Run 32-bit binaries on 64-bit iOS by passing through syscalls.
The source code is currently very messy and may be prone to a lot of bugs (write overflow, etc). At least it works, but I will improve it later.
This project is heavily based on unidbg.
There are also missing syscalls that I have yet to provide to pass through. Please see ARM32SyscallHandler.java and DarwinSyscallHandler.java to implement them properly.
- Download and extract a ramdisk image using pzb and xpwn. For example, I chose the last 32-bit iPhone (armv7s) on the latest iOS 10.3.3:
pzb -g 058-75249-062.dmg http://appldnld.apple.com/ios10.3.3/091-23384-20170719-CA966D80-6977-11E7-9F96-3E9100BA0AE3/iPhone_4.0_32bit_10.3.3_14G60_Restore.ipsw xpwntool 058-75249-062.dmg ramdisk.dmg -k
- Mount the dmg and copy its contents
# Run the following commands as root disk=$(hdik ramdisk.dmg); echo $disk mount_hfs -o ro $disk /var/mnt cp -rp /var/mnt /var/mobile/ramdisk32 umount -f $disk; hdik -e $disk rm ramdisk.dmg 058-75249-062.dmg
- Replace all of
/var/mobile/Documents/TrollExperimentswith your paths - Compile this project using theos
- Launch a binary and profit. Please note that chroot is internally done otherwise you will hit bad memory access errors. I'm investigating it and will provide a fix.
sudo .theos/out/LiveExec32 /var/mobile/ramdisk32/usr/bin/fdisk
- LiveExec32 has most of the codebase and references from unidbg, so it also uses Dynarmic as the dynamic translator of ARMv7 code to ARM64.
- The entry point starts from dyld, so it has all of dyld APIs isolated from that of host.
- In
CallSVC, it goes through a long list of guest functions that copy memory regions from input and to output using a page table. Perhaps page bound checks can be added to allow fastpath memory access. - Has a crash reporter and symbolicator for guest code.
- Can emulate bind mount points
- More to be explored...
Although this can execute simple C/C++/Objective-C binaries, more work needs to be done. The most important thing is to figure out how to proxy Objective-C classes, objects and method calls between host (64-bit) and guest (32-bit).
Apache License 2.0