alephsecurity/xnu-qemu-arm64

This project is a fork of the official QEMU repository. Please refer to this README for information about the QEMU project.

The goal of this project is to boot a fully functional iOS system on QEMU.

The project is under active development, follow @alephsecurity and @JonathanAfek for updates.

For technical information about the research, follow our blog:

Help is wanted!

If you are passionate about iOS and kernel exploitation and want to help us make the magic happen, please refer to the open issues in this repo and just PR to us with your awesome code and/or contact us 🙂


To start the process we first need to prepare a kernel image, a device tree, a static trust cache, the main and the secondary disk images.
To get all that, we first need to get the update file from Apple: iOS 12.1 update file.
This is actually a zip file which we can extract:

$ unzip iPhone_5.5_12.1_16B92_Restore.ipsw

Next, we need to clone the supporting scripts repository:

$ git clone git@github.com:alephsecurity/xnu-qemu-arm64-tools.git

Get the Kernel image
Extract the ASN1 encoded kernel image (pyasn1 should be installed first):

$ pip install pyasn1
$ python xnu-qemu-arm64-tools/bootstrap_scripts/asn1kerneldecode.py kernelcache.release.n66 kernelcache.release.n66.asn1decoded

This decoded image now includes the lzss compressed kernel.
Let us decompress it:

$ python xnu-qemu-arm64-tools/bootstrap_scripts/decompress_lzss.py kernelcache.release.n66.asn1decoded kernelcache.release.n66.out

Get the divice tree

Extract the device tree from the ASN1 encoded file:

$ python xnu-qemu-arm64-tools/bootstrap_scripts/asn1dtredecode.py Firmware/all_flash/DeviceTree.n66ap.im4p Firmware/all_flash/DeviceTree.n66ap.im4p.out

Create the Disk Devices for iOS system

Some tweaks should be done to use all currently implemented capabilities: bash, many familiar binary tools, all iOS’s launchd services, r/w secondary disk device and SSH.

The following instructions will describe how to create the disk devices and what changes should be made within them to enable the system start with all the functionality mentioned above.

Create the primary disk device

To create a block device that will run on the system we will use ramdisk device available in the iOS 12.1 update file.

The disk devices will be attached to the iOS system by custom block device driver.
Follow the instructions here to create the driver.
Then copy the driver aleph_bdev_drv.bin to your work directory.

$ cp ./xnu-qemu-arm64-tools/aleph_bdev_drv/bin/aleph_bdev_drv.bin ./

Next, decode the ramdisk and resize it. Attach the ramdisk device and the main disk image to the research computer.

$ python xnu-qemu-arm64-tools/bootstrap_scripts/asn1rdskdecode.py ./048-32651-104.dmg ./048-32651-104.dmg.out
$ cp ./048-32651-104.dmg.out ./hfs.main
$ hdiutil resize -size 6G -imagekey diskimage-class=CRawDiskImage ./hfs.main
$ hdiutil attach -imagekey diskimage-class=CRawDiskImage ./hfs.main
$ hdiutil attach ./048-31952-103.dmg

Remove all contents of the ramdisk and sync the ramdisk with the main disk image (the latter will take some time).

$ sudo diskutil enableownership /Volumes/PeaceB16B92.arm64UpdateRamDisk/
$ sudo rm -rf /Volumes/PeaceB16B92.arm64UpdateRamDisk/*
$ sudo rsync -av /Volumes/PeaceB16B92.N56N66OS/* /Volumes/PeaceB16B92.arm64UpdateRamDisk/
$ sudo chown root /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64

Remove contents of /private/var. We will put it to a secondary disk later.

$ sudo rm -rf /Volumes/PeaceB16B92.arm64UpdateRamDisk/private/var/*

Get pre-compiled binaries

We will use rootlessJB for pre-compiled binary tools (you can use any other project of your choice).

$ git clone https://github.com/jakeajames/rootlessJB
$ cd rootlessJB/rootlessJB/bootstrap/tars/
$ tar xvf iosbinpack.tar
$ sudo cp -R iosbinpack64 /Volumes/PeaceB16B92.arm64UpdateRamDisk/
$ cd -

Add programs to be executed at system start

Four executables will be added to ״Launch Daemons״ directory and start at the system load.

  1. bash – run bash

Create the plist file and save it as /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/LaunchDaemons/bash.plist





	EnablePressuredExit
	
	Label
	com.apple.bash
	POSIXSpawnType
	Interactive
	ProgramArguments
	
		/iosbinpack64/bin/bash
	
	RunAtLoad
	
	StandardErrorPath
	/dev/console
	StandardInPath
	/dev/console
	StandardOutPath
	/dev/console
	Umask
	
	UserName
	root


  1. mount_sec – mount the secondary block device (disk1).

