Nov 03, 2022 / By Wael Alnahari / in Digital Forensics
The newly released iOS Forensic Toolkit 8.0 delivers forensically sound checkm8 extraction through a command-line interface. The new user experience offers full control over the extraction process, yet mastering the right workflow may be a challenge for those unfamiliar with command-line tools. In this quick-start guide we lay out the steps required to perform a clean, forensically sound extraction of a compatible iPhone or iPad device.
Before you begin, make sure you have everything required to perform the extraction. Since checkm8 is a very specific exploit, you’ll need all of the following to do the job.
You must be able to download the official Apple firmware (a download link will be provided during the extraction) that matches the iOS version installed on the device.
First, disable the auto boot feature of the device to avoid rebooting into iOS if the DFU sequence is wrong. To disable auto boot:
Power off the device if it is powered on.
Place the device in Recovery mode (see next chapter) and connect it to the computer. The device should display the “connect to iTunes” screen.
On the computer, run the following command:
./EIFT_cmd tools autobootFalse
(Re-enable auto boot before returning a seized device with ./EIFT_cmd tools autobootTrue).
Run EIFT in wait mode:
./EIFT_cmd boot -w
If the device is not in Recovery, place it into Recovery mode. Please refer to the next chapter for instructions.
From Recovery, place the device in DFU (refer to the next chapter for instructions). Once the device is in DFU, EIFT will automatically detect the device and apply the exploit. After that, run the following commands:
./EIFT_cmd ramdisk loadnfcd
./EIFT_cmd ramdisk unlockdata -s
./EIFT_cmd ramdisk keychain -o (unknown)
./EIFT_cmd ramdisk tar -o (unknown)
Re-enable auto boot before returning a seized device (note: do not re-enable auto boot if you intend to continue working with the device):
./EIFT_cmd tools autobootTrue
Power off the device:
./EIFT_cmd ssh halt
First, disable the auto boot feature of the device to avoid rebooting into iOS if the DFU sequence is wrong. To disable auto boot:
Power off the device if it is powered on.
Place the device in Recovery mode (see next chapter) and connect it to the computer. The device should display the “connect to iTunes” screen.
On the computer, run the following command:
./EIFT_cmd tools autobootFalse
(Re-enable auto boot before returning a seized device with ./EIFT_cmd tools autobootTrue).
Run EIFT in wait mode:
./EIFT_cmd boot -w
If the device is not in Recovery, place it into Recovery mode. Please refer to the next chapter for instructions.
From Recovery, place the device in DFU (refer to the next chapter for instructions). Once the device is in DFU, EIFT will automatically detect the device and apply the exploit.
Please note: you will need to download the matching firmware file from Apple servers, or specify a download link when prompted.
After that, run the following commands:
./EIFT_cmd ramdisk unlockdata
./EIFT_cmd ramdisk keychain -o (unknown)
./EIFT_cmd ramdisk tar -o (unknown)
Re-enable auto boot before returning a seized device (note: do not re-enable auto boot if you intend to continue working with the device):
./EIFT_cmd tools autobootTrue
Power off the device:
./EIFT_cmd ssh halt
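Both workflows above end with the same post-exploit sequence (unlockdata, keychain, tar) that an examiner types by hand. The following POSIX sh wrapper is an added example, not part of the original guide or of the toolkit: it runs that sequence in order, timestamps every invocation into an audit log, stops at the first failing step, and records SHA-256 hashes of the resulting files so the acquisition is documented. It assumes EIFT_cmd is in the current directory (override with EIFT=...) and that the output file names keychain.xml and filesystem.tar are the examiner's own choice; auto boot is deliberately left alone, as the guide says whether to re-enable it depends on whether you continue working with the device.

```shell
#!/bin/sh
# Added example (not from the original guide or the toolkit): audit-logged
# wrapper for the post-exploit EIFT_cmd sequence shown in this guide.
# Assumptions: EIFT_cmd is in the current directory (override with EIFT=...);
# output file names below are this example's choice, not the toolkit's.
set -u

EIFT="${EIFT:-./EIFT_cmd}"   # assumed path to the toolkit binary
DRY_RUN="${DRY_RUN:-1}"      # 1 = only log the commands; set to 0 on the examiner workstation

# Hash a file with whichever SHA-256 tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# The ordered post-exploit sequence from the guide (arguments only, one step
# per line). $1 = case output directory. Add "ramdisk loadnfcd" as a first
# line or "-s" to unlockdata where the workflow you follow calls for it.
extraction_plan() {
  printf '%s\n' \
    "ramdisk unlockdata" \
    "ramdisk keychain -o $1/keychain.xml" \
    "ramdisk tar -o $1/filesystem.tar"
}

# Run the plan step by step. Each command is timestamped in $1/audit.log
# before it runs; the first failing step aborts so later steps never run
# against a device in an unknown state.
run_plan() {
  out="$1"
  mkdir -p "$out" || return 1
  log="$out/audit.log"
  extraction_plan "$out" | while IFS= read -r args; do
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$EIFT" "$args" >>"$log"
    if [ "$DRY_RUN" = 0 ]; then
      # word-splitting $args into separate arguments is intended here
      $EIFT $args || {
        printf '%s FAILED: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$args" >>"$log"
        exit 1
      }
    fi
  done || return 1
  # Record SHA-256 of every artifact actually produced, next to the log.
  for f in "$out/keychain.xml" "$out/filesystem.tar"; do
    [ -f "$f" ] && printf '%s  %s\n' "$(sha256_of "$f")" "$f" >>"$out/hashes.sha256"
  done
  return 0
}

# Number of steps in the plan, for quick checks.
plan_steps() { extraction_plan "$1" | wc -l | tr -d ' '; }
```

Usage on the examiner workstation, after EIFT has applied the exploit and the ramdisk is loaded: `DRY_RUN=0 sh extract.sh` with a call to `run_plan /cases/<case-id>` at the end of the file. With the default DRY_RUN=1 the script only writes the audit log, which is a convenient way to rehearse the sequence on a practice device before touching evidence.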
Placing the device in DFU mode can be tricky, especially if you’ve never done it before. Steps to enter DFU are different for different device models, and there is no on-screen indication of successfully entering DFU. You must follow the steps while carefully observing the timings, and the end result will be a blank screen. We strongly recommend placing the device in recovery mode first, and entering DFU from recovery.
Step 1: enter Recovery
On the iPhone 7, iPhone 7 Plus:
On the iPhone 6s and older devices including iPhone SE (1st generation):
Step 2: enter DFU
On the iPhone 6s and older devices including iPhone SE (1st generation):
On the iPhone 7 and 7 Plus:
The iPhone screen will remain black. If you see the recovery screen or if the device starts booting into iOS, repeat the steps from the beginning.
Devices based on the A11 Bionic have two slightly different DFU modes. Placing the device in the correct DFU mode is critical for successful acquisition. The correct procedure involves the recovery mode as a required first step.
Step 1: enter Recovery
For iPhone 8, 8 Plus and iPhone X devices use the following sequence:
Step 2: entering DFU for iPhone 8, 8 Plus and iPhone X devices
Keep the iPhone connected to the computer, then launch iOS Forensic Toolkit in wait mode:
./EIFT_cmd boot -w
On the iPhone 8, 8 Plus or iPhone X:
Note: if you keep holding a button for longer than 4 seconds, the iPhone may reboot instead of entering DFU. Disable auto boot and practice with another device before the extraction.
If the device cannot be placed in DFU via regular means (for example, if one of the buttons is broken), use the following guide:
DFU steps for iPad, Apple TV, and iPod Touch devices:
Checkm8 extraction requires a certain level of practice, particularly with placing devices into DFU. A wrong DFU sequence may reboot the device into iOS.
Practice DFU mode with a known good device before the extraction!
If the device is running iOS 16, the extraction steps will be slightly different compared to older iOS versions.
iOS Forensic Toolkit 8 supports checkm8 extraction for the following models:
In addition, support is available for the following models:
checkm8 extraction is also supported for 32-bit devices such as the iPod Touch 5, iPad 2/3/4, and iPad Mini. However, the steps are slightly different, and some devices require an additional Raspberry Pi Pico board to apply the exploit.
By Oleg Afonin at 2022-11-03 13:50:26. Source: ElcomSoft blog.