New GDB Connection: 1, Target iphone.cpu0, state: poweroff #20

Open
tcccorp opened this issue Dec 10, 2023 · 3 comments

Comments

@tcccorp

tcccorp commented Dec 10, 2023

hello,

I tried to reproduce the defcon presentation https://www.youtube.com/watch?v=7p_njRMqzrY

I'm able to exploit the device with ./pwndfu -d and demote it with ./ipwndfu --demote (I lost a lot of time because I used a computer with an AMD CPU... after several hours, I tested with an Intel CPU and it worked each time...)

ubuntu@ubuntu:~/git/ipwndfu$ sudo python2 ./ipwndfu -p
*** checkm8 exploit by axi0mX ***
Found: CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:08 ECID:001E30C0000xxxxx  IBFL:3C SRTG:[iBoot-2696.0.0.1.33]
Device is now in pwned DFU Mode.
(1.59 seconds)
ubuntu@ubuntu:~/git/ipwndfu$ sudo python2 ./ipwndfu --demote
Demotion register: 0x287
Attempting to demote device.
Demotion register: 0x286
Success!

The Tamarin firmware has been pushed to the Pico successfully and I'm able to interact with it

1: JTAG mode
2: DCSD mode
3: Reset device
4: Reset and enter DFU mode (iPhone X and up only)
5: Reenumerate

F: Force JTAG mode without sending command
R: Reset Tamarin cable
U: Go into firmware update mode
> Tristar request received: 74 00 02 1F
JTAG mode active, ID pin in Hi-Z.
You can now connect with an SWD debugger.
Please note: Reset/Reset to DFU will be unavailable until
the device is rebooted or the cable is re-plugged.
DCSD mode active.
Connect to the second serial port of the
Tamarin Cable to access the monitor.

I'm able to run openocd, run nc to 4444 and gdb to 3333

  • openocd
ubuntu@ubuntu:~/git/openocd$ sudo openocd -f interface/tamarin.cfg -f bonobo/t8010.cfg 
Open On-Chip Debugger 0.10.0+dev-gc6d4abbe (2023-12-09-21:18)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
Info : only one transport option; autoselect 'swd'
Warn : Transport "swd" was already selected
adapter speed: 5000 kHz

Warn : Interface already configured, ignoring
Warn : Transport "swd" was already selected
Info : clock speed 10000 kHz
Info : SWD DPIDR 0x20040f40
Error: iphone.cpu0 powered down!
Error: iphone.cpu1 powered down!
Error: target->coreid 0 powered down!
Info : Listening on port 3333 for gdb connections
Info : Listening on port 3334 for gdb connections
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : accepting 'telnet' connection on tcp/4444
Error: Target not examined yet

Error: Target not examined yet

invalid command name "quit"
Info : dropped 'telnet' connection
Info : accepting 'telnet' connection on tcp/4444
Info : accepting 'gdb' connection on tcp/3333
Error: Target not examined yet
Error executing event gdb-attach on target iphone.cpu0:

Info : New GDB Connection: 1, Target iphone.cpu0, state: poweroff
Erreur de segmentation
  • nc to 4444
ubuntu@ubuntu:~$ nc 127.0.0.1 4444
Open On-Chip Debugger
> targets
targets
    TargetName         Type       Endian TapName            State       
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.dbg         mem_ap     little iphone.cpu         running
 1  iphone.mem         mem_ap     little iphone.cpu         running
 2  iphone.cpu0        aarch64    little iphone.cpu         poweroff
 3  iphone.cpu1        aarch64    little iphone.cpu         poweroff
 4* iphone.sep         cortex_a   little iphone.cpu         unknown
  • gdb to 3333
ubuntu@ubuntu:~/git/openocd$ gdb
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04.1) 9.2
.....
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) target remote 127.0.0.1:3333
Remote debugging using 127.0.0.1:3333
Remote connection closed
(gdb)

It seems I'm not able to continue because both CPUs are powered off.

Do you know what I can do to solve this issue?

Thanks

@tcccorp

tcccorp commented Mar 9, 2024

hello,

I tested with another iPhone but I have the same trouble :(

I run the Tamarin program to switch to JTAG mode

Good morning!

1: JTAG mode
2: DCSD mode
3: Reset device
4: Reset and enter DFU mode (iPhone X and up only)
5: Reenumerate

F: Force JTAG mode without sending command
R: Reset Tamarin cable
U: Go into firmware update mode
> F
Forcing JTAG mode.
JTAG mode active, ID pin in Hi-Z.
You can now connect with an SWD debugger.
Please note: Reset/Reset to DFU will be unavailable until
the device is rebooted or the cable is re-plugged.
DCSD mode active.
Connect to the second serial port of the

Try with openocd:

sudo openocd -f interface/tamarin.cfg -f t8015.cfg
Open On-Chip Debugger 0.10.0+dev-gc6d4abbe (2024-03-09-18:12)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
Info : only one transport option; autoselect 'swd'
Warn : Transport "swd" was already selected
adapter speed: 5000 kHz

Warn : Interface already configured, ignoring
Warn : Transport "swd" was already selected
Info : clock speed 10000 kHz
Info : SWD DPIDR 0x20040f40
Error: iphone.ecore0: missing UTT configuration, halt may not work
Error: iphone.ecore0 powered down!
Error: iphone.ecore1: missing UTT configuration, halt may not work
Error: iphone.ecore1 powered down!
Error: iphone.ecore2: missing UTT configuration, halt may not work
Error: iphone.ecore2 powered down!
Error: iphone.ecore3: missing UTT configuration, halt may not work
Error: iphone.ecore3 powered down!
Error: iphone.pcore0: missing UTT configuration, halt may not work
Error: iphone.pcore0 powered down!
Error: iphone.pcore1: missing UTT configuration, halt may not work
Error: iphone.pcore1 powered down!
Error: iphone.sep: missing UTT configuration, halt may not work
Info : Listening on port 3333 for gdb connections
Info : Listening on port 3334 for gdb connections
Info : Listening on port 3335 for gdb connections
Info : Listening on port 3336 for gdb connections
Info : Listening on port 3337 for gdb connections
Info : Listening on port 3338 for gdb connections
Info : Listening on port 3339 for gdb connections
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : accepting 'telnet' connection on tcp/4444
Error: Target not examined yet

After nc:

> targets
targets
    TargetName         Type       Endian TapName            State       
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.dbg         mem_ap     little iphone.cpu         running
 1  iphone.mem         mem_ap     little iphone.cpu         running
 2  iphone.ecore0      aarch64    little iphone.cpu         poweroff
 3  iphone.ecore1      aarch64    little iphone.cpu         poweroff
 4  iphone.ecore2      aarch64    little iphone.cpu         poweroff
 5  iphone.ecore3      aarch64    little iphone.cpu         poweroff
 6  iphone.pcore0      aarch64    little iphone.cpu         poweroff
 7  iphone.pcore1      aarch64    little iphone.cpu         poweroff
 8* iphone.sep         aarch64    little iphone.cpu         unknown

Change from sep to ecore0:

> targets iphone.ecore0
targets iphone.ecore0

I can see it works:

> targets
targets
    TargetName         Type       Endian TapName            State       
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.dbg         mem_ap     little iphone.cpu         running
 1  iphone.mem         mem_ap     little iphone.cpu         running
 2* iphone.ecore0      aarch64    little iphone.cpu         poweroff
 3  iphone.ecore1      aarch64    little iphone.cpu         poweroff
 4  iphone.ecore2      aarch64    little iphone.cpu         poweroff
 5  iphone.ecore3      aarch64    little iphone.cpu         poweroff
 6  iphone.pcore0      aarch64    little iphone.cpu         poweroff
 7  iphone.pcore1      aarch64    little iphone.cpu         poweroff
 8  iphone.sep         aarch64    little iphone.cpu         unknown

Try to perform a dump :(

> dump_image iboot_partial.bin 0x18001c1e1 0x100
dump_image iboot_partial.bin 0x18001c1e1 0x100
Target not examined yet

Another problem: when I want to use gdb, it crashes.

(gdb) target remote 127.0.0.1:3334
Remote debugging using 127.0.0.1:3334
Remote connection closed
Info : accepting 'gdb' connection on tcp/3334
Error: Target not examined yet
Error executing event gdb-attach on target iphone.ecore1:

Info : New GDB Connection: 1, Target iphone.ecore1, state: poweroff
Erreur de segmentation

If someone knows what I'm doing wrong or how I can correct these issues, I'll be happy :)

Thanks

@PatriceBlin

I managed to make GDB work with openocd (c6d4abbee6) and an iPhone X, but I get weird behavior

  • pwnd DFU and demote
  • put Tamarin in JTAG mode (command 1)
  • start openocd (with the bonobo config)
  • switch targets (through telnet 4444) from sep to iphone.ecore0, which is shown as running
    At this point the halt command will not work and times out, but using F "unblocks it"
> targets
    TargetName         Type       Endian TapName            State       
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.dbg         mem_ap     little iphone.cpu         running
 1  iphone.mem         mem_ap     little iphone.cpu         running
 2  iphone.ecore0      aarch64    little iphone.cpu         running
 3  iphone.ecore1      aarch64    little iphone.cpu         poweroff
 4  iphone.ecore2      aarch64    little iphone.cpu         poweroff
 5  iphone.ecore3      aarch64    little iphone.cpu         poweroff
 6  iphone.pcore0      aarch64    little iphone.cpu         poweroff
 7  iphone.pcore1      aarch64    little iphone.cpu         poweroff
 8* iphone.sep         aarch64    little iphone.cpu         unknown

> targets iphone.ecore0
> targets              
    TargetName         Type       Endian TapName            State       
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.dbg         mem_ap     little iphone.cpu         running
 1  iphone.mem         mem_ap     little iphone.cpu         running
 2* iphone.ecore0      aarch64    little iphone.cpu         running
 3  iphone.ecore1      aarch64    little iphone.cpu         poweroff
 4  iphone.ecore2      aarch64    little iphone.cpu         poweroff
 5  iphone.ecore3      aarch64    little iphone.cpu         poweroff
 6  iphone.pcore0      aarch64    little iphone.cpu         poweroff
 7  iphone.pcore1      aarch64    little iphone.cpu         poweroff
 8  iphone.sep         aarch64    little iphone.cpu         unknown

> halt
Timeout waiting for target iphone.ecore0 halt

But now if I send the command F (Force JTAG mode without sending command) to Tamarin the telnet client will receive the result of the halt command.

iphone.ecore0 cluster 0 core 0 multi core
target halted in AArch64 state due to debug-request, current mode: EL1T
cpsr: 0x800002c4 pc: 0x100000568
MMU: enabled, D-Cache: enabled, I-Cache: enabled

Then I can connect with GDB and see registers and stepi.

Though I can't manage to perform a dump_image without openocd crashing

accepting 'gdb' connection on tcp/3333
New GDB Connection: 1, Target iphone.ecore0, state: halted
Opcode 0xd53c4020, DSCR.ERR=1, DSCR.EL=1
Opcode 0xd53c5200, DSCR.ERR=1, DSCR.EL=1
Opcode 0xd53c4000, DSCR.ERR=1, DSCR.EL=1
Opcode 0xd53e4020, DSCR.ERR=1, DSCR.EL=1
Opcode 0xd53e5200, DSCR.ERR=1, DSCR.EL=1
Opcode 0xd53e4000, DSCR.ERR=1, DSCR.EL=1
> dump_image iboot_partial.bin 0x180007fa0 0x100
Connection closed by foreign host.
openocd: src/jtag/drivers/tamarin.c:187: tamarin_swd_read_reg: Assertion `tamarin_handle->queue_length < TAMARIN_QUEUE_SIZE-1' failed.
Aborted

PS: I'm using old Tamarin firmware 51f7be33fa and old pico-sdk 4fe995d0ec
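
The `targets` tables in this post and in the two posts above show the same pattern: dump_image and the gdb attach fail (or take openocd down) whenever the selected core is poweroff or unknown, i.e. not yet examined, and dump only has a chance once the core reports halted. As an added example that is not part of this issue or of the Tamarin/openocd projects, a small Python checker that parses a pasted `targets` table and refuses dump_image unless the selected core is halted; the embedded table is a constructed copy of the second post's output:

```python
import re

# Constructed copy of the `targets` table from the second post (ecore0 selected,
# still powered off) so the checker runs offline without an openocd session.
SAMPLE_TARGETS = """\
    TargetName         Type       Endian TapName            State
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.dbg         mem_ap     little iphone.cpu         running
 1  iphone.mem         mem_ap     little iphone.cpu         running
 2* iphone.ecore0      aarch64    little iphone.cpu         poweroff
 3  iphone.ecore1      aarch64    little iphone.cpu         poweroff
 8  iphone.sep         aarch64    little iphone.cpu         unknown
"""

# One data row: index, optional '*' (current target), then five whitespace-free columns.
ROW = re.compile(r"^\s*(\d+)(\*?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_targets(text):
    """Parse OpenOCD's `targets` table into dicts; header, separator, echoed
    commands and the '> ' prompt do not match ROW and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        idx, star, name, ttype, endian, tap, state = m.groups()
        rows.append({"idx": int(idx), "current": star == "*", "name": name,
                     "type": ttype, "endian": endian, "tap": tap, "state": state})
    return rows


def dump_precheck(text):
    """Return (ok, message): may dump_image be attempted on the selected target?

    In this issue dump_image answers 'Target not examined yet' and a gdb attach
    crashes openocd when the selected core is poweroff/unknown, so refuse early."""
    rows = parse_targets(text)
    current = next((r for r in rows if r["current"]), None)
    if current is None:
        return False, "no current target; run `targets <name>` first"
    if current["state"] == "halted":
        return True, f"{current['name']} is halted; dump_image may proceed"
    if current["state"] == "running":
        return False, f"{current['name']} is running; `halt` it first"
    # poweroff / unknown: openocd never examined this core, so memory access will fail.
    live = [r["name"] for r in rows
            if r["type"] == "aarch64" and r["state"] not in ("poweroff", "unknown")]
    hint = f"; examined cores: {', '.join(live)}" if live else "; no core is examined"
    return False, f"{current['name']} is '{current['state']}' (not examined yet){hint}"
```

Paste the output of `targets` from the telnet session on port 4444 into `dump_precheck` before issuing dump_image; a (False, ...) result means the dump would hit the same "Target not examined yet" path shown in this thread.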

@buaa1205

buaa1205 commented Dec 4, 2024

I have encountered the same problem when using an iPhone X. openocd displays the error "missing UTT configuration". Normal JTAG mode cannot be shut down; forcing JTAG allows debugging but not dumping. Could you solve this problem or find the error?
