Connect to iOS emulator over USB
This requires another Linux VM to connect to an iOS VM.
Note that the USB-over-TCP protocol runs on the Unix socket /tmp/usbqemu by default.
Run a Linux VM as USB host
You can use any QEMU Linux VM. The example below uses the Arch Linux installer ISO:
./qemu-system-x86_64 -cdrom archlinux-2021.06.01-x86_64.iso -boot order=d -m 1024 -vga virtio -cpu qemu64 -device usb-ehci,id=ehci -device usb-tcp-remote,bus=ehci.0
Start iOS VM
Start an iOS QEMU instance; it will automatically connect to the Unix socket.
ATTENTION: You must always start the Linux companion VM first.
Connect to iOS VM
From inside the Linux VM, you can access the iOS VM over USB as if it were a real device.
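As an added example (not code from the qemu-t8030 project), the host-side launcher below enforces the start order from the note above: it starts the companion VM with the Arch installer command and polls for /tmp/usbqemu before declaring the USB side ready. The QEMU binary path and the iOS VM command (left as a placeholder) are assumptions.

```shell
#!/bin/sh
# Added example (not part of qemu-t8030): host-side launcher that enforces the
# start order above. The iOS VM connects to the Unix socket created by the
# companion VM's usb-tcp-remote device, so we poll for that socket before the
# iOS VM is started. QEMU_BIN, the ISO name and the iOS command are assumptions.
set -u

USB_SOCKET="${USB_SOCKET:-/tmp/usbqemu}"            # default socket path from the page
QEMU_BIN="${QEMU_BIN:-./qemu-system-x86_64}"        # assumed location of the qemu-t8030 build
LINUX_ISO="${LINUX_ISO:-archlinux-2021.06.01-x86_64.iso}"

# wait_for_path TEST PATH TIMEOUT
# Poll once per second until "[ TEST PATH ]" holds (TEST is -S for a Unix
# socket) or TIMEOUT seconds have passed. Returns 0 when found, 1 on timeout.
wait_for_path() {
    test_flag="$1"; path="$2"; timeout="$3"; waited=0
    until [ "$test_flag" "$path" ]; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Companion VM: same USB device chain as the page's command (EHCI controller
# with the usb-tcp-remote device attached to it), run in the background.
start_companion_vm() {
    "$QEMU_BIN" -cdrom "$LINUX_ISO" -boot order=d -m 1024 -vga virtio -cpu qemu64 \
        -device usb-ehci,id=ehci -device usb-tcp-remote,bus=ehci.0 &
}

# Only start the iOS VM once the socket exists; a stale socket from an earlier
# run would let the check pass, so remove it before launching the companion.
main() {
    rm -f "$USB_SOCKET"
    start_companion_vm
    if ! wait_for_path -S "$USB_SOCKET" 60; then
        echo "companion VM did not create $USB_SOCKET; not starting the iOS VM" >&2
        return 1
    fi
    echo "USB socket ready at $USB_SOCKET; start the iOS VM now (command from Auto boot)"
    # PLACEHOLDER: put the iOS VM command from the Auto boot page here.
}

if [ "${1:-}" = "launch" ]; then main; fi
```

Run it as `sh launch.sh launch` from the directory holding the ISO; with no argument it only defines the functions.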
Restore iOS firmware
Make sure that you can connect the iOS VM to your companion Linux VM over USB first. Follow the steps in "Connect to iOS emulator over USB" above if you haven't.
To restore iOS, you need a working Linux installation on QEMU. I use Arch Linux for this purpose; the installation guide can be found in their official documentation.
Here is my QEMU command to run the Linux VM:
./qemu-t8030/build/qemu-system-x86_64 -boot order=c -m 1024 -vga none -device virtio-vga,xres=640,yres=480 -cpu qemu64 -usb -device usb-ehci,id=ehci -device usb-tcp-remote,bus=ehci.0 -drive file=arch.qcow2 -monitor telnet:127.0.0.1:1236,server,nowait
First boot the Linux VM, then install usbmuxd if it hasn't been installed already. DO NOT install idevicerestore from your package manager.
Setting up SSH connection to the Linux VM
Because you will need scp/sftp to transfer the ipsw, and for convenience in general, here is my way of setting up SSH.
Run this command on the Linux VM:
ssh -fN -R 10222:localhost:22 <host-user-name>@<host-ip-address>
and enter your HOST user password.
Then run this command on your host machine to connect to it:
ssh root@localhost -p 10222
and enter your VM user password.
If you have an SSH server (e.g. openssh-server) installed on the Linux VM, you will now have a shell on it.
To copy a file from your host to the VM:
scp /path/to/file scp://root@localhost:10222/
For idevicerestore, we need to clone and patch it.
Run these commands on the Linux VM:
git clone https://github.com/libimobiledevice/idevicerestore.git
cd idevicerestore
git apply /path/to/qemu-t8030-tools/libimobiledevice_patches/idevicerestore.patch
./autogen.sh
make
sudo make install
If the iOS version you are trying to restore is still signed, it is fine to use tsschecker to fetch the SHSH2 blobs and save them as ticket.shsh2. The ECID should be
A sample ticket is also provided in the bootstrap_scripts folder for convenience.
You can use my script to forge an APTicket:
python3 qemu-t8030-tools/bootstrap_scripts/create_apticket.py n104ap BuildManifest.plist ticket.shsh2 root_ticket.der
DO NOT modify root_ticket.der until you restore again. It is required even after the restore has completed.
Before someone asks whether this works on a real device:
- We don't have to go through Secure Boot checks.
- restored ignores TSS errors on DEV boards (i.e. N104DEV).
Copy root_ticket.der and the ipsw into the Linux VM. Start up the iOS emulator using the command from Auto boot.
Then, when you see something like "could not receive message", run the following command in the Linux VM to start the restore process:
idevicerestore -P -d --erase --restore-mode -i 0x1122334455667788 iPhone11,8,iPhone12,1_14.0_18A5351d_Restore.ipsw -T root_ticket.der
After you type YES at the prompt, the restore will start.
DO NOT let your computer sleep during this process.
If the restore completes successfully, the iOS VM will automatically reboot to NAND; otherwise, it will reboot to the ramdisk and attempt the restore again.