The iOS Device Tree is very similar to the Linux devicetree. iBoot passes its location to the kernel in the deviceTreeP field of boot_args (a kernel virtual address, with the size in deviceTreeLength); the same region is also listed by physical address under /chosen/memory-map as the DeviceTree entry.
```c
/* XNU pexpert/pexpert/arm64/boot.h; Revision 2 / Version 2 layout, as the device below reports */
#define BOOT_LINE_LENGTH 256
struct Boot_Video {
    unsigned long v_baseAddr;   /* Base address of video memory */
    unsigned long v_display;    /* Display Code (if Applicable) */
    unsigned long v_rowBytes;   /* Number of bytes per pixel row */
    unsigned long v_width;      /* Width */
    unsigned long v_height;     /* Height */
    unsigned long v_depth;      /* Pixel Depth and other parameters */
};
typedef struct Boot_Video Boot_Video;
typedef struct boot_args {
    uint16_t   Revision;          /* Revision of boot_args structure */
    uint16_t   Version;           /* Version of boot_args structure */
    uint64_t   virtBase;          /* Virtual base of memory */
    uint64_t   physBase;          /* Physical base of memory */
    uint64_t   memSize;           /* Size of memory */
    uint64_t   topOfKernelData;   /* Highest physical address used in kernel data area */
    Boot_Video Video;             /* Video Information */
    uint32_t   machineType;       /* Machine Type */
    void      *deviceTreeP;       /* Base of flattened device tree (kernel virtual address) */
    uint32_t   deviceTreeLength;  /* Length of flattened tree */
    char       CommandLine[BOOT_LINE_LENGTH]; /* Passed in command line */
    uint64_t   bootFlags;         /* Additional flags specified by the bootloader */
    uint64_t   memSizeActual;     /* Actual size of memory (the mem_size_actual used in the layout below) */
} boot_args;
```
Example from an iPhone 8 running iOS 14.6:
Revision: 0x2
Version: 0x2
virtBase: 0xfffffff00a7f4000
physBase: 0x8007f4000
memSize: 0x7b62c000   about 1.93 GiB usable by the kernel; the device has 2 GB of RAM, the difference being carveouts
topOfKernelData: 0x8070a8000
machineType: 0x0
deviceTreeP: 0xfffffff00e90c000   a kernel virtual address; with the virtBase/physBase offset it corresponds to physical 0x80490c000
deviceTreeLength: 0x34000
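As an added example (not code from the original post), the following C works out what the dump above leaves implicit: iBoot hands the kernel a linear map of RAM starting at virtBase, so a kernel virtual address in that window converts to physical with the constant offset va - virtBase + physBase (the relation behind XNU's phystokv()/kvtophys()). It applies that to deviceTreeP and checks that the tree lies 16 KiB aligned inside the kernel data area below topOfKernelData. The struct is a trimmed view holding only the boot_args fields used; the values are the iPhone 8 ones quoted above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The boot_args fields this example needs (names as in XNU's pexpert/arm64/boot.h). */
struct boot_args_view {
    uint64_t virtBase;
    uint64_t physBase;
    uint64_t memSize;
    uint64_t topOfKernelData;
    uint64_t deviceTreeP;        /* kernel virtual address, kept as an integer here */
    uint32_t deviceTreeLength;
};

/* Constructed from the iPhone 8 / iOS 14.6 values quoted in the post. */
static const struct boot_args_view iphone8_args = {
    .virtBase         = 0xfffffff00a7f4000ULL,
    .physBase         = 0x8007f4000ULL,
    .memSize          = 0x7b62c000ULL,
    .topOfKernelData  = 0x8070a8000ULL,
    .deviceTreeP      = 0xfffffff00e90c000ULL,
    .deviceTreeLength = 0x34000,
};

/* Inside the linear map a kernel VA and its PA differ by the constant (virtBase - physBase). */
static uint64_t kv_to_phys(const struct boot_args_view *ba, uint64_t va)
{
    return va - ba->virtBase + ba->physBase;
}

static uint64_t phys_to_kv(const struct boot_args_view *ba, uint64_t pa)
{
    return pa - ba->physBase + ba->virtBase;
}

/* Physical address of the flattened Device Tree behind deviceTreeP. */
static uint64_t device_tree_phys(const struct boot_args_view *ba)
{
    return kv_to_phys(ba, ba->deviceTreeP);
}

/* Plausibility check on a dump: the tree must be 16 KiB aligned and lie entirely inside the
 * kernel data area [physBase, topOfKernelData), which is where the memory layout places it. */
static bool device_tree_in_kernel_data(const struct boot_args_view *ba)
{
    uint64_t pa = device_tree_phys(ba);
    if (pa & 0x3fffULL) return false;                          /* arm64 iOS uses 16 KiB pages */
    if (pa < ba->physBase || pa >= ba->topOfKernelData) return false;
    return ba->deviceTreeLength <= ba->topOfKernelData - pa;   /* end check without overflow */
}

/* Bytes iBoot already used below topOfKernelData: kernelcache, DT, trust cache, SEPFW, boot_args. */
static uint64_t kernel_data_size(const struct boot_args_view *ba)
{
    return ba->topOfKernelData - ba->physBase;
}

static uint64_t mem_size_mib(const struct boot_args_view *ba)
{
    return ba->memSize >> 20;
}

int main(void)
{
    const struct boot_args_view *ba = &iphone8_args;
    printf("deviceTreeP %#llx -> phys %#llx (%s)\n",
           (unsigned long long)ba->deviceTreeP, (unsigned long long)device_tree_phys(ba),
           device_tree_in_kernel_data(ba) ? "inside kernel data" : "OUT OF RANGE");
    printf("kernel data area %#llx bytes, memSize %llu MiB, DT back to VA %#llx\n",
           (unsigned long long)kernel_data_size(ba), (unsigned long long)mem_size_mib(ba),
           (unsigned long long)phys_to_kv(ba, device_tree_phys(ba)));
    return 0;
}
```

The same arithmetic is what you need when a boot_args dump and a memory-map dump come from different boots: convert both sides to physical addresses before comparing them, since KASLR moves the whole region.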
Initial physical memory layout at iOS boot:
+==========================+ <-- bottom of RAM (0x8_0000_0000)
| Coprocessor carveouts, |
| iBoot stuff, etc. |
+==========================+ <-- boot_args->phys_base, VM = boot_args->virt_base
| kASLR slide gap (<32MiB) | kernel ASLR (Address Space Layout Randomization) gap, re-randomized on every boot
+==========================+
| Device Tree (ADT) | /chosen/memory-map.DeviceTree
+--------------------------+
| Trust Cache | /chosen/memory-map.TrustCache
+==========================+ <-- Mach-O lowest vmaddr mapped to here (+ slide!)
| Mach-O base (header) | /chosen/memory-map.Kernel-mach_header
+-- --+
| Mach-O segments... | /chosen/memory-map.Kernel-(segment ID)...
+==========================+
| SEP Firmware | /chosen/memory-map.SEPFW
+--------------------------+ <-- boot_args
| BootArgs | /chosen/memory-map.BootArgs
+==========================+ <-- boot_args->top_of_kdata
| |
| (Free memory) |
| (incl. iBoot trampoline) |
| |
+==========================+ <-- boot_args->top_of_kdata + boot_args->mem_size
| Video memory, SEP |
| carveout, and more |
+==========================+ <-- 0x8_0000_0000 + boot_args.mem_size_actual
Device Tree dump from an iPhone 8 on iOS 14.6 (captured on a different boot than the boot_args above, so its addresses do not line up with those values):
device-tree:
| regulatory-model-number [32]: A1863
| #address-cells [4]: 0x2
| AAPL,phandle [4]: 0x1
| config-number [64]: (ZERO_FILL)
| serial-number [32]: ***** (serial number, redacted)
| target-type [4]: D20
| platform-name [32]: t8015
| mlb-serial-number [32]: ***** (mainboard serial number, redacted)
| secure-root-prefix [3]: md
| name [12]: device-tree
| manufacturer [11]: Apple Inc.
| region-info [32]: CH/A   (mainland China region code)
| compatible [26]: 4432304150006950686f6e6531302c31004170706c6541524d |D20AP.iPhone10,1.AppleARM|   three NUL-separated strings (D20AP, iPhone10,1, AppleARM); the dump prints each NUL as '.'
| model-number [32]: MQ6M2
| time-stamp [28]: Sat May 8 01:21:14 PDT 2021
| clock-frequency [4]: 0x0
| model-config [86]: receiver_1=AAC;wifi_module_vendor=USI;MoPED=0xB3651978EE098EF5F5BB3B021C79773226D4B157
| model [11]: iPhone10,1
| device_type [8]: bootrom
| #size-cells [4]: 0x2
+ chosen:
| | development-cert [4]: 0x0
| | disable-transport-rm [4]: 0x0
| | amfi-only-platform-code [4]: 0x0
| | coverglass-color [16]: < 0x1 0x200000000 >
| | consistent-debug-root [8]: 0x0
| | dram-vendor [16]: Samsung
| | board-id [4]: 0x2
| | root-matching [256]: <dict><key>IOProviderClass</key><string>IOMedia</string><key>IOPropertyMatch</key><dict><key>Partition ID</key><integer>1</integer></dict></dict>
| | unique-chip-id [8]: 0x****** (ECID, redacted)
| | dram-vendor-id [4]: 0x1
| | mac-address-bluetooth0 [6]: b******* (Bluetooth MAC address, redacted)
| | software-behavior [16]: 0x141 0x0
| | amfi-allows-trust-cache-load [4]: 0x0
| | mix-n-match-prevention-status [4]: 0x1
| | max-env-var-name-size [4]: 0x3f
| | certificate-security-mode [4]: 0x1
| | display-rotation [4]: 0x0
| | crypto-hash-method [9]: sha2-384
| | secure-boot [4]: 0x1
| | housing-color [16]: < 0x1 0x700000000 >
| | gid-aes-key [4]: 0x1
| | disable-av-content-protection [4]: 0x0
| | image4-supported [0]:
| | boot-nonce [8]: 0x82263873cc27ed5a
| | display-corner-radius [4]: 0x0
....
+ memory-map:
....
| | | name [11]: memory-map
| | | kernel-only [5]: true
| | | TrustCache [16]: < 0x804194000 0xc000 >
| | | DeviceTree [16]: < 0x804160000 0x34000 >
| | | SEPFW [16]: < 0x806784000 0x174000 >   physical address and length of the SEP firmware image
| | | BootArgs [16]: < 0x8068f8000 0x4000 >   physical address and length of the boot_args structure
| | | Kernel-__TEXT [16]: < 0x8041a0000 0x710000 >   physical address and length of the kernelcache's __TEXT segment; the other Kernel-* entries follow the same pattern
| | | Kernel-__DATA_CONST [16]: < 0x8048b0000 0x33c000 >
| | | Kernel-__TEXT_EXEC [16]: < 0x804bec000 0x17e4000 >
| | | Kernel-__KLD [16]: < 0x8063d0000 0x4000 >
| | | Kernel-__LAST [16]: < 0x8063d4000 0x4000 >
| | | Kernel-__KLDDATA [16]: < 0x8063d8000 0x4000 >
| | | Kernel-__DATA [16]: < 0x8063dc000 0x21c000 >
| | | Kernel-__BOOTDATA [16]: < 0x8065f8000 0x3c000 >
| | | Kernel-__PRELINK_INFO [16]: < 0x806634000 0x12c000 >
| | | Kernel-__LINKEDIT [16]: < 0x806760000 0x21730 >
| | | Kernel-mach_header [16]: < 0x8041a0000 0x20 >
....
+ cpus:
| | #address-cells [4]: 0x1
| | #size-cells [4]: 0x0
| | name [5]: cpus
| | AAPL,phandle [4]: 0xe
+ cpu0:
| | | fixed-frequency [8]: 0x16e3600
| | | coresight-reg [16]: < 0x208010000 0x40000 >
| | | cluster-core-id [4]: 0x0
| | | l3-cache-size [4]: 0x800000
| | | clock-frequency [8]: 0x16e3600
| | | state [8]: running
| | | l2-cache-size [4]: 0x100000
| | | interrupt-parent [4]: 0x1a
| | | function-error_handler [12]: 1900000048727245
| | | interrupts [12]: 800100005b0000008101
| | | timebase-frequency [8]: 0x16e3600
| | | function-ipi_dispatch_other [12]: 1a000000444950498101
| | | cpu-impl-reg [16]: < 0x208050000 0x10000 >
| | | function-enable_core [12]: 1c00000065726f4301
| | | cluster-id [4]: 0x0
| | | l2-cache-id [4]: 0x0
| | | memory-frequency [8]: 0x16e3600
| | | cpm-impl-reg [16]: < 0x208e40000 0x10000 >
| | | peripheral-frequency [8]: 0x16e3600
| | | AAPL,phandle [4]: 0xf
| | | cpu-id [4]: 0x0
| | | name [5]: cpu0
| | | function-ipi_dispatch [12]: 1a000000444950498001
| | | cluster-type [2]: 45   0x45 = 'E', an efficiency cluster
| | | cpu-version [4]: 0x0
| | | device_type [4]: cpu
| | | compatible [21]: 6170706c652c6d69737472616c0041524d2c7638 |apple,mistral.ARM,v8|   CPU core codename Mistral, the A11's efficiency core (the performance cores are Monsoon)
| | | die-cluster-id [4]: 0x0
| | | reg-private [8]: 0x208010000
| | | reg [4]: 0x0
| | | acc-impl-reg [16]: < 0x208f00000 0x50000 >
| | | bus-frequency [8]: 0x16e3600   24 MHz (0x16e3600 = 24,000,000), the same 24 MHz reference clock as timebase-frequency and the other *-frequency entries above
| | | function-cpu_idle [8]: 0x637075490000001c
| | | l3-cache-id [4]: 0x0
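To make the dump format concrete, here is an added example (not the post's code) of a bounds-checked walker for Apple's flattened device tree: each node is an (nProperties, nChildren) header, followed by its properties (a 32-byte name, a 32-bit length, then the value padded to 4 bytes), followed by its child nodes, depth first; memory-map values are two little-endian 64-bit integers, which is why they print as "[16]: < address length >". The tree it parses is constructed in the code to mirror the device-tree, chosen and memory-map nodes above, not a real device dump; the mask of bit 31 in the length field (an iBoot placeholder flag) is an assumption noted in the code, and a little-endian host is assumed.

```c
#include <stdint.h>
#include <string.h>
/* Apple's flattened device tree (XNU pexpert/device_tree.h): a node is its header, then its
 * properties, then its children, depth first. Little-endian; a little-endian host is assumed. */
#define DT_NAME_LEN 32u
struct dt_node_hdr { uint32_t n_props, n_children; };
struct dt_prop_hdr { char name[DT_NAME_LEN]; uint32_t length; };  /* value follows, 4-byte padded */
struct dt_cursor   { const uint8_t *base; size_t size, off; };
/* Bounds-checked read: a truncated or tampered blob fails here instead of being over-read. */
static int dt_read(struct dt_cursor *c, void *out, size_t n) {
    if (n > c->size - c->off) return -1;
    memcpy(out, c->base + c->off, n); c->off += n;
    return 0;
}
/* Read one property header; return a pointer to its value and step over the padded value. */
static const uint8_t *dt_next_prop(struct dt_cursor *c, struct dt_prop_hdr *ph) {
    if (dt_read(c, ph, sizeof *ph)) return NULL;
    ph->length &= 0x7fffffffu;   /* assumption: bit 31 is an iBoot placeholder flag, not size */
    size_t padded = ((size_t)ph->length + 3) & ~(size_t)3;
    if (padded > c->size - c->off) return NULL;
    const uint8_t *v = c->base + c->off; c->off += padded;
    return v;
}
/* Read the node at c and walk its properties, leaving c at its first child. Returns 1 if its "name"
 * is comp (NULL comp matches any node), 0 if not, -1 if truncated; fills *val/*vlen when want is seen. */
static int dt_scan_node(struct dt_cursor *c, const char *comp, size_t clen, const char *want,
                        const uint8_t **val, uint32_t *vlen, uint32_t *n_children) {
    struct dt_node_hdr h; struct dt_prop_hdr ph; int named = (comp == NULL);
    if (dt_read(c, &h, sizeof h)) return -1;
    for (uint32_t i = 0; i < h.n_props; i++) {
        const uint8_t *v = dt_next_prop(c, &ph);
        if (!v) return -1;
        if (comp && !strncmp(ph.name, "name", DT_NAME_LEN) && ph.length == clen + 1 &&
            !memcmp(v, comp, clen) && v[clen] == '\0') named = 1;
        if (want && !strncmp(ph.name, want, DT_NAME_LEN)) { *val = v; *vlen = ph.length; }
    }
    *n_children = h.n_children;
    return named;
}
/* Step over a whole node: header, properties and every descendant. */
static int dt_skip_node(struct dt_cursor *c) {
    const uint8_t *v; uint32_t vl, kids;
    if (dt_scan_node(c, "", 0, NULL, &v, &vl, &kids) < 0) return -1;
    while (kids--) if (dt_skip_node(c)) return -1;
    return 0;
}
/* Property prop of the node at path (e.g. "/chosen/memory-map"); NULL if path, property or blob is bad. */
static const uint8_t *dt_lookup(const uint8_t *blob, size_t size, const char *path,
                                const char *prop, uint32_t *len_out) {
    struct dt_cursor c = { blob, size, 0 };
    const uint8_t *val = NULL; uint32_t vlen = 0, kids = 1, sub = 0;
    const char *comp = NULL; size_t clen = 0;                    /* NULL comp matches the root */
    for (;;) {
        while (*path == '/') path++;
        int found = 0;
        while (kids-- && !found) {                               /* scan siblings for comp */
            val = NULL;
            int r = dt_scan_node(&c, comp, clen, *path ? NULL : prop, &val, &vlen, &sub);
            if (r < 0) return NULL;
            if (r) found = 1;                                    /* c is at this node's first child */
            else while (sub--) if (dt_skip_node(&c)) return NULL;  /* wrong node: skip its subtree */
        }
        if (!found) return NULL;
        if (!*path) break;                                       /* that was the target node */
        comp = path; clen = strcspn(path, "/"); path += clen; kids = sub;
    }
    if (len_out) *len_out = vlen;
    return val;
}
/* /chosen/memory-map values are <physical address, length>: two little-endian uint64 ("[16]" in the dump). */
static int dt_memory_map_entry(const uint8_t *blob, size_t size, const char *entry,
                               uint64_t *addr, uint64_t *len) {
    uint32_t l = 0;
    const uint8_t *v = dt_lookup(blob, size, "/chosen/memory-map", entry, &l);
    if (!v || l != 16) return -1;
    memcpy(addr, v, 8); memcpy(len, v + 8, 8);
    return 0;
}
/* Constructed sample mirroring three nodes of the dump; not a real device dump. */
static uint8_t g_tree[512]; static size_t g_len;
static void put_u32(uint32_t v) { memcpy(g_tree + g_len, &v, 4); g_len += 4; }
static void put_prop(const char *name, const void *val, uint32_t len) {
    char n[DT_NAME_LEN] = {0}; strncpy(n, name, DT_NAME_LEN - 1);
    memcpy(g_tree + g_len, n, DT_NAME_LEN); g_len += DT_NAME_LEN;
    put_u32(len); memcpy(g_tree + g_len, val, len); g_len += len;
    while (g_len & 3) g_tree[g_len++] = 0;
}
static const uint8_t *sample_tree(size_t *len) {
    if (g_len == 0) {
        static const char compat[] = "D20AP\0iPhone10,1\0AppleARM";  /* 26 bytes, a NUL-separated list */
        uint64_t mm[2] = { 0x804160000ULL, 0x34000ULL };
        put_u32(2); put_u32(1); put_prop("name", "device-tree", 12); put_prop("compatible", compat, 26);
        put_u32(1); put_u32(1); put_prop("name", "chosen", 7);
        put_u32(2); put_u32(0); put_prop("name", "memory-map", 11); put_prop("DeviceTree", mm, 16);
    }
    if (len) *len = g_len;
    return g_tree;
}
static size_t sample_tree_len(void) { size_t n; sample_tree(&n); return n; }
/* Physical address of the Device Tree per the sample's memory-map, 0 on any failure. */
static uint64_t sample_device_tree_phys(void) {
    uint64_t a = 0, l = 0;
    return dt_memory_map_entry(sample_tree(NULL), sample_tree_len(), "DeviceTree", &a, &l) ? 0 : a;
}
```

Every read goes through the cursor, so a blob that is shorter than its headers claim (or one whose property lengths have been tampered with) makes the lookup fail instead of running off the end of the buffer; the same walker serves any path in the tree, not only memory-map.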
The Device Tree describes every device in the system. Talking to a device means reading and writing the memory-mapped registers at the addresses the tree lists; the SEP is a good example:
+ arm-io:
| | compatible [13]: arm-io,t8015
| | clock-frequencies [396]: 003....
| | soc-generation [4]: H10
| | reg [112]: < 0x208f00000....>
| | chip-revision [4]: 0x11
| | AAPL,phandle [4]: 0x19
| | iommu-present [0]:
| | acc-impl [16]: < 0x208f00000 0x1000 >
| | device_type [9]: t8015-io
| | #size-cells [4]: 0x2
| | ranges [48]: < 0x0 0x200000000 0x100000000 0x600000000...>   // <child address, parent address, size> triples of 64-bit cells; the second value of the first triple is the IO base, 0x200000000, which is fixed for this SoC
...
+ sep:
| | | compatible [10]: iop,t8015
| | | clock-ids [4]: 0x14a
| | | interrupt-parent [4]: 0x1a
| | | aarch64 [0]:
| | | interrupts [16]: < 0x790000007a 0x7b0000007c >
| | | clock-gates [4]: 0x7e
| | | reg [16]: < 0x43000000 0x10000 >   SEP register block, relative to arm-io: physical base = IO base + 0x43000000 = 0x243000000, size 0x10000; the mailbox registers sit at offset 0x8100 in this block (0x243008100)
| | | self-power-gate [0]:
| | | iop-version [4]: 0x1
| | | device_type [4]: sep
| | | sika-support [4]: 0x1
| | | AAPL,phandle [4]: 0x3e
| | | cpu-ctrl-filtered [0]:
| | | power-gates [4]: 0x7e
The kernel drives the SEP by exchanging messages through these mailbox registers.
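The "IO base + first value" arithmetic in the arm-io and sep annotations is ordinary devicetree address translation through a parent's ranges property. As an added example (not code from the post), the C below does it in general for any number of <child, parent, size> triples and rejects a reg that falls outside every range or straddles the end of one; it uses the first arm-io triple and the sep reg from the dump above (the second arm-io triple is elided in the dump and therefore omitted), and the 0x8100 mailbox offset is taken from the text as stated, not verified here.

```c
#include <stdint.h>
#include <stdio.h>

/* One entry of a `ranges` property with #address-cells = 2 and #size-cells = 2, as arm-io has:
 * <child bus address, parent bus address, length>, each a 64-bit value. */
struct dt_range { uint64_t child, parent, size; };

/* Translate the child-bus window [addr, addr + len) through `ranges` into the parent address space
 * (for arm-io: CPU physical). Returns 0 and sets *out, or -1 if no single range covers the window. */
static int dt_translate(const struct dt_range *r, size_t n, uint64_t addr, uint64_t len, uint64_t *out)
{
    for (size_t i = 0; i < n; i++) {
        if (addr < r[i].child) continue;
        uint64_t off = addr - r[i].child;
        if (off >= r[i].size || len > r[i].size - off) continue;   /* outside, or straddles the end */
        if (out) *out = r[i].parent + off;
        return 0;
    }
    return -1;
}

/* First triple of the arm-io `ranges` quoted in the dump; the second triple is elided there. */
static const struct dt_range arm_io_ranges[] = {
    { 0x0, 0x200000000ULL, 0x100000000ULL },
};
#define ARM_IO_NRANGES (sizeof arm_io_ranges / sizeof arm_io_ranges[0])

/* sep `reg` from the dump, relative to arm-io's child bus, and the mailbox offset the text gives. */
#define SEP_REG_BASE    0x43000000ULL
#define SEP_REG_SIZE    0x10000ULL
#define SEP_MAILBOX_OFF 0x8100ULL   /* assumption: offset quoted in the post, not verified here */

/* Physical address of the SEP register block, or 0 if its reg does not translate. */
static uint64_t sep_reg_phys(void)
{
    uint64_t pa;
    return dt_translate(arm_io_ranges, ARM_IO_NRANGES, SEP_REG_BASE, SEP_REG_SIZE, &pa) ? 0 : pa;
}

static uint64_t sep_mailbox_phys(void)
{
    uint64_t base = sep_reg_phys();
    return base ? base + SEP_MAILBOX_OFF : 0;
}

/* A reg of 0x10000 bytes starting 0x1000 below the end of the 4 GiB window must be rejected. */
static int reg_straddling_window_rejected(void)
{
    return dt_translate(arm_io_ranges, ARM_IO_NRANGES, 0x100000000ULL - 0x1000, 0x10000, NULL) == -1;
}

int main(void)
{
    printf("sep reg block -> %#llx\n", (unsigned long long)sep_reg_phys());
    printf("sep mailbox   -> %#llx\n", (unsigned long long)sep_mailbox_phys());
    return 0;
}
```

When writing tooling that maps device registers from a dumped tree (for QEMU or a debugger), use this translation rather than hard-coding the IO base: a node nested under a different bus node, or a tree from another SoC, may carry a different ranges, and a reg that does not translate is a sign the dump or the node is not what you assume.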
More to come...
---
Kernel development series
[Kernel development series 1 - From hiding a jailbreak to a custom jailbreak](https://bbs.pediy.com/thread-270824.htm)
**Kernel development series 2 - Hardware and kernel fundamentals**
**Kernel development series 3 - Kernel development and debugging with QEMU and the leaked iBoot source**
**Kernel development series 4 - Kernel development and debugging on Corellium**
[Kernel development series 5 - Understanding kernel patches through checkra1n](https://bbs.pediy.com/thread-270825.htm)
More to come...
----
Original content. For reposting or kernel-development discussion, QQ: 3#1#0#4#1#9#0#6#2 (digits reversed)
----
Last edited by alice on 2022-2-7 21:34