Examples

Dump ROM table

$ telnet 127.0.0.1 4444

Open On-Chip Debugger
> dap info 1
AP ID register 0x34770002
    Type is MEM-AP APB
MEM-AP BASE 0x80000000
    ROM table in legacy format
        Component base address 0x80000000
        Peripheral ID 0x00000c8489
        Designer is 0x0c8, Apple Computer
        Part is 0x489, Unrecognized
        Component class is 0x1, ROM table
        MEMTYPE system memory not present: dedicated debug bus
    ROMTABLE[0x0] = 0x40000002
        Component not present

[...]

List targets & CPU states

$ telnet 127.0.0.1 4444

Open On-Chip Debugger
> targets
    TargetName         Type       Endian TapName            State
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.mem         mem_ap     little iphone.cpu         running
 1  iphone.cpu0        aarch64    little iphone.cpu         running
 2  iphone.cpu1        aarch64    little iphone.cpu         poweroff
 3* iphone.sep         cortex_a   little iphone.cpu         unknown

Selecting another target:

> targets iphone.cpu0

Halt & Resume

Select first the target CPU you want to halt/resume:

> targets iphone.cpu0

> halt
target halted in AArch64 state due to debug-request, current mode: EL1T
cpsr: 0x800002c4 pc: 0x100000508
MMU: enabled, D-Cache: enabled, I-Cache: enabled

> targets
    TargetName         Type       Endian TapName            State
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.mem         mem_ap     little iphone.cpu         running
 1* iphone.cpu0        aarch64    little iphone.cpu         halted
 2  iphone.cpu1        aarch64    little iphone.cpu         poweroff
 3  iphone.sep         cortex_a   little iphone.cpu         halted

> resume

> targets
    TargetName         Type       Endian TapName            State
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.mem         mem_ap     little iphone.cpu         running
 1* iphone.cpu0        aarch64    little iphone.cpu         running
 2  iphone.cpu1        aarch64    little iphone.cpu         poweroff
 3  iphone.sep         cortex_a   little iphone.cpu         halted

Alternatively, attach GDB and use the “Ctrl-C” and “continue” commands.

Memory access

For most targets, the MEM-AP iphone.mem uses 64-bit addresses and 64-bit words. When reading or writing memory via the MEM-AP target, a direct connection (bus master) to the AXI bus is used, so the access can be done while the CPUs are running.

Read memory as bytes:

$ telnet 127.0.0.1 4444

Open On-Chip Debugger
> iphone.mem mdb 0x100000000 16
0x100000000: 00 00 00 90 00 00 00 91 81 18 00 58 f3 1e 00 94

Read memory as 64-bit words:

> iphone.mem mdd 0x100000000 2
0x100000000: 9100000090000000 94001ef358001881

For other commands:

> help iphone.mem
[...]
iphone.mem mdb address [count]
      Display target memory as 8-bit bytes
iphone.mem mdd address [count]
      Display target memory as 64-bit words
iphone.mem mdh address [count]
      Display target memory as 16-bit half-words
iphone.mem mdw address [count]
      Display target memory as 32-bit words
[...]
iphone.mem mwb address data [count]
      Write byte(s) to target memory
iphone.mem mwd address data [count]
      Write 64-bit word(s) to target memory
iphone.mem mwh address data [count]
      Write 16-bit half-word(s) to target memory
iphone.mem mww address data [count]
      Write 32-bit word(s) to target memory

Accessing memory through the CPUs is possible as well, but it requires the corresponding CPU to be halted:

> iphone.cpu0 mdb 0x100000000 16
0x100000000: 00 00 00 90 00 00 00 91 81 18 00 58 f3 1e 00 94
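
The following Python is an added example, not code from the Bonobo or OpenOCD documentation: it parses the mdb and mdd output lines shown above and demonstrates that they describe the same 16 bytes, since the target is little-endian and each mdd word is the byte-reversed group of eight mdb bytes. The helper names and the line regex are assumptions of the example, not an OpenOCD API.

```python
import re

# Constructed from the two iphone.mem reads shown above: the same 16 bytes, once as mdb and once as mdd output.
MDB_LINE = "0x100000000: 00 00 00 90 00 00 00 91 81 18 00 58 f3 1e 00 94"
MDD_LINE = "0x100000000: 9100000090000000 94001ef358001881"

MD_RE = re.compile(r"^(0x[0-9a-fA-F]+):\s+([0-9a-fA-F ]+)$")
WIDTH = {"mdb": 1, "mdh": 2, "mdw": 4, "mdd": 8}  # element size in bytes for each OpenOCD display command


def parse_md(line, cmd):
    """Parse one output line of an OpenOCD mdX command into (address, raw little-endian bytes)."""
    m = MD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an OpenOCD memory display line: {line!r}")
    width = WIDTH[cmd]
    raw = bytearray()
    for tok in m.group(2).split():
        if len(tok) != 2 * width:
            raise ValueError(f"{tok!r} is not a {8 * width}-bit value as printed by {cmd}")
        # The target is little-endian (see the Endian column of `targets`), so the least
        # significant byte of every word sits at the lowest address.
        raw += int(tok, 16).to_bytes(width, "little")
    return int(m.group(1), 16), bytes(raw)


def words(raw, width):
    """Split raw bytes into little-endian unsigned integers of the given width."""
    if len(raw) % width:
        raise ValueError(f"{len(raw)} bytes is not a multiple of {width}")
    return [int.from_bytes(raw[i:i + width], "little") for i in range(0, len(raw), width)]


def format_md(addr, raw, cmd):
    """Render raw bytes the way OpenOCD's mdX command displays them (inverse of parse_md)."""
    width = WIDTH[cmd]
    return f"0x{addr:x}: " + " ".join(f"{w:0{2 * width}x}" for w in words(raw, width))
```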

Dump BootROM

$ telnet 127.0.0.1 4444

Open On-Chip Debugger
> targets iphone.mem
> dump_image bootrom.bin 0x100000000 0x20000
dumped 131072 bytes in 1.443821s (88.654 KiB/s)

Note

In case of a bulk error, refer to the “Bulk read/write failed” section.

The file is created in the OpenOCD working directory:

$ hexdump -C bootrom.bin | head -n 34

00000000  00 00 00 90 00 00 00 91  81 18 00 58 f3 1e 00 94  |...........X....|
00000010  3f 00 00 eb 40 01 00 54  fe 03 01 aa 22 18 00 58  |?...@..T...."..X|
00000020  c3 17 00 58 42 00 03 cb  03 10 c1 a8 23 10 81 a8  |...XB.......#...|
00000030  42 40 00 f1 a1 ff ff 54  c0 03 5f d6 df 4f 03 d5  |B@.....T.._..O..|
00000040  1e 00 00 90 de 53 14 91  6a 00 00 90 4a 01 00 91  |.....S..j...J...|
00000050  0a c0 18 d5 2a 18 00 58  4b 18 00 58 6b 01 0a 8b  |....*..XK..Xk...|
00000060  0c 00 80 d2 4c 31 81 a8  5f 01 0b eb c1 ff ff 54  |....L1.._......T|
00000070  ca 17 00 58 eb 17 00 58  6b 01 0a 8b 0c 00 80 d2  |...X...Xk.......|
00000080  4c 31 81 a8 5f 01 0b eb  c1 ff ff 54 6a 16 00 58  |L1.._......Tj..X|
00000090  4a 05 40 91 5f 01 00 91  bf 40 00 d5 4a 05 40 91  |J.@._....@..J.@.|
000000a0  5f 01 00 91 54 09 40 91  4a 14 00 58 eb ff 87 d2  |_...T.@.J..X....|
000000b0  4a 01 0b 8b 4a 01 2b 8a  0b 14 00 58 5f 01 0b eb  |J...J.+....X_...|
000000c0  c0 00 00 54 ec 13 00 58  4d 39 c1 a8 6d 39 81 a8  |...T...XM9..m9..|
000000d0  7f 01 0c eb a1 ff ff 54  8a 13 00 58 ab 13 00 58  |.......T...X...X|
000000e0  ec 01 80 d2 6c 01 2c 8a  0d 00 80 d2 4d 35 81 a8  |....l.,.....M5..|
000000f0  5f 01 0c eb c1 ff ff 54  7f 01 0c eb 80 00 00 54  |_......T.......T|
00000100  4d 45 00 b8 5f 01 0b eb  c1 ff ff 54 0b 04 40 90  |ME.._......T..@.|
00000110  6b 01 00 91 74 01 00 f9  0d 00 80 d2 ea 12 00 58  |k...t..........X|
00000120  0b 00 88 d2 4b 01 0b 8b  4d 35 81 a8 4d 35 81 a8  |....K...M5..M5..|
00000130  4d 35 81 a8 4d 35 81 a8  5f 01 0b eb 61 ff ff 54  |M5..M5.._...a..T|
00000140  03 12 00 58 24 12 00 58  45 12 00 58 66 1c c1 a8  |...X$..XE..Xf...|
00000150  a6 1c 81 a8 7f 00 04 eb  a3 ff ff 54 c0 03 5f d6  |...........T.._.|
00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000200  53 65 63 75 72 65 52 4f  4d 20 66 6f 72 20 74 38  |SecureROM for t8|
00000210  30 31 30 73 69 2c 20 43  6f 70 79 72 69 67 68 74  |010si, Copyright|
00000220  20 32 30 30 37 2d 32 30  31 35 2c 20 41 70 70 6c  | 2007-2015, Appl|
00000230  65 20 49 6e 63 2e 00 00  00 00 00 00 00 00 00 00  |e Inc...........|
00000240  52 4f 4d 52 45 4c 45 41  53 45 00 00 00 00 00 00  |ROMRELEASE......|
00000250  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000280  69 42 6f 6f 74 2d 32 36  39 36 2e 30 2e 30 2e 31  |iBoot-2696.0.0.1|
00000290  2e 33 33 00 00 00 00 00  00 00 00 00 00 00 00 00  |.33.............|
000002a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
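
The following Python is an added example, not part of the original documentation: it rebuilds the bytes from `hexdump -C` text such as the dump above, expanding the `*` squeeze lines that stand for repeated rows, and extracts the NUL-terminated banner strings (SecureROM version, ROMRELEASE, iBoot tag) so a dump can be identified and compared without a disassembler. The sample slice and the function names are constructed for the example.

```python
import re

# Constructed sample: a slice (0x160-0x29f) of the `hexdump -C bootrom.bin` output shown above,
# closed by the offset-only line that hexdump prints at end of file.
HEXDUMP = """\
00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000200  53 65 63 75 72 65 52 4f  4d 20 66 6f 72 20 74 38  |SecureROM for t8|
00000210  30 31 30 73 69 2c 20 43  6f 70 79 72 69 67 68 74  |010si, Copyright|
00000220  20 32 30 30 37 2d 32 30  31 35 2c 20 41 70 70 6c  | 2007-2015, Appl|
00000230  65 20 49 6e 63 2e 00 00  00 00 00 00 00 00 00 00  |e Inc...........|
00000240  52 4f 4d 52 45 4c 45 41  53 45 00 00 00 00 00 00  |ROMRELEASE......|
00000250  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000280  69 42 6f 6f 74 2d 32 36  39 36 2e 30 2e 30 2e 31  |iBoot-2696.0.0.1|
00000290  2e 33 33 00 00 00 00 00  00 00 00 00 00 00 00 00  |.33.............|
000002a0
"""
DATA_RE = re.compile(r"^([0-9a-fA-F]+)\s+((?:[0-9a-fA-F]{2}\s+)+)\|")
END_RE = re.compile(r"^([0-9a-fA-F]+)\s*$")


def parse_hexdump(text):
    """Rebuild (base_offset, bytes) from `hexdump -C` text, expanding '*' squeeze lines."""
    base, data, last, squeezed = None, bytearray(), b"", False
    for line in text.splitlines():
        if line.strip() == "*":  # the previous 16-byte row repeats up to the next offset line
            squeezed = True
            continue
        m = DATA_RE.match(line) or END_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised hexdump line: {line!r}")
        off = int(m.group(1), 16)
        base = off if base is None else base
        while squeezed and last and base + len(data) < off:
            data += last
        squeezed = False
        if base + len(data) != off:
            raise ValueError(f"offset 0x{off:x} is not contiguous with the data parsed so far")
        if m.re is END_RE:  # offset-only line: total length, nothing more to read
            break
        last = bytes.fromhex(m.group(2))
        data += last
    return base, bytes(data)


def c_strings(base, data, min_len=8):
    """Return (address, text) for NUL-terminated runs of at least min_len printable ASCII bytes."""
    return [(base + m.start(), m.group(1).decode("ascii"))
            for m in re.finditer(rb"([\x20-\x7e]{%d,})\x00" % min_len, data)]
```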

Serial console

The phone debug console (Lightning D2_P and D2_N pins) is exposed via /dev/ttyUSB3. Connect to it with minicom.

Serial line configuration
  • Device: /dev/ttyUSB3

  • Baudrate: 115200

  • Hardware Flow Control: No

$ minicom -s

9b27283b9415d0f:1165
power supply type usb charger
5125787b716fa36:173
5125787b716fa36:181
182a39cb3418017:607
182a39cb3418017:609
182a39cb3418017:661
constructing idle task
d64e4ac4ef51039:2254
[...]
2b61073566fcb68:136
image <ptr>: bdev <ptr> type illb offset 0x0 len 0x6f9ed
image <ptr>: bdev <ptr> type bat1 offset 0x6f9ed len 0x222a
image <ptr>: bdev <ptr> type liqd offset 0x71c17 len 0x788d5
image <ptr>: bdev <ptr> type dtre offset 0xea4ec len 0x257b9
image <ptr>: bdev <ptr> type glyP offset 0x10fca5 len 0x2cdc
image <ptr>: bdev <ptr> type chg0 offset 0x112981 len 0x3eb6
image <ptr>: bdev <ptr> type bat0 offset 0x116837 len 0xc3d0
image <ptr>: bdev <ptr> type batF offset 0x122c07 len 0x15b2e
image <ptr>: bdev <ptr> type chg1 offset 0x138735 len 0xa178
image <ptr>: bdev <ptr> type logo offset 0x1428ad len 0x334d
image <ptr>: bdev <ptr> type recm offset 0x145bfa len 0x408a8
e51893b627f0e6e:1983
[...]

=======================================
::
:: iBoot for d10, Copyright 2007-2018, Apple Inc.
::
::      Local boot, Board 0xc (d101ap)/Rev 0xd
::
::      BUILD_TAG: iBoot-4513.260.81
::
::      BUILD_STYLE: RELEASE
::
::      USB_SERIAL_NUMBER: CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001D7946249B8D26 IBFL:3D SRNM:[F71SLDBKHG7G]
::
=======================================

d64e4ac4ef51039:2123
d64e4ac4ef51039:2082
d64e4ac4ef51039:2093
d64e4ac4ef51039:2130
16fc6bd46eff0a3:277
3974bfd3d441da3:841
Delaying boot for 0 seconds. Hit enter to break into the command prompt...

USB

The phone USB port (Lightning D1_P and D1_N pair) is connected to the Bonobo USB Hub and thus reachable from the control PC:

$ lsusb -d 05ac:
Bus 001 Device 021: ID 05ac:12a8 Apple, Inc. iPhone5/5C/5S/6

$ dmesg -w
[21620.468082] usb 1-1.1: new high-speed USB device number 24 using xhci_hcd
[21620.560979] usb 1-1.1: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice= 9.03
[21620.560981] usb 1-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[21620.560982] usb 1-1.1: Product: iPhone
[21620.560983] usb 1-1.1: Manufacturer: Apple Inc.
[21620.560984] usb 1-1.1: SerialNumber: 7901d5e0bce445b43b2de404a2786dcbf4ea6576
[21620.623245] ipheth 1-1.1:4.2: Apple iPhone USB Ethernet device attached

Or, when the phone is in DFU mode:

$ lsusb -d 05ac:
Bus 001 Device 025: ID 05ac:1227 Apple, Inc. Mobile Device (DFU Mode)

$ dmesg -w
[21646.581426] usb 1-1.1: new high-speed USB device number 25 using xhci_hcd
[21646.672360] usb 1-1.1: New USB device found, idVendor=05ac, idProduct=1227, bcdDevice= 0.00
[21646.672367] usb 1-1.1: New USB device strings: Mfr=2, Product=3, SerialNumber=4
[21646.672370] usb 1-1.1: Product: Apple Mobile Device (DFU Mode)
[21646.672374] usb 1-1.1: Manufacturer: Apple Inc.
[21646.672377] usb 1-1.1: SerialNumber: CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001D7946249B8D26 IBFL:3C SRTG:[iBoot-2696.0.0.1.33]
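
As an added example (not part of the original documentation), the following Python parses the KEY:VALUE serial string format that appears both in the iBoot banner's USB_SERIAL_NUMBER above and in the DFU-mode USB SerialNumber, and reports which fields differ between the two; the SRTG value reported in DFU mode is the same iBoot tag found at offset 0x280 of the BootROM dump above. The field regex and the set of hexadecimal fields are assumptions of the example.

```python
import re

# Constructed from the two strings shown above: the USB_SERIAL_NUMBER line of the iBoot banner
# and the USB SerialNumber the phone reports in DFU mode.
IBOOT_SERIAL = "CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001D7946249B8D26 IBFL:3D SRNM:[F71SLDBKHG7G]"
DFU_SERIAL = "CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001D7946249B8D26 IBFL:3C SRTG:[iBoot-2696.0.0.1.33]"

# KEY:VALUE pairs separated by spaces; bracketed values are free text (they may contain dots or spaces).
FIELD_RE = re.compile(r"([A-Z]+):(\[[^\]]*\]|[^\s\[]+)")
# Fields that the strings above print as hexadecimal numbers (assumption of this example).
HEX_FIELDS = {"CPID", "CPRV", "CPFM", "SCEP", "BDID", "ECID", "IBFL"}


def parse_serial(s):
    """Split a serial string into a dict: hex fields become ints, bracketed fields stay strings."""
    fields = {}
    for key, val in FIELD_RE.findall(s):
        if val.startswith("["):
            fields[key] = val[1:-1]
        elif key in HEX_FIELDS:
            fields[key] = int(val, 16)
        else:
            fields[key] = val
    return fields


def diff_serials(a, b):
    """Fields that differ between two parsed serial strings, as {key: (a_value, b_value)}."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
```

Running `diff_serials(parse_serial(IBOOT_SERIAL), parse_serial(DFU_SERIAL))` on the two strings above shows that only IBFL, SRNM and SRTG differ, while CPID, BDID and ECID identify the same chip and board in both modes.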

iPhone7 + GDB

In this video we demote the phone (iPhone7) with the checkm8 exploit, then attach to OpenOCD using GDB to step through BootROM code and access CPU registers:

iPhone7 + IDA Pro

Here we show how to dump the BootROM of a previously demoted phone (iPhone7) and load it into IDA Pro for static analysis. Then we use the IDA debugger to connect to OpenOCD and perform dynamic analysis, stepping through the BootROM instructions and accessing memory and CPU registers: