Difference between revisions of "Apple Wireless Diagnostics Daemon (AWDD)"

From The iPhone Wiki
m (formatting)
 
Line 10: Line 10:
 
Tags that are high in the lowest order bit are length prefixed (common of strings)
 
Tags that are high in the lowest order bit are length prefixed (common of strings)
   
0x08 index 1 with a type of 0x00 - e.g. "timestamp"
+
*0x08 index 1 with a type of 0x00 - e.g. "timestamp"
0x10 index 2 with a type of 0x00 - PropertyDefinition.Index
+
*0x10 index 2 with a type of 0x00 - PropertyDefinition.Index
0x18 index 3 with a type of 0x00 - PropertyDefinition.Flags
+
*0x18 index 3 with a type of 0x00 - PropertyDefinition.Flags
0x22 index 4 with a type of 0x02 - PropertyDefinition.Name
+
*0x22 index 4 with a type of 0x02 - PropertyDefinition.Name
0x0A index 1 with a type of 0x02 - ObjectDefinition
+
*0x0A index 1 with a type of 0x02 - ObjectDefinition
0x12 index 2 with a type of 0x02 - PropertyDefinition
+
*0x12 index 2 with a type of 0x02 - PropertyDefinition
 
Clearly we demonstrate a primordial integer vs a length prefixed sequence
 
Clearly we demonstrate a primordial integer vs a length prefixed sequence
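Review bot: The bullet for 0x10 is labelled "PropertyDefinition.Index", but the constants later on this page define TAG_INDEX = 0x08 and TAG_TYPE = 0x10, so the label should be corrected while these lines are being turned into a list. The context sentence above the list says length-prefixed tags are "high in the lowest order bit", yet the length-prefixed examples listed here (0x22, 0x0A, 0x12) have bit 0 clear and a type of 0x02; rewording that sentence in terms of type 0x02 would remove the contradiction.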
   
Line 22: Line 22:
 
Potential for enum or flags
 
Potential for enum or flags
   
0x00 - Length encoded integer
+
*0x00 - Length encoded integer
0x01 - FLAG?
+
*0x01 - FLAG?
0x02 - Object with length prefixed multi-byte integer
+
*0x02 - Object with length prefixed multi-byte integer
0x03
+
*0x03
0x04 - FLAG?
+
*0x04 - FLAG?
0x05
+
*0x05
0x06
+
*0x06
0x07
+
*0x07
 
This implies that type 0x02 is some form of sequence
 
This implies that type 0x02 is some form of sequence
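Review bot: The bullets for 0x03, 0x05, 0x06 and 0x07 have no description, which as list items reads like truncated text; mark them as unknown in the same way 0x01 and 0x04 carry "FLAG?" so readers can tell the gap is intentional.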
   
Line 52: Line 52:
 
The definition table is a collection of ObjectDefinitions and EnumDefinitions
 
The definition table is a collection of ObjectDefinitions and EnumDefinitions
   
DEFINE_OBJECT_TAG = 0x0A
+
DEFINE_OBJECT_TAG = 0x0A
DEFINE_ENUM_TAG = 0x12
+
DEFINE_ENUM_TAG = 0x12
 
An ObjectDefinition is either a Class or an Event - they are broadly equal. A class will be a collection of property definitions where each definition is a combination of property name, type (primal), flags, and extensions.
 
An ObjectDefinition is either a Class or an Event - they are broadly equal. A class will be a collection of property definitions where each definition is a combination of property name, type (primal), flags, and extensions.
   
An object definition is TAG_CLASS_DEFINITION followed by a length of the object definition. It is then parsed as a a TAG_CLASS_NAME and a series of TAG_PROPERTY_DEFINITIONs which are a length followed by their fields.
+
An object definition is <code>TAG_CLASS_DEFINITION</code> followed by a length of the object definition. It is then parsed as a a <code>TAG_CLASS_NAME</code> and a series of <code>TAG_PROPERTY_DEFINITION</code>s which are a length followed by their fields.
   
TAG_CLASS_DEFINITION = 0x0A # Name of the class or event
+
TAG_CLASS_DEFINITION = 0x0A # Name of the class or event
TAG_CLASS_NAME = 0x0A # The string defining the class name (optional)
+
TAG_CLASS_NAME = 0x0A # The string defining the class name (optional)
TAG_PROPERTY_DEFINITION = 0x12 # Repeated for each property
+
TAG_PROPERTY_DEFINITION = 0x12 # Repeated for each property
 
In the context of a property flags can be 0x00 in the case of a normal scalar property of 0x01 in the case of a "multi-property" or a property which can occur multiple times.
 
In the context of a property flags can be 0x00 in the case of a normal scalar property of 0x01 in the case of a "multi-property" or a property which can occur multiple times.
   
# Base Property Types - RE still in progress
+
# Base Property Types - RE still in progress
class PropertyType(IntEnum):
+
class PropertyType(IntEnum):
UNKNOWN = 0x00
+
UNKNOWN = 0x00
DOUBLE = 0x01
+
DOUBLE = 0x01
FLOAT = 0x02
+
FLOAT = 0x02
INTEGER_64 = 0x03
+
INTEGER_64 = 0x03
INTEGER = 0x04
+
INTEGER = 0x04
UNKNOWN_5 = 0x05
+
UNKNOWN_5 = 0x05
INTEGER_32 = 0x06
+
INTEGER_32 = 0x06
INTEGER_UNSIGNED = 0x07
+
INTEGER_UNSIGNED = 0x07
UNKNOWN_8 = 0x08
+
UNKNOWN_8 = 0x08
UNKNOWN_9 = 0x09
+
UNKNOWN_9 = 0x09
BOOLEAN = 0x0C
+
BOOLEAN = 0x0C
ENUM = 0x0B
+
ENUM = 0x0B
STRING = 0x0D
+
STRING = 0x0D
BYTES = 0x0E
+
BYTES = 0x0E
PACKED_UINT_32 = 0x15
+
PACKED_UINT_32 = 0x15
UNKNOWN_17 = 0x11
+
UNKNOWN_17 = 0x11
UNKNOWN_20 = 0x14
+
UNKNOWN_20 = 0x14
OBJECT = 0x1B
+
OBJECT = 0x1B
   
# Basic Property Values (must occur)
+
# Basic Property Values (must occur)
TAG_INDEX = 0x08 # This defines the tag for reference
+
TAG_INDEX = 0x08 # This defines the tag for reference
TAG_TYPE = 0x10 # Primal object type (PropertyType)
+
TAG_TYPE = 0x10 # Primal object type (PropertyType)
TAG_FLAGS = 0x18 # PropertyFalgs
+
TAG_FLAGS = 0x18 # PropertyFlags
TAG_NAME = 0x22 # The name of the property
+
TAG_NAME = 0x22 # The name of the property
Various base types have extended type information. For instance a string property can have a format type of "UUID" and an integer type can have a value of "Timestamp". Each of these is specified by a particular tag on the property definition.
+
Various base types have extended type information.
  +
For instance, a string property can have a format type of "UUID" and an integer type can have a value of "Timestamp".
  +
Each of these is specified by a particular tag on the property definition.
  +
  +
# Extended or optinal values on a property definition
  +
TAG_OBJECT_REFERENCE = 0x28 # The class of the property in the case of a non-primitive, scalar
  +
TAG_STRING_FORMAT = 0x30 # StringFormat
  +
TAG_LIST_ITEM_TYPE = 0x38 # Type of the element in the case of a collection
  +
TAG_ENUM_INDEX = 0x40 # The EnumDefinition this enum references
  +
TAG_INTEGER_FORMAT = 0x48 # Integer type sub-specifier
  +
TAG_EXTENSION = 0x50 # Set to 0x01 if this property is an extension on another class
  +
TAG_EXTENSION_TARGET = 0x60 # The class to extend
   
# Extended or optinal values on a property definition
 
TAG_OBJECT_REFERENCE = 0x28 # The class of the property in the case of a non-primitive, scalar
 
TAG_STRING_FORMAT = 0x30 # StringFormat
 
TAG_LIST_ITEM_TYPE = 0x38 # Type of the element in the case of a collection
 
TAG_ENUM_INDEX = 0x40 # The EnumDefinition this enum references
 
TAG_INTEGER_FORMAT = 0x48 # Integer type sub-specifier
 
TAG_EXTENSION = 0x50 # Set to 0x01 if this property is an extension on another class
 
TAG_EXTENSION_TARGET = 0x60 # The class to extend
 
 
Sub-format Specifiers
 
Sub-format Specifiers
   
class PropertyFlags(IntFlag):
+
class PropertyFlags(IntFlag):
NONE = 0x00
+
NONE = 0x00
REPEATED = 0x01
+
REPEATED = 0x01
  +
  +
class IntegerFormat(IntEnum):
  +
TIMESTAMP = 0x01
  +
TRIGGER_ID = 0x03
  +
PROFILE_ID = 0x04
  +
AVERAGE_TIME = 0x15
  +
TIME_DELTA = 0x16
  +
TIMEZONE_OFFSET = 0x17
  +
ASSOCIATED_TIME = 0x18
  +
PERIOD_IN_HOURS = 0x19
  +
TIME_OF_DAY = 0x1E
  +
SAMPLE_TIMESTAMP = 0x1F
  +
  +
class StringFormat(IntEnum):
  +
UNKNOWN = 0x00
  +
UUID = 0x01
   
class IntegerFormat(IntEnum):
 
TIMESTAMP = 0x01
 
TRIGGER_ID = 0x03
 
PROFILE_ID = 0x04
 
AVERAGE_TIME = 0x15
 
TIME_DELTA = 0x16
 
TIMEZONE_OFFSET = 0x17
 
ASSOCIATED_TIME = 0x18
 
PERIOD_IN_HOURS = 0x19
 
TIME_OF_DAY = 0x1E
 
SAMPLE_TIMESTAMP = 0x1F
 
 
class StringFormat(IntEnum):
 
UNKNOWN = 0x00
 
UUID = 0x01
 
 
An EnumDefinition is a class that defines a range of integer values, which can be either a selection enumeration or a flags style enumeration. The definition will include the textual representation of each value.
 
An EnumDefinition is a class that defines a range of integer values, which can be either a selection enumeration or a flags style enumeration. The definition will include the textual representation of each value.
   
= Metadata Files =s
+
= Metadata Files =
   
Metadata files are a MAGIC (AWDM), a version (0xXXXXYYYY) and N (0xNNNNNNNN) regions
+
Metadata files are a <code>MAGIC</code> (AWDM), a version (0xXXXXYYYY) and N (0xNNNNNNNN) regions
   
 
If N == 0 then you are reading a root manifest and should read until tag == 0x00000000
 
If N == 0 then you are reading a root manifest and should read until tag == 0x00000000
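Review bot: The rewritten object-definition sentence still has the doubled "a a" before <code>TAG_CLASS_NAME</code>, and the relocated comment line still reads "Extended or optinal values"; both should be corrected in the same pass as the "PropertyFalgs" fix. In the PropertyType block, BOOLEAN = 0x0C sits before ENUM = 0x0B and PACKED_UINT_32 = 0x15 before 0x11 and 0x14; sorting the members by value would make the unexplored gaps in the range easier to spot.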
Line 134: Line 138:
 
Region tags are 0xTTTTFFFF where TTTT is type and FFFF is number of uint32 fields (little endian)
 
Region tags are 0xTTTTFFFF where TTTT is type and FFFF is number of uint32 fields (little endian)
   
struct {
+
struct {
uint32 magic, // "AWDM"
+
uint32 magic, // "AWDM"
uint16 major, // 0x0100 - little endian 1
+
uint16 major, // 0x0100 - little endian 1
uint16 minor, // 0x0100 - little endian 1
+
uint16 minor, // 0x0100 - little endian 1
uint32 regions // either region count or 0
+
uint32 regions // either region count or 0
}
+
}
  +
 
  +
 
  +
Tag specific
 
  +
// Tag specific
 
  +
struct {
 
  +
struct {
uint32 tag,
 
uint32 checksum // assumed
+
uint32 size,
  +
uint32 checksum // assumed
}
 
  +
}
Tag 0x02000400 - Structure Table
 
// N region entries, see below
+
// N region entries, see below
struct {
+
struct {
uint32 zero // = 0x00000000
+
uint32 zero // = 0x00000000
}
+
}
uint32 offset,
+
uint32 tag,
uint32 size,
+
uint32 offset,
  +
=== Tag 0x02000400 - Structure Table ===
   
 
This is an import or structure table. In the case of the root table of the root manifest the contents are identical to the display or definition table (0x03000400).
 
This is an import or structure table. In the case of the root table of the root manifest the contents are identical to the display or definition table (0x03000400).
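Review bot: "Tag specific" ends up as a "// Tag specific" comment inside the struct listing, while its counterpart remains a real heading ("== Non-tag specific =="); use "== Tag specific ==" so the two region categories sit at the same level and "=== Tag 0x02000400 - Structure Table ===" has a parent section. The checksum field is still only marked "// assumed", so a short note on what that assumption rests on would help the next reader verify it.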
Line 160: Line 165:
 
For metadata manifests which extend the root, this file will broadly import from others and not define the display names of properties etc.
 
For metadata manifests which extend the root, this file will broadly import from others and not define the display names of properties etc.
   
Tag 0x03000400 - Definition Table
+
=== Tag 0x03000400 - Definition Table ===
   
 
This table of definitions create new objects with new properties that extend the existing schema. It will contain object definitions, with property definitions as well as enum definitions.
 
This table of definitions create new objects with new properties that extend the existing schema. It will contain object definitions, with property definitions as well as enum definitions.
Line 168: Line 173:
 
== Non-tag specific ==
 
== Non-tag specific ==
   
struct {
+
struct {
uint32 offest
+
uint32 offest
uint32 size
+
uint32 size
}
+
}
Tag 0x04000200 - File Identity
+
=== Tag 0x04000200 - File Identity ===
   
 
This region defines two values, the UUID of the file as well as it's display name.
 
This region defines two values, the UUID of the file as well as it's display name.
   
This is analogous to a LC_UUID in Mach-O
+
This is analogous to a <code>LC_UUID</code> in Mach-O
   
0x0A - String - File UUID
+
*0x0A - String - File UUID
0x12 - String - Source File
+
*0x12 - String - Source File
0x18 - Timestamp - Build Time
+
*0x18 - Timestamp - Build Time
Tag 0x05000200 - Root Object Class Definitions
+
=== Tag 0x05000200 - Root Object Class Definitions ===
   
 
This defines the root ambient classes. It's only relevant on the root manifest as it is the only file to define the root object class. These classes are used by the properties on the root object defined by 0x02000400/0x03000400 where tag == 0x00
 
This defines the root ambient classes. It's only relevant on the root manifest as it is the only file to define the root object class. These classes are used by the properties on the root object defined by 0x02000400/0x03000400 where tag == 0x00
   
Tag 0x06000200 - Extension Points
+
=== Tag 0x06000200 - Extension Points ===
   
 
This region lists all known extension properties. These must be loaded from their assocated constituant extension manifests
 
This region lists all known extension properties. These must be loaded from their assocated constituant extension manifests
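Review bot: The File Identity text says the region "defines two values", but the list converted to bullets directly below it has three entries (File UUID, Source File, Build Time); update the count or state which entry is optional. The struct field "uint32 offest" and the words "assocated constituant" in the Extension Points paragraph also pass through unchanged and should be corrected to "offset" and "associated constituent".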

Latest revision as of 16:52, 18 October 2021

AWDD is a binary logging system for the Baseband, Bluetooth, NFC, GSM/LTE, WiFi, UWB and other such wireless radio coprocessors. Over the years it has taken on a few other responsibilities such as Springboard Locking, FaceID, and any other system level events best represented in a compact binary format. This is in opposition to text based or Plist style log files, which are also still common for other subsystems. AWDD is a proprietary TLV encoding.


TLV Encoding Scheme

Tags

Tags are multi-byte integers with the lowest 3 bits being the primal type, while the remaining bits get shifted right (>> 3) to become the "index" from the definition. This makes the "timestamp" value in a log (tag 0x08) actually type 0x00 and index 0x01, matching up with the definition from the ambient root file. Having a lowest order bit of 0x00 means that the value is to be interpreted as a multi-byte integer.

Tags that are high in the lowest order bit are length prefixed (common for strings).

  • 0x08 index 1 with a type of 0x00 - e.g. "timestamp"
  • 0x10 index 2 with a type of 0x00 - PropertyDefinition.Index
  • 0x18 index 3 with a type of 0x00 - PropertyDefinition.Flags
  • 0x22 index 4 with a type of 0x02 - PropertyDefinition.Name
  • 0x0A index 1 with a type of 0x02 - ObjectDefinition
  • 0x12 index 2 with a type of 0x02 - PropertyDefinition

Clearly we demonstrate a primordial integer vs a length prefixed sequence

Types

Potential for enum or flags

  • 0x00 - Length encoded integer
  • 0x01 - FLAG?
  • 0x02 - Object with length prefixed multi-byte integer
  • 0x03
  • 0x04 - FLAG?
  • 0x05
  • 0x06
  • 0x07

This implies that type 0x02 is some form of sequence

Multi-byte integers

The AWDD format can encode multi-byte integers in a format similar to ASN.1 (I'm not yet totally convinced this isn't ASN.1 but hey, when have I ever done protocols the easy way?).

For a multi-byte integer, the high-order bit (0x80) is set on every byte that is not the final byte of the integer. Once all the bytes of the integer are collected, the high-order bit is masked off (& 0x7F) and the remaining 7-bit groups are concatenated as a bitstring to produce the final integer. This is complicated because the integer is still little endian, though the encoding uses the most-significant bit in big-endian format to determine the int's run length. The completed algorithm is in decode_variable_length_int, which returns the int and how many bytes were used to encode it.

This also means for integers <= 127 the integer is the same as a single byte uint8

Tag, optional length, data

Depending on the type of the value, you will encounter a tag (itself a multi-byte int) per the above specification with a direct value, or a length prefixed value.

An example: if the value type is an int, the encoding is a variable-length int tag followed by a variable-length int holding the value.

If the value is a string, then a variable length int tag, followed by a variable length int length then the bytes of the string.

Definitions

The definition table is a collection of ObjectDefinitions and EnumDefinitions

DEFINE_OBJECT_TAG = 0x0A
DEFINE_ENUM_TAG   = 0x12

An ObjectDefinition is either a Class or an Event - they are broadly equal. A class will be a collection of property definitions where each definition is a combination of property name, type (primal), flags, and extensions.

An object definition is TAG_CLASS_DEFINITION followed by the length of the object definition. It is then parsed as a TAG_CLASS_NAME and a series of TAG_PROPERTY_DEFINITIONs, each of which is a length followed by its fields.

TAG_CLASS_DEFINITION    = 0x0A # Name of the class or event
TAG_CLASS_NAME          = 0x0A # The string defining the class name (optional)
TAG_PROPERTY_DEFINITION = 0x12 # Repeated for each property

In the context of a property, flags can be 0x00 in the case of a normal scalar property or 0x01 in the case of a "multi-property", that is, a property which can occur multiple times.

from enum import IntEnum, IntFlag

# Base Property Types - RE still in progress
class PropertyType(IntEnum):
    UNKNOWN          = 0x00
    DOUBLE           = 0x01
    FLOAT            = 0x02
    INTEGER_64       = 0x03
    INTEGER          = 0x04
    UNKNOWN_5        = 0x05
    INTEGER_32       = 0x06
    INTEGER_UNSIGNED = 0x07
    UNKNOWN_8        = 0x08
    UNKNOWN_9        = 0x09
    BOOLEAN          = 0x0C
    ENUM             = 0x0B
    STRING           = 0x0D
    BYTES            = 0x0E
    PACKED_UINT_32   = 0x15
    UNKNOWN_17       = 0x11
    UNKNOWN_20       = 0x14
    OBJECT           = 0x1B

# Basic Property Values (must occur)
TAG_INDEX = 0x08 # This defines the tag for reference
TAG_TYPE  = 0x10 # Primal object type (PropertyType)
TAG_FLAGS = 0x18 # PropertyFlags
TAG_NAME  = 0x22 # The name of the property

Various base types have extended type information. For instance, a string property can have a format type of "UUID" and an integer type can have a value of "Timestamp". Each of these is specified by a particular tag on the property definition.

# Extended or optional values on a property definition
TAG_OBJECT_REFERENCE = 0x28 # The class of the property in the case of a non-primitive, scalar
TAG_STRING_FORMAT    = 0x30 # StringFormat
TAG_LIST_ITEM_TYPE   = 0x38 # Type of the element in the case of a collection
TAG_ENUM_INDEX       = 0x40 # The EnumDefinition this enum references
TAG_INTEGER_FORMAT   = 0x48 # Integer type sub-specifier
TAG_EXTENSION        = 0x50 # Set to 0x01 if this property is an extension on another class
TAG_EXTENSION_TARGET = 0x60 # The class to extend
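
The multi-byte integer rule, the tag / optional length / data layout and the object definition structure described above, combined in one added Python example; it is not code from the original page or from any AWDD tooling. It reuses the page's decode_variable_length_int name and tag values, reads the 7-bit groups least-significant first, and goes one step further than the text by rejecting truncated or over-long input. AWDDParseError, iter_fields, parse_object_definition, the 10-byte integer cap and the sample bytes are assumptions made for the illustration.

```python
# Added example (not from the page): reader for tag / optional length / data.
TAG_CLASS_DEFINITION, TAG_CLASS_NAME, TAG_PROPERTY_DEFINITION = 0x0A, 0x0A, 0x12
MAX_INT_BYTES = 10  # assumption: values fit in 64 bits; the page states no limit

class AWDDParseError(ValueError):
    """Raised on truncated or inconsistent input (hypothetical name)."""

def decode_variable_length_int(buf, pos=0):
    """Return (value, bytes_used) for the multi-byte integer at buf[pos]."""
    value = 0
    for used in range(1, MAX_INT_BYTES + 1):
        if pos + used > len(buf):
            raise AWDDParseError("truncated multi-byte integer")
        byte = buf[pos + used - 1]
        value |= (byte & 0x7F) << (7 * (used - 1))  # low 7-bit group first
        if not byte & 0x80:                          # final byte: high bit clear
            return value, used
    raise AWDDParseError("multi-byte integer too long")

def iter_fields(buf):
    """Yield (tag, index, primal_type, value) for each field in buf."""
    pos = 0
    while pos < len(buf):
        tag, used = decode_variable_length_int(buf, pos)
        pos += used
        index, primal = tag >> 3, tag & 0x07
        if primal == 0x00:                           # direct integer value
            value, used = decode_variable_length_int(buf, pos)
            pos += used
        elif primal == 0x02:                         # length-prefixed bytes
            length, used = decode_variable_length_int(buf, pos)
            pos += used
            if length > len(buf) - pos:
                raise AWDDParseError("declared length runs past the buffer")
            value = bytes(buf[pos:pos + length])
            pos += length
        else:                                        # types the page leaves open
            raise AWDDParseError(f"unhandled primal type {primal:#x}")
        yield tag, index, primal, value

def parse_object_definition(buf):
    """Parse one TAG_CLASS_DEFINITION record into (class_name, properties)."""
    fields = list(iter_fields(buf))
    if len(fields) != 1 or fields[0][0] != TAG_CLASS_DEFINITION:
        raise AWDDParseError("expected exactly one object definition")
    name, props = None, []
    for tag, _, _, value in iter_fields(fields[0][3]):
        if tag == TAG_CLASS_NAME:
            name = value.decode("utf-8")
        elif tag == TAG_PROPERTY_DEFINITION:         # one dict per property
            props.append({t: v for t, _, _, v in iter_fields(value)})
    return name, props

# Constructed sample: class "Event" with one property: index 1, type 0x04
# (INTEGER), flags 0x00, name "timestamp", integer format 0x01 (TIMESTAMP).
PROP = bytes([0x08, 0x01, 0x10, 0x04, 0x18, 0x00, 0x22, 0x09]) + b"timestamp" + bytes([0x48, 0x01])
SAMPLE = bytes([0x0A, 0x1C, 0x0A, 0x05]) + b"Event" + bytes([0x12, len(PROP)]) + PROP
```

Calling parse_object_definition(SAMPLE) returns the class name and one dictionary per property keyed by tag; any primal type other than 0x00 and 0x02 is refused rather than guessed at.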

Sub-format Specifiers

class PropertyFlags(IntFlag):
    NONE     = 0x00
    REPEATED = 0x01

class IntegerFormat(IntEnum):
    TIMESTAMP        = 0x01
    TRIGGER_ID       = 0x03
    PROFILE_ID       = 0x04
    AVERAGE_TIME     = 0x15
    TIME_DELTA       = 0x16
    TIMEZONE_OFFSET  = 0x17
    ASSOCIATED_TIME  = 0x18
    PERIOD_IN_HOURS  = 0x19
    TIME_OF_DAY      = 0x1E
    SAMPLE_TIMESTAMP = 0x1F

class StringFormat(IntEnum):
    UNKNOWN = 0x00
    UUID    = 0x01

An EnumDefinition is a class that defines a range of integer values, which can be either a selection enumeration or a flags style enumeration. The definition will include the textual representation of each value.

Metadata Files

Metadata files are a MAGIC (AWDM), a version (0xXXXXYYYY) and N (0xNNNNNNNN) regions

If N == 0 then you are reading a root manifest and should read until tag == 0x00000000

In all cases there should be a 0x00000000 after the region definitions

Regions fall into two broad categories - tag specific and non-tag specific

Region tags are 0xTTTTFFFF where TTTT is type and FFFF is number of uint32 fields (little endian)

struct {
    uint32 magic,  // "AWDM"
    uint16 major,  // 0x0100 - little endian 1
    uint16 minor,  // 0x0100 - little endian 1
    uint32 regions // either region count or 0
}

// N region entries, see below

struct {
    uint32 zero // = 0x00000000
}

// Tag specific

struct {
  uint32 tag,
  uint32 offset,
  uint32 size,
  uint32 checksum // assumed
}

Tag 0x02000400 - Structure Table

This is an import or structure table. In the case of the root table of the root manifest the contents are identical to the display or definition table (0x03000400).

For metadata manifests which extend the root, this file will broadly import from others and not define the display names of properties etc.

Tag 0x03000400 - Definition Table

This table of definitions creates new objects with new properties that extend the existing schema. It will contain object definitions with property definitions, as well as enum definitions.

This table contains class and object definitions designed to "enrich" the definitions from the 0x02000400 table with additional data for translation into text format.

Non-tag specific

struct {
    uint32 offset,
    uint32 size
}

Tag 0x04000200 - File Identity

This region defines two values, the UUID of the file as well as its display name.

This is analogous to a LC_UUID in Mach-O

  • 0x0A - String - File UUID
  • 0x12 - String - Source File
  • 0x18 - Timestamp - Build Time

Tag 0x05000200 - Root Object Class Definitions

This defines the root ambient classes. It's only relevant on the root manifest as it is the only file to define the root object class. These classes are used by the properties on the root object defined by 0x02000400/0x03000400 where tag == 0x00

Tag 0x06000200 - Extension Points

This region lists all known extension properties. These must be loaded from their associated constituent extension manifests.

Log Files