This project is a fork of the official QEMU repository. Please refer to this README for information about the QEMU project.
The goal of this project is to boot a fully functional iOS system on QEMU.
The project is under active development, follow @alephsecurity and @JonathanAfek for updates.
For technical information about the research, follow our blog:
- Running iOS in QEMU to an interactive bash shell (1)
- Running iOS in QEMU to an interactive bash shell (2)
Help is wanted!
If you are passionate about iOS and kernel exploitation and want to help us make the magic happen, please refer to the open issues in this repo and just PR to us with your awesome code and/or contact us 🙂
To start the process we first need to prepare a kernel image, a device tree, a static trust cache, the main and the secondary disk images.
To get all that, we first need to get the update file from Apple: iOS 12.1 update file.
This is actually a zip file which we can extract:
$ unzip iPhone_5.5_12.1_16B92_Restore.ipsw
Next, we need to clone the supporting scripts repository:
$ git clone [email protected]:alephsecurity/xnu-qemu-arm64-tools.git
Get the Kernel image
Extract the ASN1 encoded kernel image (pyasn1 should be installed first):
$ pip install pyasn1
$ python xnu-qemu-arm64-tools/bootstrap_scripts/asn1kerneldecode.py kernelcache.release.n66 kernelcache.release.n66.asn1decoded
This decoded image now includes the lzss compressed kernel.
Let us decompress it:
$ python xnu-qemu-arm64-tools/bootstrap_scripts/decompress_lzss.py kernelcache.release.n66.asn1decoded kernelcache.release.n66.out
Get the divice tree
Extract the device tree from the ASN1 encoded file:
$ python xnu-qemu-arm64-tools/bootstrap_scripts/asn1dtredecode.py Firmware/all_flash/DeviceTree.n66ap.im4p Firmware/all_flash/DeviceTree.n66ap.im4p.out
Create the Disk Devices for iOS system
Some tweaks should be done to use all currently implemented capabilities: bash, many familiar binary tools, all iOS’s launchd services, r/w secondary disk device and SSH.
The following instructions will describe how to create the disk devices and what changes should be made within them to enable the system start with all the functionality mentioned above.
Create the primary disk device
To create a block device that will run on the system we will use ramdisk device available in the iOS 12.1 update file.
The disk devices will be attached to the iOS system by custom block device driver.
Follow the instructions here to create the driver.
Then copy the driver aleph_bdev_drv.bin to your work directory.
$ cp ./xnu-qemu-arm64-tools/aleph_bdev_drv/bin/aleph_bdev_drv.bin ./
Next, decode the ramdisk and resize it. Attach the ramdisk device and the main disk image to the research computer.
$ python xnu-qemu-arm64-tools/bootstrap_scripts/asn1rdskdecode.py ./048-32651-104.dmg ./048-32651-104.dmg.out
$ cp ./048-32651-104.dmg.out ./hfs.main
$ hdiutil resize -size 6G -imagekey diskimage-class=CRawDiskImage ./hfs.main
$ hdiutil attach -imagekey diskimage-class=CRawDiskImage ./hfs.main
$ hdiutil attach ./048-31952-103.dmg
Remove all contents of the ramdisk and sync the ramdisk with the main disk image (the latter will take some time).
$ sudo diskutil enableownership /Volumes/PeaceB16B92.arm64UpdateRamDisk/
$ sudo rm -rf /Volumes/PeaceB16B92.arm64UpdateRamDisk/*
$ sudo rsync -av /Volumes/PeaceB16B92.N56N66OS/* /Volumes/PeaceB16B92.arm64UpdateRamDisk/
$ sudo chown root /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64
Remove contents of /private/var. We will put it to a secondary disk later.
$ sudo rm -rf /Volumes/PeaceB16B92.arm64UpdateRamDisk/private/var/*
Get pre-compiled binaries
We will use rootlessJB for pre-compiled binary tools (you can use any other project of your choice).
$ git clone https://github.com/jakeajames/rootlessJB
$ cd rootlessJB/rootlessJB/bootstrap/tars/
$ tar xvf iosbinpack.tar
$ sudo cp -R iosbinpack64 /Volumes/PeaceB16B92.arm64UpdateRamDisk/
$ cd -
Add programs to be executed at system start
Four executables will be added to ״Launch Daemons״ directory and start at the system load.
- bash – run bash
Create the plist file and save it as /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/LaunchDaemons/bash.plist
EnablePressuredExit
Label
com.apple.bash
POSIXSpawnType
Interactive
ProgramArguments
/iosbinpack64/bin/bash
RunAtLoad
StandardErrorPath
/dev/console
StandardInPath
/dev/console
StandardOutPath
/dev/console
Umask
0
UserName
root
- mount_sec – mount the secondary block device (disk1).
Create the plist file and save it as /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/LaunchDaemons/mount_sec.plist
CFBundleIdentifier
com.apple.mount_sec
EnablePressuredExit
EnableTransactions
HighPriorityIO
Label
mount_sec
POSIXSpawnType
Interactive
ProgramArguments
/sbin/mount
/private/var
RunAtLoad
Umask
0
UserName
root
- tcptunnel – opens TCP Tunnel on port 2222 between the host and the guest. SSH will run above this tunnel.
Create the plist file and save it as /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/LaunchDaemons/tcptunnel.plist
CFBundleIdentifier
com.apple.tcptunnel
EnablePressuredExit
EnableTransactions
HighPriorityIO
KeepAlive
Label
TcpTunnel
POSIXSpawnType
Interactive
ProgramArguments
/bin/tunnel
2222:127.0.0.1:22
RunAtLoad
Umask
0
UserName
root
- dropbear – will be used as SSH server.
Create the plist file and save it as /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/LaunchDaemons/dropbear.plist
CFBundleIdentifier
com.apple.dropbear
EnablePressuredExit
EnableTransactions
HighPriorityIO
KeepAlive
Label
Dropbear
POSIXSpawnType
Interactive
ProgramArguments
/iosbinpack64/usr/local/bin/dropbear
--shell
/iosbinpack64/bin/bash
-R
-E
-F
RunAtLoad
Umask
0
UserName
root
As a side note, you can always convert the binary plist files that you find natively in iOS images to text xml format and back to binary format with:
$ plutil -convert xml1 file.plist
$ vim file.plist
$ plutil -convert binary1 file.plist
For launch daemons, iOS accepts both xml and binary plist files.
Now we need to make sure that we have all the binaries in the system according to their path in ProgramArguments.
/iosbinpack64/bin/bash – part of the iosbinpack64
/sbin/mount – part of the iOS system
/bin/tunnel – follow this tutorial to get the binary and copy it to /bin
/iosbinpack64/usr/local/bin/dropbear – part of the iosbinpack64
Create the static Trust Cache
Since the new binaries are signed, but not by Apple, they need to be trusted by the static trust cache that we will create. To do this, we need to get jtool. We have to run it on every binary we wish to be trusted, extract the first 40 characters of its CDHash, and put it in a new file named tchashes. A sample execution of jtool looks like this:
$ jtool --sig --ent /Volumes/PeaceB16B92.arm64UpdateRamDisk/iosbinpack64/bin/bash
Blob at offset: 1308032 (10912 bytes) is an embedded signature
Code Directory (10566 bytes)
Version: 20001
Flags: none
CodeLimit: 0x13f580
Identifier: /Users/jakejames/Desktop/jelbreks/multi_path/multi_path/iosbinpack64/bin/bash (0x58)
CDHash: 7ad4d4c517938b6fdc0f5241cd300d17fbb52418b1a188e357148f8369bacad1 (computed)
# of Hashes: 320 code + 5 special
Hashes @326 size: 32 Type: SHA-256
Empty requirement set (12 bytes)
In the above case, we need to write down 7ad4d4c517938b6fdc0f5241cd300d17fbb52418 in tchashes file.
For convenience, the following command will extract the needed part of the hash from each of the binaries in iosbinpack64:
$ touch ./tchashes
$ for filename in $(find /Volumes/PeaceB16B92.arm64UpdateRamDisk/iosbinpack64 -type f); do jtool --sig --ent $filename 2>/dev/null; done | grep CDHash | cut -d' ' -f6 | cut -c 1-40 >> ./tchashes
Note that the /bin/tunnel that we’ve created before is not signed yet. Sign it with jtool.
$ sudo jtool --sign --ent ent.xml --inplace /Volumes/PeaceB16B92.arm64UpdateRamDisk/bin/tunnel
Example of ent.xml that will work in most cases:
platform-application
com.apple.private.security.container-required
Add its hash to tchashes as well.
$ jtool --sig --ent /Volumes/PeaceB16B92.arm64UpdateRamDisk/bin/tunnel | grep CDHash | cut -d' ' -f6 | cut -c 1-40 >> ./tchashes
Now we can create the static trust cache blob:
$ python xnu-qemu-arm64-tools/bootstrap_scripts/create_trustcache.py tchashes static_tc
General changes
- Replace the
fstabfile
$ sudo cp /Volumes/PeaceB16B92.arm64UpdateRamDisk/etc/fstab /Volumes/PeaceB16B92.arm64UpdateRamDisk/etc/fstab_orig
$ sudo vi /Volumes/PeaceB16B92.arm64UpdateRamDisk/etc/fstab
Remove the content from the file and copy the following
/dev/disk0 / hfs ro 0 1
/dev/disk1 /private/var hfs rw,nosuid,nodev 0 2
- Prevent from
keybagddaemon to run on system launch
$ sudo rm /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/LaunchDaemons/com.apple.mobile.keybagd.plist
Patch the launchd binary
To get the launchd load the programs we had added before, instead of looking at the instructions in xpcd_cache.dylib, we need to patch the binary file.
