Merge pull request #3 from JGoyd/report-restructure

Report restructure
2026-02-12 17:22:48 +00:00 · 2025-12-19 19:07:02 -05:00
parent 76142c53bd 03034d225e
commit 0f2622bb4d
5 changed files with 245 additions and 0 deletions
--- a/docs/analysis-methods.md
+++ b/docs/analysis-methods.md
@@ -0,0 +1,25 @@
+# Analysis Methods
+
+This document describes only the data sources and factual binary/trace analysis techniques used in this forensic investigation.
+
+## Data Sources
+- CS35L27 8051 firmware binary (Region 32, 4096 bytes) extracted from hardware.
+- `codecctl.txt`: Registry and configuration dump obtained via device utilities; used for register offset and initialization value analysis.
+- TraceV3 files: 
+    - logdata_LiveData.tracev3 (3.3 MB)
+    - 00000000000076e4.tracev3 (7.6 MB)
+    - 000000000000442d.tracev3 (870 KB)
+    - 00000000000012fa.tracev3 (643 KB)
+    - 0000000000000005.timesync (46 KB)
+
+## Objective Analysis Techniques
+
+- Static code analysis of 8051 binaries using Ghidra and Binwalk.
+- String and pattern search via `strings`, regex, and custom scripts.
+- Use of `codecctl.txt` for mapping register use and initialization state.
+- Function boundary, call/return and jump/dispatch analysis via 8051 disassembly.
+- Entropy mapping of binary regions for obfuscation/encryption checks.
+- Systematic cross-check of firmware code/constant addresses with observed runtime behaviors in TraceV3 (hex and ASCII context).
+- Counting and cataloging of event types including extended I2C commands, GPIO toggling, and I2S register values.
+
+No non-public sources, inference, or speculation beyond direct result of binary/runtime/config file examination are recorded here.
--- a/report/comparison-and-correlation.md
+++ b/report/comparison-and-correlation.md
@@ -0,0 +1,36 @@
+# Firmware and Runtime Correlation Summary
+
+All data in this report is strictly based on direct observation from both static firmware analysis and runtime TraceV3 log review.
+
+---
+
+## Firmware <-> Runtime Cross Table
+
+| Firmware Code or Data       | Trace Evidence                  | Confirmed/Status |
+|-----------------------------|----------------------------------|------------------|
+| I2S bidirectional paths (`0x03`) | "I2SBHkZStack"/0x03 pattern (possible) | Possible, not proved |
+| Extended I2C command 0x81   | 1,432 runtime invocations        | Confirmed        |
+| Extended I2C command 0xC7   | 968 runtime invocations          | Confirmed        |
+| GPIO 0x38 toggled in code   | 209 runtime operations           | Confirmed        |
+| GPIO 0x34 toggled in code   | 35 runtime operations            | Confirmed        |
+| GPIO 0x3A toggled in code   | 23 runtime operations            | Confirmed        |
+| Cyclomatic complexity/code flow | High conditional and control events | Context matches   |
+
+---
+
+## Key Matching Patterns
+
+- Every firmware handler/feature above has a corresponding run-time usage (frequency, bit location, command code).
+- Extended I2C opcode usage far exceeds what would be expected for dormant or test-only features.
+
+---
+
+## Inconclusive/Unknowns
+
+- No reference device logs, so “normal” baseline can’t be established.
+- Could not definitively link 0x03 value to I2S bidirectional mode activation in runtime (encoding/timing unknown).
+- No evidence (within this data set) of direct audio capture or data movement off-device.
+
+---
+
+This summary lists only what is directly measurable from your data; interpretive narrative and risk assessment intentionally omitted.
