Notes from TvOS 9.0
Jonathan Levin (@Morpheus______), http://www.newosxbook.com/
0. Changelog
- 04/03/2016 - Initial
- 06/03/2016 - Added kextstat
1. About
A couple of weeks ago I concluded the informal OTA "trilogy" by pointing out one can basically re-create the entire system partition of TvOS, with or without a public jailbreak, due to AAPL's curious decision to provide a non-diff'ed OTA image. This is great for static analysis, but to really get an idea of which files are tapped, which processes communicate with which, and under what circumstances, nothing beats dynamic analysis.
TvOS is one of the reasons the 2nd edition of MOXiI is running behind schedule. I really want to cover it (but not the Watch. Ewww), and it has now become possible to do so. I've already conducted a fair amount of research into it, pouring findings into the book. But as that's delayed - and with four hours to kill at Changi (having narrowly averted World War III ;-) - I figured I'd post some high-level analysis. There's deeper stuff, but you'll have to wait (a bit longer) for MOXiI 2nd for that.
Just in case the Stasi accuse me of anything - I am neither "pirating" TvOS nor providing any exploits which may lead to Wassenar or some other crazy legislation nobody cares about. Maybe some people should contribute freely first, and criticize later. This is just my way to compensate my readers for an ongoing delay, and deal with a delay of my own.
TvOS in a nutshell
TvOS is really a very close relative of iOS. There are, however, changes. Namely:
SpringBoard, the UI, has been replaced by the dynamic duo ofPineBoard/HeadBoard- Far less built-in Apps, as one can see from the OTA.
- The main interface of choice is Siri, and that cute remote, which provides essentially similar MultiTouch support, but via a pointer. There's HID over BlueTooth, which I'm sure will entertain many in the years to come.
- Slightly different Kernel Extension (kext) composition
However, it is very very close to iOS. In fact, that processor in there is pretty much the same as an iPhone 6 (A8). Apple could have made it even smaller by producing an iPhone with an HDMI-out :-P
Default Apps
The default apps can easily be seen from the TvOS image. Unlike iOS, wherein there are dozens (and most are SBAppTags Hidden), TvOS has under 20:
AdSheetTV.app SiriViewService.app TVDiagnostics.app
HeadBoard.app StoreDemoViewService.app TVGameCenterUIService.app
PBLinkHandler.app TVAirPlay.app TVHomeSharing.app
PineBoard.app TVAppStore.app TVIdleScreen.app
Podcasts.app TVCRDService.app TVPeripheralAgent.app
Setup.app TVConferenceRoomDisplay.app TVSearch.app
The names are actually self explanatory (CRD = ConferenceRoomDisplay), and as you can see there are two types of Apps - Apps and "Services". This follows and expands on the iOS Model, allowing the pop up of a UI on top of or during another App. I couldn't find TVPeripheralAgent and TVSearch, which do exist in the 9.0 image - but not in the 9.2 OTA, so maybe it has been removed.
The apps that actually seem to run are:
root@AppleTV (/)# ps | grep /Applica | more
501 33 1 0 5:44PM ?? 0:00.05 /Applications/TVPeripheralAgent.app/TVPeripheralAgent
501 46 1 0 5:44PM ?? 0:02.09 /Applications/PineBoard.app/PineBoard
501 100 1 0 5:44PM ?? 0:00.59 /Applications/HeadBoard.app/HeadBoard
501 101 1 0 5:44PM ?? 0:00.29 /Applications/TVAirPlay.app/TVAirPlay
501 111 1 0 5:44PM ?? 0:00.07 /Applications/TVPhotos.app/PlugIns/TVPhotosTopShelfExtension.appex/TVPhotosTopShelfExtension
501 112 1 0 5:44PM ?? 0:00.22 /Applications/TVPhotos.app/TVPhotos
501 113 1 0 5:44PM ?? 0:00.15 /Applications/TVSystemBulletinService.app/TVSystemBulletinService
501 116 1 0 5:44PM ?? 0:00.06 /Applications/TVHomeSharing.app/PlugIns/TVHomeSharingTopShelfExtension.appex/TVHomeSharingTopShelfExtension
501 125 1 0 5:45PM ?? 0:01.60 /Applications/TVSearch.app/TVSearch
501 130 1 0 5:49PM ?? 0:06.23 /Applications/TVIdleScreen.app/TVIdleScreen
Daemons:
No shortage of those, and very close to stock iOS. We have the usual cadre of
root@AppleTV (/)# ps -ef | grep libexec 0 23 1 0 5:44PM ?? 0:05.14 /usr/libexec/UserEventAgent (System) 0 27 1 0 5:44PM ?? 0:00.09 /usr/libexec/fseventsd 0 32 1 0 5:44PM ?? 0:00.68 /usr/libexec/configd 501 36 1 0 5:44PM ?? 0:00.07 /usr/libexec/atc 0 39 1 0 5:44PM ?? 0:00.01 /usr/libexec/keybagd -t 15 501 44 1 0 5:44PM ?? 0:00.04 /usr/libexec/installd 501 49 1 0 5:44PM ?? 0:02.97 /usr/libexec/airtunesd 501 51 1 0 5:44PM ?? 2:23.88 /usr/libexec/backboardd 501 53 1 0 5:44PM ?? 0:00.09 /usr/libexec/timed 501 54 1 0 5:44PM ?? 0:00.09 /usr/libexec/sharingd 0 55 1 0 5:44PM ?? 0:01.87 /usr/libexec/locationd 0 57 1 0 5:44PM ?? 0:00.23 /usr/libexec/assertiond 0 59 1 0 5:44PM ?? 0:01.96 /usr/libexec/lockdownd 0 69 1 0 5:44PM ?? 0:00.08 /usr/libexec/diagnosticd 501 70 1 0 5:44PM ?? 0:00.12 /usr/libexec/lsd 501 71 1 0 5:44PM ?? 0:00.02 /usr/libexec/MobileGestaltHelper 501 73 1 0 5:44PM ?? 0:00.20 /usr/libexec/corercd 501 75 1 0 5:44PM ?? 0:00.19 /usr/libexec/lockbot 64 76 1 0 5:44PM ?? 0:02.94 /usr/libexec/securityd 0 78 1 0 5:44PM ?? 0:02.16 /usr/libexec/hangtracerd 501 81 1 0 5:44PM ?? 0:00.01 /usr/libexec/misagent 24 83 1 0 5:44PM ?? 0:00.36 /usr/libexec/networkd 501 84 1 0 5:44PM ?? 0:00.33 /usr/libexec/coreduetd 0 86 1 0 5:44PM ?? 0:00.01 /usr/libexec/networkd_privileged 501 87 1 0 5:44PM ?? 0:00.25 /usr/libexec/nsurlstoraged 501 88 1 0 5:44PM ?? 0:00.22 /usr/libexec/nsurlsessiond 0 90 1 0 5:44PM ?? 0:00.03 /usr/libexec/nehelper 0 95 1 0 5:44PM ?? 0:00.08 /usr/libexec/mobileassetd 501 96 1 0 5:44PM ?? 0:00.07 /usr/libexec/atvcached 501 98 1 0 5:44PM ?? 0:00.05 /usr/libexec/adid 501 102 1 0 5:44PM ?? 0:00.09 /usr/libexec/syslog_relay 501 104 1 0 5:44PM ?? 0:00.03 /usr/libexec/notification_proxy 0 105 1 0 5:44PM ?? 0:00.02 /usr/libexec/pkd -d/var/db/PlugInKit-Annotations 0 106 1 0 5:44PM ?? 0:00.01 /usr/libexec/amfid 501 122 1 0 5:45PM ?? 0:00.34 /usr/libexec/gamed 501 131 1 0 5:49PM ?? 0:00.35 /usr/libexec/rtcreportingd 501 134 1 0 5:52PM ?? 0:00.04 /usr/libexec/afcd -r
.. And the assorted ones:
0 1 0 0 5:44PM ?? 0:01.70 /sbin/launchd
0 22 1 0 5:44PM ?? 0:01.67 /usr/sbin/syslogd
501 26 1 0 5:44PM ?? 3:00.36 /usr/sbin/mediaserverd
501 28 1 0 5:44PM ?? 0:00.30 /System/Library/PrivateFrameworks/AssistantServices.framework/assistantd
501 29 1 0 5:44PM ?? 0:00.02 /System/Library/PrivateFrameworks/FileProvider.framework/Support/fileproviderd
501 31 1 0 5:44PM ?? 0:00.04 /System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted
0 34 1 0 5:44PM ?? 0:00.10 /System/Library/CoreServices/powerd.bundle/powerd
501 35 1 0 5:44PM ?? 0:00.14 /usr/sbin/fairplayd.T2
0 38 1 0 5:44PM ?? 0:01.04 /usr/sbin/wifid
501 41 1 0 5:44PM ?? 0:00.03 /System/Library/PrivateFrameworks/FamilyNotification.framework/familynotificationd
501 43 1 0 5:44PM ?? 0:00.01 /System/Library/PrivateFrameworks/MobileSoftwareUpdate.framework/Support/softwareupdated
0 45 1 0 5:44PM ?? 0:00.06 /System/Library/PrivateFrameworks/MobileAccessoryUpdater.framework/Support/fud 30
501 47 1 0 5:44PM ?? 0:00.27 /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/identityservicesd
0 48 1 0 5:44PM ?? 0:00.04 /System/Library/CoreServices/AppleIDAuthAgent
501 50 1 0 5:44PM ?? 0:01.49 /usr/sbin/wirelessproxd
501 52 1 0 5:44PM ?? 0:00.03 /System/Library/PrivateFrameworks/AskPermission.framework/askpermissiond
501 56 1 0 5:44PM ?? 0:01.01 /usr/sbin/BTServer
501 58 1 0 5:44PM ?? 0:00.03 /System/Library/PrivateFrameworks/TVPhotoSources.framework/Support/tvphotosourcesd
65 60 1 0 5:44PM ?? 0:00.55 /usr/sbin/mDNSResponder
501 61 1 0 5:44PM ?? 0:00.03 /System/Library/PrivateFrameworks/IAP.framework/Support/iaptransportd
501 62 1 0 5:44PM ?? 0:00.07 /System/Library/PrivateFrameworks/AggregateDictionary.framework/Support/aggregated
0 66 1 0 5:44PM ?? 0:00.66 /usr/sbin/notifyd
0 67 1 0 5:44PM ?? 0:00.50 /usr/sbin/cfprefsd daemon
0 68 1 0 5:44PM ?? 0:00.05 aslmanager
241 72 1 0 5:44PM ?? 0:00.03 /usr/sbin/distnoted daemon
501 74 1 0 5:44PM ?? 0:00.05 /System/Library/PrivateFrameworks/MobileActivation.framework/Support/mobactivationd
25 77 1 0 5:44PM ?? 0:00.13 /System/Library/PrivateFrameworks/WirelessDiagnostics.framework/Support/awdd
501 80 1 0 5:44PM ?? 0:00.04 /usr/sbin/BlueTool -R
501 82 1 0 5:44PM ?? 0:00.02 /System/Library/PrivateFrameworks/TCC.framework/tccd
501 85 1 0 5:44PM ?? 0:00.49 /System/Library/PrivateFrameworks/iTunesStore.framework/Support/itunesstored
501 89 1 0 5:44PM ?? 0:00.43 /System/Library/PrivateFrameworks/ApplePushService.framework/apsd
0 91 1 0 5:44PM ?? 0:00.02 /System/Library/Frameworks/Security.framework/CloudKeychainProxy.bundle/CloudKeychainProxy
0 92 1 0 5:44PM ?? 0:00.02 /System/Library/Frameworks/Security.framework/IDSKeychainSyncingProxy.bundle/IDSKeychainSyncingProxy
501 93 1 0 5:44PM ?? 0:00.27 /System/Library/PrivateFrameworks/AuthKit.framework/akd
501 94 1 0 5:44PM ?? 0:00.57 /System/Library/Frameworks/Accounts.framework/accountsd
501 103 1 0 5:44PM ?? 0:00.14 /System/Library/PrivateFrameworks/GeoServices.framework/geod
0 107 1 0 5:44PM ?? 0:00.01 /System/Library/PrivateFrameworks/MobileSoftwareUpdate.framework/XPCServices/com.apple.MobileSoftwareUpdate.CleanupPreparePathService.xpc/com.apple.MobileSoftwareUpdate.CleanupPreparePathService
501 108 1 0 5:44PM ?? 0:00.10 /usr/sbin/BTLEServer
501 110 1 0 5:44PM ?? 0:00.04 /System/Library/PrivateFrameworks/MobileContainerManager.framework/Support/containermanagerd
501 114 1 0 5:44PM ?? 0:00.06 /System/Library/Frameworks/Metal.framework/XPCServices/MTLCompilerService.xpc/MTLCompilerService
501 115 1 0 5:44PM ?? 0:00.59 /System/Library/Frameworks/Metal.framework/XPCServices/MTLCompilerService
501 117 1 0 5:44PM ?? 0:00.06 /System/Library/PrivateFrameworks/TVHomeSharingServices.framework/Support/tvhomesharingd
0 123 1 0 5:45PM ?? 0:00.02 /System/Library/PrivateFrameworks/CoreSymbolication.framework/coresymbolicationd
501 132 1 0 5:49PM ?? 0:00.16 /System/Library/PrivateFrameworks/iCloudNotification.framework/ind
501 146 1 0 5:55PM ?? 0:00.24 /System/Library/TextInput/kbd
The UI
In place of SpringBoard, we have PineBoard.
PineBoard appears to be closely derived from SpringBoard, and handles the same services as the latter, as can be seen from procexp ... ports output:
root@AppleTV (~)# procexp 46 ports | \
grep "<-" | \ # held ports only
grep \" | \ # named ports only
PineBoard:46:0x2f1f "com.apple.frontboard.workspace" <-launchd:1:0x1b803 <-HeadBoard:100:0x4203 <-TVAirPlay:101:0x410f <-TVPhotos:112:0x3d0f <-TVSystemBulletin:113:0x3a0f <-TVSearch:125:0x4003 <-TVIdleScreen:130:0x3a03
PineBoard:46:0x3107 "com.apple.frontboard.systemappservices" <-launchd:1:0x1c303 <-mediaserverd:26:0x2d03 <-BTServer:56:0x390b <-assertiond:57:0x390b <-nsurlsessiond:88:0x3503 <-HeadBoard:100:0x3e03 <-TVAirPlay:101:0x3f03 <-TVPhotos:112:0x3b03 <-TVSystemBulletin:113:0x3803 <-TVSearch:125:0x3b03 <-TVIdleScreen:130:0x3f03
PineBoard:46:0x5a03 "com.apple.PineBoard.gsEvents" <-launchd:1:0x20efb <-backboardd:51:0x20c0f
PineBoard:46:0x5b03 "PurpleSystemAppPort" <-launchd:1:0x1b907 <-backboardd:51:0x2203b
PineBoard:46:0x5e23 "com.apple.PineBoardServices" <-launchd:1:0x1c603 <-TVPeripheralAgen:33:0x3903 <-HeadBoard:100:0x4703 <-TVPhotosTopShelf:111:0x3003 <-TVPhotos:112:0x510b <-TVSearch:125:0x4e03 <-TVIdleScreen:130:0x4903
PineBoard:46:0x9b07 "com.apple.PineBoard.UIKit.migserver" <-launchd:1:0x1bd07
PineBoard:46:0xd303 "com.apple.SBUserNotification" <-launchd:1:0x1c103
PineBoard:46:0x1130f "com.apple.bulletinboard.observerconnection" <-launchd:1:0x1c403
PineBoard:46:0x1150b "com.apple.bulletinboard.dataproviderconnection" <-launchd:1:0x1bf03 <-familynotificati:41:0x2403
PineBoard:46:0x11f03 "com.apple.bulletinboard.utilitiesconnection" <-launchd:1:0x1c503
PineBoard:46:0x12003 "com.apple.bulletinboard.serverconduitconnection" <-launchd:1:0x1bb03
PineBoard:46:0x12103 "com.apple.bulletinboard.systemstateconnection" <-launchd:1:0x1ba03
PineBoard:46:0x12203 "com.apple.bulletinboard.settingsconnection" <-launchd:1:0x1c003 <-sharingd:54:0x3607
PineBoard:46:0x12f03 "com.apple.PineBoard.BBDataProvider" <-launchd:1:0x1be03
PineBoard:46:0x13f07 "com.apple.usernotification.notificationregistrar" <-launchd:1:0x1b603
PineBoard:46:0x14003 "com.apple.usernotification.notificationscheduler" <-launchd:1:0x1c203
In particular, the PurpleSystemAppPort, com.apple.bulletinboard.* and SBUserNotification ports are the distinctive SpringBoard ports.
