Difference between revisions of "Kernel"

Revision as of 19:49, 20 July 2015

The kernel of iOS is the XNU kernel. To learn about what "kernel" means in general, see the Wikipedia article.

Pre-2.0, it was vulnerable to the Ramdisk Hack and may still be, but iBoot doesn't allow boot-args to be passed anymore. It is mapped to memory at 0x80000000, forcing a 2/2GB address separation, similar to Windows 32-bit model. On older iOS versions the separation was 3/1 (mapping the kernel at 0xC0000000), closer to the Linux model.

Note, that this is NOT like 32-bit OS X, wherein the kernel resides in its own address space, but more like OS X 64-bit, wherein CR3 is shared (albeit an address space larger by several orders of magnitude). See the appropriate section.

ASLR

Main article: Kernel ASLR

As of iOS 6, the kernel is subject to ASLR, much akin to Mountain Lion (OS X 10.8). This make exploitation harder as the location of kernel code cannot be known.

On production and development devices, the kernel is always stored as a statically linked cache stored at /System/Library/Caches/com.apple.kernelcaches/kernelcache that is decompressed and run on startup.

Stack

The kernel maintains thread specific stacks by calling kernel_memory_allocate, this allocates stacks in the specified kalloc zone. The bootstrap thread has its own specific static kernel stack, which is specified by _intstack. IRQ and FIQ handlers will also have their own execution stack which is specified by _irqstack.

Boot-Args

Like its OS X counterpart, iOS's XNU accepts command line arguments (though the actual passing of arguments is done by iBoot, which as of late refuses to do so). Arguments may be directed at the kernel proper, or any one of the many KExts (discussed below). The arguments of the kernel are largely the same as those of OS X.

Kexts use boot-args as well, as can be seen when disassembly by calls to PE_parse_boot_argn (usually exported, _PE_parse_boot_argn 8027A8EC on the iOS 6.1.3 kernel, discovered by Haifisch). Finding references (using IDA) reveals hundreds places in the code wherein arguments are parsed in modules, pertaining to Flash, HDMI, and AMFI.

The list of boot-args can be extracted from any kernel dump once the address of _PE_parse_boot_argn is determined (which is usually automatically). A list from iOS 8.4 is shown below:

# perform a full disassembly, isolate decompiled lines (^;) with PE_parse.. and isolate string between quotes, sorted uniquely:
# morpheus@Zephyr (~)$ jtool -d __TEXT.__text kernel.8.4.dump | grep PE_parse |grep '^; '| cut -d\" -f2 | cut -d\" -f1 | sort -u
-b
-disable_atm
-factory_debug
-l
-multiq-deep-drain
-no-zp
-no64exec
-novfscache
-oldmezname
-panic_on_exception_triage
-progress
-qos-policy-allow
-s
-vm16k
-vnode_cache_defeat
-x
-zc
-zinfop
-zp
aks_default_class
assert
bg_preempt
boot-uuid
colors
cpumon_ustackshots_trigger_pct
darkwake
dart
dcc
debug
diag
disable_exc_resource
fill
hwm_user_cores
ifa_debug
ifnet_debug
imp_interactive_receiver 
inaddr_nhash
initmcl
interrupt_accounting
io
io_throttle_period_tier1
io_throttle_period_tier2
io_throttle_period_tier3
io_throttle_window_tier1
io_throttle_window_tier2
io_throttle_window_tier3
iosched
iotrace
jcon
jtag
keepsyms
kernel_stack_pages
kextlog
kmapoff
lcks
lo_txstart
longterm
max_cpumon_interval
max_cpumon_percentage
max_task_pmem
maxmem
maxoffset
mbuf_debug
mbuf_pool
mcache_flags
mleak_sample_factor
mseg
msgbuf
mtxspin
multiq_drain_band_limit
multiq_drain_depth_limit
multiq_drain_urgent_first
nbuf
ncl
net.inet.ip.scopedroute
net.inet6.ip6.scopedroute
net_affinity
net_rtref
net_rxpoll
network-type
panic_on_cs_killed
preempt
qos_override_mode
rd
rootdev
rte_debug
sched
sched_decay_penalty
sched_decay_usage_age_factor
sched_pri_decay_limit
sched_use_combined_fgbg_decay
serial
serverperfmode
slto_us
socket_debug
task_policy_suppression_disable
task_wakeups_monitor_interval
task_wakeups_monitor_rate
task_wakeups_monitor_ustackshots_trigger_pct
tbi
trace
trace_panic
trace_typefilter
trace_wake
unrestrict_coalition_syscalls
vm_compression_limit
vm_compressor
vm_compressor_immediate
vm_compressor_threads
wfi
wqsize 
zalloc_debug
zlog
zp-factor
zp-scale
zrecs
zsize

Versions

In the beginning iOS had consistently maintained a fairly higher kernel version than the corresponding version of OS X, but over time iOS and OS X "moved nearer" together. Now at the time of writing, OS X Yosemite's XNU is 2782, whereas iOS 8.4 is 2784. This is not surprising, considering that iOS introduced novel features (such as Kernel ASLR, the default freezer, and various security hardening features) which are first incorporated in it, and later made it to OS X. It seems that Apple is planning to gradually unite iOS and OS X kernels over time and with iOS 8 and OS X Yosemite the at least the version numbers are nearer to each other then ever before. The following demonstrates the OS versions at present (via terminal uname -a command):

OS X Yosemite 10.10.4:

Darwin Kernel Version 14.4.0: Thu May 28 11:35:04 PDT 2015; root:xnu-2782.30.5~1/RELEASE_X86_64

iOS 8.4:

Darwin Kernel Version 14.0.0: Wed Jun 24 00:50:15 PDT 2015; root:xnu-2784.30.7~30/RELEASE_ARM64_S5L8960X

Note: The RELEASE_ARM_xxxxxxxx file obviously differs on device / CPU and the time varies by a few minutes per device.

Version List

The compilation date for each version will vary slightly between processors. This is due to the fact that compilations are sequential.

Version	Build	Comment
1A420	Darwin Kernel Version 4.4.2-Purple-19: Thu Mar 8 01:43:04 PST 2007; root:xnu-933.0.14~46/RELEASE_ARM_S5L8900XRB	from prototype - not sure if version is 100% correct.
1.0	Darwin Kernel Version 9.0.0d1: Tue May 22 21:15:54 PDT 2007; root:xnu-933.0.178/RELEASE_ARM_S5L8900XRB	Not sure if version is 100% correct.
1.0.1	Darwin Kernel Version 9.0.0d1: Fri Jun 22 00:38:56 PDT 2007; root:xnu-933.1.178~1/RELEASE_ARM_S5L8900XRB
1.0.2
1.1.1	Darwin Kernel Version 9.0.0d1: Wed Sep 19 00:08:42 PDT 2007; root:xnu-933.0.203~21/RELEASE_ARM_S5L8900XRB	First kernel that was 8900 encrypted - not sure if version is 100% correct.
1.1.2	Darwin Kernel Version 9.0.0d1: Wed Oct 10 00:07:49 PDT 2007; root:xnu-933.0.204~7/RELEASE_ARM_S5L8900XRB	Not sure if version is 100% correct.
1.1.3	Darwin Kernel Version 9.0.0d1: Wed Dec 12 00:16:00 PST 2007; root:xnu-933.0.211~2/RELEASE_ARM_S5L8900XRB
1.1.4
1.1.5		iPod touch only
2.0	Darwin Kernel Version 9.3.1: Sun Jun 15 21:37:01 PDT 2008; root:xnu-1228.6.76~45/RELEASE_ARM_S5L8900X
2.0.1
2.0.2
2.1	Darwin Kernel Version 9.4.1: Sun Aug 10 21:25:25 PDT 2008; root:xnu-1228.7.27~12/RELEASE_ARM_S5L8720X
2.1.1
2.2	Darwin Kernel Version 9.4.1: Sat Nov 1 19:13:13 PDT 2008; root:xnu-1228.7.36~2/RELEASE_ARM_S5L8720X
2.2.1	Darwin Kernel Version 9.4.1: Mon Dec 8 21:02:57 PST 2008; root:xnu-1228.7.37~4/RELEASE_ARM_S5L8720X
3.0	Darwin Kernel Version 10.0.0d3: Wed May 13 22:16:49 PDT 2009; root:xnu-1357.2.89~4/RELEASE_ARM_S5L8920X
3.0.1
3.1	Darwin Kernel Version 10.0.0d3: Fri Aug 14 13:23:32 PDT 2009; root:xnu-1357.5.30~2/RELEASE_ARM_S5L8920X
3.1.2	Darwin Kernel Version 10.0.0d3: Fri Sep 25 23:35:35 PDT 2009; root:xnu-1357.5.30~3/RELEASE_ARM_S5L8920X
3.1.3	Darwin Kernel Version 10.0.0d3: Fri Dec 18 01:34:28 PST 2009; root:xnu-1357.5.30~6/RELEASE_ARM_S5L8920X
3.2	Darwin Kernel Version 10.3.1: Mon Mar 15 23:15:33 PDT 2010; root:xnu-1504.2.27~18/RELEASE_ARM_S5L8930X	iPad Only
3.2.1	Darwin Kernel Version 10.3.1: Fri May 28 16:46:17 PDT 2010; root:xnu-1504.2.50~4/RELEASE_ARM_S5L8930X
3.2.2	Darwin Kernel Version 10.3.1: Wed Aug 4 19:08:04 PDT 2010; root:xnu-1504.2.60~1/RELEASE_ARM_S5L8930X
4.0	Darwin Kernel Version 10.3.1: Wed May 26 22:28:33 PDT 2010; root:xnu-1504.50.73~2/RELEASE_ARM_S5L8930X
4.0.1
4.0.2	Darwin Kernel Version 10.3.1: Wed Aug 4 18:46:06 PDT 2010; root:xnu-1504.50.80~1/RELEASE_ARM_S5L8930X
4.1	Darwin Kernel Version 10.3.1: Wed Aug 4 22:35:51 PDT 2010; root:xnu-1504.55.33~10/RELEASE_ARM_S5L8930X
4.2.1	Darwin Kernel Version 10.4.0: Wed Oct 20 20:14:45 PDT 2010; root:xnu-1504.58.28~3/RELEASE_ARM_S5L8930X
4.3	Darwin Kernel Version 11.0.0: Thu Feb 10 21:46:56 PST 2011; root:xnu-1735.46~2/RELEASE_ARM_S5L8930X
4.3.1
4.3.2	Darwin Kernel Version 11.0.0: Wed Mar 30 18:51:10 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_S5L8930X
4.3.3
4.3.4	Darwin Kernel Version 11.0.0: Sat Jul 9 00:59:43 PDT 2011; root:xnu-1735.47~1/RELEASE_ARM_S5L8930X
4.3.5
5.0b5	Darwin Kernel Version 11.0.0: Tue Aug 2 22:31:30 PDT 2011; root:xnu-1878.4.80~1/RELEASE_ARM_S5L8930X
5.0	Darwin Kernel Version 11.0.0: Thu Sep 15 23:34:43 PDT 2011; root:xnu-1878.4.43~2/RELEASE_ARM_S5L8940X
5.0.1b	Darwin Kernel Version 11.0.0: Wed Oct 19 19:05:07 PDT 2011; root:xnu-1878.4.45~1/RELEASE_ARM_S5L8930X
5.0.1b2	Darwin Kernel Version 11.0.0: Tue Nov 1 20:34:16 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8940X
5.0.1
5.1b	Darwin Kernel Version 11.0.0: Sun Nov 13 19:10:13 PST 2011; root:xnu-1878.10.61~7/RELEASE_ARM_S5L8930X
5.1b2	Darwin Kernel Version 11.0.0: Sun Dec 4 18:57:33 PST 2011; root:xnu-1878.10.68~2/RELEASE_ARM_S5L8930X
5.1b3	Darwin Kernel Version 11.0.0: Mon Jan 2 18:46:01 PST 2012; root:xnu-1878.10.74~3/RELEASE_ARM_S5L8930X
5.1	Darwin Kernel Version 11.0.0: Wed Feb 1 23:18:07 PST 2012; root:xnu-1878.11.8~1/RELEASE_ARM_S5L8945X
5.1.1	Darwin Kernel Version 11.0.0: Sun Apr 8 21:51:26 PDT 2012; root:xnu-1878.11.10~1/RELEASE_ARM_S5L8930X
6.0b	Darwin Kernel Version 13.0.0: Wed May 30 19:23:03 PDT 2012; root:xnu-2107.1.78~18/RELEASE_ARM_S5L8930X
6.0b2	Darwin Kernel Version 13.0.0: Sun Jun 17 19:47:47 PDT 2012; root:xnu-2107.1.61~3/RELEASE_ARM_S5L8930X
6.0b3	Darwin Kernel Version 13.0.0: Sun Jul 8 20:15:17 PDT 2012; root:xnu-2107.2.9~3/RELEASE_ARM_S5L8930X
6.0b4	Darwin Kernel Version 13.0.0: Sun Jul 29 20:15:28 PDT 2012; root:xnu-2107.2.26~4/RELEASE_ARM_S5L8930X
6.0	Darwin Kernel Version 13.0.0: Sun Aug 19 00:31:06 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_S5L8950X
6.0.1	Darwin Kernel Version 13.0.0: Wed Oct 10 23:32:19 PDT 2012; root:xnu-2107.2.34~2/RELEASE_ARM_S5L8950X
6.0.2		iPhone 5 only.
6.1b	Darwin Kernel Version 13.0.0: Sun Oct 21 19:28:43 PDT 2012; root:xnu-2107.7.51~17/RELEASE_ARM_S5L8930X
6.1b2	Darwin Kernel Version 13.0.0: Sun Nov 4 19:02:54 PST 2012; root:xnu-2107.7.53~2/RELEASE_ARM_S5L8930X
6.1b3	Darwin Kernel Version 13.0.0: Mon Nov 26 21:17:13 PST 2012; root:xnu-2107.7.53~27/RELEASE_ARM_S5L8930X
6.1b4	Darwin Kernel Version 13.0.0: Sun Dec 9 19:22:45 PST 2012; root:xnu-2107.7.55~6/RELEASE_ARM_S5L8930X
6.1b5	Darwin Kernel Version 13.0.0: Sun Dec 16 20:01:39 PST 2012; root:xnu-2107.7.55~11/RELEASE_ARM_S5L8950X
6.1
6.1.1b
6.1.1		iPhone 4S only
6.1.2
6.1.3b2	Darwin Kernel Version 13.0.0: Wed Feb 13 21:35:42 PST 2013; root:xnu-2107.7.55.2.2~1/RELEASE_ARM_S5L8920X
6.1.3
6.1.4		iPhone 5 only.
6.1.5		iPod touch 4 only.
6.1.6		iPod touch 4 and iPhone 3GS only.
7.0b	Darwin Kernel Version 14.0.0: Wed May 29 23:53:59 PDT 2013; root:xnu-2423.1.1.1.2~1/RELEASE_ARM_S5L8930X
7.0b2	Darwin Kernel Version 14.0.0: Mon Jun 17 00:51:51 PDT 2013; root:xnu-2423.1.28~7/RELEASE_ARM_S5L8930X
7.0b3	Darwin Kernel Version 14.0.0: Mon Jul 1 04:25:28 PDT 2013; root:xnu-2423.1.40~11/RELEASE_ARM_S5L8930X
7.0b4	Darwin Kernel Version 14.0.0: Mon Jul 22 02:12:11 PDT 2013; root:xnu-2423.1.55~8/RELEASE_ARM_S5L8930X
7.0b5	Darwin Kernel Version 14.0.0: Sun Aug 4 22:40:14 PDT 2013; root:xnu-2423.1.70~6/RELEASE_ARM_S5L8930X
7.0b6
7.0GM	Darwin Kernel Version 14.0.0: Tue Aug 13 21:39:05 PDT 2013; root:xnu-2423.1.73~3/RELEASE_ARM_S5L8930X
7.0
7.0.1	Darwin Kernel Version 14.0.0: Mon Sep 9 20:56:02 PDT 2013; root:xnu-2423.1.74~2/RELEASE_ARM64_S5L8960X	iPhone 5c and 5s only
7.0.2
7.0.3	Darwin Kernel Version 14.0.0: Fri Sep 27 23:08:32 PDT 2013; root:xnu-2423.3.12~1/RELEASE_ARM64_S5L8960X
7.0.4
7.0.5		iPhone 5c (iPhone5,4) and iPhone 5s (iPhone6,2) only.
7.0.6
7.1b	Darwin Kernel Version 14.0.0: Mon Nov 11 04:18:01 PST 2013; root:xnu-2423.10.33~9/RELEASE_ARM_S5L8930X
7.1b2	Darwin Kernel Version 14.0.0: Tue Dec 10 21:25:34 PST 2013; root:xnu-2423.10.38.1.1~1/RELEASE_ARM_S5L8930X
7.1b3	Darwin Kernel Version 14.0.0: Thu Jan 2 01:55:45 PST 2014; root:xnu-2423.10.45~5/RELEASE_ARM_S5L8930X
7.1b4	Darwin Kernel Version 14.0.0: Mon Jan 13 03:33:00 PST 2014; root:xnu-2423.10.49.0.1~3/RELEASE_ARM_S5L8930X
7.1b5	Darwin Kernel Version 14.0.0: Mon Jan 27 23:55:13 PST 2014; root:xnu-2423.10.58~2/RELEASE_ARM_S5L8930X
7.1	Darwin Kernel Version 14.0.0: Fri Feb 21 19:41:10 PST 2014; root:xnu-2423.10.67~1/RELEASE_ARM_S5L8930X
7.1.1	Darwin Kernel Version 14.0.0: Fri Mar 28 21:22:10 PDT 2014; root:xnu-2423.10.70~1/RELEASE_ARM_S5L8930X
7.1.2	Darwin Kernel Version 14.0.0: Thu May 15 23:17:54 PDT 2014; root:xnu-2423.10.71~1/RELEASE_ARM64_S5L8960X
8.0b	Darwin Kernel Version 14.0.0: Mon May 26 22:09:06 PDT 2014; root:xnu-2729.0.0.0.9~2/RELEASE_ARM_S5L8942X
8.0b2	Darwin Kernel Version 14.0.0: Sat Jun 14 16:36:40 PDT 2014; root:xnu-2775.0.0.1.1~3/RELEASE_ARM64_S5L8960X
8.0b3	Darwin Kernel Version 14.0.0: Wed Jul 2 18:51:34 PDT 2014; root:xnu-2783.1.21~19/RELEASE_ARM_S5L8950X
8.0b4	Darwin Kernel Version 14.0.0: Wed Jul 16 21:55:26 PDT 2014; root:xnu-2783.1.40.0.3~2/RELEASE_ARM_S5L8950X
8.0b5	Darwin Kernel Version 14.0.0: Wed Jul 30 23:04:17 PDT 2014; root:xnu-2783.1.62~20/RELEASE_ARM_S5L8950X
8.0GM	Darwin Kernel Version 14.0.0: Tue Aug 19 15:09:47 PDT 2014; root:xnu-2783.1.72~8/RELEASE_ARM64_S5L8960X
8.0
8.0.1	Darwin Kernel Version 14.0.0: Thu Sep 18 21:52:21 PDT 2014; root:xnu-2783.1.72~23/RELEASE_ARM_S5L8950X
8.0.2
8.1b	Darwin Kernel Version 14.0.0: Sat Sep 27 18:49:49 PDT 2014; root:xnu-2783.3.12~18/RELEASE_ARM_S5L8950X
8.1b2	Darwin Kernel Version 14.0.0: Fri Oct 3 21:52:09 PDT 2014; root:xnu-2783.3.13~2/RELEASE_ARM_S5L8950X
8.1	Darwin Kernel Version 14.0.0: Fri Oct 7 00:04:37 PDT 2014; root:xnu-2783.3.13~4/RELEASE_ARM_S5L8950X
8.1.1b	Darwin Kernel Version 14.0.0: Sun Nov 2 20:21:29 PDT 2014; root:xnu-2783.3.21~1/RELEASE_ARM_S5L8950X
8.1.1	Darwin Kernel Version 14.0.0: Mon Nov 3 22:54:30 PDT 2014; root:xnu-2783.3.22~1/RELEASE_ARM_S5L8950X
8.1.2
8.1.3	Darwin Kernel Version 14.0.0: Mon Jan 2 21:29:20 PST 2015; root:xnu-2783.3.26~3/RELEASE_ARM_S5L8950X
8.2b3	Darwin Kernel Version 14.0.0: Sun Dec 14 20:59:15 PST 2014; root:xnu-2783.5.29.0.1~1/RELEASE_ARM_S5L8940X
8.2b4	Darwin Kernel Version 14.0.0: Tue Jan 6 21:02:10 PST 2015; root:xnu-2783.5.32~9/RELEASE_ARM_S5L8940X
8.2b5	Darwin Kernel Version 14.0.0: Mon Jan 26 22:16:17 PST 2015; root:xnu-2783.5.37~11/RELEASE_ARM_S5L8940X
8.2	Darwin Kernel Version 14.0.0: Mon Feb 9 22:07:57 PST 2015; root:xnu-2783.5.38~5/RELEASE_ARM_S5L8950X
8.3b3	Darwin Kernel Version 14.0.0: Mon Mar 4 20:55:58 PST 2015; root:xnu-2784.20.25~26/RELEASE_ARM64_S5L8960X
8.3b4	Darwin Kernel Version 14.0.0: Thu Mar 19 00:16:36 PST 2015; root:xnu-2784.20.31~1/RELEASE_ARM64_S5L8960X
8.3	Darwin Kernel Version 14.0.0: Sun Mar 29 19:44:04 PDT 2015; root:xnu-2784.20.34~2/RELEASE_ARM_S5L8950X
8.4b	Darwin Kernel Version 14.0.0: Wed Apr 8 21:26:37 PDT 2015; root:xnu-2784.30.1~29/RELEASE_ARM64_T7000X
8.4b2	Darwin Kernel Version 14.0.0: Wed Apr 21 21:49:05 PDT 2015; root:xnu-2784.30.2~9/RELEASE_ARM64_S5L8960X
8.4b3	Darwin Kernel Version 14.0.0: Tue May 5 23:09:22 PDT 2015; root:xnu-2784.30.5~7/RELEASE_ARM64_S5L8960X
8.4b4	Darwin Kernel Version 14.0.0: Tue Wed 3 23:19:49 PDT 2015; root:xnu-2784.30.7~13/RELEASE_ARM64_S5L8960X
8.4	Darwin Kernel Version 14.0.0: Wed Jun 24 00:50:15 PDT 2015; root:xnu-2784.30.7~30/RELEASE_ARM64_S5L8960X
9.0b	Darwin Kernel Version 15.0.0: Fri May 29 22:14:48 PDT 2015; root:xnu-3216.0.0.1.15~2/RELEASE_ARM64_S5L8960X
9.0b2	Darwin Kernel Version 15.0.0: Mon Jun 15 21:51:54 PDT 2015; root:xnu-3247.1.6.1.1~2/RELEASE_ARM64_S5L8960X

