The underlying unix OS that powers the iPhone has a number of device nodes. These nodes can be read from or written to by the OS or applications.
Overview[edit source]
A iPhone 3G 2.0.2 contains:
crw-rw-rw- 1 root wheel 21, 0 Aug 28 15:35 aes_0
crw------- 1 root wheel 23, 0 Aug 28 18:56 bpf0
crw------- 1 root wheel 23, 1 Aug 28 18:56 bpf1
crw------- 1 root wheel 23, 2 Aug 28 15:35 bpf2
crw------- 1 root wheel 23, 3 Aug 28 15:35 bpf3
c------r-- 1 root wheel 11, 0 Aug 28 15:35 btreset
crw--w--w- 1 root wheel 0, 0 Aug 28 15:35 console
crw-rw-rw- 1 root wheel 1, 5 Aug 28 18:56 cu.bluetooth
crw-rw-rw- 1 root wheel 1, 7 Aug 28 15:35 cu.debug
crw-rw-rw- 1 root wheel 1, 1 Aug 28 15:35 cu.iap
crw-rw-rw- 1 root wheel 1, 3 Aug 28 15:35 cu.umts
brw-r----- 1 root operator 14, 0 Aug 28 15:35 disk0
brw-r----- 1 root operator 14, 1 Aug 28 15:35 disk0s1
brw-r----- 1 root operator 14, 2 Aug 28 15:35 disk0s2
crw------- 1 root wheel 9, 0 Aug 28 15:35 dlci.spi-baseband.0
crw------- 1 root wheel 9, 1 Aug 28 18:56 dlci.spi-baseband.1
crw------- 1 root wheel 9, 10 Aug 28 15:35 dlci.spi-baseband.10
crw------- 1 root wheel 9, 11 Aug 28 15:35 dlci.spi-baseband.11
crw------- 1 root wheel 9, 12 Aug 28 15:35 dlci.spi-baseband.12
crw------- 1 root wheel 9, 13 Aug 28 15:35 dlci.spi-baseband.13
crw------- 1 root wheel 9, 14 Aug 28 15:35 dlci.spi-baseband.14
crw------- 1 root wheel 9, 15 Aug 28 15:35 dlci.spi-baseband.15
crw------- 1 root wheel 9, 2 Aug 28 19:13 dlci.spi-baseband.2
crw------- 1 root wheel 9, 3 Aug 28 18:56 dlci.spi-baseband.3
crw------- 1 root wheel 9, 4 Aug 28 18:56 dlci.spi-baseband.4
crw------- 1 root wheel 9, 5 Aug 28 18:56 dlci.spi-baseband.5
crw------- 1 root wheel 9, 6 Aug 28 18:56 dlci.spi-baseband.6
crw------- 1 root wheel 9, 7 Aug 28 18:56 dlci.spi-baseband.7
crw------- 1 root wheel 9, 8 Aug 28 18:56 dlci.spi-baseband.8
crw------- 1 root wheel 9, 9 Aug 28 18:56 dlci.spi-baseband.9
crw------- 1 root wheel 6, 0 Aug 28 15:35 klog
cr--r--r-- 1 root wheel 13, 3 Aug 28 15:35 mrvl868x0
crw------- 1 root wheel 9, 0 Aug 28 15:35 mux.spi-baseband
crw-rw-rw- 1 root wheel 3, 2 Aug 28 18:56 null
crw-rw-rw- 1 root tty 15, 1 Aug 28 19:13 ptmx
crw-rw-rw- 1 root wheel 5, 0 Aug 28 15:35 ptyp0
crw-rw-rw- 1 root wheel 5, 1 Aug 28 15:35 ptyp1
crw-rw-rw- 1 root wheel 5, 2 Aug 28 15:35 ptyp2
crw-rw-rw- 1 root wheel 5, 3 Aug 28 15:35 ptyp3
crw-rw-rw- 1 root wheel 5, 4 Aug 28 15:35 ptyp4
crw-rw-rw- 1 root wheel 5, 5 Aug 28 15:35 ptyp5
crw-rw-rw- 1 root wheel 5, 6 Aug 28 15:35 ptyp6
crw-rw-rw- 1 root wheel 5, 7 Aug 28 15:35 ptyp7
crw-rw-rw- 1 root wheel 8, 0 Aug 28 15:35 random
crw-r----- 1 root operator 14, 0 Aug 28 15:35 rdisk0
crw-r----- 1 root operator 14, 1 Aug 28 15:35 rdisk0s1
crw-r----- 1 root operator 14, 2 Aug 28 15:35 rdisk0s2
crw-rw-rw- 1 root wheel 20, 0 Aug 28 15:35 sha1_0
crw-rw-rw- 1 root wheel 2, 0 Aug 28 15:35 tty
crw-rw-rw- 1 root wheel 1, 4 Aug 28 15:35 tty.bluetooth
crw-rw-rw- 1 root wheel 1, 6 Aug 28 15:35 tty.debug
crw-rw-rw- 1 root wheel 1, 0 Aug 28 15:35 tty.iap
crw-rw-rw- 1 root wheel 1, 2 Aug 28 15:35 tty.umts
crw-rw-rw- 1 root wheel 4, 0 Aug 28 15:35 ttyp0
crw-rw-rw- 1 root wheel 4, 1 Aug 28 15:35 ttyp1
crw-rw-rw- 1 root wheel 4, 2 Aug 28 15:35 ttyp2
crw-rw-rw- 1 root wheel 4, 3 Aug 28 15:35 ttyp3
crw-rw-rw- 1 root wheel 4, 4 Aug 28 15:35 ttyp4
crw-rw-rw- 1 root wheel 4, 5 Aug 28 15:35 ttyp5
crw-rw-rw- 1 root wheel 4, 6 Aug 28 15:35 ttyp6
crw-rw-rw- 1 root wheel 4, 7 Aug 28 15:35 ttyp7
crw--w---- 1 root tty 16, 0 Aug 28 19:13 ttys000
crw-rw-rw- 1 root wheel 10, 2 Aug 28 15:35 uart.bluetooth
crw-rw-rw- 1 root wheel 10, 3 Aug 28 15:35 uart.debug
crw-rw-rw- 1 root wheel 10, 0 Aug 28 15:35 uart.iap
crw-rw-rw- 1 root wheel 10, 1 Aug 28 15:35 uart.umts
crw-rw-rw- 1 root wheel 8, 1 Aug 28 15:35 urandom
brw------- 1 root operator 1, 0 Aug 28 15:35 vn0
brw------- 1 root operator 1, 1 Aug 28 15:35 vn1
crw-rw-rw- 1 root wheel 3, 3 Aug 28 15:35 zero
Block Devices[edit source]
| Device | Description |
|---|---|
| disk0 | iPhone flash memory (4, 8 or 16GB) |
| disk0s1 | OS partition. Stores / root file system. |
| disk0s2 | User space. Stores Music, Photos, Videos, Podcasts, Ringtones and Apps. Mounted as /private/var. |
| disk1 | Unless you previously mounted something on purpose, this is going to be the DeveloperDiskImage from XCode, which is uploaded to your device and mounted every time you plug in with XCode running. It is signature checked against /System/Library/Lockdown/iPhoneDebug.pem. |
| vn0 | unknown |
| vn1 | unknown |
Interesting Character Devices[edit source]
| Dev Node | Description | Children |
|---|---|---|
| rdisk0 | RAW Disk; to access the Flash | rdisk0s1 (root) rdisk0s2 (data) |
| dlci.spi-baseband | iPhone Baseband Radio | dlci.spi-baseband.0 - dlci.spi-baseband.15 |
| tty.iap | serial connection (pins 12 and 13 of the Dock connector) | |
| uart.umts | Serial connection to the Utms radio (?) | |
| dlci.spi-baseband.9 | GPS device (read from by /usr/libexec/locationd82 for CoreLocation services) | |
| mem | Raw access to RAM (has been blocked since 1.1.2) Memory devices can be re-enabled with single WORD change within kernel. | kmem, Raw access to Kernel Memory (also blocked since 1.1.2) |
| aes_0 | Access to AES engine. Works via complicated ioctl handshake. Not known why it exists, as use of the IOKit interface is much simpler. |
How to access /dev/mem and /dev/kmem[edit source]
All you need to do is patch the kernel. See here for up to date patches according to the firmware revision that you are on. Basically, the last one patches the setup_kmem flag itself, and the others just patch the checks to it.