Kernel

The kernel of iOS is the XNU kernel. Pre-2.0, it was vulnerable to the Ramdisk Hack and may still be, but iBoot no longer allows boot-args to be passed. It is mapped into memory at 0x80000000, forcing a 2/2GB address space split, similar to the 32-bit Windows model. On older iOS the split was 3/1 (mapping the kernel at 0xC0000000), closer to the Linux model. Note that this is NOT like 32-bit OS X, wherein the kernel resides in its own address space, but more like 64-bit OS X, wherein CR3 is shared (albeit with an address space larger by several orders of magnitude).

Note: The kernel stack is usually at 0xd2000000, and not at 0xc000000, as someone previously wrote here.

Note also that, as of iOS 6, the kernel is expected to be subject to ASLR, in much the same way as Mountain Lion (OS X 10.8).

On production devices, the kernel is always stored as a pre-linked kernelcache at /System/Library/Caches/com.apple.kernelcaches/kernelcache. On development devices the kernel is stored in its normal place, at /mach_kernel. On startup, the kernelcache is decompressed and run.

Boot-Args
Like its OS X counterpart, iOS's XNU accepts command line arguments (though the actual passing of arguments is done by iBoot, which as of late refuses to do so). Arguments may be directed at the kernel proper, or any one of the many KExts (discussed below). The arguments of the kernel are largely the same as those of OS X.

KExts use boot-args as well, as can be seen in disassembly from their calls to PE_parse_boot_argn (usually exported, @0x80240800 on the iOS 5 iPod 4g kernel). Finding references (using IDA) reveals hundreds of places in the code wherein arguments are parsed in modules, pertaining to Flash, HDMI, and AMFI.

Versions
iOS has consistently maintained a higher kernel version than the corresponding version of OS X. At the time of writing, OS X Mountain Lion's XNU is 20xx, whereas iOS is 21xx. This is not surprising, considering that iOS has novel features (such as KASLR, the default freezer, and various security hardening features) which are first incorporated in it, and only later make it to OS X. The following demonstrates the two OS versions at present:

OS X Mountain Lion:

Darwin Kernel Version 12.2.0: Sat Aug 25 00:48:52 PDT 2012; root:xnu-2050.18.24~1/RELEASE_X86_64 x86_64

iOS 6:

Darwin Kernel Version 13.0.0: Sun Aug 19 00:31:06 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_S5L8950X

Note: The RELEASE_ARM_xxxxxxxx suffix obviously differs by device / CPU.

Kernel Extensions
iOS does not have free KEXTs floating around the file system, but they are indeed present: The kernelcache can be unpacked to show the kernel proper, along with the KEXTs (all packed in the __PRELINK_TEXT section) and their PLists (in the __PRELINK_INFO section).

The Cydia-supplied kextstat does not work on iOS. This is because it relies on kmod_get_info, which is an unsupported API in recent iOS and OS X. That said, the kexts DO exist. The following shows the listing of a custom command, jkextstat (which does work on iOS), available from the references section, on the author's iPod 4G:

Podicum:~ root# ./kextstat
0 __kernel__
1 kpi.bsd
2 kpi.dsep
3 kpi.iokit
4 kpi.libkern
5 kpi.mach
6 kpi.private
7 kpi.unsupported
8 driver.AppleARMPlatform
9 iokit.IOStorageFamily
10 driver.DiskImages
11 driver.FairPlayIOKit
12 driver.IOSlaveProcessor
13 driver.IOP_s5l8930x_firmware
14 iokit.AppleProfileFamily
15 iokit.IOCryptoAcceleratorFamily
16 driver.AppleMobileFileIntegrity
17 iokit.IONetworkingFamily
18 iokit.IOUserEthernet
19 platform.AppleKernelStorage
20 iokit.IOSurface
21 iokit.IOStreamFamily
22 iokit.IOAudio2Family
23 driver.AppleAC3Passthrough
24 iokit.EncryptedBlockStorage
25 iokit.IOFlashStorage
26 driver.AppleEffaceableStorage
27 driver.AppleKeyStore
28 kext.AppleMatch
29 security.sandbox
30 driver.AppleS5L8930X
31 iokit.IOHIDFamily
32 driver.AppleM68Buttons
33 iokit.IOUSBDeviceFamily
34 iokit.IOSerialFamily
35 driver.AppleOnboardSerial
36 iokit.IOAccessoryManager
37 driver.AppleProfileTimestampAction
38 driver.AppleProfileThreadInfoAction
39 driver.AppleProfileKEventAction
40 driver.AppleProfileRegisterStateAction
41 driver.AppleProfileCallstackAction
42 driver.AppleProfileReadCounterAction
43 driver.AppleARMPL192VIC
44 driver.AppleCDMA
45 driver.IODARTFamily
46 driver.AppleS5L8930XDART
47 iokit.IOSDIOFamily
48 driver.AppleIOPSDIO
49 driver.AppleIOPFMI
50 driver.AppleSamsungSPI
51 driver.AppleSamsungSerial
52 driver.AppleSamsungPKE
53 driver.AppleS5L8920X
54 driver.AppleSamsungI2S
55 driver.AppleEmbeddedUSB
56 driver.AppleS5L8930XUSBPhy
57 iokit.IOUSBFamily
58 driver.AppleUSBEHCI
59 driver.AppleUSBComposite
60 driver.AppleEmbeddedUSBHost
61 driver.AppleUSBOHCI
62 driver.AppleUSBOHCIARM
63 driver.AppleUSBHub
64 driver.AppleUSBEHCIARM <3 4 5 8 55 57 58 60 63>
65 driver.AppleS5L8930XUSB <1 3 4 5 7 8 55 57 58 60 61 62 64>
66 driver.AppleARM7M
67 driver.EmbeddedIOP
68 driver.AppleVXD375
69 driver.AppleD1815PMU
70 iokit.AppleARMIISAudio
71 driver.AppleEmbeddedAudio
72 driver.AppleCS42L59Audio
73 driver.AppleEmbeddedAccelerometer
74 driver.AppleEmbeddedGyro
75 driver.AppleEmbeddedLightSensor
76 iokit.IOAcceleratorFamily
77 IMGSGX535
78 driver.H2H264VideoEncoderDriver
79 driver.AppleJPEGDriver
80 driver.AppleH3CameraInterface
81 driver.AppleM2ScalerCSCDriver
82 iokit.IOMobileGraphicsFamily
83 driver.AppleDisplayPipe
84 driver.AppleCLCD
85 driver.AppleSamsungMIPIDSI
86 driver.ApplePinotLCD
87 driver.AppleSamsungSWI
88 iokit.IODisplayPortFamily
89 driver.AppleRGBOUT
90 driver.AppleTVOut
91 driver.AppleAMC_r2
92 driver.AppleSamsungDPTX
93 driver.AppleSynopsysOTGDevice
94 driver.AppleNANDFTL
95 driver.AppleNANDLegacyFTL
96 AppleFSCompression.AppleFSCompressionTypeZlib
97 IOTextEncryptionFamily
98 driver.AppleBSDKextStarter
99 nke.ppp
100 nke.l2tp
101 nke.pptp
102 iokit.IO80211Family
103 driver.AppleBCMWLANCore
104 driver.AppleBCMWLANBusInterfaceSDIO
105 driver.AppleDiagnosticDataAccessReadOnly
106 driver.LightweightVolumeManager
107 driver.IOFlashNVRAM
108 driver.AppleNANDFirmware
109 driver.AppleImage3NORAccess
110 driver.AppleBluetooth
111 driver.AppleMultitouchSPI
112 driver.AppleUSBMike
113 driver.AppleUSBDeviceMux
114 driver.AppleUSBEthernetDevice

For a specific extension, e.g. SandBox, the full information (including the handy load address) is also accessible:

com.apple.security.sandbox
CFBundleVersion 154.7
OSBundleCPUSubtype 9
OSBundleCPUType 12
OSBundleDependencies 6 7 5 3 28 1 4 16 2
OSBundleExecutablePath /System/Library/Extensions/Sandbox.kext/Sandbox
OSBundleIsInterface
OSBundleLoadAddress 2153734144
OSBundleLoadSize 36864
OSBundleLoadTag 29
OSBundleMachOHeaders
OSBundlePath /System/Library/Extensions/Sandbox.kext
OSBundlePrelinked
OSBundleRetainCount 0
OSBundleStarted
OSBundleUUID
OSBundleWiredSize 36864
OSKernelResource

It's also worth mentioning that, in the above listing, the OSBundleMachOHeaders (base-64 encoded binary headers) leak kernel addresses in iOS 6.0.0, allowing for its jailbreak, which has yet to be made public. This was quickly fixed in iOS 6.0.1, effectively locking down iOS for the foreseeable future, thanks to security researcher mdowd.
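An added example, not part of the original page: an audit of an OSBundleMachOHeaders value that decodes the base64 blob, walks the 32-bit Mach-O load commands, and reports every segment whose vmaddr lies at or above the 0x80000000 kernel base given above. The sample blob is constructed here from the Sandbox listing's CPU type, load address and size; the function names and the zeroed second segment (standing in for a scrubbed field) are assumptions for illustration.

```python
import base64
import struct

KERNEL_BASE = 0x80000000  # kernel mapping base stated on this page (2/2GB split)
MH_MAGIC = 0xFEEDFACE     # 32-bit Mach-O magic
LC_SEGMENT = 0x1          # 32-bit segment load command
HDR_SIZE = 28             # sizeof(struct mach_header)
SEG_SIZE = 56             # sizeof(struct segment_command), no sections


def segments(headers_b64):
    """Decode the base64 headers and yield (segname, vmaddr, vmsize)."""
    blob = base64.b64decode(headers_b64)
    if len(blob) < HDR_SIZE:
        raise ValueError("too short for a mach_header")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags = struct.unpack_from(
        "<7I", blob, 0)
    if magic != MH_MAGIC:
        raise ValueError("not a 32-bit little-endian Mach-O header")
    off = HDR_SIZE
    end = min(HDR_SIZE + sizeofcmds, len(blob))
    for _ in range(ncmds):
        if off + 8 > end:
            break  # truncated command table
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            break  # malformed size, stop rather than read out of bounds
        if cmd == LC_SEGMENT and cmdsize >= SEG_SIZE:
            name, vmaddr, vmsize = struct.unpack_from("<16s2I", blob, off + 8)
            yield name.rstrip(b"\0").decode("ascii", "replace"), vmaddr, vmsize
        off += cmdsize


def exposed_kernel_addresses(headers_b64):
    """Segments whose vmaddr is a live kernel-space address."""
    return [(n, a, s) for n, a, s in segments(headers_b64) if a >= KERNEL_BASE]


def constructed_sample():
    """Constructed blob: CPU type 12 / subtype 9, one segment at the
    OSBundleLoadAddress and OSBundleLoadSize shown above, one zeroed."""
    hdr = struct.pack("<7I", MH_MAGIC, 12, 9, 0xB, 2, 2 * SEG_SIZE, 0)
    text = struct.pack("<2I16s8I", LC_SEGMENT, SEG_SIZE, b"__TEXT",
                       2153734144, 36864, 0, 36864, 5, 5, 0, 0)
    data = struct.pack("<2I16s8I", LC_SEGMENT, SEG_SIZE, b"__DATA",
                       0, 0, 0, 0, 3, 3, 0, 0)
    return base64.b64encode(hdr + text + data).decode()


if __name__ == "__main__":
    for name, addr, size in exposed_kernel_addresses(constructed_sample()):
        print(f"{name}: vmaddr {addr:#010x} size {size:#x} is a kernel address")
```

An empty result from exposed_kernel_addresses means no segment address in the blob falls inside the kernel mapping.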