├── .gitignore ├── LICENSE.txt ├── Makefile ├── README.md ├── flake.lock ├── flake.nix ├── index.html └── internals.tsv /.gitignore: -------------------------------------------------------------------------------- 1 | /internals-*.db.lz 2 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2020 Michael Roitzsch 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in 13 | all copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | THE SOFTWARE. 
22 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | override DB := $(if $(DB),$(DB:.lz=),$(lastword $(sort internals-$(shell sw_vers -productVersion).db $(basename $(wildcard internals-*))))) 2 | MY_INTERNALS = $(HOME)/Library/Mobile\ Documents/com~apple~TextEdit/Documents/Apple\ Internals.rtf 3 | DB_TARGETS = db_files db_restricted db_binaries db_manifests db_assets db_services 4 | CHECK_TARGETS = check_files check_binaries check_manifests check_services 5 | 6 | .PHONY: all check view sqlite $(DB_TARGETS) $(CHECK_TARGETS) 7 | .INTERMEDIATE: $(DB) 8 | 9 | all: $(DB).lz check 10 | 11 | ifneq ($(wildcard $(MY_INTERNALS)),) 12 | internals.tsv: $(MY_INTERNALS) 13 | printf 'Term\tDescription\n' > $@ 14 | textutil -cat txt $@ "$<" -output $@ 15 | xattr -c $@ 16 | endif 17 | 18 | ifneq ($(wildcard $(DB).lz),) 19 | $(DB): $(DB).lz 20 | compression_tool -decode -i $< -o $@ 21 | else 22 | $(DB): 23 | @$(MAKE) --silent --jobs=1 $(DB_TARGETS) | sqlite3 -bail $@ 24 | 25 | $(DB).lz: $(DB) 26 | compression_tool -encode -i $< -o $@ 27 | tmutil addexclusion $@ 28 | rm -rf dyld 29 | endif 30 | 31 | check: internals.tsv 32 | @(head --lines=1 ; LANG=en sort --ignore-case) < $< | diff -uw $< - 33 | @$(MAKE) --silent --jobs=1 $(CHECK_TARGETS) 34 | 35 | define VIEW 36 | SELECT path,os FROM files WHERE restricted IS NULL; 37 | SELECT path,os,'restricted' FROM files WHERE restricted; 38 | SELECT path,os,name FROM files NATURAL JOIN assets; 39 | SELECT path,os,dylib FROM files NATURAL JOIN linkages; 40 | SELECT files.path,os,key,value FROM files NATURAL JOIN services, json_each(plist); 41 | SELECT files.path,os,key,value FROM files NATURAL JOIN entitlements, json_each(plist); 42 | endef 43 | export VIEW 44 | 45 | view: $(DB) 46 | echo "$$VIEW" | sqlite3 -bail $< | LC_COLLATE=C sort 47 | 48 | sqlite: $(DB) 49 | sqlite3 $< || true 50 | 51 | 52 | # MARK: - data 
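extraction helpers

# Paths of the helper tools built from this repository's Nix flake. Both
# variables are recursively expanded (`=`), so `nix build` runs whenever one of
# them is expanded in a recipe rather than when the Makefile is parsed. The
# `\#` stops make from reading the flake fragment separator as a comment start.
ACEXTRACT = $(shell nix build --no-write-lock-file --no-warn-dirty .\#acextract && \
	readlink result && rm result)/bin/acextract
DSCEXTRACTOR = $(shell nix build --no-write-lock-file --no-warn-dirty .\#dsc-extractor && \
	readlink result && rm result)/bin/dyld-shared-cache-extractor

# The db_* targets are double-colon rules: make runs every `::` rule of a target
# in the order the rules appear in the makefile. Each db_* target therefore
# emits: precondition check, BEGIN, its own statements, COMMIT.
#
# Precondition check: both helper tools must be executable and `csrutil status`
# must report SIP as disabled. On failure the recipe writes `FAIL;` to stdout
# (the stream the $(DB) rule pipes into `sqlite3 -bail`) and exits non-zero.
$(DB_TARGETS)::
	# check presence of helper tools and other preconditions
	if ! test -x $(ACEXTRACT) ; then \
		printf '\033[1macextract tool unavailable\033[m\n' >&2 ; \
		echo 'FAIL;' ; \
		exit 1 ; \
	fi
	if ! test -x $(DSCEXTRACTOR) ; then \
		printf '\033[1mdscextractor tool unavailable\033[m\n' >&2 ; \
		echo 'FAIL;' ; \
		exit 1 ; \
	fi
	if ! csrutil status | grep -Fq disabled ; then \
		printf '\033[1mdisable SIP to get complete file information\033[m\n' >&2 ; \
		echo 'FAIL;' ; \
		exit 1 ; \
	fi

# Extract both dyld shared caches into ./dyld, then set the execute bit on every
# extracted file (db_binaries selects its candidates with `-perm +111`).
dyld: /System/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e /System/Cryptexes/OS/System/DriverKit/System/Library/dyld/dyld_shared_cache_arm64e
	for i in $+ ; do $(DSCEXTRACTOR) $$i $@ ; done > /dev/null
	find $@ -type f -print0 | xargs -0 chmod a+x

# Installed Xcode bundle; the beta is preferred when both are present.
XCODE = $(lastword $(wildcard /Applications/Xcode.app /Applications/Xcode-beta.app))

# $(call prefix,OS) expands to a shell command substitution that prints the
# root directory for an OS label: nothing for macOS, the dyld directory next to
# this Makefile for macOS-dyld, and the simulator RuntimeRoot for the others.
prefix = $$(case $(1) in \
	(macOS) ;; \
	(macOS-dyld) echo $(dir $(realpath $(firstword $(MAKEFILE_LIST))))/dyld ;; \
	(iOS) echo $(lastword $(wildcard /Library/Developer/CoreSimulator/Volumes/iOS_*))/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS*.simruntime/Contents/Resources/RuntimeRoot ;; \
	(tvOS) echo $(lastword $(wildcard /Library/Developer/CoreSimulator/Volumes/tvOS_*))/Library/Developer/CoreSimulator/Profiles/Runtimes/tvOS*.simruntime/Contents/Resources/RuntimeRoot ;; \
	(watchOS) echo $(lastword $(wildcard /Library/Developer/CoreSimulator/Volumes/watchOS_*))/Library/Developer/CoreSimulator/Profiles/Runtimes/watchOS*.simruntime/Contents/Resources/RuntimeRoot ;; \
	esac)

# $(call find,EXPR,WRAPPER) prints one "<os> <path>" line per match of the find
# expression EXPR across the macOS volume, Xcode, the extracted dyld cache and
# the simulator runtimes. WRAPPER (e.g. sudo) is put in front of the find calls
# that scan the system volume and the simulator roots.
#
# Each simulator scan is chained to its `cd` with `&&`: when a runtime is not
# installed the `cd` fails, and a find that still ran (possibly under sudo)
# would list whatever directory the shell was left in under the wrong OS label.
# The "." entry itself is dropped with `/^\.$$/d` instead of `1d`, because with
# a filtering EXPR the first output line is a real match, not ".".
find = \
	{ \
		$(2) find /Library /System /bin /dev /private /sbin /usr ! \( -path /Library/Developer/CoreSimulator/Volumes -prune \) ! \( -path /System/Volumes/Data -prune \) $(1) 2> /dev/null | sed 's/^/macOS /' ; \
		find $(XCODE)/Contents/Developer $(1) | sed 's|^$(XCODE)|macOS /Applications/Xcode.app|' ; \
		test -d "$(call prefix,macOS-dyld)" && cd "$(call prefix,macOS-dyld)" && find . $(1) | sed '/^\.$$/d;s/^\./macOS-dyld /' ; \
		cd "$(call prefix,iOS)" && $(2) find . $(1) 2> /dev/null | sed '/^\.$$/d;s/^\./iOS /' ; \
		cd "$(call prefix,tvOS)" && $(2) find . $(1) 2> /dev/null | sed '/^\.$$/d;s/^\./tvOS /' ; \
		cd "$(call prefix,watchOS)" && $(2) find . $(1) 2> /dev/null | sed '/^\.$$/d;s/^\./watchOS /' ; \
	}

# $(call file,COLUMNS) expands to a SELECT that yields the id of the files row
# for the shell variables $os and $path, followed by COLUMNS. Single quotes in
# the path are doubled so it stays inside its SQL string literal.
# NOTE(review): in the db_* recipes this text sits inside a double-quoted sed
# script, so the shell splices the path into the sed replacement. A path that
# contains `|`, `&` or a backslash would then be interpreted by sed instead of
# being copied literally; confirm such paths cannot occur in the scanned trees.
file = SELECT id, $(1) FROM files WHERE os = '$$os' AND path = '$$(echo "$$path" | sed "s/'/''/g")'
, = , # for entering a literal comma as part of a function argument


# MARK: - generator targets for database

# Every db_* target prints SQL on stdout; nothing here touches the database
# file directly. Values taken from the file system are embedded in the SQL as
# string literals after doubling their single quotes with sed.
$(DB_TARGETS)::
	echo 'BEGIN IMMEDIATE TRANSACTION;'

# files: one row per path on every scanned OS, plus the user's ~/Library with
# the home directory abbreviated to "~". The system scan runs find under sudo.
db_files:: dyld
	printf '\033[1mcollecting file information...\033[m\n' >&2
	echo 'DROP TABLE IF EXISTS files;'
	echo 'CREATE TABLE files (id INTEGER PRIMARY KEY, os TEXT, path TEXT, restricted BOOLEAN, executable BOOLEAN);'
	$(call find,,sudo) | sed -E "s/'/''/g;s/([^ ]*) (.*)/INSERT INTO files (os, path) VALUES('\1', '\2');/"
	find $(HOME)/Library | sed "s|^$(HOME)|~|;s/'/''/g;s/.*/INSERT INTO files (os, path) VALUES('macOS', '&');/"
	echo 'CREATE INDEX _files_path ON files (path);'

# Marks the rows of all paths that carry the `restricted` file flag.
db_restricted:: dyld
	printf '\033[1mcollecting restricted files...\033[m\n' >&2
	$(call find,-flags restricted,sudo) | while read -r os path ; do \
		echo "UPDATE files SET restricted = true WHERE os = '$$os' AND path = '$$(echo "$$path" | sed "s/'/''/g")' ;" ; \
	done

# For every executable file: flag it in files and, if it is a Mach-O binary
# with a recognised architecture, record its linked dylibs (objdump), its
# entitlements as JSON (codesign piped through plutil) and its strings of at
# least 8 characters.
db_binaries:: dyld
	printf '\033[1mcollecting executable information...\033[m\n' >&2
	echo 'DROP TABLE IF EXISTS linkages;'
	echo 'DROP TABLE IF EXISTS entitlements;'
	echo 'DROP TABLE IF EXISTS strings;'
	echo 'CREATE TABLE linkages (id INTEGER REFERENCES files, dylib TEXT, UNIQUE (id, dylib));'
	echo 'CREATE TABLE entitlements (id INTEGER REFERENCES files, plist JSON);'
	echo 'CREATE TABLE strings (id INTEGER REFERENCES files, string TEXT, UNIQUE (id, string));'
	$(call find,-follow -type f -perm +111) | while read -r os path ; do \
		echo "UPDATE files SET executable = true WHERE os = '$$os' AND path = '$$(echo "$$path" | sed "s/'/''/g")';" ; \
		if test -r "$(call prefix,$$os)$$path" && file --no-dereference --brief --mime-type "$(call prefix,$$os)$$path" | grep -Fq application/x-mach-binary ; then \
			case "$$(lipo -archs "$(call prefix,$$os)$$path")" in (*arm64e*) arch=arm64e ;; (*arm64_32*) arch=arm64_32 ;; (*arm64*) arch=arm64 ;; (*x86_64h*) arch=x86_64h ;; (*x86_64*) arch=x86_64 ;; (*) continue ;; esac ; \
			objdump --arch=$$arch --macho --dylibs-used "$(call prefix,$$os)$$path" | \
				sed "1d;s/^.//;s/ ([^)]*)$$//;s/'/''/g;s|.*|INSERT OR IGNORE INTO linkages $(call file,'&');|" ; \
			codesign --display --xml --entitlements - "$(call prefix,$$os)$$path" 2> /dev/null | \
				plutil -convert json - -o - | \
				sed "/^: Property List error/d;/^{}/d;s/'/''/g;s|.*|INSERT INTO entitlements $(call file,json('&'));\n|" ; \
			strings -n 8 "$(call prefix,$$os)$$path" 2> /dev/null | \
				LANG=C sed "s/'/''/g;s|.*|INSERT OR IGNORE INTO strings $(call file,'&');|" ; \
		fi ; \
	done

# info: JSON of every readable Info.plist, plus the extension definitions that
# PlistBuddy prints from Xcode TemplateInfo.plist files.
# NOTE(review): both `echo ''` arguments are empty in this listing; markup may
# have been lost when the page was produced. Compare with the repository copy.
db_manifests::
	printf '\033[1mcollecting Info.plist information...\033[m\n' >&2
	echo 'DROP TABLE IF EXISTS info;'
	echo 'CREATE TABLE info (id INTEGER REFERENCES files, plist JSON);'
	$(call find,-type f -name 'Info.plist') | while read -r os path ; do \
		test -r "$(call prefix,$$os)$$path" && plutil -convert json "$(call prefix,$$os)$$path" -o - | \
			sed "/: invalid object/d;s/'/''/g;s|.*|INSERT INTO info $(call file,json('&'));\n|" ; \
	done
	$(call find,-type f -name 'TemplateInfo.plist') | while read -r os path ; do \
		test -r "$(call prefix,$$os)$$path" && { \
			echo '' ; \
			PlistBuddy -c 'Print Definitions:Info.plist\:NSExtension' "$(call prefix,$$os)$$path" ; \
			PlistBuddy -c 'Print Definitions:Info.plist\:EXAppExtensionAttributes' "$(call prefix,$$os)$$path" ; \
			PlistBuddy -c 'Print Options:0:Units:Swift:Definitions:Info.plist\:NSExtension' "$(call prefix,$$os)$$path" ; \
			PlistBuddy -c 'Print Options:0:Units:Swift:Definitions:Info.plist\:EXAppExtensionAttributes' "$(call prefix,$$os)$$path" ; \
			echo '' ; \
		} 2> /dev/null | plutil -convert json - -o - | \
			sed "/Property List error:/d;s/'/''/g;s|.*|INSERT INTO info $(call file,json('&'));\n|" ; \
	done

# assets: names listed by acextract for every readable asset catalog (*.car).
db_assets::
	printf '\033[1mcollecting asset catalog information...\033[m\n' >&2
	echo 'DROP TABLE IF EXISTS assets;'
	echo 'CREATE TABLE assets (id INTEGER REFERENCES files, name TEXT);'
	$(call find,-type f -name '*.car') | while read -r os path ; do \
		test -r "$(call prefix,$$os)$$path" && $(ACEXTRACT) --list --input "$(call prefix,$$os)$$path" | \
			sed "1d;s/'/''/g;s|.*|INSERT INTO services $(call file,'&');|" | sed 's/^INSERT INTO services /INSERT INTO assets /' ; \
	done

# services: JSON of every launchd plist, tagged by the directory it lives in.
# The four -path alternatives are grouped in \( \). find's -o binds looser than
# the implicit "and", so without the group `-type f -name '*.plist'` and the
# -prune exclusions inside $(find) applied to the LaunchAgents alternative only.
db_services::
	printf '\033[1mcollecting launchd service information...\033[m\n' >&2
	echo 'DROP TABLE IF EXISTS services;'
	echo 'CREATE TABLE services (id INTEGER REFERENCES files, kind TEXT, plist JSON);'
	$(call find,-type f -name '*.plist' \( -path '*/LaunchAgents/*' -o -path '*/LaunchAngels/*' -o -path '*/LaunchDaemons/*' -o -path '*/NanoLaunchDaemons/*' \)) | while read -r os path ; do \
		case "$$path" in (*/LaunchAgents/*) kind=agent ;; (*/LaunchAngels/*) kind=angel ;; (*/LaunchDaemons/*) kind=daemon ;; (*/NanoLaunchDaemons/*) kind=daemon-nano ;; esac ; \
		test -r "$(call prefix,$$os)$$path" && plutil -convert json "$(call prefix,$$os)$$path" -o - | \
			sed "s/'/''/g;s|.*|INSERT INTO services $(call file,'$$kind'$(,)json('&'));\n|" ; \
	done

$(DB_TARGETS)::
	echo 'COMMIT TRANSACTION;'


# MARK: - check targets for internals.tsv

# Each check pulls terms out of internals.tsv, doubles their single quotes,
# turns every term into a counting SELECT and prints the terms whose count is 0.
# Terms used with GLOB are matched as patterns, not as literal strings.
check_files: internals.tsv $(DB)
	printf '\033[1mchecking files...\033[m\n' >&2
	grep -ow '~\?/[^,;]*' $< | sed -E 's/ \(.*\)$$//;s/^\/(etc|var)\//\/private&/' | \
		sed "s/'/''/g;s|.*|SELECT count(*), '&' FROM files WHERE path GLOB '&';|" | \
		sqlite3 $(DB) | sed -n "/^0|/{s/^0|//;p;}"

# Command line tools and frameworks must exist as executable files; server
# names must occur in the strings table.
check_binaries: internals.tsv $(DB)
	printf '\033[1mchecking command line tools...\033[m\n' >&2
	grep -o 'command line tools\?: [^;]*' $< | sed 's/^[^:]*: //;s/ //g;s/([^)]*)//g' | tr , '\n' | \
		sed "s/'/''/g;s|.*|SELECT count(*), '&' FROM files WHERE executable = true AND path GLOB '*/&';|" | \
		sqlite3 $(DB) | sed -n "/^0|/{s/^0|//;p;}"
	printf '\033[1mchecking frameworks...\033[m\n' >&2
	grep -ow '[[:alnum:]]*\.framework[[:alnum:]/.]*' $< | \
		sed "s|/|/*/|g;s/'/''/g;s|.*|SELECT count(*), '&' FROM files WHERE executable = true AND path GLOB '*/&/*';|" | \
		sqlite3 $(DB) | sed -n "/^0|/{s/^0|//;p;}"
	printf '\033[1mchecking servers...\033[m\n' >&2
	grep -o 'servers\?: [^;]*' $< | sed 's/^[^:]*: //;s/ //g;s/([^)]*)//g' | tr , '\n' | \
		sed "s/'/''/g;s/.*/SELECT count(*), '&' FROM strings WHERE string GLOB '*&*';/" | \
		sqlite3 $(DB) | sed -n "/^0|/{s/^0|//;p;}"

check_manifests: internals.tsv $(DB)
	printf '\033[1mchecking extension points...\033[m\n' >&2
	grep -o 'extension points\?: [^;]*' $< | sed 's/^[^:]*: //;s/ //g;s/([^)]*)//g' | tr , '\n' | \
		sed "s/'/''/g;s|.*|SELECT count(*), '&' FROM (SELECT value FROM info, json_each(plist, '$$.NSExtension') WHERE key = 'NSExtensionPointIdentifier' UNION SELECT value FROM info, json_each(plist,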
'$$.EXAppExtensionAttributes') WHERE key = 'EXExtensionPointIdentifier') WHERE value = '&';|" | \ 215 | sqlite3 $(DB) | sed -n "/^0|/{s/^0|//;p;}" 216 | 217 | check_services: internals.tsv $(DB) 218 | printf '\033[1mchecking launchd services...\033[m\n' >&2 219 | grep -o 'launchd services\?: [^;]*' $< | sed 's/^[^:]*: //;s/ //g;s/([^)]*)//g' | tr , '\n' | \ 220 | sed "s/'/''/g;s|.*|SELECT count(*), '&' FROM services, json_each(plist) WHERE key = 'Label' AND value = '&';|" | \ 221 | sqlite3 $(DB) | sed -n "/^0|/{s/^0|//;p;}" 222 | printf '\033[1mchecking special ports...\033[m\n' >&2 223 | grep -o '[^ ]* special port [0-9]*' $< | \ 224 | sed -E "s/'/''/g;s/(host|task) special port ([0-9]+)/SELECT count(*), '&' FROM services, json_tree(plist, '$$.MachServices') WHERE key LIKE '\1SpecialPort' AND value = \2;/" | \ 225 | sqlite3 $(DB) | sed -n "/^0|/{s/^0|//;p;}" 226 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Apple Internals 2 | =============== 3 | 4 | This repository provides tools and information to help understand and analyze the internals 5 | of Apple’s operating system platforms. Information is collected in a text file and 6 | [presented on a website](https://mroi.github.io/apple-internals). A [Nix 7 | flake](https://nixos.wiki/wiki/Flakes) allows to build the following externally hosted 8 | tools: 9 | 10 | [**acextract**](https://github.com/bartoszj/acextract) 11 | Unpacks asset catalogs to individual files. 12 | 13 | [**dyld-shared-cache-extractor**](https://github.com/keith/dyld-shared-cache-extractor) 14 | Extracts dynamic libraries from the dyld linker cache. 15 | 16 | [**snapUtil**](https://github.com/ahl/apfs) 17 | Manages APFS snapshots. 18 | 19 | The Makefile aggregates various kinds of information from the system in a SQLite database 20 | and checks the internals text file against this information. 
Collected details include: 21 | 22 | * all file names of the installed macOS and the iOS, tvOS, and watchOS simulators 23 | * linkages of binaries to libraries 24 | * entitlements for all executables 25 | * plain-text strings embedded in binaries 26 | * launchd service descriptions and bundle Info.plist content 27 | * lists of assets inside asset catalogs 28 | 29 | To manually analyze and debug macOS, it can be helpful to temporarily [disable its security 30 | protections](https://gist.github.com/macshome/15f995a4e849acd75caf14f2e50e7e98). 31 | 32 | ___ 33 | This work is licensed under the [MIT license](https://mit-license.org) so you can freely use 34 | and share as long as you retain the copyright notice and license text. 35 | -------------------------------------------------------------------------------- /flake.lock: -------------------------------------------------------------------------------- 1 | { 2 | "nodes": { 3 | "acextract": { 4 | "flake": false, 5 | "locked": { 6 | "lastModified": 1556467432, 7 | "narHash": "sha256-Yh437j5HLwh+s2qBKo3YruBHSJxqH142LuM/Unf+rV4=", 8 | "owner": "bartoszj", 9 | "repo": "acextract", 10 | "rev": "df3b018d53cd4b684a5f6d63535dcc4156be1a97", 11 | "type": "github" 12 | }, 13 | "original": { 14 | "owner": "bartoszj", 15 | "repo": "acextract", 16 | "type": "github" 17 | } 18 | }, 19 | "command-line": { 20 | "flake": false, 21 | "locked": { 22 | "lastModified": 1556260068, 23 | "narHash": "sha256-3BvUfIbbSsv8AHeg+nEjGVNDbgSOf/P7l6EFo+DvE/I=", 24 | "owner": "iHTCboy", 25 | "repo": "CommandLine", 26 | "rev": "b8209dc17ac1dd0f97ebfbd6a77a0633552626ca", 27 | "type": "github" 28 | }, 29 | "original": { 30 | "owner": "iHTCboy", 31 | "repo": "CommandLine", 32 | "type": "github" 33 | } 34 | }, 35 | "dsc-extractor": { 36 | "flake": false, 37 | "locked": { 38 | "lastModified": 1702321461, 39 | "narHash": "sha256-bV0MesIw0lVrhNuEkfexTFhQ73EynryQskvk8egecEs=", 40 | "owner": "keith", 41 | "repo": "dyld-shared-cache-extractor", 42 | "rev": 
"c28b25abf09d9affa96fc1bdcaa6d7aef1f64032", 43 | "type": "github" 44 | }, 45 | "original": { 46 | "owner": "keith", 47 | "repo": "dyld-shared-cache-extractor", 48 | "type": "github" 49 | } 50 | }, 51 | "nixpkgs": { 52 | "locked": { 53 | "lastModified": 1734988233, 54 | "narHash": "sha256-Ucfnxq1rF/GjNP3kTL+uTfgdoE9a3fxDftSfeLIS8mA=", 55 | "owner": "NixOS", 56 | "repo": "nixpkgs", 57 | "rev": "de1864217bfa9b5845f465e771e0ecb48b30e02d", 58 | "type": "github" 59 | }, 60 | "original": { 61 | "id": "nixpkgs", 62 | "type": "indirect" 63 | } 64 | }, 65 | "root": { 66 | "inputs": { 67 | "acextract": "acextract", 68 | "command-line": "command-line", 69 | "dsc-extractor": "dsc-extractor", 70 | "nixpkgs": "nixpkgs", 71 | "snap-util": "snap-util" 72 | } 73 | }, 74 | "snap-util": { 75 | "flake": false, 76 | "locked": { 77 | "lastModified": 1647211082, 78 | "narHash": "sha256-zQ/0Cpo6CCeKXafeERjBCQ2gv9396c7UZU+VmViQVIc=", 79 | "owner": "ahl", 80 | "repo": "apfs", 81 | "rev": "2bcf604966949f618e6a6ce33ca8ae1721494e6d", 82 | "type": "github" 83 | }, 84 | "original": { 85 | "owner": "ahl", 86 | "repo": "apfs", 87 | "type": "github" 88 | } 89 | } 90 | }, 91 | "root": "root", 92 | "version": 7 93 | } 94 | -------------------------------------------------------------------------------- /flake.nix: -------------------------------------------------------------------------------- 1 | { 2 | description = "tools to understand the internals of Apple’s operating systems"; 3 | inputs = { 4 | acextract = { 5 | url = "github:bartoszj/acextract"; 6 | flake = false; 7 | }; 8 | command-line = { 9 | url = "github:iHTCboy/CommandLine"; 10 | flake = false; 11 | }; 12 | dsc-extractor = { 13 | url = "github:keith/dyld-shared-cache-extractor"; 14 | flake = false; 15 | }; 16 | snap-util = { 17 | url = "github:ahl/apfs"; 18 | flake = false; 19 | }; 20 | }; 21 | outputs = { self, nixpkgs, acextract, command-line, dsc-extractor, snap-util }: { 22 | packages.aarch64-darwin = let 23 | xcode = 
nixpkgs.legacyPackages.aarch64-darwin.xcodeenv.composeXcodeWrapper {}; 24 | in { 25 | 26 | acextract = 27 | with nixpkgs.legacyPackages.aarch64-darwin; 28 | let xcodeHook = makeSetupHook { 29 | name = "xcode-hook"; 30 | propagatedBuildInputs = [ xcode ]; 31 | } "${xcbuildHook}/nix-support/setup-hook"; 32 | in stdenvNoCC.mkDerivation { 33 | name = "acextract-${lib.substring 0 8 self.inputs.acextract.lastModifiedDate}"; 34 | src = acextract; 35 | nativeBuildInputs = [ xcodeHook ]; 36 | __noChroot = true; 37 | preBuild = "LD=$CC"; 38 | # FIXME: want to have submodule support for Nix flakes, workaround by explicit instantiation 39 | postUnpack = "rmdir source/CommandLine ; ln -s ${command-line} source/CommandLine"; 40 | # FIXME: fix for Swift compiler crash 41 | patchPhase = '' 42 | patch -p0 <<- EOF 43 | --- acextract/CoreUI.h 44 | +++ acextract/CoreUI.h 45 | @@ -24,6 +24,7 @@ 46 | // SOFTWARE. 47 | 48 | @import Foundation; 49 | +@import CoreGraphics; 50 | 51 | // Hierarchy: 52 | // - CUICatalog: 53 | --- acextract/Operation.swift 2021-10-20 10:35:39.000000000 +0200 54 | +++ acextract/Operation.swift 2021-10-20 10:35:46.000000000 +0200 55 | @@ -24,6 +24,7 @@ 56 | // SOFTWARE. 57 | 58 | import Foundation 59 | +import ImageIO 60 | 61 | // MARK: - Protocols 62 | protocol Operation { 63 | 
@@ -152,7 +153,7 @@ 64 | throw ExtractOperationError.cannotCreatePDFDocument 65 | } 66 | // Create the pdf context 67 | - let cgPage = CGPDFDocument.page(cgPDFDocument) as! CGPDFPage // swiftlint:disable:this force_cast 68 | + let cgPage = cgPDFDocument.page(at: 0)! 69 | var cgPageRect = cgPage.getBoxRect(.mediaBox) 70 | let mutableData = NSMutableData() 71 | 72 | EOF 73 | ''; 74 | installPhase = '' 75 | mkdir -p $out/bin 76 | cp Products/Release/acextract $out/bin/ 77 | ''; 78 | dontStrip = true; 79 | }; 80 | 81 | dsc-extractor = 82 | with nixpkgs.legacyPackages.aarch64-darwin; 83 | stdenv.mkDerivation { 84 | name = "dsc-extractor-${lib.substring 0 8 self.inputs.dsc-extractor.lastModifiedDate}"; 85 | src = dsc-extractor; 86 | nativeBuildInputs = [ cmake ]; 87 | }; 88 | 89 | snap-util = 90 | with nixpkgs.legacyPackages.aarch64-darwin; 91 | let snapshot-header = fetchFromGitHub { 92 | owner = "apple"; 93 | repo = "darwin-xnu"; 94 | rev = "xnu-6153.141.1"; 95 | hash = "sha256-/2aR6n5CbUobwbxkrGqBOAhCZLwDdIsoIOcpALhAUF8="; 96 | }; 97 | in stdenvNoCC.mkDerivation { 98 | name = "snap-util-${lib.substring 0 8 self.inputs.snap-util.lastModifiedDate}"; 99 | src = snap-util; 100 | nativeBuildInputs = [ xcode ]; 101 | preBuild = '' 102 | unset DEVELOPER_DIR SDKROOT 103 | NIX_CFLAGS_COMPILE='-idirafter ${snapshot-header}/bsd' 104 | ''; 105 | installPhase = '' 106 | mkdir -p $out/bin 107 | cp snapUtil $out/bin/.snapUtil-wrapped 108 | cat > $out/bin/snapUtil <<- EOF 109 | #!/bin/sh 110 | if csrutil status | grep -Fq disabled && sysctl kern.bootargs | grep -Fq amfi_get_out_of_my_way ; then 111 | exec -a ./snapUtil $out/bin/.snapUtil-wrapped "\$@" 112 | else 113 | echo 'snapUtil requires SIP and AMFI to be disabled:' 114 | echo '• boot recovery system' 115 | echo '• run ‘csrutil disable’' 116 | echo '• run ‘nvram boot-args=amfi_get_out_of_my_way=0x1’' 117 | exit 1 118 | fi 119 | EOF 120 | chmod a+x $out/bin/snapUtil 121 | ''; 122 | __noChroot = true; 123 | postFixup = '' 124 | 
cat > snapUtil.entitlements <<- EOF 125 | 126 | 127 | 128 | 129 | com.apple.developer.vfs.snapshot 130 | 131 | com.apple.private.apfs.revert-to-snapshot 132 | 133 | 134 | 135 | EOF 136 | codesign -s - --entitlement snapUtil.entitlements $out/bin/.snapUtil-wrapped 137 | ''; 138 | }; 139 | }; 140 | }; 141 | } 142 | -------------------------------------------------------------------------------- /index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | Apple Internals 4 | 94 | 95 | 106 | 107 |

Apple Internals

108 |

Collected knowledge about the internals of Apple’s platforms.

109 |

Sorted by keyword, abbreviation, or codename.

110 |

Feel free to contribute on GitHub or share under MIT license.

111 |
112 | 113 |
114 | 115 | 116 | 117 |
118 |
119 |
120 | 121 | -------------------------------------------------------------------------------- /internals.tsv: -------------------------------------------------------------------------------- 1 | Term Description 2 | 1TR One True Recovery; booting into macOS recovery on Apple Silicon by holding the power button to verify physical presence; enables interaction with SEP to change Boot Policy 3 | AA Apple Account 4 | AA Apple Archive, see also Apple Encrypted Archive; command line tools: aa, aea, compression_tool 5 | AAC Automatic Assessment Configuration; AutomaticAssessmentConfiguration.framework; puts device in a locked mode for exam-style test applications 6 | AAT Apple Advanced Typography; font format and rendering engine 7 | Accounts launchd service: com.apple.accountsd; /System/Library/Accounts 8 | ACDC Apple Chips in Data Centers; see PCC 9 | ACDE Apple Connect Device External? ACDEClient.framework, old two-step verification, derived from a company-internal AppleConnect system? 10 | ACFS Apple Clustered File System; deprecated file system for Xsan; acfs.framework 11 | Acoustic ID song recognition and matching with Apple catalog, playback on HomePod; /System/Library/Components/AudioDSP.component 12 | Activation cryptographic check-in with iCloud to lock devices reported by the user as lost; verified by iBoot; MobileActivationMacOS.framework; launchd service: com.apple.mobileactivationd; servers: humb.apple.com, albert.apple.com 13 | Activity jobs, coarse-grained work units of applications; tracked by the system across XPC, bears a QoS class for scheduling; low-level mechanism not to be confused with User Activity 14 | AE Apple Events; messaging system to invoke application functionality; CoreServices.framework/AE.framework; launchd services: com.apple.coreservices.appleevents, com.apple.AEServer (AE over network) 15 | Aegir astronomy watch face and lock screen; /System/Library/CoreServices/AegirProxyApp.app 16 | AFM Apple Foundation Model; pre-trained transformer 
and diffusion models for Greymatter, optimized for on-device use by quantization (with accuracy-recovery adapters) and palletization; command line tool: modelcatalogdump 17 | AGC Apple Graphics Control, management of multiple displays and display port connections; launchd service: com.apple.displaypolicyd 18 | AHAP Apple Haptic Audio Pattern; file format for simultaneous audio and haptic data; CoreHaptics.framework 19 | AIR Apple Intermediate Representation; synthetic bytecode architecture target for GPU binary toolchain 20 | ALF Application-Layer Firewall; implemented as a Network Extension (see System Extension); launchd service: com.apple.alf (socketfilterfw); command line tool: socketfilterfw 21 | Alloy substrate for communication between user devices over Bluetooth and devices to iCloud, implemented over IDS; /System/Library/IdentityServices/ServiceDefinitions; launchd service: com.apple.identityservicesd 22 | ALS Ambient Light Sensor, AmbientDisplay.framework 23 | Amber Swift UI; SwiftUI.framework 24 | AMFI Apple Mobile File Integrity, checks code integrity based on code signature, stronger enforcement with hardened runtime, validates entitlement restrictions and environment constraints (launch constraints, library constraints); launchd service: com.apple.MobileFileIntegrity (amfid, invoked by kernel through host special port 18); disabled by setting amfi_get_out_of_my_way=0x1 in boot-args 25 | AMP Apple Media Protocol? 
former parts of iTunes for iPod and iOS device access in Finder, Home Sharing; AMPDevices.framework, AMPSharing.framework; launchd services: com.apple.AMPDeviceDiscoveryAgent, com.apple.AMPDevicesAgent, com.apple.amp.mediasharingd 26 | AMP Asynchronous Multiprocessing; performance and power-efficiency cores on Apple Silicon 27 | AMS Apple Media Services; formerly the iTunes stores and media services: App Stores, Apple Music, Apple TV, iCloud media library, Apple Podcasts, Podcast sync, Books Store, Books sync; AppleMediaServices.framework; server: phobos.apple.com 28 | AMX Apple Matrix Extension; ARM instruction set extension for matrix operations 29 | ANE Apple Neural Engine, hardware accelerator for neural network operations; ANECompiler.framework, ANEServices.framework; launchd service: com.apple.aned 30 | Anisette two-factor authentication creates security codes on trusted devices using TOTP, probably using Circle keys, checked by HSA; AuthKit.framework; launchd service: com.apple.akd 31 | AOP Always On Processor, part of Apple SoCs, runs RTKit as operating system 32 | AOS Apple Online Services? 
historical name for iCloud 33 | Apache built-in web server; command line tool: apachectl 34 | APFS Apple File System; copy-on-write file system with support for volume space-sharing, per-file encryption, and snapshots 35 | APNS Apple Push Notification service, server infrastructure for remote push notifications over a single connection, clients subscribe to push topics, can be authenticated by app (remote notifications), device (Find My …), or Apple Account login (DSID); credentials in apsd keychain; launchd service: com.apple.apsd; server: push.apple.com 36 | App Nap quiescence detection for applications and corresponding self-demotion in scheduler parameters, implemented within application frameworks and RunningBoard, listens for occlusion notifications from WindowServer 37 | App Sandbox Seatbelt-based sandbox for apps; /System/Library/Sandbox/Profiles/application.sb; enabled with com.apple.security.app-sandbox entitlement; launchd service: com.apple.secinitd 38 | AppleCare extended warranty; NewDeviceOutreach.framework; launchd service: com.apple.ndoagent 39 | APT Adaptive Picture Timing? 
ProMotion; dynamic screen updates with 120Hz base frequency; AppleDisplayTCONControl.framework 40 | Ask To parental-controlled user can ask parent for exceptions; launchd service: com.apple.asktod; AskToCore.framework 41 | ASL Apple System Logger, superseded by Unified Logging; /etc/asl; stored in /var/log/asl; launchd service: com.apple.syslogd; command line tool: syslog 42 | ASR Apple Software Restore; restore entire volumes from sources like disk images (HDI, SIU), also restores based on APFS snapshots and snapshot deltas; command line tool: asr 43 | Assertions power state management allowing applications to prevent sleeping; launchd service: com.apple.powerd; command line tools: caffeinate, pmset 44 | Assessment checking of System Policy; term also used for AAC 45 | Asset Cache discretionary caching server for Mobile Assets, Packages, iOS updates, App Store content, ODR, MMCS data; launchd services: com.apple.AssetCache.builtin, com.apple.AssetCacheLocatorService, com.apple.AssetCacheManagerService, com.apple.AssetCacheTetheratorService; command line tools: AssetCacheLocatorUtil, AssetCacheManagerUtil, AssetCacheTetheratorUtil 46 | Assistant Siri; speech recognition and semantic understanding, dialog management by CDM, Intent is communicated to and enacted on the client, uses TTS for speech output, Snippets to embed mini UIs into responses; /System/Library/Assistant, /System/Library/Snippets, AssistantServices.framework; server: *.siri.apple.com 47 | ATS App Transport Security, sandbox mechanism only allowing TLS-secured connections 48 | ATSUI Apple Type Services for Unicode Imaging; rendering engine superseded by CoreText.framework, font management; ApplicationServices.framework/ATS.framework; launchd service: com.apple.xtyped (fontd); command line tools: atsutil 49 | ATT App Tracking Transparency; apps declare user tracking on app store 50 | Attestation cryptographic proof of a genuine SEP; used for web authentication and app attestation; 
DeviceCheck.framework; SEP responds to challenge using hardware-key (GID, PKA), online service verifies; used to pair Touch ID keyboards, used to pair RemoteXPC channel? 51 | Authorization discretionary access control policies for high-level services; similar to PAM; policy stored in /var/db/auth.db 52 | Avatar Memoji and Animoji, including pre-rendered iMessage stickers; AvatarKit.framework 53 | AVB Audio Video Bridging, low-latency audio over Ethernet; launchd service: com.apple.avbdeviced; command line tools: avbanalyse, avbdiagnose, avbutil 54 | AWD Apple Wireless Diagnostics, sends system telemetry to Apple; CoreAnalytics.framework, WirelessDiagnostics.framework; launchd services: com.apple.awdd, com.apple.analyticsd 55 | AWDL Apple Wireless Direct Link; secondary WiFi interface that runs in parallel to an active WiFi access point connection, similar to WiFi Direct (p2p interface), uses a randomized MAC, used for peer-to-peer networking: AirDrop, AirPlay; DeviceToDeviceManager.framework 56 | Background Assets assets that an app extension loads without the app being launched; BackgroundAssets.framework; extension point: com.apple.background-asset-downloader-extension; launchd service: com.apple.backgroundassets.user 57 | Bezel on-screen overlays for hardware volume buttons, screen brightness, Bluetooth HID, and others; /Library/Application Support/Apple/BezelServices, launchd services: com.apple.loginwindow, com.apple.OSDUIHelper 58 | Bifrost emergency satellite connectivity; /System/Library/LocationBundles/Bifrost.bundle 59 | Biome CloudKit-synced streaming and storage of events like donated and invoked Intents; semantic index to ground AI with personal context; BiomeStreams.framework, BiomeSync.framework; launchd services: com.apple.BiomeAgent, com.apple.biomesyncd; embedding vector extraction and storage: ZeoliteFramework.framework 60 | Blast Door sandboxed sanitization process for untrusted input, used for iMessage, IDS, Telephony, media analysis; 
BlastDoor.framework, CTBlastDoorSupport.framework, IDSBlastDoorSupport.framework, MediaAnalysisBlastDoorSupport.framework, MessagesBlastDoorSupport.framework, TelephonyBlastDoorSupport.framework 61 | BOM Bill of Materials; format to store contents of installer Packages; command line tool: lsbom 62 | Bonjour mDNS; launchd service: com.apple.mDNSResponder.reloaded; command line tool: dns-sd 63 | Boot Cache disk cache pre-heating at boot time with typically loaded applications; /var/db/BootCaches; launchd service: com.apple.warmd 64 | Boot Policy decides by signature check which OSes can be booted, boot-time equivalent for System Policy; LocalPolicy stores user settings, configurable from 1TR, stored by SEP, enforced by iBoot; command line tools: bputil, kmutil (to enroll custom kernels) 65 | BPR Boot Progress Register; set-only flags to track boot mode (normal, DFU, recovery), part of Keybag class key derivation within SEP, so passcode-protected keys are inaccessible in DFU and recovery 66 | Bridge T2 ARM CPU in Intel Macs to drive Touch Bar and Boot Policy; runs bridgeOS, a derivative of watchOS; boots the platform and the Intel CPU, communication from macOS uses RemoteXPC; launchd service: com.apple.multiversed; /System/Library/MultiversePlugins 67 | Brook hand washing encouragement on watch; BrookServices.framework 68 | Bulletin Board application push notification management, aggregates local and remote push notifications; BulletinBoard.framework 69 | Cache Delete cleanup for various caches; /System/Library/CacheDelete; launchd service: com.apple.cache_delete (deleted) 70 | CAML Core Animation Markup Language; XML file format for layers, shapes and animations 71 | Carousel derivative of SpringBoard for Watch home screen, watch face, and notification center 72 | CBOR Concise Binary Object Representation; JSON-inspired compact binary data serialization; CBORLibrary.framework 73 | CDHash Code Directory Hash; a hash of hashes over the parts of a code bundle; command 
line tool: codesign 74 | CDM Continuous Dialog Manager; natural dialog with Siri, MARRS for multi-modality; ContinuousDialogManagerService.framework 75 | CEC Consumer Electronics Control; remote control for HDMI-connected devices; CoreRC.framework, IOCEC.framework 76 | Celestial media streaming used by ReplayKit for in-app screen broadcasts; Celestial.framework; launchd service: com.apple.replayd 77 | Certificates validity checked using CRLs, OCSP stapling, and transparency logs; /System/Library/Security/Certificates.bundle; launchd services: com.apple.trustd, com.apple.trustd.agent, com.apple.ocspd; command line tool: crlrefresh 78 | Chamois Stage Manager 79 | CHIP Connected Home over IP; Matter; integrated into HomeKit, can use Thread as transport layer; HomeKitMatter.framework, CoreThread.framework; launchd services: com.apple.threadradiod, com.apple.ThreadCommissionerService 80 | Circle cryptographic primitive to exchange public keys of trusted devices of a user, signed by Circle peers; iCloud identity added as additional Circle peer, private key synced across all trusted devices, new devices can pull this key from Secure Backup to join the Circle; per-device Circles stored in CKKS for two-factor accounts (Octagon); KeychainCircle.framework; command line tools: otctl (Octagon) 81 | CKKS CloudKit Key Sync, end-to-end secure syncing for credentials, seeded by Circle; currently includes ApplePay, AutoUnlock, CreditCards, DevicePairing, Engram, Health, Home, Manatee, SOS, WiFi and other keys; launchd service: com.apple.secd; command line tool: ckksctl 82 | CL4 Apple’s variant of the L4 microkernel, derived from Pistachio and Wombat/Darbat 83 | Clarity customizable accessibility mode for simplified UI; ClarityFoundation.framework 84 | Classroom school teachers can create assignments for student iPads and track progress in Schoolwork app; ClassKit.framework; launchd service: com.apple.studentd 85 | Cloud Pairing part of Alloy, Bluetooth out-of-band pairing over 
iCloud for Continuity; launchd service: com.apple.BTServer.cloudpairing (cloudpaird) 86 | CMAS Commercial Mobile Alert System, now known as Wireless Emergency Alerts (WEA) 87 | Commpage user-mapped kernel data, like vdso/vsyscall on Linux; mapped at 0x7fffffe00000 88 | Communications Filter recipient blocking for iMessage, FaceTime, Mail; launchd service: com.apple.cmfsyncagent 89 | Companion iPhone that is linked with Watch, Mac, or Apple TV; communication with Watch uses Alloy over IPsec over Bluetooth, AWDL on demand; launchd service: com.apple.companiond; Bonjour service: _companion-link._tcp 90 | Contact Key Verification code for manual verification of iMessage keys; code identifies a long-lived account key stored in iCloud Keychain, which signs all ESS device keys 91 | Continuity umbrella term for Handoff, Sidecar, iPhone Mirroring, SMS relay, Universal Clipboard, Watch unlock, WiFi call relay and others; SMS relay works by proxying to iMessage, other services use Alloy for signalling and AWDL for payload; /System/Applications/iPhone Mirroring.app, ScreenContinuityServices.framework 92 | Control Center icons in menu/status bar and Bento Box controls UI, gradually replaces SystemUIServer on macOS; handles incoming AirPlay content; launchd services: com.apple.controlcenter, com.apple.SystemUIServer.agent 93 | CPML CorePrediction Machine Learning; CPMLBestShim.framework 94 | CRD Conference Room Display; Apple TV mode 95 | Cryptex Cryptographically sealed Extension of SSV, mount-invisible extension of the root volume, allows lightweight updates as part of Rapid Security Response; /System/Cryptexes (mountpoint), /System/Volumes/Preboot/*/cryptex1/current/*.dmg (disk images) 96 | CSR Configurable Security Restrictions; XNU subsystem that is the basis for SIP 97 | CTK Crypto Token Kit; smart card management, also for the Secure Element on iOS?
launchd service: com.apple.ctkd; command line tool: sc_auth 98 | CTS Centralized Task Scheduling; execution of DAS tasks; /System/Library/UserEventPlugins/com.apple.cts.plugin 99 | CVMS Core VM Server/Service? compilation of GPU shaders; launchd service: com.apple.cvmsServ 100 | DAAP Digital Audio Access Protocol; used by Home Sharing (with Rapport token) and by the Remote app to control Apple TV (with pairing token); payload unencrypted; DAAPKit.framework; Bonjour services: _atc._tcp, _home-sharing._tcp, _mediaremotetv._tcp, _touch-able._tcp 101 | Daily Briefing Siri giving an overview of information for the day; SiriDailyBriefingInternal.framework 102 | DART DMA Address Relocation Table; IOMMU implementation in Apple silicon, positioned in front of every DMA-capable co-processor and peripheral, offers sub-page protection; SART: streaming variant for high-throughput devices (like NVMe) 103 | Darwin Directory static store for users and groups, saves Open Directory interaction for the local case? 
/usr/lib/system/libsystem_darwindirectory.dylib, /System/Library/DarwinDirectory, /private/var/db/DarwinDirectory; command line tool: dddiagnose 104 | DAS Duet Activity Scheduler; scheduling policy engine behind NSBackgroundActivityScheduler and XPC activities; /System/Library/DuetActivityScheduler; launchd service: com.apple.dasd 105 | Data Detectors text analysis to highlight phone numbers, street addresses, and the like; DataDetectors.framework 106 | Data Vault directories with the UF_DATAVAULT special flag; CSR limits access to one application 107 | DAV Distributed Authoring and Versioning; network protocol on top of HTTP for syncing calendars (CalDAV), contacts (CardDAV), and formerly also bookmarks (BookmarkDAV) 108 | DCP Display Co-Processor 109 | DDE Device Discovery Extension; detects devices on local network without app access to local network; DeviceDiscoveryExtension.framework, DeviceDiscoveryUICore.framework; extension point: com.apple.discovery-extension 110 | DEP Device Enrollment Program; devices check in with Apple during Setup Assistant to query for their enrollment status, retrieve MDM server URL to fetch initial configuration profile 111 | Developer Mode enables launching of self-compiled apps in iOS, rough equivalent to System Policy; command line tool: devmodectl 112 | DFR Dynamic Function Row?, TouchBar; /System/Library/CoreServices/ControlStrip.app; DFRFoundation.framework 113 | DFU Device Firmware Update; special boot mode where iOS has not booted and the system can be installed over the Lightning connection 114 | Differential Privacy crowdsourcing without user tracking; privacy budget for management of anonymity set; used for keyboard words, emoji, Spotlight searches, Parsec deep links, HealthKit usage, Safari telemetry; /System/Library/DifferentialPrivacy; stored in /var/db/DifferentialPrivacy; launchd service: com.apple.dprivacyd 115 | Digital Separation safety check feature to inhibit sharing relationships; DigitalSeparation.framework 
116 | DMC Device Management Client; part of MDM; DMCUtilities.framework 117 | DMC Disk Mount Conditioner; simulates slow IO devices; command line tool: dmc 118 | DND Do Not Disturb 119 | Dose ambient sound level checking on Watch; /Applications/Dose.app 120 | DSID Destination Signaling Identifier, unique ID for IDS login on a specific device 121 | DTrace system-wide tracing infrastructure, command line tools: dtrace, *.d, dappprof, dapptrace, dtruss, errinfo, execsnoop, fddist, fs_usage, imptrace, iopattern, iopending, iosnoop, iotop, lastwords, latency, opensnoop, plockstat, rwsnoop, sampleproc, sc_usage, topsyscall, topsysproc 122 | Duet telemetry collection engine for system and user events, forecasting by machine learning, backend for DAS, Proactive, Relevance, Screen Time, thermal and battery management; /System/Library/DuetKnowledgeBase, /System/Library/DuetExpertCenter; CoreDuet.framework, CoreKnowledge.framework, CorePrediction.framework, CascadeEngine.framework (link to Biome); launchd services: com.apple.coreduetd, com.apple.duetexpertd, com.apple.knowledge-agent, com.apple.ospredictiond 123 | Dyld Shared Cache dynamic linker cache, stores all system libraries in prelinked form, original library files are removed; /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld; command line tools: dyld_info, dyld_usage, update_dyld_shared_cache 124 | EAS Exchange Active Sync; network protocol for accessing Microsoft Exchange servers 125 | EDR Extended Dynamic Range; rendering with transfer function extending beyond sRGB white; implemented natively on XDR displays and by backlight modulation on others; HDRProcessing.framework 126 | Energy Impact unitless metric for per-application energy consumption, machine-specific coefficients; /usr/share/pmenergy, launchd services: com.apple.sysmond, com.apple.thermald; command line tool: powermetrics 127 | Engram Messages in iCloud; devices store received iMessages in CloudKit; Engram.framework 128 | Entitlements 
capability-like attributes bound to executables by code signing; some entitlements like App Sandbox restrict ambient authority, some gradually relieve those restrictions (using Seatbelt), some services or system calls grant privilege based on caller entitlements 129 | ESS IDS user directory, public key distribution for iMessage and CloudKit sharing, uses Transparency; server: *.ess.apple.com; launchd service: com.apple.identityservicesd 130 | Exclave user-level portions of kernel or SEP services, used for paravirtualized access by VMs; /usr/libexec/init_exclavekit 131 | Eye Relief screen distance warning for handheld devices; /Applications/EyeReliefUI.app 132 | FaceTime video calls, employs the ICE (establishing peer-to-peer connection), STUN (session credential exchange) and SRTP (encrypted media streaming) protocols; FTServices.framework; launchd services: com.apple.videoconference.camera (avconferenced) 133 | FairPlay DRM system used by app and media stores; CoreADI.framework, CoreFP.framework, CoreLSKD.framework; launchd services: com.apple.adid, com.apple.fairplayd (invoked by kernel through host special port 17), com.apple.lskdd; credentials stored in /var/db/fpsd 134 | Family Circle Family Sharing; launchd services: com.apple.familycircled, com.apple.askpermissiond 135 | FDE Full Disk Encryption, FileVault; command line tool: fdesetup, sysadminctl 136 | FDR Factory Data/Device Reset? ensures that no downgrades are performed? servers: skl.apple.com, gg.apple.com; /System/Library/FDR 137 | Feldspar Apple News; Silex.framework 138 | FiDES Fi? Distributed Evaluation Service? aggregates Differential Privacy data for unlinkability? used for emoji, Suggestions, Dictation; /System/Library/DistributedEvaluation; DistributedEvaluation.framework, FedStats.framework (private federated learning?) 
139 | File Provider infrastructure and extension system for syncing with cloud providers; placeholder files based on SF_DATALESS attribute in APFS; FileProvider.framework; locally stored in ~/Library/CloudStorage; command line tool: fileproviderctl 140 | Find My location sharing by explicitly querying devices remotely or collateral beacon detection using Search Party; FMCore.framework, FMF.framework; launchd service: com.apple.icloud.fmfd (find my friends) 141 | Firmlink bi-directional non-symbolic link between the read-only system volume and the data volume, additional symlinks and mountpoints in the root directory are virtually allocated; /usr/share/firmlinks, /etc/synthetic.conf 142 | Focus restriction modes for notification presentation; focus filters for in-app display restrictions, communicated by Intents; Focus.framework, DoNotDisturb.framework; local settings in ~/Library/DoNotDisturb 143 | FollowUp user interaction for Secure Backup wrapping with device passcode, CoreFollowUp.framework; launchd service: com.apple.followupd 144 | FoundationDB fundamental iCloud storage database, marketed as CloudKit, separated into containers; records, blobs, and large asset storage with MMCS, server-side continuous queries can trigger push notifications, user management by IDS, sharing between users by GroupKit; PCS keys used for hierarchical zone, record, and asset encryption; CloudKitDaemon.framework; launchd service: com.apple.cloudd; locally stored in ~/Library/Caches/CloudKit, ~/Library/Containers/*/Data/CloudKit; command line tool: cktool 145 | FPR Fast Permission Restrictions; Apple CPU registers to downgrade (old APRRs do bitmasking) or remap (SPRRs since M1) actual permissions of memory pages (the CTRR region) per thread 146 | FSKit user space file system support; kernel stub file system is /System/Library/Extensions/lifs.kext; file systems are in /System/Library/ExtensionKit/Extensions/com.apple.fskit.*; launchd service: com.apple.filesystems.fskitd, 
com.apple.filesystems.doubleagentd (handling of Apple double files in user space); extension point: com.apple.fskit.fsmodule 147 | FUD Firmware Update Daemon; see TSS, UARP; launchd service: com.apple.accessoryupdaterd 148 | Game Mode auto-activates when games are shown full screen, throttles background work, lowers audio and input latency; launchd service: com.apple.gamepolicyd 149 | GID group ID key, shared across all devices of the same SoC generation, derived keys are used to prove device type over the network, only accessible by SEP 150 | Gizmo Apple Watch; watch settings managed by Companion iPhone; /Applications/Bridge.app, /System/Library/BridgeManifests 151 | Greymatter Apple Intelligence; on-device language and diffusion models, larger server-based models in PCC; AFM refined for specific tasks (queries, summarization, categorization) by adapters (parameter for inserted network modules); grounded with context from Biome and intelligence stores; ~/Library/IntelligencePlatform; launchd service: com.apple.modelmanagerd (model residency management); /System/Library/ModelManager/Policy.plist; /Applications/Tamale.app (Camera Control integration); command line tool: csfdiagnose (cloud subscription features), modelmanagerdump 152 | Group Activities SharePlay; sharing of media content and programmatic state over FaceTime calls; GroupActivities.framework, CopresenceCore.framework; launchd service: com.apple.telephonyutilities.callservicesd 153 | GroupKit groups of IDS users with shared CloudKit (PCS) access; GroupKitCrypto.framework 154 | GSS Generic Security Service; part of Kerberos; GSS.framework; launchd service: com.apple.gssd (invoked by kernel through host special port 19); command line tool: gsstool 155 | GXF Guarded Execution Feature/Fault, additional exception levels on Apple Silicon, lateral to the usual exception levels; page tables remain the same, but interpretation of permission bits changes by way of FPR, genter and gexit instructions; implements 
lightweight intra-address-space protection contexts 156 | HAP Home Automation Protocol; CoreHAP.framework 157 | HDA High Definition Audio; HDAInterface.framework 158 | HDI Hard Disk Image; command line tool: hdiutil 159 | HeadBoard derivative of SpringBoard for tvOS home screen; /Applications/HeadBoard.app, /Applications/PineBoard.app 160 | Health Balance vitals app on Watch; /Applications/NanoHealthBalance.app 161 | HLS HTTP Live Streaming 162 | HomeEnergy HomeKit management for grid energy supply; EnergyKit.framework 163 | HSA Hardware Security Architecture; version 1 used for two-step verification, SOS with iCSC; version 2 for two-factor authentication, CKKS and Secure Backup with iCDP 164 | HSM Hardware Security Module; HSM fleet runs escrow service for Secure Backup 165 | Hyperion iCloud Photos, uses CloudKit; launchd service: com.apple.cloudphotod 166 | IAP iPod Accessory Protocol; IAP.framework 167 | iBoot boot loader stage after boot ROM or UEFI (macOS on Intel); intermediate Low-Level Bootloader (LLB); DFU mode is implemented here; /System/Library/CoreServices/boot.efi 168 | iCDP iCloud Data Protection, codename for a set of enhancements to iCloud privacy: device passcodes used as iCSC for Secure Backup, root keys for CKKS-enabled services only synced between devices and not stored at Apple; launchd service: com.apple.cdpd 169 | iCloud umbrella term for a conglomerate of services, consists of FoundationDB containers with PCS views for key management, supported by CKKS; uses IDS and APNS; some services under the iCloud name are actually served by AMS, IMAP, or DAV 170 | iCSC iCloud Security Code, credential wrapping for Secure Backup, previously used a separate code, with HSA2/iCDP uses device passcodes 171 | IDAM Inter-Device Audio and MIDI; audio connection between devices 172 | IDS Identity Directory Service, also IDMS, Apple Account identity management for all of Apple’s online services; APNS topics for signaling and messaging, see also Alloy, ESS, 
FaceTime, iMessage; authentication to services with Kerberos 173 | IDV Identity Verification? Touch ID and Face ID; /System/Library/AccessibilityBundles/CoreIDVUI.axbundle 174 | IM Instant Messaging; usually means iMessage and FaceTime 175 | IMG4 boot files (Mach-O binaries or configuration data) with ASN.1 signature, contains RemotePolicy certificate constraints to restrict Boot Policy evaluation 176 | Intent semantic interaction between app and system (or another app); used for Siri, Shortcuts, Maps (contextual suggestion), Widgets (configuration); definition by file or programmatically using AppIntents.framework; command line tool: appintentsmetadataprocessor (Xcode extracts Intent definition at compile time); extension points: com.apple.intents-service, com.apple.intents-ui-service 177 | IOKit device driver subsystem for in-kernel and DriverKit drivers, command line tool: ioreg 178 | Ironwood dictation, customized on server with selected user data (contacts, app names, music titles, HomeKit names, Siri Shortcut phrases), not tied to Apple Account; SpeechRecognitionCore.framework, ASRBridge.framework; server: guzzoni.apple.com 179 | ISP Image Signal Processor; camera imaging circuit in iPhones 180 | ITML iTunes Markup Language; metadata tagging for media services; ITMLKit.framework 181 | ITP Intelligent Tracking Prevention, cross-site tracking defenses in Safari, statistics and user interaction classify sites, cookies are partitioned and access is restricted 182 | JARVIS Just A Rather Very Intelligent Scheduler, Mesos cluster manager for Siri, iCloud, AMS 183 | Jellyfish Animoji; /Applications/Jellyfish.app 184 | Jetsam reclaiming of purgeable memory and termination of apps during memory pressure 185 | JSC JavaScript Core; JavaScriptCore.framework; command line tool: jsc 186 | Kalamata codename for the transition from x86 to ARM-based Apple Silicon 187 | Kerberos single-sign-on mechanism; Heimdal.framework; command line tools: kinit, ktutil 188 | Kext kernel
extension mechanism, loaded at boot time as part of a Kext Collection; /Library/Extensions, /Library/StagedExtensions (for user approval), /System/Library/Extensions; command line tool: kextutil (manages deprecated runtime loading) 189 | Kext Collection prelinked sets of kernel extensions; /System/Library/KernelCollections (for boot and system kexts), /Library/KernelCollections (for auxiliary third-party kexts); the latter is only loaded at a lower-security Boot Policy; launchd service: com.apple.kernelmanagerd (invoked by kernel through host special port 15); command line tool: kmutil 190 | Keybag storage of protection class keys for Keychain and filesystem, protected by SEP using SKP; stored in user.kb; launchd services: com.apple.mobile.keybagd, com.apple.secd 191 | Keychain storage for credentials; launchd service: com.apple.securityd; command line tools: certtool, security, systemkeychain 192 | KIP Kernel Integrity Protection, locking of physical memory pages to prevent changes to kernel 193 | Launch Services management for application launches, association of UTIs to apps, uses Spotlight to update cached info; launchd services: com.apple.coreservices.launchservicesd, com.apple.lsd; CoreServices.framework/LaunchServices.framework; command line tools: lsappinfo, lsregister 194 | Live Files user mode filesystems, currently FAT, ExFAT, NTFS on external storage; UserFS.framework, UVFSXPCService.framework; launchd service: com.apple.filesystems.userfsd 195 | Liverpool PCS codename for CloudKit 196 | LKDC Local Key Distribution Center, Kerberos on client machines 197 | LSM Latent Semantic Mapping, text analysis, used for spam filtering, command line tool: lsm 198 | Mac Buddy historic name for Setup Assistant 199 | MAC Policy Mandatory Access Control subsystem in XNU, based on TrustedBSD, implements policy hooks for restricted kernel operations; current policies: AMFI, Seatbelt, Quarantine, CSR 200 | Machine Learning Vision.framework, Espresso.framework, 
Futhark.framework, PhotoAnalysis.framework; used for Live Text and Visual Lookup; launchd service: com.apple.mediaanalysisd 201 | Madrid iMessage; /System/Library/Messages 202 | Manatee PCS keys for some CloudKit containers are synced via CKKS, so data is unreadable to Apple (credential management codenames: Plesio, Stingray, Cuttlefish) 203 | Mandrake emergency siren on Apple Watch Ultra; /Applications/Mandrake.app 204 | Mangrove transferring UI tiles over XPC; Mangrove.framework, IOSurface.framework 205 | Marco Marco.framework, something about IDS and communication (iMessage, Calls), logging? 206 | Marklar codename from the PowerPC era for the port to x86, served the transition to Intel CPUs 207 | MARRS Multimodal Reference Resolution; Marrs.framework 208 | Marzipan Catalyst; port of iOS frameworks to macOS, Catalyst apps are iOS apps with additional API to adapt macOS UI idioms; /System/iOSSupport; integration using UIKit system process; launchd service: com.apple.uikitsystemapp; input remapping by /Library/Apple/Library/Bundles/InputAlternatives.bundle 209 | MCX Managed Client for OS X, preference management for settings from configuration profiles, /Library/Managed Preferences, command line tools: mcxquery, mcxrefresh 210 | MDM Mobile Device Management; server software to manage fleets of iOS and macOS devices; uses configuration profiles to manage preferences; ConfigurationProfiles.framework 211 | MDS Module Directory Services, ancient part of the old security APIs (CDSA, CSSM) 212 | Memory Debugging uses Taskport; command line tools: heap, leaks, malloc_history, stringdups, vmmap 213 | Mesa Touch ID; /Library/Catacomb 214 | Metadata Spotlight; file indexing on macOS; CoreServices.framework/Metadata.framework, CoreServices.framework/SearchKit.framework; stored in .Spotlight-V100; launchd service: com.apple.metadata.mds; command line tools: mddiagnose, mdfind, mdimport, mdls, mdutil; in addition to auto-indexing, apps can explicitly register searchable items;
CoreSpotlight.framework; launchd service: com.apple.corespotlightd 215 | Micro Location positioning service on macOS (because there is no GPS?); MicroLocation.framework; launchd service: com.apple.milod 216 | MLHost background machine learning service; launchd service: com.apple.mlhostd; /System/Library/MLHost; DeepThought.framework, LighthouseBackground.framework, LighthouseBitacoraFramework.framework, Dendrite.framework 217 | MMCS MobileMe Chunk Storage, used by iCloud, splits blobs into chunks and stores them at Apple/AWS/GCP with convergent encryption (content hash as key); MMCS.framework 218 | Mobile prefix for iOS 219 | Mobile Assets demand-downloaded system components like fonts, dictionaries, linguistic data; stored in /System/Library/Assets; launchd services: com.apple.languageassetd (language-dependent assets), com.apple.mobileassetd; server: mesu.apple.com 220 | Mobile Device connectivity to iOS devices over USB or WiFi (AirTrafficHost) for syncing, development, and debugging; MobileDevice.framework; launchd service: com.apple.usbmuxd; Bonjour service: _apple-mobdev2._tcp 221 | MOC Managed Object Context; Core Data object space 222 | Mondrian photo collage arrangement in Photos.app; Mondrian.framework 223 | MRT Malware Removal Tool; /Library/Apple/System/Library/CoreServices/MRT.app; superseded by XProtect 224 | Multipeer Connectivity ad-hoc networking; Bonjour for discovery; WiFi, AWDL, Bluetooth, or Ethernet as transport; optional encryption and certificate-based authentication; MultipeerConnectivity.framework 225 | Nano prefix for watchOS 226 | Nearby Interaction proximity-based interaction between devices; proximity measured using ultra wideband or derived from other technologies; used for Universal Control, tapping phones for AirDrop; NearbyInteraction.framework, Proximity.framework; launchd services: com.apple.aonsensed (always-on sense daemon), com.apple.nearbyd 227 | Nebula sleep apnea detection on watchOS; BreathingAlgorithms.framework 228 |
Newton fall detection on watchOS 229 | NLP Natural Language Processing; NLP.framework; related to mecabra libraries, a linguistic engine for Chinese and Japanese; /usr/share/mecabra, /usr/share/tokenizer 230 | Notarization app security scan by Apple; cryptographic proof stapled to code signature, tested at launch by System Policy; for non-notarized apps sends code hash to Apple; command line tools: notarytool, altool, stapler 231 | Noticeboard User Notifications for Software Update and App Store, Noticeboard.framework; launchd services: com.apple.noticeboard.state (nbstated), com.apple.noticeboard.agent (nbagent) 232 | Notifications system notification bus, unrelated to the local/remote push notifications; launchd service: com.apple.notifyd, com.apple.kuncd (invoked by kernel through host special port 10); command line tool: notifyutil; complemented by framework-level notification system (CFNotification, NSNotification); launchd services: com.apple.distnoted.xpc.daemon, com.apple.distnoted.xpc.agent 233 | NSP Network Service Proxy; per-app VPN and proxy settings, implements Private Relay; launchd service: com.apple.networkserviceproxy 234 | OAH Rosetta; ahead-of-time compiler for Intel code on Apple Silicon, usable from Linux VMs by way of a custom binformat; /usr/libexec/rosetta, /var/db/oah (AOT cache); launchd service: com.apple.oahd 235 | ODR On-Demand Resources; loaded from App Store; launchd service: com.apple.appstored 236 | Omni Search fuzzy semantic search with results recognized in images; OmniSearch.framework 237 | Onboarding data protection splash screen shown by service-connected apps; /System/Library/OnBoardingBundles; OnBoardingKit.framework 238 | Open Directory directory service for user, group, and machine management; plugin-based to use different backend stores (LDAP, Active Directory), local accounts in /private/var/db/dslocal, populated from /System/Library/DirectoryServices/DefaultLocalDB; launchd service: com.apple.opendirectoryd; command line 
tools: dscacheutil, dscl, dsconfigad, dsconfigldap, dseditgroup, dsenableroot, dserr, dsexport, dsimport, dsmemberutil, odutil 239 | OpenBSM Open Basic Security Module; deprecated security audit subsystem; /etc/security, /var/audit; launchd service: com.apple.auditd; command line tool: audit 240 | Opus create slide shows from photos; Slideshows.framework 241 | OSA Open Scripting Architecture; scripting of applications from different frontend languages (currently AppleScript and JavaScript); backed by Apple Events; command line tools: osacompile, osadecompile, osalang, osascript, sdef, sdp 242 | OTUT One-Time Unlock Token; security mechanism to allow keybag unwrapping after updates 243 | PAC Pointer Authentication Codes; pointers signed in unused bits to prevent ROP attacks 244 | Packages unit of software installation; command line tools: pkgutil, installer, softwareupdate; launchd services: com.apple.softwareupdated, com.apple.bootinstalld, com.apple.installd, com.apple.system_installd, com.apple.uninstalld; /var/db/softwareupdate, /Library/Apple/System/Library/Receipts (system), /System/Library/Receipts (read-only), /private/var/db/receipts (App Store) 245 | Packet Filter network traffic filtering subsystem from OpenBSD; command line tool: pfctl 246 | Parsec Spotlight web results and searching of crowdsourced Intent deep links; server: *.smoot.apple.com; launchd services: com.apple.parsecd, com.apple.parsec-fbf (Feedback Flush to Differential Privacy); telemetry collection with Poirot: PoirotSQLite.framework, PoirotUDFs.framework, SearchOnDeviceAnalytics.framework 247 | Party Studio Karaoke mode on tvOS, where video from a paired phone is shown with effects; /System/Library/PrivateFrameworks/PartyStudio.* 248 | Passkey keypair used for authentication instead of password, synced via SOS, implements WebAuthn standard; keys can be used to login on separate device via QR code and Bluetooth proximity proof; AuthenticationServices.framework 249 | Password Breach
monitoring of Keychain passwords against a breach database; round-robin matching in fixed-size batches, local match against common leaks, remote match using hash prefix; launchd service: com.apple.Safari.passwordbreachd 250 | Pasteboard storage for cut, copy, and paste; type of content remembered as UTI; launchd service: com.apple.pboard; command line tools: pbcopy, pbpaste 251 | PAT Private Access Tokens; blind challenge-response authentication; Apple server attests user validity to token issuer, issuer performs blind signature, websites receiving the token cannot identify user; used for Private Relay, can replace CAPTCHAs 252 | PCC Private Cloud Compute; server-based AFM for AI, running on Apple Silicon managed by SEP; stateless computation, PAT to authorize user, Attestation of remote code by device, measurements published in Transparency; ~/Library/PrivateCloudCompute; launchd services: com.apple.privatecloudcomputed, com.apple.swtransparencyd 253 | PCS Protected Cloud Storage; key management for separate iCloud storage compartments (PCS calls them views), each can contain FoundationDB plus bulk data stored by MMCS; see also iCDP, CKKS, GroupKit, Manatee; ProtectedCloudStorage.framework; /System/Library/Preferences/ProtectedCloudStorage; command line tool: pcsstatus 254 | PCSC Personal Computer Smart Card; PCSC.framework, uses CTK 255 | PDE Print Dialog Extension; old name, not a proper Extension 256 | PEC/PIR Private Encrypted Compute and Private Information Retrieval; used for parental controls for media and web; CipherML.framework; launchd service: com.apple.ciphermld 257 | Pegasus meaning 1: picture-in-picture video playback; Pegasus.framework (iOS), PIP.framework (macOS); meaning 2: online search query engine for visual lookup; PegasusKit.framework 258 | People contacts with Apple Accounts within Group Activities and Shared With You 259 | Pepper UI elements for Watch home screen and Chat, like Quickboard (canned replies), Animoji; PepperUICore.framework 
260 | Persona separation of sub-user-identities, like when using a private and managed Apple account; PersonaKit.framework; ~/Library/Personas; /System/Library/UserManagement; command line tool: umtool 261 | PHASE Physical Audio Spatialization Engine; 3D sound rendering engine; Apple devices map audio sources (even mono and stereo) to virtual speakers in a 3D sound stage, which is simulated by the physical speakers via a head-related transfer function; PHASE.framework 262 | Piano Mover Mail Drop; bulk mail attachments transferred over PCS; not to be confused with storage for iMessage attachments, which uses a CloudKit container 263 | Plugin Extensions, XPC services bundled with apps or frameworks, discovery by Launch Services; extension points listed in /System/Library/ExtensionKit/ExtensionPoints; launchd service: com.apple.pluginkit.pkd; command line tool: pluginkit 264 | PMC Performance Monitoring Counters; Recount.framework; /usr/share/kpep 265 | PMP Port Mapping Protocol; Apple alternative to UPnP, Bonjour service: _acp-sync._tcp 266 | Poster iPhone lock screen; PosterBoard.framework, PosterKit.framework; /Library/Wallpaper 267 | PowerUI battery management like smart charge and power save, learns from Duet and other data; PowerUI.framework; /var/db/PowerUI; launchd service: com.apple.PowerUIAgent 268 | Preferences storage for user-configurable settings; launchd services: com.apple.cfprefsd.xpc.daemon, com.apple.cfprefsd.xpc.agent; stored in Library/Preferences, command line tool: defaults; interaction with Synced Defaults per /System/Library/DefaultsConfigurations 269 | Preview Shell skeleton for on-device UI previews during development; /System/Library/CoreServices/PreviewShell.app; PreviewShellKit.framework, XOJIT.framework (code live patching) 270 | Private Relay two-hop onion routing with one entry and one exit node; Apple operates entry, third-party services operate exit nodes; QUIC for payload, ODoH for DNS, approximate IP geolocation via Waldo,
authentication via PAT 271 | Proactive umbrella term for suggestions, completions, and summarizations based on Duet forecasting, Biome, and Intent context; PersonalizationPortrait.framework, ProactiveMagicalMoments.framework, ProactiveSummarization.framework 272 | Provenance per-file origin tracking, extended attribute com.apple.provenance stores ID into /var/db/SystemPolicyConfiguration/ExecPolicy 273 | QoS Classes inheritable property for Activities; semantic priorities, influences scheduling parameters; initially set at user-level, priority inheritance within GCD queues and across XPC in kernel? 274 | Quagga framework for QR and barcode decoding; Quagga.framework 275 | Quick Action extension type for quick interaction with foreign content within a host app; extension points: com.apple.services, com.apple.ui-services 276 | Quick Look file preview and thumbnail generation; command line tool: qlmanage 277 | RAOP Remote Audio Output Protocol, AirPlay; Bonjour service: _raop._tcp 278 | Rapport device pairing by proximity using Alloy, with PIN entry, or using iCloud; once paired, devices can access services; used for HomeKit, HomePod, AirPlay, Home Sharing, SideCar; Rapport.framework, ProximityAppleIDSetup.framework; launchd service: com.apple.rapportd 279 | RCS Rich Communication Services; messaging service in mobile networks, successor to SMS; IMRCSTransfer.framework; /System/Library/Messages/PlugIns/RCS.imservice 280 | Recents recently used items (not files) in various applications, synced with Synced Defaults; CoreRecents.framework, /System/Library/Recents; launchd service: com.apple.recentsd 281 | Relevance Engine backend for Siri suggestions (for example of Siri Shortcuts), Widget smart stacks (also Siri watch face); consumes Duet knowledge and app-provided timelines with relevance hints; /System/Library/RelevanceEngine 282 | Remote Pairing Mobile Device pairing without wired connection; RemotePairingDevice.framework; Bonjour services: _remotepairing._tcp,
_remotepairing-manual-pairing._tcp 283 | RemoteXPC connection to a non-SoC-integrated SEP like Bridge; uses HTTP/2 over a network interface, Bridge connected over USB, secured using Attestation; RemoteServiceDiscovery.framework, TrustedAccessory.framework; launchd service: com.apple.remoted, com.apple.tracd; command line tool: remotectl 284 | Replicator notification sync from Companion iPhone, also drives remotely displayed live activities; ReplicatorServices.framework; launchd service: com.apple.replicatord 285 | Revisions document autosave and auto-versioning; stored in .DocumentRevisions-V100; GenerationalStorage.framework; launchd service: com.apple.revisiond 286 | Routine frequently visited locations on iOS, interacts with Duet; launchd service: com.apple.routined 287 | RTC Real-time Telemetry and Crash reporting; RTCReporting.framework; launchd service: com.apple.rtcreportingd 288 | RTKit real-time runtime used for firmware of Apple Silicon co-processors; on top of CL4 in Apple’s cellular modem 289 | RunningBoard runtime management of apps, paradigm: app as service process invoked by system, check-in by frameworks, handles process assertions (frontmost app, see App Nap), memory pressure (see Jetsam) and compute resources (GPU), replacement for TAL?; launchd service: com.apple.runningboardd; /System/Library/LifecyclePolicy, /System/Library/RunningBoard 290 | Safety Monitor Check In; short-term location sharing in iMessage until a destination is reached; /Applications/SafetyMonitorApp.app 291 | SBPL Sandbox Profile Language; a TinyScheme-based embedded DSL for Seatbelt profiles 292 | SCIP System Coprocessor Integrity Protection; like KIP, but for SEP, ISP, Motion coprocessor 293 | Screen Reader VoiceOver and Braille; /System/Library/ScreenReader; ScreenReader.framework 294 | Screen Time digital wellbeing and parental controls system, uses Device Management as policy engine, self-enforced within the application by frameworks; DeviceActivity.framework, 
ManagedSettings.framework, FamilyControls.framework; launchd services: com.apple.ScreenTimeAgent, com.apple.dmd 295 | SDB SQL Database; CoreSDB.framework, used by iCloud communication 296 | Search Party portion of Find My service for offline devices; devices emit public part of rotating key pair via Bluetooth LE, other devices encrypt current location with this key and send to Apple, private key shared over CloudKit 297 | Seatbelt process sandbox by filtering system calls; profiles written in SBPL; /System/Library/Sandbox/Profiles, /usr/share/sandbox; default file access policy asks for TCC confirmation before access to folders with user data (like Documents) is allowed; command line tool: sandbox-exec; launchd service: com.apple.sandboxd (invoked by kernel through host special port 14 for logging) 298 | Secure Backup escrow part of CKKS; escrow key individually wrapped with passcodes of trusted devices, stored in HSM to prevent brute forcing, uses SRP so passcodes are not visible to iCloud, limited number of recovery attempts; protocol called Lakitu, uses FollowUp; launchd service: com.apple.SecureBackupDaemon (com.apple.sbd); CloudServices.framework 299 | SEP Secure Enclave Processor; dedicated ARM core for security services, runs CL4-based sepOS, inline encryption to DRAM, manages AES keys in storage DMA engine, factory-paired channels to Touch ID/Face ID hardware, Secure Element, Neural Engine; SEP can use but not read UID and GID keys; credential verification performed by hardware lockbox with retry count enforcement 300 | Sequoia translation; downloadable language models can run on-device; /Applications/SequoiaTranslator.app, Translation.framework 301 | Seymour Apple Fitness+; workout videos integrated with Watch sensors; SeymourCore.framework, Blackbeard.framework (personalisation and workout programs) 302 | SF Symbols scalable UI symbols; rendered with various color treatments; SFSymbols.framework 303 | Shared File List lists of recently opened files from 
apps that are stored with Launch Services; command line tool: sfltool; also manages login items and app-installed background daemons 304 | Shared With You collaboration features between apps and iMessage; content shared via iMessage is surfaced in apps (Swift Transferable protocol), content in apps can be collaboratively edited and connected to an iMessage group; collaborations are expressed by keys derived from participant device keys, padded with a number of random keys to prevent tracking of device count, a merkle tree of those keys is used to prove inclusion of a specific device to an app; SharedWithYou.framework 305 | Sharing umbrella term for wireless proximity services: AirDrop, Continuity, Instant Hotspot, WiFi sharing; used by loginwindow for Watch unlock; Sharing.framework; launchd service: com.apple.sharingd; also serves connection sharing and remote disk 306 | Shazam audio (especially music) recognition service; ShazamKit.framework; launchd service: com.apple.shazamd; command line tool: shazam 307 | Shoebox Passbook 308 | Sidecar using iPhone/iPad as Mac accessory: external camera and microphone (ContinuityCapture), camera for photos and scanning (DocumentCamera.framework), iPad as display over low-latency WiFi (llw interface) using avconferenced encoding; /Applications/Sidecar.app; SidecarCore.framework; launchd services: com.apple.sidecar-display-agent (SidecarDisplayAgent), com.apple.sidecar-relay (SidecarRelay) 309 | Signpost telemetry API to report points of interest in code; launchd service: com.apple.signpost.signpost_reporter 310 | SIL Secure Indicator Light; microphone and camera indicator on iPads rendered in hardware 311 | Simulator running an iOS/tvOS/watchOS personality on macOS, uses sandboxing and a separate Mach bootstrap namespace for container-like isolation; installable simulators as disk images in /Library/Developer/CoreSimulator/Images; command line tool: simctl 312 | SIP System Integrity Protection or rootless mode; collection of 
kernel-level security restrictions regarding file system modification, unsigned Kexts, Taskport access, NVRAM access, DTrace; /System/Library/Sandbox/rootless.conf; command line tool: csrutil, rootless-init 313 | Site Association signed files in .well-known directory on websites; equivalent to Entitlements for websites, associates domains with app IDs for Universal Links; command line tool: swcutil 314 | SKP Sealed Key Protection; measurement of system state (boot chain IMG4 manifests, BPR, Boot Policy data, UID key, user passcode) to derive Keybag keys 315 | SKS Secure Key Store; handling of keybag keys within the SEP 316 | SkyLight WindowServer; SkyLight.framework 317 | Skywalk network subsystem in XNU, links together actual technologies (Bluetooth, WiFi, Thunderbolt) and interfaces/tunnels; transacts in nexus (for conduits) and agent (for endpoints) objects; DriverKit network drivers use Skywalk; command line tool: skywalkctl 318 | SLC System-Level Cache, architectural feature of Apple Silicon; cache located within SoC at controllers for external DRAM, serves all compute units and stages transfers between them 319 | Social Gaming Game Center; multiplayer gaming services on top of CloudKit, shared storage and low-latency multicast for multiplayer sessions; launchd service: com.apple.gamed 320 | Sock Puppet Watch interaction that requires Companion iPhone 321 | SOS Secure Object Sync; syncing backend for iCloud Keychain, not to be confused with the emergency call feature; transferred items previously staged in Synced Defaults, for two-factor accounts in CKKS; launchd services: com.apple.secd (access to local keychain), com.apple.security.cloudkeychainproxy3 (connects to Synced Defaults), com.apple.security.keychain-circle-notification 322 | SPI System Private Interface; /System/Library/PrivateFrameworks 323 | SpringBoard iOS home screen; like Dock (Launchpad, Mission Control, desktop picture), Control Center, SystemUIServer (menu extras icons), loginwindow (lock 
screen), and WindowServer (compositor) on macOS; /System/Library/CoreServices/SpringBoard.app, /Applications/PreBoard.app, BaseBoard.framework, FrontBoard.framework, SplashBoard.framework; launchd service: com.apple.backboardd (compositor) 324 | SPRR Shadow Permission Remap Register? feature of Apple Silicon to dynamically reinterpret page permissions 325 | SPTM Secure Page Table Monitor; code in kernel-level GXF protects page table modifications; Trusted Execution Monitor (TXM) in user-level GXF implements policy and parts of AMFI 326 | SRP Secure Remote Password; standard cryptographic protocol for proving knowledge of a secret such that attackers cannot brute-force the secret; AppleSRP.framework 327 | SSO Single Sign-On 328 | SSV Signed System Volume, also called Authenticated Root Volume (ARV); macOS boots from blessed read-only APFS snapshot, merkle-tree and root-hash stored in Preboot volume; modifications require disabling root authentication with csrutil from recovery, then the live filesystem can be mounted, modified, and re-blessed; command line tools: apfs_systemsnapshot, bless, csrutil 329 | Stark CarPlay; iPhone provides video feeds for in-car displays; three layers composited by the car: remote UI (from iPhone), punch-through UI (back up camera), local UI (dashboard gauges: assets from iPhone, rendered by car, like Live Activities?), overlay UI (essential indicators); associate apps on iOS: /Applications/CarCamera.app, /Applications/Charge.app, /Applications/Climate.app, /Applications/Closures.app, /Applications/Media.app, /Applications/TirePressure.app, /Applications/Trip.app, /Applications/Vehicle.app 330 | Stockholm Secure Element in Apple SoCs, a processor running crypto protocols on keys it protects; used for Apple Pay and Car Key; related codenames: Icefall, Warsaw 331 | Storage Management freeing up disk space by managing bulky items; UI in System Information.app; StorageManagement.framework; launchd service: com.apple.diskspaced; extension
point: com.apple.storagemanagement; extends Cache Delete service 332 | Suggestions semantic analysis of mails and websites to suggest contacts, calendar events and the like; launchd services: com.apple.suggestd, com.apple.reversetemplated; custom JavaScript parsers in /System/Library/AssetsV2/com_apple_MobileAsset_CoreSuggestions 333 | Symbols debug symbols for backtraces; CoreSymbolication.framework; launchd services: com.apple.coresymbolicationd; command line tools: atos, symbols, symbolscache 334 | Symptoms network diagnostics; Symptoms.framework; /var/networkd/db/netusage.sqlite; launchd service: com.apple.symptomsd (invoked by kernel through host special port 27) 335 | Synced Defaults simple key-value store for applications, no user control over data; can use iCloud key-value backend (old) or Manatee container (new, marked as com.apple.kvs) as storage; launchd service: com.apple.syncdefaultsd; locally stored in ~/Library/SyncedPreferences 336 | System Configuration SystemConfiguration.framework; launchd service: com.apple.configd; command line tool: scutil 337 | System Extension system-wide components formerly implemented as insecure plugins or kexts; current extension types: DriverKit, FSKit, Network, Endpoint Security, Core Media IO; /System/DriverKit, /System/Library/DriverExtensions, /Library/Preferences/com.apple.networkextension.plist; command line tool: systemextensionsctl; launchd services: com.apple.sysextd, com.apple.nesessionmanager, com.apple.endpointsecurity.endpointsecurityd; command line tool: eslogger 338 | System Policy Gatekeeper; policy engine for application launches and kext loading, malware signatures from /Library/Apple/System/Library/CoreServices/XProtect.bundle; /var/db/SystemPolicyConfiguration; launchd service: com.apple.security.syspolicy (invoked by kernel through host special port 29); command line tool: spctl 339 | Tailspin sampling of process stack traces; launchd service: com.apple.tailspind; command line tool: tailspin 340 | 
TAL Transparent App Lifecycle; process for macOS apps started and stopped independently of the user launching and quitting app; also handles session restore across reboots; ~/Library/Saved Application State; launchd service: com.apple.talagent 341 | Taskport Mach kernel concept for ptrace-like access to task internals; access policy implemented by daemon; launchd service: com.apple.taskgated (invoked by kernel through task special port 9); command line tool: DevToolsSecurity 342 | TCC Transparency, Consent, and Control; user control over app access to privacy-related services (kTCCService*); TCC.framework; launchd services: com.apple.tccd, com.apple.tccd.system; command line tool: tccutil; stored in /Library/Application Support/com.apple.TCC, ~/Library/Application Support/com.apple.TCC, /var/db/locationd (for kTCCServiceLocation) 343 | Template App code-less app-bundle, passed to an actual executable by Launch Services; created when adding websites in Safari to Dock/Springboard; run by /System/Volumes/Preboot/Cryptexes/App/System/Library/CoreServices/Web App.app 344 | Time Machine automatic backup service, command line tools: tmdiagnose, tmutil 345 | Tin Can Walkie Talkie on watchOS; /Applications/TinCan.app 346 | Tones ringtones; ToneLibrary.framework 347 | Translocation app binary copied on launch to dedicated location; initiated by Launch Services for security (prevents path traversal for apps quarantined by System Policy) or path normalization (iOS apps do not expect to be moved, but can be moved on macOS) 348 | Transparency un-alterable append-only log to publish information; used for ESS keys and PCC software hashes, based on CONIKS, devices audit IDS/PCC records against logs, root hashes gossiped over iMessage to detect split-view attacks; Transparency.framework; launchd service: com.apple.transparencyd; server: init-kt.apple.com 349 | TSS Tatsu Signing Server; online verification for firmware signatures; server: gs.apple.com 350 | TTS Text To Speech,
neural-network-based synthesis engine (Gryphon); command line tool: say; /System/Library/Speech, /System/Library/TTSPlugins 351 | TVML TV Markup Language; declarative UI language for TV apps; TVMLKit.framework 352 | UARP Universal Accessory Restore Protocol; CoreUARP.framework; launchd service: com.apple.uarppersonalizationd (personalized firmware) 353 | Ubiquity iCloud Drive; codename Bladerunner, uses CloudKit; CloudDocs.framework; launchd service: com.apple.bird; locally stored in ~/Library/Mobile Documents (was supposed to move to Library/CloudStorage/iCloud Drive but this was reverted) 354 | UID unique ID key, used as root key for cryptographic subsystems, generated during manufacturing by SEP and fused into hardware, only accessible by SEP 355 | Unified Logging system-wide logging and Activity tracking; launchd service: com.apple.logd, com.apple.diagnosticd; command line tool: log; /dev/oslog; data stored in /var/db/diagnostics, support files in /var/db/uuidtext 356 | Urchin Tides app on watchOS; /Applications/Urchin.app 357 | USD Universal Scene Description; storage format for 3D assets; /usr/lib/usd; command line tools: usdcat, usdchecker, usdcrush, usdextract, usdrecord, usdtree, usdzip 358 | User Activity abstraction for deep-linking into apps with structured context (people, places); used for Universal Links (schema.org on websites), Handoff, Parsec (app links in search), Quick Note (context awareness); now part of Intents; UserActivity.framework; launchd service: com.apple.coreservices.useractivityd 359 | User Notifications user interface for notification center; launchd service: com.apple.usernoted 360 | UTI Uniform Type Identifiers; system for document types; file extensions and MIME types are mapped to UTIs, UTIs form a conformance graph, apps register their UTIs with Launch Services; /System/Library/CoreServices/CoreTypes.bundle; also Apple’s hardware devices are represented as UTIs 361 | VA Video Acceleration; AppleVA.framework 362 | VDAF 
Verifiable Distributed Aggregation Function; part of Differential Privacy; VDAF.framework 363 | Viceroy video conferencing used by FaceTime and ReplayKit; ViceroyTrace.framework 364 | Virtualisation running virtual machines on macOS; Hypervisor.framework (for basic VMs and vCPUs), Virtualization.framework (brings a robust set of device models) 365 | VSDB volume status database; /var/db/volinfo.database; command line tool: vsdbutil 366 | Waldo selects edge servers based on approximate location, part of Private Relay, seen in NSP 367 | Wally private search in server-side database using homomorphic encryption; private information retrieval (PIR), private nearest neighbor search (PNNS); used for Caller ID, email logos, adult website filtering, points-of-interest lookup for photos 368 | WFS WebDAV File Sharing; built-in file sharing with Apache; /etc/wfs; command line tool: wfsctl 369 | Widgets content excerpt from apps; provided via a timeline of view hierarchies, configuration uses Intents; visible on home screen, lock screen, as live activities, as watch complications; WidgetKit.framework, ChronoServices.framework; extension point: com.apple.widgetkit-extension; launchd service: com.apple.chronod (timeline management and sync) 370 | Willow HomeKit; end-to-end-encrypted communication protocol and API for IoT-accessories; pairing with SRP using code printed on device, credential sync by CKKS, transported over Alloy, remote access using Apple TV as proxy; launchd service: com.apple.homed 371 | Window Manager implements Stage Manager; /System/Library/CoreServices/WindowManager.app; launchd service: com.apple.WindowManager.agent 372 | Workflow Shortcuts; user-programmable system-wide automation, built-in triggers cause a chain of actions to run; actions are synthesized from User Activities and Intents provided by apps; WorkflowKit.framework, ActionKit.framework; locally stored in ~/Library/Shortcuts; launchd service: com.apple.siriactionsd (voice-triggered shortcuts); 
command line tool: shortcuts 373 | xART eXtended Anti-Replay Technology; persistent storage for SEP, used by Mesa; /System/Volumes/xarts; launchd service: com.apple.xartstorageremoted; command line tool: xartutil 374 | XCS Xcode Server; continuous integration server; command line tools: xcscontrol, xcsdiagnose 375 | XProtect signature-based malware scanner and remediation service; /Library/Apple/System/Library/CoreServices/XProtect.bundle; command line tool: xprotect --------------------------------------------------------------------------------