Caution
Intel PT virtualization is BROKEN, as it has multiple fatal flaws, several which put the host at risk. Use at your own risk.
This guide will most likely become obsolete once the feature will be removed from the various linux distros. For more info check out KVM: VMX: Mark Intel PT virtualization as BROKEN and CVE-2024-53135
This script sets KVM Processor Trace feature in host-guest mode enabling VMs to use intel-pt
| diff --git a/hw/arm/apple_a13.c b/hw/arm/apple_a13.c | |
| index 551a055715..0cceeb7936 100644 | |
| --- a/hw/arm/apple_a13.c | |
| +++ b/hw/arm/apple_a13.c | |
| @@ -504,7 +504,9 @@ static const ARMCPRegInfo apple_a13_cp_reginfo_tcg[] = { | |
| A13_CPREG_DEF(ARM64_REG_HID13, 3, 0, 15, 14, 0, PL1_RW, 0), | |
| A13_CPREG_DEF(ARM64_REG_HID14, 3, 0, 15, 15, 0, PL1_RW, 0), | |
| A13_CPREG_DEF(ARM64_REG_HID16, 3, 0, 15, 15, 2, PL1_RW, 0), | |
| - A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0), | |
| + A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0), // A14 SYS_LSU_ERR_STS |
In order to extract such a package following software is requried:
7zip for general .pkg
pbzx for Payload files Github Source
libbzip2 / bzip2 and enable it in xar compilation configuration. This enables use or xar for extracting .pkggcc pbzx.c -o pbzx -llzma -lxar
Guide updated to use the official installation .iso from Microsoft, which finally became available in Dec. 2024! For the VHDX disk image based guide check an earlier version of this gist.
When following this guide on a host not capable of aarch64 virtualization, replace -cpu host -accel kvm with -cpu neoverse-n1 (faster to emulate then -cpu max).
qemu-img create -f qcow2 win11.qcow2 25GAll license keys and activation files have been removed in accordance with GitHub's Terms of Service.
Only official trial installers are available. Bring your own license (BYOL).
| Key Name Description | |
| ======== =========== | |
| 3GProximityCapability Whether the device has a 3G proximity sensor | |
| 3GVeniceCapability Whether the device supports FaceTime over cellular | |
| 720pPlaybackCapability Whether the device supports 720p video (identical to kMGQDeviceSupports720p) | |
| APNCapability | |
| ARM64ExecutionCapability Whether the device supports executing arm64 binaries | |
| ARMV6ExecutionCapability Whether the device supports executing armv6 binaries | |
| ARMV7ExecutionCapability Whether the device supports executing armv7 binaries | |
| ARMV7SExecutionCapability Whether the device supports executing armv7s binaries |
| virt-install \ | |
| --boot uefi \ | |
| --cdrom /var/lib/libvirt/images/Windows.iso \ | |
| --features vmport.state=off,hyperv.vapic.state=on,hyperv.spinlocks.state=on,hyperv.spinlocks.retries=8191,hyperv.relaxed.state=on \ | |
| --clock offset=localtime,hypervclock_present=yes,rtc_tickpolicy=catchup,hpet_present=no,pit_tickpolicy=delay \ | |
| --machine q35 \ | |
| --vcpus 2 \ | |
| --cpu host \ | |
| --graphics spice \ | |
| --sound ich9 \ |
| // Searches all instructions for any references to undefined memory addresses. | |
| // Useful for reversing firmware when you are still determining the correct memory mappings. | |
| // Invalid addresses could indicate that you need to add a new segment at that address. | |
| // | |
| // @author starfleetcadet75 | |
| // @category Search | |
| // @keybinding | |
| // @menupath | |
| // @toolbar |
| #!/usr/bin/env zsh | |
| set -e; | |
| set +m; # Job control would've been nice, but manual round robin it is, sigh. | |
| if [ -z "${ZSH_VERSION+x}" ]; then | |
| echo 'Try again with zsh.'; | |
| exit 1; | |
| fi; |
| device-tree: | |
| target-type (5): "D421" | |
| mlb-serial-number (32): "C07947707R3LTPJB" | |
| compatible (27): "D421AP\0iPhone12,3\0AppleARM\0" | |
| secure-root-prefix (3): "md" | |
| AAPL,phandle (4): 0x1 | |
| platform-name (32): "t8030" | |
| device_type (8): "bootrom" | |
| region-info (32): "LL/A" | |
| regulatory-model-number (32): "A2160" |
