diff --git a/report/comparison-and-correlation.md b/report/comparison-and-correlation.md deleted file mode 100644 index ff98797..0000000 --- a/report/comparison-and-correlation.md +++ /dev/null @@ -1,36 +0,0 @@ -# Firmware and Runtime Correlation Summary - -All data in this report is strictly based on direct observation from both static firmware analysis and runtime TraceV3 log review. - ---- - -## Firmware <-> Runtime Cross Table - -| Firmware Code or Data | Trace Evidence | Confirmed/Status | -|-----------------------------|----------------------------------|------------------| -| I2S bidirectional paths (`0x03`) | "I2SBHkZStack"/0x03 pattern (possible) | Possible, not proved | -| Extended I2C command 0x81 | 1,432 runtime invocations | Confirmed | -| Extended I2C command 0xC7 | 968 runtime invocations | Confirmed | -| GPIO 0x38 toggled in code | 209 runtime operations | Confirmed | -| GPIO 0x34 toggled in code | 35 runtime operations | Confirmed | -| GPIO 0x3A toggled in code | 23 runtime operations | Confirmed | -| Cyclomatic complexity/code flow | High conditional and control events | Context matches | - ---- - -## Key Matching Patterns - -- Every firmware handler/feature above has a corresponding run-time usage (frequency, bit location, command code). -- Extended I2C opcode usage far exceeds what would be expected for dormant or test-only features. - ---- - -## Inconclusive/Unknowns - -- No reference device logs, so “normal” baseline can’t be established. -- Could not definitively link 0x03 value to I2S bidirectional mode activation in runtime (encoding/timing unknown). -- No evidence (within this data set) of direct audio capture or data movement off-device. - ---- - -This summary lists only what is directly measurable from your data; interpretive narrative and risk assessment intentionally omitted. diff --git a/report/findings.md b/report/findings.md deleted file mode 100644 index 3e12c6a..0000000 --- a/report/findings.md +++ /dev/null 
@@ -1,30 +0,0 @@ -# CS35L27 8051 Firmware Forensic Findings - -**Firmware analyzed:** Region 32 (8051, 4096 bytes) -**Supporting files:** codecctl.txt; all runtime TraceV3 logs (see methods) -**Analysis Date:** December 18–19, 2025 - ---- - -## Major Observed Findings - -| # | Technical Finding | Offset/Location | Observation | -|---|------------------------------------|------------------------|-----------------------------------------------| -| 1 | I2S “Bidirectional Mode” Code | 0xE082C2, 0xE0858E | MOV #0x03 to I2S register; 2 code paths found; uncommon in speaker amps. | -| 2 | Extended I2C Command Handler 0x81 | 0xE08EA4 | Handler for 0x81 found, non-standard opcode. | -| 3 | Extended I2C Command Handler 0xC7 | 0xE08F79 | Handler for 0xC7 found, non-standard opcode. | -| 4 | High Cyclomatic Complexity | Whole-firmware | 521 complexity, 407 jumps, 113 calls. | -| 5 | Call/Return Discrepancy | Whole-firmware | 113 calls, 56 returns (imbalance: 57). | -| 6 | High entropy (DSP section) | 0x0C00–0x0FFF | 7.30 bits/byte; matches heavily optimized code.| -| 7 | GPIO Bit 0x3A Manipulation | Multiple, 5x | SETB/CLR, matches likely interrupt bit. | -| 8 | GPIO Bits 0x34, 0x38 Heavy Use | Multiple, 8x each | Used for unknown but consistent control. | -| 9 | No self-modifying/obfuscated code | All bins | No encryption loops or anti-analysis found. | -|10 | Minimal, short ASCII strings | Several short strings | 11 detected, none suspicious. | - ---- - -- All findings represent directly observable, measurable characteristics or events in binary or logs. -- No risk assignments, theoretical surmise, or narrative included. -- For cross-correlation with runtime, see runtime-trace-analysis.md. - ---- \ No newline at end of file diff --git a/report/runtime-trace-analysis.md b/report/runtime-trace-analysis.md deleted file mode 100644 index 2724134..0000000 --- a/report/runtime-trace-analysis.md +++ /dev/null 
@@ -1,85 +0,0 @@ -# CS35L27 Runtime Trace Analysis Report - -**Analysis Date:** December 19, 2025 -**Source Files:** -- logdata_LiveData.tracev3 (3.3 MB) -- 00000000000076e4.tracev3 (7.6 MB) -- 000000000000442d.tracev3 (870 KB) -- 00000000000012fa.tracev3 (643 KB) -- 0000000000000005.timesync (46 KB) - ---- - -## CRITICAL FINDINGS - -### 1. CS35L27 Active in System Traces - -- 6 direct references to "CS35L27Amp" in trace logs at system boot and during audio subsystem events. -- Sample trace entries with exact offsets provided. -- Confirmed: Driver loaded, hardware recognized, amp is operational. - -### 2. Extended I2C Command Activity - -- 1,432 occurrences of byte 0x81 (extended I2C command) near I2C address 0x40. -- 968 occurrences of byte 0xC7 similarly matched. -- Context, offsets, and direct hex evidence shown in report. -- Both commands mapped directly to firmware handler routines. - -### 3. GPIO Bit Activity - -- Bit 0x38: 209 toggles (70 set, 139 clear) — highest of all GPIO bits in runtime traces. -- Bit 0x34: 35 operations. -- Bit 0x3A: 23 operations. - All correlate to bit patterns and toggles seen in firmware static analysis. - -### 4. I2S Stack References - -- 18 occurrences of "I2SBHkZStack" and value 0x03 in I2S portions of trace. -- Context hex/ASCII segments shown. -- Bidirectional mode (0x03) match is possible, but activation and timing are not confirmed. - -### 5. Heavy Audio System Activity - -- Dozens to hundreds of references to "audio", "Audio", "Speaker", "Codec", "i2c", "I2S", "GPIO" in traces. -- All consistent with active use of audio subsystem and this amplifier. 
- ---- - -## FIRMWARE TO RUNTIME CORRELATION TABLE - -| Firmware Pattern | Runtime Evidence | Correlation | -|-----------------------------|------------------------------|---------------| -| I2S Bidirectional Code | I2S stack ref + 0x03 found | Possible | -| Extended Command 0x81 | 1,432 occurrences | Confirmed | -| Extended Command 0xC7 | 968 occurrences | Confirmed | -| GPIO Bit 0x38 | 209 operations | Confirmed | -| GPIO Bit 0x34 | 35 operations | Confirmed | -| GPIO Bit 0x3A | 23 operations | Confirmed | - ---- - -## BEHAVIORAL ANALYSIS (Observed Patterns) - -- Extended commands (0x81, 0xC7) are actively used, not dormant, with high frequency. -- GPIO toggling precisely matches bits seen in firmware; particularly high activity on bit 0x38. -- I2S "stack" patterns with value 0x03 are present, but linkage to bidirectional mode is not conclusively proven. -- No direct evidence of microphone/capture operation or data exfiltration found in these traces—TraceV3 format limits packet-level inspection. - ---- - -## ACTIONABLE FACTS and UNKNOWNs - -**Definitively Observed:** -- CS35L27 driver/amp is loaded in iOS kernel and audio subsystems. -- Extended command bytes documented in both firmware and runtime. -- GPIO and I2S patterns confirm code is executed, not dormant. - -**Inconclusive:** -- True function and necessity of extended command activity. -- Whether I2S bidirectional mode is ever actually enabled at runtime. -- Role of each GPIO bit without Apple/Cirrus docs. -- Whether behavior matches "clean" iPhone XS units (no reference available). - ---- - -All findings above are strictly based on trace log content and cross-referenced firmware/codecctl.txt results. diff --git a/report/technical-details.md b/report/technical-details.md deleted file mode 100644 index 1e3bc19..0000000 --- a/report/technical-details.md +++ /dev/null 
@@ -1,69 +0,0 @@ -# CS35L27 Firmware and Trace Technical Details - ---- - -## I2S Code Path Details - -### Bidirectional Mode Write - -- **First path (0xE082C2):** - `MOV A, #0x03; MOVX @DPTR, A` - Address: 0x0000 - — Enables both transmit (TX) and receive (RX) in I2S control register. -- **Second path (0xE0858E):** - `MOV DPTR, #0x0003; MOV A, #0x03; MOVX @DPTR, A` - -- **Note:** - Value `0x03` usage is uncommon in typical speaker amplifier firmware, which usually only requires TX. RX (microphone-like operation) is atypical unless for diagnostics or advanced features. - ---- - -## Extended I2C Command Paths - -- **Handler at 0xE08EA4:** - Triggered on `CJNE A, #0x81`. Non-standard command handling. -- **Handler at 0xE08F79:** - Triggered on `CJNE A, #0xC7`. Similarly not standard across typical CS35L27 implementations. - ---- - -## Control Flow and Function Breakdown - -- **Call Instructions:** 113 (68 LCALL, 45 ACALL) -- **Return Instructions:** 56 (Imbalance: 57) -- **Long jumps (LJMP):** 104 -- **Short jumps (SJMP/AJMP):** 129 -- **Switch/case-style indirect jumps (`JMP @A+DPTR`):** 3 - -- **Cyclomatic Complexity:** 521 - — For 4KB code size, this is high but not unprecedented in event-driven embedded code. - ---- - -## GPIO Operations - -| Bit | Firmware Usage | Description/Notes | -|------|---------------|------------------------| -| 0x3A | 5 SETB/CLR | Matches probable INT | -| 0x34 | 8 SETB/CLR | Frequent general usage | -| 0x38 | 8 SETB/CLR | Frequent general usage | - -*All toggles present in firmware, with detailed match to runtime evidence in TraceV3 logs.* - ---- - -## Entropy and String Patterns - -- DSP region (0x0C00–0x0FFF) shows highest entropy (7.30 bits/byte), matching expectations for optimized, dense DSP code. -- 11 minimal ASCII fragments (4–6 chars each), none corresponding to commands/phrases that indicate covert functions. - ---- - -## Codecctl.txt Usage - -- Register initialization patterns extracted and mapped to firmware behavior. 
-- Confirms settings and expected register defaults from boot/init phase. - ---- - -All statements above are based on direct static or hex evidence, with reference to actual offsets and disassembly output only.
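Review bot: (report/comparison-and-correlation.md) The "Confirmed" status for the extended I2C rows rests on counts that this file describes as "1,432 runtime invocations" / "968 runtime invocations", while report/runtime-trace-analysis.md in the same patch describes the same numbers as "occurrences of byte 0x81 (extended I2C command) near I2C address 0x40"; a byte-value count in a binary log is not an invocation count, so the summary overstates the evidence. If any of this table is re-homed rather than withdrawn, downgrade those rows to "Observed" and state the matching rule that produced the counts. The patch also removes all four report files with nothing replacing them and no rationale visible in the diff; the PR description should say whether the report is retracted or relocated.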
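Review bot: (report/findings.md) The "Offset/Location" column mixes two address bases: the firmware is described as "Region 32 (8051, 4096 bytes)", yet findings 1-3 cite 0xE082C2, 0xE0858E, 0xE08EA4 and 0xE08F79, which cannot be offsets inside a 4096-byte region, while finding 6 cites 0x0C00-0x0FFF, which can. State per row whether the value is a region-relative offset or an absolute offset in the containing image. Finding 5 ("Call/Return Discrepancy", "113 calls, 56 returns (imbalance: 57)") also mislabels a normal property of compiled code: one function with a single RET is reached from many LCALL/ACALL sites, so calls routinely outnumber returns; drop the "discrepancy" framing or report calls per distinct target instead.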
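Review bot: (report/runtime-trace-analysis.md) The "Confirmed" correlation for 0x81/0xC7 is not supported by the method described: the counts come from single-byte matches "near I2C address 0x40" across roughly 12 MB of binary TraceV3 logs, and the report never defines "near" (window size, alignment, whether 0x40 is itself a decoded I2C address or just another byte value), so the figures cannot be distinguished from background byte frequency. The file's own "Inconclusive" section concedes that no baseline exists. Replace "Confirmed" with "Observed" in the correlation table, document the matching rule, and either explain or drop the unexplained asymmetry in "Bit 0x38: 209 toggles (70 set, 139 clear)", which the text presents as confirmation without saying what a set/clear event looks like in a trace record.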
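Review bot: (report/technical-details.md) The "GPIO Operations" table labels bit addresses 0x3A, 0x34 and 0x38 as GPIO, but on a standard 8051 the SETB/CLR bit addresses 0x00-0x7F map to bit-addressable internal RAM (bytes 0x20-0x2F); 0x34 is byte 0x26 bit 4, 0x38 is byte 0x27 bit 0 and 0x3A is byte 0x27 bit 2, while port bits only start at bit address 0x80 (P0). Unless this core's memory map says otherwise, these are software flags, and the "Matches probable INT" note needs a basis beyond the count. The I2S section has the same gap: the first path `MOV A, #0x03; MOVX @DPTR, A` is given "Address: 0x0000" without showing where DPTR is loaded, and the second path writes 0x03 to XDATA 0x0003, which the text calls the "I2S control register" and "Enables both transmit (TX) and receive (RX)" with no register map or datasheet reference; cite the source for that register decode or mark the TX/RX interpretation as a hypothesis.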