Virtualizing iOS on Apple Silicon
Nick Botticelli (via Hacker News):
Now, to get started, a strategy for approaching the daunting task of running iOS on vma2 is needed. I found the most success with reusing a fully macOS 12.0.1 bootchain and simply replacing the system (OS) image, along with its associated
mtree,root_hash, andtrustcachefiles, with that of the iOS 15.0.2’s (iPhone XR build). This would largely bypass the need for (almost) any modifications before iOS initializes, such as to the bootchain and ramdisk (restore process). The XR build was chosen for its arm64e capability and lower-resolution (if that mattered). You should see success with other arm64e device configurations, but do note that the vma2 kernel is hardcoded to return“iPad8,6"for some sysctl key. arm64 versions experienced additional issues and binary incompatibilities, so there is no point in trying these builds.I used my own fork of tart (a third-party application for managing Apple silicon virtual machines), super-tart for running the iOS VM, which allows for using the required undocumented features provided by Virtualization.framework. I have not yet pushed all of my changes, such as for setting
_setProductionModeEnabled(false). Do note that such Virtualization.framework tools that use private APIs require SIP to be turned off, and maybe AMFI as well. I also use my own fork of idevicerestore.[…]
Getting past the system keybag issues requires many more patches and an understanding of the system as it exists in the iOS system and kernel that I currently lack. This project has already taken at least a few hundred hours of exploration, and I’d be curious to see if anyone can take it further than just booting to
PreBoard.app.
Previously:
- Apple and Corellium Settlement
- Corellium Wins iOS Simulator Copyright Case
- Corellium iOS VMs for Individuals
- Apple vs. Security Researchers
- Apple Files Lawsuit Against Corellium for iOS Virtualization
- Running Old iOS Versions
