I was planning to keep this knowledge private, but damn it. This is a thread about Apple SWD cables, some things they can do and how to use them
For now I only have a KongSWD, so everything below applies first of all to this type of cable
If you’re reading this thread, you’ve most likely seen many photos of these weird Apple internal cables posted here on Twitter — Gorilla, Kong, Kanzi, Chimp, Flamingo, etc.
https://twitter.com/laobaiTD/status/1026546353319493632
But have you ever wondered what they are for, what they can do and why they are so expensive? The answer is simple — they provide JTAG, a powerful debug interface
What can you achieve with JTAG on iOS device? Three major capabilities are:
1) Arbitrary memory access (well, there are some weird limitations though) — you can halt the CPU and dump arbitrary portions of virtual memory, or load an arbitrary file from your computer back to the device
2) Arbitrary CPU register access — you can halt the CPU, view the current register state and change the value of any register
3) Halting the CPU at an arbitrary point of execution, so you can use the first two capabilities
With these capabilities you can do pretty much whatever you want with a device: execute arbitrary code at any point, dump anything you want (for example, SecureROM), play with MMIO...
...or grab firmware keys, as I did a few weeks ago just by dumping iBoot, pointing the “ticket” command’s address to the load address, sending the patched iBoot back and then executing my custom payload, Lina, which allows you to utilize aes_crypto_cmd()
Obviously Apple wouldn’t make their production devices vulnerable to some stolen cables. That’s because JTAGging is only possible on devices with a CPFM value lower than or equal to 0x01
CPFM stands for ChiP Fusing Mode, as far as I know. It’s fused deep inside the SoC and cannot be changed. It consists of two boolean values: security mode (bit 0) and production mode (bit 1)
If bit 0 is set, the SoC’s security mode is Secure, otherwise Insecure
If bit 1 is set, the SoC’s production mode is Production, otherwise Development
So, to be able to JTAG into a device, it has to be Development-fused (CPFM 0x01 or 0x00). In other cases, this is what you’ll get:
Cayman (Apple A10) production devices will connect, but no CPUs will be available to choose from (more about that later)
Skye (Apple A11) will connect and have SEP and ANS2 (some co-processor, I believe) available, but they’re always powered off
Perhaps that’s because the version of Astris I have incorrectly detects the chip revision of both Cayman and Skye targets I’ve got (iPad 2018 and iPhone X)
Such a CPFM can only be found on prototype devices, at least DVT or older. PVT always has CPFM 0x03 (Production + Secure)
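As an added example (not code from the thread, and not an Apple tool), here is a small Python decoder for the two CPFM bits described above. It expands the rule to all four possible fusings and reports whether JTAG is expected to be available according to the thread’s rule (CPFM ≤ 0x01, i.e. the production bit is clear). The function and field names (decode_cpfm, jtag_expected, etc.) are this example’s own, not anything from Astris.

```python
"""Decode an Apple CPFM (ChiP Fusing Mode) value.

Added example for the thread above; it assumes only what the thread states:
  bit 0 = security mode   (1 = Secure,     0 = Insecure)
  bit 1 = production mode (1 = Production, 0 = Development)
  JTAG/SWD debugging is only possible when CPFM <= 0x01.
Function and key names are this example's own (hypothetical), not Astris API.
"""

CPFM_SECURITY_BIT = 0b01    # bit 0: security mode
CPFM_PRODUCTION_BIT = 0b10  # bit 1: production mode


def decode_cpfm(cpfm) -> dict:
    """Decode a CPFM value given as an int or a hex/decimal string ("0x03")."""
    if isinstance(cpfm, str):
        cpfm = int(cpfm, 0)  # base 0 accepts "0x03", "3", "0b11"
    if not 0 <= cpfm <= 0x03:
        raise ValueError(f"CPFM is a 2-bit field, got {cpfm:#x}")

    secure = bool(cpfm & CPFM_SECURITY_BIT)
    production = bool(cpfm & CPFM_PRODUCTION_BIT)
    return {
        "value": cpfm,
        "security_mode": "Secure" if secure else "Insecure",
        "production_mode": "Production" if production else "Development",
        # Thread's rule: JTAG only on CPFM 0x00/0x01, i.e. Development fusing.
        # PVT units are stated to be 0x03 (Production + Secure), so they fail.
        "jtag_expected": not production,
    }


def cpfm_table() -> list:
    """All four possible fusings, lowest value first."""
    return [decode_cpfm(v) for v in range(4)]


def describe(cpfm) -> str:
    """One-line human-readable summary, handy when triaging a board."""
    d = decode_cpfm(cpfm)
    state = "possible" if d["jtag_expected"] else "blocked"
    return (f"CPFM {d['value']:#04x}: {d['security_mode']} / "
            f"{d['production_mode']} -> JTAG {state}")


if __name__ == "__main__":
    for row in cpfm_table():
        print(describe(row["value"]))
```

Running the block prints the four fusings; only 0x00 and 0x01 come out as “JTAG possible”, matching the thread’s statement that PVT units (0x03) cannot be debugged this way.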
To interact with SWD cables you need a piece of software called Astris. It’s shipped as part of RestoreTools and HomeDiagnostics; I’ve never heard of it being shipped as a standalone package
You can still install it separately using Pacifist, but in that case you’ll have to launch the LaunchDaemons and kernel extensions shipped with it manually
When you launch Astris with a probe connected to your Mac and a device connected to the probe, you’ll see something like this:
The first thing you need to do is choose a CPU. For that:
cpu CPU0
Then you need to stop its execution:
halt
Usually it prints a register dump:
Now you can change any register you like, including PC:
reg pc 0x41414141
Or load a patched copy of iBoot back to the device, so you can run classic payloads:
load path_to_file address
Some corrections about Astris installation: the Astris package inside RestoreTools/HomeDiagnostics doesn’t contain many useful support scripts. So besides Astris itself, you should also install this part of HomeDiagnostics
The scripts seem to be (partially) incompatible with older/newer Astris versions, so install only matching versions from the same HomeDiagnostics package
For example, when I installed Whitetail scripts along with Electric Astris, I had issues with GDB debugging
Yes, those 8000...800N ports Astris prints when it detects a target are actually the ports you can connect to with GDB/LLDB
It never worked properly for me for some reason, but those additional scripts add a few new debug features to Astris itself. For example, breakpoints and watchpoints (well, I never noticed these commands before I installed the scripts)