
trungnguyen1909 / qemu-t8030


iPhone 11 emulated on QEMU

License: Other

emulator ios qemu hypervisor

qemu-t8030's Introduction

QEMU README

QEMU is a generic and open source machine & userspace emulator and virtualizer.

QEMU is capable of emulating a complete machine in software without any need for hardware virtualization support. By using dynamic translation, it achieves very good performance. QEMU can also integrate with the Xen and KVM hypervisors to provide emulated hardware while allowing the hypervisor to manage the CPU. With hypervisor support, QEMU can achieve near native performance for CPUs. When QEMU emulates CPUs directly it is capable of running operating systems made for one machine (e.g. an ARMv7 board) on a different machine (e.g. an x86_64 PC board).

QEMU is also capable of providing userspace API virtualization for Linux and BSD kernel interfaces. This allows binaries compiled against one architecture ABI (e.g. the Linux PPC64 ABI) to be run on a host using a different architecture ABI (e.g. the Linux x86_64 ABI). This does not involve any hardware emulation, simply CPU and syscall emulation.

QEMU aims to fit into a variety of use cases. It can be invoked directly by users wishing to have full control over its behaviour and settings. It also aims to facilitate integration into higher level management layers, by providing a stable command line interface and monitor API. It is commonly invoked indirectly via the libvirt library when using open source applications such as oVirt, OpenStack and virt-manager.

QEMU as a whole is released under the GNU General Public License, version 2. For full licensing details, consult the LICENSE file.

Documentation

Documentation can be found hosted online at https://www.qemu.org/documentation/. The documentation for the current development version that is available at https://www.qemu.org/docs/master/ is generated from the docs/ folder in the source tree, and is built by Sphinx.

Building

QEMU is multi-platform software intended to be buildable on all modern Linux platforms, OS-X, Win32 (via the Mingw64 toolchain) and a variety of other UNIX targets. The simple steps to build QEMU are:

mkdir build
cd build
../configure
make

Additional information can also be found online via the QEMU website:

Submitting patches

The QEMU source code is maintained under the GIT version control system.

git clone https://gitlab.com/qemu-project/qemu.git

When submitting patches, one common approach is to use 'git format-patch' and/or 'git send-email' to format & send the mail to the [email protected] mailing list. All patches submitted must contain a 'Signed-off-by' line from the author. Patches should follow the guidelines set out in the style section of the Developers Guide.

Additional information on submitting patches can be found online via the QEMU website

The QEMU website is also maintained under source control.

git clone https://gitlab.com/qemu-project/qemu-web.git

A 'git-publish' utility was created to make the above process less cumbersome, and is highly recommended for making regular contributions, or even just for sending consecutive patch series revisions. It also requires a working 'git send-email' setup, and by default doesn't automate everything, so you may want to go through the above steps manually once.

For installation instructions, please go to

The workflow with 'git-publish' is:

$ git checkout master -b my-feature
$ # work on new commits, add your 'Signed-off-by' lines to each
$ git publish

Your patch series will be sent and tagged as my-feature-v1 if you need to refer back to it in the future.

Sending v2:

$ git checkout my-feature # same topic branch
$ # making changes to the commits (using 'git rebase', for example)
$ git publish

Your patch series will be sent with 'v2' tag in the subject and the git tip will be tagged as my-feature-v2.

Bug reporting

The QEMU project uses GitLab issues to track bugs. Bugs found when running code built from QEMU git or upstream released sources should be reported via:

If using QEMU via an operating system vendor pre-built binary package, it is preferable to report bugs to the vendor's own bug tracker first. If the bug is also known to affect latest upstream code, it can also be reported via GitLab.

For additional information on bug reporting consult:

ChangeLog

For version history and release notes, please visit https://wiki.qemu.org/ChangeLog/ or look at the git history for more detailed information.

Contact

The QEMU community can be contacted in a number of ways, with the two main methods being email and IRC

Information on additional methods of contacting the community can be found online via the QEMU website:

qemu-t8030's People

Contributors

afaerber, agraf, aliguori, aurel32, berrange, blueswirl, bonzini, davidhildenbrand, dgibson, ebblake, edgarigl, ehabkost, elmarco, gkurz, huth, jan-kiszka, jnsnow, kevmw, kraxel, legoater, mcayland, mstsirkin, philmd, pm215, rth7680, stefanharh, stsquad, stweil, vivier, xanclic


qemu-t8030's Issues

Support J327AP devices

J327AP is AppleDisplay2,1 aka Studio Display
Currently, the kernel can boot to restored (not restored_external), and such a restore could be attempted.
There is a failed kernel patch: qemu-system-aarch64: Missing patch: AKSUC_handle, which is probably related to the problem below.
Anyways, the system successfully boots to ramdisk with bash running.
The firmware can be obtained from here, which is DarwinOS 15.4, although sw_vers still outputs iPhone OS.
Now, this is an OTA update, but the AssetData/ directory in it is the structure of an IPSW.
The problem
Stuck trying to create protected filesystems
To reproduce

  1. Extract the OTA update
  2. cd to the AssetData directory in the OTA update; we want to edit BuildManifest.plist such that idevicerestore will restore it.
  3. Create display.der with create_apticket.py, the board config should be j327ap
  4. In BuildManifest.plist, under SupportedProductTypes, change AppleDisplay12,1 to iPhone12,1
  5. ...under DeviceClass, change J327AP to N104AP
  6. Zip up every file in the AssetData directory to create a display.ipsw file
  7. Create the qemu boot command, use the 018-26834-343.dmg file, which is a FactoryRamDisk as the other FactorySupportRamDisk does not seem to have restored. The following is my boot command:
${HOME}/qemu-t8030/build/qemu-system-x86_64 -smp 4 -m 768 \
-machine q35 \
-device virtio-vga,xres=640,yres=480 \
-enable-kvm \
-cpu qemu64 \
-usb \
-device usb-ehci,id=ehci \
-device usb-tcp-remote,bus=ehci.0 \
-drive file=${HOME}/vm_images/kali.qcow2 \
-net user,hostfwd=tcp::8122-:22 \
-net nic \
-monitor telnet:127.0.0.1:1236,server,nowait &
sleep 1
${HOME}/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=018-26834-343.dmg.trustcache.out,ticket-filename=root_ticket.der \
-kernel kernelcache.release.j327.out \
-dtb DeviceTree.j327ap.im4p \
-append "kextlog=0xffff debug=0x14e -v launchd_missing_exec_no_panic=1 serial=3 wdt=-1 keepsyms=1 launchd_unsecure_cache=1 wdt=-1" \
-initrd '018-26834-343.dmg.out'   \
-cpu max -smp 4 \
-m 2G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait
  8. (Optional) modify the ramdisk and add a shell and stuff
  9. In the Linux VM, the device should show up as Apple Inc.,
  10. Try to restore the device: idevicerestore -P -d --erase --restore-mode -i 0x1122334455667788 display.ipsw -T display.der
  11. Wait until it reaches 97%
  12. Stuck trying to create protected filesystem

Related restored log:
[08:19:36.0505-GMT]{4>9} CHECKPOINT BEGIN: (null):[0x0674] create_protected_filesystems
restore-step-ids = {0x1103067B:77;0x11030674:135}
restore-step-names = {0x1103067B:perform_restore_installing;0x11030674:create_protected_filesystems}
restore-step-uptime = 217
restore-step-user-progress = 97
entering create_protected_filesystems
ramrod_display_set_granular_progress_forced: 97.000000
content-protect property not found
encryptable property not found
creating class d key for /mnt2

idevicerestore log:

Requesting EAN Data (74)
Creating Protected Volume (67)
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
No data to read (timeout)
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
No data to read (timeout)
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
No data to read (timeout)

Full serial output
Full idevicerestore log

Booting 16.0b1 restore ramdisk causes "qemu-system-aarch64: macho_parse: Invalid Mach-O object: mh->magic != MACH_MAGIC_64"

I'm getting "qemu-system-aarch64: macho_parse: Invalid Mach-O object: mh->magic != MACH_MAGIC_64" when trying to boot 16.0b1 to restore mode.
Boot command:
../qemu-system-aarch64 -s -M t8030,trustcache-filename=16.0b1/Firmware/078-13778-076.dmg.trustcache,ticket-filename=16.0b1/root_ticket.der
-kernel 16.0b1/kernelcache.research.iphone12b
-dtb 16.0b1/Firmware/all_flash/DeviceTree.n104ap.im4p
-append "debug=0x14e kextlog=0xffff serial=3 -v -restore rd=md0 nand-enable-reformat=1 -progress launchd_missing_exec_no_panic=1"
-initrd 16.0b1/078-13778-076.dmg
-cpu max -smp 6
-m 4G -serial mon:stdio
-drive file=20A5283p/nvme.1,format=raw,if=none,id=drive.1
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096
-drive file=20A5283p/nvme.2,format=raw,if=none,id=drive.2
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096
-drive file=20A5283p/nvme.3,format=raw,if=none,id=drive.3
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096
-drive file=20A5283p/nvme.4,format=raw,if=none,id=drive.4
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096
-drive file=20A5283p/nvram,if=none,format=raw,id=nvram
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096
-drive file=20A5283p/nvme.6,format=raw,if=none,id=drive.6
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096
-drive file=20A5283p/nvme.7,format=raw,if=none,id=drive.7
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096
-monitor telnet:127.0.0.1:1235,server,nowait
Full terminal output:
qemu-system-aarch64: macho_parse: Invalid Mach-O object: mh->magic != MACH_MAGIC_64
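
The message in this report says the header's magic field did not match MACH_MAGIC_64. The following is an added example, not code from qemu-t8030 or from the issue author, that reports what the leading bytes of a file look like so the input given to -kernel can be inspected before booting. It assumes MACH_MAGIC_64 equals the standard MH_MAGIC_64 value; classify_image, der_first_tag, image_kind_name and the sample buffers are hypothetical names and constructed data.

```c
/* Added example: classify a boot image by its leading bytes (not qemu-t8030 code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the MACH_MAGIC_64 named in the error equals the standard MH_MAGIC_64. */
#define MACH_MAGIC_64 0xfeedfacfu

enum image_kind {
    IMG_TOO_SHORT, IMG_MACHO64, IMG_IM4P, IMG_IMG4,
    IMG_LZFSE, IMG_LZSS, IMG_UNKNOWN
};

/* Constructed sample headers (not taken from any real firmware file). */
const uint8_t sample_macho64[] = { 0xcf, 0xfa, 0xed, 0xfe, 0x0c, 0x00, 0x00, 0x01 };
const uint8_t sample_im4p[] = {
    0x30, 0x83, 0x01, 0x02, 0x03,        /* SEQUENCE, 3-byte long-form length */
    0x16, 0x04, 'I', 'M', '4', 'P',      /* IA5String "IM4P" */
    0x16, 0x04, 'k', 'r', 'n', 'l'       /* IA5String "krnl" */
};
const uint8_t sample_truncated[] = { 0x30, 0x0a, 0x16, 0x04, 'I', 'M' };
const uint8_t sample_lzfse[] = { 'b', 'v', 'x', '2', 0x00, 0x00, 0x00, 0x00 };

/* arm64 Mach-O headers are little-endian; decode without relying on host order. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* If buf opens with DER SEQUENCE { IA5String of length 4, ... }, copy that tag out. */
static int der_first_tag(const uint8_t *buf, size_t len, char tag[5])
{
    size_t off;

    if (len < 2 || buf[0] != 0x30)
        return 0;
    if (buf[1] < 0x80) {
        off = 2;                         /* short-form length */
    } else {
        size_t n = buf[1] & 0x7f;        /* long form: n length bytes follow */
        if (n == 0 || n > 4)
            return 0;
        off = 2 + n;
    }
    if (len < off + 6 || buf[off] != 0x16 || buf[off + 1] != 0x04)
        return 0;                        /* truncated, or not an IA5String(4) */
    memcpy(tag, buf + off + 2, 4);
    tag[4] = '\0';
    return 1;
}

enum image_kind classify_image(const uint8_t *buf, size_t len)
{
    char tag[5];

    if (len < 4)
        return IMG_TOO_SHORT;
    if (read_le32(buf) == MACH_MAGIC_64)
        return IMG_MACHO64;
    if (der_first_tag(buf, len, tag)) {
        if (strcmp(tag, "IM4P") == 0) return IMG_IM4P;
        if (strcmp(tag, "IMG4") == 0) return IMG_IMG4;
    }
    if (memcmp(buf, "bvx", 3) == 0)      /* LZFSE block magics all begin with "bvx" */
        return IMG_LZFSE;
    if (len >= 8 && memcmp(buf, "complzss", 8) == 0)
        return IMG_LZSS;
    return IMG_UNKNOWN;
}

const char *image_kind_name(enum image_kind k)
{
    static const char *const names[] = {
        "too short", "Mach-O 64-bit", "IM4P container (DER)",
        "IMG4 container (DER)", "LZFSE stream", "LZSS stream", "unknown"
    };
    return names[k];
}

int main(int argc, char **argv)
{
    uint8_t head[32];

    if (argc < 2) {                      /* no files given: run on the samples */
        printf("sample_macho64: %s\n",
               image_kind_name(classify_image(sample_macho64, sizeof sample_macho64)));
        printf("sample_im4p: %s\n",
               image_kind_name(classify_image(sample_im4p, sizeof sample_im4p)));
        return 0;
    }
    for (int i = 1; i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        if (!f) { perror(argv[i]); continue; }
        size_t n = fread(head, 1, sizeof head, f);
        fclose(f);
        printf("%s: %s\n", argv[i], image_kind_name(classify_image(head, n)));
    }
    return 0;
}
```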

Panic when restoring (Creating 7 namespaces on NAND)

I was following the Wiki guide and was restoring the emulator, but shortly after starting the restore process, it hangs and then panics at Creating 7 namespaces on NAND.

Here is the full log from start to panic. File modification dates show that nvme.1 and nvram storage files were modified, but they still look zeroed out (except the header in nvram). My environment is macOS 12.4 on M1 MacBook Air, and I compiled the tools and code as of today. Below is my launch command.

qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=firmware/Firmware/038-44135-124.dmg.trustcache,ticket-filename=root_ticket.der \
-kernel firmware/kernelcache.research.iphone12b \
-dtb firmware/Firmware/all_flash/DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v -wdt=-1" \
-initrd firmware/038-44135-124.dmg \
-cpu max -smp 6 \
-m 4G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait

Assertion `usb_packet_is_inflight(p)' failed.

The Linux VM crashed while telneting into iOS, with message

qemu-system-x86_64: ../hw/usb/core.c:523: void usb_cancel_packet(USBPacket *): Assertion `usb_packet_is_inflight(p)' failed

The most reliable way to produce the same error message would be trying to upload an iBSS.n71.RELEASE.im4p.dec to the s8000 securerom VM, but it can happen in T8030 VMs too (such as the telnet crash).

To reproduce
Method 1: upload anything (such as a decrypted iBSS, or 1MB of random data) to S8000 securerom

irecovery -f iBSS.n71.RELEASE.im4p.dec

Method 2: Set up telnetd on the iOS side, telnet into it in the Linux VM, and do some random stuff. It will crash.

Result
Linux VM crashed.

No core dumps are generated.
Host is debian 11 bullseye
qemu-t8030 commit: ba738a1

Display and Touch screen support?

Has the functionality on the emulated iPhone to be able to see the iPhone display and having a touch screen been implemented yet in this project? And is it possible to emulate iOS using the current instructions on the M1 chip?

Cannot boot emulator, kernel panic, thermalmonitord

I'm having this issue while booting a recently restored system.

apfs_is_valid_class:2253: rejecting class open (class 2) because we're not content protected
handle_mount:627: vol-uuid: 3D9B78CD-479A-4DC6-ACE3-B6D84DC5166E block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.12)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6634: Volume System is not in a volume group
apfs_vfsop_mount:2171: disk0s1s1:0 mounted volume: System
handle_revert_to_snapshot:5195: On next mount, volume will revert to snapshot 'com.apple.os.update-5118EA8F39FF61D152BA7E1F92591910CDE7A2B09B867D8D58DC37E2CDC0B7C98DD296D4BF57862D143413DD17012D70' w/snap xid 54
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'System'
apfs_vfsop_unmount:2406: waiting for cleaners to finish: purgatory 
apfs_stop_bg_work:1028: disk0s1s1:0 Volume System is unmounting, stop any bg work
tx_flush:1075: disk0s1 xid 323 tx stats: # 20 finish 22 enter 599 wait 2 209518us close 32us flush 315223us
apfs: total mem allocated: 12501875 (11 mb);
apfs_vfsop_unmount:2682: all done.  going home.  (numMountedAPFSVolumes 5)
revert_to_snapshot:1260: Reverting to snapshot w/xid 54 and old sblock oid 8259450.
revert_extents_to_snapshot:1093: free'ing extents in main extentref tree 8257872
free_allocated_snapshot_extents:1008: processed 0 extents and free'd 0 blocks
obj_cache_remove_reverted_fs_objects:1547: disk0s1s1:0 removing reverted fs objects for fs 1026: 55 - 326
revert_to_snapshot:1336: DONE reverting to snapshot w/xid 54
handle_mount:627: vol-uuid: 3D9B78CD-479A-4DC6-ACE3-B6D84DC5166E block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.12)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6634: Volume System is not in a volume group
apfs_vfsop_mount:2171: disk0s1s1:0 mounted volume: System
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'System'
apfs: total mem allocated: 13116575 (12 mb);
apfs_vfsop_unmount:2682: all done.  going home.  (numMountedAPFSVolumes 5)
static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Process 170 is checking if a cdhash is in the trust cache
static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Returning IOReturn 0x0 to process 170
tx_flush:1075: disk0s1 xid 343 tx stats: # 40 finish 42 enter 3116 wait 6 281119us close 18us flush 354580us
tx_flush:1033: disk0s1 tx xid 344 took 1046026 us to sync and write superblock
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
panic(cpu 3 caller 0xfffffff009169144): userspace watchdog timeout: no successful checkins from com.apple.thermalmonitord since load
service returned not alive with context : is_alive_func returned unhealthy : current 400000000000, mask 7fffffffffff, expected 7fffffffffff.  SD: 1 Missing sensor(s): TG0B TG0V TP1A TP2C TP3R TP4H TP5d TP0Z Th0a Th0f Th0x Th1a Th1f Th1x Th2a Th2f Th2x Tc0a Tc0f Tc0x Tc1a Tc1f Tc1x Tc2a Tc2f Tc2x 
service: com.apple.backboardd, total successful checkins since load (180 seconds ago): 19, last successful checkin: 0 seconds ago
service: com.apple.mediaserverd, total successful checkins since load (180 seconds ago): 17, last successful checkin: 0 seconds ago
service: com.apple.logd, total successful checkins since load (180 seconds ago): 19, last successful checkin: 0 seconds ago
service: com.apple.thermalmonitord, no successful checkins since load (180 seconds ago)
service: com.apple.runningboardd, total successful checkins since load (180 seconds ago): 19, last successful checkin: 0 seconds ago
service: com.apple.wifid, total successful checkins s
Debugger message: panic
Memory ID: 0x0
OS release type: Beta
OS version: 18A5351d
Kernel version: Darwin Kernel Version 20.0.0: Wed Aug 12 22:56:55 PDT 2020; root:xnu-7195.0.33~64/RELEASE_ARM64_T8030
Kernel UUID: FDDAF386-4EA2-35FC-8235-1F167AEFD6F3
iBoot version: qemu-t8030
secure boot?: YES
Paniclog version: 13
Kernel text base:  0xfffffff007004000
mach_absolute_time: 0x11ab03024
Epoch Time:        sec       usec
  Boot    : 0x62376f1f 0x000825ce
  Sleep   : 0x00000000 0x00000000
  Wake    : 0x00000000 0x00000000
  Calendar: 0x62376fe3 0x0008cccd

Total cpu_usage: 118819282
Thread task pri cpu_usage
0xffffffe19c0cd170 watchdogd 97 0
0xffffffe19c868000 backboardd 63 0
0xffffffe19c0cc5d0 thermalmonitord 37 0
0xffffffe19cb84000 watchdogd 31 105505
0xffffffe19cae68b0 lsd 31 4488402

Panicked task 0xffffffe19be98640: 242 pages, 5 threads: pid 52: watchdogd
Panicked thread: 0xffffffe19c0cd170, backtrace: 0xffffffe9c237b1e0, tid: 549
		  lr: 0xfffffff007a2af48  fp: 0xffffffe9c237b220
		  lr: 0xfffffff007a2ad48  fp: 0xffffffe9c237b290
		  lr: 0xfffffff007b64940  fp: 0xffffffe9c237b2b0
		  lr: 0xfffffff007b56e1c  fp: 0xffffffe9c237b370
		  lr: 0xfffffff00811c5f4  fp: 0xffffffe9c237b380
		  lr: 0xfffffff007a2aa30  fp: 0xffffffe9c237b700
		  lr: 0xfffffff007a2aa30  fp: 0xffffffe9c237b760
		  lr: 0xfffffff0097db9c0  fp: 0xffffffe9c237b780
		  lr: 0xfffffff009169144  fp: 0xffffffe9c237b7a0
		  lr: 0xfffffff009168e38  fp: 0xffffffe9c237b7c0
		  lr: 0xfffffff00808cb78  fp: 0xffffffe9c237b820
		  lr: 0xfffffff009168130  fp: 0xffffffe9c237b900
		  lr: 0xfffffff00809a98c  fp: 0xffffffe9c237baa0
		  lr: 0xfffffff007b25190  fp: 0xffffffe9c237bbc0
		  lr: 0xfffffff007a30e9c  fp: 0xffffffe9c237bc20
		  lr: 0xfffffff007a021d8  fp: 0xffffffe9c237bca0
		  lr: 0xfffffff007a1d810  fp: 0xffffffe9c237bd60
		  lr: 0xfffffff007b4a434  fp: 0xffffffe9c237be30
		  lr: 0xfffffff007b57094  fp: 0xffffffe9c237bef0
		  lr: 0xfffffff00811c5f4  fp: 0xffffffe9c237bf00


** Stackshot Succeeded ** Bytes Traced 115555 (Uncompressed 294176) **
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
wdog panic (attempt 1)
wdt_update: wdog reset chip

This is my startup script, which is the same as the one found in the Bringing Up The Emulator - Auto Boot section.
I only added -noconsole -vnc :1 -k es

qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=Firmware/038-44135-124.dmg.trustcache,ticket-filename=root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb Firmware/all_flash/DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v" \
-initrd 038-44135-124.dmg \
-cpu max -smp 4 \
-m 4G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait \
-nographic \
-vnc :1 -k es \

Linux VM couldn't find the emulated device

I followed the instructions in the wiki, built QEMU from this repo, and launched a Linux VM using it (I use Slax). I also generated root_ticket.der and put it in both the host Linux and the guest Linux VM, started the Linux VM, then started the iOS VM.

The iOS VM boots to the line waiting for host to trigger start of restore [timeout of 120 seconds]

But the Linux VM can't find the device, although it found something using lsusb.

/tmp/usbqemu is available in the host.

When the iOS VM runs out of time and reboots, it shows something like RTBuddy(SMC): WARNING: failed to send ping.

Any ideas? Thanks!

Update commands to use

In the Bringing up the emulator page, the iOS firmware is extracted to the iphone folder, but subsequent commands use the root directory for files in it.

Example:
python3 qemu-t8030-tools/bootstrap_scripts/asn1rdskdecode.py 038-44087-125.dmg 038-44087-125.dmg.out

Suggested edit:
python3 qemu-t8030-tools/bootstrap_scripts/asn1rdskdecode.py iphone/038-44087-125.dmg iphone/038-44087-125.dmg.out

Ticket spinlock timeout

qemu-t8030 commit: 617fa85c2161e765b39ca32d4c9a7bafa3fce87d

QEMU command line: qemu-system-aarch64 -s -M t8030,trustcache-filename=Firmware/038-44135-124.dmg.trustcache,ticket-filename=root_ticket.der -kernel kernelcache.research.iphone12b -dtb Firmware/all_flash/DeviceTree.n104ap.im4p -append "wdt=-1 debug=0x14e kextlog=0xffff serial=3 -v" -initrd 038-44135-124.dmg -cpu max -smp 4 -m 4G -serial mon:stdio -drive file=nvme.1,format=raw,if=none,id=drive.1 -device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.2,format=raw,if=none,id=drive.2 -device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.3,format=raw,if=none,id=drive.3 -device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.4,format=raw,if=none,id=drive.4 -device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 -drive file=nvram,if=none,format=raw,id=nvram -device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.6,format=raw,if=none,id=drive.6 -device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.7,format=raw,if=none,id=drive.7 -device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 -monitor telnet:127.0.0.1:1235,server,nowait

Boot log:

Loading iOS 14.0...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00a4cd4f0
KPF: found apfs_vfsop_mount
KPF: found handle_eval_rootauth
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: Found lookup_in_trust_cache_module @ 0xfffffff007b5d71c
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Routine)
kpf_amfi_callback: Found lookup_in_static_trust_cache @ 0xfffffff0097edcb8
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
Qemu FB realize
g_virt_base: 0xfffffff018000000
g_phys_base: 0x0000000802000000
slide_virt: 0x0000000015c00000
slide_phys: 0x0000000001c00000
entry: 0x0000000807d204e8
boot_mode: 0
auto-boot=true
cmdline: [wdt=-1 debug=0x14e kextlog=0xffff serial=3 -v]
VNC server running on 127.0.0.1:5900
iBoot version: qemu-t8030
Darwin Image4 Validator Version 3.0.0: Wed Aug 12 22:19:21 PDT 2020; root:AppleImage4-106.0.4.0.1~129/AppleImage4/RELEASE_ARM64E
AMFI is running in RESEARCH mode!
AUC:[0xffffffe19b864390]::init(0xffffffe19b895e78)

AUC:[0xffffffe19b864390]::probe(0xffffffe19b62df40, 0xffffffe807d93dac)

AppleCredentialManager: init: called, instance = <ptr>.
ACMFirstResponderKernelService: init: called, .
ACMRM-S: init: called, starting PersistentStore service.
ACMRM-C: init: called, starting AccessoryCache service.
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache size = 16 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache expiration = 2592000 (default).
ACMRM: init: called, starting TRM service.
ACMRM-A: init: called, starting TRM Analytics service.
ACMKernelService: initValueFromBootArgAliasesUInt32: analytics collection period = 86400 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: policy mode timeout = 259200 (default).
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: (bounded) grace period timeout = 3600 (default).
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: enabled = 1 (default).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO* BtArg=NO LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO* LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _loadDisabledByOSEnvironment: disabled by OSEnvironment: NO.
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO LegHW=NO OSEnv=NO* | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200.
ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(n=1) while DISABLED, TRM: 259200 -/ff 4294967295 -/ff miss=ff (CUR: 259200 -/ff 4294967295 -/ff).
AppleCredentialManager: init: returning, result = true, instance = <ptr>.
AppleARMBootPerf: Error: profile region not found (2)
AppleARMBootPerf: Error: failed to publish profile data (2)
virtual bool CoreAnalyticsHub::start(IOService *)::105:CoreAnalyticsHub start
virtual bool AppleARMLightEmUp::start(IOService *): starting...
AppleSSE::start called
AppleSSE::start returning, result = 1
AUC:[0xffffffe19b864390]::start(0xffffffe19b62df40)

AppleInterruptController::start: Num Shared Timestamps == 0
AppleS5L8940XI2CController::start: i2c1 this: <ptr> _i2cBaseAddress: <ptr>
AppleS5L8940XI2CController::start: i2c2 this: <ptr> _i2cBaseAddress: <ptr>
AppleSEPKeyStore:321:0: starting (BUILT: Aug 12 2020 22:51:30)
AppleSEPKeyStore:545:0: _sep_enabled = 1
AppleCredentialManager: start: called, instance = <ptr>.
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleS5L8960XUSBPhy::start: hsic disabled
AppleCredentialManager: start: initializing power management, instance = <ptr>.
AppleCredentialManager: start: started, instance = <ptr>.
AppleCredentialManager: start: returning, result = true, instance = <ptr>.
AppleS8000AES::start: registers at phys:0x0x235008000/0x0x23d2d0000 virt:0x<ptr>/0x0x4000 / 0x<ptr>/0x0x4000
000012.449209 wlan0.A[1] start@968:Default options property found with value 4
AppleS5L8940XI2CController::start: i2c0 this: <ptr> _i2cBaseAddress: <ptr>
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
Creating an object of AppleBCMWLANPlatformFunctionEmbeddedAMFM class
000012.856236 wlan0.A[2] start@1401: Raised adjustBusy(+1), getBusyState() -> 1
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleS5L8940XI2CController::start: i2c3 this: <ptr> _i2cBaseAddress: <ptr>
AppleS5L8940XI2CController::start: smc-i2c1 this: <ptr> _i2cBaseAddress: <ptr>
AppleS5L8940XI2CController::start: smc-i2c0 this: <ptr> _i2cBaseAddress: <ptr>
000013.085061 wlan0.A[3] start@1403:Setting up notifier for CoreAnalyticsHub
000013.129032 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::prepareDefaults: model iPhone version 12.1
Identified Serial Port uart7 at 0x23521c000(<ptr>)
Identified Serial Port uart0 at 0x235200000(<ptr>)
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>


RTBuddy(SMC): start(<ptr>) - (Aug 12 2020@22:50:37)
RTBuddy(ANS2): start(<ptr>) - (Aug 12 2020@22:50:37)
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>

RTBuddy(SIO): start(<ptr>) - (Aug 12 2020@22:50:37)
RTBuddy(SMC): Boot args override: wdt = -1
RTBuddy(ANS2): Boot args override: wdt = -1
000013.738421 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
RTBuddy(SIO): Boot args override: wdt = -1
RTBuddy(SMC): Resuming...

LPM: Log data is NOT valid. 0x0 0x0
AppleDialogSPMIPMU::start: Primary PMU detected
RTBuddy(ANS2): Resuming...

Starting AppleSMC kext(<ptr>) - (Aug 12 2020@22:51:44)
000014.070541 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
virtual IOService *AppleANS2NVMeController::probe(IOService *, SInt32 *)::194:Found (ANS2) provider, returning score 100000
AppleARMRTC started!#####
AppleSMCEmbedded::setPowerState(): ENTER powerStateOrdinal=1, _activeKeyCommand=0 newState=1
virtual bool AppleANS2NVMeController::start(IOService *)::394:Found the ANS2Endpoint1
bool AppleEmbeddedNVMeController::SetNamespacesStruct()::186:Obtained 7 namespaces from DT
virtual IOFilterInterruptEventSource *AppleANS2NVMeController::CreateDeviceInterrupt(IOInterruptEventSource::Action, IOFilterInterruptEventSource::Filter, IOService *)::2719:ANS2 NVMe interrupt index - 0x4
AppleDialogSPMIPMURTC started!******
Failed to read info-leg_scrpadAppleDialogSPMIPMURTC tick read!&&&&&&&
AppleDialogSPMIPMURTC ending!%%%
AppleARMRTC registering service!@@@@@@
/Library/Caches/com.apple.xbs/Sources/AppleSMC/AppleSMC-589.0.5/AppleSMCEmbeddedCharger/AppleSMCCharger.cpp:408 _setPowerStateGated() ENTER powerStateOrdinal=1, _powerState=1
AppleARMRTC service registered!$$$$$
AppleARMRTC publishing service!^^^^^^
apfs_module_start:2411: load: com.apple.filesystems.apfs, v1677.0.5, apfs-1677.0.5, 2020/08/12
com.apple.AppleFSCompressionTypeZlib kmod start
apfs_sysctl_register:1253: done registering sysctls.
com.apple.AppleFSCompressionTypeZlib load succeeded
L2TP domain init
L2TP domain init complete
Load request for com.apple.nke.pptp failed: -603946998
Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOMedia</string><key>IOPropertyMatch</key><dict ID="2"><key>Partition ID</key><integer size="64" ID="3">0x1</integer></dict></dict>
virtual IANS2: MMIO write to unknown vendor register, offset=0x1210 value=0x240024, returning
ANS2: MMIO write to unknown vendor register, offset=0x24004 value=0x1000, returning
ANS2: MMIO write to unknown vendor register, offset=0x24008 value=0x0, returning
ANS2: MMIO write to unknown vendor register, offset=0x24118 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24108 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24420 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24414 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x2441c value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24418 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24144 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24524 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24508 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24504 value=0x10002, returning
OReturn IONVMeController::CreateSubmisANS2: MMIO write to unknown vendor register, offset=0x1304 value=0x0, returning
sionQueue(uint16_t, uint8_t)::2886:SQ index=0 entrysize=64
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=1 entrysize=128
virtual void AppleANS2NVMeController::SetModeselRegister(uint32_t)::1186:Setting modesel to 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1964:nvme: Vendor ID     : 0x1b36
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1965:nvme: Model Number  : QEMU NVMe Ctrl                       
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1966:nvme: Serial Number : QEMUT8030ANS
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1967:nvme: Firmware Rev  : 1.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2000:nvme: S3E A0 Invalid 1x slc 1D 0 plane 128GB NAND
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2009:ECCVersion   : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2010:FTL Rev      : 0.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2011:DM_Version   : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2012:=======================
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2019:Found 16 namespaces in current NAND
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[1] as nstype[1]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[2] as nstype[2]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[3] as nstype[3]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[4] as nstype[4]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[5] as nstype[5]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[6] as nstype[6]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[7] as nstype[8]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[8] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[9] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[10] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[11] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[12] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[13] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[14] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[15] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[16] as nstype[0]
bool AppleEmbeddedNVMeController::SetSwapWriteLimit(uint32_t)::2192: Swap limit set to 2147483648bytes, 2GB
uint32_t AppleEmbeddedNVMeNVRAM::GetNVRAMSize()::745:NVRAM size is 8192 bytes
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1578:allocateAll 1
dev_init:297: disk0 device accelerated crypto: 0 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0 device_handle block size 4096 block count 2097141 features 0 internal
nx_kernel_mount:1134: disk0 initializing cache w/hash_size 4096 and cache size 10064
nx_kernel_mount:1402: disk0 checkpoint search: largest xid 174, best xid 174 @ 7
nx_kernel_mount:1404: disk0 reloading after unclean unmount, checkpoint xid 174, superblock xid 163
import_iboot_forwarded_roothash:2577: importing root hash ...
apfs_extract_root_hash_arm:10001: could not retrieve system-volume-auth-blob from device tree
import_iboot_forwarded_roothash:2580: apfs_extract_root_hash_and_manifest failed with error: No such file or directory (2)
Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOGUIDPartitionScheme/Container@1
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 2, NSTYPE - 2
BSD root: disk0s1, major 1, minor 1
apfs_vfsop_mountroot:2188: apfs: mountroot called!
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 3, NSTYPE - 3
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 4096 block count 2097141 features 22 internal solidstate
nx_kernel_mount:1134: disk0s1 initializing cache w/hash_size 4096 and cache size 10064
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 6, NSTYPE - 6
[effaceable:ERR ] unable to find content
[effaceable:INIT] started
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 7, NSTYPE - 8
virtual IOReturn AppleNVMeNamespaceDevice::GetDeviceProperties()::269: Logical Blocks Size = 4096
 virtual IOReturn AppleNVMeNamespaceDevice::GetDeviceProperties()::272: Block Count = 256
 virtual bool AppleNVMeNamespaceDevice::start(IOService *)::111:NVMe Namespace Device registration done for NSID: 7, NSTYPE: 8
virtual bool AppleEmbeddedNVMeController::StartController()::1547:Setting NAND status to Ready
nx_kernel_mount:1402: disk0s1 checkpoint search: largest xid 174, best xid 174 @ 7
nx_kernel_mount:1404: disk0s1 reloading after unclean unmount, checkpoint xid 174, superblock xid 163
apfs_vfsop_mount:1848: Promoter has been locked for disk0s1
apfs_vfsop_mount:1998: disk0s1s1:0 Rooting from snapshot with xid 159.
handle_snapshot_mount:844: mounting snapshot w/snap_xid 159 and sblock oid 0x1f0006
handle_snapshot_mount:1000: setting dev block size to 4096 from 512
handle_mount:627: vol-uuid: DB5E5127-915A-4F0E-9BF6-1C49E3FB4851 block size: 4096 block count: 2097141 (unencrypted; flags: 0x1; features: 8.0.12)
nx_volume_group_update:6634: Volume com.apple.os.update-5118EA8F39FF61D152BA7E1F92591910CDE7A2B09B867D8D58DC37E2CDC0B7C98DD296D4BF57862D143413DD17012D70 is not in a volume group
apfs_vfsop_mount:2171: disk0s1s1:0 mounted volume: System
dyld: setting comm page to 0x0
Sat May 21 11:27:50 2022  com.apple.xpc.launchd[1] <Notice>: hello
Darwin Bootstrapper Version 7.0.0: Mon Aug 10 04:09:14 PDT 2020; root:libxpc_executables-2038.0.13~13/launchd/RELEASE_ARM64E
boot-args = wdt=-1 debug=0x14e kextlog=0xffff serial=3 -v
Sat May 21 11:27:50 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Notice>: entering ondemand mode
Sat May 21 11:27:50 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: fsck
000032.975537 wlan0.A[4] initWithProvider@120:amfm not matched
000033.160367 wlan0.A[5] deferredStart@1730: Lowered adjustBusy(-1), getBusyState() -> 4
** Checking the container superblock.
** Checking the object map.
** Checking volume.
** Checking the APFS volume superblock.
** The volume System was formatted by newfs_apfs (945.200.129.100.10) and last modified by apfs_kext (1677.0.5).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Data was formatted by newfs_apfs (1677.0.5) and last modified by apfs_kext (1677.0.5).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Hardware was formatted by newfs_apfs (1677.0.5) and last modified by apfs_kext (1677.0.5).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Preboot was formatted by newfs_apfs (1677.0.5) and last modified by apfs_kext (1677.0.5).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Update was formatted by newfs_apfs (1677.0.5) and last modified by apfs_kext (1677.0.5).
** QUICKCHECK ONLY; FILESYSTEM CLEAN
Sat May 21 11:28:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: mount-phase-1
mount: found boot container: /dev/disk0s1, data volume: /dev/disk0s1s2 env: 1
com.apple.os.update-5118EA8F39FF61D152BA7E1F92591910CDE7A2B09B867D8D58DC37E2CDC0B7C98DD296D4BF57862D143413DD17012D70@/dev/disk0s1s1 on / (apfs, local, nosuid, read-only, journaled, noatime)
handle_mount:627: vol-uuid: F5DEACDF-4954-4120-BAF2-7E092DD4E684 block size: 4096 block count: 2097141 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6628: Volume Preboot role 10 Not a System or data volume
apfs_vfsop_mount:2171: disk0s1s4:0 mounted volume: Preboot
/dev/disk0s1s4 on /private/preboot (apfs, local, nodev, nosuid, read-only, journaled, noatime, nobrowse)
Sat May 21 11:28:07 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: data-protection
init_data_protection: No SEP present on this device
Sat May 21 11:28:08 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: finish-obliteration
Obliterator: In INIT check
IORegistryEntryGetProperty failed, may be does not exist
Obliterator: No obliteration needed, continue booting, returning 0
Sat May 21 11:28:09 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: commit-boot-mode
Sat May 21 11:28:09 2022 localhost com.apple.xpc.launchd[1] <Notice>: boot-mode committed: (null)
Sat May 21 11:28:09 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: restore-datapartition
Sat May 21 11:28:09 2022 localhost com.apple.xpc.launchd[1] <Notice>: restore-datapartition: optional boot task not present
Sat May 21 11:28:09 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: mount-phase-2
mount: found boot container: /dev/disk0s1, data volume: /dev/disk0s1s2 env: 1
spaceman_metazone_init:189: disk0s1 metazone for device 0 of size 131072 blocks (encrypted: 1966069-2031605 unencrypted: 2031605-2097141)
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 1 blocks starting at paddr 32768
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 2 blocks starting at paddr 65536
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 3 blocks starting at paddr 98304
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 4 blocks starting at paddr 131072
dev_dump:256: Aggregate constructed: dev=<ptr> di=0 dv_num_slice=8 dv_num_slice_blk=262144 dv_num_lslice_blk=262133
migrate_media_keys_if_needed:1206: no media keys to migrate for container = disk0s1
mount: failed to migrate Media Keys, error = c002
spaceman_trim_free_blocks:3361: disk0s1 scan took 2.034399 s, trims took 0.295646 s
spaceman_trim_free_blocks:3369: disk0s1 245561 blocks free in 322 extents
spaceman_trim_free_blocks:3377: disk0s1 245561 blocks trimmed in 322 extents (918 us/trim, 1089 trims/s)
spaceman_trim_free_blocks:3380: disk0s1 trim distribution 1:198 2+:97 4+:15 16+:4 64+:0 256+:8
handle_mount:627: vol-uuid: 946E93CE-C991-4E1A-B650-7685AF0B9095 block size: 4096 block count: 2097141 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6634: Volume Data is not in a volume group
apfs_vfsop_mount:2171: disk0s1s2:0 mounted volume: Data
/dev/disk0s1s2 on /private/var (apfs, local, nodev, nosuid, journaled, noatime)
handle_mount:627: vol-uuid: 180F6F92-F4A0-4E37-9B94-D2E6CB4607D9 block size: 4096 block count: 2097141 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6628: Volume Update role c0 Not a System or data volume
apfs_vfsop_mount:2171: disk0s1s5:0 mounted volume: Update
/dev/disk0s1s5 on /private/var/MobileSoftwareUpdate (apfs, local, nodev, nosuid, journaled, noatime, nobrowse)
handle_mount:627: vol-uuid: 521EEEEA-7A6E-4FD6-B067-55BBA3533710 block size: 4096 block count: 2097141 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6628: Volume Hardware role 140 Not a System or data volume
apfs_vfsop_mount:2171: disk0s1s3:0 mounted volume: Hardware
/dev/disk0s1s3 on /private/var/hardware (apfs, local, nodev, nosuid, journaled, noatime, nobrowse)
Sat May 21 04:28:24 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: init-with-data-volume
Sat May 21 04:28:26 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: MSUEarlyBootTask
main: MSUEarlyBootTask running
main: Content from the ramdisk will be present at /private/var/MobileSoftwareUpdate/5118ea8f39ff61d152ba7e1f92591910cde7a2b09b867d8d58dc37e2cdc0b7c98dd296d4bf57862d143413dd17012d70-MSUData if it exists
MSUEarlyBootTask: I have nothing to do. Goodbye!!
Sat May 21 04:28:31 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: fips
Tracing: disabled
FIPSPOST_USER [1557131414] fipspost_post:158: PASSED: (89 ms) - fipspost_post_integrity
FIPSPOST_USER [1558100585] fipspost_post:164: PASSED: (11 ms) - fipspost_post_hmac
FIPSPOST_USER [1558759941] fipspost_post:165: PASSED: (10 ms) - fipspost_post_aes_ecb
FIPSPOST_USER [1561097014] fipspost_post:166: PASSED: (2 ms) - fipspost_post_aes_cbc
FIPSPOST_USER [1564188582] fipspost_post:167: PASSED: (114 ms) - fipspost_post_rsa_sig
FIPSPOST_USER [1567310180] fipspost_post:168: PASSED: (86 ms) - fipspost_post_ecdsa
FIPSPOST_USER [1572905885] fipspost_post:169: PASSED: (91 ms) - fipspost_post_ecdh
FIPSPOST_USER [1578096036] fipspost_post:170: PASSED: (74 ms) - fipspost_post_drbg_ctr
FIPSPOST_USER [1579127619] fipspost_post:171: PASSED: (10 ms) - fipspost_post_aes_ccm
FIPSPOST_USER [1586953336] fipspost_post:173: PASSED: (229 ms) - fipspost_post_pbkdf
FIPSPOST_USER [1587973156] fipspost_post:174: PASSED: (25 ms) - fipspost_post_kdf_ctr
FIPSPOST_USER [1607684126] fipspost_post:175: PASSED: (439 ms) - fipspost_post_aes_gcm
FIPSPOST_USER [1610118992] fipspost_post:176: PASSED: (4 ms) - fipspost_post_aes_xts
FIPSPOST_USER [1610686578] fipspost_post:177: PASSED: (7 ms) - fipspost_post_tdes_cbc
FIPSPOST_USER [1612386590] fipspost_post:178: PASSED: (4 ms) - fipspost_post_drbg_hmac
FIPSPOST_USER [1615174948] fipspost_post:180: PASSED: (96 ms) - fipspost_post_ffdh
FIPSPOST_USER [1620719951] fipspost_post:181: PASSED: (219 ms) - fipspost_post_rsa_enc_dec
FIPSPOST_USER [1622339821] fipspost_post:201: all tests PASSED (2806 ms)
Sat May 21 04:28:35 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: keybag
****** DIAGNOSTICS MODE ENABLED, SKIP INIT ****
Sat May 21 04:28:40 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: usermanagerd
Sat May 21 04:28:40 2022 localhost com.apple.xpc.launchd[1] <Notice>: usermanagerd: optional boot task not present
Sat May 21 04:28:41 2022 localhost com.apple.xpc.launchd[1] <Notice>: launchd logging initialized
Sat May 21 04:28:42 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: xpcroleaccountd
Sat May 21 04:28:43 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: init_featureflags
init_featureflags: skipping directory: /System/Library/FeatureFlags/Domain
init_featureflags: skipping directory: /Library/Preferences/FeatureFlags/Domain
Sat May 21 04:28:44 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: fud
objc[20]: Class UARPManifestProperties is implemented in both /System/Library/PrivateFrameworks/CoreUARP.framework/CoreUARP and /System/Library/PrivateFrameworks/MobileAccessoryUpdater.framework/Support/fud. One of the two will be used. Which one is undefined.
fud: -[FudEarlyBoot doFUDEarlyBoot:](): Starting Early Boot
fud: No Early Boot Accessories
fud: -[FudEarlyBoot doFUDEarlyBoot:](): End Early Boot
Sat May 21 04:28:54 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: tzinit
Sat May 21 04:28:55 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: finish-restore
Sat May 21 04:28:55 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: finish-demo-restore
Sat May 21 04:28:55 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: sysstatuscheck
Sat May 21 04:28:56 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: prng_seedctl
PRNG diagnostics:
0 user reseeds, 1 scheduled reseeds, 64 max samples in a scheduled reseed, 284 max samples in an entropy input
generator 0: 2 rekeys, 458 requests, 5456 total bytes requested, 64 max bytes requested in a request, 3304 bytes requested since rekey, 3304 max bytes requested between rekeys
generator 1: 2 rekeys, 55 requests, 800 total bytes requested, 64 max bytes requested in a request, 784 bytes requested since rekey, 784 max bytes requested between rekeys
generator 2: 2 rekeys, 14 requests, 228 total bytes requested, 64 max bytes requested in a request, 180 bytes requested since rekey, 180 max bytes requested between rekeys
generator 3: 2 rekeys, 32 requests, 496 total bytes requested, 64 max bytes requested in a request, 432 bytes requested since rekey, 432 max bytes requested between rekeys
pool 0: 0 samples, 1 drains, 64 max samples
pool 1: 284 samples, 0 drains, 284 max samples
pool 2: 38 samples, 0 drains, 38 max samples
pool 3: 69 samples, 0 drains, 69 max samples
pool 4: 85 samples, 0 drains, 85 max samples
pool 5: 113 samples, 0 drains, 113 max samples
pool 6: 40 samples, 0 drains, 40 max samples
pool 7: 48 samples, 0 drains, 48 max samples
pool 8: 88 samples, 0 drains, 88 max samples
pool 9: 34 samples, 0 drains, 34 max samples
pool 10: 58 samples, 0 drains, 58 max samples
pool 11: 37 samples, 0 drains, 37 max samples
pool 12: 40 samples, 0 drains, 40 max samples
pool 13: 45 samples, 0 drains, 45 max samples
pool 14: 126 samples, 0 drains, 126 max samples
pool 15: 70 samples, 0 drains, 70 max samples
pool 16: 0 samples, 0 drains, 0 max samples
pool 17: 0 samples, 0 drains, 0 max samples
pool 18: 0 samples, 0 drains, 0 max samples
pool 19: 0 samples, 0 drains, 0 max samples
pool 20: 0 samples, 0 drains, 0 max samples
pool 21: 0 samples, 0 drains, 0 max samples
pool 22: 0 samples, 0 drains, 0 max samples
pool 23: 0 samples, 0 drains, 0 max samples
pool 24: 0 samples, 0 drains, 0 max samples
pool 25: 0 samples, 0 drains, 0 max samples
pool 26: 0 samples, 0 drains, 0 max samples
pool 27: 0 samples, 0 drains, 0 max samples
pool 28: 0 samples, 0 drains, 0 max samples
pool 29: 0 samples, 0 drains, 0 max samples
pool 30: 0 samples, 0 drains, 0 max samples
pool 31: 0 samples, 0 drains, 0 max samples
failed to load virtual random: (-147) (-536870212)
Sat May 21 04:28:56 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: launchd_cache_loader
0 Found valid port: 2307 Valid: 1
1 Found valid port: 0 Valid: 0
2 Found valid port: 0 Valid: 0
Using default cache paths
Code: /System/Library/xpc/launchd.plist Sig: /System/Library/xpc/launchd.plist.sig
static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Process 26 is checking if a cdhash is in the trust cache
static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Returning IOReturn 0x0 to process 26
cdhash: {length = 20, bytes = 0x1f926e82fb7151558f895e958a422ee5c570b6bc} is trusted
Attached signature to file, checking ...
Trying to send bytes to launchd: 2307 16384
Sending validated cache to launchd
Cache sent to launchd successfully
Sat May 21 04:29:02 2022 localhost com.apple.xpc.launchd[1] <Notice>: launchd UUID: 4C2464F5-9F87-31DE-B252-584E3391D4FA
Sat May 21 04:29:02 2022 localhost com.apple.xpc.launchd[1] <Notice>: Early boot complete. Continuing system boot.





Attempting to forcibly halt cpu 0
cpu 0 failed to halt with error -5: halt not supported for this configuration
Attempting to forcibly halt cpu 1
cpu 1 failed to halt with error -5: halt not supported for this configuration
Attempting to forcibly halt cpu 2
cpu 2 failed to halt with error -5: halt not supported for this configuration
Debugger synchronization timed out; waited 10000000 nanoseconds
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
panic(cpu 3 caller 0xfffffff01d64434c): "Ticket spinlock timeout; start: 0x9cae6fec, end: 0x9cdc36ac, current: 0x9cdc6de7, lock: 0xfffffff01f5a6f80, *lock: 0x8f, waiting for 0x90, owner: 0"
Debugger message: panic
Memory ID: 0x0
OS release type: Beta
OS version: 18A5351d
Kernel version: Darwin Kernel Version 20.0.0: Wed Aug 12 22:56:55 PDT 2020; root:xnu-7195.0.33~64/RELEASE_ARM64_T8030
Kernel UUID: FDDAF386-4EA2-35FC-8235-1F167AEFD6F3
iBoot version: qemu-t8030
secure boot?: YES
Paniclog version: 13
Kernel slide:      0x0000000015c00000
Kernel text base:  0xfffffff01cc04000
mach_absolute_time: 0xd0408738
Epoch Time:        sec       usec
  Boot    : 0x6288ccae 0x0001fac2
  Sleep   : 0x00000000 0x00000000
  Wake    : 0x00000000 0x00000000
  Calendar: 0x6288cd31 0x000174bf

Panicked task 0xffffffe19b603840: 67 pages, 1 threads: pid 32: xpcproxy
Panicked thread: 0xffffffe19bf1e2e0, backtrace: 0xffffffe934452ab0, tid: 423
                  lr: 0xfffffff01d62af48  fp: 0xffffffe934452af0
                  lr: 0xfffffff01d62ad48  fp: 0xffffffe934452b60
                  lr: 0xfffffff01d764940  fp: 0xffffffe934452b80
                  lr: 0xfffffff01d756e1c  fp: 0xffffffe934452c40
                  lr: 0xfffffff01dd1c5f4  fp: 0xffffffe934452c50
                  lr: 0xfffffff01d62aa30  fp: 0xffffffe934452fd0
                  lr: 0xfffffff01d62aa30  fp: 0xffffffe934453030
                  lr: 0xfffffff01f3db97c  fp: 0xffffffe934453050
                  lr: 0xfffffff01d64434c  fp: 0xffffffe9344530a0
                  lr: 0xfffffff01d657b0c  fp: 0xffffffe9344530d0
                  lr: 0xfffffff01d657db0  fp: 0xffffffe934453110
                  lr: 0xfffffff01d641074  fp: 0xffffffe934453140
                  lr: 0xfffffff01d755444  fp: 0xffffffe934453170
                  lr: 0xfffffff01dbc48c0  fp: 0xffffffe9344531b0
                  lr: 0xfffffff01db8cdd8  fp: 0xffffffe9344531d0
                  lr: 0xfffffff01def38e4  fp: 0xffffffe9344531f0
                  lr: 0xfffffff01eeaad5c  fp: 0xffffffe934453490
                  lr: 0xfffffff01eea9fa0  fp: 0xffffffe9344534f0
                  lr: 0xfffffff01eea2528  fp: 0xffffffe934453710
                  lr: 0xfffffff01dd04a54  fp: 0xffffffe934453760
                  lr: 0xfffffff01d7eda08  fp: 0xffffffe9344537b0
                  lr: 0xfffffff01d80e1a4  fp: 0xffffffe934453870
                  lr: 0xfffffff01d7f771c  fp: 0xffffffe934453ad0
                  lr: 0xfffffff01da60318  fp: 0xffffffe934453da0
                  lr: 0xfffffff01db7fc80  fp: 0xffffffe934453e30
                  lr: 0xfffffff01d756c6c  fp: 0xffffffe934453ef0
                  lr: 0xfffffff01dd1c5f4  fp: 0xffffffe934453f00

!! debugger synchronization failed, no stackshot !!
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
wdog panic (attempt 1)

I actually added wdt=-1 to the command line (you can see above), and iOS still says wdog panic. What should I do now? Thanks!

Accept .im4p kernel cache, device tree, static trust cache files

We're currently required to extract the kernel image, device tree and static trust cache from the .img4 files.

It may be useful if qemu itself can take care of the extraction - it would make the process easier.
Qemu already links with OpenSSL and liblzfse, so it already has the infrastructure required to manipulate im4p files in place.

Would you be open to a PR which adds such a feature?
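
As a sketch of what the extraction proposed in this request involves, the following added example (not code from qemu-t8030 or QEMU) walks the DER structure of an IM4P container with explicit bounds checks and returns a view of the payload without decompressing it. It assumes the commonly documented layout, a SEQUENCE of IA5String "IM4P", IA5String type, IA5String description and OCTET STRING payload, optionally wrapped in an "IMG4" SEQUENCE; `der_next`, `im4p_parse`, `im4p_info` and the sample bytes are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One DER element: tag byte plus a bounds-checked view of its contents. */
typedef struct { uint8_t tag; const uint8_t *data; size_t len; } der_tlv;

typedef struct {
    char type[5];             /* four-character payload type, NUL-terminated */
    const uint8_t *payload;   /* points into the caller's buffer */
    size_t payload_len;
    const char *compression;  /* guessed from the payload's leading magic */
} im4p_info;

/* Decode the TLV at *pos inside buf[0..end) and advance *pos past it.
 * Returns 0 on success, -1 if the element is truncated or uses an
 * encoding this sketch does not accept. */
static int der_next(const uint8_t *buf, size_t end, size_t *pos, der_tlv *out)
{
    size_t p = *pos, len;

    if (p >= end || end - p < 2) return -1;
    out->tag = buf[p++];
    if ((out->tag & 0x1f) == 0x1f) return -1;   /* multi-byte tags unsupported */
    len = buf[p++];
    if (len & 0x80) {                           /* long-form length */
        size_t n = len & 0x7f;
        if (n == 0 || n > 4 || end - p < n) return -1;  /* no indefinite form */
        for (len = 0; n > 0; n--) len = (len << 8) | buf[p++];
    }
    if (end - p < len) return -1;               /* contents must fit the parent */
    out->data = buf + p;
    out->len = len;
    *pos = p + len;
    return 0;
}

static int is_ia5_4cc(const der_tlv *t) { return t->tag == 0x16 && t->len == 4; }

/* Locate the payload of an IM4P (bare or inside an IMG4 wrapper).
 * Returns 0 and fills *info on success, -1 on any malformed input. */
int im4p_parse(const uint8_t *buf, size_t size, im4p_info *info)
{
    der_tlv seq, inner, magic, type, desc, data;
    size_t pos = 0, in = 0;

    if (der_next(buf, size, &pos, &seq) || seq.tag != 0x30) return -1;
    if (der_next(seq.data, seq.len, &in, &magic) || !is_ia5_4cc(&magic)) return -1;

    if (memcmp(magic.data, "IMG4", 4) == 0) {   /* unwrap: IM4P is the 2nd element */
        if (der_next(seq.data, seq.len, &in, &inner) || inner.tag != 0x30) return -1;
        seq = inner;
        in = 0;
        if (der_next(seq.data, seq.len, &in, &magic) || !is_ia5_4cc(&magic)) return -1;
    }
    if (memcmp(magic.data, "IM4P", 4) != 0) return -1;

    if (der_next(seq.data, seq.len, &in, &type) || !is_ia5_4cc(&type)) return -1;
    if (der_next(seq.data, seq.len, &in, &desc) || desc.tag != 0x16) return -1;
    if (der_next(seq.data, seq.len, &in, &data) || data.tag != 0x04) return -1;

    memcpy(info->type, type.data, 4);
    info->type[4] = '\0';
    info->payload = data.data;
    info->payload_len = data.len;
    if (data.len >= 4 && memcmp(data.data, "bvx", 3) == 0)
        info->compression = "lzfse";            /* LZFSE block magic (bvx?) */
    else if (data.len >= 8 && memcmp(data.data, "complzss", 8) == 0)
        info->compression = "lzss";
    else
        info->compression = "none";
    return 0;
}

/* Constructed sample, not a real firmware file: type "dtre", description
 * "demo", 8-byte payload that starts with an LZFSE block magic. */
static const uint8_t SAMPLE_IM4P[] = {
    0x30, 0x1c,
    0x16, 0x04, 'I', 'M', '4', 'P',
    0x16, 0x04, 'd', 't', 'r', 'e',
    0x16, 0x04, 'd', 'e', 'm', 'o',
    0x04, 0x08, 'b', 'v', 'x', '2', 0x00, 0x00, 0x00, 0x00,
};

int main(void)
{
    im4p_info info;

    if (im4p_parse(SAMPLE_IM4P, sizeof(SAMPLE_IM4P), &info) != 0) {
        puts("not a valid IM4P");
        return 1;
    }
    printf("type=%s payload=%zu bytes compression=%s\n",
           info.type, info.payload_len, info.compression);
    return 0;
}
```

A payload reported as `lzfse` would then be handed to liblzfse for decompression; every length in the file is attacker-controlled input, which is why each element is checked against its parent before it is used.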

Regression: can no longer load iOS 15.3.1

I cannot load my iOS 15.3.1 VM anymore (it was working previously).

qemu-system-aarch64: ../hw/arm/t8030.c:854: void t8030_create_i2c(MachineState *, const char *): Assertion `child' failed.

QEMU output:

Loading iOS 15.3...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00a120738
KPF: found apfs_vfsop_mount
KPF: found handle_eval_rootauth
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff007d51ae0
kpf_amfi_callback: Found lookup_in_static_trust_cache
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff009d0b8f0
kpf_amfi_callback: Found lookup_in_trust_cache_module
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
qemu-system-aarch64: ../hw/arm/t8030.c:854: void t8030_create_i2c(MachineState *, const char *): Assertion `child' failed.
Aborted

It looks like there is a problem during machine init.
Boot command:

${HOME}/qemu-t8030/build/qemu-system-x86_64 -smp 4 -m 768 \
-machine q35 \
-device virtio-vga,xres=640,yres=480 \
-enable-kvm \
-cpu qemu64 \
-usb \
-device usb-ehci,id=ehci \
-device usb-tcp-remote,bus=ehci.0 \
-drive file=${HOME}/vm_images/kali.qcow2 \
-net user,hostfwd=tcp::8122-:22 \
-net nic \
-monitor telnet:127.0.0.1:1236,server,nowait &
sleep 1
# kernelcache.research.iphone12b.out
${HOME}/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=018-92126-069.dmg.trustcache.out,ticket-filename=${HOME}/vm_images/t8030/root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb DeviceTree.n104ap.im4p \
-append "rd=disk0s1s1 kextlog=0xffff debug=0x14e -v launchd_missing_exec_no_panic=1 serial=3 wdt=-1 keepsyms=1 launchd_unsecure_cache=1" \
-initrd 018-92126-069.dmg.out \
-cpu max -smp 4 \
-m 4G -serial mon:stdio \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait

Using ecb8ff6 with FastSim workaround.
Host: Debian 11 bullseye, Linux 5.16.0-0.bpo.3-amd64
I have a core dump, not sure how useful it is.

GCC on Linux doesn't recognize `__unused`

This causes a compilation error with:

uint32_t __unused orig = data;


GCC version

gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

QEMU Linux VM: 'usb-tcp-remote' is not a valid device model name.

When I tried to run a Linux VM running Ubuntu Server in order to do a restore on the emulated iPhone, QEMU returned "qemu-aarch64-softmmu: -device usb-tcp-remote,bus=ehci.0: 'usb-tcp-remote' is not a valid device model name." Is there any way to fix this issue?

Process 1 exec of /sbin/launchd failed, errno 86

I am trying to boot iOS 14.0 (18A188 InternalUI) in the emulator.
Error log:

`Loading iOS 14.0...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00a4cd4f0
KPF: found apfs_vfsop_mount
KPF: found handle_eval_rootauth
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff007b5d718
kpf_amfi_callback: Found lookup_in_static_trust_cache
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Routine)
kpf_amfi_callback: start @ 0xfffffff0097edcb8
kpf_amfi_callback: Found lookup_in_trust_cache_module
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
Qemu FB realize
g_virt_base: 0xfffffff004000000
g_phys_base: 0x0000000802000000
entry: 0x00000008061204e8
boot_mode: 0
auto-boot=true
cmdline: [debug=0x14e kextlog=0xffff serial=3 -v wdt=-1 launchd_unsecure_cache=1]
iBoot version: qemu-t8030
Darwin Image4 Validator Version 3.0.0: Wed Aug 12 22:19:21 PDT 2020; root:AppleImage4-106.0.4.0.1~129/AppleImage4/RELEASE_ARM64E
AMFI is running in RESEARCH mode!
AUC:[0xffffffe19b9f47e0]::init(0xffffffe19ba323c8)

AUC:[0xffffffe19b9f47e0]::probe(0xffffffe19b7c1ea0, 0xffffffe80e3abdac)

AppleCredentialManager: init: called, instance = .
ACMFirstResponderKernelService: init: called, .
ACMRM-S: init: called, starting PersistentStore service.
ACMRM-C: init: called, starting AccessoryCache service.
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache size = 16 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache expiration = 2592000 (default).
ACMRM: init: called, starting TRM service.
ACMRM-A: init: called, starting TRM Analytics service.
ACMKernelService: initValueFromBootArgAliasesUInt32: analytics collection period = 86400 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: policy mode timeout = 259200 (default).
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: (bounded) grace period timeout = 3600 (default).
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: enabled = 1 (default).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO* BtArg=NO LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO* LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _loadDisabledByOSEnvironment: disabled by OSEnvironment: NO.
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO LegHW=NO OSEnv=NO* | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200.
ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(n=1) while DISABLED, TRM: 259200 -/ff 4294967295 -/ff miss=ff (CUR: 259200 -/ff 4294967295 -/ff).
AppleCredentialManager: init: returning, result = true, instance = .
AppleARMBootPerf: Error: profile region not found (2)
AppleARMBootPerf: Error: failed to publish profile data (2)
virtual bool CoreAnalyticsHub::start(IOService *)::105:CoreAnalyticsHub start
AppleSSE::start called
AppleSSE::start returning, result = 1
AUC:[0xffffffe19b9f47e0]::start(0xffffffe19b7c1ea0)

AppleSEPKeyStore:321:0: starting (BUILT: Aug 12 2020 22:51:30)
AppleSEPKeyStore:545:0: _sep_enabled = 1
AppleCredentialManager: start: called, instance = .
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleCredentialManager: start: initializing power management, instance = .
AppleCredentialManager: start: started, instance = .
AppleCredentialManager: start: returning, result = true, instance = .
AppleInterruptController::start: Num Shared Timestamps == 0
AppleGPIOICController::start: this: , _gpioicBaseAddress:
AppleS8000AES::start: registers at phys:0x0x235008000/0x0x23d2d0000 virt:0x/0x0x4000 / 0x/0x0x4000
AppleGPIOICController::start: this: , _gpioicBaseAddress:
AppleGPIOICController::start: this: , _gpioicBaseAddress:
virtual bool AppleARMLightEmUp::start(IOService *): starting...
AppleS5L8960XUSBPhy::start: hsic disabled
000001.085722 wlan0.A[1] start@968:Default options property found with value 4
Creating an object of AppleBCMWLANPlatformFunctionEmbeddedAMFM class
000001.121777 wlan0.A[2] start@1401: Raised adjustBusy(+1), getBusyState() -> 1
000001.121898 wlan0.A[3] start@1403:Setting up notifier for CoreAnalyticsHub
000001.138758 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::prepareDefaults: model iPhone version 12.1
Identified Serial Port uart7 at 0x23521c000()
AppleA7IOPNub: withRegistryEntry, 47: allocated nub

Identified Serial Port uart0 at 0x235200000()
AppleA7IOPNub: withRegistryEntry, 47: allocated nub

RTBuddy(SMC): start() - (Aug 12 2020@22:50:37)
RTBuddy(ANS2): start() - (Aug 12 2020@22:50:37)
RTBuddy(SMC): Boot args override: wdt = -1
RTBuddy(ANS2): Boot args override: wdt = -1
RTBuddy(ANS2): Resuming...

RTBuddy(SMC): Resuming...

Starting AppleSMC kext() - (Aug 12 2020@22:51:44)
000001.210077 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
AppleSMCEmbedded::setPowerState(): ENTER powerStateOrdinal=1, _activeKeyCommand=0 newState=1
AppleA7IOPNub: withRegistryEntry, 47: allocated nub

virtual IOService AppleANS2NVMeController::probe(IOService , SInt32 )::194:Found (ANS2) provider, returning score 100000
000001.217358 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
RTBuddy(SIO): start() - (Aug 12 2020@22:50:37)
RTBuddy(SIO): Boot args override: wdt = -1
virtual bool AppleANS2NVMeController::start(IOService )::394:Found the ANS2Endpoint1
bool AppleEmbeddedNVMeController::SetNamespacesStruct()::186:Obtained 7 namespaces from DT
virtual IOFilterInterruptEventSource AppleANS2NVMeController::CreateDeviceInterrupt(IOInterruptEventSource::Action, IOFilterInterruptEventSource::Filter, IOService )::2719:ANS2 NVMe interrupt index - 0x4
LPM: Log data is NOT valid. 0x0 0x0
AppleDialogSPMIPMU::start: Primary PMU detected
AppleARMRTC started!#####
AppleDialogSPMIPMURTC started!

Failed to read info-leg_scrpad/Library/Caches/com.apple.xbs/Sources/AppleSMC/AppleSMC-589.0.5/AppleSMCEmbeddedCharger/AppleSMCCharger.cpp:408 _setPowerStateGated() ENTER powerStateOrdinal=1, _powerState=1
AppleDialogSPMIPMURTC tick read!&&&&&&&
AppleDialogSPMIPMURTC ending!%%%
AppleARMRTC registering service!@@@@@@
AppleARMRTC service registered!$$$$$
AppleARMRTC publishing service!^^^^^^
apfs_module_start:2411: load: com.apple.filesystems.apfs, v1677.0.5, apfs-1677.0.5, 2020/08/12
com.apple.AppleFSCompressionTypeZlib kmod start
apfs_sysctl_register:1253: done registering sysctls.
com.apple.AppleFSCompressionTypeZlib load succeeded
L2TP domain init
L2TP domain init complete
Load request for com.apple.nke.pptp failed: -603946998
Waiting on IOProviderClassIOMediaIOPropertyMatchPartition ID0x1
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=0 entrysize=64
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=1 entrysize=128
ANS2: MMIO write to unknown vendor register, offset=0x1210 value=0x240024, returning
ANS2: MMIO write to unknown vendor register, offset=0x24004 value=0x1000, returning
ANS2: MMIO write to unknown vendor register, offset=0x24008 value=0x0, returning
ANS2: MMIO write to unknown vendor register, offset=0x24118 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24108 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24420 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24414 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x2441c value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24418 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24144 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24524 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24508 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24504 value=0x10002, returning
virtual void AppleANS2NVMeController::SetModeselRegister(uint32_t)::1186:Setting modesel to 0
ANS2: MMIO write to unknown vendor register, offset=0x1304 value=0x0, returning
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1964:nvme: Vendor ID : 0x1b36
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1965:nvme: Model Number : QEMU NVMe Ctrl
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1966:nvme: Serial Number : QEMUT8030ANS
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1967:nvme: Firmware Rev : 1.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2000:nvme: S3E A0 Invalid 1x slc 1D 0 plane 128GB NAND
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2009:ECCVersion : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2010:FTL Rev : 0.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2011:DM_Version : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2012:=======================
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2019:Found 16 namespaces in current NAND
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[1] as nstype[1]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[2] as nstype[2]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[3] as nstype[3]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[4] as nstype[4]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[5] as nstype[5]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[6] as nstype[6]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[7] as nstype[8]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[8] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[9] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[10] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[11] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[12] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[13] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[14] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[15] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[16] as nstype[0]
bool AppleEmbeddedNVMeController::SetSwapWriteLimit(uint32_t)::2192: Swap limit set to 2147483648bytes, 2GB
uint32_t AppleEmbeddedNVMeNVRAM::GetNVRAMSize()::745:NVRAM size is 8192 bytes
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1578:allocateAll 1
dev_init:297: disk0 device accelerated crypto: 0 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0 device_handle block size 512 block count 67108864 features 0 internal
nx_kernel_mount:1134: disk0 initializing cache w/hash_size 4096 and cache size 10064
nx_kernel_mount:1402: disk0 checkpoint search: largest xid 355, best xid 355 @ 33
import_iboot_forwarded_roothash:2577: importing root hash ...
apfs_extract_root_hash_arm:10001: could not retrieve system-volume-auth-blob from device tree
import_iboot_forwarded_roothash:2580: apfs_extract_root_hash_and_manifest failed with error: No such file or directory (2)
Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOGUIDPartitionScheme/Untitled 1@1
BSD root: disk0s1, major 1, minor 1
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 2, NSTYPE - 2
apfs_vfsop_mountroot:2188: apfs: mountroot called!
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 512 block count 67108864 features 22 internal solidstate
nx_kernel_mount:1134: disk0s1 initializing cache w/hash_size 4096 and cache size 10064
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 3, NSTYPE - 3
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 6, NSTYPE - 6
[effaceable:ERR ] unable to find content
[effaceable:INIT] started
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 7, NSTYPE - 8
virtual IOReturn AppleNVMeNamespaceDevice::GetDeviceProperties()::269: Logical Blocks Size = 512
virtual IOReturn AppleNVMeNamespaceDevice::GetDeviceProperties()::272: Block Count = 2048
virtual bool AppleNVMeNamespaceDevice::start(IOService *)::111:NVMe Namespace Device registration done for NSID: 7, NSTYPE: 8
virtual bool AppleEmbeddedNVMeController::StartController()::1547:Setting NAND status to Ready
nx_kernel_mount:1402: disk0s1 checkpoint search: largest xid 355, best xid 355 @ 33
apfs_vfsop_mount:1848: Promoter has been locked for disk0s1
failed to find root-snapshot-name snapshot
handle_mount:627: vol-uuid: 5133F48D-5D9E-499B-A8BA-45E692E36FD9 block size: 4096 block count: 8388608 (unencrypted; flags: 0x1; features: 8.0.12)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6634: Volume System is not in a volume group
apfs_vfsop_mount:2171: disk0s1s1:0 mounted volume: System
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleT8030PMGR
panic(cpu 0 caller 0xfffffff007e63dfc): "Process 1 exec of /sbin/launchd failed, errno 86"
Debugger message: panic
Memory ID: 0x0
OS release type: Not set yet
OS version: Not set yet
Kernel version: Darwin Kernel Version 20.0.0: Wed Aug 12 22:56:55 PDT 2020; root:xnu-7195.0.33~64/RELEASE_ARM64_T8030
Kernel UUID: FDDAF386-4EA2-35FC-8235-1F167AEFD6F3
iBoot version: qemu-t8030
secure boot?: YES
Paniclog version: 13
Kernel text base: 0xfffffff007004000
mach_absolute_time: 0x3a68cda
Epoch Time: sec usec
Boot : 0x62471b68 0x00092c8a
Sleep : 0x00000000 0x00000000
Wake : 0x00000000 0x00000000
Calendar: 0x62471b69 0x000da7c4

Panicked task 0xffffffe19b795f40: 1 pages, 1 threads: pid 1: init
Panicked thread: 0xffffffe19ba185d0, backtrace: 0xffffffe8139e37f0, tid: 358
lr: 0xfffffff007a2af48 fp: 0xffffffe8139e3830
lr: 0xfffffff007a2ad48 fp: 0xffffffe8139e38a0
lr: 0xfffffff007b64940 fp: 0xffffffe8139e38c0
lr: 0xfffffff007b56e1c fp: 0xffffffe8139e3980
lr: 0xfffffff00811c5f4 fp: 0xffffffe8139e3990
lr: 0xfffffff007a2aa30 fp: 0xffffffe8139e3d10
lr: 0xfffffff007a2aa30 fp: 0xffffffe8139e3d70
lr: 0xfffffff0097db97c fp: 0xffffffe8139e3d90
lr: 0xfffffff007e63dfc fp: 0xffffffe8139e3e40
lr: 0xfffffff007e2fea0 fp: 0xffffffe8139e3e60
lr: 0xfffffff007a21b7c fp: 0xffffffe8139e3e90
lr: 0xfffffff00811caec fp: 0xffffffe8139e3ea0
lr: 0xfffffff007a61fd0 fp: 0xffffffe8139e3f00
lr: 0xfffffff00812495c fp: 0x0000000000000000

** Stackshot Succeeded ** Bytes Traced 10867 (Uncompressed 36160) **
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleT8030PMGR
wdog panic (attempt 1)
`
Boot command:

../qemu-system-aarch64 -accel tcg,tb-size=8192 -s -M t8030,trustcache-filename=static_tc,ticket-filename=root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb Firmware/all_flash/DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v wdt=-1 launchd_unsecure_cache=1" \
-initrd 038-44135-124.dmg \
-cpu max -smp 4 \
-m 4G -serial mon:stdio \
-drive file=disk.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8 \
-monitor telnet:127.0.0.1:1235,server,nowait

With blocksize set to 4096, I get mount errors.
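
A parser for the paniclog format shown in the log above, added here as an example (it is not part of the original issue or of qemu-t8030): it pulls out the panic string, caller, kernel text base and backtrace, and expresses each `lr` as an offset from the reported text base. The errno names come from Darwin's `<sys/errno.h>`; the function and class names are hypothetical, and `SAMPLE_LOG` is an excerpt of the log above.

```python
import re
from dataclasses import dataclass, field

# Exec-related errno values from Darwin's <sys/errno.h>.
DARWIN_EXEC_ERRNO = {
    85: "EBADEXEC (bad executable or shared library)",
    86: "EBADARCH (bad CPU type in executable)",
    88: "EBADMACHO (malformed Mach-O file)",
}

PANIC_RE = re.compile(r"^panic\(cpu (\d+) caller (0x[0-9a-fA-F]+)\): (.*)$")
FIELD_RE = re.compile(r"^(Kernel version|Kernel UUID|OS version|Kernel text base):\s*(.*)$")
FRAME_RE = re.compile(r"^lr: (0x[0-9a-fA-F]+)\s+fp: (0x[0-9a-fA-F]+)$")
ERRNO_RE = re.compile(r"\berrno (\d+)\b")


@dataclass
class PanicReport:
    cpu: int
    caller: int
    message: str
    fields: dict = field(default_factory=dict)
    frames: list = field(default_factory=list)  # (lr, fp) pairs, innermost first

    @property
    def text_base(self):
        raw = self.fields.get("Kernel text base")
        return int(raw, 16) if raw else None

    def frame_offsets(self):
        """(lr, lr - text base) per frame; empty when no base or frames were logged."""
        base = self.text_base
        if base is None:
            return []
        return [(lr, lr - base) for lr, _fp in self.frames]

    def errno_hint(self):
        """Name the errno quoted in the panic string, if it is a known exec error."""
        m = ERRNO_RE.search(self.message)
        return DARWIN_EXEC_ERRNO.get(int(m.group(1))) if m else None


def parse_panics(log_text):
    """Return one PanicReport per 'panic(cpu N caller X): ...' line in a serial log."""
    reports, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()  # backtrace lines are indented in some logs
        m = PANIC_RE.match(line)
        if m:
            current = PanicReport(int(m.group(1)), int(m.group(2), 16),
                                  m.group(3).strip('"'))
            reports.append(current)
            continue
        if current is None:
            continue  # ordinary boot output before the first panic
        m = FIELD_RE.match(line)
        if m:
            current.fields.setdefault(m.group(1), m.group(2))
            continue
        m = FRAME_RE.match(line)
        if m:
            current.frames.append((int(m.group(1), 16), int(m.group(2), 16)))
    return reports


def summarize(report):
    """Human-readable triage lines for one panic."""
    out = [f"panic on cpu {report.cpu}: {report.message}"]
    hint = report.errno_hint()
    if hint:
        out.append(f"  errno meaning: {hint}")
    if "Kernel version" in report.fields:
        out.append(f"  kernel: {report.fields['Kernel version']}")
    for lr, off in report.frame_offsets():
        mark = "  <- panic caller" if lr == report.caller else ""
        out.append(f"  lr {lr:#x} = text base + {off:#x}{mark}")
    return out


# Excerpt of the panic log quoted in the issue above.
SAMPLE_LOG = """\
IOPlatformPanicAction -> AppleT8030PMGR
panic(cpu 0 caller 0xfffffff007e63dfc): "Process 1 exec of /sbin/launchd failed, errno 86"
Debugger message: panic
Kernel version: Darwin Kernel Version 20.0.0: Wed Aug 12 22:56:55 PDT 2020; root:xnu-7195.0.33~64/RELEASE_ARM64_T8030
Kernel text base: 0xfffffff007004000
Panicked thread: 0xffffffe19ba185d0, backtrace: 0xffffffe8139e37f0, tid: 358
lr: 0xfffffff007a2af48 fp: 0xffffffe8139e3830
lr: 0xfffffff007e63dfc fp: 0xffffffe8139e3e40
lr: 0xfffffff00812495c fp: 0x0000000000000000
"""

if __name__ == "__main__":
    for rep in parse_panics(SAMPLE_LOG):
        print("\n".join(summarize(rep)))
```
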

Cannot get Bash on iOS 15.0

I've restored iOS 15.0, edited launchd.plist and added bash.plist to /System/Library/LaunchDaemons; however, bash is not starting. There are no APFS Snapshots to rename.
Boot command:
../qemu-system-aarch64 -s -M t8030,trustcache-filename=15.0/static_tc,ticket-filename=15.0/root_ticket.der -kernel 15.0/kernelcache.research.iphone12b -dtb 15.0/Firmware/all_flash/DeviceTree.n104ap.im4p -append "debug=0x14e kextlog=0xffff serial=3 -v wdt=-1 launchd_unsecure_cache=1" -initrd 15.0/038-42528-639.dmg -cpu max -smp 4 -m 4G -serial mon:stdio -drive file=nvme.1,format=raw,if=none,id=drive.1 -device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.2,format=raw,if=none,id=drive.2 -device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.3,format=raw,if=none,id=drive.3 -device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.4,format=raw,if=none,id=drive.4 -device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 -drive file=nvram,if=none,format=raw,id=nvram -device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.6,format=raw,if=none,id=drive.6 -device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.7,format=raw,if=none,id=drive.7 -device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 -monitor telnet:127.0.0.1:1235,server,nowait
Log:
fastsim_is_enabled:9457: ================ fastsim is enabled ================
apfs_vfsop_mount:2354: mounted volume: Preboot
/dev/disk0s1s4 on /private/preboot (apfs, local, nodev, nosuid, read-only, journaled, noatime, nobrowse)
com.apple.xpc.launchd|2022-04-17 08:16:14.555550 : Doing boot task: data-protection
init_data_protection: No SEP present on this device
com.apple.xpc.launchd|2022-04-17 08:16:14.814353 : Doing boot task: finish-obliteration
Obliterator: In INIT check
IORegistryEntryGetProperty failed, may be does not exist
Obliterator: No obliteration needed, continue booting, returning 0
com.apple.xpc.launchd|2022-04-17 08:16:15.028039 : Doing boot task: commit-boot-mode
com.apple.xpc.launchd|2022-04-17 08:16:15.029260 : boot-mode committed: (null)
com.apple.xpc.launchd|2022-04-17 08:16:15.030008 : Doing boot task: restore-datapartition
com.apple.xpc.launchd|2022-04-17 08:16:15.033256 : restore-datapartition: optional boot task not present
com.apple.xpc.launchd|2022-04-17 08:16:15.046458 : Doing boot task: mount-phase-2
mount: found boot container: /dev/disk0s1, data volume: /dev/disk0s1s2 env: 1
spaceman_metazone_init:191: disk0s1 metazone for device 0 of size 262143 blocks (encrypted: 8126454-8257525 unencrypted: 8257525-8388597)
spaceman_datazone_init:625: disk0s1 allocation zone on dev 0 for allocations of 1 blocks starting at paddr 4096000
spaceman_datazone_init:625: disk0s1 allocation zone on dev 0 for allocations of 2 blocks starting at paddr 32768
spaceman_datazone_init:625: disk0s1 allocation zone on dev 0 for allocations of 3 blocks starting at paddr 65536
spaceman_datazone_init:625: disk0s1 allocation zone on dev 0 for allocations of 4 blocks starting at paddr 98304
dev_dump:256: Aggregate constructed: dev= di=0 dv_num_slice=15 dv_num_slice_blk=589824 dv_num_lslice_blk=131061
migrate_media_keys_if_needed:1254: disk0s1 no media keys to migrate
spaceman_scan_free_blocks:3171: disk0s1 scan took 0.015712 s (no trims)
mount: failed to migrate Media Keys, error = c002
handle_mount:654: disk0s1s2 vol-uuid: 61706673-7575-6964-0040-766F6C756D01 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:667: disk0s1s2 setting dev block size to 4096 from 512
nx_volume_group_update:7713: disk0s1s2 Volume Data is not in a volume group
fastsim_is_enabled:9457: ================ fastsim is enabled ================
apfs_vfsop_mount:2354: mounted volume: Data
/dev/disk0s1s2 on /private/var (apfs, local, nodev, nosuid, journaled, noatime)
handle_mount:654: disk0s1s5 vol-uuid: E3918FE6-47D6-43AD-9A10-058CDC596EB4 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:667: disk0s1s5 setting dev block size to 4096 from 512
nx_volume_group_update:7707: disk0s1s5 Volume Update role c0 Not a System or data volume
fastsim_is_enabled:9457: ================ fastsim is enabled ================
apfs_vfsop_mount:2354: mounted volume: Update
/dev/disk0s1s5 on /private/var/MobileSoftwareUpdate (apfs, local, nodev, nosuid, journaled, noatime, nobrowse)
handle_mount:654: disk0s1s3 vol-uuid: 61706673-7575-6964-0140-766F6C756D02 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:667: disk0s1s3 setting dev block size to 4096 from 512
nx_volume_group_update:7707: disk0s1s3 Volume Hardware role 140 Not a System or data volume
fastsim_is_enabled:9457: ================ fastsim is enabled ================
apfs_vfsop_mount:2354: mounted volume: Hardware
/dev/disk0s1s3 on /private/var/hardware (apfs, local, nodev, nosuid, journaled, noatime, nobrowse)
com.apple.xpc.launchd|2022-04-17 01:16:16.033083 : Doing boot task: init-with-data-volume
com.apple.xpc.launchd|2022-04-17 01:16:16.095901 : Doing boot task: MSUEarlyBootTask
spaceman_scan_free_blocks:3153: disk0s1 scan took 1.025618 s, trims took 0.983285 s
spaceman_scan_free_blocks:3155: disk0s1 6089571 blocks free in 17906 extents
spaceman_scan_free_blocks:3163: disk0s1 6089571 blocks trimmed in 17906 extents (54 us/trim, 18210 trims/s)
spaceman_scan_free_blocks:3166: disk0s1 trim distribution 1:12171 2+:1962 4+:2516 16+:796 64+:310 256+:151
MSUEarlyBootTask: MSUEarlyBootTask running
main: Content from the ramdisk will be present at /private/var/MobileSoftwareUpdate//2b906ac48e7b89aa76bdc77cf2eb46a52a5cfc4d863d676f515d4c2a3fcd87c5203e5dc133c771fde7038ea4513d4dd6-MSUData if it exists
MSUEarlyBootTask: I have nothing to do. Goodbye!!
com.apple.xpc.launchd|2022-04-17 01:16:16.328821 : Doing boot task: fips
Tracing: disabled
FIPSPOST_USER [270726780] fipspost_post:155: [FIPSPOST][Module-ID] Apple corecrypto Module v12.0 [Apple ARM, User, Software, SL1]
FIPSPOST_USER [270839121] fipspost_post:165: PASSED: (4 ms) - fipspost_post_hmac
FIPSPOST_USER [271036682] fipspost_post:166: PASSED: (12 ms) - fipspost_post_integrity
FIPSPOST_USER [271068000] fipspost_post:172: PASSED: (14 ms) - fipspost_post_indicator
FIPSPOST_USER [271078926] fipspost_post:173: PASSED: (14 ms) - fipspost_post_aes_ecb
FIPSPOST_USER [271088853] fipspost_post:174: PASSED: (15 ms) - fipspost_post_aes_cbc
FIPSPOST_USER [271452097] fipspost_post:175: PASSED: (30 ms) - fipspost_post_rsa_sig
FIPSPOST_USER [272340780] fipspost_post:176: PASSED: (67 ms) - fipspost_post_ecdsa
FIPSPOST_USER [272388121] fipspost_post:177: PASSED: (69 ms) - fipspost_post_ecdh
FIPSPOST_USER [272413658] fipspost_post:178: PASSED: (70 ms) - fipspost_post_aes_ccm
FIPSPOST_USER [272428439] fipspost_post:179: PASSED: (70 ms) - fipspost_post_aes_cmac
FIPSPOST_USER [272438097] fipspost_post:180: PASSED: (71 ms) - fipspost_post_hkdf
FIPSPOST_USER [272933219] fipspost_post:182: PASSED: (91 ms) - fipspost_post_pbkdf
FIPSPOST_USER [272942512] fipspost_post:183: PASSED: (92 ms) - fipspost_post_kdf_ctr
FIPSPOST_USER [272960731] fipspost_post:184: PASSED: (93 ms) - fipspost_post_aes_gcm
FIPSPOST_USER [272973585] fipspost_post:185: PASSED: (93 ms) - fipspost_post_aes_xts
FIPSPOST_USER [273002609] fipspost_post:186: PASSED: (94 ms) - fipspost_post_tdes_ecb
FIPSPOST_USER [273011609] fipspost_post:187: PASSED: (95 ms) - fipspost_post_drbg_ctr
FIPSPOST_USER [273026219] fipspost_post:188: PASSED: (95 ms) - fipspost_post_drbg_hmac
FIPSPOST_USER [282071512] fipspost_post:190: PASSED: (472 ms) - fipspost_post_ffdh
FIPSPOST_USER [282638439] fipspost_post:191: PASSED: (496 ms) - fipspost_post_rsa_enc_dec
FIPSPOST_USER [282641804] fipspost_post:210: all tests PASSED (496 ms)
com.apple.xpc.launchd|2022-04-17 01:16:16.953443 : Doing boot task: keybag
****** DIAGNOSTICS MODE ENABLED, SKIP INIT ****
com.apple.xpc.launchd|2022-04-17 01:16:17.201197 : Doing boot task: usermanagerd
com.apple.xpc.launchd|2022-04-17 01:16:17.203375 : usermanagerd: optional boot task not present
com.apple.xpc.launchd|2022-04-17 01:16:17.228387 : launchd logging initialized. name: com.apple.xpc.launchd pid: 1
com.apple.xpc.launchd|2022-04-17 01:16:17.248288 : Doing boot task: xpcroleaccountd
com.apple.xpc.launchd|2022-04-17 01:16:17.385264 : Doing boot task: init_featureflags
com.apple.xpc.launchd|2022-04-17 01:16:17.902870 : Doing boot task: fud
fud: Early Boot
fud: -FudEarlyBoot doFUDEarlyBoot:: Starting Early Boot
fud: No Early Boot Accessories
fud: -FudEarlyBoot doFUDEarlyBoot:: End Early Boot
fud: Exitng Early Boot
com.apple.xpc.launchd|2022-04-17 01:16:18.438675 : Doing boot task: tzinit
com.apple.xpc.launchd|2022-04-17 01:16:18.574303 : Doing boot task: finish-restore
com.apple.xpc.launchd|2022-04-17 01:16:18.697320 : Doing boot task: finish-demo-restore
com.apple.xpc.launchd|2022-04-17 01:16:18.821920 : Doing boot task: sysstatuscheck
com.apple.xpc.launchd|2022-04-17 01:16:18.947177 : Doing boot task: prng_seedctl
kern.prng.user_reseed_count: (-1) (2) No such file or directory
failed to load virtual random: (-147) (-536870212)
com.apple.xpc.launchd|2022-04-17 01:16:19.088041 : Doing boot task: launchd_cache_loader
0 Found valid port: 2307 Valid: 1
1 Found valid port: 0 Valid: 0
2 Found valid port: 0 Valid: 0
Using default cache paths
Code: /System/Library/xpc/launchd.plist Sig: /System/Library/xpc/launchd.plist.sig
Using unsecure cache: /System/Library/xpc/launchd.plist
Trying to send bytes to launchd: 2307 16384
Sending validated cache to launchd
Cache sent to launchd successfully
com.apple.xpc.launchd|2022-04-17 01:16:19.388631 : launchd UUID: D1C385F5-82FE-32CD-9F8F-2C4A3A640895
com.apple.xpc.launchd|2022-04-17 01:16:19.388733 : Early boot complete. Continuing system boot.
000021.115717 AppleOLYHAL_log.A[1] AppleOLYHALPortInterfacePCIeAMFM::initWithProvider: amfm not matched
000021.122704 wlan0.A[4] deferredStart@2734: Lowered adjustBusy(-1), getBusyState() -> 4

Read-only file system on disk.1

I think the problem is pretty simple to fix. The command I typed (copied and pasted from the wiki) seems to be correct, but after I've mounted disk.1 (aka /Volumes/AzulSeed18A5351d.N104N841DeveloperOS), it says that it's read-only, and I can't do anything on the disk.
I'm on a clean install of Big Sur 11.3.1, so it shouldn't be the problem.

Example of the issue:
/System/Volumes/Data/SWE/macOS/BuildRoots/2288acc43c/Library/Caches/com.apple.xbs/Sources/AppleFSCompression_executables/AppleFSCompression-125/Libraries/CompressData/CompressData.c:211: chflags /Volumes/AzulSeed18A5351d.N104N841DeveloperOS/System/Library/AccessibilityBundles/SoundsAndHapticsSettings.axbundle/es_419.lproj/Accessibility.strings: Read-only file system
(This happens when running sudo afscexpand /Volumes/AzulSeed18A5351d.N104N841DeveloperOS, but trying to write something to the disk also fails, obv.)

Removing LaunchDaemons as detailed in the wiki will trigger a panic after 600 seconds

In a nutshell: watchdogd must be kept running

iOS version: 14.3 (don't think it matters), with research kernels (don't think this mattered either)
qemu-t8030 commit: 42fedc7
To reproduce

  1. Remove all LaunchDaemons entries from /System/Library/LaunchDaemons/xpc/launchd.plist as detailed in the wiki
  2. Boot the system
  3. Wait 600 seconds
  4. ...
  5. panic(cpu 0 caller 0xfffffff0091c85d4): watchdog timeout: no checkins from watchdogd since boot (600 seconds ago)

kernel watchdog timeout panic:

IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
panic(cpu 0 caller 0xfffffff0091c85d4): watchdog timeout: no checkins from watchdogd since boot (600 seconds ago)
Debugger message: panic
Memory ID: 0x0
OS release type: User
OS version: 18C66
Kernel version: Darwin Kernel Version 20.2.0: Fri Nov 13 01:00:15 PST 2020; root:xnu-7195.62.1~4/RELEASE_ARM64_T8030
Kernel UUID: 73CDC310-07B4-3CB1-9F61-114FA9D77E4D
iBoot version: qemu-t8030
secure boot?: YES
Paniclog version: 13
Kernel text base:  0xfffffff007004000
mach_absolute_time: 0x35e3ab49e
Epoch Time:        sec       usec
  Boot    : 0x622c0777 0x00042b47
  Sleep   : 0x00000000 0x00000000
  Wake    : 0x00000000 0x00000000
  Calendar: 0x622c09cf 0x0003d01d

Total cpu_usage: 129487437
Thread task pri cpu_usage
0xffffffe19c87c5d0 com.apple.datami 37 47767
0xffffffe19bbf68b0 com.apple.datami 31 77901
0xffffffe19b76d740 kernel_task 0 5372077
0xffffffe19b76e8b0 kernel_task 0 802121
0xffffffe19b67d740 kernel_task 0 4436923

Panicked task 0xffffffe19b669900: 5100 pages, 118 threads: pid 0: kernel_task
Panicked thread: 0xffffffe19b67d740, backtrace: 0xffffffe80a5b78f0, tid: 102
                  lr: 0xfffffff007a58c90  fp: 0xffffffe80a5b7930
                  lr: 0xfffffff007a58a90  fp: 0xffffffe80a5b79a0
                  lr: 0xfffffff007b96b90  fp: 0xffffffe80a5b79c0
                  lr: 0xfffffff007b88c9c  fp: 0xffffffe80a5b7a80
                  lr: 0xfffffff008160600  fp: 0xffffffe80a5b7a90
                  lr: 0xfffffff007a58778  fp: 0xffffffe80a5b7e10
                  lr: 0xfffffff007a58778  fp: 0xffffffe80a5b7e70
                  lr: 0xfffffff00987ba18  fp: 0xffffffe80a5b7e90
                  lr: 0xfffffff0091c85d4  fp: 0xffffffe80a5b7ec0
                  lr: 0xfffffff0091c7e54  fp: 0xffffffe80a5b7f00
                  lr: 0xfffffff0097089b0  fp: 0xffffffe80a5b7f20
                  lr: 0xfffffff009233990  fp: 0xffffffe80a5b7fb0
                  lr: 0xfffffff0080bab20  fp: 0xffffffe80a5b7fc0
                  lr: 0xfffffff007b8a3fc  fp: 0xffffffe80a5b7fe0
                  lr: 0xfffffff008160674  fp: 0xffffffe80a5b7ff0
                  lr: 0xfffffff007a86d9c  fp: 0xffffffe8b7c2bee0
                  lr: 0xfffffff007a8701c  fp: 0xffffffe8b7c2bf00
                  lr: 0xfffffff00816895c  fp: 0x0000000000000000


** Stackshot Succeeded ** Bytes Traced 117405 (Uncompressed 303632) **
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
wdog panic (attempt 1)
wdt_update: wdog reset chip

boot command:

${HOME}/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=038-83075-083.dmg.trustcache.out,ticket-filename=root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb DeviceTree.n104ap.im4p \
-append "-v launchd_missing_exec_no_panic=1 serial=3 keepsyms=1 launchd_unsecure_cache=1" \
-initrd '038-83075-083.dmg.out' \
-cpu max -smp 4 \
-m 2G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait
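
One way to do the pruning step from this report without losing watchdogd, as an added example (not code from the wiki or the project). It assumes the launchd cache has a top-level `LaunchDaemons` dictionary keyed by job plist path and that the watchdog job can be recognised by the substring `watchdogd`; the sample plist is constructed.

```python
import plistlib

# Substrings of job paths/labels that must survive pruning (assumption:
# the watchdog daemon's job path or Label contains "watchdogd").
KEEP_MARKERS = ("watchdogd",)


def prune_launch_daemons(plist_bytes, keep_markers=KEEP_MARKERS):
    """Drop every LaunchDaemons entry except the ones matching keep_markers.

    Returns (new_plist_bytes, sorted list of removed job paths). The output
    keeps the input's encoding (binary or XML plist).
    """
    root = plistlib.loads(plist_bytes)
    daemons = root.get("LaunchDaemons", {})
    kept = {}
    for path, job in daemons.items():
        label = job.get("Label", "") if isinstance(job, dict) else ""
        if any(m in path or m in label for m in keep_markers):
            kept[path] = job
    removed = sorted(set(daemons) - set(kept))
    root["LaunchDaemons"] = kept
    fmt = (plistlib.FMT_BINARY if plist_bytes.startswith(b"bplist00")
           else plistlib.FMT_XML)
    return plistlib.dumps(root, fmt=fmt), removed


# Constructed sample standing in for launchd.plist; the com.example.* jobs
# are hypothetical.
WATCHDOG_JOB = "/System/Library/LaunchDaemons/com.apple.watchdogd.plist"
SAMPLE_PLIST = plistlib.dumps({
    "LaunchDaemons": {
        WATCHDOG_JOB: {"Label": "com.apple.watchdogd"},
        "/System/Library/LaunchDaemons/com.example.first.plist":
            {"Label": "com.example.first"},
        "/System/Library/LaunchDaemons/com.example.second.plist":
            {"Label": "com.example.second"},
    }
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    new_plist, removed = prune_launch_daemons(SAMPLE_PLIST)
    print("removed:", removed)
    print("kept:", list(plistlib.loads(new_plist)["LaunchDaemons"]))
```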

stuck at auto boot

I'm using a MacBook Pro (Intel). Following the sidebar guide, compiling the code went fine, but auto boot is stuck at apfs: mountroot. How can I fix it?
-------logs-------
L2TP domain init
L2TP domain init complete
Load request for com.apple.nke.pptp failed: -603946998
BSD root: md0, major 3, minor 0
apfs_vfsop_mountroot:2188: apfs: mountroot called!
apfs_vfsop_mount:1745: unable to root from devvp (root_device): 2
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 2
hfs: mounted AzulSeed18A5351d.arm64eCustomerRamDisk on device b(3, 0)

FAILED: qemu-system-aarch64 c++ @qemu-system-aarch64.rsp

Hi, I'm trying to build the emulator, but I get this error after running the
make -j$(nproc) command.
Error log:

[991/1378] Linking target qemu-system-aarch64
FAILED: qemu-system-aarch64
c++ @qemu-system-aarch64.rsp
/usr/bin/ld: libqemu-aarch64-softmmu.fa.p/hw_arm_xnu.c.o: in function `extract_im4p_payload':
/mnt/c/Users/pyell/lzfse/qemu-t8030/build/../hw/arm/xnu.c:224: undefined reference to `asn1_array2tree'
/usr/bin/ld: /mnt/c/Users/pyell/lzfse/qemu-t8030/build/../hw/arm/xnu.c:229: undefined reference to `asn1_create_element'
/usr/bin/ld: /mnt/c/Users/pyell/lzfse/qemu-t8030/build/../hw/arm/xnu.c:234: undefined reference to `asn1_der_decoding'
/usr/bin/ld: /mnt/c/Users/pyell/lzfse/qemu-t8030/build/../hw/arm/xnu.c:241: undefined reference to `asn1_read_value'
/usr/bin/ld: /mnt/c/Users/pyell/lzfse/qemu-t8030/build/../hw/arm/xnu.c:252: undefined reference to `asn1_read_value'
/usr/bin/ld: /mnt/c/Users/pyell/lzfse/qemu-t8030/build/../hw/arm/xnu.c:258: undefined reference to `asn1_read_value'
/usr/bin/ld: /mnt/c/Users/pyell/lzfse/qemu-t8030/build/../hw/arm/xnu.c:266: undefined reference to `asn1_read_value'
/usr/bin/ld: /mnt/c/Users/pyell/lzfse/qemu-t8030/build/../hw/arm/xnu.c:273: undefined reference to `asn1_read_value'
collect2: error: ld returned 1 exit status
[992/1378] Compiling C object tests/unit/check-qnull.p/check-qnull.c.o
[993/1378] Compiling C object tests/unit/check-qdict.p/check-qdict.c.o
[994/1378] Compiling C object tests/fp/fp-test-log2.p/fp-test-log2.c.o
[995/1378] Compiling C object tests/unit/check-block-qdict.p/check-block-qdict.c.o
[996/1378] Compiling C object tests/fp/fp-test.p/fp-test.c.o
[997/1378] Compiling C object tests/unit/check-qstring.p/check-qstring.c.o
[998/1378] Compiling C object tests/fp/fp-bench.p/fp-bench.c.o
[999/1378] Compiling C object tests/fp/fp-test-log2.p/.._.._fpu_softfloat.c.o
[1000/1378] Compiling C object tests/fp/fp-bench.p/.._.._fpu_softfloat.c.o
[1001/1378] Compiling C object tests/fp/fp-test.p/.._.._fpu_softfloat.c.o
[1002/1378] Linking target qemu-system-x86_64
ninja: build stopped: subcommand failed.
make: *** [Makefile:156: run-ninja] Error 1

could not boot the secure rom for iphone 6s

Followed the wiki.

 qemu-t8030/build/qemu-system-aarch64 -s -M s8000,force-dfu=false \
-bios "s8000/SecureROM for s8000si, iBoot-2234.0.0.3.3" \
-dtb DeviceTree.n71ap.im4p \
-cpu max -smp 1 -nographic \
-d guest_errors \
-m 4G -serial mon:stdio \
-drive file=s8000.nor,format=raw,if=none,id=nor \
-device m25p128,drive=nor,bus=spi0.bus \
-monitor telnet:127.0.0.1:1235,server,nowait
Register redefined: cp=19 32 bit crn=15 crm=0 opc1=4 opc2=4, was ARM64_REG_APCTL_EL1, now APCTL_EL1
**
ERROR:../target/arm/helper.c:8836:add_cpreg_to_hashtable: code should not be reached
Bail out! ERROR:../target/arm/helper.c:8836:add_cpreg_to_hashtable: code should not be reached
[1]    11936 abort      qemu-t8030/build/qemu-system-aarch64 -s -M s8000,force-dfu=false -bios  -dtb 

RootTicket verification error

I cannot seem to restore the device:

┌──(nick㉿kali)-[~]
└─$ idevicerestore -P -d --erase --restore-mode -i 0x1122334455667788 iPhone11,8,iPhone12,1_14.0_18A5351d_Restore.ipsw -T root_ticket.der
Using ApTicket found at root_ticket.der length 8931
progress: 0 0.000000
idevice_event_cb: device 1122334455667788 (udid: 00008030-1122334455667788) connected in restore mode
progress: 0 0.100000
Found device in Restore mode
INFO: device serial number is C39ZRMDEN72J
restore_get_irecv_device: Found model N104DEV
progress: 0 0.200000
Identified device as n104ap, iPhone12,1
progress: 0 0.600000
Extracting BuildManifest from IPSW
progress: 0 0.800000
Product Version: 14.0
Product Build: 18A5351d Major: 18
Device supports Image4: true
ERROR: Unable to find any build identities

idevicerestore commit 38595f0b7dac3d53033f93e9893d9be49996ba95 with patch applied
iOS version: 14.0
VM is kali linux rolling (minimal)
root_ticket.der made from ticket.shsh2 in xnu-qemu-arm64-tools
Device appears to enter restore mode successfully

Additionally, the patch does not apply for configure.ac
I ended up adding AC_SEARCH_LIBS([pthread_create], [pthread]) to configure.ac myself and then removed that hunk of the patch.

Linux boot command:

${HOME}/qemu-t8030/build/qemu-system-x86_64 -smp 1 -m 768 \
-machine q35 \
-device virtio-vga,xres=640,yres=480 \
-enable-kvm \
-cpu qemu64 \
-usb \
-device usb-ehci,id=ehci \
-device usb-tcp-remote,bus=ehci.0 \
-drive file=${HOME}/vm_images/kali.qcow2 \
-net user,hostfwd=tcp::8122-:22 \
-net nic \
-monitor telnet:127.0.0.1:1236,server,nowait

iOS boot command:

${HOME}/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=038-44135-124.dmg.trustcache.out \
-kernel kernelcache.research.iphone12b \
-dtb DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v" \
-initrd 038-44135-124.dmg \
-cpu max -smp 4 \
-m 2G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait

Nick Chan

Unable to build

Machine: MacBook M1

Commands used:
brew install libtasn1 meson ninja pixman lzfse jtool2 jq

git clone --recursive https://github.com/TrungNguyen1909/qemu-t8030
cd qemu-t8030
mkdir build; cd build
../configure --target-list=aarch64-softmmu,x86_64-softmmu --disable-capstone --disable-slirp make -j$(nproc)

configure result

make result

cannot connect qemu with gdb

Environment:
OS: macOS Big Sur
gdb: GNU gdb (GDB) 12.1

Steps to reproduce:

  1. Followed the wiki to boot the SecureROM
  2. Connected gdb to QEMU
(gdb) set debug remote 1
(gdb) target remote :1235
Remote debugging using :1235
[remote] start_remote_1: enter
  [remote] Sending packet: $qSupported:multiprocess+;swbreak+;hwbreak+;qRelocInsn+;fork-events+;vfork-events+;exec-events+;vContSupported+;QThreadEvents+;no-resumed+;memory-tagging+;xmlRegisters=i386#77
  [remote] Junk: 
  [remote] Junk: {
  [remote] Junk: 
  [remote] Junk: 
  [remote] Junk: {
  [remote] Junk: 
  [remote] Junk: 
  [remote] Junk: {
  [remote] Junk: 
  [remote] Junk: 
  [remote] Junk: }
  [remote] Junk: 
  [remote] Junk: Q
  [remote] Junk: E
  [remote] Junk: M
  [remote] Junk: U
  [remote] Junk:  
  [remote] Junk: 7
  [remote] Junk: .
  [remote] Junk: 0
  [remote] Junk: .
  [remote] Junk: 0
  [remote] Junk:  
  [remote] Junk: m
  [remote] Junk: o
  [remote] Junk: n
  [remote] Junk: i
  [remote] Junk: t
  [remote] Junk: o
  [remote] Junk: r
  [remote] Junk:  
  [remote] Received Nak
  [remote] Sending packet: $qSupported:multiprocess+;swbreak+;hwbreak+;qRelocInsn+;fork-events+;vfork-events+;exec-events+;vContSupported+;QThreadEvents+;no-resumed+;memory-tagging+;xmlRegisters=i386#77
  [remote] Junk:  
  [remote] Junk: t
  [remote] Junk: y
  [remote] Junk: p
  [remote] Junk: e
  [remote] Junk:  
  [remote] Junk: '
  [remote] Junk: h
  [remote] Junk: e
  [remote] Junk: l
  [remote] Junk: p
  [remote] Junk: '
  [remote] Junk:  
  [remote] Junk: f
  [remote] Junk: o
  [remote] Junk: r
  [remote] Junk:  
  [remote] Junk: m
  [remote] Junk: o
  [remote] Junk: r
  [remote] Junk: e
  [remote] Junk:  
  [remote] Junk: i
  [remote] Junk: n
  [remote] Junk: f
  [remote] Junk: o
  [remote] Junk: r
  [remote] Junk: m
  [remote] Junk: a
  [remote] Junk: t
  [remote] Junk: i
  [remote] Junk: o
  [remote] Junk: n
  [remote] Junk: 
  [remote] Junk: 

  [remote] Junk: (
  [remote] Junk: q
  [remote] Junk: e
  [remote] Junk: m
  [remote] Junk: u
  [remote] Junk: )
  [remote] Junk:  
  [remote] Received Ack
  [remote] read_frame: Saw new packet start in middle of old one
  [remote] read_frame: Saw new packet start in middle of old one
  [remote] read_frame: Saw new packet start in middle of old one
Ignoring packet error, continuing...
  [remote] packet_ok: Packet qSupported (supported-packets) is supported
  [remote] Sending packet: $vMustReplyEmpty#3a
  [remote] Junk: qqSup
  [remote] Junk: SqSup
  [remote] Junk: uqSup
  [remote] Junk: pqSup
  [remote] Junk: pqSup
  [remote] Junk: Sup
  [remote] Junk: [qSup
  [remote] Junk: KqSup
  [remote] Junk: Sup
  [remote] Junk: [qSup
  [remote] Junk: DqSup
  [remote] Junk: Sup
  [remote] Junk: [qSup
  [remote] Junk: DqSup
  [remote] Junk: Sup
  [remote] Junk: [qSup
  [remote] Junk: DqSup
  [remote] Junk: Sup
  [remote] Junk: [qSup
  [remote] Junk: DqSup
  [remote] Junk: Sup
  [remote] Junk: [qSup
  [remote] Junk: DqSup
  [remote] Junk: Sup
  [remote] Junk: [qSup
  [remote] Junk: DqSup
  [remote] Junk: Sup
  [remote] Junk: [qSup
  [remote] Junk: DqSup
  [remote] Received Ack
  [remote] read_frame: Saw new packet start in middle of old one
  [remote] read_frame: Saw new packet start in middle of old one
  [remote] read_frame: Saw new packet start in middle of old one
Ignoring packet error, continuing...
[remote] start_remote_1: exit
Remote replied unexpectedly to 'vMustReplyEmpty'+ qSupported
(gdb) 
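
A way to read a `set debug remote 1` log like the one above, as an added example (not part of the original report or the project): it verifies the checksum of each packet gdb sent, reassembles the per-byte `Junk:` lines, and classifies what answered on the port. In the boot commands on this page, 1235 is the `-monitor telnet:` port, while `-s` opens the gdb stub on QEMU's default `tcp::1234`. The sample logs and function names are constructed for the example.

```python
import re

SENT_RE = re.compile(r"\[remote\] Sending packet: \$(.*)#([0-9a-fA-F]{2})\s*$")
JUNK_RE = re.compile(r"\[remote\] Junk: ?(.*)$")
BANNER_RE = re.compile(r"QEMU \d+(?:\.\d+)* monitor")

# Constructed sample: a shortened excerpt in the shape of the log above.
SAMPLE_LOG = """\
  [remote] Sending packet: $vMustReplyEmpty#3a
  [remote] Junk: Q
  [remote] Junk: E
  [remote] Junk: M
  [remote] Junk: U
  [remote] Junk:  
  [remote] Junk: 7
  [remote] Junk: .
  [remote] Junk: 0
  [remote] Junk: .
  [remote] Junk: 0
  [remote] Junk:  
  [remote] Junk: m
  [remote] Junk: o
  [remote] Junk: n
  [remote] Junk: i
  [remote] Junk: t
  [remote] Junk: o
  [remote] Junk: r
  [remote] Received Nak
"""

# Constructed sample: the same request answered by a real RSP stub.
CLEAN_LOG = """\
  [remote] Sending packet: $vMustReplyEmpty#3a
  [remote] Received Ack
"""


def rsp_checksum(payload):
    """Remote Serial Protocol checksum: sum of payload bytes modulo 256."""
    return sum(payload.encode("latin-1")) % 256


def parse_debug_log(text):
    """Collect sent packets, stray bytes and ack/nak counts from the log."""
    sent, junk, acks, naks = [], [], 0, 0
    for line in text.splitlines():
        m = SENT_RE.search(line)
        if m:
            payload, cksum = m.group(1), int(m.group(2), 16)
            sent.append({"payload": payload,
                         "checksum_ok": rsp_checksum(payload) == cksum})
            continue
        m = JUNK_RE.search(line)
        if m:
            # gdb logs each stray byte on its own line; an empty or blank
            # payload is a space, CR or LF, so treat it as whitespace.
            junk.append(m.group(1) if m.group(1).strip() else " ")
        elif "Received Ack" in line:
            acks += 1
        elif "Received Nak" in line:
            naks += 1
    junk_text = " ".join("".join(junk).split())
    return {"sent": sent, "junk_text": junk_text, "acks": acks, "naks": naks}


def classify_peer(parsed):
    """Name the service on the other end of the gdb connection."""
    text = parsed["junk_text"]
    if BANNER_RE.search(text) or "(qemu)" in text:
        return "qemu-monitor"      # human monitor console, not a gdb stub
    if not text and parsed["acks"] and not parsed["naks"]:
        return "rsp"               # framed replies only: a real gdb stub
    return "unknown"


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("clean", CLEAN_LOG)):
        parsed = parse_debug_log(log)
        print(name, repr(parsed["junk_text"]), classify_peer(parsed))
```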

unencrypted data volume is not allowed - iOS 15.3.1 restore

iOS 15.3.1 cannot be restored - unencrypted data volume is not allowed panic
Kernel is a research kernel
xnu cmdline: -restore kextlog=0xffff debug=0x14e -v rd=md0 launchd_missing_exec_no_panic=1 serial=3 wdt=-1 keepsyms=1 launchd_unsecure_cache=1
IPSW download
root_ticket.der generated with BuildManifest in ipsw and the ticket.shsh2 in qemu-t8030-tools
Host is Debian bullseye Linux 5.15.0-0.bpo.3-amd64 #1 SMP Debian 5.15.15-2~bpo11+1 (2022-02-03) x86_64
qemu-t8030 commit: 42fedc7
boot command:

${HOME}/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=018-92126-069.dmg.trustcache.out,ticket-filename=${HOME}/vm_images/t8030/root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb DeviceTree.n104ap.im4p \
-append "-restore kextlog=0xffff debug=0x14e -v rd=md0 launchd_missing_exec_no_panic=1 serial=3 wdt=-1 keepsyms=1 launchd_unsecure_cache=1" \
-initrd '018-92126-069.dmg.out'   \
-cpu max -smp 4 \
-m 2G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait

Serial port output right before panic

entering mount_partition                          
executing /sbin/mount_apfs -R /dev/disk0s1s2 /mnt2                                                  
apfs_mount:26376: disk0s1s2 mount for ramdisk                                                       
set_cloneinfo_id_epoch:25743: disk0s1s2 set cloneinfo_id_epoch to 16                                
apfs_log_mount_unmount:1828: disk0s1s2 mounting volume Data, requested by: mount_apfs (pid 37); parent: restored_externa (pid 6)                                                                         
handle_mount:654: disk0s1s2 vol-uuid: 61706673-7575-6964-0040-766F6C756D01 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:667: disk0s1s2 setting dev block size to 4096 from 512                                 
nx_volume_group_update:7715: disk0s1s2 Volume Data is not in a volume group                         
IOPlatformPanicAction -> AppleANS2NVMeController                                                    
IOPlatformPanicAction -> AppleT8030PMGR                                                             
IOPlatformPanicAction -> AppleARMWatchdogTimer                                                      
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device                                                 
IOPlatformPanicAction -> RTBuddyV2                
IOPlatformPanicAction -> RTBuddyV2                
IOPlatformPanicAction -> RTBuddyV2                
panic(cpu 2 caller 0xfffffff0093c31c8): "unencrypted data volume is not allowed" @apfs_vfsops.c:2357                                                                                                     
Debugger message: panic                           
Memory ID: 0x0                                    
OS release type: Restore                          
OS version: 19D52                                 
Kernel version: Darwin Kernel Version 21.3.0: Wed Jan  5 21:44:45 PST 2022; root:xnu-8019.80.24~23/RELEASE_ARM64_T8030                                                                                   
Kernel UUID: 5703F07F-AEE8-3207-8205-203C7B11B3C2                                                   
iBoot version: qemu-t8030                         
secure boot?: YES                                 
Paniclog version: 13                              
Kernel text base:  0xfffffff007004000             
mach_absolute_time: 0x8fcb69550                   
Epoch Time:        sec       usec                 
  Boot    : 0x6228c86d 0x000d892c                 
  Sleep   : 0x00000000 0x00000000                 
  Wake    : 0x00000000 0x00000000                 
  Calendar: 0x6228ceb3 0x0000edac
  
  Zone info:                                        
Foreign   : 0xfffffff0b83dc000 - 0xfffffff0b83ec000                                                 
Native    : 0xffffffe000588000 - 0xffffffe600588000                                                 
Readonly  : 0xffffffe0e6bec000 - 0xffffffe1338b0000                                                 
Metadata  : 0xffffffeb018cc000 - 0xffffffeb05bac000                                                 
Bitmaps   : 0xffffffeb030cc000 - 0xffffffeb03b28000                                                 
CORE 0: PC=0xfffffff007d4dadc, LR=0xfffffff007c77134, FP=0xffffffeb057bbd60                         
CORE 1: PC=0xfffffff007d4e650, LR=0xfffffff007d4e64c, FP=0xffffffeb0578be80                         
CORE 2 is the one that panicked. Check the full backtrace for details.                              
CORE 3: PC=0xfffffff007d4e650, LR=0xfffffff007d4e64c, FP=0xffffffeb10693e80                         
Panicked task 0xffffffe3006cece8: 658 pages, 1 threads: pid 37: mount_apfs                          
Panicked thread: 0xffffffe3e6cbb020, backtrace: 0xffffffeb0583a990, tid: 551                                                                                                                             
                  lr: 0xfffffff007c08c18  fp: 0xffffffeb0583a9d0                                    
                  lr: 0xfffffff007c08938  fp: 0xffffffeb0583aa40                                    
                  lr: 0xfffffff007d5a2cc  fp: 0xffffffeb0583aa60                                    
                  lr: 0xfffffff007d4bae0  fp: 0xffffffeb0583aae0                                    
                  lr: 0xfffffff007d4a894  fp: 0xffffffeb0583aba0                                    
                  lr: 0xfffffff00835a610  fp: 0xffffffeb0583abb0                                    
                  lr: 0xfffffff007c08604  fp: 0xffffffeb0583af40                                    
                  lr: 0xfffffff007c08604  fp: 0xffffffeb0583afa0                                    
                  lr: 0xfffffff009cf01a8  fp: 0xffffffeb0583afc0                                    
                  lr: 0xfffffff0093c31c8  fp: 0xffffffeb0583b890                                    
                  lr: 0xfffffff007de7ee0  fp: 0xffffffeb0583bb40                                    
                  lr: 0xfffffff007de9974  fp: 0xffffffeb0583bd70                                    
                  lr: 0xfffffff007de96bc  fp: 0xffffffeb0583bdb0                                    
                  lr: 0xfffffff0081a8a98  fp: 0xffffffeb0583be50                                    
                  lr: 0xfffffff007d4a960  fp: 0xffffffeb0583bf10                                    
                  lr: 0xfffffff00835a610  fp: 0xffffffeb0583bf20                                    


** Stackshot Succeeded ** Bytes Traced 18741 (Uncompressed 50480) **                                
IOPlatformPanicAction -> AppleANS2NVMeController                                                    
IOPlatformPanicAction -> AppleT8030PMGR                                                             
IOPlatformPanicAction -> AppleARMWatchdogTimer                                                      
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device                                                 
IOPlatformPanicAction -> RTBuddyV2                
IOPlatformPanicAction -> RTBuddyV2                
IOPlatformPanicAction -> RTBuddyV2                
IOPlatformPanicAction -> AppleANS2NVMeController                                                    
IOPlatformPanicAction -> AppleT8030PMGR                                                             
IOPlatformPanicAction -> AppleARMWatchdogTimer                                                      
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device                                                 
IOPlatformPanicAction -> RTBuddyV2                
IOPlatformPanicAction -> RTBuddyV2                
IOPlatformPanicAction -> RTBuddyV2                

Please go to https://panic.apple.com to report this panic

idevicerestore log

┌──(nick㉿kali)-[~]
└─$ idevicerestore -P -d --erase --restore-mode -i 0x1122334455667788 *.ipsw -T root_ticket.der
Using ApTicket found at root_ticket.der length 8931
progress: 0 0.000000
idevice_event_cb: device 1122334455667788 (udid: 00008030-1122334455667788) connected in restore mode
progress: 0 0.100000
Found device in Restore mode
INFO: device serial number is C39ZRMDEN72J
restore_get_irecv_device: Found model N104DEV
progress: 0 0.200000
Identified device as n104ap, iPhone12,1
progress: 0 0.600000
Extracting BuildManifest from IPSW
progress: 0 0.800000
Product Version: 15.3.1
Product Build: 19D52 Major: 19
Device supports Image4: true
Variant: Customer Erase Install (IPSW)
This restore will erase your device data.
################################ [ WARNING ] #################################
# You are about to perform an *ERASE* restore. ALL DATA on the target device #
# will be IRREVERSIBLY DESTROYED. If you want to update your device without  #
# erasing the user data, hit CTRL+C now and restart without -e or --erase    #
# command line switch.                                                       #
# If you want to continue with the ERASE, please type YES and press ENTER.   #
##############################################################################
> YES  
progress: 1 0.000000
Checking IPSW for required components...
All required components found in IPSW
Using cached filesystem from 'iPhone11,8,iPhone12,1_15.3.1_19D52_Restore/018-91937-063.dmg'
progress: 1 0.200000
progress: 1 0.250000
progress: 1 0.300000
progress: 1 0.500000
progress: 1 0.700000
progress: 1 0.900000
About to restore device... 
restore_is_current_device: Connected to com.apple.mobile.restored, version 15
Connecting now...
Connected to com.apple.mobile.restored, version 15
Device 00008030-1122334455667788 has successfully entered restore mode
Hardware Information:
BoardID: 4
ChipID: 32816
UniqueChipID: 1234605616436508552
ProductionMode: false
Starting FDR listener thread
Connecting to FDR client at port 1082
About to do ctrl handshake
FDR sending 89 bytes:
common.c:printing 287 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>BeginCtrl</string>
        <key>CtrlProtoVersion</key>
        <integer>2</integer>
</dict>
</plist>
FDR Sent 89 bytes
FDR Received 105 bytes
common.c:printing 334 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>BeginCtrl</string>
        <key>CtrlProtoVersion</key>
        <integer>2</integer>
        <key>ConnPort</key>
        <integer>49161</integer>
</dict>
</plist>
Ctrl handshake done (ConnPort = 49161)
FDR 0x56033bcb5bc0 waiting for message...
progress: 1 1.000000
About to send RootTicket...
Sending RootTicket now...
Done sending RootTicket
Waiting for NAND (28)
Updating NAND Firmware (58)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
About to send FDR Trust data...
Sending FDR Trust data now...
Done sending FDR Trust Data
Checking for uncollected logs (44)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Creating partition map (11)
Creating filesystem (12)
About to send filesystem...
Connecting to ASR
Retrying connection...
Received 272 bytes:
common.c:printing 272 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Checksum Chunks</key>
        <true/>
        <key>Command</key>
        <string>Initiate</string>
</dict>
</plist>
Connected to ASR
Validating the filesystem
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
Received 336 bytes:
common.c:printing 336 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>1276</integer>
        <key>OOB Offset</key>
        <integer>6562671111</integer>
</dict>
</plist>
Received 325 bytes:
common.c:printing 325 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>72</integer>
        <key>OOB Offset</key>
        <integer>0</integer>
</dict>
</plist>
Received 335 bytes:
common.c:printing 335 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>512</integer>
        <key>OOB Offset</key>
        <integer>6562671875</integer>
</dict>
</plist>
Received 335 bytes:
common.c:printing 335 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>512</integer>
        <key>OOB Offset</key>
        <integer>6562671875</integer>
</dict>
</plist>
Received 335 bytes:
common.c:printing 335 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>512</integer>
        <key>OOB Offset</key>
        <integer>6562671875</integer>
</dict>
</plist>
Received 325 bytes:
common.c:printing 325 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>64</integer>
        <key>OOB Offset</key>
        <integer>0</integer>
</dict>
</plist>
Received 338 bytes:
common.c:printing 338 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>399069</integer>
        <key>OOB Offset</key>
        <integer>6562272806</integer>
</dict>
</plist>
Received 336 bytes:
common.c:printing 336 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>1276</integer>
        <key>OOB Offset</key>
        <integer>6562671111</integer>
</dict>
</plist>
Received 325 bytes:
common.c:printing 325 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>72</integer>
        <key>OOB Offset</key>
        <integer>0</integer>
</dict>
</plist>
Received 335 bytes:
common.c:printing 335 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>512</integer>
        <key>OOB Offset</key>
        <integer>6562671875</integer>
</dict>
</plist>
Received 335 bytes:
common.c:printing 335 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>512</integer>
        <key>OOB Offset</key>
        <integer>6562671875</integer>
</dict>
</plist>
Received 335 bytes:
common.c:printing 335 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>512</integer>
        <key>OOB Offset</key>
        <integer>6562671875</integer>
</dict>
</plist>
Received 325 bytes:
common.c:printing 325 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>64</integer>
        <key>OOB Offset</key>
        <integer>0</integer>
</dict>
</plist>
Received 338 bytes:
common.c:printing 338 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>399069</integer>
        <key>OOB Offset</key>
        <integer>6562272806</integer>
</dict>
</plist>
Received 325 bytes:
common.c:printing 325 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>55</integer>
        <key>OOB Offset</key>
        <integer>0</integer>
</dict>
</plist>
Received 328 bytes:
common.c:printing 328 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>210</integer>
        <key>OOB Offset</key>
        <integer>163</integer>
</dict>
</plist>
Received 327 bytes:
common.c:printing 327 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>108</integer>
        <key>OOB Offset</key>
        <integer>55</integer>
</dict>
</plist>
Received 327 bytes:
common.c:printing 327 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>108</integer>
        <key>OOB Offset</key>
        <integer>55</integer>
</dict>
</plist>
Received 330 bytes:
common.c:printing 330 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>18797</integer>
        <key>OOB Offset</key>
        <integer>373</integer>
</dict>
</plist>
Received 327 bytes:
common.c:printing 327 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>108</integer>
        <key>OOB Offset</key>
        <integer>55</integer>
</dict>
</plist>
Received 328 bytes:
common.c:printing 328 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>210</integer>
        <key>OOB Offset</key>
        <integer>163</integer>
</dict>
</plist>
Received 325 bytes:
common.c:printing 325 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>55</integer>
        <key>OOB Offset</key>
        <integer>0</integer>
</dict>
</plist>
Received 332 bytes:
common.c:printing 332 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>7500</integer>
        <key>OOB Offset</key>
        <integer>168112</integer>
</dict>
</plist>
Received 331 bytes:
common.c:printing 331 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>204</integer>
        <key>OOB Offset</key>
        <integer>175612</integer>
</dict>
</plist>
Received 332 bytes:
common.c:printing 332 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>7500</integer>
        <key>OOB Offset</key>
        <integer>168112</integer>
</dict>
</plist>
Received 332 bytes:
common.c:printing 332 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>7085</integer>
        <key>OOB Offset</key>
        <integer>138866</integer>
</dict>
</plist>
Received 334 bytes:
common.c:printing 334 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>192423</integer>
        <key>OOB Offset</key>
        <integer>175816</integer>
</dict>
</plist>
Received 336 bytes:
common.c:printing 336 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>213761</integer>
        <key>OOB Offset</key>
        <integer>21904205</integer>
</dict>
</plist>
Received 332 bytes:
common.c:printing 332 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>7500</integer>
        <key>OOB Offset</key>
        <integer>168112</integer>
</dict>
</plist>
Received 332 bytes:
common.c:printing 332 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>3186</integer>
        <key>OOB Offset</key>
        <integer>164926</integer>
</dict>
</plist>
Received 332 bytes:
common.c:printing 332 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>7500</integer>
        <key>OOB Offset</key>
        <integer>168112</integer>
</dict>
</plist>
Received 336 bytes:
common.c:printing 336 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>1276</integer>
        <key>OOB Offset</key>
        <integer>6562671111</integer>
</dict>
</plist>
Received 325 bytes:
common.c:printing 325 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>72</integer>
        <key>OOB Offset</key>
        <integer>0</integer>
</dict>
</plist>
Received 335 bytes:
common.c:printing 335 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>512</integer>
        <key>OOB Offset</key>
        <integer>6562671875</integer>
</dict>
</plist>
Received 335 bytes:
common.c:printing 335 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>512</integer>
        <key>OOB Offset</key>
        <integer>6562671875</integer>
</dict>
</plist>
Received 335 bytes:
common.c:printing 335 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>512</integer>
        <key>OOB Offset</key>
        <integer>6562671875</integer>
</dict>
</plist>
Received 325 bytes:
common.c:printing 325 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>64</integer>
        <key>OOB Offset</key>
        <integer>0</integer>
</dict>
</plist>
Received 338 bytes:
common.c:printing 338 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>399069</integer>
        <key>OOB Offset</key>
        <integer>6562272806</integer>
</dict>
</plist>
Received 338 bytes:
common.c:printing 338 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>OOBData</string>
        <key>OOB Length</key>
        <integer>399069</integer>
        <key>OOB Offset</key>
        <integer>6562272806</integer>
</dict>
</plist>
Received 234 bytes:
common.c:printing 234 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>Payload</string>
</dict>
</plist>
Filesystem validated
Sending filesystem now...
progress: 2 0.010006
progress: 2 0.020012
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.030018
progress: 2 0.040005
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.050011
progress: 2 0.060017
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.070003
progress: 2 0.080009
progress: 2 0.090015
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.100002
progress: 2 0.110008
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.120014
progress: 2 0.130000
progress: 2 0.140006
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.150012
progress: 2 0.160018
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.170005
progress: 2 0.180011
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.190017
progress: 2 0.200003
progress: 2 0.210009
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.220015
progress: 2 0.230002
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.240008
progress: 2 0.250014
progress: 2 0.260000
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.270006
progress: 2 0.280012
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.290019
progress: 2 0.300005
progress: 2 0.310011
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.320017
progress: 2 0.330003
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.340009
progress: 2 0.350015
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.360002
progress: 2 0.370008
progress: 2 0.380014
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.390000
progress: 2 0.400006
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.410012
progress: 2 0.420019
progress: 2 0.430005
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.440011
progress: 2 0.450017
progress: 2 0.460003
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.470009
progress: 2 0.480015
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.490002
progress: 2 0.500008
progress: 2 0.510014
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.520000
progress: 2 0.530006
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.540012
progress: 2 0.550019
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.560005
progress: 2 0.570011
progress: 2 0.580017
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.590003
progress: 2 0.600009
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.610016
progress: 2 0.620002
progress: 2 0.630008
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.640014
progress: 2 0.650000
progress: 2 0.660006
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.670012
progress: 2 0.680019
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.690005
progress: 2 0.700011
progress: 2 0.710017
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.720003
progress: 2 0.730009
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.740016
progress: 2 0.750002
progress: 2 0.760008
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.770014
progress: 2 0.780000
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.790006
progress: 2 0.800013
progress: 2 0.810019
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.820005
progress: 2 0.830011
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.840017
progress: 2 0.850003
progress: 2 0.860009
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.870016
progress: 2 0.880002
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.890008
progress: 2 0.900014
progress: 2 0.910000
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.920006
progress: 2 0.930013
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.940019
progress: 2 0.950005
progress: 2 0.960011
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.970017
progress: 2 0.980003
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 2 0.990009
progress: 2 1.000000
Done sending filesystem
Verifying restore (14)
progress: 3 0.020000
progress: 3 0.040000
progress: 3 0.060000
progress: 3 0.080000
progress: 3 0.100000
progress: 3 0.120000
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 3 0.140000
progress: 3 0.160000
progress: 3 0.180000
progress: 3 0.200000
progress: 3 0.220000
progress: 3 0.240000
progress: 3 0.260000
progress: 3 0.280000
progress: 3 0.300000
progress: 3 0.320000
progress: 3 0.340000
progress: 3 0.360000
progress: 3 0.380000
progress: 3 0.400000
progress: 3 0.420000
progress: 3 0.440000
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 3 0.460000
progress: 3 0.480000
progress: 3 0.500000
progress: 3 0.520000
progress: 3 0.540000
progress: 3 0.560000
progress: 3 0.580000
progress: 3 0.600000
progress: 3 0.620000
progress: 3 0.640000
progress: 3 0.660000
progress: 3 0.680000
progress: 3 0.700000
progress: 3 0.720000
progress: 3 0.740000
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 3 0.760000
progress: 3 0.780000
progress: 3 0.800000
progress: 3 0.820000
progress: 3 0.840000
progress: 3 0.860000
progress: 3 0.880000
progress: 3 0.900000
progress: 3 0.920000
progress: 3 0.940000
progress: 3 0.960000
progress: 3 0.980000
progress: 3 1.000000
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Checking filesystems (15)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
No data to read (timeout)
Checking filesystems (15)
Checking filesystems (15)
Mounting filesystems (16)
Mounting filesystems (16)
Mounting filesystems (16)
Unknown operation (80)
Unhandled progress operation 80 (80)
Sending IsiBootEANFirmware image list
Unhandled progress operation 80 (80)
Sending IsiBootNonEssentialFirmware image list
About to send NORData...
Found firmware path Firmware/all_flash
Getting firmware manifest from build identity
Extracting LLB.n104.RELEASE.im4p (Firmware/all_flash/LLB.n104.RELEASE.im4p)...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
Not personalizing component LLB...
Extracting applelogo@1792~iphone.im4p (Firmware/all_flash/applelogo@1792~iphone.im4p)...
Not personalizing component AppleLogo...
Extracting batterycharging0@1792~iphone.im4p (Firmware/all_flash/batterycharging0@1792~iphone.im4p)...
Not personalizing component BatteryCharging0...
Extracting batterycharging1@1792~iphone.im4p (Firmware/all_flash/batterycharging1@1792~iphone.im4p)...
Not personalizing component BatteryCharging1...
Extracting batteryfull@2x~iphone.im4p (Firmware/all_flash/batteryfull@2x~iphone.im4p)...
Not personalizing component BatteryFull...
Extracting batterylow0@2x~iphone.im4p (Firmware/all_flash/batterylow0@2x~iphone.im4p)...
Not personalizing component BatteryLow0...
Extracting batterylow1@2x~iphone.im4p (Firmware/all_flash/batterylow1@2x~iphone.im4p)...
Not personalizing component BatteryLow1...
Extracting glyphplugin@1792~iphone-lightning.im4p (Firmware/all_flash/glyphplugin@1792~iphone-lightning.im4p)...
Not personalizing component BatteryPlugin...
Extracting DeviceTree.n104ap.im4p (Firmware/all_flash/DeviceTree.n104ap.im4p)...
Not personalizing component DeviceTree...
Extracting lowpowermode@1792~iphone-lightning.im4p (Firmware/all_flash/lowpowermode@1792~iphone-lightning.im4p)...
Not personalizing component LowPowerWallet0...
Extracting lowpowerfindmymode@1792~iphone-lightning.im4p (Firmware/all_flash/lowpowerfindmymode@1792~iphone-lightning.im4p)...
Not personalizing component LowPowerWallet1...
Extracting recoverymode@1792~iphone-lightning.im4p (Firmware/all_flash/recoverymode@1792~iphone-lightning.im4p)...
Not personalizing component RecoveryMode...
Extracting WirelessPower.iphone12b.im4p (Firmware/WirelessPower/WirelessPower.iphone12b.im4p)...
Not personalizing component WCHFirmwareUpdater...
Extracting iBoot.n104.RELEASE.im4p (Firmware/all_flash/iBoot.n104.RELEASE.im4p)...
Not personalizing component iBoot...
Extracting sep-firmware.n104.RELEASE.im4p (Firmware/all_flash/sep-firmware.n104.RELEASE.im4p)...
Not personalizing component RestoreSEP...
Extracting sep-firmware.n104.RELEASE.im4p (Firmware/all_flash/sep-firmware.n104.RELEASE.im4p)...
Not personalizing component SEP...
common.c:supressed printing 27932382 bytes plist...
Sending NORData now...
Done sending NORData
Flashing firmware (18)
progress: 4 1.000000
Unknown operation (80)
Unhandled progress operation 80 (80)
Sending IsEarlyAccessFirmware image list
Unhandled progress operation 80 (80)
Sending IsiBootEANFirmware image list
Unhandled progress operation 80 (80)
Sending IsiBootNonEssentialFirmware image list
Requesting FUD data (36)
progress: 6 0.010000
Found IsFUDFirmware component ANE
Found IsFUDFirmware component AOP
Found IsFUDFirmware component AVE
Found IsFUDFirmware component Ap,HapticAssets
Found IsFUDFirmware component Ap,SystemVolumeCanonicalMetadata
Found IsFUDFirmware component AudioCodecFirmware
Found IsFUDFirmware component GFX
Found IsFUDFirmware component ISP
Found IsFUDFirmware component LeapHaptics
Found IsFUDFirmware component Multitouch
Found IsFUDFirmware component PMP
Found IsFUDFirmware component RestoreTrustCache
Found IsFUDFirmware component SIO
Found IsFUDFirmware component StaticTrustCache
Found IsFUDFirmware component SystemVolume
Sending IsFUDFirmware image list
Extracting h12_ane_fw_metis.im4p (Firmware/ane/h12_ane_fw_metis.im4p)...
Not personalizing component ANE...
Sending IsFUDFirmware for ANE...
progress: 6 0.060000
Extracting aopfw-iphone12baop.im4p (Firmware/AOP/aopfw-iphone12baop.im4p)...
Not personalizing component AOP...
Sending IsFUDFirmware for AOP...
progress: 6 0.130000
Extracting AppleAVE2FW_H12.im4p (Firmware/ave/AppleAVE2FW_H12.im4p)...
Not personalizing component AVE...
Sending IsFUDFirmware for AVE...
progress: 6 0.200000
Extracting N104_HapticAssets.im4p (Firmware/N104_HapticAssets.im4p)...
Not personalizing component Ap,HapticAssets...
Sending IsFUDFirmware for Ap,HapticAssets...
progress: 6 0.260000
Extracting 018-91937-063.dmg.mtree (Firmware/018-91937-063.dmg.mtree)...
Not personalizing component Ap,SystemVolumeCanonicalMetadata...
Sending IsFUDFirmware for Ap,SystemVolumeCanonicalMetadata...
progress: 6 0.330000
Extracting N104_AudioCodecFirmware.im4p (Firmware/N104_AudioCodecFirmware.im4p)...
Not personalizing component AudioCodecFirmware...
Sending IsFUDFirmware for AudioCodecFirmware...
progress: 6 0.400000
Extracting armfw_g12p.im4p (Firmware/agx/armfw_g12p.im4p)...
Not personalizing component GFX...
Sending IsFUDFirmware for GFX...
progress: 6 0.460000
Extracting adc-zelus-n104.im4p (Firmware/isp_bni/adc-zelus-n104.im4p)...
Not personalizing component ISP...
Sending IsFUDFirmware for ISP...
progress: 6 0.530000
Extracting N104_LeapHapticsFirmware.im4p (Firmware/N104_LeapHapticsFirmware.im4p)...
Not personalizing component LeapHaptics...
Sending IsFUDFirmware for LeapHaptics...
progress: 6 0.600000
Extracting N104_Multitouch.im4p (Firmware/N104_Multitouch.im4p)...
Not personalizing component Multitouch...
Sending IsFUDFirmware for Multitouch...
FDR 0x56033bcb5bc0 timeout waiting for command
FDR 0x56033bcb5bc0 waiting for message...
progress: 6 0.660000
Extracting t8030pmp.im4p (Firmware/pmp/t8030pmp.im4p)...
Not personalizing component PMP...
Sending IsFUDFirmware for PMP...
progress: 6 0.730000
Extracting 018-92126-069.dmg.trustcache (Firmware/018-92126-069.dmg.trustcache)...
Not personalizing component RestoreTrustCache...
Sending IsFUDFirmware for RestoreTrustCache...
progress: 6 0.800000
Extracting SmartIOFirmware_ASCv2.im4p (Firmware/SmartIOFirmware_ASCv2.im4p)...
Not personalizing component SIO...
Sending IsFUDFirmware for SIO...
progress: 6 0.860000
Extracting 018-91937-063.dmg.trustcache (Firmware/018-91937-063.dmg.trustcache)...
Not personalizing component StaticTrustCache...
Sending IsFUDFirmware for StaticTrustCache...
progress: 6 0.930000
Extracting 018-91937-063.dmg.root_hash (Firmware/018-91937-063.dmg.root_hash)...
Not personalizing component SystemVolume...
Sending IsFUDFirmware for SystemVolume...
progress: 6 1.000000
Updating gas gauge software (47)
Updating gas gauge software (47)
Updating Stockholm (55)
Requesting FUD data (36)
progress: 6 0.010000
Found IsFUDFirmware component ANE
Found IsFUDFirmware component AOP
Found IsFUDFirmware component AVE
Found IsFUDFirmware component Ap,HapticAssets
Found IsFUDFirmware component Ap,SystemVolumeCanonicalMetadata
Found IsFUDFirmware component AudioCodecFirmware
Found IsFUDFirmware component GFX
Found IsFUDFirmware component ISP
Found IsFUDFirmware component LeapHaptics
Found IsFUDFirmware component Multitouch
Found IsFUDFirmware component PMP
Found IsFUDFirmware component RestoreTrustCache
Found IsFUDFirmware component SIO
Found IsFUDFirmware component StaticTrustCache
Found IsFUDFirmware component SystemVolume
Sending IsFUDFirmware image list
progress: 6 0.060000
progress: 6 0.130000
progress: 6 0.200000
progress: 6 0.260000
Extracting 018-91937-063.dmg.mtree (Firmware/018-91937-063.dmg.mtree)...
Not personalizing component Ap,SystemVolumeCanonicalMetadata...
Sending IsFUDFirmware for Ap,SystemVolumeCanonicalMetadata...
progress: 6 0.330000
progress: 6 0.400000
progress: 6 0.460000
progress: 6 0.530000
progress: 6 0.600000
progress: 6 0.660000
progress: 6 0.730000
Extracting 018-92126-069.dmg.trustcache (Firmware/018-92126-069.dmg.trustcache)...
Not personalizing component RestoreTrustCache...
Sending IsFUDFirmware for RestoreTrustCache...
progress: 6 0.800000
progress: 6 0.860000
progress: 6 0.930000
Extracting 018-91937-063.dmg.root_hash (Firmware/018-91937-063.dmg.root_hash)...
Not personalizing component SystemVolume...
Sending IsFUDFirmware for SystemVolume...
progress: 6 1.000000
Updating Veridian (66)
Unknown operation (79)
Unhandled progress operation 79 (79)
Requesting EAN Data (74)
Creating Protected Volume (67)
ERROR: Could not read data (-256). Aborting.
FDR 0x56033bcb5bc0 terminating...
idevice_event_cb: device 1122334455667788 (udid: 00008030-1122334455667788) disconnected
ERROR: Unable to restore device

How to create an iOS VM

UPDATE: Check out the latest guide

I'd be grateful if you could provide some instructions on how we can create a VM which can use the xnu kernel using this project.

Do we need to follow the instructions from https://github.com/alephsecurity/xnu-qemu-arm64/wiki/Build-iOS-on-QEMU? Which ipsw / iOS version did you use?

It looks like you're on iOS 14, so I guess that would make iPhone11,8,iPhone12,1_14.4_18D52_Restore.ipsw then, right?
Did you use the kernelcache.release.iphone11b kernel image and the DeviceTree.n104ap.im4p device tree?

PS - I had issues using the Python tools to extract the kernel image & device tree, but https://github.com/blacktop/ipsw seemed to work fine.


Build dependencies

sudo apt-get install -y git libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev ninja-build build-essential cmake gdb

Build script

git clone https://github.com/TrungNguyen1909/qemu-t8030
cd qemu-t8030
mkdir build
cd build
../configure --enable-debug --target-list=aarch64-softmmu --disable-capstone --disable-slirp
make -j$(nproc)

Install lzfse

git clone https://github.com/lzfse/lzfse
cd lzfse
mkdir build
cd build
cmake ..
make
sudo make install

Extract disks from IPSW file

wget https://github.com/blacktop/ipsw/releases/download/v20.08.87/ipsw_20.08.87_Linux_x86_64.tar.gz
tar xvzf ipsw_20.08.87_Linux_x86_64.tar.gz
wget -nv -nc http://updates-http.cdn-apple.com/2021WinterFCS/fullrestores/001-98427/9C42F04F-C1B3-41C5-8E0D-0EDCB5087BB5/iPhone11,8,iPhone12,1_14.4_18D52_Restore.ipsw
unzip iPhone11,8,iPhone12,1_14.4_18D52_Restore.ipsw

./ipsw img4 extract kernelcache.research.iphone12b
lzfse -decode -i kernelcache.research.iphone12b.payload -o kernelcache.research.iphone12b.out

./ipsw img4 extract Firmware/all_flash/DeviceTree.n104ap.im4p
lzfse -decode -i Firmware/all_flash/DeviceTree.n104ap.im4p.payload -o Firmware/all_flash/DeviceTree.n104ap.im4p.out

./ipsw img4 extract 038-96262-062.dmg
./ipsw img4 extract Firmware/038-96262-062.dmg.trustcache

Launch script

~/git/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,kernel-filename=kernelcache.research.iphone12b,dtb-filename=DeviceTree.n104ap,kern-cmd-args="debug=0x8 kextlog=0xffff io=0xfff rd=md0 serial=2 -v nvme=0xffff pmgr-debug=0xff",ramdisk-filename=038-96262-062.dmg,xnu-ramfb=on,trustcache-filename=038-96262-062.dmg.trustcache -cpu max -m 4G -serial mon:stdio -monitor telnet:127.0.0.1:1235,server,nowait -smp 6
~/git/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,kernel-filename=kernelcache.research.iphone12b.out,dtb-filename=Firmware/all_flash/DeviceTree.n104ap.im4p.out,kern-cmd-args="debug=0x8 kextlog=0xffff io=0xfff rd=md0 serial=2 -v nvme=0xffff pmgr-debug=0xff",ramdisk-filename=038-96262-062.dmg.payload,xnu-ramfb=on,trustcache-filename=Firmware/038-96262-062.dmg.trustcache.payload -cpu max -m 4G -serial mon:stdio -monitor telnet:127.0.0.1:1235,server,nowait -smp 6
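
The extraction steps above peel two wrappers off each firmware file: the IM4P container (`ipsw img4 extract`, giving `.payload`) and, for the kernelcache and device tree, LZFSE compression (`lzfse -decode`, giving `.out`). The following is an added example, not part of the original post or of the qemu-t8030 project, that reports which wrappers are still around a file and which of those commands remain to be run. It assumes the usual IM4P layout (a DER SEQUENCE holding the strings "IM4P", a four-character type, a description, then the payload as an OCTET STRING); the function names are hypothetical and the sample bytes are constructed.

```python
import sys

MACHO64_LE = b"\xcf\xfa\xed\xfe"                     # 0xfeedfacf as stored on disk
LZFSE_MAGICS = (b"bvx1", b"bvx2", b"bvxn", b"bvx-")  # LZFSE / LZVN block headers


def _der_tlv(buf, off, want_tag):
    """Read one DER TLV at off; return (value, offset_after_value)."""
    if off + 2 > len(buf) or buf[off] != want_tag:
        raise ValueError(f"expected DER tag 0x{want_tag:02x} at offset {off}")
    length, body = buf[off + 1], off + 2
    if length & 0x80:                  # long form: low bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or body + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, body = int.from_bytes(buf[body:body + n], "big"), body + n
    if body + length > len(buf):
        raise ValueError("DER value runs past end of buffer (truncated file?)")
    return buf[body:body + length], body + length


def parse_im4p(buf):
    """Return (fourcc, description, payload) from an IM4P container."""
    seq, _ = _der_tlv(buf, 0, 0x30)          # outer SEQUENCE
    magic, off = _der_tlv(seq, 0, 0x16)      # IA5String "IM4P"
    if magic != b"IM4P":
        raise ValueError("not an IM4P container")
    fourcc, off = _der_tlv(seq, off, 0x16)   # IA5String type tag
    desc, off = _der_tlv(seq, off, 0x16)     # IA5String description
    payload, _ = _der_tlv(seq, off, 0x04)    # OCTET STRING payload
    return fourcc.decode("ascii"), desc.decode("ascii", "replace"), payload


def layers(buf):
    """List the wrappers around buf, outermost first, ending at the content.

    Raises ValueError when a file carries the IM4P magic but is damaged.
    """
    found = []
    while True:
        if buf[:1] == b"\x30" and b"IM4P" in buf[:16]:
            fourcc, _, buf = parse_im4p(buf)
            found.append(f"im4p({fourcc})")
        elif buf[:4] in LZFSE_MAGICS:
            found.append("lzfse")            # contents are opaque until decoded
            return found
        elif buf[:4] == MACHO64_LE:
            found.append("macho64")
            return found
        else:
            found.append("raw")
            return found


def remaining_steps(buf):
    """Translate the wrappers into the commands used in the steps above."""
    steps = []
    for layer in layers(buf):
        if layer.startswith("im4p("):
            steps.append("ipsw img4 extract")
        elif layer == "lzfse":
            steps.append("lzfse -decode")
    return steps


def _tlv(tag, value):
    """Encode one DER TLV; used only to build the constructed samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value


def sample_im4p(fourcc, payload):
    """Build a constructed IM4P container around payload."""
    body = (_tlv(0x16, b"IM4P") + _tlv(0x16, fourcc)
            + _tlv(0x16, b"constructed sample") + _tlv(0x04, payload))
    return _tlv(0x30, body)


# Constructed stand-ins for the three stages of the kernelcache.
SAMPLE_KERNEL_PAYLOAD = b"bvx2" + bytes(200)        # what a .payload looks like
SAMPLE_KERNEL_IM4P = sample_im4p(b"krnl", SAMPLE_KERNEL_PAYLOAD)
SAMPLE_KERNEL_OUT = MACHO64_LE + bytes(28)          # what a decoded .out looks like

if __name__ == "__main__":
    if len(sys.argv) > 1:
        inputs = []
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                inputs.append((path, fh.read()))
    else:
        inputs = [("sample.im4p", SAMPLE_KERNEL_IM4P),
                  ("sample.payload", SAMPLE_KERNEL_PAYLOAD),
                  ("sample.out", SAMPLE_KERNEL_OUT)]
    for name, data in inputs:
        todo = remaining_steps(data) or ["nothing left to unwrap"]
        print(f"{name}: {' > '.join(layers(data))}; todo: {', '.join(todo)}")
```

Run it with the kernelcache, device tree, ramdisk and trust cache paths as arguments; files that are neither IM4P, LZFSE nor Mach-O (a decoded device tree, a ramdisk payload) are reported as `raw`.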

NVME_CMD_REPRIORITIZE undeclared (fe3d463)

Seems that you forgot this enum entry

../hw/nvme/nvme.h: In function ‘nvme_io_opc_str’:
../hw/nvme/nvme.h:349:10: error: ‘NVME_CMD_REPRIORITIZE’ undeclared (first use in this function)
  349 |     case NVME_CMD_REPRIORITIZE:     return "NVME_CMD_REPRIORITIZE";
      |          ^~~~~~~~~~~~~~~~~~~~~
../hw/nvme/nvme.h:349:10: note: each undeclared identifier is reported only once for each function it appears in

"reboot" command not working, stuck on "AMFI is running in RESEARCH mode!"

The "reboot" command which worked in previous commits now causes the emulator to hang on "AMFI is running in RESEARCH mode!"
Boot command:

../qemu-system-aarch64 -accel tcg,tb-size=8192 -s -M t8030,trustcache-filename=static_tc,ticket-filename=root_ticket.der -kernel kernelcache.research.iphone12b -dtb Firmware/all_flash/DeviceTree.n104ap.im4p -append "debug=0x14e kextlog=0xffff serial=3 -v wdt=-1 launchd_unsecure_cache=1" -initrd 038-44135-124.dmg -cpu max -smp 4 -m 4G -serial mon:stdio -drive file=nvme.1,format=raw,if=none,id=drive.1 -device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.2,format=raw,if=none,id=drive.2 -device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.3,format=raw,if=none,id=drive.3 -device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.4,format=raw,if=none,id=drive.4 -device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 -drive file=nvram,if=none,format=raw,id=nvram -device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.6,format=raw,if=none,id=drive.6 -device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 -drive file=nvme.7,format=raw,if=none,id=drive.7 -device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 -monitor telnet:127.0.0.1:1235,server,nowait -nographic

Full log:
`Loading iOS 14.0...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00a4cd4f0
KPF: found apfs_vfsop_mount
KPF: found handle_eval_rootauth
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff007b5d718
kpf_amfi_callback: Found lookup_in_static_trust_cache
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Routine)
kpf_amfi_callback: start @ 0xfffffff0097edcb8
kpf_amfi_callback: Found lookup_in_trust_cache_module
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
Qemu FB realize
g_virt_base: 0xfffffff004000000
g_phys_base: 0x0000000802000000
entry: 0x00000008061204e8
boot_mode: 0
auto-boot=true
cmdline: [debug=0x14e kextlog=0xffff serial=3 -v wdt=-1 launchd_unsecure_cache=1]
iBoot version: qemu-t8030
Darwin Image4 Validator Version 3.0.0: Wed Aug 12 22:19:21 PDT 2020; root:AppleImage4-106.0.4.0.1~129/AppleImage4/RELEASE_ARM64E
AMFI is running in RESEARCH mode!
AUC:[0xffffffe19b7cf810]::init(0xffffffe19b80e2d8)

AUC:[0xffffffe19b7cf810]::probe(0xffffffe19b59dd60, 0xffffffe8080cbdac)

AppleCredentialManager: init: called, instance = .
ACMFirstResponderKernelService: init: called, .
ACMRM-S: init: called, starting PersistentStore service.
ACMRM-C: init: called, starting AccessoryCache service.
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache size = 16 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache expiration = 2592000 (default).
ACMRM: init: called, starting TRM service.
ACMRM-A: init: called, starting TRM Analytics service.
ACMKernelService: initValueFromBootArgAliasesUInt32: analytics collection period = 86400 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: policy mode timeout = 259200 (default).
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: (bounded) grace period timeout = 3600 (default).
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: enabled = 1 (default).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO* BtArg=NO LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO* LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _loadDisabledByOSEnvironment: disabled by OSEnvironment: NO.
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO LegHW=NO OSEnv=NO* | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200.
ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(n=1) while DISABLED, TRM: 259200 -/ff 4294967295 -/ff miss=ff (CUR: 259200 -/ff 4294967295 -/ff).
AppleCredentialManager: init: returning, result = true, instance = .
AppleARMBootPerf: Error: profile region not found (2)
AppleARMBootPerf: Error: failed to publish profile data (2)
virtual bool CoreAnalyticsHub::start(IOService *)::105:CoreAnalyticsHub start
AppleSSE::start called
AppleSSE::start returning, result = 1
AUC:[0xffffffe19b7cf810]::start(0xffffffe19b59dd60)

AppleSEPKeyStore:321:0: starting (BUILT: Aug 12 2020 22:51:30)
AppleSEPKeyStore:545:0: _sep_enabled = 1
AppleCredentialManager: start: called, instance = .
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleCredentialManager: start: initializing power management, instance = .
AppleCredentialManager: start: started, instance = .
AppleCredentialManager: start: returning, result = true, instance = .
AppleInterruptController::start: Num Shared Timestamps == 0
AppleGPIOICController::start: this: , _gpioicBaseAddress:
AppleS8000AES::start: registers at phys:0x0x235008000/0x0x23d2d0000 virt:0x/0x0x4000 / 0x/0x0x4000
AppleGPIOICController::start: this: , _gpioicBaseAddress:
AppleGPIOICController::start: this: , _gpioicBaseAddress:
virtual bool AppleARMLightEmUp::start(IOService *): starting...
AppleS5L8960XUSBPhy::start: hsic disabled
000001.007726 wlan0.A[1] start@968:Default options property found with value 4
Creating an object of AppleBCMWLANPlatformFunctionEmbeddedAMFM class
000001.032073 wlan0.A[2] start@1401: Raised adjustBusy(+1), getBusyState() -> 1
000001.032210 wlan0.A[3] start@1403:Setting up notifier for CoreAnalyticsHub
000001.046332 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::prepareDefaults: model iPhone version 12.1
AppleA7IOPNub: withRegistryEntry, 47: allocated nub

Identified Serial Port uart0 at 0x235200000()
Identified Serial Port uart7 at 0x23521c000()
RTBuddy(SMC): start() - (Aug 12 2020@22:50:37)
RTBuddy(SMC): Boot args override: wdt = -1
RTBuddy(SMC): Resuming...

AppleA7IOPNub: withRegistryEntry, 47: allocated nub

Starting AppleSMC kext() - (Aug 12 2020@22:51:44)
AppleSMCEmbedded::setPowerState(): ENTER powerStateOrdinal=1, _activeKeyCommand=0 newState=1
RTBuddy(ANS2): start() - (Aug 12 2020@22:50:37)
RTBuddy(ANS2): Boot args override: wdt = -1
RTBuddy(ANS2): Resuming...

AppleA7IOPNub: withRegistryEntry, 47: allocated nub

RTBuddy(SIO): start() - (Aug 12 2020@22:50:37)
RTBuddy(SIO): Boot args override: wdt = -1
/Library/Caches/com.apple.xbs/Sources/AppleSMC/AppleSMC-589.0.5/AppleSMCEmbeddedCharger/AppleSMCCharger.cpp:408 _setPowerStateGated() ENTER powerStateOrdinal=1, _powerState=1
LPM: Log data is NOT valid. 0x0 0x0
AppleDialogSPMIPMU::start: Primary PMU detected
virtual IOService AppleANS2NVMeController::probe(IOService , SInt32 )::194:Found (ANS2) provider, returning score 100000
AppleARMRTC started!#####
AppleDialogSPMIPMURTC started!
***
Failed to read info-leg_scrpadvirtual bool AppleANS2NVMeController::start(IOService *)::394:Found the ANS2Endpoint1
000001.146106 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
AppleDialogSPMIPMURTC tick read!&&&&&&&
AppleDialogSPMIPMURTC ending!%%%
bool AppleEmbeddedNVMeController::SetNamespacesStruct()::186:Obtained 7 namespaces from DT
virtual IOFilterInterruptEventSource *AppleANS2NVMeController::CreateDeviceInterrupt(IOInterruptEventSource::Action, IOFilterInterruptEventSource::Filter, IOService *)::2719:ANS2 NVMe interrupt index - 0x4
AppleARMRTC registering service!@@@@@@
000001.150276 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
AppleARMRTC service registered!$$$$$
AppleARMRTC publishing service!^^^^^^
apfs_module_start:2411: load: com.apple.filesystems.apfs, v1677.0.5, apfs-1677.0.5, 2020/08/12
com.apple.AppleFSCompressionTypeZlib kmod start
apfs_sysctl_register:1253: done registering sysctls.
com.apple.AppleFSCompressionTypeZlib load succeeded
L2TP domain init
L2TP domain init complete
Load request for com.apple.nke.pptp failed: -603946998
Waiting on IOProviderClassIOMediaIOPropertyMatchPartition ID0x1
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=0 entrysize=64
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=1 entrysize=128
ANS2: MMIO write to unknown vendor register, offset=0x1210 value=0x240024, returning
ANS2: MMIO write to unknown vendor register, offset=0x24004 value=0x1000, returning
ANS2: MMIO write to unknown vendor register, offset=0x24008 value=0x0, returning
ANS2: MMIO write to unknown vendor register, offset=0x24118 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24108 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24420 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24414 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x2441c value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24418 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24144 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24524 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24508 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24504 value=0x10002, returning
virtual void AppleANS2NVMeController::SetModeselRegister(uint32_t)::1186:Setting modesel to 0
ANS2: MMIO write to unknown vendor register, offset=0x1304 value=0x0, returning
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1964:nvme: Vendor ID : 0x1b36
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1965:nvme: Model Number : QEMU NVMe Ctrl
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1966:nvme: Serial Number : QEMUT8030ANS
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1967:nvme: Firmware Rev : 1.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2000:nvme: S3E A0 Invalid 1x slc 1D 0 plane 128GB NAND
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2009:ECCVersion : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2010:FTL Rev : 0.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2011:DM_Version : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2012:=======================
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2019:Found 16 namespaces in current NAND
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[1] as nstype[1]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[2] as nstype[2]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[3] as nstype[3]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[4] as nstype[4]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[5] as nstype[5]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[6] as nstype[6]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[7] as nstype[8]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[8] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[9] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[10] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[11] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[12] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[13] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[14] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[15] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[16] as nstype[0]
bool AppleEmbeddedNVMeController::SetSwapWriteLimit(uint32_t)::2192: Swap limit set to 2147483648bytes, 2GB
uint32_t AppleEmbeddedNVMeNVRAM::GetNVRAMSize()::745:NVRAM size is 8192 bytes
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1578:allocateAll 1
dev_init:297: disk0 device accelerated crypto: 0 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0 device_handle block size 4096 block count 8388597 features 0 internal
nx_kernel_mount:1134: disk0 initializing cache w/hash_size 4096 and cache size 10064
nx_kernel_mount:1234: disk0 container cleanly-unmounted flag set.
nx_kernel_mount:1402: disk0 checkpoint search: largest xid 376, best xid 376 @ 187
import_iboot_forwarded_roothash:2577: importing root hash ...
apfs_extract_root_hash_arm:10001: could not retrieve system-volume-auth-blob from device tree
import_iboot_forwarded_roothash:2580: apfs_extract_root_hash_and_manifest failed with error: No such file or directory (2)
Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOGUIDPartitionScheme/Container@1
BSD root: disk0s1, major 1, minor 1
apfs_vfsop_mountroot:2188: apfs: mountroot called!
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 2, NSTYPE - 2
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 4096 block count 8388597 features 22 internal solidstate
nx_kernel_mount:1134: disk0s1 initializing cache w/hash_size 4096 and cache size 10064
nx_kernel_mount:1234: disk0s1 container cleanly-unmounted flag set.
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 3, NSTYPE - 3
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 6, NSTYPE - 6
[effaceable:ERR ] unable to find content
[effaceable:INIT] started
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 7, NSTYPE - 8
virtual IOReturn AppleNVMeNamespaceDevice::GetDeviceProperties()::269: Logical Blocks Size = 4096
virtual IOReturn AppleNVMeNamespaceDevice::GetDeviceProperties()::272: Block Count = 256
virtual bool AppleNVMeNamespaceDevice::start(IOService *)::111:NVMe Namespace Device registration done for NSID: 7, NSTYPE: 8
virtual bool AppleEmbeddedNVMeController::StartController()::1547:Setting NAND status to Ready
nx_kernel_mount:1402: disk0s1 checkpoint search: largest xid 376, best xid 376 @ 187
apfs_vfsop_mount:1848: Promoter has been locked for disk0s1
failed to find root-snapshot-name snapshot
handle_mount:627: vol-uuid: 75563A84-CD28-4FDF-A5CD-FDFB101AF003 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.12)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6634: Volume System is not in a volume group
apfs_vfsop_mount:2171: disk0s1s1:0 mounted volume: System
dyld: setting comm page to 0x0
Sun Apr 10 10:57:29 2022 com.apple.xpc.launchd[1] : hello
Darwin Bootstrapper Version 7.0.0: Mon Aug 10 04:09:14 PDT 2020; root:libxpc_executables-2038.0.1313/launchd/RELEASE_ARM64E
boot-args = debug=0x14e kextlog=0xffff serial=3 -v wdt=-1 launchd_unsecure_cache=1
Sun Apr 10 10:57:29 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) : entering ondemand mode
Sun Apr 10 10:57:29 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: fsck
** Checking the container superblock.
** Checking the object map.
** Checking volume.
** Checking the APFS volume superblock.
** The volume System was formatted by newfs_apfs (945.200.129.100.10) and last modified by apfs_kext (1934.101.3).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Data was formatted by newfs_apfs (1677.0.5) and last modified by apfs_kext (1677.0.5).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Hardware was formatted by newfs_apfs (1677.0.5) and last modified by apfs_kext (1677.0.5).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Preboot was formatted by newfs_apfs (1677.0.5) and last modified by apfs_kext (1677.0.5).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Update was formatted by newfs_apfs (1677.0.5) and last modified by apfs_kext (1677.0.5).
** QUICKCHECK ONLY; FILESYSTEM CLEAN
Sun Apr 10 10:57:30 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: mount-phase-1
mount: found boot container: /dev/disk0s1, data volume: /dev/disk0s1s2 env: 1
handle_mount:627: vol-uuid: C022658D-2D8A-43EF-9511-578DEA98F3F6 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6628: Volume Preboot role 10 Not a System or data volume
apfs_vfsop_mount:2171: disk0s1s4:0 mounted volume: Preboot
/dev/disk0s1s4 on /private/preboot (apfs, local, nodev, nosuid, read-only, journaled, noatime, nobrowse)
Sun Apr 10 10:57:30 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: data-protection
init_data_protection: No SEP present on this device
Sun Apr 10 10:57:31 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: finish-obliteration
Obliterator: In INIT check
IORegistryEntryGetProperty failed, may be does not exist
Obliterator: No obliteration needed, continue booting, returning 0
Sun Apr 10 10:57:31 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: commit-boot-mode
Sun Apr 10 10:57:31 2022 localhost com.apple.xpc.launchd[1] : boot-mode committed: (null)
Sun Apr 10 10:57:31 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: restore-datapartition
Sun Apr 10 10:57:31 2022 localhost com.apple.xpc.launchd[1] : restore-datapartition: optional boot task not present
Sun Apr 10 10:57:31 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: mount-phase-2
mount: found boot container: /dev/disk0s1, data volume: /dev/disk0s1s2 env: 1
spaceman_metazone_init:189: disk0s1 metazone for device 0 of size 262143 blocks (encrypted: 8126454-8257525 unencrypted: 8257525-8388597)
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 1 blocks starting at paddr 4096000
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 2 blocks starting at paddr 32768
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 3 blocks starting at paddr 65536
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 4 blocks starting at paddr 98304
dev_dump:256: Aggregate constructed: dev= di=0 dv_num_slice=15 dv_num_slice_blk=589824 dv_num_lslice_blk=131061
migrate_media_keys_if_needed:1206: no media keys to migrate for container = disk0s1
mount: failed to migrate Media Keys, error = c002
handle_mount:627: vol-uuid: 3344C381-3F31-4426-8AD2-CE2A55208C63 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6634: Volume Data is not in a volume group
apfs_vfsop_mount:2171: disk0s1s2:0 mounted volume: Data
/dev/disk0s1s2 on /private/var (apfs, local, nodev, nosuid, journaled, noatime)
handle_mount:627: vol-uuid: 1EB53D1F-1473-4853-8EB9-2AA055605BF1 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6628: Volume Update role c0 Not a System or data volume
apfs_vfsop_mount:2171: disk0s1s5:0 mounted volume: Update
/dev/disk0s1s5 on /private/var/MobileSoftwareUpdate (apfs, local, nodev, nosuid, journaled, noatime, nobrowse)
handle_mount:627: vol-uuid: A285CE9A-F9B3-4409-8E33-0BB7E2341F82 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6628: Volume Hardware role 140 Not a System or data volume
apfs_vfsop_mount:2171: disk0s1s3:0 mounted volume: Hardware
/dev/disk0s1s3 on /private/var/hardware (apfs, local, nodev, nosuid, journaled, noatime, nobrowse)
Sun Apr 10 03:57:32 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: init-with-data-volume
Sun Apr 10 03:57:32 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: MSUEarlyBootTask
main: MSUEarlyBootTask running
spaceman_trim_free_blocks:3361: disk0s1 scan took 0.962146 s, trims took 0.716117 s
spaceman_trim_free_blocks:3369: disk0s1 6511505 blocks free in 17343 extents
spaceman_trim_free_blocks:3377: disk0s1 6511505 blocks trimmed in 17343 extents (41 us/trim, 24218 trims/s)
spaceman_trim_free_blocks:3380: disk0s1 trim distribution 1:11316 2+:2452 4+:1743 16+:1305 64+:459 256+:68
main: Content from the ramdisk will be present at /private/var/MobileSoftwareUpdate/5118ea8f39ff61d152ba7e1f92591910cde7a2b09b867d8d58dc37e2cdc0b7c98dd296d4bf57862d143413dd17012d70-MSUData if it exists
MSUEarlyBootTask: I have nothing to do. Goodbye!!
Sun Apr 10 03:57:32 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: fips
Tracing: disabled
FIPSPOST_USER [146790609] fipspost_post:158: PASSED: (7 ms) - fipspost_post_integrity
FIPSPOST_USER [146820463] fipspost_post:164: PASSED: (0 ms) - fipspost_post_hmac
FIPSPOST_USER [146829292] fipspost_post:165: PASSED: (0 ms) - fipspost_post_aes_ecb
FIPSPOST_USER [146838341] fipspost_post:166: PASSED: (0 ms) - fipspost_post_aes_cbc
FIPSPOST_USER [147183878] fipspost_post:167: PASSED: (14 ms) - fipspost_post_rsa_sig
FIPSPOST_USER [147380878] fipspost_post:168: PASSED: (8 ms) - fipspost_post_ecdsa
FIPSPOST_USER [147424804] fipspost_post:169: PASSED: (1 ms) - fipspost_post_ecdh
FIPSPOST_USER [147436170] fipspost_post:170: PASSED: (0 ms) - fipspost_post_drbg_ctr
FIPSPOST_USER [147455780] fipspost_post:171: PASSED: (0 ms) - fipspost_post_aes_ccm
FIPSPOST_USER [148233512] fipspost_post:173: PASSED: (32 ms) - fipspost_post_pbkdf
FIPSPOST_USER [148242268] fipspost_post:174: PASSED: (0 ms) - fipspost_post_kdf_ctr
FIPSPOST_USER [148452926] fipspost_post:175: PASSED: (8 ms) - fipspost_post_aes_gcm
FIPSPOST_USER [148467024] fipspost_post:176: PASSED: (0 ms) - fipspost_post_aes_xts
FIPSPOST_USER [148490219] fipspost_post:177: PASSED: (0 ms) - fipspost_post_tdes_cbc
FIPSPOST_USER [148506780] fipspost_post:178: PASSED: (0 ms) - fipspost_post_drbg_hmac
FIPSPOST_USER [148743317] fipspost_post:180: PASSED: (9 ms) - fipspost_post_ffdh
FIPSPOST_USER [149010926] fipspost_post:181: PASSED: (11 ms) - fipspost_post_rsa_enc_dec
FIPSPOST_USER [149013853] fipspost_post:201: all tests PASSED (100 ms)
Sun Apr 10 03:57:32 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: keybag
****** DIAGNOSTICS MODE ENABLED, SKIP INIT ****
Sun Apr 10 03:57:32 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: usermanagerd
Sun Apr 10 03:57:33 2022 localhost com.apple.xpc.launchd[1] : usermanagerd: optional boot task not present
Sun Apr 10 03:57:33 2022 localhost com.apple.xpc.launchd[1] : launchd logging initialized
Sun Apr 10 03:57:33 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: xpcroleaccountd
Sun Apr 10 03:57:33 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: init_featureflags
init_featureflags: skipping directory: /System/Library/FeatureFlags/Domain
init_featureflags: skipping directory: /Library/Preferences/FeatureFlags/Domain
Sun Apr 10 03:57:33 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: fud
objc[19]: Class UARPManifestProperties is implemented in both /System/Library/PrivateFrameworks/CoreUARP.framework/CoreUARP and /System/Library/PrivateFrameworks/MobileAccessoryUpdater.framework/Support/fud. One of the two will be used. Which one is undefined.
fud: -FudEarlyBoot doFUDEarlyBoot:: Starting Early Boot
fud: No Early Boot Accessories
fud: -FudEarlyBoot doFUDEarlyBoot:: End Early Boot
Sun Apr 10 03:57:34 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: tzinit
Sun Apr 10 03:57:34 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: finish-restore
Sun Apr 10 03:57:34 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: finish-demo-restore
Sun Apr 10 03:57:34 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: sysstatuscheck
Sun Apr 10 03:57:34 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: prng_seedctl
PRNG diagnostics:
0 user reseeds, 1 scheduled reseeds, 80 max samples in a scheduled reseed, 122 max samples in an entropy input
generator 0: 2 rekeys, 481 requests, 5808 total bytes requested, 64 max bytes requested in a request, 3656 bytes requested since rekey, 3656 max bytes requested between rekeys
generator 1: 2 rekeys, 47 requests, 836 total bytes requested, 64 max bytes requested in a request, 788 bytes requested since rekey, 788 max bytes requested between rekeys
generator 2: 2 rekeys, 10 requests, 112 total bytes requested, 16 max bytes requested in a request, 32 bytes requested since rekey, 80 max bytes requested between rekeys
generator 3: 2 rekeys, 0 requests, 0 total bytes requested, 0 max bytes requested in a request, 0 bytes requested since rekey, 0 max bytes requested between rekeys
pool 0: 0 samples, 1 drains, 80 max samples
pool 1: 122 samples, 0 drains, 122 max samples
pool 2: 41 samples, 0 drains, 41 max samples
pool 3: 69 samples, 0 drains, 69 max samples
pool 4: 87 samples, 0 drains, 87 max samples
pool 5: 114 samples, 0 drains, 114 max samples
pool 6: 34 samples, 0 drains, 34 max samples
pool 7: 50 samples, 0 drains, 50 max samples
pool 8: 88 samples, 0 drains, 88 max samples
pool 9: 41 samples, 0 drains, 41 max samples
pool 10: 83 samples, 0 drains, 83 max samples
pool 11: 49 samples, 0 drains, 49 max samples
pool 12: 40 samples, 0 drains, 40 max samples
pool 13: 50 samples, 0 drains, 50 max samples
pool 14: 122 samples, 0 drains, 122 max samples
pool 15: 70 samples, 0 drains, 70 max samples
pool 16: 0 samples, 0 drains, 0 max samples
pool 17: 0 samples, 0 drains, 0 max samples
pool 18: 0 samples, 0 drains, 0 max samples
pool 19: 0 samples, 0 drains, 0 max samples
pool 20: 0 samples, 0 drains, 0 max samples
pool 21: 0 samples, 0 drains, 0 max samples
pool 22: 0 samples, 0 drains, 0 max samples
pool 23: 0 samples, 0 drains, 0 max samples
pool 24: 0 samples, 0 drains, 0 max samples
pool 25: 0 samples, 0 drains, 0 max samples
pool 26: 0 samples, 0 drains, 0 max samples
pool 27: 0 samples, 0 drains, 0 max samples
pool 28: 0 samples, 0 drains, 0 max samples
pool 29: 0 samples, 0 drains, 0 max samples
pool 30: 0 samples, 0 drains, 0 max samples
pool 31: 0 samples, 0 drains, 0 max samples
failed to load virtual random: (-147) (-536870212)
Sun Apr 10 03:57:34 2022 localhost com.apple.xpc.launchd[1] : Doing boot task: launchd_cache_loader
0 Found valid port: 5123 Valid: 1
1 Found valid port: 0 Valid: 0
2 Found valid port: 0 Valid: 0
Using default cache paths
Code: /System/Library/xpc/launchd.plist Sig: /System/Library/xpc/launchd.plist.sig
Using unsecure cache: /System/Library/xpc/launchd.plist
Trying to send bytes to launchd: 5123 16384
Sending validated cache to launchd
Cache sent to launchd successfully
Sun Apr 10 03:57:34 2022 localhost com.apple.xpc.launchd[1] : launchd UUID: 4C2464F5-9F87-31DE-B252-584E3391D4FA
Sun Apr 10 03:57:34 2022 localhost com.apple.xpc.launchd[1] : Early boot complete. Continuing system boot.
bash-5.0# reboot
Sun Apr 10 03:57:37 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) : System shutdown initiated by: reboot.27<-bash.26<-launchd.1
Sun Apr 10 03:57:37 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) : shutdown UNINITIALIZED -> COMMITTED
Sun Apr 10 03:57:37 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) : shutdown WAITING_ON_COALITIONS -> LAUNCH_SHUTDOWN_TEARDOWN
Sun Apr 10 03:57:37 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) : Userspace teardown took: 166 ms
Sun Apr 10 03:57:37 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) : Will be calling reboot(2) with flags: 0x0
Sun Apr 10 03:57:37 2022 localhost com.apple.xpc.launchd[1] : Quiescing queues
Sun Apr 10 03:57:37 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) : shutdown LAUNCH_SHUTDOWN_TEARDOWN -> WAITING_ON_QUIESCE
launchd quiesce complete
apfs_stop_bg_work:1019: System is shutting down stop any bg work
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'Hardware'
apfs_vfsop_unmount:2406: waiting for cleaners to finish: purgatory
nx_volume_group_update:6628: Volume Hardware role 140 Not a System or data volume
apfs: total mem allocated: 1504392 (1 mb);
apfs_vfsop_unmount:2682: all done. going home. (numMountedAPFSVolumes 4)
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'Update'
apfs_vfsop_unmount:2406: waiting for cleaners to finish: purgatory
nx_volume_group_update:6628: Volume Update role c0 Not a System or data volume
apfs: total mem allocated: 1501756 (1 mb);
apfs_vfsop_unmount:2682: all done. going home. (numMountedAPFSVolumes 3)
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'Data'
apfs_vfsop_unmount:2406: waiting for cleaners to finish: purgatory
nx_volume_group_update:6634: Volume Data is not in a volume group
apfs: total mem allocated: 1490675 (1 mb);
apfs_vfsop_unmount:2682: all done. going home. (numMountedAPFSVolumes 2)
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'Preboot'
nx_volume_group_update:6628: Volume Preboot role 10 Not a System or data volume
apfs: total mem allocated: 1486659 (1 mb);
apfs_vfsop_unmount:2682: all done. going home. (numMountedAPFSVolumes 1)
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'System'
nx_volume_group_update:6634: Volume System is not in a volume group
dev_dump:256: Aggregate destructed: dev= di=0 dv_num_slice=15 dv_num_slice_blk=589824 dv_num_lslice_blk=131061
apfs: total mem allocated: 64 (0 mb);
apfs_vfsop_unmount:2682: all done. going home. (numMountedAPFSVolumes 0)
virtual void AppleEmbeddedNVMeController::systemWillShutdown(IOOptionBits)::4247:Entry, inOptions - 0xe0000310
virtual void AppleNVMeController::systemWillShutdown(IOOptionBits)::1311:Entry, inOptions - 0xe0000310
virtual void IONVMeController::systemWillShutdown(IOOptionBits)::509:Entry, inOptions - 0xe0000310
virtual void IONVMeController::systemWillShutdown(IOOptionBits)::559:Exit, inOptions - 0xe0000310
virtual void AppleEmbeddedNVMeController::systemWillShutdown(IOOptionBits)::4257:Exit, inOptions - 0xe0000310
IOPlatformHaltRestartAction -> AppleT8030PMGR
wdog restart
g_virt_base: 0xfffffff004000000
g_phys_base: 0x0000000802000000
entry: 0x00000008061204e8
boot_mode: 0
auto-boot=true
cmdline: [debug=0x14e kextlog=0xffff serial=3 -v wdt=-1 launchd_unsecure_cache=1]
iBoot version: qemu-t8030
Darwin Image4 Validator Version 3.0.0: Wed Aug 12 22:19:21 PDT 2020; root:AppleImage4-106.0.4.0.1~129/AppleImage4/RELEASE_ARM64E
AMFI is running in RESEARCH mode!`

Restore failed with CFError: 0: AMRestoreErrorDomain/4e: Storage with invalid GPT header 0000000000000000 0000000000000000

I am attempting to install iOS 15.5 on the QEMU machine with an iOS 15.5 kernelcache. Every time I go through the restore procedure, it fails at checkpoint 1662 with an invalid GPT header error.

iOS log excerpt (Full iOS log)

[23:53:00.0051-GMT]{3>6} CHECKPOINT BEGIN: RESTORED:[0x067E] verify_storage_for_update

restore-step-ids = {0x1103067E:26}

restore-step-names = {0x1103067E:verify_storage_for_update}

restore-step-uptime = 103

restore-step-user-progress = 0

[23:53:00.0106-GMT]{3>6} CHECKPOINT FAILURE:(FAILURE:78) RESTORED:[0x067E] verify_storage_for_update [0]D(Storage with invalid GPT header 0000000000000000 0000000000000000)

restore-step-results = {0x1107067E:{0:78}}

restore-step-codes = {0x1107067E:{0:78}}

restore-step-domains = {0x1107067E:{0:"AMRestoreErrorDomain"}}

restore-step-error = {0x1107067E:"[0]D(Storage with invalid GPT header 0000000000000000 0000000000000000)"}

restore-step-uptime = 103

restore-step-user-progress = 0

[23:53:00.0135-GMT]{3>6} CHECKPOINT NOTICE: (NVRAM set) restore-step-user-progress=0 [sync=true] (first failure)

[23:53:00.0141-GMT]{3>6} CHECKPOINT BEGIN: RESTORED:[0x067C] cleanup_boot_command

QEMU boot args

#!/bin/sh

~/ios_test/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=Firmware/078-12427-117.dmg.trustcache,ticket-filename=root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb Firmware/all_flash/DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v" \
-initrd 078-12427-117.dmg \
-cpu max -smp 4 \
-m 4G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait -vnc 127.0.0.2:1
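
A host-side check of a raw image's primary GPT header, as an added example that is not part of the original issue or the project's code: the header sits at LBA 1, so its byte offset follows the namespace's logical block size (4096 in the boot args above). The function names and the in-memory sample image are constructed here; which namespace image the restore step inspects is not stated in the issue, so the path is left as an argument.

```python
#!/usr/bin/env python3
"""Validate the primary GPT header of a raw disk image for a given LBA size."""
import io
import struct
import sys
import zlib

GPT_SIGNATURE = b"EFI PART"
# UEFI GPT header layout: 92 bytes, little-endian.
HEADER_FMT = "<8sIIIIQQQQ16sQIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAX_TABLE_BYTES = 16 * 1024 * 1024  # sanity cap before reading the entry array


def check_gpt_header(f, block_size=4096):
    """Return a status string for the primary GPT header in seekable file f."""
    f.seek(block_size)  # the primary header lives at LBA 1
    raw = f.read(block_size)
    if len(raw) < HEADER_LEN:
        return "short-read"
    if not any(raw):
        return "zeroed"
    (sig, _rev, hdr_size, hdr_crc, _rsvd, my_lba, _alt, _first, _last,
     _guid, entry_lba, num_entries, entry_size, entries_crc) = \
        struct.unpack_from(HEADER_FMT, raw)
    if sig != GPT_SIGNATURE:
        return "bad-signature"
    if not HEADER_LEN <= hdr_size <= len(raw):
        return "bad-header-size"
    # The header CRC is computed with its own field (bytes 16..19) zeroed.
    hdr = bytearray(raw[:hdr_size])
    hdr[16:20] = b"\x00" * 4
    if zlib.crc32(hdr) & 0xFFFFFFFF != hdr_crc:
        return "bad-header-crc"
    if my_lba != 1:
        return "wrong-lba"
    table_len = num_entries * entry_size
    if entry_size < 128 or not 0 < table_len <= MAX_TABLE_BYTES:
        return "bad-entry-table"
    f.seek(entry_lba * block_size)
    table = f.read(table_len)
    if len(table) != table_len or zlib.crc32(table) & 0xFFFFFFFF != entries_crc:
        return "bad-entries-crc"
    return "ok"


def build_sample_image(block_size=4096, num_entries=4, entry_size=128):
    """Constructed sample: a 64-block image with a valid, empty GPT."""
    total_lbas = 64
    img = bytearray(block_size * total_lbas)
    img[510:512] = b"\x55\xaa"  # boot signature of the protective MBR in LBA 0
    table = bytes(num_entries * entry_size)  # all entries unused
    entries_crc = zlib.crc32(table) & 0xFFFFFFFF
    guid = bytes(range(16))  # constructed disk GUID

    def pack(crc):
        return struct.pack(HEADER_FMT, GPT_SIGNATURE, 0x00010000, HEADER_LEN,
                           crc, 0, 1, total_lbas - 1, 3, total_lbas - 2,
                           guid, 2, num_entries, entry_size, entries_crc)

    header = pack(zlib.crc32(pack(0)) & 0xFFFFFFFF)
    img[block_size:block_size + HEADER_LEN] = header
    img[2 * block_size:2 * block_size + len(table)] = table
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: script.py <raw image>; tries both common LBA sizes.
        with open(sys.argv[1], "rb") as fh:
            for bs in (4096, 512):
                print(f"block size {bs}: {check_gpt_header(fh, bs)}")
    else:
        sample = build_sample_image()
        for bs in (4096, 512):
            print(f"sample, block size {bs}: "
                  f"{check_gpt_header(io.BytesIO(sample), bs)}")
```

A header laid out for 4096-byte blocks reads as `zeroed` when probed at the 512-byte offset, so the block size passed to the check has to match the `logical_block_size` given to QEMU.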

Couldn't boot either from Ramdisk or NAND

Hi,
I have followed all the steps given in the tutorial, and in the final step I am getting stuck at the following place.

apfs_module_start:2411: load: com.apple.filesystems.apfs, v1677.0.5, apfs-1677.0.5, 2020/08/12
com.apple.AppleFSCompressionTypeZlib kmod start
AppleNVMe Assert failed: ( 0 != resources ) ErrorExit file: /Library/Caches/com.apple.xbs/Sources/IONVMeFamily/IONVMeFamily-557.0.2.152.1/Embedded/AppleEmbeddedNVMeController.cpp line: 5248
apfs_sysctl_register:1253: done registering sysctls.
com.apple.AppleFSCompressionTypeZlib load succeeded
L2TP domain init
L2TP domain init complete
Load request for com.apple.nke.pptp failed: -603946998
BSD root: md0, major 3, minor 0
apfs_vfsop_mountroot:2188: apfs: mountroot called!
apfs_vfsop_mount:1745: unable to root from devvp (root_device): 2
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 2
hfs: mounted AzulSeed18A5351d.arm64eUpdateRamDisk on device b(3, 0)
virtual void AppleEmbeddedNVMeController::InitializeWallTime()::5248:nvme: IOBSD didn't show up in 60 secs
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleT8030PMGR
panic(cpu 0 caller 0xfffffff00934c658): "Could not initialize wall time.\n"

Dependencies not included in brew install command for macOS

ERROR: glib-2.56 gthread-2.0 is required to compile QEMU

glib seems to be required to compile QEMU; it might be good to add glib to the brew install command in the Bringing up the emulator guide.

zsh: command not found: wget

In the Getting precompiled system binaries section, wget is also used. It will be great to add wget into the brew install command too.

Cannot mount root from NAND after successful restore

After a successful restore, rootfs cannot be mounted for some reason.
The rootfs is already modified, and has had its snapshot renamed to orig-fs

rootfs binaries (not the one in the wiki as I wanted a newer bash)
bash.plist and launchd.plist from setup-ios
Although I do not think these details matter when the rootfs is not even mounted.

A filesystem check on the APFS container reported no problem, and it can be mounted on macOS.

This appears to be the log related to the problem:

Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOFDiskPartitionScheme/Untitled 1@1
BSD root: disk0s1, major 1, minor 1
apfs_vfsop_mountroot:2188: apfs: mountroot called!
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 4096 block count 8388607 features 22 internal solidstate
apfs_vfsop_mount:1745: unable to root from devvp <ptr> (root_device): 79
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 79
virtual bool AppleEmbeddedNVMeController::StartController()::1547:Setting NAND status to Ready
hfs_ValidateHFSPlusVolumeHeader: unknown Volume Signature : 0
hfs_mount: hfs_mountfs returned error=22 for device unknown-dev
mount(2) failed

Host is Debian bullseye
Full log:

Loading iOS 14.0...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00a4cd4f0
KPF: found apfs_vfsop_mount
KPF: found handle_eval_rootauth
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff007b5d718
kpf_amfi_callback: Found lookup_in_static_trust_cache
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Routine)
kpf_amfi_callback: start @ 0xfffffff0097edcb8
kpf_amfi_callback: Found lookup_in_trust_cache_module
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
Qemu FB realize
g_virt_base: 0xfffffff004000000
g_phys_base: 0x0000000800000000
entry: 0x00000008041204e8
boot_mode: 0
auto-boot=true
cmdline: [debug=0x14e kextlog=0xffff rd=disk0s1 serial=3 -v wdt=-1]
iBoot version: qemu-t8030
Darwin Image4 Validator Version 3.0.0: Wed Aug 12 22:19:21 PDT 2020; root:AppleImage4-106.0.4.0.1~129/AppleImage4/RELEASE_ARM64E
AMFI is running in RESEARCH mode!
AUC:[0xffffffe19b677dd0]::init(0xffffffe19b5cc1b8)

AUC:[0xffffffe19b677dd0]::probe(0xffffffe19b445fe0, 0xffffffe80a31bdac)

AppleCredentialManager: init: called, instance = <ptr>.
ACMFirstResponderKernelService: init: called, .
ACMRM-S: init: called, starting PersistentStore service.
ACMRM-C: init: called, starting AccessoryCache service.
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache size = 16 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache expiration = 2592000 (default).
ACMRM: init: called, starting TRM service.
ACMRM-A: init: called, starting TRM Analytics service.
ACMKernelService: initValueFromBootArgAliasesUInt32: analytics collection period = 86400 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: policy mode timeout = 259200 (default).
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: (bounded) grace period timeout = 3600 (default).
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: enabled = 1 (default).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO* BtArg=NO LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO* LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _loadDisabledByOSEnvironment: disabled by OSEnvironment: NO.
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO LegHW=NO OSEnv=NO* | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200.
ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(n=1) while DISABLED, TRM: 259200 -/ff 4294967295 -/ff miss=ff (CUR: 259200 -/ff 4294967295 -/ff).
AppleCredentialManager: init: returning, result = true, instance = <ptr>.
AppleARMBootPerf: Error: profile region not found (2)
AppleARMBootPerf: Error: failed to publish profile data (2)
virtual bool CoreAnalyticsHub::start(IOService *)::105:CoreAnalyticsHub start
AppleInterruptController::start: Num Shared Timestamps == 0
AppleSSE::start called
AppleSSE::start returning, result = 1
AUC:[0xffffffe19b677dd0]::start(0xffffffe19b445fe0)

AppleSEPKeyStore:321:0: starting (BUILT: Aug 12 2020 22:51:30)
AppleSEPKeyStore:545:0: _sep_enabled = 1
AppleCredentialManager: start: called, instance = <ptr>.
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleS8000AES::start: registers at phys:0x0x235008000/0x0x23d2d0000 virt:0x<ptr>/0x0x4000 / 0x<ptr>/0x0x4000
AppleCredentialManager: start: initializing power management, instance = <ptr>.
AppleCredentialManager: start: started, instance = <ptr>.
AppleCredentialManager: start: returning, result = true, instance = <ptr>.
virtual bool AppleARMLightEmUp::start(IOService *): starting...
000001.935910 wlan0.A[1] start@968:Default options property found with value 4
Creating an object of AppleBCMWLANPlatformFunctionEmbeddedAMFM class
000001.948877 wlan0.A[2] start@1401: Raised adjustBusy(+1), getBusyState() -> 1
000001.949319 wlan0.A[3] start@1403:Setting up notifier for CoreAnalyticsHub
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>

RTBuddy(ANS2): start(<ptr>) - (Aug 12 2020@22:50:37)
RTBuddy(ANS2): Boot args override: wdt = -1
RTBuddy(ANS2): Resuming...

AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>

RTBuddy(SMC): start(<ptr>) - (Aug 12 2020@22:50:37)
RTBuddy(SMC): Boot args override: wdt = -1
RTBuddy(SMC): Resuming...

Starting AppleSMC kext(<ptr>) - (Aug 12 2020@22:51:44)
AppleSMCEmbedded::setPowerState(): ENTER powerStateOrdinal=1, _activeKeyCommand=0 newState=1
virtual IOService *AppleANS2NVMeController::probe(IOService *, SInt32 *)::194:Found (ANS2) provider, returning score 100000
virtual bool AppleANS2NVMeController::start(IOService *)::394:Found the ANS2Endpoint1
bool AppleEmbeddedNVMeController::SetNamespacesStruct()::186:Obtained 7 namespaces from DT
virtual IOFilterInterruptEventSource *AppleANS2NVMeController::CreateDeviceInterrupt(IOInterruptEventSource::Action, IOFilterInterruptEventSource::Filter, IOService *)::2719:ANS2 NVMe interrupt index - 0x4
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleS5L8960XUSBPhy::start: hsic disabled
Identified Serial Port uart7 at 0x23521c000(<ptr>)
Identified Serial Port uart0 at 0x235200000(<ptr>)
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>

RTBuddy(SIO): start(<ptr>) - (Aug 12 2020@22:50:37)
RTBuddy(SIO): Boot args override: wdt = -1
000002.252741 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::prepareDefaults: model iPhone version 12.1
000002.282571 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
000002.287644 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
LPM: Log data is NOT valid. 0x0 0x0
AppleDialogSPMIPMU::start: Primary PMU detected
/Library/Caches/com.apple.xbs/Sources/AppleSMC/AppleSMC-589.0.5/AppleSMCEmbeddedCharger/AppleSMCCharger.cpp:408 _setPowerStateGated() ENTER powerStateOrdinal=1, _powerState=1
AppleARMRTC started!#####
AppleDialogSPMIPMURTC started!******
Failed to read info-leg_scrpadAppleDialogSPMIPMURTC tick read!&&&&&&&
AppleDialogSPMIPMURTC ending!%%%
AppleARMRTC registering service!@@@@@@
AppleARMRTC service registered!$$$$$
AppleARMRTC publishing service!^^^^^^
apfs_module_start:2411: load: com.apple.filesystems.apfs, v1677.0.5, apfs-1677.0.5, 2020/08/12
com.apple.AppleFSCompressionTypeZlib kmod start
apfs_sysctl_register:1253: done registering sysctls.
com.apple.AppleFSCompressionTypeZlib load succeeded
L2TP domain init
L2TP domain init complete
Load request for com.apple.nke.pptp failed: -603946998
Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOService</string><key>BSD Name</key><string ID="2">disk0s1</string></dict>
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=0 entrysize=64
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=1 entrysize=128
ANS2: MMIO write to unknown vendor register, offset=0x1210 value=0x240024, returning
ANS2: MMIO write to unknown vendor register, offset=0x24004 value=0x1000, returning
ANS2: MMIO write to unknown vendor register, offset=0x24008 value=0x0, returning
ANS2: MMIO write to unknown vendor register, offset=0x24118 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24108 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24420 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24414 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x2441c value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24418 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24144 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24524 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24508 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24504 value=0x10002, returning
virtual void AppleANS2NVMeController::SetModeselRegister(uint32_t)::1186:Setting modesel to 0
ANS2: MMIO write to unknown vendor register, offset=0x1304 value=0x0, returning
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1964:nvme: Vendor ID     : 0x1b36
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1965:nvme: Model Number  : QEMU NVMe Ctrl                          
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1966:nvme: Serial Number : QEMUT8030ANS        
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1967:nvme: Firmware Rev  : 1.0     
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2000:nvme: S3E A0 Invalid 1x slc 1D 0 plane 128GB NAND
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2009:ECCVersion   : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2010:FTL Rev      : 0.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2011:DM_Version   : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2012:=======================
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2019:Found 16 namespaces in current NAND
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[1] as nstype[1]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[2] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[3] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[4] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[5] as nstype[5]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[6] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[7] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[8] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[9] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[10] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[11] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[12] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[13] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[14] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[15] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[16] as nstype[0]
bool AppleEmbeddedNVMeController::SetSwapWriteLimit(uint32_t)::2192: Swap limit set to 2147483648bytes, 2GB
uint32_t AppleEmbeddedNVMeNVRAM::GetNVRAMSize()::745:NVRAM size is 8192 bytes
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1578:allocateAll 1
Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOFDiskPartitionScheme/Untitled 1@1
BSD root: disk0s1, major 1, minor 1
apfs_vfsop_mountroot:2188: apfs: mountroot called!
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 4096 block count 8388607 features 22 internal solidstate
apfs_vfsop_mount:1745: unable to root from devvp <ptr> (root_device): 79
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 79
virtual bool AppleEmbeddedNVMeController::StartController()::1547:Setting NAND status to Ready
hfs_ValidateHFSPlusVolumeHeader: unknown Volume Signature : 0
hfs_mount: hfs_mountfs returned error=22 for device unknown-dev
mount(2) failed
Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOService</string><key>BSD Name</key><string ID="2">disk0s1</string></dict>
Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOFDiskPartitionScheme/Untitled 1@1
BSD root: disk0s1, major 1, minor 1
apfs_vfsop_mountroot:2188: apfs: mountroot called!
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 4096 block count 8388607 features 22 internal solidstate
apfs_vfsop_mount:1745: unable to root from devvp <ptr> (root_device): 79
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 79
hfs_ValidateHFSPlusVolumeHeader: unknown Volume Signature : 0
hfs_mount: hfs_mountfs returned error=22 for device unknown-dev
mount(3) failed

Nick Chan

Failure when using compressed disk

You've mentioned that the ramdisk should be decompressed before being used. That seems to be correct - booting from a ramdisk with compressed files gives the following error:

BSD root: md0, major 3, minor 0
apfs_vfsop_mountroot:2214: apfs: mountroot called!
apfs_vfsop_mount:1777: unable to root from devvp <ptr> (root_device): 2
apfs_vfsop_mountroot:2218: apfs: mountroot failed, error: 2
hfs: mounted AzulD18D52.arm64eCustomerRamDisk on device b(3, 0)
/Library/Caches/com.apple.xbs/Sources/AppleFSCompression/AppleFSCompression-125/Common/ChunkCompression.cpp:604: /usr/lib/dyld: invalid zlib header
Attempting to forcibly halt cpu 1
cpu 1 failed to halt with error -5: halt not supported for this configuration
Debugger synchronization timed out; waited 10000000 nanoseconds
IOPlatformPanicAction -> AppleT8030PMGR
Kernel data abort. at pc 0xfffffff008bcad2c, lr 0xfffffff008bcad24 (saved state: 0xffffffe8162a3040)
          x0: 0x0000000000000000  x1:  0x0000000000000014  x2:  0x0000000000000000  x3:  0x0000000000000000
          x4: 0x0000000000000062  x5:  0x000000023b040000  x6:  0xffffffe8008b1d80  x7:  0x0988fff0078f14f0
          x8: 0xffffffe80ec58048  x9:  0x0000000000000028  x10: 0x00000000fffd8000  x11: 0xffffffe4ce1511d0
          x12: 0x000000007fffffff x13: 0x00000000ffffffff  x14: 0x0000000000000000  x15: 0x0000000000000010
          x16: 0xfffffff0078f1148 x17: 0xfffffff0078f1148  x18: 0x0000000000000001  x19: 0xffffffe800890000
          x20: 0x0000000000088000 x21: 0xffffffe8008b23a0  x22: 0xcda1ffe800890000  x23: 0x000000023b084000
          x24: 0x0000000000084000 x25: 0x000000023d284000  x26: 0x0000000000000001  x27: 0xfffffff13630e910
          x28: 0xfffffff009aa8000 fp:  0xffffffe8162a33d0  lr:  0xfffffff008bcad24  sp:  0xffffffe8162a3390
          pc:  0xfffffff008bcad2c cpsr: 0x204003c4         esr: 0x96000010          far: 0xffffffe80ec58048
panic(cpu 4 caller 0xfffffff007ec6e40): unexpected SIGKILL of init  with reason -- namespace 9 code 0x1 description none

I find the /Library/Caches/com.apple.xbs/Sources/AppleFSCompression/AppleFSCompression-125/Common/ChunkCompression.cpp:604: /usr/lib/dyld: invalid zlib header error odd.

Do you have any idea why this is raised / how this can be troubleshot? I know there are versions of zlib which are heavily optimized for ARM. Could it be an error in the ARM translation which causes the zlib library to fail?

Buggy PMGR implementation

Currently, the implementation of the ApplePMGR device is inadequate, to the point that it causes a kernel data abort in ApplePMGR::panicHW when the kernel panics.

In the meantime, the issue can be worked around by replacing the first instruction of ApplePMGR::panicHW with a RET instruction. mapping pmp's reg.

This issue should be addressed by either implementing a better version of PMGR or patching the DeviceTree from xnu.c.

Not getting shell

I am booting the emulator with the auto boot instructions but not getting shell access. This is the log of running it:

AppleUSBDeviceMux build: Aug 12 2020 22:50:42
000042.269962 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_registerFunction: register function AppleUSBMux
IOAccessoryPortUSB::start
AppleUSBEthernetDevice::start: no device-mac-address present
000042.274005 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_registerFunction: register function AppleUSBNCMControl
000042.274572 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_registerFunction: register function IapOverUsbHid
000042.282476 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_registerFunction: register function AppleUSBNCMData
000042.295219 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_registerFunction: register function PTP
000042.295823 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_registerFunction: register function Valeria
000042.296267 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::startUSBStack: starting usb stack
qemu-system-aarch64: usb_tcp_host_attach: failed to connect to server: -1

apfs_is_valid_class:2253: rejecting class open (class 2) because we're not content protected
handle_mount:627: vol-uuid: FE08F35A-6B73-4D6B-A39A-B83D81136524 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.12)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6634: Volume System is not in a volume group
apfs_vfsop_mount:2171: disk0s1s1:0 mounted volume: System
handle_revert_to_snapshot:5195: On next mount, volume will revert to snapshot 'com.apple.os.update-5118EA8F39FF61D152BA7E1F92591910CDE7A2B09B867D8D58DC37E2CDC0B7C98DD296D4BF57862D143413DD17012D70' w/snap xid 133
apfs_stop_bg_work:1028: disk0s1s1:0 Volume System is unmounting, stop any bg work
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'System'
apfs: total mem allocated: 11952394 (11 mb);
apfs_vfsop_unmount:2682: all done.  going home.  (numMountedAPFSVolumes 5)
tx_flush:1075: disk0s1 xid 242 tx stats: # 20 finish 20 enter 775 wait 1 3033us close 2317us flush 8062us
revert_to_snapshot:1260: Reverting to snapshot w/xid 133 and old sblock oid 8259547.
revert_extents_to_snapshot:1093: free'ing extents in main extentref tree 8257579
free_allocated_snapshot_extents:1008: processed 0 extents and free'd 0 blocks
obj_cache_remove_reverted_fs_objects:1547: disk0s1s1:0 removing reverted fs objects for fs 1026: 134 - 244
revert_to_snapshot:1336: DONE reverting to snapshot w/xid 133
handle_mount:627: vol-uuid: FE08F35A-6B73-4D6B-A39A-B83D81136524 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.12)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6634: Volume System is not in a volume group
apfs_vfsop_mount:2171: disk0s1s1:0 mounted volume: System
apfs_vfsop_unmount:2375: disk0s1: unmounting volume 'System'
apfs: total mem allocated: 12886655 (12 mb);
apfs_vfsop_unmount:2682: all done.  going home.  (numMountedAPFSVolumes 5)
static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Process 163 is checking if a cdhash is in the trust cache
static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Returning IOReturn 0x0 to process 163
ls
tx_flush:1075: disk0s1 xid 262 tx stats: # 40 finish 40 enter 3141 wait 6 2470us close 1664us flush 13359us

ls
tx_flush:1075: disk0s1 xid 282 tx stats: # 60 finish 60 enter 2155 wait 6 2470us close 1219us flush 19586us

Failed to read nvram property

I followed the bringing up the emulator guide. From what I could understand from the error, there could be some issue with nvram or missing plist files.

Following is the directory structure

iphone:
total 5304212
-rw-r--r--  1 zoro zoro   107767835 Jan  9  2007 038-44087-125.dmg
-rw-r--r--  1 zoro zoro   104685595 Jan  9  2007 038-44135-124.dmg
-rw-r--r--  1 zoro zoro  5155389281 Jan  9  2007 038-44337-083.dmg
-r--r--r--  1 zoro zoro      729171 Jan  9  2007 BuildManifest.plist
drwxr-xr-x 18 zoro zoro        4096 Jan  9  2007 Firmware
-rw-r--r--  1 zoro zoro    15278127 Jan  9  2007 kernelcache.release.iphone11b
-rw-r--r--  1 zoro zoro    15704952 Jan  9  2007 kernelcache.release.iphone12b
-rw-r--r--  1 zoro zoro    17429507 Jan  9  2007 kernelcache.research.iphone12b
-rw-r--r--  1 zoro zoro 34359738368 May 26 17:49 nvme.1
-rw-r--r--  1 zoro zoro     8388608 May 26 17:49 nvme.2
-rw-r--r--  1 zoro zoro      131072 May 26 17:49 nvme.3
-rw-r--r--  1 zoro zoro        8192 May 26 17:49 nvme.4
-rw-r--r--  1 zoro zoro        4096 May 26 17:49 nvme.6
-rw-r--r--  1 zoro zoro     1048576 May 26 17:49 nvme.7
-rw-r--r--  1 zoro zoro        8192 May 26 18:09 nvram
-r--r--r--  1 zoro zoro        1420 Jan  9  2007 Restore.plist
drwxr-xr-x 13 zoro zoro        4096 May 26 20:17 strap
-rw-r--r--  1 zoro zoro    14458876 May 26 20:17 strap.tar.lzma

lzfse:
total 40
-rw-r--r-- 1 zoro zoro  458 May 16 17:25 appveyor.yml
drwxr-xr-x 6 zoro zoro 4096 May 16 17:25 build
-rw-r--r-- 1 zoro zoro 4231 May 16 17:25 CMakeLists.txt
-rw-r--r-- 1 zoro zoro 1514 May 16 17:25 LICENSE
drwxr-xr-x 2 zoro zoro 4096 May 16 17:25 lzfse.xcodeproj
-rw-r--r-- 1 zoro zoro 3022 May 16 17:25 Makefile
-rw-r--r-- 1 zoro zoro 2582 May 16 17:25 README.md
drwxr-xr-x 2 zoro zoro 4096 May 16 17:25 src
drwxr-xr-x 2 zoro zoro 4096 May 16 17:25 tests

qemu-t8030:
total 1924
drwxr-xr-x  8 zoro zoro   4096 May 16 17:26 accel
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 audio
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 authz
drwxr-xr-x  3 zoro zoro   4096 May 16 17:26 backends
drwxr-xr-x  4 zoro zoro   4096 May 16 17:26 block
-rw-r--r--  1 zoro zoro 247543 May 16 17:26 block.c
-rw-r--r--  1 zoro zoro 119968 May 16 17:26 blockdev.c
-rw-r--r--  1 zoro zoro   7497 May 16 17:26 blockdev-nbd.c
-rw-r--r--  1 zoro zoro  16520 May 16 17:26 blockjob.c
drwxr-xr-x 10 zoro zoro   4096 May 16 17:26 bsd-user
drwxr-xr-x 77 zoro zoro   4096 May 26 12:49 build
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 capstone
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 chardev
drwxr-xr-x  3 zoro zoro   4096 May 16 17:26 common-user
drwxr-xr-x  4 zoro zoro   4096 May 16 17:26 configs
-rwxr-xr-x  1 zoro zoro  91796 May 16 17:26 configure
drwxr-xr-x 13 zoro zoro   4096 May 16 17:26 contrib
-rw-r--r--  1 zoro zoro  17992 May 16 17:26 COPYING
-rw-r--r--  1 zoro zoro  26530 May 16 17:26 COPYING.LIB
-rw-r--r--  1 zoro zoro  12950 May 16 17:26 cpu.c
-rw-r--r--  1 zoro zoro  10318 May 16 17:26 cpus-common.c
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 crypto
drwxr-xr-x  3 zoro zoro   4096 May 16 17:26 disas
-rw-r--r--  1 zoro zoro  10982 May 16 17:26 disas.c
drwxr-xr-x 14 zoro zoro   4096 May 16 17:26 docs
drwxr-xr-x  7 zoro zoro   4096 May 16 17:27 dtc
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 dump
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 ebpf
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 fpu
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 fsdev
-rw-r--r--  1 zoro zoro  93984 May 16 17:26 gdbstub.c
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 gdb-xml
-rw-r--r--  1 zoro zoro   1835 May 16 17:26 gitdm.config
-rw-r--r--  1 zoro zoro  52286 May 16 17:26 hmp-commands.hx
-rw-r--r--  1 zoro zoro  19607 May 16 17:26 hmp-commands-info.hx
drwxr-xr-x 68 zoro zoro   4096 May 16 17:26 hw
drwxr-xr-x 25 zoro zoro   4096 May 16 17:26 include
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 io
-rw-r--r--  1 zoro zoro  12640 May 16 17:26 iothread.c
-rw-r--r--  1 zoro zoro  27882 May 16 17:26 job.c
-rw-r--r--  1 zoro zoro   4997 May 16 17:26 job-qmp.c
-rw-r--r--  1 zoro zoro    132 May 16 17:26 Kconfig
-rw-r--r--  1 zoro zoro    598 May 16 17:26 Kconfig.host
drwxr-xr-x  3 zoro zoro   4096 May 16 17:26 libdecnumber
-rw-r--r--  1 zoro zoro   1177 May 16 17:26 LICENSE
drwxr-xr-x 12 zoro zoro   4096 May 16 17:26 linux-headers
drwxr-xr-x 24 zoro zoro   4096 May 16 17:26 linux-user
-rw-r--r--  1 zoro zoro  86163 May 16 17:26 MAINTAINERS
-rw-r--r--  1 zoro zoro  11567 May 16 17:26 Makefile
-rw-r--r--  1 zoro zoro  16093 May 16 17:26 memory_ldst.c.inc
drwxr-xr-x 14 zoro zoro   4096 May 16 17:27 meson
-rw-r--r--  1 zoro zoro 138523 May 16 17:26 meson.build
-rw-r--r--  1 zoro zoro  13676 May 16 17:26 meson_options.txt
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 migration
-rw-r--r--  1 zoro zoro    113 May 16 17:26 module-common.c
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 monitor
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 nbd
drwxr-xr-x  3 zoro zoro   4096 May 16 17:26 net
-rw-r--r--  1 zoro zoro   8495 May 16 17:26 os-posix.c
-rw-r--r--  1 zoro zoro   2249 May 16 17:26 os-win32.c
-rw-r--r--  1 zoro zoro   1223 May 16 17:26 page-vary.c
-rw-r--r--  1 zoro zoro   1668 May 16 17:26 page-vary-common.c
drwxr-xr-x  7 zoro zoro   4096 May 16 17:26 pc-bios
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 plugins
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 po
drwxr-xr-x  4 zoro zoro   4096 May 16 17:26 python
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 qapi
-rw-r--r--  1 zoro zoro  12152 May 16 17:26 qemu-bridge-helper.c
-rw-r--r--  1 zoro zoro   3681 May 16 17:26 qemu-edid.c
-rw-r--r--  1 zoro zoro 163649 May 16 17:26 qemu-img.c
-rw-r--r--  1 zoro zoro   5654 May 16 17:26 qemu-img-cmds.hx
-rw-r--r--  1 zoro zoro  18269 May 16 17:26 qemu-io.c
-rw-r--r--  1 zoro zoro  66195 May 16 17:26 qemu-io-cmds.c
-rw-r--r--  1 zoro zoro   7588 May 16 17:26 qemu-keymap.c
-rw-r--r--  1 zoro zoro  38211 May 16 17:26 qemu-nbd.c
-rw-r--r--  1 zoro zoro   6916 May 16 17:26 qemu.nsi
-rw-r--r--  1 zoro zoro 235167 May 16 17:26 qemu-options.hx
-rw-r--r--  1 zoro zoro   1694 May 16 17:26 qemu.sasl
drwxr-xr-x  4 zoro zoro   4096 May 16 17:26 qga
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 qobject
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 qom
-rw-r--r--  1 zoro zoro   5575 May 16 17:26 README.rst
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 replay
-rw-r--r--  1 zoro zoro   2530 May 16 17:26 replication.c
drwxr-xr-x 17 zoro zoro   4096 May 16 17:26 roms
drwxr-xr-x 16 zoro zoro   4096 May 16 17:26 scripts
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 scsi
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 semihosting
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 setup-ios
drwxr-xr-x  4 zoro zoro   4096 May 16 17:27 slirp
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 softmmu
drwxr-xr-x  3 zoro zoro   4096 May 16 17:26 storage-daemon
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 stubs
drwxr-xr-x  3 zoro zoro   4096 May 16 17:26 subprojects
drwxr-xr-x 22 zoro zoro   4096 May 16 17:26 target
drwxr-xr-x 12 zoro zoro   4096 May 16 17:26 tcg
drwxr-xr-x 27 zoro zoro   4096 May 16 17:26 tests
drwxr-xr-x  4 zoro zoro   4096 May 16 17:26 tools
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 trace
-rw-r--r--  1 zoro zoro   5582 May 16 17:26 trace-events
drwxr-xr-x  5 zoro zoro   4096 May 16 17:26 ui
drwxr-xr-x  2 zoro zoro   4096 May 16 17:26 util
-rw-r--r--  1 zoro zoro      6 May 16 17:26 VERSION.QEMU
-rw-r--r--  1 zoro zoro    867 May 16 17:26 version.rc

qemu-t8030-tools:
total 12
drwxr-xr-x 2 zoro zoro 4096 May 16 17:19 bootstrap_scripts
drwxr-xr-x 2 zoro zoro 4096 May 16 17:19 libimobiledevice_patches
-rw-r--r-- 1 zoro zoro  327 May 16 17:19 README.md

Following are the QEMU logs:

../qemu-t8030/build/qemu-system-aarch64 -snapshot -s -M t8030,trustcache-filename=Firmware/038-44135-124.dmg.trustcache \
-kernel kernelcache.research.iphone12b \
-dtb Firmware/all_flash/DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v" \
-initrd 038-44135-124.dmg \
-cpu max -smp 4 \
-m 4G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait
Loading iOS 14.0...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00a4cd4f0
KPF: found apfs_vfsop_mount
KPF: found handle_eval_rootauth
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: Found lookup_in_trust_cache_module @ 0xfffffff007b5d71c
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Routine)
kpf_amfi_callback: Found lookup_in_static_trust_cache @ 0xfffffff0097edcb8
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
Qemu FB realize
g_virt_base: 0xfffffff00a000000
g_phys_base: 0x0000000802000000
slide_virt: 0x0000000007000000
slide_phys: 0x0000000001000000
entry: 0x00000008071204e8
boot_mode: 0
auto-boot=false
cmdline: [-restore rd=md0 nand-enable-reformat=1 -progress debug=0x14e kextlog=0xffff serial=3 -v]
iBoot version: qemu-t8030
Darwin Image4 Validator Version 3.0.0: Wed Aug 12 22:19:21 PDT 2020; root:AppleImage4-106.0.4.0.1 ~ 129/AppleImage4/RELEASE_ARM64E
AppleImage4: failed to read nvram property: nonce-seeds: 2
AppleImage4: error reading seeds: 2
AMFI is running in RESEARCH mode!
AUC:[0xffffffe19bb18950]::init(0xffffffe19bb4a0a8)
AUC:[0xffffffe19bb18950]::probe(0xffffffe19b8e2300, 0xffffffe8080abdac)
AppleCredentialManager: init: called, instance = <ptr>.
ACMFirstResponderKernelService: init: called, .
ACMRM-S: init: called, starting PersistentStore service.
ACMRM-C: init: called, starting AccessoryCache service.
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache size = 16 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache expiration = 2592000 (default).
ACMRM: init: called, starting TRM service.
ACMRM-A: init: called, starting TRM Analytics service.
ACMKernelService: initValueFromBootArgAliasesUInt32: analytics collection period = 86400 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: policy mode timeout = 259200 (default).
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: (bounded) grace period timeout = 3600 (default).
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: enabled = 1 (default).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO* BtArg=NO LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO* LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _loadDisabledByOSEnvironment: disabled by OSEnvironment: NO.
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO LegHW=NO OSEnv=NO* | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200.
ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(n=1) while DISABLED, TRM: 259200 -/ff 4294967295 -/ff miss=ff (CUR: 259200 -/ff 4294967295 -/ff).
AppleCredentialManager: init: returning, result = true, instance = <ptr>.
AppleARMBootPerf: Error: profile region not found (2)
AppleARMBootPerf: Error: failed to publish profile data (2)
virtual bool CoreAnalyticsHub::start(IOService *)::105:CoreAnalyticsHub start
virtual bool AppleARMLightEmUp::start(IOService *): starting...
AppleSSE::start called
AppleSSE::start returning, result = 1
AUC:[0xffffffe19bb18950]::start(0xffffffe19b8e2300)
AppleS5L8940XI2CController::start: smc-i2c1 this: <ptr> _i2cBaseAddress: <ptr>
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleS5L8940XI2CController::start: i2c1 this: <ptr> _i2cBaseAddress: <ptr>
AppleInterruptController::start: Num Shared Timestamps == 0
AppleSEPKeyStore:321:0: starting (BUILT: Aug 12 2020 22:51:30)
AppleSEPKeyStore:545:0: _sep_enabled = 1
AppleCredentialManager: start: called, instance = <ptr>.
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleCredentialManager: start: initializing power management, instance = <ptr>.
AppleCredentialManager: start: started, instance = <ptr>.
AppleCredentialManager: start: returning, result = true, instance = <ptr>.
AppleS5L8940XI2CController::start: i2c0 this: <ptr> _i2cBaseAddress: <ptr>
AppleS5L8940XI2CController::start: i2c2 this: <ptr> _i2cBaseAddress: <ptr>
AppleS5L8940XI2CController::start: smc-i2c0 this: <ptr> _i2cBaseAddress: <ptr>
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
000002.788268 wlan0.A[1] start@968:Default options property found with value 4
AppleS5L8940XI2CController::start: i2c3 this: <ptr> _i2cBaseAddress: <ptr>
AppleS5L8960XUSBPhy::start: hsic disabled
AppleS8000AES::start: registers at phys:0x0x235008000/0x0x23d2d0000 virt:0x<ptr>/0x0x4000 / 0x<ptr>/0x0x4000
Creating an object of AppleBCMWLANPlatformFunctionEmbeddedAMFM class
000002.898100 wlan0.A[2] start@1401: Raised adjustBusy(+1), getBusyState() -> 1
000002.898560 wlan0.A[3] start@1403:Setting up notifier for CoreAnalyticsHub
000002.939384 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::prepareDefaults: model iPhone version 12.1
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>
Identified Serial Port uart7 at 0x23521c000(<ptr>)
Identified Serial Port uart0 at 0x235200000(<ptr>)
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>
RTBuddy(SMC): start(<ptr>) - (Aug 12 2020@22:50:37)
RTBuddy(ANS2): start(<ptr>) - (Aug 12 2020@22:50:37)
LPM state clear
LPM: Log data is NOT valid. 0x0 0x0
AppleDialogSPMIPMU::start: Primary PMU detected
AppleARMRTC started!#####
AppleDialogSPMIPMURTC started!******
Failed to read info-leg_scrpadAppleDialogSPMIPMURTC tick read!&&&&&&&
AppleDialogSPMIPMURTC ending!%%%
AppleARMRTC registering service!@@@@@@
RTBuddy(SMC): Resuming...
RTBuddy(ANS2): Resuming...
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>
AppleARMRTC service registered!$$$$$
AppleARMRTC publishing service!^^^^^^
virtual IOService *AppleANS2NVMeController::probe(IOService *, SInt32 *)::194:Found (ANS2) provider, returning score 100000
void AppleEmbeddedNVMeController::GetRestoreEnvironment()::444:Restore Environment!
RTBuddy(SIO): start(<ptr>) - (Aug 12 2020@22:50:37)
000003.144880 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
Starting AppleSMC kext(<ptr>) - (Aug 12 2020@22:51:44)
AppleSMCEmbedded::setPowerState(): ENTER powerStateOrdinal=1, _activeKeyCommand=17 newState=1
virtual bool AppleANS2NVMeController::start(IOService *)::394:Found the ANS2Endpoint1
000003.164450 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
void AppleEmbeddedNVMeController::GetRestoreEnvironment()::444:Restore Environment!
bool AppleEmbeddedNVMeController::SetNamespacesStruct()::186:Obtained 7 namespaces from DT
virtual IOFilterInterruptEventSource *AppleANS2NVMeController::CreateDeviceInterrupt(IOInterruptEventSource::Action, IOFilterInterruptEventSource::Filter, IOService *)::2719:ANS2 NVMe interrupt index - 0x4
/Library/Caches/com.apple.xbs/Sources/AppleSMC/AppleSMC-589.0.5/AppleSMCEmbeddedCharger/AppleSMCCharger.cpp:408 _setPowerStateGated() ENTER powerStateOrdinal=1, _powerState=1
apfs_module_start:2411: load: com.apple.filesystems.apfs, v1677.0.5, apfs-1677.0.5, 2020/08/12
com.apple.AppleFSCompressionTypeZlib kmod start
apfs_sysctl_register:1253: done registering sysctls.
com.apple.AppleFSCompressionTypeZlib load succeeded
L2TP domain init
L2TP domain init complete
Load request for com.apple.nke.pptp failed: -603946998
BSD root: md0, major 3, minor 0
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=0 entrysize=64
apfs_vfsop_mountroot:2188: apfs: mountroot called!
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=1 entrysize=128
ANS2: MMIO write to unknown vendor register, offset=0x1210 value=0x240024, returning
apfs_vfsop_mANS2: MMIO write to unknown vendor register, offset=0x24004 value=0x1000, returning
ount:1745: unable to root from devvpANS2: MMIO write to unknown vendor register, offset=0x24008 value=0x0, returning
 <ptr> (ANS2: MMIO write to unknown vendor register, offset=0x24118 value=0x102, returning
roANS2: MMIO write to unknown vendor register, offset=0x24108 value=0x102, returning
otANS2: MMIO write to unknown vendor register, offset=0x24420 value=0x102, returning
_dANS2: MMIO write to unknown vendor register, offset=0x24414 value=0x102, returning
evice): 2
ANS2: MMIO write to unknown vendor register, offset=0x2441c value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24418 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24144 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24524 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24508 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24504 value=0x10002, returning
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 2
virtual void AppleANS2NVMeController::SetModeselRegister(uint32_t)::1186:Setting modesel to 4
ANS2: MMIO write to unknown vendor register, offset=0x1304 value=0x4, returning
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1964:nvme: Vendor ID     : 0x1b36
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1965:nvme: Model Number  : QEMU NVMe Ctrl                          
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1966:nvme: Serial Number : QEMUT8030ANS        
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1967:nvme: Firmware Rev  : 1.0     
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2000:nvme: S3E A0 Invalid 1x slc 1D 0 plane 128GB NAND
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2009:ECCVersion   : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2010:FTL Rev      : 0.0
hfs: mounted AzulSeed18A5351d.arm64eCustomerRamDisk on device b(3, 0)
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2011:DM_Version   : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2012:=======================
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2019:Found 16 namespaces in current NAND
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[1] as nstype[1]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[2] as nstype[2]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[3] as nstype[3]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[4] as nstype[4]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[5] as nstype[5]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[6] as nstype[6]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[7] as nstype[8]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[8] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[9] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[10] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[11] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[12] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[13] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[14] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[15] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[16] as nstype[0]
bool AppleEmbeddedNVMeController::SetSwapWriteLimit(uint32_t)::2192: Swap limit set to 2147483648bytes, 2GB
virtual bool AppleEmbeddedNVMeController::InitializeController()::507:FW update not complete, create dummy block device
uint32_t AppleEmbeddedNVMeNVRAM::GetNVRAMSize()::745:NVRAM size is 8192 bytes
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1578:allocateAll 1
virtual bool AppleEmbeddedNVMeController::StartController()::1547:Setting NAND status to Ready
dyld: setting comm page to 0x0
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: hello
Darwin Bootstrapper Version 7.0.0: Mon Aug 10 04:09:14 PDT 2020; root:libxpc_executables-2038.0.13~13/launchd/RELEASE_ARM64E
boot-args = -restore rd=md0 nand-enable-reformat=1 -progress debug=0x14e kextlog=0xffff serial=3 -v
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Restore environment starting.
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Notice>: entering ondemand mode
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: fsck
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: mount-phase-1
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: data-protection
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: finish-obliteration
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: commit-boot-mode
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: boot-mode committed: (null)
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: restore-datapartition
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: restore-datapartition: optional boot task not present
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: mount-phase-2
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: init-with-data-volume
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: MSUEarlyBootTask
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: fips
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: keybag
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: usermanagerd
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: init_featureflags
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: fud
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: tzinit
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: finish-restore
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: finish-demo-restore
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: sysstatuscheck
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: prng_seedctl
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Error>: Unable to open /System/Library/xpc/launchd.plist [2:No such file or directory]
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Skipping boot-task: launchd_cache_loader
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Error>: No MRM cache found
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Warning>: Unable to load cache
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: launchd UUID: 4C2464F5-9F87-31DE-B252-584E3391D4FA
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] <Notice>: Early boot complete. Continuing system boot.
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Notice>: entering bootstrap mode
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.KeyMaker) <Warning>: Unknown key for Boolean: EnablePressureExit
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: com.apple.KeyMaker (lint): Unable to find persona with type 6: kpersona_find returned -1
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: com.apple.PurpleReverseProxy.ramdisk (lint): Unable to find persona with type 6: kpersona_find returned -1
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: com.apple.diskimagesiod.ram (lint): Unable to find persona with type 6: kpersona_find returned -1
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: com.apple.restored_external (lint): Unable to find persona with type 6: kpersona_find returned -1
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: Failed to bootstrap path: path = /System/Library/NanoLaunchDaemonsAltAccount, error = 2: No such file or directory
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: Failed to bootstrap path: path = /System/Library/NanoLaunchDaemons, error = 2: No such file or directory
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: Failed to bootstrap path: path = /AppleInternal/Library/LaunchDaemons, error = 2: No such file or directory
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Notice>: exiting bootstrap mode
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Notice>: exiting ondemand mode
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.KeyMaker.3) <Warning>: Could not find and/or execute program specified by service: 2: No such file or directory: /usr/local/bin/KeyMaker
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.KeyMaker.3) <Notice>: Service setup event to handle failure and will not launch until it fires.
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.KeyMaker.3) <Error>: Missing executable detected. Job: 'com.apple.KeyMaker' Executable: '/usr/local/bin/KeyMaker'
Thu May 26 14:48:05 2022 localhost com.apple.xpc.launchd[1] (com.apple.KeyMaker.3) <Warning>: Service exited with abnormal code: 78
objc[4]: Class AMSupportURLConnectionDelegate is implemented in both ?? (0x1014a0000) and ?? (0x101eb0028). One of the two will be used. Which one is undefined.
objc[4]: Class AMSupportURLSession is implemented in both ?? (0x1014a0050) and ?? (0x101eb0078). One of the two will be used. Which one is undefined.
[14:48:08.0929-GMT]{1>4} CHECKPOINT ANOMALY: [check_collection]auto-boot(does_not_exist)
[14:48:08.0955-GMT]{1>4} CHECKPOINT PROGRESS: START (unknown) -> (initial_monitor_no_return)
[14:48:08.0958-GMT]{1>4} CHECKPOINT NOTICE: NVRAM access available on initial check
restore-anomalies = {0x00000000:[check_collection]auto-boot(does_not_exist)}
restore-outcome = initial_monitor_no_return
executing /usr/sbin/nvram -s restore-outcome=initial_monitor_no_return
[14:48:09.0589-GMT]{1>4} CHECKPOINT NOTICE: (NVRAM set) restore-outcome=initial_monitor_no_return [sync=true] (initial entry)
entering set_boot_stage
[14:48:09.0684-GMT]{1>4} CHECKPOINT MONITOR: [0x0204] boot_stage
restore-step-monitor = {0x11010204:"boot_stage"}
executing /sbin/mount_tmpfs /mnt5
entering show_service_nodes
disk0
IOBlockStorageDriver RegistryID : 0x10000021e Busy State : 0x0 Service State : 0x1e
NS_01 RegistryID : 0x10000021d Busy State : 0x0 Service State : 0x1e
AppleANS2NVMeController RegistryID : 0x1000001fb Busy State : 0x0 Service State : 0x1e
RTBuddyService RegistryID : 0x1000001f3 Busy State : 0x0 Service State : 0x1e
RTBuddyV2 RegistryID : 0x1000001ea Busy State : 0x0 Service State : 0x1e
iop-ans-nub RegistryID : 0x100000132 Busy State : 0x0 Service State : 0x1e
AppleASCWrapV2 RegistryID : 0x1000001d8 Busy State : 0x0 Service State : 0x0
ans RegistryID : 0x100000131 Busy State : 0x0 Service State : 0x1e
AppleT803xIO RegistryID : 0x1000001a6 Busy State : 0x5 Service State : 0x1e
arm-io RegistryID : 0x100000116 Busy State : 0x1 Service State : 0x1e
AppleARMPE RegistryID : 0x100000186 Busy State : 0x2 Service State : 0x1e
N104DEV RegistryID : 0x100000185 Busy State : 0x1 Service State : 0x1e
Root RegistryID : 0x100000100 Busy State : 0x0 Service State : 0x0
[14:48:10.0034-GMT]{1>4} CHECKPOINT MONITOR: [0x1180] create_ramdisk
restore-step-monitor = {0x11011180:"create_ramdisk"}
[14:48:10.0036-GMT]{1>4} CHECKPOINT MONITOR: [0x0206] monitoring_child
restore-step-monitor = {0x11010206:"monitoring_child"}
objc[7]: Class AMSupportURLConnectionDelegate is implemented in both ?? (0x1017f0000) and ?? (0x102200028). One of the two will be used. Which one is undefined.
objc[7]: Class AMSupportURLSession is implemented in both ?? (0x1017f0050) and ?? (0x102200078). One of the two will be used. Which one is undefined.
libMobileGestalt MobileGestalt.c:711: RestoreLog: Client Query: Image4Supported
2022-05-26 14:48:11.678882+0000 restored_external[7:370] RestoreLog: Client Query: Image4Supported
libMobileGestalt utility.c:64: Could not open /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist: No such file or directory
2022-05-26 14:48:11.698142+0000 restored_external[7:370] Could not open /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist: No such file or directory
libMobileGestalt MobileGestalt.c:743: RestoreLog: Client Response: Image4Supported : true
2022-05-26 14:48:11.717470+0000 restored_external[7:370] RestoreLog: Client Response: Image4Supported : 1
[14:48:11.0719-GMT]{4>7} CHECKPOINT NOTICE: Image4 device: AP nonce clearable
entering ramrod_clear_ap_nonce
[14:48:11.0772-GMT]{4>7} CHECKPOINT NOTICE: AP nonce consumed
[14:48:11.0791-GMT]{4>7} CHECKPOINT NOTICE: Pre-existing NVRAM variable: restore-outcome=initial_monitor_no_return
[14:48:11.0822-GMT]{4>7} CHECKPOINT ANOMALY: [check_collection]auto-boot(does_not_exist)
[14:48:11.0825-GMT]{4>7} CHECKPOINT PROGRESS: START (unknown) -> (initial_engine_no_return)
[14:48:11.0826-GMT]{4>7} CHECKPOINT NOTICE: NVRAM access available on initial check
restore-anomalies = {0x00000000:[check_collection]auto-boot(does_not_exist)}
restore-outcome = initial_engine_no_return
executing /usr/sbin/nvram restore-outcome=initial_engine_no_return
[14:48:12.0325-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0400] umask
restore-step-ids = {0x11030400:1}
restore-step-names = {0x11030400:umask}
restore-step-uptime = 9
restore-step-user-progress = -1
[14:48:12.0332-GMT]{4>7} CHECKPOINT END: MAIN:[0x0400] umask
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 9
restore-step-user-progress = -1
[14:48:12.0337-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0402] setvbuf
restore-step-ids = {0x11030402:2}
restore-step-names = {0x11030402:setvbuf}
restore-step-uptime = 9
restore-step-user-progress = -1
[14:48:12.0342-GMT]{4>7} CHECKPOINT END: MAIN:[0x0402] setvbuf
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 9
restore-step-user-progress = -1
[14:48:12.0347-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0403] kernel_logger_thread
restore-step-ids = {0x11030403:3}
restore-step-names = {0x11030403:kernel_logger_thread}
restore-step-uptime = 9
restore-step-user-progress = -1
[14:48:12.0352-GMT]{4>7} CHECKPOINT END: MAIN:[0x0403] kernel_logger_thread
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 9
restore-step-user-progress = -1
[14:48:12.0359-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0406] set_progress_0
restore-step-ids = {0x11030406:4}
restore-step-names = {0x11030406:set_progress_0}
restore-step-uptime = 9
restore-step-user-progress = -1
libMobileGestalt MobileGestalt.c:711: RestoreLog: Client Query: DeviceClass
2022-05-26 14:48:12.367467+0000 restored_external[7:370] RestoreLog: Client Query: DeviceClass
libMobileGestalt MobileGestalt.c:743: RestoreLog: Client Response: DeviceClass : iPhone
2022-05-26 14:48:12.370310+0000 restored_external[7:370] RestoreLog: Client Response: DeviceClass : iPhone
libMobileGestalt MobileGestalt.c:711: RestoreLog: Client Query: DeviceColorMapPolicy
2022-05-26 14:48:12.372004+0000 restored_external[7:370] RestoreLog: Client Query: DeviceColorMapPolicy
libMobileGestalt MobileGestalt.c:743: RestoreLog: Client Response: DeviceColorMapPolicy : 0
2022-05-26 14:48:12.382616+0000 restored_external[7:370] RestoreLog: Client Response: DeviceColorMapPolicy : 0
2022-05-26 14:48:12.393758+0000 restored_external[7:370] IOMFB: /System/Library/Frameworks/MediaToolbox.framework/MediaToolbox not found
2022-05-26 14:48:12.397712+0000 restored_external[7:370] IOMFB: /System/Library/PrivateFrameworks/MediaToolbox.framework/MediaToolbox not found
2022-05-26 14:48:12.400924+0000 restored_external[7:370] IOMFB: /System/Library/PrivateFrameworks/Celestial.framework/Celestial not found
2022-05-26 14:48:12.402334+0000 restored_external[7:370] IOMFB: FigInstallVirtualDisplay not found
unable to get display list
unable to get framebuffer
No framebuffer but an internal display. Ok on bridge but weird anywhere else.
ramrod_display_set_granular_progress_forced: 0.000000
[14:48:18.0016-GMT]{4>7} CHECKPOINT END: MAIN:[0x0406] set_progress_0
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0027-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0407] start_gasgauge_thread
restore-step-ids = {0x11030407:5}
restore-step-names = {0x11030407:start_gasgauge_thread}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0052-GMT]{4>7} CHECKPOINT WARNING: MAIN:[0x0407] gasgauge_start_update_thread failed: -1
restored_external: gasgauge_start_update_thread failed: -1
[14:48:18.0057-GMT]{4>7} CHECKPOINT END: MAIN:[0x0407] start_gasgauge_thread
restore-step-ids = {}
restore-step-names = {}
restore-step-warnings = {0x11060407:{0:"gasgauge_start_update_thread failed: -1"}}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0074-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0408] listen_for_log_client
restore-step-ids = {0x11030408:6}
restore-step-names = {0x11030408:listen_for_log_client}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0097-GMT]{4>7} CHECKPOINT END: MAIN:[0x0408] listen_for_log_client
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0103-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x040D] create_listen_socket
restore-step-ids = {0x1103040D:7}
restore-step-names = {0x1103040D:create_listen_socket}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0111-GMT]{4>7} CHECKPOINT END: MAIN:[0x040D] create_listen_socket
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0117-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0404] update_root_mount
restore-step-ids = {0x11030404:8}
restore-step-names = {0x11030404:update_root_mount}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0158-GMT]{4>7} CHECKPOINT END: MAIN:[0x0404] update_root_mount
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0163-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0405] disable_watchdog
restore-step-ids = {0x11030405:9}
restore-step-names = {0x11030405:disable_watchdog}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0177-GMT]{4>7} CHECKPOINT END: MAIN:[0x0405] disable_watchdog
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 15
restore-step-user-progress = 0
[14:48:18.0190-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x040E] enable_usb
restore-step-ids = {0x1103040E:10}
restore-step-names = {0x1103040E:enable_usb}
restore-step-uptime = 15
restore-step-user-progress = 0
libMobileGestalt MobileGestalt.c:711: RestoreLog: Client Query: UniqueDeviceID
2022-05-26 14:48:18.259105+0000 restored_external[7:370] RestoreLog: Client Query: UniqueDeviceID
2022-05-26 14:48:18.261258+0000 restored_external[7:370] [fast-path] taking platform fast path for key: re6Zb+zwFKJNlkQTUeT+/w
libMobileGestalt MobileGestalt.c:711: RestoreLog: Client Query: nFRqKto/RuQAV1P+0/qkBA
2022-05-26 14:48:18.263541+0000 restored_external[7:370] RestoreLog: Client Query: nFRqKto/RuQAV1P+0/qkBA
2022-05-26 14:48:18.264773+0000 restored_external[7:370] [fast-path] taking platform fast path for key: nFRqKto/RuQAV1P+0/qkBA
libMobileGestalt MobileGestalt.c:711: RestoreLog: Client Query: TF31PAB6aO8KAbPyNKSxKA
2022-05-26 14:48:18.268898+0000 restored_external[7:370] RestoreLog: Client Query: TF31PAB6aO8KAbPyNKSxKA
libMobileGestalt MobileGestalt.c:743: RestoreLog: Client Response: TF31PAB6aO8KAbPyNKSxKA : 1234605616436508552
2022-05-26 14:48:18.275121+0000 restored_external[7:370] RestoreLog: Client Response: TF31PAB6aO8KAbPyNKSxKA : 1234605616436508552
libMobileGestalt MobileGestalt.c:711: RestoreLog: Client Query: 566JrJVMlDfnslGpwUzNlQ
2022-05-26 14:48:18.277011+0000 restored_external[7:370] RestoreLog: Client Query: 566JrJVMlDfnslGpwUzNlQ
libMobileGestalt MobileGestalt.c:743: RestoreLog: Client Response: 566JrJVMlDfnslGpwUzNlQ : 32816
2022-05-26 14:48:18.283882+0000 restored_external[7:370] RestoreLog: Client Response: 566JrJVMlDfnslGpwUzNlQ : 32816
libMobileGestalt MobileGestalt.c:743: RestoreLog: Client Response: nFRqKto/RuQAV1P+0/qkBA : <CFData 0x13880e540 [0x101ee41b8]>{length = 25, capacity = 25, bytes = 0x30303030383033302d31313232333334 ... 3535363637373838}
2022-05-26 14:48:18.304635+0000 restored_external[7:370] RestoreLog: Client Response: nFRqKto/RuQAV1P+0/qkBA : {length = 25, bytes = 0x30303030 38303330 2d313132 32333334 ... 35353636 37373838 }
libMobileGestalt MobileGestalt.c:743: RestoreLog: Client Response: UniqueDeviceID : 00008030-1122334455667788
2022-05-26 14:48:18.307444+0000 restored_external[7:370] RestoreLog: Client Response: UniqueDeviceID : 00008030-1122334455667788
000017.727052 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice: configuration: Apple Mobile Device
000017.727788 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice:    interface: AppleUSBMux
000017.728893 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice: configuration: Reserved 1 + Apple Mobile Device
000017.729475 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice:    interface: Reserved
000017.730027 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice:    interface: AppleUSBMux
000017.730562 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice: configuration: Reserved 2 + Apple Mobile Device
000017.731165 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice:    interface: Reserved
000017.731708 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice:    interface: AppleUSBMux
000017.732254 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice: configuration: Reserved 3 + Apple Mobile Device
000017.732852 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice:    interface: Reserved
000017.733326 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::createUSBDevice:    interface: AppleUSBMux
waiting for matching IOKit service: {
    IOProviderClass = AppleUSBDeviceMux;
}
000017.752422 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_registerFunction: register function Reserved
AppleUSBDeviceMux build: Aug 12 2020 22:50:42
000017.769377 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_registerFunction: register function AppleUSBMux
000017.770859 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::startUSBStack: starting usb stack
qemu: usb_tcp_host_attach: failed to connect to server: -1
IOReturn AppleUSBDeviceMux::setPropertiesGated(OSObject *) setting debug level to 7
[14:48:21.0340-GMT]{4>7} CHECKPOINT END: MAIN:[0x040E] enable_usb
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 18
restore-step-user-progress = 0
waiting for host to trigger start of restore [timeout of 120 seconds]
000022.894390 wlan0.A[4] initWithProvider@120:amfm not matched
000022.900667 wlan0.A[5] deferredStart@1730: Lowered adjustBusy(-1), getBusyState() -> 4
```

Cannot load Bash

The emulated device will not load bash, even after adding setup-ios/launchd.plist and setup-ios/bash.plist to the filesystem.
Boot command:
../qemu-system-aarch64 -s -M t8030,trustcache-filename=static_tc,ticket-filename=root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb Firmware/all_flash/DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v launchd_insecure_cache=1 wdt=-1" \
-initrd 038-44087-125.dmg.out \
-cpu max -smp 1 \
-m 4G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096

ERROR: Dependency "appleframeworks" not found

When running the below command as per the Wiki, I'm receiving the following error:

$ ../configure --target-list=aarch64-softmmu,x86_64-softmmu --disable-capstone --enable-lzfse --disable-werror
[…]
../meson.build:192:2: ERROR: Dependency "appleframeworks" not found, tried framework

My system is a 2021 16" MacBook Pro w/ M1 Max:

$ uname -a
Darwin Jacobs-MBP.lan 21.3.0 Darwin Kernel Version 21.3.0: Wed Jan  5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE_ARM64_T6000 x86_64

Cannot build on Debian bullseye

Machine: Debian bullseye x86_64
Linux 5.15.0-0.bpo.3-amd64
C compiler is clang 13.0.1

cd build
../configure --target-list=aarch64-softmmu,x86_64-softmmu --disable-capstone --enable-lzfse --disable-werror
make -j4

configure output
make output

The actual error:

[1158/2860] Compiling C object libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o
FAILED: libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o 
clang -Ilibcommon.fa.p -I../slirp -I../slirp/src -I/usr/include/pixman-1 -I/usr/include/libpng16 -I/usr/include/p11-kit-1 -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -I/usr/include/gio-unix-2.0 -I/usr/include/libusb-1.0 -I/usr/include/gtk-3.0 -I/usr/include/at-spi2-atk/2.0 -I/usr/include/at-spi-2.0 -I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include -I/usr/include/cairo -I/usr/include/pango-1.0 -I/usr/include/fribidi -I/usr/include/harfbuzz -I/usr/include/atk-1.0 -I/usr/include/uuid -I/usr/include/freetype2 -I/usr/include/gdk-pixbuf-2.0 -fcolor-diagnostics -Wall -Winvalid-pch -std=gnu11 -O2 -g -isystem /home/nick/qemu-t8030/linux-headers -isystem linux-headers -iquote . -iquote /home/nick/qemu-t8030 -iquote /home/nick/qemu-t8030/include -iquote /home/nick/qemu-t8030/disas/libvixl -iquote /home/nick/qemu-t8030/tcg/i386 -pthread -m64 -mcx16 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fno-common -fwrapv -Wold-style-definition -Wtype-limits -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wempty-body -Wnested-externs -Wendif-labels -Wexpansion-to-defined -Wno-initializer-overrides -Wno-missing-include-dirs -Wno-shift-negative-value -Wno-string-plus-int -Wno-typedef-redefinition -Wno-tautological-type-limit-compare -Wno-psabi -fstack-protector-strong -fPIE -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=600 -DNCURSES_WIDECHAR -D_REENTRANT -MD -MQ libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o -MF libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o.d -o libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o -c ../hw/misc/apple_spmi_pmu.c
../hw/misc/apple_spmi_pmu.c:51:25: error: expected ';' after top level declarator
static uint64_t __unused tick_to_ns(AppleSPMIPMUState *p, uint64_t tick)
                        ^
                        ;
../hw/misc/apple_spmi_pmu.c:246:17: error: use of undeclared identifier 'vmstate_apple_spmi_pmu'
    dc->vmsd = &vmstate_apple_spmi_pmu;
                ^
../hw/misc/apple_spmi_pmu.c:248:16: error: use of undeclared identifier 'apple_spmi_pmu_send'; did you mean 'apple_spmi_pmu_create'?
    sc->send = apple_spmi_pmu_send;
               ^~~~~~~~~~~~~~~~~~~
               apple_spmi_pmu_create
/home/nick/qemu-t8030/include/hw/spmi/apple_spmi_pmu.h:9:14: note: 'apple_spmi_pmu_create' declared here
DeviceState *apple_spmi_pmu_create(DTBNode *node);
             ^
../hw/misc/apple_spmi_pmu.c:249:16: error: use of undeclared identifier 'apple_spmi_pmu_recv'; did you mean 'apple_spmi_pmu_create'?
    sc->recv = apple_spmi_pmu_recv;
               ^~~~~~~~~~~~~~~~~~~
               apple_spmi_pmu_create
/home/nick/qemu-t8030/include/hw/spmi/apple_spmi_pmu.h:9:14: note: 'apple_spmi_pmu_create' declared here
DeviceState *apple_spmi_pmu_create(DTBNode *node);
             ^
../hw/misc/apple_spmi_pmu.c:250:19: error: use of undeclared identifier 'apple_spmi_pmu_command'; did you mean 'apple_spmi_pmu_create'?
    sc->command = apple_spmi_pmu_command;
                  ^~~~~~~~~~~~~~~~~~~~~~
                  apple_spmi_pmu_create
/home/nick/qemu-t8030/include/hw/spmi/apple_spmi_pmu.h:9:14: note: 'apple_spmi_pmu_create' declared here
DeviceState *apple_spmi_pmu_create(DTBNode *node);
             ^
5 errors generated.
[1159/2860] Compiling C object libcommon.fa.p/hw_misc_apple_mbox.c.o
../hw/misc/apple_mbox.c:838:53: warning: format specifies type 'unsigned long long' but the argument has type 'uint64_t' (aka 'unsigned long') [-Wformat]
                                     s->role, addr, ret);
                                                    ^~~
/home/nick/qemu-t8030/include/qemu/log.h:120:30: note: expanded from macro 'qemu_log_mask'
            qemu_log(FMT, ## __VA_ARGS__);              \
                     ~~~     ^~~~~~~~~~~
1 warning generated.

Nick Chan

FAILED: libcommon.fa.p/hw_block_apple_ans.c.o

I was compiling this to try it out myself, but then after a while of compilation, it gave out this error:

FAILED: libcommon.fa.p/hw_block_apple_ans.c.o 
cc -Ilibcommon.fa.p -I../capstone/include/capstone -I/usr/include/pixman-1 -I/usr/include/libpng16 -I/usr/include/p11-kit-1 -I/usr/include/SDL2 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/sysprof-4 -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/gio-unix-2.0 -I/usr/local/include -I/usr/include/slirp -I/usr/include/gtk-3.0 -I/usr/include/pango-1.0 -I/usr/include/harfbuzz -I/usr/include/freetype2 -I/usr/include/fribidi -I/usr/include/cairo -I/usr/include/lzo -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/cloudproviders -I/usr/include/atk-1.0 -I/usr/include/at-spi2-atk/2.0 -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -I/usr/include/at-spi-2.0 -I/usr/include/vte-2.91 -I/usr/include/virgl -I/usr/include/cacard -I/usr/include/nss -I/usr/include/nspr -I/usr/include/libusb-1.0 -fdiagnostics-color=auto -Wall -Winvalid-pch -Werror -std=gnu11 -O2 -g -isystem /home/porya/qemu-t8030/linux-headers -isystem linux-headers -iquote . -iquote /home/porya/qemu-t8030 -iquote /home/porya/qemu-t8030/include -iquote /home/porya/qemu-t8030/disas/libvixl -iquote /home/porya/qemu-t8030/tcg/i386 -pthread -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -m64 -mcx16 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fno-common -fwrapv -Wold-style-declaration -Wold-style-definition -Wtype-limits -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wempty-body -Wnested-externs -Wendif-labels -Wexpansion-to-defined -Wimplicit-fallthrough=2 -Wno-missing-include-dirs -Wno-shift-negative-value -Wno-psabi -fstack-protector-strong -fPIE -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=600 -DNCURSES_WIDECHAR -D_REENTRANT -Wno-undef -DSTRUCT_IOVEC_DEFINED -MD -MQ libcommon.fa.p/hw_block_apple_ans.c.o -MF libcommon.fa.p/hw_block_apple_ans.c.o.d -o libcommon.fa.p/hw_block_apple_ans.c.o -c ../hw/block/apple_ans.c
../hw/block/apple_ans.c: In function ‘apple_ans_create’:
../hw/block/apple_ans.c:141:9: error: unused variable ‘i’ [-Werror=unused-variable]
  141 |     int i;
      |         ^
cc1: all warnings being treated as errors
ninja: build stopped: subcommand failed.
make: *** [Makefile:156: run-ninja] Error 1

No idea what could've caused this

libiosexec does not work

libiosexec - an execve shim to allow executing shell scripts on ios
libiosexec does not work here - it is almost like it isn't there
iOS version: 14.3 with RELEASE kernel - so it definitely works on a real device (can also be reproduced with research kernels though)
In fact this could also be reproduced on an iOS 15.3.1 arm64eCustomerRamDisk with research kernels

bootstrap tarball
To reproduce
From a bash linked with libiosexec (/bin/bash will do), execute /usr/bin/apt-key (or any other script)

shell output:
bash: /usr/bin/apt-key: /bin/sh: bad interpreter: No such file or directory

dmesg output
[ 286.963467]: System Policy: bash(231) deny(1) process-exec-interpreter /usr/bin/dash
For some reason the shebang exec ended up being passed to the kernel, even with libiosexec.

Note: I am not asking for a shebang exec kernel patch here - libiosexec is supposed to work around that. There is something else that prevents it from working. (although a shebang exec kernel patch will still fix my apparent issue)

boot command:

${HOME}/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=038-83075-083.dmg.trustcache.out,ticket-filename=root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb DeviceTree.n104ap.im4p \
-append "-v launchd_missing_exec_no_panic=1 serial=3 keepsyms=1 launchd_unsecure_cache=1" \
-initrd '038-83075-083.dmg.out' \
-cpu max -smp 4 \
-m 2G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait
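
For context on the report above, an added example (not part of the original issue and not libiosexec's own code): a minimal user-space shebang resolver in C of the kind an execve shim relies on, so that the kernel is asked to exec the interpreter binary rather than the script. The names `parse_shebang`, `build_interp_argv`, `shim_execve` and the 512-byte line cap are assumptions, and the rest of the `#!` line is kept as a single optional argument.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SHEBANG_MAX 512 /* assumed cap on the first line (example value) */

struct shebang {
    char interp[SHEBANG_MAX]; /* interpreter path from the "#!" line */
    char arg[SHEBANG_MAX];    /* rest of the line, "" if none */
};

/* Returns 1 and fills *out for a "#!" script, 0 if the file is not one
 * (or its first line is unusable), -1 if the file cannot be read. */
int parse_shebang(const char *path, struct shebang *out)
{
    char line[SHEBANG_MAX];
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t n = fread(line, 1, sizeof(line) - 1, f);
    fclose(f);
    line[n] = '\0';
    if (n < 2 || line[0] != '#' || line[1] != '!')
        return 0; /* native binary or plain data */

    size_t eol = strcspn(line, "\r\n");
    if (line[eol] == '\0' && n == sizeof(line) - 1)
        return 0; /* line did not fit: refuse to exec a truncated path */
    line[eol] = '\0';

    char *p = line + 2;
    p += strspn(p, " \t");
    size_t ilen = strcspn(p, " \t");
    if (ilen == 0)
        return 0; /* "#!" with no interpreter */
    memcpy(out->interp, p, ilen);
    out->interp[ilen] = '\0';

    p += ilen;
    p += strspn(p, " \t");
    size_t alen = strlen(p);
    while (alen > 0 && (p[alen - 1] == ' ' || p[alen - 1] == '\t'))
        alen--; /* trim trailing blanks */
    memcpy(out->arg, p, alen);
    out->arg[alen] = '\0';
    return 1;
}

/* Builds { interp, [arg], script, argv[1..], NULL }. The vector is
 * malloc'd; its strings are borrowed from sb, path and argv. */
char **build_interp_argv(const struct shebang *sb, const char *path,
                         char *const argv[])
{
    size_t argc = 0, i = 0;
    while (argv && argv[argc])
        argc++;
    char **v = calloc(argc + 4, sizeof(*v));
    if (!v)
        return NULL;
    v[i++] = (char *)sb->interp;
    if (sb->arg[0])
        v[i++] = (char *)sb->arg;
    v[i++] = (char *)path;
    for (size_t j = 1; j < argc; j++)
        v[i++] = argv[j];
    v[i] = NULL;
    return v;
}

/* Drop-in for execve(): scripts are started by exec'ing the interpreter
 * directly; anything else is handed to the kernel unchanged. */
int shim_execve(const char *path, char *const argv[], char *const envp[])
{
    struct shebang sb;
    if (parse_shebang(path, &sb) != 1)
        return execve(path, argv, envp);
    char **v = build_interp_argv(&sb, path, argv);
    if (!v)
        return -1;
    execve(sb.interp, v, envp); /* only returns on failure */
    free(v);
    return -1;
}

int main(int argc, char **argv)
{
    struct shebang sb;
    if (argc < 2 || parse_shebang(argv[1], &sb) != 1) {
        fprintf(stderr, "usage: %s <script>\n", argv[0]);
        return 1;
    }
    char **v = build_interp_argv(&sb, argv[1], argv + 1);
    for (size_t i = 0; v && v[i]; i++)
        printf("argv[%zu] = %s\n", i, v[i]);
    free(v);
    return 0;
}
```

A shim like this only takes effect for callers that actually go through it; a direct `execve()` of the script still leaves the `#!` resolution to the kernel.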

FAILED: libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o

Hello, it's me again,

I tried the other documentation, and it was successful until some time later only. It got stuck on another module this time:

FAILED: libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o 
cc -Ilibcommon.fa.p -I/usr/include/pixman-1 -I/usr/include/libpng16 -I/usr/include/p11-kit-1 -I/usr/include/SDL2 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/sysprof-4 -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/gio-unix-2.0 -I/usr/local/include -I/usr/include/slirp -I/usr/include/gtk-3.0 -I/usr/include/pango-1.0 -I/usr/include/harfbuzz -I/usr/include/freetype2 -I/usr/include/fribidi -I/usr/include/cairo -I/usr/include/lzo -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/cloudproviders -I/usr/include/atk-1.0 -I/usr/include/at-spi2-atk/2.0 -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -I/usr/include/at-spi-2.0 -I/usr/include/vte-2.91 -I/usr/include/virgl -I/usr/include/cacard -I/usr/include/nss -I/usr/include/nspr -I/usr/include/libusb-1.0 -fdiagnostics-color=auto -Wall -Winvalid-pch -std=gnu11 -O2 -g -isystem /home/porya/qemu-t8030/linux-headers -isystem linux-headers -iquote . -iquote /home/porya/qemu-t8030 -iquote /home/porya/qemu-t8030/include -iquote /home/porya/qemu-t8030/disas/libvixl -iquote /home/porya/qemu-t8030/tcg/i386 -pthread -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -m64 -mcx16 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fno-common -fwrapv -Wold-style-declaration -Wold-style-definition -Wtype-limits -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wempty-body -Wnested-externs -Wendif-labels -Wexpansion-to-defined -Wimplicit-fallthrough=2 -Wno-missing-include-dirs -Wno-shift-negative-value -Wno-psabi -fstack-protector-strong -fPIE -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=600 -DNCURSES_WIDECHAR -D_REENTRANT -Wno-undef -DSTRUCT_IOVEC_DEFINED -MD -MQ libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o -MF libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o.d -o libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o -c ../hw/misc/apple_spmi_pmu.c
../hw/misc/apple_spmi_pmu.c:51:26: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘tick_to_ns’
   51 | static uint64_t __unused tick_to_ns(AppleSPMIPMUState *p, uint64_t tick)
      |                          ^~~~~~~~~~
[1349/3071] Compiling C object libcommon.fa.p/hw_misc_aspeed_xdma.c.o
[1350/3071] Compiling C object libcommon.fa.p/hw_misc_nrf51_rng.c.o
[1351/3071] Compiling C object libcommon.fa.p/hw_misc_msf2-sysreg.c.o
[1352/3071] Compiling C object libcommon.fa.p/hw_misc_aspeed_sdmc.c.o
[1353/3071] Compiling C object libcommon.fa.p/hw_misc_aspeed_scu.c.o
[1354/3071] Compiling C object libcommon.fa.p/hw_net_ne2000-pci.c.o
[1355/3071] Compiling C object libcommon.fa.p/hw_misc_apple_smc.c.o
../hw/misc/apple_smc.c: In function ‘smc_key_mbse_write’:
../hw/misc/apple_smc.c:238:10: warning: multi-character character constant [-Wmultichar]
  238 |     case 'off1':
      |          ^~~~~~
../hw/misc/apple_smc.c:241:10: warning: multi-character character constant [-Wmultichar]
  241 |     case 'susp':
      |          ^~~~~~
../hw/misc/apple_smc.c:251:10: warning: multi-character character constant [-Wmultichar]
  251 |     case 'rest':
      |          ^~~~~~
../hw/misc/apple_smc.c:254:10: warning: multi-character character constant [-Wmultichar]
  254 |     case 'slpw':
      |          ^~~~~~
../hw/misc/apple_smc.c: In function ‘smc_key_nesn_write’:
../hw/misc/apple_smc.c:281:14: warning: unused variable ‘p’ [-Wunused-variable]
  281 |     uint8_t *p = (uint8_t *)payload;
      |              ^
../hw/misc/apple_smc.c: In function ‘apple_smc_handle_key_endpoint’:
../hw/misc/apple_smc.c:354:34: warning: taking address of packed member of ‘struct key_response’ may result in an unaligned pointer value [-Waddress-of-packed-member]
  354 |             bswap32s((uint32_t *)r.response);
      |                                  ^
../hw/misc/apple_smc.c: In function ‘apple_smc_create’:
../hw/misc/apple_smc.c:428:9: warning: unused variable ‘i’ [-Wunused-variable]
  428 |     int i;
      |         ^
../hw/misc/apple_smc.c: In function ‘apple_smc_realize’:
../hw/misc/apple_smc.c:529:28: warning: multi-character character constant [-Wmultichar]
  529 |     smc_create_key_func(s, '#KEY', 4, bswap32('ui32'), SMC_ATTR_LITTLE_ENDIAN,
      |                            ^~~~~~
../hw/misc/apple_smc.c:529:47: warning: multi-character character constant [-Wmultichar]
  529 |     smc_create_key_func(s, '#KEY', 4, bswap32('ui32'), SMC_ATTR_LITTLE_ENDIAN,
      |                                               ^~~~~~
../hw/misc/apple_smc.c:532:23: warning: multi-character character constant [-Wmultichar]
  532 |     smc_create_key(s, 'CLKH', 8, 0x7b636c68, SMC_ATTR_LITTLE_ENDIAN, data);
      |                       ^~~~~~
../hw/misc/apple_smc.c:535:23: warning: multi-character character constant [-Wmultichar]
  535 |     smc_create_key(s, 'RGEN', 1, bswap32('ui8 '), SMC_ATTR_LITTLE_ENDIAN, data);
      |                       ^~~~~~
../hw/misc/apple_smc.c:535:42: warning: multi-character character constant [-Wmultichar]
  535 |     smc_create_key(s, 'RGEN', 1, bswap32('ui8 '), SMC_ATTR_LITTLE_ENDIAN, data);
      |                                          ^~~~~~
../hw/misc/apple_smc.c:538:23: warning: multi-character character constant [-Wmultichar]
  538 |     smc_create_key(s, 'aDC#', 4, bswap32('ui32'), SMC_ATTR_LITTLE_ENDIAN, &value);
      |                       ^~~~~~
../hw/misc/apple_smc.c:538:42: warning: multi-character character constant [-Wmultichar]
  538 |     smc_create_key(s, 'aDC#', 4, bswap32('ui32'), SMC_ATTR_LITTLE_ENDIAN, &value);
      |                                          ^~~~~~
../hw/misc/apple_smc.c:540:28: warning: multi-character character constant [-Wmultichar]
  540 |     smc_create_key_func(s, 'MBSE', 4, bswap32('hex_'), SMC_ATTR_LITTLE_ENDIAN,
      |                            ^~~~~~
../hw/misc/apple_smc.c:540:47: warning: multi-character character constant [-Wmultichar]
  540 |     smc_create_key_func(s, 'MBSE', 4, bswap32('hex_'), SMC_ATTR_LITTLE_ENDIAN,
      |                                               ^~~~~~
../hw/misc/apple_smc.c:543:28: warning: multi-character character constant [-Wmultichar]
  543 |     smc_create_key_func(s, 'LGPB', 1, bswap32('flag'), SMC_ATTR_LITTLE_ENDIAN,
      |                            ^~~~~~
../hw/misc/apple_smc.c:543:47: warning: multi-character character constant [-Wmultichar]
  543 |     smc_create_key_func(s, 'LGPB', 1, bswap32('flag'), SMC_ATTR_LITTLE_ENDIAN,
      |                                               ^~~~~~
../hw/misc/apple_smc.c:545:28: warning: multi-character character constant [-Wmultichar]
  545 |     smc_create_key_func(s, 'LGPE', 1, bswap32('flag'), SMC_ATTR_LITTLE_ENDIAN,
      |                            ^~~~~~
../hw/misc/apple_smc.c:545:47: warning: multi-character character constant [-Wmultichar]
  545 |     smc_create_key_func(s, 'LGPE', 1, bswap32('flag'), SMC_ATTR_LITTLE_ENDIAN,
      |                                               ^~~~~~
../hw/misc/apple_smc.c:547:28: warning: multi-character character constant [-Wmultichar]
  547 |     smc_create_key_func(s, 'NESN', 4, bswap32('hex_'), SMC_ATTR_LITTLE_ENDIAN,
      |                            ^~~~~~
../hw/misc/apple_smc.c:547:47: warning: multi-character character constant [-Wmultichar]
  547 |     smc_create_key_func(s, 'NESN', 4, bswap32('hex_'), SMC_ATTR_LITTLE_ENDIAN,
      |                                               ^~~~~~
At top level:
../hw/misc/apple_smc.c:415:13: warning: ‘apple_smc_set_irq’ defined but not used [-Wunused-function]
  415 | static void apple_smc_set_irq(void *opaque, int irq_num, int level)
      |             ^~~~~~~~~~~~~~~~~
../hw/misc/apple_smc.c:213:16: warning: ‘smc_key_copy_write’ defined but not used [-Wunused-function]
  213 | static uint8_t smc_key_copy_write(AppleSMCState *s, smc_key *k,
      |                ^~~~~~~~~~~~~~~~~~
[1356/3071] Compiling C object libcommon.fa.p/hw_net_ne2000.c.o
[1357/3071] Compiling C object libcommon.fa.p/hw_misc_apple_mbox.c.o
In file included from ../hw/misc/apple_mbox.c:3:
../hw/misc/apple_mbox.c: In function ‘apple_mbox_iop_reg_read’:
../hw/misc/apple_mbox.c:836:38: warning: format ‘%llx’ expects argument of type ‘long long unsigned int’, but argument 4 has type ‘uint64_t’ {aka ‘long unsigned int’} [-Wformat=]
  836 |             qemu_log_mask(LOG_UNIMP, "%s: AppleA7IOP AKF unknown IOP reg READ @ 0x"
      |                                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  837 |                                      TARGET_FMT_plx " ret: 0x%08llx\n",
  838 |                                      s->role, addr, ret);
      |                                                     ~~~
      |                                                     |
      |                                                     uint64_t {aka long unsigned int}
/home/porya/qemu-t8030/include/qemu/log.h:120:22: note: in definition of macro ‘qemu_log_mask’
  120 |             qemu_log(FMT, ## __VA_ARGS__);              \
      |                      ^~~
[1358/3071] Compiling C object libcommon.fa.p/hw_net_pcnet-pci.c.o
[1359/3071] Compiling C object libcommon.fa.p/hw_misc_apple_aes.c.o
../hw/misc/apple_aes.c: In function ‘key_mode’:
../hw/misc/apple_aes.c:92:1: warning: control reaches end of non-void function [-Wreturn-type]
   92 | }
      | ^
[1360/3071] Compiling C object libcommon.fa.p/hw_net_eepro100.c.o
[1361/3071] Compiling C object libcommon.fa.p/hw_net_pcnet.c.o
[1362/3071] Compiling C object libcommon.fa.p/hw_net_e1000.c.o
[1363/3071] Compiling C object libcommon.fa.p/hw_display_cirrus_vga.c.o
ninja: build stopped: subcommand failed.
make: *** [Makefile:156: run-ninja] Error 1
