The iPhone Wiki - User contributions [en]

Tfp0 patch

2014-01-12T23:44:20Z

Winocm: Created page with "{{DISPLAYTITLE:task-for-pid0 Patch}} * task_for_pid requires entitlements 'get-task-allow' to make AMFI happy. * task_for_pid cannot get kernel_task without a patch. * Thi..."

{{DISPLAYTITLE:task-for-pid0 Patch}}
* task_for_pid requires entitlements 'get-task-allow' to make [[AMFI]] happy.
* task_for_pid cannot get kernel_task without a patch.
* This patch allows you to get the kernel Mach task, you can then use vm_read and vm_write to modify the kernel VM region.
[[Category:Kernel Patches]]

User:Winocm

2014-01-02T04:30:47Z

Winocm:

== Achievements and Tools ==
* Creator of [[opensn0w]]
* Creator of [http://github.com/darwin-on-arm Darwin on ARM] (includes utilities/software like the [[kernel]], [[image3maker]], dtc-AppleDeviceTree, kernel extensions and much much more.)
* Co-creator of [[p0sixspwn]]

== Links ==
* [http://winocm.com/ Homepage]
* [http://github.com/winocm GitHub]
* [http://twitter.com/winocm winocm on Twitter]

[[Category:Hackers]]

P0sixspwn

2014-01-02T04:25:24Z

Winocm:

{{lowercase}}
'''p0sixspwn''' is an [[untethered jailbreak]] for iOS 6.1.3-6.1.5 by [[User:winocm|winocm]], [[User:Ih8sn0w|iH8sn0w]] and [https://twitter.com/SquiffyPwn SquiffyPwn]. It was initially made available as an Cydia package on [[Saurik]]'s repo to untether already jailbroken devices. It works with all devices that support iOS 6.1.3-6.1.5, except for Apple TV 3. On 30 December 2013, a Mac OS X program was released to perform a jailbreak. A Windows version is coming soon.

==Changelog==
* '''1.3-2''' Fixes iMessage, LTE issues and Apple TV 2G support.
* '''1.2-1''' Various bug fixes.
* '''1.1-3''' Automatically reboot after two minutes if device did not boot due to 60 seconds was too quick. (iH8sn0w's repo only)
* '''1.1-2''' Automatically reboot after one minute if device did not boot due to 30 seconds was too quick. (iH8sn0w's repo only)
* '''1.1-1''' Automatically reboot after 30 seconds if device did not boot. (iH8sn0w's repo only)
* '''1.0-9''' [[n90ap|iPhone 4 GSM]] boot loop fix
* '''1.0-5''' the initial release of the untether

== Download ==
{| class="wikitable"
! Version
! OS
! SHA-1 Hash
! Download
! Changes
|-
! 1.0.0
| class="nobborderplz" rowspan="3" | [[wikipedia:OS X|Mac OS X]]
| <code>b5a66f4e58ab4c813fc851d479b28188eb5115ec</code>
| style="text-decoration: line-through;" | [https://mega.co.nz/#!0xtw0DAT!YVZmNXsn-kl1kH655zgpMGz8hSVVgk8FU3qlTPNfSdU Mega]
|
* Initial release.
|-
! 1.0.1
| <code>ae5b3907660b161b2ff94a2e2cfef97195404a89</code>
| style="text-decoration: line-through;" | [https://mega.co.nz/#!l8lniKxL!ODQrFDGbOUpm2hvU-mQggm25IgNk3_TmSO1r7tlU178 Mega]
|
* Resolves issues with iPod touch 5 not being detected.
|-
! 1.0.2
| <code>259e95fd16468260c8831ca17186f50b7d14ba41</code>
| [https://mega.co.nz/#!DVtmGLqa!BX2-OQUliBcfdlenMLa93mKxk244KpD9Z71p_DAeil8 Mega]
| class="nobborderplz" rowspan="2" |
* Resolves issues with LTE/data.
|}

== Exploits ==
* posix_spawn kernel information leak (by [[i0n1c]])
* mach_msg_ool_descriptor_ts for heap shaping
* dyld S_ATTR_LOC_RELOC/function reexport (also used in [[evasi0n7]])
* DeveloperDiskImage race condition (by [[comex]])
* MobileBackup2 arbitrary symbolic link restore (also used in [[evasi0n]])
* launchd.conf

== External Links ==
*[http://blog.ih8sn0w.com/2013/12/613-615-3gsa4-untether-cydia-package.html iH8sn0w's blog post on the release.]
* [http://p0sixspwn.com/ p0sixspwn]

[[Category:Hacking Software]]
[[Category:Jailbreaks]]

The iPhone Wiki:Community portal

2013-11-27T18:22:18Z

Winocm:

{{Talk Archive}}
{{see also|Unsolved problems}}
==iPhone-Elite==
I think we should include all this old stuff before it gets lost: [http://code.google.com/p/iphone-elite/ code.google.com/p/iphone-elite/]. I mean the wiki articles there. Most infos should be already here, but I'm sure a lot of things are missing too.
--[[User:Http|http]] 15:02, 26 June 2012 (MDT)

==Boot-args cleanup==
We need to clean up the boot-args pages. First the technical part: What I understand is that iBoot loads the kernel. And when loading it, it can pass some parameters to select certain behavior. So this only works with an iBoot or bootrom exploit. I understand that in earlier firmware versions there was simply an iBoot variable, but that doesn't exist or work anymore, now passing theses args requires a different or patched iBoot. There are various parameters in different kernel versions. The description for these arguments is scattered over various places:
*[[Kernel#Boot-Args]] A section with the latest boot arguments list. This should be a short introduction and having a link "main article".
*[[Boot-args (iBoot variable)]] separate page for boot arguments, but mainly for the iBoot variable that doesn't exist any longer
*[{{FULLURL:Boot arguments|redirect=no}} Boot arguments] (redirect)
*[[:Talk:Restore_Mode]] describing the iBoot variable problem
*Various pages referencing boot-args, like [[Research: Re-allowing unsigned ramdisks and boot-args with the 2.* iBoot]] (here we should have a link on the second title)
*My earlier comment [[:Talk:Kernel#boot-args]]
*This comment here.
So what do we want to do about this mess? I suggest to move the current [[Kernel]] content to the redirect page [[Boot arguments]] (or to another new page, maybe [[boot-args]]). The current content of [[Boot-args (iBoot variable)]] and all other content should get merged into there. Then change all references to this new page and on the [[Kernel]] page write just something short with "main article there". What do you think? --[[User:Http|http]] ([[User talk:Http|talk]]) 21:31, 13 February 2013 (UTC)
:I like [[Boot Arguments]]. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 02:01, 14 February 2013 (UTC)
::One addition: Maybe we should use [[boot-args]] as the main page, because all links are written like that. --[[User:Http|http]] ([[User talk:Http|talk]]) 07:37, 14 February 2013 (UTC)

==The iPhone Wiki re-design==
The design of the iPhone wiki is now quite old and I think it should be updated. I made a [http://oi42.tinypic.com/30ib9y8.jpg concept]. --[[User:Jaggions|Jaggions]] ([[User talk:Jaggions|talk]]) 10:30, 14 June 2013 (UTC)
:I disagree. If anything add an iPhone 5 to the logo but everything else is ok. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 11:05, 14 June 2013 (UTC)
:I wouldn't change the logo to an iPhone 5, especially with iOS 7 and a new iPhone (that will probably look the same as the 5, admittedly) around the corner. I contemplated updating the CSS for iOS 7's UI but decided not to because of the UI's supposed volatility (during the beta period) and I don't have a live version to toy around with. (I personally don't like its current state, but that's not a factor in why I'm not changing it yet.) --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 16:25, 14 June 2013 (UTC)
::Can we not do flat? --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 21:02, 14 June 2013 (UTC)
::This is what I was thinking. When iOS 7 finally comes out, we could change the CSS to look like that instead. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 21:11, 14 June 2013 (UTC)
:::iOS 7 looks ugly. We do not want it like that. Maybe a bit more modern but nothing much. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 21:16, 14 June 2013 (UTC)
::::''You'' may not want it like that. That's your opinion. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 01:55, 15 June 2013 (UTC)
:::::We could make a poll, and see if most users agree or disagree. --[[User:Jaggions|Jaggions]] ([[User talk:Jaggions|talk]]) 10:05, 15 June 2013 (UTC)
:The idea looks nice. But before we make any changes, let's wait until iOS7 comes out. And I'd prefer to just add another skin instead (if possible). I'm still using the classic MonoBook skin by the way. You shouldn't impose design changes to everyone. --[[User:Http|http]] ([[User talk:Http|talk]]) 14:38, 15 June 2013 (UTC)
::The problem with skins is that geohot needs to set them up... An idea I have is that we copy the Vector skin verbatim to a new skin (<code>iOS6</code>) and move the modifications (not general stuff) to [[Mediawiki:iOS6.css]]. Then we can do another verbatim copy to <code>iOS7</code> and modify [[Mediawiki:iOS7.css]]. We could then set the default skin to either <code>iOS6</code> or <code>iOS7</code> so you don't need to be logged in to see them like currently. Then if someone doesn't like them, like you, just change your settings to your preferred skin. The only way around needing geohot is if he opens up the credentials to FTP or whatever to someone. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 21:17, 15 June 2013 (UTC)
:::I like [[User:5urd|5urd]]'s suggestion. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 22:29, 15 June 2013 (UTC)
What about just removing the text-shadow element for now? I think pages would be easier to read without it. Here's an example: [[:File:Noshadow.png]]. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 00:11, 29 August 2013 (UTC)
:Yeah removing the shadow will make everything seem more flat but like [[User:http|http]] I'm still using the classic [http://theiphonewiki.com/w/index.php?title=Main_Page&useskin=monobook MonoBook skin] --[[User:Jaggions|Jaggions]] ([[User talk:Jaggions|talk]]) 21:19, 31 August 2013 (UTC)

==Hacker page==
I would like to be added to the list of hackers for my work with the Private Dev Team and the [[Chronic Dev (team)|Chronic Dev Team]] in addition to my release of the Phoenix Semi-Untethered. --[[User:Ph0enix|Ph0enix]] ([[User talk:Ph0enix|talk]]) 18:36, 22 July 2013 (UTC)
:Did you find any exploits? --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 18:54, 22 July 2013 (UTC)
::No. [[User:phyrrus9|phyrrus9]], a team member found the vulnerability. I am the one who exploited it. --[[User:Ph0enix|Ph0enix]] ([[User talk:Ph0enix|talk]])
:::I can back up this "claim". I was a part of it. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 20:52, 28 July 2013 (UTC)
::::Whatever happened to this? --[[User:Phyrrus9|phyrrus9]]

==Orphaned articles==
This is an interesting search: [[Special:LonelyPages]] - "The following pages are not linked from or transcluded into other pages in The iPhone Wiki." I'm not sure where all of those articles should be linked, but figuring that out could be a useful project for somebody. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 05:57, 28 August 2013 (UTC)

==Easy tasks for new editors==
* Finish converting the remaining error codes listed here [[MobileDevice_Library#Known_Error_Codes]] into the proper mach_return_t codes they should be displayed as. (convert the negative number listed into hex, strip any leading "FF" so it should be in the format "0xe80000" followed by two numbers) --[[User:Dirkg|Dirkg]] ([[User talk:Dirkg|talk]]) 22:40, 28 August 2013 (UTC)

== A1XXX model numbers vs. "GSM"/"CDMA"/"Global"/"Cellular"/etc. ==
I know that this topic was [[The iPhone Wiki:Community portal/2013#iPhone 5|already discussed earlier this year]], but it didn't seem to come to a consensus, and the introduction of the [[iPhone 5c]] and [[iPhone 5s]] brought a lot of model numbers. Some of them may "overlap" (think models A1429 and A1442 for the [[iPhone 5]]), but there's simply too many to give names to. There are at least two that can connect to CDMA networks, and all of them can connect to GSM. In addition, with the sheer amount of models, it doesn't seem likely for one model to be treated as a "global" model. Therefore, I changed the iPhone 5c to use model numbers. I would like to do the same to some of the devices that are already present on the wiki though— the same ones from when I first brought up this idea. The GSM/CDMA names work very well for the [[iPad 2]] and [[iPhone 4]]. Things are slightly murkier for the [[iPad 3|iPad (3rd gen.)]], [[iPad 4|iPad (4th gen.)]], [[iPad mini 1G]], and [[iPhone 5]] though; all of those devices' cellular models can connect to GSM networks, so it seems like nonsense to call some of them the "GSM model." The A1XXX model numbers are also how Apple tells the difference between the different models of these devices. Have any opinions changed? Or perhaps someone new might have something to say about this? --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 06:06, 13 September 2013 (UTC)

:I actually like the idea as it does get complicated now with the new devices coming like said and we would have to do this for all devices. Although, if we did this, we would have to move all the key pages that have keys on to support this. That would not be a big problem as we could limit the moves to say 20 per day. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 09:47, 13 September 2013 (UTC)

:I suggest we wait a bit until we see what models of the [[iPhone 5c]] and [[iPhone 5s]] will exist. But in general, I like the idea of using only the A1nnn numbers. The only issue I see right now is that Apple differentiates between A1532 GSM and A1532 CDMA. If there are real hardware differences between these two, then we're screwed again. That's why I suggest to wait until we know these exact model types. On the disambiguation page I added the GSM/CDMA model differentiation already (as Apple does). If they turn out to be the same, we can remove it again, but I wonder why Apple lists two models (with different bands supported) there now. Someone also added the "CDMA" mark to one of the others, but that's not how Apple marks them, so I suggest to remove that mark there again. If everything can be differentiated by these A-model-numbers, then yes, we should change the old pages too. Including all key pages. --[[User:Http|http]] ([[User talk:Http|talk]]) 14:44, 13 September 2013 (UTC)

::I do know there are 2 CDMA and 3-4 GSM for the [[iPhone 5c]] alone. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 16:04, 13 September 2013 (UTC)

:::Ahem… ''All'' of the iPhone 5c models can do GSM communications. Hence one of the reasons why I want to ditch the "GSM"/"Global"/etc. labels in favor of A1XXX model numbers. ;P --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 16:07, 13 September 2013 (UTC)

::::One thing is, what about iPod touch 5 as that has two model numbers that are the same device, same with iPhone5,2. How would we get around that? I suppose we could like both separated with a forward slash. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 18:19, 13 September 2013 (UTC)

:::::Yeah, we could just use something like "[[n42ap|iPhone 5 (Model A1429/A1442)]]." --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 22:45, 13 September 2013 (UTC)

::::::Yeah I thought that but what about the iPhone 4 GSM and GSM Rev A? They both seem to be A1432. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 23:10, 13 September 2013 (UTC)

:::::::This is why I'm against using the A1XXX model numbers instead of the current GSM/Global thing. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 23:25, 13 September 2013 (UTC)

::::::::I had no plans to change the way we refer to the iPhone 4 or iPad 2 (Apple does use GSM/CDMA, and for those devices it works fine). If a new iPhone 5S revision comes along, Apple will probably refer to it as a "Rev A" thing, and so will we. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 02:50, 14 September 2013 (UTC)

:Referencing Adam's reply above, if we had took that to the key pages, it'd be <code>[<nowiki/>[{BuildTrain} {Build} (A1432)]]</code> which would mess ''everything'' up. What could we do? Use <code>[<nowiki/>[{BuildTrain} {Build} (A1432 Rev A)]]</code>? No. That doesn't look good. The current way of referring to everything by their supported network type (GSM/CDMA/Global) helps in going to a different page.
:Let's say I'm on [[BrightonMaps 10B329 (iPhone 4 GSM)]] and I want to go the CDMA device. What do I do? Go to the URL and replace <code>GSM</code> with <code>CDMA</code>. With the model numbers, I'd have to navigate to [[Firmware]], then find the link, or find out what the model number of the CDMA variant is and replace the model number in the URL with that. 
:Ok, who navigates by the URL and search bar? ''I do''. And I'm sure there's '''many''' people out there that prefer to navigate with the search bar if they know the page name. If we go by model number, the AJAX search results just list pages with a model number in parenthesis. '''How does that help'''? I'd either have to ''know'' the model number of the device I want, or visit ''each one'' until I find the page I need.
:Sorry for the rant, but I am '''strongly''' against this. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 23:25, 13 September 2013 (UTC)

::I do suppose we could just trash the buildtrain all together to shorten it down too. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 23:32, 13 September 2013 (UTC)

:::Dropping the Build Train would only ''increase'' the workload. Besides, what's the harm with it? We've been using the same page title structure since forever, and it's worked. "''If it ain't broke, don't fix it''". The current system works, so ''why'', other than the fact that Apple refers to them differently, should we change this? In addition, we don't refer to everything the way Apple does. The [[iPad mini 1G]] is referred to as the "iPad mini". The [[iPad 3]] is refered to as "The New iPad". The [[iPad 4]] is refered to as "iPad with Retina Display"[http://www.apple.com/ipad/compare/]. Are the key pages titled <code>BrightonMaps 10B329 (The New iPad, Wi-Fi+3G for AT&T and Verizon)</code>? No. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 00:37, 14 September 2013 (UTC)

::::But the reason we want to not use the variants is because the new devices that are coming out are breaking he structure and also CDMA versions can use GSM in the 5c plus we have like 4 for GSM alone. I only meant drop buildtrain to shorten the urls down. For the iPhone 4 GSM Rev A we would have to list it as <code>iPhone 4 A1432 Rev</code> unless another idea is thought of. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 00:55, 14 September 2013 (UTC)

:::::No. Anything involving moving key pages to change their title I am ''completely'' against. As for the iPhone 5s and iPhone 5c, we ultimately have to wait. There may be different types, but if they all work with the same firmware, then what do we do then? Use <code>A1456/A1504</code>? I don't want to do that. It can get confusing in the future if that list were to be huge. With ''5'' different models for the iPhone 5c ''alone'', it's just not practical. For the fact that all support GSM, but not all support CDMA, we just do what we've ''been'' doing: "GSM" and "Global". --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 01:22, 14 September 2013 (UTC)

::::::There's nothing wrong with changing the titles of pages that don't even exist though. If *all* of the models use the same firmware, just go with "iPhone 5s." If they happen to be partitioned into two different firmwares again, that will certainly complicate things, but it wouldn't be worse than nonsense like "GSM," "GSM [<nowiki />Global]," "CDMA," "CDMA [<nowiki />Global]," or "GSM [<nowiki />Global Plus TD-LTE]." If it's just one oddball, we could just have "iPhone 5s" and "iPhone 5s A1XXX" (whatever the odd one is), and include a link on the former page to say "keys for model A1XXX are on this page." --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 02:50, 14 September 2013 (UTC)

::::I probably didn't phrase that well… I wasn't thinking of how Apple markets the product, but rather more along the lines of how they refer to it in, say, the tech specs page or support documents— the pages that shows the messier side to their simple sugar coating. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 02:50, 14 September 2013 (UTC)

::You keep misinterpreting/misrepresenting what I'm proposing. I never said anything about dropping, say, "iPhone 5" so firmware page titles would look like [[Sundance 10A405 (A1428)]]. I want to change the GSM/Global part to the A1XXX number, so it would probably show like [[Sundance 10A405 (iPhone 5 A1428)]]. (If a hardware revision were made, it would probably look like [[Sundance 10A405 (iPhone 5 A1428 Rev A)]].) From time to time, I edit URLs to browse the wiki too. But the GSM/Global identifiers don't work that well; again, '''all iPhone 5 models can connect to GSM'''. That's not really helpful. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 02:50, 14 September 2013 (UTC)

:::I suggest we drop the A and use Rev. As for the idea of changing to A1XXX, I see no issues and am for the idea. I admit it can cause chaos when we move the pages but we could limit the moving per day of course. Overall, I think it will be worth it. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 10:01, 14 September 2013 (UTC)

::::No. Don't drop the <code>A</code> from <code>Rev A</code>. Why would you even think to? You want to call them what Apple calls them, and the [[n90bap|revised iPhone 4 GSM]] is referred to with <code>Rev A</code>. In addition, there have been <code>Rev ''B''</code> things before, such as the [[S5L8947]] (A5 Rev B) used in the [[j33iap|revised Apple TV 3G]]. In addition, think of all the redirects we would need to keep for sites that link to key pages directly. I have even seen sites that still link with the URLs as <code>/wiki/index.php?title={Title}</code> instead of the year old change to <code>/wiki/{Title}</code>. The wiki handles that internally for us, but the redirects made in the moves would have to be kept. Currently, only the [[iPhone 5]] and [[iPad 4]] are the only devices referred to by their model numbers. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 20:53, 14 September 2013 (UTC)

:::That's why I don't want to change it. It's worked for us, and we have no idea how the new firmwares will be handled. I am betting that there will only be two firmware types - one for the GSM, and one for the Global (GSM+CDMA) model. The only reason they are split, IIRC, is because AT&T uses different LTE bands than rest of the GSM world.
:::Ultimately, the GSM/CDMA/Global monikors haven't caused any ''naming conflicts''. Ok, you don't want to use the ''marketing'' title. What about the way they are referred to on [[Apple Developer Center|ADC]], because that seems to be what you want. I may be misreading what you're saying again, but if we're going to do that, let's use their ''full'' title. Something <code>(iPad [4th generation Model A1458])</code> (iPad 4 Wi-Fi) and <code>(iPad Wi-Fi + Cellular [model for Verizon])</code> (iPad 3 Global). Does the first one tell you if the device is Wi-Fi or a Wi-Fi+3G model? Does the second one tell you ''at all'' that it is an [[iPad 3]], or that it supports GSM? No.
:::Apple has a history of being inconsistent. For example, the iPad 3 Wi-Fi is referred to on ADC (and iTunes) as "iPad Wi-Fi (3rd generation)" while the iPad 3 GSM is referred to as "iPad Wi-Fi + Cellular [model for AT&T]". What happened to the "3rd generation"? --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 20:53, 14 September 2013 (UTC)

::::We could always list as <code>iPhone 4 (iPhone3,1)</code> etc instead if that would be better. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 21:13, 14 September 2013 (UTC)

::::Why is there a need to explicitly keep "Wi-Fi" in a key page's title? All you need is a way to distinguish what model it is from its other variants— the A1XXX model number does just that. It's not like we referred to the AppleTV3,2 as "Apple TV 3G (New Single-Core A5)" or something. And obviously, we can use common sense to address the 3rd generation iPad issue you brought up… Now you're just nitpicking. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 05:28, 15 September 2013 (UTC)
:::::Actually, I think we should wait until we see the firmware for iPhone 5c/5s and then decide. TBH, as [[User:5urd|5urd]] said, it is ok as it is but of course if once the new firmware is out it is more confusing, then we can think again. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 14:12, 15 September 2013 (UTC)

:::::Come to think of it, we can use a mix of both; we can keep the "Global" moniker, but drop the "GSM" moniker in favor of the A1XXX model number. (The "GSM" moniker is the one that's been bothering me.) I think this works well for the iPad 3 (which is actually split into "CDMA" and "Global—" it probably doesn't need to be done for this), iPad 4, iPad mini 1G, and iPhone 5, but this leaves the question of what to do for the iPhone 5C/5S. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 04:04, 19 September 2013 (UTC)

::::::That would look worse! If we are going to do it, we have to do it for '''''all'''''. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 09:40, 19 September 2013 (UTC)

:::::::What is the status on this now? --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 21:18, 9 November 2013 (UTC)

:::::This discussion has stagnated, but I'm firing it up again— I want to fix this before the end of the year, so this can probably be seen as an ultimatum. Now that Apple has pushed a 7.1 beta to developers, we now know how Apple's splitting the new iPhones up— and it's by A1XXX model numbers still. :\ That's probably the path the wiki will go down, but I do have another idea. The other idea I have in mind is using the A1XXX model number for the cellular devices launched last year. But for this year's iPhones, the FCC ID is actually different between the two, so we could actually use that. Before this gets nitpicked on, the last letter can get changed to an "X" to signify that it's a wildcard of sorts. It's not a pretty solution so I do expect it to get shot down (hence why I'm going with the A1XXX model numbers unless everyone says otherwise), but I'm still throwing it out there in case everyone actually likes that. Everyone is welcome to suggest alternatives, but I '''will''' eliminate that GSM label before the year ends. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 18:31, 18 November 2013 (UTC)

::::::That is worse, nobody knows the FCC ID off the top of their head. I would suggest "iPhone 5 (iPhone5,1)" if anything. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 18:37, 18 November 2013 (UTC)

:::::::Using "iPhone5,1" or "iPhone6,2" is even ''less'' friendly… The FCC ID can be looked up in Settings or the back of a device. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 19:06, 18 November 2013 (UTC)

::::::::Well that is not the point. I say either use the firmware name or leave it alone. See what others thing though. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 19:13, 18 November 2013 (UTC)

:::::::::I currently plan on using the A1XXX model numbers— the FCC ID proposal was just thrown out there in the off chance that someone might like it. I'm not really a fan of it myself, but the FCC ID is probably the simplest way to figure out if it's an iPhone6,1 or iPhone6,2 since both have multiple A1XXX model numbers. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 19:19, 18 November 2013 (UTC)

::::::I agree to get rid of the "GSM" name, as almost all iPhones support GSM. The Axxxx numbers would be nice, but as some phones have several numbers, like A1457/A1518/A1528/A1530 (what is actually different between them?) we can't use it. For the FCC-ID, we can't use that either, because for example the iPhone 5 with FCC-ID BCG-E2599A stands for the GSM/A1428 and also for the GSM+CDMA/A1429 version. So I suggest to either use the identifier (like iPhone2,1) or better the internal name (like n88ap). That would have the advantage to separate them further, because the iPhone 4 A1332 has two internal versions: iPhone3,1/n90ap and the iPhone3,2/n90bap. The bigger question is where you want to use this. That determines mainly the name. On all the key pages? Then it must be a name that is different between models that use different firmwares. And regarding key pages, maybe we should delete all the key pages from this wiki and move them into some database instead and provide a nice user interface and API around it and integrate that into the wiki somehow. That way we can change all pages with one simple edit. For the name, I prefer the internal name. --[[User:Http|http]] ([[User talk:Http|talk]]) 23:43, 18 November 2013 (UTC)

:::::::We would have to edit key pages too. They should not be removed however. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 23:46, 18 November 2013 (UTC)

:::::::Well, I wasn't trying to say that we had to decide on one way to differentiate ''everything''; "GSM" does work fine for, say, the iPhone 4. The proposal I brought up today was using the FCC ID only for this year's (2013's) iPhones— last year's cellular devices would get the A1XXX model numbers (i.e. two different solutions for two different years). But as of right now, I like how using A1XXX model numbers sounds for all of the affected devices, mostly because that's the path Apple's going in their developer portal. Something like "iPhone 5s (Model A1457/A1518/A1528/A1530)" is admittedly a mouthful for this year's iPhones though. At the moment, I'm inquiring about how to label it on [[Firmware]] and such pages, but I'm sure the outcome can be adapted for key page titles as well. As for differences between the models, it seems to be the supported LTE bands. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 03:49, 19 November 2013 (UTC)

:::::::::I still think that unless it is "iPhone 5 (iPhone5,1)" it will be complicated but on the other hand, I kind of like the idea that [[User:Http|http]] had, using the internal identifiers like this "iPhone 5 (n42ap)". The only problem is that it would cause quite a bit of a flood moving the key pages, although this can be done like 15 per day each or something. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 09:20, 19 November 2013 (UTC)

::::::::::I'm pretty sure the only key page that exists for an A5 (or newer) device is [[Telluride 9A406 (iPhone 4S)]]. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 17:40, 21 November 2013 (UTC)

:::::::::::That was an example. I know there are no more A5 pages, only the one you said and two beta for iPhone 4S. I just meant that it would show the design. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 13:36, November 21, 2013 (UTC)

== "GSM" Replacement Proposals ==
Since this discussion has become extremely lengthy, here are the proposals (to my understanding) for changing the labels, each of which can be subject to changes (i.e. dropping the word "Model" from Proposal A). In an effort to conserve space (ironically, this still adds a significant amount of length), I only included a few models, which should give an idea of the proposal. Basically anything with an A5 or newer is involved. Feel free to edit this list if I missed or totally misinterpreted something. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 03:25, 22 November 2013 (UTC)
# Proposal A (A1XXX numbers)
#* iPad 4 (Model A1458)
#* iPad 4 (Model A1459)
#* iPad 4 (Model A1460)
#* iPhone 5 (Model A1428)
#* iPhone 5 (Model A1429/A1442)
#* iPhone 5c (Model A1456/A1532)
#* iPhone 5c (Model A1507/A1516/A1526/A1529)
#* [[InnsbruckTaos 11B554a (iPad 4 A1458)]]
#* [[InnsbruckTaos 11B554a (iPhone 5 A1429/A1442)]]
#* [[InnsbruckTaos 11B554a (iPhone 5c Model A1507/A1516/A1526/A1529)]]
# Proposal B (A1XXX + FCC ID)
#* iPad 4 (Model A1458)
#* iPad 4 (Model A1459)
#* iPad 4 (Model A1460)
#* iPhone 5 (Model A1428)
#* iPhone 5 (Model A1429/A1442)
#* iPhone 5c (BCG‑E2644A)
#* iPhone 5c (BCG‑E2694X)
#* [[InnsbruckTaos 11B554a (iPad 4 A1458)]]
#* [[InnsbruckTaos 11B554a (iPhone 5 A1429/A1442)]]
#* [[InnsbruckTaos 11B554a (iPhone 5c BCG‑E2694X)]]
# Proposal C (-AP Identifier)
#* iPad 4 (p101ap)
#* iPad 4 (p102ap)
#* iPad 4 (p103ap)
#* iPhone 5 (n41ap)
#* iPhone 5 (n42ap)
#* iPhone 5c (n48ap)
#* iPhone 5c (n49ap)
#* [[InnsbruckTaos 11B554a (iPad 4 p101ap)]]
#* [[InnsbruckTaos 11B554a (iPhone 5c n42ap)]]
#* [[InnsbruckTaos 11B554a (iPhone 5c n49ap)]]
# Proposal D (iPhoneX,Y Identifier)
#* iPad 4 (iPad3,4)
#* iPad 4 (iPad3,5)
#* iPad 4 (iPad3,6)
#* iPhone 5 (iPhone5,1)
#* iPhone 5 (iPhone5,2)
#* iPhone 5c (iPhone5,3)
#* iPhone 5c (iPhone5,4)
#* [[InnsbruckTaos 11B554a (iPad3,4)]]
#* [[InnsbruckTaos 11B554a (iPhone5,2)]]
#* [[InnsbruckTaos 11B554a (iPhone5,4)]]

:I like this [[InnsbruckTaos 11B554a iPad 4 (3,4)]] or [[InnsbruckTaos 11B554a iPad 4 (iPad3,4)]]. I see there are 4 ways to approach this;
1. Change every single device. 
2. Change just devices with different variants, iPad 2+, iPad mini+, iPhone 4, iPhone 5+. 
3. Change A5+ only (which I hate the idea of). 
4. Change nothing at all. 
--[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 09:28, 22 November 2013 (UTC)
::My intention for this was to be a ''neutral'' (i.e. opinion-free) spot where all of the proposals were being mentioned, so people could easily see the proposed changes without any bias… v.v --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 20:54, 22 November 2013 (UTC)
:::TBH, I think it is better as it is, but I just stated my opinion that only A5+ would make in inconsistent. Though you could argue it is already, that is down to Apple and furthermore, just A5+ would still not eliminate iPhone 4 (GSM, GSM Rev A or CDMA). --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 17:07, November 22, 2013‎ (UTC)}}
:Do it like #4, and do them all. --[[User:CompilingEntropy|CompilingEntropy]] ([[User talk:CompilingEntropy|talk]]) 18:40, 23 November 2013 (UTC)
::::It will be a pain, but I like [[User:CompilingEntropy|CompilingEntropy]]'s idea as it would make it much much better in the end. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 16:25, 25 November 2013 (UTC)

== Key page template ==
I actually like the idea of a database to an extent. I bet I could put together an extension that creates a [[Special:SpecialPages|special page]] that allows read access to everyone (and r/w access to users). Any edits to the key "pages" wouldn't cause a [[Special:RecentChanges|recent changes]] log. If we ever needed to update the layout, we would just need to update the extension. We could even have an API.
The only limitation is that updates to the extension would require either [[User:geohot|George]] or [[User:Dialexio|Alex]] needing to upload the fix. If we were to set up an external site, then all links to it would need to be wrapped with <code>...</code>.
Maybe a simple extension that takes links and redirects you to the external site? That could work. Like, we would have a link to, say, <code>[[<nowiki/>Special:Keys/iPad1,1/9A405]]</code> which would give an HTTP <code>301 Moved Permanently</code> header to, say, <code><nowiki>http://ioskeys.com/iPad1,1/9A405</nowiki></code>. Granted, someone would have to pay for the domain, but it would solve this problem. I may be able to pay for the domain if I make enough money by the time I finish writing everything. Any opposition? --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 16:48, 21 November 2013 (UTC)
:I do not like the idea. I like the idea of the database to a degree, but I think that the pages should remain on this wiki. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 17:03, 21 November 2013 (UTC)
::I don't see this solving any problem— the backlash against changing the key page template was because of (unnecessary?) changes to the arguments, and the frequency of how often such changes were being proposed/applied. How would a database prevent it? For instance, let's say the database columns are all decided on. Suddenly, it's decided that SHA-1 hashes should be added as well, or perhaps "VFDecryptKey" will be renamed to "FSKey." People submitting keys would still be bothered with having to adjust for those changes. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 17:40, 21 November 2013 (UTC)
:::That with the database is something I'll implement anyway (if not someone else is faster, as I'm quite busy). I just threw that in here as it might solve the problem of the frequent template updates (which is/was wrong anyway). From there it would be easy to create the VFDecrypt page with an overview link or lists of missing keys and that stuff, so the wiki would not need any direct links. But it would mean that we either completely remove all keys here from the wiki and embrace that solution or have them still duplicate (which then doesn't solve the problem). Dialexio: renaming columns can be handled without interface changes, but that's another topic. So let's forget about this database thing for now and we can discuss again when I have something. We certainly don't want to add extensions for that. So back to the discussion about the renaming: If I understood this correctly, you only want to rename A5+ devices and therefore no key pages would be affected. Is my understanding correct? --[[User:Http|http]] ([[User talk:Http|talk]]) 22:08, 21 November 2013 (UTC)
::::As long as the pages stay on this wiki, I do not mind. Although, a database could be pointless as with only 50 more pages to edit for the new format, there is no planned new format/changes again. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 22:16, 21 November 2013 (UTC)
::::About the renaming, that is correct; I'm only interested in changing the cellular labels on A5/+ devices. (Well, the iPad 2 can remain as-is.) --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 00:02, 22 November 2013 (UTC)
:::::Oh, well that would just make things more complicated/inconsistent. We should do all or none. About the template idea, there is also no need as it is not likely we will change the format again. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 00:35, 22 November 2013 (UTC)
::::::Do we really need to CHANGE THE FORMAT 50 TIMES IN A ROW? The old one before everything was messed with worked fine enough. [[User:Winocm|Winocm]] ([[User talk:Winocm|talk]]) 18:22, 27 November 2013 (UTC)

==Login prompt revision suggestion==
I wrote a suggestion here: [[MediaWiki talk:Loginprompt]] (since I don't have permission to edit [[MediaWiki:Loginprompt]] directly) - I'd be interested in whether it sounds like a good idea to other people. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 01:00, 8 October 2013 (UTC)

==Homepage suggestions==
Under "Application Development", what about linking to [http://iphonedevwiki.net/index.php/Main_Page iPhoneDevWiki]? It's also a community-edited technical resource, and it links to this wiki. It could be helpful to add a little more detail to "Get [[up to speed]] in the community.", like this: "Get [[up to speed]] in the community - learn about how jailbreaks work." Under "Definitions", it could be helpful to list all the firmware tags in one line or sub-list, similar to how Jailbreak is organized next to Tethered jailbreak and Untethered jailbreak, both to save space and help readers understand the list. --[[User:Britta|Britta]] ([[User talk:Britta|talk]]) 23:01, 20 October 2013 (UTC)
:A link to the iPhoneDevWiki sounds good. I wonder if we should have an "External Links" or "Other Resources" section to include links to other sites (such as the [http://blog.iphone-dev.org/ iPhone Dev Team blog]) though. As for the "Up to Speed" page, I feel like the entire page could be reworked a bit— and perhaps even receive a new, clearer name ([[Introduction]]? [[Preface]]? Or something else?)— the current name makes it sound like it's for people that last paid attention to jailbreaking when the App Store didn't exist. And yeah, moving the IMG3 tags to a sub-list sounds like a really good idea. (Admittedly, I actually don't care for its inclusion in the first place, but that's just a personal preference.) --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 00:10, 21 October 2013 (UTC)
::There's already [[Useful Links]] with some links to other core community resources (which could be updated and rearranged) - I was just thinking that it'd be especially useful to link to iPhoneDevWiki prominently since it's likely for TheiPhoneWiki visitors to also be interested in relatively-organized technical information about development. Changing the name of "Up to Speed" sounds fine to me too - that page didn't get much attention since 2008 until I sort of commandeered it to serve as an "intro to jailbreaking" page. :) It could be renamed "getting started", as in "how to get started on learning about research into iOS devices, especially security research (such as jailbreaks)". [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 00:31, 21 October 2013 (UTC)
Also I'd love to see a dedicated section for "Good tasks for new editors", where we could maintain a list of relatively easy/straightforward suggested edits that wouldn't require vast technical knowledge, like updating that links page. Where would that go? Add it as a sub-section of [[The iPhone Wiki:Current events]] and link that section from the homepage or something? Or make a new page? [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 00:40, 21 October 2013 (UTC)

==What is 0x5265c384 in the boot process?==
Does anybody know where <code>0x5265c384</code> points to in the boot process? I haven't been able to find anything on it. --[[User:Ph0enix|Ph0enix]] ([[User talk:Ph0enix|talk]]) 20:14, 23 October 2013 (UTC)

==License for contributions==
This wiki has never had an official license for contributions. Now, IANAL, but IIRC, this means that you can't use ''anything'' posted here unless it qualifies as fair-use. What I propose is that we set a license and add a notice that states that any contributions after a set date are to be licensed under that license (that's kindof a mouthful). I think we should use the [http://creativecommons.org/licenses/by-sa/3.0/ CC-by-SA 3.0] as [[wikipedia:Wikipedia:Text of Creative Commons Attribution-ShareAlike 3.0 Unported License|Wikipedia uses it]], but that's just me. Any ideas? --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 19:53, 9 November 2013 (UTC)
:Well, the edit info already says all this:
Please note that all contributions to The iPhone Wiki may be edited, altered, or
removed by other contributors. If you do not want your writing to be edited mercilessly,
then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public
domain or similar free resource (see The [[:The iPhone Wiki:Copyrights|iPhone Wiki:Copyrights]] for details). '''Do not'''
'''submit copyrighted work without permission!'''
For me, that's enough. I don't need a 50 page license. But if you want to formalize this more, go ahead. --[[User:Http|http]] ([[User talk:Http|talk]]) 20:35, 9 November 2013 (UTC)

:Sounds good. It's good practice to have an official license, just in case any disputes happen someday, and to ensure that it's OK to copy text over to Wikipedia (for example). [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 21:32, 9 November 2013 (UTC)

==Future plans==
Now that I have SSH access, I've begun working on making several, somewhat-overdue changes to the wiki. The Renameuser extension was reinstated, so admins can now rename accounts. If you have another account, that can also get merged into your current account. If you happen to get locked out from both your account and the email used is no longer active, I can run a script to reset your password. I've also begun implementing a very noticeable change— as users of the Vector skin have noticed, the iOS 6-based theming is gone. It's a semi-temporary move though; it's going into its own skin, because… you know, choice is cool. People who like the Vector skin may not have liked the iOS theming, especially since IE 9 and lower didn't display it completely accurately. Therefore, it's going into its own theme. Once that's done I also plan on making a separate iOS 7-based skin. If there are any further thoughts or suggestions on how to improve the wiki, do let me know! --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 22:18, 9 November 2013 (UTC)

==TOC==
I was wondering if it may look better if we made the TOC show horizontal because currently, like on [[Firmware]], you have to scroll down quite a way to get to the actual devices. I know that you can click "hide" but that is not the point as it is still ugly imo. What do you all think? Also, someone on IRC has said that they have seen three people get the wrong IPSW with the numbering before the variants, thinking that it is the device model number. Any way that it could be changed to drop that numbering as I also agree it is oddly numbered? --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 19:09, 10 November 2013 (UTC)

User:Winocm

2013-11-26T16:31:56Z

Winocm:

<pre>
Darwin Kernel Version 13.0.0: Fri Nov 22 18:16:18 CST 2013; root:xnu-2050.48.13~7/DEBUG_ARM_ARMPBA8
Darwin Kernel Version 13.0.0: Fri Nov 22 18:15:22 CST 2013; root:xnu-2050.48.13~7/DEBUG_ARM_OMAP335X
Darwin Kernel Version 13.0.0: Fri Nov 22 18:18:09 CST 2013; root:xnu-2050.48.13~7/DEBUG_ARM_OMAP3430_RX51
Darwin Kernel Version 13.0.0: Fri Nov 22 18:15:50 CST 2013; root:xnu-2050.48.13~7/DEBUG_ARM_OMAP3530
Darwin Kernel Version 13.0.0: Fri Nov 22 18:17:14 CST 2013; root:xnu-2050.48.13~7/DEBUG_ARM_S5L8920X
Darwin Kernel Version 13.0.0: Fri Nov 22 18:17:41 CST 2013; root:xnu-2050.48.13~7/DEBUG_ARM_S5L8922X
Darwin Kernel Version 13.0.0: Fri Nov 22 18:16:45 CST 2013; root:xnu-2050.48.13~7/DEBUG_ARM_S5L8930X
Darwin Kernel Version 13.0.0: Fri Nov 22 18:19:28 CST 2013; root:xnu-2050.48.13~7/DEVELOPMENT_ARM_ARMPBA8
Darwin Kernel Version 13.0.0: Fri Nov 22 18:18:37 CST 2013; root:xnu-2050.48.13~7/DEVELOPMENT_ARM_OMAP335X
Darwin Kernel Version 13.0.0: Fri Nov 22 18:21:14 CST 2013; root:xnu-2050.48.13~7/DEVELOPMENT_ARM_OMAP3430_RX51
Darwin Kernel Version 13.0.0: Fri Nov 22 18:19:03 CST 2013; root:xnu-2050.48.13~7/DEVELOPMENT_ARM_OMAP3530
Darwin Kernel Version 13.0.0: Fri Nov 22 18:20:20 CST 2013; root:xnu-2050.48.13~7/DEVELOPMENT_ARM_S5L8920X
Darwin Kernel Version 13.0.0: Fri Nov 22 18:20:47 CST 2013; root:xnu-2050.48.13~7/DEVELOPMENT_ARM_S5L8922X
Darwin Kernel Version 13.0.0: Fri Nov 22 18:19:54 CST 2013; root:xnu-2050.48.13~7/DEVELOPMENT_ARM_S5L8930X
Darwin Kernel Version 13.0.0: Fri Nov 22 18:22:24 CST 2013; root:xnu-2050.48.13~7/RELEASE_ARM_ARMPBA8
Darwin Kernel Version 13.0.0: Fri Nov 22 18:21:39 CST 2013; root:xnu-2050.48.13~7/RELEASE_ARM_OMAP335X
Darwin Kernel Version 13.0.0: Fri Nov 22 18:23:57 CST 2013; root:xnu-2050.48.13~7/RELEASE_ARM_OMAP3430_RX51
Darwin Kernel Version 13.0.0: Fri Nov 22 18:22:02 CST 2013; root:xnu-2050.48.13~7/RELEASE_ARM_OMAP3530
Darwin Kernel Version 13.0.0: Fri Nov 22 18:23:12 CST 2013; root:xnu-2050.48.13~7/RELEASE_ARM_S5L8920X
Darwin Kernel Version 13.0.0: Fri Nov 22 18:23:35 CST 2013; root:xnu-2050.48.13~7/RELEASE_ARM_S5L8922X
Darwin Kernel Version 13.0.0: Fri Nov 22 18:22:49 CST 2013; root:xnu-2050.48.13~7/RELEASE_ARM_S5L8930X
</pre>

hi

Kernel

2013-11-26T16:30:34Z

Winocm:

The '''kernel''' of [[iOS]] is the [[wikipedia:XNU|XNU]] kernel. Pre-2.0, it was vulnerable to the [[Ramdisk Hack]] and may still be, but iBoot doesn't allow boot-args to be passed anymore. It is mapped to memory at 0x80000000, forcing a 2/2GB address separation, similar to Windows 32-bit model. On older iOS versions the separation was 3/1 (mapping the kernel at 0xC0000000), closer to the Linux model.

Note, that this is NOT like 32-bit OS X, wherein the kernel resides in its own address space, but more like OS X 64-bit, wherein CR3 is shared (albeit an address space larger by several orders of magnitude). See the appropriate [[#64-bit|section]]

== [[ASLR]] ==
{{main|Kernel ASLR}}
As of [[iOS]] 6, the kernel is subject to ASLR, much akin to Mountain Lion (OS X 10.8). This make exploitation harder as the location of kernel code cannot be known.

On production and development devices, the kernel is always stored as a statically linked [[kernelcache|cache]] stored at [[/System/Library/Caches/com.apple.kernelcaches/kernelcache]] that is decompressed and run on startup.

== Stack ==
The kernel maintains thread specific stacks by calling kernel_memory_allocate, this allocates stacks in the specified kalloc zone. The bootstrap thread has its own specific static kernel stack, which is specified by _intstack. IRQ and FIQ handlers will also have their own execution stack which is specified by _irqstack.

== Boot-Args ==
Like its OS X counterpart, iOS's XNU accepts command line arguments (though the actual passing of arguments is done by iBoot, which as of late refuses to do so). Arguments may be directed at the kernel proper, or any one of the many KExts (discussed below). The arguments of the kernel are largely the same as those of OS X.

Kexts use boot-args as well, as can be seen when disassembly by calls to PE_parse_boot_argn (usually exported, _PE_parse_boot_argn 8027A8EC on the iOS 6.1.3 kernel, discovered by [[User:Haifisch|Haifisch]]). Finding references (using IDA) reveals hundreds places in the code wherein arguments are parsed in modules, pertaining to Flash, HDMI, and [[AppleMobileFileIntegrity|AMFI]].

Here's a list of boot-args extracted with the [https://github.com/pod2g/ios_stuff/tree/master/idc-ios-boot-args IDA script] by [[User:MuscleNerd|MuscleNerd]]:

_nand-part-poison
_panicd_corename
_panicd_ip
_router_ip
acc_debug
aesdev
als_enable_debug
amfi
amfi_allow_any_signature
amfi_get_out_of_my_way
amfi_unrestrict_task_for_pid
AppleEmbeddedUSBArbitrator-debug
AppleS5L8930XUSBArbitrator-debug
AppleUSBPhy-debug
arm7m-enable-jtag
-b
backlight-level
backlight-logging
baseband-spi-sclk-period
bcom.chip.driveStrength_mA
bcom.chip.watermark
bcom.clock.sd-rate
bcom.devif.fn2-block-size
bcom.devif.rx-retries
bcom.devif.transaction-log
bcom.devif.tx-retries
bcom.feature.flags
bcom.ps.inactivity.timeout
bcom.wte.thread-priority
boot-uuid
brightness
burnin-size
cameraclocks
charger-debug
cpus
cs_debug
cs_enforcement_disable
darkwake
dart
dcc
debug
disable-usb-iap
dp_async_event_fail_hard
dp_audio_driver_level
dp_audio_driver_mask
dp_audio_interface_level
dp_audio_interface_mask
dp_controller_level
dp_controller_mask
dp_device_level
dp_device_mask
dp_display_interface_level
dp_display_interface_mask
dp_interface_level
dp_interface_mask
dp_log_level
dp_max_channel_count_lpcm
dp_max_sample_rate_lpcm
dp_max_sample_size_lpcm
dp_min_channel_count_lpcm
dp_min_sample_rate_lpcm
dp_min_sample_size_lpcm
dp_service_level
dp_service_mask
dpsm
dvb
dvc
dvd
effaceable-enable-full-scan
effaceable-enable-wipe
enable-acsleep
fairshare_minblockedtime
fill
fixedpriority_quantum
fix-parity
force-usb-host
force-usb-power
hdmi_max_channel_count_lpcm
hdmi_max_sample_rate_lpcm
hdmi_max_sample_size_lpcm
hdmi_min_channel_count_lpcm
hdmi_min_sample_rate_lpcm
hdmi_min_sample_size_lpcm
hdmi_protection_type
hp-detect-invert
hp-pop-workaround
hp-switch-force-config
hp-switch-ramp
hsic
i2c-logsize
i2c-verbose
ifa_debug
ifnet_debug
initmcl
io
iopfmi-timeout
iotrace
jpeg-log
jtag
kdp_crashdump_pkt_size
kdp_ip_addr
kdp_match_mac
kdp_match_name
keepsyms
kextlog
link_recovery_enabled
mbuf_debug
mbuf_pool
mcache_flags
mleak_sample_factor
mseg
msgbuf
mt-bytes
mt-strings
mtxspin
nand-boot-malloc
nand-check-vs
nand-commands
nand-disable-driver
nand-dump-vs-table
nand-enable-adm
nand-enable-reformat
nand-enable-yaftl
nand-erase
nand-erase-install
nand-fbbt-publish
nand-force-restore
nand-idle-timeout-ms
nand-ignore-ptab
nand-index-cache-size
nand-latency-us
nand-max-pages
nand-neuralize
nand-nvram-debug
nand-ppn-debug
nand-ppn-vs-debug
nand-qual
nand-queue-entries
nand-read-blocks-max
nand-read-dccycle-clks
nand-read-hold-clks
nand-readonly
nand-read-setup-clks
nand-reorder-defer-max
nand-reorder-defer-size-trigger
nand-reorder-read-promote-max
nand-reset-burnin
nand-save-rma-data
nand-set-rma
nand-sftl-cache-drain
nand-sleep-debug-panic
nand-slow-timings
nand-wearlevel-timeout-ms
nand-whiten-metadata
nand-wipe
nand-write-blocks-max
nand-write-hold-clks
nand-write-setup-clks
nbuf
ncl
net.inet6.ip6.scopedroute
net_affinity
net_rtref
network-type
-no64exec
-novfscache
panicd_port
pcp
pctb
pdmvr
pio-error
pmu-chargetrap
pmu-debug
ppn-clean
-progress
prox_enable_debug
pthtest
rd
remote_nmi
rootdev
-s
sdio.clock.base-rate
sdio.clock.sd-rate
sdio.debug.abort-init
sdio.debug.init-delay
sdio.log.flags
sdio.log.level
sdio.transfer.max-pio-blocks
sdio.transfer.max-pio-size
sdio.transfer.mode
serial
sgx_panic_on_recovery
shadev
slto_us
socket_debug
torchcltm0
usb
usb_dev_nmi
usb_dev_reset
-vnode_cache_defeat
wdt
wfi
wlan.ap.channel
wlan.debug.abort-init
wlan.debug.generate-mac
wlan.log.flags
wlan.log.level
wlan.log.timestamp
wlan.netmanager.stats-timer-interval
wlan.panic.factory
wqsize
WTE
-x

== Versions ==
iOS has consistently maintained a higher kernel version than the corresponding version of OS X. At the time of writing, OS X Mavericks' XNU is 2422, whereas iOS is 2423. This is not surprising, considering that iOS has novel features (such as [[Kernel ASLR]], the default freezer, and various security hardening features) which are first incorporated in it, and only later make it to OS X. The following demonstrates the two OS versions at present:

OS X Mavericks 10.9:

Darwin Kernel Version 13.0.0: Thu Sep 19 22:22:27 PDT 2013; root:xnu-2422.1.72~6/RELEASE_X86_64 x86_64

iOS 7.0.4:

Darwin Kernel Version 14.0.0: Fri Sep 27 23:08:32 PDT 2013; root:xnu-2423.3.12~1/RELEASE_ARM_[[S5L8960]]X

Note: The RELEASE_ARM_xxxxxxxx file obviously differs on device / CPU and the time varies by a few minutes per device.

=== Version List ===
The compilation date for each version will vary slightly between processors. This is due to the fact that compilations are sequential.
{| class="wikitable sortable" style="font-size: smaller; text-align: center;"
|-
! Version
! Build
! Comment
|-
| [[Alpine 1A420 (iPhone)|1A420]]
| Darwin Kernel Version 4.4.2-Purple-19: Thu Mar 8 01:43:04 PST 2007; root:xnu-933.0.14~46/RELEASE_ARM_S5L8900XRB
| from prototype - not sure if version is 100% correct.
|-
| 1.0
| Darwin Kernel Version 9.0.0d1: Tue May 22 21:15:54 PDT 2007; root:xnu-933.0.178/RELEASE_ARM_S5L8900XRB
| rowspan="3" | Not sure if version is 100% correct.
|-
| 1.0.1
| class="rborderplz" rowspan="2" | Darwin Kernel Version 9.0.0d1: Fri Jun 22 00:38:56 PDT 2007; root:xnu-933.1.178~1/RELEASE_ARM_S5L8900XRB
|-
| class="rborderplz" | 1.0.2
|-
| 1.1.1
| Darwin Kernel Version 9.0.0d1: Wed Sep 19 00:08:42 PDT 2007; root:xnu-933.0.203~21/RELEASE_ARM_S5L8900XRB
| First kernel that was [[8900_File_Format#8900|8900]] encrypted - not sure if version is 100% correct.
|-
| 1.1.2
| Darwin Kernel Version 9.0.0d1: Wed Oct 10 00:07:49 PDT 2007; root:xnu-933.0.204~7/RELEASE_ARM_S5L8900XRB
| Not sure if version is 100% correct.
|-
| 1.1.3
| rowspan="3" | Darwin Kernel Version 9.0.0d1: Wed Dec 12 00:16:00 PST 2007; root:xnu-933.0.211~2/RELEASE_ARM_S5L8900XRB
|
|-
| 1.1.4
|
|-
| 1.1.5
| iPod touch only
|-
| 2.0
| Darwin Kernel Version 9.3.1: Sun Jun 15 21:37:01 PDT 2008; root:xnu-1228.6.76~45/RELEASE_ARM_[[S5L8900]]X
|
|-
| 2.0.1
| ?
|
|-
| 2.0.2
| ?
|
|-
| 2.1
| ?
|
|-
| 2.1.1
| Darwin Kernel Version 9.4.1: Sun Aug 10 21:25:25 PDT 2008; root:xnu-1228.7.27~12/RELEASE_ARM_[[S5L8720]]X
|
|-
| 2.2
| Darwin Kernel Version 9.4.1: Sat Nov 1 19:13:13 PDT 2008; root:xnu-1228.7.36~2/RELEASE_ARM_[[S5L8720]]X
|
|-
| 2.2.1
| Darwin Kernel Version 9.4.1: Mon Dec 8 21:02:57 PST 2008; root:xnu-1228.7.37~4/RELEASE_ARM_[[S5L8720]]X
|
|-
| 3.0
| rowspan="2" | Darwin Kernel Version 10.0.0d3: Wed May 13 22:16:49 PDT 2009; root:xnu-1357.2.89~4/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.0.1
|
|-
| 3.1
| Darwin Kernel Version 10.0.0d3: Fri Aug 14 13:23:32 PDT 2009; root:xnu-1357.5.30~2/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.1.2
| Darwin Kernel Version 10.0.0d3: Fri Sep 25 23:35:35 PDT 2009; root:xnu-1357.5.30~3/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.1.3
| Darwin Kernel Version 10.0.0d3: Fri Dec 18 01:34:28 PST 2009; root:xnu-1357.5.30~6/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.2
| Darwin Kernel Version 10.3.1: Mon Mar 15 23:15:33 PDT 2010; root:xnu-1504.2.27~18/RELEASE_ARM_[[S5L8930]]X
| rowspan="3" | iPad Only
|-
| 3.2.1
| class="rborderplz" | Darwin Kernel Version 10.3.1: Fri May 28 16:46:17 PDT 2010; root:xnu-1504.2.50~4/RELEASE_ARM_[[S5L8930]]X
|-
| 3.2.2
| class="rborderplz" | Darwin Kernel Version 10.3.1: Wed Aug 4 19:08:04 PDT 2010; root:xnu-1504.2.60~1/RELEASE_ARM_[[S5L8930]]X
|-
| 4.0
| rowspan="2" | Darwin Kernel Version 10.3.1: Wed May 26 22:28:33 PDT 2010; root:xnu-1504.50.73~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.0.1
|
|-
| 4.0.2
| Darwin Kernel Version 10.3.1: Wed Aug 4 18:46:06 PDT 2010; root:xnu-1504.50.80~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.1
| Darwin Kernel Version 10.3.1: Wed Aug 4 22:35:51 PDT 2010; root:xnu-1504.55.33~10/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.2.1
| Darwin Kernel Version 10.4.0: Wed Oct 20 20:14:45 PDT 2010; root:xnu-1504.58.28~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3
| rowspan="2" | Darwin Kernel Version 11.0.0: Thu Feb 10 21:46:56 PST 2011; root:xnu-1735.46~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.1
|
|-
| 4.3.2
| rowspan="2" | Darwin Kernel Version 11.0.0: Wed Mar 30 18:51:10 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.3
|
|-
| 4.3.4
| rowspan="2" | Darwin Kernel Version 11.0.0: Sat Jul 9 00:59:43 PDT 2011; root:xnu-1735.47~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.5
|
|-
| 5.0
| Darwin Kernel Version 11.0.0: Thu Sep 15 23:34:43 PDT 2011; root:xnu-1878.4.43~2/RELEASE_ARM_[[S5L8940]]X
|
|-
| 5.0.1
| Darwin Kernel Version 11.0.0: Tue Nov 1 20:34:16 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_[[S5L8940]]X
|
|-
| 5.1b
| Darwin Kernel Version 11.0.0: Sun Nov 13 19:10:13 PST 2011; root:xnu-1878.10.61~7/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.1
| Darwin Kernel Version 11.0.0: Wed Feb 1 23:18:07 PST 2012; root:xnu-1878.11.8~1/RELEASE_ARM_[[S5L8945]]X
|
|-
| 5.1.1
| Darwin Kernel Version 11.0.0: Sun Apr 8 21:51:26 PDT 2012; root:xnu-1878.11.10~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0b
| Darwin Kernel Version 13.0.0: Wed May 30 19:23:03 PDT 2012; root:xnu-2107.1.78~18/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0
| Darwin Kernel Version 13.0.0: Sun Aug 19 00:31:06 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.0.1
| rowspan="2" | Darwin Kernel Version 13.0.0: Wed Oct 10 23:32:19 PDT 2012; root:xnu-2107.2.34~2/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.0.2
| iPhone 5 only.
|-
| 6.1b
| Darwin Kernel Version 13.0.0: Sun Oct 21 19:28:43 PDT 2012; root:xnu-2107.7.51~17/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1b2
| Darwin Kernel Version 13.0.0: Sun Nov 4 19:02:54 PST 2012; root:xnu-2107.7.53~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1b3
| Darwin Kernel Version 13.0.0: Mon Nov 26 21:17:13 PST 2012; root:xnu-2107.7.53~27/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1b4
| Darwin Kernel Version 13.0.0: Sun Dec 9 19:22:45 PST 2012; root:xnu-2107.7.55~6/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1b5
| rowspan="5" | Darwin Kernel Version 13.0.0: Sun Dec 16 20:01:39 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.1
|
|-
| 6.1.1b
|
|-
| 6.1.1
| iPhone 4S only
|-
| 6.1.2
|
|-
| 6.1.3b2
| rowspan="4" | Darwin Kernel Version 13.0.0: Wed Feb 13 21:36:52 PST 2013; root:xnu-2107.7.55.2.2~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1.3
|
|-
| 6.1.4
| iPhone 5 only.
|-
| 6.1.5
| iPod touch 4 only.
|-
| 7.0b
| Darwin Kernel Version 14.0.0: Wed May 29 23:53:59 PDT 2013; root:xnu-2423.1.1.1.2~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0b2
| Darwin Kernel Version 14.0.0: Mon Jun 17 00:51:51 PDT 2013; root:xnu-2423.1.28~7/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0b3
| Darwin Kernel Version 14.0.0: Mon Jul 1 04:25:28 PDT 2013; root:xnu-22423.1.40~11/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0b4
| Darwin Kernel Version 14.0.0: Mon Jul 22 02:12:11 PDT 2013; root:xnu-2423.1.55~8/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0b5
| rowspan="2" | Darwin Kernel Version 14.0.0: Sun Aug 4 22:40:14 PDT 2013; root:xnu-2423.1.70~6/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0b6
|
|-
| 7.0[[Golden Master|GM]]
| rowspan="2" | Darwin Kernel Version 14.0.0: Tue Aug 13 21:39:05 PDT 2013; root:xnu-2423.1.73~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0
|
|-
| 7.0.1
| rowspan="2" | Darwin Kernel Version 14.0.0: Mon Sep 9 20:56:02 PDT 2013; root:xnu-2423.1.74~2/RELEASE_ARM64_[[S5L8960]]X
| [[iPhone 5c]] and [[iPhone 5s|5s]] only
|-
| 7.0.2
|
|-
| 4.3.5 (Custom)
| Darwin Kernel Version 13.0.0: Fri Nov 22 18:19:54 CST 2013; root:xnu-2050.48.13~7/DEVELOPMENT_ARM_[[S5L8930]]X
| [[User:Winocm|winocm]]'s custom kernel.
|-
| 7.0.3
| rowspan="2" | Darwin Kernel Version 14.0.0: Fri Sep 27 23:08:32 PDT 2013; root:xnu-2423.3.12~1/RELEASE_ARM_[[S5L8960]]X
|
|-
| 7.0.4
|
|-
| 7.1b
| Darwin Kernel Version 14.0.0: Mon Nov 11 04:18:01 PST 2013; root:xnu-2423.10.33~9/RELEASE_ARM_[[S5L8930]]X
|
|}

== Source Code ==
As XNU is based off of the [[wikipedia:Berkeley Software Distribution|BSD kernel]], it is [http://opensource.apple.com/source/xnu open source]. The source is under a [http://opensource.apple.com/license/bsd/ 3-clause BSD License] for the original BSD portions with the portions added by Apple under the [http://opensource.apple.com/license/apsl/ Apple Public Source License]. The [[#Versions|versions contained in iOS]] are not available, instead only versions used in ''OS X'' are available. This does not appear to be legal as per §2.3 in the APSL:
2.3 Distribution of Executable Versions. In addition, if You Externally Deploy Covered
Code (Original Code and/or Modifications) in object code, executable form only, '''You must'''
'''include a prominent notice''', in the code itself as well as in related documentation, '''stating'''
'''that Source Code of the Covered Code is available''' under the terms of this License '''with'''
'''information on how and where to obtain such Source Code'''.
with ''Source Code'' defined in §1.8:
1.8 "Source Code" means the human readable form of a program or other work that is
suitable for making modifications to it, including all modules it contains, plus any
associated interface definition files, scripts used to control compilation and installation
of an executable (object code).

It is worth noting that Apple does ''not'' list XNU as being an open source component of [[iOS]]. This can be seen by viewing [http://opensource.apple.com/ opensource.apple.com] and selecting ''any'' iOS version. As far as can be told, ''none'' of the versions of XNU are available in source version.

There are many other open souce components that iOS uses that are ''not'' listed, such as:
* [http://opensource.apple.com/source/CF/ CF] ([https://developer.apple.com/library/mac/#documentation/CoreFoundation/Reference/CoreFoundation_Collection/_index.html CoreFoundation] - Cocoa)
* [http://opensource.apple.com/source/SQLite/ SQLite] ([http://www.sqlite.org/ SQLite] - database utility)
* [http://opensource.apple.com/source/TimeZoneData/ TimeZoneData] ([[wikipedia:tz database|tz database]] - [[/usr/share/zoneinfo]])
* [http://opensource.apple.com/source/curl/ curl](?) ([http://curl.haxx.se/ libcurl] - various HTTP operations)
* [http://opensource.apple.com/source/hfs/ hfs] (hfs - [[wikipedia:Hierarchical File System|HFS]] driver)
* [http://opensource.apple.com/source/launchd/ launchd] ([[launchd]] - launch daemon)
* [http://opensource.apple.com/source/libxml2/ libxml2](?) ([http://www.xmlsoft.org/ libxml2] - parser for [[wikipedia:XML|XML]] [[Property List|plist]]s)
* [http://opensource.apple.com/source/xnu/ xnu] (XNU - Kernel)
* [http://opensource.apple.com/source/zip/ zip] (zip - extraction of various files)
It does ''not'' appear that Apple assumes what you see in the ''OS X'' pages are also on ''iOS'' as [http://opensource.apple.com/source/JavaScriptCore/ JavaScriptCore], [http://opensource.apple.com/source/WebCore/ WebCore], among others are listed on both [http://opensource.apple.com/release/mac-os-x-108/ OS X] (10.8) and [http://opensource.apple.com/release/ios-60/ iOS] (6.0), albeit different versions.

It is also worth noting that [http://opensource.apple.com/source/gdb/ gdb] ([[wikipedia:GNU Compiler Collection|GCC]] debugger) and [http://opensource.apple.com/source/ld64/ ld64] are listed as components in [http://opensource.apple.com/release/ios-60/ iOS 6.0]. Why there are present is a mystery as they are not present on unaltered devices, but only through [[Cydia.app|Cydia]] or [[Xcode]]'s <code>DeveloperImage.dmg</code>.

== Kernel Extensions ==
iOS, sadly, does ''not'' have [[Kernel Extension|kext]]s floating around the [[/|file system]], but they are indeed present. The [[kernelcache]] can be unpacked to show the kernel proper, along with the kexts (all packed in the __PRELINK_TEXT section) and their [[Property List|plist]]s (in the __PRELINK_INFO section).

The Cydia supplied [[kextstat]] does not work on [[iOS]]. Sadly, the reason is that kextstat relies on <code>kmod_get_info(...)</code>, which is a deprecated (and recently removed) API in recent iOS and OS X versions. With that said, the [[Kernel Extension|kext]]s ''do'' exist. The alternative, [[kextstat#jkextstat|jkextstat]], ''does'' work on recent iOS versions. jkextstat can cause some confusion as it uses the executable name <code>kextstat</code>, similar to how calling <code>g++</code> just launches <code>gcc</code> but with parameters to treat all <code>.c</code> files as C++ files.

The following is the output from [[kextstat#jkextstat|jkextstat]] on an [[n81ap|iPod touch 4G]] running [[iOS]] 6(?):

Podicum:~ root# ./kextstat
0 __kernel__
1 kpi.bsd
2 kpi.dsep
3 kpi.iokit
4 kpi.libkern
5 kpi.mach
6 kpi.private
7 kpi.unsupported
8 driver.AppleARMPlatform <1 3 4 5 6 7>
9 iokit.IOStorageFamily <1 3 4 5 6 7>
10 driver.DiskImages <1 3 4 5 6 7 9>
11 driver.FairPlayIOKit <1 3 4 5 6 7>
12 driver.IOSlaveProcessor <3 4>
13 driver.IOP_s5l8930x_firmware <3 4 12>
14 iokit.AppleProfileFamily <1 3 4 5 6 7>
15 iokit.IOCryptoAcceleratorFamily <1 3 4 5 7>
16 driver.AppleMobileFileIntegrity <1 2 3 4 5 6 7 15>
17 iokit.IONetworkingFamily <1 3 4 5 6 7>
18 iokit.IOUserEthernet <1 3 4 5 6 16 17>
19 platform.AppleKernelStorage <3 4 7>
20 iokit.IOSurface <1 3 4 5 6 7 8>
21 iokit.IOStreamFamily <3 4 5>
22 iokit.IOAudio2Family <1 3 4 5 21>
23 driver.AppleAC3Passthrough <1 3 4 5 7 8 11 21 22>
24 iokit.EncryptedBlockStorage <1 3 4 5 9 15>
25 iokit.IOFlashStorage <1 3 4 5 7 9 24>
26 driver.AppleEffaceableStorage <1 3 4 5 7 8 25>
27 driver.AppleKeyStore <1 3 4 5 6 7 15 16 26>
28 kext.AppleMatch <1 4>
29 security.sandbox <1 2 3 4 5 6 7 16 28>
30 driver.AppleS5L8930X <1 3 4 5 7 8>
31 iokit.IOHIDFamily <1 3 4 5 6 7 16>
32 driver.AppleM68Buttons <1 3 4 5 7 8 31>
33 iokit.IOUSBDeviceFamily <1 3 4 5>
34 iokit.IOSerialFamily <1 3 4 5 6 7>
35 driver.AppleOnboardSerial <1 3 4 5 7 34>
36 iokit.IOAccessoryManager <3 4 5 7 8 33 34 35>
37 driver.AppleProfileTimestampAction <1 3 4 5 14>
38 driver.AppleProfileThreadInfoAction <1 3 4 6 14>
39 driver.AppleProfileKEventAction <1 3 4 14>
40 driver.AppleProfileRegisterStateAction <1 3 4 14>
41 driver.AppleProfileCallstackAction <1 3 4 5 6 14>
42 driver.AppleProfileReadCounterAction <3 4 6 14>
43 driver.AppleARMPL192VIC <3 4 5 7 8>
44 driver.AppleCDMA <1 3 4 5 7 8 15>
45 driver.IODARTFamily <3 4 5>
46 driver.AppleS5L8930XDART <1 3 4 5 7 8 45>
47 iokit.IOSDIOFamily <1 3 4 5 7>
48 driver.AppleIOPSDIO <1 3 4 5 7 8 12 47>
49 driver.AppleIOPFMI <1 3 4 5 7 8 12 25>
50 driver.AppleSamsungSPI <1 3 4 5 7 8>
51 driver.AppleSamsungSerial <1 3 4 5 7 8 34 35>
52 driver.AppleSamsungPKE <3 4 5 7 8 15>
53 driver.AppleS5L8920X <1 3 4 5 7 8>
54 driver.AppleSamsungI2S <1 3 4 5 7 8>
55 driver.AppleEmbeddedUSB <1 3 4 5 7 8>
56 driver.AppleS5L8930XUSBPhy <1 3 4 5 7 8 55>
57 iokit.IOUSBFamily <1 3 4 5 7>
58 driver.AppleUSBEHCI <1 3 4 5 7 57>
59 driver.AppleUSBComposite <1 3 4 57>
60 driver.AppleEmbeddedUSBHost <1 3 4 5 7 55 57 59>
61 driver.AppleUSBOHCI <1 3 4 5 57>
62 driver.AppleUSBOHCIARM <3 4 5 8 55 57 60 61>
63 driver.AppleUSBHub <1 3 4 5 57>
64 driver.AppleUSBEHCIARM <3 4 5 8 55 57 58 60 63>
65 driver.AppleS5L8930XUSB <1 3 4 5 7 8 55 57 58 60 61 62 64>
66 driver.AppleARM7M <3 4 8 12>
67 driver.EmbeddedIOP <3 4 5 12>
68 driver.AppleVXD375 <1 3 4 5 7 8 11>
69 driver.AppleD1815PMU <1 3 4 5 7 8 31>
70 iokit.AppleARMIISAudio <1 3 4 5 7 22>
71 driver.AppleEmbeddedAudio <1 3 4 5 7 8 22 31 70>
72 driver.AppleCS42L59Audio <3 4 5 8 22 31 70 71>
73 driver.AppleEmbeddedAccelerometer <3 4 5 7 8 31>
74 driver.AppleEmbeddedGyro <1 3 4 5 7 8 31>
75 driver.AppleEmbeddedLightSensor <3 4 5 7 8 31>
76 iokit.IOAcceleratorFamily <1 3 4 5 7 8>
77 IMGSGX535 <1 3 4 5 7 8 76>
78 driver.H2H264VideoEncoderDriver <1 3 4 5 7 8>
79 driver.AppleJPEGDriver <1 3 4 5 7 8>
80 driver.AppleH3CameraInterface <1 3 4 5 7 8>
81 driver.AppleM2ScalerCSCDriver <1 3 4 5 7 8 45>
82 iokit.IOMobileGraphicsFamily <1 3 4 5 7 8>
83 driver.AppleDisplayPipe <1 3 4 5 7 8 82>
84 driver.AppleCLCD <1 3 4 5 7 8 82 83>
85 driver.AppleSamsungMIPIDSI <1 3 4 5 7 8>
86 driver.ApplePinotLCD <1 3 4 5 7 8>
87 driver.AppleSamsungSWI <1 3 4 5 7 8>
88 iokit.IODisplayPortFamily <1 3 4 5 6 7 22>
89 driver.AppleRGBOUT <1 3 4 5 7 8 82 83 88>
90 driver.AppleTVOut <1 3 4 5 7 8>
91 driver.AppleAMC_r2 <1 3 4 5 7 8 11 21 22>
92 driver.AppleSamsungDPTX <3 4 5 7 8 88>
93 driver.AppleSynopsysOTGDevice <1 3 4 5 7 8 33 55>
94 driver.AppleNANDFTL <1 3 4 5 7 9 25>
95 driver.AppleNANDLegacyFTL <1 3 4 5 9 25 94>
96 AppleFSCompression.AppleFSCompressionTypeZlib <1 2 3 4 6>
97 IOTextEncryptionFamily <1 3 4 5 7 11>
98 driver.AppleBSDKextStarter <3 4>
99 nke.ppp <1 3 4 5 6 7>
100 nke.l2tp <1 3 4 5 6 7 99>
101 nke.pptp <1 3 4 5 6 7 99>
102 iokit.IO80211Family <1 3 4 5 6 7 17>
103 driver.AppleBCMWLANCore <1 3 4 5 6 7 8 17 102>
104 driver.AppleBCMWLANBusInterfaceSDIO <1 3 4 5 6 7 8 47 103>
105 driver.AppleDiagnosticDataAccessReadOnly <1 3 4 5 7 8 94>
106 driver.LightweightVolumeManager <1 3 4 5 9 15 24 26>
107 driver.IOFlashNVRAM <1 3 4 5 6 7 25>
108 driver.AppleNANDFirmware <1 3 4 5 25>
109 driver.AppleImage3NORAccess <1 3 4 5 7 8 15 108>
110 driver.AppleBluetooth <1 3 4 5 7 8>
111 driver.AppleMultitouchSPI <1 3 4 5 7 8>
112 driver.AppleUSBMike <1 3 4 5 8 22 33>
113 driver.AppleUSBDeviceMux <1 3 4 5 6 7 33>
114 driver.AppleUSBEthernetDevice <1 3 4 5 6 8 17 33>

For a specific extension, e.g. SandBox, the full information (including the handy load address) is also accessible:

<code>root# ./jkextstat -b sandbox -x</code>:
<plist>
<dict>
<key>CFBundleIdentifier</key>
<string>com.apple.security.sandbox</string>
<key>CFBundleVersion</key>
<string>154.7</string>
<key>OSBundleCPUSubtype</key>
<integer>9</integer>
<key>OSBundleCPUType</key>
<integer>12</integer>
<key>OSBundleDependencies</key>
<array>
<integer>6</integer>
<integer>7</integer>
<integer>5</integer>
<integer>3</integer>
<integer>28</integer>
<integer>1</integer>
<integer>4</integer>
<integer>16</integer>
<integer>2</integer>
</array>
<key>OSBundleExecutablePath</key>
<string>/System/Library/Extensions/Sandbox.kext/Sandbox</string>
<key>OSBundleIsInterface</key>
<false/>
<key>OSBundleLoadAddress</key>
<integer>2153734144</integer>
<key>OSBundleLoadSize</key>
<integer>36864</integer>
<key>OSBundleLoadTag</key>
<integer>29</integer>
<key>OSBundleMachOHeaders</key>
<data>
zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA
AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f
VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf
X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA
AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf
gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA
AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA
AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA
AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA
AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2
TzkVrtqsgOViBQ0=
</data>
<key>OSBundlePath</key>
<string>/System/Library/Extensions/Sandbox.kext</string>
<key>OSBundlePrelinked</key>
<true/>
<key>OSBundleRetainCount</key>
<integer>0</integer>
<key>OSBundleStarted</key>
<true/>
<key>OSBundleUUID</key>
<data>
FqyDtjZPORWu2qyA5WIFDQ==
</data>
<key>OSBundleWiredSize</key>
<integer>36864</integer>
<key>OSKernelResource</key>
<false/>
</dict>
</plist>

It's also worth mentioning that, in the above listing, the OSBundleMachOHeaders (base-64 encoded binary headers) leak kernel addresses in iOS 6.0, defeating [[Kernel ASLR]]. This has been quickly fixed in iOS 6.0.1, effectively locking down iOS for the foreseeable future, thanks to security researcher [[mdowd]].

== See Also ==
* [[Kernel Syscalls]]
* [[Kernel Sysctls]]
* [[Kernel Task]]
* [[Kernel Symbols]]
* [[kdebug]]
* [[kernelcache]]
* [[Tutorial:Booting XNU on A4 Devices]]

== External Links ==
* [http://opensource.apple.com/source/xnu XNU Source] (up to latest **OS X** version)
* [[i0n1c]] on [https://media.blackhat.com/bh-us-11/Esser/BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf exploiting the kernel]
* [[User:Haifisch|Haifisch]] on [http://dylanlaws.com/Kernel101 Decrypting the iOS kernel for disassembly]
* [http://newosxbook.com/src.jl?tree=listings&file=18-1-JKextstat.c jkextstat.c]
* [http://www.amazon.com/gp/product/1118057651 OSX/iOS internals book]

Tutorial:Booting XNU on A4 Devices

2013-11-13T00:28:00Z

Winocm:

These steps will let you boot XNU on all [[A4]] devices. The tutorial was written for Macs with an iPhone 4 running iOS 6.1.3.

== Instructions ==
First you must install CTF tools etc. Follow [http://shantonu.blogspot.de/2012/07/building-xnu-for-os-x-108-mountain-lion.html these instructions] for 10.8. For 10.9, run these commands in Terminal.
$ curl -O http://opensource.apple.com/tarballs/dtrace/dtrace-118.tar.gz
$ curl -O http://opensource.apple.com/tarballs/AvailabilityVersions/AvailabilityVersions-6.tar.gz
$ git clone https://github.com/winocm/xnu
$ tar zxf dtrace-118.tar.gz
$ cd dtrace-118
$ mkdir -p obj sym dst
$ xcodebuild install -target ctfconvert -target ctfdump -target ctfmerge ARCHS="x86_64" SRCROOT=$PWD OBJROOT=$PWD/obj SYMROOT=$PWD/sym DSTROOT=$PWD/dst
$ sudo ditto $PWD/dst/usr/local /usr/local
$ cd ..
$ tar zxf AvailabilityVersions-6.tar.gz
$ cd AvailabilityVersions-6
$ mkdir -p dst
$ make install SRCROOT=$PWD DSTROOT=$PWD/dst
$ sudo ditto $PWD/dst/usr/local `xcrun -sdk / -show-sdk-path`/usr/local
$ cd ..
$ cd xnu

Now you are in the xnu folder. Know you must make it for the [[A4]].
$ make TARGET_CONFIGS="debug arm S5L8930X"

Navigate to BUILD/obj/DEBUG_ARM_S5L8930X. In this folder are many files. mach_kernel is the bootable image.

Ok now you need the 4.x IPSW for your A4 device. If you have a newer iOS version, you need the [[Firmware|IPSW for iOS 4.1]] also.

You need [[redsn0w]] in order to boot the kernel. Open Terminal and navigate to the redsn0w folder. Now you type the following commands:
$ cd redsn0w.app/Contents/MacOS
$ ./redsn0w -i <'4.1 iPSW'> -k <'mach_kernel'>

Here a example command:
$ ./redsn0w -i /Users/Louis/Desktop/iOS\:Mac\ hack/XNU_Kernel_Panic_Apple_A4-Booting/iPhone3\,1_4.1_8B117_Restore.ipsw -k /Users/Louis/Desktop/xnu/BUILD/obj/DEBUG_ARM_S5L8930X/mach_kernel

Boot-args:
<pre>
-graphics-mode Enables video console graphics boot. Enables OS X style spinner and panic dialog.
-no-cache Disable L1i and L1d data/instruction caching completely.
silence_kprintf Remove kprintf serial output.
kprintf Send all kprintf output to the video console or serial console.
symbolicate-panics Symbolicate all panic backtraces.
kernel_read_only Enable/disable kernel R-X protection.
dataconstro Override kernel const data section R-- protection.
npvhash Specify the internal PV hash value (used internally in pmap. Keep it at N^2-1.)
-panic-reboot Reboot on panics (only if the PE_halt_restart hook is installed)
-early-fb-debug Early kprintf output is sent to framebuffer, use with kprintf=1.
-avoid-uarts Avoid initializing UARTs entirely (only on S5L89xx)
-force-uarts Force initializing UARTs. (only on S5L89xx)
omapfbres Specify OMAP3530 DSS display resolution size.
</pre>

Now you must get your device into DFU Mode.

Wait a few seconds and a white screen will flashes on your iDevice. Now you see the pineapple on your iDevice. 30-60 seconds later the kernel will be booted. You'll see 'Still waiting for root device' for a while, but a kernel panic will occur if you wait more than 10-30 minutes.

And that's it.

== External Links ==
* [http://3x7r00tripper.com/bootingxnuona4.php Original tutorial]

Tutorial:Booting XNU on A4 Devices

2013-11-13T00:21:14Z

Winocm: It makes me angry if you 'maintain' a fork and never remerge it with master.

These steps will let you boot XNU on all [[A4]] devices. The tutorial was written for Macs with an iPhone 4 running iOS 6.1.3.

== Instructions ==
First you must install CTF tools etc. Follow [http://shantonu.blogspot.de/2012/07/building-xnu-for-os-x-108-mountain-lion.html these instructions] for 10.8. For 10.9, run these commands in Terminal.
$ curl -O http://opensource.apple.com/tarballs/dtrace/dtrace-118.tar.gz
$ curl -O http://opensource.apple.com/tarballs/AvailabilityVersions/AvailabilityVersions-6.tar.gz
$ git clone https://github.com/winocm/xnu
$ tar zxf dtrace-118.tar.gz
$ cd dtrace-118
$ mkdir -p obj sym dst
$ xcodebuild install -target ctfconvert -target ctfdump -target ctfmerge ARCHS="x86_64" SRCROOT=$PWD OBJROOT=$PWD/obj SYMROOT=$PWD/sym DSTROOT=$PWD/dst
$ sudo ditto $PWD/dst/usr/local /usr/local
$ cd ..
$ tar zxf AvailabilityVersions-6.tar.gz
$ cd AvailabilityVersions-6
$ mkdir -p dst
$ make install SRCROOT=$PWD DSTROOT=$PWD/dst
$ sudo ditto $PWD/dst/usr/local `xcrun -sdk / -show-sdk-path`/usr/local
$ cd ..
$ cd xnu

Now you are in the xnu folder. Know you must make it for the [[A4]].
$ make TARGET_CONFIGS="debug arm S5L8930X"

Navigate to BUILD/obj/DEBUG_ARM_S5L8930X. In this folder are many files. mach_kernel is the bootable image.

Ok now you need the 4.x IPSW for your A4 device. If you have a newer iOS version, you need the [[Firmware|IPSW for iOS 4.1]] also.

You need [[redsn0w]] in order to boot the kernel. Open Terminal and navigate to the redsn0w folder. Now you type the following commands:
$ cd redsn0w.app/Contents/MacOS
$ ./redsn0w -i <'4.1 iPSW'> -k <'mach_kernel'>

Here a example command:
$ ./redsn0w -i /Users/Louis/Desktop/iOS\:Mac\ hack/XNU_Kernel_Panic_Apple_A4-Booting/iPhone3\,1_4.1_8B117_Restore.ipsw -k /Users/Louis/Desktop/xnu/BUILD/obj/DEBUG_ARM_S5L8930X/mach_kernel

Boot-args:
-graphics-mode Enables graphics mode. Boots with an apple logo and a white spinner, kernel panics show the panic dialog

Now you must get your device into DFU Mode.

Wait a few seconds and a white screen will flashes on your iDevice. Now you see the pineapple on your iDevice. 30-60 seconds later the kernel will be booted. You'll see 'Still waiting for root device' for a while, but a kernel panic will occur if you wait more than 10-30 minutes.

And that's it.

== External Links ==
* [http://3x7r00tripper.com/bootingxnuona4.php Original tutorial]

User:Winocm

2013-09-29T20:31:00Z

Winocm:

<pre>
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:13:26 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEBUG_ARM_ARMPBA8
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:12:59 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEBUG_ARM_OMAP3530
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:14:18 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEBUG_ARM_S5L8920X
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:14:47 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEBUG_ARM_S5L8922X
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:13:52 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEBUG_ARM_S5L8930X
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:15:48 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEVELOPMENT_ARM_ARMPBA8
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:15:16 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEVELOPMENT_ARM_OMAP3530
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:16:59 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEVELOPMENT_ARM_S5L8920X
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:17:38 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEVELOPMENT_ARM_S5L8922X
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:16:22 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEVELOPMENT_ARM_S5L8930X
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:18:55 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/RELEASE_ARM_ARMPBA8
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:18:17 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/RELEASE_ARM_OMAP3530
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:20:14 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/RELEASE_ARM_S5L8920X
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:20:56 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/RELEASE_ARM_S5L8922X
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:19:34 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/RELEASE_ARM_S5L8930X
</pre>

hi

User:Winocm

2013-09-29T20:30:48Z

Winocm:

Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:13:26 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEBUG_ARM_ARMPBA8
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:12:59 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEBUG_ARM_OMAP3530
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:14:18 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEBUG_ARM_S5L8920X
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:14:47 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEBUG_ARM_S5L8922X
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:13:52 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEBUG_ARM_S5L8930X
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:15:48 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEVELOPMENT_ARM_ARMPBA8
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:15:16 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEVELOPMENT_ARM_OMAP3530
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:16:59 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEVELOPMENT_ARM_S5L8920X
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:17:38 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEVELOPMENT_ARM_S5L8922X
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:16:22 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEVELOPMENT_ARM_S5L8930X
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:18:55 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/RELEASE_ARM_ARMPBA8
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:18:17 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/RELEASE_ARM_OMAP3530
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:20:14 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/RELEASE_ARM_S5L8920X
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:20:56 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/RELEASE_ARM_S5L8922X
Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:19:34 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/RELEASE_ARM_S5L8930X

ok

Kernel

2013-09-29T20:28:45Z

Winocm: :)

The '''kernel''' of [[iOS]] is the [[wikipedia:XNU|XNU]] kernel. Pre-2.0, it was vulnerable to the [[Ramdisk Hack]] and may still be, but iBoot doesn't allow boot-args to be passed anymore. It is mapped to memory at 0x80000000, forcing a 2/2GB address separation, similar to Windows 32-bit model. On older iOS versions the separation was 3/1 (mapping the kernel at 0xC0000000), closer to the Linux model.

Note, that this is NOT like 32-bit OS X, wherein the kernel resides in its own address space, but more like OS X 64-bit, wherein CR3 is shared (albeit an address space larger by several orders of magnitude). See the appropriate [[#64-bit|section]]

== [[ASLR]] ==
{{main|Kernel ASLR}}
As of [[iOS]] 6, the kernel is subject to ASLR, much akin to Mountain Lion (OS X 10.8). This make exploitation harder as the location of kernel code cannot be known.

On production and development devices, the kernel is always stored as a statically linked [[kernelcache|cache]] stored at [[/System/Library/Caches/com.apple.kernelcaches/kernelcache]] that is decompressed and run on startup.

== Stack ==
The kernel maintains thread specific stacks by calling kernel_memory_allocate, this allocates stacks in the specified kalloc zone. The bootstrap thread has its own specific static kernel stack, which is specified by _intstack. IRQ and FIQ handlers will also have their own execution stack which is specified by _irqstack.

== Boot-Args ==
Like its OS X counterpart, iOS's XNU accepts command line arguments (though the actual passing of arguments is done by iBoot, which as of late refuses to do so). Arguments may be directed at the kernel proper, or any one of the many KExts (discussed below). The arguments of the kernel are largely the same as those of OS X.

Kexts use boot-args as well, as can be seen when disassembly by calls to PE_parse_boot_argn (usually exported, _PE_parse_boot_argn 8027A8EC on the iOS 6.1.3 kernel, discovered by [[User:Haifisch|Haifisch]]). Finding references (using IDA) reveals hundreds places in the code wherein arguments are parsed in modules, pertaining to Flash, HDMI, and [[AppleMobileFileIntegrity|AMFI]].

Here's a list of boot-args extracted with the [https://github.com/pod2g/ios_stuff/tree/master/idc-ios-boot-args IDA script] by [[User:MuscleNerd|MuscleNerd]]:

_nand-part-poison
_panicd_corename
_panicd_ip
_router_ip
acc_debug
aesdev
als_enable_debug
amfi
amfi_allow_any_signature
amfi_get_out_of_my_way
amfi_unrestrict_task_for_pid
AppleEmbeddedUSBArbitrator-debug
AppleS5L8930XUSBArbitrator-debug
AppleUSBPhy-debug
arm7m-enable-jtag
-b
backlight-level
backlight-logging
baseband-spi-sclk-period
bcom.chip.driveStrength_mA
bcom.chip.watermark
bcom.clock.sd-rate
bcom.devif.fn2-block-size
bcom.devif.rx-retries
bcom.devif.transaction-log
bcom.devif.tx-retries
bcom.feature.flags
bcom.ps.inactivity.timeout
bcom.wte.thread-priority
boot-uuid
brightness
burnin-size
cameraclocks
charger-debug
cpus
cs_debug
cs_enforcement_disable
darkwake
dart
dcc
debug
disable-usb-iap
dp_async_event_fail_hard
dp_audio_driver_level
dp_audio_driver_mask
dp_audio_interface_level
dp_audio_interface_mask
dp_controller_level
dp_controller_mask
dp_device_level
dp_device_mask
dp_display_interface_level
dp_display_interface_mask
dp_interface_level
dp_interface_mask
dp_log_level
dp_max_channel_count_lpcm
dp_max_sample_rate_lpcm
dp_max_sample_size_lpcm
dp_min_channel_count_lpcm
dp_min_sample_rate_lpcm
dp_min_sample_size_lpcm
dp_service_level
dp_service_mask
dpsm
dvb
dvc
dvd
effaceable-enable-full-scan
effaceable-enable-wipe
enable-acsleep
fairshare_minblockedtime
fill
fixedpriority_quantum
fix-parity
force-usb-host
force-usb-power
hdmi_max_channel_count_lpcm
hdmi_max_sample_rate_lpcm
hdmi_max_sample_size_lpcm
hdmi_min_channel_count_lpcm
hdmi_min_sample_rate_lpcm
hdmi_min_sample_size_lpcm
hdmi_protection_type
hp-detect-invert
hp-pop-workaround
hp-switch-force-config
hp-switch-ramp
hsic
i2c-logsize
i2c-verbose
ifa_debug
ifnet_debug
initmcl
io
iopfmi-timeout
iotrace
jpeg-log
jtag
kdp_crashdump_pkt_size
kdp_ip_addr
kdp_match_mac
kdp_match_name
keepsyms
kextlog
link_recovery_enabled
mbuf_debug
mbuf_pool
mcache_flags
mleak_sample_factor
mseg
msgbuf
mt-bytes
mt-strings
mtxspin
nand-boot-malloc
nand-check-vs
nand-commands
nand-disable-driver
nand-dump-vs-table
nand-enable-adm
nand-enable-reformat
nand-enable-yaftl
nand-erase
nand-erase-install
nand-fbbt-publish
nand-force-restore
nand-idle-timeout-ms
nand-ignore-ptab
nand-index-cache-size
nand-latency-us
nand-max-pages
nand-neuralize
nand-nvram-debug
nand-ppn-debug
nand-ppn-vs-debug
nand-qual
nand-queue-entries
nand-read-blocks-max
nand-read-dccycle-clks
nand-read-hold-clks
nand-readonly
nand-read-setup-clks
nand-reorder-defer-max
nand-reorder-defer-size-trigger
nand-reorder-read-promote-max
nand-reset-burnin
nand-save-rma-data
nand-set-rma
nand-sftl-cache-drain
nand-sleep-debug-panic
nand-slow-timings
nand-wearlevel-timeout-ms
nand-whiten-metadata
nand-wipe
nand-write-blocks-max
nand-write-hold-clks
nand-write-setup-clks
nbuf
ncl
net.inet6.ip6.scopedroute
net_affinity
net_rtref
network-type
-no64exec
-novfscache
panicd_port
pcp
pctb
pdmvr
pio-error
pmu-chargetrap
pmu-debug
ppn-clean
-progress
prox_enable_debug
pthtest
rd
remote_nmi
rootdev
-s
sdio.clock.base-rate
sdio.clock.sd-rate
sdio.debug.abort-init
sdio.debug.init-delay
sdio.log.flags
sdio.log.level
sdio.transfer.max-pio-blocks
sdio.transfer.max-pio-size
sdio.transfer.mode
serial
sgx_panic_on_recovery
shadev
slto_us
socket_debug
torchcltm0
usb
usb_dev_nmi
usb_dev_reset
-vnode_cache_defeat
wdt
wfi
wlan.ap.channel
wlan.debug.abort-init
wlan.debug.generate-mac
wlan.log.flags
wlan.log.level
wlan.log.timestamp
wlan.netmanager.stats-timer-interval
wlan.panic.factory
wqsize
WTE
-x

== Versions ==
iOS has consistently maintained a higher kernel version than the corresponding version of OS X. At the time of writing, OS X Mountain Lion's XNU is 20xx, whereas iOS is 24xx. This is not surprising, considering that iOS has novel features (such as [[Kernel ASLR]], the default freezer, and various security hardening features) which are first incorporated in it, and only later make it to OS X. The following demonstrates the two OS versions at present:

OS X Mountain Lion 10.8.5:

Darwin Kernel Version 12.5.0: Mon Jul 29 16:33:49 PDT 2013; root:xnu-2050.48.11~1/RELEASE_X86_64 x86_64

iOS 7.0
Darwin Kernel Version 14.0.0: Tue Aug 13 21:39:05 PDT 2013; root:xnu-2423.1.73~3/RELEASE_ARM_[[S5L8930]]X

Note: The RELEASE_ARM_xxxxxxxx file obviously differs on device / CPU and the time varies by a few minutes per device.

=== Version List ===

{| class="wikitable sortable" style="font-size: smaller; text-align: center;"
|-
! Version
! Build
! Comment
|-
| [[Alpine 1A420 (iPhone)|1A420]]
| Darwin Kernel Version 4.4.2-Purple-19: Thu Mar 8 01:43:04 PST 2007; root:xnu-933.0.14~46/RELEASE_ARM_S5L8900XRB
| from prototype - not sure if 100% correct.
|-
| 1.0
| ?
|
|-
| 1.0.1
| ?
|
|-
| 1.0.2
| ?
|
|-
| 1.1.1
| ?
|
|-
| 1.1.2
| ?
|
|-
| 1.1.3
| ?
|
|-
| 1.1.4
| ?
|
|-
| 1.1.5
| ?
| iPod touch only
|-
| 2.0
| Darwin Kernel Version 9.3.1: Sun Jun 15 21:37:01 PDT 2008; root:xnu-1228.6.76~45/RELEASE_ARM_[[S5L8900]]X
|
|-
| 2.0.1
| ?
|
|-
| 2.0.2
| ?
|
|-
| 2.1
| ?
|
|-
| 2.1.1
| Darwin Kernel Version 9.4.1: Sun Aug 10 21:25:25 PDT 2008; root:xnu-1228.7.27~12/RELEASE_ARM_[[S5L8720]]X
|
|-
| 2.2
| Darwin Kernel Version 9.4.1: Sat Nov 1 19:13:13 PDT 2008; root:xnu-1228.7.36~2/RELEASE_ARM_[[S5L8720]]X
|
|-
| 2.2.1
| Darwin Kernel Version 9.4.1: Mon Dec 8 21:02:57 PST 2008; root:xnu-1228.7.37~4/RELEASE_ARM_[[S5L8720]]X
|
|-
| 3.0
| rowspan="2" | Darwin Kernel Version 10.0.0d3: Wed May 13 22:16:49 PDT 2009; root:xnu-1357.2.89~4/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.0.1
|
|-
| 3.1
| Darwin Kernel Version 10.0.0d3: Fri Aug 14 13:23:32 PDT 2009; root:xnu-1357.5.30~2/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.1.2
| Darwin Kernel Version 10.0.0d3: Fri Sep 25 23:35:35 PDT 2009; root:xnu-1357.5.30~3/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.1.3
| Darwin Kernel Version 10.0.0d3: Fri Dec 18 01:34:28 PST 2009; root:xnu-1357.5.30~6/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.2
| Darwin Kernel Version 10.3.1: Mon Mar 15 23:15:33 PDT 2010; root:xnu-1504.2.27~18/RELEASE_ARM_[[S5L8930]]X
| iPad Only
|-
| 3.2.1
| Darwin Kernel Version 10.3.1: Fri May 28 16:46:17 PDT 2010; root:xnu-1504.2.50~4/RELEASE_ARM_[[S5L8930]]X
| iPad Only
|-
| 3.2.2
| Darwin Kernel Version 10.3.1: Wed Aug 4 19:08:04 PDT 2010; root:xnu-1504.2.60~1/RELEASE_ARM_[[S5L8930]]X
| iPad Only
|-
| 4.0
| rowspan="2" | Darwin Kernel Version 10.3.1: Wed May 26 22:28:33 PDT 2010; root:xnu-1504.50.73~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.0.1
|
|-
| 4.0.2
| Darwin Kernel Version 10.3.1: Wed Aug 4 18:46:06 PDT 2010; root:xnu-1504.50.80~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.1
| Darwin Kernel Version 10.3.1: Wed Aug 4 22:35:51 PDT 2010; root:xnu-1504.55.33~10/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.2.1
| Darwin Kernel Version 10.4.0: Wed Oct 20 20:14:45 PDT 2010; root:xnu-1504.58.28~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3
| rowspan="2" | Darwin Kernel Version 11.0.0: Thu Feb 10 21:46:56 PST 2011; root:xnu-1735.46~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.1
|
|-
| 4.3.2
| Darwin Kernel Version 11.0.0: Wed Mar 30 18:51:10 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.3
| Darwin Kernel Version 11.0.0: Wed Mar 30 18:44:45 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_[[S5L8920]]X
|
|-
| 4.3.4
| rowspan="2" | Darwin Kernel Version 11.0.0: Sat Jul 9 00:59:43 PDT 2011; root:xnu-1735.47~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.5
|
|-
| 5.0
| Darwin Kernel Version 11.0.0: Thu Sep 15 23:34:43 PDT 2011; root:xnu-1878.4.43~2/RELEASE_ARM_[[S5L8940]]X
|
|-
| 5.0.1
| Darwin Kernel Version 11.0.0: Tue Nov 1 20:34:16 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_[[S5L8940]]X
|
|-
| 5.1b
| Darwin Kernel Version 11.0.0: Sun Nov 13 19:10:13 PST 2011; root:xnu-1878.10.61~7/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.1
| Darwin Kernel Version 11.0.0: Wed Feb 1 23:18:07 PST 2012; root:xnu-1878.11.8~1/RELEASE_ARM_[[S5L8945]]X
|
|-
| 5.1.1
| Darwin Kernel Version 11.0.0: Sun Apr 8 21:51:26 PDT 2012; root:xnu-1878.11.10~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0b
| Darwin Kernel Version 13.0.0: Wed May 30 19:23:03 PDT 2012; root:xnu-2107.1.78~18/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0
| Darwin Kernel Version 13.0.0: Sun Aug 19 00:31:06 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.0.1
| Darwin Kernel Version 13.0.0: Wed Oct 10 23:29:02 PDT 2012; root:xnu-2107.2.34~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0.2
| Darwin Kernel Version 13.0.0: Wed Oct 10 23:32:19 PDT 2012; root:xnu-2107.2.34~2/RELEASE_ARM_[[S5L8950]]X
| iPhone 5 only.
|-
| 6.1b
| Darwin Kernel Version 13.0.0: Sun Oct 21 19:28:43 PDT 2012; root:xnu-2107.7.51~17/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1b2
| Darwin Kernel Version 13.0.0: Sun Nov 4 19:02:54 PST 2012; root:xnu-2107.7.53~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1b3
| Darwin Kernel Version 13.0.0: Mon Nov 26 21:17:13 PST 2012; root:xnu-2107.7.53~27/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1b4
| Darwin Kernel Version 13.0.0: Sun Dec 9 19:22:45 PST 2012; root:xnu-2107.7.55~6/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1b5
| Darwin Kernel Version 13.0.0: Sun Dec 16 19:58:12 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1
| Darwin Kernel Version 13.0.0: Sun Dec 16 20:01:39 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.1.1b
| rowspan="3" | Darwin Kernel Version 13.0.0: Sun Dec 16 19:58:12 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1.1
| iPhone 4S only
|-
| 6.1.2
|
|-
| 6.1.3b2
| rowspan="2" | Darwin Kernel Version 13.0.0: Wed Feb 13 21:36:52 PST 2013; root:xnu-2107.7.55.2.2~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1.3
|
|-
| 6.1.4
| Darwin Kernel Version 13.0.0: Wed Feb 13 21:40:10 PST 2013; root:xnu-2107.7.55.2.2~1/RELEASE_ARM_[[S5L8950]]X
| iPhone 5 only.
|-
| 7.0b
| Darwin Kernel Version 14.0.0: Wed May 29 23:53:59 PDT 2013; root:xnu-2423.1.1.1.2~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0b2
| Darwin Kernel Version 14.0.0: Mon Jun 17 00:51:51 PDT 2013; root:xnu-2423.1.28~7/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0b3
| Darwin Kernel Version 14.0.0: Mon Jul 1 04:25:28 PDT 2013; root:xnu-22423.1.40~11/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0b4
| Darwin Kernel Version 14.0.0: Mon Jul 22 02:12:11 PDT 2013; root:xnu-2423.1.55~8/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0b5
| rowspan="2" | Darwin Kernel Version 14.0.0: Sun Aug 4 22:40:14 PDT 2013; root:xnu-2423.1.70~6/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0b6
|
|-
| 7.0[[Golden Master|GM]]
| rowspan="2" | Darwin Kernel Version 14.0.0: Tue Aug 13 21:39:05 PDT 2013; root:xnu-2423.1.73~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 7.0
|
|-
| 7.0.1
| Darwin Kernel Version 14.0.0: Mon Sep 9 20:56:02 PDT 2013; root:xnu-2423.1.74~2/RELEASE_ARM64_[[S5L8960]]X
| [[iPhone 5c]] and [[iPhone 5s|5s]] only
|-
| 7.0.2
| Darwin Kernel Version 14.0.0: Mon Sep 9 20:56:45 PDT 2013; root:xnu-2423.1.74~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.5 (Custom)
| Darwin Kernel Version 12.4.0d1: Sun Sep 29 12:16:22 CDT 2013; root(rmss-MacBook-Pro.local):xnu-2050.24.16.1.obj~1/DEVELOPMENT_ARM_[[S5L8930]]X
|
|}

== Source Code ==
As XNU is based off of the [[wikipedia:Berkeley Software Distribution|BSD kernel]], it is [http://opensource.apple.com/source/xnu open source]. The source is under a [http://opensource.apple.com/license/bsd/ 3-clause BSD License] for the original BSD portions with the portions added by Apple under the [http://opensource.apple.com/license/apsl/ Apple Public Source License]. The [[#Versions|versions contained in iOS]] are not available, instead only versions used in ''OS X'' are available. This does not appear to be legal as per §2.3 in the APSL:
2.3 Distribution of Executable Versions. In addition, if You Externally Deploy Covered
Code (Original Code and/or Modifications) in object code, executable form only, '''You must'''
'''include a prominent notice''', in the code itself as well as in related documentation, '''stating'''
'''that Source Code of the Covered Code is available''' under the terms of this License '''with'''
'''information on how and where to obtain such Source Code'''.
with ''Source Code'' defined in §1.8:
1.8 "Source Code" means the human readable form of a program or other work that is
suitable for making modifications to it, including all modules it contains, plus any
associated interface definition files, scripts used to control compilation and installation
of an executable (object code).

