New GDB Connection: 1, Target iphone.cpu0, state: poweroff #20
Hello, I tested with another iPhone but I have the same trouble :( I run the tamarin program to switch to JTAG mode:

```
Good morning!
1: JTAG mode
2: DCSD mode
3: Reset device
4: Reset and enter DFU mode (iPhone X and up only)
5: Reenumerate
F: Force JTAG mode without sending command
R: Reset Tamarin cable
U: Go into firmware update mode
> F
Forcing JTAG mode.
JTAG mode active, ID pin in Hi-Z.
You can now connect with an SWD debugger.
Please note: Reset/Reset to DFU will be unavailable until
the device is rebooted or the cable is re-plugged.
DCSD mode active.
Connect to the second serial port of the
```

Try with openocd:

```
sudo openocd -f interface/tamarin.cfg -f t8015.cfg
Open On-Chip Debugger 0.10.0+dev-gc6d4abbe (2024-03-09-18:12)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.org/doc/doxygen/bugs.html
Info : only one transport option; autoselect 'swd'
Warn : Transport "swd" was already selected
adapter speed: 5000 kHz
Warn : Interface already configured, ignoring
Warn : Transport "swd" was already selected
Info : clock speed 10000 kHz
Info : SWD DPIDR 0x20040f40
Error: iphone.ecore0: missing UTT configuration, halt may not work
Error: iphone.ecore0 powered down!
Error: iphone.ecore1: missing UTT configuration, halt may not work
Error: iphone.ecore1 powered down!
Error: iphone.ecore2: missing UTT configuration, halt may not work
Error: iphone.ecore2 powered down!
Error: iphone.ecore3: missing UTT configuration, halt may not work
Error: iphone.ecore3 powered down!
Error: iphone.pcore0: missing UTT configuration, halt may not work
Error: iphone.pcore0 powered down!
Error: iphone.pcore1: missing UTT configuration, halt may not work
Error: iphone.pcore1 powered down!
Error: iphone.sep: missing UTT configuration, halt may not work
Info : Listening on port 3333 for gdb connections
Info : Listening on port 3334 for gdb connections
Info : Listening on port 3335 for gdb connections
Info : Listening on port 3336 for gdb connections
Info : Listening on port 3337 for gdb connections
Info : Listening on port 3338 for gdb connections
Info : Listening on port 3339 for gdb connections
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : accepting 'telnet' connection on tcp/4444
Error: Target not examined yet
```

After nc:

```
> targets
targets
    TargetName         Type       Endian TapName            State
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.dbg         mem_ap     little iphone.cpu         running
 1  iphone.mem         mem_ap     little iphone.cpu         running
 2  iphone.ecore0      aarch64    little iphone.cpu         poweroff
 3  iphone.ecore1      aarch64    little iphone.cpu         poweroff
 4  iphone.ecore2      aarch64    little iphone.cpu         poweroff
 5  iphone.ecore3      aarch64    little iphone.cpu         poweroff
 6  iphone.pcore0      aarch64    little iphone.cpu         poweroff
 7  iphone.pcore1      aarch64    little iphone.cpu         poweroff
 8* iphone.sep         aarch64    little iphone.cpu         unknown
```

Change from sep to ecore0:

```
> targets iphone.ecore0
targets iphone.ecore0
```

I can see, it works:

```
> targets
targets
    TargetName         Type       Endian TapName            State
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.dbg         mem_ap     little iphone.cpu         running
 1  iphone.mem         mem_ap     little iphone.cpu         running
 2* iphone.ecore0      aarch64    little iphone.cpu         poweroff
 3  iphone.ecore1      aarch64    little iphone.cpu         poweroff
 4  iphone.ecore2      aarch64    little iphone.cpu         poweroff
 5  iphone.ecore3      aarch64    little iphone.cpu         poweroff
 6  iphone.pcore0      aarch64    little iphone.cpu         poweroff
 7  iphone.pcore1      aarch64    little iphone.cpu         poweroff
 8  iphone.sep         aarch64    little iphone.cpu         unknown
```

Try to perform a dump :(

```
> dump_image iboot_partial.bin 0x18001c1e1 0x100
dump_image iboot_partial.bin 0x18001c1e1 0x100
Target not examined yet
```

Another trouble: when I want to use gdb, it crashes.

```
(gdb) target remote 127.0.0.1:3334
Remote debugging using 127.0.0.1:3334
Remote connection closed
```

On the openocd side:

```
Info : accepting 'gdb' connection on tcp/3334
Error: Target not examined yet
Error executing event gdb-attach on target iphone.ecore1:
Info : New GDB Connection: 1, Target iphone.ecore1, state: poweroff
Erreur de segmentation
```

If someone knows what I do wrong or how I can correct these issues, I'll be happy :) Thanks
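As an added diagnostic aid (not part of the issue, the Tamarin cable or OpenOCD), here is a small Python parser for the table printed by OpenOCD's `targets` command. It reports which core is currently selected (the `*` row) and whether its state means that `dump_image` and a gdb attach will fail with "Target not examined yet", as in the session above. The embedded table is copied from the comment above after `targets iphone.ecore0` was run; the column layout is assumed from it.

```python
import re
from dataclasses import dataclass

# Sample `targets` output copied from the issue (after `targets iphone.ecore0`),
# embedded here so the script runs offline as a worked example.
TARGETS_OUTPUT = """\
    TargetName         Type       Endian TapName            State
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.dbg         mem_ap     little iphone.cpu         running
 1  iphone.mem         mem_ap     little iphone.cpu         running
 2* iphone.ecore0      aarch64    little iphone.cpu         poweroff
 3  iphone.ecore1      aarch64    little iphone.cpu         poweroff
 4  iphone.ecore2      aarch64    little iphone.cpu         poweroff
 5  iphone.ecore3      aarch64    little iphone.cpu         poweroff
 6  iphone.pcore0      aarch64    little iphone.cpu         poweroff
 7  iphone.pcore1      aarch64    little iphone.cpu         poweroff
 8  iphone.sep         aarch64    little iphone.cpu         unknown
"""

# index, optional '*' (current target), name, type, endian, tap, state
ROW_RE = re.compile(r"^\s*(\d+)(\*?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


@dataclass
class Target:
    index: int
    name: str
    kind: str
    state: str
    current: bool  # the '*' row: the target that telnet/gdb commands act on


def parse_targets(text: str) -> list:
    """Parse OpenOCD's `targets` table; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            idx, star, name, kind, _endian, _tap, state = m.groups()
            rows.append(Target(int(idx), name, kind, state, star == "*"))
    return rows


def diagnose(targets: list) -> dict:
    """Say whether the current target can serve dump_image / gdb attach."""
    current = next(t for t in targets if t.current)
    off = [t.name for t in targets if t.kind == "aarch64" and t.state == "poweroff"]
    usable = current.state not in ("poweroff", "unknown")
    hint = "" if usable else (
        "current core was never examined: dump_image and gdb attach will fail "
        "with 'Target not examined yet'; select a running/halted target instead")
    return {"current": current.name, "state": current.state,
            "usable": usable, "poweroff_cores": off, "hint": hint}
```

Running `diagnose(parse_targets(TARGETS_OUTPUT))` on the session above reports `iphone.ecore0` as current, in state `poweroff`, with six powered-off application cores.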
I managed to make GDB work with openocd (
But now if I send the command
Then I can connect with GDB and see registers and stepi. Though I can't manage to perform a
PS: I'm using old Tamarin firmware
I have encountered the same problem when using an iPhone X. openocd displays the error "missing UTT configuration". Normal JTAG mode cannot be shut down, forcing JTAG to debug but not dump. Could you solve this problem or find the error?
Hello,
I tried to reproduce the DEF CON presentation https://www.youtube.com/watch?v=7p_njRMqzrY
I'm able to exploit the device with ./pwndfu -d and demote it with ./ipwndfu --demote (I lost a lot of time because I used a computer with an AMD CPU... after several hours, I tested with an Intel CPU and it worked each time...)
The Tamarin firmware has been pushed to the Pico successfully and I'm able to interact with it.
I'm able to run openocd, run nc to 4444 and gdb to 3333.
It seems I'm not able to continue because both CPUs are poweroff.
Do you know what I can do to solve this issue?
Thanks