Mac OS X and iOS Internals: To the Apple's Core

Category: Operating Systems
Author: Jonathan Levin
This Month Stack Overflow 6


by anonymous   2019-07-21

The launchd and launchctl binaries appear to be the only lone binaries that report the version number in Finder, as far as I can tell.

From Mac OS X and iOS Internals, it describes the startup of launchd as being directly by the kernel and the "name -- /sbin/launchd -- is hard coded as the variable init_program_name".

I suspect that the version number is also hard-coded in a way in which Finder knows what to display, else Finder is treating this as a special known case.

If you use the 'what' command you can also see the version number in the binary, which in my case, is 2.0.0 on Yosemite 10.10.2:

$ what /sbin/launchd

PROGRAM:launchd  PROJECT:libxpc-559.10.3
VERSION:Darwin System Bootstrapper 2.0.0: Wed Nov 12 18:47:07 PST 2014; root:libxpc_executables-559.10.3~1/launchd/RELEASE_X86_64
by anonymous   2019-07-21

And there's also the upcoming - picking up where Singh's excellent book left off. FYI Yuji, much has indeed changed internally. Mach hasn't, but launchd has been revamped, GCD and XPC is totally new, the porting to ARM is new, and XNU has had about 40-50 new system calls since then.

by anonymous   2019-07-21

I don't know if it possible for headphone events but with private API, you can send some events like: home button press, power button press or mouse events (not tested).

You should read this book:

It'll be a hard work to make this works.

Take a look at GSEvent to know how to send an event to OS (iOS).

Edit: I've found 2 event types in GSEvent.GSEventType:

kGSEventHeadsetButtonDown = 1018,
kGSEventHeadsetButtonUp = 1019,

PS: - this use private API so it will be rejected if you post this app to AppStore.

by anonymous   2019-07-21

Ethical questions about hacking/cracking/etc aside, let's discuss the details:

  • In OS X the binary decryption is performed by a Don't Steal MacOS X.Kext (affectionately known as DSMOS).
  • In iOS the binary decryption is performed by the FairPlay kext.

    In both cases, the kernel Mach-O loader is responsible for this. If you really need to go into the detail, it's the Apple Protect pager which handles the decryption. In XNU parlance a "pager" is a component which is responsible for taking VM pages and retrieving them from a backing store (swap, memory mapped file, etc). It's the Apple Protect Pager which calls on the kext (one of the above two)

    There's a great book covering the kernel specifics -

    As you correctly stated, this encryption is easily defeated - on a jailbroken device (or a PC with root privileges) you can use the Mach VM APIs to read the decrypted image. That's actually mentioned in the above book, with a sample tool to do that (among other VM tricks). Alternatively, Stefan Esser has a simple tool which decrypts binaries by injecting a simple .dylib into the process address space when loaded, using DYLD_INSERT_LIBRARIES. › stefanesser › dumpdecrypted.

hope this helps