Getting JTAG on the iPhone 15


Table of contents (2 segments)

Segment 1 (00:00 - 05:00)

A week ago Apple released the iPhone 15, and with that the first iPhone with USB-C. If you have followed me for the past one and a half years you probably know that I've been doing some hardware hacking with iPhones; for example, we released an open-source serial and JTAG adapter for iPhones called the Tamarin Cable. With Apple finally switching to USB-C I was quite curious to see whether the same can be done with the iPhone 15. So I pre-ordered an iPhone 15, a couple of PCBs and a stack of electronic components, and got started.

Now, before we start, a small disclaimer: this is not a vulnerability or jailbreak. This video is just me being curious about USB-C on the iPhone 15 and having some fun with hardware hacking.

But first things first: what actually is JTAG? Originally, in the 80s, JTAG was developed to test printed circuit boards and the connectivity on them using something called boundary scan. However, nowadays when someone mentions JTAG they mainly mean the low-level debugging interface of a processor. Via JTAG you can access memory, halt the CPU, single-step and so on, even very early in the boot chain, before you have any operating system that could run a software debugger. Also, SWD, or Serial Wire Debug, is basically a different electrical interface for JTAG defined by Arm: the original JTAG needs at least four pins, while SWD only needs two.

With that covered, and having the iPhone 15 in hand, where do we start? Well, on Lightning iPhones there was a chip called Tristar that let you switch the contacts on the Lightning connector to different modes. Basically, by sending the right bytes using the SDQ protocol we looked at in the last video, we can tell the iPhone to switch the mode of some of the Lightning contacts into serial or JTAG or USB. Given the sheer amount of contacts that USB-C has to offer, I thought that Apple probably did something similar on the iPhone. But also, the iPhone is not the first USB-C device from Apple; for example, both the MacBook Pro with M1 and the iPad Pro already come with USB-C, and when starting to look for existing research on those I found that in 2019 the t8012 team investigated USB-C on MacBook Pros and found that on MacBook Pros with a T2 security chip one of the USB-C ports can be switched to different modes. Someone from the t8012 team was able to dump the firmware of the chip responsible for this, which is called ACE, and by reverse engineering the firmware they found that Apple uses a USB-C feature called VDM, vendor defined messages. VDM allows custom communication over the CC, or configuration channel, lines of the USB-C port. These lines are normally used for orientation detection and power delivery, but can also be used for custom communication. Based on this reverse engineering it was found that, using VDM commands, the mode of certain pins on the USB-C port can be switched to, for example, serial.

There's a cool tool by the Asahi Linux project, macvdmtool. With macvdmtool you can use the ACE chip in one MacBook to communicate with another MacBook; it allows you to send these vendor defined messages and, for example, get the serial boot log directly on your MacBook. I then talked to teamstar and he mentioned that this even works on his iPad Pro with USB-C, and so using these vendor defined messages sounded like a great approach to try to get JTAG on the iPhone 15.

After a bit more research I also found an awesome PCB design called Central Scrutinizer, designed by Marc Zyngier, which is based on a tool called vdmtool created by the Asahi Linux project. It's basically a Raspberry Pi Pico based implementation of macvdmtool, so you can use it to send these custom VDM messages. After looking at the open-source hardware design I decided to get a couple of unpopulated PCBs manufactured and only place the components that I knew I would need to start communicating with the iPhone. So I put on the FUSB302, which is a programmable USB-C controller, some of the level shifters, some passives such as capacitors and resistors, and the Raspberry Pi Pico on the back. When I tried it on an M1 Mac it worked: I can reboot the Mac, I can put it into DFU, and I could even see the serial communication using a logic analyzer.

With the Central Scrutinizer working on a MacBook it was time to try it on the iPhone 15. I connected it to the Central Scrutinizer and I could see some activity in the log, but it didn't work: I couldn't reboot the iPhone, and the log was missing a lot of the messages that indicated success on the MacBook. Time to start debugging. First I wanted to see if this VDM approach could work at all, and so I tried whether macvdmtool works with the iPhone 15, and it does: I can reboot the phone, and I can also get the serial console. So the general approach should work, just not yet with the Central Scrutinizer. I thought of a couple of things and I even tried logic analyzing the USB PD communication, and then I had an idea: when I plug the iPhone into my Mac it starts charging; however, it doesn't do that when I plug it into the Central Scrutinizer. Also, in the firmware of the Central Scrutinizer I saw the power delivery configuration was set to 0 milliamperes, so the Central Scrutinizer can't provide power. So I decided to check the VBUS line, the power supply line, using my oscilloscope, and when the iPhone was not connected I could see the line was pulled to 5 volts. However, when I connected the iPhone, VBUS wiggles a bit

Segment 2 (05:00 - 08:00)

and then stays at 2.5 volts, even though it should be at 5. I thought that this might be the problem, and so I started thinking about how to solve this. Luckily I had the solution in my component box: an r552 4 USB power switch, a chip that is used to enable the power supply of a USB port, just the right thing for my use case. After a quick hack with some magnet wire my mod was done: the Central Scrutinizer with a USB power switch. I also adjusted the power delivery indication in the firmware to a random value to indicate that we support providing power. And then the moment of truth: let's plug the iPhone in, and it works! We can see the same log messages that we saw with the MacBook, and when sending the reboot command using the Central Scrutinizer the iPhone reboots. Even better, on the logic analyzer connected to the SBU pins we see the boot log. Awesome, the Central Scrutinizer works on the iPhone 15.

But that's not yet JTAG. How do we get JTAG on the iPhone instead of just serial? Well, during my research I stumbled upon this page in the Asahi Linux hardware documentation. They reverse engineered the different actions they can send via VDM, and so, for example, to get the serial or UART console they send the command 0x306. However, at the bottom of the page was an interesting note: "0x206: weak 30k ohm pull to 1.2 volts, no reaction to ground, no transitions, good chance this is also SWD". So exactly what we are looking for. And so I searched for 0x306, the command for serial, in the Central Scrutinizer code base and found this line. I simply replaced 0x306 with 0x206 and thought I would give that a try. But to try whether this works I also had to build a bit of a more involved setup. According to the documentation the pins were at 1.2 volts, and so I needed a voltage reference for my debugger, so I soldered on a small pin header giving me ground and 1.2 volts from one of the level shifters.

Basically my plan was to use the Central Scrutinizer to send the 0x206 command we saw in the Asahi Linux documentation via VDM to the iPhone. My hope was that this would change the configuration of the two USB-C SBU pins to expose SWD, the two-pin JTAG interface. Then I could just hook up an SWD debugger to the pin header on the Central Scrutinizer that exposes these SBU signals and could hopefully try to connect via JTAG. This here is the final testing setup with the debugger, Central Scrutinizer and the iPhone. I also hooked up an oscilloscope to the SBU pins so that I could see what's going on on the signal lines. So let's give it a try. I try to connect with the debugger, and we can see that there's some activity on the oscilloscope, but unfortunately the debugger just errors as if nothing is connected. But wait: I hooked up the two signals needed for SWD, but what if I got the order wrong? The chances were basically 50:50 to get it right. So I switched the two jumper wires and tried again, and what's that? The log output looks very different: it says that it found a Serial Wire Debug port, and it's even able to read out the debug port identification register. It seems to be working. We just got SWD on the iPhone 15. Awesome!

However, we can also see some errors: it can't find an AP, or debug access port. This is to be expected: production iPhones can't just be debugged without an exploit; for example, to debug the iPhone X using Tamarin we need the checkm8 boot ROM exploit. So even though we got JTAG working, we can't use it to actually debug the processor. However, even on the iPhone 15 we might still be able to explore some interesting things via SWD in the future, and I for sure learned a lot and had a ton of fun getting this far. As always, I've published all my code below, and I will also publish the design files for a hardware variant of the Central Scrutinizer that works with the iPhone 15.

Now, if you've stayed this long on this video, I want to tell you about something that I've been working on together with LiveOverflow: hextree.io, our online security learning platform. On hextree.io you will be able to learn reverse engineering, hardware hacking, web security and more in well-produced micro courses. You can sign up to our waiting list using the link below. I hope you like this video and to see you on this channel again soon.
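The debugger's last step in the video, connecting and reading the debug port identification register, is ordinary Arm ADIv5 Serial Wire Debug and can be shown in code. The Python below is an added example written for this page; it is not code from the video, from stacksmashing, from the Asahi Linux project or from Central Scrutinizer, and it touches no hardware. It encodes the SWD request packets a debugger shifts out (the connect sequence ending in the 0xA5 DPIDR read), decodes the 3-bit ACK and the 32-bit read response with its parity bit, and splits a DPIDR value into its fields. The sample DPIDR value 0x2BA01477 is the one a Cortex-M4 reports and is used only as constructed input; the transcript does not give the iPhone 15's value. The "nothing connected" case is modelled as an undriven line sampled as all ones, which is why a debugger with SWDIO and SWCLK swapped reports no target rather than a FAULT.

```python
"""Bit-level SWD helpers (Arm ADIv5): request encoding, ACK and read-response
decoding, DPIDR field parsing. Pure Python, no hardware access.

Added example for this page; not code from the video or from any project it names.
"""
from __future__ import annotations
from dataclasses import dataclass

# ADIv5 connect sequence: >= 50 clocks with SWDIO high (line reset), the 16-bit
# JTAG-to-SWD select sequence 0xE79E shifted out LSB first, another line reset,
# then at least two idle (SWDIO low) cycles. The first DP access afterwards must
# be a read of DPIDR (DP register 0x0).
JTAG_TO_SWD = 0xE79E
LINE_RESET_CLOCKS = 50

ACK_OK, ACK_WAIT, ACK_FAULT = 0b001, 0b010, 0b100


def parity(value: int) -> int:
    """Even-parity bit: 1 if value has an odd number of set bits."""
    return bin(value).count("1") & 1


def lsb_first(value: int, width: int) -> list[int]:
    """Bits of value in wire order (SWD sends everything LSB first)."""
    return [(value >> i) & 1 for i in range(width)]


def swd_request(ap_ndp: int, rnw: int, addr: int) -> int:
    """Encode the 8-bit SWD request as the byte the host shifts out LSB first.

    Wire order: Start=1, APnDP, RnW, A[2], A[3], Parity, Stop=0, Park=1.
    addr is the register offset 0x0/0x4/0x8/0xC; only A[3:2] travel on the
    wire, higher bits are selected through the DP SELECT register.
    """
    if addr & ~0xC:
        raise ValueError("addr must be 0x0, 0x4, 0x8 or 0xC")
    ap_ndp, rnw = ap_ndp & 1, rnw & 1
    a2, a3 = (addr >> 2) & 1, (addr >> 3) & 1
    p = parity(ap_ndp | rnw << 1 | a2 << 2 | a3 << 3)
    bits = [1, ap_ndp, rnw, a2, a3, p, 0, 1]
    return sum(b << i for i, b in enumerate(bits))


def connect_sequence() -> list[int]:
    """SWDIO bit stream a debugger sends on 'connect', ending in the DPIDR read (0xA5)."""
    return ([1] * LINE_RESET_CLOCKS + lsb_first(JTAG_TO_SWD, 16)
            + [1] * LINE_RESET_CLOCKS + [0, 0]
            + lsb_first(swd_request(0, 1, 0x0), 8))


def encode_read_response(ack: int, data: int) -> list[int]:
    """Target side of a read: ACK[2:0] LSB first, then 32 data bits LSB first, then parity."""
    bits = lsb_first(ack, 3)
    if ack == ACK_OK:
        bits += lsb_first(data, 32) + [parity(data)]
    return bits


def ack_name(ack: int) -> str:
    return {ACK_OK: "OK", ACK_WAIT: "WAIT", ACK_FAULT: "FAULT"}.get(
        ack, "no response (line not driven by a target)")


def decode_read_response(bits: list[int]) -> tuple[int, int | None]:
    """Host side: returns (ack, data); data is None unless ACK is OK.

    A line nobody drives samples as all ones (pull-up) or all zeros, which is
    neither OK, WAIT nor FAULT: that is the 'nothing connected' case, e.g.
    when SWDIO and SWCLK are swapped.
    """
    ack = bits[0] | bits[1] << 1 | bits[2] << 2
    if ack != ACK_OK:
        return ack, None
    if len(bits) != 36:
        raise ValueError("OK response must carry 32 data bits plus parity")
    data = sum(b << i for i, b in enumerate(bits[3:35]))
    if parity(data) != bits[35]:
        raise ValueError("data parity error")
    return ack, data


@dataclass
class Dpidr:
    designer: int   # JEDEC designer code, bits[11:1]; 0x23B is Arm
    version: int    # DP architecture version, bits[15:12]
    min_dp: bool    # bit 16: minimal DP implementation
    partno: int     # bits[27:20]
    revision: int   # bits[31:28]


def decode_dpidr(v: int) -> Dpidr:
    if v & 1 != 1:
        raise ValueError("DPIDR bit 0 must read as 1")
    return Dpidr(designer=(v >> 1) & 0x7FF, version=(v >> 12) & 0xF,
                 min_dp=bool((v >> 16) & 1), partno=(v >> 20) & 0xFF,
                 revision=(v >> 28) & 0xF)


# Constructed sample: the DPIDR a Cortex-M4 reports. Test input only; the
# video does not state the value the iPhone 15 returned.
SAMPLE_DPIDR = 0x2BA01477


def simulate_connect(target_dpidr: int | None) -> tuple[str, Dpidr | None]:
    """Run the host decode against a target that answers the DPIDR read, or
    against an absent target (undriven line sampled as all ones)."""
    sampled = [1] * 36 if target_dpidr is None else encode_read_response(ACK_OK, target_dpidr)
    ack, data = decode_read_response(sampled)
    return ack_name(ack), (decode_dpidr(data) if data is not None else None)


if __name__ == "__main__":
    print(hex(swd_request(0, 1, 0x0)), simulate_connect(SAMPLE_DPIDR))
    print(simulate_connect(None))
```

The request byte 0xA5 is the one every SWD debugger sends first; seeing it on the oscilloscope with no ACK coming back is the "activity but nothing connected" picture from the video, and an OK ACK followed by a value whose bit 0 is 1 and whose designer field decodes to a JEDEC code is what "found a Serial Wire Debug port" means in the debugger log.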

Other videos by this author: stacksmashing