Apple iOS Serial/USB Cable for Kernel Debugging




During the presentation "iOS Kernel Exploitation" at Blackhat/Syscan 2011, Stefan Esser provided some details about how to build an iDevice (iPad/iPod/iPhone) cable that enables serial console functionality and kernel debugging capabilities on an iOS device. The following instructions show the complete steps needed to build this cable, as some of the information in the publicly available slides was found to be incomplete. You will need the following materials to build this cable:

* Soldering Iron, Solder, Wire, Wire Cutters & Wire Strippers.
* 2x mini-USB-B to USB-A cables
* FT232RL USB to Serial break-out board
* PodGizmo PodBreakout (v1.5 used here)
* 470k (or near enough to 500k) resistor
* An old iPhone or similar for testing purposes.

Please be aware that this is not an Apple-approved accessory. Connecting it to your iDevice is unsupported and may damage the iDevice. I cannot be held responsible for anything you choose to do with your equipment or indeed this cable!


Step 1: Apple iOS Serial/USB Cable for Kernel Debugging

Solder pieces of wire to pin 12, pin 13 and pin 18 of the PodBreakout v1.5 board. You may wish to assemble the PodBreakout plastic housing AFTER soldering (despite what is shown here) to make soldering to the PCB easier. With the three short pieces of wire (3cm or so) attached, solder one leg of the 470k resistor to pin 21. Then solder a piece of wire of similar length to pin 1, and solder the other leg of the resistor to that same pin.

Step 2: Apple iOS Serial/USB Cable for Kernel Debugging

You should now have four pieces of wire and a resistor soldered to the PodBreakout PCB. You will now solder these four pieces of wire to the FT232RL break-out board, which provides the USB-to-serial connection to the UART. The resistor between pin 1 and pin 21 of the PodBreakout is an "accessory" indicator: placing this resistance between the two pins tells the connected iPhone/iPad that serial connectivity is to be enabled.

Step 3: Apple iOS Serial/USB Cable for Kernel Debugging

Now connect the pins on the FT232RL to the PodBreakout as in the picture. Pin 1 from the PodBreakout (PB) goes to GND on the FT232RL, Pin 12 on PB to RX, Pin 13 to TX and finally 3.3V VCC to Pin 18. You should now have a functioning serial (only!) cable, which can be used to interact with the UART and access serial console functionality on an iDevice. You can test it now, if you like, before you solder the USB functionality.

Step 4: Apple iOS Serial/USB Cable for Kernel Debugging

A great way to test the serial cable functionality is to use an iPhone 3G or similar that has OpeniBoot installed and, optionally, an alternative OS such as iDroid. By connecting a terminal program such as minicom to the FT232RL device (e.g. /dev/ttyUSB0) and setting 115200 8N1 with no hardware or software flow control, you could see the following information during OpeniBoot, which is not normally visible to users who utilize the OiBC USB console. This helps show that the serial cable is functioning as expected, and we can now move on to soldering the USB cable.
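
An added example (not part of the original instructable): the same 115200 8N1, no-flow-control settings applied with Python's standard termios module instead of minicom, followed by a loop that timestamps each console line so boot output can be redirected to a file. The device path /dev/ttyUSB0 is the example path from the step above; the function names are this example's own.

```python
import os
import sys
import termios
import time

# Indexes into the list returned by termios.tcgetattr()
IFLAG, OFLAG, CFLAG, LFLAG, ISPEED, OSPEED, CC = range(7)


def raw_8n1(attrs, baud=termios.B115200):
    """Return a copy of attrs set to raw 8N1 with all flow control off."""
    a = list(attrs)
    a[CC] = list(attrs[CC])
    # Input: no XON/XOFF, no CR/NL translation, keep all 8 bits
    a[IFLAG] &= ~(termios.IXON | termios.IXOFF | termios.IXANY | termios.ICRNL
                  | termios.INLCR | termios.IGNCR | termios.ISTRIP | termios.INPCK)
    a[OFLAG] &= ~termios.OPOST
    # Control: 8 data bits, no parity, one stop bit, no RTS/CTS
    a[CFLAG] &= ~(termios.CSIZE | termios.PARENB | termios.CSTOPB | termios.CRTSCTS)
    a[CFLAG] |= termios.CS8 | termios.CREAD | termios.CLOCAL
    # Local: no echo, no line editing, no signal characters
    a[LFLAG] &= ~(termios.ECHO | termios.ICANON | termios.ISIG | termios.IEXTEN)
    a[ISPEED] = a[OSPEED] = baud
    a[CC][termios.VMIN], a[CC][termios.VTIME] = 1, 0  # block until 1 byte arrives
    return a


def open_console(path):
    """Open the FT232RL device node and apply the 8N1 settings."""
    fd = os.open(path, os.O_RDWR | os.O_NOCTTY)
    termios.tcsetattr(fd, termios.TCSANOW, raw_8n1(termios.tcgetattr(fd)))
    termios.tcflush(fd, termios.TCIFLUSH)  # drop bytes received at the old settings
    return fd


def main(path="/dev/ttyUSB0"):
    fd, pending = open_console(path), b""
    try:
        while chunk := os.read(fd, 4096):  # an empty read means end of stream
            *lines, pending = (pending + chunk).split(b"\n")
            for line in lines:
                text = line.rstrip(b"\r").decode("ascii", "replace")
                print(time.strftime("%H:%M:%S"), text, flush=True)
    finally:
        os.close(fd)


if __name__ == "__main__":
    main(*sys.argv[1:2])
```

If the console shows garbage or nothing at all, compare the port's current settings against these before suspecting the soldering: a wrong baud rate or leftover RTS/CTS flow control produces the same symptoms as a bad joint.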

Step 5: Apple iOS Serial/USB Cable for Kernel Debugging

Take a USB cable and cut off the mini USB connector (so you can still connect it to your computer at the other end!). Strip the outer insulation back about 1 to 2 inches to reveal four wires; these should be green, red, white and black. Strip a small amount of insulation off the end of the black wire. You will now solder these wires to the PodBreakout board.

Step 6:

Solder the black wire to pin 2 on PB. Afterwards, strip the remaining three wires, cutting a little of the excess wire away, and solder the red wire to pin 23, the white wire to pin 25 and finally the green wire to pin 27. These are the USB GND, USB VCC, USB- and USB+ pins of the iDevice, as used in a typical iPhone/iPad cable for USB operation.

Step 7: Apple iOS Serial/USB Cable for Kernel Debugging

You can now use the RS232 and USB functionality simultaneously with your iOS device. To test this functionality you could use an iPhone 3G or similar with OpeniBoot installed, just as we did with the serial cable, only this time you could use both the USB interface client OiBC and a serial terminal program at the same time. The example picture shows this, using OiBC on the left of the screen and a serial connection within a virtual machine on the right, to show that different cables are being used for the terminal output. A side benefit of this setup is that the cable will also charge your iDevice and can be used with standard iTunes functionality. It is a widely accepted fact that you may also be able to use this setup to perform iOS kernel debugging by triggering vulnerabilities via USB-SSH and debugging them via the serial output! Hope you enjoy your new iOS cable and happy hacking!

Runner Up in the
Hack It! Contest

    16 Discussions


    Reply 7 weeks ago

    Sorry for the late response.
    You can't; at least, not easily. The Lightning connector is very different from the 30-pin connector, in that its pins don't have definitive functions; they vary based on the circuitry attached to them. You would have to replicate the controller chip Apple uses for their Lightning to RS232 adapters, which I can't imagine would be easy.
    Though, it's really quite interesting! This "adaptive" quality of the Lightning connector is what allows, for example, "fast-charge" Lightning cables to deliver so much power to the device; (almost) every pin on the cable can be repurposed for power delivery. See here for more information:
    Anyway, I believe most people just buy pre-made serial adapters instead of building their own. They're called "DCSD cables" or something.


    5 years ago

    do u live in muscat ?


    6 years ago on Step 7

    If you install perl on your jailbroken device, that allows you to set up and read/write the serial port directly (eg: via ssh).


    6 years ago on Introduction

    Hey congratulations on being a finalist in the hack it contest! Good luck to you!


    6 years ago on Introduction

    I have the same Soldering station in Black!

    Weirdest looking pair I've ever seen, but that's what I was suspecting they were. ^_^
    Mind if I ask what brand they are?


    6 years ago on Introduction

    Great idea and great hack,
    but I hope you don't get the Apple
    litigation machine after you.


    7 years ago on Introduction

    Great project by you... I wanted to ask what the alternatives are for the PodGizmo setup, as I live in Pakistan and it is not available in Karachi.

    1 reply

    Reply 7 years ago on Introduction

    Hi khan12, I am not aware of any alternative to the PodGizmo. Sorry to hear your difficulties in obtaining one.


    7 years ago on Introduction

    You can get the PodBreakout here