It is worth noting that Apple does ''not'' list XNU as being an open source component of [[iOS]]. This can be seen by viewing [http://opensource.apple.com/ opensource.apple.com] and selecting ''any'' iOS version. As far as can be told, ''none'' of the versions of XNU are available in source version.

There are many other open souce components that iOS uses that are ''not'' listed, such as:
* [http://opensource.apple.com/source/CF/ CF] ([https://developer.apple.com/library/mac/#documentation/CoreFoundation/Reference/CoreFoundation_Collection/_index.html CoreFoundation] - Cocoa)
* [http://opensource.apple.com/source/SQLite/ SQLite] ([http://www.sqlite.org/ SQLite] - database utility)
* [http://opensource.apple.com/source/TimeZoneData/ TimeZoneData] ([[wikipedia:tz database|tz database]] - [[/usr/share/zoneinfo]])
* [http://opensource.apple.com/source/curl/ curl](?) ([http://curl.haxx.se/ libcurl] - various HTTP operations)
* [http://opensource.apple.com/source/hfs/ hfs] (hfs - [[wikipedia:Hierarchical File System|HFS]] driver)
* [http://opensource.apple.com/source/launchd/ launchd] ([[launchd]] - launch daemon)
* [http://opensource.apple.com/source/libxml2/ libxml2](?) ([http://www.xmlsoft.org/ libxml2] - parser for [[wikipedia:XML|XML]] [[Property List|plist]]s)
* [http://opensource.apple.com/source/xnu/ xnu] (XNU - Kernel)
* [http://opensource.apple.com/source/zip/ zip] (zip - extraction of various files)
It does ''not'' appear that Apple assumes what you see in the ''OS X'' pages are also on ''iOS'' as [http://opensource.apple.com/source/JavaScriptCore/ JavaScriptCore], [http://opensource.apple.com/source/WebCore/ WebCore], among others are listed on both [http://opensource.apple.com/release/mac-os-x-108/ OS X] (10.8) and [http://opensource.apple.com/release/ios-60/ iOS] (6.0), albeit different versions.

It is also worth noting that [http://opensource.apple.com/source/gdb/ gdb] ([[wikipedia:GNU Compiler Collection|GCC]] debugger) and [http://opensource.apple.com/source/ld64/ ld64] are listed as components in [http://opensource.apple.com/release/ios-60/ iOS 6.0]. Why there are present is a mystery as they are not present on unaltered devices, but only through [[Cydia.app|Cydia]] or [[Xcode]]'s <code>DeveloperImage.dmg</code>.

== Kernel Extensions ==
iOS, sadly, does ''not'' have [[Kernel Extension|kext]]s floating around the [[/|file system]], but they are indeed present. The [[kernelcache]] can be unpacked to show the kernel proper, along with the kexts (all packed in the __PRELINK_TEXT section) and their [[Property List|plist]]s (in the __PRELINK_INFO section).

The Cydia supplied [[kextstat]] does not work on [[iOS]]. Sadly, the reason is that kextstat relies on <code>kmod_get_info(...)</code>, which is a deprecated (and recently removed) API in recent iOS and OS X versions. With that said, the [[Kernel Extension|kext]]s ''do'' exist. The alternative, [[kextstat#jkextstat|jkextstat]], ''does'' work on recent iOS versions. jkextstat can cause some confusion as it uses the executable name <code>kextstat</code>, similar to how calling <code>g++</code> just launches <code>gcc</code> but with parameters to treat all <code>.c</code> files as C++ files.

The following is the output from [[kextstat#jkextstat|jkextstat]] on an [[n81ap|iPod touch 4G]] running [[iOS]] 6(?):

Podicum:~ root# ./kextstat
0 __kernel__
1 kpi.bsd
2 kpi.dsep
3 kpi.iokit
4 kpi.libkern
5 kpi.mach
6 kpi.private
7 kpi.unsupported
8 driver.AppleARMPlatform <1 3 4 5 6 7>
9 iokit.IOStorageFamily <1 3 4 5 6 7>
10 driver.DiskImages <1 3 4 5 6 7 9>
11 driver.FairPlayIOKit <1 3 4 5 6 7>
12 driver.IOSlaveProcessor <3 4>
13 driver.IOP_s5l8930x_firmware <3 4 12>
14 iokit.AppleProfileFamily <1 3 4 5 6 7>
15 iokit.IOCryptoAcceleratorFamily <1 3 4 5 7>
16 driver.AppleMobileFileIntegrity <1 2 3 4 5 6 7 15>
17 iokit.IONetworkingFamily <1 3 4 5 6 7>
18 iokit.IOUserEthernet <1 3 4 5 6 16 17>
19 platform.AppleKernelStorage <3 4 7>
20 iokit.IOSurface <1 3 4 5 6 7 8>
21 iokit.IOStreamFamily <3 4 5>
22 iokit.IOAudio2Family <1 3 4 5 21>
23 driver.AppleAC3Passthrough <1 3 4 5 7 8 11 21 22>
24 iokit.EncryptedBlockStorage <1 3 4 5 9 15>
25 iokit.IOFlashStorage <1 3 4 5 7 9 24>
26 driver.AppleEffaceableStorage <1 3 4 5 7 8 25>
27 driver.AppleKeyStore <1 3 4 5 6 7 15 16 26>
28 kext.AppleMatch <1 4>
29 security.sandbox <1 2 3 4 5 6 7 16 28>
30 driver.AppleS5L8930X <1 3 4 5 7 8>
31 iokit.IOHIDFamily <1 3 4 5 6 7 16>
32 driver.AppleM68Buttons <1 3 4 5 7 8 31>
33 iokit.IOUSBDeviceFamily <1 3 4 5>
34 iokit.IOSerialFamily <1 3 4 5 6 7>
35 driver.AppleOnboardSerial <1 3 4 5 7 34>
36 iokit.IOAccessoryManager <3 4 5 7 8 33 34 35>
37 driver.AppleProfileTimestampAction <1 3 4 5 14>
38 driver.AppleProfileThreadInfoAction <1 3 4 6 14>
39 driver.AppleProfileKEventAction <1 3 4 14>
40 driver.AppleProfileRegisterStateAction <1 3 4 14>
41 driver.AppleProfileCallstackAction <1 3 4 5 6 14>
42 driver.AppleProfileReadCounterAction <3 4 6 14>
43 driver.AppleARMPL192VIC <3 4 5 7 8>
44 driver.AppleCDMA <1 3 4 5 7 8 15>
45 driver.IODARTFamily <3 4 5>
46 driver.AppleS5L8930XDART <1 3 4 5 7 8 45>
47 iokit.IOSDIOFamily <1 3 4 5 7>
48 driver.AppleIOPSDIO <1 3 4 5 7 8 12 47>
49 driver.AppleIOPFMI <1 3 4 5 7 8 12 25>
50 driver.AppleSamsungSPI <1 3 4 5 7 8>
51 driver.AppleSamsungSerial <1 3 4 5 7 8 34 35>
52 driver.AppleSamsungPKE <3 4 5 7 8 15>
53 driver.AppleS5L8920X <1 3 4 5 7 8>
54 driver.AppleSamsungI2S <1 3 4 5 7 8>
55 driver.AppleEmbeddedUSB <1 3 4 5 7 8>
56 driver.AppleS5L8930XUSBPhy <1 3 4 5 7 8 55>
57 iokit.IOUSBFamily <1 3 4 5 7>
58 driver.AppleUSBEHCI <1 3 4 5 7 57>
59 driver.AppleUSBComposite <1 3 4 57>
60 driver.AppleEmbeddedUSBHost <1 3 4 5 7 55 57 59>
61 driver.AppleUSBOHCI <1 3 4 5 57>
62 driver.AppleUSBOHCIARM <3 4 5 8 55 57 60 61>
63 driver.AppleUSBHub <1 3 4 5 57>
64 driver.AppleUSBEHCIARM <3 4 5 8 55 57 58 60 63>
65 driver.AppleS5L8930XUSB <1 3 4 5 7 8 55 57 58 60 61 62 64>
66 driver.AppleARM7M <3 4 8 12>
67 driver.EmbeddedIOP <3 4 5 12>
68 driver.AppleVXD375 <1 3 4 5 7 8 11>
69 driver.AppleD1815PMU <1 3 4 5 7 8 31>
70 iokit.AppleARMIISAudio <1 3 4 5 7 22>
71 driver.AppleEmbeddedAudio <1 3 4 5 7 8 22 31 70>
72 driver.AppleCS42L59Audio <3 4 5 8 22 31 70 71>
73 driver.AppleEmbeddedAccelerometer <3 4 5 7 8 31>
74 driver.AppleEmbeddedGyro <1 3 4 5 7 8 31>
75 driver.AppleEmbeddedLightSensor <3 4 5 7 8 31>
76 iokit.IOAcceleratorFamily <1 3 4 5 7 8>
77 IMGSGX535 <1 3 4 5 7 8 76>
78 driver.H2H264VideoEncoderDriver <1 3 4 5 7 8>
79 driver.AppleJPEGDriver <1 3 4 5 7 8>
80 driver.AppleH3CameraInterface <1 3 4 5 7 8>
81 driver.AppleM2ScalerCSCDriver <1 3 4 5 7 8 45>
82 iokit.IOMobileGraphicsFamily <1 3 4 5 7 8>
83 driver.AppleDisplayPipe <1 3 4 5 7 8 82>
84 driver.AppleCLCD <1 3 4 5 7 8 82 83>
85 driver.AppleSamsungMIPIDSI <1 3 4 5 7 8>
86 driver.ApplePinotLCD <1 3 4 5 7 8>
87 driver.AppleSamsungSWI <1 3 4 5 7 8>
88 iokit.IODisplayPortFamily <1 3 4 5 6 7 22>
89 driver.AppleRGBOUT <1 3 4 5 7 8 82 83 88>
90 driver.AppleTVOut <1 3 4 5 7 8>
91 driver.AppleAMC_r2 <1 3 4 5 7 8 11 21 22>
92 driver.AppleSamsungDPTX <3 4 5 7 8 88>
93 driver.AppleSynopsysOTGDevice <1 3 4 5 7 8 33 55>
94 driver.AppleNANDFTL <1 3 4 5 7 9 25>
95 driver.AppleNANDLegacyFTL <1 3 4 5 9 25 94>
96 AppleFSCompression.AppleFSCompressionTypeZlib <1 2 3 4 6>
97 IOTextEncryptionFamily <1 3 4 5 7 11>
98 driver.AppleBSDKextStarter <3 4>
99 nke.ppp <1 3 4 5 6 7>
100 nke.l2tp <1 3 4 5 6 7 99>
101 nke.pptp <1 3 4 5 6 7 99>
102 iokit.IO80211Family <1 3 4 5 6 7 17>
103 driver.AppleBCMWLANCore <1 3 4 5 6 7 8 17 102>
104 driver.AppleBCMWLANBusInterfaceSDIO <1 3 4 5 6 7 8 47 103>
105 driver.AppleDiagnosticDataAccessReadOnly <1 3 4 5 7 8 94>
106 driver.LightweightVolumeManager <1 3 4 5 9 15 24 26>
107 driver.IOFlashNVRAM <1 3 4 5 6 7 25>
108 driver.AppleNANDFirmware <1 3 4 5 25>
109 driver.AppleImage3NORAccess <1 3 4 5 7 8 15 108>
110 driver.AppleBluetooth <1 3 4 5 7 8>
111 driver.AppleMultitouchSPI <1 3 4 5 7 8>
112 driver.AppleUSBMike <1 3 4 5 8 22 33>
113 driver.AppleUSBDeviceMux <1 3 4 5 6 7 33>
114 driver.AppleUSBEthernetDevice <1 3 4 5 6 8 17 33>

For a specific extension, e.g. SandBox, the full information (including the handy load address) is also accessible:

<code>root# ./jkextstat -b sandbox -x</code>:
<plist>
<dict>
<key>CFBundleIdentifier</key>
<string>com.apple.security.sandbox</string>
<key>CFBundleVersion</key>
<string>154.7</string>
<key>OSBundleCPUSubtype</key>
<integer>9</integer>
<key>OSBundleCPUType</key>
<integer>12</integer>
<key>OSBundleDependencies</key>
<array>
<integer>6</integer>
<integer>7</integer>
<integer>5</integer>
<integer>3</integer>
<integer>28</integer>
<integer>1</integer>
<integer>4</integer>
<integer>16</integer>
<integer>2</integer>
</array>
<key>OSBundleExecutablePath</key>
<string>/System/Library/Extensions/Sandbox.kext/Sandbox</string>
<key>OSBundleIsInterface</key>
<false/>
<key>OSBundleLoadAddress</key>
<integer>2153734144</integer>
<key>OSBundleLoadSize</key>
<integer>36864</integer>
<key>OSBundleLoadTag</key>
<integer>29</integer>
<key>OSBundleMachOHeaders</key>
<data>
zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA
AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f
VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf
X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA
AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf
gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA
AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA
AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA
AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA
AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2
TzkVrtqsgOViBQ0=
</data>
<key>OSBundlePath</key>
<string>/System/Library/Extensions/Sandbox.kext</string>
<key>OSBundlePrelinked</key>
<true/>
<key>OSBundleRetainCount</key>
<integer>0</integer>
<key>OSBundleStarted</key>
<true/>
<key>OSBundleUUID</key>
<data>
FqyDtjZPORWu2qyA5WIFDQ==
</data>
<key>OSBundleWiredSize</key>
<integer>36864</integer>
<key>OSKernelResource</key>
<false/>
</dict>
</plist>

It's also worth mentioning that, in the above listing, the OSBundleMachOHeaders (base-64 encoded binary headers) leak kernel addresses in iOS 6.0, defeating [[Kernel ASLR]]. This has been quickly fixed in iOS 6.0.1, effectively locking down iOS for the foreseeable future, thanks to security researcher [[mdowd]].

== See Also ==
* [[Kernel Syscalls]]
* [[Kernel Sysctls]]
* [[Kernel Task]]
* [[Kernel Symbols]]
* [[kdebug]]
* [[kernelcache]]

== External Links ==
* [http://opensource.apple.com/source/xnu XNU Source] (up to latest **OS X** version)
* [[i0n1c]] on [https://media.blackhat.com/bh-us-11/Esser/BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf exploiting the kernel]
* [[User:Haifisch|Haifisch]] on [http://dylanlaws.com/Kernel101 Decrypting the iOS kernel for disassembly]
* [http://newosxbook.com/src.jl?tree=listings&file=18-1-JKextstat.c jkextstat.c]
* [http://www.amazon.com/gp/product/1118057651 OSX/iOS internals book]

Image3maker

2013-08-25T16:28:54Z

Winocm: Created page with "{{DISPLAYTITLE:image3maker}} This tool is used to create Image3 files from arbitrary data. Additionally, it supports image versioning, setting the chip/security epoch, ECID, ..."

{{DISPLAYTITLE:image3maker}}

This tool is used to create Image3 files from arbitrary data. Additionally, it supports image versioning, setting the chip/security epoch, ECID, and so on for images.

AES functionality is not implemented yet, and neither is certificate stitching.

== Usage ==
<pre>
Usage: image3maker [options]

Generate an Image3 file.

-c, --certificateBlob [file] Use file as a certificate to add to the image.
-f, --dataFile [file] Use file as an input. (required)
-t, --imageTag [tag] 4-byte ASCII tag for image (required)
-s, --imageSecurityEpoch [epoch] Set epoch
Valid epochs are: s5l8920x, s5l8922x, s5l8930x
s5l8940x, s5l8942x, s5l8947x
s5l8950x, s5l8955x, s5l8747x
-v, --imageVersion [version] Set version string
-d, --imageDomain [securityDomain] Set specified security domain (manufacturer/Darwin)
-p, --imageProduction [prodValue] Mark image production value (production/development)
-h, --hardwareEpoch [epoch] Set chip epoch
-y, --chipType [chipType] Set chip type
-b, --boardType [boardType] Set board type
-e, --uniqueIdentifier [uniqueID] Set ECID for image
-a, --aesKey [aesKey] Set AES key for image encryption (implies -i/--aesIv)
-i, --aesIv [aesIv] Set AES IV for image encryption (implies -a/--aesKey)
-o, --outputFile [file] Output image3 file

Only AES256 keybags are supported by this program right now.
Have fun using this thingy. (ALL VALUES FOR THINGS SHOULD BE IN HEX!!!)</pre>

== Links ==
*[https://github.com/winocm/image3maker github link]

[[Category:Hacking Software]]

CVE-2013-0964

2013-08-18T15:43:49Z

Winocm:

'''CVE-2013-0964''' is an [[exploit|vulnerability]] in the [[kernel]] of [[iOS]]. It was initially discovered by [[mdowd|Mark Dowd]] and [[kernelpool|Tarjei Mandt]] who presented it at [[HiTB]] 2012 in Kuala Lumpur. This vulnerability allows userland processes access to the first page of the kernel, because the <code>copyin</code> and <code>copyout</code> arguments were not checked for their range when the length is small enough. Apple patched the vulnerability in iOS 6.1.

== Credit ==
* [[mdowd|Mark Dowd]]
* [[kernelpool|Tarjei Mandt]]

== Apple's description ==
<cite>
Impact: A user-mode process may be able to access the first page of kernel memory 
Description: The iOS kernel has checks to validate that the user-mode pointer and length passed to the copyin and copyout functions would not result in a user-mode process being able to directly access kernel memory. The checks were not being used if the length was smaller than one page. This issue was addressed through additional validation of the arguments to copyin and copyout.
</cite>

== Jailbreak ==
[[User:Planetbeing|planetbeing]] states that he worked out a nice [[jailbreak]] for it, that will never see the light of day. [[i0n1c]] responded that it is difficult to exploit it in a stable way and he would like to see a description for it.

== First page of memory ==
The first page of kernel memory (and eDRAM) contains the sleep token. The sleep token is used from LLB to resume the system and restore its context accordingly. To jump back to the kernel, the LLB checks for the 'MOSX,SUSP' signature in the image and then calls 'jump_to' to exit the bootloader and return control to the OS.

== Process ==
TODO: Describe copyin/copyout functions and the fix in detail.

TODO: Describe how this can get exploited in a stable way.

== References ==
# [http://support.apple.com/kb/HT5642 Apple: iOS 6.1 Software Update]

== External Links ==
* Mark Dowd & Tarjei Mandt's [http://conference.hackinthebox.org/hitbsecconf2012kul/materials/D1T2%20-%20Mark%20Dowd%20&%20Tarjei%20Mandt%20-%20iOS6%20Security.pdf iOS6 presentation at HITB 2012 KUL D1T2]
* [https://twitter.com/planetbeing/status/296050713874796544 Planetbeing saying he had a jailbreak for it]
* [https://twitter.com/i0n1c/status/296163383357620225 i0n1c saying it's difficult to exploit it stable]

{{stub|exploit}}
[[Category:Exploits]]

Application Processor

2013-08-18T15:41:35Z

Winocm:

The '''application processor''' is the technical term given to a [[wikipedia:Central processing unit|processor]] of an [[iDevice]]. There have been many [[Main Page#Application Processors|incarnations]] of processors for [[wikipedia:Apple Inc.|Apple]]'s [[iDevice|mobile devices]].

== Features ==
Each revision is an [[wikipedia:ARM architecture|ARM]] [[wikipedia:System on a chip|SoC]] tailored to the device's needs. All of Apple's SoC platforms have proprietary PowerVR graphics, public key encryption accelerators, hardware crypto and so on. The cores are mainly generic ARM ones, however, in the case of [[S5L8950|Swift]], Apple used their own core design, compatible with ARMv7-A architecture and VFPv4 floating point.

== Processor List ==
* [[S5L8900]] ([[m68ap|iPhone 2G]], [[n45ap|iPod touch 1G]], [[n82ap|iPhone 3G]])
* [[S5L8720]] ([[n72ap|iPod touch 2G]])
* [[S5L8920]] ([[n88ap|iPhone 3GS]])
* [[S5L8922]] ([[n18ap|iPod touch 3G]])
* [[S5L8930]] A4 ([[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]], [[k66ap|Apple TV 2G]])
* [[S5L8940]] A5 ([[iPad 2]], [[n94ap|iPhone 4S]])
* [[S5L8942]] A5 Rev A ([[j33ap|Apple TV 3G]], [[k93aap|iPad 2 Wi-Fi Rev A]], [[iPod touch 5G]], [[iPad mini 1G]])
* [[S5L8945]] A5X ([[iPad 3]])
* [[S5L8947]] A5 Rev B ([[j33iap|Apple TV 3G Rev A]])
* [[S5L8950]] A6 ([[iPhone 5]])
* [[S5L8955]] A6X ([[iPad 4]])

== See Also ==
* [[AES Keys]]
** [[GID Key]]
** [[UID-key]]

[[Category:Application Processors]]

SHA-1 Image Segment Overflow

2013-08-18T15:37:40Z

Winocm: That isn't SHAtter, that's steaks4uce.

'''SHA-1 Image Segment Overflow''' or '''SHAtter''' was an exploit that allowed unsigned code execution from a flaw in the bootrom. It was never used in a public jailbreak due to the exploit used in [[limera1n]] being released first. SHAtter was patched in the [[S5L8940|A5]] devices and therefore, never released.

== Compatibility ==
SHAtter only works with [[S5L8930|A4]] devices:
* [[k48ap|iPad 1G]]
* [[iPhone 4]] (both models)
* [[n81ap|iPod touch 4G]]
* [[k66ap|Apple TV 2G]]

== Credit ==
* '''vulnerability''': [[User:posixninja|posixninja]] (7 May 2010), also discovered independently by [[User:geohot|geohot]]
* '''research''': [[User:posixninja|posixninja]], [[User:pod2g|pod2g]], also [[User:MuscleNerd|MuscleNerd]]
* '''exploit''': [[User:Pod2g|pod2g]]

==Background Info==
In April 2010 [[User:pod2g|pod2g]] wrote a USB [[wikipedia:Fuzz testing|fuzzer]] and tested every single [[USB control messages|USB control message]] possible on his [[N72ap|iPod touch 2G]].
The [[wikipedia:Fuzz testing|fuzzer]] found 2 vulnerabilities:
* a heap overflow caused by [[usb_control_msg(0xA1, 1) Exploit‎|usb_control_msg(0xA1, 1)]]
* a way to dump the bootrom using USB descriptors request

The team tested these two vulnerabilities on newer devices ([[N88ap|iPhone 3GS]], [[N18ap|iPod touch 3G]], [[K48ap|iPad]]) and both were already fixed by Apple.

[[User:posixninja|posixninja]] continued the [[wikipedia:Fuzz testing|fuzzing]] on these devices and found that with a particular sequence of [[USB control messages|USB messages]] it was possible to dump the [[wikipedia:.bss|BSS]]+Heap+Stack (on new gens only).
Having a memory dump is really helpful to make exploits and it was also the first time we had this kind of dump. (Previous bootrom exploits like the [[0x24000 Segment Overflow]] were done blind!)