Create the plist file and save it as /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/LaunchDaemons/mount_sec.plist





	CFBundleIdentifier
	com.apple.mount_sec
	EnablePressuredExit
	
	EnableTransactions
	
	HighPriorityIO
	
	Label
	mount_sec
	POSIXSpawnType
	Interactive
	ProgramArguments
	
		/sbin/mount
		/private/var
	
	RunAtLoad
	
	Umask
	
	UserName
	root


  1. tcptunnel – opens TCP Tunnel on port 2222 between the host and the guest. SSH will run above this tunnel.

Create the plist file and save it as /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/LaunchDaemons/tcptunnel.plist





	CFBundleIdentifier
	com.apple.tcptunnel
	EnablePressuredExit
	
	EnableTransactions
	
	HighPriorityIO
	
	KeepAlive
	
	Label
	TcpTunnel
	POSIXSpawnType
	Interactive
	ProgramArguments
	
		/bin/tunnel
		2222:127.0.0.1:22
	
	RunAtLoad
	
	Umask
	
	UserName
	root


  1. dropbear – will be used as SSH server.

Create the plist file and save it as /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/LaunchDaemons/dropbear.plist





	CFBundleIdentifier
	com.apple.dropbear
	EnablePressuredExit
	
	EnableTransactions
	
	HighPriorityIO
	
	KeepAlive
	
	Label
	Dropbear
	POSIXSpawnType
	Interactive
	ProgramArguments
	
		/iosbinpack64/usr/local/bin/dropbear
		--shell
		/iosbinpack64/bin/bash
		-R
		-E
		-F
	
	RunAtLoad
	
	Umask
	
	UserName
	root


As a side note, you can always convert the binary plist files that you find natively in iOS images to text xml format and back to binary format with:

$ plutil -convert xml1 file.plist
$ vim file.plist
$ plutil -convert binary1 file.plist

For launch daemons, iOS accepts both xml and binary plist files.

Now we need to make sure that we have all the binaries in the system according to their path in ProgramArguments.

/iosbinpack64/bin/bashpart of the iosbinpack64

/sbin/mountpart of the iOS system

/bin/tunnelfollow this tutorial to get the binary and copy it to /bin

/iosbinpack64/usr/local/bin/dropbearpart of the iosbinpack64

Create the static Trust Cache

Since the new binaries are signed, but not by Apple, they need to be trusted by the static trust cache that we will create. To do this, we need to get jtool. We have to run it on every binary we wish to be trusted, extract the first 40 characters of its CDHash, and put it in a new file named tchashes. A sample execution of jtool looks like this:

$ jtool --sig --ent /Volumes/PeaceB16B92.arm64UpdateRamDisk/iosbinpack64/bin/bash
Blob at offset: 1308032 (10912 bytes) is an embedded signature
Code Directory (10566 bytes)
				Version:     20001
				Flags:       none
				CodeLimit:   0x13f580
				Identifier:  /Users/jakejames/Desktop/jelbreks/multi_path/multi_path/iosbinpack64/bin/bash (0x58)
				CDHash:      7ad4d4c517938b6fdc0f5241cd300d17fbb52418b1a188e357148f8369bacad1 (computed)
				# of Hashes: 320 code + 5 special
				Hashes @326 size: 32 Type: SHA-256
 Empty requirement set (12 bytes)

In the above case, we need to write down 7ad4d4c517938b6fdc0f5241cd300d17fbb52418 in tchashes file.
For convenience, the following command will extract the needed part of the hash from each of the binaries in iosbinpack64:

$ touch ./tchashes
$ for filename in $(find /Volumes/PeaceB16B92.arm64UpdateRamDisk/iosbinpack64 -type f); do jtool --sig --ent $filename 2>/dev/null; done | grep CDHash | cut -d' ' -f6 | cut -c 1-40 >> ./tchashes

Note that the /bin/tunnel that we’ve created before is not signed yet. Sign it with jtool.

$ sudo jtool --sign --ent ent.xml --inplace /Volumes/PeaceB16B92.arm64UpdateRamDisk/bin/tunnel

Example of ent.xml that will work in most cases:



	
		platform-application
		
		com.apple.private.security.container-required
		
	

Add its hash to tchashes as well.

$ jtool --sig --ent /Volumes/PeaceB16B92.arm64UpdateRamDisk/bin/tunnel | grep CDHash | cut -d' ' -f6 | cut -c 1-40 >> ./tchashes

Now we can create the static trust cache blob:

$ python xnu-qemu-arm64-tools/bootstrap_scripts/create_trustcache.py tchashes static_tc

General changes

  1. Replace the fstab file
$ sudo cp /Volumes/PeaceB16B92.arm64UpdateRamDisk/etc/fstab /Volumes/PeaceB16B92.arm64UpdateRamDisk/etc/fstab_orig
$ sudo vi /Volumes/PeaceB16B92.arm64UpdateRamDisk/etc/fstab

Remove the content from the file and copy the following

/dev/disk0 / hfs ro 0 1
/dev/disk1 /private/var hfs rw,nosuid,nodev 0 2
  1. Prevent from keybagd daemon to run on system launch
$ sudo rm /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/LaunchDaemons/com.apple.mobile.keybagd.plist

Patch the launchd binary

To get the launchd load the programs we had added before, instead of looking at the instructions in xpcd_cache.dylib, we need to patch the binary file.

We will demonstrate the patch on Ghidra (you can use any other disassembler of your choice).

Import the binary file /Volumes/PeaceB16B92.arm64UpdateRamDisk/sbin/launchd and analyze it.

Patch the instruction at 0x10002fb18 from cset w20,ne to mov w20,#0x01

Save and export the binary

Replace the original launchd with the patched binary

$ sudo mv /Volumes/PeaceB16B92.arm64UpdateRamDisk/sbin/launchd /Volumes/PeaceB16B92.arm64UpdateRamDisk/sbin/launchd.orig
$ sudo cp exported.bin /Volumes/PeaceB16B92.arm64UpdateRamDisk/sbin/launchd

Sign the binary with jtool and keep its identity.

$ sudo jtool --sign --ent ent.xml --ident com.apple.xpc.launchd --inplace /Volumes/PeaceB16B92.arm64UpdateRamDisk/sbin/launchd

Do not forget to ddd its hash to the tchashes.

$ jtool --sig --ent /Volumes/PeaceB16B92.arm64UpdateRamDisk/sbin/launchd | grep CDHash | cut -d' ' -f6 | cut -c 1-40 >> ./tchashes

Update the static_tc file:

$ python xnu-qemu-arm64-tools/bootstrap_scripts/create_trustcache.py tchashes static_tc

Now the disks can be ejected – we’re done!

$ hdiutil detach /Volumes/PeaceB16B92.arm64UpdateRamDisk
$ hdiutil detach /Volumes/PeaceB16B92.N56N66OS

Create the secondary disk device

As with the main disk let us use the ramdisk structure as well.

$ cp ./048-32651-104.dmg.out ./hfs.sec
$ hdiutil resize -size 6G -imagekey diskimage-class=CRawDiskImage ./hfs.sec
$ hdiutil attach -imagekey diskimage-class=CRawDiskImage ./hfs.sec
$ hdiutil attach ./048-31952-103.dmg

Remove all contents of the ramdisk and sync the ramdisk with /private/var directory from the main disk image.

$ sudo rm -rf /Volumes/PeaceB16B92.arm64UpdateRamDisk/*
$ sudo rsync -av /Volumes/PeaceB16B92.N56N66OS/private/var/* /Volumes/PeaceB16B92.arm64UpdateRamDisk/

Create a directory for the dropbear

$ sudo mkdir /Volumes/PeaceB16B92.arm64UpdateRamDisk/dropbear

Eject the disks

$ hdiutil detach /Volumes/PeaceB16B92.arm64UpdateRamDisk
$ hdiutil detach /Volumes/PeaceB16B92.N56N66OS

We now have all the images and files prepared. Let’s get the modified QEMU code (more detailed info on the work done in QEMU will be in the second post in the series):

$ git clone git@github.com:alephsecurity/xnu-qemu-arm64.git

and compile it:

$ cd xnu-qemu-arm64
$ ./configure --target-list=aarch64-softmmu --disable-capstone --disable-pie --disable-slirp
$ make -j16
$ cd -

And all there’s left to do is execute:

$ xnu-qemu-arm64/aarch64-softmmu/qemu-system-aarch64 -M iPhone6splus-n66-s8000,kernel-filename=kernelcache.release.n66.out,dtb-filename=Firmware/all_flash/DeviceTree.n66ap.im4p.out,driver-filename=aleph_bdev_drv.bin,qc-file-0-filename=hfs.main,qc-file-1-filename=hfs.sec,tc-filename=static_tc,kern-cmd-args="debug=0x8 kextlog=0xfff cpus=1 rd=disk0 serial=2",xnu-ramfb=off -cpu max -m 6G -serial mon:stdio

To use the binaries in the iosbinpack64 update the PATH

export PATH=$PATH:/iosbinpack64/usr/bin:/iosbinpack64/bin:/iosbinpack64/usr/sbin:/iosbinpack64/sbin

For an easier workflow, it’s worth to symlink the binaries from iosbinpack64/bin, iosbinpack64/usr/bin, etc. into the corresponding /bin, /usr/bin, etc. directories. It is, in fact, a requirement for executing scp, since it doesn’t respect the PATH enviornment variable when spawned.

And we have an interactive bash shell with mounted r/w disk and SSH enabled!!

* xnu-ramfb=on for textual framebuffer

* SSH password – alpine // just a reminder:)

❗️Because there is no graceful shutdown of the system, the hfs.sec which is mounted to the iOS, will fail to be mounted again after the QEMU is killed.

When the system is restarted (QEMU is killed to be started again) we need to mount and unmount the disk on the the mac.

$ hdiutil attach -imagekey diskimage-class=CRawDiskImage hfs.sec
$ hdiutil detach /Volumes/PeaceB16B92.arm64UpdateRamDisk

Read More