checkm8 Extraction Cheat Sheet: iPhone and iPad Devices

November 3rd, 2022 by Oleg Afonin
Category: «Mobile», «Tips & Tricks»

The newly released iOS Forensic Toolkit 8.0 delivers forensically sound checkm8 extraction powered with a command-line interface. The new user experience offers full control over the extraction process, yet mastering the right workflow may become a challenge for those unfamiliar with command-line tools. In this quick-start guide we will lay out the steps required to perform a clean, forensically sound extraction of a compatible iPhone or iPad device.

Before you begin

Before you begin, make sure you have everything required to perform the extraction. Since checkm8 is a very specific exploit, you’ll need all of the following to do the job.

  • A Mac computer. You will need a real Mac computer (no VMs) to install the exploit and perform the extraction. We support both Intel and M1-based Macs.
  • iOS Forensic Toolkit 8 for Mac. Note that you will need the Mac edition of the tool.
  • A supported iPhone or iPad device (the full list is available at the bottom of the page). The device must be functional enough to be placed into DFU mode. Locked and USB-restricted devices are supported.
  • Screen lock passcode must be known or empty. Otherwise, limited BFU extraction may be available, but very little information can be obtained this way.
  • A supported version of iOS. Note that iPhone devices running iOS 16.x only have a limited support for checkm8 extraction.
  • A USB-A to Lightning cable. Type-C to Lightning cables are not supported. Use a USB-A to Type-C adapter or, better yet, a USB hub.
  • The exact iOS version and build number installed on the device. EIFT attempts to detect both automatically during the procedure, but be prepared to determine them yourself if detection fails.

You must be able to download the official Apple firmware (a download link will be provided during the extraction) that matches the iOS version installed on the device.

Extracting iOS 15 and older devices

First, disable the auto boot feature of the device to avoid rebooting into iOS if the DFU sequence is wrong. To disable auto boot:

Power off the device if it is powered on.

Place the device in Recovery mode (see the “Entering DFU mode” section below) and connect it to the computer. The device should display the “connect to iTunes” screen.

Note that iOS Forensic Toolkit 8 automatically sets auto-boot value to False at some point after sending iboot, but before sending kernel and booting the ramdisk. This behavior effectively secures the user data against accidental modifications caused by user error when entering DFU. An important consequence: the device will have the ‘autobootFalse’ flag still enabled after you finish the extraction. This means that any subsequent power-on or reboot will make the device launch Recovery instead of starting the installed operating system. We recommend keeping this flag enabled all the time while the device is retained as evidence, and only reverting to ‘autobootTrue’ immediately before the device is returned to its owner.

Experts can manually flip the ‘autoboot’ flag with the following command, executed while the device is in Recovery:

./EIFT_cmd tools autobootFalse

Once executed, this command modifies device behavior during the boot sequence. If the device is powered on or if the device is restarted, with ‘autobootFalse’ it will load the Recovery instead of the main OS. Booting into recovery is safe as nothing in the user data is modified. The flag is stored in the device’s NVRAM, and survives reboots and power-offs.

We suggest keeping the device in the ‘autobootFalse’ state until it is released and returned to the owner; at that point another command restores the ability to boot iOS (the command must be executed while the device is in Recovery):

./EIFT_cmd tools autobootTrue

Run EIFT in wait mode:

./EIFT_cmd boot -w

If the device is not in Recovery, place it into Recovery mode (see the “Entering DFU mode” section below).

From Recovery, place the device in DFU (see the same section). Once the device is in DFU, EIFT will automatically detect it and apply the exploit. After that, run the following commands:

./EIFT_cmd ramdisk loadnfcd

./EIFT_cmd ramdisk unlockdata -s

./EIFT_cmd ramdisk keychain -o (unknown)

./EIFT_cmd ramdisk tar -o (unknown)

Power off the device:

./EIFT_cmd ssh halt

Once you are ready to return the device to its owner, re-enable auto-boot. To do that, power on the device. It will automatically boot into Recovery. Launch iOS Forensic Toolkit and run the following command while the device is still in Recovery:

./EIFT_cmd tools autobootTrue

Extracting iOS 16 devices

First, disable the auto boot feature of the device to avoid rebooting into iOS if the DFU sequence is wrong. The procedure and the reasoning are the same as for iOS 15 and older (see the previous section): power off the device, place it in Recovery mode (see the “Entering DFU mode” section below) and connect it to the computer; the device should display the “connect to iTunes” screen. iOS Forensic Toolkit 8 sets the auto-boot value to False automatically before booting the ramdisk, and the device keeps that flag after the extraction, so leave it set while the device is retained as evidence. Experts can set the flag manually with the following command, executed while the device is in Recovery:

./EIFT_cmd tools autobootFalse

Run EIFT in wait mode:

./EIFT_cmd boot -w

If the device is not in Recovery, place it into Recovery mode (see the “Entering DFU mode” section below).

From Recovery, place the device in DFU (refer to the next chapter for instructions). Once the device is in DFU, EIFT will automatically detect the device and apply the exploit.

Please note: you will need to download the matching firmware file from Apple servers, or specify a download link when prompted.

After that, run the following commands:

./EIFT_cmd ramdisk unlockdata

./EIFT_cmd ramdisk keychain -o (unknown)

./EIFT_cmd ramdisk tar -o (unknown)

Power off the device:

./EIFT_cmd ssh halt

Do not re-enable auto boot if you intend to continue working with the device. Once you are ready to return it to its owner, power it on; with auto boot disabled it will boot into Recovery. Launch iOS Forensic Toolkit and run the following command while the device is still in Recovery:

./EIFT_cmd tools autobootTrue

Entering DFU mode

Placing the device in DFU mode can be tricky, especially if you’ve never done it before. Steps to enter DFU are different for different device models, and there is no on-screen indication of successfully entering DFU. You must follow the steps while carefully observing the timings, and the end result will be a blank screen. We strongly recommend placing the device in recovery mode first, and entering DFU from recovery.

iPhone 7, 7 Plus and older

Step 1: enter Recovery

On the iPhone 7, iPhone 7 Plus:

  • Make sure that the device is powered off. If not, power it off normally.
  • Press and hold the Vol- button.
  • Keep holding the button; connect the iPhone to the computer.
  • Still keep holding the button until the device displays the recovery screen.

On the iPhone 6s and older devices including iPhone SE (1st generation):

  • Make sure that the device is powered off. If not, power it off normally.
  • Press and hold the Home button.
  • Keep holding the button; connect the iPhone to the computer.
  • Still keep holding the button until the device displays the recovery screen.

Step 2: enter DFU

On the iPhone 6s and older devices including iPhone SE (1st generation):

  • Press the Power button (or the side button) and the Home (Touch ID) button. Hold for exactly 8 seconds.
  • Release the Power (side) button; keep holding the Home button for exactly 8 seconds.

On the iPhone 7 and 7 Plus:

  • Press the side button and the Vol- button. Hold for exactly 8 seconds.
  • Release the side button; keep holding the Vol- button for exactly 8 seconds.

The iPhone screen will remain black. If you see the recovery screen or if the device starts booting into iOS, repeat the steps from the beginning.

iPhone 8, 8 Plus and iPhone X

Devices based on the A11 Bionic have two slightly different DFU modes. Placing the device in the correct DFU mode is critical for successful acquisition. The correct procedure involves the recovery mode as a required first step.

Step 1: enter Recovery

For iPhone 8, 8 Plus and iPhone X devices use the following sequence:

  • Make sure that the device is powered off. If not, power it off normally.
  • Press and hold the side button.
  • Keep holding the button and quickly connect the iPhone to the computer. If you are not fast enough, the device may begin the boot sequence.
  • Still keep holding the button until the device displays the recovery screen.

Step 2: entering DFU for iPhone 8, 8 Plus and iPhone X devices

Keep the iPhone connected to the computer, then launch iOS Forensic Toolkit in wait mode:

./EIFT_cmd boot -w

On the iPhone 8, 8 Plus or iPhone X:

  • Press and release Vol+ quickly
  • Press and release Vol- quickly
  • Press and hold the side button until iOS Forensic Toolkit prints “iPhone disconnected”. This message means the iPhone has been disconnected from the computer.
  • While still holding the side button, press and hold Vol- for exactly 4 seconds.
  • Release the side button (keep holding Vol-).
  • iOS Forensic Toolkit will detect the iPhone in DFU mode. Once this happens, release Vol-.

Note: if you keep holding a button for longer than 4 seconds, the iPhone may reboot instead of entering DFU. Disable auto boot and practice with another device before the extraction.
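Because DFU gives no on-screen feedback, it helps to have a check that is independent of the toolkit’s own detection. The script below is an added example, not Elcomsoft’s code: on a Mac it reads the USB device tree and tells Recovery from DFU by the product ID the device presents (Apple’s vendor ID is 0x05ac; product ID 0x1227 is SecureROM DFU, 0x1281 is iBoot Recovery, and 0x12a8 / 0x12ab are a normally booted iPhone / iPad). The function names and the system_profiler sample text are this example’s own constructions.

```shell
#!/bin/sh
# Added example, not part of iOS Forensic Toolkit: distinguishes DFU from
# Recovery on a Mac by the USB product ID the device presents, because a
# device in DFU shows nothing on screen. Vendor ID 0x05ac is Apple; product
# ID 0x1227 is DFU (SecureROM) and 0x1281 is Recovery (iBoot). The function
# names and the sample system_profiler text below are this example's own.
set -eu

# Maps an Apple USB product ID to the boot stage it identifies.
apple_usb_mode() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        0x1227) echo "dfu" ;;            # SecureROM DFU: the mode checkm8 needs
        0x1281) echo "recovery" ;;       # iBoot recovery ("connect to iTunes")
        0x12a8|0x12ab) echo "normal" ;;  # iOS booted (iPhone / iPad)
        *) echo "unknown" ;;
    esac
}

# Reads "system_profiler SPUSBDataType" text on stdin and prints the product
# ID of every device whose vendor ID is Apple's, one per line.
usb_apple_pids() {
    awk '
        /Product ID:/ { pid = $3 }
        /Vendor ID:/  { vid = $3 }
        pid != "" && vid != "" {
            if (tolower(vid) == "0x05ac") print pid
            pid = ""; vid = ""
        }'
}

# Prints the first recognised mode among Apple devices on the bus, or "none".
# Other Apple USB devices (keyboards, hubs) are skipped as "unknown".
detect_device_mode() {
    mode=$(usb_apple_pids | while IFS= read -r pid; do
        m=$(apple_usb_mode "$pid")
        [ "$m" = "unknown" ] || { echo "$m"; break; }
    done)
    echo "${mode:-none}"
}

# Polls the live USB tree once a second until DFU is seen or the timeout
# (seconds, default 60) expires. macOS only; returns 0 on DFU, 1 on timeout.
wait_for_dfu() {
    remaining="${1:-60}"
    while [ "$remaining" -gt 0 ]; do
        if [ "$(system_profiler SPUSBDataType 2>/dev/null | detect_device_mode)" = "dfu" ]; then
            return 0
        fi
        sleep 1
        remaining=$((remaining - 1))
    done
    return 1
}

# Constructed sample of the relevant part of system_profiler output: an
# unrelated Apple USB device first, then the phone in DFU.
SAMPLE_DFU='      USB Device:

          Product ID: 0x0267
          Vendor ID: 0x05ac (Apple Inc.)

      Apple Mobile Device (DFU Mode):

          Product ID: 0x1227
          Vendor ID: 0x05ac (Apple Inc.)
          Version: 0.00
          Manufacturer: Apple Inc.
'

# Constructed sample of the same phone sitting in iBoot Recovery instead.
SAMPLE_RECOVERY='      Apple Mobile Device (Recovery Mode):

          Product ID: 0x1281
          Vendor ID: 0x05ac (Apple Inc.)
'

# Live usage on a Mac: system_profiler SPUSBDataType | detect_device_mode
if [ "$#" -ge 1 ] && [ "$1" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DFU" | detect_device_mode
fi
```

Run system_profiler SPUSBDataType | detect_device_mode right after the button sequence: “recovery” means the device fell back to iBoot and the steps must be repeated, “dfu” means the exploit can proceed, and “normal” means it booted the operating system, which should not happen once auto boot has been disabled. wait_for_dfu 30 polls for half a minute and pairs well with the 4-second timing above.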

Other ways to place an iPhone into DFU

If the device cannot be placed in DFU via regular means (for example, if one of the buttons is broken), use the following guide:

DFU steps for iPad, Apple TV, and iPod Touch devices:

Checkm8 extraction requires a certain level of practice, particularly with placing devices into DFU. A wrong DFU sequence may reboot the device into iOS.

Practice DFU mode with a known good device before the extraction!

If the device is running iOS 16, the extraction steps will be slightly different compared to older iOS versions.

Compatible devices

iOS Forensic Toolkit 8 supports checkm8 extraction for the following models:

  • iPhone 5S (iPhone6,1): A1453, A1533
  • iPhone 5S (iPhone6,2): A1457, A1518, A1528, A1530
  • iPhone 6 (iPhone7,2): A1549, A1586, A1589
  • iPhone 6 Plus (iPhone7,1): A1522, A1524, A1593
  • iPhone 6s (iPhone8,1): A1633, A1688, A1691, A1700
  • iPhone 6s Plus (iPhone8,2): A1634, A1687, A1690, A1699
  • iPhone SE (iPhone8,4): A1662, A1723, A1724
  • iPhone 7 (iPhone9,1 and iPhone9,3): A1778, A1660, A1780, A1779, A1853, A1866
  • iPhone 7 Plus (iPhone9,2 and iPhone9,4): A1784, A1661, A1785, A1786
  • iPhone 8 (iPhone10,1/iPhone10,4): A1863, A1905, A1906, A1907
  • iPhone 8 Plus (iPhone10,2/iPhone10,5): A1864, A1897, A1898, A1899
  • iPhone X (iPhone10,3/iPhone10,6): A1865, A1901, A1902, A1903

In addition, support is available for the following models:

  • iPod Touch 6/7: A1574, A2178
  • iPad Air 1/2: A1474, A1475, A1476, A1566, A1567
  • iPad Mini 2/3/4: A1489, A1490, A1491, A1599, A1600, A1601, A1538, A1550
  • iPad 5/6/7: A1822, A1823, A1893, A1954, A2197, A2198, A2200
  • iPad Pro 1/2: A1584, A1652, A1673, A1674, A1675, A1670, A1671, A1701, A1709, A1821, A1852

checkm8 extraction is also supported for 32-bit devices such as the iPod Touch 5, iPad 2/3/4, and iPad Mini. However, the steps are slightly different, and some devices require an additional Raspberry Pi Pico board to apply the exploit.

