iOS/iPadOS - Jailbreaking
Why jailbreak?
The main reasons users jailbreak a device include:
Sideloading apps
The ability to set up and use alternative apps
Customizing an otherwise closed iOS user interface
Tethering a Mac to an iPhone
The ability to browse the entire file system of the device's internal memory
The reason for jailbreaking the iOS/iPadOS device from the forensic perspective is the ability to read, extract and analyse data that is usually hidden or unavailable to the common device user.
Jailbreaking can provide access to otherwise inaccessible data which is crucial for detailed analysis and a fair, just and impartial investigation.
How to jailbreak an iOS/iPadOS device?
MOBILedit Forensic does not perform the jailbreak itself. The device needs to be jailbroken before connecting to MOBILedit Forensic, after which additional data can be extracted from the already jailbroken iPhone, iPod Touch or iPad.
The following jailbreak methods have been developed by third parties. Please note that our support team can help you with any connectivity issues that may arise after applying a jailbreak to your device, but the choice of method and the entire jailbreaking process are always the user's own responsibility.
These are three of the main methods of jailbreaking an iOS/iPadOS device:
Tethered
This method requires connecting the device to a computer and using an external app to jailbreak it. Rebooting the device cancels the jailbreak, and you will not be able to use the device until you jailbreak it again using the same method. This method is mostly used by app developers.
Semi-tethered / Semi-untethered
This method requires you to either connect your device to a computer or use an app to perform the jailbreak. Once jailbroken, the device functions as normal and, if the computer method is used, does not need to remain connected to the computer. The jailbreak is cancelled every time you reboot the device or after a certain amount of time has passed. Tools suitable for this method usually run in RAM and therefore minimise changes to, and interaction with, the OS, which is why this is the preferred method for mobile forensic examiners.
Untethered
This method does not necessarily require a computer, as the jailbreak can be performed via an app. It also modifies iOS/iPadOS at a deeper level, meaning that no matter how many times you reboot the device, it will remain jailbroken until you manually "un-jailbreak" it. This method is used mostly by end users.
Jailbreak methods are available for almost all iOS/iPadOS devices, except for the latest iOS/iPadOS versions. It usually takes the jailbreaking community only a few months to find a way to jailbreak the latest version of iOS/iPadOS. This means that it is impossible to describe them all in one article.
Currently, the Pangu or Cydia Impactor apps are most commonly used to jailbreak iOS/iPadOS devices. For more information about how Cydia Impactor works, please see the official Cydia Impactor developers' website. For a description of the jailbreak procedure, please see the "How to use Cydia Impactor" article.
For a detailed list of available jailbreaks for specific devices, please see the "iOS Jailbreak" article on Reddit.
In some situations where the SSH or AFC2 service is not accessible due to unusual jailbreak settings, MOBILedit Forensic may not recognize that the connected device is jailbroken. A standard logical extraction can still be performed. When SSH or AFC2 communication methods are enabled, you will have the necessary access to carry out your forensic examination using MOBILedit Forensic.
Various third-party online sources have been used to compile this guide. For more information, please contact us.
Jailbreaking a device may void the manufacturer's warranty and could cause security risks. Please take this into consideration before performing this process.
From a forensic point of view, please be aware that some apps, notably banking apps, will recognise that a device has been jailbroken. However, this should not restrict their functionality once the device is un-jailbroken.
Bootable USB Flash Disk with Jailbreaking Capability
The bootable USB flash disk with jailbreaking capability is available in the MOBILedit Forensic Connection Kit.
Alternatively, you can create your own bootable Linux USB flash disk with checkra1n, palera1n or both.
checkra1n
checkra1n jailbreak is suitable for devices with A7 to A11 Bionic chipsets running iOS 12.0 to iOS/iPadOS 14.8.1.
palera1n
palera1n jailbreak is suitable for devices with A8 to A11 Bionic chipsets running iOS/iPadOS versions 15.0 to 18.0.
Please ensure that these instructions are used in compliance with legal and ethical standards, especially considering their application in digital forensics and law enforcement contexts.