iOS Extraction Without a Jailbreak: Full iOS 10 Support

June 16th, 2020 by Oleg Afonin
Category: «Elcomsoft News», «Mobile», «Tips & Tricks»

Originally released in September 2016, iOS 10 was regularly updated for most devices until July 2017. The 64-bit iPhones capable of running iOS 10 range from the iPhone 5s to the iPhone 7 and 7 Plus. While one is hardly likely to encounter an iOS 10 device in the wild today, forensic labs still process devices running this older version of the OS. In this update, we’ve brought jailbreak-free extraction back to the roots, adding support for the oldest version of iOS capable of running on the iPhone 7 generation of devices. Let’s see what it takes to extract an older iPhone without a jailbreak. In addition, we have expanded support for Apple TV devices, now offering keychain decryption in addition to file system extraction for both Apple TV 4 (Apple TV HD) and Apple TV 4K running tvOS 13.4 through 13.4.5.

Why support iOS 10 in 2020?

iOS 10 was available on four generations of 64-bit devices ranging from the iPhone 5s all the way to the iPhone 7 and 7 Plus. While many users regularly update their OS, many others don’t, and some users just keep their iPhones on whatever iOS version was installed in the factory. This means a not insignificant chunk of iPhone 7-generation devices processed in forensic labs are still running the original version of iOS 10.

There are also jailbreaks. We counted as many as six different jailbreaks, each covering a particular set of iOS 10 releases. The Yalu jailbreak covers iOS 10.0 through 10.1.1. A separate version of Yalu is available for iOS 10.2. iOS 10.2.1 requires Saïgon, while doubleH3lix and Meridian support 10.0 – 10.3.3. Finally, the g0blin jailbreak supports 10.3 – 10.3.3.

Sounds complicated? Let me add that the required SSH daemon is only bundled with some of these jailbreaks; the others require a separate OpenSSH installation from Cydia (which means taking a risk by connecting the device to the Internet). Adding insult to injury, the most compatible jailbreak, g0blin, only includes Dropbear SSH in RC1; g0blin RC2 requires installing OpenSSH from Cydia.

The latest release of the Meridian jailbreak works well enough, advertising gapless support for all versions of iOS 10 and bundling an SSH daemon running on the standard port 22 instead of the custom port 2222. However, both our customers and we have experienced multiple cases where Meridian simply refused to install. Jailbreak-free extraction is significantly more robust.

There is also iOS 12. Apple routinely patches discovered vulnerabilities. For this reason, our software lacked support for the iPhone 5s and 6 generations of devices running iOS 12.3, 12.3.1 and 12.4.1-12.4.7 (iOS 12.4.7 being the last available version of iOS for those models). For at least some of these versions, the unc0ver jailbreak is not available, leaving checkra1n as the only acquisition option. We have added support for these versions of iOS without a jailbreak on the affected devices, although for the time being support is limited to file system extraction only (no keychain). Using an acquisition agent removes the guesswork and risks associated with jailbreaking, making the acquisition process simple and straightforward.

The new device compatibility matrix looks as follows:

Devices compatible with iOS 10

The following 64-bit iPhone models are able to run iOS 10: iPhone 5s, 6, 6 Plus, 7 and 7 Plus. Newer models were released with newer versions of iOS on board, and are not compatible with iOS 10.

Prerequisites

There are no iOS 10 specific requirements to perform file system extraction or keychain decryption. You will need iOS Forensic Toolkit 6.20 or newer, and you must be able to unlock the iPhone you are extracting (the screen lock passcode must be known or empty). Note that we do not recommend removing the screen lock passcode as some information may go missing if you do so.

Similar to other cases, agent-based extraction requires the use of an Apple Developer Account. We wrote a comprehensive article about that: Why Mobile Forensic Specialists Need a Developer Account with Apple

Steps to extract an iPhone running iOS 10

To extract the file system and decrypt the keychain from an iOS 10 device without a jailbreak, follow these steps.

1. Launch iOS Forensic Toolkit 6.20 or newer
2. Press 1 to sideload the agent onto the device
3. Press 2 to extract and decrypt the keychain
4. Press 3 to extract the file system image
5. Press 4 to remove the extraction agent from the device

Apple TV Support

We have expanded support for Apple TV devices, now offering keychain decryption in addition to file system extraction for both Apple TV 4 (Apple TV HD) and Apple TV 4K running tvOS 13.4 through 13.4.5. The acquisition is made possible with the unc0ver jailbreak.

In order to extract the keychain from the Apple TV, do the following.

1. Install the unc0ver jailbreak onto the Apple TV. For instructions, please refer to the following article: Jailbreaking Apple TV 4K
2. Launch iOS Forensic Toolkit 6.20 or newer
3. Use the K command to extract the keychain

REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »