Emulating an iPhone in QEMU

https://news.ycombinator.com/rss Hits: 23
Summary

Start of the journey

We started our journey with iOS emulation by looking at existing open-source solutions. We had successfully run alephsecurity/xnu-qemu-arm64 before, but the project being read-only was concerning. Then we tried TrungNguyen1909/qemu-t8030, and it had quite a few interesting features:

- the ability to actually restore iOS (using a second "companion" QEMU for USB connectivity)
- running iOS 14
- a more recent version of QEMU
- a nice wiki on how to bring up the emulator

With that project, we quickly managed to get a shell and ssh by modifying System/Library/xpc/launchd.plist, so it was a great starting point. We set our long-term objective on getting a functional emulated iOS, with UI and at least the ability to execute some apps.

The first thing that bothered us with the t8030 project was the fact that they added code in QEMU itself to patch the xnu kernel. We knew we were probably going to need more patching and wanted a cleaner way to do this. As we had some experience with a jailbroken real iPhone, we looked into using Pongo to apply checkra1n patches, as this would allow us to remove any patching done in QEMU. In a jailbreaking scenario, after getting pwned by checkm8, PongoOS is injected in SRAM and the checkra1n-kpf module is sent through USB. Rather than bothering with early USB, we chose to increase the SRAM on our emulated phone and use PongoOS with checkra1n's KPF module.

Executing PongoOS, at first, was not without its issues: any boot code usually done by the bootrom or iBoot would be missing, such as setting up the FPU before performing any double/float instructions. Skimming through the ARM documentation (section 5.4) and some Googling helped. Features introduced with A13 and later devices, not supported by Pongo, broke the pattern matching of some patches. For example, Pointer Authentication (PAC) instructions added autda / xpacd, and Apple used a different slide.
Example with the infamous task_for_pid (tfp0) % ipsw macho info kernelcache.release....

First seen: 2025-04-05 19:10

Last seen: 2025-04-06 17:15