Emulating an iPhone in QEMU
a year ago
- #Hardware Security
- #iOS Emulation
- #Cybersecurity
- eShard provides a powerful and collaborative platform for managing attack workflows, including expertise modules, infrastructure integration, and lab equipment management.
- The platform supports various attack techniques such as Side Channel Attacks, Fault Injection Attacks, and Photoemission Analysis, along with evaluation labs and starter kits for hands-on training.
- eShard also offers esReverse for static, dynamic, and stress testing, with extensions for Intel x86/x64 and ARM 32/64 binaries, penetration testing, vulnerability research, and digital forensics.
- The team explored iOS emulation using open-source solutions like alephsecurity/xnu-qemu-arm64 and TrungNguyen1909/qemu-t8030, aiming for a functional iOS emulator with UI and app execution capabilities.
- Kernel patches from PongoOS and checkra1n were reused to modify the iOS kernel; to make this patching more declarative and manageable, the patched kernel was compared against the original with diff tools and the differences were turned into patch files that can be re-applied.
- Graphical rendering proved difficult: both software rendering and proxying the Metal API out of the guest were tried, and software rendering was chosen because the Metal proxying was too complex.
- Debugging work included setting up framebuffer devices, disabling address randomization for both the kernel and userland so that addresses stay stable between runs, and getting at the system log through a modified lockdownd.
- Pointer authentication (PAC) problems were worked around by disabling PAC enforcement in QEMU, which in turn required porting the emulator to QEMU 8.2.1; the trade-off is that the emulated system then no longer exercises the pointer-authentication checks that real hardware enforces.
- Further debugging showed that backboardd could not write to the graphics planes; changing the device tree (DTB) so that the system identified itself as an iPhone X (t8015) got display output working.
- Patching userspace binaries and the dyld shared cache was streamlined with tools that handle very large files efficiently, so modifications could be made and tested frequently.
- Integrating PreBoard and a VNC server gave partial UI functionality, but problems emulating Apple's AMX matrix instructions meant the vImage framework had to be patched to fall back to non-AMX software code paths.
- The work ended with SpringBoard ready to be displayed, with the remaining UI issues still to be resolved.
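The two patching points above (turning hand-made kernel changes into re-applicable patch files, and patching very large userspace images such as the dyld shared cache without reading them whole) can be illustrated with one small tool. The code below is an added example for this summary; it is not code from the eShard write-up, nor from xnu-qemu-arm64, qemu-t8030, PongoOS or checkra1n. The JSON record format, the function names and the constructed sample image are assumptions made for illustration.

```python
"""Declarative binary patching for large images (kernelcache, dyld shared cache).

Added example; not code from the eShard post or from xnu-qemu-arm64, qemu-t8030,
PongoOS or checkra1n. The record format, names and sample data are assumptions.

Workflow: diff a hand-patched image against its original once, keep the resulting
patch records under version control, and re-apply them to a fresh copy through
mmap so a multi-gigabyte file is never read into memory as a whole.
"""
import json
import mmap
import os
import tempfile


def diff_binaries(original: bytes, patched: bytes) -> list:
    """Return one {offset, orig, new} record per run of differing bytes.

    Only in-place patches are modelled, so both images must have equal length.
    """
    if len(original) != len(patched):
        raise ValueError("in-place patching requires equal-length images")
    records = []
    i, n = 0, len(original)
    while i < n:
        if original[i] == patched[i]:
            i += 1
            continue
        start = i
        while i < n and original[i] != patched[i]:
            i += 1
        records.append({"offset": start,
                        "orig": original[start:i].hex(),
                        "new": patched[start:i].hex()})
    return records


def apply_patches(path: str, records: list) -> int:
    """Apply records to the file at `path` through mmap; return how many were written.

    Every record is checked before anything is modified: a region that already
    holds the new bytes is skipped (patch set already applied); anything else
    that differs from the expected original bytes aborts the run, so a patch set
    made for another build cannot be half-applied to the wrong image.
    """
    size = os.path.getsize(path)
    plan = []
    with open(path, "r+b") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_WRITE) as mm:
        for r in records:
            off, orig, new = r["offset"], bytes.fromhex(r["orig"]), bytes.fromhex(r["new"])
            if len(orig) != len(new):
                raise ValueError(f"record at {off:#x}: orig/new length differ")
            if off + len(orig) > size:
                raise ValueError(f"record at {off:#x}: beyond end of file")
            current = mm[off:off + len(orig)]
            if current == new:
                continue                      # already applied, nothing to do
            if current != orig:
                raise ValueError(f"record at {off:#x}: unexpected bytes {current.hex()}")
            plan.append((off, new))
        for off, new in plan:                 # all checks passed, now write
            mm[off:off + len(new)] = new
        mm.flush()
    return len(plan)


def demo() -> dict:
    """Constructed sample: hand-patch an image, derive records, apply and re-apply."""
    original = bytes(range(256)) * 16          # 4 KiB constructed stand-in for a kernel
    patched = bytearray(original)
    patched[0x10:0x14] = b"\x1f\x20\x03\xd5"   # AArch64 NOP (d503201f) dropped over a check
    patched[0x301] = 0x00                      # a single-byte change elsewhere
    records = diff_binaries(original, bytes(patched))
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(original)
        path = tmp.name
    try:
        first = apply_patches(path, json.loads(json.dumps(records)))  # round-trip via JSON
        second = apply_patches(path, records)   # re-run: everything already applied
        try:                                    # a record made for another build is refused
            apply_patches(path, [{"offset": 0, "orig": "ff", "new": "ee"}])
            rejected = False
        except ValueError:
            rejected = True
        with open(path, "rb") as f:
            result = f.read()
    finally:
        os.unlink(path)
    return {"records": records, "first": first, "second": second,
            "rejected": rejected, "matches": result == bytes(patched)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The verify-everything-then-write order is the part worth keeping when adapting this to a real kernelcache or dyld shared cache: a record whose original bytes do not match stops the run before a single byte is changed, and a record whose bytes already equal the new value is treated as applied rather than as an error, so the same patch set can be run repeatedly against the same image.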