## 0x1 编译QEMU
brew install libtool glib libtasn1 meson ninja pixman gnutls libgcrypt pkgconf lzfse capstone nettle ncurses libslirp libssh libpng jpeg-turbo zstd
git clone https://github.com/ChefKissInc/QEMUAppleSilicon
cd QEMUAppleSilicon
git submodule update --init
mkdir build && cd build
LIBTOOL="glibtool" ../configure --target-list=aarch64-softmmu,x86_64-softmmu --disable-bsd-user --disable-guest-agent --enable-lzfse --enable-slirp --enable-capstone --enable-curses --enable-libssh --enable-virtfs --enable-zstd --extra-cflags=-DNCURSES_WIDECHAR=1 --disable-sdl --disable-gtk --enable-cocoa --enable-nettle --enable-gnutls --extra-cflags="-I/opt/homebrew/include" --extra-ldflags="-L/opt/homebrew/lib" --disable-werror
make -j$(sysctl -n hw.logicalcpu)## 0x2 设置文件
./QEMUAppleSilicon/build/qemu-img create -f raw nvme.1 16G
./QEMUAppleSilicon/build/qemu-img create -f raw nvme.2 8M
./QEMUAppleSilicon/build/qemu-img create -f raw nvme.3 128K
./QEMUAppleSilicon/build/qemu-img create -f raw nvme.4 8K
./QEMUAppleSilicon/build/qemu-img create -f raw nvram 8K
./QEMUAppleSilicon/build/qemu-img create -f raw nvme.6 4K
./QEMUAppleSilicon/build/qemu-img create -f raw nvme.7 1M
./QEMUAppleSilicon/build/qemu-img create -f raw nvme.8 3M
./QEMUAppleSilicon/build/qemu-img create -f raw sep_nvram 2K
./QEMUAppleSilicon/build/qemu-img create -f raw sep_ssc 128K需要下载两个固件:
以及
然后全部解压。
mkdir iPhone11_8_iPhone12_1_14.0_18A5351d_Restore && cd iPhone11_8_iPhone12_1_14.0_18A5351d_Restore
unzip ../iPhone11,8,iPhone12,1_14.0_18A5351d_Restore.ipsw
cd ..
mkdir iPhone11,8,iPhone12,1_14.7.1_18G82_Restore && cd iPhone11,8,iPhone12,1_14.7.1_18G82_Restore
unzip ../iPhone11,8,iPhone12,1_14.7.1_18G82_Restore.ipsw
cd ..生成AP Ticket
wget https://github.com/ChefKissInc/QEMUAppleSiliconTools/raw/refs/heads/master/create_apticket.py
wget https://github.com/ChefKissInc/QEMUAppleSiliconTools/raw/refs/heads/master/ticket.shsh2
python3 create_apticket.py n104ap iPhone11_8_iPhone12_1_14.0_18A5351d_Restore/BuildManifest.plist ticket.shsh2 root_ticket.der准备SEP ROM(这里似乎都没有明说,怕吃Apple律师函说是)
wget $(echo aHR0cHM6Ly9zZWN1cmVyb20uZnVuL3Jlc291cmNlcy9TRVBST00vQXBwbGVTRVBST00tQ2VidS1CMQo= | base64 -d)安装img4tool
git clone https://github.com/tihmstar/libgeneral && cd libgeneral && \
./autogen.sh && \
make && \
sudo make install
git clone https://github.com/tihmstar/img4tool && cd img4tool && \
./autogen.sh && \
make && \
sudo make install安装img4lib
git clone --recrusive https://github.com/xerub/img4lib && cd lzfse && \
make && sudo make install && \
cd .. && \
make COMMONCRYPTO=1 && \ # 如果是linux环境不用加参数
sudo make install票据
wget https://github.com/ChefKissInc/QEMUAppleSiliconTools/raw/refs/heads/master/create_septicket.py
python3 create_septicket.py n104ap iPhone11_8_iPhone12_1_14.0_18A5351d_Restore/BuildManifest.plist ticket.shsh2 sep_root_ticket.der
img4tool -e --iv THE_SEP_FW_IV --key THE_SEP_FW_KEY -o sep-firmware.n104.RELEASE iPhone11,8,iPhone12,1_14.7.1_18G82_Restore/Firmware/all_flash/sep-firmware.n104.RELEASE.im4p把上面的THE_SEP_FW_IV,THE_SEP_FW_KEY替换
打包。
img4tool -t rsep -d ff86cbb5e06c820266308202621604696d706c31820258ff87a3e8e0730e300c1604747a3073020407e78000ff868bc9da730e300c160461726d73020400d84000ff87a389da7382010e3082010a160474626d730482010036373166326665363234636164373234643365353332633464666361393732373734353966613362326232366635643962323032383061643961303037666635323834393936383138653962303461336434633034393061663833313630633464356330313832396536633635303836313230666133346539663263323165373237316265623231636139386237386464303064363037326530366464393962666163623262616362623261373830613465636161303363326361333930303931636334613461666231623737326238646234623865653566663365636437373135306531626566333633303034336637373665666265313130316538623433ff87a389da7282010e3082010a160474626d720482010034626631393164373134353637356364306264643131616166373734386138663933373363643865666234383830613130353237633938393833666636366538396438333330623730626237623561333530393864653735353265646635373762656166363137353235613831663161393838373838613865346665363734653936633439353066346136366136343231366561356438653333613833653530353962333536346564633533393664353539653337623030366531633637343633623736306336333164393163306339363965366662373130653962333061386131396338333166353565636365393835363331643032316134363361643030 -c sep-firmware.n104.RELEASE.im4p sep-firmware.n104.RELEASE
img4 -F -o sep-firmware.n104.RELEASE.new.img4 -i sep-firmware.n104.RELEASE.im4p -M sep_root_ticket.der## 0x03 设置peer VM
因为qemu没法走总线共享usb,,作者实现了qemu上通过tcp 发送usb包(且其他的软件没有也不会实现这样一个接收栈)所以我们需要用他编译的qemu再启动一台peer VM用来同步数据。
(就随便装一台ubuntu/debian就行,开一个ssh,转发出来就是正常服务器了)
wget https://mirrors.jlu.edu.cn/debian-cd/12.11.0/amd64/iso-cd/debian-12.11.0-amd64-netinst.iso
qemu-system-x86_64 \
-m 2048 \
-smp 2 \
-hda disk.img \
-cdrom debian-12.11.0-amd64-netinst.iso \
-boot d \
-display cocoa然后安装操作完成之后这样运行:
QEMUAppleSilicon/build/qemu-system-x86_64-unsigned \
-accel tcg \
-m 2048 \
-smp 2 \
-hda disk.img \
-boot d \
-display cocoa \
-usb -device usb-ehci,id=ehci -device usb-tcp-remote,conn-type=ipv4,conn-addr=127.0.0.1,conn-port=8030,bus=ehci.0 \
-nic user,model=virtio-net-pci,hostfwd=tcp::32222-:22 &启动了listen的usb,以及一个转发端口到本地的ssh和net连接
## 0x04 peer VM里配环境
💡
太折磨了,我下辈子不要再配这个b环境了
安装一些不用跑的。
sudo apt install usbmuxd libusbmuxd libplist-devlibtatsu libimobiledevice-glue libimobiledevice idevicerestore这个需要自行构建不想写了qaq(因为我也忘了
最后是把restore的ipsw和ap ticket放到这个peer VM里。
## 0x05 启动!恢复!
配置了这么久终于可以启动了。但是第一次我们需要启动到recovery mode,且需要把usb总线挂到我们peer vm配置的地方。
QEMUAppleSilicon/build/qemu-system-aarch64 -M t8030,trustcache=iPhone11_8_iPhone12_1_14.0_18A5351d_Restore/Firmware/038-44135-124.dmg.trustcache,ticket=root_ticket.der,sep-fw=sep-firmware.n104.RELEASE.new.img4,sep-rom=AppleSEPROM-Cebu-B1,kaslr-off=true,usb-conn-type=ipv4,usb-conn-addr=127.0.0.1,usb-conn-port=8030 \
-kernel iPhone11_8_iPhone12_1_14.0_18A5351d_Restore/kernelcache.research.iphone12b -dtb iPhone11_8_iPhone12_1_14.0_18A5351d_Restore/Firmware/all_flash/DeviceTree.n104ap.im4p \
-append "tlto_us=-1 mtxspin=-1 agm-genuine=1 agm-authentic=1 agm-trusted=1 serial=3 launchd_unsecure_cache=1 wdt=-1" \
-smp 7 -m 4G -serial mon:stdio \
-drive file=sep_nvram,if=pflash,format=raw \
-drive file=sep_ssc,if=pflash,format=raw \
-drive file=nvme.1,format=raw,if=none,id=drive.1 -device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 -device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 -device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 -device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram -device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 -device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 -device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-initrd iPhone11_8_iPhone12_1_14.0_18A5351d_Restore/038-44135-124.dmg \ # 启动参数:Recover内核。
