trungnguyen1909 / qemu-t8030
iPhone 11 emulated on QEMU
License: Other
libiosexec - an execve shim to allow executing shell scripts on iOS
libiosexec does not work here - it is almost like it isn't there
iOS version: 14.3 with RELEASE kernel - so it definitely works on a real device (can also be reproduced with research kernels though)
In fact this could also be reproduced on an iOS 15.3.1 arm64eCustomerRamDisk with research kernels
bootstrap tarball
To reproduce
From a bash linked with libiosexec (/bin/bash will do), execute /usr/bin/apt-key (or any other script)
shell output:
bash: /usr/bin/apt-key: /bin/sh: bad interpreter: No such file or directory
dmesg output:
[ 286.963467]: System Policy: bash(231) deny(1) process-exec-interpreter /usr/bin/dash
For some reason the shebang exec ended up passed to the kernel, even with libiosexec.
Note: I am not asking for a shebang exec kernel patch here - libiosexec is supposed to work around that. There is something else that prevents it from working. (although a shebang exec kernel patch will still fix my apparent issue)
boot command:
${HOME}/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=038-83075-083.dmg.trustcache.out,ticket-filename=root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb DeviceTree.n104ap.im4p \
-append "-v launchd_missing_exec_no_panic=1 serial=3 keepsyms=1 launchd_unsecure_cache=1" \
-initrd '038-83075-083.dmg.out' \
-cpu max -smp 4 \
-m 2G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait
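The report above turns on where the `#!` line gets resolved: the poster sees the shebang exec passed to the kernel, which the sandbox denies as `process-exec-interpreter`. The following is an added example, not part of the original issue and not libiosexec's own code, of how a userland execve shim can resolve the interpreter itself and exec it directly. All function names and `HEAD_MAX` are hypothetical, and treating the rest of the `#!` line as a single argument is a simplifying assumption.

```c
/* Added example: userland shebang resolution. Not libiosexec's code;
 * parse_shebang, build_interp_argv and shim_execve are hypothetical names. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define HEAD_MAX 512 /* assumed cap on the "#!" line for this example */
static int is_blank(char c) { return c == ' ' || c == '\t'; }

/* Returns 0: no "#!" (exec the file as-is), 1: interpreter only,
 * 2: interpreter plus one argument, -1: malformed or too long. */
int parse_shebang(const char *buf, size_t len, char *interp, size_t interp_sz,
                  char *arg, size_t arg_sz)
{
    if (len < 2 || buf[0] != '#' || buf[1] != '!')
        return 0;
    const char *nl = memchr(buf, '\n', len);
    const char *end = nl ? nl : buf + len;
    const char *p = buf + 2;
    while (p < end && is_blank(*p))
        p++;
    const char *tok = p;
    while (p < end && !is_blank(*p) && *p != '\r')
        p++;
    size_t n = (size_t)(p - tok);
    if (n == 0 || n >= interp_sz)
        return -1;
    memcpy(interp, tok, n);
    interp[n] = '\0';
    while (p < end && is_blank(*p))
        p++;
    /* Rest of the line is ONE argument (simplification); trim blanks and CR. */
    while (end > p && (is_blank(end[-1]) || end[-1] == '\r'))
        end--;
    n = (size_t)(end - p);
    if (n >= arg_sz)
        return -1;
    memcpy(arg, p, n);
    arg[n] = '\0';
    return n ? 2 : 1;
}

/* Build [interp, (arg), script, argv[1..], NULL]; caller frees the vector. */
char **build_interp_argv(const char *interp, const char *arg,
                         const char *script, char *const argv[])
{
    size_t argc = 0, i = 0;
    while (argv && argv[argc])
        argc++;
    char **out = calloc(argc + 4, sizeof *out);
    if (out == NULL)
        return NULL;
    out[i++] = (char *)interp;
    if (arg && arg[0])
        out[i++] = (char *)arg;
    out[i++] = (char *)script;
    for (size_t k = 1; k < argc; k++)
        out[i++] = argv[k];
    return out; /* calloc already left the terminating NULL */
}

/* Stand-in for execve(): a script is started by exec'ing its interpreter,
 * so the kernel is never asked to handle the "#!" line itself. */
int shim_execve(const char *path, char *const argv[], char *const envp[])
{
    char head[HEAD_MAX], interp[HEAD_MAX], arg[HEAD_MAX];
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, head, sizeof head);
    close(fd);
    if (n < 0)
        return -1;
    int kind = parse_shebang(head, (size_t)n, interp, sizeof interp, arg, sizeof arg);
    if (kind == 0)
        return execve(path, argv, envp); /* native binary: unchanged */
    char **nargv = kind > 0 ? build_interp_argv(interp, arg, path, argv) : NULL;
    if (nargv == NULL) {
        errno = kind < 0 ? ENOEXEC : ENOMEM;
        return -1;
    }
    execve(interp, nargv, envp); /* returns only on failure */
    free(nargv);
    return -1;
}

/* Launcher: ./shim <program-or-script> [args...] */
int main(int argc, char **argv)
{
    extern char **environ;
    if (argc < 2)
        return 2;
    shim_execve(argv[1], argv + 1, environ);
    perror(argv[1]);
    return 127;
}
```

A shim of this kind only takes effect for exec calls that are actually routed through it; any call that reaches the kernel's own execve with the script path still gets the kernel's shebang handling.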
Machine: Debian bullseye x86_64
Linux 5.15.0-0.bpo.3-amd64
C compiler is clang 13.0.1
cd build
../configure --target-list=aarch64-softmmu,x86_64-softmmu --disable-capstone --enable-lzfse --disable-werror
make -j4
The actual error:
[1158/2860] Compiling C object libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o
FAILED: libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o
clang -Ilibcommon.fa.p -I../slirp -I../slirp/src -I/usr/include/pixman-1 -I/usr/include/libpng16 -I/usr/include/p11-kit-1 -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -I/usr/include/gio-unix-2.0 -I/usr/include/libusb-1.0 -I/usr/include/gtk-3.0 -I/usr/include/at-spi2-atk/2.0 -I/usr/include/at-spi-2.0 -I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include -I/usr/include/cairo -I/usr/include/pango-1.0 -I/usr/include/fribidi -I/usr/include/harfbuzz -I/usr/include/atk-1.0 -I/usr/include/uuid -I/usr/include/freetype2 -I/usr/include/gdk-pixbuf-2.0 -fcolor-diagnostics -Wall -Winvalid-pch -std=gnu11 -O2 -g -isystem /home/nick/qemu-t8030/linux-headers -isystem linux-headers -iquote . -iquote /home/nick/qemu-t8030 -iquote /home/nick/qemu-t8030/include -iquote /home/nick/qemu-t8030/disas/libvixl -iquote /home/nick/qemu-t8030/tcg/i386 -pthread -m64 -mcx16 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fno-common -fwrapv -Wold-style-definition -Wtype-limits -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wempty-body -Wnested-externs -Wendif-labels -Wexpansion-to-defined -Wno-initializer-overrides -Wno-missing-include-dirs -Wno-shift-negative-value -Wno-string-plus-int -Wno-typedef-redefinition -Wno-tautological-type-limit-compare -Wno-psabi -fstack-protector-strong -fPIE -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=600 -DNCURSES_WIDECHAR -D_REENTRANT -MD -MQ libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o -MF libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o.d -o libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o -c ../hw/misc/apple_spmi_pmu.c
../hw/misc/apple_spmi_pmu.c:51:25: error: expected ';' after top level declarator
static uint64_t __unused tick_to_ns(AppleSPMIPMUState *p, uint64_t tick)
^
;
../hw/misc/apple_spmi_pmu.c:246:17: error: use of undeclared identifier 'vmstate_apple_spmi_pmu'
dc->vmsd = &vmstate_apple_spmi_pmu;
^
../hw/misc/apple_spmi_pmu.c:248:16: error: use of undeclared identifier 'apple_spmi_pmu_send'; did you mean 'apple_spmi_pmu_create'?
sc->send = apple_spmi_pmu_send;
^~~~~~~~~~~~~~~~~~~
apple_spmi_pmu_create
/home/nick/qemu-t8030/include/hw/spmi/apple_spmi_pmu.h:9:14: note: 'apple_spmi_pmu_create' declared here
DeviceState *apple_spmi_pmu_create(DTBNode *node);
^
../hw/misc/apple_spmi_pmu.c:249:16: error: use of undeclared identifier 'apple_spmi_pmu_recv'; did you mean 'apple_spmi_pmu_create'?
sc->recv = apple_spmi_pmu_recv;
^~~~~~~~~~~~~~~~~~~
apple_spmi_pmu_create
/home/nick/qemu-t8030/include/hw/spmi/apple_spmi_pmu.h:9:14: note: 'apple_spmi_pmu_create' declared here
DeviceState *apple_spmi_pmu_create(DTBNode *node);
^
../hw/misc/apple_spmi_pmu.c:250:19: error: use of undeclared identifier 'apple_spmi_pmu_command'; did you mean 'apple_spmi_pmu_create'?
sc->command = apple_spmi_pmu_command;
^~~~~~~~~~~~~~~~~~~~~~
apple_spmi_pmu_create
/home/nick/qemu-t8030/include/hw/spmi/apple_spmi_pmu.h:9:14: note: 'apple_spmi_pmu_create' declared here
DeviceState *apple_spmi_pmu_create(DTBNode *node);
^
5 errors generated.
[1159/2860] Compiling C object libcommon.fa.p/hw_misc_apple_mbox.c.o
../hw/misc/apple_mbox.c:838:53: warning: format specifies type 'unsigned long long' but the argument has type 'uint64_t' (aka 'unsigned long') [-Wformat]
s->role, addr, ret);
^~~
/home/nick/qemu-t8030/include/qemu/log.h:120:30: note: expanded from macro 'qemu_log_mask'
qemu_log(FMT, ## __VA_ARGS__); \
~~~ ^~~~~~~~~~~
1 warning generated.
Nick Chan
I am trying to boot iOS 14.0 (18A188 InternalUI) in the emulator.
Error log:
Loading iOS 14.0...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00a4cd4f0
KPF: found apfs_vfsop_mount
KPF: found handle_eval_rootauth
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff007b5d718
kpf_amfi_callback: Found lookup_in_static_trust_cache
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Routine)
kpf_amfi_callback: start @ 0xfffffff0097edcb8
kpf_amfi_callback: Found lookup_in_trust_cache_module
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
Qemu FB realize
g_virt_base: 0xfffffff004000000
g_phys_base: 0x0000000802000000
entry: 0x00000008061204e8
boot_mode: 0
auto-boot=true
cmdline: [debug=0x14e kextlog=0xffff serial=3 -v wdt=-1 launchd_unsecure_cache=1]
iBoot version: qemu-t8030
Darwin Image4 Validator Version 3.0.0: Wed Aug 12 22:19:21 PDT 2020; root:AppleImage4-106.0.4.0.1~129/AppleImage4/RELEASE_ARM64E
AMFI is running in RESEARCH mode!
AUC:[0xffffffe19b9f47e0]::init(0xffffffe19ba323c8)
AUC:[0xffffffe19b9f47e0]::probe(0xffffffe19b7c1ea0, 0xffffffe80e3abdac)
AppleCredentialManager: init: called, instance = .
ACMFirstResponderKernelService: init: called, .
ACMRM-S: init: called, starting PersistentStore service.
ACMRM-C: init: called, starting AccessoryCache service.
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache size = 16 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache expiration = 2592000 (default).
ACMRM: init: called, starting TRM service.
ACMRM-A: init: called, starting TRM Analytics service.
ACMKernelService: initValueFromBootArgAliasesUInt32: analytics collection period = 86400 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: policy mode timeout = 259200 (default).
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: (bounded) grace period timeout = 3600 (default).
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: enabled = 1 (default).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO* BtArg=NO LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO* LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _loadDisabledByOSEnvironment: disabled by OSEnvironment: NO.
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO LegHW=NO OSEnv=NO* | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200.
ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(n=1) while DISABLED, TRM: 259200 -/ff 4294967295 -/ff miss=ff (CUR: 259200 -/ff 4294967295 -/ff).
AppleCredentialManager: init: returning, result = true, instance = .
AppleARMBootPerf: Error: profile region not found (2)
AppleARMBootPerf: Error: failed to publish profile data (2)
virtual bool CoreAnalyticsHub::start(IOService *)::105:CoreAnalyticsHub start
AppleSSE::start called
AppleSSE::start returning, result = 1
AUC:[0xffffffe19b9f47e0]::start(0xffffffe19b7c1ea0)
AppleSEPKeyStore:321:0: starting (BUILT: Aug 12 2020 22:51:30)
AppleSEPKeyStore:545:0: _sep_enabled = 1
AppleCredentialManager: start: called, instance = .
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleCredentialManager: start: initializing power management, instance = .
AppleCredentialManager: start: started, instance = .
AppleCredentialManager: start: returning, result = true, instance = .
AppleInterruptController::start: Num Shared Timestamps == 0
AppleGPIOICController::start: this: , _gpioicBaseAddress:
AppleS8000AES::start: registers at phys:0x0x235008000/0x0x23d2d0000 virt:0x/0x0x4000 / 0x/0x0x4000
AppleGPIOICController::start: this: , _gpioicBaseAddress:
AppleGPIOICController::start: this: , _gpioicBaseAddress:
virtual bool AppleARMLightEmUp::start(IOService *): starting...
AppleS5L8960XUSBPhy::start: hsic disabled
000001.085722 wlan0.A[1] start@968:Default options property found with value 4
Creating an object of AppleBCMWLANPlatformFunctionEmbeddedAMFM class
000001.121777 wlan0.A[2] start@1401: Raised adjustBusy(+1), getBusyState() -> 1
000001.121898 wlan0.A[3] start@1403:Setting up notifier for CoreAnalyticsHub
000001.138758 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::prepareDefaults: model iPhone version 12.1
Identified Serial Port uart7 at 0x23521c000()
AppleA7IOPNub: withRegistryEntry, 47: allocated nub
Identified Serial Port uart0 at 0x235200000()
AppleA7IOPNub: withRegistryEntry, 47: allocated nub
RTBuddy(SMC): start() - (Aug 12 2020@22:50:37)
RTBuddy(ANS2): start() - (Aug 12 2020@22:50:37)
RTBuddy(SMC): Boot args override: wdt = -1
RTBuddy(ANS2): Boot args override: wdt = -1
RTBuddy(ANS2): Resuming...
RTBuddy(SMC): Resuming...
Starting AppleSMC kext() - (Aug 12 2020@22:51:44)
000001.210077 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
AppleSMCEmbedded::setPowerState(): ENTER powerStateOrdinal=1, _activeKeyCommand=0 newState=1
AppleA7IOPNub: withRegistryEntry, 47: allocated nub
virtual IOService AppleANS2NVMeController::probe(IOService , SInt32 )::194:Found (ANS2) provider, returning score 100000
000001.217358 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
RTBuddy(SIO): start() - (Aug 12 2020@22:50:37)
RTBuddy(SIO): Boot args override: wdt = -1
virtual bool AppleANS2NVMeController::start(IOService )::394:Found the ANS2Endpoint1
bool AppleEmbeddedNVMeController::SetNamespacesStruct()::186:Obtained 7 namespaces from DT
virtual IOFilterInterruptEventSource AppleANS2NVMeController::CreateDeviceInterrupt(IOInterruptEventSource::Action, IOFilterInterruptEventSource::Filter, IOService )::2719:ANS2 NVMe interrupt index - 0x4
LPM: Log data is NOT valid. 0x0 0x0
AppleDialogSPMIPMU::start: Primary PMU detected
AppleARMRTC started!#####
AppleDialogSPMIPMURTC started!
Failed to read info-leg_scrpad/Library/Caches/com.apple.xbs/Sources/AppleSMC/AppleSMC-589.0.5/AppleSMCEmbeddedCharger/AppleSMCCharger.cpp:408 _setPowerStateGated() ENTER powerStateOrdinal=1, _powerState=1
AppleDialogSPMIPMURTC tick read!&&&&&&&
AppleDialogSPMIPMURTC ending!%%%
AppleARMRTC registering service!@@@@@@
AppleARMRTC service registered!$$$$$
AppleARMRTC publishing service!^^^^^^
apfs_module_start:2411: load: com.apple.filesystems.apfs, v1677.0.5, apfs-1677.0.5, 2020/08/12
com.apple.AppleFSCompressionTypeZlib kmod start
apfs_sysctl_register:1253: done registering sysctls.
com.apple.AppleFSCompressionTypeZlib load succeeded
L2TP domain init
L2TP domain init complete
Load request for com.apple.nke.pptp failed: -603946998
Waiting on IOProviderClassIOMediaIOPropertyMatchPartition ID0x1
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=0 entrysize=64
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=1 entrysize=128
ANS2: MMIO write to unknown vendor register, offset=0x1210 value=0x240024, returning
ANS2: MMIO write to unknown vendor register, offset=0x24004 value=0x1000, returning
ANS2: MMIO write to unknown vendor register, offset=0x24008 value=0x0, returning
ANS2: MMIO write to unknown vendor register, offset=0x24118 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24108 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24420 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24414 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x2441c value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24418 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24144 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24524 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24508 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24504 value=0x10002, returning
virtual void AppleANS2NVMeController::SetModeselRegister(uint32_t)::1186:Setting modesel to 0
ANS2: MMIO write to unknown vendor register, offset=0x1304 value=0x0, returning
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1964:nvme: Vendor ID : 0x1b36
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1965:nvme: Model Number : QEMU NVMe Ctrl
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1966:nvme: Serial Number : QEMUT8030ANS
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1967:nvme: Firmware Rev : 1.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2000:nvme: S3E A0 Invalid 1x slc 1D 0 plane 128GB NAND
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2009:ECCVersion : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2010:FTL Rev : 0.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2011:DM_Version : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2012:=======================
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2019:Found 16 namespaces in current NAND
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[1] as nstype[1]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[2] as nstype[2]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[3] as nstype[3]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[4] as nstype[4]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[5] as nstype[5]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[6] as nstype[6]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[7] as nstype[8]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[8] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[9] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[10] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[11] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[12] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[13] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[14] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[15] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[16] as nstype[0]
bool AppleEmbeddedNVMeController::SetSwapWriteLimit(uint32_t)::2192: Swap limit set to 2147483648bytes, 2GB
uint32_t AppleEmbeddedNVMeNVRAM::GetNVRAMSize()::745:NVRAM size is 8192 bytes
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1578:allocateAll 1
dev_init:297: disk0 device accelerated crypto: 0 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0 device_handle block size 512 block count 67108864 features 0 internal
nx_kernel_mount:1134: disk0 initializing cache w/hash_size 4096 and cache size 10064
nx_kernel_mount:1402: disk0 checkpoint search: largest xid 355, best xid 355 @ 33
import_iboot_forwarded_roothash:2577: importing root hash ...
apfs_extract_root_hash_arm:10001: could not retrieve system-volume-auth-blob from device tree
import_iboot_forwarded_roothash:2580: apfs_extract_root_hash_and_manifest failed with error: No such file or directory (2)
Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOGUIDPartitionScheme/Untitled 1@1
BSD root: disk0s1, major 1, minor 1
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 2, NSTYPE - 2
apfs_vfsop_mountroot:2188: apfs: mountroot called!
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 512 block count 67108864 features 22 internal solidstate
nx_kernel_mount:1134: disk0s1 initializing cache w/hash_size 4096 and cache size 10064
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 3, NSTYPE - 3
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 6, NSTYPE - 6
[effaceable:ERR ] unable to find content
[effaceable:INIT] started
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 7, NSTYPE - 8
virtual IOReturn AppleNVMeNamespaceDevice::GetDeviceProperties()::269: Logical Blocks Size = 512
virtual IOReturn AppleNVMeNamespaceDevice::GetDeviceProperties()::272: Block Count = 2048
virtual bool AppleNVMeNamespaceDevice::start(IOService *)::111:NVMe Namespace Device registration done for NSID: 7, NSTYPE: 8
virtual bool AppleEmbeddedNVMeController::StartController()::1547:Setting NAND status to Ready
nx_kernel_mount:1402: disk0s1 checkpoint search: largest xid 355, best xid 355 @ 33
apfs_vfsop_mount:1848: Promoter has been locked for disk0s1
failed to find root-snapshot-name snapshot
handle_mount:627: vol-uuid: 5133F48D-5D9E-499B-A8BA-45E692E36FD9 block size: 4096 block count: 8388608 (unencrypted; flags: 0x1; features: 8.0.12)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6634: Volume System is not in a volume group
apfs_vfsop_mount:2171: disk0s1s1:0 mounted volume: System
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleT8030PMGR
panic(cpu 0 caller 0xfffffff007e63dfc): "Process 1 exec of /sbin/launchd failed, errno 86"
Debugger message: panic
Memory ID: 0x0
OS release type: Not set yet
OS version: Not set yet
Kernel version: Darwin Kernel Version 20.0.0: Wed Aug 12 22:56:55 PDT 2020; root:xnu-7195.0.33~64/RELEASE_ARM64_T8030
Kernel UUID: FDDAF386-4EA2-35FC-8235-1F167AEFD6F3
iBoot version: qemu-t8030
secure boot?: YES
Paniclog version: 13
Kernel text base: 0xfffffff007004000
mach_absolute_time: 0x3a68cda
Epoch Time: sec usec
Boot : 0x62471b68 0x00092c8a
Sleep : 0x00000000 0x00000000
Wake : 0x00000000 0x00000000
Calendar: 0x62471b69 0x000da7c4
Panicked task 0xffffffe19b795f40: 1 pages, 1 threads: pid 1: init
Panicked thread: 0xffffffe19ba185d0, backtrace: 0xffffffe8139e37f0, tid: 358
lr: 0xfffffff007a2af48 fp: 0xffffffe8139e3830
lr: 0xfffffff007a2ad48 fp: 0xffffffe8139e38a0
lr: 0xfffffff007b64940 fp: 0xffffffe8139e38c0
lr: 0xfffffff007b56e1c fp: 0xffffffe8139e3980
lr: 0xfffffff00811c5f4 fp: 0xffffffe8139e3990
lr: 0xfffffff007a2aa30 fp: 0xffffffe8139e3d10
lr: 0xfffffff007a2aa30 fp: 0xffffffe8139e3d70
lr: 0xfffffff0097db97c fp: 0xffffffe8139e3d90
lr: 0xfffffff007e63dfc fp: 0xffffffe8139e3e40
lr: 0xfffffff007e2fea0 fp: 0xffffffe8139e3e60
lr: 0xfffffff007a21b7c fp: 0xffffffe8139e3e90
lr: 0xfffffff00811caec fp: 0xffffffe8139e3ea0
lr: 0xfffffff007a61fd0 fp: 0xffffffe8139e3f00
lr: 0xfffffff00812495c fp: 0x0000000000000000
** Stackshot Succeeded ** Bytes Traced 10867 (Uncompressed 36160) **
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleT8030PMGR
wdog panic (attempt 1)
Boot command:
../qemu-system-aarch64 -accel tcg,tb-size=8192 -s -M t8030,trustcache-filename=static_tc,ticket-filename=root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb Firmware/all_flash/DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v wdt=-1 launchd_unsecure_cache=1" \
-initrd 038-44135-124.dmg \
-cpu max -smp 4 \
-m 4G -serial mon:stdio \
-drive file=disk.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8 \
-monitor telnet:127.0.0.1:1235,server,nowait
With blocksize set to 4096, I get mount errors.
I cannot seem to restore the device:
┌──(nick㉿kali)-[~]
└─$ idevicerestore -P -d --erase --restore-mode -i 0x1122334455667788 iPhone11,8,iPhone12,1_14.0_18A5351d_Restore.ipsw -T root_ticket.der
Using ApTicket found at root_ticket.der length 8931
progress: 0 0.000000
idevice_event_cb: device 1122334455667788 (udid: 00008030-1122334455667788) connected in restore mode
progress: 0 0.100000
Found device in Restore mode
INFO: device serial number is C39ZRMDEN72J
restore_get_irecv_device: Found model N104DEV
progress: 0 0.200000
Identified device as n104ap, iPhone12,1
progress: 0 0.600000
Extracting BuildManifest from IPSW
progress: 0 0.800000
Product Version: 14.0
Product Build: 18A5351d Major: 18
Device supports Image4: true
ERROR: Unable to find any build identities
idevicerestore commit 38595f0b7dac3d53033f93e9893d9be49996ba95 with patch applied
iOS version: 14.0
VM is Kali Linux rolling (minimal)
root_ticket.der made from ticket.shsh2 in xnu-qemu-arm64-tools
Device appears to enter restore mode successfully
Additionally, the patch does not apply for configure.ac
I ended up adding AC_SEARCH_LIBS([pthread_create], [pthread]) to configure.ac myself and then removed that hunk of the patch.
Linux boot command:
${HOME}/qemu-t8030/build/qemu-system-x86_64 -smp 1 -m 768 \
-machine q35 \
-device virtio-vga,xres=640,yres=480 \
-enable-kvm \
-cpu qemu64 \
-usb \
-device usb-ehci,id=ehci \
-device usb-tcp-remote,bus=ehci.0 \
-drive file=${HOME}/vm_images/kali.qcow2 \
-net user,hostfwd=tcp::8122-:22 \
-net nic \
-monitor telnet:127.0.0.1:1236,server,nowait
iOS boot command:
${HOME}/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=038-44135-124.dmg.trustcache.out \
-kernel kernelcache.research.iphone12b \
-dtb DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v" \
-initrd 038-44135-124.dmg \
-cpu max -smp 4 \
-m 2G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait
Nick Chan
Is there support for bash shell access?
I followed the bringing the emulator; from what I could understand from the error, there could be some issue with nvram or missing plist files.
Following is the directory structure:
iphone:
total 5304212
-rw-r--r-- 1 zoro zoro 107767835 Jan 9 2007 038-44087-125.dmg
-rw-r--r-- 1 zoro zoro 104685595 Jan 9 2007 038-44135-124.dmg
-rw-r--r-- 1 zoro zoro 5155389281 Jan 9 2007 038-44337-083.dmg
-r--r--r-- 1 zoro zoro 729171 Jan 9 2007 BuildManifest.plist
drwxr-xr-x 18 zoro zoro 4096 Jan 9 2007 Firmware
-rw-r--r-- 1 zoro zoro 15278127 Jan 9 2007 kernelcache.release.iphone11b
-rw-r--r-- 1 zoro zoro 15704952 Jan 9 2007 kernelcache.release.iphone12b
-rw-r--r-- 1 zoro zoro 17429507 Jan 9 2007 kernelcache.research.iphone12b
-rw-r--r-- 1 zoro zoro 34359738368 May 26 17:49 nvme.1
-rw-r--r-- 1 zoro zoro 8388608 May 26 17:49 nvme.2
-rw-r--r-- 1 zoro zoro 131072 May 26 17:49 nvme.3
-rw-r--r-- 1 zoro zoro 8192 May 26 17:49 nvme.4
-rw-r--r-- 1 zoro zoro 4096 May 26 17:49 nvme.6
-rw-r--r-- 1 zoro zoro 1048576 May 26 17:49 nvme.7
-rw-r--r-- 1 zoro zoro 8192 May 26 18:09 nvram
-r--r--r-- 1 zoro zoro 1420 Jan 9 2007 Restore.plist
drwxr-xr-x 13 zoro zoro 4096 May 26 20:17 strap
-rw-r--r-- 1 zoro zoro 14458876 May 26 20:17 strap.tar.lzma
lzfse:
total 40
-rw-r--r-- 1 zoro zoro 458 May 16 17:25 appveyor.yml
drwxr-xr-x 6 zoro zoro 4096 May 16 17:25 build
-rw-r--r-- 1 zoro zoro 4231 May 16 17:25 CMakeLists.txt
-rw-r--r-- 1 zoro zoro 1514 May 16 17:25 LICENSE
drwxr-xr-x 2 zoro zoro 4096 May 16 17:25 lzfse.xcodeproj
-rw-r--r-- 1 zoro zoro 3022 May 16 17:25 Makefile
-rw-r--r-- 1 zoro zoro 2582 May 16 17:25 README.md
drwxr-xr-x 2 zoro zoro 4096 May 16 17:25 src
drwxr-xr-x 2 zoro zoro 4096 May 16 17:25 tests
qemu-t8030:
total 1924
drwxr-xr-x 8 zoro zoro 4096 May 16 17:26 accel
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 audio
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 authz
drwxr-xr-x 3 zoro zoro 4096 May 16 17:26 backends
drwxr-xr-x 4 zoro zoro 4096 May 16 17:26 block
-rw-r--r-- 1 zoro zoro 247543 May 16 17:26 block.c
-rw-r--r-- 1 zoro zoro 119968 May 16 17:26 blockdev.c
-rw-r--r-- 1 zoro zoro 7497 May 16 17:26 blockdev-nbd.c
-rw-r--r-- 1 zoro zoro 16520 May 16 17:26 blockjob.c
drwxr-xr-x 10 zoro zoro 4096 May 16 17:26 bsd-user
drwxr-xr-x 77 zoro zoro 4096 May 26 12:49 build
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 capstone
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 chardev
drwxr-xr-x 3 zoro zoro 4096 May 16 17:26 common-user
drwxr-xr-x 4 zoro zoro 4096 May 16 17:26 configs
-rwxr-xr-x 1 zoro zoro 91796 May 16 17:26 configure
drwxr-xr-x 13 zoro zoro 4096 May 16 17:26 contrib
-rw-r--r-- 1 zoro zoro 17992 May 16 17:26 COPYING
-rw-r--r-- 1 zoro zoro 26530 May 16 17:26 COPYING.LIB
-rw-r--r-- 1 zoro zoro 12950 May 16 17:26 cpu.c
-rw-r--r-- 1 zoro zoro 10318 May 16 17:26 cpus-common.c
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 crypto
drwxr-xr-x 3 zoro zoro 4096 May 16 17:26 disas
-rw-r--r-- 1 zoro zoro 10982 May 16 17:26 disas.c
drwxr-xr-x 14 zoro zoro 4096 May 16 17:26 docs
drwxr-xr-x 7 zoro zoro 4096 May 16 17:27 dtc
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 dump
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 ebpf
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 fpu
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 fsdev
-rw-r--r-- 1 zoro zoro 93984 May 16 17:26 gdbstub.c
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 gdb-xml
-rw-r--r-- 1 zoro zoro 1835 May 16 17:26 gitdm.config
-rw-r--r-- 1 zoro zoro 52286 May 16 17:26 hmp-commands.hx
-rw-r--r-- 1 zoro zoro 19607 May 16 17:26 hmp-commands-info.hx
drwxr-xr-x 68 zoro zoro 4096 May 16 17:26 hw
drwxr-xr-x 25 zoro zoro 4096 May 16 17:26 include
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 io
-rw-r--r-- 1 zoro zoro 12640 May 16 17:26 iothread.c
-rw-r--r-- 1 zoro zoro 27882 May 16 17:26 job.c
-rw-r--r-- 1 zoro zoro 4997 May 16 17:26 job-qmp.c
-rw-r--r-- 1 zoro zoro 132 May 16 17:26 Kconfig
-rw-r--r-- 1 zoro zoro 598 May 16 17:26 Kconfig.host
drwxr-xr-x 3 zoro zoro 4096 May 16 17:26 libdecnumber
-rw-r--r-- 1 zoro zoro 1177 May 16 17:26 LICENSE
drwxr-xr-x 12 zoro zoro 4096 May 16 17:26 linux-headers
drwxr-xr-x 24 zoro zoro 4096 May 16 17:26 linux-user
-rw-r--r-- 1 zoro zoro 86163 May 16 17:26 MAINTAINERS
-rw-r--r-- 1 zoro zoro 11567 May 16 17:26 Makefile
-rw-r--r-- 1 zoro zoro 16093 May 16 17:26 memory_ldst.c.inc
drwxr-xr-x 14 zoro zoro 4096 May 16 17:27 meson
-rw-r--r-- 1 zoro zoro 138523 May 16 17:26 meson.build
-rw-r--r-- 1 zoro zoro 13676 May 16 17:26 meson_options.txt
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 migration
-rw-r--r-- 1 zoro zoro 113 May 16 17:26 module-common.c
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 monitor
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 nbd
drwxr-xr-x 3 zoro zoro 4096 May 16 17:26 net
-rw-r--r-- 1 zoro zoro 8495 May 16 17:26 os-posix.c
-rw-r--r-- 1 zoro zoro 2249 May 16 17:26 os-win32.c
-rw-r--r-- 1 zoro zoro 1223 May 16 17:26 page-vary.c
-rw-r--r-- 1 zoro zoro 1668 May 16 17:26 page-vary-common.c
drwxr-xr-x 7 zoro zoro 4096 May 16 17:26 pc-bios
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 plugins
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 po
drwxr-xr-x 4 zoro zoro 4096 May 16 17:26 python
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 qapi
-rw-r--r-- 1 zoro zoro 12152 May 16 17:26 qemu-bridge-helper.c
-rw-r--r-- 1 zoro zoro 3681 May 16 17:26 qemu-edid.c
-rw-r--r-- 1 zoro zoro 163649 May 16 17:26 qemu-img.c
-rw-r--r-- 1 zoro zoro 5654 May 16 17:26 qemu-img-cmds.hx
-rw-r--r-- 1 zoro zoro 18269 May 16 17:26 qemu-io.c
-rw-r--r-- 1 zoro zoro 66195 May 16 17:26 qemu-io-cmds.c
-rw-r--r-- 1 zoro zoro 7588 May 16 17:26 qemu-keymap.c
-rw-r--r-- 1 zoro zoro 38211 May 16 17:26 qemu-nbd.c
-rw-r--r-- 1 zoro zoro 6916 May 16 17:26 qemu.nsi
-rw-r--r-- 1 zoro zoro 235167 May 16 17:26 qemu-options.hx
-rw-r--r-- 1 zoro zoro 1694 May 16 17:26 qemu.sasl
drwxr-xr-x 4 zoro zoro 4096 May 16 17:26 qga
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 qobject
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 qom
-rw-r--r-- 1 zoro zoro 5575 May 16 17:26 README.rst
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 replay
-rw-r--r-- 1 zoro zoro 2530 May 16 17:26 replication.c
drwxr-xr-x 17 zoro zoro 4096 May 16 17:26 roms
drwxr-xr-x 16 zoro zoro 4096 May 16 17:26 scripts
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 scsi
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 semihosting
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 setup-ios
drwxr-xr-x 4 zoro zoro 4096 May 16 17:27 slirp
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 softmmu
drwxr-xr-x 3 zoro zoro 4096 May 16 17:26 storage-daemon
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 stubs
drwxr-xr-x 3 zoro zoro 4096 May 16 17:26 subprojects
drwxr-xr-x 22 zoro zoro 4096 May 16 17:26 target
drwxr-xr-x 12 zoro zoro 4096 May 16 17:26 tcg
drwxr-xr-x 27 zoro zoro 4096 May 16 17:26 tests
drwxr-xr-x 4 zoro zoro 4096 May 16 17:26 tools
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 trace
-rw-r--r-- 1 zoro zoro 5582 May 16 17:26 trace-events
drwxr-xr-x 5 zoro zoro 4096 May 16 17:26 ui
drwxr-xr-x 2 zoro zoro 4096 May 16 17:26 util
-rw-r--r-- 1 zoro zoro 6 May 16 17:26 VERSION.QEMU
-rw-r--r-- 1 zoro zoro 867 May 16 17:26 version.rc
qemu-t8030-tools:
total 12
drwxr-xr-x 2 zoro zoro 4096 May 16 17:19 bootstrap_scripts
drwxr-xr-x 2 zoro zoro 4096 May 16 17:19 libimobiledevice_patches
-rw-r--r-- 1 zoro zoro 327 May 16 17:19 README.md
The following are the qemu logs:
../qemu-t8030/build/qemu-system-aarch64 -snapshot -s -M t8030,trustcache-filename=Firmware/038-44135-124.dmg.trustcache \
-kernel kernelcache.research.iphone12b \
-dtb Firmware/all_flash/DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v" \
-initrd 038-44135-124.dmg \
-cpu max -smp 4 \
-m 4G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait
Loading iOS 14.0...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00a4cd4f0
KPF: found apfs_vfsop_mount
KPF: found handle_eval_rootauth
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: Found lookup_in_trust_cache_module @ 0xfffffff007b5d71c
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Routine)
kpf_amfi_callback: Found lookup_in_static_trust_cache @ 0xfffffff0097edcb8
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
Qemu FB realize
g_virt_base: 0xfffffff00a000000
g_phys_base: 0x0000000802000000
slide_virt: 0x0000000007000000
slide_phys: 0x0000000001000000
entry: 0x00000008071204e8
boot_mode: 0
auto-boot=false
cmdline: [-restore rd=md0 nand-enable-reformat=1 -progress debug=0x14e kextlog=0xffff serial=3 -v]
iBoot version: qemu-t8030
Darwin Image4 Validator Version 3.0.0: Wed Aug 12 22:19:21 PDT 2020; root:AppleImage4-106.0.4.0.1 ~ 129/AppleImage4/RELEASE_ARM64E
AppleImage4: failed to read nvram property: nonce-seeds: 2
AppleImage4: error reading seeds: 2
AMFI is running in RESEARCH mode!
AUC:[0xffffffe19bb18950]::init(0xffffffe19bb4a0a8)
AUC:[0xffffffe19bb18950]::probe(0xffffffe19b8e2300, 0xffffffe8080abdac)
AppleCredentialManager: init: called, instance = <ptr>.
ACMFirstResponderKernelService: init: called, .
ACMRM-S: init: called, starting PersistentStore service.
ACMRM-C: init: called, starting AccessoryCache service.
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache size = 16 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache expiration = 2592000 (default).
ACMRM: init: called, starting TRM service.
ACMRM-A: init: called, starting TRM Analytics service.
ACMKernelService: initValueFromBootArgAliasesUInt32: analytics collection period = 86400 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: policy mode timeout = 259200 (default).
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: (bounded) grace period timeout = 3600 (default).
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: enabled = 1 (default).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO* BtArg=NO LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO* LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _loadDisabledByOSEnvironment: disabled by OSEnvironment: NO.
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO LegHW=NO OSEnv=NO* | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200.
ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(n=1) while DISABLED, TRM: 259200 -/ff 4294967295 -/ff miss=ff (CUR: 259200 -/ff 4294967295 -/ff).
AppleCredentialManager: init: returning, result = true, instance = <ptr>.
AppleARMBootPerf: Error: profile region not found (2)
AppleARMBootPerf: Error: failed to publish profile data (2)
virtual bool CoreAnalyticsHub::start(IOService *)::105:CoreAnalyticsHub start
virtual bool AppleARMLightEmUp::start(IOService *): starting...
AppleSSE::start called
AppleSSE::start returning, result = 1
AUC:[0xffffffe19bb18950]::start(0xffffffe19b8e2300)
AppleS5L8940XI2CController::start: smc-i2c1 this: <ptr> _i2cBaseAddress: <ptr>
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleS5L8940XI2CController::start: i2c1 this: <ptr> _i2cBaseAddress: <ptr>
AppleInterruptController::start: Num Shared Timestamps == 0
AppleSEPKeyStore:321:0: starting (BUILT: Aug 12 2020 22:51:30)
AppleSEPKeyStore:545:0: _sep_enabled = 1
AppleCredentialManager: start: called, instance = <ptr>.
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleCredentialManager: start: initializing power management, instance = <ptr>.
AppleCredentialManager: start: started, instance = <ptr>.
AppleCredentialManager: start: returning, result = true, instance = <ptr>.
AppleS5L8940XI2CController::start: i2c0 this: <ptr> _i2cBaseAddress: <ptr>
AppleS5L8940XI2CController::start: i2c2 this: <ptr> _i2cBaseAddress: <ptr>
AppleS5L8940XI2CController::start: smc-i2c0 this: <ptr> _i2cBaseAddress: <ptr>
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
000002.788268 wlan0.A[1] start@968:Default options property found with value 4
AppleS5L8940XI2CController::start: i2c3 this: <ptr> _i2cBaseAddress: <ptr>
AppleS5L8960XUSBPhy::start: hsic disabled
AppleS8000AES::start: registers at phys:0x0x235008000/0x0x23d2d0000 virt:0x<ptr>/0x0x4000 / 0x<ptr>/0x0x4000
Creating an object of AppleBCMWLANPlatformFunctionEmbeddedAMFM class
000002.898100 wlan0.A[2] start@1401: Raised adjustBusy(+1), getBusyState() -> 1
000002.898560 wlan0.A[3] start@1403:Setting up notifier for CoreAnalyticsHub
000002.939384 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::prepareDefaults: model iPhone version 12.1
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>
Identified Serial Port uart7 at 0x23521c000(<ptr>)
Identified Serial Port uart0 at 0x235200000(<ptr>)
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>
RTBuddy(SMC): start(<ptr>) - (Aug 12 2020@22:50:37)
RTBuddy(ANS2): start(<ptr>) - (Aug 12 2020@22:50:37)
LPM state clear
LPM: Log data is NOT valid. 0x0 0x0
AppleDialogSPMIPMU::start: Primary PMU detected
AppleARMRTC started!#####
AppleDialogSPMIPMURTC started!******
Failed to read info-leg_scrpadAppleDialogSPMIPMURTC tick read!&&&&&&&
AppleDialogSPMIPMURTC ending!%%%
AppleARMRTC registering service!@@@@@@
RTBuddy(SMC): Resuming...
RTBuddy(ANS2): Resuming...
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>
AppleARMRTC service registered!$$$$$
AppleARMRTC publishing service!^^^^^^
virtual IOService *AppleANS2NVMeController::probe(IOService *, SInt32 *)::194:Found (ANS2) provider, returning score 100000
void AppleEmbeddedNVMeController::GetRestoreEnvironment()::444:Restore Environment!
RTBuddy(SIO): start(<ptr>) - (Aug 12 2020@22:50:37)
000003.144880 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
Starting AppleSMC kext(<ptr>) - (Aug 12 2020@22:51:44)
AppleSMCEmbedded::setPowerState(): ENTER powerStateOrdinal=1, _activeKeyCommand=17 newState=1
virtual bool AppleANS2NVMeController::start(IOService *)::394:Found the ANS2Endpoint1
000003.164450 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
void AppleEmbeddedNVMeController::GetRestoreEnvironment()::444:Restore Environment!
bool AppleEmbeddedNVMeController::SetNamespacesStruct()::186:Obtained 7 namespaces from DT
virtual IOFilterInterruptEventSource *AppleANS2NVMeController::CreateDeviceInterrupt(IOInterruptEventSource::Action, IOFilterInterruptEventSource::Filter, IOService *)::2719:ANS2 NVMe interrupt index - 0x4
/Library/Caches/com.apple.xbs/Sources/AppleSMC/AppleSMC-589.0.5/AppleSMCEmbeddedCharger/AppleSMCCharger.cpp:408 _setPowerStateGated() ENTER powerStateOrdinal=1, _powerState=1
apfs_module_start:2411: load: com.apple.filesystems.apfs, v1677.0.5, apfs-1677.0.5, 2020/08/12
com.apple.AppleFSCompressionTypeZlib kmod start
apfs_sysctl_register:1253: done registering sysctls.
com.apple.AppleFSCompressionTypeZlib load succeeded
L2TP domain init
L2TP domain init complete
Load request for com.apple.nke.pptp failed: -603946998
BSD root: md0, major 3, minor 0
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=0 entrysize=64
apfs_vfsop_mountroot:2188: apfs: mountroot called!
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=1 entrysize=128
ANS2: MMIO write to unknown vendor register, offset=0x1210 value=0x240024, returning
apfs_vfsop_mANS2: MMIO write to unknown vendor register, offset=0x24004 value=0x1000, returning
ount:1745: unable to root from devvpANS2: MMIO write to unknown vendor register, offset=0x24008 value=0x0, returning
<ptr> (ANS2: MMIO write to unknown vendor register, offset=0x24118 value=0x102, returning
roANS2: MMIO write to unknown vendor register, offset=0x24108 value=0x102, returning
otANS2: MMIO write to unknown vendor register, offset=0x24420 value=0x102, returning
_dANS2: MMIO write to unknown vendor register, offset=0x24414 value=0x102, returning
evice): 2
ANS2: MMIO write to unknown vendor register, offset=0x2441c value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24418 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24144 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24524 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24508 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24504 value=0x10002, returning
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 2
virtual void AppleANS2NVMeController::SetModeselRegister(uint32_t)::1186:Setting modesel to 4
ANS2: MMIO write to unknown vendor register, offset=0x1304 value=0x4, returning
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1964:nvme: Vendor ID : 0x1b36
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1965:nvme: Model Number : QEMU NVMe Ctrl
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1966:nvme: Serial Number : QEMUT8030ANS
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1967:nvme: Firmware Rev : 1.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2000:nvme: S3E A0 Invalid 1x slc 1D 0 plane 128GB NAND
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2009:ECCVersion : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2010:FTL Rev : 0.0
hfs: mounted AzulSeed18A5351d.arm64eCustomerRamDisk on device b(3, 0)
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2011:DM_Version : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2012:=======================
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2019:Found 16 namespaces in current NAND
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[1] as nstype[1]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[2] as nstype[2]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[3] as nstype[3]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[4] as nstype[4]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[5] as nstype[5]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[6] as nstype[6]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[7] as nstype[8]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[8] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[9] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[10] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[11] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[12] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[13] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[14] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[15] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[16] as nstype[0]
bool AppleEmbeddedNVMeController::SetSwapWriteLimit(uint32_t)::2192: Swap limit set to 2147483648bytes, 2GB
virtual bool AppleEmbeddedNVMeController::InitializeController()::507:FW update not complete, create dummy block device
uint32_t AppleEmbeddedNVMeNVRAM::GetNVRAMSize()::745:NVRAM size is 8192 bytes
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1578:allocateAll 1
virtual bool AppleEmbeddedNVMeController::StartController()::1547:Setting NAND status to Ready
dyld: setting comm page to 0x0
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: hello
Darwin Bootstrapper Version 7.0.0: Mon Aug 10 04:09:14 PDT 2020; root:libxpc_executables-2038.0.13~13/launchd/RELEASE_ARM64E
boot-args = -restore rd=md0 nand-enable-reformat=1 -progress debug=0x14e kextlog=0xffff serial=3 -v
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Restore environment starting.
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Notice>: entering ondemand mode
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: fsck
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: mount-phase-1
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: data-protection
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: finish-obliteration
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: commit-boot-mode
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: boot-mode committed: (null)
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: restore-datapartition
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: restore-datapartition: optional boot task not present
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: mount-phase-2
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: init-with-data-volume
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: MSUEarlyBootTask
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: fips
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: keybag
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: usermanagerd
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: init_featureflags
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: fud
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: tzinit
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: finish-restore
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: finish-demo-restore
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: sysstatuscheck
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: prng_seedctl
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Error>: Unable to open /System/Library/xpc/launchd.plist [2:No such file or directory]
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: launchd_cache_loader
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Error>: No MRM cache found
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Warning>: Unable to load cache
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: launchd UUID: 4C2464F5-9F87-31DE-B252-584E3391D4FA
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Early boot complete. Continuing system boot.
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Notice>: entering bootstrap mode
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.KeyMaker) <Warning>: Unknown key for Boolean: EnablePressureExit
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: com.apple.KeyMaker (lint): Unable to find persona with type 6: kpersona_find returned -1
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: com.apple.PurpleReverseProxy.ramdisk (lint): Unable to find persona with type 6: kpersona_find returned -1
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: com.apple.diskimagesiod.ram (lint): Unable to find persona with type 6: kpersona_find returned -1
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: com.apple.restored_external (lint): Unable to find persona with type 6: kpersona_find returned -1
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: Failed to bootstrap path: path = /System/Library/NanoLaunchDaemonsAltAccount, error = 2: No such file or directory
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: Failed to bootstrap path: path = /System/Library/NanoLaunchDaemons, error = 2: No such file or directory
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: Failed to bootstrap path: path = /AppleInternal/Library/LaunchDaemons, error = 2: No such file or directory
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Notice>: exiting bootstrap mode
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Notice>: exiting ondemand mode
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.KeyMaker.3) <Warning>: Could not find and/or execute program specified by service: 2: No such file or directory: /usr/local/bin/KeyMaker
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.KeyMaker.3) <Notice>: Service setup event to handle failure and will not launch until it fires.
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.KeyMaker.3) <Error>: Missing executable detected. Job: 'com.apple.KeyMaker' Executable: '/usr/local/bin/KeyMaker'
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.KeyMaker.3) <Warning>: Service exited with abnormal code: 78
objc[4]: Class AMSupportURLConnectionDelegate is implemented in both ?? (0x1014a0000) and ?? (0x101eb0028). One of the two will be used. Which one is undefined.
objc[4]: Class AMSupportURLSession is implemented in both ?? (0x1014a0050) and ?? (0x101eb0078). One of the two will be used. Which one is undefined.
[14:48:08.0929-GMT]{1>4} CHECKPOINT ANOMALY: [check_collection]auto-boot(does_not_exist)
[14:48:08.0955-GMT]{1>4} CHECKPOINT PROGRESS: START (unknown) -> (initial_monitor_no_return)
[14:48:08.0958-GMT]{1>4} CHECKPOINT NOTICE: NVRAM access available on initial check
restore-anomalies = {0x00000000:[check_collection]auto-boot(does_not_exist)}
restore-outcome = initial_monitor_no_return
executing /usr/sbin/nvram -s restore-outcome=initial_monitor_no_return
[14:48:09.0589-GMT]{1>4} CHECKPOINT NOTICE: (NVRAM set) restore-outcome=initial_monitor_no_return [sync=true] (initial entry)
entering set_boot_stage
[14:48:09.0684-GMT]{1>4} CHECKPOINT MONITOR: [0x0204] boot_stage
restore-step-monitor = {0x11010204:"boot_stage"}
executing /sbin/mount_tmpfs /mnt5
entering show_service_nodes
disk0
IOBlockStorageDriver RegistryID : 0x10000021e Busy State : 0x0 Service State : 0x1e
NS_01 RegistryID : 0x10000021d Busy State : 0x0 Service State : 0x1e
AppleANS2NVMeController RegistryID : 0x1000001fb Busy State : 0x0 Service State : 0x1e
RTBuddyService RegistryID : 0x1000001f3 Busy State : 0x0 Service State : 0x1e
RTBuddyV2 RegistryID : 0x1000001ea Busy State : 0x0 Service State : 0x1e
iop-ans-nub RegistryID : 0x100000132 Busy State : 0x0 Service State : 0x1e
AppleASCWrapV2 RegistryID : 0x1000001d8 Busy State : 0x0 Service State : 0x0
ans RegistryID : 0x100000131 Busy State : 0x0 Service State : 0x1e
AppleT803xIO RegistryID : 0x1000001a6 Busy State : 0x5 Service State : 0x1e
arm-io RegistryID : 0x100000116 Busy State : 0x1 Service State : 0x1e
AppleARMPE RegistryID : 0x100000186 Busy State : 0x2 Service State : 0x1e
N104DEV RegistryID : 0x100000185 Busy State : 0x1 Service State : 0x1e
Root RegistryID : 0x100000100 Busy State : 0x0 Service State : 0x0
[14:48:10.0034-GMT]{1>4} CHECKPOINT MONITOR: [0x1180] create_ramdisk
restore-step-monitor = {0x11011180:"create_ramdisk"}
[14:48:10.0036-GMT]{1>4} CHECKPOINT MONITOR: [0x0206] monitoring_child
restore-step-monitor = {0x11010206:"monitoring_child"}
objc[7]: Class AMSupportURLConnectionDelegate is implemented in both ?? (0x1017f0000) and ?? (0x102200028). One of the two will be used. Which one is undefined.
objc[7]: Class AMSupportURLSession is implemented in both ?? (0x1017f0050) and ?? (0x102200078). One of the two will be used. Which one is undefined.
libMobileGestalt MobileGestalt.c:711: RestoreLog: Client Query: Image4Supported
2022-05-26 14:48:11.678882+0000 restored_external[7:370] RestoreLog: Client Query: Image4Supported
libMobileGestalt utility.c:64: Could not open /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist: No such file or directory
2022-05-26 14:48:11.698142+0000 restored_external[7:370] Could not open /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist: No such file or directory
libMobileGestalt MobileGestalt.c:743: RestoreLog: Client Response: Image4Supported : true
2022-05-26 14:48:11.717470+0000 restored_external[7:370] RestoreLog: Client Response: Image4Supported : 1
[14:48:11.0719-GMT]{4>7} CHECKPOINT NOTICE: Image4 device: AP nonce clearable
entering ramrod_clear_ap_nonce
[14:48:11.0772-GMT]{4>7} CHECKPOINT NOTICE: AP nonce consumed
[14:48:11.0791-GMT]{4>7} CHECKPOINT NOTICE: Pre-existing NVRAM variable: restore-outcome=initial_monitor_no_return
[14:48:11.0822-GMT]{4>7} CHECKPOINT ANOMALY: [check_collection]auto-boot(does_not_exist)
[14:48:11.0825-GMT]{4>7} CHECKPOINT PROGRESS: START (unknown) -> (initial_engine_no_return)
[14:48:11.0826-GMT]{4>7} CHECKPOINT NOTICE: NVRAM access available on initial check
restore-anomalies = {0x00000000:[check_collection]auto-boot(does_not_exist)}
restore-outcome = initial_engine_no_return
executing /usr/sbin/nvram restore-outcome=initial_engine_no_return
[14:48:12.0325-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0400] umask
restore-step-ids = {0x11030400:1}
restore-step-names = {0x11030400:umask}
restore-step-uptime = 9
restore-step-user-progress = -1
[14:48:12.0332-GMT]{4>7} CHECKPOINT END: MAIN:[0x0400] umask
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 9
restore-step-user-progress = -1
[14:48:12.0337-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0402] setvbuf
restore-step-ids = {0x11030402:2}
restore-step-names = {0x11030402:setvbuf}
restore-step-uptime = 9
restore-step-user-progress = -1
[14:48:12.0342-GMT]{4>7} CHECKPOINT END: MAIN:[0x0402] setvbuf
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 9
restore-step-user-progress = -1
[14:48:12.0347-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0403] kernel_logger_thread
restore-step-ids = {0x11030403:3}
restore-step-names = {0x11030403:kernel_logger_thread}
restore-step-uptime = 9
restore-step-user-progress = -1
[14:48:12.0352-GMT]{4>7} CHECKPOINT END: MAIN:[0x0403] kernel_logger_thread
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 9
restore-step-user-progress = -1
[14:48:12.0359-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0406] set_progress_0
restore-step-ids = {0x11030406:4}
restore-step-names = {0x11030406:set_progress_0}
restore-step-uptime = 9
restore-step-user-progress = -1
libMobileGestalt MobileGestalt.c:711: RestoreLog: Client Query: DeviceClass
2022-05-26 14:48:12.367467+0000 restored_external[7:370] RestoreLog: Client Query: DeviceClass
libMobileGestalt MobileGestalt.c:743: RestoreLog: Client Response: DeviceClass : iPhone
2022-05-26 14:48:12.370310+0000 restored_external[7:370] RestoreLog: Client Response: DeviceClass : iPhone
libMobileGestalt MobileGestalt.c:711: RestoreLog: Client Query: DeviceColorMapPolicy
2022-05-26 14:48:12.372004+0000 restored_external[7:370] RestoreLog: Client Query: DeviceColorMapPolicy
libMobileGestalt MobileGestalt.c:743: RestoreLog: Client Response: DeviceColorMapPolicy : 0
2022-05-26 14:48:12.382616+0000 restored_external[7:370] RestoreLog: Client Response: DeviceColorMapPolicy : 0
2022-05-26 14:48:12.393758+0000 restored_external[7:370] IOMFB: /System/Library/Frameworks/MediaToolbox.framework/MediaToolbox not found
2022-05-26 14:48:12.397712+0000 restored_external[7:370] IOMFB: /System/Library/PrivateFrameworks/MediaToolbox.framework/MediaToolbox not found
2022-05-26 14:48:12.400924+0000 restored_external[7:370] IOMFB: /System/Library/PrivateFrameworks/Celestial.framework/Celestial not found
2022-05-26 14:48:12.402334+0000 restored_external[7:370] IOMFB: FigInstallVirtualDisplay not found
unable to get display list
unable to get framebuffer
No framebuffer but an internal display. Ok on bridge but weird anywhere else.
ramrod_display_set_granular_progress_forced: 0.000000
[14:48:18.0016-GMT]{4>7} CHECKPOINT END: MAIN:[0x0406] set_progress_0
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0027-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0407] start_gasgauge_thread
restore-step-ids = {0x11030407:5}
restore-step-names = {0x11030407:start_gasgauge_thread}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0052-GMT]{4>7} CHECKPOINT WARNING: MAIN:[0x0407] gasgauge_start_update_thread failed: -1
restored_external: gasgauge_start_update_thread failed: -1
[14:48:18.0057-GMT]{4>7} CHECKPOINT END: MAIN:[0x0407] start_gasgauge_thread
restore-step-ids = {}
restore-step-names = {}
restore-step-warnings = {0x11060407:{0:"gasgauge_start_update_thread failed: -1"}}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0074-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0408] listen_for_log_client
restore-step-ids = {0x11030408:6}
restore-step-names = {0x11030408:listen_for_log_client}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0097-GMT]{4>7} CHECKPOINT END: MAIN:[0x0408] listen_for_log_client
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0103-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x040D] create_listen_socket
restore-step-ids = {0x1103040D:7}
restore-step-names = {0x1103040D:create_listen_socket}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0111-GMT]{4>7} CHECKPOINT END: MAIN:[0x040D] create_listen_socket
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0117-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0404] update_root_mount
restore-step-ids = {0x11030404:8}
restore-step-names = {0x11030404:update_root_mount}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0158-GMT]{4>7} CHECKPOINT END: MAIN:[0x0404] update_root_mount
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0163-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0405] disable_watchdog
restore-step-ids = {0x11030405:9}
restore-step-names = {0x11030405:disable_watchdog}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0177-GMT]{4>7} CHECKPOINT END: MAIN:[0x0405] disable_watchdog
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0190-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x040E] enable_usb
restore-step-ids = {0x1103040E:10}
restore-step-names = {0x1103040E:enable_usb}
restore-step-uptime = 15
restore-step-user-progress = 0
libMobileGestalt MobileGestalt.c:711: RestoreLog: Client Query: UniqueDeviceID
2022-05-26 14:48:18.259105+0000 restored_external[7:370] RestoreLog: Client Query: UniqueDeviceID
2022-05-26 14:48:18.261258+0000 restored_external[7:370] [fast-path] taking platform fast path for key: re6Zb+zwFKJNlkQTUeT+/w
libMobileGestalt MobileGestalt.c:711: RestoreLog: Client Query: nFRqKto/RuQAV1P+0/qkBA
2022-05-26 14:48:18.263541+0000 restored_external[7:370] RestoreLog: Client Query: nFRqKto/RuQAV1P+0/qkBA
2022-05-26 14:48:18.264773+0000 restored_external[7:370] [fast-path] taking platform fast path for key: nFRqKto/RuQAV1P+0/qkBA
libMobileGestalt MobileGestalt.c:711: RestoreLog: Client Query: TF31PAB6aO8KAbPyNKSxKA
2022-05-26 14:48:18.268898+0000 restored_external[7:370] RestoreLog: Client Query: TF31PAB6aO8KAbPyNKSxKA
libMobileGestalt MobileGestalt.c:743: RestoreLog: Client Response: TF31PAB6aO8KAbPyNKSxKA : 1234605616436508552
2022-05-26 14:48:18.275121+0000 restored_external[7:370] RestoreLog: Client Response: TF31PAB6aO8KAbPyNKSxKA : 1234605616436508552
libMobileGestalt MobileGestalt.c:711: RestoreLog: Client Query: 566JrJVMlDfnslGpwUzNlQ
2022-05-26 14:48:18.277011+0000 restored_external[7:370] RestoreLog: Client Query: 566JrJVMlDfnslGpwUzNlQ
libMobileGestalt MobileGestalt.c:743: RestoreLog: Client Response: 566JrJVMlDfnslGpwUzNlQ : 32816
2022-05-26 14:48:18.283882+0000 restored_external[7:370] RestoreLog: Client Response: 566JrJVMlDfnslGpwUzNlQ : 32816
libMobileGestalt MobileGestalt.c:743: RestoreLog: Client Response: nFRqKto/RuQAV1P+0/qkBA : <CFData 0x13880e540 [0x101ee41b8]>{length = 25, capacity = 25, bytes = 0x30303030383033302d31313232333334 ... 3535363637373838}
2022-05-26 14:48:18.304635+0000 restored_external[7:370] RestoreLog: Client Response: nFRqKto/RuQAV1P+0/qkBA : {length = 25, bytes = 0x30303030 38303330 2d313132 32333334 ... 35353636 37373838 }
libMobileGestalt MobileGestalt.c:743: RestoreLog: Client Response: UniqueDeviceID : 00008030-1122334455667788
2022-05-26 14:48:18.307444+0000 restored_external[7:370] RestoreLog: Client Response: UniqueDeviceID : 00008030-1122334455667788
000017.727052 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice: configuration: Apple Mobile Device
000017.727788 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice: interface: AppleUSBMux
000017.728893 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice: configuration: Reserved 1 + Apple Mobile Device
000017.729475 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice: interface: Reserved
000017.730027 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice: interface: AppleUSBMux
000017.730562 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice: configuration: Reserved 2 + Apple Mobile Device
000017.731165 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice: interface: Reserved
000017.731708 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice: interface: AppleUSBMux
000017.732254 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice: configuration: Reserved 3 + Apple Mobile Device
000017.732852 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice: interface: Reserved
000017.733326 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice: interface: AppleUSBMux
waiting for matching IOKit service: {
IOProviderClass = AppleUSBDeviceMux;
}
000017.752422 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_registerFunction: register function Reserved
AppleUSBDeviceMux build: Aug 12 2020 22:50:42
000017.769377 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_registerFunction: register function AppleUSBMux
000017.770859 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::startUSBStack: starting usb stack
qemu: usb_tcp_host_attach: failed to connect to server: -1
IOReturn AppleUSBDeviceMux::setPropertiesGated(OSObject *) setting debug level to 7
[14:48:21.0340-GMT]{4>7} CHECKPOINT END: MAIN:[0x040E] enable_usb
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 18
restore-step-user-progress = 0
waiting for host to trigger start of restore [timeout of 120 seconds]
000022.894390 wlan0.A[4] initWithProvider@120:amfm not matched
000022.900667 wlan0.A[5] deferredStart@1730: Lowered adjustBusy(-1), getBusyState() -> 4
```
After a successful restore, rootfs cannot be mounted for some reason.
The rootfs is already modified, and has its snapshot renamed to orig-fs
rootfs binaries (not the one in the wiki as I wanted a newer bash)
bash.plist and launchd.plist from setup-ios
Although I do not think these details matter when the rootfs is not even mounted.
A filesystem check on the APFS container reported no problem, and it can be mounted on macOS.
This appears to be the log related to the problem:
Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOFDiskPartitionScheme/Untitled 1@1
BSD root: disk0s1, major 1, minor 1
apfs_vfsop_mountroot:2188: apfs: mountroot called!
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 4096 block count 8388607 features 22 internal solidstate
apfs_vfsop_mount:1745: unable to root from devvp <ptr> (root_device): 79
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 79
virtual bool AppleEmbeddedNVMeController::StartController()::1547:Setting NAND status to Ready
hfs_ValidateHFSPlusVolumeHeader: unknown Volume Signature : 0
hfs_mount: hfs_mountfs returned error=22 for device unknown-dev
mount(2) failed
Host is Debian bullseye
Full log:
Loading iOS 14.0...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00a4cd4f0
KPF: found apfs_vfsop_mount
KPF: found handle_eval_rootauth
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff007b5d718
kpf_amfi_callback: Found lookup_in_static_trust_cache
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Routine)
kpf_amfi_callback: start @ 0xfffffff0097edcb8
kpf_amfi_callback: Found lookup_in_trust_cache_module
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
Qemu FB realize
g_virt_base: 0xfffffff004000000
g_phys_base: 0x0000000800000000
entry: 0x00000008041204e8
boot_mode: 0
auto-boot=true
cmdline: [debug=0x14e kextlog=0xffff rd=disk0s1 serial=3 -v wdt=-1]
iBoot version: qemu-t8030
Darwin Image4 Validator Version 3.0.0: Wed Aug 12 22:19:21 PDT 2020; root:AppleImage4-106.0.4.0.1~129/AppleImage4/RELEASE_ARM64E
AMFI is running in RESEARCH mode!
AUC:[0xffffffe19b677dd0]::init(0xffffffe19b5cc1b8)
AUC:[0xffffffe19b677dd0]::probe(0xffffffe19b445fe0, 0xffffffe80a31bdac)
AppleCredentialManager: init: called, instance = <ptr>.
ACMFirstResponderKernelService: init: called, .
ACMRM-S: init: called, starting PersistentStore service.
ACMRM-C: init: called, starting AccessoryCache service.
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache size = 16 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache expiration = 2592000 (default).
ACMRM: init: called, starting TRM service.
ACMRM-A: init: called, starting TRM Analytics service.
ACMKernelService: initValueFromBootArgAliasesUInt32: analytics collection period = 86400 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: policy mode timeout = 259200 (default).
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: (bounded) grace period timeout = 3600 (default).
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: enabled = 1 (default).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO* BtArg=NO LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO* LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _loadDisabledByOSEnvironment: disabled by OSEnvironment: NO.
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO LegHW=NO OSEnv=NO* | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200.
ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(n=1) while DISABLED, TRM: 259200 -/ff 4294967295 -/ff miss=ff (CUR: 259200 -/ff 4294967295 -/ff).
AppleCredentialManager: init: returning, result = true, instance = <ptr>.
AppleARMBootPerf: Error: profile region not found (2)
AppleARMBootPerf: Error: failed to publish profile data (2)
virtual bool CoreAnalyticsHub::start(IOService *)::105:CoreAnalyticsHub start
AppleInterruptController::start: Num Shared Timestamps == 0
AppleSSE::start called
AppleSSE::start returning, result = 1
AUC:[0xffffffe19b677dd0]::start(0xffffffe19b445fe0)
AppleSEPKeyStore:321:0: starting (BUILT: Aug 12 2020 22:51:30)
AppleSEPKeyStore:545:0: _sep_enabled = 1
AppleCredentialManager: start: called, instance = <ptr>.
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleS8000AES::start: registers at phys:0x0x235008000/0x0x23d2d0000 virt:0x<ptr>/0x0x4000 / 0x<ptr>/0x0x4000
AppleCredentialManager: start: initializing power management, instance = <ptr>.
AppleCredentialManager: start: started, instance = <ptr>.
AppleCredentialManager: start: returning, result = true, instance = <ptr>.
virtual bool AppleARMLightEmUp::start(IOService *): starting...
000001.935910 wlan0.A[1] start@968:Default options property found with value 4
Creating an object of AppleBCMWLANPlatformFunctionEmbeddedAMFM class
000001.948877 wlan0.A[2] start@1401: Raised adjustBusy(+1), getBusyState() -> 1
000001.949319 wlan0.A[3] start@1403:Setting up notifier for CoreAnalyticsHub
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>
RTBuddy(ANS2): start(<ptr>) - (Aug 12 2020@22:50:37)
RTBuddy(ANS2): Boot args override: wdt = -1
RTBuddy(ANS2): Resuming...
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>
RTBuddy(SMC): start(<ptr>) - (Aug 12 2020@22:50:37)
RTBuddy(SMC): Boot args override: wdt = -1
RTBuddy(SMC): Resuming...
Starting AppleSMC kext(<ptr>) - (Aug 12 2020@22:51:44)
AppleSMCEmbedded::setPowerState(): ENTER powerStateOrdinal=1, _activeKeyCommand=0 newState=1
virtual IOService *AppleANS2NVMeController::probe(IOService *, SInt32 *)::194:Found (ANS2) provider, returning score 100000
virtual bool AppleANS2NVMeController::start(IOService *)::394:Found the ANS2Endpoint1
bool AppleEmbeddedNVMeController::SetNamespacesStruct()::186:Obtained 7 namespaces from DT
virtual IOFilterInterruptEventSource *AppleANS2NVMeController::CreateDeviceInterrupt(IOInterruptEventSource::Action, IOFilterInterruptEventSource::Filter, IOService *)::2719:ANS2 NVMe interrupt index - 0x4
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleS5L8960XUSBPhy::start: hsic disabled
Identified Serial Port uart7 at 0x23521c000(<ptr>)
Identified Serial Port uart0 at 0x235200000(<ptr>)
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>
RTBuddy(SIO): start(<ptr>) - (Aug 12 2020@22:50:37)
RTBuddy(SIO): Boot args override: wdt = -1
000002.252741 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::prepareDefaults: model iPhone version 12.1
000002.282571 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
000002.287644 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
LPM: Log data is NOT valid. 0x0 0x0
AppleDialogSPMIPMU::start: Primary PMU detected
/Library/Caches/com.apple.xbs/Sources/AppleSMC/AppleSMC-589.0.5/AppleSMCEmbeddedCharger/AppleSMCCharger.cpp:408 _setPowerStateGated() ENTER powerStateOrdinal=1, _powerState=1
AppleARMRTC started!#####
AppleDialogSPMIPMURTC started!******
Failed to read info-leg_scrpadAppleDialogSPMIPMURTC tick read!&&&&&&&
AppleDialogSPMIPMURTC ending!%%%
AppleARMRTC registering service!@@@@@@
AppleARMRTC service registered!$$$$$
AppleARMRTC publishing service!^^^^^^
apfs_module_start:2411: load: com.apple.filesystems.apfs, v1677.0.5, apfs-1677.0.5, 2020/08/12
com.apple.AppleFSCompressionTypeZlib kmod start
apfs_sysctl_register:1253: done registering sysctls.
com.apple.AppleFSCompressionTypeZlib load succeeded
L2TP domain init
L2TP domain init complete
Load request for com.apple.nke.pptp failed: -603946998
Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOService</string><key>BSD Name</key><string ID="2">disk0s1</string></dict>
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=0 entrysize=64
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=1 entrysize=128
ANS2: MMIO write to unknown vendor register, offset=0x1210 value=0x240024, returning
ANS2: MMIO write to unknown vendor register, offset=0x24004 value=0x1000, returning
ANS2: MMIO write to unknown vendor register, offset=0x24008 value=0x0, returning
ANS2: MMIO write to unknown vendor register, offset=0x24118 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24108 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24420 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24414 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x2441c value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24418 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24144 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24524 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24508 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24504 value=0x10002, returning
virtual void AppleANS2NVMeController::SetModeselRegister(uint32_t)::1186:Setting modesel to 0
ANS2: MMIO write to unknown vendor register, offset=0x1304 value=0x0, returning
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1964:nvme: Vendor ID : 0x1b36
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1965:nvme: Model Number : QEMU NVMe Ctrl
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1966:nvme: Serial Number : QEMUT8030ANS
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1967:nvme: Firmware Rev : 1.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2000:nvme: S3E A0 Invalid 1x slc 1D 0 plane 128GB NAND
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2009:ECCVersion : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2010:FTL Rev : 0.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2011:DM_Version : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2012:=======================
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2019:Found 16 namespaces in current NAND
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[1] as nstype[1]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[2] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[3] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[4] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[5] as nstype[5]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[6] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[7] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[8] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[9] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[10] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[11] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[12] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[13] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[14] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[15] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[16] as nstype[0]
bool AppleEmbeddedNVMeController::SetSwapWriteLimit(uint32_t)::2192: Swap limit set to 2147483648bytes, 2GB
uint32_t AppleEmbeddedNVMeNVRAM::GetNVRAMSize()::745:NVRAM size is 8192 bytes
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1578:allocateAll 1
Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOFDiskPartitionScheme/Untitled 1@1
BSD root: disk0s1, major 1, minor 1
apfs_vfsop_mountroot:2188: apfs: mountroot called!
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 4096 block count 8388607 features 22 internal solidstate
apfs_vfsop_mount:1745: unable to root from devvp <ptr> (root_device): 79
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 79
virtual bool AppleEmbeddedNVMeController::StartController()::1547:Setting NAND status to Ready
hfs_ValidateHFSPlusVolumeHeader: unknown Volume Signature : 0
hfs_mount: hfs_mountfs returned error=22 for device unknown-dev
mount(2) failed
Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOService</string><key>BSD Name</key><string ID="2">disk0s1</string></dict>
Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOFDiskPartitionScheme/Untitled 1@1
BSD root: disk0s1, major 1, minor 1
apfs_vfsop_mountroot:2188: apfs: mountroot called!
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 4096 block count 8388607 features 22 internal solidstate
apfs_vfsop_mount:1745: unable to root from devvp <ptr> (root_device): 79
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 79
hfs_ValidateHFSPlusVolumeHeader: unknown Volume Signature : 0
hfs_mount: hfs_mountfs returned error=22 for device unknown-dev
mount(3) failed
Nick Chan
Hi,
I have followed all the steps given in the tutorial, and in the final step I am getting stuck at the following place.
apfs_module_start:2411: load: com.apple.filesystems.apfs, v1677.0.5, apfs-1677.0.5, 2020/08/12
com.apple.AppleFSCompressionTypeZlib kmod start
AppleNVMe Assert failed: ( 0 != resources ) ErrorExit file: /Library/Caches/com.apple.xbs/Sources/IONVMeFamily/IONVMeFamily-557.0.2.152.1/Embedded/AppleEmbeddedNVMeController.cpp line: 5248
apfs_sysctl_register:1253: done registering sysctls.
com.apple.AppleFSCompressionTypeZlib load succeeded
L2TP domain init
L2TP domain init complete
Load request for com.apple.nke.pptp failed: -603946998
BSD root: md0, major 3, minor 0
apfs_vfsop_mountroot:2188: apfs: mountroot called!
apfs_vfsop_mount:1745: unable to root from devvp (root_device): 2
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 2
hfs: mounted AzulSeed18A5351d.arm64eUpdateRamDisk on device b(3, 0)
virtual void AppleEmbeddedNVMeController::InitializeWallTime()::5248:nvme: IOBSD didn't show up in 60 secs
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleT8030PMGR
panic(cpu 0 caller 0xfffffff00934c658): "Could not initialize wall time.\n"
I installed all packages via DNF and YUM (https://wiki.qemu.org/Hosts/Linux#Fedora_Linux_.2F_Debian_GNU_Linux_.2F_Ubuntu_Linux_.2F_Linux_Mint_distributions), but it fails to compile at some point https://pastebin.com/mdd6EATS
Environment:
os: macOS Big Sur
gdb: GNU gdb (GDB) 12.1
Steps to reproduce:
(gdb) set debug remote 1
(gdb) target remote :1235
Remote debugging using :1235
[remote] start_remote_1: enter
[remote] Sending packet: $qSupported:multiprocess+;swbreak+;hwbreak+;qRelocInsn+;fork-events+;vfork-events+;exec-events+;vContSupported+;QThreadEvents+;no-resumed+;memory-tagging+;xmlRegisters=i386#77
[remote] Junk:
[remote] Junk: {
[remote] Junk:
[remote] Junk:
[remote] Junk: {
[remote] Junk:
[remote] Junk:
[remote] Junk: {
[remote] Junk:
[remote] Junk:
[remote] Junk: }
[remote] Junk:
[remote] Junk: Q
[remote] Junk: E
[remote] Junk: M
[remote] Junk: U
[remote] Junk:
[remote] Junk: 7
[remote] Junk: .
[remote] Junk: 0
[remote] Junk: .
[remote] Junk: 0
[remote] Junk:
[remote] Junk: m
[remote] Junk: o
[remote] Junk: n
[remote] Junk: i
[remote] Junk: t
[remote] Junk: o
[remote] Junk: r
[remote] Junk:
[remote] Received Nak
[remote] Sending packet: $qSupported:multiprocess+;swbreak+;hwbreak+;qRelocInsn+;fork-events+;vfork-events+;exec-events+;vContSupported+;QThreadEvents+;no-resumed+;memory-tagging+;xmlRegisters=i386#77
[remote] Junk:
[remote] Junk: t
[remote] Junk: y
[remote] Junk: p
[remote] Junk: e
[remote] Junk:
[remote] Junk: '
[remote] Junk: h
[remote] Junk: e
[remote] Junk: l
[remote] Junk: p
[remote] Junk: '
[remote] Junk:
[remote] Junk: f
[remote] Junk: o
[remote] Junk: r
[remote] Junk:
[remote] Junk: m
[remote] Junk: o
[remote] Junk: r
[remote] Junk: e
[remote] Junk:
[remote] Junk: i
[remote] Junk: n
[remote] Junk: f
[remote] Junk: o
[remote] Junk: r
[remote] Junk: m
[remote] Junk: a
[remote] Junk: t
[remote] Junk: i
[remote] Junk: o
[remote] Junk: n
[remote] Junk:
[remote] Junk:
[remote] Junk: (
[remote] Junk: q
[remote] Junk: e
[remote] Junk: m
[remote] Junk: u
[remote] Junk: )
[remote] Junk:
[remote] Received Ack
[remote] read_frame: Saw new packet start in middle of old one
[remote] read_frame: Saw new packet start in middle of old one
[remote] read_frame: Saw new packet start in middle of old one
Ignoring packet error, continuing...
[remote] packet_ok: Packet qSupported (supported-packets) is supported
[remote] Sending packet: $vMustReplyEmpty#3a
[remote] Junk: qqSup
[remote] Junk: SqSup
[remote] Junk: uqSup
[remote] Junk: pqSup
[remote] Junk: pqSup
[remote] Junk: Sup
[remote] Junk: [qSup
[remote] Junk: KqSup
[remote] Junk: Sup
[remote] Junk: [qSup
[remote] Junk: DqSup
[remote] Junk: Sup
[remote] Junk: [qSup
[remote] Junk: DqSup
[remote] Junk: Sup
[remote] Junk: [qSup
[remote] Junk: DqSup
[remote] Junk: Sup
[remote] Junk: [qSup
[remote] Junk: DqSup
[remote] Junk: Sup
[remote] Junk: [qSup
[remote] Junk: DqSup
[remote] Junk: Sup
[remote] Junk: [qSup
[remote] Junk: DqSup
[remote] Junk: Sup
[remote] Junk: [qSup
[remote] Junk: DqSup
[remote] Received Ack
[remote] read_frame: Saw new packet start in middle of old one
[remote] read_frame: Saw new packet start in middle of old one
[remote] read_frame: Saw new packet start in middle of old one
Ignoring packet error, continuing...
[remote] start_remote_1: exit
Remote replied unexpectedly to 'vMustReplyEmpty'+ qSupported
(gdb)
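The `Junk:` lines in the session above can be reassembled to read what the remote end sent instead of Remote Serial Protocol replies. This is an added example, not part of the original report; it assumes each `Junk:` line starts with the one stray byte gdb read (any text after it being gdb's leftover buffer) and that a bare `Junk:` line was whitespace or a control byte. The sample log is constructed and abridged from the lines above.

```python
import re

# Constructed sample, abridged from the `set debug remote 1` session above.
# A bare "Junk:" line is a byte whose glyph did not survive (space, CR/LF, ESC).
SAMPLE_LOG = """\
[remote] Sending packet: $qSupported:multiprocess+;swbreak+;hwbreak+;qRelocInsn+;fork-events+;vfork-events+;exec-events+;vContSupported+;QThreadEvents+;no-resumed+;memory-tagging+;xmlRegisters=i386#77
[remote] Junk: Q
[remote] Junk: E
[remote] Junk: M
[remote] Junk: U
[remote] Junk:
[remote] Junk: 7
[remote] Junk: .
[remote] Junk: 0
[remote] Junk: .
[remote] Junk: 0
[remote] Junk:
[remote] Junk: m
[remote] Junk: o
[remote] Junk: n
[remote] Junk: i
[remote] Junk: t
[remote] Junk: o
[remote] Junk: r
[remote] Junk:
[remote] Received Nak
[remote] Junk:
[remote] Junk: (
[remote] Junk: q
[remote] Junk: e
[remote] Junk: m
[remote] Junk: u
[remote] Junk: )
[remote] Junk:
[remote] Received Ack
[remote] Sending packet: $vMustReplyEmpty#3a
[remote] Junk: qqSup
[remote] Junk: SqSup
[remote] Junk: uqSup
[remote] Junk: pqSup
[remote] Junk: pqSup
[remote] Received Ack
"""

JUNK = re.compile(r"^\[remote\] Junk:(?: (.*))?$")
ACKNAK = re.compile(r"^\[remote\] Received (Ack|Nak)$")


def received_text(log: str) -> str:
    """Rebuild the byte stream gdb read while waiting for packet acks."""
    out = []
    for line in log.splitlines():
        m = JUNK.match(line)
        if m:
            payload = m.group(1) or ""
            # Assumption: first character is the stray byte; the rest is
            # gdb's stale packet buffer (e.g. "qqSup" -> "q").
            out.append(payload[0] if payload else " ")
            continue
        m = ACKNAK.match(line)
        if m:
            # In the remote protocol '+' is ACK and '-' is NAK, so a literal
            # '-' or '+' in the peer's text is logged as Nak/Ack, not as junk.
            out.append("+" if m.group(1) == "Ack" else "-")
    return "".join(out)


def diagnose(log: str) -> str:
    """Classify the peer from the bytes seen outside of framed packets."""
    text = received_text(log)
    if set(text) <= {"+", "-"}:
        return "rsp"            # only acks/naks: consistent with a gdbstub
    if "(qemu)" in text:
        return "qemu-monitor"   # "(qemu)" is the QEMU human monitor prompt
    return "unknown-text"


if __name__ == "__main__":
    print(repr(received_text(SAMPLE_LOG)))
    print(diagnose(SAMPLE_LOG))
```
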
Camera work?
In a nutshell: watchdogd must be kept running
iOS version: 14.3 (don't think it matters), with research kernels (don't think this matters either)
qemu-t8030 commit: 42fedc7
To reproduce
/System/Library/LaunchDaemons/xpc/launchd.plist
as detailed in the wiki
panic(cpu 0 caller 0xfffffff0091c85d4): watchdog timeout: no checkins from watchdogd since boot (600 seconds ago)
kernel watchdog timeout panic:
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
panic(cpu 0 caller 0xfffffff0091c85d4): watchdog timeout: no checkins from watchdogd since boot (600 seconds ago)
Debugger message: panic
Memory ID: 0x0
OS release type: User
OS version: 18C66
Kernel version: Darwin Kernel Version 20.2.0: Fri Nov 13 01:00:15 PST 2020; root:xnu-7195.62.1~4/RELEASE_ARM64_T8030
Kernel UUID: 73CDC310-07B4-3CB1-9F61-114FA9D77E4D
iBoot version: qemu-t8030
secure boot?: YES
Paniclog version: 13
Kernel text base: 0xfffffff007004000
mach_absolute_time: 0x35e3ab49e
Epoch Time: sec usec
Boot : 0x622c0777 0x00042b47
Sleep : 0x00000000 0x00000000
Wake : 0x00000000 0x00000000
Calendar: 0x622c09cf 0x0003d01d
Total cpu_usage: 129487437
Thread task pri cpu_usage
0xffffffe19c87c5d0 com.apple.datami 37 47767
0xffffffe19bbf68b0 com.apple.datami 31 77901
0xffffffe19b76d740 kernel_task 0 5372077
0xffffffe19b76e8b0 kernel_task 0 802121
0xffffffe19b67d740 kernel_task 0 4436923
Panicked task 0xffffffe19b669900: 5100 pages, 118 threads: pid 0: kernel_task
Panicked thread: 0xffffffe19b67d740, backtrace: 0xffffffe80a5b78f0, tid: 102
lr: 0xfffffff007a58c90 fp: 0xffffffe80a5b7930
lr: 0xfffffff007a58a90 fp: 0xffffffe80a5b79a0
lr: 0xfffffff007b96b90 fp: 0xffffffe80a5b79c0
lr: 0xfffffff007b88c9c fp: 0xffffffe80a5b7a80
lr: 0xfffffff008160600 fp: 0xffffffe80a5b7a90
lr: 0xfffffff007a58778 fp: 0xffffffe80a5b7e10
lr: 0xfffffff007a58778 fp: 0xffffffe80a5b7e70
lr: 0xfffffff00987ba18 fp: 0xffffffe80a5b7e90
lr: 0xfffffff0091c85d4 fp: 0xffffffe80a5b7ec0
lr: 0xfffffff0091c7e54 fp: 0xffffffe80a5b7f00
lr: 0xfffffff0097089b0 fp: 0xffffffe80a5b7f20
lr: 0xfffffff009233990 fp: 0xffffffe80a5b7fb0
lr: 0xfffffff0080bab20 fp: 0xffffffe80a5b7fc0
lr: 0xfffffff007b8a3fc fp: 0xffffffe80a5b7fe0
lr: 0xfffffff008160674 fp: 0xffffffe80a5b7ff0
lr: 0xfffffff007a86d9c fp: 0xffffffe8b7c2bee0
lr: 0xfffffff007a8701c fp: 0xffffffe8b7c2bf00
lr: 0xfffffff00816895c fp: 0x0000000000000000
** Stackshot Succeeded ** Bytes Traced 117405 (Uncompressed 303632) **
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
wdog panic (attempt 1)
wdt_update: wdog reset chip
boot command:
${HOME}/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=038-83075-083.dmg.trustcache.out,ticket-filename=root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb DeviceTree.n104ap.im4p \
-append "-v launchd_missing_exec_no_panic=1 serial=3 keepsyms=1 launchd_unsecure_cache=1" \
-initrd '038-83075-083.dmg.out' \
-cpu max -smp 4 \
-m 2G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait
I'm using a MacBook Pro (Intel). Following the sidebar guide, compiling the code is fine, but auto boot gets stuck at apfs: mountroot. How can I fix it?
-------logs-------
L2TP domain init
L2TP domain init complete
Load request for com.apple.nke.pptp failed: -603946998
BSD root: md0, major 3, minor 0
apfs_vfsop_mountroot:2188: apfs: mountroot called!
apfs_vfsop_mount:1745: unable to root from devvp (root_device): 2
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 2
hfs: mounted AzulSeed18A5351d.arm64eCustomerRamDisk on device b(3, 0)
iOS 15.3.1 cannot be restored - unencrypted data volume is not allowed
panic
Kernel is a research kernel
xnu cmdline: -restore kextlog=0xffff debug=0x14e -v rd=md0 launchd_missing_exec_no_panic=1 serial=3 wdt=-1 keepsyms=1 launchd_unsecure_cache=1
IPSW download
root_ticket.der generated with BuildManifest in ipsw and the ticket.shsh2 in qemu-t8030-tools
Host is Debian bullseye Linux 5.15.0-0.bpo.3-amd64 #1 SMP Debian 5.15.15-2~bpo11+1 (2022-02-03) x86_64
qemu-t8030 commit: 42fedc7
boot command:
${HOME}/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=018-92126-069.dmg.trustcache.out,ticket-filename=${HOME}/vm_images/t8030/root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb DeviceTree.n104ap.im4p \
-append "-restore kextlog=0xffff debug=0x14e -v rd=md0 launchd_missing_exec_no_panic=1 serial=3 wdt=-1 keepsyms=1 launchd_unsecure_cache=1" \
-initrd '018-92126-069.dmg.out' \
-cpu max -smp 4 \
-m 2G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait
Serial port output right before panic
entering mount_partition
executing /sbin/mount_apfs -R /dev/disk0s1s2 /mnt2
apfs_mount:26376: disk0s1s2 mount for ramdisk
set_cloneinfo_id_epoch:25743: disk0s1s2 set cloneinfo_id_epoch to 16
apfs_log_mount_unmount:1828: disk0s1s2 mounting volume Data, requested by: mount_apfs (pid 37); parent: restored_externa (pid 6)
handle_mount:654: disk0s1s2 vol-uuid: 61706673-7575-6964-0040-766F6C756D01 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:667: disk0s1s2 setting dev block size to 4096 from 512
nx_volume_group_update:7715: disk0s1s2 Volume Data is not in a volume group
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleARMWatchdogTimer
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
panic(cpu 2 caller 0xfffffff0093c31c8): "unencrypted data volume is not allowed" @apfs_vfsops.c:2357
Debugger message: panic
Memory ID: 0x0
OS release type: Restore
OS version: 19D52
Kernel version: Darwin Kernel Version 21.3.0: Wed Jan 5 21:44:45 PST 2022; root:xnu-8019.80.24~23/RELEASE_ARM64_T8030
Kernel UUID: 5703F07F-AEE8-3207-8205-203C7B11B3C2
iBoot version: qemu-t8030
secure boot?: YES
Paniclog version: 13
Kernel text base: 0xfffffff007004000
mach_absolute_time: 0x8fcb69550
Epoch Time: sec usec
Boot : 0x6228c86d 0x000d892c
Sleep : 0x00000000 0x00000000
Wake : 0x00000000 0x00000000
Calendar: 0x6228ceb3 0x0000edac
Zone info:
Foreign : 0xfffffff0b83dc000 - 0xfffffff0b83ec000
Native : 0xffffffe000588000 - 0xffffffe600588000
Readonly : 0xffffffe0e6bec000 - 0xffffffe1338b0000
Metadata : 0xffffffeb018cc000 - 0xffffffeb05bac000
Bitmaps : 0xffffffeb030cc000 - 0xffffffeb03b28000
CORE 0: PC=0xfffffff007d4dadc, LR=0xfffffff007c77134, FP=0xffffffeb057bbd60
CORE 1: PC=0xfffffff007d4e650, LR=0xfffffff007d4e64c, FP=0xffffffeb0578be80
CORE 2 is the one that panicked. Check the full backtrace for details.
CORE 3: PC=0xfffffff007d4e650, LR=0xfffffff007d4e64c, FP=0xffffffeb10693e80
Panicked task 0xffffffe3006cece8: 658 pages, 1 threads: pid 37: mount_apfs
Panicked thread: 0xffffffe3e6cbb020, backtrace: 0xffffffeb0583a990, tid: 551
lr: 0xfffffff007c08c18 fp: 0xffffffeb0583a9d0
lr: 0xfffffff007c08938 fp: 0xffffffeb0583aa40
lr: 0xfffffff007d5a2cc fp: 0xffffffeb0583aa60
lr: 0xfffffff007d4bae0 fp: 0xffffffeb0583aae0
lr: 0xfffffff007d4a894 fp: 0xffffffeb0583aba0
lr: 0xfffffff00835a610 fp: 0xffffffeb0583abb0
lr: 0xfffffff007c08604 fp: 0xffffffeb0583af40
lr: 0xfffffff007c08604 fp: 0xffffffeb0583afa0
lr: 0xfffffff009cf01a8 fp: 0xffffffeb0583afc0
lr: 0xfffffff0093c31c8 fp: 0xffffffeb0583b890
lr: 0xfffffff007de7ee0 fp: 0xffffffeb0583bb40
lr: 0xfffffff007de9974 fp: 0xffffffeb0583bd70
lr: 0xfffffff007de96bc fp: 0xffffffeb0583bdb0
lr: 0xfffffff0081a8a98 fp: 0xffffffeb0583be50
lr: 0xfffffff007d4a960 fp: 0xffffffeb0583bf10
lr: 0xfffffff00835a610 fp: 0xffffffeb0583bf20
** Stackshot Succeeded ** Bytes Traced 18741 (Uncompressed 50480) **
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleARMWatchdogTimer
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleARMWatchdogTimer
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
Please go to https://panic.apple.com to report this panic
idevicerestore log
┌──(nick㉿kali)-[~]
└─$ idevicerestore -P -d --erase --restore-mode -i 0x1122334455667788 *.ipsw -T root_ticket.der
Using ApTicket found at root_ticket.der length 8931
progress: 0 0.000000
idevice_event_cb: device 1122334455667788 (udid: 00008030-1122334455667788) connected in restore mode
progress: 0 0.100000
Found device in Restore mode
INFO: device serial number is C39ZRMDEN72J
restore_get_irecv_device: Found model N104DEV
progress: 0 0.200000
Identified device as n104ap, iPhone12,1
progress: 0 0.600000
Extracting BuildManifest from IPSW
progress: 0 0.800000
Product Version: 15.3.1
Product Build: 19D52 Major: 19
Device supports Image4: true
Variant: Customer Erase Install (IPSW)
This restore will erase your device data.
################################ [ WARNING ] #################################
# You are about to perform an *ERASE* restore. ALL DATA on the target device #
# will be IRREVERSIBLY DESTROYED. If you want to update your device without #
# erasing the user data, hit CTRL+C now and restart without -e or --erase #
# command line switch. #
# If you want to continue with the ERASE, please type YES and press ENTER. #
##############################################################################
> YES
progress: 1 0.000000
Checking IPSW for required components...
All required components found in IPSW
Using cached filesystem from 'iPhone11,8,iPhone12,1_15.3.1_19D52_Restore/018-91937-063.dmg'
progress: 1 0.200000
progress: 1 0.250000
progress: 1 0.300000
progress: 1 0.500000
progress: 1 0.700000
progress: 1 0.900000
About to restore device...
restore_is_current_device: Connected to com.apple.mobile.restored, version 15
Connecting now...
Connected to com.apple.mobile.restored, version 15
Device 00008030-1122334455667788 has successfully entered restore mode
Hardware Information:
BoardID: 4
ChipID: 32816
UniqueChipID: 1234605616436508552
ProductionMode: false
Starting FDR listener thread
Connecting to FDR client at port 1082
About to do ctrl handshake
FDR sending 89 bytes:
common.c:printing 287 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Command</key>
<string>BeginCtrl</string>
<key>CtrlProtoVersion</key>
<integer>2</integer>
</dict>
</plist>
FDR Sent 89 bytes
FDR Received 105 bytes
common.c:printing 334 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Command</key>
<string>BeginCtrl</string>
<key>CtrlProtoVersion</key>
<integer>2</integer>
<key>ConnPort</key>
<integer>49161</integer>
</dict>
</plist>
Ctrl handshake done (ConnPort = 49161)
FDR 0x56033bcb5bc0 waiting for message...
progress: 1 1.000000
About to send RootTicket...
Sending RootTicket now...
Done sending RootTicket
Waiting for NAND (28)
Updating NAND Firmware (58)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
About to send FDR Trust data...
Sending FDR Trust data now...
Done sending FDR Trust Data
Checking for uncollected logs (44)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Creating partition map (11)
Creating filesystem (12)
About to send filesystem...
Connecting to ASR
Retrying connection...
Received 272 bytes:
common.c:printing 272 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Checksum Chunks</key>
<true/>
<key>Command</key>
<string>Initiate</string>
</dict>
</plist>
Connected to ASR
Validating the filesystem
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
Received 234 bytes:
common.c:printing 234 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Command</key>
<string>Payload</string>
</dict>
</plist>
Filesystem validated
Sending filesystem now...
Done sending filesystem
Verifying restore (14)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Checking filesystems (15)
Checking filesystems (15)
Checking filesystems (15)
Mounting filesystems (16)
Mounting filesystems (16)
Mounting filesystems (16)
Unknown operation (80)
Unhandled progress operation 80 (80)
Sending IsiBootEANFirmware image list
Unhandled progress operation 80 (80)
Sending IsiBootNonEssentialFirmware image list
About to send NORData...
Found firmware path Firmware/all_flash
Getting firmware manifest from build identity
Extracting LLB.n104.RELEASE.im4p (Firmware/all_flash/LLB.n104.RELEASE.im4p)...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
Not personalizing component LLB...
Extracting applelogo@1792~iphone.im4p (Firmware/all_flash/applelogo@1792~iphone.im4p)...
Not personalizing component AppleLogo...
Extracting batterycharging0@1792~iphone.im4p (Firmware/all_flash/batterycharging0@1792~iphone.im4p)...
Not personalizing component BatteryCharging0...
Extracting batterycharging1@1792~iphone.im4p (Firmware/all_flash/batterycharging1@1792~iphone.im4p)...
Not personalizing component BatteryCharging1...
Extracting batteryfull@2x~iphone.im4p (Firmware/all_flash/batteryfull@2x~iphone.im4p)...
Not personalizing component BatteryFull...
Extracting batterylow0@2x~iphone.im4p (Firmware/all_flash/batterylow0@2x~iphone.im4p)...
Not personalizing component BatteryLow0...
Extracting batterylow1@2x~iphone.im4p (Firmware/all_flash/batterylow1@2x~iphone.im4p)...
Not personalizing component BatteryLow1...
Extracting glyphplugin@1792~iphone-lightning.im4p (Firmware/all_flash/glyphplugin@1792~iphone-lightning.im4p)...
Not personalizing component BatteryPlugin...
Extracting DeviceTree.n104ap.im4p (Firmware/all_flash/DeviceTree.n104ap.im4p)...
Not personalizing component DeviceTree...
Extracting lowpowermode@1792~iphone-lightning.im4p (Firmware/all_flash/lowpowermode@1792~iphone-lightning.im4p)...
Not personalizing component LowPowerWallet0...
Extracting lowpowerfindmymode@1792~iphone-lightning.im4p (Firmware/all_flash/lowpowerfindmymode@1792~iphone-lightning.im4p)...
Not personalizing component LowPowerWallet1...
Extracting recoverymode@1792~iphone-lightning.im4p (Firmware/all_flash/recoverymode@1792~iphone-lightning.im4p)...
Not personalizing component RecoveryMode...
Extracting WirelessPower.iphone12b.im4p (Firmware/WirelessPower/WirelessPower.iphone12b.im4p)...
Not personalizing component WCHFirmwareUpdater...
Extracting iBoot.n104.RELEASE.im4p (Firmware/all_flash/iBoot.n104.RELEASE.im4p)...
Not personalizing component iBoot...
Extracting sep-firmware.n104.RELEASE.im4p (Firmware/all_flash/sep-firmware.n104.RELEASE.im4p)...
Not personalizing component RestoreSEP...
Extracting sep-firmware.n104.RELEASE.im4p (Firmware/all_flash/sep-firmware.n104.RELEASE.im4p)...
Not personalizing component SEP...
common.c:supressed printing 27932382 bytes plist...
Sending NORData now...
Done sending NORData
Flashing firmware (18)
progress: 4 1.000000
Unknown operation (80)
Unhandled progress operation 80 (80)
Sending IsEarlyAccessFirmware image list
Unhandled progress operation 80 (80)
Sending IsiBootEANFirmware image list
Unhandled progress operation 80 (80)
Sending IsiBootNonEssentialFirmware image list
Requesting FUD data (36)
progress: 6 0.010000
Found IsFUDFirmware component ANE
Found IsFUDFirmware component AOP
Found IsFUDFirmware component AVE
Found IsFUDFirmware component Ap,HapticAssets
Found IsFUDFirmware component Ap,SystemVolumeCanonicalMetadata
Found IsFUDFirmware component AudioCodecFirmware
Found IsFUDFirmware component GFX
Found IsFUDFirmware component ISP
Found IsFUDFirmware component LeapHaptics
Found IsFUDFirmware component Multitouch
Found IsFUDFirmware component PMP
Found IsFUDFirmware component RestoreTrustCache
Found IsFUDFirmware component SIO
Found IsFUDFirmware component StaticTrustCache
Found IsFUDFirmware component SystemVolume
Sending IsFUDFirmware image list
Extracting h12_ane_fw_metis.im4p (Firmware/ane/h12_ane_fw_metis.im4p)...
Not personalizing component ANE...
Sending IsFUDFirmware for ANE...
progress: 6 0.060000
Extracting aopfw-iphone12baop.im4p (Firmware/AOP/aopfw-iphone12baop.im4p)...
Not personalizing component AOP...
Sending IsFUDFirmware for AOP...
progress: 6 0.130000
Extracting AppleAVE2FW_H12.im4p (Firmware/ave/AppleAVE2FW_H12.im4p)...
Not personalizing component AVE...
Sending IsFUDFirmware for AVE...
progress: 6 0.200000
Extracting N104_HapticAssets.im4p (Firmware/N104_HapticAssets.im4p)...
Not personalizing component Ap,HapticAssets...
Sending IsFUDFirmware for Ap,HapticAssets...
progress: 6 0.260000
Extracting 018-91937-063.dmg.mtree (Firmware/018-91937-063.dmg.mtree)...
Not personalizing component Ap,SystemVolumeCanonicalMetadata...
Sending IsFUDFirmware for Ap,SystemVolumeCanonicalMetadata...
progress: 6 0.330000
Extracting N104_AudioCodecFirmware.im4p (Firmware/N104_AudioCodecFirmware.im4p)...
Not personalizing component AudioCodecFirmware...
Sending IsFUDFirmware for AudioCodecFirmware...
progress: 6 0.400000
Extracting armfw_g12p.im4p (Firmware/agx/armfw_g12p.im4p)...
Not personalizing component GFX...
Sending IsFUDFirmware for GFX...
progress: 6 0.460000
Extracting adc-zelus-n104.im4p (Firmware/isp_bni/adc-zelus-n104.im4p)...
Not personalizing component ISP...
Sending IsFUDFirmware for ISP...
progress: 6 0.530000
Extracting N104_LeapHapticsFirmware.im4p (Firmware/N104_LeapHapticsFirmware.im4p)...
Not personalizing component LeapHaptics...
Sending IsFUDFirmware for LeapHaptics...
progress: 6 0.600000
Extracting N104_Multitouch.im4p (Firmware/N104_Multitouch.im4p)...
Not personalizing component Multitouch...
Sending IsFUDFirmware for Multitouch...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 6 0.660000
Extracting t8030pmp.im4p (Firmware/pmp/t8030pmp.im4p)...
Not personalizing component PMP...
Sending IsFUDFirmware for PMP...
progress: 6 0.730000
Extracting 018-92126-069.dmg.trustcache (Firmware/018-92126-069.dmg.trustcache)...
Not personalizing component RestoreTrustCache...
Sending IsFUDFirmware for RestoreTrustCache...
progress: 6 0.800000
Extracting SmartIOFirmware_ASCv2.im4p (Firmware/SmartIOFirmware_ASCv2.im4p)...
Not personalizing component SIO...
Sending IsFUDFirmware for SIO...
progress: 6 0.860000
Extracting 018-91937-063.dmg.trustcache (Firmware/018-91937-063.dmg.trustcache)...
Not personalizing component StaticTrustCache...
Sending IsFUDFirmware for StaticTrustCache...
progress: 6 0.930000
Extracting 018-91937-063.dmg.root_hash (Firmware/018-91937-063.dmg.root_hash)...
Not personalizing component SystemVolume...
Sending IsFUDFirmware for SystemVolume...
progress: 6 1.000000
Updating gas gauge software (47)
Updating gas gauge software (47)
Updating Stockholm (55)
Requesting FUD data (36)
progress: 6 0.010000
Found IsFUDFirmware component ANE
Found IsFUDFirmware component AOP
Found IsFUDFirmware component AVE
Found IsFUDFirmware component Ap,HapticAssets
Found IsFUDFirmware component Ap,SystemVolumeCanonicalMetadata
Found IsFUDFirmware component AudioCodecFirmware
Found IsFUDFirmware component GFX
Found IsFUDFirmware component ISP
Found IsFUDFirmware component LeapHaptics
Found IsFUDFirmware component Multitouch
Found IsFUDFirmware component PMP
Found IsFUDFirmware component RestoreTrustCache
Found IsFUDFirmware component SIO
Found IsFUDFirmware component StaticTrustCache
Found IsFUDFirmware component SystemVolume
Sending IsFUDFirmware image list
progress: 6 0.060000
progress: 6 0.130000
progress: 6 0.200000
progress: 6 0.260000
Extracting 018-91937-063.dmg.mtree (Firmware/018-91937-063.dmg.mtree)...
Not personalizing component Ap,SystemVolumeCanonicalMetadata...
Sending IsFUDFirmware for Ap,SystemVolumeCanonicalMetadata...
progress: 6 0.330000
progress: 6 0.400000
progress: 6 0.460000
progress: 6 0.530000
progress: 6 0.600000
progress: 6 0.660000
progress: 6 0.730000
Extracting 018-92126-069.dmg.trustcache (Firmware/018-92126-069.dmg.trustcache)...
Not personalizing component RestoreTrustCache...
Sending IsFUDFirmware for RestoreTrustCache...
progress: 6 0.800000
progress: 6 0.860000
progress: 6 0.930000
Extracting 018-91937-063.dmg.root_hash (Firmware/018-91937-063.dmg.root_hash)...
Not personalizing component SystemVolume...
Sending IsFUDFirmware for SystemVolume...
progress: 6 1.000000
Updating Veridian (66)
Unknown operation (79)
Unhandled progress operation 79 (79)
Requesting EAN Data (74)
Creating Protected Volume (67)
ERROR: Could not read data (-256). Aborting.
FDR 0x56033bcb5bc0 terminating...
idevice_event_cb: device 1122334455667788 (udid: 00008030-1122334455667788) disconnected
ERROR: Unable to restore device
I've restored iOS 15.0, edited launchd.plist and added bash.plist to /System/Library/LaunchDaemons; however, bash is not starting. There are no APFS Snapshots to rename.
Boot command:
../qemu-system-aarch64 -s -M t8030,trustcache-filename=15.0/static_tc,ticket-filename=15.0/root_ticket.der -kernel 15.0/kernelcache.research.iphone12b -dtb 15.0/Firmware/all_flash/DeviceTree.n104ap.im4p -append "debug=0x14e kextlog=0xffff serial=3 -v wdt=-1 launchd_unsecure_cache=1" -initrd 15.0/038-42528-639.dmg -cpu max -smp 4 -m 4G -serial mon:stdio -drive file=nvme.1,format=raw,if=none,id=drive.1 -device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.2,format=raw,if=none,id=drive.2 -device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.3,format=raw,if=none,id=drive.3 -device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.4,format=raw,if=none,id=drive.4 -device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 -drive file=nvram,if=none,format=raw,id=nvram -device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.6,format=raw,if=none,id=drive.6 -device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.7,format=raw,if=none,id=drive.7 -device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 -monitor telnet:127.0.0.1:1235,server,nowait
Log:
fastsim_is_enabled:9457: ================ fastsim is enabled ================
apfs_vfsop_mount:2354: mounted volume: Preboot
/dev/disk0s1s4 on /private/preboot (apfs, local, nodev, nosuid, read-only, journaled, noatime, nobrowse)
com.apple.xpc.launchd|2022-04-17 08:16:14.555550 : Doing boot task: data-protection
init_data_protection: No SEP present on this device
com.apple.xpc.launchd|2022-04-17 08:16:14.814353 : Doing boot task: finish-obliteration
Obliterator: In INIT check
IORegistryEntryGetProperty failed, may be does not exist
Obliterator: No obliteration needed, continue booting, returning 0
com.apple.xpc.launchd|2022-04-17 08:16:15.028039 : Doing boot task: commit-boot-mode
com.apple.xpc.launchd|2022-04-17 08:16:15.029260 : boot-mode committed: (null)
com.apple.xpc.launchd|2022-04-17 08:16:15.030008 : Doing boot task: restore-datapartition
com.apple.xpc.launchd|2022-04-17 08:16:15.033256 : restore-datapartition: optional boot task not present
com.apple.xpc.launchd|2022-04-17 08:16:15.046458 : Doing boot task: mount-phase-2
mount: found boot container: /dev/disk0s1, data volume: /dev/disk0s1s2 env: 1
spaceman_metazone_init:191: disk0s1 metazone for device 0 of size 262143 blocks (encrypted: 8126454-8257525 unencrypted: 8257525-8388597)
spaceman_datazone_init:625: disk0s1 allocation zone on dev 0 for allocations of 1 blocks starting at paddr 4096000
spaceman_datazone_init:625: disk0s1 allocation zone on dev 0 for allocations of 2 blocks starting at paddr 32768
spaceman_datazone_init:625: disk0s1 allocation zone on dev 0 for allocations of 3 blocks starting at paddr 65536
spaceman_datazone_init:625: disk0s1 allocation zone on dev 0 for allocations of 4 blocks starting at paddr 98304
dev_dump:256: Aggregate constructed: dev= di=0 dv_num_slice=15 dv_num_slice_blk=589824 dv_num_lslice_blk=131061
migrate_media_keys_if_needed:1254: disk0s1 no media keys to migrate
spaceman_scan_free_blocks:3171: disk0s1 scan took 0.015712 s (no trims)
mount: failed to migrate Media Keys, error = c002
handle_mount:654: disk0s1s2 vol-uuid: 61706673-7575-6964-0040-766F6C756D01 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:667: disk0s1s2 setting dev block size to 4096 from 512
nx_volume_group_update:7713: disk0s1s2 Volume Data is not in a volume group
fastsim_is_enabled:9457: ================ fastsim is enabled ================
apfs_vfsop_mount:2354: mounted volume: Data
/dev/disk0s1s2 on /private/var (apfs, local, nodev, nosuid, journaled, noatime)
handle_mount:654: disk0s1s5 vol-uuid: E3918FE6-47D6-43AD-9A10-058CDC596EB4 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:667: disk0s1s5 setting dev block size to 4096 from 512
nx_volume_group_update:7707: disk0s1s5 Volume Update role c0 Not a System or data volume
fastsim_is_enabled:9457: ================ fastsim is enabled ================
apfs_vfsop_mount:2354: mounted volume: Update
/dev/disk0s1s5 on /private/var/MobileSoftwareUpdate (apfs, local, nodev, nosuid, journaled, noatime, nobrowse)
handle_mount:654: disk0s1s3 vol-uuid: 61706673-7575-6964-0140-766F6C756D02 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:667: disk0s1s3 setting dev block size to 4096 from 512
nx_volume_group_update:7707: disk0s1s3 Volume Hardware role 140 Not a System or data volume
fastsim_is_enabled:9457: ================ fastsim is enabled ================
apfs_vfsop_mount:2354: mounted volume: Hardware
/dev/disk0s1s3 on /private/var/hardware (apfs, local, nodev, nosuid, journaled, noatime, nobrowse)
com.apple.xpc.launchd|2022-04-17 01:16:16.033083 : Doing boot task: init-with-data-volume
com.apple.xpc.launchd|2022-04-17 01:16:16.095901 : Doing boot task: MSUEarlyBootTask
spaceman_scan_free_blocks:3153: disk0s1 scan took 1.025618 s, trims took 0.983285 s
spaceman_scan_free_blocks:3155: disk0s1 6089571 blocks free in 17906 extents
spaceman_scan_free_blocks:3163: disk0s1 6089571 blocks trimmed in 17906 extents (54 us/trim, 18210 trims/s)
spaceman_scan_free_blocks:3166: disk0s1 trim distribution 1:12171 2+:1962 4+:2516 16+:796 64+:310 256+:151
MSUEarlyBootTask: MSUEarlyBootTask running
main: Content from the ramdisk will be present at /private/var/MobileSoftwareUpdate//2b906ac48e7b89aa76bdc77cf2eb46a52a5cfc4d863d676f515d4c2a3fcd87c5203e5dc133c771fde7038ea4513d4dd6-MSUData if it exists
MSUEarlyBootTask: I have nothing to do. Goodbye!!
com.apple.xpc.launchd|2022-04-17 01:16:16.328821 : Doing boot task: fips
Tracing: disabled
FIPSPOST_USER [270726780] fipspost_post:155: [FIPSPOST][Module-ID] Apple corecrypto Module v12.0 [Apple ARM, User, Software, SL1]
FIPSPOST_USER [270839121] fipspost_post:165: PASSED: (4 ms) - fipspost_post_hmac
FIPSPOST_USER [271036682] fipspost_post:166: PASSED: (12 ms) - fipspost_post_integrity
FIPSPOST_USER [271068000] fipspost_post:172: PASSED: (14 ms) - fipspost_post_indicator
FIPSPOST_USER [271078926] fipspost_post:173: PASSED: (14 ms) - fipspost_post_aes_ecb
FIPSPOST_USER [271088853] fipspost_post:174: PASSED: (15 ms) - fipspost_post_aes_cbc
FIPSPOST_USER [271452097] fipspost_post:175: PASSED: (30 ms) - fipspost_post_rsa_sig
FIPSPOST_USER [272340780] fipspost_post:176: PASSED: (67 ms) - fipspost_post_ecdsa
FIPSPOST_USER [272388121] fipspost_post:177: PASSED: (69 ms) - fipspost_post_ecdh
FIPSPOST_USER [272413658] fipspost_post:178: PASSED: (70 ms) - fipspost_post_aes_ccm
FIPSPOST_USER [272428439] fipspost_post:179: PASSED: (70 ms) - fipspost_post_aes_cmac
FIPSPOST_USER [272438097] fipspost_post:180: PASSED: (71 ms) - fipspost_post_hkdf
FIPSPOST_USER [272933219] fipspost_post:182: PASSED: (91 ms) - fipspost_post_pbkdf
FIPSPOST_USER [272942512] fipspost_post:183: PASSED: (92 ms) - fipspost_post_kdf_ctr
FIPSPOST_USER [272960731] fipspost_post:184: PASSED: (93 ms) - fipspost_post_aes_gcm
FIPSPOST_USER [272973585] fipspost_post:185: PASSED: (93 ms) - fipspost_post_aes_xts
FIPSPOST_USER [273002609] fipspost_post:186: PASSED: (94 ms) - fipspost_post_tdes_ecb
FIPSPOST_USER [273011609] fipspost_post:187: PASSED: (95 ms) - fipspost_post_drbg_ctr
FIPSPOST_USER [273026219] fipspost_post:188: PASSED: (95 ms) - fipspost_post_drbg_hmac
FIPSPOST_USER [282071512] fipspost_post:190: PASSED: (472 ms) - fipspost_post_ffdh
FIPSPOST_USER [282638439] fipspost_post:191: PASSED: (496 ms) - fipspost_post_rsa_enc_dec
FIPSPOST_USER [282641804] fipspost_post:210: all tests PASSED (496 ms)
com.apple.xpc.launchd|2022-04-17 01:16:16.953443 : Doing boot task: keybag
****** DIAGNOSTICS MODE ENABLED, SKIP INIT ****
com.apple.xpc.launchd|2022-04-17 01:16:17.201197 : Doing boot task: usermanagerd
com.apple.xpc.launchd|2022-04-17 01:16:17.203375 : usermanagerd: optional boot task not present
com.apple.xpc.launchd|2022-04-17 01:16:17.228387 : launchd logging initialized. name: com.apple.xpc.launchd pid: 1
com.apple.xpc.launchd|2022-04-17 01:16:17.248288 : Doing boot task: xpcroleaccountd
com.apple.xpc.launchd|2022-04-17 01:16:17.385264 : Doing boot task: init_featureflags
com.apple.xpc.launchd|2022-04-17 01:16:17.902870 : Doing boot task: fud
fud: Early Boot
fud: -FudEarlyBoot doFUDEarlyBoot:: Starting Early Boot
fud: No Early Boot Accessories
fud: -FudEarlyBoot doFUDEarlyBoot:: End Early Boot
fud: Exitng Early Boot
com.apple.xpc.launchd|2022-04-17 01:16:18.438675 : Doing boot task: tzinit
com.apple.xpc.launchd|2022-04-17 01:16:18.574303 : Doing boot task: finish-restore
com.apple.xpc.launchd|2022-04-17 01:16:18.697320 : Doing boot task: finish-demo-restore
com.apple.xpc.launchd|2022-04-17 01:16:18.821920 : Doing boot task: sysstatuscheck
com.apple.xpc.launchd|2022-04-17 01:16:18.947177 : Doing boot task: prng_seedctl
kern.prng.user_reseed_count: (-1) (2) No such file or directory
failed to load virtual random: (-147) (-536870212)
com.apple.xpc.launchd|2022-04-17 01:16:19.088041 : Doing boot task: launchd_cache_loader
0 Found valid port: 2307 Valid: 1
1 Found valid port: 0 Valid: 0
2 Found valid port: 0 Valid: 0
Using default cache paths
Code: /System/Library/xpc/launchd.plist Sig: /System/Library/xpc/launchd.plist.sig
Using unsecure cache: /System/Library/xpc/launchd.plist
Trying to send bytes to launchd: 2307 16384
Sending validated cache to launchd
Cache sent to launchd successfully
com.apple.xpc.launchd|2022-04-17 01:16:19.388631 : launchd UUID: D1C385F5-82FE-32CD-9F8F-2C4A3A640895
com.apple.xpc.launchd|2022-04-17 01:16:19.388733 : Early boot complete. Continuing system boot.
000021.115717 AppleOLYHAL_log.A[1] AppleOLYHALPortInterfacePCIeAMFM::initWithProvider: amfm not matched
000021.122704 wlan0.A[4] deferredStart@2734: Lowered adjustBusy(-1), getBusyState() -> 4
glib seems to be required to compile QEMU, it might be good to add glib to the brew install command in the Bringing up the emulator guide.
In the Getting precompiled system binaries section, wget is also used. It will be great to add wget into the brew install command too.
I am booting the emulator with the auto boot instructions but not getting shell access. This is the log of running it:
AppleUSBDeviceMux build: Aug 12 2020 22:50:42
000042.269962 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_registerFunction: register function AppleUSBMux
IOAccessoryPortUSB::start
AppleUSBEthernetDevice::start: no device-mac-address present
000042.274005 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_registerFunction: register function AppleUSBNCMControl
000042.274572 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_registerFunction: register function IapOverUsbHid
000042.282476 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_registerFunction: register function AppleUSBNCMData
000042.295219 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_registerFunction: register function PTP
000042.295823 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_registerFunction: register function Valeria
000042.296267 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::startUSBStack: starting usb stack
qemu-system-aarch64: usb_tcp_host_attach: failed to connect to server: -1
apfs_is_valid_class:2253: rejecting class open (class 2) because we're not content protected
handle_mount:627: vol-uuid: FE08F35A-6B73-4D6B-A39A-B83D81136524 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.12)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6634: Volume System is not in a volume group
apfs_vfsop_mount:2171: disk0s1s1:0 mounted volume: System
handle_revert_to_snapshot:5195: On next mount, volume will revert to snapshot 'com.apple.os.update-5118EA8F39FF61D152BA7E1F92591910CDE7A2B09B867D8D58DC37E2CDC0B7C98DD296D4BF57862D143413DD17012D70' w/snap xid 133
apfs_stop_bg_work:1028: disk0s1s1:0 Volume System is unmounting, stop any bg work
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'System'
apfs: total mem allocated: 11952394 (11 mb);
apfs_vfsop_unmount:2682: all done. going home. (numMountedAPFSVolumes 5)
tx_flush:1075: disk0s1 xid 242 tx stats: # 20 finish 20 enter 775 wait 1 3033us close 2317us flush 8062us
revert_to_snapshot:1260: Reverting to snapshot w/xid 133 and old sblock oid 8259547.
revert_extents_to_snapshot:1093: free'ing extents in main extentref tree 8257579
free_allocated_snapshot_extents:1008: processed 0 extents and free'd 0 blocks
obj_cache_remove_reverted_fs_objects:1547: disk0s1s1:0 removing reverted fs objects for fs 1026: 134 - 244
revert_to_snapshot:1336: DONE reverting to snapshot w/xid 133
handle_mount:627: vol-uuid: FE08F35A-6B73-4D6B-A39A-B83D81136524 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.12)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6634: Volume System is not in a volume group
apfs_vfsop_mount:2171: disk0s1s1:0 mounted volume: System
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'System'
apfs: total mem allocated: 12886655 (12 mb);
apfs_vfsop_unmount:2682: all done. going home. (numMountedAPFSVolumes 5)
static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Process 163 is checking if a cdhash is in the trust cache
static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Returning IOReturn 0x0 to process 163
ls
tx_flush:1075: disk0s1 xid 262 tx stats: # 40 finish 40 enter 3141 wait 6 2470us close 1664us flush 13359us
ls
tx_flush:1075: disk0s1 xid 282 tx stats: # 60 finish 60 enter 2155 wait 6 2470us close 1219us flush 19586us
The emulated device will not load bash, even after adding setup-ios/launchd.plist and setup-ios/bash.plist to the filesystem.
Boot command:
../qemu-system-aarch64 -s -M t8030,trustcache-filename=static_tc,ticket-filename=root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb Firmware/all_flash/DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v launchd_insecure_cache=1 wdt=-1" \
-initrd 038-44087-125.dmg.out \
-cpu max -smp 1 \
-m 4G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096
I think the problem is pretty simple to fix, but the command I typed (copy and pasted from the wiki) seems to be correct, but after I've mounted disk.1 (aka. /Volumes/AzulSeed18A5351d.N104N841DeveloperOS), it says that it's read-only, and I can't do anything on the disk.
I'm on a clear install of Big Sur 11.3.1, so it shouldn't be the problem.
example of the issue:
/System/Volumes/Data/SWE/macOS/BuildRoots/2288acc43c/Library/Caches/com.apple.xbs/Sources/AppleFSCompression_executables/AppleFSCompression-125/Libraries/CompressData/CompressData.c:211: chflags /Volumes/AzulSeed18A5351d.N104N841DeveloperOS/System/Library/AccessibilityBundles/SoundsAndHapticsSettings.axbundle/es_419.lproj/Accessibility.strings: Read-only file system (this happens when running sudo afscexpand /Volumes/AzulSeed18A5351d.N104N841DeveloperOS, but also trying to write something into the disk fails obv)
You've mentioned that the ramdisk should be decompressed before being used. That seems to be correct - booting from a ramdisk with compressed files gives the following error:
BSD root: md0, major 3, minor 0
apfs_vfsop_mountroot:2214: apfs: mountroot called!
apfs_vfsop_mount:1777: unable to root from devvp <ptr> (root_device): 2
apfs_vfsop_mountroot:2218: apfs: mountroot failed, error: 2
hfs: mounted AzulD18D52.arm64eCustomerRamDisk on device b(3, 0)
/Library/Caches/com.apple.xbs/Sources/AppleFSCompression/AppleFSCompression-125/Common/ChunkCompression.cpp:604: /usr/lib/dyld: invalid zlib header
Attempting to forcibly halt cpu 1
cpu 1 failed to halt with error -5: halt not supported for this configuration
Debugger synchronization timed out; waited 10000000 nanoseconds
IOPlatformPanicAction -> AppleT8030PMGR
Kernel data abort. at pc 0xfffffff008bcad2c, lr 0xfffffff008bcad24 (saved state: 0xffffffe8162a3040)
x0: 0x0000000000000000 x1: 0x0000000000000014 x2: 0x0000000000000000 x3: 0x0000000000000000
x4: 0x0000000000000062 x5: 0x000000023b040000 x6: 0xffffffe8008b1d80 x7: 0x0988fff0078f14f0
x8: 0xffffffe80ec58048 x9: 0x0000000000000028 x10: 0x00000000fffd8000 x11: 0xffffffe4ce1511d0
x12: 0x000000007fffffff x13: 0x00000000ffffffff x14: 0x0000000000000000 x15: 0x0000000000000010
x16: 0xfffffff0078f1148 x17: 0xfffffff0078f1148 x18: 0x0000000000000001 x19: 0xffffffe800890000
x20: 0x0000000000088000 x21: 0xffffffe8008b23a0 x22: 0xcda1ffe800890000 x23: 0x000000023b084000
x24: 0x0000000000084000 x25: 0x000000023d284000 x26: 0x0000000000000001 x27: 0xfffffff13630e910
x28: 0xfffffff009aa8000 fp: 0xffffffe8162a33d0 lr: 0xfffffff008bcad24 sp: 0xffffffe8162a3390
pc: 0xfffffff008bcad2c cpsr: 0x204003c4 esr: 0x96000010 far: 0xffffffe80ec58048
panic(cpu 4 caller 0xfffffff007ec6e40): unexpected SIGKILL of init with reason -- namespace 9 code 0x1 description none
I find the /Library/Caches/com.apple.xbs/Sources/AppleFSCompression/AppleFSCompression-125/Common/ChunkCompression.cpp:604: /usr/lib/dyld: invalid zlib header error odd.
Do you have any idea why this is raised / how this can be troubleshot? I know there are versions of zlib which are heavily optimized for ARM. Could it be an error in the ARM translation which causes the zlib library to fail?
qemu-t8030 commit: 617fa85c2161e765b39ca32d4c9a7bafa3fce87d
QEMU command line: qemu-system-aarch64 -s -M t8030,trustcache-filename=Firmware/038-44135-124.dmg.trustcache,ticket-filename=root_ticket.der -kernel kernelcache.research.iphone12b -dtb Firmware/all_flash/DeviceTree.n104ap.im4p -append "wdt=-1 debug=0x14e kextlog=0xffff serial=3 -v" -initrd 038-44135-124.dmg -cpu max -smp 4 -m 4G -serial mon:stdio -drive file=nvme.1,format=raw,if=none,id=drive.1 -device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.2,format=raw,if=none,id=drive.2 -device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.3,format=raw,if=none,id=drive.3 -device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.4,format=raw,if=none,id=drive.4 -device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 -drive file=nvram,if=none,format=raw,id=nvram -device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.6,format=raw,if=none,id=drive.6 -device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.7,format=raw,if=none,id=drive.7 -device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 -monitor telnet:127.0.0.1:1235,server,nowait
Boot log:
Loading iOS 14.0...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00a4cd4f0
KPF: found apfs_vfsop_mount
KPF: found handle_eval_rootauth
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: Found lookup_in_trust_cache_module @ 0xfffffff007b5d71c
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Routine)
kpf_amfi_callback: Found lookup_in_static_trust_cache @ 0xfffffff0097edcb8
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
Qemu FB realize
g_virt_base: 0xfffffff018000000
g_phys_base: 0x0000000802000000
slide_virt: 0x0000000015c00000
slide_phys: 0x0000000001c00000
entry: 0x0000000807d204e8
boot_mode: 0
auto-boot=true
cmdline: [wdt=-1 debug=0x14e kextlog=0xffff serial=3 -v]
VNC server running on 127.0.0.1:5900
iBoot version: qemu-t8030
Darwin Image4 Validator Version 3.0.0: Wed Aug 12 22:19:21 PDT 2020; root:AppleImage4-106.0.4.0.1~129/AppleImage4/RELEASE_ARM64E
AMFI is running in RESEARCH mode!
AUC:[0xffffffe19b864390]::init(0xffffffe19b895e78)
AUC:[0xffffffe19b864390]::probe(0xffffffe19b62df40, 0xffffffe807d93dac)
AppleCredentialManager: init: called, instance = <ptr>.
ACMFirstResponderKernelService: init: called, .
ACMRM-S: init: called, starting PersistentStore service.
ACMRM-C: init: called, starting AccessoryCache service.
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache size = 16 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache expiration = 2592000 (default).
ACMRM: init: called, starting TRM service.
ACMRM-A: init: called, starting TRM Analytics service.
ACMKernelService: initValueFromBootArgAliasesUInt32: analytics collection period = 86400 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: policy mode timeout = 259200 (default).
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: (bounded) grace period timeout = 3600 (default).
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: enabled = 1 (default).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO* BtArg=NO LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO* LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _loadDisabledByOSEnvironment: disabled by OSEnvironment: NO.
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO LegHW=NO OSEnv=NO* | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200.
ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(n=1) while DISABLED, TRM: 259200 -/ff 4294967295 -/ff miss=ff (CUR: 259200 -/ff 4294967295 -/ff).
AppleCredentialManager: init: returning, result = true, instance = <ptr>.
AppleARMBootPerf: Error: profile region not found (2)
AppleARMBootPerf: Error: failed to publish profile data (2)
virtual bool CoreAnalyticsHub::start(IOService *)::105:CoreAnalyticsHub start
virtual bool AppleARMLightEmUp::start(IOService *): starting...
AppleSSE::start called
AppleSSE::start returning, result = 1
AUC:[0xffffffe19b864390]::start(0xffffffe19b62df40)
AppleInterruptController::start: Num Shared Timestamps == 0
AppleS5L8940XI2CController::start: i2c1 this: <ptr> _i2cBaseAddress: <ptr>
AppleS5L8940XI2CController::start: i2c2 this: <ptr> _i2cBaseAddress: <ptr>
AppleSEPKeyStore:321:0: starting (BUILT: Aug 12 2020 22:51:30)
AppleSEPKeyStore:545:0: _sep_enabled = 1
AppleCredentialManager: start: called, instance = <ptr>.
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleS5L8960XUSBPhy::start: hsic disabled
AppleCredentialManager: start: initializing power management, instance = <ptr>.
AppleCredentialManager: start: started, instance = <ptr>.
AppleCredentialManager: start: returning, result = true, instance = <ptr>.
AppleS8000AES::start: registers at phys:0x0x235008000/0x0x23d2d0000 virt:0x<ptr>/0x0x4000 / 0x<ptr>/0x0x4000
000012.449209 wlan0.A[1] start@968:Default options property found with value 4
AppleS5L8940XI2CController::start: i2c0 this: <ptr> _i2cBaseAddress: <ptr>
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
Creating an object of AppleBCMWLANPlatformFunctionEmbeddedAMFM class
000012.856236 wlan0.A[2] start@1401: Raised adjustBusy(+1), getBusyState() -> 1
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleS5L8940XI2CController::start: i2c3 this: <ptr> _i2cBaseAddress: <ptr>
AppleS5L8940XI2CController::start: smc-i2c1 this: <ptr> _i2cBaseAddress: <ptr>
AppleS5L8940XI2CController::start: smc-i2c0 this: <ptr> _i2cBaseAddress: <ptr>
000013.085061 wlan0.A[3] start@1403:Setting up notifier for CoreAnalyticsHub
000013.129032 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::prepareDefaults: model iPhone version 12.1
Identified Serial Port uart7 at 0x23521c000(<ptr>)
Identified Serial Port uart0 at 0x235200000(<ptr>)
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>
RTBuddy(SMC): start(<ptr>) - (Aug 12 2020@22:50:37)
RTBuddy(ANS2): start(<ptr>) - (Aug 12 2020@22:50:37)
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>
RTBuddy(SIO): start(<ptr>) - (Aug 12 2020@22:50:37)
RTBuddy(SMC): Boot args override: wdt = -1
RTBuddy(ANS2): Boot args override: wdt = -1
000013.738421 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
RTBuddy(SIO): Boot args override: wdt = -1
RTBuddy(SMC): Resuming...
LPM: Log data is NOT valid. 0x0 0x0
AppleDialogSPMIPMU::start: Primary PMU detected
RTBuddy(ANS2): Resuming...
Starting AppleSMC kext(<ptr>) - (Aug 12 2020@22:51:44)
000014.070541 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
virtual IOService *AppleANS2NVMeController::probe(IOService *, SInt32 *)::194:Found (ANS2) provider, returning score 100000
AppleARMRTC started!#####
AppleSMCEmbedded::setPowerState(): ENTER powerStateOrdinal=1, _activeKeyCommand=0 newState=1
virtual bool AppleANS2NVMeController::start(IOService *)::394:Found the ANS2Endpoint1
bool AppleEmbeddedNVMeController::SetNamespacesStruct()::186:Obtained 7 namespaces from DT
virtual IOFilterInterruptEventSource *AppleANS2NVMeController::CreateDeviceInterrupt(IOInterruptEventSource::Action, IOFilterInterruptEventSource::Filter, IOService *)::2719:ANS2 NVMe interrupt index - 0x4
AppleDialogSPMIPMURTC started!******
Failed to read info-leg_scrpadAppleDialogSPMIPMURTC tick read!&&&&&&&
AppleDialogSPMIPMURTC ending!%%%
AppleARMRTC registering service!@@@@@@
/Library/Caches/com.apple.xbs/Sources/AppleSMC/AppleSMC-589.0.5/AppleSMCEmbeddedCharger/AppleSMCCharger.cpp:408 _setPowerStateGated() ENTER powerStateOrdinal=1, _powerState=1
AppleARMRTC service registered!$$$$$
AppleARMRTC publishing service!^^^^^^
apfs_module_start:2411: load: com.apple.filesystems.apfs, v1677.0.5, apfs-1677.0.5, 2020/08/12
com.apple.AppleFSCompressionTypeZlib kmod start
apfs_sysctl_register:1253: done registering sysctls.
com.apple.AppleFSCompressionTypeZlib load succeeded
L2TP domain init
L2TP domain init complete
Load request for com.apple.nke.pptp failed: -603946998
Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOMedia</string><key>IOPropertyMatch</key><dict ID="2"><key>Partition ID</key><integer size="64" ID="3">0x1</integer></dict></dict>
virtual IANS2: MMIO write to unknown vendor register, offset=0x1210 value=0x240024, returning
ANS2: MMIO write to unknown vendor register, offset=0x24004 value=0x1000, returning
ANS2: MMIO write to unknown vendor register, offset=0x24008 value=0x0, returning
ANS2: MMIO write to unknown vendor register, offset=0x24118 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24108 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24420 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24414 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x2441c value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24418 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24144 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24524 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24508 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24504 value=0x10002, returning
OReturn IONVMeController::CreateSubmisANS2: MMIO write to unknown vendor register, offset=0x1304 value=0x0, returning
sionQueue(uint16_t, uint8_t)::2886:SQ index=0 entrysize=64
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=1 entrysize=128
virtual void AppleANS2NVMeController::SetModeselRegister(uint32_t)::1186:Setting modesel to 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1964:nvme: Vendor ID : 0x1b36
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1965:nvme: Model Number : QEMU NVMe Ctrl
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1966:nvme: Serial Number : QEMUT8030ANS
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1967:nvme: Firmware Rev : 1.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2000:nvme: S3E A0 Invalid 1x slc 1D 0 plane 128GB NAND
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2009:ECCVersion : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2010:FTL Rev : 0.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2011:DM_Version : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2012:=======================
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2019:Found 16 namespaces in current NAND
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[1] as nstype[1]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[2] as nstype[2]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[3] as nstype[3]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[4] as nstype[4]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[5] as nstype[5]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[6] as nstype[6]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[7] as nstype[8]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[8] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[9] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[10] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[11] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[12] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[13] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[14] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[15] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[16] as nstype[0]
bool AppleEmbeddedNVMeController::SetSwapWriteLimit(uint32_t)::2192: Swap limit set to 2147483648bytes, 2GB
uint32_t AppleEmbeddedNVMeNVRAM::GetNVRAMSize()::745:NVRAM size is 8192 bytes
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1578:allocateAll 1
dev_init:297: disk0 device accelerated crypto: 0 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0 device_handle block size 4096 block count 2097141 features 0 internal
nx_kernel_mount:1134: disk0 initializing cache w/hash_size 4096 and cache size 10064
nx_kernel_mount:1402: disk0 checkpoint search: largest xid 174, best xid 174 @ 7
nx_kernel_mount:1404: disk0 reloading after unclean unmount, checkpoint xid 174, superblock xid 163
import_iboot_forwarded_roothash:2577: importing root hash ...
apfs_extract_root_hash_arm:10001: could not retrieve system-volume-auth-blob from device tree
import_iboot_forwarded_roothash:2580: apfs_extract_root_hash_and_manifest failed with error: No such file or directory (2)
Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOGUIDPartitionScheme/Container@1
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 2, NSTYPE - 2
BSD root: disk0s1, major 1, minor 1
apfs_vfsop_mountroot:2188: apfs: mountroot called!
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 3, NSTYPE - 3
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 4096 block count 2097141 features 22 internal solidstate
nx_kernel_mount:1134: disk0s1 initializing cache w/hash_size 4096 and cache size 10064
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 6, NSTYPE - 6
[effaceable:ERR ] unable to find content
[effaceable:INIT] started
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 7, NSTYPE - 8
virtual IOReturn AppleNVMeNamespaceDevice::GetDeviceProperties()::269: Logical Blocks Size = 4096
virtual IOReturn AppleNVMeNamespaceDevice::GetDeviceProperties()::272: Block Count = 256
virtual bool AppleNVMeNamespaceDevice::start(IOService *)::111:NVMe Namespace Device registration done for NSID: 7, NSTYPE: 8
virtual bool AppleEmbeddedNVMeController::StartController()::1547:Setting NAND status to Ready
nx_kernel_mount:1402: disk0s1 checkpoint search: largest xid 174, best xid 174 @ 7
nx_kernel_mount:1404: disk0s1 reloading after unclean unmount, checkpoint xid 174, superblock xid 163
apfs_vfsop_mount:1848: Promoter has been locked for disk0s1
apfs_vfsop_mount:1998: disk0s1s1:0 Rooting from snapshot with xid 159.
handle_snapshot_mount:844: mounting snapshot w/snap_xid 159 and sblock oid 0x1f0006
handle_snapshot_mount:1000: setting dev block size to 4096 from 512
handle_mount:627: vol-uuid: DB5E5127-915A-4F0E-9BF6-1C49E3FB4851 block size: 4096 block count: 2097141 (unencrypted; flags: 0x1; features: 8.0.12)
nx_volume_group_update:6634: Volume com.apple.os.update-5118EA8F39FF61D152BA7E1F92591910CDE7A2B09B867D8D58DC37E2CDC0B7C98DD296D4BF57862D143413DD17012D70 is not in a volume group
apfs_vfsop_mount:2171: disk0s1s1:0 mounted volume: System
dyld: setting comm page to 0x0
Sat May 21 11:27:50 2022 com.apple.xpc.launchd[1] <Notice>: hello
Darwin Bootstrapper Version 7.0.0: Mon Aug 10 04:09:14 PDT 2020; root:libxpc_executables-2038.0.13~13/launchd/RELEASE_ARM64E
boot-args = wdt=-1 debug=0x14e kextlog=0xffff serial=3 -v
Sat May 21 11:27:50 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Notice>: entering ondemand mode
Sat May 21 11:27:50 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: fsck
000032.975537 wlan0.A[4] initWithProvider@120:amfm not matched
000033.160367 wlan0.A[5] deferredStart@1730: Lowered adjustBusy(-1), getBusyState() -> 4
** Checking the container superblock.
** Checking the object map.
** Checking volume.
** Checking the APFS volume superblock.
** The volume System was formatted by newfs_apfs (945.200.129.100.10) and last modified by apfs_kext (1677.0.5).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Data was formatted by newfs_apfs (1677.0.5) and last modified by apfs_kext (1677.0.5).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Hardware was formatted by newfs_apfs (1677.0.5) and last modified by apfs_kext (1677.0.5).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Preboot was formatted by newfs_apfs (1677.0.5) and last modified by apfs_kext (1677.0.5).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Update was formatted by newfs_apfs (1677.0.5) and last modified by apfs_kext (1677.0.5).
** QUICKCHECK ONLY; FILESYSTEM CLEAN
Sat May 21 11:28:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: mount-phase-1
mount: found boot container: /dev/disk0s1, data volume: /dev/disk0s1s2 env: 1
com.apple.os.update-5118EA8F39FF61D152BA7E1F92591910CDE7A2B09B867D8D58DC37E2CDC0B7C98DD296D4BF57862D143413DD17012D70@/dev/disk0s1s1 on / (apfs, local, nosuid, read-only, journaled, noatime)
handle_mount:627: vol-uuid: F5DEACDF-4954-4120-BAF2-7E092DD4E684 block size: 4096 block count: 2097141 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6628: Volume Preboot role 10 Not a System or data volume
apfs_vfsop_mount:2171: disk0s1s4:0 mounted volume: Preboot
/dev/disk0s1s4 on /private/preboot (apfs, local, nodev, nosuid, read-only, journaled, noatime, nobrowse)
Sat May 21 11:28:07 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: data-protection
init_data_protection: No SEP present on this device
Sat May 21 11:28:08 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: finish-obliteration
Obliterator: In INIT check
IORegistryEntryGetProperty failed, may be does not exist
Obliterator: No obliteration needed, continue booting, returning 0
Sat May 21 11:28:09 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: commit-boot-mode
Sat May 21 11:28:09 2022 localhost com.apple.xpc.launchd[1] <Notice>: boot-mode committed: (null)
Sat May 21 11:28:09 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: restore-datapartition
Sat May 21 11:28:09 2022 localhost com.apple.xpc.launchd[1] <Notice>: restore-datapartition: optional boot task not present
Sat May 21 11:28:09 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: mount-phase-2
mount: found boot container: /dev/disk0s1, data volume: /dev/disk0s1s2 env: 1
spaceman_metazone_init:189: disk0s1 metazone for device 0 of size 131072 blocks (encrypted: 1966069-2031605 unencrypted: 2031605-2097141)
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 1 blocks starting at paddr 32768
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 2 blocks starting at paddr 65536
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 3 blocks starting at paddr 98304
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 4 blocks starting at paddr 131072
dev_dump:256: Aggregate constructed: dev=<ptr> di=0 dv_num_slice=8 dv_num_slice_blk=262144 dv_num_lslice_blk=262133
migrate_media_keys_if_needed:1206: no media keys to migrate for container = disk0s1
mount: failed to migrate Media Keys, error = c002
spaceman_trim_free_blocks:3361: disk0s1 scan took 2.034399 s, trims took 0.295646 s
spaceman_trim_free_blocks:3369: disk0s1 245561 blocks free in 322 extents
spaceman_trim_free_blocks:3377: disk0s1 245561 blocks trimmed in 322 extents (918 us/trim, 1089 trims/s)
spaceman_trim_free_blocks:3380: disk0s1 trim distribution 1:198 2+:97 4+:15 16+:4 64+:0 256+:8
handle_mount:627: vol-uuid: 946E93CE-C991-4E1A-B650-7685AF0B9095 block size: 4096 block count: 2097141 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6634: Volume Data is not in a volume group
apfs_vfsop_mount:2171: disk0s1s2:0 mounted volume: Data
/dev/disk0s1s2 on /private/var (apfs, local, nodev, nosuid, journaled, noatime)
handle_mount:627: vol-uuid: 180F6F92-F4A0-4E37-9B94-D2E6CB4607D9 block size: 4096 block count: 2097141 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6628: Volume Update role c0 Not a System or data volume
apfs_vfsop_mount:2171: disk0s1s5:0 mounted volume: Update
/dev/disk0s1s5 on /private/var/MobileSoftwareUpdate (apfs, local, nodev, nosuid, journaled, noatime, nobrowse)
handle_mount:627: vol-uuid: 521EEEEA-7A6E-4FD6-B067-55BBA3533710 block size: 4096 block count: 2097141 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6628: Volume Hardware role 140 Not a System or data volume
apfs_vfsop_mount:2171: disk0s1s3:0 mounted volume: Hardware
/dev/disk0s1s3 on /private/var/hardware (apfs, local, nodev, nosuid, journaled, noatime, nobrowse)
Sat May 21 04:28:24 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: init-with-data-volume
Sat May 21 04:28:26 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: MSUEarlyBootTask
main: MSUEarlyBootTask running
main: Content from the ramdisk will be present at /private/var/MobileSoftwareUpdate/5118ea8f39ff61d152ba7e1f92591910cde7a2b09b867d8d58dc37e2cdc0b7c98dd296d4bf57862d143413dd17012d70-MSUData if it exists
MSUEarlyBootTask: I have nothing to do. Goodbye!!
Sat May 21 04:28:31 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: fips
Tracing: disabled
FIPSPOST_USER [1557131414] fipspost_post:158: PASSED: (89 ms) - fipspost_post_integrity
FIPSPOST_USER [1558100585] fipspost_post:164: PASSED: (11 ms) - fipspost_post_hmac
FIPSPOST_USER [1558759941] fipspost_post:165: PASSED: (10 ms) - fipspost_post_aes_ecb
FIPSPOST_USER [1561097014] fipspost_post:166: PASSED: (2 ms) - fipspost_post_aes_cbc
FIPSPOST_USER [1564188582] fipspost_post:167: PASSED: (114 ms) - fipspost_post_rsa_sig
FIPSPOST_USER [1567310180] fipspost_post:168: PASSED: (86 ms) - fipspost_post_ecdsa
FIPSPOST_USER [1572905885] fipspost_post:169: PASSED: (91 ms) - fipspost_post_ecdh
FIPSPOST_USER [1578096036] fipspost_post:170: PASSED: (74 ms) - fipspost_post_drbg_ctr
FIPSPOST_USER [1579127619] fipspost_post:171: PASSED: (10 ms) - fipspost_post_aes_ccm
FIPSPOST_USER [1586953336] fipspost_post:173: PASSED: (229 ms) - fipspost_post_pbkdf
FIPSPOST_USER [1587973156] fipspost_post:174: PASSED: (25 ms) - fipspost_post_kdf_ctr
FIPSPOST_USER [1607684126] fipspost_post:175: PASSED: (439 ms) - fipspost_post_aes_gcm
FIPSPOST_USER [1610118992] fipspost_post:176: PASSED: (4 ms) - fipspost_post_aes_xts
FIPSPOST_USER [1610686578] fipspost_post:177: PASSED: (7 ms) - fipspost_post_tdes_cbc
FIPSPOST_USER [1612386590] fipspost_post:178: PASSED: (4 ms) - fipspost_post_drbg_hmac
FIPSPOST_USER [1615174948] fipspost_post:180: PASSED: (96 ms) - fipspost_post_ffdh
FIPSPOST_USER [1620719951] fipspost_post:181: PASSED: (219 ms) - fipspost_post_rsa_enc_dec
FIPSPOST_USER [1622339821] fipspost_post:201: all tests PASSED (2806 ms)
Sat May 21 04:28:35 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: keybag
****** DIAGNOSTICS MODE ENABLED, SKIP INIT ****
Sat May 21 04:28:40 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: usermanagerd
Sat May 21 04:28:40 2022 localhost com.apple.xpc.launchd[1] <Notice>: usermanagerd: optional boot task not present
Sat May 21 04:28:41 2022 localhost com.apple.xpc.launchd[1] <Notice>: launchd logging initialized
Sat May 21 04:28:42 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: xpcroleaccountd
Sat May 21 04:28:43 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: init_featureflags
init_featureflags: skipping directory: /System/Library/FeatureFlags/Domain
init_featureflags: skipping directory: /Library/Preferences/FeatureFlags/Domain
Sat May 21 04:28:44 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: fud
objc[20]: Class UARPManifestProperties is implemented in both /System/Library/PrivateFrameworks/CoreUARP.framework/CoreUARP and /System/Library/PrivateFrameworks/MobileAccessoryUpdater.framework/Support/fud. One of the two will be used. Which one is undefined.
fud: -[FudEarlyBoot doFUDEarlyBoot:](): Starting Early Boot
fud: No Early Boot Accessories
fud: -[FudEarlyBoot doFUDEarlyBoot:](): End Early Boot
Sat May 21 04:28:54 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: tzinit
Sat May 21 04:28:55 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: finish-restore
Sat May 21 04:28:55 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: finish-demo-restore
Sat May 21 04:28:55 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: sysstatuscheck
Sat May 21 04:28:56 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: prng_seedctl
PRNG diagnostics:
0 user reseeds, 1 scheduled reseeds, 64 max samples in a scheduled reseed, 284 max samples in an entropy input
generator 0: 2 rekeys, 458 requests, 5456 total bytes requested, 64 max bytes requested in a request, 3304 bytes requested since rekey, 3304 max bytes requested between rekeys
generator 1: 2 rekeys, 55 requests, 800 total bytes requested, 64 max bytes requested in a request, 784 bytes requested since rekey, 784 max bytes requested between rekeys
generator 2: 2 rekeys, 14 requests, 228 total bytes requested, 64 max bytes requested in a request, 180 bytes requested since rekey, 180 max bytes requested between rekeys
generator 3: 2 rekeys, 32 requests, 496 total bytes requested, 64 max bytes requested in a request, 432 bytes requested since rekey, 432 max bytes requested between rekeys
pool 0: 0 samples, 1 drains, 64 max samples
pool 1: 284 samples, 0 drains, 284 max samples
pool 2: 38 samples, 0 drains, 38 max samples
pool 3: 69 samples, 0 drains, 69 max samples
pool 4: 85 samples, 0 drains, 85 max samples
pool 5: 113 samples, 0 drains, 113 max samples
pool 6: 40 samples, 0 drains, 40 max samples
pool 7: 48 samples, 0 drains, 48 max samples
pool 8: 88 samples, 0 drains, 88 max samples
pool 9: 34 samples, 0 drains, 34 max samples
pool 10: 58 samples, 0 drains, 58 max samples
pool 11: 37 samples, 0 drains, 37 max samples
pool 12: 40 samples, 0 drains, 40 max samples
pool 13: 45 samples, 0 drains, 45 max samples
pool 14: 126 samples, 0 drains, 126 max samples
pool 15: 70 samples, 0 drains, 70 max samples
pool 16: 0 samples, 0 drains, 0 max samples
pool 17: 0 samples, 0 drains, 0 max samples
pool 18: 0 samples, 0 drains, 0 max samples
pool 19: 0 samples, 0 drains, 0 max samples
pool 20: 0 samples, 0 drains, 0 max samples
pool 21: 0 samples, 0 drains, 0 max samples
pool 22: 0 samples, 0 drains, 0 max samples
pool 23: 0 samples, 0 drains, 0 max samples
pool 24: 0 samples, 0 drains, 0 max samples
pool 25: 0 samples, 0 drains, 0 max samples
pool 26: 0 samples, 0 drains, 0 max samples
pool 27: 0 samples, 0 drains, 0 max samples
pool 28: 0 samples, 0 drains, 0 max samples
pool 29: 0 samples, 0 drains, 0 max samples
pool 30: 0 samples, 0 drains, 0 max samples
pool 31: 0 samples, 0 drains, 0 max samples
failed to load virtual random: (-147) (-536870212)
Sat May 21 04:28:56 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: launchd_cache_loader
0 Found valid port: 2307 Valid: 1
1 Found valid port: 0 Valid: 0
2 Found valid port: 0 Valid: 0
Using default cache paths
Code: /System/Library/xpc/launchd.plist Sig: /System/Library/xpc/launchd.plist.sig
static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Process 26 is checking if a cdhash is in the trust cache
static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Returning IOReturn 0x0 to process 26
cdhash: {length = 20, bytes = 0x1f926e82fb7151558f895e958a422ee5c570b6bc} is trusted
Attached signature to file, checking ...
Trying to send bytes to launchd: 2307 16384
Sending validated cache to launchd
Cache sent to launchd successfully
Sat May 21 04:29:02 2022 localhost com.apple.xpc.launchd[1] <Notice>: launchd UUID: 4C2464F5-9F87-31DE-B252-584E3391D4FA
Sat May 21 04:29:02 2022 localhost com.apple.xpc.launchd[1] <Notice>: Early boot complete. Continuing system boot.
Attempting to forcibly halt cpu 0
cpu 0 failed to halt with error -5: halt not supported for this configuration
Attempting to forcibly halt cpu 1
cpu 1 failed to halt with error -5: halt not supported for this configuration
Attempting to forcibly halt cpu 2
cpu 2 failed to halt with error -5: halt not supported for this configuration
Debugger synchronization timed out; waited 10000000 nanoseconds
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
panic(cpu 3 caller 0xfffffff01d64434c): "Ticket spinlock timeout; start: 0x9cae6fec, end: 0x9cdc36ac, current: 0x9cdc6de7, lock: 0xfffffff01f5a6f80, *lock: 0x8f, waiting for 0x90, owner: 0"
Debugger message: panic
Memory ID: 0x0
OS release type: Beta
OS version: 18A5351d
Kernel version: Darwin Kernel Version 20.0.0: Wed Aug 12 22:56:55 PDT 2020; root:xnu-7195.0.33~64/RELEASE_ARM64_T8030
Kernel UUID: FDDAF386-4EA2-35FC-8235-1F167AEFD6F3
iBoot version: qemu-t8030
secure boot?: YES
Paniclog version: 13
Kernel slide: 0x0000000015c00000
Kernel text base: 0xfffffff01cc04000
mach_absolute_time: 0xd0408738
Epoch Time: sec usec
Boot : 0x6288ccae 0x0001fac2
Sleep : 0x00000000 0x00000000
Wake : 0x00000000 0x00000000
Calendar: 0x6288cd31 0x000174bf
Panicked task 0xffffffe19b603840: 67 pages, 1 threads: pid 32: xpcproxy
Panicked thread: 0xffffffe19bf1e2e0, backtrace: 0xffffffe934452ab0, tid: 423
lr: 0xfffffff01d62af48 fp: 0xffffffe934452af0
lr: 0xfffffff01d62ad48 fp: 0xffffffe934452b60
lr: 0xfffffff01d764940 fp: 0xffffffe934452b80
lr: 0xfffffff01d756e1c fp: 0xffffffe934452c40
lr: 0xfffffff01dd1c5f4 fp: 0xffffffe934452c50
lr: 0xfffffff01d62aa30 fp: 0xffffffe934452fd0
lr: 0xfffffff01d62aa30 fp: 0xffffffe934453030
lr: 0xfffffff01f3db97c fp: 0xffffffe934453050
lr: 0xfffffff01d64434c fp: 0xffffffe9344530a0
lr: 0xfffffff01d657b0c fp: 0xffffffe9344530d0
lr: 0xfffffff01d657db0 fp: 0xffffffe934453110
lr: 0xfffffff01d641074 fp: 0xffffffe934453140
lr: 0xfffffff01d755444 fp: 0xffffffe934453170
lr: 0xfffffff01dbc48c0 fp: 0xffffffe9344531b0
lr: 0xfffffff01db8cdd8 fp: 0xffffffe9344531d0
lr: 0xfffffff01def38e4 fp: 0xffffffe9344531f0
lr: 0xfffffff01eeaad5c fp: 0xffffffe934453490
lr: 0xfffffff01eea9fa0 fp: 0xffffffe9344534f0
lr: 0xfffffff01eea2528 fp: 0xffffffe934453710
lr: 0xfffffff01dd04a54 fp: 0xffffffe934453760
lr: 0xfffffff01d7eda08 fp: 0xffffffe9344537b0
lr: 0xfffffff01d80e1a4 fp: 0xffffffe934453870
lr: 0xfffffff01d7f771c fp: 0xffffffe934453ad0
lr: 0xfffffff01da60318 fp: 0xffffffe934453da0
lr: 0xfffffff01db7fc80 fp: 0xffffffe934453e30
lr: 0xfffffff01d756c6c fp: 0xffffffe934453ef0
lr: 0xfffffff01dd1c5f4 fp: 0xffffffe934453f00
!! debugger synchronization failed, no stackshot !!
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
wdog panic (attempt 1)
I actually added wdt=-1 to the command line (you can see above), and iOS still says wdog panic. What should I do now? Thanks!
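A triage pass over the panic log above, as an added example that is not part of the original post or of the qemu-t8030 project: it extracts the panic string and the panicking process, then rebases each `lr` by the logged kernel slide so the frames can be looked up in the kernelcache as it sits on disk. The names `parse_panic` and `Frame` are made up for illustration, and the embedded text is an excerpt of the log quoted above.

```python
import re
from dataclasses import dataclass

# Excerpt of the panic log quoted above; only the first three frames are kept.
PANIC_LOG = '''\
panic(cpu 3 caller 0xfffffff01d64434c): "Ticket spinlock timeout; start: 0x9cae6fec, end: 0x9cdc36ac, current: 0x9cdc6de7, lock: 0xfffffff01f5a6f80, *lock: 0x8f, waiting for 0x90, owner: 0"
Debugger message: panic
Kernel slide: 0x0000000015c00000
Kernel text base: 0xfffffff01cc04000
Panicked task 0xffffffe19b603840: 67 pages, 1 threads: pid 32: xpcproxy
Panicked thread: 0xffffffe19bf1e2e0, backtrace: 0xffffffe934452ab0, tid: 423
lr: 0xfffffff01d62af48 fp: 0xffffffe934452af0
lr: 0xfffffff01d62ad48 fp: 0xffffffe934452b60
lr: 0xfffffff01d764940 fp: 0xffffffe934452b80
'''

PANIC_RE = re.compile(r'^panic\(cpu (\d+) caller (0x[0-9a-fA-F]+)\): "(.*)"$')
FIELD_RE = re.compile(r'^(Kernel slide|Kernel text base):\s+(0x[0-9a-fA-F]+)$')
TASK_RE = re.compile(r'^Panicked task 0x[0-9a-fA-F]+: .*pid (\d+): (.+)$')
FRAME_RE = re.compile(r'^lr: (0x[0-9a-fA-F]+)\s+fp: (0x[0-9a-fA-F]+)$')


@dataclass
class Frame:
    lr: int           # return address as logged (slid, runtime value)
    fp: int           # frame pointer as logged
    unslid_lr: int    # lr - kernel slide: address in the on-disk kernelcache
    text_offset: int  # lr - kernel text base: comparable across boots


def parse_panic(text):
    """Parse an XNU panic log and rebase its backtrace by the logged slide."""
    report = {"frames": []}
    raw_frames = []
    for line in text.splitlines():
        line = line.strip()
        if m := PANIC_RE.match(line):
            report["cpu"] = int(m[1])
            report["caller"] = int(m[2], 16)
            report["message"] = m[3]
        elif m := FIELD_RE.match(line):
            key = "slide" if m[1] == "Kernel slide" else "text_base"
            report[key] = int(m[2], 16)
        elif m := TASK_RE.match(line):
            report["pid"] = int(m[1])
            report["process"] = m[2]
        elif m := FRAME_RE.match(line):
            raw_frames.append((int(m[1], 16), int(m[2], 16)))

    # Without the slide and text base the addresses cannot be rebased;
    # refuse rather than emit misleading values.
    missing = [k for k in ("slide", "text_base") if k not in report]
    if missing:
        raise ValueError("panic log lacks: " + ", ".join(missing))

    slide, base = report["slide"], report["text_base"]
    report["static_text_base"] = base - slide
    if "caller" in report:
        report["caller_unslid"] = report["caller"] - slide
    report["frames"] = [
        Frame(lr, fp, lr - slide, lr - base) for lr, fp in raw_frames
    ]
    return report


if __name__ == "__main__":
    r = parse_panic(PANIC_LOG)
    print(f'cpu {r["cpu"]}, pid {r["pid"]} ({r["process"]}): {r["message"][:40]}...')
    print(f'caller unslid: {r["caller_unslid"]:#x}')
    for i, f in enumerate(r["frames"]):
        print(f'#{i} lr={f.lr:#x} unslid={f.unslid_lr:#x} text+{f.text_offset:#x}')
```
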
The Linux VM crashed while telnetting into iOS, with the message:
qemu-system-x86_64: ../hw/usb/core.c:523: void usb_cancel_packet(USBPacket *): Assertion `usb_packet_is_inflight(p)' failed
The most reliable way to produce the same error message would be trying to upload an iBSS.n71.RELEASE.im4p.dec to the s8000 securerom VM, but it can happen in T8030 VMs too (such as the telnet crash).
To reproduce
Method 1: upload anything (such as a decrypted iBSS, or 1MB of random data) to S8000 securerom
irecovery -f iBSS.n71.RELEASE.im4p.dec
Method 2: Set up telnetd on the iOS side, telnet into it in the Linux VM, and do some random stuff. It will crash.
Result
Linux VM crashed.
No core dumps are generated.
Host is debian 11 bullseye
qemu-t8030 commit: ba738a1
I'm getting "qemu-system-aarch64: macho_parse: Invalid Mach-O object: mh->magic != MACH_MAGIC_64" when trying to boot 16.0b1 to restore mode.
Boot command:
../qemu-system-aarch64 -s -M t8030,trustcache-filename=16.0b1/Firmware/078-13778-076.dmg.trustcache,ticket-filename=16.0b1/root_ticket.der \
-kernel 16.0b1/kernelcache.research.iphone12b \
-dtb 16.0b1/Firmware/all_flash/DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v -restore rd=md0 nand-enable-reformat=1 -progress launchd_missing_exec_no_panic=1" \
-initrd 16.0b1/078-13778-076.dmg \
-cpu max -smp 6 \
-m 4G -serial mon:stdio \
-drive file=20A5283p/nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=20A5283p/nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=20A5283p/nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=20A5283p/nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=20A5283p/nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=20A5283p/nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=20A5283p/nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait
Full terminal output:
qemu-system-aarch64: macho_parse: Invalid Mach-O object: mh->magic != MACH_MAGIC_64
J327AP is AppleDisplay2,1 aka Studio Display
Currently, the kernel can boot to restored (not restored_external), and such a restore could be attempted.
There is a failed kernel patch: qemu-system-aarch64: Missing patch: AKSUC_handle, which is probably related to the problem below.
Anyways, the system successfully boots to ramdisk with bash running.
The firmware can be obtained from here, which is DarwinOS 15.4, although sw_vers still outputs iPhone OS.
Now, this is an OTA update, but the AssetData/ directory in it is the structure of an IPSW.
The problem
Stuck trying to create protected filesystems
To reproduce
display.der with create_apticket.py, the board config should be j327ap
SupportedProductTypes, change AppleDisplay12,1 to iPhone12,1
DeviceClass, change J327AP to N104AP
FactoryRamDisk as the other FactorySupportRamDisk does not seem to have restored.
The following is my boot command:
${HOME}/qemu-t8030/build/qemu-system-x86_64 -smp 4 -m 768 \
-machine q35 \
-device virtio-vga,xres=640,yres=480 \
-enable-kvm \
-cpu qemu64 \
-usb \
-device usb-ehci,id=ehci \
-device usb-tcp-remote,bus=ehci.0 \
-drive file=${HOME}/vm_images/kali.qcow2 \
-net user,hostfwd=tcp::8122-:22 \
-net nic \
-monitor telnet:127.0.0.1:1236,server,nowait &
sleep 1
${HOME}/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=018-26834-343.dmg.trustcache.out,ticket-filename=root_ticket.der \
-kernel kernelcache.release.j327.out \
-dtb DeviceTree.j327ap.im4p \
-append "kextlog=0xffff debug=0x14e -v launchd_missing_exec_no_panic=1 serial=3 wdt=-1 keepsyms=1 launchd_unsecure_cache=1 wdt=-1" \
-initrd '018-26834-343.dmg.out' \
-cpu max -smp 4 \
-m 2G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait
Apple Inc.,
idevicerestore -P -d --erase --restore-mode -i 0x1122334455667788 display.ipsw -T display.der
[08:19:36.0505-GMT]{4>9} CHECKPOINT BEGIN: (null):[0x0674] create_protected_filesystems
restore-step-ids = {0x1103067B:77;0x11030674:135}
restore-step-names = {0x1103067B:perform_restore_installing;0x11030674:create_protected_filesystems}
restore-step-uptime = 217
restore-step-user-progress = 97
entering create_protected_filesystems
ramrod_display_set_granular_progress_forced: 97.000000
content-protect property not found
encryptable property not found
creating class d key for /mnt2
idevicerestore log:
Requesting EAN Data (74)
Creating Protected Volume (67)
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
No data to read (timeout)
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
No data to read (timeout)
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
No data to read (timeout)
Hello, it's me again,
I tried the other documentation, and it was successful until some time later only. It got stuck on another module this time:
FAILED: libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o
cc -Ilibcommon.fa.p -I/usr/include/pixman-1 -I/usr/include/libpng16 -I/usr/include/p11-kit-1 -I/usr/include/SDL2 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/sysprof-4 -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/gio-unix-2.0 -I/usr/local/include -I/usr/include/slirp -I/usr/include/gtk-3.0 -I/usr/include/pango-1.0 -I/usr/include/harfbuzz -I/usr/include/freetype2 -I/usr/include/fribidi -I/usr/include/cairo -I/usr/include/lzo -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/cloudproviders -I/usr/include/atk-1.0 -I/usr/include/at-spi2-atk/2.0 -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -I/usr/include/at-spi-2.0 -I/usr/include/vte-2.91 -I/usr/include/virgl -I/usr/include/cacard -I/usr/include/nss -I/usr/include/nspr -I/usr/include/libusb-1.0 -fdiagnostics-color=auto -Wall -Winvalid-pch -std=gnu11 -O2 -g -isystem /home/porya/qemu-t8030/linux-headers -isystem linux-headers -iquote . -iquote /home/porya/qemu-t8030 -iquote /home/porya/qemu-t8030/include -iquote /home/porya/qemu-t8030/disas/libvixl -iquote /home/porya/qemu-t8030/tcg/i386 -pthread -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -m64 -mcx16 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fno-common -fwrapv -Wold-style-declaration -Wold-style-definition -Wtype-limits -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wempty-body -Wnested-externs -Wendif-labels -Wexpansion-to-defined -Wimplicit-fallthrough=2 -Wno-missing-include-dirs -Wno-shift-negative-value -Wno-psabi -fstack-protector-strong -fPIE -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=600 -DNCURSES_WIDECHAR -D_REENTRANT -Wno-undef -DSTRUCT_IOVEC_DEFINED -MD -MQ libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o -MF libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o.d -o libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o -c ../hw/misc/apple_spmi_pmu.c
../hw/misc/apple_spmi_pmu.c:51:26: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘tick_to_ns’
51 | static uint64_t __unused tick_to_ns(AppleSPMIPMUState *p, uint64_t tick)
| ^~~~~~~~~~
[1349/3071] Compiling C object libcommon.fa.p/hw_misc_aspeed_xdma.c.o
[1350/3071] Compiling C object libcommon.fa.p/hw_misc_nrf51_rng.c.o
[1351/3071] Compiling C object libcommon.fa.p/hw_misc_msf2-sysreg.c.o
[1352/3071] Compiling C object libcommon.fa.p/hw_misc_aspeed_sdmc.c.o
[1353/3071] Compiling C object libcommon.fa.p/hw_misc_aspeed_scu.c.o
[1354/3071] Compiling C object libcommon.fa.p/hw_net_ne2000-pci.c.o
[1355/3071] Compiling C object libcommon.fa.p/hw_misc_apple_smc.c.o
../hw/misc/apple_smc.c: In function ‘smc_key_mbse_write’:
../hw/misc/apple_smc.c:238:10: warning: multi-character character constant [-Wmultichar]
238 | case 'off1':
| ^~~~~~
../hw/misc/apple_smc.c:241:10: warning: multi-character character constant [-Wmultichar]
241 | case 'susp':
| ^~~~~~
../hw/misc/apple_smc.c:251:10: warning: multi-character character constant [-Wmultichar]
251 | case 'rest':
| ^~~~~~
../hw/misc/apple_smc.c:254:10: warning: multi-character character constant [-Wmultichar]
254 | case 'slpw':
| ^~~~~~
../hw/misc/apple_smc.c: In function ‘smc_key_nesn_write’:
../hw/misc/apple_smc.c:281:14: warning: unused variable ‘p’ [-Wunused-variable]
281 | uint8_t *p = (uint8_t *)payload;
| ^
../hw/misc/apple_smc.c: In function ‘apple_smc_handle_key_endpoint’:
../hw/misc/apple_smc.c:354:34: warning: taking address of packed member of ‘struct key_response’ may result in an unaligned pointer value [-Waddress-of-packed-member]
354 | bswap32s((uint32_t *)r.response);
| ^
../hw/misc/apple_smc.c: In function ‘apple_smc_create’:
../hw/misc/apple_smc.c:428:9: warning: unused variable ‘i’ [-Wunused-variable]
428 | int i;
| ^
../hw/misc/apple_smc.c: In function ‘apple_smc_realize’:
../hw/misc/apple_smc.c:529:28: warning: multi-character character constant [-Wmultichar]
529 | smc_create_key_func(s, '#KEY', 4, bswap32('ui32'), SMC_ATTR_LITTLE_ENDIAN,
| ^~~~~~
../hw/misc/apple_smc.c:529:47: warning: multi-character character constant [-Wmultichar]
529 | smc_create_key_func(s, '#KEY', 4, bswap32('ui32'), SMC_ATTR_LITTLE_ENDIAN,
| ^~~~~~
../hw/misc/apple_smc.c:532:23: warning: multi-character character constant [-Wmultichar]
532 | smc_create_key(s, 'CLKH', 8, 0x7b636c68, SMC_ATTR_LITTLE_ENDIAN, data);
| ^~~~~~
../hw/misc/apple_smc.c:535:23: warning: multi-character character constant [-Wmultichar]
535 | smc_create_key(s, 'RGEN', 1, bswap32('ui8 '), SMC_ATTR_LITTLE_ENDIAN, data);
| ^~~~~~
../hw/misc/apple_smc.c:535:42: warning: multi-character character constant [-Wmultichar]
535 | smc_create_key(s, 'RGEN', 1, bswap32('ui8 '), SMC_ATTR_LITTLE_ENDIAN, data);
| ^~~~~~
../hw/misc/apple_smc.c:538:23: warning: multi-character character constant [-Wmultichar]
538 | smc_create_key(s, 'aDC#', 4, bswap32('ui32'), SMC_ATTR_LITTLE_ENDIAN, &value);
| ^~~~~~
../hw/misc/apple_smc.c:538:42: warning: multi-character character constant [-Wmultichar]
538 | smc_create_key(s, 'aDC#', 4, bswap32('ui32'), SMC_ATTR_LITTLE_ENDIAN, &value);
| ^~~~~~
../hw/misc/apple_smc.c:540:28: warning: multi-character character constant [-Wmultichar]
540 | smc_create_key_func(s, 'MBSE', 4, bswap32('hex_'), SMC_ATTR_LITTLE_ENDIAN,
| ^~~~~~
../hw/misc/apple_smc.c:540:47: warning: multi-character character constant [-Wmultichar]
540 | smc_create_key_func(s, 'MBSE', 4, bswap32('hex_'), SMC_ATTR_LITTLE_ENDIAN,
| ^~~~~~
../hw/misc/apple_smc.c:543:28: warning: multi-character character constant [-Wmultichar]
543 | smc_create_key_func(s, 'LGPB', 1, bswap32('flag'), SMC_ATTR_LITTLE_ENDIAN,
| ^~~~~~
../hw/misc/apple_smc.c:543:47: warning: multi-character character constant [-Wmultichar]
543 | smc_create_key_func(s, 'LGPB', 1, bswap32('flag'), SMC_ATTR_LITTLE_ENDIAN,
| ^~~~~~
../hw/misc/apple_smc.c:545:28: warning: multi-character character constant [-Wmultichar]
545 | smc_create_key_func(s, 'LGPE', 1, bswap32('flag'), SMC_ATTR_LITTLE_ENDIAN,
| ^~~~~~
../hw/misc/apple_smc.c:545:47: warning: multi-character character constant [-Wmultichar]
545 | smc_create_key_func(s, 'LGPE', 1, bswap32('flag'), SMC_ATTR_LITTLE_ENDIAN,
| ^~~~~~
../hw/misc/apple_smc.c:547:28: warning: multi-character character constant [-Wmultichar]
547 | smc_create_key_func(s, 'NESN', 4, bswap32('hex_'), SMC_ATTR_LITTLE_ENDIAN,
| ^~~~~~
../hw/misc/apple_smc.c:547:47: warning: multi-character character constant [-Wmultichar]
547 | smc_create_key_func(s, 'NESN', 4, bswap32('hex_'), SMC_ATTR_LITTLE_ENDIAN,
| ^~~~~~
At top level:
../hw/misc/apple_smc.c:415:13: warning: ‘apple_smc_set_irq’ defined but not used [-Wunused-function]
415 | static void apple_smc_set_irq(void *opaque, int irq_num, int level)
| ^~~~~~~~~~~~~~~~~
../hw/misc/apple_smc.c:213:16: warning: ‘smc_key_copy_write’ defined but not used [-Wunused-function]
213 | static uint8_t smc_key_copy_write(AppleSMCState *s, smc_key *k,
| ^~~~~~~~~~~~~~~~~~
[1356/3071] Compiling C object libcommon.fa.p/hw_net_ne2000.c.o
[1357/3071] Compiling C object libcommon.fa.p/hw_misc_apple_mbox.c.o
In file included from ../hw/misc/apple_mbox.c:3:
../hw/misc/apple_mbox.c: In function ‘apple_mbox_iop_reg_read’:
../hw/misc/apple_mbox.c:836:38: warning: format ‘%llx’ expects argument of type ‘long long unsigned int’, but argument 4 has type ‘uint64_t’ {aka ‘long unsigned int’} [-Wformat=]
836 | qemu_log_mask(LOG_UNIMP, "%s: AppleA7IOP AKF unknown IOP reg READ @ 0x"
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
837 | TARGET_FMT_plx " ret: 0x%08llx\n",
838 | s->role, addr, ret);
| ~~~
| |
| uint64_t {aka long unsigned int}
/home/porya/qemu-t8030/include/qemu/log.h:120:22: note: in definition of macro ‘qemu_log_mask’
120 | qemu_log(FMT, ## __VA_ARGS__); \
| ^~~
[1358/3071] Compiling C object libcommon.fa.p/hw_net_pcnet-pci.c.o
[1359/3071] Compiling C object libcommon.fa.p/hw_misc_apple_aes.c.o
../hw/misc/apple_aes.c: In function ‘key_mode’:
../hw/misc/apple_aes.c:92:1: warning: control reaches end of non-void function [-Wreturn-type]
92 | }
| ^
[1360/3071] Compiling C object libcommon.fa.p/hw_net_eepro100.c.o
[1361/3071] Compiling C object libcommon.fa.p/hw_net_pcnet.c.o
[1362/3071] Compiling C object libcommon.fa.p/hw_net_e1000.c.o
[1363/3071] Compiling C object libcommon.fa.p/hw_display_cirrus_vga.c.o
ninja: build stopped: subcommand failed.
make: *** [Makefile:156: run-ninja] Error 1
When attempting a restore (in this case with fresh NAND files), the iOS device kernel panics shortly after creating NAND namespaces. Full log (too long to send as text):
When running the below command as per the Wiki, I'm receiving the following error:
$ ../configure --target-list=aarch64-softmmu,x86_64-softmmu --disable-capstone --enable-lzfse --disable-werror
[…]
../meson.build:192:2: ERROR: Dependency "appleframeworks" not found, tried framework
My system is a 2021 16" MacBook Pro w/ M1 Max:
$ uname -a
Darwin Jacobs-MBP.lan 21.3.0 Darwin Kernel Version 21.3.0: Wed Jan 5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE_ARM64_T6000 x86_64
I cannot load my iOS 15.3.1 VM anymore (it was working previously)
qemu-system-aarch64: ../hw/arm/t8030.c:854: void t8030_create_i2c(MachineState *, const char *): Assertion `child' failed.
QEMU output:
Loading iOS 15.3...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00a120738
KPF: found apfs_vfsop_mount
KPF: found handle_eval_rootauth
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff007d51ae0
kpf_amfi_callback: Found lookup_in_static_trust_cache
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff009d0b8f0
kpf_amfi_callback: Found lookup_in_trust_cache_module
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
qemu-system-aarch64: ../hw/arm/t8030.c:854: void t8030_create_i2c(MachineState *, const char *): Assertion `child' failed.
Aborted
It looks like there is a problem during machine init.
boot command:
${HOME}/qemu-t8030/build/qemu-system-x86_64 -smp 4 -m 768 \
-machine q35 \
-device virtio-vga,xres=640,yres=480 \
-enable-kvm \
-cpu qemu64 \
-usb \
-device usb-ehci,id=ehci \
-device usb-tcp-remote,bus=ehci.0 \
-drive file=${HOME}/vm_images/kali.qcow2 \
-net user,hostfwd=tcp::8122-:22 \
-net nic \
-monitor telnet:127.0.0.1:1236,server,nowait &
sleep 1
# kernelcache.research.iphone12b.out
${HOME}/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=018-92126-069.dmg.trustcache.out,ticket-filename=${HOME}/vm_images/t8030/root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb DeviceTree.n104ap.im4p \
-append "rd=disk0s1s1 kextlog=0xffff debug=0x14e -v launchd_missing_exec_no_panic=1 serial=3 wdt=-1 keepsyms=1 launchd_unsecure_cache=1" \
-initrd 018-92126-069.dmg.out \
-cpu max -smp 4 \
-m 4G -serial mon:stdio \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait
Using ecb8ff6 with FastSim workaround.
Host: Debian 11 bullseye, Linux 5.16.0-0.bpo.3-amd64
I have a core dump, not sure how useful it is.
I have read something similar earlier.
https://alephsecurity.com/2020/07/19/xnu-qemu-kvm/
So, my question is: does this display iOS, or just a terminal?
Thanks, it is a really good development.
We're currently required to extract the kernel image, device tree and static trust cache from the .img4 files.
It may be useful if qemu itself can take care of the extraction - it would make the process easier.
Qemu already links with OpenSSL and liblzfse, so it already has the infrastructure required to manipulate im4p files in place.
Would you be open to a PR which adds such a feature?
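An added triage helper (not part of this issue or of qemu-t8030's code) that reports what a file handed to -kernel, -dtb or -initrd actually contains, which bears both on the in-QEMU extraction proposed above and on the `mh->magic != MACH_MAGIC_64` report earlier on the page. The IM4P field order used here (tag string, four-character type, description, payload, optional keybag), the `der` helper and the sample blobs are assumptions constructed for the example; nothing is decompressed.

```python
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF                 # 64-bit Mach-O magic, stored little-endian
LZFSE_MAGICS = (b"bvx1", b"bvx2", b"bvxn", b"bvx-")
LZSS_MAGIC = b"complzss"
SEQUENCE, IA5STRING, OCTET_STRING = 0x30, 0x16, 0x04


class DerError(ValueError):
    """The bytes are not well-formed DER."""


def read_tlv(buf, off, end):
    """Decode one DER element; return (tag, value_start, value_end)."""
    if off + 2 > end:
        raise DerError("truncated header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 8 or off + n > end:
            raise DerError("unsupported or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > end:
        raise DerError("element overruns its parent")
    return tag, off, off + length


def children(buf, start, end):
    """List the (tag, value_start, value_end) elements inside a SEQUENCE."""
    out, off = [], start
    while off < end:
        tag, vs, ve = read_tlv(buf, off, end)
        out.append((tag, vs, ve))
        off = ve
    return out


def payload_kind(data):
    """Classify payload bytes by their leading magic."""
    if data[:4] in LZFSE_MAGICS:
        return "lzfse"
    if data[:8] == LZSS_MAGIC:
        return "lzss"
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == MH_MAGIC_64:
        return "macho64"
    return "unknown"


def _text(buf, item):
    """Return the text of an IA5String element, or raise DerError."""
    tag, vs, ve = item
    if tag != IA5STRING:
        raise DerError("expected IA5String")
    return buf[vs:ve].decode("ascii", "replace")


def inspect_image(blob):
    """Report container, IM4P type/description and payload kind for a file."""
    info = {"container": "raw", "type": None, "description": None,
            "payload": payload_kind(blob), "has_keybag": False}
    try:
        tag, vs, ve = read_tlv(blob, 0, len(blob))
        if tag != SEQUENCE:
            return info
        items, container = children(blob, vs, ve), "IM4P"
        if items and _text(blob, items[0]) == "IMG4":
            # An IMG4 wrapper carries the IM4P as its second element.
            if len(items) < 2 or items[1][0] != SEQUENCE:
                raise DerError("IMG4 without an IM4P")
            items, container = children(blob, items[1][1], items[1][2]), "IMG4"
        if len(items) < 4 or _text(blob, items[0]) != "IM4P":
            return info
        if items[3][0] != OCTET_STRING:
            raise DerError("payload is not an OCTET STRING")
        return {"container": container,
                "type": _text(blob, items[1]),
                "description": _text(blob, items[2]),
                "payload": payload_kind(blob[items[3][1]:items[3][2]]),
                "has_keybag": len(items) > 4 and items[4][0] == OCTET_STRING}
    except DerError:
        return info                       # not DER after all: treat as a raw file


def der(tag, value):
    """Minimal DER encoder, used only to build the constructed samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value


# Constructed samples (not real firmware): an IM4P with an LZFSE-looking
# payload, and a bare 64-bit Mach-O header.
SAMPLE_IM4P = der(SEQUENCE, der(IA5STRING, b"IM4P") + der(IA5STRING, b"krnl")
                  + der(IA5STRING, b"constructed sample")
                  + der(OCTET_STRING, b"bvx2" + bytes(200)))
SAMPLE_MACHO = struct.pack("<I", MH_MAGIC_64) + bytes(28)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_image(fh.read()))
    print("constructed IM4P:", inspect_image(SAMPLE_IM4P))
    print("constructed Mach-O:", inspect_image(SAMPLE_MACHO))
```

A result of `payload: unknown` together with `has_keybag: True` suggests the payload is still encrypted, so decompressing it would not yield a Mach-O.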
This causes compilation error with:
qemu-t8030/hw/watchdog/apple_wdt.c
Line 145 in 7f5549a
GCC version
gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
UPDATE: Check out the latest guide
I'd be grateful if you could provide some instructions on how we can create a VM which can use the xnu kernel using this project.
Do we need to follow the instructions from https://github.com/alephsecurity/xnu-qemu-arm64/wiki/Build-iOS-on-QEMU? Which ipsw / iOS version did you use?
It looks like you're on iOS 14, so I guess that would make iPhone11,8,iPhone12,1_14.4_18D52_Restore.ipsw then, right?
Did you use the kernelcache.release.iphone11b kernel image and the DeviceTree.n104ap.im4p device tree?
PS - I had issues using the Python tools to extract the kernel image & device tree, but https://github.com/blacktop/ipsw seemed to work fine.
sudo apt-get install -y git libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev ninja-build build-essential cmake gdb
git clone https://github.com/TrungNguyen1909/qemu-t8030
cd qemu-t8030
mkdir build
cd build
../configure --enable-debug --target-list=aarch64-softmmu --disable-capstone --disable-slirp
make -j$(nproc)
git clone https://github.com/lzfse/lzfse
cd lzfse
mkdir build
cmake ..
make
sudo make install
wget https://github.com/blacktop/ipsw/releases/download/v20.08.87/ipsw_20.08.87_Linux_x86_64.tar.gz
tar xvzf ipsw_20.08.87_Linux_x86_64.tar.gz
wget -nv -nc http://updates-http.cdn-apple.com/2021WinterFCS/fullrestores/001-98427/9C42F04F-C1B3-41C5-8E0D-0EDCB5087BB5/iPhone11,8,iPhone12,1_14.4_18D52_Restore.ipsw
unzip iPhone11,8,iPhone12,1_14.4_18D52_Restore.ipsw
./ipsw img4 extract kernelcache.research.iphone12b
lzfse -decode -i kernelcache.research.iphone12b.payload -o kernelcache.research.iphone12b.out
./ipsw img4 extract Firmware/all_flash/DeviceTree.n104ap.im4p
lzfse -decode -i Firmware/all_flash/DeviceTree.n104ap.im4p.payload -o Firmware/all_flash/DeviceTree.n104ap.im4p.out
./ipsw img4 extract 038-96262-062.dmg
./ipsw img4 extract Firmware/038-96262-062.dmg.trustcache
~/git/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,kernel-filename=kernelcache.research.iphone12b,dtb-filename=DeviceTree.n104ap,kern-cmd-args="debug=0x8 kextlog=0xffff io=0xfff rd=md0 serial=2 -v nvme=0xffff pmgr-debug=0xff",ramdisk-filename=038-96262-062.dmg,xnu-ramfb=on,trustcache-filename=038-96262-062.dmg.trustcache -cpu max -m 4G -serial mon:stdio -monitor telnet:127.0.0.1:1235,server,nowait -smp 6
~/git/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,kernel-filename=kernelcache.research.iphone12b.out,dtb-filename=Firmware/all_flash/DeviceTree.n104ap.im4p.out,kern-cmd-args="debug=0x8 kextlog=0xffff io=0xfff rd=md0 serial=2 -v nvme=0xffff pmgr-debug=0xff",ramdisk-filename=038-96262-062.dmg.payload,xnu-ramfb=on,trustcache-filename=Firmware/038-96262-062.dmg.trustcache.payload -cpu max -m 4G -serial mon:stdio -monitor telnet:127.0.0.1:1235,server,nowait -smp 6
Machine : macbook m1
command used:
brew install libtasn1 meson ninja pixman lzfse jtool2 jq
git clone --recursive https://github.com/TrungNguyen1909/qemu-t8030
cd qemu-t8030
mkdir build; cd build
../configure --target-list=aarch64-softmmu,x86_64-softmmu --disable-capstone --disable-slirp
make -j$(nproc)
configure result
make result
Has the functionality on the emulated iPhone to be able to see the iPhone display and having a touch screen been implemented yet in this project? And is it possible to emulate iOS using the current instructions on the M1 chip?
When I tried to run a Linux VM running Ubuntu Server in order to do a restore on the emulated iPhone, QEMU returned "qemu-aarch64-softmmu: -device usb-tcp-remote,bus=ehci.0: 'usb-tcp-remote' is not a valid device model name." Is there any way to fix this issue?
When booting normally using the emulator, does it actually boot to the usual setup page like a new iPhone or is it less advanced than that?
Hi, trying to build the emulator, but I get this error after the make -j$(nproc) command.
error log:
[991/1378] Linking target qemu-system-aarch64
FAILED: qemu-system-aarch64
c++ @qemu-system-aarch64.rsp
/usr/bin/ld: libqemu-aarch64-softmmu.fa.p/hw_arm_xnu.c.o: in function `extract_im4p_payload':
/mnt/c/Users/pyell/lzfse/qemu-t8030/build/../hw/arm/xnu.c:224: undefined reference to `asn1_array2tree'
/usr/bin/ld: /mnt/c/Users/pyell/lzfse/qemu-t8030/build/../hw/arm/xnu.c:229: undefined reference to `asn1_create_element'
/usr/bin/ld: /mnt/c/Users/pyell/lzfse/qemu-t8030/build/../hw/arm/xnu.c:234: undefined reference to `asn1_der_decoding'
/usr/bin/ld: /mnt/c/Users/pyell/lzfse/qemu-t8030/build/../hw/arm/xnu.c:241: undefined reference to `asn1_read_value'
/usr/bin/ld: /mnt/c/Users/pyell/lzfse/qemu-t8030/build/../hw/arm/xnu.c:252: undefined reference to `asn1_read_value'
/usr/bin/ld: /mnt/c/Users/pyell/lzfse/qemu-t8030/build/../hw/arm/xnu.c:258: undefined reference to `asn1_read_value'
/usr/bin/ld: /mnt/c/Users/pyell/lzfse/qemu-t8030/build/../hw/arm/xnu.c:266: undefined reference to `asn1_read_value'
/usr/bin/ld: /mnt/c/Users/pyell/lzfse/qemu-t8030/build/../hw/arm/xnu.c:273: undefined reference to `asn1_read_value'
collect2: error: ld returned 1 exit status
[992/1378] Compiling C object tests/unit/check-qnull.p/check-qnull.c.o
[993/1378] Compiling C object tests/unit/check-qdict.p/check-qdict.c.o
[994/1378] Compiling C object tests/fp/fp-test-log2.p/fp-test-log2.c.o
[995/1378] Compiling C object tests/unit/check-block-qdict.p/check-block-qdict.c.o
[996/1378] Compiling C object tests/fp/fp-test.p/fp-test.c.o
[997/1378] Compiling C object tests/unit/check-qstring.p/check-qstring.c.o
[998/1378] Compiling C object tests/fp/fp-bench.p/fp-bench.c.o
[999/1378] Compiling C object tests/fp/fp-test-log2.p/.._.._fpu_softfloat.c.o
[1000/1378] Compiling C object tests/fp/fp-bench.p/.._.._fpu_softfloat.c.o
[1001/1378] Compiling C object tests/fp/fp-test.p/.._.._fpu_softfloat.c.o
[1002/1378] Linking target qemu-system-x86_64
ninja: build stopped: subcommand failed.
make: *** [Makefile:156: run-ninja] Error 1
I'm having this issue while booting a recently restored system
apfs_is_valid_class:2253: rejecting class open (class 2) because we're not content protected
handle_mount:627: vol-uuid: 3D9B78CD-479A-4DC6-ACE3-B6D84DC5166E block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.12)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6634: Volume System is not in a volume group
apfs_vfsop_mount:2171: disk0s1s1:0 mounted volume: System
handle_revert_to_snapshot:5195: On next mount, volume will revert to snapshot 'com.apple.os.update-5118EA8F39FF61D152BA7E1F92591910CDE7A2B09B867D8D58DC37E2CDC0B7C98DD296D4BF57862D143413DD17012D70' w/snap xid 54
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'System'
apfs_vfsop_unmount:2406: waiting for cleaners to finish: purgatory
apfs_stop_bg_work:1028: disk0s1s1:0 Volume System is unmounting, stop any bg work
tx_flush:1075: disk0s1 xid 323 tx stats: # 20 finish 22 enter 599 wait 2 209518us close 32us flush 315223us
apfs: total mem allocated: 12501875 (11 mb);
apfs_vfsop_unmount:2682: all done. going home. (numMountedAPFSVolumes 5)
revert_to_snapshot:1260: Reverting to snapshot w/xid 54 and old sblock oid 8259450.
revert_extents_to_snapshot:1093: free'ing extents in main extentref tree 8257872
free_allocated_snapshot_extents:1008: processed 0 extents and free'd 0 blocks
obj_cache_remove_reverted_fs_objects:1547: disk0s1s1:0 removing reverted fs objects for fs 1026: 55 - 326
revert_to_snapshot:1336: DONE reverting to snapshot w/xid 54
handle_mount:627: vol-uuid: 3D9B78CD-479A-4DC6-ACE3-B6D84DC5166E block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.12)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6634: Volume System is not in a volume group
apfs_vfsop_mount:2171: disk0s1s1:0 mounted volume: System
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'System'
apfs: total mem allocated: 13116575 (12 mb);
apfs_vfsop_unmount:2682: all done. going home. (numMountedAPFSVolumes 5)
static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Process 170 is checking if a cdhash is in the trust cache
static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Returning IOReturn 0x0 to process 170
tx_flush:1075: disk0s1 xid 343 tx stats: # 40 finish 42 enter 3116 wait 6 281119us close 18us flush 354580us
tx_flush:1033: disk0s1 tx xid 344 took 1046026 us to sync and write superblock
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
panic(cpu 3 caller 0xfffffff009169144): userspace watchdog timeout: no successful checkins from com.apple.thermalmonitord since load
service returned not alive with context : is_alive_func returned unhealthy : current 400000000000, mask 7fffffffffff, expected 7fffffffffff. SD: 1 Missing sensor(s): TG0B TG0V TP1A TP2C TP3R TP4H TP5d TP0Z Th0a Th0f Th0x Th1a Th1f Th1x Th2a Th2f Th2x Tc0a Tc0f Tc0x Tc1a Tc1f Tc1x Tc2a Tc2f Tc2x
service: com.apple.backboardd, total successful checkins since load (180 seconds ago): 19, last successful checkin: 0 seconds ago
service: com.apple.mediaserverd, total successful checkins since load (180 seconds ago): 17, last successful checkin: 0 seconds ago
service: com.apple.logd, total successful checkins since load (180 seconds ago): 19, last successful checkin: 0 seconds ago
service: com.apple.thermalmonitord, no successful checkins since load (180 seconds ago)
service: com.apple.runningboardd, total successful checkins since load (180 seconds ago): 19, last successful checkin: 0 seconds ago
service: com.apple.wifid, total successful checkins s
Debugger message: panic
Memory ID: 0x0
OS release type: Beta
OS version: 18A5351d
Kernel version: Darwin Kernel Version 20.0.0: Wed Aug 12 22:56:55 PDT 2020; root:xnu-7195.0.33~64/RELEASE_ARM64_T8030
Kernel UUID: FDDAF386-4EA2-35FC-8235-1F167AEFD6F3
iBoot version: qemu-t8030
secure boot?: YES
Paniclog version: 13
Kernel text base: 0xfffffff007004000
mach_absolute_time: 0x11ab03024
Epoch Time: sec usec
Boot : 0x62376f1f 0x000825ce
Sleep : 0x00000000 0x00000000
Wake : 0x00000000 0x00000000
Calendar: 0x62376fe3 0x0008cccd
Total cpu_usage: 118819282
Thread task pri cpu_usage
0xffffffe19c0cd170 watchdogd 97 0
0xffffffe19c868000 backboardd 63 0
0xffffffe19c0cc5d0 thermalmonitord 37 0
0xffffffe19cb84000 watchdogd 31 105505
0xffffffe19cae68b0 lsd 31 4488402
Panicked task 0xffffffe19be98640: 242 pages, 5 threads: pid 52: watchdogd
Panicked thread: 0xffffffe19c0cd170, backtrace: 0xffffffe9c237b1e0, tid: 549
lr: 0xfffffff007a2af48 fp: 0xffffffe9c237b220
lr: 0xfffffff007a2ad48 fp: 0xffffffe9c237b290
lr: 0xfffffff007b64940 fp: 0xffffffe9c237b2b0
lr: 0xfffffff007b56e1c fp: 0xffffffe9c237b370
lr: 0xfffffff00811c5f4 fp: 0xffffffe9c237b380
lr: 0xfffffff007a2aa30 fp: 0xffffffe9c237b700
lr: 0xfffffff007a2aa30 fp: 0xffffffe9c237b760
lr: 0xfffffff0097db9c0 fp: 0xffffffe9c237b780
lr: 0xfffffff009169144 fp: 0xffffffe9c237b7a0
lr: 0xfffffff009168e38 fp: 0xffffffe9c237b7c0
lr: 0xfffffff00808cb78 fp: 0xffffffe9c237b820
lr: 0xfffffff009168130 fp: 0xffffffe9c237b900
lr: 0xfffffff00809a98c fp: 0xffffffe9c237baa0
lr: 0xfffffff007b25190 fp: 0xffffffe9c237bbc0
lr: 0xfffffff007a30e9c fp: 0xffffffe9c237bc20
lr: 0xfffffff007a021d8 fp: 0xffffffe9c237bca0
lr: 0xfffffff007a1d810 fp: 0xffffffe9c237bd60
lr: 0xfffffff007b4a434 fp: 0xffffffe9c237be30
lr: 0xfffffff007b57094 fp: 0xffffffe9c237bef0
lr: 0xfffffff00811c5f4 fp: 0xffffffe9c237bf00
** Stackshot Succeeded ** Bytes Traced 115555 (Uncompressed 294176) **
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
wdog panic (attempt 1)
wdt_update: wdog reset chip
This is my startup script, which is the same as the one found in the Bringing Up The Emulator - Auto Boot section;
I only added -noconsole -vnc :1 -k es
qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=Firmware/038-44135-124.dmg.trustcache,ticket-filename=root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb Firmware/all_flash/DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v" \
-initrd 038-44135-124.dmg \
-cpu max -smp 4 \
-m 4G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait \
-nographic \
-vnc :1 -k es \
Currently, the implementation of the ApplePMGR device is inadequate, so it will cause a kernel data abort in ApplePMGR::panicHW when the kernel panics.
In the meantime, the issue can be worked around by replacing the first instruction of mapping pmp's reg.ApplePMGR::panicHW with a RET instruction.
This issue should be addressed by either implementing a better version of PMGR or patching the DeviceTree from xnu.c.
I am attempting to install iOS 15.5 on the QEMU machine with an iOS 15.5 kernelcache. Every time I go through the restore procedure, it fails at checkpoint 1662 with an invalid GPT header error.
iOS log excerpt (Full iOS log)
[23:53:00.0051-GMT]{3>6} CHECKPOINT BEGIN: RESTORED:[0x067E] verify_storage_for_update
restore-step-ids = {0x1103067E:26}
restore-step-names = {0x1103067E:verify_storage_for_update}
restore-step-uptime = 103
restore-step-user-progress = 0
[23:53:00.0106-GMT]{3>6} CHECKPOINT FAILURE:(FAILURE:78) RESTORED:[0x067E] verify_storage_for_update [0]D(Storage with invalid GPT header 0000000000000000 0000000000000000)
restore-step-results = {0x1107067E:{0:78}}
restore-step-codes = {0x1107067E:{0:78}}
restore-step-domains = {0x1107067E:{0:"AMRestoreErrorDomain"}}
restore-step-error = {0x1107067E:"[0]D(Storage with invalid GPT header 0000000000000000 0000000000000000)"}
restore-step-uptime = 103
restore-step-user-progress = 0
[23:53:00.0135-GMT]{3>6} CHECKPOINT NOTICE: (NVRAM set) restore-step-user-progress=0 [sync=true] (first failure)
[23:53:00.0141-GMT]{3>6} CHECKPOINT BEGIN: RESTORED:[0x067C] cleanup_boot_command
QEMU boot args
#!/bin/sh
~/ios_test/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=Firmware/078-12427-117.dmg.trustcache,ticket-filename=root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb Firmware/all_flash/DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v" \
-initrd 078-12427-117.dmg \
-cpu max -smp 4 \
-m 4G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait -vnc 127.0.0.2:1
I was compiling this to try it out myself, but after a while of compilation, it gave this error:
FAILED: libcommon.fa.p/hw_block_apple_ans.c.o
cc -Ilibcommon.fa.p -I../capstone/include/capstone -I/usr/include/pixman-1 -I/usr/include/libpng16 -I/usr/include/p11-kit-1 -I/usr/include/SDL2 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/sysprof-4 -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/gio-unix-2.0 -I/usr/local/include -I/usr/include/slirp -I/usr/include/gtk-3.0 -I/usr/include/pango-1.0 -I/usr/include/harfbuzz -I/usr/include/freetype2 -I/usr/include/fribidi -I/usr/include/cairo -I/usr/include/lzo -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/cloudproviders -I/usr/include/atk-1.0 -I/usr/include/at-spi2-atk/2.0 -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -I/usr/include/at-spi-2.0 -I/usr/include/vte-2.91 -I/usr/include/virgl -I/usr/include/cacard -I/usr/include/nss -I/usr/include/nspr -I/usr/include/libusb-1.0 -fdiagnostics-color=auto -Wall -Winvalid-pch -Werror -std=gnu11 -O2 -g -isystem /home/porya/qemu-t8030/linux-headers -isystem linux-headers -iquote . -iquote /home/porya/qemu-t8030 -iquote /home/porya/qemu-t8030/include -iquote /home/porya/qemu-t8030/disas/libvixl -iquote /home/porya/qemu-t8030/tcg/i386 -pthread -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -m64 -mcx16 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fno-common -fwrapv -Wold-style-declaration -Wold-style-definition -Wtype-limits -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wempty-body -Wnested-externs -Wendif-labels -Wexpansion-to-defined -Wimplicit-fallthrough=2 -Wno-missing-include-dirs -Wno-shift-negative-value -Wno-psabi -fstack-protector-strong -fPIE -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=600 -DNCURSES_WIDECHAR -D_REENTRANT -Wno-undef -DSTRUCT_IOVEC_DEFINED -MD -MQ libcommon.fa.p/hw_block_apple_ans.c.o -MF libcommon.fa.p/hw_block_apple_ans.c.o.d -o libcommon.fa.p/hw_block_apple_ans.c.o -c ../hw/block/apple_ans.c
../hw/block/apple_ans.c: In function ‘apple_ans_create’:
../hw/block/apple_ans.c:141:9: error: unused variable ‘i’ [-Werror=unused-variable]
141 | int i;
| ^
cc1: all warnings being treated as errors
ninja: build stopped: subcommand failed.
make: *** [Makefile:156: run-ninja] Error 1
No idea what could've caused this
It will be stuck on waiting for host to trigger start of restore [timeout of 120 seconds] forever.
Do I need to run a Linux VM connected to it to run the restore?
(log on pastebin as it is too long for github)
https://pastebin.com/CaC9ZXnF
I was following the Wiki guide and was restoring the emulator, but shortly after starting the restore process, it hangs and then panics at Creating 7 namespaces on NAND.
Here is the full log from start to panic. File modification dates show that the nvme.1 and nvram storage files were modified, but they still look zeroed out (except the header in nvram). My environment is macOS 12.4 on an M1 MacBook Air, and I compiled the tools and code as of today. Below is my launch command.
qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=firmware/Firmware/038-44135-124.dmg.trustcache,ticket-filename=root_ticket.der \
-kernel firmware/kernelcache.research.iphone12b \
-dtb firmware/Firmware/all_flash/DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v -wdt=-1" \
-initrd firmware/038-44135-124.dmg \
-cpu max -smp 6 \
-m 4G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait
Followed the wiki.
qemu-t8030/build/qemu-system-aarch64 -s -M s8000,force-dfu=false \
-bios "s8000/SecureROM for s8000si, iBoot-2234.0.0.3.3" \
-dtb DeviceTree.n71ap.im4p \
-cpu max -smp 1 -nographic \
-d guest_errors \
-m 4G -serial mon:stdio \
-drive file=s8000.nor,format=raw,if=none,id=nor \
-device m25p128,drive=nor,bus=spi0.bus \
-monitor telnet:127.0.0.1:1235,server,nowait
Register redefined: cp=19 32 bit crn=15 crm=0 opc1=4 opc2=4, was ARM64_REG_APCTL_EL1, now APCTL_EL1
**
ERROR:../target/arm/helper.c:8836:add_cpreg_to_hashtable: code should not be reached
Bail out! ERROR:../target/arm/helper.c:8836:add_cpreg_to_hashtable: code should not be reached
[1] 11936 abort qemu-t8030/build/qemu-system-aarch64 -s -M s8000,force-dfu=false -bios -dtb
In the Bringing up the emulator page, the iOS firmware is extracted to the iphone folder, but subsequent commands use the root directory for files in it.
Example:
python3 qemu-t8030-tools/bootstrap_scripts/asn1rdskdecode.py 038-44087-125.dmg 038-44087-125.dmg.out
Suggested edit:
python3 qemu-t8030-tools/bootstrap_scripts/asn1rdskdecode.py iphone/038-44087-125.dmg iphone/038-44087-125.dmg.out
I followed the instructions in the wiki, built QEMU from this repo, and launched a Linux VM using it (I use Slax). I also generated root_ticket.der and put it in both the host Linux and the guest Linux VM, then started the Linux VM and then the iOS VM.
The iOS VM boots to the line waiting for host to trigger start of restore [timeout of 120 seconds]
But the Linux VM can't find the device, although it found something using lsusb:
/tmp/usbqemu is available in the host:
When the iOS VM runs out of time and reboots, it shows something like RTBuddy(SMC): WARNING: failed to send ping.
Any ideas? Thanks!
The "reboot" command which worked in previous commits now causes the emulator to hang on "AMFI is running in RESEARCH mode!"
Boot command:
../qemu-system-aarch64 -accel tcg,tb-size=8192 -s -M t8030,trustcache-filename=static_tc,ticket-filename=root_ticket.der -kernel kernelcache.research.iphone12b -dtb Firmware/all_flash/DeviceTree.n104ap.im4p -append "debug=0x14e kextlog=0xffff serial=3 -v wdt=-1 launchd_unsecure_cache=1" -initrd 038-44135-124.dmg -cpu max -smp 4 -m 4G -serial mon:stdio -drive file=nvme.1,format=raw,if=none,id=drive.1 -device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.2,format=raw,if=none,id=drive.2 -device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.3,format=raw,if=none,id=drive.3 -device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.4,format=raw,if=none,id=drive.4 -device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 -drive file=nvram,if=none,format=raw,id=nvram -device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.6,format=raw,if=none,id=drive.6 -device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.7,format=raw,if=none,id=drive.7 -device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 -monitor telnet:127.0.0.1:1235,server,nowait -nographic
Full log:
`Loading iOS 14.0...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00a4cd4f0
KPF: found apfs_vfsop_mount
KPF: found handle_eval_rootauth
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff007b5d718
kpf_amfi_callback: Found lookup_in_static_trust_cache
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Routine)
kpf_amfi_callback: start @ 0xfffffff0097edcb8
kpf_amfi_callback: Found lookup_in_trust_cache_module
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
Qemu FB realize
g_virt_base: 0xfffffff004000000
g_phys_base: 0x0000000802000000
entry: 0x00000008061204e8
boot_mode: 0
auto-boot=true
cmdline: [debug=0x14e kextlog=0xffff serial=3 -v wdt=-1 launchd_unsecure_cache=1]
iBoot version: qemu-t8030
Darwin Image4 Validator Version 3.0.0: Wed Aug 12 22:19:21 PDT 2020; root:AppleImage4-106.0.4.0.1~129/AppleImage4/RELEASE_ARM64E
AMFI is running in RESEARCH mode!
AUC:[0xffffffe19b7cf810]::init(0xffffffe19b80e2d8)
AUC:[0xffffffe19b7cf810]::probe(0xffffffe19b59dd60, 0xffffffe8080cbdac)
AppleCredentialManager: init: called, instance = .
ACMFirstResponderKernelService: init: called, .
ACMRM-S: init: called, starting PersistentStore service.
ACMRM-C: init: called, starting AccessoryCache service.
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache size = 16 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache expiration = 2592000 (default).
ACMRM: init: called, starting TRM service.
ACMRM-A: init: called, starting TRM Analytics service.
ACMKernelService: initValueFromBootArgAliasesUInt32: analytics collection period = 86400 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: policy mode timeout = 259200 (default).
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: (bounded) grace period timeout = 3600 (default).
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: enabled = 1 (default).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO* BtArg=NO LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO* LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _loadDisabledByOSEnvironment: disabled by OSEnvironment: NO.
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO LegHW=NO OSEnv=NO* | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200.
ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(n=1) while DISABLED, TRM: 259200 -/ff 4294967295 -/ff miss=ff (CUR: 259200 -/ff 4294967295 -/ff).
AppleCredentialManager: init: returning, result = true, instance = .
AppleARMBootPerf: Error: profile region not found (2)
AppleARMBootPerf: Error: failed to publish profile data (2)
virtual bool CoreAnalyticsHub::start(IOService *)::105:CoreAnalyticsHub start
AppleSSE::start called
AppleSSE::start returning, result = 1
AUC:[0xffffffe19b7cf810]::start(0xffffffe19b59dd60)
AppleSEPKeyStore:321:0: starting (BUILT: Aug 12 2020 22:51:30)
AppleSEPKeyStore:545:0: _sep_enabled = 1
AppleCredentialManager: start: called, instance = .
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleCredentialManager: start: initializing power management, instance = .
AppleCredentialManager: start: started, instance = .
AppleCredentialManager: start: returning, result = true, instance = .
AppleInterruptController::start: Num Shared Timestamps == 0
AppleGPIOICController::start: this: , _gpioicBaseAddress:
AppleS8000AES::start: registers at phys:0x0x235008000/0x0x23d2d0000 virt:0x/0x0x4000 / 0x/0x0x4000
AppleGPIOICController::start: this: , _gpioicBaseAddress:
AppleGPIOICController::start: this: , _gpioicBaseAddress:
virtual bool AppleARMLightEmUp::start(IOService *): starting...
AppleS5L8960XUSBPhy::start: hsic disabled
000001.007726 wlan0.A[1] start@968:Default options property found with value 4
Creating an object of AppleBCMWLANPlatformFunctionEmbeddedAMFM class
000001.032073 wlan0.A[2] start@1401: Raised adjustBusy(+1), getBusyState() -> 1
000001.032210 wlan0.A[3] start@1403:Setting up notifier for CoreAnalyticsHub
000001.046332 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::prepareDefaults: model iPhone version 12.1
AppleA7IOPNub: withRegistryEntry, 47: allocated nub
Identified Serial Port uart0 at 0x235200000()
Identified Serial Port uart7 at 0x23521c000()
RTBuddy(SMC): start() - (Aug 12 2020@22:50:37)
RTBuddy(SMC): Boot args override: wdt = -1
RTBuddy(SMC): Resuming...
AppleA7IOPNub: withRegistryEntry, 47: allocated nub
Starting AppleSMC kext() - (Aug 12 2020@22:51:44)
AppleSMCEmbedded::setPowerState(): ENTER powerStateOrdinal=1, _activeKeyCommand=0 newState=1
RTBuddy(ANS2): start() - (Aug 12 2020@22:50:37)
RTBuddy(ANS2): Boot args override: wdt = -1
RTBuddy(ANS2): Resuming...
AppleA7IOPNub: withRegistryEntry, 47: allocated nub
RTBuddy(SIO): start() - (Aug 12 2020@22:50:37)
RTBuddy(SIO): Boot args override: wdt = -1
/Library/Caches/com.apple.xbs/Sources/AppleSMC/AppleSMC-589.0.5/AppleSMCEmbeddedCharger/AppleSMCCharger.cpp:408 _setPowerStateGated() ENTER powerStateOrdinal=1, _powerState=1
LPM: Log data is NOT valid. 0x0 0x0
AppleDialogSPMIPMU::start: Primary PMU detected
virtual IOService AppleANS2NVMeController::probe(IOService , SInt32 )::194:Found (ANS2) provider, returning score 100000
AppleARMRTC started!#####
AppleDialogSPMIPMURTC started!***
Failed to read info-leg_scrpadvirtual bool AppleANS2NVMeController::start(IOService *)::394:Found the ANS2Endpoint1
000001.146106 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
AppleDialogSPMIPMURTC tick read!&&&&&&&
AppleDialogSPMIPMURTC ending!%%%
bool AppleEmbeddedNVMeController::SetNamespacesStruct()::186:Obtained 7 namespaces from DT
virtual IOFilterInterruptEventSource *AppleANS2NVMeController::CreateDeviceInterrupt(IOInterruptEventSource::Action, IOFilterInterruptEventSource::Filter, IOService *)::2719:ANS2 NVMe interrupt index - 0x4
AppleARMRTC registering service!@@@@@@
000001.150276 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
AppleARMRTC service registered!$$$$$
AppleARMRTC publishing service!^^^^^^
apfs_module_start:2411: load: com.apple.filesystems.apfs, v1677.0.5, apfs-1677.0.5, 2020/08/12
com.apple.AppleFSCompressionTypeZlib kmod start
apfs_sysctl_register:1253: done registering sysctls.
com.apple.AppleFSCompressionTypeZlib load succeeded
L2TP domain init
L2TP domain init complete
Load request for com.apple.nke.pptp failed: -603946998
Waiting on IOProviderClassIOMediaIOPropertyMatchPartition ID0x1
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=0 entrysize=64
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=1 entrysize=128
ANS2: MMIO write to unknown vendor register, offset=0x1210 value=0x240024, returning
ANS2: MMIO write to unknown vendor register, offset=0x24004 value=0x1000, returning
ANS2: MMIO write to unknown vendor register, offset=0x24008 value=0x0, returning
ANS2: MMIO write to unknown vendor register, offset=0x24118 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24108 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24420 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24414 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x2441c value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24418 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24144 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24524 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24508 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24504 value=0x10002, returning
virtual void AppleANS2NVMeController::SetModeselRegister(uint32_t)::1186:Setting modesel to 0
ANS2: MMIO write to unknown vendor register, offset=0x1304 value=0x0, returning
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1964:nvme: Vendor ID : 0x1b36
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1965:nvme: Model Number : QEMU NVMe Ctrl
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1966:nvme: Serial Number : QEMUT8030ANS
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1967:nvme: Firmware Rev : 1.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2000:nvme: S3E A0 Invalid 1x slc 1D 0 plane 128GB NAND
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2009:ECCVersion : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2010:FTL Rev : 0.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2011:DM_Version : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2012:=======================
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2019:Found 16 namespaces in current NAND
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[1] as nstype[1]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[2] as nstype[2]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[3] as nstype[3]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[4] as nstype[4]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[5] as nstype[5]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[6] as nstype[6]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[7] as nstype[8]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[8] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[9] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[10] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[11] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[12] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[13] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[14] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[15] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[16] as nstype[0]
bool AppleEmbeddedNVMeController::SetSwapWriteLimit(uint32_t)::2192: Swap limit set to 2147483648bytes, 2GB
uint32_t AppleEmbeddedNVMeNVRAM::GetNVRAMSize()::745:NVRAM size is 8192 bytes
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1578:allocateAll 1
dev_init:297: disk0 device accelerated crypto: 0 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0 device_handle block size 4096 block count 8388597 features 0 internal
nx_kernel_mount:1134: disk0 initializing cache w/hash_size 4096 and cache size 10064
nx_kernel_mount:1234: disk0 container cleanly-unmounted flag set.
nx_kernel_mount:1402: disk0 checkpoint search: largest xid 376, best xid 376 @ 187
import_iboot_forwarded_roothash:2577: importing root hash ...
apfs_extract_root_hash_arm:10001: could not retrieve system-volume-auth-blob from device tree
import_iboot_forwarded_roothash:2580: apfs_extract_root_hash_and_manifest failed with error: No such file or directory (2)
Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOGUIDPartitionScheme/Container@1
BSD root: disk0s1, major 1, minor 1
apfs_vfsop_mountroot:2188: apfs: mountroot called!
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 2, NSTYPE - 2
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 4096 block count 8388597 features 22 internal solidstate
nx_kernel_mount:1134: disk0s1 initializing cache w/hash_size 4096 and cache size 10064
nx_kernel_mount:1234: disk0s1 container cleanly-unmounted flag set.
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 3, NSTYPE - 3
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 6, NSTYPE - 6
[effaceable:ERR ] unable to find content
[effaceable:INIT] started
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 7, NSTYPE - 8
virtual IOReturn AppleNVMeNamespaceDevice::GetDeviceProperties()::269: Logical Blocks Size = 4096
virtual IOReturn AppleNVMeNamespaceDevice::GetDeviceProperties()::272: Block Count = 256
virtual bool AppleNVMeNamespaceDevice::start(IOService *)::111:NVMe Namespace Device registration done for NSID: 7, NSTYPE: 8
virtual bool AppleEmbeddedNVMeController::StartController()::1547:Setting NAND status to Ready
nx_kernel_mount:1402: disk0s1 checkpoint search: largest xid 376, best xid 376 @ 187
apfs_vfsop_mount:1848: Promoter has been locked for disk0s1
failed to find root-snapshot-name snapshot
handle_mount:627: vol-uuid: 75563A84-CD28-4FDF-A5CD-FDFB101AF003 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.12)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6634: Volume System is not in a volume group
apfs_vfsop_mount:2171: disk0s1s1:0 mounted volume: System
dyld: setting comm page to 0x0
Sun Apr 10 10:57:29 2022 com.apple.xpc.launchd[1] : hello
Darwin Bootstrapper Version 7.0.0: Mon Aug 10 04:09:14 PDT 2020; root:libxpc_executables-2038.0.1313/launchd/RELEASE_ARM64E129/AppleImage4/RELEASE_ARM64E
boot-args = debug=0x14e kextlog=0xffff serial=3 -v wdt=-1 launchd_unsecure_cache=1
Sun Apr 10 10:57:29 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) : entering ondemand mode
Sun Apr 10 10:57:29 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: fsck
** Checking the container superblock.
** Checking the object map.
** Checking volume.
** Checking the APFS volume superblock.
** The volume System was formatted by newfs_apfs (945.200.129.100.10) and last modified by apfs_kext (1934.101.3).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Data was formatted by newfs_apfs (1677.0.5) and last modified by apfs_kext (1677.0.5).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Hardware was formatted by newfs_apfs (1677.0.5) and last modified by apfs_kext (1677.0.5).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Preboot was formatted by newfs_apfs (1677.0.5) and last modified by apfs_kext (1677.0.5).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Update was formatted by newfs_apfs (1677.0.5) and last modified by apfs_kext (1677.0.5).
** QUICKCHECK ONLY; FILESYSTEM CLEAN
Sun Apr 10 10:57:30 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: mount-phase-1
mount: found boot container: /dev/disk0s1, data volume: /dev/disk0s1s2 env: 1
handle_mount:627: vol-uuid: C022658D-2D8A-43EF-9511-578DEA98F3F6 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6628: Volume Preboot role 10 Not a System or data volume
apfs_vfsop_mount:2171: disk0s1s4:0 mounted volume: Preboot
/dev/disk0s1s4 on /private/preboot (apfs, local, nodev, nosuid, read-only, journaled, noatime, nobrowse)
Sun Apr 10 10:57:30 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: data-protection
init_data_protection: No SEP present on this device
Sun Apr 10 10:57:31 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: finish-obliteration
Obliterator: In INIT check
IORegistryEntryGetProperty failed, may be does not exist
Obliterator: No obliteration needed, continue booting, returning 0
Sun Apr 10 10:57:31 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: commit-boot-mode
Sun Apr 10 10:57:31 2022 localhost com.apple.xpc.launchd[1] : boot-mode committed: (null)
Sun Apr 10 10:57:31 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: restore-datapartition
Sun Apr 10 10:57:31 2022 localhost com.apple.xpc.launchd[1] : restore-datapartition: optional boot task not present
Sun Apr 10 10:57:31 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: mount-phase-2
mount: found boot container: /dev/disk0s1, data volume: /dev/disk0s1s2 env: 1
spaceman_metazone_init:189: disk0s1 metazone for device 0 of size 262143 blocks (encrypted: 8126454-8257525 unencrypted: 8257525-8388597)
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 1 blocks starting at paddr 4096000
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 2 blocks starting at paddr 32768
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 3 blocks starting at paddr 65536
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 4 blocks starting at paddr 98304
dev_dump:256: Aggregate constructed: dev= di=0 dv_num_slice=15 dv_num_slice_blk=589824 dv_num_lslice_blk=131061
migrate_media_keys_if_needed:1206: no media keys to migrate for container = disk0s1
mount: failed to migrate Media Keys, error = c002
handle_mount:627: vol-uuid: 3344C381-3F31-4426-8AD2-CE2A55208C63 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6634: Volume Data is not in a volume group
apfs_vfsop_mount:2171: disk0s1s2:0 mounted volume: Data
/dev/disk0s1s2 on /private/var (apfs, local, nodev, nosuid, journaled, noatime)
handle_mount:627: vol-uuid: 1EB53D1F-1473-4853-8EB9-2AA055605BF1 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6628: Volume Update role c0 Not a System or data volume
apfs_vfsop_mount:2171: disk0s1s5:0 mounted volume: Update
/dev/disk0s1s5 on /private/var/MobileSoftwareUpdate (apfs, local, nodev, nosuid, journaled, noatime, nobrowse)
handle_mount:627: vol-uuid: A285CE9A-F9B3-4409-8E33-0BB7E2341F82 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6628: Volume Hardware role 140 Not a System or data volume
apfs_vfsop_mount:2171: disk0s1s3:0 mounted volume: Hardware
/dev/disk0s1s3 on /private/var/hardware (apfs, local, nodev, nosuid, journaled, noatime, nobrowse)
Sun Apr 10 03:57:32 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: init-with-data-volume
Sun Apr 10 03:57:32 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: MSUEarlyBootTask
main: MSUEarlyBootTask running
spaceman_trim_free_blocks:3361: disk0s1 scan took 0.962146 s, trims took 0.716117 s
spaceman_trim_free_blocks:3369: disk0s1 6511505 blocks free in 17343 extents
spaceman_trim_free_blocks:3377: disk0s1 6511505 blocks trimmed in 17343 extents (41 us/trim, 24218 trims/s)
spaceman_trim_free_blocks:3380: disk0s1 trim distribution 1:11316 2+:2452 4+:1743 16+:1305 64+:459 256+:68
main: Content from the ramdisk will be present at /private/var/MobileSoftwareUpdate/5118ea8f39ff61d152ba7e1f92591910cde7a2b09b867d8d58dc37e2cdc0b7c98dd296d4bf57862d143413dd17012d70-MSUData if it exists
MSUEarlyBootTask: I have nothing to do. Goodbye!!
Sun Apr 10 03:57:32 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: fips
Tracing: disabled
FIPSPOST_USER [146790609] fipspost_post:158: PASSED: (7 ms) - fipspost_post_integrity
FIPSPOST_USER [146820463] fipspost_post:164: PASSED: (0 ms) - fipspost_post_hmac
FIPSPOST_USER [146829292] fipspost_post:165: PASSED: (0 ms) - fipspost_post_aes_ecb
FIPSPOST_USER [146838341] fipspost_post:166: PASSED: (0 ms) - fipspost_post_aes_cbc
FIPSPOST_USER [147183878] fipspost_post:167: PASSED: (14 ms) - fipspost_post_rsa_sig
FIPSPOST_USER [147380878] fipspost_post:168: PASSED: (8 ms) - fipspost_post_ecdsa
FIPSPOST_USER [147424804] fipspost_post:169: PASSED: (1 ms) - fipspost_post_ecdh
FIPSPOST_USER [147436170] fipspost_post:170: PASSED: (0 ms) - fipspost_post_drbg_ctr
FIPSPOST_USER [147455780] fipspost_post:171: PASSED: (0 ms) - fipspost_post_aes_ccm
FIPSPOST_USER [148233512] fipspost_post:173: PASSED: (32 ms) - fipspost_post_pbkdf
FIPSPOST_USER [148242268] fipspost_post:174: PASSED: (0 ms) - fipspost_post_kdf_ctr
FIPSPOST_USER [148452926] fipspost_post:175: PASSED: (8 ms) - fipspost_post_aes_gcm
FIPSPOST_USER [148467024] fipspost_post:176: PASSED: (0 ms) - fipspost_post_aes_xts
FIPSPOST_USER [148490219] fipspost_post:177: PASSED: (0 ms) - fipspost_post_tdes_cbc
FIPSPOST_USER [148506780] fipspost_post:178: PASSED: (0 ms) - fipspost_post_drbg_hmac
FIPSPOST_USER [148743317] fipspost_post:180: PASSED: (9 ms) - fipspost_post_ffdh
FIPSPOST_USER [149010926] fipspost_post:181: PASSED: (11 ms) - fipspost_post_rsa_enc_dec
FIPSPOST_USER [149013853] fipspost_post:201: all tests PASSED (100 ms)
Sun Apr 10 03:57:32 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: keybag
****** DIAGNOSTICS MODE ENABLED, SKIP INIT ****
Sun Apr 10 03:57:32 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: usermanagerd
Sun Apr 10 03:57:33 2022 localhost com.apple.xpc.launchd[1] : usermanagerd: optional boot task not present
Sun Apr 10 03:57:33 2022 localhost com.apple.xpc.launchd[1] : launchd logging initialized
Sun Apr 10 03:57:33 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: xpcroleaccountd
Sun Apr 10 03:57:33 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: init_featureflags
init_featureflags: skipping directory: /System/Library/FeatureFlags/Domain
init_featureflags: skipping directory: /Library/Preferences/FeatureFlags/Domain
Sun Apr 10 03:57:33 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: fud
objc[19]: Class UARPManifestProperties is implemented in both /System/Library/PrivateFrameworks/CoreUARP.framework/CoreUARP and /System/Library/PrivateFrameworks/MobileAccessoryUpdater.framework/Support/fud. One of the two will be used. Which one is undefined.
fud: -FudEarlyBoot doFUDEarlyBoot:: Starting Early Boot
fud: No Early Boot Accessories
fud: -FudEarlyBoot doFUDEarlyBoot:: End Early Boot
Sun Apr 10 03:57:34 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: tzinit
Sun Apr 10 03:57:34 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: finish-restore
Sun Apr 10 03:57:34 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: finish-demo-restore
Sun Apr 10 03:57:34 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: sysstatuscheck
Sun Apr 10 03:57:34 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: prng_seedctl
PRNG diagnostics:
0 user reseeds, 1 scheduled reseeds, 80 max samples in a scheduled reseed, 122 max samples in an entropy input
generator 0: 2 rekeys, 481 requests, 5808 total bytes requested, 64 max bytes requested in a request, 3656 bytes requested since rekey, 3656 max bytes requested between rekeys
generator 1: 2 rekeys, 47 requests, 836 total bytes requested, 64 max bytes requested in a request, 788 bytes requested since rekey, 788 max bytes requested between rekeys
generator 2: 2 rekeys, 10 requests, 112 total bytes requested, 16 max bytes requested in a request, 32 bytes requested since rekey, 80 max bytes requested between rekeys
generator 3: 2 rekeys, 0 requests, 0 total bytes requested, 0 max bytes requested in a request, 0 bytes requested since rekey, 0 max bytes requested between rekeys
pool 0: 0 samples, 1 drains, 80 max samples
pool 1: 122 samples, 0 drains, 122 max samples
pool 2: 41 samples, 0 drains, 41 max samples
pool 3: 69 samples, 0 drains, 69 max samples
pool 4: 87 samples, 0 drains, 87 max samples
pool 5: 114 samples, 0 drains, 114 max samples
pool 6: 34 samples, 0 drains, 34 max samples
pool 7: 50 samples, 0 drains, 50 max samples
pool 8: 88 samples, 0 drains, 88 max samples
pool 9: 41 samples, 0 drains, 41 max samples
pool 10: 83 samples, 0 drains, 83 max samples
pool 11: 49 samples, 0 drains, 49 max samples
pool 12: 40 samples, 0 drains, 40 max samples
pool 13: 50 samples, 0 drains, 50 max samples
pool 14: 122 samples, 0 drains, 122 max samples
pool 15: 70 samples, 0 drains, 70 max samples
pool 16: 0 samples, 0 drains, 0 max samples
pool 17: 0 samples, 0 drains, 0 max samples
pool 18: 0 samples, 0 drains, 0 max samples
pool 19: 0 samples, 0 drains, 0 max samples
pool 20: 0 samples, 0 drains, 0 max samples
pool 21: 0 samples, 0 drains, 0 max samples
pool 22: 0 samples, 0 drains, 0 max samples
pool 23: 0 samples, 0 drains, 0 max samples
pool 24: 0 samples, 0 drains, 0 max samples
pool 25: 0 samples, 0 drains, 0 max samples
pool 26: 0 samples, 0 drains, 0 max samples
pool 27: 0 samples, 0 drains, 0 max samples
pool 28: 0 samples, 0 drains, 0 max samples
pool 29: 0 samples, 0 drains, 0 max samples
pool 30: 0 samples, 0 drains, 0 max samples
pool 31: 0 samples, 0 drains, 0 max samples
failed to load virtual random: (-147) (-536870212)
Sun Apr 10 03:57:34 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: launchd_cache_loader
0 Found valid port: 5123 Valid: 1
1 Found valid port: 0 Valid: 0
2 Found valid port: 0 Valid: 0
Using default cache paths
Code: /System/Library/xpc/launchd.plist Sig: /System/Library/xpc/launchd.plist.sig
Using unsecure cache: /System/Library/xpc/launchd.plist
Trying to send bytes to launchd: 5123 16384
Sending validated cache to launchd
Cache sent to launchd successfully
Sun Apr 10 03:57:34 2022 localhost com.apple.xpc.launchd[1] : launchd UUID: 4C2464F5-9F87-31DE-B252-584E3391D4FA
Sun Apr 10 03:57:34 2022 localhost com.apple.xpc.launchd[1] : Early boot complete. Continuing system boot.
bash-5.0# reboot
Sun Apr 10 03:57:37 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) : System shutdown initiated by: reboot.27<-bash.26<-launchd.1
Sun Apr 10 03:57:37 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) : shutdown UNINITIALIZED -> COMMITTED
Sun Apr 10 03:57:37 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) : shutdown WAITING_ON_COALITIONS -> LAUNCH_SHUTDOWN_TEARDOWN
Sun Apr 10 03:57:37 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) : Userspace teardown took: 166 ms
Sun Apr 10 03:57:37 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) : Will be calling reboot(2) with flags: 0x0
Sun Apr 10 03:57:37 2022 localhost com.apple.xpc.launchd[1] : Quiescing queues
Sun Apr 10 03:57:37 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) : shutdown LAUNCH_SHUTDOWN_TEARDOWN -> WAITING_ON_QUIESCE
launchd quiesce complete
apfs_stop_bg_work:1019: System is shutting down stop any bg work
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'Hardware'
apfs_vfsop_unmount:2406: waiting for cleaners to finish: purgatory
nx_volume_group_update:6628: Volume Hardware role 140 Not a System or data volume
apfs: total mem allocated: 1504392 (1 mb);
apfs_vfsop_unmount:2682: all done. going home. (numMountedAPFSVolumes 4)
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'Update'
apfs_vfsop_unmount:2406: waiting for cleaners to finish: purgatory
nx_volume_group_update:6628: Volume Update role c0 Not a System or data volume
apfs: total mem allocated: 1501756 (1 mb);
apfs_vfsop_unmount:2682: all done. going home. (numMountedAPFSVolumes 3)
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'Data'
apfs_vfsop_unmount:2406: waiting for cleaners to finish: purgatory
nx_volume_group_update:6634: Volume Data is not in a volume group
apfs: total mem allocated: 1490675 (1 mb);
apfs_vfsop_unmount:2682: all done. going home. (numMountedAPFSVolumes 2)
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'Preboot'
nx_volume_group_update:6628: Volume Preboot role 10 Not a System or data volume
apfs: total mem allocated: 1486659 (1 mb);
apfs_vfsop_unmount:2682: all done. going home. (numMountedAPFSVolumes 1)
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'System'
nx_volume_group_update:6634: Volume System is not in a volume group
dev_dump:256: Aggregate destructed: dev= di=0 dv_num_slice=15 dv_num_slice_blk=589824 dv_num_lslice_blk=131061
apfs: total mem allocated: 64 (0 mb);
apfs_vfsop_unmount:2682: all done. going home. (numMountedAPFSVolumes 0)
virtual void AppleEmbeddedNVMeController::systemWillShutdown(IOOptionBits)::4247:Entry, inOptions - 0xe0000310
virtual void AppleNVMeController::systemWillShutdown(IOOptionBits)::1311:Entry, inOptions - 0xe0000310
virtual void IONVMeController::systemWillShutdown(IOOptionBits)::509:Entry, inOptions - 0xe0000310
virtual void IONVMeController::systemWillShutdown(IOOptionBits)::559:Exit, inOptions - 0xe0000310
virtual void AppleEmbeddedNVMeController::systemWillShutdown(IOOptionBits)::4257:Exit, inOptions - 0xe0000310
IOPlatformHaltRestartAction -> AppleT8030PMGR
wdog restart
g_virt_base: 0xfffffff004000000
g_phys_base: 0x0000000802000000
entry: 0x00000008061204e8
boot_mode: 0
auto-boot=true
cmdline: [debug=0x14e kextlog=0xffff serial=3 -v wdt=-1 launchd_unsecure_cache=1]
iBoot version: qemu-t8030
Darwin Image4 Validator Version 3.0.0: Wed Aug 12 22:19:21 PDT 2020; root:AppleImage4-106.0.4.0.1
AMFI is running in RESEARCH mode!`
Is it possible to run iPadOS using this tool?
Seems that you forgot this enum entry
../hw/nvme/nvme.h: In function ‘nvme_io_opc_str’:
../hw/nvme/nvme.h:349:10: error: ‘NVME_CMD_REPRIORITIZE’ undeclared (first use in this function)
349 | case NVME_CMD_REPRIORITIZE: return "NVME_CMD_REPRIORITIZE";
| ^~~~~~~~~~~~~~~~~~~~~
../hw/nvme/nvme.h:349:10: note: each undeclared identifier is reported only once for each function it appears in