iOS on QEMU

This project is a fork of the official QEMU repository. Please refer to this README for information about the QEMU project.

The goal of this project is to boot a fully functional iOS system on QEMU.

The project is under active development; follow @alephsecurity and @JonathanAfek for updates.

For technical information about the research, follow our blog:

Help is wanted!

If you are into iOS and kernel exploitation and would like to help us push this project forward, please refer to the open issues on this repo 🙂


  • Current project functionality:

    • launchd services
    • Interactive bash
    • R/W secondary disk device
    • Execution of binaries (including ones that are not signed by Apple)
    • SSH through TCP tunneling
    • Textual FrameBuffer
    • ASLR for usermode apps is disabled
    • ASLR for the DYLD shared cache is disabled
    • GDB scripts for kernel debugging
    • KVM support
    • TFP0 from user mode applications
  • To run iOS 12.1 on QEMU, follow this tutorial.

  • This project works on QEMU with KVM! Check this blog post for more information.

  • We've implemented multiple GDB scripts that will help you debug the kernel:

    • List specific/user/all tasks in the XNU kernel.
    • List specific/user/all threads in the XNU kernel.
    • Print the information about a specific task/thread.
    • Many more :).
  • To disable ASLR in the DYLD shared cache, follow this tutorial.

  • Read here to find out how we have implemented the TCP tunneling.

  • Read the code to see all the patches we have made to the iOS kernel for this project:

    • Disable the Trusted Monitor.
    • Bypass iOS's CoreTrust mechanism.
    • Disable ASLR for user mode apps.
    • Enable custom code execution in the kernel to load our own IOKit iOS drivers.
    • Enable KVM support.
    • Support getting TFP0 in usermode applications.
