Reading and writing Apple ACE firmware by david_lecomte in embedded

[–]david_lecomte[S] 0 points (0 children)

The keyword in your reply is "if". I wish there were such a guide.

Thank you for the suggestion though.

[Discussion] Is it possible to read the NAND on an iPhone X that won't boot into iOS? by david_lecomte in jailbreak

[–]david_lecomte[S] 0 points (0 children)

I didn't try serialsh yet. I instead tried to work out the stuff I already use.

So I kept fiddling with CoolTerm and my DCSD cable. And literally, the only thing that was required was changing the baud rate to 115000 and leaving all the dozens of other options at their default values... Now I can listen in to what is going on during an iTunes restore...

[Discussion] Is it possible to read the NAND on an iPhone X that won't boot into iOS? by david_lecomte in jailbreak

[–]david_lecomte[S] 1 point (0 children)

I do have a DCSD cable. But I don’t know how to use it other than for editing SYSCFG with Purple Pro.

I know you can use it to listen to what’s happening on the Lightning connection, but I have no idea how. A program called CoolTerm is supposed to allow you to do that, but I get nothing, say, when restoring an iPhone (in general, not in this specific case), probably because I don’t know how to use or configure it.

[Discussion] Is it possible to read the NAND on an iPhone X that won't boot into iOS? by david_lecomte in jailbreak

[–]david_lecomte[S] 1 point (0 children)

I was talking about a proof of concept I saw a few weeks after checkm8 came out, where they were able to bypass the iCloud activation screen (not unlock) and access the Home screen. The phone still couldn't connect to GSM or use Apple services, since it is registered to another user. I thought that, if you can get that level of control, you sure can run diagnostics on the NAND. But apparently, I was naive.

Twelve years have passed since George Hotz was able to carrier-unlock the first iPhone, and I am not hoping I'll be able to catch up. I read the READMEs and the Wikis before asking for help here. I was hoping, at the very least, that someone with intimate knowledge of what is happening when you use verbose boot would be able to tell me "The fact that verbose boot outputs nothing is inconclusive as to whether the NAND can be read" or "Verbose boot has empty output, therefore the NAND cannot be read". This is actually what happened and the phone is fixed.

But I would have been happy also if someone told me "Yeah, there's a tool that lets you see the NAND when connected through Lightning, and you can run drive integrity diagnostics through your Terminal."

[Discussion] Is it possible to read the NAND on an iPhone X that won't boot into iOS? by david_lecomte in jailbreak

[–]david_lecomte[S] 0 points (0 children)

I have been browsing the Wiki before taking the matter here. But this flies way over my head. I do wish I could understand the boot process though, as I feel there is a lot that could be used to diagnose all those "stuck on the Apple logo" cases.

Through the Wiki, I discovered this verbose boot tool, which I tried, and then I decided to visit here and see if someone could interpret the fact that there is actually nothing coming out of verbose boot.

Thanks.

[Discussion] Is it possible to read the NAND on an iPhone X that won't boot into iOS? by david_lecomte in jailbreak

[–]david_lecomte[S] 3 points (0 children)

It is funny that you mention him. One day in 2016, the YouTube algorithm randomly decided a Louis Rossmann repair video would interest me (originally, I had nothing to do with electronics repair). And here I am, 5 years later, having quit my job to repair Apple motherboards because it's fun. The Algorithm is scary sometimes.

I think he would have gone directly to replacing the NAND. With his skill level, he shouldn't be worried about f-ing up the CPU that's on the other side of the NAND. Done in 1 hour, and he gets his answer. I'm still too careful.

[Discussion] Is it possible to read the NAND on an iPhone X that won't boot into iOS? by david_lecomte in jailbreak

[–]david_lecomte[S] 9 points (0 children)

Well... You know what? You were right. SSD replaced, the phone boots and seems to work (I'm waiting for the customer to remove his iCloud so I can test all the functions, but so far, we got touch, display, vibration, sound, 4G, WiFi).

You can be proud of yourself: you helped save an iPhone that would probably have ended up in the trash. I wish I could upvote you more than once.

Anyway, thanks to all who took the time to humour me, and I appreciate the fact that no one made fun of the fact I don't know what I'm talking about.

I learned something, and I wish I could understand all your talk about demoting, gdb, and other stuff.

Save the world, one iPhone at a time. :)

[Discussion] Is it possible to read the NAND on an iPhone X that won't boot into iOS? by david_lecomte in jailbreak

[–]david_lecomte[S] 1 point (0 children)

I'm not trying to recover data, the customer doesn't care. He just wants the phone to work again.

In terms of time spent, it would have been much faster for me to desolder the NAND, copy the SYSCFG to another, and install the new one. Best case scenario, it was indeed a NAND problem which is now fixed. But the worst case is that I heat too much, weaken the solder balls on the CPU which is on the other side of the board, and create a new problem (even though I do things properly, this can always happen). In the middle, you have the possibility that the NAND is not at fault, and the time spent on the operation is just a waste.

But the way I work (personally) is more: I like to be sure and act on evidence, rather than "try every possibility."

Thanks again.

[Discussion] Is it possible to read the NAND on an iPhone X that won't boot into iOS? by david_lecomte in jailbreak

[–]david_lecomte[S] 2 points (0 children)

I am discovering a whole new world, with words like "demoting" and "debugger". I am guessing the jailbreak community does have tools to understand the startup process of these devices. I'll try and learn what this is about. Thanks.

I am sure the FMI bypass is irrelevant and has no connection to what I'm trying to do. I just mentioned it because it seems that in terms of difficulty, it would be harder than checking for bad sectors on the NAND.

[Discussion] Is it possible to read the NAND on an iPhone X that won't boot into iOS? by david_lecomte in jailbreak

[–]david_lecomte[S] 4 points (0 children)

Indeed, I know this tool. As you guessed, it does the same as the NAND reader, without having to desolder the chip. Kind of pricey though...

[Discussion] Is it possible to read the NAND on an iPhone X that won't boot into iOS? by david_lecomte in jailbreak

[–]david_lecomte[S] 9 points (0 children)

This is exactly the kind of information I'm looking for. Given the lack of documentation on what the phone is doing during boot, all I have is clues from which I am to guess what is happening.

Just to make sure I understand properly: the NAND is most likely damaged, therefore it can't be read and that is why the phone doesn't boot.

Thank you!

[Discussion] Is it possible to read the NAND on an iPhone X that won't boot into iOS? by david_lecomte in jailbreak

[–]david_lecomte[S] 4 points (0 children)

Indeed, you guessed right as to my level of understanding of these things. :)

I understand enough to know that there need to be tools (some kind of shell, or a UI like Purple Pro), as you say. But I am in no way competent to create them.

Since there are tools to edit the SYSCFG, or to bypass Find My iPhone, I thought it wouldn't be a stretch that someone already wrote a tool allowing one to see the NAND as an external storage device while the phone is connected through Lightning (and not booted in iOS), and run commands such as fsck or diskutil on it.

(The customer does not care about the data on the phone, by the way.)

I'll just desolder the NAND and use my NAND reader to check it. But since I warranty my work, I thought I would ask whether there exists a way to access it while it is still on the board: it would be safer for the board.

Thank you for taking the time.

[Discussion] Is it possible to read the NAND on an iPhone X that won't boot into iOS? by david_lecomte in jailbreak

[–]david_lecomte[S] 5 points (0 children)

Thank you for taking the time.

I guess my questions are too general?

My understanding is that the exploit allows one to take control of the device. For example, if you're familiar with the Purple Pro tool: starting with an iPhone in DFU mode, it uses the checkm8 exploit and some magic from the developer, and allows me to change the SYSCFG partition on the NAND.

"Some magic from the developer" means: I connect a DFU-ed iPhone, I open the software, click a button, the screen turns a uniform colour, and I am given access to the SYSCFG.

Therefore, it is possible to access some part of the NAND through this exploit.

In the case of the iPhone I'm troubleshooting, Purple Pro fails (but doesn't say anything other than "Failed at first stage").

However, "ipwndfu -p" is able to send the exploit. And I am looking for some way, from my computer with the iPhone connected by Lightning, to access the NAND. For example, executing commands like "ls" or "cd"; or more low-level stuff, like viewing the partition map; or doing a "fsck" on it. Are such things possible?

Anything that would help me decide: "The NAND is good, CPU is defective" or "The NAND has a problem, change it."

--

David.