Debugging an iPhone using our Bonobo cable with OpenOCD
Demote the phone
Following the public release of the checkm8 bootrom exploit by @axi0mX, which makes it possible to demote iOS devices, we decided to release our JTAG/SWD debug cable for iPhone.
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). https://t.co/dQJtXb78sG
— axi0mX (@axi0mX) September 27, 2019
Demoting means that JTAG/SWD debug can be enabled on production (fused) devices. You still need a dedicated hardware cable and matching software to actually use JTAG; Bonobo is such a cable.
Bonobo Hardware design
Our development setup:
- FPGA Spartan6 dev board
- STM32 Nucleo dev board
- Logic analyzer
- Custom Lightning breakout board + Lightning tip
- iPhone board with new A10
- JTAG+Serial programming cable
Step 1: Writing the SDQ core
SDQ (or Apple ID Bus) is the protocol used on the Lightning ACC lines to identify the accessory type and Lightning connector orientation.
See http://ramtin-amin.fr/#tristar for details on SDQ.
We want to be able to play different SDQ sequences, most notably the debug cable sequence (0x75 0xa0...), and to reset the SDQ line. The core is controlled through CSRs mapped on the Wishbone bus. The architecture is as follows:
We reimplement this protocol in the FPGA using Migen. This is our Python testbench for SDQ core development:
Testbench results in GTKWave:
Now that we have SDQ working, we can switch the phone into debug mode.
Step 2: Writing the SWD core
We also need a core for the SWD (Serial Wire Debug) protocol. Once the phone has been switched to debug mode, the Lightning ACC_ID/ACC_PWR lines become SWDIO/SWCLK respectively.
For better performance, multiple commands are queued in an SRAM area and run in one batch: the commands are streamed to the SWD core and the results are written to another SRAM area. The architecture is as follows:
The SWD core automatically detects and clears overrun errors.
Migen based SWD core:
Sniffing SWD with Logic analyzer:
Bonobo Cable Architecture
We are ready to move to dedicated hardware. We need:
- FPGA (Spartan6 XC6SLX16) with custom cores for Lightning operation: SDQ, SWD.
- Microcontroller (STM32F723 with integrated HighSpeed USB PHY) running Nuttx RTOS.
- FT4232H Quad USB UART (2 JTAG + 2 UART).
- USB HighSpeed Hub (3 downstream ports).
- Lightning tip connector.
The FPGA SoC is built around a Wishbone bus, on which the SDQ and SWD cores are mapped through CSRs (Control/Status Registers). The STM32 is bridged onto this bus as a master through a Quad SPI interface, and controls the FPGA by reading and writing its registers.
Nuttx RTOS, running on the STM32, provides a HighSpeed USB device driver with 2 bulk endpoints (1 IN and 1 OUT) that connect to the controlling PC (USB host) through the on-board USB hub.
The USB hub also exposes the FT4232H, used for FPGA/STM32 flash programming (over JTAG), for the Nuttx shell and for the iPhone debug console (UART), as well as the iPhone USB pair (Lightning DP/DM) for DFU.
Bonobo Gateware Architecture
Details of the SoC architecture implemented in the FPGA:
The Lightning Multiplexer first connects the SDQ core to the Lightning connector wires (ACC_ID/ACC_PWR). Once the SDQ debug sequence has been played appropriately, the multiplexer connects the SWD core.
Nuttx applications control the FPGA SoC through the master QuadSPI/Wishbone bridge.
Bonobo Cable Pictures
After PCB design and SMT, this is our cable:
We made a custom case for it using a 3D printer. Box size: 5cm x 2.8cm x 1cm.
OpenOCD driver
We wrote a custom OpenOCD driver for our Bonobo cable, exposing the following JTAG/SWD interface:
```c
/* SWD transport: register accesses are queued by read_reg/write_reg
 * and flushed to the cable by run (see below). */
static const struct swd_driver bonobo_swd = {
	.init = bonobo_swd_init,
	.switch_seq = bonobo_swd_switch_seq,
	.read_reg = bonobo_swd_read_reg,
	.write_reg = bonobo_swd_write_reg,
	.run = bonobo_swd_run,
};

static const char * const bonobo_transports[] = { "jtag", "swd", NULL };

/* Adapter registration: JTAG is handled through execute_queue,
 * SWD through the swd_driver above. */
struct jtag_interface bonobo_interface = {
	.name = "bonobo",
	.supported = DEBUG_CAP_TMS_SEQ,
	.commands = NULL,
	.transports = bonobo_transports,
	.swd = &bonobo_swd,

	.init = bonobo_initialize,
	.quit = bonobo_quit,
	.speed = bonobo_speed,
	.speed_div = bonobo_speed_div,
	.khz = bonobo_khz,
	.execute_queue = bonobo_execute_queue,
};
```
Register read and write commands are accumulated in a queue and run in one shot for improved performance.
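To make the command batching (step 2 above and the OpenOCD driver queue just described) and the overrun recovery concrete, here is an added Python model of the host side of SWD. It is not the Bonobo gateware or the OpenOCD driver: it builds the 8-bit request header and data parity bit, and runs a queue of transfers in one pass, reacting to a FAULT ack by reading CTRL/STAT, clearing the sticky flags through the DP ABORT register and replaying the failed transfer, which is the recovery that the SWD core performs in hardware. SimTarget is a constructed stand-in for the phone's SW-DP with an overrun injected on a chosen AP access; the register offsets and bit names (STICKYORUN, ORUNERRCLR, ...) are those of ARM ADIv5.

```python
from dataclasses import dataclass

DP, AP = 0, 1                                        # APnDP bit of the request
ACK_OK, ACK_WAIT, ACK_FAULT = 0b001, 0b010, 0b100    # 3-bit ACK as read LSB first
DP_ABORT, DP_CTRLSTAT = 0x0, 0x4                     # DP register addresses
STICKYORUN = 1 << 1                                  # CTRL/STAT: overrun seen
STKCMPCLR, STKERRCLR, WDERRCLR, ORUNERRCLR = 1 << 1, 1 << 2, 1 << 3, 1 << 4
ABORT_CLEAR_ALL = STKCMPCLR | STKERRCLR | WDERRCLR | ORUNERRCLR   # 0x1e


def swd_request(apndp, rnw, addr):
    """8-bit SWD request header, packed in the order it is shifted out
    (LSB first): start, APnDP, RnW, A[2], A[3], parity, stop, park."""
    a2, a3 = (addr >> 2) & 1, (addr >> 3) & 1
    parity = apndp ^ rnw ^ a2 ^ a3
    bits = [1, apndp, rnw, a2, a3, parity, 0, 1]
    return sum(b << i for i, b in enumerate(bits))


def data_parity(word):
    """Even parity bit that follows the 32 data bits of a transfer."""
    return bin(word & 0xFFFFFFFF).count("1") & 1


@dataclass
class Cmd:
    apndp: int
    rnw: int
    addr: int
    data: int = 0


class SimTarget:
    """Constructed stand-in for the SW-DP (hypothetical, not the iPhone):
    DP accesses are always served, AP accesses answer FAULT while
    STICKYORUN is set, and the overrun is injected on the Nth AP access."""

    def __init__(self, overrun_on_ap_access=None):
        self.regs = {}                 # (apndp, addr) -> value
        self.ctrlstat = 0
        self.ap_accesses = 0
        self.overrun_on_ap_access = overrun_on_ap_access

    def transfer(self, cmd):
        if cmd.apndp == DP:
            if cmd.rnw and cmd.addr == DP_CTRLSTAT:
                return ACK_OK, self.ctrlstat
            if not cmd.rnw and cmd.addr == DP_ABORT:
                if cmd.data & ORUNERRCLR:
                    self.ctrlstat &= ~STICKYORUN
                return ACK_OK, 0
        else:
            self.ap_accesses += 1
            if self.ap_accesses == self.overrun_on_ap_access:
                self.ctrlstat |= STICKYORUN      # sticky: persists until cleared
            if self.ctrlstat & STICKYORUN:
                return ACK_FAULT, 0
        key = (cmd.apndp, cmd.addr)
        if cmd.rnw:
            return ACK_OK, self.regs.get(key, 0)
        self.regs[key] = cmd.data
        return ACK_OK, 0


def run_queue(target, queue, max_attempts=4):
    """Run a batch of queued transfers in order. On FAULT: read CTRL/STAT,
    clear the sticky flags through ABORT, then replay the failed transfer.
    Returns the read results (None for writes) and the recovery count."""
    results, recoveries = [], 0
    for cmd in queue:
        for _ in range(max_attempts):
            ack, data = target.transfer(cmd)
            if ack == ACK_OK:
                results.append(data if cmd.rnw else None)
                break
            if ack == ACK_WAIT:
                continue                         # target busy, retry as is
            _, cs = target.transfer(Cmd(DP, 1, DP_CTRLSTAT))
            if not (cs & STICKYORUN):
                raise RuntimeError(f"FAULT without overrun, CTRL/STAT={cs:#x}")
            target.transfer(Cmd(DP, 0, DP_ABORT, ABORT_CLEAR_ALL))
            recoveries += 1
        else:
            raise RuntimeError(f"{cmd} still failing after {max_attempts} attempts")
    return results, recoveries


if __name__ == "__main__":
    # Constructed batch: set TAR, read it back, write DRW, read it back,
    # with an overrun injected on the second AP access.
    target = SimTarget(overrun_on_ap_access=2)
    batch = [Cmd(AP, 0, 0x4, 0x1000), Cmd(AP, 1, 0x4),
             Cmd(AP, 0, 0xC, 0xDEADBEEF), Cmd(AP, 1, 0xC)]
    print(run_queue(target, batch))
    print(hex(swd_request(DP, 1, 0x0)))          # IDCODE read header
```

The header values are easy to cross-check against a logic analyzer capture like the one above: a DP IDCODE read is 0xA5 on the wire, an ABORT write 0x81. The replay-after-ABORT loop is what lets a whole batch complete without the host having to re-queue it.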
OpenOCD build instructions
Refer to: http://docs.bonoboswd.com/getting_started.html
iPhone configuration files
Refer to: http://docs.bonoboswd.com/getting_started.html
Example use cases
Running OpenOCD
```
$ openocd -f openocd-iphone-7.cfg -d3
```
Or, without make install:
```
$ ./src/openocd -f openocd-iphone-7.cfg -d3 -s tcl/

Debug: 477 81 gdb_server.c:3386 gdb_target_start(): starting gdb server for iphone.cpu0 on 3333
Info : 478 81 server.c:311 add_service(): Listening on port 3333 for gdb connections
Debug: 479 81 gdb_server.c:3386 gdb_target_start(): starting gdb server for iphone.cpu1 on 3334
Info : 480 81 server.c:311 add_service(): Listening on port 3334 for gdb connections
Debug: 481 81 gdb_server.c:3386 gdb_target_start(): starting gdb server for iphone.sep on 3335
Info : 482 81 server.c:311 add_service(): Listening on port 3335 for gdb connections
Info : 483 81 server.c:311 add_service(): Listening on port 6666 for tcl connections
Info : 484 81 server.c:311 add_service(): Listening on port 4444 for telnet connections
```
Listing targets
```
$ telnet 127.0.0.1 4444

Open On-Chip Debugger
> targets
    TargetName         Type       Endian TapName            State
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.mem         mem_ap     little iphone.cpu         running
 1  iphone.cpu0        aarch64    little iphone.cpu         running
 2  iphone.cpu1        aarch64    little iphone.cpu         running
 3* iphone.sep         cortex_a   little iphone.cpu         running

> targets iphone.cpu0

> halt
iphone.cpu0 cluster 0 core 0 multi core
target halted in AArch64 state due to debug-request, current mode: EL1T
cpsr: 0x800002c4 pc: 0x100000508
MMU: enabled, D-Cache: enabled, I-Cache: enabled

> targets
    TargetName         Type       Endian TapName            State
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.mem         mem_ap     little iphone.cpu         running
 1* iphone.cpu0        aarch64    little iphone.cpu         halted
 2  iphone.cpu1        aarch64    little iphone.cpu         running
 3  iphone.sep         cortex_a   little iphone.cpu         running
```
Dumping iPhone ROM Table
```
$ telnet 127.0.0.1 4444

Open On-Chip Debugger
> dap info 1
AP ID register 0x34770002
    Type is MEM-AP APB
MEM-AP BASE 0x80000000
    ROM table in legacy format
    Component base address 0x80000000
    Peripheral ID 0x00000c8489
    Designer is 0x0c8, Apple Computer
    Part is 0x489, Unrecognized
    Component class is 0x1, ROM table
    MEMTYPE system memory not present: dedicated debug bus
    ROMTABLE[0x0] = 0x40000002
    Component not present
    ROMTABLE[0x4] = 0x50300003
    Component base address 0xd0300000
    Peripheral ID 0x00000c8489
    Designer is 0x0c8, Apple Computer
    Part is 0x489, Unrecognized
    Component class is 0x1, ROM table
    MEMTYPE system memory not present: dedicated debug bus
    [L01] ROMTABLE[0x0] = 0x20002
    Component not present
    [L01] ROMTABLE[0x4] = 0x21002
    Component not present
    [L01] ROMTABLE[0x8] = 0x22002
    Component not present
    [L01] ROMTABLE[0xc] = 0x23002
    Component not present
    [L01] ROMTABLE[0x10] = 0x24002
    Component not present
    [L01] ROMTABLE[0x14] = 0x25002
    Component not present
    [L01] ROMTABLE[0x18] = 0x26002
    Component not present
    [L01] ROMTABLE[0x1c] = 0x27002
    Component not present
    [L01] ROMTABLE[0x20] = 0x308002
    Component not present
    [L01] ROMTABLE[0x24] = 0x330002
    Component not present
    [L01] ROMTABLE[0x28] = 0x334002
    Component not present
    [L01] ROMTABLE[0x2c] = 0x340002
    Component not present
    [L01] ROMTABLE[0x30] = 0x344002
    Component not present
    [L01] ROMTABLE[0x34] = 0x350002
    Component not present
    [L01] ROMTABLE[0x38] = 0x354002
    Component not present
    [L01] ROMTABLE[0x3c] = 0x360002
    Component not present
    [L01] ROMTABLE[0x40] = 0x364002
    Component not present
    [L01] ROMTABLE[0x44] = 0x1003
    Component base address 0xd0301000
    Peripheral ID 0x00004c82c5
    Designer is 0x0c8, Apple Computer
    Part is 0x2c5, Unrecognized
    Component class is 0x1, ROM table
    MEMTYPE system memory not present: dedicated debug bus
    [L02] ROMTABLE[0x0] = 0xf1d0f003
    Component base address 0xc2010000
    Peripheral ID 0x00004c83c5
    Designer is 0x0c8, Apple Computer
    Part is 0x3c5, Unrecognized
    Component class is 0x9, CoreSight component
    Type is 0x15, Debug Logic, Processor
    [L02] ROMTABLE[0x4] = 0xf1d1f003
    Component base address 0xc2020000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L02] ROMTABLE[0x8] = 0xf1e0f003
    Component base address 0xc2110000
    Peripheral ID 0x00004c83c5
    Designer is 0x0c8, Apple Computer
    Part is 0x3c5, Unrecognized
    Component class is 0x9, CoreSight component
    Type is 0x15, Debug Logic, Processor
    [L02] ROMTABLE[0xc] = 0xf1e1f003
    Component base address 0xc2120000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L02] ROMTABLE[0x10] = 0xf2c0f003
    Component base address 0xc2f10000
    Peripheral ID 0x00004c84c5
    Designer is 0x0c8, Apple Computer
    Part is 0x4c5, Unrecognized
    Component class is 0xf, PrimeCell or System component
    [L02] ROMTABLE[0x14] = 0x0
    [L02] End of ROM table
    [L01] ROMTABLE[0x48] = 0x2003
    Component base address 0xd0302000
    Peripheral ID 0x04000bb4c3
    Designer is 0x4bb, ARM Ltd.
    Part is 0x4c3, Cortex-M3 ROM (ROM Table)
    Component class is 0x1, ROM table
    MEMTYPE system memory not present: dedicated debug bus
    [L02] ROMTABLE[0x0] = 0xf7a6c003
    Component base address 0xc7d6e000
    Peripheral ID 0x04000bb000
    Designer is 0x4bb, ARM Ltd.
    Part is 0x0, Cortex-M3 SCS (System Control Space)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x4] = 0xf7a6b003
    Component base address 0xc7d6d000
    Peripheral ID 0x04002bb003
    Designer is 0x4bb, ARM Ltd.
    Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x8] = 0xf7a6a003
    Component base address 0xc7d6c000
    Peripheral ID 0x04003bb002
    Designer is 0x4bb, ARM Ltd.
    Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0xc] = 0x0
    [L02] End of ROM table
    [L01] ROMTABLE[0x4c] = 0x3003
    Component base address 0xd0303000
    Peripheral ID 0x04000bb4c3
    Designer is 0x4bb, ARM Ltd.
    Part is 0x4c3, Cortex-M3 ROM (ROM Table)
    Component class is 0x1, ROM table
    MEMTYPE system memory not present: dedicated debug bus
    [L02] ROMTABLE[0x0] = 0xf7a8b003
    Component base address 0xc7d8e000
    Peripheral ID 0x04000bb000
    Designer is 0x4bb, ARM Ltd.
    Part is 0x0, Cortex-M3 SCS (System Control Space)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x4] = 0xf7a8a003
    Component base address 0xc7d8d000
    Peripheral ID 0x04002bb003
    Designer is 0x4bb, ARM Ltd.
    Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x8] = 0xf7a89003
    Component base address 0xc7d8c000
    Peripheral ID 0x04003bb002
    Designer is 0x4bb, ARM Ltd.
    Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0xc] = 0x0
    [L02] End of ROM table
    [L01] ROMTABLE[0x50] = 0x4003
    Component base address 0xd0304000
    Peripheral ID 0x04000bb4c3
    Designer is 0x4bb, ARM Ltd.
    Part is 0x4c3, Cortex-M3 ROM (ROM Table)
    Component class is 0x1, ROM table
    MEMTYPE system memory not present: dedicated debug bus
    [L02] ROMTABLE[0x0] = 0xf7b4a003
    Component base address 0xc7e4e000
    Peripheral ID 0x04000bb000
    Designer is 0x4bb, ARM Ltd.
    Part is 0x0, Cortex-M3 SCS (System Control Space)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x4] = 0xf7b49003
    Component base address 0xc7e4d000
    Peripheral ID 0x04002bb003
    Designer is 0x4bb, ARM Ltd.
    Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x8] = 0xf7b48003
    Component base address 0xc7e4c000
    Peripheral ID 0x04003bb002
    Designer is 0x4bb, ARM Ltd.
    Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0xc] = 0x0
    [L02] End of ROM table
    [L01] ROMTABLE[0x54] = 0x5003
    Component base address 0xd0305000
    Peripheral ID 0x04000bb4c3
    Designer is 0x4bb, ARM Ltd.
    Part is 0x4c3, Cortex-M3 ROM (ROM Table)
    Component class is 0x1, ROM table
    MEMTYPE system memory not present: dedicated debug bus
    [L02] ROMTABLE[0x0] = 0xf7b69003
    Component base address 0xc7e6e000
    Peripheral ID 0x04000bb000
    Designer is 0x4bb, ARM Ltd.
    Part is 0x0, Cortex-M3 SCS (System Control Space)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x4] = 0xf7b68003
    Component base address 0xc7e6d000
    Peripheral ID 0x04002bb003
    Designer is 0x4bb, ARM Ltd.
    Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x8] = 0xf7b67003
    Component base address 0xc7e6c000
    Peripheral ID 0x04003bb002
    Designer is 0x4bb, ARM Ltd.
    Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0xc] = 0x0
    [L02] End of ROM table
    [L01] ROMTABLE[0x58] = 0x6003
    Component base address 0xd0306000
    Peripheral ID 0x04000bb4c3
    Designer is 0x4bb, ARM Ltd.
    Part is 0x4c3, Cortex-M3 ROM (ROM Table)
    Component class is 0x1, ROM table
    MEMTYPE system memory not present: dedicated debug bus
    [L02] ROMTABLE[0x0] = 0xf7b88003
    Component base address 0xc7e8e000
    Peripheral ID 0x04000bb000
    Designer is 0x4bb, ARM Ltd.
    Part is 0x0, Cortex-M3 SCS (System Control Space)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x4] = 0xf7b87003
    Component base address 0xc7e8d000
    Peripheral ID 0x04002bb003
    Designer is 0x4bb, ARM Ltd.
    Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x8] = 0xf7b86003
    Component base address 0xc7e8c000
    Peripheral ID 0x04003bb002
    Designer is 0x4bb, ARM Ltd.
    Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0xc] = 0x0
    [L02] End of ROM table
    [L01] ROMTABLE[0x5c] = 0x7003
    Component base address 0xd0307000
    Peripheral ID 0x04000bb4c3
    Designer is 0x4bb, ARM Ltd.
    Part is 0x4c3, Cortex-M3 ROM (ROM Table)
    Component class is 0x1, ROM table
    MEMTYPE system memory not present: dedicated debug bus
    [L02] ROMTABLE[0x0] = 0xf7ba7003
    Component base address 0xc7eae000
    Peripheral ID 0x04000bb000
    Designer is 0x4bb, ARM Ltd.
    Part is 0x0, Cortex-M3 SCS (System Control Space)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x4] = 0xf7ba6003
    Component base address 0xc7ead000
    Peripheral ID 0x04002bb003
    Designer is 0x4bb, ARM Ltd.
    Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x8] = 0xf7ba5003
    Component base address 0xc7eac000
    Peripheral ID 0x04003bb002
    Designer is 0x4bb, ARM Ltd.
    Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0xc] = 0x0
    [L02] End of ROM table
    [L01] ROMTABLE[0x60] = 0x8003
    Component base address 0xd0308000
    Peripheral ID 0x04000bb4c3
    Designer is 0x4bb, ARM Ltd.
    Part is 0x4c3, Cortex-M3 ROM (ROM Table)
    Component class is 0x1, ROM table
    MEMTYPE system memory not present: dedicated debug bus
    [L02] ROMTABLE[0x0] = 0xf7bc6003
    Component base address 0xc7ece000
    Peripheral ID 0x04000bb000
    Designer is 0x4bb, ARM Ltd.
    Part is 0x0, Cortex-M3 SCS (System Control Space)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x4] = 0xf7bc5003
    Component base address 0xc7ecd000
    Peripheral ID 0x04002bb003
    Designer is 0x4bb, ARM Ltd.
    Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x8] = 0xf7bc4003
    Component base address 0xc7ecc000
    Peripheral ID 0x04003bb002
    Designer is 0x4bb, ARM Ltd.
    Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0xc] = 0x0
    [L02] End of ROM table
    [L01] ROMTABLE[0x64] = 0x9003
    Component base address 0xd0309000
    Peripheral ID 0x04000bb4c3
    Designer is 0x4bb, ARM Ltd.
    Part is 0x4c3, Cortex-M3 ROM (ROM Table)
    Component class is 0x1, ROM table
    MEMTYPE system memory not present: dedicated debug bus
    [L02] ROMTABLE[0x0] = 0xf7c25003
    Component base address 0xc7f2e000
    Peripheral ID 0x04000bb000
    Designer is 0x4bb, ARM Ltd.
    Part is 0x0, Cortex-M3 SCS (System Control Space)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x4] = 0xf7c24003
    Component base address 0xc7f2d000
    Peripheral ID 0x04002bb003
    Designer is 0x4bb, ARM Ltd.
    Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x8] = 0xf7c23003
    Component base address 0xc7f2c000
    Peripheral ID 0x04003bb002
    Designer is 0x4bb, ARM Ltd.
    Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0xc] = 0x0
    [L02] End of ROM table
    [L01] ROMTABLE[0x68] = 0xa003
    Component base address 0xd030a000
    Peripheral ID 0x04000bb4c3
    Designer is 0x4bb, ARM Ltd.
    Part is 0x4c3, Cortex-M3 ROM (ROM Table)
    Component class is 0x1, ROM table
    MEMTYPE system memory not present: dedicated debug bus
    [L02] ROMTABLE[0x0] = 0xf7c64003
    Component base address 0xc7f6e000
    Peripheral ID 0x04000bb000
    Designer is 0x4bb, ARM Ltd.
    Part is 0x0, Cortex-M3 SCS (System Control Space)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x4] = 0xf7c63003
    Component base address 0xc7f6d000
    Peripheral ID 0x04002bb003
    Designer is 0x4bb, ARM Ltd.
    Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x8] = 0xf7c62003
    Component base address 0xc7f6c000
    Peripheral ID 0x04003bb002
    Designer is 0x4bb, ARM Ltd.
    Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0xc] = 0x0
    [L02] End of ROM table
    [L01] ROMTABLE[0x6c] = 0xb003
    Component base address 0xd030b000
    Peripheral ID 0x04000bb4c3
    Designer is 0x4bb, ARM Ltd.
    Part is 0x4c3, Cortex-M3 ROM (ROM Table)
    Component class is 0x1, ROM table
    MEMTYPE system memory not present: dedicated debug bus
    [L02] ROMTABLE[0x0] = 0xf7c83003
    Component base address 0xc7f8e000
    Peripheral ID 0x04000bb000
    Designer is 0x4bb, ARM Ltd.
    Part is 0x0, Cortex-M3 SCS (System Control Space)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x4] = 0xf7c82003
    Component base address 0xc7f8d000
    Peripheral ID 0x04002bb003
    Designer is 0x4bb, ARM Ltd.
    Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x8] = 0xf7c81003
    Component base address 0xc7f8c000
    Peripheral ID 0x04003bb002
    Designer is 0x4bb, ARM Ltd.
    Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0xc] = 0x0
    [L02] End of ROM table
    [L01] ROMTABLE[0x70] = 0xc003
    Component base address 0xd030c000
    Peripheral ID 0x04000bb4c3
    Designer is 0x4bb, ARM Ltd.
    Part is 0x4c3, Cortex-M3 ROM (ROM Table)
    Component class is 0x1, ROM table
    MEMTYPE system memory not present: dedicated debug bus
    [L02] ROMTABLE[0x0] = 0xf7ca2003
    Component base address 0xc7fae000
    Peripheral ID 0x04000bb000
    Designer is 0x4bb, ARM Ltd.
    Part is 0x0, Cortex-M3 SCS (System Control Space)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x4] = 0xf7ca1003
    Component base address 0xc7fad000
    Peripheral ID 0x04002bb003
    Designer is 0x4bb, ARM Ltd.
    Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0x8] = 0xf7ca0003
    Component base address 0xc7fac000
    Peripheral ID 0x04003bb002
    Designer is 0x4bb, ARM Ltd.
    Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
    Component class is 0xe, Generic IP component
    [L02] ROMTABLE[0xc] = 0x0
    [L02] End of ROM table
    [L01] ROMTABLE[0x74] = 0xf1a40003
    Component base address 0xc1d40000
    Peripheral ID 0x04005bbc07
    Designer is 0x4bb, ARM Ltd.
    Part is 0xc07, Cortex-A7 Debug (Debug Unit)
    Component class is 0x9, CoreSight component
    Type is 0x15, Debug Logic, Processor
    [L01] ROMTABLE[0x78] = 0xf1a41002
    Component not present
    [L01] ROMTABLE[0x7c] = 0xf1a44003
    Component base address 0xc1d44000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0x80] = 0xf1a48003
    Component base address 0xc1d48000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0x84] = 0xf1a4c003
    Component base address 0xc1d4c000
    Peripheral ID 0x04000bb956
    Designer is 0x4bb, ARM Ltd.
    Part is 0x956, Unrecognized
    Component class is 0x9, CoreSight component
    Type is 0x13, Trace Source, Processor
    [L01] ROMTABLE[0x88] = 0xf1a50003
    Component base address 0xc1d50000
    Peripheral ID 0x04003bb907
    Designer is 0x4bb, ARM Ltd.
    Part is 0x907, CoreSight ETB (Trace Buffer)
    Component class is 0x9, CoreSight component
    Type is 0x21, Trace Sink, Buffer
    [L01] ROMTABLE[0x8c] = 0xf5920003
    Component base address 0xc5c20000
    Peripheral ID 0x04005bbc07
    Designer is 0x4bb, ARM Ltd.
    Part is 0xc07, Cortex-A7 Debug (Debug Unit)
    Component class is 0x9, CoreSight component
    Type is 0x15, Debug Logic, Processor
    [L01] ROMTABLE[0x90] = 0xf5921002
    Component not present
    [L01] ROMTABLE[0x94] = 0xf5924003
    Component base address 0xc5c24000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0x98] = 0xf5928003
    Component base address 0xc5c28000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0x9c] = 0xf592c003
    Component base address 0xc5c2c000
    Peripheral ID 0x04000bb956
    Designer is 0x4bb, ARM Ltd.
    Part is 0x956, Unrecognized
    Component class is 0x9, CoreSight component
    Type is 0x13, Trace Source, Processor
    [L01] ROMTABLE[0xa0] = 0xf5930003
    Component base address 0xc5c30000
    Peripheral ID 0x04003bb907
    Designer is 0x4bb, ARM Ltd.
    Part is 0x907, CoreSight ETB (Trace Buffer)
    Component class is 0x9, CoreSight component
    Type is 0x21, Trace Sink, Buffer
    [L01] ROMTABLE[0xa4] = 0xf79a0003
    Component base address 0xc7ca0000
    Peripheral ID 0x04005bbc07
    Designer is 0x4bb, ARM Ltd.
    Part is 0xc07, Cortex-A7 Debug (Debug Unit)
    Component class is 0x9, CoreSight component
    Type is 0x15, Debug Logic, Processor
    [L01] ROMTABLE[0xa8] = 0xf79a1002
    Component not present
    [L01] ROMTABLE[0xac] = 0xf79a4003
    Component base address 0xc7ca4000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0xb0] = 0xf79a8003
    Component base address 0xc7ca8000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0xb4] = 0xf79ac003
    Component base address 0xc7cac000
    Peripheral ID 0x04000bb956
    Designer is 0x4bb, ARM Ltd.
    Part is 0x956, Unrecognized
    Component class is 0x9, CoreSight component
    Type is 0x13, Trace Source, Processor
    [L01] ROMTABLE[0xb8] = 0xf79b0003
    Component base address 0xc7cb0000
    Peripheral ID 0x04003bb907
    Designer is 0x4bb, ARM Ltd.
    Part is 0x907, CoreSight ETB (Trace Buffer)
    Component class is 0x9, CoreSight component
    Type is 0x21, Trace Sink, Buffer
    [L01] ROMTABLE[0xbc] = 0xfab20003
    Component base address 0xcae20000
    Peripheral ID 0x04005bbc07
    Designer is 0x4bb, ARM Ltd.
    Part is 0xc07, Cortex-A7 Debug (Debug Unit)
    Component class is 0x9, CoreSight component
    Type is 0x15, Debug Logic, Processor
    [L01] ROMTABLE[0xc0] = 0xfab21002
    Component not present
    [L01] ROMTABLE[0xc4] = 0xfab24003
    Component base address 0xcae24000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0xc8] = 0xfab28003
    Component base address 0xcae28000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0xcc] = 0xfab2c003
    Component base address 0xcae2c000
    Peripheral ID 0x04000bb956
    Designer is 0x4bb, ARM Ltd.
    Part is 0x956, Unrecognized
    Component class is 0x9, CoreSight component
    Type is 0x13, Trace Source, Processor
    [L01] ROMTABLE[0xd0] = 0xfab30003
    Component base address 0xcae30000
    Peripheral ID 0x04003bb907
    Designer is 0x4bb, ARM Ltd.
    Part is 0x907, CoreSight ETB (Trace Buffer)
    Component class is 0x9, CoreSight component
    Type is 0x21, Trace Sink, Buffer
    [L01] ROMTABLE[0xd4] = 0xfd720003
    Component base address 0xcda20000
    Peripheral ID 0x04005bbc07
    Designer is 0x4bb, ARM Ltd.
    Part is 0xc07, Cortex-A7 Debug (Debug Unit)
    Component class is 0x9, CoreSight component
    Type is 0x15, Debug Logic, Processor
    [L01] ROMTABLE[0xd8] = 0xfd721002
    Component not present
    [L01] ROMTABLE[0xdc] = 0xfd724003
    Component base address 0xcda24000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0xe0] = 0xfd728003
    Component base address 0xcda28000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0xe4] = 0xfd72c003
    Component base address 0xcda2c000
    Peripheral ID 0x04000bb956
    Designer is 0x4bb, ARM Ltd.
    Part is 0x956, Unrecognized
    Component class is 0x9, CoreSight component
    Type is 0x13, Trace Source, Processor
    [L01] ROMTABLE[0xe8] = 0xfd730003
    Component base address 0xcda30000
    Peripheral ID 0x04003bb907
    Designer is 0x4bb, ARM Ltd.
    Part is 0x907, CoreSight ETB (Trace Buffer)
    Component class is 0x9, CoreSight component
    Type is 0x21, Trace Sink, Buffer
    [L01] ROMTABLE[0xec] = 0xfe020003
    Component base address 0xce320000
    Peripheral ID 0x04005bbc07
    Designer is 0x4bb, ARM Ltd.
    Part is 0xc07, Cortex-A7 Debug (Debug Unit)
    Component class is 0x9, CoreSight component
    Type is 0x15, Debug Logic, Processor
    [L01] ROMTABLE[0xf0] = 0xfe021002
    Component not present
    [L01] ROMTABLE[0xf4] = 0xfe024003
    Component base address 0xce324000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0xf8] = 0xfe028003
    Component base address 0xce328000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0xfc] = 0xfe02c003
    Component base address 0xce32c000
    Peripheral ID 0x04000bb956
    Designer is 0x4bb, ARM Ltd.
    Part is 0x956, Unrecognized
    Component class is 0x9, CoreSight component
    Type is 0x13, Trace Source, Processor
    [L01] ROMTABLE[0x100] = 0xfe030003
    Component base address 0xce330000
    Peripheral ID 0x04003bb907
    Designer is 0x4bb, ARM Ltd.
    Part is 0x907, CoreSight ETB (Trace Buffer)
    Component class is 0x9, CoreSight component
    Type is 0x21, Trace Sink, Buffer
    [L01] ROMTABLE[0x104] = 0x520003
    Component base address 0xd0820000
    Peripheral ID 0x04005bbc07
    Designer is 0x4bb, ARM Ltd.
    Part is 0xc07, Cortex-A7 Debug (Debug Unit)
    Component class is 0x9, CoreSight component
    Type is 0x15, Debug Logic, Processor
    [L01] ROMTABLE[0x108] = 0x521002
    Component not present
    [L01] ROMTABLE[0x10c] = 0x524003
    Component base address 0xd0824000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0x110] = 0x528003
    Component base address 0xd0828000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0x114] = 0x52c003
    Component base address 0xd082c000
    Peripheral ID 0x04000bb956
    Designer is 0x4bb, ARM Ltd.
    Part is 0x956, Unrecognized
    Component class is 0x9, CoreSight component
    Type is 0x13, Trace Source, Processor
    [L01] ROMTABLE[0x118] = 0x530003
    Component base address 0xd0830000
    Peripheral ID 0x04003bb907
    Designer is 0x4bb, ARM Ltd.
    Part is 0x907, CoreSight ETB (Trace Buffer)
    Component class is 0x9, CoreSight component
    Type is 0x21, Trace Sink, Buffer
    [L01] ROMTABLE[0x11c] = 0xefef8003
    Component base address 0xc01f8000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0x120] = 0xefefc003
    Component base address 0xc01fc000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0x124] = 0xf0a11003
    Component base address 0xc0d11000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0x128] = 0xf0a12003
    Component base address 0xc0d12000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0x12c] = 0xf0c00003
    Component base address 0xc0f00000
    Peripheral ID 0x00003c80af
    Designer is 0x0c8, Apple Computer
    Part is 0xaf, Unrecognized
    Component class is 0xf, PrimeCell or System component
    [L01] ROMTABLE[0x130] = 0xf0c20003
    Component base address 0xc0f20000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0x134] = 0xf5830003
    Component base address 0xc5b30000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0x138] = 0xf5831003
    Component base address 0xc5b31000
    Peripheral ID 0x04003bb906
    Designer is 0x4bb, ARM Ltd.
    Part is 0x906, CoreSight CTI (Cross Trigger)
    Component class is 0x9, CoreSight component
    Type is 0x14, Debug Control, Trigger Matrix
    [L01] ROMTABLE[0x13c] = 0xf5e0c003
    Component base address 0xc610c000
```
714 Peripheral ID 0x04003bb906
715 Designer is 0x4bb, ARM Ltd.
716 Part is 0x906, CoreSight CTI (Cross Trigger)
717 Component class is 0x9, CoreSight component
718 Type is 0x14, Debug Control, Trigger Matrix
719 [L01] ROMTABLE[0x140] = 0xfcc00003
720 Component base address 0xccf00000
721 Peripheral ID 0x00000c87ad
722 Designer is 0x0c8, Apple Computer
723 Part is 0x7ad, Unrecognized
724 Component class is 0xf, PrimeCell or System component
725 [L01] ROMTABLE[0x144] = 0xfcc10003
726 Component base address 0xccf10000
727 Peripheral ID 0x04003bb906
728 Designer is 0x4bb, ARM Ltd.
729 Part is 0x906, CoreSight CTI (Cross Trigger)
730 Component class is 0x9, CoreSight component
731 Type is 0x14, Debug Control, Trigger Matrix
732 [L01] ROMTABLE[0x148] = 0xfcc11003
733 Component base address 0xccf11000
734 Peripheral ID 0x04003bb906
735 Designer is 0x4bb, ARM Ltd.
736 Part is 0x906, CoreSight CTI (Cross Trigger)
737 Component class is 0x9, CoreSight component
738 Type is 0x14, Debug Control, Trigger Matrix
739 [L01] ROMTABLE[0x14c] = 0xfcc20002
740 Component not present
741 [L01] ROMTABLE[0x150] = 0xfcc21003
742 Component base address 0xccf21000
743 Peripheral ID 0x00002c85ad
744 Designer is 0x0c8, Apple Computer
745 Part is 0x5ad, Unrecognized
746 Component class is 0xf, PrimeCell or System component
747 [L01] ROMTABLE[0x154] = 0xfdda4003
748 Component base address 0xce0a4000
749 Peripheral ID 0x00003c8088
750 Designer is 0x0c8, Apple Computer
751 Part is 0x88, Unrecognized
752 Component class is 0xf, PrimeCell or System component
753 [L01] ROMTABLE[0x158] = 0xfdda8003
754 Component base address 0xce0a8000
755 Peripheral ID 0x04003bb906
756 Designer is 0x4bb, ARM Ltd.
757 Part is 0x906, CoreSight CTI (Cross Trigger)
758 Component class is 0x9, CoreSight component
759 Type is 0x14, Debug Control, Trigger Matrix
760 [L01] ROMTABLE[0x15c] = 0x10003
761 Component base address 0xd0310000
762 Peripheral ID 0x00006c8000
763 Designer is 0x0c8, Apple Computer
764 Part is 0x0, Unrecognized
765 Component class is 0xf, PrimeCell or System component
766 [L01] ROMTABLE[0x160] = 0x14003
767 Component base address 0xd0314000
768 Peripheral ID 0x00002c84ad
769 Designer is 0x0c8, Apple Computer
770 Part is 0x4ad, Unrecognized
771 Component class is 0xf, PrimeCell or System component
772 [L01] ROMTABLE[0x164] = 0x30003
773 Component base address 0xd0330000
774 Peripheral ID 0x04003bb906
775 Designer is 0x4bb, ARM Ltd.
776 Part is 0x906, CoreSight CTI (Cross Trigger)
777 Component class is 0x9, CoreSight component
778 Type is 0x14, Debug Control, Trigger Matrix
779 [L01] ROMTABLE[0x168] = 0x0
780 [L01] End of ROM table
781 ROMTABLE[0x8] = 0x0
782 End of ROM table
</pre>
`{=html}

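To make a dump like the one above checkable offline, here is an added example (not code from the original post or from the Bonobo project) that decodes ADIv5 ROM table entries and 40-bit Peripheral IDs the same way OpenOCD's `dap info` prints them, and cross-checks the printed base addresses. The ROM table base 0xd0300000 is an assumption recovered from the first entry's printed address, and the two-entry sample is copied from the dump above.

```python
import re
# JEP106 designer codes and ARM part numbers in the form OpenOCD prints them
DESIGNERS = {0x4bb: "ARM Ltd.", 0x0c8: "Apple Computer"}
PARTS = {(0x4bb, 0x906): "CoreSight CTI (Cross Trigger)",
         (0x4bb, 0x907): "CoreSight ETB (Trace Buffer)",
         (0x4bb, 0xc07): "Cortex-A7 Debug (Debug Unit)"}

def entry_base(rom_base, entry):
    """ADIv5 ROM entry: bit 0 = PRESENT, bits [31:12] = offset from the ROM table base (mod 2^32)."""
    if not entry & 0x1:
        return None                              # OpenOCD prints "Component not present"
    return (rom_base + (entry & 0xFFFFF000)) & 0xFFFFFFFF

def decode_pid(pid):
    """Split the 40-bit Peripheral ID (PIDR4..PIDR0 concatenated) as OpenOCD's dap info does."""
    part = pid & 0xFFF                                            # PIDR1[3:0]:PIDR0[7:0]
    designer = (((pid >> 32) & 0xF) << 8) | ((pid >> 12) & 0xFF)  # JEP106 continuation:id
    size = 4096 << ((pid >> 36) & 0xF)                            # PIDR4[7:4] = log2(4 KiB blocks)
    return designer, part, size

def parse_dump(text, rom_base):
    """Walk OpenOCD ROM table output; raise if a printed base address disagrees with its entry."""
    comps, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\[L01\] ROMTABLE\[(0x[0-9a-f]+)\] = (0x[0-9a-f]+)", line)
        if m:
            entry = int(m[2], 16)
            cur = {"offset": int(m[1], 16), "entry": entry, "base": entry_base(rom_base, entry)}
            comps.append(cur)
        elif line.startswith("Component base address"):
            printed = int(line.split()[-1], 16)
            if printed != cur["base"]:
                raise ValueError(f"entry {cur['entry']:#x}: printed {printed:#x}, computed {cur['base']:#x}")
        elif line.startswith("Peripheral ID"):
            designer, part, size = decode_pid(int(line.split()[-1], 16))
            cur.update(designer=DESIGNERS.get(designer, f"{designer:#05x}"), part=part, size=size,
                       name=PARTS.get((designer, part), "Unrecognized"))
    return comps

# Constructed sample: two entries copied from the dump above
SAMPLE = """\
[L01] ROMTABLE[0x100] = 0xfe030003
Component base address 0xce330000
Peripheral ID 0x04003bb907
[L01] ROMTABLE[0x12c] = 0xf0c00003
Component base address 0xc0f00000
Peripheral ID 0x00003c80af
"""
# Assumed ROM table base: OpenOCD does not print it, so recover it from the first entry's address
ROM_BASE = (0xce330000 - 0xfe030000) & 0xFFFFFFFF   # 0xd0300000
```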
## Debugging iPhone with GDB

    $ aarch64-linux-gnu-gdb

    (gdb) target remote :3333
    0x0000000100000508 in ?? ()

    (gdb) x/i $pc
    => 0x100000508: ret

    (gdb) info registers
    x0             0x118e094            18407572
    x1             0x180088310          6443008784
    x2             0x1801b8d50          6444256592
    x3             0x180083c78          6442990712
    x4             0x180083940          6442989888
    x5             0x4000               16384
    x6             0x8                  8
    x7             0x199443e7e29a829f   1843172810719658655
    x8             0x6                  6
    x9             0x1800883e0          6443008992
    x10            0x1                  1
    x11            0xf                  15
    x12            0xe                  14
    x13            0x8                  8
    x14            0xffffffff           4294967295
    x15            0x0                  0
    x16            0x0                  0
    x17            0x0                  0
    x18            0x0                  0
    x19            0x1800887a0          6443009952
    x20            0x10000b0d0          4295012560
    x21            0x118e094            18407572
    x22            0x1800883a0          6443008928
    x23            0x180088000          6443008000
    x24            0x180080000          6442975232
    x25            0x1800883c0          6443008960
    x26            0x0                  0
    x27            0x0                  0
    x28            0x0                  0
    x29            0x180088380          6443008896
    x30            0x10000a97c          4295010684
    sp             0x180088340          0x180088340
    pc             0x100000508          0x100000508
    CPSR           0x800002c4           2147484356
    ELR_EL1        0x1000004f4          0x1000004f4
    ESR_EL1        0x0                  0
    SPSR_EL1       0x20000204           536871428
    ELR_EL2        0x0                  0x0
    ESR_EL2        0x0                  0
    SPSR_EL2       0x0                  0
    ELR_EL3        0x0                  0x0
    ESR_EL3        0x0                  0
    SPSR_EL3       0x0                  0

    (gdb) stepi
    0x000000010000a97c in ?? ()
    (gdb) x/2i $pc
    => 0x10000a97c: add x25, x22, #0x20
       0x10000a980: bl 0x10000a514