Kernel
The kernel of iOS is XNU, the same kernel as OS X. Before iOS 2.0 it was vulnerable to the Ramdisk Hack, and may still be, but iBoot no longer allows boot-args to be passed. The kernel is mapped at 0x80000000, which forces a 2 GB/2 GB split of the 32-bit address space between user and kernel, similar to the 32-bit Windows model. On older iOS the split was 3/1 (the kernel mapped at 0xC0000000), closer to the Linux model.
Note that this is NOT like 32-bit OS X, where the kernel resides in its own address space, but more like 64-bit OS X, where kernel and user share one address space (the same CR3 on x86), albeit one larger by several orders of magnitude. See the appropriate section.
ASLR
- Main article: Kernel ASLR
As of iOS 6 the kernel is subject to ASLR, much like Mountain Lion (OS X 10.8): the kernel is loaded at a randomly chosen slide from its link-time address. This makes exploitation harder, since the location of kernel code can no longer be assumed and has to be leaked first.
On production devices the kernel always ships as a single prelinked kernelcache (kernel plus kexts, statically linked together and compressed) at /System/Library/Caches/com.apple.kernelcaches/kernelcache, which is decompressed at startup. On development devices the kernel is stored in the same location as on OS X, /mach_kernel.
Stack
The kernel maintains its stack at 0xd2000000.
Boot-Args
Like its OS X counterpart, iOS's XNU accepts command-line arguments (boot-args), though the actual passing of arguments is done by iBoot, which these days refuses to do so. Arguments may be directed at the kernel proper or at any one of the many kexts (discussed below). The kernel's own arguments are largely the same as those of OS X.
Kexts use boot-args as well, as can be seen in disassembly from the calls to PE_parse_boot_argn (usually exported; at 0x80240800 in the iOS 5 iPod touch 4G kernel). Following its cross-references in IDA reveals hundreds of places where arguments are parsed in modules pertaining to Flash, HDMI and AMFI, among others.
Here is the list of boot-args extracted with MuscleNerd's IDA script:
_nand-part-poison _panicd_corename _panicd_ip _router_ip acc_debug aesdev als_enable_debug amfi amfi_allow_any_signature amfi_get_out_of_my_way amfi_unrestrict_task_for_pid AppleEmbeddedUSBArbitrator-debug AppleS5L8930XUSBArbitrator-debug AppleUSBPhy-debug arm7m-enable-jtag -b backlight-level backlight-logging baseband-spi-sclk-period bcom.chip.driveStrength_mA bcom.chip.watermark bcom.clock.sd-rate bcom.devif.fn2-block-size bcom.devif.rx-retries bcom.devif.transaction-log bcom.devif.tx-retries bcom.feature.flags bcom.ps.inactivity.timeout bcom.wte.thread-priority boot-uuid brightness burnin-size cameraclocks charger-debug cpus cs_debug cs_enforcement_disable darkwake dart dcc debug disable-usb-iap dp_async_event_fail_hard dp_audio_driver_level dp_audio_driver_mask dp_audio_interface_level dp_audio_interface_mask dp_controller_level dp_controller_mask dp_device_level dp_device_mask dp_display_interface_level dp_display_interface_mask dp_interface_level dp_interface_mask dp_log_level dp_max_channel_count_lpcm dp_max_sample_rate_lpcm dp_max_sample_size_lpcm dp_min_channel_count_lpcm dp_min_sample_rate_lpcm dp_min_sample_size_lpcm dp_service_level dp_service_mask dpsm dvb dvc dvd effaceable-enable-full-scan effaceable-enable-wipe enable-acsleep fairshare_minblockedtime fill fixedpriority_quantum fix-parity force-usb-host force-usb-power hdmi_max_channel_count_lpcm hdmi_max_sample_rate_lpcm hdmi_max_sample_size_lpcm hdmi_min_channel_count_lpcm hdmi_min_sample_rate_lpcm hdmi_min_sample_size_lpcm hdmi_protection_type hp-detect-invert hp-pop-workaround hp-switch-force-config hp-switch-ramp hsic i2c-logsize i2c-verbose ifa_debug ifnet_debug initmcl io iopfmi-timeout iotrace jpeg-log jtag kdp_crashdump_pkt_size kdp_ip_addr kdp_match_mac kdp_match_name keepsyms kextlog link_recovery_enabled mbuf_debug mbuf_pool mcache_flags mleak_sample_factor mseg msgbuf mt-bytes mt-strings mtxspin nand-boot-malloc nand-check-vs nand-commands nand-disable-driver nand-dump-vs-table 
nand-enable-adm nand-enable-reformat nand-enable-yaftl nand-erase nand-erase-install nand-fbbt-publish nand-force-restore nand-idle-timeout-ms nand-ignore-ptab nand-index-cache-size nand-latency-us nand-max-pages nand-neuralize nand-nvram-debug nand-ppn-debug nand-ppn-vs-debug nand-qual nand-queue-entries nand-read-blocks-max nand-read-dccycle-clks nand-read-hold-clks nand-readonly nand-read-setup-clks nand-reorder-defer-max nand-reorder-defer-size-trigger nand-reorder-read-promote-max nand-reset-burnin nand-save-rma-data nand-set-rma nand-sftl-cache-drain nand-sleep-debug-panic nand-slow-timings nand-wearlevel-timeout-ms nand-whiten-metadata nand-wipe nand-write-blocks-max nand-write-hold-clks nand-write-setup-clks nbuf ncl net.inet6.ip6.scopedroute net_affinity net_rtref network-type -no64exec -novfscache panicd_port pcp pctb pdmvr pio-error pmu-chargetrap pmu-debug ppn-clean -progress prox_enable_debug pthtest rd remote_nmi rootdev -s sdio.clock.base-rate sdio.clock.sd-rate sdio.debug.abort-init sdio.debug.init-delay sdio.log.flags sdio.log.level sdio.transfer.max-pio-blocks sdio.transfer.max-pio-size sdio.transfer.mode serial sgx_panic_on_recovery shadev slto_us socket_debug torchcltm0 usb usb_dev_nmi usb_dev_reset -vnode_cache_defeat wdt wfi wlan.ap.channel wlan.debug.abort-init wlan.debug.generate-mac wlan.log.flags wlan.log.level wlan.log.timestamp wlan.netmanager.stats-timer-interval wlan.panic.factory wqsize WTE -x
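The lookup contract these names go through is easy to get wrong, so here is an added example (not XNU's code, and not from this page) that re-implements what a caller of PE_parse_boot_argn relies on: a bare flag such as -s or -v is either present or not, a name=value pair is read as an integer (decimal or 0x-hex) or as a string, quotes around a value are honoured, and a name never matches a longer name that merely starts with it. The boot-args line it parses is constructed; the names come from the list above, the values are made up, and nothing is claimed about what the kernel or AMFI does with them. The real function in pexpert is more involved; this is an approximation of its observable behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed boot-args line for this example.  The argument names are taken
 * from the list above; the values are made up and carry no claim about what
 * the kernel or AMFI would actually do with them. */
static const char kExampleArgs[] =
    "rd=md0 -v -s debug=0x14e serial=3 cs_enforcement_disable=1 "
    "amfi_get_out_of_my_way=1 kextlog=\"0xfff\"";

/* Copy the next whitespace-separated token from *p into tok, dropping the
 * quotes around a "..." or '...' value but keeping the spaces inside them.
 * Returns 0 when the string is exhausted. */
static int next_token(const char **p, char *tok, size_t cap) {
    const char *s = *p;
    size_t n = 0;
    char quote = 0;
    while (*s == ' ' || *s == '\t') s++;
    if (!*s) return 0;
    for (; *s; s++) {
        if (quote) {
            if (*s == quote) { quote = 0; continue; }
        } else if (*s == '"' || *s == '\'') {
            quote = *s; continue;
        } else if (*s == ' ' || *s == '\t') {
            break;
        }
        if (n + 1 < cap) tok[n++] = *s;
    }
    tok[n] = 0;
    *p = s;
    return 1;
}

/* Locate `name` in `args`.  Matches either a bare token equal to name ("-s")
 * or a "name=value" token, never a longer name that merely starts with it
 * ("debug" does not match "debug_foo=1").  On success *value points at the
 * text after '=' (an empty string for a bare flag). */
static int find_boot_arg(const char *args, const char *name,
                         char *tok, size_t cap, const char **value) {
    size_t nlen = strlen(name);
    const char *p = args;
    while (next_token(&p, tok, cap)) {
        if (strncmp(tok, name, nlen) != 0) continue;
        if (tok[nlen] == 0)   { *value = tok + nlen;     return 1; }
        if (tok[nlen] == '=') { *value = tok + nlen + 1; return 1; }
    }
    return 0;
}

/* Is the bare flag present?  The analogue of PE_parse_boot_argn("-x", &f, sizeof f). */
int boot_arg_flag(const char *args, const char *name) {
    char tok[256]; const char *v;
    return find_boot_arg(args, name, tok, sizeof tok, &v) && *v == 0;
}

/* name=<decimal|0xhex>.  Returns 1 and stores the number; 0 if the argument
 * is absent, has no value, or the value is not entirely numeric. */
int boot_arg_int(const char *args, const char *name, long long *out) {
    char tok[256]; const char *v; char *end;
    if (!find_boot_arg(args, name, tok, sizeof tok, &v) || *v == 0) return 0;
    long long n = strtoll(v, &end, 0);   /* base 0 accepts a 0x prefix */
    if (*end != 0) return 0;
    *out = n;
    return 1;
}

/* Same, with a default: the usual "read the knob or keep the built-in value" idiom. */
long long boot_arg_int_or(const char *args, const char *name, long long dflt) {
    long long n;
    return boot_arg_int(args, name, &n) ? n : dflt;
}

/* name=<string>.  Returns 1 and copies the (unquoted) value into buf. */
int boot_arg_str(const char *args, const char *name, char *buf, size_t cap) {
    char tok[256]; const char *v;
    if (!find_boot_arg(args, name, tok, sizeof tok, &v)) return 0;
    snprintf(buf, cap, "%s", v);
    return 1;
}

int main(void) {
    char s[64];
    printf("-v: %d  -s: %d  -x: %d\n",
           boot_arg_flag(kExampleArgs, "-v"),
           boot_arg_flag(kExampleArgs, "-s"),
           boot_arg_flag(kExampleArgs, "-x"));
    printf("debug = 0x%llx, kextlog = 0x%llx\n",
           boot_arg_int_or(kExampleArgs, "debug", 0),
           boot_arg_int_or(kExampleArgs, "kextlog", 0));
    if (boot_arg_str(kExampleArgs, "rd", s, sizeof s))
        printf("rd = %s\n", s);
    /* With an empty boot-args string (what a stock iBoot hands over) every
     * lookup fails, which is why the switches listed above are inert. */
    printf("cs_enforcement_disable with empty args: %lld\n",
           boot_arg_int_or("", "cs_enforcement_disable", 0));
    return 0;
}
```

The last lookup in main runs against an empty string, which is what a stock iBoot hands over: every knob in the list above is unreachable until something can set boot-args, so iBoot's refusal matters more than the number of knobs.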
Versions
iOS has consistently carried a higher XNU version than the corresponding OS X release. At the time of writing, Mountain Lion's XNU is 20xx whereas iOS's is 21xx. This is not surprising, given that iOS introduces features (such as kernel ASLR, the default freezer and various security hardening features) which appear in it first and only later make it to OS X. The following shows the two versions at present:
OS X Mountain Lion:
Darwin Kernel Version 12.2.0: Sat Aug 25 00:48:52 PDT 2012; root:xnu-2050.18.24~1/RELEASE_X86_64 x86_64
iOS 6.1:
Darwin Kernel Version 13.0.0: Sun Dec 16 20:01:39 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_S5L8950X
Note: the RELEASE_ARM_xxxxxxxx suffix names the build configuration, architecture and SoC, so it obviously differs by device/CPU.
Version | Kernel version string | Comment |
---|---|---|
1A420 | Darwin Kernel Version 4.4.2-Purple-19: Thu Mar 8 01:43:04 PST 2007; root:xnu-933.0.14~46/RELEASE_ARM_S5L8900XRB | from prototype - not sure if 100% correct. |
1.0.0 | ||
1.0.1 | ||
1.0.2 | ||
1.1.1 | ||
1.1.2 | ||
1.1.3 | ||
1.1.4 | ||
2.0 | ||
2.0.1 | ||
2.0.2 | ||
2.1 | ||
2.2 | ||
2.2.1 | ||
3.0 | ||
3.0.1 | ||
3.1 | ||
3.1.2 | ||
3.1.3 | ||
3.2 | ||
3.2.1 | ||
3.2.2 | ||
4.0 | ||
4.0.1 | ||
4.0.2 | ||
4.1 | ||
4.2.1 | Darwin Kernel Version 10.4.0: Wed Oct 20 20:14:45 PDT 2010; root:xnu-1504.58.28~3/RELEASE_ARM_S5L8930X | |
4.3 | ||
4.3.1 | ||
4.3.2 | ||
4.3.3 | Darwin Kernel Version 11.0.0: Wed Mar 30 18:44:45 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_S5L8920X | |
4.3.4 | ||
4.3.5 | Darwin Kernel Version 11.0.0: Sat Jul 9 00:59:43 PDT 2011; root:xnu-1735.47~1/RELEASE_ARM_S5L8930X | |
5.0 | Darwin Kernel Version 11.0.0: Thu Sep 15 23:34:43 PDT 2011; root:xnu-1878.4.43~2/RELEASE_ARM_S5L8940X | |
5.0.1 | Darwin Kernel Version 11.0.0: Tue Nov 1 20:34:16 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8940X | |
5.1 | Darwin Kernel Version 11.0.0: Wed Feb 1 23:18:07 PST 2012; root:xnu-1878.11.8~1/RELEASE_ARM_S5L8945X | |
5.1.1 | Darwin Kernel Version 11.0.0: Sun Apr 8 21:51:26 PDT 2012; root:xnu-1878.11.10~1/RELEASE_ARM_S5L8930X | |
6.0 | Darwin Kernel Version 13.0.0: Sun Aug 19 00:31:06 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_S5L8950X | |
6.0.1 | Darwin Kernel Version 13.0.0: Wed Oct 10 23:29:02 PDT 2012; root:xnu-2107.2.34~2/RELEASE_ARM_S5L8930X | |
6.0.2 | Darwin Kernel Version 13.0.0: Wed Oct 10 23:32:19 PDT 2012; root:xnu-2107.2.34~2/RELEASE_ARM_S5L8950X | |
6.1 | Darwin Kernel Version 13.0.0: Sun Dec 16 20:01:39 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_S5L8950X | |
6.1.1 | Darwin Kernel Version 13.0.0: Sun Dec 16 19:58:44 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_S5L8940X | |
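To turn banners like the ones above into something a tool can compare, here is an added example (not from the page) that parses the uname -v format into its Darwin version, xnu project number, build suffix and configuration tag, and orders two banners by xnu number. The banners in main are the ones quoted above; the parser only takes the leading numeric triple of the Darwin version, so the prototype's 4.4.2-Purple-19 parses too.

```c
#include <stdio.h>
#include <string.h>

/* Fields of a Darwin kernel banner such as
 *   Darwin Kernel Version 13.0.0: Sun Dec 16 20:01:39 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_S5L8950X */
struct kernel_banner {
    int darwin[3];     /* 13.0.0 */
    int xnu[3];        /* 2107.7.55 (missing components stay 0, e.g. xnu-1735.46) */
    int build;         /* the ~11 */
    char config[40];   /* RELEASE_ARM_S5L8950X: build flavour, architecture, SoC */
};

/* Parse one banner.  Returns 1 on success, 0 if it is not a Darwin banner. */
int parse_kernel_banner(const char *s, struct kernel_banner *b) {
    memset(b, 0, sizeof *b);
    if (sscanf(s, "Darwin Kernel Version %d.%d.%d", &b->darwin[0], &b->darwin[1], &b->darwin[2]) != 3)
        return 0;
    const char *x = strstr(s, "root:xnu-");
    if (!x) return 0;
    x += strlen("root:xnu-");
    for (int i = 0; i < 3; i++) {             /* NNNN[.NN[.NN]] */
        int used = 0;
        if (sscanf(x, "%d%n", &b->xnu[i], &used) != 1) return 0;
        x += used;
        if (*x != '.') break;
        x++;
    }
    if (*x == '~') {                          /* ~BB */
        int used = 0;
        if (sscanf(x + 1, "%d%n", &b->build, &used) != 1) return 0;
        x += 1 + used;
    }
    if (*x != '/') return 0;                  /* /CONFIG, up to the next blank */
    x++;
    size_t n = strcspn(x, " \t\r\n");
    if (n >= sizeof b->config) n = sizeof b->config - 1;
    memcpy(b->config, x, n);
    b->config[n] = 0;
    return 1;
}

/* Order two banners by xnu project number (the figure the text compares). */
int xnu_compare(const struct kernel_banner *a, const struct kernel_banner *b) {
    for (int i = 0; i < 3; i++)
        if (a->xnu[i] != b->xnu[i]) return a->xnu[i] < b->xnu[i] ? -1 : 1;
    return 0;
}

int main(void) {
    /* The three banners quoted on this page. */
    static const char *banners[] = {
        "Darwin Kernel Version 12.2.0: Sat Aug 25 00:48:52 PDT 2012; root:xnu-2050.18.24~1/RELEASE_X86_64 x86_64",
        "Darwin Kernel Version 13.0.0: Sun Dec 16 20:01:39 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_S5L8950X",
        "Darwin Kernel Version 4.4.2-Purple-19: Thu Mar 8 01:43:04 PST 2007; root:xnu-933.0.14~46/RELEASE_ARM_S5L8900XRB",
    };
    struct kernel_banner b[3];
    for (int i = 0; i < 3; i++) {
        if (!parse_kernel_banner(banners[i], &b[i])) { printf("unparsed: %s\n", banners[i]); continue; }
        printf("darwin %d.%d.%d  xnu-%d.%d.%d~%d  %s\n", b[i].darwin[0], b[i].darwin[1], b[i].darwin[2],
               b[i].xnu[0], b[i].xnu[1], b[i].xnu[2], b[i].build, b[i].config);
    }
    printf("iOS 6.1 xnu newer than Mountain Lion's: %s\n", xnu_compare(&b[1], &b[0]) > 0 ? "yes" : "no");
    return 0;
}
```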
Source Code
As XNU is based in part on the BSD kernel, it is open source: the original BSD portions are under the 3-clause BSD License and the portions added by Apple under the Apple Public Source License (APSL). The versions contained in iOS are not available; only the versions used in OS X are. This does not appear to be permitted by §2.3 of the APSL:
2.3 Distribution of Executable Versions. In addition, if You Externally Deploy Covered Code (Original Code and/or Modifications) in object code, executable form only, You must include a prominent notice, in the code itself as well as in related documentation, stating that Source Code of the Covered Code is available under the terms of this License with information on how and where to obtain such Source Code.
with Source Code defined in §1.8:
1.8 "Source Code" means the human readable form of a program or other work that is suitable for making modifications to it, including all modules it contains, plus any associated interface definition files, scripts used to control compilation and installation of an executable (object code).
It is worth noting that Apple does not list XNU as an open source component of iOS, as can be seen by visiting opensource.apple.com and selecting any iOS version. As far as can be told, none of the iOS versions of XNU are available in source form.
There are many other open source components that iOS uses that are not listed either, such as:
- CF (CoreFoundation - Cocoa)
- SQLite (SQLite - database utility)
- TimeZoneData (tz database - /usr/share/zoneinfo)
- curl(?) (libcurl - various HTTP operations)
- hfs (hfs - HFS driver)
- launchd (launchd - launch daemon)
- libxml2(?) (libxml2 - parser for XML plists)
- xnu (XNU - Kernel)
- zip (zip - extraction of various files)
Nor does Apple appear to treat the OS X listings as implicitly covering iOS: JavaScriptCore and WebCore, among others, are listed for both OS X (10.8) and iOS (6.0), albeit in different versions.
It is also worth noting that gdb (the GNU debugger) and ld64 are listed as components of iOS 6.0. Why they are present is a mystery, as they are not on unaltered devices, only via Cydia or Xcode's DeveloperDiskImage.dmg.
Kernel Extensions
iOS, sadly, does not have kexts lying around the file system as separate bundles, but they are indeed present: the kernelcache can be unpacked to reveal the kernel proper along with the kexts (all packed into the __PRELINK_TEXT segment) and their Info.plists (in the __PRELINK_INFO segment).
The Cydia-supplied kextstat does not work on iOS. The reason is that kextstat relies on kmod_get_info(...), a deprecated (and since removed) API in recent iOS and OS X versions; the kexts themselves do exist. The alternative, jkextstat, does work on recent iOS versions. jkextstat can cause some confusion as it installs under the executable name kextstat, similar to how calling g++ just launches gcc with parameters that treat all .c files as C++ files.
The following is the output from jkextstat on an iPod touch 4G running iOS 6(?). The first column is each kext's load tag, and the numbers in angle brackets are the load tags of the kexts it depends on (tags 1 through 7 are the kernel's own KPI pseudo-kexts):
Podicum:~ root# ./kextstat
0 __kernel__
1 kpi.bsd
2 kpi.dsep
3 kpi.iokit
4 kpi.libkern
5 kpi.mach
6 kpi.private
7 kpi.unsupported
8 driver.AppleARMPlatform <1 3 4 5 6 7>
9 iokit.IOStorageFamily <1 3 4 5 6 7>
10 driver.DiskImages <1 3 4 5 6 7 9>
11 driver.FairPlayIOKit <1 3 4 5 6 7>
12 driver.IOSlaveProcessor <3 4>
13 driver.IOP_s5l8930x_firmware <3 4 12>
14 iokit.AppleProfileFamily <1 3 4 5 6 7>
15 iokit.IOCryptoAcceleratorFamily <1 3 4 5 7>
16 driver.AppleMobileFileIntegrity <1 2 3 4 5 6 7 15>
17 iokit.IONetworkingFamily <1 3 4 5 6 7>
18 iokit.IOUserEthernet <1 3 4 5 6 16 17>
19 platform.AppleKernelStorage <3 4 7>
20 iokit.IOSurface <1 3 4 5 6 7 8>
21 iokit.IOStreamFamily <3 4 5>
22 iokit.IOAudio2Family <1 3 4 5 21>
23 driver.AppleAC3Passthrough <1 3 4 5 7 8 11 21 22>
24 iokit.EncryptedBlockStorage <1 3 4 5 9 15>
25 iokit.IOFlashStorage <1 3 4 5 7 9 24>
26 driver.AppleEffaceableStorage <1 3 4 5 7 8 25>
27 driver.AppleKeyStore <1 3 4 5 6 7 15 16 26>
28 kext.AppleMatch <1 4>
29 security.sandbox <1 2 3 4 5 6 7 16 28>
30 driver.AppleS5L8930X <1 3 4 5 7 8>
31 iokit.IOHIDFamily <1 3 4 5 6 7 16>
32 driver.AppleM68Buttons <1 3 4 5 7 8 31>
33 iokit.IOUSBDeviceFamily <1 3 4 5>
34 iokit.IOSerialFamily <1 3 4 5 6 7>
35 driver.AppleOnboardSerial <1 3 4 5 7 34>
36 iokit.IOAccessoryManager <3 4 5 7 8 33 34 35>
37 driver.AppleProfileTimestampAction <1 3 4 5 14>
38 driver.AppleProfileThreadInfoAction <1 3 4 6 14>
39 driver.AppleProfileKEventAction <1 3 4 14>
40 driver.AppleProfileRegisterStateAction <1 3 4 14>
41 driver.AppleProfileCallstackAction <1 3 4 5 6 14>
42 driver.AppleProfileReadCounterAction <3 4 6 14>
43 driver.AppleARMPL192VIC <3 4 5 7 8>
44 driver.AppleCDMA <1 3 4 5 7 8 15>
45 driver.IODARTFamily <3 4 5>
46 driver.AppleS5L8930XDART <1 3 4 5 7 8 45>
47 iokit.IOSDIOFamily <1 3 4 5 7>
48 driver.AppleIOPSDIO <1 3 4 5 7 8 12 47>
49 driver.AppleIOPFMI <1 3 4 5 7 8 12 25>
50 driver.AppleSamsungSPI <1 3 4 5 7 8>
51 driver.AppleSamsungSerial <1 3 4 5 7 8 34 35>
52 driver.AppleSamsungPKE <3 4 5 7 8 15>
53 driver.AppleS5L8920X <1 3 4 5 7 8>
54 driver.AppleSamsungI2S <1 3 4 5 7 8>
55 driver.AppleEmbeddedUSB <1 3 4 5 7 8>
56 driver.AppleS5L8930XUSBPhy <1 3 4 5 7 8 55>
57 iokit.IOUSBFamily <1 3 4 5 7>
58 driver.AppleUSBEHCI <1 3 4 5 7 57>
59 driver.AppleUSBComposite <1 3 4 57>
60 driver.AppleEmbeddedUSBHost <1 3 4 5 7 55 57 59>
61 driver.AppleUSBOHCI <1 3 4 5 57>
62 driver.AppleUSBOHCIARM <3 4 5 8 55 57 60 61>
63 driver.AppleUSBHub <1 3 4 5 57>
64 driver.AppleUSBEHCIARM <3 4 5 8 55 57 58 60 63>
65 driver.AppleS5L8930XUSB <1 3 4 5 7 8 55 57 58 60 61 62 64>
66 driver.AppleARM7M <3 4 8 12>
67 driver.EmbeddedIOP <3 4 5 12>
68 driver.AppleVXD375 <1 3 4 5 7 8 11>
69 driver.AppleD1815PMU <1 3 4 5 7 8 31>
70 iokit.AppleARMIISAudio <1 3 4 5 7 22>
71 driver.AppleEmbeddedAudio <1 3 4 5 7 8 22 31 70>
72 driver.AppleCS42L59Audio <3 4 5 8 22 31 70 71>
73 driver.AppleEmbeddedAccelerometer <3 4 5 7 8 31>
74 driver.AppleEmbeddedGyro <1 3 4 5 7 8 31>
75 driver.AppleEmbeddedLightSensor <3 4 5 7 8 31>
76 iokit.IOAcceleratorFamily <1 3 4 5 7 8>
77 IMGSGX535 <1 3 4 5 7 8 76>
78 driver.H2H264VideoEncoderDriver <1 3 4 5 7 8>
79 driver.AppleJPEGDriver <1 3 4 5 7 8>
80 driver.AppleH3CameraInterface <1 3 4 5 7 8>
81 driver.AppleM2ScalerCSCDriver <1 3 4 5 7 8 45>
82 iokit.IOMobileGraphicsFamily <1 3 4 5 7 8>
83 driver.AppleDisplayPipe <1 3 4 5 7 8 82>
84 driver.AppleCLCD <1 3 4 5 7 8 82 83>
85 driver.AppleSamsungMIPIDSI <1 3 4 5 7 8>
86 driver.ApplePinotLCD <1 3 4 5 7 8>
87 driver.AppleSamsungSWI <1 3 4 5 7 8>
88 iokit.IODisplayPortFamily <1 3 4 5 6 7 22>
89 driver.AppleRGBOUT <1 3 4 5 7 8 82 83 88>
90 driver.AppleTVOut <1 3 4 5 7 8>
91 driver.AppleAMC_r2 <1 3 4 5 7 8 11 21 22>
92 driver.AppleSamsungDPTX <3 4 5 7 8 88>
93 driver.AppleSynopsysOTGDevice <1 3 4 5 7 8 33 55>
94 driver.AppleNANDFTL <1 3 4 5 7 9 25>
95 driver.AppleNANDLegacyFTL <1 3 4 5 9 25 94>
96 AppleFSCompression.AppleFSCompressionTypeZlib <1 2 3 4 6>
97 IOTextEncryptionFamily <1 3 4 5 7 11>
98 driver.AppleBSDKextStarter <3 4>
99 nke.ppp <1 3 4 5 6 7>
100 nke.l2tp <1 3 4 5 6 7 99>
101 nke.pptp <1 3 4 5 6 7 99>
102 iokit.IO80211Family <1 3 4 5 6 7 17>
103 driver.AppleBCMWLANCore <1 3 4 5 6 7 8 17 102>
104 driver.AppleBCMWLANBusInterfaceSDIO <1 3 4 5 6 7 8 47 103>
105 driver.AppleDiagnosticDataAccessReadOnly <1 3 4 5 7 8 94>
106 driver.LightweightVolumeManager <1 3 4 5 9 15 24 26>
107 driver.IOFlashNVRAM <1 3 4 5 6 7 25>
108 driver.AppleNANDFirmware <1 3 4 5 25>
109 driver.AppleImage3NORAccess <1 3 4 5 7 8 15 108>
110 driver.AppleBluetooth <1 3 4 5 7 8>
111 driver.AppleMultitouchSPI <1 3 4 5 7 8>
112 driver.AppleUSBMike <1 3 4 5 8 22 33>
113 driver.AppleUSBDeviceMux <1 3 4 5 6 7 33>
114 driver.AppleUSBEthernetDevice <1 3 4 5 6 8 17 33>
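Since the angle-bracket column is a dependency graph, here is an added example (not jkextstat's code) that parses a constructed excerpt of the listing above, in the same format, and answers the question a reviewer of this stack asks: which kexts, directly or indirectly, sit on top of AppleMobileFileIntegrity (tag 16)? In the excerpt that is AppleKeyStore, security.sandbox and IOHIDFamily directly, and AppleM68Buttons through IOHIDFamily. The excerpt keeps AppleKeyStore's reference to tag 26, which is not in the excerpt, to show that an unknown tag is simply ignored.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_KEXTS 128
#define MAX_DEPS  32

/* One row of the listing: load tag, bundle name, and the load tags it links against. */
struct kext { int tag; char name[64]; int deps[MAX_DEPS]; int ndeps; };

/* Constructed excerpt of the iPod touch 4G listing above, in the same format.
 * Tag 26 (AppleEffaceableStorage) is referenced but deliberately left out. */
static const char kListing[] =
    "0 __kernel__\n"
    "1 kpi.bsd\n2 kpi.dsep\n3 kpi.iokit\n4 kpi.libkern\n"
    "5 kpi.mach\n6 kpi.private\n7 kpi.unsupported\n"
    "8 driver.AppleARMPlatform <1 3 4 5 6 7>\n"
    "15 iokit.IOCryptoAcceleratorFamily <1 3 4 5 7>\n"
    "16 driver.AppleMobileFileIntegrity <1 2 3 4 5 6 7 15>\n"
    "27 driver.AppleKeyStore <1 3 4 5 6 7 15 16 26>\n"
    "28 kext.AppleMatch <1 4>\n"
    "29 security.sandbox <1 2 3 4 5 6 7 16 28>\n"
    "31 iokit.IOHIDFamily <1 3 4 5 6 7 16>\n"
    "32 driver.AppleM68Buttons <1 3 4 5 7 8 31>\n";

/* Parse "tag name [<dep dep ...>]" lines; returns the number of rows read. */
int parse_kextstat(const char *text, struct kext *out, int cap) {
    int n = 0;
    while (*text && n < cap) {
        const char *eol = strchr(text, '\n');
        size_t len = eol ? (size_t)(eol - text) : strlen(text);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, text, len); line[len] = 0;
        struct kext *k = &out[n];
        memset(k, 0, sizeof *k);
        if (sscanf(line, "%d %63s", &k->tag, k->name) == 2) {
            const char *p = strchr(line, '<');
            if (p) p++;
            while (p && *p && *p != '>' && k->ndeps < MAX_DEPS) {
                char *end;
                long d = strtol(p, &end, 10);
                if (end == p) break;              /* not a number: stop */
                k->deps[k->ndeps++] = (int)d;
                for (p = end; *p == ' '; p++) ;
            }
            n++;
        }
        if (!eol) break;
        text = eol + 1;
    }
    return n;
}

const struct kext *kext_by_tag(const struct kext *k, int n, int tag) {
    for (int i = 0; i < n; i++) if (k[i].tag == tag) return &k[i];
    return NULL;
}

static int lists_dep(const struct kext *w, int tag) {
    for (int i = 0; i < w->ndeps; i++) if (w->deps[i] == tag) return 1;
    return 0;
}

/* 1 if kext `who` names `tag` directly in its <...> column. */
int depends_on(const struct kext *k, int n, int who, int tag) {
    const struct kext *w = kext_by_tag(k, n, who);
    return w ? lists_dep(w, tag) : 0;
}

/* Every kext that depends on `tag`, directly or through another kext (BFS over
 * reverse edges).  Returns the count; `out` receives load tags in discovery order. */
int transitive_dependents(const struct kext *k, int n, int tag, int *out, int cap) {
    int queue[MAX_KEXTS + 1], head = 0, qlen = 1, count = 0;
    queue[0] = tag;
    while (head < qlen) {
        int cur = queue[head++];
        for (int i = 0; i < n; i++) {
            if (!lists_dep(&k[i], cur)) continue;
            int seen = 0;
            for (int j = 0; j < count; j++) if (out[j] == k[i].tag) seen = 1;
            if (seen || count >= cap || qlen > MAX_KEXTS) continue;
            out[count++] = k[i].tag;
            queue[qlen++] = k[i].tag;
        }
    }
    return count;
}

int main(void) {
    struct kext k[MAX_KEXTS]; int hit[MAX_KEXTS];
    int n = parse_kextstat(kListing, k, MAX_KEXTS), amfi = 16;
    int c = transitive_dependents(k, n, amfi, hit, MAX_KEXTS);
    printf("%d rows; %d kexts sit on top of tag %d (%s):\n", n, c, amfi, kext_by_tag(k, n, amfi)->name);
    for (int i = 0; i < c; i++)
        printf("  %3d %s%s\n", hit[i], kext_by_tag(k, n, hit[i])->name,
               depends_on(k, n, hit[i], amfi) ? "" : "  (indirect)");
    return 0;
}
```

Feeding the full listing above through the same parser (each row on its own line) gives the complete reverse-dependency picture for any tag; the excerpt is kept short only so the expected answer can be read off by hand.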
For a specific extension, e.g. Sandbox, the full information (including the handy load address) is also accessible. Note that OSBundleLoadTag is the 29 from the listing above and OSBundleDependencies repeats its <1 2 3 4 5 6 7 16 28> column:
root# ./jkextstat -b sandbox -x
<plist>
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.security.sandbox</string>
  <key>CFBundleVersion</key>
  <string>154.7</string>
  <key>OSBundleCPUSubtype</key>
  <integer>9</integer>
  <key>OSBundleCPUType</key>
  <integer>12</integer>
  <key>OSBundleDependencies</key>
  <array>
    <integer>6</integer>
    <integer>7</integer>
    <integer>5</integer>
    <integer>3</integer>
    <integer>28</integer>
    <integer>1</integer>
    <integer>4</integer>
    <integer>16</integer>
    <integer>2</integer>
  </array>
  <key>OSBundleExecutablePath</key>
  <string>/System/Library/Extensions/Sandbox.kext/Sandbox</string>
  <key>OSBundleIsInterface</key>
  <false/>
  <key>OSBundleLoadAddress</key>
  <integer>2153734144</integer>
  <key>OSBundleLoadSize</key>
  <integer>36864</integer>
  <key>OSBundleLoadTag</key>
  <integer>29</integer>
  <key>OSBundleMachOHeaders</key>
  <data>
  zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA
  AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f
  VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf
  X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA
  AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf
  gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA
  AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA
  AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA
  AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA
  AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2
  TzkVrtqsgOViBQ0=
  </data>
  <key>OSBundlePath</key>
  <string>/System/Library/Extensions/Sandbox.kext</string>
  <key>OSBundlePrelinked</key>
  <true/>
  <key>OSBundleRetainCount</key>
  <integer>0</integer>
  <key>OSBundleStarted</key>
  <true/>
  <key>OSBundleUUID</key>
  <data>
  FqyDtjZPORWu2qyA5WIFDQ==
  </data>
  <key>OSBundleWiredSize</key>
  <integer>36864</integer>
  <key>OSKernelResource</key>
  <false/>
</dict>
</plist>
It is also worth mentioning that, in the above listing, OSBundleMachOHeaders (the base64-encoded Mach-O header of the loaded kext) leaks kernel addresses in iOS 6.0: its LC_SEGMENT load commands carry the kext's slid virtual addresses, which defeats kernel ASLR. This was quickly fixed in iOS 6.0.1, effectively locking down iOS for the foreseeable future, thanks to security researcher mdowd.
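What that leak amounts to can be seen by decoding the value itself. The following added example (not jkextstat's code and not from the original page) base64-decodes the OSBundleMachOHeaders value printed above, walks the 32-bit mach_header and its load commands, and reports the segments. On this blob it finds cputype 12 / subtype 9 (ARM, ARMv7, matching OSBundleCPUType and OSBundleCPUSubtype above), filetype 0xB (MH_KEXT_BUNDLE), three load commands, and the kext's __TEXT at 0x805F6000 (0x8000 bytes) and __DATA at 0x805FE000 (0x1000 bytes); the two sizes add up to 36864, the OSBundleLoadSize above. Those vmaddr values are the slid runtime addresses; subtracting the unslid vmaddr of the same segment as found in the on-disk kernelcache (not reproduced on this page) gives the kernel slide.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* OSBundleMachOHeaders of com.apple.security.sandbox, copied from the jkextstat
 * output above with its line breaks kept (the decoder skips whitespace). */
static const char kSandboxHeadersB64[] =
    "zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA\n"
    "AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f\n"
    "VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf\n"
    "X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA\n"
    "AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf\n"
    "gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA\n"
    "AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA\n"
    "AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA\n"
    "AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA\n"
    "AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2\n"
    "TzkVrtqsgOViBQ0=";

#define MH_MAGIC       0xFEEDFACEu   /* 32-bit Mach-O, stored little-endian on ARM */
#define MH_KEXT_BUNDLE 0x0Bu
#define LC_SEGMENT     0x01u

struct seg { char name[17]; uint32_t vmaddr, vmsize; };
struct macho_info { uint32_t cputype, cpusubtype, filetype, ncmds; int nsegs; struct seg segs[4]; };

/* Base64 decode, skipping whitespace; returns the byte count, or -1 on a bad character. */
static int b64decode(const char *in, uint8_t *out, size_t cap) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        if (*in == ' ' || *in == '\n' || *in == '\r' || *in == '\t') continue;
        const char *q = strchr(tbl, *in);
        if (!q) return -1;
        acc = (acc << 6) | (uint32_t)(q - tbl); bits += 6;
        if (bits < 8) continue;
        bits -= 8;
        if (n >= cap) return -1;
        out[n++] = (uint8_t)(acc >> bits);
        acc &= (1u << bits) - 1;
    }
    return (int)n;
}

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk mach_header and its load commands, keeping the LC_SEGMENT entries.  A truncated
 * blob yields whatever commands fit.  Returns -1 if this is not a 32-bit Mach-O. */
int parse_macho32(const uint8_t *buf, size_t len, struct macho_info *m) {
    memset(m, 0, sizeof *m);
    if (len < 28 || rd32(buf) != MH_MAGIC) return -1;
    m->cputype = rd32(buf + 4);  m->cpusubtype = rd32(buf + 8);
    m->filetype = rd32(buf + 12); m->ncmds = rd32(buf + 16);
    size_t off = 28;
    for (uint32_t i = 0; i < m->ncmds && off + 8 <= len; i++) {
        uint32_t cmd = rd32(buf + off), cmdsize = rd32(buf + off + 4);
        if (cmdsize < 8) break;
        if (cmd == LC_SEGMENT && off + 56 <= len && m->nsegs < 4) {
            struct seg *s = &m->segs[m->nsegs++];
            memcpy(s->name, buf + off + 8, 16); s->name[16] = 0;
            s->vmaddr = rd32(buf + off + 24);   /* where the segment sits right now */
            s->vmsize = rd32(buf + off + 28);
        }
        off += cmdsize;
    }
    return 0;
}

/* Decode a plist <data> value and parse it; 0 on success. */
int parse_leaked_headers(const char *b64, struct macho_info *m) {
    uint8_t buf[4096];
    int n = b64decode(b64, buf, sizeof buf);
    return n < 0 ? -1 : parse_macho32(buf, (size_t)n, m);
}

/* Runtime address of __TEXT (0 if absent): the one number that undoes the slide. */
uint32_t leaked_text_vmaddr(const char *b64) {
    struct macho_info m;
    if (parse_leaked_headers(b64, &m) != 0) return 0;
    for (int i = 0; i < m.nsegs; i++)
        if (strcmp(m.segs[i].name, "__TEXT") == 0) return m.segs[i].vmaddr;
    return 0;
}

int main(void) {
    struct macho_info m; uint32_t total = 0;
    if (parse_leaked_headers(kSandboxHeadersB64, &m) != 0) { fputs("not a 32-bit Mach-O\n", stderr); return 1; }
    printf("cputype %u subtype %u filetype 0x%x%s ncmds %u\n", m.cputype, m.cpusubtype,
           m.filetype, m.filetype == MH_KEXT_BUNDLE ? " (MH_KEXT_BUNDLE)" : "", m.ncmds);
    for (int i = 0; i < m.nsegs; i++) {
        total += m.segs[i].vmsize;
        printf("%-8s vmaddr 0x%08x vmsize 0x%x\n", m.segs[i].name, m.segs[i].vmaddr, m.segs[i].vmsize);
    }
    printf("segments total %u bytes (OSBundleLoadSize above: 36864)\n", total);
    return 0;
}
```

The decoder skips whitespace, so the wrapped <data> value can be pasted as printed. The parser stops quietly on a truncated blob and keeps whatever commands fit, which is the behaviour wanted when a leak hands you only the first bytes of a header.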
External Links
- XNU Source (up to latest **OS X** version)
- i0n1c on exploiting the kernel
- Haifisch on kernel decryption and disassembly
- jkextstat.c
- OSX/iOS internals book