Imaging iPhone 4S with JZ tools & other forensic programs

8 Posts
6 Users
0 Likes
499 Views
Robbo747
(@robbo747)
Posts: 37
Eminent Member
Topic starter
 

I currently have a handset-locked iPhone 4S (A1387) & I'm trying the JZ tools on an Apple Mac, but with no luck so far. The phone has 5.0.1 firmware, verified at scene before it timed out into handset lock mode.

I place the phone into DFU mode & firstly attempt an Encryption Key Recovery, where the recover-keys script can brute force a four-digit pin code & display the pin on the screen and save to the desktop, as well as recover encryption keychains.

I had no luck with this. I checked the phone is in DFU mode through System Profiler; after this I ran the recover-keys script, i.e.
MULTIPLATFORM_IOS5 Administrator$ sudo ./recover-keys.sh iPhone4,1_5.0.1_9A405_Restore.ipsw -usbmuxd

It looks like I get a kernel cache patch error
/iPhoneTools/AutomatedTools/OSX/MULTIPLATFORM_IOS5/Crypto /iPhoneTools/AutomatedTools/OSX/MULTIPLATFORM_IOS5
Traceback (most recent call last):
  File "kernel_patcher.py", line 7, in <module>
    from Crypto.Cipher import AES
ImportError: No module named Crypto.Cipher
/iPhoneTools/AutomatedTools/OSX/MULTIPLATFORM_IOS5
Beginning remote acquisition…

…and the IPSW file is not recognised…
Unable to recognize specified IPSW
/iPhoneTools/AutomatedTools/OSX/MULTIPLATFORM_IOS5/iPhone4,1_5.0.1_9A405_Restore.ipsw
The other ipsw file for 5.0.1 was also attempted, iPhone4,1_5.0.1_9A406_Restore, but to no avail.
** Any clue why there are two ipsw firmware files for 5.0.1? Perhaps to do with the iPhone 4S being released unlocked from November in the US?

Next, I attempt a Raw Disk Recovery by pointing the recover-raw script at the ipsw file:
MULTIPLATFORM_IOS5 Administrator$ ./recover-raw.sh iPhone4,1_5.0.1_9A405_Restore.ipsw

Normally I would wait to see something on the iPhone screen, but I see nothing.

Waiting for device to begin listening…
(If device is already listening, disconnect and reconnect cable)
Creating USB tunnel to device…
Initiating disk recovery…
9552 [12/19/2011 09:11:21] connecting to recovery agent on 127.0.0.1:7777
9552 [12/19/2011 09:11:21] connected
9552 [12/19/2011 09:11:21] writing to [rdisk-1324249881-12_19_2011_09_11_21.dd]
Unable to recognize specified IPSW
iPhone4,1_5.0.1_9A405_Restore.ipsw
Cannot open /kernelcache.patched

* Has anyone had success using JZ tools on iPhone 4S?
* Cellebrite Physical Pro, FTS iXam, XRY & Lantern all work up to iPhone 4 models, but I haven't seen them working around a handset lock on a 4S currently.

Thanks

 
Posted : 19/12/2011 10:02 am
Logan
(@logan)
Posts: 66
Trusted Member
 

Robbo747,

I do not believe that the iPhone 4S is supported by Elcomsoft or the JZ tools yet. The 4S uses a different chip (the A5) which I believe an exploit has not yet been found (or has been found but not published yet).

Looks like you will have to obtain the pass code from the owner…?

 
Posted : 19/12/2011 12:45 pm
Robbo747
(@robbo747)
Posts: 37
Eminent Member
Topic starter
 

Thanks Logan. I managed to get the Crypto.Cipher Python module working OK, so I don't get errors now; however, when attempting a recover-keys or recover-raw, no running display is showing on the exhibit & these JZ scripts are writing out to zero kb files. I agree, it's likely to do with the A5 chip found in the 4S.

Any Elcomsoft, Lantern iOS, XRY, Cellebrite, FTS iXam people out there for any pointers???

 
Posted : 28/12/2011 6:45 pm
 RonS
(@rons)
Posts: 358
Reputable Member
 

None of the tools support locked 4S and iPad 2 devices.

 
Posted : 28/12/2011 11:58 pm
Logan
(@logan)
Posts: 66
Trusted Member
 

Like I said, no exploit has been made public yet. Without an exploit in the A5 SoC (System on a Chip), then the software cannot access the files required to obtain or circumvent the pass code.

Without an exploit, software manufacturers cannot build support for it.

 
Posted : 29/12/2011 2:29 pm
pjarlov
(@pjarlov)
Posts: 2
New Member
 

Good morning,

No more news since this case about imaging an iPhone 4S?

Thank you very much

Philippe

 
Posted : 05/10/2012 2:41 pm
 Doug
(@doug)
Posts: 185
Estimable Member
 

Sadly not.

Apart from Elcomsoft's iPhone ToolKit being able to take an image of an iPhone 4S IF it is already jailbroken and has SSH installed on it.

 
Posted : 05/10/2012 4:23 pm
4Rensics
(@4rensics)
Posts: 255
Reputable Member
 

None of the tools support locked 4S and iPad 2 devices.

I can confirm this also.

Spoke with somebody from NTAC regarding this. These are the boys in the know. If they can't crack it, nobody can! Just have to wait a little longer… I'm sure somebody is not far off!

 
Posted : 05/10/2012 4:53 pm