I am trying to get set up to do some kernel-level debugging on iOS based on Stefan Esser's presentation (Targeting the iOS Kernel).

I've got nearly all of the pieces (cable, SerialKDPProxy, redsn0w) and I believe they are all working correctly. However, the tiny piece I am having trouble with is setting the boot-arg "debug". In the boot-arg field in the redsn0w app, I have tried:

debug=9 debug=0x09 debug=0x01 --debug=0x09

and many other variants with an iPhone 4 running iOS 4.3.3.

However, the iPhone boots normally all of the time and I would have expected it to halt the process at some point.

I am wondering if anyone has successfully set this up and could answer this question.

Thank you.

asked 12 Oct '11, 21:57
seanmcbride84

Has anyone found an answer for this? I am also trying the experiment and have all the hardware set up. Thanks!!

(27 Oct '11, 10:00) gigasai

Hi, I can't set boot-args on redsn0w 0.9.10b5c on the iPhone 3G. It boots up normally.. please reply

(15 Feb '12, 06:25) harrypale

Try asking @comex and all those famous jailbreakers like @chpwn or something.

answered 28 Oct '11, 00:58

sfiq12

Update (tidied using inline code): I managed to get it halted at the pineapple logo using redsn0w 0.9.8b4 on my iPhone 3GS (4.3.2). The flags I used are "debug=0x9 kdp_match_name=serial". SerialKDPProxy also managed to capture the following traffic when the phone boots:

@^@^@^@^@Debugger message: inline call to debugger(machine_startup)
OS version: Not set yet
Kernel version: Darwin Kernel Version 11.0.0: Wed Mar 30 18:44:45 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_S5L8920X
iBoot version: iBoot-1072.61
secure boot?: NO
Paniclog version: 1
Epoch Time:        sec       usec
  Boot    : 0x00000000 0x00000000
  Sleep   : 0x00000000 0x00000000
  Wake    : 0x00000000 0x00000000
  Calendar: 0x00000016 0x0005bcff
Task 0x80da8c60: 73 pages, 6 threads: unknown task
^Ithread 0x8029f720
^I^Ikernel backtrace: c5a23eb0
^I^I  lr: 0x8006de75  fp: 0xc5a23edc
^I^I  lr: 0x8006e0df  fp: 0xc5a23efc
^I^I  lr: 0x8006e19f  fp: 0xc5a23f04
^I^I  lr: 0x8007402b  fp: 0xc5a23f0c
^I^I  lr: 0x8000a9a1  fp: 0xc5a23f38
^I^I  lr: 0x8000ac89  fp: 0xc5a23f9c
^I^I  lr: 0x80020cf7  fp: 0xc5a23fa8
^I^I  lr: 0x8006c31c  fp: 0x00000000
Debugger message: inline call to debugger(machine_startup)
OS version: Not set yet
Kernel version: Darwin Kernel Version 11.0.0: Wed Mar 30 18:44:45 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_S5L8920X
iBoot version: iBoot-1072.61
secure boot?: NO
Paniclog version: 1
Epoch Time:        sec       usec
  Boot    : 0x00000000 0x00000000
  Sleep   : 0x00000000 0x00000000
  Wake    : 0x00000000 0x00000000
  Calendar: 0x00000016 0x000765e5
*  Dumping thread state and stacks *
Task 0x80da8c60: 73 pages, 6 threads: unknown task
thread 0x8029f720
kernel backtrace: c5a23edc
lr: 0x8006e0e7  fp: 0xc5a23efc
lr: 0x8006e19f  fp: 0xc5a23f04
lr: 0x8007402b  fp: 0xc5a23f0c
lr: 0x8000a9a1  fp: 0xc5a23f38
lr: 0x8000ac89  fp: 0xc5a23f9c
lr: 0x80020cf7  fp: 0xc5a23fa8
lr: 0x8006c31c  fp: 0x00000000
thread 0xc0446b00
kernel continuation: 0x8001fd35
thread 0xc0446650
kernel continuation: 0x8002011d
thread 0xc04461a0
kernel continuation: 0x80024b29
thread 0xc0445cf0
kernel continuation: 0x80024fa5
thread 0xc0445840
kernel continuation: 0x80025c2d
Received 10 bytes from port 49707...and ouput over serial

Yes, at the end of the line you see the serial output of something from UDP-GDB. However, GDB kept timing out and the TX LEDs on my FT232RL don't seem to be lighting up...

@seanmcbride84, which serial device did you connect to? Was it /dev/tty.usbserial-A800f81s or /dev/cu.usbserial-A800f81s? Hope you're progressing faster than I did!

answered 28 Oct '11, 06:40

gigasai
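The serial capture quoted in this answer is just text, and the interesting part (which task and thread halted, the lr/fp chain of the backtrace, and whether the dump was cut short) is easier to inspect once it is structured. Below is an added example, not code from the thread or from SerialKDPProxy, that parses a capture in that format. The sample is a trimmed copy of the capture above; the `^I` and `^@` sequences are treated as the escaped tab and NUL characters the terminal showed, which is an assumption about how the capture was rendered.

```python
"""Parse a KDP paniclog/backtrace dump captured over serial.

Added example, not from the thread. The format follows the capture quoted
in this answer; SAMPLE is a trimmed copy of it.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Trimmed copy of the capture above (first dump, two of the six threads).
SAMPLE = """\
@^@^@^@^@Debugger message: inline call to debugger(machine_startup)
OS version: Not set yet
Kernel version: Darwin Kernel Version 11.0.0: Wed Mar 30 18:44:45 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_S5L8920X
iBoot version: iBoot-1072.61
secure boot?: NO
Task 0x80da8c60: 73 pages, 6 threads: unknown task
^Ithread 0x8029f720
^I^Ikernel backtrace: c5a23eb0
^I^I  lr: 0x8006de75  fp: 0xc5a23edc
^I^I  lr: 0x8006e0df  fp: 0xc5a23efc
^I^I  lr: 0x8006c31c  fp: 0x00000000
^Ithread 0xc0446b00
^I^Ikernel continuation: 0x8001fd35
"""


@dataclass
class Thread:
    id: int
    frames: List[Tuple[int, int]]          # (lr, fp) pairs, innermost first
    continuation: Optional[int] = None     # set for threads parked in a continuation


@dataclass
class Task:
    id: int
    pages: int
    nthreads: int                          # count claimed by the "Task ..." header
    name: str
    threads: List[Thread] = field(default_factory=list)


@dataclass
class PanicLog:
    header: Dict[str, str]
    tasks: List[Task]


HEADER_RE = re.compile(r"^(Debugger message|OS version|Kernel version|iBoot version|secure boot\?): (.*)$")
TASK_RE = re.compile(r"^Task (0x[0-9a-f]+): (\d+) pages, (\d+) threads: (.*)$")
THREAD_RE = re.compile(r"^thread (0x[0-9a-f]+)$")
FRAME_RE = re.compile(r"^lr: (0x[0-9a-f]+)\s+fp: (0x[0-9a-f]+)$")
CONT_RE = re.compile(r"^kernel continuation: (0x[0-9a-f]+)$")


def clean(line: str) -> str:
    """Undo the terminal's escaping: ^I was a tab, ^@ a NUL before the banner."""
    return line.replace("^I", " ").replace("^@", "").lstrip("@").strip()


def parse_paniclog(text: str) -> PanicLog:
    header: Dict[str, str] = {}
    tasks: List[Task] = []
    task: Optional[Task] = None
    thread: Optional[Thread] = None
    for raw in text.splitlines():
        line = clean(raw)
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2)
            continue
        m = TASK_RE.match(line)
        if m:
            task = Task(int(m.group(1), 16), int(m.group(2)), int(m.group(3)), m.group(4))
            tasks.append(task)
            continue
        m = THREAD_RE.match(line)
        if m and task is not None:
            thread = Thread(int(m.group(1), 16), [])
            task.threads.append(thread)
            continue
        m = FRAME_RE.match(line)
        if m and thread is not None:
            thread.frames.append((int(m.group(1), 16), int(m.group(2), 16)))
            continue
        m = CONT_RE.match(line)
        if m and thread is not None:
            thread.continuation = int(m.group(1), 16)
    return PanicLog(header, tasks)


def capture_complete(log: PanicLog) -> bool:
    """False when a task header promises more threads than the dump delivered,
    which is what a serial capture that was interrupted mid-dump looks like."""
    return all(len(t.threads) == t.nthreads for t in log.tasks)


if __name__ == "__main__":
    log = parse_paniclog(SAMPLE)
    print(log.header["Kernel version"])
    for t in log.tasks:
        for th in t.threads:
            print("thread 0x%x: %d frames, continuation=%r" % (th.id, len(th.frames), th.continuation))
    print("complete dump:", capture_complete(log))
```

Run against the full capture above, the first dump reports one thread against a header claiming six, i.e. it was cut off before the second "Debugger message" banner, which is the kind of thing worth checking before concluding the debugger itself is misbehaving.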

So?

(28 Oct '11, 07:05) sfiq12

Where did you download SerialKDPProxy from and what version of redsn0w are you using? Maybe I can help with this info.

(15 Dec '11, 20:56) rbcasale

Hi,

Thanks for answering, I downloaded SerialKDPProxy from http://tgwbd.org/svn/Darwin/SerialKDPProxy/trunk/. I used redsn0w 0.9.9b on Snow Leopard. I am also using the iOS 5 SDK (not the 5.1 beta).

(15 Dec '11, 21:35) gigasai

OK, and also what cables are you using, and what steps are you using to get to the debug?

(16 Dec '11, 07:22) rbcasale

I soldered the setup exactly like Stefan's SyScan '11 slides mentioned. link text

I also tested the communications by running minicom on the iPhone (downloaded from Cydia) and installed the FT232RL drivers from the manufacturer's site for my Mac. They are all OK. It's only when I start ./SerialKDPProxy dev/cu.usbserial-A800f81s that it doesn't seem to be forwarding the UDP packets to serial (no LED is flashing with every packet forwarded by SerialKDPProxy as indicated in the terminal).

I've also got redsn0w to successfully halt the boot. I suspect the SerialKDPProxy code is not in the correct mode.. It seems so near yet so far..

(16 Dec '11, 09:09) gigasai

To flag to turn off booting, changing the debug to a memory location won't help. All that does is turn off debugging.

There is some documentation around, so I'd recommend going to the iPhone Wiki. If I recall correctly there is a flag you can set for switching autoboot on/off.

answered 12 Oct '11, 22:12

matoetheiostream

edited 12 Oct '11, 22:18

I am sorry, I don't understand this answer. I am not attempting to change debug to a memory location, but to say that I want to enable the DB_HALT (0x01) and DB_KPRT (0x08) debug flags mentioned in Esser's presentation on enabling kernel debugging. There does not appear to be any documentation at http://theiphonewiki.com. What I need to know is what string to enter in the redsn0w field that allows one to set the boot-arg which enables these flags.

(13 Oct '11, 07:56) seanmcbride84

Has anyone found an answer for this? I am also trying the experiment and have all the hardware set up. Thanks!!

(27 Oct '11, 10:01) gigasai

Hi Harry,

Are you running iOS 5? You should be calling redsn0w from the terminal by cd-ing into the redsn0w.app folder.

answered 16 Feb '12, 06:43

gigasai

No, I have an iPhone 3G with iOS 4.2.1.

(16 Feb '12, 07:45) harrypale

gigasai, please email me: harrypale@hotmail.it. I can't set boot-args. It boots normally.

(16 Feb '12, 14:16) harrypale

Is your device jailbroken?

The command is:

1) cd ~/Downloads/redsn0w_mac_0.9.8b4/redsn0w.app/Contents/MacOS/
2) ./redsn0w -i <specified-ipsw> -a "debug=0x9 kdp_match_name=serial"

For those with trouble connecting using SerialKDPProxy try this version: link text

(16 Feb '12, 20:27) gigasai
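The thread's whole difficulty is a one-line string: the value after `debug=` is a bitmask, and the variants the question tried (`debug=9`, `debug=0x09`, `--debug=0x09`) are not all the same boot-arg. The following is an added example, not code from the thread or from redsn0w, that decodes a `debug=` value into flag names and checks a boot-args string for the mistakes seen here (a dashed key, a missing or hyphenated `kdp_match_name`). DB_HALT (0x01) and DB_KPRT (0x08) are the values the thread gives; the neighbouring bit names are taken from XNU's osfmk/kern/debug.h, and the warning texts are my own.

```python
"""Decode an XNU ``debug=`` boot-arg and sanity-check a redsn0w -a string.

Added example, not code from this thread or from redsn0w. DB_HALT (0x01)
and DB_KPRT (0x08) are the two flags the thread names; the other values
are the neighbouring bits from XNU's osfmk/kern/debug.h.
"""

DEBUG_FLAGS = {
    0x01: "DB_HALT",         # stop in the debugger during boot (named in the thread)
    0x02: "DB_PRT",          # kernel printf output to the console
    0x04: "DB_NMI",          # an NMI enters the debugger
    0x08: "DB_KPRT",         # kprintf output to the serial port (named in the thread)
    0x10: "DB_KDB",
    0x20: "DB_SLOG",
    0x40: "DB_ARP",
    0x80: "DB_KDP_BP_DIS",
}
KNOWN_MASK = sum(DEBUG_FLAGS)


def parse_boot_args(boot_args: str) -> dict:
    """Split "k=v k2=v2 bare" into a dict; bare words map to an empty string."""
    args = {}
    for token in boot_args.split():
        key, _, value = token.partition("=")
        args[key] = value
    return args


def parse_int(value: str) -> int:
    """Accept the numeric forms the thread tried: "9", "0x9", "0x09"."""
    v = value.strip().lower()
    if v.startswith("0x"):
        return int(v[2:], 16)
    return int(v, 10)


def decode_debug(value: int) -> list:
    """Return the flag names set in a debug= value, lowest bit first."""
    names = [name for bit, name in sorted(DEBUG_FLAGS.items()) if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append("unknown(0x%x)" % unknown)
    return names


def check_kernel_debug_args(boot_args: str) -> dict:
    """Report which debug flags a boot-args string enables and warn about the
    mistakes seen in the thread: a dashed key, a hyphenated kdp_match_name,
    a value that is not a number, or DB_HALT with no KDP transport named."""
    args = parse_boot_args(boot_args)
    report = {"debug": [], "warnings": []}

    for key in args:
        if key != "debug" and key.lstrip("-") == "debug":
            report["warnings"].append(
                "'%s' is a different key from 'debug'; drop the leading dashes" % key)
        if key != "kdp_match_name" and key.replace("-", "_") == "kdp_match_name":
            report["warnings"].append(
                "'%s' should be spelled kdp_match_name (underscores)" % key)

    if "debug" in args:
        try:
            report["debug"] = decode_debug(parse_int(args["debug"]))
        except ValueError:
            report["warnings"].append("debug=%r is not a number" % args["debug"])

    if "DB_HALT" in report["debug"] and "kdp_match_name" not in args:
        report["warnings"].append(
            "DB_HALT set without kdp_match_name; the working config in this "
            "thread uses kdp_match_name=serial")
    return report


def redsn0w_boot_args(flags: int, transport: str = "serial") -> str:
    """Build the string to pass after redsn0w's -a, as in the thread."""
    return "debug=0x%x kdp_match_name=%s" % (flags, transport)


if __name__ == "__main__":
    for s in ("debug=9", "debug=0x09", "--debug=0x09",
              "debug=0x9 kdp-match-name=serial",
              redsn0w_boot_args(0x01 | 0x08)):
        print(s, "->", check_kernel_debug_args(s))
```

Note that `debug=9` and `debug=0x09` decode to the same two flags, so the question's value was fine; what the checker flags is the `--debug` form, which is a different key entirely, and the hyphenated `kdp-match-name`, which the kernel will not match against `kdp_match_name`.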

I have 4.2.1 jailbroken (iPhone 3G). I already compiled SerialKDPProxy; must I do a tethered boot or re-jailbreak? If I do a tethered boot, it boots normally.

(17 Feb '12, 08:27) harrypale

Asked: 12 Oct '11, 21:57

Seen: 6,548 times

Last updated: 17 Feb '12, 08:27