Checkm8 / checkra1n acquisitions/extractions

Get up and running quickly with a platform to perform checkm8 based iOS extractions

Checkm8 is a bootROM based vulnerability/exploit. Checkra1n is the tool to conduct a tethered jailbreak.

First, some light reading: & more info here

This guide does not focus on the specific vulnerability being exploited, it provides a guide on how to perform a filesystem acquisition using checkra1n within a Linux environment. This article does not provide any guidance or insight into bypassing any security restrictions involving biometrics or personal credentials.

My working environment is typically a Windows environment with specific tasks performed inside a Linux VM or VPS, or within WSL). Although WSL is great, it does not currently support USB devices, and as such, will not work with iproxy/libusbmuxd/checkra1n.

There are a few methods to get up and running quickly.

1) Download Kali, image to a boot USB, boot, add checkra1n repo, install checkra1n, run checkra1n 2) Download other Debian-based OS, add checkra1n repo, install checkra1n, run checkra1n 3) Download bootra1n, image to USB, boot, run checkra1n

I personally prefer option 1. Most of us have a Kali ISO sitting around somewhere. One primary consideration needs to be the size of the data being acquired from the iOS device. You need to have a boot device which is large enough to acquire that data, or your host machine needs to accommodate another device. For me, I boot Kali off a standard USB and acquire data to an external SSD/HDD.

Using bootra1n or other pre-compiled tool sets does not give you the flexibility you require. I prefer to build an environment based on tools that I'm familiar with, and then roll that back into a live image to deploy on removable media.

You can try using a virtual machine to perform this, but mucking around with USB pass through is going to cause issues when entering/exiting DFU mode, exploiting the device, and may cause unexpected results and/or damage.

Create a bootable USB using your preferred tool. Rufus, balenaEtcher, Win32 Disk Imager are all good options. Here we'll use Win32 Disk Imager.

Write. Boot. Test it's working. You can run through the steps to enable encrypted persistence, however that's outside the scope of this article.

Now we have to add Checkra1n's repo to our sources.list so we can install the appropriate packages

echo "deb /" | sudo tee -a /etc/apt/sources.list
sudo apt-key adv --fetch-keys
sudo apt update
sudo apt-get install checkra1n

Now is also a good time to install iproxy. iProxy is contained within libusbmuxd-tools

$ sudo checkra1n

The above command is for the following GUI. You can also run the following command for the CLI version

$ sudo checkra1n -c

Connect your iOS device to your host machine. "Trust" the computer, enter your PIN.

Select [Start] and follow the prompts to place the device into DFU mode.

Select [Next] and your iOS device will restart into restore mode.

Wait until this process completes. Once the device has booted (and checkra1n says it has completed), then proceed.

$ iproxy 4242 22

Run iproxy for libusbmuxd communication. This will allow you to SSH into your iOS device via USB.

Disable auto screen locking. When the screen locks, it will kill any SSH sessions. (iOS 14.2; Settings -> Display & Brightness -> Auto-Lock; set to Never)

Now we SSH into our device. Root password is alpine.

$ ssh root@ -p 4242

If all you're seeking is user data, that is stored in /private/var and can be logically acquired using the following command (from your host machine, not within the bash prompt on your device)

$ ssh root@ -p 4242 'tar -cf - /private/var/' > private-var.tar

From here, you can parse the tarball in your forensic tool of choice; MSAB XRY, Cellebrite UFED, Magnet AXIOM or even Autopsy.

For more information, please see these articles;

[1] [2] [3]

Last updated