The seventh beta of iOS Forensic Toolkit 8.0 for Mac introduces passcode unlock and forensically sound checkm8 extraction of iPhone 4s, iPad 2 and 3. The new solution employs a Raspberry Pi Pico board to apply the exploit. Learn how to configure and use the Pico microcontroller for extracting an iPhone 4s!

Introduction

We are introducing a hardware add-on to help experts use checkm8-based extraction on supported iPhone and iPad devices. The Raspberry Pi Pico board can be used to streamline the process of placing the iPhone or iPad into DFU and performing the initial steps of the exploit. By offloading this job onto the hardware board we are making the process easier for the expert while adding support for Apple hardware for which software-only support is unfeasible or plain impossible.

For most devices susceptible to the checkm8 exploit experts can do with or without the Pico board. However, there is one notable exception, which includes the entire range of Apple devices based on the A5 SoC: the iPhone 4s, iPod Touch 5, iPad 2 and 3, the original iPad mini and Apple TV 3. Due to device specifics, the exploit requires a fine-grained control that we get by using a microcontroller. To achieve this task, checkm8 developers had only released the exploit for Arduino boards, while we opted for the Raspberry Pi Pico instead.

If you need to unlock and/or extract an iPhone 4s, you will require a custom firmware image for the Pico board. The firmware image is included with iOS Forensic Toolkit free of charge. We are planning to add support for newer generations of Apple devices in near future.

Compatibility

This guide is applicable to the iPhone 4s, iPod Touch 5, iPad 2 and iPad 3, iPad Mini, Apple TV 3 devices running any version of iOS.

Before you begin

Checkm8 is a complex exploit with several pre-requisites, while the iPhone 4s uses a different USB controller requiring a very special approach for entering pwned DFU. Make sure you have everything handy before you begin.

1. A Mac computer. You will need a Mac to install the exploit and perform the extraction. We support both Intel and M1-based Macs with a universal build of iOS Forensic Toolkit. At this time, Windows is not supported.
2. iOS Forensic Toolkit 8.0 beta for Mac. You will require the Mac edition of the tool. Both Windows and Mac editions are included with every purchase of iOS Forensic Toolkit. iPhone 4s support has appeared in the seventh beta of the tool.
3. A compatible iPhone 4s, iPod Touch 5, iPad 2 or iPad 3, iPad Mini, Apple TV 3 device. At this time, devices based on the A5 (S5L8940), A5 Rev A (S5L8942) and A5X (S5L8945) are supported. The device must be functional enough to be placed into DFU mode.
4. If the screen lock passcode is unknown, you will have an option to recover it.
5. A Raspberry Pi Pico board built to specification (see below).

Building the Pico board

You will need a Raspberry Pi Pico to apply the checkm8 exploit to the iPhone 4s. Since the Pico board has a single USB port, which will be used to connect to the iPhone, you will also need a power source. We recommend the following configuration:

1. A Raspberry Pi Pico board with soldered pin headers:
2. A battery “UPS” solution for the board such as the Pico-UPS-A-EN (Amazon link, manufacturer) as well as a compatible battery.We used the following battery backup based on a single 14500N element because we had it handy; battery not shown and must be purchased separately:
3. An micro-USB OTG cable:
4. A regular USB to micro-USB cable to flash the Pico board.

The finished board will look as follows:

A word on battery backup

The listed battery backup solution for the Pico board based on a single 14500 element will only provide 3.7V, which is enough to apply the exploit but NOT enough to place the iPhone into DFU. For placing the device into DFU you’ll have to do it manually (and then connect the iPhone to the Pico board).

Installing iOS Forensic Toolkit 8.0

Please refer to checkm8 Extraction of iPhone 8, 8 Plus and iPhone X for detailed installation instructions. The only difference will be the folder name; EIFT8B7 instead of EIFT8B4. Please note that there are two different images for macOS Big Sur and newer (normal), as well as High Sierra through Catalina (legacy).

1. There are separate installation packages for current and legacy versions of macOS.
   • macOS Monterey and Big Sur: Intel and M1 are supported
   • For legacy macOS versions including macOS High Sierra, Mojave, Catalina: Intel only
2. Download the .dmg image and mount it with a double-click (you will need a password for that; the password was provided in your order confirmation email).
3. Copy the EIFT8B8 or EIFT8B7L to a known location on your computer (e.g. desktop).
4. Launch Terminal and remove the quarantine flag (make sure to specify the full path to the installation folder).
5. In Terminal, cd into the EIFT installation folder and launch ./EIFT_cmd with required command-line parameters.

