Notes from iOS 8 and the OS X 10.10 Preview

Jonathan Levin, http://newosxbook.com/ - 9/19/14

0. Changelog

6/5/14:First version
6/7/14:Updated with OS X part (after installing 10.10 in a VM)
8/14/14:Updated with DP4 findings
9/19/14:Updated with DP8, and iOS8 findings - lots on frameworks and daemons. Also notes on launchd

Check out @Technologeeks tweets, or the RSS Feed for updates - I'll add more as I go along.. Feel free to shoot any comments/questions to info@

About

I had contemplated signing up for the OS X 10.10 open Beta program, but after seeing the license agreement opted against it. Fortunately, the OS X 10.10 and XCode 6 DP1 are both out there, in the vast reaches of the 'net. This note summarizes my findings (about internals only, not Cocoa level and other APIS) so far:

1. iOS 8

2. OS X

  • No more /mach_kernel which makes sense - boot.efi looks for /system/library/Caches/com.apple.kext.caches/Startup/kernelcache anyway. The barebones kernel is still around - /System/Library/Kernels/kernel (renamed)
  • kernelcache is compressed with lzvm: The iOS kernelcache was always compressed, and seems like OS X is taking a page from that book. The kernelcache is a single architecture FAT binary (really, Apple - thin it! You don't support i386 anymore! Or are you reluctant to touch boot.efi?), and its header (once thinned) reads "complzvn" (traditionally had complzss). This is a bummer, since the standard lzssdec can't decompress it. The code is probably somewhere in boot.efi, though that will require disassembling.. *sigh*.. Probably not worth it since the Kexts are still in /System/Library/Extensions and the kernel proper is still accessible (and Apple will release the code for this eventually..)
  • kernel has some 19681 (DP)19882 (DP8) symbols as opposed to 10.9's 18378 (and 10.8's 17047). There's still an LC_FUNCTION_STARTS, and that helps too.
  • Symbol diffs point to the following:
    • Code signing has been changed: @TODO on the following: 
      > _cs_entitlement_flags
> _cs_find_blob
> _cs_library_val_enable
> _cs_require_lv
> _csblob_get_teamid
> _csfg_get_path
> _csfg_get_platform_binary
> _csfg_get_teamid
> _csproc_get_platform_binary
> _csproc_get_teamid
> _csr_check
> _csr_get_active_config
> _csr_get_pending_config
> _csr_init
> _csr_set_allow_all
> _csrctl
> _csvnode_get_teamid
    • AMFI is in OS X!!! - AppleMobileFileIntegrity.kext, sworn enemy of Jailbreakers everywhere, is now also in OS X - Along with its user mode lackey, amfid! Is OS X going to get the same lockdown as iOS?
    • Changes to /usr/libexec:
      Removed:
      • AOSNotificationAgent
      • AOSNotificationLoginAgent
      • MRT
      • ServerPerfLog
      • StartupItemContext
      • WiFiKeychainProxy
      • amsdstat
      • aosnotifyd - replaced by findmydeviced, probably
      • docsetbless
      • docsetinstalld
      • launchdadd (launch services API is undergoing partial deprecation)
      • launchproxy
      • launchproxyls
      • lsboxd
      • logsyswritesd
      • nsnetworkd
      • opendirectorypdbconfig
      • rpmuxd
      • spindump_symbolicator
      • taskinfo (Update: Just Moved to /usr/bin! (*WHEW*) I love that command!)
      • transition (useless MobileMe mover, if anyone ever used that..)
      • tzlinkd
      • xpcd (no great loss)
      Added::
      • Added:
      • amfid (We meet again, old friend!!!!)
      • awacsd (moved from /usr/sbin - apple Wide Area Connectivity Service Daemon)
      • coreduetd (uses the private CoreDuet framework - Apple: you meant admission, not admisison..)
      • diagnosticd
      • discoveryd (the one daemon to bind DNS and mDNS)
      • discoveryd_helper
      • feedback
      • findmydeviced - replaces aosnotifyd, probably
      • fmfd (Find my friends?)
      • gamecontrollerd
      • iCloudStats
      • neagent (All ne's are NetworkExtension)
      • nehelper (q.v. com.apple.nehelper.plist)
      • nesessionmanager
      • nsurlsessiond - probably supports new iCloud features
      • nsurlstoraged - ditto (iCloud)
      • osaapplet - Go AppleEvents!
      • otherbsd (part of libxpc)
      • rtcreportingd
      • secinitd - Security Policy init daemon, called via xpc from libsystem_sandbox - closed source, no project. @TODO: touch /var/db/.debug_secinitd for debug info..
      • smcupdater
      • smd
      • thermald
      • watchdogd
      • webinspectord
    • Personal observation: I wouldnt be surprised if AAPL does release an iWatch and its main differentiator from the other smart watches is that it would seamlessly enable full voice calls from the watch, or Mac, or Apple i* via BT or WiFi, kind of like Inspector gadget. The handoff feature and network extensions kind of point to it being an obvious use. Update: Nope. No surprise here :-)
    • Launchd has a new key (at least, not that I've seen before): com.apple.fsevents.matching. Used by nehelper. Can be super useful..
    • Coalition support has been added: This is also a new syscall. I'm assuming (shooting in the dark here) that coalitions are tasks working together, possible sharing the same ledger. There's a _proc_pidcoalitioninfo, likely a subset of my favorite (undocumented) syscall, proc_info, which I aim to investigate.. (@TODO: powermetrics and sysmond for coalition_info_resource_usage). Not to mention syscall #458/459 (see below), wrapped by libSystem's coalition_[create|terminate|reap]. There's also a special host port for it now (#22)
    • Support for banks: which are related to ledgers, vouchers and resource control, no doubt
    • ipc_importance apis, donors and receivers - refining those of 10.9
    • Hypervisor APIs: hv_[get/set]_[thread/task]_target, and IOHypervisorClient. Also kern.hv_support
    • More refinements to memorystatus: (you might want to check out this article) 
      > _memorystatus_available_pages
> _memorystatus_available_pages_critical
> _memorystatus_available_pages_pressure
> _memorystatus_bg_pressure_eligible
> _memorystatus_frozen_count
> _memorystatus_is_foreground_locked
> _memorystatus_send_low_swap_note
> _memorystatus_send_pressure_note
> _memorystatus_suspended_count
> _memorystatus_warn_process
    • Support for Interrupt Accounting (should prove useful)
    • IOReporting (introduced silently in 10.9) is used by BT and Interrupt. You can see this with ioreg -l -f
    • sfi (also syscalls 456/457) - use by thermald - likely, selective forced idle. Wrapped by system_get/set_sfi_window, and _get/sfi_set_class_offtime (for 456), and _sfi_process_get/set_flags (457, sfi_pidctl)
    • while on the subject of thermald -- libpmenergy and libpmsample (in /usr/lib) look interesting. They're really aggressive with power management in this release.. (@TODO: check out machdep.xcpm thermal sysctls)
    • Swap Garbage collection (Hallelujah!)
    • Multipath TCP(!!!!) 
      Mes-Mac:~ morpheus$ sysctl -a | grep mpt
net.inet.mptcp.enable: 1
net.inet.mptcp.debug: 0
net.inet.mptcp.mptcp_cap_retr: 2
net.inet.mptcp.dss_csum: 0
net.inet.mptcp.fail: 1
net.inet.mptcp.keepalive: 840
net.inet.mptcp.mpprio: 1
net.inet.mptcp.remaddr: 1
net.inet.mptcp.fastjoin: 1
net.inet.mptcp.rwnotify: 0
net.inet.mptcp.verbose: 0
net.inet.mptcp.pcbcount: 0
net.inet.mptcp.sk_lim: 16
net.inet.mptcp.delayed: 0
net.inet.mptcp.rto_spikethresh: 3000
net.inet.mptcp.rto: 3
net.inet.mptcp.nrto: 3
net.inet.mptcp.tw: 60

    • 1+2: Both OS X and iOS: