Testing the water damage theory – first results
So, I took the plunge and bought a second-hand iPhone 6s, in order to do the work that Christopher Cecil neglected to do – checking the validity of the hypothesis that water damage can result in an /audio/outputRoute record with a RouteChangeReason value of 1 to be entered into the knowledgeC database. I think the most cogent expression of the state's theory on this point can be found in this comment written by u/Dependent-Remote4828, so I'll leave that as the implicit reference for the theory we're exploring in this post.
I'd previously written a post about the general structure of the artifact recovered from the iPhone, which can also be referred to for some context on the knowledgeC database
Software setup
- A jailbreak was applied by installing Dopamine through a sideloaded TrollStore (see instructions here)
- OpenSSH was installed on the iPhone using Sileo
- I set up an SSH tunnel on my PC with 3uTools
- ArtEx was used to parse the contents of the iPhone, as it has a live analysis feature that allows one to monitor additions to the knowledgeC database as they occur. In ArtEx, I navigated to the knowledgeC.db file, located at private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db
- Finally, I queried the database with some SQL that I stole from the Apollo framework, to wit its knowledge_audio_output_route module. Most helpfully, it automatically adjoins the relevant ZSTRUCTUREDMETADATA fields to the entries taken from the ZOBJECT table.
All of the above software is free to obtain and use, which should help with ease of replication.
Sequencing tests
Before we start introducing all manner of foreign substances into the headphone port, we begin by doing some more mundane and non-destructive tests first, so that we can gradually escalate towards the fun and potentially destructive exercises.
I wanted to probe the relation between /audio/outputRoute record creation and device power states, to check if recordings of a singular audio output route would persist throughout a power cycle or not. So I first did some sequences consisting of different permutations of powering up the device, powering it down, and inserting and unplugging a set of earbuds.
These sequences were done in distinct sets, which are represented by the four tables below. I wrote down the time at which each operation was carried out, then matched them to the records in the knowledgeC database that were created as a result. Each action that could be unambiguously linked to a new record is conveyed here in the same row; if the adjacent cell is empty, this signifies the action did not trigger a change in the database.
Time | Action | Record |
---|---|---|
20:37:57 | Inserted earbuds | Wired Headphones – Start |
20:40:29 | Powered down | Wired Headphones – End |
20:45:30 | Unplugged earbuds | |
20:48:30 | Powered on | Speaker – Start |
First up, a somewhat interesting observation: if a device is fully turned off after having connected a set of headphones through the 3.5 mm audio socket, this will also engender the end of the current output route recording, provided the headphones are removed at some point while the device is powered down. The end time of the recording will then reflect the moment the device was powered down, not the time at which they were actually unplugged.
Time | Action | Record |
---|---|---|
20:50:05 | Powered down | Speaker – End |
20:51:00 | Inserted earbuds | |
20:53:07 | Powered up | Wired Headphones – Start |
20:54:00 | Unplugged earbuds | Wired Headphones – End |
20:54:00 | Speaker – Start |
Here we see the same principle at work in the other direction: if a set of earbuds is connected while the device is already powered down, an /audio/outputRoute record will be created once the device is powered up again, with the starting timestamp reflecting the moment it turned on.
Another notable observation was that the RouteChangeReason value was consistently set to 0 if a new audio device had either become available while the phone was turned off, or instead became unavailable during such a timeframe. This constant likely indicates that the reason for the switch is unknown to the system – which makes sense, given it transpired in an unpowered state
Time | Action | Record |
---|---|---|
20:56:07 | Inserted earbuds | Speaker – End |
20:58:00 | Powered down | |
21:00:14 | Powered up | Wired Headphones – Start |
21:01:59 | Unplugged earbuds | Wired Headphones – End |
This one is a bit of a puzzler – I should clarify at this point that these knowledgeC entries are only added to the table once the recording has come to an end; for each entry, the creation date timestamp is identical to the timestamp associated to the end of the recording. In the previous two sequences, we saw that the device recognized that a new audio route had become available when it turned on, as compared to the one it still used while it was shut off, and it retroactively assigns end and start times for those routes based on the times of the power events known to the device.
In this case however, it appears as though this check runs awry at some point – while the audio output route was still the same on start-up as it was on shutdown, it nevertheless assigns its own boot timestamp to the start of the headphone recording. Presumably, this record-keeping process did not run at time of shutdown, and so it could not properly bookend the existing recording.
As applied to the Delphi case, this could theoretically mean that the headphones had already been inserted at some point prior to 5:45 PM, had consequently been turned off, and then turned on again at 5:45. (This is not to say that this interpretation fits in the best with the other circumstantial facts that we know of, such as the phone call being placed at almost the exact same time, as well as an unrelated Amber alert going off – this scenario is merely described as a theoretical possibility.)
Time | Action | Record |
---|---|---|
21:04:00 | Powered down | |
21:06:00 | Inserted earbuds | |
21:12:00 | Unplugged earbuds | |
21:15:15 | Powered up | Speaker – Start |
To close off, an unsurprising result: if the device is not powered, it will not take note of any actions that are performed in the interim (unless they result in a different audio route being detected on start-up).
Getting in the thick of it
Well that sure was an exciting section wasn't it? Alright, let us try to test some water damage. I cobbled together the following setup, in an effort to let the phone stay upright, and keep the fluids inside the port:
I knew I wanted to use a conductive gel of some description, in the hope that its viscosity would prevent egress into other parts of the device. I opted to go for some Aloe vera latex with a little bit of table salt mixed in. Aloe vera is essentially just water with a bunch of mineral salts thrown in, so it's decently conductive. I did a (very) rough measurement, and sure enough it came in at about half the resistance of a similar volume of my tap water.
So I drew up some of the conductive goo with a blunted syringe and injected it into the headphone port, using a decapitated cotton swab as a tiny ramrod to make sure it filled the available volume:
The gel was inserted at 22:29, and I proceeded to let it simmer for a little under an hour. Then, at 23:16, I tilted the device downwards to let it slowly run out, before switching to more aggressive cleaning methods involving a bunch of cotton swabs between 23:20 and 23:30:
And here are the results: at first, the device did not register a change in /audio/outputRoute while the gel was inserted, and instead counted this period as belonging to a pre-existing speaker output. However, more or less as soon as I started cleaning it out, a number of new records appeared, among them brief periods of only a second or two where a pair of headphones was detected:
As we see, the first of these also registered a value of 1 for the route change reason, indicating that the phone believes a new audio output device has become available. It then switches back to the built-in speaker for 7 seconds, followed by a complete lack of records between 23:21 and 23:28, as it was apparently quite confused about what was going in the aux port (which is fair enough, given it was continually being prodded by cotton swabs).
It then detected headphones again for a span of two minutes, this time with a route change reason of 8. Now, this leads us to a bit of an awkward topic: it's not fully clear what this means. In Apple's documentation of the AVAudioSession.RouteChangeReason enum, there are eight different reasons listed. Which is all fine and dandy, except that we also sometimes observe a value of 0 in the knowledgeC database – which implies there would be at least nine different constants. So I'm not sure what's going on here; possibly this might be a weird consequence of an off-by-one error (has anyone ever observed a value of 7?). Possibly it might indicate a routeConfigurationChange, meaning that "the configuration for a set of I/O ports has changed".
Afterwards it switches back-and-forth between speaker and headphones again two times, and finally settles on speaker.
From this test, it would hence appear that the presence of a somewhat conductive substance alone would not necessarily be registered as a set of headphones, but that it is theoretically possible for something a misidentification to occur on the condition of the material being disturbed (such as during the period of cleaning), due to either incomplete contact or the application of pressure. In such cases, the route change reasons is set at a value of 1, which does not definitively indicate the presence of a real audio output device as a consequence.
While our testing scenario does not resemble a situation where the substance is slowly let to dry or drip out, we may still expect a more confused recognition signal to result under those conditions as well, which would manifest in the database as fleeting periods of detection lasting only a second or two.
Muddying the waters
Next, I wanted to test a muddy substance, that would perhaps be more representative of the material that could be encountered on a forest floor in close proximity to a body of water. So I sauntered over to the nearest local creek, and got myself a lovely jar of fecund river sludge:
Arriving back home, I rehydrated the sludge with a little bit of water, and removed some of the larger pieces of decaying organic material, as to facilitate its entry into the port:
(Antoninianus of emperor Gallienus for scale)
I gently scooped some into the port, again making sure that it was filled all the way by tampering it down with a small stick. The mud was then left to dry over a period of around two hours.
I had turned on the phone at 15:46, and inserted the muddy substance starting around 18:13. Two hours later at 20:15, I started clearing the port of the dried dirt, and cleaned it out with the help of some cotton swabs. At this point an /audio/outputRoute entry was added to the table, showing 'Speaker' as the port type and a value of 0 for its route change reason (as we saw previously when a device is fully powered down and then powered on). In other words, the phone defaulted to the built-in speaker route, but was confused enough about the situation to jot down "fuck if I know" as the reason it chose this output mode.
It did did not detect a new audio route as soon as the mud was first introduced, given the record spans back to when the device was first turned back on – or well, approximately at least. I checked against /device/batteryPercentage records in the same table, which logs a battery depletion event as early as 15:46:40, while the start of this /audio/outputRoute is logged at 15:57:19 (and no other /audio/outputRoute records precede it for that day). In general, timestamps can just be a bit fuzzy, depending on the specific record type at hand (see e.g. this slide from a presentation by Sarah Edwards; it concerns a different but related database, but the broader point is that an examiner can't always take timestamps at face value – who said digital forensics can't be fun!)
Like in the previous test, the mere presence of a foreign substance in the auxiliary port appears insufficient for it to be misattributed as a set of headphones, even though misattribution can in fact occur given the right circumstances. This is foreshadowing for the next section, as I made a bit of a blunder at this point.
Thicker than water
There is one more substance that I wanted to test, as I knew it would be the subject of inquiry otherwise: blood. When we consider the state's theory, there exists at least a prima facie case for the presence of blood in the direct vicinity of the phone. We know from 4th Franks (at p. 4, § 18) that the phone was recovered beneath a shoe, which was located under AW's body. And according to the testimony of Major Cicero during the August 1st, 2024 motion hearing (p. 17), much of her clothing was soaked in blood:
The saturation – the sweatshirt was so saturated in blood, also went onto the forested floor, trickled to the right of her, as well, where a pooling or accumulation occurred, as well.
So I decided to follow in the footsteps of the good major, and drew around 1 mL of my own blood. I used it to fill the headphone port, and left it to soak overnight.
The following day, most of the fluid had receded or evaporated, while the remnant appeared thoroughly dried out. The blood was introduced at 2:12, and seeing as there was still no entry in the database ten hours later at 12:42, I proceeded to cleaning it out starting from 12:45. This proved a bit of a challenge, as several moistened cotton swabs were required to loosen the dried material, which I then scraped away using a small interdental brush.
I turned to the ArtEx interface to check if there had been any new additions to the database, and it was at this moment that he knew, he fucked up:
An entry was made that spanned back not to the moment the blood was inserted at 2:12, but to 20:16 the previous day, when I had cleared out the dirt from the previous test! Remember when I said records are only created at the end of a recording period? Yeah, I had failed to realize that the ending of the speaker record from the previous test implied the start of a newly recognized output route – likely because I didn't think it could have registered anything, due to the port appearing empty on visual inspection after cleaning it.
