products:bonobo:iphone_bootrom_debug
Table of Contents
Debugging an iPhone using our Bonobo cable with OpenOCD
Following up with Vice Motherboard article talking about purchasing stolen development iPhones for vulnerability research and exploits, we decided to create a debug cable for iPhone.
Standard iPhones bought from a local shop are fused and debug features are disabled. However, it is possible to replace its fused CPU with a new and never used one.
Replacing the iPhone A10 CPU with a new unfused one
This video shows such replacement process, replacing A10 CPU on a iPhone7:
A10 CPU can be bought from aliexpress:
After some modification on the CPU, it loses its security domain and is ready for debug !
We can put the board back into its case:
Now let's create a SWD (Serial Wire Debug) cable.
Bonobo Hardware design
Our development setup:
- FPGA Spartan6 dev board
- STM32 Nucleo dev board
- Logic analyzer
- Custom Lightning breakout board + Lightning tip
- iPhone board with new A10
- JTAG+Serial programming cable
Step 1: Writing SDQ core
SDQ (or Apple ID Bus) is the protocol used on the Lightning ACC lines to identify the accessory type and Lightning connector orientation.
See http://ramtin-amin.fr/#tristar for details on SDQ.
We want to be able to play different SDQ sequences, most notably the debug cable sequence (0x75 0xa0…), as well as reset the SDQ line. The core is controllable by CSRs mapped on the Wishbone bus. The architecture will be as follows:
We reimplement this protocol in FPGA using Migen. This is our python testbench for SDQ core development:
Testbench results in GTKWave:
Now that we have SDQ working, we can switch the phone into debug mode.
Step 2: Writing SWD core
We also need to implement a core for SWD (Serial Wire Debug) protocol. Once correctly switched, Lightning ACC_ID/ACC_PWR lines become SWDIO/SWCLK respectively.
For improved performance, we queue multiple commands into an SRAM area and run them in one batch. These commands are streamed to the SWD Core and results are placed into another SRAM area. The architecture will be as follows:
The SWD core automatically detects and clears overrun errors.
Migen based SWD core:
Sniffing SWD with Logic analyzer:
Bonobo Cable Architecture
We are ready to move to a dedicated hardware. We need:
- FPGA (Spartan6 XC6SLX16) with custom cores for Lightning operation: SDQ, SWD.
- Microcontroller (STM32F723 with integrated HighSpeed USB PHY) running Nuttx RTOS.
- FT4232H Quad USB UART (2 JTAG + 2 UART).
- USB HighSpeed Hub (3 downstream ports).
- Lightning tip connector.
FPGA SoC is based on a wishbone bus, where SDQ and SWD cores are mapped via CSR (Control/Status Register). The STM32 is bridged on this bus as master via a Quad SPI interface, and thus performs R/W access on FPGA registers in order to control it.
Nuttx RTOS (running on the STM32) runs a HighSpeed USB device driver, with 2 bulk endpoints (1 IN & 1 OUT) for interconnection to the controller PC (USB Host) via the on-board USB hub.
The USB hub also provides access to the FT4232H for FPGA/STM32 Flash programming (through JTAG), Nuttx Shell and iPhone debug console (UART), as well as to the iPhone USB pair (Lightning DP/DM) for DFU.
Bonobo Gateware Architecture
Details of SoC architecture implemented in the FPGA:
The Lightning Multiplexer first connects the SDQ core to the Lightning connector wires (ACC_ID/ACC_PWR). Once the SDQ debug sequence has been played appropriately, the multiplexer connects the SWD core.
Nuttx applications control the FPGA SoC through the master QuadSPI/Wishbone bridge.
Bonobo Cable Pictures
After PCB design and SMT, this is our cable:
We made a custom case for it using a 3D printer. Box size: 5cm x 2.8cm x 1cm.
OpenOCD driver
We wrote a custom OpenOCD driver for our Bonobo cable using the following JTAG/SWD interface:
static const struct swd_driver bonobo_swd = { .init = bonobo_swd_init, .switch_seq = bonobo_swd_switch_seq, .read_reg = bonobo_swd_read_reg, .write_reg = bonobo_swd_write_reg, .run = bonobo_swd_run, }; static const char * const bonobo_transports[] = { "jtag", "swd", NULL }; struct jtag_interface bonobo_interface = { .name = "bonobo", .supported = DEBUG_CAP_TMS_SEQ, .commands = NULL, .transports = bonobo_transports, .swd = &bonobo_swd, .init = bonobo_initialize, .quit = bonobo_quit, .speed = bonobo_speed, .speed_div = bonobo_speed_div, .khz = bonobo_khz, .execute_queue = bonobo_execute_queue, };
Read & Write registers commands are accumulated into a queue and run in one shot for improved performance.
OpenOCD build instructions
Get OpenOCD:
git clone https://github.com/ntfreak/openocd.git cd openocd
Get the Bonobo driver patch: openocd-bonobo.patch
git apply openocd-bonobo.patch
Configure and build:
./bootstrap ./configure --enable-bonobo make -j
Optional, install:
sudo make install
Example use cases
Running OpenOCD
Get the configuration file for iphone: openocd-iphone.cfg
$ openocd -f openocd-iphone.cfg -d3
Or without make install:
$ ./src/openocd -f openocd-iphone.cfg -d3 -s tcl/
Debug: 477 81 gdb_server.c:3386 gdb_target_start(): starting gdb server for iphone.cpu0 on 3333 Info : 478 81 server.c:311 add_service(): Listening on port 3333 for gdb connections Debug: 479 81 gdb_server.c:3386 gdb_target_start(): starting gdb server for iphone.cpu1 on 3334 Info : 480 81 server.c:311 add_service(): Listening on port 3334 for gdb connections Debug: 481 81 gdb_server.c:3386 gdb_target_start(): starting gdb server for iphone.sep on 3335 Info : 482 81 server.c:311 add_service(): Listening on port 3335 for gdb connections Info : 483 81 server.c:311 add_service(): Listening on port 6666 for tcl connections Info : 484 81 server.c:311 add_service(): Listening on port 4444 for telnet connections
Listing targets
$ telnet 127.0.0.1 4444
Open On-Chip Debugger
> targets
TargetName Type Endian TapName State
-- ------------------ ---------- ------ ------------------ ------------
0 iphone.mem mem_ap little iphone.cpu running
1 iphone.cpu0 aarch64 little iphone.cpu running
2 iphone.cpu1 aarch64 little iphone.cpu running
3* iphone.sep cortex_a little iphone.cpu running
> targets iphone.cpu0
> halt
iphone.cpu0 cluster 0 core 0 multi core
target halted in AArch64 state due to debug-request, current mode: EL1T
cpsr: 0x800002c4 pc: 0x100000508
MMU: enabled, D-Cache: enabled, I-Cache: enabled
> targets
TargetName Type Endian TapName State
-- ------------------ ---------- ------ ------------------ ------------
0 iphone.mem mem_ap little iphone.cpu running
1* iphone.cpu0 aarch64 little iphone.cpu halted
2 iphone.cpu1 aarch64 little iphone.cpu running
3 iphone.sep cortex_a little iphone.cpu running
Dumping iPhone ROM Table
$ telnet 127.0.0.1 4444
Open On-Chip Debugger
> dap info 1
AP ID register 0x34770002
Type is MEM-AP APB
MEM-AP BASE 0x80000000
ROM table in legacy format
Component base address 0x80000000
Peripheral ID 0x00000c8489
Designer is 0x0c8, Apple Computer
Part is 0x489, Unrecognized
Component class is 0x1, ROM table
MEMTYPE system memory not present: dedicated debug bus
ROMTABLE[0x0] = 0x40000002
Component not present
ROMTABLE[0x4] = 0x50300003
Component base address 0xd0300000
Peripheral ID 0x00000c8489
Designer is 0x0c8, Apple Computer
Part is 0x489, Unrecognized
Component class is 0x1, ROM table
MEMTYPE system memory not present: dedicated debug bus
[L01] ROMTABLE[0x0] = 0x20002
Component not present
[L01] ROMTABLE[0x4] = 0x21002
Component not present
[L01] ROMTABLE[0x8] = 0x22002
Component not present
[L01] ROMTABLE[0xc] = 0x23002
Component not present
[L01] ROMTABLE[0x10] = 0x24002
Component not present
[L01] ROMTABLE[0x14] = 0x25002
Component not present
[L01] ROMTABLE[0x18] = 0x26002
Component not present
[L01] ROMTABLE[0x1c] = 0x27002
Component not present
[L01] ROMTABLE[0x20] = 0x308002
Component not present
[L01] ROMTABLE[0x24] = 0x330002
Component not present
[L01] ROMTABLE[0x28] = 0x334002
Component not present
[L01] ROMTABLE[0x2c] = 0x340002
Component not present
[L01] ROMTABLE[0x30] = 0x344002
Component not present
[L01] ROMTABLE[0x34] = 0x350002
Component not present
[L01] ROMTABLE[0x38] = 0x354002
Component not present
[L01] ROMTABLE[0x3c] = 0x360002
Component not present
[L01] ROMTABLE[0x40] = 0x364002
Component not present
[L01] ROMTABLE[0x44] = 0x1003
Component base address 0xd0301000
Peripheral ID 0x00004c82c5
Designer is 0x0c8, Apple Computer
Part is 0x2c5, Unrecognized
Component class is 0x1, ROM table
MEMTYPE system memory not present: dedicated debug bus
[L02] ROMTABLE[0x0] = 0xf1d0f003
Component base address 0xc2010000
Peripheral ID 0x00004c83c5
Designer is 0x0c8, Apple Computer
Part is 0x3c5, Unrecognized
Component class is 0x9, CoreSight component
Type is 0x15, Debug Logic, Processor
[L02] ROMTABLE[0x4] = 0xf1d1f003
Component base address 0xc2020000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L02] ROMTABLE[0x8] = 0xf1e0f003
Component base address 0xc2110000
Peripheral ID 0x00004c83c5
Designer is 0x0c8, Apple Computer
Part is 0x3c5, Unrecognized
Component class is 0x9, CoreSight component
Type is 0x15, Debug Logic, Processor
[L02] ROMTABLE[0xc] = 0xf1e1f003
Component base address 0xc2120000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L02] ROMTABLE[0x10] = 0xf2c0f003
Component base address 0xc2f10000
Peripheral ID 0x00004c84c5
Designer is 0x0c8, Apple Computer
Part is 0x4c5, Unrecognized
Component class is 0xf, PrimeCell or System component
[L02] ROMTABLE[0x14] = 0x0
[L02] End of ROM table
[L01] ROMTABLE[0x48] = 0x2003
Component base address 0xd0302000
Peripheral ID 0x04000bb4c3
Designer is 0x4bb, ARM Ltd.
Part is 0x4c3, Cortex-M3 ROM (ROM Table)
Component class is 0x1, ROM table
MEMTYPE system memory not present: dedicated debug bus
[L02] ROMTABLE[0x0] = 0xf7a6c003
Component base address 0xc7d6e000
Peripheral ID 0x04000bb000
Designer is 0x4bb, ARM Ltd.
Part is 0x0, Cortex-M3 SCS (System Control Space)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x4] = 0xf7a6b003
Component base address 0xc7d6d000
Peripheral ID 0x04002bb003
Designer is 0x4bb, ARM Ltd.
Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x8] = 0xf7a6a003
Component base address 0xc7d6c000
Peripheral ID 0x04003bb002
Designer is 0x4bb, ARM Ltd.
Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0xc] = 0x0
[L02] End of ROM table
[L01] ROMTABLE[0x4c] = 0x3003
Component base address 0xd0303000
Peripheral ID 0x04000bb4c3
Designer is 0x4bb, ARM Ltd.
Part is 0x4c3, Cortex-M3 ROM (ROM Table)
Component class is 0x1, ROM table
MEMTYPE system memory not present: dedicated debug bus
[L02] ROMTABLE[0x0] = 0xf7a8b003
Component base address 0xc7d8e000
Peripheral ID 0x04000bb000
Designer is 0x4bb, ARM Ltd.
Part is 0x0, Cortex-M3 SCS (System Control Space)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x4] = 0xf7a8a003
Component base address 0xc7d8d000
Peripheral ID 0x04002bb003
Designer is 0x4bb, ARM Ltd.
Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x8] = 0xf7a89003
Component base address 0xc7d8c000
Peripheral ID 0x04003bb002
Designer is 0x4bb, ARM Ltd.
Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0xc] = 0x0
[L02] End of ROM table
[L01] ROMTABLE[0x50] = 0x4003
Component base address 0xd0304000
Peripheral ID 0x04000bb4c3
Designer is 0x4bb, ARM Ltd.
Part is 0x4c3, Cortex-M3 ROM (ROM Table)
Component class is 0x1, ROM table
MEMTYPE system memory not present: dedicated debug bus
[L02] ROMTABLE[0x0] = 0xf7b4a003
Component base address 0xc7e4e000
Peripheral ID 0x04000bb000
Designer is 0x4bb, ARM Ltd.
Part is 0x0, Cortex-M3 SCS (System Control Space)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x4] = 0xf7b49003
Component base address 0xc7e4d000
Peripheral ID 0x04002bb003
Designer is 0x4bb, ARM Ltd.
Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x8] = 0xf7b48003
Component base address 0xc7e4c000
Peripheral ID 0x04003bb002
Designer is 0x4bb, ARM Ltd.
Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0xc] = 0x0
[L02] End of ROM table
[L01] ROMTABLE[0x54] = 0x5003
Component base address 0xd0305000
Peripheral ID 0x04000bb4c3
Designer is 0x4bb, ARM Ltd.
Part is 0x4c3, Cortex-M3 ROM (ROM Table)
Component class is 0x1, ROM table
MEMTYPE system memory not present: dedicated debug bus
[L02] ROMTABLE[0x0] = 0xf7b69003
Component base address 0xc7e6e000
Peripheral ID 0x04000bb000
Designer is 0x4bb, ARM Ltd.
Part is 0x0, Cortex-M3 SCS (System Control Space)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x4] = 0xf7b68003
Component base address 0xc7e6d000
Peripheral ID 0x04002bb003
Designer is 0x4bb, ARM Ltd.
Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x8] = 0xf7b67003
Component base address 0xc7e6c000
Peripheral ID 0x04003bb002
Designer is 0x4bb, ARM Ltd.
Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0xc] = 0x0
[L02] End of ROM table
[L01] ROMTABLE[0x58] = 0x6003
Component base address 0xd0306000
Peripheral ID 0x04000bb4c3
Designer is 0x4bb, ARM Ltd.
Part is 0x4c3, Cortex-M3 ROM (ROM Table)
Component class is 0x1, ROM table
MEMTYPE system memory not present: dedicated debug bus
[L02] ROMTABLE[0x0] = 0xf7b88003
Component base address 0xc7e8e000
Peripheral ID 0x04000bb000
Designer is 0x4bb, ARM Ltd.
Part is 0x0, Cortex-M3 SCS (System Control Space)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x4] = 0xf7b87003
Component base address 0xc7e8d000
Peripheral ID 0x04002bb003
Designer is 0x4bb, ARM Ltd.
Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x8] = 0xf7b86003
Component base address 0xc7e8c000
Peripheral ID 0x04003bb002
Designer is 0x4bb, ARM Ltd.
Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0xc] = 0x0
[L02] End of ROM table
[L01] ROMTABLE[0x5c] = 0x7003
Component base address 0xd0307000
Peripheral ID 0x04000bb4c3
Designer is 0x4bb, ARM Ltd.
Part is 0x4c3, Cortex-M3 ROM (ROM Table)
Component class is 0x1, ROM table
MEMTYPE system memory not present: dedicated debug bus
[L02] ROMTABLE[0x0] = 0xf7ba7003
Component base address 0xc7eae000
Peripheral ID 0x04000bb000
Designer is 0x4bb, ARM Ltd.
Part is 0x0, Cortex-M3 SCS (System Control Space)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x4] = 0xf7ba6003
Component base address 0xc7ead000
Peripheral ID 0x04002bb003
Designer is 0x4bb, ARM Ltd.
Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x8] = 0xf7ba5003
Component base address 0xc7eac000
Peripheral ID 0x04003bb002
Designer is 0x4bb, ARM Ltd.
Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0xc] = 0x0
[L02] End of ROM table
[L01] ROMTABLE[0x60] = 0x8003
Component base address 0xd0308000
Peripheral ID 0x04000bb4c3
Designer is 0x4bb, ARM Ltd.
Part is 0x4c3, Cortex-M3 ROM (ROM Table)
Component class is 0x1, ROM table
MEMTYPE system memory not present: dedicated debug bus
[L02] ROMTABLE[0x0] = 0xf7bc6003
Component base address 0xc7ece000
Peripheral ID 0x04000bb000
Designer is 0x4bb, ARM Ltd.
Part is 0x0, Cortex-M3 SCS (System Control Space)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x4] = 0xf7bc5003
Component base address 0xc7ecd000
Peripheral ID 0x04002bb003
Designer is 0x4bb, ARM Ltd.
Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x8] = 0xf7bc4003
Component base address 0xc7ecc000
Peripheral ID 0x04003bb002
Designer is 0x4bb, ARM Ltd.
Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0xc] = 0x0
[L02] End of ROM table
[L01] ROMTABLE[0x64] = 0x9003
Component base address 0xd0309000
Peripheral ID 0x04000bb4c3
Designer is 0x4bb, ARM Ltd.
Part is 0x4c3, Cortex-M3 ROM (ROM Table)
Component class is 0x1, ROM table
MEMTYPE system memory not present: dedicated debug bus
[L02] ROMTABLE[0x0] = 0xf7c25003
Component base address 0xc7f2e000
Peripheral ID 0x04000bb000
Designer is 0x4bb, ARM Ltd.
Part is 0x0, Cortex-M3 SCS (System Control Space)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x4] = 0xf7c24003
Component base address 0xc7f2d000
Peripheral ID 0x04002bb003
Designer is 0x4bb, ARM Ltd.
Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x8] = 0xf7c23003
Component base address 0xc7f2c000
Peripheral ID 0x04003bb002
Designer is 0x4bb, ARM Ltd.
Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0xc] = 0x0
[L02] End of ROM table
[L01] ROMTABLE[0x68] = 0xa003
Component base address 0xd030a000
Peripheral ID 0x04000bb4c3
Designer is 0x4bb, ARM Ltd.
Part is 0x4c3, Cortex-M3 ROM (ROM Table)
Component class is 0x1, ROM table
MEMTYPE system memory not present: dedicated debug bus
[L02] ROMTABLE[0x0] = 0xf7c64003
Component base address 0xc7f6e000
Peripheral ID 0x04000bb000
Designer is 0x4bb, ARM Ltd.
Part is 0x0, Cortex-M3 SCS (System Control Space)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x4] = 0xf7c63003
Component base address 0xc7f6d000
Peripheral ID 0x04002bb003
Designer is 0x4bb, ARM Ltd.
Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x8] = 0xf7c62003
Component base address 0xc7f6c000
Peripheral ID 0x04003bb002
Designer is 0x4bb, ARM Ltd.
Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0xc] = 0x0
[L02] End of ROM table
[L01] ROMTABLE[0x6c] = 0xb003
Component base address 0xd030b000
Peripheral ID 0x04000bb4c3
Designer is 0x4bb, ARM Ltd.
Part is 0x4c3, Cortex-M3 ROM (ROM Table)
Component class is 0x1, ROM table
MEMTYPE system memory not present: dedicated debug bus
[L02] ROMTABLE[0x0] = 0xf7c83003
Component base address 0xc7f8e000
Peripheral ID 0x04000bb000
Designer is 0x4bb, ARM Ltd.
Part is 0x0, Cortex-M3 SCS (System Control Space)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x4] = 0xf7c82003
Component base address 0xc7f8d000
Peripheral ID 0x04002bb003
Designer is 0x4bb, ARM Ltd.
Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x8] = 0xf7c81003
Component base address 0xc7f8c000
Peripheral ID 0x04003bb002
Designer is 0x4bb, ARM Ltd.
Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0xc] = 0x0
[L02] End of ROM table
[L01] ROMTABLE[0x70] = 0xc003
Component base address 0xd030c000
Peripheral ID 0x04000bb4c3
Designer is 0x4bb, ARM Ltd.
Part is 0x4c3, Cortex-M3 ROM (ROM Table)
Component class is 0x1, ROM table
MEMTYPE system memory not present: dedicated debug bus
[L02] ROMTABLE[0x0] = 0xf7ca2003
Component base address 0xc7fae000
Peripheral ID 0x04000bb000
Designer is 0x4bb, ARM Ltd.
Part is 0x0, Cortex-M3 SCS (System Control Space)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x4] = 0xf7ca1003
Component base address 0xc7fad000
Peripheral ID 0x04002bb003
Designer is 0x4bb, ARM Ltd.
Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0x8] = 0xf7ca0003
Component base address 0xc7fac000
Peripheral ID 0x04003bb002
Designer is 0x4bb, ARM Ltd.
Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
Component class is 0xe, Generic IP component
[L02] ROMTABLE[0xc] = 0x0
[L02] End of ROM table
[L01] ROMTABLE[0x74] = 0xf1a40003
Component base address 0xc1d40000
Peripheral ID 0x04005bbc07
Designer is 0x4bb, ARM Ltd.
Part is 0xc07, Cortex-A7 Debug (Debug Unit)
Component class is 0x9, CoreSight component
Type is 0x15, Debug Logic, Processor
[L01] ROMTABLE[0x78] = 0xf1a41002
Component not present
[L01] ROMTABLE[0x7c] = 0xf1a44003
Component base address 0xc1d44000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0x80] = 0xf1a48003
Component base address 0xc1d48000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0x84] = 0xf1a4c003
Component base address 0xc1d4c000
Peripheral ID 0x04000bb956
Designer is 0x4bb, ARM Ltd.
Part is 0x956, Unrecognized
Component class is 0x9, CoreSight component
Type is 0x13, Trace Source, Processor
[L01] ROMTABLE[0x88] = 0xf1a50003
Component base address 0xc1d50000
Peripheral ID 0x04003bb907
Designer is 0x4bb, ARM Ltd.
Part is 0x907, CoreSight ETB (Trace Buffer)
Component class is 0x9, CoreSight component
Type is 0x21, Trace Sink, Buffer
[L01] ROMTABLE[0x8c] = 0xf5920003
Component base address 0xc5c20000
Peripheral ID 0x04005bbc07
Designer is 0x4bb, ARM Ltd.
Part is 0xc07, Cortex-A7 Debug (Debug Unit)
Component class is 0x9, CoreSight component
Type is 0x15, Debug Logic, Processor
[L01] ROMTABLE[0x90] = 0xf5921002
Component not present
[L01] ROMTABLE[0x94] = 0xf5924003
Component base address 0xc5c24000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0x98] = 0xf5928003
Component base address 0xc5c28000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0x9c] = 0xf592c003
Component base address 0xc5c2c000
Peripheral ID 0x04000bb956
Designer is 0x4bb, ARM Ltd.
Part is 0x956, Unrecognized
Component class is 0x9, CoreSight component
Type is 0x13, Trace Source, Processor
[L01] ROMTABLE[0xa0] = 0xf5930003
Component base address 0xc5c30000
Peripheral ID 0x04003bb907
Designer is 0x4bb, ARM Ltd.
Part is 0x907, CoreSight ETB (Trace Buffer)
Component class is 0x9, CoreSight component
Type is 0x21, Trace Sink, Buffer
[L01] ROMTABLE[0xa4] = 0xf79a0003
Component base address 0xc7ca0000
Peripheral ID 0x04005bbc07
Designer is 0x4bb, ARM Ltd.
Part is 0xc07, Cortex-A7 Debug (Debug Unit)
Component class is 0x9, CoreSight component
Type is 0x15, Debug Logic, Processor
[L01] ROMTABLE[0xa8] = 0xf79a1002
Component not present
[L01] ROMTABLE[0xac] = 0xf79a4003
Component base address 0xc7ca4000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0xb0] = 0xf79a8003
Component base address 0xc7ca8000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0xb4] = 0xf79ac003
Component base address 0xc7cac000
Peripheral ID 0x04000bb956
Designer is 0x4bb, ARM Ltd.
Part is 0x956, Unrecognized
Component class is 0x9, CoreSight component
Type is 0x13, Trace Source, Processor
[L01] ROMTABLE[0xb8] = 0xf79b0003
Component base address 0xc7cb0000
Peripheral ID 0x04003bb907
Designer is 0x4bb, ARM Ltd.
Part is 0x907, CoreSight ETB (Trace Buffer)
Component class is 0x9, CoreSight component
Type is 0x21, Trace Sink, Buffer
[L01] ROMTABLE[0xbc] = 0xfab20003
Component base address 0xcae20000
Peripheral ID 0x04005bbc07
Designer is 0x4bb, ARM Ltd.
Part is 0xc07, Cortex-A7 Debug (Debug Unit)
Component class is 0x9, CoreSight component
Type is 0x15, Debug Logic, Processor
[L01] ROMTABLE[0xc0] = 0xfab21002
Component not present
[L01] ROMTABLE[0xc4] = 0xfab24003
Component base address 0xcae24000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0xc8] = 0xfab28003
Component base address 0xcae28000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0xcc] = 0xfab2c003
Component base address 0xcae2c000
Peripheral ID 0x04000bb956
Designer is 0x4bb, ARM Ltd.
Part is 0x956, Unrecognized
Component class is 0x9, CoreSight component
Type is 0x13, Trace Source, Processor
[L01] ROMTABLE[0xd0] = 0xfab30003
Component base address 0xcae30000
Peripheral ID 0x04003bb907
Designer is 0x4bb, ARM Ltd.
