Macos-arm64-emulation - A guide for emulating macOS arm64e on an x86-based host.

Overview

macos-arm64-emulation

Use the following guide to download and configure all of the necessary tools and files for emulating the macOS arm64e kernel. The guide begins in this project's root directory, i.e. the same directory as this README file.

Install decompression tools

Get, patch, and build xar:

git clone https://github.com/mackyle/xar.git
cd xar/xar
sed -i 's/OpenSSL_add_all_ciphers/OPENSSL_init_crypto/g' configure.ac
cat > ext2.patch << EOF
--- ./lib/ext2.c
+++ ./lib/ext2.c
@@ -140,8 +140,10 @@
    if(! (flags & ~EXT2_NOCOMPR_FL) )
        x_addprop(f, "NoCompBlock");
 #endif
+#ifdef EXT2_ECOMPR_FL
    if(! (flags & ~EXT2_ECOMPR_FL) )
        x_addprop(f, "CompError");
+#endif
    if(! (flags & ~EXT2_BTREE_FL) )
        x_addprop(f, "BTree");
    if(! (flags & ~EXT2_INDEX_FL) )
@@ -229,8 +231,10 @@
    if( e2prop_get(f, "NoCompBlock", (char **)&tmp) == 0 )
        flags |= EXT2_NOCOMPR_FL ;
 #endif
+#ifdef EXT2_ECOMPR_FL
    if( e2prop_get(f, "CompError", (char **)&tmp) == 0 )
        flags |= EXT2_ECOMPR_FL ;
+#endif
    if( e2prop_get(f, "BTree", (char **)&tmp) == 0 )
        flags |= EXT2_BTREE_FL ;
    if( e2prop_get(f, "HashIndexed", (char **)&tmp) == 0 )
EOF
git apply --ignore-whitespace ext2.patch
./autogen.sh
make
cd ../..
XAR=./xar/xar/src/xar
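Review bot: in the first hunk (lib/ext2.c, the block around line 140) the new `#ifdef EXT2_ECOMPR_FL` guard carries no comment saying why the macro may be undefined, and neither does the README text around the patch; a one-line comment above the guard naming the header situation that makes it necessary would save the next reader from guessing, and the same comment belongs on the mirrored guard in the second hunk. The heredoc that writes the patch uses an unquoted delimiter (`cat > ext2.patch << EOF`), so any `$` or backtick that a future revision of the patch contains would be expanded by the shell before `git apply` sees it; `<< 'EOF'` avoids that.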

Get and build lzfse:

git clone https://github.com/lzfse/lzfse.git
cd lzfse
make
cd ..
LZFSE=./lzfse/build/bin/lzfse

Getting the files

Fetch the installer package (NOTE: this is a very large ~12GB file):

wget http://swcdn.apple.com/content/downloads/00/55/001-86606-A_9SF1TL01U7/5duug9lar1gypwunjfl96dza0upa854qgg/InstallAssistant.pkg

(UPDATE: Unfortunately, Apple has removed the above link and it is no longer valid. The files are available as a separate download; obtain them and skip to the Building QEMU section.)

Extract the kernel binaries:

$XAR -xf InstallAssistant.pkg SharedSupport.dmg
7z e SharedSupport.dmg 5.hfs
rm SharedSupport.dmg ._SharedSupport.dmg
7z e -so 5.hfs "Shared Support/SFR/com_apple_MobileAsset_SFRSoftwareUpdate/aabc1798a59cc185ea5a87bfd4dec012f4b7feb1.zip" > sfr.zip
7z e -so 5.hfs "Shared Support/com_apple_MobileAsset_MacSoftwareUpdate/6c799f422b6d995ccc7f3fb669fe3246fd9f61aa.zip" > mac.zip
rm 5.hfs
7z e sfr.zip AssetData/usr/standalone/update/ramdisk/arm64eSURamDisk.dmg
7z e sfr.zip AssetData/boot/Firmware/all_flash/DeviceTree.j273aap.im4p
7z e sfr.zip AssetData/boot/kernelcache.release.j273

Decode the kernel binaries:

git clone https://github.com/alephsecurity/xnu-qemu-arm64-tools.git
SCRIPTS=xnu-qemu-arm64-tools/bootstrap_scripts
python $SCRIPTS/asn1kerneldecode.py kernelcache.release.j273 kernelcache.release.j273.asn1decoded
python $SCRIPTS/asn1rdskdecode.py arm64eSURamDisk.dmg arm64eSURamDisk.dmg.asn1decoded
python $SCRIPTS/asn1dtredecode.py DeviceTree.j273aap.im4p DeviceTree.j273aap.im4p.asn1decoded
$LZFSE -decode -i kernelcache.release.j273.asn1decoded -o kernelcache.release.j273.out
$LZFSE -decode -i DeviceTree.j273aap.im4p.asn1decoded -o DeviceTree.j273aap.im4p.out
cp arm64eSURamDisk.dmg.asn1decoded arm64eSURamDisk.dmg.out
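Each decode stage above should change the leading bytes of the kernelcache in a predictable way, so a quick magic-number check tells you which stage failed before you spend time on QEMU. This is an added check, not part of the original guide or of xnu-qemu-arm64-tools; it assumes only POSIX `od` and `tr`, and the file names are the ones used above.

```shell
#!/bin/sh
# Added sanity check (not from the original guide): classify a file by its
# first four bytes so each stage of the kernelcache pipeline can be verified.
#   kernelcache.release.j273             -> "der"     (ASN.1 container, DER SEQUENCE tag 0x30)
#   kernelcache.release.j273.asn1decoded -> "lzfse"   (lzfse stream, "bvx" block magic)
#   kernelcache.release.j273.out         -> "macho64" (64-bit little-endian Mach-O)
# Any other answer means a stage did not run or produced the wrong output.

# Print the first $2 bytes of file $1 as lowercase hex with no separators.
hexhead() {
    od -An -tx1 -N "$2" "$1" | tr -d ' \n'
}

# Echo one of: macho64, lzfse, der, unknown.
artifact_kind() {
    magic=$(hexhead "$1" 4)
    case "$magic" in
        cffaedfe) echo macho64 ;;  # MH_MAGIC_64 as stored by a little-endian arm64 build
        627678*)  echo lzfse ;;    # "bvx" followed by the block-type byte (2, n, -, $)
        30*)      echo der ;;      # still wrapped in the ASN.1 (IM4P) container
        *)        echo unknown ;;
    esac
}

# Return 0 when $1 has kind $2, 1 otherwise, so it can gate the next step.
expect_kind() {
    actual=$(artifact_kind "$1")
    if [ "$actual" = "$2" ]; then
        echo "ok: $1 is $2"
        return 0
    fi
    echo "FAIL: $1 is $actual, expected $2" >&2
    return 1
}

# Usage, from the project root after the decode step has run:
#   expect_kind kernelcache.release.j273 der
#   expect_kind kernelcache.release.j273.asn1decoded lzfse
#   expect_kind kernelcache.release.j273.out macho64
```

The DeviceTree .im4p follows the same der -> lzfse progression; its final decoded form is not a Mach-O, so only check the first two stages for it.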

Patching the Device Tree

Build dtetool and patch the device tree file:

cd dtetool
./build.sh
./dtetool ../DeviceTree.j273aap.im4p.out -d dtediff_20C69 -o ../DeviceTree.j273aap.im4p.out.patched
cd ..

Expanding the ramdisk in macOS

This step can only be done on a macOS system. Copy the ramdisk onto a macOS system and expand it:

hdiutil resize -size 1.5G -imagekey diskimage-class=CRawDiskImage arm64eSURamDisk.dmg.out

Getting the user binaries

Copy the expanded ramdisk back onto the Linux system and extract the user binaries:

7z e mac.zip AssetData/Restore/022-10310-098.dmg
rm mac.zip
7z e 022-10310-098.dmg "3 - Apple_APFS"
rm 022-10310-098.dmg

Mount the filesystem and ramdisk to two new directories:

mkdir apfs ramdisk
apfs-fuse -o allow_other "3 - Apple_APFS" apfs
sudo mount -t hfsplus -o force,rw arm64eSURamDisk.dmg.out ramdisk

Transfer the user binaries to ramdisk:

sudo cp -rn apfs/root/bin/* ramdisk/bin/
sudo cp -rn apfs/root/sbin/* ramdisk/sbin/
sudo cp -rn apfs/root/usr/bin/* ramdisk/usr/bin/
sudo cp -rn apfs/root/usr/sbin/* ramdisk/usr/sbin/

Remove all existing launchd profiles and create a profile for bash:

sudo rm -rf ramdisk/System/Library/LaunchDaemons/*
cat > com.apple.bash.plist << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Label</key>
        <string>com.apple.bash</string>
        <key>Umask</key>
        <integer>0</integer>
        <key>RunAtLoad</key>
        <true/>
        <key>ProgramArguments</key>
        <array>
                <string>/bin/bash</string>
        </array>
        <key>StandardInPath</key>
        <string>/dev/console</string>
        <key>StandardOutPath</key>
        <string>/dev/console</string>
        <key>StandardErrorPath</key>
        <string>/dev/console</string>
        <key>POSIXSpawnType</key>
        <string>Interactive</string>
        <key>EnablePressuredExit</key>
        <false/>
        <key>UserName</key>
        <string>root</string>
</dict>
</plist>
EOF
sudo cp com.apple.bash.plist ramdisk/System/Library/LaunchDaemons/

Unmount the disk images:

sudo umount apfs ramdisk

Building QEMU

Download, extract, and patch the QEMU 5.1.0 source:

wget https://download.qemu.org/qemu-5.1.0.tar.xz
tar xf qemu-5.1.0.tar.xz
mv qemu-5.1.0 xnu-qemu-arm64-5.1.0
git apply xnu-qemu-arm64-5.1.0.diff

Configure and build the source:

cd xnu-qemu-arm64-5.1.0
./configure --target-list=aarch64-softmmu --disable-capstone --disable-pie --disable-slirp
make -j6
cd ..

Adjust the -j6 option to roughly 1.5 times the number of CPU cores on your machine.

Start the emulator

Start the emulator with the following script:

./xnu-qemu-arm64-5.1.0/aarch64-softmmu/qemu-system-aarch64 \
-M macos11-j273-a12z,\
kernel-filename=kernelcache.release.j273.out,\
dtb-filename=DeviceTree.j273aap.im4p.out.patched,\
ramdisk-filename=arm64eSURamDisk.dmg.out,\
kern-cmd-args="kextlog=0xfff cpus=1 rd=md0 serial=2 -noprogress",\
xnu-ramfb=off \
-cpu max \
-m 6G \
-serial mon:stdio \
-nographic

Issues
  • Fixing -no-pie linker error by excluding optionroms from the build process

    This addresses #2 - it will disable compilation of the optionroms. If the optionroms are necessary for the project (I do not think that they are but I could be wrong), please feel free to close this PR without merging. Thanks for your time.

    opened by nstarke
  • Linker Error related to PIE

    Hello,

    I am attempting to build xnu-qemu-arm64 from the repository diff file and I am running into a linker error:

    [...]
      BUILD   pc-bios/optionrom/multiboot.img
    ld: Error: unable to disambiguate: -no-pie (did you mean --no-pie ?)
    make[1]: *** [Makefile:52: multiboot.img] Error 1
    make: *** [Makefile:576: pc-bios/optionrom/all] Error 2
    make: *** Waiting for unfinished jobs....
    

    This is on Ubuntu 21.04 with the following ld version information:

    $ ld --version
    GNU ld (GNU Binutils for Ubuntu) 2.36.1
    

    The linker error is caused by something related to the optionrom directory (pc-bios/optionrom/Makefile).

    I don't think the optionroms are necessary to get this project working, though I definitely could be wrong. I am preparing a pull request with an updated diff that disables compiling of the optionroms. I did not see a flag in ./configure that would enable me to do this.

    Pull request forthcoming.

    opened by nstarke
Owner: Cylance