There has been debate over whether the Apple TV is really running OS X ‘proper’, or a derivative. One point is there are important system files which are absent, or are they?

AppleTVHacks.net has been made aware of some kernel extensions and other files that are hidden within the Apple TV’s ‘kernel’ file.

This process is for hardcore geeks only – but may lead to something that everyone can benefit from

Find the hidden files…

If you open it up an image of the harddrve you will see the filesystem of the AppleTV. It contains all the files we know from it’s big brother OS X, but where is the kernel? The EFI bootloader boot.efi is there, but not the kernel. There is a file called mach_kernel.prelink but it does not disassemble or look really right, even though you can see the __TEXT marks in a hex editor. Well the reason for this is, this little ~6MB file is not the kernel. It is a package of files utilized by the EFI, compressed with an odd compression algorithm. So to extract these files? It is easier than you may think, lets take a look…

If you open the file up you will see the header starts with “complzss”, which you probably won’t recognise. Well this header belongs to none of the common compression techniques used on OS X, so what is it? A quick search on Google turned up “The SWORD Project”, an open source bible software projevt, which uses the same compression. You must download the API files for Linux from this page, we are going to use the compression utility it includes.

Run ./configure in the main directory, and then run make, the change to the ‘tests’ directory and run make again, which will build the ‘complzss’ utility. At first this didn’t work, but after some experimentation we found the solution. You need to make a copy of the ‘mach_kernel.prelink’ file from the OSBoot drive, and name mach_kernel.lzs. You then need to remove the first 180 bytes of the file in a hex editor, so it should now start with “FFCEFA” (you may notice the Intel Mach header…). Finally run this file though the ‘complzss’ utility. Bingo! You have a new decompressed file.

Well but the file still seemed a bit huge for a Intel only kernel, so we opened it in a hex editor and examined it carefully. It seems the file contains multiple file headers! Well now came the hard part, cutting it into peaces. From begining of each header to the next (mach header for Intel starts: CEFAEDFE0700 hex). After cutting the file correctly you will end up with ~100 files, albeit without names.

These files appear to be missing daemons, kexts etc. the system image you made earlier is missing. Among them the kext for the remote etc. are included so this is a big step towards getting OS X ‘proper’ to run on the Apple TV.

Now begins the process of digging through these files and seeing what other bounty lays within.

Thanks go to semthex for discovering this process, you can visit him on the www.hackint0sh.org/forum to discuss Apple TV hacks with him.