The iPhone recovery mode has limited use for mobile forensics. However, even the limited amount of information available through recovery mode can be essential for an investigation. Recovery access can be also the only available analysis method if the device becomes unusable, is locked or disabled after ten unsuccessful unlocking attempts, or had entered the USB restricted mode. Learn how to enter and leave Recovery and what information you can obtain in this mode.

Entering recovery mode

There multiple instructions on the Web about entering the recovery mode, and most of them list several redundant or unnecessary steps. The shortest and simplest instructions are listed below.

Information available in recovery mode

When performing a forensic extraction of a device running in the recovery mode, note that only a very limited set of data will be available.

The following information is available:

Device Model: iPhone8,1
Model: n71map
ECID: XXXXXXXXXXXXXXXX
Serial Number: XXXXXXXXXXX
IMEI: XXXXXXXXXXXXXXX
MODE: Recovery
iBoot: bootloader version
iOS version: installed iOS version number or range

The Recovery mode may return the following information:

• Device model: device model, e.g. iPhone7,2 (n61ap), iPhone10,6 (d221ap) etc. You can identify the model by following the link.
• ECID (UCID): XXXXXXXXXXXXXXXX. The ECID (Exclusive Chip Identification) or Unique Chip ID is an identifier unique to every unit, or more accurately, to every SoC.
• Serial number: XXXXXXXXXXX (or N/A)
• IMEI: XXXXXXXXXXXXXXX (or N/A). Note that we have not seen IMEI information on any of our test devices, with or without a SIM card.
• Mode: Recovery
• iBoot: this is the bootloader version in the format “iBoot-[version_number]”. This information can be used to identify the version of iOS (or, of there is no concrete match, the range of iOS versions) running on the device.
• iOS version: installed iOS version number or range as estimated from the bootloader version.

As you can see, there’s not a lot you can get from the recovery mode; however, this amount of data is generally enough to request information from Apple. The bootloader version is probably the most important piece, as it can be used to roughly establish the probable date the iOS device was last used. The last use data cannot be earlier than the release date of the version of iOS installed on the device. In addition, the bootloader version can be used to determine compatibility with certain unlock and extraction methods.

How can one determine the version of iOS based on the bootloader version? While Elcomsoft iOS Forensic Toolkit 6.71 and newer will display the corresponding version automatically, you can also use the table available in iBoot (Bootloader) – The iPhone Wiki. Note that some versions of iOS are based on the same bootloader version. If this is the case, Elcomsoft iOS Forensic Toolkit will display the range of iOS versions based on the detected bootloader version. For example, the above screen shot demonstrates bootloader version iBoot-6723.42.4, which was used in iOS 14.2 through 14.2.1.

Exiting recovery mode

To leave the recovery mode, perform the following steps.

iPhone 6s and earlier, iPads: hold the Home button and the Lock button until the device reboots.

iPhone 7 and iPhone 7 Plus: hold down the Side button and Volume Down button until the device reboots.

iPhone 8 and newer: click the Volume Up button, then click the Volume Down button, then hold down the Side button until the device reboots.