The USB restricted mode was introduced in iOS 11.4.1, improved in iOS 12 and further strengthened in iOS 13. The USB restrictions are a real headache for iPhone investigators. We’ve discovered a simple yet effective trick to fool it in some cases, but currently it securely protects the iPhones from passcode cracking and BFU (Before First Unlock) extractions. However, there is a trick allowing you to obtain some information from devices with disabled USB interface. Learn how to use this trick with the recently updated iOS Forensic Toolkit.

The USB Restricted Mode

What is it all about? See Apple Platform Security, Spring 2020, Activating data connections securely chapter:

To improve security while maintaining usability Touch ID, Face ID, or passcode entry is required to activate data connections via the Lightning, USB, or Smart Connector interface if no data connection has been established recently. This limits the attack surface against physically connected devices such as malicious chargers while still enabling usage of other accessories within reasonable time constraints. If more than an hour has passed since the iOS or iPadOS device has locked or since an accessory’s data connection has been terminated, the device won’t allow any new data connections to be established until the device is unlocked. During this hour period, only data connections from accessories that have been previously connected to the device while in an unlocked state will be allowed. These accessories are remembered for 30 days after the last time they were connected. Attempts by an unknown accessory to open a data connection during this period will disable all accessory data connections over Lighting, USB, and Smart Connector until the device is unlocked again. This hour period:

• Ensures that frequent users of connections to a Mac or PC, to accessories, or wired to CarPlay won’t need to input their passcodes every time they attach their device.
• Is necessary because the accessory ecosystem doesn’t provide a cryptographically reliable way to identify accessories before establishing a data connection.

In addition, if it’s been more than three days since a data connection has been established with an accessory, the device will disallow new data connections immediately after it locks. This is to increase protection for users that don’t often make use of such accessories. Data connections over Lightning, USB, and Smart Connector are also disabled whenever the device is in a state where it requires a passcode to reenable biometric authentication.

The user can choose to reenable always-on data connections in Settings (setting up some assistive devices does this automatically).

So once this mode is activated, there is almost nothing you can do with the iPhone, even check iOS version (or any other useful information). All you can do is start the iPhone in DFU (Device Firmware Update) mode and check the device model and serial number – or install the checkra1n jailbreak.

iOS Diagnostics Mode

You should be familiar with DFU (Device Firmware Update) and Recovery modes (see The True Meaning of iOS Recovery, DFU and SOS Modes for Mobile Forensics), but have you ever heard of the iOS diagnostics mode? Even if you have, you may not have paid much attention.

This mode has been introduced in iOS 10.3, and was first discovered by an independent researcher in February 2017. You can also enter the “diagnostics://” link in Safari; however, you will only get the start screen of a special Apple app, which cannot do anything unless the device is connected to the internal Apple network.

Now watch this video:

Yes, it works. Some tricky key combination, and… the iPhone is booted into this special mode, and… it shows up on the computer it is connected to! Not impressed yet? Wait a bit, I will explain.

Check Device Information

As noted above, the USB restricted mode does not affect the ability to switch the device into DFU (or Recovery) mode. Check out Everything about iOS DFU and Recovery Modes to lean what we can get from that mode:

• Device model
• ECID (Exclusive Chip Identification)
• Serial number
• IMEI (sometimes)

Can we have more with diagnostics mode? Surprisingly, we can! Check out the What can be extracted from locked iPhones with new iOS Forensic Toolkit article. In Elcomsoft iOS Forensic Toolkit, the (I)nfo item extracts device information:

No user data is available. The iOS version and MAC address of the Wi-Fi adapter is still much better than nothing.

checkra1n

As you know, we already support the full file system acquisition with the help of the checkra1n jailbreak, see iOS Device Acquisition with checkra1n Jailbreak. It works perfectly with all legacy iPhones from iPhone 5s to iPhone X, through the life-saving DFU mode and the checkm8 exploit.

But what if you do not have the passcode? We know that some data (even parts of the keychain) in the iPhone file system is not encrypted, and so it can be obtained. Elcomsoft iOS Forensic Toolkit can handle locked devices as well (see BFU Extraction: Forensic Analysis of Locked and Disabled iPhones), but you have to install checkra1n first.

And there comes the problem. If the device is already in USB restricted mode, you can still boot it into the DFU mode. However, whether this mode has been activated before or not, checkra1n 0.9.6 and newer versions will force USB restrictions to be activated at the first stage. To complete jailbreaking, USB restrictions must be disabled, otherwise checkra1n installation will not complete. Turning this mode off requires entering the passcode. Deadlock?

Not exactly. First, you can still use the good old checkra1n 0.9.5. However, it does not support the latest versions of iOS including the 13.4, 13.4.1, and 13.4.5 beta. For these versions of iOS, you are limited to checkra1n 0.10.1 (the latest version). Which, again, activates USB restrictions, so you will not be able to perform BFU extraction with it.

But there is a solution. You will need minaUSB (macOS only) and some additional (a bit tricky) steps, as described in this video (and slightly different one is here):

It allows to install the latest version of checkra1n and fool the USB restricted mode with the help of Apple Diagnostics mode. And so you can perform BFU extraction easily!

Conclusion

Apple does its best in protecting the user’s data in their devices and iCloud accounts. Still, several extraction possibilities exist, and in most cases, there is one or another way to extract data from the iPhone or iPad, Windows of macOS computer, or the iCloud account, or at least collect some information that may become useful for your investigation.