Notes from iOS 10 and the Mac OS X 10.12 Preview
Jonathan Levin, @Morpheus______, http://newosxbook.com/ - 06/14/16
0. Changelog
| 6/14/16: | First version |
| 6/19/16: | Added daemons of |
| 7/06/16 | :10b2 added |
| 8/10/16 | :10b5 added |
I'll be covering updated material for OS X 10.12 and iOS 10 at Our iOS/OS X for Reverse Engineers Course
About
By now, it's somewhat of a tradition - going into the third year, as I get my talons on the OS X and iOS betas and share my findings. As usual, tthe standard disclaimer:
Changelist
As an unexpected bonus, the Swift Playground (awesome idea, guys!) contains the iOS SDK *on* the device itself. How cool is that? Relieved me of the torture of downloading XCode 8b :-) From the header files we learn:
- Bye bye, breadcrumbs - The
os_*_breadcrumbAPI is deprecated, in favor ofos_activity_label_useraction. - Hello, signposts -
os_signpostnow wrapskdebug_signpost. It's always great to see Apple continue to invest and improve this awesome API (second only to DTrace). mach_continuous_[approximate_]timemkostemp[s]for temp files, apparently- Plenty of changes to GCD, which will go right to Volume I after I research them. Also
os_unfair_lock_s- looks swell - Minor additions to objc runtime
- dyld_all_image_infos updated! v15, no less (but apparently breaking compatibility with v14, guys - put the fields in order maybe? Right after SharedCacheUUID we have:
/* the following field is only in version 15 (Mac OS X 10.12, iOS 10.0) and later */ uint64_t infoArrayChangeTimestamp; uintptr_t sharedCacheBaseAddress; const char* dyldPath; mach_port_t notifyPorts[2]; // HMMMMMMMMM.... - My favorite wiseguy, launchd, is now at version 4.0. And so we shall spar again :-) Apple removed the easter egg citing Becket. Shame on you, AAPL! That's what made me love
launchdafter hours of poring through disassembly and seeing that. Where's your sense of humor?!
XNU
- XNU is now at
37053789.2.4 (GM) - The sections of XNU are changed. In iOS:
morpheus@Zephyr (~/Documents/iOS/10) % jtool -l xnu.3789.n66 LC 00: LC_SEGMENT_64 Mem: 0xfffffff007004000-0xfffffff007060000 __TEXT Mem: 0xfffffff007007d00-0xfffffff00701f6b8 __TEXT.__const Mem: 0xfffffff00701f6b8-0xfffffff00705e98c __TEXT.__cstring (C-String Literals) Mem: 0xfffffff00705e98c-0xfffffff00705ffe1 __TEXT.__os_log LC 01: LC_SEGMENT_64 Mem: 0xfffffff007060000-0xfffffff00707c000 __DATA_CONST Mem: 0xfffffff007060000-0xfffffff007060210 __DATA_CONST.__mod_init_func (Module Init Function Ptrs) Mem: 0xfffffff007060210-0xfffffff007060418 __DATA_CONST.__mod_term_func (Module Termination Function Ptrs) Mem: 0xfffffff007060420-0xfffffff00707bff8 __DATA_CONST.__const LC 02: LC_SEGMENT_64 Mem: 0xfffffff00707c000-0xfffffff0074f8000 __TEXT_EXEC Mem: 0xfffffff00707c000-0xfffffff0074f49e4 __TEXT_EXEC.__text (Normal) LC 03: LC_SEGMENT_64 Mem: 0xfffffff0074f8000-0xfffffff0074fc000 __KLD Mem: 0xfffffff0074f8000-0xfffffff0074f96dc __KLD.__text (Normal) Mem: 0xfffffff0074f96dc-0xfffffff0074f9ea8 __KLD.__cstring (C-String Literals) Mem: 0xfffffff0074f9ea8-0xfffffff0074f9f10 __KLD.__const Mem: 0xfffffff0074f9f10-0xfffffff0074f9f18 __KLD.__mod_init_func (Module Init Function Ptrs) Mem: 0xfffffff0074f9f18-0xfffffff0074f9f20 __KLD.__mod_term_func (Module Termination Function Ptrs) Mem: 0xfffffff0074f9f20-0xfffffff0074f9f21 __KLD.__bss (Zero Fill) LC 04: LC_SEGMENT_64 Mem: 0xfffffff0074fc000-0xfffffff007500000 __LAST Mem: 0xfffffff0074fc000-0xfffffff0074fc008 __LAST.__mod_init_func (Module Init Function Ptrs) Mem: 0xfffffff0074fc008-0xfffffff0074fc008 __LAST.__last (Zero Fill) LC 05: LC_SEGMENT_64 Mem: 0xfffffff007500000-0xfffffff0075b0000 __DATA Mem: 0xfffffff007500000-0xfffffff007530c98 __DATA.__data Mem: 0xfffffff007530c98-0xfffffff007532db0 __DATA.__sysctl_set Mem: 0xfffffff007532db0-0xfffffff007532db0 __DATA.__llvm_prf_cnts Mem: 0xfffffff007532db0-0xfffffff007532db0 __DATA.__llvm_prf_data Mem: 0xfffffff007532db0-0xfffffff007532db0 __DATA.__llvm_prf_names Mem: 0xfffffff007533000-0xfffffff0075ad7f0 __DATA.__bss (Zero Fill) Mem: 0xfffffff0075ae000-0xfffffff0075af130 __DATA.__common (Zero Fill) LC 06: LC_SEGMENT_64 Mem: 0xfffffff00606c000-0xfffffff0063dc000 __PRELINK_TEXT Mem: 0xfffffff00606c000-0xfffffff0063dc000 __PRELINK_TEXT.__text LC 07: LC_SEGMENT_64 Mem: 0xfffffff0063dc000-0xfffffff006e50000 __PLK_TEXT_EXEC Mem: 0xfffffff0063dc000-0xfffffff006e50000 __PLK_TEXT_EXEC.__text LC 08: LC_SEGMENT_64 Mem: 0xfffffff007610000-0xfffffff0076c4000 __PRELINK_DATA Mem: 0xfffffff007610000-0xfffffff0076c4000 __PRELINK_DATA.__data LC 09: LC_SEGMENT_64 Mem: 0xfffffff006e50000-0xfffffff007004000 __PLK_DATA_CONST Mem: 0xfffffff006e50000-0xfffffff007004000 __PLK_DATA_CONST.__data LC 10: LC_SEGMENT_64 Mem: 0xfffffff0076c4000-0xfffffff0076c4000 __PLK_LINKEDIT Mem: 0xfffffff0076c4000-0xfffffff0076c4000 __PLK_LINKEDIT.__data LC 11: LC_SEGMENT_64 Mem: 0xfffffff0076c4000-0xfffffff00788c000 __PRELINK_INFO Mem: 0xfffffff0076c4000-0xfffffff00788c000 __PRELINK_INFO.__info LC 12: LC_SEGMENT_64 Mem: 0xfffffff0075b0000-0xfffffff00760cc18 __LINKEDIT LC 13: LC_SYMTAB Symbol table is at offset 0x55ac08 (5614600), 4504 entries String table is at offset 0x56c588 (5686664), 132752 bytes LC 14: LC_DYSYMTAB No local symbols 4504 external symbols at index 0 No undefined symbols No TOC No modtab No Indirect symbols LC 15: LC_UUID UUID: DD9D6FB0-34E6-37C3-8D30-BEABAE3DE4F1 LC 16: LC_VERSION_MIN_IPHONEOS Minimum iOS version: 10.0.0 LC 17: LC_SOURCE_VERSION Source Version: 3789.1.24.0.0 LC 18: LC_UNIXTHREAD Entry Point: 0xfffffff007081068 LC 19: LC_FUNCTION_STARTS Offset: 5597272, Size: 17328 (0x556858-0x55ac08) with 10797 functionsAnd in OS X, though we have
__CONST, the__TEXT.__textis still there - New host special ports: Almost missed unlucky #13:
#define HOST_KTRACE_BACKGROUND_PORT (6 + HOST_MAX_SPECIAL_KERNEL_PORT) ... #define HOST_NODE_PORT (19 + HOST_MAX_SPECIAL_KERNEL_PORT) #define HOST_RESOURCE_NOTIFY_PORT (20 + HOST_MAX_SPECIAL_KERNEL_PORT) - VM protection of EXECUTE ONLY! Cool! (thanks to anonymous tip reminding me about this)
mach/vm_prot.h:#define VM_PROT_EXECUTE_ONLY (VM_PROT_EXECUTE|VM_PROT_STRIP_READ)
- New MIGs!
{ "task_generate_corpse", 3442 },\ { "task_map_corpse_info", 3443 },\ { "task_register_dyld_image_infos", 3444 },\ { "task_unregister_dyld_image_infos", 3445 },\ { "task_get_dyld_image_infos", 3446 },\ { "task_register_dyld_shared_cache_image_info", 3447 },\ { "task_register_dyld_set_dyld_state", 3448 },\ { "task_register_dyld_get_process_state", 3449 },\ { "task_map_corpse_info_64", 3450 } { "host_set_multiuser_config_flags", 228 },\ { "host_get_multiuser_config_flags", 229 },\ { "host_check_multiuser_mode", 230 } /* MULTIUSER! iOS! Whoa! AT LAST! */ - The system call table shows several new syscalls. As usual, one has to go a tad deeper than those syscalls which were added at the end. Thanks to
<sys/syscall.h> we have:#define SYS_invalid 63 .. #define SYS_kdebug_typefilter 177 .. /* 185 old chud */ // CHUD is officially dead. .. #define SYS_clonefileat 462 /* reclaimed from 10.10(!) reservation */ #define SYS_persona 494 /* reclaimed from 10.11 reservation */ .. #define SYS_getentropy 500 #define SYS_necp_open 501 #define SYS_necp_client_action 502 #define SYS___nexus_open 503 #define SYS___nexus_register 504 #define SYS___nexus_deregister 505 #define SYS___nexus_create 506 #define SYS___nexus_destroy 507 #define SYS___nexus_get_opt 508 #define SYS___nexus_set_opt 509 #define SYS___channel_open 510 #define SYS___channel_get_info 511 #define SYS___channel_sync 512 #define SYS___channel_get_opt 513 #define SYS___channel_set_opt 514 #define SYS_ulock_wait 515 #define SYS_ulock_wake 516 #define SYS_fclonefileat 517 #define SYS_fs_snapshot 518 /* 519 */ #define SYS_terminate_with_payload 520 #define SYS_abort_with_payload 521
- RIP stack_snapshot! Murderers!! My 2nd favorite syscall is gone! Time to rewrite procexp for
[micro]stack_snapshot_with_config - More memory tags:
/* Swift runtime */ #define VM_MEMORY_SWIFT_RUNTIME 82 /* Swift metadata */ #define VM_MEMORY_SWIFT_METADATA 83 /* DHMM data */ #define VM_MEMORY_DHMM 84 /* memory needed for DFR related actions */ #define VM_MEMORY_DFR 85 /* memory allocated by SceneKit.framework */ #define VM_MEMORY_SCENEKIT 86 /* memory allocated by skywalk networking */ #define VM_MEMORY_SKYWALK 87
- A new MACH trap!
mach_generate_activity_id! - Something for qwert:
< #define F_CHECK_LV 98 /* Check if Library Validation allows this Mach-O file to be mapped into the calling process */ 390,407d388 /* * DYLD needs to check if the object is allowed to be combined * into the main binary. This is done between the code signature * is loaded and dyld is doing all the work to process the LOAD commands. * * While this could be done in F_ADDFILESIGS.* family the hook into * the MAC module doesn't say no when LV isn't enabled and then that * is cached on the vnode, and the MAC module never gets change once * a process that library validation enabled. */ typedef struct fchecklv { off_t lv_file_start; size_t lv_error_message_size; void *lv_error_message; } fchecklv_t; - APFS - this will be big. Very little information, but I'll fool around with whatever Apple throws out and investigate the implementation, rather than wait for documentation which will go the way of TN1150 (HFS+). Good thing I cover filesystems in Volume II - there'll be time for that
1. iOS 10
The big news here is that Apple, for whatever reason and for the very first time, neglected to encrypt the rootFS and the kernelcache, as well as the logos and deviceTree. The logos, nobody cares about. The DeviceTree, you can get from ioreg. The rootFS you can reconstruct using the OTA method. But the kernelcache being unencrypted is an absolute godsend, second only to getting the source code of XNU with the ARM64 portions filled in.
Why? Because the kernelcache contains a lot of sections and regions which get discarded during runtime, such as the detailed PRELINK_INFO.
The other big deal here is that whatever the Stazi might protest about "pirating kernels", it is now perfectly valid to look at and inspect the kernelcache. I've started the long and painful process of getting all the ARM64 examples into MOXiI's 2nd Ed (instead of x86_64), and this will greatly augment the OSX/iOS training offered by TechnoloGeeks.
Also - on the more personal front, the kernelcache is helping me in my not-so-secret-anymore project of porting XNU to ARM64. Yes, it's been tried before by @winocm and others, but they all mysteriously disappeared as AAPL nabbed them. Won't happen here.
Not only does this not delay MOX*I by much, it will add an unprecendented level of detail. See update here
Examining the kernelcache also reveals a component which eluded analysis for the longest time - the infamous Kernel Patch Protector (KPP - q.v. here). Contrary to popular belief, this doesn't run on a separate processor, but is really just a Hypervisor/Monitor implementation of the ARM64 EL3 layer. I'll be detailing this in the book (which is just about one month away!).
With beta 2, kext structures have been changed too. Apparently kexts are now split in some way. Stuff moved into __DATA_CONST.__const :-(. Joker's -Kextraction ability is severly impaired as a result! The following output is from beta1, which still works:
