Notes from iOS 12 the MacOS 14 Preview

Jonathan Levin, http://newosxbook.com/ - 06/09/15

0. Changelog

6/9/18:	First version
8/21/18:	Catching up with Beta 9
9/15/18:	Catching up with the final, and the iPhone11

About

Continuing an ongoing tradition I somehow forgot last year...

This is a VERY rough listing, which tracks what I do to figure out diffs. Commands are raw and largely unedited. This is not meant to be A) comprehensive B) overly legible. You want a simple explanation of diffs, wait for an update to MOXII 2. You want raw findings, read on. Feedback welcome.

1. Both (XNU)

xnu 4900 - a leap from 4570
XNU seems to have stabilized around 4903.200 - and the betas just imply bug fixes.
struct proc has changed yet again :-( Sucks for those hard-coded offsets (but not for QiLin, which I will be updating soon)
Memory management updated (There will be no Armageddon!). Finer kalloc.224, 368,400, 768, 1664 and 6144. New Zcache mechanism is apparently magazine based, drawing on ideas from Hoard, apparently. Still needs more research (and I'm glad Volume II comes after Darwin 18.. :-)

Further improvements to skywalk, includings arenas and regions, new sysctls: (there are other sysctls, these are just the SK ones)

 _sysctl__kern_skywalk_flowswitch
 _sysctl__kern_skywalk_flowswitch_children
 _sysctl__kern_skywalk_flowswitch_multistack
 _sysctl__kern_skywalk_flowswitch_multistack_children
 _sysctl__kern_skywalk_flowswitch_multistack_flow_route_expire
 _sysctl__kern_skywalk_flowswitch_multistack_ipfm_frag_ttl
 _sysctl__kern_skywalk_flowswitch_multistack_ipfm_timeout_tcall_ival
 _sysctl__kern_skywalk_stats_flow_route

New Code Signing functions:
- _cs_process_enforcement
- _cs_process_enforcement_enable
- _cs_process_global_enforcement
- _cs_system_enforcement - instead of cs_enforcement
- _cs_system_enforcement_enable
- _csfg_get_identity
- _csfg_get_platform_identifier
- _csproc_check_invalid_allowed
- _csproc_disable_enforcement
- _csproc_forced_lv
- _csproc_get_platform_identifier
- _csproc_hardened_runtime
- _csproc_mark_invalid_allowed
- _csvnode_get_platform_identifier

#define CS_RUNTIME                                    0x00010000  /* Apply hardened runtime policies */

CS_EXECSEG_SKIP_LV is obsolete now

CSSLOT_IDENTIFICATIONSLOT = 0x10001,
CSSLOT_TICKETSLOT = 0x10002,

Exceptions now have a ServerSecToken
Mach Trap #40 - kernelrpc_mach_port_get_attributes_trap
New MIG:
- mach_host_subsystem: adds support for zones (incorrectly referred to as the "kernel heap"), to make Feng Shui easier:
  - 231. skip
  - 232. mach_zone_info_for_zone
  - 233. mach_zone_info_for_largest_zone
  - 234. mach_zone_get_zlog_zones
  - 235. mach_zone_get_btlog_records
  These are still not part of mach_host.defs. Sneaky, guys. Sneaky.
- mach_port_special_reply_port_reset_link" (#3236)
- vm_map_exec_lockdown (#3831) - WHOA. AMCC for userspace??
- device (iokit):
  - ```
  routine io_device_tree_entry_exists_with_name(
              master_port         : mach_port_t;
          in  name                : io_name_t;
          out exists              : boolean_t
          );
```
New mac checks:
- mac_proc_notify_exec_complete - claimed by AppleSystemPolicy.kext
- mac_vnode_check_trigger_resolve

Host special ports: #16 (formerly CHUD) is recast as launchctl, #29 added for syspolicyd

#define HOST_LAUNCHCTL_PORT             (9 + HOST_MAX_SPECIAL_KERNEL_PORT)
#define HOST_RESOURCE_NOTIFY_PORT       (20 + HOST_MAX_SPECIAL_KERNEL_PORT)
#define HOST_CLOSURED_PORT              (21 + HOST_MAX_SPECIAL_KERNEL_PORT)
#define HOST_SYSPOLICYD_PORT            (22 + HOST_MAX_SPECIAL_KERNEL_PORT)

The system call table shows ~~one~~ two more syscalls: (#530): kqueue_workloop_ctl, likely meant for exclusive use by libdispatch, and mach_bridge_remote_time (#531) : likely for MacOS ~~only~~ so as to get time from BridgeOS. Also present in *OS variants, though.

New object - turnstiles - likely scheduling/QoS related - just seeing this now for first time: More kdebug events show the turnstile lifestyle. This seems to be another BSD "inspiration". I'm adding this into Volume II.

./sys/kdebugevents.h:        {0x35100004, "TURNSTILE_thread_added_to_turnstile_waitq"},
./sys/kdebugevents.h:        {0x35100008, "TURNSTILE_thread_removed_from_turnstile_waitq"},
./sys/kdebugevents.h:        {0x3510000c, "TURNSTILE_thread_moved_in_turnstile_waitq"},
./sys/kdebugevents.h:        {0x35100010, "TURNSTILE_turnstile_added_to_turnstile_heap"},
./sys/kdebugevents.h:        {0x35100014, "TURNSTILE_turnstile_removed_from_turnstile_heap"},
./sys/kdebugevents.h:        {0x35100018, "TURNSTILE_turnstile_moved_in_turnstile_heap"},
./sys/kdebugevents.h:        {0x3510001c, "TURNSTILE_turnstile_added_to_thread_heap"},
./sys/kdebugevents.h:        {0x35100020, "TURNSTILE_turnstile_removed_from_thread_heap"},
./sys/kdebugevents.h:        {0x35100024, "TURNSTILE_turnstile_moved_in_thread_heap"},
./sys/kdebugevents.h:        {0x3510002c, "TURNSTILE_thread_not_waiting_on_turnstile"},
./sys/kdebugevents.h:        {0x35200004, "TURNSTILE_turnstile_priority_change"},
./sys/kdebugevents.h:        {0x35300004, "TURNSTILE_turnstile_prepare"},
./sys/kdebugevents.h:        {0x35300008, "TURNSTILE_turnstile_complete"},

Blocks can now be used in kernel mode (for IOKit workloops, possibly elsewhere
Major work on workqueues - no doubt the performance improvements that were mentioned in WWDC keynote

New object: priority_queue - kern/priority_queue.h has a very detailed comment explaining this:

/*
 * A generic priorty ordered queue implementation based on pairing heaps.
 *
 * Reference Papers:
 * - A Back-to-Basics Empirical Study of Priority Queues (https://arxiv.org/abs/1403.0252)
 * - The Pairing Heap: A New Form of Self-Adjusting Heap (https://www.cs.cmu.edu/~sleator/papers/pairing-heaps.pdf)
 *
 * The XNU implementation is a basic version of the pairing heap. It allows for O(1) insertion and amortized O(log n)
 * deletion. It is not a stable data structure since adding stability would need more pointers and hence more memory.
 *
...

New Mach pager! The shared_region_pager - finally, Apple seems to be addressing the DYLD shared cache design flaws - Mazal Tov! (But we're not there yet)

2. Both (Usermode)

libxpc now at 1336 (from 1205). New xpc_event_publisher type. Supported by launchd.plist PublishesEvents
launchd's __TEXT.__bs_plist is now __TEXT.__config - but still runs shell scripts in MacOS (*Sigh*).
GCD (libdispatch) at 1008 (from 913)
DYLD jumps up to 625 (from 519..) and is now with new bind opcodes (well, subopcode 0xd0) to support table size definition as ULEB and threaded_apply. Jtool2 supports this already.

. Seems closured is still dead. Shared cache format changes .. again:

jtool -h /Volumes/PeaceSeed16A5288q.D10D101D20D201DeveloperOS/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64 
File is a shared cache (arm64) containing 1381 images (use -l to list)
Header size: 0xf8 bytes
UUID: 0FBF59AF-A545-3853-B824-C6C07B9EEFB7
Got gap of 64 bytes: 0xc1230000 0x01 0xd64844 0x00 0xc1f94844 0x01 0xd994 0x00 0xc1fa4000 0x01 0x181670 0x00 0xc2125670 0x01 0xaee0 0x00 
3 mappings starting from 0x138. 1381 Images infos from 0x1c0-0xae60
mapping r-x/r-x  733MB        180000000 -> 1add50000         (0-2dd50000)
mapping rw-/rw-  145MB        1afd50000 -> 1b8e80000         (2dd50000-36e80000)
mapping r--/r--  118MB        1bae80000 -> 1c253c000         (36e80000-3e53c000)
DYLD base address: 0
Local Symbols:  0x1be53c000-0x1c91e8000 (181059584 bytes)
Code Signature: 0x1c91e8000-0x1c9b0c000 (9584640 bytes)
Branch Pool:    0x180000198-0x1800001c0 (5 entries)
Accel info:     0x1c11f4000-0x1c1230000  (245760 bytes)
Images Text Info: 0x18000ae60-0x180015b00 (1381 entries)
Slide info:     0x1b6e80000-0x1b6e94000 (81920 bytes)
Dylib ImageGroups: 0x0-0x0 (0 bytes)
Other ImageGroups: 0x0-0x0 (0 bytes)
Closures: 0x1c2134000-0x1c2530bb8 (4180920 bytes)
Closures Trie: 0x1c2530bb8-0x1c253a1c0 (38408 bytes)
Platform: 2, Format: 10
Shared Region: 0x180000000-0x280000000 (4294967296 bytes)

The gap shows new fields - 0x1c1230000 (right after Accel info), 0x1c1f94844, 0x1c1fa4000, 0xc2125670. Still don't know what they are. IDA will probably crash on them. But jtool is still fine, thank you for asking :-)

New platform: PLATFORM_IOSMAC (6)
New section type - S_INIT_FUNC_OFFSETS (0x16)
Code signature format is now 2.5 (0x20500).. I'll need to update format when I reverse it.. Contains new runtime flag - from the looks of things iOS still uses 0x20400.
New opcodes (apparently only in iOS.sdk:
- BIND_OPCODE_THREADED (0xD0)
- BIND_SUBOPCODE_THREADED_SET_ORDINAL_TABLE_SIZE_ULEB (0x00)
- BIND_SUBOPCODE_THREADED_APPLY (0x01)
LC_BUILD_VERSION finally default instead of LC_VERSION_MIN_xxxOS : Set automatically with -m...version-min setting to Darwin 18 flavors
Fun new memory tags for CoreMedia (92-96)

#define VM_MEMORY_CM_XPC 92

#define VM_MEMORY_CM_RPC 93

#define VM_MEMORY_CM_MEMORYPOOL 94

#define VM_MEMORY_CM_READCACHE 95

#define VM_MEMORY_CM_CRABS 96

/* memory allocated for QuickLookThumbnailing */
#define VM_MEMORY_QUICKLOOK_THUMBNAILS 97

/* memory allocated by Accounts framework */
#define VM_MEMORY_ACCOUNTS 98

Thread groups
pthread_mutexattr_[get/set]Policy_np. Once again improving QoS
proc_info further extended with PROC_LISTTHREADIDS and proc_udata_info.

A couple of audit (BSM) subsystem changes. This will be useful for my SuPRAudit

// New IOCTLs:
#define       A_GETCTLMODE    41
#define       A_SETCTLMODE    42
#define       A_GETEXPAFTER   43
#define       A_SETEXPAFTER   44

/*
 * Reserved audit class mask indicating which classes are unable to have
 * events added or removed by unentitled processes.
 */
#define AU_CLASS_MASK_RESERVED 0x10000000


/*
 * Audit control modes
 */
#define AUDIT_CTLMODE_NORMAL ((unsigned char)1)
#define AUDIT_CTLMODE_EXTERNAL ((unsigned char)2)

/*
 * Audit file expire_after op modes
 */
#define AUDIT_EXPIRE_OP_AND ((unsigned char)0)
#define AUDIT_EXPIRE_OP_OR ((unsigned char)1)

typedef       unsigned char   au_ctlmode_t;
struct au_expire_after {
      time_t age;             /* Age after which trail files should be expired */
      size_t size;    /* Aggregate trail size when files should be expired */
      unsigned char op_type; /* Operator used with the above values to determine when files should be expired */
};
typedef struct au_expire_after au_expire_after_t;

... lots more - just haven't gotten to it yet

3. iOS 12

The A12 and the S4 (Watch) support the ARMv8.3 instruction set. Bye bye ROP.. it's time to up the ante on exploitation. All user mode binaries on the A12 image are compiled for ARM64e (new architecture, with Mach-O cpusubtype 2), and the kernel, needless to say, as well. JTool2 supports these instructions, as does disarm.

The A12 also has APRR, which is handled by pmap functions. I believe (but don't know 100% if) it's implementing the vm_map_exec_lockdown, for dynamic, revocable, address page readonly regions, as an enhancement to the already annoying KTRR. I have seen references from CPU start/resume code and handling of PINST (protected instructions) but need to dig deeper.

1469 is the new 4903: The kernelcache.release.iphone11 is now compiled in what I call the "1469" kernelcache format (owing to a mistake in the build process by some Apple engineer). Long story short is, all kernel pointers are tagged and in some cases coded (e.g. mach_trap_table and _sysent) are coded as tagged offsets. Additionally, the kernelcache format has changed. Now would be a good time to read Brandon's detail writeup on this. He speculated this is for iBoot. I speculate this is because of the ARMv8.3 PAC requirements.

Springboard MIGs have changed:

jtool2 -q -d __DATA.__const /Volumes/PeaceSeed16A5288q.D10D101D20D201DeveloperOS/System/Library/CoreServices/SpringBoard.app/SpringBoard| grep "MIG Sub"
Dumping 240144 bytes from 0x10081fd00 (Offset 0x81fd00):
0x10082bc30:      0x1000db4f8         	MIG Subsystem 2000000: Dispatcher 
0x10082bc38:    0x1e8480       0x1e84dd   	MIG Subsystem 2000000: 93 messages  ## Was 104 in 11!
0x10082bc40:    0x42c         0x0 	MIG Subsystem 2000000: Msg size 1068 bytes
0x1008376d8:      0x100230f04         	MIG Subsystem 1000000: Dispatcher 
0x1008376e0:    0xf4240       0xf4241   	MIG Subsystem 1000000: 1 messages
0x1008376e8:    0x28         0x0 	MIG Subsystem 1000000: Msg size 40 bytes
0x10083a528:      0x100290060         	MIG Subsystem 4000000: Dispatcher 
0x10083a530:    0x3d0900       0x3d0909   	MIG Subsystem 4000000: 9 messages  ## Was 10 in 11
0x10083a538:    0x42c         0x0 	MIG Subsystem 4000000: Msg size 1068 bytes
0x1008441c0:      0x1003bc884         	MIG Subsystem 6000000: Dispatcher 
0x1008441c8:    0x5b8d80       0x5b8d81   	MIG Subsystem 6000000: 1 messages
0x1008441d0:    0x38         0x0 	MIG Subsystem 6000000: Msg size 56 bytes

OTA format is changed again. I swear, it's like AAPL is personally trying to make me miserable. Now there's .ecc files along with the normal .0## pbzx files. You can still use pbzx and ota on each of the individual payload files.

iBoot/LLB/SEP still encrypted, despite the other components being "decrypted for performance".. Right.

libvminterpose (which was empty to begin with) is gone

/System/Library now has the following new subdirectories:

BulletinDistributor
CardKit
CardServices
CoreAS
CoreImage
MediaCapture
OnBoardingBundles
PPM
RelevanceEngine
UserNotifications
VideoCodecs
VideoDecoders
VideoEncoders

New LaunchDaemons:

com.apple.AppleCredentialManagerDaemon.plist
com.apple.PerfPowerServicesExtended.plist
com.apple.ReportMemoryException.plist
com.apple.SCHelper.plist
com.apple.UsageTrackingAgent.plist
com.apple.abm-helper.plist
com.apple.aoplogd.capture.plist
com.apple.ap.adprivacyd.plist
com.apple.ap.adservicesd.plist
com.apple.applecamerad.plist
com.apple.contextstored.plist
com.apple.corespotlightservice.plist
com.apple.filesystems.apfs_defragd.plist
com.apple.gpsd.plist
com.apple.iomfb_bics_daemon.plist
com.apple.mobile.heartbeat.plist
com.apple.mobiletimerd.plist
com.apple.nfrestore.plist
com.apple.parsec-fbf.plist
com.apple.progressd.plist
com.apple.ptpd.plist
com.apple.remotemanagementd.plist
com.apple.securityuploadd.plist
com.apple.sidecar-relay.plist
com.apple.siriactionsd.plist
com.apple.wwfe.waved.plist
com.apple.xartstoraged.plist

New Daemons/executables: (These could be a bit wrong because I diff'ed between different i-Devices of 11 and 12..)

abm-helper
activity-widget
adprivacyd
adservicesd
apfs_condenser
applecamerad
appstored
ckksctl
contextstored
footprint
gpsd
intents_helper
mobile_house_arrest
mobiletimerd
nanomediaremotelinkaagent
nfrestore_service
progressd
prototyped
resdagent
relevanced
remotemanagementd
scrod
securityuploadd
siriactionsd

AMFI.kext ~~seems to be~~ is significantly hardened - fake signed objects now need to have a non-empty CMS (RFC3852) blob (i.e. blob size > 8). There's also an insistence on 0xfade0b01, apparently. There's also something referred to as "CT validation". This ties in to a new Kext - CoreTrust (com.apple.kext.CoreTrust) - a brand new kext verifying trusted CAs (Apple iPhone Certification Authority and Apple Code Signing Certification Authority). This is a major change. I'll update when I get to inspect it.

