Run the unmodified iOS kernel image on the Khadas VIM3 (2)

Hardware debugging stage of VIM3 development board

The sha256 instruction problem cannot be worked around on the ARM FVP, so the only option left is to go directly to real hardware. Of the several development boards on hand, I found that only the ESPRESSObin and the VIM3 support the sha256 instructions; the Raspberry Pi 4 does not support them at all. Because the VIM3 Pro version has 4 GB of memory, the VIM3 Pro was chosen as the experimental platform. I recommend this development board here: I personally think its build quality and its software and hardware openness are much better than the Raspberry Pi 4's. The other reason is that Minos already supports the VIM3 and supports Android.

Trust Cache

The log of the first run on the VIM3. It went better than I expected: the log can be printed directly.

console:/sdcard # sync 
console:/sdcard # sh ios.sh                                                    
[WARN ] argment format wrong: device
console:/sdcard # [INFO ] os is 64bit
[DEBUG] MACH-O magic:           0xfeedfacf
[DEB[      54.300207@00 070] INF add slab mem : 0xeb858fc8 : 0x38 to slab
[      54.306680@00 070] WRN destroy host mapping 0x4d6c2c30---->0x4d6c2cb0
UG] MACH-O cpu_type:        0x100000c
[DEBUG] MACH-O cpu_sub_type:    0x0
[[      54.320308@00 070] WRN PMD block remap 0xbe800000 ---> 0xbe800000 @0x200000
[   52.944986@0] register event-9 irq-34
[      54.331017@00 070] INF vm_mmap start:0x80000000 size:0x7800000
[   52.956727@0] vm-1 map 0xb4200000 -> 0x80000000 size:0x7800000
[   52.960375@0] vma flags is 0x40404fb
DEBUG] MACH-O file_type:       2
[DEBUG] MACH-O nr_cmds:         22
[DEBUG] MACH-O size_of_cmds:    4120
[DEBUG] MACH-O flags:           0x200001
[INFO ] xnu entry address is 0xfffffff0070a5098
[INFO ] xnu kernel_load_base 0xfffffff005c6c000
[INFO ] xnu ramdisk_load_base 0xfffffff0079ec000
[INFO ] xnu dtb_load_base 0xfffffff00d0b0000
[INFO ] xnu bootarg_load_base 0xfffffff00d0d0000
[INFO ] xnu tc cache load base 0x45a00000
[INFO ] xnu tc cache load size 0x0
[INFO ] xnu memory map start 0x45a00000
[INFO ] xnu memory map size 0x7800000
[NIC  ] create new vm *
[NIC  ]         -name       : ios12
[NIC  ]         -os_type    : xnu
[NIC  ]         -nr_vcpu    : 1
[NIC  ]         -bit64      : 1
[NIC  ]         -mem_size   : 0x40000000
[NIC  ]         -mem_base  : 0x40000000
[NIC  ]         -entry      : 0x470a5098
[NIC  ]         -setup_data : 0x4d0d0000
[INFO ] create s3c uart
[NIC  ] vm-1 0x45a00000@0x7800000 mmap to 0xb4200000
[INFO ] load image: 0xb5e88000 0x1c88000 0x610000 0x62ee0
[INFO ] load image: 0xb5fe0000 0x1de0000 0x1b00000 0x0
[INFO ] load image: 0xb5fe0000 0x1de0000 0x1b00000 0x0
[INFO ] load image: 0xb55f8000 0x13f8000 0x1800000 0x20c000
[INFO ] load image: 0xb5eec000 0x1cec000 0x1a0c000 0xf4000
[INFO ] load image: 0xb4910000 0x710000 0xb18000 0xce8000
[INFO ] load image: 0xb5fe0000 0x1de0000 0x1b00000 0x20c000
[INFO ] load image: 0xb446c000 0x26c000 0x674000 0x4a4000
[INFO ] load image: 0xb5e70000 0x1c70000 0x5f8000 0x18000
[INFO ] load image: 0xb5dc8000 0x1bc8000 0x5c4000 0x34000
[INFO ] memset for 0xfffffff0075fc000 ---> 0x74000
[INFO ] load image: 0xb5dc4000 0x1bc4000 0x5c0000 0x4000
[INFO ] load image: 0xb5dc0000 0x1bc0000 0x5bc000 0x4000
[INFO ] load image: 0xb5898000 0x1698000 0x94000 0x528000
[INFO ] load image: 0xb5878000 0x1678000 0x74000 0x20000
[INFO ] load image: 0xb5804000 0x1604000 0x0 0x74000
[INFO ] load image: 0xb61ec000 0x1fec000 0x0 0x56c1a1b
[INFO ] load image: 0xbb8b0000 0x76b0000 0x0 0x1d460
[INFO ] xnu bootarg revision - 2
[INFO [      55.315938@01 071] NIC vm-1 vcpu-0 affnity to pcpu-4
[      55.320908@01 071] NIC vmpidr is 0x0
] xnu bootarg version  - 2
[INFO ] xnu bootarg virtbase - 0xfffffff000000000
[INFO ] xnu bootarg physbase - 0x40000000
[INFO ] xnu bootarg mem_size - 0x40000000
[INFO ] xnu bootarg tok      - 0x4d0e0000
[INFO ] xnu bootarg dtb      - 0xfffffff00d0b0000
[INFO ] xnu bootarg dtb_size - 0x1d460
[INFO ] xnu bootarg cmdline  - debug=0x8 kextlog=0xfff cpus=1 rd=md0 serial=2
[INFO ] set timer freq to 0x16e3600
iBoot version: 
corecrypto_kext_start called
[cckprng] Yarrow PRNG initialized with SHA-256.
FIPSPOST_KEXT [1681736303] fipspost_post:156: PASSED: (0 ms) - fipspost_post_integrity
FIPSPOST_KEXT [1681896878] fipspost_post:162: PASSED: (0 ms) - fipspost_post_hmac
FIPSPOST_KEXT [1682187479] fipspost_post:163: PASSED: (0 ms) - fipspost_post_aes_ecb
FIPSPOST_KEXT [1682332977] fipspost_post:164: PASSED: (0 ms) - fipspost_post_aes_cbc
FIPSPOST_KEXT [1683811646] fipspost_post:165: PASSED: (54 ms) - fipspost_post_rsa_sig
FIPSPOST_KEXT [1684205414] fipspost_post:166: PASSED: (11 ms) - fipspost_post_ecdsa
FIPSPOST_KEXT [1684403124] fipspost_post:167: PASSED: (3 ms) - fipspost_post_ecdh
FIPSPOST_KEXT [1684501485] fipspost_post:168: PASSED: (0 ms) - fipspost_post_drbg_ctr
FIPSPOST_KEXT [1684798990] fipspost_post:169: PASSED: (0 ms) - fipspost_post_aes_ccm
FIPSPOST_KEXT [1684926962] fipspost_post:171: PASSED: (0 ms) - fipspost_post_aes_gcm
FIPSPOST_KEXT [1685053206] fipspost_post:172: PASSED: (0 ms) - fipspost_post_aes_xts
FIPSPOST_KEXT [1685190366] fipspost_post:173: PASSED: (0 ms) - fipspost_post_tdes_cbc
FIPSPOST_KEXT [1685325675] fipspost_post:174: PASSED: (0 ms) - fipspost_post_drbg_hmac
FIPSPOST_KEXT [1685466407] fipspost_post:197: all tests PASSED (156 ms)
AUC[<ptr>]::init(<ptr>)
AUC[<ptr>]::probe(<ptr>, <ptr>)
AppleCredentialManager: init: called, instance = <ptr>.
ACMRM: init: called, EN=YES, KB_OBS=YES.
ACMRM: _loadRestrictedModeForceEnable: restricted mode force-enabled = 0 .
ACMRM-A: init: called, .
ACMRM-A: _loadAnalyticsCollectionPeriod: analytics collection period = 86400 .
Darwin Image4 Validation Extension Version 1.2.0: Tue Mar  5 19:43:52 PST 2019; root:AppleImage4-1.250.8~181/AppleImage4/RELEASE_ARM64
ACMRM: _loadStandardModeTimeout: standard mode timeout = 259200 .
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modifpanic(cpu 0 caller 0xfffffff0070efb0c): "No external trust cache found (region len is 0)."
"thread_invoke: preemption_level 1, possible cause: blocking while holding a spinlock, or within interrupt context"panic(cpu 0 caller 0xfffffff0070efb0c): "No external trust cache found (region len is 0)."
"thread already waiting on 0xffffffe0151f20d0"panic(cpu 0 caller 0xfffffff0070efb0c): "No external trust cache found (region len is 0)."
"thread already waiting on 0xffffffe0151f20d0"panic(cpu 0 caller 0xfffffff0070efb0c): "No external trust cache found (region len is 0)."
"hw_lock_bit(): timed out (0xffffffe0007837a0)"panic(cpu 0 caller 0xfffffff0070efb0c): "No external trust cache found (region len is 0)."
[   62.732559@0] fb: mem_free_work, free memory: addr:800000

But the kernel panicked. From the panic message the reason was "No external trust cache found (region len is 0)": it seems that the trust cache image that had been saved earlier was not actually loaded (the log shows a trust cache load size of 0x0). From Afek's article I learned that if you want to execute programs not signed by Apple, their hash values need to be stored in the trust cache, so in theory the trust cache can be empty, but it still needs to have header information. So I quickly made a trust cache file and added support for loading a trust cache file to mvm.
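As an added illustration (not the author's mvm code), here is how a minimal trust cache with a valid header and zero entries can be built, and how a loader can check a region before handing it to the kernel, so that the "region len is 0" case above is caught on the host side. The binary layout follows the version-1 structures published in the xnu source (`struct trust_cache_module1` / `trust_cache_entry1` in osfmk/kern/trustcache.h); the post does not spell out the format, so treat that layout as an assumption.

```python
import struct
import uuid

# Version-1 trust cache layout as published in the xnu source
# (osfmk/kern/trustcache.h). Assumed here; the blog post only says the
# cache may be empty but must carry header information.
TC_VERSION_1 = 1
HEADER = struct.Struct("<I16sI")   # version, uuid, num_entries (packed, little-endian)
ENTRY = struct.Struct("<20sBB")    # cdhash, hash_type, flags (packed)
CDHASH_LEN = 20


def build_trust_cache(entries=(), tc_uuid=None):
    """Serialize a v1 trust cache. `entries` is a list of (cdhash, hash_type, flags).
    With no entries the result is just the 24-byte header, which is enough to avoid the
    "region len is 0" panic while still trusting no additional binaries."""
    tc_uuid = tc_uuid or uuid.UUID(int=0)
    blob = bytearray(HEADER.pack(TC_VERSION_1, tc_uuid.bytes, len(entries)))
    for cdhash, hash_type, flags in entries:
        if len(cdhash) != CDHASH_LEN:
            raise ValueError("cdhash must be 20 bytes")
        blob += ENTRY.pack(cdhash, hash_type, flags)
    return bytes(blob)


def parse_trust_cache(region):
    """Validate a trust cache region the way a loader should before passing it to XNU.
    A zero-length region is exactly the condition behind the panic quoted above."""
    if len(region) == 0:
        raise ValueError("No external trust cache found (region len is 0)")
    if len(region) < HEADER.size:
        raise ValueError("region too small for a trust cache header")
    version, raw_uuid, num_entries = HEADER.unpack_from(region, 0)
    if version != TC_VERSION_1:
        raise ValueError(f"unsupported trust cache version {version}")
    expected = HEADER.size + num_entries * ENTRY.size
    if len(region) != expected:
        raise ValueError(f"size mismatch: have {len(region)}, header implies {expected}")
    entries = [ENTRY.unpack_from(region, HEADER.size + i * ENTRY.size)
               for i in range(num_entries)]
    return {"version": version, "uuid": uuid.UUID(bytes=raw_uuid), "entries": entries}


if __name__ == "__main__":
    # Write an empty-but-valid trust cache; the output path is an arbitrary example name.
    blob = build_trust_cache()
    with open("tc.bin", "wb") as f:
        f.write(blob)
    print(parse_trust_cache(blob))
```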

Successfully mounted the Ramdisk root file system

After the above problem was solved, the root file system was finally mounted successfully.

console:/sdcard # 
console:/sdcard # 
console:/sdcard # 
console:/sdcard # [   39.897686@2] aml_tdm_open
[   39.897717@2] Not init audio effects
[   39.904385@2] asoc-aml-card auge_sound: tdm playback enable
[   40.168019@0] dhd_bus_rxctl: resumed on timeout, INT status=0x20800040
console:/sdcard # sn[   51.678628@0] type=1400 audit(1581514285.360:53): avc: denied { search } for pid=3350 comm="memtrack@1.0-se" name="3351" dev="proc" ino=692 scontext=u:r:hal_memtrack_default:s0 tcontext=u:r:hal_neuraln1
[   51.694791@2] type=1400 audit(1581514291.472:65): avc: denied { open } for pid=4918 comm="Binder:4918_1" path="/sys/block" dev="sysfs" ino=11626 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=dir p1
[   51.719042@0] type=1400 audit(1581514291.472:65): avc: denied { open } for pid=4918 comm="Binder:4918_1" path="/sys/block" dev="sysfs" ino=11626 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=dir p1
[   51.736136@0] type=1400 audit(1581514291.512:66): avc: denied { open } for pid=4918 comm="Binder:4918_1" path="/proc/bus/pci/devices" dev="proc" ino=4026532039 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:proc:s1
[   51.758148@0] type=1400 audit(1581514291.512:66): avc: denied { open } for pid=4918 comm="Binder:4918_1" path="/proc/bus/pci/devices" dev="proc" ino=4026532039 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:proc:s1
[   51.779750@0] type=1400 audit(1581514291.512:67): avc: denied { getattr } for pid=4918 comm="Binder:4918_1" path="/proc/bus/pci/devices" dev="proc" ino=4026532039 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:pro1
[   51.815128@3] type=1400 audit(1581514291.512:67): avc: denied { getattr } for pid=4918 comm="Binder:4918_1" path="/proc/bus/pci/devices" dev="proc" ino=4026532039 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:pro1
[   51.831734@3] type=1400 audit(1581514291.608:68): avc: denied { read } for pid=4918 comm="Binder:4918_1" name="stat" dev="proc" ino=16245 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:zygote:s0 tclass=file permissive=1
[   51.851425@3] type=1400 audit(1581514291.608:68): avc: denied { read } for pid=4918 comm="Binder:4918_1" name="stat" dev="proc" ino=16245 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:zygote:s0 tclass=file permissive=1
[   51.870675@3] type=1400 audit(1581514291.608:69): avc: denied { open } for pid=4918 comm="Binder:4918_1" path="/proc/3330/stat" dev="proc" ino=16245 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:zygote:s0 tclass=file pe1
 
console:/sdcard # 
console:/sdcard # 
console:/sdcard # 
console:/sdcard # 
console:/sdcard # ls
Alarms   Music         aarch64-boot.img iphone6s     n71.dt.out  
Android  Notifications backup           kernel.out   ramdisk.out 
DCIM     Pictures      boot32.img       minicom.sh   tc.out      
Download Podcasts      dt.out           mvm32-old.sh 
Movies   Ringtones     ios.sh           mvm32.sh     
console:/sdcard # sh ios.sh                                                    
[WARN ] argment format wrong: device
console:/sdcard # [INFO ] os is 64bit
[DEBUG] MACH-O magic:           0xfeedfacf
[DEBUG][      63.712283@00 070] INF add slab mem : 0xeb858fc8 : 0x38 to slab
[      63.718681@00 070] WRN destroy host mapping 0x49ec2c30---->0x49ec2cb0
 MACH-O cpu_type:        0x100000c
[DEBUG] MACH-O cpu_sub_type:    0x0
[DEBUG] MACH-O file_type:       2
[DEBUG] MACH-O nr_cmds:         22
[DEBUG] MACH-O size_of_cmds:    4120
[DEBUG] MACH-O flags: [      63.743532@03 073] WRN PMD block remap 0xbe800000 ---> 0xbe800000 @0x200000
[   62.368080@3] register event-10 irq-34
[      63.754047@03 073] INF vm_mmap start:0x80000000 size:0x8600000
[   62.377950@3] vm-1 map 0xb3800000 -> 0x80000000 size:0x8600000
[   62.383651@3] vma flags is 0x40404fb
          0x200001
[INFO ] xnu entry address is 0xfffffff0070a5098
[INFO ] xnu kernel_load_base 0xfffffff005c6c000
[INFO ] xnu ramdisk_load_base 0xfffffff0079ec000
[INFO ] xnu dtb_load_base 0xfffffff00dfc0000
[INFO ] xnu bootarg_load_base 0xfffffff00dfe0000
[INFO ] xnu tc cache load base 0x45a00000
[INFO ] xnu tc cache load size 0xc54
[INFO ] xnu memory map start 0x45a00000
[INFO ] xnu memory map size 0x8600000
[NIC  ] create new vm *
[NIC  ]         -name       : ios12
[NIC  ]         -os_type    : xnu
[NIC  ]         -nr_vcpu    : 1
[NIC  ]         -bit64      : 1
[NIC  ]         -mem_size   : 0x40000000
[NIC  ]         -mem_base  : 0x40000000
[NIC  ]         -entry      : 0x470a5098
[NIC  ]         -setup_data : 0x4dfe0000
[INFO ] create s3c uart
[NIC  ] vm-1 0x45a00000@0x8600000 mmap to 0xb3800000
[INFO ] load image: 0xb5488000 0x1c88000 0x610000 0x62ee0
[INFO ] load image: 0xb55e0000 0x1de0000 0x1b00000 0x0
[INFO ] load image: 0xb55e0000 0x1de0000 0x1b00000 0x0
[INFO ] load image: 0xb4bf8000 0x13f8000 0x1800000 0x20c000
[INFO ] load image: 0xb54ec000 0x1cec000 0x1a0c000 0xf4000
[INFO ] load image: 0xb3f10000 0x710000 0xb18000 0xce8000
[INFO ] load image: 0xb55e0000 0x1de0000 0x1b00000 0x20c000
[INFO ] load image: 0xb3a6c000 0x26c000 0x674000 0x4a4000
[INFO ] load image: 0xb5470000 0x1c70000 0x5f8000 0x18000
[INFO ] load image: 0xb53c8000 0x1bc8000 0x5c4000 0x34000
[INFO ] memset for 0xfffffff0075fc000 ---> 0x74000
[INFO ] load image: 0xb53c4000 0x1bc4000 0x5c0000 0x4000
[INFO ] load image: 0xb53c0000 0x1bc0000 0x5bc000 0x4000
[INFO ] load image: 0xb4e98000 0x1698000 0x94000 0x528000
[INFO ] load image: 0xb4e78000 0x1678000 0x74000 0x20000
[INFO ] load image: 0xb4e04000 0x1604000 0x0 0x74000
[INFO ] load image: 0xb57ec000 0x1fec000 0x0 0x65d3400
[   62.695443@0] fb: mem_free_work, free memory: addr:800000
[INFO ] load image: 0xbbdc0000 0x85c0000 0x0 0x1d460
[      64.858749@00 070] NIC vm-1 vcpu-0 affnity to pcpu-4
[      64.863760@00 070] NIC vmpidr is 0x0

[INFO ] xnu bootarg revision - 2
[INFO ] xnu bootarg version  - 2
[INFO ] xnu bootarg virtbase - 0xfffffff000000000
[INFO ] xnu bootarg physbase - 0x40000000
[INFO ] xnu bootarg mem_size - 0x40000000
[INFO ] xnu bootarg tok      - 0x4dff0000
[INFO ] xnu bootarg dtb      - 0xfffffff00dfc0000
[INFO ] xnu bootarg dtb_size - 0x1d460
[INFO ] xnu bootarg cmdline  - debug=0x8 kextlog=0xfff cpus=1 rd=md0 serial=2
[INFO ] set timer freq to 0x16e3600
iBoot version: 
corecrypto_kext_start called
[cckprng] Yarrow PRNG initialized with SHA-256.
FIPSPOST_KEXT [1931917382] fipspost_post:156: PASSED: (0 ms) - fipspost_post_integrity
FIPSPOST_KEXT [1932094315] fipspost_post:162: PASSED: (0 ms) - fipspost_post_hmac
FIPSPOST_KEXT [1932239773] fipspost_post:163: PASSED: (0 ms) - fipspost_post_aes_ecb
FIPSPOST_KEXT [1932384284] fipspost_post:164: PASSED: (0 ms) - fipspost_post_aes_cbc
FIPSPOST_KEXT [1933855582] fipspost_post:165: PASSED: (54 ms) - fipspost_post_rsa_sig
FIPSPOST_KEXT [1934278598] fipspost_post:166: PASSED: (11 ms) - fipspost_post_ecdsa
FIPSPOST_KEXT [1934498218] fipspost_post:167: PASSED: (3 ms) - fipspost_post_ecdh
FIPSPOST_KEXT [1934620988] fipspost_post:168: PASSED: (0 ms) - fipspost_post_drbg_ctr
FIPSPOST_KEXT [1934753970] fipspost_post:169: PASSED: (0 ms) - fipspost_post_aes_ccm
FIPSPOST_KEXT [1934879471] fipspost_post:171: PASSED: (0 ms) - fipspost_post_aes_gcm
FIPSPOST_KEXT [1935001951] fipspost_post:172: PASSED: (0 ms) - fipspost_post_aes_xts
FIPSPOST_KEXT [1935182014] fipspost_post:173: PASSED: (0 ms) - fipspost_post_tdes_cbc
FIPSPOST_KEXT [1935272353] fipspost_post:174: PASSED: (0 ms) - fipspost_post_drbg_hmac
FIPSPOST_KEXT [1935362535] fipspost_post:197: all tests PASSED (144 ms)
AUC[<ptr>]::init(<ptr>)
AUC[<ptr>]::probe(<ptr>, <ptr>)
AppleCredentialManager: init: called, instance = <ptr>.
ACMRM: init: called, EN=YES, KB_OBS=YES.
ACMRM: _loadRestrictedModeForceEnable: restricted mode force-enabled = 0 .
ACMRM-A: init: called, .
Darwin Image4 Validation Extension Version 1.2.0: Tue Mar  5 19:43:52 PST 2019; root:AppleImage4-1.250.8~181/AppleImage4/RELEASE_ARM64
ACMRM-A: _loadAnalyticsCollectionPeriod: analytics collection period = 86400 .
ACMRM: _loadStandardModeTimeout: standard mode timeout = 259200 .
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMRM: _loadGracePeriodTimeout: device lock timeout = 3600 .
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200.
ACMRM: _mapAndPublishTRM: set TRM_GracePeriodTimeout = 3600.
ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(2): TRM: 259200 -/ff 3600 -/ff CUR: 259200 -/ff 3600 -/ff.
AppleCredentialManager: init: returning, result = true, instance = <ptr>.
AUC[<ptr>]::start(<ptr>)
AppleKeyStore starting (BUILT: Mar  7 2019 22:27:50)
AppleSEPKeyStore::start: _sep_enabled = 1
AppleCredentialManager: start: called, instance = <ptr>.
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleCredentialManager: start: initializing power management, instance = <ptr>.
AppleCredentialManager: start: started, instance = <ptr>.
AppleCredentialManager: start: returning, result = true, instance = <ptr>.
[  112.327571@0] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
AppleARMPE::getGMTTimeOfDay can not provide time of day: RTC did not show up
: apfs_module_start:1393: load: com.apple.filesystems.apfs, v945.250.134, apfs-945.250.134, 2019/03/05
com.apple.AppleFSCompressionTypeZlib kmod start
IOSurfaceRoot::installMemoryRegions()
IOSurface disallowing global lookups
apfs_sysctl_register:929: done registering sysctls.
com.apple.AppleFSCompressionTypeZlib load succeeded
L2TP domain init
L2TP domain init complete
PPTP domain init
BSD root: md0, major 2, minor 0
apfs_vfsop_mountroot:1549: apfs: mountroot called!
apfs_vfsop_mount:1279: unable to root from devvp <ptr> (root_device): 2
apfs_vfsop_mountroot:1553: apfs: mountroot failed, error: 2
hfs: mounted PeaceB16B92.arm64CustomerRamDisk on device b(2, 0)

But the system stopped here for good. In theory, the next step is to start the launchd process and print the following log:

: : Darwin Bootstrapper Version 6.0.0: Tue Oct 16 22:26:06 PDT 2018; root:libxpc_executables-1336.220.5~209/launchd/RELEASE_ARM64
boot-args = debug=0x8 kextlog=0xfff cpus=1 rd=md0 serial=2

But the system produced no output and no panic, which indicates that it is stuck somewhere or waiting for an event or signal.

Summary

Because there are no effective debugging tools and methods on the development board, progress currently stops here. To debug further, the only option is to wait for the ARM FVP SHA256 instruction problem to be solved, after which DS can be used to single-step. The iOS kernel is up. If some device specs can be obtained, more devices can be simulated. In theory, it is not impossible to run iOS on ordinary ARMv8 devices. Through this experiment I gained a deeper understanding of the ARM architecture and explored some reverse engineering methods. If you are interested, welcome to follow our WeChat public account: MinosProject

I would like to know what the use of running the iOS kernel on any device is. What is the objective behind it?

AFAIK even if it runs, there won't be any support for the UI or any kind of app. Also, once Apple sees this they will try to block the progress of such work.

Maybe I am not aware of the objective here. Please explain.

Thanks.

I mentioned it in the first article:

The purpose is to study the iOS kernel startup process and the relevant security measures of the iOS kernel.
