
iOS14 launchd patch #1

Closed sickcodes closed 4 years ago

sickcodes commented 4 years ago

Missing:

  1. fstab boot alternative (it boots with it there; it shouldn't)
  2. launchd patch to run unsigned apps

Download iOS 14 for the iPhone 6s from:

https://api.ipsw.me/v4/ipsw/download/iPhone8,1/18A393

https://ipsw.me/download/iPhone8,1/18A393

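# Fetch the IPSW and unpack it.  Apple's CDN serves the archive over plain
# HTTP and the .ipsw itself carries no signature, so compare it against the
# SHA-1 that ipsw.me publishes for this build before unpacking it; export
# IPSW_SHA1=<sha1 from ipsw.me> (placeholder, not a real value) to enable
# that check.
# The original downloaded 18A393 but unzipped a file named 18A373; the
# archive name is now derived from the URL so the two cannot drift apart.
# Note that the ramdisk/volume names used later in these notes
# (Azul18A373.*) belong to the 18A373 build, so point IPSW_URL at whichever
# build the rest of the procedure is meant to use.
IPSW_URL=http://updates-http.cdn-apple.com/2020SummerFCS/fullrestores/001-50286/824AF39B-1ED4-415B-91E3-7665E0EA6E0B/iPhone_4.7_14.0.1_18A393_Restore.ipsw
IPSW=${IPSW_URL##*/}

wget "$IPSW_URL"
if [[ -n "${IPSW_SHA1:-}" ]]; then
  printf '%s  %s\n' "$IPSW_SHA1" "$IPSW" | sha1sum -c - || exit 1
fi

unzip "$IPSW"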

# Fetch the three upstream trees side by side in the current directory: the
# Aleph bootstrap tools, Apple's XNU sources (exported as XNU_SOURCES below)
# and the Aleph QEMU fork, which needs its submodules.
for upstream in \
  https://github.com/alephsecurity/xnu-qemu-arm64-tools.git \
  https://github.com/apple/darwin-xnu.git; do
  git clone "$upstream"
done
git clone --recursive https://github.com/alephsecurity/xnu-qemu-arm64.git

# Unwrap the kernelcache (ASN.1 container, then LZSS) and the device tree
# with the Aleph bootstrap scripts, then dump the kernel symbol table.
bootstrap=xnu-qemu-arm64-tools/bootstrap_scripts
kc=kernelcache.release.n71
dt=Firmware/all_flash/DeviceTree.n71ap.im4p

python3 "$bootstrap/asn1kerneldecode.py" "$kc" "$kc.asn1decoded"
python3 "$bootstrap/decompress_lzss.py" "$kc.asn1decoded" "$kc.out"
python3 "$bootstrap/asn1dtredecode.py" "$dt" "$dt.out"

# get symbols, FYI need to use llvm-nm on Linux
# (GNU nm's stderr is discarded; presumably it cannot read this Mach-O,
# hence the llvm-nm fallback when it fails)
nm "$kc.out" > symbols.nm 2>/dev/null || llvm-nm "$kc.out" > symbols.nm

# Environment consumed by the Aleph build/gdb scripts.  Paths are anchored
# at the current directory so they stay valid after the cd's below.
export XNU_SOURCES="${PWD}/darwin-xnu"
export KERNEL_SYMBOLS_FILE="${PWD}/symbols.nm"
export QEMU_DIR="${PWD}/xnu-qemu-arm64"
export NUM_BLOCK_DEVS=2

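# DARWIN STATES
# Pin xnu-qemu-arm64-tools to a known commit after adding the sickcodes and
# MCApollo forks as extra remotes.  The section runs in a subshell so the
# working directory is restored afterwards, and the cd is guarded: without
# the guard a failed clone would make every `git reset --hard` below run
# against whatever repository the *current* directory belongs to.
(
  cd ./xnu-qemu-arm64-tools || exit 1
  git reset --hard HEAD^1
  git checkout master
  # `remote add` fails harmlessly on a re-run if the remote already exists
  git remote add sickcodes https://github.com/sickcodes/xnu-qemu-arm64-tools.git
  git remote add mcapollo https://github.com/MCApollo/xnu-qemu-arm64-tools.git
  git fetch --all
  # second reset/pull kept from the original; the explicit checkout below
  # decides the final state regardless
  git reset --hard HEAD^1
  git pull --all
  git checkout 10ce50869ce573725774cd0e9a2a431ff3beec5c
  echo 'Thank you MCApollo && Lev Aronsky!'
)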

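# Same procedure for the QEMU fork: add the sickcodes and MCApollo remotes
# and pin to a known commit.  Subshell + guarded cd, so a failed clone cannot
# turn the `git reset --hard` lines loose on the parent directory's repo.
(
  cd ./xnu-qemu-arm64 || exit 1
  git reset --hard HEAD^1
  git checkout master
  # `remote add` fails harmlessly on a re-run if the remote already exists
  git remote add sickcodes https://github.com/sickcodes/xnu-qemu-arm64.git
  git remote add mcapollo https://github.com/MCApollo/xnu-qemu-arm64.git
  git fetch --all
  # second reset/pull kept from the original; the checkout below decides
  # the final state regardless
  git reset --hard HEAD^1
  git pull --all
  git checkout bbd2d9955021d72d5dbfccc94a034cc671c41181
  echo 'Thank you MCApollo && Lev Aronsky!'
)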

# will NOT work on GNU right now, but will work on OSX
# Rebuild the Aleph custom block-device driver from a clean tree.  The
# second make runs even if clean fails, as in the original.
bdev_drv=xnu-qemu-arm64-tools/aleph_bdev_drv
make -C "$bdev_drv" clean
make -C "$bdev_drv"

# Unwrap the two ramdisk DMGs from the IPSW.  The third one (048-58666-519)
# did not decode, so the raw .dmg is what gets copied to the Mac later.
rdskdecode=xnu-qemu-arm64-tools/bootstrap_scripts/asn1rdskdecode.py
for dmg in ./048-58813-634.dmg ./048-58904-639.dmg; do
  python3 "$rdskdecode" "$dmg" "$dmg.out"
done
# python3 xnu-qemu-arm64-tools/bootstrap_scripts/asn1rdskdecode.py ./048-58666-519.dmg ./048-58666-519.dmg.out #failed

# /run/media/user/OS/LINUX/IPSW/048-58666-519.dmg

printf '%s\n' "BIG DISK ./048-58666-519.dmg"
printf '%s\n' "LITTLE DISK ./048-58904-639.dmg.out #98"

Offload to OSX

# Offload both images to the Mac (ssh host "macc") under the names the rest
# of the notes use: decoded small ramdisk -> hfs.14.main, raw big DMG ->
# hfs.14.sec.
for pair in ./048-58904-639.dmg.out:hfs.14.main ./048-58666-519.dmg:hfs.14.sec; do
  scp "${pair%%:*}" "macc:~/${pair##*:}"
done

In OSX:


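# Grow the decoded ramdisk to 10G, mount both images and rebuild the ramdisk
# volume from the OS volume.  Everything below is `sudo rm -rf`/rsync against
# a path under /Volumes, so refuse to continue unless both paths are actually
# mounted volumes: had the attach failed, the original would have rsync'd the
# whole OS tree into a fresh directory on the host's root volume instead.
ramdisk=/Volumes/Azul18A373.arm64CustomerRamDisk
os_vol=/Volumes/Azul18A373.N71OS

hdiutil resize -size 10G -imagekey diskimage-class=CRawDiskImage ./hfs.14.main
hdiutil attach -imagekey diskimage-class=CRawDiskImage ./hfs.14.main
hdiutil attach ./hfs.14.sec

for vol in "$ramdisk" "$os_vol"; do
  mount | grep -qF " on $vol " || { printf 'not mounted: %s\n' "$vol" >&2; exit 1; }
done

sudo diskutil enableownership "$ramdisk/"
sudo rm -rf -- "${ramdisk:?}"/*
# `src/*` skips dotfiles at the top level, exactly as the original did; use
# "$os_vol"/ as the source if those turn out to be needed.
sudo rsync -av "$os_vol"/* "$ramdisk/"
sudo chown root "$ramdisk/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64"

# /private/var is mounted from the second disk at boot (see the fstab and
# mount_sec daemon later), so the copied contents are emptied out
sudo rm -rf -- "${ramdisk:?}/private/var"/*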

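# Drop jakeajames' iosbinpack64 (provides the /iosbinpack64/bin/bash and
# dropbear used by the LaunchDaemons below) into the ramdisk root.
# The cd is guarded and done in a subshell: if the clone failed, the original
# would have extracted/copied from the current directory and `cd -` would
# have jumped somewhere unexpected.
git clone https://github.com/jakeajames/rootlessJB
(
  cd rootlessJB/rootlessJB/bootstrap/tars/ || exit 1
  tar xvf iosbinpack.tar
  sudo cp -R iosbinpack64 /Volumes/Azul18A373.arm64CustomerRamDisk/
  echo "Thank you @jakeajames!"
)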

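# Make sure dropbear's tools are installed on the Mac, generate an RSA key
# and stage it into the ramdisk's /etc/dropbear.
# Bug fix: `command dropbear` does not test for the binary, it *runs* it
# (i.e. it starts an SSH server on the host whenever dropbear is installed);
# `command -v` is the presence check that was intended.
command -v dropbear >/dev/null || brew install dropbear

# dropbearkey prints the public key on stdout; only the key line is kept.
# The private key is written into hfs.14.main, so anyone who later receives
# a copy of that image holds this host identity.
dropbearkey -t rsa -f ./dropbear_key | grep "^ssh-rsa " >> dropbear_key.pub
sudo mkdir -p /Volumes/Azul18A373.arm64CustomerRamDisk/etc/dropbear
sudo cp dropbear_key /Volumes/Azul18A373.arm64CustomerRamDisk/etc/dropbear/dropbear_key
sudo cp dropbear_key.pub /Volumes/Azul18A373.arm64CustomerRamDisk/etc/dropbear/dropbear_key.pub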

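### MAC

# Generate Dropbear host keys and drop them inside the ramdisk image, in both
# /etc/dropbear and /var/dropbear (the original populated both; which one the
# bundled dropbear reads is not established here).
# Linux branch: the ramdisk is mounted under /run/media/user, keys are
# generated in the cwd and copied in.  macOS branch: keys are generated
# directly inside the mounted volume.
# Either way the private host keys end up inside hfs.14.main, so anyone who
# receives a copy of that image holds the guest's SSH host identity.
if [[ $(uname) = Linux ]]; then
    ramdisk=/run/media/user/Azul18A373.arm64CustomerRamDisk
    # -f: on a first run there is nothing to delete, which must not error
    sudo rm -f ./dropbear_ecdsa_host_key ./dropbear_rsa_host_key ./dropbear_ed25519_host_key
    sudo mkdir -p "$ramdisk/var/dropbear/" "$ramdisk/etc/dropbear/"

    # dropbearkey prints the public key on stdout; keep only the key line.
    # `>` instead of `>>`: the private key was just regenerated, so an
    # appended .pub would accumulate stale public keys on every re-run.
    sudo dropbearkey -t ecdsa -f ./dropbear_ecdsa_host_key | grep "^ecdsa-sha2-nistp256 " > dropbear_ecdsa_host_key.pub
    sudo dropbearkey -t rsa -f ./dropbear_rsa_host_key | grep "^ssh-rsa " > dropbear_rsa_host_key.pub
    sudo dropbearkey -t ed25519 -f ./dropbear_ed25519_host_key | grep "^ssh-ed25519 " > dropbear_ed25519_host_key.pub

    KEY_FILES=(
        dropbear_ecdsa_host_key
        dropbear_ecdsa_host_key.pub
        dropbear_rsa_host_key
        dropbear_rsa_host_key.pub
        dropbear_ed25519_host_key
        dropbear_ed25519_host_key.pub
    )
    for KEY_FILE in "${KEY_FILES[@]}"; do
        for dest in "$ramdisk/var/dropbear" "$ramdisk/etc/dropbear"; do
            sudo cp -f "${KEY_FILE}" "$dest/${KEY_FILE}"
        done
    done

else
    ramdisk=/Volumes/Azul18A373.arm64CustomerRamDisk
    sudo mkdir -p "$ramdisk/var/dropbear/" "$ramdisk/etc/dropbear/"
    # One key per algorithm in each directory, same order as the original.
    # DSS (DSA) is a legacy algorithm and is kept only because the original
    # generated it.  dropbearkey presumably refuses to overwrite an existing
    # key, so delete the old ones before a re-run.
    for dir in etc var; do
        for alg in dss rsa ecdsa ed25519; do
            sudo dropbearkey -t "$alg" -f "$ramdisk/$dir/dropbear/dropbear_${alg}_host_key"
        done
    done
fi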

# Install four LaunchDaemons into the ramdisk.  `sudo tee` is used (rather
# than a redirection) so the write itself runs as root; tee also echoes each
# plist to stdout, as the original did.  All heredoc delimiters are quoted:
# the plists are literal and contain nothing to expand.
launch_daemons=/Volumes/Azul18A373.arm64CustomerRamDisk/System/Library/LaunchDaemons
install_daemon() {
    sudo tee "${launch_daemons}/$1"
}

# A root bash on the serial console at boot.  Umask 0 means files it creates
# are world-writable.
install_daemon bash.plist <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnablePressuredExit</key>
    <false/>
    <key>Label</key>
    <string>com.apple.bash</string>
    <key>POSIXSpawnType</key>
    <string>Interactive</string>
    <key>ProgramArguments</key>
    <array>
        <string>/iosbinpack64/bin/bash</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StandardErrorPath</key>
    <string>/dev/console</string>
    <key>StandardInPath</key>
    <string>/dev/console</string>
    <key>StandardOutPath</key>
    <string>/dev/console</string>
    <key>Umask</key>
    <integer>0</integer>
    <key>UserName</key>
    <string>root</string>
</dict>
</plist>
EOF

# Mounts /private/var at boot (the second disk, per the fstab written later).
install_daemon mount_sec.plist <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.mount_sec</string>
    <key>EnablePressuredExit</key>
    <false/>
    <key>EnableTransactions</key>
    <false/>
    <key>HighPriorityIO</key>
    <true/>
    <key>Label</key>
    <string>mount_sec</string>
    <key>POSIXSpawnType</key>
    <string>Interactive</string>
    <key>ProgramArguments</key>
    <array>
        <string>/sbin/mount</string>
        <string>/private/var</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>Umask</key>
    <integer>0</integer>
    <key>UserName</key>
    <string>root</string>
</dict>
</plist>
EOF

# The tcp-tunnel helper (built from xnu-qemu-arm64-tools/tcp-tunnel below):
# forwards port 2222 to the SSH port on loopback, restarted by KeepAlive.
install_daemon tcptunnel.plist <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.tcptunnel</string>
    <key>EnablePressuredExit</key>
    <false/>
    <key>EnableTransactions</key>
    <false/>
    <key>HighPriorityIO</key>
    <false/>
    <key>KeepAlive</key>
    <true/>
    <key>Label</key>
    <string>TcpTunnel</string>
    <key>POSIXSpawnType</key>
    <string>Interactive</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/tunnel</string>
        <string>2222:127.0.0.1:22</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>Umask</key>
    <integer>0</integer>
    <key>UserName</key>
    <string>root</string>
</dict>
</plist>
EOF

# Dropbear SSH server as root: -R creates missing host keys, -E logs to
# stderr, -F stays in the foreground (so KeepAlive can supervise it).
# `--shell` is not an upstream dropbear option; presumably specific to the
# iosbinpack64 build -- verify against that binary.
install_daemon dropbear.plist <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.dropbear</string>
    <key>EnablePressuredExit</key>
    <false/>
    <key>EnableTransactions</key>
    <false/>
    <key>HighPriorityIO</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
    <key>Label</key>
    <string>Dropbear</string>
    <key>POSIXSpawnType</key>
    <string>Interactive</string>
    <key>ProgramArguments</key>
    <array>
        <string>/iosbinpack64/usr/local/bin/dropbear</string>
        <string>--shell</string>
        <string>/iosbinpack64/bin/bash</string>
        <string>-R</string>
        <string>-E</string>
        <string>-F</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>Umask</key>
    <integer>0</integer>
    <key>UserName</key>
    <string>root</string>
</dict>
</plist>
EOF

# sudo sed -i -e 's%REPLACE_ME%/iosbinpack64%g' /Volumes/Azul18A373.arm64CustomerRamDisk/iosbinpack64/dropbear.plist

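# Install jtool (newosxbook.com) into /usr/local/bin.  The tarball is fetched
# over plain HTTP with no integrity check, and what gets installed is a
# root-run code-signing tool; compare the archive against a checksum obtained
# out of band before trusting it.  Export JTOOL_SHA256=<sha256> (placeholder,
# not a real value) to enable that check.
mkdir -p jtool
(
  # guarded cd: had it failed, the original ran `sudo chmod +x *` on every
  # file in the *current* directory
  cd jtool || exit 1
  wget http://newosxbook.com/tools/jtool.tar
  if [[ -n "${JTOOL_SHA256:-}" ]]; then
    printf '%s  jtool.tar\n' "$JTOOL_SHA256" | shasum -a 256 -c - || exit 1
  fi
  tar xvf jtool.tar
  sudo chmod +x -- *
  sudo cp jtool /usr/local/bin
)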

# theos SDK collection; SDK_DIR below points at iPhoneOS11.2.sdk inside it
theos_sdks=https://github.com/theos/sdks.git
git clone "$theos_sdks"

# Inputs for the Aleph build/run scripts, all anchored at the current
# directory (IOS_DIR).  QEMU_TOOLS_DIR keeps its trailing slash.
export IOS_DIR="$PWD" \
       XNU_SOURCES="$PWD/darwin-xnu" \
       KERNEL_SYMBOLS_FILE="$PWD/symbols.nm" \
       QEMU_DIR="$PWD/xnu-qemu-arm64" \
       QEMU_TOOLS_DIR="$PWD/xnu-qemu-arm64-tools/" \
       NUM_BLOCK_DEVS=2 \
       KERNEL_CACHE="$PWD/kernelcache.release.n71.out" \
       DTB_FIRMWARE="$PWD/Firmware/all_flash/DeviceTree.n71ap.im4p.out" \
       DRIVER_FILENAME="$PWD/aleph_bdev_drv.bin" \
       HFS_MAIN="$PWD/hfs.14.main" \
       HFS_SEC="$PWD/hfs.14.sec" \
       SDK_DIR="$PWD/sdks/iPhoneOS11.2.sdk"

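# Update tree & Build the Custom Block Device Driver
# The pulls run in guarded subshells: the original `cd ${QEMU_TOOLS_DIR};
# git pull; cd ${IOS_DIR}` would have run `git pull` in whatever directory it
# happened to be in had the first cd failed.
( cd "${QEMU_TOOLS_DIR}" || exit 1; git pull )

echo "Thanks you @Maroc-OS for these edits!"

make -C "${QEMU_TOOLS_DIR}/aleph_bdev_drv" clean
make -C "${QEMU_TOOLS_DIR}/aleph_bdev_drv"
cp "${QEMU_TOOLS_DIR}/aleph_bdev_drv/bin/aleph_bdev_drv.bin" "${DRIVER_FILENAME}"

# Update tree & Build XNU QEMU for iOS
# (only the pull happens here; the configure/build is further down)
( cd "${QEMU_DIR}" || exit 1; git pull --all )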

# Entitlements file handed to `jtool --sign --ent ent.xml` below: marks the
# binary as a platform application and drops the container requirement.
# Quoted delimiter -- the plist is literal, there is nothing to expand.
tee ./ent.xml <<'EOF'
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>platform-application</key>
        <true/>
        <key>com.apple.private.security.container-required</key>
        <false/>
    </dict>
</plist>
EOF

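# Build and install the tcp-tunnel helper (its bin/tunnel is copied into the
# ramdisk as /bin/tunnel further down).  Guarded cd in a subshell: without
# it a missing directory meant `make distclean` ... `make install` ran in
# the current directory.
(
  cd xnu-qemu-arm64-tools/tcp-tunnel || exit 1
  make distclean
  make clean
  make
  make install
)

# re attach
hdiutil attach -imagekey diskimage-class=CRawDiskImage ./hfs.14.main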

Looking to patch DeviceTree.n71ap.im4p to run the RAM disk

Back in Linux:

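# Decode the device tree with img4 (from the AUR img4lib-git package -- an
# AUR recipe builds third-party code from source, so review the PKGBUILD as
# with any AUR install) and dump it with freedomtan's dtdump.
yay img4lib-git
img4 -image Firmware/all_flash/DeviceTree.n71ap.im4p DeviceTree.n71ap.im4p.bin
git clone https://github.com/freedomtan/iOS-device-tree-dump.git
# guarded cd: otherwise a failed clone ran `make` in the current directory
( cd iOS-device-tree-dump || exit 1; make )
export PATH="$PWD/iOS-device-tree-dump:$PATH"
dtdump DeviceTree.n71ap.im4p.bin
# second pass filtered to the lines containing a '/'
dtdump DeviceTree.n71ap.im4p.bin | grep \/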

Back in OSX:

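# Replace the ramdisk's fstab (root read-only from disk0, /private/var
# read-write from disk1 with nosuid,nodev), keep a copy of the original, and
# save the stock launchd before it is patched.
ramdisk=/Volumes/Azul18A373.arm64CustomerRamDisk

# Back up only once: re-running the original `cp` after the fstab below had
# been written replaced the backup with the already-patched file.
[[ -e "$ramdisk/etc/fstab_orig" ]] || sudo cp "$ramdisk/etc/fstab" "$ramdisk/etc/fstab_orig"

sudo tee "$ramdisk/etc/fstab" <<'EOF'
/dev/disk0 / hfs ro 0 1
/dev/disk1 /private/var hfs rw,nosuid,nodev 0 2
EOF

# keybagd is dropped from the boot set; -f so a re-run does not error on the
# already-removed file
sudo rm -f "$ramdisk/System/Library/LaunchDaemons/com.apple.mobile.keybagd.plist"

sudo cp "$ramdisk/sbin/launchd" ./launchd_unpatched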

Patch launchd somehow

OSX: insert the tunnel back in


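# Re-attach the image, drop the freshly built tunnel in, sign the binaries
# that need it with ent.xml, and build a static trust cache from their
# CDHashes.
ramdisk=/Volumes/Azul18A373.arm64CustomerRamDisk
hdiutil attach -imagekey diskimage-class=CRawDiskImage ./hfs.14.main
sudo cp -f xnu-qemu-arm64-tools/tcp-tunnel/bin/tunnel "$ramdisk/bin/tunnel"
# SIGN everything that wants a signature and add to static trust cache
>tchashes
>static_tc

# sign the patched launchd, the patched dyld, and the tcp-tunnel
sudo jtool --sign --ent ent.xml --ident com.apple.xpc.launchd --inplace "$ramdisk/sbin/launchd"
sudo jtool --sign --ent ent.xml --inplace "$ramdisk/usr/lib/dyld"
sudo jtool --sign --ent ent.xml --inplace "$ramdisk/bin/tunnel"

# rip out the trust cache hashes and add to your very own static trust cache.
# The original appended whatever the pipeline produced: if jtool printed no
# CDHash line, that binary silently went missing from the trust cache.  Each
# extracted value is now required to be the 40 hex digits `cut -c 1-40`
# is meant to yield before it is recorded.
for bin in "$ramdisk/sbin/launchd" "$ramdisk/usr/lib/dyld" "$ramdisk/bin/tunnel"; do
    hashes=$(sudo jtool --sig --ent "$bin" | grep CDHash | cut -d' ' -f6 | cut -c 1-40)
    [[ -n "$hashes" ]] || { printf 'no CDHash found for %s\n' "$bin" >&2; exit 1; }
    while IFS= read -r cdhash; do
        [[ "$cdhash" =~ ^[0-9a-fA-F]{40}$ ]] || { printf 'unexpected CDHash %q for %s\n' "$cdhash" "$bin" >&2; exit 1; }
        printf '%s\n' "$cdhash" >> ./tchashes
    done <<<"$hashes"
done

python xnu-qemu-arm64-tools/bootstrap_scripts/create_trustcache.py tchashes static_tc

hdiutil detach "$ramdisk"

echo 'FIN; Docker-eyeOS'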

Get images back into Linux

# Pull the finished images and the trust-cache artifacts back from the Mac
# (reached over ssh forwarded to localhost:50922).
for artifact in static_tc tchashes hfs.14.main hfs.14.sec; do
  scp -P 50922 "fullname@localhost:~/$artifact" .
done

Run Docker-eyeOS with debugging

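# Run the container with KVM and the QEMU gdb stub enabled.
# Both published ports are bound to loopback: 2222 reaches the guest's root
# dropbear via the tcptunnel daemon (per the plists above), and 1233 maps to
# the gdb stub on 1234 (GDB_ARGS='-S -s'), which hands whoever connects full
# control of the guest.  The original published both on every interface;
# set BIND_ADDR=0.0.0.0 to get that back deliberately.
# --privileged is kept from the original; --device /dev/kvm alone may be
# enough for the image -- verify before dropping it.
BIND_ADDR=${BIND_ADDR:-127.0.0.1}
docker run -it --privileged \
    --device /dev/kvm \
    -e RAM=6 \
    -e HFS_MAIN=./images/hfs.14.main \
    -e HFS_SEC=./images/hfs.14.sec \
    -p "${BIND_ADDR}:2222:2222" \
    -v "$PWD:/home/arch/docker-eyeos/images" \
    -e "DISPLAY=${DISPLAY:-:0.0}" \
    -v /tmp/.X11-unix:/tmp/.X11-unix \
    -p "${BIND_ADDR}:1233:1234" \
    -e GDB_ARGS='-S -s' \
    sickcodes/docker-eyeos:latest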

Connect to container running iOS14

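# Attach to the running container and start gdb-multiarch from the Aleph gdb
# directory.  The id below is the one from these notes; override it with
# CONTAINER_ID=<id from docker ps> instead of editing the line.  `&&` so gdb
# is not started from the wrong directory if the cd fails.
CONTAINER_ID=${CONTAINER_ID:-e712e685b9b5}
docker exec -it "$CONTAINER_ID" /bin/bash -c "cd /home/arch/docker-eyeos/xnu-qemu-arm64-tools/gdb && gdb-multiarch -q"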
sickcodes commented 4 years ago

Need to edit the Dockerfile; building locally for now.

# Same environment as the OSX section, re-exported for the local build:
# every path is rooted at the current directory, which also becomes IOS_DIR.
here=$PWD
export XNU_SOURCES="${here}/darwin-xnu"
export KERNEL_SYMBOLS_FILE="${here}/symbols.nm"
export QEMU_DIR="${here}/xnu-qemu-arm64"
export QEMU_TOOLS_DIR="${here}/xnu-qemu-arm64-tools/"   # trailing slash kept
export NUM_BLOCK_DEVS=2
export KERNEL_CACHE="${here}/kernelcache.release.n71.out"
export DTB_FIRMWARE="${here}/Firmware/all_flash/DeviceTree.n71ap.im4p.out"
export DRIVER_FILENAME="${here}/aleph_bdev_drv.bin"
export IOS_DIR="${here}"
export HFS_MAIN="${here}/hfs.14.main"
export HFS_SEC="${here}/hfs.14.sec"
export SDK_DIR="${here}/sdks/iPhoneOS11.2.sdk"

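# Build the Aleph QEMU fork at MCApollo's "lost commit" and launch the guest.
# The cd is guarded: had it failed, the original ran `sudo make distclean`
# in the current directory.  Building under sudo is kept from the original
# (it leaves root-owned build output, which is why the clean steps also need
# sudo).
cd xnu-qemu-arm64 || exit 1

echo "Switching to The Lost Commit by @MCApollo" \
    && git checkout -f c84d3e3a71a9454a6222418fe726729ff2d0eae3

sudo make distclean \
    && sudo make clean \
    && sudo ./configure --target-list=aarch64-softmmu \
    --disable-capstone \
    --disable-pie \
    --disable-slirp \
    --disable-werror

# --ignore-errors keeps going past failing targets, so a broken build would
# only surface as a missing binary; that is checked explicitly below.
sudo make --ignore-errors -j8

cd - || exit 1
[[ -x xnu-qemu-arm64/aarch64-softmmu/qemu-system-aarch64 ]] \
    || { printf 'qemu-system-aarch64 was not built\n' >&2; exit 1; }

# GDB_ARGS and EXTRA are intentionally unquoted: they carry several
# space-separated options (e.g. GDB_ARGS='-S -s' for the gdb stub).
# The machine model is the n66 (6s Plus) while the firmware decoded above is
# n71 (6s); both are s8000 -- presumably intentional, confirm.
# shellcheck disable=SC2086
sudo xnu-qemu-arm64/aarch64-softmmu/qemu-system-aarch64 ${GDB_ARGS} \
    -M iPhone6splus-n66-s8000,kernel-filename=${KERNEL_CACHE},dtb-filename=${DTB_FIRMWARE},driver-filename=${DRIVER_FILENAME},qc-file-0-filename=${HFS_MAIN},qc-file-1-filename=${HFS_SEC},kern-cmd-args="debug=0x8 kextlog=0xfff cpus=1 rd=disk0 serial=2",xnu-ramfb=off \
    -cpu max \
    -m "${RAM:-6}G" \
    -serial mon:stdio \
    -vga std \
    ${EXTRA:-}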

Segmentation fault xD

The post above is actually attempting to run iOS 14 on an iOS 12 kernel; might delete later.