Mac OS and iOS Internals: The Change Log

ChangeLog

(Last update: 02/05/20)

MOXiI is now self-published, which enables me to keep the book continuously updated! Unlike a traditional print book, with which you have to wait for a new edition, I can update the original HTML file, reprint to PDF, and submit another batch to print! This will obviously not help copies already printed at that point, but any future copies going to print will automatically be as up-to-date as possible. This means that whenever one chooses to buy the book, he or she is guaranteed the latest and greatest edition. Think of it as you would of software - wherein new versions come out every so often.

Over time, this will inevitably open up quite a gap between any past-printed versions and the latest ones. Beginning with v1.0.1, I started this changelog to help people track "What's New". If you bought an older copy and, at some point, wish to re-purchase the latest version of the book, please drop me a note and inform me you already have a previous version. I would be happy cut you a $15/0.05BTC discount when you get a new copy. Note that you have to use BTC or Paypal for that - I can't do that via Amazon, sorry. (And, hey - when's the last time a publisher offered you such a discount on upgrade, or even made an effort to keep a book so up-to-date?)

Volume I: Volume II Volume III

Date Version Notes

02/06/2018 1.0.2 Dozens of typos caught by Guido Soranzio - Thank you SO MUCH

03/06/2018 1.0.3 iOS 9 did not leave behind the iPhone 4. iOS 8 did...

05/01/2018

1.0.4

pg 315 - Important correction - SEND_ONCE rights ARE transitive - not clonable, but movable. Table 11-1 should therefore read MOVE only for SEND ONCE.
(And yes, I'm paying 0.01BTC for this - it was well deserved).

Loads more typos , especially by 73696e65 - Thank you!

Added note about unique pids - "This unique identifier also comes in handy as it is saved for the parent process identifier, and does not change after reparenting or adoption by PID 1. It can be retrieved using proc_info's private PROC_PIDUNIQIDENTIFIERINFO flavor (#17)."

Table 8-13: Two filled entries which somehow were commented out:

`pthread_cond_signal_thread_np`	Signal a conditional variable to specific thread
`pthread_cond_timedwait_relative_np`	As `pthread_cond_timedwait`, with relative timeout

Short explanation on Siri ShortCuts (iOS 12) and the new siriactionsd.

Better integration with Volume II, now that it's shaping up :-)

9/21/18

v1.1 (really should have been v.1.0.6..)

Minor improvements for Darwin 18. Nothing finalized yet. So far, we have:

Table 9-5: added

3831 vm_map_exec_lockdown Lock down vm_map executable segment preventing remapping (Darwin 18)

(this is covered in depth in Volume II, rest assured)

Table 11-5: Added

3236

mach_port_special_reply_port_reset_link (Darwin 18)

Returns sync ipc turnstile link status

Typo corrections by bubbles - Thank you!

iOS/TVOS 12, WatchOS 4.0, MacOS 14 also listed in Intro chapter

Added [get/set]wgroups to Table 8-8, even though they're unimplemented, in an attempt to reach 100% syscall coverage through the trilogy

DYLD opcodes 0xD0 - threaded... explained! (nice going, AAPL! I also threw a note about this in the See added pages in forum post.

Correction re: skywalk (bonding, not the IPv6 interface for BridgeOS)

Mention Corellium iOS Emulation. I haven't tried it myself, but something so potentially amazing cannot be omitted.

Mention tlv_atexit() (from <mach-o/dyld.h>) for Thread Local destructors

Better integration with Volume II (which is coming soon)

12/10/2018

v1.2

One year later, a major update, with over 60 (+12%) densely packed pages! Brings back some stuff I had originally pushed to Volume II now that Volume II is close to finish and I know how to divide the material better. This includes:

