iOS Forensic Toolkit Maintenance: Following Apple iOS Updates

February 7th, 2023 by Oleg Afonin
Category: «Elcomsoft News», «Mobile», «Tips & Tricks»

On January 23, 2023, Apple have released a bunch of system updates that target the different device architectures. iOS 16.3 is available for many recent devices, while older models were updated to iOS 12.5.7, iOS 15.7.3 and iPadOS 15.7.3 respectively. While Elcomsoft iOS Forensic Toolkit supported these versions of the system from the get go, today we are rolling out an update that irons out minor inconveniences when imaging such devices.

iOS, iPadOS and tvOS 16.3 are available for multiple Apple devices, yet only a handful of them are affected by the bootloader vulnerability utilized in the checkm8 exploit. While Apple only release iOS 16 for the iPhone 8, 8 Plus, and iPhone X, many more devices received iOS 16 update even when built with an older SoC. A good example is the Apple TV HD (Apple TV 4), which are built on the Apple A8 chip used in the iPhone 6 (which, in turn, did not receive major system updates beyond iOS 12.x).

In addition, Apple rolled out security patches to older devices. iOS 12.5.7 targets devices based on the Apple A7, A8, and A8X chip sets, which includes the iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation), while iOS 15.7.3 and iPadOS 15.7.3 target devices based on the A9/A9X and A10/A10X chip sets, which includes the iPhone 6s and iPhone 6s Plus, iPhone 7 and iPhone 7 Plus, iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).

As we have previously posted in Apple Releases iOS 12.5.7, iOS 15.7.3. What About Low-Level Extraction?, iOS Forensic Toolkit utilizes an extremely robust extraction process that is almost OS-agnostic. Our implementation of the checkm8 extraction process survives through minor iOS updates such as iOS/iPadOS 15.7.3, and supports most public and developer pre-release versions of iOS/iPadOS. However, there is a minor inconvenience when using the checkm8 process with a version of iOS/iPadOS that is not yet known to iOS Forensic Toolkit.

The fixed inconvenience

Our checkm8 extraction process does not require us redistributing any parts of Apple proprietary code. Instead, the tool will request the end user to download the original firmware image from Apple, which will be used to boot the device. The tool displays a list of download links at some point of applying the exploit; the URLs depend on the hardware and version of iOS installed on the device. In some cases detecting the exact iOS build based on the iBoot version is impossible as some versions of iOS use the same iBoot. If this happens, the tool lists several download links to potential matches.

The inconvenience is this: if the device runs a version of iOS that iOS Forensic Toolkit does not know anything about, the correct download link will not be displayed. There are two possible solutions. First, one can try using the best match (the iOS build that is closest to the installed OS). This may or may not work. If it doesn’t, the device may simply reboot (learn how to deal with accidental reboots); in this case one can find the installed OS version in the log. Alternatively, one can manually look for the matching .ipsw image on Apple Web site and simply pass the URL as an argument when prompted. Yet another way is downloading the required .ipsw file and using the downloaded firmware image instead.

Things get a bit easier if iOS Forensic Toolkit knows about the installed version of iOS. In this case, the correct download link will appear on the list of potential matches. One can simply copy the right URL and paste it into the prompt, or download the firmware image and use its local path as an argument.

TL&DR: support for iOS/iPadOS 16.3, 15.7.3, and 12.5.7 added, download links correctly displayed, inconvenience solved.

The extraction agent

The checkm8 extraction utilizes a hardcoded vulnerability in the bootloader to obtain the highest possible privilege level on affected devices. The vulnerability exists in multiple generations of Apple devices up to and including the A11 generation (the iPhone 8, 8 Plus, iPhone X, and other Apple devices built on similar SoC). iOS 16 effectively mitigates the vulnerability for the iPhone 8, 8 Plus, iPhone X, which makes the checkm8 extraction ineffective on these iPhones.

For all newer devices a different extraction method can be used. We developed an in-house extraction agent,  which is a small app that, once sideloaded onto a device, attempts privilege escalation by exploiting system vulnerabilities. The agent returns pretty much the same set of data as the checkm8 process, which includes the full file system image and keychain. While the extraction agent is device-agnostic, it is limited to certain versions of iOS for which a kernel exploit is available, which is currently iOS 15.5 and older.

Apple TV and Apple Watch

Apple Watch и Apple TV are also supported by our checkm8 extraction process. iOS Forensic Toolkit is the only tool on the market that supports checkm8 on Apple TV and Apple Watch devices. While the Apple TV and Apple Watch devices use identical or similar SoC to other models from the Apple ecosystem, there are important differences that must be taken care of. The latest version of iOS Forensic Toolkit takes care of extraction issues with the Apple TV HD (aka Apple TV 4) running iOS 16. This model is based on the A8 SoC, which is identical to the SoC used in the iPhone 6, and runs a forked version of iOS 16. It is interesting to note that the iPhone 6 and 6 Plus devices do not support iOS 16, while the Apple TV HD (Apple TV 4) does. This in turn means that we had to adapt the checkm8 extraction process specifically for this platform, without a corresponding iPhone device.

In addition, we fixed checkm8 extraction on the Apple Watch S3, a device that set a record on being the longest Apple Watch model available for sale.


REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »