Hidden files in the Apple TV kernel file

by editor @ AppleTVHacks.net on March 26, 2007


There has been debate over whether the Apple TV is really running OS X ‘proper’ or a derivative. One point raised is that important system files are absent. Or are they?

AppleTVHacks.net has been made aware of some kernel extensions and other files that are hidden within the Apple TV’s ‘kernel’ file.

This process is for hardcore geeks only – but may lead to something that everyone can benefit from.

Find the hidden files…

If you open up an image of the hard drive you will see the filesystem of the Apple TV. It contains all the files we know from its big brother OS X, but where is the kernel? The EFI bootloader boot.efi is there, but not the kernel. There is a file called mach_kernel.prelink, but it does not disassemble or look quite right, even though you can see the __TEXT marks in a hex editor. The reason is that this little ~6MB file is not the kernel. It is a package of files used by the EFI, compressed with an odd compression algorithm. So how do you extract these files? It is easier than you may think; let's take a look…

If you open the file up you will see the header starts with “complzss”, which you probably won’t recognise. This header belongs to none of the common compression techniques used on OS X, so what is it? A quick search on Google turned up “The SWORD Project”, an open source Bible software project, which uses the same compression. You must download the API files for Linux from this page; we are going to use the compression utility it includes.

Run ./configure in the main directory, and then run make; then change to the ‘tests’ directory and run make again, which will build the ‘complzss’ utility. At first this didn’t work, but after some experimentation we found the solution. You need to make a copy of the ‘mach_kernel.prelink’ file from the OSBoot drive and name it mach_kernel.lzs. You then need to remove the first 180 bytes of the file in a hex editor, so it should now start with “FFCEFA” (you may notice the Intel Mach header…). Finally, run this file through the ‘complzss’ utility. Bingo! You have a new decompressed file.

The file still seemed a bit large for an Intel-only kernel, so we opened it in a hex editor and examined it carefully. It seems the file contains multiple file headers! Now came the hard part: cutting it into pieces, from the beginning of each header to the next (the Mach header for Intel starts with CEFAEDFE0700 hex). After cutting the file correctly you will end up with ~100 files, albeit without names.
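The cutting step above, as an added example that is not from the original write-up or from semthex: a Python script that splits the decompressed blob at each Intel Mach-O header. It goes slightly beyond a plain search for the marker by checking the header fields that follow it; those sanity bounds, the constructed sample data and the output file names are this example's assumptions.

```python
import struct
import sys

MARKER = bytes.fromhex("CEFAEDFE0700")  # the byte pattern the article cuts on
# 32-bit mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
HEADER = struct.Struct("<7I")

def find_headers(blob):
    """Offsets where MARKER starts a plausible 32-bit Intel Mach-O header."""
    offsets = []
    pos = blob.find(MARKER)
    while pos != -1:
        if pos + HEADER.size <= len(blob):
            _magic, cputype, _sub, filetype, ncmds, sizeofcmds, _flags = HEADER.unpack_from(blob, pos)
            # Sanity bounds are this example's assumption, chosen to reject
            # marker bytes that merely occur inside code or data.
            if (cputype == 7 and 1 <= filetype <= 11 and 0 < ncmds < 4096
                    and sizeofcmds <= len(blob) - pos - HEADER.size):
                offsets.append(pos)
        pos = blob.find(MARKER, pos + 1)
    return offsets

def carve(blob):
    """Split blob into (offset, bytes) pieces, each running from one header to the next."""
    starts = find_headers(blob)
    ends = starts[1:] + [len(blob)]
    return [(s, blob[s:e]) for s, e in zip(starts, ends)]

def _fake_image(filetype, body):
    # Constructed test data: a header claiming one load command of len(body) bytes.
    return HEADER.pack(0xFEEDFACE, 7, 3, filetype, 1, len(body), 0) + body

# Constructed sample: 16 bytes of padding, then two images. The first carries
# the marker inside its body followed by "AA", which must not cause a split.
IMG1 = _fake_image(2, b"kernel" + MARKER + b"A" * 30)
IMG2 = _fake_image(1, b"kext" * 8)
SAMPLE = b"\x00" * 16 + IMG1 + IMG2

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for n, (off, piece) in enumerate(carve(data)):
        filetype = HEADER.unpack_from(piece)[3]
        print(f"piece {n:03d}  offset 0x{off:08x}  size {len(piece):8d}  filetype {filetype}")
        if len(sys.argv) > 1:
            with open(f"piece_{n:03d}.macho", "wb") as out:
                out.write(piece)
```

Each piece runs up to the next header, so it may include trailing padding or data that is not part of the Mach-O image itself.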

These files appear to be the daemons, kexts, etc. that the system image you made earlier is missing. The kext for the remote, among others, is included, so this is a big step towards getting OS X ‘proper’ to run on the Apple TV.

Now begins the process of digging through these files and seeing what other bounty lies within.

Thanks go to semthex for discovering this process; you can visit him at www.hackint0sh.org/forum to discuss Apple TV hacks.

  • http://no.website.com an nVidia user

    The instructions state the following:

    “Run ./configure in the main directory, and then run make inside the ‘tests’ directory, which will build the ‘complzss’ utility.”

    That results in missing file errors; you must run make in the main directory as well:

    cd //sword-1.5.9/

    ./configure

    make

    cd tests/

    make

    … results in proper compiling of the complzss utility.

  • Tom @ AppleTVHacks.net

    Thanks, missed that out of the write-up – I updated the tutorial. :)

  • http://www.netarte.mastertopforum.com f41qu3

    Great job, semthex. We're going to “hackTV” =)

  • Ag Primatic

    I think this is described in detail at

    http://www.kernelthread.com/mac/osx/arch_boot.html

    especially the 3rd bullet towards the bottom that states:

    The next step is to “decode” the kernel. If the kernel header indicates a compressed kernel, BootX tries to decompress it (typical LZSS compression is used, as you compress this kind of data once but expand it many times). Since the kernel binary can potentially be a “fat” binary (code for multiple architectures residing in the same binary), BootX checks if it indeed is (fat), and if so, “thins” it (figures out the PowerPC code).

  • Crash1784

    Does anyone know on an image of an Apple TV, why the OS changes files to a 4 character file name instead of the real file names, and is there anywhere you can find them?

  • mike

    Does anybody know a link where I can get this kernel?
    Or is there a torrent?
    Please help me.
