The iPhone Wiki - User contributions [en]

Kernelcache

2019-06-06T18:25:19Z

Morpheus: new kernelcache format

The kernelcache is basically the [[kernel]] itself as well as all of its extensions (AppleImage3NORAccess, IOAESAccelerator, IOPKEAccelerator, etc.) into one file, then packed/encrypted in an [[IMG3 File Format|IMG3]] (iPhone OS 2.0 and above) or [[S5L File Formats#8900|8900]] (iPhone OS 1.0 through 1.1.4) container.

[[Category:Filesystem]]

The joker tool, from http://newosxbook.com/ can be used to dump information from a decrypted kernelcache - including system call and Mach trap addresses (in the kernel) as well as a list of all the KEXTs contained therein and their load addresses. The output from a 6.1.3 kernelcache ([[N90AP|iPhone 4 (iPhone3,1)]]) using this tool, showing 153 kexts, is as follows:

<pre>
KextCache begins at : 0x80396000 (File Offset: 3493888)
Kext: Libkern Pseudoextension @0x80396000 (File: 0xffffffff) (com.apple.kpi.libkern)
Kext: Mach Kernel Pseudoextension @0x8039e000 (File: 0x35d000) (com.apple.kpi.mach)
Kext: Unsupported Pseudoextension @0x8039f000 (File: 0x35e000) (com.apple.kpi.unsupported)
Kext: I/O Kit Pseudoextension @0x803a1000 (File: 0x360000) (com.apple.kpi.iokit)
Kext: Private Pseudoextension @0x803b8000 (File: 0x377000) (com.apple.kpi.private)
Kext: BSD Kernel Pseudoextension @0x803bd000 (File: 0x37c000) (com.apple.kpi.bsd)
Kext: AppleARMPlatform @0x803c3000 (File: 0x382000) (com.apple.driver.AppleARMPlatform)
Kext: AppleSamsungSPI @0x803fd000 (File: 0x3bc000) (com.apple.driver.AppleSamsungSPI)
Kext: MAC Framework Pseudoextension @0x80401000 (File: 0x3c0000) (com.apple.kpi.dsep)
Kext: IOCryptoAcceleratorFamily @0x80402000 (File: 0x3c1000) (com.apple.iokit.IOCryptoAcceleratorFamily)
Kext: AppleMobileFileIntegrity @0x80410000 (File: 0x3cf000) (com.apple.driver.AppleMobileFileIntegrity)
Kext: IOHIDFamily @0x80427000 (File: 0x3e6000) (com.apple.iokit.IOHIDFamily)
Kext: AppleEmbeddedLightSensor @0x80447000 (File: 0x406000) (com.apple.driver.AppleEmbeddedLightSensor)
Kext: I/O Kit USB Family @0x80453000 (File: 0x412000) (com.apple.iokit.IOUSBFamily)
Kext: I/O Kit Driver for USB User Clients @0x80483000 (File: 0x442000) (com.apple.iokit.IOUSBUserClient)
Kext: I/O Kit Driver for USB EHCI Controllers @0x80486000 (File: 0x445000) (com.apple.driver.AppleUSBEHCI)
Kext: I/O Kit Driver for USB OHCI Controllers @0x8049c000 (File: 0x45b000) (com.apple.driver.AppleUSBOHCI)
Kext: AppleD1815PMU @0x804a8000 (File: 0x467000) (com.apple.driver.AppleD1815PMU)
Kext: AppleARMPL080DMAC @0x804bf000 (File: 0x47e000) (com.apple.driver.AppleARMPL080DMAC)
Kext: AppleMultitouchSPI @0x804c3000 (File: 0x482000) (com.apple.driver.AppleMultitouchSPI)
Kext: AppleKernelStorage @0x804d7000 (File: 0x496000) (com.apple.platform.AppleKernelStorage)
Kext: I/O Kit Storage Family @0x804da000 (File: 0x499000) (com.apple.iokit.IOStorageFamily)
Kext: AppleDiskImageDriver @0x804f2000 (File: 0x4b1000) (com.apple.driver.DiskImages)
Kext: AppleDiskImagesKernelBacked @0x804fe000 (File: 0x4bd000) (com.apple.driver.DiskImages.KernelBacked)
Kext: AppleDiskImagesRAMBackingStore @0x8050a000 (File: 0x4c9000) (com.apple.driver.DiskImages.RAMBackingStore)
Kext: AppleJPEGDriver @0x8050d000 (File: 0x4cc000) (com.apple.driver.AppleJPEGDriver)
Kext: EncryptedBlockStorage @0x80517000 (File: 0x4d6000) (com.apple.iokit.EncryptedBlockStorage)
Kext: IOFlashStorage @0x8051f000 (File: 0x4de000) (com.apple.iokit.IOFlashStorage)
Kext: AppleTVOut @0x80538000 (File: 0x4f7000) (com.apple.driver.AppleTVOut)
Kext: AppleEmbeddedUSB @0x8053c000 (File: 0x4fb000) (com.apple.driver.AppleEmbeddedUSB)
Kext: I/O Kit Driver for USB Composite Devices @0x80545000 (File: 0x504000) (com.apple.driver.AppleUSBComposite)
Kext: I/O Kit Driver for USB Devices @0x8054a000 (File: 0x509000) (com.apple.driver.AppleUSBMergeNub)
Kext: AppleEmbeddedUSBHost @0x8054f000 (File: 0x50e000) (com.apple.driver.AppleEmbeddedUSBHost)
Kext: Embedded I/O Kit Driver for USB OHCI Controllers @0x80554000 (File: 0x513000) (com.apple.driver.AppleUSBOHCIARM)
Kext: AppleHIDKeyboardEmbedded @0x80559000 (File: 0x518000) (com.apple.iokit.IOStreamFamily)
Kext: IOAudio2Family @0x8055e000 (File: 0x51d000) (com.apple.iokit.IOAudio2Family)
Kext: IOAVFamily @0x80568000 (File: 0x527000) (com.apple.iokit.IOAVFamily)
Kext: IODisplayPortFamily @0x8059d000 (File: 0x55c000) (com.apple.iokit.IODisplayPortFamily)
Kext: AppleSamsungDPTX @0x805b3000 (File: 0x572000) (com.apple.driver.AppleSamsungDPTX)
Kext: IODARTFamily @0x805d0000 (File: 0x58f000) (com.apple.driver.IODARTFamily)
Kext: Apple M2 Scaler and Color Space Converter Driver @0x805db000 (File: 0x59a000) (com.apple.driver.AppleM2ScalerCSCDriver)
Kext: IOSlaveProcessor @0x805ef000 (File: 0x5ae000) (com.apple.driver.IOSlaveProcessor)
Kext: AppleARM7M @0x805f4000 (File: 0x5b3000) (com.apple.driver.AppleARM7M)
Kext: AppleEffaceableStorage @0x805f8000 (File: 0x5b7000) (com.apple.driver.AppleEffaceableStorage)
Kext: LightweightVolumeManager @0x80602000 (File: 0x5c1000) (com.apple.driver.LightweightVolumeManager)
Kext: IOKit Serial Port Family @0x8060c000 (File: 0x5cb000) (com.apple.iokit.IOSerialFamily)
Kext: AppleOnboardSerial @0x80616000 (File: 0x5d5000) (com.apple.driver.AppleOnboardSerial)
Kext: AppleARMIISAudio @0x80624000 (File: 0x5e3000) (com.apple.iokit.AppleARMIISAudio)
Kext: HighlandParkAudioDevice @0x8062b000 (File: 0x5ea000) (com.apple.driver.HighlandParkAudioDevice)
Kext: AppleBasebandAudio @0x8065e000 (File: 0x61d000) (com.apple.driver.AppleBasebandAudio)
Kext: IOUSBDeviceFamily @0x80661000 (File: 0x620000) (com.apple.iokit.IOUSBDeviceFamily)
Kext: I/O Kit Networking Family @0x8066e000 (File: 0x62d000) (com.apple.iokit.IONetworkingFamily)
Kext: AppleUSBEthernetDevice @0x80688000 (File: 0x647000) (com.apple.driver.AppleUSBEthernetDevice)
Kext: AppleTCA6408GPIOIC @0x8068d000 (File: 0x64c000) (com.apple.driver.AppleTCA6408GPIOIC)
Kext: AppleNANDConfigAccess @0x80691000 (File: 0x650000) (com.apple.driver.AppleNANDConfigAccess)
Kext: AppleCDMA @0x80694000 (File: 0x653000) (com.apple.driver.AppleCDMA)
Kext: AppleNANDFTL @0x8069b000 (File: 0x65a000) (com.apple.driver.AppleNANDFTL)
Kext: IOAccessoryManager @0x806a4000 (File: 0x663000) (com.apple.iokit.IOAccessoryManager)
Kext: IOUserEthernet @0x806b8000 (File: 0x677000) (com.apple.iokit.IOUserEthernet)
Kext: AppleUSBAudio @0x806c0000 (File: 0x67f000) (com.apple.driver.AppleUSBAudio)
Kext: AppleDiskImagesUDIFDiskImage @0x806f0000 (File: 0x6af000) (com.apple.driver.DiskImages.UDIFDiskImage)
Kext: AppleS5L8930XUSB @0x806f7000 (File: 0x6b6000) (com.apple.driver.AppleS5L8930XUSB)
Kext: AppleEmbeddedGyro @0x806fb000 (File: 0x6ba000) (com.apple.driver.AppleEmbeddedGyro)
Kext: IOMobileGraphicsFamily @0x80704000 (File: 0x6c3000) (com.apple.iokit.IOMobileGraphicsFamily)
Kext: IOSurface @0x80713000 (File: 0x6d2000) (com.apple.iokit.IOSurface)
Kext: AppleDisplayPipe @0x80721000 (File: 0x6e0000) (com.apple.driver.AppleDisplayPipe)
Kext: AppleCLCD @0x80731000 (File: 0x6f0000) (com.apple.driver.AppleCLCD)
Kext: AppleS5L8930XDART @0x8073f000 (File: 0x6fe000) (com.apple.driver.AppleS5L8930XDART)
Kext: AppleEmbeddedGPS @0x80744000 (File: 0x703000) (com.apple.driver.AppleEmbeddedGPS)
Kext: AppleS5L8920X @0x8074a000 (File: 0x709000) (com.apple.driver.AppleS5L8920X)
Kext: PPP @0x80757000 (File: 0x716000) (com.apple.nke.ppp)
Kext: L2TP @0x80761000 (File: 0x720000) (com.apple.nke.l2tp)
Kext: AppleEmbeddedAccelerometer @0x80767000 (File: 0x726000) (com.apple.driver.AppleEmbeddedAccelerometer)
Kext: AppleSynopsysOTGDevice @0x8076d000 (File: 0x72c000) (com.apple.driver.AppleSynopsysOTGDevice)
Kext: FairPlayIOKit @0x80777000 (File: 0x736000) (com.apple.driver.FairPlayIOKit)
Kext: LSKDIOKit @0x807d7000 (File: 0x796000) (com.apple.driver.LSKDIOKit)
Kext: AppleAMC_r2 @0x807f5000 (File: 0x7b4000) (com.apple.driver.AppleAMC_r2)
Kext: AppleProfileFamily @0x8086e000 (File: 0x82d000) (com.apple.iokit.AppleProfileFamily)
Kext: AppleProfileTimestampAction @0x80899000 (File: 0x858000) (com.apple.driver.AppleProfileTimestampAction)
Kext: AppleAC3Passthrough @0x8089d000 (File: 0x85c000) (com.apple.driver.AppleAC3Passthrough)
Kext: IOTextEncryptionFamily @0x808a3000 (File: 0x862000) (com.apple.IOTextEncryptionFamily)
Kext: corecrypto @0x808a8000 (File: 0x867000) (com.apple.kec.corecrypto)
Kext: AppleUSBMike @0x808d3000 (File: 0x892000) (com.apple.driver.AppleUSBMike)
Kext: AppleProfileRegisterStateAction @0x808d7000 (File: 0x896000) (com.apple.driver.AppleProfileRegisterStateAction)
Kext: AppleDiskImagesFileBackingStore @0x808db000 (File: 0x89a000) (com.apple.driver.DiskImages.FileBackingStore)
Kext: AppleEmbeddedProx @0x808df000 (File: 0x89e000) (com.apple.driver.AppleEmbeddedProx)
Kext: AppleProfileReadCounterAction @0x808e7000 (File: 0x8a6000) (com.apple.driver.AppleProfileReadCounterAction)
Kext: BasebandSPI @0x808eb000 (File: 0x8aa000) (com.apple.driver.BasebandSPI)
Kext: AppleSerialMultiplexer @0x80905000 (File: 0x8c4000) (com.apple.driver.AppleSerialMultiplexer)
Kext: AppleNANDFirmware @0x80924000 (File: 0x8e3000) (com.apple.driver.AppleNANDFirmware)
Kext: AppleImage3NORAccess @0x80928000 (File: 0x8e7000) (com.apple.driver.AppleImage3NORAccess)
Kext: AppleSamsungSWI @0x80930000 (File: 0x8ef000) (com.apple.driver.AppleSamsungSWI)
Kext: AppleARMPL192VIC @0x80934000 (File: 0x8f3000) (com.apple.driver.AppleARMPL192VIC)
Kext: AppleIOPFMI @0x80937000 (File: 0x8f6000) (com.apple.driver.AppleIOPFMI)
Kext: IO80211Family @0x80947000 (File: 0x906000) (com.apple.iokit.IO80211Family)
Kext: Broadcom 802.11 Driver @0x80996000 (File: 0x955000) (com.apple.driver.AppleBCMWLANCore)
Kext: IOFlashNVRAM @0x80a04000 (File: 0x9c3000) (com.apple.driver.IOFlashNVRAM)
Kext: AppleSamsungSerial @0x80a0a000 (File: 0x9c9000) (com.apple.driver.AppleSamsungSerial)
Kext: AppleBasebandUSB @0x80a0e000 (File: 0x9cd000) (com.apple.driver.AppleBasebandUSB)
Kext: AppleRGBOUT @0x80a11000 (File: 0x9d0000) (com.apple.driver.AppleRGBOUT)
Kext: AppleBSDKextStarter @0x80a19000 (File: 0x9d8000) (com.apple.driver.AppleBSDKextStarter)
Kext: AppleSamsungMIPIDSI @0x80a1c000 (File: 0x9db000) (com.apple.driver.AppleSamsungMIPIDSI)
Kext: Regular Expression Matching Engine @0x80a21000 (File: 0x9e0000) (com.apple.kext.AppleMatch)
Kext: AppleLTC4099Charger @0x80a25000 (File: 0x9e4000) (com.apple.driver.AppleLTC4099Charger)
Kext: IOMikeyBusFamily @0x80a29000 (File: 0x9e8000) (com.apple.iokit.IOMikeyBusFamily)
Kext: AppleEmbeddedAudio @0x80a3b000 (File: 0x9fa000) (com.apple.driver.AppleEmbeddedAudio)
Kext: AppleCS42L61Audio @0x80a5c000 (File: 0xa1b000) (com.apple.driver.AppleCS42L61Audio)
Kext: IOP_s5l8930x_firmware @0x80a61000 (File: 0xa20000) (com.apple.driver.IOP_s5l8930x_firmware)
Kext: AppleBasebandN90 @0x80a8e000 (File: 0xa4d000) (com.apple.driver.AppleBasebandN90)
Kext: AppleMultitouchSPIN1F55 @0x80a97000 (File: 0xa56000) (com.apple.driver.AppleBluetooth)
Kext: AppleIntegratedProxALSSensor @0x80a9a000 (File: 0xa59000) (com.apple.driver.AppleIntegratedProxALSSensor)
Kext: AppleCDCSerialDevice @0x80aa4000 (File: 0xa63000) (com.apple.driver.AppleCDCSerialDevice)
Kext: H3 H264 Video Encoder @0x80aac000 (File: 0xa6b000) (com.apple.driver.H2H264VideoEncoderDriver)
Kext: AppleProfileKEventAction @0x80acd000 (File: 0xa8c000) (com.apple.driver.AppleProfileKEventAction)
Kext: AppleS5L8930XUSBPhy @0x80ad1000 (File: 0xa90000) (com.apple.driver.AppleS5L8930XUSBPhy)
Kext: IOKit SDIO Family @0x80ad5000 (File: 0xa94000) (com.apple.iokit.IOSDIOFamily)
Kext: AppleSamsungPKE @0x80ae5000 (File: 0xaa4000) (com.apple.driver.AppleSamsungPKE)
Kext: AppleIOPSDIO @0x80ae9000 (File: 0xaa8000) (com.apple.driver.AppleIOPSDIO)
Kext: Seatbelt sandbox policy @0x80af1000 (File: 0xab0000) (com.apple.security.sandbox)
Kext: AppleHIDKeyboard @0x80afc000 (File: 0xabb000) (com.apple.driver.AppleHIDKeyboard)
Kext: AppleKeyStore @0x80aff000 (File: 0xabe000) (com.apple.driver.AppleKeyStore)
Kext: AppleHDQGasGaugeControl @0x80b0c000 (File: 0xacb000) (com.apple.driver.AppleHDQGasGaugeControl)
Kext: Broadcom WLAN SDIO Bus Driver @0x80b10000 (File: 0xacf000) (com.apple.driver.AppleBCMWLANBusInterfaceSDIO)
Kext: I/O Kit HID Event Driver @0x80b21000 (File: 0xae0000) (com.apple.driver.AppleH3CameraInterface)
Kext: AppleDiskImagesReadWriteDiskImage @0x80b40000 (File: 0xaff000) (com.apple.driver.DiskImages.ReadWriteDiskImage)
Kext: AppleFSCompressionTypeZlib @0x80b43000 (File: 0xb02000) (com.apple.AppleFSCompression.AppleFSCompressionTypeZlib)
Kext: AppleUSBEthernet @0x80b48000 (File: 0xb07000) (com.apple.driver.AppleUSBEthernet)
Kext: EmbeddedIOP @0x80b51000 (File: 0xb10000) (com.apple.driver.EmbeddedIOP)
Kext: I/O Kit Driver for USB HID Devices @0x80b59000 (File: 0xb18000) (com.apple.driver.AppleS5L8930X)
Kext: AppleSamsungI2S @0x80b63000 (File: 0xb22000) (com.apple.driver.AppleSamsungI2S)
Kext: AppleM68Buttons @0x80b67000 (File: 0xb26000) (com.apple.driver.AppleM68Buttons)
Kext: AppleVXD375 @0x80b6b000 (File: 0xb2a000) (com.apple.driver.AppleVXD375)
Kext: AppleUSBDeviceMux @0x80b87000 (File: 0xb46000) (com.apple.driver.AppleUSBDeviceMux)
Kext: PPTP @0x80b8f000 (File: 0xb4e000) (com.apple.nke.pptp)
Kext: I/O Kit Driver for USB HID Devices @0x80b94000 (File: 0xb53000) (com.apple.iokit.IOUSBHIDDriver)
Kext: AppleMultitouchSPIZ2F13 @0x80b9a000 (File: 0xb59000) (com.apple.iokit.IOAcceleratorFamily)
Kext: IMGSGX535 Graphics Kernel Extension @0x80bb7000 (File: 0xb76000) (com.apple.IMGSGX535)
Kext: ApplePinotLCD @0x80be4000 (File: 0xba3000) (com.apple.driver.ApplePinotLCD)
Kext: I/O Kit Driver for USB Hubs @0x80be7000 (File: 0xba6000) (com.apple.driver.AppleUSBHub)
Kext: AppleEmbeddedCompass @0x80bf0000 (File: 0xbaf000) (com.apple.driver.AppleEmbeddedCompass)
Kext: AppleProfileThreadInfoAction @0x80bf8000 (File: 0xbb7000) (com.apple.driver.AppleProfileThreadInfoAction)
Kext: AppleBasebandCDC @0x80bfc000 (File: 0xbbb000) (com.apple.driver.AppleBasebandCDC)
Kext: AppleUSBEthernetHost @0x80c02000 (File: 0xbc1000) (com.apple.driver.AppleUSBEthernetHost)
Kext: AppleDPRepeater @0x80c07000 (File: 0xbc6000) (com.apple.driver.AppleDPRepeater)
Kext: I/O Kit HID Event Driver Safe Boot @0x80c36000 (File: 0xbf5000) (com.apple.driver.AppleCD3282Mikey)
Kext: tlsnke @0x80c3a000 (File: 0xbf9000) (com.apple.nke.tls)
Kext: AppleUSBHIDKeyboard @0x80c40000 (File: 0xbff000) (com.apple.driver.AppleUSBHIDKeyboard)
Kext: AppleProfileCallstackAction @0x80c43000 (File: 0xc02000) (com.apple.driver.AppleProfileCallstackAction)
Kext: AppleDiagnosticDataAccessReadOnly @0x80c47000 (File: 0xc06000) (com.apple.driver.AppleDiagnosticDataAccessReadOnly)
Kext: AppleNANDLegacyFTL @0x80c4a000 (File: 0xc09000) (com.apple.driver.AppleNANDLegacyFTL)
Kext: AppleTetheredDevice @0x80c78000 (File: 0xc37000) (com.apple.driver.AppleTetheredDevice)
Kext: AppleUSBHSIC @0x80c7b000 (File: 0xc3a000) (com.apple.driver.AppleUSBHSIC)
Kext: Embedded I/O Kit Driver for USB EHCI Controllers @0x80c83000 (File: 0xc42000) (com.apple.driver.AppleUSBEHCIARM)

</pre>

As of the iPhone11 (iPhone XS/R) and iOS 12, Apple has moved to a new kernelcache format. This is recognizable by an LC_SOURCE_VERSION which is much Lower than that of XNU's (1469 for iOS12, 17xx for iOS13), likely an artifact of misconfiguration on Apple's side, since it matches the source version of the kernelcache builder.

The new kernelcaches are monolithic and tightly linked, in that KEXT code is interspersed with the kernel's own. They are also fully stripped of all symbols. The joker tool's most useful feature, Kextraction (extracting kexts from the kernelcache) can therefore no longer be used (and, in fact, there is no straightforward way to extract kexts anymore from these caches). Joker has been superseded by jtool2's --analyze option, which can effectively symbolicate 1000s (3,000-8,000, depending on iOS version) of symbols.

YukonSeed 17A5492t (iPhone11,2)

2019-06-06T18:20:49Z

Morpheus: Added key for 13b1 d321 - http://newosxbook.com/forum/viewtopic.php?f=7&t=19686

iBoot.d321.RELEASE.im4p from iOS 13 beta 1 -

Decrypted kbag for A12: 411934D668DAF37113BB49E0144174EF5E86E6A5FF42CACAA9DA9D728A3612965003A840FD65196FB17BFBA368E27F75

(LLB/iBEC/iBSS are irrelevant - they're all the same image as iBoot)

Up to Speed

2018-01-19T21:58:02Z

Morpheus:

So, all of this sounds intimidating. [[Jailbreak]], sign, [[secpack]], [[unlock]], [[Baseband Device|baseband]], [[iBoot]], [[seczone]], [[JailbreakMe]], [[pwnage]] - there are lots of terms to learn, but most of them are defined here on the wiki. The basics:

* [[Activation]] - to bypass the required [[iTunes]] signup.
* [[Jailbreak]] - to allow full write and execute privileges on any Apple TV, iPad, iPhone or iPod touch.
* [[Unlock]] - to allow the use of any mobile phone carrier's SIM.

Think of iPhone as a little computer, even though Apple doesn't want you to. It has a [[S5L8900|processor]], RAM, a "[[NAND|hard drive]]", an operating system, and a [[Baseband Device|cellular modem]] on the serial port.

=== Ways to learn about how jailbreaks work ===

''(If you're more interested in learning how to develop for jailbroken devices, such as extensions/tweaks, check out the [http://iphonedevwiki.net/index.php/Main_Page iPhoneDevWiki] instead.)''

The basic idea here is that there are lots of ways to learn more about jailbreaking, for people of all experience levels and backgrounds. You might want to learn enough to actually find vulnerabilities in iOS (which is a huge undertaking), or you might just enjoy learning a little bit out of curiosity. Go through this list and pick something that looks fun to read!

* You can read about general exploitation techniques on Wikipedia, starting with [https://en.wikipedia.org/wiki/Vulnerability_(computing)#Software_vulnerabilities software vulnerabilities] and [https://en.wikipedia.org/wiki/Privilege_escalation privilege escalation]. Learning about types of vulnerabilities can be fun even if you don't have any background yet in programming or security research - it's like learning about how puzzles work. To learn more about security research in general (useful for the beginner), try these links: [http://www.reddit.com/r/netsec/wiki/start Getting Started in Information Security by /r/netsec], [http://www.reddit.com/r/netsecstudents/wiki/resources /r/netsecstudents resources], and [http://pentest.cryptocity.net/ Application Security and Vulnerability Analysis].

* To learn a bit about what a jailbreak actually does to an iOS device, [https://news.ycombinator.com/item?id=4127801 see this conversation with saurik] - it explains the main technical changes that a typical jailbreak accomplishes. Here's also another [http://www.reddit.com/r/jailbreak/comments/17q6tk/is_the_ios_jailbreak_scene_dumber_than_android_or/c87w1hg conversation with saurik with a bit about the history of iOS jailbreaking and comparing it to Android rooting] - "I often recommend that people who are interested in one day being able to hack something like iOS go spend some time cutting their teeth on simpler systems, such as Android".

* Read [http://winocm.moe/research/2013/09/20/resources-for-getting-started/ winocm's recommendations for how to get started with iOS hacking]: learning ARM, understanding low-level parts of iOS, reading open source code in iOS and OS X, learning programming, learning about security/fuzzing, and then learning iOS-specific tools and tricks. She's also written a bunch of [http://winocm.moe/ other posts about iOS security research].

* Read [http://www.amazon.com/iOS-Hackers-Handbook-Charlie-Miller/dp/1118204123 ''iOS Hacker's Handbook''], published in May 2012: "The award-winning author team, experts in Mac and iOS security, examines the vulnerabilities and the internals of iOS to show how attacks can be mitigated. The book explains how the operating system works, its overall security architecture, and the security risks associated with it, as well as exploits, rootkits, and other payloads developed for it."

* pod2g also [http://www.idownloadblog.com/2012/12/20/pod2g-interview/ recommends] these books: [http://www.amazon.com/gp/product/0470395362/ref=as_li_qf_sp_asin_il_tl ''Mac Hacker's Handbook''], [http://www.amazon.com/gp/product/0321278542/ref=as_li_qf_sp_asin_il_tl ''Mac OS X Internals: A Systems Approach''], and [http://www.amazon.com/gp/product/1597494860/ref=as_li_qf_sp_asin_il_tl ''A Guide to Kernel Exploitation: Attacking the Core'']. And here are even more that can be useful: [http://www.amazon.com/Mac-OS-iOS-Internals-Apples/dp/1118057651 ''Mac OS X and iOS Internals: To the Apple's Core''], [http://www.amazon.com/Hacking-Securing-iOS-Applications-Hijacking/dp/1449318746 ''Hacking and Securing iOS Applications''], [http://www.amazon.com/OS-X-iOS-Kernel-Programming/dp/1430235365 ''OS X and iOS Kernel Programming''], and [http://www.amazon.com/Professional-Cocoa-Application-Security-Graham/dp/0470525959 ''Professional Cocoa Application Security''].

* Listen to the [[25C3 presentation "Hacking the iPhone"]]. This was in 2008, but it explains the basics in detail.

* See [http://techchannel.att.com/play-video.cfm/2013/1/8/Conference-TV-CSAW-THREADS-2012-iOS-Jailbreak-Analysis the presentation "Strategic Analysis of the iOS Jailbreaking Development Community"] by Dino Dai Zovi in November 2012.

* [[i0n1c]] has given several presentations on iOS jailbreaking techniques, and there are PDFs of his slides available online, including: [https://media.blackhat.com/bh-us-11/Esser/BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf "iOS Kernel Exploitation"], [http://reverse.put.as/wp-content/uploads/2011/06/D2T1-Stefan-Esser-iPhone-Exploitation-One-ROPe-to-Bind-Them-All.pdf "iPhone Exploitation: One ROPe to bind them all?"], [http://antid0te.com/CSW2012_StefanEsser_iOS5_An_Exploitation_Nightmare_FINAL.pdf "iOS 5: An Exploitation Nightmare?"], and [http://www.slideshare.net/i0n1c/ruxcon-2014-stefan-esser-ios8-containers-sandboxes-and-entitlements "iOS8 Containers, Sandboxes and Entitlements"]. He has also recommended a couple of books: [http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X ''The Shellcoder's Handbook''] and [http://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426 ''The Art of Software Security Assessment'']. You may also find it interesting to read [https://www.sektioneins.de/en/blog/13-07-03-trainingFrankfurt.html his outline for a workshop on developing kernel exploits] - note the requirements (knowing ARM assembly, ROP, buffer overflows, integer overflows; having access to IDA Pro, Hexrays, BinDiff).

* Check out [http://esec-lab.sogeti.com/post/Analysis-of-the-jailbreakme-v3-font-exploit this analysis of JailbreakMe 3.0] ([[Saffron]]).

* If you're interested in [[Baseband Device|baseband]] hacking and unofficial software unlocks, there are slides from a presentation by [[MuscleNerd]]: [http://conference.hitb.org/hitbsecconf2012ams/materials/D1T2%20-%20MuscleNerd%20-%20Evolution%20of%20iPhone%20Baseband%20and%20Unlocks.pdf "Evolution of the iPhone Baseband and Unlocks"] (PDF).

* Members of the team that built [[Corona]] for iOS 5.0.1 gave presentations about it, and there are PDFs of their slides available here: [http://conference.hitb.org/hitbsecconf2012ams/materials/D2T2%20-%20Jailbreak%20Dream%20Team%20-%20Corona%20Jailbreak%20for%20iOS%205.0.1.pdf Corona for A4] and [http://conference.hitb.org/hitbsecconf2012ams/materials/D2T2%20-%20Jailbreak%20Dream%20Team%20-%20Absinthe%20Jailbreak%20for%20iOS%205.0.1.pdf Corona/Absinthe for A5].

* Here's some analysis of [[evasi0n]] [http://blog.accuvant.com/bthomasaccuvant/evasi0n-jailbreaks-userland-component/ from Accuvant Labs] and [http://blog.azimuthsecurity.com/2013/02/from-usr-to-svc-dissecting-evasi0n.html from Azimuth Security], along with [http://www.forbes.com/sites/andygreenberg/2013/02/05/inside-evasi0n-the-most-elaborate-jailbreak-to-ever-hack-your-iphone/ a high-level explanation from planetbeing]. The evad3rs team gave [https://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Pod2g,%20Planetbeing,%20Musclenerd%20and%20Pimskeks%20aka%20Evad3rs%20-%20Swiping%20Through%20Modern%20Security%20Features.pdf a presentation about evasi0n with slides available]. geohot wrote a [http://geohot.com/e7writeup.html detailed analysis] of [[evasi0n7]].

* Play with [http://damnvulnerableiosapp.com/ Damn Vulnerable iOS Application (DVIA)], "a platform to mobile security enthusiasts/professionals or students to test their iOS penetration testing skills in a legal environment".

* Study the available [[Open Source Jailbreaking Tools|open source jailbreaking tools]].

* Read [[fuzzing]] for some explanation of how that technique has been used on iOS, and read [[how to reverse]] for some inspiration.

* If you want to really get started, learn assembler for [[ARM]] processors. [http://opensecuritytraining.info/Training.html Open Security Training] has "Introduction to ARM" materials, for example.

* [http://www.newosxbook.com/index.php?page=notes Jonathan Levin] posts interesting iOS reverse engineering research. His series of books on "*OS Internals" are a definitive reference. In particular, Volume III deals exclusively with security, insecurity, and dissects every modern jailbreak from evasi0n (6.0) through async_wake (11.1.2) in detail.

===Now===
* Read the [[timeline]].
* Read the [[unsolved problems]] page to see where you can help.

LiberiOS

2018-01-19T21:55:45Z

Morpheus:

{{Infobox software
| name = LiberiOS
| title = LiberiOS
| developer = [https://twitter.com/Morpheus______ Jonathan Levin (@Morpheus______)]
| released = {{Start date|2017|12|25|df=yes}}
| latest release version = 11.0.3
| latest release date = {{Start date and age|2018|01|19|df=yes}}
| operating system = iOS
| language = English
| genre = Jailbreaking
| website = [http://newosxbook.com/liberios/ LiberiOS]
}}
'''LiberiOS''' is a [[semi-untethered jailbreak]] for devices running iOS 11.0 - 11.1.2. It was released on December 25, 2017, just one day after the tvOS 11 jailbreak [[LiberTV]]. This jailbreak, like its sibling, makes use of his [[QiLin]] Toolkit.

The very first version of the jailbreak included [[Cydia]] for the purposes of shsh blob saving only, because [[saurik]] had yet to update it for iOS 11. On January 19, 2018, Jonathan stated he would never add Cydia support to LiberiOS, owing to derogatory remarks and false statements made by [[saurik]] on reddit forums. Although a complete jailbreak, LiberiOS is classified as a "dev" or "pro" jailbreak, meant primarily for security researchers and less for the tweak-phile.

The jailbreak drops a complete set of Jonathan Levin's compiled binary utilities (from opensource.apple.com) into /jb (so as to negate any potential for conflict with existing binaries). Jonathan's own toolset is installed in /jb/usr/local/bin. The user can either move the binaries from the shell environment to their respective locations, or use /jb/makeMeAtHome.sh to set up paths and drop into a ZSH environment which will make use of these paths, thereby leaving the root filesystem almost unaffected.

The jailbreak also disables auto updates by redirecting mesu.apple.com to 127.0.0.1. This has the side effect of making stock apps uninstallable. That said, this is not a real issue since they can be installed prior to jailbreaking, or at any time the mesu.apple.com entry can be removed from /etc/hosts. Other App Store applications are unaffected.

== Version Change Log ==
{| class="wikitable"
|-
! Version
! Date
! Changes
|-
| 11.0
| 25 December, 2017
| Initial release
|-
| 11.0.1
| 29 December, 2017
|
*Now with a proper GUI thanks to the talented @horatiohno
*Supports all i-Devices, thanks to @ARX8x
*Also even more stable due to proper cleanup in one special case. Shouldn't crash on you, but let me know if it does.
*AMFId can be killed, be reborn, but will be just as debilitated :-)
*Arbitrary Dylib loading works. NO, CYDIA SUBSTRATE WON'T. Not my problem - @Saurik owns this one
|-
| 11.0.3
| 19 January, 2018
| fixes for odd use cases. Most notably FAT self-signed. Should be diamond solid. QiLin API improved
|}

[[Category:Jailbreaks]]
[[Category:Jailbreaking]]

Semi-untethered jailbreak

2018-01-19T21:51:47Z

Morpheus:

A '''semi-untethered jailbreak''' is similar to an [[untethered jailbreak]], but it gives the ability to start the device on its own. On each boot, the device startup sequence is unmodified and it boots into its original, non-jailbroken configuration. However, rather than having to run a tool from a computer to jailbreak, like a [[tethered jailbreak|tethered]] or [[semi-tethered jailbreak|semi-tethered]] cases, the user is able to re-jailbreak their device with the help of an app (usually sideloaded using [[Cydia Impactor]]) running on their device. In the case of the iOS 9.2-9.3.3 jailbreak, a Safari-based exploit was available, thereby meaning a website could be used to rejailbreak.

Some semi-untethered jailbreaks can be completed entirely on the device using a sideloaded app (which still requires a computer). Others require a computer to be used first, and then an app or website can be used to rejailbreak after each reboot.

Semi-Untethered jailbreaks have become the norm, as the last known code signing bypass - which is required for execution on boot - has been exploited by Pangu with iOS 9.0-9.1 and the shared cache malformation bug.

==See Also==
*[[Jailbreak]]
*[[Jailbreak Exploits]]
*[[Untethered jailbreak]]
*[[Tethered jailbreak]]
*[[Semi-tethered jailbreak]]

[[Category:Jailbreaking]]

LiberiOS

2018-01-19T21:48:00Z

Morpheus: /* Version Change Log */

LiberiOS

2018-01-19T21:46:36Z

Morpheus:

LiberTV

2018-01-19T21:44:25Z

Morpheus:

{{Infobox software
| name = LiberTV
| title = LiberTV
| screenshot = [[File:LiberTV.jpg|250px]]
| developer = [https://twitter.com/Morpheus______ Jonathan Levin (@Morpheus______)]
| released = {{Start date and age|2017|03|03|df=yes}}
| latest release version = 1.1
| latest release date = {{Start date and age|2017|12|25|df=yes}}
| language = [[wikipedia:English|English]]
| status = Current
| genre = Jailbreaking
| license = [[wikipedia:Freeware|Freeware]]
| website = [http://newosxbook.com/forum/viewtopic.php?f=12&t=16823 Version 1.0 (tvOS 10)] [http://newosxbook.com/libertv/ Version 1.1 (tvOS 11)]
}}
'''LiberTV''' is a [[semi-untethered jailbreak]] released for [[tvOS]]. Developed by Jonathan Levin (Morpheus), the original LiberTV was released on March 3, 2017, supporting tvOS 10.0-10.1. A new version was released on December 24, 2017, supporting tvOS 11.0-11.1.

LiberTV works in the same way as [[yalu]] and the later versions of [[Pangu9]], by sideloading an IPA using [[saurik]]'s [[Cydia Impactor]].

After Version 1.0 was released, Levin stated that LiberTV is also able to support tvOS 9.1-9.2.2, and support will come in a future update. However, this never happened. Levin also stated that support for tvOS 10.1.1 is possible, and that LiberTV would be updated for 9.1-10.1.1 once he has found a suitable bug. This update was never released as he instead opted to release an 11.0-11.1 version instead.

Because the 11.x uses a bug that was introduced in XNU 4570 (proc_info list_uptrs) for its information leak, there are no plans to back port LiberTV to older versions, which are obsolete anyway. LiberTV 11 is the first jailbreak to make use of the [[QiLin]] toolkit

[[Category:Jailbreaks]]
[[Category:Jailbreaking]]

QiLin

2018-01-19T21:43:49Z

Morpheus: Created page with "The QiLin (麒麟) Toolkit was developed by Jonathan Levin to provide a standardized API for present and future jailbreaks. Having noticed that most PoC exploits end up provid..."

The QiLin (麒麟) Toolkit was developed by Jonathan Levin to provide a standardized API for present and future jailbreaks. Having noticed that most PoC exploits end up providing the kernel_task send right, Jonathan Levin came up with the idea of providing a full post-exploitation toolkit with a simple API that could easily be compiled against and linked with.

The QiLin homepage (http://www.NewOSXBook.com/QiLin/) contains the object file required (qilin.o) and the header file (qilin.h). Once these are dropped into an XCode project, QiLin can be used for numerous tasks, including:

- Unsandboxing a process
- Entitling a process
- Bestowing root privileges
- Entitling a process
- Unpacking binary utilities
- Bestowing platform binary status

A full writeup about how QiLin operates can be found in MacOS Internals, Volume III - Chapter 25, which is also available as a free download from http://NewOSXBook.com/QiLin/qilin.pdf

LiberTV

2018-01-19T21:38:44Z

Morpheus:

{{Infobox software
| name = LiberTV
| title = LiberTV
| screenshot = [[File:LiberTV.jpg|250px]]
| developer = [https://twitter.com/Morpheus______ Jonathan Levin (@Morpheus______)]
| released = {{Start date and age|2017|03|03|df=yes}}
| latest release version = 1.1
| latest release date = {{Start date and age|2017|12|25|df=yes}}
| language = [[wikipedia:English|English]]
| status = Current
| genre = Jailbreaking
| license = [[wikipedia:Freeware|Freeware]]
| website = [http://newosxbook.com/forum/viewtopic.php?f=12&t=16823 Version 1.0 (tvOS 10)] [http://newosxbook.com/libertv/ Version 1.1 (tvOS 11)]
}}
'''LiberTV''' is a [[semi-untethered jailbreak]] released for [[tvOS]]. Developed by Jonathan Levin (Morpheus), the original LiberTV was released on March 3, 2017, supporting tvOS 10.0-10.1. A new version was released on December 24, 2017, supporting tvOS 11.0-11.1.

LiberTV works in the same way as [[yalu]] and the later versions of [[Pangu9]], by sideloading an IPA using [[saurik]]'s [[Cydia Impactor]].

After Version 1.0 was released, Levin stated that LiberTV is also able to support tvOS 9.1-9.2.2, and support will come in a future update. However, this never happened. Levin also stated that support for tvOS 10.1.1 is possible, and that LiberTV would be updated for 9.1-10.1.1 once he has found a suitable bug. This update was never released as he instead opted to release an 11.0-11.1 version instead.

Because the 11.x uses a bug that was introduced in XNU 4570 (proc_info list_uptrs) for its information leak, there are no plans to back port LiberTV to older versions, which are obsolete anyway.

[[Category:Jailbreaks]]
[[Category:Jailbreaking]]

TvOS

2017-02-28T00:57:58Z

Morpheus: /* Research */ TvOS JB update

{{lowercase}}
'''tvOS''' is the operating system that is used on the [[Apple TV]], as of the [[J42dAP|Apple TV 4G]]. It's a forked version of [[iOS]]. The first version released was stylized and marketed as tvOS 9.0, which was based on iOS 9.1.

== Research ==
Since the first public version of tvOS, Apple provides a complete filesystem image in the form of an OTA update. This allows people to reconstruct the entire system partition along with all binaries, in order to perform static analysis on them.

Additionally, Apple has not actually fixed any bugs from Pangu's iOS 9.0.x jailbreak in iOS 9.1 aside from the kernel exploit (CVE-2015-6974). Because of this, Pangu9 could be modified (notably, exploiting a different kernel vulnerability) to jailbreak tvOS 9.0.

An overview analysis of tvOS OTA updates can be found in http://newosxbook.com/articles/OTA3.html.

The Yalu Jailbreak has been ported to support TvOS versions 10.0-10.1. q.v. http://newosxbook.com/forum/viewtopic.php?f=11&t=16820&p=18268#p18268
[[Category:Firmware]]

Yalu

2017-02-28T00:56:22Z

Morpheus: /* yalu102 */ TvOS edit

{{lowercase}}
{{Infobox software
| name = yalu
| title = yalu
| author = [https://twitter.com/qwertyoruiop Luca Todesco (qwertyoruiop)]
| developer = [https://twitter.com/qwertyoruiop Luca Todesco (qwertyoruiop)]
| discontinued =
| latest prerelease version = 102-beta 1
| language = [[wikipedia:English|English]]
| status = Beta
| genre = Jailbreaking
| license = [[wikipedia:Freeware|Freeware]]
| website = [http://yalu.qwertyoruiop.com yalu]
}}
''yalu'' is a series of [[untethered jailbreak]]s released for iOS. Developed by Luca Todesco (qwertyoruiop), yalu was initially released as an incomplete iOS 8.4.1 code sign and sandbox bypass, which has since been added to by others. Todesco then released a new version of yalu in beta, in the form of an IPA, supporting some devices running iOS 10.1-10.1.1.

==The incomplete 8.4.1 yalu==
Released [https://github.com/kpwn/yalu on GitHub], yalu for 8.4.1 supports various unknown devices. Some users have managed to use the code released to achieve a fully untethered jailbreak, but nothing has been publicly released.

==yalu for iOS 10.1-10.1.1==
Sometimes known as ''YaluX'' or ''yalu + mach_portal'', yalu for iOS 10.1 is currently in beta, and supports the iPad Pro, the iPhone 6s and 6s Plus, the iPhone SE and the iPhone 7 and 7 Plus. Issues have arisen with devices using TSMC manufactured chips.

When initially released, the jailbreak was intended for developers only, and users are warned about the jailbreak being unstable and buggy. Substrate is deliberately broken in an attempt to deter users from using it. However, several fixes have been made available, many resulting in issues with tweaks and forcing some users to restore.

The jailbreak utilizes several of Ian Beer's exploits discovered in the kernel of iOS 10.1.

Several beta versions have been released, with the latest, beta 4 and beta 4-1 being retracted due to bugs and errors. Beta 3 is the latest 'stable' working version.

The jailbreak is patched as of iOS 10.2, though Todesco has said he will update yalu to support iOS 10.2.

yalu is downloaded as an IPA, and sideloaded onto the device using [[saurik]]'s [[Cydia Impactor]].

==yalu102==
On January 25, 2017, Todesco released the incomplete source code to a new version of Yalu, one supporting every version from iOS 10.0 through 10.2, onto [https://github.com/kpwn/yalu102 GitHub].
On January 26, he formally released an "alpha, beta 1" version of this on his site in the form of an IPA. This jailbreak has support for Cydia Substrate, and works on the iPad Pro, iPhone 6s and iPhone SE.

On January 29, yalu102 was officially updated to support all 64-bit devices on iOS 10.2, excluding the iPad Air 2, iPad mini 4, and all iPhone 7 models.

On January 30, yalu102 was officially updated to support all 64-bit devices on iOS 10.2, excluding the iPhone 7 and iPhone 7 Plus.

On February 26th, yalu102 was unofficially ported to support TvOS (up to and including 10.1) , marking the first Jailbreak for TVOS 10.x and demonstrating the universality of the Mach voucher bug, upon which it was based.

Main Page

2016-07-24T11:15:25Z

Morpheus: Undo revision 53576 by Morpheus (talk)

[[File:Iptwiki.png|center]]
{{:Main Page/Welcome}}

== Jailbreak Status ==
{| class="wikitable" style="font-size:1em; width:100%;"
|-
! style="height:3em;" | [[Models|Device]]
! [[Apple Watch]]
! [[Apple TV 3G]]
! [[J42dAP|Apple TV 4G]]
! [[iPad 2]] and up
! [[iPad mini]] and up
! [[iPhone 4S]] and up
! [[iPod touch 5G]] and up
|-
! style="height:3em;" | Latest public [[firmware]]
| 2.2.2 (13V604)
| 7.2.1/8.4.1 (12H523)
| 9.2.2 (13Y825)
| colspan="4" | 9.3.3 (13G34)
|-
! style="height:3em;" | Jailbreak available?
| colspan="8" {{no}}
|-
For older devices and versions, see [[Jailbreak]].

{| style="width:100%"
|-
| style="width:50%; text-align:left; vertical-align:text-top;" |
== Software ==
* [[Apple Internal Apps]]
* [[:Category:File Formats|File formats]]
* [[/|Filesystem]]
* [[Firmware]]
** [[Beta Firmware]]
** [[Factory Firmware]]
** [[OTA Updates]]
* [[iTunes]]
** [[iTunes Errors]]
** [[iTunes Modes]]
** [[MobileDevice Library]]
* [[Keys]]
** [[AES Keys]]
** [[CERT|Apple Certificate]]
** [[Baseband RSA Keys|RSA Keys]]
** [[Baseband TEA Keys|TEA Keys]]
** [[Firmware Keys]]
*** [[Decrypting Firmwares]]
** [[GID Key]]
** [[NCK]]
* [[Protocols]]
** [[Baseband Bootrom Protocol]]
** [[DFU (Protocol)|DFU]]
** [[Interactive Mode|Baseband Bootloader Protocol]]
** [[Normal Mode]]
** [[Recovery Mode (Protocols)|Recovery Mode]]
** [[Restore Mode]]
* [[System Log|System Log (syslog)]]

==== [[:Category:Jailbreaks|Jailbreak Software]] ====
* [[Absinthe]]
* [[blackra1n]]
* [[Corona]]
* [[evasi0n]]
* [[evasi0n7]]
* [[Geeksn0w]]
* [[Greenpois0n (jailbreak)|greenpois0n]]
* [[JailbreakMe]]
* [[limera1n]]
* [[p0sixspwn]]
* [[Pangu]]
* [[Pangu8]]
* [[Pangu9]]
* [[PPJailbreak]]
* [[purplera1n]]
* [[PwnageTool]]
* [[redsn0w]]
* [[Rocky Racoon]]
* [[Seas0nPass]]
* [[sn0wbreeze]]
* [[Spirit]]
* [[TaiG]]
* [[unthredera1n]]

==== [[:Category:Patches|Patches]] ====
* [[Kernel Patches|Kernel]]
** [[AMFI Binary Trust Cache Patch]]
** [[PE i can has debugger Patch]]
** [[Sandbox Patch]]
** [[Vm map enter Patch]]
** [[Vm map protect Patch]]
* [[:Category:Ramdisk Patches|Ramdisk]]: [[ASR]]

==== [[:Category:Exploits|Vulnerabilities and Exploits]] ====
* [[0x24000 Segment Overflow]] (24kpwn)
* [[BPF STX Kernel Write Exploit]]
* [[CVE-2013-0964]]
* [[HFS Heap Overflow]]
* [[HFS Legacy Volume Name Stack Buffer Overflow]] (feedface)
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]]
* [[Limera1n Exploit]]
* [[Malformed CFF Vulnerability]]
* [[MobileBackup Copy Exploit]]
* [[ndrv_setspec() Integer Overflow]]
* [[Packet Filter Kernel Exploit]]
* [[Racoon String Format Overflow Exploit]]
* [[SHA-1 Image Segment Overflow]] (SHAtter)
* [[usb_control_msg(0x21, 2) Exploit]]
* [[usb_control_msg(0xA1, 1) Exploit]] (steaks4uce)
* [[Symbolic Link Vulnerability]]

====Various Software====
* [[Cydia.app|Cydia]]
* [[EDA]]
* [[iFaith]]
* [[SemiRestore7]]
* [[SemiRestore8]]
* [[SemiRestore9]]
* [[Sund0wn]]
* [[TinyUmbrella]]

====Bad stuff====
* [[Malware for iOS]]
* [[Misuse of enterprise and developer certificates]]
* [[Scam Jailbreaks and Unlocks]]

| style="width:50%; text-align:left; vertical-align:text-top;" |
== Hardware ==
==== Devices ====
{{see also|Models|Prototypes}}
* [[List of Apple TVs|Apple TV]]
** Apple TV 2G ([[K66AP]])
** [[Apple TV 3G]] ([[J33AP]], [[J33IAP]])
** Apple TV 4G ([[J42dAP]])
* [[Apple Watch]]
** 38 mm ([[N27aAP]])
** 42 mm ([[N28aAP]])
* [[List of iPads|iPad]]
** iPad ([[K48AP]])
** [[iPad 2]] ([[K93AP]], [[K94AP]], [[K95AP]], [[K93AAP]])
** [[iPad 3]] ([[J1AP]], [[J2AP]], [[J2AAP]])
** [[iPad 4]] ([[P101AP]], [[P102AP]], [[P103AP]])
** [[iPad Air]] ([[J71AP]], [[J72AP]], [[J73AP]])
** [[iPad Air 2]] ([[J81AP]], [[J82AP]])
** [[iPad Pro (12.9 inch)]] ([[J98aAP]], [[J99aAP]])
** [[iPad Pro (9.7 inch)]] ([[J127AP]], [[J128AP]])
* [[List of iPad minis|iPad mini]]
** [[iPad mini]] ([[P105AP]], [[P106AP]], [[P107AP]])
** [[iPad mini 2]] ([[J85AP]], [[J86AP]], [[J87AP]])
** [[iPad mini 3]] ([[J85mAP]], [[J86mAP]], [[J87mAP]])
** [[iPad mini 4]] ([[J96AP]], [[J97AP]])
* [[List of iPhones|iPhone]]
** iPhone ([[M68AP]])
** iPhone 3G ([[N82AP]])
** iPhone 3GS ([[N88AP]])
** [[iPhone 4]] ([[N90AP]], [[N90BAP]], [[N92AP]])
** iPhone 4S ([[N94AP]])
** [[iPhone 5]] ([[N41AP]], [[N42AP]])
** [[iPhone 5c]] ([[N48AP]], [[N49AP]])
** [[iPhone 5s]] ([[N51AP]], [[N53AP]])
** iPhone 6 ([[N61AP]])
** iPhone 6 Plus ([[N56AP]])
** [[iPhone 6s]] ([[N71AP]], [[N71mAP]])
** [[iPhone 6s Plus]] ([[N66AP]], [[N66mAP]])
** [[iPhone SE]] ([[N69AP]], [[N69uAP]])
* [[List of iPod touches|iPod touch]]
** iPod touch ([[N45AP]])
** iPod touch 2G ([[N72AP]])
** iPod touch 3G ([[N18AP]])
** iPod touch 4G ([[N81AP]])
** [[iPod touch 5G]] ([[N78AP]], [[N78aAP]])
** iPod touch 6G ([[N102AP]])

==== [[Application Processor]]s ====
* [[S5L8900]] ([[M68AP|iPhone]], [[N45AP|iPod touch]], [[N82AP|iPhone 3G]])
* [[S5L8720]] ([[N72AP|iPod touch 2G]])
* [[S5L8920]] ([[N88AP|iPhone 3GS]])
* [[S5L8922]] ([[N18AP|iPod touch 3G]])
* [[S5L8930]] A4 ([[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch 4G]], [[K66AP|Apple TV 2G]])
* [[S5L8940]] A5 ([[K93AP|iPad 2 (iPad2,1)]], [[K94AP|iPad 2 (iPad2,2)]], [[K95AP|iPad 2 (iPad2,3)]], [[N94AP|iPhone 4S]])
* [[S5L8942]] A5 Rev A ([[J33AP|Apple TV 3G (AppleTV3,1)]], [[K93AAP|iPad 2 (iPad2,4)]], [[iPod touch 5G]], [[iPad mini]])
* [[S5L8945]] A5X ([[iPad 3]])
* [[S5L8947]] A5 Rev B ([[J33IAP|Apple TV 3G (AppleTV3,2)]])
* [[S5L8950]] A6 ([[iPhone 5]], [[iPhone 5c]])
* [[S5L8955]] A6X ([[iPad 4]])
* [[S5L8960]] A7 ([[iPhone 5s]], [[iPad mini 2]], [[iPad mini 3]])
* [[S5L8965]] A7 Variant ([[iPad Air]])
* [[T7000]] A8 ([[J42dAP|Apple TV 4G]], [[iPad mini 4]], [[N61AP|iPhone 6]], [[N56AP|iPhone 6 Plus]], [[N102AP|iPod touch 6G]])
* [[T7001]] A8X ([[iPad Air 2]])
* [[S7002]] S1 ([[Apple Watch]])
* [[S8000]] A9 ([[wikipedia:Samsung Electronics|Samsung]]) ([[N71AP|iPhone 6s]], [[N66AP|iPhone 6s Plus]], [[N69uAP|iPhone SE]])
* [[S8001]] A9X ([[iPad Pro]])
* [[S8003]] A9 ([[wikipedia:TSMC|TSMC]]) ([[N71mAP|iPhone 6s]], [[N66mAP|iPhone 6s Plus]], [[N69AP|iPhone SE]])

==== [[Baseband Device]]s ====
* [[S-Gold 2|PMB8876 or S-Gold 2]] ([[M68AP|iPhone]])
* [[X-Gold 608|PMB8878 or X-Gold 608]] ([[N82AP|iPhone 3G]], [[N88AP|iPhone 3GS]], [[K48AP|iPad (3G model)]])
* [[XMM6180|XMM6180 or X-Gold 618]] ([[iPhone 4]] ([[N90AP|iPhone3,1]], [[N90BAP|iPhone3,2]]), [[K94AP|iPad 2 (iPad2,2)]])
* [[MDM6600]] ([[N92AP|iPhone 4 (iPhone3,3)]], [[K95AP|iPad 2 (iPad2,3)]])
* [[MDM6610]] ([[N94AP|iPhone 4S]])
* [[MDM9600]] ([[iPad 3]])
* [[MDM9615]] ([[iPad 4]], [[iPad Air]] , [[iPad mini]], [[iPad mini 2]], [[iPad mini 3]], [[iPhone 5]], [[iPhone 5c]], [[iPhone 5s]])
* [[MDM9625]] ([[iPad Air 2]], [[iPad Pro (12.9 inch)]], [[iPad mini 4]], [[N61AP|iPhone 6]], [[N56AP|iPhone 6 Plus]], [[iPhone SE]])
* [[MDM9635]] ([[iPad Pro (9.7 inch)]], [[iPhone 6s]], [[iPhone 6s Plus]])
|}

{| style="width:100%"
|-
| style="width:50%; text-align:left; vertical-align:text-top;" |
== Development ==
==== [[:Category:Hackers|iPhone Hackers]] ====
* [[User:chpwn|chpwn]]
* [[User:comex|comex]]
* [[User:geohot|geohot]]
* [[User:iH8sn0w|iH8sn0w]]
* [[User:MuscleNerd|MuscleNerd]]
* [[pimskeks]]
* [[User:planetbeing|planetbeing]]
* [[User:pod2g|pod2g]]
* [[User:posixninja|posixninja]]
* [[saurik]]
* [[User:winocm|winocm]]

==== iPhone Hacker Teams ====
* [[Chronic Dev (team)|Chronic Dev]]
* [[iPhone Dev Team]]
* [[Dream Team]]
* [[Evad3rs|evad3rs]]

==== Application Development ====
* [[Bypassing iPhone Code Signatures]]
* [[/System/Library/Frameworks|Frameworks]]
* [[Misuse of developer certificates]]
* [[MobileDevice Library]]
* [[Mobile Substrate]]
* [[Toolchain]] (Includes tutorials)
* [[Toolchain 2.0]] (Includes tutorials)
* [http://iphonedevwiki.net iPhoneDevWiki]

==== Application Copy Protection ====
* [[Bugging Debuggers]]
* [[Copy Protection Overview]]

| style="width:50%; text-align:left; vertical-align:text-top;" |
== Help ==
==== Guides ====
* [[Tutorials]]
* [[Useful Links]]

==== Definitions ====
* [[Activation]] and [[Hacktivation]]
* [[ASLR]]
* [[Baseband Device|Baseband]]
* [[Baseband Bootloader|Bootloader]]
* [[Bootchain]]
* [[Bootrom]] / [[VROM]]
* [[Bricked]]
* [[CHIPID]]
* [[DFU Mode]]
* [[Failbreak]]
* [[iBoot (Bootloader)|iBoot]]
* [[IMG3 File Format|IMG3]] tags
** [[BORD]]
** [[CERT]]
** [[CHIP]]
** [[CPID]]
** [[ECID]]
** [[KBAG]]
** [[PROD]]
** [[SDOM]]
** [[SEPO]]
** [[SHSH]]
** [[TYPE]]
** [[VERS]]
* [[Jailbreak]]
** [[Tethered jailbreak]]
** [[Untethered jailbreak]]
* [[Firmware downgrading]]
** [[Tethered Downgrade]]
* [[Kernel]]
* [[launchd]]
* [[LLB]]
* [[NAND]]
* [[Unlock]]
* [[Userland]]
|}
__NOTOC____NOEDITSECTION__

Main Page

2016-07-24T11:11:45Z

Morpheus: 9.3.3 pangu jailbreaks 64-bit devices

[[File:Iptwiki.png|center]]
{{:Main Page/Welcome}}

== Jailbreak Status ==
{| class="wikitable" style="font-size:1em; width:100%;"
|-
! style="height:3em;" | [[Models|Device]]
! [[Apple Watch]]
! [[Apple TV 3G]]
! [[J42dAP|Apple TV 4G]]
! [[iPad 2]] and up
! [[iPad mini]] and up
! [[iPhone 4S]] and up
! [[iPod touch 5G]] and up
|-
! style="height:3em;" | Latest public [[firmware]]
| 2.2.2 (13V604)
| 7.2.1/8.4.1 (12H523)
| 9.2.2 (13Y825)
| colspan="4" | 9.3.3 (13G34)
|-
! style="height:3em;" | Jailbreak available?
| colspan="8" {{ yes (64-bit devices)}}
|-
For older devices and versions, see [[Jailbreak]].

{| style="width:100%"
|-
| style="width:50%; text-align:left; vertical-align:text-top;" |
== Software ==
* [[Apple Internal Apps]]
* [[:Category:File Formats|File formats]]
* [[/|Filesystem]]
* [[Firmware]]
** [[Beta Firmware]]
** [[Factory Firmware]]
** [[OTA Updates]]
* [[iTunes]]
** [[iTunes Errors]]
** [[iTunes Modes]]
** [[MobileDevice Library]]
* [[Keys]]
** [[AES Keys]]
** [[CERT|Apple Certificate]]
** [[Baseband RSA Keys|RSA Keys]]
** [[Baseband TEA Keys|TEA Keys]]
** [[Firmware Keys]]
*** [[Decrypting Firmwares]]
** [[GID Key]]
** [[NCK]]
* [[Protocols]]
** [[Baseband Bootrom Protocol]]
** [[DFU (Protocol)|DFU]]
** [[Interactive Mode|Baseband Bootloader Protocol]]
** [[Normal Mode]]
** [[Recovery Mode (Protocols)|Recovery Mode]]
** [[Restore Mode]]
* [[System Log|System Log (syslog)]]

==== [[:Category:Jailbreaks|Jailbreak Software]] ====
* [[Absinthe]]
* [[blackra1n]]
* [[Corona]]
* [[evasi0n]]
* [[evasi0n7]]
* [[Geeksn0w]]
* [[Greenpois0n (jailbreak)|greenpois0n]]
* [[JailbreakMe]]
* [[limera1n]]
* [[p0sixspwn]]
* [[Pangu]]
* [[Pangu8]]
* [[Pangu9]]
* [[PPJailbreak]]
* [[purplera1n]]
* [[PwnageTool]]
* [[redsn0w]]
* [[Rocky Racoon]]
* [[Seas0nPass]]
* [[sn0wbreeze]]
* [[Spirit]]
* [[TaiG]]
* [[unthredera1n]]

==== [[:Category:Patches|Patches]] ====
* [[Kernel Patches|Kernel]]
** [[AMFI Binary Trust Cache Patch]]
** [[PE i can has debugger Patch]]
** [[Sandbox Patch]]
** [[Vm map enter Patch]]
** [[Vm map protect Patch]]
* [[:Category:Ramdisk Patches|Ramdisk]]: [[ASR]]

==== [[:Category:Exploits|Vulnerabilities and Exploits]] ====
* [[0x24000 Segment Overflow]] (24kpwn)
* [[BPF STX Kernel Write Exploit]]
* [[CVE-2013-0964]]
* [[HFS Heap Overflow]]
* [[HFS Legacy Volume Name Stack Buffer Overflow]] (feedface)
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]]
* [[Limera1n Exploit]]
* [[Malformed CFF Vulnerability]]
* [[MobileBackup Copy Exploit]]
* [[ndrv_setspec() Integer Overflow]]
* [[Packet Filter Kernel Exploit]]
* [[Racoon String Format Overflow Exploit]]
* [[SHA-1 Image Segment Overflow]] (SHAtter)
* [[usb_control_msg(0x21, 2) Exploit]]
* [[usb_control_msg(0xA1, 1) Exploit]] (steaks4uce)
* [[Symbolic Link Vulnerability]]

====Various Software====
* [[Cydia.app|Cydia]]
* [[EDA]]
* [[iFaith]]
* [[SemiRestore7]]
* [[SemiRestore8]]
* [[SemiRestore9]]
* [[Sund0wn]]
* [[TinyUmbrella]]

====Bad stuff====
* [[Malware for iOS]]
* [[Misuse of enterprise and developer certificates]]
* [[Scam Jailbreaks and Unlocks]]

| style="width:50%; text-align:left; vertical-align:text-top;" |
== Hardware ==
==== Devices ====
{{see also|Models|Prototypes}}
* [[List of Apple TVs|Apple TV]]
** Apple TV 2G ([[K66AP]])
** [[Apple TV 3G]] ([[J33AP]], [[J33IAP]])
** Apple TV 4G ([[J42dAP]])
* [[Apple Watch]]
** 38 mm ([[N27aAP]])
** 42 mm ([[N28aAP]])
* [[List of iPads|iPad]]
** iPad ([[K48AP]])
** [[iPad 2]] ([[K93AP]], [[K94AP]], [[K95AP]], [[K93AAP]])
** [[iPad 3]] ([[J1AP]], [[J2AP]], [[J2AAP]])
** [[iPad 4]] ([[P101AP]], [[P102AP]], [[P103AP]])
** [[iPad Air]] ([[J71AP]], [[J72AP]], [[J73AP]])
** [[iPad Air 2]] ([[J81AP]], [[J82AP]])
** [[iPad Pro (12.9 inch)]] ([[J98aAP]], [[J99aAP]])
** [[iPad Pro (9.7 inch)]] ([[J127AP]], [[J128AP]])
* [[List of iPad minis|iPad mini]]
** [[iPad mini]] ([[P105AP]], [[P106AP]], [[P107AP]])
** [[iPad mini 2]] ([[J85AP]], [[J86AP]], [[J87AP]])
** [[iPad mini 3]] ([[J85mAP]], [[J86mAP]], [[J87mAP]])
** [[iPad mini 4]] ([[J96AP]], [[J97AP]])
* [[List of iPhones|iPhone]]
** iPhone ([[M68AP]])
** iPhone 3G ([[N82AP]])
** iPhone 3GS ([[N88AP]])
** [[iPhone 4]] ([[N90AP]], [[N90BAP]], [[N92AP]])
** iPhone 4S ([[N94AP]])
** [[iPhone 5]] ([[N41AP]], [[N42AP]])
** [[iPhone 5c]] ([[N48AP]], [[N49AP]])
** [[iPhone 5s]] ([[N51AP]], [[N53AP]])
** iPhone 6 ([[N61AP]])
** iPhone 6 Plus ([[N56AP]])
** [[iPhone 6s]] ([[N71AP]], [[N71mAP]])
** [[iPhone 6s Plus]] ([[N66AP]], [[N66mAP]])
** [[iPhone SE]] ([[N69AP]], [[N69uAP]])
* [[List of iPod touches|iPod touch]]
** iPod touch ([[N45AP]])
** iPod touch 2G ([[N72AP]])
** iPod touch 3G ([[N18AP]])
** iPod touch 4G ([[N81AP]])
** [[iPod touch 5G]] ([[N78AP]], [[N78aAP]])
** iPod touch 6G ([[N102AP]])

==== [[Application Processor]]s ====
* [[S5L8900]] ([[M68AP|iPhone]], [[N45AP|iPod touch]], [[N82AP|iPhone 3G]])
* [[S5L8720]] ([[N72AP|iPod touch 2G]])
* [[S5L8920]] ([[N88AP|iPhone 3GS]])
* [[S5L8922]] ([[N18AP|iPod touch 3G]])
* [[S5L8930]] A4 ([[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch 4G]], [[K66AP|Apple TV 2G]])
* [[S5L8940]] A5 ([[K93AP|iPad 2 (iPad2,1)]], [[K94AP|iPad 2 (iPad2,2)]], [[K95AP|iPad 2 (iPad2,3)]], [[N94AP|iPhone 4S]])
* [[S5L8942]] A5 Rev A ([[J33AP|Apple TV 3G (AppleTV3,1)]], [[K93AAP|iPad 2 (iPad2,4)]], [[iPod touch 5G]], [[iPad mini]])
* [[S5L8945]] A5X ([[iPad 3]])
* [[S5L8947]] A5 Rev B ([[J33IAP|Apple TV 3G (AppleTV3,2)]])
* [[S5L8950]] A6 ([[iPhone 5]], [[iPhone 5c]])
* [[S5L8955]] A6X ([[iPad 4]])
* [[S5L8960]] A7 ([[iPhone 5s]], [[iPad mini 2]], [[iPad mini 3]])
* [[S5L8965]] A7 Variant ([[iPad Air]])
* [[T7000]] A8 ([[J42dAP|Apple TV 4G]], [[iPad mini 4]], [[N61AP|iPhone 6]], [[N56AP|iPhone 6 Plus]], [[N102AP|iPod touch 6G]])
* [[T7001]] A8X ([[iPad Air 2]])
* [[S7002]] S1 ([[Apple Watch]])
* [[S8000]] A9 ([[wikipedia:Samsung Electronics|Samsung]]) ([[N71AP|iPhone 6s]], [[N66AP|iPhone 6s Plus]], [[N69uAP|iPhone SE]])
* [[S8001]] A9X ([[iPad Pro]])
* [[S8003]] A9 ([[wikipedia:TSMC|TSMC]]) ([[N71mAP|iPhone 6s]], [[N66mAP|iPhone 6s Plus]], [[N69AP|iPhone SE]])

==== [[Baseband Device]]s ====
* [[S-Gold 2|PMB8876 or S-Gold 2]] ([[M68AP|iPhone]])
* [[X-Gold 608|PMB8878 or X-Gold 608]] ([[N82AP|iPhone 3G]], [[N88AP|iPhone 3GS]], [[K48AP|iPad (3G model)]])
* [[XMM6180|XMM6180 or X-Gold 618]] ([[iPhone 4]] ([[N90AP|iPhone3,1]], [[N90BAP|iPhone3,2]]), [[K94AP|iPad 2 (iPad2,2)]])
* [[MDM6600]] ([[N92AP|iPhone 4 (iPhone3,3)]], [[K95AP|iPad 2 (iPad2,3)]])
* [[MDM6610]] ([[N94AP|iPhone 4S]])
* [[MDM9600]] ([[iPad 3]])
* [[MDM9615]] ([[iPad 4]], [[iPad Air]] , [[iPad mini]], [[iPad mini 2]], [[iPad mini 3]], [[iPhone 5]], [[iPhone 5c]], [[iPhone 5s]])
* [[MDM9625]] ([[iPad Air 2]], [[iPad Pro (12.9 inch)]], [[iPad mini 4]], [[N61AP|iPhone 6]], [[N56AP|iPhone 6 Plus]], [[iPhone SE]])
* [[MDM9635]] ([[iPad Pro (9.7 inch)]], [[iPhone 6s]], [[iPhone 6s Plus]])
|}

{| style="width:100%"
|-
| style="width:50%; text-align:left; vertical-align:text-top;" |
== Development ==
==== [[:Category:Hackers|iPhone Hackers]] ====
* [[User:chpwn|chpwn]]
* [[User:comex|comex]]
* [[User:geohot|geohot]]
* [[User:iH8sn0w|iH8sn0w]]
* [[User:MuscleNerd|MuscleNerd]]
* [[pimskeks]]
* [[User:planetbeing|planetbeing]]
* [[User:pod2g|pod2g]]
* [[User:posixninja|posixninja]]
* [[saurik]]
* [[User:winocm|winocm]]

==== iPhone Hacker Teams ====
* [[Chronic Dev (team)|Chronic Dev]]
* [[iPhone Dev Team]]
* [[Dream Team]]
* [[Evad3rs|evad3rs]]

==== Application Development ====
* [[Bypassing iPhone Code Signatures]]
* [[/System/Library/Frameworks|Frameworks]]
* [[Misuse of developer certificates]]
* [[MobileDevice Library]]
* [[Mobile Substrate]]
* [[Toolchain]] (Includes tutorials)
* [[Toolchain 2.0]] (Includes tutorials)
* [http://iphonedevwiki.net iPhoneDevWiki]

==== Application Copy Protection ====
* [[Bugging Debuggers]]
* [[Copy Protection Overview]]

| style="width:50%; text-align:left; vertical-align:text-top;" |
== Help ==
==== Guides ====
* [[Tutorials]]
* [[Useful Links]]

==== Definitions ====
* [[Activation]] and [[Hacktivation]]
* [[ASLR]]
* [[Baseband Device|Baseband]]
* [[Baseband Bootloader|Bootloader]]
* [[Bootchain]]
* [[Bootrom]] / [[VROM]]
* [[Bricked]]
* [[CHIPID]]
* [[DFU Mode]]
* [[Failbreak]]
* [[iBoot (Bootloader)|iBoot]]
* [[IMG3 File Format|IMG3]] tags
** [[BORD]]
** [[CERT]]
** [[CHIP]]
** [[CPID]]
** [[ECID]]
** [[KBAG]]
** [[PROD]]
** [[SDOM]]
** [[SEPO]]
** [[SHSH]]
** [[TYPE]]
** [[VERS]]
* [[Jailbreak]]
** [[Tethered jailbreak]]
** [[Untethered jailbreak]]
* [[Firmware downgrading]]
** [[Tethered Downgrade]]
* [[Kernel]]
* [[launchd]]
* [[LLB]]
* [[NAND]]
* [[Unlock]]
* [[Userland]]
|}
__NOTOC____NOEDITSECTION__

Kernel

2016-07-13T21:47:41Z

Morpheus: /* Kernel Extensions */ added joker tool references.

The '''kernel''' of [[iOS]] is the [[wikipedia:XNU|XNU]] kernel. To learn about what "kernel" means in general, see [https://en.wikipedia.org/wiki/Kernel_(operating_system) the Wikipedia article].

Pre-2.0, it was vulnerable to the [[Ramdisk Hack]] and may still be, but iBoot doesn't allow boot-args to be passed anymore. It is mapped to memory at 0x80000000, forcing a 2/2GB address separation, similar to Windows 32-bit model. On older iOS versions the separation was 3/1 (mapping the kernel at 0xC0000000), closer to the Linux model.

Note, that this is NOT like 32-bit OS X, wherein the kernel resides in its own address space, but more like OS X 64-bit, wherein [[wikipedia:Control_Register#CR3|CR3]] is shared (albeit an address space larger by several orders of magnitude). See the appropriate [[#64-bit|section]].

== [[ASLR]] ==
{{main|Kernel ASLR}}
As of [[iOS]] 6, the kernel is subject to ASLR, much akin to Mountain Lion (OS X 10.8). This makes exploitation harder as the location of kernel code cannot be known.

On production and development devices, the kernel is always stored as a statically linked [[kernelcache|cache]] stored at [[/System/Library/Caches/com.apple.kernelcaches/kernelcache]] that is decompressed and run on startup.

== Stack ==
The kernel maintains thread specific stacks by calling kernel_memory_allocate, this allocates stacks in the specified kalloc zone. The bootstrap thread has its own specific static kernel stack, which is specified by _intstack. IRQ and FIQ handlers will also have their own execution stack which is specified by _irqstack.

== Boot-Args ==
Like its OS X counterpart, iOS's XNU accepts command line arguments (though the actual passing of arguments is done by iBoot, which as of late refuses to do so). Arguments may be directed at the kernel proper, or any one of the many KExts (discussed below). The arguments of the kernel are largely the same as those of OS X.

Kexts use boot-args as well, as can be seen when disassembly by calls to PE_parse_boot_argn (usually exported, _PE_parse_boot_argn 8027A8EC on the iOS 6.1.3 kernel, discovered by [[User:Haifisch|Haifisch]]). Finding references (using IDA) reveals hundreds places in the code wherein arguments are parsed in modules, pertaining to Flash, HDMI, and [[AppleMobileFileIntegrity|AMFI]].

The list of boot-args can be extracted from any kernel dump once the address of _PE_parse_boot_argn is determined (which is usually automatically). A list from iOS 8.4 is shown below:

# perform a full disassembly, isolate decompiled lines (^;) with PE_parse.. and isolate string between quotes, sorted uniquely:
# morpheus@Zephyr (~)$ '''jtool -d __TEXT.__text kernel.8.4.dump | grep PE_parse |grep '^; '| cut -d\" -f2 | cut -d\" -f1 | sort -u'''
-b
-disable_atm
-factory_debug
-l
-multiq-deep-drain
-no-zp
-no64exec
-novfscache
-oldmezname
-panic_on_exception_triage
-progress
-qos-policy-allow
-s
-vm16k
-vnode_cache_defeat
-x
-zc
-zinfop
-zp
aks_default_class
assert
bg_preempt
boot-uuid
colors
cpumon_ustackshots_trigger_pct
darkwake
dart
dcc
debug
diag
disable_exc_resource
fill
hwm_user_cores
ifa_debug
ifnet_debug
imp_interactive_receiver
inaddr_nhash
initmcl
interrupt_accounting
io
io_throttle_period_tier1
io_throttle_period_tier2
io_throttle_period_tier3
io_throttle_window_tier1
io_throttle_window_tier2
io_throttle_window_tier3
iosched
iotrace
jcon
jtag
keepsyms
kernel_stack_pages
kextlog
kmapoff
lcks
lo_txstart
longterm
max_cpumon_interval
max_cpumon_percentage
max_task_pmem
maxmem
maxoffset
mbuf_debug
mbuf_pool
mcache_flags
mleak_sample_factor
mseg
msgbuf
mtxspin
multiq_drain_band_limit
multiq_drain_depth_limit
multiq_drain_urgent_first
nbuf
ncl
net.inet.ip.scopedroute
net.inet6.ip6.scopedroute
net_affinity
net_rtref
net_rxpoll
network-type
panic_on_cs_killed
preempt
qos_override_mode
rd
rootdev
rte_debug
sched
sched_decay_penalty
sched_decay_usage_age_factor
sched_pri_decay_limit
sched_use_combined_fgbg_decay
serial
serverperfmode
slto_us
socket_debug
task_policy_suppression_disable
task_wakeups_monitor_interval
task_wakeups_monitor_rate
task_wakeups_monitor_ustackshots_trigger_pct
tbi
trace
trace_panic
trace_typefilter
trace_wake
unrestrict_coalition_syscalls
vm_compression_limit
vm_compressor
vm_compressor_immediate
vm_compressor_threads
wfi
wqsize
zalloc_debug
zlog
zp-factor
zp-scale
zrecs
zsize

== Versions ==
In the beginning iOS had consistently maintained a fairly higher kernel version than the corresponding version of OS X, but over time iOS and OS X have "moved nearer" together. And now, OS X El Capitan's XNU is 3247.1.106~1 and iOS 9.0 is 3248.1.2~3. This is not surprising, considering that iOS introduced novel features (such as [[Kernel ASLR]], the default freezer, and various security hardening features) which are first incorporated in it, and later made it to OS X. It seems that Apple is gradually uniting the iOS and OS X kernels over time and with iOS 9 and OS X El Capitan the version numbers are nearer to each other then ever before. The following demonstrates the OS versions at present (via terminal '''uname -a''' command):

OS X El Capitan 10.11.5:

Darwin Kernel Version 15.5.0: Tue Apr 19 18:36:36 PDT 2016; root:xnu-3248.50.21~8/RELEASE_X86_64

iOS 9.3.2:

Darwin Kernel Version 15.5.0: Mon Apr 18 16:44:07 PDT 2016; root:xnu-3248.50.21~4\/RELEASE_ARM64_[[S8000]]X

tvOS 9.2:
Darwin Kernel Version 15.4.0: Wed Feb 24 12:51:38 PST 2016; root:xnu-3248.41.4~47/RELEASE_ARM64_[[T7000]]

Note: The RELEASE_ARM_xxxxxxxx file obviously differs on device / CPU and the time varies by a few minutes per device.

=== Version List (iOS) ===
The compilation date for each version will vary slightly between processors. This is due to the fact that compilations are sequential.
{| class="wikitable"
|-
! Version
! Build
! Comment
|-
| [[Alpine 1A420 (iPhone)|1A420]]
| Darwin Kernel Version 4.4.2-Purple-19: Thu Mar 8 01:43:04 PST 2007; root:xnu-933.0.14~46/RELEASE_ARM_[[S5L8900]]XRB
| from prototype - not sure if version is 100% correct.
|-
| 1.0
| Darwin Kernel Version 9.0.0d1: Tue May 22 21:15:54 PDT 2007; root:xnu-933.0.178/RELEASE_ARM_[[S5L8900]]XRB
| rowspan="3" | Not sure if version is 100% correct.
|-
| 1.0.1
| class="rborderplz" rowspan="2" | Darwin Kernel Version 9.0.0d1: Fri Jun 22 00:38:56 PDT 2007; root:xnu-933.1.178~1/RELEASE_ARM_[[S5L8900]]XRB
|-
| class="rborderplz" | 1.0.2
|-
| 1.1.1
| Darwin Kernel Version 9.0.0d1: Wed Sep 19 00:08:42 PDT 2007; root:xnu-933.0.203~21/RELEASE_ARM_[[S5L8900]]XRB
| First kernel that was [[8900_File_Format#8900|8900]] encrypted - not sure if version is 100% correct.
|-
| 1.1.2
| Darwin Kernel Version 9.0.0d1: Wed Oct 10 00:07:49 PDT 2007; root:xnu-933.0.204~7/RELEASE_ARM_[[S5L8900]]XRB
| Not sure if version is 100% correct.
|-
| 1.1.3
| rowspan="3" | Darwin Kernel Version 9.0.0d1: Wed Dec 12 00:16:00 PST 2007; root:xnu-933.0.211~2/RELEASE_ARM_[[S5L8900]]XRB
|
|-
| 1.1.4
|
|-
| 1.1.5
| iPod touch only
|-
| 2.0
| rowspan="3" | Darwin Kernel Version 9.3.1: Sun Jun 15 21:37:01 PDT 2008; root:xnu-1228.6.76~45/RELEASE_ARM_[[S5L8900]]X
|
|-
| 2.0.1
|
|-
| 2.0.2
|
|-
| 2.1
| rowspan="2" | Darwin Kernel Version 9.4.1: Sun Aug 10 21:25:25 PDT 2008; root:xnu-1228.7.27~12/RELEASE_ARM_[[S5L8720]]X
|
|-
| 2.1.1
|
|-
| 2.2
| Darwin Kernel Version 9.4.1: Sat Nov 1 19:13:13 PDT 2008; root:xnu-1228.7.36~2/RELEASE_ARM_[[S5L8720]]X
|
|-
| 2.2.1
| Darwin Kernel Version 9.4.1: Mon Dec 8 21:02:57 PST 2008; root:xnu-1228.7.37~4/RELEASE_ARM_[[S5L8720]]X
|
|-
| 3.0
| rowspan="2" | Darwin Kernel Version 10.0.0d3: Wed May 13 22:16:49 PDT 2009; root:xnu-1357.2.89~4/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.0.1
|
|-
| 3.1
| Darwin Kernel Version 10.0.0d3: Fri Aug 14 13:23:32 PDT 2009; root:xnu-1357.5.30~2/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.1.2
| Darwin Kernel Version 10.0.0d3: Fri Sep 25 23:35:35 PDT 2009; root:xnu-1357.5.30~3/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.1.3
| Darwin Kernel Version 10.0.0d3: Fri Dec 18 01:34:28 PST 2009; root:xnu-1357.5.30~6/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.2
| Darwin Kernel Version 10.3.1: Mon Mar 15 23:15:33 PDT 2010; root:xnu-1504.2.27~18/RELEASE_ARM_[[S5L8930]]X
| rowspan="3" | iPad Only
|-
| 3.2.1
| class="rborderplz" | Darwin Kernel Version 10.3.1: Fri May 28 16:46:17 PDT 2010; root:xnu-1504.2.50~4/RELEASE_ARM_[[S5L8930]]X
|-
| 3.2.2
| class="rborderplz" | Darwin Kernel Version 10.3.1: Wed Aug 4 19:08:04 PDT 2010; root:xnu-1504.2.60~1/RELEASE_ARM_[[S5L8930]]X
|-
| 4.0
| rowspan="2" | Darwin Kernel Version 10.3.1: Wed May 26 22:28:33 PDT 2010; root:xnu-1504.50.73~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.0.1
|
|-
| 4.0.2
| Darwin Kernel Version 10.3.1: Wed Aug 4 18:46:06 PDT 2010; root:xnu-1504.50.80~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.1
| Darwin Kernel Version 10.3.1: Wed Aug 4 22:35:51 PDT 2010; root:xnu-1504.55.33~10/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.2.1
| Darwin Kernel Version 10.4.0: Wed Oct 20 20:14:45 PDT 2010; root:xnu-1504.58.28~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3
| rowspan="2" | Darwin Kernel Version 11.0.0: Thu Feb 10 21:46:56 PST 2011; root:xnu-1735.46~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.1
|
|-
| 4.3.2
| rowspan="2" | Darwin Kernel Version 11.0.0: Wed Mar 30 18:51:10 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.3
|
|-
| 4.3.4
| rowspan="2" | Darwin Kernel Version 11.0.0: Sat Jul 9 00:59:43 PDT 2011; root:xnu-1735.47~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.5
|
|-
| 5.0b5
| Darwin Kernel Version 11.0.0: Tue Aug 2 22:31:30 PDT 2011; root:xnu-1878.4.80~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.0
| Darwin Kernel Version 11.0.0: Thu Sep 15 23:34:43 PDT 2011; root:xnu-1878.4.43~2/RELEASE_ARM_[[S5L8940]]X
|
|-
| 5.0.1 beta
| Darwin Kernel Version 11.0.0: Wed Oct 19 19:05:07 PDT 2011; root:xnu-1878.4.45~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.0.1 beta 2
| rowspan="2" | Darwin Kernel Version 11.0.0: Tue Nov 1 20:34:16 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_[[S5L8940]]X
|
|-
| 5.0.1
|
|-
| 5.1 beta
| Darwin Kernel Version 11.0.0: Sun Nov 13 19:10:13 PST 2011; root:xnu-1878.10.61~7/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.1 beta 2
| Darwin Kernel Version 11.0.0: Sun Dec 4 18:57:33 PST 2011; root:xnu-1878.10.68~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.1 beta 3
| Darwin Kernel Version 11.0.0: Mon Jan 2 18:46:01 PST 2012; root:xnu-1878.10.74~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.1
| Darwin Kernel Version 11.0.0: Wed Feb 1 23:18:07 PST 2012; root:xnu-1878.11.8~1/RELEASE_ARM_[[S5L8945]]X
|
|-
| 5.1.1
| Darwin Kernel Version 11.0.0: Sun Apr 8 21:51:26 PDT 2012; root:xnu-1878.11.10~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0 beta
| Darwin Kernel Version 13.0.0: Wed May 30 19:23:03 PDT 2012; root:xnu-2107.1.78~18/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0 beta 2
| Darwin Kernel Version 13.0.0: Sun Jun 17 19:47:47 PDT 2012; root:xnu-2107.1.61~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0 beta 3
| Darwin Kernel Version 13.0.0: Sun Jul 8 20:15:17 PDT 2012; root:xnu-2107.2.9~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0 beta 4
| Darwin Kernel Version 13.0.0: Sun Jul 29 20:15:28 PDT 2012; root:xnu-2107.2.26~4/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0
| Darwin Kernel Version 13.0.0: Sun Aug 19 00:31:06 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.0.1
| rowspan="2" | Darwin Kernel Version 13.0.0: Wed Oct 10 23:32:19 PDT 2012; root:xnu-2107.2.34~2/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.0.2
| iPhone 5 only.
|-
| 6.1 beta
| Darwin Kernel Version 13.0.0: Sun Oct 21 19:28:43 PDT 2012; root:xnu-2107.7.51~17/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1 beta 2
| Darwin Kernel Version 13.0.0: Sun Nov 4 19:02:54 PST 2012; root:xnu-2107.7.53~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1 beta 3
| Darwin Kernel Version 13.0.0: Mon Nov 26 21:17:13 PST 2012; root:xnu-2107.7.53~27/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1 beta 4
| Darwin Kernel Version 13.0.0: Sun Dec 9 19:22:45 PST 2012; root:xnu-2107.7.55~6/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1 beta 5
| rowspan="5" | Darwin Kernel Version 13.0.0: Sun Dec 16 20:01:39 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.1
|
|-
| 6.1.1 beta
|
|-
| 6.1.1
| iPhone 4S only
|-
| 6.1.2
|
|-
| 6.1.3 beta 2
| rowspan="5" | Darwin Kernel Version 13.0.0: Wed Feb 13 21:35:42 PST 2013; root:xnu-2107.7.55.2.2~1/RELEASE_ARM_[[S5L8920]]X
|
|-
| 6.1.3
|
|-
| 6.1.4
| iPhone 5 only.
|-
| 6.1.5
| iPod touch 4 only.
|-
| 6.1.6
| iPod touch 4 and iPhone 3GS only.
|-
| 7.0 beta
| Darwin Kernel Version 14.0.0: Wed May 29 23:53:59 PDT 2013; root:xnu-2423.1.1.1.2~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0 beta 2
| Darwin Kernel Version 14.0.0: Mon Jun 17 00:51:51 PDT 2013; root:xnu-2423.1.28~7/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0 beta 3
| Darwin Kernel Version 14.0.0: Mon Jul 1 04:25:28 PDT 2013; root:xnu-2423.1.40~11/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0 beta 4
| Darwin Kernel Version 14.0.0: Mon Jul 22 02:12:11 PDT 2013; root:xnu-2423.1.55~8/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0 beta 5
| rowspan="2" | Darwin Kernel Version 14.0.0: Sun Aug 4 22:40:14 PDT 2013; root:xnu-2423.1.70~6/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0 beta 6
|
|-
| 7.0[[Golden Master|GM]]
| rowspan="2" | Darwin Kernel Version 14.0.0: Tue Aug 13 21:39:05 PDT 2013; root:xnu-2423.1.73~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0
|
|-
| 7.0.1
| rowspan="2" | Darwin Kernel Version 14.0.0: Mon Sep 9 20:56:02 PDT 2013; root:xnu-2423.1.74~2/RELEASE_ARM64_[[S5L8960]]X
| [[iPhone 5c]] and [[iPhone 5s|5s]] only
|-
| 7.0.2
|
|-
| 7.0.3
| rowspan="4" | Darwin Kernel Version 14.0.0: Fri Sep 27 23:08:32 PDT 2013; root:xnu-2423.3.12~1/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 7.0.4
|
|-
| 7.0.5
| iPhone 5c (iPhone5,4) and iPhone 5s (iPhone6,2) only.
|-
| 7.0.6
|
|-
| 7.1 beta
| Darwin Kernel Version 14.0.0: Mon Nov 11 04:18:01 PST 2013; root:xnu-2423.10.33~9/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1 beta 2
| Darwin Kernel Version 14.0.0: Tue Dec 10 21:25:34 PST 2013; root:xnu-2423.10.38.1.1~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1 beta 3
| Darwin Kernel Version 14.0.0: Thu Jan 2 01:55:45 PST 2014; root:xnu-2423.10.45~5/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1 beta 4
| Darwin Kernel Version 14.0.0: Mon Jan 13 03:33:00 PST 2014; root:xnu-2423.10.49.0.1~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1 beta 5
| Darwin Kernel Version 14.0.0: Mon Jan 27 23:55:13 PST 2014; root:xnu-2423.10.58~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1
| Darwin Kernel Version 14.0.0: Fri Feb 21 19:41:10 PST 2014; root:xnu-2423.10.67~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1.1
| Darwin Kernel Version 14.0.0: Fri Mar 28 21:22:10 PDT 2014; root:xnu-2423.10.70~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1.2
| Darwin Kernel Version 14.0.0: Thu May 15 23:17:54 PDT 2014; root:xnu-2423.10.71~1/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.0 beta
| Darwin Kernel Version 14.0.0: Mon May 26 22:09:06 PDT 2014; root:xnu-2729.0.0.0.9~2/RELEASE_ARM_[[S5L8942]]X
|
|-
| 8.0 beta 2
| Darwin Kernel Version 14.0.0: Sat Jun 14 16:36:40 PDT 2014; root:xnu-2775.0.0.1.1~3/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.0 beta 3
| Darwin Kernel Version 14.0.0: Wed Jul 2 18:51:34 PDT 2014; root:xnu-2783.1.21~19/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.0 beta 4
| Darwin Kernel Version 14.0.0: Wed Jul 16 21:55:26 PDT 2014; root:xnu-2783.1.40.0.3~2/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.0 beta 5
| Darwin Kernel Version 14.0.0: Wed Jul 30 23:04:17 PDT 2014; root:xnu-2783.1.62~20/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.0[[Golden Master|GM]]
| rowspan="2" | Darwin Kernel Version 14.0.0: Tue Aug 19 15:09:47 PDT 2014; root:xnu-2783.1.72~8/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.0
|
|-
| 8.0.1
| rowspan="2" | Darwin Kernel Version 14.0.0: Thu Sep 18 21:52:21 PDT 2014; root:xnu-2783.1.72~23/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.0.2
|
|-
| 8.1 beta
| Darwin Kernel Version 14.0.0: Sat Sep 27 18:49:49 PDT 2014; root:xnu-2783.3.12~18/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.1 beta 2
| Darwin Kernel Version 14.0.0: Fri Oct 3 21:52:09 PDT 2014; root:xnu-2783.3.13~2/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.1
| Darwin Kernel Version 14.0.0: Fri Oct 7 00:04:37 PDT 2014; root:xnu-2783.3.13~4/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.1.1 beta
| Darwin Kernel Version 14.0.0: Sun Nov 2 20:21:29 PDT 2014; root:xnu-2783.3.21~1/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.1.1
| rowspan="2" | Darwin Kernel Version 14.0.0: Mon Nov 3 22:54:30 PDT 2014; root:xnu-2783.3.22~1/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.1.2
|
|-
| 8.1.3
| Darwin Kernel Version 14.0.0: Mon Jan 2 21:29:20 PST 2015; root:xnu-2783.3.26~3/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.2 beta 3
| Darwin Kernel Version 14.0.0: Sun Dec 14 20:59:15 PST 2014; root:xnu-2783.5.29.0.1~1/RELEASE_ARM_[[S5L8940]]X
|
|-
| 8.2 beta 4
| Darwin Kernel Version 14.0.0: Tue Jan 6 21:02:10 PST 2015; root:xnu-2783.5.32~9/RELEASE_ARM_[[S5L8940]]X
|
|-
| 8.2 beta 5
| Darwin Kernel Version 14.0.0: Mon Jan 26 22:16:17 PST 2015; root:xnu-2783.5.37~11/RELEASE_ARM_[[S5L8940]]X
|
|-
| 8.2
| Darwin Kernel Version 14.0.0: Mon Feb 9 22:07:57 PST 2015; root:xnu-2783.5.38~5/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.3 beta 3
| Darwin Kernel Version 14.0.0: Mon Mar 4 20:55:58 PST 2015; root:xnu-2784.20.25~26/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.3 beta 4
| Darwin Kernel Version 14.0.0: Thu Mar 19 00:16:36 PST 2015; root:xnu-2784.20.31~1/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.3
| Darwin Kernel Version 14.0.0: Sun Mar 29 19:44:04 PDT 2015; root:xnu-2784.20.34~2/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.4 beta
| Darwin Kernel Version 14.0.0: Wed Apr 8 21:26:37 PDT 2015; root:xnu-2784.30.1~29/RELEASE_ARM64_[[T7000]]X
|
|-
| 8.4 beta 2
| Darwin Kernel Version 14.0.0: Wed Apr 21 21:49:05 PDT 2015; root:xnu-2784.30.2~9/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.4 beta 3
| Darwin Kernel Version 14.0.0: Tue May 5 23:09:22 PDT 2015; root:xnu-2784.30.5~7/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.4 beta 4
| Darwin Kernel Version 14.0.0: Tue Wed 3 23:19:49 PDT 2015; root:xnu-2784.30.7~13/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.4
| Darwin Kernel Version 14.0.0: Wed Jun 24 00:50:15 PDT 2015; root:xnu-2784.30.7~30/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.4.1
| Darwin Kernel Version 14.0.0: Wed Aug 5 19:24:44 PDT 2015; root:xnu-2784.40.6~18/RELEASE_ARM_[[S5L8950]]X
|
|-
| 9.0 beta
| Darwin Kernel Version 15.0.0: Fri May 29 22:14:48 PDT 2015; root:xnu-3216.0.0.1.15~2/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.0 beta 2
| Darwin Kernel Version 15.0.0: Mon Jun 15 21:51:54 PDT 2015; root:xnu-3247.1.6.1.1~2/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.0 beta 4
| Darwin Kernel Version 15.0.0: Sat Jul 11 20:01:45 PDT 2015; root:xnu-3247.1.56~13\/RELEASE_ARM64_[[T7001]]
|
|-
| 9.0 beta 5
| Darwin Kernel Version 15.0.0: Mon Aug 3 19:58:41 PDT 2015; root:xnu-3247.1.88.1.1~1\/RELEASE_ARM64_[[T7001]]
|
|-
| 9.0[[Golden Master|GM]]
| Darwin Kernel Version 15.0.0: Thu Aug 6 22:27:22 PDT 2015; root:xnu-3248.1.2~3\/RELEASE_ARM_[[S5L8940]]X
|
|-
| 9.0
| rowspan="3" | Darwin Kernel Version 15.0.0: Thu Aug 20 13:11:13 PDT 2015; root:xnu-3248.1.3~1\/RELEASE_ARM_[[S5L8950]]X
|
|-
| 9.0.1
|
|-
| 9.0.2
|
|-
| 9.1 beta
| Darwin Kernel Version 15.0.0: Sat Aug 29 17:41:04 PDT 2015; root:xnu-3248.10.27~10\/RELEASE_ARM_[[S5L8940]]X
|
|-
| 9.1 beta 2
| Darwin Kernel Version 15.0.0: Mon Sep 14 01:24:55 PDT 2015; root:xnu-3248.10.38~3\/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.1 beta 3
| Darwin Kernel Version 15.0.0: Fri Sep 25 17:14:21 PDT 2015; root:xnu-3248.10.41~11\/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.1 beta 4
| rowspan="3" | Darwin Kernel Version 15.0.0: Fri Oct 2 14:07:07 PDT 2015; root:xnu-3248.10.42~4\/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.1 beta 5
|
|-
| 9.1
|
|-
| 9.2 beta
| Darwin Kernel Version 15.0.0: Sun Oct 18 23:34:30 PDT 2015; root:xnu-3248.20.33.0.1~7\/RELEASE_ARM64_[[S8000]]X
|
|-
| 9.2 beta 2
| ?
|
|-
| 9.2 beta 3
| Darwin Kernel Version 15.0.0: Fri Nov 6 22:12:13 PST 2015; root:xnu-3248.21.1~2\/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.2 beta 4
| rowspan="2" | Darwin Kernel Version 15.0.0: Fri Nov 13 16:08:07 PST 2015; root:xnu-3248.21.2~1\/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.2
|
|-
| 9.2.1 beta
| rowspan="3" | Darwin Kernel Version 15.0.0: Wed Dec 9 22:19:38 PST 2015; root:xnu-3248.31.3~2\/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.2.1 beta 2
|
|-
| 9.2.1
|
|-
| 9.3 beta
| rowspan="2" | Darwin Kernel Version 15.4.0: Tue Jan 5 21:24:25 PST 2016; root:xnu-3248.40.155.1.1~3\/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.3 beta 1.1
|
|-
| 9.3 beta 2
| Darwin Kernel Version 15.4.0: Tue Jan 19 00:18:39 PST 2016; root:xnu-3248.40.166.0.1~10\/RELEASE_ARM64_[[S8000]]X
|
|-
| 9.3 beta 3
| Darwin Kernel Version 15.4.0: Sun Jan 31 22:48:58 PST 2016; root:xnu-3248.40.173.0.1~13\/RELEASE_ARM64_[[S8000]]X
|
|-
| 9.3 beta 4
| Darwin Kernel Version 15.4.0: Sun Feb 14 23:17:56 PST 2016; root:xnu-3248.41.3~16\/RELEASE_ARM64_[[S8000]]X
|
|-
| 9.3 beta 5
| rowspan="2" | Darwin Kernel Version 15.4.0: Sun Feb 22 01:48:23 PST 2016; root:xnu-3248.41.4~36\/RELEASE_ARM64_[[S8000]]X
|
|-
| 9.3 beta 6
|
|-
| 9.3 beta 7
| rowspan="3" | Darwin Kernel Version 15.4.0: Fri Feb 19 13:54:52 PST 2016; root:xnu-3248.41.4~28\/RELEASE_ARM64_[[S8000]]X
|
|-
| 9.3
|
|-
| 9.3.1
|
|-
| 9.3.2 beta
| Darwin Kernel Version 15.5.0: Thu Mar 31 17:49:02 PDT 2016; root:xnu-3248.50.18~19\/RELEASE_ARM64_[[S8000]]X
|
|-
| 9.3.2 beta 2
| Darwin Kernel Version 15.5.0: Tue Apr 5 15:12:03 PDT 2016; root:xnu-3248.50.20~12\/RELEASE_ARM64_[[S8000]]X
|
|-
| 9.3.2 beta 3
| rowspan="3" | Darwin Kernel Version 15.5.0: Mon Apr 18 16:44:07 PDT 2016; root:xnu-3248.50.21~4\/RELEASE_ARM64_[[S8000]]X
|
|-
| 9.3.2 beta 4
|
|-
| 9.3.2
|
|-
| 9.3.3 beta
| Darwin Kernel Version 15.6.0: Tue May 17 19:53:27 PDT 2016; root:xnu-3248.60.3~3\/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.3.3 beta 2
| Darwin Kernel Version 15.6.0: Tue May 31 19:52:45 PDT 2016; root:xnu-3248.60.4~1\/RELEASE_ARM64_[[S8000]]X
|
|-
| 10.0 beta
| Darwin Kernel Version 16.0.0: Wed May 25 21:19:24 PDT 2016; root:xnu-3705.0.0.2.3~1\/RELEASE_ARM64_[[S8000]]X
|
|-
| 10.0 beta 2
| Darwin Kernel Version 16.0.0: Tue Jun 28 21:38:14 PDT 2016; root:xnu-3757~291\/RELEASE_ARM64_[[S8000]]X
|
|}

=== Version List (tvOS)===
{| class="wikitable"
|-
! Version
! Build
! Comment
|-
| 9.2
| Darwin Kernel Version 15.4.0: Wed Feb 24 12:51:38 PST 2016; root:xnu-3248.41.4~47/RELEASE_ARM64_[[T7000]]
|
|}
== Source Code ==
As XNU is based off of the [[wikipedia:Berkeley Software Distribution|BSD kernel]], it is [http://opensource.apple.com/source/xnu open source]. The source is under a [http://opensource.apple.com/license/bsd/ 3-clause BSD License] for the original BSD portions with the portions added by Apple under the [http://opensource.apple.com/license/apsl/ Apple Public Source License]. The [[#Versions|versions contained in iOS]] are not available, instead only versions used in ''OS X'' are available. This does not appear to be legal as per §2.3 in the APSL:
2.3 Distribution of Executable Versions. In addition, if You Externally Deploy Covered
Code (Original Code and/or Modifications) in object code, executable form only, '''You must'''
'''include a prominent notice''', in the code itself as well as in related documentation, '''stating'''
'''that Source Code of the Covered Code is available''' under the terms of this License '''with'''
'''information on how and where to obtain such Source Code'''.
with ''Source Code'' defined in §1.8:
1.8 "Source Code" means the human readable form of a program or other work that is
suitable for making modifications to it, including all modules it contains, plus any
associated interface definition files, scripts used to control compilation and installation
of an executable (object code).

It is worth noting that Apple does ''not'' list XNU as being an open source component of [[iOS]]. This can be seen by viewing [http://opensource.apple.com/ opensource.apple.com] and selecting ''any'' iOS version. As far as can be told, ''none'' of the versions of XNU are available in source version.

There are many other open souce components that iOS uses that are ''not'' listed, such as:
* [http://opensource.apple.com/source/CF/ CF] ([https://developer.apple.com/library/mac/#documentation/CoreFoundation/Reference/CoreFoundation_Collection/_index.html CoreFoundation] - Cocoa)
* [http://opensource.apple.com/source/SQLite/ SQLite] ([http://www.sqlite.org/ SQLite] - database utility)
* [http://opensource.apple.com/source/TimeZoneData/ TimeZoneData] ([[wikipedia:tz database|tz database]] - [[/usr/share/zoneinfo]])
* [http://opensource.apple.com/source/curl/ curl](?) ([http://curl.haxx.se/ libcurl] - various HTTP operations)
* [http://opensource.apple.com/source/hfs/ hfs] (hfs - [[wikipedia:Hierarchical File System|HFS]] driver)
* [http://opensource.apple.com/source/launchd/ launchd] ([[launchd]] - launch daemon)
* [http://opensource.apple.com/source/libxml2/ libxml2](?) ([http://www.xmlsoft.org/ libxml2] - parser for [[wikipedia:XML|XML]] [[PList File Format|plist]]s)
* [http://opensource.apple.com/source/xnu/ xnu] (XNU - Kernel)
* [http://opensource.apple.com/source/zip/ zip] (zip - extraction of various files)
It does ''not'' appear that Apple assumes what you see in the ''OS X'' pages are also on ''iOS'' as [http://opensource.apple.com/source/JavaScriptCore/ JavaScriptCore], [http://opensource.apple.com/source/WebCore/ WebCore], among others are listed on both [http://opensource.apple.com/release/mac-os-x-108/ OS X] (10.8) and [http://opensource.apple.com/release/ios-60/ iOS] (6.0), albeit different versions.

It is also worth noting that [http://opensource.apple.com/source/gdb/ gdb] ([[wikipedia:GNU Compiler Collection|GCC]] debugger) and [http://opensource.apple.com/source/ld64/ ld64] are listed as components in [http://opensource.apple.com/release/ios-60/ iOS 6.0]. Why there are present is a mystery as they are not present on unaltered devices, but only through [[Cydia.app|Cydia]] or [[Xcode]]'s <code>DeveloperImage.dmg</code>.

== Kernel Extensions ==
iOS, sadly, does ''not'' have [[Kernel Extension|kext]]s floating around the [[/|file system]], but they are indeed present. The [[kernelcache]] can be unpacked to show the kernel proper, along with the kexts (all packed in the __PRELINK_TEXT section) and their [[PList File Format|plist]]s (in the __PRELINK_INFO section).

The kernelcache can also be directly unpacked (if decrypted) using the Jonathan Levin's joker tool from http://NewOSXBook.com/tools/joker.html. With the advent of iOS 10 betas and out-of-box plaintext kernelcaches, this tool can be used after unpacking and applying lzssdec to decompress the kernelcache to its full size.

The Cydia supplied [[kextstat]] does not work on [[iOS]]. Sadly, the reason is that kextstat relies on <code>kmod_get_info(...)</code>, which is a deprecated (and recently removed) API in iOS 4.x and OS X 10.6. With that said, the [[Kernel Extension|kext]]s ''do'' exist. As an alternative, consider using kextstat from the iOS BinUtils package (http://NewOSXBook.com/tool/iOSBinaries.html) or the open source modified version "JKextstat" (http://newosxbook.com/src.jl?tree=listings&file=18-1-JKextstat.c), which can also dump the raw XML data.

For a specific extension, e.g. SandBox, the full information (including the handy load address) is also accessible:

<code>root# ./jkextstat -b sandbox -x</code>:
<plist>
<dict>
<key>CFBundleIdentifier</key>
<string>com.apple.security.sandbox</string>
<key>CFBundleVersion</key>
<string>154.7</string>
<key>OSBundleCPUSubtype</key>
<integer>9</integer>
<key>OSBundleCPUType</key>
<integer>12</integer>
<key>OSBundleDependencies</key>
<array>
<integer>6</integer>
<integer>7</integer>
<integer>5</integer>
<integer>3</integer>
<integer>28</integer>
<integer>1</integer>
<integer>4</integer>
<integer>16</integer>
<integer>2</integer>
</array>
<key>OSBundleExecutablePath</key>
<string>/System/Library/Extensions/Sandbox.kext/Sandbox</string>
<key>OSBundleIsInterface</key>
<false/>
<key>OSBundleLoadAddress</key>
<integer>2153734144</integer>
<key>OSBundleLoadSize</key>
<integer>36864</integer>
<key>OSBundleLoadTag</key>
<integer>29</integer>
<key>OSBundleMachOHeaders</key>
<data>
zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA
AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f
VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf
X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA
AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf
gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA
AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA
AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA
AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA
AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2
TzkVrtqsgOViBQ0=
</data>
<key>OSBundlePath</key>
<string>/System/Library/Extensions/Sandbox.kext</string>
<key>OSBundlePrelinked</key>
<true/>
<key>OSBundleRetainCount</key>
<integer>0</integer>
<key>OSBundleStarted</key>
<true/>
<key>OSBundleUUID</key>
<data>
FqyDtjZPORWu2qyA5WIFDQ==
</data>
<key>OSBundleWiredSize</key>
<integer>36864</integer>
<key>OSKernelResource</key>
<false/>
</dict>
</plist>

It's also worth mentioning that, in the above listing, the OSBundleMachOHeaders (base-64 encoded binary headers) leak kernel addresses in iOS 6.0, defeating [[Kernel ASLR]]. This has been quickly fixed in iOS 6.0.1, effectively locking down iOS for the foreseeable future, thanks to security researcher [[mdowd]].

==[[User:Winocm|Winocm's]] custom kernel==
[[User:Winocm|Winocm]] uses a custom kernel which the version can be found below.
Darwin Kernel Version 13.0.0: Fri Nov 22 18:19:54 CST 2013; root:xnu-2050.48.13~7/DEVELOPMENT_ARM_[[S5L8930]]X

== See Also ==
* [[Kernel Syscalls]]
* [[Kernel Sysctls]]
* [[Kernel Task]]
* [[Kernel Symbols]]
* [[kdebug]]
* [[kernelcache]]
* [[Tutorial:Booting XNU on A4 Devices]]
* [[History:_Kernel_Manipulation| History:Kernel Manipulation]]

== External Links ==
* [http://opensource.apple.com/source/xnu XNU Source] (up to latest **OS X** version)
* [[i0n1c]] on [https://media.blackhat.com/bh-us-11/Esser/BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf exploiting the kernel]
* [[User:Haifisch|Haifisch]] on [http://dylanlaws.com/Kernel101 Decrypting the iOS kernel for disassembly]
* [http://newosxbook.com/src.jl?tree=listings&file=18-1-JKextstat.c jkextstat.c]
* [http://www.amazon.com/gp/product/1118057651 OSX/iOS internals book]

Kernel

2016-05-02T18:40:31Z

Morpheus: /* Kernel Extensions */ who wrote that g++ bullshit?! Anyway, fixed to both my binpack and the open source link.

The '''kernel''' of [[iOS]] is the [[wikipedia:XNU|XNU]] kernel. To learn about what "kernel" means in general, see [https://en.wikipedia.org/wiki/Kernel_(operating_system) the Wikipedia article].

Pre-2.0, it was vulnerable to the [[Ramdisk Hack]] and may still be, but iBoot doesn't allow boot-args to be passed anymore. It is mapped to memory at 0x80000000, forcing a 2/2GB address separation, similar to Windows 32-bit model. On older iOS versions the separation was 3/1 (mapping the kernel at 0xC0000000), closer to the Linux model.

Note, that this is NOT like 32-bit OS X, wherein the kernel resides in its own address space, but more like OS X 64-bit, wherein [[wikipedia:Control_Register#CR3|CR3]] is shared (albeit an address space larger by several orders of magnitude). See the appropriate [[#64-bit|section]].

== [[ASLR]] ==
{{main|Kernel ASLR}}
As of [[iOS]] 6, the kernel is subject to ASLR, much akin to Mountain Lion (OS X 10.8). This makes exploitation harder as the location of kernel code cannot be known.

On production and development devices, the kernel is always stored as a statically linked [[kernelcache|cache]] stored at [[/System/Library/Caches/com.apple.kernelcaches/kernelcache]] that is decompressed and run on startup.

== Stack ==
The kernel maintains thread specific stacks by calling kernel_memory_allocate, this allocates stacks in the specified kalloc zone. The bootstrap thread has its own specific static kernel stack, which is specified by _intstack. IRQ and FIQ handlers will also have their own execution stack which is specified by _irqstack.

== Boot-Args ==
Like its OS X counterpart, iOS's XNU accepts command line arguments (though the actual passing of arguments is done by iBoot, which as of late refuses to do so). Arguments may be directed at the kernel proper, or any one of the many KExts (discussed below). The arguments of the kernel are largely the same as those of OS X.

Kexts use boot-args as well, as can be seen when disassembly by calls to PE_parse_boot_argn (usually exported, _PE_parse_boot_argn 8027A8EC on the iOS 6.1.3 kernel, discovered by [[User:Haifisch|Haifisch]]). Finding references (using IDA) reveals hundreds places in the code wherein arguments are parsed in modules, pertaining to Flash, HDMI, and [[AppleMobileFileIntegrity|AMFI]].

The list of boot-args can be extracted from any kernel dump once the address of _PE_parse_boot_argn is determined (which is usually automatically). A list from iOS 8.4 is shown below:

# perform a full disassembly, isolate decompiled lines (^;) with PE_parse.. and isolate string between quotes, sorted uniquely:
# morpheus@Zephyr (~)$ '''jtool -d __TEXT.__text kernel.8.4.dump | grep PE_parse |grep '^; '| cut -d\" -f2 | cut -d\" -f1 | sort -u'''
-b
-disable_atm
-factory_debug
-l
-multiq-deep-drain
-no-zp
-no64exec
-novfscache
-oldmezname
-panic_on_exception_triage
-progress
-qos-policy-allow
-s
-vm16k
-vnode_cache_defeat
-x
-zc
-zinfop
-zp
aks_default_class
assert
bg_preempt
boot-uuid
colors
cpumon_ustackshots_trigger_pct
darkwake
dart
dcc
debug
diag
disable_exc_resource
fill
hwm_user_cores
ifa_debug
ifnet_debug
imp_interactive_receiver
inaddr_nhash
initmcl
interrupt_accounting
io
io_throttle_period_tier1
io_throttle_period_tier2
io_throttle_period_tier3
io_throttle_window_tier1
io_throttle_window_tier2
io_throttle_window_tier3
iosched
iotrace
jcon
jtag
keepsyms
kernel_stack_pages
kextlog
kmapoff
lcks
lo_txstart
longterm
max_cpumon_interval
max_cpumon_percentage
max_task_pmem
maxmem
maxoffset
mbuf_debug
mbuf_pool
mcache_flags
mleak_sample_factor
mseg
msgbuf
mtxspin
multiq_drain_band_limit
multiq_drain_depth_limit
multiq_drain_urgent_first
nbuf
ncl
net.inet.ip.scopedroute
net.inet6.ip6.scopedroute
net_affinity
net_rtref
net_rxpoll
network-type
panic_on_cs_killed
preempt
qos_override_mode
rd
rootdev
rte_debug
sched
sched_decay_penalty
sched_decay_usage_age_factor
sched_pri_decay_limit
sched_use_combined_fgbg_decay
serial
serverperfmode
slto_us
socket_debug
task_policy_suppression_disable
task_wakeups_monitor_interval
task_wakeups_monitor_rate
task_wakeups_monitor_ustackshots_trigger_pct
tbi
trace
trace_panic
trace_typefilter
trace_wake
unrestrict_coalition_syscalls
vm_compression_limit
vm_compressor
vm_compressor_immediate
vm_compressor_threads
wfi
wqsize
zalloc_debug
zlog
zp-factor
zp-scale
zrecs
zsize

== Versions ==
In the beginning iOS had consistently maintained a fairly higher kernel version than the corresponding version of OS X, but over time iOS and OS X have "moved nearer" together. And now, OS X El Capitan's XNU is 3247.1.106~1 and iOS 9.0 is 3248.1.2~3. This is not surprising, considering that iOS introduced novel features (such as [[Kernel ASLR]], the default freezer, and various security hardening features) which are first incorporated in it, and later made it to OS X. It seems that Apple is gradually uniting the iOS and OS X kernels over time and with iOS 9 and OS X El Capitan the version numbers are nearer to each other then ever before. The following demonstrates the OS versions at present (via terminal '''uname -a''' command):

OS X El Capitan 10.11.4:

Darwin Kernel Version 15.4.0: Fri Feb 26 22:08:05 PST 2016; root:xnu-3248.40.184~3/RELEASE_X86_64

iOS 9.3.1:

Darwin Kernel Version 15.4.0: Fri Feb 19 13:54:52 PST 2016; root:xnu-3248.41.4~28\/RELEASE_ARM64_[[S8000]]X

tvOS 9.2:
Darwin Kernel Version 15.4.0: Wed Feb 24 12:51:38 PST 2016; root:xnu-3248.41.4~47/RELEASE_ARM64_[[T7000]]

Note: The RELEASE_ARM_xxxxxxxx file obviously differs on device / CPU and the time varies by a few minutes per device.

=== Version List (iOS) ===
The compilation date for each version will vary slightly between processors. This is due to the fact that compilations are sequential.
{| class="wikitable"
|-
! Version
! Build
! Comment
|-
| [[Alpine 1A420 (iPhone)|1A420]]
| Darwin Kernel Version 4.4.2-Purple-19: Thu Mar 8 01:43:04 PST 2007; root:xnu-933.0.14~46/RELEASE_ARM_[[S5L8900]]XRB
| from prototype - not sure if version is 100% correct.
|-
| 1.0
| Darwin Kernel Version 9.0.0d1: Tue May 22 21:15:54 PDT 2007; root:xnu-933.0.178/RELEASE_ARM_[[S5L8900]]XRB
| rowspan="3" | Not sure if version is 100% correct.
|-
| 1.0.1
| class="rborderplz" rowspan="2" | Darwin Kernel Version 9.0.0d1: Fri Jun 22 00:38:56 PDT 2007; root:xnu-933.1.178~1/RELEASE_ARM_[[S5L8900]]XRB
|-
| class="rborderplz" | 1.0.2
|-
| 1.1.1
| Darwin Kernel Version 9.0.0d1: Wed Sep 19 00:08:42 PDT 2007; root:xnu-933.0.203~21/RELEASE_ARM_[[S5L8900]]XRB
| First kernel that was [[8900_File_Format#8900|8900]] encrypted - not sure if version is 100% correct.
|-
| 1.1.2
| Darwin Kernel Version 9.0.0d1: Wed Oct 10 00:07:49 PDT 2007; root:xnu-933.0.204~7/RELEASE_ARM_[[S5L8900]]XRB
| Not sure if version is 100% correct.
|-
| 1.1.3
| rowspan="3" | Darwin Kernel Version 9.0.0d1: Wed Dec 12 00:16:00 PST 2007; root:xnu-933.0.211~2/RELEASE_ARM_[[S5L8900]]XRB
|
|-
| 1.1.4
|
|-
| 1.1.5
| iPod touch only
|-
| 2.0
| rowspan="3" | Darwin Kernel Version 9.3.1: Sun Jun 15 21:37:01 PDT 2008; root:xnu-1228.6.76~45/RELEASE_ARM_[[S5L8900]]X
|
|-
| 2.0.1
|
|-
| 2.0.2
|
|-
| 2.1
| rowspan="2" | Darwin Kernel Version 9.4.1: Sun Aug 10 21:25:25 PDT 2008; root:xnu-1228.7.27~12/RELEASE_ARM_[[S5L8720]]X
|
|-
| 2.1.1
|
|-
| 2.2
| Darwin Kernel Version 9.4.1: Sat Nov 1 19:13:13 PDT 2008; root:xnu-1228.7.36~2/RELEASE_ARM_[[S5L8720]]X
|
|-
| 2.2.1
| Darwin Kernel Version 9.4.1: Mon Dec 8 21:02:57 PST 2008; root:xnu-1228.7.37~4/RELEASE_ARM_[[S5L8720]]X
|
|-
| 3.0
| rowspan="2" | Darwin Kernel Version 10.0.0d3: Wed May 13 22:16:49 PDT 2009; root:xnu-1357.2.89~4/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.0.1
|
|-
| 3.1
| Darwin Kernel Version 10.0.0d3: Fri Aug 14 13:23:32 PDT 2009; root:xnu-1357.5.30~2/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.1.2
| Darwin Kernel Version 10.0.0d3: Fri Sep 25 23:35:35 PDT 2009; root:xnu-1357.5.30~3/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.1.3
| Darwin Kernel Version 10.0.0d3: Fri Dec 18 01:34:28 PST 2009; root:xnu-1357.5.30~6/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.2
| Darwin Kernel Version 10.3.1: Mon Mar 15 23:15:33 PDT 2010; root:xnu-1504.2.27~18/RELEASE_ARM_[[S5L8930]]X
| rowspan="3" | iPad Only
|-
| 3.2.1
| class="rborderplz" | Darwin Kernel Version 10.3.1: Fri May 28 16:46:17 PDT 2010; root:xnu-1504.2.50~4/RELEASE_ARM_[[S5L8930]]X
|-
| 3.2.2
| class="rborderplz" | Darwin Kernel Version 10.3.1: Wed Aug 4 19:08:04 PDT 2010; root:xnu-1504.2.60~1/RELEASE_ARM_[[S5L8930]]X
|-
| 4.0
| rowspan="2" | Darwin Kernel Version 10.3.1: Wed May 26 22:28:33 PDT 2010; root:xnu-1504.50.73~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.0.1
|
|-
| 4.0.2
| Darwin Kernel Version 10.3.1: Wed Aug 4 18:46:06 PDT 2010; root:xnu-1504.50.80~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.1
| Darwin Kernel Version 10.3.1: Wed Aug 4 22:35:51 PDT 2010; root:xnu-1504.55.33~10/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.2.1
| Darwin Kernel Version 10.4.0: Wed Oct 20 20:14:45 PDT 2010; root:xnu-1504.58.28~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3
| rowspan="2" | Darwin Kernel Version 11.0.0: Thu Feb 10 21:46:56 PST 2011; root:xnu-1735.46~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.1
|
|-
| 4.3.2
| rowspan="2" | Darwin Kernel Version 11.0.0: Wed Mar 30 18:51:10 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.3
|
|-
| 4.3.4
| rowspan="2" | Darwin Kernel Version 11.0.0: Sat Jul 9 00:59:43 PDT 2011; root:xnu-1735.47~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.5
|
|-
| 5.0b5
| Darwin Kernel Version 11.0.0: Tue Aug 2 22:31:30 PDT 2011; root:xnu-1878.4.80~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.0
| Darwin Kernel Version 11.0.0: Thu Sep 15 23:34:43 PDT 2011; root:xnu-1878.4.43~2/RELEASE_ARM_[[S5L8940]]X
|
|-
| 5.0.1 beta
| Darwin Kernel Version 11.0.0: Wed Oct 19 19:05:07 PDT 2011; root:xnu-1878.4.45~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.0.1 beta 2
| rowspan="2" | Darwin Kernel Version 11.0.0: Tue Nov 1 20:34:16 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_[[S5L8940]]X
|
|-
| 5.0.1
|
|-
| 5.1 beta
| Darwin Kernel Version 11.0.0: Sun Nov 13 19:10:13 PST 2011; root:xnu-1878.10.61~7/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.1 beta 2
| Darwin Kernel Version 11.0.0: Sun Dec 4 18:57:33 PST 2011; root:xnu-1878.10.68~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.1 beta 3
| Darwin Kernel Version 11.0.0: Mon Jan 2 18:46:01 PST 2012; root:xnu-1878.10.74~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.1
| Darwin Kernel Version 11.0.0: Wed Feb 1 23:18:07 PST 2012; root:xnu-1878.11.8~1/RELEASE_ARM_[[S5L8945]]X
|
|-
| 5.1.1
| Darwin Kernel Version 11.0.0: Sun Apr 8 21:51:26 PDT 2012; root:xnu-1878.11.10~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0 beta
| Darwin Kernel Version 13.0.0: Wed May 30 19:23:03 PDT 2012; root:xnu-2107.1.78~18/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0 beta 2
| Darwin Kernel Version 13.0.0: Sun Jun 17 19:47:47 PDT 2012; root:xnu-2107.1.61~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0 beta 3
| Darwin Kernel Version 13.0.0: Sun Jul 8 20:15:17 PDT 2012; root:xnu-2107.2.9~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0 beta 4
| Darwin Kernel Version 13.0.0: Sun Jul 29 20:15:28 PDT 2012; root:xnu-2107.2.26~4/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0
| Darwin Kernel Version 13.0.0: Sun Aug 19 00:31:06 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.0.1
| rowspan="2" | Darwin Kernel Version 13.0.0: Wed Oct 10 23:32:19 PDT 2012; root:xnu-2107.2.34~2/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.0.2
| iPhone 5 only.
|-
| 6.1 beta
| Darwin Kernel Version 13.0.0: Sun Oct 21 19:28:43 PDT 2012; root:xnu-2107.7.51~17/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1 beta 2
| Darwin Kernel Version 13.0.0: Sun Nov 4 19:02:54 PST 2012; root:xnu-2107.7.53~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1 beta 3
| Darwin Kernel Version 13.0.0: Mon Nov 26 21:17:13 PST 2012; root:xnu-2107.7.53~27/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1 beta 4
| Darwin Kernel Version 13.0.0: Sun Dec 9 19:22:45 PST 2012; root:xnu-2107.7.55~6/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1 beta 5
| rowspan="5" | Darwin Kernel Version 13.0.0: Sun Dec 16 20:01:39 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.1
|
|-
| 6.1.1 beta
|
|-
| 6.1.1
| iPhone 4S only
|-
| 6.1.2
|
|-
| 6.1.3 beta 2
| rowspan="5" | Darwin Kernel Version 13.0.0: Wed Feb 13 21:35:42 PST 2013; root:xnu-2107.7.55.2.2~1/RELEASE_ARM_[[S5L8920]]X
|
|-
| 6.1.3
|
|-
| 6.1.4
| iPhone 5 only.
|-
| 6.1.5
| iPod touch 4 only.
|-
| 6.1.6
| iPod touch 4 and iPhone 3GS only.
|-
| 7.0 beta
| Darwin Kernel Version 14.0.0: Wed May 29 23:53:59 PDT 2013; root:xnu-2423.1.1.1.2~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0 beta 2
| Darwin Kernel Version 14.0.0: Mon Jun 17 00:51:51 PDT 2013; root:xnu-2423.1.28~7/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0 beta 3
| Darwin Kernel Version 14.0.0: Mon Jul 1 04:25:28 PDT 2013; root:xnu-2423.1.40~11/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0 beta 4
| Darwin Kernel Version 14.0.0: Mon Jul 22 02:12:11 PDT 2013; root:xnu-2423.1.55~8/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0 beta 5
| rowspan="2" | Darwin Kernel Version 14.0.0: Sun Aug 4 22:40:14 PDT 2013; root:xnu-2423.1.70~6/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0 beta 6
|
|-
| 7.0[[Golden Master|GM]]
| rowspan="2" | Darwin Kernel Version 14.0.0: Tue Aug 13 21:39:05 PDT 2013; root:xnu-2423.1.73~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0
|
|-
| 7.0.1
| rowspan="2" | Darwin Kernel Version 14.0.0: Mon Sep 9 20:56:02 PDT 2013; root:xnu-2423.1.74~2/RELEASE_ARM64_[[S5L8960]]X
| [[iPhone 5c]] and [[iPhone 5s|5s]] only
|-
| 7.0.2
|
|-
| 7.0.3
| rowspan="4" | Darwin Kernel Version 14.0.0: Fri Sep 27 23:08:32 PDT 2013; root:xnu-2423.3.12~1/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 7.0.4
|
|-
| 7.0.5
| iPhone 5c (iPhone5,4) and iPhone 5s (iPhone6,2) only.
|-
| 7.0.6
|
|-
| 7.1 beta
| Darwin Kernel Version 14.0.0: Mon Nov 11 04:18:01 PST 2013; root:xnu-2423.10.33~9/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1 beta 2
| Darwin Kernel Version 14.0.0: Tue Dec 10 21:25:34 PST 2013; root:xnu-2423.10.38.1.1~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1 beta 3
| Darwin Kernel Version 14.0.0: Thu Jan 2 01:55:45 PST 2014; root:xnu-2423.10.45~5/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1 beta 4
| Darwin Kernel Version 14.0.0: Mon Jan 13 03:33:00 PST 2014; root:xnu-2423.10.49.0.1~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1 beta 5
| Darwin Kernel Version 14.0.0: Mon Jan 27 23:55:13 PST 2014; root:xnu-2423.10.58~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1
| Darwin Kernel Version 14.0.0: Fri Feb 21 19:41:10 PST 2014; root:xnu-2423.10.67~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1.1
| Darwin Kernel Version 14.0.0: Fri Mar 28 21:22:10 PDT 2014; root:xnu-2423.10.70~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1.2
| Darwin Kernel Version 14.0.0: Thu May 15 23:17:54 PDT 2014; root:xnu-2423.10.71~1/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.0 beta
| Darwin Kernel Version 14.0.0: Mon May 26 22:09:06 PDT 2014; root:xnu-2729.0.0.0.9~2/RELEASE_ARM_[[S5L8942]]X
|
|-
| 8.0 beta 2
| Darwin Kernel Version 14.0.0: Sat Jun 14 16:36:40 PDT 2014; root:xnu-2775.0.0.1.1~3/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.0 beta 3
| Darwin Kernel Version 14.0.0: Wed Jul 2 18:51:34 PDT 2014; root:xnu-2783.1.21~19/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.0 beta 4
| Darwin Kernel Version 14.0.0: Wed Jul 16 21:55:26 PDT 2014; root:xnu-2783.1.40.0.3~2/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.0 beta 5
| Darwin Kernel Version 14.0.0: Wed Jul 30 23:04:17 PDT 2014; root:xnu-2783.1.62~20/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.0[[Golden Master|GM]]
| rowspan="2" | Darwin Kernel Version 14.0.0: Tue Aug 19 15:09:47 PDT 2014; root:xnu-2783.1.72~8/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.0
|
|-
| 8.0.1
| rowspan="2" | Darwin Kernel Version 14.0.0: Thu Sep 18 21:52:21 PDT 2014; root:xnu-2783.1.72~23/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.0.2
|
|-
| 8.1 beta
| Darwin Kernel Version 14.0.0: Sat Sep 27 18:49:49 PDT 2014; root:xnu-2783.3.12~18/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.1 beta 2
| Darwin Kernel Version 14.0.0: Fri Oct 3 21:52:09 PDT 2014; root:xnu-2783.3.13~2/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.1
| Darwin Kernel Version 14.0.0: Fri Oct 7 00:04:37 PDT 2014; root:xnu-2783.3.13~4/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.1.1 beta
| Darwin Kernel Version 14.0.0: Sun Nov 2 20:21:29 PDT 2014; root:xnu-2783.3.21~1/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.1.1
| rowspan="2" | Darwin Kernel Version 14.0.0: Mon Nov 3 22:54:30 PDT 2014; root:xnu-2783.3.22~1/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.1.2
|
|-
| 8.1.3
| Darwin Kernel Version 14.0.0: Mon Jan 2 21:29:20 PST 2015; root:xnu-2783.3.26~3/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.2 beta 3
| Darwin Kernel Version 14.0.0: Sun Dec 14 20:59:15 PST 2014; root:xnu-2783.5.29.0.1~1/RELEASE_ARM_[[S5L8940]]X
|
|-
| 8.2 beta 4
| Darwin Kernel Version 14.0.0: Tue Jan 6 21:02:10 PST 2015; root:xnu-2783.5.32~9/RELEASE_ARM_[[S5L8940]]X
|
|-
| 8.2 beta 5
| Darwin Kernel Version 14.0.0: Mon Jan 26 22:16:17 PST 2015; root:xnu-2783.5.37~11/RELEASE_ARM_[[S5L8940]]X
|
|-
| 8.2
| Darwin Kernel Version 14.0.0: Mon Feb 9 22:07:57 PST 2015; root:xnu-2783.5.38~5/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.3 beta 3
| Darwin Kernel Version 14.0.0: Mon Mar 4 20:55:58 PST 2015; root:xnu-2784.20.25~26/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.3 beta 4
| Darwin Kernel Version 14.0.0: Thu Mar 19 00:16:36 PST 2015; root:xnu-2784.20.31~1/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.3
| Darwin Kernel Version 14.0.0: Sun Mar 29 19:44:04 PDT 2015; root:xnu-2784.20.34~2/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.4 beta
| Darwin Kernel Version 14.0.0: Wed Apr 8 21:26:37 PDT 2015; root:xnu-2784.30.1~29/RELEASE_ARM64_[[T7000]]X
|
|-
| 8.4 beta 2
| Darwin Kernel Version 14.0.0: Wed Apr 21 21:49:05 PDT 2015; root:xnu-2784.30.2~9/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.4 beta 3
| Darwin Kernel Version 14.0.0: Tue May 5 23:09:22 PDT 2015; root:xnu-2784.30.5~7/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.4 beta 4
| Darwin Kernel Version 14.0.0: Tue Wed 3 23:19:49 PDT 2015; root:xnu-2784.30.7~13/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.4
| Darwin Kernel Version 14.0.0: Wed Jun 24 00:50:15 PDT 2015; root:xnu-2784.30.7~30/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.4.1
| Darwin Kernel Version 14.0.0: Wed Aug 5 19:24:44 PDT 2015; root:xnu-2784.40.6~18/RELEASE_ARM_[[S5L8950]]X
|
|-
| 9.0 beta
| Darwin Kernel Version 15.0.0: Fri May 29 22:14:48 PDT 2015; root:xnu-3216.0.0.1.15~2/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.0 beta 2
| Darwin Kernel Version 15.0.0: Mon Jun 15 21:51:54 PDT 2015; root:xnu-3247.1.6.1.1~2/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.0 beta 4
| Darwin Kernel Version 15.0.0: Sat Jul 11 20:01:45 PDT 2015; root:xnu-3247.1.56~13\/RELEASE_ARM64_[[T7001]]
|
|-
| 9.0 beta 5
| Darwin Kernel Version 15.0.0: Mon Aug 3 19:58:41 PDT 2015; root:xnu-3247.1.88.1.1~1\/RELEASE_ARM64_[[T7001]]
|
|-
| 9.0[[Golden Master|GM]]
| Darwin Kernel Version 15.0.0: Thu Aug 6 22:27:22 PDT 2015; root:xnu-3248.1.2~3\/RELEASE_ARM_[[S5L8940]]X
|
|-
| 9.0
| rowspan="3" | Darwin Kernel Version 15.0.0: Thu Aug 20 13:11:13 PDT 2015; root:xnu-3248.1.3~1\/RELEASE_ARM_[[S5L8950]]X
|
|-
| 9.0.1
|
|-
| 9.0.2
|
|-
| 9.1 beta
| Darwin Kernel Version 15.0.0: Sat Aug 29 17:41:04 PDT 2015; root:xnu-3248.10.27~10\/RELEASE_ARM_[[S5L8940]]X
|
|-
| 9.1 beta 2
| Darwin Kernel Version 15.0.0: Mon Sep 14 01:24:55 PDT 2015; root:xnu-3248.10.38~3\/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.1 beta 3
| Darwin Kernel Version 15.0.0: Fri Sep 25 17:14:21 PDT 2015; root:xnu-3248.10.41~11\/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.1 beta 4
| rowspan="3" | Darwin Kernel Version 15.0.0: Fri Oct 2 14:07:07 PDT 2015; root:xnu-3248.10.42~4\/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.1 beta 5
|
|-
| 9.1
|
|-
| 9.2 beta
| Darwin Kernel Version 15.0.0: Sun Oct 18 23:34:30 PDT 2015; root:xnu-3248.20.33.0.1~7\/RELEASE_ARM64_[[S8000]]X
|
|-
| 9.2 beta 2
| ?
|
|-
| 9.2 beta 3
| Darwin Kernel Version 15.0.0: Fri Nov 6 22:12:13 PST 2015; root:xnu-3248.21.1~2\/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.2 beta 4
| rowspan="2" | Darwin Kernel Version 15.0.0: Fri Nov 13 16:08:07 PST 2015; root:xnu-3248.21.2~1\/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.2
|
|-
| 9.2.1 beta
| rowspan="3" | Darwin Kernel Version 15.0.0: Wed Dec 9 22:19:38 PST 2015; root:xnu-3248.31.3~2\/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.2.1 beta 2
|
|-
| 9.2.1
|
|-
| 9.3 beta
| rowspan="2" | Darwin Kernel Version 15.4.0: Tue Jan 5 21:24:25 PST 2016; root:xnu-3248.40.155.1.1~3\/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.3 beta 1.1
|
|-
| 9.3 beta 2
| Darwin Kernel Version 15.4.0: Tue Jan 19 00:18:39 PST 2016; root:xnu-3248.40.166.0.1~10\/RELEASE_ARM64_[[S8000]]X
|
|-
| 9.3 beta 3
| Darwin Kernel Version 15.4.0: Sun Jan 31 22:48:58 PST 2016; root:xnu-3248.40.173.0.1~13\/RELEASE_ARM64_[[S8000]]X
|
|-
| 9.3 beta 4
| Darwin Kernel Version 15.4.0: Sun Feb 14 23:17:56 PST 2016; root:xnu-3248.41.3~16\/RELEASE_ARM64_[[S8000]]X
|
|-
| 9.3 beta 5
| rowspan="2" | Darwin Kernel Version 15.4.0: Sun Feb 22 01:48:23 PST 2016; root:xnu-3248.41.4~36\/RELEASE_ARM64_[[S8000]]X
|
|-
| 9.3 beta 6
|
|-
| 9.3 beta 7
| rowspan="3" | Darwin Kernel Version 15.4.0: Fri Feb 19 13:54:52 PST 2016; root:xnu-3248.41.4~28\/RELEASE_ARM64_[[S8000]]X
|
|-
| 9.3
|
|-
| 9.3.1
|
|-
| 9.3.2 beta
| Darwin Kernel Version 15.5.0: Thu Mar 31 17:49:02 PDT 2016; root:xnu-3248.50.18~19\/RELEASE_ARM64_[[S8000]]X
|
|-
| 9.3.2 beta 2
| Darwin Kernel Version 15.5.0: Tue Apr 5 15:12:03 PDT 2016; root:xnu-3248.50.20~12\/RELEASE_ARM64_[[S8000]]X
|
|-
| 9.3.2 beta 3
| Darwin Kernel Version 15.5.0: Mon Apr 18 16:44:07 PDT 2016; root:xnu-3248.50.21~4\/RELEASE_ARM64_[[S8000]]X
|
|}

=== Version List (tvOS)===
{| class="wikitable"
|-
! Version
! Build
! Comment
|-
| 9.2
| Darwin Kernel Version 15.4.0: Wed Feb 24 12:51:38 PST 2016; root:xnu-3248.41.4~47/RELEASE_ARM64_[[T7000]]
|
|}
== Source Code ==
As XNU is based off of the [[wikipedia:Berkeley Software Distribution|BSD kernel]], it is [http://opensource.apple.com/source/xnu open source]. The source is under a [http://opensource.apple.com/license/bsd/ 3-clause BSD License] for the original BSD portions with the portions added by Apple under the [http://opensource.apple.com/license/apsl/ Apple Public Source License]. The [[#Versions|versions contained in iOS]] are not available, instead only versions used in ''OS X'' are available. This does not appear to be legal as per §2.3 in the APSL:
2.3 Distribution of Executable Versions. In addition, if You Externally Deploy Covered
Code (Original Code and/or Modifications) in object code, executable form only, '''You must'''
'''include a prominent notice''', in the code itself as well as in related documentation, '''stating'''
'''that Source Code of the Covered Code is available''' under the terms of this License '''with'''
'''information on how and where to obtain such Source Code'''.
with ''Source Code'' defined in §1.8:
1.8 "Source Code" means the human readable form of a program or other work that is
suitable for making modifications to it, including all modules it contains, plus any
associated interface definition files, scripts used to control compilation and installation
of an executable (object code).

It is worth noting that Apple does ''not'' list XNU as being an open source component of [[iOS]]. This can be seen by viewing [http://opensource.apple.com/ opensource.apple.com] and selecting ''any'' iOS version. As far as can be told, ''none'' of the versions of XNU are available in source version.

There are many other open souce components that iOS uses that are ''not'' listed, such as:
* [http://opensource.apple.com/source/CF/ CF] ([https://developer.apple.com/library/mac/#documentation/CoreFoundation/Reference/CoreFoundation_Collection/_index.html CoreFoundation] - Cocoa)
* [http://opensource.apple.com/source/SQLite/ SQLite] ([http://www.sqlite.org/ SQLite] - database utility)
* [http://opensource.apple.com/source/TimeZoneData/ TimeZoneData] ([[wikipedia:tz database|tz database]] - [[/usr/share/zoneinfo]])
* [http://opensource.apple.com/source/curl/ curl](?) ([http://curl.haxx.se/ libcurl] - various HTTP operations)
* [http://opensource.apple.com/source/hfs/ hfs] (hfs - [[wikipedia:Hierarchical File System|HFS]] driver)
* [http://opensource.apple.com/source/launchd/ launchd] ([[launchd]] - launch daemon)
* [http://opensource.apple.com/source/libxml2/ libxml2](?) ([http://www.xmlsoft.org/ libxml2] - parser for [[wikipedia:XML|XML]] [[PList File Format|plist]]s)
* [http://opensource.apple.com/source/xnu/ xnu] (XNU - Kernel)
* [http://opensource.apple.com/source/zip/ zip] (zip - extraction of various files)
It does ''not'' appear that Apple assumes what you see in the ''OS X'' pages are also on ''iOS'' as [http://opensource.apple.com/source/JavaScriptCore/ JavaScriptCore], [http://opensource.apple.com/source/WebCore/ WebCore], among others are listed on both [http://opensource.apple.com/release/mac-os-x-108/ OS X] (10.8) and [http://opensource.apple.com/release/ios-60/ iOS] (6.0), albeit different versions.

It is also worth noting that [http://opensource.apple.com/source/gdb/ gdb] ([[wikipedia:GNU Compiler Collection|GCC]] debugger) and [http://opensource.apple.com/source/ld64/ ld64] are listed as components in [http://opensource.apple.com/release/ios-60/ iOS 6.0]. Why there are present is a mystery as they are not present on unaltered devices, but only through [[Cydia.app|Cydia]] or [[Xcode]]'s <code>DeveloperImage.dmg</code>.

== Kernel Extensions ==
iOS, sadly, does ''not'' have [[Kernel Extension|kext]]s floating around the [[/|file system]], but they are indeed present. The [[kernelcache]] can be unpacked to show the kernel proper, along with the kexts (all packed in the __PRELINK_TEXT section) and their [[PList File Format|plist]]s (in the __PRELINK_INFO section).

The Cydia supplied [[kextstat]] does not work on [[iOS]]. Sadly, the reason is that kextstat relies on <code>kmod_get_info(...)</code>, which is a deprecated (and recently removed) API in iOS 4.x and OS X 10.6. With that said, the [[Kernel Extension|kext]]s ''do'' exist. As an alternative, consider using kextstat from the iOS BinUtils package (http://NewOSXBook.com/tool/iOSBinaries.html) or the open source modified version "JKextstat" (http://newosxbook.com/src.jl?tree=listings&file=18-1-JKextstat.c), which can also dump the raw XML data.

The following is the output from [[kextstat#jkextstat|jkextstat]] on an [[N81AP|iPod touch 4G]] running [[iOS]] 6(?):

Podicum:~ root# ./kextstat
0 __kernel__
1 kpi.bsd
2 kpi.dsep
3 kpi.iokit
4 kpi.libkern
5 kpi.mach
6 kpi.private
7 kpi.unsupported
8 driver.AppleARMPlatform <1 3 4 5 6 7>
9 iokit.IOStorageFamily <1 3 4 5 6 7>
10 driver.DiskImages <1 3 4 5 6 7 9>
11 driver.FairPlayIOKit <1 3 4 5 6 7>
12 driver.IOSlaveProcessor <3 4>
13 driver.IOP_s5l8930x_firmware <3 4 12>
14 iokit.AppleProfileFamily <1 3 4 5 6 7>
15 iokit.IOCryptoAcceleratorFamily <1 3 4 5 7>
16 driver.AppleMobileFileIntegrity <1 2 3 4 5 6 7 15>
17 iokit.IONetworkingFamily <1 3 4 5 6 7>
18 iokit.IOUserEthernet <1 3 4 5 6 16 17>
19 platform.AppleKernelStorage <3 4 7>
20 iokit.IOSurface <1 3 4 5 6 7 8>
21 iokit.IOStreamFamily <3 4 5>
22 iokit.IOAudio2Family <1 3 4 5 21>
23 driver.AppleAC3Passthrough <1 3 4 5 7 8 11 21 22>
24 iokit.EncryptedBlockStorage <1 3 4 5 9 15>
25 iokit.IOFlashStorage <1 3 4 5 7 9 24>
26 driver.AppleEffaceableStorage <1 3 4 5 7 8 25>
27 driver.AppleKeyStore <1 3 4 5 6 7 15 16 26>
28 kext.AppleMatch <1 4>
29 security.sandbox <1 2 3 4 5 6 7 16 28>
30 driver.AppleS5L8930X <1 3 4 5 7 8>
31 iokit.IOHIDFamily <1 3 4 5 6 7 16>
32 driver.AppleM68Buttons <1 3 4 5 7 8 31>
33 iokit.IOUSBDeviceFamily <1 3 4 5>
34 iokit.IOSerialFamily <1 3 4 5 6 7>
35 driver.AppleOnboardSerial <1 3 4 5 7 34>
36 iokit.IOAccessoryManager <3 4 5 7 8 33 34 35>
37 driver.AppleProfileTimestampAction <1 3 4 5 14>
38 driver.AppleProfileThreadInfoAction <1 3 4 6 14>
39 driver.AppleProfileKEventAction <1 3 4 14>
40 driver.AppleProfileRegisterStateAction <1 3 4 14>
41 driver.AppleProfileCallstackAction <1 3 4 5 6 14>
42 driver.AppleProfileReadCounterAction <3 4 6 14>
43 driver.AppleARMPL192VIC <3 4 5 7 8>
44 driver.AppleCDMA <1 3 4 5 7 8 15>
45 driver.IODARTFamily <3 4 5>
46 driver.AppleS5L8930XDART <1 3 4 5 7 8 45>
47 iokit.IOSDIOFamily <1 3 4 5 7>
48 driver.AppleIOPSDIO <1 3 4 5 7 8 12 47>
49 driver.AppleIOPFMI <1 3 4 5 7 8 12 25>
50 driver.AppleSamsungSPI <1 3 4 5 7 8>
51 driver.AppleSamsungSerial <1 3 4 5 7 8 34 35>
52 driver.AppleSamsungPKE <3 4 5 7 8 15>
53 driver.AppleS5L8920X <1 3 4 5 7 8>
54 driver.AppleSamsungI2S <1 3 4 5 7 8>
55 driver.AppleEmbeddedUSB <1 3 4 5 7 8>
56 driver.AppleS5L8930XUSBPhy <1 3 4 5 7 8 55>
57 iokit.IOUSBFamily <1 3 4 5 7>
58 driver.AppleUSBEHCI <1 3 4 5 7 57>
59 driver.AppleUSBComposite <1 3 4 57>
60 driver.AppleEmbeddedUSBHost <1 3 4 5 7 55 57 59>
61 driver.AppleUSBOHCI <1 3 4 5 57>
62 driver.AppleUSBOHCIARM <3 4 5 8 55 57 60 61>
63 driver.AppleUSBHub <1 3 4 5 57>
64 driver.AppleUSBEHCIARM <3 4 5 8 55 57 58 60 63>
65 driver.AppleS5L8930XUSB <1 3 4 5 7 8 55 57 58 60 61 62 64>
66 driver.AppleARM7M <3 4 8 12>
67 driver.EmbeddedIOP <3 4 5 12>
68 driver.AppleVXD375 <1 3 4 5 7 8 11>
69 driver.AppleD1815PMU <1 3 4 5 7 8 31>
70 iokit.AppleARMIISAudio <1 3 4 5 7 22>
71 driver.AppleEmbeddedAudio <1 3 4 5 7 8 22 31 70>
72 driver.AppleCS42L59Audio <3 4 5 8 22 31 70 71>
73 driver.AppleEmbeddedAccelerometer <3 4 5 7 8 31>
74 driver.AppleEmbeddedGyro <1 3 4 5 7 8 31>
75 driver.AppleEmbeddedLightSensor <3 4 5 7 8 31>
76 iokit.IOAcceleratorFamily <1 3 4 5 7 8>
77 IMGSGX535 <1 3 4 5 7 8 76>
78 driver.H2H264VideoEncoderDriver <1 3 4 5 7 8>
79 driver.AppleJPEGDriver <1 3 4 5 7 8>
80 driver.AppleH3CameraInterface <1 3 4 5 7 8>
81 driver.AppleM2ScalerCSCDriver <1 3 4 5 7 8 45>
82 iokit.IOMobileGraphicsFamily <1 3 4 5 7 8>
83 driver.AppleDisplayPipe <1 3 4 5 7 8 82>
84 driver.AppleCLCD <1 3 4 5 7 8 82 83>
85 driver.AppleSamsungMIPIDSI <1 3 4 5 7 8>
86 driver.ApplePinotLCD <1 3 4 5 7 8>
87 driver.AppleSamsungSWI <1 3 4 5 7 8>
88 iokit.IODisplayPortFamily <1 3 4 5 6 7 22>
89 driver.AppleRGBOUT <1 3 4 5 7 8 82 83 88>
90 driver.AppleTVOut <1 3 4 5 7 8>
91 driver.AppleAMC_r2 <1 3 4 5 7 8 11 21 22>
92 driver.AppleSamsungDPTX <3 4 5 7 8 88>
93 driver.AppleSynopsysOTGDevice <1 3 4 5 7 8 33 55>
94 driver.AppleNANDFTL <1 3 4 5 7 9 25>
95 driver.AppleNANDLegacyFTL <1 3 4 5 9 25 94>
96 AppleFSCompression.AppleFSCompressionTypeZlib <1 2 3 4 6>
97 IOTextEncryptionFamily <1 3 4 5 7 11>
98 driver.AppleBSDKextStarter <3 4>
99 nke.ppp <1 3 4 5 6 7>
100 nke.l2tp <1 3 4 5 6 7 99>
101 nke.pptp <1 3 4 5 6 7 99>
102 iokit.IO80211Family <1 3 4 5 6 7 17>
103 driver.AppleBCMWLANCore <1 3 4 5 6 7 8 17 102>
104 driver.AppleBCMWLANBusInterfaceSDIO <1 3 4 5 6 7 8 47 103>
105 driver.AppleDiagnosticDataAccessReadOnly <1 3 4 5 7 8 94>
106 driver.LightweightVolumeManager <1 3 4 5 9 15 24 26>
107 driver.IOFlashNVRAM <1 3 4 5 6 7 25>
108 driver.AppleNANDFirmware <1 3 4 5 25>
109 driver.AppleImage3NORAccess <1 3 4 5 7 8 15 108>
110 driver.AppleBluetooth <1 3 4 5 7 8>
111 driver.AppleMultitouchSPI <1 3 4 5 7 8>
112 driver.AppleUSBMike <1 3 4 5 8 22 33>
113 driver.AppleUSBDeviceMux <1 3 4 5 6 7 33>
114 driver.AppleUSBEthernetDevice <1 3 4 5 6 8 17 33>

For a specific extension, e.g. SandBox, the full information (including the handy load address) is also accessible:

<code>root# ./jkextstat -b sandbox -x</code>:
<plist>
<dict>
<key>CFBundleIdentifier</key>
<string>com.apple.security.sandbox</string>
<key>CFBundleVersion</key>
<string>154.7</string>
<key>OSBundleCPUSubtype</key>
<integer>9</integer>
<key>OSBundleCPUType</key>
<integer>12</integer>
<key>OSBundleDependencies</key>
<array>
<integer>6</integer>
<integer>7</integer>
<integer>5</integer>
<integer>3</integer>
<integer>28</integer>
<integer>1</integer>
<integer>4</integer>
<integer>16</integer>
<integer>2</integer>
</array>
<key>OSBundleExecutablePath</key>
<string>/System/Library/Extensions/Sandbox.kext/Sandbox</string>
<key>OSBundleIsInterface</key>
<false/>
<key>OSBundleLoadAddress</key>
<integer>2153734144</integer>
<key>OSBundleLoadSize</key>
<integer>36864</integer>
<key>OSBundleLoadTag</key>
<integer>29</integer>
<key>OSBundleMachOHeaders</key>
<data>
zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA
AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f
VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf
X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA
AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf
gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA
AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA
AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA
AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA
AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2
TzkVrtqsgOViBQ0=
</data>
<key>OSBundlePath</key>
<string>/System/Library/Extensions/Sandbox.kext</string>
<key>OSBundlePrelinked</key>
<true/>
<key>OSBundleRetainCount</key>
<integer>0</integer>
<key>OSBundleStarted</key>
<true/>
<key>OSBundleUUID</key>
<data>
FqyDtjZPORWu2qyA5WIFDQ==
</data>
<key>OSBundleWiredSize</key>
<integer>36864</integer>
<key>OSKernelResource</key>
<false/>
</dict>
</plist>

It's also worth mentioning that, in the above listing, the OSBundleMachOHeaders (base-64 encoded binary headers) leak kernel addresses in iOS 6.0, defeating [[Kernel ASLR]]. This has been quickly fixed in iOS 6.0.1, effectively locking down iOS for the foreseeable future, thanks to security researcher [[mdowd]].

==[[User:Winocm|Winocm's]] custom kernel==
[[User:Winocm|Winocm]] uses a custom kernel which the version can be found below.
Darwin Kernel Version 13.0.0: Fri Nov 22 18:19:54 CST 2013; root:xnu-2050.48.13~7/DEVELOPMENT_ARM_[[S5L8930]]X

== See Also ==
* [[Kernel Syscalls]]
* [[Kernel Sysctls]]
* [[Kernel Task]]
* [[Kernel Symbols]]
* [[kdebug]]
* [[kernelcache]]
* [[Tutorial:Booting XNU on A4 Devices]]
* [[History:_Kernel_Manipulation| History:Kernel Manipulation]]

== External Links ==
* [http://opensource.apple.com/source/xnu XNU Source] (up to latest **OS X** version)
* [[i0n1c]] on [https://media.blackhat.com/bh-us-11/Esser/BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf exploiting the kernel]
* [[User:Haifisch|Haifisch]] on [http://dylanlaws.com/Kernel101 Decrypting the iOS kernel for disassembly]
* [http://newosxbook.com/src.jl?tree=listings&file=18-1-JKextstat.c jkextstat.c]
* [http://www.amazon.com/gp/product/1118057651 OSX/iOS internals book]

Jailbreak Exploits

2016-04-24T03:00:53Z

Morpheus: /* Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1) */ - * Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) wasn't used here.

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits which are used in order to jailbreak different versions of iOS ==
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch 2G]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch 2G]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch 3G]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch 4G]] and [[K66AP|Apple TV 2G]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch 2G]])

== Programs which are used in order to jailbreak different versions of iOS ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs which are used in order to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailborken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 /1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 /1.1.5) ===

== Programs which are used in order to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[N72AP|iPod touch 2G]] only)

== Programs which are used in order to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs which are used in order to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[N18AP|iPod touch 3G]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

== Programs which are used in order to jailbreak 5.x ==
=== [[unthredera1n]] (5.0 / 5.0.1 / 5.1 / 5.1.1) ===
Except for the [[iPad 3]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

== Programs which are used in order to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs which are used in order to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnarability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1 / 7.1.2) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs which are used in order to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] (8.1.3 / 8.2 / 8.3 / 8.4) and [[PPJailbreak]] ===
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
* Symbolic linking to AFC ({{cve|2015-5746}})
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
* Code signing exploit ({{cve|2015-3802}})
* Code signing exploit ({{cve|2015-3803}})
* Code signing exploit ({{cve|2015-3805}})
* Code signing exploit ({{cve|2015-3806}})
* IOHIDFamily exploit ({{cve|2015-5774}})
* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})

== Programs which are used in order to jailbreak 9.x ==
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2) ===
* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
* Racing KPP for some of the patches.
* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})

TvOS

2016-03-06T08:50:51Z

Morpheus: Corrected: TvOS 9.0 is iOS 9.1, not 9.0. Added notes about my research and possible jailbreak.

{{lowercase}}
'''tvOS''' is the Operating System that is used by the [[J42dAP|Apple TV 4G]]. It's a stripped down version of [[iOS]]. The first version released was stylized and marketed as tvOS 9.0, which was based on iOS 9.1. Since then, TvOS versions trail those of iOS by 0.1 (i.e. TvOS 9.1 is based on iOS 9.2, etc).

== Research ==

As demonstrated in http://NewOSXBook.com/OTA3.html, Apple provides a complete OTA image of TvOS, which enables one to reconstruct the entire system partition along with all binaries, in order to perform static analysis on them.

Additionally, Apple has not actually fixed any bugs from Pangu's iOS 9.0.x Jailbreak in 9.1 but the kernel exploit (CVE-2015-6974), the Pangu9 jailbreak could be used with some modifications (notably, a different kernel bug) in order to achieve a TvOS 9.0 jailbreak. Note that the same could not be said for TvOS 9.1 and later, as iOS 9.2 (from which 9.1 is derived) has patched many vulnerabilities.

An overview analysis of TvOS can be found in http://NewOSXBook.com/articles/TVoS.html.

[[Category:Firmware]]

Kdebug

2015-12-26T13:00:11Z

Morpheus: Added KDV - a utility to dump kdebug messages

{{lowercase}}
'''kdebug''' is a XNU built-in debugging facility, which has been around OS X from its early days, and is present - to varying extents - in iOS. In OS X, sc_usage(1), fs_usage(1) and latency(1) make use of it. The facility can be enabled and controlled via sysctl(2) calls, similar to the following code.

#define KDEBUG_ENABLE_TRACE 0x1
#define KDEBUG_ENABLE_ENTROPY 0x2
#define KDEBUG_ENABLE_CHUD 0x4

// N.B - must SETBUF before facility can be enabled.

int mib[4];
mib[0] = CTL_KERN;
mib[1] = KERN_KDEBUG;
mib[2] = KERN_KDENABLE; /* or a host of other codes from kdebug.h */
mib[3] = /* One of above values, 0 disables */;

if (sysctl(mib, 4, NULL, &needed, NULL, 0) < 0)
{
perror("sysctl, KERN_KDENABLE\n");
}

kdebug's most useful feature is to enable kernel-level tracing, but can also be enabled for entropy collection (i.e. /dev/random like behavior), among other things. The CHUD (Computer Hardware Understanding) interfaces are very powerful, though woefully poorly documented, and private to Apple (and probably deserve a future Wiki entry on their own). They likely exist in iOS4, though a sysctl to enable them in iOS 5 fails.

The user mode header, <sys/kdebug.h> is partial, at best. A complete header can be found in the [http://www.opensource.apple.com/source/xnu/xnu-1699.24.23/bsd/sys/kdebug.h XNU source code].

In OS X, most of the kdebug functionality can be met (and exceeded) by DTrace. This is not an option with iOS, which does not have DTrace. The kdebug facility, however, is supported. iOS 5.01 has been verified to support it to a similar extent as OS X, including clean compilation and execution of sc_usage(1). The same cannot be said for iOS 4, wherein the binaries compile, but do not execute properly.

A utility to display kdebug output for both OS X and iOS can be found at http://NewOSXBook.com/tools/kdv.html

Pangu9

2015-10-17T02:49:17Z

Morpheus: Setting the etymology of the jailbreak :)

{{Infobox software
| name = Pangu9
| title = Pangu9
| screenshot = [[File:Pangu9.png|355px]]
| caption = Pangu9 v1.0.0 on Windows
| author = Pangu Team
| developer = Pangu Team
| released = {{Start date|2015|10|14|df=yes}}
| discontinued =
| latest release version = 1.0.1 (Windows) / {{Start date and age|2015|10|15|df=yes}}
| latest release date =
| latest preview version =
| latest preview date =
| programming language = [[wikipedia:C (programming language)|C]]
| operating system = [[wikipedia:Microsoft Windows|Windows]]
| size =
| platform = [[wikipedia:Microsoft Windows|Windows]]
| language = [[wikipedia:English language|English]]
| status = Active
| genre = Jailbreaking
| license = [[wikipedia:Freeware|Freeware]]
| website = [http://en.pangu.io en.pangu.io] (English)
}}

'''Pangu9''' is an [[untethered jailbreak]] for all devices on iOS 9.0 through 9.0.2, except the [[Apple TV]] and [[Apple Watch]]. It was initially released on 14 October 2015.

== Supported Devices ==
All devices capable of running [[iOS]] 9.0-9.0.2, except the [[Apple TV]] and [[Apple Watch]] family, are supported.

== Download ==
=== Windows ===
{| class="wikitable"
! Version
! SHA-1 Hash
! Download
! Changes
|-
| 1.0.0
| <code>c48e1c1f84c1d5ff6046cc4eb7344335b314ba4b</code>
| [http://dl.pangu.25pp.com/jb/Pangu9_v1.0.0.exe 25PP]
| Pangu jailbreak tool for iOS 9.0-9.0.2
|-
| 1.0.1
| <code>05a0727085de1dd60eb4ec3a7bc343dd317d55d5</code>
| [http://dl.pangu.25pp.com/jb/Pangu9_v1.0.1.exe 25PP]
| Fix a bug that leads to 0A error code. Fix failure of launching on some PC. Improved success rate Ensure the removal of the Pangu app.
|}

== Name ==
"Pangu" is the name of the "[[wikipedia:Pangu|the first living being and the creator of all in some versions of Chinese mythology]]".

The 9.0-9.0.2 untether is nicknamed "Fuxi Qin". This continues the tradition of Chinese mythology from the previous jailbreaks (Pangu Axe, XuanYuan Sword), by referring to the instrument (琴) carried by the legendary emperor Fuxi (伏羲)

[[Category:Jailbreaks]]
[[Category:Jailbreaking]]

NAND

2015-10-15T12:00:58Z

Morpheus: /* Partitions */ Correcting utterly wrong statements about NAND only having two partitions.. It has six! One (FSYS) is visible

[[File:8GBflash.jpg|thumb|right|An 8 GiB Samsung <code>KMCMN0000M-B998</code> NAND chip]]
'''NAND''', so called because of its use of [[wikipedia:NAND gate|NOT AND (NAND) gates]], is a type of [[wikipedia:Flash memory|non-volatile memory chip]] that is used in all [[iDevice]]s. This chip is where all the ''storage'' of the device is located. In the case of [[iOS]], the chips can range anywhere from 4 GiB to 128 GiB.

== Partitions ==
{{see also|/private/etc/fstab}}
Although the NAND houses two visible filesystems, it actually has more partitions, including: NVRM (the NVRam store), SCFG (system configuration), BOOT (iBoot + more) and others. The visible filesystems are in a partition called FSYS, and are further split into two [[/private/etc/fstab|partitions]], a root partition ranging from 256(?) MiB to ~2 GiB, and a user partition occupying the rest, by using the Lightweight Volume Manager (LwVM). It is important to emphasize that these are LOGICAL rather than PHYSICAL partitions. The root partition is mounted to the [[/|root of the filesystem]] (<code>/</code>). The user partition is located after the root partition on the chip and is mounted to [[/private/var]].
=== Size of Partitions ===
The size of the root partition has varied throughout [[iOS]]'s history, while the user partition just fills the rest of the space of the NAND chip. Here is a comparison of the size of the root partition compared to iOS version:
* 256 MiB: ?
* 512 MiB: ? - 4.0
* 1024 MiB: 4.0 - 8.0
* 2048 MiB: 8.0 - present

== Jailbreaking ==
{{main|Jailbreak}}
Jailbreaking, in it's simplest form, involves modifying [[/private/etc/fstab]] before being parsed by the [[kernelcache|kernel]] to mount the [[/|root partition]] as read-write (<code>rw</code>), as opposed to read-only (<code>ro</code>). The only use of a so called "bare-bones" jailbreak is a proof-of-concept. A semi known example (the only publicly disclosed) of a "bare-bones" jailbreak is the [[K66AP|Apple TV 2G]] from [[Mojave 8M89 (AppleTV2,1)|4.0]] (4.1) to [[Jasper 8C150 (AppleTV2,1)|4.1]] (4.2). Not all jailbreak payloads modify [[/private/etc/fstab]], some of them remount the [[/|root partition]] manually.

== Data Layout ==
As NAND chips are not hard drives, their "sector" sizes are different than that of a typical hard drive. In fact, they aren't even called sectors, but instead called a "page".

The difference between a page and a sector is that a ''modern'' hard drive sector contains either 512 or 4096 bytes of data with anywhere from roughly 30 to 250 bytes of [[wikipedia:Error detection and correction|error correction code]] (ECC) data, while a page contains 8192 bytes of data and ''no'' ECC. ECC is most likely not used as flash memory uses transistors, which are more reliable than magnetism to store data. It has, however, been [http://www.micron.com/~/media/Documents/Products/Software%20Article/SWNL_implementing_ecc.pdf proposed to implement ECC in flash memory] as the smaller [[wikipedia:Semiconductor device fabrication|fabrication process]] has shrunk to the width of about [[wikipedia:22 nanometer|150]] helium atoms (<code>.14 nm</code>, or <code>22 nm</code> total).

The next level up from a page is a block which is a collection of 128 pages (1 MiB). A block can be compared to a 4K sector hard drive that emulates 512 byte sectors.

The layout of an 8 GiB chip containing [[iOS]] has been documented by [[CPICH]]. He [https://twitter.com/cpich3g/status/15966288660660224 notes] that an [[iPhone 4]] is documented, but it could easily be adapted to any other device or [[firmware]]. He uploaded the document to [http://freepdfhosting.com/29256fdff9.pdf FreePDFHosting], but it was later removed after 30 days as per their policy. [[User:MuscleNerd|MuscleNerd]] rasterized the document's pages and uploaded the images here:
<gallery>
File:N1.png|Page 1
File:N2.png|Page 2
File:N3.png|Page 3
File:N4.png|Page 4
File:N5.png|Page 5
</gallery>

== See Also ==
* [[/private/etc/fstab]]
* [[Jailbreak]]

== External Links ==
* [http://freepdfhosting.com/29256fdff9.pdf NAND Layout of iPhone 4] (dead link) documented by [[CPICH]]
* [http://esec-lab.sogeti.com/ SOGETI ESEC-Labs] on the [http://esec-lab.sogeti.com/dotclear/public/publications/11-hitbamsterdam-iphonedataprotection.pdf encryption of iOS devices]

Kernel Symbols

2015-10-11T12:14:57Z

Morpheus: OBsolete page, added ref to Joker

iOS's XNU is largely stripped, and contains fewer and fewer symbols with its newer versions. Whereas in pre 3.0 most symbols were visible, nowadays only symbols required for KExt linkage remain so.

This page is started in the hopes of bringing together efforts of the various jailbreakers so as to pool already symbolified sections of the kernel. Because addresses change along with the different builds, please add the symbols under the right kernel version (i.e. release + device). If not 100% sure about a symbol, indicate the level of confidence.

Started with [[N81AP|iPod touch 4G]], because this is the main kernel the author has largely (>80%) symbolicated. Please add your own. Even if your build is different, the address space doesn't change that much. As of iOS 6 ASLR will shift these symbols by a given offset.

The table below is obsolete - The Joker tool from http://NewOSXBook.com/tools/joker.html exists for the sole purpose of auto-symbolicating kernels, and works on all kernels through XNU 32xx, and symbolicates the symbols below, as well as MIG tables and various other important functions.

{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"
|-
!symbol
!5.0.x [[N81AP|iPod touch 4G]]
!5.0.1 [[N94AP|iPhone 4S]]
!5.1 [[N81AP|iPod touch 4G]]
!6.0 beta 1 [[N81AP|iPod touch 4G]]
!6.0 [[N81AP|iPod touch 4G]]
!6.0.1 [[N81AP|iPod touch 4G]]
!Notes
|-
|_exception_triage
|0x80016C34
| ???
| ...
| ...
|0x80018774
|0x80018774
|The Mach exception processing logic.
|-
|sysent
|0x802CCBAC
|0x802CBBAC
|0x802CCBAC
|0x802F00B8
|0x802F00B8
|0x802F00B8
|Through this you can obtain all of XNU's 438 system calls, e.g. _exit @0x8019DE04 on iPod, 0x8019D278 on iPhone 4S, etc.
|-
|syscall_names
|0x802D2C6C
|0x802D1C6C-0x802D2340
|0x802D2C5C-0x802D4338
|0x802A6538-0x802A7540
|0x802E8FB0-0x802E969C
|0x802E8FB0-0x802E969C
|The char[][] containing the textual names of all system calls
|-
|AppleMobileFileIntegrity_Start
|0x805E499C
| ???
|0x805D5B94
| ...
| ...
| ...
|Initialization of AMFI, the kext responsible for [[sandbox]] policies and entitlements
|-
|bsd_init
|0x802B77C0
| ???
|0x802B8A24
| ...
|0x802B85B4
|0x802B9618
|BSD layer initialization logic. Branches out to initialize virtually every BSD subsystem. Same as OS X XNU, with minor exception (e.g. kernel_memorystatus/jetsam, iptap..)
|-
|ExceptionVectorsBase
|0x80078000
|0x80078000
|0x80078000
| ...
| ...
| ...
|Address of CPU exception handlers in kernel space: fleh_reset, fleh_undef, fleh_swi, fleh_prefabt, _fleh_dataabt, _fleh_addrexc and fleh_irq can be obtained from here
|}

Note: For most of the above symbols, a fairly decent source code can be obtained from the public open source XNU available [http://opensource.apple.com here]. Bear in mind that ml_, PE_ and other machine specific functions will naturally be implemented quite differently. (but, it's a start!).

OTA Updates

2015-10-04T20:40:20Z

Morpheus: adding followup article

{{float toc|right}}
'''OTA Updates''' ('''Over-the-Air Updates''', also know as ''wireless updates'') were introduced with iOS 5. This allows a user of a device to go into Settings > General > Software Update and download and install the latest iOS software on-device, without the need for [[iTunes]]. The device contacts [http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml mesu.apple.com] to check for updates. The updates are delivered in plain unencrypted ZIP files.

== OTA Update contents ==
We now know three versions of OTA updates. OTA update bundle contains an Info.plist file and two folders: ''META-INF'' and ''AssetData''. ''META-INF'' has only one file ''com.apple.ZipMetadata.plist'' which describes bundle contents.

''AssetData'' contains three Bill-Of-Materials files (they can be viewed with ''lsbom'' and created with ''mkbom''). ''pre.bom'' states filesystem before update, ''post.bom'' - after and payload.bom describes the patches to be applied during update process. It also contains ''boot'' folder where [[bootchain]]-related files are stored (iBoot, kernelcache, etc.), ''payloadv2'' or ''payload'' (depends on PackageVersion value of ''AssetData/Info.plist'' file) and ''Info.plist'' file which describes the update. ''Info.plist'' file from ''AssetData'' folder contains ''PackageVersion'' field which can be 1.0, 2.0 or 3.0.

=== Format 1.0 ===
These updates do not contain ''payload.bom'' file and are deprecated. These updates do not contain any .bom files.
*'''archive.cpio.gz''' - the actual cpio patch archive (encrypted). Contains a list of BSDIFF40 patches and baseband firmware updates, if available, with the associated flashing tools (bbupdater/imeisv).
*'''Info.plist.signature''' - asymmetric signature of Info.plist validated against /System/Library/Lockdown/iPhoneSoftwareUpdate.pem.
*'''libupdate_brain.dylib''' - stage 2 update process library (encrypted).

=== Format 2.0 ===
All updates with 2.0 package version have ''payload'' folder inside ''AssetData'' instead of ''archive.cpio.gz'' file from 1.0 updates. It contains only two folders: ''added'' folder with unencrypted files which are to be added during update process and ''patches'' folder. ''patches'' folder is used to store BSDIFF40 patches that are applied to files during update process. They can be easily applied manually with [http://www.daemonology.net/bsdiff/ bsdiff] utility. ''patches'' folder file hierarchy is similar to devices [https://theiphonewiki.com/wiki// root file system] (ex. patch for ''/sbin/launchctl'' will be found at ''AssetData/payload/patches/sbin/launchctl''). ''AssetData'' also contains ''payload.bom.signature'' that replaces ''Info.plist.signature''. ''payload.bom.signature'' is used to check ''payload.bom'' which contains CRC32 of all files inside ''AssetData'' folder.

=== Format 3.0 ===
''payloadv2'' folder replaced ''payload'' folder in updates with package version 3.0. It has no ''added'' folder anymore, but instead contains ''links.txt'' file which describes symlinks that should be created during update, removed.txt which is actually a list of files to delete before (!) update, ''prepare_patches'' which might contain patches that are to be applied before update ([https://theiphonewiki.com/Update_Ramdisk update ramdisk] patch), ''payload'' and ''prepare_payload'' files which might store new files (files that did not exist in previous iOS version), but files from ''prepare_payload'' are extracted before files from ''payload'', and ''patches'' folder which has the same file hierarchy as in pre-8.1.2 updates, but contains patches in BXDIFF41 format (they can be extracted with ''bxpatch'' utility from [http://github.com/npupyshev/bxdiff there]). I'll describe almost each file's structure.
*'''links.txt''' is just a list of strings. Strings that begin with '=' are symlink targets and following strings that begin with '+' are places where symlinks should be created.
*'''removed.txt''' contains a list of files that should be removed before update starts.
*'''payload''' and '''prepare_payload''' are files in some proprietary format. More details about them and a tool to extract them can be found here [http://newosxbook.com/articles/OTA.html "Taking apart iOS OTA Updates: Peeking into Over-The-Air Update bundles in iOS"] - by Jonathan Levin. A script built over that tool which will automatically retrieve a binary from a device and patch it with the OTA update can be found in the [http://newosxbook.com/articles/OTA2.html "followup article"].

=== See Also ===
* [[Software Update Service]]

== Issues With [[Jailbreak]]ing ==
*OTA Updates are often known to cause issues when jailbreaking a device. This became evident with [[evasi0n7]], because most devices that were updated OTA, had to be restored with iTunes first, since the jailbreak would often fail if it was not.
*You cannot update OTA, when jailbroken. If you try, it is likely that your device will either be stuck in a boot loop, or certain things will not work correctly. Newer jailbreaks such as [[evasi0n]] and [[evasi0n7]] disable the OTA search daemon, which prevents the device from searching for an update (it will just stay indefinitely at "Checking for Update..."). This can also be done manually on any jailbreak, by deleting or moving ''/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist'' and ''/System/Library/LaunchDaemons/com.apple.softwareupdateservicesd.plist'' from your device. It can also be done with tools such as iCleaner Pro.

== OTA updates list ==
* [[OTA Updates/Apple Watch|Apple Watch]]
* [[OTA Updates/Apple TV|Apple TV]]
* [[OTA Updates/iPad|iPad]]
* [[OTA Updates/iPad mini|iPad mini]]
* [[OTA Updates/iPhone|iPhone]]
* [[OTA Updates/iPod touch|iPod touch]]

[[Category:Firmware]]

TaiG

2015-08-28T23:06:36Z

Morpheus: /* Exploits and analysis */ Added 2nd writeup

{{about|the untethered jailbreaks for iOS 8.0-8.1.2 Windows and 8.1.3-8.4 for Windows and Mac|an alternative for Mac OS X|PPJailbreak}}
{{Infobox software
| name = TaiG
| title = TaiG
| author = TaiG
| developer = TaiG
| released = {{Start date|2014|11|29|df=yes}}
| discontinued =
| latest release version = 1.2.1 (8.0 ‑ 8.1.2)/{{Start date and age|2015|2|12|df=yes}} Windows: 2.4.3 (8.1.3 ‑ 8.4)/{{Start date and age|2015|8|4|df=yes}} Mac: 1.1.0 (8.1.3 ‑ 8.4)/{{Start date and age|2015|8|2|df=yes}}
| latest release date =
| programming language = ?
| operating system = [[wikipedia:Microsoft Windows|Windows]] / [[wikipedia:OS X|OS X]]
| size =
| platform = [[wikipedia:Microsoft Windows|Windows]] / [[wikipedia:OS X|OS X]]
| language = [[wikipedia:Chinese language|Chinese]] / [[wikipedia:English language|English]]
| status = Active
| genre = Jailbreaking
| license = [[wikipedia:Freeware|Freeware]]
| website = [http://www.taig.com/en/ taig.com/en] (English) [http://taig.com taig.com] (Chinese)
}}

'''TaiG''' ('''Taiji''' in Chinese) ([[wikipedia:Help:IPA for English|/taɪ dʒi/]] or /taɪ tʃi/) is an [[untethered jailbreak]] for all devices on iOS 8.0-8.4, except the [[Apple TV]] and [[Apple Watch]]. It was initially released on 29 November, 2014 for 8.0 - 8.1.2 but since updated to support 8.1.3 - 8.4.

== Supported Devices ==
All devices capable of running [[iOS]] 8.0-8.4 (except the [[Apple TV]] family and [[Apple Watch]]) are supported.

=== iOS 8.2 Beta ===

TaiG's website originally claimed as early as [http://web.archive.org/web/20141204221416/http://taig.com/en/ 4 December 2014] that "support of iOS 8.2 has been completed by TaiG, [but] as 8.2 is still at beta stage, we have disabled support for 8.2 in [the] current public release." This claim remained through [http://web.archive.org/web/20141231032106/http://www.taig.com/ 31 December 2014], but was removed sometime before [http://web.archive.org/web/20150104165652/http://taig.com/en/ 4 January 2015].

On 23 February 2015, version 1.3 was released to jailbreak iOS 8.2 beta and beta 2.

== Download ==
=== Windows ===
{| class="wikitable"
! Version
! Language
! Download
! SHA-1
! Changes
|-
| 1.0.0
| rowspan="3" | English
| [http://apt.taig.com/installer/TaiG_1006.zip TaiG]
| <code>2538d85d3b42a2a65ec33aec86245c39047449d3</code>
| First version of TaiG which supports all devices with iOS 8.0 - 8.1.1 except Apple TV's.
|-
| 1.0.1
| [http://apt.taig.com/installer/TaiGJBreak_1010.zip TaiG]
| <code>7346849bb3ff3dd1e21530ae1bb7ee27f02f453a</code>
|
* Improve JB speed
* Improve stability
|-
| 1.0.2
| [http://apt.taig.com/installer/TaiGJBreak_1021.zip TaiG]
| <code>4edab617f9b951419eca4c32ddc6a5f8a2e94226</code>
|
* Able to remove 3K-Assistant via Cydia
|-
| rowspan="2" | 1.1.0
| Chinese
| [http://apt.taig.com/installer/channel/1205/TaiGJBreak_1101.zip TaiG]
| <code>2181179badac74cced2eb9ad5639b0f57be66f95</code>
| rowspan="2" |
* Avoid sandbox generate redundant info.
* Officially built TaiG source(apt.taig.com), users who Jailbroke with TaiG before V1.1.0, can fix this problem by install TaiG 8.0-8.1.1 Untether.
|-
| English
| [http://apt.taig.com/installer/channel/1205/TaiGJBreak_EN_1101.zip TaiG]
| class="rborderplz" | <code>d3b40bbbd6f9cf652ece4476b96dafae858f1bb0</code>
|-
| rowspan="2" | 1.2.0
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_1201.zip TaiG]
| <code>42848662a637234ef14d67448e4cf8e427906b52</code>
| rowspan="2" |
* Add support for iOS 8.1.2
|-
| English
| [http://apt.taig.com/installer/en/TaiGJBreak_EN_1201.zip TaiG]
| class="rborderplz" | <code>5c6e2939359e36622ca2b4ca71d0def628dbbaf3</code>
|-
| 1.2.1
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_1210.zip TaiG]
| <code>95df3a271473b5dbed29c950f5441aecd231b47a</code>
|
* TaiG can support iTunes12.1 now(By download new driver from a post in 3K BBS)
|-
| rowspan="2" | 1.3.0
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_1300.zip TaiG]
| <code>ca9364cd01ed89cd7b287d99bc061eca1b5d3870</code>
| rowspan="2" |
* TaiG can support all device with iOS8.2 Beta1&2 now
|-
| English
| [http://apt.taig.com/installer/en/TaiGJBreak_EN_1300.zip TaiG]
| <code>54687293aa915da0660cd34dfdd538df832d9236</code>
|-
| rowspan="2" | 2.0.0
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_2000.zip TaiG]
| <code>B38B98C99D789CCB664A4EEAFF49976D9D38B260</code>
| rowspan="2" |
* Officially released TaiG Jailbreak Tool V2.0.0, which support all device with iOS8.1.3-8.3.
|-
| English
| [http://apt.taig.com/installer/en/TaiGJBreak_EN_2000.zip TaiG]
| <code>40FB5687A4452F9A556AFEAF6C28D00C7A62A9D4</code>
|-
| rowspan="2" | 2.1.2
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_2120.zip TaiG]
| <code>16F5B1C1775B3A28244CB8EF6D966B7A102F0EF2</code>
| rowspan="2" |
* Fixes problems of getting stuck at 20% and 60%, and adaptate for latest iTunes.
* Compatible with Cydia Substrate(Mobile Substrate).
* Corrects the blank Settings problem while matching Apple Watch with iDevice.
* Fix issues of UIcache.
|-
| English
| [http://apt.taig.com/installer/en/TaiGJBreak_EN_2120.zip TaiG]
| <code>65F55468216B0D584E4B48E1B910E4C87ECF6B00</code>
|-
| rowspan="2" | 2.1.3
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_2130.zip TaiG]
| <code>B2CDDF98017DA7195E85236C5DCE33EFE9A84B74</code>
| rowspan="2" |
* Fix the issue of getting stuck at 20% while jailbreaking.
* Update the latest Cydia 1.1.18 and UIKitTools 1.1.1.0; fix the issue of icon missing after jailbreak.
* Fix long startup time of iPhone 4s after jailbreak.
* Fix the issue that TaiG Jailbreak Tool doesn't work on the virtual machine.
|-
| English
| [http://apt.taig.com/installer/en/TaiGJBreak_EN_2130.zip TaiG]
| <code>60278237BA0435108A98F001FA7315B3EC365F87</code>
|-
| rowspan="2" | 2.2.0
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_2200.zip TaiG]
| <code>FF95A038071FF6BDF241DA5987B0848A0D558511</code>
| rowspan="2" |
* TaiG released the original jailbreak tool V2.2.0. It supports all iDevices running iOS 8.1.3-8.4.
|-
| English
| [http://apt.taig.com/installer/en/TaiGJBreak_EN_2200.zip TaiG]
| <code>6F2FD18267D3F7F68C63E988A91A95066F5E6BB1</code>
|-
| rowspan="2" | 2.2.1
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_2210.zip TaiG]
| <code>53763BE89E12AE03D2B6BC44DE4CDFCAD8DF10A0</code>
| rowspan="2" |
* Fixes setreuid patch to prevent applications from obtaining to root privileges through setreuid.
* Increases stability.
|-
| English
| [http://apt.taig.com/installer/en/TaiGJBreak_EN_2210.zip TaiG]
| <code>2E12A2ACEF206FFC276A4DAE3112197150C4F66C</code>
|-
| rowspan="2" | 2.3.0
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_2300.zip TaiG]
| <code>F5D6D7BDE790828395FD1D994F35EB63EEBF7FD5</code>
| rowspan="2" |
* Integrates Cydia 1.1.19, which is perfectly compatible of iOS 8.3-8.4; removes setreuid patch.
|-
| English
| [http://apt.taig.com/installer/en/TaiGJBreak_EN_2300.zip TaiG]
| <code>0CECE9B60C51AEE1C833703098279121CE23664C</code>
|-
| rowspan="2" | 2.3.1
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_2310.zip TaiG]
| <code>A35F4F73B8194984FB726D155A0AF4FA16FAB5FF</code>
| rowspan="2" |
* Integrate the latest Cydia 1.1.20.
|-
| English
| [http://apt.taig.com/installer/en/TaiGJBreak_EN_2310.zip TaiG]
| <code>A35F4F73B8194984FB726D155A0AF4FA16FAB5FF</code>
|-
| rowspan="2" | 2.4.1
| Chinese
| [http://res.taig.com/installer/TaiGJBreak_2410.zip TaiG]
| <code>BE569D71A0EA413150D7E3064A0F561CD1FBA7E8</code>
| rowspan="2" |
* Fix the issue of getting stuck at 60% based on users' feedback.
* Optimize the process of jailbreak; improve the process's stability.
|-
| English
| [http://res.taig.com/installer/en/TaiGJBreak_EN_2410.zip TaiG]
| <code>A8F3E920A082972A4ABB474FBC868969545FA83F</code>
|-
| rowspan="2" | 2.4.2 Beta
| Chinese
| [http://res.taig.com/installer/TaiGJBreak_2420.zip TaiG]
| <code> 60C9457043DDF0C7EED4E1C041CC52DCA8FA0471</code>
| rowspan="2" |
* Integrate the latest Cydia 1.1.23.
* Fix issues of getting stuck at 30% and 40%.
|-
| English
| [http://res.taig.com/installer/en/TaiGJBreak_EN_2420.zip TaiG]
| <code>FEF99FD48CE2CD0B83533E6275217FAB149BDB68</code>
|-
| rowspan="2" | 2.4.3
| Chinese
| [http://res.taig.com/installer/TaiGJBreak_2430.zip TaiG]
| <code>F585EE445328D15113E0A65D6D006C95FA0E8218</code>
| rowspan="2" |
* Optimize the process of jailbreak.
* Fix issues of getting stuck at 30% and 40%.
|-
| English
| [http://res.taig.com/installer/en/TaiGJBreak_EN_2430.zip TaiG]
| <code>4B3D8F1D3BDC0FB9FF489043C7F662D23A314D78</code>
|}

=== Mac ===
{| class="wikitable"
! Version
! Language
! Download
! SHA-1
! Changes
|-
| 1.0.0
| rowspan="2" | English
| [http://res.taig.com/installer/mac/TaiGjailbreak_V100.dmg TaiG]
| <code>45194B96957EC60F6D62812AC8449C1C52F53BA1</code>
| Officially released TaiG Jailbreak Tool for Mac V1.0.0, which support all device with iOS8.1.3-8.4.
|-
| 1.1.0
| [http://res.taig.com/installer/mac/TaiGjailbreak_V110.dmg TaiG]
| <code>4E4573C71C641BAEBD0AC5AC16038E7F3BBF7DB1</code>
| TaiG for Mac V1.1.0 fixes the blank screen on OS X 10.9.
|}

== Installed Packages ==
* APR (/usr/lib) (1.3.3-2; <code>apr-lib</code>)
* APT 0.7 (apt-key) (0.7.25.3-3; <code>apt7-key</code>)
* APT 0.7 Strict (lib) (0.7.25.3-13; <code>apt7-lib</code>)
* Base Structure (1-4; <code>base</code>)
* Big Boss Icon Set (1.0; <code>org.thebigboss.repo.icons</code>)
* Bourne-Again SHell (4.0.44-15; <code>bash</code>)
* bzip2 (1.0.5-7; <code>bzip2</code>)
* Core Utilities (/bin) (8.12-7p; <code>coreutils-bin</code>)
* Cydia Installer (1.1.19; <code>cydia</code>)
* Cydia Translations (1.1.12; <code>cydia-lproj</code>)
* Darwin Tools (1-4; <code>darwintools</code>)
* Debian Packager (1.14.25-9; <code>dpkg</code>)
* Debian Utilities (3.3.3ubuntu1-1p; <code>debianutils</code>)
* Diff Utilities (2.8.1-6; <code>diffutils</code>)
* Find Utilities (4.2.33-6; <code>findutils</code>)
* GNU Privacy Guard (1.4.8-4; <code>gnupg</code>)
* grep (2.5.4-3; <code>grep</code>)
* gzip (1.6-7; <code>gzip</code>)
* LZMA Utils (4.32.7-4; <code>lzma</code>)
* New Curses (5.7-13; <code>ncurses</code>)
* PAM (Apple) (32.1-3; <code>pam</code>)
* PAM Modules (36.1-4; <code>pam-modules</code>)
* pcre (8.30-5p; <code>pcre</code>)
* Profile Directory (0-2; <code>profile.d</code>)
* readline (6.0-7; <code>readline</code>)
* sed (4.1.5-7; <code>sed</code>)
* shell-cmds (118-6; <code>shell-cmds</code>)
* system-cmds (433.4-12; <code>system-cmds</code>)
* TaiG 8.1.3-8.X Untether (2.3.0;<code>taiguntether83x</code>)
* Tape Archive (1.19-8; <code>tar</code>)
* UIKit Tools (1.1.10; <code>uikittools</code>)

== Exploits and analysis ==
[http://newosxbook.com/articles/TaiG.html "The Annotated (informal) guide to TaiG - Part I"], and [http://newosxbook.com/articles/TaiG2.html "Part II"] by Jonathan Levin (iOS 8.0 - 8.1.2)

[http://newosxbook.com/articles/28DaysLater.html?tiw "28 Days Later - The Annotated (informal) guide to TaiG returns - Part I"], by Jonathan Levin (iOS 8.3 - iOS 8.4)

[http://newosxbook.com/articles/HIDeAndSeek.html?tiw "HIDden Treasures" (TaiG 2 - Part II)], by Jonathan Levin (iOS 8.3 - iOS 8.4)

[[Category:Jailbreaks]]
[[Category:Jailbreaking]]

TaiG

2015-07-24T15:20:50Z

Morpheus: /* Exploits and analysis */ added writeup

{{about|the untethered jailbreak for iOS 8.0-8.1.2 and 8.1.3-8.4 for Windows|the Mac version for 8.0 - 8.1.2|PPJailbreak}}
{{Infobox software
| name = TaiG
| title = TaiG
| author = TaiG
| developer = TaiG
| released = {{Start date|2014|11|29|df=yes}}
| discontinued =
| latest release version = 1.2.1 (8.0 ‑ 8.1.2)/{{Start date and age|2015|2|12|df=yes}} 2.4.3 (8.1.3 ‑ 8.4)/{{Start date and age|2015|7|20|df=yes}}
| latest release date =
| programming language = ?
| operating system = [[wikipedia:Microsoft Windows|Windows]]
| size =
| platform = [[wikipedia:Microsoft Windows|Windows]]
| language = [[wikipedia:Chinese language|Chinese]] / [[wikipedia:English language|English]]
| status = Active
| genre = Jailbreaking
| license = [[wikipedia:Freeware|Freeware]]
| website = [http://www.taig.com/en/ taig.com/en] (English) [http://taig.com taig.com] (Chinese)
}}

'''TaiG''' ('''Taiji''' in Chinese) ([[wikipedia:Help:IPA for English|/taɪ dʒi/]] or /taɪ tʃi/) is an [[untethered jailbreak]] for all devices on iOS 8.0-8.4, except the [[Apple TV]] and [[Apple Watch]]. It was initially released on 29 November, 2014 for 8.0 - 8.1.2 but since updated to support 8.1.3 - 8.4.

== Supported Devices ==
All devices capable of running [[iOS]] 8.0-8.4 (except the [[Apple TV]] family and [[Apple Watch]]) are supported.

