This weekend I did more testing with the new Checkm8 exploit, this time with an iPhone 6s, iPhone 7 Plus, and iPhone XR. I will post notes on 6s in future; there is no Checkm8 option for the iPhone XR currently (see below), even after updating iOS from 12.1.2 to 13.3.1.
So below I will cover the test iPhone 7 Plus.
-iPhone 7 Plus Model A1661
running iOS 13.3
– 32 GB capacity
-Available space 11.52 GB
-I tried both with and without access to the phone passcode
I ran Logical Method 1 in Physical Analyzer; it collected a 13.9 GB .tar
Ran Logical Method 2 in Physical Analyzer; it collected a 17.7 GB .tar
Opened Physical Analyzer and loaded Method 1 and Method 2.
Opened Physical Analyzer and loaded Method 1 & Method 2.
Next I took same test phone and opened UFED 4PC
Plug in phone and auto detect; check model in phone’s settings to confirm correct; select
Advanced Logical then Full File System Checkm8*.
Put phone in DFU mode**
When it finished, loaded in Physical Analyzer.
*This will only be an option if the phone is within the models and iOS ranges described here. When I tried an iPhone XR, the “Advanced Logical Full File System” menu item did not appear in UFED as an option.
**The iPhone 7 Plus was no problem, but it took me numerous attempts to get the iPhone 6s into DFU mode. It was finally accomplished with the help of this video (753)
Same for iPhone 8 timing is tricky so practice, this one helped me
Checkm8 will run (see pics) and you will be prompted on your machine for phone’s passcode.
Phone showed 73.28 GB extraction as it was in progress.
Advanced Logical Full File System Checkm8 acquisition with passcode collected a 35.8 GB .dar
Opened Physical Analyzer and loaded Advanced Logical Full File System Checkm8 acquisition.
Comparison photos – same as last time, on the left is the combined Logical Method 1 & Method 2 using PA. On the right is Advanced Logical Full File System Checkm8 using UFED. Also posted cropped together photos showing all data sets pulled. The results speak for themselves.
Also included photos of when the Checkm8 exploit starts and the extraction screen. Photos available here
I tried following the guide I linked to above to obtain a partial file system (Before-First-Unlock) with no passcode. I changed the passcode and then did not enter the correct passcode again. After several tries and poking around for forums & articles, and a million failed attempts and reboots, I called it a night but will try again. If anyone can share their method or any good articles/guides/forum posts on checkra1n/ Checkm8 BFU, it would be greatly appreciated. Interested in seeing what it collects.