Difference between revisions of "AppleJPEGDriver"

From iPhone Development Wiki
(Added note about IOSurface caching)
(Code making use of this interface)
 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
'''AppleJPEGDriver''' is a kernel-extension providing accelerating encoding and decoding JPEG images via {{fwlink|IOSurface}}s, esp. for those with [http://en.wikipedia.org/wiki/YUV422 YUV color space]. It powers the {{fwlink|AppleJPEG}} for decoding, {{fwlink|Camera}} for encoding, and {{fwlink|Celestial}} for both.
+
'''AppleJPEGDriver''' is a kernel-extension providing the acceleration of encoding and decoding JPEG images via {{fwlink|IOSurface}}s, especially for ones with [http://en.wikipedia.org/wiki/YUV422 YUV color space]. It powers the {{fwlink|AppleJPEG}} for decoding, {{fwlink|Camera}} for encoding, and {{fwlink|Celestial}} for both.
  
 
== Methods ==
 
== Methods ==
Line 30: Line 30:
 
</source>
 
</source>
  
For best results, use an IOSurfaces that have the kIOSurfaceCacheMode property set to kIOMapInhibitCache.
+
For best results, use an IOSurface that has the kIOSurfaceCacheMode property set to kIOMapInhibitCache.
 +
 
 +
== Code making use of this interface ==
 +
* [https://github.com/bazad/AppleJPEGDriver-memleak AppleJPEGDriver-memleak] calls AppleJPEGDriver to perform an exploit on iOS 10.1.1.
 +
* [https://gist.github.com/alyssarosenzweig/7d8099cdb227d2de0a9e83b7de34c7f8 demo.m] from Alyssa Rosenzweig uses the memleak struct definition to decode an image on M1.
 +
 
 +
It is unknown why the struct definitions appear to differ from the above in the two examples (probably just an upgrade). As with other IOKit classes, you use <code>IOConnectCallStructMethod</code> to call the methods.
  
 
{{occlass|library=IOKit.framework|navbox=1}}
 
{{occlass|library=IOKit.framework|navbox=1}}
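Review bot: the closing paragraph of the new "Code making use of this interface" section says the struct definitions in the two examples differ from the one above, but not how or on which OS versions, and "probably just an upgrade" is a guess. Suggest recording which fields or sizes differ and the version each layout was seen on (the entries already name iOS 10.1.1 and M1), so a reader knows which definition to pass to IOConnectCallStructMethod.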

Latest revision as of 08:07, 25 September 2021

AppleJPEGDriver is a kernel extension that provides accelerated encoding and decoding of JPEG images via IOSurfaces, especially those in a YUV color space. It powers AppleJPEG for decoding, Camera for encoding, and Celestial for both.

Methods

| Selector | Action | Input | Output |
|---|---|---|---|
| 0 | initializeDecoder | - | - |
| 1 | startDecoder | struct JPEGDriverArgs (40 bytes) | 40 bytes of stuff |
| 2 | initializeEncoder | - | - |
| 3 | startEncoder | struct JPEGDriverArgs (40 bytes) | 40 bytes of stuff |

where

struct JPEGDriverArgs {
  int must_be_zero_1;
  IOSurfaceID src_surface /*in*/;
  size_t src_size /*in*/;
  int must_be_zero_2;
  IOSurfaceID dest_surface /*in*/;
  size_t dest_size /*in*/;
  size_t result_size /*out*/;
  size_t dest_width /*in*/;
  size_t dest_height /*in*/;
  int quality /*in: 4 gives decent quality */;
};

For best results, use an IOSurface that has the kIOSurfaceCacheMode property set to kIOMapInhibitCache.

Code making use of this interface

  • AppleJPEGDriver-memleak calls AppleJPEGDriver to perform an exploit on iOS 10.1.1.
  • demo.m from Alyssa Rosenzweig uses the memleak struct definition to decode an image on M1.

It is unknown why the struct definitions in the two examples appear to differ from the one above (probably just an upgrade). As with other IOKit classes, you use IOConnectCallStructMethod to call the methods.
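The 40-byte figure in the table matches the struct as written only where `int` and `size_t` are both 4 bytes, and the struct size is what a caller passes as `inputStructCnt` to IOConnectCallStructMethod. The following is an added example, not code from the wiki or from either linked project, that pins the layout with fixed-width fields and checks it at compile time. `JPEGDriverArgs32`, `JPEGDriverArgsNative`, `jpeg_args_fill` and `native_layout_is_40_bytes` are hypothetical names; that the 40 bytes are ten 32-bit fields and that surface ID 0 is invalid are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t IOSurfaceID; /* 32-bit ID, as in the IOSurface headers */

/* The page's struct as written: its size follows the build target's size_t. */
struct JPEGDriverArgsNative {
    int must_be_zero_1; IOSurfaceID src_surface; size_t src_size;
    int must_be_zero_2; IOSurfaceID dest_surface; size_t dest_size;
    size_t result_size, dest_width, dest_height;
    int quality;
};

/* Assumption: the table's 40 bytes are ten 32-bit fields (hypothetical name). */
struct JPEGDriverArgs32 {
    uint32_t must_be_zero_1; IOSurfaceID src_surface; uint32_t src_size;
    uint32_t must_be_zero_2; IOSurfaceID dest_surface; uint32_t dest_size;
    uint32_t result_size, dest_width, dest_height;
    int32_t quality;
};
_Static_assert(sizeof(struct JPEGDriverArgs32) == 40, "table says 40 bytes");

/* Fill the fixed-width struct; returns 0 on success, -1 on rejected input. */
int jpeg_args_fill(struct JPEGDriverArgs32 *a, IOSurfaceID src, size_t src_size,
                   IOSurfaceID dest, size_t dest_size,
                   size_t width, size_t height, int quality)
{
    if (!a || src == 0 || dest == 0) /* assumption: 0 is not a valid surface ID */
        return -1;
    if (src_size > UINT32_MAX || dest_size > UINT32_MAX ||
        width > UINT32_MAX || height > UINT32_MAX)
        return -1; /* refuse to truncate silently */
    memset(a, 0, sizeof *a); /* clears must_be_zero_* and the result_size out field */
    a->src_surface = src;   a->src_size = (uint32_t)src_size;
    a->dest_surface = dest; a->dest_size = (uint32_t)dest_size;
    a->dest_width = (uint32_t)width;
    a->dest_height = (uint32_t)height;
    a->quality = quality;
    return 0;
}

/* 1 if the struct as written on the page is also 40 bytes on this target. */
int native_layout_is_40_bytes(void)
{
    return sizeof(struct JPEGDriverArgsNative) == 40;
}
```

On an LP64 target the struct as written comes to 64 bytes, so `native_layout_is_40_bytes()` returns 0 there.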