-
Notifications
You must be signed in to change notification settings - Fork 211
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MacBook Pro M3 2023 Unable to connect to device #123
Comments
I assume that you are trying with the latest code? |
Yes I'm trying with the latest code. |
Ahhh I see. It's using KIS DFU. I have pending commits to push that add support for it (macOS and Linux -- windows not yet). Will push it later today and then you can try again. |
I actually pushed the commits now. Let me know if this works now. |
Sure, I'll test this. |
@nikias it is working with the new commits. But the thing is if I have 2 Macs connected in DFU it only gives 1 device, Is there a way to list them all? |
Thanks for confirming. The irecovery tool hasn't been designed to support multiple devices; the underlying library code could handle it though. The enumeration of devices is missing, then it would be just a matter of calling |
@nikias I got M3 Pro (15,6) as well and that is not showing in irecovery -q and this one looks different from the simple M3 in terms of response from System report. Please check the below screenshots. |
I see. The USB Product ID is different, 0xf014 as you can see in the screenshot. This is Port DFU mode, not sure how this is different... |
So what change you recommend should I do to add this product support? |
Also look at the CPID and BDID they look totally different, and this Mac15,6 doesn't have these CPID and BDID. |
Yes it's a totally different mode it seems... you could try to add the 0xf014 here: libirecovery/src/libirecovery.c Line 1644 in 1a12fc2
but I don't really think this will work |
Just for reference, adding this here: https://infosec.exchange/@siguza/111118479751581819 |
Also FWIW if you use macvdmtool to put the target into DFU, then the AP will be in DFU but the USB-C port will not be, so it will enumerate as KIS (Debug USB). |
Hi guys, we started hacking around with idevicerestore and M3 Pro laptop. Our findings are the same:
Not sure yet what we can do with idevicerestore from either mode, we'll start digging into that. We may end up with the oscilloscope to reverse any new VDM that may be required. Happy to share our future findings to contribute to M3 (not yet tried) and M3 Pro (M3 Max unlikely at this stage) support to idevicerestore as we did with M1 a few years back. Please reach out to me. |
@scwgoire KIS DFU support is tracked in #106 and should be supported on macOS and Linux hosts already. Port DFU mode seems to want a personalised USB-C firmware uploaded first. The CPID and BDID of Port DFU Mode are also found in the BuildManifest.plist of devices that have it, and the BDID of Port DFU is just |
Following the @scwgoire message, when testing against M3 in KIS mode, we have a segfault on The reason is that when calling the We tried to forcefully enter the
When recovering using apple configurator 2 the usb "sequence" seems to be :
The question now seems to be, how to transition from KIS to Recovery mode 2 (our setup is to go to KIS directly with USB VDM messages, so we are not yet blocked by port DFU) ? How can we help ? |
For the |
@Cardiox12 file path is |
@Cardiox12 in KIS mode, the serial string is taken from a buffer (KIS_device_info) read from the device, that contains a usb descriptor buffer. It's not read from a typical string descriptor. |
You can turn on debug info for libirecovery by setting an environment variable, so you can run LIBIRECOVERY_DEBUG_LEVEL=1 idevicerestore file.ipsw Look out for a line |
idevicerestore SEGFAULTs (in We managed to leverage code from |
Just tested on macOS and it has the same issue when the _irecv_handle_device_add code is used; the KIS init is missing. Working on a fix. |
Thanks, excited to see the results. |
We tried on M3-Pro, it does not work yet, we may not be very far from making it. It is probably caused by how idevicerestore handles the 4 USBPortControllers (those ones are not present on M3 "not pro" variant). See the log file m3-pro.log First clue is line 198 (not sure what RestoreRequestRules are) :
Second clue, is line 2386-2421:
Third clue:
We are working on it, if you have any ideas on where we can start, we would love to hear about it. |
About lin 4180, the culprit is in
If multiple tickets are requested, we only keep track of the first one to verify the response is correct. However this simply is a warning, no big deal. Some oddities:
Keeping up with digging... 😄 |
Little update: I couldn't find something suspicious in the code today. idevicerestore seems to be performing the job, properly forwarding Ace3 TSS requests from the mac to the TSS server and sending back the tickets to the mac. The following questions remain unanswered:
The Still pretty much in the dark there. |
Allright, time for a little update. I have been skimming through a USB dump of the communication between an M2 Pro being restored and Apple Configurator 2 restoring it. In this dump, after the 3 tickets are send back to the mac, I get 7 With I now think the problem is somewhere else. If the Ace3 TSS process was incorrect, it would probably fail before asking for the 3 tickets. |
Allright, I found something promising! Maybe
Some more fun next time... see ya! 😄 |
Allright guys, I'm back with some new, I hope you didn't miss me 😄 Looks like this is a usbmuxd problem after all. After lots of attempts I could sometimes have So, here is how it goes in idevicerestore when it fails (see previously posted log):
Now, on the usbmuxd side (in very verbose mode), we can also observe the 2 pauses (I guess the mac has stuff to do there), but after the second one an error happens. (with errno -104 or -71).
Right after that, clients are disconnected.
Then usbmuxd goes in an infinite loop, it has to be
As for when the operation succeeds, I suspect this is a lucky timing, instead of failing after sending the USBFirmware with the following log lines,
the
Does this ring any bell? |
Ok folks, this seems to be harder than I thought. Here is a kernel log for the event:
As you can see, when the restore process fails after sending USBPortController firmware, there is an EPROTO error on the USB bus. My current guess is the USB controller on the mac is restarted after new firmware is applied. Sometimes this generates a protocol error (due to an USB timeout?) and Linux removes the device, and sometimes the device has better luck and this is only seen as a "USB lag" by the kernel. This really sucks because Do you think we could and/or should expect usbmuxd disconnections during the restore process and implement a retry logic somewhere there? |
Hi all, I added port DFU support to libirecovery with the latest commit. However this does not allow port DFU restoring, this will be implemented in idevicerestore. I already figured out a part of the process, namely:
I can create that file now with the required checksum. This file is sent to the port DFU device. Not sure yet what is the next step. I just wanted to document this somewhere. |
In case you missed it, I got Port DFU restore working: libimobiledevice/idevicerestore@e4a5ac4. The only thing wrong was that the nonce I get via USB string descriptor has to be reversed in order... took me only a day to see that 🤦 |
I've M3 Mac connected in DFU mode, Apple Configurator is showing the DFU Mac connected but irecovery is not showing it. Below are the logs coming up when I executed with -v -q parameters.
I want to get the ECID of the connected Mac. I've latest compiled binaries.
need your help @nikias
The text was updated successfully, but these errors were encountered: