Perhaps my favorite time of the year is when the annual Apple WWDC conference occurs. I am heavily inspired by Apple’s software and hardware meld, and I truly enjoy nearly every ounce of the conference. But nothing compares to the love I have for the macOS operating system. With its deep history and Unix origins, it brings an interesting take on a consumer operating system.

But macOS has one central problem: it’s almost entirely proprietary. macOS consists of a few open-source components and a majority of proprietary ones. As someone with a strong open-source origin and a professional grounding in software companies, it can be hard for me to sympathize with the belief that all software should be open source, but at the same time, I’m a curious developer, and I love knowing how things work.

This is what excites me every time a new macOS release is announced. I want to understand the technical foundations and changes at an enthusiast level!

That’s why I’ve built a macOS system analysis tool called jolk. jolk scans and analyzes all the executables found on a macOS installation and reports interesting findings about them.

First, let me dive into the most important note in this entire post. I am doing this purely as an enthusiast. I want to understand what makes up the macOS operating system. For example, I want to understand what daemons run when I use the FaceTime HD Camera on my MacBook Pro, or how the boot process on Apple M1 devices works. There is no intention of malicious use in this tool.

What is jolk?

jolk is a tool which scans, analyzes, and reports on the executables installed on a macOS system, providing useful details that help whittle the system down to its interesting aspects. jolk is a portmanteau of the words jog and walk. This is a personal inside joke from the time when I owned the domain idont.run.

jolk combines a system executable finder and an executable analyzer. Using various built-in macOS development tools, you can discover a lot about what is installed on a system. jolk automates that task.

jolk currently supports the following analyzer passes:

  • lipo: discovers what architectures an executable supports using, you guessed it, the lipo tool.
  • dynamic linker: determines frameworks and libraries that the executable links to.
  • launchd: finds launchd services which reference the executable.
  • strings: scans the executable for interesting strings.
  • man page: searches the man pages for mentions of the executable.

How can I use jolk?

jolk can be run by cloning the repository and building the jolk tool with Xcode.

Let’s start with an example usage of jolk to discover what the /usr/libexec/remotectl executable does.

$ jolk -o remotectl.json -i '/usr/libexec/remotectl'
analyze /usr/libexec/remotectl
complete /usr/libexec/remotectl 253.41ms

This will produce a JSON report in the file remotectl.json which contains relevant information about the remotectl utility.

{
  "/usr/libexec/remotectl" : {
    "dynamic-linker.linked-files" : [
      "/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation",
      "/System/Library/PrivateFrameworks/BridgeXPC.framework/Versions/A/BridgeXPC",
      "/System/Library/PrivateFrameworks/RemoteXPC.framework/Versions/A/RemoteXPC",
      "/System/Library/PrivateFrameworks/RemoteServiceDiscovery.framework/Versions/A/RemoteServiceDiscovery",
      "/usr/lib/libobjc.A.dylib",
      "/usr/lib/libSystem.B.dylib",
      "/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation"
    ],
    "dynamic-linker.linked-frameworks" : [
      "/System/Library/Frameworks/Foundation.framework",
      "/System/Library/PrivateFrameworks/BridgeXPC.framework",
      "/System/Library/PrivateFrameworks/RemoteXPC.framework",
      "/System/Library/PrivateFrameworks/RemoteServiceDiscovery.framework",
      "/System/Library/Frameworks/CoreFoundation.framework"
    ],
    "lipo.architectures" : [
      "x86_64",
      "arm64e"
    ],
    "man-page.exists" : false,
    "strings.likely.has-help-flag" : false,
    "strings.likely.has-usage" : true
  }
}

Hmm, the entry "strings.likely.has-usage" : true suggests that this command has a usage message; let’s run the tool to see if we can capture it.

$ /usr/libexec/remotectl
usage: remotectl list
usage: remotectl show (type|name|uuid|trait)
usage: remotectl get-property (type|name|uuid|trait) [service] property
usage: remotectl dumpstate
usage: remotectl browse
usage: remotectl echo [-v service_version] [-d (type|name|uuid|trait)]
usage: remotectl echo-file (type|name|uuid|trait) path
usage: remotectl eos-echo
usage: remotectl netcat (type|name|uuid|trait) service
usage: remotectl relay (type|name|uuid|trait) service
usage: remotectl loopback (attach|connect|detach|suspend|resume)
usage: remotectl bonjour ((enable|enable-loopback interface_name)|(disable))
usage: remotectl convert-bridge-version plist-in-path bin-out-path
usage: remotectl heartbeat (type|name|uuid|trait)
usage: remotectl trampoline [-2 fd] service_name command args ... [ -- [-2 fd] service_name command args ... ]
usage: remotectl reset (type|name|uuid|trait)
usage: remotectl alias (type|name|uuid|trait) alias

It also appears that remotectl links the framework /System/Library/PrivateFrameworks/RemoteServiceDiscovery.framework, which I bet has some interesting uses. Maybe I will investigate other executables that use this framework later. By running jolk without an include flag, we can scan the entire system and find every executable that links this framework.
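To make concrete what the lipo, dynamic linker, and strings passes listed above actually compute, and how a whole-system report can then be filtered for one framework, here is an added Python example. It is not jolk’s own code (jolk is built with Xcode) and it does not shell out to lipo, otool, or strings; instead it parses the universal (fat) header and the Mach-O load commands directly. Everything in it is an assumption of mine except the JSON key names, which are taken from the remotectl.json report shown earlier: the sample universal binary is constructed in memory by the build_thin and build_fat helpers rather than read from disk, the two strings.likely.* flags use heuristics I chose, the linking helper is mine, and the launchd and man page passes are left out because they need a live macOS to query.

```python
import re
import struct

FAT_MAGIC = 0xCAFEBABE       # universal ("fat") header magic, big-endian on disk
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit Mach-O header magic, little-endian on disk
LC_LOAD_DYLIB = 0x0C
DYLIB_COMMANDS = {LC_LOAD_DYLIB, 0x80000018, 0x8000001F}   # plus LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C

def arch_name(cputype, cpusubtype):
    # The names lipo prints; the top byte of cpusubtype holds capability bits and is masked off.
    if cputype == CPU_TYPE_ARM64:
        return "arm64e" if cpusubtype & 0x00FFFFFF == 2 else "arm64"   # 2 == CPU_SUBTYPE_ARM64E
    return "x86_64" if cputype == CPU_TYPE_X86_64 else f"unknown({cputype:#x})"

def slices(data):
    # A universal binary is a big-endian fat header followed by thin slices; a thin file is one slice.
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [data]
    nfat = struct.unpack_from(">I", data, 4)[0]
    archs = [struct.unpack_from(">5I", data, 8 + 20 * i) for i in range(nfat)]  # cputype, subtype, offset, size, align
    return [data[a[2]:a[2] + a[3]] for a in archs]

def parse_thin(data):
    # Walk the load commands of one 64-bit slice and collect the dylib install names it links.
    magic, cputype, cpusubtype, _ft, ncmds, _sz, _fl, _rs = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O slice")
    off, dylibs = 32, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command")   # never walk past the buffer on a bad header
        if cmd in DYLIB_COMMANDS:
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            raw = data[off + name_off:off + cmdsize]
            dylibs.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return arch_name(cputype, cpusubtype), dylibs

def analyze(path, data):
    # One report entry, using the key names from the remotectl.json report shown earlier.
    archs, files, frameworks = [], [], []
    for s in slices(data):
        arch, dylibs = parse_thin(s)
        archs.append(arch)
        for d in dylibs:
            if d not in files:
                files.append(d)
    for f in files:
        i = f.find(".framework/")     # ".../Foo.framework/Versions/A/Foo" -> ".../Foo.framework"
        if i != -1 and f[:i + 10] not in frameworks:
            frameworks.append(f[:i + 10])
    # strings pass: printable runs of 4+ bytes, as strings(1) reports; the two flags are assumed heuristics
    strs = [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{4,}", data)]
    return {path: {
        "dynamic-linker.linked-files": files,
        "dynamic-linker.linked-frameworks": frameworks,
        "lipo.architectures": archs,
        "strings.likely.has-help-flag": any(re.search(r"(^|\s)(-h|--help)(\s|$)", s) for s in strs),
        "strings.likely.has-usage": any(s.lower().startswith("usage") for s in strs),
    }}

def linking(report, framework):
    # The whole-system question from the post: which scanned executables link a given framework?
    return sorted(p for p, e in report.items() if framework in e["dynamic-linker.linked-frameworks"])

# ---- constructed sample input (not a real Apple binary); the builders mirror the parsers above ----
def build_thin(cputype, cpusubtype, dylibs, extra=b""):
    cmds = b""
    for name in dylibs:
        nb = name.encode() + b"\0"
        cmdsize = (24 + len(nb) + 7) & ~7          # ld pads load commands to an 8-byte boundary
        cmds += struct.pack("<6I", LC_LOAD_DYLIB, cmdsize, 24, 2, 0x10000, 0x10000)
        cmds += nb.ljust(cmdsize - 24, b"\0")
    hdr = struct.pack("<8I", MH_MAGIC_64, cputype, cpusubtype, 2, len(dylibs), len(cmds), 0, 0)
    return cputype, cpusubtype, hdr + cmds + extra

def build_fat(parts):
    hdr_len, entries, body = 8 + 20 * len(parts), b"", b""
    for cputype, cpusubtype, blob in parts:
        body += b"\0" * (-(hdr_len + len(body)) % 4096)   # lipo aligns slices to 4 KiB
        entries += struct.pack(">5I", cputype, cpusubtype, hdr_len + len(body), len(blob), 12)
        body += blob
    return struct.pack(">II", FAT_MAGIC, len(parts)) + entries + body
SAMPLE_DYLIBS = [
    "/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation",
    "/System/Library/PrivateFrameworks/RemoteServiceDiscovery.framework/Versions/A/RemoteServiceDiscovery",
    "/usr/lib/libSystem.B.dylib",
]
SAMPLE_STRINGS = b"usage: demo list\0usage: demo show (type|name|uuid)\0"   # stands in for the __cstring section
SAMPLE_BINARY = build_fat([
    build_thin(CPU_TYPE_X86_64, 3, SAMPLE_DYLIBS, SAMPLE_STRINGS),           # 3 == CPU_SUBTYPE_X86_64_ALL
    build_thin(CPU_TYPE_ARM64, 0x80000002, SAMPLE_DYLIBS, SAMPLE_STRINGS),  # arm64e with a capability bit set
])
if __name__ == "__main__":
    REPORT = analyze("/usr/libexec/demo", SAMPLE_BINARY)
    print(REPORT, linking(REPORT, "/System/Library/PrivateFrameworks/RemoteServiceDiscovery.framework"))
```

Running the block reports the same two architectures, the three linked files, and the two framework bundle paths that the builders put into the sample, plus has-usage true and has-help-flag false from the embedded strings. The bounds check in parse_thin is the part worth keeping when pointing such a scanner at thousands of system binaries: a truncated or crafted header must make the pass fail for that one file, not read past the buffer.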

Future Improvements

My ultimate goal for jolk is to be able to scan, diff, and analyze multiple macOS releases to discover what has truly changed about the system between releases. Please don’t hesitate to create issues on the repository for suggestions or improvements.

Conclusion

jolk is intended to be used for enthusiast analysis of a macOS system. I hope other enthusiasts find this tool interesting and useful.