Emulating iPhone On QEMU

[Georges Gagnerot] has been trying to emulate iOS and run iPhone software in a virtual environment. There were a few choices, and qemu-t8030 had a number of interesting features that you can check out in his post.

The project requires a patched QEMU, and [Georges] applied some basic jailbreaking techniques. The real problem, of course, was not having the Apple Silicon GPU. Older versions of iOS let you select software rendering, but that option is gone on newer versions. However, it was possible to patch the phone to still use software rendering. Apps that directly use Metal or OpenGL still won’t run, but that’s another problem.

There is a plan to explore forwarding GPU calls to a real device. However, that seems difficult, so it will have to wait for now.


Tech In Plain Sight: MagSafe, And How To Roll Your Own

Apple likes magnets. They started out with magnetic laptop chargers and then graduated to a system that magnetically holds the phone, charges it, and can facilitate communication between the phone and a charger or other device. Even if you are like me and have no Apple devices, you can retrofit other phones to use MagSafe accessories. In fact, with a little work, you can build your own devices. Regardless, the technology is a clever and simple hack, and we are just a little sorry we didn’t think of it.

Terms

Using a magnet to attach a phone isn’t a new idea. But, historically, the phone had either a metal back or an adhesive metal plate attached that would stick to the magnet. This wouldn’t necessarily help with charging, but it was perfectly fine for holding the device. The problem is that it is hard to wirelessly charge the phone through the metal.

MagSafe can do several different things. Obviously, it can attach the phone magnetically. However, since the magnet is a ring shape, you can still have a charging coil in the middle of the ring. Better still, the MagSafe system will align the phone and charger with a satisfying click when you put them together.


iPhone 15 Gets Dual SIM Through FPC Patch

It can often feel like modern devices are less hackable than their thicker and far less integrated predecessors, but perhaps it’s just that our techniques need to catch up. Here’s an outstanding hack that adds a dual SIM slot to a US-sold eSIM iPhone 15/15 Pro, while preserving its exclusive mmWave module. Making use of the boardview files and schematics, it shows us that smartphone modding isn’t dead — it may be that we just need to acknowledge the new tools we now have at our disposal.

When different hardware features are region-locked, sometimes you want to get the best of both worlds. This mod lets you go the entire length seamlessly, with no bodges. It uses a lovely looking flexible printed circuit (FPC) patch board to tap into a debug header carrying the SIM slot signals, and provides a customized Li-ion pouch cell with a cutout for the SIM slot. There’s just the small matter of using a CNC mill to make a cutout in the case where the SIM slot will go, and you’ll need to cut a buried trace to disable the eSIM module. Hey, we mentioned our skills needed to catch up, right? From there, it appears that iOS recognizes the two new SIM slots seamlessly.

The video is impressive and absolutely worth a watch if modding is your passion, and if you have a suitable CNC and a soldering iron, you can likely install this mod yourself. Of course, you lose some things, like waterproofing, the eSIM feature, and your warranty. However, nothing could detract from this being a fully functional mod kit for a modern-day phone, an inspiration for us all. Now, perhaps one of us can take a look at building a mod that helps us do parts transplants between phones, parts pairing be damned.


The FPC adapter shown soldered between the BGA chip and the phone’s mainboard, with the phone having successfully booted and displaying an unlock prompt on the screen.

iPhone 6S NVMe Chip Tapped Using A Flexible PCB

Psst! Hey kid! Want to reverse-engineer some iPhones? Well, did you know that modern iPhones use PCIe, and specifically, NVMe for their storage chips? And if so, have you ever wondered about sniffing those communications? Wonder no more, as this research team shows us how they tapped them with a flexible printed circuit (FPC) BGA interposer on an iPhone 6S, the first iPhone to use NVMe-based storage.

The research was done by [Mohamed Amine Khelif], [Jordane Lorandel], and [Olivier Romain], and it shows us all the nitty-gritty of getting at the NVMe chip — provided you’re comfortable with BGA soldering and perhaps have an X-ray machine handy to check for mistakes. As the research progressed, they successfully removed the memory chip, dealing with underfill and BGA soldering nuances along the way, and added a 1:1 FR4 interposer board for a first test, which proved successful. Then, they made an FPC interposer that also taps into the signal and data pins, soldered the flash chip on top of it, successfully booted the iPhone 6S, and scoped the data lines for us to see.

This is looking like the beginnings of a fun platform for iOS or iPhone hardware reverse-engineering, and we’re waiting for further results with bated breath! This team of researchers in particular is prolific, having already been poking at things like MITM attacks on I2C and PCIe, as well as IoT device and smartphone security research. We haven’t seen any Eagle CAD files for the interposers published, but thankfully, most of the know-how is about the soldering technique, and the paper describes plenty. Want to learn more about these chips? We’ve covered a different hacker taking a stab at reusing them before. Or perhaps, would you like to know NVMe in more depth? If so, we’ve got just the article for you.

We thank [FedX] for sharing this with us on the Hackaday Discord server!

Apple AirTag being opened to remove the sounder.

Apple AirTag: Antitheft Or Antistalking?

Occasionally, the extra features added to a product can negate some of the reasons you wanted to buy the thing in the first place. Take, for example, Apple’s AirTag — billed as an affordable way to link your physical stuff to your phone. If some light-fingered ne’er-do-well wanders by and half-inches your gear, you get notified. The thing is, the AirTag also has an anti-stalking measure which, after a while, notifies nearby iPhones should the tag move while not being near your iPhone!

In a recent video, [David Manning] explains that this feature is great for preventing the device from being used to track people. But it also means that if said thief happens to own an iPhone, they will be notified of the nearby tag, and can find it and disable it. So in the end, it’s a bit less useful as an anti-theft measure!

The solution is to pop the back off the tag and yank out the little sounder module from the rear plastic. You lose the ability to locate the tag audibly, but you gain a little more chance of returning your stolen goods. Apple could easily remove this feature with a firmware update, but it’s a matter of picking your poison: antistalking or antitheft?


Stereo Photography With Smartphones Made Better With Syncing

Stereo photography has been around for almost as long as photography itself, and it remains a popular way to capture a scene in its 3D glory. Yet despite the fact that pretty much everyone carries one or more cameras with them every day in the form of a smartphone, carrying a stereo photography-capable system with you remains tricky. As [Pascal Martiné] explains in a How-To article, although you can take two smartphones with you, syncing up both cameras to get a stereo image isn’t so straightforward, even though this is essential if you want to prevent jarring shifts between the left and right image.

Custom-made twin shutter. (Credit: Pascal Martiné)

Fortunately, having two of the exact same smartphone with the exact same camera modules is not an absolute requirement, as apps like i3DStereoid offer auto-adjustments. But triggering the camera on each phone at the same moment is essential. The usual assortment of wireless remote triggers doesn’t work well here, and the twin-pairing in i3DStereoid had too much delay for dynamic scenes. This left the wired remote trigger option, but with a dearth of existing stereo trigger options, [Pascal] was forced to make his own for two iPhones out of Apple Lightning cables and wired earbud volume controls.

Although the initial prototype more or less worked, [Pascal] found that each iPhone would often ‘decide’ to release the shutter at a slightly different time, requiring multiple attempts to get the perfect shot. This led him down a rabbit hole of investigating different camera apps and configurations to make shutter delay as deterministic as possible. Much of the variation turned out to be due to auto exposure and auto focus; enabling AE/AF lock drastically increased the success rate, though this has to be done manually before each shot as an extra step.

With this one tweak, he found that most of the stereo photo pairs are now perfectly synced, while occasionally there is roughly 3 ms of jitter, the cause of which he hasn’t tracked down yet, but which could be due to the camera app or iOS being busy with something else.

In the end, this iPhone-based stereo photography setup might not be as reliable or capable as some of the purpose-built rigs we’ve covered over the years, but it does get extra points for portability.

37C3: When Apple Ditches Lightning, Hack USB-C

[Thomas Roth], aka [Ghidraninja], and author of the [Stacksmashing] YouTube channel, investigated Apple’s Lightning port and created a cool debugging tool that allowed one to get JTAG on the device. Then, Apple went to USB-C for their new phones, and all his work went to waste. Oh well, start again — and take a look at USB-C.

It turns out, though, that the iPhone 15 uses the vendor-defined messages (VDM) capability of USB-PD to expose all sorts of fun features. Others had explored the VDM capabilities on Mac notebooks, and it turns out that the VDM messages on the phone are the same. With some more fiddling, he got a serial port and JTAG up and running. But JTAG is locked down in production devices, so that will have to wait for an iPhone 15 jailbreak. So he went poking around elsewhere.

He found some other curious signals that turned out to be System Power Management Interface (SPMI), one of the horribly closed and NDA-documented dialects owned by the MIPI Alliance. Digging around on the Interwebs, he found enough documentation to build an open-source SPMI plugin that he said should be out on his GitHub soon.

The end result? He reworked his old Lightning hardware tool for USB-C and poked around enough in the various available protocols to get a foothold on serial, JTAG, and SPMI. This is just the beginning, but if you’re interested in playing with the new iPhone, this talk is a great place to start. Want to know all about USB-C? We’ve got plenty of reading for you.