There is also Headboard, which holds all the running Apps' assets:
root@AppleTV (~)# procexp 101 fds
11 File descriptors: HeadBoard 101 FD 0r /dev/null @0x0
HeadBoard 101 FD 1u /dev/null @0x0
HeadBoard 101 FD 2u /dev/null @0x3d5
HeadBoard 101 FD 3u kqueue (sleep)
HeadBoard 101 FD 4r /System/Library/PrivateFrameworks/TVKit.framework/Assets.car @0x200
HeadBoard 101 FD 5r /Applications/HeadBoard.app/Assets.car @0x200
HeadBoard 101 FD 6r /Applications/TVPhotos.app/Assets.car @0x200
HeadBoard 101 FD 7r /System/Library/Frameworks/UIKit.framework/Artwork.bundle/Assets.car @0x200
HeadBoard 101 FD 8r /Applications/TVSearch.app/Assets.car @0x200
HeadBoard 101 FD 9r /Applications/TVHomeSharing.app/Assets.car @0x200
HeadBoard 101 FD 10r /Applications/TVSettings.app/Assets.car @0x200
.. and is responsible for App display order in the "shelf" display, like so:
root@AppleTV (~)# cat var/mobile/library/com.apple.HeadBoard/AppOrder.plist | plutil -convert xml1 -o - -
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>HBRootFolderKey</key>
<dict>
<key>HBFolderItemsKey</key>
<array>
<string>com.apple.TVPhotos</string>
<string>com.apple.TVSearch</string>
<string>com.apple.TVHomeSharing</string>
<string>com.apple.TVSettings</string>
</array>
<key>HBFolderNameKey</key>
<string>RootFolder</string>
</dict>
</dict>
</plist>
Behind the scenes, /usr/libexec/backboardd still helps run the show, with the PurpleSystemEventPort, the iohid ports, and a connection to the running GUI Apps' .gsEvents. It's essentially the same backboardd as in iOS, with the same 14 ports:
root@AppleTV (~)# procexp 51 ports |\ # Have I mentioned how useful the ports feature is?
grep "<-" \ # AAPL - Add it to lsmp(1) maybe?
grep \" # (or use procexp! ;-)
backboardd:51:0x3a03 "com.apple.CARenderServer" <-launchd:1:0x9307
backboardd:51:0x3d13 "com.apple.backboard.animation-fence-arbiter" <-launchd:1:0x9707 <-PineBoard:46:0x17503 <-TVSystemBulletin:113:0x5d1f
backboardd:51:0x410b "PurpleWorkspacePort" <-launchd:1:0x8b07
backboardd:51:0x430b "com.apple.backboardd.gsEvents" <-launchd:1:0x20a8b
backboardd:51:0x4403 "PurpleSystemEventPort" <-launchd:1:0x8d07
backboardd:51:0x18107 "com.apple.iohideventsystem" <-launchd:1:0x20c1f <-UserEventAgent:23:0x5d07 <-TVPeripheralAgen:33:0x160b <-PineBoard:46:0x4e07 <-locationd:55:0x9e07 <-HeadBoard:100:0x2503 <-TVAirPlay:101:0x2503 <-TVPhotos:112:0x2603 <-TVSystemBulletin:113:0x2503 <-TVSearch:125:0x2403 <-TVIdleScreen:130:0x2803
backboardd:51:0x1e117 "com.apple.backlightd" <-launchd:1:0x9603 <-coreduetd:84:0x4803
backboardd:51:0x1ee03 "com.apple.backboard.watchdog" <-launchd:1:0x9003 <-UserEventAgent:23:0x4c07
backboardd:51:0x1f007 "com.apple.backboard.display.services" <-launchd:1:0x9507 <-mediaserverd:26:0x500f <-PineBoard:46:0x1d07 <-HeadBoard:100:0x1d13 <-TVAirPlay:101:0x1d13 <-TVPhotos:112:0x160f <-TVSystemBulletin:113:0x1d13 <-TVSearch:125:0x140f <-TVIdleScreen:130:0x1a0f
backboardd:51:0x1f107 "com.apple.backboard.system-app-server" <-launchd:1:0x9103 <-PineBoard:46:0x1e03
backboardd:51:0x1f207 "com.apple.backboard.hid.services" <-launchd:1:0x8e07 <-UserEventAgent:23:0x400b <-PineBoard:46:0x3b07 <-HeadBoard:100:0x6107 <-TVPhotos:112:0x580f <-TVSystemBulletin:113:0x570b <-TVSearch:125:0x5307 <-TVIdleScreen:130:0x8c13
backboardd:51:0x1fa07 "com.apple.backboard.altsysapp" <-launchd:1:0x9203
backboardd:51:0x1fb07 "com.apple.accessibility.AXBackBoardServer" <-launchd:1:0x20de7
backboardd:51:0x1fd0f "com.apple.backboard.TouchDeliveryPolicyServer" <-launchd:1:0x8f03
Kexts
For those waiting for a big surprise here, I'm afraid I must disappoint. Only noteable kext is AppleTVIR. Nearly all others are same as iOS:
