Jailbroken iOS 26.1 Virtual Machine Demonstrated

Security researchers have demonstrated a fully working, jailbroken iOS 26.1 virtual iPhone running on Apple Silicon-based Macs. The project, which uses PCC firmware, allows for vulnerability testing without relying on third-party services like Corellium. The team has released public setup instructions and a project repository for developers and researchers.

- The project leverages firmware components initially discovered within Apple's Private Cloud Compute (PCC) infrastructure, specifically "vphone600ap" elements that appeared in cloudOS 26 builds. PCC is a system designed for private AI processing, and Apple released an official Virtual Research Environment (VRE) for it, allowing researchers to simulate a PCC node on Apple Silicon.
- This type of independent virtualization provides a direct alternative to commercial services like Corellium, with which Apple engaged in a multi-year legal battle over iOS virtualization. Courts ultimately ruled that Corellium's product constituted "fair use" for security research, a major precedent in the field.
- The virtual machine operates using Apple's own Virtualization.framework on Apple Silicon, rather than through less efficient emulation. The project specifically uses a modified version of "super-tart," an open-source tool that manages Apple Silicon VMs and utilizes private, undocumented features of the framework to enable advanced capabilities like DFU mode and GDB debugging.
- Apple's official iOS 26.1 update, released around November 2025, introduced features such as a "Liquid Glass" opacity toggle, new languages for AirPods Live Translation including Korean and Japanese, and the ability to disable the Lock Screen's camera swipe gesture.
- Unlike the Xcode simulator, which mimics the iOS software environment, this project achieves full virtualization, creating a complete virtual iPhone that includes a virtualized Secure Enclave Processor (SEP). This allows for much deeper security research into components that are normally inaccessible.
- The ability to locally virtualize and jailbreak iOS on production hardware is a significant step forward from previous public research, which had successfully virtualized older versions like iOS 15 but only reached the initial setup screen (PreBoard.app).
- The availability of a free, open-source tool contrasts sharply with the established commercial alternative, Corellium, which can cost individuals around $99 per month for a 2-core CPU plan, with enterprise plans costing tens of thousands of dollars annually.
- This work is made possible by the common ARM architecture across Apple's devices, but it still faces complexities. For instance, virtualization on the latest M4 chips initially had bugs that prevented older macOS versions from booting, which required a fix in macOS 15.2 to resolve.


Shared from Scout - Be the smartest in the room.