Also, his first attempts to dump the memory resulted in rebooting the device. Interesting! We'll see after that this reboot is the base of the [[SHA-1 Image Segment Overflow|SHAtter]] exploit.

Research began to figure out why the device would reboot. [[User:posixninja|posixninja]] found the reason and proposed different ideas to exploit this. He also reversed tons of assembly code of the bootrom in this period, giving a support discussion to the team. We're not talking about days, but months of work. So, major props to [[User:posixninja|posixninja]]: [[SHA-1 Image Segment Overflow|SHAtter]] would not have been possible without the clever vulnerability he found and the research he did on the bootrom.

In the meanwhile, [[User:pod2g|pod2g]] helped on the USB reversing side and found a way to have more control over the size of the USB packets sent. The finer-grained control of the packet sizes is the key of [[SHA-1 Image Segment Overflow|SHAtter]].

[[User:posixninja|posixninja]] and [[User:pod2g|pod2g]] worked on exploiting the vulnerability for days. Every attempt was a failure because the idea to attack the stack and bypass the [[IMG File Format|IMG3]] control routines was just impossible. It took them weeks to understand why they failed and why they couldn't exploit it this way.

They both gave up in July and focused on other subjects.

== Vulnerability ==
Explanation by [[p0sixninja]] at [[MyGreatFest]]:

It tricked the bootrom to think the size of the image uploading was larger then what it actually was. Then when it would try to load the image, it would see that it was wrong. Then it would try to wipe out the entire image with all zeros and go past it and start wiping out bootrom.

Exploitation was done by overwriting SHA-1 registers to zeros so then when it went to check images it would copy part of image into memory address zero (where the bootrom is). It would take the image uploaded and copy it over top of the bootrom (which turns out to be writable over the data portion).

[[Category:Bootrom Exploits]]

Kernel ASLR

2013-08-13T18:07:11Z

Winocm:

The goal of Kernel ASLR is to prevent an attacker from modifying or utilizing (kernel) data at known (fixed) addresses. The strategy to implement this is two-fold:
*Randomize the kernel image base
*Randomize the base of the <code>kernel_map</code> in some sense

===Kernel Image===
The kernel image base is randomized by the boot loader ([[iBoot (Bootloader)|iBoot]]). This is done by creating random data, doing a SHA-1 hash of it and then using a byte from the SHA-1 hash for the kernel slide. The slide is calculated with this formula:

base=0x01000000+(slide_byte*0x00200000)

If the slide is 0, the static offset of 0x21000000 is used instead.

The adjusted base is passed to the kernel in the boot arguments structure at offset <code>0x04</code>, which is equivalent to gBootArgs->virtBase.

===Kernel Map===
The kernel map is used for kernel allocations of all types (<code>kalloc()</code>, <code>kernel_memory_allocate()</code>, etc.) and spans all of kernel space (<code>0x80000000</code>-<code>0xFFFEFFFF</code>). The kernel based maps are submaps of the <code>kernel_map</code>, for example <code>zone_map</code>, <code>ipc_kernel_map</code>, etc.

The strategy is to randomize the base of the <code>kernel_map</code>. A random 9-bit value is generated right after <code>kmem_init()</code> which establishes <code>kernel_map</code>, is multiplied by the page size. The resulting value is used as the size for the initial <code>kernel_map</code> allocation. Future <code>kernel_map</code> (and submap) allocations are pushed forward by a random amount. The allocation is silently removed after the first garbage collection and reused. This behaviour can be overridden with the "<code>kmapoff</code>" boot parameter.

===Attacks===
Leaking the kernel base is really useful. <code>Kext_request()</code> allows applications to request information about kernel modules, divided into active and passive operations. Active operations (load, unload, start, stop, etc.) require root access. iOS removes the ability to load kernel extensions. Passive operations were originally (before iOS6) unrestricted and allowed unprivileged users to query kernel module base addresses. iOS6 inadvertently removed some limitations; only the load address requests are disallowed. So we can use <code>kKextRequestPredicateGetLoaded</code> to get load addresses and mach-o header dumps. The load address and mach-o segment headers are obscured to hide the ASLR slide, but mach-o section headers are not. This reveals the virtual addresses of loaded kernel sections.

This information leak has been closed with iOS 6.0.1.

See also [[ARM Exception Vector Info Leak]] from the [[evasi0n]] jailbreak.

==References==
*[[ASLR]]
*[http://conference.hackinthebox.org/hitbsecconf2012kul/materials/D1T2%20-%20Mark%20Dowd%20&%20Tarjei%20Mandt%20-%20iOS6%20Security.pdf Mark Dowd & Tarjei Mandt's iOS6 presentation at HITB 2012 KUL D1T2]

Kernel

2013-08-13T18:06:38Z

Winocm:

The '''kernel''' of [[iOS]] is the [[wikipedia:XNU|XNU]] kernel. Pre-2.0, it was vulnerable to the [[Ramdisk Hack]] and may still be, but iBoot doesn't allow boot-args to be passed anymore. It is mapped to memory at 0x80000000, forcing a 2/2GB address separation, similar to Windows 32-bit model. On older iOS versions the separation was 3/1 (mapping the kernel at 0xC0000000), closer to the Linux model.

Note, that this is NOT like 32-bit OS X, wherein the kernel resides in its own address space, but more like OS X 64-bit, wherein CR3 is shared (albeit an address space larger by several orders of magnitude). See the appropriate [[#64-bit|section]]

== [[ASLR]] ==
{{main|Kernel ASLR}}
As of [[iOS]] 6, the kernel is subject to ASLR, much akin to Mountain Lion (OS X 10.8). This make exploitation harder as the location of kernel code cannot be known.

On production and development devices, the kernel is always stored as a statically linked [[kernelcache|cache]] stored at [[/System/Library/Caches/com.apple.kernelcaches/kernelcache]] that is decompressed and run on startup.

== Stack ==
The kernel maintains thread specific stacks by calling kernel_memory_allocate, this allocates stacks in the specified kalloc zone. The bootstrap thread has its own specific static kernel stack, which is specified by _intstack. IRQ and FIQ handlers will also have their own execution stack which is specified by _irqstack.

== Boot-Args ==
Like its OS X counterpart, iOS's XNU accepts command line arguments (though the actual passing of arguments is done by iBoot, which as of late refuses to do so). Arguments may be directed at the kernel proper, or any one of the many KExts (discussed below). The arguments of the kernel are largely the same as those of OS X.

Kexts use boot-args as well, as can be seen when disassembly by calls to PE_parse_boot_argn (usually exported, _PE_parse_boot_argn 8027A8EC on the iOS 6.1.3 kernel, discovered by [[User:Haifisch|Haifisch]]). Finding references (using IDA) reveals hundreds places in the code wherein arguments are parsed in modules, pertaining to Flash, HDMI, and [[AppleMobileFileIntegrity|AMFI]].

Here's a list of boot-args extracted with the [https://github.com/pod2g/ios_stuff/tree/master/idc-ios-boot-args IDA script] by [[User:MuscleNerd|MuscleNerd]]:

_nand-part-poison
_panicd_corename
_panicd_ip
_router_ip
acc_debug
aesdev
als_enable_debug
amfi
amfi_allow_any_signature
amfi_get_out_of_my_way
amfi_unrestrict_task_for_pid
AppleEmbeddedUSBArbitrator-debug
AppleS5L8930XUSBArbitrator-debug
AppleUSBPhy-debug
arm7m-enable-jtag
-b
backlight-level
backlight-logging
baseband-spi-sclk-period
bcom.chip.driveStrength_mA
bcom.chip.watermark
bcom.clock.sd-rate
bcom.devif.fn2-block-size
bcom.devif.rx-retries
bcom.devif.transaction-log
bcom.devif.tx-retries
bcom.feature.flags
bcom.ps.inactivity.timeout
bcom.wte.thread-priority
boot-uuid
brightness
burnin-size
cameraclocks
charger-debug
cpus
cs_debug
cs_enforcement_disable
darkwake
dart
dcc
debug
disable-usb-iap
dp_async_event_fail_hard
dp_audio_driver_level
dp_audio_driver_mask
dp_audio_interface_level
dp_audio_interface_mask
dp_controller_level
dp_controller_mask
dp_device_level
dp_device_mask
dp_display_interface_level
dp_display_interface_mask
dp_interface_level
dp_interface_mask
dp_log_level
dp_max_channel_count_lpcm
dp_max_sample_rate_lpcm
dp_max_sample_size_lpcm
dp_min_channel_count_lpcm
dp_min_sample_rate_lpcm
dp_min_sample_size_lpcm
dp_service_level
dp_service_mask
dpsm
dvb
dvc
dvd
effaceable-enable-full-scan
effaceable-enable-wipe
enable-acsleep
fairshare_minblockedtime
fill
fixedpriority_quantum
fix-parity
force-usb-host
force-usb-power
hdmi_max_channel_count_lpcm
hdmi_max_sample_rate_lpcm
hdmi_max_sample_size_lpcm
hdmi_min_channel_count_lpcm
hdmi_min_sample_rate_lpcm
hdmi_min_sample_size_lpcm
hdmi_protection_type
hp-detect-invert
hp-pop-workaround
hp-switch-force-config
hp-switch-ramp
hsic
i2c-logsize
i2c-verbose
ifa_debug
ifnet_debug
initmcl
io
iopfmi-timeout
iotrace
jpeg-log
jtag
kdp_crashdump_pkt_size
kdp_ip_addr
kdp_match_mac
kdp_match_name
keepsyms
kextlog
link_recovery_enabled
mbuf_debug
mbuf_pool
mcache_flags
mleak_sample_factor
mseg
msgbuf
mt-bytes
mt-strings
mtxspin
nand-boot-malloc
nand-check-vs
nand-commands
nand-disable-driver
nand-dump-vs-table
nand-enable-adm
nand-enable-reformat
nand-enable-yaftl
nand-erase
nand-erase-install
nand-fbbt-publish
nand-force-restore
nand-idle-timeout-ms
nand-ignore-ptab
nand-index-cache-size
nand-latency-us
nand-max-pages
nand-neuralize
nand-nvram-debug
nand-ppn-debug
nand-ppn-vs-debug
nand-qual
nand-queue-entries
nand-read-blocks-max
nand-read-dccycle-clks
nand-read-hold-clks
nand-readonly
nand-read-setup-clks
nand-reorder-defer-max
nand-reorder-defer-size-trigger
nand-reorder-read-promote-max
nand-reset-burnin
nand-save-rma-data
nand-set-rma
nand-sftl-cache-drain
nand-sleep-debug-panic
nand-slow-timings
nand-wearlevel-timeout-ms
nand-whiten-metadata
nand-wipe
nand-write-blocks-max
nand-write-hold-clks
nand-write-setup-clks
nbuf
ncl
net.inet6.ip6.scopedroute
net_affinity
net_rtref
network-type
-no64exec
-novfscache
panicd_port
pcp
pctb
pdmvr
pio-error
pmu-chargetrap
pmu-debug
ppn-clean
-progress
prox_enable_debug
pthtest
rd
remote_nmi
rootdev
-s
sdio.clock.base-rate
sdio.clock.sd-rate
sdio.debug.abort-init
sdio.debug.init-delay
sdio.log.flags
sdio.log.level
sdio.transfer.max-pio-blocks
sdio.transfer.max-pio-size
sdio.transfer.mode
serial
sgx_panic_on_recovery
shadev
slto_us
socket_debug
torchcltm0
usb
usb_dev_nmi
usb_dev_reset
-vnode_cache_defeat
wdt
wfi
wlan.ap.channel
wlan.debug.abort-init
wlan.debug.generate-mac
wlan.log.flags
wlan.log.level
wlan.log.timestamp
wlan.netmanager.stats-timer-interval
wlan.panic.factory
wqsize
WTE
-x

== Versions ==
iOS has consistently maintained a higher kernel version than the corresponding version of OS X. At the time of writing, OS X Mountain Lion's XNU is 20xx, whereas iOS is 21xx. This is not surprising, considering that iOS has novel features (such as [[Kernel ASLR]], the default freezer, and various security hardening features) which are first incorporated in it, and only later make it to OS X. The following demonstrates the two OS versions at present:

OS X Mountain Lion 10.8.4:

Darwin Kernel Version 12.4.0: Wed May 1 17:57:12 PDT 2013; root:xnu-2050.24.15~1/RELEASE_X86_64 x86_64

iOS 6.1.3:
Darwin Kernel Version 13.0.0: Wed Feb 13 21:36:52 PST 2013; root:xnu-2107.7.55.2.2~1/RELEASE_ARM_S5L8930X

Note: The RELEASE_ARM_xxxxxxxx file obviously differs on device / CPU.

=== Version List ===

{| class="wikitable sortable" style="font-size: smaller; text-align: center;"
|-
! Version
! Build
! Comment
|-
| [[Alpine 1A420 (iPhone)|1A420]]
| Darwin Kernel Version 4.4.2-Purple-19: Thu Mar 8 01:43:04 PST 2007; root:xnu-933.0.14~46/RELEASE_ARM_S5L8900XRB
| from prototype - not sure if 100% correct.
|-
| 1.0
| ?
|
|-
| 1.0.1
| ?
|
|-
| 1.0.2
| ?
|
|-
| 1.1.1
| ?
|
|-
| 1.1.2
| ?
|
|-
| 1.1.3
| ?
|
|-
| 1.1.4
| ?
|
|-
| 1.1.5
| ?
| iPod touch only
|-
| 2.0
| Darwin Kernel Version 9.3.1: Sun Jun 15 21:37:01 PDT 2008; root:xnu-1228.6.76~45/RELEASE_ARM_[[S5L8900]]X
|
|-
| 2.0.1
| ?
|
|-
| 2.0.2
| ?
|
|-
| 2.1
| ?
|
|-
| 2.1.1
| Darwin Kernel Version 9.4.1: Sun Aug 10 21:25:25 PDT 2008; root:xnu-1228.7.27~12/RELEASE_ARM_[[S5L8720]]X
|
|-
| 2.2
| Darwin Kernel Version 9.4.1: Sat Nov 1 19:13:13 PDT 2008; root:xnu-1228.7.36~2/RELEASE_ARM_[[S5L8720]]X
|
|-
| 2.2.1
| Darwin Kernel Version 9.4.1: Mon Dec 8 21:02:57 PST 2008; root:xnu-1228.7.37~4/RELEASE_ARM_[[S5L8720]]X
|
|-
| 3.0
| Darwin Kernel Version 10.0.0d3: Wed May 13 22:16:49 PDT 2009; root:xnu-1357.2.89~4/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.0.1
| Darwin Kernel Version 10.0.0d3: Wed May 13 22:16:49 PDT 2009; root:xnu-1357.2.89~4/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.1
| Darwin Kernel Version 10.0.0d3: Fri Aug 14 13:23:32 PDT 2009; root:xnu-1357.5.30~2/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.1.2
| Darwin Kernel Version 10.0.0d3: Fri Sep 25 23:35:35 PDT 2009; root:xnu-1357.5.30~3/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.1.3
| Darwin Kernel Version 10.0.0d3: Fri Dec 18 01:34:28 PST 2009; root:xnu-1357.5.30~6/RELEASE_ARM_[[S5L8920]]X
|
|-
| 3.2
| Darwin Kernel Version 10.3.1: Mon Mar 15 23:15:33 PDT 2010; root:xnu-1504.2.27~18/RELEASE_ARM_[[S5L8930]]X
| iPad Only
|-
| 3.2.1
| Darwin Kernel Version 10.3.1: Fri May 28 16:46:17 PDT 2010; root:xnu-1504.2.50~4/RELEASE_ARM_[[S5L8930]]X
| iPad Only
|-
| 3.2.2
| Darwin Kernel Version 10.3.1: Wed Aug 4 19:08:04 PDT 2010; root:xnu-1504.2.60~1/RELEASE_ARM_[[S5L8930]]X
| iPad Only
|-
| 4.0
| Darwin Kernel Version 10.3.1: Wed May 26 22:28:33 PDT 2010; root:xnu-1504.50.73~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.0.1
| Darwin Kernel Version 10.3.1: Wed May 26 22:28:33 PDT 2010; root:xnu-1504.50.73~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.0.2
| Darwin Kernel Version 10.3.1: Wed Aug 4 18:46:06 PDT 2010; root:xnu-1504.50.80~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.1
| Darwin Kernel Version 10.3.1: Wed Aug 4 22:35:51 PDT 2010; root:xnu-1504.55.33~10/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.2.1
| Darwin Kernel Version 10.4.0: Wed Oct 20 20:14:45 PDT 2010; root:xnu-1504.58.28~3/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3
| Darwin Kernel Version 11.0.0: Thu Feb 10 21:46:56 PST 2011; root:xnu-1735.46~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.1
| Darwin Kernel Version 11.0.0: Thu Feb 10 21:46:56 PST 2011; root:xnu-1735.46~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.2
| Darwin Kernel Version 11.0.0: Wed Mar 30 18:51:10 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.3
| Darwin Kernel Version 11.0.0: Wed Mar 30 18:44:45 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_[[S5L8920]]X
|
|-
| 4.3.4
| Darwin Kernel Version 11.0.0: Sat Jul 9 00:59:43 PDT 2011; root:xnu-1735.47~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 4.3.5
| Darwin Kernel Version 11.0.0: Sat Jul 9 00:59:43 PDT 2011; root:xnu-1735.47~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 5.0
| Darwin Kernel Version 11.0.0: Thu Sep 15 23:34:43 PDT 2011; root:xnu-1878.4.43~2/RELEASE_ARM_[[S5L8940]]X
|
|-
| 5.0.1
| Darwin Kernel Version 11.0.0: Tue Nov 1 20:34:16 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_[[S5L8940]]X
|
|-
| 5.1
| Darwin Kernel Version 11.0.0: Wed Feb 1 23:18:07 PST 2012; root:xnu-1878.11.8~1/RELEASE_ARM_[[S5L8945]]X
|
|-
| 5.1.1
| Darwin Kernel Version 11.0.0: Sun Apr 8 21:51:26 PDT 2012; root:xnu-1878.11.10~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0
| Darwin Kernel Version 13.0.0: Sun Aug 19 00:31:06 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.0.1
| Darwin Kernel Version 13.0.0: Wed Oct 10 23:29:02 PDT 2012; root:xnu-2107.2.34~2/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.0.2
| Darwin Kernel Version 13.0.0: Wed Oct 10 23:32:19 PDT 2012; root:xnu-2107.2.34~2/RELEASE_ARM_[[S5L8950]]X
| iPhone 5 only.
|-
| 6.1
| Darwin Kernel Version 13.0.0: Sun Dec 16 20:01:39 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.1.1
| Darwin Kernel Version 13.0.0: Sun Dec 16 19:58:44 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_[[S5L8940]]X
| iPhone 4S only
|-
| 6.1.2
| Darwin Kernel Version 13.0.0: Sun Dec 16 20:01:39 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_[[S5L8950]]X
|
|-
| 6.1.3
| Darwin Kernel Version 13.0.0: Wed Feb 13 21:36:52 PST 2013; root:xnu-2107.7.55.2.2~1/RELEASE_ARM_[[S5L8930]]X
|
|-
| 6.1.4
| Darwin Kernel Version 13.0.0: Wed Feb 13 21:40:10 PST 2013; root:xnu-2107.7.55.2.2~1/RELEASE_ARM_[[S5L8950]]X
| iPhone 5 only.
|}

== Source Code ==
As XNU is based off of the [[wikipedia:Berkeley Software Distribution|BSD kernel]], it is [http://opensource.apple.com/source/xnu open source]. The source is under a [http://opensource.apple.com/license/bsd/ 3-clause BSD License] for the original BSD portions with the portions added by Apple under the [http://opensource.apple.com/license/apsl/ Apple Public Source License]. The [[#Versions|versions contained in iOS]] are not available, instead only versions used in ''OS X'' are available. This does not appear to be legal as per §2.3 in the APSL:
2.3 Distribution of Executable Versions. In addition, if You Externally Deploy Covered
Code (Original Code and/or Modifications) in object code, executable form only, '''You must'''
'''include a prominent notice''', in the code itself as well as in related documentation, '''stating'''
'''that Source Code of the Covered Code is available''' under the terms of this License '''with'''
'''information on how and where to obtain such Source Code'''.
with ''Source Code'' defined in §1.8:
1.8 "Source Code" means the human readable form of a program or other work that is
suitable for making modifications to it, including all modules it contains, plus any
associated interface definition files, scripts used to control compilation and installation
of an executable (object code).

It is worth noting that Apple does ''not'' list XNU as being an open source component of [[iOS]]. This can be seen by viewing [http://opensource.apple.com/ opensource.apple.com] and selecting ''any'' iOS version. As far as can be told, ''none'' of the versions of XNU are available in source version.

There are many other open souce components that iOS uses that are ''not'' listed, such as:
* [http://opensource.apple.com/source/CF/ CF] ([https://developer.apple.com/library/mac/#documentation/CoreFoundation/Reference/CoreFoundation_Collection/_index.html CoreFoundation] - Cocoa)
* [http://opensource.apple.com/source/SQLite/ SQLite] ([http://www.sqlite.org/ SQLite] - database utility)
* [http://opensource.apple.com/source/TimeZoneData/ TimeZoneData] ([[wikipedia:tz database|tz database]] - [[/usr/share/zoneinfo]])
* [http://opensource.apple.com/source/curl/ curl](?) ([http://curl.haxx.se/ libcurl] - various HTTP operations)
* [http://opensource.apple.com/source/hfs/ hfs] (hfs - [[wikipedia:Hierarchical File System|HFS]] driver)
* [http://opensource.apple.com/source/launchd/ launchd] ([[launchd]] - launch daemon)
* [http://opensource.apple.com/source/libxml2/ libxml2](?) ([http://www.xmlsoft.org/ libxml2] - parser for [[wikipedia:XML|XML]] [[Property List|plist]]s)
* [http://opensource.apple.com/source/xnu/ xnu] (XNU - Kernel)
* [http://opensource.apple.com/source/zip/ zip] (zip - extraction of various files)
It does ''not'' appear that Apple assumes what you see in the ''OS X'' pages are also on ''iOS'' as [http://opensource.apple.com/source/JavaScriptCore/ JavaScriptCore], [http://opensource.apple.com/source/WebCore/ WebCore], among others are listed on both [http://opensource.apple.com/release/mac-os-x-108/ OS X] (10.8) and [http://opensource.apple.com/release/ios-60/ iOS] (6.0), albeit different versions.

It is also worth noting that [http://opensource.apple.com/source/gdb/ gdb] ([[wikipedia:GNU Compiler Collection|GCC]] debugger) and [http://opensource.apple.com/source/ld64/ ld64] are listed as components in [http://opensource.apple.com/release/ios-60/ iOS 6.0]. Why there are present is a mystery as they are not present on unaltered devices, but only through [[Cydia.app|Cydia]] or [[Xcode]]'s <code>DeveloperImage.dmg</code>.

== Kernel Extensions ==
iOS, sadly, does ''not'' have [[Kernel Extension|kext]]s floating around the [[/|file system]], but they are indeed present. The [[kernelcache]] can be unpacked to show the kernel proper, along with the kexts (all packed in the __PRELINK_TEXT section) and their [[Property List|plist]]s (in the __PRELINK_INFO section).

The Cydia supplied [[kextstat]] does not work on [[iOS]]. Sadly, the reason is that kextstat relies on <code>kmod_get_info(...)</code>, which is a deprecated (and recently removed) API in recent iOS and OS X versions. With that said, the [[Kernel Extension|kext]]s ''do'' exist. The alternative, [[kextstat#jkextstat|jkextstat]], ''does'' work on recent iOS versions. jkextstat can cause some confusion as it uses the executable name <code>kextstat</code>, similar to how calling <code>g++</code> just launches <code>gcc</code> but with parameters to treat all <code>.c</code> files as C++ files.