Part is 0x907, CoreSight ETB (Trace Buffer)
Component class is 0x9, CoreSight component
Type is 0x21, Trace Sink, Buffer
[L01] ROMTABLE[0xd4] = 0xfd720003
Component base address 0xcda20000
Peripheral ID 0x04005bbc07
Designer is 0x4bb, ARM Ltd.
Part is 0xc07, Cortex-A7 Debug (Debug Unit)
Component class is 0x9, CoreSight component
Type is 0x15, Debug Logic, Processor
[L01] ROMTABLE[0xd8] = 0xfd721002
Component not present
[L01] ROMTABLE[0xdc] = 0xfd724003
Component base address 0xcda24000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0xe0] = 0xfd728003
Component base address 0xcda28000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0xe4] = 0xfd72c003
Component base address 0xcda2c000
Peripheral ID 0x04000bb956
Designer is 0x4bb, ARM Ltd.
Part is 0x956, Unrecognized
Component class is 0x9, CoreSight component
Type is 0x13, Trace Source, Processor
[L01] ROMTABLE[0xe8] = 0xfd730003
Component base address 0xcda30000
Peripheral ID 0x04003bb907
Designer is 0x4bb, ARM Ltd.
Part is 0x907, CoreSight ETB (Trace Buffer)
Component class is 0x9, CoreSight component
Type is 0x21, Trace Sink, Buffer
[L01] ROMTABLE[0xec] = 0xfe020003
Component base address 0xce320000
Peripheral ID 0x04005bbc07
Designer is 0x4bb, ARM Ltd.
Part is 0xc07, Cortex-A7 Debug (Debug Unit)
Component class is 0x9, CoreSight component
Type is 0x15, Debug Logic, Processor
[L01] ROMTABLE[0xf0] = 0xfe021002
Component not present
[L01] ROMTABLE[0xf4] = 0xfe024003
Component base address 0xce324000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0xf8] = 0xfe028003
Component base address 0xce328000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0xfc] = 0xfe02c003
Component base address 0xce32c000
Peripheral ID 0x04000bb956
Designer is 0x4bb, ARM Ltd.
Part is 0x956, Unrecognized
Component class is 0x9, CoreSight component
Type is 0x13, Trace Source, Processor
[L01] ROMTABLE[0x100] = 0xfe030003
Component base address 0xce330000
Peripheral ID 0x04003bb907
Designer is 0x4bb, ARM Ltd.
Part is 0x907, CoreSight ETB (Trace Buffer)
Component class is 0x9, CoreSight component
Type is 0x21, Trace Sink, Buffer
[L01] ROMTABLE[0x104] = 0x520003
Component base address 0xd0820000
Peripheral ID 0x04005bbc07
Designer is 0x4bb, ARM Ltd.
Part is 0xc07, Cortex-A7 Debug (Debug Unit)
Component class is 0x9, CoreSight component
Type is 0x15, Debug Logic, Processor
[L01] ROMTABLE[0x108] = 0x521002
Component not present
[L01] ROMTABLE[0x10c] = 0x524003
Component base address 0xd0824000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0x110] = 0x528003
Component base address 0xd0828000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0x114] = 0x52c003
Component base address 0xd082c000
Peripheral ID 0x04000bb956
Designer is 0x4bb, ARM Ltd.
Part is 0x956, Unrecognized
Component class is 0x9, CoreSight component
Type is 0x13, Trace Source, Processor
[L01] ROMTABLE[0x118] = 0x530003
Component base address 0xd0830000
Peripheral ID 0x04003bb907
Designer is 0x4bb, ARM Ltd.
