ChangeLog

MOXiI is now self-published, which enables me to keep the book continuously updated! Unlike a traditional print book, with which you have to wait for a new edition, I can update the original HTML file, reprint to PDF, and submit another batch to print! This will obviously not help copies already printed at that point, but any future copies going to print will automatically be as up-to-date as possible. This means that whenever one chooses to buy the book, he or she is guaranteed the latest and greatest edition. Think of it as you would software, where new versions come out every so often.

Over time, this will inevitably open up quite a gap between any past-printed versions and the latest ones. Beginning with v1.0.1, I started this changelog to help people track "What's New". If you bought an older copy and, at some point, wish to re-purchase the latest version of the book, please drop me a note and inform me you already have a previous version. I would be happy to cut you a $15/0.05BTC discount when you get a new copy. Note that you have to use BTC or Paypal for that - I can't do that via Amazon, sorry. (And, hey - when's the last time a publisher offered you such a discount on an upgrade, or even made an effort to keep a book so up-to-date?)

The MOXiI Volume I Change Log

02/06/2018 - 1.0.2
  • Dozens of typos caught by Guido Soranzio - Thank you SO MUCH
03/06/2018 - 1.0.3
  • iOS 9 did not leave behind the iPhone 4. iOS 8 did...
05/01/2018 - 1.0.4
  • pg 315 - Important correction - SEND_ONCE rights ARE transitive - not clonable, but movable. Table 11-1 should therefore read MOVE only for SEND ONCE.
    (And yes, I'm paying 0.01BTC for this - it was well deserved).
  • Loads more typos, especially those caught by 73696e65 - Thank you!
  • Added note about unique pids - "This unique identifier also comes in handy as it is saved for the parent process identifier, and does not change after reparenting or adoption by PID 1. It can be retrieved using proc_info's private PROC_PIDUNIQIDENTIFIERINFO flavor (#17)."
  • Table 8-13: Two filled entries which somehow were commented out:
    pthread_cond_signal_thread_np - Signal a condition variable to a specific thread
    pthread_cond_timedwait_relative_np - As pthread_cond_timedwait, with a relative timeout
  • Short explanation of Siri Shortcuts (iOS 12) and the new siriactionsd.
  • Better integration with Volume II, now that it's shaping up :-)
9/21/18 - v1.1 (really should have been v1.0.6..)
    Minor improvements for Darwin 18. Nothing finalized yet. So far, we have:
  • Table 9-5: added
    3831 - vm_map_exec_lockdown - Lock down the vm_map executable segment, preventing remapping (Darwin 18)
    (this is covered in depth in Volume II, rest assured)
  • Table 11-5: Added
    3236 - mach_port_special_reply_port_reset_link (Darwin 18) - Returns sync IPC turnstile link status
  • Typo corrections by bubbles - Thank you!
  • iOS/TVOS 12, WatchOS 4.0, MacOS 14 also listed in Intro chapter
  • Added [get/set]wgroups to Table 8-8, even though they're unimplemented, in an attempt to reach 100% syscall coverage through the trilogy
  • DYLD opcodes 0xD0 - threaded... explained! (nice going, AAPL!) I also threw a note about this in the forum post (see the added pages there).
  • Correction re: skywalk (bonding, not the IPv6 interface for BridgeOS)
  • Mention Corellium iOS Emulation. I haven't tried it myself, but something so potentially amazing cannot be omitted.
  • Mention tlv_atexit() (from <mach-o/dyld.h>) for Thread Local destructors
  • Better integration with Volume II (which is coming soon)
12/10/2018 - v1.2

    One year later, a major update, with 10% (= 53) more densely packed pages! Brings back some stuff I had originally pushed to Volume II, now that Volume II is close to finished and I know how to divide the material better. This includes:

    • 40 or so more pages of an entirely new chapter (#16) on Networking, from the user mode perspective:
      • PF_NDRV
      • PF_SYSTEM (SYSPROTO_EVENT and SYSPROTO_CONTROL)
      • Network configuration
      • sysctl MIBs - comprehensive lists of pretty much every single net.inet[6].* MIB
      • Network statistics
        • com.apple.network.statistics and the private NetworkStatistics.framework
      • Firewalling
        • ALF.kext
        • ipfw (Deprecated)
        • pf
      • Packet Capture
        • BPF
        • Pktap/iptap
      • QoS
      • Network Extension Control Policies (NECP)
      • com.apple.net.netagent
      • Skywalk (Nexi and Channels)

      I had originally thought I'd include that in Volume II, but now that Volume II is being finalized I realized its own networking chapter (from the kernel perspective) is already quite big - and user mode really belongs in Volume I.

    • 3 pages - Added descriptor types - including NECP, Nexi and Channels - to Chapter 3 ("Promenade"), since it discusses files already. Also discussed guard APIs (their implementation remains in Volume II), and fileports. Again, this was a mistake of mine since I cover the implementation of descriptors (struct fileproc, filedesc, fileglob and all that fun stuff) in Volume II, but the syscalls certainly make more sense in I.
    • 7 pages - Explained process, task and thread policies in Ch. 8 ("Parts of the Process") - I originally pushed all this to Volume II as well, but I realize that the discussion of how to use the Mach traps and syscalls (not how they work) is better suited for Volume I. Also discussed resource limits, in iopolicysys (#323), proc_rlimit_control (#446) and process_policy (#323)
    • 3 pages - Remote XPC! (Took me a while, I had to get myself a T2 machine..)
    Other, more minor changes:

    v1.2 marks what I really believe is the final update to Volume I. Unlike Volume III, which went on for a while because (A) Jailbreaks kept coming and (B) I was working on the trilogy anyway, it doesn't seem like (A) there will be a public JB in the near future and (B) I will still want to "support" Darwin 19 now that Volume II is DONE (pending AAPL's release of the XNU sources *sigh*). So that's it.


The MOXiI Volume III Change Log

10/17/2016 - 1.0
  • Initial version, sent to mass production for very first time :-)
11/04/2016 - 1.0.1
  • TONS of typo fixes, thanks to Eddie Cornejo!
  • Rounded edges on outputs/listings.
  • Post Scriptum.
11/16/2016 - 1.1
  • Pangu 9.3.3 chapter (#21) added
01/10/2017 - 1.2
  • Pegasus/Trident chapter (#22) added
  • Mach_portal (Ian Beer's awesome 10.1.1 chain) chapter (#23) added (thanks, Ian!)
  • Yalu+mach_portal (Luca's KPP bypass) chapter (#24) added
  • Miscellaneous typo fixes by @timacfr - Thank you!
02/04/2017 - 1.3g
  • Added Yalu 10.2 and CVE-2017-2370 exploit detail to chapter #24
  • A few typos in the appendix fixed (Thanks, jimmers!)
  • Added Glossary
03/21/2017 - 1.3.1
  • MACF coverage of priv_check changes from 2782 through 3789
  • Added LiberTV mention, naturally :-)
  • Just a few more typos..
08/07/2017 - 1.4
  • Coverage of Phœnix Jailbreak - as Chapter 22½, so as to not disrupt existing chapter numbering
  • Minor additions:
    • Updates to sandbox (new operations: dynamic-code-generation, fs-rename, fs-snapshot-revert, ipc-posix-sem*, managed-preference-read, socket-ioctl)
    • Code signature v20400 and use of detached in iOS 11
    • new CSR_ALLOW_* constants (256, 512) for SIP
09/26/2017 - 09/28/2017 - 1.4.2 (One year later :-)
  • What are hopefully the LAST $#$#% typo corrections (Thanks, Ian!).
  • amfid's role in kext verification (MacOS 13)
  • The new SystemPolicy.framework
  • Figure 5-4 updated for Code Signature 0x20400 (iOS11) (see below)
  • Figure 5-22 (Apple MIB hierarchy) slightly updated
  • CS_OPS_CLEARINSTALLER in Table 5-28
  • Fix table 6-17 which somehow remained with missing cells all this time
  • sandboxd (MacOS) new MIG messages in MacOS 13
  • A little more on datavault SIP (MacOS 13)
  • Detail on KTRR (KPP-successor in iPhone 7 and onwards) thanks to XNU 4570 sources
12/01/2017 - 1.4.3
  • Added slot -6 to code signing special slot, note on DMG signing
  • Clarified a blatantly obvious (and pretty nasty) 0-day (in Chapter 5) that's still in iOS and even more so MacOS 10.13 with SIP - which for some reason isn't obvious enough, after a year the book has been out..
  • A few more typos I could have sworn I eradicated yet @DubiousMind caught
  • Sandbox_ms (mac_syscall) changes in 570 and 765:
    • vtrace (0x13)
    • check_bulk (0x15)
    • reference_retain_by_audit_token (0x1c)
    • reference_release (0x1d)
    • rootless_allows_task_for_pid (0x1e)
    • rootless_whitelist_push (0x1f)
    • rootless_preflight (0x20)
    • rootless_protected_volume (0x21)
    • rootless_mkdir_protected and datavault conversions (0x22)
    (AAPL: if you're reading this, try to not renumber in the future, it messes up my tables)
12/31/2017 - 1.5
  • Chapter 25:
    • Ian Beer's IOSurface 11.1.2 exploit (CVE-2017-13861)
    • Discussion of post exploitation techniques and the new Jailbreak toolkit
03/15/2018 - 1.5.1
  • Two really tiny typo fixes ($HOME/.ssh in Ch1, and missing parentheses in Ch25)
  • Corrected HT20194 to HT201954 (pg 254)
  • Clarification in Table 8-28: The first entitlement is held by requester, the other two by target (Thanks to 0xdead10cc!).
  • Also made note "The extensions are stored (along with other Sandbox related data) in the second MACF label slot (that is, #1) accessible from the process credentials (q.v. Listing 3-7)" before introducing sbtool, after Table 8-23.
05/01/2018 - 1.5.2
  • Minor note on CS_EXECSEG.. flags in code signature 0x20400 (still apparently unused)
  • Minor expansion of QiLin coverage (Chapter #25) with sample code
  • Renumbering of references in Code Signing chapter due to missing ref to Apple's Code Signing Guide
06/25/2018 - 1.6
  • Updates in Darwin 18 Betas 1 & 2
08/28/2018 - 1.6.1
  • Minor addition to audit sessions (pg 25) as I attempt to make sure the trilogy covers every syscall Apple has ever introduced:

