Difference between revisions of "Kernel"

From The iPhone Wiki
Revision as of 14:25, 10 February 2012

The kernel of iOS is the XNU kernel. Pre-2.0, it was vulnerable to the Ramdisk Hack and may still be, but iBoot doesn't allow boot-args to be passed anymore. It is mapped to memory at 0x80000000, forcing a 2/2 GB address separation similar to the 32-bit Windows model. On older iOS the separation was 3/1 (mapping the kernel at 0xC0000000), closer to the Linux model. Note that this is NOT like 32-bit OS X, wherein the kernel resides in its own address space.

On production devices, the kernel is always stored as a pre-linked kernelcache at /System/Library/Caches/com.apple.kernelcaches/kernelcache. On development devices the kernel is stored in its normal place, /mach_kernel. On startup, the kernelcache is decompressed and run.

Contrary to common belief, the iOS XNU is highly similar to the OS X one. This includes KEXTs and the IOKit, which is implemented in full. iOS does not have free KEXTs floating around the file system, but they are indeed present: the kernelcache can be unpacked to show the kernel proper, along with the KEXTs (all packed in the __PRELINK_TEXT section) and their plists (in the __PRELINK_INFO section).

The Cydia-supplied kextstat does not work on iOS. This is because it relies on kmod_get_info(), which is an unsupported API in recent iOS and OS X. That said, the kexts DO exist. The following shows the listing of a custom command, jkextstat (which does work on iOS), on the author's iPod 4G:

Podicum:~ root# ./kextstat 
0 __kernel__ 
1 kpi.bsd 
2 kpi.dsep 
3 kpi.iokit 
4 kpi.libkern 
5 kpi.mach 
6 kpi.private 
7 kpi.unsupported 
8 driver.AppleARMPlatform <1 3 4 5 6 7>
9 iokit.IOStorageFamily <1 3 4 5 6 7>
10 driver.DiskImages <1 3 4 5 6 7 9>
11 driver.FairPlayIOKit <1 3 4 5 6 7>
12 driver.IOSlaveProcessor <3 4>
13 driver.IOP_s5l8930x_firmware <3 4 12>
14 iokit.AppleProfileFamily <1 3 4 5 6 7>
15 iokit.IOCryptoAcceleratorFamily <1 3 4 5 7>
16 driver.AppleMobileFileIntegrity <1 2 3 4 5 6 7 15>
17 iokit.IONetworkingFamily <1 3 4 5 6 7>
18 iokit.IOUserEthernet <1 3 4 5 6 16 17>
19 platform.AppleKernelStorage <3 4 7>
20 iokit.IOSurface <1 3 4 5 6 7 8>
21 iokit.IOStreamFamily <3 4 5>
22 iokit.IOAudio2Family <1 3 4 5 21>
23 driver.AppleAC3Passthrough <1 3 4 5 7 8 11 21 22>
24 iokit.EncryptedBlockStorage <1 3 4 5 9 15>
25 iokit.IOFlashStorage <1 3 4 5 7 9 24>
26 driver.AppleEffaceableStorage <1 3 4 5 7 8 25>
27 driver.AppleKeyStore <1 3 4 5 6 7 15 16 26>
28 kext.AppleMatch <1 4>
29 security.sandbox <1 2 3 4 5 6 7 16 28>
30 driver.AppleS5L8930X <1 3 4 5 7 8>
31 iokit.IOHIDFamily <1 3 4 5 6 7 16>
32 driver.AppleM68Buttons <1 3 4 5 7 8 31>
33 iokit.IOUSBDeviceFamily <1 3 4 5>
34 iokit.IOSerialFamily <1 3 4 5 6 7>
35 driver.AppleOnboardSerial <1 3 4 5 7 34>
36 iokit.IOAccessoryManager <3 4 5 7 8 33 34 35>
37 driver.AppleProfileTimestampAction <1 3 4 5 14>
38 driver.AppleProfileThreadInfoAction <1 3 4 6 14>
39 driver.AppleProfileKEventAction <1 3 4 14>
40 driver.AppleProfileRegisterStateAction <1 3 4 14>
41 driver.AppleProfileCallstackAction <1 3 4 5 6 14>
42 driver.AppleProfileReadCounterAction <3 4 6 14>
43 driver.AppleARMPL192VIC <3 4 5 7 8>
44 driver.AppleCDMA <1 3 4 5 7 8 15>
45 driver.IODARTFamily <3 4 5>
46 driver.AppleS5L8930XDART <1 3 4 5 7 8 45>
47 iokit.IOSDIOFamily <1 3 4 5 7>
48 driver.AppleIOPSDIO <1 3 4 5 7 8 12 47>
49 driver.AppleIOPFMI <1 3 4 5 7 8 12 25>
50 driver.AppleSamsungSPI <1 3 4 5 7 8>
51 driver.AppleSamsungSerial <1 3 4 5 7 8 34 35>
52 driver.AppleSamsungPKE <3 4 5 7 8 15>
53 driver.AppleS5L8920X <1 3 4 5 7 8>
54 driver.AppleSamsungI2S <1 3 4 5 7 8>
55 driver.AppleEmbeddedUSB <1 3 4 5 7 8>
56 driver.AppleS5L8930XUSBPhy <1 3 4 5 7 8 55>
57 iokit.IOUSBFamily <1 3 4 5 7>
58 driver.AppleUSBEHCI <1 3 4 5 7 57>
59 driver.AppleUSBComposite <1 3 4 57>
60 driver.AppleEmbeddedUSBHost <1 3 4 5 7 55 57 59>
61 driver.AppleUSBOHCI <1 3 4 5 57>
62 driver.AppleUSBOHCIARM <3 4 5 8 55 57 60 61>
63 driver.AppleUSBHub <1 3 4 5 57>
64 driver.AppleUSBEHCIARM <3 4 5 8 55 57 58 60 63>
65 driver.AppleS5L8930XUSB <1 3 4 5 7 8 55 57 58 60 61 62 64>
66 driver.AppleARM7M <3 4 8 12>
67 driver.EmbeddedIOP <3 4 5 12>
68 driver.AppleVXD375 <1 3 4 5 7 8 11>
69 driver.AppleD1815PMU <1 3 4 5 7 8 31>
70 iokit.AppleARMIISAudio <1 3 4 5 7 22>
71 driver.AppleEmbeddedAudio <1 3 4 5 7 8 22 31 70>
72 driver.AppleCS42L59Audio <3 4 5 8 22 31 70 71>
73 driver.AppleEmbeddedAccelerometer <3 4 5 7 8 31>
74 driver.AppleEmbeddedGyro <1 3 4 5 7 8 31>
75 driver.AppleEmbeddedLightSensor <3 4 5 7 8 31>
76 iokit.IOAcceleratorFamily <1 3 4 5 7 8>
77 IMGSGX535 <1 3 4 5 7 8 76>
78 driver.H2H264VideoEncoderDriver <1 3 4 5 7 8>
79 driver.AppleJPEGDriver <1 3 4 5 7 8>
80 driver.AppleH3CameraInterface <1 3 4 5 7 8>
81 driver.AppleM2ScalerCSCDriver <1 3 4 5 7 8 45>
82 iokit.IOMobileGraphicsFamily <1 3 4 5 7 8>
83 driver.AppleDisplayPipe <1 3 4 5 7 8 82>
84 driver.AppleCLCD <1 3 4 5 7 8 82 83>
85 driver.AppleSamsungMIPIDSI <1 3 4 5 7 8>
86 driver.ApplePinotLCD <1 3 4 5 7 8>
87 driver.AppleSamsungSWI <1 3 4 5 7 8>
88 iokit.IODisplayPortFamily <1 3 4 5 6 7 22>
89 driver.AppleRGBOUT <1 3 4 5 7 8 82 83 88>
90 driver.AppleTVOut <1 3 4 5 7 8>
91 driver.AppleAMC_r2 <1 3 4 5 7 8 11 21 22>
92 driver.AppleSamsungDPTX <3 4 5 7 8 88>
93 driver.AppleSynopsysOTGDevice <1 3 4 5 7 8 33 55>
94 driver.AppleNANDFTL <1 3 4 5 7 9 25>
95 driver.AppleNANDLegacyFTL <1 3 4 5 9 25 94>
96 AppleFSCompression.AppleFSCompressionTypeZlib <1 2 3 4 6>
97 IOTextEncryptionFamily <1 3 4 5 7 11>
98 driver.AppleBSDKextStarter <3 4>
99 nke.ppp <1 3 4 5 6 7>
100 nke.l2tp <1 3 4 5 6 7 99>
101 nke.pptp <1 3 4 5 6 7 99>
102 iokit.IO80211Family <1 3 4 5 6 7 17>
103 driver.AppleBCMWLANCore <1 3 4 5 6 7 8 17 102>
104 driver.AppleBCMWLANBusInterfaceSDIO <1 3 4 5 6 7 8 47 103>
105 driver.AppleDiagnosticDataAccessReadOnly <1 3 4 5 7 8 94>
106 driver.LightweightVolumeManager <1 3 4 5 9 15 24 26>
107 driver.IOFlashNVRAM <1 3 4 5 6 7 25>
108 driver.AppleNANDFirmware <1 3 4 5 25>
109 driver.AppleImage3NORAccess <1 3 4 5 7 8 15 108>
110 driver.AppleBluetooth <1 3 4 5 7 8>
111 driver.AppleMultitouchSPI <1 3 4 5 7 8>
112 driver.AppleUSBMike <1 3 4 5 8 22 33>
113 driver.AppleUSBDeviceMux <1 3 4 5 6 7 33>
114 driver.AppleUSBEthernetDevice <1 3 4 5 6 8 17 33>
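Each line of the listing above has three fields: the load tag, the bundle identifier in short form (security.sandbox is com.apple.security.sandbox in the plist output further down), and, in angle brackets, the load tags of the kexts it depends on (the same numbers that appear as OSBundleDependencies there). The parser and dependency queries below are an added example, not code from the page or from jkextstat; the sample input is a subset of the iPod 4G listing above, copied verbatim and trimmed so that every referenced load tag is present.

```python
"""Added example (not from the page or from jkextstat): parse the jkextstat
listing format above into a dependency graph and query it."""
import re

# Subset of the iPod 4G listing above, copied verbatim, chosen so that every
# load tag referenced in a <...> list is itself present.
SAMPLE_LISTING = """\
Podicum:~ root# ./kextstat 
0 __kernel__ 
1 kpi.bsd 
2 kpi.dsep 
3 kpi.iokit 
4 kpi.libkern 
5 kpi.mach 
6 kpi.private 
7 kpi.unsupported 
15 iokit.IOCryptoAcceleratorFamily <1 3 4 5 7>
16 driver.AppleMobileFileIntegrity <1 2 3 4 5 6 7 15>
17 iokit.IONetworkingFamily <1 3 4 5 6 7>
18 iokit.IOUserEthernet <1 3 4 5 6 16 17>
28 kext.AppleMatch <1 4>
29 security.sandbox <1 2 3 4 5 6 7 16 28>
"""

# load tag, short bundle name, optional "<tag tag ...>" dependency list
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*(?:<([\d\s]*)>)?\s*$")


def parse_kextstat(text):
    """Return {load_tag: (name, [load tags it depends on])}, skipping other lines."""
    kexts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                       # the shell prompt, blank lines
            continue
        tag, name, deps = int(m.group(1)), m.group(2), m.group(3)
        kexts[tag] = (name, [int(d) for d in deps.split()] if deps else [])
    return kexts


def tag_of(kexts, name):
    """Load tag of a kext given its short name (StopIteration if absent)."""
    return next(t for t, (n, _) in kexts.items() if n == name)


def transitive_deps(kexts, name):
    """Everything `name` pulls in, directly or indirectly, in load-tag order."""
    seen, todo = set(), list(kexts[tag_of(kexts, name)][1])
    while todo:
        t = todo.pop()
        if t not in seen:
            seen.add(t)
            todo.extend(kexts[t][1])
    return [kexts[t][0] for t in sorted(seen)]


def dependents_of(kexts, name):
    """Kexts that declare `name` as a dependency (they could not have loaded
    without it), in load-tag order."""
    t = tag_of(kexts, name)
    return [n for _, (n, deps) in sorted(kexts.items()) if t in deps]


if __name__ == "__main__":
    k = parse_kextstat(SAMPLE_LISTING)
    print(transitive_deps(k, "security.sandbox"))
    print(dependents_of(k, "driver.AppleMobileFileIntegrity"))
```

Run on the sample, the sandbox kext resolves to the seven KPIs plus IOCryptoAcceleratorFamily (pulled in through AppleMobileFileIntegrity), AppleMobileFileIntegrity and AppleMatch, and AppleMobileFileIntegrity is listed as a dependency by both IOUserEthernet and the sandbox.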

For a specific extension, e.g. the Sandbox kext, the full information (including the handy load address) is also accessible:

Podicum:~ root# ./jkextstat -b sandbox  -x
<dict>
        <key>CFBundleIdentifier</key>
        <string>com.apple.security.sandbox</string>
        <key>CFBundleVersion</key>
        <string>154.7</string>
        <key>OSBundleCPUSubtype</key>
        <integer>9</integer>
        <key>OSBundleCPUType</key>
        <integer>12</integer>
        <key>OSBundleDependencies</key>
        <array>
                <integer>6</integer>
                <integer>7</integer>
                <integer>5</integer>
                <integer>3</integer>
                <integer>28</integer>
                <integer>1</integer>
                <integer>4</integer>
                <integer>16</integer>
                <integer>2</integer>
        </array>
        <key>OSBundleExecutablePath</key>
        <string>/System/Library/Extensions/Sandbox.kext/Sandbox</string>
        <key>OSBundleIsInterface</key>
        <false/>
        <key>OSBundleLoadAddress</key>
        <integer>2153734144</integer>
        <key>OSBundleLoadSize</key>
        <integer>36864</integer>
        <key>OSBundleLoadTag</key>
        <integer>29</integer>
        <key>OSBundleMachOHeaders</key>
        <data>
        zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA
        AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f
        VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf
        X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA
        AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf
        gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA
        AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA
        AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA
        AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA
        AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2
        TzkVrtqsgOViBQ0=
        </data>
        <key>OSBundlePath</key>
        <string>/System/Library/Extensions/Sandbox.kext</string>
        <key>OSBundlePrelinked</key>
        <true/>
        <key>OSBundleRetainCount</key>
        <integer>0</integer>
        <key>OSBundleStarted</key>
        <true/>
        <key>OSBundleUUID</key>
        <data>
        FqyDtjZPORWu2qyA5WIFDQ==
        </data>
        <key>OSBundleWiredSize</key>
        <integer>36864</integer>
        <key>OSKernelResource</key>
        <false/>
</dict>



(The tool itself will be released soon)
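The OSBundleMachOHeaders and OSBundleUUID values above are base64 and decode to the kext's Mach-O header (with its LC_SEGMENT and LC_UUID load commands), so the plist's load address, load size and UUID can be checked against it. The kernelcache itself is a Mach-O too, with the __PRELINK_TEXT and __PRELINK_INFO segments mentioned earlier, and the same small load-command parser walks both. The code below is an added example, not code from The iPhone Wiki page or from jkextstat: the base64 strings and plist numbers are copied from the output above, the kernelcache used for the __PRELINK_INFO lookup is a constructed stand-in, and the parser assumes you already hold a decrypted, decompressed kernelcache as a plain Mach-O (the _PrelinkInfoDictionary key is the one XNU uses for the kext list in __PRELINK_INFO).

```python
"""Added example (not code from The iPhone Wiki page or from jkextstat):
a small 32-bit Mach-O load-command parser used two ways the page describes:
decoding the OSBundleMachOHeaders blob printed for the Sandbox kext, and
locating __PRELINK_TEXT / __PRELINK_INFO in an unpacked kernelcache."""
import base64
import plistlib
import struct

MH_MAGIC = 0xFEEDFACE          # 32-bit little-endian Mach-O (ARMv7)
MH_KEXT_BUNDLE = 0xB           # filetype of a kext
LC_SEGMENT = 0x1
LC_UUID = 0x1B
CPU_TYPE_ARM = 12


def parse_macho(blob):
    """Return (header dict, list of LC_SEGMENT dicts, LC_UUID bytes or None)."""
    magic, cputype, cpusubtype, filetype, ncmds, _sizeofcmds, _flags = \
        struct.unpack_from("<7I", blob, 0)
    if magic != MH_MAGIC:
        raise ValueError("not a 32-bit little-endian Mach-O: 0x%08x" % magic)
    header = {"cputype": cputype, "cpusubtype": cpusubtype, "filetype": filetype}
    segments, uuid, off = [], None, 28     # sizeof(struct mach_header) == 28
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmd == LC_SEGMENT:              # 56-byte segment_command, sections follow
            name, vmaddr, vmsize, fileoff, filesize, _max, _init, nsects, _f = \
                struct.unpack_from("<16s8I", blob, off + 8)
            segments.append({"name": name.rstrip(b"\0").decode(), "vmaddr": vmaddr,
                             "vmsize": vmsize, "fileoff": fileoff,
                             "filesize": filesize, "nsects": nsects})
        elif cmd == LC_UUID:
            uuid = blob[off + 8:off + 24]
        off += cmdsize
    return header, segments, uuid


# 1. The Sandbox kext: values copied verbatim from "jkextstat -b sandbox -x" above.
SANDBOX_LOAD_ADDRESS = 2153734144              # OSBundleLoadAddress
SANDBOX_LOAD_SIZE = 36864                      # OSBundleLoadSize
SANDBOX_UUID_B64 = "FqyDtjZPORWu2qyA5WIFDQ=="  # OSBundleUUID
SANDBOX_MACHO_HEADERS_B64 = (                  # OSBundleMachOHeaders
    "zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA"
    "AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f"
    "VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf"
    "X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA"
    "AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf"
    "gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA"
    "AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA"
    "AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA"
    "AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA"
    "AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA"
    "AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2"
    "TzkVrtqsgOViBQ0="
)


def inspect_sandbox_kext():
    """Decode the header blob and cross-check it against the plist's other fields:
    OSBundleLoadAddress is the __TEXT vmaddr (0x805f6000, in the half above
    0x80000000), OSBundleLoadSize is the sum of the segments' vmsize, and the
    LC_UUID load command carries OSBundleUUID."""
    header, segments, uuid = parse_macho(base64.b64decode(SANDBOX_MACHO_HEADERS_B64))
    text = next(s for s in segments if s["name"] == "__TEXT")
    return {
        "is_arm_kext": header["filetype"] == MH_KEXT_BUNDLE and header["cputype"] == CPU_TYPE_ARM,
        "segments": {s["name"]: (hex(s["vmaddr"]), s["vmsize"]) for s in segments},
        "load_address_is_text": text["vmaddr"] == SANDBOX_LOAD_ADDRESS,
        "load_size_is_vm_total": sum(s["vmsize"] for s in segments) == SANDBOX_LOAD_SIZE,
        "uuid_matches": uuid == base64.b64decode(SANDBOX_UUID_B64),
    }


# 2. The prelink segments of an unpacked (decrypted, decompressed) kernelcache.
def prelink_info(kernelcache):
    """Parse the XML plist in __PRELINK_INFO; __PRELINK_TEXT holds the kext images."""
    _, segments, _ = parse_macho(kernelcache)
    seg = next(s for s in segments if s["name"] == "__PRELINK_INFO")
    raw = kernelcache[seg["fileoff"]:seg["fileoff"] + seg["filesize"]]
    return plistlib.loads(raw.rstrip(b"\0"))


def build_macho(segments):
    """Constructed test image (not Apple data): one sectionless LC_SEGMENT per entry."""
    cmds, body, fileoff = b"", b"", 28 + 56 * len(segments)
    for name, vmaddr, payload in segments:
        cmds += struct.pack("<2I16s8I", LC_SEGMENT, 56, name.encode(), vmaddr,
                            len(payload), fileoff, len(payload), 7, 5, 0, 0)
        body += payload
        fileoff += len(payload)
    return struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, 9, 0x2, len(segments), len(cmds), 0) + cmds + body


def demo_prelink_lookup():
    """Bundle identifiers listed in a constructed kernelcache stand-in's __PRELINK_INFO."""
    info = plistlib.dumps({"_PrelinkInfoDictionary": [
        {"CFBundleIdentifier": "com.apple.security.sandbox"}]})
    image = build_macho([("__TEXT", 0x80001000, b"\0" * 64),
                         ("__PRELINK_TEXT", 0x80100000, b"\xcc" * 32),
                         ("__PRELINK_INFO", 0x80200000, info + b"\0" * 16)])
    return [k["CFBundleIdentifier"] for k in prelink_info(image)["_PrelinkInfoDictionary"]]
```

On the page's blob, inspect_sandbox_kext() finds a __TEXT segment at 0x805f6000 of 0x8000 bytes and a __DATA segment at 0x805fe000 of 0x1000 bytes, so the plist's load address is simply where __TEXT was mapped and its load size is the two vmsizes added together; the LC_UUID at the end of the load commands is byte-for-byte the OSBundleUUID. The same parse_macho() is what prelink_info() uses to find __PRELINK_INFO in a real kernelcache once it has been decompressed to a plain Mach-O.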

External Links

Article by Stefan Esser about exploiting the kernel

See Also