morpheus@zephyr (/tmp)$ joker -k xnu.3705.j99a This is a 64-bit kernel from iOS 10.x, or later (3705.0.0.2.3) Only 0 kexts figured out. This is a dump, isn't it? Trying method #2 Unable to get kexts from __PRELINK_INFO.. going straight for __PRELINK_TEXT 1: built-in?(3705.0.0.2.3) at 0x574000 (4000 bytes) 2: built-in?(3705.0.0.2.3) at 0x578000 (c000 bytes) 3: built-in?(3705.0.0.2.3) at 0x584000 (4000 bytes) 4: built-in?(3705.0.0.2.3) at 0x588000 (1c000 bytes) 5: built-in?(3705.0.0.2.3) at 0x5a4000 (c000 bytes) 6: built-in?(3705.0.0.2.3) at 0x5b0000 (8000 bytes) 7: com.apple.iokit.IONetworkingFamily(116.0.0.0.0) at 0x5b8000 (28000 bytes) 8: com.apple.iokit.IOTimeSyncFamily(500.23.0.0.0) at 0x5e0000 (1c000 bytes) 9: built-in?(500.23.0.0.0) at 0x5fc000 (4000 bytes) 10: com.apple.kec.corecrypto(414.0.0.0.0) at 0x600000 (50000 bytes) 11: com.apple.driver.AppleMobileFileIntegrity(206.0.0.1.2) at 0x650000 (38000 bytes) 12: com.apple.iokit.IOHIDFamily(826.0.0.1.3) at 0x688000 (3c000 bytes) 13: com.apple.driver.AppleInputDeviceSupport(70.2.0.0.0) at 0x6c4000 (c000 bytes) 14: com.apple.iokit.IOSlowAdaptiveClockingFamily(8.0.0.0.0) at 0x6d0000 (c000 bytes) 15: built-in?(206.0.0.0.0) at 0x6dc000 (20000 bytes) 16: com.apple.iokit.IOReporting(39.0.0.0.0) at 0x6fc000 (c000 bytes) 17: com.apple.driver.AppleARMPlatform(584.0.0.0.0) at 0x708000 (68000 bytes) 18: com.apple.driver.AppleMultitouchDriver(355.0.0.0.0) at 0x770000 (24000 bytes) 19: com.apple.driver.AppleEmbeddedBluetoothMultitouch(70.0.0.0.0) at 0x794000 (14000 bytes) 20: com.apple.driver.AppleSamsungSPI(114.0.0.0.0) at 0x7a8000 (10000 bytes) 21: built-in?(436.0.0.0.0) at 0x7b8000 (1c000 bytes) 22: com.apple.driver.AppleS5L8920XPWM(354.0.0.0.0) at 0x7d4000 (c000 bytes) 23: com.apple.driver.AppleHIDTransport(70.2.0.0.0) at 0x7e0000 (28000 bytes) 24: com.apple.driver.AppleHIDTransportSPI(70.2.0.0.0) at 0x808000 (1c000 bytes) 25: com.apple.driver.AppleUSBHostMergeProperties(281.0.0.0.0) at 0x824000 (c000 bytes) 26: com.apple.iokit.IOUSBDeviceFamily(296.0.0.0.0) at 0x830000 (1c000 bytes) 27: com.apple.iokit.IOSerialFamily(90.0.0.0.0) at 0x84c000 (10000 bytes) 28: com.apple.iokit.IOSkywalkFamily(11.0.0.0.0) at 0x85c000 (c000 bytes) 29: com.apple.driver.AppleOnboardSerial(137.0.0.0.0) at 0x868000 (1c000 bytes) 30: com.apple.iokit.IOAccessoryManager(274.0.0.1.1) at 0x884000 (38000 bytes) 31: com.apple.iokit.IOMikeyBusFamily(56.0.0.0.0) at 0x8bc000 (20000 bytes) 32: com.apple.iokit.IOStreamAudioFamily(8.0.0.0.0) at 0x8dc000 (c000 bytes) 33: com.apple.iokit.IOAudio2Family(8.0.0.0.0) at 0x8e8000 (10000 bytes) 34: com.apple.iokit.AppleARMIISAudio(75.0.0.0.0) at 0x8f8000 (10000 bytes) 35: com.apple.driver.AppleEmbeddedAudio(417.80.0.0.0) at 0x908000 (30000 bytes) 36: com.apple.driver.AppleCSEmbeddedAudio(417.80.0.0.0) at 0x938000 (1c000 bytes) 37: com.apple.driver.AppleCS42L81Audio(417.80.0.0.0) at 0x954000 (10000 bytes) 38: com.apple.driver.AppleFirmwareUpdateKext(3.0.0.0.0) at 0x964000 (10000 bytes) 39: com.apple.driver.AppleIPAppender(41.0.0.0.0) at 0x974000 (c000 bytes) 40: com.apple.driver.AppleMultitouchSPI(355.0.0.0.0) at 0x980000 (20000 bytes) 41: com.apple.iokit.IOPCIFamily(279.0.0.0.0) at 0x9a0000 (1c000 bytes) 42: com.apple.driver.AppleEmbeddedPCIE(208.0.0.0.0) at 0x9bc000 (14000 bytes) 43: com.apple.driver.IOSlaveProcessor(14.1.0.0.0) at 0x9d0000 (c000 bytes) 44: com.apple.driver.AppleA7IOP(86.0.0.0.0) at 0x9dc000 (14000 bytes) 45: com.apple.driver.AppleSEPManager(174.0.0.0.0) at 0x9f0000 (24000 bytes) 46: com.apple.driver.AppleBiometricSensor(161.0.0.0.0) at 0xa14000 (24000 bytes) 47: com.apple.driver.ProvInfoIOKit(0.0.0.0.0) at 0xa38000 (18000 bytes) 48: com.apple.iokit.IOSurface(142.0.0.0.0) at 0xa50000 (18000 bytes) 49: com.apple.driver.AppleAVE(102.19.0.0.0) at 0xa68000 (1d0000 bytes) 50: com.apple.driver.IODARTFamily(88.0.0.0.0) at 0xc38000 (14000 bytes) 51: com.apple.driver.AppleS5L8960XDART(110.0.0.0.0) at 0xc4c000 (10000 bytes) 52: com.apple.driver.DiskImages(439.2.0.0.0) at 0xc5c000 (10000 bytes) 53: com.apple.driver.DiskImages.KernelBacked(439.2.0.0.0) at 0xc6c000 (c000 bytes) 54: com.apple.driver.DiskImages.RAMBackingStore(439.2.0.0.0) at 0xc78000 (c000 bytes) 55: com.apple.driver.AppleJPEGDriver(4.3.3.0.0) at 0xc84000 (1c000 bytes) 56: com.apple.ApplePMGR(118.0.0.0.0) at 0xca0000 (1c000 bytes) 57: com.apple.ApplePMGR(118.0.0.0.0) at 0xcbc000 (c000 bytes) 58: com.apple.driver.AppleS8001PCIe(208.0.0.0.0) at 0xcc8000 (10000 bytes) 59: com.apple.iokit.IOUSBHostFamily(281.0.0.0.0) at 0xcd8000 (60000 bytes) 60: com.apple.driver.usb.AppleUSBXHCI(281.0.0.0.0) at 0xd38000 (38000 bytes) 61: com.apple.driver.usb.AppleUSBXHCIPCI(281.0.0.0.0) at 0xd70000 (1c000 bytes) 62: com.apple.driver.AppleTriStar(63.0.0.1.1) at 0xd8c000 (10000 bytes) 63: com.apple.driver.AppleEmbeddedMikeyBus(174.0.0.1.1) at 0xd9c000 (30000 bytes) 64: com.apple.driver.AppleMikeyBusAudio(1.11.0.0.0) at 0xdcc000 (18000 bytes) 65: com.apple.IOCECFamily(46.0.0.0.0) at 0xde4000 (c000 bytes) 66: com.apple.iokit.IOAVFamily(152.0.0.0.0) at 0xdf0000 (4c000 bytes) 67: com.apple.iokit.IODisplayPortFamily(509.0.0.0.0) at 0xe3c000 (24000 bytes) 68: com.apple.driver.AppleDPDisplay(39.0.0.0.0) at 0xe60000 (10000 bytes) 69: com.apple.driver.AppleS5L8940XI2C(160.0.0.0.0) at 0xe70000 (c000 bytes) 70: com.apple.driver.AppleEmbeddedUSB(305.0.0.0.1) at 0xe7c000 (10000 bytes) 71: com.apple.iokit.IOCryptoAcceleratorFamily(100.0.0.0.0) at 0xe8c000 (14000 bytes) 72: com.apple.EncryptedBlockStorage(16.0.0.0.0) at 0xea0000 (c000 bytes) 73: com.apple.driver.AppleEffaceableStorage(51.0.0.0.0) at 0xeac000 (10000 bytes) 74: com.apple.driver.LightweightVolumeManager(97.0.0.0.0) at 0xebc000 (18000 bytes) 75: com.apple.driver.usb.AppleUSBHostCompositeDevice(281.0.0.0.0) at 0xed4000 (c000 bytes) 76: com.apple.driver.usb.AppleUSBEHCI(281.0.0.0.0) at 0xee0000 (34000 bytes) 77: com.apple.driver.AppleUSBHSIC(305.0.0.0.1) at 0xf14000 (10000 bytes) 78: com.apple.driver.usb.networking(130.0.0.0.0) at 0xf24000 (c000 bytes) 79: com.apple.driver.usb.hsic.cellular(130.0.0.0.0) at 0xf30000 (18000 bytes) 80: com.apple.driver.AppleM2ScalerCSC(30.0.5.0.0) at 0xf48000 (60000 bytes) 81: com.apple.driver.usb.cdc(130.0.0.0.0) at 0xfa8000 (c000 bytes) 82: com.apple.driver.usb.cdc.ncm(130.0.0.0.0) at 0xfb4000 (10000 bytes) 83: com.apple.driver.AppleUSBEthernetDevice(138.0.0.0.0) at 0xfc4000 (c000 bytes) 84: com.apple.driver.corecapture(179.0.0.0.0) at 0xfd0000 (24000 bytes) 85: com.apple.iokit.IO80211Family(194.1.0.0.0) at 0xff4000 (b8000 bytes) 86: com.apple.plugin.IOgPTPPlugin(500.23.0.0.0) at 0x10ac000 (38000 bytes) 87: com.apple.driver.LSKDIOKit(0.0.0.0.0) at 0x10e4000 (78000 bytes) 88: com.apple.driver.FairPlayIOKit(0.0.0.0.0) at 0x115c000 (80000 bytes) 89: com.apple.driver.LSKDIOKitMSE(0.0.0.0.0) at 0x11dc000 (5c000 bytes) 90: com.apple.driver.AppleD5500(122.0.0.0.0) at 0x1238000 (54000 bytes) 91: com.apple.driver.AppleEmbeddedTempSensor(100.0.0.1.1) at 0x128c000 (1c000 bytes) 92: com.apple.driver.AppleOrion(41.0.0.0.0) at 0x12a8000 (10000 bytes) 93: com.apple.driver.AppleHighVoltageCharger(46.0.0.0.0) at 0x12b8000 (10000 bytes) 94: com.apple.driver.AppleSSE(66.0.0.0.0) at 0x12c8000 (c000 bytes) 95: com.apple.ASIOKit(0.0.0.0.0) at 0x12d4000 (14000 bytes) 96: com.apple.AppleS8000DWI(82.0.0.0.0) at 0x12e8000 (c000 bytes) 97: com.apple.driver.usb.AppleUSBOHCI(281.0.0.0.0) at 0x12f4000 (1c000 bytes) 98: com.apple.driver.usb.AppleUSBHub(281.0.0.0.0) at 0x1310000 (2c000 bytes) 99: com.apple.driver.AppleEmbeddedUSBHost(305.0.0.0.1) at 0x133c000 (10000 bytes) 100: com.apple.driver.AppleUSBOHCIARM(305.0.0.0.1) at 0x134c000 (10000 bytes) 101: com.apple.driver.AppleT7000USBOHCI(305.0.0.0.1) at 0x135c000 (c000 bytes) 102: com.apple.iokit.IOUserEthernet(38.0.0.0.0) at 0x1368000 (c000 bytes) 103: com.apple.driver.AppleUSBDeviceAudioController(305.36.0.0.0) at 0x1374000 (c000 bytes) 104: com.apple.driver.AppleUSBAudio(305.36.0.0.0) at 0x1380000 (58000 bytes) 105: com.apple.driver.DiskImages.UDIFDiskImage(439.2.0.0.0) at 0x13d8000 (10000 bytes) 106: com.apple.AppleLMBacklight(11.0.0.0.0) at 0x13e8000 (c000 bytes) 107: com.apple.iokit.IOSCSIArchitectureModelFamily(391.0.0.0.0) at 0x13f4000 (10000 bytes) 108: com.apple.iokit.IOSCSIBlockCommandsDevice(391.0.0.0.0) at 0x1404000 (14000 bytes) 109: com.apple.iokit.IOUSBMassStorageDriver(126.1.1.0.0) at 0x1418000 (14000 bytes) 110: com.apple.driver.AppleUSBCardReader(396.0.0.0.0) at 0x142c000 (10000 bytes) 111: com.apple.ApplePMGR(118.0.0.0.0) at 0x143c000 (c000 bytes) 112: com.apple.driver.usb.IOUSBHostHIDDevice(281.0.0.0.0) at 0x1448000 (10000 bytes) 113: com.apple.AppleARM64ErrorHandler(15.0.0.0.0) at 0x1458000 (c000 bytes) 114: com.apple.AppleS8001(27.0.0.0.0) at 0x1464000 (1c000 bytes) 115: com.apple.nke.ppp(831.0.0.1.1) at 0x1480000 (14000 bytes) 116: com.apple.nke.lttp(831.0.0.1.1) at 0x1494000 (10000 bytes) 117: com.apple.driver.AppleSynopsysOTGDevice(227.0.0.0.0) at 0x14a4000 (18000 bytes) 118: com.apple.driver.RTBuddy(173.0.0.0.0) at 0x14bc000 (2c000 bytes) 119: com.apple.drivers.AppleS7002SPU(277.0.0.1.1) at 0x14e8000 (160000 bytes) 120: com.apple.AppleS8000(82.0.0.0.0) at 0x1648000 (18000 bytes) 121: com.apple.iokit.IOMobileGraphicsFamily(85.0.26.0.2) at 0x1660000 (20000 bytes) 122: com.apple.IOTextEncryptionFamily(21.0.0.0.0) at 0x1680000 (c000 bytes) 123: com.apple.AppleAstrisGpioProbe(17.0.0.0.0) at 0x168c000 (10000 bytes) 124: com.apple.driver.AppleH6CameraInterface(11.97.1.0.0) at 0x169c000 (24000 bytes) 125: com.apple.driver.AppleMobileApNonce(10.0.0.2.1) at 0x16c0000 (c000 bytes) 126: com.apple.driver.AppleUSBMike(61.0.0.0.0) at 0x16cc000 (10000 bytes) 127: com.apple.Libm.kext(3121.1.0.0.0) at 0x16dc000 (10000 bytes) 128: com.apple.driver.AppleS8000CLPC(72.0.0.0.0) at 0x16ec000 (30000 bytes) 129: com.apple.driver.AppleSEPKeyStore(336.0.0.0.0) at 0x171c000 (20000 bytes) 130: com.apple.driver.DiskImages.FileBackingStore(439.2.0.0.0) at 0x173c000 (c000 bytes) 131: com.apple.driver.AppleEmbeddedProx(61.0.0.0.0) at 0x1748000 (10000 bytes) 132: com.apple.driver.ApplePMP(21.0.0.0.0) at 0x1758000 (c000 bytes) 133: com.apple.driver.AppleS5L8960XNCO(151.0.0.0.0) at 0x1764000 (c000 bytes) 134: com.apple.iokit.IOStreamFamily(114.0.0.0.0) at 0x1770000 (c000 bytes) 135: com.apple.iokit.IOAcceleratorFamily(260.0.0.0.0) at 0x177c000 (3c000 bytes) 136: com.apple.AGX(95.4.3.0.0) at 0x17b8000 (88000 bytes) 137: com.apple.kec.pthread(202.0.0.1.1) at 0x1840000 (14000 bytes) 138: com.apple.driver.AppleEmbeddedUSBXHCI(305.0.0.0.1) at 0x1854000 (14000 bytes) 139: com.apple.driver.AppleMesaSEPDriver(376.0.0.0.0) at 0x1868000 (24000 bytes) 140: com.apple.driver.AppleStockholmControl(270.45.4.1.0) at 0x188c000 (c000 bytes) 141: com.apple.driver.AppleSamsungSerial(114.0.0.0.0) at 0x1898000 (c000 bytes) 142: com.apple.driver.AppleBasebandN61(419.0.0.0.0) at 0x18a4000 (10000 bytes) 143: com.apple.driver.AppleBSDKextStarter(8.0.0.0.0) at 0x18b4000 (c000 bytes) 144: com.apple.driver.usb.cdc.ecm(130.0.0.0.0) at 0x18c0000 (c000 bytes) # So APFS will make it to iOS, too 145: com.apple.filesystems.apfs(204.0.0.1.2) at 0x18cc000 (6c000 bytes) 146: com.apple.kext.Match(27.0.0.0.0) at 0x1938000 (c000 bytes) 147: com.apple.AGXFirmwareKextG5G(95.4.3.0.0) at 0x1944000 (24000 bytes) 148: com.apple.driver.AppleANXDPTX(73.1.1.0.0) at 0x1968000 (28000 bytes) 149: com.apple.driver.AppleEffaceableBlockDevice(51.0.0.0.0) at 0x1990000 (c000 bytes) 150: com.apple.AppleS8000AES(82.0.0.0.0) at 0x199c000 (c000 bytes) 151: com.apple.driver.AppleBluetooth(6.0.0.0.0) at 0x19a8000 (c000 bytes) 152: com.apple.driver.usb.ethernet.asix(130.0.0.0.0) at 0x19b4000 (14000 bytes) 153: com.apple.driver.AppleCredentialManager(111.0.0.0.0) at 0x19c8000 (c000 bytes) 154: com.apple.driver.AppleS8001PMPFirmware(21.0.0.0.0) at 0x19d4000 (44000 bytes) 155: com.apple.driver.AppleSamsungPKE(114.0.0.0.0) at 0x1a18000 (c000 bytes) 156: com.apple.driver.AppleInterruptController(36.0.0.0.0) at 0x1a24000 (c000 bytes) 157: com.apple.driver.AppleAuthCP(27.0.0.0.0) at 0x1a30000 (c000 bytes) 158: com.apple.driver.AppleDialogPMU(659.0.0.0.0) at 0x1a3c000 (10000 bytes) 159: com.apple.driver.AppleD2231Charger(659.0.0.0.0) at 0x1a4c000 (34000 bytes) 160: com.apple.driver.AppleS5L8960XGPIOIC(151.0.0.0.0) at 0x1a80000 (c000 bytes) 161: com.apple.security.sandbox(570.0.0.0.0) at 