While wanting to do some iOS security research, and inspired by the work done by others, I decided to try to get an interactive bash shell on iOS emulated on QEMU. The goals were to get the system to boot without having to patch the kernel beforehand or during the boot process, to add new modules that extend QEMU's capabilities to execute arm64 XNU systems, and to get an interactive bash shell. This talk details the research that was required in order to get there. The iOS version and device chosen for this project are iOS 12.1 and the iPhone 6s Plus, because this specific iOS 12 image comes with many symbols exported in the kernel image, whereas most other iOS kernel images are stripped of most of their symbols.

In this talk I will present how the code was inserted into the QEMU project as a new machine type, how the kernel was booted without patching it either at runtime or beforehand, how the secure monitor image was loaded and executed in EL3, how a new static trust cache was added so that self-signed executables could be executed, how a new launchd item was added to run an interactive shell in place of the existing services on the ramdisk, and how full serial I/O was established. I will also give a demo of the completed project booting an iOS interactive bash shell on QEMU with a live gdb kernel debugger attached to the system. We will go through the reverse-engineering process done in Ghidra to understand the software.

This kind of emulation (while still not a full system emulation) is considered by many industry-leading iOS and XNU researchers and vulnerability researchers to be the holy grail of iOS research, because it enables research and live debugging of the system without jailbreaking a real device, an approach that depends on a jailbreak existing for that device and does not enable kernel debugging in gdb. A commercial product that offers a similar solution already exists, but it is closed source and its internals are not public.
Jonathan Afek manages the Aleph security research team, the security research team of HCL/AppScan. He has 15 years of experience in security research and low-level software development. He has worked in a range of software fields, from Wi-Fi firmware and storage systems to application security, memory exploitation, reverse engineering, kernel development and security research.