Differences

This shows you the differences between two versions of the page.

products:bonobo:iphone_bootrom_debug [2019/04/29 14:35]
ramtin [Debugging an iPhone using our Bonobo cable with OpenOCD]
products:bonobo:iphone_bootrom_debug [2019/07/03 16:49] (current)
po [Debugging an iPhone using our Bonobo cable with OpenOCD]
Line 1: Line 1:
 ====== Debugging an iPhone using our Bonobo cable with OpenOCD ====== ====== Debugging an iPhone using our Bonobo cable with OpenOCD ======
 +
 +{{:​products:​bonobo:​signal-2019-06-12-171315.jpeg?​680|}}
  
 Following up with [[https://​motherboard.vice.com/​en_us/​article/​gyakgw/​the-prototype-dev-fused-iphones-that-hackers-use-to-research-apple-zero-days|Vice Motherboard article]] talking about purchasing stolen development iPhones for vulnerability research and exploits, we decided to create a debug cable for iPhone. Following up with [[https://​motherboard.vice.com/​en_us/​article/​gyakgw/​the-prototype-dev-fused-iphones-that-hackers-use-to-research-apple-zero-days|Vice Motherboard article]] talking about purchasing stolen development iPhones for vulnerability research and exploits, we decided to create a debug cable for iPhone.
  
-Standard iPhones ​legitimately ​bought from a local shop are fused and debug features are disabled. ​+Standard iPhones bought from a local shop are fused and debug features are disabled. ​
 However, it is possible to replace its fused CPU with a new and never used one. However, it is possible to replace its fused CPU with a new and never used one.
  
-===== Replacingthe  ​iPhone A10 CPU with a new unfused one =====+===== Replacing the iPhone A10 CPU with a new unfused one =====
  
 This video shows such replacement process, replacing A10 CPU on a iPhone7: This video shows such replacement process, replacing A10 CPU on a iPhone7:
Line 12: Line 14:
 <​html><​iframe width="​560"​ height="​315"​ src="​https://​www.youtube.com/​embed/​U7F_vwhQvHI"​ frameborder="​0"​ allow="​accelerometer;​ autoplay; encrypted-media;​ gyroscope; picture-in-picture"​ allowfullscreen></​iframe></​html>​ <​html><​iframe width="​560"​ height="​315"​ src="​https://​www.youtube.com/​embed/​U7F_vwhQvHI"​ frameborder="​0"​ allow="​accelerometer;​ autoplay; encrypted-media;​ gyroscope; picture-in-picture"​ allowfullscreen></​iframe></​html>​
  
-Unfused ​A10 CPU can be bought from aliexpress:+A10 CPU can be bought from aliexpress:
  
 {{:​products:​bonobo:​iphone_a10_cpu.png?​600|}} {{:​products:​bonobo:​iphone_a10_cpu.png?​600|}}
  
-After CPU replacementthe phone is ready for debug ! Let's create a SWD debug cable.+After some modification on the CPU, it loses its security domain and is ready for debug !
  
-===== Bonobo Hardware design =====+We can put the board back into its case: 
 + 
 +{{:​products:​bonobo:​signal-2019-06-10-194730_cut.jpeg?​300|}} 
 +{{:​products:​bonobo:​signal-2019-06-12-153519_cut.jpeg?​300|}} 
 + 
 +Now let's create a SWD (Serial Wire Debug) cable. 
 + 
 +====== Bonobo Hardware design ​======
  
 Our development setup: Our development setup:
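Review bot: the new wording "After some modification on the CPU, it loses its security domain and is ready for debug !" is vaguer than the line it replaced and is now the only place the page says what makes the replacement part debuggable, while the heading above still reads "new unfused one" and the AliExpress line dropped "Unfused". Either keep "unfused" in both places or state plainly which property of the part the debug features depend on, so readers understand that a fused production CPU will not behave the same way. Also "a iPhone7" should be "an iPhone 7".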
Line 24: Line 33:
   * STM32 Nucleo dev board   * STM32 Nucleo dev board
   * Logic analyzer   * Logic analyzer
-  * Custom ​lightning ​breakout board+  * Custom ​Lightning ​breakout board + Lightning tip
   * iPhone board with new A10   * iPhone board with new A10
   * JTAG+Serial programming cable   * JTAG+Serial programming cable
 {{ :​products:​bonobo:​img_6659_crop.jpg?​800 |}} {{ :​products:​bonobo:​img_6659_crop.jpg?​800 |}}
  
-==== Step 1: Writing SDQ core ====+===== Step 1: Writing SDQ core =====
  
-FPGA development ​is done using Migen. This is our python testbench for SDQ core development:​+SDQ (or Apple ID Bus) is the protocol used on the Lightning ACC lines to identify the accessory type and Lightning connector orientation. 
 + 
 +See [[http://​ramtin-amin.fr/#​tristar]] for details on SDQ. 
 + 
 +We want to be able to play different SDQ sequences, most notably the debug cable sequence (0x75 0xa0...), as well as reset the SDQ line. The core is controllable by CSRs mapped on the Wishbone bus. The architecture will be as follows: 
 + 
 +{{ :​products:​bonobo:​bonobo_sdq.png?​600 |}} 
 + 
 +We reimplement this protocol in FPGA using Migen. This is our python testbench for SDQ core development:​
  
 {{ :​products:​bonobo:​vim_sdq_core.png?​800 |}} {{ :​products:​bonobo:​vim_sdq_core.png?​800 |}}
 +
 +Testbench results in GTKWave:
 +
 {{ :​products:​bonobo:​gtkwave_sdq_core.png?​800 |}} {{ :​products:​bonobo:​gtkwave_sdq_core.png?​800 |}}
  
-==== Step 2: Writing SWD core ====+Now that we have SDQ working, we can switch the phone into debug mode. 
 +===== Step 2: Writing SWD core =====
  
-Same for Migen based SWD core, and sniffing ​SWD with Logic analyzer:+We also need to implement a core for SWD (Serial Wire Debug) protocol. Once correctly switchedLightning ACC_ID/​ACC_PWR lines become SWDIO/SWCLK respectively. 
 + 
 +{{ :​products:​bonobo:​swd.png |}} 
 + 
 +For improved performance,​ we queue multiple commands into an SRAM area and run them in one batch. These commands are streamed to the SWD Core and results are placed into another SRAM area. The architecture will be as follows: 
 + 
 +{{ :​products:​bonobo:​bonobo_swd.png?​600 |}} 
 + 
 +The SWD core automatically detects and clears overrun errors. 
 + 
 +Migen based SWD core:
  
 {{ :​products:​bonobo:​vim_swd_core.png?​800 |}} {{ :​products:​bonobo:​vim_swd_core.png?​800 |}}
 +
 +Sniffing SWD with Logic analyzer:
 +
 {{ :​products:​bonobo:​dsview_swd.png?​800 |}} {{ :​products:​bonobo:​dsview_swd.png?​800 |}}
  
-===== Bonobo Cable Architecture =====+====== Bonobo Cable Architecture ​======
  
 We are ready to move to a dedicated hardware. We need: We are ready to move to a dedicated hardware. We need:
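Review bot: "The SWD core automatically detects and clears overrun errors." leaves unstated how an overrun is reported back to the host; since commands are batched through one SRAM area and results land in another, a silently cleared overrun would let the OpenOCD driver consume result entries for transactions that never completed. Say whether the affected entries are flagged or the batch is aborted so the driver can retry instead of trusting the data. Smaller point: a blank line is missing between "Now that we have SDQ working, we can switch the phone into debug mode." and the "Step 2" heading.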
Line 54: Line 88:
  
 {{ :​products:​bonobo:​bonobo_cable.png?​400 |}} {{ :​products:​bonobo:​bonobo_cable.png?​400 |}}
 +
 +FPGA SoC is based on a wishbone bus, where SDQ and SWD cores are mapped via CSR (Control/​Status Register). The STM32 is bridged on this bus as master via a Quad SPI interface, and thus performs R/W access on FPGA registers in order to control it.
 +
 +Nuttx RTOS (running on the STM32) runs a HighSpeed USB device driver, with 2 bulk endpoints (1 IN & 1 OUT) for interconnection to the controller PC (USB Host) via the on-board USB hub.
 +
 +The USB hub also provides access to the FT4232H for FPGA/STM32 Flash programming (through JTAG), Nuttx Shell 
 + and iPhone debug console (UART), as well as to the iPhone USB pair (Lightning DP/DM) for DFU.
 +
  
 ===== Bonobo Gateware Architecture ===== ===== Bonobo Gateware Architecture =====
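Review bot: the sentence "... Nuttx Shell / and iPhone debug console (UART) ..." is broken across two lines mid-sentence and should be joined. It is also worth stating explicitly that the FT4232H JTAG port reachable through the on-board hub is what reprograms the cable's own FPGA and STM32 flash, so any host the cable is plugged into can replace its gateware and firmware; readers sharing the cable in a lab should know that. The project spells its RTOS "NuttX".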
Line 61: Line 103:
 {{ :​products:​bonobo:​bonobo_gateware.png?​400 |}} {{ :​products:​bonobo:​bonobo_gateware.png?​400 |}}
  
 +The Lightning Multiplexer first connects the SDQ core to the Lightning connector wires (ACC_ID/​ACC_PWR). Once the SDQ debug sequence has been played appropriately,​ the multiplexer connects the SWD core.
 +
 +Nuttx applications control the FPGA SoC through the master QuadSPI/​Wishbone bridge.
 ===== Bonobo Cable Pictures ===== ===== Bonobo Cable Pictures =====
  
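Review bot: "Nuttx applications control the FPGA SoC through the master QuadSPI/Wishbone bridge." repeats what the Cable Architecture section already says about the STM32 being bridged as Wishbone master over Quad SPI; either drop it here or make this the one place that explains the bridge. A blank line is also missing before the "Bonobo Cable Pictures" heading.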
Line 70: Line 115:
 {{:​products:​bonobo:​bonobo_cable_01.jpg?​400|}} {{:​products:​bonobo:​bonobo_cable_01.jpg?​400|}}
  
-We even made a custom case for it using a 3D printer:+We made a custom case for it using a 3D printer. Box size5cm x 2.8cm x 1cm.
  
 {{:​products:​bonobo:​blender_bonobo.png?​400|}} {{:​products:​bonobo:​blender_bonobo.png?​400|}}
Line 78: Line 123:
 ===== OpenOCD driver ===== ===== OpenOCD driver =====
  
-We wrote a custom OpenOCD driver for our Bonobo cable using the following interface:+We wrote a custom OpenOCD driver for our Bonobo cable using the following ​JTAG/​SWD ​interface:
  
 <code c> <code c>
 static const struct swd_driver bonobo_swd = { static const struct swd_driver bonobo_swd = {
   .init = bonobo_swd_init,​   .init = bonobo_swd_init,​
-  .frequency = bonobo_swd_frequency,​ 
   .switch_seq = bonobo_swd_switch_seq,​   .switch_seq = bonobo_swd_switch_seq,​
   .read_reg = bonobo_swd_read_reg,​   .read_reg = bonobo_swd_read_reg,​
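Review bot: dropping `.frequency = bonobo_swd_frequency,` from `bonobo_swd` removes the only hook OpenOCD has to set the SWD clock for this adapter, so an `adapter_khz` / `adapter speed` line in the config can no longer take effect; state in the text what fixed clock the cable runs at, or keep the callback and have it report the rate actually applied.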
Line 108: Line 152:
 </​code>​ </​code>​
  
-===== Example use cases =====+Read & Write registers commands are accumulated into a queue and run in one shot for improved performance. 
 +==== OpenOCD build instructions ​====
  
-==== Dumping iPhone ROM Table ====+Get OpenOCD: 
 + 
 +<code bash> 
 +git clone https://​github.com/​ntfreak/​openocd.git 
 +cd openocd 
 +</​code>​ 
 + 
 +Get the Bonobo driver patch: {{ :​products:​bonobo:​openocd-bonobo.patch |}} 
 +<code bash> 
 +git apply openocd-bonobo.patch 
 +</​code>​ 
 + 
 +Configure and build: 
 +<code bash> 
 +./​bootstrap 
 +./configure --enable-bonobo 
 +make -j 
 +</​code>​ 
 + 
 +Optional, install: 
 +<code bash> 
 +sudo make install 
 +</​code>​ 
 +====== ​Example use cases ====== 
 + 
 +===== Running OpenOCD ===== 
 + 
 +Get the configuration file for iphone: {{ :​products:​bonobo:​openocd-iphone.cfg |}}
  
 <​code>​ <​code>​
-./src/openocd -f iphone.cfg -d3+$ openocd -f openocd-iphone.cfg -d3
 </​code>​ </​code>​
 +
 +Or without make install:
 +<​code>​
 +$ ./​src/​openocd -f openocd-iphone.cfg -d3 -s tcl/
 +</​code>​
 +
 +<​code>​
 +Debug: 477 81 gdb_server.c:​3386 gdb_target_start():​ starting gdb server for iphone.cpu0 on 3333
 +Info : 478 81 server.c:​311 add_service():​ Listening on port 3333 for gdb connections
 +Debug: 479 81 gdb_server.c:​3386 gdb_target_start():​ starting gdb server for iphone.cpu1 on 3334
 +Info : 480 81 server.c:​311 add_service():​ Listening on port 3334 for gdb connections
 +Debug: 481 81 gdb_server.c:​3386 gdb_target_start():​ starting gdb server for iphone.sep on 3335
 +Info : 482 81 server.c:​311 add_service():​ Listening on port 3335 for gdb connections
 +Info : 483 81 server.c:​311 add_service():​ Listening on port 6666 for tcl connections
 +Info : 484 81 server.c:​311 add_service():​ Listening on port 4444 for telnet connections
 +</​code>​
 +
 +===== Listing targets =====
 +
 +<​code>​
 +$ telnet 127.0.0.1 4444
 +
 +Open On-Chip Debugger
 +> targets
 +    TargetName ​        ​Type ​      ​Endian TapName ​           State       
 +--  ------------------ ---------- ------ ------------------ ------------
 + ​0 ​ iphone.mem ​        ​mem_ap ​    ​little iphone.cpu ​        ​running
 + ​1 ​ iphone.cpu0 ​       aarch64 ​   little iphone.cpu ​        ​running
 + ​2 ​ iphone.cpu1 ​       aarch64 ​   little iphone.cpu ​        ​running
 + 3* iphone.sep ​        ​cortex_a ​  ​little iphone.cpu ​        ​running
 +
 +> targets iphone.cpu0
 +
 +> halt
 +iphone.cpu0 cluster 0 core 0 multi core
 +target halted in AArch64 state due to debug-request,​ current mode: EL1T
 +cpsr: 0x800002c4 pc: 0x100000508
 +MMU: enabled, D-Cache: enabled, I-Cache: enabled
 +
 +> targets
 +    TargetName ​        ​Type ​      ​Endian TapName ​           State       
 +--  ------------------ ---------- ------ ------------------ ------------
 + ​0 ​ iphone.mem ​        ​mem_ap ​    ​little iphone.cpu ​        ​running
 + 1* iphone.cpu0 ​       aarch64 ​   little iphone.cpu ​        ​halted
 + ​2 ​ iphone.cpu1 ​       aarch64 ​   little iphone.cpu ​        ​running
 + ​3 ​ iphone.sep ​        ​cortex_a ​  ​little iphone.cpu ​        ​running
 +
 +</​code>​
 +
 +===== Dumping iPhone ROM Table =====
  
 <​html>​ <​html>​
 <pre class="​code"​ style="​height:​400px">​ <pre class="​code"​ style="​height:​400px">​
 $ telnet 127.0.0.1 4444 $ telnet 127.0.0.1 4444
-Trying 127.0.0.1... +
-Connected to 127.0.0.1. +
-Escape character is '​^]'​.+
 Open On-Chip Debugger Open On-Chip Debugger
 > dap info 1 > dap info 1
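Review bot: the build steps clone upstream master and then `git apply openocd-bonobo.patch` without pinning a commit, so the patch will stop applying as upstream moves; record the commit the patch was generated against (a `git checkout <commit>` step, with the real id, before applying) and note that `make -j` with no job count starts unbounded parallel jobs. Separately, the startup log shows gdb (3333-3335), tcl (6666) and telnet (4444) services listening; none of them authenticate, so openocd-iphone.cfg should set `bindto 127.0.0.1` (or the text should say that loopback is the default in the OpenOCD version used) before anyone runs this on a shared network.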
Line 905: Line 1025:
 </​html>​ </​html>​
  
-==== Debugging iPhone with GDB ====+===== Debugging iPhone with GDB =====
  
 <​code>​ <​code>​
Line 971: Line 1091:
 ====== Full Demo: iPhone 7 debug with OpenOCD / GDB ====== ====== Full Demo: iPhone 7 debug with OpenOCD / GDB ======
  
-<​html><​script id="​asciicast-0tm3X4kMzIUKREBXbfqEBSMjB" src="​https://​asciinema.org/​a/​0tm3X4kMzIUKREBXbfqEBSMjB.js" async></​script></​html>​+<​html><​iframe width="​560"​ height="​315"​ src="​https://​www.youtube.com/​embed/​wpQNxKMn2tw"​ frameborder="​0"​ allow="​accelerometer;​ autoplay; encrypted-media;​ gyroscope; picture-in-picture"​ allowfullscreen></​iframe></​html>​ 
 + 
 +<​html><​script id="​asciicast-18hEcGg5Q9x181eQtXrS0PrEi" src="​https://​asciinema.org/​a/​18hEcGg5Q9x181eQtXrS0PrEi.js" async></​script></​html>​
products/bonobo/iphone_bootrom_debug.1556541358.txt.gz · Last modified: 2019/04/29 14:35 by ramtin