0x1a8c000 (8c000 bytes) 162: com.apple.driver.AppleHIDKeyboard(194.0.0.0.0) at 0x1b18000 (10000 bytes) 163: com.apple.driver.AppleHDQGasGaugeControl(177.0.0.1.1) at 0x1b28000 (14000 bytes) 164: com.apple.driver.AppleAE2Audio(86.5.0.0.0) at 0x1b3c000 (10000 bytes) 165: com.apple.driver.AppleNANDConfigAccess(6.0.0.0.0) at 0x1b4c000 (c000 bytes) 166: com.apple.iokit.IONVMeFamily(230.0.0.0.0) at 0x1b58000 (40000 bytes) 167: com.apple.driver.AppleSRSDriver(1.0.18.0.0) at 0x1b98000 (2c000 bytes) 168: com.apple.driver.AppleMAX98721Amp(417.80.0.0.0) at 0x1bc4000 (c000 bytes) 169: com.apple.driver.IOAudioCodecs(53.0.0.0.0) at 0x1bd0000 (3c000 bytes) 170: com.apple.driver.DiskImages.ReadWriteDiskImage(439.2.0.0.0) at 0x1c0c000 (c000 bytes) 171: com.apple.AppleFSCompression.AppleFSCompressionTypeZlib(88.0.0.0.0) at 0x1c18000 (c000 bytes) 172: com.apple.driver.AppleBCMWLANCore(18.0.0.0.0) at 0x1c24000 (104000 bytes) 173: com.apple.driver.AppleBCMWLANBusInterfacePCIe(18.0.0.0.0) at 0x1d28000 (30000 bytes) 174: com.apple.driver.AppleUSBEHCIARM(305.0.0.0.1) at 0x1d58000 (10000 bytes) 175: com.apple.driver.AppleS5L8960XUSBHSIC(305.0.0.0.1) at 0x1d68000 (c000 bytes) 176: com.apple.driver.AppleS5L8960XUSBEHCI(305.0.0.0.1) at 0x1d74000 (c000 bytes) 177: com.apple.driver.AppleUSBDeviceNCM(130.0.0.0.0) at 0x1d80000 (c000 bytes) 178: com.apple.driver.AppleMobileDispH8G(85.0.26.0.2) at 0x1d8c000 (64000 bytes) 179: com.apple.file-systems.hfs.kext(360.0.0.0.0) at 0x1df0000 (64000 bytes) 180: com.apple.driver.AppleSamsungI2S(114.0.0.0.0) at 0x1e54000 (c000 bytes) 181: com.apple.driver.AppleM68Buttons(71.0.0.0.0) at 0x1e60000 (c000 bytes) 182: com.apple.driver.AppleUSBDeviceMux(372.0.0.0.0) at 0x1e6c000 (10000 bytes) 183: com.apple.nke.pptp(831.0.0.1.1) at 0x1e7c000 (c000 bytes) 184: com.apple.driver.AppleS5L8960XWatchDogTimer(151.0.0.0.0) at 0x1e88000 (c000 bytes) 185: com.apple.iokit.IOAcceleratorFamily(260.0.0.0.0) at 0x1e94000 (2c000 bytes) 186: com.apple.driver.AppleUSBEthernetHost(138.0.0.0.0) at 0x1ec0000 (c000 bytes) 187: com.apple.driver.AppleS8001SmartIO(169.0.0.0.0) at 0x1ecc000 (70000 bytes) 188: com.apple.driver.AppleDPRepeater(206.1.1.0.0) at 0x1f3c000 (34000 bytes) 189: com.apple.driver.AppleIDAMInterface(10.0.0.0.0) at 0x1f70000 (c000 bytes) 190: com.apple.driver.AppleDiagnosticDataAccessReadOnly(24.0.0.0.0) at 0x1f7c000 (c000 bytes) 191: com.apple.driver.AppleBiometricServices(376.0.0.0.0) at 0x1f88000 (c000 bytes) 192: com.apple.driver.AppleS5L8960XUSB(305.0.0.0.1) at 0x1f94000 (c000 bytes) 193: com.apple.driver.AppleTCA7408GPIOIC(10.0.0.0.0) at 0x1fa0000 (c000 bytes)
AMFI has been updated (206219 vs. 160), as has the Sandbox (560587 vs. 459).
Policy has been made stronger, with more hooks, and finally hooks on IOKit properties. joker will also show you those, when run (in a new mode) on the kext:
morpheus@Zephyr (/tmp)$ joker /tmp/161.com.apple.security.sandbo.kext
Checking __DATA.__const to get policy...
Found policy at 0xfffffff0055a05d0
Policy name: Sandbox
Full name of policy: Seatbelt sandbox policy
Flags: 0
Ops: fffffff0055a0620
com.apple.security.sandbox(570.0.0.0.0)(570.0.0.0.0)
mpo_cred_check_label_update_execve: 0xfffffff00552a34c
mpo_cred_check_label_update: 0xfffffff00551e3f8
mpo_cred_label_associate: 0xfffffff00551e428
mpo_cred_label_destroy: 0xfffffff00551e454
mpo_cred_label_update_execve: 0xfffffff00552a354
mpo_cred_label_update: 0xfffffff00551e45c
mpo_file_check_fcntl: 0xfffffff00551e49c
mpo_file_check_mmap: 0xfffffff00551e518
mpo_file_check_set: 0xfffffff00551e5bc
mpo_mount_check_fsctl: 0xfffffff00551e628
mpo_mount_check_mount: 0xfffffff00551e6a4
mpo_mount_check_remount: 0xfffffff00551e744
mpo_mount_check_umount: 0xfffffff00551e808
mpo_policy_init: 0xfffffff00551e8c4
mpo_policy_initbsd: 0xfffffff00551ea20
mpo_policy_syscall: 0xfffffff00551eab8
mpo_system_check_sysctlbyname: 0xfffffff00551ebe8
mpo_vnode_check_rename: 0xfffffff00551edbc
mpo_kext_check_query: 0xfffffff00551eff8
mpo_iokit_check_nvram_get: 0xfffffff00551f06c
mpo_iokit_check_nvram_set: 0xfffffff00551f0e8
mpo_iokit_check_nvram_delete: 0xfffffff00551f310
mpo_proc_check_expose: 0xfffffff00551f38c
mpo_proc_check_set_host_special_port: 0xfffffff00551f414
mpo_proc_check_set_host_exception_port: 0xfffffff00551f490
mpo_posixsem_check_create: 0xfffffff00551f4fc
mpo_posixsem_check_open: 0xfffffff00551f5ac
mpo_posixsem_check_post: 0xfffffff00551f5b4
mpo_posixsem_check_unlink: 0xfffffff00551f644
mpo_posixsem_check_wait: 0xfffffff00551f64c
mpo_posixshm_check_create: 0xfffffff00551f6dc
mpo_posixshm_check_open: 0xfffffff00551f75c
mpo_posixshm_check_stat: 0xfffffff00551f850
mpo_posixshm_check: 0xfffffff00551f8d0
mpo_posixshm_check_unlink: 0xfffffff00551f950
mpo_proc_check_debug: 0xfffffff00551f9d0
mpo_proc_check_fork: 0xfffffff00551fa4c
mpo_proc_check_get: 0xfffffff00551fab8
mpo_proc_check_get: 0xfffffff00551fb34
mpo_proc_check_sched: 0xfffffff00551fc10
mpo_proc_check_setaudit: 0xfffffff00551fc7c
mpo_proc_check_setauid: 0xfffffff00551fce8
mpo_proc_check_signal: 0xfffffff00551fd54
mpo_socket_check_bind: 0xfffffff00551fde8
mpo_socket_check_connect: 0xfffffff00551fdfc
mpo_socket_check_create: 0xfffffff00551fe38
mpo_socket_check_listen: 0xfffffff00551fefc
mpo_socket_check_receive: 0xfffffff00551ff14
mpo_socket_check_send: 0xfffffff00551ff2c
mpo_system_check_acct: 0xfffffff00551ff48
mpo_system_check_audit: 0xfffffff00551ffb4
mpo_system_check_auditctl: 0xfffffff005520020
mpo_system_check_auditon: 0xfffffff00552008c
mpo_system_check_host_priv: 0xfffffff0055200f8
mpo_system_check_nfsd: 0xfffffff00552016c
mpo_system_check_reboot: 0xfffffff0055201d8
mpo_system_check_settime: 0xfffffff005520244
mpo_system_check_swapoff: 0xfffffff0055202b0
mpo_system_check_swapon: 0xfffffff00552031c
mpo_sysvmsq_check_enqueue: 0xfffffff005520388
mpo_sysvmsq_check_msgrcv: 0xfffffff0055203f4
mpo_sysvmsq_check_msgrmid: 0xfffffff005520460
mpo_sysvmsq_check_msqctl: 0xfffffff0055204cc
mpo_sysvmsq_check_msqget: 0xfffffff005520538
mpo_sysvmsq_check_msqrcv: 0xfffffff0055205a4
mpo_sysvmsq_check_msqsnd: 0xfffffff005520610
mpo_sysvsem_check_semctl: 0xfffffff00552067c
mpo_sysvsem_check_semget: 0xfffffff0055206e8
mpo_sysvsem_check_semop: 0xfffffff005520754
mpo_sysvshm_check_shmat: 0xfffffff0055207c0
mpo_sysvshm_check_shmctl: 0xfffffff00552082c
mpo_sysvshm_check_shmdt: 0xfffffff005520898
mpo_sysvshm_check_shmget: 0xfffffff005520904
mpo_reserved_hook: 0xfffffff005520970mpo_mount_check_snapshot_create
mpo_reserved_hook: 0xfffffff005520a08mpo_check_snapshot_delete
mpo_reserved_hook: 0xfffffff005520aa0mpo_vnode_check_clone
mpo_reserved_hook: 0xfffffff005520c68mpo_proc_check_get_cs_info
mpo_reserved_hook: 0xfffffff005520d1cmpo_proc_check_set_cs_info
mpo_iokit_check_hid_control: 0xfffffff005520d98
mpo_vnode_check_access: 0xfffffff005520e04
mpo_vnode_check_chroot: 0xfffffff005520f30
mpo_vnode_check_create: 0xfffffff005520fb4
mpo_vnode_check_deleteextattr: 0xfffffff005521154
mpo_vnode_check_exchangedata: 0xfffffff0055211f4
mpo_vnode_check_exec: 0xfffffff00552132c
mpo_vnode_check_getattrlist: 0xfffffff0055214b0
mpo_vnode_check_getextattr: 0xfffffff005521534
mpo_vnode_check_ioctl: 0xfffffff0055215c0
mpo_vnode_check_link: 0xfffffff0055216c0
mpo_vnode_check_listextattr: 0xfffffff0055218c8
mpo_vnode_check_open: 0xfffffff00552194c
mpo_vnode_check_readlink: 0xfffffff005521a38
mpo_vnode_check_revoke: 0xfffffff005521abc
mpo_vnode_check_setattrlist: 0xfffffff005521b40
mpo_vnode_check_setextattr: 0xfffffff005521bc4
mpo_vnode_check_setflags: 0xfffffff005521c64
mpo_vnode_check_setmode: 0xfffffff005521d18
mpo_vnode_check_setowner: 0xfffffff005521e60
mpo_vnode_check_setutimes: 0xfffffff005521ee4
mpo_vnode_check_stat: 0xfffffff005521f64
mpo_vnode_check: 0xfffffff005521fe8
mpo_vnode_check_unlink: 0xfffffff00552206c
mpo_vnode_notify_create: 0xfffffff005522190
mpo_vnode_check_uipc_bind: 0xfffffff0055223a8
mpo_vnode_check_uipc_connect: 0xfffffff005522434
mpo_proc_check_suspend_resume: 0xfffffff0055224cc
mpo_iokit_check_set_properties: 0xfffffff005522538
mpo_system_check_chud: 0xfffffff005522594
mpo_vnode_check_searchfs: 0xfffffff005522600
mpo_priv_check: 0xfffffff005522684
mpo_priv_grant: 0xfffffff005522700
mpo_vnode_check_fsgetpath: 0xfffffff005522794
mpo_iokit_check_open: 0xfffffff005522818
mpo_vnode_notify_rename: 0xfffffff005522894
mpo_reserved_hook: 0xfffffff0055228f4 _hook_vnode_check_setacl
mpo_system_check_kas_info: 0xfffffff005522978
mpo_system_check_info: 0xfffffff005522a10
mpo_pty_notify_grant: 0xfffffff005522a8c
mpo_pty_notify_close: 0xfffffff005522b6c
mpo_kext_check_load: 0xfffffff005522c4c
mpo_kext_check_unload: 0xfffffff005522cc8
mpo_proc_check_proc_info: 0xfffffff005522d44
mpo_iokit_check_filter_properties: 0xfffffff005522e0c
mpo_iokit_check_get_property: 0xfffffff005522e4c
The above "Reserved" have been claimed by Apple. For what? I can't tell yet without reversing XNU fully. But when the source comes out (my guess? November :-) we'll have the names. Ok. I can tell you - thanks to OS X sandbox.kext.
As a side note - Funny that nobody wrote any follow up to Dionysus Blazakis seminal work since 2011. I was hoping to be the one, and present it at GSEC.hitb.org, but I guess it'll wait for the book.
Boot-Args
Apparently, instead of PE_parse_boot_argn (which is still defined), we have boot arg code jumping to two instructions later. It turns out the exported PE_parse_boot_argn passes 0 as the fourth (x3) argument to the real PE_parse_boot_argn, which isn't exported. No matter - by fixing the companion file, you can easily get all the boot arguments - as well as their memory locations, like so:
bash-3.2# JCOLOR=1 jtool -d __TEXT_EXEC.__text xnu.3705.j99a | grep PE_parse_boot_argn\( | sort -u
Opened companion File: ./xnu.3705.j99a.ARM64.33A2E481-EF0F-3779-8C96-360114BB824A
Loading symbols...
Disassembling from file offset 0x78000, Address 0xfffffff00747c000
;; R0 = _PE_parse_boot_argn("-b",SP + 0x3c0,16);
;; R0 = _PE_parse_boot_argn("-disable_atm",0xffffffffffffff90,20);
;; R0 = _PE_parse_boot_argn("-l",SP + 0x150,16);
;; R0 = _PE_parse_boot_argn("-minimalboot",SP + 0x3c0,16);
;; R0 = _PE_parse_boot_argn("-multiq-deep-drain",0xfffffff00791f56c,4);
;; R0 = _PE_parse_boot_argn("-no-zp",SP + 0xffffff90,16);
;; R0 = _PE_parse_boot_argn("-no64exec",SP + 0x3c0,16);
;; R0 = _PE_parse_boot_argn("-no_corpses",0xffffffffffffff90,20);
;; R0 = _PE_parse_boot_argn("-novfscache",SP + 0x3c0,16);
;; R0 = _PE_parse_boot_argn("-oldmezname",SP + 0xffffff90,4);
;; R0 = _PE_parse_boot_argn("-panic_on_exception_triage",0xfffffff00774c850,4);
;; R0 = _PE_parse_boot_argn("-progress",0xfffffff0074bf92c,4);
;; R0 = _PE_parse_boot_argn("-qos-policy-allow",0xfffffff007934928,4);
;; R0 = _PE_parse_boot_argn("-s",SP + 0x3c0,16);
;; R0 = _PE_parse_boot_argn("-show_pointers",0xfffffff0074baf64,16);
;; R0 = _PE_parse_boot_argn("-use_hwpagesize",0xfffffff00756f350,4);
;; R0 = _PE_parse_boot_argn("-vm_compressor_hybrid",0xfffffff0074c0c54,4);
;; R0 = _PE_parse_boot_argn("-vm_compressor_wk",0xfffffff0074c0c30,4);
;; R0 = _PE_parse_boot_argn("-vnode_cache_defeat",SP + 0x3c0,16);
;; R0 = _PE_parse_boot_argn("-x",0xfffffff00784677c,16);
;; R0 = _PE_parse_boot_argn("-x",SP + 0x3c0,16);
;; R0 = _PE_parse_boot_argn("-x",SP + 0x8,4);
;; R0 = _PE_parse_boot_argn("-zc",SP + 0xffffff70,16);
;; R0 = _PE_parse_boot_argn("-zl",SP + 0xffffff70,16);
;; R0 = _PE_parse_boot_argn("-zp",SP + 0xffffff90,16);
;; R0 = _PE_parse_boot_argn("arm64_maxoffset",0xfffffff00756ff2c,8);
;; R0 = _PE_parse_boot_argn("arm_maxoffset",0xfffffff00756fecc,8);
;; R0 = _PE_parse_boot_argn("assert",0xfffffff0078f0128,4);
;; R0 = _PE_parse_boot_argn("assertions",0xfffffff0078f0128,4);
;; R0 = _PE_parse_boot_argn("assertions",SP + 0x10,4);
;; R0 = _PE_parse_boot_argn("atm_diagnostic_config",0xfffffff007948d3c,4);
;; R0 = _PE_parse_boot_argn("bg_preempt",SP + 0xfffffff8,4);
;; R0 = _PE_parse_boot_argn("boot-uuid",?,128);
;; R0 = _PE_parse_boot_argn("bootprofile_buffer_size",0xfffffff0079671a8,4);
;; R0 = _PE_parse_boot_argn("bootprofile_interval_ms",0xfffffff0079671b0,4);
;; R0 = _PE_parse_boot_argn("bootprofile_proc_name",0xfffffff007967300,17);
;; R0 = _PE_parse_boot_argn("bootprofile_stackshot_flags",0xfffffff0079671b4,4);
;; R0 = _PE_parse_boot_argn("bootprofile_type",SP + 0xb0,32);
;; R0 = _PE_parse_boot_argn("colors",SP + 0xffffff90,4);
;; R0 = _PE_parse_boot_argn("corpse_for_fatal_memkill",0xfffffff0074bd91c,4);
;; R0 = _PE_parse_boot_argn("cpumon_ustackshots_trigger_pct",0xfffffff00791fa90,4);
;; R0 = _PE_parse_boot_argn("darkwake",0xfffffff007912958,4);
;; R0 = _PE_parse_boot_argn("dart",SP + 0x8,4);
;; R0 = _PE_parse_boot_argn("dcc",SP + 0x8,4);
;; R0 = _PE_parse_boot_argn("debug",0xfffffff007570178,4);
;; R0 = _PE_parse_boot_argn("debug",0xfffffff00757035c,4);
;; R0 = _PE_parse_boot_argn("debug",0xfffffff0079689e8,4);
;; R0 = _PE_parse_boot_argn("debug",0xfffffff00798f790,4);
;; R0 = _PE_parse_boot_argn("diag",0xfffffff007968890,4);
;; R0 = _PE_parse_boot_argn("disable_exc_resource",0xfffffff00791f8fc,4);
;; R0 = _PE_parse_boot_argn("exc_via_corpse_forking",0xffffffffffffff70,4);
;; R0 = _PE_parse_boot_argn("fill",SP + 0xffffff90,4);
;; R0 = _PE_parse_boot_argn("fq_codel",0xfffffff007979870,4);
;; R0 = _PE_parse_boot_argn("ifa_debug",0xfffffff007976ab4,4);
;; R0 = _PE_parse_boot_argn("ifa_debug",0xfffffff007979984,4);
;; R0 = _PE_parse_boot_argn("ifa_debug",0xfffffff007979a74,4);
;; R0 = _PE_parse_boot_argn("ifa_debug",0xfffffff00797b284,4);
;; R0 = _PE_parse_boot_argn("ifa_debug",0xfffffff007985174,4);
;; R0 = _PE_parse_boot_argn("ifa_debug",0xfffffff00798699c,4);
;; R0 = _PE_parse_boot_argn("ifa_debug",0xfffffff007986ab4,4);
;; R0 = _PE_parse_boot_argn("ifa_debug",0xfffffff007986e84,4);
;; R0 = _PE_parse_boot_argn("ifa_debug",0xfffffff007986e94,4);
;; R0 = _PE_parse_boot_argn("ifnet_debug",0xfffffff007976dc0,4);
;; R0 = _PE_parse_boot_argn("imp_interactive_receiver",0xffffffffffffff90,26);
;; R0 = _PE_parse_boot_argn("inaddr_nhash",0xfffffff00797a5c4,4);
;; R0 = _PE_parse_boot_argn("initmcl",0xfffffff007745f50,4);
;; R0 = _PE_parse_boot_argn("intcoproc_unrestricted",0xfffffff007979abc,4);
;; R0 = _PE_parse_boot_argn("interrupt_accounting",SP + 0x8,4);
;; R0 = _PE_parse_boot_argn("io",SP + 0x0,4);
;; R0 = _PE_parse_boot_argn("io_telemetry_limit",0xfffffff00791f910,8);
;; R0 = _PE_parse_boot_argn("io_throttle_period_tier1",SP + 0x18,4);
;; R0 = _PE_parse_boot_argn("io_throttle_period_tier2",SP + 0x18,4);
;; R0 = _PE_parse_boot_argn("io_throttle_period_tier3",SP + 0x18,4);
;; R0 = _PE_parse_boot_argn("io_throttle_window_tier1",SP + 0x3c0,4);
;; R0 = _PE_parse_boot_argn("io_throttle_window_tier2",SP + 0x3c0,4);
;; R0 = _PE_parse_boot_argn("io_throttle_window_tier3",SP + 0x3c0,4);
;; R0 = _PE_parse_boot_argn("iosched",SP + 0x2e0,4);
;; R0 = _PE_parse_boot_argn("iotrace",SP + 0x0,4);
;; R0 = _PE_parse_boot_argn("jcon",SP + 0x0,4);
;; R0 = _PE_parse_boot_argn("jetsam_aging_policy",0xfffffff007909748,4);
;; R0 = _PE_parse_boot_argn("jetsam_idle_snapshot",0xfffffff0079898fc,4);
;; R0 = _PE_parse_boot_argn("jtag",SP + 0x30,8);
;; R0 = _PE_parse_boot_argn("keepsyms",0xfffffff00798e910,1);
;; R0 = _PE_parse_boot_argn("kernel_stack_pages",0xfffffff00791f6c8,4);
;; R0 = _PE_parse_boot_argn("kextlog",0xfffffff007846720,4);
;; R0 = _PE_parse_boot_argn("kmapoff",0xfffffff00794f6f8,4);
;; R0 = _PE_parse_boot_argn("lcks",0xfffffff0079689d0,4);
;; R0 = _PE_parse_boot_argn("lo_txstart",0xfffffff007976e78,4);
;; R0 = _PE_parse_boot_argn("log_executable_mem_entry",0xfffffff00796675c,4);
;; R0 = _PE_parse_boot_argn("longterm",0xfffffff00756ef44,4);
;; R0 = _PE_parse_boot_argn("max_cpumon_interval",0xfffffff00791f958,8);
;; R0 = _PE_parse_boot_argn("max_cpumon_percentage",0xfffffff00791f954,1);
;; R0 = _PE_parse_boot_argn("max_task_pmem",0xfffffff00791f7c4,4);
;; R0 = _PE_parse_boot_argn("maxmem",0xfffffff00756f2a4,4);
;; R0 = _PE_parse_boot_argn("mbuf_debug",0xfffffff00798ded4,4);
;; R0 = _PE_parse_boot_argn("mbuf_pool",SP + 0x28,4);
;; R0 = _PE_parse_boot_argn("mcache_flags",0xfffffff007989e40,4);
;; R0 = _PE_parse_boot_argn("mleak_sample_factor",0xfffffff00798de58,4);
;; R0 = _PE_parse_boot_argn("mseg",0xfffffff00798f1b0,4);
;; R0 = _PE_parse_boot_argn("msgbuf",SP + 0x2e0,4);
;; R0 = _PE_parse_boot_argn("mtxspin",SP + 0x18,4);
;; R0 = _PE_parse_boot_argn("multiq_drain_band_limit",0xfffffff00791f68c,4);
;; R0 = _PE_parse_boot_argn("multiq_drain_ceiling",0xfffffff00791f694,4);
;; R0 = _PE_parse_boot_argn("multiq_drain_depth_limit",0xfffffff00791f690,4);
;; R0 = _PE_parse_boot_argn("nbuf",0xfffffff007969138,4);
;; R0 = _PE_parse_boot_argn("ncl",0xfffffff007969150,4);
;; R0 = _PE_parse_boot_argn("net_affinity",0xfffffff0078f7384,4);
;; R0 = _PE_parse_boot_argn("net_rtref",0xfffffff007976d80,4);
;; R0 = _PE_parse_boot_argn("net_rxpoll",0xfffffff0078f7388,4);
;; R0 = _PE_parse_boot_argn("network-type",SP + 0x10,128);
;; R0 = _PE_parse_boot_argn("noidle",0xfffffff00798f60c,4);
;; R0 = _PE_parse_boot_argn("panic_on_cs_killed",0xfffffff0079894dc,4);
;; R0 = _PE_parse_boot_argn("pmtimeout",SP + 0x0,4);
;; R0 = _PE_parse_boot_argn("preempt",SP + 0xfffffff8,4);
;; R0 = _PE_parse_boot_argn("qos_override_mode",0xfffffff007934924,4);
;; R0 = _PE_parse_boot_argn("radar_20804515",0xfffffff00756f324,4);
;; R0 = _PE_parse_boot_argn("rd",0x200,128);
;; R0 = _PE_parse_boot_argn("rd",SP + 0x10,128);
;; R0 = _PE_parse_boot_argn("rootdev",0x200,128);
;; R0 = _PE_parse_boot_argn("rootdev",SP + 0x10,128);
;; R0 = _PE_parse_boot_argn("rte_debug",0xfffffff007976f48,4);
;; R0 = _PE_parse_boot_argn("sched",0xffffffffffffff90,48);
;; R0 = _PE_parse_boot_argn("sched_debug",0xfffffff00791ef38,4);
;; R0 = _PE_parse_boot_argn("sched_decay_penalty",SP + 0x18,4);
;; R0 = _PE_parse_boot_argn("sched_decay_usage_age_factor",0xfffffff0078f026c,4);
;; R0 = _PE_parse_boot_argn("sched_pri_decay_limit",0xfffffff0078f0270,4);
;; R0 = _PE_parse_boot_argn("sched_use_combined_fgbg_decay",0xfffffff00791eefc,4);
;; R0 = _PE_parse_boot_argn("secluded_aging_policy",0xfffffff0078f04ac,4);
;; R0 = _PE_parse_boot_argn("secluded_for_apps",0xfffffff0078f04a0,4);
;; R0 = _PE_parse_boot_argn("secluded_for_fbdp",0xfffffff0078f04a8,4);
;; R0 = _PE_parse_boot_argn("secluded_for_filecache",0xfffffff0078f04a4,4);
;; R0 = _PE_parse_boot_argn("secluded_for_iokit",0xfffffff0078f049c,4);
;; R0 = _PE_parse_boot_argn("secluded_mem_mb",0xfffffff007965c90,4);
;; R0 = _PE_parse_boot_argn("serial",0xfffffff007966a20,4);
;; R0 = _PE_parse_boot_argn("serverperfmode",0xfffffff00796914c,4);
;; R0 = _PE_parse_boot_argn("sigrestrict",0xfffffff007989810,4);
;; R0 = _PE_parse_boot_argn("sk_debug",0xfffffff00798e3b8,4);
;; R0 = _PE_parse_boot_argn("slto_us",SP + 0x10,4);
;; R0 = _PE_parse_boot_argn("socket_debug",0xfffffff00798df68,4);
;; R0 = _PE_parse_boot_argn("statistics",SP + 0x10,4);
;; R0 = _PE_parse_boot_argn("swd_delay_duration",0xfffffff00798efec,4);
;; R0 = _PE_parse_boot_argn("swd_delay_type",0xfffffff00798efd9,16);
;; R0 = _PE_parse_boot_argn("swd_kext_name",0xfffffff00798ef59,128);
;; R0 = _PE_parse_boot_argn("swd_panic",SP + 0x18,4);
;; R0 = _PE_parse_boot_argn("swd_timeout",0xfffffff007912360,4);
;; R0 = _PE_parse_boot_argn("task_iomon_interval_secs",0xfffffff00791f908,8);
;; R0 = _PE_parse_boot_argn("task_iomon_limit_mb",0xfffffff00791f900,8);
;; R0 = _PE_parse_boot_argn("task_policy_suppression_disable",0xfffffff00791f970,4);
;; R0 = _PE_parse_boot_argn("task_wakeups_monitor_interval",0xfffffff00791f8f4,4);
;; R0 = _PE_parse_boot_argn("task_wakeups_monitor_rate",0xfffffff00791f8f0,4);
;; R0 = _PE_parse_boot_argn("task_wakeups_monitor_ustackshots_trigger_pct",0xfffffff00791f8f8,4);
;; R0 = _PE_parse_boot_argn("tbi",0xfffffff00756f9e8,4);
;; R0 = _PE_parse_boot_argn("telemetry_buffer_size",0xfffffff007967068,4);
;; R0 = _PE_parse_boot_argn("telemetry_notification_leeway",0xffffffffffffff90,4);
;; R0 = _PE_parse_boot_argn("telemetry_sample_all_tasks",0xfffffff007967050,4);
;; R0 = _PE_parse_boot_argn("telemetry_sample_rate",0xfffffff007967048,4);
;; R0 = _PE_parse_boot_argn("trace",0xfffffff00791f730,4);
;; R0 = _PE_parse_boot_argn("trace_panic",0xfffffff00791f738,4);
;; R0 = _PE_parse_boot_argn("trace_typefilter",0xfffffff00791f758,64);
;; R0 = _PE_parse_boot_argn("trace_wake",0xfffffff00791f734,4);
;; R0 = _PE_parse_boot_argn("unify_corpse_blob_alloc",0xfffffff0074bd8e8,4);
;; R0 = _PE_parse_boot_argn("unrestrict_coalition_syscalls",0xfffffff007917738,4);
;; R0 = _PE_parse_boot_argn("up_style_idle_exit",0xfffffff007968884,4);
;; R0 = _PE_parse_boot_argn("vm_compression_limit",0xfffffff00794aea4,4);
;; R0 = _PE_parse_boot_argn("vm_compressor",SP + 0xffffff90,4);
;; R0 = _PE_parse_boot_argn("vm_compressor_codec",0xfffffff0074c0c18,4);
;; R0 = _PE_parse_boot_argn("vm_compressor_immediate",SP + 0xffffff90,4);
;; R0 = _PE_parse_boot_argn("vm_compressor_threads",0xfffffff0078f0488,4);
;; R0 = _PE_parse_boot_argn("vm_page_bg_exclude_external",0xfffffff007965bec,4);
;; R0 = _PE_parse_boot_argn("vm_page_bg_limit",0xfffffff007965be4,4);
;; R0 = _PE_parse_boot_argn("vm_page_bg_mode",0xfffffff007965be8,4);
;; R0 = _PE_parse_boot_argn("vm_page_bg_target",0xfffffff007965be0,4);
;; R0 = _PE_parse_boot_argn("wfi",SP + 0x28,4);
;; R0 = _PE_parse_boot_argn("wql_tsize",0xffffffffffffff90,4);
;; R0 = _PE_parse_boot_argn("wqp_tsize",0xffffffffffffff90,4);
;; R0 = _PE_parse_boot_argn("wqsize",0xffffffffffffff90,4);
;; R0 = _PE_parse_boot_argn("wqt_min_free",0xffffffffffffff90,4);
;; R0 = _PE_parse_boot_argn("wqt_tbl_size",0xffffffffffffff90,4);
;; R0 = _PE_parse_boot_argn("zalloc_debug",0xfffffff0079487a8,4);
;; R0 = _PE_parse_boot_argn("zelems",0xfffffff007917450,8);
;; R0 = _PE_parse_boot_argn("zlog",0xfffffff007948b24,32);
;; R0 = _PE_parse_boot_argn("zp-factor",0xfffffff007934f58,4);
;; R0 = _PE_parse_boot_argn("zp-scale",0xfffffff007934f5c,4);
;; R0 = _PE_parse_boot_argn("zrecs",0xfffffff007948b4c,4);
;; R0 = _PE_parse_boot_argn("zsize",SP + 0x130,8);
Note that the addresses aren't always correct (e.g. ifa_debug), but hey - you get all the boot-args. That's a start! I still need to diff vs. the 3247 boot-args. That'll go in the book..
New SYSCTLs
joker can figure those out automatically, so I'l add them later.
New Daemons
diffing the ls -b of
added:
> asd
> captiveagent
> DataDetectorsSourceAccess
> DeveloperTools
> dprivacyd
> fdrhelper
> finish_demo_restore
> fmflocatord
> magicswitchd
> MobileStorageMounter /* finally in its rightful place */
> networkserviceproxy
> pcsstatus
> rtbuddyd
> safarifetcherd
> symptomsd-helper
> webbookmarksd
> wifivelocityd
removed:
< findmydeviced-nano-support
< ios_diagnostics_relay
< networkd
< networkd_privileged
< uuidpathd
In BTMagic appears.
2. OS X
For OS X I've so far obtained only the kernel and my two usual victims, Sandbox and AMFI. More to follow when I get the full DMG and can shove in a VM..
Security
- Though not SIP by name, the notion of a Platform profile ("system policy") has been effectuated:
iPhone:~ root# /tmp/sbtool -sh: /tmp/sbtool: Operation not permitted SandboxViolation: bash(792) System Policy: deny(1) process-exec* /private/var/tmp/sbtool
- AMFI now has messages 1000 through 1005: - 1000, 1001, 1005 used on iOS. (1005 - gets device lock state to patch an old bug) - 1000, 1002-1004 used on OS X (covering those in detail in *OSI)
- Pegasus bugs (importantly, the info leak) likely only patched in GM)
- fG!