I am trying to boot iOS 14.0 (18A188 InternalUI) in the emulator. Error log:

`Loading iOS 14.0... kernel_low: 0xfffffff004000000 kernel_high: 0xfffffff00a4cd4f0 KPF: found apfs_vfsop_mount KPF: found handle_eval_rootauth KPF: Found AMFI hashtype check kpf_amfi_callback: Found AMFI (Leaf) kpf_amfi_callback: start @ 0xfffffff007b5d718 kpf_amfi_callback: Found lookup_in_static_trust_cache KPF: Found mac_mount KPF: Found mac_mount kpf_amfi_callback: Found AMFI (Routine) kpf_amfi_callback: start @ 0xfffffff0097edcb8 kpf_amfi_callback: Found lookup_in_trust_cache_module KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated Qemu FB realize g_virt_base: 0xfffffff004000000 g_phys_base: 0x0000000802000000 entry: 0x00000008061204e8 boot_mode: 0 auto-boot=true cmdline: [debug=0x14e kextlog=0xffff serial=3 -v wdt=-1 launchd_unsecure_cache=1] iBoot version: qemu-t8030 Darwin Image4 Validator Version 3.0.0: Wed Aug 12 22:19:21 PDT 2020; root:AppleImage4-106.0.4.0.1~129/AppleImage4/RELEASE_ARM64E AMFI is running in RESEARCH mode! AUC:[0xffffffe19b9f47e0]::init(0xffffffe19ba323c8)

AUC:[0xffffffe19b9f47e0]::probe(0xffffffe19b7c1ea0, 0xffffffe80e3abdac)

AppleCredentialManager: init: called, instance = . ACMFirstResponderKernelService: init: called, . ACMRM-S: init: called, starting PersistentStore service. ACMRM-C: init: called, starting AccessoryCache service. ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache size = 16 (default). ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache expiration = 2592000 (default). ACMRM: init: called, starting TRM service. ACMRM-A: init: called, starting TRM Analytics service. ACMKernelService: initValueFromBootArgAliasesUInt32: analytics collection period = 86400 (default). ACMKernelService: initValueFromBootArgAliasesUInt32: policy mode timeout = 259200 (default). ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES). ACMKernelService: initValueFromBootArgAliasesUInt32: (bounded) grace period timeout = 3600 (default). ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES). ACMKernelService: initValueFromBootArgAliasesUInt32: enabled = 1 (default). ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO* BtArg=NO LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO). ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO* LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO). ACMRM: _loadDisabledByOSEnvironment: disabled by OSEnvironment: NO. ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO LegHW=NO OSEnv=NO* | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO). ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200. ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(n=1) while DISABLED, TRM: 259200 -/ff 4294967295 -/ff miss=ff (CUR: 259200 -/ff 4294967295 -/ff). AppleCredentialManager: init: returning, result = true, instance = . AppleARMBootPerf: Error: profile region not found (2) AppleARMBootPerf: Error: failed to publish profile data (2) virtual bool CoreAnalyticsHub::start(IOService *)::105:CoreAnalyticsHub start AppleSSE::start called AppleSSE::start returning, result = 1 AUC:[0xffffffe19b9f47e0]::start(0xffffffe19b7c1ea0)

AppleSEPKeyStore:321:0: starting (BUILT: Aug 12 2020 22:51:30) AppleSEPKeyStore:545:0: _sep_enabled = 1 AppleCredentialManager: start: called, instance = . ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200. AppleCredentialManager: start: initializing power management, instance = . AppleCredentialManager: start: started, instance = . AppleCredentialManager: start: returning, result = true, instance = . AppleInterruptController::start: Num Shared Timestamps == 0 AppleGPIOICController::start: this: , _gpioicBaseAddress: AppleS8000AES::start: registers at phys:0x0x235008000/0x0x23d2d0000 virt:0x/0x0x4000 / 0x/0x0x4000 AppleGPIOICController::start: this: , _gpioicBaseAddress: AppleGPIOICController::start: this: , _gpioicBaseAddress: virtual bool AppleARMLightEmUp::start(IOService *): starting... AppleS5L8960XUSBPhy::start: hsic disabled 000001.085722 wlan0.A[1] start@968:Default options property found with value 4 Creating an object of AppleBCMWLANPlatformFunctionEmbeddedAMFM class 000001.121777 wlan0.A[2] start@1401: Raised adjustBusy(+1), getBusyState() -> 1 000001.121898 wlan0.A[3] start@1403:Setting up notifier for CoreAnalyticsHub 000001.138758 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::prepareDefaults: model iPhone version 12.1 Identified Serial Port uart7 at 0x23521c000() AppleA7IOPNub: withRegistryEntry, 47: allocated nub

Identified Serial Port uart0 at 0x235200000() AppleA7IOPNub: withRegistryEntry, 47: allocated nub

RTBuddy(SMC): start() - (Aug 12 2020@22:50:37) RTBuddy(ANS2): start() - (Aug 12 2020@22:50:37) RTBuddy(SMC): Boot args override: wdt = -1 RTBuddy(ANS2): Boot args override: wdt = -1 RTBuddy(ANS2): Resuming...

RTBuddy(SMC): Resuming...

Starting AppleSMC kext() - (Aug 12 2020@22:51:44) 000001.210077 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet AppleSMCEmbedded::setPowerState(): ENTER powerStateOrdinal=1, _activeKeyCommand=0 newState=1 AppleA7IOPNub: withRegistryEntry, 47: allocated nub

virtual IOService AppleANS2NVMeController::probe(IOService , SInt32 )::194:Found (ANS2) provider, returning score 100000 000001.217358 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet RTBuddy(SIO): start() - (Aug 12 2020@22:50:37) RTBuddy(SIO): Boot args override: wdt = -1 virtual bool AppleANS2NVMeController::start(IOService )::394:Found the ANS2Endpoint1 bool AppleEmbeddedNVMeController::SetNamespacesStruct()::186:Obtained 7 namespaces from DT virtual IOFilterInterruptEventSource AppleANS2NVMeController::CreateDeviceInterrupt(IOInterruptEventSource::Action, IOFilterInterruptEventSource::Filter, IOService )::2719:ANS2 NVMe interrupt index - 0x4 LPM: Log data is NOT valid. 0x0 0x0 AppleDialogSPMIPMU::start: Primary PMU detected AppleARMRTC started!##### AppleDialogSPMIPMURTC started! Failed to read info-leg_scrpad/Library/Caches/com.apple.xbs/Sources/AppleSMC/AppleSMC-589.0.5/AppleSMCEmbeddedCharger/AppleSMCCharger.cpp:408 _setPowerStateGated() ENTER powerStateOrdinal=1, _powerState=1 AppleDialogSPMIPMURTC tick read!&&&&&&& AppleDialogSPMIPMURTC ending!%%% AppleARMRTC registering service!@@@@@@ AppleARMRTC service registered!$$$$$ AppleARMRTC publishing service!^^^^^^ apfs_module_start:2411: load: com.apple.filesystems.apfs, v1677.0.5, apfs-1677.0.5, 2020/08/12 com.apple.AppleFSCompressionTypeZlib kmod start apfs_sysctl_register:1253: done registering sysctls. com.apple.AppleFSCompressionTypeZlib load succeeded L2TP domain init L2TP domain init complete Load request for com.apple.nke.pptp failed: -603946998 Waiting on IOProviderClassIOMediaIOPropertyMatchPartition ID0x1 virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=0 entrysize=64 virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=1 entrysize=128 ANS2: MMIO write to unknown vendor register, offset=0x1210 value=0x240024, returning ANS2: MMIO write to unknown vendor register, offset=0x24004 value=0x1000, returning ANS2: MMIO write to unknown vendor register, offset=0x24008 value=0x0, returning ANS2: MMIO write to unknown vendor register, offset=0x24118 value=0x102, returning ANS2: MMIO write to unknown vendor register, offset=0x24108 value=0x102, returning ANS2: MMIO write to unknown vendor register, offset=0x24420 value=0x102, returning ANS2: MMIO write to unknown vendor register, offset=0x24414 value=0x102, returning ANS2: MMIO write to unknown vendor register, offset=0x2441c value=0x10002, returning ANS2: MMIO write to unknown vendor register, offset=0x24418 value=0x10002, returning ANS2: MMIO write to unknown vendor register, offset=0x24144 value=0x10002, returning ANS2: MMIO write to unknown vendor register, offset=0x24524 value=0x10002, returning ANS2: MMIO write to unknown vendor register, offset=0x24508 value=0x102, returning ANS2: MMIO write to unknown vendor register, offset=0x24504 value=0x10002, returning virtual void AppleANS2NVMeController::SetModeselRegister(uint32_t)::1186:Setting modesel to 0 ANS2: MMIO write to unknown vendor register, offset=0x1304 value=0x0, returning bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1964:nvme: Vendor ID : 0x1b36 bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1965:nvme: Model Number : QEMU NVMe Ctrl
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1966:nvme: Serial Number : QEMUT8030ANS
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1967:nvme: Firmware Rev : 1.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2000:nvme: S3E A0 Invalid 1x slc 1D 0 plane 128GB NAND bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2009:ECCVersion : 0 bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2010:FTL Rev : 0.0 bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2011:DM_Version : 0 bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2012:======================= bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2019:Found 16 namespaces in current NAND bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[1] as nstype[1] bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[2] as nstype[2] bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[3] as nstype[3] bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[4] as nstype[4] bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[5] as nstype[5] bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[6] as nstype[6] bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[7] as nstype[8] bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[8] as nstype[0] bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[9] as nstype[0] bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[10] as nstype[0] bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[11] as nstype[0] bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[12] as nstype[0] bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[13] as nstype[0] bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[14] as nstype[0] bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[15] as nstype[0] bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[16] as nstype[0] bool AppleEmbeddedNVMeController::SetSwapWriteLimit(uint32_t)::2192: Swap limit set to 2147483648bytes, 2GB uint32_t AppleEmbeddedNVMeNVRAM::GetNVRAMSize()::745:NVRAM size is 8192 bytes virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1578:allocateAll 1 dev_init:297: disk0 device accelerated crypto: 0 (compiled @ Aug 12 2020 22:19:57) dev_init:300: disk0 device_handle block size 512 block count 67108864 features 0 internal nx_kernel_mount:1134: disk0 initializing cache w/hash_size 4096 and cache size 10064 nx_kernel_mount:1402: disk0 checkpoint search: largest xid 355, best xid 355 @ 33 import_iboot_forwarded_roothash:2577: importing root hash ... apfs_extract_root_hash_arm:10001: could not retrieve system-volume-auth-blob from device tree import_iboot_forwarded_roothash:2580: apfs_extract_root_hash_and_manifest failed with error: No such file or directory (2) Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOGUIDPartitionScheme/Untitled 1@1 BSD root: disk0s1, major 1, minor 1 virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 2, NSTYPE - 2 apfs_vfsop_mountroot:2188: apfs: mountroot called! dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57) dev_init:300: disk0s1 device_handle block size 512 block count 67108864 features 22 internal solidstate nx_kernel_mount:1134: disk0s1 initializing cache w/hash_size 4096 and cache size 10064 virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 3, NSTYPE - 3 virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 6, NSTYPE - 6 [effaceable:ERR ] unable to find content [effaceable:INIT] started virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 7, NSTYPE - 8 virtual IOReturn AppleNVMeNamespaceDevice::GetDeviceProperties()::269: Logical Blocks Size = 512 virtual IOReturn AppleNVMeNamespaceDevice::GetDeviceProperties()::272: Block Count = 2048 virtual bool AppleNVMeNamespaceDevice::start(IOService *)::111:NVMe Namespace Device registration done for NSID: 7, NSTYPE: 8 virtual bool AppleEmbeddedNVMeController::StartController()::1547:Setting NAND status to Ready nx_kernel_mount:1402: disk0s1 checkpoint search: largest xid 355, best xid 355 @ 33 apfs_vfsop_mount:1848: Promoter has been locked for disk0s1 failed to find root-snapshot-name snapshot handle_mount:627: vol-uuid: 5133F48D-5D9E-499B-A8BA-45E692E36FD9 block size: 4096 block count: 8388608 (unencrypted; flags: 0x1; features: 8.0.12) handle_mount:640: setting dev block size to 4096 from 512 nx_volume_group_update:6634: Volume System is not in a volume group apfs_vfsop_mount:2171: disk0s1s1:0 mounted volume: System IOPlatformPanicAction -> AppleANS2NVMeController IOPlatformPanicAction -> AppleNubSynopsysOTG3Device IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer IOPlatformPanicAction -> RTBuddyV2 IOPlatformPanicAction -> RTBuddyV2 IOPlatformPanicAction -> AppleSMC IOPlatformPanicAction -> RTBuddyV2 IOPlatformPanicAction -> AppleT8030PMGR panic(cpu 0 caller 0xfffffff007e63dfc): "Process 1 exec of /sbin/launchd failed, errno 86" Debugger message: panic Memory ID: 0x0 OS release type: Not set yet OS version: Not set yet Kernel version: Darwin Kernel Version 20.0.0: Wed Aug 12 22:56:55 PDT 2020; root:xnu-7195.0.33~64/RELEASE_ARM64_T8030 Kernel UUID: FDDAF386-4EA2-35FC-8235-1F167AEFD6F3 iBoot version: qemu-t8030 secure boot?: YES Paniclog version: 13 Kernel text base: 0xfffffff007004000 mach_absolute_time: 0x3a68cda Epoch Time: sec usec Boot : 0x62471b68 0x00092c8a Sleep : 0x00000000 0x00000000 Wake : 0x00000000 0x00000000 Calendar: 0x62471b69 0x000da7c4

Panicked task 0xffffffe19b795f40: 1 pages, 1 threads: pid 1: init Panicked thread: 0xffffffe19ba185d0, backtrace: 0xffffffe8139e37f0, tid: 358 lr: 0xfffffff007a2af48 fp: 0xffffffe8139e3830 lr: 0xfffffff007a2ad48 fp: 0xffffffe8139e38a0 lr: 0xfffffff007b64940 fp: 0xffffffe8139e38c0 lr: 0xfffffff007b56e1c fp: 0xffffffe8139e3980 lr: 0xfffffff00811c5f4 fp: 0xffffffe8139e3990 lr: 0xfffffff007a2aa30 fp: 0xffffffe8139e3d10 lr: 0xfffffff007a2aa30 fp: 0xffffffe8139e3d70 lr: 0xfffffff0097db97c fp: 0xffffffe8139e3d90 lr: 0xfffffff007e63dfc fp: 0xffffffe8139e3e40 lr: 0xfffffff007e2fea0 fp: 0xffffffe8139e3e60 lr: 0xfffffff007a21b7c fp: 0xffffffe8139e3e90 lr: 0xfffffff00811caec fp: 0xffffffe8139e3ea0 lr: 0xfffffff007a61fd0 fp: 0xffffffe8139e3f00 lr: 0xfffffff00812495c fp: 0x0000000000000000

** Stackshot Succeeded ** Bytes Traced 10867 (Uncompressed 36160) ** IOPlatformPanicAction -> AppleANS2NVMeController IOPlatformPanicAction -> AppleNubSynopsysOTG3Device IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer IOPlatformPanicAction -> RTBuddyV2 IOPlatformPanicAction -> RTBuddyV2 IOPlatformPanicAction -> AppleSMC IOPlatformPanicAction -> RTBuddyV2 IOPlatformPanicAction -> AppleT8030PMGR IOPlatformPanicAction -> AppleANS2NVMeController IOPlatformPanicAction -> AppleNubSynopsysOTG3Device IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer IOPlatformPanicAction -> RTBuddyV2 IOPlatformPanicAction -> RTBuddyV2 IOPlatformPanicAction -> AppleSMC IOPlatformPanicAction -> RTBuddyV2 IOPlatformPanicAction -> AppleT8030PMGR IOPlatformPanicAction -> AppleANS2NVMeController IOPlatformPanicAction -> AppleNubSynopsysOTG3Device IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer IOPlatformPanicAction -> RTBuddyV2 IOPlatformPanicAction -> RTBuddyV2 IOPlatformPanicAction -> AppleSMC IOPlatformPanicAction -> RTBuddyV2 IOPlatformPanicAction -> AppleT8030PMGR wdog panic (attempt 1) ` Boot command:

../qemu-system-aarch64 -accel tcg,tb-size=8192 -s -M t8030,trustcache-filename=static_tc,ticket-filename=root_ticket.der \ -kernel kernelcache.research.iphone12b \ -dtb Firmware/all_flash/DeviceTree.n104ap.im4p \ -append "debug=0x14e kextlog=0xffff serial=3 -v wdt=-1 launchd_unsecure_cache=1" \ -initrd 038-44135-124.dmg \ -cpu max -smp 4 \ -m 4G -serial mon:stdio \ -drive file=disk.1,format=raw,if=none,id=drive.1 \ -device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1 \ -drive file=nvme.2,format=raw,if=none,id=drive.2 \ -device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2 \ -drive file=nvme.3,format=raw,if=none,id=drive.3 \ -device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3 \ -drive file=nvme.4,format=raw,if=none,id=drive.4 \ -device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4 \ -drive file=nvram,if=none,format=raw,id=nvram \ -device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram \ -drive file=nvme.6,format=raw,if=none,id=drive.6 \ -device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6 \ -drive file=nvme.7,format=raw,if=none,id=drive.7 \ -device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8 \ -monitor telnet:127.0.0.1:1235,server,nowait

With blocksize set to 4096, I get mount errors.

iOS 15.3.1 cannot be restored - unencrypted data volume is not allowed panic Kernel is a research kernel xnu cmdline: -restore kextlog=0xffff debug=0x14e -v rd=md0 launchd_missing_exec_no_panic=1 serial=3 wdt=-1 keepsyms=1 launchd_unsecure_cache=1 IPSW download root_ticket.der generated with BuildManifest in ipsw and the ticket.shsh2 in qemu-t8030-tools Host is Debian bullseye Linux 5.15.0-0.bpo.3-amd64 #1 SMP Debian 5.15.15-2~bpo11+1 (2022-02-03) x86_64 qemu-t8030 commit: 42fedc70b97c8071f587b7748e323b897249548a boot command:

${HOME}/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=018-92126-069.dmg.trustcache.out,ticket-filename=${HOME}/vm_images/t8030/root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb DeviceTree.n104ap.im4p \
-append "-restore kextlog=0xffff debug=0x14e -v rd=md0 launchd_missing_exec_no_panic=1 serial=3 wdt=-1 keepsyms=1 launchd_unsecure_cache=1" \
-initrd '018-92126-069.dmg.out'   \
-cpu max -smp 4 \
-m 2G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait

Serial port output right before panic

entering mount_partition                          
executing /sbin/mount_apfs -R /dev/disk0s1s2 /mnt2                                                  
apfs_mount:26376: disk0s1s2 mount for ramdisk                                                       
set_cloneinfo_id_epoch:25743: disk0s1s2 set cloneinfo_id_epoch to 16                                
apfs_log_mount_unmount:1828: disk0s1s2 mounting volume Data, requested by: mount_apfs (pid 37); parent: restored_externa (pid 6)                                                                         
handle_mount:654: disk0s1s2 vol-uuid: 61706673-7575-6964-0040-766F6C756D01 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:667: disk0s1s2 setting dev block size to 4096 from 512                                 
nx_volume_group_update:7715: disk0s1s2 Volume Data is not in a volume group                         
IOPlatformPanicAction -> AppleANS2NVMeController                                                    
IOPlatformPanicAction -> AppleT8030PMGR                                                             
IOPlatformPanicAction -> AppleARMWatchdogTimer                                                      
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device                                                 
IOPlatformPanicAction -> RTBuddyV2                
IOPlatformPanicAction -> RTBuddyV2                
IOPlatformPanicAction -> RTBuddyV2                
panic(cpu 2 caller 0xfffffff0093c31c8): "unencrypted data volume is not allowed" @apfs_vfsops.c:2357                                                                                                     
Debugger message: panic                           
Memory ID: 0x0                                    
OS release type: Restore                          
OS version: 19D52                                 
Kernel version: Darwin Kernel Version 21.3.0: Wed Jan  5 21:44:45 PST 2022; root:xnu-8019.80.24~23/RELEASE_ARM64_T8030                                                                                   
Kernel UUID: 5703F07F-AEE8-3207-8205-203C7B11B3C2                                                   
iBoot version: qemu-t8030                         
secure boot?: YES                                 
Paniclog version: 13                              
Kernel text base:  0xfffffff007004000             
mach_absolute_time: 0x8fcb69550                   
Epoch Time:        sec       usec                 
  Boot    : 0x6228c86d 0x000d892c                 
  Sleep   : 0x00000000 0x00000000                 
  Wake    : 0x00000000 0x00000000                 
  Calendar: 0x6228ceb3 0x0000edac
  
  Zone info:                                        
Foreign   : 0xfffffff0b83dc000 - 0xfffffff0b83ec000                                                 
Native    : 0xffffffe000588000 - 0xffffffe600588000                                                 
Readonly  : 0xffffffe0e6bec000 - 0xffffffe1338b0000                                                 
Metadata  : 0xffffffeb018cc000 - 0xffffffeb05bac000                                                 
Bitmaps   : 0xffffffeb030cc000 - 0xffffffeb03b28000                                                 
CORE 0: PC=0xfffffff007d4dadc, LR=0xfffffff007c77134, FP=0xffffffeb057bbd60                         
CORE 1: PC=0xfffffff007d4e650, LR=0xfffffff007d4e64c, FP=0xffffffeb0578be80                         
CORE 2 is the one that panicked. Check the full backtrace for details.                              
CORE 3: PC=0xfffffff007d4e650, LR=0xfffffff007d4e64c, FP=0xffffffeb10693e80                         
Panicked task 0xffffffe3006cece8: 658 pages, 1 threads: pid 37: mount_apfs                          
Panicked thread: 0xffffffe3e6cbb020, backtrace: 0xffffffeb0583a990, tid: 551                                                                                                                             
                  lr: 0xfffffff007c08c18  fp: 0xffffffeb0583a9d0                                    
                  lr: 0xfffffff007c08938  fp: 0xffffffeb0583aa40                                    
                  lr: 0xfffffff007d5a2cc  fp: 0xffffffeb0583aa60                                    
                  lr: 0xfffffff007d4bae0  fp: 0xffffffeb0583aae0                                    
                  lr: 0xfffffff007d4a894  fp: 0xffffffeb0583aba0                                    
                  lr: 0xfffffff00835a610  fp: 0xffffffeb0583abb0                                    
                  lr: 0xfffffff007c08604  fp: 0xffffffeb0583af40                                    
                  lr: 0xfffffff007c08604  fp: 0xffffffeb0583afa0                                    
                  lr: 0xfffffff009cf01a8  fp: 0xffffffeb0583afc0                                    
                  lr: 0xfffffff0093c31c8  fp: 0xffffffeb0583b890                                    
                  lr: 0xfffffff007de7ee0  fp: 0xffffffeb0583bb40                                    
                  lr: 0xfffffff007de9974  fp: 0xffffffeb0583bd70                                    
                  lr: 0xfffffff007de96bc  fp: 0xffffffeb0583bdb0                                    
                  lr: 0xfffffff0081a8a98  fp: 0xffffffeb0583be50                                    
                  lr: 0xfffffff007d4a960  fp: 0xffffffeb0583bf10                                    
                  lr: 0xfffffff00835a610  fp: 0xffffffeb0583bf20                                    


** Stackshot Succeeded ** Bytes Traced 18741 (Uncompressed 50480) **                                
IOPlatformPanicAction -> AppleANS2NVMeController                                                    
IOPlatformPanicAction -> AppleT8030PMGR                                                             
IOPlatformPanicAction -> AppleARMWatchdogTimer                                                      
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device                                                 
IOPlatformPanicAction -> RTBuddyV2                
IOPlatformPanicAction -> RTBuddyV2                
IOPlatformPanicAction -> RTBuddyV2                
IOPlatformPanicAction -> AppleANS2NVMeController                                                    
IOPlatformPanicAction -> AppleT8030PMGR                                                             
IOPlatformPanicAction -> AppleARMWatchdogTimer                                                      
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device                                                 
IOPlatformPanicAction -> RTBuddyV2                
IOPlatformPanicAction -> RTBuddyV2                
IOPlatformPanicAction -> RTBuddyV2                

Please go to https://panic.apple.com to report this panic

idevicerestore log

┌──(nick㉿kali)-[~]
└─$ idevicerestore -P -d --erase --restore-mode -i 0x1122334455667788 *.ipsw -T root_ticket.der
Using ApTicket found at root_ticket.der length 8931
progress: 0 0.000000
idevice_event_cb: device 1122334455667788 (udid: 00008030-1122334455667788) connected in restore mode
progress: 0 0.100000
Found device in Restore mode
INFO: device serial number is C39ZRMDEN72J
restore_get_irecv_device: Found model N104DEV
progress: 0 0.200000
Identified device as n104ap, iPhone12,1
progress: 0 0.600000
Extracting BuildManifest from IPSW
progress: 0 0.800000
Product Version: 15.3.1
Product Build: 19D52 Major: 19
Device supports Image4: true
Variant: Customer Erase Install (IPSW)
This restore will erase your device data.
################################ [ WARNING ] #################################
# You are about to perform an *ERASE* restore. ALL DATA on the target device #
# will be IRREVERSIBLY DESTROYED. If you want to update your device without  #
# erasing the user data, hit CTRL+C now and restart without -e or --erase    #
# command line switch.                                                       #
# If you want to continue with the ERASE, please type YES and press ENTER.   #
##############################################################################
> YES  
progress: 1 0.000000
Checking IPSW for required components...
All required components found in IPSW
Using cached filesystem from 'iPhone11,8,iPhone12,1_15.3.1_19D52_Restore/018-91937-063.dmg'
progress: 1 0.200000
progress: 1 0.250000
progress: 1 0.300000
progress: 1 0.500000
progress: 1 0.700000
progress: 1 0.900000
About to restore device... 
restore_is_current_device: Connected to com.apple.mobile.restored, version 15
Connecting now...
Connected to com.apple.mobile.restored, version 15
Device 00008030-1122334455667788 has successfully entered restore mode
Hardware Information:
BoardID: 4
ChipID: 32816
UniqueChipID: 1234605616436508552
ProductionMode: false
Starting FDR listener thread
Connecting to FDR client at port 1082
About to do ctrl handshake
FDR sending 89 bytes:
common.c:printing 287 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>BeginCtrl</string>
        <key>CtrlProtoVersion</key>
        <integer>2</integer>
</dict>
</plist>
FDR Sent 89 bytes
FDR Received 105 bytes
common.c:printing 334 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>BeginCtrl</string>
        <key>CtrlProtoVersion</key>
        <integer>2</integer>
        <key>ConnPort</key>
        <integer>49161</integer>
</dict>
</plist>
Ctrl handshake done (ConnPort = 49161)
FDR 0x56033bcb5bc0 waiting for message...
progress: 1 1.000000
About to send RootTicket...
Sending RootTicket now...
Done sending RootTicket
Waiting for NAND (28)
Updating NAND Firmware (58)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
About to send FDR Trust data...
Sending FDR Trust data now...
Done sending FDR Trust Data
Checking for uncollected logs (44)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Creating partition map (11)
Creating filesystem (12)
About to send filesystem...
Connecting to ASR
Retrying connection...
Received 272 bytes:
common.c:printing 272 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Checksum Chunks</key>
        <true/>
        <key>Command</key>
        <string>Initiate</string>
</dict>
</plist>
Connected to ASR
Validating the filesystem
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
Received 336 bytes:
common.c:printing 336 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>1276</integer>
        <key>OOB Offset</key>
        <integer>6562671111</integer>
</dict>
</plist>
Received 325 bytes:
common.c:printing 325 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>72</integer>
        <key>OOB Offset</key>
        <integer>0</integer>
</dict>
</plist>
Received 335 bytes:
common.c:printing 335 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>512</integer>
        <key>OOB Offset</key>
        <integer>6562671875</integer>
</dict>
</plist>
Received 335 bytes:
common.c:printing 335 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>512</integer>
        <key>OOB Offset</key>
        <integer>6562671875</integer>
</dict>
</plist>
Received 335 bytes:
common.c:printing 335 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>512</integer>
        <key>OOB Offset</key>
        <integer>6562671875</integer>
</dict>
</plist>
Received 325 bytes:
common.c:printing 325 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>64</integer>
        <key>OOB Offset</key>
        <integer>0</integer>
</dict>
</plist>
Received 338 bytes:
common.c:printing 338 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>399069</integer>
        <key>OOB Offset</key>
        <integer>6562272806</integer>
</dict>
</plist>
Received 336 bytes:
common.c:printing 336 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>1276</integer>
        <key>OOB Offset</key>
        <integer>6562671111</integer>
</dict>
</plist>
Received 325 bytes:
common.c:printing 325 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>72</integer>
        <key>OOB Offset</key>
        <integer>0</integer>
</dict>
</plist>
Received 335 bytes:
common.c:printing 335 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>512</integer>
        <key>OOB Offset</key>
        <integer>6562671875</integer>
</dict>
</plist>
Received 335 bytes:
common.c:printing 335 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>512</integer>
        <key>OOB Offset</key>
        <integer>6562671875</integer>
</dict>
</plist>
Received 335 bytes:
common.c:printing 335 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>512</integer>
        <key>OOB Offset</key>
        <integer>6562671875</integer>
</dict>
</plist>
Received 325 bytes:
common.c:printing 325 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>64</integer>
        <key>OOB Offset</key>
        <integer>0</integer>
</dict>
</plist>
Received 338 bytes:
common.c:printing 338 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>399069</integer>
        <key>OOB Offset</key>
        <integer>6562272806</integer>
</dict>
</plist>
Received 325 bytes:
common.c:printing 325 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>55</integer>
        <key>OOB Offset</key>
        <integer>0</integer>
</dict>
</plist>
Received 328 bytes:
common.c:printing 328 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>210</integer>
        <key>OOB Offset</key>
        <integer>163</integer>
</dict>
</plist>
Received 327 bytes:
common.c:printing 327 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>108</integer>
        <key>OOB Offset</key>
        <integer>55</integer>
</dict>
</plist>
Received 327 bytes:
common.c:printing 327 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>108</integer>
        <key>OOB Offset</key>
        <integer>55</integer>
</dict>
</plist>
Received 330 bytes:
common.c:printing 330 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>18797</integer>
        <key>OOB Offset</key>
        <integer>373</integer>
</dict>
</plist>
Received 327 bytes:
common.c:printing 327 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>108</integer>
        <key>OOB Offset</key>
        <integer>55</integer>
</dict>
</plist>
Received 328 bytes:
common.c:printing 328 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>210</integer>
        <key>OOB Offset</key>
        <integer>163</integer>
</dict>
</plist>
Received 325 bytes:
common.c:printing 325 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>55</integer>
        <key>OOB Offset</key>
        <integer>0</integer>
</dict>
</plist>
Received 332 bytes:
common.c:printing 332 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>7500</integer>
        <key>OOB Offset</key>
        <integer>168112</integer>
</dict>
</plist>
Received 331 bytes:
common.c:printing 331 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>204</integer>
        <key>OOB Offset</key>
        <integer>175612</integer>
</dict>
</plist>
Received 332 bytes:
common.c:printing 332 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>7500</integer>
        <key>OOB Offset</key>
        <integer>168112</integer>
</dict>
</plist>
Received 332 bytes:
common.c:printing 332 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>7085</integer>
        <key>OOB Offset</key>
        <integer>138866</integer>
</dict>
</plist>
Received 334 bytes:
common.c:printing 334 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>192423</integer>
        <key>OOB Offset</key>
        <integer>175816</integer>
</dict>
</plist>
Received 336 bytes:
common.c:printing 336 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>213761</integer>
        <key>OOB Offset</key>
        <integer>21904205</integer>
</dict>
</plist>
Received 332 bytes:
common.c:printing 332 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>7500</integer>
        <key>OOB Offset</key>
        <integer>168112</integer>
</dict>
</plist>
Received 332 bytes:
common.c:printing 332 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>3186</integer>
        <key>OOB Offset</key>
        <integer>164926</integer>
</dict>
</plist>
Received 332 bytes:
common.c:printing 332 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>7500</integer>
        <key>OOB Offset</key>
        <integer>168112</integer>
</dict>
</plist>
Received 336 bytes:
common.c:printing 336 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>1276</integer>
        <key>OOB Offset</key>
        <integer>6562671111</integer>
</dict>
</plist>
Received 325 bytes:
common.c:printing 325 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>72</integer>
        <key>OOB Offset</key>
        <integer>0</integer>
</dict>
</plist>
Received 335 bytes:
common.c:printing 335 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>512</integer>
        <key>OOB Offset</key>
        <integer>6562671875</integer>
</dict>
</plist>
Received 335 bytes:
common.c:printing 335 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>512</integer>
        <key>OOB Offset</key>
        <integer>6562671875</integer>
</dict>
</plist>
Received 335 bytes:
common.c:printing 335 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>512</integer>
        <key>OOB Offset</key>
        <integer>6562671875</integer>
</dict>
</plist>
Received 325 bytes:
common.c:printing 325 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>64</integer>
        <key>OOB Offset</key>
        <integer>0</integer>
</dict>
</plist>
Received 338 bytes:
common.c:printing 338 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>399069</integer>
        <key>OOB Offset</key>
        <integer>6562272806</integer>
</dict>
</plist>
Received 338 bytes:
common.c:printing 338 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>399069</integer>
        <key>OOB Offset</key>
        <integer>6562272806</integer>
</dict>
</plist>
Received 234 bytes:
common.c:printing 234 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>Payload</string>
</dict>
</plist>
Filesystem validated
Sending filesystem now...
progress: 2 0.010006
progress: 2 0.020012
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.030018
progress: 2 0.040005
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.050011
progress: 2 0.060017
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.070003
progress: 2 0.080009
progress: 2 0.090015
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.100002
progress: 2 0.110008
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.120014
progress: 2 0.130000
progress: 2 0.140006
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.150012
progress: 2 0.160018
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.170005
progress: 2 0.180011
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.190017
progress: 2 0.200003
progress: 2 0.210009
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.220015
progress: 2 0.230002
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.240008
progress: 2 0.250014
progress: 2 0.260000
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.270006
progress: 2 0.280012
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.290019
progress: 2 0.300005
progress: 2 0.310011
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.320017
progress: 2 0.330003
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.340009
progress: 2 0.350015
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.360002
progress: 2 0.370008
progress: 2 0.380014
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.390000
progress: 2 0.400006
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.410012
progress: 2 0.420019
progress: 2 0.430005
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.440011
progress: 2 0.450017
progress: 2 0.460003
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.470009
progress: 2 0.480015
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.490002
progress: 2 0.500008
progress: 2 0.510014
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.520000
progress: 2 0.530006
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.540012
progress: 2 0.550019
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.560005
progress: 2 0.570011
progress: 2 0.580017
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.590003
progress: 2 0.600009
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.610016
progress: 2 0.620002
progress: 2 0.630008
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.640014
progress: 2 0.650000
progress: 2 0.660006
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.670012
progress: 2 0.680019
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.690005
progress: 2 0.700011
progress: 2 0.710017
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.720003
progress: 2 0.730009
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.740016
progress: 2 0.750002
progress: 2 0.760008
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.770014
progress: 2 0.780000
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.790006
progress: 2 0.800013
progress: 2 0.810019
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.820005
progress: 2 0.830011
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.840017
progress: 2 0.850003
progress: 2 0.860009
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.870016
progress: 2 0.880002
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.890008
progress: 2 0.900014
progress: 2 0.910000
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.920006
progress: 2 0.930013
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.940019
progress: 2 0.950005
progress: 2 0.960011
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.970017
progress: 2 0.980003
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.990009
progress: 2 1.000000
Done sending filesystem
Verifying restore (14)
progress: 3 0.020000
progress: 3 0.040000
progress: 3 0.060000
progress: 3 0.080000
progress: 3 0.100000
progress: 3 0.120000
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 3 0.140000
progress: 3 0.160000
progress: 3 0.180000
progress: 3 0.200000
progress: 3 0.220000
progress: 3 0.240000
progress: 3 0.260000
progress: 3 0.280000
progress: 3 0.300000
progress: 3 0.320000
progress: 3 0.340000
progress: 3 0.360000
progress: 3 0.380000
progress: 3 0.400000
progress: 3 0.420000
progress: 3 0.440000
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 3 0.460000
progress: 3 0.480000
progress: 3 0.500000
progress: 3 0.520000
progress: 3 0.540000
progress: 3 0.560000
progress: 3 0.580000
progress: 3 0.600000
progress: 3 0.620000
progress: 3 0.640000
progress: 3 0.660000
progress: 3 0.680000
progress: 3 0.700000
progress: 3 0.720000
progress: 3 0.740000
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 3 0.760000
progress: 3 0.780000
progress: 3 0.800000
progress: 3 0.820000
progress: 3 0.840000
progress: 3 0.860000
progress: 3 0.880000
progress: 3 0.900000
progress: 3 0.920000
progress: 3 0.940000
progress: 3 0.960000
progress: 3 0.980000
progress: 3 1.000000
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Checking filesystems (15)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
Checking filesystems (15)
Checking filesystems (15)
Mounting filesystems (16)
Mounting filesystems (16)
Mounting filesystems (16)
Unknown operation (80)
Unhandled progress operation 80 (80)
Sending IsiBootEANFirmware image list
Unhandled progress operation 80 (80)
Sending IsiBootNonEssentialFirmware image list
About to send NORData...
Found firmware path Firmware/all_flash
Getting firmware manifest from build identity
Extracting LLB.n104.RELEASE.im4p (Firmware/all_flash/LLB.n104.RELEASE.im4p)...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
Not personalizing component LLB...
Extracting applelogo@1792~iphone.im4p (Firmware/all_flash/applelogo@1792~iphone.im4p)...
Not personalizing component AppleLogo...
Extracting batterycharging0@1792~iphone.im4p (Firmware/all_flash/batterycharging0@1792~iphone.im4p)...
Not personalizing component BatteryCharging0...
Extracting batterycharging1@1792~iphone.im4p (Firmware/all_flash/batterycharging1@1792~iphone.im4p)...
Not personalizing component BatteryCharging1...
Extracting batteryfull@2x~iphone.im4p (Firmware/all_flash/batteryfull@2x~iphone.im4p)...
Not personalizing component BatteryFull...
Extracting batterylow0@2x~iphone.im4p (Firmware/all_flash/batterylow0@2x~iphone.im4p)...
Not personalizing component BatteryLow0...
Extracting batterylow1@2x~iphone.im4p (Firmware/all_flash/batterylow1@2x~iphone.im4p)...
Not personalizing component BatteryLow1...
Extracting glyphplugin@1792~iphone-lightning.im4p (Firmware/all_flash/glyphplugin@1792~iphone-lightning.im4p)...
Not personalizing component BatteryPlugin...
Extracting DeviceTree.n104ap.im4p (Firmware/all_flash/DeviceTree.n104ap.im4p)...
Not personalizing component DeviceTree...
Extracting lowpowermode@1792~iphone-lightning.im4p (Firmware/all_flash/lowpowermode@1792~iphone-lightning.im4p)...
Not personalizing component LowPowerWallet0...
Extracting lowpowerfindmymode@1792~iphone-lightning.im4p (Firmware/all_flash/lowpowerfindmymode@1792~iphone-lightning.im4p)...
Not personalizing component LowPowerWallet1...
Extracting recoverymode@1792~iphone-lightning.im4p (Firmware/all_flash/recoverymode@1792~iphone-lightning.im4p)...
Not personalizing component RecoveryMode...
Extracting WirelessPower.iphone12b.im4p (Firmware/WirelessPower/WirelessPower.iphone12b.im4p)...
Not personalizing component WCHFirmwareUpdater...
Extracting iBoot.n104.RELEASE.im4p (Firmware/all_flash/iBoot.n104.RELEASE.im4p)...
Not personalizing component iBoot...
Extracting sep-firmware.n104.RELEASE.im4p (Firmware/all_flash/sep-firmware.n104.RELEASE.im4p)...
Not personalizing component RestoreSEP...
Extracting sep-firmware.n104.RELEASE.im4p (Firmware/all_flash/sep-firmware.n104.RELEASE.im4p)...
Not personalizing component SEP...
common.c:supressed printing 27932382 bytes plist...
Sending NORData now...
Done sending NORData
Flashing firmware (18)
progress: 4 1.000000
Unknown operation (80)
Unhandled progress operation 80 (80)
Sending IsEarlyAccessFirmware image list
Unhandled progress operation 80 (80)
Sending IsiBootEANFirmware image list
Unhandled progress operation 80 (80)
Sending IsiBootNonEssentialFirmware image list
Requesting FUD data (36)
progress: 6 0.010000
Found IsFUDFirmware component ANE
Found IsFUDFirmware component AOP
Found IsFUDFirmware component AVE
Found IsFUDFirmware component Ap,HapticAssets
Found IsFUDFirmware component Ap,SystemVolumeCanonicalMetadata
Found IsFUDFirmware component AudioCodecFirmware
Found IsFUDFirmware component GFX
Found IsFUDFirmware component ISP
Found IsFUDFirmware component LeapHaptics
Found IsFUDFirmware component Multitouch
Found IsFUDFirmware component PMP
Found IsFUDFirmware component RestoreTrustCache
Found IsFUDFirmware component SIO
Found IsFUDFirmware component StaticTrustCache
Found IsFUDFirmware component SystemVolume
Sending IsFUDFirmware image list
Extracting h12_ane_fw_metis.im4p (Firmware/ane/h12_ane_fw_metis.im4p)...
Not personalizing component ANE...
Sending IsFUDFirmware for ANE...
progress: 6 0.060000
Extracting aopfw-iphone12baop.im4p (Firmware/AOP/aopfw-iphone12baop.im4p)...
Not personalizing component AOP...
Sending IsFUDFirmware for AOP...
progress: 6 0.130000
Extracting AppleAVE2FW_H12.im4p (Firmware/ave/AppleAVE2FW_H12.im4p)...
Not personalizing component AVE...
Sending IsFUDFirmware for AVE...
progress: 6 0.200000
Extracting N104_HapticAssets.im4p (Firmware/N104_HapticAssets.im4p)...
Not personalizing component Ap,HapticAssets...
Sending IsFUDFirmware for Ap,HapticAssets...
progress: 6 0.260000
Extracting 018-91937-063.dmg.mtree (Firmware/018-91937-063.dmg.mtree)...
Not personalizing component Ap,SystemVolumeCanonicalMetadata...
Sending IsFUDFirmware for Ap,SystemVolumeCanonicalMetadata...
progress: 6 0.330000
Extracting N104_AudioCodecFirmware.im4p (Firmware/N104_AudioCodecFirmware.im4p)...
Not personalizing component AudioCodecFirmware...
Sending IsFUDFirmware for AudioCodecFirmware...
progress: 6 0.400000
Extracting armfw_g12p.im4p (Firmware/agx/armfw_g12p.im4p)...
Not personalizing component GFX...
Sending IsFUDFirmware for GFX...
progress: 6 0.460000
Extracting adc-zelus-n104.im4p (Firmware/isp_bni/adc-zelus-n104.im4p)...
Not personalizing component ISP...
Sending IsFUDFirmware for ISP...
progress: 6 0.530000
Extracting N104_LeapHapticsFirmware.im4p (Firmware/N104_LeapHapticsFirmware.im4p)...
Not personalizing component LeapHaptics...
Sending IsFUDFirmware for LeapHaptics...
progress: 6 0.600000
Extracting N104_Multitouch.im4p (Firmware/N104_Multitouch.im4p)...
Not personalizing component Multitouch...
Sending IsFUDFirmware for Multitouch...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 6 0.660000
Extracting t8030pmp.im4p (Firmware/pmp/t8030pmp.im4p)...
Not personalizing component PMP...
Sending IsFUDFirmware for PMP...
progress: 6 0.730000
Extracting 018-92126-069.dmg.trustcache (Firmware/018-92126-069.dmg.trustcache)...
Not personalizing component RestoreTrustCache...
Sending IsFUDFirmware for RestoreTrustCache...
progress: 6 0.800000
Extracting SmartIOFirmware_ASCv2.im4p (Firmware/SmartIOFirmware_ASCv2.im4p)...
Not personalizing component SIO...
Sending IsFUDFirmware for SIO...
progress: 6 0.860000
Extracting 018-91937-063.dmg.trustcache (Firmware/018-91937-063.dmg.trustcache)...
Not personalizing component StaticTrustCache...
Sending IsFUDFirmware for StaticTrustCache...
progress: 6 0.930000
Extracting 018-91937-063.dmg.root_hash (Firmware/018-91937-063.dmg.root_hash)...
Not personalizing component SystemVolume...
Sending IsFUDFirmware for SystemVolume...
progress: 6 1.000000
Updating gas gauge software (47)
Updating gas gauge software (47)
Updating Stockholm (55)
Requesting FUD data (36)
progress: 6 0.010000
Found IsFUDFirmware component ANE
Found IsFUDFirmware component AOP
Found IsFUDFirmware component AVE
Found IsFUDFirmware component Ap,HapticAssets
Found IsFUDFirmware component Ap,SystemVolumeCanonicalMetadata
Found IsFUDFirmware component AudioCodecFirmware
Found IsFUDFirmware component GFX
Found IsFUDFirmware component ISP
Found IsFUDFirmware component LeapHaptics
Found IsFUDFirmware component Multitouch
Found IsFUDFirmware component PMP
Found IsFUDFirmware component RestoreTrustCache
Found IsFUDFirmware component SIO
Found IsFUDFirmware component StaticTrustCache
Found IsFUDFirmware component SystemVolume
Sending IsFUDFirmware image list
progress: 6 0.060000
progress: 6 0.130000
progress: 6 0.200000
progress: 6 0.260000
Extracting 018-91937-063.dmg.mtree (Firmware/018-91937-063.dmg.mtree)...
Not personalizing component Ap,SystemVolumeCanonicalMetadata...
Sending IsFUDFirmware for Ap,SystemVolumeCanonicalMetadata...
progress: 6 0.330000
progress: 6 0.400000
progress: 6 0.460000
progress: 6 0.530000
progress: 6 0.600000
progress: 6 0.660000
progress: 6 0.730000
Extracting 018-92126-069.dmg.trustcache (Firmware/018-92126-069.dmg.trustcache)...
Not personalizing component RestoreTrustCache...
Sending IsFUDFirmware for RestoreTrustCache...
progress: 6 0.800000
progress: 6 0.860000
progress: 6 0.930000
Extracting 018-91937-063.dmg.root_hash (Firmware/018-91937-063.dmg.root_hash)...
Not personalizing component SystemVolume...
Sending IsFUDFirmware for SystemVolume...
progress: 6 1.000000
Updating Veridian (66)
Unknown operation (79)
Unhandled progress operation 79 (79)
Requesting EAN Data (74)
Creating Protected Volume (67)
ERROR: Could not read data (-256). Aborting.
FDR 0x56033bcb5bc0 terminating...
idevice_event_cb: device 1122334455667788 (udid: 00008030-1122334455667788) disconnected
ERROR: Unable to restore device

UPDATE: Check out the latest guide

I'd be grateful if you could provide some instructions on how we can create a VM which can use the xnu kernel using this project.

Do we need to follow the instructions from https://github.com/alephsecurity/xnu-qemu-arm64/wiki/Build-iOS-on-QEMU? Which ipsw / iOS version did you use?

It looks like you're on iOS 14, so I guess that would make iPhone11,8,iPhone12,1_14.4_18D52_Restore.ipsw then, right? Did you use the kernelcache.release.iphone11b kernel image and the DeviceTree.n104ap.im4p device tree?

PS - I had issues using the Python tools to extract the kernel image & device tree, but https://github.com/blacktop/ipsw seemed to work fine.

Build dependencies

sudo apt-get install -y git libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev ninja-build build-essential cmake gdb

Build script

git clone https://github.com/TrungNguyen1909/qemu-t8030
cd qemu-t8030
mkdir build
cd build
../configure --enable-debug --target-list=aarch64-softmmu --disable-capstone --disable-slirp
make -j$(nproc)

Install lzfse

git clone https://github.com/lzfse/lzfse
cd lzfse
mkdir build
cmake ..
make
sudo make install

Extract disks from IPSW file

wget https://github.com/blacktop/ipsw/releases/download/v20.08.87/ipsw_20.08.87_Linux_x86_64.tar.gz
tar xvzf ipsw_20.08.87_Linux_x86_64.tar.gz

wget -nv -nc http://updates-http.cdn-apple.com/2021WinterFCS/fullrestores/001-98427/9C42F04F-C1B3-41C5-8E0D-0EDCB5087BB5/iPhone11,8,iPhone12,1_14.4_18D52_Restore.ipsw
unzip iPhone11,8,iPhone12,1_14.4_18D52_Restore.ipsw

./ipsw img4 extract kernelcache.research.iphone12b
lzfse -decode -i kernelcache.research.iphone12b.payload -o kernelcache.research.iphone12b.out

./ipsw img4 extract Firmware/all_flash/DeviceTree.n104ap.im4p
lzfse -decode -i Firmware/all_flash/DeviceTree.n104ap.im4p.payload -o Firmware/all_flash/DeviceTree.n104ap.im4p.out

./ipsw img4 extract 038-96262-062.dmg
./ipsw img4 extract Firmware/038-96262-062.dmg.trustcache

Launch script

~/git/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,kernel-filename=kernelcache.research.iphone12b,dtb-filename=DeviceTree.n104ap,kern-cmd-args="debug=0x8 kextlog=0xffff io=0xfff rd=md0 serial=2 -v nvme=0xffff pmgr-debug=0xff",ramdisk-filename=038-96262-062.dmg,xnu-ramfb=on,trustcache-filename=038-96262-062.dmg.trustcache -cpu max -m 4G -serial mon:stdio -monitor telnet:127.0.0.1:1235,server,nowait -smp 6

~/git/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,kernel-filename=kernelcache.research.iphone12b.out,dtb-filename=Firmware/all_flash/DeviceTree.n104ap.im4p.out,kern-cmd-args="debug=0x8 kextlog=0xffff io=0xfff rd=md0 serial=2 -v nvme=0xffff pmgr-debug=0xff",ramdisk-filename=038-96262-062.dmg.payload,xnu-ramfb=on,trustcache-filename=Firmware/038-96262-062.dmg.trustcache.payload -cpu max -m 4G -serial mon:stdio -monitor telnet:127.0.0.1:1235,server,nowait -smp 6

Hey,

I have trouble restoring because of timeouts and freezes. Any advice ?

I also notice that the VMs (linux or iOS) often freeze for no reason until I focus the GUI window.

I cannot seem to restore the device:

┌──(nick㉿kali)-[~]
└─$ idevicerestore -P -d --erase --restore-mode -i 0x1122334455667788 iPhone11,8,iPhone12,1_14.0_18A5351d_Restore.ipsw -T root_ticket.der
Using ApTicket found at root_ticket.der length 8931
progress: 0 0.000000
idevice_event_cb: device 1122334455667788 (udid: 00008030-1122334455667788) connected in restore mode
progress: 0 0.100000
Found device in Restore mode
INFO: device serial number is C39ZRMDEN72J
restore_get_irecv_device: Found model N104DEV
progress: 0 0.200000
Identified device as n104ap, iPhone12,1
progress: 0 0.600000
Extracting BuildManifest from IPSW
progress: 0 0.800000
Product Version: 14.0
Product Build: 18A5351d Major: 18
Device supports Image4: true
ERROR: Unable to find any build identities

idevicerestore commit 38595f0b7dac3d53033f93e9893d9be49996ba95 with patch applied iOS version: 14.0 VM is kali linux rolling (minimal) root_ticket.der made from ticket.shsh2 in xnu-qemu-arm64-tools Device appears to enter restore mode successfully

Additionally, the patch does not apply for configure.ac I ended up adding AC_SEARCH_LIBS([pthread_create], [pthread]) to configure.ac myself and then remove that hunk of the patch.

Linux boot command:

${HOME}/qemu-t8030/build/qemu-system-x86_64 -smp 1 -m 768 \
-machine q35 \
-device virtio-vga,xres=640,yres=480 \
-enable-kvm \
-cpu qemu64 \
-usb \
-device usb-ehci,id=ehci \
-device usb-tcp-remote,bus=ehci.0 \
-drive file=${HOME}/vm_images/kali.qcow2 \
-net user,hostfwd=tcp::8122-:22 \
-net nic \
-monitor telnet:127.0.0.1:1236,server,nowait

iOS boot command:

${HOME}/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=038-44135-124.dmg.trustcache.out \
-kernel kernelcache.research.iphone12b \
-dtb DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v" \
-initrd 038-44135-124.dmg \
-cpu max -smp 4 \
-m 2G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait

Nick Chan

I followed the instructions in the wiki, build QEMU from this repo, launch a Linux VM using it (I use Slax). I also generated root_ticket.der and put it in both host Linux and guess Linux VM, start the Linux VM then start the iOS VM.

The iOS VM boot to the line waiting for host to trigger start of restore [timeout of 120 seconds]

But Linux VM can't find the device, although it found something using lsusb:

/tmp/usbqemu is available in the host:

When the iOS VM run out of time and reboot, it shows something like RTBuddy(SMC): WARNING: failed to send ping.

Any ideas? Thanks!

J327AP is AppleDisplay2,1 aka Studio Display Currently, the kernel can boot to restored (not restored_external), and such a restore could be attempted. There is a failed kernel patch: qemu-system-aarch64: Missing patch: AKSUC_handle, which is probably related to the problem below. Anyways, the system successfully boots to ramdisk with bash running. The firmware can be obtained from here, which is DarwinOS 15.4, although sw_vers still outputs iPhone OS. Now, this is an OTA update, but the AssetData/ directory in it is the structure of an IPSW. The problem Stuck trying to create protecteted filesystems To reproduce

1. Extract the OTA update
2. cd to the AssetData directory in the OTA update, we want to edit BuildManifest.plist such that idevicerestore will restored it.
3. Create display.der with create_apticket.py, the board config should be j327ap
4. In BuildManifest.plist, under SupportedProductTypes, change AppleDisplay12,1 to iPhone12,1
5. ...under DeviceClass, change J327AP to N104AP
6. Zips up every file in the AssetData directory to create a display.ipsw file
7. create the qemu boot command, use the 018-26834-343.dmg file, which is a FactoryRamDisk as the other FactorySupportRamDisk does not seem to have restored. The following is my boot command:

${HOME}/qemu-t8030/build/qemu-system-x86_64 -smp 4 -m 768 \
-machine q35 \
-device virtio-vga,xres=640,yres=480 \
-enable-kvm \
-cpu qemu64 \
-usb \
-device usb-ehci,id=ehci \
-device usb-tcp-remote,bus=ehci.0 \
-drive file=${HOME}/vm_images/kali.qcow2 \
-net user,hostfwd=tcp::8122-:22 \
-net nic \
-monitor telnet:127.0.0.1:1236,server,nowait &
sleep 1
${HOME}/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=018-26834-343.dmg.trustcache.out,ticket-filename=root_ticket.der \
-kernel kernelcache.release.j327.out \
-dtb DeviceTree.j327ap.im4p \
-append "kextlog=0xffff debug=0x14e -v launchd_missing_exec_no_panic=1 serial=3 wdt=-1 keepsyms=1 launchd_unsecure_cache=1 wdt=-1" \
-initrd '018-26834-343.dmg.out'   \
-cpu max -smp 4 \
-m 2G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait

8. (Optional) modify the ramdisk and add a shell and stuff
9. In the Linux VM, the device should show up as Apple Inc.,
10. Try to restore the device: idevicerestore -P -d --erase --restore-mode -i 0x1122334455667788 display.ipsw -T display.der
11. Wait until it reaches 97%
12. Stuck trying to create protected filesystem Related restored log:

[08:19:36.0505-GMT]{4>9} CHECKPOINT BEGIN: (null):[0x0674] create_protected_filesystems
restore-step-ids = {0x1103067B:77;0x11030674:135}
restore-step-names = {0x1103067B:perform_restore_installing;0x11030674:create_protected_
filesystems}
restore-step-uptime = 217
restore-step-user-progress = 97
entering create_protected_filesystems
ramrod_display_set_granular_progress_forced: 97.000000
content-protect property not found
encryptable property not found
creating class d key for /mnt2

idevicerestore log:

Requesting EAN Data (74)
Creating Protected Volume (67)
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
No data to read (timeout)
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
No data to read (timeout)
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
No data to read (timeout)

Full serial output Full idevicerestore log

After a successful restore, rootfs cannot be mounted for some reason. The rootfs is already modified, and have its snapshot renamed to orig-fs

rootfs binaries (not the one in the wiki as I wanted a newer bash) bash.plist and launchd.plist from setup-ios Although I do not these details mattered when the rootfs is not even mounted.

A filesystem check on the APFS container reported no problem, and it can be mounted on macOS.

This appears to be the log related the the problem:

Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOFDiskPartitionScheme/Untitled 1@1
BSD root: disk0s1, major 1, minor 1
apfs_vfsop_mountroot:2188: apfs: mountroot called!
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 4096 block count 8388607 features 22 internal solidstate
apfs_vfsop_mount:1745: unable to root from devvp <ptr> (root_device): 79
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 79
virtual bool AppleEmbeddedNVMeController::StartController()::1547:Setting NAND status to Ready
hfs_ValidateHFSPlusVolumeHeader: unknown Volume Signature : 0
hfs_mount: hfs_mountfs returned error=22 for device unknown-dev
mount(2) failed

Host is Debian bullseye Full log:

Loading iOS 14.0...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00a4cd4f0
KPF: found apfs_vfsop_mount
KPF: found handle_eval_rootauth
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff007b5d718
kpf_amfi_callback: Found lookup_in_static_trust_cache
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Routine)
kpf_amfi_callback: start @ 0xfffffff0097edcb8
kpf_amfi_callback: Found lookup_in_trust_cache_module
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
Qemu FB realize
g_virt_base: 0xfffffff004000000
g_phys_base: 0x0000000800000000
entry: 0x00000008041204e8
boot_mode: 0
auto-boot=true
cmdline: [debug=0x14e kextlog=0xffff rd=disk0s1 serial=3 -v wdt=-1]
iBoot version: qemu-t8030
Darwin Image4 Validator Version 3.0.0: Wed Aug 12 22:19:21 PDT 2020; root:AppleImage4-106.0.4.0.1~129/AppleImage4/RELEASE_ARM64E
AMFI is running in RESEARCH mode!
AUC:[0xffffffe19b677dd0]::init(0xffffffe19b5cc1b8)

AUC:[0xffffffe19b677dd0]::probe(0xffffffe19b445fe0, 0xffffffe80a31bdac)

AppleCredentialManager: init: called, instance = <ptr>.
ACMFirstResponderKernelService: init: called, .
ACMRM-S: init: called, starting PersistentStore service.
ACMRM-C: init: called, starting AccessoryCache service.
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache size = 16 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache expiration = 2592000 (default).
ACMRM: init: called, starting TRM service.
ACMRM-A: init: called, starting TRM Analytics service.
ACMKernelService: initValueFromBootArgAliasesUInt32: analytics collection period = 86400 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: policy mode timeout = 259200 (default).
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: (bounded) grace period timeout = 3600 (default).
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: enabled = 1 (default).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO* BtArg=NO LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO* LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _loadDisabledByOSEnvironment: disabled by OSEnvironment: NO.
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO LegHW=NO OSEnv=NO* | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200.
ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(n=1) while DISABLED, TRM: 259200 -/ff 4294967295 -/ff miss=ff (CUR: 259200 -/ff 4294967295 -/ff).
AppleCredentialManager: init: returning, result = true, instance = <ptr>.
AppleARMBootPerf: Error: profile region not found (2)
AppleARMBootPerf: Error: failed to publish profile data (2)
virtual bool CoreAnalyticsHub::start(IOService *)::105:CoreAnalyticsHub start
AppleInterruptController::start: Num Shared Timestamps == 0
AppleSSE::start called
AppleSSE::start returning, result = 1
AUC:[0xffffffe19b677dd0]::start(0xffffffe19b445fe0)

AppleSEPKeyStore:321:0: starting (BUILT: Aug 12 2020 22:51:30)
AppleSEPKeyStore:545:0: _sep_enabled = 1
AppleCredentialManager: start: called, instance = <ptr>.
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleS8000AES::start: registers at phys:0x0x235008000/0x0x23d2d0000 virt:0x<ptr>/0x0x4000 / 0x<ptr>/0x0x4000
AppleCredentialManager: start: initializing power management, instance = <ptr>.
AppleCredentialManager: start: started, instance = <ptr>.
AppleCredentialManager: start: returning, result = true, instance = <ptr>.
virtual bool AppleARMLightEmUp::start(IOService *): starting...
000001.935910 wlan0.A[1] start@968:Default options property found with value 4
Creating an object of AppleBCMWLANPlatformFunctionEmbeddedAMFM class
000001.948877 wlan0.A[2] start@1401: Raised adjustBusy(+1), getBusyState() -> 1
000001.949319 wlan0.A[3] start@1403:Setting up notifier for CoreAnalyticsHub
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>

RTBuddy(ANS2): start(<ptr>) - (Aug 12 2020@22:50:37)
RTBuddy(ANS2): Boot args override: wdt = -1
RTBuddy(ANS2): Resuming...

AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>

RTBuddy(SMC): start(<ptr>) - (Aug 12 2020@22:50:37)
RTBuddy(SMC): Boot args override: wdt = -1
RTBuddy(SMC): Resuming...

Starting AppleSMC kext(<ptr>) - (Aug 12 2020@22:51:44)
AppleSMCEmbedded::setPowerState(): ENTER powerStateOrdinal=1, _activeKeyCommand=0 newState=1
virtual IOService *AppleANS2NVMeController::probe(IOService *, SInt32 *)::194:Found (ANS2) provider, returning score 100000
virtual bool AppleANS2NVMeController::start(IOService *)::394:Found the ANS2Endpoint1
bool AppleEmbeddedNVMeController::SetNamespacesStruct()::186:Obtained 7 namespaces from DT
virtual IOFilterInterruptEventSource *AppleANS2NVMeController::CreateDeviceInterrupt(IOInterruptEventSource::Action, IOFilterInterruptEventSource::Filter, IOService *)::2719:ANS2 NVMe interrupt index - 0x4
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleS5L8960XUSBPhy::start: hsic disabled
Identified Serial Port uart7 at 0x23521c000(<ptr>)
Identified Serial Port uart0 at 0x235200000(<ptr>)
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>

RTBuddy(SIO): start(<ptr>) - (Aug 12 2020@22:50:37)
RTBuddy(SIO): Boot args override: wdt = -1
000002.252741 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::prepareDefaults: model iPhone version 12.1
000002.282571 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
000002.287644 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
LPM: Log data is NOT valid. 0x0 0x0
AppleDialogSPMIPMU::start: Primary PMU detected
/Library/Caches/com.apple.xbs/Sources/AppleSMC/AppleSMC-589.0.5/AppleSMCEmbeddedCharger/AppleSMCCharger.cpp:408 _setPowerStateGated() ENTER powerStateOrdinal=1, _powerState=1
AppleARMRTC started!#####
AppleDialogSPMIPMURTC started!******
Failed to read info-leg_scrpadAppleDialogSPMIPMURTC tick read!&&&&&&&
AppleDialogSPMIPMURTC ending!%%%
AppleARMRTC registering service!@@@@@@
AppleARMRTC service registered!$$$$$
AppleARMRTC publishing service!^^^^^^
apfs_module_start:2411: load: com.apple.filesystems.apfs, v1677.0.5, apfs-1677.0.5, 2020/08/12
com.apple.AppleFSCompressionTypeZlib kmod start
apfs_sysctl_register:1253: done registering sysctls.
com.apple.AppleFSCompressionTypeZlib load succeeded
L2TP domain init
L2TP domain init complete
Load request for com.apple.nke.pptp failed: -603946998
Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOService</string><key>BSD Name</key><string ID="2">disk0s1</string></dict>
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=0 entrysize=64
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=1 entrysize=128
ANS2: MMIO write to unknown vendor register, offset=0x1210 value=0x240024, returning
ANS2: MMIO write to unknown vendor register, offset=0x24004 value=0x1000, returning
ANS2: MMIO write to unknown vendor register, offset=0x24008 value=0x0, returning
ANS2: MMIO write to unknown vendor register, offset=0x24118 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24108 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24420 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24414 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x2441c value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24418 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24144 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24524 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24508 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24504 value=0x10002, returning
virtual void AppleANS2NVMeController::SetModeselRegister(uint32_t)::1186:Setting modesel to 0
ANS2: MMIO write to unknown vendor register, offset=0x1304 value=0x0, returning
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1964:nvme: Vendor ID     : 0x1b36
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1965:nvme: Model Number  : QEMU NVMe Ctrl                          
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1966:nvme: Serial Number : QEMUT8030ANS        
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1967:nvme: Firmware Rev  : 1.0     
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2000:nvme: S3E A0 Invalid 1x slc 1D 0 plane 128GB NAND
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2009:ECCVersion   : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2010:FTL Rev      : 0.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2011:DM_Version   : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2012:=======================
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2019:Found 16 namespaces in current NAND
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[1] as nstype[1]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[2] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[3] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[4] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[5] as nstype[5]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[6] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[7] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[8] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[9] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[10] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[11] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[12] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[13] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[14] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[15] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[16] as nstype[0]
bool AppleEmbeddedNVMeController::SetSwapWriteLimit(uint32_t)::2192: Swap limit set to 2147483648bytes, 2GB
uint32_t AppleEmbeddedNVMeNVRAM::GetNVRAMSize()::745:NVRAM size is 8192 bytes
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1578:allocateAll 1
Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOFDiskPartitionScheme/Untitled 1@1
BSD root: disk0s1, major 1, minor 1
apfs_vfsop_mountroot:2188: apfs: mountroot called!
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 4096 block count 8388607 features 22 internal solidstate
apfs_vfsop_mount:1745: unable to root from devvp <ptr> (root_device): 79
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 79
virtual bool AppleEmbeddedNVMeController::StartController()::1547:Setting NAND status to Ready
hfs_ValidateHFSPlusVolumeHeader: unknown Volume Signature : 0
hfs_mount: hfs_mountfs returned error=22 for device unknown-dev
mount(2) failed
Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOService</string><key>BSD Name</key><string ID="2">disk0s1</string></dict>
Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOFDiskPartitionScheme/Untitled 1@1
BSD root: disk0s1, major 1, minor 1
apfs_vfsop_mountroot:2188: apfs: mountroot called!
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 4096 block count 8388607 features 22 internal solidstate
apfs_vfsop_mount:1745: unable to root from devvp <ptr> (root_device): 79
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 79
hfs_ValidateHFSPlusVolumeHeader: unknown Volume Signature : 0
hfs_mount: hfs_mountfs returned error=22 for device unknown-dev
mount(3) failed

Nick Chan

I was following the Wiki guide and was restoring the emulator, but shortly after starting the restore process, it hangs and then panics at Creating 7 namespaces on NAND.

Here is the full log from start to panic. File modification dates show that nvme.1 and nvram storage files were modified, but there still look zeroed out (except the header in nvram). My environment is macOS 12.4 on M1 MacBook Air, and I compiled the tools and code as of today. Below is my launch command.

qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=firmware/Firmware/038-44135-124.dmg.trustcache,ticket-filename=root_ticket.der \
-kernel firmware/kernelcache.research.iphone12b \
-dtb firmware/Firmware/all_flash/DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v -wdt=-1" \
-initrd firmware/038-44135-124.dmg \
-cpu max -smp 6 \
-m 4G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait

Im having this issue while booting a recently restored system

apfs_is_valid_class:2253: rejecting class open (class 2) because we're not content protected
handle_mount:627: vol-uuid: 3D9B78CD-479A-4DC6-ACE3-B6D84DC5166E block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.12)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6634: Volume System is not in a volume group
apfs_vfsop_mount:2171: disk0s1s1:0 mounted volume: System
handle_revert_to_snapshot:5195: On next mount, volume will revert to snapshot 'com.apple.os.update-5118EA8F39FF61D152BA7E1F92591910CDE7A2B09B867D8D58DC37E2CDC0B7C98DD296D4BF57862D143413DD17012D70' w/snap xid 54
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'System'
apfs_vfsop_unmount:2406: waiting for cleaners to finish: purgatory 
apfs_stop_bg_work:1028: disk0s1s1:0 Volume System is unmounting, stop any bg work
tx_flush:1075: disk0s1 xid 323 tx stats: # 20 finish 22 enter 599 wait 2 209518us close 32us flush 315223us
apfs: total mem allocated: 12501875 (11 mb);
apfs_vfsop_unmount:2682: all done.  going home.  (numMountedAPFSVolumes 5)
revert_to_snapshot:1260: Reverting to snapshot w/xid 54 and old sblock oid 8259450.
revert_extents_to_snapshot:1093: free'ing extents in main extentref tree 8257872
free_allocated_snapshot_extents:1008: processed 0 extents and free'd 0 blocks
obj_cache_remove_reverted_fs_objects:1547: disk0s1s1:0 removing reverted fs objects for fs 1026: 55 - 326
revert_to_snapshot:1336: DONE reverting to snapshot w/xid 54
handle_mount:627: vol-uuid: 3D9B78CD-479A-4DC6-ACE3-B6D84DC5166E block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.12)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6634: Volume System is not in a volume group
apfs_vfsop_mount:2171: disk0s1s1:0 mounted volume: System
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'System'
apfs: total mem allocated: 13116575 (12 mb);
apfs_vfsop_unmount:2682: all done.  going home.  (numMountedAPFSVolumes 5)
static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Process 170 is checking if a cdhash is in the trust cache
static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Returning IOReturn 0x0 to process 170
tx_flush:1075: disk0s1 xid 343 tx stats: # 40 finish 42 enter 3116 wait 6 281119us close 18us flush 354580us
tx_flush:1033: disk0s1 tx xid 344 took 1046026 us to sync and write superblock
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
panic(cpu 3 caller 0xfffffff009169144): userspace watchdog timeout: no successful checkins from com.apple.thermalmonitord since load
service returned not alive with context : is_alive_func returned unhealthy : current 400000000000, mask 7fffffffffff, expected 7fffffffffff.  SD: 1 Missing sensor(s): TG0B TG0V TP1A TP2C TP3R TP4H TP5d TP0Z Th0a Th0f Th0x Th1a Th1f Th1x Th2a Th2f Th2x Tc0a Tc0f Tc0x Tc1a Tc1f Tc1x Tc2a Tc2f Tc2x 
service: com.apple.backboardd, total successful checkins since load (180 seconds ago): 19, last successful checkin: 0 seconds ago
service: com.apple.mediaserverd, total successful checkins since load (180 seconds ago): 17, last successful checkin: 0 seconds ago
service: com.apple.logd, total successful checkins since load (180 seconds ago): 19, last successful checkin: 0 seconds ago
service: com.apple.thermalmonitord, no successful checkins since load (180 seconds ago)
service: com.apple.runningboardd, total successful checkins since load (180 seconds ago): 19, last successful checkin: 0 seconds ago
service: com.apple.wifid, total successful checkins s
Debugger message: panic
Memory ID: 0x0
OS release type: Beta
OS version: 18A5351d
Kernel version: Darwin Kernel Version 20.0.0: Wed Aug 12 22:56:55 PDT 2020; root:xnu-7195.0.33~64/RELEASE_ARM64_T8030
Kernel UUID: FDDAF386-4EA2-35FC-8235-1F167AEFD6F3
iBoot version: qemu-t8030
secure boot?: YES
Paniclog version: 13
Kernel text base:  0xfffffff007004000
mach_absolute_time: 0x11ab03024
Epoch Time:        sec       usec
  Boot    : 0x62376f1f 0x000825ce
  Sleep   : 0x00000000 0x00000000
  Wake    : 0x00000000 0x00000000
  Calendar: 0x62376fe3 0x0008cccd

Total cpu_usage: 118819282
Thread task pri cpu_usage
0xffffffe19c0cd170 watchdogd 97 0
0xffffffe19c868000 backboardd 63 0
0xffffffe19c0cc5d0 thermalmonitord 37 0
0xffffffe19cb84000 watchdogd 31 105505
0xffffffe19cae68b0 lsd 31 4488402

Panicked task 0xffffffe19be98640: 242 pages, 5 threads: pid 52: watchdogd
Panicked thread: 0xffffffe19c0cd170, backtrace: 0xffffffe9c237b1e0, tid: 549
		  lr: 0xfffffff007a2af48  fp: 0xffffffe9c237b220
		  lr: 0xfffffff007a2ad48  fp: 0xffffffe9c237b290
		  lr: 0xfffffff007b64940  fp: 0xffffffe9c237b2b0
		  lr: 0xfffffff007b56e1c  fp: 0xffffffe9c237b370
		  lr: 0xfffffff00811c5f4  fp: 0xffffffe9c237b380
		  lr: 0xfffffff007a2aa30  fp: 0xffffffe9c237b700
		  lr: 0xfffffff007a2aa30  fp: 0xffffffe9c237b760
		  lr: 0xfffffff0097db9c0  fp: 0xffffffe9c237b780
		  lr: 0xfffffff009169144  fp: 0xffffffe9c237b7a0
		  lr: 0xfffffff009168e38  fp: 0xffffffe9c237b7c0
		  lr: 0xfffffff00808cb78  fp: 0xffffffe9c237b820
		  lr: 0xfffffff009168130  fp: 0xffffffe9c237b900
		  lr: 0xfffffff00809a98c  fp: 0xffffffe9c237baa0
		  lr: 0xfffffff007b25190  fp: 0xffffffe9c237bbc0
		  lr: 0xfffffff007a30e9c  fp: 0xffffffe9c237bc20
		  lr: 0xfffffff007a021d8  fp: 0xffffffe9c237bca0
		  lr: 0xfffffff007a1d810  fp: 0xffffffe9c237bd60
		  lr: 0xfffffff007b4a434  fp: 0xffffffe9c237be30
		  lr: 0xfffffff007b57094  fp: 0xffffffe9c237bef0
		  lr: 0xfffffff00811c5f4  fp: 0xffffffe9c237bf00


** Stackshot Succeeded ** Bytes Traced 115555 (Uncompressed 294176) **
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
wdog panic (attempt 1)
wdt_update: wdog reset chip

this is my startup script, which is the same which is found at Bringing Up The Emulator - Auto Boot section only added -noconsole -vnc :1 -k es

qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=Firmware/038-44135-124.dmg.trustcache,ticket-filename=root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb Firmware/all_flash/DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v" \
-initrd 038-44135-124.dmg \
-cpu max -smp 4 \
-m 4G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait \
-nographic \
-vnc :1 -k es \

This adds support for extracting the kernel, device tree and trust cache from im4p files.

It turns out qemu doesn't link with OpenSSL after all, but does use GnuTLS which uses libtasn1, which supports parsing ASN.1 files as well.

It does require you to define a schema for the ASN.1 structure which you're parsing (hence the img4.asn1 file), which is then converted into a "definitions array" using asn1Parser -o img4.c -n img4_definitions_array img4.asn1.

The code assumes:

• The file is an IM4P file if asn1_der_decoding can successfully parse the file.
• The payload is LZFSE-compressed if it starts with the string bvx.

Hi, I've following the guide to booting the VM and execute the following command. I am using the fuzz branch of the project.

../qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=static_tc,ticket-filename=root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb Firmware/all_flash/DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v wdt=-1" \
-initrd 048-58517-636.dmg \
-cpu max -smp 4 \
-m 4G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait

Almost immediately after booting, watchdog panics and the device does not boot. I have tried removing "wdt=-1" from boot-args but the issue persists. Here is the log file:

panic.log

Hi @TrungNguyen1909, I tried to restore iPhone 11 using Beta 1 version of iOS 15.6 but i'm stuck at 97% then fail. Any suggestion? Using MBPro (M1)

Thanks, 1n0

0nenzer0@MBProKoTo ~ % /Users/Shared/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=/Users/Shared/iphone11.15.6/Firmware/078-34019-076.dmg.trustcache,ticket-filename=/Users/0nenzer0/root_ticket.der
-kernel /Users/Shared/iphone11.15.6/kernelcache.research.iphone12b
-dtb /Users/Shared/iphone11.15.6/Firmware/all_flash/DeviceTree.n104ap.im4p
-append "debug=0x14e kextlog=0xffff serial=3 -v wdt=-1"
-initrd /Users/Shared/iphone11.15.6/078-34019-076.dmg
-cpu max -smp 4
-m 4G -serial mon:stdio
-drive file=/Users/Shared/nvme.1,format=raw,if=none,id=drive.1
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096
-drive file=/Users/Shared/nvme.2,format=raw,if=none,id=drive.2
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096
-drive file=/Users/Shared/nvme.3,format=raw,if=none,id=drive.3
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096
-drive file=/Users/Shared/nvme.4,format=raw,if=none,id=drive.4
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096
-drive file=/Users/Shared/nvram,if=none,format=raw,id=nvram
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096
-drive file=/Users/Shared/nvme.6,format=raw,if=none,id=drive.6
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096
-drive file=/Users/Shared/nvme.7,format=raw,if=none,id=drive.7
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096
-monitor telnet:127.0.0.1:1235,server,nowait Loading iOS 15.6... kernel_low: 0xfffffff004000000 kernel_high: 0xfffffff00a030cb8 KPF: found apfs_vfsop_mount KPF: found handle_eval_rootauth KPF: Found AMFI hashtype check kpf_amfi_callback: Found AMFI (Leaf) kpf_amfi_callback: Found lookup_in_trust_cache_module @ 0xfffffff007cb6e30 KPF: Found mac_mount KPF: Found mac_mount kpf_amfi_callback: Found AMFI (Leaf) kpf_amfi_callback: Found lookup_in_static_trust_cache @ 0xfffffff009c1c370 qemu-system-aarch64: Missing patch: trustcache16 KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated Qemu FB realize qemu-system-aarch64: -device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096: nvram bank fails adler32: expected: 0x0, got 0x1fec0001 qemu-system-aarch64: nvram bank fails adler32: expected: 0x0, got 0x1fec0001 boot_mode: 0 auto-boot=false g_virt_base: 0xfffffff004000000 g_phys_base: 0x0000000802000000 slide_virt: 0x00000000019b8000 slide_phys: 0x00000000019b8000 entry: 0x0000000807c704f0 cmdline: [-restore rd=md0 nand-enable-reformat=1 -progress debug=0x14e kextlog=0xffff serial=3 -v wdt=-1] iBoot version: qemu-t8030 Darwin Image4 Validator Version 4.2.0: Sat Jun 18 18:53:08 PDT 2022; root:AppleImage4-158.100.11~2910/AppleImage4/RELEASE_ARM64E AppleImage4: failed to read nvram property: oblit-inprogress: 2 AppleImage4: failed to read nvram property: 40A0DDD2-77F8-4392-B4A3-1E7304206516:nonce-seeds: 2 AppleImage4: nonce manager: error reading seeds: 2 AppleImage4: nonce manager: unsupported nonce blob: version = 0, length = 0, v0 length = 304 AMFI is running in RESEARCH mode! AMFI: UDID enforcement enabled AppleCredentialManager: init: called, instance = . ACMFirstResponderKernelService: init: called, . ACMRM-S: init: called, starting PersistentStore service. ACMRM-C: init: called, starting AccessoryCache service. ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache size = 16 (default). ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache expiration = 2592000 (default). ACMRM: init: called, starting TRM service. ACMRM-A: init: called, starting TRM Analytics service. ACMKernelService: initValueFromBootArgAliasesUInt32: analytics collection period = 86400 (default). ACMKernelService: initValueFromBootArgAliasesUInt32: policy mode timeout = 259200 (default). ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES). ACMKernelService: initValueFromBootArgAliasesUInt32: (bounded) grace period timeout = 3600 (default). ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES). ACMKernelService: initValueFromBootArgAliasesUInt32: enabled = 1 (default). ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO* BtArg=NO LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO). ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO* LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO). ACMRM: _loadDisabledByOSEnvironment: disabled by OSEnvironment: NO. ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO LegHW=NO OSEnv=NO* | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO). ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200. ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(n=1) while DISABLED, TRM: 259200 -/ff 4294967295 -/ff miss=ff (CUR: 259200 -/ff 4294967295 -/ff). AppleCredentialManager: init: returning, result = true, instance = . AppleARMBootPerf: Error: profile handoff region not found (2) AppleARMBootPerf: Error: failed to publish profile data (2) virtual bool CoreAnalyticsHub::start(IOService *)::114:CoreAnalyticsHub start AppleS5L8940XI2CController::start: i2c1 this: _i2cBaseAddress: AppleGen0SPMIController[spmi1]:78: Start 000001.804445 AppleT8030TypeCPhy@0: AppleT8027TypeCPhy::start: usb3-phy-parent not specified AppleS5L8940XI2CController::start: i2c0 this: _i2cBaseAddress: AppleS8000AES::start: registers at phys:0x0x235008000/0x0x23d2d0000 virt:0x/0x0x4000 / 0x/0x0x4000 AppleGPIOICController::start: this: , _gpioicBaseAddress: AppleGPIOICController::start: this: , _gpioicBaseAddress: AppleInterruptController::start: Num Shared Timestamps == 0 AppleGPIOICController::start: this: , _gpioicBaseAddress: AppleGen0SPMIController[spmi2]:78: Start virtual bool AppleARMLightEmUp::start(IOService *): starting... AppleOLYHAL::probe: score = 1000 AppleOLYHAL::start: entry with provider 0x43aecd523b AppleS5L8940XI2CController::start: smc-i2c1 this: _i2cBaseAddress: AppleS5L8940XI2CController::start: i2c2 this: _i2cBaseAddress: ApplePMGR: Starting AppleT8030PMGR AppleGen0SPMIController[spmi0]:78: Start AppleS5L8940XI2CController::start: i2c3 this: _i2cBaseAddress: 000002.141518 wlan0.A[1] start@1843:Default options property found with value 4 AppleSSE::start called AppleSSE::start returning, result = 1 Creating an object of AppleOLYHALPlatformFunctionEmbeddedAMFM class 000002.187155 wlan0.A[2] start@2238: Raised adjustBusy(+1), getBusyState() -> 1 000002.187355 wlan0.A[3] setupNotifier@2303:Setting up notifier for CoreAnalyticsHub Warning: arc4random not implemented Warning: arc4random not implemented Warning: arc4random not implemented AppleSEPKeyStore:319:0: starting (BUILT: Jun 18 2022 19:13:29) AppleSEPKeyStore:524:0: _sep_enabled = 1 AppleCredentialManager: start: called, instance = . ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200. AppleCredentialManager: start: initializing power management. AppleCredentialManager: start: will join SEPManager's PM tree in getSEPEndpoint(). AppleCredentialManager: start: registering notifications. AppleCredentialManager: start: started, instance = . AppleCredentialManager: start: returning, result = true, instance = . AMFIInitializeLocalSigningPublicKey: disabling local signing since we're in the restore environment AppleA7IOPNub: withRegistryEntry, 47: allocated nub

Identified Serial Port uart7 at 0x23521c000() RTBuddy(SMC): start() - (Jun 18 2022@19:12:14) RTBuddy(SMC): Boot args override: wdt = -1 RTBuddy(SMC): Resuming...

AppleA7IOPNub: withRegistryEntry, 47: allocated nub ........ ....... Skipping Rose update since it does not appear to be supported. If it should be, file a radar! [16:26:17.0030-GMT]{3>6} CHECKPOINT END: FIRMWARE_SEALING:[0x1503] update_rose_postseal restore-step-ids = {0x1103067B:64;0x11030668:93} restore-step-names = {0x1103067B:perform_restore_installing;0x11030668:update_firmware_post_sealing} restore-step-uptime = 3129 restore-step-user-progress = 97 [16:26:17.0079-GMT]{3>6} CHECKPOINT BEGIN: FIRMWARE_SEALING:[0x1319] stage_fdr_ean restore-step-ids = {0x1103067B:64;0x11030668:93;0x11031319:97} restore-step-names = {0x1103067B:perform_restore_installing;0x11030668:update_firmware_post_sealing;0x11031319:stage_fdr_ean} restore-step-uptime = 3129 restore-step-user-progress = 97 Skipping stage_fdr_ean on device with no EAN [16:26:17.0142-GMT]{3>6} CHECKPOINT END: FIRMWARE_SEALING:[0x1319] stage_fdr_ean restore-step-ids = {0x1103067B:64;0x11030668:93} restore-step-names = {0x1103067B:perform_restore_installing;0x11030668:update_firmware_post_sealing} restore-step-uptime = 3129 restore-step-user-progress = 97 [16:26:17.0193-GMT]{3>6} CHECKPOINT BEGIN: FIRMWARE_SEALING:[0x131A] ensure_fdr_ean restore-step-ids = {0x1103067B:64;0x11030668:93;0x1103131A:98} restore-step-names = {0x1103067B:perform_restore_installing;0x11030668:update_firmware_post_sealing;0x1103131A:ensure_fdr_ean} restore-step-uptime = 3129 restore-step-user-progress = 97 Skipping ensure_fdr_ean on device with no EAN [16:26:17.0273-GMT]{3>6} CHECKPOINT END: FIRMWARE_SEALING:[0x131A] ensure_fdr_ean restore-step-ids = {0x1103067B:64;0x11030668:93} restore-step-names = {0x1103067B:perform_restore_installing;0x11030668:update_firmware_post_sealing} restore-step-uptime = 3129 restore-step-user-progress = 97 [16:26:17.0340-GMT]{3>6} CHECKPOINT BEGIN: FIRMWARE_SEALING:[0x1504] update_fdr_ean restore-step-ids = {0x1103067B:64;0x11030668:93;0x11031504:99} restore-step-names = {0x1103067B:perform_restore_installing;0x11030668:update_firmware_post_sealing;0x11031504:update_fdr_ean} restore-step-uptime = 3129 restore-step-user-progress = 97 ramrod_display_set_granular_progress_forced: 97.000000 Skipping update_fdr_ean on device with no EAN ramrod_display_set_granular_progress_forced: 97.000000 Skipping ensure_fdr_ean on device with no EAN [16:26:17.0437-GMT]{3>6} CHECKPOINT END: FIRMWARE_SEALING:[0x1504] update_fdr_ean restore-step-ids = {0x1103067B:64;0x11030668:93} restore-step-names = {0x1103067B:perform_restore_installing;0x11030668:update_firmware_post_sealing} restore-step-uptime = 3129 restore-step-user-progress = 97 [16:26:17.0508-GMT]{3>6} CHECKPOINT BEGIN: FIRMWARE_SEALING:[0x1314] update_fillmore restore-step-ids = {0x1103067B:64;0x11030668:93;0x11031314:100} restore-step-names = {0x1103067B:perform_restore_installing;0x11030668:update_firmware_post_sealing;0x11031314:update_fillmore} restore-step-uptime = 3129 restore-step-user-progress = 97 entering update_fillmore Not a Fillmore-capable device, nothing to update.. [16:26:17.0582-GMT]{3>6} CHECKPOINT END: FIRMWARE_SEALING:[0x1314] update_fillmore restore-step-ids = {0x1103067B:64;0x11030668:93} restore-step-names = {0x1103067B:perform_restore_installing;0x11030668:update_firmware_post_sealing} restore-step-uptime = 3129 restore-step-user-progress = 97 [16:26:17.0690-GMT]{3>6} CHECKPOINT END: (null):[0x0668] update_firmware_post_sealing restore-step-ids = {0x1103067B:64} restore-step-names = {0x1103067B:perform_restore_installing} restore-step-uptime = 3129 restore-step-user-progress = 97 [16:26:17.0763-GMT]{3>6} CHECKPOINT BEGIN: (null):[0x063D] fdr_verify_sealed_manifest restore-step-ids = {0x1103067B:64;0x1103063D:101} restore-step-names = {0x1103067B:perform_restore_installing;0x1103063D:fdr_verify_sealed_manifest} restore-step-uptime = 3129 restore-step-user-progress = 97 [16:26:17.0832-GMT]{3>6} CHECKPOINT END: (null):[0x063D] fdr_verify_sealed_manifest restore-step-ids = {0x1103067B:64} restore-step-names = {0x1103067B:perform_restore_installing} restore-step-uptime = 3129 restore-step-user-progress = 97 Tolerated step 0x63d has actually succeeded. Marking it as such [16:26:17.0938-GMT]{3>6} CHECKPOINT BEGIN: (null):[0x066F] commit_sep_os restore-step-ids = {0x1103067B:64;0x1103066F:102} restore-step-names = {0x1103067B:perform_restore_installing;0x1103066F:commit_sep_os} restore-step-uptime = 3129 restore-step-user-progress = 97 entering commit_sep_os device has no sep entering ramrod_kill_sep_nonce device has no sep [16:26:17.0994-GMT]{3>6} CHECKPOINT END: (null):[0x066F] commit_sep_os restore-step-ids = {0x1103067B:64} restore-step-names = {0x1103067B:perform_restore_installing} restore-step-uptime = 3129 restore-step-user-progress = 97 [16:26:18.0055-GMT]{3>6} CHECKPOINT BEGIN: (null):[0x0674] create_protected_filesystems restore-step-ids = {0x1103067B:64;0x11030674:103} restore-step-names = {0x1103067B:perform_restore_installing;0x11030674:create_protected_filesystems} restore-step-uptime = 3130 restore-step-user-progress = 97 entering create_protected_filesystems ramrod_display_set_granular_progress_forced: 97.000000 content-protect property not found encryptable property not found creating class d key for /mnt2 creating unencrypted data partition unable to open /dev/disk0s1 to get block size: Resource busy block size for /dev/disk0s1: 0 /System/Library/Filesystems/apfs.fs/newfs_apfs -A -D -o role=d -v Data /dev/disk0s1 executing /System/Library/Filesystems/apfs.fs/newfs_apfs -A -D -o role=d -v Data /dev/disk0s1 apfs_newfs:28581: disk0s1s2 FS will NOT be encrypted. entering ramrod_probe_media_internal entering wait_for_device: 'EmbeddedDeviceTypeRoot' Using device path /dev/disk0 for EmbeddedDeviceTypeRoot device partitioning scheme is GPT APFS Container 'Container' /dev/disk0s1 device is APFS formatted Captured preboot partition on main OS container 2 find_filesystem_partitions: storage=/dev/disk0 container=/dev/disk0s1 system=/dev/disk0s1s1 data=/dev/disk0s1s2 baseband data= log= update=/dev/disk0s1s5 xart= hardware=/dev/disk0s1s3 scratch= preboot=/dev/disk0s1s4 find_filesystem_partitions: recovery os container= volume= entering ramrod_probe_media_internal entering wait_for_device: 'EmbeddedDeviceTypeRoot' Using device path /dev/disk0 for EmbeddedDeviceTypeRoot device partitioning scheme is GPT APFS Container 'Container' /dev/disk0s1 device is APFS formatted Captured preboot partition on main OS container 2 find_filesystem_partitions: storage=/dev/disk0 container=/dev/disk0s1 system=/dev/disk0s1s1 data=/dev/disk0s1s2 baseband data= log= update=/dev/disk0s1s5 xart= hardware=/dev/disk0s1s3 scratch= preboot=/dev/disk0s1s4 find_filesystem_partitions: recovery os container= volume= entering mount_partition executing /sbin/mount_apfs -R /dev/disk0s1s2 /mnt2 apfs_mount:27083: disk0s1s2 mount for ramdisk set_cloneinfo_id_epoch:26435: disk0s1s2 set cloneinfo_id_epoch to 16 apfs_log_mount_unmount:1889: disk0s1s2 mounting volume Data, requested by: mount_apfs (pid 35); parent: restored_externa (pid 6) handle_mount:655: disk0s1s2 vol-uuid: 61706673-7575-6964-0040-766F6C756D01 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2) handle_mount:668: disk0s1s2 setting dev block size to 4096 from 512 nx_volume_group_update:7762: disk0s1s2 Volume Data is not in a volume group fastsim_is_enabled:9717: ================ fastsim is enabled ================ /dev/disk0s1s2 mounted on /mnt2 Data mounted read-write [16:26:23.0954-GMT]{3>6} CHECKPOINT END: (null):[0x0674] create_protected_filesystems restore-step-ids = {0x1103067B:64} restore-step-names = {0x1103067B:perform_restore_installing} restore-step-uptime = 3135 restore-step-user-progress = 97 [16:26:23.0985-GMT]{3>6} CHECKPOINT BEGIN: (null):[0x065F] reserve_overprov_space restore-step-ids = {0x1103067B:64;0x1103065F:104} restore-step-names = {0x1103067B:perform_restore_installing;0x1103065F:reserve_overprov_space} restore-step-uptime = 3135 restore-step-user-progress = 97 Reserving space for overprov since this is a erase install device_size = 34359738368 (32 GB) file_size = 343597383 (0 GB) [16:26:25.0974-GMT]{3>6} CHECKPOINT END: (null):[0x065F] reserve_overprov_space restore-step-ids = {0x1103067B:64} restore-step-names = {0x1103067B:perform_restore_installing} restore-step-uptime = 3137 restore-step-user-progress = 97 [16:26:26.0020-GMT]{3>6} CHECKPOINT BEGIN: (null):[0x0628] install_kernel_cache restore-step-ids = {0x1103067B:64;0x11030628:105} restore-step-names = {0x1103067B:perform_restore_installing;0x11030628:install_kernel_cache} restore-step-uptime = 3138 restore-step-user-progress = 97 [16:26:26.0077-GMT]{3>6} CHECKPOINT BEGIN: SYSTEM:[0x0E00] install_kernel_cache restore-step-ids = {0x1103067B:64;0x11030628:105;0x11030E00:106} restore-step-names = {0x1103067B:perform_restore_installing;0x11030628:install_kernel_cache;0x11030E00:install_kernel_cache} ... . . . ...... com.apple.xpc.launchd|2022-11-07 16:42:55.071187 : hello com.apple.xpc.launchd|2022-11-07 16:42:55.092536 : Darwin Bootstrapper Version 7.0.0: Fri Jun 17 23:50:10 PDT 2022; root:libxpc_executables-2236.140.2~15/launchd/RELEASE_ARM64E com.apple.xpc.launchd|2022-11-07 16:42:55.093871 : boot-args = debug=0x14e kextlog=0xffff serial=3 -v wdt=-1 com.apple.xpc.launchd|2022-11-07 16:42:55.113840 (system) : entering ondemand mode com.apple.xpc.launchd|2022-11-07 16:42:55.117355 (system) : created com.apple.xpc.launchd|2022-11-07 16:42:55.128933 : Doing boot task: fsck ** Checking the container superblock. Checking the checkpoint with transaction ID 235. ** Checking the object map. ** Checking volume /dev/rdisk0s1s1. ** Checking the APFS volume superblock. The volume System was formatted by newfs_apfs (1677.41.3.100.4) and last modified by apfs_kext (1934.142.1). warning: apfs superblock at index 0: apfs_unmount_time (1667839430974954666) is greater than current time (1667839377956999000) warning: apfs superblock at index 0: apfs_last_mod_time (1667839382659444541) is greater than current time (1667839377956999000) warning: apfs superblock at index 0: apfs_modified_by[0].timestamp (1667839430974853041) is greater than current time (1667839377956999000) ** Checking volume /dev/rdisk0s1s2. ** Checking the APFS volume superblock. The volume Data was formatted by newfs_apfs (1934.142.1) and last modified by apfs_kext (1934.142.1). warning: apfs superblock at index 1: apfs_unmount_time (1667839430819765666) is greater than current time (1667839377958672000) warning: apfs superblock at index 1: apfs_modified_by[0].timestamp (1667839430819550208) is greater than current time (1667839377958672000) ** Checking volume /dev/rdisk0s1s3. ** Checking the APFS volume superblock. The volume Hardware was formatted by newfs_apfs (1934.142.1) and last modified by apfs_kext (1934.142.1). warning: apfs superblock at index 2: apfs_unmount_time (1667839430918759583) is greater than current time (1667839377959462000) warning: apfs superblock at index 2: apfs_modified_by[0].timestamp (1667839430918578666) is greater than current time (1667839377959462000) ** Checking volume /dev/rdisk0s1s4. ** Checking the APFS volume superblock. The volume Preboot was formatted by newfs_apfs (1934.142.1) and last modified by apfs_kext (1934.142.1). ** Checking volume /dev/rdisk0s1s5. ** Checking the APFS volume superblock. The volume Update was formatted by newfs_apfs (1934.142.1) and last modified by apfs_kext (1934.142.1). warning: apfs superblock at index 4: apfs_unmount_time (1667839430873470958) is greater than current time (1667839377961012000) warning: apfs superblock at index 4: apfs_last_mod_time (1667839393517862208) is greater than current time (1667839377961012000) warning: apfs superblock at index 4: apfs_modified_by[0].timestamp (1667839430873320541) is greater than current time (1667839377961012000) ** QUICKCHECK ONLY; FILESYSTEM CLEAN com.apple.xpc.launchd|2022-11-07 16:42:58.010219 : Doing boot task: mount-phase-1 mount: found boot container: /dev/disk0s1, data volume: /dev/disk0s1s2 env: 1 apfs_log_mount_unmount:1889: disk0s1s4 mounting volume Preboot, requested by: mount_apfs (pid 5); parent: mount (pid 4) handle_mount:655: disk0s1s4 vol-uuid: 61706673-7575-6964-0010-766F6C756D03 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2) handle_mount:668: disk0s1s4 setting dev block size to 4096 from 512 nx_volume_group_update:7756: disk0s1s4 Volume Preboot role 10 Not a System or data volume fastsim_is_enabled:9717: ================ fastsim is enabled ================ /dev/disk0s1s4 on /private/preboot (apfs, local, nodev, nosuid, read-only, journaled, noatime, nobrowse) com.apple.xpc.launchd|2022-11-07 16:42:58.231961 : Doing boot task: data-protection 004199.479666 AppleT8027USBXDCI@: AppleUSBXDCIARM::start: _ioPort is NULL, defaulting to device mode 004199.480656 AppleT8027USBXDCI@: IOUSBDeviceController::prepareDefaults: model iPhone version 12.1 init_data_protection: No SEP present on this device com.apple.xpc.launchd|2022-11-07 16:42:58.496335 : Doing boot task: finish-obliteration Obliterator: In INIT check Mon Nov 7 16:42:58 2022: checkOblitNVRAMkey: IORegistryEntryGetProperty failed, may be does not exist [gF: 0x0000000000000000] Obliterator: No obliteration needed, continue booting, returning 0 com.apple.xpc.launchd|2022-11-07 16:42:58.714092 : Doing boot task: commit-boot-mode com.apple.xpc.launchd|2022-11-07 16:42:58.715133 : boot-mode committed: (null) com.apple.xpc.launchd|2022-11-07 16:42:58.715891 : Doing boot task: restore-datapartition com.apple.xpc.launchd|2022-11-07 16:42:58.718806 : restore-datapartition: optional boot task not present com.apple.xpc.launchd|2022-11-07 16:42:58.719744 : Doing boot task: mount-phase-2 mount: found boot container: /dev/disk0s1, data volume: /dev/disk0s1s2 env: 1 spaceman_metazone_init:191: disk0s1 metazone for device 0 of size 262143 blocks (encrypted: 8126454-8257525 unencrypted: 8257525-8388597) spaceman_datazone_init:625: disk0s1 allocation zone on dev 0 for allocations of 1 blocks starting at paddr 4096000 spaceman_datazone_init:625: disk0s1 allocation zone on dev 0 for allocations of 2 blocks starting at paddr 32768 spaceman_datazone_init:625: disk0s1 allocation zone on dev 0 for allocations of 3 blocks starting at paddr 65536 spaceman_datazone_init:625: disk0s1 allocation zone on dev 0 for allocations of 4 blocks starting at paddr 98304 dev_dump:256: Aggregate constructed: dev= di=0 dv_num_slice=15 dv_num_slice_blk=589824 dv_num_lslice_blk=131061 migrate_media_keys_if_needed:1255: disk0s1 no media keys to migrate spaceman_scan_free_blocks:3172: disk0s1 scan took 0.026907 s (no trims) mount: failed to migrate Media Keys, error = c002 spaceman_scan_free_blocks:3154: disk0s1 scan took 0.083568 s, trims took 0.054730 s spaceman_scan_free_blocks:3156: disk0s1 6193755 blocks free in 3142 extents spaceman_scan_free_blocks:3164: disk0s1 6193755 blocks trimmed in 3142 extents (17 us/trim, 57409 trims/s) spaceman_scan_free_blocks:3167: disk0s1 trim distribution 1:1086 2+:631 4+:1036 16+:297 64+:43 256+:49 apfs_log_mount_unmount:1889: disk0s1s2 mounting volume Data, requested by: mount_apfs (pid 10); parent: mount (pid 9) handle_mount:655: disk0s1s2 vol-uuid: 61706673-7575-6964-0040-766F6C756D01 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2) handle_mount:668: disk0s1s2 setting dev block size to 4096 from 512 nx_volume_group_update:7762: disk0s1s2 Volume Data is not in a volume group fastsim_is_enabled:9717: ================ fastsim is enabled ================ /dev/disk0s1s2 on /private/var (apfs, local, nodev, nosuid, journaled, noatime) apfs_log_mount_unmount:1889: disk0s1s5 mounting volume Update, requested by: mount_apfs (pid 11); parent: mount (pid 9) handle_mount:655: disk0s1s5 vol-uuid: AEF563AB-7E6C-4E08-BF64-754460DCA1E8 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2) handle_mount:668: disk0s1s5 setting dev block size to 4096 from 512 nx_volume_group_update:7756: disk0s1s5 Volume Update role c0 Not a System or data volume fastsim_is_enabled:9717: ================ fastsim is enabled ================ /dev/disk0s1s5 on /private/var/MobileSoftwareUpdate (apfs, local, nodev, nosuid, journaled, noatime, nobrowse) apfs_log_mount_unmount:1889: disk0s1s3 mounting volume Hardware, requested by: mount_apfs (pid 12); parent: mount (pid 9) handle_mount:655: disk0s1s3 vol-uuid: 61706673-7575-6964-0140-766F6C756D02 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2) handle_mount:668: disk0s1s3 setting dev block size to 4096 from 512 nx_volume_group_update:7756: disk0s1s3 Volume Hardware role 140 Not a System or data volume fastsim_is_enabled:9717: ================ fastsim is enabled ================ /dev/disk0s1s3 on /private/var/hardware (apfs, local, nodev, nosuid, journaled, noatime, nobrowse) com.apple.xpc.launchd|2022-11-07 16:42:59.160131 : Doing boot task: init-with-data-volume com.apple.xpc.launchd|2022-11-07 16:42:59.318433 : Doing boot task: MSUEarlyBootTask MSUEarlyBootTask: MSUEarlyBootTask running main: Content from the ramdisk will be present at /private/var/MobileSoftwareUpdate//158e4be1ac4c894fdf8a8821e5b8a9d37dc8caabee9d3aee29b1bda284278581cb0eff4702f1862d0352d1b488f74675-MSUData if it exists MSUEarlyBootTask: I have nothing to do. Goodbye!! com.apple.xpc.launchd|2022-11-07 16:42:59.776932 : Doing boot task: fips Tracing: disabled FIPSPOST_USER [100824457634] fipspost_post:156: [FIPSPOST][Module-ID] Apple corecrypto Module v12.0 [Apple ARM, User, Software, SL1] FIPSPOST_USER [100824650780] fipspost_post:160: PASSED: (8 ms) - fipspost_post_hmac FIPSPOST_USER [100824894487] fipspost_post:169: PASSED: (18 ms) - fipspost_post_integrity FIPSPOST_USER [100824935634] fipspost_post:175: PASSED: (19 ms) - fipspost_post_indicator FIPSPOST_USER [100824947487] fipspost_post:176: PASSED: (20 ms) - fipspost_post_aes_ecb FIPSPOST_USER [100824958682] fipspost_post:177: PASSED: (20 ms) - fipspost_post_aes_cbc FIPSPOST_USER [100825359292] fipspost_post:178: PASSED: (37 ms) - fipspost_post_rsa_sig FIPSPOST_USER [100826777195] fipspost_post:179: PASSED: (96 ms) - fipspost_post_ecdsa FIPSPOST_USER [100826852780] fipspost_post:180: PASSED: (99 ms) - fipspost_post_ecdh FIPSPOST_USER [100826880634] fipspost_post:181: PASSED: (100 ms) - fipspost_post_aes_ccm FIPSPOST_USER [100826898317] fipspost_post:182: PASSED: (101 ms) - fipspost_post_aes_cmac FIPSPOST_USER [100826909853] fipspost_post:183: PASSED: (102 ms) - fipspost_post_hkdf FIPSPOST_USER [100827857829] fipspost_post:184: PASSED: (141 ms) - fipspost_post_pbkdf FIPSPOST_USER [100827870000] fipspost_post:186: PASSED: (142 ms) - fipspost_post_kdf_ctr FIPSPOST_USER [100827890317] fipspost_post:187: PASSED: (143 ms) - fipspost_post_aes_gcm FIPSPOST_USER [100827904000] fipspost_post:188: PASSED: (143 ms) - fipspost_post_aes_xts FIPSPOST_USER [100827924536] fipspost_post:189: PASSED: (144 ms) - fipspost_post_tdes_ecb FIPSPOST_USER [100827936292] fipspost_post:190: PASSED: (144 ms) - fipspost_post_drbg_ctr FIPSPOST_USER [100827955170] fipspost_post:191: PASSED: (145 ms) - fipspost_post_drbg_hmac FIPSPOST_USER [100828878634] fipspost_post:193: PASSED: (184 ms) - fipspost_post_ffdh FIPSPOST_USER [100829503609] fipspost_post:194: PASSED: (210 ms) - fipspost_post_rsa_enc_dec FIPSPOST_USER [100829507878] fipspost_post:213: all tests PASSED (210 ms) com.apple.xpc.launchd|2022-11-07 16:43:00.043536 : Doing boot task: keybag ****** DIAGNOSTICS MODE ENABLED, SKIP INIT **** com.apple.xpc.launchd|2022-11-07 16:43:00.287765 : Doing boot task: usermanagerd com.apple.xpc.launchd|2022-11-07 16:43:00.290833 : usermanagerd: optional boot task not present com.apple.xpc.launchd|2022-11-07 16:43:00.291798 : Doing boot task: dirs_cleaner com.apple.xpc.launchd|2022-11-07 16:43:00.358583 : launchd logging initialized. name: com.apple.xpc.launchd pid: 1 com.apple.xpc.launchd|2022-11-07 16:43:00.358650 : Doing boot task: xpcroleaccountd com.apple.xpc.launchd|2022-11-07 16:43:00.433287 : Doing boot task: init_featureflags com.apple.xpc.launchd|2022-11-07 16:43:01.238400 : Doing boot task: auearlyboot auearlyboot: -FudEarlyBoot doFUDEarlyBoot:: Starting Early Boot auearlyboot: -[AppleFirmwareUpdateController getEarlyBootListInternal:]: Pending critical earlyBoot entries ( ) auearlyboot: No Early Boot Accessories auearlyboot: -[FudEarlyBoot calculateTimeTakenForEarlyBootEntries] Time Taken to wait for critical earlyBoot entries: 0.000000 sec auearlyboot: -FudEarlyBoot doFUDEarlyBoot:: End Early Boot auearlyboot: Exitng Early Boot com.apple.xpc.launchd|2022-11-07 16:43:01.444135 : Doing boot task: tzinit tzinit: Bad zoneinfo link : No such file or directory tzinit: Invalid current symlinks; resetting to system partition: No such file or directory com.apple.xpc.launchd|2022-11-07 08:43:01.524173 : Doing boot task: finish-restore com.apple.xpc.launchd|2022-11-07 08:43:01.570622 : Doing boot task: finish-demo-restore com.apple.xpc.launchd|2022-11-07 08:43:01.642349 : Doing boot task: sysstatuscheck com.apple.xpc.launchd|2022-11-07 08:43:01.695850 : Doing boot task: prng_seedctl kern.prng.user_reseed_count: (-1) (2) No such file or directory failed to load kernel prng seed: (-76) (2) No such file or directory failed to load virtual random: (-147) (-536870212) com.apple.xpc.launchd|2022-11-07 08:43:01.757679 : Doing boot task: launchd_cache_loader 0 Found valid port: 4867 Valid: 1 1 Found valid port: 0 Valid: 0 2 Found valid port: 0 Valid: 0 Using default cache paths Code: /System/Library/xpc/launchd.plist Sig: /System/Library/xpc/launchd.plist.sig static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Process 26 is checking if a cdhash is in the trust cache static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Returning IOReturn 0x0 to process 26 cdhash: {length = 20, bytes = 0x505a58928f6f4b560b5f7eb86b0fe5cd5681ff39} is trusted Attached signature to file, checking ... Trying to send bytes to launchd: 4867 16384 Sending validated cache to launchd Cache sent to launchd successfully com.apple.xpc.launchd|2022-11-07 08:43:02.459016 : launchd UUID: DC5BEC0B-5E1A-30A2-83B3-6D2FCF01641A com.apple.xpc.launchd|2022-11-07 08:43:02.459164 : Early boot complete. Continuing system boot. 004209.160316 AppleOLYHAL_log.A[1] AppleOLYHALPortInterfacePCIeAMFM::initWithProvider: amfm not matched 004209.164456 wlan0.A[4] deferredStart@2755: Lowered adjustBusy(-1), getBusyState() -> 4 deferred rematching count

