The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "DCSD Cable"
(Reformat page layout) |
(Add more information to the article) |
||
Line 85: | Line 85: | ||
* This PCB is quite easy to replicate, but without the proper Accessory ID you will need to mimic the protocol similar to how key2fr did in his [http://ramtin-amin.fr/#tristar research]. |
* This PCB is quite easy to replicate, but without the proper Accessory ID you will need to mimic the protocol similar to how key2fr did in his [http://ramtin-amin.fr/#tristar research]. |
||
* In theory, you can use the Tristar for JTAG through a similar board, but JTAG gets disabled by the device during boot due to production fusing status. |
* In theory, you can use the Tristar for JTAG through a similar board, but JTAG gets disabled by the device during boot due to production fusing status. |
||
+ | |||
+ | == Uses == |
||
+ | |||
+ | === Verbose Boot === |
||
+ | One use of the cable was to view verbose boot. You could access this by setting [[Debug-uarts_(iBoot_variable)]] in [[iRecovery]] or nvram, however, since iOS 9, this output has been obfuscated. |
||
+ | |||
+ | === SSH over serial === |
||
+ | Using [http://twitter.com/qwertyoruiopz qwertyoruiopz's] serialsh, it is possible to SSH over serial. This is useful, because it does not require any SSH daemon other than those shipped with iOS. An example use case for this would be protecting against bootloops. |
||
+ | |||
+ | === Debugging the kernel === |
||
+ | Using the DCSD cable, it is possible to attach GDB to the iOS kernel, and pause it's running. |
Revision as of 15:01, 5 March 2017
The DCSD Alex cable is used in factories to communicate over serial to run tests and write to the SysCfg (for serial definitions, etc) during production. These cables are produced by Shenzhen Alex Connector Co. Ltd. in China; this may be why they can be found on obscure markets for sale, if not just taken from a trash can from factories.
Contents
PCB
Top of the board
Label | Chip | Datasheet | Notes |
---|---|---|---|
D1 | Low Power Consumption Voltage Regulator with ON/OFF Switch | http://www.s-manuals.com/pdf/datasheet/x/c/xc6215_series_torex.pdf | |
D5 | |||
D6 | Tied to TX and an input voltage of 3.3V on the UART J5 pads, this may be a protection in case the host shorts? | ||
U1 | Micrel 2026A Dual-Channel Power Distribution Switch | http://www.xilinx.com/products/boards/ml510/datasheets/mic2076-2bm.pdf | |
U2 | |||
U3 | FTDI FT232RQ UART IC | http://www.ftdichip.com/Support/Documents/DataSheets/ICs/DS_FT232R.pdf | Handles stoplight LED controls |
U4 | Micrel MIC5219 | http://datasheet.datasheetarchive.com/originals/library/Datasheets-EDS7/DSAEDA000124178.pdf | 500mA Peak Output LDO Regulator |
U5 | FTDI FT232RQ UART IC | http://www.ftdichip.com/Support/Documents/DataSheets/ICs/DS_FT232R.pdf | Handles serial mux interface from iPhone |
U6 | SMSC USB2514 4-port USB hub | http://www.mouser.com/catalog/specsheets/2514.pdf |
|
U7 | Microchip 24AA04/24LC04B | http://ww1.microchip.com/downloads/en/DeviceDoc/21708G.pdf | I2C Serial EEPROM (TSSOP Package) |
X1 | MKC 24 MHz Oscillator | N/A | I'm not 100% sure about the value of the chip, but this should be correct |
Back of the board
Label | Notes |
---|---|
J9 | I believe these are used to flash the U7 EEPROM with USB IDs for use by the SMSC USB Hub, I have yet to dump the contents of the EEPROM to find out for sure. |
J10 | |
J11 | |
J12 |
Other notes
- The Lightning Connector has a specific Accessory ID flashed to it for enabling serial via the Tristar chip.
- This PCB is quite easy to replicate, but without the proper Accessory ID you will need to mimic the protocol similar to how key2fr did in his research.
- In theory, you can use the Tristar for JTAG through a similar board, but JTAG gets disabled by the device during boot due to production fusing status.
Uses
Verbose Boot
One use of the cable was to view verbose boot. You could access this by setting Debug-uarts_(iBoot_variable) in iRecovery or nvram, however, since iOS 9, this output has been obfuscated.
SSH over serial
Using qwertyoruiopz's serialsh, it is possible to SSH over serial. This is useful, because it does not require any SSH daemon other than those shipped with iOS. An example use case for this would be protecting against bootloops.
Debugging the kernel
Using the DCSD cable, it is possible to attach GDB to the iOS kernel, and pause it's running.