carlospolop 14b55c6309 f
2025-09-29 15:42:47 +02:00

# iOS How to Connect to Corellium
{{#include ../../banners/hacktricks-training.md}}
## **Prereqs**
- A Corellium iOS VM (jailbroken or not). In this guide we assume you have access to Corellium.
- Local tools: **ssh/scp**.
- (Optional) **SSH keys** added to your Corellium project for passwordless logins.
## **Connect to the iPhone VM from localhost**
### A) **Quick Connect (no VPN)**
0) Add your SSH key in **`/admin/projects`** (recommended).
1) Open the device page → **Connect**
2) **Copy the Quick Connect SSH command** shown by Corellium and paste it in your terminal.
3) Enter the password or use your key (recommended).
### B) **VPN → direct SSH**
0) Add your SSH key in **`/admin/projects`** (recommended).
1) Device page → **CONNECT** → **VPN** → download `.ovpn` and connect with any VPN client that supports TAP mode. (Check [https://support.corellium.com/features/connect/vpn](https://support.corellium.com/features/connect/vpn) if you have issues.)
2) SSH to the VM's **10.11.x.x** address:
```bash
ssh root@10.11.1.1
```
## **Upload a native binary & execute it**
### 2.1 **Upload**
- If Quick Connect gave you a host/port:
```bash
scp -J <domain> ./mytool root@10.11.1.1:/var/root/mytool
```
- If using VPN (10.11.x.x):
```bash
# The VPN routes 10.11.x.x directly, so no jump host (-J) is needed
scp ./mytool root@10.11.1.1:/var/root/mytool
```
## **Upload & install an iOS app (.ipa)**
### Path A — **Web UI (fastest)**
1) Device page → **Apps** tab → **Install App** → pick your `.ipa`.
2) From the same tab you can **launch/kill/uninstall**.
### Path B — **Scripted via Corellium Agent**
1) Use the API Agent to **upload** then **install**:
```js
// Node.js (pseudo) using Corellium Agent
await agent.upload("./app.ipa", "/var/tmp/app.ipa");
await agent.install("/var/tmp/app.ipa", (progress, status) => {
  console.log(progress, status);
});
```
### Path C — **Non-jailbroken (proper signing / Sideloadly)**
- If you don't have a provisioning profile, use **Sideloadly** to re-sign with your Apple ID, or sign in Xcode.
- You can also expose the VM to Xcode using **USBFlux** (see **Extras**).
- For quick logs/commands without SSH, use the device **Console** in the UI.
## **Extras**
- **Port-forwarding** (make the VM feel local for other tools):
```bash
# Forward local 2222 -> device 22
ssh -N -L 2222:127.0.0.1:22 root@10.11.1.1
# Now you can (the tunnel listens on localhost): scp -P 2222 file root@127.0.0.1:/var/root/
```
- **LLDB remote debugging**: use the **LLDB/GDB stub** address shown at the bottom of the device page (CONNECT → LLDB).
- **USBFlux (macOS/Linux)**: present the VM to **Xcode/Sideloadly** like a cabled device.
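
The upload commands and the port-forward above differ only in how the VM is reached, so they can be wrapped in one helper that also refuses any destination outside 10.11.x.x. This is an added example, not part of the original page or of Corellium's tooling; the function names, the `DRY_RUN` switch and the jump host `proxy.example.invalid` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names, DRY_RUN and the
# jump host used in the demo are assumptions made for illustration.

# Succeeds only for 10.11.<0-255>.<0-255>, the VM address range used on this page.
is_vm_addr() {
  case $1 in 10.11.*.*) ;; *) return 1 ;; esac
  _rest=${1#10.11.}
  for _o in "${_rest%%.*}" "${_rest#*.}"; do
    case $_o in ''|*[!0-9]*|????*) return 1 ;; esac
    [ "$_o" -le 255 ] || return 1
  done
  return 0
}

# corellium_push MODE LOCAL REMOTE VM_IP [JUMP_HOST | LOCAL_PORT]
#   quick   -> via the Quick Connect jump host (scp -J)
#   vpn     -> direct, the VPN already routes 10.11.x.x
#   forward -> through an existing "ssh -L PORT:127.0.0.1:22" tunnel
corellium_push() {
  _mode=$1 _src=$2 _dst=$3 _ip=$4 _extra=${5:-}
  _run=${DRY_RUN:+echo}   # DRY_RUN non-empty: print the command instead of copying
  is_vm_addr "$_ip" || { echo "refusing: '$_ip' is not a 10.11.x.x address" >&2; return 2; }
  case $_mode in
    quick)
      [ -n "$_extra" ] || { echo "quick mode needs the jump host" >&2; return 2; }
      $_run scp -J "$_extra" "$_src" "root@$_ip:$_dst" ;;
    vpn)
      $_run scp "$_src" "root@$_ip:$_dst" ;;
    forward)
      case $_extra in ''|*[!0-9]*) echo "forward mode needs the local port" >&2; return 2 ;; esac
      # The tunnel ends on loopback, so the target is 127.0.0.1, not the VM IP.
      $_run scp -P "$_extra" "$_src" "root@127.0.0.1:$_dst" ;;
    *) echo "unknown mode: $_mode" >&2; return 2 ;;
  esac
}

# Demo with constructed values; dry-run unless the caller sets DRY_RUN= (empty).
DRY_RUN=${DRY_RUN-1}
corellium_push quick   ./mytool /var/root/mytool 10.11.1.1 proxy.example.invalid
corellium_push vpn     ./mytool /var/root/mytool 10.11.1.1
corellium_push forward ./mytool /var/root/mytool 10.11.1.1 2222
```
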
## **Common pitfalls**
- **Proper signing** is required on **non-jailbroken** devices; unsigned IPAs won't launch.
- **Quick Connect vs VPN**: Quick Connect is simplest; use **VPN** when you need the device on your local network (e.g., local proxies/tools).
- **No App Store** on Corellium devices; bring your own (re)signed IPAs.
{{#include ../../banners/hacktricks-training.md}}