Difference between revisions of "AppleJPEGDriver"

From iPhone Development Wiki
(+ clarification)
(Add two in-the-wild uses of this interface -- struct differs for some reason?)

Revision as of 07:50, 25 September 2021

AppleJPEGDriver is a kernel extension that accelerates encoding and decoding of JPEG images via IOSurfaces, especially ones in a YUV color space. It powers AppleJPEG for decoding, Camera for encoding, and Celestial for both.

Methods

Selector  Action             Input                             Output
0         initializeDecoder  -                                 -
1         startDecoder       struct JPEGDriverArgs (40 bytes)  40 bytes (presumably the same struct, with result_size filled in)
2         initializeEncoder  -                                 -
3         startEncoder       struct JPEGDriverArgs (40 bytes)  40 bytes (presumably the same struct, with result_size filled in)

where

struct JPEGDriverArgs {
  int must_be_zero_1;
  IOSurfaceID src_surface /*in*/;
  size_t src_size /*in*/;
  int must_be_zero_2;
  IOSurfaceID dest_surface /*in*/;
  size_t dest_size /*in*/;
  size_t result_size /*out*/;
  size_t dest_width /*in*/;
  size_t dest_height /*in*/;
  int quality /*in: 4 gives decent quality */;
};

For best results, use an IOSurface that has the kIOSurfaceCacheMode property set to kIOMapInhibitCache.

Code making use of this interface

  • AppleJPEGDriver-memleak (https://github.com/bazad/AppleJPEGDriver-memleak) calls AppleJPEGDriver to perform an exploit on iOS 10.1.1.
  • demo.m (https://gist.github.com/alyssarosenzweig/7d8099cdb227d2de0a9e83b7de34c7f8) from Alyssa Rosenzweig uses the memleak struct definition to decode an image on M1.

It is unknown why the struct definitions appear to differ in the two examples. As with other IOKit classes, you use IOConnectCallStructMethod to call the methods.
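As an added example (not code from this page or from either project linked above), the following C shows how the selectors and JPEGDriverArgs above are used: it fills and sanity-checks the struct for a decode, checks that its in-memory size matches the 40 bytes in the method table (it does only when size_t is 4 bytes, which may be the layout difference noted above), and on Apple platforms issues selectors 0 and 1 through IOConnectCallStructMethod. The 32-bit IOSurfaceID, the service name passed to IOServiceMatching and the user-client type 0 are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef uint32_t IOSurfaceID_t;               /* assumption: IOSurfaceID is 32-bit */
struct JPEGDriverArgs {                       /* layout as given on this page */
  int must_be_zero_1;
  IOSurfaceID_t src_surface;  size_t src_size;   /* in */
  int must_be_zero_2;
  IOSurfaceID_t dest_surface; size_t dest_size;  /* in */
  size_t result_size;                            /* out */
  size_t dest_width, dest_height;                /* in */
  int quality;                                   /* in: 4 gives decent quality */
};
enum { kSelInitDecoder = 0, kSelStartDecoder = 1, kSelInitEncoder = 2, kSelStartEncoder = 3 };
/* The table's 40-byte size holds only when size_t is 4 bytes; with an 8-byte
 * size_t these fields occupy 64 bytes and the kernel would reject or misparse them. */
static int jpeg_args_layout_ok(void) { return sizeof(struct JPEGDriverArgs) == 40; }

/* Fill the struct for a decode and check it before it reaches the driver:
 * reserved words zero, both surfaces named, no zero sizes. Returns 1 if valid. */
static int jpeg_args_decode(struct JPEGDriverArgs *a, IOSurfaceID_t src, size_t src_size,
                            IOSurfaceID_t dest, size_t dest_size, size_t w, size_t h, int q) {
  memset(a, 0, sizeof *a);                    /* clears must_be_zero_* and result_size */
  a->src_surface = src;   a->src_size = src_size;
  a->dest_surface = dest; a->dest_size = dest_size;
  a->dest_width = w;      a->dest_height = h;  a->quality = q;
  return a->must_be_zero_1 == 0 && a->must_be_zero_2 == 0 && src != 0 && dest != 0
      && src_size != 0 && dest_size != 0 && w != 0 && h != 0;
}
#ifdef __APPLE__
#include <IOKit/IOKitLib.h>
/* initializeDecoder (selector 0) then startDecoder (selector 1) on the user client.
 * The service name and open type 0 are assumptions, not from the page. */
static kern_return_t jpeg_decode(struct JPEGDriverArgs *a) {
  io_service_t svc = IOServiceGetMatchingService(kIOMasterPortDefault,
                                                 IOServiceMatching("AppleJPEGDriver"));
  io_connect_t conn = MACH_PORT_NULL;
  if (!svc) return KERN_FAILURE;
  kern_return_t kr = IOServiceOpen(svc, mach_task_self(), 0, &conn);
  IOObjectRelease(svc);
  if (kr != KERN_SUCCESS) return kr;
  kr = IOConnectCallStructMethod(conn, kSelInitDecoder, NULL, 0, NULL, NULL);
  if (kr == KERN_SUCCESS) {
    size_t out = sizeof *a;                   /* result_size comes back in *a */
    kr = IOConnectCallStructMethod(conn, kSelStartDecoder, a, sizeof *a, a, &out);
  }
  IOServiceClose(conn);
  return kr;
}
#endif
```

Check jpeg_args_layout_ok() on the target before calling jpeg_decode(); a mismatched struct size is the first thing to rule out when the driver returns an error.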