Notes from the iOS 12 and MacOS 14 Preview

Jonathan Levin, http://newosxbook.com/ - 06/09/15

0. Changelog

6/9/18: First version

About

Continuing an ongoing tradition I somehow forgot last year...

This is a VERY rough listing, which tracks what I do to figure out diffs. Commands are raw and largely unedited. This is not meant to be A) comprehensive or B) overly legible. If you want a simple explanation of the diffs, wait for an update to MOXII 2. If you want raw findings, read on. Feedback welcome.

1. Both (XNU)

2. Both (Usermode)

3. iOS 12

  • Springboard MIGs have changed:
    jtool2 -q -d __DATA.__const /Volumes/PeaceSeed16A5288q.D10D101D20D201DeveloperOS/System/Library/CoreServices/SpringBoard.app/SpringBoard| grep "MIG Sub"
    Dumping 240144 bytes from 0x10081fd00 (Offset 0x81fd00):
    0x10082bc30:      0x1000db4f8         	MIG Subsystem 2000000: Dispatcher 
    0x10082bc38:    0x1e8480       0x1e84dd   	MIG Subsystem 2000000: 93 messages  ## Was 104 in 11!
    0x10082bc40:    0x42c         0x0 	MIG Subsystem 2000000: Msg size 1068 bytes
    0x1008376d8:      0x100230f04         	MIG Subsystem 1000000: Dispatcher 
    0x1008376e0:    0xf4240       0xf4241   	MIG Subsystem 1000000: 1 messages
    0x1008376e8:    0x28         0x0 	MIG Subsystem 1000000: Msg size 40 bytes
    0x10083a528:      0x100290060         	MIG Subsystem 4000000: Dispatcher 
    0x10083a530:    0x3d0900       0x3d0909   	MIG Subsystem 4000000: 9 messages  ## Was 10 in 11
    0x10083a538:    0x42c         0x0 	MIG Subsystem 4000000: Msg size 1068 bytes
    0x1008441c0:      0x1003bc884         	MIG Subsystem 6000000: Dispatcher 
    0x1008441c8:    0x5b8d80       0x5b8d81   	MIG Subsystem 6000000: 1 messages
    0x1008441d0:    0x38         0x0 	MIG Subsystem 6000000: Msg size 56 bytes
    
  • OTA format is changed again. I swear, it's like AAPL is personally trying to make me miserable. Now there are .ecc files alongside the normal .0## pbzx files
  • iBoot/LLB/SEP still encrypted, despite the other components being "decrypted for performance".. Right.
  • libvminterpose (which was empty to begin with) is gone
  • /System/Library now has the following new subdirectories:
    • BulletinDistributor
    • CardKit
    • CardServices
    • CoreAS
    • CoreImage
    • MediaCapture
    • OnBoardingBundles
    • PPM
    • RelevanceEngine
    • UserNotifications
    • VideoCodecs
    • VideoDecoders
    • VideoEncoders
  • New LaunchDaemons:
    • com.apple.AppleCredentialManagerDaemon.plist
    • com.apple.PerfPowerServicesExtended.plist
    • com.apple.ReportMemoryException.plist
    • com.apple.SCHelper.plist
    • com.apple.UsageTrackingAgent.plist
    • com.apple.abm-helper.plist
    • com.apple.aoplogd.capture.plist
    • com.apple.ap.adprivacyd.plist
    • com.apple.ap.adservicesd.plist
    • com.apple.applecamerad.plist
    • com.apple.contextstored.plist
    • com.apple.corespotlightservice.plist
    • com.apple.filesystems.apfs_defragd.plist
    • com.apple.gpsd.plist
    • com.apple.iomfb_bics_daemon.plist
    • com.apple.mobile.heartbeat.plist
    • com.apple.mobiletimerd.plist
    • com.apple.nfrestore.plist
    • com.apple.parsec-fbf.plist
    • com.apple.progressd.plist
    • com.apple.ptpd.plist
    • com.apple.remotemanagementd.plist
    • com.apple.securityuploadd.plist
    • com.apple.sidecar-relay.plist
    • com.apple.siriactionsd.plist
    • com.apple.wwfe.waved.plist
    • com.apple.xartstoraged.plist
  • AMFI.kext seems to be hardened - fake signed objects now need to have a non-empty CMS (RFC3852) blob (i.e. blob size > 8). There's also an insistence on 0xfade0b01, apparently. There's also something referred to as "CT validation". This ties in to a new Kext - CoreTrust (com.apple.kext.CoreTrust) - a brand new kext verifying trusted CAs (Apple iPhone Certification Authority and Apple Code Signing Certification Authority). This is a major change. I'll update when I get to inspect it.
  • While on the subject of new kexts - AppleImage4 (com.apple.security.AppleImage4) is also a new addition, providing Img4 handling services (read: TrustCaches, etc) in kernel
  • Specific trust caches for each of the three DMGs
  • Also, significant code added for trust caches:
    • _pmap_initialize_legacy_static_trust_cache
    • _pmap_is_trust_cache_loaded
    • _pmap_load_trust_cache
    • _pmap_lookup_in_loaded_trust_caches
    • _pmap_lookup_in_static_trust_cache
    (of course it is MUCH easier to just DO AWAY WITH LOADED TRUST CACHES. But AAPL never seemed to go for simple, eh?)
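As an added example (not from these notes, and not Apple's or AMFI's code), the CMS-blob requirement described above can be checked from userland: the code parses an embedded code-signature SuperBlob, locates the CMS wrapper slot (the 0xfade0b01 magic mentioned above is CSMAGIC_BLOBWRAPPER), and rejects it when the wrapper is nothing but its 8-byte header. The SuperBlobs it runs on are constructed inline, with a placeholder CodeDirectory and a stand-in CMS payload.

```python
import struct

# Constants from Apple's cs_blobs.h; every field in a code signature is big-endian.
CSMAGIC_EMBEDDED_SIGNATURE = 0xfade0cc0   # SuperBlob that wraps all signature blobs
CSMAGIC_CODEDIRECTORY      = 0xfade0c02   # CodeDirectory (page hashes, identifier, ...)
CSMAGIC_BLOBWRAPPER        = 0xfade0b01   # wrapper carrying the CMS (RFC 3852) signature
CSSLOT_CODEDIRECTORY       = 0x0
CSSLOT_SIGNATURESLOT       = 0x10000      # index slot that points at the wrapper
BLOB_HEADER_LEN            = 8            # magic + length; an empty wrapper is exactly this

def parse_superblob(blob: bytes) -> dict:
    """Return {slot_type: (magic, length, payload)} for each blob in the SuperBlob."""
    magic, length, count = struct.unpack_from(">III", blob, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE or length > len(blob):
        raise ValueError("not an embedded-signature SuperBlob")
    slots = {}
    for i in range(count):
        slot_type, offset = struct.unpack_from(">II", blob, 12 + 8 * i)
        bmagic, blength = struct.unpack_from(">II", blob, offset)
        if blength < BLOB_HEADER_LEN or offset + blength > length:
            raise ValueError("blob in slot %#x overruns the SuperBlob" % slot_type)
        slots[slot_type] = (bmagic, blength, blob[offset + BLOB_HEADER_LEN:offset + blength])
    return slots

def has_real_cms_signature(blob: bytes) -> bool:
    """The check the notes describe: the CMS wrapper must exist, carry the
    0xfade0b01 magic, and be larger than its 8-byte header."""
    slot = parse_superblob(blob).get(CSSLOT_SIGNATURESLOT)
    if slot is None:
        return False
    magic, length, _payload = slot
    return magic == CSMAGIC_BLOBWRAPPER and length > BLOB_HEADER_LEN

def build_superblob(cms_payload: bytes) -> bytes:
    """Constructed test data: placeholder CodeDirectory plus a CMS wrapper around cms_payload."""
    codedir = struct.pack(">II", CSMAGIC_CODEDIRECTORY, 12) + b"\x00" * 4
    wrapper = struct.pack(">II", CSMAGIC_BLOBWRAPPER, 8 + len(cms_payload)) + cms_payload
    index_len = 12 + 8 * 2                           # SuperBlob header + two index entries
    index = struct.pack(">IIII", CSSLOT_CODEDIRECTORY, index_len,
                        CSSLOT_SIGNATURESLOT, index_len + len(codedir))
    total = index_len + len(codedir) + len(wrapper)
    return struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, total, 2) + index + codedir + wrapper

# Pseudo-signed: the wrapper slot is present but holds only its 8-byte header.
EMPTY_CMS = build_superblob(b"")
# Constructed stand-in for a DER-encoded CMS SignedData (a real one is kilobytes long).
NONEMPTY_CMS = build_superblob(b"\x30\x82\x00\x04\x06\x09\x2a\x86")

if __name__ == "__main__":
    print("empty CMS wrapper passes:", has_real_cms_signature(EMPTY_CMS))        # False
    print("non-empty CMS wrapper passes:", has_real_cms_signature(NONEMPTY_CMS)) # True
```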
4. MacOS

  • Still no multinode, damnit
  • /System/iOSSupport contains iOS frameworks, compiled for x86_64. This is very similar to the iOS Simulator, but bridges to native frameworks instead. Apple links select apps (e.g. News) with /System/iOSSupport/System/Library/Frameworks/UIKit.framework/Versions/A/UIKit (which reexports UIKitCore) and then the UI* APIs bridge to NS* ones. Super cool.
  • LC_BUILD_VERSION now also has MacOS/iOS hybrid (6). News.app and a bunch of others have this
  • libMobileGestalt.dylib is on the Mac at last!! Probably as part of the iOS support, but its location (/usr/lib) implies it might be used regularly! I have to check this out. It's one of my favorite libraries. A large part of the keys actually work the same way. Cool!
  • New MACF Policy:
       69    0 0xffffff7f81210000 0x6000     0x6000     com.apple.AppleSystemPolicy (1.0) 8D...831 <30 7 6 5 4 3 2 1>
    This calls up to /usr/libexec/syspolicyd, which has been extended with two new ports:
    	<dict>
    		<key>com.apple.security.AppleSystemPolicy.mig</key>
    		<dict>
    			<key>HostSpecialPort</key>
    			<integer>29</integer>
    		</dict>
    		<key>com.apple.security.syspolicy.kext</key>
    		<true/>
    		<key>com.apple.security.syspolicy.exec</key>
    		<true/>
    		<key>com.apple.security.syspolicy</key>
    		<true/>
    	</dict>

    The ..mig port is the upcall port from the kext. The ..exec port should prove interesting :-). Hopefully AAPL will restrict the system policy database properly this time around

    syspolicyd itself has doubled in size. The new MIG upcalls use subsystem 18600:

    jtool -d __DATA.__const syspolicyd | grep MIG
    Dumping from address 0x100028920 (Segment: __DATA.__const) to end of section
    Address : 0x100028920 = Offset 0x28920
    0x1000299d8: a8 48 00 00 aa 48 00 00 MIG subsystem 18600 (2 messages)
    0x1000299f8: 73 91 01 00 01 00 00 00  func_100019173  (MIG_Msg_18600_handler) -> 0x100010e5c
    0x100029a20: 0e 93 01 00 01 00 00 00  func_10001930e  (MIG_Msg_18601_handler) -> 0x100010980
    		checks team_id/signing_id/cdhash

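An added example (not the notes' own tooling) for the LC_BUILD_VERSION finding above: it walks the load commands of a little-endian 64-bit Mach-O, with bounds checks against sizeofcmds, and reports the platform of every LC_BUILD_VERSION, naming platform 6 as the macOS/iOS hybrid. The Mach-O bytes are constructed inline; the cputype, subtype and version values in them are arbitrary test data.

```python
import struct

MH_MAGIC_64      = 0xfeedfacf   # little-endian 64-bit Mach-O
MH_HEADER_64_LEN = 32
LC_BUILD_VERSION = 0x32

# platform field of LC_BUILD_VERSION (from <mach-o/loader.h>); 6 is the
# macOS/iOS hybrid ("iOSMac", later renamed Mac Catalyst) these notes mention.
PLATFORMS = {1: "macOS", 2: "iOS", 3: "tvOS", 4: "watchOS",
             5: "bridgeOS", 6: "macOS/iOS hybrid"}

def fmt_version(v: int) -> str:
    """minos/sdk are packed as xxxx.yy.zz: 0x000A0E00 -> '10.14.0'."""
    return "%d.%d.%d" % (v >> 16, (v >> 8) & 0xff, v & 0xff)

def build_versions(macho: bytes) -> list:
    """Walk the load commands and return one dict per LC_BUILD_VERSION found."""
    hdr = struct.unpack_from("<IiiIIIII", macho, 0)   # mach_header_64
    if hdr[0] != MH_MAGIC_64:
        raise ValueError("only little-endian 64-bit Mach-O is handled here")
    ncmds, sizeofcmds = hdr[4], hdr[5]
    off, end = MH_HEADER_64_LEN, min(MH_HEADER_64_LEN + sizeofcmds, len(macho))
    found = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", macho, off)
        if cmdsize < 8 or off + cmdsize > end:       # refuse to walk past sizeofcmds
            raise ValueError("load command at %#x overruns the header" % off)
        if cmd == LC_BUILD_VERSION:
            platform, minos, sdk, ntools = struct.unpack_from("<IIII", macho, off + 8)
            found.append({"platform": platform,
                          "name": PLATFORMS.get(platform, "unknown(%d)" % platform),
                          "minos": fmt_version(minos), "sdk": fmt_version(sdk),
                          "ntools": ntools})
        off += cmdsize
    return found

def make_macho(platform: int, minos: int, sdk: int) -> bytes:
    """Constructed test input: a bare header plus one LC_BUILD_VERSION, no tool entries."""
    lc = struct.pack("<IIIIII", LC_BUILD_VERSION, 24, platform, minos, sdk, 0)
    # cputype x86_64 (0x01000007), subtype 3, filetype MH_EXECUTE (2), one load command
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 1, len(lc), 0, 0)
    return hdr + lc

if __name__ == "__main__":
    for entry in build_versions(make_macho(6, 0x000A0E00, 0x000A0E00)):
        print(entry)
```

Pointing build_versions at the bytes of a real binary such as News.app's executable would list its platform the same way.
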
  • ContainerManagerd makes its MacOS debut. This is potentially big. Man page says it works "in concert" with sandboxd. This is unlike *OS, wherein there is no more sandboxd and a dedicated containermanager host special port is used instead.
  • New commands (at least, with man pages):
    • CSCSupportd.8
    • PerfPowerServices.8
    • PerfPowerServicesExtended.8
    • ReportMemoryException.8
    • SafeEjectGPU.8 - External GPU support
    • ScriptMenu.8
    • ServicesUIAgent.8
    • SidecarRelay.8
    • SoftwareUpdateNotificationManager.8
    • UsageTrackingAgent.8
    • apfsd.8 - not new, but finally with a paltry manpage
    • appstoreagent.8
    • atsd.8
    • bosreporter.8 - BridgeOS
    • boswatcher.8 - BridgeOS
    • cdutil.8
    • containermanagerd.8
    • icdd.8
    • mapspushd.8
    • parsec-fbf.8
    • security-checksystem.8
    • statskit.8
    • ticketd.8
    • tsig-keygen.8
    • usbcupdater.8
    • CoalitionIO.1
    • assertiontool.1
    • delv.1
    • intfrag.1
    • navtesttool.1
    • powerd.1
    • remotemanagementd.1
    • securityuploadd.8
    • silhouette.8
    • swd.1
    • symbolscache.1
    • umtest.1
  • New Public frameworks:
    • AdSupport.framework
    • BusinessChat.framework
    • NaturalLanguage.framework
    • Network.framework
    • UserNotifications.framework
    • VideoSubscriberAccount.framework
    • iTunesLibrary.framework
  • New (or removed) Private frameworks:
    • AXCoreUtilities.framework
    • AXMediaUtilitiesService.xpc
    • AccessibilityPlatformTranslation.framework
    • AdAnalytics.framework
    • AdCore.framework
    • AdID.framework
    • AddressBookCore.framework
    • AggregateDictionary.framework
    • AggregateDictionaryHistory.framework
    • AppStoreDaemon.framework
    • AppStoreUI.framework
    • AppSupport.framework
    • AppleAccount.framework
    • AppleMediaServices.framework
    • AssertionServices.framework
    • Assistant.framework
    • AutoBugCaptureCore.framework
    • BackBoardServices.framework
    • BaseBoard.framework
    • BluetoothManager.framework
    • BridgeOSInstallReporting.framework
    • BulkSymbolication.framework
    • C2.framework
    • Categories.framework
    • ClassroomKit.framework
    • ConditionInducer.framework
    • ConfigurationEngineModel.framework
    • ConversationKit.framework
    • CoreHAP.framework
    • CoreInterest.framework
    • CreateML.framework
    • DAAPKit.framework
    • DMNotification.framework
    • DataAccessExpress.framework
    • DeviceIdentity.framework
    • DigiHubPreference.framework
    • FMClient.framework
    • FontServices.framework
    • FrontBoardServices.framework
    • GPUWrangler.framework
    • GraphicsServices.framework
    • HMFoundation.framework
    • HomeKit.framework - (Craig did say HomeKit is coming to Mac)
    • HomeKitDaemon.framework
    • ICALogging.framework
    • KnowledgeMonitor.framework
    • LimitAdTracking.framework
    • MetadataUtilities.framework
    • MobileActivation.framework
    • MobileBluetooth.framework
    • MobileContainerManager.framework
    • NanoRegistry.framework
    • NetAppsUtilities.framework
    • Network.framework
    • OnBoardingKit.framework
    • PLShutdown.framework
    • PersonalizationPortraitInternals.framework
    • PhotoFoundation.framework
    • PhotoVision.framework
    • PhotosFormats.framework
    • PhotosImagingFoundation.framework
    • PowerLog.framework
    • PowerlogControl.framework
    • PowerlogDatabaseReader.framework
    • PrototypeTools.framework
    • QuickLookNonBaseSystem.framework
    • ROCKit.framework
    • RemoteManagement.framework
    • RemotePacketCapture.framework
    • RemoteTextInput.framework
    • SafariFoundation.framework
    • SafeEjectGPU.framework
    • SampleAnalysis.framework
    • ScreenReaderCore.framework
    • Sentry.framework
    • SidecarCore.framework
    • StatsKit.framework
    • StoreServices.framework
    • SymptomDiagnosticManagement.framework
    • TextToSpeech.framework
    • TransparencyDetailsViewMac.framework
    • TuriCore.framework
    • UIKitHostAppProtocols.framework
    • UIKitHostAppServices.framework
    • UIKitSystemAppServices.framework
    • URLFormatting.framework
    • UsageTracking.framework
    • UserManagement.framework
    • UserNotifications.framework
    • VideoSubscriberAccount.framework
    • VoiceServices.framework
    • VoiceTrigger.framework
    • WirelessDiagnosticsSupport.framework
    • XMPPCore.framework
    • XPCObjects.framework
    • iAdCore.framework
    • iAdServices.framework
    • iPodUpdater.framework
    • iTunesAccess.framework
    • perfdata.framework
    • zudp.framework
  • Volume II is on track, and I hope this list makes you appreciate why I kept it for last :-) Expect unprecedented coverage of XNU kernel internals!

    Stay tuned for Joker updates - the next one is a big one, and will support XNU from version 1469 to 49xx :-). Also, the entitlement database will get an update soon.

    (Advertisement) I'll be covering updated material for OS X 10.14 and iOS 12 at Our iOS/OS X for Reverse Engineers Course on July 9th, 2018 in SFO! It'll be a blast!