-display cocoa,zoom-to-fit=on,zoom-interpolation=on,show-cursor=on # 在mac上加这一行,在linux 和 windows下是其他的操作。启动完成之后,在peer VM上运行:
idevicerestore --erase --restore-mode -i 0x1122334455667788 iPhone11,8,iPhone12,1_14.0_18A5351d_Restore.ipsw -T root_ticket.der然后慢慢等吧。恢复完成之后,关机不要直接重启,你进不去的)
## 0x06 修补文件系统
禁用一些内容来让它能正常启动。(比如CommCenter,voicemail,locationd之类的),也许jailbreak之类的操作也可以在这里完成。
挂载并开启写权限:
hdiutil attach -imagekey diskimage-class=CRawDiskImage -blocksize 4096 nvme.1
sudo diskutil enableownership /Volumes/System
sudo mount -urw /Volumes/System备份然后patch dyld shared cache。
wget https://github.com/ChefKissInc/QEMUAppleSiliconTools/raw/refs/heads/master/PatchDYLD.sh
sudo chmod +x ./PatchDYLD.sh && sudo ./PatchDYLD.sh # other shells禁用系统服务
cp /Volumes/System/System/Library/xpc/launchd.plist launchd.plist
sudo plutil -convert xml1 /Volumes/System/System/Library/xpc/launchd.plist
sudo nano /Volumes/System/System/Library/xpc/launchd.plist 在打开的编辑器中搜索com.apple.voicemail.vmd.plist,com.apple.CommCenter.plist,com.apple.locationd.plist ,然后在下面添加一行:
<key>Disabled</key>
<true/>
diskutil eject /Volumes/System退出磁盘。
## 0x07 正式启动!!!
终于,在折腾了差不多两天之后终于能正常启动了。
QEMUAppleSilicon/build/qemu-system-aarch64 -M t8030,trustcache=iPhone11_8_iPhone12_1_14.0_18A5351d_Restore/Firmware/038-44135-124.dmg.trustcache,ticket=root_ticket.der,sep-fw=sep-firmware.n104.RELEASE.new.img4,sep-rom=AppleSEPROM-Cebu-B1,kaslr-off=true,usb-conn-type=ipv4,usb-conn-addr=127.0.0.1,usb-conn-port=8030 \
-kernel iPhone11_8_iPhone12_1_14.0_18A5351d_Restore/kernelcache.research.iphone12b -dtb iPhone11_8_iPhone12_1_14.0_18A5351d_Restore/Firmware/all_flash/DeviceTree.n104ap.im4p \
-append "tlto_us=-1 mtxspin=-1 agm-genuine=1 agm-authentic=1 agm-trusted=1 serial=3 launchd_unsecure_cache=1 wdt=-1" \
-smp 7 -m 4G -serial mon:stdio \
-drive file=sep_nvram,if=pflash,format=raw \
-drive file=sep_ssc,if=pflash,format=raw \
-drive file=nvme.1,format=raw,if=none,id=drive.1 -device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 -device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 -device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 -device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram -device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 -device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 -device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-display cocoa,zoom-to-fit=on,zoom-interpolation=on,show-cursor=on # 在mac上加这一行,在linux 和 windows下是其他的操作。然后,享受你的,在qemu上跑的,卡卡的iOS吧。
## 7.17 Update
设置网络:
我们的网络需要走peer VM通过usb分享。方式如下:
首先,usbmuxd必须是最新的(从github仓库clone下来运行的),且在启动daemon时需要添加环境变量:USBMUXD_DEFAULT_DEVICE_MODE=3
另外,usb驱动必须是cdc_ncm而不是ipketh。
最后,你需要通过一些设置把ensxx的网卡内容转发到cdc_ncm提供的虚拟网卡上。
sudo systemctl edit --full usbmuxd.service # 添加启动环境变量
# [Service]
# Environment=USBMUXD_DEFAULT_DEVICE_MODE=3
# ExecStart=/usr/local/sbin/usbmuxd --user usbmux --systemd
sudo rmmod ipketh
sudo modprobe cdc_ncm # 你用sudo dmesg 看到内核log里面注册上了cdc就成功了
## 嗯最后那点网络还没配置完,等我配置好了再写(xxx## 7.23 Update
QEMU实现处理器中对SEP请求做了Patch,这导致这个设备不能非常完善的使用keychain。当然,我们也许可以尝试进行一些优化。如果优化成功是不是就能被苹果聘用了