Share this page!

john Profile picture
Twitter logo
17 Aug 19, 17 tweets, 3 min read
Here is my little thread about Power NVRAM — another persistent key-value storage, located right on PMU chip. Only talking about iBoot context
Modifying certain key there allows to enable debug UART on any boot loader (including DFU ones) very early and without touching normal NVRAM

Both keys and values are unsigned 8-bit integers

Now let’s talk about known keys and values for them:
0x0 — iBootState

Speaks for itself

Values:
0x1 — iBootDebug

The most interesting key for us. That’s the one that can enable debug UARTs and several other things

Values:
kPowerNVRAMiBootDebugIAPSerial (1 << 0)

Enables primary debug UART (defined by DEBUG_SERIAL_PORT which is in its order defined by every iBoot target’s config header)

That’s what we need to set to get UART everywhere
kPowerNVRAMiBootDebugAltSerial (1 << 1)

Enables secondary debug UART (defined by DEBUG_SERIAL_PORT2)

No target in the leaked iBoot source code defines DEBUG_SERIAL_PORT2
kPowerNVRAMiBootDebugJtag (1 << 2)

No, it doesn’t enable SWD-debugging unfortunately, but enables SHMCON (High-level shared memory console interface)

Not sure what that is exactly, must be another debug interface
The rest of the iBootDebug values don’t seem to do anything interesting
0x2 — iBootStage

Speaks for itself

Values:
0x3 — iBootErrorCount

Remember that iBoot prints count of boot failures/panics in the end of its log? That’s where these counts are stored — lower 4 bits for boot failures and upper 4 bits for panics. That’s why they can’t be higher than 15
0x4 — iBootErrorStage

Speaks for itself. Failed iBootStage
0x5 — iBootMemCalCAOffset0
0x6 — iBootMemCalCAOffset1
0x7 — iBootMemCalCAOffset2
0x8 — iBootMemCalCAOffset3

Something related to AMC — Apple Memory Controller
0x9 — iBootBootFlags0
0xA — iBootBootFlags1

Related to PMU
0xB— iBootEnterDFU

Another interesting key. If set to 0xA0, then on next boot LLB will enter DFU. Works since iOS 8
The easiest way to access Power NVRAM is DEBUG iBoot (or old enough RELEASE one with patched permission checks):
In case your device is too new to run iPhoneOS 3.0- iBoot and you haven’t got a DEBUG-one, soon I’ll post an instruction how to access it without these

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with john

john Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @nyan_satan

john Profile picture
29 May
Here is my little thread about yet another bug I found in A6 bootrom (and probably any other that boots from H2FMI PPN NAND)

As always, absolutely useless on its own Image
Look at this picture. The bootrom has just read LLB from a bootpage and is now ready to create a Memz structure out of it. Address - 0x10000000, size - 0x24C00, flags - IMAGE_OPTION_LOCAL_STORAGE Image
Since the size was 0x24C00, we expect to see nothing on range of 0x10024C00 - 0x10060000 (the end of load area), right? Wrong! Image
Read 19 tweets
john Profile picture
5 Jul 20
As promised, here’s my little thread about my experience of repairing 1st-gen KongSWD (all-white)
Although that’s most likely not your case if you got such a cable, but I did manage to break firmware on mine completely. So let’s start with restoring it
Both generations of Kong make use of NXP LPC1768 MCU (Cortex-M3) (along with Xilinx Spartan 6 FPGA, by the way), that can be reflashed over SWD Image
Read 18 tweets
john Profile picture
5 Feb 20
Here is my little thread about bugs I’ve found in Image3 parsers of various SecureROMs (well, A4 and A6)

None of them are exploitable, but all of them can cause a crash and/or denial-of-service

Why am I posting this? Just for lulz and from hopelessness

Image
1) memsetting the whole address space

That’s only for A4 (and maybe lower)

Back in February 2019, someone told me about “SHSH tag length underflow”, that allows “arbitrary memset”. The person failed to tell me which ROM it’s for
But for A4 ROM I found something similar. Look at this line of code:

github.com/NyanSatan/Imag… Image
Read 23 tweets
john Profile picture
8 Oct 19
@chronic 1/ there’s no such bootloader as BSS, there’s iBSS (iBoot Single Stage) instead

2/ LLB cannot enter recovery mode, it enters DFU-like mode

3/ boot-command upgrade makes it boot new iBEC, not iBSS

4/ SecureROM versions do NOT match iBoot version at the time of device release
@chronic 5/ there’s console on production iBoot too, although very limited

6/ there’re more iBoot flags than he shows

7/ demotion to 01 is enough to get JTAG (I’d even say SWD). Demotion of Security status isn’t even possible according to @s1guza

@chronic @s1guza 8/8 limera1n isn’t the only bootrom exploit of the past times. There also were Pwnage 1/2, steaks4uce, 24kpwn, SHAtter and alloc8

That was just brief view, by the way
Read 4 tweets
john Profile picture
27 Jul 19
Here is my little thread about Lightning video adapters – also known as Haywire – which are actually computers that feature Apple Secure Boot and run Darwin kernel
There’re 2 kinds of Haywire:

1. Lightning Digital AV Adapter (b137ap/iAccy1,1) – Lightning to HDMI adapter, supports both video and audio
2. Lightning to VGA Adapter (b165ap/iAccy1,2) – doesn’t support audio output for obvious reason
Read 20 tweets
john Profile picture
31 Jan 19
I was planning to keep this knowledge private, but damn it. This is a thread about Apple SWD cables, some things they can do and how to use them
For now I only have got KongSWD, so everything below applies to this type of cable first of all
f you’re reading this thread, you’ve most likely seen many photos with these weird Apple internal cables posted here, on Twitter, — Gorilla, Kong, Kanzi, Chimp, Flamingo, etc.

Read 29 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @nyan_satan has new unrolls!

Check out other threads from @nyan_satan!

Read all threads by @nyan_satan

:(