    "Apple has extended audit sessions to be carried over Mach ports and added proprietary system calls in Darwin 10. The audit_session_self call (#428) allows a process to get a Mach SEND right to its own session, or obtain a SEND right to other audit sessions (if their identifiers are known) using audit_session_port (#432). A process (task) with such a SEND right can then call audit_session_join (#429) with the port right."

09/24/2018 - 1.6.2
  • iOS 12 changes (in Appendix B of 1.6) finalized, TCC version 13, Sandbox 865 hook count actually reduced by one or two, ARMv8.3 PAC security impact discussed

    Yes, earlier I said 1.5 would be final, but I decided to go on and put all the iOS 12 changes in a short 5 page appendix, which has now been expanded to cover the ARMv8.3 impact on security. To reduce the page count (which makes the book super heavy already), the glossary was removed. The MPTCP and VFS exploits (for iOS 11.3.1) do not merit any new chapters (techniques used therein have already been used previously).
    The book is now about 538 pages (up from 530; well over 100 pages added from v1.0!) so that's it. If you were waiting for a time to get/update the book - I'd suggest now.

    FAQ

  • Q: And how can we early buyers get this updated content?
    A: See above. With the Pangu Chapter, I made that public, and a lot of Volume III's extra chapters are free (hyperlinked, above). BUT - I can't do that for every chapter. Again, I MUST apologize for not being able to concoct some "update" scheme wherein I nickel and dime for so and so extra pages. But I can't do that because (A) it would be nickel and diming and (B) I can't track the 500 copies already out there after the first month or so. Before you get riled by this, pause for a sec and realize that you wouldn't expect that from any "traditional" print book, which grows obsolete as soon as it sees print.
  • Q: wen eta Trident/Pegasus? A: v1.2, and it's out.
  • Q: what about the other volumes: Working on them. Volume I is next (soon, I hope). Then Volume II. It's just relatively easy to update an existing volume and keep it up-to-date.
  • Q: why does the book not have an index? Because doing one over HTML by hand is Sisyphean and certainly beyond my feeble capabilities. I did add a glossary in v1.3, though. And I'm working on making an online index.
  • Q: wen volume I? It's out already.
  • Q: wen volume II? Soon, but not too soon.. End of October, providing AAPL releases XNU sources for 4903 (with ARMv8.1 support too ;-)
  • Q: Are you still alive? I can't find you on Twitter! Yep. Alive, and never better. Social media has proven full of anti-social people. I'm taking an indefinitely long break.
  • Q: wen next MOXiI training? December 10th, NYC. It'll be a blast, as always :-)

  * (of course I said that after 10.1.1, but - hey - at least I'm trying to keep up with this manic pace of jailbreaking!)