Source Code

As XNU is based off of the BSD kernel, it is open source. The source is under a 3-clause BSD License for the original BSD portions with the portions added by Apple under the Apple Public Source License. The versions contained in iOS are not available, instead only versions used in OS X are available. This does not appear to be legal as per §2.3 in the APSL:

2.3     Distribution of Executable Versions.  In addition, if You Externally Deploy Covered
Code (Original Code and/or Modifications) in object code, executable form only, You must
include a prominent notice, in the code itself as well as in related documentation, stating
that Source Code of the Covered Code is available under the terms of this License with
information on how and where to obtain such Source Code.

with Source Code defined in §1.8:

1.8     "Source Code" means the human readable form of a program or other work that is
suitable for making modifications to it, including all modules it contains, plus any
associated interface definition files, scripts used to control compilation and installation
of an executable (object code).

It is worth noting that Apple does not list XNU as being an open source component of iOS. This can be seen by viewing opensource.apple.com and selecting any iOS version. As far as can be told, none of the versions of XNU are available in source version.

There are many other open souce components that iOS uses that are not listed, such as:

CF (CoreFoundation - Cocoa)
SQLite (SQLite - database utility)
TimeZoneData (tz database - /usr/share/zoneinfo)
curl(?) (libcurl - various HTTP operations)
hfs (hfs - HFS driver)
launchd (launchd - launch daemon)
libxml2(?) (libxml2 - parser for XML plists)
xnu (XNU - Kernel)
zip (zip - extraction of various files)

It does not appear that Apple assumes what you see in the OS X pages are also on iOS as JavaScriptCore, WebCore, among others are listed on both OS X (10.8) and iOS (6.0), albeit different versions.

It is also worth noting that gdb (GCC debugger) and ld64 are listed as components in iOS 6.0. Why there are present is a mystery as they are not present on unaltered devices, but only through Cydia or Xcode's DeveloperImage.dmg.

Kernel Extensions

iOS, sadly, does not have kexts floating around the file system, but they are indeed present. The kernelcache can be unpacked to show the kernel proper, along with the kexts (all packed in the __PRELINK_TEXT section) and their plists (in the __PRELINK_INFO section).

The Cydia supplied kextstat does not work on iOS. Sadly, the reason is that kextstat relies on kmod_get_info(...), which is a deprecated (and recently removed) API in recent iOS and OS X versions. With that said, the kexts do exist. The alternative, jkextstat, does work on recent iOS versions. jkextstat can cause some confusion as it uses the executable name kextstat, similar to how calling g++ just launches gcc but with parameters to treat all .c files as C++ files.

The following is the output from jkextstat on an iPod touch 4G running iOS 6(?):

Podicum:~ root# ./kextstat 
  0 __kernel__ 
  1 kpi.bsd 
  2 kpi.dsep 
  3 kpi.iokit 
  4 kpi.libkern 
  5 kpi.mach 
  6 kpi.private 
  7 kpi.unsupported 
  8 driver.AppleARMPlatform <1 3 4 5 6 7>
  9 iokit.IOStorageFamily <1 3 4 5 6 7>
 10 driver.DiskImages <1 3 4 5 6 7 9>
 11 driver.FairPlayIOKit <1 3 4 5 6 7>
 12 driver.IOSlaveProcessor <3 4>
 13 driver.IOP_s5l8930x_firmware <3 4 12>
 14 iokit.AppleProfileFamily <1 3 4 5 6 7>
 15 iokit.IOCryptoAcceleratorFamily <1 3 4 5 7>
 16 driver.AppleMobileFileIntegrity <1 2 3 4 5 6 7 15>
 17 iokit.IONetworkingFamily <1 3 4 5 6 7>
 18 iokit.IOUserEthernet <1 3 4 5 6 16 17>
 19 platform.AppleKernelStorage <3 4 7>
 20 iokit.IOSurface <1 3 4 5 6 7 8>
 21 iokit.IOStreamFamily <3 4 5>
 22 iokit.IOAudio2Family <1 3 4 5 21>
 23 driver.AppleAC3Passthrough <1 3 4 5 7 8 11 21 22>
 24 iokit.EncryptedBlockStorage <1 3 4 5 9 15>
 25 iokit.IOFlashStorage <1 3 4 5 7 9 24>
 26 driver.AppleEffaceableStorage <1 3 4 5 7 8 25>
 27 driver.AppleKeyStore <1 3 4 5 6 7 15 16 26>
 28 kext.AppleMatch <1 4>
 29 security.sandbox <1 2 3 4 5 6 7 16 28>
 30 driver.AppleS5L8930X <1 3 4 5 7 8>
 31 iokit.IOHIDFamily <1 3 4 5 6 7 16>
 32 driver.AppleM68Buttons <1 3 4 5 7 8 31>
 33 iokit.IOUSBDeviceFamily <1 3 4 5>
 34 iokit.IOSerialFamily <1 3 4 5 6 7>
 35 driver.AppleOnboardSerial <1 3 4 5 7 34>
 36 iokit.IOAccessoryManager <3 4 5 7 8 33 34 35>
 37 driver.AppleProfileTimestampAction <1 3 4 5 14>
 38 driver.AppleProfileThreadInfoAction <1 3 4 6 14>
 39 driver.AppleProfileKEventAction <1 3 4 14>
 40 driver.AppleProfileRegisterStateAction <1 3 4 14>
 41 driver.AppleProfileCallstackAction <1 3 4 5 6 14>
 42 driver.AppleProfileReadCounterAction <3 4 6 14>
 43 driver.AppleARMPL192VIC <3 4 5 7 8>
 44 driver.AppleCDMA <1 3 4 5 7 8 15>
 45 driver.IODARTFamily <3 4 5>
 46 driver.AppleS5L8930XDART <1 3 4 5 7 8 45>
 47 iokit.IOSDIOFamily <1 3 4 5 7>
 48 driver.AppleIOPSDIO <1 3 4 5 7 8 12 47>
 49 driver.AppleIOPFMI <1 3 4 5 7 8 12 25>
 50 driver.AppleSamsungSPI <1 3 4 5 7 8>
 51 driver.AppleSamsungSerial <1 3 4 5 7 8 34 35>
 52 driver.AppleSamsungPKE <3 4 5 7 8 15>
 53 driver.AppleS5L8920X <1 3 4 5 7 8>
 54 driver.AppleSamsungI2S <1 3 4 5 7 8>
 55 driver.AppleEmbeddedUSB <1 3 4 5 7 8>
 56 driver.AppleS5L8930XUSBPhy <1 3 4 5 7 8 55>
 57 iokit.IOUSBFamily <1 3 4 5 7>
 58 driver.AppleUSBEHCI <1 3 4 5 7 57>
 59 driver.AppleUSBComposite <1 3 4 57>
 60 driver.AppleEmbeddedUSBHost <1 3 4 5 7 55 57 59>
 61 driver.AppleUSBOHCI <1 3 4 5 57>
 62 driver.AppleUSBOHCIARM <3 4 5 8 55 57 60 61>
 63 driver.AppleUSBHub <1 3 4 5 57>
 64 driver.AppleUSBEHCIARM <3 4 5 8 55 57 58 60 63>
 65 driver.AppleS5L8930XUSB <1 3 4 5 7 8 55 57 58 60 61 62 64>
 66 driver.AppleARM7M <3 4 8 12>
 67 driver.EmbeddedIOP <3 4 5 12>
 68 driver.AppleVXD375 <1 3 4 5 7 8 11>
 69 driver.AppleD1815PMU <1 3 4 5 7 8 31>
 70 iokit.AppleARMIISAudio <1 3 4 5 7 22>
 71 driver.AppleEmbeddedAudio <1 3 4 5 7 8 22 31 70>
 72 driver.AppleCS42L59Audio <3 4 5 8 22 31 70 71>
 73 driver.AppleEmbeddedAccelerometer <3 4 5 7 8 31>
 74 driver.AppleEmbeddedGyro <1 3 4 5 7 8 31>
 75 driver.AppleEmbeddedLightSensor <3 4 5 7 8 31>
 76 iokit.IOAcceleratorFamily <1 3 4 5 7 8>
 77 IMGSGX535 <1 3 4 5 7 8 76>
 78 driver.H2H264VideoEncoderDriver <1 3 4 5 7 8>
 79 driver.AppleJPEGDriver <1 3 4 5 7 8>
 80 driver.AppleH3CameraInterface <1 3 4 5 7 8>
 81 driver.AppleM2ScalerCSCDriver <1 3 4 5 7 8 45>
 82 iokit.IOMobileGraphicsFamily <1 3 4 5 7 8>
 83 driver.AppleDisplayPipe <1 3 4 5 7 8 82>
 84 driver.AppleCLCD <1 3 4 5 7 8 82 83>
 85 driver.AppleSamsungMIPIDSI <1 3 4 5 7 8>
 86 driver.ApplePinotLCD <1 3 4 5 7 8>
 87 driver.AppleSamsungSWI <1 3 4 5 7 8>
 88 iokit.IODisplayPortFamily <1 3 4 5 6 7 22>
 89 driver.AppleRGBOUT <1 3 4 5 7 8 82 83 88>
 90 driver.AppleTVOut <1 3 4 5 7 8>
 91 driver.AppleAMC_r2 <1 3 4 5 7 8 11 21 22>
 92 driver.AppleSamsungDPTX <3 4 5 7 8 88>
 93 driver.AppleSynopsysOTGDevice <1 3 4 5 7 8 33 55>
 94 driver.AppleNANDFTL <1 3 4 5 7 9 25>
 95 driver.AppleNANDLegacyFTL <1 3 4 5 9 25 94>
 96 AppleFSCompression.AppleFSCompressionTypeZlib <1 2 3 4 6>
 97 IOTextEncryptionFamily <1 3 4 5 7 11>
 98 driver.AppleBSDKextStarter <3 4>
 99 nke.ppp <1 3 4 5 6 7>
100 nke.l2tp <1 3 4 5 6 7 99>
101 nke.pptp <1 3 4 5 6 7 99>
102 iokit.IO80211Family <1 3 4 5 6 7 17>
103 driver.AppleBCMWLANCore <1 3 4 5 6 7 8 17 102>
104 driver.AppleBCMWLANBusInterfaceSDIO <1 3 4 5 6 7 8 47 103>
105 driver.AppleDiagnosticDataAccessReadOnly <1 3 4 5 7 8 94>
106 driver.LightweightVolumeManager <1 3 4 5 9 15 24 26>
107 driver.IOFlashNVRAM <1 3 4 5 6 7 25>
108 driver.AppleNANDFirmware <1 3 4 5 25>
109 driver.AppleImage3NORAccess <1 3 4 5 7 8 15 108>
110 driver.AppleBluetooth <1 3 4 5 7 8>
111 driver.AppleMultitouchSPI <1 3 4 5 7 8>
112 driver.AppleUSBMike <1 3 4 5 8 22 33>
113 driver.AppleUSBDeviceMux <1 3 4 5 6 7 33>
114 driver.AppleUSBEthernetDevice <1 3 4 5 6 8 17 33>

For a specific extension, e.g. SandBox, the full information (including the handy load address) is also accessible:

root# ./jkextstat -b sandbox -x:

