maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/binary-exploitation/ios-exploiting/ios-corellium.md
carlospolop 06f8b982b7 f
2025-09-26 00:05:48 +02:00

2.9 KiB
Raw Blame History

iOS How to Connect to Corellium

{{#include ../../banners/hacktricks-training.md}}

Prereqs

  • A Corellium iOS VM (jailbroken or not). In this guide we assume you have access to Corellium.
  • Local tools: ssh/scp.
  • (Optional) SSH keys added to your Corellium project for passwordless logins.

Connect to the iPhone VM from localhost

A) Quick Connect (no VPN)

  1. Add you ssh key in /admin/projects (recommended).
  2. Open the device page → Connect
  3. Copy the Quick Connect SSH command shown by Corellium and paste it in your terminal.
  4. Enter the password or use your key (recommended).

B) VPN → direct SSH

  1. Add you ssh key in /admin/projects (recommended).
  2. Device page → CONNECTVPN → download .ovpn and connect with any VPN client that supports TAP mode. (Check https://support.corellium.com/features/connect/vpn if you have issues.)
  3. SSH to the VMs 10.11.x.x address:
ssh root@10.11.1.1

Upload a native binary & execute it

2.1 Upload

  • If Quick Connect gave you a host/port:
scp -J <domain> ./mytool root@10.11.1.1:/var/root/mytool
  • If using VPN (10.11.x.x):
scp ./mytool -J <domain> root@10.11.1.1:/var/root/mytool

Upload & install an iOS app (.ipa)

Path A — Web UI (fastest)

  1. Device page → Apps tab → Install App → pick your .ipa.
  2. From the same tab you can launch/kill/uninstall.

Path B — Scripted via Corellium Agent

  1. Use the API Agent to upload then install:
// Node.js (pseudo) using Corellium Agent
await agent.upload("./app.ipa", "/var/tmp/app.ipa");
await agent.install("/var/tmp/app.ipa", (progress, status) => {
  console.log(progress, status);
});

Path C — Non-jailbroken (proper signing / Sideloadly)

  • If you dont have a provisioning profile, use Sideloadly to re-sign with your Apple ID, or sign in Xcode.

  • You can also expose the VM to Xcode using USBFlux (see §5).

  • For quick logs/commands without SSH, use the device Console in the UI.

Extras

  • Port-forwarding (make the VM feel local for other tools):
# Forward local 2222 -> device 22
ssh -N -L 2222:127.0.0.1:22 root@10.11.1.1
# Now you can: scp -P 2222 file root@10.11.1.1:/var/root/

  • LLDB remote debugging: use the LLDB/GDB stub address shown at the bottom of the device page (CONNECT → LLDB).

  • USBFlux (macOS/Linux): present the VM to Xcode/Sideloadly like a cabled device.

Common pitfalls

  • Proper signing is required on non-jailbroken devices; unsigned IPAs wont launch.
  • Quick Connect vs VPN: Quick Connect is simplest; use VPN when you need the device on your local network (e.g., local proxies/tools).
  • No App Store on Corellium devices; bring your own (re)signed IPAs.

{{#include ../../banners/hacktricks-training.md}}