iOS Forensic Toolkit 5.20 adds future-proof file system extraction support for Apple devices with checkra1n jailbreak

Elcomsoft iOS Forensic Toolkit 5.20 is updated with file system extraction support for select Apple devices running all versions of iOS from iOS 12 to iOS 13.3. Making use of the new future-proof bootrom exploit built into the checkra1n jailbreak, EIFT is able to extract the full file system image and decrypt passwords and authentication credentials stored in the iOS keychain.

Elcomsoft iOS Forensic Toolkit 5.20 was a major rework, adding one essential feature and one small but welcome usability improvement. The major addition in this release is the ability to extract the file system of select Apple devices running all versions of iOS supported by the new bootrom exploit. iOS Forensic Toolkit 5.20 utilizes the checkra1n exploit to access the file system and to extract and decrypt the keychain.

Supported devices range from the iPhone 5s all the way up to the iPhone 8, 8 Plus and the iPhone X. Apple iPad devices running on the corresponding CPUs are also supported, which includes models ranging from the iPad mini 2 all the way up to the 2018 iPad, iPad 10.2, iPad Pro 12.9 (1.Gen) and iPad Pro 10.5. In addition, iOS Forensic Toolkit 5.20 supports Apple TV HD (ATV4) and Apple TV 4K.

In the end, iOS Forensic Toolkit 5.20 brings future-proof physical acquisition support for many Apple devices regardless of the version of iOS. While support for future iOS builds may not instantly appear, only minor modifications are expected to support Apple’s future versions of iOS.

A jailbreak is required in order to perform physical acquisition. For the first time since the iPhone 4, jailbreak developers have discovered a hardware-bound, unpatchable vulnerability in all Apple devices built with an Apple A7, A8, A9, A10 or A11 SoC. Unlike previous works, the checkra1n jailbreak is future-proof: the exploit lies in the bootrom that cannot be patched by Apple.

For the first time, iOS Forensic Toolkit 5.20 supports partial acquisition for BFU (before first unlock) devices, as well as for locked devices with unknown screen lock passcode. The jailbreak is installed via DFU mode and is available for all compatible devices regardless of their lock state or BFU/AFU status. Finally, iOS Forensic Toolkit 5.20 makes it possible to perform partial file system extraction for devices in USB restricted mode.

The new jailbreak can be installed on devices with known or unknown screen lock passcode; more on that in our blog: iOS Device Acquisition with checkra1n Jailbreak

There is also one usability improvement in EIFT 5.20 that will spare some typing. iOS Forensic Toolkit 5.20 now automatically fills in the default root password ‘alpine’ on jailbroken Apple devices when prompted. If the password has been changed, users can still type it in manually.

Release notes:

  • Added file system extraction and keychain decryption support for select Apple devices supported by the checkra1n jailbreak (iPhone 5s through iPhone X; iOS up to 13.2.3 beta)
  • UX improvement: the default root password is now filled in automatically when prompted
  • Fix: some pairing issues with lockdown records have been resolved
