Kanzi Cable Iphone
Dec 21, 2020 This cable is made specifically for USB-C devices such as the newer models in the iPad Pro line, this cable also supports USB 3.1. USB connection from the main board splits out into a Y-style cable but turns back into one connection in the USB-A male connector. Top of the board items of interest Back of the board items of interest. But even then, these devices are relatively useless unless they are paired with another piece of Apple hardware: a proprietary USB cable called Kanzi. These cables, which can sell for up to $2,000. IPhone debugging requires proper tools. The Bonobo cable connects to your target through Lightning and allows CPU debugging through JTAG/SWD using OpenOCD + AArch64 GDB. Among others, you can: access all CPUs and registers, single.
Kanzi Cable Iphone Psp Cricket Game Iso Download Wwe 12 Xbox Torrent Iso Files Tachosoft Airbag Resetter V6 4 Download Difference Between 4th And 5th Generation Laptops V Gear Amvg1 Drivers For Mac Dark Souls 2 Save Editor Pc Download How To Use Ps4 Controller With Sixtyforce Emulator On Mac.
Ask just about anyone who uses an Apple product and they will tell you that it is basically impenetrable. Whether it is an iPhone or a MacBook Pro laptop, most consumers rightly believe that their Apple device has a very low probability of getting ‘infected’ by a harmful virus or malware. It is this particular claim that has triggered cut-throat competition for Apple – to the extent that some lines, both legal and ethical, are starting to get blurred.
Digital Crowbar
According to Lorenzo Franceschi-Bicchierai, technology journalist, hacking into Apple’s iPhone is like trying to break into a black box. Franceschi-Bicchierai, who spent months investigating the secret iPhone phenomenon for Vice.com, says that these dev-fused iPhones are extremely valuable for iOS hackers. There are entire companies dedicated to cracking iPhones for a substantial fee. In addition to hackers, law enforcement officials and security professionals from around the globe request iPhone-cracking services on a daily basis. Essentially, everyone who does security research on iPhones has them.
What’s the Deal?
These “special iPhones”, dev-fused iPhones, have security features turned off or the user can turn them off as fewer core security features are enabled. Franceschi-Bicchierai says that for a researcher it is easier to find infosec vulnerabilities on a dev-fused iPhone than an ‘off-the-shelf’ model. These devices still require specialized knowledge, and using them is still a complicated task. However, Franceschi-Bicchierai remarks that it can be done because it’s like ‘breaking into a house where the lock is already broken’.
Reminder: These iPhones were never meant to leave Apple’s production facilities in the first place.
“Insidious Companies”
The sale of these phones on the grey market is an open secret in the infosec community. Some times all it takes is a direct message on Twitter to one of the many anonymous dealers. Industry insiders do not like to talk about it. Getting ‘root’ access to an iPhone allows researchers to locate vulnerabilities or bugs that can be used by law enforcement agents and governments. Companies like Australian-based Azimuth provide exclusive hacking tools and their customers often include the UK, the USA, and Canadian governments. Another company mentioned in Franceschi-Bicchierai’s investigation, Cellebrite is a forensic services provider that also offers devices that unlock iPhones. In the story, multiple sources have indicated that Cellebrite uses dev-fused smartphones to create their proprietary devices.
Simple Math
Dev-fused iPhones can cost anywhere from $5,000 to $20,000. The final price depends on the phone’s model as well as the particular features or security aspects it contains. It is not enough to get your hands on the dev-fused version of the iPhone. To truly have a ‘behind-the-scenes’ experience, you will need Apple’s special USB cable known as “Kanzi”. After buying the cable, which costs about $2,000 on the grey market, you will need a Mac computer to gain root access to the smartphone.
Mum’s the Word
In the off-line world, many aspects of the special iPhones remain shrouded in mystery – from the total quantity to their point of origin. Apple maintains complete secrecy on the matter. It is also unclear whether it is legal or not to own dev-fused iPhones. Dev-fused iPhones are smuggled out from Shenzen’s electronics market though few are sure how they get from the factory to there in the first place.
Apple’s core marketing strategy revolves around (and has always been about) designing and selling secure, hack-proof and bug-free premium technology products. The presence of these special iPhones and related switchboard devices messes up Apple’s entire ‘our phones are more secure than Android’ assertion.
The DCSD Alex cable is used in factories to communicate over serial to run tests and write to the SysCfg (for serial definitions, etc) during production. These cables are produced by ShenZhen Alex Connector Co., Ltd. in China. They can be purchased from obscure markets. There are two known types of DCSD cable. An older one, with lights and only one USB female USB connector, and a newer model, which lacks lights, and has two female USB connectors.
- 1'DCSD Alex' PCB
- 2'DCSD 3.1' PCB
- 3Uses
'DCSD Alex' PCB
Top of the board items of interest
| Label | Chip | Datasheet | Noted |
|---|---|---|---|
| D1 | Low Power Consumption Voltage Regulator with ON/OFF Switch | http://www.s-manuals.com/pdf/datasheet/x/c/xc6215_series_torex.pdf | |
| D5 | |||
| D6 | Tied to TX and an input voltage of 3.3V on the UART J5 pads, this may be a protection in case the host shorts? | ||
| U1 | Micrel 2026A Dual-Channel Power Distribution Switch | https://web.archive.org/web/20141010122122/http://www.xilinx.com/products/boards/ml510/datasheets/mic2076-2bm.pdf | |
| U2 | |||
| U3 | FTDI FT232RQ UART IC | http://www.ftdichip.com/Support/Documents/DataSheets/ICs/DS_FT232R.pdf | Handles stoplight LED controls |
| U4 | Micrel MIC5219 | http://datasheet.datasheetarchive.com/originals/library/Datasheets-EDS7/DSAEDA000124178.pdf | 500mA Peak Output LDO Regulator |
| U5 | FTDI FT232RQ UART IC | http://www.ftdichip.com/Support/Documents/DataSheets/ICs/DS_FT232R.pdf | Handles serial mux interface from iPhone |
| U6 | SMSC USB2514 4-port USB hub | http://www.mouser.com/catalog/specsheets/2514.pdf |
|
| U7 | Microchip 24AA04/24LC04B | http://ww1.microchip.com/downloads/en/DeviceDoc/21708G.pdf | I2C Serial EEPROM (TSSOP Package) |
| X1 | MKC 24 MHz Oscillator | N/A | I'm not 100% sure about the value of the chip, but this should be correct |
Back of the board items of interest
| Label | Notes |
|---|---|
| J9 | I believe these are used to flash the U7 EEPROM with USB IDs for use by the SMSC USB Hub, I have yet to dump the contents of the EEPROM to find out for sure. |
| J10 | |
| J11 | |
| J12 |
'DCSD 3.1' PCB
This cable is made specifically for USB-C devices such as the newer models in the iPad Pro line, this cable also supports USB 3.1.USB connection from the main board splits out into a Y-style cable but turns back into one connection in the USB-A male connector .
Top of the board items of interest
| Label | Chip | Datasheet | Notes |
|---|---|---|---|
| U4 | FTDI FT232RQ UART IC | http://www.ftdichip.com/Support/Documents/DataSheets/ICs/DS_FT232R.pdf | Handles stoplight LED controls |
| J2A | Presumably test points for UART | ||
| USB-A male connector | I haven't actually cut into the hard plastics yet but I presume this is where the actual USB hub is hosted. |
Back of the board items of interest
There's not much on the back of the board that you couldn't technically see from the front, no ICs or anything of interest really.
Other notes
- The Lightning Connector has a specific Accessory ID flashed to it for enabling serial via the Tristar chip.
- This PCB is quite easy to replicate, but without the proper Accessory ID you will need to mimic the protocol similar to how key2fr did in his research.
- In theory, you can use the Tristar for JTAG through a similar board, but JTAG gets disabled by the device during boot due to production fusing status.
- In USB-C capable Macs Apple takes care to note the low speed USB2 pins on the TOP or BOTTOM of the connector (which are usually identical to support passive USB-C <-> USB-A cables). This suggests that these pairs may be treated differently just like how the lightning DCSD cable had a proper TOP and BOTTOM side, which would provide a second USB device on the same plug.
Uses
Verbose Boot
One use of the cable was to view verbose boot. You could access this by setting debug uarts in iRecovery or nvram, however, since iOS 9, this output has been obfuscated.
Shell over serial
Using qwertyoruiopz'sserialsh, it is possible to get shell over serial. This is useful, because it does not require any additional daemons other than those shipped with iOS. An example use case for this would be protecting against bootloops.
Kanzi Cable Iphone 6
Debugging the kernel
Kanzi Cable Iphone 7
Using the DCSD cable, it is possible to attach GDB to the iOS kernel, and pause it's running.