http://www.newosxbook.com/ Additional code samples, articles, and downloads for OS X and iOS kernel enthusiasts en-us © Jonathan Levin Tue, 08 May 2012 22:36:42 EDT 5 http://newosxbook.com/bonus/vol1AppA.html Bonus chapter from Vol1 v1.3 - Appendix on Software Images - free, as promised Wed, 19 Jun 2019 07:23:00 EDT http://newosxbook.com/articles/CasaDePPL.html?rss Reverse Engineering Apple's iOS12/A12 Page Protection Layer Sun, 03 Mar 2019 17:01:00 EDT http://newosxbook.com/forum/viewforum.php?f=15 Bring your own exploit. Presently different file (qilin12.o) for 12 due to different structures. Working on making this universal. Stay tuned Sun, 03 Feb 2019 17:56:00 EDT http://newosxbook.com/bonus/vol1ch16.html Bonus chapter from Vol1 - Networking - free, as promised Fri, 04 Jan 2019 13:41:00 EDT http://newosxbook.com/forum/viewtopic.php?f=3&t=19577&p=23792#p23792 .. but I need help testing this! Thu, 14 Jan 2019 23:14:00 EDT http://newosxbook.com/tools/iOSBinaries.html I've updated the binpack for Darwin 18.1 (MacOS 14.1 sources), and while at it collapsed it into a single multipurpose binary. Better for forensics, and for dealing with that annoying CoreTrust). 70 utilities folded so far into a 1.2MB binary. Thu, 03 Jan 2019 12:15:00 EDT http://newosxbook.com/forum/viewtopic.php?f=3&t=19610 Volume I expanded with a new chapter on networking, and more detail on thread policies, and remote XPC. Volume II is delayed because AAPL are mean to me. Sat, 08 Dec 2018 19:49:00 EDT http://newosxbook.com/forum/viewtopic.php?f=3&t=19577&p=23629#p23629 JTool2 is a radical rewrite of jtool to make it more featureful and extensible, and less buggy. This is your chance to help out! Sat, 22 Sep 2018 14:30:00 EDT http://newosxbook.com/forum/viewtopic.php?f=11&t=19557&p=23623#p23623 I put the updates in the ChangeLog, and made a couple of the pages (pertaining to PAC and the new Mach-O architectures) available in the forum. Thu, 20 Sep 2018 14:46:00 EDT http://www.newosxbook.com/forum/viewtopic.php?f=10&t=19566 I could use your help as I try to work towards combining the trilogy into one, colorful and hardcover format. Sun, 15 Sep 2018 23:40:00 EST http://www.newosxbook.com/forum/viewtopic.php?f=8&t=19565&ref=rss Quick glimpse from Volume II to summarize differences between normal iOS 10 and later kernelcaches and the new "1469" format. I figured this is something that needs to get out there, before the book (which is still on track, thank you for asking :-) Sun, 15 Sep 2018 22:49:00 EST http://newosxbook.com/forum/viewtopic.php?f=11&t=19557&ref=rss Things AAPL didn't mention about the iPhone 11's A12. Wed, 12 Sep 2018 22:59:00 GMT http://newosxbook.com/forum/viewtopic.php?f=11&t=19534 I've been using find . -type f | xargs grep .... on the XNU sources for so long I figured I might as well make it a bit easier for me and give it a web interface. Thus is born http://newosxbook.com/xxr . I'm not linking it yet from main page because it might not be ready for the world. Please try it out and provide feedback! Wed, 08 Aug 2018 21:57:00 PDT http://newosxbook.com/forum/viewtopic.php?f=11&t=19527&etc Still alive, and working on a couple of things - jtool2, Fsleuth with APFS and new version of Joker, and Liber* JBs - among others. Just busy with actual work in Singapore, too.. Stay tuned, folks. :-) Sat, Jul 21 2018 04:04:00 EDT http://newosxbook.com/forum/?xx Captcha was broken, and I wanted to detach from anything remotely GOOGL. So we're back to simple image + admin verification. That way spambots won't be able to get in. Sat, Aug 18 2018 15:35:00 EDT http://newosxbook.com/forum/viewtopic.php?f=11&t=19527 I got so used to Twitter that I abandoned this medium. Now that I'm on indefinite leave from the former, time to get this alive again. Fri, Jul 06 2018 15:42:00 EDT http://newosxbook.com/tools/supraudit.html Enhanced praudit(1) for MacOS, enabling agent mode, filters, colors, and more. Fri, Oct 06 2017 15:03:00 EDT http://newosxbook.com/forum/viewforum.php?f=12 All Done! #LiberTV - #tvOS #jailbreak for 10.0-10.1: Free at last! http://NewOSXBook.com/libertv/libertv.ipa But please RTFM @ http://newosxbook.com/forum/viewforum.php?f=12 first! Fri, Mar 03 2017 01:03:00 EDT http://newosxbook.com/ent.jl Now full with all MacOS 10.12(.2) and iOS 10.2 Wed, Jan 18 2017 22:02:00 EDT http://newosxbook.com/tools/jtool.html Somewhat belated, but - I bring Significant jtool improvements! Better SLC handling (now works and resolves symbols so you don't really need to extract), decompilation (-D) and even ARMv7k under the hood :-) Plenty more to come, so stay tuned! Sat, Jan 08 2017 21:24:00 EDT http://newosxbook.com/articles/nuwashi.pdf I published the very small but detailed Chapter 21, dealing with Pangu's 9.3.3 jailbreak, for free. This way if you got the initial version you can get the PDF as well. Anybody ordering the book as of today will get this built-in . Wed, Nov 16 2016 11:12:00 EDT http://newosxbook.com/tools/hfsleuth.html HFSLeuth for HFS+ partition/DMG forensics/mounting/debugging under *OS/Linux, now supports file compression, xattr. http://newosxbook.com/tools/hfsleuth.html Mon, Nov 14 2016 00:17:00 EDT http://newosxbook.com/tools/ojtool.html Sun, Nov 06 2016 00:17:00 EDT http://newosxbook.com/forum/viewtopic.php?f=3&t=16750&p=17996#p17996 Thu, Nov 02 2016 22:24:00 EDT http://NewOSXBook.com/ I've been out and about and neglecting the site a bit. Hopefully updates will be more frequent as of now! Anyway - MOXiI Vol. III is on sale. Already went through its first (minor) revision, adding a bit more content. Wed, Nov 02 2016 12:18:00 EDT http://NewOSXBook.com/articles/OTA4.html Something I should have implemented LONG ago for in-OTA searches! Wed, Sep 07 2016 21:37:00 EDT http://NewOSXBook.com/articles/hitsb.html Plus a nifty little sandbox inspection tool. Thu, Aug 25 2016 19:35:00 EDT http://NewOSXBook.com/2ndUpdate.html Yep. You read right. I've been cooking this quietly for months, and it's almost ready. Fri, Jul 01 2016 13:57:00 EDT http://NewOSXBook.com/tools/filemon.html?r FileMon gets some active capabilities, and its own about page :-) Mon, Jun 06 2016 20:43:00 EDT http://NewOSXBook.com/2ndUpdate.html?r Nuff Said Thu, Mar 10 2016 07:43:00 EDT http://NewOSXBook.com/articles/TvOS.html?r Summary notes from Apple TV, 4th Gen Sat, Mar 05 2016 02:11:00 EDT http://NewOSXBook.com/tools/procexp.html?color ProcExp now correctly displays Mach/XPC ports for all port types (U and M). And -- colors! Sun 28 Feb 2016, 20:11:00 EDT http://NewOSXBook.com/ent.jl A searchable database of iOS entitlements Tue 23 Feb 2016, 01:20:00 EDT http://NewOSXBook.com/src.jl?tree=listings&file=ls.m Just a simple, but rather useful utilty for inspecting apps in both OSes. I cover the internals of this in MOXiI 2. Stay tuned Tue 16 Feb 2016, 23:16:00 EDT http://NewOSXBook.com/tools/iOSBinaries.html?u1 I keep adding more and more binaries and fixing a few which were malsigned by me. screen, vim should now work, ls now has full color (well, "full".. you know, terminal capability..), and fs_usage (useful!) is now added to the bunchm, as well Fri 12 Feb 2016, 22:36:00 EDT http://NewOSXBook.com/tools/iOSBinaries.html IMHO, a far better alternative to Cydia's old and all-too-often binaries. Recompiled by yours truly from scratch. Fri 05 Feb 2016, 10:02:00 EDT http://NewOSXBook.com/tools/jtool.html#darncool JTool now auto-detects and auto symbolicates MIG tables when you dump __DATA.__const. Check it out! Unbelievably useful for reversing! Wed 03 Feb 2016, 23:27:00 EDT http://NewOSXBook.com/tools/jtool.tar?s1 Fixes disass/decomp (esp in fat files) as well as a few bugs I introduced by mistake in the process of refactoring.. Also updates Linux version to be in line with OSX/iOS[32/64] (thanks Billy!) Sat, 30 Jan 2016, 23:55:15 EDT http://NewOSXBook.com/tools/procexp.html?1-e Much, much needed functionality :-) Tue, 26 Jan 2015, 12:00:00 EDT http://NewOSXBook.com/tools/jtool.html?r Massive improvements. Too many to list here. Read the html.. Sun, 20 Dec 2015, 10:10:00 EDT http://NewOSXBook.com/articles/jlaunchctl.html?1.1 jlaunchctl now supports more commands, and a bonus XPC Man-in-the-Middle Library which you can use (via interposing) to print XPC messages Fri, 13 Nov 2015, 22:20:00 EDT http://NewOSXBook.com/files/jtool.tar?r0.98 RADICALLY improved jtool now handles code signature faking, better objective C, and many other features - Checks WhatsNew in tar file.. Thu, 12 Nov 2015, 20:00:00 EDT http://NewOSXBook.com/files/procexp.tgz?r099 Thu, 12 Nov 2015, 20:00:00 EDT http://NewOSXBook.com/TOC2-2.html?r Tue, 10 Nov 2015, 00:00:00 EDT http://newosxbook.com/articles/jlaunchctl.html?r Your comments and feedback on this are really appreciated. Tue, 09 Nov 2015, 00:00:00 EDT http://newosxbook.com/articles/OTA2.html?r Thu, 24 Sep 2015, 00:00:00 EDT http://newosxbook.com/articles/HIDeAndSeek.html?r Tue, 25 Jul 2015, 00:00:00 EDT http://newosxbook.com/tools/disarm.html?r .. Mon, 17 Aug 2015, 08:00:00 PDT http://newosxbook.com/tools/joker.html?r .. and integration with Jtool companion files as well. Q.v. the new joker page Fri, 07 Aug 2015, 12:00:00 EDT http://newosxbook.com/articles/28DaysLater.html?r Fri, 24 Jul 2015, 07:50:00 EDT http://newosxbook.com/forum/viewtopic.php?f=3&t=16580 Process Explorer (0.56) now updated to symbolicate user threads, supports iOS9/OSX 10.11 Fri, 10 Jul 2015, 00:15:00 EDT http://newosxbook.com/articles/9-10.11.html?0.1rs Observations on the new 10.11 DP1 and XCode w/iOS 9.0b kernel Tue, 09 Jun 2015, 19:15:00 EDT http://newosxbook.com/src.jl?r=1&tree=listings&file=inject.c You know. Just in case you want it :-) Mon, 01 June 2015, 00:01:00 EDT http://newosxbook.com/articles/guesstalt.html?r MobileGestalt is Apple's library which provides support for system configuration data. As part of MOXiI 2, I've reversed it. Findings are herein Sat, 23 May 2015, 20:01:00 EDT http://newosxbook.com/2ndKickoff.html?r The 2nd Edition is my baby again! Tue, 05 May 2015, 17:36:00 EDT http://newosxbook.com/articles/CodeSigning.pdf?r The full slides of my talk Tue, 28 Apr 2015, 20:02:00 EDT http://newosxbook.com/files/joker.tar?r Joker now supports iOS 8, and allows for kext extraction Mon, 20 Apr 2015, 21:26:00 EDT http://newosxbook.com/files/procexp.tar?05 'nuff said Mon, 13 Apr 2015, 16:13:00 EDT http://newosxbook.com/articles/11208ellpA.html?r 'nuff said Wed, 08 Apr 2015, 20:15:00 EDT http://newosxbook.com/articles/TaiG2.html .. Sun, 15 Feb 2015, 04:32:00 EDT http://newosxbook.com/articles/TaiG.html .. Sun, 08 Feb 2015, 04:32:00 EDT http://newosxbook.com/files/filemon.tgz?r Why didn't I do this before? The previous version that was on the site was an utter mess, and crashed. This one produces human readable output, is grep friendly, and should be rock solid! Tue, 09 Nov 2014, 03:25:00 EDT http://newosxbook.com/TOC2.html 'Nuff said! Please check out the TOC, and let me know if I've missed anything Tue, 04 Nov 2014, 16:38:00 EDT http://newosxbook.com/articles/8-10.10.html?0.4rs More observations on the new 10.10 DP8 and XCode w/iOS 8 full filesystem image Sun, 21 Sep 2014, 20:54:00 EDT http://newosxbook.com/forum/viewtopic.php?f=10&t=16552&2 Wiley and I have reached an understanding. The second edition is underway. Expect *many* updates - by Early 2015! Wed, 30 Jul 2014, 09:37:00 EDT http://newosxbook.com/forum/viewtopic.php?f=10&t=16552 1.5 years after the book has been out, many changes have been afoot. OS X has advanced by almost three operating system versions , with 10.10 and iOS 8 around the corner. Also, I've got some pretty constructive (and sometime less than constructive) feedback on more topics to cover. The new book will follow in the general path of the Android book, meaning far less source code snippets, and lots more diagrams and illustrations, which will allow for more coverage of important topics. Your requests are welcome - this is your chance to get all your questions about undocumented stuff answered! Wed, 02 Jul 2014, 09:37:00 EDT http://newosxbook.com/files/procexp.tar?v032 New version of Process Explorer - now handles kernel symbols! Select any process and press "T" to view kernel and user stacks. Symbolication on kernel works (tested on ML, Y) - will symbolicate user stacks soon Fri, 13 Jun 2014, 00:59:00 EDT http://newosxbook.com/articles/8-10.10.html?rs Preliminary notes on the new 10.10 DP1 and XCode w/iOS 8 SDK Thu, 05 Jun 2014, 12:43:00 EDT http://newosxbook.com/articles/GCD.html?rs An exploration of Grand Central Dispatcher and Apple's modifications to Pthread Sat, 22 Feb 2014, 12:43:00 EDT http://newosxbook.com/src.jl?tree=listings&r=1&file=inject.c The coreruption tool is still closed source, but I've made an important part of it - the dylib injector - open. And I've fully annotated it, too. Wed, 05 Feb 2014, 01:43:11 EDT http://newosxbook.com/files/hfsleuth.tar?v022 HFSleuth in new version with bug fixes, and full Linux support for BZ2 DMGs. Useful for opening HFS+ volumes for raw access, as well as DMG files on Linux - pure user mode, no driver or kernel interaction required. Tue, 21 Jan 2014, 23:51:11 EDT http://newosxbook.com/files/procexp.tar?v027 The last thing that top(1) may have had on ProcExp is now gone - updated procexp to have network statistics. Working on debugging *per-process* statistics, but that will wait for next release... Mon, 20 Jan 2014, 01:22:24 EDT http://newosxbook.com/files/procexp.tar?v025 v0.25 now has vmmap(1) functionality built-in - try "procexp pid regions". Also tested on Armv8 Sun, 19 Jan 2014, 13:09:52 EDT http://newosxbook.com/articles/EveningWithMobileObliterator.html Back after a long leave of absence.. with an article on iOS and its entitlement model. Happy New Year, everyone! Tue, 31 Dec 2013, 14:42:11 EDT http://newosxbook.com/articles/MemoryPressure.html Another long flight to the far east, and to pass the time - I wrote a short article explaining OS X's memorystatus, iOS's Jetsam, and memory pressure handling in both OSes Sun, 03 Nov 2013, 10:29:44 EDT http://newosxbook.com/files/procexp.tar?v24 Process Explorer updated (v0.24) for Mavericks and iOS7, with memory pressure, per CPU statistics, file descriptors, and more. Also includes preliminary support for delta mode (highlighting changed table cells) Thu, 24 Oct 2013 14:53:10 EDT http://newosxbook.com/files/procexp.universal?v21 Process Explorer updated (v0.21) for Mavericks and iOS7, with more details (such as memory compression statistics). This is A FAR better tool than OS X's top (closer and modeled after Linux top). Bugs fixed, color added, man page created. Thu, 10 Oct 2013 14:53:10 EDT blah Just as I was getting a handle on ARM32 and Thumb, A7 starts using ARM64.. *Sigh* Now revising jtool accordingly... Sun, 22 Sep 2013 20:59:10 EDT http://newosxbook.com/forum/viewtopic.php?f=3&t=16543 I never really got a chance to post this. Think SysInternals, but for OS X/iOS - and in text mode. Downloadable via the forum. Preliminary Alpha version, but works pretty well. Sun, 08 Sep 2013 13:54:12 EDT http://www.newosxbook.com/src.jl?tree=listings&file=bat.c Someone pointed out to me that I refer (in Chapter 19) to IOPowerSources in the book, but don't really have a demonstration of how to do so. I use that in Process Explorer (my top replacement, demonstrating proc_info (syscall #336), and now I posted the (really simple) code Sun, 08 Sep 2013 13:30:12 EDT http://newosxbook.com/files/joker?7 The joker tool can now handle iOS7 betas, as well. Apple has changed the system and mach table structures (and added 10 new syscalls!), but now the signatures are updated. I'm also rewriting the tool to be a lot more elegant (use machlib). You're welcome to download and try. Tue, 27 Aug 2013 09:28:14 EDT http://newosxbook.com/forum/viewforum.php?f=9 Following comments from readers Emmanuel and Brian, I've started a sub-forum to handle all errata. If you have any comments on any factual inaccuracies in the book (or, alas, typos), please share them here. This would prove valuable to all readers, past, present and future. Fri, 16 Aug 2013 23:59:03 EDT http://newosxbook.com/files/jtool.tar?x JTool now supports more load commands, including LC_LOAD_UPWARD_DYLIB and others you're never likely to see anywhere... More importantly, the symbol display command (jtool -S -v) now works for 64-bit and fat binaries too. DWARF support is almost done, so creating .dSYM files and injecting symbols is right around the corner. Stay tuned. Fri, 16 Aug 2013 21:04:03 EDT http://newosxbook.com/articles/DYLD.html A detailed description of DYLD's internals and the poorly documented __LINKEDIT segment, picking up where the book left off. Also provides some good usage examples of Jtool. Wed, 07 Aug 2013 21:04:03 EDT http://newosxbook.com/src.jl?tree=listings&file=jurpleConsole.c Another long flight from PVG to