{"id":4101,"date":"2026-03-02T22:45:15","date_gmt":"2026-03-02T13:45:15","guid":{"rendered":"https:\/\/h4ck.kr\/?p=4101"},"modified":"2026-03-02T22:46:23","modified_gmt":"2026-03-02T13:46:23","slug":"%ec%b5%9c%ea%b7%bc-%ea%b3%b5%ea%b0%9c%eb%90%9c-pcc-%ed%8e%8c%ec%9b%a8%ec%96%b4%ec%9d%98-vphone600ap-%ec%bb%b4%ed%8f%ac%eb%84%8c%ed%8a%b8%eb%a5%bc-%ec%9d%b4%ec%9a%a9%ed%95%98%ec%97%ac-%ea%b0%80","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=4101","title":{"rendered":"\ucd5c\uadfc \uacf5\uac1c\ub41c PCC \ud38c\uc6e8\uc5b4\uc758 VPHONE600AP \ucef4\ud3ec\ub10c\ud2b8\ub97c \uc774\uc6a9\ud558\uc5ec \uac00\uc0c1 \uc544\uc774\ud3f0 \ud658\uacbd \uad6c\ucd95\ud574\ubcf4\uae30"},"content":{"rendered":"\n<div class=\"wp-block-jetpack-markdown\"><h1>\ub3c4\uc6c0\uc8fc\uc2e0 \uace0\ub9c8\uc6b4 \ubd84<\/h1>\n<ul>\n<li><a href=\"https:\/\/github.com\/dlevi309\">dlevi309<\/a> (\uac00\uc0c1 \uc544\uc774\ud3f0\uc5d0\uc11c \ud130\uce58 \uc0c1\ud638\uc791\uc6a9\uc5d0 \ub300\ud55c \uc544\uc774\ub514\uc5b4 \uc81c\uacf5)<\/li>\n<li><a href=\"https:\/\/github.com\/khanhduytran0\">khanhduytran0<\/a>, <a href=\"https:\/\/github.com\/34306\">34306<\/a>, <a href=\"https:\/\/github.com\/asdfugil\">asdfugil<\/a>, <a href=\"https:\/\/github.com\/verygenericname\">verygenericname<\/a> (\uac00\uc0c1 \uc544\uc774\ud3f0 \uad6c\ucd95\ud558\ub294\ub370 \uae30\ud0c0 \uc544\uc774\ub514\uc5b4 \uc81c\uacf5 (Cryptex, Device Activation, Ramdisk \ubd80\ud305 \uad00\ub828 \ub4f1\ub4f1))<\/li>\n<li><a href=\"https:\/\/github.com\/ma4the\">ma4the<\/a>, <a href=\"https:\/\/github.com\/Mardcelo\">Mard<\/a>, <a href=\"https:\/\/github.com\/swollows\">SwallowS<\/a> (\uac00\uc0c1 \uc544\uc774\ud3f0 \uc791\ub3d9 \ud14c\uc2a4\ud2b8)<\/li>\n<\/ul>\n<h1>\ub3d9\uae30<\/h1>\n<p>\uc560\ud50c\uc740 2024\ub144 \ud6c4\ubc18\ucbe4\uc5d0 \ud074\ub77c\uc6b0\ub4dc \uae30\ubc18 AI \uac1c\uc778\uc815\ubcf4 \ubcf4\ud638\ub97c \uc704\ud55c \uc0c8\ub85c\uc6b4 \uc9c0\ud3c9\uc744 \uc5f0\ub2f5\uc2dc\uace0 <a 
href=\"https:\/\/security.apple.com\/blog\/private-cloud-compute\/\">Private Cloud Compute<\/a>\ub97c \uacf5\uac1c\ud558\uae30 \uc2dc\uc791\ud588\ub2e4. \uadf8\ub7ec\ub2e4 2025\ub144 \ud6c4\ubc18\ucbe4\uc5d0 \ud765\ubbf8\ub85c\uc6b4 \uc18c\uc2dd\uc774 \ub4e4\ub824\uc624\ub294\ub370, \uc560\ud50c\uc758 PCC \ud38c\uc6e8\uc5b4\uc5d0 cloudOS 26 \ubc84\uc804\ubd80\ud130 vphone600ap \uad00\ub828 \ucef4\ud3ec\ub10c\ud2b8\uac00 \uc0c8\ub85c \ucd94\uac00\ub418\uc5c8\ub2e4\ub294 \uc810\uc774\ub2e4.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/image.png\" alt=\"\ucd9c\ucc98: https:\/\/x.com\/matteyeux\/status\/2006339694783848660\/photo\/1\"><\/p>\n<p>\ucd9c\ucc98: <a href=\"https:\/\/x.com\/matteyeux\/status\/2006339694783848660\/photo\/1\">https:\/\/x.com\/matteyeux\/status\/2006339694783848660\/photo\/1<\/a><\/p>\n<p><strong>&quot;iPhone Research Environment Virtual Machine&quot;?<\/strong><\/p>\n<p>\uc560\ud50c\uc774 \ucd94\ud6c4 \ub2e4\ub978 \ubcf4\uc548 \uc5f0\uad6c\uc6d0 \ubd84\ub4e4\uc744 \uc704\ud574 \uac00\uc0c1 \uc544\uc774\ud3f0 \ud658\uacbd\uc744 \uad6c\ucd95\ud558\uc5ec \ubc30\ud3ec\ud558\ub824\uace0 \ub9cc\ub4e0 \uacc4\ud68d\uc77c\uae4c, \uc544\ub2c8\uba74 \uc2e4\uc218\uc77c\uae4c? 2021\ub144 iOS 15.0 beta ~ 15.1 beta3 OTA\uc5d0\uc11c DEVELOPMENT\/KASAN \ube4c\ub4dc\uc6a9 \ucee4\ub110\uc774 \ubc1c\uacac\ub41c \uc801\uc774 \uc788\ub294\ub370, \uc2e4\uc218\ud588\uc744 \uac00\ub2a5\uc131\ub3c4 \uc5c6\uc9c0 \uc54a\uc544 \uc788\uc744 \uac83 \uac19\ub2e4. 
\ubc1c\uacac\ub41c \uae30\uac04\uc740 \ub300\ub7b5 2021\ub144 6\uc6d4\ubd80\ud130 10\uc6d4\uae4c\uc9c0, \uc57d 4\uac1c\uc6d4\ub3d9\uc548 \ud3ec\ud568\ub418\uc5b4\uc654\ub2e4.<\/p>\n<p>\uadf8\ub7ec\ub2e4 \uc62c\ud574 1\uc6d4 \ucbe4\uc5d0 vphone600ap \uad00\ub828 \ucef4\ud3ec\ub10c\ud2b8\ub97c \ud65c\uc6a9\ud55c \uac00\uc0c1 \uc544\uc774\ud3f0\uc744 \ub744\uc6b0\ub294 \ud2b8\uc717\uc774 \uacf5\uac1c\ub418\uc5c8\ub2e4.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/Screenshot_2026-02-24_at_7.37.31_PM.png\" alt=\"\ucd9c\ucc98: https:\/\/x.com\/_inside\/status\/2008951845725548783\"><\/p>\n<p>\ucd9c\ucc98: <a href=\"https:\/\/x.com\/_inside\/status\/2008951845725548783\">https:\/\/x.com\/_inside\/status\/2008951845725548783<\/a><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/Screenshot_2026-02-24_at_7.39.03_PM.png\" alt=\"Screenshot 2026-02-24 at 7.39.03\u202fPM.png\"><\/p>\n<p>\ubd24\uc744\ub54c, \uc815\ub9d0 \uac70\uc758 \ubaa8\ub4e0\uac83\ub4e4\uc774 \uc6b0\uc544\ud558\uac8c \uc798 \uc791\ub3d9\ud558\uc600\ub2e4. \uc774\uc804\uc5d0 \ub0b4\uac00 \ubd10\uc654\ub358 <a href=\"https:\/\/github.com\/ChefKissInc\/Inferno\">QEMUAppleSilicon(Inferno) \ud504\ub85c\uc81d\ud2b8<\/a>\uc5d0 \ube44\ud558\uba74 \ud6e8\uc52c \ub354 \ube60\ub9bf\ud558\uace0 \ubd80\ub4dc\ub7fd\uac8c \uc791\ub3d9\ud55c\ub2e4. 
\ub354\uad70\ub2e4\ub098 Metal \uac00\uc18d\ud654\uae4c\uc9c0 \uac00\ub2a5\ud574\ubcf4\uc600\ub2e4.<\/p>\n<p>\uacb0\uad6d \ud604\ud639\ub41c \ub098\uba38\uc9c0 \ub2e4\uc9dc\uace0\uc9dc 1\uc6d4 31\uc77c, \uac00\uc0c1 \uc544\uc774\ud3f0\uc744 \ub9cc\ub4e4\uc5b4\ubcf4\uae30 \uc2dc\uc791\ud588\ub2e4.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/Screenshot_2026-02-24_at_7.46.41_PM.png\" alt=\"Screenshot 2026-02-24 at 7.46.41\u202fPM.png\"><\/p>\n<h1>\uac00\uc0c1 \uc544\uc774\ud3f0\uc744 \ub744\uc6b0\uae30 \uc704\ud574 super-tart \uac1c\uc870\ud558\uae30<\/h1>\n<p>\ucc38\uace0\ud55c \ud504\ub85c\uc81d\ud2b8\ub294 <a href=\"https:\/\/github.com\/apple\/security-pcc\">security-pcc<\/a>\uc774\ub2e4. \/System\/Library\/SecurityResearch\/usr\/bin\/vrevm \ubc14\uc774\ub108\ub9ac\uc758 \uc18c\uc2a4\ucf54\ub4dc\uc640 \ub300\uc751\ub41c\ub2e4. \ud765\ubbf8\ub85c\uc6b4 \uc810\uc740 Virtualization.framework\uc5d0\uc11c \uc81c\uacf5\ub418\ub294 Private \uba54\uc18c\ub4dc\ub97c \uc0ac\uc6a9\ud558\uace0 \uc788\ub2e4. 
PCC \ub9ac\uc11c\uce58\uc5d0 \uc0ac\uc6a9\ub418\ub294 \uac00\uc0c1\uba38\uc2e0\uc5d0\uc11c\ub294 \ud558\ub4dc\uc6e8\uc5b4 \ubaa8\ub378\uc744 \ucd08\uae30\ud654\ud558\ub294 \uacfc\uc815 \uc911 ISA\uc640 PlatformVersion\uc744 \ub530\ub85c \uc9c0\uc815\ud574\uc8fc\ub294 \uac83\uc744 \ubcfc \uc218 \uc788\ub2e4.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/Screenshot_2026-02-24_at_8.27.01_PM.png\" alt=\"Screenshot 2026-02-24 at 8.27.01\u202fPM.png\"><\/p>\n<p>\ubd80\ud2b8\ub86c\uc740 AVPBooter.vresearch1.bin\uc774 \uc0ac\uc6a9\ub418\uace0,(\/System\/Library\/Frameworks\/Virtualization.framework\/Resources\/AVPBooter.vresearch1.bin)<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/Screenshot_2026-02-24_at_8.32.08_PM.png\" alt=\"Screenshot 2026-02-24 at 8.32.08\u202fPM.png\"><\/p>\n<p>SEPROM(avpsepbooter)\uc740 AVPSEPBooter.vresearch1.bin\uc774 \uc0ac\uc6a9\ub418\uba70, <a href=\"https:\/\/developer.apple.com\/documentation\/virtualization\/vzmacplatformconfiguration\/auxiliarystorage\">AuxiliaryStorage<\/a>\uc640 \ube44\uc2b7\ud55c \uc5ed\ud560\uc744 \ud558\ub294 SEPStorage \ud30c\uc77c\uc744 \ubcc4\ub3c4\ub85c \ubd88\ub7ec\uc628\ub2e4.\n(\/System\/Library\/Frameworks\/Virtualization.framework\/Versions\/A\/Resources\/AVPSEPBooter.vresearch1.bin)<\/p>\n<p>\ub610\ub2e4\ub978 \ud765\ubbf8\ub85c\uc6b4 \uc810\uc740 \ud574\uc0c1\ub3c4\ub97c \uc124\uc815\ud558\ub294 \ucf54\ub4dc\ub97c \uc0b4\ud3b4\ubcf4\uba74 1290&#215;2796\uc73c\ub85c, \uc774\ub294 iPhone 14 Pro Max, 15 Plus, 15 Pro Max, 16 Plus \uae30\uae30\uc640 \ub300\uc751\ub41c\ub2e4.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/Screenshot_2026-02-24_at_8.34.11_PM.png\" alt=\"Screenshot 2026-02-24 at 8.34.11\u202fPM.png\"><\/p>\n<p>\uc5ec\uae30\uae4c\uc9c0\uc758 
\uc815\ubcf4\ub9cc\uc73c\ub85c, \ucda9\ubd84\ud788 \uac00\uc0c1 \uc544\uc774\ud3f0\uc744 \ub744\uc6b0\uae30 \uc704\ud574 <a href=\"https:\/\/github.com\/JJTech0130\/super-tart\">super-tart<\/a>\ub97c \uac1c\uc870\ud560 \uc218 \uc788\uc744 \uac83\uc774\ub2e4. \ud544\uc790\ub294 \uc544\ub798\uc640 \uac19\uc774 \uc218\uc815\ud574\uc8fc\uc5c8\ub2e4.<\/p>\n<ul>\n<li>\/Sources\/tart\/VM.swift<\/li>\n<\/ul>\n<pre><code class=\"language-swift\">...\nclass VM: NSObject, VZVirtualMachineDelegate, ObservableObject {\n...\n  \/\/ vzHardwareModel derives the VZMacHardwareModel config specific to the &quot;platform type&quot;\n  \/\/ of the VM (currently only vresearch101 supported)\n  static private func vzHardwareModel_VRESEARCH101() throws -&gt; VZMacHardwareModel {\n    var hw_model: VZMacHardwareModel\n\n    guard let hw_descriptor = _VZMacHardwareModelDescriptor() else {\n      fatalError(&quot;Failed to create hardware descriptor&quot;)\n    }\n    hw_descriptor.setPlatformVersion(3) \/\/ .appleInternal4 = 3\n    hw_descriptor.setBoardID(0x90)\n    hw_descriptor.setISA(2)\n    hw_model = VZMacHardwareModel._hardwareModel(withDescriptor: hw_descriptor)\n\n    guard hw_model.isSupported else {\n        fatalError(&quot;VM hardware config not supported (model.isSupported = false)&quot;)\n    }\n\n    return hw_model\n  }\n\n  static func craftConfiguration(\n    diskURL: URL,\n    nvramURL: URL,\n    romURL: URL,\n    sepromURL: URL? = nil,\n    vmConfig: VMConfig,\n    network: Network = NetworkShared(),\n    additionalStorageDevices: [VZStorageDeviceConfiguration],\n    directorySharingDevices: [VZDirectorySharingDeviceConfiguration],\n    serialPorts: [VZSerialPortConfiguration],\n    suspendable: Bool = false,\n    nested: Bool = false,\n    audio: Bool = true,\n    clipboard: Bool = true,\n    sync: VZDiskImageSynchronizationMode = .full,\n    caching: VZDiskImageCachingMode? 
= nil\n  ) throws -&gt; VZVirtualMachineConfiguration {\n    let configuration: VZVirtualMachineConfiguration = .init()\n\n    \/\/ Boot loader\n    let bootloader = try vmConfig.platform.bootLoader(nvramURL: nvramURL)\n    Dynamic(bootloader)._setROMURL(romURL)\n    configuration.bootLoader = bootloader\n\n    \/\/ SEP ROM\n    let homeURL = FileManager.default.homeDirectoryForCurrentUser\n    var sepstoragePath = homeURL.appendingPathComponent(&quot;.tart\/vms\/vphone\/SEPStorage&quot;).path\n    let sepstorageURL = URL(fileURLWithPath: sepstoragePath)\n    let sep_config = Dynamic._VZSEPCoprocessorConfiguration(storageURL: sepstorageURL)\n    if let sepromURL { \/\/ default AVPSEPBooter.vresearch1.bin from VZ framework\n        sep_config.romBinaryURL = sepromURL\n    }\n    sep_config.debugStub = Dynamic._VZGDBDebugStubConfiguration(port: 8001)\n    configuration._setCoprocessors([sep_config.asObject])\n    \n    \/\/ Some vresearch101 config\n    let pconf = VZMacPlatformConfiguration()\n    pconf.hardwareModel = try vzHardwareModel_VRESEARCH101()\n\n    let serial = Dynamic._VZMacSerialNumber.initWithString(&quot;AAAAAA1337&quot;)\n    let identifier = Dynamic.VZMacMachineIdentifier._machineIdentifierWithECID(0x1111111111111111, serialNumber: serial.asObject)\n    pconf.machineIdentifier = identifier.asObject as! 
VZMacMachineIdentifier\n\n    pconf._setProductionModeEnabled(true)\n    var auxiliaryStoragePath = homeURL.appendingPathComponent(&quot;.tart\/vms\/vphone\/nvram.bin&quot;).path\n    let auxiliaryStorageURL = URL(fileURLWithPath: auxiliaryStoragePath)\n    pconf.auxiliaryStorage = VZMacAuxiliaryStorage(url: auxiliaryStorageURL)\n\n    if #available(macOS 14, *) {\n      let keyboard = VZUSBKeyboardConfiguration()\n      configuration.keyboards = [keyboard]\n    }\n\n    if #available(macOS 14, *) {\n      let touch = _VZUSBTouchScreenConfiguration()\n      configuration._setMultiTouchDevices([touch])\n    }\n    ...\n    configuration.platform = pconf\n\n    \/\/ Display\n    let graphics_config = VZMacGraphicsDeviceConfiguration()\n    let displays_config = VZMacGraphicsDisplayConfiguration(\n        widthInPixels: 1179,\n        heightInPixels: 2556,\n        pixelsPerInch: 460\n    )\n    graphics_config.displays.append(displays_config)\n    configuration.graphicsDevices = [graphics_config]\n ...   \n<\/code><\/pre>\n<h1>\ud38c\uc6e8\uc5b4 \uac1c\uc870\ud558\uae30<\/h1>\n<p>\ucc38\uace0\ud55c \ud504\ub85c\uc81d\ud2b8\ub294 <a href=\"https:\/\/github.com\/nick-botticelli\/vma2pwn\">vma2pwn<\/a>\uc774\ub2e4. 12.0.1 \ubc84\uc804\uc744 \ud55c\uc815\uc73c\ub85c, \uac70\uc758 \ubaa8\ub4e0 \ubd80\ud2b8\uccb4\uc778\uc744 \uc218\uc815\ud55c \ub9e5 \uac00\uc0c1\uba38\uc2e0\uc744 \ub744\uc6cc\uc900\ub2e4.<\/p>\n<p><a href=\"https:\/\/github.com\/nick-botticelli\/vma2pwn\/blob\/main\/prepare.sh\">prepare.sh<\/a> \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uba3c\uc800 \uc0b4\ud3b4\ubcf4\uc790. IM4P \ud615\uc2dd\uc73c\ub85c\ub85c \uc555\ucd95\ub41c \ubd80\ud2b8\ub85c\ub354\ub098 \ucee4\ub110 \ub4f1 \ud38c\uc6e8\uc5b4 \uad6c\uc131\uc694\uc18c\ub4e4\uc744 RAW \ud615\uc2dd\uc73c\ub85c \ucd94\ucd9c\ud558\uace0 \ud558\ub4dc\ucf54\ub529\ub41c \ud2b9\uc815 \uc8fc\uc18c\uc5d0 \uc788\ub294 \uba85\ub839\uc5b4\/\ub370\uc774\ud130\ub4e4\uc744 \ud328\uce58\ud55c\ub2e4. 
RestoreRamdisk\ub294 \ud38c\uc6e8\uc5b4\ub97c \ubcf5\uc6d0\ud560\ub54c \uc0ac\uc6a9\ub418\ub294 \ub8e8\ud2b8 \ud30c\uc77c \uc2dc\uc2a4\ud15c\uc774\uace0, AVPBooter\ub294 \uac00\uc0c1\uba38\uc2e0\uc5d0\uc11c \uc0ac\uc6a9\ub418\ub294 BootROM\uc774\ub2e4.<\/p>\n<p>\uc815\ub9ac\ud558\uc790\uba74, \ud38c\uc6e8\uc5b4\uc5d0 \ub4e4\uc5b4\uac04 \uac01\uac01\uc758 \ud30c\uc77c\ub4e4\uc744 \ucd94\ucd9c\ud558\uc5ec \ucee4\uc2a4\ud140 \ud38c\uc6e8\uc5b4\ub97c \ubcf5\uc6d0 \uac00\ub2a5\ucf00\ud558\uae30 \uc704\ud574 \ubb34\uacb0\uc131 \uac80\uc99d\uc744 \ud328\uce58\ud558\uac70\ub098, \ubd80\ud305 \uad00\ub828 \ub85c\uadf8\ub97c \uc27d\uac8c \ubcf4\ub3c4\ub85d boot-args \ub9e4\uac1c\ubcc0\uc218\ub97c \uc218\uc815\ud55c\ub2e4.<\/p>\n<p>\ub9c8\uc9c0\ub9c9\uc73c\ub85c <a href=\"https:\/\/github.com\/nick-botticelli\/vma2pwn\/blob\/main\/vma2pwn.sh\">vma2pwn.sh<\/a>\ub294 \ucee4\uc2a4\ud140 \ud38c\uc6e8\uc5b4\ub97c \ubcf5\uc6d0\ud574\uc8fc\ub294 \uc5ed\ud560\uc744 \ud55c\ub2e4. \uc0ac\uc804\uc5d0 DFU \ubaa8\ub4dc\ub85c \uc9c4\uc785\ud574\uc11c \ubcf5\uc6d0\ud558\ub294\ub370, \uc5ec\uae30\uc11c \uac00\uc0c1\uba38\uc2e0\uc740 <a href=\"https:\/\/github.com\/JJTech0130\/super-tart\">super-tart<\/a>\ub77c\ub294 \uac83\uc744 \uc0ac\uc6a9\ud55c\ub2e4. \uae30\uc874 tart \uac00\uc0c1\uba38\uc2e0\uc5d0\ub2e4\uac00 \ucee4\uc2a4\ud140 \ubd80\ud2b8\ub86c, \uc2dc\ub9ac\uc5bc \ucd9c\ub825, DFU \ubaa8\ub4dc, GDB \ub514\ubc84\uae45\uae4c\uc9c0 \uae30\ub2a5\uc744 \ucd94\uac00\ud55c \ubc84\uc804\uc774\ub2e4. (\ucc38\uace0\ub85c, SIP\/AMFI \ube44\ud65c\uc131\ud654\ub97c \ud574\uc918\uc57c \uc791\ub3d9\ud55c\ub2e4)<\/p>\n<p>\ucd5c\uadfc\uc5d0\ub3c4 \uaf64\ub098 \uc720\uc6a9\ud558\uac8c \uc0ac\uc6a9\ud588\uc5c8\ub294\ub370, <a href=\"https:\/\/github.com\/wh1te4ever\/xnu_1day_practice\">XNU \ucee4\ub110 1\ub370\uc774 \ucde8\uc57d\uc810(CVE-2021-30937, CVE-2021-30955)<\/a>\uc744 \uacf5\ubd80\ud558\ub824\ub294\ub370 \uc37c\ub2e4. 
\ucee4\ub110 \ub77c\uc774\ube0c \ub514\ubc84\uae45\uc744 \uc9c0\uc6d0\ud574\uc11c \uc544\uc8fc \uc88b\ub2e4.<\/p>\n<h2>\ucee4\uc2a4\ud140 \ud38c\uc6e8\uc5b4 \ub9cc\ub4e4\uae30<\/h2>\n<p><a href=\"https:\/\/appledb.dev\/firmware\/cloudOS\/23B85.html\">cloudOS 26.1(23B85)<\/a>\uc640 <a href=\"https:\/\/appledb.dev\/device\/iPhone-16-series\">iOS 26.1(iPhone17,3; 23B85)<\/a> \uad6c\uc131\uc694\uc18c\ub97c \ubbf9\uc2f1\ud588\ub294\ub370,<\/p>\n<p>\uae30\uc5b5\uc774 \uc790\uc138\ud788\ub294 \uc798\ub098\uc9c0 \uc54a\ub294\ub2e4. \uc815\ud655\ud788 \ub9d0\ud558\uc790\uba74, \uc544\uc774\ud3f0 16\uacfc vphone \uad00\ub828 \ucef4\ud37c\ub10c\ud2b8\ub97c \uc801\uc808\ud788 \ubbf9\uc2f1\ud574\uc11c \ucee4\uc2a4\ud140 \ud38c\uc6e8\uc5b4\ub97c \ub9cc\ub4e4\uc5b4\uc57c\ud558\ub294\ub370, \uc5b4\ub5a4\uac78 \ubbf9\uc2f1\ud588\ub294\uc9c0 \uae30\uc5b5\ub098\uc9c0 \uc54a\ub294\ub2e4\ub294\uac70\ub2e4. \ub0b4 \uae30\uc5b5\uc0c1\uc73c\ub860,<\/p>\n<ul>\n<li>BuildManifest.plist \ud30c\uc77c\uc758 \uacbd\uc6b0:\nManifest \ud0a4 \ud558\uc704\uc758 \ub515\uc154\ub0b4\ub9ac \uc694\uc18c\ub4e4\uc911 \uc218\uc815\ud558\uc600\ub294\ub370, \ubcf5\uc6d0\ud560\ub54c <a href=\"https:\/\/ipsw.me\/download\/iPhone17,3\/23B85\">iPhone 16(iOS 26.1)<\/a> \ubaa8\ub378\uc5d0\uc11c\uc758\nSystemVolume, SystemVolumeCanonicalMetadata, OS, StaticTrustCache, RestoreTrustCache, RestoreRamDisk\ub4e4\uc774 \uc0ac\uc6a9\ub418\ub3c4\ub85d \ub9cc\ub4e4\uace0, \ub098\uba38\uc9c0\ub294 PCC \ud38c\uc6e8\uc5b4\uc758 vphone \uad00\ub828 \ud30c\uc77c\ub4e4\uc774 \uc0ac\uc6a9\ub418\ub3c4\ub85d \ub9cc\ub4e4\uc5b4\ub480\ub358 \uac83 \uac19\ub2e4.<\/li>\n<li>Restore.plist \ud30c\uc77c\uc758 \uacbd\uc6b0:\nDeviceMap \uad00\ub828 \ud504\ub85c\ud37c\ud2f0\ub098 SupportedProductTypes\ub4e4\uc744 \ucd94\uac00\ud558\uac70\ub098, SystemRestoreImageFileSystems \uc694\uc18c\ub97c \ubcc0\uacbd\ud588\ub358 \uac83 \uac19\ub2e4.<\/li>\n<\/ul>\n<p>\uc544\ub798 \ud30c\uc77c\ub4e4\uc740 \ub0b4\uac00 \ubbf9\uc2f1\ud55c \ucd5c\uc885 
\uacb0\uacfc\ubb3c\uc774\ub2e4.<\/p>\n<p><a href=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/Restore.plist\">Restore.plist<\/a><\/p>\n<p><a href=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/BuildManifest.plist\">BuildManifest.plist<\/a><\/p>\n<ul>\n<li>get_fw.py (\uc77c\ubd80 \ub0b4\uc6a9)<\/li>\n<\/ul>\n<pre><code class=\"language-python\">...\n\n# 3. Import things from cloudOS\n# kernelcache\nos.system(&quot;cp 399b664dd623358c3de118ffc114e42dcd51c9309e751d43bc949b98f4e31349_extracted\/kernelcache.* iPhone17,3_26.1_23B85_Restore&quot;)\n# agx, all_flash, ane, dfu, pmp...\nos.system(&quot;cp 399b664dd623358c3de118ffc114e42dcd51c9309e751d43bc949b98f4e31349_extracted\/Firmware\/agx\/* iPhone17,3_26.1_23B85_Restore\/Firmware\/agx&quot;)\nos.system(&quot;cp 399b664dd623358c3de118ffc114e42dcd51c9309e751d43bc949b98f4e31349_extracted\/Firmware\/all_flash\/* iPhone17,3_26.1_23B85_Restore\/Firmware\/all_flash&quot;)\nos.system(&quot;cp 399b664dd623358c3de118ffc114e42dcd51c9309e751d43bc949b98f4e31349_extracted\/Firmware\/ane\/* iPhone17,3_26.1_23B85_Restore\/Firmware\/ane&quot;)\nos.system(&quot;cp 399b664dd623358c3de118ffc114e42dcd51c9309e751d43bc949b98f4e31349_extracted\/Firmware\/dfu\/* iPhone17,3_26.1_23B85_Restore\/Firmware\/dfu&quot;)\nos.system(&quot;cp 399b664dd623358c3de118ffc114e42dcd51c9309e751d43bc949b98f4e31349_extracted\/Firmware\/pmp\/* iPhone17,3_26.1_23B85_Restore\/Firmware\/pmp&quot;)\n# sptm, txm, etc...\nos.system(&quot;cp 399b664dd623358c3de118ffc114e42dcd51c9309e751d43bc949b98f4e31349_extracted\/Firmware\/*.im4p iPhone17,3_26.1_23B85_Restore\/Firmware&quot;)\n\n# 4. 
TODO: parse what things needed from BuildManifest.plist, Restore.plist in cloudOS 26.1\n# It will be really complicated, so import things from already parse completed\nos.system(&quot;sudo cp custom_26.1\/BuildManifest.plist iPhone17,3_26.1_23B85_Restore&quot;)\nos.system(&quot;sudo cp custom_26.1\/Restore.plist iPhone17,3_26.1_23B85_Restore&quot;)\n\nos.system(&quot;echo 'Done, grabbed all needed components for restoring'&quot;)\n<\/code><\/pre>\n<h2>AVPBooter.vresearch1.bin \ud328\uce58\ud558\uae30<\/h2>\n<p><a href=\"https:\/\/gist.github.com\/steven-michaud\/fda019a4ae2df3a9295409053a53a65c#iboot-stage-0-avpbootervmapple2binorg\">\ud574\ub2f9 \uac8c\uc2dc\ubb3c<\/a>\uc744 \ucc38\uace0\ud558\uc600\ub2e4. <code>image4_validate_property_callback<\/code>\uc744 \ud328\uce58\ud574\uc8fc\uc5b4\uc57c\ub9cc, \uadf8 \ub2e4\uc74c\uc73c\ub85c \ucee4\uc2a4\ud140 \ubd80\ud2b8\ub85c\ub354\ub97c \ub85c\ub4dc\uc2dc\ucf1c\uc904 \uc218 \uc788\ub2e4. IDA Pro\uc5d0\uc11c Text-search (slow!) \uae30\ub2a5\uc744 \ud1b5\ud574 \u201c0x4447\u201d\ub97c \uac80\uc0c9\ud558\uace0 \ud574\ub2f9 \ud568\uc218\uc758 \uc5d0\ud544\ub85c\uadf8 \ubd80\ubd84\uc5d0\uc11c \ud56d\uc0c1 0\uc744 \ubc18\ud658\ud558\ub3c4\ub85d \ud328\uce58\ud574\uc8fc\uba74 \ub41c\ub2e4.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/image%201.png\" alt=\"image.png\"><\/p>\n<h2>libirecovery \uc218\uc815\/\ube4c\ub4dc\ud558\uae30<\/h2>\n<p>\ud38c\uc6e8\uc5b4 \ubcf5\uc6d0\ud558\ub294\ub370\uc5d0 \uc55e\uc11c vresearch101ap \ubaa8\ub378\uc744 \uc9c0\uc6d0\ud558\uae30 \uc704\ud574\uc11c\ub294 \uc57d\uac04\uc758 \uc218\uc815\uc774 \ud544\uc694\ud588\ub2e4.<\/p>\n<p>\ube4c\ub4dc\ud558\uace0 \ub098\uba74, <a href=\"https:\/\/github.com\/libimobiledevice\/idevicerestore\">idevicerestore<\/a> \ud234\ub85c \ud38c\uc6e8\uc5b4 \ubcf5\uc6d0\uc774 \uac00\ub2a5\ud574\uc9c4\ub2e4.<\/p>\n<p><a 
href=\"https:\/\/github.com\/wh1te4ever\/libirecovery\">https:\/\/github.com\/wh1te4ever\/libirecovery<\/a><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/Screenshot_2026-02-24_at_9.52.14_PM.png\" alt=\"Screenshot 2026-02-24 at 9.52.14\u202fPM.png\"><\/p>\n<h2>\ud38c\uc6e8\uc5b4 \uad6c\uc131\uc694\uc18c \ud328\uce58\ud558\uae30<\/h2>\n<p>AVPBooter\uc640 \ub9c8\ucc2c\uac00\uc9c0\ub85c, \ubcf5\uc6d0\ud558\ub294\ub370 \ub4e4\uc5b4\uac00\ub294 \ubd80\ud2b8\ub85c\ub354\uc778 iBSS, iBEC\uc740 \uc11c\uba85 \uac80\uc99d\uc744 \uc6b0\ud68c\ud558\uae30 \uc704\ud574 \ud328\uce58\ud558\uc600\uace0, \ubd80\ud305\ud558\ub294\ub370 \ubb38\uc81c \uc788\uc73c\uba74 \uc6d0\uc778\uc744 \ubc14\ub85c \ud30c\uc545\ud558\uae30 \uc704\ud574 \uc2dc\ub9ac\uc5bc \ub85c\uadf8\uac00 \ucd9c\ub825\ub418\ub3c4\ub85d \ub9cc\ub4e4\uc5c8\ub2e4.<\/p>\n<p>\ub098\uc911\uc5d0 \ubcf4\uba74 \uc54c\uac8c \ub418\uaca0\uc9c0\ub9cc, \uc784\uc758\uc758 Cryptex\ub97c \ub85c\ub4dc\uc2dc\ud0a4\uae30 \uc704\ud574\uc11c\ub294 <a href=\"https:\/\/support.apple.com\/fr-lu\/guide\/security\/secd698747c9\/web\">SSV \uac80\uc99d<\/a> \uc6b0\ud68c\uac00 \ud544\uc694\ud558\ub2e4.\nDFU\uac00 \uc544\ub2cc \uc77c\ubc18\ubaa8\ub4dc\uc5d0\uc11c \ubd80\ud305\ud560\ub54c \ub85c\ub4dc\ub418\ub294 LLB\uc5d0\uc11c \uc218\ud589\ub418\uba70, \ucee4\ub110\uc5d0\uc11c\ub3c4 \uac80\uc99d\uc774 \uc218\ud589\ub418\uae30\ub3c4 \ud55c\ub2e4.<\/p>\n<p>\uadf8\ub9ac\uace0 TXM\uc744 \ud328\uce58\ud558\ub294\ub370, Trustcache\uc5d0 \ub4f1\ub85d\ub41c \ubc14\uc774\ub108\ub9ac\/\ub77c\uc774\ube0c\ub7ec\ub9ac\uac00 \uc544\ub2c8\ub354\ub77c\ub3c4, \ub9c8\uce58 \ub4f1\ub85d\ub41c\uac83 \ub9c8\ub0e5 \uc778\uc2dd\ub418\uac8c\ub054 \ub9cc\ub4e4\uc5c8\ub2e4.<\/p>\n<ul>\n<li>patch_fw.py (\uc77c\ubd80 \ub0b4\uc6a9, \ud30c\ud2b81)<\/li>\n<\/ul>\n<pre><code class=\"language-python\"># Patch iBSS\n# patch image4_validate_property_callback\npatch(0x9D10, 0xd503201f)   
#nop\npatch(0x9D14, 0xd2800000)   #mov x0, #0\n\n# Patch iBEC\n# patch image4_validate_property_callback\npatch(0x9D10, 0xd503201f)   #nop\npatch(0x9D14, 0xd2800000)   #mov x0, #0\n# patch boot-args with &quot;serial=3 -v debug=0x2014e %s&quot;\npatch(0x122d4, 0xd0000082)  #adrp x2, #0x12000\npatch(0x122d8, 0x9101c042)  #add x2, x2, #0x70\npatch(0x24070, &quot;serial=3 -v debug=0x2014e %s&quot;)\n\n# Patch LLB\n# patch image4_validate_property_callback\npatch(0xA0D8, 0xd503201f)   #nop\npatch(0xA0DC, 0xd2800000)   #mov x0, #0\n# patch boot-args with &quot;serial=3 -v debug=0x2014e %s&quot;\npatch(0x12888, 0xD0000082)  #adrp x2, #0x12000\npatch(0x1288C, 0x91264042)  #add x2, x2, #0x990\npatch(0x24990, &quot;serial=3 -v debug=0x2014e %s&quot;)\n# make possible load edited rootfs (needed to command snaputil -n later)\npatch(0x2BFE8, 0x1400000b)\npatch(0x2bca0, 0xd503201f)\npatch(0x2C03C, 0x17ffff6a)\npatch(0x2fcec, 0xd503201f)\npatch(0x2FEE8, 0x14000009)\n# some unknown patch, bypass panic\npatch(0x1AEE4, 0xd503201f)  #nop\n\n# 6. Grab &amp; Patch TXM\n# Patch TXM for make running binary which is not registered in trustcache\n# TXM [Error]: CodeSignature: selector: 24 | 0xA8 | 0x30 | 1\n# Some trace: FFFFFFF01702B018-&gt;sub_FFFFFFF0170306E4-&gt;sub_FFFFFFF01703059C-&gt;sub_FFFFFFF01703037C-&gt;sub_FFFFFFF017030164-&gt;sub_FFFFFFF01702EC70 (base: 0xFFFFFFF017004000)\npatch(0x2c1f8, 0xd2800000)      #FFFFFFF0170301F8\npatch(0x2bef4, 0xd2800000)      #FFFFFFF01702FEF4\npatch(0x2c060, 0xd2800000)      #FFFFFFF017030060\n\n# 7. Grab &amp; patch kernelcache\n# ========= Bypass SSV =========\n# _apfs_vfsop_mount: Prevent panic &quot;Failed to find the root snapshot. 
Rooting from the live fs ...&quot;\npatch(0x2476964, 0xd503201f)  #FFFFFE000947A964\n# _authapfs_seal_is_broken: Prevent panic &quot;root volume seal is broken ...&quot;\npatch(0x23cfde4, 0xd503201f) #FFFFFE00093D3DE4 \n# _bsd_init: Prevent panic &quot;rootvp not authenticated after mounting ...&quot;\npatch(0xf6d960, 0xd503201f)    #FFFFFE0007F71960\n...\n<\/code><\/pre>\n<p>RAW \ud615\uc2dd\uc73c\ub85c \ubcc0\ud658\ud574\uace0 \ud328\uce58\ud55c \uc774\ud6c4\uc5d0\ub294, \ub2e4\uc2dc IM4P\ub85c \ubcc0\ud658\uc2dc\ucf1c\uc8fc\uc5b4\uc57c \ud55c\ub2e4.\n\ucee4\ub110\uc774\ub098 TXM\uc758 \uacbd\uc6b0, PAYP \uad6c\uc870\uac00 \uc874\uc7ac\ud558\ubbc0\ub85c \ud574\ub2f9 \uad6c\uc870\ub97c \uc720\uc9c0\ud574\uc904 \ud544\uc694\uac00 \uc788\uc5c8\ub2e4.<\/p>\n<p>\uc544\ub798\ub294 <a href=\"https:\/\/pypi.org\/project\/pyimg4\/\">pyimg4<\/a>, <a href=\"https:\/\/github.com\/tihmstar\/img4tool\">img4tool<\/a>, <a href=\"https:\/\/github.com\/xerub\/img4lib\">img4<\/a> \ud234\uc744 \uc774\uc6a9\ud558\uc5ec IM4P \u2192 RAW \u2192 IM4P\ub85c \ubcc0\ud658\ud574\uc8fc\ub294 \ucf54\ub4dc\uc774\ub2e4.<\/p>\n<ul>\n<li>patch_fw.py (\uc77c\ubd80 \ub0b4\uc6a9, \ud30c\ud2b82)<\/li>\n<\/ul>\n<pre><code class=\"language-python\">...\n\n# Patch iBSS\nif not os.path.exists(&quot;iPhone17,3_26.1_23B85_Restore\/Firmware\/dfu\/iBSS.vresearch101.RELEASE.im4p.bak&quot;):\n    os.system(&quot;cp iPhone17,3_26.1_23B85_Restore\/Firmware\/dfu\/iBSS.vresearch101.RELEASE.im4p iPhone17,3_26.1_23B85_Restore\/Firmware\/dfu\/iBSS.vresearch101.RELEASE.im4p.bak&quot;)\nos.system(&quot;tools\/img4 -i iPhone17,3_26.1_23B85_Restore\/Firmware\/dfu\/iBSS.vresearch101.RELEASE.im4p.bak -o iBSS.vresearch101.RELEASE&quot;)\n... 
# patch things from raw\nos.system(&quot;tools\/img4tool -c iPhone17,3_26.1_23B85_Restore\/Firmware\/dfu\/iBSS.vresearch101.RELEASE.im4p -t ibss iBSS.vresearch101.RELEASE&quot;)\n\n# Patch iBEC\nif not os.path.exists(&quot;iPhone17,3_26.1_23B85_Restore\/Firmware\/dfu\/iBEC.vresearch101.RELEASE.im4p.bak&quot;):\n    os.system(&quot;cp iPhone17,3_26.1_23B85_Restore\/Firmware\/dfu\/iBEC.vresearch101.RELEASE.im4p iPhone17,3_26.1_23B85_Restore\/Firmware\/dfu\/iBEC.vresearch101.RELEASE.im4p.bak&quot;)\nos.system(&quot;tools\/img4 -i iPhone17,3_26.1_23B85_Restore\/Firmware\/dfu\/iBEC.vresearch101.RELEASE.im4p.bak -o iBEC.vresearch101.RELEASE&quot;)\n... # patch things from raw\nos.system(&quot;tools\/img4tool -c iPhone17,3_26.1_23B85_Restore\/Firmware\/dfu\/iBEC.vresearch101.RELEASE.im4p -t ibec iBEC.vresearch101.RELEASE&quot;)\n\n# Patch LLB\nif not os.path.exists(&quot;iPhone17,3_26.1_23B85_Restore\/Firmware\/all_flash\/LLB.vresearch101.RESEARCH_RELEASE.im4p.bak&quot;):\n    os.system(&quot;cp iPhone17,3_26.1_23B85_Restore\/Firmware\/all_flash\/LLB.vresearch101.RESEARCH_RELEASE.im4p iPhone17,3_26.1_23B85_Restore\/Firmware\/all_flash\/LLB.vresearch101.RESEARCH_RELEASE.im4p.bak&quot;)\nos.system(&quot;tools\/img4 -i iPhone17,3_26.1_23B85_Restore\/Firmware\/all_flash\/LLB.vresearch101.RESEARCH_RELEASE.im4p.bak -o LLB.vresearch101.RESEARCH_RELEASE&quot;)\n... # patch things from raw\nos.system(&quot;tools\/img4tool -c iPhone17,3_26.1_23B85_Restore\/Firmware\/all_flash\/LLB.vresearch101.RESEARCH_RELEASE.im4p -t illb LLB.vresearch101.RESEARCH_RELEASE&quot;)\n\n# 6. 
Grab &amp; Patch TXM\nif not os.path.exists(&quot;iPhone17,3_26.1_23B85_Restore\/Firmware\/txm.iphoneos.research.im4p.bak&quot;):\n    os.system(&quot;cp iPhone17,3_26.1_23B85_Restore\/Firmware\/txm.iphoneos.research.im4p iPhone17,3_26.1_23B85_Restore\/Firmware\/txm.iphoneos.research.im4p.bak&quot;)\nos.system(&quot;pyimg4 im4p extract -i iPhone17,3_26.1_23B85_Restore\/Firmware\/txm.iphoneos.research.im4p.bak -o txm.raw&quot;)\n... # patch things from raw\n#create im4p\nos.system(&quot;pyimg4 im4p create -i txm.raw -o txm.im4p -f trxm --lzfse&quot;)\n# preserve payp structure\ntxm_im4p_data = Path('iPhone17,3_26.1_23B85_Restore\/Firmware\/txm.iphoneos.research.im4p.bak').read_bytes()\npayp_offset = txm_im4p_data.rfind(b'PAYP')\nif payp_offset == -1:\n    print(&quot;Couldn't find payp structure !!!&quot;)\n    sys.exit()\n\nwith open('txm.im4p', 'ab') as f:\n    f.write(txm_im4p_data[(payp_offset-10):])\n\npayp_sz = len(txm_im4p_data[(payp_offset-10):])\nprint(f&quot;payp sz: {payp_sz}&quot;)\n\ntxm_im4p_data = bytearray(open('txm.im4p', 'rb').read())\ntxm_im4p_data[2:5] = (int.from_bytes(txm_im4p_data[2:5], 'big') + payp_sz).to_bytes(3, 'big')\nopen('txm.im4p', 'wb').write(txm_im4p_data)\nos.system(&quot;mv txm.im4p iPhone17,3_26.1_23B85_Restore\/Firmware\/txm.iphoneos.research.im4p&quot;)\n\n# 7. Grab &amp; patch kernelcache\nif not os.path.exists(&quot;iPhone17,3_26.1_23B85_Restore\/kernelcache.research.vphone600.bak&quot;):\n    os.system(&quot;cp iPhone17,3_26.1_23B85_Restore\/kernelcache.research.vphone600 iPhone17,3_26.1_23B85_Restore\/kernelcache.research.vphone600.bak&quot;)\nos.system(&quot;pyimg4 im4p extract -i iPhone17,3_26.1_23B85_Restore\/kernelcache.research.vphone600.bak -o kcache.raw&quot;)\n... 
# patch things from raw\n#create im4p\nos.system(&quot;pyimg4 im4p create -i kcache.raw -o krnl.im4p -f krnl --lzfse&quot;)\n\n# preserve payp structure\nkernel_im4p_data = Path('iPhone17,3_26.1_23B85_Restore\/kernelcache.research.vphone600.bak').read_bytes()\npayp_offset = kernel_im4p_data.rfind(b'PAYP')\nif payp_offset == -1:\n    print(&quot;Couldn't find payp structure !!!&quot;)\n    sys.exit()\n\nwith open('krnl.im4p', 'ab') as f:\n    f.write(kernel_im4p_data[(payp_offset-10):])\n\npayp_sz = len(kernel_im4p_data[(payp_offset-10):])\nprint(f&quot;payp sz: {payp_sz}&quot;)\n\nkernel_im4p_data = bytearray(open('krnl.im4p', 'rb').read())\nkernel_im4p_data[2:5] = (int.from_bytes(kernel_im4p_data[2:5], 'big') + payp_sz).to_bytes(3, 'big')\nopen('krnl.im4p', 'wb').write(kernel_im4p_data)\n\nos.system(&quot;mv krnl.im4p iPhone17,3_26.1_23B85_Restore\/kernelcache.research.vphone600&quot;)\n...\n\n<\/code><\/pre>\n<h1>\ud38c\uc6e8\uc5b4 \ubcf5\uc6d0\ud558\uae30<\/h1>\n<p>\uc900\ube44\uac00 \ub2e4\ub410\ub2e4\uba74, \uac00\uc0c1\uba38\uc2e0\uc744 DFU\ubaa8\ub4dc\uc5d0 \uc9c4\uc785\uc2dc\ucf1c\uc11c \ubcf5\uc6d0\uc744 \ud55c\ubc88 \ud574\ubcf4\uc790.<\/p>\n<p>\uc544\ub798\ub294 SEP \uc124\uc815\uc744 \uc81c\ub300\ub85c\ud558\uc9c0 \uc54a\uc73c\uba74 \ub098\ud0c0\ub0ac\ub358 \ud328\ub2c9 \uc0ac\uc9c4\uc774\ub2e4. 
