Scripts + patches to pwn vma2 (Virtualization.framework) macOS virtual machines


nick-botticelli/vma2pwn


vma2pwn is a command-line tool for arm64 macOS to patch VMA2 (virtual Mac platform) components for restoring and booting a fully modded chain of iBoot + macOS components.

This is very much a work-in-progress, and more functionality and support will be added over time.

Supported Guest Versions

macOS

  • 12.0.1 (21A559)

Requirements

  • Apple Silicon (arm64) Mac (at least 12.0 host preferred). There are no plans to support anything else.
  • A tool to run vma2 virtual machines through Virtualization.framework. I recommend super-tart, my fork of tart.
  • idevicerestore, but preferably my fork with a few changes. Currently not fully tested, but may be required for a successful restore.

Usage

super-tart Part 1 (Optional)

  1. Download and build super-tart from the link above.
  2. Create a new virtual machine (VM) with tart create <VM name> --from-ipsw <matching IPSW> --disk-size <disk size in GB>. You should have a minimum of about 25 GB for the disk. Don't specify a custom AVPBooter path here.
  3. Wait for the VM to be created (probably doesn't even need to fully install, just enough to launch in DFU mode).
  4. Note: The AVPBooter image will now need to be patched. Move on to the steps in the vma2pwn section.

vma2pwn

  1. Download or clone the repository, and open a Terminal in this directory.
  2. Run ./vma2pwn.sh prepare <macOS version>, e.g., ./vma2pwn.sh prepare 12.0.1, and wait for it to complete.

super-tart Part 2 (Optional)

  1. Copy the patched AVPBooter image created (avpbooter-images/<version>/AVPBooter.vmapple2.bin) to ~/.tart/vms/<VM name>/AVPBooter.vmapple2.bin, replacing the one that already exists.
  2. Start the virtual machine in DFU mode (i.e., tart run <VM name> --force-dfu).
  3. Restore this modded image via idevicerestore with ./vma2pwn.sh restore <output from step 2>, e.g., ./vma2pwn.sh restore UniversalMac_12.0.1_21A559_Restore.
  4. Wait for the restore process to complete, and your macOS virtual machine should automatically start up to the Setup Assistant like normal.

Notes

  • This is a work in progress. File an issue if you have one, make a pull request if you want to; I recommend filing an issue first.
  • Scripts are not always fully tested before uploading. There may be slight issues.
  • This tool relies on two binaries downloaded from my vma2pwn-tools repository: bspatch and img4. If you don't want to use these, build them yourself.
  • iBoot (iBootStage2 post-restore) is patched with various debugging boot-args, which means that you currently cannot set your own. I may test nvram's boot-arg functionality and remove this part of the patch.
  • Kernelcache currently contains many patches, not all of which are likely necessary. I hope to work on reducing the number of patches.

Known Issues

  • Double-patching (running vma2pwn.sh twice on the same extracted IPSW) may result in broken components
  • You tell me
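
A guard against the double-patching issue listed above, as an added example that is not part of vma2pwn: it records a SHA-256 baseline of a freshly extracted IPSW directory and refuses a later run once any file differs from it. The function names, the ".baseline.sha256" suffix and the idea of calling it before the patch step are assumptions.

```shell
#!/bin/sh
# Added example, not part of vma2pwn: refuse to patch an extracted IPSW
# directory whose files no longer match the baseline taken before patching.
# Function names and the ".baseline.sha256" suffix are hypothetical.

# Print the SHA-256 of one file (sha256sum on Linux, shasum on macOS).
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1"
    else
        shasum -a 256 < "$1"
    fi | cut -d' ' -f1
}

# Print "<hash>  <relative path>" for every regular file under $1, sorted.
manifest() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort |
        while IFS= read -r f; do
            printf '%s  %s\n' "$(sha256 "$f")" "$f"
        done )
}

# Return 0 if $1 is safe to patch, 1 if it differs from its baseline,
# 2 if the directory cannot be read.
guard_patch() {
    dir=${1%/}
    baseline="$dir.baseline.sha256"
    current=$(manifest "$dir") || return 2
    if [ ! -f "$baseline" ]; then
        # First run: record the pristine state next to the directory.
        printf '%s\n' "$current" > "$baseline"
        return 0
    fi
    if [ "$current" = "$(cat "$baseline")" ]; then
        return 0    # nothing has been patched since the baseline
    fi
    echo "refusing to patch $dir: files differ from $baseline;" \
         "re-extract the IPSW first" >&2
    return 1
}

# Usage: sh guard.sh <extracted IPSW directory>, before the patch step.
[ "$#" -eq 0 ] || guard_patch "$1"
```

The baseline is only meaningful if the first call happens on a freshly extracted directory; an interrupted, partially applied patch run is also caught, because any changed file breaks the match.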

License

GNU Lesser General Public License v3.0

Credits

  • NyanSatan – Initial iBoot + kernel patches from Virtual-iBoot-Fun
  • Various members of the Hack Different Discord server – Answering and putting up with my constant bombardment of questions
