Perfect Acquisition Part 4: The Practical Part

April 11th, 2023 by Elcomsoft R&D
Category: «Mobile», «Tips & Tricks»

Welcome to Part 4 of the Perfect Acquisition series! In case you missed the other parts (1, 2, and 3), please check them out for more background information, or dive straight in and learn how to perform Perfect HFS Acquisition yourself. This section contains a comprehensive guide on how to perform the Perfect HFS Acquisition procedure.

Note: A5-based devices, which include the iPhone 4s, iPod Touch 5, iPad 2 and 3, the original iPad mini and Apple TV 3, require a solution based on the Raspberry Pi Pico. Please refer to checkm8: Unlocking and Imaging the iPhone 4s for details.

TL;DR

The Perfect HFS Acquisition procedure consists of three stages, which are creating a perfect dump, acquiring a complete set of decryption keys, and decrypting the dump. The following conditions must be met to use this method: HFS file system (APFS not supported), and no SEP. The guide then provides instructions for creating a perfect dump, which involves booting into EIFT, creating a disk dump, and optionally dumping the system partition. The next step is to acquire a complete set of decryption keys. We provide instructions on how to extract the system keybag and crack the passcode if necessary.

Compatibility

The following method applies only to devices that meet the following conditions:

  • iOS devices using the HFS file system (APFS not supported)
  • iOS devices without SEP

Furthermore, our software currently does not work on the iPhone 2G, iPhone 3G, iPod Touch 1 and iPod Touch 2. This may change in the future.

The following devices are fully supported:

  • iPhone 3Gs – iPhone 5c
  • iPod Touch 3 – iPod Touch 5
  • iPad 1 – iPad 4, iPad Mini 1
  • Apple TV 2 – Apple TV 3

The three stages of Perfect HFS Acquisition

The Perfect HFS Acquisition procedure consists of three stages.

  1. Create a perfect dump
  2. Acquire a complete set of decryption keys
  3. Decrypt the dump

Creating a perfect dump

In this section, you will be creating a perfect dump of the data partition, extracting BFU keys, and making an optional dump of the system partition.

First boot into EIFT:

./EIFT_cmd boot -w

Dump the data partition

./EIFT_cmd ramdisk diskdump -o data.dmg

Note: If the device was shut down uncleanly or the file system is corrupt, you may get an error like this:

[Error] [!] Data partition is in an unclean state, please run fsck first to fix potential inconsistencies!
    Alternatively pass --unclean, to ignore this and proceed with dumping anyways!

In this case add the --unclean flag to ignore the error and dump anyways.

ATTENTION: If the file system is indeed corrupt, you may need to deal with it at a later stage. It may be necessary to repair the corruption in the dump or to inspect the image manually.

Note: In that case it is recommended to create a copy of the dump and perform modifications on the copy rather than on the original dump.

During this procedure the device will not be modified at any time and stays 100% sound and repeatable.

In case of an unclean file system, perform the dump with the following command:

./EIFT_cmd ramdisk diskdump --unclean -o data.dmg
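The note above recommends repairing or inspecting a copy of the dump rather than the original. The following helper, added here as an example and not part of EIFT or this guide, seals a freshly created dump with a SHA-256 hash, produces a verified working copy, and later proves the original is still untouched. File names (data.dmg, data_work.dmg) and the sample contents are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256; real dumps are gigabytes, so never read them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def seal_dump(path):
    """Record the hash of a dump next to it (<dump>.sha256, sha256sum-compatible) and return it."""
    digest = sha256_file(path)
    with open(path + ".sha256", "w") as fh:
        fh.write(f"{digest}  {os.path.basename(path)}\n")
    return digest


def verify_dump(path):
    """Re-hash the dump and compare with the sealed value; True when the file is unchanged."""
    with open(path + ".sha256") as fh:
        expected = fh.read().split()[0]
    return sha256_file(path) == expected


def make_working_copy(path, copy_path):
    """Copy the dump for repair/inspection and confirm the copy is bit-identical before use."""
    shutil.copyfile(path, copy_path)
    if sha256_file(copy_path) != sha256_file(path):
        raise RuntimeError("working copy does not match the original dump")
    return copy_path


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)
    return path


# Constructed sample with a known digest, used to sanity-check sha256_file().
SAMPLE_ABC = _write(os.path.join(tempfile.mkdtemp(), "abc.bin"), b"abc")


def run_scenario():
    """Seal a constructed data.dmg, repair a copy of it, and show the original is intact.

    Returns a dict so the outcome can be checked programmatically.
    """
    workdir = tempfile.mkdtemp()
    original = _write(os.path.join(workdir, "data.dmg"), bytes(range(256)) * 4096)  # constructed 1 MiB "dump"
    sealed = seal_dump(original)
    copy = make_working_copy(original, os.path.join(workdir, "data_work.dmg"))
    # Simulate a repair (e.g. an fsck-style fix) that rewrites part of the working copy only.
    with open(copy, "r+b") as fh:
        fh.seek(1024)
        fh.write(b"\xff" * 16)
    return {
        "sealed_digest": sealed,
        "original_intact": verify_dump(original),
        "copy_differs": sha256_file(copy) != sealed,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Seal data.dmg (and system.dmg) immediately after diskdump finishes, and run verify_dump on the original before every later decryption step so that any accidental write to the primary evidence is caught instead of silently propagated.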

Dump the system partition (optional)

Optionally, it is possible to also dump the system partition. On unmodified devices there will be nothing interesting on the system partition, however a jailbreak or malware could modify the system partition. On older devices (especially those which used to be jailbroken a lot) the system partition should be dumped for good measure.

Dump the system partition with this command:

./EIFT_cmd ramdisk diskdump --system -o system.dmg

Note: If the device was shut down uncleanly or the file system is corrupt, you may get an error. In that case pass the --unclean parameter to dump the partition anyway.

Dump BFU keys

To dump BFU keys run the following command:

./EIFT_cmd ramdisk dumpkeys -n -o keys_bfu.plist

This dump will contain an incomplete set of keys. A complete set of keys will be acquired at a later stage.

Congratulations, you now have a perfect dump of the device. The system partition is not encrypted and can already be analyzed. To decrypt the data partition, a complete set of keys needs to be acquired as described in the next section.

Acquiring a complete set of decryption keys

You need to acquire a complete set of decryption keys in order to access userdata. Without those keys only limited (BFU) data will be available.

The following passage will describe how to acquire a complete set of keys by using the target device as an oracle.

IMPORTANT: You have to perform the following procedure on the exact same device as you acquired the dump from. You cannot use a different device.

Note: It does not matter what state the device is in. The device can still be used even if it has been tampered with or the data has been erased from the device in the meantime. Modifications to the device at this point do not impact the soundness of the dump created earlier.

In the following we assume the device is already booted into EIFT ramdisk mode.

Extract systembag.kb

In order to extract the system keybag, you need to be in possession of a data dump (data.dmg) and the corresponding BFU keys (keys_bfu.plist).

Note: A complete set of keys can also be used at this stage.

Run the following command to extract the system keybag:

./EIFT_cmd hfstool -i data.dmg -p /keybags/systembag.kb -e -o systembag.kb -k keys_bfu.plist --no-passcode

The command should create a new file called systembag.kb.
At this point you should verify whether the file got decrypted correctly! The file is expected to start with the bytes bplist. This can be verified using the following command on a UNIX system:

head -c 6 systembag.kb | hexdump -C

This should output:

00000000  62 70 6c 69 73 74                                 |bplist|
00000006

Alternatively, you can try opening the file in any plist viewer. If the file can be opened, then the decryption was successful!
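The check above (a bplist header, and a file a plist viewer can open) can be automated so that a wrong or incomplete key set is noticed before the passcode stage. The following script is an added example, not part of EIFT or this guide: it tests the magic bytes and then parses the file with Python's plistlib, reporting the top-level keys. The sample keybag it constructs is just a generic binary plist; the key names "version" and "payload" are invented for the demonstration and say nothing about the real layout of systembag.kb.

```python
import os
import plistlib
import tempfile

# A correctly decrypted systembag.kb is expected to begin with these bytes.
KEYBAG_MAGIC = b"bplist"


def verify_keybag(path):
    """Check that an extracted systembag.kb decrypted correctly.

    Returns a dict:
      magic_ok - file starts with b"bplist"
      plist_ok - file parses as a binary plist
      keys     - sorted top-level keys of the parsed plist (empty on failure)
    A wrong BFU key set leaves the file as ciphertext, which fails the magic check;
    a truncated extraction passes the magic check but fails to parse.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    result = {"magic_ok": data.startswith(KEYBAG_MAGIC), "plist_ok": False, "keys": []}
    if not result["magic_ok"]:
        return result
    try:
        parsed = plistlib.loads(data, fmt=plistlib.FMT_BINARY)
    except (plistlib.InvalidFileException, ValueError):
        return result
    result["plist_ok"] = True
    if isinstance(parsed, dict):
        result["keys"] = sorted(parsed.keys())
    return result


def _write_sample(name, payload):
    """Write constructed sample bytes to a fresh temp dir and return the path."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as fh:
        fh.write(payload)
    return path


# Constructed samples (not real keybags):
#   GOOD_KEYBAG      - a valid binary plist, stands in for a correctly decrypted file
#   BAD_KEYBAG       - deterministic non-plist bytes, stands in for ciphertext left by wrong keys
#   TRUNCATED_KEYBAG - correct magic but cut off, stands in for a partial extraction
_GOOD_BYTES = plistlib.dumps({"version": 3, "payload": b"\x00" * 16}, fmt=plistlib.FMT_BINARY)
GOOD_KEYBAG = _write_sample("systembag.kb", _GOOD_BYTES)
BAD_KEYBAG = _write_sample("systembag_bad.kb", bytes(range(256)))
TRUNCATED_KEYBAG = _write_sample("systembag_trunc.kb", _GOOD_BYTES[:20])


if __name__ == "__main__":
    for sample in (GOOD_KEYBAG, BAD_KEYBAG, TRUNCATED_KEYBAG):
        print(os.path.basename(sample), verify_keybag(sample))
```

Run it against the systembag.kb produced by hfstool; only a result with both magic_ok and plist_ok set should be passed on to the passcode and dumpkeys commands, since those steps cannot succeed on an undecrypted keybag.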

Cracking the passcode

If the passcode is not known, it can be cracked at this point. If you already know the passcode, you can skip this step.

For cracking the passcode you will need the system keybag (systembag.kb) and the BFU keys (keys_bfu.plist). This will allow cracking the passcode of that specific system keybag from the corresponding device.

To run passcode crack with the default config, run the following command:

./EIFT_cmd ramdisk passcode -b systembag.kb -k keys_bfu.plist

Getting a complete set of keys

To get a complete set of keys, you are required to have the system keybag (systembag.kb) and the BFU keys (keys_bfu.plist) as well as to know the passcode of the keybag. If the passcode is not known, you can crack it as described in the previous step.

Run the following command to get a full set of keys:

./EIFT_cmd ramdisk dumpkeys -k keys_bfu.plist -b systembag.kb -o keys.plist -p <PASSCODE>

Replace <PASSCODE> with the device passcode. For example, if the passcode is 0000, the command looks like this:

./EIFT_cmd ramdisk dumpkeys -k keys_bfu.plist -b systembag.kb -o keys.plist -p 0000

If the device does not have a passcode set, you can omit the -p parameter.

This should create a new file called keys.plist, which is the complete set of keys required to decrypt all files.

Decrypting the dump

For decrypting the data dump (data.dmg), you need to have a complete set of decryption keys (keys.plist). The previous section describes how to get them using the same device the dump was performed on.

Decrypt the data

To decrypt the dump, run the following command:

./EIFT_cmd hfstool -i data.dmg -o data_dec.dmg -k keys.plist -j 16 -d

Note: The -j parameter specifies the number of threads to use for decryption. The number 16 is a good value for a modern machine. You can decrease the number if you have an old machine with very little RAM or increase it if you have a lot of computing power.

Extract the keychain

To extract and decrypt the keychain from the dump, run the following command:

./EIFT_cmd tools keychain -i data.dmg -k keys.plist -o keychain.xml

Note: It doesn’t matter if the encrypted or decrypted image is used for this command. If the encrypted image is used (as shown) the necessary files are decrypted on the fly.

This should create a new file called keychain.xml.