Koan-Sin Tan, profile picture
Uploaded byKoan-Sin Tan
2,675 views

Exploring Thermal Related Stuff in iDevices using Open-Source Tool

The document discusses thermal sensors in iOS devices, specifically focusing on the iPhone 6 and the use of open-source tools for exploring these sensors. It highlights the number and types of thermal sensors in various iPhone models, the methods for accessing this data via iOS APIs, and the challenges faced during development. Additionally, the paper emphasizes the importance of thermal control in modern devices and provides insights into the underlying technical mechanisms.

Technology
In this document
Powered by AI

Overview of thermal sensors and control mechanisms in iOS. Discusses software and hardware tools including IOKit and class-dump for analyzing thermal data.

Details on thermal management systems, their components, and control processes used in recent iOS updates. Discusses runtime information and PID control.

Exploration of various tools like cycript, lldb for process exploration, and debugging. Emphasizes open-source tools for interacting with iOS devices.

Includes references for further reading on related tools, methods, and historical background on iOS thermal management.

Downloaded 13 times
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Exploring Thermal Related Stuff in iDevices using Open-Source Tools 用 Iōng open-source 工具 kang-kū 來 lâi 探看 thàm-khàn 走 tsáu iOS ê 物仔 mih-â 內底 lāi-té 佮 kah 溫度 un-tōo相關 siong-kuan ê software 佮 kah hardware Tân Koan-Sîn freedom@computer.org COSCUP 2019 Lâi Tâi Káng December 21, 2019 Updated January 5, 2020
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Table of contents I Introduction A Peek into Thermal Sensors More Thermal Control Related Mechanisms Other Tools
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Who am I? ▶ “ 我是 Guá-sī 一个 tsi ̍t-ê 寫 siá code 个 ê 人 lâng, 我个苦 guá-ê-khóo 攏 lóng 寫佇 siá-tī 面頂 bīn-tíng” – Somebody I Don’t Know His Name, COSCUP 2017 ▶ Learnt to use open source on a VAX-11/780 running 4.3BSD, before the term “open source” was coined ▶ Learnt a bit Pe̍h-ōe-jī about the same time ▶ feel free to interrupt me anytime
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Why this topic? ▶ This is the era of so-called “dark silicon” [6]. ▶ Thermal control is an important but seldom-talked topic. I could not find public information on how iOS does it. ▶ Recent checkm8 [1] and follow-on checkra1n [2] enable jailbreaking of iPhone 5s –iPhone X, iOS 12.3 and up.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iPhone 6 Thermal Sensors I ▶ There are 32 thermal sensors (and 21 current and voltage sensors) on iPhone 6! ▶ Above information are from my little program on github [10].
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iPhone 6 Thermal Sensors II ▶ No jailbreak required, but “undocumented” API is used. So don’t submit it to App Store (mostly it will be rejected).
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . some numbers of sensors Model thermal current voltage iPhone 6 32 21 29 iPhone 6s 48 27 23 iPhone 7 47 32 35 iPhone 8 plus 68 3 7 iPhone Xs Max 67 4 8 iPhone 11 Pro 76 2 6 Table 1: Some numbers of sensors I collected
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . How Does the App Work? ▶ IOKit: public and documented on macOS, but not on iOS. ▶ IOKit: Apple “hidclass” ▶ Code: ▶ Objective-C: Get sensor information using the IOKit framework ▶ Swift: wrapper. ’Cause I wanna learn a bit Swift.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IOKit ▶ derived from NeXTSTEP’s DriverKit, which uses Objective-C [8]. As you might know, in WWDC 2019, the name DriverKit is back in macOS [3]. ▶ macOS/iOS device driver development framework: For kernel model divers and user model access [5] Figure 1: Figure from [9]
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IOKit HIDClass I ▶ IOKit/IOKit Family/HID class [4]: Originally it’s for USB, but it’s far beyond that now. So there is Usage Page. ▶ a command line tool that can be used to enumrate IOKit devices is ioreg(8) ▶ you can see in Listing 1, there are "PrimaryUsage" = 5, "PrimaryUsagePage" = 65280, and "DeviceUsagePairs" = ("DeviceUsagePage"=65280,"DeviceUsage"=5) Listing 1: Example TemperatureSensor in ioreg output . . . +−o AppleEmbeddedNVMeTemperatureSensor <class AppleEmbeddedNVMeTemperatureSensor , id 0x1000003f8 , registered , matched , active , busy 0 (1 ms) , r e t a i n 8> | | | | | { | | | | | ” IOCFPlugInTypes ” = {”7DDEECA8−A7B4−11DA−8A0E−0014519758EF”=” IOHIDFamily . kext / PlugIns / IOHIDLib . plugin ” , ” FA12FA38−6F1A−11D4−BA0C−0005028F18D5”=” IOHIDFamily . kext / PlugIns / IOHIDLib . plugin ” } | | | | | ” VendorID ” = 0 | | | | | ” CountryCode ” = 0 | | | | | ” IOUserClientClass ” = ” IOHIDEventServiceUserClient ” | | | | | ” Product ” = ”NAND CH0 temp ” | | | | | ” VersionNumber ” = 0 | | | | | ” IOGeneralInterest ” = ”IOCommand i s not s e r i a l i z a b l e ” | | | | | ” PrimaryUsage ” = 5 | | | | | ” LocationID ” = 1414410350 | | | | | ” HIDEventServiceProperties ” = { ” DeviceOpenedByEventSystem”=Yes , ” PreserveTimestamp ”=Yes , ” BatchInterval ”=1 ,” LogLevel ”=6} | | | | | ” ProductID ” = 0 | | | | | ” DeviceUsagePairs ” = ( { ” DeviceUsagePage”=65280 ,” DeviceUsage ”=5}) | | | | | ” B u i l t −In ” = Yes | | | | | ” ReportInterval ” = 0 | | | | | ” HIDServiceSupport ” = Yes | | | | | ” PrimaryUsagePage ” = 65280 | | | | | ” VendorIDSource ” = 0 | | | | | ” QueueSize ” = 0 | | | | | } . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Build the App ▶ if you git clone the source code and try to build it, you will get error message saying IOKit related header can’t be found (of course, you know you have to change signing stuff) ▶ you have to borrow them from macOS SDK, 1. pushd . 2. cd /Applications/Xcode.app/Contents/Developer/ Platforms/iPhoneOS.platform/Developer/SDKs/ iPhoneOS.sdk/System/Library/Frameworks/IOKit. framework/ 3. sudo ln -s /Applications/Xcode.app/Contents/ Developer/Platforms/MacOSX.platform/Developer/ SDKs/MacOSX.sdk/System/Library/Frameworks/IOKit. framework/Headers . 4. popd
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The devil is in the detail I ▶ some non public data types ▶ AppleHIDUsageTables ▶ IOHIDEventTypes ▶ some functions from source code. e.g., IOHIDEventSystemClientRef IOHIDEventSystemClientCreate(CFAllocatorRef allocator); ▶ .plist file(s) in /System/Library/ThermalMonitor/
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The devil is in the detail II CSE-iPhone-8-plus:~ root# hidutil list Services: VendorID ProductID LocationID UsagePage Usage RegistryID Transport Class Product UserClass Built-In 0x0 0x0 0x54683378 65280 5 0x100000270 (null) AppleT8015TempSensor Max: PMGR SOC Die Temp Sensor3 (null) 1 0x0 0x0 0x5450336c 65280 5 0x100000336 (null) AppleSMC PMU tdie3 (null) 1 0x0 0x0 0x54503562 65280 5 0x10000033d (null) AppleSMC PMU tdie5 (null) 1 0x0 0x0 0x54633161 65280 5 0x100000277 (null) AppleT8015TempSensor Avg: ACC Temp Sensor1 (null) 1 0x0 0x0 0x54503962 65280 5 0x10000034b (null) AppleSMC PMU tdie9 (null) 1 0x0 0x0 0x54563073 65280 5 0x100000352 (null) AppleSMC Unknown Source TV0s (null) 1 0x0 0x0 0x5651306c 65288 3 0x100000359 (null) AppleSMC Charger VQ0l (null) 1 0x5ac 0x8104 0x0 65280 10 0x100000501 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x54473042 65280 5 0x10000038a (null) AppleSMC gas gauge battery (null) 1 0x0 0x0 0x54534644 65280 5 0x1000005ff (null) AppleVTempDispatcher CGCenterSkin (null) 1 0x0 0x0 0x5453524d 65280 5 0x100000606 (null) AppleVTempDispatcher BandMLBSkin (null) 1 0x0 0x0 0x54534643 65280 5 0x10000060d (null) AppleVTempDispatcher CGRearCamera (null) 1 0x0 0x0 0x54503464 65280 5 0x100000318 (null) AppleSMC PMU tdev4 (null) 1 0x0 0x0 0x54683161 65280 5 0x100000267 (null) AppleT8015TempSensor Avg: PMGR SOC Die Temp Sensor1 (null) 1 0x0 0x0 0x54683369 65280 5 0x10000026e (null) AppleT8015TempSensor PMGR SOC Die Temp Sensor3 (null) 1 0x0 0x0 0x54 13 4 0x100000571 SPI (null) (null) (null) 1 0x0 0x0 0x54633278 65280 5 0x10000027c (null) AppleT8015TempSensor Max: ACC Temp Sensor2 (null) 1 0x0 0x0 0x54506562 65280 5 0x100000350 (null) AppleSMC PMU tdie14 (null) 1 0x0 0x0 0x5451306a 65280 5 0x100000357 (null) AppleSMC Charger TQ0j (null) 1 0x0 0x0 0x0 65292 4 0x1000004f8 SPU AppleSPUHIDDriver (null) (null) 1 0x5ac 0x8104 0x0 65280 9 0x1000004ff SPU AppleSPUHIDDriver (null) (null) 1 0x5ac 0x8104 0x0 32 49 0x10000050d SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x0 65280 8 0x10000051b SPU AppleProxHIDEventDriver (null) (null) 1 0x0 0x0 0x54534261 65280 5 0x100000612 (null) AppleVTempDispatcher BCArc (null) 1 0x0 0x0 0x54683278 65280 5 0x10000026c (null) AppleT8015TempSensor Max: PMGR SOC Die Temp Sensor2 (null) 1 0x0 0x0 0x54633061 65280 5 0x100000273 (null) AppleT8015TempSensor Avg: ACC Temp Sensor0 (null) 1 0x0 0x0 0x544e306e 65280 5 0x1000003f8 (null) AppleANS2NVMeController NAND CH0 temp (null) 1 0x0 0x0 0x54503862 65280 5 0x100000340 (null) AppleSMC PMU tdie8 (null) 1 0x0 0x0 0x5450346c 65280 5 0x100000339 (null) AppleSMC PMU tdie4 (null) 1 0x0 0x0 0x54506362 65280 5 0x10000034e (null) AppleSMC PMU tdie12 (null) 1 0x0 0x0 0x51513075 65288 2 0x100000355 (null) AppleSMC Charger QQ0u (null) 1 0x0 0x0 0x54633269 65280 5 0x10000027a (null) AppleT8015TempSensor ACC Temp Sensor2 (null) 1 0x0 0x0 0x57513075 65288 3 0x100000363 (null) AppleSMC Charger WQ0u (null) 1 0x0 0x0 0x0 65292 5 0x100000504 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x54473056 65280 5 0x100000394 (null) AppleSMC gas gauge battery (null) 1 0x0 0x0 0x0 11 1 0x100000216 (null) AppleM68Buttons (null) (null) 1 0x0 0x0 0x0 65280 11 0x1000003a2 (null) AppleMesaShim (null) (null) 1 0x0 0x0 0x54534245 65280 5 0x100000602 (null) AppleVTempDispatcher BCMLBSkin (null) 1 0x0 0x0 0x54534251 65280 5 0x100000609 (null) AppleVTempDispatcher BCCharger (null) 1 0x0 0x0 0x54503364 65280 5 0x100000314 (null) AppleSMC PMU tdev3 (null) 1 0x0 0x0 0x5450316c 65280 5 0x10000031b (null) AppleSMC PMU tdie1 (null) 1 0x0 0x0 0x54683061 65280 5 0x100000263 (null) AppleT8015TempSensor Avg: PMGR SOC Die Temp Sensor0 (null) 1 0x0 0x0 0x54683269 65280 5 0x10000026a (null) AppleT8015TempSensor PMGR SOC Die Temp Sensor2 (null) 1 0x0 0x0 0x54503264 65280 5 0x10000030d (null) AppleSMC PMU tdev2 (null) 1 0x0 0x0 0x54633178 65280 5 0x100000278 (null) AppleT8015TempSensor Max: ACC Temp Sensor1 (null) 1 0x0 0x0 0x54503662 65280 5 0x10000033e (null) AppleSMC PMU tdie6 (null) 1 0x0 0x0 0x54506162 65280 5 0x10000034c (null) AppleSMC PMU tdie10 (null) 1 0x0 0x0 0x49513042 65288 2 0x100000353 (null) AppleSMC Charger IQ0B (null) 1 0x0 0x0 0x56513075 65288 3 0x10000035a (null) AppleSMC Charger VQ0u (null) 1 0x0 0x0 0x54473048 65280 5 0x100000392 (null) AppleSMC gas gauge battery (null) 1 0x5ac 0x8104 0x0 65280 3 0x10000051e SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x0 65280 4 0x10000052c SPU AppleSPUCT709 (null) (null) 1 0x0 0x0 0x544b3046 65280 5 0x1000005f9 (null) AppleVTempDispatcher FrontCameraDie (null) 1 0x0 0x0 0x54535252 65280 5 0x100000607 (null) AppleVTempDispatcher BandRadioSkin (null) 1 0x0 0x0 0x54503564 65280 5 0x100000319 (null) AppleSMC PMU tdev5 (null) 1 0x0 0x0 0x54683178 65280 5 0x100000268 (null) AppleT8015TempSensor Max: PMGR SOC Die Temp Sensor1 (null) 1 0x0 0x0 0x54683361 65280 5 0x10000026f (null) AppleT8015TempSensor Avg: PMGR SOC Die Temp Sensor3 (null) 1 0x0 0x0 0x54633169 65280 5 0x100000276 (null) AppleT8015TempSensor ACC Temp Sensor1 (null) 1 0x0 0x0 0x54506662 65280 5 0x100000351 (null) AppleSMC PMU tdie15 (null) 1 0x0 0x0 0x56513042 65288 3 0x100000358 (null) AppleSMC Charger VQ0B (null) 1 0x0 0x0 0x6d696331 65280 5 0x1000002b5 (null) AppleICA60 (null) (null) 1 0x0 0x0 0x0 65292 1 0x1000004f9 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x0 65292 8 0x100000500 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x54503164 65280 5 0x100000309 (null) AppleSMC PMU tdev1 (null) 1 0x0 0x0 0x54533041 65280 5 0x100000613 (null) AppleVTempDispatcher Ambient (null) 1 0x0 0x0 0x54683169 65280 5 0x100000266 (null) AppleT8015TempSensor PMGR SOC Die Temp Sensor1 (null) 1 0x0 0x0 0x54633078 65280 5 0x100000274 (null) AppleT8015TempSensor Max: ACC Temp Sensor0 (null) 1 0x0 0x0 0x54633261 65280 5 0x10000027b (null) AppleT8015TempSensor Avg: ACC Temp Sensor2 (null) 1 0x0 0x0 0x54506462 65280 5 0x10000034f (null) AppleSMC PMU tdie13 (null) 1 0x0 0x0 0x54513064 65280 5 0x100000356 (null) AppleSMC Charger TQ0d (null) 1 0x0 0x0 0x0 32 100 0x1000004f7 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x0 65292 3 0x1000004fe SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x54617263 65280 5 0x100000446 (null) AppleHapticsSupportCallan AppleHapticsSupportTemperatureReporter (null) (null) 0x0 0x0 0x54473043 65280 5 0x10000038e (null) AppleSMC gas gauge battery (null) 1 0x0 0x0 0x56514444 65288 3 0x100000387 (null) AppleSMC Charger VQDD (null) 1 0x0 0x0 0x56503075 65288 3 0x1000002f9 (null) AppleSMC PMU VP0u (null) 1 0x0 0x0 0x544b3143 65280 5 0x1000005fc (null) AppleVTempDispatcher RearCameraTeleDie (null) 1 0x0 0x0 0x54534248 65280 5 0x100000603 (null) AppleVTempDispatcher BCH7Skin (null) 1 0x0 0x0 0x5450306a 65280 5 0x100000300 (null) AppleSMC PMU tjunc (null) 1 0x0 0x0 0x5450326c 65280 5 0x10000031c (null) AppleSMC PMU tdie2 (null) 1 0x0 0x0 0x54683078 65280 5 0x100000264 (null) AppleT8015TempSensor Max: PMGR SOC Die Temp Sensor0 (null) 1 0x0 0x0 0x54683261 65280 5 0x10000026b (null) AppleT8015TempSensor Avg: PMGR SOC Die Temp Sensor2 (null) 1 0x0 0x0 0x54433673 65280 5 0x10000025d (null) AMCTempSensor AMC ODTS (null) 1 0x0 0x0 0x54633069 65280 5 0x100000272 (null) AppleT8015TempSensor ACC Temp Sensor0 (null) 1 0x0 0x0 0x54503762 65280 5 0x10000033f (null) AppleSMC PMU tdie7 (null) 1 0x0 0x0 0x54506262 65280 5 0x10000034d (null) AppleSMC PMU tdie11 (null) 1 0x0 0x0 0x49513075 65288 2 0x100000354 (null) AppleSMC Charger IQ0u (null) 1 0x0 0x0 0x56513175 65288 3 0x10000035b (null) AppleSMC Charger VQ1u (null) 1 0x0 0x0 0x0 32 19 0x1000004ee SPU AppleSPUMesaDriver (null) (null) 1 0x0 0x0 0x0 11 1 0x1000004fc SPU AppleSPUButtonDriver (null) (null) 1 0x0 0x0 0x6d696332 65280 5 0x1000002c6 (null) AppleICA60 (null) (null) 1 0x0 0x0 0x0 32 138 0x100000511 SPU IOHIDEventDriver (null) (null) 1 0x0 0x0 0x544b3043 65280 5 0x1000005fa (null) AppleVTempDispatcher RearCameraDie (null) 1 0x0 0x0 0x5450305a 65280 5 0x100000305 (null) AppleSMC PMU tcal (null) 1 0x0 0x0 0x5453464c 65280 5 0x10000060f (null) AppleVTempDispatcher CGLED (null) 1 0x0 0x0 0x54683069 65280 5 0x100000262 (null) AppleT8015TempSensor PMGR SOC Die Temp Sensor0 (null) 1 Devices: VendorID ProductID LocationID UsagePage Usage RegistryID Transport Class Product UserClass Built-In 0x0 0x0 0x0 65292 5 0x1000004b5 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 11 1 0x1000004af SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 32 138 0x1000004ba SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 32 100 0x1000004b9 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65280 8 0x1000004bf SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65292 3 0x1000004b6 SPU AppleSPUHIDDevice (null) (null) 1 0x5ac 0x8104 0x0 32 49 0x1000004b1 SPU AppleSPUHIDDevice (null) (null) 1 0x5ac 0x8104 0x0 65280 10 0x1000004b0 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x54 13 4 0x10000056d SPI AppleHIDTransportHIDDevice (null) (null) (null) 0x0 0x0 0x0 65292 4 0x1000004b3 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65292 1 0x1000004b4 SPU AppleSPUHIDDevice (null) (null) 1 0x5ac 0x8104 0x0 65280 9 0x1000004ad SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65280 4 0x1000004be SPU AppleSPUHIDDevice (null) (null) 1 0x5ac 0x8104 0x0 65280 3 0x1000004ac SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65292 8 0x1000004b2 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 32 19 0x1000004bb SPU AppleSPUHIDDevice (null) (null) 1 CSE-iPhone-8-plus:~ root# exit freedoms-iPhone:~ root# hidutil list Services: VendorID ProductID LocationID UsagePage Usage RegistryID Transport Class Product UserClass Built-In 0x0 0x0 0x4950356c 65288 2 0x100000309 (null) AppleD2333PMU PMU ldo5 (null) 1 0x0 0x0 0x54534643 65280 5 0x100000637 (null) AppleVTempDispatcher CGRCAMSkin (null) 1 0x0 0x0 0x49503962 65288 2 0x100000346 (null) AppleD2333PMU PMU ibuck1 (null) 1 0x0 0x0 0x4950656c 65288 2 0x10000031b (null) AppleD2333PMU PMU ldo14 (null) 1 0x0 0x0 0x5450306c 65280 5 0x10000032d (null) AppleD2333PMU PMU tdie0 (null) 1 0x0 0x0 0x5650326c 65288 3 0x100000302 (null) AppleD2333PMU PMU ldo2 (null) 1 0x0 0x0 0x47 13 4 0x100000560 SPI (null) (null) (null) 1 0x0 0x0 0x54683178 65280 5 0x100000244 (null) AppleT700XTempSensor Max: PMGR SOC Die Temp Sensor1 (null) 1 0x0 0x0 0x56503462 65288 3 0x10000033f (null) AppleD2333PMU PMU vbuck4 (null) 1 0x0 0x0 0x5650626c 65288 3 0x100000314 (null) AppleD2333PMU PMU ldo11 (null) 1 0x0 0x0 0x49513075 65288 2 0x100000351 (null) AppleSN2400Charger Charger vbus (null) 1 0x0 0x0 0x5450306a 65280 5 0x100000326 (null) AppleD2333PMU PMU tjunc (null) 1 0x0 0x0 0x54633161 65280 5 0x10000023d (null) AppleT700XTempSensor Avg: ACC Temp Sensor1 (null) 1 0x0 0x0 0x54506262 65280 5 0x100000338 (null) AppleD2333PMU PMU tdie11 (null) 1 0x0 0x0 0x4950376c 65288 2 0x10000030d (null) AppleD2333PMU PMU ldo7 (null) 1 0x0 0x0 0x49503962 65288 2 0x10000034a (null) AppleD2333PMU PMU ibuck5 (null) 1 0x0 0x0 0x4950676c 65288 2 0x10000031f (null) AppleD2333PMU PMU ldo16 (null) 1 0x0 0x0 0x0 65292 3 0x100000515 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x54633269 65280 5 0x100000236 (null) AppleT700XTempSensor ACC Temp Sensor2 (null) 1 0x0 0x0 0x544b3043 65280 5 0x100000622 (null) AppleVTempDispatcher RearCameraDie (null) 1 0x0 0x0 0x5650346c 65288 3 0x100000306 (null) AppleD2333PMU PMU ldo4 (null) 1 0x0 0x0 0x54503462 65280 5 0x100000331 (null) AppleD2333PMU PMU tdie4 (null) 1 0x0 0x0 0x0 11 1 0x1000001e0 (null) AppleM68Buttons (null) (null) 1 0x5ac 0x8104 0x0 65280 9 0x100000539 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x56503862 65288 3 0x100000343 (null) AppleD2333PMU PMU vbuck8 (null) 1 0x0 0x0 0x5650646c 65288 3 0x100000318 (null) AppleD2333PMU PMU ldo13 (null) 1 0x0 0x0 0x54683078 65280 5 0x100000248 (null) AppleT700XTempSensor Max: PMGR SOC Die Temp Sensor0 (null) 1 0x0 0x0 0x54534252 65280 5 0x100000634 (null) AppleVTempDispatcher BCRadioSkin (null) 1 0x0 0x0 0x56513042 65288 3 0x100000355 (null) AppleSN2400Charger Charger vbat (null) 1 0x0 0x0 0x0 65280 255 0x1000004fc SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x54503364 65280 5 0x10000032a (null) AppleD2333PMU PMU tdev3 (null) 1 0x0 0x0 0x56503064 65288 3 0x1000002ff (null) AppleD2333PMU PMU vdd_main (null) 1 0x0 0x0 0x56503162 65288 3 0x10000033c (null) AppleD2333PMU PMU vbuck1 (null) 1 0x0 0x0 0x54683278 65280 5 0x100000241 (null) AppleT700XTempSensor Max: PMGR SOC Die Temp Sensor2 (null) 1 0x0 0x0 0x4950396c 65288 2 0x100000311 (null) AppleD2333PMU PMU ldo9 (null) 1 0x0 0x0 0x49503962 65288 2 0x10000034e (null) AppleD2333PMU PMU ibuck9 (null) 1 0x0 0x0 0x54433673 65280 5 0x100000228 (null) AMCTempSensor AMC ODTS (null) 1 0x0 0x0 0x4950696c 65288 2 0x100000323 (null) AppleD2333PMU PMU ldo18 (null) 1 0x0 0x0 0x54503862 65280 5 0x100000335 (null) AppleD2333PMU PMU tdie8 (null) 1 0x0 0x0 0x54633061 65280 5 0x10000023a (null) AppleT700XTempSensor Avg: ACC Temp Sensor0 (null) 1 0x0 0x0 0x5650366c 65288 3 0x10000030a (null) AppleD2333PMU PMU ldo6 (null) 1 0x0 0x0 0x49503962 65288 2 0x100000347 (null) AppleD2333PMU PMU ibuck2 (null) 1 0x0 0x0 0x54533041 65280 5 0x100000638 (null) AppleVTempDispatcher Ambient (null) 1 0x0 0x0 0x5650666c 65288 3 0x10000031c (null) AppleD2333PMU PMU ldo15 (null) 1 0x0 0x0 0x5450316c 65280 5 0x10000032e (null) AppleD2333PMU PMU tdie1 (null) 1 0x0 0x0 0x544b3046 65280 5 0x10000061f (null) AppleVTempDispatcher FrontCameraDie (null) 1 0x0 0x0 0x4950326c 65288 2 0x100000303 (null) AppleD2333PMU PMU ldo2 (null) 1 0x0 0x0 0x56503562 65288 3 0x100000340 (null) AppleD2333PMU PMU vbuck5 (null) 1 0x0 0x0 0x54534245 65280 5 0x100000631 (null) AppleVTempDispatcher BCMLBSkin (null) 1 0x0 0x0 0x4950626c 65288 2 0x100000315 (null) AppleD2333PMU PMU ldo11 (null) 1 0x0 0x0 0x49513042 65288 2 0x100000352 (null) AppleSN2400Charger Charger ibat (null) 1 0x0 0x0 0x5450305a 65280 5 0x100000327 (null) AppleD2333PMU PMU tcal (null) 1 0x0 0x0 0x54506362 65280 5 0x100000339 (null) AppleD2333PMU PMU tdie12 (null) 1 0x0 0x0 0x54633178 65280 5 0x10000023e (null) AppleT700XTempSensor Max: ACC Temp Sensor1 (null) 1 0x5ac 0x8104 0x0 32 49 0x10000052f SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x5650386c 65288 3 0x10000030e (null) AppleD2333PMU PMU ldo8 (null) 1 0x0 0x0 0x49503962 65288 2 0x10000034b (null) AppleD2333PMU PMU ibuck6 (null) 1 0x0 0x0 0x5650686c 65288 3 0x100000320 (null) AppleD2333PMU PMU ldo17 (null) 1 0x0 0x0 0x54503562 65280 5 0x100000332 (null) AppleD2333PMU PMU tdie5 (null) 1 0x0 0x0 0x54633261 65280 5 0x100000237 (null) AppleT700XTempSensor Avg: ACC Temp Sensor2 (null) 1 0x0 0x0 0x4950346c 65288 2 0x100000307 (null) AppleD2333PMU PMU ldo4 (null) 1 0x0 0x0 0x56503962 65288 3 0x100000344 (null) AppleD2333PMU PMU vbuck9 (null) 1 0x5ac 0x8104 0x0 65280 10 0x10000053a SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x0 65280 8 0x10000050f SPU AppleProxHIDEventDriver (null) (null) 1 0x0 0x0 0x4950646c 65288 2 0x100000319 (null) AppleD2333PMU PMU ldo13 (null) 1 0x0 0x0 0x57513075 65288 3 0x100000356 (null) AppleSN2400Charger Charger vbus_accum (null) 1 0x0 0x0 0x0 65280 11 0x1000003be (null) AppleMesaShim (null) (null) 1 0x0 0x0 0x54503464 65280 5 0x10000032b (null) AppleD2333PMU PMU tdev4 (null) 1 0x0 0x0 0x0 32 138 0x100000521 SPU IOHIDEventDriver (null) (null) 1 0x0 0x0 0x5650316c 65288 3 0x100000300 (null) AppleD2333PMU PMU ldo1 (null) 1 0x0 0x0 0x56503262 65288 3 0x10000033d (null) AppleD2333PMU PMU vbuck2 (null) 1 0x0 0x0 0x54683169 65280 5 0x100000242 (null) AppleT700XTempSensor PMGR SOC Die Temp Sensor1 (null) 1 0x0 0x0 0x5650616c 65288 3 0x100000312 (null) AppleD2333PMU PMU ldo10 (null) 1 0x0 0x0 0x6d696331 65280 5 0x1000002aa (null) AppleICA60 (null) (null) 1 0x0 0x0 0x544e306e 65280 5 0x1000003e2 (null) AppleEmbeddedNVMeController NAND CH0 temp (null) 1 0x0 0x0 0x56503078 65288 3 0x10000034f (null) AppleD2333PMU PMU vmon (null) 1 0x0 0x0 0x42 65280 32 0x1000004b2 Serial AppleHomerDriver (null) (null) 1 0x0 0x0 0x56506a6c 65288 3 0x100000324 (null) AppleD2333PMU PMU ldo19 (null) 1 0x0 0x0 0x54503962 65280 5 0x100000336 (null) AppleD2333PMU PMU tdie9 (null) 1 0x0 0x0 0x54633078 65280 5 0x10000023b (null) AppleT700XTempSensor Max: ACC Temp Sensor0 (null) 1 0x0 0x0 0x0 32 19 0x100000501 SPU AppleSPUMesaDriver (null) (null) 1 0x0 0x0 0x4950366c 65288 2 0x10000030b (null) AppleD2333PMU PMU ldo6 (null) 1 0x0 0x0 0x54473042 65280 5 0x1000002a3 (null) (null) gas gauge battery (null) (null) 0x0 0x0 0x49503962 65288 2 0x100000348 (null) AppleD2333PMU PMU ibuck3 (null) 1 0x0 0x0 0x4950666c 65288 2 0x10000031d (null) AppleD2333PMU PMU ldo15 (null) 1 0x0 0x0 0x5450326c 65280 5 0x10000032f (null) AppleD2333PMU PMU tdie2 (null) 1 0x0 0x0 0x5650336c 65288 3 0x100000304 (null) AppleD2333PMU PMU ldo3 (null) 1 0x0 0x0 0x56503662 65288 3 0x100000341 (null) AppleD2333PMU PMU vbuck6 (null) 1 0x0 0x0 0x54683069 65280 5 0x100000246 (null) AppleT700XTempSensor PMGR SOC Die Temp Sensor0 (null) 1 0x0 0x0 0x5650636c 65288 3 0x100000316 (null) AppleD2333PMU PMU ldo12 (null) 1 0x5ac 0x8104 0x0 65280 3 0x10000050c SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x56513063 65288 3 0x100000353 (null) AppleSN2400Charger Charger vdd_main (null) 1 0x0 0x0 0x54617263 65280 5 0x1000004b6 Serial AppleHomerTemperature (null) (null) 1 0x0 0x0 0x54503164 65280 5 0x100000328 (null) AppleD2333PMU PMU tdev1 (null) 1 0x0 0x0 0x0 65292 4 0x10000051e SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x54534644 65280 5 0x10000062b (null) AppleVTempDispatcher CGCenterSkin (null) 1 0x0 0x0 0x54506462 65280 5 0x10000033a (null) AppleD2333PMU PMU tdie13 (null) 1 0x0 0x0 0x4950386c 65288 2 0x10000030f (null) AppleD2333PMU PMU ldo8 (null) 1 0x0 0x0 0x0 11 1 0x100000505 SPU AppleSPUButtonDriver (null) (null) 1 0x0 0x0 0x54683269 65280 5 0x10000023f (null) AppleT700XTempSensor PMGR SOC Die Temp Sensor2 (null) 1 0x0 0x0 0x49503962 65288 2 0x10000034c (null) AppleD2333PMU PMU ibuck7 (null) 1 0x0 0x0 0x4950686c 65288 2 0x100000321 (null) AppleD2333PMU PMU ldo17 (null) 1 0x0 0x0 0x54503662 65280 5 0x100000333 (null) AppleD2333PMU PMU tdie6 (null) 1 0x0 0x0 0x54633278 65280 5 0x100000238 (null) AppleT700XTempSensor Max: ACC Temp Sensor2 (null) 1 0x0 0x0 0x5650356c 65288 3 0x100000308 (null) AppleD2333PMU PMU ldo5 (null) 1 0x0 0x0 0x49503962 65288 2 0x100000345 (null) AppleD2333PMU PMU ibuck0 (null) 1 0x0 0x0 0x5650656c 65288 3 0x10000031a (null) AppleD2333PMU PMU ldo14 (null) 1 0x0 0x0 0x51513075 65288 2 0x100000357 (null) AppleSN2400Charger Charger ibus_accum (null) 1 0x0 0x0 0x54503564 65280 5 0x10000032c (null) AppleD2333PMU PMU tdev5 (null) 1 0x0 0x0 0x4950316c 65288 2 0x100000301 (null) AppleD2333PMU PMU ldo1 (null) 1 0x0 0x0 0x56503362 65288 3 0x10000033e (null) AppleD2333PMU PMU vbuck3 (null) 1 0x0 0x0 0x6d696332 65280 5 0x1000002ab (null) AppleICA60 (null) (null) 1 0x0 0x0 0x0 65292 1 0x100000509 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x54683161 65280 5 0x100000243 (null) AppleT700XTempSensor Avg: PMGR SOC Die Temp Sensor1 (null) 1 0x0 0x0 0x4950616c 65288 2 0x100000313 (null) AppleD2333PMU PMU ldo10 (null) 1 0x0 0x0 0x56513075 65288 3 0x100000350 (null) AppleSN2400Charger Charger vbus (null) 1 0x0 0x0 0x0 65292 5 0x10000051b SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x49506a6c 65288 2 0x100000325 (null) AppleD2333PMU PMU ldo19 (null) 1 0x0 0x0 0x54506162 65280 5 0x100000337 (null) AppleD2333PMU PMU tdie10 (null) 1 0x0 0x0 0x0 65280 4 0x1000002a4 (null) AppleCT821 (null) (null) 1 0x0 0x0 0x5650376c 65288 3 0x10000030c (null) AppleD2333PMU PMU ldo7 (null) 1 0x0 0x0 0x5453464c 65280 5 0x100000628 (null) AppleVTempDispatcher CGLEDHSSkin (null) 1 0x0 0x0 0x54633169 65280 5 0x10000023c (null) AppleT700XTempSensor ACC Temp Sensor1 (null) 1 0x0 0x0 0x49503962 65288 2 0x100000349 (null) AppleD2333PMU PMU ibuck4 (null) 1 0x0 0x0 0x0 65292 8 0x100000514 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x5650676c 65288 3 0x10000031e (null) AppleD2333PMU PMU ldo16 (null) 1 0x0 0x0 0x5450336c 65280 5 0x100000330 (null) AppleD2333PMU PMU tdie3 (null) 1 0x0 0x0 0x4950336c 65288 2 0x100000305 (null) AppleD2333PMU PMU ldo3 (null) 1 0x0 0x0 0x56503762 65288 3 0x100000342 (null) AppleD2333PMU PMU vbuck7 (null) 1 0x0 0x0 0x54683061 65280 5 0x100000247 (null) AppleT700XTempSensor Avg: PMGR SOC Die Temp Sensor0 (null) 1 0x0 0x0 0x4950636c 65288 2 0x100000317 (null) AppleD2333PMU PMU ldo12 (null) 1 0x0 0x0 0x5451306a 65280 5 0x100000354 (null) AppleSN2400Charger Charger tjunc (null) 1 0x0 0x0 0x54503264 65280 5 0x100000329 (null) AppleD2333PMU PMU tdev2 (null) 1 0x0 0x0 0x56503062 65288 3 0x10000033b (null) AppleD2333PMU PMU vbuck0 (null) 1 0x0 0x0 0x54534248 65280 5 0x10000062c (null) AppleVTempDispatcher BCH7Skin (null) 1 0x0 0x0 0x5650396c 65288 3 0x100000310 (null) AppleD2333PMU PMU ldo9 (null) 1 0x0 0x0 0x54683261 65280 5 0x100000240 (null) AppleT700XTempSensor Avg: PMGR SOC Die Temp Sensor2 (null) 1 0x0 0x0 0x54534261 65280 5 0x10000063e (null) AppleVTempDispatcher Arc (null) 1 0x0 0x0 0x49503962 65288 2 0x10000034d (null) AppleD2333PMU PMU ibuck8 (null) 1 0x0 0x0 0x5650696c 65288 3 0x100000322 (null) AppleD2333PMU PMU ldo18 (null) 1 0x0 0x0 0x0 32 100 0x100000518 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x54633069 65280 5 0x100000239 (null) AppleT700XTempSensor ACC Temp Sensor0 (null) 1 0x0 0x0 0x54503762 65280 5 0x100000334 (null) AppleD2333PMU PMU tdie7 (null) 1 0x0 0x0 0x54534648 65280 5 0x100000625 (null) AppleVTempDispatcher CGH7Skin (null) 1 Devices: VendorID ProductID LocationID UsagePage Usage RegistryID Transport Class Product UserClass Built-In 0x0 0x0 0x0 65280 255 0x1000004e1 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65292 4 0x1000004e6 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x42 65280 32 0x1000004ad Serial AppleHIDTransportHIDDevice (null) (null) (null) 0x0 0x0 0x0 11 1 0x1000004dc SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x54617263 65280 5 0x1000004b1 Serial AppleHIDTransportHIDDevice (null) (null) (null) 0x0 0x0 0x0 65292 5 0x1000004e7 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65280 8 0x1000004e8 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65292 3 0x1000004e2 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65292 1 0x1000004e5 SPU AppleSPUHIDDevice (null) (null) 1 0x5ac 0x8104 0x0 32 49 0x1000004e0 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x47 13 4 0x10000055c SPI AppleHIDTransportHIDDevice (null) (null) (null) 0x5ac 0x8104 0x0 65280 9 0x1000004de SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65292 8 0x1000004e4 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 32 100 0x1000004e9 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 32 138 0x1000004e3 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 32 19 0x1000004db SPU AppleSPUHIDDevice (null) (null) 1 0x5ac 0x8104 0x0 65280 3 0x1000004dd SPU AppleSPUHIDDevice (null) (null) 1 0x5ac 0x8104 0x0 65280 10 0x1000004df SPU AppleSPUHIDDevice (null) (null) 1 freedoms-iPhone:~ root# exit Script done on Sun Jan 5 08:40:24 2020 Figure 2: Outputs of hidutil list on jailbroken iPhone 7 and 8 Plus to verify that number of power senors are less on devices after A11.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . More Thermal Control Related Mechanisms I ▶ There is /usr/libexec/thermalmonitord in iOS 13 (/usr/libexec/mobilewatchdog in iOS 12.x), which collects thermal information and does thermal-throttling when necessary. ▶ The thermalmonitord is mainly written in Objective-C (how to know that? there are Objective-C sections in Mach-O). ▶ Mach-O has been around for more than 30 years.There are many tools we can used to inspect Mach-O files. E.g., if you know binutils, llvm-based binutils. ▶ class-dump, one of the interesting Mach-O tools, could extract Objective-C class related information (including protocols and methods) from Mach-O files and convert those them to Objective-C headers. ▶ class-dump thermalmonitord of iPhone 8 running iOS 13.3 (class-dump thermalmonitord -H -o /tmp/thermal_headers), we can get more than 100 headers.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . More Thermal Control Related Mechanisms II ▶ How about runtime infomation? So far, I think cycript [7] is the most convenient tool if you are willing to learn a new language.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - (unsigned long long)getPotentialForcedThermalLevel:(unsigned long long)arg1; - (_Bool)useTcalAdjust:(int)arg1; - (void)updateTrapTargetFor:(int)arg1:(unsigned int)arg2; - (void)updateThermRelease; - (void)updateSleepTargetFor:(int)arg1:(unsigned int)arg2; - (void)updateMaxLIFor:(int)arg1:(unsigned int)arg2; - (void)updateDecayStatus; - (void)updateHotSpotPIDTargetFor:(int)arg1:(unsigned int)arg2; - (void)updateControlEffortFor:(int)arg1:(unsigned int)arg2; - (void)updateAllThermalLoad; - (void)tryTakeAction; - (int)totalSensors; - (void)probeAllSupervisorControlLoadingIndex; - (_Bool)hasSolarMode; - (unsigned long long)getWatchDogMode; - (_Bool)getNaviStatus; - (unsigned long long)getMaxSensorValue; - (int)getHighestSkinTemp; - (struct iir_filter_t *)getFilterValues; - (void)getAllComponentID:(struct __SCPreferences *)arg1; - (id)findComponent:(int)arg1; - (void)evaluteMitigationMaxLoadingIndex; - (void)enableRadioDataCollection:(_Bool)arg1; - (void)createConnectionToCT:(int)arg1; - (void)clearLoadingIndexOverrides; - (void)clearControlEffortOverrides; - (void)dealloc; - (id)init; AggDThermalMonitor *aggdTM; _Bool thermalTrap; NSMutableArray *listofComponentControl; NSMutableArray *listOfSupervisorControl; int calibrationResistorSensor; int calibrationResistorTempDefault; TableDrivenDecisionTree *decisionTree; int thermalState; float THERMAL_TRAP_LOAD; float THERMAL_TRAP_SLEEP; unsigned long long componentThermalStatusLevel; unsigned long long previousOSThermalNotificationLevel; CommonProduct …. struct __CFRunLoop *localMainRunloop; int productName; struct __CFBundle *bundle; CommonProduct *product; ThermalManager ComponentControl SupervisorControl TableDrivenDecisionTree ThermalStatusLevel TableDrivenDecisionTree TwoHotSpotDecisionTree ThreeHotSpotDecisionTree FourHotSpotDecisionTree FiveHotSpotDecisionTree SixHotSpotDecisionTree + (id)sharedInstance - (void)updateSystemPowerState:(_Bool)arg1; - (void)iterateAndUpdateContexts; - (_Bool)isContextTriggered:(int)arg1; - (int)getContextState:(int)arg1; - (id)createNewContext:(int)arg1; - (void)dealloc; - (id)init; NSObject<OS_dispatch_queue> *catmQueue; NSObject<OS_dispatch_source> *theTimer; struct __CFArray *ctxObjects; ContexAwareThermalManager Figure 3: iOS Thermal Manager
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - (unsigned long long)getPotentialForcedThermalLevel:(unsigned long long)arg1; - (_Bool)useTcalAdjust:(int)arg1; - (void)updateTrapTargetFor:(int)arg1:(unsigned int)arg2; - (void)updateThermRelease; - (void)updateSleepTargetFor:(int)arg1:(unsigned int)arg2; - (void)updateMaxLIFor:(int)arg1:(unsigned int)arg2; - (void)updateDecayStatus; - (void)updateHotSpotPIDTargetFor:(int)arg1:(unsigned int)arg2; - (void)updateControlEffortFor:(int)arg1:(unsigned int)arg2; - (void)updateAllThermalLoad; - (void)tryTakeAction; - (int)totalSensors; - (void)probeAllSupervisorControlLoadingIndex; - (_Bool)hasSolarMode; - (unsigned long long)getWatchDogMode; - (_Bool)getNaviStatus; - (unsigned long long)getMaxSensorValue; - (int)getHighestSkinTemp; - (struct iir_filter_t *)getFilterValues; - (void)getAllComponentID:(struct __SCPreferences *)arg1; - (id)findComponent:(int)arg1; - (void)evaluteMitigationMaxLoadingIndex; - (void)enableRadioDataCollection:(_Bool)arg1; - (void)createConnectionToCT:(int)arg1; - (void)clearLoadingIndexOverrides; - (void)clearControlEffortOverrides; - (void)dealloc; - (id)init; AggDThermalMonitor *aggdTM; _Bool thermalTrap; NSMutableArray *listofComponentControl; NSMutableArray *listOfSupervisorControl; int calibrationResistorSensor; int calibrationResistorTempDefault; TableDrivenDecisionTree *decisionTree; int thermalState; float THERMAL_TRAP_LOAD; float THERMAL_TRAP_SLEEP; unsigned long long componentThermalStatusLevel; unsigned long long previousOSThermalNotificationLevel; CommonProduct …. struct __CFRunLoop *localMainRunloop; int productName; struct __CFBundle *bundle; CommonProduct *product; ThermalManager ComponentControl SupervisorControl TableDrivenDecisionTree ThermalStatusLevel TableDrivenDecisionTree TwoHotSpotDecisionTree ThreeHotSpotDecisionTree FourHotSpotDecisionTree FiveHotSpotDecisionTree SixHotSpotDecisionTree + (id)sharedInstance - (void)updateSystemPowerState:(_Bool)arg1; - (void)iterateAndUpdateContexts; - (_Bool)isContextTriggered:(int)arg1; - (int)getContextState:(int)arg1; - (id)createNewContext:(int)arg1; - (void)dealloc; - (id)init; NSObject<OS_dispatch_queue> *catmQueue; NSObject<OS_dispatch_source> *theTimer; struct __CFArray *ctxObjects; ContexAwareThermalManager - (_Bool)isInternalBuild; - (struct __CFDictionary *)createPowerLogDictionaryForExtraSensors; - (struct __CFDictionary *)createPowerLogDictionaryForExtraInternals; - (struct __CFDictionary *)createPowerLogDictionaryForFixedHeaders; - (struct __CFDictionary *)createPowerLogDictionaryForSensors; - (struct __CFDictionary *)createPowerLogDictionaryForComponentControl; - (struct __CFDictionary *)createPowerLogDictionaryForHotspotControl; - (int)maxControlEffort; - (_Bool)useTcalAdjust:(int)arg1; - (struct __CFString *)getTGraphData:(int)arg1; - (void)initDataCollection; - (void)updateSystemLoad; - (void)updatePrefs:(struct __SCPreferences *)arg1:(_Bool)arg2; - (void)updateDecayStatus; - (void)SaveProductString:(int)arg1; - (void)probeAllSupervisorControlLoadingIndex; - (void)initializeReadPrefs:(struct __SCPreferences *)arg1; - (void)hintComponentControlTakeAction; - (unsigned long long)getWatchDogMode; - (int)getProductTotalSensors; - (struct iir_filter_t *)getProductFilterValues; - (unsigned long long)getMaxSensorValue; - (int)getProductCalibrationSensorID; - (int)getProductCalibrationDefault; - (void *)getConfigurationFor:(struct __CFString *)arg1; - (void)createNewProduct:(struct __CFRunLoop *)arg1; - (void)createConnectionToCT:(int)arg1; - (void)dealloc; - (id)initWithConfig:(struct __CFBundle *)arg1; struct __CFRunLoop *localMainRunloop; int productName; struct __CFBundle *bundle; CommonProduct *product; ThermalManager …. CommonProduct *productObj; NSMutableArray *listofComponentControl; NSMutableArray *listOfSupervisorControl; struct __CFArray *extraSensorDataSources; struct __CFArray *extraInternalDataSources; struct __CFString *tGraphDataString; _Bool isInternal; TGraphSampler - (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1; - (struct __CFString *)copyHeaderForIndex:(int)arg1; - (int)numberOfFields; - (void)updateSystemPowerState:(_Bool)arg1; - (_Bool)synchContext; - (void)updateContextActiveState; - (_Bool)isContextTriggered; - (int)getContextState; - (void)initAudioHandling; - (void)initBacklightHandling; - (void)initPowerHandling; - (void)dealloc; - (id)init; _Bool contextIsActive; _Bool connectedExternally; _Bool backlightIsOn; _Bool audioIsOn; _Bool powerIsOn; int mitigationControllerListID; int _displayToken; int _audioRunningToken; unsigned int pmuPowerService; unsigned int _notification; unsigned int _ioIterator; struct IONotificationPort *notificationPort; NSObject<OS_dispatch_queue> *_inPocketQueue; ContextInPocket - (id)initProduct:(id)arg1; …. BaseCCList - (_Bool)getNaviStatus; - (id)initProduct:(id)arg1; Navigation *navi; BaseCCDisplayAndPower - (unsigned long long)getPotentialForcedThermalLevel:(unsigned long long)arg1; - (_Bool)useTcalAdjust:(int)arg1; - (void)updateDecayStatus; - (void)updateAllThermalLoad; - (int)totalSensors; - (void)createConnectionToCT:(int)arg1; - (void)dealloc; - (id)initProduct:(id)arg1; RadioPassthroughCC *radioCC; CameraTS *camSensor; DieControlLoop *dieControlLoop; unsigned char dieControlLoopMaxLoadIndexTableCPU[256]; unsigned char dieControlLoopMaxLoadIndexTableGPU[256]; tm60ebe335d9a55c5e521f51bf0dadbce6 Figure 4: iOS Thermal Manager and others
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - (_Bool)isEqualMType:(int)arg1; - (void)calculateControlEffort:(float)arg1; - (void)dealloc; - (id)initPIDWith:(struct __CFDictionary *)arg1; _Bool allowCEOverride; float kp; float ki; float ts; float integrator; float integratorMin; float integratorMax; float TARGET; int mitigationType; struct __CFString *nameofComponent; int boundCheckLow; int boundCheckHigh; int controlEffort; PidComponent - (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1; - (struct __CFString *)copyHeaderForIndex:(int)arg1; - (int)numberOfFields; - (void)testLoadingIndexLevel; - (void)refreshCurrentLoadingIndex; - (_Bool)isEqualMType:(int)arg1; - (void)filteredMaxLoadingIndex; - (void)defaultAction; - (void)dealloc; - (id)initWithCC:(const char *)arg1:(const char *)arg2:(int)arg3:(struct __CFDictionary *)arg4; _Bool allowLIOverride; _Bool thermRelease; double lastTime; NSObject<OS_dispatch_queue> *myCustomQueue; unsigned int currentLoadingIndex; unsigned int maxLoadingIndex; unsigned int previousValue; unsigned int releaseMaxLI; unsigned int releaseRate; NSObject<OS_dispatch_source> *theTimer; int loopTimer; CompoentControl - (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1; - (struct __CFString *)copyHeaderForIndex:(int)arg1; - (int)numberOfFields; - (void)refreshCurrentLoadingIndex; - (void)defaultAction; - (void)calculateMitigation; - (id)initWithSOC:(const char *)arg1:(int)arg2:(struct __CFDictionary *)arg3:(int)arg4:(int)arg5; int listIDPos; unsigned int gpuPowerTarget; int dutyCyclingCrossOverThreshold; float timeActive; SocCC - (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1; - (struct __CFString *)copyHeaderForIndex:(int)arg1; - (int)numberOfFields; - (_Bool)usesPID; - (void)refreshCurrentLoadingIndex; - (void)refreshCurrentLoadingIndexUsingPID; - (unsigned int)getUserUsage; - (void)defaultAction; - (id)initWithCPU:(const char *)arg1:(int)arg2:(struct __CFDictionary *)arg3:(float)arg4:(int)arg5; int listIDPos; unsigned int host; struct host_cpu_load_info currCpu; struct host_cpu_load_info prevCpu; float powerScale; float timeActive; unsigned int kDVD1Level; _Bool _useDirectMap; unsigned int _minReachableLoadIndex; float _directMapSlope; float _directMapIntercept; CpuCC - (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1; - (struct __CFString *)copyHeaderForIndex:(int)arg1; - (int)numberOfFields; - (void)startLoop; - (void)startLoopIfNeeded; - (void)controlDie; - (void)updateComponentsForMaxCPULoadIndex:(int)arg1 andMaxGPULoadIndex:(int)arg2; - (void)dealloc; - (id)initWithRunLoop:(struct __CFRunLoop *)arg1 maxLoadTableCPU:(char *)arg2 maxLoadTableGPU:(char *)arg3 sgxCrossover:(int)arg4 andPIDList:(struct __CFDictionary *)arg5; - (void)initSensorContext:(CDStruct_beb0aeb4 *)arg1 forService:(const char *)arg2 key:(struct __CFString *)arg3 value:(struct __CFString *)arg4; CDStruct_beb0aeb4 dieTempSensorContext[4]; int listIDPos; float PANIC_LEVEL; float RELEASE_TEMP; NSObject<OS_dispatch_source> *theTimer; unsigned int note; unsigned int sochotPMGR; unsigned int sochotCCC; struct IONotificationPort *notificationPort; char *maxLoadIndexTableCPU; char *maxLoadIndexTableGPU; NSObject<OS_dispatch_queue> *dieControlQueue; _Bool dieControlLoopIsRunning; DieControlLoop SupervisorControl CommonProduct *cProduct; float hotspotTemperature; float THERMAL_TRAP_LOAD; float THERMAL_TRAP_SLEEP; float releaseHysteresis; int tState; struct ForcedThermalLevelStruct forcedThermalLevel[2]; _Bool isEngagedWithHysteresis; - (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1; - (struct __CFString *)copyHeaderForIndex:(int)arg1; - (int)numberOfFields; - (_Bool)shouldForceThermalLevelForThreshold:(int)arg1; - (_Bool)hotspotIsEngaged; - (int)getThermalStateofHotspot; - (float)calculateTargetDifference; - (void)calculateControlEffort:(float)arg1; - (void)dealloc; - (id)initWithSC:(const char *)arg1:(int)arg2:(id)arg3:(struct __CFDictionary *)arg4; - (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1; - (struct __CFString *)copyHeaderForIndex:(int)arg1; - (int)numberOfFields; - (_Bool)usesPID; - (void)refreshCurrentLoadingIndex; - (void)refreshCurrentLoadingIndexUsingPID; - (unsigned int)getUserUsage; - (void)defaultAction; - (id)initWithCPU:(const char *)arg1:(int)arg2:(struct __CFDictionary *)arg3:(float)arg4:(int)arg5; int listIDPos; unsigned int host; struct host_cpu_load_info currCpu; struct host_cpu_load_info prevCpu; float powerScale; float timeActive; unsigned int kDVD1Level; _Bool _useDirectMap; unsigned int _minReachableLoadIndex; float _directMapSlope; float _directMapIntercept; BackligtCC Figure 5: Example iOS Thermal Control Loops
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Yes, PID control is used Figure 6: PID figure from Wikipedia, https://en.wikipedia.org/wiki/PID_controller
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . peeking running systems with cycript I ▶ attaching cycript to a running system process is a bit more complicated after iOS 12. We could start from a wrapper called cycrun, https://www.reddit.com/r/ jailbreakdevelopers/comments/b1r5kq/question_is_ cycript_coming_to_ios_12_unc0ver_jb/ ▶ with cyrun+cycript, ▶ cyrun -x thermalmonitord -e ▶ then where to start, singleton ones are less intrusive and easier ▶ as you see, we can get productObj ▶ as you can see, the thermalmonitord uses HID sensors.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . peeking running systems with cycript II Listing 2: Cyrun ~ root # cyrun −x thermalmonitord −e applicationName : thermalmonitord i s running (64) executableName : thermalmonitord b u n d l e I d e n t i f i e r : Cycript i s active : thermalmonitord Device i s passcode locked Tweak Mode Success , Cycript was already active f o r the Process . You may now run c y c r i p t −r 127.0.0.1:8556 cy# tgs = [ TGraphSampler sharedInstance ] #”<TGraphSampler : 0x104f04330 >” cy# tgs−>productObj #”<tm0148f449e0ff00c77f11492610c521ce : 0x104f04090 >” cy# tgs−> __defineGetter__ extratGraphDataSources __defineSetter__ gotDataToLogToLiteMode __lookupGetter__ hasOwnProperty __lookupSetter__ i s I n t e r n a l __proto__ isPrototypeOf _appleCareState isa _appleCareStateLastLogged lastLogTimestamp _powerlogQueue listOfSupervisorControl _powerlogSubkeyController_Components listofComponentControl _powerlogSubkeyController_HiP previousThermalSensorValues _powerlogSubkeyController_Hotspots productObj _powerlogSubkeyController_LiteMode propertyIsEnumerable _powerlogSubkeyController_MiscExternalState tGraphDataString _powerlogSubkeyController_MiscInternalState toLocaleString _powerlogSubkeyController_Sensors t o S t r i n g _powerlogSubkeyController_Sensors_Components valueOf constructor
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . peeking running systems with cycript III Listing 3: Cycript HidSensos cy# hs = [ HidSensors sharedInstance ] #”<HidSensors : 0x10582bac0 >” cy# new Instance ( hs−>_tempSensors ) [ 0 ] #”+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++n RegistryID : 0x0000000100000277 n B u i l t I n : 1n Product : Avg : PMGR SOC Die Temp Sensor0 n LocationID : 1416114273n VendorID : 0n ProductID : 0n CountryCode : 0n PrimaryUsagePage : 65280n PrimaryUsage : 5n DeviceUsagePairs : n DeviceUsagePage : 65280n DeviceUsage : 5n +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++n ” cy#
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other tools I ▶ binutils and other hacking tools, such as lsof ▶ lldb/gdb on devices: Apple used to ship “fat” gdb and lldb, but not anymore(?). LLDB allows using Objective-C style syntax (most iOS programmers before Swift was introduced know Objective-C). ▶ remote debbuging: either cross building or native building of lldb could be an ostacle, if you are not afraind of using remote debugging, they (debuggserver and lldb) are open source too. Example usage (my iMAC: 192.168.1.80, the iPhone: 192.168.1.115) 1. install debuggerserver on your iDevice. Then, run debugserver 192.168.1.80:5555 --attach=thermalmonitord to wait for connection from 192.168.1.80 to port 5555 of this devices.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other tools II 2. on you host, launch lldb, then use platform select remote-ios and process connect connect://192.168.1.115:5555 to connect to the debugserver on the remote device. You should see something like Listing 4 3. we can examine TGraphSampler as in Listing 5 4. and HidSenors as in Listing 6 ▶ NOTE: DON’T interrupt the thermalmonitord too long, otherwise the device will reboot. Listing 4: connect to debugserver from lldb ( l l d b ) platform select remote−ios Platform : remote−ios Connected : no SDK Path : ” / Users / freedom / Library / Developer / Xcode / iOS DeviceSupport /13.3 (17C54 ) ” SDK Roots : [ 0] ” / Users / freedom / Library / Developer / Xcode / iOS DeviceSupport /13.3 (17C54 ) ” ( l l d b ) process connect connect ://192.168.1.115:5555 Process 64 stopped * thread #1 , queue = ’com. apple . main−thread ’ , stop reason = signal SIGSTOP frame #0: 0x0000000184864634 libsystem_kernel . dylib ‘ mach_msg_trap + 8 libsystem_kernel . dylib ‘ mach_msg_trap : −> 0x184864634 <+8>: r e t
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other tools III libsystem_kernel . dylib ‘ mach_msg_overwrite_trap : 0x184864638 <+0>: mov x16 , #−0x20 0x18486463c <+4>: svc #0x80 0x184864640 <+8>: r e t Target 0: ( thermalmonitord ) stopped . Listing 5: TGraphSampler ( l l d b ) expr TGraphSampler * $tgs = [ TGraphSampler sharedInstance ] ( l l d b ) p * $tgs ( TGraphSampler ) $0 = { NSObject = { isa = TGraphSampler } productObj = 0x0000000103e03f80 listofComponentControl = 0x0000000103e041a0 @”9 elements ” listOfSupervisorC ontrol = 0x0000000103e041d0 @”12 elements ” extratGraphDataSources = 0x0000000103e04520 tGraphDataString = 0x0000000000000000 i s I n t e r n a l = fa ls e gotDataToLogToLiteMode = fa ls e lastLogTimestamp = 38967673125 previousThermalSensorValues = { [ 0 ] = 0 [ 1 ] = 0 [ 2 ] = 0 [ 3 ] = 0 [ 4 ] = 0 [ 5 ] = 0 [ 6 ] = 0
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other tools IV [ 7 ] = 0 [ 8 ] = 0 [ 9 ] = 0 [10] = 0 [11] = 0 [12] = 0 [13] = 0 [14] = 0 [15] = 0 [16] = 0 [17] = 0 [18] = 0 [19] = 0 [20] = 0 [21] = 0 [22] = 0 [23] = 0 [24] = 0 [25] = 0 [26] = 0 [27] = 0 [28] = 0 [29] = 0 [30] = 0 [31] = 0 [32] = 0 [33] = 0 [34] = 0 [35] = 0 [36] = 0 [37] = 0 [38] = 0
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other tools V [39] = 0 [40] = 0 [41] = 0 [42] = 0 [43] = 0 [44] = 0 [45] = 0 [46] = 0 [47] = 0 [48] = 0 [49] = 0 [50] = 0 [51] = 0 [52] = 0 [53] = 0 [54] = 0 [55] = 0 [56] = 0 [57] = 0 [58] = 0 [59] = 0 [60] = 0 [61] = 0 [62] = 0 [63] = 0 } _powerlogQueue = 0x0000000103e04850 _powerlogSubkeyController_Hotspots = 0x0000000103e04610 _powerlogSubkeyController_Components = 0x0000000103e04690 _powerlogSubkeyController_Sensors = 0x0000000103e046d0 _powerlogSubkeyController_MiscInternalState = 0x0000000103e04710 _powerlogSubkeyController_MiscExternalState = 0x0000000103e04750
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other tools VI _powerlogSubkeyController_LiteMode = 0x0000000103e04790 _powerlogSubkeyController_HiP = 0x0000000103e047d0 _powerlogSubkeyController_Sensors_Components = 0x0000000103e04810 _appleCareState = 0x0000000103e048d0 @”5 elements ” _appleCareStateLastLogged = 0x0000000103e04af0 @”5 elements ” } ( l l d b ) po $tgs−>productObj <tm0148f449e0ff00c77f11492610c521ce : 0x103e03f80> Listing 6: ”HidSensors” ( l l d b ) expr HidSensors * $hs = [ HidSensors sharedInstance ] ( l l d b ) p * $hs ( HidSensors ) $1 = { NSObject = { isa = HidSensors } _hidEventSystem = 0x0000000103d0f9c0 _infoOnlyHIDSensors = 0x0000000103f2d400 _callbackSensorIntervals = 0x0000000103f2cc10 _readFailuresExpected = 0x0000000000000000 _powerSensors = 0x0000000000000000 hidSensorKeys = 0x0000000103e037a0 sensorFourCharCode = 0x0000000103e03db0 synthSensorKeys = 0x0000000103e03de0 _callbackTemperatures = 0x0000000103f31630 _potentiallyStaleSensorTimestamps = 0x0000000103e03e10 _potentiallyStaleSensorDefaults = 0x0000000103f2c840 _callbackTemperaturesQueue = 0x0000000103f2d570 sensorWatchdogMask = 1236950581247
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other tools VII _infoOnlySensorsActive = fa lse _dispatchVirtualTemp = true _send2DTempGrid = fa ls e _tempSensors = 0x0000000105015fc0 _count = 36 _shadowSensorCount = 8 _sensorDict = 0x0000000103f30e80 _serviceToName = 0x0000000103f31670 } ( l l d b ) po $hs−>_tempSensors <__NSArrayI 0x105015fc0 >( +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ RegistryID : 0x0000000100000270 B u i l t I n : 1 Product : Max: PMGR SOC Die Temp Sensor3 LocationID : 1416115064 VendorID : 0 ProductID : 0 CountryCode : 0 PrimaryUsagePage : 65280 PrimaryUsage : 5 DeviceUsagePairs : DeviceUsagePage : 65280 DeviceUsage : 5 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ , . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . concluding remarks ▶ iOS uses many open source components and you can use open source tools to explore iDevices. ▶ how about Android devices: as far as I can tell, most Android devices the “standard” Linux thermal framework.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References I [1] Checkm8. https://github.com/axi0mX/ipwndfu/. Accessed: 2019-12-20. [2] checkra1n. https://checkra.in/. Accessed: 2019-12-20. [3] Apple. Driver kit. https://developer.apple.com/documentation/driverkit/. Accessed: 2019-12-20. [4] Apple. Iokit family. https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/ IOKitFundamentals/Families_Ref/Families_Ref.html. Accessed: 2019-12-20. [5] Apple. Iokit fundamentals. https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/ IOKitFundamentals/. Accessed: 2019-12-20. [6] Esmaeilzadeh, H., Blem, E., St. Amant, R., Sankaralingam, K., and Burger, D. Dark silicon and the end of multicore scaling. In Proceedings of the 38th Annual International Symposium on Computer Architecture (New York, NY, USA, 2011), ISCA ’11, ACM, pp. 365–376. [7] Freeman, J. cycript. http://www.cycript.org. Accessed: 2019-12-20.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References II [8] NeXT. Driver kit. http://www.nextcomputers.org/NeXTfiles/Docs/Developer/DriverKit/DriverKit.pdf. Accessed: 2019-12-20. [9] Singh, A. Mac OS X Internals. Addison-Wesley Professional, 2006. [10] Tân, K.-S. https://github.com/freedomtan/sensors/. Accessed: 2019-12-20.