Flashing the Pico board

Before connecting the iPhone to the Pico board, you will need to flash it with a custom firmware image. The firmware image is provided with iOS Forensic Toolkit.

To flash the Raspberry Pi Pico board, follow these steps.

1. Make sure that the latest build of iOS Forensic Toolkit 8.0 for Mac is installed. You will need the beta 7 or newer.
2. Press and hold the button on the Pico board.
3. Connect the board to the Mac with a regular micro-USB cable.
4. The board will appear as an external storage.
5. Drag and drop the “picom8.uf2” file from the EIFT root folder onto the storage.
6. The Pico board will be flashed and rebooted.
7. After the board finishes rebooting, it is ready for work.

Command line parameters

Once again, refer to checkm8 Extraction of iPhone 8, 8 Plus and iPhone X to understand the basic command line  parameters of iOS Forensic Toolkit. We’ll use those commands in the subsequent step-by-step guide.

iPhone 4s checkm8 extraction

First, you will need to place the iPhone into DFU. You will need to connect the device to a computer first to put into DFU mode, then disconnect from computer and connect to the Pico board.

• The device will not go into DFU mode if less than 5V are applied.
• The device will not go into DFU mode if it’s not connected to anything at all.

To place the device into DFU, follow these steps:

1. Plug the iPhone into the computer.
2. Turn it off.
3. Press and hold the Power button for 3 seconds.
4. Press and hold the Home button without releasing the Power button for 10 seconds.
5. Release the Power Button but keep holding the Home button.
6. Keep holding the Home button until you are alerted by iTunes saying that it has detected a device in Recovery Mode.

The phone screen should remain blank. If the iTunes logo is present, you are in Recovery and not DFU. If this is the case, repeat the steps to get into DFU.

Once the iPhone is in DFU, connect it to the Raspberry Pi Pico board to apply the exploit. The exploit is applied automatically by the board. A repeated short blink and long pause of the LED will indicate success once the device is exploited. For error codes and for more information on LED status please refer to the user manual provided with EIFT.

Once the exploit has been applied, disconnect the iPhone from the Pico board and connect it to the computer. You will then use iOS Forensic Toolkit normally by following the unlock and extraction process for 32-bit devices (iPhone 4 and 5/5c).

Notes on applying the exploit

Sometimes it takes two to three tries for the exploit to work. The Pico board may indicate an error; if that happens, place the iPhone into DFU again and connect it to the Pico for another try.

Once device is exploited, boot the ramdisk by executing the following command in iOS Forensic Toolkit:

./EIFT_cmd boot

The command launches the exploit. The code detects the OS version installed on the iPhone and provides a download link. If there are multiple potential matches, several download links will be displayed; we recommend taking the last link from the list. Download the file from the link, and drop the .ipsw file onto the console window.

Our extraction solution does not use the operating system installed on the iPhone to boot the device. Instead, a separate, patched version of the original Apple firmware is booted in the device RAM.

Like with other checkm8-compatible devices, you will see “Booting” then “Exploited” on the device screen. For 32-bit devices, use the following commands:

Mount the filesystem:

./EIFT_cmd ramdisk mount

This may require running fsck if there was an unclean shutdown and the dirty bit is set:

EIFT_cmd ramdisk fsck_hfs –data

Unlock

If the iPhone is locked and the passcode is not known, run the following command to brute-force the passcode:

./EIFT_cmd ramdisk passcode

Dump keys:

./EIFT_cmd ramdisk dumpkeys -p <passcode> -o keys.plist

Dump data by imaging the user partition:

./EIFT_cmd ramdisk diskdump -o data.dmg

Decrypt data using the previously extracted keys:

./EIFT_cmd tools decrypthfs -i data.dmg -o data_dec.dmg -k keys.plist

Decrypt keychain:

./EIFT_cmd tools keychain -i data.dmg -o keychain.xml -k keys.plist

For faster decryption you can optionally add the -j parameter to decrypt with more threads. For example “-j 10” for spawning ten decryption threads.

Conclusion

The iPhone 4s and iPad 2 and 3 are undoubtedly legacy. Despite that, these devices are still relatively common. They may still contain valuable evidence ranging from personal pictures to messages and other data, not to mention the passwords. The hardware-based approach made it possible to create a truly reliable and complete solution for unlocking and extracting the device and decrypting the user’s passwords. As opposed to software-only solutions, the Pico-based one is very reliable, as there are no dependencies on the host system or version, USB controller and voltage, cables, and so on (everyone who worked with checkm8 knows what I am talking about).