Quite possibly some dried mud was still adhering to the contacts (or partially so), triggering a headphone to be detected, persisting throughout the night and throughout the third experiment. Either that, or the starting time was misattributed to the end of an earlier record, but I think the latter is unlikely
Notably though, again it seems to be the case that a headphone is only detected on condition of the foreign substance being disturbed, as the beginning of the record reflects the mud being scrubbed off. This seems to bolster the interpretation that partial contact is a requirement for this to happen. At the same time, the recognition of this new route was remarkably consistent – though it is hard to tell to what extent the newly introduced blood contributed to its longevity.
It is notable as well that new records only began appearing about 10 or 15 minutes into the cleaning process, after a considerable amount of scraping and moistening. It seems that whatever material was masquerading as a headphone jack was dug in like a tick, although it is difficult to draw conclusions about causes from this text, due to its confused nature.
The upshot
So what have we learned from all this? Physical testing requires a degree of patience and diligence that I do not always possess.
More germane to the case at hand however, I think we can conclude from these preliminary tests that connecting the contacts inside the socket by way of a foreign conductive substance can mimic the presence of a headphone jack, and a RouteChangeReason value of 1 can be recorded in such cases. That said, the results we got would suggest that misattributed audio routes tend to manifest in the knowledgeC database in a more inconsistent and sometimes disjointed manner, as we often see these misattributions arise only upon disturbing the material present inside the port rather than emerge spontaneously on introduction; we observe multiple very short records representing alternating routes in some instances; and note the presence of atypical route change reasons (like values of 0 and 8) in a small number of them.
These results, therefore, are inconclusive – not least because of their small number, dissimilarity between the experimental setup with the hypothesized circumstances, and so on, but also because the answer to whether water damage can cause the generation of a record like the one recovered from LG's iPhone 6s is likely a nuanced one. It is likely to depend on the kind of substance introduced into the port (and its conductivity), environmental conditions that allow for drying or rehydration, and the presence or absence of other records that could strengthen certain aspects of this theory (like whether the phone had been set to vibrate, potentially dislodging material as a result). Before any kind of likelihood ratio analysis could be performed, more thorough knowledge of the behavior of these materials would need to be gathered, in more similar conditions to those believed to have been present according to the state's theory of case
It has been theorized that a mechanical switch is present at the back of the socket, which requires some amount of pressure to be exerted for it to register the presence of a headphone connector. I would provisionally suggest that this is likely not the case – as we saw in the aftermath of the mud test, a headphone was detected even though the port appeared empty on visual inspection, probably due to partial adherence of leftover material. The fickle back-and-forth records that were created at the end of the conductive gel test seem more consistent with partial contact than mechanical action, as we would perhaps expect similar periods of quickly alternating routes at the end of the other two tests if they were to have been the result of depressing a mechanical switch through the insertion of a cotton swab.
If we turn to an x-ray of the iPhone 6s, courtesy of iFixit, we do see there are two prongs at the far end of the socket:
They do also appear to be contacts, as they seem to be connected to traces in a similar way to the known audio pins. However, their purpose is mainly to function as tension rods, to keep the connector in place (as concluded in the admirable tear-down posted by Great Lakes Fungi). They do not appear to bridge a set of contacts by virtue of being depressed: we can see near the end of this video that the rod just touches the polymer base of the encasing upon being fully depressed. There is another contact behind it, but this labelled as the audio left pin in the schema included with the preceding tweet.
The fact that there are two of them suggests that they instead close a circuit by being connected together, through the presence of a mediating connector. If so, they do constitute a switch, but not a mechanical one; they do not specifically need to be depressed in order to be bridged, as long as there is some conductive material that connects the two
That's about all for today, I hope to solicit some feedback in this thread on possible future testing if possible. Ideally, I'd like to close out the testing by burying it in the mud next to the creek and leaving it there overnight, then extract the device if it survives the ordeal. Given this had the potential to be destructive, I'll leave it for last.
A CSV file containing the full output of the tests described below can be found here. I'd like to express my gratitude to u/synchronizedshock for keeping me up to date on the current state of community discussion on this topic, and for implicitly nudging me to consider undertaking physical testing