More Related Content

PDF
Présentation Modul\'Data Center
byncambazard
 
PDF
Mise en place d’un système de détection
byManassé Achim kpaya
 
PDF
Alphorm.com Formation CEHV9 I
byAlphorm
 
PDF
Application Spring MVC/IOC & Hibernate
byInes Ouaz
 
PDF
Cumulus networks conversion guide
byScott Suehle
 
PDF
Exercices shell
byulratique
 
PDF
31886426 simulation-des-correcteurs-pid
byMayssa Rjaibia
 
PDF
Logique floue - Implication de Mamdani
byYassine Zahraoui
 
Présentation Modul\'Data Center
byncambazard
 
Mise en place d’un système de détection
byManassé Achim kpaya
 
Alphorm.com Formation CEHV9 I
byAlphorm
 
Application Spring MVC/IOC & Hibernate
byInes Ouaz
 
Cumulus networks conversion guide
byScott Suehle
 
Exercices shell
byulratique
 
31886426 simulation-des-correcteurs-pid
byMayssa Rjaibia
 
Logique floue - Implication de Mamdani
byYassine Zahraoui
 

What's hot

PPTX
Presentation kernel - Kernel Linux - Configuration – Compilation & installation
byAyoub R.
 
PDF
Alphorm.com support de la formation Git avancé
byAlphorm
 
PDF
Alphorm.com Formation Wireshark : L'essentiel
byAlphorm
 
PDF
Interface fonctionnelle, Lambda expression, méthode par défaut, référence de...
byMICHRAFY MUSTAFA
 
PDF
Projet ROBOT MOBILE SUIVEUR DE LIGNE BASE SUR LE TRAITEMENT D'IMAGE
byHASSOU mohamed
 
PPTX
L’algorithme 1.pptx
byOkanimegamers
 
PPTX
Unix shell scripting basics
byManav Prasad
 
PDF
éTude et mise_en_place_d_une_solution_voip_sécurisée
byahmedElkha
 
PDF
Alphorm.com Formation Hacking et Sécurité , avancé
byAlphorm
 
PDF
Alphorm.com Formation Hacking et Sécurité, l'essentiel
byAlphorm
 
PPSX
Formation JAVA/J2EE
byInes Ouaz
 
PDF
Tp2 - Latex
byLilia Sfaxi
 
PDF
Alphorm.com : Formation Active directory 2008 R2 (70-640)
byAlphorm
 
PDF
Mémoire - L'automatisation des tests fonctionnels - Emeline Simon
byEmeline Simon
 
DOC
La sécurité des systèmes d’information
bylara houda
 
Presentation kernel - Kernel Linux - Configuration – Compilation & installation
byAyoub R.
 
Alphorm.com support de la formation Git avancé
byAlphorm
 
Alphorm.com Formation Wireshark : L'essentiel
byAlphorm
 
Interface fonctionnelle, Lambda expression, méthode par défaut, référence de...
byMICHRAFY MUSTAFA
 
Projet ROBOT MOBILE SUIVEUR DE LIGNE BASE SUR LE TRAITEMENT D'IMAGE
byHASSOU mohamed
 
L’algorithme 1.pptx
byOkanimegamers
 
Unix shell scripting basics
byManav Prasad
 
éTude et mise_en_place_d_une_solution_voip_sécurisée
byahmedElkha
 
Alphorm.com Formation Hacking et Sécurité , avancé
byAlphorm
 
Alphorm.com Formation Hacking et Sécurité, l'essentiel
byAlphorm
 
Formation JAVA/J2EE
byInes Ouaz
 
Tp2 - Latex
byLilia Sfaxi
 
Alphorm.com : Formation Active directory 2008 R2 (70-640)
byAlphorm
 
Mémoire - L'automatisation des tests fonctionnels - Emeline Simon
byEmeline Simon
 
La sécurité des systèmes d’information
bylara houda
 

Similar to Exploring Thermal Related Stuff in iDevices using Open-Source Tool

PDF
Exploring Your Apple M1 devices with Open Source Tools
byKoan-Sin Tan
 
PDF
Find your own iOS kernel bug
byGustavo Martinez
 
PDF
Why You Cannot Use Neural Engine to Run Your NN Models on A11 Devices?
byKoan-Sin Tan
 
PDF
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...
byHackito Ergo Sum
 
DOCX
Panic report 121112
bywangxueGT
 
PDF
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
byLiang Chen
 
PDF
Iot for smart agriculture
byAtit Patumvan
 
PDF
David Thiel - Secure Development On iOS
bySource Conference
 
PDF
BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
byStefan Esser
 
PPTX
AN IOT BASED AIR POLLUTION MONITORING SYSTEM pptx (1).pptx
by20Q95A0402AVULAKALYA
 
PDF
iPhone App Development
byManekTech
 
PDF
Swift Development
byManekTech
 
PDF
Mobile app development
byManekTech
 
PDF
Control all the Things with Node-JS
byDavid Janes
 
PDF
README
byMike Zhao
 
PPTX
Distance Machine Locker
byyeokm1
 
PDF
Intel Lightning Talk
byEd Donahue
 
PPTX
JS gesture sensor driver
byTechnicalMachine
 
PDF
Arduino: Proyectos prácticos Arduino cool para hardware de codigo abierto par...
bySANTIAGO PABLO ALBERTO
 
PDF
CNIT 128: 3. Attacking iOS Applications (Part 2)
bySam Bowne
 
Exploring Your Apple M1 devices with Open Source Tools
byKoan-Sin Tan
 
Find your own iOS kernel bug
byGustavo Martinez
 
Why You Cannot Use Neural Engine to Run Your NN Models on A11 Devices?
byKoan-Sin Tan
 
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...
byHackito Ergo Sum
 
Panic report 121112
bywangxueGT
 
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
byLiang Chen
 
Iot for smart agriculture
byAtit Patumvan
 
David Thiel - Secure Development On iOS
bySource Conference
 
BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
byStefan Esser
 
AN IOT BASED AIR POLLUTION MONITORING SYSTEM pptx (1).pptx
by20Q95A0402AVULAKALYA
 
iPhone App Development
byManekTech
 
Swift Development
byManekTech
 
Mobile app development
byManekTech
 
Control all the Things with Node-JS
byDavid Janes
 
README
byMike Zhao
 
Distance Machine Locker
byyeokm1
 
Intel Lightning Talk
byEd Donahue
 
JS gesture sensor driver
byTechnicalMachine
 
Arduino: Proyectos prácticos Arduino cool para hardware de codigo abierto par...
bySANTIAGO PABLO ALBERTO
 
