Obtaining Serial Number, MAC, MEID and IMEI of a locked iPhone

March 31st, 2023 by Oleg Afonin
Category: «Tips & Tricks»

Obtaining information from a locked iPhone can be challenging, particularly when the device is passcode-protected. However, four critical pieces of information that can aid forensic analysis are the device’s International Mobile Equipment Identity (IMEI), Mobile Equipment IDentifier (MEID), MAC address of the device’s Wi-Fi adapter, and its serial number. These unique identifiers can provide valuable insights into a device’s history, including its manufacture date, hardware specifications, and carrier information.

In forensic investigations, accessing this information can be crucial for tracing a device’s ownership, determining if it has been stolen or involved in criminal activity, and retrieving important data for legal or investigative purposes. This article will explore the various methods available to forensic investigators for obtaining the device’s MAC address, MEID, IMEI, and serial number information from a locked iPhone.

Method 1: iPhone Diagnostic Mode

The iPhone diagnostic mode reveals essential information about the device such as its serial number, IMEI, and MEID numbers. Additional information such as the exact model identification, iOS version and MAC address of the device’s Wi-Fi adapter is accessible with third-party software such as iOS Forensic Toolkit. Importantly, the diagnostic mode can be invoked even if the iPhone is passcode-protected or locked.

To enter iPhone Diagnostic Mode follow these steps.

  1. Press and hold both the volume up and volume down buttons.
  2. While holding the two buttons, plug the Lightning cable into the iPhone‌ and connect it to a computer or power adapter.
  3. Wait for the Apple logo to appear, then release the buttons.

The following screen will display the device’s serial number, MEID, and IMEI numbers.

If you use iOS Forensic Toolkit while the iPhone is in Diagnostic Mode, you will be able to access additional information that does not appear on the device’s display, such as:

  • Exact model number and color of the iPhone
  • Wi-Fi MAC address
  • iOS version number and built number
  • IDs of certain hardware
  • Some additional information, which will be exported as an XML

Method 2: Recovery Mode

In iOS, Recovery is a failsafe method for recovering devices if they become unresponsive. The Recovery mode, also known as “second-stage loader”, boots the device in iBoot (bootloader) mode. iBoot can be used to flash the device with a new OS. iBoot responds to a limited number of commands, and can return some limited information about the device. As iBoot does not load iOS, it also does not carry many iOS restrictions. In particular, iBoot/Recovery mode allows connecting the device to the computer even if USB data transfers are disabled, the device is locked, or the screen lock passcode is unknown.

Compared to Diagnostic Mode, Recovery provides even less information about the device. In particular, the following data is available:

  • Device model: two representations of the device model, e.g. iPhone7,2 (n61ap), iPhone10,6 (d221ap) etc.
  • ECID (UCID). The ECID (Exclusive Chip Identification) or Unique Chip ID is an identifier unique to every unit, or more accurately, to every SoC.
  • Serial number

Read more about the Recovery mode:

The True Meaning of iOS Recovery, DFU and SOS Modes for Mobile Forensics

Method 3: DFU mode

Unlike Recovery, DFU mode was never intended for general use. This mode lacks proper documentation, and requires precise timing for every step (otherwise the device will simply reboot). As a result, entering DFU mode can be difficult even for experts, especially if the device has one or more buttons broken.

The DFU mode returns even less information compared to the Recovery mode, and significantly less information than Diagnostic mode.

  • Device model: two representations of the device model, e.g. iPhone7,2 (n61ap), iPhone10,6 (d221ap) etc.
  • ECID/Unique Chip ID: XXXXXXXXXXXXXXXX

Serial number and IMEI number are never available in DFU. DFU does not return iOS version number; however, iBoot version number is available through DFU, which allows guesstimating iOS version number.

Read more about information available in DFU mode and steps to enter DFU on various Apple devices:

The True Meaning of iOS Recovery, DFU and SOS Modes for Mobile Forensics

Conclusion

The IMEI, MEID, MAC address, and serial number of the device are crucial pieces of information that can aid forensic investigations in understanding an iPhone’s history, ownership, and involvement in criminal activities. While obtaining this information from a locked iPhone can be challenging, various methods are available to forensic investigators, including iPhone Diagnostic Mode, Recovery Mode, and DFU Mode. Each method provides different levels of information, with iPhone Diagnostic Mode providing the most comprehensive details.


REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »