The checkm8 exploit for iOS devices emerged in September 2019. It opened new doors for digital forensics researchers and investigators, who are always looking to extract and analyze data from devices.
Can I extract data from a blocked or damaged iPhone? Can I find the PIN code of a blocked device? You will find the answers to these questions and more in this article.
On September 27, 2019, the Twitter user Axi0mX presented the checkm8 exploit to the public. Checkm8 exploits a BootROM vulnerability present in millions of Apple devices (from the iPhone 4s to the iPhone X).
Axi0mX later deleted the original post, but copies of it can still be found on the web.
Figure 1: Axi0mX’s original post on Twitter.
After the announcement, several firms (especially those that develop forensic software for mobile device research) and enthusiasts began developing jailbreak procedures based on the exploit. Their work was largely successful.
Today, the most popular jailbreaks based on the checkm8 exploit are Checkra1n and King. Proprietary jailbreak procedures based on the same exploit were also developed; they are used in premium digital forensic products.
So that the processes described in this article are clear, we first define the relevant terms.
A Jailbreak is a program or procedure that provides you with top-level access to the file system of an iOS device.
A Jailbreak is needed to install tweaks, apps from third-party sources, etc., on an iOS device. In digital forensics, jailbreaks allow you to extract the full file system and keychain data from iOS devices.
You can find more information on public jailbreaks developed for specific iOS versions and iPhone models in the IOS jailbreaking article.
A tethered jailbreak is the kind of jailbreak that requires you to perform the procedure every time the device is rebooted.
Keychain is the technology that stores sensitive user data securely.
By sensitive data, we are referring to names and passwords for websites, credit card data, credentials used to connect to wireless networks, private keys, certificates, etc.
Apple devices use the Advanced Encryption Standard (AES)—the industry-standard 256-bit encryption—to protect the data stored in keychain.
SecureROM is the part of the ROM containing the code that the processor runs first at power-on (or restart).
This code normally loads the next-stage bootloader from the device's flash memory or, if the device is in DFU mode, accepts an image sent over USB. SecureROM then verifies the signature of the loaded image using its built-in cryptographic routines before running it.
The data in SecureROM is read-only.
A bootloader is a program that loads and starts the operating system when a device is turned on.
In iOS, the bootloader plays an important role in securing the operating system: it ensures that the device boots only legitimate code that is digitally signed by Apple.
After First Unlock (AFU) is the mode an iOS device enters once the correct passcode has been entered following a restart or power-on.
AFU is less secure than BFU. When a device is in AFU mode, its files are not encrypted, and they can be extracted by digital forensics tools.
Before First Unlock (BFU) is the mode an iPhone is in immediately after a reboot or power-on event, while it has not yet been unlocked.
In other words, after you restart or turn on an iPhone, the device switches to BFU and stays in this mode until you enter the correct passcode.
In BFU, most files remain encrypted until the correct passcode gets entered.
Device Firmware Update (DFU) mode is the firmware update mode built into iOS devices. Firmware updates let users change the software on a device, which comes in handy when a damaged device must be restored to a healthy state.
With DFU, if necessary, you can downgrade the operating system version running on a device; you can jailbreak a device; and so on.
The way to enter DFU mode differs across devices. To learn more about getting an iOS device into DFU mode, see the How to Put an iPhone in DFU Mode, the Apple Way article.
The procedure to get a device into DFU mode might be tricky. You have to follow all instructions correctly. Otherwise, the device will not enter DFU mode.
The procedure is made harder by the fact that a device in DFU mode looks (on screen) exactly as it does when turned off; there is no way to tell from its appearance whether the device has successfully entered DFU mode.
Sometimes, instead of entering DFU mode, you will need to get a device out of it. You will find the required information in the Exiting DFU Mode section of the DFU Mode article.
Checkm8 is a SecureROM exploit that takes advantage of a vulnerability in an iOS device to grant a user administrative (root) access to the device.
Checkm8 allows you to obtain elevated privileges on all Apple devices released between 2011 and 2017 (from the iPhone 4s to the iPhone X), regardless of the iOS version installed.
This vulnerability is permanent; it cannot be patched through software updates. If Apple wanted to fix it, it would have to recall millions of devices around the world and modify the BootROM code in them.
Checkm8 allows you to perform a tethered jailbreak. The exploit code runs in the device's RAM, so after a restart the user sees no obvious sign that the device was jailbroken.
There are several jailbreak implementations based on the checkm8 exploit. Some developers released jailbreaks similar to Checkra1n. Others have gone their own way to develop their own unique jailbreak procedures (for example, Cellebrite).
See the Technical analysis of the checkm8 exploit article to learn more about the checkm8 exploit.
Checkra1n is a semi-tethered jailbreak based on the Checkm8 exploit. It was developed by a group of enthusiasts. Today, it is still one of the popular programs used to jailbreak iOS devices.
Initially, checkra1n was developed for macOS alone; it was then ported to Linux. Currently, enthusiasts are probably working on porting it to Windows.
After Checkra1n for Linux was released, enthusiasts were able to run it on an Android device.
Figure 2: Checkra1n jailbreak ported to Android.
When investigators and researchers tried to use public jailbreaks based on the checkm8 exploit, they encountered these challenges:
- An Apple developer account is required to use certain jailbreaks. This account costs $99 per year. Some people cannot afford such expenses.
- The jailbreaks were originally developed for macOS. Some people do not have a Mac or cannot afford workstations that run macOS.
- Several jailbreaks based on checkm8 leave remnants in the file system of the device, which makes it possible to determine that the device was jailbroken. This runs counter to forensic principles: like other forms of evidence, digital evidence must remain pristine and unaltered.
The jailbreak in Belkasoft Evidence Center (BEC) is defined by these features:
- Belkasoft Evidence Center exploits an “unpatchable” vulnerability in iOS devices. The vulnerability is in the BootROM and cannot be fixed by the software updates Apple sends to iOS devices.
- The jailbreak allows you to extract data in a forensically sound manner. No traces are left behind on the device on which the jailbreak gets performed.
- Support for iOS devices from the iPhone 5s to the iPhone X running iOS 12.3 to 13.4.1 (at the time this article was written). For older iOS versions, Belkasoft Evidence Center employs a different vulnerability.
- The jailbreak can be used on Windows. No Mac workstation is needed.
This is the full list of supported devices (iPhones):
iPhone 5s, iPhone 6, iPhone 6 Plus, iPhone 6s, iPhone 6s Plus, iPhone SE, iPhone 7, iPhone 7 Plus, iPhone 8, iPhone 8 Plus, iPhone X
Soon, Belkasoft will implement support for these devices:
- iPads: iPad 2, iPad Mini, iPad Mini 2, iPad Mini 3, iPad Mini 4, iPad Air, iPad Air 2, iPad 5 (2017), iPad Pro (12.9 inch), iPad Pro (9.7 inch), iPad Pro (10.5 inch), iPad Pro (12.9 inch), iPad 6G, iPad 7G.
- Apple TVs using the A11 chip or an older processor.
- Apple watches using the A11 chip or an older processor.
When extracting the full file system and keychain data from an iOS device, the researcher has to take note of these things:
- The jailbreak procedure in Belkasoft Evidence Center can only be used on a computer running Windows 10.
- The device to be studied must be physically connected to the computer through a USB 3.0 port.
- The computer must have iTunes installed from the Microsoft store.
Before you start the extraction, create a new case in Belkasoft Evidence Center.
On the Add data source screen, click on Mobile.
Click on Apple Checkm8.
Figure 3: The Select mobile type for acquisition screen in Belkasoft Evidence Center.
Now, you must specify the parameters for the device you intend to study, such as its model and the iOS version running on it.
Get the device to DFU mode (by following the instructions on your screen).
The device status is displayed on the right side of the window. As soon as the device enters DFU mode, its status will appear on your screen. You will then have to specify the path where the extracted data must be saved and click on the Next button.
Figure 4: The Checkm8 screen showing the device status in Belkasoft Evidence Center.
Once extraction completes, the full file system and keychain data will have been extracted from the iOS device.
Belkasoft Evidence Center will prompt you to choose the artifacts you want to analyze in groups.
Figure 5: The data types for analysis screen in Belkasoft Evidence Center.
After BEC analyzes the extracted data, it will present them in categories. Data extracted from keychain falls under the Passwords category.
Figure 6: Extracted data categories in Belkasoft Evidence Center.
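The features listed above promise a forensically sound extraction, and the usual way to demonstrate afterwards that the extracted copy has not changed is to hash every file right after acquisition and re-verify before analysis. The following script is an added example written for this article; it is not Belkasoft Evidence Center code, and the file names it creates (a DataUsage.sqlite and a keychain database under constructed paths) are placeholders standing in for a real extraction directory.

```python
"""Integrity manifest for an extracted iOS file system (added example, not Belkasoft code)."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 20  # hash in 1 MiB chunks so large media files are not read into RAM at once


def sha256_file(path):
    """SHA-256 of one file, streamed."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        # Symlinks are skipped: hashing their target would hide the link itself.
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def save_manifest(manifest, out_file):
    """Persist the manifest as sorted JSON so it can be stored with the case."""
    Path(out_file).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_file):
    return json.loads(Path(in_file).read_text())


def verify_manifest(root, manifest):
    """Compare the tree under root with a saved manifest; every difference is reported."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Run the workflow on a constructed extraction tree inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "extraction"
        # Constructed placeholder files; the names only mimic what an extraction contains.
        files = {
            "private/var/mobile/Library/DataUsage.sqlite": b"constructed sqlite placeholder\n",
            "private/var/Keychains/keychain-2.db": b"constructed keychain placeholder\n",
        }
        for rel, data in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)

        manifest_file = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(root), manifest_file)  # taken right after extraction
        manifest = load_manifest(manifest_file)
        clean = verify_manifest(root, manifest)              # re-check before analysis

        # Simulate an analyst accidentally writing into the evidence copy.
        (root / "private/var/mobile/Library/DataUsage.sqlite").write_bytes(b"changed\n")
        (root / "private/var/mobile/Library/notes.txt").write_bytes(b"stray file\n")
        tampered = verify_manifest(root, manifest)
        return {"file_count": len(manifest), "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest outside the extraction directory and alongside the case file; the report distinguishes modified, missing and added files so that a single stray write by an analysis tool is visible rather than hidden behind a changed directory-level hash.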
We have had enough time to work out where jailbreaks based on the checkm8 exploit are useful in mobile forensics. You can use them in the following ways:
iTunes backups store a limited amount of data. They typically lack information on emails and chats from messengers. They also do not contain system files and logs, which a researcher needs to understand how devices function.
Since the jailbreak procedure based on checkm8 allows you to extract the full file system, all of these limitations are resolved: the researcher gets full access to all files and data stored on the device.
Keychain is the Fort Knox of a device under study; it houses the most sensitive data.
By extracting keychain data, a researcher gets to access passwords (for sites and applications) and other sensitive credentials stored on a device.
The jailbreaks based on Checkm8 were so effective that some researchers even attempted to use them to figure out the PIN of blocked iOS devices.
In theory, according to Apple's security policy, such attempts to breach a device's security should result in the device being blocked (or its data being wiped) after the tenth unsuccessful attempt. However, for some reason, things did not play out that way.
Some researchers even reported that they were able to find the passcode through sequential passcode search (brute-force attacks), while others warned of the dangers associated with such operations. Our laboratory was unable to reproduce their results, though.
Figure 7: Conversations on Twitter on using UFED to do a sequential passcode search.
Through the checkm8 exploit, researchers could create programs to recover the PINs of blocked iPhone 4S, iPhone 5, and iPhone 5s devices. However, we have no way of telling whether such programs have already been created and are in use (as of the time this article was written).
After an iOS device is blocked, the user data already in its memory stays protected. However, new data that arrives afterwards (SMS messages, messenger chats, etc.) is not written into the protected part of storage. This means that a researcher using Belkasoft Evidence Center can extract, among other things, data on some of the user's accounts, the wireless network connection history, information on paired Bluetooth devices, the DataUsage.sqlite file, WhatsApp and Viber files, the list of blocked contacts, and plist files.
Sometimes the volume of such data is so large that an inexperienced researcher might erroneously conclude that they have extracted all of the user's data from a blocked device!
To find out more about what data can be extracted from a blocked iPhone, see the articles by Elcomsoft and Mattia Epifani on the topic [12-16].
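DataUsage.sqlite, mentioned above as one of the files recoverable from a blocked device, records per-process network byte counters. The script below is an added example (not Belkasoft code) that summarizes it; the table and column names it queries (ZPROCESS, ZLIVEUSAGE, ZHASPROCESS, ZWWANIN and so on) are assumed from the commonly documented layout of this database and should be checked against the actual file from an extraction, and the rows it loads are constructed sample data built in memory.

```python
"""Summarize per-app network usage from a DataUsage.sqlite extraction (added example).

The table and column names below are assumed from the layout commonly documented
for this database; verify them against the real file before relying on the query.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Data stores timestamps as seconds since 2001-01-01 00:00:00 UTC, not the Unix epoch.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_utc(seconds):
    """Convert a Core Data (Cocoa) timestamp to an aware UTC datetime."""
    return APPLE_EPOCH + timedelta(seconds=float(seconds))


def summarize_data_usage(conn):
    """Aggregate cellular (WWAN) and Wi-Fi byte counters per process.

    Returns a list of dicts sorted by cellular traffic, highest first. Usage rows whose
    ZHASPROCESS has no matching ZPROCESS row are kept and labelled rather than dropped,
    so the report never silently loses traffic.
    """
    query = """
        SELECT p.ZPROCNAME, p.ZBUNDLENAME,
               SUM(COALESCE(u.ZWWANIN, 0)), SUM(COALESCE(u.ZWWANOUT, 0)),
               SUM(COALESCE(u.ZWIFIIN, 0)), SUM(COALESCE(u.ZWIFIOUT, 0)),
               MAX(u.ZTIMESTAMP)
        FROM ZLIVEUSAGE u
        LEFT JOIN ZPROCESS p ON p.Z_PK = u.ZHASPROCESS
        GROUP BY u.ZHASPROCESS
        ORDER BY SUM(COALESCE(u.ZWWANIN, 0)) + SUM(COALESCE(u.ZWWANOUT, 0)) DESC, p.ZPROCNAME
    """
    report = []
    for name, bundle, wwan_in, wwan_out, wifi_in, wifi_out, last_seen in conn.execute(query):
        report.append({
            "process": name if name is not None else "unknown (no ZPROCESS row)",
            "bundle": bundle,
            "wwan_in_bytes": int(wwan_in),
            "wwan_out_bytes": int(wwan_out),
            "wifi_in_bytes": int(wifi_in),
            "wifi_out_bytes": int(wifi_out),
            "last_seen": cocoa_to_utc(last_seen).isoformat(),
        })
    return report


def build_sample_db():
    """Constructed in-memory stand-in for DataUsage.sqlite with only the columns used above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZPROCESS (
            Z_PK INTEGER PRIMARY KEY, ZFIRSTTIMESTAMP REAL, ZTIMESTAMP REAL,
            ZBUNDLENAME TEXT, ZPROCNAME TEXT);
        CREATE TABLE ZLIVEUSAGE (
            Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER, ZTIMESTAMP REAL,
            ZWIFIIN REAL, ZWIFIOUT REAL, ZWWANIN REAL, ZWWANOUT REAL);
    """)
    t0 = 609984000.0  # 2020-05-01 00:00:00 UTC in Cocoa seconds (constructed sample time)
    conn.executemany("INSERT INTO ZPROCESS VALUES (?,?,?,?,?)", [
        (1, t0, t0 + 3600, "net.whatsapp.WhatsApp", "WhatsApp"),
        (2, t0, t0 + 7200, "com.viber", "Viber"),
        (3, t0, t0, None, "locationd"),  # system daemon: no bundle identifier
    ])
    # Columns: Z_PK, ZHASPROCESS, ZTIMESTAMP, ZWIFIIN, ZWIFIOUT, ZWWANIN, ZWWANOUT
    conn.executemany("INSERT INTO ZLIVEUSAGE VALUES (?,?,?,?,?,?,?)", [
        (1, 1, t0, 50000, 8000, 1200, 300),
        (2, 1, t0 + 3600, 0, 0, 800, 200),
        (3, 2, t0 + 7200, 4000, 500, 100, 50),
        (4, 3, t0, 0, 0, 10, 5),
        (5, 99, t0 + 60, 0, 0, 40, 10),  # orphan row: process 99 was never recorded
    ])
    conn.commit()
    return conn


def demo():
    return summarize_data_usage(build_sample_db())


if __name__ == "__main__":
    for row in demo():
        print(row)
```

To run it against a real extraction, replace `build_sample_db()` with `sqlite3.connect("file:DataUsage.sqlite?mode=ro", uri=True)` so the evidence copy is opened read-only; the timestamp conversion is the detail most often done wrong, since treating the values as Unix time shifts every date by 31 years.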
Jailbreaks based on checkm8 can be used to extract data from a corrupted or bricked iOS device.
Corruption usually occurs in these situations: while a device is being updated, when a device is left with little or no free storage, or when a program fails and the device stops booting. Many such cases involve the iPhone 6 and iPhone 7.
Belkasoft has successfully implemented a new proprietary jailbreak based on the checkm8 exploit, which can be used to extract the full file system and keychain data from an iOS device under investigation.
With Belkasoft Evidence Center, an investigator with a Windows computer can now perform forensically sound data extraction and analysis on iOS devices.
Additionally, experts can now conduct deep or advanced research on iOS artifacts, especially on items that were inaccessible or unavailable before.
References
1. A copy of Axi0mX's post: https://twitter.com/pwn20wnd/status/1177548471756214273
2. Checkra1n: https://checkra.in/
3. King: https://github.com/pgarba/King
4. IOS jailbreaking: https://en.wikipedia.org/wiki/IOS_jailbreaking
5. How to get an iPhone into DFU mode (the Apple way): https://www.payetteforward.com/how-to-put-iphone-dfu-mode/
6. DFU mode: https://www.theiphonewiki.com/wiki/DFU_Mode
7. Technical analysis of the checkm8 exploit: https://habr.com/ru/company/dsec/blog/472762/
8. Your rooted Android phone can jailbreak an iPhone with checkra1n: https://www.xda-developers.com/jailbreak-apple-iphone-using-checkra1n-rooted-android-phone/
9. Complete file system extraction for iOS devices using Belkasoft Evidence Center: https://belkasoft.com/full_file_system_extraction_for_ios_devices_with_belkasoft_evidence_center
10. Apple Platform Security: https://support.apple.com/guide/security/welcome/web
11. A copy of posts on Twitter involving Kevin and Shahar Tal: https://twitter.com/jifa/status/1232610940882968577?s=20
12. BFU Extraction: Forensic Analysis of Locked and Disabled iPhones: https://blog.elcomsoft.com/2019/12/bfu-extraction-forensic-analysis-of-locked-and-disabled-iphones/
13. Extracting Data from Locked iPhones: https://blog.elcomsoft.com/2015/11/extracting-data-from-locked-iphones/
14. Checkra1n Era, Ep 1, Before First Unlock (aka “I lost my iPhone! And now?”): https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-1-before-first-unlock.html
15. Checkra1n Era, Ep 2, Extracting data “Before First Unlock” (aka “I found a locked iPhone! And now?”): https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-2-extracting-data.html
16. Checkra1n Era, Ep 4, Analyzing extractions “Before First Unlock”: https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
About the Author
Igor Mikhaylov is a digital forensic analyst at Group-IB, one of the global leaders in preventing and investigating high-tech crimes and online fraud. He holds a number of certifications, including EnCE, ACE and MCFE. Igor authored Mobile Forensics Cookbook: Data Acquisition, Extraction, Recovery Techniques, and Investigations Using Modern Forensic Tools, as well as many blog posts and articles on digital forensics and incident response that you can find online.