Can Linux really run on iPhone?
Linux on iPhone. It sounds strange and out of place, but this is not even the first time it has happened. Android, which runs a Linux kernel at its core, has been booted on iPhone twice before. The first time was via OpeniBoot, in a project called iDroid back in the iPod Touch 1st Generation era; the second time was in 2020, when the amazing Corellium team's Project Sandcastle brought modern Android to modern Apple hardware (iPhone 7 Plus, etc.).
But today's article is not about those. It's about developer Konrad Dybcio's Linux on iPhone achievement, as shared by Ptrace Security GmbH. Over the past two years, this developer has been working toward a fully functional Linux on their iOS devices.
Konrad Dybcio has posted a complete writeup documenting their journey trying to get Linux to work on Apple devices, so fortunately the path is now much clearer for anyone willing to tackle this kind of project themselves.
Getting Linux on iPhone is not as simple as it sounds. iOS devices have a protected, locked boot chain that is verified at every step. The SecureROM / BootROM, which is burned straight into the silicon and cannot be changed, checks iBoot, which is part of the iOS firmware. If everything checks out, iBoot loads the iOS kernel and the boot process eventually finishes once you're on the lock screen / home screen.
Any modification to any of the boot chain files would be detected by the SecureROM, and the device would immediately panic and refuse to continue. Unlike on a PC, you can't just press F8 and boot from a Linux USB drive.
Even if you could boot from USB on an iPhone, Linux has no idea whatsoever about the components inside the iPhone. Sure, Linux for ARM CPUs exists, but not for Apple's SoCs. The device tree is entirely different, and Linux would have no drivers for the majority of Apple's components inside the iPhone. So how did they pull off this stunt?
Before we start, here is the list of devices the project currently supports:
Before we start, here’s the project compatibility:
- iPhone 5S
- iPad Air and Air 2
- iPad Mini 2 and Mini 3
- iPhone 6 / 6 Plus
- iPod Touch 6
- iPad Mini 4
How To Run Linux on iPhone / iPad & How They Achieved This
Enter CheckRa1n. Back in late 2019, security researcher @axi0mX shocked the world with their release of checkm8, a fully functional SecureROM / BootROM exploit for A11 devices and older. This exploit supported iPhone X and everything older than that.
The best part? This exploit could not be patched by Apple without a new chip because as we mentioned earlier, BootROM is burned into the Silicon and it cannot be updated.
It was thanks to this exploit that the CheckRa1n team was formed. They started building the CheckRa1n jailbreak and, most importantly, PongoOS, a pre-boot execution environment for Apple devices built on top of checkra1n.
Project Sandcastle, the famous Android on iPhone stunt from back in 2020, was built on top of PongoOS because, thanks to the checkm8 exploit, you could now run anything you wanted. Any check the boot chain would perform could easily be bypassed or turned off.
If you didn't mind having a fully tethered boot, you could even modify the kernel itself and load a custom one.
This is where Konrad Dybcio sat down and took notes. After multiple failed attempts to get Linux to boot on their iPhone, they combed through the PongoOS code until it finally clicked: the bootr (boot a raw image) and bootl (boot a Linux image) commands that are part of PongoOS actually behave differently.
After figuring out the proper entry point for Linux, they finally managed to see Linux booting on their device.
How we got Linux on the iPhone, iPad and other iDevices https://t.co/9USjf5eRWl #MobileSecurity #iOSsecurity #Infosec pic.twitter.com/qaHTktbbOn
— Ptrace Security GmbH (@ptracesecurity) June 10, 2022
This was not an easy feat!
I make it sound easy, right? Just audit PongoOS and see how Project Sandcastle managed to do it, right? Not really. The CheckRa1n team is an amazingly talented team that has managed to pull off the biggest hacks in history on modern iOS devices, but their code is a pain to read.
Both PongoOS and Corellium's Project Sandcastle are full of undocumented low-level assembler code. Formatting and cleaning their code was not a priority, so making sense of what goes on behind the scenes in PongoOS is actually pretty darn difficult.
Konrad Dybcio made three separate attempts over the past two years to get Linux working on their iPhone, but no matter what they tried, the whole thing would stop at enable_mmu. (MMU stands for Memory Management Unit, by the way.)
They shelved the project multiple times and came back to it only to hit roadblocks again. It was only after they finally understood how PongoOS works that they managed to get past the enable_mmu issue and boot Linux.
I tried doing a couple more things around enabling MMU that I don’t even quite remember now, but to no avail.
While I only have blurry recollections of what I did in this stage, I recall that I often came back to it and put the device back into the drawer again and again. – Konrad Dybcio
Of course, the work was not done yet. Just because the boot process starts doesn't mean you have a fully functional Linux.
They continued their journey by hacking the AIC driver to add support for A7-A8X as well as A9-A11 SoCs, and by creating device trees for A7-A8X devices. That was necessary because, as I said at the beginning of this article, Linux has no idea what the iPhone's components are; it has no built-in drivers for them.
How to run Linux on your iPhone
Thanks to Konrad Dybcio, you can now easily try this yourself by following the instructions in their writeup which read as follows:
- Get pongoOS from Dybcio’s fork (Unfortunately, you can only checkm8 A7 devices on macOS currently – iPhone 5S for example).
- Get Dybcio’s fork of Linux.
- Get Corellium’s dtbpack script and change the DTBPATH to arch/arm64/boot/dts/apple/socname-devicename.dtb
The security researcher has also posted the necessary script to boot Linux on your iPhone after you have all the components mentioned above.
# Build pongoOS
make -j$(nproc) # yes, it's that simple

# Load custom pongoOS with checkra1n
macOS: /Applications/checkra1n.app/Contents/MacOS/checkra1n -v -V -p -c -k /path/to/pongoOS/build/Pongo.bin
Linux: ./checkra1n -v -V -p -c -k /path/to/pongoOS/build/Pongo.bin

# Build Image.lzma and Flattened Device Trees (this assumes you adjusted your defconfig)
arm64: make -j$(nproc) Image.lzma dtbs
!arm64: make ARCH=arm64 CROSS_COMPILE=your-cross-compiler- -j$(nproc) Image.lzma dtbs

# Create a dtbpack
cd /path/to/linux-apple
/path/to/dtbpack.sh

# Load Linux to the device and boot it!
python3 /path/to/pongoOS/scripts/load_linux.py -k /path/to/linux-apple/arch/arm64/boot/Image.lzma -d /path/to/linux-apple/dtbpack [-r /path/to/some/ramdisk]
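A pre-flight check worth running on the .dtb you built in the steps above before it goes into the dtbpack and on to load_linux.py: this added Python example (my own, not part of Dybcio's writeup or the pongoOS scripts) parses the flattened device tree header and structure block and confirms that the root "compatible" list names the device you are about to boot, so a DTB built for the wrong SoC is caught on the host rather than as a silent hang on the phone. The build_sample_dtb helper and the model and compatible strings it uses are constructed sample input, not a real Apple device tree.

```python
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9

def fdt_root_props(dtb: bytes) -> dict:
    """Parse a flattened device tree (FDT v17+) and return the root node's raw properties."""
    magic, totalsize, off_struct, off_strings, _, version = struct.unpack_from(">6I", dtb)
    if magic != FDT_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}: not a DTB")
    if totalsize > len(dtb) or version < 17:
        raise ValueError(f"truncated file or unsupported FDT version {version}")
    props, pos, depth = {}, off_struct, 0
    while True:
        tok = struct.unpack_from(">I", dtb, pos)[0]
        pos += 4
        if tok == FDT_BEGIN_NODE:               # NUL-terminated node name, padded to 4 bytes
            pos = (dtb.index(b"\0", pos) + 4) & ~3
            depth += 1
        elif tok == FDT_PROP:                   # u32 len, u32 name offset, then value + padding
            length, nameoff = struct.unpack_from(">II", dtb, pos)
            pos += 8
            if depth == 1:                      # keep only the root node's properties
                name = dtb[off_strings + nameoff:dtb.index(b"\0", off_strings + nameoff)]
                props[name.decode()] = dtb[pos:pos + length]
            pos = (pos + length + 3) & ~3
        elif tok == FDT_END_NODE:
            depth -= 1
        elif tok == FDT_END:
            return props
        elif tok != FDT_NOP:
            raise ValueError(f"corrupt structure block: token {tok} at offset {pos - 4}")

def dtb_matches_device(dtb: bytes, expected: str) -> bool:
    """True when the root "compatible" list names the device about to be booted."""
    compat = fdt_root_props(dtb).get("compatible", b"").split(b"\0")
    return expected.encode() in compat

def build_sample_dtb(model: str, compatible: list) -> bytes:
    # Constructed minimal FDT v17 with a root node only: sample input, not a real Apple DTB.
    strings = b"model\0compatible\0"                       # name offsets 0 and 6
    def prop(nameoff, value):
        return struct.pack(">III", FDT_PROP, len(value), nameoff) + value + b"\0" * (-len(value) % 4)
    body = (struct.pack(">I4s", FDT_BEGIN_NODE, b"")        # root node has an empty name
            + prop(0, model.encode() + b"\0")
            + prop(6, b"".join(c.encode() + b"\0" for c in compatible))
            + struct.pack(">II", FDT_END_NODE, FDT_END))
    off_struct, off_strings = 56, 56 + len(body)            # 40-byte header + 16-byte empty rsvmap
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct, off_strings,
                         40, 17, 16, 0, len(strings), len(body))
    return header + b"\0" * 16 + body + strings
```

To check a real build, read arch/arm64/boot/dts/apple/socname-devicename.dtb into bytes and call dtb_matches_device with the compatible string from that .dts file.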
You can help with this project too
If you have an iOS device, you can help Konrad Dybcio by dumping the ADT from it. They have provided instructions on how to do that here. You can also donate crypto to support the developer.
Feel free to play with this project if you have a compatible device (iPhone 5S for example). You can find Konrad Dybcio’s full write-up on their website.