TrungNguyen1909 / qemu-t8030

iPhone 11 emulated on QEMU

Regression: can no longer load iOS 15.3.1 #48

Closed asdfugil closed 2 years ago

asdfugil commented 2 years ago

I cannot load my iOS 15.3.1 VM anymore (it was working previously).

qemu-system-aarch64: ../hw/arm/t8030.c:854: void t8030_create_i2c(MachineState *, const char *): Assertion `child' failed.

QEMU output:

Loading iOS 15.3...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00a120738
KPF: found apfs_vfsop_mount
KPF: found handle_eval_rootauth
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff007d51ae0
kpf_amfi_callback: Found lookup_in_static_trust_cache
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff009d0b8f0
kpf_amfi_callback: Found lookup_in_trust_cache_module
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
qemu-system-aarch64: ../hw/arm/t8030.c:854: void t8030_create_i2c(MachineState *, const char *): Assertion `child' failed.
Aborted

It looks like there is a problem during machine init. Boot command:

${HOME}/qemu-t8030/build/qemu-system-x86_64 -smp 4 -m 768 \
-machine q35 \
-device virtio-vga,xres=640,yres=480 \
-enable-kvm \
-cpu qemu64 \
-usb \
-device usb-ehci,id=ehci \
-device usb-tcp-remote,bus=ehci.0 \
-drive file=${HOME}/vm_images/kali.qcow2 \
-net user,hostfwd=tcp::8122-:22 \
-net nic \
-monitor telnet:127.0.0.1:1236,server,nowait &
sleep 1
# kernelcache.research.iphone12b.out
${HOME}/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=018-92126-069.dmg.trustcache.out,ticket-filename=${HOME}/vm_images/t8030/root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb DeviceTree.n104ap.im4p \
-append "rd=disk0s1s1 kextlog=0xffff debug=0x14e -v launchd_missing_exec_no_panic=1 serial=3 wdt=-1 keepsyms=1 launchd_unsecure_cache=1" \
-initrd 018-92126-069.dmg.out \
-cpu max -smp 4 \
-m 4G -serial mon:stdio \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait

Using ecb8ff6ce750226a80ca2acb4508a1a01db565f4 with the FastSim workaround. Host: Debian 11 bullseye, Linux 5.16.0-0.bpo.3-amd64. I have a core dump; not sure how useful it is.

TrungNguyen1909 commented 2 years ago

Yeah, this is a regression. You can temporarily work around that by replacing the assert with if (!child) return;

I will push a fix when appropriate.

TrungNguyen1909 commented 2 years ago

Fixed in ba738a11f8