Run the iPhone's xnu-qemu-arm64 (iOS) in a Docker container
Supports KVM + GDB kernel debugging! Run armv8-A in a Docker! Works on ANY device!
Run iPhone (xnu-arm64) in a Docker container! Supports KVM + iOS kernel debugging (GDB)! Run xnu-qemu-arm64 in Docker! Works on ANY device.
https://hub.docker.com/r/sickcodes/docker-eyeos
mkdir -p images
cd images
wget https://images.sick.codes/hfs.sec.zst
wget https://images.sick.codes/hfs.main.zst
# decompress the images (uses about 15 GB of disk)
zstd -d hfs.main.zst
zstd -d hfs.sec.zst
docker pull sickcodes/docker-eyeos:latest
docker run -it --privileged \
--device /dev/kvm \
-e RAM=6 \
-e HFS_MAIN=./images/hfs.main \
-e HFS_SEC=./images/hfs.sec \
-p 2222:2222 \
-v "$PWD:/home/arch/docker-eyeos/images" \
-e "DISPLAY=${DISPLAY:-:0.0}" \
-v /tmp/.X11-unix:/tmp/.X11-unix \
sickcodes/docker-eyeos:latest
ssh root@localhost -p 2222
# password is alpine
# -----> Try to SSH about 4 times
# -----> you also need to hit Enter a few times in the container terminal to kick it along
Hit enter a few times in the container terminal until you see -bash-4.4#
SSH into the container on localhost:2222
or containerIP:2222
docker run -it --privileged \
--device /dev/kvm \
-e RAM=6 \
-e HFS_MAIN=./images/hfs.main \
-e HFS_SEC=./images/hfs.sec \
-p 2222:2222 \
-v "$PWD:/home/arch/docker-eyeos/images" \
-e "DISPLAY=${DISPLAY:-:0.0}" \
-v /tmp/.X11-unix:/tmp/.X11-unix \
-p 1233:1234 \
-e GDB_ARGS='-S -s' \
sickcodes/docker-eyeos:latest
# QEMU will halt (-S) until GDB connects
# get container ID
docker ps
docker exec -it 3cb2d14fc11a /bin/bash -c "cd /home/arch/docker-eyeos/xnu-qemu-arm64-tools/gdb; gdb-multiarch -q"
# run
source load.py
target remote localhost:1234
# once you have SSH'ed in, export PATH and look busy!
export PATH=/iosbinpack64/usr/bin:/iosbinpack64/bin:/iosbinpack64/usr/sbin:/iosbinpack64/sbin:$PATH
sudo losetup -f
sudo losetup /dev/loop0 ./hfs.main
# mount in a file manager
# unmount and delete loop device when done
sudo losetup -d /dev/loop0
TCP Tunnel for Linux rework:
# run Docker-eyeOS with
-e GDB_ARGS='-S -s' \
# get container id
docker ps
# run gdb-multiarch
docker exec containerid /bin/bash -c "cd /home/arch/docker-eyeos/xnu-qemu-arm64-tools/gdb; gdb-multiarch -q"
# run
source load.py
target remote localhost:1234
Run outside the container
# Ubuntu, Debian, Pop!_OS
sudo apt install gdb-multiarch
# Arch, Manjaro
sudo pacman -S gdb-multiarch
git clone https://github.com/alephsecurity/xnu-qemu-arm64-tools.git
cd ./xnu-qemu-arm64-tools/gdb
sudo gdb-multiarch -q
source load.py
target remote localhost:1234
See https://alephsecurity.com/2020/07/19/xnu-qemu-kvm/
# proposed docker env command-line args for toggling KVM
-e KVM=true
-e KVM=false
Docker-eyeOS is an exploration platform for researchers and anyone who is interested in the XNU kernel.
osx-build-xnu-disks.sh (shell script): image build script for Docker-OSX
# compress images for any reason
zstd -k hfs.main
zstd -k hfs.sec
# decompress images
zstd -d hfs.main.zst
zstd -d hfs.sec.zst
# after you decompress the HFS Plus images, you must fsck them (using hfsprogs) until they check clean; that can take more than one pass.
fsck.hfsplus -fp ./hfs.sec
fsck.hfsplus -fp ./hfs.sec
fsck.hfsplus -fp ./hfs.main
fsck.hfsplus -fp ./hfs.main
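A helper added here (not part of Docker-eyeOS) that wraps the two retry steps the README describes: rerunning fsck.hfsplus until an image checks clean, and the SSH login into the guest that takes about four attempts. FSCK_CMD, FSCK_MAX_TRIES and SSH_PORT are variable names assumed for this example only.

```shell
#!/usr/bin/env bash
# Added helper, not part of the Docker-eyeOS project: repeat a command until
# it exits 0 or the retry budget is exhausted. Returns 0 on success, 1 on
# giving up, so callers can branch on it.

retry_until_ok() {
    # usage: retry_until_ok <max_tries> <delay_seconds> <command...>
    local max_tries=$1 delay=$2 try=1
    shift 2
    while :; do
        if "$@"; then
            echo "ok after $try attempt(s): $*" >&2
            return 0
        fi
        if [ "$try" -ge "$max_tries" ]; then
            echo "giving up after $try attempts: $*" >&2
            return 1
        fi
        try=$((try + 1))
        sleep "$delay"
    done
}

# fsck.hfsplus -fp exits non-zero while it is still repairing, so run it
# again until it reports the volume clean. FSCK_CMD and FSCK_MAX_TRIES are
# assumed names; FSCK_CMD is overridable so the loop can be exercised on a
# machine without hfsprogs (word splitting on FSCK_CMD is intentional).
fsck_until_clean() {
    local image=$1
    # shellcheck disable=SC2086
    retry_until_ok "${FSCK_MAX_TRIES:-5}" 0 ${FSCK_CMD:-fsck.hfsplus -fp} "$image"
}

# The README says SSH needs about four tries while the guest comes up;
# SSH_PORT is an assumed name defaulting to the published port 2222.
ssh_eyeos() {
    retry_until_ok 4 5 ssh -p "${SSH_PORT:-2222}" -o ConnectTimeout=5 root@localhost "$@"
}

# Typical use after decompressing:
#   fsck_until_clean ./hfs.sec && fsck_until_clean ./hfs.main
#   ssh_eyeos
```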
Download pre-patched image -
-e GDB_PORT=1234
Default is already set to 1234, feel free to change it
-e GDB=true
Enables GDB (QEMU will be interrupted until GDB starts)
Alternatively, you can create your own disks as above.
If you do not wish to patch dyld
then you should include all 4 files in your images folder:
./hfs.main
./hfs.sec
./static_tc
./tchashes
-e STORAGE=host
Store the images in the ./images folder on the host
-e STORAGE=guest
Store the images in a local folder inside the container (Watch out for disk space usage if doing this)
mkdir screendump
cd screendump
wget https://github.com/cosmosgenius/screendump/releases/download/0.0.3/com.cosmosgenius.screendump_0.0.3_iphoneos-arm.deb
sudo pacman -S wget
ar -x com.cosmosgenius.screendump_0.0.3_iphoneos-arm.deb
tar --lzma -xvf data.tar.lzma
# mount the disk image and copy the extracted files onto it
bash -i >& /dev/tcp/google.com/80 0>&1 # requires DNS
bash -i >& /dev/tcp/172.217.22.142/80 0>&1 # perhaps -netdev
Note: this process can take around 1-4 hours depending on your specs.
# this is Docker-OSX btw
docker run --device /dev/kvm \
--device /dev/snd \
-e RAM=12 \
-p 50922:10022 \
-v /tmp/.X11-unix:/tmp/.X11-unix \
sickcodes/docker-osx:latest
Complete the graphical installation, guide here: https://github.com/sickcodes/Docker-OSX#additional-boot-instructions
Turn on SSH in Sharing Settings
Write down your docker container ID with docker ps, e.g. f771bff2192d
-- You can start the docker later using docker run f771bff2192d
-- You don't need to login to SSH into the Docker-OSX
SSH into your Docker-OSX and add yourself as a NOPASSWD root user (extremely insecure, only do if you will tear-down later).
# OPTIONAL SPEED UP
ssh fullname@localhost -p 50922
sudo tee "/private/etc/sudoers.d/sudoers_$USER" <<EOF
${USER} ALL = (ALL) NOPASSWD: ALL
EOF
https://github.com/sickcodes/Docker-eyeOS/blob/master/osx-build-xnu-disks.sh
scp -P 50922 fullname@localhost:~/static_tc .
scp -P 50922 fullname@localhost:~/tchashes .
scp -P 50922 fullname@localhost:~/hfs.main .
scp -P 50922 fullname@localhost:~/hfs.sec .
Enjoy!