internals: update for macOS 26.0 Tahoe

plutil properly uses standard error, remove weird output filtering

Makefile

@@ -1,6 +1,6 @@
 override DB := $(if $(DB),$(DB:.lz=),$(lastword $(sort internals-$(shell sw_vers -productVersion).db $(basename $(wildcard internals-*)))))
 MY_INTERNALS = $(HOME)/Library/Mobile\ Documents/com~apple~TextEdit/Documents/Apple\ Internals.rtf
-DB_TARGETS = db_files db_binaries db_manifests db_assets db_services
+DB_TARGETS = db_files db_restricted db_binaries db_manifests db_assets db_services
 CHECK_TARGETS = check_files check_binaries check_manifests check_services
 
 .PHONY: all check view sqlite $(DB_TARGETS) $(CHECK_TARGETS)
@@ -33,7 +33,8 @@ check: internals.tsv
 	@$(MAKE) --silent --jobs=1 $(CHECK_TARGETS)
 
 define VIEW
-SELECT path,os FROM files;
+SELECT path,os FROM files WHERE restricted IS NULL;
+SELECT path,os,'restricted' FROM files WHERE restricted;
 SELECT path,os,name FROM files NATURAL JOIN assets;
 SELECT path,os,dylib FROM files NATURAL JOIN linkages;
 SELECT files.path,os,key,value FROM files NATURAL JOIN services, json_each(plist);
@@ -56,16 +57,24 @@ DSCEXTRACTOR = $(shell nix build --no-write-lock-file --no-warn-dirty .\#dsc-ext
 	readlink result && rm result)/bin/dyld-shared-cache-extractor
 
 $(DB_TARGETS)::
-	# evaluate helper tools to catch Nix build errors early
-	: $(ACEXTRACT)
-	: $(DSCEXTRACTOR)
-
-dyld: /System/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_x86_64h /System/Cryptexes/OS/System/DriverKit/System/Library/dyld/dyld_shared_cache_x86_64h
+	# check presence of helper tools and other preconditions
+	if ! test -x $(ACEXTRACT) ; then \
+		printf '\033[1macextract tool unavailable\033[m\n' >&2 ; \
+		echo 'FAIL;' ; \
+		exit 1 ; \
+	fi
 	if ! test -x $(DSCEXTRACTOR) ; then \
 		printf '\033[1mdscextractor tool unavailable\033[m\n' >&2 ; \
 		echo 'FAIL;' ; \
 		exit 1 ; \
 	fi
+	if ! csrutil status | grep -Fq disabled ; then \
+		printf '\033[1mdisable SIP to get complete file information\033[m\n' >&2 ; \
+		echo 'FAIL;' ; \
+		exit 1 ; \
+	fi
+
+dyld: /System/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e /System/Cryptexes/OS/System/DriverKit/System/Library/dyld/dyld_shared_cache_arm64e
 	for i in $+ ; do $(DSCEXTRACTOR) $$i $@ ; done > /dev/null
 	find $@ -type f -print0 | xargs -0 chmod a+x
 
@@ -74,9 +83,9 @@ XCODE = $(lastword $(wildcard /Applications/Xcode.app /Applications/Xcode-beta.a
 prefix = $$(case $(1) in \
 	(macOS) ;; \
 	(macOS-dyld) echo $(dir $(realpath $(firstword $(MAKEFILE_LIST))))/dyld ;; \
-	(iOS) echo $(wildcard /Library/Developer/CoreSimulator/Volumes/iOS_*/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS*.simruntime/Contents/Resources/RuntimeRoot) ;; \
-	(tvOS) echo $(wildcard /Library/Developer/CoreSimulator/Volumes/tvOS_*/Library/Developer/CoreSimulator/Profiles/Runtimes/tvOS*.simruntime/Contents/Resources/RuntimeRoot) ;; \
-	(watchOS) echo $(wildcard /Library/Developer/CoreSimulator/Volumes/watchOS_*/Library/Developer/CoreSimulator/Profiles/Runtimes/watchOS*.simruntime/Contents/Resources/RuntimeRoot) ;; \
+	(iOS) echo $(lastword $(wildcard /Library/Developer/CoreSimulator/Volumes/iOS_*))/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS*.simruntime/Contents/Resources/RuntimeRoot ;; \
+	(tvOS) echo $(lastword $(wildcard /Library/Developer/CoreSimulator/Volumes/tvOS_*))/Library/Developer/CoreSimulator/Profiles/Runtimes/tvOS*.simruntime/Contents/Resources/RuntimeRoot ;; \
+	(watchOS) echo $(lastword $(wildcard /Library/Developer/CoreSimulator/Volumes/watchOS_*))/Library/Developer/CoreSimulator/Profiles/Runtimes/watchOS*.simruntime/Contents/Resources/RuntimeRoot ;; \
 	esac)
 
 find = \
@@ -99,36 +108,38 @@ $(DB_TARGETS)::
 	echo 'BEGIN IMMEDIATE TRANSACTION;'
 
 db_files:: dyld
-	if ! csrutil status | grep -Fq disabled ; then \
-		printf '\033[1mdisable SIP to get complete file information\033[m\n' >&2 ; \
-		echo 'FAIL;' ; \
-		exit 1 ; \
-	fi
 	printf '\033[1mcollecting file information...\033[m\n' >&2
 	echo 'DROP TABLE IF EXISTS files;'
-	echo 'CREATE TABLE files (id INTEGER PRIMARY KEY, os TEXT, path TEXT, executable BOOLEAN);'
+	echo 'CREATE TABLE files (id INTEGER PRIMARY KEY, os TEXT, path TEXT, restricted BOOLEAN, executable BOOLEAN);'
 	$(call find,,sudo) | sed -E "s/'/''/g;s/([^ ]*) (.*)/INSERT INTO files (os, path) VALUES('\1', '\2');/"
 	find $(HOME)/Library | sed "s|^$(HOME)|~|;s/'/''/g;s/.*/INSERT INTO files (os, path) VALUES('macOS', '&');/"
 	echo 'CREATE INDEX _files_path ON files (path);'
 
+db_restricted:: dyld
+	printf '\033[1mcollecting restricted files...\033[m\n' >&2
+	$(call find,-flags restricted,sudo) | while read -r os path ; do \
+		echo "UPDATE files SET restricted = true WHERE os = '$$os' AND path = '$$(echo "$$path" | sed "s/'/''/g")' ;" ; \
+	done
+
 db_binaries:: dyld
 	printf '\033[1mcollecting executable information...\033[m\n' >&2
 	echo 'DROP TABLE IF EXISTS linkages;'
 	echo 'DROP TABLE IF EXISTS entitlements;'
 	echo 'DROP TABLE IF EXISTS strings;'
-	echo 'CREATE TABLE linkages (id INTEGER REFERENCES files, dylib TEXT);'
+	echo 'CREATE TABLE linkages (id INTEGER REFERENCES files, dylib TEXT, UNIQUE (id, dylib));'
 	echo 'CREATE TABLE entitlements (id INTEGER REFERENCES files, plist JSON);'
-	echo 'CREATE TABLE strings (id INTEGER REFERENCES files, string TEXT);'
+	echo 'CREATE TABLE strings (id INTEGER REFERENCES files, string TEXT, UNIQUE (id, string));'
 	$(call find,-follow -type f -perm +111) | while read -r os path ; do \
-		echo "UPDATE files SET executable = true WHERE os = '$$os' AND path = '$$path';" ; \
+		echo "UPDATE files SET executable = true WHERE os = '$$os' AND path = '$$(echo "$$path" | sed "s/'/''/g")';" ; \
 		if test -r "$(call prefix,$$os)$$path" && file --no-dereference --brief --mime-type "$(call prefix,$$os)$$path" | grep -Fq application/x-mach-binary ; then \
-			objdump --macho --dylibs-used "$(call prefix,$$os)$$path" | \
-				sed "1d;s/^.//;s/ ([^)]*)$$//;s/'/''/g;s|.*|INSERT INTO linkages $(call file,'&');|" ; \
+			case "$$(lipo -archs "$(call prefix,$$os)$$path")" in (*arm64e*) arch=arm64e ;; (*arm64_32*) arch=arm64_32 ;; (*arm64*) arch=arm64 ;; (*x86_64h*) arch=x86_64h ;; (*x86_64*) arch=x86_64 ;; (*) continue ;; esac ; \
+			objdump --arch=$$arch --macho --dylibs-used "$(call prefix,$$os)$$path" | \
+				sed "1d;s/^.//;s/ ([^)]*)$$//;s/'/''/g;s|.*|INSERT OR IGNORE INTO linkages $(call file,'&');|" ; \
 			codesign --display --xml --entitlements - "$(call prefix,$$os)$$path" 2> /dev/null | \
-				plutil -convert json - -o - | \
-				sed "/^<stdin>: Property List error/d;/^{}/d;s/'/''/g;s|.*|INSERT INTO entitlements $(call file,json('&'));\n|" ; \
-			strings -n 8 "$(call prefix,$$os)$$path" | \
-				LANG=C sed "s/'/''/g;s|.*|INSERT INTO strings $(call file,'&');|" ; \
+				plutil -convert json - -o - 2> /dev/null | \
+				sed "/^{}/d;s/'/''/g;s|.*|INSERT INTO entitlements $(call file,json('&'));\n|" ; \
+			strings -n 8 "$(call prefix,$$os)$$path" 2> /dev/null | \
+				LANG=C sed "s/'/''/g;s|.*|INSERT OR IGNORE INTO strings $(call file,'&');|" ; \
 		fi ; \
 	done
 
@@ -137,8 +148,8 @@ db_manifests::
 	echo 'DROP TABLE IF EXISTS info;'
 	echo 'CREATE TABLE info (id INTEGER REFERENCES files, plist JSON);'
 	$(call find,-type f -name 'Info.plist') | while read -r os path ; do \
-		test -r "$(call prefix,$$os)$$path" && plutil -convert json "$(call prefix,$$os)$$path" -o - | \
-			sed "/: invalid object/d;s/'/''/g;s|.*|INSERT INTO info $(call file,json('&'));\n|" ; \
+		test -r "$(call prefix,$$os)$$path" && plutil -convert json "$(call prefix,$$os)$$path" -o - 2> /dev/null | \
+			sed "s/'/''/g;s|.*|INSERT INTO info $(call file,json('&'));\n|" ; \
 	done
 	$(call find,-type f -name 'TemplateInfo.plist') | while read -r os path ; do \
 		test -r "$(call prefix,$$os)$$path" && { \
@@ -148,16 +159,11 @@ db_manifests::
 			PlistBuddy -c 'Print Options:0:Units:Swift:Definitions:Info.plist\:NSExtension' "$(call prefix,$$os)$$path" ; \
 			PlistBuddy -c 'Print Options:0:Units:Swift:Definitions:Info.plist\:EXAppExtensionAttributes' "$(call prefix,$$os)$$path" ; \
 			echo '</dict>' ; \
-		} 2> /dev/null | plutil -convert json - -o - | \
-			sed "/Property List error:/d;s/'/''/g;s|.*|INSERT INTO info $(call file,json('&'));\n|" ; \
+		} 2> /dev/null | plutil -convert json - -o - 2> /dev/null | \
+			sed "s/'/''/g;s|.*|INSERT INTO info $(call file,json('&'));\n|" ; \
 	done
 
 db_assets::
-	if ! test -x $(ACEXTRACT) ; then \
-		printf '\033[1macextract tool unavailable\033[m\n' >&2 ; \
-		echo 'FAIL;' ; \
-		exit 1 ; \
-	fi
 	printf '\033[1mcollecting asset catalog information...\033[m\n' >&2
 	echo 'DROP TABLE IF EXISTS assets;'
 	echo 'CREATE TABLE assets (id INTEGER REFERENCES files, name TEXT);'

README.md

@@ -10,7 +10,7 @@ tools:
 [**acextract**](https://github.com/bartoszj/acextract)  
 Unpacks asset catalogs to individual files.
 
-[**dyld-shared-cache-util**](https://github.com/antons/dyld-shared-cache-big-sur)  
+[**dyld-shared-cache-extractor**](https://github.com/keith/dyld-shared-cache-extractor)  
 Extracts dynamic libraries from the dyld linker cache.
 
 [**snapUtil**](https://github.com/ahl/apfs)  
@@ -26,6 +26,9 @@ and checks the internals text file against this information. Collected details i
 * launchd service descriptions and bundle Info.plist content
 * lists of assets inside asset catalogs
 
+To manually analyze and debug macOS, it can be helpful to temporarily [disable its security
+protections](https://gist.github.com/macshome/15f995a4e849acd75caf14f2e50e7e98).
+
 ___
 This work is licensed under the [MIT license](https://mit-license.org) so you can freely use 
 and share as long as you retain the copyright notice and license text.

flake.lock

@@ -50,11 +50,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1719468428,
-        "narHash": "sha256-vN5xJAZ4UGREEglh3lfbbkIj+MPEYMuqewMn4atZFaQ=",
+        "lastModified": 1762361079,
+        "narHash": "sha256-lz718rr1BDpZBYk7+G8cE6wee3PiBUpn8aomG/vLLiY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1e3deb3d8a86a870d925760db1a5adecc64d329d",
+        "rev": "ffcdcf99d65c61956d882df249a9be53e5902ea5",
         "type": "github"
       },
       "original": {

flake.nix

@@ -19,23 +19,18 @@
 		};
 	};
 	outputs = { self, nixpkgs, acextract, command-line, dsc-extractor, snap-util }: {
-		packages.x86_64-darwin = let
-			xcode = (nixpkgs.legacyPackages.x86_64-darwin.xcodeenv.composeXcodeWrapper {
-				version = "16.0";
-			}).overrideAttrs (attrs: { buildCommand = ''
-				# see https://github.com/NixOS/nixpkgs/pull/322641
-				set +o pipefail
-			'' + attrs.buildCommand; });
 
+		packages.aarch64-darwin = let
+			xcode = nixpkgs.legacyPackages.aarch64-darwin.xcodeenv.composeXcodeWrapper {};
 		in {
 
 			acextract =
-				with nixpkgs.legacyPackages.x86_64-darwin;
+				with nixpkgs.legacyPackages.aarch64-darwin;
 				let xcodeHook = makeSetupHook {
 					name = "xcode-hook";
 					propagatedBuildInputs = [ xcode ];
 				} "${xcbuildHook}/nix-support/setup-hook";
-				in stdenv.mkDerivation {
+				in stdenvNoCC.mkDerivation {
 					name = "acextract-${lib.substring 0 8 self.inputs.acextract.lastModifiedDate}";
 					src = acextract;
 					nativeBuildInputs = [ xcodeHook ];
@@ -85,7 +80,7 @@
 				};
 
 			dsc-extractor =
-				with nixpkgs.legacyPackages.x86_64-darwin;
+				with nixpkgs.legacyPackages.aarch64-darwin;
 				stdenv.mkDerivation {
 					name = "dsc-extractor-${lib.substring 0 8 self.inputs.dsc-extractor.lastModifiedDate}";
 					src = dsc-extractor;
@@ -93,18 +88,20 @@
 				};
 
 			snap-util =
-				with nixpkgs.legacyPackages.x86_64-darwin;
+				with nixpkgs.legacyPackages.aarch64-darwin;
 				let snapshot-header = fetchFromGitHub {
 					owner = "apple";
 					repo = "darwin-xnu";
 					rev = "xnu-6153.141.1";
 					hash = "sha256-/2aR6n5CbUobwbxkrGqBOAhCZLwDdIsoIOcpALhAUF8=";
 				};
-				in stdenv.mkDerivation {
+				in stdenvNoCC.mkDerivation {
 					name = "snap-util-${lib.substring 0 8 self.inputs.snap-util.lastModifiedDate}";
 					src = snap-util;
 					nativeBuildInputs = [ xcode ];
-					preBuild = "NIX_CFLAGS_COMPILE='-idirafter ${snapshot-header}/bsd'";
+					preBuild = ''
+						NIX_CFLAGS_COMPILE='-idirafter ${snapshot-header}/bsd'
+					'';
 					installPhase = ''
 						mkdir -p $out/bin
 						cp snapUtil $out/bin/.snapUtil-wrapped
@@ -116,7 +113,9 @@
 								echo 'snapUtil requires SIP and AMFI to be disabled:'
 								echo '• boot recovery system'
 								echo '• run ‘csrutil disable’'
+								echo '• boot into macOS again'
 								echo '• run ‘nvram boot-args=amfi_get_out_of_my_way=0x1’'
+								echo '• reboot so boot-args is effective'
 								exit 1
 							fi
 						EOF
@@ -140,5 +139,7 @@
 					'';
 				};
 		};
+
+		checks = self.packages;
 	};
 }

internals.tsv

@@ -5,6 +5,7 @@ AA	Apple Archive, see also Apple Encrypted Archive; command line tools: aa, aea,
 AAC	Automatic Assessment Configuration; AutomaticAssessmentConfiguration.framework; puts device in a locked mode for exam-style test applications
 AAT	Apple Advanced Typography; font format and rendering engine
 Accounts	launchd service: com.apple.accountsd; /System/Library/Accounts
+ACDC	Apple Chips in Data Centers; see PCC
 ACDE	Apple Connect Device External? ACDEClient.framework, old two-step verification, derived from a company-internal AppleConnect system?
 ACFS	Apple Clustered File System; deprecated file system for Xsan; acfs.framework
 Acoustic ID	song recognition and matching with Apple catalog, playback on HomePod; /System/Library/Components/AudioDSP.component
@@ -12,7 +13,7 @@ Activation	cryptographic check-in with iCloud to lock devices reported by the us
 Activity	jobs, coarse-grained work units of applications; tracked by the system across XPC, bears a QoS class for scheduling; low-level mechanism not to be confused with User Activity
 AE	Apple Events; messaging system to invoke application functionality; CoreServices.framework/AE.framework; launchd services: com.apple.coreservices.appleevents, com.apple.AEServer (AE over network)
 Aegir	astronomy watch face and lock screen; /System/Library/CoreServices/AegirProxyApp.app
-AFM	Apple Foundation Model; pre-trained transformer and diffusion models for Greymatter, optimized for on-device use by quantization (with accuracy-recovery adapters) and palletization
+AFM	Apple Foundation Model; pre-trained transformer and diffusion models for Greymatter, optimized for on-device use by quantization (with accuracy-recovery adapters) and palletization; command line tool: modelcatalogdump
 AGC	Apple Graphics Control, management of multiple displays and display port connections; launchd service: com.apple.displaypolicyd
 AHAP	Apple Haptic Audio Pattern; file format for simultaneous audio and haptic data; CoreHaptics.framework
 AIR	Apple Intermediate Representation; synthetic bytecode architecture target for GPU binary toolchain
@@ -50,9 +51,9 @@ Attestation	cryptographic proof of a genuine SEP; used for web authentication an
 Authorization	discretionary access control policies for high-level services; similar to PAM; policy stored in /var/db/auth.db
 Avatar	Memoji and Animoji, including pre-rendered iMessage stickers; AvatarKit.framework
 AVB	Audio Video Bridging, low-latency audio over Ethernet; launchd service: com.apple.avbdeviced; command line tools: avbanalyse, avbdiagnose, avbutil
-AWD	Apple Wireless Diagnostics, sends system telemetry to Apple; CoreAnalytics.framework, WirelessDiagnostics.framework; launchd services: com.apple.awdd, com.apple.analyticsd
+AWD	Apple Wireless Diagnostics, sends system telemetry to Apple; CoreAnalytics.framework, WirelessDiagnostics.framework; launchd services: com.apple.analyticsd
 AWDL	Apple Wireless Direct Link; secondary WiFi interface that runs in parallel to an active WiFi access point connection, similar to WiFi Direct (p2p interface), uses a randomized MAC, used for peer-to-peer networking: AirDrop, AirPlay; DeviceToDeviceManager.framework
-Background Assets	assets that an app extension loads without the app being launched; BackgroundAssets.framework; extension point: com.apple.background-asset-downloader-extension; launchd service: com.apple.backgroundassets.user
+Background Assets	assets that an app extension loads without the app being launched; BackgroundAssets.framework; launchd service: com.apple.backgroundassets.user
 Bezel	on-screen overlays for hardware volume buttons, screen brightness, Bluetooth HID, and others; /Library/Application Support/Apple/BezelServices, launchd services: com.apple.loginwindow, com.apple.OSDUIHelper
 Bifrost	emergency satellite connectivity; /System/Library/LocationBundles/Bifrost.bundle
 Biome	CloudKit-synced streaming and storage of events like donated and invoked Intents; semantic index to ground AI with personal context; BiomeStreams.framework, BiomeSync.framework; launchd services: com.apple.BiomeAgent, com.apple.biomesyncd; embedding vector extraction and storage: ZeoliteFramework.framework
@@ -69,6 +70,7 @@ Cache Delete	cleanup for various caches; /System/Library/CacheDelete; launchd se
 CAML	Core Animation Markup Language; XML file format for layers, shapes and animations
 Carousel	derivative of SpringBoard for Watch home screen, watch face, and notification center
 CBOR	Concise Binary Object Representation; JSON-inspired compact binary data serialization; CBORLibrary.framework
+CDHash	Code Directory Hash; a hash of hashes over the parts of a code bundle; command line tool: codesign
 CDM	Continuous Dialog Manager; natural dialog with Siri, MARRS for multi-modality; ContinuousDialogManagerService.framework
 CEC	Consumer Electronics Control; remote control for HDMI-connected devices; CoreRC.framework, IOCEC.framework
 Celestial	media streaming used by ReplayKit for in-app screen broadcasts; Celestial.framework; launchd service: com.apple.replayd
@@ -77,6 +79,7 @@ Chamois	Stage Manager
 CHIP	Connected Home over IP; Matter; integrated into HomeKit, can use Thread as transport layer; HomeKitMatter.framework, CoreThread.framework; launchd services: com.apple.threadradiod, com.apple.ThreadCommissionerService
 Circle	cryptographic primitive to exchange public keys of trusted devices of a user, signed by Circle peers; iCloud identity added as additional Circle peer, private key synced across all trusted devices, new devices can pull this key from Secure Backup to join the Circle; per-device Circles stored in CKKS for two-factor accounts (Octagon); KeychainCircle.framework; command line tools: otctl (Octagon)
 CKKS	CloudKit Key Sync, end-to-end secure syncing for credentials, seeded by Circle; currently includes ApplePay, AutoUnlock, CreditCards, DevicePairing, Engram, Health, Home, Manatee, SOS, WiFi and other keys; launchd service: com.apple.secd; command line tool: ckksctl
+CL4	Apple’s variant of the L4 microkernel, derived from Pistachio and Wombat/Darbat
 Clarity	customizable accessibility mode for simplified UI; ClarityFoundation.framework
 Classroom	school teachers can create assignments for student iPads and track progress in Schoolwork app; ClassKit.framework; launchd service: com.apple.studentd
 Cloud Pairing	part of Alloy, Bluetooth out-of-band pairing over iCloud for Continuity; launchd service: com.apple.BTServer.cloudpairing (cloudpaird)
