Apple Lightning

To be updated on the cable availability, follow me on Twitter.

The Lightning cable has an 8-pin connector. It can be inserted either way round. The pinout can be found in Apple's patent.

After some reading about the connector, and gathering information and leaked documents here and there, one of the interesting parts was this one:

As one can read, there are actually 4 connector types:

Therefore, the goal was to find one of those C10C connectors in order to get the serial. The problem is that in order to buy them, one needs an MFi agreement with Apple. Looking further, some serial port devices were available for Apple devices, such as the Redpark.

When looking inside, we see that it is based on an STM32 with an MFi chip. Extracting the firmware let us analyze it a bit. The STM32 speaks on the second lane of the Lightning port for the device authentication (MFi), and then forwards the first one to a voltage converter.

After a bit of research, I found someone who agreed to sell me some of those C10C connectors.

But when giving it a try and booting with it, nothing is output on the serial port!

As one can read from this pinout description, the cable is not wired exactly the same way on both sides. In fact, the ACC_ID can be at two different places. One of the first things that came to mind was to find a way to understand how the communication is done between the cable and the phone. In order to do that, I decided to use those Chinese cables, which have no shield to remove and are cheap.

Connecting them to a logic analyzer, it was possible to see some snippets of the communication:

The communication protocol looks like SDQ, which is a kind of 1-Wire protocol. The difference is that in 1-Wire the clocking is done by the master, while in SDQ the master sends the request and clocks it, then the slave does the same for its response. The communication always starts on one of the 2 possible ACC_ID pins.

So it looks like a command is sent with an EVEN number (the first one is 0x74) and the response comes back with an ODD number which is CMD + 1 (0x75). In order to understand it better, we need to look at the Tristar.

Looking at some Chinese online stores, they actually sell Lightning cable readers:

Tristar

After having found some schematics, here we can see how the Tristar is wired:

It appears that Tristar is a MUX! In fact, on one side, it can deal with:

On the other side, we can see pretty much what goes to the Lightning connector: ACC_ID 1 and 2 as well as both lanes, PAIR1 and PAIR2. Looking at the chip:

It's a VERY small WLCSP chip which looks like a BGA with 36 balls at a 0.35 mm pitch!

One interesting thing is that it is connected via I2C to the SoC. In order to find out how it is connected, and possibly to see whether it was possible to sniff the I2C, it was necessary to unsolder the Tristar as well as the SoC.

The interesting part is that the test points for I2C were found! The only problem is that it is only 1.8 V tolerant, so a voltage translator is necessary, but it has to cope with the open-drain signalling used by I2C.

One solution to brute-force the Tristar would be to send a sequence each time and see how the mux has been set. In order to do that, one needs to connect to the Tristar. The chip is so small that there is no adapter for it.

In this picture, we can see the ball grid. Each square is 0.1 mm, so the chip is no bigger than 2.5 x 2.5 mm.

By zooming in further, we can even see the die underneath.

I designed a 4-layer PCB adapter with blind vias. The clearance is 0.1 mm. Only laser-precision tools can be used for that, making it very expensive.

A first batch was made. Then the Tristar was soldered onto it using a reflow oven.

From there it was possible to trigger the interrupt corresponding to a connector insertion, send the sequences corresponding to a given connector ID, and then test each of the connections on the left side to see whether it is routed to PAIR1/PAIR2.


Redpark:
--------
74:75 08 c0 00 00 00 00 9f 
76:77 01 25 01 00 86 71 35 38 54 3a 39 
78:79 46 31 31 34 31 33 32 31 37 53 31 46 36 39 4b 42 41 00 5e 88 7e 
7a:7b 43 30 38 34 32 35 37 41 38 50 39 46 39 34 48 31 45 00 38 08 b8 
72:73 80 00 c0 00 87 

C10C:
--------
74:75 08 c0 00 00 00 00 9f 
76:77 01 25 01 00 a3 2a 49 34 18 0d 6b 
78:79 44 57 48 35 37 31 34 31 52 5a 46 4c 39 35 31 42 5a 00 04 08 99 
7a:7b 46 43 39 34 31 38 35 30 43 4c 37 46 57 4c 38 42 4c 00 30 00 57 
72:73 80 00 c0 00 87 


OTG Original:
-----------------
74:75 11 f0 00 00 00 00 d6 
76:77 01 25 01 80 8c 7b 19 25 01 c8 a4 
78:79 44 57 48 32 34 34 35 32 41 36 5a 46 35 4c 34 41 47 00 97 88 7b 
7a:7b 43 30 38 32 34 38 35 30 41 4a 39 44 59 37 50 41 56 00 30 00 32 
72:73 80 00 c0 00 87 


OTG fake (chinese):
--------------
74:75 11 f0 00 00 00 00 d6 
76:77 01 25 01 80 97 01 6f 25 5f 6b 90 
78:79 44 57 48 32 34 34 37 32 5a 30 54 46 35 4c 34 41 46 00 6b 88 01 
7a:7b 43 30 38 32 34 36 36 30 32 37 34 44 59 37 50 41 43 00 30 00 3e 
72:73 00 00 c0 00 5e 


HDMI:
---------------
74:75 0b f0 00 00 00 00 42 
76:77 01 25 01 80 ac 38 af 44 26 3e 25 
78:79 44 59 47 34 32 38 31 35 46 4a 45 46 36 4c 47 32 44 00 fa 88 13 
7a:7b 43 43 34 34 33 31 34 31 30 44 31 44 59 37 48 41 47 00 20 00 de 
72:73 80 00 c0 00 87

Chinese Sync:
-----
74:75 10 0c 00 00 00 00 66
76:77 01 25 01 80 b0 25 83 25 5a d0 f2
78:79 46 31 31 32 36 33 35 51 31 58 4b 46 35 56 39 41 36 00 d7 88 cd
7a:7b 43 34 4d 32 34 37 34 30 47 4c 50 46 37 43 30 41 39 00 33 08 ba
72:73 00 00 c0 00 5e

Connector Emulation

In order to emulate a connector, I have written some code for an STM32F4 Discovery board. It basically implements the SDQ protocol the way I sniffed it, and then responds to the requests made by the phone. To do that, I had to find a Chinese connector manufacturer which agreed to sell me some.

Then a PCB that I created which swaps both sides of the Lightning connector, so the connector can be plugged in either direction.

Now the connector, cabled to a 3.3 V / 1.8 V voltage translator: