February 14, 2015 at 21:06Got access to iPhone diagnostic console
The Lightning connector presented by Apple along with the 5 iPhone output has replaced the usual 30-pin connector. The emergence of a new connector marked the end of an era of free connection to devices. In the old connector, sound, video, data, power were transmitted through individual pins and there was no problem using non-original cables. A new chip has appeared in the new connector responsible for the originality of the accessory's origin, as well as its type (USB-HOST, USB-DEVICE, SERIAL, POWER-ONLY).
For a long time, the protocol remained a mystery. Recently, he was able to crack the French explorer Ramtin Amin (Ramtin Amin). He managed to access the serial console through the Lightning connector. Probably this will become a new direction in the search and exploitation of vulnerabilities.
Ramtin began with reverse engineering with the study of patents, the search for suppliers and other devices using such equipment. He found Lightning to Serial converter built on the STM32 chip. According to the results of the study of the controller firmware, information from the logical analyzer, he was able to recover part of the protocol, most of the connection scheme.
During the first exploration of the iPhone 5's internal device right after it went on sale, many identified the chip, better known as Tristar (more precisely CBTL1608A1), as a DisplayPort multiplexer. It turned out that this is a multiplexer, but not for DisplayPort, but for connecting accessories with a Lightning connector to UART, debug UART, baseband, SoC, JTAG.
Work with the microcircuit turned out to be quite complicated, because it is a 2.5x2.5 mm BGA chip and has 36 solder points in 0.35 mm increments. Ramtin managed to unsolder and transfer the chip to the breadboard. Having connected using the STM32F4Discovery board, he managed to look into the principles of the device.
So far this does not give full control over the device. But perhaps future exploits will begin with this:
Link with a detailed description of the process http://ramtin-amin.fr/#tristar
I will be glad to hear your error messages or other suggestions in the LAN .
For a long time, the protocol remained a mystery. Recently, he was able to crack the French explorer Ramtin Amin (Ramtin Amin). He managed to access the serial console through the Lightning connector. Probably this will become a new direction in the search and exploitation of vulnerabilities.
Ramtin began with reverse engineering with the study of patents, the search for suppliers and other devices using such equipment. He found Lightning to Serial converter built on the STM32 chip. According to the results of the study of the controller firmware, information from the logical analyzer, he was able to recover part of the protocol, most of the connection scheme.
During the first exploration of the iPhone 5's internal device right after it went on sale, many identified the chip, better known as Tristar (more precisely CBTL1608A1), as a DisplayPort multiplexer. It turned out that this is a multiplexer, but not for DisplayPort, but for connecting accessories with a Lightning connector to UART, debug UART, baseband, SoC, JTAG.
Work with the microcircuit turned out to be quite complicated, because it is a 2.5x2.5 mm BGA chip and has 36 solder points in 0.35 mm increments. Ramtin managed to unsolder and transfer the chip to the breadboard. Having connected using the STM32F4Discovery board, he managed to look into the principles of the device.
So far this does not give full control over the device. But perhaps future exploits will begin with this:
Link with a detailed description of the process http://ramtin-amin.fr/#tristar
I will be glad to hear your error messages or other suggestions in the LAN .