H1t M0nk3y
« on: March 14, 2013, 08:46:03 AM »
Hi everyone,

OK, first, I think most people here on this forum know me by now and I am not a bad guy. I say this because this story really looks bad...

My accountant now has an iPhone 4S, but she still has her old iPhone 3G (no longer connected to a carrier). So she is only using her iPhone 4S. This old iPhone 3G was synced and backed up to iTunes, which was installed on her laptop. The problem is that last fall, somebody broke into her office and stole many things, including her laptop. And since she hasn't used her old iPhone 3G for a while, she couldn't remember her password. She tried logging in many times and ended up locking her old phone...

The thing is she has pictures of her daughter that were taken by this phone and were backed up on her stolen laptop. She asked me if I could retrieve her pictures... She contacted Apple and they said the only thing they can do is wipe out the phone for her (since they match the serial number to her name), but they cannot unlock it for her (which is a good thing!). So she came to me, knowing what I do for a living...

So you see? My story looks like the ones we get once in a while on this forum! I feel a bit lame for that... But I have known her for many years now and I know she's telling the truth... The phone's ID is under her name and there is a picture of her daughter on the login screen... And no, I didn't steal/find an iPhone I'm trying to steal data from.

I spent something around 6 hours trying to jailbreak this locked iPhone without success... I think she was using iOS 4.1 or something close to this.

So is it possible to recover pictures from a locked iPhone?

Thanks

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP

chrisj
« Reply #1 on: March 14, 2013, 11:04:02 AM »
Probably not much help, but did you see this? http://lifehacker.com/5852948/what-to-do-if-youve-forgotten-your-iphones-passcode

It says you can sync the phone even when it's locked. Not having an iPhone, and not touching iTunes in about 6 years, I don't know if you can add and sync a new device while it is locked.
« Last Edit: March 14, 2013, 11:05:47 AM by chrisj »

OSWP, Sec+

H1t M0nk3y
« Reply #2 on: March 14, 2013, 02:11:42 PM »
Thanks chrisj, but the problem with this is you need "the" iTunes that was used for the backup BEFORE the phone got locked. As you may or may not know, you can only sync your iPhone, iPod or iPad with a single version of iTunes. If she still had her laptop (with the version of iTunes she used to sync with), she could recover her phone using this technique. Similarly, if she didn't care about her pictures, she could use this procedure with any iTunes to reset the phone to the factory state.
The problem is the fact that she wants her pictures back...
But thanks anyways!

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP

Matthias2012
« Reply #3 on: March 14, 2013, 02:52:32 PM »
Hello H1t M0nk3y,

How good is your German? At the last IT-Security Exhibition in Nuernberg/Germany the CIO of ssys.de showed how to get into a locked iPad. Maybe this will give you an idea... He also said that an iPhone works similarly...

http://www.techcast.com/events/it-sa-livehacking/dienstag-gruen-1015-schreiber

It shows him in action...

Regards

Matthias Dörfer
eCPPT - C|EH - MCITP

m0wgli
« Reply #4 on: March 14, 2013, 03:24:22 PM »
Unfortunately, from what I've been able to find (as I'm sure you have), given the circumstances, your friend needs to start considering those pictures lost. I hope to be proved wrong!

Security + | OSWP | eCPPT | CSTA

Matthias2012
« Reply #5 on: March 14, 2013, 04:48:30 PM »
I looked at the video and then I looked at your first posting again, and I'm afraid that if you tried to "bruteforce" the PIN for the GUI, then the device will have deleted the AES decryption keys after X attempts, and even for a forensic expert the data is lost...

Regards

Matthias Dörfer
eCPPT - C|EH - MCITP

ajohnson
« Reply #6 on: March 14, 2013, 05:33:32 PM »
I thought this was simple to do offline if you open up the phone and remove the storage device. Invalid attempts aren't going to wipe it since that depends on the running OS software. You should be able to do that almost instantly if she was only using a four-digit PIN. I don't work with this much, so I don't know the specific tools, but I swear I've heard this attack discussed multiple times.

