The FPC adapter shown soldered between the BGA chip and the phone's mainboard, with the phone shown to have successfully booted, displaying an unlock prompt on the screen

IPhone 6S NVMe Chip Tapped Using A Flexible PCB

Psst! Hey kid! Want to reverse-engineer some iPhones? Well, did you know that modern iPhones use PCIe, and specifically, NVMe for their storage chips? And if so, have you ever wondered about sniffing those communications? Wonder no more, as this research team shows us how they tapped them with a flexible printed circuit (FPC) BGA interposer on an iPhone 6S, the first iPhone to use NVMe-based storage.

The research was done by [Mohamed Amine Khelif], [Jordane Lorandel], and [Olivier Romain], and it shows us all the nitty-gritty of getting at the NVMe chip — provided you’re comfortable with BGA soldering and perhaps have an X-ray machine handy to check for mistakes. As the research progressed, they successfully removed the memory chip, dealing with the underfill and BGA soldering nuances along the way, and added a 1:1 FR4 interposer board for a first test, which proved successful. Then they made an FPC interposer that also taps the signal and data pins, soldered the flash chip on top of it, successfully booted the iPhone 6S, and scoped the data lines for us to see.

This is looking like the beginnings of a fun platform for iOS or iPhone hardware reverse-engineering, and we’re waiting for further results with bated breath! This team of researchers in particular is prolific, having already been poking at things like MITM attacks on I2C and PCIe, as well as IoT device and smartphone security research. We haven’t seen any Eagle CAD files for the interposers published, but thankfully, most of the know-how is about the soldering technique, and the paper describes plenty. Want to learn more about these chips? We’ve covered a different hacker taking a stab at reusing them before. Or perhaps, would you like to know NVMe in more depth? If so, we’ve got just the article for you.

We thank [FedX] for sharing this with us on the Hackaday Discord server!

apple airtag being opened to remove the sounder

Apple AirTag: Antitheft Or Antistalking?

Occasionally, the extra features added to a product can negate some of the reasons you wanted to buy the thing in the first place. Take, for example, Apple’s AirTag — billed as an affordable way to link your physical stuff to your phone. If some light-fingered ne’er-do-well wanders by and half-inches your gear, you get notified. The thing is, the AirTag also has an anti-stalking measure, which after a while, notifies nearby iPhones, should the tag move but not be near your iPhone!

In a recent video, [David Manning] explains that this feature is great for preventing the device from being used to track people. But it also means that if said thief happens to own an iPhone, they will be notified of the nearby tag, and can find it and disable it. So in the end, it’s a bit less useful as an anti-theft measure!

The solution is to pop the back off the tag and yank out the little sounder module from the rear plastic. You lose the ability to locate the tag audibly, but you gain a little more chance of returning your stolen goods. Apple could easily remove this feature with a firmware update, but it’s a matter of picking your poison: antistalking or antitheft?


Stereo Photography With Smartphones Made Better With Syncing

Stereo photography has been around for almost as long as photography itself, and it remains a popular way to capture a scene in its 3D glory. Yet despite the fact that pretty much everyone carries one or more cameras with them every day in the form of a smartphone, carrying a stereo photography-capable system with you remains tricky. As [Pascal Martiné] explains in a How-To article, although you can take two smartphones with you, syncing up both cameras to get a stereo image isn’t so straightforward, even though this is essential if you want to prevent jarring shifts between the left and right image.

Custom made twin shutter. (Credit: Pascal Martiné)

Fortunately, having two of the exact same smartphone with the exact same camera modules is not an absolute requirement, as apps like i3DStereoid offer auto-adjustments. But triggering the camera on each phone at the same moment is essential. The usual assortment of wireless remote triggers doesn’t work well here, and the twin-pairing in i3DStereoid had too much delay for dynamic scenes. This left the wired remote trigger option, but with a dearth of existing stereo trigger options, [Pascal] was forced to make his own for two iPhones out of Apple Lightning cables and wired earbud volume controls.

Although the initial prototype more or less worked, [Pascal] found that each iPhone would often ‘decide’ to release the trigger at a slightly different time, requiring multiple attempts at the perfect shot. This led him down a rabbit hole of investigating different camera apps and configurations to make shutter delay as deterministic as possible. Much of this turned out to be due to auto exposure and auto focus, with enabling AE/AF lock drastically increasing the success rate, though this has to be done manually before each shot as an extra step.

With this one tweak, he found that most of the stereo photo pairs are now perfectly synced, while occasionally there is about 3 ms of jitter, the cause of which he hasn’t tracked down yet, but which could be due to the camera app or iOS being busy with something else.

In the end, this iPhone-based stereo photography setup might not be as reliable or capable as some of the purpose-built rigs we’ve covered over the years, but it does get extra points for portability.

37C3: When Apple Ditches Lightning, Hack USB-C

[Thomas Roth], aka [Ghidraninja], and author of the [Stacksmashing] YouTube channel, investigated Apple’s Lightning port and created a cool debugging tool that allowed one to get JTAG on the device. Then, Apple went to USB-C for their new phones, and all his work went to waste. Oh well, start again — and take a look at USB-C.

Turns out, though, that the iPhone 15 uses the vendor-defined messages (VDM) capability of USB-PD to get all sorts of fun features out. Others had explored the VDM capabilities on Mac notebooks, and it turns out that the VDM messages on the phone are the same. Some more fiddling, and he got a serial port and JTAG up and running. But JTAG is locked down in the production devices, so that will have to wait for an iPhone 15 jailbreak. So he went poking around elsewhere.

He found some other funny signals that turned out to be System Power Management Interface (SPMI), one of the horribly closed and NDA-documented dialects owned by the MIPI Alliance. Digging around on the Interwebs, he found enough documentation to build an open-source SPMI plugin that he said should be out on his GitHub soon.

The end result? He reworked his old Lightning hardware tool for USB-C and poked around enough in the various available protocols to get a foothold on serial, JTAG, and SPMI. This is just the beginning, but if you’re interested in playing with the new iPhone, this talk is a great place to start. Want to know all about USB-C? We’ve got plenty of reading for you.

Reverse Engineering The Apple Lightning Connector

A frequent contributor to the hacker community, [stacksmashing] has prepared an excellent instructional video on reverse engineering the proprietary protocol of Apple’s Lightning connector. The video begins by showing how to gain physical access to the signals and hook them up to a logic analyzer. He then notes that the handshaking uses only a single signal and proposes that Apple isn’t going to re-invent the wheel (perhaps a risky assumption). Using a ChatGPT search, obligatory these days, we learn that Dallas Semiconductor / Microchip 1-wire is probably the protocol employed.

Which embedded single-wire busses exist that encode bits with different lengths of low and high signals?

At the basic level, 1-wire and protocols like Texas Instruments SDQ operate in a similar manner. It turns out that [stacksmashing] already wrote an SDQ analyzer module for the Saleae logic analyzer. Aided by this tool, he digs deeper and learns more about the kinds of messages and their contents. For example, upon being plugged in, the host system queries the accessory’s serial number, manufacturer, model number, and product description. Finally, he introduces the CRC reverse engineering tool reveng to determine which CRC polynomial and algorithm the protocol uses to frame each packet.
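To show what a tool like reveng is actually doing when it "determines the CRC polynomial and algorithm" from captured frames, here is an added example (not code from the video, from [stacksmashing], or from reveng itself). It brute-forces the CRC-8 parameter space (polynomial, initial register value, input/output bit reflection, final XOR) against a handful of payload/checksum pairs and reports every parameter set that reproduces all of them. The sample frames are constructed for this example and are checksummed with the well-known Dallas 1-Wire parameters (CRC-8/MAXIM-DOW, polynomial 0x31, reflected, init 0); they are not captured Lightning or SDQ traffic, and nothing here asserts which parameters Apple’s protocol uses.

```python
# Added example: recover CRC-8 parameters from captured frames by exhaustive
# search, the job reveng performs. Frames below are constructed sample data
# (not real Lightning/SDQ captures); the parameters used to checksum them are
# the public Dallas 1-Wire CRC-8/MAXIM-DOW parameters.
from itertools import product


def reflect8(value: int) -> int:
    """Reverse the bit order of an 8-bit value (used for refin/refout)."""
    return int(f"{value:08b}"[::-1], 2)


def crc8(data: bytes, poly: int, init: int, refin: bool, refout: bool, xorout: int) -> int:
    """Bitwise CRC-8 in the usual Rocksoft parameter model (MSB-first register)."""
    crc = init
    for byte in data:
        crc ^= reflect8(byte) if refin else byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    if refout:
        crc = reflect8(crc)
    return crc ^ xorout


def make_table(poly: int) -> list:
    """Byte-at-a-time lookup table for the MSB-first algorithm with a given polynomial."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
        table.append(crc)
    return table


def find_crc8_params(frames: list) -> list:
    """frames: list of (payload bytes, observed 8-bit checksum).

    Returns every (poly, init, refin, refout, xorout) tuple that reproduces all
    observed checksums. xorout is derived from the first frame rather than
    searched, which shrinks the space by a factor of 256."""
    candidates = []
    for poly in range(256):
        table = make_table(poly)
        # Pre-reflect payload bytes once per refin setting instead of per init.
        prepared = {
            refin: [bytes(reflect8(b) for b in p) if refin else p for p, _ in frames]
            for refin in (False, True)
        }
        for refin, refout in product((False, True), repeat=2):
            for init in range(256):
                raws = []
                for payload in prepared[refin]:
                    crc = init
                    for byte in payload:
                        crc = table[crc ^ byte]
                    raws.append(reflect8(crc) if refout else crc)
                xorout = raws[0] ^ frames[0][1]
                if all(raw ^ xorout == obs for raw, (_, obs) in zip(raws, frames)):
                    candidates.append((poly, init, refin, refout, xorout))
    return candidates


# Constructed sample payloads of differing lengths (varying lengths help rule
# out spurious parameter sets). Checksummed with CRC-8/MAXIM-DOW parameters.
MAXIM_DOW = dict(poly=0x31, init=0x00, refin=True, refout=True, xorout=0x00)
SAMPLE_FRAMES = [
    (p, crc8(p, **MAXIM_DOW))
    for p in (b"\x74\x00", b"\x74\x01\x02", b"\x12\x34\x56\x78", b"\x00\x00\x00\x00\x01")
]

if __name__ == "__main__":
    for poly, init, refin, refout, xorout in find_crc8_params(SAMPLE_FRAMES):
        print(f"width=8 poly=0x{poly:02x} init=0x{init:02x} "
              f"refin={str(refin).lower()} refout={str(refout).lower()} xorout=0x{xorout:02x}")
```

With only four short frames the search may report more than one consistent parameter set; the real parameters are always among them, and adding more captured frames (especially of different lengths) prunes the impostors, which is also why reveng asks for several samples.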

Even if you have no interest in Lightning cables, this video is a great tutorial on the types of things you need to do in order to make sense of an unknown communications protocol. Gather what information you can, make some educated guesses, observe the signals, revise your guesses, and repeat. In part two, [stacksmashing] will show how to build a homemade iPhone JTAG cable.

We wrote in more detail about cracking the Lightning interface back in 2015. The Lightning interface may have been a good solution in its day, foreshadowing some of the features we now have in USB-C. But its proprietary and closed nature meant it wasn’t used outside of the Apple ecosystem. With the proliferation and capabilities of USB-C, not to mention various legislative edicts, Lightning’s days seem numbered. Is the industry finally settling on one interface? Let us know your thoughts in the comments below.


An iPhone sits in a user's hand open to the YouTube app. What is unusual is that the iPhone is bent in an L shape and is still functioning properly.

First Folding IPhone Doesn’t Come From Apple

Folding phones are all the rage these days, with many of the major smartphone manufacturers having something in this form factor. Apple has been conspicuously absent in this market segment, so [KJMX] decided to take matters into their own hands with the “iPhone V.” (YouTube – Chinese w/subtitles via MacRumors).

Instead of trying to interface an existing folding phone’s screen with the iPhone, these makers delaminated an actual iPhone X screen to use in the mod. It took 37 attempts before they had a screen with layers that properly separated to be both flexible and functional. Several different folding phones were disassembled, and [KJMX] found a Motorola Razr folding mechanism would work best with the iPhone X screen. Unfortunately, since the iPhone screen isn’t designed to fold, it still will fail after a relatively small number of folds.

Other sacrifices were made, like the removal of the Taptic Engine and a smaller battery to fit everything into the desired form factor. The “iPhone V” boasts the worst battery life of any iPhone to date. After nearly a year of work though, [KJMX] can truly claim to have made what Apple hasn’t.

Curious about other hacks to let an iPhone do more than Apple intended? Check out how to add USB-C to an iPhone, try to charge it faster, or give one a big memory upgrade.

PSU charging an externally connected supercapacitor bank that's powering the phone. There's a current clamp on one of the wires to measure charging current, and a multimeter measuring the charging voltage.

Just How Fast Could You Charge An IPhone?

An iPhone 8, now a relatively cheap model, can charge its battery fully in two hours’ time. There’s hardly ever a need for faster charging, but it’s fair to ask – how much faster could it really go? [Scotty Allen] from [Strange Parts], back from a hiatus, returns to stretching the limits of what a regular iPhone can do, and decides to start off with an exploration of battery technologies.

What people commonly encounter is that charging speed depends on the charger involved, but even one hundred chargers in parallel won’t speed up this iPhone’s charging rate, so what’s up? First off, the phone’s charger chip and the battery’s BMS will both limit charging current, so for experiment purposes, those had to be bypassed. The first attempt used a hefty DC power supply with the original cell, and, unsatisfied with the lack of fire and the still relatively slow charging, [Scotty] decides to up the ante.