Results of a detailed investigation into Apple's 'Lightning' specification, used in iPhone and iPad, have been published



'Lightning', an interface standard developed by Apple, is the interface built into devices such as the iPhone and iPad for charging the device and exchanging data with a computer. Nyan Satan, who analyzes Apple products, has investigated Lightning and published detailed specifications on a blog.

Apple Lightning
https://nyansatan.github.io/lightning/

The pin layout of the Lightning port on the device looks like this. Pin 5, 'PWR', is the power supply pin, and pins 4 and 8, 'ID0' and 'ID1', are the authentication management pins.



A Lightning cable can be inserted in either orientation, but the pin layout of the port differs between the upper side and the lower side.



'Tristar', one of the circuits that make up Lightning, is a multiplexer that can output multiple input signals as a single signal, and is said to be mounted at the port of the device itself. Nyan Satan explains that Tristar is used to detect the orientation of the Lightning plug on the cable side and to identify the accessory ID. From the iPhone 8/X onward, 'Hydra', which supports wireless charging, has been adopted instead, but it appears to play the same role as Tristar.



'HiFive' is the Lightning plug on the cable side, which has a built-in chip such as the SN2025 or BQ2025. Tristar on the device side and HiFive on the cable side communicate using a protocol called 'IDBUS'. IDBUS communication is used not only for exchanging data between the device and the cable, but also for controlling the power supply to the device.



Nyan Satan analyzed the IDBUS communication between Tristar and HiFive using a logic analyzer, a tool for capturing and analyzing digital signals.



With no Lightning peripherals connected, Tristar will continue to emit polling signals looking for peripherals.



Looking at the polling signal in detail, there is a period of about 1.1 milliseconds during which the voltage is simply held high and nothing else happens. Nyan Satan explains that this is the time needed to charge the capacitor in the HiFive on the cable side, and that HiFive uses this power to start its internal chip.



After powering HiFive, Tristar sends a polling signal that contains data. The signal containing data corresponds to the red frame in the image above.



Looking more closely at the signal containing the data, each transition from a low voltage state to a high voltage state can be treated as one unit. Nyan Satan calls each group separated by red lines a 'word'.



According to Nyan Satan, each word can be divided into a 'meaningful stage' and a 'recovery stage'. The meaningful stage is the stage that defines the meaning of the word, and the recovery stage is the preparation for the next transmission or reception. The word that is expressed depends on the length of each time interval.



Because the relationship between the time intervals and the word definitions has been worked out, the meaning of a signal captured by the logic analyzer can be read off.



Analyzing the IDBUS communication between Tristar and HiFive with these word definitions shows that Tristar first sends 'BREAK'. It then sends the request type, a byte such as hexadecimal '0x74', which tells the other side what the communication is about, followed by bytes such as '0x00' or '0x02' that form the actual data part, and then a CRC8 of the actual data part. According to Nyan Satan's analysis, BREAK is then sent one last time. At this stage, however, no peripheral is attached, so there is no response to Tristar's request.



Next, Nyan Satan attaches a peripheral to the device and analyzes the signal. A Lightning cable is plugged into a board for analysis.



When Tristar sends a request...



HiFive returns a response signal to the request.



Nyan Satan says that most requests are represented by the byte '0x74' and that the response is represented by '0x75', which is the request value plus 1. The known contents of the response from HiFive are as follows, and can be divided into the 'ACCx' and 'Dx' parts, which represent the type of peripheral device, and the actual data part.



The definition of the first 2 bits, 'ACCx', differs depending on which of the two authentication management pins on the Lightning port responds. The table above is the definition when the 'ID0' pin responds, and the table below is the definition when 'ID1' responds.



Like the ACCx part, the 'Dx' part has different signal definitions depending on which authentication management pin was authenticated.
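The request/response framing described above can be applied to a decoded word stream as follows. This is an added example, not code from Nyan Satan's write-up: the `BREAK` marker, the function names and the sample bytes are assumptions, it treats every run of bytes between two BREAKs as one frame and applies the "request type + 1" rule to any type byte, and the CRC8 byte is only captured, not verified, because the page does not give the CRC parameters.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

BREAK = "BREAK"  # assumed marker for a decoded BREAK word

@dataclass
class Frame:
    type: int    # request/response type byte, e.g. 0x74 or 0x75
    data: bytes  # actual data part
    crc: int     # trailing CRC8 byte as captured; not verified here

def split_frames(words: List[Union[str, int]]) -> List[Frame]:
    """Treat every run of bytes between two BREAK words as one frame."""
    frames, current = [], None
    for w in words:
        if w == BREAK:
            if current and len(current) >= 2:  # need at least type + CRC
                frames.append(Frame(current[0], bytes(current[1:-1]), current[-1]))
            current = []
        elif current is not None:  # ignore bytes seen before the first BREAK
            current.append(w)
    return frames

def pair_exchanges(frames: List[Frame]) -> List[Tuple[Frame, Optional[Frame]]]:
    """Pair each request with a following frame whose type is request + 1."""
    pairs, i = [], 0
    while i < len(frames):
        req = frames[i]
        nxt = frames[i + 1] if i + 1 < len(frames) else None
        if nxt is not None and nxt.type == req.type + 1:
            pairs.append((req, nxt))
            i += 2
        else:
            pairs.append((req, None))  # poll with no accessory answering
            i += 1
    return pairs

# Constructed sample: one unanswered poll, then one answered poll.
# CRC bytes (0xAA, 0xBB) and the response data are placeholders, not real values.
SAMPLE_WORDS = [
    BREAK, 0x74, 0x00, 0x02, 0xAA, BREAK,
    BREAK, 0x74, 0x00, 0x02, 0xAA, BREAK,
    0x75, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0xBB, BREAK,
]

if __name__ == "__main__":
    for req, resp in pair_exchanges(split_frames(SAMPLE_WORDS)):
        status = resp.data.hex() if resp else "no response"
        print(f"request 0x{req.type:02x} data={req.data.hex()} -> {status}")
```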



The table below shows the correspondence between peripheral devices and cable IDs.



If the device has already been jailbroken, the ID of the connected peripheral device can be checked by running the 'accctl' command.



On devices running iOS 7 or later, the peripheral device type can also be checked with the 'tristar' command.



The request sent by the device contains a 16-bit value called 'HOSTID', and HiFive will not work unless the HOSTID is a valid value. For example, if the HOSTID is set to 0 and the tristar command is executed, information about the peripheral device cannot be obtained.



Tristar also holds data called 'ESN' in EEPROM, and the ESN can be read out using a special cable. The device ID can then be obtained by sending the ESN to 'ttrs.apple.com'. Nyan Satan points out that Apple Store staff use the ESN to obtain the device ID from a device that does not start up.

Nyan Satan's explanation is based on leaked internal Apple information and on information that Nyan Satan investigated and obtained personally, and some or all of it may be wrong. The article carries the proviso: 'Please read at your own risk.'

in Hardware, Posted by darkhorse_log