Index Refs Address Size Wired Name (Version) UUID1 90 0xffffff800461c000 0x7944 0x7944 com.apple.kpi.bsd (15.0.0) 0F52525C-63C7-4758-9261-AAF28B1202DD 2 3 0xffffff8004634000 0x1314 0x1314 com.apple.kpi.dsep (15.0.0) 36FC510C-6F1E-44F5-AD7C-2D4DFE875340 3 100 0xffffff8004644000 0x1a594 0x1a594 com.apple.kpi.iokit (15.0.0) 7712901A-37FC-4B94-BBCC-2B32651BB836 4 103 0xffffff8004624000 0x8f54 0x8f54 com.apple.kpi.libkern (15.0.0) DE3191C7-9F68-4AB9-9781-1F098EBE4967 5 96 0xffffff8004630000 0x18f4 0x18f4 com.apple.kpi.mach (15.0.0) EA05EF30-EB24-4A51-9166-357678A79B50 6 42 0xffffff8004638000 0x68a8 0x68a8 com.apple.kpi.private (15.0.0) 11D9BE04-B3CA-43D9-9CF3-8A140273F8C3 7 82 0xffffff8004640000 0x315c 0x315c com.apple.kpi.unsupported (15.0.0) F7E83B4F-7715-4C08-97EA-122AA9ED6C98 8 4 0xffffff8004660000 0x48000 0x48000 com.apple.kec.corecrypto (1.0) E3BDF7E9-11C3-36C2-B4E2-7638186EBA94 <7 6 5 4 3 1> 9 0 0xffffff8004b48000 0x10000 0x10000 com.apple.kec.pthread (1) 752883F7-6E28-35CD-B621-60CB96E65DED <7 6 5 4 1> 10 1 0xffffff80057c4000 0xc000 0xc000 com.apple.kec.Libm (1) C4F2460B-6971-3501-ADD5-27AD11603FA3 <4> 11 1 0xffffff8004708000 0x8000 0x8000 com.apple.iokit.IOSlowAdaptiveClockingFamily (1.0.0) E81A0E3C-38C5-38D9-91F2-15030972BD9C <7 6 5 4 3 1> 12 12 0xffffff8004714000 0x8000 0x8000 com.apple.iokit.IOReportFamily (31) 0FB66E68-84F3-3041-ABA0-C3712567B3EE <5 4 3> 13 57 0xffffff8004720000 0x4c000 0x4c000 com.apple.driver.AppleARMPlatform (1.0.2) 0E261ED0-B73C-3269-899C-23AFA06A4299 <12 11 7 6 5 4 3 1> 14 5 0xffffff80047d4000 0x18000 0x18000 com.apple.iokit.IOStorageFamily (2.1) B28AA2D3-9AE8-3A33-9166-BFBDF8AB45C3 <7 6 5 4 3 1> 15 0 0xffffff80047f4000 0xc000 0xc000 com.apple.driver.DiskImages (415) EEFEFC06-5875-3718-B5B8-9B2FA3A6FA0B <14 7 6 5 4 3 1> 16 3 0xffffff8004b7c000 0x84000 0x84000 com.apple.driver.FairPlayIOKit (58.66.10) FEEB25F5-397D-3A9E-B3C5-BA29B514C556 <7 6 5 4 3 1> 17 0 0xffffff8004d40000 0x20000 0x20000 com.apple.AGXFirmwareKextG4P (1) 898B21F0-D04F-3239-93AE-B1A2859E7E0E <5 4 3 1> 18 4 0xffffff8004e74000 0xc000 0xc000 com.apple.driver.AppleEffaceableStorage (1.0) BD61175E-C01F-38AC-B7CF-5ED444D404D8 <13 7 5 4 3 1> 19 7 0xffffff8004e84000 0x8000 0x8000 com.apple.driver.IOSlaveProcessor (1) D213CEDB-6472-37D2-A20F-7B2397D405A5 <4 3> 20 9 0xffffff80046ac000 0x20000 0x20000 com.apple.driver.AppleMobileFileIntegrity (1.0.5) AFC499F1-4D7C-37F9-9B68-0F40A987E23A <8 7 6 5 4 3 2 1> 21 5 0xffffff8004e90000 0x10000 0x10000 com.apple.iokit.IOCryptoAcceleratorFamily (1.0.1) 936076EB-5D45-38BC-B245-9D2201F95FEF <7 5 4 3 1> 22 3 0xffffff8004ea4000 0x8000 0x8000 com.apple.driver.AppleA7IOP (1.0.2) 96BF609D-A32C-3B68-B913-BBDAA0208F52 <19 13 5 4 3> 23 2 0xffffff8004eb0000 0x1c000 0x1c000 com.apple.driver.AppleSEPManager (1.0.1) C688732B-6EE8-351D-B4B9-5B223FA1F01E <22 19 13 8 7 6 5 4 3 1> 24 0 0xffffff8004ed0000 0x14000 0x14000 com.apple.driver.AppleSEPKeyStore (2) 156CE22C-951D-3E87-9A73-D45FEFC6F2D2 <23 21 20 19 18 8 7 6 5 4 3 1> 25 1 0xffffff8004f2c000 0x58000 0x58000 com.apple.driver.LSKDIOKitMSE (3.1.8) 1B28B424-7F54-3CF8-AB79-67FF34FADA92 <7 6 5 4 3 1> 26 2 0xffffff8004f88000 0x74000 0x74000 com.apple.driver.LSKDIOKit (8.46.2) DBC485E6-A56E-368E-89EB-78D4C2500DB4 <7 6 5 4 3 1> 27 0 0xffffff8005000000 0x64000 0x64000 com.apple.driver.IOAudioCodecs (1.0.0) 6F0FC290-D496-39AB-AC47-B9E5ACEBBCBA <26 16 13 7 5 4 3> 28 0 0xffffff8005300000 0x8000 0x8000 com.apple.driver.AppleSEPCredentialManager (1.0) 4C1930E5-5F01-3D0F-8A8A-DFF668A594EC <23 19 13 7 5 4 3 1> 29 0 0xffffff80058d4000 0xc000 0xc000 com.apple.driver.ProvInfoIOKit (3.7.3) 40F87C30-9B3D-3878-80B8-9AB9B2806ADF <7 6 5 4 3 1> 30 1 0xffffff8004d64000 0x8000 0x8000 com.apple.kext.AppleMatch (1.0.0d1) 5E756FEF-B058-399A-9D58-EF652AA11016 <4 1> 31 0 0xffffff8004d70000 0x84000 0x84000 com.apple.security.sandbox (300.0) B16D42AD-B14A-336E-8452-F4686FA41ECE <30 20 7 6 5 4 3 2 1> 32 2 0xffffff8004df8000 0x8000 0x8000 com.apple.driver.AppleCycloneErrorHandler (1) 86AC2F70-C085-3942-8C45-EFB3A34CCBC7 <13 12 7 6 5 4 3 1> 33 0 0xffffff8005758000 0x14000 0x14000 com.apple.driver.AppleT7000 (1) B78E9811-229D-37B2-BDDF-CB67CFC1BDDE <32 13 12 7 6 5 4 3 1> 34 0 0xffffff8005350000 0x8000 0x8000 com.apple.driver.AppleMobileApNonce (1) 96608853-CF4B-3C1D-B0CC-71B491F166C6 <18 13 7 6 5 4 3 1> 35 0 0xffffff800556c000 0x8000 0x8000 com.apple.driver.AppleInterruptController (1.0.0d1) 0F015E41-5282-3927-8F92-8E686E09C2D2 <13 7 6 5 4 3 1> 36 2 0xffffff8005274000 0x18000 0x18000 com.apple.driver.ApplePMGR (1) 295DBC25-A159-3077-8578-CF4D2FFB46F7 <13 12 7 6 5 4 3 1> 37 0 0xffffff800574c000 0x8000 0x8000 com.apple.driver.AppleT7000PMGR (1) D487BC96-0048-304F-9D95-1E94A32B4207 <36 13 7 6 5 4 3 1> 38 0 0xffffff80051a8000 0x10000 0x10000 com.apple.driver.AppleS5L8960X (1) A4E3FA5D-BCC5-3DE0-A02F-B6C1659D82FB <32 13 12 7 6 5 4 3 1> 39 0 0xffffff80052b8000 0x8000 0x8000 com.apple.driver.AppleS5L8960XWatchDogTimer (1) 1993F777-DCB9-3119-95C1-3E75EFD54A2A <13 12 7 5 4 3 1> 40 0 0xffffff8005718000 0x8000 0x8000 com.apple.driver.AppleS5L8960XGPIOIC (1) 39DA4C21-141B-3E82-9733-E68D89A118EE <13 12 7 5 4 3 1> 41 0 0xffffff800570c000 0x8000 0x8000 com.apple.driver.AppleS5L8940XDWI (1.0.0d1) 30DDA9F1-B159-3A88-BEAF-3DB87B1E7761 <13 7 5 4 3 1> 42 3 0xffffff80048d4000 0xc000 0xc000 com.apple.iokit.IOSerialFamily (11) A89A5CA3-386B-34E5-8CA8-15469093094A <7 6 5 4 3 1> 43 5 0xffffff80048e4000 0x14000 0x14000 com.apple.driver.AppleOnboardSerial (1.0) 0B42684B-F3A9-3A51-8C7A-A1CE260AA1F7 <42 7 5 4 3 1> 44 0 0xffffff8005090000 0x8000 0x8000 com.apple.driver.AppleSamsungSerial (1.0.0d1) 91469164-DAA1-380A-B25B-BC0FA205CD69 <43 42 13 7 5 4 3 1> 45 6 0xffffff80046d0000 0x30000 0x30000 com.apple.iokit.IOHIDFamily (2.0.0) 6E7B92F4-BBE0-3A54-A96A-228D24941F88 <20 7 6 5 4 3 1> 46 0 0xffffff8004ef4000 0x8000 0x8000 com.apple.driver.AppleTVIR (1) 2E202F3F-9918-31DF-9ABE-AD32945D26E4 <45 13 7 5 4 3 1> 47 0 0xffffff80052f4000 0x8000 0x8000 com.apple.driver.TiSerialFlasherIOCtrl (1.0.1) B7593FA2-1233-3DF0-9374-0D07CF1DDA86 <13 7 5 4 3 1> 48 5 0xffffff8005068000 0xc000 0xc000 com.apple.driver.AppleEmbeddedUSB (1) 0E84D662-249A-3D47-B8DA-596FBA21E12B <13 7 5 4 3 1> 49 0 0xffffff80058c8000 0x8000 0x8000 com.apple.driver.AppleS5L8960XUSB (1) 72C285D8-19B4-3C57-8E53-1DDB8700703A <48 13 7 5 4 3 1> 50 0 0xffffff8004f00000 0x8000 0x8000 com.apple.driver.AppleS5L8940XI2C (1.0.0d2) FFDCA89B-5120-3194-BEBB-FA347AD22598 <13 7 5 4 3 1> 51 6 0xffffff8004c10000 0x14000 0x14000 com.apple.iokit.IOSurface (52.9.22) 915C9BF6-BD6C-313B-95D0-4412C38275EF <13 7 6 5 4 3 1> 52 2 0xffffff8004854000 0x10000 0x10000 com.apple.driver.IODARTFamily (1) 61AF909D-045B-3B93-8B01-6770D48F0F02 <5 4 3> 53 4 0xffffff8004c28000 0x48000 0x48000 com.apple.driver.AppleM2ScalerCSCDriver (205.0.13) 341ACAFC-64E3-3E71-B671-B4AE268D91BC <52 51 13 7 5 4 3 1> 54 1 0xffffff80047c8000 0x8000 0x8000 com.apple.iokit.IOStreamAudioFamily (1.0) 2CC34148-73F0-3323-A3A1-5FFE7F782C18 <5 4 3 1> 55 1 0xffffff8004c78000 0xc000 0xc000 com.apple.iokit.IOAudio2Family (1.0) B4CBEB54-98B2-344F-96F7-894EFD0149BD <54 5 4 3 1> 56 1 0xffffff8004c88000 0x8000 0x8000 com.apple.iokit.IOCECFamily (1) 8151A26D-2BD0-3AAC-A747-5AF8857BAFCF <4 3> 57 5 0xffffff8004c94000 0x40000 0x40000 com.apple.iokit.IOAVFamily (1.0.0) 7F2E061D-A405-3859-A830-99579302D9C3 <56 55 13 7 6 5 4 3 1> 58 3 0xffffff8004ce0000 0x1c000 0x1c000 com.apple.iokit.IOMobileGraphicsFamily (225.2.11) D76D80F7-159D-380C-BCA4-C7A4F073B2F3 <57 53 51 20 13 7 5 4 3 1> 59 2 0xffffff8004f0c000 0x18000 0x18000 com.apple.iokit.IODisplayPortFamily (1.0.0) B9286EE7-64E7-38D9-9D9C-EEB027AA0F00 <57 7 6 