LAX, and with nothing else to do I set out to reverse engineer the (surprisingly simple) purple_console tool, from Apple's "RestoreTools.pkg" floating around the Internet. The result is a 1:1 decompilation, allowing you to see the usage of MobileDevice.framework. This will surely open up more discoveries as I dissect the framework (which is included in every Mac by default) to pieces. Stay tuned - and go ahead and download the source! Sat, 27 Jul 2013 22:24:55 EDT http://newosxbook.com/forum/viewtopic.php?f=3&zz With nothing to do in Beijing, I've occupied myself with some serious enhancements in JTool! From the WhatsNew.txt: 1) JTool now dumps CFStrings! If you -d an address in _cfstring section, or disassemble, and a register is detected to point to a CFString, it will be resolved to its CFString value. REALLY useful for reverse engineering. 2) LC_FUNCTION_STARTS now processed during disassembly, so as to print function starting points. If the function addresses do not have a symbol associated with them (as, alas, is the case with most iOS binaries), jtool generates a func_xxxx name (similar to IDA). A future version will auto-symbolicate in a .dSYM file (once I figure out what the #$%#$% Mach-O Dwarf format is) 3) Last, but by far NOT least: JTool now correctly resolves stubs in disassembly! This will show external (dylib) function calls. This puts JTool on par with otool (grrrr) and IDA. In fact, seeing as JTool resolves PC relative and neither of the other two do, it might just come a bit ahead. Thu, 18 Jul 2013 22:01:04 EDT http://newosxbook.com/forum/viewtopic.php?f=3&z JTool now has (partial) support for shared caches (implementing decache functionality), as well as a new option, --pages, which gives you a mapping of the Mach-O file pages to their respetive regions or load commands. Useful for inspecting __LINKEDIT. Tue, 09 Jul 2013 22:01:04 EDT http://newosxbook.com/forum/viewtopic.php?f=3&y Amazing what boredom on an 11 hour flight does. JTool is (again) updated, this time with *really* useful features: -S -v: shows symbols like nm WITH libraries, -opcodes: does dyldinfo's opcode binding. Check out WhatsNew.txt in jtool.tar. Sat, 29 Jun 2013 22:28:21 EDT http://newosxbook.com/forum/viewtopic.php?f=3&x New version of JTool - with entitlement and signature support. You can now use --ent and --sig, respectively, to display the previously opaque goodies in LC_CODE_SIGNATURE. Man page updated, as are many of its options. Thu, 27 Jun 2013 19:50:21 EDT http://newosxbook.com/forum/viewtopic.php?f=3& Tools keep updating, with HFSLeuth and JTool - both as universal binaries (also for iOS) as well as ELF (Linux) - released in updated versions with minor bugfixes. Still working on the latter, but it already has more nifty features such as being able to dump C-Strings, and toggle PIE in a binary. Expect more really soon. Fri, 07 Jun 2013 07:56:11 EDT http://newosxbook.com/forum/viewtopic.php?f=3 It's been a while.. :-) Thanks to a bug find by codelogic - hfsleuth now supports unmounted filesystems. Also, joker available in universal version. I'm also working on a massive update to Jtool, which incorporates all of dyldinfo(1)'s functionality into it. Tue, 04 Jun 2013 08:23:32 PDT http://newosxbook.com/forum/viewtopic.php?f=3&t=376 Now supporting a full dump of the kextcache, along with file offsets - q.v. forum post Sat, 20 Apr 2013 13:06:32 EDT http://newosxbook.com/files/hfsleuth.universal As per a request on the newly established forum by Daniel - HFSleuth is now released as a truly universal binary, with support for Intel (Mac), ARMv7 (iOS) and PPC (G5). There is a separate ELF version for Linux, as well. This makes HFSleuth a great replacement for Singh's "hfsdebug", which has been available only for PPC, and has disappeared with the advent of his commercial tool. HFSleuth is here to stay. Wed, 17 Apr 2013 07:34:20 EDT http://newosxbook.com/forum Following my reviewer's excellent advice, the website now has an online forum. Currently wide open for guests - no need to register - until the first spambot finds me.. This forum will give you a chance to discuss, and ask questions, on anything related to iOS or OS X. Now waiting for the first