WIP: GCFA | www.infosiege.net | @infosiege
The day you stop learning is the day you start becoming obsolete.

chrisj
« Reply #7 on: March 14, 2013, 10:08:42 PM »
> As you may or may not know, you can only sync your iPhone, iPod or iPad with a single version of iTunes.

This I did not know, I thought you could sync / back up to multiple versions of iTunes (like I said, haven't used it in forever). What about attaching it to a Linux box and just mounting it as a local device? I don't remember having to do anything special when I had my iPod color.

OSWP, Sec+

H1t M0nk3y
« Reply #8 on: March 15, 2013, 11:02:26 AM »
> What about attaching it to a Linux box and just mounting it as a local device? I don't remember having to do anything special when I had my iPod color.

@chrisj: I tried but the phone itself is locked, so it doesn't work either...

> the device will have deleted the AES decryption keys after X attempts, and even for a forensic expert the data is lost...

@Matthias2012: I don't know German at all (regarding the video), but do you know at which iOS version Apple started to do this?

> I thought this was simple to do offline if you open up the phone and remove the storage device. Invalid attempts aren't going to wipe it since that depends on the running OS software. You should be able to do that almost instantly if she was only using a four-digit PIN. I don't work with this much, so I don't know the specific tools, but I swear I've heard this attack discussed multiple times.

@ajohnson: I think I may have to follow this route... I will research this topic and post my findings. I hope I won't have to buy new hardware...

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP

m0wgli
« Reply #9 on: March 15, 2013, 11:29:12 AM »
I was looking through these last night, you might find something of use in here: iOS hacking resource collection
« Last Edit: March 15, 2013, 11:43:09 AM by m0wgli »

Security + | OSWP | eCPPT | CSTA

jjwinter
« Reply #10 on: March 16, 2013, 11:24:01 AM »
Did she use iCloud for backup?

m0wgli
« Reply #11 on: March 16, 2013, 11:34:01 AM »
> Did she use iCloud for backup?

Unfortunately, to use iCloud you need iOS 5 or higher; this isn't available for the iPhone 3G.
« Last Edit: March 16, 2013, 01:55:50 PM by m0wgli »

Security + | OSWP | eCPPT | CSTA

H1t M0nk3y
« Reply #12 on: March 18, 2013, 06:01:20 AM »
Well, I think her pictures are gone forever now... Thanks everyone for your help. At least, I have learned quite a few things along the way...

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP

ajohnson
« Reply #13 on: March 18, 2013, 09:37:42 AM »
Ah, turns out I was wrong. You can't do an offline attack because you need to extract the hardware key. Have you tried something like this? https://www.youtube.com/watch?v=S6OIK0oL6SI

It looks like Elcomsoft has a commercial tool too: http://www.elcomsoft.com/eppb.html

That might be worth a shot if nothing else works and the photos are worth $80 to her.
« Last Edit: March 18, 2013, 09:39:15 AM by ajohnson »

WIP: GCFA | www.infosiege.net | @infosiege
The day you stop learning is the day you start becoming obsolete.

m0wgli
« Reply #14 on: March 18, 2013, 04:03:48 PM »
> At least, I have learned quite a few things along the way...

Same here, I know now considerably more about iOS security than I did last week.

> Ah, turns out I was wrong. You can't do an offline attack because you need to extract the hardware key.

Elcomsoft also offer an iOS Forensic Toolkit which can extract the keys; however, its availability is restricted to select government entities (such as law enforcement, forensic organizations and intelligence agencies).

> It looks like Elcomsoft has a commercial tool too: http://www.elcomsoft.com/eppb.html That might be worth a shot if nothing else works and the photos are worth $80 to her.

AFAIK this works on a backup of the device, not the physical device.

Security + | OSWP | eCPPT | CSTA