5 4 3 1> 60 0 0xffffff8005210000 0x1c000 0x1c000 com.apple.driver.AppleANXDPTX (1) 394EF86F-3BD7-3D0A-A366-01447643975D <59 58 57 13 7 5 4 3> 61 0 0xffffff800530c000 0x3c000 0x3c000 com.apple.driver.AppleH7ADBE0 (140.0) 11E19827-A2A3-34E4-A3AE-0C7FA7B7CBB0 <58 57 53 51 13 7 5 4 3 1> 62 0 0xffffff8004868000 0xc000 0xc000 com.apple.driver.AppleS5L8960XDART (1) 33D7EF71-5E3D-3F9B-B363-6838EEBFAE51 <52 13 7 5 4 3 1> 63 0 0xffffff8005770000 0x18000 0x18000 com.apple.driver.AppleJPEGDriver (4.2.13) D734CECD-EDB3-33B3-AC15-30450D4C7B94 <13 7 5 4 3 1> 64 0 0xffffff8005578000 0x190000 0x190000 com.apple.driver.AppleAVE (101.77.0) AEED41C6-49E7-3F91-B3F1-1FFD07F386A4 <51 13 7 5 4 3 1> 65 0 0xffffff800539c000 0xc000 0xc000 com.apple.driver.AppleSTDP2700 (1) 5F5CA9BD-B03E-35EF-83AC-7A84D0C10CAB <59 57 13 7 5 4 3 1> 66 0 0xffffff80053b8000 0x48000 0x48000 com.apple.driver.AppleVXD393 (2.85.0) 48163426-00AA-3BD8-B83B-59425A38C491 <53 51 26 25 16 13 7 5 4 3 1> 67 1 0xffffff8005804000 0x2c000 0x2c000 com.apple.iokit.IOAcceleratorFamily2 (201.5.0) 2AD2A680-1EE1-3B99-BAAF-1D2FBEBB8351 <58 53 51 20 13 7 5 4 3 1> 68 0 0xffffff8005838000 0x54000 0x54000 com.apple.AGX (75.10.10) EA38B389-517B-3890-AA23-321F64D55B38 <67 20 13 12 7 6 5 4 3 1> 69 0 0xffffff8005380000 0xc000 0xc000 com.apple.driver.AppleAE2Audio (1) 5BC08971-6218-3234-86AF-CF09A78E0E7F <13 5 4 3> 70 3 0xffffff8004e10000 0x20000 0x20000 com.apple.iokit.IOPCIFamily (2.9) 3C90D54D-1260-3815-9FF1-B9DB1D37BCE2 <7 6 5 4 3> 71 2 0xffffff8004e34000 0x10000 0x10000 com.apple.driver.AppleEmbeddedPCIE (1) D3F41C26-49B2-386D-917F-35D8A2826FA9 <70 13 12 7 5 4 3 1> 72 0 0xffffff8005204000 0x8000 0x8000 com.apple.driver.AppleT7000PCIe (1) 91C68E73-867F-3F6D-B745-22D0DFBAA4DC <71 70 13 12 7 6 5 4 3 1> 73 2 0xffffff8004780000 0x14000 0x14000 com.apple.driver.AppleEmbeddedTempSensor (1.0.0) 9E17263A-E9B6-3B7F-90A4-BE479C20B929 <45 13 12 7 5 4 3 1> 74 0 0xffffff80057d4000 0x28000 0x28000 com.apple.driver.AppleT7000CLPC (1) 68D5295D-856E-3488-83EF-B5C30A219793 <36 13 12 10 7 6 5 4 3 1> 75 1 0xffffff8005404000 0x18000 0x18000 com.apple.driver.AppleCSI (1) BC0ABACD-8622-3A5E-A883-E63CA0CFB3D7 <22 19 13 7 5 4 3 1> 76 1 0xffffff800479c000 0x8000 0x8000 com.apple.driver.AppleDialogPMU (1.0.1) D53043EA-4287-35FC-BE81-318597DBA4EB <73 45 13 7 5 4 3 1> 77 0 0xffffff80047a8000 0x10000 0x10000 com.apple.driver.AppleD2186PMU (1.0.1) C13955DA-CB4F-3223-ADA1-3B055377E5C7 <76 73 45 13 7 5 4 3 1> 78 0 0xffffff800543c000 0x100000 0x100000 com.apple.driver.AppleT7000SmartIO (1) BBB08553-A80E-3923-94A1-2B58EDA97CBE <22 21 19 6 5 4 3 1> 79 2 0xffffff8004d28000 0x8000 0x8000 com.apple.driver.AppleNANDConfigAccess (1.0.0) 306A4424-FDDD-39C5-8F6B-16B77D321835 <13 7 5 4 3 1> 80 2 0xffffff80052c4000 0x8000 0x8000 com.apple.iokit.EncryptedBlockStorage (1.0.0) 6469223B-4357-3468-8F14-F17BBC0B2B12 <21 14 5 4 3 1> 81 0 0xffffff8005540000 0x24000 0x24000 com.apple.driver.ASPSupportNodes (1) B0BFDD85-6FA1-3834-BDDD-9E956E1AC765 <80 79 75 45 21 19 14 13 7 6 5 4 3 1> 82 0 0xffffff80058e4000 0x8000 0x8000 com.apple.driver.AppleExternalPowerMonitor (1) 7757253A-B168-38F0-AA1D-D1F8734EEC99 <43 13 7 5 4 3> 83 4 0xffffff8004820000 0x8000 0x8000 com.apple.driver.AppleUSBHostMergeProperties (1.0.1) C95170D3-CBB3-3D20-B573-131CF3C2FB11 <4 3 1> 84 9 0xffffff8004a9c000 0x5c000 0x5c000 com.apple.iokit.IOUSBHostFamily (1.0.1) 82762877-B02B-3629-BC12-0C6F51602E7B <83 7 5 4 3 1> 85 5 0xffffff8004878000 0x20000 0x20000 com.apple.iokit.IONetworkingFamily (3.2) 9E5DC1FB-2F34-3DD2-8F53-B96735649D6A <7 6 5 4 3 1> 86 1 0xffffff80048a0000 0xc000 0xc000 com.apple.driver.mDNSOffloadUserClient-Embedded (1.0.1b8) B2DDB4E2-E796-3EA1-A58D-677F417844D2 <85 4 3 1> 87 4 0xffffff80048b0000 0x1c000 0x1c000 com.apple.driver.corecapture (1.0.4) C7934DDD-746C-3AA6-87E1-92F39A5ECF9F <7 6 5 4 3 1> 88 1 0xffffff80048fc000 0xa4000 0xa4000 com.apple.iokit.IO80211Family (1100.23) 2B169406-0AC0-399F-A565-E695DC6910B6 <87 85 20 8 7 6 5 4 3 1> 89 1 0xffffff80049a8000 0xdc000 0xdc000 com.apple.driver.AppleBCMWLANCore (1.0.0) 9750E211-7DA2-3986-9E11-48D5A44E9ADE <88 87 86 85 43 20 13 7 6 5 4 3 1> 90 0 0xffffff8004e48000 0x28000 0x28000 com.apple.driver.AppleBCMWLANBusInterfacePCIe (1) 1B6065F9-9100-3FF4-AC1B-37A81B0106F3 <89 87 85 71 70 43 13 7 6 5 4 3 1> 91 0 0xffffff8004ee8000 0x8000 0x8000 com.apple.driver.AppleBluetooth (1.0.0d1) 77180802-5B1A-354E-9B14-6CF2506EE877 <13 7 5 4 3 1> 92 3 0xffffff800482c000 0x14000 0x14000 com.apple.iokit.IOUSBDeviceFamily (2.0.0) 2D0E5241-9C9E-32F8-BD68-E0EF9FBB15E7 <83 5 4 3 1> 93 0 0xffffff8005078000 0x14000 0x14000 com.apple.driver.AppleSynopsysOTGDevice (1.0.0d1) 9C2A2771-1947-33EA-944B-8313543A23B5 <92 48 13 7 5 4 3 1> 94 0 0xffffff80047bc000 0x8000 0x8000 com.apple.AppleFSCompression.AppleFSCompressionTypeZlib (1.0.0) CBE11177-FA15-3F7E-9CD8-3E0A3758A6A7 <6 4 3 2 1> 95 0 0xffffff8004c04000 0x8000 0x8000 com.apple.IOTextEncryptionFamily (1.0.0) 8C6D2902-B821-3E87-BFCC-BE775D521711 <16 7 5 4 3 1> 96 4 0xffffff80051bc000 0x34000 0x34000 com.apple.driver.usb.AppleUSBEHCI (1.0.1) DB2F71DA-9921-341A-8A7E-C178AF58D993 <84 7 5 4 3 1> 97 1 0xffffff8004b00000 0x24000 0x24000 com.apple.driver.usb.AppleUSBHub (1.0.1) CFC2990C-7FE6-38CC-80EF-E57977FD6348 <84 83 5 4 3 1> 98 2 0xffffff8004b2c000 0x8000 0x8000 com.apple.driver.usb.AppleUSBHostCompositeDevice (1.0.1) 81FADF2A-F563-364E-89A6-1F78F93330B5 <84 5 4 3 1> 99 1 0xffffff8004b38000 0xc000 0xc000 com.apple.driver.AppleEmbeddedUSBHost (1) FB28B372-C0A3-310A-B8C5-22546E5D6DFB <98 97 84 83 20 7 5 4 3 1> 100 3 0xffffff80051f4000 0xc000 0xc000 com.apple.driver.AppleUSBHSIC (1) E89EBBDE-908F-36B6-B4EF-AF23DF4E29A2 <96 84 48 13 7 5 4 3 1> 101 2 0xffffff8005724000 0xc000 0xc000 com.apple.driver.AppleUSBEHCIARM (1.0) 62CF52AE-FEF5-39FF-BE97-A1A458794B3E <100 99 96 84 48 13 5 4 3> 102 1 0xffffff8005734000 0x8000 0x8000 com.apple.driver.AppleS5L8960XUSBHSIC (1) B8F5D678-96B9-320D-856E-E0C696F9A710 <101 100 96 84 48 13 7 5 4 3 1> 103 0 0xffffff8005740000 0x8000 0x8000 com.apple.driver.AppleS5L8960XUSBEHCI (1) 67E33D25-F816-3787-8D13-1AFA2473829B <102 101 96 84 13 7 5 4 3 1> 104 0 0xffffff8005268000 0x8000 0x8000 com.apple.driver.CoreCaptureResponder (1) 685FC705-B82A-379B-AF5F-E65D915BEE44 <87 7 6 5 4 3 1> 105 0 0xffffff80052d0000 0x14000 0x14000 com.apple.driver.LightweightVolumeManager (1) 44FC49FA-24E1-39E0-A8D7-59658D06A56A <80 21 18 14 7 6 5 4 3 1> 106 0 0xffffff80058b0000 0x14000 0x14000 com.apple.driver.AppleHSICEthernet (1) 59A70BC3-C432-3525-902E-6AEDD72827DB <100 98 85 84 13 6 5 4 3 1> 107 0 0xffffff80052e8000 0x8000 0x8000 com.apple.driver.AppleEffaceableBlockDevice (1.0) 462CB329-5256-3FA2-AAB6-7F5BC2436E7A <18 14 13 7 5 4 3 1> 108 0 0xffffff8004d34000 0x8000 0x8000 com.apple.driver.AppleDiagnosticDataAccessReadOnly (1.0.0) 95E90481-BF43-38BC-B77A-9D63F4681F09 <79 13 7 5 4 3 1> 109 0 0xffffff8004844000 0xc000 0xc000 com.apple.driver.AppleUSBDeviceMux (1.0.0d1) 1B50211E-FEEC-39D7-8C62-94632C84138B <92 7 6 5 4 3 1> 110 0 0xffffff800511c000 0x28000 0x28000 com.apple.iokit.IOAccessoryManager (1.0.0) 2E7EA636-A712-36C1-BA8D-C1B261145F1B <92 45 43 42 13 7 5 4 3>
But the good news is I'm getting Joker trained to identify and kextract them all :-)
@TODO:
Ok, done for now. Finally checkin counter opens. As I said, MOXiI 2 is coming, with a lot more of this. As with all my "Notes From.." series, this is more of an annotated output than a detailed discussion. The discussion will yet ensue, but it's just taking a lot of time. Sorry, but writing a book isn't easy.