The following is the output from [[kextstat#jkextstat|jkextstat]] on an [[n81ap|iPod touch 4G]] running [[iOS]] 6(?):

Podicum:~ root# ./kextstat
0 __kernel__
1 kpi.bsd
2 kpi.dsep
3 kpi.iokit
4 kpi.libkern
5 kpi.mach
6 kpi.private
7 kpi.unsupported
8 driver.AppleARMPlatform <1 3 4 5 6 7>
9 iokit.IOStorageFamily <1 3 4 5 6 7>
10 driver.DiskImages <1 3 4 5 6 7 9>
11 driver.FairPlayIOKit <1 3 4 5 6 7>
12 driver.IOSlaveProcessor <3 4>
13 driver.IOP_s5l8930x_firmware <3 4 12>
14 iokit.AppleProfileFamily <1 3 4 5 6 7>
15 iokit.IOCryptoAcceleratorFamily <1 3 4 5 7>
16 driver.AppleMobileFileIntegrity <1 2 3 4 5 6 7 15>
17 iokit.IONetworkingFamily <1 3 4 5 6 7>
18 iokit.IOUserEthernet <1 3 4 5 6 16 17>
19 platform.AppleKernelStorage <3 4 7>
20 iokit.IOSurface <1 3 4 5 6 7 8>
21 iokit.IOStreamFamily <3 4 5>
22 iokit.IOAudio2Family <1 3 4 5 21>
23 driver.AppleAC3Passthrough <1 3 4 5 7 8 11 21 22>
24 iokit.EncryptedBlockStorage <1 3 4 5 9 15>
25 iokit.IOFlashStorage <1 3 4 5 7 9 24>
26 driver.AppleEffaceableStorage <1 3 4 5 7 8 25>
27 driver.AppleKeyStore <1 3 4 5 6 7 15 16 26>
28 kext.AppleMatch <1 4>
29 security.sandbox <1 2 3 4 5 6 7 16 28>
30 driver.AppleS5L8930X <1 3 4 5 7 8>
31 iokit.IOHIDFamily <1 3 4 5 6 7 16>
32 driver.AppleM68Buttons <1 3 4 5 7 8 31>
33 iokit.IOUSBDeviceFamily <1 3 4 5>
34 iokit.IOSerialFamily <1 3 4 5 6 7>
35 driver.AppleOnboardSerial <1 3 4 5 7 34>
36 iokit.IOAccessoryManager <3 4 5 7 8 33 34 35>
37 driver.AppleProfileTimestampAction <1 3 4 5 14>
38 driver.AppleProfileThreadInfoAction <1 3 4 6 14>
39 driver.AppleProfileKEventAction <1 3 4 14>
40 driver.AppleProfileRegisterStateAction <1 3 4 14>
41 driver.AppleProfileCallstackAction <1 3 4 5 6 14>
42 driver.AppleProfileReadCounterAction <3 4 6 14>
43 driver.AppleARMPL192VIC <3 4 5 7 8>
44 driver.AppleCDMA <1 3 4 5 7 8 15>
45 driver.IODARTFamily <3 4 5>
46 driver.AppleS5L8930XDART <1 3 4 5 7 8 45>
47 iokit.IOSDIOFamily <1 3 4 5 7>
48 driver.AppleIOPSDIO <1 3 4 5 7 8 12 47>
49 driver.AppleIOPFMI <1 3 4 5 7 8 12 25>
50 driver.AppleSamsungSPI <1 3 4 5 7 8>
51 driver.AppleSamsungSerial <1 3 4 5 7 8 34 35>
52 driver.AppleSamsungPKE <3 4 5 7 8 15>
53 driver.AppleS5L8920X <1 3 4 5 7 8>
54 driver.AppleSamsungI2S <1 3 4 5 7 8>
55 driver.AppleEmbeddedUSB <1 3 4 5 7 8>
56 driver.AppleS5L8930XUSBPhy <1 3 4 5 7 8 55>
57 iokit.IOUSBFamily <1 3 4 5 7>
58 driver.AppleUSBEHCI <1 3 4 5 7 57>
59 driver.AppleUSBComposite <1 3 4 57>
60 driver.AppleEmbeddedUSBHost <1 3 4 5 7 55 57 59>
61 driver.AppleUSBOHCI <1 3 4 5 57>
62 driver.AppleUSBOHCIARM <3 4 5 8 55 57 60 61>
63 driver.AppleUSBHub <1 3 4 5 57>
64 driver.AppleUSBEHCIARM <3 4 5 8 55 57 58 60 63>
65 driver.AppleS5L8930XUSB <1 3 4 5 7 8 55 57 58 60 61 62 64>
66 driver.AppleARM7M <3 4 8 12>
67 driver.EmbeddedIOP <3 4 5 12>
68 driver.AppleVXD375 <1 3 4 5 7 8 11>
69 driver.AppleD1815PMU <1 3 4 5 7 8 31>
70 iokit.AppleARMIISAudio <1 3 4 5 7 22>
71 driver.AppleEmbeddedAudio <1 3 4 5 7 8 22 31 70>
72 driver.AppleCS42L59Audio <3 4 5 8 22 31 70 71>
73 driver.AppleEmbeddedAccelerometer <3 4 5 7 8 31>
74 driver.AppleEmbeddedGyro <1 3 4 5 7 8 31>
75 driver.AppleEmbeddedLightSensor <3 4 5 7 8 31>
76 iokit.IOAcceleratorFamily <1 3 4 5 7 8>
77 IMGSGX535 <1 3 4 5 7 8 76>
78 driver.H2H264VideoEncoderDriver <1 3 4 5 7 8>
79 driver.AppleJPEGDriver <1 3 4 5 7 8>
80 driver.AppleH3CameraInterface <1 3 4 5 7 8>
81 driver.AppleM2ScalerCSCDriver <1 3 4 5 7 8 45>
82 iokit.IOMobileGraphicsFamily <1 3 4 5 7 8>
83 driver.AppleDisplayPipe <1 3 4 5 7 8 82>
84 driver.AppleCLCD <1 3 4 5 7 8 82 83>
85 driver.AppleSamsungMIPIDSI <1 3 4 5 7 8>
86 driver.ApplePinotLCD <1 3 4 5 7 8>
87 driver.AppleSamsungSWI <1 3 4 5 7 8>
88 iokit.IODisplayPortFamily <1 3 4 5 6 7 22>
89 driver.AppleRGBOUT <1 3 4 5 7 8 82 83 88>
90 driver.AppleTVOut <1 3 4 5 7 8>
91 driver.AppleAMC_r2 <1 3 4 5 7 8 11 21 22>
92 driver.AppleSamsungDPTX <3 4 5 7 8 88>
93 driver.AppleSynopsysOTGDevice <1 3 4 5 7 8 33 55>
94 driver.AppleNANDFTL <1 3 4 5 7 9 25>
95 driver.AppleNANDLegacyFTL <1 3 4 5 9 25 94>
96 AppleFSCompression.AppleFSCompressionTypeZlib <1 2 3 4 6>
97 IOTextEncryptionFamily <1 3 4 5 7 11>
98 driver.AppleBSDKextStarter <3 4>
99 nke.ppp <1 3 4 5 6 7>
100 nke.l2tp <1 3 4 5 6 7 99>
101 nke.pptp <1 3 4 5 6 7 99>
102 iokit.IO80211Family <1 3 4 5 6 7 17>
103 driver.AppleBCMWLANCore <1 3 4 5 6 7 8 17 102>
104 driver.AppleBCMWLANBusInterfaceSDIO <1 3 4 5 6 7 8 47 103>
105 driver.AppleDiagnosticDataAccessReadOnly <1 3 4 5 7 8 94>
106 driver.LightweightVolumeManager <1 3 4 5 9 15 24 26>
107 driver.IOFlashNVRAM <1 3 4 5 6 7 25>
108 driver.AppleNANDFirmware <1 3 4 5 25>
109 driver.AppleImage3NORAccess <1 3 4 5 7 8 15 108>
110 driver.AppleBluetooth <1 3 4 5 7 8>
111 driver.AppleMultitouchSPI <1 3 4 5 7 8>
112 driver.AppleUSBMike <1 3 4 5 8 22 33>
113 driver.AppleUSBDeviceMux <1 3 4 5 6 7 33>
114 driver.AppleUSBEthernetDevice <1 3 4 5 6 8 17 33>

For a specific extension, e.g. SandBox, the full information (including the handy load address) is also accessible:

<code>root# ./jkextstat -b sandbox -x</code>:
<plist>
<dict>
<key>CFBundleIdentifier</key>
<string>com.apple.security.sandbox</string>
<key>CFBundleVersion</key>
<string>154.7</string>
<key>OSBundleCPUSubtype</key>
<integer>9</integer>
<key>OSBundleCPUType</key>
<integer>12</integer>
<key>OSBundleDependencies</key>
<array>
<integer>6</integer>
<integer>7</integer>
<integer>5</integer>
<integer>3</integer>
<integer>28</integer>
<integer>1</integer>
<integer>4</integer>
<integer>16</integer>
<integer>2</integer>
</array>
<key>OSBundleExecutablePath</key>
<string>/System/Library/Extensions/Sandbox.kext/Sandbox</string>
<key>OSBundleIsInterface</key>
<false/>
<key>OSBundleLoadAddress</key>
<integer>2153734144</integer>
<key>OSBundleLoadSize</key>
<integer>36864</integer>
<key>OSBundleLoadTag</key>
<integer>29</integer>
<key>OSBundleMachOHeaders</key>
<data>
zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA
AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f
VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf
X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA
AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf
gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA
AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA
AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA
AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA
AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2
TzkVrtqsgOViBQ0=
</data>
<key>OSBundlePath</key>
<string>/System/Library/Extensions/Sandbox.kext</string>
<key>OSBundlePrelinked</key>
<true/>
<key>OSBundleRetainCount</key>
<integer>0</integer>
<key>OSBundleStarted</key>
<true/>
<key>OSBundleUUID</key>
<data>
FqyDtjZPORWu2qyA5WIFDQ==
</data>
<key>OSBundleWiredSize</key>
<integer>36864</integer>
<key>OSKernelResource</key>
<false/>
</dict>
</plist>

It's also worth mentioning that, in the above listing, the OSBundleMachOHeaders (base-64 encoded binary headers) leak kernel addresses in iOS 6.0, defeating [[Kernel ASLR]]. This has been quickly fixed in iOS 6.0.1, effectively locking down iOS for the foreseeable future, thanks to security researcher [[mdowd]].

== See Also ==
* [[Kernel Syscalls]]
* [[Kernel Sysctls]]
* [[Kernel Task]]
* [[Kernel Symbols]]
* [[kdebug]]
* [[kernelcache]]

== External Links ==
* [http://opensource.apple.com/source/xnu XNU Source] (up to latest **OS X** version)
* [[i0n1c]] on [https://media.blackhat.com/bh-us-11/Esser/BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf exploiting the kernel]
* [[User:Haifisch|Haifisch]] on [http://dylanlaws.com/Kernel101 Decrypting the iOS kernel for disassembly]
* [http://newosxbook.com/src.jl?tree=listings&file=18-1-JKextstat.c jkextstat.c]
* [http://www.amazon.com/gp/product/1118057651 OSX/iOS internals book]

S5L8945

2013-08-06T00:25:08Z

Winocm:

[[Image:A5X.png|right]]
The '''S5L8945''' is the Apple A5X processor currently used in the "The New iPad", also called [[iPad 3]].

The processor uses the Cortex-A9 core, and an updated version of the 8940 architecture. S5L8945X also has a new security epoch, but the SoC also has identical caching, and other components as to the 8940. The processor (H4G) runs at 950MHz.

The software architecture as reported by "hostinfo" is: armv7f.

== Hardware ==
The A5X part number is APL5498 and the die markings repeat that same number as well. It is produced by Samsung with its low power 45nm CMOS process. The die measures 12.82mm × 12.71mm for an area of 162.94mm².

== Software ==
The chip contains [[Bootrom 1062.2]]. It runs [[ARM]] based instructions. The exact [[ARM]] reference has to be determined yet.

==Bootrom Exploits==
There are no known exploits.

S5L8940

2013-08-06T00:24:47Z

Winocm:

[[Image:A5.jpg|right]]
The '''S5L8940''' is the Apple A5 processor currently used in the [[iPad 2]] and the [[N94ap|iPhone 4S]]. Manufactured by Samsung, the processor itself is dual-core. The processor (H4P) is clocked at 850MHz in most configurations.

==GPU==

The S5L8940 chipset has a 45nm dual core PowerVR SGX543MP2 GPU which is clocked at 200MHz.

==Bootrom Exploits==

There are no known exploits.

Security Fusings

2013-08-01T18:50:16Z

Winocm:

A common misconception is that all [[iDevice|iDevices]] enforce certain flags in their bootloaders when certain "fuses" are "blown".

== Processor Security ==

Processor security flags are enforced by pulling several pins on the BGA low or high depending on the state of security needed. The same is done for board configuration.

For example, the device security state is set to 0000 by removing all resistors. This is the PVT configuration.

== Board Identifiers ==

Board identifiers are enforced by pulling several pins on the BGA low or high depending on the state of security needed.

For example, the device configuration [[N94ap|N94ap]] is set by pulling the pins to set the board ID: "0b1000" or 0x8. This measure saves costs by allowing Apple to reuse the same processor die with a specified ECID, but they can change the motherboard if necessary.

== "Fuses" ==

These so-called "fuses" are actually fixed resistors on the motherboard.

Security Fusings

2013-08-01T17:28:51Z

Winocm:

A common misconception is that all [[iDevice|iDevices]] enforce certain flags in their bootloaders when certain "fuses" are blown."

== Processor Security ==

Processor security flags are enforced by pulling several pins on the BGA low or high depending on the state of security needed. The same is done for board configuration.

For example, the device security state is set to 0000 by removing all resistors. This is the PVT configuration.

== Board Identifiers ==

Board identifiers are enforced by pulling several pins on the BGA low or high depending on the state of security needed.

For example, the device configuration [[N94ap|N94ap]] is set by pulling the pins to set the board ID: "0b1000" or 0x8.

== "Fuses" ==

These so-called "fuses" are actually fixed resistors on the motherboard.

Security Fusings

2013-08-01T17:28:44Z

Winocm: Created page with "A common misconception is that all iDevices enforce certain flags in their bootloaders when certain "fuses" are blown." == Processor Security == Processor securi..."

A common misconception is that all [[iDevice|iDevices]] enforce certain flags in their bootloaders when certain "fuses" are blown."

== Processor Security ==

Processor security flags are enforced by pulling several pins on the BGA low or high depending on the state of security needed. The same is done for board configuration.

For example, the device security state is set to 0000 by removing all resistors. This is the PVT configuration.

== Board Identifiers ==

Board identifiers are enforced by pulling several pins on the BGA low or high depending on the state of security needed.

For example, the device configuration [[N94ap||N94ap]] is set by pulling the pins to set the board ID: "0b1000" or 0x8.

== "Fuses" ==

These so-called "fuses" are actually fixed resistors on the motherboard.

PE i can has debugger Patch

2013-08-01T17:14:41Z

Winocm:

{{DISPLAYTITLE:PE_i_can_has_debugger Patch}}
*[[AppleMobileFileIntegrity|AMFI]] will allow non signed binaries
*disables various checks
*used inside the kernel debugger
*in older jailbreaks replaced by RETURN(1)

* Internal name for variable "dword_80284A00" in disassembly is _debug_enabled.

__text:801DD218
__text:801DD218 EXPORT _PE_i_can_has_debugger
__text:801DD218 _PE_i_can_has_debugger ; CODE XREF: sub_801DD23C+8↓p
__text:801DD218 ; sub_802D8A94+E↓p ...
__text:801DD218 CBZ R0, loc_801DD22E
__text:801DD21A LDR R2, =dword_80284A00 <== variable patched to 1
__text:801DD21C LDR R3, [R2]
__text:801DD21E CBNZ R3, loc_801DD226
__text:801DD220 STR R3, [R0]
__text:801DD222
__text:801DD222 loc_801DD222 ; CODE XREF: _PE_i_can_has_debugger+14
__text:801DD222 ; _PE_i_can_has_debugger+18↓j
__text:801DD222 LDR R0, [R2]
__text:801DD224 BX LR
__text:801DD226 ; ---------------------------------------------------------------------------
__text:801DD226
__text:801DD226 loc_801DD226 ; CODE XREF: _PE_i_can_has_debugger+6↑
__text:801DD226 LDR R3, =dword_802731A0
__text:801DD228 LDR R3, [R3]
__text:801DD22A STR R3, [R0]
__text:801DD22C B loc_801DD2..
__text:801DD22E ; ---------------------------------------------------------------------------
__text:801DD22E
__text:801DD22E loc_801DD22E ; ...
__text:801DD22E LDR R2, =dword_...
__text:801DD230 B loc_801DD2..
__text:801DD230 ; End of function _PE_i_can_has_debugger
__text:801DD230
__text:801DD230 ; ---------------------------------------------------------------------------
[[Category:Kernel Patches]]

Sandbox Patch

2013-08-01T17:12:41Z

Winocm:

{{DISPLAYTITLE:Sandbox Patch}}
*fixes the sandbox problems caused by moving files
*access outside '''/private/var/mobile''' is allowed
*access to '''/private/var/mobile/Library/Preferences/com.apple''' is going through original evaluation
*access to other subdirs of '''private/var/mobile/Library/Preferences''' is granted
*everything else goes through original checks

* Can optionally be patched by the original Sandbox hook routine, the TST/BEQ instruction tuple becomes a MOVS/MOVS/BEQ tuple. This patch makes all ignore sandbox profiles.

__text:804028B0 PUSH {R4-R7,LR} <== function is hooked so that a new sb_evaluate() is used
__text:804028B2 ADD R7, SP, #0xC
__text:804028B4 PUSH.W {R8,R10,R11}
__text:804028B8 SUB SP, SP, #0x104
__text:804028BA MOV R10, R0
__text:804028BC LDR R0, [R3,#0x2C]
__text:804028BE MOV R11, R1
__text:804028C0 STR R2, [SP,#0x11C+var_114]
__text:804028C2 MOV R5, R3
__text:804028C4 LDR.W R8, [R1]
__text:804028C8 CBZ R0, loc_804028EE
__text:804028CA ADD.W R1, R3, #0x3C
__text:804028CE ADD.W R2, R3, #0x40
__text:804028D2 LDR.W R4, =(_sock_gettype+1)
__text:804028D6 MOVS R3, #0
__text:804028D8 BLX R4 ; _sock_gettype
__text:804028DA ...
__text:804028DC
__text:804028DE
__text:804028E2
__text:804028E4
__text:804028E6

For further info see [https://github.com/comex/datautils0/blob/master/sandbox.S https://github.com/comex/datautils0/blob/master/sandbox.S].

[[Category:Kernel Patches]]

User:Winocm

2013-03-05T01:34:10Z

Winocm: Created page with "hi"

Lightning Connector

2013-03-05T01:33:38Z

Winocm:

{{float toc|left}}
[[File:Lighnting_USB.jpg|thumb|Lightning connector compared to USB]]
[[File:Lighnting_Mechnical_front.jpg|thumb|Lightning connector mechanical drawing (front)]]
[[File:Lighnting_sides.jpg|thumb|Lightning connector from aerial, front, top, and socket angles]]

'''Lightning''' is the "new" connector since the introduction of the [[iPhone 5]], [[iPad mini]], [[iPad 4]] and the [[n78ap|5th generation iPod touch]]. (For the old connector, see [[30-pin Connector]].) It was presented by Tim Cook at an Apple Special Event on September 12, 2012. Lightning matches up with the existing Thunderbolt branding as noted by Phil Schiller. According to Apple it as an all-digital connector and "features an adaptive interface that uses only the signals that each accessory requires and also is 80% smaller as well as orientation independent."
* Lightning is adaptive.
* All 8 pins are used for signals, and all or most can be switched to be used for power.
* The outer plug shell is used as ground reference and connected to the device shell.
* At least one (probably at most two) of the pins is used for detecting what sort of plug is plugged in.
* All plugs have to contain a controller/driver chip to implement the “adaptive” thing.
* The device watches for a momentary short on all pins (by the leading edge of the plug) to detect plug insertion/removal.
* The pins on the plug are deactivated until after the plug is fully inserted, when a wake-up signal on one of the pins cues the chip inside the plug. This avoids any shorting hazard while the plug isn’t inside the connector.
* The controller/driver chip tells the device what type it is, and for cases like the Lightning-to-USB cable whether a charger (that sends power) or a device (that needs power) is on the other end.
* The device can then switch the other pins between the SoC’s data lines or the power circuitry, as needed in each case.
* Once everything is properly set up, the controller/driver chip gets digital signals from the SoC and converts them – via serial/parallel, ADC/DAC, differential drivers or whatever – to whatever is needed by the interface on the other end of the adapter or cable. It could even re-encode these signals to some other format to use fewer wires, gain noise-immunity or whatever, and re-decode them on the other end; it’s all flexible. It could even convert to optical.

== Pinnout ==
=== Top (DHC marked) ===
{| class="wikitable" style="text-align:center;"
|-
! Pin
! Signal
! Description
|-
| 1
| V-
|
|-
| 2
| D+
|
|-
| 3
| D-
|
|-
| 4
| (dynamic)
|
|-
| 5
| (dynamic)
|
|-
| 6
| (dynamic)
|
|-
| 7
| (dynamic)
|
|-
| 8
| (dynamic)
|
|}
=== Bottom ===
{| class="wikitable" style="text-align:center;"
|-
! Pin
! Signal
! Description
|-
| 8
| V-
|
|-
| 2
| D+
|
|-
| 3
| D-
|
|-
| 1
| (dynamic)
|
|-
| 4
| (dynamic)
|
|-
| 6
| (dynamic)
|
|-
| 7
| (dynamic)
|
|-
| 5
| (dynamic)
|
|}
=== USB ===
{| class="wikitable" style="text-align:center;"
|-
! Pin
! Signal
! Description
|-
| 1
| V+
|
|-
| 2
| D-
|
|-
| 3
| D+
|
|-
| 4
| V-
|
|}

== Adapters ==

When a Lightning adapter is plugged in to the device it will connect to

https://mesu.apple.com/assets/com_apple_MobileAsset_MobileAccessoryUpdate_haywire/com_apple_MobileAsset_MobileAccessoryUpdate_haywire.xml

where, similar to an OTA iOS update, it looks for any new update bundles. This would only be for any in-between updates, though, since both iOS 6.0 and 6.1 come with predownloaded adapter firmware bundles located at /System/Library/PreinstalledAssets. (Each firmware bundle is about 11MB uncompressed.)

For fun, you can also monitor the device Console using Xcode or iPCU while connecting the adapter; you’ll see logs very similar to what happens during an iOS DFU restore, as the device loads firmware onto the Lightning adapter.

=== Lightning Digital AV Adapter ===

The Lightning Digital AV adapter is based off the Samsung S5L8700 series of chips. This series of processors is mainly used in the iPod nano, and the [[iPod touch 2G]]. The SoC used is the Samsung S5L8747.

The boot chain starts off very much like a normal iOS device, but img3 files for iBSS are uploaded, along with an APTicket. This APTicket remains static for every digital AV adapter. The kernel is then uploaded and then booted.

SoC peripherals look very much akin to other Samsung chips.

It appears the Lightning Digital AV Adapter has an ARM SoC CPU with part number H9TKNNN2GD and 256MB RAM. There is some discussion regarding the output image quality of this adapter as it appears the video is upscaled from max 1600×900 resoultion to 1080p and also visible (MPEG) compression artifacts. Apparently an Apple Engineer explained details of the adapter at [https://www.panic.com/blog/2013/03/the-lightning-digital-av-adapter-surprise/#comment-16841 www.panic.com]:

<cite>"Airplay is not involved in the operation of this adapter.</cite>

<cite>It is true that the kernel the adapter SoC boots is based off of XNU, but that’s where the similarities between iOS and the adapter firmware end. The firmware environment doesn’t even run launchd. There’s no shell in the image, there’s no utilities (analogous to what we used to call the “BSD Subsystem” in Mac OS X). It boots straight into a daemon designed to accept incoming data from the host device, decode that data stream, and output it through the A/V connectors. There’s a set of kernel modules that handle the low level data transfer and HDMI output, but that’s about it. I wish I could offer more details then this but I’m posting as AC for a damned good reason.</cite>

<cite>The reason why this adapter exists is because Lightning is simply not capable of streaming a “raw” HDMI signal across the cable. Lightning is a serial bus. There is no clever wire multiplexing involved. Contrary to the opinions presented in this thread, we didn’t do this to screw the customer. We did this to specifically shift the complexity of the “adapter” bit into the adapter itself, leaving the host hardware free of any concerns in regards to what was hanging off the other end of the Lightning cable. If you wanted to produce a Lightning adapter that offered something like a GPIB port (don’t laugh, I know some guys doing exactly this) on the other end, then the only support you need to implement on the iDevice is in software- not hardware. The GPIB adapter contains all the relevant Lightning -> GPIB circuitry.</cite>

<cite>It’s vastly the same thing with the HDMI adapter. Lightning doesn’t have anything to do with HDMI at all. Again, it’s just a high speed serial interface. Airplay uses a bunch of hardware h264 encoding technology that we’ve already got access to, so what happens here is that we use the same hardware to encode an output stream on the fly and fire it down the Lightning cable straight into the ARM SoC the guys at Panic discovered. Airplay itself (the network protocol) is NOT involved in this process. The encoded data is transferred as packetized data across the Lightning bus, where it is decoded by the ARM SoC and pushed out over HDMI.</cite>

<cite>This system essentially allows us to output to any device on the planet, irregardless of the endpoint bus (HDMI, DisplayPort, and any future inventions) by simply producing the relevant adapter that plugs into the Lightning port. Since the iOS device doesn’t care about the hardware hanging off the other end, you don’t need a new iPad or iPhone when a new A/V connector hits the market.</cite>

<cite>Certain people are aware that the quality could be better and others are working on it. For the time being, the quality was deemed to be suitably acceptable. Given the dynamic nature of the system (and the fact that the firmware is stored in RAM rather then ROM), updates **will** be made available as a part of future iOS updates. When this will happen I can’t say for anonymous reasons, but these concerns haven’t gone unnoticed."</cite>

== External Resources ==
* [http://brockerhoff.net/blog/2012/09/23/boom-pins/ Rainer Brockerhoff’s blog]
* [http://appleinsider.com/articles/12/09/25/apples_lightning_port_dynamically_assigns_pins_to_allow_for_reversible_use Dynamic pin assignment]
* [http://techon.nikkeibp.co.jp/english/NEWS_EN/20121001/242892/ Pinout]
* [http://www.chipworks.com/blog/recentteardowns/2012/10/15/inside-the-apple-lightning-cable/ Chipworks teardown of cable]
* [http://www.chipworks.com/blog/recentteardowns/2012/10/18/inside-the-apple-lightning-to-30-pin-adapter/ Chipworks teardown of 30-pin adapter]

{{stub|hardware}}

S5L8950

2012-09-23T21:47:14Z

Winocm:

[[Image:A6.png|right]]
The '''S5L8950X''' is the Apple A6 processor currently used in the [[iPhone 5]].

