Tamarin Firmware

PICO SDK NOTE

Please build with the Pico-SDK Version 4fe995d0ec984833a7ea9c33bac5c67a53c04178

Newer versions have some USB incompatibility.

Build

mkdir build
cd build
cmake ..
make

Hooking it up

With this cable, connect:

• [GP0] L1n (Purple)
• [GP1] L1p (Orange)
• [GND] GND (Black)
• [GP2] ID1 (Blue)
• [GP3] ID0 (Yellow)
• [5V] 5V (Red)

Note: The colors might be different for your cable. I recommend checking the pinout using a voltmeter.

Another cable was observed to have the following pinout:

• [GP0] L1n (Green)
• [GP1] L1p (White)
• [GND] GND (Black)
• [GP2] ID1 (Orange)
• [GP3] ID0 (Red)
• [5V] 5V (Yellow)

If you would like to connect to your device over USB, cut a USB cable and connect its wires like this:

• USB cable D+ (green) -> L0p (color depends on your cable)
• USB cable D- (white) -> L0n (color depends on your cable)
• USB cable GND (black) -> GND

Usage

Tamarin Cable provides three USB endpoints, of which two are serial ports.

Serial port 1 is the control serial port, use it to configure DCSD/JTAG mode.

Serial port 2 is the DCSD port, when Tamarin Cable is in DCSD mode the serial output will be provided here.

OpenOCD

To use Tamarin as a JTAG adapter you need to use our OpenOCD fork that includes support for the Tamarin probe.

To enable JTAG on production iPhones they need to be demoted. For checkm8 vulnerable iPhones this can be done using ipwndfu.

Once the phone is successfully demoted the bonobo configs can be used to connect to the iPhone like so:

openocd -f interface/tamarin.cfg -f t8015.cfg

Known issues

1. Commands are unavailable in JTAG mode. Workaround: Enter the desired command and then reconnect the device. To reset the device you can also use JTAG.
2. JTAG is not re-enabled after manual device reset. Workaround: Run the JTAG command again, then reconnect the device (or the Tamarin cable).