kudzues/vphone-cli
1
0
Fork 0
mirror of https://github.com/Lakr233/vphone-cli.git synced 2026-04-05 13:09:06 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
vphone-cli/research/kernel_fairplay_kexts.md
Lakr 641d5b5a79 Create txm_return_mechanism.md
2026-03-04 13:34:02 +08:00

76 lines
3.9 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# FairPlay IOKit Extensions in PCC Kernel
**Kernel:** `kernelcache.research.vphone600` (PCC/cloudOS, vphone600ap research)
**Total kexts in kernel:** 161
**FairPlay kexts found:** 2
---
## 1. com.apple.driver.AvpFairPlayDriver
| Field | Value |
| ----------------- | --------------------------------------------------- |
| Path | `/System/Library/Extensions/AvpFairPlayDriver.kext` |
| Version | 2.9.0 |
| Executable Size | 2,920 bytes |
| IOClass | `AvpFairPlayDriver` |
| IOProviderClass | `AppleVirtIOTransport` |
| IOUserClientClass | `AvpFairPlayUserClient` |
| PCI Match | `0x1a08106b` |
| Dependencies | AppleVirtIO, IOKit, libkern |
**Notes:**
- Virtualization-specific FairPlay driver — matches on a VirtIO PCI device ID (`0x1a08106b`).
- Tiny kext (2.9 KB), acts as a paravirtual bridge to the host-side FairPlay backend.
- Implies the host Virtualization.framework exposes a FairPlay VirtIO device to the guest.
- Has two IOKit personalities:
- `AvpFairPlayDriver` — matches `AppleVirtIOTransport` with `IOVirtIOPrimaryMatch: 0x1a08106b`
- `AvpFairPlayDriver Transport` — matches `IOPCIDevice` with `IOPCIPrimaryMatch: 0x1a08106b` (published by `com.apple.driver.AppleVirtIO`)
---
## 2. com.apple.driver.FairPlayIOKit
| Field | Value |
| ----------------- | --------------------------------------------------------- |
| Path | `/System/Library/Extensions/FairPlayIOKit.kext` |
| Version | 72.15.0 |
| Executable Size | 269,440 bytes |
| IOClass | `com_apple_driver_FairPlayIOKit` |
| IOProviderClass | `IOResources` (always-match) |
| IOUserClientClass | `com_apple_driver_FairPlayIOKitUserClient` |
| IOMatchCategory | `FairPlayIOKit` |
| IOProbeScore | 1000 |
| Dependencies | bsd, **dsep**, iokit, libkern, mach, private, unsupported |
**Notes:**
- Full FairPlay DRM framework kext (269 KB of code).
- Matches on `IOResources` — loads unconditionally at boot.
- Provides FairPlay services to userland via `com_apple_driver_FairPlayIOKitUserClient`.
- Depends on `com.apple.kpi.dsep` (data-at-rest encryption / DRM subsystem).
- Copyright 20082019 — long-lived Apple DRM component.
---
## String Occurrences
| Pattern | Count |
| ------------------------------------ | ----- |
| `FairPlay` (case-sensitive) | 139 |
| `fairplay` (lowercase) | 27 |
| `com.apple.driver.FairPlayIOKit` | 6 |
| `com.apple.driver.AvpFairPlayDriver` | 3 |
Lowercase `fairplay` strings include launch constraint labels: `com.apple.fairplayd`, `com.apple.fairplayd.A2`, `com.apple.fairplayd.A2.dev`, `com.apple.fairplayd.G1` — these are userland daemon identifiers referenced in kernel launch constraint plists.
---
## Implications
- Both kexts are present in the non-JB PCC boot kernel and will load at boot.
- `AvpFairPlayDriver` is the VM-aware component — it bridges FairPlay operations to the host via VirtIO. This is unique to the virtualized (PV=3) environment.
- `FairPlayIOKit` is the standard iOS FairPlay kext, providing DRM primitives to userland processes (e.g., `fairplayd`, media frameworks).
- For research purposes, these kexts may need to be patched or neutralized if FairPlay enforcement interferes with instrumentation or custom binaries.
Reference in New Issue View Git Blame Copy Permalink