CNIT 128: 3. Attacking iOS Applications (Part 2)
bySam Bowne
 

More from Koan-Sin Tan

PDF
Understanding Android Benchmarks
byKoan-Sin Tan
 
PDF
running stable diffusion on android
byKoan-Sin Tan
 
PDF
Introduction to TensorFlow Lite
byKoan-Sin Tan
 
PDF
A Peek into Google's Edge TPU
byKoan-Sin Tan
 
PDF
Running TFLite on Your Mobile Devices, 2020
byKoan-Sin Tan
 
PDF
TFLite NNAPI and GPU Delegates
byKoan-Sin Tan
 
PDF
Dark Silicon, Mobile Devices, and Possible Open-Source Solutions
byKoan-Sin Tan
 
PDF
A Peek into TFRT
byKoan-Sin Tan
 
PDF
SoC Idling for unconf COSCUP 2016
byKoan-Sin Tan
 
PDF
Learning Swift: A Stupid Way -- How to use Swift API in private frameworks
byKoan-Sin Tan
 
PDF
Tensorflow on Android
byKoan-Sin Tan
 
PDF
A Sneak Peek of MLIR in TensorFlow
byKoan-Sin Tan
 
PDF
Android Wear and the Future of Smartwatch
byKoan-Sin Tan
 
PDF
A peek into Python's Metaclass and Bytecode from a Smalltalk User
byKoan-Sin Tan
 
PDF
Smalltalk and ruby - 2012-12-08
byKoan-Sin Tan
 
PDF
Caffe2 on Android
byKoan-Sin Tan
 
PDF
open source nn frameworks on cellphones
byKoan-Sin Tan
 
Understanding Android Benchmarks
byKoan-Sin Tan
 
running stable diffusion on android
byKoan-Sin Tan
 
Introduction to TensorFlow Lite
byKoan-Sin Tan
 
A Peek into Google's Edge TPU
byKoan-Sin Tan
 
Running TFLite on Your Mobile Devices, 2020
byKoan-Sin Tan
 
TFLite NNAPI and GPU Delegates
byKoan-Sin Tan
 
Dark Silicon, Mobile Devices, and Possible Open-Source Solutions
byKoan-Sin Tan
 
A Peek into TFRT
byKoan-Sin Tan
 
SoC Idling for unconf COSCUP 2016
byKoan-Sin Tan
 
Learning Swift: A Stupid Way -- How to use Swift API in private frameworks
byKoan-Sin Tan
 
Tensorflow on Android
byKoan-Sin Tan
 
A Sneak Peek of MLIR in TensorFlow
byKoan-Sin Tan
 
Android Wear and the Future of Smartwatch
byKoan-Sin Tan
 
A peek into Python's Metaclass and Bytecode from a Smalltalk User
byKoan-Sin Tan
 
Smalltalk and ruby - 2012-12-08
byKoan-Sin Tan
 
Caffe2 on Android
byKoan-Sin Tan
 
open source nn frameworks on cellphones
byKoan-Sin Tan
 

Recently uploaded

PDF
Log-based anomaly detection using BiLSTM-Autoencoder
byMohammed BEKKOUCHE
 
PPTX
UiPath Automation Suite_Community Session_3/3
bysuhanisingh58689
 
PDF
GDG Cloud Southlake #47: Bala Desikan: Build Autonomous Agentic AI Apps on GCP
byJames Anderson
 
PDF
Immer vorne mit dabei sein - Roaming leicht gemacht
bypanagenda
 
PDF
Devfest Harare 2025 Slides [GDG Harare] - Combined Slide Deck
byGoogle Developer Group - Harare
 
PDF
ODSC West 2025 OpenMetadata Workshop.pdf
byOpenMetadata
 
PDF
Fighting CVEs in Embedded Linux with the Yocto Project and OTA Updates
byLeon Anavi
 
PDF
Spec Driven Development with Kiro: Ensuring Quality and Traceability in the A...
byHaim Michael
 
PPTX
Building Smarter Integrations with MuleSoft_ MCP Server and Cursor in Action ...
byKunal Gupta
 
PPTX
2025 - AI terms & Meanings for Marketers
byashishav29
 
PPTX
Softaken SQLite DB Converter for Seamless SQLite Database file Conversion on ...
byDemetrio Parrilla
 
PDF
FME Realize in the Real World - The Power of Spatial Computing in Action
bySafe Software
 
PDF
API Days Australia - API Management in the AI Era
byNilesh Gule
 
PDF
UiPath Community Day UNI - Nuevos productos de UiPath.pdf
byfelixluen
 
PPTX
RAPTOR_Intro_Exercises_Presentation.pptx
bySwatiMalik36
 
PDF
How does a computer vision development company help retailers decode consumer...
byNextbrain Technologies
 
PDF
The Future-Ready PMO: Unlocking Project Success with Copilot and AI Innovatio...
byWellingtone
 
PDF
G.O.RT.No. 1173_LRS Extension of time limit
byRAGHU RAM
 
PDF
NPTEL Assignment Completed PDF FILE with ans
byadultme43
 
PDF
Embedding sustainability: Tips for ebook and print production - Tech Forum 2025
byBookNet Canada
 
Log-based anomaly detection using BiLSTM-Autoencoder
byMohammed BEKKOUCHE
 
UiPath Automation Suite_Community Session_3/3
bysuhanisingh58689
 
GDG Cloud Southlake #47: Bala Desikan: Build Autonomous Agentic AI Apps on GCP
byJames Anderson
 
Immer vorne mit dabei sein - Roaming leicht gemacht
bypanagenda
 
Devfest Harare 2025 Slides [GDG Harare] - Combined Slide Deck
byGoogle Developer Group - Harare
 
ODSC West 2025 OpenMetadata Workshop.pdf
byOpenMetadata
 
Fighting CVEs in Embedded Linux with the Yocto Project and OTA Updates
byLeon Anavi
 
Spec Driven Development with Kiro: Ensuring Quality and Traceability in the A...
byHaim Michael
 
Building Smarter Integrations with MuleSoft_ MCP Server and Cursor in Action ...
byKunal Gupta
 
2025 - AI terms & Meanings for Marketers
byashishav29
 
Softaken SQLite DB Converter for Seamless SQLite Database file Conversion on ...
byDemetrio Parrilla
 
FME Realize in the Real World - The Power of Spatial Computing in Action
bySafe Software
 
API Days Australia - API Management in the AI Era
byNilesh Gule
 
UiPath Community Day UNI - Nuevos productos de UiPath.pdf
byfelixluen
 
RAPTOR_Intro_Exercises_Presentation.pptx
bySwatiMalik36
 
How does a computer vision development company help retailers decode consumer...
byNextbrain Technologies
 
The Future-Ready PMO: Unlocking Project Success with Copilot and AI Innovatio...
byWellingtone
 
G.O.RT.No. 1173_LRS Extension of time limit
byRAGHU RAM
 
NPTEL Assignment Completed PDF FILE with ans
byadultme43
 
Embedding sustainability: Tips for ebook and print production - Tech Forum 2025
byBookNet Canada
 

