Information Technology Reference
In-Depth Information
Creating and loading the forensic toolkit
At this point, all of the prerequisites should be installed, and you should be ready to build
and load the custom ramdisk onto your target iOS device. First, we patch the ramdisk sig-
nature checks in the kernel and build a custom ramdisk with our forensic tools. Later, we
use redsn0w to load the modified kernel and the custom ramdisk by exploiting the Boot
ROM vulnerability.
Downloading the iOS firmware file
An iOS firmware update software archive (IPSW) file for the hardware model with which
you intend to use the custom ramdisk is required. iPhone Data Protection Tools supports
the ramdisk creation for iOS 6 IPSW and lower versions. For best results, use the latest ver-
sion of iOS 5 IPSW to create the ramdisk. iOS 5 kernel is compatible with the previous and
forthcoming iOS versions. So, even if your device is running on iOS 7 or iOS 4, you can
prepare the ramdisk with iOS 5. You can download the IPSW file for the target device from
Copy the downloaded IPSW to the
dataprotection
directory inside the
iphone
folder, as shown in the following command:
$cp ~/Downloads/iPhone3,1_5.1.1_9B208_Restore.ipsw .
Note
The above command ends with
.
which represents the current working directory.
The
iPhone3,1_5.1.1_9B208_Restore.ipsw
file used in the preceding com-
mand targets the iPhone 4 device. The IPSW filenames include the hardware model
(iPhone3,1), the iOS version number (5.1.1), and the specific build number (9B208).
Modifying the kernel
For the custom ramdisk to work properly, a modified kernel is required. The
ker-
nel_patcher.py
script in iPhone Data Protection Tools extracts the
kernelcache
from the supplied IPSW file and patches it. The kernel patching utility makes appropriate
changes to the kernel to disable the code signing to run arbitrary binaries and to allow ac-
cess to restricted functions. Run the
kernel_patcher.py
script on your IPSW to cre-
