This project is a fork of the official QEMU repository. Please refer to this README for information about the QEMU project.

The goal of this project is to boot a fully functional iOS system on QEMU.

The project is under active development, follow @alephsecurity and @JonathanAfek for updates.

For technical information about the research, follow our blog:

• Running iOS in QEMU to an interactive bash shell (1)
• Running iOS in QEMU to an interactive bash shell (2)
• Tunnelling TCP connections into iOS on QEMU
• Accelerating iOS on QEMU with hardware virtualization (KVM)

Help is wanted!

If you are passionate about iOS and kernel exploitation and want to help us push this project forward, please refer to the open issues in this repo :)

• Current project's functionality:

  • launchd services
  • Interactive bash
  • R/W secondary disk device
  • Execution of binaries (also ones that are not signed by Apple)
  • SSH through TCP tunneling
  • Textual FrameBuffer
  • ASLR for usermode apps is disabled
  • ASLR for DYLD shared cache is disabled
  • GDB scripts for kernel debugging
  • KVM support
  • TFP0 from user mode applications

• To run iOS 12.1 on QEMU follow this tutorial.

• This project works on QEMU with KVM! Check this blog post for more information.

• We have implemented multiple GDB scripts that will help you to debug the kernel:

  • List current/user/all tasks in XNU kernel.
  • List current/user/all threads in XNU kernel.
  • Print the information about specific task/thread.
  • Many more :).

• To disable ASLR in DYLD shared cache follow this tutorial.

• Follow here to learn about how we've implemented the TCP tunneling.

• Follow the code to see all the patches we've made to the iOS kernel for this project:

  • Disable the Secure Monitor.
  • Bypass iOS's CoreTrust mechanism.
  • Disable ASLR for user mode apps.
  • Enable custom code execution in the kernel to load our own IOKit iOS drivers.
  • Enable KVM support.
  • Support getting TFP0 in usermode applications.