Exploring Thermal Related Stuff in iDevices using Open-Source Tool
IOKit HIDClass I
▶ IOKit/IOKit Family/HID class [4]: originally it was for USB, but it goes far beyond that now, which is why there is a Usage Page.
▶ A command-line tool that can be used to enumerate IOKit devices is ioreg(8).
▶ As you can see in Listing 1, there are "PrimaryUsage" = 5, "PrimaryUsagePage" = 65280, and "DeviceUsagePairs" = ({"DeviceUsagePage"=65280,"DeviceUsage"=5}).
Listing 1: Example TemperatureSensor in ioreg output
...
+-o AppleEmbeddedNVMeTemperatureSensor <class AppleEmbeddedNVMeTemperatureSensor, id 0x1000003f8, registered, matched, active, busy 0 (1 ms), retain 8>
| | | | | {
| | | | |   "IOCFPlugInTypes" = {"7DDEECA8-A7B4-11DA-8A0E-0014519758EF"="IOHIDFamily.kext/PlugIns/IOHIDLib.plugin","FA12FA38-6F1A-11D4-BA0C-0005028F18D5"="IOHIDFamily.kext/PlugIns/IOHIDLib.plugin"}
| | | | |   "VendorID" = 0
| | | | |   "CountryCode" = 0
| | | | |   "IOUserClientClass" = "IOHIDEventServiceUserClient"
| | | | |   "Product" = "NAND CH0 temp"
| | | | |   "VersionNumber" = 0
| | | | |   "IOGeneralInterest" = "IOCommand is not serializable"
| | | | |   "PrimaryUsage" = 5
| | | | |   "LocationID" = 1414410350
| | | | |   "HIDEventServiceProperties" = {"DeviceOpenedByEventSystem"=Yes,"PreserveTimestamp"=Yes,"BatchInterval"=1,"LogLevel"=6}
| | | | |   "ProductID" = 0
| | | | |   "DeviceUsagePairs" = ({"DeviceUsagePage"=65280,"DeviceUsage"=5})
| | | | |   "Built-In" = Yes
| | | | |   "ReportInterval" = 0
| | | | |   "HIDServiceSupport" = Yes
| | | | |   "PrimaryUsagePage" = 65280
| | | | |   "VendorIDSource" = 0
| | | | |   "QueueSize" = 0
| | | | | }
...
Build the App
▶ If you git clone the source code and try to build it, you will get an error message saying that the IOKit-related headers can't be found (of course, you also have to change the signing settings).
▶ You have to borrow the headers from the macOS SDK:
1. pushd .
2. cd /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/System/Library/Frameworks/IOKit.framework/
3. sudo ln -s /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/IOKit.framework/Headers .
4. popd
The devil is in the detail II
CSE-iPhone-8-plus:~ root# hidutil list
Services:
VendorID ProductID LocationID UsagePage Usage RegistryID Transport Class Product UserClass Built-In
0x0 0x0 0x54683378 65280 5 0x100000270 (null) AppleT8015TempSensor Max: PMGR SOC Die Temp Sensor3 (null) 1
0x0 0x0 0x5450336c 65280 5 0x100000336 (null) AppleSMC PMU tdie3 (null) 1
0x0 0x0 0x54503562 65280 5 0x10000033d (null) AppleSMC PMU tdie5 (null) 1
0x0 0x0 0x54633161 65280 5 0x100000277 (null) AppleT8015TempSensor Avg: ACC Temp Sensor1 (null) 1
0x0 0x0 0x54503962 65280 5 0x10000034b (null) AppleSMC PMU tdie9 (null) 1
0x0 0x0 0x54563073 65280 5 0x100000352 (null) AppleSMC Unknown Source TV0s (null) 1
0x0 0x0 0x5651306c 65288 3 0x100000359 (null) AppleSMC Charger VQ0l (null) 1
0x5ac 0x8104 0x0 65280 10 0x100000501 SPU AppleSPUHIDDriver (null) (null) 1
0x0 0x0 0x54473042 65280 5 0x10000038a (null) AppleSMC gas gauge battery (null) 1
0x0 0x0 0x54534644 65280 5 0x1000005ff (null) AppleVTempDispatcher CGCenterSkin (null) 1
0x0 0x0 0x5453524d 65280 5 0x100000606 (null) AppleVTempDispatcher BandMLBSkin (null) 1
0x0 0x0 0x54534643 65280 5 0x10000060d (null) AppleVTempDispatcher CGRearCamera (null) 1
0x0 0x0 0x54503464 65280 5 0x100000318 (null) AppleSMC PMU tdev4 (null) 1
0x0 0x0 0x54683161 65280 5 0x100000267 (null) AppleT8015TempSensor Avg: PMGR SOC Die Temp Sensor1 (null) 1
0x0 0x0 0x54683369 65280 5 0x10000026e (null) AppleT8015TempSensor PMGR SOC Die Temp Sensor3 (null) 1
0x0 0x0 0x54 13 4 0x100000571 SPI (null) (null) (null) 1
0x0 0x0 0x54633278 65280 5 0x10000027c (null) AppleT8015TempSensor Max: ACC Temp Sensor2 (null) 1
0x0 0x0 0x54506562 65280 5 0x100000350 (null) AppleSMC PMU tdie14 (null) 1
0x0 0x0 0x5451306a 65280 5 0x100000357 (null) AppleSMC Charger TQ0j (null) 1
0x0 0x0 0x0 65292 4 0x1000004f8 SPU AppleSPUHIDDriver (null) (null) 1
0x5ac 0x8104 0x0 65280 9 0x1000004ff SPU AppleSPUHIDDriver (null) (null) 1
0x5ac 0x8104 0x0 32 49 0x10000050d SPU AppleSPUHIDDriver (null) (null) 1
0x0 0x0 0x0 65280 8 0x10000051b SPU AppleProxHIDEventDriver (null) (null) 1
0x0 0x0 0x54534261 65280 5 0x100000612 (null) AppleVTempDispatcher BCArc (null) 1
0x0 0x0 0x54683278 65280 5 0x10000026c (null) AppleT8015TempSensor Max: PMGR SOC Die Temp Sensor2 (null) 1
0x0 0x0 0x54633061 65280 5 0x100000273 (null) AppleT8015TempSensor Avg: ACC Temp Sensor0 (null) 1
0x0 0x0 0x544e306e 65280 5 0x1000003f8 (null) AppleANS2NVMeController NAND CH0 temp (null) 1
0x0 0x0 0x54503862 65280 5 0x100000340 (null) AppleSMC PMU tdie8 (null) 1
0x0 0x0 0x5450346c 65280 5 0x100000339 (null) AppleSMC PMU tdie4 (null) 1
0x0 0x0 0x54506362 65280 5 0x10000034e (null) AppleSMC PMU tdie12 (null) 1
0x0 0x0 0x51513075 65288 2 0x100000355 (null) AppleSMC Charger QQ0u (null) 1
0x0 0x0 0x54633269 65280 5 0x10000027a (null) AppleT8015TempSensor ACC Temp Sensor2 (null) 1
0x0 0x0 0x57513075 65288 3 0x100000363 (null) AppleSMC Charger WQ0u (null) 1
0x0 0x0 0x0 65292 5 0x100000504 SPU AppleSPUHIDDriver (null) (null) 1
0x0 0x0 0x54473056 65280 5 0x100000394 (null) AppleSMC gas gauge battery (null) 1
0x0 0x0 0x0 11 1 0x100000216 (null) AppleM68Buttons (null) (null) 1
0x0 0x0 0x0 65280 11 0x1000003a2 (null) AppleMesaShim (null) (null) 1
0x0 0x0 0x54534245 65280 5 0x100000602 (null) AppleVTempDispatcher BCMLBSkin (null) 1
0x0 0x0 0x54534251 65280 5 0x100000609 (null) AppleVTempDispatcher BCCharger (null) 1
0x0 0x0 0x54503364 65280 5 0x100000314 (null) AppleSMC PMU tdev3 (null) 1
0x0 0x0 0x5450316c 65280 5 0x10000031b (null) AppleSMC PMU tdie1 (null) 1
0x0 0x0 0x54683061 65280 5 0x100000263 (null) AppleT8015TempSensor Avg: PMGR SOC Die Temp Sensor0 (null) 1
0x0 0x0 0x54683269 65280 5 0x10000026a (null) AppleT8015TempSensor PMGR SOC Die Temp Sensor2 (null) 1
0x0 0x0 0x54503264 65280 5 0x10000030d (null) AppleSMC PMU tdev2 (null) 1
0x0 0x0 0x54633178 65280 5 0x100000278 (null) AppleT8015TempSensor Max: ACC Temp Sensor1 (null) 1
0x0 0x0 0x54503662 65280 5 0x10000033e (null) AppleSMC PMU tdie6 (null) 1
0x0 0x0 0x54506162 65280 5 0x10000034c (null) AppleSMC PMU tdie10 (null) 1
0x0 0x0 0x49513042 65288 2 0x100000353 (null) AppleSMC Charger IQ0B (null) 1
0x0 0x0 0x56513075 65288 3 0x10000035a (null) AppleSMC Charger VQ0u (null) 1
0x0 0x0 0x54473048 65280 5 0x100000392 (null) AppleSMC gas gauge battery (null) 1
0x5ac 0x8104 0x0 65280 3 0x10000051e SPU AppleSPUHIDDriver (null) (null) 1
0x0 0x0 0x0 65280 4 0x10000052c SPU AppleSPUCT709 (null) (null) 1
0x0 0x0 0x544b3046 65280 5 0x1000005f9 (null) AppleVTempDispatcher FrontCameraDie (null) 1
0x0 0x0 0x54535252 65280 5 0x100000607 (null) AppleVTempDispatcher BandRadioSkin (null) 1
0x0 0x0 0x54503564 65280 5 0x100000319 (null) AppleSMC PMU tdev5 (null) 1
0x0 0x0 0x54683178 65280 5 0x100000268 (null) AppleT8015TempSensor Max: PMGR SOC Die Temp Sensor1 (null) 1
0x0 0x0 0x54683361 65280 5 0x10000026f (null) AppleT8015TempSensor Avg: PMGR SOC Die Temp Sensor3 (null) 1
0x0 0x0 0x54633169 65280 5 0x100000276 (null) AppleT8015TempSensor ACC Temp Sensor1 (null) 1
0x0 0x0 0x54506662 65280 5 0x100000351 (null) AppleSMC PMU tdie15 (null) 1
0x0 0x0 0x56513042 65288 3 0x100000358 (null) AppleSMC Charger VQ0B (null) 1
0x0 0x0 0x6d696331 65280 5 0x1000002b5 (null) AppleICA60 (null) (null) 1
0x0 0x0 0x0 65292 1 0x1000004f9 SPU AppleSPUHIDDriver (null) (null) 1
0x0 0x0 0x0 65292 8 0x100000500 SPU AppleSPUHIDDriver (null) (null) 1
0x0 0x0 0x54503164 65280 5 0x100000309 (null) AppleSMC PMU tdev1 (null) 1
0x0 0x0 0x54533041 65280 5 0x100000613 (null) AppleVTempDispatcher Ambient (null) 1
0x0 0x0 0x54683169 65280 5 0x100000266 (null) AppleT8015TempSensor PMGR SOC Die Temp Sensor1 (null) 1
0x0 0x0 0x54633078 65280 5 0x100000274 (null) AppleT8015TempSensor Max: ACC Temp Sensor0 (null) 1
0x0 0x0 0x54633261 65280 5 0x10000027b (null) AppleT8015TempSensor Avg: ACC Temp Sensor2 (null) 1
0x0 0x0 0x54506462 65280 5 0x10000034f (null) AppleSMC PMU tdie13 (null) 1
0x0 0x0 0x54513064 65280 5 0x100000356 (null) AppleSMC Charger TQ0d (null) 1
0x0 0x0 0x0 32 100 0x1000004f7 SPU AppleSPUHIDDriver (null) (null) 1
0x0 0x0 0x0 65292 3 0x1000004fe SPU AppleSPUHIDDriver (null) (null) 1
0x0 0x0 0x54617263 65280 5 0x100000446 (null) AppleHapticsSupportCallan AppleHapticsSupportTemperatureReporter (null) (null)
0x0 0x0 0x54473043 65280 5 0x10000038e (null) AppleSMC gas gauge battery (null) 1
0x0 0x0 0x56514444 65288 3 0x100000387 (null) AppleSMC Charger VQDD (null) 1
0x0 0x0 0x56503075 65288 3 0x1000002f9 (null) AppleSMC PMU VP0u (null) 1
0x0 0x0 0x544b3143 65280 5 0x1000005fc (null) AppleVTempDispatcher RearCameraTeleDie (null) 1
0x0 0x0 0x54534248 65280 5 0x100000603 (null) AppleVTempDispatcher BCH7Skin (null) 1
0x0 0x0 0x5450306a 65280 5 0x100000300 (null) AppleSMC PMU tjunc (null) 1
0x0 0x0 0x5450326c 65280 5 0x10000031c (null) AppleSMC PMU tdie2 (null) 1
0x0 0x0 0x54683078 65280 5 0x100000264 (null) AppleT8015TempSensor Max: PMGR SOC Die Temp Sensor0 (null) 1
0x0 0x0 0x54683261 65280 5 0x10000026b (null) AppleT8015TempSensor Avg: PMGR SOC Die Temp Sensor2 (null) 1
0x0 0x0 0x54433673 65280 5 0x10000025d (null) AMCTempSensor AMC ODTS (null) 1
0x0 0x0 0x54633069 65280 5 0x100000272 (null) AppleT8015TempSensor ACC Temp Sensor0 (null) 1
0x0 0x0 0x54503762 65280 5 0x10000033f (null) AppleSMC PMU tdie7 (null) 1
0x0 0x0 0x54506262 65280 5 0x10000034d (null) AppleSMC PMU tdie11 (null) 1
0x0 0x0 0x49513075 65288 2 0x100000354 (null) AppleSMC Charger IQ0u (null) 1
0x0 0x0 0x56513175 65288 3 0x10000035b (null) AppleSMC Charger VQ1u (null) 1
0x0 0x0 0x0 32 19 0x1000004ee SPU AppleSPUMesaDriver (null) (null) 1
0x0 0x0 0x0 11 1 0x1000004fc SPU AppleSPUButtonDriver (null) (null) 1
0x0 0x0 0x6d696332 65280 5 0x1000002c6 (null) AppleICA60 (null) (null) 1
0x0 0x0 0x0 32 138 0x100000511 SPU IOHIDEventDriver (null) (null) 1
0x0 0x0 0x544b3043 65280 5 0x1000005fa (null) AppleVTempDispatcher RearCameraDie (null) 1
0x0 0x0 0x5450305a 65280 5 0x100000305 (null) AppleSMC PMU tcal (null) 1
0x0 0x0 0x5453464c 65280 5 0x10000060f (null) AppleVTempDispatcher CGLED (null) 1
0x0 0x0 0x54683069 65280 5 0x100000262 (null) AppleT8015TempSensor PMGR SOC Die Temp Sensor0 (null) 1
Devices:
VendorID ProductID LocationID UsagePage Usage RegistryID Transport Class Product UserClass Built-In
0x0 0x0 0x0 65292 5 0x1000004b5 SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x0 11 1 0x1000004af SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x0 32 138 0x1000004ba SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x0 32 100 0x1000004b9 SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x0 65280 8 0x1000004bf SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x0 65292 3 0x1000004b6 SPU AppleSPUHIDDevice (null) (null) 1
0x5ac 0x8104 0x0 32 49 0x1000004b1 SPU AppleSPUHIDDevice (null) (null) 1
0x5ac 0x8104 0x0 65280 10 0x1000004b0 SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x54 13 4 0x10000056d SPI AppleHIDTransportHIDDevice (null) (null) (null)
0x0 0x0 0x0 65292 4 0x1000004b3 SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x0 65292 1 0x1000004b4 SPU AppleSPUHIDDevice (null) (null) 1
0x5ac 0x8104 0x0 65280 9 0x1000004ad SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x0 65280 4 0x1000004be SPU AppleSPUHIDDevice (null) (null) 1
0x5ac 0x8104 0x0 65280 3 0x1000004ac SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x0 65292 8 0x1000004b2 SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x0 32 19 0x1000004bb SPU AppleSPUHIDDevice (null) (null) 1
CSE-iPhone-8-plus:~ root# exit
freedoms-iPhone:~ root# hidutil list
Services:
VendorID ProductID LocationID UsagePage Usage RegistryID Transport Class Product UserClass Built-In
0x0 0x0 0x4950356c 65288 2 0x100000309 (null) AppleD2333PMU PMU ldo5 (null) 1
0x0 0x0 0x54534643 65280 5 0x100000637 (null) AppleVTempDispatcher CGRCAMSkin (null) 1
0x0 0x0 0x49503962 65288 2 0x100000346 (null) AppleD2333PMU PMU ibuck1 (null) 1
0x0 0x0 0x4950656c 65288 2 0x10000031b (null) AppleD2333PMU PMU ldo14 (null) 1
0x0 0x0 0x5450306c 65280 5 0x10000032d (null) AppleD2333PMU PMU tdie0 (null) 1
0x0 0x0 0x5650326c 65288 3 0x100000302 (null) AppleD2333PMU PMU ldo2 (null) 1
0x0 0x0 0x47 13 4 0x100000560 SPI (null) (null) (null) 1
0x0 0x0 0x54683178 65280 5 0x100000244 (null) AppleT700XTempSensor Max: PMGR SOC Die Temp Sensor1 (null) 1
0x0 0x0 0x56503462 65288 3 0x10000033f (null) AppleD2333PMU PMU vbuck4 (null) 1
0x0 0x0 0x5650626c 65288 3 0x100000314 (null) AppleD2333PMU PMU ldo11 (null) 1
0x0 0x0 0x49513075 65288 2 0x100000351 (null) AppleSN2400Charger Charger vbus (null) 1
0x0 0x0 0x5450306a 65280 5 0x100000326 (null) AppleD2333PMU PMU tjunc (null) 1
0x0 0x0 0x54633161 65280 5 0x10000023d (null) AppleT700XTempSensor Avg: ACC Temp Sensor1 (null) 1
0x0 0x0 0x54506262 65280 5 0x100000338 (null) AppleD2333PMU PMU tdie11 (null) 1
0x0 0x0 0x4950376c 65288 2 0x10000030d (null) AppleD2333PMU PMU ldo7 (null) 1
0x0 0x0 0x49503962 65288 2 0x10000034a (null) AppleD2333PMU PMU ibuck5 (null) 1
0x0 0x0 0x4950676c 65288 2 0x10000031f (null) AppleD2333PMU PMU ldo16 (null) 1
0x0 0x0 0x0 65292 3 0x100000515 SPU AppleSPUHIDDriver (null) (null) 1
0x0 0x0 0x54633269 65280 5 0x100000236 (null) AppleT700XTempSensor ACC Temp Sensor2 (null) 1
0x0 0x0 0x544b3043 65280 5 0x100000622 (null) AppleVTempDispatcher RearCameraDie (null) 1
0x0 0x0 0x5650346c 65288 3 0x100000306 (null) AppleD2333PMU PMU ldo4 (null) 1
0x0 0x0 0x54503462 65280 5 0x100000331 (null) AppleD2333PMU PMU tdie4 (null) 1
0x0 0x0 0x0 11 1 0x1000001e0 (null) AppleM68Buttons (null) (null) 1
0x5ac 0x8104 0x0 65280 9 0x100000539 SPU AppleSPUHIDDriver (null) (null) 1
0x0 0x0 0x56503862 65288 3 0x100000343 (null) AppleD2333PMU PMU vbuck8 (null) 1
0x0 0x0 0x5650646c 65288 3 0x100000318 (null) AppleD2333PMU PMU ldo13 (null) 1
0x0 0x0 0x54683078 65280 5 0x100000248 (null) AppleT700XTempSensor Max: PMGR SOC Die Temp Sensor0 (null) 1
0x0 0x0 0x54534252 65280 5 0x100000634 (null) AppleVTempDispatcher BCRadioSkin (null) 1
0x0 0x0 0x56513042 65288 3 0x100000355 (null) AppleSN2400Charger Charger vbat (null) 1
0x0 0x0 0x0 65280 255 0x1000004fc SPU AppleSPUHIDDriver (null) (null) 1
0x0 0x0 0x54503364 65280 5 0x10000032a (null) AppleD2333PMU PMU tdev3 (null) 1
0x0 0x0 0x56503064 65288 3 0x1000002ff (null) AppleD2333PMU PMU vdd_main (null) 1
0x0 0x0 0x56503162 65288 3 0x10000033c (null) AppleD2333PMU PMU vbuck1 (null) 1
0x0 0x0 0x54683278 65280 5 0x100000241 (null) AppleT700XTempSensor Max: PMGR SOC Die Temp Sensor2 (null) 1
0x0 0x0 0x4950396c 65288 2 0x100000311 (null) AppleD2333PMU PMU ldo9 (null) 1
0x0 0x0 0x49503962 65288 2 0x10000034e (null) AppleD2333PMU PMU ibuck9 (null) 1
0x0 0x0 0x54433673 65280 5 0x100000228 (null) AMCTempSensor AMC ODTS (null) 1
0x0 0x0 0x4950696c 65288 2 0x100000323 (null) AppleD2333PMU PMU ldo18 (null) 1
0x0 0x0 0x54503862 65280 5 0x100000335 (null) AppleD2333PMU PMU tdie8 (null) 1
0x0 0x0 0x54633061 65280 5 0x10000023a (null) AppleT700XTempSensor Avg: ACC Temp Sensor0 (null) 1
0x0 0x0 0x5650366c 65288 3 0x10000030a (null) AppleD2333PMU PMU ldo6 (null) 1
0x0 0x0 0x49503962 65288 2 0x100000347 (null) AppleD2333PMU PMU ibuck2 (null) 1
0x0 0x0 0x54533041 65280 5 0x100000638 (null) AppleVTempDispatcher Ambient (null) 1
0x0 0x0 0x5650666c 65288 3 0x10000031c (null) AppleD2333PMU PMU ldo15 (null) 1
0x0 0x0 0x5450316c 65280 5 0x10000032e (null) AppleD2333PMU PMU tdie1 (null) 1
0x0 0x0 0x544b3046 65280 5 0x10000061f (null) AppleVTempDispatcher FrontCameraDie (null) 1
0x0 0x0 0x4950326c 65288 2 0x100000303 (null) AppleD2333PMU PMU ldo2 (null) 1
0x0 0x0 0x56503562 65288 3 0x100000340 (null) AppleD2333PMU PMU vbuck5 (null) 1
0x0 0x0 0x54534245 65280 5 0x100000631 (null) AppleVTempDispatcher BCMLBSkin (null) 1
0x0 0x0 0x4950626c 65288 2 0x100000315 (null) AppleD2333PMU PMU ldo11 (null) 1
0x0 0x0 0x49513042 65288 2 0x100000352 (null) AppleSN2400Charger Charger ibat (null) 1
0x0 0x0 0x5450305a 65280 5 0x100000327 (null) AppleD2333PMU PMU tcal (null) 1
0x0 0x0 0x54506362 65280 5 0x100000339 (null) AppleD2333PMU PMU tdie12 (null) 1
0x0 0x0 0x54633178 65280 5 0x10000023e (null) AppleT700XTempSensor Max: ACC Temp Sensor1 (null) 1
0x5ac 0x8104 0x0 32 49 0x10000052f SPU AppleSPUHIDDriver (null) (null) 1
0x0 0x0 0x5650386c 65288 3 0x10000030e (null) AppleD2333PMU PMU ldo8 (null) 1
0x0 0x0 0x49503962 65288 2 0x10000034b (null) AppleD2333PMU PMU ibuck6 (null) 1
0x0 0x0 0x5650686c 65288 3 0x100000320 (null) AppleD2333PMU PMU ldo17 (null) 1
0x0 0x0 0x54503562 65280 5 0x100000332 (null) AppleD2333PMU PMU tdie5 (null) 1
0x0 0x0 0x54633261 65280 5 0x100000237 (null) AppleT700XTempSensor Avg: ACC Temp Sensor2 (null) 1
0x0 0x0 0x4950346c 65288 2 0x100000307 (null) AppleD2333PMU PMU ldo4 (null) 1
0x0 0x0 0x56503962 65288 3 0x100000344 (null) AppleD2333PMU PMU vbuck9 (null) 1
0x5ac 0x8104 0x0 65280 10 0x10000053a SPU AppleSPUHIDDriver (null) (null) 1
0x0 0x0 0x0 65280 8 0x10000050f SPU AppleProxHIDEventDriver (null) (null) 1
0x0 0x0 0x4950646c 65288 2 0x100000319 (null) AppleD2333PMU PMU ldo13 (null) 1
0x0 0x0 0x57513075 65288 3 0x100000356 (null) AppleSN2400Charger Charger vbus_accum (null) 1
0x0 0x0 0x0 65280 11 0x1000003be (null) AppleMesaShim (null) (null) 1
0x0 0x0 0x54503464 65280 5 0x10000032b (null) AppleD2333PMU PMU tdev4 (null) 1
0x0 0x0 0x0 32 138 0x100000521 SPU IOHIDEventDriver (null) (null) 1
0x0 0x0 0x5650316c 65288 3 0x100000300 (null) AppleD2333PMU PMU ldo1 (null) 1
0x0 0x0 0x56503262 65288 3 0x10000033d (null) AppleD2333PMU PMU vbuck2 (null) 1
0x0 0x0 0x54683169 65280 5 0x100000242 (null) AppleT700XTempSensor PMGR SOC Die Temp Sensor1 (null) 1
0x0 0x0 0x5650616c 65288 3 0x100000312 (null) AppleD2333PMU PMU ldo10 (null) 1
0x0 0x0 0x6d696331 65280 5 0x1000002aa (null) AppleICA60 (null) (null) 1
0x0 0x0 0x544e306e 65280 5 0x1000003e2 (null) AppleEmbeddedNVMeController NAND CH0 temp (null) 1
0x0 0x0 0x56503078 65288 3 0x10000034f (null) AppleD2333PMU PMU vmon (null) 1
0x0 0x0 0x42 65280 32 0x1000004b2 Serial AppleHomerDriver (null) (null) 1
0x0 0x0 0x56506a6c 65288 3 0x100000324 (null) AppleD2333PMU PMU ldo19 (null) 1
0x0 0x0 0x54503962 65280 5 0x100000336 (null) AppleD2333PMU PMU tdie9 (null) 1
0x0 0x0 0x54633078 65280 5 0x10000023b (null) AppleT700XTempSensor Max: ACC Temp Sensor0 (null) 1
0x0 0x0 0x0 32 19 0x100000501 SPU AppleSPUMesaDriver (null) (null) 1
0x0 0x0 0x4950366c 65288 2 0x10000030b (null) AppleD2333PMU PMU ldo6 (null) 1
0x0 0x0 0x54473042 65280 5 0x1000002a3 (null) (null) gas gauge battery (null) (null)
0x0 0x0 0x49503962 65288 2 0x100000348 (null) AppleD2333PMU PMU ibuck3 (null) 1
0x0 0x0 0x4950666c 65288 2 0x10000031d (null) AppleD2333PMU PMU ldo15 (null) 1
0x0 0x0 0x5450326c 65280 5 0x10000032f (null) AppleD2333PMU PMU tdie2 (null) 1
0x0 0x0 0x5650336c 65288 3 0x100000304 (null) AppleD2333PMU PMU ldo3 (null) 1
0x0 0x0 0x56503662 65288 3 0x100000341 (null) AppleD2333PMU PMU vbuck6 (null) 1
0x0 0x0 0x54683069 65280 5 0x100000246 (null) AppleT700XTempSensor PMGR SOC Die Temp Sensor0 (null) 1
0x0 0x0 0x5650636c 65288 3 0x100000316 (null) AppleD2333PMU PMU ldo12 (null) 1
0x5ac 0x8104 0x0 65280 3 0x10000050c SPU AppleSPUHIDDriver (null) (null) 1
0x0 0x0 0x56513063 65288 3 0x100000353 (null) AppleSN2400Charger Charger vdd_main (null) 1
0x0 0x0 0x54617263 65280 5 0x1000004b6 Serial AppleHomerTemperature (null) (null) 1
0x0 0x0 0x54503164 65280 5 0x100000328 (null) AppleD2333PMU PMU tdev1 (null) 1
0x0 0x0 0x0 65292 4 0x10000051e SPU AppleSPUHIDDriver (null) (null) 1
0x0 0x0 0x54534644 65280 5 0x10000062b (null) AppleVTempDispatcher CGCenterSkin (null) 1
0x0 0x0 0x54506462 65280 5 0x10000033a (null) AppleD2333PMU PMU tdie13 (null) 1
0x0 0x0 0x4950386c 65288 2 0x10000030f (null) AppleD2333PMU PMU ldo8 (null) 1
0x0 0x0 0x0 11 1 0x100000505 SPU AppleSPUButtonDriver (null) (null) 1
0x0 0x0 0x54683269 65280 5 0x10000023f (null) AppleT700XTempSensor PMGR SOC Die Temp Sensor2 (null) 1
0x0 0x0 0x49503962 65288 2 0x10000034c (null) AppleD2333PMU PMU ibuck7 (null) 1
0x0 0x0 0x4950686c 65288 2 0x100000321 (null) AppleD2333PMU PMU ldo17 (null) 1
0x0 0x0 0x54503662 65280 5 0x100000333 (null) AppleD2333PMU PMU tdie6 (null) 1
0x0 0x0 0x54633278 65280 5 0x100000238 (null) AppleT700XTempSensor Max: ACC Temp Sensor2 (null) 1
0x0 0x0 0x5650356c 65288 3 0x100000308 (null) AppleD2333PMU PMU ldo5 (null) 1
0x0 0x0 0x49503962 65288 2 0x100000345 (null) AppleD2333PMU PMU ibuck0 (null) 1
0x0 0x0 0x5650656c 65288 3 0x10000031a (null) AppleD2333PMU PMU ldo14 (null) 1
0x0 0x0 0x51513075 65288 2 0x100000357 (null) AppleSN2400Charger Charger ibus_accum (null) 1
0x0 0x0 0x54503564 65280 5 0x10000032c (null) AppleD2333PMU PMU tdev5 (null) 1
0x0 0x0 0x4950316c 65288 2 0x100000301 (null) AppleD2333PMU PMU ldo1 (null) 1
0x0 0x0 0x56503362 65288 3 0x10000033e (null) AppleD2333PMU PMU vbuck3 (null) 1
0x0 0x0 0x6d696332 65280 5 0x1000002ab (null) AppleICA60 (null) (null) 1
0x0 0x0 0x0 65292 1 0x100000509 SPU AppleSPUHIDDriver (null) (null) 1
0x0 0x0 0x54683161 65280 5 0x100000243 (null) AppleT700XTempSensor Avg: PMGR SOC Die Temp Sensor1 (null) 1
0x0 0x0 0x4950616c 65288 2 0x100000313 (null) AppleD2333PMU PMU ldo10 (null) 1
0x0 0x0 0x56513075 65288 3 0x100000350 (null) AppleSN2400Charger Charger vbus (null) 1
0x0 0x0 0x0 65292 5 0x10000051b SPU AppleSPUHIDDriver (null) (null) 1
0x0 0x0 0x49506a6c 65288 2 0x100000325 (null) AppleD2333PMU PMU ldo19 (null) 1
0x0 0x0 0x54506162 65280 5 0x100000337 (null) AppleD2333PMU PMU tdie10 (null) 1
0x0 0x0 0x0 65280 4 0x1000002a4 (null) AppleCT821 (null) (null) 1
0x0 0x0 0x5650376c 65288 3 0x10000030c (null) AppleD2333PMU PMU ldo7 (null) 1
0x0 0x0 0x5453464c 65280 5 0x100000628 (null) AppleVTempDispatcher CGLEDHSSkin (null) 1
0x0 0x0 0x54633169 65280 5 0x10000023c (null) AppleT700XTempSensor ACC Temp Sensor1 (null) 1
0x0 0x0 0x49503962 65288 2 0x100000349 (null) AppleD2333PMU PMU ibuck4 (null) 1
0x0 0x0 0x0 65292 8 0x100000514 SPU AppleSPUHIDDriver (null) (null) 1
0x0 0x0 0x5650676c 65288 3 0x10000031e (null) AppleD2333PMU PMU ldo16 (null) 1
0x0 0x0 0x5450336c 65280 5 0x100000330 (null) AppleD2333PMU PMU tdie3 (null) 1
0x0 0x0 0x4950336c 65288 2 0x100000305 (null) AppleD2333PMU PMU ldo3 (null) 1
0x0 0x0 0x56503762 65288 3 0x100000342 (null) AppleD2333PMU PMU vbuck7 (null) 1
0x0 0x0 0x54683061 65280 5 0x100000247 (null) AppleT700XTempSensor Avg: PMGR SOC Die Temp Sensor0 (null) 1
0x0 0x0 0x4950636c 65288 2 0x100000317 (null) AppleD2333PMU PMU ldo12 (null) 1
0x0 0x0 0x5451306a 65280 5 0x100000354 (null) AppleSN2400Charger Charger tjunc (null) 1
0x0 0x0 0x54503264 65280 5 0x100000329 (null) AppleD2333PMU PMU tdev2 (null) 1
0x0 0x0 0x56503062 65288 3 0x10000033b (null) AppleD2333PMU PMU vbuck0 (null) 1
0x0 0x0 0x54534248 65280 5 0x10000062c (null) AppleVTempDispatcher BCH7Skin (null) 1
0x0 0x0 0x5650396c 65288 3 0x100000310 (null) AppleD2333PMU PMU ldo9 (null) 1
0x0 0x0 0x54683261 65280 5 0x100000240 (null) AppleT700XTempSensor Avg: PMGR SOC Die Temp Sensor2 (null) 1
0x0 0x0 0x54534261 65280 5 0x10000063e (null) AppleVTempDispatcher Arc (null) 1
0x0 0x0 0x49503962 65288 2 0x10000034d (null) AppleD2333PMU PMU ibuck8 (null) 1
0x0 0x0 0x5650696c 65288 3 0x100000322 (null) AppleD2333PMU PMU ldo18 (null) 1
0x0 0x0 0x0 32 100 0x100000518 SPU AppleSPUHIDDriver (null) (null) 1
0x0 0x0 0x54633069 65280 5 0x100000239 (null) AppleT700XTempSensor ACC Temp Sensor0 (null) 1
0x0 0x0 0x54503762 65280 5 0x100000334 (null) AppleD2333PMU PMU tdie7 (null) 1
0x0 0x0 0x54534648 65280 5 0x100000625 (null) AppleVTempDispatcher CGH7Skin (null) 1
Devices:
VendorID ProductID LocationID UsagePage Usage RegistryID Transport Class Product UserClass Built-In
0x0 0x0 0x0 65280 255 0x1000004e1 SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x0 65292 4 0x1000004e6 SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x42 65280 32 0x1000004ad Serial AppleHIDTransportHIDDevice (null) (null) (null)
0x0 0x0 0x0 11 1 0x1000004dc SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x54617263 65280 5 0x1000004b1 Serial AppleHIDTransportHIDDevice (null) (null) (null)
0x0 0x0 0x0 65292 5 0x1000004e7 SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x0 65280 8 0x1000004e8 SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x0 65292 3 0x1000004e2 SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x0 65292 1 0x1000004e5 SPU AppleSPUHIDDevice (null) (null) 1
0x5ac 0x8104 0x0 32 49 0x1000004e0 SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x47 13 4 0x10000055c SPI AppleHIDTransportHIDDevice (null) (null) (null)
0x5ac 0x8104 0x0 65280 9 0x1000004de SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x0 65292 8 0x1000004e4 SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x0 32 100 0x1000004e9 SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x0 32 138 0x1000004e3 SPU AppleSPUHIDDevice (null) (null) 1
0x0 0x0 0x0 32 19 0x1000004db SPU AppleSPUHIDDevice (null) (null) 1
0x5ac 0x8104 0x0 65280 3 0x1000004dd SPU AppleSPUHIDDevice (null) (null) 1
0x5ac 0x8104 0x0 65280 10 0x1000004df SPU AppleSPUHIDDevice (null) (null) 1
freedoms-iPhone:~ root# exit
Script done on Sun Jan 5 08:40:24 2020
Figure 2: Outputs of hidutil list on jailbroken iPhone 7 and 8 Plus, to verify that there are fewer power sensors on devices after A11.
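The comparison in Figure 2 can be done mechanically. The following is an added example, not part of the original slides: it parses `hidutil list` text, keeps only the Services section, and counts sensors per usage page/usage pair. The sample rows are excerpted from Figure 2; the sensor-kind labels are an assumption based on the usage names in Apple's open-source IOHIDFamily usage tables and on the product names in the figure (ibuck/vbuck, ibat/vbat), and reading LocationID as a four-character code is an observation from the values shown.

```python
import re
from collections import Counter

# (UsagePage, Usage) -> label. The numbers are the ones in the hidutil output;
# the labels are this example's assumption (see lead-in).
SENSOR_KINDS = {
    (0xFF00, 5): "temperature",  # 65280 / 5, as in Listing 1
    (0xFF08, 2): "current",      # 65288 / 2
    (0xFF08, 3): "voltage",      # 65288 / 3
}

# Six fixed columns, then Transport Class Product... UserClass Built-In.
ROW = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+"
    r"(\d+)\s+(\d+)\s+(0x[0-9a-fA-F]+)\s+(.+)$"
)


def fourcc(location_id):
    """Decode LocationID as four printable ASCII bytes, else None."""
    if not 0 <= location_id <= 0xFFFFFFFF:
        return None
    raw = location_id.to_bytes(4, "big")
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def null_to_none(value):
    return None if value == "(null)" else value


def parse_services(text):
    """Return one dict per row of the 'Services:' section of hidutil list."""
    services, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line in ("Services:", "Devices:"):
            section = line[:-1]
            continue
        m = ROW.match(line)
        if section != "Services" or not m:
            continue  # header rows, shell prompts, and the Devices section
        tail = m.group(7).split()
        if len(tail) < 5:
            continue  # malformed row
        page, usage = int(m.group(4)), int(m.group(5))
        services.append({
            "fourcc": fourcc(int(m.group(3), 16)),
            "usage_page": page,
            "usage": usage,
            "registry_id": int(m.group(6), 16),
            "transport": null_to_none(tail[0]),
            "class": null_to_none(tail[1]),
            # Product may contain spaces; the last two tokens are
            # UserClass and Built-In.
            "product": null_to_none(" ".join(tail[2:-2])),
            "kind": SENSOR_KINDS.get((page, usage), "other"),
        })
    return services


def count_sensors(services):
    return Counter(s["kind"] for s in services)


HEADER = ("VendorID ProductID LocationID UsagePage Usage RegistryID "
          "Transport Class Product UserClass Built-In")

# Rows excerpted from Figure 2 (host CSE-iPhone-8-plus).
SAMPLE_8PLUS = f"""CSE-iPhone-8-plus:~ root# hidutil list
Services:
{HEADER}
0x0 0x0 0x54683378 65280 5 0x100000270 (null) AppleT8015TempSensor Max: PMGR SOC Die Temp Sensor3 (null) 1
0x0 0x0 0x5450336c 65280 5 0x100000336 (null) AppleSMC PMU tdie3 (null) 1
0x0 0x0 0x5651306c 65288 3 0x100000359 (null) AppleSMC Charger VQ0l (null) 1
0x0 0x0 0x54 13 4 0x100000571 SPI (null) (null) (null) 1
0x0 0x0 0x544e306e 65280 5 0x1000003f8 (null) AppleANS2NVMeController NAND CH0 temp (null) 1
Devices:
{HEADER}
0x0 0x0 0x0 65292 5 0x1000004b5 SPU AppleSPUHIDDevice (null) (null) 1
"""

# Rows excerpted from Figure 2 (host freedoms-iPhone).
SAMPLE_FREEDOMS = f"""freedoms-iPhone:~ root# hidutil list
Services:
{HEADER}
0x0 0x0 0x4950356c 65288 2 0x100000309 (null) AppleD2333PMU PMU ldo5 (null) 1
0x0 0x0 0x49503962 65288 2 0x100000346 (null) AppleD2333PMU PMU ibuck1 (null) 1
0x0 0x0 0x5650326c 65288 3 0x100000302 (null) AppleD2333PMU PMU ldo2 (null) 1
0x0 0x0 0x5450306c 65280 5 0x10000032d (null) AppleD2333PMU PMU tdie0 (null) 1
0x0 0x0 0x54473042 65280 5 0x1000002a3 (null) (null) gas gauge battery (null) (null)
"""

if __name__ == "__main__":
    for host, text in (("CSE-iPhone-8-plus", SAMPLE_8PLUS),
                       ("freedoms-iPhone", SAMPLE_FREEDOMS)):
        svc = parse_services(text)
        print(host, dict(count_sensors(svc)))
        for s in svc:
            print("  ", s["fourcc"], s["kind"], s["class"], s["product"])
```

Feeding the full session from Figure 2 to `parse_services` gives the per-device totals directly, instead of counting rows by eye.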
More Thermal Control Related Mechanisms I
▶ There is /usr/libexec/thermalmonitord in iOS 13 (/usr/libexec/mobilewatchdog in iOS 12.x), which collects thermal information and does thermal throttling when necessary.
▶ thermalmonitord is mainly written in Objective-C (how do we know that? There are Objective-C sections in the Mach-O file).
▶ Mach-O has been around for more than 30 years. There are many tools we can use to inspect Mach-O files, e.g., binutils and the LLVM-based binutils, if you know them.
▶ class-dump, one of the interesting Mach-O tools, can extract Objective-C class-related information (including protocols and methods) from Mach-O files and convert it to Objective-C headers.
▶ Running class-dump on thermalmonitord from an iPhone 8 running iOS 13.3 (class-dump thermalmonitord -H -o /tmp/thermal_headers), we can get more than 100 headers.
- (unsigned long long)getPotentialForcedThermalLevel:(unsigned long long)arg1;
- (_Bool)useTcalAdjust:(int)arg1;
- (void)updateTrapTargetFor:(int)arg1:(unsigned int)arg2;
- (void)updateThermRelease;
- (void)updateSleepTargetFor:(int)arg1:(unsigned int)arg2;
- (void)updateMaxLIFor:(int)arg1:(unsigned int)arg2;
- (void)updateDecayStatus;
- (void)updateHotSpotPIDTargetFor:(int)arg1:(unsigned int)arg2;
- (void)updateControlEffortFor:(int)arg1:(unsigned int)arg2;
- (void)updateAllThermalLoad;
- (void)tryTakeAction;
- (int)totalSensors;
- (void)probeAllSupervisorControlLoadingIndex;
- (_Bool)hasSolarMode;
- (unsigned long long)getWatchDogMode;
- (_Bool)getNaviStatus;
- (unsigned long long)getMaxSensorValue;
- (int)getHighestSkinTemp;
- (struct iir_filter_t *)getFilterValues;
- (void)getAllComponentID:(struct __SCPreferences *)arg1;
- (id)findComponent:(int)arg1;
- (void)evaluteMitigationMaxLoadingIndex;
- (void)enableRadioDataCollection:(_Bool)arg1;
- (void)createConnectionToCT:(int)arg1;
- (void)clearLoadingIndexOverrides;
- (void)clearControlEffortOverrides;
- (void)dealloc;
- (id)init;
AggDThermalMonitor *aggdTM;
_Bool thermalTrap;
NSMutableArray *listofComponentControl;
NSMutableArray *listOfSupervisorControl;
int calibrationResistorSensor;
int calibrationResistorTempDefault;
TableDrivenDecisionTree *decisionTree;
int thermalState;
float THERMAL_TRAP_LOAD;
float THERMAL_TRAP_SLEEP;
unsigned long long componentThermalStatusLevel;
unsigned long long previousOSThermalNotificationLevel;
CommonProduct
….
struct __CFRunLoop *localMainRunloop;
int productName;
struct __CFBundle *bundle;
CommonProduct *product;
ThermalManager
ComponentControl
SupervisorControl
TableDrivenDecisionTree
ThermalStatusLevel
TableDrivenDecisionTree
TwoHotSpotDecisionTree
ThreeHotSpotDecisionTree
FourHotSpotDecisionTree
FiveHotSpotDecisionTree
SixHotSpotDecisionTree
+ (id)sharedInstance
- (void)updateSystemPowerState:(_Bool)arg1;
- (void)iterateAndUpdateContexts;
- (_Bool)isContextTriggered:(int)arg1;
- (int)getContextState:(int)arg1;
- (id)createNewContext:(int)arg1;
- (void)dealloc;
- (id)init;
NSObject<OS_dispatch_queue> *catmQueue;
NSObject<OS_dispatch_source> *theTimer;
struct __CFArray *ctxObjects;
ContexAwareThermalManager
Figure 3: iOS Thermal Manager
- (_Bool)isInternalBuild;
- (struct __CFDictionary *)createPowerLogDictionaryForExtraSensors;
- (struct __CFDictionary *)createPowerLogDictionaryForExtraInternals;
- (struct __CFDictionary *)createPowerLogDictionaryForFixedHeaders;
- (struct __CFDictionary *)createPowerLogDictionaryForSensors;
- (struct __CFDictionary *)createPowerLogDictionaryForComponentControl;
- (struct __CFDictionary *)createPowerLogDictionaryForHotspotControl;
- (int)maxControlEffort;
- (_Bool)useTcalAdjust:(int)arg1;
- (struct __CFString *)getTGraphData:(int)arg1;
- (void)initDataCollection;
- (void)updateSystemLoad;
- (void)updatePrefs:(struct __SCPreferences *)arg1:(_Bool)arg2;
- (void)updateDecayStatus;
- (void)SaveProductString:(int)arg1;
- (void)probeAllSupervisorControlLoadingIndex;
- (void)initializeReadPrefs:(struct __SCPreferences *)arg1;
- (void)hintComponentControlTakeAction;
- (unsigned long long)getWatchDogMode;
- (int)getProductTotalSensors;
- (struct iir_filter_t *)getProductFilterValues;
- (unsigned long long)getMaxSensorValue;
- (int)getProductCalibrationSensorID;
- (int)getProductCalibrationDefault;
- (void *)getConfigurationFor:(struct __CFString *)arg1;
- (void)createNewProduct:(struct __CFRunLoop *)arg1;
- (void)createConnectionToCT:(int)arg1;
- (void)dealloc;
- (id)initWithConfig:(struct __CFBundle *)arg1;
struct __CFRunLoop *localMainRunloop;
int productName;
struct __CFBundle *bundle;
CommonProduct *product;
ThermalManager
….
CommonProduct *productObj;
NSMutableArray *listofComponentControl;
NSMutableArray *listOfSupervisorControl;
struct __CFArray *extraSensorDataSources;
struct __CFArray *extraInternalDataSources;
struct __CFString *tGraphDataString;
_Bool isInternal;
TGraphSampler
- (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1;
- (struct __CFString *)copyHeaderForIndex:(int)arg1;
- (int)numberOfFields;
- (void)updateSystemPowerState:(_Bool)arg1;
- (_Bool)synchContext;
- (void)updateContextActiveState;
- (_Bool)isContextTriggered;
- (int)getContextState;
- (void)initAudioHandling;
- (void)initBacklightHandling;
- (void)initPowerHandling;
- (void)dealloc;
- (id)init;
_Bool contextIsActive;
_Bool connectedExternally;
_Bool backlightIsOn;
_Bool audioIsOn;
_Bool powerIsOn;
int mitigationControllerListID;
int _displayToken;
int _audioRunningToken;
unsigned int pmuPowerService;
unsigned int _notification;
unsigned int _ioIterator;
struct IONotificationPort *notificationPort;
NSObject<OS_dispatch_queue> *_inPocketQueue;
ContextInPocket
- (id)initProduct:(id)arg1;
….
BaseCCList
- (_Bool)getNaviStatus;
- (id)initProduct:(id)arg1;
Navigation *navi;
BaseCCDisplayAndPower
- (unsigned long long)getPotentialForcedThermalLevel:(unsigned long long)arg1;
- (_Bool)useTcalAdjust:(int)arg1;
- (void)updateDecayStatus;
- (void)updateAllThermalLoad;
- (int)totalSensors;
- (void)createConnectionToCT:(int)arg1;
- (void)dealloc;
- (id)initProduct:(id)arg1;
RadioPassthroughCC *radioCC;
CameraTS *camSensor;
DieControlLoop *dieControlLoop;
unsigned char dieControlLoopMaxLoadIndexTableCPU[256];
unsigned char dieControlLoopMaxLoadIndexTableGPU[256];
tm60ebe335d9a55c5e521f51bf0dadbce6
Figure 4: iOS Thermal Manager and others
- (_Bool)isEqualMType:(int)arg1;
- (void)calculateControlEffort:(float)arg1;
- (void)dealloc;
- (id)initPIDWith:(struct __CFDictionary *)arg1;
_Bool allowCEOverride;
float kp;
float ki;
float ts;
float integrator;
float integratorMin;
float integratorMax;
float TARGET;
int mitigationType;
struct __CFString *nameofComponent;
int boundCheckLow;
int boundCheckHigh;
int controlEffort;
PidComponent
- (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1;
- (struct __CFString *)copyHeaderForIndex:(int)arg1;
- (int)numberOfFields;
- (void)testLoadingIndexLevel;
- (void)refreshCurrentLoadingIndex;
- (_Bool)isEqualMType:(int)arg1;
- (void)filteredMaxLoadingIndex;
- (void)defaultAction;
- (void)dealloc;
- (id)initWithCC:(const char *)arg1:(const char *)arg2:(int)arg3:(struct __CFDictionary *)arg4;
_Bool allowLIOverride;
_Bool thermRelease;
double lastTime;
NSObject<OS_dispatch_queue> *myCustomQueue;
unsigned int currentLoadingIndex;
unsigned int maxLoadingIndex;
unsigned int previousValue;
unsigned int releaseMaxLI;
unsigned int releaseRate;
NSObject<OS_dispatch_source> *theTimer;
int loopTimer;
CompoentControl
- (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1;
- (struct __CFString *)copyHeaderForIndex:(int)arg1;
- (int)numberOfFields;
- (void)refreshCurrentLoadingIndex;
- (void)defaultAction;
- (void)calculateMitigation;
- (id)initWithSOC:(const char *)arg1:(int)arg2:(struct __CFDictionary *)arg3:(int)arg4:(int)arg5;
int listIDPos;
unsigned int gpuPowerTarget;
int dutyCyclingCrossOverThreshold;
float timeActive;
SocCC
- (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1;
- (struct __CFString *)copyHeaderForIndex:(int)arg1;
- (int)numberOfFields;
- (_Bool)usesPID;
- (void)refreshCurrentLoadingIndex;
- (void)refreshCurrentLoadingIndexUsingPID;
- (unsigned int)getUserUsage;
- (void)defaultAction;
- (id)initWithCPU:(const char *)arg1:(int)arg2:(struct __CFDictionary *)arg3:(float)arg4:(int)arg5;
int listIDPos;
unsigned int host;
struct host_cpu_load_info currCpu;
struct host_cpu_load_info prevCpu;
float powerScale;
float timeActive;
unsigned int kDVD1Level;
_Bool _useDirectMap;
unsigned int _minReachableLoadIndex;
float _directMapSlope;
float _directMapIntercept;
CpuCC
- (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1;
- (struct __CFString *)copyHeaderForIndex:(int)arg1;
- (int)numberOfFields;
- (void)startLoop;
- (void)startLoopIfNeeded;
- (void)controlDie;
- (void)updateComponentsForMaxCPULoadIndex:(int)arg1 andMaxGPULoadIndex:(int)arg2;
- (void)dealloc;
- (id)initWithRunLoop:(struct __CFRunLoop *)arg1 maxLoadTableCPU:(char *)arg2 maxLoadTableGPU:(char *)arg3 sgxCrossover:(int)arg4 andPIDList:(struct __CFDictionary *)arg5;
- (void)initSensorContext:(CDStruct_beb0aeb4 *)arg1 forService:(const char *)arg2 key:(struct __CFString *)arg3 value:(struct __CFString *)arg4;
CDStruct_beb0aeb4 dieTempSensorContext[4];
int listIDPos;
float PANIC_LEVEL;
float RELEASE_TEMP;
NSObject<OS_dispatch_source> *theTimer;
unsigned int note;
unsigned int sochotPMGR;
unsigned int sochotCCC;
struct IONotificationPort *notificationPort;
char *maxLoadIndexTableCPU;
char *maxLoadIndexTableGPU;
NSObject<OS_dispatch_queue> *dieControlQueue;
_Bool dieControlLoopIsRunning;
DieControlLoop
SupervisorControl
CommonProduct *cProduct;
float hotspotTemperature;
float THERMAL_TRAP_LOAD;
float THERMAL_TRAP_SLEEP;
float releaseHysteresis;
int tState;
struct ForcedThermalLevelStruct forcedThermalLevel[2];
_Bool isEngagedWithHysteresis;
- (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1;
- (struct __CFString *)copyHeaderForIndex:(int)arg1;
- (int)numberOfFields;
- (_Bool)shouldForceThermalLevelForThreshold:(int)arg1;
- (_Bool)hotspotIsEngaged;
- (int)getThermalStateofHotspot;
- (float)calculateTargetDifference;
- (void)calculateControlEffort:(float)arg1;
- (void)dealloc;
- (id)initWithSC:(const char *)arg1:(int)arg2:(id)arg3:(struct __CFDictionary *)arg4;
- (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1;
- (struct __CFString *)copyHeaderForIndex:(int)arg1;
- (int)numberOfFields;
- (_Bool)usesPID;
- (void)refreshCurrentLoadingIndex;
- (void)refreshCurrentLoadingIndexUsingPID;
- (unsigned int)getUserUsage;
- (void)defaultAction;
- (id)initWithCPU:(const char *)arg1:(int)arg2:(struct __CFDictionary *)arg3:(float)arg4:(int)arg5;
int listIDPos;
unsigned int host;
struct host_cpu_load_info currCpu;
struct host_cpu_load_info prevCpu;
float powerScale;
float timeActive;
unsigned int kDVD1Level;
_Bool _useDirectMap;
unsigned int _minReachableLoadIndex;
float _directMapSlope;
float _directMapIntercept;
BackligtCC
Figure 5: Example iOS Thermal Control Loops
peeking running systems with cycript I
▶ attaching cycript to a running system process became a bit more
complicated after iOS 12. We can start from a wrapper
called cyrun, https://www.reddit.com/r/jailbreakdevelopers/comments/b1r5kq/question_is_cycript_coming_to_ios_12_unc0ver_jb/
▶ with cyrun + cycript:
▶ cyrun -x thermalmonitord -e
▶ then where to start? Singletons are less intrusive and
easier
▶ as you can see in Listing 2, we can get productObj
▶ as you can see in Listing 3, thermalmonitord uses HID sensors.
peeking running systems with cycript II
Listing 2: Cyrun
~ root # cyrun -x thermalmonitord -e
applicationName: thermalmonitord is running (64)
executableName: thermalmonitord
bundleIdentifier:
Cycript is active: thermalmonitord
Device is passcode locked
Tweak Mode
Success, Cycript was already active for the Process. You may now run
cycript -r 127.0.0.1:8556
cy# tgs = [TGraphSampler sharedInstance]
#"<TGraphSampler: 0x104f04330>"
cy# tgs->productObj
#"<tm0148f449e0ff00c77f11492610c521ce: 0x104f04090>"
cy# tgs->
__defineGetter__ extratGraphDataSources
__defineSetter__ gotDataToLogToLiteMode
__lookupGetter__ hasOwnProperty
__lookupSetter__ isInternal
__proto__ isPrototypeOf
_appleCareState isa
_appleCareStateLastLogged lastLogTimestamp
_powerlogQueue listOfSupervisorControl
_powerlogSubkeyController_Components listofComponentControl
_powerlogSubkeyController_HiP previousThermalSensorValues
_powerlogSubkeyController_Hotspots productObj
_powerlogSubkeyController_LiteMode propertyIsEnumerable
_powerlogSubkeyController_MiscExternalState tGraphDataString
_powerlogSubkeyController_MiscInternalState toLocaleString
_powerlogSubkeyController_Sensors toString
_powerlogSubkeyController_Sensors_Components valueOf
constructor
peeking running systems with cycript III
Listing 3: Cycript HidSensors
cy# hs = [HidSensors sharedInstance]
#"<HidSensors: 0x10582bac0>"
cy# new Instance(hs->_tempSensors)[0]
#"+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n
RegistryID: 0x0000000100000277\n
BuiltIn: 1\n
Product: Avg: PMGR SOC Die Temp Sensor0\n
LocationID: 1416114273\n
VendorID: 0\n
ProductID: 0\n
CountryCode: 0\n
PrimaryUsagePage: 65280\n
PrimaryUsage: 5\n
DeviceUsagePairs:\n
DeviceUsagePage: 65280\n
DeviceUsage: 5\n
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
cy#
Other tools I
▶ binutils and other hacking tools, such as lsof
▶ lldb/gdb on devices: Apple used to ship “fat” gdb and lldb,
but not anymore(?). LLDB allows using Objective-C style
syntax (most iOS programmers from before Swift was
introduced know Objective-C).
▶ remote debugging: either cross building or native building
of lldb could be an obstacle. If you are not afraid of using
remote debugging, they (debugserver and lldb) are open
source too. Example usage (my iMac: 192.168.1.80, the
iPhone: 192.168.1.115)
1. install debugserver on your iDevice. Then, run
debugserver 192.168.1.80:5555 --attach=thermalmonitord
to wait for a connection from
192.168.1.80 to port 5555 of this device.
Other tools II
2. on your host, launch lldb, then use
platform select remote-ios and
process connect connect://192.168.1.115:5555
to connect to the debugserver on the remote device. You should see
something like Listing 4
3. we can examine TGraphSampler as in Listing 5
4. and HidSensors as in Listing 6
▶ NOTE: DON’T interrupt thermalmonitord for too long,
otherwise the device will reboot.
Listing 4: connect to debugserver from lldb
(lldb) platform select remote-ios
Platform: remote-ios
Connected: no
SDK Path: "/Users/freedom/Library/Developer/Xcode/iOS DeviceSupport/13.3 (17C54)"
SDK Roots: [ 0] "/Users/freedom/Library/Developer/Xcode/iOS DeviceSupport/13.3 (17C54)"
(lldb) process connect connect://192.168.1.115:5555
Process 64 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
frame #0: 0x0000000184864634 libsystem_kernel.dylib`mach_msg_trap + 8
libsystem_kernel.dylib`mach_msg_trap:
-> 0x184864634 <+8>: ret
Other tools III
libsystem_kernel.dylib`mach_msg_overwrite_trap:
0x184864638 <+0>: mov x16, #-0x20
0x18486463c <+4>: svc #0x80
0x184864640 <+8>: ret
Target 0: (thermalmonitord) stopped.
Listing 5: TGraphSampler
(lldb) expr TGraphSampler *$tgs = [TGraphSampler sharedInstance]
(lldb) p *$tgs
(TGraphSampler) $0 = {
NSObject = {
isa = TGraphSampler
}
productObj = 0x0000000103e03f80
listofComponentControl = 0x0000000103e041a0 @"9 elements"
listOfSupervisorControl = 0x0000000103e041d0 @"12 elements"
extratGraphDataSources = 0x0000000103e04520
tGraphDataString = 0x0000000000000000
isInternal = false
gotDataToLogToLiteMode = false
lastLogTimestamp = 38967673125
previousThermalSensorValues = {
[0] = 0
[1] = 0
[2] = 0
[3] = 0
[4] = 0
[5] = 0
[6] = 0
Other tools V
[39] = 0
[40] = 0
[41] = 0
[42] = 0
[43] = 0
[44] = 0
[45] = 0
[46] = 0
[47] = 0
[48] = 0
[49] = 0
[50] = 0
[51] = 0
[52] = 0
[53] = 0
[54] = 0
[55] = 0
[56] = 0
[57] = 0
[58] = 0
[59] = 0
[60] = 0
[61] = 0
[62] = 0
[63] = 0
}
_powerlogQueue = 0x0000000103e04850
_powerlogSubkeyController_Hotspots = 0x0000000103e04610
_powerlogSubkeyController_Components = 0x0000000103e04690
_powerlogSubkeyController_Sensors = 0x0000000103e046d0
_powerlogSubkeyController_MiscInternalState = 0x0000000103e04710
_powerlogSubkeyController_MiscExternalState = 0x0000000103e04750
Other tools VI
_powerlogSubkeyController_LiteMode = 0x0000000103e04790
_powerlogSubkeyController_HiP = 0x0000000103e047d0
_powerlogSubkeyController_Sensors_Components = 0x0000000103e04810
_appleCareState = 0x0000000103e048d0 @"5 elements"
_appleCareStateLastLogged = 0x0000000103e04af0 @"5 elements"
}
(lldb) po $tgs->productObj
<tm0148f449e0ff00c77f11492610c521ce: 0x103e03f80>
Listing 6: "HidSensors"
(lldb) expr HidSensors *$hs = [HidSensors sharedInstance]
(lldb) p *$hs
(HidSensors) $1 = {
NSObject = {
isa = HidSensors
}
_hidEventSystem = 0x0000000103d0f9c0
_infoOnlyHIDSensors = 0x0000000103f2d400
_callbackSensorIntervals = 0x0000000103f2cc10
_readFailuresExpected = 0x0000000000000000
_powerSensors = 0x0000000000000000
hidSensorKeys = 0x0000000103e037a0
sensorFourCharCode = 0x0000000103e03db0
synthSensorKeys = 0x0000000103e03de0
_callbackTemperatures = 0x0000000103f31630
_potentiallyStaleSensorTimestamps = 0x0000000103e03e10
_potentiallyStaleSensorDefaults = 0x0000000103f2c840
_callbackTemperaturesQueue = 0x0000000103f2d570
sensorWatchdogMask = 1236950581247
Other tools VII
_infoOnlySensorsActive = false
_dispatchVirtualTemp = true
_send2DTempGrid = false
_tempSensors = 0x0000000105015fc0
_count = 36
_shadowSensorCount = 8
_sensorDict = 0x0000000103f30e80
_serviceToName = 0x0000000103f31670
}
(lldb) po $hs->_tempSensors
<__NSArrayI 0x105015fc0>(
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
RegistryID: 0x0000000100000270
BuiltIn: 1
Product: Max: PMGR SOC Die Temp Sensor3
LocationID: 1416115064
VendorID: 0
ProductID: 0
CountryCode: 0
PrimaryUsagePage: 65280
PrimaryUsage: 5
DeviceUsagePairs:
DeviceUsagePage: 65280
DeviceUsage: 5
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
,
....
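The remote-debugging steps and the sensor dump of Listing 6, combined into one added example (not code from the slides): it builds a non-interactive lldb command line that connects, dumps `_tempSensors` and detaches straight away, in line with the NOTE about not stalling thermalmonitord, and it parses the resulting dump into records. The function names and the sample dump are constructed for illustration, the `Name: value` layout is assumed from the listing, and `--batch` and `-o` are standard lldb options.

```python
import re

SEPARATOR = re.compile(r"^\++$")           # the "+++...+++" rule around each sensor
FIELD = re.compile(r"^(\w+)\s*:\s*(.*)$")  # "Name: value"; the value may contain ':'
TEMP_PAGE, TEMP_USAGE = 65280, 5           # usage page / usage shown in the listings
# Constructed sample in the layout of Listing 6; the second record is invented.
SAMPLE_DUMP = """<__NSArrayI 0x105015fc0>(
+++++++++++++++
RegistryID: 0x0000000100000270
Product: Max: PMGR SOC Die Temp Sensor3
PrimaryUsagePage: 65280
PrimaryUsage: 5
DeviceUsagePairs:
DeviceUsagePage: 65280
DeviceUsage: 5
+++++++++++++++
,
+++++++++++++++
Product: constructed non-temperature service
PrimaryUsagePage: 65280
PrimaryUsage: 3
+++++++++++++++
)"""

def lldb_batch_argv(device_ip, port):
    """lldb argv that connects, dumps _tempSensors and detaches with no typing pause."""
    commands = ["platform select remote-ios",
                f"process connect connect://{device_ip}:{port}",
                "expr HidSensors *$hs = [HidSensors sharedInstance]",
                "po $hs->_tempSensors",
                "process detach"]  # hand thermalmonitord back right after the dump
    return ["lldb", "--batch"] + [arg for c in commands for arg in ("-o", c)]

def parse_sensors(dump):
    """Return one dict per "+++"-delimited sensor block; numeric values become ints."""
    sensors, current = [], None
    for line in map(str.strip, dump.splitlines()):
        if SEPARATOR.match(line):  # every rule closes one block and opens the next
            sensors += [current] if current else []
            current = {}
        elif current is not None and (m := FIELD.match(line)) and m[1] != "DeviceUsagePairs":
            key, value = m[1], m[2]
            value = int(value, 0) if re.fullmatch(r"0x[0-9a-fA-F]+|0|[1-9][0-9]*", value) else value
            if key == "DeviceUsagePage":  # first half of a (page, usage) pair
                current.setdefault("DeviceUsagePairs", []).append([value, None])
            elif key == "DeviceUsage" and current.get("DeviceUsagePairs"):
                current["DeviceUsagePairs"][-1][1] = value
            else:
                current[key] = value
    return sensors + ([current] if current else [])  # keep a block cut off mid-dump

def temperature_sensors(sensors):  # product names matching the temperature usage pair
    return [s.get("Product") for s in sensors
            if (s.get("PrimaryUsagePage"), s.get("PrimaryUsage")) == (TEMP_PAGE, TEMP_USAGE)]
```

On the host, pass `lldb_batch_argv("192.168.1.115", 5555)` to `subprocess.run(..., capture_output=True, text=True)` and feed its `stdout` to `parse_sensors`.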
References I
[1] Checkm8.
https://github.com/axi0mX/ipwndfu/.
Accessed: 2019-12-20.
[2] checkra1n.
https://checkra.in/.
Accessed: 2019-12-20.
[3] Apple.
DriverKit.
https://developer.apple.com/documentation/driverkit/.
Accessed: 2019-12-20.
[4] Apple.
IOKit family.
https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Families_Ref/Families_Ref.html.
Accessed: 2019-12-20.
[5] Apple.
IOKit fundamentals.
https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/.
Accessed: 2019-12-20.
[6] Esmaeilzadeh, H., Blem, E., St. Amant, R., Sankaralingam, K., and Burger, D.
Dark silicon and the end of multicore scaling.
In Proceedings of the 38th Annual International Symposium on Computer Architecture (New York, NY, USA,
2011), ISCA ’11, ACM, pp. 365–376.
[7] Freeman, J.
cycript.
http://www.cycript.org.
Accessed: 2019-12-20.