This repository has been archived by the owner on Apr 14, 2023. It is now read-only.

Process 1 exec of /sbin/launchd failed, errno 86 #44

Closed
iarchiveml opened this issue Apr 1, 2022 · 38 comments

Comments

@iarchiveml

iarchiveml commented Apr 1, 2022

I am trying to boot iOS 14.0 (18A188 InternalUI) in the emulator.
Error log:

Loading iOS 14.0...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00a4cd4f0
KPF: found apfs_vfsop_mount
KPF: found handle_eval_rootauth
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff007b5d718
kpf_amfi_callback: Found lookup_in_static_trust_cache
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Routine)
kpf_amfi_callback: start @ 0xfffffff0097edcb8
kpf_amfi_callback: Found lookup_in_trust_cache_module
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
Qemu FB realize
g_virt_base: 0xfffffff004000000
g_phys_base: 0x0000000802000000
entry: 0x00000008061204e8
boot_mode: 0
auto-boot=true
cmdline: [debug=0x14e kextlog=0xffff serial=3 -v wdt=-1 launchd_unsecure_cache=1]
iBoot version: qemu-t8030
Darwin Image4 Validator Version 3.0.0: Wed Aug 12 22:19:21 PDT 2020; root:AppleImage4-106.0.4.0.1~129/AppleImage4/RELEASE_ARM64E
AMFI is running in RESEARCH mode!
AUC:[0xffffffe19b9f47e0]::init(0xffffffe19ba323c8)

AUC:[0xffffffe19b9f47e0]::probe(0xffffffe19b7c1ea0, 0xffffffe80e3abdac)

AppleCredentialManager: init: called, instance = .
ACMFirstResponderKernelService: init: called, .
ACMRM-S: init: called, starting PersistentStore service.
ACMRM-C: init: called, starting AccessoryCache service.
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache size = 16 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache expiration = 2592000 (default).
ACMRM: init: called, starting TRM service.
ACMRM-A: init: called, starting TRM Analytics service.
ACMKernelService: initValueFromBootArgAliasesUInt32: analytics collection period = 86400 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: policy mode timeout = 259200 (default).
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: (bounded) grace period timeout = 3600 (default).
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: enabled = 1 (default).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO* BtArg=NO LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO* LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _loadDisabledByOSEnvironment: disabled by OSEnvironment: NO.
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO LegHW=NO OSEnv=NO* | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200.
ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(n=1) while DISABLED, TRM: 259200 -/ff 4294967295 -/ff miss=ff (CUR: 259200 -/ff 4294967295 -/ff).
AppleCredentialManager: init: returning, result = true, instance = .
AppleARMBootPerf: Error: profile region not found (2)
AppleARMBootPerf: Error: failed to publish profile data (2)
virtual bool CoreAnalyticsHub::start(IOService *)::105:CoreAnalyticsHub start
AppleSSE::start called
AppleSSE::start returning, result = 1
AUC:[0xffffffe19b9f47e0]::start(0xffffffe19b7c1ea0)

AppleSEPKeyStore:321:0: starting (BUILT: Aug 12 2020 22:51:30)
AppleSEPKeyStore:545:0: _sep_enabled = 1
AppleCredentialManager: start: called, instance = .
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleCredentialManager: start: initializing power management, instance = .
AppleCredentialManager: start: started, instance = .
AppleCredentialManager: start: returning, result = true, instance = .
AppleInterruptController::start: Num Shared Timestamps == 0
AppleGPIOICController::start: this: , _gpioicBaseAddress:
AppleS8000AES::start: registers at phys:0x0x235008000/0x0x23d2d0000 virt:0x/0x0x4000 / 0x/0x0x4000
AppleGPIOICController::start: this: , _gpioicBaseAddress:
AppleGPIOICController::start: this: , _gpioicBaseAddress:
virtual bool AppleARMLightEmUp::start(IOService *): starting...
AppleS5L8960XUSBPhy::start: hsic disabled
000001.085722 wlan0.A[1] start@968:Default options property found with value 4
Creating an object of AppleBCMWLANPlatformFunctionEmbeddedAMFM class
000001.121777 wlan0.A[2] start@1401: Raised adjustBusy(+1), getBusyState() -> 1
000001.121898 wlan0.A[3] start@1403:Setting up notifier for CoreAnalyticsHub
000001.138758 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::prepareDefaults: model iPhone version 12.1
Identified Serial Port uart7 at 0x23521c000()
AppleA7IOPNub: withRegistryEntry, 47: allocated nub

Identified Serial Port uart0 at 0x235200000()
AppleA7IOPNub: withRegistryEntry, 47: allocated nub

RTBuddy(SMC): start() - (Aug 12 2020@22:50:37)
RTBuddy(ANS2): start() - (Aug 12 2020@22:50:37)
RTBuddy(SMC): Boot args override: wdt = -1
RTBuddy(ANS2): Boot args override: wdt = -1
RTBuddy(ANS2): Resuming...

RTBuddy(SMC): Resuming...

Starting AppleSMC kext() - (Aug 12 2020@22:51:44)
000001.210077 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
AppleSMCEmbedded::setPowerState(): ENTER powerStateOrdinal=1, _activeKeyCommand=0 newState=1
AppleA7IOPNub: withRegistryEntry, 47: allocated nub

virtual IOService AppleANS2NVMeController::probe(IOService , SInt32 )::194:Found (ANS2) provider, returning score 100000
000001.217358 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
RTBuddy(SIO): start() - (Aug 12 2020@22:50:37)
RTBuddy(SIO): Boot args override: wdt = -1
virtual bool AppleANS2NVMeController::start(IOService )::394:Found the ANS2Endpoint1
bool AppleEmbeddedNVMeController::SetNamespacesStruct()::186:Obtained 7 namespaces from DT
virtual IOFilterInterruptEventSource AppleANS2NVMeController::CreateDeviceInterrupt(IOInterruptEventSource::Action, IOFilterInterruptEventSource::Filter, IOService )::2719:ANS2 NVMe interrupt index - 0x4
LPM: Log data is NOT valid. 0x0 0x0
AppleDialogSPMIPMU::start: Primary PMU detected
AppleARMRTC started!#####
AppleDialogSPMIPMURTC started!

Failed to read info-leg_scrpad/Library/Caches/com.apple.xbs/Sources/AppleSMC/AppleSMC-589.0.5/AppleSMCEmbeddedCharger/AppleSMCCharger.cpp:408 _setPowerStateGated() ENTER powerStateOrdinal=1, _powerState=1
AppleDialogSPMIPMURTC tick read!&&&&&&&
AppleDialogSPMIPMURTC ending!%%%
AppleARMRTC registering service!@@@@@@
AppleARMRTC service registered!$$$$$
AppleARMRTC publishing service!^^^^^^
apfs_module_start:2411: load: com.apple.filesystems.apfs, v1677.0.5, apfs-1677.0.5, 2020/08/12
com.apple.AppleFSCompressionTypeZlib kmod start
apfs_sysctl_register:1253: done registering sysctls.
com.apple.AppleFSCompressionTypeZlib load succeeded
L2TP domain init
L2TP domain init complete
Load request for com.apple.nke.pptp failed: -603946998
Waiting on IOProviderClassIOMediaIOPropertyMatchPartition ID0x1
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=0 entrysize=64
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=1 entrysize=128
ANS2: MMIO write to unknown vendor register, offset=0x1210 value=0x240024, returning
ANS2: MMIO write to unknown vendor register, offset=0x24004 value=0x1000, returning
ANS2: MMIO write to unknown vendor register, offset=0x24008 value=0x0, returning
ANS2: MMIO write to unknown vendor register, offset=0x24118 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24108 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24420 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24414 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x2441c value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24418 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24144 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24524 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24508 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24504 value=0x10002, returning
virtual void AppleANS2NVMeController::SetModeselRegister(uint32_t)::1186:Setting modesel to 0
ANS2: MMIO write to unknown vendor register, offset=0x1304 value=0x0, returning
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1964:nvme: Vendor ID : 0x1b36
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1965:nvme: Model Number : QEMU NVMe Ctrl
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1966:nvme: Serial Number : QEMUT8030ANS
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1967:nvme: Firmware Rev : 1.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2000:nvme: S3E A0 Invalid 1x slc 1D 0 plane 128GB NAND
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2009:ECCVersion : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2010:FTL Rev : 0.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2011:DM_Version : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2012:=======================
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2019:Found 16 namespaces in current NAND
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[1] as nstype[1]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[2] as nstype[2]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[3] as nstype[3]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[4] as nstype[4]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[5] as nstype[5]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[6] as nstype[6]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[7] as nstype[8]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[8] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[9] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[10] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[11] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[12] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[13] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[14] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[15] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[16] as nstype[0]
bool AppleEmbeddedNVMeController::SetSwapWriteLimit(uint32_t)::2192: Swap limit set to 2147483648bytes, 2GB
uint32_t AppleEmbeddedNVMeNVRAM::GetNVRAMSize()::745:NVRAM size is 8192 bytes
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1578:allocateAll 1
dev_init:297: disk0 device accelerated crypto: 0 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0 device_handle block size 512 block count 67108864 features 0 internal
nx_kernel_mount:1134: disk0 initializing cache w/hash_size 4096 and cache size 10064
nx_kernel_mount:1402: disk0 checkpoint search: largest xid 355, best xid 355 @ 33
import_iboot_forwarded_roothash:2577: importing root hash ...
apfs_extract_root_hash_arm:10001: could not retrieve system-volume-auth-blob from device tree
import_iboot_forwarded_roothash:2580: apfs_extract_root_hash_and_manifest failed with error: No such file or directory (2)
Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOGUIDPartitionScheme/Untitled 1@1
BSD root: disk0s1, major 1, minor 1
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 2, NSTYPE - 2
apfs_vfsop_mountroot:2188: apfs: mountroot called!
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 512 block count 67108864 features 22 internal solidstate
nx_kernel_mount:1134: disk0s1 initializing cache w/hash_size 4096 and cache size 10064
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 3, NSTYPE - 3
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 6, NSTYPE - 6
[effaceable:ERR ] unable to find content
[effaceable:INIT] started
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 7, NSTYPE - 8
virtual IOReturn AppleNVMeNamespaceDevice::GetDeviceProperties()::269: Logical Blocks Size = 512
virtual IOReturn AppleNVMeNamespaceDevice::GetDeviceProperties()::272: Block Count = 2048
virtual bool AppleNVMeNamespaceDevice::start(IOService *)::111:NVMe Namespace Device registration done for NSID: 7, NSTYPE: 8
virtual bool AppleEmbeddedNVMeController::StartController()::1547:Setting NAND status to Ready
nx_kernel_mount:1402: disk0s1 checkpoint search: largest xid 355, best xid 355 @ 33
apfs_vfsop_mount:1848: Promoter has been locked for disk0s1
failed to find root-snapshot-name snapshot
handle_mount:627: vol-uuid: 5133F48D-5D9E-499B-A8BA-45E692E36FD9 block size: 4096 block count: 8388608 (unencrypted; flags: 0x1; features: 8.0.12)
handle_mount:640: setting dev block size to 4096 from 512
nx_volume_group_update:6634: Volume System is not in a volume group
apfs_vfsop_mount:2171: disk0s1s1:0 mounted volume: System
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleT8030PMGR
panic(cpu 0 caller 0xfffffff007e63dfc): "Process 1 exec of /sbin/launchd failed, errno 86"
Debugger message: panic
Memory ID: 0x0
OS release type: Not set yet
OS version: Not set yet
Kernel version: Darwin Kernel Version 20.0.0: Wed Aug 12 22:56:55 PDT 2020; root:xnu-7195.0.33~64/RELEASE_ARM64_T8030
Kernel UUID: FDDAF386-4EA2-35FC-8235-1F167AEFD6F3
iBoot version: qemu-t8030
secure boot?: YES
Paniclog version: 13
Kernel text base: 0xfffffff007004000
mach_absolute_time: 0x3a68cda
Epoch Time: sec usec
Boot : 0x62471b68 0x00092c8a
Sleep : 0x00000000 0x00000000
Wake : 0x00000000 0x00000000
Calendar: 0x62471b69 0x000da7c4

Panicked task 0xffffffe19b795f40: 1 pages, 1 threads: pid 1: init
Panicked thread: 0xffffffe19ba185d0, backtrace: 0xffffffe8139e37f0, tid: 358
lr: 0xfffffff007a2af48 fp: 0xffffffe8139e3830
lr: 0xfffffff007a2ad48 fp: 0xffffffe8139e38a0
lr: 0xfffffff007b64940 fp: 0xffffffe8139e38c0
lr: 0xfffffff007b56e1c fp: 0xffffffe8139e3980
lr: 0xfffffff00811c5f4 fp: 0xffffffe8139e3990
lr: 0xfffffff007a2aa30 fp: 0xffffffe8139e3d10
lr: 0xfffffff007a2aa30 fp: 0xffffffe8139e3d70
lr: 0xfffffff0097db97c fp: 0xffffffe8139e3d90
lr: 0xfffffff007e63dfc fp: 0xffffffe8139e3e40
lr: 0xfffffff007e2fea0 fp: 0xffffffe8139e3e60
lr: 0xfffffff007a21b7c fp: 0xffffffe8139e3e90
lr: 0xfffffff00811caec fp: 0xffffffe8139e3ea0
lr: 0xfffffff007a61fd0 fp: 0xffffffe8139e3f00
lr: 0xfffffff00812495c fp: 0x0000000000000000

** Stackshot Succeeded ** Bytes Traced 10867 (Uncompressed 36160) **
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleT8030PMGR
wdog panic (attempt 1)
Boot command:

../qemu-system-aarch64 -accel tcg,tb-size=8192 -s \
  -M t8030,trustcache-filename=static_tc,ticket-filename=root_ticket.der \
  -kernel kernelcache.research.iphone12b \
  -dtb Firmware/all_flash/DeviceTree.n104ap.im4p \
  -append "debug=0x14e kextlog=0xffff serial=3 -v wdt=-1 launchd_unsecure_cache=1" \
  -initrd 038-44135-124.dmg \
  -cpu max -smp 4 \
  -m 4G -serial mon:stdio \
  -drive file=disk.1,format=raw,if=none,id=drive.1 \
  -device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1 \
  -drive file=nvme.2,format=raw,if=none,id=drive.2 \
  -device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2 \
  -drive file=nvme.3,format=raw,if=none,id=drive.3 \
  -device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3 \
  -drive file=nvme.4,format=raw,if=none,id=drive.4 \
  -device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4 \
  -drive file=nvram,if=none,format=raw,id=nvram \
  -device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram \
  -drive file=nvme.6,format=raw,if=none,id=drive.6 \
  -device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6 \
  -drive file=nvme.7,format=raw,if=none,id=drive.7 \
  -device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8 \
  -monitor telnet:127.0.0.1:1235,server,nowait

With blocksize set to 4096, I get mount errors.

@TrungNguyen1909
Owner

errno 86 is EBADARCH. You are running a binary that is likely built for a different kernel.

@iarchiveml
Author

That's odd, the 18A188 dump was from an iPhone 11

@asdfugil

asdfugil commented Apr 17, 2022

I believe this is due to the changes in arm64e between iOS 13 and 14 (it affected tweaks, look it up). Unfortunately, the iOS 13.7 kernel does not boot in this emulator:

Loading iOS 13.7...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00963b4f0
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff007d01c04
kpf_amfi_callback: Found lookup_in_static_trust_cache
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Routine)
kpf_amfi_callback: start @ 0xfffffff009288884
kpf_amfi_callback: Found lookup_in_trust_cache_module
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
Qemu FB realize
g_virt_base: 0xfffffff004000000
g_phys_base: 0x0000000802000000
entry: 0x000000080620c4f0
boot_mode: 0
auto-boot=true
cmdline: [kextlog=0xffff debug=0x14e -v launchd_missing_exec_no_panic=1 serial=3 keepsyms=1 launchd_unsecure_cache=1 wdt=-1]
iBoot version: qemu-t8030
corecrypto_kext_start called
FIPSPOST_KEXT [20321624] fipspost_post:156: PASSED: (3 ms) - fipspost_post_integrity
FIPSPOST_KEXT [20375219] fipspost_post:162: PASSED: (1 ms) - fipspost_post_hmac
FIPSPOST_KEXT [20394743] fipspost_post:163: PASSED: (0 ms) - fipspost_post_aes_ecb
FIPSPOST_KEXT [20414265] fipspost_post:164: PASSED: (0 ms) - fipspost_post_aes_cbc
FIPSPOST_KEXT [21293665] fipspost_post:165: PASSED: (36 ms) - fipspost_post_rsa_sig
FIPSPOST_KEXT [21664548] fipspost_post:166: PASSED: (15 ms) - fipspost_post_ecdsa
FIPSPOST_KEXT [21737193] fipspost_post:167: PASSED: (2 ms) - fipspost_post_ecdh
FIPSPOST_KEXT [21753870] fipspost_post:168: PASSED: (0 ms) - fipspost_post_drbg_ctr
FIPSPOST_KEXT [21789997] fipspost_post:169: PASSED: (1 ms) - fipspost_post_aes_ccm
FIPSPOST_KEXT [21830713] fipspost_post:171: PASSED: (1 ms) - fipspost_post_aes_gcm
FIPSPOST_KEXT [21858866] fipspost_post:172: PASSED: (0 ms) - fipspost_post_aes_xts
FIPSPOST_KEXT [21902352] fipspost_post:173: PASSED: (1 ms) - fipspost_post_tdes_cbc
FIPSPOST_KEXT [21931828] fipspost_post:174: PASSED: (0 ms) - fipspost_post_drbg_hmac
FIPSPOST_KEXT [21940653] fipspost_post:197: all tests PASSED (71 ms)
AUC[<ptr>]::init(<ptr>)
AUC[<ptr>]::probe(<ptr>, <ptr>)
AppleCredentialManager: init: called, instance = <ptr>.
ACMFirstResponderKernelService: init: called, .
ACMRM-S: init: called, starting PersistentStore service.
ACMRM-C: init: called, starting AccessoryCache service.
ACMRM-C: _loadAccCacheSize: acc-cache size = 16 (from 'acm_trm_acc_cache_size' boot-arg: NO).
ACMRM-C: _loadAccCacheExpiration: acc-cache expiration = 2592000 (from 'acm_trm_acc_cache_expiration' boot-arg: NO).
ACMRM: init: called, starting TRM service, EN=YES, KB_OBS=YES.
ACMRM: _loadRestrictedModeForceEnable: restricted mode force-enabled = 0 .
ACMRM-A: init: called, starting TRM Analytics service.
ACMRM-A: _loadAnalyticsCollectionPeriod: analytics collection period = 86400 .
ACMRM: _loadStandardModeTimeout: standard mode timeout = 259200 .
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMRM: _loadGracePeriodTimeout: device lock timeout = 3600 .
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: BtArg=NO* OSEnv=NO MngCo=NO DwnOS=NO ChkBd=NO).
ACMRM: _loadDisabledByOSEnvironment: disabled by OSEnvironment: NO.
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: BtArg=NO OSEnv=NO* MngCo=NO DwnOS=NO ChkBd=NO).
ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200.
ACMRM: _mapAndPublishTRM: set TRM_GracePeriodTimeout = 3600.
ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(n=2) while DISABLED, TRM: 259200 -/ff 3600 -/ff miss=ff (CUR: 259200 -/ff 3600 -/ff).
AppleCredentialManager: init: returning, result = true, instance = <ptr>.
Darwin Image4 Validator Version 2.2.0: Sat Jul 11 00:57:01 PDT 2020; root:AppleImage4-61.60.4~3445/AppleImage4/RELEASE_ARM64E
AppleT803xIO::start: chip-revision: B0
AppleT803xIO::start: this: <ptr>, ACCE virt addr: <ptr>, phys addr: 0x210f00000
AppleT803xIO::start: this: <ptr>, ACCP virt addr: <ptr>, phys addr: 0x211f00000
virtual bool CoreAnalyticsHub::start(IOService *)::105:CoreAnalyticsHub start
AppleSSE::start called
AppleSSE::start returning, result = 1
AUC[<ptr>]::start(<ptr>)
AppleKeyStore starting (BUILT: Jul 11 2020 02:04:15)
AppleSEPKeyStore::start: _sep_enabled = 1
AppleCredentialManager: start: called, instance = <ptr>.
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleCredentialManager: start: initializing power management, instance = <ptr>.
AppleCredentialManager: start: started, instance = <ptr>.
AppleCredentialManager: start: returning, result = true, instance = <ptr>.
AppleInterruptController::start: _aicVersion = 2 _aicBaseAddress = 0x<ptr> _aicNumExtInts = 0x00000240 _aicNumIPIs = 0x00000008
AppleInterruptController::start: Num Shared Timestamps == 0
panic(cpu 0 caller 0xfffffff008639c84): "ApplePMGR: virtual void ApplePMGR::initDriver(IOService *):720 REQUIRE failed: found"@/Library/Caches/com.apple.xbs/Sources/ApplePMGR/ApplePMGR-527.100.13/ApplePMGR/ApplePMGR.cpp:720
Debugger message: panic
Memory ID: 0x0
OS version: Not set yet
Kernel version: Darwin Kernel Version 19.6.0: Sat Jul 11 00:59:26 PDT 2020; root:xnu-6153.142.1~8/RELEASE_ARM64_T8030
Kernel UUID: 49D21DDE-74B4-327B-948C-7CD318E0796D
iBoot version: qemu-t8030
secure boot?: YES
Paniclog version: 13
mach_absolute_time: 0x2199eaa
Epoch Time:        sec       usec
  Boot    : 0x00000000 0x00000000
  Sleep   : 0x00000000 0x00000000
  Wake    : 0x00000000 0x00000000
  Calendar: 0x00000000 0x00000000

Panicked task 0xffffffe000a1e430: 1314 pages, 84 threads: pid 0: kernel_task
Panicked thread: 0xffffffe000d7d540, backtrace: 0xffffffe06655b270, tid: 168
                  lr: 0xfffffff007be8810  fp: 0xffffffe06655b2b0
                  lr: 0xfffffff007be8664  fp: 0xffffffe06655b320
                  lr: 0xfffffff007d0872c  fp: 0xffffffe06655b340
                  lr: 0xfffffff007cfcc40  fp: 0xffffffe06655b3f0
                  lr: 0xfffffff008209598  fp: 0xffffffe06655b400
                  lr: 0xfffffff007be7f84  fp: 0xffffffe06655b770
                  lr: 0xfffffff007be8320  fp: 0xffffffe06655b7c0
                  lr: 0xfffffff00927b6b4  fp: 0xffffffe06655b7e0
                  lr: 0xfffffff008639c84  fp: 0xffffffe06655b810
                  lr: 0xfffffff008624aac  fp: 0xffffffe06655b990
                  lr: 0xfffffff0088ad1f8  fp: 0xffffffe06655ba20
                  lr: 0xfffffff00861d8ac  fp: 0xffffffe06655ba80
                  lr: 0xfffffff0081513e0  fp: 0xffffffe06655baf0
                  lr: 0xfffffff0081510f0  fp: 0xffffffe06655bbb0
                  lr: 0xfffffff00815028c  fp: 0xffffffe06655bc20
                  lr: 0xfffffff0081532cc  fp: 0xffffffe06655bc90
                  lr: 0xfffffff0082108cc  fp: 0x0000000000000000


** Stackshot Succeeded ** Bytes Traced 30176 **

Please go to https://panic.apple.com to report this panic

And trying to use the kernel included in that internal build causes a segfault after printing kernel low and high: core dump.
(Well, according to what I tried, the emulator does not work with iOS 15.0 and 15.4 development kernels either.)

try 18C57 instead with an iPhone 11 kernel
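
The two diagnoses above (TrungNguyen1909: errno 86 is EBADARCH, so the binary was built for a different kernel; asdfugil: the arm64e ABI changed between iOS 13 and 14) both come down to what the kernel reads out of the Mach-O header of /sbin/launchd before it refuses to exec it. The following C program is an added example, not code from the qemu-t8030 project or from anyone in this thread. It decodes the errno out of a panic string using Darwin's numbering (bsd/sys/errno.h), then parses thin and fat Mach-O headers and reports the cputype, the cpusubtype, and the arm64e feature bits that live in the top byte of the subtype (CPU_SUBTYPE_ARM64E, CPU_SUBTYPE_ARM64_PTR_AUTH_MASK and CPU_SUBTYPE_ARM64E_VERSIONED_ABI_MASK, with the values from xnu's osfmk/mach/machine.h). The two sample headers are constructed by hand for the demo, not dumped from a device, and the program only decodes what is in the header; it does not reproduce the kernel's own accept/reject policy for those bits.

```c
/* Added example (not code from the qemu-t8030 project): decode the errno in an XNU
 * "Process 1 exec of ... failed" panic and read the Mach-O header of the binary the kernel
 * tried to exec. Constants are xnu's (bsd/sys/errno.h, osfmk/mach/machine.h, mach-o/loader.h,
 * mach-o/fat.h) so this builds without an Apple SDK. Sample headers below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Darwin exec-loader errnos. Linux reuses 85-88 for unrelated errors: never use host strerror(). */
#define EBADEXEC   85   /* program loading errors */
#define EBADARCH   86   /* bad CPU type in executable */
#define ESHLIBVERS 87   /* shared library version mismatch */
#define EBADMACHO  88   /* malformed Mach-O file */
#define MH_MAGIC_64     0xfeedfacfu   /* thin 64-bit header, host-endian (LE on arm64) */
#define FAT_MAGIC       0xcafebabeu   /* fat header, always big-endian */
#define CPU_TYPE_ARM64  0x0100000cu   /* CPU_TYPE_ARM | CPU_ARCH_ABI64 */
#define CPU_SUBTYPE_MASK                      0xff000000u /* feature-flag bits of cpusubtype */
#define CPU_SUBTYPE_ARM64E                    2u
#define CPU_SUBTYPE_ARM64_PTR_AUTH_MASK       0x0f000000u /* ptrauth ABI version field */
#define CPU_SUBTYPE_ARM64E_VERSIONED_ABI_MASK 0x80000000u /* versioned arm64e ABI (iOS 14+) */

/* is_arm64e: subtype minus feature bits == ARM64E; versioned_abi: the iOS 14 ABI flag is set. */
struct arch_info { uint32_t cputype, cpusubtype; int is_arm64e, versioned_abi; unsigned ptrauth_version; };

const char *darwin_exec_errno_name(int e)
{
    static const char *names[] = { "EBADEXEC", "EBADARCH", "ESHLIBVERS", "EBADMACHO" };
    return (e >= EBADEXEC && e <= EBADMACHO) ? names[e - EBADEXEC] : "(not an exec-loader errno)";
}

/* Extract N from a panic string containing "errno N"; -1 if absent or malformed. */
int parse_panic_errno(const char *panic_line)
{
    const char *p = strstr(panic_line, "errno ");
    if (!p) return -1;
    char *end;
    long v = strtol(p + 6, &end, 10);
    return (end == p + 6 || v < 0 || v > 255) ? -1 : (int)v;
}

static uint32_t rd32(const uint8_t *p, int big_endian)
{
    if (big_endian) return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

static void fill_arch(struct arch_info *a, uint32_t cputype, uint32_t cpusubtype)
{
    a->cputype = cputype;
    a->cpusubtype = cpusubtype;
    a->is_arm64e = cputype == CPU_TYPE_ARM64 && (cpusubtype & ~CPU_SUBTYPE_MASK) == CPU_SUBTYPE_ARM64E;
    a->versioned_abi = a->is_arm64e && (cpusubtype & CPU_SUBTYPE_ARM64E_VERSIONED_ABI_MASK) != 0;
    a->ptrauth_version = a->versioned_abi ? (cpusubtype & CPU_SUBTYPE_ARM64_PTR_AUTH_MASK) >> 24 : 0;
}

/* Describe each slice of a thin 64-bit or fat Mach-O image: returns slices written to out (at
 * most max), or -1 for anything else. Every read is bounds-checked; the header is untrusted. */
int macho_arches(const uint8_t *buf, size_t len, struct arch_info *out, int max)
{
    if (len < 8) return -1;
    if (rd32(buf, 1) == FAT_MAGIC) {
        uint32_t n = rd32(buf + 4, 1);
        if (n > 64 || len < 8 + (size_t)n * 20) return -1;   /* sizeof(struct fat_arch) == 20 */
        int written = 0;
        for (uint32_t i = 0; i < n && written < max; i++)
            fill_arch(&out[written++], rd32(buf + 8 + i * 20, 1), rd32(buf + 12 + i * 20, 1));
        return written;
    }
    if (rd32(buf, 0) == MH_MAGIC_64 && len >= 32) {            /* sizeof(struct mach_header_64) == 32 */
        if (max < 1) return 0;
        fill_arch(&out[0], rd32(buf + 4, 0), rd32(buf + 8, 0));
        return 1;
    }
    return -1;
}

/* Constructed: thin arm64e MH_EXECUTE header with the versioned-ABI bit set (ptrauth version 0). */
const uint8_t sample_thin_arm64e[32] = {
    0xcf, 0xfa, 0xed, 0xfe,  0x0c, 0x00, 0x00, 0x01,  0x02, 0x00, 0x00, 0x80,  0x02, 0x00, 0x00, 0x00,
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  /* ncmds, sizeofcmds, flags, reserved */
};
/* Constructed: fat header, one arm64 slice plus one arm64e slice lacking the versioned-ABI bit. */
const uint8_t sample_fat[48] = {
    0xca, 0xfe, 0xba, 0xbe,  0x00, 0x00, 0x00, 0x02,  /* FAT_MAGIC, nfat_arch = 2 */
    0x01, 0x00, 0x00, 0x0c,  0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x40, 0x00,  0x00, 0x00, 0x40, 0x00,  0x00, 0x00, 0x00, 0x0e,
    0x01, 0x00, 0x00, 0x0c,  0x00, 0x00, 0x00, 0x02,  0x00, 0x00, 0x80, 0x00,  0x00, 0x00, 0x40, 0x00,  0x00, 0x00, 0x00, 0x0e,
};

int main(void)
{
    struct arch_info a[4];
    int e = parse_panic_errno("Process 1 exec of /sbin/launchd failed, errno 86");
    printf("errno %d = %s\n", e, darwin_exec_errno_name(e));
    for (int i = 0, n = macho_arches(sample_fat, sizeof sample_fat, a, 4); i < n; i++)
        printf("slice %d: subtype 0x%08x arm64e=%d versioned_abi=%d\n", i, a[i].cpusubtype, a[i].is_arm64e, a[i].versioned_abi);
    return 0;
}
```

To use it on a real image, mount the root DMG, read the first page of /sbin/launchd into a buffer and hand it to macho_arches(); the cputype/cpusubtype it prints are exactly the values the kernel's exec path grades, and an arm64e slice whose top subtype byte does not match what the booted kernel accepts is what surfaces as EBADARCH. Note that EBADARCH (86) sits between EBADEXEC (85) and EBADMACHO (88), so the number alone tells you the loader reached the architecture check and rejected the slice rather than failing to parse the file; decode it with Darwin's table, not the Linux host's strerror().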

@iarchiveml
Author

That firmware works?

@iarchiveml
Author

I believe this is due to the changes in arm64e between iOS 13 and 14 (it affected tweaks, look it up) Unfortunately the iOS 13.7 kernel does not boot in this emulator:

Loading iOS 13.7...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00963b4f0
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff007d01c04
kpf_amfi_callback: Found lookup_in_static_trust_cache
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Routine)
kpf_amfi_callback: start @ 0xfffffff009288884
kpf_amfi_callback: Found lookup_in_trust_cache_module
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
Qemu FB realize
g_virt_base: 0xfffffff004000000
g_phys_base: 0x0000000802000000
entry: 0x000000080620c4f0
boot_mode: 0
auto-boot=true
cmdline: [kextlog=0xffff debug=0x14e -v launchd_missing_exec_no_panic=1 serial=3 keepsyms=1 launchd_unsecure_cache=1 wdt=-1]
iBoot version: qemu-t8030
corecrypto_kext_start called
FIPSPOST_KEXT [20321624] fipspost_post:156: PASSED: (3 ms) - fipspost_post_integrity
FIPSPOST_KEXT [20375219] fipspost_post:162: PASSED: (1 ms) - fipspost_post_hmac
FIPSPOST_KEXT [20394743] fipspost_post:163: PASSED: (0 ms) - fipspost_post_aes_ecb
FIPSPOST_KEXT [20414265] fipspost_post:164: PASSED: (0 ms) - fipspost_post_aes_cbc
FIPSPOST_KEXT [21293665] fipspost_post:165: PASSED: (36 ms) - fipspost_post_rsa_sig
FIPSPOST_KEXT [21664548] fipspost_post:166: PASSED: (15 ms) - fipspost_post_ecdsa
FIPSPOST_KEXT [21737193] fipspost_post:167: PASSED: (2 ms) - fipspost_post_ecdh
FIPSPOST_KEXT [21753870] fipspost_post:168: PASSED: (0 ms) - fipspost_post_drbg_ctr
FIPSPOST_KEXT [21789997] fipspost_post:169: PASSED: (1 ms) - fipspost_post_aes_ccm
FIPSPOST_KEXT [21830713] fipspost_post:171: PASSED: (1 ms) - fipspost_post_aes_gcm
FIPSPOST_KEXT [21858866] fipspost_post:172: PASSED: (0 ms) - fipspost_post_aes_xts
FIPSPOST_KEXT [21902352] fipspost_post:173: PASSED: (1 ms) - fipspost_post_tdes_cbc
FIPSPOST_KEXT [21931828] fipspost_post:174: PASSED: (0 ms) - fipspost_post_drbg_hmac
FIPSPOST_KEXT [21940653] fipspost_post:197: all tests PASSED (71 ms)
AUC[<ptr>]::init(<ptr>)
AUC[<ptr>]::probe(<ptr>, <ptr>)
AppleCredentialManager: init: called, instance = <ptr>.
ACMFirstResponderKernelService: init: called, .
ACMRM-S: init: called, starting PersistentStore service.
ACMRM-C: init: called, starting AccessoryCache service.
ACMRM-C: _loadAccCacheSize: acc-cache size = 16 (from 'acm_trm_acc_cache_size' boot-arg: NO).
ACMRM-C: _loadAccCacheExpiration: acc-cache expiration = 2592000 (from 'acm_trm_acc_cache_expiration' boot-arg: NO).
ACMRM: init: called, starting TRM service, EN=YES, KB_OBS=YES.
ACMRM: _loadRestrictedModeForceEnable: restricted mode force-enabled = 0 .
ACMRM-A: init: called, starting TRM Analytics service.
ACMRM-A: _loadAnalyticsCollectionPeriod: analytics collection period = 86400 .
ACMRM: _loadStandardModeTimeout: standard mode timeout = 259200 .
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMRM: _loadGracePeriodTimeout: device lock timeout = 3600 .
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: BtArg=NO* OSEnv=NO MngCo=NO DwnOS=NO ChkBd=NO).
ACMRM: _loadDisabledByOSEnvironment: disabled by OSEnvironment: NO.
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: BtArg=NO OSEnv=NO* MngCo=NO DwnOS=NO ChkBd=NO).
ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200.
ACMRM: _mapAndPublishTRM: set TRM_GracePeriodTimeout = 3600.
ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(n=2) while DISABLED, TRM: 259200 -/ff 3600 -/ff miss=ff (CUR: 259200 -/ff 3600 -/ff).
AppleCredentialManager: init: returning, result = true, instance = <ptr>.
Darwin Image4 Validator Version 2.2.0: Sat Jul 11 00:57:01 PDT 2020; root:AppleImage4-61.60.4~3445/AppleImage4/RELEASE_ARM64E
AppleT803xIO::start: chip-revision: B0
AppleT803xIO::start: this: <ptr>, ACCE virt addr: <ptr>, phys addr: 0x210f00000
AppleT803xIO::start: this: <ptr>, ACCP virt addr: <ptr>, phys addr: 0x211f00000
virtual bool CoreAnalyticsHub::start(IOService *)::105:CoreAnalyticsHub start
AppleSSE::start called
AppleSSE::start returning, result = 1
AUC[<ptr>]::start(<ptr>)
AppleKeyStore starting (BUILT: Jul 11 2020 02:04:15)
AppleSEPKeyStore::start: _sep_enabled = 1
AppleCredentialManager: start: called, instance = <ptr>.
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleCredentialManager: start: initializing power management, instance = <ptr>.
AppleCredentialManager: start: started, instance = <ptr>.
AppleCredentialManager: start: returning, result = true, instance = <ptr>.
AppleInterruptController::start: _aicVersion = 2 _aicBaseAddress = 0x<ptr> _aicNumExtInts = 0x00000240 _aicNumIPIs = 0x00000008
AppleInterruptController::start: Num Shared Timestamps == 0
panic(cpu 0 caller 0xfffffff008639c84): "ApplePMGR: virtual void ApplePMGR::initDriver(IOService *):720 REQUIRE failed: found"@/Library/Caches/com.apple.xbs/Sources/ApplePMGR/ApplePMGR-527.100.13/ApplePMGR/ApplePMGR.cpp:720
Debugger message: panic
Memory ID: 0x0
OS version: Not set yet
Kernel version: Darwin Kernel Version 19.6.0: Sat Jul 11 00:59:26 PDT 2020; root:xnu-6153.142.1~8/RELEASE_ARM64_T8030
Kernel UUID: 49D21DDE-74B4-327B-948C-7CD318E0796D
iBoot version: qemu-t8030
secure boot?: YES
Paniclog version: 13
mach_absolute_time: 0x2199eaa
Epoch Time:        sec       usec
  Boot    : 0x00000000 0x00000000
  Sleep   : 0x00000000 0x00000000
  Wake    : 0x00000000 0x00000000
  Calendar: 0x00000000 0x00000000

Panicked task 0xffffffe000a1e430: 1314 pages, 84 threads: pid 0: kernel_task
Panicked thread: 0xffffffe000d7d540, backtrace: 0xffffffe06655b270, tid: 168
                  lr: 0xfffffff007be8810  fp: 0xffffffe06655b2b0
                  lr: 0xfffffff007be8664  fp: 0xffffffe06655b320
                  lr: 0xfffffff007d0872c  fp: 0xffffffe06655b340
                  lr: 0xfffffff007cfcc40  fp: 0xffffffe06655b3f0
                  lr: 0xfffffff008209598  fp: 0xffffffe06655b400
                  lr: 0xfffffff007be7f84  fp: 0xffffffe06655b770
                  lr: 0xfffffff007be8320  fp: 0xffffffe06655b7c0
                  lr: 0xfffffff00927b6b4  fp: 0xffffffe06655b7e0
                  lr: 0xfffffff008639c84  fp: 0xffffffe06655b810
                  lr: 0xfffffff008624aac  fp: 0xffffffe06655b990
                  lr: 0xfffffff0088ad1f8  fp: 0xffffffe06655ba20
                  lr: 0xfffffff00861d8ac  fp: 0xffffffe06655ba80
                  lr: 0xfffffff0081513e0  fp: 0xffffffe06655baf0
                  lr: 0xfffffff0081510f0  fp: 0xffffffe06655bbb0
                  lr: 0xfffffff00815028c  fp: 0xffffffe06655bc20
                  lr: 0xfffffff0081532cc  fp: 0xffffffe06655bc90
                  lr: 0xfffffff0082108cc  fp: 0x0000000000000000


** Stackshot Succeeded ** Bytes Traced 30176 **

Please go to https://panic.apple.com to report this panic

And trying to use the kernel included in that internal build causes a segfault after printing kernel low and high: core dump (well, according to what I tried, the emulator does not work with iOS 15.0 and 15.4 development kernels either)

try 18C57 instead with an iPhone 11 kernel

18C57 is an iPhone 12 Pro firmware; can you go into more detail?

@asdfugil

asdfugil commented Apr 17, 2022


I'm not aware of any way of downloading a > 5GB file from MEGA on Linux because that's the transfer limit

@iarchiveml
Author

You could probably use a VPN

@iarchiveml
Author

I forgot to mention, the leaked dump on my website doesn't have files in /private

@asdfugil

I forgot to mention, the leaked dump on my website doesn't have files in /private

I have an 18A188 dump with /private, no problem.

@iarchiveml
Author

You should give it a try

@asdfugil

asdfugil commented Apr 17, 2022

18C57... almost
fud fails

Loading iOS 14.3...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff009c5c488
KPF: found apfs_vfsop_mount
KPF: found handle_eval_rootauth
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff007b8f844
kpf_amfi_callback: Found lookup_in_static_trust_cache
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Routine)
kpf_amfi_callback: start @ 0xfffffff00988dfb4
kpf_amfi_callback: Found lookup_in_trust_cache_module
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
Qemu FB realize
g_virt_base: 0xfffffff004000000
g_phys_base: 0x0000000802000000
entry: 0x00000008061644e8
boot_mode: 0
auto-boot=true
cmdline: [kextlog=0xffff debug=0x14e -v launchd_missing_exec_no_panic=1 serial=3 keepsyms=1 launchd_unsecure_cache=1 wdt=-1]
iBoot version: qemu-t8030
Darwin Image4 Validator Version 3.1.0: Thu Nov 12 23:51:05 PST 2020; root:AppleImage4-106.40.12~2955/AppleImage4/RELEASE_ARM64E
AMFI is running in RESEARCH mode!
AUC:[0xffffffe4cdc0c500]::init(0xffffffe19b8a1c70)

AUC:[0xffffffe4cdc0c500]::probe(0xffffffe4cdd96120, 0xffffffe808393dac)

AppleCredentialManager: init: called, instance = <ptr>.
ACMFirstResponderKernelService: init: called, .
ACMRM-S: init: called, starting PersistentStore service.
ACMRM-C: init: called, starting AccessoryCache service.
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache size = 16 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache expiration = 2592000 (default).
ACMRM: init: called, starting TRM service.
ACMRM-A: init: called, starting TRM Analytics service.
ACMKernelService: initValueFromBootArgAliasesUInt32: analytics collection period = 86400 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: policy mode timeout = 259200 (default).
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: (bounded) grace period timeout = 3600 (default).
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: enabled = 1 (default).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO* BtArg=NO LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO* LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _loadDisabledByOSEnvironment: disabled by OSEnvironment: NO.
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO LegHW=NO OSEnv=NO* | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200.
ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(n=1) while DISABLED, TRM: 259200 -/ff 4294967295 -/ff miss=ff (CUR: 259200 -/ff 4294967295 -/ff).
AppleCredentialManager: init: returning, result = true, instance = <ptr>.
AppleARMBootPerf: Error: profile region not found (2)
AppleARMBootPerf: Error: failed to publish profile data (2)
virtual bool CoreAnalyticsHub::start(IOService *)::105:CoreAnalyticsHub start
AppleSSE::start called
AppleSSE::start returning, result = 1
AUC:[0xffffffe4cdc0c500]::start(0xffffffe4cdd96120)

AppleSEPKeyStore:321:0: starting (BUILT: Nov 13 2020 00:47:07)
AppleSEPKeyStore:545:0: _sep_enabled = 1
AppleCredentialManager: start: called, instance = <ptr>.
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleCredentialManager: start: initializing power management, instance = <ptr>.
AppleCredentialManager: start: started, instance = <ptr>.
AppleCredentialManager: start: returning, result = true, instance = <ptr>.
AppleInterruptController::start: Num Shared Timestamps == 0
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleS5L8940XI2CController::start: i2c2 this: <ptr> _i2cBaseAddress: <ptr>
AppleS5L8940XI2CController::start: i2c0 this: <ptr> _i2cBaseAddress: <ptr>
AppleS8000AES::start: registers at phys:0x0x235008000/0x0x23d2d0000 virt:0x<ptr>/0x0x4000 / 0x<ptr>/0x0x4000
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleS5L8940XI2CController::start: i2c1 this: <ptr> _i2cBaseAddress: <ptr>
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>

Identified Serial Port uart0 at 0x235200000(<ptr>)
Identified Serial Port uart7 at 0x23521c000(<ptr>)
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>

RTBuddy(SMC): start(<ptr>) - (Nov 13 2020@00:47:00)
AppleS5L8960XUSBPhy::start: hsic disabled
RTBuddy(ANS2): start(<ptr>) - (Nov 13 2020@00:47:00)
RTBuddy(SMC): Boot args override: wdt = -1
RTBuddy(ANS2): Boot args override: wdt = -1
LPM: Log data is NOT valid. 0x0 0x0
AppleDialogSPMIPMU::start: Primary PMU detected
RTBuddy(ANS2): Resuming...

AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>

RTBuddy(SMC): Resuming...

virtual bool AppleARMLightEmUp::start(IOService *): starting...
Starting AppleSMC kext(<ptr>) - (Dec  2 2020@20:30:31)
RTBuddy(SIO): start(<ptr>) - (Nov 13 2020@00:47:00)
AppleSMCEmbedded::setPowerState(): ENTER powerStateOrdinal=1, _activeKeyCommand=17 newState=1
RTBuddy(SIO): Boot args override: wdt = -1
AppleARMRTC started!#####
AppleDialogSPMIPMURTC started!******
Failed to read info-leg_scrpadAppleS5L8940XI2CController::start: smc-i2c0 this: <ptr> _i2cBaseAddress: <ptr>
AppleDialogSPMIPMURTC tick read!&&&&&&&
AppleDialogSPMIPMURTC ending!%%%
AppleS5L8940XI2CController::start: smc-i2c1 this: <ptr> _i2cBaseAddress: <ptr>
AppleS5L8940XI2CController::start: i2c3 this: <ptr> _i2cBaseAddress: <ptr>
virtual IOService *AppleANS2NVMeController::probe(IOService *, SInt32 *)::194:Found (ANS2) provider, returning score 100000
AppleARMRTC registering service!@@@@@@
AppleARMRTC service registered!$$$$$
AppleARMRTC publishing service!^^^^^^
virtual bool AppleANS2NVMeController::start(IOService *)::394:Found the ANS2Endpoint1
bool AppleEmbeddedNVMeController::SetNamespacesStruct()::194:Obtained 7 namespaces from DT
000002.396793 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::prepareDefaults: model iPhone version 12.1
000002.399645 wlan0.A[1] start@971:Default options property found with value 4
virtual IOFilterInterruptEventSource *AppleANS2NVMeController::CreateDeviceInterrupt(IOInterruptEventSource::Action, IOFilterInterruptEventSource::Filter, IOService *)::2719:ANS2 NVMe interrupt index - 0x4
000002.410965 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
Creating an object of AppleBCMWLANPlatformFunctionEmbeddedAMFM class
000002.416052 wlan0.A[2] start@1404: Raised adjustBusy(+1), getBusyState() -> 2
000002.416761 wlan0.A[3] start@1406:Setting up notifier for CoreAnalyticsHub
000002.418515 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
apfs_module_start:2436: load: com.apple.filesystems.apfs, v1677.62.1, apfs-1677.62.1, 2020/11/12
com.apple.AppleFSCompressionTypeZlib kmod start
apfs_sysctl_register:1251: done registering sysctls.
com.apple.AppleFSCompressionTypeZlib load succeeded
L2TP domain init
L2TP domain init complete
Load request for com.apple.nke.pptp failed: -603946998
Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOMedia</string><key>IOPropertyMatch</key><dict ID="2"><key>Partition ID</key><integer size="64" ID="3">0x1</integer></dict></dict>
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2887:SQ index=0 entrysize=64
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2887:SQ index=1 entrysize=128
ANS2: MMIO write to unknown vendor register, offset=0x1210 value=0x240024, returning
ANS2: MMIO write to unknown vendor register, offset=0x24004 value=0x1000, returning
ANS2: MMIO write to unknown vendor register, offset=0x24008 value=0x0, returning
ANS2: MMIO write to unknown vendor register, offset=0x24118 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24108 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24420 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24414 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x2441c value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24418 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24144 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24524 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24508 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24504 value=0x10002, returning
virtual void AppleANS2NVMeController::SetModeselRegister(uint32_t)::1186:Setting modesel to 0
ANS2: MMIO write to unknown vendor register, offset=0x1304 value=0x0, returning
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1964:nvme: Vendor ID     : 0x1b36
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1965:nvme: Model Number  : QEMU NVMe Ctrl                          
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1966:nvme: Serial Number : QEMUT8030ANS        
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1967:nvme: Firmware Rev  : 1.0     
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2000:nvme: S3E A0 Invalid 1x slc 1D 0 plane 128GB NAND
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2009:ECCVersion   : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2010:FTL Rev      : 0.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2011:DM_Version   : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2012:=======================
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2019:Found 16 namespaces in current NAND
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[1] as nstype[1]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[2] as nstype[2]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[3] as nstype[3]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[4] as nstype[4]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[5] as nstype[5]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[6] as nstype[6]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[7] as nstype[8]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[8] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[9] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[10] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[11] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[12] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[13] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[14] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[15] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[16] as nstype[0]
bool AppleEmbeddedNVMeController::SetSwapWriteLimit(uint32_t)::2192: Swap limit set to 2147483648bytes, 2GB
uint32_t AppleEmbeddedNVMeNVRAM::GetNVRAMSize()::745:NVRAM size is 8192 bytes
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1578:allocateAll 1
dev_init:297: disk0 device accelerated crypto: 0 (compiled @ Nov 12 2020 23:47:00)
dev_init:300: disk0 device_handle block size 4096 block count 8388597 features 0 internal 
nx_kernel_mount:1134: disk0 initializing cache w/hash_size 4096 and cache size 10064
nx_kernel_mount:1402: disk0 checkpoint search: largest xid 1568, best xid 1568 @ 127
import_iboot_forwarded_roothash:2691: importing root hash (basesystem ? 0)...
apfs_extract_root_hash_arm:10091: could not retrieve system-volume-auth-blob from device tree
import_iboot_forwarded_roothash:2696: apfs_extract_root_hash_and_manifest failed with error: No such file or directory (2)
Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOGUIDPartitionScheme/Container@1
BSD root: disk0s1, major 1, minor 1
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 2, NSTYPE - 2
apfs_vfsop_mountroot:2214: apfs: mountroot called!
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Nov 12 2020 23:47:00)
dev_init:300: disk0s1 device_handle block size 4096 block count 8388597 features 22 internal solidstate
nx_kernel_mount:1134: disk0s1 initializing cache w/hash_size 4096 and cache size 10064
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 3, NSTYPE - 3
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 6, NSTYPE - 6
[effaceable:ERR ] unable to find content
[effaceable:INIT] started
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1605:Creating blockdevice with NSID - 7, NSTYPE - 8
virtual IOReturn AppleNVMeNamespaceDevice::GetDeviceProperties()::269: Logical Blocks Size = 4096 
 virtual IOReturn AppleNVMeNamespaceDevice::GetDeviceProperties()::272: Block Count = 256 
 virtual bool AppleNVMeNamespaceDevice::start(IOService *)::111:NVMe Namespace Device registration done for NSID: 7, NSTYPE: 8
virtual bool AppleEmbeddedNVMeController::StartController()::1547:Setting NAND status to Ready
nx_kernel_mount:1402: disk0s1 checkpoint search: largest xid 1568, best xid 1568 @ 127
apfs_vfsop_mount:1883: Promoter has been locked for disk0s1
fs_lookup_root_snapshot_xid:439: disk0s1s1:0 failed to look up root snapshot name
apfs_vfsop_mount:1920: disk0s1s1:0 failed to retrieve default root snapshot xid - No such file or directory (2)
handle_mount:620: vol-uuid: B4137A47-7675-45B9-8F77-7724E51D9B12 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.12)
handle_mount:633: setting dev block size to 4096 from 512
nx_volume_group_update:6779: Volume System is not in a volume group
apfs_vfsop_mount:2197: disk0s1s1:0 mounted volume: System
dyld: setting comm page to 0x0
Sun Apr 17 15:58:31 2022 localhost com.apple.xpc.launchd[1] <Notice>: hello
Darwin Bootstrapper Version 7.0.0: Fri Nov 13 02:15:10 PST 2020; root:libxpc_executables-2038.40.38~273/launchd/RELEASE_ARM64E
boot-args = kextlog=0xffff debug=0x14e -v launchd_missing_exec_no_panic=1 serial=3 keepsyms=1 launchd_unsecure_cache=1 wdt=-1
Sun Apr 17 15:58:31 2022 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Notice>: entering ondemand mode
Sun Apr 17 15:58:31 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: fsck
** Checking the container superblock.
** Checking the object map.
** Checking volume.
** Checking the APFS volume superblock.
** The volume System was formatted by newfs_apfs (945.200.129.100.12) and last modified by apfs_kext (1933.80.3).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Data was formatted by newfs_apfs (1677.62.1) and last modified by apfs_kext (1933.80.3).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Hardware was formatted by newfs_apfs (1677.62.1) and last modified by apfs_kext (1933.80.3).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Preboot was formatted by newfs_apfs (1677.62.1) and last modified by apfs_kext (1933.80.3).
** Checking volume.
** Checking the APFS volume superblock.
** The volume Update was formatted by newfs_apfs (1677.62.1) and last modified by apfs_kext (1933.80.3).
** QUICKCHECK ONLY; FILESYSTEM CLEAN
Sun Apr 17 15:58:33 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: mount-phase-1
mount: found boot container: /dev/disk0s1, data volume: /dev/disk0s1s2 env: 1
handle_mount:620: vol-uuid: 098C36C9-9954-4374-97CF-8DB4663C2AE4 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:633: setting dev block size to 4096 from 512
nx_volume_group_update:6773: Volume Preboot role 10 Not a System or data volume
apfs_vfsop_mount:2197: disk0s1s4:0 mounted volume: Preboot
/dev/disk0s1s4 on /private/preboot (apfs, local, nodev, nosuid, read-only, journaled, noatime, nobrowse)
Sun Apr 17 15:58:34 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: data-protection
init_data_protection: No SEP present on this device
Sun Apr 17 15:58:35 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: finish-obliteration
Obliterator: In INIT check
IORegistryEntryGetProperty failed, may be does not exist
Obliterator: No obliteration needed, continue booting, returning 0
Sun Apr 17 15:58:36 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: commit-boot-mode
Sun Apr 17 15:58:36 2022 localhost com.apple.xpc.launchd[1] <Notice>: boot-mode committed: (null)
Sun Apr 17 15:58:36 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: restore-datapartition
Sun Apr 17 15:58:36 2022 localhost com.apple.xpc.launchd[1] <Notice>: restore-datapartition: optional boot task not present
Sun Apr 17 15:58:36 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: mount-phase-2
mount: found boot container: /dev/disk0s1, data volume: /dev/disk0s1s2 env: 1
spaceman_metazone_init:189: disk0s1 metazone for device 0 of size 262143 blocks (encrypted: 8126454-8257525 unencrypted: 8257525-8388597)
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 1 blocks starting at paddr 4096000
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 2 blocks starting at paddr 32768
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 3 blocks starting at paddr 65536
spaceman_datazone_init:442: disk0s1 allocation zone on dev 0 for allocations of 4 blocks starting at paddr 98304
dev_dump:256: Aggregate constructed: dev=<ptr> di=0 dv_num_slice=15 dv_num_slice_blk=589824 dv_num_lslice_blk=131061
migrate_media_keys_if_needed:1208: no media keys to migrate for container = disk0s1
mount: failed to migrate Media Keys, error = c002
handle_mount:620: vol-uuid: 348C338E-4537-4DD0-B739-6905B8807143 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:633: setting dev block size to 4096 from 512
nx_volume_group_update:6779: Volume Data is not in a volume group
apfs_vfsop_mount:2197: disk0s1s2:0 mounted volume: Data
/dev/disk0s1s2 on /private/var (apfs, local, nodev, nosuid, journaled, noatime)
handle_mount:620: vol-uuid: 275C7DBF-48CD-45B8-BDB9-956BD213D817 block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:633: setting dev block size to 4096 from 512
nx_volume_group_update:6773: Volume Update role c0 Not a System or data volume
apfs_vfsop_mount:2197: disk0s1s5:0 mounted volume: Update
/dev/disk0s1s5 on /private/var/MobileSoftwareUpdate (apfs, local, nodev, nosuid, journaled, noatime, nobrowse)
handle_mount:620: vol-uuid: 7433950F-5CBA-4464-8AC5-65134CFD100D block size: 4096 block count: 8388597 (unencrypted; flags: 0x1; features: 8.0.2)
handle_mount:633: setting dev block size to 4096 from 512
nx_volume_group_update:6773: Volume Hardware role 140 Not a System or data volume
apfs_vfsop_mount:2197: disk0s1s3:0 mounted volume: Hardware
/dev/disk0s1s3 on /private/var/hardware (apfs, local, nodev, nosuid, journaled, noatime, nobrowse)
spaceman_trim_free_blocks:3367: disk0s1 scan took 1.129052 s, trims took 0.325129 s
spaceman_trim_free_blocks:3375: disk0s1 5261513 blocks free in 19747 extents
spaceman_trim_free_blocks:3383: disk0s1 5261513 blocks trimmed in 19747 extents (16 us/trim, 60735 trims/s)
spaceman_trim_free_blocks:3386: disk0s1 trim distribution 1:12826 2+:2113 4+:3875 16+:341 64+:482 256+:110
Sun Apr 17 08:58:37 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: init-with-data-volume
Sun Apr 17 08:58:37 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: MSUEarlyBootTask
main: MSUEarlyBootTask running
main: Content from the ramdisk will be present at /private/var/MobileSoftwareUpdate//83f27b0127c305db619783436a4b5bc8ce99c92db7b15db7640203e98d0ce4d80164decea82776495680af618a2f4eec-MSUData if it exists
MSUEarlyBootTask: I have nothing to do. Goodbye!!
Sun Apr 17 08:58:39 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: fips
Tracing: disabled
FIPSPOST_USER [346430739] fipspost_post:157: [FIPSPOST][Module-ID] Apple corecrypto Module v11.1 [Apple ARM, User, Software]
FIPSPOST_USER [347112048] fipspost_post:168: PASSED: (3 ms) - fipspost_post_hmac
FIPSPOST_USER [347250689] fipspost_post:169: PASSED: (5 ms) - fipspost_post_integrity
FIPSPOST_USER [347339699] fipspost_post:175: PASSED: (3 ms) - fipspost_post_indicator
FIPSPOST_USER [347361841] fipspost_post:176: PASSED: (0 ms) - fipspost_post_aes_ecb
FIPSPOST_USER [347381900] fipspost_post:177: PASSED: (0 ms) - fipspost_post_aes_cbc
FIPSPOST_USER [348247734] fipspost_post:178: PASSED: (35 ms) - fipspost_post_rsa_sig
FIPSPOST_USER [348593336] fipspost_post:179: PASSED: (13 ms) - fipspost_post_ecdsa
FIPSPOST_USER [348679050] fipspost_post:180: PASSED: (2 ms) - fipspost_post_ecdh
FIPSPOST_USER [348718142] fipspost_post:181: PASSED: (1 ms) - fipspost_post_aes_ccm
FIPSPOST_USER [348751935] fipspost_post:182: PASSED: (0 ms) - fipspost_post_aes_cmac
FIPSPOST_USER [349851091] fipspost_post:184: PASSED: (45 ms) - fipspost_post_pbkdf
FIPSPOST_USER [349876384] fipspost_post:185: PASSED: (0 ms) - fipspost_post_kdf_ctr
FIPSPOST_USER [353552754] fipspost_post:186: PASSED: (152 ms) - fipspost_post_aes_gcm
FIPSPOST_USER [353582203] fipspost_post:187: PASSED: (0 ms) - fipspost_post_aes_xts
FIPSPOST_USER [353632757] fipspost_post:188: PASSED: (1 ms) - fipspost_post_tdes_cbc
FIPSPOST_USER [353659091] fipspost_post:189: PASSED: (0 ms) - fipspost_post_drbg_ctr
FIPSPOST_USER [353693173] fipspost_post:190: PASSED: (0 ms) - fipspost_post_drbg_hmac
FIPSPOST_USER [354360742] fipspost_post:192: PASSED: (27 ms) - fipspost_post_ffdh
FIPSPOST_USER [355114786] fipspost_post:193: PASSED: (30 ms) - fipspost_post_rsa_enc_dec
FIPSPOST_USER [355128091] fipspost_post:213: all tests PASSED (362 ms)
Sun Apr 17 08:58:39 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: keybag
****** DIAGNOSTICS MODE ENABLED, SKIP INIT ****
Sun Apr 17 08:58:40 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: usermanagerd
Sun Apr 17 08:58:40 2022 localhost com.apple.xpc.launchd[1] <Notice>: usermanagerd: optional boot task not present
Sun Apr 17 08:58:41 2022 localhost com.apple.xpc.launchd[1] <Notice>: launchd logging initialized
Sun Apr 17 08:58:41 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: xpcroleaccountd
Sun Apr 17 08:58:41 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: init_featureflags
init_featureflags: missing 'Enabled' key for feature BrokenTest in FeatureFlagsExample.plist; ignored
init_featureflags: skipping directory: /Library/Preferences/FeatureFlags/Domain
Sun Apr 17 08:58:44 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: fud
Key timed out KeyName =  cdc76926 Tag/ID =0 _activeKeyCommand = 17
Time taken for key timeout 1c9ca135
Unable to obtain shared SRAM Addr
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleT8030PMGR
panic(cpu 1 caller 0xfffffff00850e830): "/Library/Caches/com.apple.xbs/Sources/AppleSMC/AppleSMC-589.60.3/AppleSMCEmbedded.cpp:void *AppleSMC::_getSRAMAddressGated():591: REQUIRE failed: NULL != _sharedKeyBuff"
Debugger message: panic
Memory ID: 0x0
OS release type: Internal
OS version: 18C57
Kernel version: Darwin Kernel Version 20.2.0: Fri Nov 13 01:00:15 PST 2020; root:xnu-7195.62.1~4/RELEASE_ARM64_T8030
Kernel UUID: 73CDC310-07B4-3CB1-9F61-114FA9D77E4D
iBoot version: qemu-t8030
secure boot?: YES
Paniclog version: 13
Kernel text base:  0xfffffff007004000
mach_absolute_time: 0x1ff84907
Epoch Time:        sec       usec
  Boot    : 0x625c3923 0x000480c0
  Sleep   : 0x00000000 0x00000000
  Wake    : 0x00000000 0x00000000
  Calendar: 0x625c3937 0x000383de

Panicked task 0xffffffe19b7c5f40: 2237 pages, 108 threads: pid 0: kernel_task
Panicked thread: 0xffffffe19b8f8000, backtrace: 0xffffffe8083f3550, tid: 249
                  lr: 0xfffffff007a58c90  fp: 0xffffffe8083f3590
                  lr: 0xfffffff007a58a90  fp: 0xffffffe8083f3600
                  lr: 0xfffffff007b96b90  fp: 0xffffffe8083f3620
                  lr: 0xfffffff007b88c9c  fp: 0xffffffe8083f36e0
                  lr: 0xfffffff008160600  fp: 0xffffffe8083f36f0
                  lr: 0xfffffff007a58778  fp: 0xffffffe8083f3a70
                  lr: 0xfffffff007a58778  fp: 0xffffffe8083f3ad0
                  lr: 0xfffffff00987b9d4  fp: 0xffffffe8083f3af0
                  lr: 0xfffffff00850e830  fp: 0xffffffe8083f3b20
                  lr: 0xfffffff0084f5584  fp: 0xffffffe8083f3b50
                  lr: 0xfffffff00808f748  fp: 0xffffffe8083f3bc0
                  lr: 0xfffffff0084f53c0  fp: 0xffffffe8083f3be0
                  lr: 0xfffffff0084f31bc  fp: 0xffffffe8083f3c70
                  lr: 0xfffffff0080509fc  fp: 0xffffffe8083f3d20
                  lr: 0xfffffff008050498  fp: 0xffffffe8083f3e00
                  lr: 0xfffffff00804e75c  fp: 0xffffffe8083f3e80
                  lr: 0xfffffff0080544c8  fp: 0xffffffe8083f3f00
                  lr: 0xfffffff00816895c  fp: 0x0000000000000000


** Stackshot Succeeded ** Bytes Traced 12023 (Uncompressed 37504) **
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleT8030PMGR
wdog panic (attempt 1)

but I am suspecting this to be an unrelated regression in qemu-t8030...

@iarchiveml
Author

You could probably compile an older commit.
You mentioned before that I needed to use an iPhone 11 kernel. Does this mean use an iPhone 11 mach_kernel or kernelcache?

@iarchiveml
Author

Also how did you create a filesystem to boot off of? I want to replicate this.

@TrungNguyen1909
Owner

Hi, currently iOS 13 is not supported. I'm running into some issues with ASC mailboxes and NVMe.
The 86 thing is caused by a change in binary format. If you want to run iOS 13 binaries anyway, change the 0xb byte of the binary from 0x00 to 0x80 to run it on an iOS 14 kernel. Note that some binaries might not work because it uses a removed library function.

@asdfugil

asdfugil commented Apr 17, 2022

Also how did you create a filesystem to boot off of? I want to replicate this.

  1. Restore iPhone 11 iOS 14.3 normally
  2. Boot the system once
  3. Mount the system volume in macOS
  4. Delete everything in / of the System Volume except /private
  5. Copy said 18C57 dump onto said filesystem
  6. Don't bootstrap the volume, we use the internal bash and binaries here.
  7. Add the bash service as described in the wiki
  8. (?) Probably keep other partition untouched, even though the dump contains information from Update, Hardware and Preboot
  9. Unmount and eject the disk.
  10. Now try to boot the VM again

im actually not sure about (8) you can try replacing contents of them.
That's what I tried anyways.
In fact, fud is Firmware Update Daemon, and firmware goes into Preboot

@asdfugil

Success
(screenshot: 20220418_103229)

@asdfugil

However ls always result in bus error: 10

@iarchiveml
Author

iarchiveml commented Apr 18, 2022

What did you do to get it working and prevent the fud kernel panic?

@asdfugil

asdfugil commented Apr 18, 2022

What did you do to get it working and prevent the fud kernel panic?

Copy from the dump, but don't replace /usr/standalone/firmware; it goes into the directory with the long name, under /usr/standalone/firmware, in the Preboot volume.
Copy from the dump, but don't replace /usr/standalone/update; it goes into the Update partition.

Finally, remove the com.apple.getty entry in System/Library/xpc/launchd.plist in System Volume because it conflicts our bash service.

@asdfugil

asdfugil commented Apr 18, 2022

Even though the device shows up as a USB device in the Linux VM in lsusb, libimobiledevice tools are not able to find it.

@TrungNguyen1909
Owner

@asdfugil limb probably won't detect them because lockdownd is not quite working very well (SEP for pairing)...

@asdfugil

@asdfugil limb probably won't detect them because lockdownd is not quite working very well (SEP for pairing)...

it's detected now (looks like i am too impatient) but

└─$ idevicepair pair
ERROR: Device 00008030-1122334455667788 returned unhandled error code -12

@asdfugil

I am not very sure what the GNU ls bus error: 10 really means. I can use find to list files so probably not fs corruption
(I replaced and only replaced ls in that build with GNU ls)

@asdfugil

and it wouldn't allow me to debug it

(lldb) process attach --waitfor -n
Boolean tokenIsTrusted(audit_token_t): token is untrusted: hash does not match
int _permitUnrestrictedDebugging(): unable to verify audit token came from amfid
Boolean tokenIsTrusted(audit_token_t): token is untrusted: hash does not match
int _permitUnrestrictedDebugging(): unable to verify audit token came from amfid
 ls

tx_flush:1074: disk0s1 xid 3334 tx stats: # 60 finish 61 enter 1643 wait 5 16953us close 94us flush 98215us
Boolean tokenIsTrusted(audit_token_t): token is untrusted: hash does not match
int _permitUnrestrictedDebugging(): unable to verify audit token came from amfid
Boolean tokenIsTrusted(audit_token_t): token is untrusted: hash does not match
int _permitUnrestrictedDebugging(): unable to verify audit token came from amfid
Boolean tokenIsTrusted(audit_token_t): token is untrusted: hash does not match
int _permitUnrestrictedDebugging(): unable to verify audit token came from amfid
Boolean tokenIsTrusted(audit_token_t): token is untrusted: hash does not match
int _permitUnrestrictedDebugging(): unable to verify audit token came from amfid
Boolean tokenIsTrusted(audit_token_t): token is untrusted: hash does not match
int _permitUnrestrictedDebugging(): unable to verify audit token came from amfid

[1]  + done       echo $(sleep 20 && /bin/ls)
error: attach failed: attach failed (Not allowed to attach to process.  Look in the console messages (Console.app), near the debugserver entries when the attached failed.  The subsystem that denied the attach permission will likely have logged an informative message about why it was denied.)

@TrungNguyen1909
Owner

@asdfugil, the issue is quite complicated here.

You can add get-task-allow to fix that errors.

However, in order to have breakpoints working, a pmap cs patch might be needed.
Even though I have a static patch for 14.0b5, I haven't figured out the patchfinder for that yet...

@asdfugil

asdfugil commented Apr 18, 2022

At the end of the day, at this stage booting internal iOS without shebang kernel patch/DEVELOPMENT kernel is not very useful because there are so many scripts, and no libiosexec/EPERM workaround like jailbreak bootstraps.

@asdfugil

asdfugil commented Apr 18, 2022

compiled latest ls from file_cmds from apple opensource and that worked, guess that original ls is just broken.

@asdfugil

SSH works, telnet works (via iproxy), AppleUSBEthernet is not yet working.
So 18C57 is pretty much booted and works.

@asdfugil

...and this issue about errno 86 is probably resolved

@asdfugil

the Bus Error: 10 is some error in libintl.8.dylib that breaks pretty much anything linked to it, this also explains why it only happens to GNU stuff.

@asdfugil

asdfugil commented Apr 18, 2022

...htop actually shows that SpringBoard.app is running (probably in a crash loop)...
(screenshot: 20220418_154806)
SpringBoard might require Metal besides basic graphical framebuffer...

@iarchiveml
Author

the Bus Error: 10 is some error in libintl.8.dylib that breaks pretty much anything linked to it, this also explains why it only happens to GNU stuff.

Huh, ls works fine for me

@asdfugil

asdfugil commented Apr 18, 2022

the Bus Error: 10 is some error in libintl.8.dylib that breaks pretty much anything linked to it, this also explains why it only happens to GNU stuff.

Huh, ls works fine for me

Did you use GNU ls (from Procursus) on iOS 14.3 qemu-t8030?
BSD ls works for me too.

@iarchiveml
Author

Nope, I'm using the original one

@iarchiveml
Author

Steps I took:
1: Restore iPhone 11 iOS 14.3 normally
2: Boot the system once
3: Mount the system volume in macOS
4: Delete everything in / of the System Volume except /private
5: Extract 18C57 dump onto said filesystem
6: Copy launchd.plist and bash.plist onto the filesystem
7: Boot & Profit

@TrungNguyen1909
Owner

@asdfugil How do you even test AppleUSBEthernet though? I don't think there is a limd implementation for that?

SpringBoard might require Metal besides basic graphical framebuffer..
correct...

@asdfugil

asdfugil commented Apr 18, 2022

@TrungNguyen1909 I didn't. It is just a statement. I think it requires a certain adapter to be emulated.

@iarchiveml
Author

Hi, currently iOS 13 is not supported. I'm running into some issues with ASC mailboxes and NVMe.
The 86 thing is caused by a change in binary format. If you want to run iOS 13 binaries anyway, change the 0xb byte of the binary from 0x00 to 0x80 to run it on an iOS 14 kernel. Note that some binaries might not work because it uses a removed library function.

This applies to older 14.0 betas as well right?

shannon2893 pushed a commit to shannon2893/qemu-t8030 that referenced this issue Jul 25, 2022
Include the qtest reproducer provided by Alexander Bulekov
in https://gitlab.com/qemu-project/qemu/-/issues/542.
Without the previous commit, we get:

  $ make check-qtest-i386
  ...
  Running test tests/qtest/intel-hda-test
  AddressSanitizer:DEADLYSIGNAL
  =================================================================
  ==1580408==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc3d566fe0
      #0 0x63d297cf in address_space_translate_internal softmmu/physmem.c:356
      #1 0x63d27260 in flatview_do_translate softmmu/physmem.c:499:15
      #2 0x63d27af5 in flatview_translate softmmu/physmem.c:565:15
      #3 0x63d4ce84 in flatview_write softmmu/physmem.c:2850:10
      #4 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #5 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #6 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #7 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #8 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      #9 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1
      #10 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1
      #11 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12
      #12 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5
      #13 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5
      #14 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5
      #15 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
      #16 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5
      #17 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9
      #18 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5
      #19 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5
      #20 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18
      #21 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #22 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23
      #23 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12
      #24 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #25 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #26 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #27 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #28 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      #29 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1
      #30 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1
      #31 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12
      #32 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5
      #33 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5
      #34 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5
      #35 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
      #36 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5
      #37 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9
      #38 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5
      #39 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5
      #40 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18
      #41 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #42 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23
      #43 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12
      #44 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #45 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #46 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #47 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #48 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      ...
  SUMMARY: AddressSanitizer: stack-overflow softmmu/physmem.c:356 in address_space_translate_internal
  ==1580408==ABORTING
  Broken pipe
  Aborted (core dumped)

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20211218160912.1591633-4-philmd@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>