Elcomsoft iOS Forensic Toolkit 8.81 expands OS version support for checkm8, bringing iOS 17 and 18 compatibility for devices that can run these versions of the OS, which includes iPad 6 and 7, iPad Pro 2, AppleTV HD and AppleTV 4K (1st gen) as well as the original HomePod.

The update to Elcomsoft iOS Forensic Toolkit 8.81 expands compatibility of bootloader-level checkm8 extractions, adding support for all versions of iPadOS, tvOS, and audioOS 17 and 18 for macOS and Linux editions.

checkm8 extractions now support all subversions and variations of iOS 17 and 18 on those devices that are capable of running these builds, providing full file system extraction and keychain decryption functionality.

The challenge

iOS 17 introduced major changes in the way encryption keys are generated and managed, which introduces a technical challenge. While the original checkm8 exploit continued to work as expected, the process of unlocking the disk had to be extensively redesigned due to the new method of handling the encryption keys. This required significant efforts to adapt the Toolkit to Apple’s new protection model, ensuring that full file system and keychain access are once again possible for supported devices.

Why it matters?

Full file system extraction for iOS 18 provides unique insight into the evolving data structures and storage mechanisms used by Apple devices. Importantly, Apple TV and HomePod devices cannot be protected with a passcode, so their extraction can offer a valuable alternative source of evidence when the user’s main device is locked, damaged, or unavailable.

Supported hardware

The following devices are capable of running iOS 17 and/or 18:

• iPad 6
• iPad 7
• iPad Pro 2
• AppleTV HD
• AppleTV 4K (1st gen)
• HomePod (1st gen)

Notably, the last supported version for iPad 6 and iPad Pro 2 is iPadOS 17; other listed devices support both versions of the OS. Both Apple TVs and the original HomePod can run the latest versions of iOS 26. Support for these versions of the OS is currently work in progress.

iOS Forensic Toolkit 8.81 release notes

• checkm8: added full file system & keychain extraction for iPadOS/tvOS/audioOS 17 running on iPad 6 & 7, iPad Pro 2, Apple TV HD and 4K (1st gen), HomePod (1st gen) via bootloader exploit (macOS & Linux versions)
• checkm8: added full file system & keychain extraction for iPadOS/tvOS/audioOS 18 running on iPad 7, Apple TV HD and 4K (1st gen), HomePod (1st gen) via bootloader exploit (macOS & Linux versions)
• bugfix: minor bug fixes and compatibility improvements