Jailbreaking Apple TV 4K

June 12th, 2020 by Vladimir Katalov
Category: «General», «Mobile», «Tips & Tricks»

Is jailbreaking an Apple TV worth it? If you are working in the forensics, it definitely is. When connected to the user’s Apple account with full iCloud access, the Apple TV synchronizes a lot of data. That data may contain important evidence, and sometimes may even help access other iCloud data. I have some great news for the forensic crowd: the Apple TV does not have a passcode. And some bad news: jailbreaking is not as easy and straightforward as we’d like it to be. Let’s have a look at what can be done.

Introduction

We have already covered the Apple TV acquisition topic before (see Apple TV and Apple Watch Forensics 01: Acquisition), but that one was about the 4th generation device. The Apple TV 4K is very, very different. What is the big difference? There are several of them, but the most important part for us is that the Apple TV 4K does not have a USB port. The previous model had one, the USB Type-C port on the back. The new generation can be only connected to over Wi-Fi. And that also means that you won’t be able to use Cydia Impactor to sideload apps (including jailbreaks). Still, jailbreaking remains possible in several different ways.

We also wrote about using checkra1n on the Apple TV (see Forensic Acquisition of Apple TV with checkra1n Jailbreak), but again, that was about the 4th gen.

The hidden Lightning port

Big surprise: the Apple TV 4K does have the port for wired connections, and the port is… Lightning! It is well hidden inside the Eithernet socket, discovered in October last year by Kevin Bradley (@nitoTV). Can we have an adapter? There you go, available from JinStore.

Anything else? Oh yes. You can get the Apple TV Advanced Breakout Cable, but the installation is tough. In the end, you will get an external micro USB connection, and that’s not the only difference. And it seems to be the only way to install the checkra1n jailbreak, I’ll explain why in just a bit.

unc0ver

The unc0ver jailbreak is fantastic, it is compatible with most iPhone and iPad models running iOS up to 13.5 (almost the latest version for now). We actively use it, see Full File System and Keychain Acquisition with unc0ver jailbreak: iOS 13.3.1 to 13.5. Since recently, tvOS version also exists, compatible with tvOS versions up to 13.4.5.

The problem? Installing the jailbreak. Sure, you can do it over Wi-Fi; you will need a computer running masOS, XCode and an Apple Developer Account.

Our friend and partner James Duffy (see his ZPET project) has created a wonderful guide on Apple TV 4K app sideloading (PDF). Enjoy!

However, if you have an adapter (I used the JinStore version), you can do the jailbreaking in the familiar manner, using the good old Cydia Impactor (you will still need an Apple Developer Account). Works like a charm!

checkra1n

The advantage of the checkra1n jailbreak is that it based on a hardware vulnerability, and is compatible with all current and future versions of tvOS including tvOS 13.4.6 and 13.4.8 (although we did not try the latter).

The problem is that you need to put the device in DFU (Device Firmware Update) mode, and you cannot to that via software means. So the special Lightning adapter from JinStore will not help; you need the breakout cable (that has a special button just for that purpose). The instructions given below (in checkra1n) are good for the Apple TV 4 (but not 4K).

Data analysis

Knowing the regular benefits of jailbreaking, what can you get from an Apple TV device after jailbreaking? As usual, you can obtain the full file system from the Apple TV, and then the keychain. The keychain, however, contains significantly less data compared to its iOS counterpart; unfortunately, iCloud keychain is not being synced to the Apple TV (no passcode protection?), so you mostly get only Wi-Fi password(s), and sometimes (on accounts without 2FA) the iCloud authentication token, which may help accessing the user’s iCloud account.

The other data is valuable. First, the Apple TV may sync iCloud Photos, and even if they are not synced, you get thumbnails for most of them, including location data from EXIF tags and databases with metadata. We recommend using Elcomsoft Phone Viewer to analyze it in a convenient way.

Next, you also get the knowledgeC (system database) that contains important events on the Apple TV usage; to analyze that, we recommend Oxygen Forensic Detective.

Finally, even without jailbreaking, you can get media files and metadata from the Apple TV with iOS Forensic Toolkit:


REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »