For now I've only got KongSWD, so everything below applies to this type of cable first of all.
If you're reading this thread, you've most likely seen many photos with these weird Apple internal cables posted here on Twitter: Gorilla, Kong, Kanzi, Chimp, Flamingo, etc. https://twitter.com/laobaiTD/status/1026546353319493632
But have you ever wondered what they are for, what they can do and why they are so expensive? The answer is simple: they provide JTAG, a powerful debug interface.
What can you achieve with JTAG on an iOS device? The three major capabilities are:

1) Arbitrary memory access (well, there are some weird limitations though): you can halt the CPU and dump arbitrary portions of virtual memory, or load an arbitrary file from your computer back to the device. pic.twitter.com/fn3yDyTeri

2) Arbitrary CPU register access: you can halt the CPU, view the current register state and change the value of any register. pic.twitter.com/Kcr3JvtqwC

3) Halt the CPU at an arbitrary point of execution, so you can use the first two capabilities.
With these capabilities you can do pretty much whatever you want with a device: execute arbitrary code at any point, dump anything you want (for example, SecureROM), play with MMIO... pic.twitter.com/ON15zL24cj

...or grab firmware keys, as I did a few weeks ago just by dumping iBoot, pointing the "ticket" command's address to the load address, sending the patched iBoot back and then executing my custom payload, Lina, which allows me to utilize aes_crypto_cmd(). pic.twitter.com/KkhXLwdVIP
Obviously Apple wouldn't make their production devices vulnerable to some stolen cables. That's because JTAGging is only possible on devices with CPFM lower than or equal to 0x01. pic.twitter.com/KykRAhZZZJ

CPFM stands for ChiP Fusing Mode, as far as I know. It's fused deep inside the SoC and cannot be changed. It consists of two boolean values: security mode (bit 0) and production mode (bit 1).

If bit 0 is set, the SoC has Secure security mode, otherwise Insecure. If bit 1 is set, the SoC has Production production mode, otherwise Development.

So, to be able to JTAG into a device, it has to be Development-fused (CPFM 0x01 or 0x00). In other cases, this is what you'll get: pic.twitter.com/ibGkOcIg68
Cayman (Apple A10) production devices will connect, but no CPUs will be available to choose (more about that later). pic.twitter.com/3GgBSFoOyl

Skye (Apple A11) will connect and have SEP and ANS2 (some co-processor, I believe) available, but they're always powered off. pic.twitter.com/693Xugku9b

Perhaps that's because the version of Astris I have incorrectly detects the chip revision of both the Cayman and Skye targets I've got (iPad 2018 and iPhone X).
Such a CPFM can only be on prototype devices, at least DVT or older. PVT always has CPFM 0x03 (Production + Secure). pic.twitter.com/vOP44b4KI6
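As an added illustration (not code from the thread's author), here are the CPFM rules from the tweets above written out in Python. The names `parse_cpfm`, `check_build_stage` and the `CPFM_*` constants are my own; the only facts encoded are the two bit meanings, the JTAG condition (Development-fused, i.e. CPFM 0x00 or 0x01) and the statement that PVT hardware is always 0x03. Values with any other bit set are rejected, because the thread defines only two bits.

```python
"""CPFM (ChiP Fusing Mode) decoder.

Added example, not from the thread. Encodes only what the thread states:
bit 0 = security mode (1 = Secure, 0 = Insecure), bit 1 = production mode
(1 = Production, 0 = Development), JTAG is only possible on Development-fused
SoCs (CPFM 0x00 or 0x01), and PVT units always read 0x03. Names are assumptions.
"""
from dataclasses import dataclass

CPFM_SECURE_BIT = 1 << 0      # bit 0: 1 = Secure, 0 = Insecure
CPFM_PRODUCTION_BIT = 1 << 1  # bit 1: 1 = Production, 0 = Development
CPFM_MASK = CPFM_SECURE_BIT | CPFM_PRODUCTION_BIT


@dataclass(frozen=True)
class CPFM:
    value: int

    @property
    def security_mode(self) -> str:
        return "Secure" if self.value & CPFM_SECURE_BIT else "Insecure"

    @property
    def production_mode(self) -> str:
        return "Production" if self.value & CPFM_PRODUCTION_BIT else "Development"

    @property
    def jtag_possible(self) -> bool:
        # "CPFM <= 0x01" is the same test as "production bit clear":
        # the security bit alone does not block the debug interface.
        return not (self.value & CPFM_PRODUCTION_BIT)

    def describe(self) -> str:
        state = "available" if self.jtag_possible else "unavailable"
        return (f"CPFM 0x{self.value:02x}: {self.production_mode} + "
                f"{self.security_mode}, JTAG {state}")


def parse_cpfm(raw) -> CPFM:
    """Accept an int, or a hex/decimal string such as '0x03' copied from a probe banner."""
    value = int(raw, 0) if isinstance(raw, str) else int(raw)
    if value & ~CPFM_MASK:
        # Only two bits are defined; anything else is treated as malformed input.
        raise ValueError(f"CPFM value 0x{value:x} uses bits beyond the two defined")
    return CPFM(value)


def check_build_stage(cpfm: CPFM, stage: str) -> bool:
    """Return True when a reported CPFM is consistent with the claimed build stage.

    The thread says PVT is always 0x03, so a unit labelled PVT that reads anything
    else (in particular a Development-fused one) is a mismatch worth a second look.
    Earlier stages (DVT and older) may carry any of the four values, so no
    constraint is applied to them here (assumption: the thread gives none).
    """
    if stage.upper() == "PVT":
        return cpfm.value == CPFM_MASK
    return True


if __name__ == "__main__":
    # Constructed sample values, one per fusing combination.
    for raw in ("0x00", "0x01", "0x02", "0x03"):
        print(parse_cpfm(raw).describe())
```

Running the block prints one line per fusing combination; only 0x00 and 0x01 report JTAG as available, matching the thread's "CPFM lower than or equal to 0x01" rule.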
To interact with SWD cables you need a piece of software called Astris. It's shipped as part of RestoreTools and HomeDiagnostics; I've never heard of it being shipped as a standalone package.

You can still install it separately using Pacifist, but in that case you'll have to launch the LaunchDaemons and kernel extensions shipped with it manually. pic.twitter.com/bVuwhMNbQR
When you launch Astris with a probe connected to your Mac and a device connected to the probe, you'll see something like this: pic.twitter.com/lbwdmUc5cx

The first thing you need to do is choose a CPU. For that:
cpu CPU0
pic.twitter.com/aK3EzcLZQx

Then you need to stop its execution:
halt
Usually it prints a register dump: pic.twitter.com/wggrnpyNzE

Now you can change any register you like, including PC:
reg pc 0x41414141
pic.twitter.com/YvcSIksb8L

Or load a patched copy of iBoot back to the device, so you can run classic payloads:
load path_to_file address
pic.twitter.com/f1uwg76O81
Some corrections about Astris installation: the Astris package inside RestoreTools/HomeDiagnostics doesn't contain many useful support scripts. So besides Astris itself, you should also install this part of HomeDiagnostics. pic.twitter.com/9AXuzW5cJD

The scripts seem to be (partially) incompatible with older/newer Astris versions, so install only matching versions from the same HomeDiagnostics package. For example, when I installed Whitetail scripts along with Electric Astris, I had issues with GDB debugging.

Yes, those 8000...800N ports Astris prints when it detects a target are actually the ports you can connect to with GDB/LLDB. pic.twitter.com/8FgsazvF0N

It never worked properly for me for some reason, but those additional scripts add a few new debug features to Astris itself. For example, breakpoints and watchpoints (well, I'd never noticed these commands before I installed the scripts). pic.twitter.com/41p5733ggp