post.. Thu, 11 Apr 2013 13:31:20 EDT http://newosxbook.com/files/joker The joker tool now displays kext load addresses, making it useful for plotting out the kernel address space. Note that KASLR still applies (i.e. these addresses will be shifted by some random value) Mon, 08 Apr 2013 16:51:27 EDT http://newosxbook.com/files/jtool.tar Jtool is now also available in an ELF64 version for Linux. I had to tweak the OS X headers, but it compiles (almost) neatly. You're welcome to download it and try Tue, 19 Mar 2013 20:27:41 EDT http://newosxbook.com/Sample.pdf I decided to make chapter 4 available for my Harvard students as we discuss mobile operating system internals. Then I figured, why not make it public? So, enjoy Tue, 12 Mar 2013 09:05:10 EDT http://newosxbook.com/files/HFSleuth.tar Sun, 10 Mar 2013 00:32:22 EST http://newosxbook.com/src.jl?tree=listings&file=12-1-vmmap.c Updated vmmap for iOS and OS X - file is now a fat binary (so you can run it on iOS on OS X). Source now modified to use dyld APIs to retrieve list of Mach-O images. Not putting the two together yet (i.e. list is separate), but working on a procfs implementation for a Linux-like /proc/$$/maps on OS X. Stay tuned. Sat, 09 Mar 2013 14:30:11 EST http://nekkidblogger.com/2013/mac-os-x-and-ios-internals-to-the-apples-core-by-jonathan-levin/ Another great review by Peter, a.k.a nekkidblogger. Thanks for the kind words! Sat, 09 Mar 2013 14:30:01 EST http://www.newosxbook.com/index.php?page=Appendix Following a question on LinkedIn - Appendix A (list of Mach Traps and System calls) is on the site (always has been, but with no clear link outside the RSS feed) at http://www.newosxbook.com/index.php?page=Appendix. Clicking on file names will (usually) get you to the source tree and a quick JS hack I wrote for auto-syntax and function names. Also, as per my reviewer's recommendation, RSS feeds are now newest first.. :-) Sorry if this causes confusion for your RSS readers (hopefully it won't, since the guids have not changed) Mon, 04 Mar 2013 23:19:20 EST http://newosxbook.com/DMG.html After adding support for DMGs to HFSleuth, I figured it makes sense to document the file format and process of mounting images in OS X. Fri, 01 Mar 2013 13:27:32 EDT http://newosxbook.com/files/hfsleuth.tar&new HFSleuth has been updated with a new command - "allocation", to display the allocation bitmap of the HFS filesystem inspected. Experimental output is to an HTML table, providing a clear view of fragmentation and "holes" in the filesystem. Thu, 28 Feb 2013 12:53:02 EDT http://newosxbook.com/files/hfsleuth.tar It's been a (long) while, but I've been busy.. And now I'm back with a new version of HFSleuth. Now a fully interactive tool, able to open HFS+/HFSX partitions as well as DMGs. Available for OS X, iOS, and - Linux! All in the same tar file, along with a manual page. Even more to come soon. Tue, 26 Feb 2013 12:53:02 EDT http://macsoluciones.com/analisis/ver-todos/35-libros/948-mac-os-x-and-ios-internals-to-the-apple-s-core http://macsoluciones.com/analisis/ver-todos/35-libros/948-mac-os-x-and-ios-internals-to-the-apple-s-core has a nice review of the book, in Spanish, no less. Wed, 20 Feb 2013 12:53:02 EDT http://unix.stackexchange.com/questions/60298/what-is-bsd-in-mac-os-x-and-ios-internals/62193#62193 I came across a post on StackExchange, wondering about the extra " in Chapter 13's dual title - BS"D. While yours truly is technically Jewish, it is not meant as an allusion to the Jewish roots. Close, but no cigar. Like all dual titles, though, it *is* an allusion. BS"D is an orthodox jewish wish/blessing written on documents, short for Besyiata Deshmaya (Yiddish for "With the help of the 'name'", i.e. God). The allusion was that OS X wouldn't have gotten to where it did without the BSD core (in a sense, a greater power). And it ties in to "On the shoulders of Giants" in Chapter 3, which is an allusion to Newton (gigantum humeris insidentes). While on the subject, "E Pluribus Unum", the motto of the United States, is "One out of many", which in Chapter 2 talks about the synergy of the various technologies (Mach, BSD, IOKit, frameworks) and how they build OS X. In short, no, it's not a typo :-) Though my editors probably think so till this very day ;-) . Tue, 22 Jan 2013 12:53:02 EDT http://www.newosxbook.com/files/hfsleuth.tar Happy New Year! HFSleuth is ready! A stable version, now as an interactive tool, is ready for your consumption. Both OS X and iOS versions, as well as an experimental ELF version. *** THIS IS VERY PRELIMINARY, BUT STABLE **. I will add many more features (including shell like interface for low level file access directly over HFS) soon. Tue, 08 Jan 2013 23:09:02 EDT http://www.newosxbook.com/files/not-yet For those of you wondering - HFSleuth is (almost) ready for consumption and use by the masses. It was working just fine until I recently tested it on iOS 6, wherein Apple has forced a blocksize of 8192 on the flash devices. Turns out lseek(2) still works just fine, but read(2) fails with an unknown error. Using dmesg(1), however, reveals an orphaned "alignment error" message. I'm now revising HFSleuth for the change, and will republish it soon! Sat, 29 Dec 2012 21:06:02 EDT http://www.newosxbook.com/files/filemon.iOS http://www.newosxbook.com/files/filemon.iOS Merry Christmas! I've been bad, as work keeps on pouring.. But - due to popular demand (Boyd, Jason and others) - filemon is up. This is an iOS6-tested example of an fsevents monitor, and provides cool insight as to the behind-the-scenes of your (jailbroken) i-Device. Both source and binary are available! Please keep emails and requests coming. MUCH more will come soon (including a GUI for filemon). Tue, 25 Dec 2012 18:45:01 EDT http://www.newosxbook.com/update2 http://www.newosxbook.com/files/joker Inundated with other stuff, I let the regular updates slip some.. Anyway, The source for the joker tool (which reads the decrypted iOS kernelcache and displays information about it) is now out (along with the binary, as before). Watch out for more updates as I add some of the beta functionality, like separating the kexts, editing the info, etc. Fri, 30 Nov 2012 04:53:43 CST http://www.newosxbook.com/update1 http://www.newosxbook.com The book must be selling well - consistently in the top #8,000 still, and Amazon has twice upped the price , by some $4.9 by now (20%!). Thanks for all of you who bought so far (and kudos to those who got it at the pre-sale price). I'd love to hear from you! Incidentally, some copies contain a bonus chapter of ASP.net. I know, because I got some of them too.. Too bad they come in place of Chapters 4-5.. It's only a limited batch, though. I'm hopeful Wiley will replace them.. Mon, 12 Nov 2012 22:53:12 CST http://www.newosxbook.com/src.jl?tree=listings&file=12-vmmap.c http://www.newosxbook.com/src.jl?tree=listings&file=12-1-vmmap.c The vmmap(1) clone, derived from GDB's "info regions" logic. Patched to workaround iOS 6's invalidation of the task port. Used as the basis for the corerupt tool (which will be available for download once I tidy it up a little..). Thanks to Mike of Canada for pointing out the link was broken! Sun, 11 Nov 2012 08:21:11 CST http://who.asked.google.com http://books.google.com/books?id=bzZO64m3iS0C Apparently, the book is now on Google (e)Books. Somewhat peeving, since nobody asked me if I want it to be there (I'd have said no). Even though it might be tempting to buy it at $32.99, I personally think that it's worth waiting for the high quality PDF that Wiley will be putting out (sometime) soon (though the link to Google is supplied). Oh, the irony. Google making a buck off of Apple's back :-). From what I understand, btw, Amazon's price is slightly cheaper if you follow the link on this site (i.e. http://www.newosxbook.com/) Btw, I am not an associate professor of English, or whatever Google has me at. What can you expect from a hulking yet inferior, context-free search engine? Fri, 02 Nov 2012 19:56:02 EDT http://newosxbook.com/src.jl?tree=listings&file=stack-snapshot. http://newosxbook.com/src.jl?tree=listings&file=5-2-stack-snapshot.c Added the code from listing 5-2, which provides stackshot functionality (using the undocumented syscall #365) for both OS X and iOS. This enables you to get a complete thread call stack dump. In other news, the book is (incredibly) in Amazon's top #2,000(!). Who