products:bonobo:iphone_bootrom_debug

Differences

This shows you the differences between two versions of the page.

products:bonobo:iphone_bootrom_debug [2019/06/12 17:38] po
products:bonobo:iphone_bootrom_debug [2019/09/06 13:01] (current) po [OpenOCD build instructions]

Line 5:
 Following up on the [[https://motherboard.vice.com/en_us/article/gyakgw/the-prototype-dev-fused-iphones-that-hackers-use-to-research-apple-zero-days|Vice Motherboard article]] about purchasing stolen development iPhones for vulnerability research and exploits, we decided to create a debug cable for the iPhone.
 
-Standard iPhones legitimately bought from a local shop are fused and debug features are disabled.
+Standard iPhones bought from a local shop are fused and debug features are disabled.
 However, it is possible to replace the fused CPU with a new, never-used one.
 
Line 115:
 {{:products:bonobo:bonobo_cable_01.jpg?400|}}
 
-We even made a custom case for it using a 3D printer:
+We made a custom case for it using a 3D printer. Box size: 5cm x 2.8cm x 1cm.
 
 {{:products:bonobo:blender_bonobo.png?400|}}
Line 123:
 ===== OpenOCD driver =====
 
-We wrote a custom OpenOCD driver for our Bonobo cable using the following interface:
-
-Read & Write reg commands are accumulated into a queue and run in one shot.
+We wrote a custom OpenOCD driver for our Bonobo cable using the following JTAG/SWD interface:
 
 <code c>
 static const struct swd_driver bonobo_swd = {
   .init = bonobo_swd_init,
-  .frequency = bonobo_swd_frequency,
   .switch_seq = bonobo_swd_switch_seq,
   .read_reg = bonobo_swd_read_reg,
Line 154 (now Line 151):
 };
 </code>
+
+Read and write register commands are accumulated into a queue and run in one shot for better performance.
+
+==== OpenOCD build instructions ====
+
+Get OpenOCD:
+
+<code bash>
+git clone https://github.com/ntfreak/openocd.git
+cd openocd
+</code>
+
+Get the Bonobo driver patch: {{ :products:bonobo:openocd-bonobo.patch |}}
+<code bash>
+git apply openocd-bonobo.patch
+</code>
+
+Configure and build:
+<code bash>
+./bootstrap
+./configure --enable-bonobo
+make -j
+</code>
+
+Optionally, install it:
+<code bash>
+sudo make install
+</code>
+
+==== iPhone configuration files ====
+
+Get the configuration file for your iPhone, depending on the target:
+
+  * iPhone 7: {{ :products:bonobo:openocd-iphone-7.cfg |}}
+  * iPhone 8: available soon.
+  * iPhone X: {{ :products:bonobo:openocd-iphone-x.cfg |}}
 
 ====== Example use cases ======
 
-===== Dumping iPhone ROM Table =====
+
+===== Running OpenOCD =====
 
 <code>
-./src/openocd -f iphone.cfg -d3
+$ openocd -f openocd-iphone-7.cfg -d3
 </code>
+
+Or, without make install:
+<code>
+$ ./src/openocd -f openocd-iphone-7.cfg -d3 -s tcl/
+</code>
+
+<code>
+Debug: 477 81 gdb_server.c:3386 gdb_target_start(): starting gdb server for iphone.cpu0 on 3333
+Info : 478 81 server.c:311 add_service(): Listening on port 3333 for gdb connections
+Debug: 479 81 gdb_server.c:3386 gdb_target_start(): starting gdb server for iphone.cpu1 on 3334
+Info : 480 81 server.c:311 add_service(): Listening on port 3334 for gdb connections
+Debug: 481 81 gdb_server.c:3386 gdb_target_start(): starting gdb server for iphone.sep on 3335
+Info : 482 81 server.c:311 add_service(): Listening on port 3335 for gdb connections
+Info : 483 81 server.c:311 add_service(): Listening on port 6666 for tcl connections
+Info : 484 81 server.c:311 add_service(): Listening on port 4444 for telnet connections
+</code>
+
+===== Listing targets =====
+
+<code>
+$ telnet 127.0.0.1 4444
+
+Open On-Chip Debugger
+> targets
+    TargetName         Type       Endian TapName            State
+--  ------------------ ---------- ------ ------------------ ------------
+ 0  iphone.mem         mem_ap     little iphone.cpu         running
+ 1  iphone.cpu0        aarch64    little iphone.cpu         running
+ 2  iphone.cpu1        aarch64    little iphone.cpu         running
+ 3* iphone.sep         cortex_a   little iphone.cpu         running
+
+> targets iphone.cpu0
+
+> halt
+iphone.cpu0 cluster 0 core 0 multi core
+target halted in AArch64 state due to debug-request, current mode: EL1T
+cpsr: 0x800002c4 pc: 0x100000508
+MMU: enabled, D-Cache: enabled, I-Cache: enabled
+
+> targets
+    TargetName         Type       Endian TapName            State
+--  ------------------ ---------- ------ ------------------ ------------
+ 0  iphone.mem         mem_ap     little iphone.cpu         running
+ 1* iphone.cpu0        aarch64    little iphone.cpu         halted
+ 2  iphone.cpu1        aarch64    little iphone.cpu         running
+ 3  iphone.sep         cortex_a   little iphone.cpu         running
+
+</code>
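Added example, not part of the wiki page or the Bonobo project: a small parser for the `targets` table and the `halt` reply shown above, so a script driving OpenOCD's telnet port can confirm that the core it selected really went from running to halted (and is the current target) before it trusts any register or memory read. The sample transcripts are constructed from the listing above; the column layout is OpenOCD's own.

```python
import re
from collections import namedtuple

# Constructed samples shaped like this page's 'targets' and 'halt' output; AFTER has cpu0 selected and halted.
TARGETS_BEFORE = """\
    TargetName         Type       Endian TapName            State
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.mem         mem_ap     little iphone.cpu         running
 1  iphone.cpu0        aarch64    little iphone.cpu         running
 2  iphone.cpu1        aarch64    little iphone.cpu         running
 3* iphone.sep         cortex_a   little iphone.cpu         running
"""
TARGETS_AFTER = "\n".join(
    l.replace("1  ", "1* ").replace("running", "halted") if "iphone.cpu0" in l else l.replace("3* ", "3  ")
    for l in TARGETS_BEFORE.splitlines())
HALT_MSG = """\
iphone.cpu0 cluster 0 core 0 multi core
target halted in AArch64 state due to debug-request, current mode: EL1T
cpsr: 0x800002c4 pc: 0x100000508
MMU: enabled, D-Cache: enabled, I-Cache: enabled
"""

Target = namedtuple("Target", "index selected name type endian tap state")
# One table row: index, optional '*' marking the current target, then five whitespace-separated columns.
ROW_RE = re.compile(r"^\s*(\d+)(\*?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_targets(text):
    """Parse the 'targets' table; the header and separator lines do not match ROW_RE and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            idx, star, name, typ, endian, tap, state = m.groups()
            rows.append(Target(int(idx), star == "*", name, typ, endian, tap, state))
    return rows

def parse_halt(text):
    """Extract state, halt reason, exception level and the cpsr/pc values from the 'halt' reply."""
    m = re.search(r"target halted in (\S+) state due to ([\w-]+), current mode: (\S+)", text)
    if not m:
        return None
    regs = {k: int(v, 16) for k, v in re.findall(r"\b(cpsr|pc): (0x[0-9a-fA-F]+)", text)}
    return {"state": m.group(1), "reason": m.group(2), "mode": m.group(3), **regs}

def core_halted(before, after, name):
    """True only if `name` was running before and is now both the selected target and halted."""
    p = next((t for t in before if t.name == name), None)
    c = next((t for t in after if t.name == name), None)
    return bool(p and c and p.state == "running" and c.selected and c.state == "halted")
```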
+
+===== Dumping iPhone ROM Table =====
 
 <html>
 <pre class="code" style="height:400px">
 $ telnet 127.0.0.1 4444
-Trying 127.0.0.1...
-Connected to 127.0.0.1.
-Escape character is '^]'.
 Open On-Chip Debugger
 > dap info 1
products/bonobo/iphone_bootrom_debug.1560353917.txt.gz · Last modified: 2019/06/12 17:38 by po