iPhone debugging requires proper tools. The Bonobo cable connects to your target through Lightning and allows CPU debugging over JTAG/SWD using OpenOCD and an AArch64 GDB. Among other things, you can access all CPUs and their registers, single-step, set hardware breakpoints, and dump memory. Perfect for security research.
The target serial console can be accessed from the control PC through Minicom (iBoot prompt), as well as Lightning USB (for DFU, USB exploitation, etc.).
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
— axi0mX (@axi0mX) September 27, 2019
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). https://t.co/dQJtXb78sG
| Device / SoC   | Bonobo | ipwndfu (demote) |
|----------------|--------|------------------|
| iPhone 5 / A6  | Yes    | Yes              |
| iPhone 6 / A8  | Yes    | Yes              |
| iPhone 6s / A9 | Yes    | Yes              |
| iPhone 7 / A10 | Yes    | Yes              |
| iPhone 8 / A11 | Yes    | Yes              |
| iPhone XR / A12| Yes    | No               |
The FPGA and STM32 come pre-flashed with a custom Gateware and Firmware, ready to be used with our open-source OpenOCD driver.
Configure and build:
$ git clone https://github.com/lambdaconcept/openocd.git
$ cd openocd
$ ./bootstrap
$ ./configure --enable-bonobo --disable-werror
$ make -j
$ make install
Get aarch64-linux-gnu-gdb from your distribution package manager.
Get the OpenOCD configuration file matching your target iPhone (openocd-iphone-7.cfg or openocd-iphone-xr.cfg).
Plug the phone and run:
$ openocd -f openocd-iphone-7.cfg
or
$ openocd -f openocd-iphone-xr.cfg
At that stage, OpenOCD should have attached to your phone through Bonobo.
$ aarch64-linux-gnu-gdb
(gdb) target remote :3333
0x0000000100000508 in ?? ()
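The `target remote :3333` step attaches GDB to OpenOCD over the GDB Remote Serial Protocol (RSP): register reads and memory dumps like the ones listed above travel over that socket as `$<payload>#<two-digit checksum>` packets, each acknowledged with `+` (or `-` to request a retransmit). The following is an added example, not code from this page, from LambdaConcept or from OpenOCD: a minimal RSP client that exchanges a halt-reason query and a memory read with a constructed in-process stub. The stub, its base address and the eight bytes it serves are assumptions built for the example; only the packet framing and checksum rule are the real protocol.

```python
"""Minimal GDB Remote Serial Protocol (RSP) client plus a constructed stub,
mirroring the framing that GDB and OpenOCD exchange on port 3333.
Everything here is constructed for illustration; no real hardware is touched."""
import socket
import threading

# Constructed stub state (an ASSUMPTION, not real iPhone memory): 8 bytes at
# the PC shown in the attach transcript. They are the AArch64 little-endian
# encodings of "nop" (d503201f) followed by "ret" (d65f03c0).
STUB_BASE = 0x100000508
STUB_IMAGE = bytes.fromhex("1f2003d5c0035fd6")


def rsp_checksum(payload: bytes) -> int:
    """RSP checksum: sum of the payload bytes modulo 256."""
    return sum(payload) % 256


def rsp_frame(payload: bytes) -> bytes:
    """Wrap a payload as $<payload>#<two lowercase hex checksum digits>."""
    return b"$" + payload + b"#" + b"%02x" % rsp_checksum(payload)


def rsp_parse(frame: bytes) -> bytes:
    """Unwrap a frame, rejecting it when the checksum does not match."""
    if not frame.startswith(b"$") or b"#" not in frame:
        raise ValueError("malformed RSP frame")
    payload, chk = frame[1:].split(b"#", 1)
    if len(chk) < 2 or int(chk[:2], 16) != rsp_checksum(payload):
        raise ValueError("bad RSP checksum")
    return payload


def split_frames(buf: bytes):
    """Return (complete $...#xx frames, unconsumed remainder); stray acks are skipped."""
    frames = []
    while True:
        start = buf.find(b"$")
        if start < 0:
            return frames, b""
        end = buf.find(b"#", start)
        if end < 0 or len(buf) < end + 3:
            return frames, buf[start:]  # frame not complete yet
        frames.append(buf[start:end + 3])
        buf = buf[end + 3:]


def stub_reply(payload: bytes) -> bytes:
    """Answer the two requests the client uses: '?' and 'm<addr>,<len>'."""
    if payload == b"?":
        return b"S05"  # halted by signal 5 (SIGTRAP), as after a breakpoint
    if payload.startswith(b"m"):
        addr_s, len_s = payload[1:].split(b",")
        off, n = int(addr_s, 16) - STUB_BASE, int(len_s, 16)
        if 0 <= off and off + n <= len(STUB_IMAGE):
            return STUB_IMAGE[off:off + n].hex().encode()
        return b"E01"  # read outside the constructed image
    return b""  # unsupported request: empty reply, as RSP specifies


def run_stub(server: socket.socket) -> None:
    """Serve one client connection, acking good frames and NAKing bad ones."""
    conn, _ = server.accept()
    with conn:
        buf = b""
        while True:
            data = conn.recv(4096)
            if not data:
                return
            frames, buf = split_frames(buf + data)
            for frame in frames:
                try:
                    conn.sendall(b"+" + rsp_frame(stub_reply(rsp_parse(frame))))
                except ValueError:
                    conn.sendall(b"-")  # NAK: the sender should retransmit


class RspClient:
    """Tiny GDB-side client: one request, one acknowledged reply."""

    def __init__(self, host: str, port: int):
        self.sock = socket.create_connection((host, port))
        self.buf = b""

    def request(self, payload: bytes) -> bytes:
        self.sock.sendall(rsp_frame(payload))
        while True:
            frames, self.buf = split_frames(self.buf)
            if frames:
                self.buf = b"".join(frames[1:]) + self.buf  # keep any extras
                self.sock.sendall(b"+")  # ack the reply
                return rsp_parse(frames[0])
            data = self.sock.recv(4096)
            if not data:
                raise ConnectionError("stub closed the connection")
            self.buf += data

    def halt_reason(self) -> str:
        return self.request(b"?").decode()

    def read_memory(self, addr: int, n: int) -> bytes:
        reply = self.request(b"m%x,%x" % (addr, n))
        if reply.startswith(b"E"):
            raise IOError("memory read failed: " + reply.decode())
        return bytes.fromhex(reply.decode())

    def close(self) -> None:
        self.sock.close()


def demo() -> dict:
    """Start the stub on a loopback port, attach, query halt reason, dump memory."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]
    threading.Thread(target=run_stub, args=(server,), daemon=True).start()
    client = RspClient("127.0.0.1", port)
    try:
        return {"halt": client.halt_reason(),
                "memory": client.read_memory(STUB_BASE, 8)}
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    r = demo()
    print("halt reason:", r["halt"])
    print("memory at %#x: %s" % (STUB_BASE, r["memory"].hex()))
```

Running it prints the halt reason `S05` and the eight constructed bytes. The checksum check in `rsp_parse` is the part worth keeping in any scripted tooling: a dump taken over a flaky cable is only trustworthy if every frame's checksum was verified and bad frames were NAKed and retried, which is what GDB itself does behind `target remote`.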
Note: to use this cable, the target iPhone must first be demoted to enable JTAG/SWD, which is possible thanks to @axi0mX's checkm8 / ipwndfu.
For full details on using the Bonobo cable, refer to the blog article.