New Tool Boots Full iPhone on Mac

A new research-level tool now enables booting a full virtual iPhone on macOS. It uses Apple's native Virtualization.framework and supports custom firmware and DFU mode, offering a powerful new method for engineering testing and process optimization, though it requires disabling System Integrity Protection.

This virtualization method appears to have origins in the reverse engineering of Apple's Private Cloud Compute (PCC) firmware. Researchers discovered components, specifically one identified as "vphone600ap," within the cloudOS firmware that laid the groundwork for a virtual iPhone environment intended for research. This suggests the tool leverages elements initially developed for Apple's internal, high-security cloud infrastructure.

The core of this capability is a modified open-source tool called "super-tart," a fork of the `tart` virtual machine manager. This special version is engineered to utilize private, undocumented APIs within Apple's native Virtualization.framework, which is what necessitates disabling System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI) for it to function. Unlike the standard iOS Simulator included with Xcode, which runs a simulated version of iOS, this tool virtualizes the full operating system, offering deeper access. This allows for interactions impossible with the simulator, such as entering and restoring from Device Firmware Update (DFU) mode and performing live kernel debugging with GDB.

The process involves creating a hybrid firmware by combining components from a standard iOS IPSW file with elements from the specialized cloudOS. Key bootchain components like the AVPBooter (the virtual BootROM), iBSS, and the kernelcache must be patched to bypass signature verifications before being restored to the virtual machine in DFU mode. This approach provides a higher-fidelity testing environment than emulators and is more flexible than physical devices for certain security research and driver development tasks. The ability to snapshot, clone, and inspect the machine state at a low level accelerates vulnerability research and driver development workflows.
While commercial platforms like Corellium have long offered iOS virtualization, this new tool is notable for running directly on Apple Silicon through the native hypervisor. This avoids the legal and performance-overhead challenges faced by third-party virtualization solutions; the legal question was the subject of lengthy litigation between Apple and Corellium that ultimately ended in a settlement.
