# iOS How to Connect to Corellium

{{#include ../../banners/hacktricks-training.md}}

## **Prereqs**

- A Corellium iOS VM (jailbroken or not). This guide assumes you have access to Corellium.
- Local tools: **ssh/scp**.
- (Optional) **SSH keys** added to your Corellium project for passwordless logins.

## **Connect to the iPhone VM from localhost**

### A) **Quick Connect (no VPN)**

0) Add your SSH key in **`/admin/projects`** (recommended).
1) Open the device page → **Connect**
2) **Copy the Quick Connect SSH command** shown by Corellium and paste it in your terminal.
3) Enter the password or use your key (recommended).

### B) **VPN → direct SSH**

0) Add your SSH key in **`/admin/projects`** (recommended).
1) Device page → **CONNECT** → **VPN** → download `.ovpn` and connect with any VPN client that supports TAP mode. (Check [https://support.corellium.com/features/connect/vpn](https://support.corellium.com/features/connect/vpn) if you have issues.)
2) SSH to the VM’s **10.11.x.x** address:

```bash
ssh root@10.11.1.1
```

## **Upload a native binary & execute it**

### 2.1 **Upload**

- If Quick Connect gave you a host/port:

```bash
# <quick-connect-jump-host> is a placeholder: use the -J value from your Quick Connect SSH command
scp -J <quick-connect-jump-host> ./mytool root@10.11.1.1:/var/root/mytool
```

- If using VPN (10.11.x.x):

```bash
# The VPN gives direct access to the VM, so no jump host is needed
scp ./mytool root@10.11.1.1:/var/root/mytool
```

## **Upload & install an iOS app (.ipa)**

### Path A — **Web UI (fastest)**

1) Device page → **Apps** tab → **Install App** → pick your `.ipa`.
2) From the same tab you can **launch/kill/uninstall**.

### Path B — **Scripted via Corellium Agent**

1) Use the API Agent to **upload** then **install**:

```js
// Node.js (pseudo) using Corellium Agent; `agent` is an agent handle already obtained for the device
await agent.upload("./app.ipa", "/var/tmp/app.ipa");
await agent.install("/var/tmp/app.ipa", (progress, status) => {
  console.log(progress, status);
});
```

### Path C — **Non-jailbroken (proper signing / Sideloadly)**

- If you don’t have a provisioning profile, use **Sideloadly** to re-sign with your Apple ID, or sign in Xcode.
- You can also expose the VM to Xcode using **USBFlux** (see **Extras**).
- For quick logs/commands without SSH, use the device **Console** in the UI.

## **Extras**

- **Port-forwarding** (make the VM feel local for other tools):

```bash
# Forward local 2222 -> device 22
ssh -N -L 2222:127.0.0.1:22 root@10.11.1.1
# Now, from another terminal, you can target the local end of the tunnel:
scp -P 2222 file root@127.0.0.1:/var/root/
```

- **LLDB remote debugging**: use the **LLDB/GDB stub** address shown at the bottom of the device page (CONNECT → LLDB).
- **USBFlux (macOS/Linux)**: present the VM to **Xcode/Sideloadly** like a cabled device.

## **Common pitfalls**

- **Proper signing** is required on **non-jailbroken** devices; unsigned IPAs won’t launch.
- **Quick Connect vs VPN**: Quick Connect is simplest; use **VPN** when you need the device on your local network (e.g., local proxies/tools).
- **No App Store** on Corellium devices; bring your own (re)signed IPAs.
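
For the upload step (Quick Connect vs VPN vs a forwarded port), the following is an added example, not code from the original page or from Corellium: a POSIX shell helper that takes the SSH command you already use to reach the VM and prints the matching `scp` upload command, rejecting pasted text that contains unexpected options or shell metacharacters. It assumes the command has the shape `ssh [-J <jump>] [-p <port>] <user>@<host>`; the function names and the jump host in the sample are hypothetical.

```bash
# Added example, not Corellium tooling. Assumed shape of the pasted command:
#   ssh [-J <jump>] [-p <port>] <user>@<host>

# Accept only characters expected in hosts and plain paths, with no leading
# dash, so pasted text cannot inject options or shell metacharacters.
qc_safe() {
  case "${1:-}" in
    ''|-*|*[!A-Za-z0-9@._:/-]*) return 1 ;;
  esac
}

# qc_parse "<ssh command>": sets QC_JUMP, QC_PORT and QC_TARGET.
# Returns non-zero on anything it does not recognise.
qc_parse() {
  QC_JUMP="" QC_PORT="" QC_TARGET=""
  set -f              # no globbing while word-splitting the pasted text
  set -- $1
  set +f
  [ "${1:-}" = ssh ] || return 1
  shift
  while [ $# -gt 0 ]; do
    case "$1" in
      -J) qc_safe "${2:-}" || return 1; QC_JUMP=$2; shift 2 ;;
      -p) case "${2:-}" in ''|*[!0-9]*) return 1 ;; esac
          QC_PORT=$2; shift 2 ;;
      -*) return 1 ;;   # refuse options this helper does not understand
      *)  [ -z "$QC_TARGET" ] && qc_safe "$1" || return 1
          QC_TARGET=$1; shift ;;
    esac
  done
  [ -n "$QC_TARGET" ]
}

# qc_scp_cmd "<ssh command>" <local file> <remote path>
# Prints the matching scp command. scp takes the port as -P; ssh uses -p.
qc_scp_cmd() {
  qc_parse "$1" && qc_safe "${2:-}" && qc_safe "${3:-}" || return 1
  _opts=""
  [ -z "$QC_JUMP" ] || _opts="$_opts -J $QC_JUMP"
  [ -z "$QC_PORT" ] || _opts="$_opts -P $QC_PORT"
  echo "scp$_opts $2 $QC_TARGET:$3"
}

# Constructed sample input; the jump host is a placeholder:
# qc_scp_cmd "ssh -J user@jump.example.invalid root@10.11.1.1" ./mytool /var/root/mytool
```

Source the file and call `qc_scp_cmd` with the SSH command in quotes; a non-zero exit status means the input did not match the assumed shape and nothing was printed.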