Exploring Thermal Related Stuff in iDevices using Open-Source Tool

  • 1.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Exploring Thermal RelatedStuff in iDevices using Open-Source Tools 用 Iōng open-source 工具 kang-kū 來 lâi 探看 thàm-khàn 走 tsáu iOS ê 物仔 mih-â 內底 lāi-té 佮 kah 溫度 un-tōo相關 siong-kuan ê software 佮 kah hardware Tân Koan-Sîn freedom@computer.org COSCUP 2019 Lâi Tâi Káng December 21, 2019 Updated January 5, 2020
  • 2.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Table of contentsI Introduction A Peek into Thermal Sensors More Thermal Control Related Mechanisms Other Tools
  • 3.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Who am I? ▶“ 我是 Guá-sī 一个 tsi ̍t-ê 寫 siá code 个 ê 人 lâng, 我个苦 guá-ê-khóo 攏 lóng 寫佇 siá-tī 面頂 bīn-tíng” – Somebody I Don’t Know His Name, COSCUP 2017 ▶ Learnt to use open source on a VAX-11/780 running 4.3BSD, before the term “open source” was coined ▶ Learnt a bit Pe̍h-ōe-jī about the same time ▶ feel free to interrupt me anytime
  • 4.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Why this topic? ▶This is the era of so-called “dark silicon” [6]. ▶ Thermal control is an important but seldom-talked topic. I could not find public information on how iOS does it. ▶ Recent checkm8 [1] and follow-on checkra1n [2] enable jailbreaking of iPhone 5s –iPhone X, iOS 12.3 and up.
  • 5.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iPhone 6 ThermalSensors I ▶ There are 32 thermal sensors (and 21 current and voltage sensors) on iPhone 6! ▶ Above information are from my little program on github [10].
  • 6.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iPhone 6 ThermalSensors II ▶ No jailbreak required, but “undocumented” API is used. So don’t submit it to App Store (mostly it will be rejected).
  • 7.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . some numbers ofsensors Model thermal current voltage iPhone 6 32 21 29 iPhone 6s 48 27 23 iPhone 7 47 32 35 iPhone 8 plus 68 3 7 iPhone Xs Max 67 4 8 iPhone 11 Pro 76 2 6 Table 1: Some numbers of sensors I collected
  • 8.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . How Does theApp Work? ▶ IOKit: public and documented on macOS, but not on iOS. ▶ IOKit: Apple “hidclass” ▶ Code: ▶ Objective-C: Get sensor information using the IOKit framework ▶ Swift: wrapper. ’Cause I wanna learn a bit Swift.
  • 9.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IOKit ▶ derived fromNeXTSTEP’s DriverKit, which uses Objective-C [8]. As you might know, in WWDC 2019, the name DriverKit is back in macOS [3]. ▶ macOS/iOS device driver development framework: For kernel model divers and user model access [5] Figure 1: Figure from [9]
  • 10.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IOKit HIDClass I ▶IOKit/IOKit Family/HID class [4]: Originally it’s for USB, but it’s far beyond that now. So there is Usage Page. ▶ a command line tool that can be used to enumrate IOKit devices is ioreg(8) ▶ you can see in Listing 1, there are "PrimaryUsage" = 5, "PrimaryUsagePage" = 65280, and "DeviceUsagePairs" = ("DeviceUsagePage"=65280,"DeviceUsage"=5) Listing 1: Example TemperatureSensor in ioreg output . . . +−o AppleEmbeddedNVMeTemperatureSensor <class AppleEmbeddedNVMeTemperatureSensor , id 0x1000003f8 , registered , matched , active , busy 0 (1 ms) , r e t a i n 8> | | | | | { | | | | | ” IOCFPlugInTypes ” = {”7DDEECA8−A7B4−11DA−8A0E−0014519758EF”=” IOHIDFamily . kext / PlugIns / IOHIDLib . plugin ” , ” FA12FA38−6F1A−11D4−BA0C−0005028F18D5”=” IOHIDFamily . kext / PlugIns / IOHIDLib . plugin ” } | | | | | ” VendorID ” = 0 | | | | | ” CountryCode ” = 0 | | | | | ” IOUserClientClass ” = ” IOHIDEventServiceUserClient ” | | | | | ” Product ” = ”NAND CH0 temp ” | | | | | ” VersionNumber ” = 0 | | | | | ” IOGeneralInterest ” = ”IOCommand i s not s e r i a l i z a b l e ” | | | | | ” PrimaryUsage ” = 5 | | | | | ” LocationID ” = 1414410350 | | | | | ” HIDEventServiceProperties ” = { ” DeviceOpenedByEventSystem”=Yes , ” PreserveTimestamp ”=Yes , ” BatchInterval ”=1 ,” LogLevel ”=6} | | | | | ” ProductID ” = 0 | | | | | ” DeviceUsagePairs ” = ( { ” DeviceUsagePage”=65280 ,” DeviceUsage ”=5}) | | | | | ” B u i l t −In ” = Yes | | | | | ” ReportInterval ” = 0 | | | | | ” HIDServiceSupport ” = Yes | | | | | ” PrimaryUsagePage ” = 65280 | | | | | ” VendorIDSource ” = 0 | | | | | ” QueueSize ” = 0 | | | | | } . . .
  • 11.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Build the App ▶if you git clone the source code and try to build it, you will get error message saying IOKit related header can’t be found (of course, you know you have to change signing stuff) ▶ you have to borrow them from macOS SDK, 1. pushd . 2. cd /Applications/Xcode.app/Contents/Developer/ Platforms/iPhoneOS.platform/Developer/SDKs/ iPhoneOS.sdk/System/Library/Frameworks/IOKit. framework/ 3. sudo ln -s /Applications/Xcode.app/Contents/ Developer/Platforms/MacOSX.platform/Developer/ SDKs/MacOSX.sdk/System/Library/Frameworks/IOKit. framework/Headers . 4. popd
  • 12.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The devil isin the detail I ▶ some non public data types ▶ AppleHIDUsageTables ▶ IOHIDEventTypes ▶ some functions from source code. e.g., IOHIDEventSystemClientRef IOHIDEventSystemClientCreate(CFAllocatorRef allocator); ▶ .plist file(s) in /System/Library/ThermalMonitor/
  • 13.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The devil isin the detail II CSE-iPhone-8-plus:~ root# hidutil list Services: VendorID ProductID LocationID UsagePage Usage RegistryID Transport Class Product UserClass Built-In 0x0 0x0 0x54683378 65280 5 0x100000270 (null) AppleT8015TempSensor Max: PMGR SOC Die Temp Sensor3 (null) 1 0x0 0x0 0x5450336c 65280 5 0x100000336 (null) AppleSMC PMU tdie3 (null) 1 0x0 0x0 0x54503562 65280 5 0x10000033d (null) AppleSMC PMU tdie5 (null) 1 0x0 0x0 0x54633161 65280 5 0x100000277 (null) AppleT8015TempSensor Avg: ACC Temp Sensor1 (null) 1 0x0 0x0 0x54503962 65280 5 0x10000034b (null) AppleSMC PMU tdie9 (null) 1 0x0 0x0 0x54563073 65280 5 0x100000352 (null) AppleSMC Unknown Source TV0s (null) 1 0x0 0x0 0x5651306c 65288 3 0x100000359 (null) AppleSMC Charger VQ0l (null) 1 0x5ac 0x8104 0x0 65280 10 0x100000501 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x54473042 65280 5 0x10000038a (null) AppleSMC gas gauge battery (null) 1 0x0 0x0 0x54534644 65280 5 0x1000005ff (null) AppleVTempDispatcher CGCenterSkin (null) 1 0x0 0x0 0x5453524d 65280 5 0x100000606 (null) AppleVTempDispatcher BandMLBSkin (null) 1 0x0 0x0 0x54534643 65280 5 0x10000060d (null) AppleVTempDispatcher CGRearCamera (null) 1 0x0 0x0 0x54503464 65280 5 0x100000318 (null) AppleSMC PMU tdev4 (null) 1 0x0 0x0 0x54683161 65280 5 0x100000267 (null) AppleT8015TempSensor Avg: PMGR SOC Die Temp Sensor1 (null) 1 0x0 0x0 0x54683369 65280 5 0x10000026e (null) AppleT8015TempSensor PMGR SOC Die Temp Sensor3 (null) 1 0x0 0x0 0x54 13 4 0x100000571 SPI (null) (null) (null) 1 0x0 0x0 0x54633278 65280 5 0x10000027c (null) AppleT8015TempSensor Max: ACC Temp Sensor2 (null) 1 0x0 0x0 0x54506562 65280 5 0x100000350 (null) AppleSMC PMU tdie14 (null) 1 0x0 0x0 0x5451306a 65280 5 0x100000357 (null) AppleSMC Charger TQ0j (null) 1 0x0 0x0 0x0 65292 4 0x1000004f8 SPU AppleSPUHIDDriver (null) (null) 1 0x5ac 0x8104 0x0 65280 9 0x1000004ff SPU AppleSPUHIDDriver (null) (null) 1 0x5ac 0x8104 0x0 32 49 0x10000050d SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x0 65280 8 0x10000051b SPU AppleProxHIDEventDriver (null) (null) 1 0x0 0x0 0x54534261 65280 5 0x100000612 (null) AppleVTempDispatcher BCArc (null) 1 0x0 0x0 0x54683278 65280 5 0x10000026c (null) AppleT8015TempSensor Max: PMGR SOC Die Temp Sensor2 (null) 1 0x0 0x0 0x54633061 65280 5 0x100000273 (null) AppleT8015TempSensor Avg: ACC Temp Sensor0 (null) 1 0x0 0x0 0x544e306e 65280 5 0x1000003f8 (null) AppleANS2NVMeController NAND CH0 temp (null) 1 0x0 0x0 0x54503862 65280 5 0x100000340 (null) AppleSMC PMU tdie8 (null) 1 0x0 0x0 0x5450346c 65280 5 0x100000339 (null) AppleSMC PMU tdie4 (null) 1 0x0 0x0 0x54506362 65280 5 0x10000034e (null) AppleSMC PMU tdie12 (null) 1 0x0 0x0 0x51513075 65288 2 0x100000355 (null) AppleSMC Charger QQ0u (null) 1 0x0 0x0 0x54633269 65280 5 0x10000027a (null) AppleT8015TempSensor ACC Temp Sensor2 (null) 1 0x0 0x0 0x57513075 65288 3 0x100000363 (null) AppleSMC Charger WQ0u (null) 1 0x0 0x0 0x0 65292 5 0x100000504 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x54473056 65280 5 0x100000394 (null) AppleSMC gas gauge battery (null) 1 0x0 0x0 0x0 11 1 0x100000216 (null) AppleM68Buttons (null) (null) 1 0x0 0x0 0x0 65280 11 0x1000003a2 (null) AppleMesaShim (null) (null) 1 0x0 0x0 0x54534245 65280 5 0x100000602 (null) AppleVTempDispatcher BCMLBSkin (null) 1 0x0 0x0 0x54534251 65280 5 0x100000609 (null) AppleVTempDispatcher BCCharger (null) 1 0x0 0x0 0x54503364 65280 5 0x100000314 (null) AppleSMC PMU tdev3 (null) 1 0x0 0x0 0x5450316c 65280 5 0x10000031b (null) AppleSMC PMU tdie1 (null) 1 0x0 0x0 0x54683061 65280 5 0x100000263 (null) AppleT8015TempSensor Avg: PMGR SOC Die Temp Sensor0 (null) 1 0x0 0x0 0x54683269 65280 5 0x10000026a (null) AppleT8015TempSensor PMGR SOC Die Temp Sensor2 (null) 1 0x0 0x0 0x54503264 65280 5 0x10000030d (null) AppleSMC PMU tdev2 (null) 1 0x0 0x0 0x54633178 65280 5 0x100000278 (null) AppleT8015TempSensor Max: ACC Temp Sensor1 (null) 1 0x0 0x0 0x54503662 65280 5 0x10000033e (null) AppleSMC PMU tdie6 (null) 1 0x0 0x0 0x54506162 65280 5 0x10000034c (null) AppleSMC PMU tdie10 (null) 1 0x0 0x0 0x49513042 65288 2 0x100000353 (null) AppleSMC Charger IQ0B (null) 1 0x0 0x0 0x56513075 65288 3 0x10000035a (null) AppleSMC Charger VQ0u (null) 1 0x0 0x0 0x54473048 65280 5 0x100000392 (null) AppleSMC gas gauge battery (null) 1 0x5ac 0x8104 0x0 65280 3 0x10000051e SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x0 65280 4 0x10000052c SPU AppleSPUCT709 (null) (null) 1 0x0 0x0 0x544b3046 65280 5 0x1000005f9 (null) AppleVTempDispatcher FrontCameraDie (null) 1 0x0 0x0 0x54535252 65280 5 0x100000607 (null) AppleVTempDispatcher BandRadioSkin (null) 1 0x0 0x0 0x54503564 65280 5 0x100000319 (null) AppleSMC PMU tdev5 (null) 1 0x0 0x0 0x54683178 65280 5 0x100000268 (null) AppleT8015TempSensor Max: PMGR SOC Die Temp Sensor1 (null) 1 0x0 0x0 0x54683361 65280 5 0x10000026f (null) AppleT8015TempSensor Avg: PMGR SOC Die Temp Sensor3 (null) 1 0x0 0x0 0x54633169 65280 5 0x100000276 (null) AppleT8015TempSensor ACC Temp Sensor1 (null) 1 0x0 0x0 0x54506662 65280 5 0x100000351 (null) AppleSMC PMU tdie15 (null) 1 0x0 0x0 0x56513042 65288 3 0x100000358 (null) AppleSMC Charger VQ0B (null) 1 0x0 0x0 0x6d696331 65280 5 0x1000002b5 (null) AppleICA60 (null) (null) 1 0x0 0x0 0x0 65292 1 0x1000004f9 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x0 65292 8 0x100000500 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x54503164 65280 5 0x100000309 (null) AppleSMC PMU tdev1 (null) 1 0x0 0x0 0x54533041 65280 5 0x100000613 (null) AppleVTempDispatcher Ambient (null) 1 0x0 0x0 0x54683169 65280 5 0x100000266 (null) AppleT8015TempSensor PMGR SOC Die Temp Sensor1 (null) 1 0x0 0x0 0x54633078 65280 5 0x100000274 (null) AppleT8015TempSensor Max: ACC Temp Sensor0 (null) 1 0x0 0x0 0x54633261 65280 5 0x10000027b (null) AppleT8015TempSensor Avg: ACC Temp Sensor2 (null) 1 0x0 0x0 0x54506462 65280 5 0x10000034f (null) AppleSMC PMU tdie13 (null) 1 0x0 0x0 0x54513064 65280 5 0x100000356 (null) AppleSMC Charger TQ0d (null) 1 0x0 0x0 0x0 32 100 0x1000004f7 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x0 65292 3 0x1000004fe SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x54617263 65280 5 0x100000446 (null) AppleHapticsSupportCallan AppleHapticsSupportTemperatureReporter (null) (null) 0x0 0x0 0x54473043 65280 5 0x10000038e (null) AppleSMC gas gauge battery (null) 1 0x0 0x0 0x56514444 65288 3 0x100000387 (null) AppleSMC Charger VQDD (null) 1 0x0 0x0 0x56503075 65288 3 0x1000002f9 (null) AppleSMC PMU VP0u (null) 1 0x0 0x0 0x544b3143 65280 5 0x1000005fc (null) AppleVTempDispatcher RearCameraTeleDie (null) 1 0x0 0x0 0x54534248 65280 5 0x100000603 (null) AppleVTempDispatcher BCH7Skin (null) 1 0x0 0x0 0x5450306a 65280 5 0x100000300 (null) AppleSMC PMU tjunc (null) 1 0x0 0x0 0x5450326c 65280 5 0x10000031c (null) AppleSMC PMU tdie2 (null) 1 0x0 0x0 0x54683078 65280 5 0x100000264 (null) AppleT8015TempSensor Max: PMGR SOC Die Temp Sensor0 (null) 1 0x0 0x0 0x54683261 65280 5 0x10000026b (null) AppleT8015TempSensor Avg: PMGR SOC Die Temp Sensor2 (null) 1 0x0 0x0 0x54433673 65280 5 0x10000025d (null) AMCTempSensor AMC ODTS (null) 1 0x0 0x0 0x54633069 65280 5 0x100000272 (null) AppleT8015TempSensor ACC Temp Sensor0 (null) 1 0x0 0x0 0x54503762 65280 5 0x10000033f (null) AppleSMC PMU tdie7 (null) 1 0x0 0x0 0x54506262 65280 5 0x10000034d (null) AppleSMC PMU tdie11 (null) 1 0x0 0x0 0x49513075 65288 2 0x100000354 (null) AppleSMC Charger IQ0u (null) 1 0x0 0x0 0x56513175 65288 3 0x10000035b (null) AppleSMC Charger VQ1u (null) 1 0x0 0x0 0x0 32 19 0x1000004ee SPU AppleSPUMesaDriver (null) (null) 1 0x0 0x0 0x0 11 1 0x1000004fc SPU AppleSPUButtonDriver (null) (null) 1 0x0 0x0 0x6d696332 65280 5 0x1000002c6 (null) AppleICA60 (null) (null) 1 0x0 0x0 0x0 32 138 0x100000511 SPU IOHIDEventDriver (null) (null) 1 0x0 0x0 0x544b3043 65280 5 0x1000005fa (null) AppleVTempDispatcher RearCameraDie (null) 1 0x0 0x0 0x5450305a 65280 5 0x100000305 (null) AppleSMC PMU tcal (null) 1 0x0 0x0 0x5453464c 65280 5 0x10000060f (null) AppleVTempDispatcher CGLED (null) 1 0x0 0x0 0x54683069 65280 5 0x100000262 (null) AppleT8015TempSensor PMGR SOC Die Temp Sensor0 (null) 1 Devices: VendorID ProductID LocationID UsagePage Usage RegistryID Transport Class Product UserClass Built-In 0x0 0x0 0x0 65292 5 0x1000004b5 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 11 1 0x1000004af SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 32 138 0x1000004ba SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 32 100 0x1000004b9 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65280 8 0x1000004bf SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65292 3 0x1000004b6 SPU AppleSPUHIDDevice (null) (null) 1 0x5ac 0x8104 0x0 32 49 0x1000004b1 SPU AppleSPUHIDDevice (null) (null) 1 0x5ac 0x8104 0x0 65280 10 0x1000004b0 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x54 13 4 0x10000056d SPI AppleHIDTransportHIDDevice (null) (null) (null) 0x0 0x0 0x0 65292 4 0x1000004b3 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65292 1 0x1000004b4 SPU AppleSPUHIDDevice (null) (null) 1 0x5ac 0x8104 0x0 65280 9 0x1000004ad SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65280 4 0x1000004be SPU AppleSPUHIDDevice (null) (null) 1 0x5ac 0x8104 0x0 65280 3 0x1000004ac SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65292 8 0x1000004b2 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 32 19 0x1000004bb SPU AppleSPUHIDDevice (null) (null) 1 CSE-iPhone-8-plus:~ root# exit freedoms-iPhone:~ root# hidutil list Services: VendorID ProductID LocationID UsagePage Usage RegistryID Transport Class Product UserClass Built-In 0x0 0x0 0x4950356c 65288 2 0x100000309 (null) AppleD2333PMU PMU ldo5 (null) 1 0x0 0x0 0x54534643 65280 5 0x100000637 (null) AppleVTempDispatcher CGRCAMSkin (null) 1 0x0 0x0 0x49503962 65288 2 0x100000346 (null) AppleD2333PMU PMU ibuck1 (null) 1 0x0 0x0 0x4950656c 65288 2 0x10000031b (null) AppleD2333PMU PMU ldo14 (null) 1 0x0 0x0 0x5450306c 65280 5 0x10000032d (null) AppleD2333PMU PMU tdie0 (null) 1 0x0 0x0 0x5650326c 65288 3 0x100000302 (null) AppleD2333PMU PMU ldo2 (null) 1 0x0 0x0 0x47 13 4 0x100000560 SPI (null) (null) (null) 1 0x0 0x0 0x54683178 65280 5 0x100000244 (null) AppleT700XTempSensor Max: PMGR SOC Die Temp Sensor1 (null) 1 0x0 0x0 0x56503462 65288 3 0x10000033f (null) AppleD2333PMU PMU vbuck4 (null) 1 0x0 0x0 0x5650626c 65288 3 0x100000314 (null) AppleD2333PMU PMU ldo11 (null) 1 0x0 0x0 0x49513075 65288 2 0x100000351 (null) AppleSN2400Charger Charger vbus (null) 1 0x0 0x0 0x5450306a 65280 5 0x100000326 (null) AppleD2333PMU PMU tjunc (null) 1 0x0 0x0 0x54633161 65280 5 0x10000023d (null) AppleT700XTempSensor Avg: ACC Temp Sensor1 (null) 1 0x0 0x0 0x54506262 65280 5 0x100000338 (null) AppleD2333PMU PMU tdie11 (null) 1 0x0 0x0 0x4950376c 65288 2 0x10000030d (null) AppleD2333PMU PMU ldo7 (null) 1 0x0 0x0 0x49503962 65288 2 0x10000034a (null) AppleD2333PMU PMU ibuck5 (null) 1 0x0 0x0 0x4950676c 65288 2 0x10000031f (null) AppleD2333PMU PMU ldo16 (null) 1 0x0 0x0 0x0 65292 3 0x100000515 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x54633269 65280 5 0x100000236 (null) AppleT700XTempSensor ACC Temp Sensor2 (null) 1 0x0 0x0 0x544b3043 65280 5 0x100000622 (null) AppleVTempDispatcher RearCameraDie (null) 1 0x0 0x0 0x5650346c 65288 3 0x100000306 (null) AppleD2333PMU PMU ldo4 (null) 1 0x0 0x0 0x54503462 65280 5 0x100000331 (null) AppleD2333PMU PMU tdie4 (null) 1 0x0 0x0 0x0 11 1 0x1000001e0 (null) AppleM68Buttons (null) (null) 1 0x5ac 0x8104 0x0 65280 9 0x100000539 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x56503862 65288 3 0x100000343 (null) AppleD2333PMU PMU vbuck8 (null) 1 0x0 0x0 0x5650646c 65288 3 0x100000318 (null) AppleD2333PMU PMU ldo13 (null) 1 0x0 0x0 0x54683078 65280 5 0x100000248 (null) AppleT700XTempSensor Max: PMGR SOC Die Temp Sensor0 (null) 1 0x0 0x0 0x54534252 65280 5 0x100000634 (null) AppleVTempDispatcher BCRadioSkin (null) 1 0x0 0x0 0x56513042 65288 3 0x100000355 (null) AppleSN2400Charger Charger vbat (null) 1 0x0 0x0 0x0 65280 255 0x1000004fc SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x54503364 65280 5 0x10000032a (null) AppleD2333PMU PMU tdev3 (null) 1 0x0 0x0 0x56503064 65288 3 0x1000002ff (null) AppleD2333PMU PMU vdd_main (null) 1 0x0 0x0 0x56503162 65288 3 0x10000033c (null) AppleD2333PMU PMU vbuck1 (null) 1 0x0 0x0 0x54683278 65280 5 0x100000241 (null) AppleT700XTempSensor Max: PMGR SOC Die Temp Sensor2 (null) 1 0x0 0x0 0x4950396c 65288 2 0x100000311 (null) AppleD2333PMU PMU ldo9 (null) 1 0x0 0x0 0x49503962 65288 2 0x10000034e (null) AppleD2333PMU PMU ibuck9 (null) 1 0x0 0x0 0x54433673 65280 5 0x100000228 (null) AMCTempSensor AMC ODTS (null) 1 0x0 0x0 0x4950696c 65288 2 0x100000323 (null) AppleD2333PMU PMU ldo18 (null) 1 0x0 0x0 0x54503862 65280 5 0x100000335 (null) AppleD2333PMU PMU tdie8 (null) 1 0x0 0x0 0x54633061 65280 5 0x10000023a (null) AppleT700XTempSensor Avg: ACC Temp Sensor0 (null) 1 0x0 0x0 0x5650366c 65288 3 0x10000030a (null) AppleD2333PMU PMU ldo6 (null) 1 0x0 0x0 0x49503962 65288 2 0x100000347 (null) AppleD2333PMU PMU ibuck2 (null) 1 0x0 0x0 0x54533041 65280 5 0x100000638 (null) AppleVTempDispatcher Ambient (null) 1 0x0 0x0 0x5650666c 65288 3 0x10000031c (null) AppleD2333PMU PMU ldo15 (null) 1 0x0 0x0 0x5450316c 65280 5 0x10000032e (null) AppleD2333PMU PMU tdie1 (null) 1 0x0 0x0 0x544b3046 65280 5 0x10000061f (null) AppleVTempDispatcher FrontCameraDie (null) 1 0x0 0x0 0x4950326c 65288 2 0x100000303 (null) AppleD2333PMU PMU ldo2 (null) 1 0x0 0x0 0x56503562 65288 3 0x100000340 (null) AppleD2333PMU PMU vbuck5 (null) 1 0x0 0x0 0x54534245 65280 5 0x100000631 (null) AppleVTempDispatcher BCMLBSkin (null) 1 0x0 0x0 0x4950626c 65288 2 0x100000315 (null) AppleD2333PMU PMU ldo11 (null) 1 0x0 0x0 0x49513042 65288 2 0x100000352 (null) AppleSN2400Charger Charger ibat (null) 1 0x0 0x0 0x5450305a 65280 5 0x100000327 (null) AppleD2333PMU PMU tcal (null) 1 0x0 0x0 0x54506362 65280 5 0x100000339 (null) AppleD2333PMU PMU tdie12 (null) 1 0x0 0x0 0x54633178 65280 5 0x10000023e (null) AppleT700XTempSensor Max: ACC Temp Sensor1 (null) 1 0x5ac 0x8104 0x0 32 49 0x10000052f SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x5650386c 65288 3 0x10000030e (null) AppleD2333PMU PMU ldo8 (null) 1 0x0 0x0 0x49503962 65288 2 0x10000034b (null) AppleD2333PMU PMU ibuck6 (null) 1 0x0 0x0 0x5650686c 65288 3 0x100000320 (null) AppleD2333PMU PMU ldo17 (null) 1 0x0 0x0 0x54503562 65280 5 0x100000332 (null) AppleD2333PMU PMU tdie5 (null) 1 0x0 0x0 0x54633261 65280 5 0x100000237 (null) AppleT700XTempSensor Avg: ACC Temp Sensor2 (null) 1 0x0 0x0 0x4950346c 65288 2 0x100000307 (null) AppleD2333PMU PMU ldo4 (null) 1 0x0 0x0 0x56503962 65288 3 0x100000344 (null) AppleD2333PMU PMU vbuck9 (null) 1 0x5ac 0x8104 0x0 65280 10 0x10000053a SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x0 65280 8 0x10000050f SPU AppleProxHIDEventDriver (null) (null) 1 0x0 0x0 0x4950646c 65288 2 0x100000319 (null) AppleD2333PMU PMU ldo13 (null) 1 0x0 0x0 0x57513075 65288 3 0x100000356 (null) AppleSN2400Charger Charger vbus_accum (null) 1 0x0 0x0 0x0 65280 11 0x1000003be (null) AppleMesaShim (null) (null) 1 0x0 0x0 0x54503464 65280 5 0x10000032b (null) AppleD2333PMU PMU tdev4 (null) 1 0x0 0x0 0x0 32 138 0x100000521 SPU IOHIDEventDriver (null) (null) 1 0x0 0x0 0x5650316c 65288 3 0x100000300 (null) AppleD2333PMU PMU ldo1 (null) 1 0x0 0x0 0x56503262 65288 3 0x10000033d (null) AppleD2333PMU PMU vbuck2 (null) 1 0x0 0x0 0x54683169 65280 5 0x100000242 (null) AppleT700XTempSensor PMGR SOC Die Temp Sensor1 (null) 1 0x0 0x0 0x5650616c 65288 3 0x100000312 (null) AppleD2333PMU PMU ldo10 (null) 1 0x0 0x0 0x6d696331 65280 5 0x1000002aa (null) AppleICA60 (null) (null) 1 0x0 0x0 0x544e306e 65280 5 0x1000003e2 (null) AppleEmbeddedNVMeController NAND CH0 temp (null) 1 0x0 0x0 0x56503078 65288 3 0x10000034f (null) AppleD2333PMU PMU vmon (null) 1 0x0 0x0 0x42 65280 32 0x1000004b2 Serial AppleHomerDriver (null) (null) 1 0x0 0x0 0x56506a6c 65288 3 0x100000324 (null) AppleD2333PMU PMU ldo19 (null) 1 0x0 0x0 0x54503962 65280 5 0x100000336 (null) AppleD2333PMU PMU tdie9 (null) 1 0x0 0x0 0x54633078 65280 5 0x10000023b (null) AppleT700XTempSensor Max: ACC Temp Sensor0 (null) 1 0x0 0x0 0x0 32 19 0x100000501 SPU AppleSPUMesaDriver (null) (null) 1 0x0 0x0 0x4950366c 65288 2 0x10000030b (null) AppleD2333PMU PMU ldo6 (null) 1 0x0 0x0 0x54473042 65280 5 0x1000002a3 (null) (null) gas gauge battery (null) (null) 0x0 0x0 0x49503962 65288 2 0x100000348 (null) AppleD2333PMU PMU ibuck3 (null) 1 0x0 0x0 0x4950666c 65288 2 0x10000031d (null) AppleD2333PMU PMU ldo15 (null) 1 0x0 0x0 0x5450326c 65280 5 0x10000032f (null) AppleD2333PMU PMU tdie2 (null) 1 0x0 0x0 0x5650336c 65288 3 0x100000304 (null) AppleD2333PMU PMU ldo3 (null) 1 0x0 0x0 0x56503662 65288 3 0x100000341 (null) AppleD2333PMU PMU vbuck6 (null) 1 0x0 0x0 0x54683069 65280 5 0x100000246 (null) AppleT700XTempSensor PMGR SOC Die Temp Sensor0 (null) 1 0x0 0x0 0x5650636c 65288 3 0x100000316 (null) AppleD2333PMU PMU ldo12 (null) 1 0x5ac 0x8104 0x0 65280 3 0x10000050c SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x56513063 65288 3 0x100000353 (null) AppleSN2400Charger Charger vdd_main (null) 1 0x0 0x0 0x54617263 65280 5 0x1000004b6 Serial AppleHomerTemperature (null) (null) 1 0x0 0x0 0x54503164 65280 5 0x100000328 (null) AppleD2333PMU PMU tdev1 (null) 1 0x0 0x0 0x0 65292 4 0x10000051e SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x54534644 65280 5 0x10000062b (null) AppleVTempDispatcher CGCenterSkin (null) 1 0x0 0x0 0x54506462 65280 5 0x10000033a (null) AppleD2333PMU PMU tdie13 (null) 1 0x0 0x0 0x4950386c 65288 2 0x10000030f (null) AppleD2333PMU PMU ldo8 (null) 1 0x0 0x0 0x0 11 1 0x100000505 SPU AppleSPUButtonDriver (null) (null) 1 0x0 0x0 0x54683269 65280 5 0x10000023f (null) AppleT700XTempSensor PMGR SOC Die Temp Sensor2 (null) 1 0x0 0x0 0x49503962 65288 2 0x10000034c (null) AppleD2333PMU PMU ibuck7 (null) 1 0x0 0x0 0x4950686c 65288 2 0x100000321 (null) AppleD2333PMU PMU ldo17 (null) 1 0x0 0x0 0x54503662 65280 5 0x100000333 (null) AppleD2333PMU PMU tdie6 (null) 1 0x0 0x0 0x54633278 65280 5 0x100000238 (null) AppleT700XTempSensor Max: ACC Temp Sensor2 (null) 1 0x0 0x0 0x5650356c 65288 3 0x100000308 (null) AppleD2333PMU PMU ldo5 (null) 1 0x0 0x0 0x49503962 65288 2 0x100000345 (null) AppleD2333PMU PMU ibuck0 (null) 1 0x0 0x0 0x5650656c 65288 3 0x10000031a (null) AppleD2333PMU PMU ldo14 (null) 1 0x0 0x0 0x51513075 65288 2 0x100000357 (null) AppleSN2400Charger Charger ibus_accum (null) 1 0x0 0x0 0x54503564 65280 5 0x10000032c (null) AppleD2333PMU PMU tdev5 (null) 1 0x0 0x0 0x4950316c 65288 2 0x100000301 (null) AppleD2333PMU PMU ldo1 (null) 1 0x0 0x0 0x56503362 65288 3 0x10000033e (null) AppleD2333PMU PMU vbuck3 (null) 1 0x0 0x0 0x6d696332 65280 5 0x1000002ab (null) AppleICA60 (null) (null) 1 0x0 0x0 0x0 65292 1 0x100000509 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x54683161 65280 5 0x100000243 (null) AppleT700XTempSensor Avg: PMGR SOC Die Temp Sensor1 (null) 1 0x0 0x0 0x4950616c 65288 2 0x100000313 (null) AppleD2333PMU PMU ldo10 (null) 1 0x0 0x0 0x56513075 65288 3 0x100000350 (null) AppleSN2400Charger Charger vbus (null) 1 0x0 0x0 0x0 65292 5 0x10000051b SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x49506a6c 65288 2 0x100000325 (null) AppleD2333PMU PMU ldo19 (null) 1 0x0 0x0 0x54506162 65280 5 0x100000337 (null) AppleD2333PMU PMU tdie10 (null) 1 0x0 0x0 0x0 65280 4 0x1000002a4 (null) AppleCT821 (null) (null) 1 0x0 0x0 0x5650376c 65288 3 0x10000030c (null) AppleD2333PMU PMU ldo7 (null) 1 0x0 0x0 0x5453464c 65280 5 0x100000628 (null) AppleVTempDispatcher CGLEDHSSkin (null) 1 0x0 0x0 0x54633169 65280 5 0x10000023c (null) AppleT700XTempSensor ACC Temp Sensor1 (null) 1 0x0 0x0 0x49503962 65288 2 0x100000349 (null) AppleD2333PMU PMU ibuck4 (null) 1 0x0 0x0 0x0 65292 8 0x100000514 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x5650676c 65288 3 0x10000031e (null) AppleD2333PMU PMU ldo16 (null) 1 0x0 0x0 0x5450336c 65280 5 0x100000330 (null) AppleD2333PMU PMU tdie3 (null) 1 0x0 0x0 0x4950336c 65288 2 0x100000305 (null) AppleD2333PMU PMU ldo3 (null) 1 0x0 0x0 0x56503762 65288 3 0x100000342 (null) AppleD2333PMU PMU vbuck7 (null) 1 0x0 0x0 0x54683061 65280 5 0x100000247 (null) AppleT700XTempSensor Avg: PMGR SOC Die Temp Sensor0 (null) 1 0x0 0x0 0x4950636c 65288 2 0x100000317 (null) AppleD2333PMU PMU ldo12 (null) 1 0x0 0x0 0x5451306a 65280 5 0x100000354 (null) AppleSN2400Charger Charger tjunc (null) 1 0x0 0x0 0x54503264 65280 5 0x100000329 (null) AppleD2333PMU PMU tdev2 (null) 1 0x0 0x0 0x56503062 65288 3 0x10000033b (null) AppleD2333PMU PMU vbuck0 (null) 1 0x0 0x0 0x54534248 65280 5 0x10000062c (null) AppleVTempDispatcher BCH7Skin (null) 1 0x0 0x0 0x5650396c 65288 3 0x100000310 (null) AppleD2333PMU PMU ldo9 (null) 1 0x0 0x0 0x54683261 65280 5 0x100000240 (null) AppleT700XTempSensor Avg: PMGR SOC Die Temp Sensor2 (null) 1 0x0 0x0 0x54534261 65280 5 0x10000063e (null) AppleVTempDispatcher Arc (null) 1 0x0 0x0 0x49503962 65288 2 0x10000034d (null) AppleD2333PMU PMU ibuck8 (null) 1 0x0 0x0 0x5650696c 65288 3 0x100000322 (null) AppleD2333PMU PMU ldo18 (null) 1 0x0 0x0 0x0 32 100 0x100000518 SPU AppleSPUHIDDriver (null) (null) 1 0x0 0x0 0x54633069 65280 5 0x100000239 (null) AppleT700XTempSensor ACC Temp Sensor0 (null) 1 0x0 0x0 0x54503762 65280 5 0x100000334 (null) AppleD2333PMU PMU tdie7 (null) 1 0x0 0x0 0x54534648 65280 5 0x100000625 (null) AppleVTempDispatcher CGH7Skin (null) 1 Devices: VendorID ProductID LocationID UsagePage Usage RegistryID Transport Class Product UserClass Built-In 0x0 0x0 0x0 65280 255 0x1000004e1 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65292 4 0x1000004e6 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x42 65280 32 0x1000004ad Serial AppleHIDTransportHIDDevice (null) (null) (null) 0x0 0x0 0x0 11 1 0x1000004dc SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x54617263 65280 5 0x1000004b1 Serial AppleHIDTransportHIDDevice (null) (null) (null) 0x0 0x0 0x0 65292 5 0x1000004e7 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65280 8 0x1000004e8 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65292 3 0x1000004e2 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65292 1 0x1000004e5 SPU AppleSPUHIDDevice (null) (null) 1 0x5ac 0x8104 0x0 32 49 0x1000004e0 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x47 13 4 0x10000055c SPI AppleHIDTransportHIDDevice (null) (null) (null) 0x5ac 0x8104 0x0 65280 9 0x1000004de SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 65292 8 0x1000004e4 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 32 100 0x1000004e9 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 32 138 0x1000004e3 SPU AppleSPUHIDDevice (null) (null) 1 0x0 0x0 0x0 32 19 0x1000004db SPU AppleSPUHIDDevice (null) (null) 1 0x5ac 0x8104 0x0 65280 3 0x1000004dd SPU AppleSPUHIDDevice (null) (null) 1 0x5ac 0x8104 0x0 65280 10 0x1000004df SPU AppleSPUHIDDevice (null) (null) 1 freedoms-iPhone:~ root# exit Script done on Sun Jan 5 08:40:24 2020 Figure 2: Outputs of hidutil list on jailbroken iPhone 7 and 8 Plus to verify that number of power senors are less on devices after A11.
  • 14.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . More Thermal ControlRelated Mechanisms I ▶ There is /usr/libexec/thermalmonitord in iOS 13 (/usr/libexec/mobilewatchdog in iOS 12.x), which collects thermal information and does thermal-throttling when necessary. ▶ The thermalmonitord is mainly written in Objective-C (how to know that? there are Objective-C sections in Mach-O). ▶ Mach-O has been around for more than 30 years.There are many tools we can used to inspect Mach-O files. E.g., if you know binutils, llvm-based binutils. ▶ class-dump, one of the interesting Mach-O tools, could extract Objective-C class related information (including protocols and methods) from Mach-O files and convert those them to Objective-C headers. ▶ class-dump thermalmonitord of iPhone 8 running iOS 13.3 (class-dump thermalmonitord -H -o /tmp/thermal_headers), we can get more than 100 headers.
  • 15.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . More Thermal ControlRelated Mechanisms II ▶ How about runtime infomation? So far, I think cycript [7] is the most convenient tool if you are willing to learn a new language.
  • 16.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - (unsigned longlong)getPotentialForcedThermalLevel:(unsigned long long)arg1; - (_Bool)useTcalAdjust:(int)arg1; - (void)updateTrapTargetFor:(int)arg1:(unsigned int)arg2; - (void)updateThermRelease; - (void)updateSleepTargetFor:(int)arg1:(unsigned int)arg2; - (void)updateMaxLIFor:(int)arg1:(unsigned int)arg2; - (void)updateDecayStatus; - (void)updateHotSpotPIDTargetFor:(int)arg1:(unsigned int)arg2; - (void)updateControlEffortFor:(int)arg1:(unsigned int)arg2; - (void)updateAllThermalLoad; - (void)tryTakeAction; - (int)totalSensors; - (void)probeAllSupervisorControlLoadingIndex; - (_Bool)hasSolarMode; - (unsigned long long)getWatchDogMode; - (_Bool)getNaviStatus; - (unsigned long long)getMaxSensorValue; - (int)getHighestSkinTemp; - (struct iir_filter_t *)getFilterValues; - (void)getAllComponentID:(struct __SCPreferences *)arg1; - (id)findComponent:(int)arg1; - (void)evaluteMitigationMaxLoadingIndex; - (void)enableRadioDataCollection:(_Bool)arg1; - (void)createConnectionToCT:(int)arg1; - (void)clearLoadingIndexOverrides; - (void)clearControlEffortOverrides; - (void)dealloc; - (id)init; AggDThermalMonitor *aggdTM; _Bool thermalTrap; NSMutableArray *listofComponentControl; NSMutableArray *listOfSupervisorControl; int calibrationResistorSensor; int calibrationResistorTempDefault; TableDrivenDecisionTree *decisionTree; int thermalState; float THERMAL_TRAP_LOAD; float THERMAL_TRAP_SLEEP; unsigned long long componentThermalStatusLevel; unsigned long long previousOSThermalNotificationLevel; CommonProduct …. struct __CFRunLoop *localMainRunloop; int productName; struct __CFBundle *bundle; CommonProduct *product; ThermalManager ComponentControl SupervisorControl TableDrivenDecisionTree ThermalStatusLevel TableDrivenDecisionTree TwoHotSpotDecisionTree ThreeHotSpotDecisionTree FourHotSpotDecisionTree FiveHotSpotDecisionTree SixHotSpotDecisionTree + (id)sharedInstance - (void)updateSystemPowerState:(_Bool)arg1; - (void)iterateAndUpdateContexts; - (_Bool)isContextTriggered:(int)arg1; - (int)getContextState:(int)arg1; - (id)createNewContext:(int)arg1; - (void)dealloc; - (id)init; NSObject<OS_dispatch_queue> *catmQueue; NSObject<OS_dispatch_source> *theTimer; struct __CFArray *ctxObjects; ContexAwareThermalManager Figure 3: iOS Thermal Manager
  • 17.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - (unsigned longlong)getPotentialForcedThermalLevel:(unsigned long long)arg1; - (_Bool)useTcalAdjust:(int)arg1; - (void)updateTrapTargetFor:(int)arg1:(unsigned int)arg2; - (void)updateThermRelease; - (void)updateSleepTargetFor:(int)arg1:(unsigned int)arg2; - (void)updateMaxLIFor:(int)arg1:(unsigned int)arg2; - (void)updateDecayStatus; - (void)updateHotSpotPIDTargetFor:(int)arg1:(unsigned int)arg2; - (void)updateControlEffortFor:(int)arg1:(unsigned int)arg2; - (void)updateAllThermalLoad; - (void)tryTakeAction; - (int)totalSensors; - (void)probeAllSupervisorControlLoadingIndex; - (_Bool)hasSolarMode; - (unsigned long long)getWatchDogMode; - (_Bool)getNaviStatus; - (unsigned long long)getMaxSensorValue; - (int)getHighestSkinTemp; - (struct iir_filter_t *)getFilterValues; - (void)getAllComponentID:(struct __SCPreferences *)arg1; - (id)findComponent:(int)arg1; - (void)evaluteMitigationMaxLoadingIndex; - (void)enableRadioDataCollection:(_Bool)arg1; - (void)createConnectionToCT:(int)arg1; - (void)clearLoadingIndexOverrides; - (void)clearControlEffortOverrides; - (void)dealloc; - (id)init; AggDThermalMonitor *aggdTM; _Bool thermalTrap; NSMutableArray *listofComponentControl; NSMutableArray *listOfSupervisorControl; int calibrationResistorSensor; int calibrationResistorTempDefault; TableDrivenDecisionTree *decisionTree; int thermalState; float THERMAL_TRAP_LOAD; float THERMAL_TRAP_SLEEP; unsigned long long componentThermalStatusLevel; unsigned long long previousOSThermalNotificationLevel; CommonProduct …. struct __CFRunLoop *localMainRunloop; int productName; struct __CFBundle *bundle; CommonProduct *product; ThermalManager ComponentControl SupervisorControl TableDrivenDecisionTree ThermalStatusLevel TableDrivenDecisionTree TwoHotSpotDecisionTree ThreeHotSpotDecisionTree FourHotSpotDecisionTree FiveHotSpotDecisionTree SixHotSpotDecisionTree + (id)sharedInstance - (void)updateSystemPowerState:(_Bool)arg1; - (void)iterateAndUpdateContexts; - (_Bool)isContextTriggered:(int)arg1; - (int)getContextState:(int)arg1; - (id)createNewContext:(int)arg1; - (void)dealloc; - (id)init; NSObject<OS_dispatch_queue> *catmQueue; NSObject<OS_dispatch_source> *theTimer; struct __CFArray *ctxObjects; ContexAwareThermalManager - (_Bool)isInternalBuild; - (struct __CFDictionary *)createPowerLogDictionaryForExtraSensors; - (struct __CFDictionary *)createPowerLogDictionaryForExtraInternals; - (struct __CFDictionary *)createPowerLogDictionaryForFixedHeaders; - (struct __CFDictionary *)createPowerLogDictionaryForSensors; - (struct __CFDictionary *)createPowerLogDictionaryForComponentControl; - (struct __CFDictionary *)createPowerLogDictionaryForHotspotControl; - (int)maxControlEffort; - (_Bool)useTcalAdjust:(int)arg1; - (struct __CFString *)getTGraphData:(int)arg1; - (void)initDataCollection; - (void)updateSystemLoad; - (void)updatePrefs:(struct __SCPreferences *)arg1:(_Bool)arg2; - (void)updateDecayStatus; - (void)SaveProductString:(int)arg1; - (void)probeAllSupervisorControlLoadingIndex; - (void)initializeReadPrefs:(struct __SCPreferences *)arg1; - (void)hintComponentControlTakeAction; - (unsigned long long)getWatchDogMode; - (int)getProductTotalSensors; - (struct iir_filter_t *)getProductFilterValues; - (unsigned long long)getMaxSensorValue; - (int)getProductCalibrationSensorID; - (int)getProductCalibrationDefault; - (void *)getConfigurationFor:(struct __CFString *)arg1; - (void)createNewProduct:(struct __CFRunLoop *)arg1; - (void)createConnectionToCT:(int)arg1; - (void)dealloc; - (id)initWithConfig:(struct __CFBundle *)arg1; struct __CFRunLoop *localMainRunloop; int productName; struct __CFBundle *bundle; CommonProduct *product; ThermalManager …. CommonProduct *productObj; NSMutableArray *listofComponentControl; NSMutableArray *listOfSupervisorControl; struct __CFArray *extraSensorDataSources; struct __CFArray *extraInternalDataSources; struct __CFString *tGraphDataString; _Bool isInternal; TGraphSampler - (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1; - (struct __CFString *)copyHeaderForIndex:(int)arg1; - (int)numberOfFields; - (void)updateSystemPowerState:(_Bool)arg1; - (_Bool)synchContext; - (void)updateContextActiveState; - (_Bool)isContextTriggered; - (int)getContextState; - (void)initAudioHandling; - (void)initBacklightHandling; - (void)initPowerHandling; - (void)dealloc; - (id)init; _Bool contextIsActive; _Bool connectedExternally; _Bool backlightIsOn; _Bool audioIsOn; _Bool powerIsOn; int mitigationControllerListID; int _displayToken; int _audioRunningToken; unsigned int pmuPowerService; unsigned int _notification; unsigned int _ioIterator; struct IONotificationPort *notificationPort; NSObject<OS_dispatch_queue> *_inPocketQueue; ContextInPocket - (id)initProduct:(id)arg1; …. BaseCCList - (_Bool)getNaviStatus; - (id)initProduct:(id)arg1; Navigation *navi; BaseCCDisplayAndPower - (unsigned long long)getPotentialForcedThermalLevel:(unsigned long long)arg1; - (_Bool)useTcalAdjust:(int)arg1; - (void)updateDecayStatus; - (void)updateAllThermalLoad; - (int)totalSensors; - (void)createConnectionToCT:(int)arg1; - (void)dealloc; - (id)initProduct:(id)arg1; RadioPassthroughCC *radioCC; CameraTS *camSensor; DieControlLoop *dieControlLoop; unsigned char dieControlLoopMaxLoadIndexTableCPU[256]; unsigned char dieControlLoopMaxLoadIndexTableGPU[256]; tm60ebe335d9a55c5e521f51bf0dadbce6 Figure 4: iOS Thermal Manager and others
  • 18.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - (_Bool)isEqualMType:(int)arg1; - (void)calculateControlEffort:(float)arg1; -(void)dealloc; - (id)initPIDWith:(struct __CFDictionary *)arg1; _Bool allowCEOverride; float kp; float ki; float ts; float integrator; float integratorMin; float integratorMax; float TARGET; int mitigationType; struct __CFString *nameofComponent; int boundCheckLow; int boundCheckHigh; int controlEffort; PidComponent - (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1; - (struct __CFString *)copyHeaderForIndex:(int)arg1; - (int)numberOfFields; - (void)testLoadingIndexLevel; - (void)refreshCurrentLoadingIndex; - (_Bool)isEqualMType:(int)arg1; - (void)filteredMaxLoadingIndex; - (void)defaultAction; - (void)dealloc; - (id)initWithCC:(const char *)arg1:(const char *)arg2:(int)arg3:(struct __CFDictionary *)arg4; _Bool allowLIOverride; _Bool thermRelease; double lastTime; NSObject<OS_dispatch_queue> *myCustomQueue; unsigned int currentLoadingIndex; unsigned int maxLoadingIndex; unsigned int previousValue; unsigned int releaseMaxLI; unsigned int releaseRate; NSObject<OS_dispatch_source> *theTimer; int loopTimer; CompoentControl - (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1; - (struct __CFString *)copyHeaderForIndex:(int)arg1; - (int)numberOfFields; - (void)refreshCurrentLoadingIndex; - (void)defaultAction; - (void)calculateMitigation; - (id)initWithSOC:(const char *)arg1:(int)arg2:(struct __CFDictionary *)arg3:(int)arg4:(int)arg5; int listIDPos; unsigned int gpuPowerTarget; int dutyCyclingCrossOverThreshold; float timeActive; SocCC - (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1; - (struct __CFString *)copyHeaderForIndex:(int)arg1; - (int)numberOfFields; - (_Bool)usesPID; - (void)refreshCurrentLoadingIndex; - (void)refreshCurrentLoadingIndexUsingPID; - (unsigned int)getUserUsage; - (void)defaultAction; - (id)initWithCPU:(const char *)arg1:(int)arg2:(struct __CFDictionary *)arg3:(float)arg4:(int)arg5; int listIDPos; unsigned int host; struct host_cpu_load_info currCpu; struct host_cpu_load_info prevCpu; float powerScale; float timeActive; unsigned int kDVD1Level; _Bool _useDirectMap; unsigned int _minReachableLoadIndex; float _directMapSlope; float _directMapIntercept; CpuCC - (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1; - (struct __CFString *)copyHeaderForIndex:(int)arg1; - (int)numberOfFields; - (void)startLoop; - (void)startLoopIfNeeded; - (void)controlDie; - (void)updateComponentsForMaxCPULoadIndex:(int)arg1 andMaxGPULoadIndex:(int)arg2; - (void)dealloc; - (id)initWithRunLoop:(struct __CFRunLoop *)arg1 maxLoadTableCPU:(char *)arg2 maxLoadTableGPU:(char *)arg3 sgxCrossover:(int)arg4 andPIDList:(struct __CFDictionary *)arg5; - (void)initSensorContext:(CDStruct_beb0aeb4 *)arg1 forService:(const char *)arg2 key:(struct __CFString *)arg3 value:(struct __CFString *)arg4; CDStruct_beb0aeb4 dieTempSensorContext[4]; int listIDPos; float PANIC_LEVEL; float RELEASE_TEMP; NSObject<OS_dispatch_source> *theTimer; unsigned int note; unsigned int sochotPMGR; unsigned int sochotCCC; struct IONotificationPort *notificationPort; char *maxLoadIndexTableCPU; char *maxLoadIndexTableGPU; NSObject<OS_dispatch_queue> *dieControlQueue; _Bool dieControlLoopIsRunning; DieControlLoop SupervisorControl CommonProduct *cProduct; float hotspotTemperature; float THERMAL_TRAP_LOAD; float THERMAL_TRAP_SLEEP; float releaseHysteresis; int tState; struct ForcedThermalLevelStruct forcedThermalLevel[2]; _Bool isEngagedWithHysteresis; - (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1; - (struct __CFString *)copyHeaderForIndex:(int)arg1; - (int)numberOfFields; - (_Bool)shouldForceThermalLevelForThreshold:(int)arg1; - (_Bool)hotspotIsEngaged; - (int)getThermalStateofHotspot; - (float)calculateTargetDifference; - (void)calculateControlEffort:(float)arg1; - (void)dealloc; - (id)initWithSC:(const char *)arg1:(int)arg2:(id)arg3:(struct __CFDictionary *)arg4; - (struct __CFString *)copyFieldCurrentValueForIndex:(int)arg1; - (struct __CFString *)copyHeaderForIndex:(int)arg1; - (int)numberOfFields; - (_Bool)usesPID; - (void)refreshCurrentLoadingIndex; - (void)refreshCurrentLoadingIndexUsingPID; - (unsigned int)getUserUsage; - (void)defaultAction; - (id)initWithCPU:(const char *)arg1:(int)arg2:(struct __CFDictionary *)arg3:(float)arg4:(int)arg5; int listIDPos; unsigned int host; struct host_cpu_load_info currCpu; struct host_cpu_load_info prevCpu; float powerScale; float timeActive; unsigned int kDVD1Level; _Bool _useDirectMap; unsigned int _minReachableLoadIndex; float _directMapSlope; float _directMapIntercept; BackligtCC Figure 5: Example iOS Thermal Control Loops
  • 19.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Yes, PID controlis used Figure 6: PID figure from Wikipedia, https://en.wikipedia.org/wiki/PID_controller
  • 20.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . peeking running systemswith cycript I ▶ attaching cycript to a running system process is a bit more complicated after iOS 12. We could start from a wrapper called cycrun, https://www.reddit.com/r/ jailbreakdevelopers/comments/b1r5kq/question_is_ cycript_coming_to_ios_12_unc0ver_jb/ ▶ with cyrun+cycript, ▶ cyrun -x thermalmonitord -e ▶ then where to start, singleton ones are less intrusive and easier ▶ as you see, we can get productObj ▶ as you can see, the thermalmonitord uses HID sensors.
  • 21.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . peeking running systemswith cycript II Listing 2: Cyrun ~ root # cyrun −x thermalmonitord −e applicationName : thermalmonitord i s running (64) executableName : thermalmonitord b u n d l e I d e n t i f i e r : Cycript i s active : thermalmonitord Device i s passcode locked Tweak Mode Success , Cycript was already active f o r the Process . You may now run c y c r i p t −r 127.0.0.1:8556 cy# tgs = [ TGraphSampler sharedInstance ] #”<TGraphSampler : 0x104f04330 >” cy# tgs−>productObj #”<tm0148f449e0ff00c77f11492610c521ce : 0x104f04090 >” cy# tgs−> __defineGetter__ extratGraphDataSources __defineSetter__ gotDataToLogToLiteMode __lookupGetter__ hasOwnProperty __lookupSetter__ i s I n t e r n a l __proto__ isPrototypeOf _appleCareState isa _appleCareStateLastLogged lastLogTimestamp _powerlogQueue listOfSupervisorControl _powerlogSubkeyController_Components listofComponentControl _powerlogSubkeyController_HiP previousThermalSensorValues _powerlogSubkeyController_Hotspots productObj _powerlogSubkeyController_LiteMode propertyIsEnumerable _powerlogSubkeyController_MiscExternalState tGraphDataString _powerlogSubkeyController_MiscInternalState toLocaleString _powerlogSubkeyController_Sensors t o S t r i n g _powerlogSubkeyController_Sensors_Components valueOf constructor
  • 22.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . peeking running systemswith cycript III Listing 3: Cycript HidSensos cy# hs = [ HidSensors sharedInstance ] #”<HidSensors : 0x10582bac0 >” cy# new Instance ( hs−>_tempSensors ) [ 0 ] #”+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++n RegistryID : 0x0000000100000277 n B u i l t I n : 1n Product : Avg : PMGR SOC Die Temp Sensor0 n LocationID : 1416114273n VendorID : 0n ProductID : 0n CountryCode : 0n PrimaryUsagePage : 65280n PrimaryUsage : 5n DeviceUsagePairs : n DeviceUsagePage : 65280n DeviceUsage : 5n +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++n ” cy#
  • 23.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other tools I ▶binutils and other hacking tools, such as lsof ▶ lldb/gdb on devices: Apple used to ship “fat” gdb and lldb, but not anymore(?). LLDB allows using Objective-C style syntax (most iOS programmers before Swift was introduced know Objective-C). ▶ remote debbuging: either cross building or native building of lldb could be an ostacle, if you are not afraind of using remote debugging, they (debuggserver and lldb) are open source too. Example usage (my iMAC: 192.168.1.80, the iPhone: 192.168.1.115) 1. install debuggerserver on your iDevice. Then, run debugserver 192.168.1.80:5555 --attach=thermalmonitord to wait for connection from 192.168.1.80 to port 5555 of this devices.
  • 24.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other tools II 2.on you host, launch lldb, then use platform select remote-ios and process connect connect://192.168.1.115:5555 to connect to the debugserver on the remote device. You should see something like Listing 4 3. we can examine TGraphSampler as in Listing 5 4. and HidSenors as in Listing 6 ▶ NOTE: DON’T interrupt the thermalmonitord too long, otherwise the device will reboot. Listing 4: connect to debugserver from lldb ( l l d b ) platform select remote−ios Platform : remote−ios Connected : no SDK Path : ” / Users / freedom / Library / Developer / Xcode / iOS DeviceSupport /13.3 (17C54 ) ” SDK Roots : [ 0] ” / Users / freedom / Library / Developer / Xcode / iOS DeviceSupport /13.3 (17C54 ) ” ( l l d b ) process connect connect ://192.168.1.115:5555 Process 64 stopped * thread #1 , queue = ’com. apple . main−thread ’ , stop reason = signal SIGSTOP frame #0: 0x0000000184864634 libsystem_kernel . dylib ‘ mach_msg_trap + 8 libsystem_kernel . dylib ‘ mach_msg_trap : −> 0x184864634 <+8>: r e t
  • 25.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other tools III libsystem_kernel. dylib ‘ mach_msg_overwrite_trap : 0x184864638 <+0>: mov x16 , #−0x20 0x18486463c <+4>: svc #0x80 0x184864640 <+8>: r e t Target 0: ( thermalmonitord ) stopped . Listing 5: TGraphSampler ( l l d b ) expr TGraphSampler * $tgs = [ TGraphSampler sharedInstance ] ( l l d b ) p * $tgs ( TGraphSampler ) $0 = { NSObject = { isa = TGraphSampler } productObj = 0x0000000103e03f80 listofComponentControl = 0x0000000103e041a0 @”9 elements ” listOfSupervisorC ontrol = 0x0000000103e041d0 @”12 elements ” extratGraphDataSources = 0x0000000103e04520 tGraphDataString = 0x0000000000000000 i s I n t e r n a l = fa ls e gotDataToLogToLiteMode = fa ls e lastLogTimestamp = 38967673125 previousThermalSensorValues = { [ 0 ] = 0 [ 1 ] = 0 [ 2 ] = 0 [ 3 ] = 0 [ 4 ] = 0 [ 5 ] = 0 [ 6 ] = 0
  • 26.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other tools IV [7 ] = 0 [ 8 ] = 0 [ 9 ] = 0 [10] = 0 [11] = 0 [12] = 0 [13] = 0 [14] = 0 [15] = 0 [16] = 0 [17] = 0 [18] = 0 [19] = 0 [20] = 0 [21] = 0 [22] = 0 [23] = 0 [24] = 0 [25] = 0 [26] = 0 [27] = 0 [28] = 0 [29] = 0 [30] = 0 [31] = 0 [32] = 0 [33] = 0 [34] = 0 [35] = 0 [36] = 0 [37] = 0 [38] = 0
  • 27.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other tools V [39]= 0 [40] = 0 [41] = 0 [42] = 0 [43] = 0 [44] = 0 [45] = 0 [46] = 0 [47] = 0 [48] = 0 [49] = 0 [50] = 0 [51] = 0 [52] = 0 [53] = 0 [54] = 0 [55] = 0 [56] = 0 [57] = 0 [58] = 0 [59] = 0 [60] = 0 [61] = 0 [62] = 0 [63] = 0 } _powerlogQueue = 0x0000000103e04850 _powerlogSubkeyController_Hotspots = 0x0000000103e04610 _powerlogSubkeyController_Components = 0x0000000103e04690 _powerlogSubkeyController_Sensors = 0x0000000103e046d0 _powerlogSubkeyController_MiscInternalState = 0x0000000103e04710 _powerlogSubkeyController_MiscExternalState = 0x0000000103e04750
  • 28.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other tools VI _powerlogSubkeyController_LiteMode= 0x0000000103e04790 _powerlogSubkeyController_HiP = 0x0000000103e047d0 _powerlogSubkeyController_Sensors_Components = 0x0000000103e04810 _appleCareState = 0x0000000103e048d0 @”5 elements ” _appleCareStateLastLogged = 0x0000000103e04af0 @”5 elements ” } ( l l d b ) po $tgs−>productObj <tm0148f449e0ff00c77f11492610c521ce : 0x103e03f80> Listing 6: ”HidSensors” ( l l d b ) expr HidSensors * $hs = [ HidSensors sharedInstance ] ( l l d b ) p * $hs ( HidSensors ) $1 = { NSObject = { isa = HidSensors } _hidEventSystem = 0x0000000103d0f9c0 _infoOnlyHIDSensors = 0x0000000103f2d400 _callbackSensorIntervals = 0x0000000103f2cc10 _readFailuresExpected = 0x0000000000000000 _powerSensors = 0x0000000000000000 hidSensorKeys = 0x0000000103e037a0 sensorFourCharCode = 0x0000000103e03db0 synthSensorKeys = 0x0000000103e03de0 _callbackTemperatures = 0x0000000103f31630 _potentiallyStaleSensorTimestamps = 0x0000000103e03e10 _potentiallyStaleSensorDefaults = 0x0000000103f2c840 _callbackTemperaturesQueue = 0x0000000103f2d570 sensorWatchdogMask = 1236950581247
  • 29.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other tools VII _infoOnlySensorsActive= fa lse _dispatchVirtualTemp = true _send2DTempGrid = fa ls e _tempSensors = 0x0000000105015fc0 _count = 36 _shadowSensorCount = 8 _sensorDict = 0x0000000103f30e80 _serviceToName = 0x0000000103f31670 } ( l l d b ) po $hs−>_tempSensors <__NSArrayI 0x105015fc0 >( +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ RegistryID : 0x0000000100000270 B u i l t I n : 1 Product : Max: PMGR SOC Die Temp Sensor3 LocationID : 1416115064 VendorID : 0 ProductID : 0 CountryCode : 0 PrimaryUsagePage : 65280 PrimaryUsage : 5 DeviceUsagePairs : DeviceUsagePage : 65280 DeviceUsage : 5 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ , . . . .
  • 30.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . concluding remarks ▶ iOSuses many open source components and you can use open source tools to explore iDevices. ▶ how about Android devices: as far as I can tell, most Android devices the “standard” Linux thermal framework.
  • 31.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References I [1] Checkm8. https://github.com/axi0mX/ipwndfu/. Accessed:2019-12-20. [2] checkra1n. https://checkra.in/. Accessed: 2019-12-20. [3] Apple. Driver kit. https://developer.apple.com/documentation/driverkit/. Accessed: 2019-12-20. [4] Apple. Iokit family. https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/ IOKitFundamentals/Families_Ref/Families_Ref.html. Accessed: 2019-12-20. [5] Apple. Iokit fundamentals. https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/ IOKitFundamentals/. Accessed: 2019-12-20. [6] Esmaeilzadeh, H., Blem, E., St. Amant, R., Sankaralingam, K., and Burger, D. Dark silicon and the end of multicore scaling. In Proceedings of the 38th Annual International Symposium on Computer Architecture (New York, NY, USA, 2011), ISCA ’11, ACM, pp. 365–376. [7] Freeman, J. cycript. http://www.cycript.org. Accessed: 2019-12-20.
  • 32.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References II [8] NeXT. Driverkit. http://www.nextcomputers.org/NeXTfiles/Docs/Developer/DriverKit/DriverKit.pdf. Accessed: 2019-12-20. [9] Singh, A. Mac OS X Internals. Addison-Wesley Professional, 2006. [10] Tân, K.-S. https://github.com/freedomtan/sensors/. Accessed: 2019-12-20.