Difference between revisions of "DeviceTree"

From The iPhone Wiki
The '''device tree''' is a representation of hardware used by the boot loaders (iOS's [[iBoot (Bootloader)|iBoot]] and OS X's <code>boot.efi</code>) to provide the kernel with a mapping of hardware. The tree is a hierarchical representation of devices by connection, somewhat similar to Solaris's device tree (<code>/devices</code>), and Linux's <code>/sys/devices</code> (see [https://en.wikipedia.org/wiki/Device_tree device tree on Wikipedia] for more context). It is used extensively by the boot loader, as it populates the various entries of the tree, and then passes it to [[kernelcache|XNU]] (the kernel). XNU's platform expert then maps these addresses and uses them to communicate with the I/O buses and other low level hardware.
The device tree is packaged as an [[IMG3 File Format|IMG3]] or [[IMG4 File Format|IM4P]] file and is located in the [[IPSW File Format|IPSW]] at <code>/Firmware/all_flash/all_flash.{BoardCode}.production/DeviceTree.{BoardCode}.RELEASE.img3/im4p</code> on production devices or <code>/Firmware/all_flash/all_flash.{BoardCode}.factoryfa/DeviceTree.{BoardCode}.DEVELOPMENT.img3/im4p</code> on development devices. The device tree is the same for every firmware of a given device; however, the [[Firmware Keys|keys]] differ with every build. After iOS 10, almost all the img4 images for 64-bit devices are not encrypted, so it is possible to extract device trees from im4p files and dump them. For example, with img4tool, <code>img4 -image DeviceTree.d211ap.im4p devicetree-d211ap.bin</code> extracts the device tree into <code>devicetree-d211ap.bin</code>, and <code>dtdump devicetree-d211ap.bin</code> then dumps its contents.
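The following parser is an added example (not code from this wiki, from dtdump or from img4tool) showing what a dumper such as dtdump has to understand once the im4p wrapper has been removed. It assumes the flattened layout XNU's platform expert consumes, as declared in XNU's <code>pexpert/pexpert/device_tree.h</code>: every node is a <code>uint32</code> property count and a <code>uint32</code> child count, followed by that many properties (a 32-byte NUL-padded name, a <code>uint32</code> length, then the value padded to a 4-byte boundary) and then the child nodes. Masking the top bit of the length field is an assumption borrowed from how dump tools treat iBoot placeholder properties. The sample blob is constructed in the script; the <code>build_node</code>, <code>parse_node</code>, <code>find</code> and <code>dump</code> names are this example's own.

```python
# Added example: parser for the flattened device tree blob that iBoot hands to XNU.
# Layout assumed from XNU's pexpert/pexpert/device_tree.h (see lead-in); the
# 0x80000000 length flag handling is an assumption, not documented on the wiki page.
import struct

PROP_NAME_LEN = 32
LENGTH_MASK = 0x7FFFFFFF   # top bit marks a placeholder iBoot fills in at boot; mask it

def parse_node(buf, off=0):
    """Parse one node at offset `off`; return (node_dict, offset_after_node).
    Every read is bounds-checked so a truncated or hostile blob raises instead of
    reading past the buffer."""
    if off + 8 > len(buf):
        raise ValueError(f"truncated node header at offset {off}")
    n_props, n_children = struct.unpack_from("<II", buf, off)
    off += 8
    props = {}
    for _ in range(n_props):
        if off + PROP_NAME_LEN + 4 > len(buf):
            raise ValueError(f"truncated property header at offset {off}")
        name = buf[off:off + PROP_NAME_LEN].split(b"\0", 1)[0].decode("ascii", "replace")
        length = struct.unpack_from("<I", buf, off + PROP_NAME_LEN)[0] & LENGTH_MASK
        off += PROP_NAME_LEN + 4
        if off + length > len(buf):
            raise ValueError(f"property {name!r} overruns the blob")
        props[name] = bytes(buf[off:off + length])
        off += (length + 3) & ~3          # property values are 4-byte aligned
    children = []
    for _ in range(n_children):
        child, off = parse_node(buf, off)
        children.append(child)
    node_name = props.get("name", b"").split(b"\0", 1)[0].decode("ascii", "replace")
    return {"name": node_name, "props": props, "children": children}, off

def parse_tree(buf):
    """Parse a whole blob starting at the root node."""
    root, _end = parse_node(buf, 0)
    return root

def find(node, path):
    """Look a node up by slash path relative to `node`, e.g. find(root, 'cpus/cpu0')."""
    for part in [p for p in path.split("/") if p]:
        node = next((c for c in node["children"] if c["name"] == part), None)
        if node is None:
            return None
    return node

def dump(node, indent=0):
    """Render the tree in a dtdump-like text form: printable values as text, else hex."""
    pad = "  " * indent
    lines = [f"{pad}+ {node['name'] or '(unnamed)'}"]
    for key, val in node["props"].items():
        body = val.rstrip(b"\0")
        printable = bool(body) and all(32 <= b < 127 for b in body)
        lines.append(f"{pad}  {key} = {body.decode('ascii') if printable else val.hex()}")
    for child in node["children"]:
        lines.extend(dump(child, indent + 1))
    return lines

# --- constructed sample blob (invented node/property values, not from a real device) ---
def build_node(props, children=()):
    out = struct.pack("<II", len(props), len(children))
    for name, value in props:
        out += name.encode("ascii").ljust(PROP_NAME_LEN, b"\0")
        out += struct.pack("<I", len(value)) + value + b"\0" * (-len(value) % 4)
    return out + b"".join(children)

SAMPLE = build_node(
    [("name", b"device-tree\0"), ("compatible", b"Example,dt\0")],
    [build_node([("name", b"chosen\0"), ("debug-enabled", struct.pack("<I", 0))]),
     build_node([("name", b"cpus\0")],
                [build_node([("name", b"cpu0\0"), ("reg", struct.pack("<I", 0))])])])

if __name__ == "__main__":
    print("\n".join(dump(parse_tree(SAMPLE))))
    # On a real extraction: parse_tree(open("devicetree-d211ap.bin", "rb").read())
```

Run the script to print the constructed tree; point <code>parse_tree</code> at the output of the img4 extraction step above to walk a real one. The bounds checks matter because the blob is parsed by tooling on the analyst's machine and, at boot, by XNU, so a dumper should never trust the counts and lengths it reads.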

== See Also ==
* [[N88AP|iPhone 3GS]]'s [[N88AP/Device Tree|Device Tree]]
* [[xpwntool]]
* [[D211AP|iPhone 8 Plus (D211AP)]]'s [[D211AP/Device Tree|Device Tree]]
* [[D331AP|iPhone XS Max (D331AP)]]'s [[D331AP/Device Tree|Device Tree]]

== External Links ==
* IMG3 display tool, with device tree parser ([http://www.newosxbook.com/src.jl?tree=listings&file=6-bonus.c source] and [http://www.newosxbook.com/src.jl?tree=listings&file=dt.h header], or use the updated version from [http://www.newosxbook.com/forum/viewtopic.php?f=3&t=16576#p17126 here])
* IMG4 tool: [https://github.com/xerub/img4tool img4tool]
* [https://github.com/freedomtan/iOS-device-tree-dump dtdump], a simple program to dump iOS device trees, derived from the IMG3 display tool

Latest revision as of 05:43, 22 November 2018