Shennaitong-wangchao/HackinBoot

GitHub: Shennaitong-wangchao/HackinBoot

Stars: 0 | Forks: 0

# HackinBoot

HackinBoot is a research-oriented ARM EL2 hypervisor prototype for exploring how Apple Silicon early-boot hardware assumptions can be trapped and modeled in QEMU or a generic ARM virtualization environment.

This repository does not contain Apple proprietary kernels, firmware, restore images, kexts, or system images. Local experiments may use lawful, user-obtained artifacts, but those artifacts must never be committed or redistributed here.

## Current Milestone

The current public baseline reaches XNU early serial output in QEMU and has reproduced the following banner:

```
>>> GUEST OUTPUT START >>>
Darwin Kernel Version 23.5.0: Wed May 1 20:16:51 PDT 2024; root:xnu-10063.121.3~5/RELEASE_ARM64_T8103
```

That milestone is documented in [docs/PHASE3_6_4_FIRST_OUTPUT.md](docs/PHASE3_6_4_FIRST_OUTPUT.md). A clean bilingual reproduction guide is available at [docs/REPRODUCE_DARWIN_VERSION.md](docs/REPRODUCE_DARWIN_VERSION.md).

## Scope

- EL2 entry, exception vectors, and ERET into an EL1 guest.
- Stage-2 mapping, permission repair for bring-up, and MMIO trap dispatch.
- Apple-like UART, AIC, timer, DART, PMGR, SMC, and sysreg stubs.
- Fake Apple Device Tree and boot arguments sufficient for early XNU bring-up research.
- Mach-O64 metadata parsing, mapping, and local-only kernelcache loading for lawful fixtures.

This is not a production bootloader, not a supported way to run macOS, and not an Apple security-bypass toolkit.

## Quick Start

Run the synthetic-payload QEMU test suite first:

```sh
cd hypervisor
make
make test-all
```

On Ubuntu, use the cross toolchain packaged by the distribution:

```sh
sudo apt-get update
sudo apt-get install -y build-essential gcc-aarch64-linux-gnu binutils-aarch64-linux-gnu qemu-system-arm
cd hypervisor
CROSS_COMPILE=aarch64-linux-gnu- make test-all
```

To reproduce the Darwin banner locally, follow the steps in docs/REPRODUCE_DARWIN_VERSION.md.

## Repository Layout

```
hypervisor/   QEMU EL2 research prototype and guest payload tests
docs/         Architecture notes, phase reports, debugging guides, and reproduction docs
tools/        Local helper scripts; generated Apple artifacts are ignored
src/          Open-source reference trees used as local research context
```

## Documentation

- [docs/README.md](docs/README.md) - bilingual documentation index
- [docs/REPRODUCE_DARWIN_VERSION.md](docs/REPRODUCE_DARWIN_VERSION.md) - Darwin banner reproduction
- [docs/OPEN_SOURCE_RELEASE.md](docs/OPEN_SOURCE_RELEASE.md) - release and maintainer checklist
- [docs/LEGAL_AND_ETHICS.md](docs/LEGAL_AND_ETHICS.md) - legal, ethics, and artifact policy
- [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md) - architecture notes
- [docs/TRAP_MATRIX.md](docs/TRAP_MATRIX.md) - trap and stub matrix
- [docs/DEBUGGING.md](docs/DEBUGGING.md) - debugging guide
- [docs/ROADMAP.md](docs/ROADMAP.md) - roadmap
- [docs/LIMITATIONS.md](docs/LIMITATIONS.md) - limitations
- [docs/CONTRIBUTING.md](docs/CONTRIBUTING.md) - contribution rules

## Compliance Boundary

- Use open-source references and lawful user-provided artifacts only.
- Do not fetch, commit, publish, or redistribute proprietary Apple binaries.
- Keep `tools/kernelcache.macho`, IPSW files, logs, and local extraction work directories ignored.
- Respect each reference tree's license; the top-level MIT license only covers HackinBoot original code and documentation unless a file states otherwise.

## License

HackinBoot original code and documentation are released under the MIT License. Vendored or copied open-source reference trees keep their original licenses; see [THIRD_PARTY.md](THIRD_PARTY.md).