Full Report
The iPod Touch 1G was the first version in an amazing line of devices from Apple, so the author wanted to emulate the device for future generations to enjoy. This was done via a branch of QEMU; in particular, they emulated all of the hardware required for booting and basic functionality. The first iPod Touch uses the ARMv6 little-endian instruction set. The author first attempted to run the BootROM code, but it jumped to code at an address they did not know; the same thing happened with the low-level bootloader (LLB). So, they moved on to emulating from iBoot instead. To understand how iBoot works, they read through the source code of an open-source implementation of it and then referred back to the raw binary code. From doing this, they were able to figure out how everything boots up, which hardware components are needed, and everything else. Eventually, they were able to redirect print statements to the QEMU console.
First, iBoot initializes hardware components, reads images from NOR memory, does a few other things and finally reads the kernel image from NAND flash. The NOR image holds files like the Apple logo and several device properties. The NAND image contains the XNU kernel. Loading the image is not very simple because the NAND drivers contain other algorithms, such as ECC, bad block management and more. The author had to write drivers for reading both the NOR and NAND flash properly. To get the XNU kernel going, the author had to decrypt the image: iBoot jumps to code (which the author did not have at the time) that decrypts the image using the 8900 encryption scheme, so they did the decryption in QEMU logic instead. There were other hardware components too, like the Power Management Unit (PMU). The XNU kernel is open source, but Apple has their own fork of it. To understand how the system boots up, they were able to look at the open-source code for the most part, from MMIO to loading the device tree to 30 different drivers that needed to be loaded correctly.
The hardest one was the Flash Memory Controller (FMC), which had no documentation or source code available. Finally, after this, launchd starts up. This is PID 1, the first process, which starts everything else on the device. While launching Springboard (the main UI on the iPod), the device crashes because it tries to use the graphics processor. While reverse engineering the application, the author learned that the environment variable LK_ENABLE_MBX2D disables the graphics processor. Finally, the home screen appears! The final step was getting the touch screen working. The iPhone simulator simulates touch by converting a click into an (x,y) coordinate pair. The kernel communicates with the Multitouch device over SPI. By reverse engineering this protocol and looking at the bus traffic, the author figured out how to inject QEMU window touches into frames for the Multitouch device. This included velocity, (x,y) coordinates, the home button and more. After a few more small changes, such as adding some files that were missing from the stock NAND flash, they were able to get the iPod working in the emulator! There is still much work to be done, including emulating the second generation, but this is amazing work. Love the article and the process that went into getting this working with QEMU.
Analysis Summary
# Research: Emulating an iPod Touch 1G and iPhoneOS 1.0 using QEMU
## Metadata
- **Authors:** Martijn de Vos
- **Institution:** Independent Researcher (GitHub: devos50)
- **Publication:** Personal Technical Blog (devos50.github.io)
- **Date:** October 11, 2022
## Abstract
This research details the first successful open-source emulation of the iPod Touch 1G (S5L8900 SoC) running iPhoneOS 1.0 using a custom branch of QEMU. The project involved reverse-engineering proprietary hardware components, implementing drivers for NAND/NOR flash and specialized controllers, and achieving a functional Springboard (UI) with multitouch support.
## Research Objective
The study aims to achieve full-system emulation of the first-generation iPod Touch to preserve legacy mobile software and provide a platform for security research and reverse engineering without requiring physical hardware.
## Methodology
### Approach
- **Iterative Bootstrapping:** Progressed through the boot chain (iBoot -> XNU Kernel -> Springboard) by emulating missing hardware dependencies as they were called by the code.
- **Reverse Engineering:** Used Ghidra to analyze iBoot and XNU binaries. Referred to the `openiboot` project and existing device tree dumps to understand register mappings.
- **Static & Dynamic Analysis:** Combined source code review of open-source XNU components with GDB debugging of the live QEMU guest.
### Dataset/Environment
- **Target OS:** iPhoneOS 1.0 (Build 3A101a).
- **Target Hardware:** iPod Touch 1st Generation (ARMv6, S5L8900 SoC).
### Tools & Technologies
- **QEMU:** System emulator (modified with custom hardware models).
- **Ghidra:** SRE framework for disassembly.
- **GDB:** For runtime debugging and memory inspection.
## Key Findings
### Primary Results
1. **Successful System Boot:** Successfully reached the Springboard UI from a cold boot without modifying any original Apple binaries.
2. **Peripheral Emulation:** Developed functional models for critical proprietary components including the AES engine, SHA1 engine, and the Flash Memory Controller (FMC).
3. **Multitouch Integration:** Implemented a translation layer that converts QEMU window events into SPI protocol frames understandable by the iPhoneOS multitouch driver.
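The translation layer described above (and in the full report) sits between host window events and the frames the guest's multitouch driver consumes. The following is an added example, not the author's QEMU code: it tracks a single finger, derives velocity from consecutive samples, scales host coordinates to an assumed 320x480 logical screen, and serializes the result into a constructed frame layout. The field set and byte layout (`FRAME_FMT`) are assumptions made for illustration; the real SPI protocol is not described on this page.

```python
"""Constructed sketch of a host-event -> touch-frame translation layer.
The frame fields and byte layout are assumptions for this example only;
they are not the multitouch SPI protocol used by iPhoneOS."""
import struct

DEV_W, DEV_H = 320, 480   # assumed logical screen size used for scaling
FRAME_FMT = "<BhhhhB"     # assumed wire layout: touching, x, y, vx, vy, home


def _clamp16(v):
    """Round and clamp to the int16 range the assumed frame layout carries."""
    return max(-32768, min(32767, int(round(v))))


class TouchTranslator:
    def __init__(self, win_w, win_h):
        self.sx, self.sy = DEV_W / win_w, DEV_H / win_h
        self.prev = None          # (x, y, t_ms) of the last sample while touching
        self.home = False

    def host_event(self, kind, x, y, t_ms):
        """kind is 'down', 'move' or 'up'; x, y are host window pixels."""
        dx, dy = x * self.sx, y * self.sy
        vx = vy = 0.0
        if kind == "up":
            self.prev = None
            return self._frame(False, dx, dy, 0, 0)
        if self.prev is not None and t_ms > self.prev[2]:
            px, py, pt = self.prev
            vx = (dx - px) * 1000.0 / (t_ms - pt)   # device pixels per second
            vy = (dy - py) * 1000.0 / (t_ms - pt)
        self.prev = (dx, dy, t_ms)
        return self._frame(True, dx, dy, vx, vy)

    def home_button(self, pressed):
        """Home button state rides along in every frame (assumed layout)."""
        self.home = pressed
        x, y = self.prev[:2] if self.prev else (0, 0)
        return self._frame(self.prev is not None, x, y, 0, 0)

    def _frame(self, touching, x, y, vx, vy):
        return {"touching": touching, "x": _clamp16(x), "y": _clamp16(y),
                "vx": _clamp16(vx), "vy": _clamp16(vy), "home": self.home}


def encode_frame(f):
    return struct.pack(FRAME_FMT, int(f["touching"]), f["x"], f["y"],
                       f["vx"], f["vy"], int(f["home"]))


def decode_frame(buf):
    t, x, y, vx, vy, h = struct.unpack(FRAME_FMT, buf)
    return {"touching": bool(t), "x": x, "y": y, "vx": vx, "vy": vy, "home": bool(h)}


if __name__ == "__main__":
    tr = TouchTranslator(640, 960)          # host window twice the device size
    tr.host_event("down", 100, 200, 0)
    print(encode_frame(tr.host_event("move", 420, 680, 100)).hex())
```

Velocity is computed only from two samples with distinct timestamps, so a repeated event at the same tick cannot divide by zero, and an `up` event clears the tracked sample so the next `down` starts with zero velocity.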
### Supporting Evidence
- The researcher demonstrated functional interactivity, including application launching (Safari, Calendar) and UI navigation via emulated touch input.
### Novel Contributions
- **First Open Source UI Emulation:** Unlike previous XNU-QEMU projects that focused solely on the kernel or command line, this project achieves a functional graphical user interface.
- **Undocumented Hardware Models:** Created functional implementations for the S5L89xx series FMC and NAND controllers which lack public documentation.
## Technical Details
- **Bootloader Transition:** While the author initially attempted to run the BootRom and LLB, they pivoted to iBoot to bypass early-stage complexity.
- **Graphics Bypass:** The PowerVR MBX GPU is not emulated. To prevent a kernel panic during Springboard launch, the researcher utilized the `LK_ENABLE_MBX2D` environment variable to force the system into a software-rendering mode.
- **NAND Logic:** Emulation required implementing ECC (Error Correcting Code) and bad block management within the QEMU driver to satisfy the kernel's NAND drivers.
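The NAND logic bullet above (and the full report's mention of ECC and bad block management) is easier to appreciate with a concrete read path. The block below is an added example, not the project's driver: it models a small NAND array with a spare area, a factory bad-block mark, and a Hamming SECDED code over each page, and shows the three outcomes a driver must distinguish (clean, single bit corrected, multiple bits uncorrectable). The page geometry, spare-area offsets and the Hamming scheme are illustrative assumptions; the S5L8900 FMC's real ECC format is not described on this page.

```python
"""Constructed model of the NAND read path an emulated flash driver must
reproduce: page data + spare area, a factory bad-block mark in the spare
area, and a Hamming SECDED code per page. Geometry, spare layout and the
ECC scheme are assumptions for this example, not Apple's FMC format."""

PAGE_SIZE = 512        # data bytes per page (assumed small-page NAND)
SPARE_SIZE = 16        # spare bytes per page
PAGES_PER_BLOCK = 32
BAD_MARK_OFF = 5       # spare byte holding the factory bad-block mark (assumed)
ECC_OFF = 8            # spare bytes 8..10: 2 bytes Hamming parity + 1 overall parity


def _data_positions(nbits):
    """1-based Hamming codeword positions for data bits: every non-power-of-two."""
    out, p = [], 1
    while len(out) < nbits:
        if p & (p - 1):
            out.append(p)
        p += 1
    return out


_POS = _data_positions(PAGE_SIZE * 8)           # data bit index -> codeword position
_IDX = {pos: i for i, pos in enumerate(_POS)}   # codeword position -> data bit index


def _data_syndrome(data):
    """XOR of codeword positions of all set data bits, plus data parity."""
    syn, ones = 0, 0
    for i, byte in enumerate(data):
        for b in range(8):
            if (byte >> (7 - b)) & 1:
                syn ^= _POS[i * 8 + b]
                ones += 1
    return syn, ones & 1


def ecc_compute(data):
    """Parity word (bit k = parity bit at position 2**k) and the overall parity bit."""
    syn, dpar = _data_syndrome(data)
    overall = (dpar + bin(syn).count("1")) & 1
    return syn, overall


def ecc_correct(data, parity, overall):
    """Return (data, status); status is 'ok', 'corrected' or 'uncorrectable'."""
    syn, dpar = _data_syndrome(data)
    s = syn ^ parity                    # non-zero means some bit flipped
    overall_ok = ((dpar + bin(parity).count("1")) & 1) == overall
    if s == 0:
        return data, "ok"               # at most the overall bit itself flipped
    if overall_ok:
        return data, "uncorrectable"    # even number of flips: detect only
    if s in _IDX:                       # single flipped data bit: flip it back
        idx = _IDX[s]
        fixed = bytearray(data)
        fixed[idx // 8] ^= 0x80 >> (idx % 8)
        return bytes(fixed), "corrected"
    if s & (s - 1) == 0 and s <= _POS[-1]:
        return data, "corrected"        # a parity bit flipped; data is intact
    return data, "uncorrectable"


class Nand:
    """Tiny raw NAND array plus the checks a driver performs on every access."""

    def __init__(self, nblocks, factory_bad=()):
        self.pages = [bytearray(b"\xff" * (PAGE_SIZE + SPARE_SIZE))
                      for _ in range(nblocks * PAGES_PER_BLOCK)]
        for b in factory_bad:           # factory marks page 0 of a bad block
            self.pages[b * PAGES_PER_BLOCK][PAGE_SIZE + BAD_MARK_OFF] = 0x00
        self.bad = self.scan_bad_blocks()

    def scan_bad_blocks(self):
        nblocks = len(self.pages) // PAGES_PER_BLOCK
        return {b for b in range(nblocks)
                if self.pages[b * PAGES_PER_BLOCK][PAGE_SIZE + BAD_MARK_OFF] != 0xFF}

    def _raw(self, block, page):
        if block in self.bad:
            raise ValueError(f"block {block} is marked bad")
        return self.pages[block * PAGES_PER_BLOCK + page]

    def program(self, block, page, data):
        assert len(data) == PAGE_SIZE
        parity, overall = ecc_compute(data)
        raw = self._raw(block, page)
        raw[:PAGE_SIZE] = data
        raw[PAGE_SIZE + ECC_OFF:PAGE_SIZE + ECC_OFF + 3] = bytes(
            [parity >> 8, parity & 0xFF, overall])

    def read(self, block, page):
        raw = self._raw(block, page)
        parity = (raw[PAGE_SIZE + ECC_OFF] << 8) | raw[PAGE_SIZE + ECC_OFF + 1]
        overall = raw[PAGE_SIZE + ECC_OFF + 2]
        return ecc_correct(bytes(raw[:PAGE_SIZE]), parity, overall)

    def flip_bit(self, block, page, bit):
        """Simulate a wear-induced bit error in stored page data."""
        self.pages[block * PAGES_PER_BLOCK + page][bit // 8] ^= 0x80 >> (bit % 8)


if __name__ == "__main__":
    nand = Nand(4, factory_bad=(2,))
    page = bytes(range(256)) * 2
    nand.program(0, 3, page)
    nand.flip_bit(0, 3, 1000)
    print(nand.read(0, 3)[1])
```

A guest driver that trusts the page content before running this check would happily boot from a corrupted page, which is why an emulator that skips the ECC path tends to produce kernel images that the real driver rejects.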
## Practical Implications
### For Security Practitioners
- **Vulnerability Research:** Provides a scalable environment for fuzzing legacy iOS components or analyzing historical vulnerabilities (e.g., early Safari exploits).
- **Malware Analysis:** Offers a "sandbox" for analyzing older mobile malware without risking physical hardware.
### For Defenders
- **Architectural Insights:** Demonstrates how early iOS security was deeply tied to hardware obfuscation (NAND/FMC logic) rather than software-based trust caches found in modern versions.
### For Researchers
- **Hardware Documentation:** Effectively serves as a "living specification" for the S5L8900 SoC.
## Limitations
- **Lacking GPU Acceleration:** UI rendering is performed via software, leading to performance constraints.
- **Missing Peripherals:** No support for Audio, WiFi (802.11), or the Accelerometer/Light sensors.
- **Stability:** The author reports race conditions in the FMC and USB drivers because the emulated CPU runs faster than the timing those drivers assume for physical hardware.
## Comparison to Prior Work
This research builds upon the work of @zhuowei (XNU-QEMU) and Jonathan Afek but advances it significantly by moving beyond the kernel to the application layer (Springboard) and adding complex peripheral support like Multitouch and NAND.
## Real-world Applications
- **Digital Preservation:** Running legacy mobile software that no longer functions on physical hardware due to battery degradation or component failure.
- **Educational Tools:** A transparent platform for teaching mobile SoC architecture and boot sequence analysis.
## Future Work
- **Hardware Persistence:** Implementing persistent storage for the NAND memory images.
- **Device Support:** Expanding the codebase to support the iPod Touch 2G and other early S5L-based devices.
- **Bug Fixes:** Resolving `libicucore.dylib` loading issues and race conditions.
## References
- QEMU Source (ipod_touch_1g branch): `github.com/devos50/qemu`
- OpeniBoot Project: `github.com/iDroid-Project/openiBoot`
- Related: `alephsecurity.com/2019/06/17/xnu-qemu-arm64-1/`