The processor supposedly uses custom Apple silicon.

The software architecture as reported by "hostinfo" is: armv7s.

== Hardware ==
The A6 part number is APL0598. It is produced by Samsung with its low power 32nm CMOS process. The die has an area of 95mm². It incorporates a three core PowerVR SGX543MP3 GPU clocked at 266MHz.

== Software ==
The chip contains [[Bootrom 1145.3]]. It runs [[ARM]] based instructions with the CPU Instruction set ARMv7s. The exact [[ARM]] reference has to be determined yet.

iBoot load address is 0x80000000, framebuffer for n41ap begins at 0xBF7AA000.

<pre>
Mach kernel version:
Darwin Kernel Version 13.0.0: Sun Aug 19 00:31:06 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_S5L8950X
Kernel configured for up to 2 processors.
2 processors are physically available.
2 processors are logically available.
Processor type: armv7s (arm v7s)
Processors active: 0 1
Primary memory available: 1015.66 megabytes
Default processor set: 65 tasks, 503 threads, 2 processors
Load average: 2.56, Mach factor: 0.44</pre>

Device tree available at: http://nttalk.com/iphone5_devicetree.txt

== References ==
*[[wikipedia:Apple_A6|Wikipedia: Apple A6]]

S5L8950

2012-09-23T02:41:48Z

Winocm:

S5L8950

2012-09-23T02:39:59Z

Winocm:

[[Image:A6.png|right]]
The '''S5L8950X''' is the Apple A6 processor currently used in the [[iPhone 5]].

The processor uses the Cortex-A15 core (?).

The software architecture as reported by "hostinfo" is: armv7s.

== Hardware ==
The A6 part number is APL0598. It is produced by Samsung with its low power 32nm CMOS process. The die has an area of 95mm². It incorporates a three core PowerVR SGX543MP3 GPU clocked at 266MHz.

== Software ==
The chip contains [[Bootrom 1145.3]]. It runs [[ARM]] based instructions with the CPU Instruction set ARMv7s. The exact [[ARM]] reference has to be determined yet.

iBoot load address is 0x80000000, framebuffer for n41ap begins at 0xBF7AA000.

== References ==
*[[wikipedia:Apple_A6|Wikipedia: Apple A6]]

Bootrom

2012-09-16T20:56:10Z

Winocm:

== Summary ==

The '''bootrom''' (called "SecureROM" by Apple) is the first significant code that runs on an iDevice. The bootrom is read-only. Finding exploits in the bootrom level is a big achievement since Apple won't be able to fix it without a hardware revision.

== Old & New bootrom ==

Certain models, including the [[N72ap|iPod touch 2G]] and [[N88ap|iPhone 3GS]], have different bootrom versions. These are most commonly referred to with the terms "old bootrom" and "new bootrom." These "new bootrom" devices were released after [[Timeline#September|9 September 2009]] and have the [[0x24000 Segment Overflow]] fixed. While the new bootrom revisions have an exploit, the exploit needs the assistance of a firmware-based exploit to achieve an [[untethered jailbreak]].

You might also be looking for [[iBoot (Bootloader)|Apple's stage 2 bootloader]], which also uses the "iBoot" name.

Usually also looking at the CPRV (Chip Revision) tag will also tell you whether the device is new unit or not also.

==Finding bootrom version==
===From the model number ([[n72ap|iPod touch 2G]])===
If the second character of your Model Number is "B" (e.g.- '''FB533''', '''MB533''', or '''PB533'''), your iPod has the old bootrom. If the second character is "C" ('''FC086''', '''MC086''' or '''PC086'''), your iPod has the new bootrom.

===From the serial number ([[n88ap|iPhone 3GS]])===
The third digit of the serial number identifies the year of manufacture (9=2009, 0=2010), while the fourth and the fifth indicate the week. The first "new bootrom" devices are from week 40 of 2009 (??940?????? or higher serials). Any iPhone made after Week 45 of 2009 (??945?????? and higher or ??0???????? serials) has the new bootrom.

===From the DFU Device descriptors (all devices except S5L8900)===
====Windows====
# Connect Device & Enter [[DFU Mode]]
# Open Device Manager, find USB controller, subitem Apple Mobile Device USB Driver
# Right-Click & click Properties
# Go to Details tab & select Device Instance Path in the dropdown box
# The end of the info string will show the bootrom version

====Mac OS X====
# Connect Device & Enter [[DFU Mode]]
# Go to System Profiler, and under the Hardware category, go to USB, and click on Apple Mobile Device (DFU Mode)
# The end of the Serial Number string will show the bootrom version in brackets (ie: [iBoot-574.4])

====Linux====
# Make sure your distribution has '''usbutils''' installed. (most distributions have it by default)
# Connect Device & Enter [[DFU Mode]]
# In terminal, run '''sudo lsusb -v'''
# Find the line that says '''iSerial''' and your bootrom version will be at the end of the line.

== Dumping the bootrom ==
You can use [[Bootrom Dumper Utility]] by [[User:pod2g|pod2g]] to dump the bootrom on devices that are vulnerable to the [[limera1n]] exploit.

== Revisions ==
===[[S5L8900]], used in the [[M68ap|iPhone]], [[N45ap|iPod touch]], and [[N82ap|iPhone 3G]]===
* [[Bootrom Rev.2]]

===[[S5L8720]], used in the [[N72ap|iPod touch 2G]]===
* [[Bootrom 240.4]] "old bootrom"
* [[Bootrom 240.5.1]] "new bootrom"

===[[S5L8920]], used in the [[N88ap|iPhone 3GS]]===
* [[Bootrom 359.3]] "old bootrom"
* [[Bootrom 359.3.2]] "new bootrom"

===[[S5L8922]], used in the [[N18ap|iPod touch 3G]]===
* [[Bootrom 359.5]]

===[[S5L8930]], used in the [[K48ap|iPad]], [[N90ap|iPhone 4]], [[K66ap|Apple TV 2G]] and [[N81ap|iPod touch 4G]]===
* [[Bootrom 574.4]]

===[[S5L8940]], used in the [[iPad 2]] and [[N94ap|iPhone 4S]]===
* [[Bootrom 838.3]]

===[[S5L8942]], used in the [[iPad 2 R2]] and [[J33ap|Apple TV 3G]] ===
* ?


===[[S5L8945]], used in the [[iPad 3]]===
* [[Bootrom 1062.2]]

[[Category:Bootrom]]

IBSS

2012-09-16T20:54:11Z

Winocm:

{{DISPLAYTITLE:iBSS}}
A stripped down version of [[IBoot (Bootloader)|iBoot]], missing things such as interacting with the [[/|filesystem]]. Can be uploaded via [[DFU (Protocol)|DFU]] to bootstrap [[iBEC]] during a [[DFU Mode]] restore.

==Use of the iBSS==
The [[iBSS]] bootstraps the [[iBEC]], which prepares and executes the [[Restore Ramdisk]]. in addition, it sends messages to [[iTunes]] on the restore to supervise the restore process. It also integrity checks the images uploaded, and on iOS5+ does the image responsible for [[APTicket]], by uploading the [[nonce]] string to [[iTunes]] then checks for the match of the [[APTicket]] and [[nonce]] and the signatures on [[APTicket]]. On custom firmwares, the [[iBSS]] is patched out of every signature check, but on certain circumstances it still generates [[nonce]]. Check [[APTicket]] for further detail.

On jailbreak softwares like [[redsn0w]] and [[greenpois0n]], the [[iBSS]] bootstraps [[iBEC]] and executes a payload. It is patched out of its signature checks, of course.

==iBSS 5.x==

iBSS in iOS 5.x is very similar to LLB/DFU, where it has the same protocol. On UART out, it says: "iBSS ready. DFU start", or something along those lines.

Interesting things I've noted are when certain bits in chip ID are set, it uses a different DFU device identifier (I've personally seen 0x1226/0x1228), and these modes reject any Img3 files sent over USB.

Models

2012-09-16T15:34:18Z

Winocm:

The firmware [[iOS]] runs on various different '''models''' of devices. This page is used to give an overview of the different model numbers. For the region please see [[Model Regions]].

NOTE: The first letter may vary between "F", "M", or "P". "F" is used for refurbished units. "M" is used for typical retail units. "P" is used for personalized (engraved) units.

{| class="wikitable" style="text-align:center; width:auto;"
! Device Type
! Generation
! Model
! Bootrom
! Cellular Radio
! Type
! [[IPSW File Format|IPSW]] Prefix
! Color
! Memory
! Model
|-
! rowspan="33" | [[iPhone]]
| rowspan="3" | iPhone 2G
| rowspan="3" | A1203
| rowspan="3" | [[Bootrom Rev.2]]
| rowspan="3" | [[wikipedia:GSM|GSM]]
| rowspan="3" | [[m68ap]]
| rowspan="3" | iPhone1,1
| rowspan="3" | black
| 4 GB
| MA501
|-
| 8 GB
| MA712
|-
| 16 GB
| MB384
|-
| rowspan="3" | iPhone 3G
| rowspan="3" | A1241
| rowspan="3" | [[Bootrom Rev.2]]
| rowspan="3" | [[wikipedia:GSM|GSM]]
| rowspan="3" | [[n82ap]]
| rowspan="3" | iPhone1,2
| rowspan="2" | black
| 8 GB
| MB046, MB489, MB702, MC176
|-
| 16 GB
| MB048, MB496, MB704
|-
| white
| 16 GB
| MB499, MB500, MB501, MB632, MB705
|-
| rowspan="9" | iPhone 3GS
| rowspan="9" | A1303
| rowspan="4" | [[Bootrom 359.3]]
| rowspan="9" | [[wikipedia:GSM|GSM]]
| rowspan="9" | [[n88ap]]
| rowspan="9" | iPhone2,1
| rowspan="2" | black
| 16 GB
| MB715, MB735, MC135
|-
| 32 GB
| MB717, MB737
|-
| rowspan="2" | white
| 16 GB
| MB716, MB736, MC136
|-
| 32 GB
| MB718, MB738
|-
| rowspan="5" | [[Bootrom 359.3.2]]
| rowspan="3" | black
| 8 GB
| MC555, MC640
|-
| 16 GB
| MB715, MC131, MC135
|-
| 32 GB
| MB717, MC133, MC137
|-
| rowspan="2" | white
| 16 GB
| MB716, MC132, MC136
|-
| 32 GB
| MC134, MC138
|-
| rowspan="12" | [[iPhone 4]]
| rowspan="6" | A1332
| rowspan="6" | [[Bootrom 574.4]]
| rowspan="6" | [[wikipedia:GSM|GSM]]
| rowspan="6" | [[n90ap]]
| rowspan="6" | iPhone3,1
| rowspan="3" | black
| 8 GB
| MD126, MD128
|-
| 16 GB
| MC318, MC603, MC608
|-
| 32 GB
| MC319, MC605, MC610
|-
| rowspan="3" | white
| 8 GB
| MD196, MD198
|-
| 16 GB
| MC604
|-
| 32 GB
| MC606
|-
| rowspan="6" | A1349
| rowspan="6" | [[Bootrom 574.4]]
| rowspan="6" | [[wikipedia:Code division multiple access|CDMA]]
| rowspan="6" | [[n92ap]]
| rowspan="6" | iPhone3,3
| rowspan="3" | black
| 8 GB
| MD146, MD873
|-
| 16 GB
| MC676
|-
| 32 GB
| MC678
|-
| rowspan="3" | white
| 8 GB
| MD200, MD874
|-
| 16 GB
| MC677
|-
| 32 GB
| MC679
|-
| rowspan="6" | iPhone 4S
| rowspan="6" | A1387
| rowspan="6" | [[Bootrom 838.3]]
| rowspan="6" | [[wikipedia:GSM|GSM]]+[[wikipedia:Code division multiple access|CDMA]]
| rowspan="6" | [[n94ap]]
| rowspan="6" | iPhone4,1
| rowspan="3" | black
| 16 GB
| MC918, MD234, MD235, MD276, MD377, MD865
|-
| 32 GB
| MC919, MC923, MD241, MD278, MD379
|-
| 64 GB
| MD257, MD258, MD269, MD280, MD381
|-
| rowspan="3" | white
| 16 GB
| MC920, MD237, MD277, MD378, MD866
|-
| 32 GB
| MC921, MD244, MD279, MD380
|-
| 64 GB
| MD260, MD271, MD281, MD382
|-
! rowspan="29" | [[iPod touch]]
| rowspan="3" | iPod touch 1G
| rowspan="3" | A1213
| rowspan="3" | [[Bootrom Rev.2]]
| rowspan="3" {{n/a}}
| rowspan="3" | [[n45ap]]
| rowspan="3" | iPod1,1
| rowspan="3" | black
| 8 GB
| MA623, MA624, MA839
|-
| 16 GB
| MA627, MA628
|-
| 32 GB
| MB376
|-
| rowspan="4" | iPod touch 2G
| rowspan="4" | A1288
| rowspan="3" | [[Bootrom 240.4]]
| rowspan="4" {{n/a}}
| rowspan="4" | [[n72ap]]
| rowspan="4" | iPod2,1
| rowspan="4" | black
| 8 GB
| MB525, MB528, MB529
|-
| 16 GB
| MB531, MB532
|-
| 32 GB
| MB533, MB534
|-
| [[Bootrom 240.5.1]]
| 8 GB
| MC086
|-
| rowspan="2" | iPod touch 3G
| rowspan="2" | A1318
| rowspan="2" | [[Bootrom 359.5]]
| rowspan="2" {{n/a}}
| rowspan="2" | [[n18ap]]
| rowspan="2" | iPod3,1
| rowspan="2" | black
| 32 GB
| MC008
|-
| 64 GB
| MC011
|-
| rowspan="8" | iPod touch 4G
| rowspan="8" | A1367
| rowspan="8" | [[Bootrom 574.4]]
| rowspan="8" {{n/a}}
| rowspan="8" | [[n81ap]]
| rowspan="8" | iPod4,1
| rowspan="4" | black
| 8 GB
| MC540
|-
| 16 GB
| ME178
|-
| 32 GB
| MC544
|-
| 64 GB
| MC547
|-
| rowspan="4" | white
| 8 GB
| MD057
|-
| 16 GB
| ME179
|-
| 32 GB
| MD058
|-
| 64 GB
| MD059
|-
|-
| rowspan="12" | iPod touch 5G
| rowspan="12" | ?
| rowspan="12" | ?
| rowspan="12" {{n/a}}
| rowspan="12" | ?
| rowspan="12" | iPod5,1
| rowspan="2" | black
| 32 GB
| MD723
|-
| 64 GB
| MD724
|-
| rowspan="2" | blue
| 32 GB
| MD717
|-
| 64 GB
| MD718
|-
| rowspan="2" | pink
| 32 GB
| MC903
|-
| 64 GB
| MC904
|-
| rowspan="2" | red
| 32 GB
| MD749
|-
| 64 GB
| MD750
|-
| rowspan="2" | silver
| 32 GB
| MD720
|-
| 64 GB
| MD721
|-
| rowspan="2" | yellow
| 32 GB
| MD714
|-
| 64 GB
| MD715
|-
! rowspan="44" | [[iPad]]
| rowspan="6" | iPad
| rowspan="3" | A1219
| rowspan="6" | [[Bootrom 574.4]]
| rowspan="3" {{n/a}}
| rowspan="6" | [[k48ap]]
| rowspan="6" | iPad1,1
| rowspan="3" | black
| 16 GB
| MB292
|-
| 32 GB
| MB293
|-
| 64 GB
| MB294
|-
| rowspan="3" | A1337
| rowspan="3" | [[wikipedia:GSM|GSM]]
| rowspan="3" | black
| 16 GB
| MC349
|-
| 32 GB
| MC496
|-
| 64 GB
| MC497
|-
| rowspan="20" | [[iPad 2]]
| rowspan="6" | A1395
| rowspan="18" | [[Bootrom 838.3]]
| rowspan="6" {{n/a}}
| rowspan="6" | [[k93ap]]
| rowspan="6" | iPad2,1
| rowspan="3" | black
| 16 GB
| MC769
|-
| 32 GB
| MC770
|-
| 64 GB
| MC916
|-
| rowspan="3" | white
| 16 GB
| MC979
|-
| 32 GB
| MC980
|-
| 64 GB
| MC981
|-
| rowspan="6" | A1396
| rowspan="6" | [[wikipedia:GSM|GSM]]
| rowspan="6" | [[k94ap]]
| rowspan="6" | iPad2,2
| rowspan="3" | black
| 16 GB
| MC773
|-
| 32 GB
| MC774
|-
| 64 GB
| MC775
|-
| rowspan="3" | white
| 16 GB
| MC982
|-
| 32 GB
| MC983
|-
| 64 GB
| MC984
|-
| rowspan="6" | A1397
| rowspan="6" | [[wikipedia:Code division multiple access|CDMA]]
| rowspan="6" | [[k95ap]]
| rowspan="6" | iPad2,3
| rowspan="3" | black
| 16 GB
| MC755
|-
| 32 GB
| MC763
|-
| 64 GB
| MC764
|-
| rowspan="3" | white
| 16GB
| MC985
|-
| 32 GB
| MC986
|-
| 64 GB
| MC987
|-
| rowspan="2" | ?
| rowspan="2" | ?
| rowspan="2" {{n/a}}
| rowspan="2" | [[k93aap]]
| rowspan="2" | iPad2,4
| black
| 16 GB
| MC954
|-
| white
| 16 GB
| MC989
|-
| rowspan="18" | [[iPad 3]]
| rowspan="6" | A1416
| rowspan="18" | [[Bootrom 1062.2]]
| rowspan="6" {{n/a}}
| rowspan="6" | [[j1ap]]
| rowspan="6" | iPad3,1
| rowspan="3" | black
| 16 GB
| MC705
|-
| 32 GB
| MC706
|-
| 64 GB
| MC707
|-
| rowspan="3" | white
| 16 GB
| MD328
|-
| 32 GB
| MD329
|-
| 64 GB
| MD330
|-
| rowspan="6" | A1403
| rowspan="6" | [[wikipedia:GSM|GSM]]+[[wikipedia:Code division multiple access|CDMA]]
| rowspan="6" | [[j2ap]]
| rowspan="6" | iPad3,2
| rowspan="3" | black
| 16 GB
| MC733
|-
| 32 GB
| MC744
|-
| 64 GB
| MC756
|-
| rowspan="3" | white
| 16 GB
| MD363
|-
| 32 GB
| MD364
|-
| 64 GB
| MD365
|-
| rowspan="6" | A1430
| rowspan="6" | [[wikipedia:GSM|GSM]]
| rowspan="6" | [[j2aap]]
| rowspan="6" | iPad3,3
| rowspan="3" | black
| 16 GB
| MD366
|-
| 32 GB
| MD367
|-
| 64 GB
| MD368
|-
| rowspan="3" | white
| 16 GB
| MD369
|-
| 32 GB
| MD370
|-
| 64 GB
| MD371
|-
! rowspan="2" | [[Apple TV]]
| Apple TV 2G
| A1378
| [[Bootrom 574.4]]
| {{n/a}}
| [[k66ap]]
| AppleTV2,1
| black
| 8 GB
| MC572
|-
| Apple TV 3G
| A1427
| Bootrom Revision: ROM
| {{n/a}}
| [[j33ap]]
| AppleTV3,1
| black
| 8 GB
| MD199
|}

Unknown: MB719 (3GS, probably old bootrom model)

S5L8920

2012-09-16T15:32:35Z

Winocm:

This is the processor used in the [[iPhone 3GS]].

S5L8920 and derivative SoCs use the armv7 family, with later versions of the architecture using armv7f/armv7s.

[[S5L8920]] using THUMB-2 instruction set as well as ARM and THUMB ones. Binaries included in iOS are compiled for only [[ARMv7]] and are not compatible with older CPUs.

== Exploits ==
=== [[S5L8920 (Bootrom)|Bootrom]] ===
* [[0x24000 Segment Overflow]] - only in [[Bootrom 359.3]]
* [[Limera1n Exploit]]

== Related iOS Exploits ==
=== [[iBoot]] ===
* [[iBoot Environment Variable Overflow]] - Works up to [[iOS]] 3.1 beta 3
* [[usb_control_msg(0x21, 2) Exploit]] - Works up to [[iOS]] 3.1.2

=== [[Kernel]] ===
* [[BPF STX Kernel Write Exploit]] - Works up to [[iOS]] 3.1.3
* [[IOSurface Kernel Exploit]] - Works up to [[iOS]] 4.0.1
* [[Packet Filter Kernel Exploit]] - Works up to [[iOS]] 4.1
* [[HFS Legacy Volume Name Stack Buffer Overflow]] - Works up to [[iOS]] 4.2.1
* [[ndrv_setspec() Integer Overflow]] - Works up to [[iOS]] 4.3.3
* [[HFS Heap Overflow]] - Works up to iOS 5.0.1

=== [[Userland]] ===
* [[MobileBackup Copy Exploit]] - Works up to [[iOS]] 3.1.3
* [[Malformed CFF Vulnerability]] - Works up to [[iOS]] 4.0.1
* [[T1 Font Integer Overflow]]- Works up to [[iOS]] 4.3.3
* [[Racoon String Format Overflow Exploit]] - Works up to iOS 5.0.1

== Boot Chain ==
[[S5L8920 (Bootrom)|Bootrom]]→[[LLB]]→[[iBoot]]→[[Kernel]]→[[Firmware|System Software]]

== See also ==
* [[S5L8920 (Bootrom)]]
* [[S5L8920 (Hardware)]]
* [[S5L8920 (Hardware - Quick Notes)]]

==External Links==
* [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0344j/DDI0344J_cortex_a8_r3p2_trm.pdf Technical Reference Manual: Cortex A8]

S5L8945

2012-09-16T15:30:37Z

Winocm:

[[Image:A5X.png|right]]
The '''S5L8945''' is the Apple A5X processor currently used in the "The New iPad", also called [[iPad 3]].

The processor uses the Cortex-A9 core, and an updated version of the 8940 architecture. S5L8945X also has a new security epoch, but the SoC also has identical caching, and other components as to the 8940.

The software architecture as reported by "hostinfo" is: armv7f.

== Hardware ==
The A5X part number is APL5498 and the die markings repeat that same number as well. It is produced by Samsung with its low power 45nm CMOS process. The die measures 12.82mm × 12.71mm for an area of 162.94mm².

== Software ==
The chip contains [[Bootrom 1062.2]]. It runs [[ARM]] based instructions. The exact [[ARM]] reference has to be determined yet.

S5L8930

2012-09-16T15:27:54Z

Winocm:

[[Image:A4.jpg|right]]
A [[wikipedia:system on a chip|system on a chip]] ("SoC") developed by Apple's in-house chip design department. It is used in [[k48ap|iPad]], both models of the iPhone 4 ([[n90ap|GSM]] and [[n92ap|CDMA]]), [[K66ap|Apple TV 2G]] and the [[N81ap|iPod touch 4G]]. Publicly, Apple refers to this chip as the '''A4'''. Internally, this processor is also based on the S5L8920X family, which can also be seen through the reuse of several MMIO devices and MMIO device registers (i.e: chipid).

== Exploits ==

=== [[S5L8930 (Bootrom)|Bootrom]] ===
* [[limera1n]]
* [[SHA-1 Image Segment Overflow|SHAtter]]

=== [[iBoot]] ===
* [http://www.youtube.com/watch?v=0NValNoW5Rc Unreleased Untethered iBoot Exploit]

=== [[Kernel]] ===
* [[BPF STX Kernel Write Exploit]] - Works up to [[iOS]] 3.2
* [[IOSurface Kernel Exploit]] - Works up to [[iOS]] 4.0.1 (excluding iOS 3.2.2)
* [[Packet Filter Kernel Exploit]] - Works up to [[iOS]] 4.1
* [[HFS Legacy Volume Name Stack Buffer Overflow]] - Works up to [[iOS]] 4.2.8
* [[ndrv_setspec() Integer Overflow]] - Works up to [[iOS]] 4.3.3
* [[Incomplete Codesign Exploit]]- Works up to iOS 4.3.3 (excluding iOS 4.2.9/4.2.10)
* [[Racoon String Format Overflow Exploit]]- Works up to iOS 5.0.1
* [[HFS Heap Overflow]] - Works up to iOS 5.0.1

=== [[Userland]] ===
* [[MobileBackup Copy Exploit]] - Works up to [[iOS]] 3.2
* [[Malformed CFF Vulnerability]] - Works up to [[iOS]] 4.0.1 (excluding iOS 3.2.2)
*[[T1 Font Integer Overflow]]- Works up to [[iOS]] 4.3.3 (excluding 4.2.9 and 4.2.10)

== Boot Chain ==
[[Bootrom 574.4|Bootrom]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[Firmware|System Software]]

== Specifications ==
* '''CPU''': ARM Cortex-A8
* '''GPU''': PowerVR SGX 535
* '''A/V Playback''': PowerVR VXD
* '''RAM''': 256 MB ([[K66ap|Apple TV 2G]], [[K48ap|iPad]], and [[N81ap|iPod touch 4G]]) or 512 MB ([[iPhone 4]])

Aside from the [[iPhone 4]]'s additional RAM and an overall higher clock speed, these are the same specifications as the [[S5L8920]] and [[S5L8922]].

== See also ==
* [[Bootrom 574.4]]

== Links ==
* http://www.apple.com/ipad/specs/
* http://www.brightsideofnews.com/news/2010/1/27/apple-a4-soc-unveiled---its-an-arm-cpu-and-the-gpu!.aspx