<plist>
<dict>
        <key>CFBundleIdentifier</key>
        <string>com.apple.security.sandbox</string>
        <key>CFBundleVersion</key>
        <string>154.7</string>
        <key>OSBundleCPUSubtype</key>
        <integer>9</integer>
        <key>OSBundleCPUType</key>
        <integer>12</integer>
        <key>OSBundleDependencies</key>
        <array>
                <integer>6</integer>
                <integer>7</integer>
                <integer>5</integer>
                <integer>3</integer>
                <integer>28</integer>
                <integer>1</integer>
                <integer>4</integer>
                <integer>16</integer>
                <integer>2</integer>
        </array>
        <key>OSBundleExecutablePath</key>
        <string>/System/Library/Extensions/Sandbox.kext/Sandbox</string>
        <key>OSBundleIsInterface</key>
        <false/>
        <key>OSBundleLoadAddress</key>
        <integer>2153734144</integer>
        <key>OSBundleLoadSize</key>
        <integer>36864</integer>
        <key>OSBundleLoadTag</key>
        <integer>29</integer>
        <key>OSBundleMachOHeaders</key>
        
        zvrt/gwAAAAJAAAACwAAAAMAAAAgAgAAAQAAAAEAAAAEAQAAX19URVhUAAAAAAAAAAAA
        AABgX4AAgAAAAAAAAACAAAAHAAAABwAAAAMAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9f
        VEVYVAAAAAAAAAAAAADMbV+AKGEAAMwNAAACAAAAAAAAAAAAAAAABwCAAAAAAAAAAABf
        X2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAPTOX4DLDQAA9G4AAAAAAAAAAAAA
        AAAAAAIAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwNxf
        gDEDAADAfAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQBAABfX0RBVEEAAAAA
        AAAAAAAAAOBfgAAQAAAAgAAAABAAAAcAAAAHAAAAAwAAAAAAAABfX2RhdGEAAAAAAAAA
        AAAAX19EQVRBAAAAAAAAAAAAAADgX4C0BgAAAIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAF9fYnNzAAAAAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAwOZfgHgAAAAAAAAABAAA
        AAAAAAAAAAAAAQAAAAAAAAAAAAAAX19jb21tb24AAAAAAAAAAF9fREFUQQAAAAAAAAAA
        AAA451+AGAAAAAAAAAACAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAbAAAAGAAAABasg7Y2
        TzkVrtqsgOViBQ0=
        
        <key>OSBundlePath</key>
        <string>/System/Library/Extensions/Sandbox.kext</string>
        <key>OSBundlePrelinked</key>
        <true/>
        <key>OSBundleRetainCount</key>
        <integer>0</integer>
        <key>OSBundleStarted</key>
        <true/>
        <key>OSBundleUUID</key>
        
        FqyDtjZPORWu2qyA5WIFDQ==
        
        <key>OSBundleWiredSize</key>
        <integer>36864</integer>
        <key>OSKernelResource</key>
        <false/>
</dict>
</plist>

It's also worth mentioning that, in the above listing, the OSBundleMachOHeaders (base-64 encoded binary headers) leak kernel addresses in iOS 6.0, defeating Kernel ASLR. This has been quickly fixed in iOS 6.0.1, effectively locking down iOS for the foreseeable future, thanks to security researcher mdowd.

Winocm's custom kernel

Winocm uses a custom kernel which the version can be found below.

Darwin Kernel Version 13.0.0: Fri Nov 22 18:19:54 CST 2013; root:xnu-2050.48.13~7/DEVELOPMENT_ARM_S5L8930X

External Links

XNU Source (up to latest **OS X** version)
i0n1c on exploiting the kernel
Haifisch on Decrypting the iOS kernel for disassembly
jkextstat.c
OSX/iOS internals book

Difference between revisions of "Kernel"

Revision as of 19:49, 20 July 2015

Contents

ASLR

Stack

Boot-Args

Versions

Version List

Source Code

Kernel Extensions

Winocm's custom kernel

See Also

External Links

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Miscellaneous

Tools

@@ Line 19: / Line 19: @@
 Kexts use boot-args as well, as can be seen when disassembly by calls to PE_parse_boot_argn (usually exported, _PE_parse_boot_argn 8027A8EC on the iOS 6.1.3 kernel, discovered by [[User:Haifisch|Haifisch]]). Finding references (using IDA) reveals hundreds places in the code wherein arguments are parsed in modules, pertaining to Flash, HDMI, and [[AppleMobileFileIntegrity|AMFI]].
-Here's a list of boot-args extracted with the [https://github.com/pod2g/ios_stuff/tree/master/idc-ios-boot-args IDA script] by [[User:MuscleNerd|MuscleNerd]]:
+The list of boot-args can be extracted from any kernel dump once the address of _PE_parse_boot_argn is determined (which is usually automatically). A list from iOS 8.4 is shown below:
--disable_aslr (From the xnu source code)
- _nand-part-poison
+ # perform a full disassembly, isolate decompiled lines (^;) with PE_parse.. and isolate string between quotes, sorted uniquely:
- _panicd_corename
+ # morpheus@Zephyr (~)$ '''jtool -d __TEXT.__text kernel.8.4.dump | grep PE_parse |grep '^; '| cut -d\" -f2 | cut -d\" -f1 | sort -u'''
- _panicd_ip
- _router_ip
- acc_debug
- aesdev
- als_enable_debug
- amfi
- amfi_allow_any_signature
- amfi_get_out_of_my_way
- amfi_unrestrict_task_for_pid
- AppleEmbeddedUSBArbitrator-debug
- AppleS5L8930XUSBArbitrator-debug
- AppleUSBPhy-debug
- arm7m-enable-jtag
  -b
+ -disable_atm
- backlight-level
+ -factory_debug
- backlight-logging
+ -l
- baseband-spi-sclk-period
+ -multiq-deep-drain
- bcom.chip.driveStrength_mA
+ -no-zp
- bcom.chip.watermark
+ -no64exec
- bcom.clock.sd-rate
+ -novfscache
- bcom.devif.fn2-block-size
+ -oldmezname
- bcom.devif.rx-retries
+ -panic_on_exception_triage
- bcom.devif.transaction-log
+ -progress
- bcom.devif.tx-retries
+ -qos-policy-allow
- bcom.feature.flags
+ -s
- bcom.ps.inactivity.timeout
+ -vm16k
- bcom.wte.thread-priority
+ -vnode_cache_defeat
+ -x
+ -zc
+ -zinfop
+ -zp
+ aks_default_class
+ assert
+ bg_preempt
  boot-uuid
+ colors
- brightness
+ cpumon_ustackshots_trigger_pct
- burnin-size
- cameraclocks
- charger-debug
- cpus
- cs_debug
- cs_enforcement_disable
  darkwake
  dart
  dcc
  debug
+ diag
- disable-usb-iap
+ disable_exc_resource
- dp_async_event_fail_hard
- dp_audio_driver_level
- dp_audio_driver_mask
- dp_audio_interface_level
- dp_audio_interface_mask
- dp_controller_level
- dp_controller_mask
- dp_device_level
- dp_device_mask
- dp_display_interface_level
- dp_display_interface_mask
- dp_interface_level
- dp_interface_mask
- dp_log_level
- dp_max_channel_count_lpcm
- dp_max_sample_rate_lpcm
- dp_max_sample_size_lpcm
- dp_min_channel_count_lpcm
- dp_min_sample_rate_lpcm
- dp_min_sample_size_lpcm
- dp_service_level
- dp_service_mask
- dpsm
- dvb
- dvc
- dvd
- effaceable-enable-full-scan
- effaceable-enable-wipe
- enable-acsleep
- fairshare_minblockedtime
  fill
+ hwm_user_cores
- fixedpriority_quantum
- fix-parity
- force-usb-host
- force-usb-power
- hdmi_max_channel_count_lpcm
- hdmi_max_sample_rate_lpcm
- hdmi_max_sample_size_lpcm
- hdmi_min_channel_count_lpcm
- hdmi_min_sample_rate_lpcm
- hdmi_min_sample_size_lpcm
- hdmi_protection_type
- hp-detect-invert
- hp-pop-workaround
- hp-switch-force-config
- hp-switch-ramp
- hsic
- i2c-logsize
- i2c-verbose
  ifa_debug
  ifnet_debug
+ imp_interactive_receiver
+ inaddr_nhash
  initmcl
+ interrupt_accounting
  io
+ io_throttle_period_tier1
- iopfmi-timeout
+ io_throttle_period_tier2
+ io_throttle_period_tier3
+ io_throttle_window_tier1
+ io_throttle_window_tier2
+ io_throttle_window_tier3
+ iosched
  iotrace
+ jcon
- jpeg-log
  jtag
- kdp_crashdump_pkt_size
- kdp_ip_addr
- kdp_match_mac
- kdp_match_name
  keepsyms
+ kernel_stack_pages
  kextlog
+ kmapoff
- link_recovery_enabled
+ lcks
+ lo_txstart
+ longterm
+ max_cpumon_interval
+ max_cpumon_percentage
+ max_task_pmem
+ maxmem
+ maxoffset
  mbuf_debug
  mbuf_pool
@@ Line 134: / Line 92: @@
  mseg
  msgbuf
- mt-bytes
- mt-strings
  mtxspin
+ multiq_drain_band_limit
- nand-boot-malloc
+ multiq_drain_depth_limit
- nand-check-vs
+ multiq_drain_urgent_first
- nand-commands
- nand-disable-driver
- nand-dump-vs-table
- nand-enable-adm
- nand-enable-reformat
- nand-enable-yaftl
- nand-erase
- nand-erase-install
- nand-fbbt-publish
- nand-force-restore
- nand-idle-timeout-ms
- nand-ignore-ptab
- nand-index-cache-size
- nand-latency-us
- nand-max-pages
- nand-neuralize
- nand-nvram-debug
- nand-ppn-debug
- nand-ppn-vs-debug
- nand-qual
- nand-queue-entries
- nand-read-blocks-max
- nand-read-dccycle-clks
- nand-read-hold-clks
- nand-readonly
- nand-read-setup-clks
- nand-reorder-defer-max
- nand-reorder-defer-size-trigger
- nand-reorder-read-promote-max
- nand-reset-burnin
- nand-save-rma-data
- nand-set-rma
- nand-sftl-cache-drain
- nand-sleep-debug-panic
- nand-slow-timings
- nand-wearlevel-timeout-ms
- nand-whiten-metadata
- nand-wipe
- nand-write-blocks-max
- nand-write-hold-clks
- nand-write-setup-clks
  nbuf
  ncl
+ net.inet.ip.scopedroute
  net.inet6.ip6.scopedroute
  net_affinity
  net_rtref
+ net_rxpoll
  network-type
+ panic_on_cs_killed
- -no64exec
+ preempt
- -novfscache
+ qos_override_mode
- panicd_port
- pcp
- pctb
- pdmvr
- pio-error
- pmu-chargetrap
- pmu-debug
- ppn-clean
- -progress
- prox_enable_debug
- pthtest
  rd
- remote_nmi
  rootdev
+ rte_debug
- -s
+ sched
- sdio.clock.base-rate
+ sched_decay_penalty
- sdio.clock.sd-rate
+ sched_decay_usage_age_factor
- sdio.debug.abort-init
+ sched_pri_decay_limit
- sdio.debug.init-delay
+ sched_use_combined_fgbg_decay
- sdio.log.flags
- sdio.log.level
- sdio.transfer.max-pio-blocks
- sdio.transfer.max-pio-size
- sdio.transfer.mode
  serial
+ serverperfmode
- sgx_panic_on_recovery
- shadev
  slto_us
  socket_debug
+ task_policy_suppression_disable
- torchcltm0
+ task_wakeups_monitor_interval
- usb
+ task_wakeups_monitor_rate
- usb_dev_nmi
+ task_wakeups_monitor_ustackshots_trigger_pct
- usb_dev_reset
+ tbi
- -vnode_cache_defeat
+ trace
- wdt
+ trace_panic
+ trace_typefilter
+ trace_wake
+ unrestrict_coalition_syscalls
+ vm_compression_limit
+ vm_compressor
+ vm_compressor_immediate
+ vm_compressor_threads
  wfi
+ wqsize
- wlan.ap.channel
+ zalloc_debug
- wlan.debug.abort-init
+ zlog
- wlan.debug.generate-mac
+ zp-factor
- wlan.log.flags
+ zp-scale
- wlan.log.level
+ zrecs
- wlan.log.timestamp
+ zsize
- wlan.netmanager.stats-timer-interval
- wlan.panic.factory
- wqsize
- WTE
- -x
 == Versions ==