\uc81c\ub300\ub85c \uc124\uc815\ud588\ub2e4\uba74 \ubb34\uc0ac\ud788 \ub118\uc5b4\uac08 \uac83\uc774\ub2e4.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/image%202.png\" alt=\"image.png\"><\/p>\n<p>\ubcf5\uc6d0\uc744 \ub9c8\uce58\uba74 \uc790\ub3d9\uc73c\ub85c \uc7ac\ubd80\ud305\ub41c\ub2e4.<\/p>\n<p>\ud558\uc9c0\ub9cc launchd \ud504\ub85c\uc138\uc2a4\uc5d0\uc11c \/usr\/lib\/libSystem.B.dylib \ub77c\uc774\ube0c\ub7ec\ub9ac\uac00 \uc874\uc7ac\ud558\uc9c0 \uc54a\uc544 \ud328\ub2c9\uc774 \ubc1c\uc0dd\ud574\ubc84\ub9b0\ub2e4.<\/p>\n<p>\ud574\ub2f9 \ub77c\uc774\ube0c\ub7ec\ub9ac\ub294 Cryptex \ud30c\ud2f0\uc158\uc5d0 \uc788\ub294 dyld_shared_cache\uc5d0 \uc874\uc7ac\ud558\uba70, \ubb34\uc2a8 \uc774\uc720\uc5d0\uc120\uc9c0 Cryptex \ud30c\ud2f0\uc158\uc740 \ubcf5\uc6d0\ud560 \uc218\uac00 \uc5c6\uc5c8\ub2e4. \uc784\uc2dc \ud574\uacb0\ucc45 \uc911 \ud558\ub098\ub85c\uc11c, <a href=\"https:\/\/github.com\/verygenericname\/SSHRD_Script\">SSH Ramdisk<\/a>\ub97c \ub9cc\ub4e4\uc5b4\uc11c \ub8e8\ud2b8 \ud30c\uc77c \uc2dc\uc2a4\ud15c\uc744 \uc218\uc815\ud558\uc5ec \ud30c\uc77c\uc744 \ub123\uc5b4\uc8fc\uc5b4\uc57c \ud55c\ub2e4. 
\uadf8\uac8c \ubc14\ub85c SSV \uac80\uc99d \uad00\ub828 \ud328\uce58\uac00 \ud544\uc694\ud55c \uc774\uc720\uc600\ub2e4.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/Screenshot_2026-02-24_at_10.24.33_PM.png\" alt=\"Screenshot 2026-02-24 at 10.24.33\u202fPM.png\"><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/image%203.png\" alt=\"image.png\"><\/p>\n<h1>SSH Ramdisk\ub85c \ubd80\ud305\ud558\uc5ec \ubd80\ud305 \uace0\uce58\uae30<\/h1>\n<p>https:\/\/github.com\/verygenericname\/SSHRD_Script\uc5d0\uc11c \uc0ac\uc6a9\ub41c \ub7a8\ub514\uc2a4\ud06c\ub97c \ud65c\uc6a9\ud558\uc5ec \ubd80\ud305\uc774 \uc548\ub418\ub294 \ubb38\uc81c\ub97c \uace0\uccd0\ubcf4\ub824\uace0 \ud55c\ub2e4.<\/p>\n<p>DFU\ubaa8\ub4dc\uc5d0\uc11c irecovery \ud234\ub85c \ubd80\ud2b8\ub85c\ub354\ub098 \ucee4\ub110 \uac19\uc740 \uad6c\uc131\uc694\uc18c\ub97c \uc5c5\ub85c\ub4dc\ud574\uc11c \ub85c\ub4dc\uc2dc\ud0ac\ub824\uba74 IMG4 \uc774\ubbf8\uc9c0\uac00 \ud544\uc694\ud558\uba70, IM4M \ud30c\uc77c\uc774 \ud544\uc694\ud558\ub2e4. 
\ub530\ub77c\uc11c \uc6b0\uc120 idevicerestore \ud234\ub85c shsh \ud30c\uc77c\uc744 \uba3c\uc800 \uac00\uc838\uc624\uace0, \uadf8 \ub2e4\uc74c\uc5d0 Im4m \ud30c\uc77c\ub85c \ubcc0\ud658\uc2dc\ucf30\ub2e4.<\/p>\n<pre><code class=\"language-bash\">idevicerestore -e -y .\/iPhone17,3_26.1_23B85_Restore -t\n\nmv shsh\/[ECID]-iPhone99,11-26.1.shsh shsh\/[ECID]-iPhone99,11-26.1.shsh.gz\n\ngunzip shsh\/[ECID]-iPhone99,11-26.1.shsh.gz\n\n...\n\npyimg4 im4m  extract -i shsh\/[ECID]-iPhone99,11-26.1.shsh -o vphone.im4m\n<\/code><\/pre>\n<p>\uadf8\ub9ac\uace0 \ud574\ub2f9 IM4M \ud30c\uc77c\uc744 \uc774\uc6a9\ud558\uc5ec \ud38c\uc6e8\uc5b4 \uad6c\uc131\uc694\uc18c\ub85c \uc0ac\uc6a9\ub418\ub294 \uac01\uac01\uc758 iBSS, iBEC, devicetree \ub4f1\ub4f1 \uc5ec\ub7ec IMG4 \ud30c\uc77c\uc744 \uc0dd\uc131\uc2dc\ucf30\ub2e4.<\/p>\n<pre><code class=\"language-python\"># 1. Grab &amp; Patch iBSS \nif not os.path.exists(&quot;iPhone17\\\\,3_26.1_23B85_Restore\/Firmware\/dfu\/iBSS.vresearch101.RELEASE.im4p.bak&quot;):\n    os.system(&quot;cp iPhone17\\\\,3_26.1_23B85_Restore\/Firmware\/dfu\/iBSS.vresearch101.RELEASE.im4p iPhone17\\\\,3_26.1_23B85_Restore\/Firmware\/dfu\/iBSS.vresearch101.RELEASE.im4p.bak&quot;)\nos.system(&quot;tools\/img4 -i iPhone17\\\\,3_26.1_23B85_Restore\/Firmware\/dfu\/iBSS.vresearch101.RELEASE.im4p.bak -o iBSS.vresearch101.RELEASE&quot;)\n... # patch things from raw\nos.system(&quot;tools\/img4tool -c iBSS.vresearch101.RELEASE.im4p -t ibss iBSS.vresearch101.RELEASE&quot;)\nos.system(&quot;tools\/img4 -i iBSS.vresearch101.RELEASE.im4p -o .\/Ramdisk\/iBSS.vresearch101.RELEASE.img4 -M .\/vphone.im4m&quot;)\n\n# 2. 
Grab &amp; Patch iBEC\nif not os.path.exists(&quot;iPhone17\\\\,3_26.1_23B85_Restore\/Firmware\/dfu\/iBEC.vresearch101.RELEASE.im4p.bak&quot;):\n    os.system(&quot;cp iPhone17\\\\,3_26.1_23B85_Restore\/Firmware\/dfu\/iBEC.vresearch101.RELEASE.im4p iPhone17\\\\,3_26.1_23B85_Restore\/Firmware\/dfu\/iBEC.vresearch101.RELEASE.im4p.bak&quot;)\nos.system(&quot;tools\/img4 -i iPhone17\\\\,3_26.1_23B85_Restore\/Firmware\/dfu\/iBEC.vresearch101.RELEASE.im4p -o iBEC.vresearch101.RELEASE&quot;)\n... # patch things from raw\nos.system(&quot;tools\/img4tool -c iBEC.vresearch101.RELEASE.im4p -t ibec iBEC.vresearch101.RELEASE&quot;)\nos.system(&quot;tools\/img4 -i iBEC.vresearch101.RELEASE.im4p -o Ramdisk\/iBEC.vresearch101.RELEASE.img4 -M vphone.im4m&quot;)\n\n# 3. Grab SPTM\nos.system(&quot;tools\/img4 -i iPhone17\\\\,3_26.1_23B85_Restore\/Firmware\/sptm.vresearch1.release.im4p -o Ramdisk\/sptm.vresearch1.release.img4 -M vphone.im4m -T sptm&quot;)\n\n# 4. Grab devicetree\nos.system(&quot;tools\/img4 -i iPhone17\\\\,3_26.1_23B85_Restore\/Firmware\/all_flash\/DeviceTree.vphone600ap.im4p -o Ramdisk\/DeviceTree.vphone600ap.img4 -M vphone.im4m -T rdtr&quot;)\n\n# 5. Grab sep\nos.system(&quot;tools\/img4 -i iPhone17\\\\,3_26.1_23B85_Restore\/Firmware\/all_flash\/sep-firmware.vresearch101.RELEASE.im4p -o Ramdisk\/sep-firmware.vresearch101.RELEASE.img4 -M vphone.im4m -T rsep&quot;)\n\n# 6. Grab &amp; Patch TXM\nif not os.path.exists(&quot;iPhone17\\\\,3_26.1_23B85_Restore\/Firmware\/txm.iphoneos.release.im4p.bak&quot;):\n    os.system(&quot;cp iPhone17\\\\,3_26.1_23B85_Restore\/Firmware\/txm.iphoneos.release.im4p iPhone17\\\\,3_26.1_23B85_Restore\/Firmware\/txm.iphoneos.release.im4p.bak&quot;)\nos.system(&quot;pyimg4 im4p extract -i iPhone17\\\\,3_26.1_23B85_Restore\/Firmware\/txm.iphoneos.release.im4p.bak -o txm.raw&quot;)\n... 
# patch things from raw\n#create im4p\nos.system(&quot;pyimg4 im4p create -i txm.raw -o txm.im4p -f trxm --lzfse&quot;)\n# preserve payp structure\ntxm_im4p_data = Path('iPhone17,3_26.1_23B85_Restore\/Firmware\/txm.iphoneos.release.im4p.bak').read_bytes()\npayp_offset = txm_im4p_data.rfind(b'PAYP')\nif payp_offset == -1:\n    print(&quot;Couldn't find payp structure !!!&quot;)\n    sys.exit()\n\nwith open('txm.im4p', 'ab') as f:\n    f.write(txm_im4p_data[(payp_offset-10):])\n\npayp_sz = len(txm_im4p_data[(payp_offset-10):])\nprint(f&quot;payp sz: {payp_sz}&quot;)\n\ntxm_im4p_data = bytearray(open('txm.im4p', 'rb').read())\ntxm_im4p_data[2:5] = (int.from_bytes(txm_im4p_data[2:5], 'big') + payp_sz).to_bytes(3, 'big')\nopen('txm.im4p', 'wb').write(txm_im4p_data)\n\n# sign\nos.system(&quot;pyimg4 img4 create -p txm.im4p -o Ramdisk\/txm.img4 -m vphone.im4m&quot;)\n\n# 7. Grab &amp; patch kernelcache\nif not os.path.exists(&quot;iPhone17\\\\,3_26.1_23B85_Restore\/kernelcache.research.vphone600.bak&quot;):\n    os.system(&quot;cp iPhone17\\\\,3_26.1_23B85_Restore\/kernelcache.research.vphone600 iPhone17\\\\,3_26.1_23B85_Restore\/kernelcache.research.vphone600.bak&quot;)\nos.system(&quot;pyimg4 im4p extract -i iPhone17\\\\,3_26.1_23B85_Restore\/kernelcache.research.vphone600.bak -o kcache.raw&quot;)\n... 
# patch things from raw\n\n#create im4p\nos.system(&quot;pyimg4 im4p create -i kcache.raw -o krnl.im4p -f rkrn --lzfse&quot;)\n\n# preserve payp structure\nkernel_im4p_data = Path('iPhone17,3_26.1_23B85_Restore\/kernelcache.research.vphone600.bak').read_bytes()\npayp_offset = kernel_im4p_data.rfind(b'PAYP')\nif payp_offset == -1:\n    print(&quot;Couldn't find payp structure !!!&quot;)\n    sys.exit()\n\nwith open('krnl.im4p', 'ab') as f:\n    f.write(kernel_im4p_data[(payp_offset-10):])\n\npayp_sz = len(kernel_im4p_data[(payp_offset-10):])\nprint(f&quot;payp sz: {payp_sz}&quot;)\n\nkernel_im4p_data = bytearray(open('krnl.im4p', 'rb').read())\nkernel_im4p_data[2:5] = (int.from_bytes(kernel_im4p_data[2:5], 'big') + payp_sz).to_bytes(3, 'big')\nopen('krnl.im4p', 'wb').write(kernel_im4p_data)\n\n# sign\nos.system(&quot;pyimg4 img4 create -p krnl.im4p -o Ramdisk\/krnl.img4 -m vphone.im4m&quot;)\n\n# 8. Grab ramdisk &amp; build custom ramdisk\nos.system(&quot;pyimg4 im4p extract -i iPhone17,3_26.1_23B85_Restore\/043-53775-129.dmg -o ramdisk.dmg&quot;)\nos.system(&quot;mkdir SSHRD&quot;)\nos.system(&quot;sudo hdiutil attach -mountpoint SSHRD ramdisk.dmg -owners off&quot;)\nos.system(&quot;sudo hdiutil create -size 254m -imagekey diskimage-class=CRawDiskImage -format UDZO -fs APFS -layout NONE -srcfolder SSHRD -copyuid root ramdisk1.dmg&quot;)\nos.system(&quot;sudo hdiutil detach -force SSHRD&quot;)\nos.system(&quot;sudo hdiutil attach -mountpoint SSHRD ramdisk1.dmg -owners off&quot;)\n\n... 
