As a pentester, I often get projects to test iOS applications. In the old days, Windows/Linux-based tools were enough for iOS appsec. Nowadays, using MacOS has additional benefits, such as automating IPA analysis via MobSF. Also, when pentesting with a non-jailbroken iPhone, it is recommended to inject the Frida server dylib into a dummy app and install it on the iPhone, which requires Xcode.
But getting a Mac/MacBook can be an expensive affair. An inexpensive alternative is to make a Mac VM (fondly called a Hackintosh). In this post, we will look at how to create an almost perfect Hackintosh VM.
Note: This post is limited to OS installation only, and we will be using Windows as the host OS on Intel machines. You can try these steps with a Linux host or an AMD processor or both at your own risk. In another post, we will look at pentesting tools. So let's begin.
1. Minimum Intel i5
2. Minimum 16GB RAM (More is better)
3. 200GB Free Disk Space (SSD will provide performance benefit)
1. VMware Workstation 15+
2. MacOS 11 (Big Sur) iso file
4. Python3 (to run Unlocker)
Now you may ask: why can't we use VirtualBox? There are a couple of issues with VirtualBox which I have observed during a couple of installations. They are as below:
1. Issues with GateKeeper and System Integrity Protection (SIP) of MacOS 15+: GateKeeper and SIP are two important security mechanisms of MacOS. They restrict apps from untrusted developers. You can install MacOS 11 on VirtualBox, but I faced multiple issues while installing the VB Guest Additions due to GateKeeper and SIP. This happens because MacOS does not recognise Oracle as a trusted developer. As you might already know, without Guest Additions multiple features cannot be used.
2. USB connectivity issues: In one of my tests, I installed MacOS Catalina successfully on VirtualBox (with Guest Additions). But I observed USB connectivity issues with VirtualBox while attaching an iPhone to the VM. Even after lots of updating and trial and error, this was not resolved. Hence I ditched VirtualBox.
Below are the steps you need to follow before, during and after installation.
a. Shutdown VMWare Workstation/Player application.
b. Run win-install.cmd with Admin access via command line. Let unlocker do its work.
c. Once done, start VMware Workstation/Player to configure VM.
a. In VMware option, go to File > New Virtual Machine.
b. Select “Custom (advanced)” and press “Next” to go on next page
c. Keep default option and press next.
d. Select “I will install the operating system later”
e. On next page, select “Apple Mac OS X” and “macOS 11.1”.
f. On next page, add name to VM and location as per your convenience. Then press Next.
g. On “Processor Configuration” page, select following configuration and press Next. (Ignore the warning)
h. On “Memory for VM” page, set memory more than 8GB or above.
i. Keep pressing “Next” till you reach Disk capacity. Select a disk size of at least 160GB, then press Next, Next, Finish.
j. Once done, VM page will be visible. Click on “Edit virtual machine setting”.
k. We have to add an additional disk of size 20GB as recovery disk. Configuration of this disk will be done in later part. Once done, VM will look something like this.
l. Now close VMware Workstation.
m. Open the .vmx file and append the line below to it. This helps with the VMware unrecoverable error, if it occurs.
smc.version = "0"
With this VM is ready for OS installation.
MacOS VM Installation:
a. Open VMware Workstation. It will show last used VM. Select MacOS iso from CD/DVD option.
b. After selecting, press Play (or Power on this virtual machine) to start installation. In very first page, select suitable language and click next.
c. On next page, Recovery menu will be visible.
Select Disk Utility to format Disks. You need to select and Erase the disks.
For bigger disk, make sure to set Format = APFS & Scheme = GUID Partition Map.
For smaller disk, set Format = Mac OS Extended (Journaled) and Scheme = GUID Partition Map. This is important, as the Recovery disk can only be created with this format. Note: Mac OS Extended format is also known as HFS+.
Once the disks are erased, exit Disk Utility. Select “Install macOS Big Sur” for installation.
d. Go ahead with agreeing Terms and Conditions. Select bigger disk for installation. On clicking next, installation will start.
e. It will take around 30–40 minutes to install OS completely.
f. Once installation is completed, go ahead with the options mentioned below.
You can go with default options from here. With this OS installation gets completed. Next step will be Configuring VM.
1. MacOS VM Configuration:
a. Login into Apple Appstore with AppleID
b. Next up is to install VMWare Tools
Continue with installation. In the end you can see “System Extension Blocked” pop-up. Select “Open Security Preferences”.
Click on Lock icon to unlock setting. Provide password in new pop-up and unlock setting. Once unlocked, it will look like below. Click on “Allow” button.
Once you click “Allow”, the system will ask for a restart. Click on the “Restart” button.
After restart, the VM will go full screen (this means VMware Tools was installed successfully).
MacOS VM Recovery Disk Configuration:
As discussed earlier, to sideload unsigned/untrusted apps, we have to disable Gatekeeper and System Integrity Protection. For this we need to use “MacOS Recovery Mode”. In this section, we will create MacOS Recovery Disk.
a. Follow steps mentioned under 3.c. to create extra disk of size 20GB.
b. Download “macOS Big Sur” application from App Store.
Once installed, it will be visible in /Applications.
c. Make installation media with “createinstallmedia” command in Terminal.
sudo /Applications/Install\ macOS\ Big\ Sur.app/Contents/Resources/createinstallmedia --volume /Volumes/MyVolume
Replace “MyVolume” with actual Volume Name. In our case, it will be as follows:
With this recovery disk is available for further configurations.
Disabling Internal Security Mechanisms
How to go in “Recovery Mode”
a. Shutdown MacOS VM.
b. Go to Power on > “Power On to Firmware”. This will provide multiple boot-up options.
c. On selecting the correct disk option, VM will boot into the Recovery mode. Generally 2.0 will be recovery disk.
a. Boot VM into Recovery Mode.
b. Open Terminal from Utilities options.
c. Run below command and then reboot VM to Disable SIP. (You can restart MacOS with command “shutdown -r now”.)
a. Open Terminal and run following command.
sudo spctl --master-disable
b. On successful execution of command, you can find “Anywhere” option for “Allow apps downloaded from” in Security & Privacy.
The next two steps are not mandatory per se, but they are helpful while installing some other apps.
Change ownership and permissions on filesystem
Warning: This step can make your VM non-bootable. Hence, I recommend taking a snapshot of the VM just in case.
a. Disable FileVault. By default, it is disabled.
b. Boot into recovery mode and execute below command in Terminal:
csrutil authenticated-root disable
Once done, reboot the VM.
c. Once rebooted, we need to identify the Root Mount device. Disk partitions can be listed by command “diskutil list”
“Main” volume will be the target disk which we need to mount as RW. In our case, “disk2s5” is the target.
d. Create a directory which is to be used as Mount point.
e. Next, mount the disk to mount folder.
f. Next run “chown” & “chmod” on mounted folders.
g. Finally run “bless” command for taking snapshot and make changes in bootefi. Once done, disk will be mounted as read-write after every boot.
Once done, reboot the system.
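To confirm which of the protections changed above (SIP, Gatekeeper, authenticated root) and FileVault are actually on or off in the VM after the reboot, the status of each can be read back and summarised. The script below is an added example, not part of the original post; the function names are hypothetical, and the sample strings are constructed to model the usual status output of these tools so the script also runs on a machine without them.

```shell
#!/bin/sh
# Added example: summarise the state of the macOS protections this guide changes.

# classify TEXT -> enabled | disabled | custom | unknown
# Only the first line is inspected: with a partial SIP configuration csrutil
# prints a "Custom Configuration" summary followed by per-feature lines.
classify() {
    first=$(printf '%s\n' "$1" | head -n 1 | tr '[:upper:]' '[:lower:]')
    case "$first" in
        *custom*)               echo custom ;;
        *disabled*|*"is off"*)  echo disabled ;;
        *enabled*|*"is on"*)    echo enabled ;;
        *)                      echo unknown ;;   # error text, missing tool
    esac
}

# posture SIP_OUT GATEKEEPER_OUT AUTH_ROOT_OUT FILEVAULT_OUT
posture() {
    printf 'sip=%s\n'                "$(classify "$1")"
    printf 'gatekeeper=%s\n'         "$(classify "$2")"
    printf 'authenticated_root=%s\n' "$(classify "$3")"
    printf 'filevault=%s\n'          "$(classify "$4")"
}

# weakened ...same four arguments... -> number of controls not fully enabled
weakened() {
    posture "$@" | grep -vc '=enabled$' || true
}

# Constructed sample outputs (not captured from a real machine) for the state
# this guide ends in.
SAMPLE_SIP='System Integrity Protection status: disabled.'
SAMPLE_GK='assessments disabled'
SAMPLE_ROOT='Authenticated Root status: disabled'
SAMPLE_FV='FileVault is Off.'

if command -v csrutil >/dev/null 2>&1; then
    # Inside the macOS VM: query the real tools.
    posture "$(csrutil status 2>&1)" "$(spctl --status 2>&1)" \
            "$(csrutil authenticated-root status 2>&1)" "$(fdesetup status 2>&1)"
else
    # Anywhere else: show the result for the constructed samples.
    posture "$SAMPLE_SIP" "$SAMPLE_GK" "$SAMPLE_ROOT" "$SAMPLE_FV"
fi
```

Keeping this output alongside the VM snapshot records that the machine is a deliberately weakened test VM.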
Whitelisting Kernel Extensions (kext)
KEXT is another name for MacOS drivers. Just like with third-party apps, MacOS (sometimes) does not allow unidentified kexts to be installed. In such cases, the kext can be whitelisted in recovery mode.
Note: Run this step on a requirement basis. In my experience, I didn’t need to perform this step (at least during basic setup). Hence I am putting down the steps with no screenshots. Proceed at your own risk.
a. Startup the Mac in recovery mode.
b. Click the Utilities menu and select Terminal.
c. Enter the following command:
/usr/sbin/spctl kext-consent add <kextid>
d. Close the Terminal app and restart
Well known apps provide respective kextid on their portal.
Note: Apple has started decommissioning kext. So not sure for how long this step will remain valid.
Attaching External WiFi Card to MacOS VM
Attaching an external Wi-Fi card to a MacOS VM is not a standard affair. There are multiple issues.
The first problem is to identify supported Wi-Fi cards. MacOS unfortunately does not support many external Wi-Fi cards. From the information I gathered, Realtek chipsets are well supported. I myself used AWUS036ACS and AWUS036ACH Alfa cards. MacOS does not support Atheros chipsets. Hence Alfa cards like AWUS036NHA do not work. (Note: I have checked this with the cards available to me. For enthusiasts, there is this awesome github repo by Chris111 for multiple Realtek Wireless drivers. You can play with this.)
Even after getting the correct Wi-Fi card, the problem doesn’t end. Due to this problem, I added the word “almost” to the document title. The problem is that the Wi-Fi utility for either of these utilities does not get installed permanently. However, it can be used temporarily as long as the VM is on. (Note: I am not sure if this issue persists with
Installation is straight forward:
1. Download the necessary MacOS drivers for the Wi-Fi adapter. You can find them inbuilt or available on the respective website.
2. Attach adapter to VM. On successful attachment, adapter icon will start blinking.
3. Proceed with normal installation.
4. In the end, there will be an installation error. But you can also observe that the Wi-Fi utility is available.
Once you click “Close”, the system will ask you to delete the installer. But do not delete it, as it will be required next time.
5. Select relevant Wi-Fi and connect to it.
With this, we have completed Hackintosh VM creation successfully. We learned about following things:
a. How to patch VMware for MacOS installation
b. How to create recovery disk for VM
c. How to utilize Recovery mode
d. Issue with external Wi-Fi support to MacOS in general.
In next post, we will look at some important tools in MacOS, which we will use for further iOS MAPT.