We will demonstrate the patch on Ghidra (you can use any other disassembler of your choice).
Import the binary file /Volumes/PeaceB16B92.arm64UpdateRamDisk/sbin/launchd and analyze it.
Patch the instruction at 0x10002fb18 from cset w20,ne to mov w20,#0x01
Save and export the binary
Replace the original launchd with the patched binary
$ sudo mv /Volumes/PeaceB16B92.arm64UpdateRamDisk/sbin/launchd /Volumes/PeaceB16B92.arm64UpdateRamDisk/sbin/launchd.orig
$ sudo cp exported.bin /Volumes/PeaceB16B92.arm64UpdateRamDisk/sbin/launchd
Sign the binary with jtool and keep its identity.
$ sudo jtool --sign --ent ent.xml --ident com.apple.xpc.launchd --inplace /Volumes/PeaceB16B92.arm64UpdateRamDisk/sbin/launchd
Do not forget to ddd its hash to the tchashes.
$ jtool --sig --ent /Volumes/PeaceB16B92.arm64UpdateRamDisk/sbin/launchd | grep CDHash | cut -d' ' -f6 | cut -c 1-40 >> ./tchashes
Update the static_tc file:
$ python xnu-qemu-arm64-tools/bootstrap_scripts/create_trustcache.py tchashes static_tc
Now the disks can be ejected – we’re done!
$ hdiutil detach /Volumes/PeaceB16B92.arm64UpdateRamDisk
$ hdiutil detach /Volumes/PeaceB16B92.N56N66OS
Create the secondary disk device
As with the main disk let us use the ramdisk structure as well.
$ cp ./048-32651-104.dmg.out ./hfs.sec
$ hdiutil resize -size 6G -imagekey diskimage-class=CRawDiskImage ./hfs.sec
$ hdiutil attach -imagekey diskimage-class=CRawDiskImage ./hfs.sec
$ hdiutil attach ./048-31952-103.dmg
Remove all contents of the ramdisk and sync the ramdisk with /private/var directory from the main disk image.
$ sudo rm -rf /Volumes/PeaceB16B92.arm64UpdateRamDisk/*
$ sudo rsync -av /Volumes/PeaceB16B92.N56N66OS/private/var/* /Volumes/PeaceB16B92.arm64UpdateRamDisk/
Create a directory for the dropbear
$ sudo mkdir /Volumes/PeaceB16B92.arm64UpdateRamDisk/dropbear
Eject the disks
$ hdiutil detach /Volumes/PeaceB16B92.arm64UpdateRamDisk
$ hdiutil detach /Volumes/PeaceB16B92.N56N66OS
We now have all the images and files prepared. Let’s get the modified QEMU code (more detailed info on the work done in QEMU will be in the second post in the series):
$ git clone [email protected]:alephsecurity/xnu-qemu-arm64.git
and compile it:
$ cd xnu-qemu-arm64
$ ./configure --target-list=aarch64-softmmu --disable-capstone --disable-pie --disable-slirp
$ make -j16
$ cd -
And all there’s left to do is execute:
$ xnu-qemu-arm64/aarch64-softmmu/qemu-system-aarch64 -M iPhone6splus-n66-s8000,kernel-filename=kernelcache.release.n66.out,dtb-filename=Firmware/all_flash/DeviceTree.n66ap.im4p.out,driver-filename=aleph_bdev_drv.bin,qc-file-0-filename=hfs.main,qc-file-1-filename=hfs.sec,tc-filename=static_tc,kern-cmd-args="debug=0x8 kextlog=0xfff cpus=1 rd=disk0 serial=2",xnu-ramfb=off -cpu max -m 6G -serial mon:stdio
To use the binaries in the iosbinpack64 update the PATH
export PATH=$PATH:/iosbinpack64/usr/bin:/iosbinpack64/bin:/iosbinpack64/usr/sbin:/iosbinpack64/sbin
For an easier workflow, it’s worth to symlink the binaries from iosbinpack64/bin, iosbinpack64/usr/bin, etc. into the corresponding /bin, /usr/bin, etc. directories. It is, in fact, a requirement for executing scp, since it doesn’t respect the PATH enviornment variable when spawned.
And we have an interactive bash shell with mounted r/w disk and SSH enabled!!
* xnu-ramfb=on for textual framebuffer
* SSH password – alpine // just a reminder:)
hfs.sec which is mounted to the iOS, will fail to be mounted again after the QEMU is killed.
When the system is restarted (QEMU is killed to be started again) we need to mount and unmount the disk on the the mac.
$ hdiutil attach -imagekey diskimage-class=CRawDiskImage hfs.sec
$ hdiutil detach /Volumes/PeaceB16B92.arm64UpdateRamDisk