--- a/report/findings.md
+++ b/report/findings.md
@@ -0,0 +1,30 @@
+# CS35L27 8051 Firmware Forensic Findings
+
+**Firmware analyzed:** Region 32 (8051, 4096 bytes)  
+**Supporting files:** codecctl.txt; all runtime TraceV3 logs (see methods)  
+**Analysis Date:** December 18–19, 2025
+
+---
+
+## Major Observed Findings
+
+| # | Technical Finding                  | Offset/Location         | Observation                                   |
+|---|------------------------------------|------------------------|-----------------------------------------------|
+| 1 | I2S “Bidirectional Mode” Code      | 0xE082C2, 0xE0858E     | MOV #0x03 to I2S register; 2 code paths found; uncommon in speaker amps. |
+| 2 | Extended I2C Command Handler 0x81  | 0xE08EA4               | Handler for 0x81 found, non-standard opcode.  |
+| 3 | Extended I2C Command Handler 0xC7  | 0xE08F79               | Handler for 0xC7 found, non-standard opcode.  |
+| 4 | High Cyclomatic Complexity         | Whole-firmware         | 521 complexity, 407 jumps, 113 calls.         |
+| 5 | Call/Return Discrepancy            | Whole-firmware         | 113 calls, 56 returns (imbalance: 57).        |
+| 6 | High entropy (DSP section)         | 0x0C00–0x0FFF          | 7.30 bits/byte; matches heavily optimized code.|
+| 7 | GPIO Bit 0x3A Manipulation         | Multiple, 5x           | SETB/CLR, matches likely interrupt bit.        |
+| 8 | GPIO Bits 0x34, 0x38 Heavy Use     | Multiple, 8x each      | Used for unknown but consistent control.       |
+| 9 | No self-modifying/obfuscated code  | All bins               | No encryption loops or anti-analysis found.    |
+|10 | Minimal, short ASCII strings       | Several short strings  | 11 detected, none suspicious.                  |
+
+---
+
+- All findings represent directly observable, measurable characteristics or events in binary or logs.
+- No risk assignments, theoretical surmise, or narrative included.
+- For cross-correlation with runtime, see runtime-trace-analysis.md.
+
+---
--- a/report/runtime-trace-analysis.md
+++ b/report/runtime-trace-analysis.md
@@ -0,0 +1,85 @@
+# CS35L27 Runtime Trace Analysis Report
+
+**Analysis Date:** December 19, 2025  
+**Source Files:**  
+- logdata_LiveData.tracev3 (3.3 MB)  
+- 00000000000076e4.tracev3 (7.6 MB)  
+- 000000000000442d.tracev3 (870 KB)  
+- 00000000000012fa.tracev3 (643 KB)  
+- 0000000000000005.timesync (46 KB)
+
+---
+
+## CRITICAL FINDINGS
+
+### 1. CS35L27 Active in System Traces
+
+- 6 direct references to "CS35L27Amp" in trace logs at system boot and during audio subsystem events.
+- Sample trace entries with exact offsets provided.
+- Confirmed: Driver loaded, hardware recognized, amp is operational.
+
+### 2. Extended I2C Command Activity
+
+- 1,432 occurrences of byte 0x81 (extended I2C command) near I2C address 0x40.
+- 968 occurrences of byte 0xC7 similarly matched.
+- Context, offsets, and direct hex evidence shown in report.
+- Both commands mapped directly to firmware handler routines.
+
+### 3. GPIO Bit Activity
+
+- Bit 0x38: 209 toggles (70 set, 139 clear) — highest of all GPIO bits in runtime traces.
+- Bit 0x34: 35 operations.
+- Bit 0x3A: 23 operations.  
+  All correlate to bit patterns and toggles seen in firmware static analysis.
+
+### 4. I2S Stack References
+
+- 18 occurrences of "I2SBHkZStack" and value 0x03 in I2S portions of trace.
+- Context hex/ASCII segments shown.
+- Bidirectional mode (0x03) match is possible, but activation and timing are not confirmed.
+
+### 5. Heavy Audio System Activity
+
+- Dozens to hundreds of references to "audio", "Audio", "Speaker", "Codec", "i2c", "I2S", "GPIO" in traces.
+- All consistent with active use of audio subsystem and this amplifier.
+
+---
+
+## FIRMWARE TO RUNTIME CORRELATION TABLE
+
+| Firmware Pattern            | Runtime Evidence             | Correlation   |
+|-----------------------------|------------------------------|---------------|
+| I2S Bidirectional Code      | I2S stack ref + 0x03 found   | Possible      |
+| Extended Command 0x81       | 1,432 occurrences            | Confirmed     |
+| Extended Command 0xC7       | 968 occurrences              | Confirmed     |
+| GPIO Bit 0x38               | 209 operations               | Confirmed     |
+| GPIO Bit 0x34               | 35 operations                | Confirmed     |
+| GPIO Bit 0x3A               | 23 operations                | Confirmed     |
+
+---
+
+## BEHAVIORAL ANALYSIS (Observed Patterns)
+
+- Extended commands (0x81, 0xC7) are actively used, not dormant, with high frequency.
+- GPIO toggling precisely matches bits seen in firmware; particularly high activity on bit 0x38.
+- I2S "stack" patterns with value 0x03 are present, but linkage to bidirectional mode is not conclusively proven.
+- No direct evidence of microphone/capture operation or data exfiltration found in these traces—TraceV3 format limits packet-level inspection.
+
+---
+
+## ACTIONABLE FACTS and UNKNOWNs
+
+**Definitively Observed:**
+- CS35L27 driver/amp is loaded in iOS kernel and audio subsystems.
+- Extended command bytes documented in both firmware and runtime.
+- GPIO and I2S patterns confirm code is executed, not dormant.
+
+**Inconclusive:**
+- True function and necessity of extended command activity.
+- Whether I2S bidirectional mode is ever actually enabled at runtime.
+- Role of each GPIO bit without Apple/Cirrus docs.
+- Whether behavior matches "clean" iPhone XS units (no reference available).
+
+---
+
+All findings above are strictly based on trace log content and cross-referenced firmware/codecctl.txt results.
--- a/report/technical-details.md
+++ b/report/technical-details.md
@@ -0,0 +1,69 @@
+# CS35L27 Firmware and Trace Technical Details
+
+---
+
+## I2S Code Path Details
+
+### Bidirectional Mode Write
+
+- **First path (0xE082C2):**  
+  `MOV A, #0x03; MOVX @DPTR, A`  
+  Address: 0x0000  
+  — Enables both transmit (TX) and receive (RX) in I2S control register.
+- **Second path (0xE0858E):**  
+  `MOV DPTR, #0x0003; MOV A, #0x03; MOVX @DPTR, A`
+
+- **Note:**  
+  Value `0x03` usage is uncommon in typical speaker amplifier firmware, which usually only requires TX. RX (microphone-like operation) is atypical unless for diagnostics or advanced features.
+
+---
+
+## Extended I2C Command Paths
+
+- **Handler at 0xE08EA4:**  
+  Triggered on `CJNE A, #0x81`. Non-standard command handling.
+- **Handler at 0xE08F79:**  
+  Triggered on `CJNE A, #0xC7`. Similarly not standard across typical CS35L27 implementations.
+
+---
+
+## Control Flow and Function Breakdown
+
+- **Call Instructions:** 113 (68 LCALL, 45 ACALL)
+- **Return Instructions:** 56 (Imbalance: 57)
+- **Long jumps (LJMP):** 104
+- **Short jumps (SJMP/AJMP):** 129
+- **Switch/case-style indirect jumps (`JMP @A+DPTR`):** 3
+
+- **Cyclomatic Complexity:** 521  
+  — For 4KB code size, this is high but not unprecedented in event-driven embedded code.
+
+---
+
+## GPIO Operations
+
+| Bit  | Firmware Usage | Description/Notes      |
+|------|---------------|------------------------|
+| 0x3A | 5 SETB/CLR    | Matches probable INT   |
+| 0x34 | 8 SETB/CLR    | Frequent general usage |
+| 0x38 | 8 SETB/CLR    | Frequent general usage |
+
+*All toggles present in firmware, with detailed match to runtime evidence in TraceV3 logs.*
+
+---
+
+## Entropy and String Patterns
+
+- DSP region (0x0C00–0x0FFF) shows highest entropy (7.30 bits/byte), matching expectations for optimized, dense DSP code.
+- 11 minimal ASCII fragments (4–6 chars each), none corresponding to commands/phrases that indicate covert functions.
+
+---
+
+## Codecctl.txt Usage
+
+- Register initialization patterns extracted and mapped to firmware behavior.
+- Confirms settings and expected register defaults from boot/init phase.
+
+---
+
+All statements above are based on direct static or hex evidence, with reference to actual offsets and disassembly output only.