While on the subject of new kexts - AppleImage4 (com.apple.security.AppleImage4) is also a new addition, providing Img4 handling services (read: TrustCaches, etc) in kernel

Specific trust caches for each of the three DMGs

Also, significant code added for trust caches:

_pmap_initialize_legacy_static_trust_cache
_pmap_is_trust_cache_loaded
_pmap_load_trust_cache
_pmap_lookup_in_static_trust_cache

Trust cache structure format now documented in kern/trustcache.h

(of course it is MUCH easier to just DO AWAY WITH LOADED TRUST CACHES. But AAPL never seemed to go for simple, eh?)

4. MacOS

Still no multinode, damnit

/System/iOSSupport contains iOS frameworks, compiled for x86_64. This is very similar to the iOS Simulator, but bridges to native frameworks instead. Apple links select apps (e.g. News) with /System/iOSSupport/System/Library/Frameworks/UIKit.framework/Versions/A/UIKit (which reexports UIKitCore) and then the UI* apis bridge to NS* ones. Super cool.

LC_BUILD_VERSION now also has MacOS/iOS hybrid (6). News.app and a bunch of others have this

libMobileGestalt.dylib is on the Mac at last!! Probably as part of the iOS support, but its location (/usr/lib) implies it might be used regularly! I have to check this out. It's one of my favorite libraries. A large part of the keys actully work the same way. Cool!

New MACF Policy:

   69    0 0xffffff7f81210000 0x6000     0x6000     com.apple.AppleSystemPolicy (1.0) 8D...831 <30 7 6 5 4 3 2 1>

This calls up to /usr/libexec/syspolicyd , which has been extended with two new ports:

	<dict>
		<key>com.apple.security.AppleSystemPolicy.mig</key>
		<dict>
			<key>HostSpecialPort</key>
			<integer>29</integer> 
		</dict>
		<key>com.apple.security.syspolicy.kext</key>
		<true/>
		<key>com.apple.security.syspolicy.exec</key>
		<true/>
		<key>com.apple.security.syspolicy</key>
		<true/>
	</dict>

The ..mig port is the upcall port from the kext. The ..exec port should prove interesting :-). Hopefully AAPL will restrict the system policy database properly this time around

The syspolicyd has doubled in size. The new MIG upcalls use subsystem 18600:

jtool -d __DATA.__const syspolicyd | grep MIG                                     
Dumping from address 0x100028920 (Segment: __DATA.__const) to end of section
Address : 0x100028920 = Offset 0x28920
0x1000299d8: a8 48 00 00 aa 48 00 00 MIG subsystem 18600 (2 messages)
0x1000299f8: 73 91 01 00 01 00 00 00  func_100019173  (MIG_Msg_18600_handler) -> 0x100010e5c
0x100029a20: 0e 93 01 00 01 00 00 00  func_10001930e  (MIG_Msg_18601_handler) -> 0x100010980 
		checks team_id/signing_id/cdhash

ContainerManagerd makes its MacOS debut. This is potentially big. Man page says it works "in concert" with sandboxd. This is unlike *OS, wherein there is no more sandboxd and a dedicated containermanager host special port is used instead.

New commands (at least, with man pages):

CSCSupportd.8
PerfPowerServices.8
PerfPowerServicesExtended.8
ReportMemoryException.8
SafeEjectGPU.8 - External GPU support
ScriptMenu.8
ServicesUIAgent.8
SidecarRelay.8
SoftwareUpdateNotificationManager.8
UsageTrackingAgent.8
apfsd.8 - not new, but finally with a paltry manpage
appstoreagent.8
atsd.8
bosreporter.8 - /System/Library/PrivateFrameworks/BridgeOSInstallReporting.framework/Versions/A/Resources/
boswatcher.8 - /System/Library/PrivateFrameworks/BridgeOSInstallReporting.framework/Versions/A/Resources/
cdutil.8
containermanagerd.8
icdd.8
mapspushd.8
parsec-fbf.8
security-checksystem.8
statskit.8
ticketd.8
tsig-keygen.8
usbcupdater.8
CoalitionIO.1
assertiontool.1
delv.1
intfrag.1
navtesttool.1
powerd.1
remotemanagementd.1
securityuploadd.8
silhouette.8
swd.1
symbolscache.1
umtest.1

New Public frameworks:

AdSupport.framework
BusinessChat.framework
NaturalLanguage.framework
Network.framework
UserNotifications.framework
VideoSubscriberAccount.framework
iTunesLibrary.framework

New (or ~~removed~~) Private frameworks:

AXCoreUtilities.framework
AXMediaUtilitiesService.xpc
AccessibilityPlatformTranslation.framework
AdAnalytics.framework
AdCore.framework
AdID.framework
AddressBookCore.framework
AggregateDictionary.framework
AggregateDictionaryHistory.framework
AppStoreDaemon.framework
AppStoreUI.framework
AppSupport.framework
AppleAccount.framework
AppleMediaServices.framework
AssertionServices.framework
~~Assistant.framework~~
AutoBugCaptureCore.framework
BackBoardServices.framework
BaseBoard.framework
BluetoothManager.framework
BridgeOSInstallReporting.framework
BulkSymbolication.framework
C2.framework
Categories.framework
ClassroomKit.framework
ConditionInducer.framework
ConfigurationEngineModel.framework
ConversationKit.framework
CoreHAP.framework
~~CoreInterest.framework~~
CreateML.framework
DAAPKit.framework
~~DMNotification.framework~~
DataAccessExpress.framework
DeviceIdentity.framework
~~DigiHubPreference.framework~~
FMClient.framework
FontServices.framework
FrontBoardServices.framework
GPUWrangler.framework
GraphicsServices.framework
HMFoundation.framework
HomeKit.framework - (Craig did say HomeKit is coming to Mac)
HomeKitDaemon.framework
~~ICALogging.framework~~
KnowledgeMonitor.framework
LimitAdTracking.framework
MetadataUtilities.framework
MobileActivation.framework
MobileBluetooth.framework
MobileContainerManager.framework
NanoRegistry.framework
NetAppsUtilities.framework
~~Network.framework~~
OnBoardingKit.framework
PLShutdown.framework
PersonalizationPortraitInternals.framework
PhotoFoundation.framework
PhotoVision.framework
PhotosFormats.framework
PhotosImagingFoundation.framework
PowerLog.framework
PowerlogControl.framework
PowerlogDatabaseReader.framework
PrototypeTools.framework
QuickLookNonBaseSystem.framework
ROCKit.framework
RemoteManagement.framework
~~RemotePacketCapture.framework~~
RemoteTextInput.framework
SafariFoundation.framework
SafeEjectGPU.framework
SampleAnalysis.framework
ScreenReaderCore.framework
Sentry.framework
SidecarCore.framework
StatsKit.framework
StoreServices.framework
~~SymptomDiagnosticManagement.framework~~
TextToSpeech.framework
TransparencyDetailsViewMac.framework
TuriCore.framework
UIKitHostAppProtocols.framework
UIKitHostAppServices.framework
UIKitSystemAppServices.framework
URLFormatting.framework
UsageTracking.framework
UserManagement.framework
~~UserNotifications.framework~~
~~VideoSubscriberAccount.framework~~
VoiceServices.framework
~~VoiceTrigger.framework~~
~~WirelessDiagnosticsSupport.framework~~
~~XMPPCore.framework~~
~~XPCObjects.framework~~
iAdCore.framework
iAdServices.framework
iPodUpdater.framework
~~iTunesAccess.framework~~
perfdata.framework
zudp.framework

Volume II is on track, (Yes, even now, as of August 21^st) and I hope this list makes you appreciate why I kept it for last :-) Expect unprecedented coverage of XNU kernel internals! I'll need the XNU open sources, though.

Stay tuned for Joker updates - the next one is a big one, and will support XNU from version 1469 to 49xx :-). Also, entitlement database will get an update soon, as well

(Advertisement) I'll be covering updated material for OS X 10.14 and iOS 12 at Our iOS/OS X for Reverse Engineers Course on ~~July 9^th , 2018 in SFO!~~ Dec 10^th, in NYC - it'll be a blast!