40 or so more pages of an entirely new chapter (#16) on Networking, from the user mode perspective:
- PF_NDRV
- PF_SYSTEM (SYSPROTO_EVENT and SYSPROTO_CONTROL)
- Network configuration
- sysctl MIBs - comprehensive lists of pretty much every single net.inet[6].* MIB
- Network statistics
  - com.apple.network.statistics and the private NetworkStatistics.framework
- Firewalling
  - ALF.kext
  - ipfw (Depreceated)
  - pf
- Packet Capture
  - BPF
  - Pktap/iptap
- QoS
- Network Extension Control Policies (NECP)
- com.apple.net.netagent
- Skywalk (Nexuses and Channels)
FREE TO DOWNLOAD
here
I had originally thought I'd include that in Volume II, but now that Volume II is being finalized I realized its own networking chapter (from the kernel perspective) is already quite big - and user mode really belongs in Volume I..
3 pages - Added descriptor types - including NECP, Nexuses and Channels - to Chapter 3 ("Promenade"), since it discusses files already. Also discussed guard APIs (their implementation remains in Volume II), and fileports. Again, this was a mistake of mine since I cover the implementation of descriptors (struct fileproc, filedesc, filEglob and all that fun stuff) in Volume II, but the syscalls certainly make more sense in I.
7 pages - Explained process, task and thread policies in Ch. 8 ("Parts of the Process") - I originally pushed all this to Volume II as well, but I realize that the discussion of how to use the Mach traps and syscalls (not how they work) is better suited for Volume I. Also discussed resource limits , in iopolicysys (#~~323~~ 322), proc_rlimit_control (#446) and process_policy (#323)
3 pages - Remote XPC! (Took me a while, I had to get myself a T2 machine..)
Added Experiment to XPC chapter highlighting XPoCe 2
Added libmalloc-166 (Darwin 18) APIs, including Nanov2. Also mentioned Darwin 16 pressure callback and super cool malloc_replay tool
Made note of Patrick Wardle's post about login items
5 pages - GUI (MacOS), event taps (MacOS) and Multitouch. Blew a bug AAPL patched on iOS but not on MacOS. Also, while on the subject of Patrick's great posts, added note of Patrick Wardle's post about synthetic events

Other , more minor changes:

All them II/@@ references (when I didn't know which chapter numbering I'd end up with) are all resolved!
External references:
- Added a reference to @timacfr's excellent reversing of the .car file format and list of iOS12 MobileGestalt keys
- Added a note + reference to Brandon Azad's amazing exploit of CrashReporter
- Added mention of Samuel Groß's clever exploitation technique of Bootstrap port MiM-ing
- Added link to Kai Lu's XPC internals blog post, since he shows reversing of other objects like I did with xpc_int64_t (Listing 14-10). This pushes some references (since he's #5), but is well worth it. Also while I was at it, I updated the listing to Darwin 18 (Object format changed slightly, and there's tagged pointer obfuscation stuff) , and colorized that listing to make decompilation stand out better like in other listings, like this:
  .
Added [get/set]tid to Table 8-8..
Listing 7-29 (dyld_cache_header) now updated for dyld-625 sources
Corrected Output 11-15-c (0x503 is remote, 0x403 is local), and 11-15-d title (using procexp to show process ports)
Modified Listing 6-2 to be all strictly little endian (cf/fa/ed/fe)
Removed the mention of cs_relax_platform_task_ports, since I didn't mention it's only #ifndef SECURE_KERNEL, which is never the case when CONFIG_EMBEDDED
Table 15-2 updated with Darwin 18 proc_info consts (#28, #29)
Corrected Message Trailers. Incomplete cut paste messed up the "Trailers may be requested on message reception by adding MACH_RCV_TRAILER_TYPE (MACH_RCV_TRAILER_xxx) to the options (=2^nd) argument of mach_msg)." paragraph.
Added review questions to Mach Messaging and Mach Primitives chapters
Mention voucher persona adoption (libDispatch in Darwin 18)
Emphasizing MIG semantics as a recurring source of mayhem (thus making the MIG warning in Ch. 11 clearer)
Updated that a blatant KASLR info leak in MacOS is still very much alive in MacOS 14. Doesn't anybody out there read the book? It's one of several free CVEs I put in :-)
Mention the kern.tfp.policy sysctl (Ch. 12 "With Great Power..")
Emphasize that NOTE_VM_PRESSURE/EVFILT_VM was actually removed in MacOS 12.. My thanks to septium/cahoots from the Book's forum!
100% Darwin system call coverage achieved!! Meaning that all Darwin Proprietary calls - especially undocumented ones - are discussed in one form or another in Volume I (or , for VFS ones, Volume II).

3/17/2019

v1.2.1

Minor additions:

Mentioned Jeremy Erickson and Mikhail Davidov for their thorough Remote XPC research
Clarified mach_ports_[register/lookup] - stashed rights are inheritable. That is a MUCH better way than overriding the bootstrap port (and, is in fact, what the mechanism was devised for).
Changed footnote of Darwin notification experiment to :
* - Until Darwin 18, notifyd didn't verify the identity of the notification poster, nor performs a sandbox_check, which could lead to interesting behaviors inspired by malicious clients. An Apple engineer who paid close attention to the footnotes in v1.1 of this book fixed this issue anonymously.

as yet another vulnerability hidden in the book was discovered :-) But.. what about the others...?

06/17/2019

v1.3

Fixed Mach local/remote port 11-10 and Output 11-15 as somehow endianess got the better of me.

Mentioned https://developer.apple.com/bug-reporting/profiles-and-logs/

ARM64 Branch pool size smaller - 48K

Incorporated what I hope are the last typo fixes thanks to the astute Peter Upfold

Darwin 19 changes! These are the ones pertaining to this volume, many more go into Volume II:

SF_* flags
Update to xnu version 6,000+ (Figure 1-..)
DriverKit bundles (DEXTs - in Chapter II and more detail going into Volume II)
more on port guarding: task_[get/set]_exc_guard_behvavior, mach_port_*guard*.., etc, and new mach_msg descriptor
New host special ports - filecoordinationd and fairplayd
New Mach traps (mach_port_type, request_notification, and new guard)
New syscalls: 532 (coalition_ledger), 533 (log_data), 534 (memorystatus_available_memory) and that sneaky #217 (fsgetpath_ext) - can't hide from me, AAPLytes ;-)
Minor LC changes (two new load commands added for DYLD)
Added description of __DATA_CONST.__const in Chapter 6, and note in figure (which still shows pre-Darwin 19 layout)
MacOS read only root partition, finally (updated "Partitioning")
Made notes on blocks in kernel mode as well
Noted vmnet interface in Table 16-10
libsystem_featureflags in Table 2-20
Last minute update to include Jonathan Afek's success at booting iOS in QEMU to bash
IMPORTANT TIP (especially during MacOS 15 beta...) added after DTrace probe experiment:
New Appendix: MacOS/*OS Software images and updates - 16 more pages detailing MacOS installations, and iOS IPSW and OTA formats! Free to download: HERE

07/29/19
08/20/19 v1.3-1 (19β4,6) Updated Listing 3-10 for COMPRESSION_LZFSE (type 7) in DMGs

Emphasized pid_shutdown_sockets() is on target pid, and mentioned assertiond calls it when device sleeps

Explanation of new /System/Library/FeatureFlags/ and init_featureflags run on startup

Note on "#" extension to xattrs and libcopyfile's xattr_name_with_flags(3) (Thanks, @Howardnoakley!)

TVOS 13 is codenamed Yager..

09/22/2019

v.1.3.3.7

Updated Table A-12 (firmware images) for WatchOS 6 Watch4,* firmwares

The missing discussion of content filters.. (2 pages, will be made available here)

Separated the note about vnode guard from other guarded fdesc, since the two are not related and may be confused.

