How Apple Lightning Video Adapter Works
This is my little Twitter thread about Lightning video adapters, also known as Haywire, which are actually Apple Secure Boot computers with Darwin core.
There are two types of Haywire:
Both support video up to 1080p and use the same SoC - S5L8747. Chip number H9TKNNN2GD. According to the iPhone Wiki, it has 256 MB of RAM. Nothing more is known.
Unfortunately, these adapters have terrible quality. The HDMI adapter received 2 out of 5 stars on the Apple Store in the United States, and reviews for it are approximately the following:
My b137 suffered the same fate, so there was an opportunity to disassemble it. Here's how it looks without plastic:
So, destroy the metal case with pliers.
These copper contacts are test points: some must be UART and SWD (both are not available through Lightning):
Haywire itself does not store any firmware (well, except for SecureROM), so iOS must download it every time. The firmware is quite small, about 25 MB in uncompressed form. It comes as a predefined resource with iOS and / or it can be downloaded. Here is the folder structure:
The firmware is pre-signed and does not require any personalization. APTicket, although used, is still static, that is, it is not tied to any ECID and nonce.
Unlike all other devices starting with iOS 5, iBSS for Haywire has Recovery mode with an interactive shell. It is used to load the kernel cache via USB (along with DeviceTree and ramdisk, of course).
Some interesting ramdisk software information here .
Image3 in iBSS has a weird, previously unknown 'RAND' tag containing a 64-bit integer and some padding. I could not find what this tag means, even in the iBoot source code leak. In addition, he always has only one KBAG:
Its SecureROM (iBoot-1413.8 in the latest version of the chip), as you know, is reset using hardware tricks. At least one person has. I asked him for a dump, but was refused for an obvious reason. According to him, ROM is very similar to the A6.
According to leaked iBoot sources, Haywire uses SPI NOR flash memory, and it is in commercial copies, but it does not seem to be formatted, since the saveenv command in iBoot does not work:
You can easily connect Haywire to a PC, because it is essentially a USB device. All you need is a breakout board with Lightning contacts, a micro-USB mother and a few connecting wires:
Wiring diagram:
Please note that the iPhone initially gives 3.3 V, but on USB it gives 5 V. I'm not sure if this is a good idea, but it works. In any case, if you break something, it's not my fault.
And here is the result!
There are two types of Haywire:
- Lightning Digital AV Adapter (b137ap / iAccy1,1): adapter from Lightning to HDMI, supports video and audio.
')
- Lightning to VGA Adapter (b165ap / iAccy1,2) - does not support audio for an obvious reason.
Both support video up to 1080p and use the same SoC - S5L8747. Chip number H9TKNNN2GD. According to the iPhone Wiki, it has 256 MB of RAM. Nothing more is known.
Unfortunately, these adapters have terrible quality. The HDMI adapter received 2 out of 5 stars on the Apple Store in the United States, and reviews for it are approximately the following:
1 star out of 5
Stopped working after several uses! Waste of money!
I bought this Lightning video adapter for $ 50. I and the children really liked him. On the first evening everything worked fine! We were able to watch the movie through the application on the phone. The second time there were no problems either. But the third time he stopped working. I thought the problem was in the HDMI cable, so I went and bought a more expensive one. He returned home, connected it, but the situation has not changed! I tried on three different TVs, but to no avail! Last week I upgraded to the iPhone XR (it used to be the iPhone 6) and decided that now everything would work, but no! Absolutely waste of money! Apple makes great products, but it's definitely not one of them! Just disappointed. If I knew that he would fail in a few days, I would have spent $ 50 on something more useful for the kids.
Posted by Joyce W of Grand Rapids on July 19, 2019
My b137 suffered the same fate, so there was an opportunity to disassemble it. Here's how it looks without plastic:
So, destroy the metal case with pliers.
These copper contacts are test points: some must be UART and SWD (both are not available through Lightning):
Haywire itself does not store any firmware (well, except for SecureROM), so iOS must download it every time. The firmware is quite small, about 25 MB in uncompressed form. It comes as a predefined resource with iOS and / or it can be downloaded. Here is the folder structure:
The firmware is pre-signed and does not require any personalization. APTicket, although used, is still static, that is, it is not tied to any ECID and nonce.
Unlike all other devices starting with iOS 5, iBSS for Haywire has Recovery mode with an interactive shell. It is used to load the kernel cache via USB (along with DeviceTree and ramdisk, of course).
Some interesting ramdisk software information here .
Image3 in iBSS has a weird, previously unknown 'RAND' tag containing a 64-bit integer and some padding. I could not find what this tag means, even in the iBoot source code leak. In addition, he always has only one KBAG:
Memory allocation map:
0x20000000-0x20020000 - ROM (128 KB) 0x22000000-0x22020000 - SRAM (128 KB) (iBSS works from here) 0x8000000-0x18000000 - SDRAM (256 MB) 0x08000000-0x0B000000 - Download Area (48 MB) 0x0B000000-0x0DF00000 - Core (47 MB) 0x0DF00000-0x0E000000 - Device Tree (1 MB) 0x0E000000-0x11000000 - Ramdisk (48 MB) 0x11000000-0x17F00000 - Heap (111 MB) 0x17F00000-0x17FFC000 - iBoot (not used) (1008 kB) 0x17FFC000-0x18000000 - Panic (16kB)
Its SecureROM (iBoot-1413.8 in the latest version of the chip), as you know, is reset using hardware tricks. At least one person has. I asked him for a dump, but was refused for an obvious reason. According to him, ROM is very similar to the A6.
According to leaked iBoot sources, Haywire uses SPI NOR flash memory, and it is in commercial copies, but it does not seem to be formatted, since the saveenv command in iBoot does not work:
You can easily connect Haywire to a PC, because it is essentially a USB device. All you need is a breakout board with Lightning contacts, a micro-USB mother and a few connecting wires:
Wiring diagram:
GND -> GND L0p -> D + L0n -> D- ID1 (ACC_PWR1) -> VCC
Please note that the iPhone initially gives 3.3 V, but on USB it gives 5 V. I'm not sure if this is a good idea, but it works. In any case, if you break something, it's not my fault.
And here is the result!
Source: https://habr.com/ru/post/461607/
All Articles