would've believed? A niche technical book! Watch out, 50 shades :-) Thank you all! Fri, 02 Nov 2012 10:11:02 EDT http://newosxbook.com/src.jl?tree=listings&file=6-bonus.c http://newosxbook.com/src.jl?tree=listings&file=6-bonus.c The imagine tool, shown in chapter 6 (EFI and iBoot) can be used to inspect the various IMG3 files from the iOS ipsws. In particular, it's useful to dump the device tree files. The tool is shown in output 6-6 and listing 6-7 (which should really be an output..). Oh, and - the book just climbed to the all time high of 8,247 (and #3 in Mac OS Books) on Amazon! Tue, 30 Oct 2012 11:22:11 EDT http://newosxbook.com/ http://www.amazon.com/gp/product/1118057651/ref=as_li_ss_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=1118057651&linkCode=as2&tag=newosxbookcom-20 The book is finally in print, a few days ahead of time. Amazon is listing it as in stock, and I got my copies (all 20 of them.. if I want more to hand out, I actually have to *buy* my own book, imagine that!). Book has been consistently in the top 25,000 on Amazon so far. Quite impressive, considering it's out of 8,000,000, and not bad for a book that was yet to be published! Sun, 28 Oct 2012 11:13:52 EDT http://newosxbook.com/src.jl?tree=listings&file=17-15-utun.c http://newosxbook.com/src.jl?tree=listings&file=17-15-utun.c The example from Chapter 17 (networking) demonstrating usage of User mode tunnels with the UTUN mechanism. The simple example sets up a utun interface (utun1), and then dumps all the packets sent to it. Download as source for both OS X and iOS. Tue, 16 Oct 2012 13:21:56 EDT http://newosxbook.com/src.jl?tree=listings&file=17-25-bpf.c http://newosxbook.com/src.jl?tree=listings&file=17-25-bpf.c The example from Chapter 17 (networking) demonstrating usage of BPF filters. Download as source for both OS X and iOS. Sun, 14 Oct 2012 20:11:41 EDT http://newosxbook.com/src.jl?tree=listings&file=17-1-lsock.c http://newosxbook.com/src.jl?tree=listings&file=17-1-lsock.c The example from Chapter 17 (networking) demonstrating the com.apple.network.statistics provider is ready! Download as source or as binaries for OS X/iOS Tue, 09 Oct 2012 19:15:11 EDT http://www.amazon.com/gp/reader/1118057651/ref=sib_dp_pt#reader-link http://www.amazon.com/gp/reader/1118057651/ref=sib_dp_pt#reader-link Checking on the book's rank (fluctuating in the top 30,000-100,000 - not bad for a book that has yet to be published!) I just saw that Amazon uploaded the "Look Inside" previews! This is it, people! Thu, 04 Oct 2012 19:21:28 EDT http://newosxbook.com/index.php?page=Downloads http://newosxbook.com/index.php?page=Downloads Tools will now feature some sample usage . This is especially important for some of the cool features, like JTool's new disassembler.. Tue, 25 Sep 2012 14:21:28 EDT http://newosxbook.com/index.php?page=Appendix http://newosxbook.com/index.php?page=Appendix Appendix I - the list of XNU's system calls and Mach traps - is now online. Some of the system calls are well known (being POSIX), but nevertheless there are a few undocumented ones whose prototype the table lists, with a short description. More detail can be found in the book. The Mach traps are entirely undocumented, and Apple keeps adding more (e.g. kernelrpc_* ones, which were introduced in iOS and have been included in Mountain Lion). I'll try to keep this as updated as I can, so check back soon. Thu, 30 Aug 2012 20:51:28 EDT http://opensource.apple.com http://www.opensource.apple.com/release/mac-os-x-108/ Mountain Lion Sources (XNU 2050.7.9 and others) are officially out in the public domain, and it's great to see that the reverse engineering and educated guesses made in the book have all proved correct! Thu, 02 Aug 2012 00:30:25 EDT http://www.newosxbook.com/index.php?page=main& http://www.newosxbook.com/index.php?page=book Main page edited. Added welcome message Fri, 08 Jun 2012 23:07:19 EDT http://www.newosxbook.com/index.php?page=main http://www.newosxbook.com/index.php Main page edited. Added welcome message Tue, 08 May 2012 23:07:19 EDT http://www.newosxbook.com/xxx/xxx/xxx http://www.newosxbook.com/index.php Watch this space for more news and announcements! Tue, 08 May 2012 23:06:09 EDT