-
Notifications
You must be signed in to change notification settings - Fork 3
USB and Restore
This requires another Linux VM to connect to an iOS VM.
Note that the USB-over-TCP Protocol will run on unix socket at /tmp/usbqemu by default.
You can use any QEMU Linux VM. Example below uses Arch Linux installer ISO
./qemu-system-x86_64 -cdrom archlinux-2021.06.01-x86_64.iso -boot order=d -m 1024 -vga virtio -cpu qemu64 -device usb-ehci,id=ehci -device usb-tcp-remote,bus=ehci.0Start an iOS QEMU instance, which will automatically connect to unix socket /tmp/usbqemu.
ATTENTION: You must always start the Linux companion VM first.
From inside the Linux VM, you can access to the iOS VM over USB like a real device.
Make sure that you can connect the iOS to your companion Linux VM through USB first. Follow these-steps if you haven't.
To restore iOS, you need a working Linux installation on QEMU. I use Arch Linux for this purpose. The installation guide can be found on their official guide
Here is my QEMU command to run the Linux VM:
./qemu-t8030/build/qemu-system-x86_64 -boot order=c -m 1024 -vga none -device virtio-vga,xres=640,yres=480 -cpu qemu64 -usb -device usb-ehci,id=ehci -device usb-tcp-remote,bus=ehci.0 -drive file=arch.qcow2 -monitor telnet:127.0.0.1:1236,server,nowaitFirst boot the Linux VM, then install usbmuxd if it hasn't been installed.
DO NOT install idevicerestore from your package manager.
Because you will need scp/sftp to transfer the ipsw, and also for convenience, below is my way of setting up SSH.
Run this command on the Linux VM
ssh -fN -R 10222:localhost:22 <host-user-name>@<host-ip-address>and enter your HOST user password.
And then run this command on your host machine to connect to it
ssh root@localhost -p 10222now enter your VM user password.
If you have an SSH server (i.e openssh-server) installed on the Linux VM, you will now have a shell on it.
To copy any file from your host to the VM:
scp /path/to/file scp://root@localhost:10222/For idevicerestore we need to clone and patch it
Run these commands on the Linux VM
git clone https://github.com/libimobiledevice/idevicerestore.git
cd idevicerestore
git apply /path/to/qemu-t8030-tools/libimobiledevice_patches/idevicerestore.patch
./autogen.sh
make
sudo make installIf the iOS version you are trying to restore is still signed, it is okay to use tsschecker to fetch the SHSH2 blobs and save as ticket.shsh2. The ECID should be 1122334455667788.
A sample ticket is also provided in the bootstrap_scripts folder for your ease.
You can use my script to forge a APTicket.
python3 qemu-t8030-tools/bootstrap_scripts/create_apticket.py n104ap BuildManifest.plist ticket.shsh2 root_ticket.derDO NOT modify the root_ticket.der until you restore again. It is required even after the restore completed.
In before someone ask if this works on a real device:
- We don't have to go through Secure Boot checks
-
restoredignores TSS errors on DEV board (i.e. N104DEV).
With the root_ticket.der and the ipsw inside the Linux VM. Start up the iOS emulator using the command from Auto boot
Then when you saw something like could not receive message, run the following command in the Linux VM to start the restore process.
idevicerestore -P -d --erase --restore-mode -i 0x1122334455667788 iPhone11,8,iPhone12,1_14.0_18A5351d_Restore.ipsw -T root_ticket.derAfter you type YES to the prompt, the restore will start.
DO NOT let your computer sleep during this process.
If the restore completed successfully, the iOS VM will automatically reboot to NAND, otherwise, it will reboot to the ramdisk and attempt to restore again.