Difference between revisions of "Kernel"

From The iPhone Wiki
Revision as of 01:50, 20 November 2012

The kernel of iOS is the XNU kernel. Pre-2.0, it was vulnerable to the Ramdisk Hack and may still be, but iBoot no longer allows boot-args to be passed. It is mapped into memory at 0x80000000, forcing a 2/2 GB address split similar to the 32-bit Windows model. On older iOS the split was 3/1 (mapping the kernel at 0xC0000000), closer to the Linux model.

Note that this is NOT like 32-bit OS X, where the kernel resides in its own address space, but more like 64-bit OS X, where CR3 is shared (albeit with an address space larger by several orders of magnitude). See the 64-bit section below.

ASLR

As of iOS 6, the kernel is presumed to be subject to ASLR, much as in Mountain Lion (OS X 10.8). This makes jailbreaks harder, as the kernel's location cannot be known in advance.

With the location unknown, the only choice is to guess and check. The flaw Apple overlooked here is that the kernel, like apps, is loaded on a 0x1000(?) byte (4 KiB) boundary, with only 0x100 (256) possible boundaries to load onto.

On production devices, the kernel is always stored as a statically linked cache stored at /System/Library/Caches/com.apple.kernelcaches/kernelcache that is decompressed and run on startup. On development devices the kernel is stored in the same location as OS X, at /mach_kernel.

Stack

The kernel maintains its stack at 0xd2000000 (d2 00 00 00).

Boot-Args

Like its OS X counterpart, iOS's XNU accepts command line arguments (though the actual passing of arguments is done by iBoot, which as of late refuses to do so). Arguments may be directed at the kernel proper or at any one of the many kexts (discussed below). The kernel's arguments are largely the same as those of OS X.

Kexts use boot-args as well, as can be seen in disassembly by the calls to PE_parse_boot_argn (usually exported, at 0x80240800 in the iOS 5 iPod 4G kernel). Finding references (using IDA) reveals hundreds of places in the code where arguments are parsed in modules pertaining to Flash, HDMI, and AMFI.
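
As an added illustration (written for this page; it is not code from the wiki and not XNU's own implementation), the following Python models the name=value lookup that a PE_parse_boot_argn-style call performs over a boot-args string. It is a simplified model: the sample boot-args line is constructed, and the first-match and value-conversion behaviour are assumptions of the model, not a statement about the kernel's exact semantics.

```python
def _convert(value):
    """Numeric boot-arg values are written as decimal or 0x-prefixed hex;
    anything else is returned unchanged as a string."""
    try:
        return int(value, 16) if value.lower().startswith("0x") else int(value, 10)
    except ValueError:
        return value

def parse_boot_argn(boot_args, name):
    """Simplified model (assumption, not the kernel's code) of a
    PE_parse_boot_argn-style lookup of `name`.  Returns (found, value):
      - a bare flag token such as "-v" matches by its full name and yields True;
      - a "name=value" token yields the converted value;
      - the first matching token wins and unrelated tokens are ignored."""
    for token in boot_args.split():
        if token == name and name.startswith("-"):
            return True, True
        key, sep, value = token.partition("=")
        if sep and key == name:
            return True, _convert(value)
    return False, None

def all_boot_args(boot_args):
    """Expand a whole boot-args string into {name: value}: the view wanted when
    auditing what a device was booted with.  First occurrence wins."""
    result = {}
    for token in boot_args.split():
        key, sep, value = token.partition("=")
        if key not in result:
            result[key] = _convert(value) if sep else True
    return result

# Constructed sample line; debug, -v and serial are standard XNU boot-args.
# The duplicated debug= shows that only the first occurrence is honoured.
SAMPLE_BOOT_ARGS = "debug=0x14e -v serial=3 debug=1"
```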

Versions

iOS has consistently maintained a higher kernel version than the corresponding version of OS X. At the time of writing, OS X Mountain Lion's XNU is 20xx, whereas iOS is 21xx. This is not surprising, considering that iOS has novel features (such as KASLR, the default freezer, and various security hardening features) which are first incorporated in it, and only later make it to OS X. The following demonstrates the two OS versions at present:

OS X Mountain Lion:

Darwin Kernel Version 12.2.0: Sat Aug 25 00:48:52 PDT 2012; root:xnu-2050.18.24~1/RELEASE_X86_64 x86_64

iOS 6:

Darwin Kernel Version 13.0.0: Sun Aug 19 00:31:06 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_S5L8950X

Note: the RELEASE_ARM_xxxxxxxx part obviously differs by device / CPU.

Version | Build | Comment
1A420 | Darwin Kernel Version 4.4.2-Purple-19: Thu Mar 8 01:43:04 PST 2007; root:xnu-933.0.14~46/RELEASE_ARM_S5L8900XRB | from prototype - not sure if 100% correct.
1.0.0 | |
1.0.1 | |
1.0.2 | |
1.1.1 | |
1.1.2 | |
1.1.3 | |
1.1.4 | |
2.0 | |
2.0.1 | |
2.0.2 | |
2.1 | |
2.2 | |
2.2.1 | |
3.0 | |
3.0.1 | |
3.1 | |
3.1.2 | |
3.1.3 | |
3.2 | |
3.2.1 | |
3.2.2 | |
4.0 | |
4.0.1 | |
4.0.2 | |
4.1 | |
4.2.1 | Darwin Kernel Version 10.4.0: Wed Oct 20 20:14:45 PDT 2010; root:xnu-1504.58.28~3/RELEASE_ARM_S5L8930X |
4.3 | |
4.3.1 | |
4.3.2 | |
4.3.3 | Darwin Kernel Version 11.0.0: Wed Mar 30 18:44:45 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_S5L8920X |
4.3.4 | |
4.3.5 | |
5.0 | Darwin Kernel Version 11.0.0: Thu Sep 15 23:34:43 PDT 2011; root:xnu-1878.4.43~2/RELEASE_ARM_S5L8940X |
5.0.1 | Darwin Kernel Version 11.0.0: Tue Nov 1 20:34:16 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8940X |
5.1 | Darwin Kernel Version 11.0.0: Wed Feb 1 23:18:07 PST 2012; root:xnu-1878.11.8~1/RELEASE_ARM_S5L8945X |
5.1.1 | Darwin Kernel Version 11.0.0: Sun Apr 8 21:51:26 PDT 2012; root:xnu-1878.11.10~1/RELEASE_ARM_S5L8930X |
6.0 | Darwin Kernel Version 13.0.0: Sun Aug 19 00:31:06 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_S5L8950X |
6.0.1 | |

This constant version scheme makes parsing with a regex simple. Two details of the strings above have to be allowed for: the day of the month may be a single digit (e.g. "Nov 1"), and the xnu number may have two components (e.g. xnu-1735.46~10) as well as three:

Darwin Kernel Version ([0-9]+)\.([0-9]+)\.([0-9]+): (Sun|Mon|Tue|Wed|Thu|Fri|Sat) (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +([0-9]{1,2}) ([0-9]{2}):([0-9]{2}):([0-9]{2}) ([A-Z]{3}) ([0-9]{4}); root:xnu-([0-9]+)\.([0-9]+(?:\.[0-9]+)?)~([0-9]+)/RELEASE_ARM_S5L([0-9]{4})X

with the captured groups as:

Darwin Kernel Version $1.$2.$3: $4 $5 $6 $7:$8:$9 $10 $11; root:xnu-$12.$13~$14/RELEASE_ARM_S5L$15X
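
The following Python is an added example, not code from the page: it applies that pattern with named groups to a constructed sample set of strings copied from the table above plus the OS X Mountain Lion and prototype strings from this section. It goes slightly beyond the pattern above by accepting any RELEASE_<config> (with the trailing architecture word the OS X string carries), so the same parser handles both platforms and can confirm the claim that the iOS xnu number is the higher of the two; the prototype 1A420 string is included to show how a string outside the scheme is reported.

```python
import re

# Version-string pattern of this section with named groups.  Beyond the page's
# pattern it accepts a one- or two-digit day, a two- or three-component xnu
# number, and any RELEASE_<config> with an optional trailing arch word.
KERNEL_VERSION_RE = re.compile(
    r"Darwin Kernel Version (?P<darwin>[0-9]+\.[0-9]+\.[0-9]+): "
    r"(?P<dow>Sun|Mon|Tue|Wed|Thu|Fri|Sat) "
    r"(?P<month>Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +"
    r"(?P<day>[0-9]{1,2}) (?P<time>[0-9]{2}:[0-9]{2}:[0-9]{2}) "
    r"(?P<tz>[A-Z]{3}) (?P<year>[0-9]{4}); "
    r"root:xnu-(?P<xnu>[0-9]+(?:\.[0-9]+){1,2})~(?P<tag>[0-9]+)"
    r"/RELEASE_(?P<config>[A-Z0-9_]+)(?: (?P<arch>\w+))?"
)

def parse_kernel_version(s):
    """Parse one 'Darwin Kernel Version ...' string into a dict, or return
    None when it does not follow the scheme (e.g. the 1A420 prototype row)."""
    m = KERNEL_VERSION_RE.fullmatch(s.strip())
    if m is None:
        return None
    d = m.groupdict()
    # Tuples of ints compare numerically, which is what version ordering needs.
    d["darwin"] = tuple(int(x) for x in d["darwin"].split("."))
    d["xnu"] = tuple(int(x) for x in d["xnu"].split("."))
    d["day"], d["year"], d["tag"] = int(d["day"]), int(d["year"]), int(d["tag"])
    # On ARM builds the config names the SoC (S5L....X); OS X builds have none.
    d["soc"] = d["config"][len("ARM_"):] if d["config"].startswith("ARM_") else None
    return d

# Constructed sample set: strings copied from this section.
SAMPLES = {
    "iOS 4.3.3": "Darwin Kernel Version 11.0.0: Wed Mar 30 18:44:45 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_S5L8920X",
    "iOS 5.0.1": "Darwin Kernel Version 11.0.0: Tue Nov 1 20:34:16 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8940X",
    "iOS 6.0": "Darwin Kernel Version 13.0.0: Sun Aug 19 00:31:06 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_S5L8950X",
    "OS X Mountain Lion": "Darwin Kernel Version 12.2.0: Sat Aug 25 00:48:52 PDT 2012; root:xnu-2050.18.24~1/RELEASE_X86_64 x86_64",
    "prototype 1A420": "Darwin Kernel Version 4.4.2-Purple-19: Thu Mar 8 01:43:04 PST 2007; root:xnu-933.0.14~46/RELEASE_ARM_S5L8900XRB",
}

def newest_xnu(samples):
    """Name of the parseable sample whose xnu build number is highest."""
    parsed = {k: parse_kernel_version(v) for k, v in samples.items()}
    parsed = {k: p for k, p in parsed.items() if p is not None}
    return max(parsed, key=lambda k: parsed[k]["xnu"])

def unparsed(samples):
    """Names of samples that do not follow the version scheme."""
    return [k for k, v in samples.items() if parse_kernel_version(v) is None]
```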

Source Code

As XNU is based on the BSD kernel, it is open source. The source is under the 3-clause BSD License for the original BSD portions, with the portions added by Apple under the Apple Public Source License. The versions contained in iOS are not available; only the versions used in OS X are. This does not appear to be legal per §2.3 of the APSL:

2.3     Distribution of Executable Versions.  In addition, if You Externally Deploy Covered
Code (Original Code and/or Modifications) in object code, executable form only, You must
include a prominent notice, in the code itself as well as in related documentation, stating
that Source Code of the Covered Code is available under the terms of this License with
information on how and where to obtain such Source Code.

with Source Code defined in §1.8:

1.8     "Source Code" means the human readable form of a program or other work that is
suitable for making modifications to it, including all modules it contains, plus any
associated interface definition files, scripts used to control compilation and installation
of an executable (object code).

It is worth noting that Apple does not list XNU as an open source component of iOS. This can be seen by viewing opensource.apple.com and selecting any iOS version. As far as can be told, none of the versions of XNU are available in source form.

There are many other open source components that iOS uses that are not listed, such as:

* CF (CoreFoundation - Cocoa)
* SQLite (SQLite - database utility)
* TimeZoneData (tz database - /usr/share/zoneinfo)
* curl(?) (libcurl - various HTTP operations)
* hfs (hfs - HFS driver)
* launchd (launchd - launch daemon)
* libxml2(?) (libxml2 - parser for XML plists)
* xnu (XNU - Kernel)
* zip (zip - extraction of various files)

Apple does not appear to assume that what is listed on the OS X pages is also on iOS, since JavaScriptCore, WebCore, and others are listed on both OS X (10.8) and iOS (6.0), albeit in different versions.

It is also worth noting that gdb (the GCC debugger) and ld64 are listed as components in iOS 6.0. Why they are present is a mystery, as they are not present on unaltered devices, but only through Cydia or Xcode's DeveloperImage.dmg.

64-bit

The kernel appears to be 64-bit, given that Xcode 4.5 and iOS 6.0 contain ld64.

Kernel Extensions

iOS, sadly, does not have kexts floating around the file system, but they are indeed present. The kernelcache can be unpacked to show the kernel proper, along with the kexts (all packed in the __PRELINK_TEXT section) and their plists (in the __PRELINK_INFO section).

The Cydia-supplied kextstat does not work on iOS. Sadly, the reason is that kextstat relies on kmod_get_info(...), a deprecated (and recently removed) API in recent iOS and OS X versions. With that said, the kexts do exist. The alternative, jkextstat, does work on recent iOS versions. jkextstat can cause some confusion because it uses the executable name kextstat, similar to how calling g++ just launches gcc with parameters to treat all .c files as C++ files.

The following is the output from jkextstat on an iPod touch 4G running iOS 6(?):

Podicum:~ root# ./kextstat 
  0 __kernel__ 
  1 kpi.bsd 
  2 kpi.dsep 
  3 kpi.iokit 
  4 kpi.libkern 
  5 kpi.mach 
  6 kpi.private 
  7 kpi.unsupported 
  8 driver.AppleARMPlatform <1 3 4 5 6 7>
  9 iokit.IOStorageFamily <1 3 4 5 6 7>
 10 driver.DiskImages <1 3 4 5 6 7 9>
 11 driver.FairPlayIOKit <1 3 4 5 6 7>
 12 driver.IOSlaveProcessor <3 4>
 13 driver.IOP_s5l8930x_firmware <3 4 12>
 14 iokit.AppleProfileFamily <1 3 4 5 6 7>
 15 iokit.IOCryptoAcceleratorFamily <1 3 4 5 7>
 16 driver.AppleMobileFileIntegrity <1 2 3 4 5 6 7 15>
 17 iokit.IONetworkingFamily <1 3 4 5 6 7>
 18 iokit.IOUserEthernet <1 3 4 5 6 16 17>
 19 platform.AppleKernelStorage <3 4 7>
 20 iokit.IOSurface <1 3 4 5 6 7 8>
 21 iokit.IOStreamFamily <3 4 5>
 22 iokit.IOAudio2Family <1 3 4 5 21>
 23 driver.AppleAC3Passthrough <1 3 4 5 7 8 11 21 22>
 24 iokit.EncryptedBlockStorage <1 3 4 5 9 15>
 25 iokit.IOFlashStorage <1 3 4 5 7 9 24>
 26 driver.AppleEffaceableStorage <1 3 4 5 7 8 25>
 27 driver.AppleKeyStore <1 3 4 5 6 7 15 16 26>
 28 kext.AppleMatch <1 4>
 29 security.sandbox <1 2 3 4 5 6 7 16 28>
 30 driver.AppleS5L8930X <1 3 4 5 7 8>
 31 iokit.IOHIDFamily <1 3 4 5 6 7 16>
 32 driver.AppleM68Buttons <1 3 4 5 7 8 31>
 33 iokit.IOUSBDeviceFamily <1 3 4 5>
 34 iokit.IOSerialFamily <1 3 4 5 6 7>
 35 driver.AppleOnboardSerial <1 3 4 5 7 34>
 36 iokit.IOAccessoryManager <3 4 5 7 8 33 34 35>
 37 driver.AppleProfileTimestampAction <1 3 4 5 14>
 38 driver.AppleProfileThreadInfoAction <1 3 4 6 14>
 39 driver.AppleProfileKEventAction <1 3 4 14>
 40 driver.AppleProfileRegisterStateAction <1 3 4 14>
 41 driver.AppleProfileCallstackAction <1 3 4 5 6 14>
 42 driver.AppleProfileReadCounterAction <3 4 6 14>
 43 driver.AppleARMPL192VIC <3 4 5 7 8>
 44 driver.AppleCDMA <1 3 4 5 7 8 15>
 45 driver.IODARTFamily <3 4 5>
 46 driver.AppleS5L8930XDART <1 3 4 5 7 8 45>
 47 iokit.IOSDIOFamily <1 3 4 5 7>
 48 driver.AppleIOPSDIO <1 3 4 5 7 8 12 47>
 49 driver.AppleIOPFMI <1 3 4 5 7 8 12 25>
 50 driver.AppleSamsungSPI <1 3 4 5 7 8>
 51 driver.AppleSamsungSerial <1 3 4 5 7 8 34 35>
 52 driver.AppleSamsungPKE <3 4 5 7 8 15>
 53 driver.AppleS5L8920X <1 3 4 5 7 8>
 54 driver.AppleSamsungI2S <1 3 4 5 7 8>
 55 driver.AppleEmbeddedUSB <1 3 4 5 7 8>
 56 driver.AppleS5L8930XUSBPhy <1 3 4 5 7 8 55>
 57 iokit.IOUSBFamily <1 3 4 5 7>
 58 driver.AppleUSBEHCI <1 3 4 5 7 57>
 59 driver.AppleUSBComposite <1 3 4 57>
 60 driver.AppleEmbeddedUSBHost <1 3 4 5 7 55 57 59>
 61 driver.AppleUSBOHCI <1 3 4 5 57>
 62 driver.AppleUSBOHCIARM <3 4 5 8 55 57 60 61>
 63 driver.AppleUSBHub <1 3 4 5 57>
 64 driver.AppleUSBEHCIARM <3 4 5 8 55 57 58 60 63>
 65 driver.AppleS5L8930XUSB <1 3 4 5 7 8 55 57 58 60 61 62 64>
 66 driver.AppleARM7M <3 4 8 12>
 67 driver.EmbeddedIOP <3 4 5 12>
 68 driver.AppleVXD375 <1 3 4 5 7 8 11>
 69 driver.AppleD1815PMU <1 3 4 5 7 8 31>
 70 iokit.AppleARMIISAudio <1 3 4 5 7 22>
 71 driver.AppleEmbeddedAudio <1 3 4 5 7 8 22 31 70>
 72 driver.AppleCS42L59Audio <3 4 5 8 22 31 70 71>
 73 driver.AppleEmbeddedAccelerometer <3 4 5 7 8 31>
 74 driver.AppleEmbeddedGyro <1 3 4 5 7 8 31>
 75 driver.AppleEmbeddedLightSensor <3 4 5 7 8 31>
 76 iokit.IOAcceleratorFamily <1 3 4 5 7 8>
 77 IMGSGX535 <1 3 4 5 7 8 76>
 78 driver.H2H264VideoEncoderDriver <1 3 4 5 7 8>
 79 driver.AppleJPEGDriver <1 3 4 5 7 8>
 80 driver.AppleH3CameraInterface <1 3 4 5 7 8>
 81 driver.AppleM2ScalerCSCDriver <1 3 4 5 7 8 45>
 82 iokit.IOMobileGraphicsFamily <1 3 4 5 7 8>
 83 driver.AppleDisplayPipe <1 3 4 5 7 8 82>
 84 driver.AppleCLCD <1 3 4 5 7 8 82 83>
 85 driver.AppleSamsungMIPIDSI <1 3 4 5 7 8>
 86 driver.ApplePinotLCD <1 3 4 5 7 8>
 87 driver.AppleSamsungSWI <1 3 4 5 7 8>
 88 iokit.IODisplayPortFamily <1 3 4 5 6 7 22>
 89 driver.AppleRGBOUT <1 3 4 5 7 8 82 83 88>
 90 driver.AppleTVOut <1 3 4 5 7 8>
 91 driver.AppleAMC_r2 <1 3 4 5 7 8 11 21 22>
 92 driver.AppleSamsungDPTX <3 4 5 7 8 88>
 93 driver.AppleSynopsysOTGDevice <1 3 4 5 7 8 33 55>
 94 driver.AppleNANDFTL <1 3 4 5 7 9 25>
 95 driver.AppleNANDLegacyFTL <1 3 4 5 9 25 94>
 96 AppleFSCompression.AppleFSCompressionTypeZlib <1 2 3 4 6>
 97 IOTextEncryptionFamily <1 3 4 5 7 11>
 98 driver.AppleBSDKextStarter <3 4>
 99 nke.ppp <1 3 4 5 6 7>
100 nke.l2tp <1 3 4 5 6 7 99>
101 nke.pptp <1 3 4 5 6 7 99>
102 iokit.IO80211Family <1 3 4 5 6 7 17>
103 driver.AppleBCMWLANCore <1 3 4 5 6 7 8 17 102>
104 driver.AppleBCMWLANBusInterfaceSDIO <1 3 4 5 6 7 8 47 103>
105 driver.AppleDiagnosticDataAccessReadOnly <1 3 4 5 7 8 94>
106 driver.LightweightVolumeManager <1 3 4 5 9 15 24 26>
107 driver.IOFlashNVRAM <1 3 4 5 6 7 25>
108 driver.AppleNANDFirmware <1 3 4 5 25>
109 driver.AppleImage3NORAccess <1 3 4 5 7 8 15 108>
110 driver.AppleBluetooth <1 3 4 5 7 8>
111 driver.AppleMultitouchSPI <1 3 4 5 7 8>
112 driver.AppleUSBMike <1 3 4 5 8 22 33>
113 driver.AppleUSBDeviceMux <1 3 4 5 6 7 33>
114 driver.AppleUSBEthernetDevice <1 3 4 5 6 8 17 33>
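
The listing is more useful once it is parsed: the numbers in angle brackets are load tags of the dependencies, and resolving them shows, for example, which kexts depend on AppleMobileFileIntegrity. The following Python is an added example (not jkextstat's code or anything from the wiki) that parses a constructed subset of the rows above, resolves dependency tags to names, answers the reverse question, and cross-checks a row against the OSBundleDependencies array that the -x plist output further down reports for the same kext.

```python
import re

# Constructed sample: a subset of the rows from the jkextstat listing above,
# prompt line included so the parser has to skip it.
JKEXTSTAT_OUTPUT = """\
Podicum:~ root# ./kextstat 
  0 __kernel__ 
  1 kpi.bsd 
  2 kpi.dsep 
  3 kpi.iokit 
  4 kpi.libkern 
  5 kpi.mach 
  6 kpi.private 
  7 kpi.unsupported 
 15 iokit.IOCryptoAcceleratorFamily <1 3 4 5 7>
 16 driver.AppleMobileFileIntegrity <1 2 3 4 5 6 7 15>
 27 driver.AppleKeyStore <1 3 4 5 6 7 15 16 26>
 28 kext.AppleMatch <1 4>
 29 security.sandbox <1 2 3 4 5 6 7 16 28>
 31 iokit.IOHIDFamily <1 3 4 5 6 7 16>
"""

# load tag, bundle name, optional "<tag tag ...>" list of dependencies
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*(?:<([\d ]*)>)?\s*$")

def parse_kextstat(text):
    """Map load tag -> (name, [dependency load tags]) from jkextstat output.
    Lines that are not rows (the shell prompt, blanks) are skipped."""
    kexts = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue
        tag, name, deps = m.groups()
        kexts[int(tag)] = (name, [int(d) for d in deps.split()] if deps else [])
    return kexts

def _tag_of(kexts, name):
    for tag, (n, _) in kexts.items():
        if n == name:
            return tag
    raise KeyError(name)

def dependency_names(kexts, name):
    """Direct dependencies of `name` resolved to bundle names.  A tag missing
    from the parsed listing (here 26, for AppleKeyStore) is shown as '#<tag>'."""
    _, deps = kexts[_tag_of(kexts, name)]
    return [kexts[d][0] if d in kexts else "#%d" % d for d in deps]

def dependents(kexts, name):
    """Reverse lookup: every parsed kext that lists `name` as a dependency."""
    target = _tag_of(kexts, name)
    return sorted(n for n, deps in kexts.values() if target in deps)

def matches_plist_dependencies(kexts, name, plist_deps):
    """Cross-check a listing row against the OSBundleDependencies array the
    -x plist output reports for the same kext (order differs, compare as sets)."""
    return set(kexts[_tag_of(kexts, name)][1]) == set(plist_deps)
```

The OSBundleDependencies array in the Sandbox plist below (6, 7, 5, 3, 28, 1, 4, 16, 2) is the same set as the <1 2 3 4 5 6 7 16 28> of row 29, just in a different order, which is why the cross-check compares sets.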

For a specific extension, e.g. Sandbox, the full information (including the handy load address) is also accessible:

root# ./jkextstat -b sandbox -x:

<plist>
<dict>
        <key>CFBundleIdentifier</key>
        <string>com.apple.security.sandbox</string>
        <key>CFBundleVersion</key>
        <string>154.7</string>
        <key>OSBundleCPUSubtype</key>
        <integer>9</integer>
        <key>OSBundleCPUType</key>
        <integer>12</integer>
        <key>OSBundleDependencies</key>
        <array>
                <integer>6</integer>
                <integer>7</integer>
                <integer>5</integer>
                <integer>3</integer>
                <integer>28</integer>
                <integer>1</integer>
                <integer>4</integer>
                <integer>16</integer>
                <integer>2</integer>
        </array>
        <key>OSBundleExecutablePath</key>
        <string>/System/Library/Extensions/Sandbox.kext/Sandbox</string>
        <key>OSBundleIsInterface</key>
        <false/>
        <key>OSBundleLoadAddress</key>
        <integer>2153734144</integer>
        <key>OSBundleLoadSize</key>
        <integer>36864</integer>
        <key>OSBundleLoadTag</key>
        <integer>29</integer>
        <key>OSBundleMachOHeaders</key>
        <data>
        zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA
        AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f
        VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf
        X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA
        AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf
        gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA
        AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA
        AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA
        AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA
        AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2
        TzkVrtqsgOViBQ0=
        </data>
        <key>OSBundlePath</key>
        <string>/System/Library/Extensions/Sandbox.kext</string>
        <key>OSBundlePrelinked</key>
        <true/>
        <key>OSBundleRetainCount</key>
        <integer>0</integer>
        <key>OSBundleStarted</key>
        <true/>
        <key>OSBundleUUID</key>
        <data>
        FqyDtjZPORWu2qyA5WIFDQ==
        </data>
        <key>OSBundleWiredSize</key>
        <integer>36864</integer>
        <key>OSKernelResource</key>
        <false/>
</dict>
</plist>


It is also worth mentioning that, in the above listing, the OSBundleMachOHeaders (base64-encoded binary headers) leak kernel addresses in iOS 6.0.0, allowing for its jailbreak, which has yet to be made public. This was quickly fixed in iOS 6.0.1, effectively locking down iOS for the foreseeable future, thanks to security researcher mdowd.
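
To see concretely what that field exposed, here is an added Python example (written for this page; not the wiki's or jkextstat's code) that base64-decodes the OSBundleMachOHeaders value from the plist above, walks the 32-bit mach_header and its load commands, and checks the result against the plist's own OSBundleLoadAddress, OSBundleLoadSize and OSBundleUUID. The vmaddr of __TEXT stored in the prelinked header is the kext's live, already-slid address, so handing the raw header to user space gives away exactly what KASLR is meant to hide; the consistency check is the kind of test an audit of such an interface would run. MH_MAGIC, LC_SEGMENT and LC_UUID are the standard Mach-O constants; everything else is the page's own data.

```python
import base64
import struct
import uuid

# Values copied verbatim from the jkextstat -x plist above.
OS_BUNDLE_MACHO_HEADERS = """
zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA
AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f
VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf
X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA
AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf
gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA
AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA
AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA
AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA
AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2
TzkVrtqsgOViBQ0=
"""
OS_BUNDLE_LOAD_ADDRESS = 2153734144   # 0x805f6000
OS_BUNDLE_LOAD_SIZE = 36864           # 0x9000
OS_BUNDLE_UUID_B64 = "FqyDtjZPORWu2qyA5WIFDQ=="

MH_MAGIC = 0xFEEDFACE   # 32-bit Mach-O in host byte order
LC_SEGMENT = 0x1
LC_UUID = 0x1B

def parse_macho_headers(blob):
    """Walk a 32-bit mach_header and its load commands.  Returns the header
    fields plus a list of (segname, vmaddr, vmsize) and the LC_UUID string."""
    magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = \
        struct.unpack_from("<7I", blob, 0)
    if magic != MH_MAGIC:
        raise ValueError("unexpected magic 0x%08x" % magic)
    if 28 + sizeofcmds > len(blob):
        raise ValueError("load commands run past the end of the blob")
    info = {"cputype": cputype, "cpusubtype": cpusubtype, "filetype": filetype,
            "segments": [], "uuid": None}
    off = 28
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > 28 + sizeofcmds:
            raise ValueError("bad load command size at offset %d" % off)
        if cmd == LC_SEGMENT:
            # segment_command: cmd, cmdsize, segname[16], vmaddr, vmsize, ...
            segname, vmaddr, vmsize = struct.unpack_from("<16sII", blob, off + 8)
            info["segments"].append((segname.rstrip(b"\0").decode("ascii"), vmaddr, vmsize))
        elif cmd == LC_UUID:
            # uuid_command: cmd, cmdsize, uuid[16]
            info["uuid"] = str(uuid.UUID(bytes=blob[off + 8:off + 24]))
        off += cmdsize
    return info

def bundle_header_info(headers_b64):
    """Decode the plist's base64 blob (whitespace is ignored) and parse it."""
    return parse_macho_headers(base64.b64decode(headers_b64))

def disclosed_text_address(headers_b64):
    """vmaddr of __TEXT as stored in the header that was handed to user space."""
    for name, vmaddr, _ in bundle_header_info(headers_b64)["segments"]:
        if name == "__TEXT":
            return vmaddr
    return None

def header_consistent_with_plist(headers_b64, load_address, load_size, uuid_b64):
    """Audit check: the segments in the header span exactly the range the plist
    reports as loaded, and the embedded LC_UUID equals OSBundleUUID."""
    info = bundle_header_info(headers_b64)
    lo = min(vmaddr for _, vmaddr, _ in info["segments"])
    hi = max(vmaddr + vmsize for _, vmaddr, vmsize in info["segments"])
    expected_uuid = str(uuid.UUID(bytes=base64.b64decode(uuid_b64)))
    return lo == load_address and hi - lo == load_size and info["uuid"] == expected_uuid
```

For this kext the header decodes to a __TEXT segment at 0x805f6000 of size 0x8000 and a __DATA segment at 0x805fe000 of size 0x1000, which together are the 0x9000 bytes the plist reports as OSBundleLoadSize starting at OSBundleLoadAddress; the cpusubtype 9 and MH_KEXT_BUNDLE file type (11) match the plist as well.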

External Links

Article by Stefan Esser about exploiting the kernel

Basic Source code of jkextstat from the OSX/iOS internals book.
