Attesor: AI-Powered Reverse Engineering of Rosetta 2 for Linux VM

Attesor is a GitHub repository containing a reverse-engineering project focused on Apple's Rosetta 2 binary translation system. The project aims to understand and document how Rosetta 2 enables x86_64 applications to run on ARM64 Apple Silicon hardware, with potential implications for Linux virtualization.

Project Background

The project documents Apple's architecture transitions: 1994 (Motorola 68000 to PowerPC), 2006 (PowerPC to Intel x86_64), and 2020 (Intel x86_64 to Apple Silicon ARM64). Rosetta 2 is Apple's third-generation binary translation solution, following the original Rosetta (2006-2011) that enabled PowerPC applications on Intel Macs.

Rosetta 2 Architecture

According to the source material, Rosetta 2 operates as a translation layer between x86_64 user applications and the ARM64 macOS kernel. The architecture includes:

• Translator (AOT/JIT): Handles both ahead-of-time and just-in-time translation
• Runtime Library: Provides runtime support functions
• System Call Translation: Converts x86_64 syscalls to ARM64 equivalents

Key Technologies

• Ahead-of-Time (AOT) Translation: Translates x86_64 binaries to ARM64 at install time, storing translated code in a cache
• Just-in-Time (JIT) Translation: Translates code blocks on-demand during execution, handling dynamically loaded code
• Instruction Set Translation: Maps x86_64 to ARM64 instructions, SSE/AVX to NEON vector instructions, and x86_64 flags to ARM64 condition codes
• System Call Translation: Manages different calling conventions and register state across syscall boundaries

Implementation Details

Rosetta 2 is located at /Library/Apple/usr/libexec/oah/ (where "oah" stands for "Old Architecture Hardware"), containing:

• rosetta - Main translator binary
• rosettad - Rosetta daemon
• librosetta.* - Runtime libraries

On Apple Silicon Macs, Rosetta 2 is not installed by default. Installation is triggered either by the first launch prompt of an Intel application or via the command line with softwareupdate --install-rosetta.

Project Structure

The repository contains multiple files including:

• ExportDecomp.java and export_decomp.py for export and decompilation
• rosetta_decomp.c and rosettad_decomp.c for decompiled components
• rosetta_function_map.h and various refactored C files
• rosetta.TODO.md documenting remaining work

The project represents an ongoing effort to document Rosetta 2's internals, which could inform development of similar translation layers for Linux virtualization environments.