| 4.2.1

| Darwin Kernel Version 10.4.0: Wed Oct 20 20:14:45 PDT 2010; root:xnu-1504.58.28~3/RELEASE_ARM_[[S5L8930]]X

|

|-

| 4.3

| rowspan="2" | Darwin Kernel Version 11.0.0: Thu Feb 10 21:46:56 PST 2011; root:xnu-1735.46~2/RELEASE_ARM_[[S5L8930]]X

|

|-

| 4.3.1

|

|-

| 4.3.2

| rowspan="2" | Darwin Kernel Version 11.0.0: Wed Mar 30 18:51:10 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_[[S5L8930]]X

|

|-

| 4.3.3

|

|-

| 4.3.4

| rowspan="2" | Darwin Kernel Version 11.0.0: Sat Jul 9 00:59:43 PDT 2011; root:xnu-1735.47~1/RELEASE_ARM_[[S5L8930]]X

|

|-

| 4.3.5

|

|-

| 5.0

| Darwin Kernel Version 11.0.0: Thu Sep 15 23:34:43 PDT 2011; root:xnu-1878.4.43~2/RELEASE_ARM_[[S5L8940]]X

|

|-

| 5.0.1

| Darwin Kernel Version 11.0.0: Tue Nov 1 20:34:16 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_[[S5L8940]]X

|

|-

| 5.1b

| Darwin Kernel Version 11.0.0: Sun Nov 13 19:10:13 PST 2011; root:xnu-1878.10.61~7/RELEASE_ARM_[[S5L8930]]X

|

|-

| 5.1

| Darwin Kernel Version 11.0.0: Wed Feb 1 23:18:07 PST 2012; root:xnu-1878.11.8~1/RELEASE_ARM_[[S5L8945]]X

|

|-

| 5.1.1

| Darwin Kernel Version 11.0.0: Sun Apr 8 21:51:26 PDT 2012; root:xnu-1878.11.10~1/RELEASE_ARM_[[S5L8930]]X

|

|-

| 6.0b

| Darwin Kernel Version 13.0.0: Wed May 30 19:23:03 PDT 2012; root:xnu-2107.1.78~18/RELEASE_ARM_[[S5L8930]]X

|

|-

| 6.0

| Darwin Kernel Version 13.0.0: Sun Aug 19 00:31:06 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_[[S5L8950]]X

|

|-

| 6.0.1

| rowspan="2" | Darwin Kernel Version 13.0.0: Wed Oct 10 23:32:19 PDT 2012; root:xnu-2107.2.34~2/RELEASE_ARM_[[S5L8950]]X

|

|-

| 6.0.2

| iPhone 5 only.

|-

| 6.1b

| Darwin Kernel Version 13.0.0: Sun Oct 21 19:28:43 PDT 2012; root:xnu-2107.7.51~17/RELEASE_ARM_[[S5L8930]]X

|

|-

| 6.1b2

| Darwin Kernel Version 13.0.0: Sun Nov 4 19:02:54 PST 2012; root:xnu-2107.7.53~2/RELEASE_ARM_[[S5L8930]]X

|

|-

| 6.1b3

| Darwin Kernel Version 13.0.0: Mon Nov 26 21:17:13 PST 2012; root:xnu-2107.7.53~27/RELEASE_ARM_[[S5L8930]]X

|

|-

| 6.1b4

| Darwin Kernel Version 13.0.0: Sun Dec 9 19:22:45 PST 2012; root:xnu-2107.7.55~6/RELEASE_ARM_[[S5L8930]]X

|

|-

| 6.1b5

| rowspan="5" | Darwin Kernel Version 13.0.0: Sun Dec 16 20:01:39 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_[[S5L8950]]X

|

|-

| 6.1

|

|-

| 6.1.1b

|

|-

| 6.1.1

| iPhone 4S only

|-

| 6.1.2

|

|-

| 6.1.3b2

| rowspan="4" | Darwin Kernel Version 13.0.0: Wed Feb 13 21:36:52 PST 2013; root:xnu-2107.7.55.2.2~1/RELEASE_ARM_[[S5L8930]]X

|

|-

| 6.1.3

|

|-

| 6.1.4

| iPhone 5 only.

|-

| 6.1.5

| iPod touch 4 only.

|-

| 7.0b

| Darwin Kernel Version 14.0.0: Wed May 29 23:53:59 PDT 2013; root:xnu-2423.1.1.1.2~1/RELEASE_ARM_[[S5L8930]]X

|

|-

| 7.0b2

| Darwin Kernel Version 14.0.0: Mon Jun 17 00:51:51 PDT 2013; root:xnu-2423.1.28~7/RELEASE_ARM_[[S5L8930]]X

|

|-

| 7.0b3

| Darwin Kernel Version 14.0.0: Mon Jul 1 04:25:28 PDT 2013; root:xnu-22423.1.40~11/RELEASE_ARM_[[S5L8930]]X

|

|-

| 7.0b4

| Darwin Kernel Version 14.0.0: Mon Jul 22 02:12:11 PDT 2013; root:xnu-2423.1.55~8/RELEASE_ARM_[[S5L8930]]X

|

|-

| 7.0b5

| rowspan="2" | Darwin Kernel Version 14.0.0: Sun Aug 4 22:40:14 PDT 2013; root:xnu-2423.1.70~6/RELEASE_ARM_[[S5L8930]]X

|

|-

| 7.0b6

|

|-

| 7.0[[Golden Master|GM]]

| rowspan="2" | Darwin Kernel Version 14.0.0: Tue Aug 13 21:39:05 PDT 2013; root:xnu-2423.1.73~3/RELEASE_ARM_[[S5L8930]]X

|

|-

| 7.0

|

|-

| 7.0.1

| rowspan="2" | Darwin Kernel Version 14.0.0: Mon Sep 9 20:56:02 PDT 2013; root:xnu-2423.1.74~2/RELEASE_ARM64_[[S5L8960]]X

| [[iPhone 5c]] and [[iPhone 5s|5s]] only

|-

| 7.0.2

|

|-

| 4.3.5 (Custom)

| Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:16:22 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEVELOPMENT_ARM_[[S5L8930]]X

| [[User:Winocm|winocm]]'s custom kernel.

|-

| 7.0.3

| rowspan="2" | Darwin Kernel Version 14.0.0: Fri Sep 27 23:08:32 PDT 2013; root:xnu-2423.3.12~1/RELEASE_ARM_[[S5L8960]]X

|

|-

| 7.0.4

|

|-

| 7.1b

| Darwin Kernel Version 14.0.0: Mon Nov 11 04:18:01 PST 2013; root:xnu-2423.10.33~9/RELEASE_ARM_[[S5L8930]]X

== Source Code ==

As XNU is based off of the [[wikipedia:Berkeley Software Distribution|BSD kernel]], it is [http://opensource.apple.com/source/xnu open source]. The source is under a [http://opensource.apple.com/license/bsd/ 3-clause BSD License] for the original BSD portions with the portions added by Apple under the [http://opensource.apple.com/license/apsl/ Apple Public Source License]. The [[#Versions|versions contained in iOS]] are not available, instead only versions used in ''OS X'' are available. This does not appear to be legal as per §2.3 in the APSL:

2.3 Distribution of Executable Versions. In addition, if You Externally Deploy Covered

Code (Original Code and/or Modifications) in object code, executable form only, '''You must'''

'''include a prominent notice''', in the code itself as well as in related documentation, '''stating'''

'''that Source Code of the Covered Code is available''' under the terms of this License '''with'''

'''information on how and where to obtain such Source Code'''.

with ''Source Code'' defined in §1.8:

1.8 "Source Code" means the human readable form of a program or other work that is

suitable for making modifications to it, including all modules it contains, plus any

associated interface definition files, scripts used to control compilation and installation

of an executable (object code).

It is worth noting that Apple does ''not'' list XNU as being an open source component of [[iOS]]. This can be seen by viewing [http://opensource.apple.com/ opensource.apple.com] and selecting ''any'' iOS version. As far as can be told, ''none'' of the versions of XNU are available in source version.

There are many other open souce components that iOS uses that are ''not'' listed, such as:

* [http://opensource.apple.com/source/CF/ CF] ([https://developer.apple.com/library/mac/#documentation/CoreFoundation/Reference/CoreFoundation_Collection/_index.html CoreFoundation] - Cocoa)

* [http://opensource.apple.com/source/SQLite/ SQLite] ([http://www.sqlite.org/ SQLite] - database utility)

* [http://opensource.apple.com/source/TimeZoneData/ TimeZoneData] ([[wikipedia:tz database|tz database]] - [[/usr/share/zoneinfo]])

* [http://opensource.apple.com/source/curl/ curl](?) ([http://curl.haxx.se/ libcurl] - various HTTP operations)

* [http://opensource.apple.com/source/hfs/ hfs] (hfs - [[wikipedia:Hierarchical File System|HFS]] driver)

* [http://opensource.apple.com/source/launchd/ launchd] ([[launchd]] - launch daemon)

* [http://opensource.apple.com/source/libxml2/ libxml2](?) ([http://www.xmlsoft.org/ libxml2] - parser for [[wikipedia:XML|XML]] [[Property List|plist]]s)<!-- or does CF handle the parsing? -->

* [http://opensource.apple.com/source/xnu/ xnu] (XNU - Kernel)

* [http://opensource.apple.com/source/zip/ zip] (zip - extraction of various files)

It does ''not'' appear that Apple assumes what you see in the ''OS X'' pages are also on ''iOS''<!-- reword needed --> as [http://opensource.apple.com/source/JavaScriptCore/ JavaScriptCore], [http://opensource.apple.com/source/WebCore/ WebCore], among others are listed on both [http://opensource.apple.com/release/mac-os-x-108/ OS X] (10.8) and [http://opensource.apple.com/release/ios-60/ iOS] (6.0), albeit different versions.

It is also worth noting that [http://opensource.apple.com/source/gdb/ gdb] ([[wikipedia:GNU Compiler Collection|GCC]] debugger) and [http://opensource.apple.com/source/ld64/ ld64] are listed as components in [http://opensource.apple.com/release/ios-60/ iOS 6.0]. Why there are present is a mystery as they are not present on unaltered devices, but only through [[Cydia.app|Cydia]] or [[Xcode]]'s <code>DeveloperImage.dmg</code>.

== Kernel Extensions ==

iOS, sadly, does ''not'' have [[Kernel Extension|kext]]s floating around the [[/|file system]], but they are indeed present. The [[kernelcache]] can be unpacked to show the kernel proper, along with the kexts (all packed in the __PRELINK_TEXT section) and their [[Property List|plist]]s (in the __PRELINK_INFO section).

The Cydia supplied [[kextstat]] does not work on [[iOS]]. Sadly, the reason is that kextstat relies on <code>kmod_get_info(...)</code>, which is a deprecated (and recently removed) API in recent<!-- how recent? --> iOS and OS X versions. With that said, the [[Kernel Extension|kext]]s ''do'' exist. The alternative, [[kextstat#jkextstat|jkextstat]], ''does'' work on recent iOS versions. jkextstat can cause some confusion as it uses the executable name <code>kextstat</code>, similar to how calling <code>g++</code> just launches <code>gcc</code> but with parameters to treat all <code>.c</code> files as C++ files.

The following is the output from [[kextstat#jkextstat|jkextstat]] on an [[n81ap|iPod touch 4G]] running [[iOS]] 6(?):

Podicum:~ root# ./kextstat

0 __kernel__

1 kpi.bsd

2 kpi.dsep

3 kpi.iokit

4 kpi.libkern

5 kpi.mach

6 kpi.private

7 kpi.unsupported

8 driver.AppleARMPlatform <1 3 4 5 6 7>

9 iokit.IOStorageFamily <1 3 4 5 6 7>

10 driver.DiskImages <1 3 4 5 6 7 9>

11 driver.FairPlayIOKit <1 3 4 5 6 7>

12 driver.IOSlaveProcessor <3 4>

13 driver.IOP_s5l8930x_firmware <3 4 12>

14 iokit.AppleProfileFamily <1 3 4 5 6 7>

15 iokit.IOCryptoAcceleratorFamily <1 3 4 5 7>

16 driver.AppleMobileFileIntegrity <1 2 3 4 5 6 7 15>

17 iokit.IONetworkingFamily <1 3 4 5 6 7>

18 iokit.IOUserEthernet <1 3 4 5 6 16 17>

19 platform.AppleKernelStorage <3 4 7>

20 iokit.IOSurface <1 3 4 5 6 7 8>

21 iokit.IOStreamFamily <3 4 5>

22 iokit.IOAudio2Family <1 3 4 5 21>

23 driver.AppleAC3Passthrough <1 3 4 5 7 8 11 21 22>

24 iokit.EncryptedBlockStorage <1 3 4 5 9 15>

25 iokit.IOFlashStorage <1 3 4 5 7 9 24>

26 driver.AppleEffaceableStorage <1 3 4 5 7 8 25>

27 driver.AppleKeyStore <1 3 4 5 6 7 15 16 26>

28 kext.AppleMatch <1 4>

29 security.sandbox <1 2 3 4 5 6 7 16 28>

30 driver.AppleS5L8930X <1 3 4 5 7 8>

31 iokit.IOHIDFamily <1 3 4 5 6 7 16>

32 driver.AppleM68Buttons <1 3 4 5 7 8 31>

33 iokit.IOUSBDeviceFamily <1 3 4 5>

34 iokit.IOSerialFamily <1 3 4 5 6 7>

35 driver.AppleOnboardSerial <1 3 4 5 7 34>

36 iokit.IOAccessoryManager <3 4 5 7 8 33 34 35>

37 driver.AppleProfileTimestampAction <1 3 4 5 14>

38 driver.AppleProfileThreadInfoAction <1 3 4 6 14>

39 driver.AppleProfileKEventAction <1 3 4 14>

40 driver.AppleProfileRegisterStateAction <1 3 4 14>

41 driver.AppleProfileCallstackAction <1 3 4 5 6 14>

42 driver.AppleProfileReadCounterAction <3 4 6 14>

43 driver.AppleARMPL192VIC <3 4 5 7 8>

44 driver.AppleCDMA <1 3 4 5 7 8 15>

45 driver.IODARTFamily <3 4 5>

46 driver.AppleS5L8930XDART <1 3 4 5 7 8 45>

47 iokit.IOSDIOFamily <1 3 4 5 7>

48 driver.AppleIOPSDIO <1 3 4 5 7 8 12 47>

49 driver.AppleIOPFMI <1 3 4 5 7 8 12 25>

50 driver.AppleSamsungSPI <1 3 4 5 7 8>

51 driver.AppleSamsungSerial <1 3 4 5 7 8 34 35>

52 driver.AppleSamsungPKE <3 4 5 7 8 15>

53 driver.AppleS5L8920X <1 3 4 5 7 8>

54 driver.AppleSamsungI2S <1 3 4 5 7 8>

55 driver.AppleEmbeddedUSB <1 3 4 5 7 8>

56 driver.AppleS5L8930XUSBPhy <1 3 4 5 7 8 55>

57 iokit.IOUSBFamily <1 3 4 5 7>

58 driver.AppleUSBEHCI <1 3 4 5 7 57>

59 driver.AppleUSBComposite <1 3 4 57>

60 driver.AppleEmbeddedUSBHost <1 3 4 5 7 55 57 59>

61 driver.AppleUSBOHCI <1 3 4 5 57>

62 driver.AppleUSBOHCIARM <3 4 5 8 55 57 60 61>

63 driver.AppleUSBHub <1 3 4 5 57>

64 driver.AppleUSBEHCIARM <3 4 5 8 55 57 58 60 63>

65 driver.AppleS5L8930XUSB <1 3 4 5 7 8 55 57 58 60 61 62 64>

66 driver.AppleARM7M <3 4 8 12>

67 driver.EmbeddedIOP <3 4 5 12>

68 driver.AppleVXD375 <1 3 4 5 7 8 11>

69 driver.AppleD1815PMU <1 3 4 5 7 8 31>

70 iokit.AppleARMIISAudio <1 3 4 5 7 22>

71 driver.AppleEmbeddedAudio <1 3 4 5 7 8 22 31 70>

72 driver.AppleCS42L59Audio <3 4 5 8 22 31 70 71>

73 driver.AppleEmbeddedAccelerometer <3 4 5 7 8 31>

74 driver.AppleEmbeddedGyro <1 3 4 5 7 8 31>

75 driver.AppleEmbeddedLightSensor <3 4 5 7 8 31>

76 iokit.IOAcceleratorFamily <1 3 4 5 7 8>

77 IMGSGX535 <1 3 4 5 7 8 76>

78 driver.H2H264VideoEncoderDriver <1 3 4 5 7 8>

79 driver.AppleJPEGDriver <1 3 4 5 7 8>

80 driver.AppleH3CameraInterface <1 3 4 5 7 8>

81 driver.AppleM2ScalerCSCDriver <1 3 4 5 7 8 45>

82 iokit.IOMobileGraphicsFamily <1 3 4 5 7 8>

83 driver.AppleDisplayPipe <1 3 4 5 7 8 82>

84 driver.AppleCLCD <1 3 4 5 7 8 82 83>

85 driver.AppleSamsungMIPIDSI <1 3 4 5 7 8>

86 driver.ApplePinotLCD <1 3 4 5 7 8>

87 driver.AppleSamsungSWI <1 3 4 5 7 8>

88 iokit.IODisplayPortFamily <1 3 4 5 6 7 22>

89 driver.AppleRGBOUT <1 3 4 5 7 8 82 83 88>

90 driver.AppleTVOut <1 3 4 5 7 8>

91 driver.AppleAMC_r2 <1 3 4 5 7 8 11 21 22>

92 driver.AppleSamsungDPTX <3 4 5 7 8 88>

93 driver.AppleSynopsysOTGDevice <1 3 4 5 7 8 33 55>

94 driver.AppleNANDFTL <1 3 4 5 7 9 25>

