Kanzi Cable Iphone

The blob can be retrieved over IDBUS using the Serial Number Reader cable (or a Kanzi; the two are essentially the same device, apart from a different USB PID and a slightly different enclosure). In simple terms, by sending this blob to ttrs.apple.com you can obtain the device's serial number.

Step 1: Apple iOS serial/USB cable for kernel debugging. Solder pieces of wire to pin 12, pin 13 and pin 18 of the PodBreakout v1.5 board. You may wish to assemble the PodBreakout plastic housing after soldering (despite what is shown here) to make soldering to the PCB easier.

Ask just about anyone who uses an Apple product and they will tell you that it is basically impenetrable. Whether it is an iPhone or a MacBook Pro laptop, most consumers rightly believe that their Apple device has a very low probability of getting ‘infected’ by a harmful virus or malware. It is this particular claim that has triggered cut-throat competition for Apple – to the extent that some lines, both legal and ethical, are starting to get blurred.

Digital Crowbar

According to Lorenzo Franceschi-Bicchierai, technology journalist, hacking into Apple’s iPhone is like trying to break into a black box. Franceschi-Bicchierai, who spent months investigating the secret iPhone phenomenon for Vice.com, says that these dev-fused iPhones are extremely valuable for iOS hackers. There are entire companies dedicated to cracking iPhones for a substantial fee. In addition to hackers, law enforcement officials and security professionals from around the globe request iPhone-cracking services on a daily basis. Essentially, everyone who does security research on iPhones has them.

What’s the Deal?

These “special iPhones”, known as dev-fused iPhones, ship with fewer core security features enabled, and the remaining ones can be switched off by the user. Franceschi-Bicchierai says that for a researcher it is easier to find security vulnerabilities on a dev-fused iPhone than on an ‘off-the-shelf’ model. These devices still require specialized knowledge, and using them is still a complicated task. However, Franceschi-Bicchierai remarks that it can be done because it is like ‘breaking into a house where the lock is already broken’.

Reminder: These iPhones were never meant to leave Apple’s production facilities in the first place.

“Insidious Companies”

The sale of these phones on the grey market is an open secret in the infosec community. Sometimes all it takes is a direct message on Twitter to one of the many anonymous dealers. Industry insiders do not like to talk about it. Getting ‘root’ access to an iPhone allows researchers to locate vulnerabilities or bugs that can be used by law enforcement agencies and governments. Companies like the Australia-based Azimuth provide exclusive hacking tools, and their customers often include the UK, US and Canadian governments. Another company mentioned in Franceschi-Bicchierai’s investigation, Cellebrite, is a forensics provider that also sells devices that unlock iPhones. In the story, multiple sources indicated that Cellebrite uses dev-fused iPhones to develop its proprietary devices.

Simple Math

Dev-fused iPhones can cost anywhere from $5,000 to $20,000. The final price depends on the phone’s model as well as the particular features or security aspects it contains. It is not enough to get your hands on the dev-fused version of the iPhone. To truly have a ‘behind-the-scenes’ experience, you will need Apple’s special USB cable known as “Kanzi”. After buying the cable, which costs about $2,000 on the grey market, you will need a Mac computer to gain root access to the smartphone.

Mum’s the Word

In the off-line world, many aspects of these special iPhones remain shrouded in mystery, from the total quantity to their point of origin. Apple maintains complete secrecy on the matter. It is also unclear whether owning a dev-fused iPhone is legal. Dev-fused iPhones are smuggled out through Shenzhen’s electronics markets, though few are sure how they get from the factory to the market in the first place.

Apple’s core marketing strategy revolves around (and has always been about) designing and selling secure, hack-proof and bug-free premium technology products. The presence of these special iPhones and the related debug cables undermines Apple’s entire ‘our phones are more secure than Android’ assertion.

I was planning to keep this knowledge private, but damn it. This is a thread about Apple SWD cables, some things they can do and how to use them
For now I have only got a KongSWD, so everything below applies to this type of cable first of all
If you’re reading this thread, you’ve most likely seen many photos with these weird Apple internal cables posted here, on Twitter, — Gorilla, Kong, Kanzi, Chimp, Flamingo, etc.
https://twitter.com/laobaiTD/status/1026546353319493632
But have you ever wondered what they are for, what they can do and why they are so expensive? The answer is simple: they provide JTAG, a powerful debug interface
What can you achieve with JTAG on iOS device? Three major capabilities are:
1) Arbitrary memory access (well, there are some weird limitations though) — you can halt the CPU and dump arbitrary portions of virtual memory or load an arbitrary file from your computer back to the device
2) Arbitrary CPU register access - you can halt CPU and view current register state and change value in any of them
3) Halt CPU at arbitrary point of execution, so you can use first 2 capabilities
With these capabilities you can do pretty much whatever you want with a device: execute arbitrary code at any point, dump anything you want (for example, SecureROM), play with MMIO...
...or grab firmware keys, as I did a few weeks ago just by dumping iBoot, pointing the “ticket” command’s address to the load address, sending the patched iBoot back and then executing my custom payload, Lina, which allows using aes_crypto_cmd()
Obviously Apple wouldn’t make their production devices vulnerable to some stolen cables. That’s because JTAGging is only possible on devices with CPFM lower or equal to 0x01
CPFM stands for ChiP Fusing Mode, as far as I know. It’s fused deep inside of a SoC and cannot be changed. It consists of two boolean values - security mode (bit 0) and production mode (bit 1)
If bit 0 is set, SoC has Secure security mode, otherwise Insecure
If bit 1 is set, SoC has Production production mode, otherwise Development
So, to be able to JTAG into device, it has to be Development fused (CPFM 0x01 or 0x00). In other cases, this is what you’ll get:
Cayman (Apple A10) production devices will connect, but no CPUs will be available to choose (about that later)
Skye (Apple A11) will connect and have SEP and ANS2 (some co-processor, I believe) available, but they’re always powered off
Perhaps that's because the version of Astris I have incorrectly detects chip revision of both Cayman and Skye targets I've got (iPad 2018 and iPhone X)
Such CPFM can only be on prototype devices, at least DVT or older. PVT always has CPFM 0x03 (Production + Secure)
To interact with SWD cables you need a piece of software called Astris. It’s shipped as part of RestoreTools and HomeDiagnostics; I’ve never heard of it being shipped as a standalone package

You still can install it separately using Pacifist, but in that case you’ll have to launch LaunchDaemons and kernel extensions shipped with it manually
When you launch Astris with a probe connected to your Mac and a device connected to the probe, you’ll see something like this:
First thing you need to do is to choose CPU. For that:
cpu CPU0
Then you need to stop its execution:
halt
Usually it prints register dump:
Now you can change any register you like including PC
reg pc 0x41414141
Or load patched copy of iBoot back to device, so you can run classic payloads:
load path_to_file address
Some corrections about Astris installation: the Astris package inside RestoreTools/HomeDiagnostics doesn't contain many useful support scripts. So besides Astris itself, you should also install this part of HomeDiagnostics
The scripts seem to be (partially) incompatible with older/newer Astris versions, so install only matching versions from the same HomeDiagnostics package
For example, when I installed Whitetail scripts along with Electric Astris, I had issues with GDB debugging
Yes, those 8000...800N ports Astris prints when it detects a target are actually the ports you can use to connect to with GDB/LLDB

It never worked properly for me for some reason, but those additional scripts add a few new debug features to Astris itself. For example, breakpoints and watchpoints (well, I'd never noticed these commands before I installed the scripts)
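The thread's CPFM rule (bit 0 = security mode, bit 1 = production mode, JTAG only on Development-fused parts, i.e. CPFM 0x00 or 0x01) can be checked without a debug cable: a device in DFU or Recovery mode exposes CPFM alongside CPID, BDID and ECID in its USB serial string. The following is an added example, not code from the thread or from Astris. The serial strings it parses are constructed here (the ECID values are made up); the field names follow the format Apple devices report in DFU mode.

```python
"""Decode CPFM (chip fusing mode) from an Apple DFU/Recovery-mode USB serial
string and decide whether the SoC is Development-fused (JTAG-able).

Added example. The sample serial strings below are constructed; the ECIDs
are made up. The CPFM bit meanings follow the thread above.
"""
import re

CPFM_SECURE = 0x01      # bit 0: Secure (set) vs Insecure (clear)
CPFM_PRODUCTION = 0x02  # bit 1: Production (set) vs Development (clear)

# Constructed samples: the same hypothetical A10 board, fused three ways.
PRODUCTION_SAMPLE = ("CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:08 "
                     "ECID:000000DEADBEEF01 IBFL:3C SRTG:[iBoot-2696.0.0.1.33]")
DEV_SECURE_SAMPLE = PRODUCTION_SAMPLE.replace("CPFM:03", "CPFM:01")
DEV_INSECURE_SAMPLE = PRODUCTION_SAMPLE.replace("CPFM:03", "CPFM:00")

# KEY:value pairs; SRTG and PWND carry a bracketed value that may not
# contain spaces inside the brackets, so match brackets first.
_FIELD_RE = re.compile(r"(?P<key>[A-Z0-9]+):(?P<val>\[[^\]]*\]|\S+)")


def decode_cpfm(cpfm: int) -> dict:
    """Expand a two-bit CPFM value into the thread's terminology."""
    if not 0 <= cpfm <= 0x03:
        raise ValueError(f"CPFM {cpfm:#x} is outside the two-bit field")
    secure = bool(cpfm & CPFM_SECURE)
    production = bool(cpfm & CPFM_PRODUCTION)
    return {
        "value": cpfm,
        "security_mode": "Secure" if secure else "Insecure",
        "production_mode": "Production" if production else "Development",
        # Per the thread: JTAG works only when the production bit is clear
        # (CPFM 0x00 or 0x01); PVT units are always 0x03.
        "jtag_possible": not production,
    }


def parse_dfu_serial(serial: str) -> dict:
    """Split a DFU-mode serial string into its KEY:value fields."""
    fields = {m.group("key"): m.group("val") for m in _FIELD_RE.finditer(serial)}
    if "CPFM" not in fields:
        raise ValueError("no CPFM field in serial string")
    return fields


def fusing_report(serial: str) -> dict:
    """Parse the serial string and return the decoded CPFM plus CPID."""
    fields = parse_dfu_serial(serial)
    report = decode_cpfm(int(fields["CPFM"], 16))
    report["cpid"] = int(fields["CPID"], 16) if "CPID" in fields else None
    report["ecid"] = fields.get("ECID")
    return report


if __name__ == "__main__":
    for name, sample in (("production", PRODUCTION_SAMPLE),
                         ("dev-fused, secure", DEV_SECURE_SAMPLE),
                         ("dev-fused, insecure", DEV_INSECURE_SAMPLE)):
        r = fusing_report(sample)
        print(f"{name:20s} CPFM={r['value']:#04x} {r['production_mode']}/"
              f"{r['security_mode']} jtag_possible={r['jtag_possible']}")
```

Reading CPFM this way tells you up front whether a board bought on the grey market is actually Development-fused before spending money on a cable: a CPFM of 0x03 will connect in Astris but, as the thread notes for Cayman and Skye, give you nothing usable.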