USB 转UART 连接 simtrace的debug接口（管脚1为 地， 4为发送， 5 为接收)

在PC上配置串口 （921600 8N1）
波特率 921600
8位数据位
无奇偶校验
停止位 1

重启板子(按 RESET 按钮， 或者 重新拔插 usb线缆)
在串口会看到输出

DFU模式(Device Firmware Upgrade)

firemware编译出 几种应用:
dfu: USB DFU 启动加载器，用来 升级其他应用的
ccid: USB CCID读卡器
cardem: 卡模拟，提供本地cos，以及远程sim卡功能
trace: 监听sim卡和设备间的通信
triple_play: 支持 ccid, cardem, trace三种功能，通过usb来配置。

应用可以放在设备的不同位置
flash
bootloader区域内（第1个16k区域保留为bootloader所用，dfu放这里)
ram (通过 jtag/swd 直接下载到ram)

越狱后iPhone(iPad或iPod）

获取debugserver

1. xcode新建一个singleview的简单项目，在iPhone设备上跑一遍。这样在设备的/Developer/usr/bin 下就会有debugserver
2. 第二种方法，在 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/ 里找到对应版本的DeveloperDiskImage.dmg， 从里面提取

添加权限

分离fat binary
lipo -thin armv7s ~/debugserver -output ~/debugserver_7s
lipo -thin arm64 ~/debugserver -output ~/debugserver_64  （iPhone 6之后是 64位的)

强制添加权限
codesign -s - --entitlements entitlements.xml -f debugserver_7s

查看权限
codesign -d --entitlements :-  debugserver_7s
codesign -d --entitlements -   debugserver_7s

权限文件

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.backboardd.debugapplications</key>
    <true/>
    <key>com.apple.backboardd.launchapplications</key>
    <true/>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>

0000000

开启端口转发
./tcprelay.py -i 192.168.0.119 -b 8192 -t 22:2222 8341:8341

ssh -v root@192.168.0.119 -p 2222
附加到被调试进程

debugserver *:8341 --attach Preferences

开启lldb

(lldb) platform select remote-ios
(lldb) process connect connect://192.168.0.119:1234
(lldb) po [[UIApp keyWindow] recursiveDescription]

Virtualbox虚拟机导入 macOS Catalina Final Version by Geekrar的vmdk
app store下载安装XCode

xcrun --sdk iphoneos --find clang
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang



xcrun --sdk iphoneos --show-sdk-path
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk

编译命令

clang -arch armv7s -mios-version-min=7.0   imei.im -o imei \
-isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk  \
-framework Foundation  -framework CoreTelephony

签名

codesign -s 'iPhone Develoer' ./path/to/binary

将运营商 ID 与 CarrierConfig 集成
从 Android 10 开始，运营商配置支持将运营商 ID 用作密钥，从 CarrierService 获取运营商专属配置。

将运营商 ID 与 CarrierConfig 集成具有以下优势：

将每个运营商的所有 MCC/MNC 对整合到一个位置，从而移除重复或不一致的数据。
为每个运营商创建规范标识符并消除歧义。

允许使用单个 ID 标识移动虚拟网络运营商 (MVNO)，而不是将配置作为移动网络运营商 (MNO) 的一部分。

final CarrierConfigManager configManager = (CarrierConfigManager) mContext.getSystemService(Context.CARRIER_CONFIG_SERVICE);

PersistableBundle b = configManager.getConfig();
b.putBoolean(KEY_PREFER_2G_BOOL, false);

b.putBoolean(KEY_DISPLAY_HD_AUDIO_PROPERTY_BOOL, true);

v4.putBoolean(“prefer_2g_bool”, false);
v4.putBoolean(“carrier_settings_enable_bool”, true);
v4.putBoolean(“carrier_allow_turnoff_ims_bool”, false);
v4.putBoolean(“carrier_wfc_ims_available_bool”, true);
v4.putBoolean(“display_hd_audio_property_bool”, true);
v4.putBoolean(“editable_enhanced_4g_lte_bool”, true);
v4.putBoolean(“carrier_volte_available_bool”, true);
v4.putBoolean(“carrier_volte_provisioning_required_bool”, false);
v4.putBoolean(“carrier_volte_provisioned_bool”, true);
v4.putBoolean(“carrier_vt_available_bool”, true);
v4.putBoolean(“carrier_volte_tty_supported_bool”, false);
v4.putBoolean(“hide_enhanced_4g_lte_bool”, false);
v4.putBoolean(“carrier_wfc_supports_wifi_only_bool”, true);
v4.putBoolean(“allow_adding_apns_bool”, true);
v4.putBoolean(“apn_expand_bool”, true);
v4.putBoolean(“carrier_ims_gba_required_bool”, false);
v4.putBoolean(“require_entitlement_checks_bool”, false);
v4.putBoolean(“hide_ims_apn_bool”, false);
v4.putInt(“volte_replacement_rat_int”, 0);
v4.putBoolean(“carrier_use_ims_first_for_emergency_bool”, true);
v4.putBoolean(“auto_retry_enabled_bool”, true);
v4.putBoolean(“world_phone_bool”, true);
v4.putBoolean(“carrier_ut_provisioning_required_bool”, false);
v4.putBoolean(“carrier_supports_ss_over_ut_bool”, false);
v4.putBoolean(“carrier_volte_default_enabled_bool”, true);
v4.putBoolean(“show_ims_registration_status_bool”, true);
v4.putBoolean(“support_manage_ims_conference_call_bool”, true);
v4.putBoolean(“support_ims_conference_call_bool”, true);
v4.putBoolean(“support_video_conference_call_bool”, true);
v4.putBoolean(“enhanced_4g_lte_on_by_default_bool”, true);
v4.putBoolean(“editable_wfc_mode_bool”, true);
v4.putBoolean(“emergency_sms_support_bool”, false);
v4.putBoolean(“notify_handover_video_from_wifi_to_lte_bool”, true);
v4.putBoolean(“notify_handover_video_from_lte_to_wifi_bool”, true);
v4.putBoolean(“support_downgrade_vt_to_audio_bool”, true);
v4.putInt(“carrier_default_wfc_ims_mode_int”, 1);
v4.putInt(“carrier_default_wfc_ims_roaming_mode_int”, 1);
v4.putBoolean(“carrier_default_wfc_ims_enabled_bool”, true);
v4.putBoolean(“carrier_default_wfc_ims_roaming_enabled_bool”, true);
v4.putBoolean(“carrier_promote_wfc_on_call_fail_bool”, true);
v4.putBoolean(“carrier_volte_override_wfc_provisioning_bool”, true);
v4.putBoolean(“allow_emergency_video_calls_bool”, false);
v4.putBoolean(“editable_wfc_roaming_mode_bool”, true);
v4.putBoolean(“carrier_config_applied_bool”, true);
v4.putStringArray(“carrier_wlan_disallowed_apn_types_string_array”, new String[]{“”});
v4.putStringArray(“carrier_wwan_disallowed_apn_types_string_array”, new String[]{“”});
v4.putBoolean(“hide_preset_apn_details_bool”, false);
v4.putStringArray(“read_only_apn_types_string_array”, new String[]{“”});
v4.putStringArray(“read_only_apn_fields_string_array”, new String[]{“”});
v4.putStringArray(“apn_settings_default_apn_types_string_array”, new String[]{“”});