Summary: The goal of this research is to boot iOS without having to patch the kernel in advance or during the boot process, to extend QEMU with a new module that executes arm64 XNU, and to obtain an interactive bash shell.
The goal of this research is to boot iOS without having to patch the kernel in advance or during the boot process, to extend QEMU with a new module that executes arm64 XNU, and to obtain an interactive bash shell. In this article we describe how to run iOS on QEMU and launch an interactive bash shell. In the second article we will go into detail about some of the research done to reach these goals. For this research we chose iOS 12.1 and the iPhone 6s Plus, because this particular iOS 12 image exports many symbols in the kernel image, unlike most other iOS kernel images, which strip most symbols. This brought some bigger challenges, since it is a non-KTRR (Kernel Text Readonly Region) device that uses a secure monitor image. Note that this work builds on the research of this project. Another change is that I wanted this functionality in an external module that can later be extended and used to create modules for other iOS devices and versions, rather than putting the code in the core QEMU code.
Introduction to the original project
You can click here to get the repository with the required scripts, qemu-scripts-aleph-git. The scripts allow booting into user mode with a read-only mounted ramdisk, to which new executables and launch items can be added (before boot); they communicate with the user through an emulated UART channel and use the dyld cache copied into the ramdisk from the main disk image. Here is a demo of running an interactive bash shell with the original project:
This lets you execute any user-mode process you want, with whatever privileges you choose, and debug the process or the kernel with a kernel debugger:
Some limitations of the original project:
1. There is a long hang (roughly a few seconds) before the ramdisk is mounted;
2. The project's approach only works with a ramdisk image mounted read-only, and at most 2GB in size;
3. We can only communicate with the guest iOS over UART; no other communication channel is currently available;
4. There is no basic hardware support: screen, touch, wifi, BT or anything else;
5. Only a single CPU is currently emulated.
The improvement process
To start the process we first need to prepare the kernel image, the secure monitor image, the device tree, the static trust cache and the ramdisk image. To get the images we first need the iOS 12.1 update file. This is actually a zip file, and we can extract its contents as follows:
Downloads jonathanafek$ unzip iPhone_5.5_12.1_16B92_Restore.ipsw
Archive:  iPhone_5.5_12.1_16B92_Restore.ipsw
   creating: Firmware/
  inflating: Restore.plist
   creating: Firmware/usr/
   creating: Firmware/usr/local/
  inflating: BuildManifest.plist
  inflating: Firmware/Mav10-7.21.00.Release.plist
   creating: Firmware/all_flash/
  inflating: Firmware/all_flash/DeviceTree.n66ap.im4p.plist
  inflating: Firmware/all_flash/LLB.n56.RELEASE.im4p
  inflating: Firmware/all_flash/[email protected]~iphone.im4p
  inflating: Firmware/all_flash/[email protected]~iphone.im4p
  inflating: Firmware/all_flash/LLB.n66.RELEASE.im4p
  inflating: Firmware/all_flash/sep-firmware.n56.RELEASE.im4p.plist
  inflating: Firmware/all_flash/iBoot.n56.RELEASE.im4p.plist
  inflating: Firmware/all_flash/[email protected]~iphone.im4p
  inflating: Firmware/all_flash/iBoot.n66m.RELEASE.im4p
  inflating: Firmware/all_flash/iBoot.n56.RELEASE.im4p
  inflating: Firmware/all_flash/DeviceTree.n66ap.im4p
  inflating: Firmware/all_flash/sep-firmware.n66m.RELEASE.im4p.plist
  inflating: Firmware/all_flash/[email protected]~iphone.im4p
  inflating: Firmware/all_flash/[email protected]~iphone-lightning.im4p
   creating: Firmware/dfu/
  inflating: Firmware/dfu/iBSS.n56.RELEASE.im4p.plist
  inflating: Firmware/all_flash/[email protected]~iphone-lightning.im4p
  inflating: Firmware/all_flash/[email protected]~iphone.im4p
  inflating: Firmware/dfu/iBEC.n66m.RELEASE.im4p.plist
  inflating: Firmware/dfu/iBSS.n66.RELEASE.im4p
  inflating: Firmware/048-32459-105.dmg.trustcache
  inflating: Firmware/dfu/iBSS.n66m.RELEASE.im4p
  inflating: Firmware/dfu/iBEC.n56.RELEASE.im4p.plist
  inflating: Firmware/all_flash/sep-firmware.n56.RELEASE.im4p
  inflating: Firmware/Mav13-5.21.00.Release.bbfw
  inflating: Firmware/all_flash/sep-firmware.n66m.RELEASE.im4p
  inflating: Firmware/all_flash/LLB.n66m.RELEASE.im4p.plist
  inflating: Firmware/all_flash/iBoot.n66.RELEASE.im4p.plist
  inflating: Firmware/dfu/iBSS.n56.RELEASE.im4p
  inflating: Firmware/all_flash/DeviceTree.n66map.im4p.plist
  inflating: Firmware/all_flash/DeviceTree.n56ap.im4p.plist
  inflating: Firmware/all_flash/LLB.n66.RELEASE.im4p.plist
   creating: Firmware/AOP/
  inflating: Firmware/AOP/aopfw-s8000aop.im4p
  inflating: Firmware/dfu/iBEC.n56.RELEASE.im4p
  inflating: Firmware/all_flash/LLB.n66m.RELEASE.im4p
  inflating: Firmware/all_flash/iBoot.n66.RELEASE.im4p
  inflating: Firmware/all_flash/sep-firmware.n66.RELEASE.im4p
  inflating: Firmware/048-31952-103.dmg.trustcache
  inflating: Firmware/all_flash/sep-firmware.n66.RELEASE.im4p.plist
  inflating: Firmware/dfu/iBSS.n66.RELEASE.im4p.plist
  inflating: Firmware/all_flash/DeviceTree.n66map.im4p
  inflating: Firmware/dfu/iBSS.n66m.RELEASE.im4p.plist
  inflating: Firmware/all_flash/[email protected]~iphone.im4p
  inflating: Firmware/all_flash/iBoot.n66m.RELEASE.im4p.plist
  inflating: 048-32651-104.dmg
  inflating: Firmware/all_flash/LLB.n56.RELEASE.im4p.plist
  inflating: Firmware/dfu/iBEC.n66.RELEASE.im4p
  inflating: Firmware/dfu/iBEC.n66.RELEASE.im4p.plist
  inflating: Firmware/dfu/iBEC.n66m.RELEASE.im4p
  inflating: kernelcache.release.iphone7
  inflating: Firmware/048-32651-104.dmg.trustcache
  inflating: Firmware/Mav13-5.21.00.Release.plist
  inflating: Firmware/all_flash/DeviceTree.n56ap.im4p
  inflating: Firmware/Mav10-7.21.00.Release.bbfw
  inflating: 048-32459-105.dmg
  inflating: kernelcache.release.n66
 extracting: 048-31952-103.dmg
Next, we need to clone the repository with the scripts that support the rest of the process:
Downloads jonathanafek$ git clone git@github.com:alephsecurity/xnu-qemu-arm64-scripts.git
Cloning into 'xnu-qemu-arm64-scripts'...
remote: Enumerating objects: 16, done.
remote: Counting objects: 100% (16/16), done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 16 (delta 4), reused 16 (delta 4), pack-reused 0
Receiving objects: 100% (16/16), 5.16 KiB | 5.16 MiB/s, done.
Resolving deltas: 100% (4/4), done.
and decode the kernel image from its ASN1 encoding:
Downloads jonathanafek$ python xnu-qemu-arm64-scripts/asn1kerneldecode.py kernelcache.release.n66 kernelcache.release.n66.asn1decoded
The decoded image now contains both the compressed kernel and the secure monitor image; extract both of them:
Downloads jonathanafek$ python xnu-qemu-arm64-scripts/decompress_lzss.py kernelcache.release.n66.asn1decoded kernelcache.release.n66.out
Downloads jonathanafek$ python xnu-qemu-arm64-scripts/kernelcompressedextractmonitor.py kernelcache.release.n66.asn1decoded securemonitor.out
Now let's prepare a device tree that we can boot with (more details on the device tree will follow in the second article). First, extract it from the ASN1-encoded file:
Downloads jonathanafek$ python xnu-qemu-arm64-scripts/asn1dtredecode.py Firmware/all_flash/DeviceTree.n66ap.im4p Firmware/all_flash/DeviceTree.n66ap.im4p.out
Then parse it and modify it so that our kernel boots on QEMU:
Downloads jonathanafek$ python xnu-qemu-arm64-scripts/read_device_tree.py Firmware/all_flash/DeviceTree.n66ap.im4p.out Firmware/all_flash/DeviceTree.n66ap.im4p.out.mod
Now we have to set up the ramdisk. First, decode it from ASN1:
Downloads jonathanafek$ python xnu-qemu-arm64-scripts/asn1rdskdecode.py ./048-32651-104.dmg ./048-32651-104.dmg.out
Next, resize it so that it has room for the dynamic loader cache file (which bash and the other executables need), attach it, and enable ownership so that its file permissions are enforced:
Downloads jonathanafek$ hdiutil resize -size 1.5G -imagekey diskimage-class=CRawDiskImage 048-32651-104.dmg.out
Downloads jonathanafek$ hdiutil attach -imagekey diskimage-class=CRawDiskImage 048-32651-104.dmg.out
Downloads jonathanafek$ sudo diskutil enableownership /Volumes/PeaceB16B92.arm64UpdateRamDisk/
Now mount the regular update disk image by double-clicking it: 048-31952-103.dmg.
Create a dynamic loader cache directory in the ramdisk, copy the cache from the update image, and chown it to root:
Downloads jonathanafek$ sudo mkdir -p /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/Caches/com.apple.dyld/
Downloads jonathanafek$ sudo cp /Volumes/PeaceB16B92.N56N66OS/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64 /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/Caches/com.apple.dyld/
Downloads jonathanafek$ sudo chown root /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64
Get precompiled user-mode tools for iOS, including bash, from rootlessJB or iOSBinaries. Alternatively, compile your own iOS console binaries as described here.
Downloads jonathanafek$ git clone https://github.com/jakeajames/rootlessJB
Cloning into 'rootlessJB'...
remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 253 (delta 2), reused 0 (delta 0), pack-reused 247
Receiving objects: 100% (253/253), 7.83 MiB | 3.03 MiB/s, done.
Resolving deltas: 100% (73/73), done.
Downloads jonathanafek$ cd rootlessJB/rootlessJB/bootstrap/tars/
tars jonathanafek$ tar xvf iosbinpack.tar
tars jonathanafek$ sudo cp -R iosbinpack64 /Volumes/PeaceB16B92.arm64UpdateRamDisk/
tars jonathanafek$ cd -
Configure launchd not to execute any services:
Downloads jonathanafek$ sudo rm /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/LaunchDaemons/*
Now configure it to launch an interactive bash shell by creating a new file at /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/LaunchDaemons/com.apple.bash.plist with the following contents:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>EnablePressuredExit</key>
	<false/>
	<key>Label</key>
	<string>com.apple.bash</string>
	<key>POSIXSpawnType</key>
	<string>Interactive</string>
	<key>ProgramArguments</key>
	<array>
		<string>/iosbinpack64/bin/bash</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>StandardErrorPath</key>
	<string>/dev/console</string>
	<key>StandardInPath</key>
	<string>/dev/console</string>
	<key>StandardOutPath</key>
	<string>/dev/console</string>
	<key>Umask</key>
	<integer>0</integer>
	<key>UserName</key>
	<string>root</string>
</dict>
</plist>
As a side note, you can convert the binary plist files found in the iOS image to text xml format, and back to binary format, with the following commands:
Downloads jonathanafek$ plutil -convert xml1 file.plist
Downloads jonathanafek$ vim file.plist
Downloads jonathanafek$ plutil -convert binary1 file.plist
For launch daemons, iOS accepts both xml and binary plist files.
Since the new binaries are not signed by Apple, they need to be trusted by the static trust cache that we are going to create. For that we need to get jtool (also available through Homebrew: brew cask install jtool). Once we have the tool, we have to run it on every binary we want to be trusted, extract the first 40 characters of its CDHash, and put them in a new file named tchashes. Here is an execution of jtool:
Downloads jonathanafek$ jtool --sig --ent /Volumes/PeaceB16B92.arm64UpdateRamDisk/iosbinpack64/bin/bash
Blob at offset: 1308032 (10912 bytes) is an embedded signature
Code Directory (10566 bytes)
	Version:     20001
	Flags:       none
	CodeLimit:   0x13f580
	Identifier:  /Users/jakejames/Desktop/jelbreks/multi_path/multi_path/iosbinpack64/bin/bash (0x58)
	CDHash:      7ad4d4c517938b6fdc0f5241cd300d17fbb52418b1a188e357148f8369bacad1 (computed)
	# of Hashes: 320 code + 5 special
	Hashes @326 size: 32 Type: SHA-256
Empty requirement set (12 bytes)
Entitlements (279 bytes) : --
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>platform-application</key>
	<true/>
	<key>com.apple.private.security.container-required</key>
	<false/>
</dict>
</plist>
From the execution above, we need to write 7ad4d4c517938b6fdc0f5241cd300d17fbb52418 into tchashes. For convenience, the following command extracts the correct part of the hash from every binary we put into the image:
Downloads jonathanafek$ for filename in $(find /Volumes/PeaceB16B92.arm64UpdateRamDisk/iosbinpack64 -type f); do jtool --sig --ent $filename 2>/dev/null; done | grep CDHash | cut -d' ' -f6 | cut -c 1-40
The output above should be saved in tchashes, and then we can create the static trust cache blob:
Downloads jonathanafek$ python xnu-qemu-arm64-scripts/create_trustcache.py tchashes static_tc
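As an added example (my code, not the original post's and not part of the xnu-qemu-arm64-scripts repository), the script below derives the same 40-character tchashes entries without jtool, by parsing each Mach-O's LC_CODE_SIGNATURE SuperBlob and hashing its CodeDirectory; it also reports files that carry no usable signature, which would otherwise be silently missing from the trust cache. It assumes thin arm64 Mach-O files and the standard CodeDirectory layout; the sample binary it builds is constructed for offline testing and is not a real iOS executable.

```python
#!/usr/bin/env python3
"""Static trust cache entries (truncated CDHashes) computed straight from Mach-O files.

Added example, not code from the original post or the xnu-qemu-arm64 scripts.
The value the post cuts out of jtool's CDHash line is the first 20 bytes of the
CDHash: the hash (using the directory's own hash type) of the CodeDirectory blob
that LC_CODE_SIGNATURE points to. Assumes thin arm64 Mach-O files and the
standard blob layout; fat or unsigned files are reported, not silently dropped.
"""
import hashlib
import struct

MH_MAGIC_64 = 0xFEEDFACF                 # little-endian 64-bit Mach-O magic
LC_CODE_SIGNATURE = 0x1D                 # load command locating the signature
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0  # SuperBlob wrapping the signature blobs
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CS_HASHTYPE_SHA1, CS_HASHTYPE_SHA256 = 1, 2
HASH_ALGOS = {CS_HASHTYPE_SHA1: hashlib.sha1, CS_HASHTYPE_SHA256: hashlib.sha256}

def code_signature_blob(macho):
    """Return the bytes referenced by LC_CODE_SIGNATURE, or None if absent."""
    if len(macho) < 32 or struct.unpack_from("<I", macho, 0)[0] != MH_MAGIC_64:
        return None
    ncmds = struct.unpack_from("<I", macho, 16)[0]
    off = 32                             # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", macho, off)
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<II", macho, off + 8)
            return macho[dataoff:dataoff + datasize]
        off += cmdsize
    return None

def code_directories(superblob):
    """Yield every CodeDirectory blob in a SuperBlob (all fields big-endian)."""
    magic, _length, count = struct.unpack_from(">III", superblob, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        return
    for i in range(count):
        _slot, offset = struct.unpack_from(">II", superblob, 12 + 8 * i)
        blob_magic, blob_len = struct.unpack_from(">II", superblob, offset)
        if blob_magic == CSMAGIC_CODEDIRECTORY:
            yield superblob[offset:offset + blob_len]

def cdhash(macho):
    """40 hex chars of the CDHash, preferring a SHA-256 directory; None if unsigned."""
    blob = code_signature_blob(macho)
    cds = list(code_directories(blob)) if blob else []
    if not cds:
        return None
    # hashType is byte 37 of the CodeDirectory header (hashSize is byte 36)
    cd = next((c for c in cds if c[37] == CS_HASHTYPE_SHA256), cds[0])
    algo = HASH_ALGOS.get(cd[37])
    return algo(cd).hexdigest()[:40] if algo else None

def tchashes(files):
    """{path: bytes} -> (sorted unique tchashes lines, paths with no usable signature)."""
    hashes, unsigned = set(), []
    for path, data in files.items():
        h = cdhash(data)
        if h:
            hashes.add(h)
        else:
            unsigned.append(path)
    return sorted(hashes), sorted(unsigned)

def build_sample_macho(ident=b"com.example.bash", hash_type=CS_HASHTYPE_SHA256):
    """Constructed minimal signed Mach-O for offline testing (not a real binary)."""
    hash_size = 32 if hash_type == CS_HASHTYPE_SHA256 else 20
    ident_off = 44                       # CodeDirectory v0x20001 header size
    hash_off = ident_off + len(ident) + 1
    cd_len = hash_off + hash_size        # one fake code-slot hash, no special slots
    cd = struct.pack(">IIIIIIIIIBBBBI", CSMAGIC_CODEDIRECTORY, cd_len, 0x20001, 0,
                     hash_off, ident_off, 0, 1, 0x1000, hash_size, hash_type, 0, 12, 0)
    cd += ident + b"\x00" + b"\x11" * hash_size
    sb = struct.pack(">IIIII", CSMAGIC_EMBEDDED_SIGNATURE, 20 + cd_len, 1, 0, 20) + cd
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 16, 0, 0)
    lc = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 48, len(sb))
    return header + lc + sb

if __name__ == "__main__":               # usage: script.py <dir> > tchashes
    import os, sys
    paths = [os.path.join(d, f) for d, _, fs in os.walk(sys.argv[1]) for f in fs]
    good, bad = tchashes({p: open(p, "rb").read() for p in paths})
    print("\n".join(good))
    for p in bad:
        print("no usable signature:", p, file=sys.stderr)
```

Run it on the iosbinpack64 tree and redirect stdout to tchashes; anything listed on stderr will not be in the trust cache and will fail to launch.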
Since all the images and files are now ready, this is a good time to unmount both volumes. After unmounting we can get the QEMU code (more details on how QEMU works will follow in the second article of this series):
Downloads jonathanafek$ git clone git@github.com:alephsecurity/xnu-qemu-arm64.git
Cloning into 'xnu-qemu-arm64'...
remote: Enumerating objects: 377340, done.
remote: Total 377340 (delta 0), reused 0 (delta 0), pack-reused 377340
Receiving objects: 100% (377340/377340), 187.68 MiB | 5.32 MiB/s, done.
Resolving deltas: 100% (304400/304400), done.
Checking out files: 100% (6324/6324), done.
Build it:
Downloads jonathanafek$ cd xnu-qemu-arm64
xnu-qemu-arm64 jonathanafek$ ./configure --target-list=aarch64-softmmu --disable-capstone
Install prefix    /usr/local
BIOS directory    /usr/local/share/qemu
firmware path     /usr/local/share/qemu-firmware
binary directory  /usr/local/bin
library directory /usr/local/lib
module directory  /usr/local/lib/qemu
libexec directory /usr/local/libexec
include directory /usr/local/include
config directory  /usr/local/etc
local state directory /usr/local/var
Manual directory  /usr/local/share/man
ELF interp prefix /usr/gnemul/qemu-%M
Source path       /Users/jonathanafek/Downloads/xnu-qemu-arm64
GIT binary        git
GIT submodules    ui/keycodemapdb dtc
C compiler        cc
Host C compiler   cc
C++ compiler      c++
Objective-C compiler clang
ARFLAGS           rv
CFLAGS            -O2 -g
QEMU_CFLAGS       -I/opt/local/include/pixman-1 -I$(SRC_PATH)/dtc/libfdt -D_REENTRANT -I/opt/local/include/glib-2.0 -I/opt/local/lib/glib-2.0/include -I/opt/local/include -m64 -mcx16 -DOS_OBJECT_USE_OBJC=0 -arch x86_64 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wall -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fno-common -fwrapv -Wno-error=address-of-packed-member -Wno-string-plus-int -Wno-initializer-overrides -Wexpansion-to-defined -Wendif-labels -Wno-shift-negative-value -Wno-missing-include-dirs -Wempty-body -Wnested-externs -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wold-style-definition -Wtype-limits -fstack-protector-strong -I/opt/local/include -I/opt/local/include/p11-kit-1 -I/opt/local/include -I/opt/local/include/libpng16 -I/opt/local/include
LDFLAGS           -framework Hypervisor -m64 -framework CoreFoundation -framework IOKit -arch x86_64 -g
QEMU_LDFLAGS      -L$(BUILD_DIR)/dtc/libfdt
make              make
install           install
python            python -B
smbd              /usr/sbin/smbd
module support    no
host CPU          x86_64
host big endian   no
target list       aarch64-softmmu
gprof enabled     no
sparse enabled    no
strip binaries    yes
profiler          no
static build      no
Cocoa support     yes
SDL support       no
GTK support       no
GTK GL support    no
VTE support       no
TLS priority      NORMAL
GNUTLS support    yes
GNUTLS rnd        yes
libgcrypt         no
libgcrypt kdf     no
nettle            yes (3.4.1)
nettle kdf        yes
libtasn1          yes
curses support    yes
virgl support     no
curl support      yes
mingw32 support   no
Audio drivers     coreaudio
Block whitelist (rw)
Block whitelist (ro)
VirtFS support    no
Multipath support no
VNC support       yes
VNC SASL support  yes
VNC JPEG support  no
VNC PNG support   yes
xen support       no
brlapi support    no
bluez support     no
Documentation     yes
PIE               no
vde support       no
netmap support    no
Linux AIO support no
ATTR/XATTR support no
Install blobs     yes
KVM support       no
HAX support       yes
HVF support       yes
WHPX support      no
TCG support       yes
TCG debug enabled no
TCG interpreter   no
malloc trim support no
RDMA support      no
fdt support       git
membarrier        no
preadv support    no
fdatasync         no
madvise           yes
posix_madvise     yes
posix_memalign    yes
libcap-ng support no
vhost-net support no
vhost-crypto support no
vhost-scsi support no
vhost-vsock support no
vhost-user support yes
Trace backends    log
spice support     no
rbd support       no
xfsctl support    no
smartcard support no
libusb            no
usb net redir     no
OpenGL support    no
OpenGL dmabufs    no
libiscsi support  no
libnfs support    no
build guest agent yes
QGA VSS support   no
QGA w32 disk info no
QGA MSI support   no
seccomp support   no
coroutine backend sigaltstack
coroutine pool    yes
debug stack usage no
mutex debugging   no
crypto afalg      no
GlusterFS support no
gcov              gcov
gcov enabled      no
TPM support       yes
libssh2 support   no
TPM passthrough   no
TPM emulator      yes
QOM debugging     yes
Live block migration yes
lzo support       no
snappy support    no
bzip2 support     yes
NUMA host support no
libxml2           yes
tcmalloc support  no
jemalloc support  no
avx2 optimization no
replication support yes
VxHS block device no
capstone          no
docker            no
xnu-qemu-arm64 jonathanafek$ make -j16
xnu-qemu-arm64 jonathanafek$ cd -
All that is left to do is run it:
Downloads jonathanafek$ ./xnu-qemu-arm64/aarch64-softmmu/qemu-system-aarch64 -M iPhone6splus-n66-s8000,kernel-filename=kernelcache.release.n66.out,dtb-filename=Firmware/all_flash/DeviceTree.n66ap.im4p.out.mod,secmon-filename=securemonitor.out,ramdisk-filename=048-32651-104.dmg.out,tc-filename=static_tc,kern-cmd-args="debug=0x8 kextlog=0xfff cpus=1 rd=md0 serial=2" -cpu max -m 6G -serial mon:stdio
iBoot version:
corecrypto_kext_start called
FIPSPOST_KEXT [38130750] fipspost_post:156: PASSED: (6 ms) - fipspost_post_integrity
FIPSPOST_KEXT [38201250] fipspost_post:162: PASSED: (2 ms) - fipspost_post_hmac
FIPSPOST_KEXT [38233562] fipspost_post:163: PASSED: (0 ms) - fipspost_post_aes_ecb
FIPSPOST_KEXT [38275375] fipspost_post:164: PASSED: (1 ms) - fipspost_post_aes_cbc
FIPSPOST_KEXT [41967250] fipspost_post:165: PASSED: (153 ms) - fipspost_post_rsa_sig
FIPSPOST_KEXT [44373250] fipspost_post:166: PASSED: (99 ms) - fipspost_post_ecdsa
FIPSPOST_KEXT [44832437] fipspost_post:167: PASSED: (18 ms) - fipspost_post_ecdh
FIPSPOST_KEXT [44861312] fipspost_post:168: PASSED: (0 ms) - fipspost_post_drbg_ctr
FIPSPOST_KEXT [44922625] fipspost_post:169: PASSED: (2 ms) - fipspost_post_aes_ccm
FIPSPOST_KEXT [44994250] fipspost_post:171: PASSED: (2 ms) - fipspost_post_aes_gcm
FIPSPOST_KEXT [45042125] fipspost_post:172: PASSED: (1 ms) - fipspost_post_aes_xts
FIPSPOST_KEXT [45109687] fipspost_post:173: PASSED: (2 ms) - fipspost_post_tdes_cbc
FIPSPOST_KEXT [45167062] fipspost_post:174: PASSED: (1 ms) - fipspost_post_drbg_hmac
FIPSPOST_KEXT [45178250] fipspost_post:197: all tests PASSED (300 ms)
Darwin Image4 Validation Extension Version 1.0.0: Tue Oct 16 21:46:27 PDT 2018; root:AppleImage4-1.200.18~1853/AppleImage4/RELEASE_ARM64
AppleS8000IO::start: chip-revision: A0
AppleS8000IO::start: this: <ptr>, TCC virt addr: <ptr>, TCC phys addr: 0x202240000
AUC[<ptr>]::init(<ptr>)
AUC[<ptr>]::probe(<ptr>, <ptr>)
AppleCredentialManager: init: called, instance = <ptr>.
ACMRM: init: called, ACMDRM_ENABLED=YES, ACMDRM_STATE_PUBLISHING_ENABLED=YES, ACMDRM_KEYBAG_OBSERVING_ENABLED=YES.
ACMRM: _loadRestrictedModeForceEnable: restricted mode force-enabled = 0 .
ACMRM-A: init: called, .
ACMRM-A: _loadAnalyticsCollectionPeriod: analytics collection period = 86400 .
ACMRM: _loadStandardModeTimeout: standard mode timeout = 259200 .
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMRM: _loadGracePeriodTimeout: device lock timeout = 3600 .
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
AppleCredentialManager: init: returning, result = true, instance = <ptr>.
AUC[<ptr>]::start(<ptr>)
virtual bool AppleARMLightEmUp::start(IOService *): starting...
AppleKeyStore starting (BUILT: Oct 17 2018 20:34:07)
AppleSEPKeyStore::start: _sep_enabled = 1
AppleCredentialManager: start: called, instance = <ptr>.
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleCredentialManager: start: initializing power management, instance = <ptr>.
AppleCredentialManager: start: started, instance = <ptr>.
AppleCredentialManager: start: returning, result = true, instance = <ptr>.
AppleARMPE::getGMTTimeOfDay can not provide time of day: RTC did not show up
:
:
apfs_module_start:1277: load: com.apple.filesystems.apfs, v748.220.3, 748.220.3, 2018/10/16
com.apple.AppleFSCompressionTypeZlib kmod start
IOSurfaceRoot::installMemoryRegions()
IOSurface disallowing global lookups
apfs_sysctl_register:911: done registering sysctls.
com.apple.AppleFSCompressionTypeZlib load succeeded
L2TP domain init
L2TP domain init complete
PPTP domain init
BSD root: md0, major 2, minor 0
apfs_vfsop_mountroot:1468: apfs: mountroot called!
apfs_vfsop_mount:1231: unable to root from devvp <ptr> (root_device): 2
apfs_vfsop_mountroot:1472: apfs: mountroot failed, error: 2
hfs: mounted PeaceB16B92.arm64UpdateRamDisk on device b(2, 0)
:
:
Darwin Bootstrapper Version 6.0.0: Tue Oct 16 22:26:06 PDT 2018; root:libxpc_executables-1336.220.5~209/launchd/RELEASE_ARM64
boot-args = debug=0x8 kextlog=0xfff cpus=1 rd=md0 serial=2
Thu Jan 1 00:01:05 1970 localhost com.apple.xpc.launchd[1] <Notice>: Restore environment starting.
Thu Jan 1 00:01:05 1970 localhost com.apple.xpc.launchd[1] <Notice>: Early boot complete. Continuing system boot.
Thu Jan 1 00:01:06 1970 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: Could not read path: path = /AppleInternal/Library/LaunchDaemons, error = 2: No such file or directory
Thu Jan 1 00:01:06 1970 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: Could not read path: path = /System/Library/NanoLaunchDaemons, error = 2: No such file or directory
Thu Jan 1 00:01:06 1970 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: Failed to bootstrap path: path = /System/Library/NanoLaunchDaemons, error = 2: No such file or directory
bash-4.4# export PATH=$PATH:/iosbinpack64/usr/bin:/iosbinpack64/bin:/iosbinpack64/usr/sbin:/iosbinpack64/sbin
bash-4.4# id
uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),20(staff),29(certusers),80(admin)
bash-4.4# pwd
/
bash-4.4# ls -la
total 18
drwxr-xr-x  17 root   wheel  748 Jun 10  2019 .
drwxr-xr-x  17 root   wheel  748 Jun 10  2019 ..
-rw-r--r--   1 root   wheel    0 Oct 20  2018 .Trashes
drwx------   2 mobile staff  170 Jun 10  2019 .fseventsd
drwxr-xr-x   4 root   wheel  136 Oct 20  2018 System
drwxr-xr-x   2 root   wheel  272 Oct 20  2018 bin
dr-xr-xr-x   3 root   wheel  660 Jan  1 00:01 dev
lrwxr-xr-x   1 root   wheel   11 Oct 20  2018 etc -> private/etc
drwxr-xr-x   7 root   wheel  374 Jun 10  2019 iosbinpack64
drwxr-xr-x   2 root   wheel   68 Oct 20  2018 mnt1
drwxr-xr-x   2 root   wheel   68 Oct 20  2018 mnt2
drwxr-xr-x   2 root   wheel   68 Oct 20  2018 mnt3
drwxr-xr-x   2 root   wheel   68 Oct 20  2018 mnt4
drwxr-xr-x   2 root   wheel   68 Oct 20  2018 mnt5
drwxr-xr-x   2 root   wheel   68 Oct 20  2018 mnt6
drwxr-xr-x   2 root   wheel   68 Oct 20  2018 mnt7
drwxr-xr-x   4 root   wheel  136 Oct 20  2018 private
drwxr-xr-x   2 root   wheel  510 Oct 20  2018 sbin
drwxr-xr-x   9 root   wheel  306 Oct 20  2018 usr
lrwxr-xr-x   1 root   admin   11 Oct 20  2018 var -> private/var
bash-4.4#
At this point we have an interactive bash shell!
Note that the last flag (-serial mon:stdio) forwards all shell key combinations (for example Ctrl+C) to the shell. To shut QEMU down, close its (empty) window.
To get a kernel debugger, add -S -s to the QEMU command line and then run target remote :1234 in a gdb console that supports this architecture. See here for more details on how to obtain such a gdb and do this. On OSX you can also get a suitable gdb from MacPorts by adding the multiarch and python27 variants to the gdb port.
Overall, the improvements to the original project are as follows:
1. Fast boot, without the long hang before the ramdisk is mounted.
2. Add support for emulating iOS as a USB device and communicating with it through usbmuxd. This will let us connect over SSH, and therefore copy files with scp, have a more capable terminal, do security research on network protocols, debug user-mode applications with gdbserver, and more.
3. Add support for emulated physical storage, so that an r/w mounted disk that is not a ramdisk can be used and more than 2GB of space is available.
4. Add support for devices such as the screen, touch, wifi, BT, etc.
5. Add support for more Apple products and iOS versions.
Because of ASLR, user applications are loaded at a different address on every boot and may share virtual addresses with each other, so using regular gdb breakpoints on static virtual addresses can be challenging when debugging user-mode applications. I therefore added another interesting feature to help debug user-mode applications from this kernel debugger: when QEMU hits an aarch64 HLT instruction, it breaks into gdb as if it were a gdb breakpoint. So to debug a user-mode application from the kernel debugger, all you have to do is patch the application with an HLT instruction, for example using Ghidra.
Then sign it with jtool, with whatever entitlements you need:
Downloads jonathanafek$ ./jtool/jtool --sign --ent ent.xml --inplace bin
After that, you need to add the new CDHash to the tchashes file and recreate the static trust cache.
This way, when the user-mode application reaches the HLT instruction, gdb breaks in and we can debug the application from the kernel debugger: