Last active
May 21, 2024 15:44
-
-
Save katagaki/f6f0046611701fe2dabf4039513468f1 to your computer and use it in GitHub Desktop.
Script to install QEMU with support for running iOS.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| echo You will need to install pip for Python3 and Homebrew for macOS before continuing. | |
| echo Much of this script is provided by TrungNguyen1909. | |
| echo Installing dependencies | |
| pip3 install pyasn1 | |
| brew install libtasn1 meson ninja pixman jtool2 jq coreutils gnutls libgcrypt pkg-config wget glib | |
| git clone https://github.com/lzfse/lzfse | |
| cd lzfse | |
| mkdir build; cd build | |
| cmake .. | |
| make | |
| sudo make install | |
| cd .. | |
| cd .. | |
| echo Building QEMU | |
| git clone https://github.com/TrungNguyen1909/qemu-t8030 | |
| git clone https://github.com/TrungNguyen1909/qemu-t8030-tools | |
| cd qemu-t8030 | |
| mkdir build; cd build | |
| ../configure --target-list=aarch64-softmmu,x86_64-softmmu --disable-capstone --enable-lzfse --disable-werror | |
| make -j$(nproc) | |
| cd .. | |
| cd .. | |
| echo Downloading and unpacking iOS firmware | |
| wget https://updates.cdn-apple.com/2020SummerSeed/fullrestores/001-35886/5FE9BE2E-17F8-41C8-96BB-B76E2B225888/iPhone11,8,iPhone12,1_14.0_18A5351d_Restore.ipsw | |
| unzip iPhone11,8,iPhone12,1_14.0_18A5351d_Restore.ipsw | |
| echo Getting precompiled system binaries | |
| export STRAP_URL=$(curl https://assets.checkra.in/loader/config.json | jq -r ".core_bootstrap_tar") | |
| wget $STRAP_URL | |
| mkdir strap | |
| tar xf strap.tar.lzma -C strap | |
| echo Unpacking ramdisk | |
| python3 qemu-t8030-tools/bootstrap_scripts/asn1rdskdecode.py 038-44087-125.dmg 038-44087-125.dmg.out | |
| hdiutil resize -size 512M -imagekey diskimage-class=CRawDiskImage 038-44087-125.dmg.out | |
| hdiutil attach -imagekey diskimage-class=CRawDiskImage 038-44087-125.dmg.out | |
| sudo diskutil enableownership /Volumes/AzulSeed18A5351d.arm64eUpdateRamDisk | |
| sudo rsync -av strap/ /Volumes/AzulSeed18A5351d.arm64eUpdateRamDisk | |
| sudo rm /Volumes/AzulSeed18A5351d.arm64eUpdateRamDisk/System/Library/LaunchDaemons/* | |
| sudo cp qemu-t8030/setup-ios/bash.plist /Volumes/AzulSeed18A5351d.arm64eUpdateRamDisk/System/Library/LaunchDaemons/ | |
| hdiutil detach /Volumes/AzulSeed18A5351d.arm64eUpdateRamDisk | |
| echo Creating trust cache | |
| python3 qemu-t8030-tools/bootstrap_scripts/asn1trustcachedecode.py Firmware/038-44087-125.dmg.trustcache Firmware/038-44087-125.dmg.trustcache.out | |
| python3 qemu-t8030-tools/bootstrap_scripts/dump_trustcache.py Firmware/038-44087-125.dmg.trustcache.out | grep cdhash | cut -d' ' -f2 > tchashes | |
| for filename in $(find strap/ -type f); do jtool2 --sig $filename 2>/dev/null; done | grep CDHash | cut -d' ' -f6 | cut -c 1-40 >> ./tchashes | |
| python3 qemu-t8030-tools/bootstrap_scripts/create_trustcache.py tchashes static_tc | |
| echo Creating NVMe namespaces | |
| ./qemu-t8030/build/qemu-img create -f raw nvme.1 32G | |
| ./qemu-t8030/build/qemu-img create -f raw nvme.2 8M | |
| ./qemu-t8030/build/qemu-img create -f raw nvme.3 128K | |
| ./qemu-t8030/build/qemu-img create -f raw nvme.4 8K | |
| ./qemu-t8030/build/qemu-img create -f raw nvram 8K | |
| ./qemu-t8030/build/qemu-img create -f raw nvme.6 4K | |
| ./qemu-t8030/build/qemu-img create -f raw nvme.7 1M | |
| echo Running QEMU | |
| ./qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=Firmware/038-44135-124.dmg.trustcache,ticket-filename=root_ticket.der \ | |
| -kernel kernelcache.research.iphone12b \ | |
| -dtb Firmware/all_flash/DeviceTree.n104ap.im4p \ | |
| -append "debug=0x14e kextlog=0xffff serial=3 -v" \ | |
| -initrd 038-44135-124.dmg \ | |
| -cpu max -smp 4 \ | |
| -m 4G -serial mon:stdio \ | |
| -drive file=nvme.1,format=raw,if=none,id=drive.1 \ | |
| -device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \ | |
| -drive file=nvme.2,format=raw,if=none,id=drive.2 \ | |
| -device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \ | |
| -drive file=nvme.3,format=raw,if=none,id=drive.3 \ | |
| -device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \ | |
| -drive file=nvme.4,format=raw,if=none,id=drive.4 \ | |
| -device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \ | |
| -drive file=nvram,if=none,format=raw,id=nvram \ | |
| -device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \ | |
| -drive file=nvme.6,format=raw,if=none,id=drive.6 \ | |
| -device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \ | |
| -drive file=nvme.7,format=raw,if=none,id=drive.7 \ | |
| -device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \ | |
| -monitor telnet:127.0.0.1:1235,server,nowait |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment