Technical Procedure
This section explains some low-level technical details of the operations performed by the iLiberty+ tool. These details are intended for readers who want a technical explanation of the procedure or who seek to reproduce or reimplement it; they are not necessary for general forensic examination.
Many different methods have been devised by the iPhone development community to gain access to an iPhone’s operating system, but very few of them are able to do so without destroying evidence, or even destroying the entire filesystem. The technique used in this manual is considered to be forensically safe in that it is capable of accessing the device without corrupting user data.
Unsigned RAM Disks
A RAM disk is a filesystem that resides in memory and is not physically written to disk. Most Unix kernels are capable of booting the operating system from memory, and most versions of iPhone software also support this.
The technique used by iLiberty+ for iPhone software versions 1.0.2–1.1.4 gains access to the operating system by booting an unsigned RAM disk from the iPhone’s resident memory. This RAM disk is copied into the iPhone’s memory and booted by setting the appropriate kernel flags using Apple’s MobileDevice framework. This section is based specifically on version 7.4.2 of the device framework. Because the function calls change slightly for newer versions of the framework, you will have to install this framework with a copy of iTunes 7.4.2 in order to reproduce the procedure ...