GrapheneOS seems to resist AFU extraction
The USB bypass is possible because Apple does not actually do what is advertised, unlike GrapheneOS. They likely still allow some sort of connection that these "adapters" can spoof themselves as. My Magic Keyboard still works in BFU + Lockdown Mode, but I don't know if that's intended or not. These screenshots also back up this theory.
Hopefully we find more AFU limitations in the future and Apple fixes its lousy USB Restricted Mode.
Just from the screenshot it isn't clear if that iPhone is in BFU or AFU. It is also unknown if it has USB Restricted Mode enabled or if the unlock attempt was ever eventually successful.
We do know Major Adam's phone remains locked.
Not necessarily. It's pretty much always going to be less secure, but not inherently insecure.
Not always going to be possible, especially if you're in distress. GrapheneOS has an auto-reboot feature for this reason; it just needs to hold out in AFU long enough for auto-reboot to kick in.
"Also using Graykey 5.2.0 and it doesn't even recognize that a device gets plugged into it to even do a BFU or an initial device identify."
He got DMs stating that he needs a new adapter, from people with direct knowledge about these tools, not internet scavengers like me.
Considering the USB setting is enabled by default on newer iOS, chances are like 80/20 that it was enabled.
This screenshot from a Cellebrite employee makes me wonder if USB-C added some limitations to their capabilities, because it seems like the Lightning connectors gave them no issue at all. The police officer also says Cellebrite Inseyets UFED documents refer to "locked USB-C" devices as unsupported, but this has never been a problem before.
I suspect that the challenge lies more with Cellebrite's engineering. Since Cellebrite CAS can bypass the USB-C restricted mode and perform AFU without any problems, I think they are simply delayed in implementing and rolling out this exploit across their Cellebrite Premium boxes, especially given the different variants of Cellebrite Premium boxes they need to support. Essentially, even the USB-C iPhone can be AFU extracted; it's only a matter of time before all Cellebrite Premium boxes are capable of doing the same.
Thank you for your meticulous post. Do you think about converting it to a blog post, maybe?
iOS 18 and higher introduced an inactivity reboot timer that sends your device back to BFU after a certain number of days. This is why keeping your phone up to date is important!
Apple Quietly Introduced iPhone Reboot Code Which is Locking Out Cops
I kinda just keep replying to this with new info I gather
Video of iPhone running iOS 18.2 beta 2 rebooting after 72 hours of not being unlocked.
Update on inactivity reboot by Magnet Forensics
Apparently the Graykey support matrix has been leaked. Standing by for now…
Is access to Control Center still a requirement for AFU extraction?
I'm not sure. On my phone I turn off everything from showing on the lock screen in case any of the settings are vulnerable.
This is the most sensible approach. We can/will never know the complete capabilities of all actors.
As I suggested earlier, Graykey support matrix leaked.
iPhone: Graykey-iPhone.xlsx - Google Sheets
Iphone (Backup): https://files.catbox.moe/pal7dn.xlsx
Android: Graykey-Android.xlsx - Google Sheets
Android (Backup): https://files.catbox.moe/fsinh5.xlsx
I don't get it. There is full, consent, partial, partial BFU and none.
Full means they can get all data encrypted with the user password in AFU, probably parts from BFU diagnostics and brute force. They can possibly extract data in any state. Does full mean full data in any state, including BFU? They have full for the iPhone 12 series up to early versions of iOS 17. That would mean they can extract full data from these even with the device powered off. They also have full for old iPhones vulnerable to jailbreaking. For these iPhones full for sure means also with the device powered off, BFU, and full data.
Consent probably means with the user password or some kind of authorization? They have consent for iPhone 14 models on versions before iOS 17.6. They don't have consent on iPhone 15 models from 17.3.1. Does that mean they can't even extract data with the user password? Or is consent some kind of authorization? What does consent mean? With the user password, full data is accessible. Does that mean they didn't develop their tool to do an extraction on these versions?
They have partial on iPhone 14 models from 17.6, as well as partial on iPhone 15 models from 17.3.1 until 18.0.1; only from 18.1, which just came out, do they have nothing for any device. Probably they will have partial. What is partial? Pre-boot diagnostics or more? Is it different per device and version? What more? They also list partial BFU on some older devices, so is there a difference between partial and partial BFU? Is partial more than partial BFU, or is it the same data they can get with partial, only they can get it in BFU? Or does partial even mean it's not full but only a part of it, like only AFU, no BF? What is partial? Partial data extracted without being able to get into the user-password-encrypted data, or only a part of the full methods?
My guess is this:
Full = AFU, BFU, brute-force support, can bypass almost all countermeasures
Full + AFU = Full + AFU can obtain a near-full file system extraction from the lock screen.
Partial = No brute force, BFU/AFU capable
Partial AFU = Access to files with the NSFileProtectionCompleteUntilFirstUserAuthentication protection level (pretty much everything) and access to keychain items with kSecAttrAccessibleAlways/kSecAttrAccessibleAfterFirstUnlock.
Partial BFU = System data, general device info, OS files, files protected with the NSFileProtectionNone class, random thumbnails, access to keychain items with kSecAttrAccessibleAlways.
Consent = No data without passcode
But it only says partial in the table, no matter if they can get user-password-encrypted data in AFU or only system data in BFU. That's a huge difference. That makes the table pretty confusing and doesn't really tell
I didn't look at the Android table.
Shouldn't they always be able to get some diagnostics system data like Apple does? Is that partial BFU? If yes, you wouldn't want to have partial in the table there but consent when they can't get any meaningful data. Why even have partial there if all they are able to do is run Apple diagnostics and get some system data? That's misleading.
Can you explain what you wrote in partial AFU? NSFileProtectionCompleteUntilFirstUserAuthentication: what exactly does this do? Does it leave parts of the file system unencrypted when locked? It should still be encrypted unless they can get hold of the keys in RAM. And then they can do a full file system extraction of everything that's encrypted with the user password. Where did you get that from?
Guess NSFileProtectionCompleteUntilFirstUserAuthentication is the user-password-encrypted data. This is pretty much everything except health data and probably significant locations. For app data it depends on the encryption level the developer has set.
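To make the "Partial AFU" / "Partial BFU" protection classes discussed above concrete, here is an added Swift example. It is mine, not code from this thread, from Apple, or from any forensics vendor. It assumes an iOS app; the file name secrets.json, the service name com.example.app and the account name session are placeholders. It shows the developer-side choice the last post refers to: app files default to NSFileProtectionCompleteUntilFirstUserAuthentication and keychain items default to kSecAttrAccessibleWhenUnlocked unless the developer opts into the stricter classes, and it verifies that the file class actually stuck rather than trusting the write call.

```swift
import Foundation
import Security

// Added example (not from the thread). Placeholder names: secrets.json,
// com.example.app, session. iOS only: FileProtectionType does not exist on macOS.

enum ProtectionError: Error {
    case fileClassNotApplied(String)
    case keychain(OSStatus)
}

/// Writes `data` under NSFileProtectionComplete. The per-file key is wrapped with a
/// class key that iOS evicts from memory when the device locks, so the file is only
/// readable while unlocked. The default for app files is
/// NSFileProtectionCompleteUntilFirstUserAuthentication, whose class key stays
/// resident after the first unlock, i.e. the file stays readable in AFU.
func writeReadableOnlyWhileUnlocked(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.atomic, .completeFileProtection])

    // Verify the class actually landed; an inherited directory class or a
    // misconfigured container can silently leave the weaker default in place.
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    let applied = attrs[.protectionKey] as? String
    guard applied == FileProtectionType.complete.rawValue else {
        throw ProtectionError.fileClassNotApplied(applied ?? "<none>")
    }
}

/// Reports the Data Protection class of an existing file, so an app (or a tester)
/// can audit what would fall into the "Partial AFU" bucket above.
func protectionClass(of url: URL) throws -> String {
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    return (attrs[.protectionKey] as? String) ?? "<none>"
}

/// Stores a secret in the keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly:
/// readable only while the device is unlocked, and never migrated to another device
/// via backup. This keeps it out of the kSecAttrAccessibleAfterFirstUnlock set that
/// the "Partial AFU" guess above says is reachable after the first unlock.
func storeSecret(_ secret: Data, service: String, account: String) throws {
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Replace any existing item so an older, weaker accessibility class is not kept.
    SecItemDelete(base as CFDictionary)

    var add = base
    add[kSecValueData as String] = secret
    add[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw ProtectionError.keychain(status) }
}

// Usage inside an app (placeholder data):
func protectSessionState() throws {
    let docs = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
    let file = docs.appendingPathComponent("secrets.json")
    try writeReadableOnlyWhileUnlocked(Data("{\"session\":\"state\"}".utf8), to: file)
    print("secrets.json class:", try protectionClass(of: file)) // NSFileProtectionComplete
    try storeSecret(Data("opaque-token".utf8), service: "com.example.app", account: "session")
}
```

The check in writeReadableOnlyWhileUnlocked matters more than the write option: Data Protection classes are per file, and a file that inherits a directory's class or is created by a library you do not control will quietly sit in the CompleteUntilFirstUserAuthentication set, which is exactly the set the thread suspects an AFU extraction can read.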