Skip to content
/ LiveExec32 Public

Run 32-bit binaries on 64-bit iOS by passing through syscalls

License

Apache-2.0 license
77 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

khanhduytran0/LiveExec32

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
Generator
Generator
 
 
GuestFrameworks
GuestFrameworks
 
 
GuestLibraries
GuestLibraries
 
 
GuestMakefile
GuestMakefile
 
 
HostFrameworks
HostFrameworks
 
 
Resources
Resources
 
 
include/dynarmic
include/dynarmic
 
 
lib
lib
 
 
test
test
 
 
.gitignore
.gitignore
 
 
32bit.h
32bit.h
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
ObjCProxy.md
ObjCProxy.md
 
 
README.md
README.md
 
 
ap_getparents.c
ap_getparents.c
 
 
arm_dynarmic_cp15.cpp
arm_dynarmic_cp15.cpp
 
 
arm_dynarmic_cp15.h
arm_dynarmic_cp15.h
 
 
bridge.h
bridge.h
 
 
bridge.mm
bridge.mm
 
 
bridge.s
bridge.s
 
 
codesign.h
codesign.h
 
 
control
control
 
 
dynarmic.cpp
dynarmic.cpp
 
 
dynarmic.h
dynarmic.h
 
 
entitlements.plist
entitlements.plist
 
 
filesystem.cpp
filesystem.cpp
 
 
filesystem.h
filesystem.h
 
 
khash.h
khash.h
 
 
log.m
log.m
 
 
mach_private.h
mach_private.h
 
 
main.cpp
main.cpp
 
 
variables.cpp
variables.cpp
 
 

Repository files navigation

LiveExec32

Run 32-bit binaries on 64-bit iOS by passing through syscalls.

The source code is currently very messy and may be prone to a lot of bugs (write overflow, etc). At least it works, but I will improve it later.

This project is heavily based on unidbg.

There are also missing syscalls that I have yet to provide to pass through. Please see ARM32SyscallHandler.java and DarwinSyscallHandler.java to implement them properly.

Usage

  • Download and extract a ramdisk image using pzb and xpwn. For example, I chose the last 32-bit iPhone (armv7s) on the latest iOS 10.3.3:
pzb -g 058-75249-062.dmg http://appldnld.apple.com/ios10.3.3/091-23384-20170719-CA966D80-6977-11E7-9F96-3E9100BA0AE3/iPhone_4.0_32bit_10.3.3_14G60_Restore.ipsw
xpwntool 058-75249-062.dmg ramdisk.dmg -k
  • Mount the dmg and copy its contents
# Run the following commands as root
disk=$(hdik ramdisk.dmg); echo $disk
mount_hfs -o ro $disk /var/mnt
cp -rp /var/mnt /var/mobile/ramdisk32
umount -f $disk; hdik -e $disk
rm ramdisk.dmg 058-75249-062.dmg
  • Replace all of /var/mobile/Documents/TrollExperiments with your paths
  • Compile this project using theos
  • Launch a binary and profit. Please note that chroot is internally done otherwise you will hit bad memory access errors. I'm investigating it and will provide a fix.
sudo .theos/out/LiveExec32 /var/mobile/ramdisk32/usr/bin/fdisk

Design

  • LiveExec32 has most of the codebase and references from unidbg, so it also uses Dynarmic as the dynamic translator of ARMv7 code to ARM64.
  • The entry point starts from dyld, so it has all of dyld APIs isolated from that of host.
  • In CallSVC, it goes through a long list of guest functions that copy memory regions from input and to output using a page table. Perhaps page bound checks can be added to allow fastpath memory access.
  • Has a crash reporter and symbolicator for guest code.
  • Can emulate bind mount points
  • More to be explored...

FAQ: can this be used to run 32-bit apps & integrate to LiveContainer?

Although this can execute simple C/C++/Objective-C binaries, more work needs to be done. The most important thing is to figure out how to proxy Objective-C classes, objects and method calls between host (64-bit) and guest (32-bit).

License

Apache License 2.0

About

Run 32-bit binaries on 64-bit iOS by passing through syscalls

Resources

Readme

License

Apache-2.0 license
Activity

Stars

77 stars

Watchers

4 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages