DFU Mode Cheat Sheet

January 14th, 2021 by Oleg Afonin
Category: «Mobile», «Tips & Tricks»

The Device Firmware Upgrade mode, or simply DFU, has received a new lease on life. Imaging the file system, decrypting the keychain and even unlocking passcodes on some older iPhone models is now possible thanks to the checkm8 exploit and the checkra1n jailbreak, both of which require switching the phone into DFU mode. The procedure is undocumented, and the steps differ between devices.

Why DFU?

In practice, you need DFU when performing a checkm8 or checkra1n extraction of an iPhone 5 through iPhone X, or a limera1n extraction of older devices. You also need DFU when performing passcode unlocks (currently, we support the iPhone 4, 5 and 5c only). DFU is also used for Before First Unlock (BFU) extractions. Finally, DFU can be used to reset a locked phone, although you will then face the iCloud Activation Lock when setting it up, and all data on the device will be irreversibly gone.

Before you begin

Before you begin, there is one thing to consider. For a long time, we have seen reports of experts using a trick to increase the success rate of installing the exploit. When exploiting the bootloader vulnerability, many experts achieve a higher success rate if they switch the device into recovery mode first and only then into DFU. This applies to most models, from phones as old as the iPhone 5 to ones as new as the iPhone 8. Interestingly, we could not confirm this on the latest iPhone 12.

To sum it up: if you are pursuing checkm8 or checkra1n extraction, consider switching the phone into recovery and only then to DFU mode.

Switching to recovery mode

Unlike DFU, recovery mode is well documented in Apple's support article “If you can’t update or restore your iPhone, iPad, or iPod touch”. The steps for entering recovery mode differ between iOS devices: devices with a physical Home button, devices with a capacitive Home button and devices without a Home button each use a different button sequence.

For devices with physical Home buttons, follow these steps:

  1. Turn off the device.
  2. Press and hold the Home button.
  3. While still holding the Home button, connect the device to a computer running iTunes.
  4. Keep holding the Home button until the iPhone shows the iTunes logo and the cable (the “connect to iTunes” screen).

Apple recommends the following steps for entering Recovery mode:

  1. If iTunes is already open, close it. Connect your device to your computer and open iTunes.
  2. While your device is connected, force restart it with the steps below, but do not release the buttons when you see the Apple logo; keep holding until the connect to iTunes screen appears:
    • On iPhone 8 and later: press and quickly release the Volume Up button, press and quickly release the Volume Down button, then press and hold the Side button until you see the connect to iTunes screen.
    • On iPhone 7 or iPhone 7 Plus: press and hold the Side and Volume Down buttons at the same time. Keep holding them until you see the connect to iTunes screen.
    • On iPhone 6s and earlier, iPad, or iPod touch: press and hold both the Home and the Top (or Side) buttons at the same time. Keep holding them until you see the connect to iTunes screen.

How to exit recovery mode

The procedure for leaving recovery mode differs between devices. In general, you will use the following steps:

  • Unplug the USB cable.
  • Hold down the Sleep/Wake button or the Side button, depending on the device model, until the device turns off.
  • Either keep holding the button combination, or release it and hold it down again, until the Apple logo appears.
  • Let go of the buttons and let the device start up.

This is the Apple-recommended procedure for exiting recovery mode:

  • iPhone 6s and earlier, Touch ID-equipped iPads: hold the Home button and the Lock button until the device reboots.
  • iPhone 7 and iPhone 7 Plus: hold down the Side button and Volume Down button until the device reboots.
  • iPhone 8 and newer: click the Volume Up button, then click the Volume Down button, then hold down the Side button until the device reboots.

The DFU mode

DFU stands for “Device Firmware Upgrade”. Unlike recovery mode, which is designed with the ordinary user in mind, DFU mode was never intended for the public, and there is no documentation about it anywhere in the Apple Knowledge Base. Entering DFU mode involves a sequence of pressing, holding and releasing buttons with precise timings. Wrong timing at any of the steps will reboot the device instead of switching it to DFU. Finally, there is no on-screen indication of DFU mode: if the device is successfully switched to DFU, the display remains black, and the only confirmation comes from the computer (iTunes reports a device in recovery mode, and the device enumerates over USB as a DFU device). Entering DFU mode can be difficult even for experts.

DFU is implemented in the bootrom (SecureROM), which is burned into the SoC at manufacturing time and cannot be patched by a software update. On A5 through A11 devices (iPhone 4s through iPhone X), the checkm8 vulnerability in the bootrom's USB DFU code allows bypassing the SecureROM's secure boot protection and jailbreaking the device from DFU mode; because the flaw lives in ROM, it survives every iOS update and was only closed in newer silicon. More in our blog: BFU Extraction: Forensic Analysis of Locked and Disabled iPhones.

Entering DFU mode

Steps for entering DFU mode differ between devices. Some devices have several different methods to invoke DFU, making it even more confusing, and the procedures can differ significantly between device generations. Since no official instructions are available, one has to rely on third-party sources for information.


Note: the device screen will be completely black while in DFU mode. The iPhone Wiki explains the steps required to enter DFU mode in a dedicated article. According to that article, this is how you enter DFU mode on the different device models.

Apple TV

  1. Plug the device into your computer using a USB cable.
  2. Force the device to reboot by holding down the “Menu” and “Down” buttons simultaneously for 6-7 seconds.
  3. Press “Menu” and “Play” simultaneously right after reboot, until a message pops up in iTunes, saying that it has detected an Apple TV in Recovery Mode.

A9 and older devices (iPad other than the ones listed below, iPhone 6s and below, iPhone SE and iPod touch 6 and below)

  1. Connect the device to a computer using a USB cable.
  2. Hold down both the Home button and Lock button.
  3. After 8 seconds, release the Lock button while continuing to hold down the Home button.
    • If the Apple logo appears, the Lock button was held down for too long.
  4. Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
    • If your device shows a screen telling you to connect the device to iTunes, retry these steps.

Alternative method 1:

  1. Hold the Lock Button for 3 seconds
  2. Continue holding the Lock button and also hold the Home button (15 seconds)
  3. Release the Lock button while continuing to hold the Home button (10 seconds)
  4. Your device should enter DFU mode

Alternative method 2:

  1. Connect the device to your computer and launch iTunes. Turn the device off.
  2. Hold down the Lock button and Home button together for exactly 10 seconds, then release the Lock button.
  3. Continue holding the Home button until iTunes on your computer displays a message that a device in recovery mode has been detected. The device screen will remain completely black.

A10 devices (iPhone 7 and iPhone 7 Plus, iPad 2018, iPod touch 7)

  1. Connect the device to a computer using a USB cable.
  2. Hold down both the Side button and Volume Down button.
  3. After 8 seconds, release the Side button while continuing to hold down the Volume Down button.
    • If the Apple logo appears, the Side button was held down for too long.
  4. Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
    • If your device shows a screen telling you to connect the device to iTunes, retry these steps.

A11 and newer devices (iPhone 8 and above, iPad Pro 2018, iPad Air 2019, iPad Mini 2019)

Note: for these devices, higher success rate has been reported when using the recovery mode first.

  1. Connect the device to a computer using a USB cable.
  2. Quick-press the Volume Up button
  3. Quick-press the Volume Down button
  4. Hold down the Side button until the screen goes black, then hold down both the Side button and Volume Down button.
  5. After 5 seconds, release the Side button while continuing to hold down the Volume Down button.
    • If the Apple logo appears, the Side button was held down for too long.
  6. Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
    • If your device shows a screen telling you to connect the device to iTunes, retry these steps.


A12, A13 and A14 Bionic devices (iPhone XR and XS range, iPhone 11 and iPhone 12 range)

While you can switch these devices into DFU, there is little point in doing so from the forensic standpoint. The checkm8 exploit is not applicable to any of these models (the bootrom vulnerability is absent from A12 and later silicon), so DFU mode on them offers very little practical benefit beyond a full restore.
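Because DFU mode shows nothing on the screen, the reliable way to tell DFU from recovery mode (and from a failed attempt that simply rebooted the phone) is the USB descriptor: a device in DFU enumerates with Apple's vendor ID 05ac and product ID 1227, recovery mode (iBoot) enumerates as 1281, and the DFU serial string carries the chip ID (CPID) that tells you whether the SoC falls into the checkm8-affected A5 to A11 range or into the A12 and later range where the exploit does not apply. The script below is an added example, not part of the original post or of any Elcomsoft tool. It parses `lsusb` output (Linux) and a DFU serial string; both the `lsusb` lines and the serial string, including its ECID, are constructed samples, and the CPID-to-SoC table is assumed from the publicly known Apple chip identifiers.

```python
"""Identify Apple devices in DFU or recovery mode from `lsusb` output and
decide from the DFU serial string whether the SoC is checkm8-affected."""
import re
import subprocess

APPLE_VID = "05ac"
PID_DFU = "1227"       # SecureROM DFU mode: screen stays black
PID_RECOVERY = "1281"  # iBoot recovery mode: "connect to iTunes" screen

# CPID -> SoC for the chips whose bootrom is affected by checkm8 (A5 to A11).
# Assumed from publicly known Apple chip identifiers; A12 (8020) and newer
# are deliberately absent because the vulnerability does not apply to them.
CHECKM8_CPIDS = {
    "8940": "A5", "8945": "A5X", "8950": "A6", "8955": "A6X",
    "8960": "A7", "7000": "A8", "7001": "A8X",
    "8000": "A9", "8003": "A9", "8001": "A9X",
    "8010": "A10", "8011": "A10X", "8015": "A11",
}

# Constructed sample `lsusb` output (not captured from a real machine).
SAMPLE_LSUSB = """\
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 005: ID 05ac:1227 Apple, Inc. Mobile Device (DFU Mode)
Bus 002 Device 003: ID 05ac:12a8 Apple, Inc. iPhone
"""

# Constructed DFU serial string in the KEY:VALUE layout the SecureROM reports
# in its USB serial descriptor; the ECID here is a placeholder, not a real device.
SAMPLE_DFU_SERIAL = ("CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:08 "
                     "ECID:000000000000DEAD IBFL:3C SRTG:[iBoot-3332.0.0.1.0]")

_LSUSB_ID_RE = re.compile(r"ID ([0-9a-f]{4}):([0-9a-f]{4})", re.I)
# Values are whitespace-free except SRTG, which is bracketed.
_SERIAL_FIELD_RE = re.compile(r"(\w+):(\[[^\]]*\]|\S+)")


def apple_modes(lsusb_text):
    """Return [(pid, mode)] for every Apple device in `lsusb` output.

    mode is 'dfu', 'recovery' or 'normal' (booted iOS, or anything else).
    """
    found = []
    for line in lsusb_text.splitlines():
        m = _LSUSB_ID_RE.search(line)
        if not m or m.group(1).lower() != APPLE_VID:
            continue
        pid = m.group(2).lower()
        mode = {PID_DFU: "dfu", PID_RECOVERY: "recovery"}.get(pid, "normal")
        found.append((pid, mode))
    return found


def parse_dfu_serial(serial):
    """Split the DFU serial string into a dict; brackets around SRTG are dropped."""
    return {k: v.strip("[]") for k, v in _SERIAL_FIELD_RE.findall(serial)}


def checkm8_applicable(serial):
    """Return (True, soc_name) if the CPID is in the affected table,
    otherwise (False, cpid) so the caller can see what was reported."""
    cpid = parse_dfu_serial(serial).get("CPID", "").lower()
    if cpid in CHECKM8_CPIDS:
        return True, CHECKM8_CPIDS[cpid]
    return False, cpid or "unknown"


def live_apple_modes():
    """Run `lsusb` on a Linux host and classify what is attached."""
    out = subprocess.run(["lsusb"], capture_output=True, text=True,
                         check=False).stdout
    return apple_modes(out)


if __name__ == "__main__":
    for pid, mode in apple_modes(SAMPLE_LSUSB):
        print(f"Apple device {APPLE_VID}:{pid} -> {mode}")
    ok, soc = checkm8_applicable(SAMPLE_DFU_SERIAL)
    fields = parse_dfu_serial(SAMPLE_DFU_SERIAL)
    print(f"CPID {fields['CPID']} ({soc}), {fields['SRTG']}: "
          f"checkm8 {'applies' if ok else 'does not apply'}")
```

On a Linux host, `lsusb` gives the lines `apple_modes` expects and `lsusb -v -d 05ac:1227` prints the `iSerial` descriptor that `parse_dfu_serial` reads; on macOS, `system_profiler SPUSBDataType` shows the same product ID and serial string in a different layout, so adapt the first regex if you use it there. If the product ID is 1281 the button sequence ended in recovery mode rather than DFU, and a device that shows up with a normal product ID simply rebooted into iOS, which is the usual sign that the Side or Lock button was held too long.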

How to exit DFU mode

The process of exiting DFU mode is also different across devices.

For devices with a physical Home button (up to and including iPhone 6s and iPhone SE): hold the Home button and the Lock button until the device reboots.

For iPhone 7 and iPhone 7 Plus: hold down the Side button and Volume Down button until the device reboots.

For iPhone 8 and iPhone 8 Plus, iPhone X: click the Volume Up button, then click the Volume Down button, then hold down the Side button until the device reboots.

