Table of Contents
Bonobo JTAG/SWD Debug Cable
iPhone debugging requires proper tools. The Bonobo cable connects to your target through Lightning and allows CPU debugging through JTAG/SWD using OpenOCD + AArch64 GDB. Among others, you can: access all CPUs and registers, single step, put hardware breakpoints, dump memory, etc… Perfect for security research.
The target serial console can be accessed on the control PC through Minicom (iBoot prompt), as well as Lightning USB (For DFU, USB exploitation, etc.)
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
— axi0mX (@axi0mX) September 27, 2019
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). https://t.co/dQJtXb78sG
Buy
- Buy it on our shop: Buy Bonobo Cable
Description
Specifications
- FPGA Chipset: Xilinx Spartan6 XC6SLX16
- Microcontroller: STM32F723
- USB HighSpeed Hub
- Serial + JTAG interfaces: Hi-Speed Quad USB UART FTDI FT4232H
- Lightning connector
- User Interfaces: 2x RBG LEDs
Features
On the target side (through the Lightning tip):
- Lightning SWD on ACC_ID/ACC_PWR wires.
- Lightning Serial (For iBoot console, etc.).
- Lightning USB (For DFU, …).
- Lightning ACC_ID sequence (As debug accessory).
- Lightning Power (For charging or if the target does not have a battery)
On the control side (through USB connector):
- OpenOCD (With Open Source Bonobo driver patch)
- ARMv8 / ADIv5
- Support SWD commands queue
- Support target board reset
- GDB (AArch64)
- Connects to OpenOCD
- For Registers access, Hardware breakpoints, Instruction stepping, R/W memory, etc.
Use case
- iPhone debugging: iPhone BootROM Debug/SWD cable
Supported versions:
| Bonobo | ipwndfu (demote) | |
| * iPhone 5 / A6 | Yes | Yes |
| * iPhone 6 / A8 | Yes | Yes |
| * iPhone 6s / A9 | Yes | Yes |
| * iPhone 7 / A10 | Yes | Yes |
| * iPhone 8 / A11 | Yes | Yes |
| * iPhone XR / A12 | Yes | No |
Hardware Architecture
Gateware & Firmware
The FPGA and STM32 come pre-flashed with a custom Gateware and Firmware, ready to be used with our open-source OpenOCD driver.
Quick Start
1. Get OpenOCD + Bonobo patch
Configure and build:
git clone https://github.com/lambdaconcept/openocd.git cd openocd ./bootstrap ./configure --enable-bonobo --disable-werror make -j make install
2. Get GDB Aarch64
Get aarch64-linux-gnu-gdb from your distribution package manager.
3. Get iPhone configuration files
Get the configuration file for iPhone. Depending on your target:
- iPhone 7: openocd-iphone-7.cfg
- iPhone 8: soon available.
- iPhone XR: openocd-iphone-xr.cfg
4. Demote your iDevice
5. Run OpenOCD
Plug the phone and run:
$ openocd -f openocd-iphone-7.cfg
or
$ openocd -f openocd-iphone-xr.cfg
At that stage, OpenOCD should have attached to your phone using Bonobo. More details
5. Attach with GDB
$ aarch64-linux-gnu-gdb (gdb) target remote :3333 0x0000000100000508 in ?? ()
Demonstration:
Note: To be able to use this cable, the target system (iPhone) must be demoted to allow JTAG/SWD thanks to @axi0mX.
For full details on using the Bonobo cable refer to the blog article
Page Tools