=== iOS 8.2 Beta ===

TaiG's website originally claimed as early as [http://web.archive.org/web/20141204221416/http://taig.com/en/ 4 December 2014] that "support of iOS 8.2 has been completed by TaiG, [but] as 8.2 is still at beta stage, we have disabled support for 8.2 in [the] current public release." This claim remained through [http://web.archive.org/web/20141231032106/http://www.taig.com/ 31 December 2014], but was removed sometime before [http://web.archive.org/web/20150104165652/http://taig.com/en/ 4 January 2015].

On 23 February 2015, version 1.3 was released to jailbreak iOS 8.2 beta and beta 2.

== Download ==
{| class="wikitable"
! Version
! Language
! Download
! SHA-1
! Changes
|-
| 1.0.0
| rowspan="3" | English
| [http://apt.taig.com/installer/TaiG_1006.zip TaiG]
| <code>2538d85d3b42a2a65ec33aec86245c39047449d3</code>
| First version of TaiG which supports all devices with iOS 8.0 - 8.1.1 except Apple TV's.
|-
| 1.0.1
| [http://apt.taig.com/installer/TaiGJBreak_1010.zip TaiG]
| <code>7346849bb3ff3dd1e21530ae1bb7ee27f02f453a</code>
|
* Improve JB speed
* Improve stability
|-
| 1.0.2
| [http://apt.taig.com/installer/TaiGJBreak_1021.zip TaiG]
| <code>4edab617f9b951419eca4c32ddc6a5f8a2e94226</code>
|
* Able to remove 3K-Assistant via Cydia
|-
| rowspan="2" | 1.1.0
| Chinese
| [http://apt.taig.com/installer/channel/1205/TaiGJBreak_1101.zip TaiG]
| <code>2181179badac74cced2eb9ad5639b0f57be66f95</code>
| rowspan="2" |
* Avoid sandbox generate redundant info.
* Officially built TaiG source(apt.taig.com), users who Jailbroke with TaiG before V1.1.0, can fix this problem by install TaiG 8.0-8.1.1 Untether.
|-
| English
| [http://apt.taig.com/installer/channel/1205/TaiGJBreak_EN_1101.zip TaiG]
| class="rborderplz" | <code>d3b40bbbd6f9cf652ece4476b96dafae858f1bb0</code>
|-
| rowspan="2" | 1.2.0
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_1201.zip TaiG]
| <code>42848662a637234ef14d67448e4cf8e427906b52</code>
| rowspan="2" |
* Add support for iOS 8.1.2
|-
| English
| [http://apt.taig.com/installer/en/TaiGJBreak_EN_1201.zip TaiG]
| class="rborderplz" | <code>5c6e2939359e36622ca2b4ca71d0def628dbbaf3</code>
|-
| 1.2.1
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_1210.zip TaiG]
| <code>95df3a271473b5dbed29c950f5441aecd231b47a</code>
|
* TaiG can support iTunes12.1 now(By download new driver from a post in 3K BBS)
|-
| rowspan="2" | 1.3.0
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_1300.zip TaiG]
| <code>ca9364cd01ed89cd7b287d99bc061eca1b5d3870</code>
| rowspan="2" |
* TaiG can support all device with iOS8.2 Beta1&2 now
|-
| English
| [http://apt.taig.com/installer/en/TaiGJBreak_EN_1300.zip TaiG]
| <code>54687293aa915da0660cd34dfdd538df832d9236</code>
|-
| rowspan="2" | 2.0.0
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_2000.zip TaiG]
| <code>B38B98C99D789CCB664A4EEAFF49976D9D38B260</code>
| rowspan="2" |
* Officially released TaiG Jailbreak Tool V2.0.0, which support all device with iOS8.1.3-8.3.
|-
| English
| [http://apt.taig.com/installer/en/TaiGJBreak_EN_2000.zip TaiG]
| <code>40FB5687A4452F9A556AFEAF6C28D00C7A62A9D4</code>
|-
| rowspan="2" | 2.1.2
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_2120.zip TaiG]
| <code>16F5B1C1775B3A28244CB8EF6D966B7A102F0EF2</code>
| rowspan="2" |
* Fixes problems of getting stuck at 20% and 60%, and adaptate for latest iTunes.
* Compatible with Cydia Substrate(Mobile Substrate).
* Corrects the blank Settings problem while matching Apple Watch with iDevice.
* Fix issues of UIcache.
|-
| English
| [http://apt.taig.com/installer/en/TaiGJBreak_EN_2120.zip TaiG]
| <code>65F55468216B0D584E4B48E1B910E4C87ECF6B00</code>
|-
| rowspan="2" | 2.1.3
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_2130.zip TaiG]
| <code>B2CDDF98017DA7195E85236C5DCE33EFE9A84B74</code>
| rowspan="2" |
* Fix the issue of getting stuck at 20% while jailbreaking.
* Update the latest Cydia 1.1.18 and UIKitTools 1.1.1.0; fix the issue of icon missing after jailbreak.
* Fix long startup time of iPhone 4s after jailbreak.
* Fix the issue that TaiG Jailbreak Tool doesn't work on the virtual machine.
|-
| English
| [http://apt.taig.com/installer/en/TaiGJBreak_EN_2130.zip TaiG]
| <code>60278237BA0435108A98F001FA7315B3EC365F87</code>
|-
| rowspan="2" | 2.2.0
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_2200.zip TaiG]
| <code>FF95A038071FF6BDF241DA5987B0848A0D558511</code>
| rowspan="2" |
* TaiG released the original jailbreak tool V2.2.0. It supports all iDevices running iOS 8.1.3-8.4.
|-
| English
| [http://apt.taig.com/installer/en/TaiGJBreak_EN_2200.zip TaiG]
| <code>6F2FD18267D3F7F68C63E988A91A95066F5E6BB1</code>
|-
| rowspan="2" | 2.2.1
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_2210.zip TaiG]
| <code>53763BE89E12AE03D2B6BC44DE4CDFCAD8DF10A0</code>
| rowspan="2" |
* Fixes setreuid patch to prevent applications from obtaining to root privileges through setreuid.
* Increases stability.
|-
| English
| [http://apt.taig.com/installer/en/TaiGJBreak_EN_2210.zip TaiG]
| <code>2E12A2ACEF206FFC276A4DAE3112197150C4F66C</code>
|-
| rowspan="2" | 2.3.0
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_2300.zip TaiG]
| <code>F5D6D7BDE790828395FD1D994F35EB63EEBF7FD5</code>
| rowspan="2" |
* Integrates Cydia 1.1.19, which is perfectly compatible of iOS 8.3-8.4; removes setreuid patch.
|-
| English
| [http://apt.taig.com/installer/en/TaiGJBreak_EN_2300.zip TaiG]
| <code>0CECE9B60C51AEE1C833703098279121CE23664C</code>
|-
| rowspan="2" | 2.3.1
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_2310.zip TaiG]
| <code>A35F4F73B8194984FB726D155A0AF4FA16FAB5FF</code>
| rowspan="2" |
* Integrate the latest Cydia 1.1.20.
|-
| English
| [http://apt.taig.com/installer/en/TaiGJBreak_EN_2310.zip TaiG]
| <code>A35F4F73B8194984FB726D155A0AF4FA16FAB5FF</code>
|-
| rowspan="2" | 2.4.1
| Chinese
| [http://res.taig.com/installer/TaiGJBreak_2410.zip TaiG]
| <code>BE569D71A0EA413150D7E3064A0F561CD1FBA7E8</code>
| rowspan="2" |
* Fix the issue of getting stuck at 60% based on users' feedback.
* Optimize the process of jailbreak; improve the process's stability.
|-
| English
| [http://res.taig.com/installer/en/TaiGJBreak_EN_2410.zip TaiG]
| <code>A8F3E920A082972A4ABB474FBC868969545FA83F</code>
|-
| rowspan="2" | 2.4.2 Beta
| Chinese
| [http://res.taig.com/installer/TaiGJBreak_2420.zip TaiG]
| <code> 60C9457043DDF0C7EED4E1C041CC52DCA8FA0471</code>
| rowspan="2" |
* Integrate the latest Cydia 1.1.23.
* Fix issues of getting stuck at 30% and 40%.
|-
| English
| [http://res.taig.com/installer/en/TaiGJBreak_EN_2420.zip TaiG]
| <code>FEF99FD48CE2CD0B83533E6275217FAB149BDB68</code>
|-
| rowspan="2" | 2.4.3
| Chinese
| [http://res.taig.com/installer/TaiGJBreak_2430.zip TaiG]
| <code>F585EE445328D15113E0A65D6D006C95FA0E8218</code>
| rowspan="2" |
* Optimize the process of jailbreak.
* Fix issues of getting stuck at 30% and 40%.
|-
| English
| [http://res.taig.com/installer/en/TaiGJBreak_EN_2430.zip TaiG]
| <code>4B3D8F1D3BDC0FB9FF489043C7F662D23A314D78</code>
|}

== Installed Packages ==
* APR (/usr/lib) (1.3.3-2; <code>apr-lib</code>)
* APT 0.7 (apt-key) (0.7.25.3-3; <code>apt7-key</code>)
* APT 0.7 Strict (lib) (0.7.25.3-13; <code>apt7-lib</code>)
* Base Structure (1-4; <code>base</code>)
* Big Boss Icon Set (1.0; <code>org.thebigboss.repo.icons</code>)
* Bourne-Again SHell (4.0.44-15; <code>bash</code>)
* bzip2 (1.0.5-7; <code>bzip2</code>)
* Core Utilities (/bin) (8.12-7p; <code>coreutils-bin</code>)
* Cydia Installer (1.1.19; <code>cydia</code>)
* Cydia Translations (1.1.12; <code>cydia-lproj</code>)
* Darwin Tools (1-4; <code>darwintools</code>)
* Debian Packager (1.14.25-9; <code>dpkg</code>)
* Debian Utilities (3.3.3ubuntu1-1p; <code>debianutils</code>)
* Diff Utilities (2.8.1-6; <code>diffutils</code>)
* Find Utilities (4.2.33-6; <code>findutils</code>)
* GNU Privacy Guard (1.4.8-4; <code>gnupg</code>)
* grep (2.5.4-3; <code>grep</code>)
* gzip (1.6-7; <code>gzip</code>)
* LZMA Utils (4.32.7-4; <code>lzma</code>)
* New Curses (5.7-13; <code>ncurses</code>)
* PAM (Apple) (32.1-3; <code>pam</code>)
* PAM Modules (36.1-4; <code>pam-modules</code>)
* pcre (8.30-5p; <code>pcre</code>)
* Profile Directory (0-2; <code>profile.d</code>)
* readline (6.0-7; <code>readline</code>)
* sed (4.1.5-7; <code>sed</code>)
* shell-cmds (118-6; <code>shell-cmds</code>)
* system-cmds (433.4-12; <code>system-cmds</code>)
* TaiG 8.1.3-8.X Untether (2.3.0;<code>taiguntether83x</code>)
* Tape Archive (1.19-8; <code>tar</code>)
* UIKit Tools (1.1.10; <code>uikittools</code>)

== Exploits and analysis ==
[http://newosxbook.com/articles/TaiG.html "The Annotated (informal) guide to TaiG - Part I"], and [http://newosxbook.com/articles/TaiG2.html "Part II"] by Jonathan Levin (iOS 8.0 - 8.1.2)

[http://newosxbook.com/articles/28DaysLater.html?tiw "28 Days Later - The Annotated (informal) guide to TaiG returns - Part I"], by Jonathan Levin (iOS 8.3 - iOS 8.4)

[[Category:Jailbreaks]]

Kernel

2015-07-20T19:49:11Z

Morpheus: /* Boot-Args */ updated boot-args list + method of extraction (musclenerd's script was obsolete and didnt work well)

The '''kernel''' of [[iOS]] is the [[wikipedia:XNU|XNU]] kernel. To learn about what "kernel" means in general, see [https://en.wikipedia.org/wiki/Kernel_(operating_system) the Wikipedia article].

Pre-2.0, it was vulnerable to the [[Ramdisk Hack]] and may still be, but iBoot doesn't allow boot-args to be passed anymore. It is mapped to memory at 0x80000000, forcing a 2/2GB address separation, similar to Windows 32-bit model. On older iOS versions the separation was 3/1 (mapping the kernel at 0xC0000000), closer to the Linux model.

Note, that this is NOT like 32-bit OS X, wherein the kernel resides in its own address space, but more like OS X 64-bit, wherein [[wikipedia:Control_Register#CR3|CR3]] is shared (albeit an address space larger by several orders of magnitude). See the appropriate [[#64-bit|section]].

== [[ASLR]] ==
{{main|Kernel ASLR}}
As of [[iOS]] 6, the kernel is subject to ASLR, much akin to Mountain Lion (OS X 10.8). This make exploitation harder as the location of kernel code cannot be known.

On production and development devices, the kernel is always stored as a statically linked [[kernelcache|cache]] stored at [[/System/Library/Caches/com.apple.kernelcaches/kernelcache]] that is decompressed and run on startup.

== Stack ==
The kernel maintains thread specific stacks by calling kernel_memory_allocate, this allocates stacks in the specified kalloc zone. The bootstrap thread has its own specific static kernel stack, which is specified by _intstack. IRQ and FIQ handlers will also have their own execution stack which is specified by _irqstack.

== Boot-Args ==
Like its OS X counterpart, iOS's XNU accepts command line arguments (though the actual passing of arguments is done by iBoot, which as of late refuses to do so). Arguments may be directed at the kernel proper, or any one of the many KExts (discussed below). The arguments of the kernel are largely the same as those of OS X.

Kexts use boot-args as well, as can be seen when disassembly by calls to PE_parse_boot_argn (usually exported, _PE_parse_boot_argn 8027A8EC on the iOS 6.1.3 kernel, discovered by [[User:Haifisch|Haifisch]]). Finding references (using IDA) reveals hundreds places in the code wherein arguments are parsed in modules, pertaining to Flash, HDMI, and [[AppleMobileFileIntegrity|AMFI]].

The list of boot-args can be extracted from any kernel dump once the address of _PE_parse_boot_argn is determined (which is usually automatically). A list from iOS 8.4 is shown below:

# perform a full disassembly, isolate decompiled lines (^;) with PE_parse.. and isolate string between quotes, sorted uniquely:
# morpheus@Zephyr (~)$ '''jtool -d __TEXT.__text kernel.8.4.dump | grep PE_parse |grep '^; '| cut -d\" -f2 | cut -d\" -f1 | sort -u'''
-b
-disable_atm
-factory_debug
-l
-multiq-deep-drain
-no-zp
-no64exec
-novfscache
-oldmezname
-panic_on_exception_triage
-progress
-qos-policy-allow
-s
-vm16k
-vnode_cache_defeat
-x
-zc
-zinfop
-zp
aks_default_class
assert
bg_preempt
boot-uuid
colors
cpumon_ustackshots_trigger_pct
darkwake
dart
dcc
debug
diag
disable_exc_resource
fill
hwm_user_cores
ifa_debug
ifnet_debug
imp_interactive_receiver
inaddr_nhash
initmcl
interrupt_accounting
io
io_throttle_period_tier1
io_throttle_period_tier2
io_throttle_period_tier3
io_throttle_window_tier1
io_throttle_window_tier2
io_throttle_window_tier3
iosched
iotrace
jcon
jtag
keepsyms
kernel_stack_pages
kextlog
kmapoff
lcks
lo_txstart
longterm
max_cpumon_interval
max_cpumon_percentage
max_task_pmem
maxmem
maxoffset
mbuf_debug
mbuf_pool
mcache_flags
mleak_sample_factor
mseg
msgbuf
mtxspin
multiq_drain_band_limit
multiq_drain_depth_limit
multiq_drain_urgent_first
nbuf
ncl
net.inet.ip.scopedroute
net.inet6.ip6.scopedroute
net_affinity
net_rtref
net_rxpoll
network-type
panic_on_cs_killed
preempt
qos_override_mode
rd
rootdev
rte_debug
sched
sched_decay_penalty
sched_decay_usage_age_factor
sched_pri_decay_limit
sched_use_combined_fgbg_decay
serial
serverperfmode
slto_us
socket_debug
task_policy_suppression_disable
task_wakeups_monitor_interval
task_wakeups_monitor_rate
task_wakeups_monitor_ustackshots_trigger_pct
tbi
trace
trace_panic
trace_typefilter
trace_wake
unrestrict_coalition_syscalls
vm_compression_limit
vm_compressor
vm_compressor_immediate
vm_compressor_threads
wfi
wqsize
zalloc_debug
zlog
zp-factor
zp-scale
zrecs
zsize

== Versions ==
In the beginning iOS had consistently maintained a fairly higher kernel version than the corresponding version of OS X, but over time iOS and OS X "moved nearer" together. Now at the time of writing, OS X Yosemite's XNU is 2782, whereas iOS 8.4 is 2784. This is not surprising, considering that iOS introduced novel features (such as [[Kernel ASLR]], the default freezer, and various security hardening features) which are first incorporated in it, and later made it to OS X. It seems that Apple is planning to gradually unite iOS and OS X kernels over time and with iOS 8 and OS X Yosemite the at least the version numbers are nearer to each other then ever before. The following demonstrates the OS versions at present (via terminal '''uname -a''' command):

OS X Yosemite 10.10.4:

Darwin Kernel Version 14.4.0: Thu May 28 11:35:04 PDT 2015; root:xnu-2782.30.5~1/RELEASE_X86_64

iOS 8.4:

Darwin Kernel Version 14.0.0: Wed Jun 24 00:50:15 PDT 2015; root:xnu-2784.30.7~30/RELEASE_ARM64_[[S5L8960]]X

Note: The RELEASE_ARM_xxxxxxxx file obviously differs on device / CPU and the time varies by a few minutes per device.

=== Version List ===
The compilation date for each version will vary slightly between processors. This is due to the fact that compilations are sequential.
{| class="wikitable"
|-
! Version
! Build
! Comment
|-
| [[Alpine 1A420 (iPhone)|1A420]]
| Darwin Kernel Version 4.4.2-Purple-19: Thu Mar 8 01:43:04 PST 2007; root:xnu-933.0.14~46/RELEASE_ARM_[[S5L8900]]XRB
| from prototype - not sure if version is 100% correct.
|-
| 1.0
| Darwin Kernel Version 9.0.0d1: Tue May 22 21:15:54 PDT 2007; root:xnu-933.0.178/RELEASE_ARM_[[S5L8900]]XRB
| rowspan="3" | Not sure if version is 100% correct.
|-
| 1.0.1
| class="rborderplz" rowspan="2" | Darwin Kernel Version 9.0.0d1: Fri Jun 22 00:38:56 PDT 2007; root:xnu-933.1.178~1/RELEASE_ARM_[[S5L8900]]XRB
|-
| class="rborderplz" | 1.0.2
|-
| 1.1.1
| Darwin Kernel Version 9.0.0d1: Wed Sep 19 00:08:42 PDT 2007; root:xnu-933.0.203~21/RELEASE_ARM_[[S5L8900]]XRB
| First kernel that was [[8900_File_Format#8900|8900]] encrypted - not sure if version is 100% correct.
|-
| 1.1.2
| Darwin Kernel Version 9.0.0d1: Wed Oct 10 00:07:49 PDT 2007; root:xnu-933.0.204~7/RELEASE_ARM_[[S5L8900]]XRB
| Not sure if version is 100% correct.
|-
| 1.1.3
| rowspan="3" | Darwin Kernel Version 9.0.0d1: Wed Dec 12 00:16:00 PST 2007; root:xnu-933.0.211~2/RELEASE_ARM_[[S5L8900]]XRB
|
|-
| 1.1.4
|
|-
| 1.1.5
| iPod touch only
|-
| 2.0
| rowspan="3" | Darwin Kernel Version 9.3.1: Sun Jun 15 21:37:01 PDT 2008; root:xnu-1228.6.76~45/RELEASE_ARM_[[S5L8900]]X
|
|-
| 2.0.1
|
|-
| 2.0.2
|
|-
| 2.1
| rowspan="2" | Darwin Kernel Version 9.4.1: Sun Aug 10 21:25:25 PDT 2008; root:xnu-1228.7.27~12/RELEASE_ARM_[[S5L8720]]X
|
|-
| 2.1.1
|
|-
| 2.2
| Darwin Kernel Version 9.4.1: Sat Nov 1 19:13:13 PDT 2008; root:xnu-1228.7.36~2/RELEASE_ARM_[[S5L8720]]X
|
|-
| 2.2.1
| Darwin Kernel Version 9.4.1: Mon Dec 8 21:02:57 PST 2008; root:xnu-1228.7.37~4/RELEASE_ARM_[[S5L8720]]X
|
|-
| 3.0
| rowspan="2" | Darwin Kernel Version 10.0.0d3: Wed May 13 22:16:49 PDT 2009; root:xnu-1357.2.89~4/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.0.1
|
|-
| 3.1
| Darwin Kernel Version 10.0.0d3: Fri Aug 14 13:23:32 PDT 2009; root:xnu-1357.5.30~2/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.1.2
| Darwin Kernel Version 10.0.0d3: Fri Sep 25 23:35:35 PDT 2009; root:xnu-1357.5.30~3/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.1.3
| Darwin Kernel Version 10.0.0d3: Fri Dec 18 01:34:28 PST 2009; root:xnu-1357.5.30~6/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.2
| Darwin Kernel Version 10.3.1: Mon Mar 15 23:15:33 PDT 2010; root:xnu-1504.2.27~18/RELEASE_ARM_[[S5L8930]]X
| rowspan="3" | iPad Only
|-
| 3.2.1
| class="rborderplz" | Darwin Kernel Version 10.3.1: Fri May 28 16:46:17 PDT 2010; root:xnu-1504.2.50~4/RELEASE_ARM_[[S5L8930]]X
|-
| 3.2.2
| class="rborderplz" | Darwin Kernel Version 10.3.1: Wed Aug 4 19:08:04 PDT 2010; root:xnu-1504.2.60~1/RELEASE_ARM_[[S5L8930]]X
|-
| 4.0
| rowspan="2" | Darwin Kernel Version 10.3.1: Wed May 26 22:28:33 PDT 2010; root:xnu-1504.50.73~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.0.1
|
|-
| 4.0.2
| Darwin Kernel Version 10.3.1: Wed Aug 4 18:46:06 PDT 2010; root:xnu-1504.50.80~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.1
| Darwin Kernel Version 10.3.1: Wed Aug 4 22:35:51 PDT 2010; root:xnu-1504.55.33~10/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.2.1
| Darwin Kernel Version 10.4.0: Wed Oct 20 20:14:45 PDT 2010; root:xnu-1504.58.28~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3
| rowspan="2" | Darwin Kernel Version 11.0.0: Thu Feb 10 21:46:56 PST 2011; root:xnu-1735.46~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.1
|
|-
| 4.3.2
| rowspan="2" | Darwin Kernel Version 11.0.0: Wed Mar 30 18:51:10 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.3
|
|-
| 4.3.4
| rowspan="2" | Darwin Kernel Version 11.0.0: Sat Jul 9 00:59:43 PDT 2011; root:xnu-1735.47~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.5
|
|-
| 5.0b5
| Darwin Kernel Version 11.0.0: Tue Aug 2 22:31:30 PDT 2011; root:xnu-1878.4.80~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.0
| Darwin Kernel Version 11.0.0: Thu Sep 15 23:34:43 PDT 2011; root:xnu-1878.4.43~2/RELEASE_ARM_[[S5L8940]]X
|
|-
| 5.0.1b
| Darwin Kernel Version 11.0.0: Wed Oct 19 19:05:07 PDT 2011; root:xnu-1878.4.45~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.0.1b2
| rowspan="2" | Darwin Kernel Version 11.0.0: Tue Nov 1 20:34:16 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_[[S5L8940]]X
|
|-
| 5.0.1
|
|-
| 5.1b
| Darwin Kernel Version 11.0.0: Sun Nov 13 19:10:13 PST 2011; root:xnu-1878.10.61~7/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.1b2
| Darwin Kernel Version 11.0.0: Sun Dec 4 18:57:33 PST 2011; root:xnu-1878.10.68~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.1b3
| Darwin Kernel Version 11.0.0: Mon Jan 2 18:46:01 PST 2012; root:xnu-1878.10.74~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.1
| Darwin Kernel Version 11.0.0: Wed Feb 1 23:18:07 PST 2012; root:xnu-1878.11.8~1/RELEASE_ARM_[[S5L8945]]X
|
|-
| 5.1.1
| Darwin Kernel Version 11.0.0: Sun Apr 8 21:51:26 PDT 2012; root:xnu-1878.11.10~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0b
| Darwin Kernel Version 13.0.0: Wed May 30 19:23:03 PDT 2012; root:xnu-2107.1.78~18/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0b2
| Darwin Kernel Version 13.0.0: Sun Jun 17 19:47:47 PDT 2012; root:xnu-2107.1.61~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0b3
| Darwin Kernel Version 13.0.0: Sun Jul 8 20:15:17 PDT 2012; root:xnu-2107.2.9~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0b4
| Darwin Kernel Version 13.0.0: Sun Jul 29 20:15:28 PDT 2012; root:xnu-2107.2.26~4/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0
| Darwin Kernel Version 13.0.0: Sun Aug 19 00:31:06 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.0.1
| rowspan="2" | Darwin Kernel Version 13.0.0: Wed Oct 10 23:32:19 PDT 2012; root:xnu-2107.2.34~2/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.0.2
| iPhone 5 only.
|-
| 6.1b
| Darwin Kernel Version 13.0.0: Sun Oct 21 19:28:43 PDT 2012; root:xnu-2107.7.51~17/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1b2
| Darwin Kernel Version 13.0.0: Sun Nov 4 19:02:54 PST 2012; root:xnu-2107.7.53~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1b3
| Darwin Kernel Version 13.0.0: Mon Nov 26 21:17:13 PST 2012; root:xnu-2107.7.53~27/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1b4
| Darwin Kernel Version 13.0.0: Sun Dec 9 19:22:45 PST 2012; root:xnu-2107.7.55~6/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1b5
| rowspan="5" | Darwin Kernel Version 13.0.0: Sun Dec 16 20:01:39 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.1
|
|-
| 6.1.1b
|
|-
| 6.1.1
| iPhone 4S only
|-
| 6.1.2
|
|-
| 6.1.3b2
| rowspan="5" | Darwin Kernel Version 13.0.0: Wed Feb 13 21:35:42 PST 2013; root:xnu-2107.7.55.2.2~1/RELEASE_ARM_[[S5L8920]]X
|
|-
| 6.1.3
|
|-
| 6.1.4
| iPhone 5 only.
|-
| 6.1.5
| iPod touch 4 only.
|-
| 6.1.6
| iPod touch 4 and iPhone 3GS only.
|-
| 7.0b
| Darwin Kernel Version 14.0.0: Wed May 29 23:53:59 PDT 2013; root:xnu-2423.1.1.1.2~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0b2
| Darwin Kernel Version 14.0.0: Mon Jun 17 00:51:51 PDT 2013; root:xnu-2423.1.28~7/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0b3
| Darwin Kernel Version 14.0.0: Mon Jul 1 04:25:28 PDT 2013; root:xnu-2423.1.40~11/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0b4
| Darwin Kernel Version 14.0.0: Mon Jul 22 02:12:11 PDT 2013; root:xnu-2423.1.55~8/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0b5
| rowspan="2" | Darwin Kernel Version 14.0.0: Sun Aug 4 22:40:14 PDT 2013; root:xnu-2423.1.70~6/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0b6
|
|-
| 7.0[[Golden Master|GM]]
| rowspan="2" | Darwin Kernel Version 14.0.0: Tue Aug 13 21:39:05 PDT 2013; root:xnu-2423.1.73~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0
|
|-
| 7.0.1
| rowspan="2" | Darwin Kernel Version 14.0.0: Mon Sep 9 20:56:02 PDT 2013; root:xnu-2423.1.74~2/RELEASE_ARM64_[[S5L8960]]X
| [[iPhone 5c]] and [[iPhone 5s|5s]] only
|-
| 7.0.2
|
|-
| 7.0.3
| rowspan="4" | Darwin Kernel Version 14.0.0: Fri Sep 27 23:08:32 PDT 2013; root:xnu-2423.3.12~1/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 7.0.4
|
|-
| 7.0.5
| iPhone 5c (iPhone5,4) and iPhone 5s (iPhone6,2) only.
|-
| 7.0.6
|
|-
| 7.1b
| Darwin Kernel Version 14.0.0: Mon Nov 11 04:18:01 PST 2013; root:xnu-2423.10.33~9/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1b2
| Darwin Kernel Version 14.0.0: Tue Dec 10 21:25:34 PST 2013; root:xnu-2423.10.38.1.1~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1b3
| Darwin Kernel Version 14.0.0: Thu Jan 2 01:55:45 PST 2014; root:xnu-2423.10.45~5/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1b4
| Darwin Kernel Version 14.0.0: Mon Jan 13 03:33:00 PST 2014; root:xnu-2423.10.49.0.1~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1b5
| Darwin Kernel Version 14.0.0: Mon Jan 27 23:55:13 PST 2014; root:xnu-2423.10.58~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1
| Darwin Kernel Version 14.0.0: Fri Feb 21 19:41:10 PST 2014; root:xnu-2423.10.67~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1.1
| Darwin Kernel Version 14.0.0: Fri Mar 28 21:22:10 PDT 2014; root:xnu-2423.10.70~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.1.2
| Darwin Kernel Version 14.0.0: Thu May 15 23:17:54 PDT 2014; root:xnu-2423.10.71~1/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.0b
| Darwin Kernel Version 14.0.0: Mon May 26 22:09:06 PDT 2014; root:xnu-2729.0.0.0.9~2/RELEASE_ARM_[[S5L8942]]X
|
|-
| 8.0b2
| Darwin Kernel Version 14.0.0: Sat Jun 14 16:36:40 PDT 2014; root:xnu-2775.0.0.1.1~3/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.0b3
| Darwin Kernel Version 14.0.0: Wed Jul 2 18:51:34 PDT 2014; root:xnu-2783.1.21~19/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.0b4
| Darwin Kernel Version 14.0.0: Wed Jul 16 21:55:26 PDT 2014; root:xnu-2783.1.40.0.3~2/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.0b5
| Darwin Kernel Version 14.0.0: Wed Jul 30 23:04:17 PDT 2014; root:xnu-2783.1.62~20/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.0[[Golden Master|GM]]
| rowspan="2" | Darwin Kernel Version 14.0.0: Tue Aug 19 15:09:47 PDT 2014; root:xnu-2783.1.72~8/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.0
|
|-
| 8.0.1
| rowspan="2" | Darwin Kernel Version 14.0.0: Thu Sep 18 21:52:21 PDT 2014; root:xnu-2783.1.72~23/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.0.2
|
|-
| 8.1b
| Darwin Kernel Version 14.0.0: Sat Sep 27 18:49:49 PDT 2014; root:xnu-2783.3.12~18/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.1b2
| Darwin Kernel Version 14.0.0: Fri Oct 3 21:52:09 PDT 2014; root:xnu-2783.3.13~2/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.1
| Darwin Kernel Version 14.0.0: Fri Oct 7 00:04:37 PDT 2014; root:xnu-2783.3.13~4/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.1.1b
| Darwin Kernel Version 14.0.0: Sun Nov 2 20:21:29 PDT 2014; root:xnu-2783.3.21~1/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.1.1
| rowspan="2" | Darwin Kernel Version 14.0.0: Mon Nov 3 22:54:30 PDT 2014; root:xnu-2783.3.22~1/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.1.2
|
|-
| 8.1.3
| Darwin Kernel Version 14.0.0: Mon Jan 2 21:29:20 PST 2015; root:xnu-2783.3.26~3/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.2b3
| Darwin Kernel Version 14.0.0: Sun Dec 14 20:59:15 PST 2014; root:xnu-2783.5.29.0.1~1/RELEASE_ARM_[[S5L8940]]X
|
|-
| 8.2b4
| Darwin Kernel Version 14.0.0: Tue Jan 6 21:02:10 PST 2015; root:xnu-2783.5.32~9/RELEASE_ARM_[[S5L8940]]X
|
|-
| 8.2b5
| Darwin Kernel Version 14.0.0: Mon Jan 26 22:16:17 PST 2015; root:xnu-2783.5.37~11/RELEASE_ARM_[[S5L8940]]X
|
|-
| 8.2
| Darwin Kernel Version 14.0.0: Mon Feb 9 22:07:57 PST 2015; root:xnu-2783.5.38~5/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.3b3
| Darwin Kernel Version 14.0.0: Mon Mar 4 20:55:58 PST 2015; root:xnu-2784.20.25~26/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.3b4
| Darwin Kernel Version 14.0.0: Thu Mar 19 00:16:36 PST 2015; root:xnu-2784.20.31~1/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.3
| Darwin Kernel Version 14.0.0: Sun Mar 29 19:44:04 PDT 2015; root:xnu-2784.20.34~2/RELEASE_ARM_[[S5L8950]]X
|
|-
| 8.4b
| Darwin Kernel Version 14.0.0: Wed Apr 8 21:26:37 PDT 2015; root:xnu-2784.30.1~29/RELEASE_ARM64_[[T7000]]X
|
|-
| 8.4b2
| Darwin Kernel Version 14.0.0: Wed Apr 21 21:49:05 PDT 2015; root:xnu-2784.30.2~9/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.4b3
| Darwin Kernel Version 14.0.0: Tue May 5 23:09:22 PDT 2015; root:xnu-2784.30.5~7/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.4b4
| Darwin Kernel Version 14.0.0: Tue Wed 3 23:19:49 PDT 2015; root:xnu-2784.30.7~13/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 8.4
| Darwin Kernel Version 14.0.0: Wed Jun 24 00:50:15 PDT 2015; root:xnu-2784.30.7~30/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.0b
| Darwin Kernel Version 15.0.0: Fri May 29 22:14:48 PDT 2015; root:xnu-3216.0.0.1.15~2/RELEASE_ARM64_[[S5L8960]]X
|
|-
| 9.0b2
| Darwin Kernel Version 15.0.0: Mon Jun 15 21:51:54 PDT 2015; root:xnu-3247.1.6.1.1~2/RELEASE_ARM64_[[S5L8960]]X
|
|}

== Source Code ==
As XNU is based off of the [[wikipedia:Berkeley Software Distribution|BSD kernel]], it is [http://opensource.apple.com/source/xnu open source]. The source is under a [http://opensource.apple.com/license/bsd/ 3-clause BSD License] for the original BSD portions with the portions added by Apple under the [http://opensource.apple.com/license/apsl/ Apple Public Source License]. The [[#Versions|versions contained in iOS]] are not available, instead only versions used in ''OS X'' are available. This does not appear to be legal as per §2.3 in the APSL:
2.3 Distribution of Executable Versions. In addition, if You Externally Deploy Covered
Code (Original Code and/or Modifications) in object code, executable form only, '''You must'''
'''include a prominent notice''', in the code itself as well as in related documentation, '''stating'''
'''that Source Code of the Covered Code is available''' under the terms of this License '''with'''
'''information on how and where to obtain such Source Code'''.
with ''Source Code'' defined in §1.8:
1.8 "Source Code" means the human readable form of a program or other work that is
suitable for making modifications to it, including all modules it contains, plus any
associated interface definition files, scripts used to control compilation and installation
of an executable (object code).

It is worth noting that Apple does ''not'' list XNU as being an open source component of [[iOS]]. This can be seen by viewing [http://opensource.apple.com/ opensource.apple.com] and selecting ''any'' iOS version. As far as can be told, ''none'' of the versions of XNU are available in source version.

There are many other open souce components that iOS uses that are ''not'' listed, such as:
* [http://opensource.apple.com/source/CF/ CF] ([https://developer.apple.com/library/mac/#documentation/CoreFoundation/Reference/CoreFoundation_Collection/_index.html CoreFoundation] - Cocoa)
* [http://opensource.apple.com/source/SQLite/ SQLite] ([http://www.sqlite.org/ SQLite] - database utility)
* [http://opensource.apple.com/source/TimeZoneData/ TimeZoneData] ([[wikipedia:tz database|tz database]] - [[/usr/share/zoneinfo]])
* [http://opensource.apple.com/source/curl/ curl](?) ([http://curl.haxx.se/ libcurl] - various HTTP operations)
* [http://opensource.apple.com/source/hfs/ hfs] (hfs - [[wikipedia:Hierarchical File System|HFS]] driver)
* [http://opensource.apple.com/source/launchd/ launchd] ([[launchd]] - launch daemon)
* [http://opensource.apple.com/source/libxml2/ libxml2](?) ([http://www.xmlsoft.org/ libxml2] - parser for [[wikipedia:XML|XML]] [[PList File Format|plist]]s)
* [http://opensource.apple.com/source/xnu/ xnu] (XNU - Kernel)
* [http://opensource.apple.com/source/zip/ zip] (zip - extraction of various files)
It does ''not'' appear that Apple assumes what you see in the ''OS X'' pages are also on ''iOS'' as [http://opensource.apple.com/source/JavaScriptCore/ JavaScriptCore], [http://opensource.apple.com/source/WebCore/ WebCore], among others are listed on both [http://opensource.apple.com/release/mac-os-x-108/ OS X] (10.8) and [http://opensource.apple.com/release/ios-60/ iOS] (6.0), albeit different versions.

It is also worth noting that [http://opensource.apple.com/source/gdb/ gdb] ([[wikipedia:GNU Compiler Collection|GCC]] debugger) and [http://opensource.apple.com/source/ld64/ ld64] are listed as components in [http://opensource.apple.com/release/ios-60/ iOS 6.0]. Why there are present is a mystery as they are not present on unaltered devices, but only through [[Cydia.app|Cydia]] or [[Xcode]]'s <code>DeveloperImage.dmg</code>.

== Kernel Extensions ==
iOS, sadly, does ''not'' have [[Kernel Extension|kext]]s floating around the [[/|file system]], but they are indeed present. The [[kernelcache]] can be unpacked to show the kernel proper, along with the kexts (all packed in the __PRELINK_TEXT section) and their [[PList File Format|plist]]s (in the __PRELINK_INFO section).

The Cydia supplied [[kextstat]] does not work on [[iOS]]. Sadly, the reason is that kextstat relies on <code>kmod_get_info(...)</code>, which is a deprecated (and recently removed) API in recent iOS and OS X versions. With that said, the [[Kernel Extension|kext]]s ''do'' exist. The alternative, [[kextstat#jkextstat|jkextstat]], ''does'' work on recent iOS versions. jkextstat can cause some confusion as it uses the executable name <code>kextstat</code>, similar to how calling <code>g++</code> just launches <code>gcc</code> but with parameters to treat all <code>.c</code> files as C++ files.

The following is the output from [[kextstat#jkextstat|jkextstat]] on an [[n81ap|iPod touch 4G]] running [[iOS]] 6(?):

Podicum:~ root# ./kextstat
0 __kernel__
1 kpi.bsd
2 kpi.dsep
3 kpi.iokit
4 kpi.libkern
5 kpi.mach
6 kpi.private
7 kpi.unsupported
8 driver.AppleARMPlatform <1 3 4 5 6 7>
9 iokit.IOStorageFamily <1 3 4 5 6 7>
10 driver.DiskImages <1 3 4 5 6 7 9>
11 driver.FairPlayIOKit <1 3 4 5 6 7>
12 driver.IOSlaveProcessor <3 4>
13 driver.IOP_s5l8930x_firmware <3 4 12>
14 iokit.AppleProfileFamily <1 3 4 5 6 7>
15 iokit.IOCryptoAcceleratorFamily <1 3 4 5 7>
16 driver.AppleMobileFileIntegrity <1 2 3 4 5 6 7 15>
17 iokit.IONetworkingFamily <1 3 4 5 6 7>
18 iokit.IOUserEthernet <1 3 4 5 6 16 17>
19 platform.AppleKernelStorage <3 4 7>
20 iokit.IOSurface <1 3 4 5 6 7 8>
21 iokit.IOStreamFamily <3 4 5>
22 iokit.IOAudio2Family <1 3 4 5 21>
23 driver.AppleAC3Passthrough <1 3 4 5 7 8 11 21 22>
24 iokit.EncryptedBlockStorage <1 3 4 5 9 15>
25 iokit.IOFlashStorage <1 3 4 5 7 9 24>
26 driver.AppleEffaceableStorage <1 3 4 5 7 8 25>
27 driver.AppleKeyStore <1 3 4 5 6 7 15 16 26>
28 kext.AppleMatch <1 4>
29 security.sandbox <1 2 3 4 5 6 7 16 28>
30 driver.AppleS5L8930X <1 3 4 5 7 8>
31 iokit.IOHIDFamily <1 3 4 5 6 7 16>
32 driver.AppleM68Buttons <1 3 4 5 7 8 31>
33 iokit.IOUSBDeviceFamily <1 3 4 5>
34 iokit.IOSerialFamily <1 3 4 5 6 7>
35 driver.AppleOnboardSerial <1 3 4 5 7 34>
36 iokit.IOAccessoryManager <3 4 5 7 8 33 34 35>
37 driver.AppleProfileTimestampAction <1 3 4 5 14>
38 driver.AppleProfileThreadInfoAction <1 3 4 6 14>
39 driver.AppleProfileKEventAction <1 3 4 14>
40 driver.AppleProfileRegisterStateAction <1 3 4 14>
41 driver.AppleProfileCallstackAction <1 3 4 5 6 14>
42 driver.AppleProfileReadCounterAction <3 4 6 14>
43 driver.AppleARMPL192VIC <3 4 5 7 8>
44 driver.AppleCDMA <1 3 4 5 7 8 15>
45 driver.IODARTFamily <3 4 5>
46 driver.AppleS5L8930XDART <1 3 4 5 7 8 45>
47 iokit.IOSDIOFamily <1 3 4 5 7>
48 driver.AppleIOPSDIO <1 3 4 5 7 8 12 47>
49 driver.AppleIOPFMI <1 3 4 5 7 8 12 25>
50 driver.AppleSamsungSPI <1 3 4 5 7 8>
51 driver.AppleSamsungSerial <1 3 4 5 7 8 34 35>
52 driver.AppleSamsungPKE <3 4 5 7 8 15>
53 driver.AppleS5L8920X <1 3 4 5 7 8>
54 driver.AppleSamsungI2S <1 3 4 5 7 8>
55 driver.AppleEmbeddedUSB <1 3 4 5 7 8>
56 driver.AppleS5L8930XUSBPhy <1 3 4 5 7 8 55>
57 iokit.IOUSBFamily <1 3 4 5 7>
58 driver.AppleUSBEHCI <1 3 4 5 7 57>
59 driver.AppleUSBComposite <1 3 4 57>
60 driver.AppleEmbeddedUSBHost <1 3 4 5 7 55 57 59>
61 driver.AppleUSBOHCI <1 3 4 5 57>
62 driver.AppleUSBOHCIARM <3 4 5 8 55 57 60 61>
63 driver.AppleUSBHub <1 3 4 5 57>
64 driver.AppleUSBEHCIARM <3 4 5 8 55 57 58 60 63>
65 driver.AppleS5L8930XUSB <1 3 4 5 7 8 55 57 58 60 61 62 64>
66 driver.AppleARM7M <3 4 8 12>
67 driver.EmbeddedIOP <3 4 5 12>
68 driver.AppleVXD375 <1 3 4 5 7 8 11>
69 driver.AppleD1815PMU <1 3 4 5 7 8 31>
70 iokit.AppleARMIISAudio <1 3 4 5 7 22>
71 driver.AppleEmbeddedAudio <1 3 4 5 7 8 22 31 70>
72 driver.AppleCS42L59Audio <3 4 5 8 22 31 70 71>
73 driver.AppleEmbeddedAccelerometer <3 4 5 7 8 31>
74 driver.AppleEmbeddedGyro <1 3 4 5 7 8 31>
75 driver.AppleEmbeddedLightSensor <3 4 5 7 8 31>
76 iokit.IOAcceleratorFamily <1 3 4 5 7 8>
77 IMGSGX535 <1 3 4 5 7 8 76>
78 driver.H2H264VideoEncoderDriver <1 3 4 5 7 8>
79 driver.AppleJPEGDriver <1 3 4 5 7 8>
80 driver.AppleH3CameraInterface <1 3 4 5 7 8>
81 driver.AppleM2ScalerCSCDriver <1 3 4 5 7 8 45>
82 iokit.IOMobileGraphicsFamily <1 3 4 5 7 8>
83 driver.AppleDisplayPipe <1 3 4 5 7 8 82>
84 driver.AppleCLCD <1 3 4 5 7 8 82 83>
85 driver.AppleSamsungMIPIDSI <1 3 4 5 7 8>
86 driver.ApplePinotLCD <1 3 4 5 7 8>
87 driver.AppleSamsungSWI <1 3 4 5 7 8>
88 iokit.IODisplayPortFamily <1 3 4 5 6 7 22>
89 driver.AppleRGBOUT <1 3 4 5 7 8 82 83 88>
90 driver.AppleTVOut <1 3 4 5 7 8>
91 driver.AppleAMC_r2 <1 3 4 5 7 8 11 21 22>
92 driver.AppleSamsungDPTX <3 4 5 7 8 88>
93 driver.AppleSynopsysOTGDevice <1 3 4 5 7 8 33 55>
94 driver.AppleNANDFTL <1 3 4 5 7 9 25>
95 driver.AppleNANDLegacyFTL <1 3 4 5 9 25 94>
96 AppleFSCompression.AppleFSCompressionTypeZlib <1 2 3 4 6>
97 IOTextEncryptionFamily <1 3 4 5 7 11>
98 driver.AppleBSDKextStarter <3 4>
99 nke.ppp <1 3 4 5 6 7>
100 nke.l2tp <1 3 4 5 6 7 99>
101 nke.pptp <1 3 4 5 6 7 99>
102 iokit.IO80211Family <1 3 4 5 6 7 17>
103 driver.AppleBCMWLANCore <1 3 4 5 6 7 8 17 102>
104 driver.AppleBCMWLANBusInterfaceSDIO <1 3 4 5 6 7 8 47 103>
105 driver.AppleDiagnosticDataAccessReadOnly <1 3 4 5 7 8 94>
106 driver.LightweightVolumeManager <1 3 4 5 9 15 24 26>
107 driver.IOFlashNVRAM <1 3 4 5 6 7 25>
108 driver.AppleNANDFirmware <1 3 4 5 25>
109 driver.AppleImage3NORAccess <1 3 4 5 7 8 15 108>
110 driver.AppleBluetooth <1 3 4 5 7 8>
111 driver.AppleMultitouchSPI <1 3 4 5 7 8>
112 driver.AppleUSBMike <1 3 4 5 8 22 33>
113 driver.AppleUSBDeviceMux <1 3 4 5 6 7 33>
114 driver.AppleUSBEthernetDevice <1 3 4 5 6 8 17 33>

For a specific extension, e.g. SandBox, the full information (including the handy load address) is also accessible:

<code>root# ./jkextstat -b sandbox -x</code>:
<plist>
<dict>
<key>CFBundleIdentifier</key>
<string>com.apple.security.sandbox</string>
<key>CFBundleVersion</key>
<string>154.7</string>
<key>OSBundleCPUSubtype</key>
<integer>9</integer>
<key>OSBundleCPUType</key>
<integer>12</integer>
<key>OSBundleDependencies</key>
<array>
<integer>6</integer>
<integer>7</integer>
<integer>5</integer>
<integer>3</integer>
<integer>28</integer>
<integer>1</integer>
<integer>4</integer>
<integer>16</integer>
<integer>2</integer>
</array>
<key>OSBundleExecutablePath</key>
<string>/System/Library/Extensions/Sandbox.kext/Sandbox</string>
<key>OSBundleIsInterface</key>
<false/>
<key>OSBundleLoadAddress</key>
<integer>2153734144</integer>
<key>OSBundleLoadSize</key>
<integer>36864</integer>
<key>OSBundleLoadTag</key>
<integer>29</integer>
<key>OSBundleMachOHeaders</key>
<data>
zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA
AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f
VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf
X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA
AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf
gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA
AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA
AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA
AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA
AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2
TzkVrtqsgOViBQ0=
</data>
<key>OSBundlePath</key>
<string>/System/Library/Extensions/Sandbox.kext</string>
<key>OSBundlePrelinked</key>
<true/>
<key>OSBundleRetainCount</key>
<integer>0</integer>
<key>OSBundleStarted</key>
<true/>
<key>OSBundleUUID</key>
<data>
FqyDtjZPORWu2qyA5WIFDQ==
</data>
<key>OSBundleWiredSize</key>
<integer>36864</integer>
<key>OSKernelResource</key>
<false/>
</dict>
</plist>

It's also worth mentioning that, in the above listing, the OSBundleMachOHeaders (base-64 encoded binary headers) leak kernel addresses in iOS 6.0, defeating [[Kernel ASLR]]. This has been quickly fixed in iOS 6.0.1, effectively locking down iOS for the foreseeable future, thanks to security researcher [[mdowd]].

==[[User:Winocm|Winocm's]] custom kernel==
[[User:Winocm|Winocm]] uses a custom kernel which the version can be found below.
Darwin Kernel Version 13.0.0: Fri Nov 22 18:19:54 CST 2013; root:xnu-2050.48.13~7/DEVELOPMENT_ARM_[[S5L8930]]X

== See Also ==
* [[Kernel Syscalls]]
* [[Kernel Sysctls]]
* [[Kernel Task]]
* [[Kernel Symbols]]
* [[kdebug]]
* [[kernelcache]]
* [[Tutorial:Booting XNU on A4 Devices]]

== External Links ==
* [http://opensource.apple.com/source/xnu XNU Source] (up to latest **OS X** version)
* [[i0n1c]] on [https://media.blackhat.com/bh-us-11/Esser/BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf exploiting the kernel]
* [[User:Haifisch|Haifisch]] on [http://dylanlaws.com/Kernel101 Decrypting the iOS kernel for disassembly]
* [http://newosxbook.com/src.jl?tree=listings&file=18-1-JKextstat.c jkextstat.c]
* [http://www.amazon.com/gp/product/1118057651 OSX/iOS internals book]

NonUI builds

2015-06-06T12:55:06Z

Morpheus: Some more features

{{see also|Beta Firmware}}

This (will be) a documented list of known '''factory firmwares''', used by Apple workers in California to do engineering tests on prototype devices and also by factory workers on production ones during manufacturing. Factory firmwares are based on production iOS ones, but adapted for internal engineering tests, development and debugging. Unlike production iOS firmwares, factory ones have the following differences :
* Contain DEVELOPMENT Fused bootloaders in \Firmware\dfu\ and \Firmware\all_flash\all_flash.[board codename].factoryfa\.
* Contain DEVELOPMENT Fused kernel cache with more symbols, and with individual kexts in /System/Library/Extensions
* Contain Skankwerk (gear) logo image file in \Firmware\all_flash\all_flash.[board codename].factoryfa\.
* Have the /AppleInternal folder, which the hierarchy inside get priority over hierarchy in /.
* Launch SwitchBoard instead of SpringBoard as User Interface.
* /usr and subfolders contain many UNIX command line utilities.
* SSH daemon is pre-installed - as dropbear
* Boot loader passes arguments to kernel (unlike RELEASE boot loaders as of iOS 5.0) which makes it easy to disable AMFI
* It has some Private Frameworks in /System/Library/PrivateFrameworks for internal GUI apps and command line utilities.
* No SpringBoard, requires the use of daemons to launch [[SwitchBoard.app]] as a multi-app launcher instead.
* Most internal applications require the use of SkankKit to produce special layers such as text on the framebuffer.
{| class="wikitable"
|-
! Version
! Build
! Codename
! Baseband
! SHA1 Hash
! Comments
! File Size
! Device
|-
| rowspan="2" | 1.0
| [[Alpine 1A420|1A420]]
| rowspan="2" | Alpine
| [[03.06.01_G]][http://web.archive.org/web/20110730023951/http://imageshack.us/photo/my-images/399/iphone2go0.jpg/]
| <code>6e798e906c6590a7521ef89b731569be6d05b3aa</code>
| Originally available [http://forums.macrumors.com/showpost.php?p=7249071&postcount=85 here], but was soon taken down.
| 109,813,128
| rowspan="2" | [[m68ap|iPhone]]
|-
| [[Alpine 4A57|4A57]]
| rowspan="9"|?
| rowspan="9"|?
| rowspan="9"| Runs [[SwitchBoard.app|SwitchBoard]], a simple launcher for other utilities.
| rowspan="9" class="rborderplz"|?
|-
| 3.1b
| [[Sierra 7C108b|7C108b]]
| Sierra
| [[n88ap|iPhone 3GS]]
|-
| Inf1
| [[Inferno 8A2062a|8A2062a]]
| Inferno
| [[n90ap|iPhone 4]]
|-
| rowspan="3"|?
| [[Inferno 7C144|7C144]]
| Inferno
| rowspan="2" | [[n18ap|iPod 3G]]
|-
| [[Inferno 7C1023e|7C1023e]]
| class="rborderplz" | Inferno
|-
| [[Inferno 8A2062a |8A2062a]]
| Inferno
| [[n90ap|iPhone 4]]
|-
| 6.0
| [[Inferno 10A23110z|10A23110z]]
| Inferno
| [[n41ap|iPhone 5]]
|-
| 7.0.3
| [[Inferno 11B64940j|11B64940j]]
| Inferno
| [[j86ap|iPad mini 2]]
|-
| 8.0
| [[Inferno 12A9331h|12A9331h]]
| Inferno
| [[n61ap|iPhone 6]]
|-

Talk:DeviceTree

2015-05-12T18:54:29Z

Morpheus:

== Is the parser broken? ==

Yesterday, I compiled this, an ran it on both an encrypted and decrypted version of the DeviceTree IMG3 for the iPod 4th Gen. For both files, it said that that file wasn't a valid IMG3 file. Does this only work for older devices, or does it need to be modified to work? --[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 12:07, 11 May 2015 (UTC)
: Just tested it, looks like it works fine. xpwntool may be stripping your IMG3 header though, check with a hex editor. Is this tool linked on the img3 page as well? --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 01:18, 12 May 2015 (UTC)
:: I believe I got a faulty IPSW, iTunes won't accept it. And no, it isn't on the [[IMG3 File Format|IMG3]] page. Should I put it there? --[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 02:01, 12 May 2015 (UTC)
::: Seems like a more proper place to put it, since it is a img3/img4 utility and not just for the DeviceTree format. --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 02:32, 12 May 2015 (UTC)
:::: Does anyone else agree/disagree? --[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 12:05, 12 May 2015 (UTC)
::::: As the guy who wrote said parser I can say : A) it's generic for all IMG3, but dumps the device tree in more detail than others. B) It requires the IMG3 header, too. C) It's easier to ask me directly through the book's web site - - I don't always check RecentChanges in the Wiki.. [[User:Morpheus|Morpheus]] 14:54, 12 May 2015 (EDT)

Jailbreak Exploits

2015-04-15T21:08:02Z

Morpheus: minor corrections

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits which are used in order to jailbreak different versions of iOS ==
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[n72ap|iPod touch 2G]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[n88ap|iPhone 3GS]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]] and [[k66ap|Apple TV 2G]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])

== Programs which are used in order to jailbreak different versions of iOS ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs which are used in order to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailborken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 /1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 /1.1.5) ===

== Programs which are used in order to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[n72ap|iPod touch 2G]] only)

== Programs which are used in order to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs which are used in order to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[n18ap|iPod touch 3G]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

== Programs which are used in order to jailbreak 5.x ==
=== [[unthredera1n]] (5.0 / 5.0.1 / 5.1 / 5.1.1) ===
Except for the [[iPad 3]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Absinthe]] (5.0 on [[n94ap|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

== Programs which are used in order to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs which are used in order to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnarability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1 / 7.1.2) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* [[i0n1c]]'s Infoleak vulnerability (Pangu v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
* LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0) ({{cve|2014-4388}})
* TempSensor kernel exploit (Pangu 1.1.0) ({{cve|2014-4388}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack
* IOKit crafted call maker utility ({{cve|2014-4407}})

== Programs which are used in order to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* the same/a similar kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/libxpcd.cache
* A new overlapping segment attack [in a modified version] ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - (not an exploit, a feature) - required to allow loading of xpcd/libmis from filesystem, because they are both in shared cache
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit - to defeat KASLR
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

Jailbreak Exploits

2015-04-15T21:07:07Z

Morpheus: Quit attributing every single kernel bug to 10n1c. Just because he whines doesn't mean he owns them all. 4491 was known before him

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits which are used in order to jailbreak different versions of iOS ==
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[n72ap|iPod touch 2G]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[n88ap|iPhone 3GS]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]] and [[k66ap|Apple TV 2G]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])

== Programs which are used in order to jailbreak different versions of iOS ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs which are used in order to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailborken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 /1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 /1.1.5) ===

== Programs which are used in order to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[n72ap|iPod touch 2G]] only)

== Programs which are used in order to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs which are used in order to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[n18ap|iPod touch 3G]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

== Programs which are used in order to jailbreak 5.x ==
=== [[unthredera1n]] (5.0 / 5.0.1 / 5.1 / 5.1.1) ===
Except for the [[iPad 3]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Absinthe]] (5.0 on [[n94ap|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

== Programs which are used in order to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs which are used in order to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnarability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1 / 7.1.2) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* [[i0n1c]]'s Infoleak vulnerability (Pangu v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
* LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0) ({{cve|2014-4388}})
* TempSensor kernel exploit (Pangu 1.1.0) ({{cve|2014-4388}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack
* IOKit crafted call maker utility ({{cve|2014-4407}})

== Programs which are used in order to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* the same/a similar kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}})
* IOHID memory overwrite
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/libxpcd.cache
* A new overlapping segment attack [in a modified version] ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - (not an exploit, a feature) - required to allow loading of xpcd/libmis from filesystem, because they are both in shared cache
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* MachOBundleHeaders - to leak kernel addresses (slid)
* mach_port_kobject exploit - to defeat KASLR
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

Apple Watch (1st generation)

2015-03-30T20:00:04Z

Morpheus: OS

[[File:Watch.jpg|right|thumb|Apple Watch]]

== Summary ==
This is the Apple Watch introduced by Tim Cook at Apple's 'Wish we could say more.' event on the 9th September 2014.

== Application Processor ==
This device uses the new Apple S1 processor, The processor is an ARMv7k architecture (32-bit). Internally, the watch is referred to as n27.

== Specifications ==
* RAM: [http://appleinsider.com/articles/14/09/22/rumor-apple-watch-to-feature-512mb-of-ram-4gb-of-storage 512MB]
* [http://www.chipworks.com/en/technical-competitive-analysis/resources/blog/broadcom-wins-wifi-in-apple-watch/ BCM4334 Wi-Fi chip from Broadcom]
* NAND size: 4GB/8GB. It's also possible, that more will be available.
* Display: Retina.
* Screen: Sapphire crystal (Apple Watch/Apple Watch Edition)/Strengthened Ion-X glass (Apple Watch Sport)
* Compatibility: iOS 8.2 running on: iPhone 5, iPhone 5C, iPhone 5S, iPhone 6, iPhone 6 Plus

== Operating System ==

The watch runs a slimmed down version of iOS 8.x. The user interface is managed by "Carousel" (instead of Springboard). Most frameworks are replaced with "Nano" equivalents.

== Versions ==
* Apple Watch
* Apple Watch Sport
* Apple Watch Edition (the body is made from gold)

== Third-party applications ==
Apple confirmed, that Watch will support third-party applications. The device will have an API called WatchKit.

[[File:Watch_apps.jpg|right|thumb|Some Watch icons]]
[[File:PairWatch.jpg|right|thumb]]

Currently announced third-party apps:
*Facebook
*Twitter (A07)
*City Mapper (E10)
*BMW
*HoneyWell (B07)
*Lutron (C07)
*Nike+
*American Airlines (B06)
*Starwood Hotels (C02)
*Major League Baseball (C10)
*PInterest (D07)
*Yahoo (D06)
*Comedy Central (A04)

== Links ==
*http://www.apple.com/watch/

Apple Watch (1st generation)

2015-03-30T19:58:22Z

Morpheus: /* Application Processor */

[[File:Watch.jpg|right|thumb|Apple Watch]]

== Summary ==
This is the Apple Watch introduced by Tim Cook at Apple's 'Wish we could say more.' event on the 9th September 2014.

== Application Processor ==
This device uses the new Apple S1 processor, The processor is an ARMv7k architecture (32-bit). Internally, the watch is referred to as n27.

== Specifications ==
* RAM: [http://appleinsider.com/articles/14/09/22/rumor-apple-watch-to-feature-512mb-of-ram-4gb-of-storage 512MB]
* [http://www.chipworks.com/en/technical-competitive-analysis/resources/blog/broadcom-wins-wifi-in-apple-watch/ BCM4334 Wi-Fi chip from Broadcom]
* NAND size: 4GB/8GB. It's also possible, that more will be available.
* Display: Retina.
* Screen: Sapphire crystal (Apple Watch/Apple Watch Edition)/Strengthened Ion-X glass (Apple Watch Sport)
* Compatibility: iOS 8.2 running on: iPhone 5, iPhone 5C, iPhone 5S, iPhone 6, iPhone 6 Plus

== Versions ==
* Apple Watch
* Apple Watch Sport
* Apple Watch Edition (the body is made from gold)

== Third-party applications ==
Apple confirmed, that Watch will support third-party applications. The device will have an API called WatchKit.

[[File:Watch_apps.jpg|right|thumb|Some Watch icons]]
[[File:PairWatch.jpg|right|thumb]]

Currently announced third-party apps:
*Facebook
*Twitter (A07)
*City Mapper (E10)
*BMW
*HoneyWell (B07)
*Lutron (C07)
*Nike+
*American Airlines (B06)
*Starwood Hotels (C02)
*Major League Baseball (C10)
*PInterest (D07)
*Yahoo (D06)
*Comedy Central (A04)

== Links ==
*http://www.apple.com/watch/

Apple Watch (1st generation)

2015-03-30T19:57:31Z

Morpheus: /* Application Processor */

[[File:Watch.jpg|right|thumb|Apple Watch]]

== Summary ==
This is the Apple Watch introduced by Tim Cook at Apple's 'Wish we could say more.' event on the 9th September 2014.

== Application Processor ==
This device uses the new Apple S1 processor, The processor is an ARMv7k architecture (32-bit). Internally, the phone is referred to as n27.

== Specifications ==
* RAM: [http://appleinsider.com/articles/14/09/22/rumor-apple-watch-to-feature-512mb-of-ram-4gb-of-storage 512MB]
* [http://www.chipworks.com/en/technical-competitive-analysis/resources/blog/broadcom-wins-wifi-in-apple-watch/ BCM4334 Wi-Fi chip from Broadcom]
* NAND size: 4GB/8GB. It's also possible, that more will be available.
* Display: Retina.
* Screen: Sapphire crystal (Apple Watch/Apple Watch Edition)/Strengthened Ion-X glass (Apple Watch Sport)
* Compatibility: iOS 8.2 running on: iPhone 5, iPhone 5C, iPhone 5S, iPhone 6, iPhone 6 Plus

== Versions ==
* Apple Watch
* Apple Watch Sport
* Apple Watch Edition (the body is made from gold)

== Third-party applications ==
Apple confirmed, that Watch will support third-party applications. The device will have an API called WatchKit.

[[File:Watch_apps.jpg|right|thumb|Some Watch icons]]
[[File:PairWatch.jpg|right|thumb]]

Currently announced third-party apps:
*Facebook
*Twitter (A07)
*City Mapper (E10)
*BMW
*HoneyWell (B07)
*Lutron (C07)
*Nike+
*American Airlines (B06)
*Starwood Hotels (C02)
*Major League Baseball (C10)
*PInterest (D07)
*Yahoo (D06)
*Comedy Central (A04)

== Links ==
*http://www.apple.com/watch/

Touch ID

2015-03-28T23:40:06Z

Morpheus: Correction: As of iOS 8, the dylib has been removed from the iOS SDK, and has been replaced by a stub (containing symbols, but no code). The dylib can still be obtained easily from the dyld_shared_cache on the device. Code is ARM64, but can be disassembl

The [[iPhone 5s]] and newer, [[iPad Air 2]] and newer, and [[iPad mini 3]] and newer comes equipped with '''Touch ID''', a fingerprint scanner. Currently, there is no official developer API for it, because it is intended for unlocking the device and purchasing items on [[iTunes Store]] only. According to [http://m.imore.com/apple-took-touch-id-security-one-step-further-secure-enclave-heres-how-and-what-it-means this article] the sensor is bound to each device uniquely. This means that Touch ID sensors seem to be tied to specific devices somehow similar to HDMI protected media path.

However there is a private API for it; its dylib file is in [[Xcode]] 5 in the path
<pre>Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.0.sdk/System/Library/PrivateFrameworks/BiometricKit.framework/BiometricKit</pre>

As of iOS 8, the dylib has been removed from the iOS SDK, and has been replaced by a stub (containing symbols, but no code). The dylib can still be obtained easily from the dyld_shared_cache on the device. Code is ARM64, but can be disassembled by newer versions of IDA (6.4) or NewOSXBook.com's jtool.

== Process ==

=== Fingerprint Registration Process===
[[Image:Touchid process.jpg|thumb|Touch ID process]]
Apple has applied for belows process to be patented for TouchID in [http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PG01&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.html&r=1&f=G&l=50&s1=%2220130308838%22.PGNR.&OS=DN/20130308838&RS=DN/20130308838 Apple Patent Application 20130308838].

* The fingerprint sensor detects an object to scan (activated via the 'metal ring' around the home button).
* The fingerprint sensor starts the scan - basically it takes a picture of the finger (UIImage).
* The picture is transferred to the Secure Enclave Processor (SEP) over an an encrypted dataline (similar to HDMI protected media path).
* The SEP stores this picture as a so-called template. Then it constructs a lower resolution version: a histogram of the most common ridge angles storing it together with the higer resolution template in the Secure Enclave.
* The SEP sends the lower resolution version to the main CPU.
* The main CPU stores the lower resultion version in a database (for a later authentication).

=== Fingerprint Authentication Process===

* The fingerprint sensor detects an object to scan (activated via the 'metal ring' around the home button).
* The fingerprint sensor starts the scan - basically it takes a picture of the finger (UIImage).
* The picture is transferred to the Secure Enclave Processor (SEP) over an an encrypted dataline (similar to HDMI protected media path).
* The SEP constructs a lower resolution version: a histogram of the most common ridge angles.
* The SEP sends the lower resolution version to the main CPU.
* The main compares the the lower resolution version for possible matches in its database.
* The main sends possible matches back to SEP or the authentication is rejected if no matches are found.
* The SEP takes the matches received by the main CPU and compares the initial image to high resolution versions of the received matches from main CPU.
* Access is granted in case of positive comparison or rejected in case of negative comparison.

==Inferred Information==
Based on a string dump, here is what is implied.

* It's codename is "mesa"
* It communicates over XPC to a binary that handles access to it
* There are kernel extensions to interface with it
* The kernel extension communicates to the secure keystore to set and verify fingerprints
* The fingerprint scanner calibrates itself and has upgradable firmware
* The fingerprint scanner uses normal image formats (i.e. UIImage) before setting and verifying fingerprints
* There's biometric lockout as well as passcode lockout
* The A7 chip contains a secure element marketed as the Secure Enclave. The string dump refers to SEP, the Secure Element Protocol. This chip is most likely one sourced from NXP. It contains physical security to ensure that the only operations of the chip involve setting new fingerprints and verifying fingerprints against the ones stored in it (i.e. challenge-response). This way, the fingerprint data cannot be extracted from it.

== String Dump ==
Below there is a full string dump of the framework, which can hint at its functionalities.
<pre>
initWithMachServiceName:options:
connectWithReplyBlock:
registerDelegate:withReplyBlock:
suspendWork:withReplyBlock:
enroll:withAuthToken:withReplyBlock:
match:withReplyBlock:
match:withOptions:withReplyBlock:
matchIdentities:withReplyBlock:
cancelWithReplyBlock:
updateIdentity:withReplyBlock:
removeIdentity:withReplyBlock:
getIdentityFromUUID:withReplyBlock:
identities:withReplyBlock:
resetEngineWithReplyBlock:
registerDSID:withAuthToken:withReplyBlock:
registerStoreToken:withReplyBlock:
getCountersignedStoreTokenWithReplyBlock:
getMaxIdentityCount:withReplyBlock:
enrollContinueWithReplyBlock:
pullAlignmentDataWithReplyBlock:
pullMatchTopologyDataWithReplyBlock:
getNodeTopologyForIdentity:withReplyBlock:
preventAutonomousMatchingMode:withReplyBlock:
getProvisioningStateWithReplyBlock:
getCalBlobVersionWithReplyBlock:
getSensorCalibrationStatusWithReplyBlock:
getCalibrationDataStateWithReplyBlock:
setDebugImages:withReplyBlock:
pullCaptureBufferWithReplyBlock:
pullDebugImageData:withReplyBlock:
provisionSensorWithReplyBlock:
unpairSensorWithReplyBlock:
lockSensorWithReplyBlock:
getSerialisedTemplateForIdentity:withReplyBlock:
interfaceWithProtocol:
setRemoteObjectInterface:
remoteObjectInterface
setWithObject:
setClasses:forSelector:argumentIndex:ofReply:
setWithObjects:
enrollResult:
matchResult:
statusMessage:
homeButtonPressed
setExportedInterface:
setExportedObject:
setInterruptionHandler:
resume
invalidate
remoteObjectProxyWithErrorHandler:
code
respondsToSelector:
connect
registerDelegate:
suspendWork:
enroll:withAuthToken:
match:
match:withOptions:
matchIdentities:
cancel
updateIdentity:
removeIdentity:
getIdentityFromUUID:
identities:
getMaxIdentityCount:
resetEngine
enrollContinue
pullAlignmentData
pullMatchTopologyData
getNodeTopologyForIdentity:
preventAutonomousMatchingMode:
getProvisioningState
registerDSID:withAuthToken:
registerStoreToken:
getCountersignedStoreToken:
getCalBlobVersion
getSensorCalibrationStatus
getCalibrationDataState
pullCaptureBuffer
pullDebugImageData:imageWidth:imageHeight:
provisionSensor
unpairSensor
lockSensor
setDebugImages:
getSerialisedTemplateForIdentity:
delegate
setDelegate:
interruptionHandler
_connection
_delegate
_interruptionHandler
setTopology:
setDetails:
topology
details
_topology
_details
initEnrollmentValues
message
messageDetails
objectForKeyedSubscript:
currentPrimaryComponentID
integerValue
doubleValue
statistics
enroll:
enrollResult:componentSet:
enrollProgress:
_fingerOn
_enrolling
_badImagePerFingerDown
_enrollmentStarTime
_touchesPerEnroll
_badImagesPerEnroll
_rejectedImagesPerEnroll
_primaryClusterAdditions
_primaryClusterFailedAdditions
_otherClustersAdditions
_joinEvents
_area
_primaryClusterArea
numberWithBool:
preferencesGetStringValue:
preferencesGetBOOLValue:
enableLogger:toPath:
manager
defaultCenter
appDidEnterBackground:
addObserver:selector:name:object:
appWillEnterForeground:
bundleForClass:
imageNamed:inBundle:
updateEnableLogger
dataWithBytes:length:
startEnrollLog
data
logRemoveIdentity:
bytes
imageFromRawImageData:
imageFromBitmapData:inRect:
pullDebugImageData:target:
getRadarAtachmentsForLastEnrollment
getRadarAtachmentsForLastMatch
length
stringWithString:
getModulationRatio
stringForProvisioningState:
getSensorPatchVersion
stringWithFormat:
getLogsForProcess:
sharedConnection
isFingerprintUnlockAllowed
setGracePeriod:passcode:completionBlock:
finishEnrollLogWithStatus:withIdentity:withTemplate:
matchResult:withDetails:
createMatchInfo:withTopology:withMatchImage:
logMatchResult:withTopology:withImage:withCaptureBuffer:withTemplate:
getBytes:length:
logEnrollMessage:withTopology:withImage:withCaptureBuffer:
logStatus:
enrollProgressMessage:
logRejectedImage:
size
drawInRect:
drawInRect:blendMode:alpha:
CGImage
scale
imageOrientation
imageWithCGImage:scale:orientation:
imageWithImage:inRect:
identityImage:
imageWithImage:withNode:withRect:alpha:
compositeTopologyImage:
imageTopology:forGroup:
imageFauxprint:withTheta:withLamda:
greenColor
imageWithImage:withTintColor:
dataWithData:
imageWithCGImage:
preferencesSetBOOLValue:forKey:
pullDebugImage:
getLoggerAttachmentsForRadar:
stringFromSensorConfiguration
matchIdentity:
topologyImage:
imageWithImage:withMaskImage:
inUse
setInUse:
enrollProgressConfigRenderMode
setEnrollProgressConfigRenderMode:
enrollProgressConfigRenderViewSize
setEnrollProgressConfigRenderViewSize:
renderMode
setRenderMode:
opacity
setOpacity:
_xpcClient
_enrollingMode
_matchingMode
_statistics
_scanbedImage
_fauxprintImage
_nodeRect
_images
_compSet
_rejectTouchCount
_rejectTouch
_showDebugImages
_enableLogger
_enrollImageSet
_isInternalInstall
_inUse
_enrollProgressConfigRenderMode
_renderMode
_opacity
_enrollProgressConfigRenderViewSize
setUuid:
decodeBytesForKey:returnedLength:
initWithUUIDBytes:
decodeIntForKey:
decodeObjectOfClass:forKey:
copy
getUUIDBytes:
encodeBytes:length:forKey:
encodeInt:forKey:
encodeObject:forKey:
biometricKitIdentity
supportsSecureCoding
encodeWithCoder:
initWithCoder:
uuid
type
setType:
attribute
setAttribute:
entity
setEntity:
name
setName:
stringByReplacingOccurrencesOfString:withString:
initWithCapacity:
setLength:
mutableBytes
defaultManager
createDirectoryAtPath:withIntermediateDirectories:attributes:error:
removeItemAtPath:error:
UUIDString
setMessageDetails:
setCaptureImage:
setRenderedImage:
progress
setProgress:
setCurrentPrimaryComponentID:
captureImage
renderedImage
setMessage:
_message
_progress
_currentPrimaryComponentID
_captureImage
_renderedImage
_messageDetails
setX:
setY:
angle
setAngle:
_angle
setTransformationCoordinates:
componentID
setComponentID:
transformationCoordinates
_componentID
_transformationCoordinates
pathComponents
com.apple.biometrickitd
T@"<BiometricKitDelegate>",N,V_delegate
interruptionHandler
T@?,C,N,V_interruptionHandler
topology
T@"NSDictionary",&,N,V_details
com.apple.fingerprint.enroll.attempts
com.apple.fingerprint.enroll.passes
com.apple.fingerprint.enroll.touchesPerEnroll
com.apple.fingerprint.enroll.badImagesPerEnroll
com.apple.fingerprint.enroll.rejectedImagesPerEnroll
com.apple.fingerprint.enroll.primaryClusterAdditions
com.apple.fingerprint.enroll.primaryClusterFailedAdditions
com.apple.fingerprint.enroll.otherClustersAdditions
com.apple.fingerprint.enroll.joinEvents
com.apple.fingerprint.enroll.clusterCount
com.apple.fingerprint.enroll.nodeCount
com.apple.fingerprint.enroll.primaryClusterNodeCount
com.apple.fingerprint.enroll.area
com.apple.fingerprint.enroll.primaryClusterArea
com.apple.fingerprint.enroll.passTime
com.apple.fingerprint.enroll.fails
com.apple.fingerprint.enroll.failTime
com.apple.ManagedConfiguration.profileListChanged
com.apple.biometrickitd.debugLogEnabled
com.apple.biometrickitd.debugLogPath
debugLogEnabled
debugLogPath
BKOptionSuppressHapticFeedback
BKOptionFilterOutHomeButtonEvents
BKOptionMatchForUnlock
InternalBuild
scanbed
synthetic
Uninitialized
Not Provisioned
Unprovisioned
Provisioned
Provisioned Locked
Unpaired
Unknown
biosensor,mesa
modulation-ratio
AppleBiometricSensor
patch-version
Mesa configuration:
Provisioning Status: %@
Calibrated:
- Version:
- Signed:
Modulation ratio:
Kernel:
Thick kernel
Thin kernel
Sensor Patch Version:
Steps to Reproduce:
inUse
TB,V_inUse
enrollProgressConfigRenderMode
Ti,N,V_enrollProgressConfigRenderMode
enrollProgressConfigRenderViewSize
T{CGSize=dd},N,V_enrollProgressConfigRenderViewSize
renderMode
Ti,N,V_renderMode
opacity
Tf,N,V_opacity
Notification callback.
BiometricKitErrorDomain
BKIdentityUUID
BKIdentityType
BKIdentityAttribute
BKIdentityEntityNumber
BKIdentityName
/var/mobile/BiometricKit/biometrickitd
BKEPDReason
BKEPDNewNodeID
BKEPDNewComponentID
BKEPDNewNodeCoordinates
BKEPDRemovedNodeID
BKEPDRemovedComponentID
BKEPDExtendedComponentID
BKEPDResultComponentID
BKEPDMergedInComponents
BKEPDRedundantNode
BKTDLargestCompArea
BKTDLargestCompNodes
BKTDTotalArea
BKTDTotalNodes
BKTemplateUpdated
Td,N,V_x
Td,N,V_y
angle
Td,N,V_angle
componentID
Tq,N,V_componentID
transformationCoordinates
T@"BiometricKitEnrollProgressCoordinates",&,N,V_transformationCoordinates
Remove identity: %@
Log package:%@
biometrickitd
%@.tar.gz
cd %@ && tar -cjf %@ %@
Time: % 8.3f
PASS
FAIL
Closing log with result %@
Template identity:
UUID : %@
Type : %i
Attrib: %i
Entity: %i
Error: Unable to get identity
Serialised template: %@
%@_%04d.bin
Status message: %@
Progress %i
Count of enrollments: %i
BiometricKitErrorTaskCancelled
BiometricKitErrorIdentityInvalid
BiometricKitErrorIdentityNotAllowed
BiometricKitErrorIdentityErrorInvalidData
BiometricKitErrorIdentityErrorUnknown
BiometricKitStatusFingerOn
BiometricKitStatusFingerOff
BiometricKitStatusEnrollmentComplete
BiometricKitStatusEnrollmentCancelled
BiometricKitStatusEnrollmentFailed
BiometricKitStatusEnrollmentTimeout
BiometricKitStatusUnknownError
BiometricKitStatusImageRejected
BiometricKitStatusNoCalibration
BiometricKitImageForProcessing
BiometricKitStatusTemplateListUpdated
BiometricKitStatusRequestFingerOff
BiometricKitStatusAutoMatchingStarted
BiometricKitStatusAutoMatchingStopped
BiometricKitStatusCaptureRestart
BiometricKitStatusScanTooShort
BiometricKitStatusAutoMatchingStartByHomeButton
BiometricKitStatusMatchingCancelled
BiometricKitStatusFingerOnBeforeFirstPasscodeUnlock
BiometricKitStatusFingerOnInPasscodeLockout
BiometricKitStatusFingerOnInBioLockout
BiometricKitStatusFingerOnTokenExpired
BiometricKitStatusESDRecovery
BiometricKitStatusImageRejectedUnknown
BiometricKitStatusImageRejectedBadBlocks
BiometricKitStatusImageRejectedChFPN
BiometricKitStatusImageRejectedCaFPN
BiometricKitStatusSensorOperationModeIdle
BiometricKitStatusSensorOperationModeCapture
BiometricKitStatusSensorOperationModePause
Other unknown status %i
Image #%i was rejected
Sensor patch version: %ld
Sensor patch version: unknown
Calibration Data: %@
Capture buffer: %@
Matcher: image refused
Matcher: image %s node %u
added as
replaced
Coordinates: %s[%i, %i, %i]
inverse of
Parent: %i
Processed image: %@
Enroll debug log, version 7
static const node_placement_t table_%02i =
%@{%i,%i,%i,%i,%i,%i,{
%@{%i,%i,%i,%i,%i}
%@},%i,%i,%i,%i,%i,0x%04x};
bin8
bin16
binXX
calibdata.bin
calibration-blob
Image #%i%s
was sent to matcher
Match result
Match details:
Matching score: %i
Match S2S count: %i
Matching node: %i
Updated node: %i
Not available
No match (artificial)
No match
Image #%i
Warning: the log is not complete, previous part of the log was deleted.
Starting enrollment
Starting matching
No known identities with enroll log are available.
Known identities with enroll log available:
%@ : %@
Match debug log, version 7
messages.log
OS version: %@ (%@)
Mesa: %@
Process name:%@
PrimaryUsagePage
PrimaryUsage
com.apple.iokit.hid.displayStatus
com.apple.mobile.keybagd.lock_status
AppleMesaSEPDriver
IOGeneralInterest
ScanningState
ScanningStateIdle
ScanningStateShortScanning
ScanningStateLongScanning
Unknown scanning state %i
Event: %@
HomeButtonPress
ExtendedDeviceLockState
MobileKeyBagDeviceIsUnlocked
MobileKeyBagDeviceIsLocked
MobileKeyBagDeviceIsLocking
MobileKeyBagDisabled
MobileKeyBagDeviceUnlockInProgress
MobileKeyBagDeviceInGracePeriod
MobileKeyBagDeviceInAssertDelay
MobileKeyBagDeviceInBioUnlock
Unknown lock state %i
DisplayOn
DisplayOff
/SourceCache/Mesa/Mesa-152/AppleBiometricServices/BiometricKit/BiometricKitDebugLog.m
/var/mobile/Library/Logs/CrashReporter/BiometricKit
v24@0:8@"BiometricKitIdentity"16
@"NSXPCConnection"
@"<BiometricKitDelegate>"
@"BiometricKitXPCClient"
@"BiometricKitStatistics"
@"UIImage"
[25{CGRect="origin"{CGPoint="x"d"y"d}"size"{CGSize="width"d"height"d}}]
[25@"UIImage"]
{?="count"i"capa"i"items"^^{?}"unusedImageCount"i"componentCount"i"componentCapa"i"bestComponentIndex"i"bestMapiComponentIndex"i"components"^^{?}"mapiNodeAddedIndex"s"mapiNodeRemovedIndex"s"updateCount"i"structureIsInconsistent"B}
{?="nodes"[25{?="imageData"@"NSData""width"I"height"I}]}
BiometricKitXpcProtocol
BiometricKitDelegateXpcProtocol
BiometricKitXPCClient
BiometricKitTemplateInfo
BiometricKitStatistics
BiometricKit
BiometricKitDelegate
BiometricKitIdentity
NSSecureCoding
NSCoding
BiometricKitMatchInfo
BiometricKitEnrollProgressInfo
BiometricKitEnrollProgressCoordinates
BiometricKitEnrollProgressMergedComponent
BiometricKitDebugLog
</pre>

{{stub|hardware}}

Jailbreak Exploits

2015-02-15T09:27:28Z

Morpheus: /* TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) */

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits which are used in order to jailbreak different versions of iOS ==
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[n72ap|iPod touch 2G]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[n88ap|iPhone 3GS]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]] and [[k66ap|Apple TV 2G]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])

== Programs which are used in order to jailbreak different versions of iOS ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs which are used in order to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailborken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 /1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 /1.1.5) ===

== Programs which are used in order to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[n72ap|iPod touch 2G]] only)

== Programs which are used in order to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs which are used in order to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[n18ap|iPod touch 3G]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

== Programs which are used in order to jailbreak 5.x ==
=== [[unthredera1n]] (5.0 / 5.0.1 / 5.1 / 5.1.1) ===
Except for the [[iPad 3]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Absinthe]] (5.0 on [[n94ap|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

== Programs which are used in order to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs which are used in order to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnarability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1 / 7.1.2) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* [[i0n1c]]'s Infoleak vulnerability (Pangu v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
* LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0) ({{cve|2014-4388}})
* TempSensor kernel exploit (Pangu 1.1.0) ({{cve|2014-4388}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack
* IOKit crafted call maker utility ({{cve|2014-4407}})

== Programs which are used in order to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* the same/a similar kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})
* i0n1c's Kernel info leak ({{cve|2014-4491}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* a new afc symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]]) also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/libxpcd.cache
* a new ovelapping segment attack [in a modified version] ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual
* enable-dylibs-to-override-cache - (not an exploit, a feature) - required to allow loading of xpcd/libmis from filesystem, because they are both in shared cache

Kernel:

* MachOBundleHeaders - to leak kernel addresses (slid)
* mach_port_kobject exploit - to defeat KASLR
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

Jailbreak Exploits

2015-02-15T09:26:55Z

Morpheus: also dont need a tweet as a source.. TAIG2 @NewOSXBook clearly explains it

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits which are used in order to jailbreak different versions of iOS ==
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[n72ap|iPod touch 2G]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[n88ap|iPhone 3GS]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]] and [[k66ap|Apple TV 2G]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])

== Programs which are used in order to jailbreak different versions of iOS ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs which are used in order to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailborken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 /1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 /1.1.5) ===

== Programs which are used in order to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[n72ap|iPod touch 2G]] only)

== Programs which are used in order to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs which are used in order to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[n18ap|iPod touch 3G]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

== Programs which are used in order to jailbreak 5.x ==
=== [[unthredera1n]] (5.0 / 5.0.1 / 5.1 / 5.1.1) ===
Except for the [[iPad 3]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Absinthe]] (5.0 on [[n94ap|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

== Programs which are used in order to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs which are used in order to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnarability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1 / 7.1.2) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* [[i0n1c]]'s Infoleak vulnerability (Pangu v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
* LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0) ({{cve|2014-4388}})
* TempSensor kernel exploit (Pangu 1.1.0) ({{cve|2014-4388}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack
* IOKit crafted call maker utility ({{cve|2014-4407}})

== Programs which are used in order to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* the same/a similar kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})
* i0n1c's Kernel info leak ({{cve|2014-4491}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* a new afc symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]]) also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/libxpcd.cache
* a new ovelapping segment attack [in a modified version] ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual
* enable-dylibs-to-override-cache - (not an exploit, a feature) - required to allow loading of xpcd/libmis from filesystem, because they are both in shared cache

Kernel:

* MachOBundleHeaders - to leak kernel addresses (slid)
* mach_port_kobject exploit - to defeat KASLR
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

Jailbreak Exploits

2015-02-15T09:25:23Z

Morpheus: ProxALS not actually used, at least not in TaiG. Not mach_ports_info. corrected, added MachOBundle and more

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits which are used in order to jailbreak different versions of iOS ==
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[n72ap|iPod touch 2G]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[n88ap|iPhone 3GS]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]] and [[k66ap|Apple TV 2G]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])

== Programs which are used in order to jailbreak different versions of iOS ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs which are used in order to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailborken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 /1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 /1.1.5) ===

== Programs which are used in order to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[n72ap|iPod touch 2G]] only)

== Programs which are used in order to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs which are used in order to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[n18ap|iPod touch 3G]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

== Programs which are used in order to jailbreak 5.x ==
=== [[unthredera1n]] (5.0 / 5.0.1 / 5.1 / 5.1.1) ===
Except for the [[iPad 3]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Absinthe]] (5.0 on [[n94ap|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

== Programs which are used in order to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs which are used in order to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnarability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1 / 7.1.2) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* [[i0n1c]]'s Infoleak vulnerability (Pangu v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
* LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0) ({{cve|2014-4388}})
* TempSensor kernel exploit (Pangu 1.1.0) ({{cve|2014-4388}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack
* IOKit crafted call maker utility ({{cve|2014-4407}})

== Programs which are used in order to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* the same/a similar kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})
* i0n1c's Kernel info leak ({{cve|2014-4491}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* a new afc symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]]) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/libxpcd.cache
* a new ovelapping segment attack [in a modified version] ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual
* enable-dylibs-to-override-cache - (not an exploit, a feature) - required to allow loading of xpcd/libmis from filesystem, because they are both in shared cache

Kernel:

* MachOBundleHeaders - to leak kernel addresses (slid)
* mach_port_kobject exploit - to defeat KASLR
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

TaiG

2015-02-15T09:19:43Z

Morpheus: Adding Part 2 of my writeup

{{about|untethered jailbreak for iOS 8.0-8.1.2 for Windows|the Mac version|PPJailbreak}}
{{Infobox software
| name = TaiG
| title = TaiG
| author = TaiG
| developer = TaiG
| released = {{Start date|2014|11|29|df=yes}}
| discontinued =
| latest release version = 1.2.1
| latest release date = {{Start date and age|2015|2|12|df=yes}}
| latest preview version =
| latest preview date =
| programming language = ?
| operating system = [[wikipedia:Microsoft Windows|Windows]]
| size =
| platform = [[wikipedia:Microsoft Windows|Windows]]
| language = [[wikipedia:Chinese language|Chinese]] / [[wikipedia:English language|English]]
| status = Active
| genre = Jailbreaking
| license = [[wikipedia:Freeware|Freeware]]
| website = [http://www.taig.com/en/ taig.com/en] (English) [http://taig.com taig.com] (Chinese)
}}

'''TaiG''' ('''Taiji''' in Chinese) ([[wikipedia:Help:IPA for English|/taɪ dʒi/]] or /taɪ tʃi/) is an [[untethered jailbreak]] for all devices on iOS 8.0-8.1.2, except the [[Apple TV]]. It was initially released on 29 November, 2014.

== Supported Devices ==
All devices capable of running [[iOS]] 8.0-8.1.2 except the [[Apple TV]] family, are supported.

=== iOS 8.2 Beta ===

TaiG's website originally claimed as early as [http://web.archive.org/web/20141204221416/http://taig.com/en/ 4 December 2014] that "support of iOS 8.2 has been completed by TaiG, [but] as 8.2 is still at beta stage, we have disabled support for 8.2 in [the] current public release." This claim remained through [http://web.archive.org/web/20141231032106/http://www.taig.com/ 31 December 2014], but was removed sometime before [http://web.archive.org/web/20150104165652/http://taig.com/en/ 4 January 2015].

== Download ==
{| class="wikitable"
! Version
! Language
! Download
! SHA-1
! Changes
|-
| 1.0.0
| rowspan="3" | English
| [http://apt.taig.com/installer/TaiG_1006.zip TaiG]
| <code>2538d85d3b42a2a65ec33aec86245c39047449d3</code>
| First version of TaiG which supports all devices with iOS 8.0 - 8.1.1 except Apple TV's.
|-
| 1.0.1
| [http://apt.taig.com/installer/TaiGJBreak_1010.zip TaiG]
| <code>7346849bb3ff3dd1e21530ae1bb7ee27f02f453a</code>
|
* Improve JB speed
* Improve stability
|-
| 1.0.2
| [http://apt.taig.com/installer/TaiGJBreak_1021.zip TaiG]
| <code>4edab617f9b951419eca4c32ddc6a5f8a2e94226</code>
|
* Able to remove 3K-Assistant via Cydia
|-
| rowspan="2" | 1.1.0
| Chinese
| [http://apt.taig.com/installer/channel/1205/TaiGJBreak_1101.zip TaiG]
| <code>2181179badac74cced2eb9ad5639b0f57be66f95</code>
| rowspan="2" |
* Avoid sandbox generate redundant info.
* Officially built TaiG source(apt.taig.com), users who Jailbroke with TaiG before V1.1.0, can fix this problem by install TaiG 8.0-8.1.1 Untether.
|-
| English
| [http://apt.taig.com/installer/channel/1205/TaiGJBreak_EN_1101.zip TaiG]
| class="rborderplz" | <code>d3b40bbbd6f9cf652ece4476b96dafae858f1bb0</code>
|-
| rowspan="2" | 1.2.0
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_1201.zip TaiG]
| <code>42848662a637234ef14d67448e4cf8e427906b52</code>
| rowspan="2" |
* Add support for iOS 8.1.2
|-
| English
| [http://apt.taig.com/installer/en/TaiGJBreak_EN_1201.zip TaiG]
| class="rborderplz" | <code>5c6e2939359e36622ca2b4ca71d0def628dbbaf3</code>
|-
| 1.2.1
| Chinese
| [http://apt.taig.com/installer/TaiGJBreak_1210.zip TaiG]
| <code>95df3a271473b5dbed29c950f5441aecd231b47a</code>
|
* TaiG can support iTunes12.1 now(By download new driver from a post in 3K BBS)
|}

== Installed Packages ==
* APR (/usr/lib) (1.3.3-2; <code>apr-lib</code>)
* APT 0.7 (apt-key) (0.7.25.3-3; <code>apt7-key</code>)
* APT 0.7 Strict (lib) (0.7.25.3-13; <code>apt7-lib</code>)
* Base Structure (1-4; <code>base</code>)
* Big Boss Icon Set (1.0; <code>org.thebigboss.repo.icons</code>)
* Bourne-Again SHell (4.0.44-15; <code>bash</code>)
* bzip2 (1.0.5-7; <code>bzip2</code>)
* Core Utilities (/bin) (8.12-7p; <code>coreutils-bin</code>)
* Cydia Installer (1.1.16; <code>cydia</code>)
* Cydia Translations (1.1.12; <code>cydia-lproj</code>)
* Darwin Tools (1-4; <code>darwintools</code>)
* Debian Packager (1.14.25-9; <code>dpkg</code>)
* Debian Utilities (3.3.3ubuntu1-1p; <code>debianutils</code>)
* Diff Utilities (2.8.1-6; <code>diffutils</code>)
* Find Utilities (4.2.33-6; <code>findutils</code>)
* GNU Privacy Guard (1.4.8-4; <code>gnupg</code>)
* grep (2.5.4-3; <code>grep</code>)
* gzip (1.6-7; <code>gzip</code>)
* LZMA Utils (4.32.7-4; <code>lzma</code>)
* New Curses (5.7-13; <code>ncurses</code>)
* PAM (Apple) (32.1-3; <code>pam</code>)
* PAM Modules (36.1-4; <code>pam-modules</code>)
* pcre (8.30-5p; <code>pcre</code>)
* Profile Directory (0-2; <code>profile.d</code>)
* readline (6.0-7; <code>readline</code>)
* sed (4.1.5-7; <code>sed</code>)
* shell-cmds (118-6; <code>shell-cmds</code>)
* system-cmds (433.4-12; <code>system-cmds</code>)
* TaiG 8.0-8.1.X Untether (1.1 (using 1.2.0); <code>taiguntether</code>)
* TaiG AFC2 (0.1; <code>taigafc2</code>)
* Tape Archive (1.19-8; <code>tar</code>)
* UIKit Tools (1.1.9; <code>uikittools</code>)

== Exploits and analysis ==
[http://newosxbook.com/articles/TaiG.html "The Annotated (informal) guide to TaiG - Part I"], and [http://newosxbook.com/articles/TaiG2.html "Part II"] by Jonathan Levin

[[Category:Jailbreaks]]

User talk:EverythingApplesPro

2015-01-26T01:18:44Z

Morpheus: /* Talk */

==Talk==
Hi! Please don't re upload pictures. His pictures are perfectly valid, so upload another set, if it is different. Thank you! --[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 23:38, 24 November 2014 (UTC)
:Also, just emailed him. His exact words: "No he can't replace the images that's not ok". So, please, someone reading this, roll them back, and if I can figure out how, I will.--[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 23:53, 24 November 2014 (UTC)
::Sorry, didn't know the icon was already made {{unsigned|EverythingApplesPro}}
:::That's ok, please just separately upload existing files from now on. --[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 00:39, 25 November 2014 (UTC)
Thanks, also sorry if I am editing/creating lots of information and pictures today, i have lots of information and cool things i can offer and i just got my account today. {{unsigned|EverythingApplesPro}}
:Thought I'd chime in. With images such as "[[:File:iPad mini retina ios7.jpeg|iPad mini retina ios7.jpeg]]", that's Ok, but if it's a different image such as with "[[:File:Grapecalmain.png|Grapecalmain.png]]", use a different file name. Thanks --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 07:51, 25 November 2014 (UTC)

I dont know why everythingapplepro deleted my edit, namely :

"This was made evident by a wave of alleged "prototypes" to have hit eBay during the fall of 2014. The "prototypes" in question were various devices that, for one reason or another, did not get formatted fully, and thus remained with a full image of SwitchBoard, root access (via SSH running on the device's USB interface), and a full suite of debug utilities"

When it is, in fact, very true. Apple themselves admitted to much [[User:morpheus|morpheus]] 25 January 2015

== Sign pages ==
Please use <code><nowiki>--~~~~</nowiki></code> to sign your talk page entries. --[[User:Jaggions|Jaggions]] ([[User talk:Jaggions|talk]]) 21:02, 1 December 2014 (UTC)

== Please don't upload hard-to-see pictures. ==

Is there any way you could screenshot it? I know it must be possible, others have done it. --[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 14:07, 13 December 2014 (UTC)

Probably, I'm trying to do a screenshot but i can't get it to work. If i take a better picture of it, would i replace the current one and override it or just upload the newer one ? --[[User:EverythingApplesPro|EverythingApplesPro]] ([[User talk:EverythingApplesPro|talk]]) 13 December 2014
: You can just upload a new version of the image, also please thumbnail the images like they are on the [[SwitchBoard.app]]. Try taking a screenshot through Xcode, if the developer image isn't already mounted on the device, Xcode should do it for you. --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 18:36, 13 December 2014 (UTC)

Launchd

2015-01-22T14:04:53Z

Morpheus: No more source for this.