EEK. Somehow in Chapter 3 (File descriptors in Darwin), I referred to System V IPC (shmat/shmdt/smget) and Semaphores (semget/semop/semctl) as POSIX, by quoting the wrong syscall numbers! This is, of course, a mistake of mine - The Sys V IPC objects are not descriptors, and the POSIX objects use different syscalls (shm_open/unlink, sem_*...). I saved myself 0.01BTC by catching it in this update, when I was syncing contents with Volume II, where I ended up expanding on their in-kernel representation. The following is the corrected text (+d on runningboardD..):

Added reference to CMU's archive of published and unpublished Mach papers (#5 for Chapter 11, and #6 for 12, for exception handling), as this valuable reference was somehow commented out in the book's HTML till now...

Finalized XNU's version for Darwin 19 as 6153

Updated as much of Darwin 19 as I can get in this volue:

MacOS 15, iOS 13 in Chapter 1
iPadOS in Figure 1-3
Updated Table 7-3 to include Darwin 18's addition of ptr_munge, consumed by libc.
Noted that Table 8-49 (dispatch sources from libdispatch-1008) hasn't changed in Darwin19's libdispatch-1173 either.

No more borders around figures. Looks better this way (like in Volume II). Also small ones have been made bigger by 12-20%!!!

Listing 5-38 (emond rules) properly indented and colorized

The Mach/BSD plane figure (12-6) now looks a LOT better now that it has all fields colorized:

Two more pages in an experiment to handle exceptions in code, similar to the code from MOXiI 1st edition Chapter 11 (and the basis for QiLin's amfidebilitate)

Made note iPads may use swapfile(!)

Tip about watchevent/waitevent/modwatch syscalls as file descriptor based alternative to fsevents

Added initgroups() (#243) and settid_with_pid() (#311 :-) to Table 8-8

8-44 is an output, not a listing..

Finally fixed 7-21 listing numbering..

Filled in all the psynch and pthread syscalls, as well as proprietary ulock_[wait/wake]()

Mentioned terminate_with_payload() and os_fault_with_payload() (#520, 529) after abort_with_payload() (#521) in Ch15. Pedantic, I agree, but 100% syscall coverage doesn't come easy..

Added new full page table for contents of /dev in Chapter 3 (Table 3-24, which renumbered rest *sigh*)

Total page count: 570 pages..

v.1.3.3.7.7.1

Download links for MacOS Installation images (Thanks to Mr. Csaba Fitzl):
- Catalina - https://support.apple.com/en-us/HT201475
- Mojave - https://support.apple.com/en-us/HT210190
- High Sierra - https://support.apple.com/en-us/HT208969
- Sierra - https://support.apple.com/en-us/HT208202
- El Capitan - https://support.apple.com/en-us/HT206886
- Yosemite - https://support.apple.com/en-us/HT210717
Noted Mach-O was actually patented (US5432937). Who knew? :)
iopolicysys() is #322, not #323!
Updates from XNU-6153:
- Table 9-4: Added MAP_32BIT (*OS, requires entitlement)
- Added memory tags 99-101 to table 9-6
- Added JETSAM_REASON_LOWSWAP in 9-25
- Noted swapping is becoming more common on *OS..
- Table 15-1: PROC_INFO_CALL_UDATA_INFO: how did I miss this one?! Since 4570, but MacOS only
- Table 15-2: flavors 30-32 (PLATFORMINFO, PIDREGIONPATH and PIDTABLEINFO)
Chapter 16: Fixed xx-xx to be 16-37 and *sigh* renumbered..
Added ioctl(BIOCSETF) to actually load program in 16-34
Added list of all Darwin specific socket options (for [get/set]sockopt(2)) as Table 16-10' (tired of renumbering..)

Volume I Volume II Volume III

**The MOXiI Volume II Change Log**
Date	Version	Notes
11/3/2019	1.0.1	Minor typo fixes: @@TODOs that shouldn't have been there Table 10-9 (IKOT_*) updated for type 41,42. I don't know the constant names since AAPL are taking their sweet time with sources, as usual, but 41 is DriverKit uexts (MacOS only) and 42 is arcade (also apparently MacOS only) AST_ARCADE on MacOS, ~~and the new Hypervisor AST (used by AppleHV.kext)~~ Mentioned kqueue_workloop_ctl right after Listing 6-19. Missed that nigh-useless system call the first time around, but since @S0rryMyBad exploits a UaF in it, people might as well know what it's really intended for :-) `ipc_kobject_alloc_port` mentioned as new way (from Darwin 19) to alloc ports for kobjects Titled Listing 13-32, 13-33, 13-41, and adjusted width so text isnt truncated. Added captures of endpointsecurity XPC, thanks to Patrick Wardle's great example
02/02/2020	1.0.2	Incorporated dozens more typo fixes thanks to my regular hawkeye and meticulous reviewer, Peter Upfold - Thank you! A few other typos (mostly pg 170-171 in proc group fields) from @_4lx_ Updated XNU sources for 6153 - thank you so much, finally, AAPLytes - so lots of changes to source snippets. Added link to NewOSXbook.com's local resources, mirroring and archiving Apple Developer's superb documentation, as PDFs Chapter 1: A13 has ARMv8.4, apparently (LLVM project sources, thanks, @Longhorn) Chapter 3: Linked to my own Endpoint Security article Chapter 4: Lock tickets (used so far only in pset_lock) after spinlock discussion, with struct explanation, and links to original article. Also updated Table 4-14 for this. circle queues (back in fashion after formerly deemed a disgrace :-) MPSC queues Updated 4-33 (`sysent` to better display syscalls, from 6153. Also added 4-34 for the args struct: Also explained syscall filtering now that I have the sources: Mentioned @S1guza's awesome PAN design flaw in a highlighted note Chapter 7: Listing 7-15 for disk_conditioner_info (actually since 4903..) Namespace materialization (file resolvers) - Source makes this $%$#% so much easier to understand... But I'm glad to say I was already pretty accurate! Minor additions here, notably source references, header comment in bsd/vfs/vfs_syscalls.c, and the MIG defs osfmk/mach/vfs_nspace.defs. Chapter 9: Listing updates: Listing 9-7 for AST_RESET_PCS/ARCADE Listing 9-17 (task_pend_token) Listing 9-18 (THREAD_POLICY_INTERNAL_STRUCT_VERSION is now 5..) For thread_deallocate: As of Darwin 19, `thread_deallocate_daemon_register_queue()` is used to register `thread_[deallocate/terminate]_queue`s, as well as the `turnstile_deallocate_queue` and `workq_deallocate_queue`. These are Multi-Producer Single Consumer `struct mpsc_daemon_queue`s (implemented in osfmk/kern/mpsc_queue.c), as discussed in Chapter 4. This new queue type is also used for the `thread_[exception/stack]_queue`s. The Clutch sche?duler (used in OS on non AMP, i.e. pre A11) __AMP__ is only on A11 (APPLEMONSOON) and later, and actually since iOS 12 (Sneaky, guys! How did I not notice? :-). Unfortunately not open source outside one header :(, but still explained. Added `TURNSTILE_SLEEP_INHERITOR` to Table 9-30. Also, `TURNSTILE_KERNEL_MUTEX` is now finally used in `lck_mtx_t`s. Mentioned `task_thread_limit` and `CONFIG_THREAD_MAX`, though the former is still not really used. Updated `processor_set_t` (Figure 9-4) for node, pset_cluster_id and pset_cluster_type which I honestly don't understand how I didn't have in the diagram earlier.. The original diagram also incorrectly pointed from pset_list to processor.. New diagram should be easier to read, too (color coding indicates data/pointer type): Added processor state machine (from osfmk/kern/processor.h) in a diagram as 9-5. This renumbers everything by another +1... Fixed Refs to Chapter 9 that were incorrectly marked as 10 because I ended up swapping order last minute.. CORRECTION: There is no Hypervisor specific AST* (oopsie! Glad I saved myself 0.01BTC - $91.98!). But there are new ASTs for task_restartable_ranges (`AST_RESET_PCS`) and arcade (`AST_ARCADE`) both of which are now discussed!!! Added review question: If a given process type (e.g. iOS's SpringBoard) requires different ledger limits, how could such specific, per-process ledger values be implemented? Chapter 12: Added review question in Chapter 12: (in the hope that AAPL actually adopts this for future versions of iOS..) How could ledgers (from Chapter 9) or new task-level limits be used to augment the defenses against zone corruption attacks and fake objects? and one for Brandon's excellent just-not-giving-a-damn-about-`zone_require()`: What could have been the rationale for zone_require() not panic()ing on an address outside the zone_map? Why is this incorrect? And how could the routine be properly reimplemented so as to cover all cases? and: In older versions of Darwin (and even the present day, for foreign allocations) the zone metadata could be embedded in the element page. Why is this a bad idea? And, because I didn't make crystal clear a point which enabled Bran the Breaker to break another OS version: and, although in a footnote, Brandon gets the only resource reference in Chapter 12 :-) And, for what it's worth, I'll reiterate: The kernel "heap" is NOT IN ANY WAY A HEAP. It's zones, (per Linux, slabs, or pools). By any other name (But heap), it DOES NOT HAVE METADATA IN OBJECTS* (at least, not anymore, and excluding foreign). When you overflow one object, you're directly onto the next (or free space for one). The metadata is maintained separately. There is ample confusion due to the only public references on this being from really older versions of XNU, and much has changed. And most importantly, it's not at all similar to the traditional data structure we know and love, called a heap. And to emphasize that, I have a new experiment with zones! In fact, I added lots of notes to the zone discussion, which I think now merit a Bonus download for those of you with v1.0. Chapter 13: Clarified that IOUserClients in `io_user_clients` of `struct task` are kept as a `queue_head_t` of `struct IOUserClientOwner`s. IIG example (in chapter 13) which I realized I forgot because of comment in HTML! Sorry.. and thanks @sdotknight! Chapter 14: Updates to bsd/net. Ouch. Not touching the Contiki stuff.. (Also thankfully #ifdef'ed) MPKL restricted ports content_filter_crypto

Volume I Volume II Volume III

**The MOXiI Volume III Change Log**
Date	Version	Notes
10/17/2016	1.0	Initial version, sent to mass production for very first time :-)
11/04/2016	1.0.1	TONS of typo fixes, thanks to Eddie Cornejo! Rounded edges on outputs/listings. Post Scriptum.
11/16/2016	1.1	Pangu 9.3.3 chapter (#21) added
01/10/2017	1.2	Pegasus/Trident chapter (#22) added Mach_portal (Ian Beer's awesome 10.1.1 chain) chapter (#23) added (thanks, Ian!) Yalu+mach_portal (Luca's KPP bypass) chapter (#24) added Miscellaneous typo fixes by @timacfr - Thank you!
02/04/2017	1.3g	Added Yalu 10.2 and CVE-2017-2370 exploit detail to chapter #24 A few typos in the appendix fixed (Thanks, jimmers!) Added Glossary
03/21/2017	1.3.1	MACF coverage of priv_check changes from 2782 through 3789 Added LiberTV mention, naturally :-) Just a few more typos..
08/07/2017	1.4	Coverage of Phœnix Jailbreak - as Chapter 22½, so as to not disrupt existing chapter numbering Minor additions: Updates to sandbox (new operations: `dynamic-code-generation, fs-rename, fs-snapshot-revert, ipc-posix-sem, managed-preference-read, socket-ioctl`) Code signature v20400 and use of detached in iOS 11 new `CSR_ALLOW_` constants (256, 512) for SIP
~~09/26/2017~~ 09/28/2017 One year later :-)	1.4.2	What are hopefully the LAST $#$#% typo corrections (Thanks, Ian!). amfid's role in kext verification (MacOS 13) The new SystemPolicy.framework Figure 5-4 updated for Code Signature 0x20400 (iOS11) (see below) Figure 5-22 (Apple MIB hierarchy) slightly updated `CS_OPS_CLEARINSTALLER` in Table 5-28 Fix table 6-17 which somehow remained with missing cells all this time sandboxd (MacOS) new MIG messages in MacOS 13 A little more on datavault SIP (MacOS 13) Detail on KTRR (KPP-successor in iPhone 7 and onwards) thanks to XNU 4570 sources
12/01/2017	1.4.3	Added slot -6 to code signing special slot, note on DMG signing Clarified a blatantly obvious (and pretty nasty) 0-day (in Chapter 5) that's still in iOS and even more so MacOS 10.13 with SIP - which for some reason isn't obvious enough, after a year the book has been out.. A few more typos I could have sworn I eradicated yet @DubiousMind caught Sandbox_ms (mac_syscall) changes in 570 and 765: vtrace (0x13) check_bulk (0x15) reference_retain_by_audit_token (0x1c) reference_release (0x1d) rootless_allows_task_for_pid (0x1e) rootless_whitelist_push(0x1f) rootless_preflight (0x20) rootless_protected_volume (0x21) rootless_mkdir_protected and datavault conversions(0x22) (AAPL: if you're reading this, try to not renumber in the future, it messes up my tables)
12/31/2017	1.5	Chapter 25: Ian Beer's IOSurface 11.1.2 exploit (CVE-2017-13861) Discussion of post exploitation techniques and the new Jailbreak toolkit
03/15/2018	1.5.1	Two really tiny typo fixes ($HOME)/.ssh in Ch1 and missing parentheses in Ch25) Corrected HT20194 to HT201954 (pg 254) Clarification in Table 8-28: The first entitlement is held by requester, the other two by target (Thanks to 0xdead10cc!). Also made note "The extensions are stored (along with other Sandbox related data) in the second MACF label slot (that is, #1) accessible from the process credentials (q.v. Listing 3-7)" before introducing `sbtool`, after Table 8-23.
05/01/2018	1.5.2	Minor note on `CS_EXECSEG..` flags in code signature 0x20400 (still apparently unused) Minor Expansion coverage of QiLin (Chapter #25) with sample code Renumbering of references in Code Signing chapter due to missing ref to Apple's Code Signing Guide
06/25/2018	1.6	Updates in Darwin 18 Betas 1 & 2
08/28/2018	1.6.1	Minor addition to audit sessions (pg 25) as I attempt to make sure the trilogy covers every syscall Apple has ever introduced: "Apple has extended audit sessions to be carried over Mach ports and added proprietary system calls in Darwin 10. The `audit_session_self` call (#428) allows a process to get a Mach `SEND` right to its own session, or obtain a `SEND` right to other audit sessions (if their identifiers are known) using `audit_session_port` (#432). A process (task) with such a `SEND` right can then call `audit_session_join` (#429) with the port right."
09/24/2018	1.6.2	iOS 12 changes (in Appendix B of 1.6) finalized, TCC version 13, Sandbox 865 hook count actually reduced by one or two, ARMv8.3 PAC security impact discussed
1.6.4 (03/15/2019)	1.6.4	Minor updates: Added `CS_OPS_CLEARINSTALLER` (Darwin 17) and `CS_TEAMID` (Darwin 18) to Table 5-28 Update of jailbreak timeline illustration (Figure 13-22) to include LiberiOS and unc0ver Added executable segment flags Added small note about CSBlobs in memory Updated Figure 5-4 Linked to Malus security's Sandblaster as a sandbox profile decompiler Minor updates to QiLin (for iOS 12) Made note that `PROTECTION_CLASS_F` appears deprecated as of Darwin 16 (`_E` was never used) Updated Figure 5-4 to Code Signature format 0x20500 (see below) Linked to my PPL writeup from appendix Mentioned and linked to Brandon's A12 PAC bypass method Noted CoreTrust bypass. Fix: the flow for Pegasus's Arbitrary Kernel Memory Overwrite is technically in `OSUnserializeBinary`, not `OSUnserializeXML` (though the latter calls the former anyway)
1.6.6n	02/10/2020	Really minor typo fixes Minor fix to Figure 5-4 (below) Mentioned Checkm8 Updated JB history diagram Got rid of Appendix B by absorbing Darwin 18 (and a few 19) changes into respective chapters. Added AMFI's `mac_syscall` support CS Version 0x20500 preencrypt hashes fleshed out Added `mac_proc_check_unix_syscall` Peter Upfold's typo fixes :-)

Yes, earlier I said 1.5 would be final, but I decided to go on and put all the iOS 12 changes in a short 5 page appendix which is increased now to cover ARMv8.3 impact on security. To reduce the page count (which makes the book super heavy already), the glossary was removed. The MPTCP and VFS exploits (for iOS 11.3.1) do not merit any new chapters (techniques used therein have already been used previously), and neither do the voucher_swap ones (for iOS 12.1.2). Brandon's detailed explanation on his exploit and PAC bypass is so well explained I couldn't add a single word of elaboration to it.
The book is now about ~~530~~ 540 pages (well over 100 pages added from v1.0!) so that's it. If you were waiting for a time to get/update the book - I'd suggest now.

Updates

03/15/2019 - Figure 5-4: Code signatures have since been updated - and the new format (0x20500) is shown below:
Also updated Table 10-2 to account for new kTCCService* constants:
09/19/19 - Darwin 19 bumps this even further with 30+ more services - 22 alone for kTCCServiceSensorKit*, 3 for SystemPolicy[Desktop/Downloads/Documents]Folder, ScreenCapture, FileProvider[Presence/Domain], Contacts[Full/Limited], Bluetooth[WhileInUse/Always], ListenEvent, and possibly a few others I missed..
10/17/2017 - DMG signatures: Whilst covering DMGs in Volume I (out next week!) I realized I omitted that as of somewhere in 10.11.x DMGs can be signed with embedded, not just detached signatures. This adds special slot -6, and hashes the entire DMG (sans koly and, obviously, signature) as the single slot 0 of the signature. This will be put into v1.4.3 and later.

Errata

Table 8-19: distributed-notification-post is, of course, to post to Distributed Notification Center, not Darwin
Chapter 22.5, discussion of mach_ports_register: The explanation should make it clear the bug is in the kernel-side MIG generated code. Readers might get the impression the bug is in Listing 22a-7. A better explanation (put into versions after 1.4 and the PhJB PDF) would be:
The call to this code is automatically generated by the Mach Interface Generator (MIG, q.v. I/11), which takes care (in user-mode) of properly initializing the portsCnt variable so that it matches the length of the OOL ports descriptor sent in the message. But user-mode MIG can easily be bypassed, and its code tweaked to deliberately mismatch the two values. The sanity checks restrict the value of portsCnt to be between 1 and 3 - but the kernel-side MIG checks fail to validate that it actually matches the number of ports in the ool descriptor itself. This still allows for an out of bounds condition, wherein extra port elements in kernel memory can be read - and then dereferenced - leading to a Use After Free (UaF) bug.
Chapter 25 - The QiLin Toolkit - Page 486 - "and in particular the task_for_pid/com.apple.system-task-ports" - mistakenly inserted as the result of a vi '.' operation. Should just be ignored (considering that this specific entitlement pair is held by sysdiagnose and ps, as shown already at the top of the same page, before the listing).

FAQ

Q: and how can we early buyer get these updated contents?
A: see per above. With the Pangu Chapter, I made that public, and a lot of Volume III's extra chapters are free (hyperlinked, above). BUT - I can't do that for every chapter. Again, I MUST apologize for not being able to concoct some "update" scheme wherein I nickel and dime for so and so extra pages. But I can't do that because (A) it would be nickel and diming and (B) I can't track already 500 copies in first month or so. Before you get riled by this, pause for a sec and realize that you wouldn't expect that from any "traditional" print book, which grows obsolete as soon as it sees print.

Q: wen eta Trident/Pegasus: v1.2. and it's out

Q: what about the other volumes: Working on them. Volume I is next (soon, I hope). Then Volume II. It's just relatively easy to update an existing volume and keep it up-to-date.