#remove unneccessary files for expand space\n\n#resign all things preserving ents\ntarget_path= [\n    &quot;SSHRD\/usr\/local\/bin\/*&quot;, &quot;SSHRD\/usr\/local\/lib\/*&quot;,\n    &quot;SSHRD\/usr\/bin\/*&quot;, &quot;SSHRD\/bin\/*&quot;,\n    &quot;SSHRD\/usr\/lib\/*&quot;, &quot;SSHRD\/sbin\/*&quot;, &quot;SSHRD\/usr\/sbin\/*&quot;, &quot;SSHRD\/usr\/libexec\/*&quot;\n]\nfor pattern in target_path:\n    for path in glob.glob(pattern):\n        if os.path.isfile(path) and not os.path.islink(path):\n            if &quot;Mach-O&quot; in subprocess.getoutput(f&quot;file \\&quot;{path}\\&quot;&quot;):\n                os.system(f&quot;tools\/ldid_macosx_arm64 -S -M -Cadhoc \\&quot;{path}\\&quot;&quot;)\n\n#8-2. Grab &amp; build custom ramdisk's trustcache while building custom ramdisk\nos.system(&quot;pyimg4 im4p extract -i iPhone17,3_26.1_23B85_Restore\/Firmware\/043-53775-129.dmg.trustcache -o trustcache.raw&quot;)\nos.system(&quot;tools\/trustcache_macos_arm64 create sshrd.tc SSHRD&quot;)\nos.system(&quot;pyimg4 im4p create -i sshrd.tc -o trustcache.im4p -f rtsc&quot;)\n# sign\nos.system(&quot;pyimg4 img4 create -p trustcache.im4p -o Ramdisk\/trustcache.img4 -m vphone.im4m&quot;)\n#8-2. 
end\n\nos.system(&quot;sudo hdiutil detach -force SSHRD&quot;)\nos.system(&quot;sudo hdiutil resize -sectors min ramdisk1.dmg&quot;)\n# sign\nos.system(&quot;pyimg4 im4p create -i ramdisk1.dmg -o ramdisk1.dmg.im4p -f rdsk&quot;)\nos.system(&quot;pyimg4 img4 create -p ramdisk1.dmg.im4p -o Ramdisk\/ramdisk.img4 -m vphone.im4m&quot;)\n<\/code><\/pre>\n<p>IMG4 \uc774\ubbf8\uc9c0\ub97c \ub2e4 \ub9cc\ub4e4\uc5c8\ub2e4\uba74, \uc774\uc81c \ud558\ub098\uc529 \ub85c\ub4dc\uc2dc\ucf1c\uc11c Ramdisk\ub85c \ubd80\ud305\ud574\ubcf4\uc790.<\/p>\n<ul>\n<li>boot_rd.sh<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">#!\/bin\/zsh\nirecovery -f Ramdisk\/iBSS.vresearch101.RELEASE.img4\nirecovery -f Ramdisk\/iBEC.vresearch101.RELEASE.img4\nirecovery -c go\n\nsleep 1;\nirecovery -f Ramdisk\/sptm.vresearch1.release.img4\nirecovery -c firmware\n\nirecovery -f Ramdisk\/txm.img4\nirecovery -c firmware\n\nirecovery -f Ramdisk\/trustcache.img4\nirecovery -c firmware\nirecovery -f Ramdisk\/ramdisk.img4\nirecovery -c ramdisk\nirecovery -f Ramdisk\/DeviceTree.vphone600ap.img4\nirecovery -c devicetree\nirecovery -f Ramdisk\/sep-firmware.vresearch101.RELEASE.img4\nirecovery -c firmware\nirecovery -f Ramdisk\/krnl.img4\nirecovery -c bootx\n\n<\/code><\/pre>\n<p>\uadf8\ub7ec\uba74 \uc544\ub798\uc640 \uac19\uc774 \uc67c\ucabd\uc5d0\uc11c 3\ubc88\uc9f8 \ucc3d\uc5d0 \uc788\ub294, \ub9c8\uc778\ud06c\ub798\ud504\ud2b8 \uac8c\uc784 \uc18d\uc758 \ud06c\ub9ac\ud37c \ubaa8\uc591 \uc5bc\uad74\uc744 \ubcf4\uac8c \ub420 \uac83\uc774\ub2e4.<\/p>\n<p>System Information \uc571\uc5d0\uc11c USB \uba54\ub274\ub97c \ubcf4\uba74 \u201ciPhone Research \u2026\u201d\uac00 \ub098\ud0c0\ub098\uc788\ub2e4\uba74,\n\uc774\uc81c <a href=\"https:\/\/github.com\/libimobiledevice\/libusbmuxd\/blob\/master\/tools\/iproxy.c\">iproxy<\/a>\ud234\uc744 \uc774\uc6a9\ud574\uc11c \uac00\uc0c1\uc544\uc774\ud3f0 \uc258\uc5d0 \uc811\uadfc\ud560 \uc218 \uc788\ub2e4. 
(<code>iproxy 2222 22 &amp;<\/code>)<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/image%204.png\" alt=\"image.png\"><\/p>\n<p>\ub8e8\ud2b8 \ud30c\uc77c\uc2dc\uc2a4\ud15c\uc744 \uc218\uc815\ud558\uae30 \uc704\ud574 snapshot \uc774\ub984\uc744 \ubcc0\uacbd\ud574\uc900\ub2e4.<\/p>\n<pre><code class=\"language-python\">ssh root@127.0.0.1 -p2222\n#pw: alpine\n\nmount_apfs -o rw \/dev\/disk1s1 \/mnt1\n\nsnaputil -l \/mnt1\n# (then will output will be printed with hash, result may be differ)\ncom.apple.os.update-8AAB8DBA5C8F1F756928411675F4A892087B04559CFB084B9E400E661ABAD119\n\nsnaputil -n &lt;com.apple.os.update-hash&gt; orig-fs \/mnt1\n\numount \/mnt1\n\nexit\n<\/code><\/pre>\n<p>AEA \ud30c\uc77c\uc740 <a href=\"https:\/\/github.com\/blacktop\/ipsw\">ipsw<\/a> \ud234\ub85c \ubcf5\ud638\ud654\ud558\uc5ec dmg \ud30c\uc77c\ub85c \ub9cc\ub4e4\uace0 \ub9c8\uc6b4\ud2b8\uc2dc\ud0a8\ub2e4\uc74c,\nCryptex \ud30c\ud2f0\uc158\uc5d0 \uc788\ub294 \ud30c\uc77c\ub4e4\uc744 \uac00\uc0c1\uba38\uc2e0\uc73c\ub85c \uc804\uc1a1\uc2dc\ud0a8\ub2e4.<\/p>\n<p>\ud30c\uc77c \uc804\uc1a1 \ubfd0\ub9cc \uc544\ub2c8\ub77c \ud2b9\uc815 \ud328\uce58\uac00 \ud544\uc694\ud588\uc73c\uba70, \ud3b8\uc758\uc0c1 \ubd80\ud305\ub420\ub54c \ud2b9\uc815 3\uac1c\uc758 \ud504\ub85c\uc138\uc2a4\uc778 bash, dropbear, <a href=\"https:\/\/github.com\/OwnGoalStudio\/TrollVNC\">trollvnc<\/a>\ub97c \ucd94\uac00\ud574\uc8fc\uc5c8\ub2e4.<\/p>\n<p>seputil\uc740 gigalocker\ub77c\ub294 \ud30c\uc77c\uc744 \uc81c\ub300\ub85c \ucc3e\uc9c0 \ubabb\ud558\ub294 \ubb38\uc81c\uac00 \uc788\uc5b4\uc11c AA.gl \ub85c \ud56d\uc0c1 \ucc3e\uc744 \uc218 \uc788\uac8c \ub9cc\ub4e4\uc5c8\uc73c\uba70,\nlaunchd_cache_loader\uc740 \uc218\uc815\ub41c \/System\/Library\/xpc\/launchd.plist\uac00 \ub85c\ub4dc\uac00 \uc798\ub418\uac8c\ub054 \ud328\uce58\ud558\uc600\ub2e4.<\/p>\n<pre><code class=\"language-python\">...\n ========= INSTALL CRYPTEX(SystemOS, AppOS) 
=========\n# Grab and Decrypt Cryptex(SystemOS) AEA\nkey = subprocess.check_output(&quot;ipsw fw aea --key iPhone17,3_26.1_23B85_Restore\/043-54303-126.dmg.aea&quot;, shell=True, text=True).strip()\nprint(f&quot;key: {key}&quot;)\nos.system(f&quot;aea decrypt -i iPhone17,3_26.1_23B85_Restore\/043-54303-126.dmg.aea -o CryptexSystemOS.dmg -key-value '{key}'&quot;)\n\n# Grab Cryptex(AppOS)\nos.system(f&quot;cp iPhone17,3_26.1_23B85_Restore\/043-54062-129.dmg CryptexAppOS.dmg&quot;)\n\n# Mount CryptexSystemOS\nos.system(&quot;mkdir CryptexSystemOS&quot;)\nos.system(&quot;sudo hdiutil attach -mountpoint CryptexSystemOS CryptexSystemOS.dmg -owners off&quot;)\n\n# Mount CryptexAppOS\nos.system(&quot;mkdir CryptexAppOS&quot;)\nos.system(&quot;sudo hdiutil attach -mountpoint CryptexAppOS CryptexAppOS.dmg -owners off&quot;)\n\n# Prepare\nremote_cmd(&quot;\/sbin\/mount_apfs -o rw \/dev\/disk1s1 \/mnt1&quot;)\n\nremote_cmd(&quot;\/bin\/rm -rf \/mnt1\/System\/Cryptexes\/App&quot;)\nremote_cmd(&quot;\/bin\/rm -rf \/mnt1\/System\/Cryptexes\/OS&quot;)\n\nremote_cmd(&quot;\/bin\/mkdir -p \/mnt1\/System\/Cryptexes\/App&quot;)\nremote_cmd(&quot;\/bin\/chmod 0755 \/mnt1\/System\/Cryptexes\/App&quot;)\nremote_cmd(&quot;\/bin\/mkdir -p \/mnt1\/System\/Cryptexes\/OS&quot;)\nremote_cmd(&quot;\/bin\/chmod 0755 \/mnt1\/System\/Cryptexes\/OS&quot;)\n\n# send Cryptex files to device\nprint(&quot;Copying cryptexs to vphone! Will take about 3 mintues...&quot;)\nos.system(&quot;tools\/sshpass -p 'alpine' scp -q -r -ostricthostkeychecking=false -ouserknownhostsfile=\/dev\/null -o StrictHostKeyChecking=no -P 2222 CryptexSystemOS\/. 'root@127.0.0.1:\/mnt1\/System\/Cryptexes\/OS'&quot;)\nos.system(&quot;tools\/sshpass -p 'alpine' scp -q -r -ostricthostkeychecking=false -ouserknownhostsfile=\/dev\/null -o StrictHostKeyChecking=no -P 2222 CryptexAppOS\/. 
'root@127.0.0.1:\/mnt1\/System\/Cryptexes\/App'&quot;)\n\n# Thanks nathan for idea\n# \/System\/Library\/Caches\/com.apple.dyld -&gt; \/System\/Cryptexes\/OS\/System\/Library\/Caches\/com.apple.dyld\/\nremote_cmd(&quot;\/bin\/ln -sf ..\/..\/..\/System\/Cryptexes\/OS\/System\/Library\/Caches\/com.apple.dyld \/mnt1\/System\/Library\/Caches\/com.apple.dyld&quot;)\n# \/System\/DriverKit\/System\/Library\/dyld -&gt; \/System\/Cryptexes\/OS\/System\/DriverKit\/System\/Library\/dyld\nremote_cmd(&quot;\/bin\/ln -sf ..\/..\/..\/..\/System\/Cryptexes\/OS\/System\/DriverKit\/System\/Library\/dyld \/mnt1\/System\/DriverKit\/System\/Library\/dyld&quot;)\n\n# ========= PATCH SEPUTIL =========\n# remove if already exist\nos.system(&quot;rm custom_26.1\/seputil 2&gt;\/dev\/null&quot;)\nos.system(&quot;rm custom_26.1\/seputil.bak 2&gt;\/dev\/null&quot;)\n# backup seputil before patch\nfile_path = &quot;\/mnt1\/usr\/libexec\/seputil.bak&quot;\nif not check_remote_file_exists(file_path): \n     print(f&quot;Created backup {file_path}&quot;)\n     remote_cmd(&quot;\/bin\/cp \/mnt1\/usr\/libexec\/seputil \/mnt1\/usr\/libexec\/seputil.bak&quot;)\n# grab seputil\nos.system(&quot;tools\/sshpass -p 'alpine' scp -q -o StrictHostKeyChecking=no -o UserKnownHostsFile=\/dev\/null -P 2222 root@127.0.0.1:\/mnt1\/usr\/libexec\/seputil.bak .\/custom_26.1&quot;)\nos.system(&quot;mv custom_26.1\/seputil.bak custom_26.1\/seputil&quot;)\n# patch seputil; prevent error &quot;seputil: Gigalocker file (\/mnt7\/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.gl) doesn't exist: No such file or directory&quot;\nfp = open(&quot;custom_26.1\/seputil&quot;, &quot;r+b&quot;)\npatch(0x1B3F1, &quot;AA&quot;)\nfp.close()\n# sign\nos.system(&quot;tools\/ldid_macosx_arm64 -S -M -Ksigncert.p12 -Icom.apple.seputil custom_26.1\/seputil&quot;)\n# send to apply\nos.system(&quot;tools\/sshpass -p 'alpine' scp -q -r -ostricthostkeychecking=false -ouserknownhostsfile=\/dev\/null -o StrictHostKeyChecking=no -P 2222 custom_26.1\/seputil 
'root@127.0.0.1:\/mnt1\/usr\/libexec\/seputil'&quot;)\nremote_cmd(&quot;\/bin\/chmod 0755 \/mnt1\/usr\/libexec\/seputil&quot;)\n# clean\nos.system(&quot;rm custom_26.1\/seputil 2&gt;\/dev\/null&quot;)\n\n# Change gigalocker filename to AA.gl\nremote_cmd(&quot;\/sbin\/mount_apfs -o rw \/dev\/disk1s3 \/mnt3&quot;)\nremote_cmd(&quot;\/bin\/mv \/mnt3\/*.gl \/mnt3\/AA.gl&quot;)\n\n... # ========= INSTALL AppleParavirtGPUMetalIOGPUFamily =========\n\n# ========= INSTALL iosbinpack64 =========\n# Send to rootfs\nos.system(&quot;tools\/sshpass -p 'alpine' scp -q -r -ostricthostkeychecking=false -ouserknownhostsfile=\/dev\/null -o StrictHostKeyChecking=no -P 2222 jb\/iosbinpack64.tar 'root@127.0.0.1:\/mnt1'&quot;)\n# Unpack \nremote_cmd(&quot;\/usr\/bin\/tar --preserve-permissions --no-overwrite-dir -xvf \/mnt1\/iosbinpack64.tar  -C \/mnt1&quot;)\nremote_cmd(&quot;\/bin\/rm \/mnt1\/iosbinpack64.tar&quot;)\n# Setup initial dropbear after normal boot\n'''\n\/iosbinpack64\/bin\/mkdir -p \/var\/dropbear\n\/iosbinpack64\/bin\/cp \/iosbinpack64\/etc\/profile \/var\/profile\n\/iosbinpack64\/bin\/cp \/iosbinpack64\/etc\/motd \/var\/motd\n'''\n\n# ========= PATCH launchd_cache_loader (patch required if modifying \/System\/Library\/xpc\/launchd.plist) =========\n# remove if already exist\nos.system(&quot;rm custom_26.1\/launchd_cache_loader 2&gt;\/dev\/null&quot;)\nos.system(&quot;rm custom_26.1\/launchd_cache_loader.bak 2&gt;\/dev\/null&quot;)\n# backup launchd_cache_loader before patch\nfile_path = &quot;\/mnt1\/usr\/libexec\/launchd_cache_loader.bak&quot;\nif not check_remote_file_exists(file_path): \n     print(f&quot;Created backup {file_path}&quot;)\n     remote_cmd(&quot;\/bin\/cp \/mnt1\/usr\/libexec\/launchd_cache_loader \/mnt1\/usr\/libexec\/launchd_cache_loader.bak&quot;)\n# grab launchd_cache_loader\nos.system(&quot;tools\/sshpass -p 'alpine' scp -q -o StrictHostKeyChecking=no -o UserKnownHostsFile=\/dev\/null -P 2222 
root@127.0.0.1:\/mnt1\/usr\/libexec\/launchd_cache_loader.bak .\/custom_26.1&quot;)\nos.system(&quot;mv custom_26.1\/launchd_cache_loader.bak custom_26.1\/launchd_cache_loader&quot;)\n# patch to apply launchd_unsecure_cache=1\nfp = open(&quot;custom_26.1\/launchd_cache_loader&quot;, &quot;r+b&quot;)\npatch(0xB58, 0xd503201f)\nfp.close()\n# sign\nos.system(&quot;tools\/ldid_macosx_arm64 -S -M -Ksigncert.p12 -Icom.apple.launchd_cache_loader custom_26.1\/launchd_cache_loader&quot;)\n# send to apply\nos.system(&quot;tools\/sshpass -p 'alpine' scp -q -r -ostricthostkeychecking=false -ouserknownhostsfile=\/dev\/null -o StrictHostKeyChecking=no -P 2222 custom_26.1\/launchd_cache_loader 'root@127.0.0.1:\/mnt1\/usr\/libexec\/launchd_cache_loader'&quot;)\nremote_cmd(&quot;\/bin\/chmod 0755 \/mnt1\/usr\/libexec\/launchd_cache_loader&quot;)\n# clean\nos.system(&quot;rm custom_26.1\/launchd_cache_loader 2&gt;\/dev\/null&quot;)\n\n# ========= MAKE RUN bash, dropbear, trollvnc automatically when boot =========\n# Send plist to \/System\/Library\/LaunchDaemons\nos.system(&quot;tools\/sshpass -p 'alpine' scp -q -r -ostricthostkeychecking=false -ouserknownhostsfile=\/dev\/null -o StrictHostKeyChecking=no -P 2222 jb\/LaunchDaemons\/bash.plist 'root@127.0.0.1:\/mnt1\/System\/Library\/LaunchDaemons'&quot;)\nos.system(&quot;tools\/sshpass -p 'alpine' scp -q -r -ostricthostkeychecking=false -ouserknownhostsfile=\/dev\/null -o StrictHostKeyChecking=no -P 2222 jb\/LaunchDaemons\/dropbear.plist 'root@127.0.0.1:\/mnt1\/System\/Library\/LaunchDaemons'&quot;)\nos.system(&quot;tools\/sshpass -p 'alpine' scp -q -r -ostricthostkeychecking=false -ouserknownhostsfile=\/dev\/null -o StrictHostKeyChecking=no -P 2222 jb\/LaunchDaemons\/trollvnc.plist 'root@127.0.0.1:\/mnt1\/System\/Library\/LaunchDaemons'&quot;)\nremote_cmd(&quot;\/bin\/chmod 0644 \/mnt1\/System\/Library\/LaunchDaemons\/bash.plist&quot;)\nremote_cmd(&quot;\/bin\/chmod 0644 
\/mnt1\/System\/Library\/LaunchDaemons\/dropbear.plist&quot;)\nremote_cmd(&quot;\/bin\/chmod 0644 \/mnt1\/System\/Library\/LaunchDaemons\/trollvnc.plist&quot;)\n\n# Edit \/System\/Library\/xpc\/launchd.plist \n# remove if already exist\nos.system(&quot;rm custom_26.1\/launchd.plist 2&gt;\/dev\/null&quot;)\nos.system(&quot;rm custom_26.1\/launchd.plist.bak 2&gt;\/dev\/null&quot;)\n# backup launchd.plist before patch\nfile_path = &quot;\/mnt1\/System\/Library\/xpc\/launchd.plist.bak&quot;\nif not check_remote_file_exists(file_path): \n     print(f&quot;Created backup {file_path}&quot;)\n     remote_cmd(&quot;\/bin\/cp \/mnt1\/System\/Library\/xpc\/launchd.plist \/mnt1\/System\/Library\/xpc\/launchd.plist.bak&quot;)\n# grab launchd.plist\nos.system(&quot;tools\/sshpass -p 'alpine' scp -q -o StrictHostKeyChecking=no -o UserKnownHostsFile=\/dev\/null -P 2222 root@127.0.0.1:\/mnt1\/System\/Library\/xpc\/launchd.plist.bak .\/custom_26.1&quot;)\nos.system(&quot;mv custom_26.1\/launchd.plist.bak custom_26.1\/launchd.plist&quot;)\n\n# Inject bash, dropbear, trollvnc to launchd.plist\nos.system(&quot;plutil -convert xml1 custom_26.1\/launchd.plist&quot;)\n\n# 1. bash\ntarget_file = 'custom_26.1\/launchd.plist'\nsource_file = 'jb\/LaunchDaemons\/bash.plist'\ninsert_key  = '\/System\/Library\/LaunchDaemons\/bash.plist'\n\nwith open(target_file, 'rb') as ft, open(source_file, 'rb') as fs:\n    target_data = plistlib.load(ft)\n    source_data = plistlib.load(fs)\n\ntarget_data.setdefault('LaunchDaemons', {})[insert_key] = source_data\n\nwith open(target_file, 'wb') as f:\n    plistlib.dump(target_data, f, sort_keys=False)\n\n# 2. 
