Skip to content

alephsecurity/xnu-qemu-arm64

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

iOS on QEMU

This project is a fork of the official QEMU repository. Please refer to this README for information about the QEMU project.

The goal of this project is to boot a fully functional iOS system on QEMU.

The project is under active development, follow @alephsecurity and @JonathanAfek for updates.

For technical information about the research, follow our blog:

Help is wanted!

If you are passionate about iOS and kernel exploitation and want to help us push this project forward, please refer to the open issues in this repo :)


  • Current project's functionality:

    • launchd services
    • Interactive bash
    • R/W secondary disk device
    • Execution of binaries (also ones that are not signed by Apple)
    • SSH through TCP tunneling
    • Textual FrameBuffer
    • ASLR for usermode apps is disabled
    • ASLR for DYLD shared cache is disabled
    • GDB scripts for kernel debugging
    • KVM support
    • TFP0 from user mode applications
  • To run iOS 12.1 on QEMU follow this tutorial.

  • This project works on QEMU with KVM! Check this blog post for more information.

  • We have implemented multiple GDB scripts that will help you to debug the kernel:

    • List current/user/all tasks in XNU kernel.
    • List current/user/all threads in XNU kernel.
    • Print the information about specific task/thread.
    • Many more :).
  • To disable ASLR in DYLD shared cache follow this tutorial.

  • Follow here to learn about how we've implemented the TCP tunneling.

  • Follow the code to see all the patches we've made to the iOS kernel for this project:

    • Disable the Secure Monitor.
    • Bypass iOS's CoreTrust mechanism.
    • Disable ASLR for user mode apps.
    • Enable custom code execution in the kernel to load our own IOKit iOS drivers.
    • Enable KVM support.
    • Support getting TFP0 in usermode applications.