Stars: 702 | Rank 64,499 (Top 2 %) | Language: Shell | License: GNU General Publi... | Created about 4 years ago | Updated almost 3 years ago


Repository Details

Run iPhone (xnu-arm64) in a Docker container! Supports KVM + iOS kernel debugging (GDB)! Run xnu-qemu-arm64 in Docker! Works on ANY device.

Docker-eyeOS

Run the iPhone's xnu-qemu-arm64 (iOS) in a Docker container

Supports KVM + GDB kernel debugging! Run armv8-A in a Docker! Works on ANY device!

Follow us @sickcodes on Twitter for updates!

Docker-eyeOS iOS Kernel Debugging

Docker-eyeOS v1.0.12.1

Features In Docker-eyeOS

  • qemu-system-aarch64 boot into iOS!
  • Runs on ANY device
  • FULL iOS armv8-A GDB Kernel debugging support (step thru & debug the iOS kernel on Linux!)
  • X11 Forwarding (future Display)
  • SSH on localhost:2222 or container.ip:2222
  • GDB on localhost:1234 or container.ip:1234
  • QEMU Full xnu-qemu-Virtualization
  • Container host Arch

Author: Sick.Codes (https://sick.codes)

Dockerhub

https://hub.docker.com/r/sickcodes/docker-eyeos

mkdir -p images
cd images

wget https://images.sick.codes/hfs.sec.zst
wget https://images.sick.codes/hfs.main.zst

# decompress images, uses about 15GB
zstd -d hfs.main.zst
zstd -d hfs.sec.zst

docker pull sickcodes/docker-eyeos:latest

docker run -it --privileged \
    --device /dev/kvm \
    -e RAM=6 \
    -e HFS_MAIN=./images/hfs.main \
    -e HFS_SEC=./images/hfs.sec \
    -p 2222:2222 \
    -v "$PWD:/home/arch/docker-eyeos/images" \
    -e "DISPLAY=${DISPLAY:-:0.0}" \
    -v /tmp/.X11-unix:/tmp/.X11-unix \
    sickcodes/docker-eyeos:latest


ssh root@localhost -p 2222

# password is alpine

# -----> Try to SSH about 4 times
# -----> also needs to HIT ENTER a few times in the terminal to kick it along

NOTE:

  • Hit enter a few times in the container terminal until you see -bash-4.4#

  • SSH into the container on localhost:2222 or containerIP:2222
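The README tells you to retry the SSH login about four times while the guest boots. As an added example that is not part of the Docker-eyeOS repo, the bash script below does that retry for you: it first waits until something is listening on port 2222 (using bash's /dev/tcp, so no extra tools are needed) and then attempts the login a fixed number of times. Host, port, user and password are the README's; the attempt counts and delays are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the Docker-eyeOS repo: wait for the guest's sshd on
# localhost:2222 and retry the login the README asks you to repeat by hand.
# Attempt counts and delays are assumptions; host/port/user follow the README.

# retry_cmd ATTEMPTS DELAY CMD...: run CMD until it succeeds or ATTEMPTS is used up.
# Returns 0 on the first success, 1 when every attempt failed.
retry_cmd() {
    local attempts=$1 delay=$2 i=1
    shift 2
    while [ "$i" -le "$attempts" ]; do
        if "$@"; then
            return 0
        fi
        echo "attempt $i/$attempts failed: $*" >&2
        sleep "$delay"
        i=$((i + 1))
    done
    return 1
}

# tcp_open HOST PORT: 0 once something accepts a connection (bash /dev/tcp, no nc needed)
tcp_open() {
    bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# eyeos_ssh [HOST] [PORT]: wait up to ~60 s for the port, then try ssh 4 times,
# 5 s apart, because the guest drops the first few connections while it boots.
eyeos_ssh() {
    local host=${1:-localhost} port=${2:-2222}
    retry_cmd 60 1 tcp_open "$host" "$port" || {
        echo "nothing listening on $host:$port" >&2
        return 1
    }
    # password is alpine (see the README)
    retry_cmd 4 5 ssh -o ConnectTimeout=10 -p "$port" "root@$host"
}

# usage: source this file, then run:  eyeos_ssh        (or: eyeos_ssh <container.ip> 2222)
```

The port check only proves that QEMU's port forward is up, not that sshd inside iOS is ready, which is why the login itself is still retried; the "hit enter a few times in the container terminal" step from the note above remains a manual one.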

RUN Docker-eyeOS with GDB iOS Kernel Debugging!

docker run -it --privileged \
    --device /dev/kvm \
    -e RAM=6 \
    -e HFS_MAIN=./images/hfs.main \
    -e HFS_SEC=./images/hfs.sec \
    -p 2222:2222 \
    -v "$PWD:/home/arch/docker-eyeos/images" \
    -e "DISPLAY=${DISPLAY:-:0.0}" \
    -v /tmp/.X11-unix:/tmp/.X11-unix \
    -p 1233:1234 \
    -e GDB_ARGS='-S -s' \
    sickcodes/docker-eyeos:latest

# QEMU starts halted (-S) with its gdbstub listening (-s) and waits for GDB to attach

# get the container ID
docker ps
docker exec -it 3cb2d14fc11a /bin/bash -c "cd /home/arch/docker-eyeos/xnu-qemu-arm64-tools/gdb; gdb-multiarch -q"

# then, at the gdb prompt, run:
source load.py
target remote localhost:1234

Export PATH

# once you have SSH'ed in, export PATH and look busy!
export PATH=/iosbinpack64/usr/bin:/iosbinpack64/bin:/iosbinpack64/usr/sbin:/iosbinpack64/sbin:$PATH

How do I mount the disk and put stuff in there?

# print the next free loop device, e.g. /dev/loop0, and attach the image to it
sudo losetup -f
sudo losetup /dev/loop0 ./hfs.main

# mount in a file manager

# unmount and delete the loop device when done (use the device losetup -f printed)
sudo losetup -d /dev/loop0

Upstream Projects

Upstream Masterminds

Supported by:

TCP Tunnel for Linux rework:

Requirements

  • 20GB++ of Disk Space
  • QEMU
  • KVM

GDB Debugging

# run Docker-eyeOS with
-e GDB_ARGS='-S -s' \

# get container id
docker ps

# run gdb-multiarch (interactive, so -it is needed)
docker exec -it containerid /bin/bash -c "cd /home/arch/docker-eyeos/xnu-qemu-arm64-tools/gdb; gdb-multiarch -q"

# then, at the gdb prompt, run:
source load.py
target remote localhost:1234

Run outside the container

# Ubuntu, Debian, Pop!_OS
sudo apt install gdb-multiarch
# Arch, Manjaro
sudo pacman -S gdb-multiarch
git clone https://github.com/alephsecurity/xnu-qemu-arm64-tools.git
cd ./xnu-qemu-arm64-tools/gdb
sudo gdb-multiarch -q
# at the gdb prompt:
source load.py
target remote localhost:1234
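Both GDB sections above end with the same two interactive steps, `source load.py` and `target remote localhost:1234`. As an added example that is not part of the Docker-eyeOS repo or of alephsecurity's tools, the bash helpers below fold those steps into a single gdb-multiarch command line (using gdb's standard `-q` and `-ex` options) and locate the running container by image name, so attaching from inside or outside the container is one call. The image name, paths and ports are the README's; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example, not from the Docker-eyeOS repo: attach gdb-multiarch to the halted
# QEMU gdbstub with one command instead of typing 'source load.py' and 'target remote'
# at the prompt. Image name, paths and ports come from the README; the function
# names are mine. -q and -ex are standard gdb options.

EYEOS_IMAGE=${EYEOS_IMAGE:-sickcodes/docker-eyeos:latest}
GDB_TOOLS_DIR=/home/arch/docker-eyeos/xnu-qemu-arm64-tools/gdb

# gdb_cmd PORT: the gdb-multiarch command line that performs both README steps
gdb_cmd() {
    printf "gdb-multiarch -q -ex 'source load.py' -ex 'target remote localhost:%s'" "$1"
}

# eyeos_container_id: ID of the running container started from EYEOS_IMAGE (empty if none)
eyeos_container_id() {
    docker ps -q --filter "ancestor=$EYEOS_IMAGE" | head -n 1
}

# attach_inside [PORT]: docker exec into the container and connect to the gdbstub
# on the container-side port (1234 unless you changed GDB_PORT)
attach_inside() {
    local port=${1:-1234} cid
    cid=$(eyeos_container_id)
    [ -n "$cid" ] || { echo "no running $EYEOS_IMAGE container" >&2; return 1; }
    docker exec -it "$cid" /bin/bash -c "cd $GDB_TOOLS_DIR && $(gdb_cmd "$port")"
}

# attach_outside [HOST_PORT]: run gdb-multiarch on the host against the port you
# published with -p; with '-p 1233:1234' that is 1233, not 1234
attach_outside() {
    local port=${1:-1234}
    [ -d xnu-qemu-arm64-tools ] || git clone https://github.com/alephsecurity/xnu-qemu-arm64-tools.git
    ( cd xnu-qemu-arm64-tools/gdb && eval "$(gdb_cmd "$port")" )
}

# usage: source this file, then:  attach_inside      or:  attach_outside 1233
```

The distinction between the two attach functions is the one caveat worth keeping in mind: inside the container the stub is always on QEMU's own port, but from the host you must use whichever host-side port the `-p` flag published, and the gdbstub has no authentication, so keep that port bound to localhost rather than exposing it on a shared network.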

Coming Soon

Supported

KVM

Requires a device that supports armv8-A

See https://alephsecurity.com/2020/07/19/xnu-qemu-kvm/

# proposed docker env command line args once KVM support lands
    -e KVM=true
    -e KVM=false

What does it do?

Docker-eyeOS is an exploration platform for researchers and anyone who is interested in the XNU kernel.

Images

  • Create your own using Docker-OSX
  • And then run osx-build-xnu-disks.sh shell script.

Image build script for Docker-OSX

# compress images for any reason
zstd -k hfs.main
zstd -k hfs.sec

# decompress images
zstd -d hfs.main.zst
zstd -d hfs.sec.zst

# after you decompress HFS Plus images, you must fsck them until they are OK using hfsprogs.

fsck.hfsplus -fp ./hfs.sec
fsck.hfsplus -fp ./hfs.sec
fsck.hfsplus -fp ./hfs.main
fsck.hfsplus -fp ./hfs.main
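The README's rule is "fsck them until they are OK", which is why each fsck.hfsplus line appears twice above. As an added example that is not part of the Docker-eyeOS repo, the bash script below turns that into a loop: it decompresses each image only if needed and then re-runs `fsck.hfsplus -fp` until hfsprogs reports the volume as OK, giving up after a bounded number of passes. The `FSCK` variable is my addition so the loop can be exercised with a stand-in command; everything else follows the README.

```shell
#!/usr/bin/env bash
# Added example (not part of the Docker-eyeOS repo): decompress hfs.main/hfs.sec
# and repeat fsck.hfsplus until the volume is reported OK, as the README requires.
# "appears to be OK" is the string hfsprogs prints for a clean volume; the FSCK
# variable exists only so the loop can be tested with a stand-in command.

FSCK=${FSCK:-fsck.hfsplus}

# decompress_image NAME: turn NAME.zst into NAME unless NAME already exists (zstd -d, as in the README)
decompress_image() {
    if [ -e "$1" ]; then
        echo "$1 already present, skipping decompress" >&2
    elif [ -e "$1.zst" ]; then
        zstd -d "$1.zst"
    else
        echo "neither $1 nor $1.zst found" >&2
        return 1
    fi
}

# fsck_until_clean IMAGE [MAX]: run "$FSCK -fp IMAGE" up to MAX times (default 5),
# stopping as soon as it reports the volume OK. Returns 0 if clean, 1 otherwise.
fsck_until_clean() {
    local img=$1 max=${2:-5} i=1 out
    while [ "$i" -le "$max" ]; do
        # a non-zero exit just means "repairs were made or needed"; the message decides
        out=$("$FSCK" -fp "$img" 2>&1) || true
        printf '%s\n' "$out"
        case $out in
            *"appears to be OK"*) return 0 ;;
        esac
        echo "pass $i/$max did not report OK, re-running" >&2
        i=$((i + 1))
    done
    return 1
}

# prepare_images DIR: the full sequence for both disks
prepare_images() {
    local dir=${1:-.} name
    for name in hfs.main hfs.sec; do
        ( cd "$dir" && decompress_image "$name" && fsck_until_clean "$name" ) || return 1
    done
}

# usage: source this file, then:  prepare_images ./images
```

Bounding the number of passes matters: a volume that never comes back clean (a truncated download, for instance) would otherwise keep the loop running, and a failing return value lets the docker run step refuse to start with a disk that was never verified.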

Optional Flags

Download pre-patched image -

  • WARNING 1.8GB of disks are downloaded
  • Expands to 12GB of disks uncompressed

-e GDB_PORT=1234

Default is already set to 1234, feel free to change it

-e GDB=true

Enables GDB (QEMU will be interrupted until GDB starts)

Unpatched Version

  • Alternatively, you can create your own disks as above

  • If you do not wish to patch dyld then you should include all 4 files in your images folder:
    ./hfs.main
    ./hfs.sec
    ./static_tc
    ./tchashes

To Do (Help Wanted)

Ad hoc images

-e STORAGE=host

Store the images in ./images on the host folder

-e STORAGE=guest

Store the images in a local folder inside the container (Watch out for disk space usage if doing this)

VNC

sudo pacman -S wget
mkdir screendump
cd screendump
wget https://github.com/cosmosgenius/screendump/releases/download/0.0.3/com.cosmosgenius.screendump_0.0.3_iphoneos-arm.deb
# a .deb is an ar archive: extract it, then unpack the lzma-compressed data tarball
ar -x com.cosmosgenius.screendump_0.0.3_iphoneos-arm.deb
tar --lzma -xvf data.tar.lzma
# mount and put in the disk

Solve outbound networking

bash -i >& /dev/tcp/google.com/80 0>&1          # requires DNS
bash -i >& /dev/tcp/172.217.22.142/80 0>&1      # perhaps -netdev

How to build your own hfs.main and hfs.sec disk on GNU/Linux for Docker-eyeOS

Note: this process can take around 1-4 hours depending on your specs.

  • Use OSX or create a quick OSX-KVM using Docker-OSX:

# this is Docker-OSX btw
docker run --device /dev/kvm \
    --device /dev/snd \
    -e RAM=12 \
    -p 50922:10022 \
    -v /tmp/.X11-unix:/tmp/.X11-unix \
    sickcodes/docker-osx:latest

  • Complete the graphical installation, guide here: https://github.com/sickcodes/Docker-OSX#additional-boot-instructions

  • Turn on SSH in Sharing Settings

  • Write down your docker container ID with docker ps, e.g. f771bff2192d. You can start that container again later with docker start f771bff2192d. You don't need to log in to the macOS desktop to SSH into Docker-OSX.

  • SSH into your Docker-OSX and add yourself as a NOPASSWD root user (extremely insecure, only do if you will tear-down later).

# OPTIONAL SPEED UP
ssh fullname@localhost -p 50922

sudo tee "/private/etc/sudoers.d/sudoers_$USER" <<EOF
${USER} ALL = (ALL) NOPASSWD: ALL
EOF
  • Complete the script on OSX that is inside this repo

https://github.com/sickcodes/Docker-eyeOS/blob/master/osx-build-xnu-disks.sh

  • Pull the images out when you're done:
scp -P 50922 fullname@localhost:~/static_tc .
scp -P 50922 fullname@localhost:~/tchashes .
scp -P 50922 fullname@localhost:~/hfs.main .
scp -P 50922 fullname@localhost:~/hfs.sec .
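The four scp lines above, together with the "Unpatched Version" section's rule that all four files must be present when dyld is not patched, are easy to get half right. As an added example that is not part of the Docker-eyeOS repo, the bash helpers below pull all four artefacts in one call and then check the images folder before Docker-eyeOS is started, distinguishing "disks missing" (fatal) from "static_tc/tchashes missing" (fine only with a pre-patched image). Port 50922 and the file names are the README's; the user name and destination directory are placeholders you pass in.

```shell
#!/usr/bin/env bash
# Added example, not from the Docker-eyeOS repo: pull the four build artefacts out of
# Docker-OSX in one go and confirm the images folder is complete before starting
# Docker-eyeOS. Port 50922 and the file names come from the README; the user name
# and destination directory are placeholders you pass in.

# The unpatched setup needs all four; a dyld-patched image only needs the two disks.
REQUIRED_FILES="hfs.main hfs.sec static_tc tchashes"

# pull_images USER DEST [PORT]: scp each file from ~ on the Docker-OSX guest
pull_images() {
    local user=$1 dest=${2:-.} port=${3:-50922} f
    mkdir -p "$dest"
    for f in $REQUIRED_FILES; do
        scp -P "$port" "$user@localhost:~/$f" "$dest/" || return 1
    done
}

# missing_images DIR: print the names from REQUIRED_FILES that are absent or empty
# in DIR, one per line; prints nothing and returns 0 when the folder is complete.
missing_images() {
    local dir=${1:-./images} f missing=0
    for f in $REQUIRED_FILES; do
        if [ ! -s "$dir/$f" ]; then
            echo "$f"
            missing=1
        fi
    done
    return "$missing"
}

# ready_for_eyeos DIR: 0 if both HFS disks exist; warns when the dyld files are absent
ready_for_eyeos() {
    local dir=${1:-./images}
    [ -s "$dir/hfs.main" ] && [ -s "$dir/hfs.sec" ] || {
        echo "hfs.main/hfs.sec missing in $dir" >&2
        return 1
    }
    if ! missing_images "$dir" >/dev/null; then
        echo "note: static_tc/tchashes absent, only valid with a pre-patched dyld image" >&2
    fi
    return 0
}

# usage: source this file, then:  pull_images fullname ./images && ready_for_eyeos ./images
```

Checking with `-s` rather than `-e` catches the common failure where an interrupted scp leaves a zero-byte hfs.main behind, which docker run would otherwise pick up and QEMU would fail on much later.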

Enjoy!

<3 Sick.Codes(https://sick.codes)