dropbear\nsource_file = 'jb\/LaunchDaemons\/dropbear.plist'\ninsert_key  = '\/System\/Library\/LaunchDaemons\/dropbear.plist'\n\nwith open(target_file, 'rb') as ft, open(source_file, 'rb') as fs:\n    target_data = plistlib.load(ft)\n    source_data = plistlib.load(fs)\n\ntarget_data.setdefault('LaunchDaemons', {})[insert_key] = source_data\n\nwith open(target_file, 'wb') as f:\n    plistlib.dump(target_data, f, sort_keys=False)\n\n# 3. trollvnc\nsource_file = 'jb\/LaunchDaemons\/trollvnc.plist'\ninsert_key  = '\/System\/Library\/LaunchDaemons\/trollvnc.plist'\n\nwith open(target_file, 'rb') as ft, open(source_file, 'rb') as fs:\n    target_data = plistlib.load(ft)\n    source_data = plistlib.load(fs)\n\ntarget_data.setdefault('LaunchDaemons', {})[insert_key] = source_data\n\nwith open(target_file, 'wb') as f:\n    plistlib.dump(target_data, f, sort_keys=False)\n\n# send to apply\nos.system(&quot;tools\/sshpass -p 'alpine' scp -q -r -ostricthostkeychecking=false -ouserknownhostsfile=\/dev\/null -o StrictHostKeyChecking=no -P 2222 custom_26.1\/launchd.plist 'root@127.0.0.1:\/mnt1\/System\/Library\/xpc'&quot;)\nremote_cmd(&quot;\/bin\/chmod 0644 \/mnt1\/System\/Library\/xpc\/launchd.plist&quot;)\n# clean\nos.system(&quot;rm custom_26.1\/launchd.plist 2&gt;\/dev\/null&quot;)\n# ========= End of MAKE RUN bash, dropbear, trollvnc automatically when boot =========\n\n...\nremote_cmd(&quot;\/sbin\/halt&quot;)\n...\n<\/code><\/pre>\n<h1>\uccab\ubc88\uc9f8 \ubd80\ud305 \uc2dc\ub3c4<\/h1>\n<p>\uc774\uc81c \ubd80\ud305\uc774 \uc798\ub418\uae34 \ud558\uaca0\uc9c0\ub9cc,\n\uac80\uc740 \ubc30\uacbd\ud654\uba74\uc778 \uc14b\uc5c5 \uc2a4\ud06c\ub9b0\uc5d0\uc11c \ub118\uc5b4\uac08\ub824\uace0 \ud558\uba74 \ub9ac\uc2a4\ud504\ub9c1\ub418\uba74\uc11c \ub354\uc774\uc0c1 \ub118\uc5b4\uac00\uc9c0 \uc54a\ub294\ub2e4.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/image%205.png\" 
alt=\"image.png\"><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/image%206.png\" alt=\"image.png\"><\/p>\n<h1>Metal \uad6c\ud604<\/h1>\n<p>MetalTest\ub77c\ub294 \ud504\ub85c\uadf8\ub7a8\uc744 \ub9cc\ub4e4\uc5b4\uc11c \ud655\uc778\ud574\ubcf4\uba74, Metal\uc774 \uc9c0\uc6d0\ub418\uc9c0 \uc54a\ub294\ub2e4\uace0 \ub098\uc628\ub2e4.<\/p>\n<pre><code class=\"language-python\">#import &lt;stdio.h&gt;\n#import &lt;Metal\/Metal.h&gt;\n#import &lt;Foundation\/Foundation.h&gt;\n\nint main(int argc, char *argv[], char *envp[]) {\n    id&lt;MTLDevice&gt; device = MTLCreateSystemDefaultDevice();\n    NSLog(@&quot;device: %@&quot;, device);\n\n    if (device) {\n        NSLog(@&quot;Metal Device Create Success: %@&quot;, [device name]);\n    } else {\n        NSLog(@&quot;Metal Not Supported!&quot;);\n    }\n\n    return 0;\n}\n<\/code><\/pre>\n<ul>\n<li>\uc2e4\ud589 \uacb0\uacfc<\/li>\n<\/ul>\n<pre><code class=\"language-python\">-bash-4.4# .\/MetalTest \n2026-02-08 22:49:02.293 MetalTest[633:9434] device: (null)\n2026-02-08 22:49:02.294 MetalTest[633:9434] Metal Not Supported!\n-bash-4.4# sysctl kern.version\nkern.version: Darwin Kernel Version 25.1.0: Thu Oct 23 11:11:48 PDT 2025; root:xnu-12377.42.6~55\/RELEASE_ARM64_VRESEARCH1\n<\/code><\/pre>\n<p>\uc6d0\ub798\ub77c\uba74, \uc544\ub798\uc640 \uac19\uc740 \uacb0\uacfc\uac00 \ub098\uc640\uc57c\ud588\uc744 \uac83\uc774\ub2e4.<\/p>\n<pre><code class=\"language-python\">seo@seos-Virtual-Machine Desktop % sysctl kern.version\nkern.version: Darwin Kernel Version 25.0.0: Mon Aug 25 21:17:21 PDT 2025; root:xnu-12377.1.9~3\/RELEASE_ARM64_VMAPPLE\nseo@seos-Virtual-Machine Desktop % .\/MetalTest        \n2026-02-08 23:16:56.846 MetalTest[682:5810] device: &lt;AppleParavirtDevice: 0x102c48fe0&gt;\n    name = Apple Paravirtual device\n2026-02-08 23:16:56.847 MetalTest[682:5810] Metal Device Create Success: Apple Paravirtual 
device\nseo@seos-Virtual-Machine Desktop % \n<\/code><\/pre>\n<p><code>ioreg -l<\/code>\ub85c \ud655\uc778\ud574\ubcf4\uba74, \ubcf4\ub2e4\uc2dc\ud53c \ucee4\ub110\uc0c1\uc5d0\uc11c\ub294 AppleParavirtGPU\ub97c \uc778\uc2dd\ud558\uace0 \uc788\uc5c8\ub2e4.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/image%207.png\" alt=\"image.png\"><\/p>\n<p>\uc544\uc774\ud328\ub4dc7\uc138\ub300\/iOS 16.6.1\uc5d0\uc11c \ud655\uc778\ud574\ubcf4\uba74 <code>MTLCreateSystemDefaultDevice<\/code> \ud568\uc218\ub97c \ud638\ucd9c\ud560\ub54c, \ub0b4\ubd80\uc801\uc73c\ub85c <code>AGXMetalA10<\/code>\uc774\ub77c\ub294 \ud2b9\uc815 \ub77c\uc774\ube0c\ub7ec\ub9ac\ub97c \ud1b5\ud574\uc11c IOGPU \ub4dc\ub77c\uc774\ubc84\uc5d0 \uc811\uadfc\ud55c\ub2e4. \ud574\ub2f9 <code>AGXMetalA10<\/code> \ub77c\uc774\ube0c\ub7ec\ub9ac\ub294 \/System\/Library\/Extensions\uc5d0 \uc788\ub2e4.<\/p>\n<p>\uc5ec\uae30\uc11c \uac11\uc790\uae30 \ub5a0\uc624\ub978 \uc0dd\uac01\uc740 \uac00\uc0c1\uc544\uc774\ud3f0\uc5d0\ub3c4 \uc4f0\uc774\ub294 GPU\/Metal \uad00\ub828 \ub77c\uc774\ube0c\ub7ec\ub9ac\uac00 \uc788\uc9c0 \uc54a\uc744\uae4c?<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/image%208.png\" alt=\"image.png\"><\/p>\n<p>\ud574\ub2f9\uacbd\ub85c\ub97c PCC \uac00\uc0c1\uba38\uc2e0\uc5d0\uc11c \ud655\uc778\ud574\ubcf4\uba74 7\uac1c\uc758 \ud30c\uc77c\ub4e4\uc774 \uc874\uc7ac\ud55c\ub2e4.<\/p>\n<p>PCC\uc5d0 \uc0ac\uc6a9\ub418\ub294 \/System\/Library\/Extensions\/AppleParavirtGPUMetalIOGPUFamily.bundle\uc744 \uadf8\ub300\ub85c \uac00\uc0c1\uc544\uc774\ud3f0\uc5d0 \uac00\uc838\ub2e4\ub193\uc544\ubcf4\uc558\ub2e4. 
(SSH Ramdisk \uc0ac\uc6a9\ud568)<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/image%209.png\" alt=\"image.png\"><\/p>\n<p>MetalTest\ub97c \ub2e4\uc2dc \ud655\uc778\ud574\ubcf4\uba74, \uc81c\ub300\ub85c <code>MTLCreateSystemDefaultDevice<\/code> \ud568\uc218\uac00 \uc798 \uc791\ub3d9\ud55c\ub2e4.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/image%2010.png\" alt=\"image.png\"><\/p>\n<p>\uadf8\ub7ec\ub098 \ud2b9\uc815 dylib \ud30c\uc77c\uc774 \uc544\uc774\ud3f016 \ubaa8\ub378\uc758 dsc\uc5d0\ub294 \uc874\uc7ac\ud558\uc9c0 \uc54a\uae30 \ub54c\ubb38\uc5d0, pcc\uc5d0 \uc788\ub294 dsc\ub97c \ub530\ub85c \ub9ac\ubc84\uc2f1\ud574\uc11c \uad6c\ud604\ud574\uc904 \ud544\uc694\uac00 \uc788\uc5c8\ub2e4.<\/p>\n<ul>\n<li>\/System\/Library\/Extensions\/AppleParavirtGPUMetalIOGPUFamily.bundle\/libAppleParavirtCompilerPluginIOGPUFamily.dylib<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/Screenshot_2026-02-25_at_1.19.40_PM.png\" alt=\"Screenshot 2026-02-25 at 1.19.40\u202fPM.png\"><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/image%2011.png\" alt=\"image.png\"><\/p>\n<h1>\ub450\ubc88\uc9f8 \ubd80\ud305 \uc2dc\ub3c4<\/h1>\n<p>\uad6c\ud604\ud558\uace0 \ub098\uba74, \uc774\uc81c \ubc30\uacbd\uc774 \uc788\ub294 \uc14b\uc5c5 \ud654\uba74\uc744 \ubc18\uaca8\uc900\ub2e4.<\/p>\n<p>\ud648\ubc84\ud2bc\uc744 \uc81c\ub300\ub85c \uad6c\ud604\ud560 \uc218\uac00 \uc5c6\uae30 \ub54c\ubb38\uc5d0 \uc784\uc2dc\ubc29\ud3b8\uc73c\ub85c iproxy\/vnc\ub97c \ud1b5\ud574 \uc870\uc791\ud558\uc5ec \ud574\uacb0\ud558\uc600\ub2e4.<\/p>\n<p><img decoding=\"async\" 
src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/image%2012.png\" alt=\"image.png\"><\/p>\n<h1>\ud638\ud658\uc131<\/h1>\n<p>\uc560\ud50c \uc2e4\ub9ac\ucf58 \ub9e5\uc5d0\uc11c\ub9cc \ud638\ud658\ub418\uba70, \uc791\ub3d9 \ud655\uc778\ub41c \uae30\uae30\/\ubc84\uc804\uc740 \ub2e4\uc74c\uacfc \uac19\uc558\ub2e4.<\/p>\n<ul>\n<li>Apple M3, 16G RAM, Sequoia 15.7.4<\/li>\n<li>Apple M1 Pro, 32G RAM, Tahoe 26.3<\/li>\n<\/ul>\n<p>\uc544\ub9c8 pccvre \uc9c0\uc6d0\ud558\ub294 \ub300\uc0c1\uc774\uba74, \uc804\ubd80 \ub2e4 \ub418\uc9c0 \uc54a\uc744\uae4c \uc608\uc0c1\ud574\ubcf8\ub2e4.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/image%2013.png\" alt=\"\ucd9c\ucc98: https:\/\/security.apple.com\/documentation\/private-cloud-compute\/vresetup\"><\/p>\n<p>\ucd9c\ucc98: <a href=\"https:\/\/security.apple.com\/documentation\/private-cloud-compute\/vresetup\">https:\/\/security.apple.com\/documentation\/private-cloud-compute\/vresetup<\/a><\/p>\n<h2>Sequoia\uc5d0\uc11c \ud130\uce58 \uc0c1\ud638\uc791\uc6a9 \uac00\ub2a5\ud558\uac8c \ub9cc\ub4e4\uae30<\/h2>\n<p>Tahoe 26\ubc84\uc804\uacfc\ub294 \ub2ec\ub9ac VZVirtualMachineView \uac1d\uccb4\ub9cc\uc73c\ub85c\ub294 \ud130\uce58 \uc0c1\ud638\uc791\uc6a9\uc774 \uc548\ub418\uae30 \ub54c\ubb38\uc5d0\n\ub9c8\uc6b0\uc2a4 \uc791\ub3d9\ud568\uc218 \uad00\ub828\ud574\uc11c \uc624\ubc84\ub77c\uc774\ub529\uc774 \ud544\uc694\ud558\uc600\ub2e4.<\/p>\n<p><a href=\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/super-tart-vphone-writeup\/main\/contents\/ScreenSharingVNC.swift\">ScreenSharingVNC.swift<\/a><\/p>\n<h3>\ud504\ub85c\uc81d\ud2b8 
\uc18c\uc2a4\ucf54\ub4dc<\/h3>\n<ul>\n<li>https:\/\/github.com\/wh1te4ever\/super-tart-vphone<\/li>\n<\/ul>\n<\/div>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[72],"tags":[30,11,12,13,24],"class_list":["post-4101","post","type-post","status-publish","format-standard","hentry","category-realworld","tag-diary","tag-ios","tag-ios-kernel","tag-macos","tag-reversing"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/4101","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4101"}],"version-history":[{"count":2,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/4101\/revisions"}],"predecessor-version":[{"id":4104,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/4101\/revisions\/4104"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4101"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4101"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\
/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4101"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}