Part is 0x907, CoreSight ETB (Trace Buffer)
Component class is 0x9, CoreSight component
Type is 0x21, Trace Sink, Buffer
[L01] ROMTABLE[0x11c] = 0xefef8003
Component base address 0xc01f8000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0x120] = 0xefefc003
Component base address 0xc01fc000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0x124] = 0xf0a11003
Component base address 0xc0d11000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0x128] = 0xf0a12003
Component base address 0xc0d12000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0x12c] = 0xf0c00003
Component base address 0xc0f00000
Peripheral ID 0x00003c80af
Designer is 0x0c8, Apple Computer
Part is 0xaf, Unrecognized
Component class is 0xf, PrimeCell or System component
[L01] ROMTABLE[0x130] = 0xf0c20003
Component base address 0xc0f20000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0x134] = 0xf5830003
Component base address 0xc5b30000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0x138] = 0xf5831003
Component base address 0xc5b31000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0x13c] = 0xf5e0c003
Component base address 0xc610c000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0x140] = 0xfcc00003
Component base address 0xccf00000
Peripheral ID 0x00000c87ad
Designer is 0x0c8, Apple Computer
Part is 0x7ad, Unrecognized
Component class is 0xf, PrimeCell or System component
[L01] ROMTABLE[0x144] = 0xfcc10003
Component base address 0xccf10000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0x148] = 0xfcc11003
Component base address 0xccf11000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0x14c] = 0xfcc20002
Component not present
[L01] ROMTABLE[0x150] = 0xfcc21003
Component base address 0xccf21000
Peripheral ID 0x00002c85ad
Designer is 0x0c8, Apple Computer
Part is 0x5ad, Unrecognized
Component class is 0xf, PrimeCell or System component
[L01] ROMTABLE[0x154] = 0xfdda4003
Component base address 0xce0a4000
Peripheral ID 0x00003c8088
Designer is 0x0c8, Apple Computer
Part is 0x88, Unrecognized
Component class is 0xf, PrimeCell or System component
[L01] ROMTABLE[0x158] = 0xfdda8003
Component base address 0xce0a8000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0x15c] = 0x10003
Component base address 0xd0310000
Peripheral ID 0x00006c8000
Designer is 0x0c8, Apple Computer
Part is 0x0, Unrecognized
Component class is 0xf, PrimeCell or System component
[L01] ROMTABLE[0x160] = 0x14003
Component base address 0xd0314000
Peripheral ID 0x00002c84ad
Designer is 0x0c8, Apple Computer
Part is 0x4ad, Unrecognized
Component class is 0xf, PrimeCell or System component
[L01] ROMTABLE[0x164] = 0x30003
Component base address 0xd0330000
Peripheral ID 0x04003bb906
Designer is 0x4bb, ARM Ltd.
Part is 0x906, CoreSight CTI (Cross Trigger)
Component class is 0x9, CoreSight component
Type is 0x14, Debug Control, Trigger Matrix
[L01] ROMTABLE[0x168] = 0x0
[L01] End of ROM table
ROMTABLE[0x8] = 0x0
End of ROM table
Debugging iPhone with GDB
$ aarch64-linux-gnu-gdb (gdb) target remote :3333 0x0000000100000508 in ?? () (gdb) x/i $pc => 0x100000508: ret (gdb) info registers x0 0x118e094 18407572 x1 0x180088310 6443008784 x2 0x1801b8d50 6444256592 x3 0x180083c78 6442990712 x4 0x180083940 6442989888 x5 0x4000 16384 x6 0x8 8 x7 0x199443e7e29a829f 1843172810719658655 x8 0x6 6 x9 0x1800883e0 6443008992 x10 0x1 1 x11 0xf 15 x12 0xe 14 x13 0x8 8 x14 0xffffffff 4294967295 x15 0x0 0 x16 0x0 0 x17 0x0 0 x18 0x0 0 x19 0x1800887a0 6443009952 x20 0x10000b0d0 4295012560 x21 0x118e094 18407572 x22 0x1800883a0 6443008928 x23 0x180088000 6443008000 x24 0x180080000 6442975232 x25 0x1800883c0 6443008960 x26 0x0 0 x27 0x0 0 x28 0x0 0 x29 0x180088380 6443008896 x30 0x10000a97c 4295010684 sp 0x180088340 0x180088340 pc 0x100000508 0x100000508 CPSR 0x800002c4 2147484356 ELR_EL1 0x1000004f4 0x1000004f4 ESR_EL1 0x0 0 SPSR_EL1 0x20000204 536871428 ELR_EL2 0x0 0x0 ESR_EL2 0x0 0 SPSR_EL2 0x0 0 ELR_EL3 0x0 0x0 ESR_EL3 0x0 0 SPSR_EL3 0x0 0 (gdb) stepi 0x000000010000a97c in ?? () (gdb) x/2i $pc => 0x10000a97c: add x25, x22, #0x20 0x10000a980: bl 0x10000a514
Full Demo: iPhone 7 debug with OpenOCD / GDB
products/bonobo/iphone_bootrom_debug.txt · Last modified: 2019/07/03 16:49 by po
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
