Run the iPhone's xnu-qemu-arm64 (iOS) in a Docker container
Supports KVM + GDB kernel debugging! Run armv8-A in a Docker! Works on ANY device!
- qemu-system-aarch64 boot into iOS!
- Runs on ANY device
- FULL iOS armv8-A GDB Kernel debugging support (step thru & debug the iOS kernel on Linux!)
- X11 Forwarding (future Display)
- SSH on localhost:2222 or container.ip:2222
- GDB on localhost:1234 or container.ip:1234
- QEMU Full xnu-qemu-Virtualization
- Container host Arch
- Sick.Codes Team @sickcodes
- https://twitter.com/sickcodes
- https://sick.codes/
- https://github.com/sickcodes
Run iPhone (xnu-arm64) in a Docker container! Supports KVM + iOS kernel debugging (GDB)! Run xnu-qemu-arm64 in Docker! Works on ANY device.
https://hub.docker.com/r/sickcodes/docker-eyeos
mkdir -p images
cd images
wget https://images.sick.codes/hfs.sec.zst
wget https://images.sick.codes/hfs.main.zst
# decompress images, uses about 15GB
zstd -d hfs.main.zst
zstd -d hfs.sec.zst
docker pull sickcodes/docker-eyeos:latest
docker run -it --privileged \
--device /dev/kvm \
-e RAM=6 \
-e HFS_MAIN=./images/hfs.main \
-e HFS_SEC=./images/hfs.sec \
-p 2222:2222 \
-v "$PWD:/home/arch/docker-eyeos/images" \
-e "DISPLAY=${DISPLAY:-:0.0}" \
-v /tmp/.X11-unix:/tmp/.X11-unix \
sickcodes/docker-eyeos:latest
ssh root@localhost -p 2222
# -----> Try to SSH about 4 times
# -----> also needs to HIT ENTER a few times in the terminal to kick it along
-
Hit enter a few times in the container terminal until you see
-bash-4.4#
-
SSH into the container on
localhost:2222
orcontainerIP:2222
docker run -it --privileged \
--device /dev/kvm \
-e RAM=6 \
-e HFS_MAIN=./images/hfs.main \
-e HFS_SEC=./images/hfs.sec \
-p 2222:2222 \
-v "$PWD:/home/arch/docker-eyeos/images" \
-e "DISPLAY=${DISPLAY:-:0.0}" \
-v /tmp/.X11-unix:/tmp/.X11-unix \
-p 1233:1234 \
-e GDB_ARGS='-S -s' \
sickcodes/docker-eyeos:latest
# image will halt
# get container ID
docker ps
docker exec -it 3cb2d14fc11a /bin/bash -c "cd /home/arch/docker-eyeos/xnu-qemu-arm64-tools/gdb; gdb-multiarch -q"
# run
source load.py
target remote localhost:1234
# once you have SSH'ed in, export PATH and look busy!
export PATH=/iosbinpack64/usr/bin:/iosbinpack64/bin:/iosbinpack64/usr/sbin:/iosbinpack64/sbin:$PATH
sudo losetup -f
sudo losetup /dev/loop0 ./hfs.main
# mount in a file manager
# unmount and delete loop device when done
sudo losetup -d /dev/loop0
- xnu-qemu-arm64 a.k.a the guts of this project
- xnu-qemu-arm64-tools
Supported by:
- Aleph Security @AlephSecurity
- Vera Mens @v3rochka GitHub && @v3rochka Twitter
- Jonathan Afek @jonyafek GitHub && @JonathanAfek Twitter
- Lev Aronsky @aronsky GitHub && @levaronsky Twitter
TCP Tunnel for Linux rework:
- MCApollo @MCApollo GitHub
- 20GB++ of Disk Space
- QEMU
- KVM
# run Docker-eyeOS with
-e GDB_ARGS='-S -s' \
# get container id
docker ps
# run gdb-multiarch
docker exec containerid /bin/bash -c "cd /home/arch/docker-eyeos/xnu-qemu-arm64-tools/gdb; gdb-multiarch -q"
# run
source load.py
target remote localhost:1234
Run outside the container
# Ubuntu, Debian, Pop!_OS
sudo apt install gdb-multiarch
# Arch, Majaro
sudo pacman -S gdb-multiarch
git clone https://github.com/alephsecurity/xnu-qemu-arm64-tools.git
cd ./xnu-qemu-arm64-tools/gdb
sudo gdb-multiarch -q
source load.py
target remote localhost:1234
- ARCH: xnu-qemu-arm64 for iOS 14
- ETA: son, follow @sickcodes && @sickcodes
See https://alephsecurity.com/2020/07/19/xnu-qemu-kvm/
# proposed docker env command line args when KVM
-e KVM=true
-e KVM=false
Docker-eyeOS is an exploration platform for researchers and anyone who is interested in the XNU kernel.
- Create your own using Docker-OSX
- And then run
osx-build-xnu-disks.sh
shell script.
Image build script for Docker-OSX
# compress images for any reason
zstd -k hfs.main
zstd -k hfs.sec
# decompress images
zstd -d hfs.main.zst
zstd -d hfs.sec.zst
# after you decompress HFS Plus images, you must fsck them until they are OK using hfsprogs.
fsck.hfsplus -fp ./hfs.sec
fsck.hfsplus -fp ./hfs.sec
fsck.hfsplus -fp ./hfs.main
fsck.hfsplus -fp ./hfs.main
Download pre-patched image -
- WARNING 1.8GB of disks are downloaded
- Expands to 12GB of disks uncompressed
-e GDB_PORT=1234
Default is already set to 1234, feel free to change it
-e GDB=true
Enables GDB (QEMU will be interrupted until GDB starts)
-
Alternatively, you can create your own disks as abov
-
If you do not wish to patch
dyld
then you should include all 4 files in your images folder:
./hfs.main
./hfs.sec
./static_tc
./tchashes
-e STORAGE=host
Store the images in ./images on the host folder
-e STORAGE=guest
Store the images in a local folder inside the container (Watch out for disk space usage if doing this)
mkdir screendump
cd screendump
wget https://github.com/cosmosgenius/screendump/releases/download/0.0.3/com.cosmosgenius.screendump_0.0.3_iphoneos-arm.deb
sudo pacman -S wget
wget https://github.com/cosmosgenius/screendump/releases/download/0.0.3/com.cosmosgenius.screendump_0.0.3_iphoneos-arm.deb
ar -x com.cosmosgenius.screendump_0.0.3_iphoneos-arm.deb
tar -xzvf data.tar.lzma
# mount and put in the disk
bash -i >& /dev/tcp/google.com/80 0>&1 # requires DNS
bash -i >& /dev/tcp/172.217.22.142/80 0>&1 # perhaps -netdev
Note: this process can take around 1-4 hours depending on your specs.
- Use OSX or create a quick OSX-KVM using Docker-OSX
# this is Docker-OSX btw
docker run --device /dev/kvm \
--device /dev/snd \
-e RAM=12 \
-p 50922:10022 \
-v /tmp/.X11-unix:/tmp/.X11-unix \
sickcodes/docker-osx:latest
-
Complete the graphical installation, guide here: https://github.com/sickcodes/Docker-OSX#additional-boot-instructions
-
Turn on SSH in
Sharing Settings
-
Write down your docker container ID with
docker ps
, e.g.f771bff2192d
-- You can start the docker later usingdocker run f771bff2192d
-- You don't need to login to SSH into the Docker-OSX -
SSH into your Docker-OSX and add yourself as a NOPASSWD root user (extremely insecure, only do if you will tear-down later).
# OPTIONAL SPEED UP
ssh fullname@localhost -p 50922
sudo tee "/private/etc/sudoers.d/sudoers_$USER" <<EOF
${USER} ALL = (ALL) NOPASSWD: ALL
EOF
- Complete the script on OSX that is inside this repo
https://github.com/sickcodes/Docker-eyeOS/blob/master/osx-build-xnu-disks.sh
- Pull the images out when you're done:
scp -P 50922 fullname@localhost:~/static_tc .
scp -P 50922 fullname@localhost:~/tchashes .
scp -P 50922 fullname@localhost:~/hfs.main .
scp -P 50922 fullname@localhost:~/hfs.sec .
Enjoy!