This talk presents QEMU-iOS, an open-source emulator of legacy Apple devices. I outline the process of emulating an iPod Touch 2G, discussing the technical challenges and reverse engineering methodologies applied. The talk starts with an overview of the project's goals and then outlines the reverse engineering process, utilizing tools like Ghidra for disassembling the Apple bootloader, XNU kernel, and other binaries. Then, I describe QEMU, a popular framework for emulation, and show how essential iPod Touch peripherals such as the touchscreen, storage, and display have been implemented. Finally, this talk touches upon the implications of open-sourcing this project, its contribution to the emulation and reverse engineering landscape, and its potential for future efforts to emulate newer Apple devices.
During the past decades, Apple has created iconic devices that have found a place in the hands and hearts of millions of people around the world. As many of these devices have become obsolete, the importance of preserving their digital essence has grown. The emulation of legacy devices with software allows enthusiasts and researchers to explore and interact with them long after the original hardware has ceased to be available. Emulation, therefore, allows the digital preservation of obsolete hardware, ensuring these devices are accessible to future generations.
This talk describes a multi-year project named QEMU-iOS that lays the groundwork for emulating legacy Apple devices. In particular, we have focussed on emulating the iPod Touch 2G using QEMU, an open-source framework for hardware emulation. Yet, even emulating an old device with a few peripherals compared to contemporary devices is challenging since the specifications and inner workings of many peripherals are proprietary and completely undocumented.
The talk first describes the overall project motivation, goals, and vision. Then, I will discuss the reverse engineering process where multiple undocumented peripherals of the iPod Touch have been analyzed to understand and replicate their specifications in software. A key talking point will be the working of essential peripherals, including the cryptographic engines, the LCD, the Flash memory controller, various hardware communication protocols, the touchscreen driver, and other peripherals. The talk will also detail the booting procedure of the iPod Touch, elaborating on the emulation of the iBoot bootloader, the XNU kernel, and the Springboard application in iOS. Getting the boot chain up and running required extensive debugging efforts using powerful reverse engineering tools such as Ghidra to disassemble and analyze all essential binaries in the boot procedure. After outlining the reverse engineering process, I will present the implementation of QEMU-iOS, which entails a functional emulator that boots the iOS operating system, renders the display, and responds to touches on the screen.
The final part of this talk will touch upon the implications of open-sourcing this project, its contribution to the broader emulation and reverse engineering landscape, and the potential it holds for future efforts in emulating other legacy Apple devices, as well as the viability of emulating newer devices with advanced peripherals such as the Neural Engine. I will also discuss existing approaches, highlight where QEMU-iOS differs, and summarize the lessons learned while emulating these devices.
This talk is designed for a wide range of people, whether you are new to reverse engineering and emulation or have experience in these fields. The goal is to explain the technical challenges faced during this project in a way that's easy for beginners to understand while also providing more in-depth insights I discovered while working on QEMU-iOS. Through this talk, the aim is not only to share the technical knowledge gained from this project but also to explore the merits of emulation and reverse engineering to keep old devices alive.