Apple IOS Serial/USB Cable for Kernel Debugging

During the presentation "iOS Kernel Exploitation" at Blackhat/Syscan 2011, Stefan Esser provided some details about how to build an iDevice (iPad/iPod/iPhone) cable that could be used to enable serial console functionality and kernel debugging capabilities within an iOS device. The following instructions will show the complete steps needed to build this cable as some of the information within the publicly available slides was found to be incomplete. You will need the following materials to build this cable:

* Soldering Iron, Solder, Wire, Wire Cutters & Wire Strippers.
* 2x mini-USB-B to USB-A cables
* FT232RL USB to Serial break-out board
* PodGizmo PodBreakout (v1.5 used here)
* 470k (or near enough to 500k) resistor
* An old iPhone or similar for testing purposes.

Please be aware that this is not an Apple approved accessory and connecting it to your IDevice is unsupported and you may damage the iDevice. I cannot be held responsible for anything you choose to do with your equipment or indeed this cable!

Solder pieces of wire to pin 12, pin 13 and pin 18 of the PodBreakout v1.5 board. You may wish to construct the PodBreakout plastic housing AFTER construction (despite what is shown here) to ease soldering to the PCB. With the three short pieces of wire attach (3cm or so) solder the 470k resistor to pin 21. You will also need to solder a piece of wire of similar length to pin 1 and the last leg of the resistor to the same location.

You should now have four pieces of wire and a resistor soldered to the PodBreakout PCB. You will now solder these four pieces of wire to the FT232RL break-out board which will be used to provide serial capabilities to the UART. The resistor between pin 1 and pin 21 of the PodBreakout is an "accessory" indicator, this indicates to the connected iPhone/iPad that serial connectivity is to be enabled by placing resistance between the two pins.

Now connect the pins on the FT232RL to the PodBreakout as in the picture. Pin 1 from the PodBreakout (PB) goes to GND on the FT232RL, Pin 12 on PB to RX, Pin 13 to TX and finally 3.3V VCC to Pin 18. You should now have a functioning serial (only!) cable, this can be used to interact with the UART and access serial console functionality on an iDevice. You can go ahead and test it now if you would like to before you solder the USB functionality.

A great way to test the serial cable functionality is to use an iPhone 3G or similar that has OpeniBoot installed and optionally an alternative OS such as iDroid. By connecting with a terminal program such as minicom to the FT232RL device (e.g. /dev/ttyUSB0) and setting 115200 8N1 and no hardware or software flow control, you could see the following information during OpeniBoot which is not normally visible to users who utilize the OiBC USB console. This helps show that the serial cable is functioning as expected and we can now move on to soldering the USB cable.

Take a USB cable and cut off the mini USB connector (so you can still connect it to your computer at the other end!). Strip the wire back about 1 to 2 inches so you reveal four wires, these should be green, red, white and black. Strip a small amount of wire off the end of the black cable. You will now solder these wires to the PodBreakout board.

Solder the black wire to pin 2 on PB. After you will need to strip the remaining three wires, cutting a little of the excess wire away and solder red wire to pin 23, white wire to pin 25 and finally the green wire to pin 27. These are the USB GND, USB VCC, USB- and USB+ pins of the iDevice and used in a typical iPhone/iPad cable for USB operation.

You can now use the RS232 and USB functionality simultaneously with your iOS device. To test this functionality you could use an iPhone 3G or similar with OpeniBoot installed, just like we used with the serial cable, only this time you could use both the USB interface client OiBC and a serial terminal program at the same time. The example picture shows this, using OiBC on the left of the screen, and a serial connection within a virtual machine on the right to show that different cables are being used for the terminal output. A side benefit of this setup is that the cable will also charge your iDevice and can be used with standard iTunes functionality. It is a widely accepted fact that you may also be able to use this setup to perform IOS Kernel Debugging by triggering vulnerabilities via USB-SSH and debugging them via the Serial output! Hope you enjoy your new IOS cable and happy hacking!