Acquisition via a custom ramdisk
Acquisition via a custom ramdisk is a novel method of acquiring data from an iPhone. It
gains access to the file system by loading a custom ramdisk into memory and exploiting a
weakness in the boot process while the device is in DFU mode. The custom ramdisk contains
the forensic tools needed to dump the file system over USB through an SSH tunnel. Loading
a custom ramdisk onto a device does not alter the user data, so the evidence is not
destroyed.
Imagine a computer protected with an OS-level password: we can still read the hard disk
contents by booting from a live CD. Similarly, on the iPhone, we can load a custom ramdisk
over USB and access the file system. However, the iPhone's secure boot chain prevents an
unsigned custom ramdisk from being loaded. We get around this by exploiting a Boot ROM
vulnerability and patching each successive stage of the boot chain, as shown in the
following figure:
Figure: An exploited boot chain of an iPhone in DFU mode
Hacker communities have found several Boot ROM vulnerabilities in A4 devices (the iPhone 4
and older iPhone models). Currently, there are no Boot ROM exploits for A5+ devices (the
iPhone 4S and later models) that allow physical acquisition of the device. Because the
Boot ROM is read-only, its vulnerabilities cannot be fixed with software updates,
effectively leaving an affected device vulnerable forever.
In addition to this, the file system on the iPhone is encrypted. Since the iPhone 3GS,
hardware and firmware encryption have been built into iOS devices. Every iOS device has a
dedicated AES 256-bit crypto engine (the AES cryptographic accelerator) with two hardcoded
keys: the UID (Unique ID) and the GID (Group ID) (as stated by Zdziarski in one of his
topics). The CPU on the device cannot read the hardcoded keys but can use them for
encryption and decryption through the AES accelerator. The UID key is unique for each