DFU mode
During the boot-up process, if the Boot ROM is not able to load or verify LLB, then the
iPhone displays a black screen. This mode is known as the Device Firmware Upgrade
(DFU) mode. DFU mode is a low-level diagnostic mode and is designed to perform
firmware upgrades for the iPhone. During a firmware upgrade, the iPhone goes through a
different boot sequence as shown in the following figure. Most forensic tools use DFU mode
to perform a physical acquisition.
A secure boot chain of an iPhone in DFU mode
In DFU mode, the Boot ROM boots first, which, in turn, verifies and runs the second-stage
boot loaders, iBSS and iBEC. The iBEC loader verifies and loads the kernel. The kernel
verifies and loads the ramdisk into memory. Again, most forensic acquisition methods
require the iOS device to be successfully placed in DFU mode. As mentioned in Chapter 1,
Introduction to Mobile Forensics, all steps must be well documented by the examiner. The
handling of the iOS device is no exception. DFU mode is a method recognized in mobile
device forensics and is deemed to be a forensically sound action to prepare the device for
forensic acquisition.
To enter DFU mode, perform the following steps:
1. Download and install iTunes on your forensic workstation from
http://www.apple.com/itunes/download/.
2. Connect your device to the forensic workstation via a USB cable.
3. Turn off the device.
4. Hold down the Power button for 3 seconds.
5. Hold down the Home button without releasing the Power button for exactly 10 seconds.