Notes from iOS 8 and the OS X 10.10 Preview
Jonathan Levin, http://newosxbook.com/ - 9/19/14
- 6/7/14: Updated with OS X part (after installing 10.10 in a VM)
- 8/14/14: Updated with DP4 findings
- 9/19/14: Updated with DP8 and iOS 8 findings - lots on frameworks and daemons. Also notes on launchd
Check out @Technologeeks tweets, or the RSS Feed for updates - I'll add more as I go along.. Feel free to shoot any comments/questions to info@
I had contemplated signing up for the OS X 10.10 open Beta program, but after seeing the license agreement opted against it. Fortunately, the OS X 10.10 and XCode 6 DP1 are both out there, in the vast reaches of the 'net. This note summarizes my findings (about internals only, not Cocoa level and other APIs) so far:
1. iOS 8
- No support for iPhone 4: This is no surprise, but has far reaching implications. Beyond forcing people to dump the 4 and upgrade already (good for AAPL stock), this means that the A4 bootloader is finally out of the picture. No more Limera1n and other (known) exploits, by means of which a tethered jailbreak can be performed and - more importantly - the iOS IPSW can be decrypted (Unless IH8Sn0w or someone rises to the challenge and provides the 4S IV/Key, at a minimum!). This is terrible news for jailbreaking efforts, which have always built on reverse engineering the iOS binaries. Since apps are sandboxed, it's a LOT harder (though not impossible, thankfully!) to get access to the myriad frameworks and private frameworks, not to mention random binaries in /usr/libexec, etc - some of which have (as yet) undisclosed code injection vectors, which allow root and arbitrary code injection (via ROP).
- The SDK contains stubs, not images - I admit it always baffled me why Apple provided fully symbolicated framework images, with the full text (=code). Sure, you need them for crash symbolication, but, seriously - WITH THE CODE (and I think I might've foolishly mentioned it to one too many people, too). Kinda like a Stockholm Syndrome with Jailbreakers, you know? Anyway, it turns out that somebody at Infinite Loop finally decided to put this to an end. The framework images are now merely stubs. E.g. kperfdata (one of the coolest frameworks I've seen so far!):
At first I thought this is a bug in jtool (wouldn't have been my first..), but otool displayed the same output (albeit messier). So no more of that. Just symbols... jtool -S still works:
Update: No biggy. You can just grab the shared library cache (at least in the case of Okemo12A365.N94OS, the 4S)
- While on the subject of frameworks: Tons of new ones, but as I mentioned - Apple has the new kperfdata.framework, which builds on the kernel kperf (and private framework) introduced in 7.0/10.8. The main user of this appears to be iprofiler on the DeveloperDiskImage.dmg, which is a port of the XCode 5.x x86_64 iprofiler (along with its man page), and shows that kperf is the new mechanism for performance monitoring (out with CHUD for good, it seems, and AppleProfileFamily..). Unfortunately, I haven't been able to try it out yet on my 7.x, since one needs the framework binary, which is now a stub. I'm trying an alternate route.. Update: Frameworks can now be easily extracted from the dyld cache. See below.
- Many more frameworks: The # of public frameworks has gone up from 60 to 74, but - more importantly - the # of private frameworks has gone up from 271 to 358! The diff follows, and I'll provide a dependency map (who/what uses whom/what) at some point for the 2nd Ed.
- Unsurprisingly, the shared library cache is bigger: 875 images, rather than 696. Plenty more gadget material for ROP :-). The full list follows.
Important: Jtool >=0.75 supports extraction of files from the shared cache, for both 32-bit and 64-bit caches. This is not unlike previous work (notably, DHowett/KennyTM's), but improves on it by correctly fixing 10.8+ load commands as well as full 64-bit. Extraction is ever more important now since Apple only supplies stubs with the SDK (as explained above).
You can get the latest version of Jtool here. Tar file now contains universal (x86_64/ARM/ARM64), ELF32 and ELF64 binaries.
- More daemons in /usr/libexec: And, once more, a diff, annotated. This one needs no clicking - it's short - but nonetheless very important
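As an added illustration of the shared-cache extraction mentioned above (this is example code written for this page, not jtool's or DHowett/KennyTM's code): the first step in pulling an image out of the dyld cache is to read the cache header, find the image's entry in the image table, and translate its load address to a file offset through the mapping table. The struct layouts are assumed to match dyld's dyld_cache_format.h for 10.8-era caches; the cache bytes below are constructed in memory so the program runs offline, and a real cache has a far larger header (hence every offset is read from the header, never assumed). Rebasing the extracted image's load commands, which the note says jtool handles, is not shown here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Struct layouts follow dyld's dyld_cache_format.h for 10.8-era caches (an
 * assumption of this example; only the leading header fields are used). Every
 * field is naturally aligned, so structs are copied out of the buffer with memcpy. */
struct dyld_cache_header       { char magic[16]; uint32_t mappingOffset, mappingCount, imagesOffset, imagesCount; uint64_t dyldBaseAddress; };
struct dyld_cache_mapping_info { uint64_t address, size, fileOffset; uint32_t maxProt, initProt; };
struct dyld_cache_image_info   { uint64_t address, modTime, inode; uint32_t pathFileOffset, pad; };

/* Validate the header and both tables against the buffer length (overflow-safe). */
static int read_header(const uint8_t *buf, size_t len, struct dyld_cache_header *h) {
    if (len < sizeof *h) return 0;
    memcpy(h, buf, sizeof *h);
    if (memcmp(h->magic, "dyld_v1", 7) != 0) return 0;
    if (h->mappingOffset > len ||
        h->mappingCount > (len - h->mappingOffset) / sizeof(struct dyld_cache_mapping_info)) return 0;
    if (h->imagesOffset > len ||
        h->imagesCount > (len - h->imagesOffset) / sizeof(struct dyld_cache_image_info)) return 0;
    return 1;
}

/* File offset backing a cache virtual address, or -1 if no mapping covers it. */
int64_t cache_vmaddr_to_offset(const uint8_t *buf, size_t len, uint64_t vmaddr) {
    struct dyld_cache_header h;
    if (!read_header(buf, len, &h)) return -1;
    for (uint32_t i = 0; i < h.mappingCount; i++) {
        struct dyld_cache_mapping_info m;
        memcpy(&m, buf + h.mappingOffset + i * sizeof m, sizeof m);
        if (vmaddr >= m.address && vmaddr - m.address < m.size)
            return (int64_t)(m.fileOffset + (vmaddr - m.address));
    }
    return -1;
}

size_t cache_image_count(const uint8_t *buf, size_t len) {
    struct dyld_cache_header h;
    return read_header(buf, len, &h) ? h.imagesCount : 0;
}

static int read_image(const uint8_t *buf, size_t len, size_t idx, struct dyld_cache_image_info *im) {
    struct dyld_cache_header h;
    if (!read_header(buf, len, &h) || idx >= h.imagesCount) return 0;
    memcpy(im, buf + h.imagesOffset + idx * sizeof *im, sizeof *im);
    return 1;
}

/* Install path of image idx, or NULL if the entry or its string lies outside the buffer. */
const char *cache_image_path(const uint8_t *buf, size_t len, size_t idx) {
    struct dyld_cache_image_info im;
    if (!read_image(buf, len, idx, &im) || im.pathFileOffset >= len) return NULL;
    if (!memchr(buf + im.pathFileOffset, '\0', len - im.pathFileOffset)) return NULL;
    return (const char *)buf + im.pathFileOffset;
}

/* File offset of image idx's Mach-O header (where extraction starts), or -1. */
int64_t cache_image_offset(const uint8_t *buf, size_t len, size_t idx) {
    struct dyld_cache_image_info im;
    return read_image(buf, len, idx, &im) ? cache_vmaddr_to_offset(buf, len, im.address) : -1;
}

/* Constructed sample cache: two mappings (r-x and rw-) and two images. Real caches
 * have a much larger header, which is why offsets are always taken from the header. */
static uint8_t sample_cache[512];
static size_t  sample_cache_len;

size_t build_sample_cache(void) {
    static const char *paths[2] = { "/usr/lib/system/libsystem_kernel.dylib",
                                    "/System/Library/PrivateFrameworks/kperfdata.framework/kperfdata" };
    struct dyld_cache_header h = { "dyld_v1   arm64", (uint32_t)sizeof(struct dyld_cache_header), 2,
        (uint32_t)(sizeof(struct dyld_cache_header) + 2 * sizeof(struct dyld_cache_mapping_info)), 2, 0x180000000ULL };
    struct dyld_cache_mapping_info maps[2] = {
        { 0x180000000ULL, 0x100000, 0,        5, 5 },   /* __TEXT-like, r-x */
        { 0x1A0000000ULL, 0x010000, 0x100000, 3, 3 },   /* __DATA-like, rw- */
    };
    uint32_t paths_off = (uint32_t)(h.imagesOffset + 2 * sizeof(struct dyld_cache_image_info));
    struct dyld_cache_image_info imgs[2] = {
        { 0x180020000ULL, 0, 0, paths_off, 0 },
        { 0x180080000ULL, 0, 0, (uint32_t)(paths_off + strlen(paths[0]) + 1), 0 },
    };
    sample_cache_len = imgs[1].pathFileOffset + strlen(paths[1]) + 1;
    memset(sample_cache, 0, sizeof sample_cache);
    memcpy(sample_cache, &h, sizeof h);
    memcpy(sample_cache + h.mappingOffset, maps, sizeof maps);
    memcpy(sample_cache + h.imagesOffset, imgs, sizeof imgs);
    memcpy(sample_cache + imgs[0].pathFileOffset, paths[0], strlen(paths[0]) + 1);
    memcpy(sample_cache + imgs[1].pathFileOffset, paths[1], strlen(paths[1]) + 1);
    return sample_cache_len;
}

int main(void) {
    build_sample_cache();
    for (size_t i = 0; i < cache_image_count(sample_cache, sample_cache_len); i++)
        printf("%s -> file offset 0x%llx\n", cache_image_path(sample_cache, sample_cache_len, i),
               (long long)cache_image_offset(sample_cache, sample_cache_len, i));
    return 0;
}
```

The bounds checks are the point: a cache (or a crafted file masquerading as one) whose image table, mapping table or path offsets run past the end of the buffer is rejected rather than read out of bounds, which matters once a tool like this is pointed at files pulled off an untrusted device.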
2. OS X
- Code signing has been changed: @TODO on the following:
  _cs_entitlement_flags
  _cs_find_blob
  _cs_library_val_enable
  _cs_require_lv
  _csblob_get_teamid
  _csfg_get_path
  _csfg_get_platform_binary
  _csfg_get_teamid
  _csproc_get_platform_binary
  _csproc_get_teamid
  _csr_check
  _csr_get_active_config
  _csr_get_pending_config
  _csr_init
  _csr_set_allow_all
  _csrctl
  _csvnode_get_teamid
- AMFI is in OS X!!! - AppleMobileFileIntegrity.kext, sworn enemy of Jailbreakers everywhere, is now also in OS X - along with its user mode lackey, amfid! Is OS X going to get the same lockdown as iOS?
- Changes to /usr/libexec:
  Gone:
  - aosnotifyd - replaced by findmydeviced, probably
  - launchdadd (launch services API is undergoing partial deprecation)
  - taskinfo (Update: just moved to /usr/bin! (*WHEW*) I love that command!)
  - transition (useless MobileMe mover, if anyone ever used that..)
  - xpcd (no great loss)
  New:
  - amfid (We meet again, old friend!!!!)
  - awacsd (moved from /usr/sbin - Apple Wide Area Connectivity Service Daemon)
  - coreduetd (uses the private CoreDuet framework - Apple: you meant admission, not admisison..)
  - discoveryd (the one daemon to bind DNS and mDNS)
  - findmydeviced - replaces aosnotifyd, probably
  - fmfd (Find my friends?)
  - neagent (All ne's are NetworkExtension)
  - nehelper (q.v. com.apple.nehelper.plist)
  - nsurlsessiond - probably supports new iCloud features
  - nsurlstoraged - ditto (iCloud)
  - osaapplet - Go AppleEvents!
  - otherbsd (part of libxpc)
  - secinitd - Security Policy init daemon, called via XPC from libsystem_sandbox - closed source, no project. @TODO: touch /var/db/.debug_secinitd for debug info..
- Personal observation: I wouldn't be surprised if AAPL does release an iWatch and its main differentiator from the other smart watches is that it would seamlessly enable full voice calls from the watch, or Mac, or Apple i* via BT or WiFi, kind of like Inspector Gadget. The handoff feature and network extensions kind of point to it being an obvious use. Update: Nope. No surprise here :-)
- Launchd has a new key (at least, one I haven't seen before): com.apple.fsevents.matching. Used by nehelper. Can be super useful..
- Coalition support has been added: This is also a new syscall. I'm assuming (shooting in the dark here) that coalitions are tasks working together, possibly sharing the same ledger. There's a _proc_pidcoalitioninfo, likely a subset of my favorite (undocumented) syscall, proc_info, which I aim to investigate.. (@TODO: powermetrics and sysmond for coalition_info_resource_usage). Not to mention syscalls #458/459 (see below), wrapped by libSystem's coalition_[create|terminate|reap]. There's also a special host port for it now (#22)
- Support for banks: which are related to ledgers, vouchers and resource control, no doubt
- ipc_importance apis, donors and receivers - refining those of 10.9
- Hypervisor APIs: IOHypervisorClient. Also kern.hv_support
- More refinements to memorystatus: (you might want to check out this article)
  _memorystatus_available_pages
  _memorystatus_available_pages_critical
  _memorystatus_available_pages_pressure
  _memorystatus_bg_pressure_eligible
  _memorystatus_frozen_count
  _memorystatus_is_foreground_locked
  _memorystatus_send_low_swap_note
  _memorystatus_send_pressure_note
  _memorystatus_suspended_count
  _memorystatus_warn_process
- Support for Interrupt Accounting (should prove useful)
- IOReporting (introduced silently in 10.9) is used by BT and Interrupt. You can see this with ioreg -l -f
- sfi (also syscalls 456/457) - used by thermald - likely, selective forced idle. Wrapped by system_get/set_sfi_window, and sfi_get/set_class_offtime (for 456), and
- While on the subject of thermald: libpmenergy and libpmsample (in /usr/lib) look interesting. They're really aggressive with power management in this release.. (@TODO: check out machdep.xcpm thermal sysctls)
- Swap Garbage collection (Hallelujah!)
- Multipath TCP(!!!!)
1+2: Both OS X and iOS:
- Launchd has been *entirely* rewritten. This involves several significant changes:
Because of its pivotal role in both OSX/iOS, launchd requires a LOT more investigation. You can check out my recent MacSysAdmin 2014 presentation for some more notes, but I'll be re-writing the entire Chapter 7 of my book to reflect just how different everything is now
- Launchd is (likely) no longer open source: It's been moved to libxpc-559/560, which never was open source, so I doubt Apple will make it now. It also now has a dependency on libObjC, no doubt because of...
- Launchd's XPC role expanded significantly: with the major news of no more per-user launchd. Apple is confident in their XPC isolation (hmmm... :-) and therefore there is only launchd as PID 1. Period.
- Launchctl is no longer interactive by default, but heck, who needs interaction when you have new commands like:
- resolveport : to resolve a Mach port to a launchd endpoint. Arguably, this could have been done a bit better - but likely is on debug builds.
- procinfo: to supply detailed process information on any PID, not necessarily launchd services. Providing Mach port mappings (sorta), entitlements (via SecTask APIs), plist-to-JSON and more.
- hostinfo: to show ownership of host special ports
- Launchd mig defs have expanded (to support more launchctl functionality)
- Launchd keeps closer tabs on its launched jobs - much more info
- XNU has jumped in version number to 2782-something (earlier previews showed 2720, then 2738). Which implies there's lots of changes. The sources will only be out when 10.10 is out, and I haven't done any reversing yet. But:
- Apple has likely moved more stuff out into dedicated kexts (a la corecrypto.kext (10.8) and pthread.kext (10.9/7.0)) - and those kexts will remain closed source.. Update: Yep - com.apple.kec.Libm - for fractions and trig functions, has been separated from the kernel
- There are 480-something syscalls - 29 or so more than 10.9/7.x. This should make for a fine exploration and reversing. Some are merely _at variants, others are brand new:
(goes without saying that the interesting ones have no syscall stub *sigh*)
- More Mach APIs! - New mach object - voucher. Will need to research that. Very little leakage of ARM stuff, alas
- New QoS APIs - Well documented pthread/qos.h and sys/qos.h files, for thread level Quality of Service (all non POSIX, of course). These are also plugged into the Grand Central Dispatcher (which I wrote an article about a while back here). Update: got my hands on the GCD presentation from WWDC 14, and indeed this is thread level QoS. Basically, it's making available in user mode the stuff from task_policy.h that was in 10.9, though I need to investigate this
- Bootstrap services are finally deprecated - q.v. launchd rewrite. Also no per-user launchd
- ASL (apple syslog) APIs revamped
- Better extended attribute support
- New Mach-O Load command: LC_LINKER_OPTIMIZATION_HINT - 0x2E. @TODO: Update jtool
- sched_multiq and sched_dualq
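Since the new LC_LINKER_OPTIMIZATION_HINT (0x2E) load command above is exactly the kind of thing a Mach-O tool has to learn to recognize, here is an added example (written for this page, not jtool's code) of a bounds-checked 64-bit Mach-O load command walker that reports it. The sample binary is constructed in memory so the program runs offline; that the new command is laid out as a linkedit_data_command (dataoff/datasize, like LC_FUNCTION_STARTS) is an assumption of this example, not something the note states.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MH_MAGIC_64                 0xfeedfacfu
#define LC_SEGMENT_64               0x19u
#define LC_SOURCE_VERSION           0x2au
#define LC_LINKER_OPTIMIZATION_HINT 0x2eu   /* new in 10.10; assumed to use linkedit_data_command */

struct mach_header_64        { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved; };
struct load_command          { uint32_t cmd, cmdsize; };
struct linkedit_data_command { uint32_t cmd, cmdsize, dataoff, datasize; };
struct segment_command_64    { uint32_t cmd, cmdsize; char segname[16]; uint64_t vmaddr, vmsize, fileoff, filesize;
                               uint32_t maxprot, initprot, nsects, flags; };

const char *lc_name(uint32_t cmd) {
    switch (cmd) {
    case LC_SEGMENT_64:               return "LC_SEGMENT_64";
    case LC_SOURCE_VERSION:           return "LC_SOURCE_VERSION";
    case LC_LINKER_OPTIMIZATION_HINT: return "LC_LINKER_OPTIMIZATION_HINT";
    default:                          return "LC_?";
    }
}

typedef void (*lc_visitor)(uint32_t cmd, const uint8_t *lc, uint32_t cmdsize, void *ctx);

/* Walk the load commands of a 64-bit Mach-O in memory. Returns ncmds, or -1 when the
 * header or a cmdsize is inconsistent: too small, not 8-byte aligned, or running past
 * sizeofcmds or the buffer. A parser that trusts cmdsize is the classic way to get
 * walked out of bounds by a crafted binary. */
int macho64_walk(const uint8_t *buf, size_t len, lc_visitor visit, void *ctx) {
    struct mach_header_64 mh;
    if (len < sizeof mh) return -1;
    memcpy(&mh, buf, sizeof mh);
    if (mh.magic != MH_MAGIC_64 || mh.sizeofcmds > len - sizeof mh) return -1;
    size_t off = sizeof mh, end = sizeof mh + mh.sizeofcmds;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        struct load_command lc;
        if (end - off < sizeof lc) return -1;
        memcpy(&lc, buf + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || lc.cmdsize % 8 != 0 || lc.cmdsize > end - off) return -1;
        if (visit) visit(lc.cmd, buf + off, lc.cmdsize, ctx);
        off += lc.cmdsize;
    }
    return (int)mh.ncmds;
}

struct hint_query { int found; uint32_t dataoff, datasize; };

static void find_hint(uint32_t cmd, const uint8_t *lc, uint32_t cmdsize, void *ctx) {
    struct hint_query *q = ctx;
    if (cmd != LC_LINKER_OPTIMIZATION_HINT || cmdsize < sizeof(struct linkedit_data_command)) return;
    struct linkedit_data_command le;
    memcpy(&le, lc, sizeof le);
    q->found = 1; q->dataoff = le.dataoff; q->datasize = le.datasize;
}

/* File offset of the linker optimization hint blob; -1 if the image has none,
 * -2 if the load commands are malformed. datasize may be NULL. */
int64_t macho64_linker_hint(const uint8_t *buf, size_t len, uint32_t *datasize) {
    struct hint_query q = { 0, 0, 0 };
    if (macho64_walk(buf, len, find_hint, &q) < 0) return -2;
    if (!q.found) return -1;
    if (datasize) *datasize = q.datasize;
    return q.dataoff;
}

/* Constructed sample: an arm64 executable with __TEXT, a source version and the hint. */
static uint8_t sample_macho[256];
static size_t  sample_macho_len;

size_t build_sample_macho(void) {
    struct mach_header_64 mh = { MH_MAGIC_64, 0x0100000cu /* CPU_TYPE_ARM64 */, 0, 2 /* MH_EXECUTE */,
                                 3, 72 + 16 + 16, 0, 0 };
    struct segment_command_64 text = { LC_SEGMENT_64, 72, "__TEXT", 0x100000000ULL, 0x4000, 0, 0x4000, 5, 5, 0, 0 };
    struct { uint32_t cmd, cmdsize; uint64_t version; } srcver = { LC_SOURCE_VERSION, 16, 0 };
    struct linkedit_data_command hint = { LC_LINKER_OPTIMIZATION_HINT, 16, 0x1000, 0x40 };
    uint8_t *p = sample_macho;
    memcpy(p, &mh, sizeof mh);         p += sizeof mh;
    memcpy(p, &text, sizeof text);     p += sizeof text;
    memcpy(p, &srcver, sizeof srcver); p += sizeof srcver;
    memcpy(p, &hint, sizeof hint);     p += sizeof hint;
    sample_macho_len = (size_t)(p - sample_macho);
    return sample_macho_len;
}

static void print_lc(uint32_t cmd, const uint8_t *lc, uint32_t cmdsize, void *ctx) {
    (void)lc; (void)ctx;
    printf("  cmd 0x%02x  %-28s cmdsize %u\n", cmd, lc_name(cmd), cmdsize);
}

int main(void) {
    build_sample_macho();
    int n = macho64_walk(sample_macho, sample_macho_len, print_lc, NULL);
    uint32_t size = 0;
    int64_t off = macho64_linker_hint(sample_macho, sample_macho_len, &size);
    printf("%d load commands; hint blob at file offset 0x%llx, %u bytes\n", n, (long long)off, size);
    return 0;
}
```

A tool pointed at images pulled from a device cannot assume well-formed headers, so the walker refuses any cmdsize that is smaller than a load_command, misaligned, or past sizeofcmds, and the truncated-buffer case is treated as malformed rather than "no such command".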
I'll try to update this as I go along, but the journey is still underway.
Naturally, it'll be easier to glean info on 10.10, because at least there reversing is fairly straightforward. Thanks to the iOS8 4S vfdecrypt key, this is now almost as easy for iOS! If someone can, perchance, somehow provide me with an iOS kernel image or dump (OR THE KERNELCACHE IV/KEY - iH8Sn0w? *nudge* *nudge* *wink* *wink*?), I'd be extremely happy to update the joker tool and share all my findings. MOXiI (my book) will be coming out late 2015 in a 2nd edition, to reflect changes all the way up to 10.11 and iOS 9 (e.g. Swift, and more of the above), and add new contents! You are highly welcome to stop by the WebSite Forum and leave any requests for stuff to include in the 2nd Edition! You are also welcome to say hi directly - j@