Examples
Dump ROM table
$ telnet 127.0.0.1 4444
Open On-Chip Debugger
> dap info 1
AP ID register 0x34770002
Type is MEM-AP APB
MEM-AP BASE 0x80000000
ROM table in legacy format
Component base address 0x80000000
Peripheral ID 0x00000c8489
Designer is 0x0c8, Apple Computer
Part is 0x489, Unrecognized
Component class is 0x1, ROM table
MEMTYPE system memory not present: dedicated debug bus
ROMTABLE[0x0] = 0x40000002
Component not present
[...]
List targets & CPU states
$ telnet 127.0.0.1 4444
Open On-Chip Debugger
> targets
    TargetName         Type       Endian TapName            State
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.mem         mem_ap     little iphone.cpu         running
 1  iphone.cpu0        aarch64    little iphone.cpu         running
 2  iphone.cpu1        aarch64    little iphone.cpu         poweroff
 3* iphone.sep         cortex_a   little iphone.cpu         unknown
Selecting another target:
> targets iphone.cpu0
Halt & Resume
First select the target CPU you want to halt or resume:
> targets iphone.cpu0
> halt
target halted in AArch64 state due to debug-request, current mode: EL1T
cpsr: 0x800002c4 pc: 0x100000508
MMU: enabled, D-Cache: enabled, I-Cache: enabled
> targets
    TargetName         Type       Endian TapName            State
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.mem         mem_ap     little iphone.cpu         running
 1* iphone.cpu0        aarch64    little iphone.cpu         halted
 2  iphone.cpu1        aarch64    little iphone.cpu         poweroff
 3  iphone.sep         cortex_a   little iphone.cpu         halted
> resume
> targets
    TargetName         Type       Endian TapName            State
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.mem         mem_ap     little iphone.cpu         running
 1* iphone.cpu0        aarch64    little iphone.cpu         running
 2  iphone.cpu1        aarch64    little iphone.cpu         poweroff
 3  iphone.sep         cortex_a   little iphone.cpu         halted
Alternatively, attach GDB and use Ctrl-C and the “continue” command.
Memory access
For most targets, the MEM-AP target iphone.mem uses 64-bit addresses and 64-bit words. Reading or writing memory through the MEM-AP target goes over a direct bus-master connection to the AXI bus, so it works while the CPUs are running.
Read memory as bytes:
$ telnet 127.0.0.1 4444
Open On-Chip Debugger
> iphone.mem mdb 0x100000000 16
0x100000000: 00 00 00 90 00 00 00 91 81 18 00 58 f3 1e 00 94
Read memory as 64-bit words:
> iphone.mem mdd 0x100000000 2
0x100000000: 9100000090000000 94001ef358001881
For other commands:
> help iphone.mem
[...]
iphone.mem mdb address [count]
Display target memory as 8-bit bytes
iphone.mem mdd address [count]
Display target memory as 64-bit words
iphone.mem mdh address [count]
Display target memory as 16-bit half-words
iphone.mem mdw address [count]
Display target memory as 32-bit words
[...]
iphone.mem mwb address data [count]
Write byte(s) to target memory
iphone.mem mwd address data [count]
Write 64-bit word(s) to target memory
iphone.mem mwh address data [count]
Write 16-bit half-word(s) to target memory
iphone.mem mww address data [count]
Write 32-bit word(s) to target memory
Memory can also be accessed through a CPU target, but this requires that CPU to be halted:
> iphone.cpu0 mdb 0x100000000 16
0x100000000: 00 00 00 90 00 00 00 91 81 18 00 58 f3 1e 00 94
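The mdb and mdd outputs above show the same 16 bytes in two forms. As an added example (not part of the original page or of OpenOCD), this Python helper parses md{b,h,w,d} output into raw bytes and confirms that both views describe the same memory; the sample lines are the ones shown above.

```python
import re

# Constructed from the two OpenOCD responses shown above for the same 16 bytes.
MDB_OUTPUT = "0x100000000: 00 00 00 90 00 00 00 91 81 18 00 58 f3 1e 00 94"
MDD_OUTPUT = "0x100000000: 9100000090000000 94001ef358001881"

_LINE_RE = re.compile(r"^0x([0-9a-fA-F]+):\s+(.*)$")
WIDTHS = {"mdb": 1, "mdh": 2, "mdw": 4, "mdd": 8}  # element size in bytes


def parse_memory_display(text, command):
    """Turn the output of an OpenOCD md{b,h,w,d} command into (base_address, bytes).

    OpenOCD prints every element as an integer in the target's byte order, so on
    this little-endian AArch64 target the hex digits of an mdd word are the mdb
    bytes in reverse. Converting each element back with to_bytes(..., "little")
    recovers the raw memory image that mdb or hexdump shows. Multi-line output
    is concatenated and must be contiguous.
    """
    width = WIDTHS[command]
    base, out = None, bytearray()
    for raw in text.strip().splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unexpected line: {raw!r}")
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + len(out):
            raise ValueError(f"non-contiguous output at {addr:#x}")
        for tok in m.group(2).split():
            if len(tok) != 2 * width:
                raise ValueError(f"{tok!r} is not a {8 * width}-bit value")
            out += int(tok, 16).to_bytes(width, "little")
    return base, bytes(out)


def words(data, width=8):
    """Interpret raw memory as little-endian integers (what mdd or mdw would print)."""
    return [int.from_bytes(data[i:i + width], "little") for i in range(0, len(data), width)]


if __name__ == "__main__":
    base, from_bytes = parse_memory_display(MDB_OUTPUT, "mdb")
    _, from_words = parse_memory_display(MDD_OUTPUT, "mdd")
    assert from_bytes == from_words  # both commands describe the same memory
    print(f"{base:#x}: {from_bytes.hex(' ')}")
    print([f"{w:#018x}" for w in words(from_bytes)])
```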
Dump BootROM
$ telnet 127.0.0.1 4444
Open On-Chip Debugger
> targets iphone.mem
> dump_image bootrom.bin 0x100000000 0x20000
dumped 131072 bytes in 1.443821s (88.654 KiB/s)
Note
In case of a bulk error, refer to the “Bulk read/write failed” section.
The file is created in the OpenOCD working directory:
$ hexdump -C bootrom.bin | head -n 34
00000000 00 00 00 90 00 00 00 91 81 18 00 58 f3 1e 00 94 |...........X....|
00000010 3f 00 00 eb 40 01 00 54 fe 03 01 aa 22 18 00 58 |?...@..T...."..X|
00000020 c3 17 00 58 42 00 03 cb 03 10 c1 a8 23 10 81 a8 |...XB.......#...|
00000030 42 40 00 f1 a1 ff ff 54 c0 03 5f d6 df 4f 03 d5 |B@.....T.._..O..|
00000040 1e 00 00 90 de 53 14 91 6a 00 00 90 4a 01 00 91 |.....S..j...J...|
00000050 0a c0 18 d5 2a 18 00 58 4b 18 00 58 6b 01 0a 8b |....*..XK..Xk...|
00000060 0c 00 80 d2 4c 31 81 a8 5f 01 0b eb c1 ff ff 54 |....L1.._......T|
00000070 ca 17 00 58 eb 17 00 58 6b 01 0a 8b 0c 00 80 d2 |...X...Xk.......|
00000080 4c 31 81 a8 5f 01 0b eb c1 ff ff 54 6a 16 00 58 |L1.._......Tj..X|
00000090 4a 05 40 91 5f 01 00 91 bf 40 00 d5 4a 05 40 91 |J.@._....@..J.@.|
000000a0 5f 01 00 91 54 09 40 91 4a 14 00 58 eb ff 87 d2 |_...T.@.J..X....|
000000b0 4a 01 0b 8b 4a 01 2b 8a 0b 14 00 58 5f 01 0b eb |J...J.+....X_...|
000000c0 c0 00 00 54 ec 13 00 58 4d 39 c1 a8 6d 39 81 a8 |...T...XM9..m9..|
000000d0 7f 01 0c eb a1 ff ff 54 8a 13 00 58 ab 13 00 58 |.......T...X...X|
000000e0 ec 01 80 d2 6c 01 2c 8a 0d 00 80 d2 4d 35 81 a8 |....l.,.....M5..|
000000f0 5f 01 0c eb c1 ff ff 54 7f 01 0c eb 80 00 00 54 |_......T.......T|
00000100 4d 45 00 b8 5f 01 0b eb c1 ff ff 54 0b 04 40 90 |ME.._......T..@.|
00000110 6b 01 00 91 74 01 00 f9 0d 00 80 d2 ea 12 00 58 |k...t..........X|
00000120 0b 00 88 d2 4b 01 0b 8b 4d 35 81 a8 4d 35 81 a8 |....K...M5..M5..|
00000130 4d 35 81 a8 4d 35 81 a8 5f 01 0b eb 61 ff ff 54 |M5..M5.._...a..T|
00000140 03 12 00 58 24 12 00 58 45 12 00 58 66 1c c1 a8 |...X$..XE..Xf...|
00000150 a6 1c 81 a8 7f 00 04 eb a3 ff ff 54 c0 03 5f d6 |...........T.._.|
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000200 53 65 63 75 72 65 52 4f 4d 20 66 6f 72 20 74 38 |SecureROM for t8|
00000210 30 31 30 73 69 2c 20 43 6f 70 79 72 69 67 68 74 |010si, Copyright|
00000220 20 32 30 30 37 2d 32 30 31 35 2c 20 41 70 70 6c | 2007-2015, Appl|
00000230 65 20 49 6e 63 2e 00 00 00 00 00 00 00 00 00 00 |e Inc...........|
00000240 52 4f 4d 52 45 4c 45 41 53 45 00 00 00 00 00 00 |ROMRELEASE......|
00000250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000280 69 42 6f 6f 74 2d 32 36 39 36 2e 30 2e 30 2e 31 |iBoot-2696.0.0.1|
00000290 2e 33 33 00 00 00 00 00 00 00 00 00 00 00 00 00 |.33.............|
000002a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
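A quick sanity check after a dump catches a truncated or zero-filled image (the bulk-error case noted above) before it is loaded into a disassembler. This is an added example, not code from the original page: it reads the banner strings at the offsets seen in the hexdump above (assumed fixed for this t8010 ROM; other SoCs may differ), checks that the reset vector begins with an AArch64 ADRP instruction as the first word 0x90000000 does, and uses a constructed stand-in image instead of a real bootrom.bin.

```python
import random

# Offsets of the banner strings seen in the t8010 SecureROM hexdump above.
# Assumption: fixed for this device; other SoCs may place them elsewhere.
BANNER_OFF, RELEASE_OFF, TAG_OFF, FIELD_LEN = 0x200, 0x240, 0x280, 0x40
ROM_SIZE = 0x20000  # the 128 KiB dumped with dump_image above


def _cstr(buf, off, maxlen):
    """Return the NUL-terminated ASCII string stored at buf[off:off + maxlen]."""
    chunk = buf[off:off + maxlen]
    end = chunk.find(b"\x00")
    return (chunk if end < 0 else chunk[:end]).decode("ascii", errors="replace")


def inspect_bootrom(image, expected_size=ROM_SIZE):
    """Describe a SecureROM dump and list the reasons it looks wrong, if any."""
    problems = []
    if len(image) != expected_size:
        problems.append(f"size {len(image):#x}, expected {expected_size:#x}")
    if image and image.count(0) / len(image) > 0.9:
        problems.append("image is mostly zero bytes: suspect a failed bulk read")
    # The reset vector starts with an AArch64 ADRP: bit 31 set, bits 28..24 == 10000.
    first = int.from_bytes(image[:4], "little") if len(image) >= 4 else 0
    if (first & 0x9F000000) != 0x90000000:
        problems.append(f"first instruction {first:#010x} is not an ADRP")
    info = {
        "banner": _cstr(image, BANNER_OFF, FIELD_LEN),
        "release": _cstr(image, RELEASE_OFF, FIELD_LEN),
        "build_tag": _cstr(image, TAG_OFF, FIELD_LEN),
    }
    if not info["banner"].startswith("SecureROM for "):
        problems.append(f"no SecureROM banner at {BANNER_OFF:#x}")
    if not info["build_tag"].startswith("iBoot-"):
        problems.append(f"no iBoot build tag at {TAG_OFF:#x}")
    info["problems"] = problems
    return info


def build_sample_image(seed=7):
    """Constructed stand-in for bootrom.bin: random filler plus the fields from the hexdump."""
    img = bytearray(random.Random(seed).randbytes(ROM_SIZE))
    img[0:16] = bytes.fromhex("000000900000009181180058f31e0094")
    for off, text in ((BANNER_OFF, b"SecureROM for t8010si, Copyright 2007-2015, Apple Inc."),
                      (RELEASE_OFF, b"ROMRELEASE"), (TAG_OFF, b"iBoot-2696.0.0.1.33")):
        img[off:off + FIELD_LEN] = text.ljust(FIELD_LEN, b"\x00")
    return bytes(img)


if __name__ == "__main__":
    # For a real dump: inspect_bootrom(open("bootrom.bin", "rb").read())
    print(inspect_bootrom(build_sample_image()))
```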
Serial console
The phone debug console (Lightning D2_P and D2_N pins) is exposed via /dev/ttyUSB3. Connect to it with minicom.
- Serial line configuration
Device: /dev/ttyUSB3
Baudrate: 115200
Hardware Flow Control: No
$ minicom -s
9b27283b9415d0f:1165
power supply type usb charger
5125787b716fa36:173
5125787b716fa36:181
182a39cb3418017:607
182a39cb3418017:609
182a39cb3418017:661
constructing idle task
d64e4ac4ef51039:2254
[...]
2b61073566fcb68:136
image <ptr>: bdev <ptr> type illb offset 0x0 len 0x6f9ed
image <ptr>: bdev <ptr> type bat1 offset 0x6f9ed len 0x222a
image <ptr>: bdev <ptr> type liqd offset 0x71c17 len 0x788d5
image <ptr>: bdev <ptr> type dtre offset 0xea4ec len 0x257b9
image <ptr>: bdev <ptr> type glyP offset 0x10fca5 len 0x2cdc
image <ptr>: bdev <ptr> type chg0 offset 0x112981 len 0x3eb6
image <ptr>: bdev <ptr> type bat0 offset 0x116837 len 0xc3d0
image <ptr>: bdev <ptr> type batF offset 0x122c07 len 0x15b2e
image <ptr>: bdev <ptr> type chg1 offset 0x138735 len 0xa178
image <ptr>: bdev <ptr> type logo offset 0x1428ad len 0x334d
image <ptr>: bdev <ptr> type recm offset 0x145bfa len 0x408a8
e51893b627f0e6e:1983
[...]
=======================================
::
:: iBoot for d10, Copyright 2007-2018, Apple Inc.
::
:: Local boot, Board 0xc (d101ap)/Rev 0xd
::
:: BUILD_TAG: iBoot-4513.260.81
::
:: BUILD_STYLE: RELEASE
::
:: USB_SERIAL_NUMBER: CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001D7946249B8D26 IBFL:3D SRNM:[F71SLDBKHG7G]
::
=======================================
d64e4ac4ef51039:2123
d64e4ac4ef51039:2082
d64e4ac4ef51039:2093
d64e4ac4ef51039:2130
16fc6bd46eff0a3:277
3974bfd3d441da3:841
Delaying boot for 0 seconds. Hit enter to break into the command prompt...
USB
The phone USB port (Lightning D1_P and D1_N pair) is connected to the Bonobo USB Hub and is therefore reachable from the control PC:
$ lsusb -d 05ac:
Bus 001 Device 021: ID 05ac:12a8 Apple, Inc. iPhone5/5C/5S/6
$ dmesg -w
[21620.468082] usb 1-1.1: new high-speed USB device number 24 using xhci_hcd
[21620.560979] usb 1-1.1: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice= 9.03
[21620.560981] usb 1-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[21620.560982] usb 1-1.1: Product: iPhone
[21620.560983] usb 1-1.1: Manufacturer: Apple Inc.
[21620.560984] usb 1-1.1: SerialNumber: 7901d5e0bce445b43b2de404a2786dcbf4ea6576
[21620.623245] ipheth 1-1.1:4.2: Apple iPhone USB Ethernet device attached
Or when the phone is in DFU:
$ lsusb -d 05ac:
Bus 001 Device 025: ID 05ac:1227 Apple, Inc. Mobile Device (DFU Mode)
$ dmesg -w
[21646.581426] usb 1-1.1: new high-speed USB device number 25 using xhci_hcd
[21646.672360] usb 1-1.1: New USB device found, idVendor=05ac, idProduct=1227, bcdDevice= 0.00
[21646.672367] usb 1-1.1: New USB device strings: Mfr=2, Product=3, SerialNumber=4
[21646.672370] usb 1-1.1: Product: Apple Mobile Device (DFU Mode)
[21646.672374] usb 1-1.1: Manufacturer: Apple Inc.
[21646.672377] usb 1-1.1: SerialNumber: CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001D7946249B8D26 IBFL:3C SRTG:[iBoot-2696.0.0.1.33]
iPhone7 + GDB
In this video we demote the phone (iPhone7) with the checkm8 exploit, then attach GDB to OpenOCD to step through BootROM code and access CPU registers:
iPhone7 + IDA Pro
Here we show how to dump the BootROM of a previously demoted phone (iPhone7) and load it into IDA Pro for static analysis. We then use the IDA debugger to connect to OpenOCD and perform dynamic analysis, stepping through the BootROM instructions and accessing memory and CPU registers: