iOS How to Connect to Corellium

Reading time: 4 minutes

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Prereqs

A Corellium iOS VM (jailbroken or not). In this guide we assume you have access to Corellium.
Local tools: ssh/scp.
(Optional) SSH keys added to your Corellium project for passwordless logins.

Connect to the iPhone VM from localhost

A) Quick Connect (no VPN)

Add you ssh key in /admin/projects (recommended).
Open the device page → Connect
Copy the Quick Connect SSH command shown by Corellium and paste it in your terminal.
Enter the password or use your key (recommended).

B) VPN → direct SSH

Add you ssh key in /admin/projects (recommended).
Device page → CONNECT → VPN → download .ovpn and connect with any VPN client that supports TAP mode. (Check https://support.corellium.com/features/connect/vpn if you have issues.)
SSH to the VM’s 10.11.x.x address:

bash

ssh root@10.11.1.1

Upload a native binary & execute it

2.1 Upload

If Quick Connect gave you a host/port:

bash

scp -J <domain> ./mytool root@10.11.1.1:/var/root/mytool

If using VPN (10.11.x.x):

bash

scp ./mytool -J <domain> root@10.11.1.1:/var/root/mytool

Upload & install an iOS app (.ipa)

Path A — Web UI (fastest)

Device page → Apps tab → Install App → pick your .ipa.
From the same tab you can launch/kill/uninstall.

Path B — Scripted via Corellium Agent

Use the API Agent to upload then install:

js

// Node.js (pseudo) using Corellium Agent
await agent.upload("./app.ipa", "/var/tmp/app.ipa");
await agent.install("/var/tmp/app.ipa", (progress, status) => {
  console.log(progress, status);
});

Path C — Non-jailbroken (proper signing / Sideloadly)

If you don’t have a provisioning profile, use Sideloadly to re-sign with your Apple ID, or sign in Xcode.
You can also expose the VM to Xcode using USBFlux (see §5).
For quick logs/commands without SSH, use the device Console in the UI.

Extras

Port-forwarding (make the VM feel local for other tools):

bash

# Forward local 2222 -> device 22
ssh -N -L 2222:127.0.0.1:22 root@10.11.1.1
# Now you can: scp -P 2222 file root@10.11.1.1:/var/root/

LLDB remote debugging: use the LLDB/GDB stub address shown at the bottom of the device page (CONNECT → LLDB).
USBFlux (macOS/Linux): present the VM to Xcode/Sideloadly like a cabled device.

Common pitfalls

Proper signing is required on non-jailbroken devices; unsigned IPAs won’t launch.
Quick Connect vs VPN: Quick Connect is simplest; use VPN when you need the device on your local network (e.g., local proxies/tools).
No App Store on Corellium devices; bring your own (re)signed IPAs.

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.