Around a year ago, I started working on emulating an iPod Touch 1G using the QEMU emulation software. After months of reverse engineering, figuring out the specifications of various hardware components, and countless debugging runs with GDB, I now have a functional emulation of an iPod Touch that includes display rendering and multitouch support. The emulated device runs the first firmware ever released by Apple for the iPod Touch: iPhoneOS 1.0, build 3A101a. The emulator runs iBoot (the bootloader), the XNU kernel and then executes Springboard. Springboard renders the home screen and is responsible for launching other applications such as Safari and the calendar. I haven't made any modifications to the bootloader, the kernel or other binaries being loaded.

All source code can be found in my branch of QEMU. Note: the emulator requires a custom NOR and NAND image (more about that later in this post). I aim to publish another blog post soon with detailed instructions on how to generate these custom images. The video below shows the emulator in action when booting the device and when navigating through various applications:

To achieve the above, I built upon some of the previous work on iOS/Apple device emulation by others:

- This initial blog post, which initially inspired me to start with this project.
- The follow-up work by Jonathan Afek, building upon the work by Early work on the emulation of the S5L8900 SoC.
- This emulation of the iPhone 11 with QEMU, which provides full kernel emulation functionality.
- The openiboot project has been an invaluable resource in understanding the hardware components of the iPod Touch (I do hope that at one point, we can run Android on iOS devices).
- The Ghidra reverse engineering tool that I used to disassemble the bootloader/kernel images and other binaries.
- This dump of the iPod Touch device tree, which provided an overview and specification of the hardware components included in the iPod Touch 1G.

The most complicated part of this project was to emulate the many hardware components included in the iPod Touch. The specifications of most of the components I had to get operational are proprietary and undocumented, which sometimes made it quite difficult to emulate them properly. I do think, however, that this is the first emulated Apple product that is not only open source but also has full display support and multitouch operational (even though Corellium also offers virtualized iPhones, Corellium is commercial and closed source). In this blog post, I will outline some of the challenges I encountered, describe the steps taken during the boot process, and list some future tasks that can make the emulation even better.

I did enjoy working on this emulator and learned many new things about the internals of mobile devices. I specifically decided to focus on emulating an iPod Touch 1G running the first iOS version ever released. I did this for two reasons: first, older devices have fewer hardware components than newer devices, making it easier to build a useful device emulator. Contemporary Apple devices contain many additional hardware components, such as neural engines, secure enclaves, and a variety of sensors, that will make the emulation of such devices much more difficult and time consuming. The second reason is that older iPhoneOS/iOS versions have few to no security measures implemented, such as trust caches. By focusing on the most primitive version of iPhoneOS, I didn't have to circumvent any security mechanism.

Current Project Status

All hardware components required to execute iBoot, the XNU kernel, Springboard and the pre-installed iPhoneOS applications are functional. The following hardware components are not functional yet, but they are also not essential to fully boot the iPod Touch:

- The Direct Memory Access (DMA) controller.
- The Vectored Interrupt Controller (VIC) and GPIO interrupt controller.
- The power management unit and integrated real-time clock.
- The Flash Memory Controller (FMC), used to communicate with the NAND memory.
- The NAND controller and error-correcting code (ECC) module.

The diagram below shows all five steps when booting the iPod Touch to user applications:

The iPod Touch 1G uses the ARMv6 (little endian) instruction set. The very first step of this project involved setting up a QEMU machine with a CPU so we could execute some code. Fortunately, QEMU supports the ARM1176 CPU and the required instruction set. After initializing the QEMU machine and initializing some memory, we are ready to load our binaries into memory and execute some code!