What happened?
cloudOS is a stripped down iOS system that grants advanced research capabilities.
A "new" security mitigation, described in the context of cloudOS, is the Restricted Execution Mode (REM) (docs). While it is described only for cloudOS, iOS is also capable of these functionalities.
We find that when restoring cloudOS with pymobiledevice (or idevicerestore), REM is not being activated. We further find that other functionalities, such as mounting Cryptexes, fail.
While we assume that this might be some initial configuration of TXM or the environment, we have not found the difference from the MobileDevice restore process.
How can we reproduce this?
Let's follow [the Apple docs](https://security.apple.com/documentation/private-cloud-compute/vresetup) and [the blog post by matteyeux](https://matteyeux.com/posts/2024-11-01-pcc-2/) on how to create a virtual research environment to restore cloudOS (Apple Silicon-only).
1. `csrutil allow-research-guests enable`
2. `pccvre release download --release 2764`
3. `pccvre instance create -N pcc-research -R 2764 --variant research`
4. `vrevm modify -N pcc-research -B serial=3`
5. `pccvre instance configure ssh -N pcc-research -p ~/.ssh/id_ed25519.pub`
6. `pccvre instance start -N pcc-research`
7. In another terminal: `pccvre instance list`
8. `ssh root@192.168.64.xyz`
9. `/bin/ps`
This is the ground behavior showing that REM is enabled with MobileDevice restore. The logs also indicate the successful mounting of the SSH Cryptex.
For the pymobiledevice3 behavior, we can reuse the same VM:
10. `vrevm run --dfu -N pcc-research`
11. In another terminal: `pymobiledevice3 restore update --erase --ipsw $HOME/Library/Caches/com.apple.security-research.pccvre/assets/a1245d6d56b3de6009d1bbfe452262ff2e953034636e9b47d83e4c2a2d2540f7`
You will see that connecting via SSH no longer works. For more information, we want to re-enable the serial logs. For that, we need to restore the "research" variant in the ipsw firmware. We do so by adjusting the pymobiledevice3 or idevicerestore source code.
12. `vrevm modify -N pcc-research -B serial=3`
13. `pccvre instance start -N pcc-research`
In the logs, you will find the notices of failing Cryptex installations:
```
cryptexctl: failed to install cryptex
Error Domain: "com.apple.security.cryptex" Code: 14 (Failed to install cryptex) Detail: "FM_LANGUAGE_SECURITY_RESEARCH_V1: Install failed"
b0b Error Domain: "com.apple.security.cryptex" Code: 14 (Failed to install cryptex) Detail: "FM_LANGUAGE_SECURITY_RESEARCH_V1: install rpc"
b0b Error Domain: "com.apple.security.cryptex" Code: 16 (Daemon failed a request) Detail: "Error from daemon"
...
b0b Error Domain: "com.apple.security.cryptex.posix" Code: 1 (Operation not permitted) Detail: "FM_LANGUAGE_SECURITY_RESEARCH_V1: hdi_mount [1: Operation not permitted]"
```
When you play around with the flags of the executables in the trust cache, you will notice that REM is no longer enabled.
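To make the serial log easier to triage when comparing the two restore paths, here is an added helper (not from the report and not part of pymobiledevice3) that parses the `cryptexctl` error lines quoted above into structured records, lists which cryptexes failed, and picks out the innermost POSIX failure. The sample log is constructed from the lines in the report.

```python
import re

# Constructed sample, copied in shape from the serial output quoted in the report.
SAMPLE_LOG = """\
cryptexctl: failed to install cryptex
Error Domain: "com.apple.security.cryptex" Code: 14 (Failed to install cryptex) Detail: "FM_LANGUAGE_SECURITY_RESEARCH_V1: Install failed"
b0b Error Domain: "com.apple.security.cryptex" Code: 14 (Failed to install cryptex) Detail: "FM_LANGUAGE_SECURITY_RESEARCH_V1: install rpc"
b0b Error Domain: "com.apple.security.cryptex" Code: 16 (Daemon failed a request) Detail: "Error from daemon"
b0b Error Domain: "com.apple.security.cryptex.posix" Code: 1 (Operation not permitted) Detail: "FM_LANGUAGE_SECURITY_RESEARCH_V1: hdi_mount [1: Operation not permitted]"
"""

# Matches the NSError-style lines: Error Domain: "<domain>" Code: <n> (<desc>) Detail: "<detail>"
ERROR_RE = re.compile(
    r'Error Domain: "(?P<domain>[^"]+)" Code: (?P<code>\d+) '
    r'\((?P<desc>[^)]*)\) Detail: "(?P<detail>[^"]*)"'
)


def parse_cryptex_errors(text):
    """Return one dict per error line, in log order (outermost error first)."""
    errors = []
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["code"] = int(rec["code"])
            errors.append(rec)
    return errors


def failed_cryptexes(errors):
    """Cryptex names are the prefix of Detail before the first ':' (e.g. FM_LANGUAGE_SECURITY_RESEARCH_V1)."""
    names = set()
    for e in errors:
        name, sep, _ = e["detail"].partition(":")
        if sep and name.isupper():
            names.add(name)
    return names


def root_cause(errors):
    """The chain is outermost-first; the POSIX error (if any) is the underlying failure, else the last one."""
    for e in errors:
        if e["domain"].endswith(".posix"):
            return e
    return errors[-1] if errors else None


if __name__ == "__main__":
    errs = parse_cryptex_errors(SAMPLE_LOG)
    print("failed cryptexes:", failed_cryptexes(errs))
    print("root cause:", root_cause(errs))
```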
Environment
Host OS: macOS 26.5.1
Python: 3.9.6
pymobiledevice3: 9.9.0
Device: Virtual Research Environment
Target OS: cloudOS 18 - 26
AI assistance
none
Additional context
No response