{{lowercase}}
'''launchd''' is the background process used to manage daemons running on the device. It is commanded using launchctl. The source code used to be available, but with OS X 10.10/iOS 8.0 has been moved into the closed source libxpc, and has undergone significant changes (e.g. single process rather than per-user launchd, and improved XPC functionality).

== External Links ==
* [[wikipedia:launchd|Wikipedia]]

{{stub|firmware}}
[[Category:Daemons]]

SwitchBoard.app

2014-11-01T03:37:49Z

Morpheus: explaining so called"prototypes"

'''SwitchBoard.app''' is one of Apple's internal utilities. It's a simple launcher of other developer utilities. It's usually located in [[Apple_Internal_Apps#Internal_diagnostic_apps_known_from_beta_firmwares_and_prototypes|/AppleInternal/Applications]] folder along the other internal applications. Currently, there is no SwitchBoard binary available for public.

SwitchBoard and diagnostic utilities are copied onto the device during restore from special firmware bundles which are seeded only to Apple official service centers. It may be installed onto devices through [[PurpleRestore]]. Switchboard and its internal utilities are, in fact, present on all i-Devices during manufacturing - The utilities run extensive tests on the devices, including sensors, thermal measurements and more - and only when all tests pass do the devices go through a final stage, involving formatting and installing the production image of iOS on them. This was made evident by a wave of alleged "prototypes" to have hit eBay during the fall of 2014. The "prototypes" in question were various iPhone 6 devices that, for one reason or another, did not get formatted fully, and thus remained with a full image of switchboard, root access (via drop bear running on the device's USB interface), and a full suite of debug utilities.

== Gallery ==
<gallery>
File:Switchboard.jpg|[[N88ap|iPhone 3GS]] running [[Sierra 7C108b]]
File:SwitchBoard_4G.jpg|[[iPhone 4]] running Inferno(?) [[8A2130h]]
File:SwitchBoard_iPod.png|[[iPod touch]] running [[Inferno 7C1023e]]
File:IPad-prototype.JPG|[[iPad]] running SwitchBoard
File:SwitchBoard.jpg|[[N82ap|iPhone 3G]] or [[N88ap|iPhone 3GS]]
</gallery>

[[Category:Apple Internal Apps]]
[[Category:Software]]

Talk:Tutorial:Mounting the Ramdisk of IPSW in Betas 4-7

2013-08-27T15:28:58Z

Morpheus: /* Deletion Request */

== What versions? ==
What versions are the beta 4-7 it is referring to? --[[User:5urd|5urd]] 00:58, 26 June 2011 (UTC)
:This page seems fairly recent, so, I'd say iOS 4.2? remember how that went through like 50 betas? --[[User:rdqronos|rdqronos]] 21:07, 27 June 2011 (UTC)
::No, the move was recent, the page goes back to '08. Maybe 2.0b4-2.0b7 because those are the only ones with a beta 6(p/f) and 7... --[[User:5urd|5urd]] 00:16, 28 June 2011 (UTC)

== Deletion Request ==

I don't want to have valuable information deleted, just because it's old. Feel free to improve, reorganize, mark as deprecated or whatever, but don't delete useful information. If you can prove that all this information is already somewhere else in this wiki, then, and only then, it's ok to delete. I'll remove the deletion mark to avoid that it stays there forever and then one day someone accidentally deleteds it. You can continue discussion nevertheless. --[[User:Http|http]] ([[User talk:Http|talk]]) 07:52, 16 June 2013 (UTC)

I vote delete.. specifically, why the heck is this tutorial so darn complicated? all you need to do is strip the IMG header, (first 64 bytes, with dd)
then you use 'file' and see:

bash-3.2# file restore.dmg
restore.dmg: Macintosh HFS Extended version 4 data last mounted by: '10.0', created: Thu Aug 8 04:07:48 2013, last modified: Sat Aug 24 14:31:00 2013, last checked: Thu Aug 8 07:07:48 2013, block size: 4096, number of blocks: 2342, free blocks: 0

Then you just use

hdiutil attach -imagekey diskimage-class=CRawDiskImage restore.dmg

And you are done. Tutorial is confusing. --[[User:morpheus|morpheus]]

System Log

2013-07-28T03:25:54Z

Morpheus: /* Read syslog from command line */

==bgm's trick for enabling system log==
# In the shell, do: echo "*.* /var/log/syslog" > /etc/syslog.conf
# Add the following tags to /System/Library/LaunchDaemons/com.apple.syslogd.plist after the tag <string>/usr/sbin/syslogd</string>
<string>-bsd_out</string>
<string>1</string>
This will tell the Daemon Launcher to call /usr/sbin/syslogd -bsd_out 1, and we have configured it to write all messages to [[:/var/log/syslog]]
# "reboot & enjoy your kernel and other messages" (bgm)

== Note ==
The syslog will grow very big quite quickly if you use [[WinterBoard]]'s debug setting, but the folder [[:/private/var/log]] is on the data partition (music, etc). 
If you keep your device full of music, be careful you don't fill the partition. Unix systems tend to break when they
cant write to the syslog. Keep an eye on it or employ some log rotation.

To disable, enter [[Terminal.app]] and run:
rm /var/log/syslog;
mknod /var/log/syslog c 3 2
This will delete (<tt>rm</tt>) the file and create a [[:/dev/null]]. (<tt>mknod *** c 3 2</tt>)

To reenable, enter [[Terminal.app]] and run:
rm /var/log/syslog
touch /var/log/syslog

This will delete (<tt>rm</tt>) the file and and make a blank regular file. (<tt>touch</tt>)

== SBSettings Toggle ==
An SBSettings [http://apt.thebigboss.org/onepackage.php?bundleid=sbsettingssyslogd toggle] for enabling/disabling syslog is available at BigBoss' Cydia repository. The <tt>syslog > /var/log/syslog</tt> package from [[User:Saurik|saurik]]'s repo is not a dependency and you must manually install it also.

== Read syslog from command line ==

apt-get install socat
socat - UNIX-CONNECT:/var/run/lockdown/syslog.sock

This gives an interactive shell with the syslog daemon (no need to enable file output). The watch command prints new messages as they arrive.

== Read i-Device syslog on Mac through lockdown ==

A binary (and its source code) to view ASL messages from Mac using the MobileDevice.framework has been made available on http://newosxbook.com/index.php?page=downloads.

== Reference ==
* [http://code.google.com/p/iphone-elite/wiki/IphoneSyslogd Google Code] 
* [http://code.google.com/p/iphone-elite/source/list?path=/wiki/IphoneSyslogd.wiki&start=398 Full History]

Kernelcache

2013-04-21T16:54:04Z

Morpheus: Updated for GSM iPhone 4

The kernelcache is basically the [[kernel]] itself as well as all of its extensions (AppleImage3NORAccess, IOAESAccelerator, IOPKEAccelerator, etc.) into one file, then packed/encrypted in an [[IMG3 File Format|IMG3]] (iOS 2.0 and above) or [[S5L File Formats#8900|8900]] (iOS 1.0 through 1.1.4) container.

[[Category:Filesystem]]

The joker tool, from http://newosxbook.com/ can be used to dump information from a decrypted kernelcache - including system call and Mach trap addresses (in the kernel) as well as a list of all the KEXTs contained therein and their load addresses. The output from a 6.1.3 kernelcache (iPhone 4 GSM) using this tool, showing 153 kexts, is as follows:

<pre>
KextCache begins at : 0x80396000 (File Offset: 3493888)
Kext: Libkern Pseudoextension @0x80396000 (File: 0xffffffff) (com.apple.kpi.libkern)
Kext: Mach Kernel Pseudoextension @0x8039e000 (File: 0x35d000) (com.apple.kpi.mach)
Kext: Unsupported Pseudoextension @0x8039f000 (File: 0x35e000) (com.apple.kpi.unsupported)
Kext: I/O Kit Pseudoextension @0x803a1000 (File: 0x360000) (com.apple.kpi.iokit)
Kext: Private Pseudoextension @0x803b8000 (File: 0x377000) (com.apple.kpi.private)
Kext: BSD Kernel Pseudoextension @0x803bd000 (File: 0x37c000) (com.apple.kpi.bsd)
Kext: AppleARMPlatform @0x803c3000 (File: 0x382000) (com.apple.driver.AppleARMPlatform)
Kext: AppleSamsungSPI @0x803fd000 (File: 0x3bc000) (com.apple.driver.AppleSamsungSPI)
Kext: MAC Framework Pseudoextension @0x80401000 (File: 0x3c0000) (com.apple.kpi.dsep)
Kext: IOCryptoAcceleratorFamily @0x80402000 (File: 0x3c1000) (com.apple.iokit.IOCryptoAcceleratorFamily)
Kext: AppleMobileFileIntegrity @0x80410000 (File: 0x3cf000) (com.apple.driver.AppleMobileFileIntegrity)
Kext: IOHIDFamily @0x80427000 (File: 0x3e6000) (com.apple.iokit.IOHIDFamily)
Kext: AppleEmbeddedLightSensor @0x80447000 (File: 0x406000) (com.apple.driver.AppleEmbeddedLightSensor)
Kext: I/O Kit USB Family @0x80453000 (File: 0x412000) (com.apple.iokit.IOUSBFamily)
Kext: I/O Kit Driver for USB User Clients @0x80483000 (File: 0x442000) (com.apple.iokit.IOUSBUserClient)
Kext: I/O Kit Driver for USB EHCI Controllers @0x80486000 (File: 0x445000) (com.apple.driver.AppleUSBEHCI)
Kext: I/O Kit Driver for USB OHCI Controllers @0x8049c000 (File: 0x45b000) (com.apple.driver.AppleUSBOHCI)
Kext: AppleD1815PMU @0x804a8000 (File: 0x467000) (com.apple.driver.AppleD1815PMU)
Kext: AppleARMPL080DMAC @0x804bf000 (File: 0x47e000) (com.apple.driver.AppleARMPL080DMAC)
Kext: AppleMultitouchSPI @0x804c3000 (File: 0x482000) (com.apple.driver.AppleMultitouchSPI)
Kext: AppleKernelStorage @0x804d7000 (File: 0x496000) (com.apple.platform.AppleKernelStorage)
Kext: I/O Kit Storage Family @0x804da000 (File: 0x499000) (com.apple.iokit.IOStorageFamily)
Kext: AppleDiskImageDriver @0x804f2000 (File: 0x4b1000) (com.apple.driver.DiskImages)
Kext: AppleDiskImagesKernelBacked @0x804fe000 (File: 0x4bd000) (com.apple.driver.DiskImages.KernelBacked)
Kext: AppleDiskImagesRAMBackingStore @0x8050a000 (File: 0x4c9000) (com.apple.driver.DiskImages.RAMBackingStore)
Kext: AppleJPEGDriver @0x8050d000 (File: 0x4cc000) (com.apple.driver.AppleJPEGDriver)
Kext: EncryptedBlockStorage @0x80517000 (File: 0x4d6000) (com.apple.iokit.EncryptedBlockStorage)
Kext: IOFlashStorage @0x8051f000 (File: 0x4de000) (com.apple.iokit.IOFlashStorage)
Kext: AppleTVOut @0x80538000 (File: 0x4f7000) (com.apple.driver.AppleTVOut)
Kext: AppleEmbeddedUSB @0x8053c000 (File: 0x4fb000) (com.apple.driver.AppleEmbeddedUSB)
Kext: I/O Kit Driver for USB Composite Devices @0x80545000 (File: 0x504000) (com.apple.driver.AppleUSBComposite)
Kext: I/O Kit Driver for USB Devices @0x8054a000 (File: 0x509000) (com.apple.driver.AppleUSBMergeNub)
Kext: AppleEmbeddedUSBHost @0x8054f000 (File: 0x50e000) (com.apple.driver.AppleEmbeddedUSBHost)
Kext: Embedded I/O Kit Driver for USB OHCI Controllers @0x80554000 (File: 0x513000) (com.apple.driver.AppleUSBOHCIARM)
Kext: AppleHIDKeyboardEmbedded @0x80559000 (File: 0x518000) (com.apple.iokit.IOStreamFamily)
Kext: IOAudio2Family @0x8055e000 (File: 0x51d000) (com.apple.iokit.IOAudio2Family)
Kext: IOAVFamily @0x80568000 (File: 0x527000) (com.apple.iokit.IOAVFamily)
Kext: IODisplayPortFamily @0x8059d000 (File: 0x55c000) (com.apple.iokit.IODisplayPortFamily)
Kext: AppleSamsungDPTX @0x805b3000 (File: 0x572000) (com.apple.driver.AppleSamsungDPTX)
Kext: IODARTFamily @0x805d0000 (File: 0x58f000) (com.apple.driver.IODARTFamily)
Kext: Apple M2 Scaler and Color Space Converter Driver @0x805db000 (File: 0x59a000) (com.apple.driver.AppleM2ScalerCSCDriver)
Kext: IOSlaveProcessor @0x805ef000 (File: 0x5ae000) (com.apple.driver.IOSlaveProcessor)
Kext: AppleARM7M @0x805f4000 (File: 0x5b3000) (com.apple.driver.AppleARM7M)
Kext: AppleEffaceableStorage @0x805f8000 (File: 0x5b7000) (com.apple.driver.AppleEffaceableStorage)
Kext: LightweightVolumeManager @0x80602000 (File: 0x5c1000) (com.apple.driver.LightweightVolumeManager)
Kext: IOKit Serial Port Family @0x8060c000 (File: 0x5cb000) (com.apple.iokit.IOSerialFamily)
Kext: AppleOnboardSerial @0x80616000 (File: 0x5d5000) (com.apple.driver.AppleOnboardSerial)
Kext: AppleARMIISAudio @0x80624000 (File: 0x5e3000) (com.apple.iokit.AppleARMIISAudio)
Kext: HighlandParkAudioDevice @0x8062b000 (File: 0x5ea000) (com.apple.driver.HighlandParkAudioDevice)
Kext: AppleBasebandAudio @0x8065e000 (File: 0x61d000) (com.apple.driver.AppleBasebandAudio)
Kext: IOUSBDeviceFamily @0x80661000 (File: 0x620000) (com.apple.iokit.IOUSBDeviceFamily)
Kext: I/O Kit Networking Family @0x8066e000 (File: 0x62d000) (com.apple.iokit.IONetworkingFamily)
Kext: AppleUSBEthernetDevice @0x80688000 (File: 0x647000) (com.apple.driver.AppleUSBEthernetDevice)
Kext: AppleTCA6408GPIOIC @0x8068d000 (File: 0x64c000) (com.apple.driver.AppleTCA6408GPIOIC)
Kext: AppleNANDConfigAccess @0x80691000 (File: 0x650000) (com.apple.driver.AppleNANDConfigAccess)
Kext: AppleCDMA @0x80694000 (File: 0x653000) (com.apple.driver.AppleCDMA)
Kext: AppleNANDFTL @0x8069b000 (File: 0x65a000) (com.apple.driver.AppleNANDFTL)
Kext: IOAccessoryManager @0x806a4000 (File: 0x663000) (com.apple.iokit.IOAccessoryManager)
Kext: IOUserEthernet @0x806b8000 (File: 0x677000) (com.apple.iokit.IOUserEthernet)
Kext: AppleUSBAudio @0x806c0000 (File: 0x67f000) (com.apple.driver.AppleUSBAudio)
Kext: AppleDiskImagesUDIFDiskImage @0x806f0000 (File: 0x6af000) (com.apple.driver.DiskImages.UDIFDiskImage)
Kext: AppleS5L8930XUSB @0x806f7000 (File: 0x6b6000) (com.apple.driver.AppleS5L8930XUSB)
Kext: AppleEmbeddedGyro @0x806fb000 (File: 0x6ba000) (com.apple.driver.AppleEmbeddedGyro)
Kext: IOMobileGraphicsFamily @0x80704000 (File: 0x6c3000) (com.apple.iokit.IOMobileGraphicsFamily)
Kext: IOSurface @0x80713000 (File: 0x6d2000) (com.apple.iokit.IOSurface)
Kext: AppleDisplayPipe @0x80721000 (File: 0x6e0000) (com.apple.driver.AppleDisplayPipe)
Kext: AppleCLCD @0x80731000 (File: 0x6f0000) (com.apple.driver.AppleCLCD)
Kext: AppleS5L8930XDART @0x8073f000 (File: 0x6fe000) (com.apple.driver.AppleS5L8930XDART)
Kext: AppleEmbeddedGPS @0x80744000 (File: 0x703000) (com.apple.driver.AppleEmbeddedGPS)
Kext: AppleS5L8920X @0x8074a000 (File: 0x709000) (com.apple.driver.AppleS5L8920X)
Kext: PPP @0x80757000 (File: 0x716000) (com.apple.nke.ppp)
Kext: L2TP @0x80761000 (File: 0x720000) (com.apple.nke.l2tp)
Kext: AppleEmbeddedAccelerometer @0x80767000 (File: 0x726000) (com.apple.driver.AppleEmbeddedAccelerometer)
Kext: AppleSynopsysOTGDevice @0x8076d000 (File: 0x72c000) (com.apple.driver.AppleSynopsysOTGDevice)
Kext: FairPlayIOKit @0x80777000 (File: 0x736000) (com.apple.driver.FairPlayIOKit)
Kext: LSKDIOKit @0x807d7000 (File: 0x796000) (com.apple.driver.LSKDIOKit)
Kext: AppleAMC_r2 @0x807f5000 (File: 0x7b4000) (com.apple.driver.AppleAMC_r2)
Kext: AppleProfileFamily @0x8086e000 (File: 0x82d000) (com.apple.iokit.AppleProfileFamily)
Kext: AppleProfileTimestampAction @0x80899000 (File: 0x858000) (com.apple.driver.AppleProfileTimestampAction)
Kext: AppleAC3Passthrough @0x8089d000 (File: 0x85c000) (com.apple.driver.AppleAC3Passthrough)
Kext: IOTextEncryptionFamily @0x808a3000 (File: 0x862000) (com.apple.IOTextEncryptionFamily)
Kext: corecrypto @0x808a8000 (File: 0x867000) (com.apple.kec.corecrypto)
Kext: AppleUSBMike @0x808d3000 (File: 0x892000) (com.apple.driver.AppleUSBMike)
Kext: AppleProfileRegisterStateAction @0x808d7000 (File: 0x896000) (com.apple.driver.AppleProfileRegisterStateAction)
Kext: AppleDiskImagesFileBackingStore @0x808db000 (File: 0x89a000) (com.apple.driver.DiskImages.FileBackingStore)
Kext: AppleEmbeddedProx @0x808df000 (File: 0x89e000) (com.apple.driver.AppleEmbeddedProx)
Kext: AppleProfileReadCounterAction @0x808e7000 (File: 0x8a6000) (com.apple.driver.AppleProfileReadCounterAction)
Kext: BasebandSPI @0x808eb000 (File: 0x8aa000) (com.apple.driver.BasebandSPI)
Kext: AppleSerialMultiplexer @0x80905000 (File: 0x8c4000) (com.apple.driver.AppleSerialMultiplexer)
Kext: AppleNANDFirmware @0x80924000 (File: 0x8e3000) (com.apple.driver.AppleNANDFirmware)
Kext: AppleImage3NORAccess @0x80928000 (File: 0x8e7000) (com.apple.driver.AppleImage3NORAccess)
Kext: AppleSamsungSWI @0x80930000 (File: 0x8ef000) (com.apple.driver.AppleSamsungSWI)
Kext: AppleARMPL192VIC @0x80934000 (File: 0x8f3000) (com.apple.driver.AppleARMPL192VIC)
Kext: AppleIOPFMI @0x80937000 (File: 0x8f6000) (com.apple.driver.AppleIOPFMI)
Kext: IO80211Family @0x80947000 (File: 0x906000) (com.apple.iokit.IO80211Family)
Kext: Broadcom 802.11 Driver @0x80996000 (File: 0x955000) (com.apple.driver.AppleBCMWLANCore)
Kext: IOFlashNVRAM @0x80a04000 (File: 0x9c3000) (com.apple.driver.IOFlashNVRAM)
Kext: AppleSamsungSerial @0x80a0a000 (File: 0x9c9000) (com.apple.driver.AppleSamsungSerial)
Kext: AppleBasebandUSB @0x80a0e000 (File: 0x9cd000) (com.apple.driver.AppleBasebandUSB)
Kext: AppleRGBOUT @0x80a11000 (File: 0x9d0000) (com.apple.driver.AppleRGBOUT)
Kext: AppleBSDKextStarter @0x80a19000 (File: 0x9d8000) (com.apple.driver.AppleBSDKextStarter)
Kext: AppleSamsungMIPIDSI @0x80a1c000 (File: 0x9db000) (com.apple.driver.AppleSamsungMIPIDSI)
Kext: Regular Expression Matching Engine @0x80a21000 (File: 0x9e0000) (com.apple.kext.AppleMatch)
Kext: AppleLTC4099Charger @0x80a25000 (File: 0x9e4000) (com.apple.driver.AppleLTC4099Charger)
Kext: IOMikeyBusFamily @0x80a29000 (File: 0x9e8000) (com.apple.iokit.IOMikeyBusFamily)
Kext: AppleEmbeddedAudio @0x80a3b000 (File: 0x9fa000) (com.apple.driver.AppleEmbeddedAudio)
Kext: AppleCS42L61Audio @0x80a5c000 (File: 0xa1b000) (com.apple.driver.AppleCS42L61Audio)
Kext: IOP_s5l8930x_firmware @0x80a61000 (File: 0xa20000) (com.apple.driver.IOP_s5l8930x_firmware)
Kext: AppleBasebandN90 @0x80a8e000 (File: 0xa4d000) (com.apple.driver.AppleBasebandN90)
Kext: AppleMultitouchSPIN1F55 @0x80a97000 (File: 0xa56000) (com.apple.driver.AppleBluetooth)
Kext: AppleIntegratedProxALSSensor @0x80a9a000 (File: 0xa59000) (com.apple.driver.AppleIntegratedProxALSSensor)
Kext: AppleCDCSerialDevice @0x80aa4000 (File: 0xa63000) (com.apple.driver.AppleCDCSerialDevice)
Kext: H3 H264 Video Encoder @0x80aac000 (File: 0xa6b000) (com.apple.driver.H2H264VideoEncoderDriver)
Kext: AppleProfileKEventAction @0x80acd000 (File: 0xa8c000) (com.apple.driver.AppleProfileKEventAction)
Kext: AppleS5L8930XUSBPhy @0x80ad1000 (File: 0xa90000) (com.apple.driver.AppleS5L8930XUSBPhy)
Kext: IOKit SDIO Family @0x80ad5000 (File: 0xa94000) (com.apple.iokit.IOSDIOFamily)
Kext: AppleSamsungPKE @0x80ae5000 (File: 0xaa4000) (com.apple.driver.AppleSamsungPKE)
Kext: AppleIOPSDIO @0x80ae9000 (File: 0xaa8000) (com.apple.driver.AppleIOPSDIO)
Kext: Seatbelt sandbox policy @0x80af1000 (File: 0xab0000) (com.apple.security.sandbox)
Kext: AppleHIDKeyboard @0x80afc000 (File: 0xabb000) (com.apple.driver.AppleHIDKeyboard)
Kext: AppleKeyStore @0x80aff000 (File: 0xabe000) (com.apple.driver.AppleKeyStore)
Kext: AppleHDQGasGaugeControl @0x80b0c000 (File: 0xacb000) (com.apple.driver.AppleHDQGasGaugeControl)
Kext: Broadcom WLAN SDIO Bus Driver @0x80b10000 (File: 0xacf000) (com.apple.driver.AppleBCMWLANBusInterfaceSDIO)
Kext: I/O Kit HID Event Driver @0x80b21000 (File: 0xae0000) (com.apple.driver.AppleH3CameraInterface)
Kext: AppleDiskImagesReadWriteDiskImage @0x80b40000 (File: 0xaff000) (com.apple.driver.DiskImages.ReadWriteDiskImage)
Kext: AppleFSCompressionTypeZlib @0x80b43000 (File: 0xb02000) (com.apple.AppleFSCompression.AppleFSCompressionTypeZlib)
Kext: AppleUSBEthernet @0x80b48000 (File: 0xb07000) (com.apple.driver.AppleUSBEthernet)
Kext: EmbeddedIOP @0x80b51000 (File: 0xb10000) (com.apple.driver.EmbeddedIOP)
Kext: I/O Kit Driver for USB HID Devices @0x80b59000 (File: 0xb18000) (com.apple.driver.AppleS5L8930X)
Kext: AppleSamsungI2S @0x80b63000 (File: 0xb22000) (com.apple.driver.AppleSamsungI2S)
Kext: AppleM68Buttons @0x80b67000 (File: 0xb26000) (com.apple.driver.AppleM68Buttons)
Kext: AppleVXD375 @0x80b6b000 (File: 0xb2a000) (com.apple.driver.AppleVXD375)
Kext: AppleUSBDeviceMux @0x80b87000 (File: 0xb46000) (com.apple.driver.AppleUSBDeviceMux)
Kext: PPTP @0x80b8f000 (File: 0xb4e000) (com.apple.nke.pptp)
Kext: I/O Kit Driver for USB HID Devices @0x80b94000 (File: 0xb53000) (com.apple.iokit.IOUSBHIDDriver)
Kext: AppleMultitouchSPIZ2F13 @0x80b9a000 (File: 0xb59000) (com.apple.iokit.IOAcceleratorFamily)
Kext: IMGSGX535 Graphics Kernel Extension @0x80bb7000 (File: 0xb76000) (com.apple.IMGSGX535)
Kext: ApplePinotLCD @0x80be4000 (File: 0xba3000) (com.apple.driver.ApplePinotLCD)
Kext: I/O Kit Driver for USB Hubs @0x80be7000 (File: 0xba6000) (com.apple.driver.AppleUSBHub)
Kext: AppleEmbeddedCompass @0x80bf0000 (File: 0xbaf000) (com.apple.driver.AppleEmbeddedCompass)
Kext: AppleProfileThreadInfoAction @0x80bf8000 (File: 0xbb7000) (com.apple.driver.AppleProfileThreadInfoAction)
Kext: AppleBasebandCDC @0x80bfc000 (File: 0xbbb000) (com.apple.driver.AppleBasebandCDC)
Kext: AppleUSBEthernetHost @0x80c02000 (File: 0xbc1000) (com.apple.driver.AppleUSBEthernetHost)
Kext: AppleDPRepeater @0x80c07000 (File: 0xbc6000) (com.apple.driver.AppleDPRepeater)
Kext: I/O Kit HID Event Driver Safe Boot @0x80c36000 (File: 0xbf5000) (com.apple.driver.AppleCD3282Mikey)
Kext: tlsnke @0x80c3a000 (File: 0xbf9000) (com.apple.nke.tls)
Kext: AppleUSBHIDKeyboard @0x80c40000 (File: 0xbff000) (com.apple.driver.AppleUSBHIDKeyboard)
Kext: AppleProfileCallstackAction @0x80c43000 (File: 0xc02000) (com.apple.driver.AppleProfileCallstackAction)
Kext: AppleDiagnosticDataAccessReadOnly @0x80c47000 (File: 0xc06000) (com.apple.driver.AppleDiagnosticDataAccessReadOnly)
Kext: AppleNANDLegacyFTL @0x80c4a000 (File: 0xc09000) (com.apple.driver.AppleNANDLegacyFTL)
Kext: AppleTetheredDevice @0x80c78000 (File: 0xc37000) (com.apple.driver.AppleTetheredDevice)
Kext: AppleUSBHSIC @0x80c7b000 (File: 0xc3a000) (com.apple.driver.AppleUSBHSIC)
Kext: Embedded I/O Kit Driver for USB EHCI Controllers @0x80c83000 (File: 0xc42000) (com.apple.driver.AppleUSBEHCIARM)

</pre>

Talk:Kernelcache

2013-04-09T00:09:16Z

Morpheus:

Would it be possible to boot an iPhone over usb (or transfer a kernelcache via irecovery to the phone so it boots). I was messing with kernelcaches in the firmware files and now my 2G is stuck in recovery mode. {{unsigned|M2m|15:40, September 7, 2010 (UTC)}}

Yes its possible, check out [http://github.com/fallensn0w/openiBooty openiBooty] for example. --[[User:Fallensn0w|Fallensn0w]] 16:02, 7 September 2010 (UTC)

Changed kernelcache dump to 6.1.3 final, not beta 2. -- Morpheus

Kernelcache

2013-04-09T00:08:51Z

Morpheus:

The kernelcache is basically the [[kernel]] itself as well as all of its extensions (AppleImage3NORAccess, IOAESAccelerator, IOPKEAccelerator, etc.) into one file, then packed/encrypted in an [[IMG3 File Format|IMG3]] (iOS 2.0 and above) or [[S5L File Formats#8900|8900]] (iOS 1.0 through 1.1.4) container.

[[Category:Filesystem]]

The joker tool, from http://newosxbook.com/ can be used to dump information from a decrypted kernelcache - including system call and Mach trap addresses (in the kernel) as well as a list of all the KEXTs contained therein and their load addresses. The output from a 6.1.3 kernelcache (iPod 4,1) is as follows:

<pre>
Kext: MAC Framework Pseudoextension @0x8039600(com.apple.kpi.dsep)
Kext: Private Pseudoextension @0x8039700(com.apple.kpi.private)
Kext: I/O Kit Pseudoextension @0x8039c00(com.apple.kpi.iokit)
Kext: Libkern Pseudoextension @0x803b300(com.apple.kpi.libkern)
Kext: BSD Kernel Pseudoextension @0x803bb00(com.apple.kpi.bsd)
Kext: AppleFSCompressionTypeZlib @0x803c100(com.apple.AppleFSCompression.AppleFSCompressionTypeZlib)
Kext: Mach Kernel Pseudoextension @0x803c600(com.apple.kpi.mach)
Kext: Unsupported Pseudoextension @0x803c700(com.apple.kpi.unsupported)
Kext: I/O Kit USB Family @0x803c900(com.apple.iokit.IOUSBFamily)
Kext: I/O Kit Driver for USB User Clients @0x803f900(com.apple.iokit.IOUSBUserClient)
Kext: I/O Kit Storage Family @0x803fc00(com.apple.iokit.IOStorageFamily)
Kext: AppleDiskImageDriver @0x8041400(com.apple.driver.DiskImages)
Kext: AppleDiskImagesKernelBacked @0x8042000(com.apple.driver.DiskImages.KernelBacked)
Kext: FairPlayIOKit @0x8042c00(com.apple.driver.FairPlayIOKit)
Kext: LSKDIOKit @0x8048c00(com.apple.driver.LSKDIOKit)
Kext: AppleARMPlatform @0x804aa00(com.apple.driver.AppleARMPlatform)
Kext: AppleVXD375 @0x804e400(com.apple.driver.AppleVXD375)
Kext: IOSlaveProcessor @0x8050000(com.apple.driver.IOSlaveProcessor)
Kext: IOP_s5l8930x_firmware @0x8050500(com.apple.driver.IOP_s5l8930x_firmware)
Kext: AppleDiskImagesUDIFDiskImage @0x8053200(com.apple.driver.DiskImages.UDIFDiskImage)
Kext: IOStreamFamily @0x8053900(com.apple.iokit.IOStreamFamily)
Kext: IOAudio2Family @0x8053e00(com.apple.iokit.IOAudio2Family)
Kext: IOAVFamily @0x8054800(com.apple.iokit.IOAVFamily)
Kext: IODisplayPortFamily @0x8057d00(com.apple.iokit.IODisplayPortFamily)
Kext: AppleSamsungDPTX @0x8059300(com.apple.driver.AppleSamsungDPTX)
Kext: IOUSBDeviceFamily @0x805b000(com.apple.iokit.IOUSBDeviceFamily)
Kext: AppleUSBDeviceMux @0x805bd00(com.apple.driver.AppleUSBDeviceMux)
Kext: PPP @0x805c500(com.apple.nke.ppp)
Kext: L2TP @0x805cf00(com.apple.nke.l2tp)
Kext: I/O Kit Networking Family @0x805d500(com.apple.iokit.IONetworkingFamily)
Kext: IO80211Family @0x805ef00(com.apple.iokit.IO80211Family)
Kext: IOKit Serial Port Family @0x8063e00(com.apple.iokit.IOSerialFamily)
Kext: AppleOnboardSerial @0x8064800(com.apple.driver.AppleOnboardSerial)
Kext: Broadcom 802.11 Driver @0x8065600(com.apple.driver.AppleBCMWLANCore)
Kext: AppleSamsungSPI @0x806c400(com.apple.driver.AppleSamsungSPI)
Kext: I/O Kit Driver for USB Composite Devices @0x806c800(com.apple.driver.AppleUSBComposite)
Kext: I/O Kit Driver for USB Devices @0x806cd00(com.apple.driver.AppleUSBMergeNub)
Kext: AppleEmbeddedUSBHost @0x806d200(com.apple.driver.AppleEmbeddedUSBHost)
Kext: AppleUSBEthernetHost @0x806d700(com.apple.driver.AppleUSBEthernetHost)
Kext: AppleARM7M @0x806dc00(com.apple.driver.AppleARM7M)
Kext: corecrypto @0x806e000(com.apple.kec.corecrypto)
Kext: IOTextEncryptionFamily @0x8070b00(com.apple.IOTextEncryptionFamily)
Kext: IOCryptoAcceleratorFamily @0x8071000(com.apple.iokit.IOCryptoAcceleratorFamily)
Kext: AppleMobileFileIntegrity @0x8071e00(com.apple.driver.AppleMobileFileIntegrity)
Kext: Regular Expression Matching Engine @0x8073500(com.apple.kext.AppleMatch)
Kext: Seatbelt sandbox policy @0x8073900(com.apple.security.sandbox)
Kext: AppleProfileFamily @0x8074400(com.apple.iokit.AppleProfileFamily)
Kext: AppleProfileTimestampAction @0x8076f00(com.apple.driver.AppleProfileTimestampAction)
Kext: AppleNANDConfigAccess @0x8077300(com.apple.driver.AppleNANDConfigAccess)
Kext: AppleDiagnosticDataAccessReadOnly @0x8077600(com.apple.driver.AppleDiagnosticDataAccessReadOnly)
Kext: IOMobileGraphicsFamily @0x8077900(com.apple.iokit.IOMobileGraphicsFamily)
Kext: IODARTFamily @0x8078800(com.apple.driver.IODARTFamily)
Kext: Apple M2 Scaler and Color Space Converter Driver @0x8079300(com.apple.driver.AppleM2ScalerCSCDriver)
Kext: IOAcceleratorFamily @0x807a700(com.apple.iokit.IOAcceleratorFamily)
Kext: EncryptedBlockStorage @0x807c400(com.apple.iokit.EncryptedBlockStorage)
Kext: IOFlashStorage @0x807cc00(com.apple.iokit.IOFlashStorage)
Kext: AppleNANDFTL @0x807e500(com.apple.driver.AppleNANDFTL)
Kext: ApplePPNFTL @0x807ee00(com.apple.driver.ApplePPNFTL)
Kext: AppleDiskImagesRAMBackingStore @0x8081b00(com.apple.driver.DiskImages.RAMBackingStore)
Kext: IOHIDFamily @0x8081e00(com.apple.iokit.IOHIDFamily)
Kext: I/O Kit Driver for USB HID Devices @0x8083e00(com.apple.iokit.IOUSBHIDDriver)
Kext: AppleS5L8920X @0x8084400(com.apple.driver.AppleS5L8920X)
Kext: AppleARMPL192VIC @0x8085100(com.apple.driver.AppleARMPL192VIC)
Kext: AppleBluetooth @0x8085400(com.apple.driver.AppleBluetooth)
Kext: I/O Kit Driver for USB EHCI Controllers @0x8085700(com.apple.driver.AppleUSBEHCI)
Kext: I/O Kit Driver for USB OHCI Controllers @0x8086d00(com.apple.driver.AppleUSBOHCI)
Kext: AppleEmbeddedUSB @0x8087900(com.apple.driver.AppleEmbeddedUSB)
Kext: Embedded I/O Kit Driver for USB OHCI Controllers @0x8088200(com.apple.driver.AppleUSBOHCIARM)
Kext: AppleNANDFirmware @0x8088700(com.apple.driver.AppleNANDFirmware)
Kext: AppleEmbeddedCompass @0x8088b00(com.apple.driver.AppleEmbeddedCompass)
Kext: AppleD1815PMU @0x8089300(com.apple.driver.AppleD1815PMU)
Kext: AppleProfileThreadInfoAction @0x808aa00(com.apple.driver.AppleProfileThreadInfoAction)
Kext: AppleEmbeddedGyro @0x808ae00(com.apple.driver.AppleEmbeddedGyro)
Kext: AppleSynopsysOTGDevice @0x808b700(com.apple.driver.AppleSynopsysOTGDevice)
Kext: AppleEmbeddedLightSensor @0x808c100(com.apple.driver.AppleEmbeddedLightSensor)
Kext: AppleSamsungSerial @0x808cd00(com.apple.driver.AppleSamsungSerial)
Kext: AppleUSBMike @0x808d100(com.apple.driver.AppleUSBMike)
Kext: AppleNANDLegacyFTL @0x808d500(com.apple.driver.AppleNANDLegacyFTL)
Kext: AppleSamsungMIPIDSI @0x8090300(com.apple.driver.AppleSamsungMIPIDSI)
Kext: I/O Kit HID Event Driver Safe Boot @0x8090800(com.apple.driver.AppleBSDKextStarter)
Kext: AppleHIDKeyboard @0x8090b00(com.apple.driver.AppleHIDKeyboard)
Kext: IOKit SDIO Family @0x8090e00(com.apple.iokit.IOSDIOFamily)
Kext: AppleIOPSDIO @0x8091e00(com.apple.driver.AppleIOPSDIO)
Kext: AppleLTC4099Charger @0x8092600(com.apple.driver.AppleLTC4099Charger)
Kext: I/O Kit Driver for USB HID Devices @0x8092a00(com.apple.driver.AppleCDMA)
Kext: AppleProfileReadCounterAction @0x8093100(com.apple.driver.AppleProfileReadCounterAction)
Kext: AppleSamsungSWI @0x8093500(com.apple.driver.AppleSamsungSWI)
Kext: IOUserEthernet @0x8093900(com.apple.iokit.IOUserEthernet)
Kext: AppleUSBHSIC @0x8094100(com.apple.driver.AppleUSBHSIC)
Kext: Embedded I/O Kit Driver for USB EHCI Controllers @0x8094900(com.apple.driver.AppleUSBEHCIARM)
Kext: AppleAMC_r2 @0x8095000(com.apple.driver.AppleAMC_r2)
Kext: EmbeddedIOP @0x809c900(com.apple.driver.EmbeddedIOP)
Kext: ApplePinotLCD @0x809d100(com.apple.driver.ApplePinotLCD)
Kext: IOSurface @0x809d400(com.apple.iokit.IOSurface)
Kext: AppleDisplayPipe @0x809e200(com.apple.driver.AppleDisplayPipe)
Kext: AppleCLCD @0x809f200(com.apple.driver.AppleCLCD)
Kext: AppleS5L8930XDART @0x80a0000(com.apple.driver.AppleS5L8930XDART)
Kext: I/O Kit Driver for USB Hubs @0x80a0500(com.apple.driver.AppleUSBHub)
Kext: AppleKernelStorage @0x80a0e00(com.apple.platform.AppleKernelStorage)
Kext: AppleM68Buttons @0x80a1100(com.apple.driver.AppleM68Buttons)
Kext: AppleUSBEthernetDevice @0x80a1500(com.apple.driver.AppleUSBEthernetDevice)
Kext: AppleUSBHIDKeyboard @0x80a1a00(com.apple.driver.AppleUSBHIDKeyboard)
Kext: BasebandSPI @0x80a1d00(com.apple.driver.BasebandSPI)
Kext: AppleEffaceableStorage @0x80a3700(com.apple.driver.AppleEffaceableStorage)
Kext: LightweightVolumeManager @0x80a4100(com.apple.driver.LightweightVolumeManager)
Kext: IMGSGX535 Graphics Kernel Extension @0x80a4b00(com.apple.IMGSGX535)
Kext: I/O Kit HID Event Driver @0x80a7800(com.apple.driver.AppleIOPFMI)
Kext: AppleTetheredDevice @0x80a8800(com.apple.driver.AppleTetheredDevice)
Kext: AppleProfileKEventAction @0x80a8b00(com.apple.driver.AppleProfileKEventAction)
Kext: AppleRGBOUT @0x80a8f00(com.apple.driver.AppleRGBOUT)
Kext: IOFlashNVRAM @0x80a9700(com.apple.driver.IOFlashNVRAM)
Kext: AppleS5L8930XUSB @0x80a9d00(com.apple.driver.AppleS5L8930XUSB)
Kext: AppleDPRepeater @0x80aa100(com.apple.driver.AppleDPRepeater)
Kext: AppleARMPL080DMAC @0x80ad000(com.apple.driver.AppleARMPL080DMAC)
Kext: AppleAC3Passthrough @0x80ad400(com.apple.driver.AppleAC3Passthrough)
Kext: AppleIntegratedProxALSSensor @0x80ada00(com.apple.driver.AppleIntegratedProxALSSensor)
Kext: AppleDiskImagesFileBackingStore @0x80ae400(com.apple.driver.DiskImages.FileBackingStore)
Kext: AppleUSBAudio @0x80ae800(com.apple.driver.AppleUSBAudio)
Kext: AppleTVOut @0x80b1800(com.apple.driver.AppleTVOut)
Kext: tlsnke @0x80b1c00(com.apple.nke.tls)
Kext: AppleS5L8930XUSBPhy @0x80b2200(com.apple.driver.AppleS5L8930XUSBPhy)
Kext: AppleProfileRegisterStateAction @0x80b2600(com.apple.driver.AppleProfileRegisterStateAction)
Kext: IOAccessoryManager @0x80b2a00(com.apple.iokit.IOAccessoryManager)
Kext: AppleS5L8930X @0x80b3e00(com.apple.driver.AppleS5L8930X)
Kext: AppleBSDKextStarterVPN @0x80b4800(com.apple.driver.DiskImages.ReadWriteDiskImage)
Kext: AppleARMIISAudio @0x80b4b00(com.apple.iokit.AppleARMIISAudio)
Kext: AppleEmbeddedProx @0x80b5200(com.apple.driver.AppleEmbeddedProx)
Kext: AppleMultitouchSPI @0x80b5a00(com.apple.driver.AppleMultitouchSPI)
Kext: H3 H264 Video Encoder @0x80b6e00(com.apple.driver.H2H264VideoEncoderDriver)
Kext: Broadcom WLAN SDIO Bus Driver @0x80b8f00(com.apple.driver.AppleBCMWLANBusInterfaceSDIO)
Kext: AppleUSBEthernet @0x80ba000(com.apple.driver.AppleUSBEthernet)
Kext: PPTP @0x80ba900(com.apple.nke.pptp)
Kext: AppleJPEGDriver @0x80bae00(com.apple.driver.AppleJPEGDriver)
Kext: AppleSamsungI2S @0x80bb800(com.apple.driver.AppleSamsungI2S)
Kext: AppleEmbeddedAccelerometer @0x80bbc00(com.apple.driver.AppleEmbeddedAccelerometer)
Kext: IOMikeyBusFamily @0x80bc200(com.apple.iokit.IOMikeyBusFamily)
Kext: AppleEmbeddedAudio @0x80bd400(com.apple.driver.AppleEmbeddedAudio)
Kext: AppleLM48557Amp @0x80bf500(com.apple.driver.AppleLM48557Amp)
Kext: AppleProfileCallstackAction @0x80bf800(com.apple.driver.AppleProfileCallstackAction)
Kext: AppleMultitouchSPIN1F55 @0x80bfc00(com.apple.driver.AppleCD3282Mikey)
Kext: AppleMultitouchSPIZ2F13 @0x80c0000(com.apple.driver.AppleImage3NORAccess)
Kext: AppleH3CameraInterface @0x80c0800(com.apple.driver.AppleH3CameraInterface)
Kext: AppleSamsungPKE @0x80c2700(com.apple.driver.AppleSamsungPKE)
Kext: AppleKeyStore @0x80c2b00(com.apple.driver.AppleKeyStore)
Kext: AppleHIDKeyboardEmbedded @0x80c3800(com.apple.driver.AppleCS42L59Audio)

</pre>

Kernelcache

2013-04-08T20:45:46Z

Morpheus: dump of kernel cache

The kernelcache is basically the [[kernel]] itself as well as all of its extensions (AppleImage3NORAccess, IOAESAccelerator, IOPKEAccelerator, etc.) into one file, then packed/encrypted in an [[IMG3 File Format|IMG3]] (iOS 2.0 and above) or [[S5L File Formats#8900|8900]] (iOS 1.0 through 1.1.4) container.

[[Category:Filesystem]]

The joker tool, from http://newosxbook.com/ can be used to dump information from a decrypted kernelcache - including system call and Mach trap addresses (in the kernel) as well as a list of all the KEXTs contained therein and their load addresses. The output from a 6.1.3b2 kernelcache (iPod 4,1) is as follows:

<pre>
Kext: MAC Framework Pseudoextension @0x8039600(com.apple.kpi.dsep)
Kext: Private Pseudoextension @0x8039700(com.apple.kpi.private)
Kext: I/O Kit Pseudoextension @0x8039c00(com.apple.kpi.iokit)
Kext: Libkern Pseudoextension @0x803b300(com.apple.kpi.libkern)
Kext: BSD Kernel Pseudoextension @0x803bb00(com.apple.kpi.bsd)
Kext: AppleFSCompressionTypeZlib @0x803c100(com.apple.AppleFSCompression.AppleFSCompressionTypeZlib)
Kext: Mach Kernel Pseudoextension @0x803c600(com.apple.kpi.mach)
Kext: Unsupported Pseudoextension @0x803c700(com.apple.kpi.unsupported)
Kext: I/O Kit USB Family @0x803c900(com.apple.iokit.IOUSBFamily)
Kext: I/O Kit Driver for USB User Clients @0x803f900(com.apple.iokit.IOUSBUserClient)
Kext: I/O Kit Storage Family @0x803fc00(com.apple.iokit.IOStorageFamily)
Kext: AppleDiskImageDriver @0x8041400(com.apple.driver.DiskImages)
Kext: AppleDiskImagesKernelBacked @0x8042000(com.apple.driver.DiskImages.KernelBacked)
Kext: FairPlayIOKit @0x8042c00(com.apple.driver.FairPlayIOKit)
Kext: LSKDIOKit @0x8048c00(com.apple.driver.LSKDIOKit)
Kext: AppleARMPlatform @0x804aa00(com.apple.driver.AppleARMPlatform)
Kext: AppleVXD375 @0x804e400(com.apple.driver.AppleVXD375)
Kext: IOSlaveProcessor @0x8050000(com.apple.driver.IOSlaveProcessor)
Kext: IOP_s5l8930x_firmware @0x8050500(com.apple.driver.IOP_s5l8930x_firmware)
Kext: AppleDiskImagesUDIFDiskImage @0x8053200(com.apple.driver.DiskImages.UDIFDiskImage)
Kext: IOStreamFamily @0x8053900(com.apple.iokit.IOStreamFamily)
Kext: IOAudio2Family @0x8053e00(com.apple.iokit.IOAudio2Family)
Kext: IOAVFamily @0x8054800(com.apple.iokit.IOAVFamily)
Kext: IODisplayPortFamily @0x8057d00(com.apple.iokit.IODisplayPortFamily)
Kext: AppleSamsungDPTX @0x8059300(com.apple.driver.AppleSamsungDPTX)
Kext: IOUSBDeviceFamily @0x805b000(com.apple.iokit.IOUSBDeviceFamily)
Kext: AppleUSBDeviceMux @0x805bd00(com.apple.driver.AppleUSBDeviceMux)
Kext: PPP @0x805c500(com.apple.nke.ppp)
Kext: L2TP @0x805cf00(com.apple.nke.l2tp)
Kext: I/O Kit Networking Family @0x805d500(com.apple.iokit.IONetworkingFamily)
Kext: IO80211Family @0x805ef00(com.apple.iokit.IO80211Family)
Kext: IOKit Serial Port Family @0x8063e00(com.apple.iokit.IOSerialFamily)
Kext: AppleOnboardSerial @0x8064800(com.apple.driver.AppleOnboardSerial)
Kext: Broadcom 802.11 Driver @0x8065600(com.apple.driver.AppleBCMWLANCore)
Kext: AppleSamsungSPI @0x806c400(com.apple.driver.AppleSamsungSPI)
Kext: I/O Kit Driver for USB Composite Devices @0x806c800(com.apple.driver.AppleUSBComposite)
Kext: I/O Kit Driver for USB Devices @0x806cd00(com.apple.driver.AppleUSBMergeNub)
Kext: AppleEmbeddedUSBHost @0x806d200(com.apple.driver.AppleEmbeddedUSBHost)
Kext: AppleUSBEthernetHost @0x806d700(com.apple.driver.AppleUSBEthernetHost)
Kext: AppleARM7M @0x806dc00(com.apple.driver.AppleARM7M)
Kext: corecrypto @0x806e000(com.apple.kec.corecrypto)
Kext: IOTextEncryptionFamily @0x8070b00(com.apple.IOTextEncryptionFamily)
Kext: IOCryptoAcceleratorFamily @0x8071000(com.apple.iokit.IOCryptoAcceleratorFamily)
Kext: AppleMobileFileIntegrity @0x8071e00(com.apple.driver.AppleMobileFileIntegrity)
Kext: Regular Expression Matching Engine @0x8073500(com.apple.kext.AppleMatch)
Kext: Seatbelt sandbox policy @0x8073900(com.apple.security.sandbox)
Kext: AppleProfileFamily @0x8074400(com.apple.iokit.AppleProfileFamily)
Kext: AppleProfileTimestampAction @0x8076f00(com.apple.driver.AppleProfileTimestampAction)
Kext: AppleNANDConfigAccess @0x8077300(com.apple.driver.AppleNANDConfigAccess)
Kext: AppleDiagnosticDataAccessReadOnly @0x8077600(com.apple.driver.AppleDiagnosticDataAccessReadOnly)
Kext: IOMobileGraphicsFamily @0x8077900(com.apple.iokit.IOMobileGraphicsFamily)
Kext: IODARTFamily @0x8078800(com.apple.driver.IODARTFamily)
Kext: Apple M2 Scaler and Color Space Converter Driver @0x8079300(com.apple.driver.AppleM2ScalerCSCDriver)
Kext: IOAcceleratorFamily @0x807a700(com.apple.iokit.IOAcceleratorFamily)
Kext: EncryptedBlockStorage @0x807c400(com.apple.iokit.EncryptedBlockStorage)
Kext: IOFlashStorage @0x807cc00(com.apple.iokit.IOFlashStorage)
Kext: AppleNANDFTL @0x807e500(com.apple.driver.AppleNANDFTL)
Kext: ApplePPNFTL @0x807ee00(com.apple.driver.ApplePPNFTL)
Kext: AppleDiskImagesRAMBackingStore @0x8081b00(com.apple.driver.DiskImages.RAMBackingStore)
Kext: IOHIDFamily @0x8081e00(com.apple.iokit.IOHIDFamily)
Kext: I/O Kit Driver for USB HID Devices @0x8083e00(com.apple.iokit.IOUSBHIDDriver)
Kext: AppleS5L8920X @0x8084400(com.apple.driver.AppleS5L8920X)
Kext: AppleARMPL192VIC @0x8085100(com.apple.driver.AppleARMPL192VIC)
Kext: AppleBluetooth @0x8085400(com.apple.driver.AppleBluetooth)
Kext: I/O Kit Driver for USB EHCI Controllers @0x8085700(com.apple.driver.AppleUSBEHCI)
Kext: I/O Kit Driver for USB OHCI Controllers @0x8086d00(com.apple.driver.AppleUSBOHCI)
Kext: AppleEmbeddedUSB @0x8087900(com.apple.driver.AppleEmbeddedUSB)
Kext: Embedded I/O Kit Driver for USB OHCI Controllers @0x8088200(com.apple.driver.AppleUSBOHCIARM)
Kext: AppleNANDFirmware @0x8088700(com.apple.driver.AppleNANDFirmware)
Kext: AppleEmbeddedCompass @0x8088b00(com.apple.driver.AppleEmbeddedCompass)
Kext: AppleD1815PMU @0x8089300(com.apple.driver.AppleD1815PMU)
Kext: AppleProfileThreadInfoAction @0x808aa00(com.apple.driver.AppleProfileThreadInfoAction)
Kext: AppleEmbeddedGyro @0x808ae00(com.apple.driver.AppleEmbeddedGyro)
Kext: AppleSynopsysOTGDevice @0x808b700(com.apple.driver.AppleSynopsysOTGDevice)
Kext: AppleEmbeddedLightSensor @0x808c100(com.apple.driver.AppleEmbeddedLightSensor)
Kext: AppleSamsungSerial @0x808cd00(com.apple.driver.AppleSamsungSerial)
Kext: AppleUSBMike @0x808d100(com.apple.driver.AppleUSBMike)
Kext: AppleNANDLegacyFTL @0x808d500(com.apple.driver.AppleNANDLegacyFTL)
Kext: AppleSamsungMIPIDSI @0x8090300(com.apple.driver.AppleSamsungMIPIDSI)
Kext: I/O Kit HID Event Driver Safe Boot @0x8090800(com.apple.driver.AppleBSDKextStarter)
Kext: AppleHIDKeyboard @0x8090b00(com.apple.driver.AppleHIDKeyboard)
Kext: IOKit SDIO Family @0x8090e00(com.apple.iokit.IOSDIOFamily)
Kext: AppleIOPSDIO @0x8091e00(com.apple.driver.AppleIOPSDIO)
Kext: AppleLTC4099Charger @0x8092600(com.apple.driver.AppleLTC4099Charger)
Kext: I/O Kit Driver for USB HID Devices @0x8092a00(com.apple.driver.AppleCDMA)
Kext: AppleProfileReadCounterAction @0x8093100(com.apple.driver.AppleProfileReadCounterAction)
Kext: AppleSamsungSWI @0x8093500(com.apple.driver.AppleSamsungSWI)
Kext: IOUserEthernet @0x8093900(com.apple.iokit.IOUserEthernet)
Kext: AppleUSBHSIC @0x8094100(com.apple.driver.AppleUSBHSIC)
Kext: Embedded I/O Kit Driver for USB EHCI Controllers @0x8094900(com.apple.driver.AppleUSBEHCIARM)
Kext: AppleAMC_r2 @0x8095000(com.apple.driver.AppleAMC_r2)
Kext: EmbeddedIOP @0x809c900(com.apple.driver.EmbeddedIOP)
Kext: ApplePinotLCD @0x809d100(com.apple.driver.ApplePinotLCD)
Kext: IOSurface @0x809d400(com.apple.iokit.IOSurface)
Kext: AppleDisplayPipe @0x809e200(com.apple.driver.AppleDisplayPipe)
Kext: AppleCLCD @0x809f200(com.apple.driver.AppleCLCD)
Kext: AppleS5L8930XDART @0x80a0000(com.apple.driver.AppleS5L8930XDART)
Kext: I/O Kit Driver for USB Hubs @0x80a0500(com.apple.driver.AppleUSBHub)
Kext: AppleKernelStorage @0x80a0e00(com.apple.platform.AppleKernelStorage)
Kext: AppleM68Buttons @0x80a1100(com.apple.driver.AppleM68Buttons)
Kext: AppleUSBEthernetDevice @0x80a1500(com.apple.driver.AppleUSBEthernetDevice)
Kext: AppleUSBHIDKeyboard @0x80a1a00(com.apple.driver.AppleUSBHIDKeyboard)
Kext: BasebandSPI @0x80a1d00(com.apple.driver.BasebandSPI)
Kext: AppleEffaceableStorage @0x80a3700(com.apple.driver.AppleEffaceableStorage)
Kext: LightweightVolumeManager @0x80a4100(com.apple.driver.LightweightVolumeManager)
Kext: IMGSGX535 Graphics Kernel Extension @0x80a4b00(com.apple.IMGSGX535)
Kext: I/O Kit HID Event Driver @0x80a7800(com.apple.driver.AppleIOPFMI)
Kext: AppleTetheredDevice @0x80a8800(com.apple.driver.AppleTetheredDevice)
Kext: AppleProfileKEventAction @0x80a8b00(com.apple.driver.AppleProfileKEventAction)
Kext: AppleRGBOUT @0x80a8f00(com.apple.driver.AppleRGBOUT)
Kext: IOFlashNVRAM @0x80a9700(com.apple.driver.IOFlashNVRAM)
Kext: AppleS5L8930XUSB @0x80a9d00(com.apple.driver.AppleS5L8930XUSB)
Kext: AppleDPRepeater @0x80aa100(com.apple.driver.AppleDPRepeater)
Kext: AppleARMPL080DMAC @0x80ad000(com.apple.driver.AppleARMPL080DMAC)
Kext: AppleAC3Passthrough @0x80ad400(com.apple.driver.AppleAC3Passthrough)
Kext: AppleIntegratedProxALSSensor @0x80ada00(com.apple.driver.AppleIntegratedProxALSSensor)
Kext: AppleDiskImagesFileBackingStore @0x80ae400(com.apple.driver.DiskImages.FileBackingStore)
Kext: AppleUSBAudio @0x80ae800(com.apple.driver.AppleUSBAudio)
Kext: AppleTVOut @0x80b1800(com.apple.driver.AppleTVOut)
Kext: tlsnke @0x80b1c00(com.apple.nke.tls)
Kext: AppleS5L8930XUSBPhy @0x80b2200(com.apple.driver.AppleS5L8930XUSBPhy)
Kext: AppleProfileRegisterStateAction @0x80b2600(com.apple.driver.AppleProfileRegisterStateAction)
Kext: IOAccessoryManager @0x80b2a00(com.apple.iokit.IOAccessoryManager)
Kext: AppleS5L8930X @0x80b3e00(com.apple.driver.AppleS5L8930X)
Kext: AppleBSDKextStarterVPN @0x80b4800(com.apple.driver.DiskImages.ReadWriteDiskImage)
Kext: AppleARMIISAudio @0x80b4b00(com.apple.iokit.AppleARMIISAudio)
Kext: AppleEmbeddedProx @0x80b5200(com.apple.driver.AppleEmbeddedProx)
Kext: AppleMultitouchSPI @0x80b5a00(com.apple.driver.AppleMultitouchSPI)
Kext: H3 H264 Video Encoder @0x80b6e00(com.apple.driver.H2H264VideoEncoderDriver)
Kext: Broadcom WLAN SDIO Bus Driver @0x80b8f00(com.apple.driver.AppleBCMWLANBusInterfaceSDIO)
Kext: AppleUSBEthernet @0x80ba000(com.apple.driver.AppleUSBEthernet)
Kext: PPTP @0x80ba900(com.apple.nke.pptp)
Kext: AppleJPEGDriver @0x80bae00(com.apple.driver.AppleJPEGDriver)
Kext: AppleSamsungI2S @0x80bb800(com.apple.driver.AppleSamsungI2S)
Kext: AppleEmbeddedAccelerometer @0x80bbc00(com.apple.driver.AppleEmbeddedAccelerometer)
Kext: IOMikeyBusFamily @0x80bc200(com.apple.iokit.IOMikeyBusFamily)
Kext: AppleEmbeddedAudio @0x80bd400(com.apple.driver.AppleEmbeddedAudio)
Kext: AppleLM48557Amp @0x80bf500(com.apple.driver.AppleLM48557Amp)
Kext: AppleProfileCallstackAction @0x80bf800(com.apple.driver.AppleProfileCallstackAction)
Kext: AppleMultitouchSPIN1F55 @0x80bfc00(com.apple.driver.AppleCD3282Mikey)
Kext: AppleMultitouchSPIZ2F13 @0x80c0000(com.apple.driver.AppleImage3NORAccess)
Kext: AppleH3CameraInterface @0x80c0800(com.apple.driver.AppleH3CameraInterface)
Kext: AppleSamsungPKE @0x80c2700(com.apple.driver.AppleSamsungPKE)
Kext: AppleKeyStore @0x80c2b00(com.apple.driver.AppleKeyStore)
Kext: AppleHIDKeyboardEmbedded @0x80c3800(com.apple.driver.AppleCS42L59Audio)

</pre>

Kernel

2013-04-08T20:43:16Z

Morpheus: /* See Also */

The '''kernel''' of [[iOS]] is the [[wikipedia:XNU|XNU]] kernel. Pre-2.0, it was vulnerable to the [[Ramdisk Hack]] and may still be, but iBoot doesn't allow boot-args to be passed anymore. It is mapped to memory at 0x80000000, forcing a 2/2GB address separation, similar to Windows 32-bit model. On older iOS the separation was 3/1 (mapping the kernel at 0xC0000000), closer to the Linux model.

Note, that this is NOT like 32-bit OS X, wherein the kernel resides in its own address space, but more like OS X 64-bit, wherein CR3 is shared (albeit an address space larger by several orders of magnitude). See the appropriate [[#64-bit|section]]

== [[ASLR]] ==
{{main|Kernel ASLR}}
As of [[iOS]] 6, the kernel is subject to ASLR, much akin to Mountain Lion (OS X 10.8). This make exploitation harder as the location of kernel code cannot be known.

On production devices, the kernel is always stored as a statically linked [[kernelcache|cache]] stored at [[/System/Library/Caches/com.apple.kernelcaches/kernelcache]] that is decompressed and run on startup. On development devices the kernel is stored in the same location as OS X, at [[/mach_kernel]].

== Stack ==
The kernel maintains its stack at <code>0xd2000000</code>.

== Boot-Args ==
Like its OS X counterpart, iOS's XNU accepts command line arguments (though the actual passing of arguments is done by iBoot, which as of late refuses to do so). Arguments may be directed at the kernel proper, or any one of the many KExts (discussed below). The arguments of the kernel are largely the same as those of OS X.

KExts use boot-args as well, as can be seen when disassembly by calls to PE_parse_boot_argn (usually exported, _PE_parse_boot_argn 8027A8EC on the iOS 6.1.3 kernel, discovered by [[User:Haifisch|Haifisch]]). Finding references (using IDA) reveals hundreds places in the code wherein arguments are parsed in modules, pertaining to Flash, HDMI, and [[AppleMobileFileIntegrity|AMFI]].

Here's a list of boot-args extracted with the [https://github.com/pod2g/ios_stuff/tree/master/idc-ios-boot-args IDA script] by [[User:MuscleNerd|MuscleNerd]]:

_nand-part-poison
_panicd_corename
_panicd_ip
_router_ip
acc_debug
aesdev
als_enable_debug
amfi
amfi_allow_any_signature
amfi_get_out_of_my_way
amfi_unrestrict_task_for_pid
AppleEmbeddedUSBArbitrator-debug
AppleS5L8930XUSBArbitrator-debug
AppleUSBPhy-debug
arm7m-enable-jtag
-b
backlight-level
backlight-logging
baseband-spi-sclk-period
bcom.chip.driveStrength_mA
bcom.chip.watermark
bcom.clock.sd-rate
bcom.devif.fn2-block-size
bcom.devif.rx-retries
bcom.devif.transaction-log
bcom.devif.tx-retries
bcom.feature.flags
bcom.ps.inactivity.timeout
bcom.wte.thread-priority
boot-uuid
brightness
burnin-size
cameraclocks
charger-debug
cpus
cs_debug
cs_enforcement_disable
darkwake
dart
dcc
debug
disable-usb-iap
dp_async_event_fail_hard
dp_audio_driver_level
dp_audio_driver_mask
dp_audio_interface_level
dp_audio_interface_mask
dp_controller_level
dp_controller_mask
dp_device_level
dp_device_mask
dp_display_interface_level
dp_display_interface_mask
dp_interface_level
dp_interface_mask
dp_log_level
dp_max_channel_count_lpcm
dp_max_sample_rate_lpcm
dp_max_sample_size_lpcm
dp_min_channel_count_lpcm
dp_min_sample_rate_lpcm
dp_min_sample_size_lpcm
dp_service_level
dp_service_mask
dpsm
dvb
dvc
dvd
effaceable-enable-full-scan
effaceable-enable-wipe
enable-acsleep
fairshare_minblockedtime
fill
fixedpriority_quantum
fix-parity
force-usb-host
force-usb-power
hdmi_max_channel_count_lpcm
hdmi_max_sample_rate_lpcm
hdmi_max_sample_size_lpcm
hdmi_min_channel_count_lpcm
hdmi_min_sample_rate_lpcm
hdmi_min_sample_size_lpcm
hdmi_protection_type
hp-detect-invert
hp-pop-workaround
hp-switch-force-config
hp-switch-ramp
hsic
i2c-logsize
i2c-verbose
ifa_debug
ifnet_debug
initmcl
io
iopfmi-timeout
iotrace
jpeg-log
jtag
kdp_crashdump_pkt_size
kdp_ip_addr
kdp_match_mac
kdp_match_name
keepsyms
kextlog
link_recovery_enabled
mbuf_debug
mbuf_pool
mcache_flags
mleak_sample_factor
mseg
msgbuf
mt-bytes
mt-strings
mtxspin
nand-boot-malloc
nand-check-vs
nand-commands
nand-disable-driver
nand-dump-vs-table
nand-enable-adm
nand-enable-reformat
nand-enable-yaftl
nand-erase
nand-erase-install
nand-fbbt-publish
nand-force-restore
nand-idle-timeout-ms
nand-ignore-ptab
nand-index-cache-size
nand-latency-us
nand-max-pages
nand-neuralize
nand-nvram-debug
nand-ppn-debug
nand-ppn-vs-debug
nand-qual
nand-queue-entries
nand-read-blocks-max
nand-read-dccycle-clks
nand-read-hold-clks
nand-readonly
nand-read-setup-clks
nand-reorder-defer-max
nand-reorder-defer-size-trigger
nand-reorder-read-promote-max
nand-reset-burnin
nand-save-rma-data
nand-set-rma
nand-sftl-cache-drain
nand-sleep-debug-panic
nand-slow-timings
nand-wearlevel-timeout-ms
nand-whiten-metadata
nand-wipe
nand-write-blocks-max
nand-write-hold-clks
nand-write-setup-clks
nbuf
ncl
net.inet6.ip6.scopedroute
net_affinity
net_rtref
network-type
-no64exec
-novfscache
panicd_port
pcp
pctb
pdmvr
pio-error
pmu-chargetrap
pmu-debug
ppn-clean
-progress
prox_enable_debug
pthtest
rd
remote_nmi
rootdev
-s
sdio.clock.base-rate
sdio.clock.sd-rate
sdio.debug.abort-init
sdio.debug.init-delay
sdio.log.flags
sdio.log.level
sdio.transfer.max-pio-blocks
sdio.transfer.max-pio-size
sdio.transfer.mode
serial
sgx_panic_on_recovery
shadev
slto_us
socket_debug
torchcltm0
usb
usb_dev_nmi
usb_dev_reset
-vnode_cache_defeat
wdt
wfi
wlan.ap.channel
wlan.debug.abort-init
wlan.debug.generate-mac
wlan.log.flags
wlan.log.level
wlan.log.timestamp
wlan.netmanager.stats-timer-interval
wlan.panic.factory
wqsize
WTE
-x

== Versions ==
iOS has consistently maintained a higher kernel version than the corresponding version of OS X. At the time of writing, OS X Mountain Lion's XNU is 20xx, whereas iOS is 21xx. This is not surprising, considering that iOS has novel features (such as [[Kernel ASLR]], the default freezer, and various security hardening features) which are first incorporated in it, and only later make it to OS X. The following demonstrates the two OS versions at present:

OS X Mountain Lion 10.8.3:

Darwin Kernel Version 12.3.0: Sun Jan 6 22:37:10 PST 2013; root:xnu-2050.22.13~1/RELEASE_X86_64 x86_64

iOS 6.1.3:
Darwin Kernel Version 13.0.0: Wed Feb 13 21:36:52 PST 2013; root:xnu-2107.7.55.2.2~1/RELEASE_ARM_S5L8930X

Note: The RELEASE_ARM_xxxxxxxx file obviously differs on device / CPU.

=== Version List ===

{| class="wikitable sortable" style="font-size: smaller; text-align: center;"
|-
! Version
! Build
! Comment
|-
| [[Alpine 1A420 (iPhone)|1A420]]
| Darwin Kernel Version 4.4.2-Purple-19: Thu Mar 8 01:43:04 PST 2007; root:xnu-933.0.14~46/RELEASE_ARM_S5L8900XRB
| from prototype - not sure if 100% correct.
|-
| 1.0.0
|
|
|-
| 1.0.1
|
|
|-
| 1.0.2
|
|
|-
| 1.1.1
|
|
|-
| 1.1.2
|
|
|-
| 1.1.3
|
|
|-
| 1.1.4
|
|
|-
| 2.0
|
|
|-
| 2.0.1
|
|
|-
| 2.0.2
|
|
|-
| 2.1
|
|
|-
| 2.2
|
|
|-
| 2.2.1
|
|
|-
| 3.0
|
|
|-
| 3.0.1
|
|
|-
| 3.1
|
|
|-
| 3.1.2
|
|
|-
| 3.1.3
|
|
|-
| 3.2
|
|
|-
| 3.2.1
|
|
|-
| 3.2.2
|
|
|-
| 4.0
|
|
|-
| 4.0.1
|
|
|-
| 4.0.2
|
|
|-
| 4.1
|
|
|-
| 4.2.1
| Darwin Kernel Version 10.4.0: Wed Oct 20 20:14:45 PDT 2010; root:xnu-1504.58.28~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3
|
|
|-
| 4.3.1
|
|
|-
| 4.3.2
|
|
|-
| 4.3.3
| Darwin Kernel Version 11.0.0: Wed Mar 30 18:44:45 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_[[S5L8920]]X
|
|-
| 4.3.4
|
|
|-
| 4.3.5
| Darwin Kernel Version 11.0.0: Sat Jul 9 00:59:43 PDT 2011; root:xnu-1735.47~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.0
| Darwin Kernel Version 11.0.0: Thu Sep 15 23:34:43 PDT 2011; root:xnu-1878.4.43~2/RELEASE_ARM_[[S5L8940]]X
|
|-
| 5.0.1
| Darwin Kernel Version 11.0.0: Tue Nov 1 20:34:16 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_[[S5L8940]]X
|
|-
| 5.1
| Darwin Kernel Version 11.0.0: Wed Feb 1 23:18:07 PST 2012; root:xnu-1878.11.8~1/RELEASE_ARM_[[S5L8945]]X
|
|-
| 5.1.1
| Darwin Kernel Version 11.0.0: Sun Apr 8 21:51:26 PDT 2012; root:xnu-1878.11.10~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0
| Darwin Kernel Version 13.0.0: Sun Aug 19 00:31:06 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.0.1
| Darwin Kernel Version 13.0.0: Wed Oct 10 23:29:02 PDT 2012; root:xnu-2107.2.34~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0.2
| Darwin Kernel Version 13.0.0: Wed Oct 10 23:32:19 PDT 2012; root:xnu-2107.2.34~2/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.1
| Darwin Kernel Version 13.0.0: Sun Dec 16 20:01:39 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.1.1
| Darwin Kernel Version 13.0.0: Sun Dec 16 19:58:44 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_[[S5L8940]]X
|
|-
| 6.1.2
| Darwin Kernel Version 13.0.0: Sun Dec 16 20:01:39 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.1.3
| Darwin Kernel Version 13.0.0: Wed Feb 13 21:36:52 PST 2013; root:xnu-2107.7.55.2.2~1/RELEASE_ARM_[[S5L8930]]X
|
|}

== Source Code ==
As XNU is based off of the [[wikipedia:Berkeley Software Distribution|BSD kernel]], it is [http://opensource.apple.com/source/xnu open source]. The source is under a [http://opensource.apple.com/license/bsd/ 3-clause BSD License] for the original BSD portions with the portions added by Apple under the [http://opensource.apple.com/license/apsl/ Apple Public Source License]. The [[#Versions|versions contained in iOS]] are not available, instead only versions used in ''OS X'' are available. This does not appear to be legal as per §2.3 in the APSL:
2.3 Distribution of Executable Versions. In addition, if You Externally Deploy Covered
Code (Original Code and/or Modifications) in object code, executable form only, '''You must'''
'''include a prominent notice''', in the code itself as well as in related documentation, '''stating'''
'''that Source Code of the Covered Code is available''' under the terms of this License '''with'''
'''information on how and where to obtain such Source Code'''.
with ''Source Code'' defined in §1.8:
1.8 "Source Code" means the human readable form of a program or other work that is
suitable for making modifications to it, including all modules it contains, plus any
associated interface definition files, scripts used to control compilation and installation
of an executable (object code).

It is worth noting that Apple does ''not'' list XNU as being an open source component of [[iOS]]. This can be seen by viewing [http://opensource.apple.com/ opensource.apple.com] and selecting ''any'' iOS version. As far as can be told, ''none'' of the versions of XNU are available in source version.

There are many other open souce components that iOS uses that are ''not'' listed, such as:
* [http://opensource.apple.com/source/CF/ CF] ([https://developer.apple.com/library/mac/#documentation/CoreFoundation/Reference/CoreFoundation_Collection/_index.html CoreFoundation] - Cocoa)
* [http://opensource.apple.com/source/SQLite/ SQLite] ([http://www.sqlite.org/ SQLite] - database utility)
* [http://opensource.apple.com/source/TimeZoneData/ TimeZoneData] ([[wikipedia:tz database|tz database]] - [[/usr/share/zoneinfo]])
* [http://opensource.apple.com/source/curl/ curl](?) ([http://curl.haxx.se/ libcurl] - various HTTP operations)
* [http://opensource.apple.com/source/hfs/ hfs] (hfs - [[wikipedia:Hierarchical File System|HFS]] driver)
* [http://opensource.apple.com/source/launchd/ launchd] ([[launchd]] - launch daemon)
* [http://opensource.apple.com/source/libxml2/ libxml2](?) ([http://www.xmlsoft.org/ libxml2] - parser for [[wikipedia:XML|XML]] [[Property List|plist]]s)
* [http://opensource.apple.com/source/xnu/ xnu] (XNU - Kernel)
* [http://opensource.apple.com/source/zip/ zip] (zip - extraction of various files)
It does ''not'' appear that Apple assumes what you see in the ''OS X'' pages are also on ''iOS'' as [http://opensource.apple.com/source/JavaScriptCore/ JavaScriptCore], [http://opensource.apple.com/source/WebCore/ WebCore], among others are listed on both [http://opensource.apple.com/release/mac-os-x-108/ OS X] (10.8) and [http://opensource.apple.com/release/ios-60/ iOS] (6.0), albeit different versions.

It is also worth noting that [http://opensource.apple.com/source/gdb/ gdb] ([[wikipedia:GNU Compiler Collection|GCC]] debugger) and [http://opensource.apple.com/source/ld64/ ld64] are listed as components in [http://opensource.apple.com/release/ios-60/ iOS 6.0]. Why there are present is a mystery as they are not present on unaltered devices, but only through [[Cydia.app|Cydia]] or [[Xcode]]'s <code>DeveloperImage.dmg</code>.

== Kernel Extensions ==
iOS, sadly, does ''not'' have [[Kernel Extension|kext]]s floating around the [[/|file system]], but they are indeed present. The [[kernelcache]] can be unpacked to show the kernel proper, along with the kexts (all packed in the __PRELINK_TEXT section) and their [[Property List|plist]]s (in the __PRELINK_INFO section).

The Cydia supplied [[kextstat]] does not work on [[iOS]]. Sadly, the reason is that kextstat relies on <code>kmod_get_info(...)</code>, which is a deprecated (and recently removed) API in recent iOS and OS X versions. With that said, the [[Kernel Extension|kext]]s ''do'' exist. The alternative, [[kextstat#jkextstat|jkextstat]], ''does'' work on recent iOS versions. jkextstat can cause some confusion as it uses the executable name <code>kextstat</code>, similar to how calling <code>g++</code> just launches <code>gcc</code> but with parameters to treat all <code>.c</code> files as C++ files.

The following is the output from [[kextstat#jkextstat|jkextstat]] on an [[n81ap|iPod touch 4G]] running [[iOS]] 6(?):

Podicum:~ root# ./kextstat
0 __kernel__
1 kpi.bsd
2 kpi.dsep
3 kpi.iokit
4 kpi.libkern
5 kpi.mach
6 kpi.private
7 kpi.unsupported
8 driver.AppleARMPlatform <1 3 4 5 6 7>
9 iokit.IOStorageFamily <1 3 4 5 6 7>
10 driver.DiskImages <1 3 4 5 6 7 9>
11 driver.FairPlayIOKit <1 3 4 5 6 7>
12 driver.IOSlaveProcessor <3 4>
13 driver.IOP_s5l8930x_firmware <3 4 12>
14 iokit.AppleProfileFamily <1 3 4 5 6 7>
15 iokit.IOCryptoAcceleratorFamily <1 3 4 5 7>
16 driver.AppleMobileFileIntegrity <1 2 3 4 5 6 7 15>
17 iokit.IONetworkingFamily <1 3 4 5 6 7>
18 iokit.IOUserEthernet <1 3 4 5 6 16 17>
19 platform.AppleKernelStorage <3 4 7>
20 iokit.IOSurface <1 3 4 5 6 7 8>
21 iokit.IOStreamFamily <3 4 5>
22 iokit.IOAudio2Family <1 3 4 5 21>
23 driver.AppleAC3Passthrough <1 3 4 5 7 8 11 21 22>
24 iokit.EncryptedBlockStorage <1 3 4 5 9 15>
25 iokit.IOFlashStorage <1 3 4 5 7 9 24>
26 driver.AppleEffaceableStorage <1 3 4 5 7 8 25>
27 driver.AppleKeyStore <1 3 4 5 6 7 15 16 26>
28 kext.AppleMatch <1 4>
29 security.sandbox <1 2 3 4 5 6 7 16 28>
30 driver.AppleS5L8930X <1 3 4 5 7 8>
31 iokit.IOHIDFamily <1 3 4 5 6 7 16>
32 driver.AppleM68Buttons <1 3 4 5 7 8 31>
33 iokit.IOUSBDeviceFamily <1 3 4 5>
34 iokit.IOSerialFamily <1 3 4 5 6 7>
35 driver.AppleOnboardSerial <1 3 4 5 7 34>
36 iokit.IOAccessoryManager <3 4 5 7 8 33 34 35>
37 driver.AppleProfileTimestampAction <1 3 4 5 14>
38 driver.AppleProfileThreadInfoAction <1 3 4 6 14>
39 driver.AppleProfileKEventAction <1 3 4 14>
40 driver.AppleProfileRegisterStateAction <1 3 4 14>
41 driver.AppleProfileCallstackAction <1 3 4 5 6 14>
42 driver.AppleProfileReadCounterAction <3 4 6 14>
43 driver.AppleARMPL192VIC <3 4 5 7 8>
44 driver.AppleCDMA <1 3 4 5 7 8 15>
45 driver.IODARTFamily <3 4 5>
46 driver.AppleS5L8930XDART <1 3 4 5 7 8 45>
47 iokit.IOSDIOFamily <1 3 4 5 7>
48 driver.AppleIOPSDIO <1 3 4 5 7 8 12 47>
49 driver.AppleIOPFMI <1 3 4 5 7 8 12 25>
50 driver.AppleSamsungSPI <1 3 4 5 7 8>
51 driver.AppleSamsungSerial <1 3 4 5 7 8 34 35>
52 driver.AppleSamsungPKE <3 4 5 7 8 15>
53 driver.AppleS5L8920X <1 3 4 5 7 8>
54 driver.AppleSamsungI2S <1 3 4 5 7 8>
55 driver.AppleEmbeddedUSB <1 3 4 5 7 8>
56 driver.AppleS5L8930XUSBPhy <1 3 4 5 7 8 55>
57 iokit.IOUSBFamily <1 3 4 5 7>
58 driver.AppleUSBEHCI <1 3 4 5 7 57>
59 driver.AppleUSBComposite <1 3 4 57>
60 driver.AppleEmbeddedUSBHost <1 3 4 5 7 55 57 59>
61 driver.AppleUSBOHCI <1 3 4 5 57>
62 driver.AppleUSBOHCIARM <3 4 5 8 55 57 60 61>
63 driver.AppleUSBHub <1 3 4 5 57>
64 driver.AppleUSBEHCIARM <3 4 5 8 55 57 58 60 63>
65 driver.AppleS5L8930XUSB <1 3 4 5 7 8 55 57 58 60 61 62 64>
66 driver.AppleARM7M <3 4 8 12>
67 driver.EmbeddedIOP <3 4 5 12>
68 driver.AppleVXD375 <1 3 4 5 7 8 11>
69 driver.AppleD1815PMU <1 3 4 5 7 8 31>
70 iokit.AppleARMIISAudio <1 3 4 5 7 22>
71 driver.AppleEmbeddedAudio <1 3 4 5 7 8 22 31 70>
72 driver.AppleCS42L59Audio <3 4 5 8 22 31 70 71>
73 driver.AppleEmbeddedAccelerometer <3 4 5 7 8 31>
74 driver.AppleEmbeddedGyro <1 3 4 5 7 8 31>
75 driver.AppleEmbeddedLightSensor <3 4 5 7 8 31>
76 iokit.IOAcceleratorFamily <1 3 4 5 7 8>
77 IMGSGX535 <1 3 4 5 7 8 76>
78 driver.H2H264VideoEncoderDriver <1 3 4 5 7 8>
79 driver.AppleJPEGDriver <1 3 4 5 7 8>
80 driver.AppleH3CameraInterface <1 3 4 5 7 8>
81 driver.AppleM2ScalerCSCDriver <1 3 4 5 7 8 45>
82 iokit.IOMobileGraphicsFamily <1 3 4 5 7 8>
83 driver.AppleDisplayPipe <1 3 4 5 7 8 82>
84 driver.AppleCLCD <1 3 4 5 7 8 82 83>
85 driver.AppleSamsungMIPIDSI <1 3 4 5 7 8>
86 driver.ApplePinotLCD <1 3 4 5 7 8>
87 driver.AppleSamsungSWI <1 3 4 5 7 8>
88 iokit.IODisplayPortFamily <1 3 4 5 6 7 22>
89 driver.AppleRGBOUT <1 3 4 5 7 8 82 83 88>
90 driver.AppleTVOut <1 3 4 5 7 8>
91 driver.AppleAMC_r2 <1 3 4 5 7 8 11 21 22>
92 driver.AppleSamsungDPTX <3 4 5 7 8 88>
93 driver.AppleSynopsysOTGDevice <1 3 4 5 7 8 33 55>
94 driver.AppleNANDFTL <1 3 4 5 7 9 25>
95 driver.AppleNANDLegacyFTL <1 3 4 5 9 25 94>
96 AppleFSCompression.AppleFSCompressionTypeZlib <1 2 3 4 6>
97 IOTextEncryptionFamily <1 3 4 5 7 11>
98 driver.AppleBSDKextStarter <3 4>
99 nke.ppp <1 3 4 5 6 7>
100 nke.l2tp <1 3 4 5 6 7 99>
101 nke.pptp <1 3 4 5 6 7 99>
102 iokit.IO80211Family <1 3 4 5 6 7 17>
103 driver.AppleBCMWLANCore <1 3 4 5 6 7 8 17 102>
104 driver.AppleBCMWLANBusInterfaceSDIO <1 3 4 5 6 7 8 47 103>
105 driver.AppleDiagnosticDataAccessReadOnly <1 3 4 5 7 8 94>
106 driver.LightweightVolumeManager <1 3 4 5 9 15 24 26>
107 driver.IOFlashNVRAM <1 3 4 5 6 7 25>
108 driver.AppleNANDFirmware <1 3 4 5 25>
109 driver.AppleImage3NORAccess <1 3 4 5 7 8 15 108>
110 driver.AppleBluetooth <1 3 4 5 7 8>
111 driver.AppleMultitouchSPI <1 3 4 5 7 8>
112 driver.AppleUSBMike <1 3 4 5 8 22 33>
113 driver.AppleUSBDeviceMux <1 3 4 5 6 7 33>
114 driver.AppleUSBEthernetDevice <1 3 4 5 6 8 17 33>

For a specific extension, e.g. SandBox, the full information (including the handy load address) is also accessible:

<code>root# ./jkextstat -b sandbox -x</code>:
<plist>
<dict>
<key>CFBundleIdentifier</key>
<string>com.apple.security.sandbox</string>
<key>CFBundleVersion</key>
<string>154.7</string>
<key>OSBundleCPUSubtype</key>
<integer>9</integer>
<key>OSBundleCPUType</key>
<integer>12</integer>
<key>OSBundleDependencies</key>
<array>
<integer>6</integer>
<integer>7</integer>
<integer>5</integer>
<integer>3</integer>
<integer>28</integer>
<integer>1</integer>
<integer>4</integer>
<integer>16</integer>
<integer>2</integer>
</array>
<key>OSBundleExecutablePath</key>
<string>/System/Library/Extensions/Sandbox.kext/Sandbox</string>
<key>OSBundleIsInterface</key>
<false/>
<key>OSBundleLoadAddress</key>
<integer>2153734144</integer>
<key>OSBundleLoadSize</key>
<integer>36864</integer>
<key>OSBundleLoadTag</key>
<integer>29</integer>
<key>OSBundleMachOHeaders</key>
<data>
zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA
AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f
VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf
X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA
AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf
gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA
AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA
AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA
AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA
AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2
TzkVrtqsgOViBQ0=
</data>
<key>OSBundlePath</key>
<string>/System/Library/Extensions/Sandbox.kext</string>
<key>OSBundlePrelinked</key>
<true/>
<key>OSBundleRetainCount</key>
<integer>0</integer>
<key>OSBundleStarted</key>
<true/>
<key>OSBundleUUID</key>
<data>
FqyDtjZPORWu2qyA5WIFDQ==
</data>
<key>OSBundleWiredSize</key>
<integer>36864</integer>
<key>OSKernelResource</key>
<false/>
</dict>
</plist>

It's also worth mentioning that, in the above listing, the OSBundleMachOHeaders (base-64 encoded binary headers) leak kernel addresses in iOS 6.0, defeating [[Kernel ASLR]]. This has been quickly fixed in iOS 6.0.1, effectively locking down iOS for the foreseeable future, thanks to security researcher [[mdowd]].

== See Also ==
* [[Kernel Syscalls]]
* [[Kernel Sysctls]]
* [[Kernel Task]]
* [[Kernel Symbols]]
* [[kdebug]]
* [[kernelcache]]

== External Links ==
* [http://opensource.apple.com/source/xnu XNU Source] (up to latest **OS X** version)
* [[i0n1c]] on [https://media.blackhat.com/bh-us-11/Esser/BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf exploiting the kernel]
* [http://newosxbook.com/src.jl?tree=listings&file=18-1-JKextstat.c jkextstat.c]
* [http://www.amazon.com/gp/product/1118057651 OSX/iOS internals book]

Backboardd

2013-03-05T03:57:34Z

Morpheus: + Lsof

{{lowercase}}
'''backboardd''' is a [[wikipedia:Daemon (computing)|daemon]] that runs alongside the [[SpringBoard]] daemon. It has been introduced in iOS 6, aiming to offload some of Springboard's responsibilities, chiefly that of event handling. Prior to its introduction, SpringBoard was effectively the UI event sink for iOS, as is WindowServer in OS X. With backboardd, all touch events are first processed by this daemon, then translated and relayed to the iOS application in the foreground (i.e. to its UIApplication event loop).

As a simple experiment, login over SSH to send a kill -STOP signal to the daemon, then touch your device. If you kill -CONT the daemon, you will see your touch events played out, as the events are consumed from I/O Kit by backboardd, and relayed to the foreground app.

The backboardd is also responsible for automatic screen dimming (via AutoBrightness and Backlight plugins) as well as opening and holding icon states for Springboard. This can be easily verified with an output of "lsof":

<pre>
Padmi:~ root# ./lsof-arm7-iOS4.2 -p 64
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
backboard 64 mobile cwd DIR 1,2 884 2 /
backboard 64 mobile txt REG 1,3 333104 435969 /private/var/stash/libexec.hIXve8/backboardd
backboard 64 mobile txt REG 1,2 39067948 42342 /System/Library/Frameworks/UIKit.framework/Shared@2x.artwork
backboard 64 mobile txt REG 1,3 8902 439760 /private/var/mobile/Library/Caches/com.apple.springboard.sharedimagecache/Persistent/NewsstandApplicationIconOverlay.cpbitmap
backboard 64 mobile txt REG 1,3 5767168 601899 /private/var/tmp/iconLabels_gray.V8prSQ
backboard 64 mobile txt REG 1,3 26694 439757 /private/var/mobile/Library/Caches/com.apple.springboard.sharedimagecache/Persistent/NewsstandShadowTopNotch.cpbitmap
backboard 64 mobile txt REG 1,3 19400560 436078 /private/var/stash/share.xUDAtn/icu/icudt49l.dat
backboard 64 mobile txt REG 1,2 120336 34879 /System/Library/Extensions/AppleMultitouchSPI.kext/PlugIns/MultitouchHID.plugin/MultitouchHID
backboard 64 mobile txt REG 1,2 70096 11359 /System/Library/HIDPlugins/AutoBrightness.plugin/AutoBrightness
backboard 64 mobile txt REG 1,2 27312 11354 /System/Library/HIDPlugins/Backlight.plugin/Backlight
backboard 64 mobile txt REG 1,3 20480 439566 /private/var/mobile/Library/Caches/com.apple.keyboards/images/3064683122736642270
backboard 64 mobile txt REG 1,3 65536 439565 /private/var/mobile/Library/Caches/com.apple.keyboards/images/30646831221284115396
backboard 64 mobile txt REG 1,3 94880 601950 /private/var/mobile/Library/Caches/com.apple.IconsCache/com.klausthul.ktdictce_defaultRole-Icon.png_Icon@2x.png_Icon-Small.png_Icon-Small@2x.png_Icon-72.png_Icon-72@2x.png_Icon-Small-50.png_Icon-Small-50@2x.png-37
backboard 64 mobile txt REG 1,3 12140544 601932 /private/var/tmp/iconImages.eXOvjh
backboard 64 mobile txt REG 1,3 24576 511984 /private/var/mobile/Library/Caches/com.apple.keyboards/images/3064683122770392540
backboard 64 mobile txt REG 1,2 115152 779 /System/Library/AccessibilityBundles/BackBoard.axbundle/BackBoard
backboard 64 mobile txt REG 1,3 65536 439564 /private/var/mobile/Library/Caches/com.apple.keyboards/images/30646831223638791652
backboard 64 mobile txt REG 1,3 12140544 601961 /private/var/tmp/ghostlyIcons.4GmCvg
backboard 64 mobile txt REG 1,3 65536 439657 /private/var/mobile/Library/Caches/com.apple.keyboards/images/30646831221447664047
backboard 64 mobile txt REG 1,3 65536 439561 /private/var/mobile/Library/Caches/com.apple.keyboards/images/3064683122596967800
backboard 64 mobile txt REG 1,3 69632 439563 /private/var/mobile/Library/Caches/com.apple.keyboards/images/30646831221404757235
backboard 64 mobile txt REG 1,3 81920 439656 /private/var/mobile/Library/Caches/com.apple.keyboards/images/3064683122477341617
backboard 64 mobile txt REG 1,3 65536 439556 /private/var/mobile/Library/Caches/com.apple.keyboards/images/30646831221855203170
backboard 64 mobile txt REG 1,3 94208 439581 /private/var/mobile/Library/Caches/com.apple.keyboards/images/30646831223601320839
backboard 64 mobile txt REG 1,3 94208 439580 /private/var/mobile/Library/Caches/com.apple.keyboards/images/30646831222319862850
backboard 64 mobile txt REG 1,3 81920 439557 /private/var/mobile/Library/Caches/com.apple.keyboards/images/30646831224201689474
backboard 64 mobile txt REG 1,3 65536 439570 /private/var/mobile/Library/Caches/com.apple.keyboards/images/3064683122373921450
backboard 64 mobile txt REG 1,3 110592 439655 /private/var/mobile/Library/Caches/com.apple.keyboards/images/3064683122583137537
backboard 64 mobile txt REG 1,3 94880 601955 /private/var/mobile/Library/Caches/com.apple.IconsCache/com.touchpress.orchestra_defaultRole-Icon-72_Icon-Small-50_Icon-Small_Icon-37
backboard 64 mobile txt REG 1,2 8353196 42333 /System/Library/Frameworks/UIKit.framework/Shared@2x~ipad.artwork
backboard 64 mobile txt REG 1,3 92486 426595 /private/var/mobile/Library/Caches/com.apple.springboard.sharedimagecache/Persistent/WallpaperIconDockShadow.cpbitmap
backboard 64 mobile txt REG 1,3 94880 601960 /private/var/mobile/Library/Caches/com.apple.IconsCache/com.apple.mobilesafari_CFBundleIcon[37]
backboard 64 mobile txt REG 1,3 94880 601962 /private/var/mobile/Library/Caches/com.apple.IconsCache/com.apple.mobilemail_CFBundleIcon[37]
backboard 64 mobile txt REG 1,3 81920 439560 /private/var/mobile/Library/Caches/com.apple.keyboards/images/30646831222343767418
... etc.. etc..
</pre>
[[Category:Daemons]]

Backboardd

2013-03-05T03:48:55Z

Morpheus: Explained what backboardd actually does, removed stub.