
Emulator File Setup

Visual Ehrmanntraut edited this page Jun 18, 2025 · 17 revisions

Caution

Do not share any files, such as pre-made modified or unmodified images, or decrypted, patched, modified or unmodified firmware. Doing so surely violates Apple's EULA, and even where the EULA violation itself isn't a crime, the other acts listed above may be one under your jurisdiction, so check your local laws.

Warning

Do not put the files inside the build folder or source tree of the emulator, otherwise you have a high risk of losing them.

Prerequisites

You must install pyasn1 and pyasn1-modules from your distribution's package manager (e.g. pacman, brew, apt, etc.) or from pip, as the Python scripts used in this guide depend on them.

Note

In some parts of the guide, Windows users might need to write py -3 instead of python3.

Creating the Disks

./QEMUAppleSilicon/build/qemu-img create -f raw nvme.1 16G
./QEMUAppleSilicon/build/qemu-img create -f raw nvme.2 8M
./QEMUAppleSilicon/build/qemu-img create -f raw nvme.3 128K
./QEMUAppleSilicon/build/qemu-img create -f raw nvme.4 8K
./QEMUAppleSilicon/build/qemu-img create -f raw nvram  8K
./QEMUAppleSilicon/build/qemu-img create -f raw nvme.6 4K
./QEMUAppleSilicon/build/qemu-img create -f raw nvme.7 1M
./QEMUAppleSilicon/build/qemu-img create -f raw nvme.8 3M
./QEMUAppleSilicon/build/qemu-img create -f raw sep_nvram 2K
./QEMUAppleSilicon/build/qemu-img create -f raw sep_ssc 128K

Note

nvme.1 can also be created as 32G.

iOS Firmware

Fetch the firmware

Download iOS 14.0 beta 5 ipsw for iPhone12,1.

Extract the necessary files

mkdir iPhone11_8_iPhone12_1_14.0_18A5351d_Restore && cd iPhone11_8_iPhone12_1_14.0_18A5351d_Restore
unzip ../iPhone11,8,iPhone12,1_14.0_18A5351d_Restore.ipsw
cd ..

The largest file in iPhone11_8_iPhone12_1_14.0_18A5351d_Restore is the main OS disk image; it is not needed here and can be deleted.

Creating the AP Ticket

The iOS version we are using is not signed, so we have to forge a ticket.

Use this script: https://github.com/ChefKissInc/QEMUAppleSiliconTools/raw/refs/heads/master/create_apticket.py

For your convenience, a ticket shsh is also provided: https://github.com/ChefKissInc/QEMUAppleSiliconTools/raw/refs/heads/master/ticket.shsh2

Run the script like this:

python3 create_apticket.py n104ap iPhone11_8_iPhone12_1_14.0_18A5351d_Restore/BuildManifest.plist ticket.shsh2 root_ticket.der

Caution

Do not modify the generated ticket unless you are going to do a fresh restore. The ticket is required for all boot stages, even after installation completes.

Fetching the SEP ROM

Can't put a direct link here; Apple might get mad.

Google "Apple ROM Collection"; the result will certainly be secure and fun.

It must be Cebu B1 for t8030/iPhone 11.

Preparing the SEP firmware

Prerequisites

Ticket Creation Script: https://github.com/ChefKissInc/QEMUAppleSiliconTools/raw/refs/heads/master/create_septicket.py

img4tool utility from https://github.com/tihmstar/img4tool

img4 utility from https://github.com/xerub/img4lib

Fetching the Firmware

Download iOS 14.7.1 ipsw for iPhone12,1.

Note

Only the firmware (sep-firmware.n104.RELEASE.im4p) itself should be taken from this ipsw. Files such as the BuildManifest should be from 14.0 beta 5.

Creating the Ticket

python3 create_septicket.py n104ap iPhone11_8_iPhone12_1_14.0_18A5351d_Restore/BuildManifest.plist ticket.shsh2 sep_root_ticket.der

Extract the necessary files

mkdir iPhone11,8,iPhone12,1_14.7.1_18G82_Restore && cd iPhone11,8,iPhone12,1_14.7.1_18G82_Restore
unzip ../iPhone11,8,iPhone12,1_14.7.1_18G82_Restore.ipsw
cd ..

Decrypting the Firmware

img4tool -e --iv THE_SEP_FW_IV --key THE_SEP_FW_KEY -o sep-firmware.n104.RELEASE iPhone11,8,iPhone12,1_14.7.1_18G82_Restore/Firmware/all_flash/sep-firmware.n104.RELEASE.im4p

You can find the keys by googling "iOS firmware keys".

Repackaging the Firmware to an IMG4

img4tool -t rsep -d THE_IM4P_DESCRIPTION -c sep-firmware.n104.RELEASE.im4p sep-firmware.n104.RELEASE
img4 -F -o sep-firmware.n104.RELEASE.new.img4 -i sep-firmware.n104.RELEASE.im4p -M sep_root_ticket.der
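Before launching the emulator it is worth checking that the files produced by the steps above (the raw disks from "Creating the Disks", the two tickets and the repackaged SEP firmware) are all present and have the expected sizes, since a wrong image size or a missing ticket only shows up as an opaque boot failure later. The following preflight script is an added example, not part of the QEMUAppleSilicon wiki or its tooling; it assumes all the files sit in one directory given as its argument.

```shell
#!/bin/sh
# Added preflight check (not from the QEMUAppleSilicon project): verifies the
# raw disk sizes from the qemu-img list above and the presence of the tickets
# and repackaged SEP firmware. Assumes everything is in one directory ($1).

# name:bytes pairs for the fixed-size disks (nvme.1 is handled separately).
EXPECTED_SIZES="nvme.2:8388608 nvme.3:131072 nvme.4:8192 nvram:8192 nvme.6:4096 nvme.7:1048576 nvme.8:3145728 sep_nvram:2048 sep_ssc:131072"

# Size from ls(1): avoids reading a 16G/32G image, and the 5th field is the
# byte count on both GNU and BSD ls.
file_size() {
    ls -ld "$1" | awk '{ print $5 }'
}

check_emulator_files() {
    dir=${1:-.}
    rc=0
    for entry in $EXPECTED_SIZES; do
        name=${entry%%:*}
        want=${entry##*:}
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        got=$(file_size "$dir/$name")
        if [ "$got" -ne "$want" ]; then
            echo "BAD SIZE $name: $got bytes, expected $want"; rc=1
        fi
    done
    # Main OS disk: the guide allows either 16G or 32G.
    if [ -f "$dir/nvme.1" ]; then
        got=$(file_size "$dir/nvme.1")
        if [ "$got" -ne 17179869184 ] && [ "$got" -ne 34359738368 ]; then
            echo "BAD SIZE nvme.1: $got bytes, expected 16G or 32G"; rc=1
        fi
    else
        echo "MISSING  nvme.1"; rc=1
    fi
    # Artifacts from the ticket and SEP firmware steps; they must be non-empty.
    for f in root_ticket.der sep_root_ticket.der sep-firmware.n104.RELEASE.new.img4; do
        [ -s "$dir/$f" ] || { echo "MISSING  $f (absent or empty)"; rc=1; }
    done
    return $rc
}

# Usage: sh check_emulator_files.sh /path/to/emulator/files
if [ -n "${1-}" ]; then check_emulator_files "$1"; fi
```

A non-zero exit status means at least one file is missing or mis-sized; the printed lines name which ones.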