What's the plan?

At the end of our previous blog post, we got PreBoard to show its UI. But we had no idea whether getting SpringBoard to work would even be possible, since we didn't have SEP emulation. Still, we wanted to see how far we could get without it. Before SpringBoard could show anything, we had plenty of issues to fix. Although the backboardd and SpringBoard processes were starting and stable, each was stuck at a different point. Our strategy was to go through the system logs, find suspicious errors or warnings, then reverse backboardd, SpringBoard, and their supporting frameworks (BackBoardServices, QuartzCore, SpringBoardFoundation, etc.).

Userspace debugging

Let's preface by saying that, when starting this project, we had very limited experience with Apple's development tools and environment, and we also wanted to keep working in Linux as much as possible. A lot of the work detailed in these blog posts required plenty of userspace debugging, and the way we handled it evolved with our knowledge and our needs.

Symbols from the dyld cache

The biggest improvement of all was finding a way to disable dyld cache ASLR by patching the kernel. Previously, we only had KASLR and userspace process ASLR disabled. With dyld ASLR disabled, we could get fully symbolized stack traces with lldb and debugserver running on iOS (exposing its port with iproxy). At first, though, attaching to a process took a very long time, because lldb would fetch every library used by the process from the device's memory. We found out we could instead point lldb at the dyld cache we had extracted with the ipsw tool, so that the symbols come from the host's copy of the rootfs:

Extract the dyld cache from the ipsw file:

    ipsw extract -d iPhone11,8,iPhone12,1_14.0_18A5351d_Restore.ipsw

Extract all libs from the dyld cache:

    ipsw dyld extract -a dyld_shared_cache_arm64 -o dylibs

Then in lldb:

    platform select remote-ios --sysroot iPhone11,8,iPhone12,1_14.0_18A5351d/dylibs

This made attaching significantly faster.
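The three manual steps above (extract the cache, split it into dylibs, point lldb's sysroot at the result) are easy to get wrong when repeated across firmware builds, so here is a small POSIX shell wrapper for them. This is an added example, not a script from the original post or from the ipsw project. It assumes the `ipsw` CLI is in PATH and accepts the `extract -d` and `dyld extract -a ... -o` invocations shown on the page, that the extracted cache file is named `dyld_shared_cache_arm64` as on the page (the script locates it with `find` rather than assuming where `ipsw extract` puts it), and that debugserver has been exposed on the host with iproxy on port 1234 (the port number is an assumption; pass a different one as the third argument of `write_lldb_commands`). The working-directory name it derives from the ipsw filename follows the convention the post's own `--sysroot` path uses.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the dyld-cache symbol setup into a
# repeatable script. Assumptions: `ipsw` CLI in PATH, cache named dyld_shared_cache_arm64,
# debugserver reachable on localhost:1234 through iproxy (port is an assumed default).
set -eu

# Derive the working directory name from the ipsw filename, matching the post's path:
#   iPhone11,8,iPhone12,1_14.0_18A5351d_Restore.ipsw -> iPhone11,8,iPhone12,1_14.0_18A5351d
work_dir_for_ipsw() {
    base=$(basename "$1" .ipsw)
    printf '%s\n' "${base%_Restore}"
}

# Directory lldb should receive as --sysroot: <work dir>/dylibs
sysroot_for_ipsw() {
    printf '%s/dylibs\n' "$(work_dir_for_ipsw "$1")"
}

# Write an lldb command file that selects the remote-ios platform with the host-side
# sysroot and connects to debugserver; run it with `lldb -S <file>`.
write_lldb_commands() {
    ipsw_file=$1
    out=$2
    port=${3:-1234}   # assumed iproxy local port
    cat > "$out" <<EOF
platform select remote-ios --sysroot $(sysroot_for_ipsw "$ipsw_file")
process connect connect://localhost:$port
EOF
}

# Full flow: extract the cache and its dylibs only if not already present,
# then emit the lldb command file next to them.
setup_symbols() {
    ipsw_file=$1
    work_dir=$(work_dir_for_ipsw "$ipsw_file")
    sysroot=$(sysroot_for_ipsw "$ipsw_file")

    command -v ipsw >/dev/null 2>&1 || { echo "ipsw tool not found in PATH" >&2; return 1; }
    [ -f "$ipsw_file" ] || { echo "no such ipsw file: $ipsw_file" >&2; return 1; }

    if [ ! -d "$sysroot" ]; then
        mkdir -p "$work_dir"
        # Step 1 from the post: pull the dyld cache out of the ipsw.
        ipsw extract -d "$ipsw_file"
        # Locate the extracted cache rather than assuming ipsw's output layout.
        cache=$(find . -type f -name dyld_shared_cache_arm64 | head -n 1)
        [ -n "$cache" ] || { echo "dyld_shared_cache_arm64 not found after extraction" >&2; return 1; }
        # Step 2: split the cache into individual dylibs under <work dir>/dylibs.
        ipsw dyld extract -a "$cache" -o "$sysroot"
    fi

    write_lldb_commands "$ipsw_file" "$work_dir/lldb-attach.cmds"
    echo "symbols ready; start lldb with: lldb -S $work_dir/lldb-attach.cmds"
}

# Usage: sh setup_symbols.sh iPhone11,8,iPhone12,1_14.0_18A5351d_Restore.ipsw
if [ "$#" -ge 1 ]; then
    setup_symbols "$1"
fi
```

The extraction is skipped when the `dylibs` directory already exists, so the script can be rerun before every debugging session; only the lldb command file is regenerated. Keeping the sysroot on the host is what makes attach fast, since lldb no longer has to read each library out of the device's memory.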
Debuggi...