|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "DCSD Cable"
P0sidonius (talk | contribs) (Created new page for DCSD hardware) |
(No need. Both are separately categorized. (hardware/software)) |
||
| (16 intermediate revisions by 8 users not shown) | |||
| Line 1: | Line 1: | ||
| + | [[File:DCSD_Front_annotated.jpg|right|thumb|Annotated photo of the original Alex DCSD PCB]] |
||
| − | The DCSD Alex cable is used in factories to communicate over serial to run tests and write to the SysCfg (for serial definitions, etc) during production. These cables are produced by Shenzhen Alex connector Co. Ltd. in China, I believe this is why they can be found on obscure markets for sale, if not just taken from a trashcan from factories. |
||
| + | The '''DCSD Alex cable''' is used in factories to communicate over serial to run tests and write to the SysCfg (for serial definitions, etc) during production. These cables are produced by ShenZhen Alex Connector Co., Ltd. in China. They can be purchased from obscure markets. There are two known types of DCSD cable. An older one, with lights and only one USB female USB connector, and a newer model, which lacks lights, and has two female USB connectors. |
||
| − | == Factory DCSD "Alex" Lightning Serial Cable == |
||
| − | [[File:DCSD_Front_annotated.jpg|400px|right|Annotated photo of the main DCSD PCB]] |
||
| + | == 'DCSD Alex' PCB == |
||
| − | '''Top of the board;''' |
||
| + | === Top of the board items of interest=== |
||
| + | {| class="wikitable" | |
||
| + | ! Label |
||
| + | ! Chip |
||
| + | ! Datasheet |
||
| + | ! Noted |
||
| + | |- |
||
| + | | D1 |
||
| + | | rowspan="3" | Low Power Consumption Voltage Regulator with ON/OFF Switch |
||
| + | | rowspan="3" | http://www.s-manuals.com/pdf/datasheet/x/c/xc6215_series_torex.pdf |
||
| + | | |
||
| + | |- |
||
| + | | D5 |
||
| + | | |
||
| + | |- |
||
| + | | D6 |
||
| + | | Tied to TX and an input voltage of 3.3V on the UART J5 pads, this may be a protection in case the host shorts? |
||
| + | |- |
||
| + | | U1 |
||
| + | | rowspan="2" | Micrel 2026A Dual-Channel Power Distribution Switch |
||
| + | | rowspan="2" | https://web.archive.org/web/20141010122122/http://www.xilinx.com/products/boards/ml510/datasheets/mic2076-2bm.pdf |
||
| + | | |
||
| + | |- |
||
| + | | U2 |
||
| + | | |
||
| + | |- |
||
| + | | U3 |
||
| + | | FTDI FT232RQ UART IC |
||
| + | | http://www.ftdichip.com/Support/Documents/DataSheets/ICs/DS_FT232R.pdf |
||
| + | | Handles stoplight LED controls |
||
| + | |- |
||
| + | | U4 |
||
| + | | Micrel MIC5219 |
||
| + | | http://datasheet.datasheetarchive.com/originals/library/Datasheets-EDS7/DSAEDA000124178.pdf |
||
| + | | 500mA Peak Output LDO Regulator |
||
| + | |- |
||
| + | | U5 |
||
| + | | FTDI FT232RQ UART IC |
||
| + | | http://www.ftdichip.com/Support/Documents/DataSheets/ICs/DS_FT232R.pdf |
||
| + | | Handles serial mux interface from iPhone |
||
| + | |- |
||
| + | | U6 |
||
| + | | SMSC USB2514 4-port USB hub |
||
| + | | http://www.mouser.com/catalog/specsheets/2514.pdf |
||
| + | | |
||
| + | * The use of this deprecates the previous "Y" style cable, which used two separate USB cables for serial and iPhone data communication |
||
| + | * Three ports are used: |
||
| + | *# iPhone Data USB |
||
| + | *# U4 FTDI IC |
||
| + | *# U5 FTDI IC |
||
| + | |- |
||
| + | | U7 |
||
| + | | Microchip 24AA04/24LC04B |
||
| + | | http://ww1.microchip.com/downloads/en/DeviceDoc/21708G.pdf |
||
| + | | I2C Serial EEPROM (TSSOP Package) |
||
| + | |- |
||
| + | | X1 |
||
| + | | MKC 24 MHz Oscillator |
||
| + | | {{n/a}} |
||
| + | | I'm not 100% sure about the value of the chip, but this should be correct |
||
| + | |} |
||
| + | === Back of the board items of interest === |
||
| − | U1 / U2 - Micrel 2026A Dual-Channel Power Distribution Switch |
||
| + | {| class="wikitable" | |
||
| − | :'''Datasheet;''' http://www.xilinx.com/products/boards/ml510/datasheets/mic2076-2bm.pdf |
||
| + | ! Label |
||
| + | ! Notes |
||
| + | |- |
||
| + | | J9 |
||
| + | | rowspan="4" | I believe these are used to flash the U7 EEPROM with USB IDs for use by the SMSC USB Hub, I have yet to dump the contents of the EEPROM to find out for sure. |
||
| + | |- |
||
| + | | J10 |
||
| + | |- |
||
| + | | J11 |
||
| + | |- |
||
| + | | J12 |
||
| + | |} |
||
| + | == 'DCSD 3.1' PCB == |
||
| − | X1 - MKC 24Mhz Oscillator |
||
| + | This cable is made specifically for USB-C devices such as the newer models in the iPad Pro line, this cable also supports USB 3.1. |
||
| − | :Notes; |
||
| + | USB connection from the main board splits out into a Y-style cable but turns back into one connection in the USB-A male connector . |
||
| − | ::I'm not 100% sure about the value of the chip, but this should be correct |
||
| + | === Top of the board items of interest === |
||
| − | U3 - FTDI FT232RQ UART IC |
||
| + | {| class="wikitable" | |
||
| − | :'''Usage;''' |
||
| + | ! Label |
||
| − | ::Handles stoplight LED controls |
||
| + | ! Chip |
||
| − | :'''Datasheet;''' http://www.ftdichip.com/Support/Documents/DataSheets/ICs/DS_FT232R.pdf |
||
| + | ! Datasheet |
||
| + | ! Notes |
||
| + | |- |
||
| + | | U4 |
||
| + | | FTDI FT232RQ UART IC |
||
| + | | http://www.ftdichip.com/Support/Documents/DataSheets/ICs/DS_FT232R.pdf |
||
| + | | Handles stoplight LED controls |
||
| + | |- |
||
| + | | J2A |
||
| + | | |
||
| + | | |
||
| + | | Presumably test points for UART |
||
| + | |- |
||
| + | | USB-A male connector |
||
| + | | |
||
| + | | |
||
| + | | I haven't actually cut into the hard plastics yet but I presume this is where the actual USB hub is hosted. |
||
| + | |} |
||
| + | === Back of the board items of interest === |
||
| − | U4 - Micrel MIC5219 |
||
| + | There's not much on the back of the board that you couldn't technically see from the front, no ICs or anything of interest really. |
||
| − | :'''Description;''' 500mA-Peak Output LDO Regulator |
||
| − | :'''Datasheet;''' http://datasheet.datasheetarchive.com/originals/library/Datasheets-EDS7/DSAEDA000124178.pdf |
||
| + | [[File:DCSD_USBC_3_1_annotated.png|right|thumb|Annotated photo of the DCSD 3.1 PCB]] |
||
| − | U5 - FTDI FT232RQ UART IC |
||
| − | :'''Usage;''' |
||
| − | ::Handles serial mux interface from iPhone |
||
| − | :'''Datasheet;''' http://www.ftdichip.com/Support/Documents/DataSheets/ICs/DS_FT232R.pdf |
||
| + | === Other notes === |
||
| − | U6 - SMSC USB2514 4-port USB hub |
||
| + | * The [[Lightning Connector]] has a specific Accessory ID flashed to it for enabling serial via the Tristar chip. |
||
| − | :'''Datasheet;''' http://www.mouser.com/catalog/specsheets/2514.pdf |
||
| + | * This PCB is quite easy to replicate, but without the proper Accessory ID you will need to mimic the protocol similar to how key2fr did in his [http://ramtin-amin.fr/#tristar research]. |
||
| − | :'''Notes;''' |
||
| + | * In theory, you can use the Tristar for JTAG through a similar board, but JTAG gets disabled by the device during boot due to production fusing status. |
||
| − | ::The use of this deprecates the previous "Y" style cable, which used two separate USB cables for serial and iPhone data communication |
||
| + | * In USB-C capable Macs Apple takes care to note the low speed USB2 pins on the TOP or BOTTOM of the connector (which are usually identical to support passive USB-C <-> USB-A cables). This suggests that these pairs may be treated differently just like how the lightning DCSD cable had a proper TOP and BOTTOM side, which would provide a second USB device on the same plug. |
||
| − | ::Three ports are used; |
||
| − | :::iPhone Data USB |
||
| − | :::U4 FTDI IC |
||
| − | :::U5 FTDI IC |
||
| + | == Uses == |
||
| − | U7 - Microchip 24AA04/24LC04B |
||
| − | :'''Description;''' I2C Serial EEPROM(TSSOP Package) |
||
| − | :'''Datasheet;''' http://ww1.microchip.com/downloads/en/DeviceDoc/21708G.pdf |
||
| + | === Verbose Boot === |
||
| − | D1 / D6 / D5 - Torex XC6215 |
||
| + | One use of the cable was to view verbose boot. You could access this by setting [[Debug-uarts_(iBoot_variable)|debug uarts]] in [[iRecovery]] or nvram, however, since iOS 9, this output has been obfuscated. |
||
| − | :'''Description;''' A Low Power Consumption Voltage Regulator with ON/OFF Switch |
||
| − | :'''Datasheet;''' http://www.s-manuals.com/pdf/datasheet/x/c/xc6215_series_torex.pdf |
||
| − | :'''Notes;''' |
||
| − | ::D6 is tied to TX and an input voltage of 3.3v on the UART J5 pads, this may be a protection in case the host shorts? |
||
| + | === Shell over serial === |
||
| − | '''Back of the board;''' |
||
| + | Using [http://twitter.com/qwertyoruiopz qwertyoruiopz's] [https://twitter.com/qwertyoruiopz/status/711455055401099264 serialsh], it is possible to get shell over serial. This is useful, because it does not require any additional daemons other than those shipped with iOS. An example use case for this would be protecting against bootloops. |
||
| + | === Debugging the kernel === |
||
| − | J11 / J10 / J9 / J12 |
||
| + | Using the DCSD cable, it is possible to attach GDB to the iOS kernel, and pause it's running. |
||
| − | :I believe these are used to flash the U7 EEPROM with USB IDs for use by the SMSC USB Hub, I have yet to dump the contents of the EEPROM to find out for sure. |
||
| + | [[Category:Cables]] |
||
| − | |||
| − | '''Other notes;''' |
||
| − | :The lightning connector has a specific Accessory ID flashed to it for enabling serial via the Tristar chip. |
||
| − | :This PCB is quite easy to replicate, but without the proper Accessory ID you will need to mimic the protocol similar to how key2fr did in his [http://ramtin-amin.fr/#tristar research]. |
||
| − | :In theory, you can use the Tristar for JTAG through a similar board, but JTAG gets enabled by the device during boot due to production fusing status. |
||
Latest revision as of 03:52, 21 December 2020
The DCSD Alex cable is used in factories to communicate over serial to run tests and write to the SysCfg (for serial definitions, etc) during production. These cables are produced by ShenZhen Alex Connector Co., Ltd. in China. They can be purchased from obscure markets. There are two known types of DCSD cable. An older one, with lights and only one USB female USB connector, and a newer model, which lacks lights, and has two female USB connectors.
Contents
'DCSD Alex' PCB
Top of the board items of interest
| Label | Chip | Datasheet | Noted |
|---|---|---|---|
| D1 | Low Power Consumption Voltage Regulator with ON/OFF Switch | http://www.s-manuals.com/pdf/datasheet/x/c/xc6215_series_torex.pdf | |
| D5 | |||
| D6 | Tied to TX and an input voltage of 3.3V on the UART J5 pads, this may be a protection in case the host shorts? | ||
| U1 | Micrel 2026A Dual-Channel Power Distribution Switch | https://web.archive.org/web/20141010122122/http://www.xilinx.com/products/boards/ml510/datasheets/mic2076-2bm.pdf | |
| U2 | |||
| U3 | FTDI FT232RQ UART IC | http://www.ftdichip.com/Support/Documents/DataSheets/ICs/DS_FT232R.pdf | Handles stoplight LED controls |
| U4 | Micrel MIC5219 | http://datasheet.datasheetarchive.com/originals/library/Datasheets-EDS7/DSAEDA000124178.pdf | 500mA Peak Output LDO Regulator |
| U5 | FTDI FT232RQ UART IC | http://www.ftdichip.com/Support/Documents/DataSheets/ICs/DS_FT232R.pdf | Handles serial mux interface from iPhone |
| U6 | SMSC USB2514 4-port USB hub | http://www.mouser.com/catalog/specsheets/2514.pdf |
|
| U7 | Microchip 24AA04/24LC04B | http://ww1.microchip.com/downloads/en/DeviceDoc/21708G.pdf | I2C Serial EEPROM (TSSOP Package) |
| X1 | MKC 24 MHz Oscillator | N/A | I'm not 100% sure about the value of the chip, but this should be correct |
Back of the board items of interest
| Label | Notes |
|---|---|
| J9 | I believe these are used to flash the U7 EEPROM with USB IDs for use by the SMSC USB Hub, I have yet to dump the contents of the EEPROM to find out for sure. |
| J10 | |
| J11 | |
| J12 |
'DCSD 3.1' PCB
This cable is made specifically for USB-C devices such as the newer models in the iPad Pro line, this cable also supports USB 3.1. USB connection from the main board splits out into a Y-style cable but turns back into one connection in the USB-A male connector .
Top of the board items of interest
| Label | Chip | Datasheet | Notes |
|---|---|---|---|
| U4 | FTDI FT232RQ UART IC | http://www.ftdichip.com/Support/Documents/DataSheets/ICs/DS_FT232R.pdf | Handles stoplight LED controls |
| J2A | Presumably test points for UART | ||
| USB-A male connector | I haven't actually cut into the hard plastics yet but I presume this is where the actual USB hub is hosted. |
Back of the board items of interest
There's not much on the back of the board that you couldn't technically see from the front, no ICs or anything of interest really.
Other notes
- The Lightning Connector has a specific Accessory ID flashed to it for enabling serial via the Tristar chip.
- This PCB is quite easy to replicate, but without the proper Accessory ID you will need to mimic the protocol similar to how key2fr did in his research.
- In theory, you can use the Tristar for JTAG through a similar board, but JTAG gets disabled by the device during boot due to production fusing status.
- In USB-C capable Macs Apple takes care to note the low speed USB2 pins on the TOP or BOTTOM of the connector (which are usually identical to support passive USB-C <-> USB-A cables). This suggests that these pairs may be treated differently just like how the lightning DCSD cable had a proper TOP and BOTTOM side, which would provide a second USB device on the same plug.
Uses
Verbose Boot
One use of the cable was to view verbose boot. You could access this by setting debug uarts in iRecovery or nvram, however, since iOS 9, this output has been obfuscated.
Shell over serial
Using qwertyoruiopz's serialsh, it is possible to get shell over serial. This is useful, because it does not require any additional daemons other than those shipped with iOS. An example use case for this would be protecting against bootloops.
Debugging the kernel
Using the DCSD cable, it is possible to attach GDB to the iOS kernel, and pause it's running.