@@ -132,26 +135,25 @@ Family Circle	Family Sharing; launchd services: com.apple.familycircled, com.app
 FDE	Full Disk Encryption, FileVault; command line tool: fdesetup, sysadminctl
 FDR	Factory Data/Device Reset? ensures that no downgrades are performed? servers: skl.apple.com, gg.apple.com; /System/Library/FDR
 Feldspar	Apple News; Silex.framework
-FiDES	Fi? Distributed Evaluation Service? aggregates Differential Privacy data for unlinkability? used for emoji, Suggestions, Dictation; /System/Library/DistributedEvaluation; DistributedEvaluation.framework, FedStats.framework (private federated learning?); server: fides-pol.apple.com
+FiDES	Fi? Distributed Evaluation Service? aggregates Differential Privacy data for unlinkability? used for emoji, Suggestions, Dictation; /System/Library/DistributedEvaluation; DistributedEvaluation.framework, FedStats.framework (private federated learning?)
 File Provider	infrastructure and extension system for syncing with cloud providers; placeholder files based on SF_DATALESS attribute in APFS; FileProvider.framework; locally stored in ~/Library/CloudStorage; command line tool: fileproviderctl
-Find My	location sharing by explicitly querying devices remotely or collateral beacon detection using Search Party; FMCore.framework, FMF.framework; launchd service: com.apple.icloud.fmfd (find my friends)
+Find My	location sharing by explicitly querying devices remotely or collateral beacon detection using Search Party; FMCore.framework, FMF.framework
 Firmlink	bi-directional non-symbolic link between the read-only system volume and the data volume, additional symlinks and mountpoints in the root directory are virtually allocated; /usr/share/firmlinks, /etc/synthetic.conf
 Focus	restriction modes for notification presentation; focus filters for in-app display restrictions, communicated by Intents; Focus.framework, DoNotDisturb.framework; local settings in ~/Library/DoNotDisturb
 FollowUp	user interaction for Secure Backup wrapping with device passcode, CoreFollowUp.framework; launchd service: com.apple.followupd
 FoundationDB	fundamental iCloud storage database, marketed as CloudKit, separated into containers; records, blobs, and large asset storage with MMCS, server-side continuous queries can trigger push notifications, user management by IDS, sharing between users by GroupKit; PCS keys used for hierarchical zone, record, and asset encryption; CloudKitDaemon.framework; launchd service: com.apple.cloudd; locally stored in ~/Library/Caches/CloudKit, ~/Library/Containers/*/Data/CloudKit; command line tool: cktool
-FPR	Fast Permission Restrictions; Apple CPU registers to downgrade (old APRRs do bitmasking) or remap (SPRRs since M1) actual permissions of memory pages (the CTRR region) per thread; used for JIT protection and by AMFI to freeze user code after checking
+FPR	Fast Permission Restrictions; Apple CPU registers to downgrade (old APRRs do bitmasking) or remap (SPRRs since M1) actual permissions of memory pages (the CTRR region) per thread
 FSKit	user space file system support; kernel stub file system is /System/Library/Extensions/lifs.kext; file systems are in /System/Library/ExtensionKit/Extensions/com.apple.fskit.*; launchd service: com.apple.filesystems.fskitd, com.apple.filesystems.doubleagentd (handling of Apple double files in user space); extension point: com.apple.fskit.fsmodule
 FUD	Firmware Update Daemon; see TSS, UARP; launchd service: com.apple.accessoryupdaterd
 Game Mode	auto-activates when games are shown full screen, throttles background work, lowers audio and input latency; launchd service: com.apple.gamepolicyd
 GID	group ID key, shared across all devices of the same SoC generation, derived keys are used to prove device type over the network, only accessible by SEP
 Gizmo	Apple Watch; watch settings managed by Companion iPhone; /Applications/Bridge.app, /System/Library/BridgeManifests
-Greymatter	Apple Intelligence; on-device language and diffusion models, larger server-based models in PCC; AFM refined for specific tasks (queries, summarization, categorization) by adapters (parameter for inserted network modules); grounded with context from Biome and intelligence stores; ~/Library/IntelligencePlatform; launchd service: com.apple.modelmanagerd (model residency management); /System/Library/ModelManager/Policy.plist; command line tool: csfdiagnose (cloud subscription features)
+Greymatter	Apple Intelligence; on-device language and diffusion models, larger server-based models in PCC; AFM refined for specific tasks (queries, summarization, categorization) by adapters (parameter for inserted network modules); grounded with context from Biome and intelligence stores; ~/Library/IntelligencePlatform; launchd service: com.apple.modelmanagerd (model residency management); /System/Library/ModelManager/Policy.plist; /Applications/Tamale.app (Camera Control integration); command line tool: csfdiagnose (cloud subscription features), modelmanagerdump
 Group Activities	SharePlay; sharing of media content and programmatic state over FaceTime calls; GroupActivities.framework, CopresenceCore.framework; launchd service: com.apple.telephonyutilities.callservicesd
-GroupKit	groups of IDS users with shared CloudKit (PCS) access; GroupKit.framework; launchd service: com.apple.groupkitd
+GroupKit	groups of IDS users with shared CloudKit (PCS) access; GroupKitCrypto.framework
 GSS	Generic Security Service; part of Kerberos; GSS.framework; launchd service: com.apple.gssd (invoked by kernel through host special port 19); command line tool: gsstool
 GXF	Guarded Execution Feature/Fault, additional exception levels on Apple Silicon, lateral to the usual exception levels; page tables remain the same, but interpretation of permission bits changes by way of FPR, genter and gexit instructions; implements lightweight intra-address-space protection contexts
 HAP	Home Automation Protocol; CoreHAP.framework
-HDA	High Definition Audio; HDAInterface.framework
 HDI	Hard Disk Image; command line tool: hdiutil
 HeadBoard	derivative of SpringBoard for tvOS home screen; /Applications/HeadBoard.app, /Applications/PineBoard.app
 Health Balance	vitals app on Watch; /Applications/NanoHealthBalance.app
@@ -222,13 +224,14 @@ Multipeer Connectivity	ad-hoc networking; Bonjour for discovery; WiFi, AWDL, Blu
 Nano	prefix for watchOS
 Nearby Interaction	proximity-based interaction between devices; proximity measured using ultra wideband or derived from other technologies; used for Universal Control, tapping phones for AirDrop; NearbyInteraction.framework, Proximity.framework; launchd services: com.apple.aonsensed (always-on sense daemon), com.apple.nearbyd
 Nebula	sleep apnea detection on watchOS; BreathingAlgorithms.framework
+New Device Outreach	high-level Bluetooth device pairing flow; NewDeviceOutreach.framework, NDOAPI.framework, NDOUI.framework; launchd service: com.apple.ndoagent
 Newton	fall detection on watchOS
 NLP	Natural Language Processing; NLP.framework; related to mecabra libraries, a linguistic engine for Chinese and Japanese; /usr/share/mecabra, /usr/share/tokenizer
 Notarization	app security scan by Apple; cryptographic proof stapled to code signature, tested at launch by System Policy; for non-notarized apps sends code hash to Apple; command line tools: notarytool, altool, stapler
 Noticeboard	User Notifications for Software Update and App Store, Noticeboard.framework; launchd services: com.apple.noticeboard.state (nbstated), com.apple.noticeboard.agent (nbagent)
 Notifications	system notification bus, unrelated to the local/remote push notifications; launchd service: com.apple.notifyd, com.apple.kuncd (invoked by kernel through host special port 10); command line tool: notifyutil; complemented by framework-level notification system (CFNotification, NSNotification); launchd services: com.apple.distnoted.xpc.daemon, com.apple.distnoted.xpc.agent
 NSP	Network Service Proxy; per-app VPN and proxy settings, implements Private Relay; launchd service: com.apple.networkserviceproxy
-OAH	Rosetta; ahead-of-time compiler for Intel code on Apple Silicon, usable from Linux VMs by way of a custom binformat; /usr/libexec/rosetta; launchd service: com.apple.oahd
+OAH	Rosetta; ahead-of-time compiler for Intel code on Apple Silicon, usable from Linux VMs by way of a custom binformat; /usr/libexec/rosetta, /var/db/oah (AOT cache); launchd service: com.apple.oahd
 ODR	On-Demand Resources; loaded from App Store; launchd service: com.apple.appstored
 Omni Search	fuzzy semantic search with results recognized in images; OmniSearch.framework
 Onboarding	data protection splash screen shown by service-connected apps; /System/Library/OnBoardingBundles; OnBoardingKit.framework
@@ -282,7 +285,7 @@ Replicator	notification sync from Companion iPhone, also drives remotely display
 Revisions	document autosave and auto-versioning; stored in .DocumentRevisions-V100; GenerationalStorage.framework; launchd service: com.apple.revisiond
 Routine	frequently visited locations on iOS, interacts with Duet; launchd service: com.apple.routined
 RTC	Real-time Telemetry and Crash reporting; RTCReporting.framework; launchd service: com.apple.rtcreportingd
-RTKit	operating system used on Apple Silicon for firmware of co-processors
+RTKit	real-time runtime used for firmware of Apple Silicon co-processors; on top of CL4 in Apple’s cellular modem
 RunningBoard	runtime management of apps, paradigm: app as service process invoked by system, check-in by frameworks, handles process assertions (frontmost app, see App Nap), memory pressure (see Jetsam) and compute resources (GPU), replacement for TAL?; launchd service: com.apple.runningboardd; /System/Library/LifecyclePolicy, /System/Library/RunningBoard
 Safety Monitor	Check In; short-term location sharing in iMessage until a destination is reached; /Applications/SafetyMonitorApp.app
 SBPL	Sandbox Profile Language; a TinyScheme-based embedded DSL for Seatbelt profiles
@@ -293,7 +296,7 @@ SDB	SQL Database; CoreSDB.framework, used by iCloud communication
 Search Party	portion of Find My service for offline devices; devices emit public part of rotating key pair via Bluetooth LE, other devices encrypt current location with this key and send to Apple, private key shared over CloudKit
 Seatbelt	process sandbox by filtering system calls; profiles written in SBPL; /System/Library/Sandbox/Profiles, /usr/share/sandbox; default file access policy asks for TCC confirmation before access to folders with user data (like Documents) is allowed; command line tool: sandbox-exec; launchd service: com.apple.sandboxd (invoked by kernel through host special port 14 for logging)
 Secure Backup	escrow part of CKKS; escrow key individually wrapped with passcodes of trusted devices, stored in HSM to prevent brute forcing, uses SRP so passcodes are not visible to iCloud, limited number of recovery attempts; protocol called Lakitu, uses FollowUp; launchd service: com.apple.SecureBackupDaemon (com.apple.sbd); CloudServices.framework
-SEP	Secure Enclave Processor; dedicated ARM core for security services, runs L4/Darbat-based sepOS, inline encryption to DRAM, manages AES keys in storage DMA engine, factory-paired channels to Touch ID/Face ID hardware, Secure Element, Neural Engine; SEP can use but not read UID and GID keys; credential verification performed by hardware lockbox with retry count enforcement
+SEP	Secure Enclave Processor; dedicated ARM core for security services, runs CL4-based sepOS, inline encryption to DRAM, manages AES keys in storage DMA engine, factory-paired channels to Touch ID/Face ID hardware, Secure Element, Neural Engine; SEP can use but not read UID and GID keys; credential verification performed by hardware lockbox with retry count enforcement
 Sequoia	translation; downloadable language models can run on-device; /Applications/SequoiaTranslator.app, Translation.framework
 Seymour	Apple Fitness+; workout videos integrated with Watch sensors; SeymourCore.framework, Blackbeard.framework (personalisation and workout programs)
 SF Symbols	scalable UI symbols; rendered with various color treatments; SFSymbols.framework
@@ -319,11 +322,11 @@ SOS	Secure Object Sync; syncing backend for iCloud Keychain, not to be confused
 SPI	System Private Interface; /System/Library/PrivateFrameworks
 SpringBoard	iOS home screen; like Dock (Launchpad, Mission Control, desktop picture), Control Center, SystemUIServer (menu extras icons), loginwindow (lock screen), and WindowServer (compositor) on macOS; /System/Library/CoreServices/SpringBoard.app, /Applications/PreBoard.app, BaseBoard.framework, FrontBoard.framework, SplashBoard.framework; launchd service: com.apple.backboardd (compositor)
 SPRR	Shadow Permission Remap Register? feature of Apple Silicon to dynamically reintepret page permissions
-SPTM	Secure Page Table Monitor; code with higher-than-kernel privileges (Trustzone Monitor?) protects page table modifications; deprivileged Trusted Execution Monitor (TXM) implements policy; successor to FPR/SPRR?
+SPTM	Secure Page Table Monitor; code in kernel-level GXF protects page table modifications; Trusted Execution Monitor (TXM) in user-level GXF implements policy and parts of AMFI
 SRP	Secure Remote Password; standard cryptographic protocol for proving knowledge of a secret such that attackers cannot brute-force the secret; AppleSRP.framework
 SSO	Single Sign-On
 SSV	Signed System Volume, als called Authenticated Root Volume (ARV); macOS boots from blessed read-only APFS snapshot, merkle-tree and root-hash stored in Preboot volume; modifications require disabling root authentication with csrutil from recovery, then the live filesystem can be mounted, modified, and re-blessed; command line tools: apfs_systemsnapshot, bless, csrutil
-Stark	CarPlay; iPhone provides video feeds for in-car displays; three layers composited by the car: remote UI (from iPhone), punch-through UI (back up camera), local UI (dashboard gauges: assets from iPhone, rendered by car, like Live Activities?), overlay UI (essential indicators); associate apps on iOS: /Applications/AutoSettings.app, /Applications/CarCamera.app, /Applications/Charge.app, /Applications/Climate.app, /Applications/Closures.app, /Applications/Media.app, /Applications/TirePressure.app, /Applications/Trip.app
+Stark	CarPlay; iPhone provides video feeds for in-car displays; three layers composited by the car: remote UI (from iPhone), punch-through UI (back up camera), local UI (dashboard gauges: assets from iPhone, rendered by car, like Live Activities?), overlay UI (essential indicators); associate apps on iOS: /Applications/CarCamera.app, /Applications/Charge.app, /Applications/Climate.app, /Applications/Closures.app, /Applications/Media.app, /Applications/TirePressure.app, /Applications/Trip.app, /Applications/Vehicle.app
 Stockholm	Secure Element in Apple SoCs, a processor running crypto protocols on keys it protects; used for Apple Pay and Car Key; related codenames: Icefall, Warsaw
 Storage Management	freeing up disk space by managing bulky items; UI in System Information.app; StorageManagement.framework; launchd service: com.apple.diskspaced; extension point: com.apple.storagemanagement; extends Cache Delete service
 Suggestions	semantic analysis of mails and websites to suggest contacts, calendar events and the like; launchd services: com.apple.suggestd, com.apple.reversetemplated; custom JavaScript parsers in /System/Library/AssetsV2/com_apple_MobileAsset_CoreSuggestions
@@ -344,7 +347,7 @@ Tones	ringtones; ToneLibrary.framework
 Translocation	app binary copied on launch to dedicated location; initiated by Launch Services for security (prevents path traversal for apps quarantined by System Policy) or path normalization (iOS apps do not expect to be moved, but can be moved on macOS)
 Transparency	un-alterable append-only log to publish information; used for for ESS keys and PCC software hashes, based on CONIKS, devices audit IDS/PCC records against logs, root hashes gossiped over iMessage to detect split-view attacks; Transparency.framework; launchd service: com.apple.transparencyd; server: init-kt.apple.com
 TSS	Tatsu Signing Server; online verification for firmware signatures; server: gs.apple.com
-TTS	Text To Speech, neural-network-based synthesis engine (Gryphon); command line tool: say; /System/Library/Speech, /System/Library/TTSPlugins
+TTS	Text To Speech, neural-network-based synthesis engine (Gryphon); command line tool: say; /System/Library/Speech
 TVML	TV Markup Language; declarative UI language for TV apps; TVMLKit.framework
 UARP	Universal Accessory Restore Protocol; CoreUARP.framework; launchd service: com.apple.uarppersonalizationd (personalized firmware)
 Ubiquity	iCloud Drive; codename Bladerunner, uses CloudKit; CloudDocs.framework; launchd service: com.apple.bird; locally stored in ~/Library/Mobile Documents (was supposed to move to Library/CloudStorage/iCloud Drive but this was reverted)
@@ -355,12 +358,13 @@ USD	Universal Scene Description; storage format for 3D assets; /usr/lib/usd; com
 User Activity	abstraction for deep-linking into apps with structured context (people, places); used for Universal Links (schema.org on websites), Handoff, Parsec (app links in search), Quick Note (context awareness); now part of Intents; UserActivity.framework; launchd service: com.apple.coreservices.useractivityd
 User Notifications	user interface for notification center; launchd service: com.apple.usernoted
 UTI	Uniform Type Identifiers; system for document types; file extensions and MIME types are mapped to UTIs, UTIs form a conformance graph, apps register their UTIs with Launch Services; /System/Library/CoreServices/CoreTypes.bundle; also Apple’s hardware devices are represented as UTIs
-VA	Video Acceleration; AppleGVA.framework, AppleVA.framework, AppleVPA.framework
+VA	Video Acceleration; AppleVA.framework
 VDAF	Verifiable Distributed Aggregation Function; part of Differential Privacy; VDAF.framework
 Viceroy	video conferencing used by FaceTime and ReplayKit; ViceroyTrace.framework
 Virtualisation	running virtual machines on macOS; Hypervisor.framework (for basic VMs and vCPUs), Virtualization.framework (brings a robust set of device models)
 VSDB	volume status database; /var/db/volinfo.database; command line tool: vsdbutil
 Waldo	selects edge servers based on approximate location, part of Private Relay, seen in NSP
+Wally	private search in server-side database using homomorphic encryption; private information retrieval (PIR), private nearest neighbor search (PNNS); used for Caller ID, email logos, adult website filtering, points-of-interest lookup for photos
 WFS	WebDAV File Sharing; built-in file sharing with Apache; /etc/wfs; command line tool: wfsctl
 Widgets	content excerpt from apps; provided via a timeline of view hierarchies, configuration uses Intents; visible on home screen, lock screen, as live activities, as watch complications; WidgetKit.framework, ChronoServices.framework; extension point: com.apple.widgetkit-extension; launchd service: com.apple.chronod (timeline management and sync)
 Willow	HomeKit; end-to-end-encrypted communication protocol and API for IoT-accessories; pairing with SRP using code printed on device, credential sync by CKKS, transported over Alloy, remote access using Apple TV as proxy; launchd service: com.apple.homed