stacksmashing / tamarin-firmware

GNU General Public License v3.0

New GDB Connection: 1, Target iphone.cpu0, state: poweroff #20

Open tcccorp opened 7 months ago

tcccorp commented 7 months ago

hello,

I tried to reproduce the defcon presentation https://www.youtube.com/watch?v=7p_njRMqzrY

I'm able to exploit the device with ./ipwndfu -p and demote it with ./ipwndfu --demote (I lost a lot of time because I used a computer with an AMD CPU... after several hours, I tested with an Intel CPU and it worked each time...)

ubuntu@ubuntu:~/git/ipwndfu$ sudo python2 ./ipwndfu -p
*** checkm8 exploit by axi0mX ***
Found: CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:08 ECID:001E30C0000xxxxx  IBFL:3C SRTG:[iBoot-2696.0.0.1.33]
Device is now in pwned DFU Mode.
(1.59 seconds)
ubuntu@ubuntu:~/git/ipwndfu$ sudo python2 ./ipwndfu --demote
Demotion register: 0x287
Attempting to demote device.
Demotion register: 0x286
Success!

The Tamarin firmware has been pushed to the Pico successfully and I'm able to interact with it

1: JTAG mode
2: DCSD mode
3: Reset device
4: Reset and enter DFU mode (iPhone X and up only)
5: Reenumerate

F: Force JTAG mode without sending command
R: Reset Tamarin cable
U: Go into firmware update mode
> Tristar request received: 74 00 02 1F
JTAG mode active, ID pin in Hi-Z.
You can now connect with an SWD debugger.
Please note: Reset/Reset to DFU will be unavailable l
the device is rebooted or the cable is re-plugged.
DCSD mode active.
Connect to the second serial port of the
Tamarin Cable to access the monitor.

I'm able to run openocd, run nc to 4444 and gdb to 3333

Warn : Interface already configured, ignoring
Warn : Transport "swd" was already selected
Info : clock speed 10000 kHz
Info : SWD DPIDR 0x20040f40
Error: iphone.cpu0 powered down!
Error: iphone.cpu1 powered down!
Error: target->coreid 0 powered down!
Info : Listening on port 3333 for gdb connections
Info : Listening on port 3334 for gdb connections
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : accepting 'telnet' connection on tcp/4444
Error: Target not examined yet

Error: Target not examined yet

invalid command name "quit"
Info : dropped 'telnet' connection
Info : accepting 'telnet' connection on tcp/4444
Info : accepting 'gdb' connection on tcp/3333
Error: Target not examined yet
Error executing event gdb-attach on target iphone.cpu0:

Info : New GDB Connection: 1, Target iphone.cpu0, state: poweroff Erreur de segmentation


- nc to 4444

```bash
ubuntu@ubuntu:~$ nc 127.0.0.1 4444
Open On-Chip Debugger
> targets
targets
    TargetName         Type       Endian TapName            State       
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.dbg         mem_ap     little iphone.cpu         running
 1  iphone.mem         mem_ap     little iphone.cpu         running
 2  iphone.cpu0        aarch64    little iphone.cpu         poweroff
 3  iphone.cpu1        aarch64    little iphone.cpu         poweroff
 4* iphone.sep         cortex_a   little iphone.cpu         unknown
```

It seems I'm not able to continue because both CPUs are poweroff.

Do you know what I can do to solve this issue?

Thanks

tcccorp commented 4 months ago

hello,

I tested with another iPhone but I have the same trouble :(

I run the Tamarin program to switch to JTAG mode

Good morning!

1: JTAG mode
2: DCSD mode
3: Reset device
4: Reset and enter DFU mode (iPhone X and up only)
5: Reenumerate

F: Force JTAG mode without sending command
R: Reset Tamarin cable
U: Go into firmware update mode
> F
Forcing JTAG mode.
JTAG mode active, ID pin in Hi-Z.
You can now connect with an SWD debugger.
Please note: Reset/Reset to DFU will be unavailable until
the device is rebooted or the cable is re-plugged.
DCSD mode active.
Connect to the second serial port of the

Try with openocd

sudo openocd -f interface/tamarin.cfg -f t8015.cfg
Open On-Chip Debugger 0.10.0+dev-gc6d4abbe (2024-03-09-18:12)
Licensed under GNU GPL v2
For bug reports, read
    http://openocd.org/doc/doxygen/bugs.html
Info : only one transport option; autoselect 'swd'
Warn : Transport "swd" was already selected
adapter speed: 5000 kHz

Warn : Interface already configured, ignoring
Warn : Transport "swd" was already selected
Info : clock speed 10000 kHz
Info : SWD DPIDR 0x20040f40
Error: iphone.ecore0: missing UTT configuration, halt may not work
Error: iphone.ecore0 powered down!
Error: iphone.ecore1: missing UTT configuration, halt may not work
Error: iphone.ecore1 powered down!
Error: iphone.ecore2: missing UTT configuration, halt may not work
Error: iphone.ecore2 powered down!
Error: iphone.ecore3: missing UTT configuration, halt may not work
Error: iphone.ecore3 powered down!
Error: iphone.pcore0: missing UTT configuration, halt may not work
Error: iphone.pcore0 powered down!
Error: iphone.pcore1: missing UTT configuration, halt may not work
Error: iphone.pcore1 powered down!
Error: iphone.sep: missing UTT configuration, halt may not work
Info : Listening on port 3333 for gdb connections
Info : Listening on port 3334 for gdb connections
Info : Listening on port 3335 for gdb connections
Info : Listening on port 3336 for gdb connections
Info : Listening on port 3337 for gdb connections
Info : Listening on port 3338 for gdb connections
Info : Listening on port 3339 for gdb connections
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : accepting 'telnet' connection on tcp/4444
Error: Target not examined yet

After nc

> targets
targets
    TargetName         Type       Endian TapName            State       
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.dbg         mem_ap     little iphone.cpu         running
 1  iphone.mem         mem_ap     little iphone.cpu         running
 2  iphone.ecore0      aarch64    little iphone.cpu         poweroff
 3  iphone.ecore1      aarch64    little iphone.cpu         poweroff
 4  iphone.ecore2      aarch64    little iphone.cpu         poweroff
 5  iphone.ecore3      aarch64    little iphone.cpu         poweroff
 6  iphone.pcore0      aarch64    little iphone.cpu         poweroff
 7  iphone.pcore1      aarch64    little iphone.cpu         poweroff
 8* iphone.sep         aarch64    little iphone.cpu         unknown

Change from sep to ecore0

> targets iphone.ecore0
targets iphone.ecore0

I can see it works

> targets
targets
    TargetName         Type       Endian TapName            State       
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.dbg         mem_ap     little iphone.cpu         running
 1  iphone.mem         mem_ap     little iphone.cpu         running
 2* iphone.ecore0      aarch64    little iphone.cpu         poweroff
 3  iphone.ecore1      aarch64    little iphone.cpu         poweroff
 4  iphone.ecore2      aarch64    little iphone.cpu         poweroff
 5  iphone.ecore3      aarch64    little iphone.cpu         poweroff
 6  iphone.pcore0      aarch64    little iphone.cpu         poweroff
 7  iphone.pcore1      aarch64    little iphone.cpu         poweroff
 8  iphone.sep         aarch64    little iphone.cpu         unknown

Try to perform a dump :(

> dump_image iboot_partial.bin 0x18001c1e1 0x100
dump_image iboot_partial.bin 0x18001c1e1 0x100
Target not examined yet

Another trouble: when I want to use gdb, it crashes.

(gdb) target remote 127.0.0.1:3334
Remote debugging using 127.0.0.1:3334
Remote connection closed
Info : accepting 'gdb' connection on tcp/3334
Error: Target not examined yet
Error executing event gdb-attach on target iphone.ecore1:

Info : New GDB Connection: 1, Target iphone.ecore1, state: poweroff
Erreur de segmentation

If someone knows what I'm doing wrong or how I can correct these issues, I'll be happy :)

Thanks

PatriceBlin commented 1 month ago

I managed to make GDB work with openocd (c6d4abbee6) and an iPhone X, but I have a weird behavior.

> targets
    TargetName         Type       Endian TapName            State       
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.dbg         mem_ap     little iphone.cpu         running
 1  iphone.mem         mem_ap     little iphone.cpu         running
 2  iphone.ecore0      aarch64    little iphone.cpu         running
 3  iphone.ecore1      aarch64    little iphone.cpu         poweroff
 4  iphone.ecore2      aarch64    little iphone.cpu         poweroff
 5  iphone.ecore3      aarch64    little iphone.cpu         poweroff
 6  iphone.pcore0      aarch64    little iphone.cpu         poweroff
 7  iphone.pcore1      aarch64    little iphone.cpu         poweroff
 8* iphone.sep         aarch64    little iphone.cpu         unknown

> targets iphone.ecore0
> targets
    TargetName         Type       Endian TapName            State       
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.dbg         mem_ap     little iphone.cpu         running
 1  iphone.mem         mem_ap     little iphone.cpu         running
 2* iphone.ecore0      aarch64    little iphone.cpu         running
 3  iphone.ecore1      aarch64    little iphone.cpu         poweroff
 4  iphone.ecore2      aarch64    little iphone.cpu         poweroff
 5  iphone.ecore3      aarch64    little iphone.cpu         poweroff
 6  iphone.pcore0      aarch64    little iphone.cpu         poweroff
 7  iphone.pcore1      aarch64    little iphone.cpu         poweroff
 8  iphone.sep         aarch64    little iphone.cpu         unknown

> halt
Timeout waiting for target iphone.ecore0 halt

But now if I send the command F (Force JTAG mode without sending command) to Tamarin the telnet client will receive the result of the halt command.

iphone.ecore0 cluster 0 core 0 multi core
target halted in AArch64 state due to debug-request, current mode: EL1T
cpsr: 0x800002c4 pc: 0x100000568
MMU: enabled, D-Cache: enabled, I-Cache: enabled

Then I can connect with GDB and see registers and stepi.

Though I can't manage to perform a dump_image without openocd crashing.

accepting 'gdb' connection on tcp/3333
New GDB Connection: 1, Target iphone.ecore0, state: halted
Opcode 0xd53c4020, DSCR.ERR=1, DSCR.EL=1
Opcode 0xd53c5200, DSCR.ERR=1, DSCR.EL=1
Opcode 0xd53c4000, DSCR.ERR=1, DSCR.EL=1
Opcode 0xd53e4020, DSCR.ERR=1, DSCR.EL=1
Opcode 0xd53e5200, DSCR.ERR=1, DSCR.EL=1
Opcode 0xd53e4000, DSCR.ERR=1, DSCR.EL=1
> dump_image iboot_partial.bin 0x180007fa0 0x100
Connection closed by foreign host.
openocd: src/jtag/drivers/tamarin.c:187: tamarin_swd_read_reg: Assertion `tamarin_handle->queue_length < TAMARIN_QUEUE_SIZE-1' failed.
Aborted

PS: I'm using old Tamarin firmware 51f7be33fa and old pico-sdk 4fe995d0ec
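Both reports above hit "Target not examined yet" because the selected OpenOCD target (the `*` row) was in `poweroff` or `unknown` state. The following is an added example, not code from this issue or from the tamarin-firmware project: it parses the `targets` table as printed on the telnet console and reports whether the current target is usable before a `dump_image`, suggesting a `targets <name>` switch to a core that is actually up. The sample table is constructed from the values quoted in the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: rows copied from the `targets` output quoted in the
# thread (iPhone X / t8015 config); only a subset of rows is kept.
SAMPLE_TARGETS = """\
    TargetName         Type       Endian TapName            State
--  ------------------ ---------- ------ ------------------ ------------
 0  iphone.dbg         mem_ap     little iphone.cpu         running
 1  iphone.mem         mem_ap     little iphone.cpu         running
 2  iphone.ecore0      aarch64    little iphone.cpu         running
 3  iphone.ecore1      aarch64    little iphone.cpu         poweroff
 8* iphone.sep         aarch64    little iphone.cpu         unknown
"""

# index, optional '*' (current target), name, type, endian, tap name, state
ROW = re.compile(r"^\s*(\d+)(\*?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_targets(text: str) -> List[Dict[str, object]]:
    """Parse one `targets` table into a list of dicts, one per row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header and separator lines do not start with an index
        idx, star, name, ttype, endian, tap, state = m.groups()
        rows.append({"index": int(idx), "current": star == "*", "name": name,
                     "type": ttype, "endian": endian, "tap": tap, "state": state})
    return rows

def current_target(rows: List[Dict[str, object]]) -> Optional[Dict[str, object]]:
    """Return the row OpenOCD marks with '*', or None if no target is selected."""
    return next((r for r in rows if r["current"]), None)

def usable_cores(rows: List[Dict[str, object]], want_type: str = "aarch64") -> List[str]:
    """CPU cores a debugger can talk to: examined and not powered off."""
    return [r["name"] for r in rows
            if r["type"] == want_type and r["state"] in ("running", "halted")]

def pre_dump_check(text: str) -> Tuple[bool, str, Optional[str]]:
    """(ok, reason, suggested telnet command) to run before dump_image."""
    rows = parse_targets(text)
    cur = current_target(rows)
    if cur is None:
        return False, "no current target selected", None
    if cur["state"] in ("running", "halted"):
        return True, f"{cur['name']} is {cur['state']}", None
    cands = usable_cores(rows)
    if not cands:
        return False, f"{cur['name']} is {cur['state']} and no core is up", None
    return False, f"{cur['name']} is {cur['state']}", f"targets {cands[0]}"
```

Feed it the text returned by the `targets` command over the telnet (4444) or TCL (6666) port; a `False` result with a suggested command means the dump would fail with "Target not examined yet" as in the thread.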