The iPhone Wiki - User contributions [en]

ITunes Backup

2013-04-16T06:08:44Z

Chopin4g: /* Record (variable size) */

{{lowercase}}
The following description is to describe the '''backup system of [[iTunes]]''', which is often used for forensic analysis of iDevices. This description is for the format used in the latest iTunes 10.5.3 - older versions are slightly different (see [[Understanding iPhone Backup Files|old article]]). The description is only for non-encrypted backups.

On the iDevice there is a file <code>/System/Library/Backup/Domains.plist</code> which determines what files to backup. There is a differentiation between "domains" and relative files.

In the backup location (see below) there are all backups that iTunes has made so far. Every backup folder has a name made of 20 bytes in hex numbers (lower case) for a full backup. A differential backup has the same folder name, but appened with a dash and the ISO date of the backup (8 digit yyyymmdd) and a dash and the time in 24-hour format with seconds.

In each backup, there are four files with infos, which are described later:
*Info.plist
*Manifest.mdbd
*Manifest.plist
*Status.plist
There are also the files themselves, but with a new file name.

The file names are made by a SHA-1 hash of their name, together with their path and domain. Between the domain and the path there is a dash. Example:
SHA1('HomeDomain-Library/SMS/sms.db') = 3d0d7e5fb2ce288813306e4d4636395e047a3d28
It is not clear what would happen in case of hash collisions. Probably Apple assumes it won't happen.

The data itself is encrypted with AES-256 CBC.

===iTunes backup location===
*Windows XP: <code>%HOMEPATH%\Application Data\Apple Computer\MobileSync\Backup\{UDID}</code>
*Windows Vista/7/8: <code>%HOMEPATH%\AppData\Roaming\Apple Computer\MobileSync\Backup\{UDID}</code>
*OS X: <code>~/Library/Application Support/MobileSync/Backup/{UDID}</code>

=== Info.plist ===
This is a plaintext plist that contains the following dict:
*Build Version (string): 9A406 (iOS build version of the device that was backed up)
*Device Name (string): (name of the device that was backed up)
*Display Name (string): (name of the device that was backed up)
*GUID (string): unknown 16-byte GUID without any dashes
*ICCID (string)
*IMEI (string)
*Last Backup Date (date): format "yyyy-mm-ddThh:mm:ssZ"
*Phone Number (string)
*Product Type (string): iPhone4,1
*Product Version (string): 5.0.1
*Serial Number (string)
*Sync Settings (dict):
**Calendar Day Limit (integer): 30
**Calendars Collections: (array of dict, 1 element):
***AMSCollectionDisplayName (string): Calendar
***AMSCollectionFiltered (bool): false
***AMSCollectionName (string): Calendar
***AMSCollectionReadOnly (bool): false
**Data Class Info: (array of dict, 5 elements)
***[0] dict:
****kAMSDataClassEnabled (bool): false
****kAMSDataClassName (string): com.apple.Bookmarks
****kAMSDataClassReset (bool): false
***[1] dict:
****kAMSDataClassEnabled (bool): false
****kAMSDataClassName (string): com.apple.Calendars
****kAMSDataClassReset (bool): false
***[2] dict:
****kAMSDataClassEnabled (bool): false
****kAMSDataClassName (string): com.apple.Accounts
****kAMSDataClassReset (bool): false
***[3] dict:
****kAMSDataClassEnabled (bool): false
****kAMSDataClassName (string): com.apple.MailAccounts
****kAMSDataClassReset (bool): false
***[4] dict:
****kAMSDataClassEnabled (bool): true
****kAMSDataClassName (string): com.apple.Notes
****kAMSDataClassReset (bool): false
**New Record Calendar Name (string): Home
**iTunes User ID (string): (8-byte hex code)
*Target Identifier (string): 20-byte hex code
*Terget Type (string): Device
*Unique Identifier (string): same 20-byte hex code
*iBooks Data 2 (data): (base-64 encoded blob, see below)
*iTunes Files (dict):
**IC-Info.siv (data): (base-64 encoded blob, see below)
**PhotosFolderAlbums (data): (base-64 encoded blob, see below)
**PhotosFolderName (data): (base-64 encoded blob, see below)
**PhotosFolderPrefs (data): (base-64 encoded blob, see below)
**ShowMarketing (data): (empty)
**iTunesPrefs (data): (base-64 encoded blob, see below)
**iTunesPrefs.plist (data): (base-64 encoded blob, see below)
*iTunes Settings (dict):
**LibraryApplications (array of string): The array of string contains the identification string of each application, for example <code>com.apple.store.caseprogram</code>
*iTunes Version (string): 10.5.3

==== iBooks Data 2 ====
This blob is actually another plist (dict):
*1.2 (dict):
**BKBookmark (array of dict):
***[0] dict:
****bookDatabaseKey (string)
****date (integer)
****deletedFlag (bool)
****highlightColor (integer)
****lastModification (integer)
****locationBPlist (data): (base-64 encoded blob, see below)
****ordinal (integer)
****serverSyncUniqueId (string): Reading Location
****type (integer): 1
*CollectionsData-1.2 (dict):
**BKCollection (array of 2 dict):
***[0] dict:
****databaseKeys (array): (empty)
****lastModification_Since1970 (integer)
****ServerSyncUniqueId (string): Pdfs_Collenction_ID
****sortKey (integer): -2
****title (string): PDFs
***[1] dict:
****databaseKeys (array): (empty)
****lastModification_Since1970 (integer)
****ServerSyncUniqueId (string): Pdfs_Collenction_ID
****sortKey (integer): -1
****title (string): Books
**rolling_version (integer): 17

===== Location BPList =====
This is actually a binary plist with the following content (dict): (example):
*class (string): BKEpubLocation
*endOffset (real): 0,0
*endPath (array of dict):
**[0] dict
***id (string): seeAlsoSection
***index (integer): 32
***tagName (string): div
**[1] dcit
***index (integer): 3
***tagName (string): p
*startOffset (real): 0.0
*startPath (array of dict):
**[0] dict:
***id (string): seeAlsoSection
***index (integer): 32
***tagName (string): div
**[1] dict:
***index (integer): 3
***tagName (string): p
*super (dict):
**class (string): BKLocation
**ordinal (integer): 3

==== IC-Info.siv ====
binary file, content unknown

==== PhotosFolderAlbums ====
[[frpd]] binary file. Starts with 0x66 0x72 0x70 0x64 ('frpd'). Then only very few bytes and the content is mostly zero. Then at 0x68 and 0x26C, 0x470, 0x674, etc. there are folder names (in unicode, starting with the name length).

==== PhotosFolderName ====
A 0x200 byte long file, starting with the text "Pictures" (in unicode) and the name length before it. Rest filled with zeroes.

==== iTunesPrefs ====
This is another [[frpd]] file. It contains names of computers found on the network, like iPodPrefs below.

==== iTunesPrefs.plist ====
plist with this content (dict):
*ApplicationIDs (array of string): list of applications (like <code>com.apple.iBooks</code>
*AudiobookPlaylistIDs (array): (empty)
*AudioTrackIDs (array): (empty)
*BookTrackIDs (array of integer): (signed long integer values)
*LibraryBookTrackIDs (array of integer): (signed long integer values)
*MoviePlaylistIDs (array): (empty)
*MovieTrackIDs (array): (empty)
*MusicAlbumIDs (array): (empty)
*MusicArtistIDs (array): (empty)
*MusicGenreNames (array): (empty)
*MusicPlaylistIDs (array of integer): (signed long integer values)
*MusicTrackIDs (array): (empty)
*PodcastChannelIDs (array): (empty)
*PodcastPlaylistIDs (array): (empty)
*PodcastTrackIDs (array of integer): (signed long integer values)
*RingtoneTrackIDs (array): (empty)
*TVShowAlbumIDs (array): (empty)
*TVShowNames (array): (empty)
*TVShowPlaylistIDs (array): (empty)
*TVShowTrackIDs (array): (empty)
*iPodPrefs (data): (base-64 encoded blob, see below)
*iTunesUChannelIDs (array): (empty)
*iTunesUPlaylistIDs (array): (empty)
*iTunesUTrackIDs (array): (empty)

===== iPodPrefs =====
[[frpd]] file, content unknown, but it contains server names on the network it was sync'd to, like iTunesPrefs above.

=== Manifest.mbdb ===
Binary file containing many text strings. Probably a database of file names in the backup. Format (from [http://code.google.com/p/iphonebackupbrowser/wiki/MbdbMbdxFormat here]):
==== Header ====
6 bytes: 'mbdb\5\0'
==== Record (variable size) ====
string Domain Backup domain (one of
"AppDomain-com.some.user.installed.app",
"CameraRollDomain",
"DatabaseDomain"
"HomeDomain",
"KeychainDomain",
"ManagedPreferencesDomain",
"MediaDomain",
"MobileDeviceDomain",
"RootDomain",
"SystemPreferencesDomain",
"WirelessDomain",
... others?
string Path
string LinkTarget absolute path
string DataHash SHA-1 of file contents, actual file objects only
string encryptionKey Encryption key for encrypted backups
uint16 Mode Unix file permissions. See /usr/include/stat.h and stat(2)
file mode: 0xAxxx symbolic link (aka S_IFLNK or 00120000)
0x4xxx directory (aka S_IFDIR or 0040000)
0x8xxx regular file (aka S_IFREG or 0100000)
Mask out ~ 0xf000 (aka S_IFMT) for file permissions
uint32 inode inode number
uint32 uid owner
uint32 gid group
uint32 mtime time of last modification
uint32 atime time of last access
uint32 ctime time of last change of status
uint64 length file size (always 0 for link or directory)
uint8 protectionclass unknown
uint8 PropertyCount number of properties following
Property is a couple of strings:
string name
string value can be a string or aa binary content
All values are big endian, strings are composed of a uint16 that contains the length or 0xffff for NULL, then the characters in UTF-8 with canonical decomposition (Unicode normalization form D).

To determine the actual filename corresponding to a record (this will be the actual file in the mobile backup directory), calculate a sha-1 checksum of the Domain and Path seperated by '-' as follows:
SHA1(<Domain>-<Path>)

It is possible to modify files in a mobile backup by understanding this structure as well. If you change the file contents, update the DataHash and length

=== Manifest.plist ===
Binary plist with the following content (dict):
*Applications (dict):
**com.apple.iBooks (dict)
***CFBundleIdentifier (string): com.apple.iBooks
***CFBundleVersion (string): 804
***Path (string): /private/var/mobile/Applications/[GUID]/iBooks.app
**etc. for other apps
*BackupKeyBag (data): (base-64 encoded blob, see below)
*Date (date): yyyy-mm-ddThh:mm:ssZ
*IsEncrypted (bool): false
*Lockdown (dict):
**BuildVersion (string): 9A406
**DeviceName (string)
**ProductType (string): iPhone4,1
**ProductVersion (string): 5.0.1
**SerialNumber (string)
**UniqueDeviceID (string): 20-byte hex
**com.apple.Accessibility (dict):
***InvertDisplayEnabledByiTunes (bool): false
***MonoAudioEnabledByiTunes (bool): false
***VoiceOverTouchEnabledByiTunes (bool): false
***ZoomTouchEnabledByiTunes (bool): false
**com.apple.MobileDeviceCrashCopy (dict):
***ShouldPrompt (bool): false
***ShouldSubmit (bool): false
**com.apple.TerminalFlashr (dict): (empty)
**com.apple.iTunes.backup (dict):
***LastBackupComputerName (string)
***LastBackupComputerType (string): PC
**com.apple.itunesstored (dict):
***AccountAvailableServiceTypes (integer): 0
***AccountKind (integer): 0
***AccountServiceTypes (integer): 0
***AccountSocialEnabled (bool): false
***AccountStoreFront (string): (unknown text string)
***AccountURLBagType (string): production
***AppleID (string)
***CreditDisplayString (string): (empty string)
***DSPersonID (integer)
***TempStorefront (string): (unknown text string)
**com.apple.mobile.data_sync (dict):
***Bookmarks (dict):
****AccountNames (array of string, 1 element): iCloud
****Sources (array of string, 1 element): iCloud
***Calendars (dict):
****AccountNames (array of string, 1 element): iCloud
****Sources (array of string, 1 element): iCloud
***Contacts (dict):
****AccountNames (array of string, 1 element): iCloud
****Sources (array of string, 1 element): iCloud
**com.apple.mobile.iTunes.accessories (dict): (empty)
**com.apple.mobile.wireless_lockdown (dict): (empty)
*SystemDomainsVersion (string): 12.0
*Version (string): 9.0
*WasPasscodeSet (bool): false

==== BackupKeyBag ====
Binary file in the following format:
*4-byte block identifier
*4-byte block length (most significant byte first), length 4 means total block length of 0xC bytes.
*data
First block is "VERS" with a version number of 3. There are a lot of block types: VERS, TYPE, UUID, HMCK, WRAP, SALT, ITER, UUID, CLAS, WRAP, KTYP, WPKY, etc.

=== Status.plist ===
Binary plist with the following content (dict):
*BackupState (string): new
*Date (date): "yyyy-mm-ddThh:mm:ssZ"
*IsFullBackup (bool): false
*SnapshotState (string): finished
*UUID (string)
*Version (string): 2.4

== Files ==
Here is a list of commonly used files:
{| class="wikitable" style="font-size: small; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"
|-
!domain
!path and file name
!SHA-1 backup file name
|-
|HomeDomain
|Library/SMS/sms.db
|3d0d7e5fb2ce288813306e4d4636395e047a3d28
|-
|HomeDomain
|Library/AddressBook/AddressBook.sqlitedb
|31bb7ba8914766d4ba40d6dfb6113c8b614be442
|-
|HomeDomain
|Library/Notes/notes.sqlite
|ca3bc056d4da0bbf88b5fb3be254f3b7147e639c
|-
|WirelessDomain
|Library/CallHistory/call_history.db
|2b2b0084a1bc3a5ac8c27afdf14afb42c61a19ca
|}

== References ==
*[[:/System/Library/Backup]]
*[[Backup the iPhone Flash for restore without iTunes]]
*[[Understanding iPhone Backup Files]]
*[http://www.ssddfj.org/papers/SSDDFJ_V4_1_Bader_Bagilli.pdf iPhone 3GS Forensics]
*[http://www.scip.ch/?labs.20110512 SCIP backup infos (german only)]
*[http://stackoverflow.com/questions/6569004/how-to-parse-the-manifest-mbdb-file-in-an-ios-5-0-beta-2-without-manifest-mbdx SHA-1 hash generation]
*[http://code.google.com/p/iphonebackupbrowser/wiki/MbdbMbdxFormat description of mbdx and mbdb files]

ITunes Backup

2013-04-16T06:03:48Z

Chopin4g: /* Manifest.mbdb */

{{lowercase}}
The following description is to describe the '''backup system of [[iTunes]]''', which is often used for forensic analysis of iDevices. This description is for the format used in the latest iTunes 10.5.3 - older versions are slightly different (see [[Understanding iPhone Backup Files|old article]]). The description is only for non-encrypted backups.

On the iDevice there is a file <code>/System/Library/Backup/Domains.plist</code> which determines what files to backup. There is a differentiation between "domains" and relative files.

In the backup location (see below) there are all backups that iTunes has made so far. Every backup folder has a name made of 20 bytes in hex numbers (lower case) for a full backup. A differential backup has the same folder name, but appened with a dash and the ISO date of the backup (8 digit yyyymmdd) and a dash and the time in 24-hour format with seconds.

In each backup, there are four files with infos, which are described later:
*Info.plist
*Manifest.mdbd
*Manifest.plist
*Status.plist
There are also the files themselves, but with a new file name.

The file names are made by a SHA-1 hash of their name, together with their path and domain. Between the domain and the path there is a dash. Example:
SHA1('HomeDomain-Library/SMS/sms.db') = 3d0d7e5fb2ce288813306e4d4636395e047a3d28
It is not clear what would happen in case of hash collisions. Probably Apple assumes it won't happen.

The data itself is encrypted with AES-256 CBC.

===iTunes backup location===
*Windows XP: <code>%HOMEPATH%\Application Data\Apple Computer\MobileSync\Backup\{UDID}</code>
*Windows Vista/7/8: <code>%HOMEPATH%\AppData\Roaming\Apple Computer\MobileSync\Backup\{UDID}</code>
*OS X: <code>~/Library/Application Support/MobileSync/Backup/{UDID}</code>

=== Info.plist ===
This is a plaintext plist that contains the following dict:
*Build Version (string): 9A406 (iOS build version of the device that was backed up)
*Device Name (string): (name of the device that was backed up)
*Display Name (string): (name of the device that was backed up)
*GUID (string): unknown 16-byte GUID without any dashes
*ICCID (string)
*IMEI (string)
*Last Backup Date (date): format "yyyy-mm-ddThh:mm:ssZ"
*Phone Number (string)
*Product Type (string): iPhone4,1
*Product Version (string): 5.0.1
*Serial Number (string)
*Sync Settings (dict):
**Calendar Day Limit (integer): 30
**Calendars Collections: (array of dict, 1 element):
***AMSCollectionDisplayName (string): Calendar
***AMSCollectionFiltered (bool): false
***AMSCollectionName (string): Calendar
***AMSCollectionReadOnly (bool): false
**Data Class Info: (array of dict, 5 elements)
***[0] dict:
****kAMSDataClassEnabled (bool): false
****kAMSDataClassName (string): com.apple.Bookmarks
****kAMSDataClassReset (bool): false
***[1] dict:
****kAMSDataClassEnabled (bool): false
****kAMSDataClassName (string): com.apple.Calendars
****kAMSDataClassReset (bool): false
***[2] dict:
****kAMSDataClassEnabled (bool): false
****kAMSDataClassName (string): com.apple.Accounts
****kAMSDataClassReset (bool): false
***[3] dict:
****kAMSDataClassEnabled (bool): false
****kAMSDataClassName (string): com.apple.MailAccounts
****kAMSDataClassReset (bool): false
***[4] dict:
****kAMSDataClassEnabled (bool): true
****kAMSDataClassName (string): com.apple.Notes
****kAMSDataClassReset (bool): false
**New Record Calendar Name (string): Home
**iTunes User ID (string): (8-byte hex code)
*Target Identifier (string): 20-byte hex code
*Terget Type (string): Device
*Unique Identifier (string): same 20-byte hex code
*iBooks Data 2 (data): (base-64 encoded blob, see below)
*iTunes Files (dict):
**IC-Info.siv (data): (base-64 encoded blob, see below)
**PhotosFolderAlbums (data): (base-64 encoded blob, see below)
**PhotosFolderName (data): (base-64 encoded blob, see below)
**PhotosFolderPrefs (data): (base-64 encoded blob, see below)
**ShowMarketing (data): (empty)
**iTunesPrefs (data): (base-64 encoded blob, see below)
**iTunesPrefs.plist (data): (base-64 encoded blob, see below)
*iTunes Settings (dict):
**LibraryApplications (array of string): The array of string contains the identification string of each application, for example <code>com.apple.store.caseprogram</code>
*iTunes Version (string): 10.5.3

==== iBooks Data 2 ====
This blob is actually another plist (dict):
*1.2 (dict):
**BKBookmark (array of dict):
***[0] dict:
****bookDatabaseKey (string)
****date (integer)
****deletedFlag (bool)
****highlightColor (integer)
****lastModification (integer)
****locationBPlist (data): (base-64 encoded blob, see below)
****ordinal (integer)
****serverSyncUniqueId (string): Reading Location
****type (integer): 1
*CollectionsData-1.2 (dict):
**BKCollection (array of 2 dict):
***[0] dict:
****databaseKeys (array): (empty)
****lastModification_Since1970 (integer)
****ServerSyncUniqueId (string): Pdfs_Collenction_ID
****sortKey (integer): -2
****title (string): PDFs
***[1] dict:
****databaseKeys (array): (empty)
****lastModification_Since1970 (integer)
****ServerSyncUniqueId (string): Pdfs_Collenction_ID
****sortKey (integer): -1
****title (string): Books
**rolling_version (integer): 17

===== Location BPList =====
This is actually a binary plist with the following content (dict): (example):
*class (string): BKEpubLocation
*endOffset (real): 0,0
*endPath (array of dict):
**[0] dict
***id (string): seeAlsoSection
***index (integer): 32
***tagName (string): div
**[1] dcit
***index (integer): 3
***tagName (string): p
*startOffset (real): 0.0
*startPath (array of dict):
**[0] dict:
***id (string): seeAlsoSection
***index (integer): 32
***tagName (string): div
**[1] dict:
***index (integer): 3
***tagName (string): p
*super (dict):
**class (string): BKLocation
**ordinal (integer): 3

==== IC-Info.siv ====
binary file, content unknown

==== PhotosFolderAlbums ====
[[frpd]] binary file. Starts with 0x66 0x72 0x70 0x64 ('frpd'). Then only very few bytes and the content is mostly zero. Then at 0x68 and 0x26C, 0x470, 0x674, etc. there are folder names (in unicode, starting with the name length).

==== PhotosFolderName ====
A 0x200 byte long file, starting with the text "Pictures" (in unicode) and the name length before it. Rest filled with zeroes.

==== iTunesPrefs ====
This is another [[frpd]] file. It contains names of computers found on the network, like iPodPrefs below.

==== iTunesPrefs.plist ====
plist with this content (dict):
*ApplicationIDs (array of string): list of applications (like <code>com.apple.iBooks</code>
*AudiobookPlaylistIDs (array): (empty)
*AudioTrackIDs (array): (empty)
*BookTrackIDs (array of integer): (signed long integer values)
*LibraryBookTrackIDs (array of integer): (signed long integer values)
*MoviePlaylistIDs (array): (empty)
*MovieTrackIDs (array): (empty)
*MusicAlbumIDs (array): (empty)
*MusicArtistIDs (array): (empty)
*MusicGenreNames (array): (empty)
*MusicPlaylistIDs (array of integer): (signed long integer values)
*MusicTrackIDs (array): (empty)
*PodcastChannelIDs (array): (empty)
*PodcastPlaylistIDs (array): (empty)
*PodcastTrackIDs (array of integer): (signed long integer values)
*RingtoneTrackIDs (array): (empty)
*TVShowAlbumIDs (array): (empty)
*TVShowNames (array): (empty)
*TVShowPlaylistIDs (array): (empty)
*TVShowTrackIDs (array): (empty)
*iPodPrefs (data): (base-64 encoded blob, see below)
*iTunesUChannelIDs (array): (empty)
*iTunesUPlaylistIDs (array): (empty)
*iTunesUTrackIDs (array): (empty)

===== iPodPrefs =====
[[frpd]] file, content unknown, but it contains server names on the network it was sync'd to, like iTunesPrefs above.

=== Manifest.mbdb ===
Binary file containing many text strings. Probably a database of file names in the backup. Format (from [http://code.google.com/p/iphonebackupbrowser/wiki/MbdbMbdxFormat here]):
==== Header ====
6 bytes: 'mbdb\5\0'
==== Record (variable size) ====
string Domain Backup domain (one of
"AppDomain-com.some.user.installed.app",
"CameraRollDomain",
"DatabaseDomain"
"HomeDomain",
"KeychainDomain",
"ManagedPreferencesDomain",
"MediaDomain",
"MobileDeviceDomain",
"RootDomain",
"SystemPreferencesDomain",
"WirelessDomain",
... others?
string Path
string LinkTarget absolute path
string DataHash SHA-1, some files only
string encryptionKey Encryption key for encrypted backups
uint16 Mode Unix file permissions. See /usr/include/stat.h and stat(2)
file mode: 0xAxxx symbolic link (aka S_IFLNK or 00120000)
0x4xxx directory (aka S_IFDIR or 0040000)
0x8xxx regular file (aka S_IFREG or 0100000)
Mask out ~ 0xf000 (aka S_IFMT) for file permissions
uint32 inode inode number
uint32 uid owner
uint32 gid group
uint32 mtime time of last modification
uint32 atime time of last access
uint32 ctime time of last change of status
uint64 length file size (always 0 for link or directory)
uint8 protectionclass unknown
uint8 PropertyCount number of properties following
Property is a couple of strings:
string name
string value can be a string or aa binary content
All values are big endian, strings are composed of a uint16 that contains the length or 0xffff for NULL, then the characters in UTF-8 with canonical decomposition (Unicode normalization form D).

To determine the actual filename corresponding to a record (this will be the actual file in the mobile backup directory), calculate a sha-1 checksum of the Domain and Path seperated by '-' as follows:
SHA1(<Domain>-<Path>)

=== Manifest.plist ===
Binary plist with the following content (dict):
*Applications (dict):
**com.apple.iBooks (dict)
***CFBundleIdentifier (string): com.apple.iBooks
***CFBundleVersion (string): 804
***Path (string): /private/var/mobile/Applications/[GUID]/iBooks.app
**etc. for other apps
*BackupKeyBag (data): (base-64 encoded blob, see below)
*Date (date): yyyy-mm-ddThh:mm:ssZ
*IsEncrypted (bool): false
*Lockdown (dict):
**BuildVersion (string): 9A406
**DeviceName (string)
**ProductType (string): iPhone4,1
**ProductVersion (string): 5.0.1
**SerialNumber (string)
**UniqueDeviceID (string): 20-byte hex
**com.apple.Accessibility (dict):
***InvertDisplayEnabledByiTunes (bool): false
***MonoAudioEnabledByiTunes (bool): false
***VoiceOverTouchEnabledByiTunes (bool): false
***ZoomTouchEnabledByiTunes (bool): false
**com.apple.MobileDeviceCrashCopy (dict):
***ShouldPrompt (bool): false
***ShouldSubmit (bool): false
**com.apple.TerminalFlashr (dict): (empty)
**com.apple.iTunes.backup (dict):
***LastBackupComputerName (string)
***LastBackupComputerType (string): PC
**com.apple.itunesstored (dict):
***AccountAvailableServiceTypes (integer): 0
***AccountKind (integer): 0
***AccountServiceTypes (integer): 0
***AccountSocialEnabled (bool): false
***AccountStoreFront (string): (unknown text string)
***AccountURLBagType (string): production
***AppleID (string)
***CreditDisplayString (string): (empty string)
***DSPersonID (integer)
***TempStorefront (string): (unknown text string)
**com.apple.mobile.data_sync (dict):
***Bookmarks (dict):
****AccountNames (array of string, 1 element): iCloud
****Sources (array of string, 1 element): iCloud
***Calendars (dict):
****AccountNames (array of string, 1 element): iCloud
****Sources (array of string, 1 element): iCloud
***Contacts (dict):
****AccountNames (array of string, 1 element): iCloud
****Sources (array of string, 1 element): iCloud
**com.apple.mobile.iTunes.accessories (dict): (empty)
**com.apple.mobile.wireless_lockdown (dict): (empty)
*SystemDomainsVersion (string): 12.0
*Version (string): 9.0
*WasPasscodeSet (bool): false

==== BackupKeyBag ====
Binary file in the following format:
*4-byte block identifier
*4-byte block length (most significant byte first), length 4 means total block length of 0xC bytes.
*data
First block is "VERS" with a version number of 3. There are a lot of block types: VERS, TYPE, UUID, HMCK, WRAP, SALT, ITER, UUID, CLAS, WRAP, KTYP, WPKY, etc.

=== Status.plist ===
Binary plist with the following content (dict):
*BackupState (string): new
*Date (date): "yyyy-mm-ddThh:mm:ssZ"
*IsFullBackup (bool): false
*SnapshotState (string): finished
*UUID (string)
*Version (string): 2.4

== Files ==
Here is a list of commonly used files:
{| class="wikitable" style="font-size: small; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"
|-
!domain
!path and file name
!SHA-1 backup file name
|-
|HomeDomain
|Library/SMS/sms.db
|3d0d7e5fb2ce288813306e4d4636395e047a3d28
|-
|HomeDomain
|Library/AddressBook/AddressBook.sqlitedb
|31bb7ba8914766d4ba40d6dfb6113c8b614be442
|-
|HomeDomain
|Library/Notes/notes.sqlite
|ca3bc056d4da0bbf88b5fb3be254f3b7147e639c
|-
|WirelessDomain
|Library/CallHistory/call_history.db
|2b2b0084a1bc3a5ac8c27afdf14afb42c61a19ca
|}

== References ==
*[[:/System/Library/Backup]]
*[[Backup the iPhone Flash for restore without iTunes]]
*[[Understanding iPhone Backup Files]]
*[http://www.ssddfj.org/papers/SSDDFJ_V4_1_Bader_Bagilli.pdf iPhone 3GS Forensics]
*[http://www.scip.ch/?labs.20110512 SCIP backup infos (german only)]
*[http://stackoverflow.com/questions/6569004/how-to-parse-the-manifest-mbdb-file-in-an-ios-5-0-beta-2-without-manifest-mbdx SHA-1 hash generation]
*[http://code.google.com/p/iphonebackupbrowser/wiki/MbdbMbdxFormat description of mbdx and mbdb files]

ITunes Backup

2013-04-16T06:00:53Z

Chopin4g: /* Record (variable size) */

{{lowercase}}
The following description is to describe the '''backup system of [[iTunes]]''', which is often used for forensic analysis of iDevices. This description is for the format used in the latest iTunes 10.5.3 - older versions are slightly different (see [[Understanding iPhone Backup Files|old article]]). The description is only for non-encrypted backups.

On the iDevice there is a file <code>/System/Library/Backup/Domains.plist</code> which determines what files to backup. There is a differentiation between "domains" and relative files.

In the backup location (see below) there are all backups that iTunes has made so far. Every backup folder has a name made of 20 bytes in hex numbers (lower case) for a full backup. A differential backup has the same folder name, but appened with a dash and the ISO date of the backup (8 digit yyyymmdd) and a dash and the time in 24-hour format with seconds.

In each backup, there are four files with infos, which are described later:
*Info.plist
*Manifest.mdbd
*Manifest.plist
*Status.plist
There are also the files themselves, but with a new file name.

The file names are made by a SHA-1 hash of their name, together with their path and domain. Between the domain and the path there is a dash. Example:
SHA1('HomeDomain-Library/SMS/sms.db') = 3d0d7e5fb2ce288813306e4d4636395e047a3d28
It is not clear what would happen in case of hash collisions. Probably Apple assumes it won't happen.

The data itself is encrypted with AES-256 CBC.

===iTunes backup location===
*Windows XP: <code>%HOMEPATH%\Application Data\Apple Computer\MobileSync\Backup\{UDID}</code>
*Windows Vista/7/8: <code>%HOMEPATH%\AppData\Roaming\Apple Computer\MobileSync\Backup\{UDID}</code>
*OS X: <code>~/Library/Application Support/MobileSync/Backup/{UDID}</code>

=== Info.plist ===
This is a plaintext plist that contains the following dict:
*Build Version (string): 9A406 (iOS build version of the device that was backed up)
*Device Name (string): (name of the device that was backed up)
*Display Name (string): (name of the device that was backed up)
*GUID (string): unknown 16-byte GUID without any dashes
*ICCID (string)
*IMEI (string)
*Last Backup Date (date): format "yyyy-mm-ddThh:mm:ssZ"
*Phone Number (string)
*Product Type (string): iPhone4,1
*Product Version (string): 5.0.1
*Serial Number (string)
*Sync Settings (dict):
**Calendar Day Limit (integer): 30
**Calendars Collections: (array of dict, 1 element):
***AMSCollectionDisplayName (string): Calendar
***AMSCollectionFiltered (bool): false
***AMSCollectionName (string): Calendar
***AMSCollectionReadOnly (bool): false
**Data Class Info: (array of dict, 5 elements)
***[0] dict:
****kAMSDataClassEnabled (bool): false
****kAMSDataClassName (string): com.apple.Bookmarks
****kAMSDataClassReset (bool): false
***[1] dict:
****kAMSDataClassEnabled (bool): false
****kAMSDataClassName (string): com.apple.Calendars
****kAMSDataClassReset (bool): false
***[2] dict:
****kAMSDataClassEnabled (bool): false
****kAMSDataClassName (string): com.apple.Accounts
****kAMSDataClassReset (bool): false
***[3] dict:
****kAMSDataClassEnabled (bool): false
****kAMSDataClassName (string): com.apple.MailAccounts
****kAMSDataClassReset (bool): false
***[4] dict:
****kAMSDataClassEnabled (bool): true
****kAMSDataClassName (string): com.apple.Notes
****kAMSDataClassReset (bool): false
**New Record Calendar Name (string): Home
**iTunes User ID (string): (8-byte hex code)
*Target Identifier (string): 20-byte hex code
*Terget Type (string): Device
*Unique Identifier (string): same 20-byte hex code
*iBooks Data 2 (data): (base-64 encoded blob, see below)
*iTunes Files (dict):
**IC-Info.siv (data): (base-64 encoded blob, see below)
**PhotosFolderAlbums (data): (base-64 encoded blob, see below)
**PhotosFolderName (data): (base-64 encoded blob, see below)
**PhotosFolderPrefs (data): (base-64 encoded blob, see below)
**ShowMarketing (data): (empty)
**iTunesPrefs (data): (base-64 encoded blob, see below)
**iTunesPrefs.plist (data): (base-64 encoded blob, see below)
*iTunes Settings (dict):
**LibraryApplications (array of string): The array of string contains the identification string of each application, for example <code>com.apple.store.caseprogram</code>
*iTunes Version (string): 10.5.3

==== iBooks Data 2 ====
This blob is actually another plist (dict):
*1.2 (dict):
**BKBookmark (array of dict):
***[0] dict:
****bookDatabaseKey (string)
****date (integer)
****deletedFlag (bool)
****highlightColor (integer)
****lastModification (integer)
****locationBPlist (data): (base-64 encoded blob, see below)
****ordinal (integer)
****serverSyncUniqueId (string): Reading Location
****type (integer): 1
*CollectionsData-1.2 (dict):
**BKCollection (array of 2 dict):
***[0] dict:
****databaseKeys (array): (empty)
****lastModification_Since1970 (integer)
****ServerSyncUniqueId (string): Pdfs_Collenction_ID
****sortKey (integer): -2
****title (string): PDFs
***[1] dict:
****databaseKeys (array): (empty)
****lastModification_Since1970 (integer)
****ServerSyncUniqueId (string): Pdfs_Collenction_ID
****sortKey (integer): -1
****title (string): Books
**rolling_version (integer): 17

===== Location BPList =====
This is actually a binary plist with the following content (dict): (example):
*class (string): BKEpubLocation
*endOffset (real): 0,0
*endPath (array of dict):
**[0] dict
***id (string): seeAlsoSection
***index (integer): 32
***tagName (string): div
**[1] dcit
***index (integer): 3
***tagName (string): p
*startOffset (real): 0.0
*startPath (array of dict):
**[0] dict:
***id (string): seeAlsoSection
***index (integer): 32
***tagName (string): div
**[1] dict:
***index (integer): 3
***tagName (string): p
*super (dict):
**class (string): BKLocation
**ordinal (integer): 3

==== IC-Info.siv ====
binary file, content unknown

==== PhotosFolderAlbums ====
[[frpd]] binary file. Starts with 0x66 0x72 0x70 0x64 ('frpd'). Then only very few bytes and the content is mostly zero. Then at 0x68 and 0x26C, 0x470, 0x674, etc. there are folder names (in unicode, starting with the name length).

==== PhotosFolderName ====
A 0x200 byte long file, starting with the text "Pictures" (in unicode) and the name length before it. Rest filled with zeroes.

==== iTunesPrefs ====
This is another [[frpd]] file. It contains names of computers found on the network, like iPodPrefs below.

==== iTunesPrefs.plist ====
plist with this content (dict):
*ApplicationIDs (array of string): list of applications (like <code>com.apple.iBooks</code>
*AudiobookPlaylistIDs (array): (empty)
*AudioTrackIDs (array): (empty)
*BookTrackIDs (array of integer): (signed long integer values)
*LibraryBookTrackIDs (array of integer): (signed long integer values)
*MoviePlaylistIDs (array): (empty)
*MovieTrackIDs (array): (empty)
*MusicAlbumIDs (array): (empty)
*MusicArtistIDs (array): (empty)
*MusicGenreNames (array): (empty)
*MusicPlaylistIDs (array of integer): (signed long integer values)
*MusicTrackIDs (array): (empty)
*PodcastChannelIDs (array): (empty)
*PodcastPlaylistIDs (array): (empty)
*PodcastTrackIDs (array of integer): (signed long integer values)
*RingtoneTrackIDs (array): (empty)
*TVShowAlbumIDs (array): (empty)
*TVShowNames (array): (empty)
*TVShowPlaylistIDs (array): (empty)
*TVShowTrackIDs (array): (empty)
*iPodPrefs (data): (base-64 encoded blob, see below)
*iTunesUChannelIDs (array): (empty)
*iTunesUPlaylistIDs (array): (empty)
*iTunesUTrackIDs (array): (empty)

===== iPodPrefs =====
[[frpd]] file, content unknown, but it contains server names on the network it was sync'd to, like iTunesPrefs above.

=== Manifest.mbdb ===
Binary file containing many text strings. Probably a database of file names in the backup. Format (from [http://code.google.com/p/iphonebackupbrowser/wiki/MbdbMbdxFormat here]):
==== Header ====
6 bytes: 'mbdb\5\0'
==== Record (variable size) ====
string Domain Backup domain (one of
"AppDomain-com.some.user.installed.app",
"CameraRollDomain",
"DatabaseDomain"
"HomeDomain",
"KeychainDomain",
"ManagedPreferencesDomain",
"MediaDomain",
"MobileDeviceDomain",
"RootDomain",
"SystemPreferencesDomain",
"WirelessDomain",
... others?
string Path
string LinkTarget absolute path
string DataHash SHA-1, some files only
string encryptionKey Encryption key for encrypted backups
uint16 Mode Unix file permissions. See /usr/include/stat.h and stat(2)
file mode: 0xAxxx symbolic link (aka S_IFLNK or 00120000)
0x4xxx directory (aka S_IFDIR or 0040000)
0x8xxx regular file (aka S_IFREG or 0100000)
Mask out ~ 0xf000 (aka S_IFMT) for file permissions
uint32 inode inode number
uint32 uid owner
uint32 gid group
uint32 mtime time of last modification
uint32 atime time of last access
uint32 ctime time of last change of status
uint64 length file size (always 0 for link or directory)
uint8 protectionclass unknown
uint8 PropertyCount number of properties following
Property is a couple of strings:
string name
string value can be a string or aa binary content
All values are big endian, strings are composed of a uint16 that contains the length or 0xffff for NULL, then the characters in UTF-8 with canonical decomposition (Unicode normalization form D).

=== Manifest.plist ===
Binary plist with the following content (dict):
*Applications (dict):
**com.apple.iBooks (dict)
***CFBundleIdentifier (string): com.apple.iBooks
***CFBundleVersion (string): 804
***Path (string): /private/var/mobile/Applications/[GUID]/iBooks.app
**etc. for other apps
*BackupKeyBag (data): (base-64 encoded blob, see below)
*Date (date): yyyy-mm-ddThh:mm:ssZ
*IsEncrypted (bool): false
*Lockdown (dict):
**BuildVersion (string): 9A406
**DeviceName (string)
**ProductType (string): iPhone4,1
**ProductVersion (string): 5.0.1
**SerialNumber (string)
**UniqueDeviceID (string): 20-byte hex
**com.apple.Accessibility (dict):
***InvertDisplayEnabledByiTunes (bool): false
***MonoAudioEnabledByiTunes (bool): false
***VoiceOverTouchEnabledByiTunes (bool): false
***ZoomTouchEnabledByiTunes (bool): false
**com.apple.MobileDeviceCrashCopy (dict):
***ShouldPrompt (bool): false
***ShouldSubmit (bool): false
**com.apple.TerminalFlashr (dict): (empty)
**com.apple.iTunes.backup (dict):
***LastBackupComputerName (string)
***LastBackupComputerType (string): PC
**com.apple.itunesstored (dict):
***AccountAvailableServiceTypes (integer): 0
***AccountKind (integer): 0
***AccountServiceTypes (integer): 0
***AccountSocialEnabled (bool): false
***AccountStoreFront (string): (unknown text string)
***AccountURLBagType (string): production
***AppleID (string)
***CreditDisplayString (string): (empty string)
***DSPersonID (integer)
***TempStorefront (string): (unknown text string)
**com.apple.mobile.data_sync (dict):
***Bookmarks (dict):
****AccountNames (array of string, 1 element): iCloud
****Sources (array of string, 1 element): iCloud
***Calendars (dict):
****AccountNames (array of string, 1 element): iCloud
****Sources (array of string, 1 element): iCloud
***Contacts (dict):
****AccountNames (array of string, 1 element): iCloud
****Sources (array of string, 1 element): iCloud
**com.apple.mobile.iTunes.accessories (dict): (empty)
**com.apple.mobile.wireless_lockdown (dict): (empty)
*SystemDomainsVersion (string): 12.0
*Version (string): 9.0
*WasPasscodeSet (bool): false

==== BackupKeyBag ====
Binary file in the following format:
*4-byte block identifier
*4-byte block length (most significant byte first), length 4 means total block length of 0xC bytes.
*data
First block is "VERS" with a version number of 3. There are a lot of block types: VERS, TYPE, UUID, HMCK, WRAP, SALT, ITER, UUID, CLAS, WRAP, KTYP, WPKY, etc.

=== Status.plist ===
Binary plist with the following content (dict):
*BackupState (string): new
*Date (date): "yyyy-mm-ddThh:mm:ssZ"
*IsFullBackup (bool): false
*SnapshotState (string): finished
*UUID (string)
*Version (string): 2.4

== Files ==
Here is a list of commonly used files:
{| class="wikitable" style="font-size: small; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"
|-
!domain
!path and file name
!SHA-1 backup file name
|-
|HomeDomain
|Library/SMS/sms.db
|3d0d7e5fb2ce288813306e4d4636395e047a3d28
|-
|HomeDomain
|Library/AddressBook/AddressBook.sqlitedb
|31bb7ba8914766d4ba40d6dfb6113c8b614be442
|-
|HomeDomain
|Library/Notes/notes.sqlite
|ca3bc056d4da0bbf88b5fb3be254f3b7147e639c
|-
|WirelessDomain
|Library/CallHistory/call_history.db
|2b2b0084a1bc3a5ac8c27afdf14afb42c61a19ca
|}

== References ==
*[[:/System/Library/Backup]]
*[[Backup the iPhone Flash for restore without iTunes]]
*[[Understanding iPhone Backup Files]]
*[http://www.ssddfj.org/papers/SSDDFJ_V4_1_Bader_Bagilli.pdf iPhone 3GS Forensics]
*[http://www.scip.ch/?labs.20110512 SCIP backup infos (german only)]
*[http://stackoverflow.com/questions/6569004/how-to-parse-the-manifest-mbdb-file-in-an-ios-5-0-beta-2-without-manifest-mbdx SHA-1 hash generation]
*[http://code.google.com/p/iphonebackupbrowser/wiki/MbdbMbdxFormat description of mbdx and mbdb files]

Kernel

2012-11-25T02:49:23Z

Chopin4g: added uname/build info for 4.3.5

The '''kernel''' of [[iOS]] is the [[wikipedia:XNU|XNU]] kernel. Pre-2.0, it was vulnerable to the [[Ramdisk Hack]] and may still be, but iBoot doesn't allow boot-args to be passed anymore. It is mapped to memory at 0x80000000, forcing a 2/2GB address separation, similar to Windows 32-bit model. On older iOS the separation was 3/1 (mapping the kernel at 0xC0000000), closer to the Linux model.

Note, that this is NOT like 32-bit OS X, wherein the kernel resides in its own address space, but more like OS X 64-bit, wherein CR3 is shared (albeit an address space larger by several orders of magnitude). See the appropriate [[#64-bit|section]]

== [[ASLR]] ==
{{main|Kernel ASLR}}
As of [[iOS]] 6, the kernel is subject to ASLR, much akin to Mountain Lion (OS X 10.8). This make exploitation harder as the location of kernel code cannot be known.

On production devices, the kernel is always stored as a statically linked [[kernelcache|cache]] stored at [[/System/Library/Caches/com.apple.kernelcaches/kernelcache]] that is decompressed and run on startup. On development devices the kernel is stored in the same location as OS X, at [[/mach_kernel]].

== Stack ==
The kernel maintains its stack at <code>0xd2000000</code>.

== Boot-Args ==
Like its OS X counterpart, iOS's XNU accepts command line arguments (though the actual passing of arguments is done by iBoot, which as of late refuses to do so). Arguments may be directed at the kernel proper, or any one of the many KExts (discussed below). The arguments of the kernel are largely the same as those of OS X.

KExts use boot-args as well, as can be seen when disassembly by calls to PE_parse_boot_argn (usually exported, @0x80240800 on the iOS 5 iPod 4g kernel). Finding references (using IDA) reveals hundreds places in the code wherein arguments are parsed in modules, pertaining to Flash, HDMI, and [[AppleMobileFileIntegrity|AMFI]].

== Versions ==
iOS has consistently maintained a higher kernel version than the corresponding version of OS X. At the time of writing, OS X Mountain Lion's XNU is 20xx, whereas iOS is 21xx. This is not surprising, considering that iOS has novel features (such as KASLR, the default freezer, and various security hardening features) which are first incorporated in it, and only later make it to OS X. The following demonstrates the two OS versions at present:

OS X Mountain Lion:

Darwin Kernel Version 12.2.0: Sat Aug 25 00:48:52 PDT 2012; root:xnu-2050.18.24~1/RELEASE_X86_64 x86_64

iOS 6:

Darwin Kernel Version 13.0.0: Sun Aug 19 00:31:06 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_S5L8950X

Note: The RELEASE_ARM_xxxxxxxx file obviously differs on device / CPU.

{| class="wikitable sortable" style="font-size: smaller; text-align: center;"
|-
! width="40" | Version
! width="400" | Build
! width="220" | Comment
|-
| [[Alpine 1A420 (iPhone)|1A420]]
| Darwin Kernel Version 4.4.2-Purple-19: Thu Mar 8 01:43:04 PST 2007; root:xnu-933.0.14~46/RELEASE_ARM_S5L8900XRB
| from prototype - not sure if 100% correct.
|-
| 1.0.0
|
|
|-
| 1.0.1
|
|
|-
| 1.0.2
|
|
|-
| 1.1.1
|
|
|-
| 1.1.2
|
|
|-
| 1.1.3
|
|
|-
| 1.1.4
|
|
|-
| 2.0
|
|
|-
| 2.0.1
|
|
|-
| 2.0.2
|
|
|-
| 2.1
|
|
|-
| 2.2
|
|
|-
| 2.2.1
|
|
|-
| 3.0
|
|
|-
| 3.0.1
|
|
|-
| 3.1
|
|
|-
| 3.1.2
|
|
|-
| 3.1.3
|
|
|-
| 3.2
|
|
|-
| 3.2.1
|
|
|-
| 3.2.2
|
|
|-
| 4.0
|
|
|-
| 4.0.1
|
|
|-
| 4.0.2
|
|
|-
| 4.1
|
|
|-
| 4.2.1
| Darwin Kernel Version 10.4.0: Wed Oct 20 20:14:45 PDT 2010; root:xnu-1504.58.28~3/RELEASE_ARM_S5L8930X
|
|-
| 4.3
|
|
|-
| 4.3.1
|
|
|-
| 4.3.2
|
|
|-
| 4.3.3
| Darwin Kernel Version 11.0.0: Wed Mar 30 18:44:45 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_[[S5L8920]]X
|
|-
| 4.3.4
|
|
|-
| 4.3.5
| Darwin Kernel Version 11.0.0: Sat Jul 9 00:59:43 PDT 2011; root:xnu-1735.47~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.0
| Darwin Kernel Version 11.0.0: Thu Sep 15 23:34:43 PDT 2011; root:xnu-1878.4.43~2/RELEASE_ARM_[[S5L8940]]X
|
|-
| 5.0.1
| Darwin Kernel Version 11.0.0: Tue Nov 1 20:34:16 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_[[S5L8940]]X
|
|-
| 5.1
| Darwin Kernel Version 11.0.0: Wed Feb 1 23:18:07 PST 2012; root:xnu-1878.11.8~1/RELEASE_ARM_[[S5L8945]]X
|
|-
| 5.1.1
| Darwin Kernel Version 11.0.0: Sun Apr 8 21:51:26 PDT 2012; root:xnu-1878.11.10~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0
| Darwin Kernel Version 13.0.0: Sun Aug 19 00:31:06 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.0.1
| Darwin Kernel Version 13.0.0: Wed Oct 10 23:29:02 PDT 2012; root:xnu-2107.2.34~2/RELEASE_ARM_[[S5L8930]]X
|
|}

This constant version scheme makes parsing with regex dead simple:
Darwin Kernel Version ([0-9]+)\.([0-9]+)\.([0-9]+): (Sun|Mon|Tue|Wed|Thu|Fri|Sat) (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ([0-9]{2}) ([0-9]{2}):([0-9]{2}):([0-9]{2}) ([A-Z]{3}) ([0-9]{4}); root:xnu-([0-9]+)\.([0-9]+)\.([0-9]+)~([0-9]+)/RELEASE_ARM_S5L([0-9]{4})X
with the results as:
Darwin Kernel Version $1\.$2\.$3: $4 $5 $6 $7:$8:$9 $10 $11; root:xnu-$12.$13.$14~$15/RELEASE_ARM_S5L$16X

== Source Code ==
As XNU is based off of the [[wikipedia:Berkeley Software Distribution|BSD kernel]], it is [http://opensource.apple.com/source/xnu open source]. The source is under a [http://opensource.apple.com/license/bsd/ 3-clause BSD License] for the original BSD portions with the portions added by Apple under the [http://opensource.apple.com/license/apsl/ Apple Public Source License]. The [[#Versions|versions contained in iOS]] are not available, instead only versions used in ''OS X'' are available. This does not appear to be legal as per §2.3 in the APSL:
2.3 Distribution of Executable Versions. In addition, if You Externally Deploy Covered
Code (Original Code and/or Modifications) in object code, executable form only, '''You must'''
'''include a prominent notice''', in the code itself as well as in related documentation, '''stating'''
'''that Source Code of the Covered Code is available''' under the terms of this License '''with'''
'''information on how and where to obtain such Source Code'''.
with ''Source Code'' defined in §1.8:
1.8 "Source Code" means the human readable form of a program or other work that is
suitable for making modifications to it, including all modules it contains, plus any
associated interface definition files, scripts used to control compilation and installation
of an executable (object code).

It is worth noting that Apple does ''not'' list XNU as being an open source component of [[iOS]]. This can be seen by viewing [http://opensource.apple.com/ opensource.apple.com] and selecting ''any'' iOS version. As far as can be told, ''none'' of the versions of XNU are available in source version.

There are many other open souce components that iOS uses that are ''not'' listed, such as:
* [http://opensource.apple.com/source/CF/ CF] ([https://developer.apple.com/library/mac/#documentation/CoreFoundation/Reference/CoreFoundation_Collection/_index.html CoreFoundation] - Cocoa)
* [http://opensource.apple.com/source/SQLite/ SQLite] ([http://www.sqlite.org/ SQLite] - database utility)
* [http://opensource.apple.com/source/TimeZoneData/ TimeZoneData] ([[wikipedia:tz database|tz database]] - [[/usr/share/zoneinfo]])
* [http://opensource.apple.com/source/curl/ curl](?) ([http://curl.haxx.se/ libcurl] - various HTTP operations)
* [http://opensource.apple.com/source/hfs/ hfs] (hfs - [[wikipedia:Hierarchical File System|HFS]] driver)
* [http://opensource.apple.com/source/launchd/ launchd] ([[launchd]] - launch daemon)
* [http://opensource.apple.com/source/libxml2/ libxml2](?) ([http://www.xmlsoft.org/ libxml2] - parser for [[wikipedia:XML|XML]] [[Property List|plist]]s)
* [http://opensource.apple.com/source/xnu/ xnu] (XNU - Kernel)
* [http://opensource.apple.com/source/zip/ zip] (zip - extraction of various files)
It does ''not'' appear that Apple assumes what you see in the ''OS X'' pages are also on ''iOS'' as [http://opensource.apple.com/source/JavaScriptCore/ JavaScriptCore], [http://opensource.apple.com/source/WebCore/ WebCore], among others are listed on both [http://opensource.apple.com/release/mac-os-x-108/ OS X] (10.8) and [http://opensource.apple.com/release/ios-60/ iOS] (6.0), albeit different versions.

It is also worth noting that [http://opensource.apple.com/source/gdb/ gdb] ([[wikipedia:GNU Compiler Collection|GCC]] debugger) and [http://opensource.apple.com/source/ld64/ ld64] are listed as components in [http://opensource.apple.com/release/ios-60/ iOS 6.0]. Why there are present is a mystery as they are not present on unaltered devices, but only through [[Cydia.app|Cydia]] or [[Xcode]]'s <code>DeveloperImage.dmg</code>.

== Kernel Extensions ==
iOS, sadly, does ''not'' have [[Kernel Extension|kext]]s floating around the [[/|file system]], but they are indeed present. The [[kernelcache]] can be unpacked to show the kernel proper, along with the kexts (all packed in the __PRELINK_TEXT section) and their [[Property List|plist]]s (in the __PRELINK_INFO section).

The Cydia supplied [[kextstat]] does not work on [[iOS]]. Sadly, the reason is that kextstat relies on <code>kmod_get_info(...)</code>, which is a deprecated (and recently removed) API in recent iOS and OS X versions. With that said, the [[Kernel Extension|kext]]s ''do'' exist. The alternative, [[kextstat#jkextstat|jkextstat]], ''does'' work on recent iOS versions. jkextstat can cause some confusion as it uses the executable name <code>kextstat</code>, similar to how calling <code>g++</code> just launches <code>gcc</code> but with parameters to treat all <code>.c</code> files as C++ files.

The following is the output from [[kextstat#jkextstat|jkextstat]] on an [[n81ap|iPod touch 4G]] running [[iOS]] 6(?):

Podicum:~ root# ./kextstat
0 __kernel__
1 kpi.bsd
2 kpi.dsep
3 kpi.iokit
4 kpi.libkern
5 kpi.mach
6 kpi.private
7 kpi.unsupported
8 driver.AppleARMPlatform <1 3 4 5 6 7>
9 iokit.IOStorageFamily <1 3 4 5 6 7>
10 driver.DiskImages <1 3 4 5 6 7 9>
11 driver.FairPlayIOKit <1 3 4 5 6 7>
12 driver.IOSlaveProcessor <3 4>
13 driver.IOP_s5l8930x_firmware <3 4 12>
14 iokit.AppleProfileFamily <1 3 4 5 6 7>
15 iokit.IOCryptoAcceleratorFamily <1 3 4 5 7>
16 driver.AppleMobileFileIntegrity <1 2 3 4 5 6 7 15>
17 iokit.IONetworkingFamily <1 3 4 5 6 7>
18 iokit.IOUserEthernet <1 3 4 5 6 16 17>
19 platform.AppleKernelStorage <3 4 7>
20 iokit.IOSurface <1 3 4 5 6 7 8>
21 iokit.IOStreamFamily <3 4 5>
22 iokit.IOAudio2Family <1 3 4 5 21>
23 driver.AppleAC3Passthrough <1 3 4 5 7 8 11 21 22>
24 iokit.EncryptedBlockStorage <1 3 4 5 9 15>
25 iokit.IOFlashStorage <1 3 4 5 7 9 24>
26 driver.AppleEffaceableStorage <1 3 4 5 7 8 25>
27 driver.AppleKeyStore <1 3 4 5 6 7 15 16 26>
28 kext.AppleMatch <1 4>
29 security.sandbox <1 2 3 4 5 6 7 16 28>
30 driver.AppleS5L8930X <1 3 4 5 7 8>
31 iokit.IOHIDFamily <1 3 4 5 6 7 16>
32 driver.AppleM68Buttons <1 3 4 5 7 8 31>
33 iokit.IOUSBDeviceFamily <1 3 4 5>
34 iokit.IOSerialFamily <1 3 4 5 6 7>
35 driver.AppleOnboardSerial <1 3 4 5 7 34>
36 iokit.IOAccessoryManager <3 4 5 7 8 33 34 35>
37 driver.AppleProfileTimestampAction <1 3 4 5 14>
38 driver.AppleProfileThreadInfoAction <1 3 4 6 14>
39 driver.AppleProfileKEventAction <1 3 4 14>
40 driver.AppleProfileRegisterStateAction <1 3 4 14>
41 driver.AppleProfileCallstackAction <1 3 4 5 6 14>
42 driver.AppleProfileReadCounterAction <3 4 6 14>
43 driver.AppleARMPL192VIC <3 4 5 7 8>
44 driver.AppleCDMA <1 3 4 5 7 8 15>
45 driver.IODARTFamily <3 4 5>
46 driver.AppleS5L8930XDART <1 3 4 5 7 8 45>
47 iokit.IOSDIOFamily <1 3 4 5 7>
48 driver.AppleIOPSDIO <1 3 4 5 7 8 12 47>
49 driver.AppleIOPFMI <1 3 4 5 7 8 12 25>
50 driver.AppleSamsungSPI <1 3 4 5 7 8>
51 driver.AppleSamsungSerial <1 3 4 5 7 8 34 35>
52 driver.AppleSamsungPKE <3 4 5 7 8 15>
53 driver.AppleS5L8920X <1 3 4 5 7 8>
54 driver.AppleSamsungI2S <1 3 4 5 7 8>
55 driver.AppleEmbeddedUSB <1 3 4 5 7 8>
56 driver.AppleS5L8930XUSBPhy <1 3 4 5 7 8 55>
57 iokit.IOUSBFamily <1 3 4 5 7>
58 driver.AppleUSBEHCI <1 3 4 5 7 57>
59 driver.AppleUSBComposite <1 3 4 57>
60 driver.AppleEmbeddedUSBHost <1 3 4 5 7 55 57 59>
61 driver.AppleUSBOHCI <1 3 4 5 57>
62 driver.AppleUSBOHCIARM <3 4 5 8 55 57 60 61>
63 driver.AppleUSBHub <1 3 4 5 57>
64 driver.AppleUSBEHCIARM <3 4 5 8 55 57 58 60 63>
65 driver.AppleS5L8930XUSB <1 3 4 5 7 8 55 57 58 60 61 62 64>
66 driver.AppleARM7M <3 4 8 12>
67 driver.EmbeddedIOP <3 4 5 12>
68 driver.AppleVXD375 <1 3 4 5 7 8 11>
69 driver.AppleD1815PMU <1 3 4 5 7 8 31>
70 iokit.AppleARMIISAudio <1 3 4 5 7 22>
71 driver.AppleEmbeddedAudio <1 3 4 5 7 8 22 31 70>
72 driver.AppleCS42L59Audio <3 4 5 8 22 31 70 71>
73 driver.AppleEmbeddedAccelerometer <3 4 5 7 8 31>
74 driver.AppleEmbeddedGyro <1 3 4 5 7 8 31>
75 driver.AppleEmbeddedLightSensor <3 4 5 7 8 31>
76 iokit.IOAcceleratorFamily <1 3 4 5 7 8>
77 IMGSGX535 <1 3 4 5 7 8 76>
78 driver.H2H264VideoEncoderDriver <1 3 4 5 7 8>
79 driver.AppleJPEGDriver <1 3 4 5 7 8>
80 driver.AppleH3CameraInterface <1 3 4 5 7 8>
81 driver.AppleM2ScalerCSCDriver <1 3 4 5 7 8 45>
82 iokit.IOMobileGraphicsFamily <1 3 4 5 7 8>
83 driver.AppleDisplayPipe <1 3 4 5 7 8 82>
84 driver.AppleCLCD <1 3 4 5 7 8 82 83>
85 driver.AppleSamsungMIPIDSI <1 3 4 5 7 8>
86 driver.ApplePinotLCD <1 3 4 5 7 8>
87 driver.AppleSamsungSWI <1 3 4 5 7 8>
88 iokit.IODisplayPortFamily <1 3 4 5 6 7 22>
89 driver.AppleRGBOUT <1 3 4 5 7 8 82 83 88>
90 driver.AppleTVOut <1 3 4 5 7 8>
91 driver.AppleAMC_r2 <1 3 4 5 7 8 11 21 22>
92 driver.AppleSamsungDPTX <3 4 5 7 8 88>
93 driver.AppleSynopsysOTGDevice <1 3 4 5 7 8 33 55>
94 driver.AppleNANDFTL <1 3 4 5 7 9 25>
95 driver.AppleNANDLegacyFTL <1 3 4 5 9 25 94>
96 AppleFSCompression.AppleFSCompressionTypeZlib <1 2 3 4 6>
97 IOTextEncryptionFamily <1 3 4 5 7 11>
98 driver.AppleBSDKextStarter <3 4>
99 nke.ppp <1 3 4 5 6 7>
100 nke.l2tp <1 3 4 5 6 7 99>
101 nke.pptp <1 3 4 5 6 7 99>
102 iokit.IO80211Family <1 3 4 5 6 7 17>
103 driver.AppleBCMWLANCore <1 3 4 5 6 7 8 17 102>
104 driver.AppleBCMWLANBusInterfaceSDIO <1 3 4 5 6 7 8 47 103>
105 driver.AppleDiagnosticDataAccessReadOnly <1 3 4 5 7 8 94>
106 driver.LightweightVolumeManager <1 3 4 5 9 15 24 26>
107 driver.IOFlashNVRAM <1 3 4 5 6 7 25>
108 driver.AppleNANDFirmware <1 3 4 5 25>
109 driver.AppleImage3NORAccess <1 3 4 5 7 8 15 108>
110 driver.AppleBluetooth <1 3 4 5 7 8>
111 driver.AppleMultitouchSPI <1 3 4 5 7 8>
112 driver.AppleUSBMike <1 3 4 5 8 22 33>
113 driver.AppleUSBDeviceMux <1 3 4 5 6 7 33>
114 driver.AppleUSBEthernetDevice <1 3 4 5 6 8 17 33>

For a specific extension, e.g. SandBox, the full information (including the handy load address) is also accessible:

<code>root# ./jkextstat -b sandbox -x</code>:
<plist>
<dict>
<key>CFBundleIdentifier</key>
<string>com.apple.security.sandbox</string>
<key>CFBundleVersion</key>
<string>154.7</string>
<key>OSBundleCPUSubtype</key>
<integer>9</integer>
<key>OSBundleCPUType</key>
<integer>12</integer>
<key>OSBundleDependencies</key>
<array>
<integer>6</integer>
<integer>7</integer>
<integer>5</integer>
<integer>3</integer>
<integer>28</integer>
<integer>1</integer>
<integer>4</integer>
<integer>16</integer>
<integer>2</integer>
</array>
<key>OSBundleExecutablePath</key>
<string>/System/Library/Extensions/Sandbox.kext/Sandbox</string>
<key>OSBundleIsInterface</key>
<false/>
<key>OSBundleLoadAddress</key>
<integer>2153734144</integer>
<key>OSBundleLoadSize</key>
<integer>36864</integer>
<key>OSBundleLoadTag</key>
<integer>29</integer>
<key>OSBundleMachOHeaders</key>
<data>
zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA
AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f
VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf
X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA
AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf
gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA
AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA
AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA
AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA
AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2
TzkVrtqsgOViBQ0=
</data>
<key>OSBundlePath</key>
<string>/System/Library/Extensions/Sandbox.kext</string>
<key>OSBundlePrelinked</key>
<true/>
<key>OSBundleRetainCount</key>
<integer>0</integer>
<key>OSBundleStarted</key>
<true/>
<key>OSBundleUUID</key>
<data>
FqyDtjZPORWu2qyA5WIFDQ==
</data>
<key>OSBundleWiredSize</key>
<integer>36864</integer>
<key>OSKernelResource</key>
<false/>
</dict>
</plist>

It's also worth mentioning that, in the above listing, the OSBundleMachOHeaders (base-64 encoded binary headers) leak kernel addresses in iOS 6.0.0, allowing for its jailbreak, which has yet to be made public. This has been quickly fixed in iOS 6.0.1, effectively locking down iOS for the foreseeable future, thanks to security researcher mdowd.

== External Links ==
Article by [[I0n1c|Stefan Esser]] about [https://media.blackhat.com/bh-us-11/Esser/BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf exploiting the kernel]

Basic Source code of [http://newosxbook.com/src.jl?tree=listings&file=18-1-JKextstat.c jkextstat] from the [http://www.amazon.com/gp/product/1118057651/ref=as_li_ss_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=1118057651&linkCode=as2&tag=newosxbookcom-20 OSX/iOS internals book].

== See Also ==
* [[Kernel Syscalls]]
* [[Kernel Sysctls]]
* [[Kernel Task]]
* [[Kernel Symbols]]
* [[kdebug]]

== External Links ==
* [http://opensource.apple.com/source/xnu XNU Source] (up to latest **OS X** version)

Kernel

2012-11-25T02:47:36Z

Chopin4g: added uname/build info for 6.0.1

The '''kernel''' of [[iOS]] is the [[wikipedia:XNU|XNU]] kernel. Pre-2.0, it was vulnerable to the [[Ramdisk Hack]] and may still be, but iBoot doesn't allow boot-args to be passed anymore. It is mapped to memory at 0x80000000, forcing a 2/2GB address separation, similar to Windows 32-bit model. On older iOS the separation was 3/1 (mapping the kernel at 0xC0000000), closer to the Linux model.

Note, that this is NOT like 32-bit OS X, wherein the kernel resides in its own address space, but more like OS X 64-bit, wherein CR3 is shared (albeit an address space larger by several orders of magnitude). See the appropriate [[#64-bit|section]]

== [[ASLR]] ==
{{main|Kernel ASLR}}
As of [[iOS]] 6, the kernel is subject to ASLR, much akin to Mountain Lion (OS X 10.8). This make exploitation harder as the location of kernel code cannot be known.

On production devices, the kernel is always stored as a statically linked [[kernelcache|cache]] stored at [[/System/Library/Caches/com.apple.kernelcaches/kernelcache]] that is decompressed and run on startup. On development devices the kernel is stored in the same location as OS X, at [[/mach_kernel]].

== Stack ==
The kernel maintains its stack at <code>0xd2000000</code>.

== Boot-Args ==
Like its OS X counterpart, iOS's XNU accepts command line arguments (though the actual passing of arguments is done by iBoot, which as of late refuses to do so). Arguments may be directed at the kernel proper, or any one of the many KExts (discussed below). The arguments of the kernel are largely the same as those of OS X.

KExts use boot-args as well, as can be seen when disassembly by calls to PE_parse_boot_argn (usually exported, @0x80240800 on the iOS 5 iPod 4g kernel). Finding references (using IDA) reveals hundreds places in the code wherein arguments are parsed in modules, pertaining to Flash, HDMI, and [[AppleMobileFileIntegrity|AMFI]].

== Versions ==
iOS has consistently maintained a higher kernel version than the corresponding version of OS X. At the time of writing, OS X Mountain Lion's XNU is 20xx, whereas iOS is 21xx. This is not surprising, considering that iOS has novel features (such as KASLR, the default freezer, and various security hardening features) which are first incorporated in it, and only later make it to OS X. The following demonstrates the two OS versions at present:

OS X Mountain Lion:

Darwin Kernel Version 12.2.0: Sat Aug 25 00:48:52 PDT 2012; root:xnu-2050.18.24~1/RELEASE_X86_64 x86_64

iOS 6:

Darwin Kernel Version 13.0.0: Sun Aug 19 00:31:06 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_S5L8950X

Note: The RELEASE_ARM_xxxxxxxx file obviously differs on device / CPU.

{| class="wikitable sortable" style="font-size: smaller; text-align: center;"
|-
! width="40" | Version
! width="400" | Build
! width="220" | Comment
|-
| [[Alpine 1A420 (iPhone)|1A420]]
| Darwin Kernel Version 4.4.2-Purple-19: Thu Mar 8 01:43:04 PST 2007; root:xnu-933.0.14~46/RELEASE_ARM_S5L8900XRB
| from prototype - not sure if 100% correct.
|-
| 1.0.0
|
|
|-
| 1.0.1
|
|
|-
| 1.0.2
|
|
|-
| 1.1.1
|
|
|-
| 1.1.2
|
|
|-
| 1.1.3
|
|
|-
| 1.1.4
|
|
|-
| 2.0
|
|
|-
| 2.0.1
|
|
|-
| 2.0.2
|
|
|-
| 2.1
|
|
|-
| 2.2
|
|
|-
| 2.2.1
|
|
|-
| 3.0
|
|
|-
| 3.0.1
|
|
|-
| 3.1
|
|
|-
| 3.1.2
|
|
|-
| 3.1.3
|
|
|-
| 3.2
|
|
|-
| 3.2.1
|
|
|-
| 3.2.2
|
|
|-
| 4.0
|
|
|-
| 4.0.1
|
|
|-
| 4.0.2
|
|
|-
| 4.1
|
|
|-
| 4.2.1
| Darwin Kernel Version 10.4.0: Wed Oct 20 20:14:45 PDT 2010; root:xnu-1504.58.28~3/RELEASE_ARM_S5L8930X
|
|-
| 4.3
|
|
|-
| 4.3.1
|
|
|-
| 4.3.2
|
|
|-
| 4.3.3
| Darwin Kernel Version 11.0.0: Wed Mar 30 18:44:45 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_[[S5L8920]]X
|
|-
| 4.3.4
|
|
|-
| 4.3.5
|
|
|-
| 5.0
| Darwin Kernel Version 11.0.0: Thu Sep 15 23:34:43 PDT 2011; root:xnu-1878.4.43~2/RELEASE_ARM_[[S5L8940]]X
|
|-
| 5.0.1
| Darwin Kernel Version 11.0.0: Tue Nov 1 20:34:16 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_[[S5L8940]]X
|
|-
| 5.1
| Darwin Kernel Version 11.0.0: Wed Feb 1 23:18:07 PST 2012; root:xnu-1878.11.8~1/RELEASE_ARM_[[S5L8945]]X
|
|-
| 5.1.1
| Darwin Kernel Version 11.0.0: Sun Apr 8 21:51:26 PDT 2012; root:xnu-1878.11.10~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0
| Darwin Kernel Version 13.0.0: Sun Aug 19 00:31:06 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.0.1
| Darwin Kernel Version 13.0.0: Wed Oct 10 23:29:02 PDT 2012; root:xnu-2107.2.34~2/RELEASE_ARM_[[S5L8930]]X
|
|}

This constant version scheme makes parsing with regex dead simple:
Darwin Kernel Version ([0-9]+)\.([0-9]+)\.([0-9]+): (Sun|Mon|Tue|Wed|Thu|Fri|Sat) (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ([0-9]{2}) ([0-9]{2}):([0-9]{2}):([0-9]{2}) ([A-Z]{3}) ([0-9]{4}); root:xnu-([0-9]+)\.([0-9]+)\.([0-9]+)~([0-9]+)/RELEASE_ARM_S5L([0-9]{4})X
with the results as:
Darwin Kernel Version $1\.$2\.$3: $4 $5 $6 $7:$8:$9 $10 $11; root:xnu-$12.$13.$14~$15/RELEASE_ARM_S5L$16X

== Source Code ==
As XNU is based off of the [[wikipedia:Berkeley Software Distribution|BSD kernel]], it is [http://opensource.apple.com/source/xnu open source]. The source is under a [http://opensource.apple.com/license/bsd/ 3-clause BSD License] for the original BSD portions with the portions added by Apple under the [http://opensource.apple.com/license/apsl/ Apple Public Source License]. The [[#Versions|versions contained in iOS]] are not available, instead only versions used in ''OS X'' are available. This does not appear to be legal as per §2.3 in the APSL:
2.3 Distribution of Executable Versions. In addition, if You Externally Deploy Covered
Code (Original Code and/or Modifications) in object code, executable form only, '''You must'''
'''include a prominent notice''', in the code itself as well as in related documentation, '''stating'''
'''that Source Code of the Covered Code is available''' under the terms of this License '''with'''
'''information on how and where to obtain such Source Code'''.
with ''Source Code'' defined in §1.8:
1.8 "Source Code" means the human readable form of a program or other work that is
suitable for making modifications to it, including all modules it contains, plus any
associated interface definition files, scripts used to control compilation and installation
of an executable (object code).

It is worth noting that Apple does ''not'' list XNU as being an open source component of [[iOS]]. This can be seen by viewing [http://opensource.apple.com/ opensource.apple.com] and selecting ''any'' iOS version. As far as can be told, ''none'' of the versions of XNU are available in source version.

There are many other open souce components that iOS uses that are ''not'' listed, such as:
* [http://opensource.apple.com/source/CF/ CF] ([https://developer.apple.com/library/mac/#documentation/CoreFoundation/Reference/CoreFoundation_Collection/_index.html CoreFoundation] - Cocoa)
* [http://opensource.apple.com/source/SQLite/ SQLite] ([http://www.sqlite.org/ SQLite] - database utility)
* [http://opensource.apple.com/source/TimeZoneData/ TimeZoneData] ([[wikipedia:tz database|tz database]] - [[/usr/share/zoneinfo]])
* [http://opensource.apple.com/source/curl/ curl](?) ([http://curl.haxx.se/ libcurl] - various HTTP operations)
* [http://opensource.apple.com/source/hfs/ hfs] (hfs - [[wikipedia:Hierarchical File System|HFS]] driver)
* [http://opensource.apple.com/source/launchd/ launchd] ([[launchd]] - launch daemon)
* [http://opensource.apple.com/source/libxml2/ libxml2](?) ([http://www.xmlsoft.org/ libxml2] - parser for [[wikipedia:XML|XML]] [[Property List|plist]]s)
* [http://opensource.apple.com/source/xnu/ xnu] (XNU - Kernel)
* [http://opensource.apple.com/source/zip/ zip] (zip - extraction of various files)
It does ''not'' appear that Apple assumes what you see in the ''OS X'' pages are also on ''iOS'' as [http://opensource.apple.com/source/JavaScriptCore/ JavaScriptCore], [http://opensource.apple.com/source/WebCore/ WebCore], among others are listed on both [http://opensource.apple.com/release/mac-os-x-108/ OS X] (10.8) and [http://opensource.apple.com/release/ios-60/ iOS] (6.0), albeit different versions.

It is also worth noting that [http://opensource.apple.com/source/gdb/ gdb] ([[wikipedia:GNU Compiler Collection|GCC]] debugger) and [http://opensource.apple.com/source/ld64/ ld64] are listed as components in [http://opensource.apple.com/release/ios-60/ iOS 6.0]. Why there are present is a mystery as they are not present on unaltered devices, but only through [[Cydia.app|Cydia]] or [[Xcode]]'s <code>DeveloperImage.dmg</code>.

== Kernel Extensions ==
iOS, sadly, does ''not'' have [[Kernel Extension|kext]]s floating around the [[/|file system]], but they are indeed present. The [[kernelcache]] can be unpacked to show the kernel proper, along with the kexts (all packed in the __PRELINK_TEXT section) and their [[Property List|plist]]s (in the __PRELINK_INFO section).

The Cydia supplied [[kextstat]] does not work on [[iOS]]. Sadly, the reason is that kextstat relies on <code>kmod_get_info(...)</code>, which is a deprecated (and recently removed) API in recent iOS and OS X versions. With that said, the [[Kernel Extension|kext]]s ''do'' exist. The alternative, [[kextstat#jkextstat|jkextstat]], ''does'' work on recent iOS versions. jkextstat can cause some confusion as it uses the executable name <code>kextstat</code>, similar to how calling <code>g++</code> just launches <code>gcc</code> but with parameters to treat all <code>.c</code> files as C++ files.

The following is the output from [[kextstat#jkextstat|jkextstat]] on an [[n81ap|iPod touch 4G]] running [[iOS]] 6(?):

Podicum:~ root# ./kextstat
0 __kernel__
1 kpi.bsd
2 kpi.dsep
3 kpi.iokit
4 kpi.libkern
5 kpi.mach
6 kpi.private
7 kpi.unsupported
8 driver.AppleARMPlatform <1 3 4 5 6 7>
9 iokit.IOStorageFamily <1 3 4 5 6 7>
10 driver.DiskImages <1 3 4 5 6 7 9>
11 driver.FairPlayIOKit <1 3 4 5 6 7>
12 driver.IOSlaveProcessor <3 4>
13 driver.IOP_s5l8930x_firmware <3 4 12>
14 iokit.AppleProfileFamily <1 3 4 5 6 7>
15 iokit.IOCryptoAcceleratorFamily <1 3 4 5 7>
16 driver.AppleMobileFileIntegrity <1 2 3 4 5 6 7 15>
17 iokit.IONetworkingFamily <1 3 4 5 6 7>
18 iokit.IOUserEthernet <1 3 4 5 6 16 17>
19 platform.AppleKernelStorage <3 4 7>
20 iokit.IOSurface <1 3 4 5 6 7 8>
21 iokit.IOStreamFamily <3 4 5>
22 iokit.IOAudio2Family <1 3 4 5 21>
23 driver.AppleAC3Passthrough <1 3 4 5 7 8 11 21 22>
24 iokit.EncryptedBlockStorage <1 3 4 5 9 15>
25 iokit.IOFlashStorage <1 3 4 5 7 9 24>
26 driver.AppleEffaceableStorage <1 3 4 5 7 8 25>
27 driver.AppleKeyStore <1 3 4 5 6 7 15 16 26>
28 kext.AppleMatch <1 4>
29 security.sandbox <1 2 3 4 5 6 7 16 28>
30 driver.AppleS5L8930X <1 3 4 5 7 8>
31 iokit.IOHIDFamily <1 3 4 5 6 7 16>
32 driver.AppleM68Buttons <1 3 4 5 7 8 31>
33 iokit.IOUSBDeviceFamily <1 3 4 5>
34 iokit.IOSerialFamily <1 3 4 5 6 7>
35 driver.AppleOnboardSerial <1 3 4 5 7 34>
36 iokit.IOAccessoryManager <3 4 5 7 8 33 34 35>
37 driver.AppleProfileTimestampAction <1 3 4 5 14>
38 driver.AppleProfileThreadInfoAction <1 3 4 6 14>
39 driver.AppleProfileKEventAction <1 3 4 14>
40 driver.AppleProfileRegisterStateAction <1 3 4 14>
41 driver.AppleProfileCallstackAction <1 3 4 5 6 14>
42 driver.AppleProfileReadCounterAction <3 4 6 14>
43 driver.AppleARMPL192VIC <3 4 5 7 8>
44 driver.AppleCDMA <1 3 4 5 7 8 15>
45 driver.IODARTFamily <3 4 5>
46 driver.AppleS5L8930XDART <1 3 4 5 7 8 45>
47 iokit.IOSDIOFamily <1 3 4 5 7>
48 driver.AppleIOPSDIO <1 3 4 5 7 8 12 47>
49 driver.AppleIOPFMI <1 3 4 5 7 8 12 25>
50 driver.AppleSamsungSPI <1 3 4 5 7 8>
51 driver.AppleSamsungSerial <1 3 4 5 7 8 34 35>
52 driver.AppleSamsungPKE <3 4 5 7 8 15>
53 driver.AppleS5L8920X <1 3 4 5 7 8>
54 driver.AppleSamsungI2S <1 3 4 5 7 8>
55 driver.AppleEmbeddedUSB <1 3 4 5 7 8>
56 driver.AppleS5L8930XUSBPhy <1 3 4 5 7 8 55>
57 iokit.IOUSBFamily <1 3 4 5 7>
58 driver.AppleUSBEHCI <1 3 4 5 7 57>
59 driver.AppleUSBComposite <1 3 4 57>
60 driver.AppleEmbeddedUSBHost <1 3 4 5 7 55 57 59>
61 driver.AppleUSBOHCI <1 3 4 5 57>
62 driver.AppleUSBOHCIARM <3 4 5 8 55 57 60 61>
63 driver.AppleUSBHub <1 3 4 5 57>
64 driver.AppleUSBEHCIARM <3 4 5 8 55 57 58 60 63>
65 driver.AppleS5L8930XUSB <1 3 4 5 7 8 55 57 58 60 61 62 64>
66 driver.AppleARM7M <3 4 8 12>
67 driver.EmbeddedIOP <3 4 5 12>
68 driver.AppleVXD375 <1 3 4 5 7 8 11>
69 driver.AppleD1815PMU <1 3 4 5 7 8 31>
70 iokit.AppleARMIISAudio <1 3 4 5 7 22>
71 driver.AppleEmbeddedAudio <1 3 4 5 7 8 22 31 70>
72 driver.AppleCS42L59Audio <3 4 5 8 22 31 70 71>
73 driver.AppleEmbeddedAccelerometer <3 4 5 7 8 31>
74 driver.AppleEmbeddedGyro <1 3 4 5 7 8 31>
75 driver.AppleEmbeddedLightSensor <3 4 5 7 8 31>
76 iokit.IOAcceleratorFamily <1 3 4 5 7 8>
77 IMGSGX535 <1 3 4 5 7 8 76>
78 driver.H2H264VideoEncoderDriver <1 3 4 5 7 8>
79 driver.AppleJPEGDriver <1 3 4 5 7 8>
80 driver.AppleH3CameraInterface <1 3 4 5 7 8>
81 driver.AppleM2ScalerCSCDriver <1 3 4 5 7 8 45>
82 iokit.IOMobileGraphicsFamily <1 3 4 5 7 8>
83 driver.AppleDisplayPipe <1 3 4 5 7 8 82>
84 driver.AppleCLCD <1 3 4 5 7 8 82 83>
85 driver.AppleSamsungMIPIDSI <1 3 4 5 7 8>
86 driver.ApplePinotLCD <1 3 4 5 7 8>
87 driver.AppleSamsungSWI <1 3 4 5 7 8>
88 iokit.IODisplayPortFamily <1 3 4 5 6 7 22>
89 driver.AppleRGBOUT <1 3 4 5 7 8 82 83 88>
90 driver.AppleTVOut <1 3 4 5 7 8>
91 driver.AppleAMC_r2 <1 3 4 5 7 8 11 21 22>
92 driver.AppleSamsungDPTX <3 4 5 7 8 88>
93 driver.AppleSynopsysOTGDevice <1 3 4 5 7 8 33 55>
94 driver.AppleNANDFTL <1 3 4 5 7 9 25>
95 driver.AppleNANDLegacyFTL <1 3 4 5 9 25 94>
96 AppleFSCompression.AppleFSCompressionTypeZlib <1 2 3 4 6>
97 IOTextEncryptionFamily <1 3 4 5 7 11>
98 driver.AppleBSDKextStarter <3 4>
99 nke.ppp <1 3 4 5 6 7>
100 nke.l2tp <1 3 4 5 6 7 99>
101 nke.pptp <1 3 4 5 6 7 99>
102 iokit.IO80211Family <1 3 4 5 6 7 17>
103 driver.AppleBCMWLANCore <1 3 4 5 6 7 8 17 102>
104 driver.AppleBCMWLANBusInterfaceSDIO <1 3 4 5 6 7 8 47 103>
105 driver.AppleDiagnosticDataAccessReadOnly <1 3 4 5 7 8 94>
106 driver.LightweightVolumeManager <1 3 4 5 9 15 24 26>
107 driver.IOFlashNVRAM <1 3 4 5 6 7 25>
108 driver.AppleNANDFirmware <1 3 4 5 25>
109 driver.AppleImage3NORAccess <1 3 4 5 7 8 15 108>
110 driver.AppleBluetooth <1 3 4 5 7 8>
111 driver.AppleMultitouchSPI <1 3 4 5 7 8>
112 driver.AppleUSBMike <1 3 4 5 8 22 33>
113 driver.AppleUSBDeviceMux <1 3 4 5 6 7 33>
114 driver.AppleUSBEthernetDevice <1 3 4 5 6 8 17 33>

For a specific extension, e.g. SandBox, the full information (including the handy load address) is also accessible:

<code>root# ./jkextstat -b sandbox -x</code>:
<plist>
<dict>
<key>CFBundleIdentifier</key>
<string>com.apple.security.sandbox</string>
<key>CFBundleVersion</key>
<string>154.7</string>
<key>OSBundleCPUSubtype</key>
<integer>9</integer>
<key>OSBundleCPUType</key>
<integer>12</integer>
<key>OSBundleDependencies</key>
<array>
<integer>6</integer>
<integer>7</integer>
<integer>5</integer>
<integer>3</integer>
<integer>28</integer>
<integer>1</integer>
<integer>4</integer>
<integer>16</integer>
<integer>2</integer>
</array>
<key>OSBundleExecutablePath</key>
<string>/System/Library/Extensions/Sandbox.kext/Sandbox</string>
<key>OSBundleIsInterface</key>
<false/>
<key>OSBundleLoadAddress</key>
<integer>2153734144</integer>
<key>OSBundleLoadSize</key>
<integer>36864</integer>
<key>OSBundleLoadTag</key>
<integer>29</integer>
<key>OSBundleMachOHeaders</key>
<data>
zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA
AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f
VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf
X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA
AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf
gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA
AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA
AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA
AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA
AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2
TzkVrtqsgOViBQ0=
</data>
<key>OSBundlePath</key>
<string>/System/Library/Extensions/Sandbox.kext</string>
<key>OSBundlePrelinked</key>
<true/>
<key>OSBundleRetainCount</key>
<integer>0</integer>
<key>OSBundleStarted</key>
<true/>
<key>OSBundleUUID</key>
<data>
FqyDtjZPORWu2qyA5WIFDQ==
</data>
<key>OSBundleWiredSize</key>
<integer>36864</integer>
<key>OSKernelResource</key>
<false/>
</dict>
</plist>

It's also worth mentioning that, in the above listing, the OSBundleMachOHeaders (base-64 encoded binary headers) leak kernel addresses in iOS 6.0.0, allowing for its jailbreak, which has yet to be made public. This has been quickly fixed in iOS 6.0.1, effectively locking down iOS for the foreseeable future, thanks to security researcher mdowd.

== External Links ==
Article by [[I0n1c|Stefan Esser]] about [https://media.blackhat.com/bh-us-11/Esser/BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf exploiting the kernel]

Basic Source code of [http://newosxbook.com/src.jl?tree=listings&file=18-1-JKextstat.c jkextstat] from the [http://www.amazon.com/gp/product/1118057651/ref=as_li_ss_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=1118057651&linkCode=as2&tag=newosxbookcom-20 OSX/iOS internals book].

== See Also ==
* [[Kernel Syscalls]]
* [[Kernel Sysctls]]
* [[Kernel Task]]
* [[Kernel Symbols]]
* [[kdebug]]

== External Links ==
* [http://opensource.apple.com/source/xnu XNU Source] (up to latest **OS X** version)

Kernel Symbols

2012-11-13T22:20:59Z

Chopin4g: added some symbols from 6.0gm and 6.0.1

iOS's XNU is largely stripped, and contains fewer and fewer symbols with its newer versions. Whereas in pre 3.0 most symbols were visible, nowadays only symbols required for KExt linkage remain so.

This page is started in the hopes of bringing together efforts of the various jailbreakers so as to pool already symbolified sections of the kernel. Because addresses change along with the different builds, please add the symbols under the right kernel version (i.e. release + device). If not 100% sure about a symbol, indicate the level of confidence.

Started with [[N81ap|iPod touch 4G]], because this is the main kernel the author has largely (>80%) symbolicated. Please add your own. Even if your build is different, the address space doesn't change that much. Bear in mind that - if Mountain Lion is any indication - iOS will soon introduce kernel level [[ASLR]], as well.

{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"
|-
!symbol
!5.0.x [[N81ap|iPod touch 4G]]
!5.0.1 iPhone 4S
!5.1 [[N81ap|iPod touch 4G]]
!6.0b1 [[N81ap|iPod touch 4G]]
!6.0 [[N81ap|iPod touch 4G]]
!6.0.1 [[N81ap|iPod touch 4G]]
!Notes
|-
|_exception_triage
|0x80016C34
| ???
| ...
| ...
|0x80018774
|0x80018774
|The Mach exception processing logic.
|-
|sysent
|0x802CCBAC
|0x802CBBAC
|0x802CCBAC
|0x802F00B8
|0x802F00B8
|0x802F00B8
|Through this you can obtain all of XNU's 438 system calls, e.g. _exit @0x8019DE04 on iPod, 0x8019D278 on iPhone 4S, etc.
|-
|syscall_names
|0x802D2C6C
|0x802D1C6C-0x802D2340
|0x802D2C5C-0x802D4338
|0x802A6538-0x802A7540
|0x802E8FB0-0x802E969C
|0x802E8FB0-0x802E969C
|The char[][] containing the textual names of all system calls
|-
|AppleMobileFileIntegrity_Start
|0x805E499C
| ???
|0x805D5B94
| ...
| ...
| ...
|Initialization of AMFI, the kext responsible for [[sandbox]] policies and entitlements
|-
|bsd_init
|0x802B77C0
| ???
|0x802B8A24
| ...
|0x802B85B4
|0x802B9618
|BSD layer initialization logic. Branches out to initialize virtually every BSD subsystem. Same as OS X XNU, with minor exception (e.g. kernel_memorystatus/jetsam, iptap..)
|-
|ExceptionVectorsBase
|0x80078000
|0x80078000
|0x80078000
| ...
| ...
| ...
|Address of CPU exception handlers in kernel space: fleh_reset, fleh_undef, fleh_swi, fleh_prefabt, _fleh_dataabt, _fleh_addrexc and fleh_irq can be obtained from here
|}

Note: For most of the above symbols, a fairly decent source code can be obtained from the public open source XNU at opensource.apple. Bear in mind that ml_, PE_ and other machine specific functions will naturally be implemented quite differently. (but, it's a start!).