Hey, does Springboard support started to began?

I would love to have a complete iOS experience (obviously not in the following months, I am myself a programmer and can understand the nightmares of creating an emulator, especially when it comes to Apple devices...) like with the MacOS emulation on Qemu on GitHub too.

Thanks!

I cloned the repo and then built from source:

git clone https://github.com/TrungNguyen1909/qemu-t8030.git
cd qemu-t8030
mkdir build
cd build
../configure
make

But the make command results in this error:

collect2: error: ld returned 1 exit status
ninja: build stopped: subcommand failed.
make: *** [Makefile:163: run-ninja] Error 1

I have completed the restore process but cannot boot. After some time i get endless fault log 0x0, I am attaching my full long.

Shortly it looks like this,

tx_flush:1075: disk0s1 xid 288 tx stats: # 100 finish 102 enter 1657 wait 9 1315578us close 1434us flush 543504us

tx_enter_internal:2133: disk0s1 waited 7299771 us to open tx xid 290 (nx_tx_wait_closed)

tx_flush:945: disk0s1 tx xid 290 took 13792888 us to flush

tx_flush:1033: disk0s1 tx xid 290 took 8462628 us to sync and write superblock

tx_flush:945: disk0s1 tx xid 291 took 2657518 us to flush

tx_flush:1033: disk0s1 tx xid 291 took 1347508 us to sync and write superblock

tx_flush:1033: disk0s1 tx xid 292 took 7313029 us to sync and write superblock

tx_enter_internal:2133: disk0s1 waited 2663805 us to open tx xid 294 (nx_tx_wait_closed)

tx_enter_internal:2133: disk0s1 waited 3606594 us to open tx xid 297 (nx_tx_wait_closed)

tx_flush:1033: disk0s1 tx xid 296 took 5022973 us to sync and write superblock

tx_flush:945: disk0s1 tx xid 301 took 10096260 us to flush

tx_flush:945: disk0s1 tx xid 303 took 2452457 us to flush

tx_flush:1033: disk0s1 tx xid 303 took 20331232 us to sync and write superblock

tx_flush:1033: disk0s1 tx xid 304 took 20330537 us to sync and write superblock

tx_flush:1033: disk0s1 tx xid 305 took 20333699 us to sync and write superblock

AppleT8015SPMIController::_debugDumpState:352: queueStatus: 0x100

AppleT8015SPMIController: fault log 0x0

AppleT8015SPMIController: fault log 0x0

AppleT8015SPMIController: fault log 0x0

log.txt