-
-
[原创]如何调试iOS内核-补充说明
-
发表于: 2014-7-7 21:13
-
zhuliang在大作《如何调试iOS内核》已经告诉了我们操作方法
http://bbs.pediy.com/showthread.php?t=157624
我照这份说明做了一边,还是遇到一些小问题,记录在这里,也方便后面的人。
测试环境ipod touch4 6.1.3(10B329)
先制作调试线缆:
测试座子taobao有售,搜索关键字:iPhone4/4SiPod 30PIN公座测试治具,测试板,测试头
按照SysScan-Singapore-Targeting_The_IOS_Kernel.pdf里的说法,在PIN1和PIN21之间串接一个470K欧的电阻。为什么?
http://pinouts.ru/PortableDevices/ipod_pinout.shtml
里说:
PIN21 Accessory Indicator/Serial enable
6.8 kΩ - Serial port mode. Pin 11-13 are TTL level. Requires MAX232 chip to convert to RS232 levels.
500kOhm - related to serial communication / used to enable serial communications Used in Dension Ice Link Plus car interface
注:
参考IPHONE4的原理图,发现这个信号是接到dialog 电源管理芯片D1815A4的F3脚,这是一个ADC采样脚,外面串接不同的阻值,这里反应出不同的电压值。主芯片通过i2c接口将这个信息读走。
然后将PIN12 RX,PIN13 TX,PIN1 GND连接到串口转USB的小板上。
因为要使用redsn0w来修改传递给内核的参数,这就需要用到USB信号,于是继续焊接USB的信号线。
参考官方的USB线,看到他一共使用了7个pin脚
1(GND),15(GND),16(GND),23(5V),25(D-),27(D+),29(GND)
测量发现1,15,16,29就连通的。
http://pinouts.ru/PortableDevices/ipod_pinout.shtml
里说PIN16是USB的GND,在ipod的pcb板上和PIN15是连通的,所以只要16,23,25,27就可以。然后找个USB线,将上面4个信号和下图依次连接。
焊接效果图:
正面:
反面:
这时USB头子连接主机,30PIN座子接ITOUCH,iTunes弹出,找到itouch设备。
下面测试串口线缆:
将串口转USB的板子连接到PC,打开串口终端软件,找到对应的串口设备,设置波特率为115200N81,等待数据。
为了让串口可以显示出信息,可以用红雪将调试参数0x08传递给内核:
0x08 DB_KPRT Send kernel debugging kprintf output to serial port.
命令行运行:
./redsn0w.exe -i iPod4,1_6.0_10A403_Restore.ipsw -j -a "-v debug=0x08"
然后按照红雪的提示,让itouch进入DFU模式,一直点下一步就好了。
串口终端看到下面信息,说明串口tx信号(itouch侧)连接正常:
AppleS5L8930XIO::start: chip-revision: C0
AppleS5L8930XIO::start: PIO Errors Enabled
AppleARMPL192VIC::start: _vicBaseAddress = 0x86e7d000
AppleS5L8930XGPIOIC::start: gpioicBaseAddress: 0x85536000
AppleARMPerformanceController::traceBufferEnable: Trace is enabled
AppleS5L8930XPerformanceController::start: _pcBaseAddress: 0x86ec5000
AppleARMPerformanceController configured with 1 Performance Domains
...
注:
1. 这个信息和-v,在itouch lcd屏幕上显示的信息是不一样的。
2. 为什么是115200波特率?下面是逻辑分析仪捕获的信号,1bit的传送时间是8.750us
1*1000*1000/8.750=114285
后来我在SerialKDPProxy.c里也看到:
execlp("/bin/stty", "/bin/stty", "115200", "raw", "clocal", "crtscts", NULL);
3. 红雪命令参数说明:
$ ./redsn0w.exe -h
Usage: redsn0w [-i <str>] [-J] [-j] [-f] [-H] [-o] [-n] [-b <str>] [-k <str>] [-d <str>] [-r <str>] [-a <str>] [-K] [-S] [-U] [-D <str>] [-t <str>] [-x <str>] [-h]
-i, --ipsw=<str> use specified IPSW
-J, --justPwnDFU just enter pwned DFU mode
-j, --justBoot just do tethered boot
-f, --justFixRecovery just fix recovery loop
-H, --shshBlobs fetch the currently installed SHSH blobs
-o, --oldBootrom device has an old (not fixed) bootrom
-n, --noActivate don't activate an unactivated device
-b, --tetheredBootLogo=<str> boot logo PNG file for tethered boots
-k, --kernelcache=<str> use specified kernelcache (advanced)
-d, --devicetree=<str> use specified devicetree (advanced)
-r, --ramdisk=<str> use specified ramdisk (advanced)
-a, --bootArgs=<str> use specified kernel boot-args (advanced)
-K, --noKernelPatches don't pre-apply default set of kernel patches (advanced)
-S, --noStashing don't stash (implied when custom bundle is used) (advanced)
-U, --noUntetherHacks don't do normal untether hacks (implied when custom bundle is used) (advanced)
-D, --download=<str> download a file or directory via afc2
-t, --tempDir=<str> temporary directory to use for backups
-x, --extraFlags=<str> extra flags (advanced)
-h, --help show this help
下面编译KDP(Kernel Debugger Protocol)调试代理,使用zhuliang提供的Albert_liuwei修改版。
这个东西就是将gdb里kdp所需要使用的udp,端口41139上的信息通过串口透传给itouch
kdp-remote -- Connect to a remote KDP server. udp port 41139 is the default port number.
因运行在windows上,使用Cygwin编译。
编译提示错误:
SerialKDPProxy.c
找不到头文件:net/ethernet.h
-#include <net/ethernet.h>
+#include "ethernet.h"
然后下载份ethernet.h,放进来,编译通过。
$ ./SerialKDPProxy.exe /dev/ttyS3
Opening Serial
Waiting for packets, pid=4392
^@
这时将内核调试参数改为DB_KPRT | DB_HALT
0x01 DB_HALT Halt at boot-time and wait for debugger attach.
./redsn0w.exe -i iPod4,1_6.0_10A403_Restore.ipsw -j -a "-v debug=0x09"
内核开始运行时会被挂起(Itouch屏幕上停在被咬了一口的菠萝画面),SerialKDPProxy所在的终端继续显示(串口显示的信息也被定向到了这里):
-----------START----------
Debugger message: inline call to debugger(machine_startup)
OS version: Not set yet
Kernel version: Darwin Kernel Version 13.0.0: Sun Aug 19 00:27:34 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_S5L8930X
iBoot version: iBoot-1537.4.18
secure boot?: NO
Paniclog version: 1
Kernel slide: 0x0000000019400000
Kernel text base: 0x99401000
Epoch Time: sec usec
Boot : 0x00000000 0x00000000
Sleep : 0x00000000 0x00000000
Wake : 0x00000000 0x00000000
Calendar: 0x0000001c 0x0002d349
Task 0x801e6c20: 762 pages, 7 threads: unknown task
^Ithread 0x99700650
^I^Ikernel backtrace: 853cbe80
^I^I lr: 0x99488f61 fp: 0x853cbeb0
^I^I lr: 0x994898ad fp: 0x853cbedc
^I^I lr: 0x9940ada1 fp: 0x853cbf14
^I^I lr: 0x9940cffb fp: 0x853cbf9c
^I^I lr: 0x99427167 fp: 0x853cbfa8
^I^I lr: 0x9948705c fp: 0x00000000
Debugger message: inline call to debugger(machine_startup)
OS version: Not set yet
Kernel version: Darwin Kernel Version 13.0.0: Sun Aug 19 00:27:34 PDT 2012; root:xnu-2107.2.33~4/RELEASE_ARM_S5L8930X
iBoot version: iBoot-1537.4.18
secure boot?: NO
Paniclog version: 1
Kernel slide: 0x0000000019400000
Kernel text base: 0x99401000
Epoch Time: sec usec
Boot : 0x00000000 0x00000000
Sleep : 0x00000000 0x00000000
Wake : 0x00000000 0x00000000
Calendar: 0x0000001c 0x0005da82
********* Dumping thread state and stacks *********
Task 0x801e6c20: 762 pages, 7 threads: unknown task
>>>>>>>>thread 0x99700650
>>>>>>>>^Ikernel backtrace: 853cbeb0
>>>>>>>>^I lr: 0x994898b5 fp: 0x853cbedc
>>>>>>>>^I lr: 0x9940ada1 fp: 0x853cbf14
>>>>>>>>^I lr: 0x9940cffb fp: 0x853cbf9c
>>>>>>>>^I lr: 0x99427167 fp: 0x853cbfa8
>>>>>>>>^I lr: 0x9948705c fp: 0x00000000
^Ithread 0x801f36b0
^I^Ikernel continuation: 0x994256c9
^Ithread 0x801f3140
^I^Ikernel state:
^I^I r0: 0x00000000 r1: 0x00000000 r2: 0x00000000 r3: 0x00000000
^I^I r4: 0x2846a216 r5: 0x99700650 r6: 0x00000000 r7: 0x853dbf70
^I^I r8: 0x00000000 r9: 0x00000001 r10: 0x99727838 r11: 0x801f3140
^I^I r12: 0x994870a0 sp: 0x853dbf44 lr: 0x99424cab pc: 0x00000000
^I^Icpsr: 0x00000093 fsr: 0x00000000 far: 0x00000000
^I^Ikernel backtrace: 853dbf70
^I^I lr: 0x994244d9 fp: 0x853dbf9c
^I^I lr: 0x994257c7 fp: 0x853dbfa8
^I^I lr: 0x9948705c fp: 0x00000000
^Ithread 0x801f2bd0
^I^Ikernel continuation: 0x9942cf39
^Ithread 0x801f2660
^I^Ikernel continuation: 0x9942d135
^Ithread 0x801f20f0
^I^Ikernel continuation: 0x9942f035
^Ithread 0x801f1b80
^I^Ikernel continuation: 0x99433131
-----------END----------
这时来到macbook,运行下面命令(其中192.168.1.234为SerialKDPProxy所运行机器的IP地址。):
$ gdb-arm-apple-darwin -arch armv7
GNU gdb 6.3.50-20050815 (Apple version gdb-1821) (Fri Jun 29 08:50:21 UTC 2012)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "--host=i386-apple-darwin --target=arm-apple-darwin".
(gdb) target remote-kdp
(gdb) attach 192.168.1.234
kdp_reply_wait: error from kdp_receive: receive timeout exceeded
kdp_transaction (kdp_attach): transaction timed out
kdp_transaction (kdp_attach): re-sending transaction
warning: Can't find dSYM for mach kernel (10CDDC0C-A9AC-3CC4-BD6D-9404074C194D)
Kernel is located in memory at 0x91601000 with uuid of 10CDDC0C-A9AC-3CC4-BD6D-9404074C194D
Connected.
(gdb) i r
r0 0x1 1
r1 0x1 1
r2 0x0 0
r3 0x0 0
r4 0x918da1c4 -1852988988
r5 0x91928f38 -1852666056
r6 0x0 0
r7 0x852a3edc -2060828964
r8 0x0 0
r9 0x9191e920 -1852708576
r10 0xfffffff9 -7
r11 0x0 0
r12 0x91928f38 -1852666056
sp 0x852a3eb8 -2060829000
lr 0x916898db -1855416101
pc 0x9168995c -1855415972
cpsr {
0x600000f3,
n = 0x0,
z = 0x1,
c = 0x1,
v = 0x0,
q = 0x0,
j = 0x0,
ge = 0x0,
e = 0x0,
a = 0x0,
i = 0x1,
f = 0x1,
t = 0x1,
mode = 0x13
} {
0x600000f3,
n = 0,
z = 1,
c = 1,
v = 0,
q = 0,
j = 0,
ge = 0,
e = 0,
a = 0,
i = 1,
f = 1,
t = 1,
mode = svc
}
(gdb) x /16xw $pc
0x9168995c: 0xe7ffdeff 0x4658e003 0xf0004641 0xf1baf8e3
0x9168996c: 0xd0f20f00 0xf89af1f1 0xbf1c2800 0xf1d92004
0x9168997c: 0xf1bafebf 0xd1420f00 0x0f90ee1d 0x04c0f8d0
0x9168998c: 0x1128f8d0 0xf8c03901 0xf8d01128 0xb9a91128
在attach、执行gdb命令时,SerialKDPProxy.exe终端可看到信息交互,例如:
Received 13 bytes from port 51335...and ouput over serial
Sent reply packet 12, 12, 12 to UDP 51335
Received 8 bytes from port 51335...and ouput over serial
Sent reply packet 24, 24, 24 to UDP 51335
注:
1. Can't find dSYM for mach kernel,pdf文件里使用的命令是:
/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/gdb -arch armv7 \
kernelcache.iPod4,1_4.3.2_8H7.symbolized
这个symbolized是说…
2. 我在macbook里找gdb-arm-apple-darwin这个命令花了些时间,因我装的xcode版本是5.0.2,据说从5.0开始,apple SDK中不再包含gdb,所以/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/libexec目录下只有as,没有gdb了。回退到xcode 4.6.1,问题解决。
3. 在我测试的过程中经常发现timed out
kdp_transaction (kdp_attach): transaction timed out
有时单步几下就会gdb端就会停止响应,SerialKDPProxy端无限看到信息交互的打印。
我觉得LAN的网络环境应该不用怀疑,所以感觉这个调试代理还是不稳定。
最后感谢引路人zhuliang,还有那个30PIN的调试座子也是他告诉我在哪里买的,找这个东西花了很长时间,之前看到国外有卖,还想海外购来着…
然后谢谢www.aol.com吧,当我遇到问题时,都是在这里找到的答案。
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
