Difference between revisions of "Kernel Symbols"

From The iPhone Wiki

Latest revision as of 10:17, 26 March 2017

iOS's XNU is largely stripped, and each new version ships with fewer symbols. Whereas in pre-3.0 kernels most symbols were visible, nowadays only the symbols required for kext linkage remain.

This page is started in the hopes of bringing together efforts of the various jailbreakers so as to pool already symbolified sections of the kernel. Because addresses change along with the different builds, please add the symbols under the right kernel version (i.e. release + device). If not 100% sure about a symbol, indicate the level of confidence.

Started with iPod touch (4th generation), because this is the main kernel the author has largely (>80%) symbolicated. Please add your own. Even if your build is different, the address space doesn't change that much. As of iOS 6, kernel ASLR shifts every one of these addresses by the same offset (the kernel slide).


The table below is obsolete: the Joker tool (http://NewOSXBook.com/tools/joker.html) exists solely to auto-symbolicate kernels. It works on all kernels through XNU 32xx and recovers the symbols below, as well as MIG tables and various other important functions.

{| class="wikitable" style="font-size: smaller; text-align: center;"
|-
! symbol !! 5.0.x iPod touch (4th generation) !! 5.0.1 iPhone 4S !! 5.1 iPod touch (4th generation) !! 6.0 beta 1 iPod touch (4th generation) !! 6.0 iPod touch (4th generation) !! 6.0.1 iPod touch (4th generation) !! Notes
|-
| _exception_triage || 0x80016C34 || ??? || ... || ... || 0x80018774 || 0x80018774 || The Mach exception processing logic.
|-
| sysent || 0x802CCBAC || 0x802CBBAC || 0x802CCBAC || 0x802F00B8 || 0x802F00B8 || 0x802F00B8 || Through this you can obtain all of XNU's 438 system calls, e.g. _exit @0x8019DE04 on iPod, 0x8019D278 on iPhone 4S, etc.
|-
| syscall_names || 0x802D2C6C || 0x802D1C6C-0x802D2340 || 0x802D2C5C-0x802D4338 || 0x802A6538-0x802A7540 || 0x802E8FB0-0x802E969C || 0x802E8FB0-0x802E969C || The char[][] containing the textual names of all system calls
|-
| AppleMobileFileIntegrity_Start || 0x805E499C || ??? || 0x805D5B94 || ... || ... || ... || Initialization of AMFI, the kext responsible for sandbox policies and entitlements
|-
| bsd_init || 0x802B77C0 || ??? || 0x802B8A24 || ... || 0x802B85B4 || 0x802B9618 || BSD layer initialization logic. Branches out to initialize virtually every BSD subsystem. Same as OS X XNU, with minor exceptions (e.g. kernel_memorystatus/jetsam, iptap...)
|-
| ExceptionVectorsBase || 0x80078000 || 0x80078000 || 0x80078000 || ... || ... || ... || Address of the CPU exception handlers in kernel space: fleh_reset, fleh_undef, fleh_swi, fleh_prefabt, _fleh_dataabt, _fleh_addrexc and fleh_irq can be obtained from here
|}
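The sysent and syscall_names rows above describe the two tables a symbolicator pairs up: sysent is an array of struct sysent whose sy_call member holds each handler's address, and syscall_names supplies the textual names. The Python script below is an added example (not code from The iPhone Wiki or from the Joker tool) of walking both tables out of a raw kernel region, including the address-to-file-offset translation that the iOS 6 KASLR slide makes necessary. It assumes the 24-byte struct sysent layout of 32-bit XNU from that era, assumes syscall_names is XNU's `const char *syscallnames[]` from bsd/kern/syscalls.c (an array of string pointers; the wiki describes it as a char[][]), and parses a kernel region that is constructed inline with arbitrary addresses, not the ones in the table.

```python
"""Walk an XNU sysent table and the syscallnames[] pointer array out of a raw
kernel region.  Added illustration; not code from The iPhone Wiki or Joker."""
import struct
from typing import List, NamedTuple, Tuple

# ASSUMPTION: struct sysent as laid out in 32-bit XNU of the iOS 5/6 era:
#   int16_t    sy_narg;          2 bytes
#   int8_t     sy_resv;          1
#   int8_t     sy_flags;         1
#   sy_call_t *sy_call;          4   <- the handler address we want
#   sy_munge_t *sy_arg_munge32;  4
#   sy_munge_t *sy_arg_munge64;  4
#   int32_t    sy_return_type;   4
#   uint16_t   sy_arg_bytes;     2
#   (2 bytes of padding to a 4-byte boundary)     = 24 bytes per entry
SYSENT = struct.Struct("<hbbIIIiHxx")
assert SYSENT.size == 24


class Syscall(NamedTuple):
    number: int
    name: str
    handler: int
    nargs: int


class KernelImage:
    """A flat kernel region plus the virtual address it is mapped at.  A real
    kernelcache is a Mach-O with several segments; one base is enough to show
    the virtual-address -> offset translation."""

    def __init__(self, data: bytes, base: int, slide: int = 0):
        self.data = data
        self.base = base
        # As of iOS 6 every kernel address is shifted by the KASLR slide, so
        # pointers read out of a live memory dump must be un-slid before lookup.
        self.slide = slide

    def offset(self, vaddr: int) -> int:
        off = vaddr - self.slide - self.base
        if not 0 <= off < len(self.data):
            raise ValueError(f"address {vaddr:#010x} is outside the image")
        return off

    def u32(self, vaddr: int) -> int:
        return struct.unpack_from("<I", self.data, self.offset(vaddr))[0]

    def cstring(self, vaddr: int, limit: int = 64) -> str:
        start = self.offset(vaddr)
        end = self.data.find(b"\0", start, start + limit)
        if end < 0:
            raise ValueError(f"no NUL within {limit} bytes of {vaddr:#010x}")
        return self.data[start:end].decode("ascii")


def walk_sysent(img: KernelImage, sysent_va: int, names_va: int, count: int) -> List[Syscall]:
    """Pair sysent[i].sy_call with syscallnames[i] (ASSUMPTION: an array of
    4-byte string pointers) and return the resolved system calls."""
    calls = []
    for i in range(count):
        entry_off = img.offset(sysent_va + i * SYSENT.size)
        narg, _resv, _flags, handler, _m32, _m64, _rtype, _argbytes = \
            SYSENT.unpack_from(img.data, entry_off)
        name = img.cstring(img.u32(names_va + 4 * i))
        calls.append(Syscall(i, name, handler, narg))
    return calls


def build_sample_image(base: int = 0x80000000, slide: int = 0) -> Tuple[KernelImage, int, int]:
    """CONSTRUCTED sample: a tiny fake kernel region holding three syscalls.
    The handler addresses are arbitrary and are not the wiki's real values."""
    names = [b"syscall", b"exit", b"fork"]
    handlers = [base + slide + 0x100000, base + slide + 0x100040, base + slide + 0x100080]
    nargs = [0, 1, 0]
    strings = bytearray()
    string_vas = []
    for n in names:
        string_vas.append(base + slide + len(strings))
        strings += n + b"\0"
    while len(strings) % 4:          # keep the pointer table 4-byte aligned
        strings += b"\0"
    names_va = base + slide + len(strings)
    name_table = b"".join(struct.pack("<I", va) for va in string_vas)
    sysent_va = names_va + len(name_table)
    sysent = b"".join(
        SYSENT.pack(nargs[i], 0, 0, handlers[i], 0, 0, 0, nargs[i] * 4)
        for i in range(len(names))
    )
    return KernelImage(bytes(strings + name_table + sysent), base, slide), sysent_va, names_va


if __name__ == "__main__":
    img, sysent_va, names_va = build_sample_image()
    for c in walk_sysent(img, sysent_va, names_va, 3):
        print(f"{c.number:3d} {c.name:<10} {c.handler:#010x} nargs={c.nargs}")
```

Against a real kernelcache you would replace build_sample_image with a Mach-O segment map (one base/offset pair per segment) and feed walk_sysent the sysent and syscall_names addresses from the table above for the matching build; on an iOS 6 memory dump the slide argument is what turns those static addresses back into live ones.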

Note: for most of the symbols above, fairly close source code can be found in Apple's public open-source XNU at http://opensource.apple.com. Bear in mind that ml_, PE_ and other machine-specific functions will naturally be implemented quite differently (but it's a start!).