95 driver.AppleNANDLegacyFTL <1 3 4 5 9 25 94>

96 AppleFSCompression.AppleFSCompressionTypeZlib <1 2 3 4 6>

97 IOTextEncryptionFamily <1 3 4 5 7 11>

98 driver.AppleBSDKextStarter <3 4>

99 nke.ppp <1 3 4 5 6 7>

100 nke.l2tp <1 3 4 5 6 7 99>

101 nke.pptp <1 3 4 5 6 7 99>

102 iokit.IO80211Family <1 3 4 5 6 7 17>

103 driver.AppleBCMWLANCore <1 3 4 5 6 7 8 17 102>

104 driver.AppleBCMWLANBusInterfaceSDIO <1 3 4 5 6 7 8 47 103>

105 driver.AppleDiagnosticDataAccessReadOnly <1 3 4 5 7 8 94>

106 driver.LightweightVolumeManager <1 3 4 5 9 15 24 26>

107 driver.IOFlashNVRAM <1 3 4 5 6 7 25>

108 driver.AppleNANDFirmware <1 3 4 5 25>

109 driver.AppleImage3NORAccess <1 3 4 5 7 8 15 108>

110 driver.AppleBluetooth <1 3 4 5 7 8>

111 driver.AppleMultitouchSPI <1 3 4 5 7 8>

112 driver.AppleUSBMike <1 3 4 5 8 22 33>

113 driver.AppleUSBDeviceMux <1 3 4 5 6 7 33>

114 driver.AppleUSBEthernetDevice <1 3 4 5 6 8 17 33>

For a specific extension, e.g. SandBox, the full information (including the handy load address) is also accessible:

<code>root# ./jkextstat -b sandbox -x</code>:

<plist>

<dict>

<key>CFBundleIdentifier</key>

<string>com.apple.security.sandbox</string>

<key>CFBundleVersion</key>

<string>154.7</string>

<key>OSBundleCPUSubtype</key>

<integer>9</integer>

<key>OSBundleCPUType</key>

<integer>12</integer>

<key>OSBundleDependencies</key>

<array>

<integer>6</integer>

<integer>7</integer>

<integer>5</integer>

<integer>3</integer>

<integer>28</integer>

<integer>1</integer>

<integer>4</integer>

<integer>16</integer>

<integer>2</integer>

</array>

<key>OSBundleExecutablePath</key>

<string>/System/Library/Extensions/Sandbox.kext/Sandbox</string>

<key>OSBundleIsInterface</key>

<false/>

<key>OSBundleLoadAddress</key>

<integer>2153734144</integer>

<key>OSBundleLoadSize</key>

<integer>36864</integer>

<key>OSBundleLoadTag</key>

<integer>29</integer>

<key>OSBundleMachOHeaders</key>

<data>

zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA

AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f

VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf

X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA

AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf

gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA

AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA

AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA

AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA

AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2

TzkVrtqsgOViBQ0=

</data>

<key>OSBundlePath</key>

<string>/System/Library/Extensions/Sandbox.kext</string>

<key>OSBundlePrelinked</key>

<true/>

<key>OSBundleRetainCount</key>

<integer>0</integer>

<key>OSBundleStarted</key>

<true/>

<key>OSBundleUUID</key>

<data>

FqyDtjZPORWu2qyA5WIFDQ==

</data>

<key>OSBundleWiredSize</key>

<integer>36864</integer>

<key>OSKernelResource</key>

<false/>

</dict>

</plist>

It's also worth mentioning that, in the above listing, the OSBundleMachOHeaders (base-64 encoded binary headers) leak kernel addresses in iOS 6.0, defeating [[Kernel ASLR]]. This has been quickly fixed in iOS 6.0.1, effectively locking down iOS for the foreseeable future, thanks to security researcher [[mdowd]].

== See Also ==

* [[Kernel Syscalls]]

* [[Kernel Sysctls]]

* [[Kernel Task]]

* [[Kernel Symbols]]

* [[kdebug]]

* [[kernelcache]]

* [[Tutorial:Booting XNU on A4 Devices]]

== External Links ==

* [http://opensource.apple.com/source/xnu XNU Source] (up to latest **OS X** version)

* [[i0n1c]] on [https://media.blackhat.com/bh-us-11/Esser/BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf exploiting the kernel]

* [[User:Haifisch|Haifisch]] on [http://dylanlaws.com/Kernel101 Decrypting the iOS kernel for disassembly]

* [http://newosxbook.com/src.jl?tree=listings&file=18-1-JKextstat.c jkextstat.c]

* [http://www.amazon.com/gp/product/1118057651 OSX/iOS internals book]