🤖 HackTricks / ios Corellium

iOS How to Connect to Corellium

Prereqs

  • A Corellium iOS VM (jailbroken or not). In this guide we assume you have access to Corellium.
  • Local tools: ssh/scp.
  • (Optional) SSH keys added to your Corellium project for passwordless logins.

Connect to the iPhone VM from localhost

A) Quick Connect (no VPN)

0) Add you ssh key in /admin/projects (recommended). 1) Open the device page → Connect 2) Copy the Quick Connect SSH command shown by Corellium and paste it in your terminal. 3) Enter the password or use your key (recommended).

B) VPN → direct SSH

0) Add you ssh key in /admin/projects (recommended). 1) Device page → CONNECTVPN → download .ovpn and connect with any VPN client that supports TAP mode. (Check https://support.corellium.com/features/connect/vpn if you have issues.) 2) SSH to the VM’s 10.11.x.x address: 

ssh root@10.11.1.1

Upload a native binary & execute it

2.1 Upload

  • If Quick Connect gave you a host/port: 

    scp -J <domain> ./mytool root@10.11.1.1:/var/root/mytool

  • If using VPN (10.11.x.x): 

    scp ./mytool -J <domain> root@10.11.1.1:/var/root/mytool

Upload & install an iOS app (.ipa)

Path A — Web UI (fastest)

1) Device page → Apps tab → Install App → pick your .ipa.
2) From the same tab you can launch/kill/uninstall.

Path B — Scripted via Corellium Agent

1) Use the API Agent to upload then install: 

// Node.js (pseudo) using Corellium Agent
await agent.upload("./app.ipa", "/var/tmp/app.ipa");
await agent.install("/var/tmp/app.ipa", (progress, status) => {
  console.log(progress, status);
});

Path C — Non-jailbroken (proper signing / Sideloadly)

  • If you don’t have a provisioning profile, use Sideloadly to re-sign with your Apple ID, or sign in Xcode.

  • You can also expose the VM to Xcode using USBFlux (see §5).

  • For quick logs/commands without SSH, use the device Console in the UI.

Extras

  • Port-forwarding (make the VM feel local for other tools): 

    # Forward local 2222 -> device 22
ssh -N -L 2222:127.0.0.1:22 root@10.11.1.1
# Now you can: scp -P 2222 file root@<TARGET>:/var/root/

  • LLDB remote debugging: use the LLDB/GDB stub address shown at the bottom of the device page (CONNECT → LLDB).

  • USBFlux (macOS/Linux): present the VM to Xcode/Sideloadly like a cabled device.

Common pitfalls

  • Proper signing is required on non-jailbroken devices; unsigned IPAs won’t launch.
  • Quick Connect vs VPN: Quick Connect is simplest; use VPN when you need the device on your local network (e.g., local proxies/tools).
  • No App Store on Corellium devices; bring your own (re)signed IPAs.