checkm8 is the only extraction method available for the Apple Watch S3 allowing full access to essential evidence stored in the device. In this guide, we will talk about connecting the Apple Watch S3 to the computer, placing the watch into DFU mode, applying the checkm8 exploit and extracting the file system from the device with iOS Forensic Toolkit 8.0.
The Apple Watch Series 3 has set a record as the longest smartwatch that Apple kept around. Initially introduced in September 2017, this model remained on sale for five years until it was finally discontinued in 2022. This model is the last Apple Watch device compatible with the checkm8 exploit.
Please note: steps listed in this guide are provided for the release version of iOS Forensic Toolkit 8.0. The older article checkm8 Extraction of Apple Watch Series 3 is based on the fifth beta version of the tool, and has slightly outdated instructions. While the old instructions still work, please refer to this publication for all future Apple Watch extractions.
Unlike other Apple devices, the Apple Watch does not have a built-in USB port. The hidden diagnostic pins are available and can be used to attach the watch to the computer with an appropriate adapter. Make sure you have everything handy before you begin.
Note: while Apple had partially patched the vulnerability in iOS 14 and 15, watchOS 7 and 8, which are based on those versions of iOS, did not receive the same treatment. As a result, you will not have to remove the watch screen lock passcode in order to apply the exploit. We are not quite sure what’s going on here, but it does appear the patch was simply forgotten.
There are several types of Apple Watch adapters on the market that can be easily sourced from multiple vendors. We tested several adapters, and currently recommend one named S-Dock:
Note that some adapters may not support DFU mode. We recommend one of the adapters we tested in Apple Watch Forensics: The Adapters and Apple Watch Forensics: More on Adapters, which includes models by S-BUS, MagicAWRT and iBUS.
When extracting the Apple Watch, follow these steps:
Launch iOS Forensic Toolkit, then connect the Apple Watch to the computer by using a commercially available adapter. At this time, the watch must be powered down.
On the computer, launch EIFT in wait mode:
./EIFT_cmd boot -w
Then, place the watch into DFU. To do that, press and hold both the Digital Crown and the Side button for ten seconds, then release the Side button while still holding the Digital Crown for 10 more seconds. There will be no indication on the watch; the display should remain black. If you see an Apple logo, the timings were wrong, and you’ll have to repeat the procedure.
Once the watch is in DFU mode, the tool code detects the OS version installed on the watch, and provides a download link. If there are multiple potential matches, several download links will be displayed; we recommend taking the last link from the list. Download the file from the link, and drop it onto the console window, then press ENTER. Alternatively, you can simply paste the firmware download link instead. If you do that, the tool will only download parts of the firmware image that are required to apply the exploit and boot the watch. It may take several attempts to place the device into DFU.
Notably, full IPSW images for Apple Watch devices are scarce. Our tool can use OTA update images for the purpose of applying the exploit.
Once the exploit is applied, the watch screen will display the “Booting” message.
In many cases, the watchOS version will be detected automatically by EIFT during the first stage of the exploit. The detection is based on the detected iBoot version and device hardware. However, in some cases the iBoot version may correspond to several OS builds. If the wrong build is used, you will have an option to either repeat the process with a different version of firmware, or continue with the current firmware image (which works in many cases).
If the process was successful, you will see a confirmation.
The Watch will display the following screen:
./EIFT_cmd ramdisk unlockdata -s
This command unlocks the data partition and mounts it read-only. You may be prompted for the passcode; enter the passcode if you know it, or press ENTER to skip (limited DFU extraction will be performed in that case).
If you enter the wrong passcode, an error will be displayed. With correct passcode, the volume is fully unlocked and you can proceed with data (keychain and file system) extraction). If you don’t know the passcode, press ENTER on the screen below. In this case, a very limited BFU extraction will be performed.1
./EIFT_cmd ramdisk keychain -o {filename}
This command extracts and decrypts the keychain. If no path is specified, it will be saved into the current folder.
./EIFT_cmd ramdisk tar -o {filename}
This command images file system. The checksum (hash value) is calculated on the fly and displayed once the extraction is finished.
The SoC and USB controller in the Apple Watch are significantly slower than their iPhone counterparts, which results in comparatively slow extraction speeds of approximately 3 MB/s.
Limited BFU extraction
If you do not know the screen lock passcode, just press ENTER when prompted. Despite “Device is not unlockable” error, you will be still able to perform a limited BFU (Before First Unlock) extraction).
After extracting the data, load the file system image and a copy of the keychain in the forensic tool of your choice. For the time being, few if any third-party forensic tools have been optimized to support watch-specific data sets. Elcomsoft Phone Viewer fully supports Apple Watch images.
The Apple Watch contains a significant amount of data that is neither included in backups nor synchronized with iCloud. Such unique data may include extensive location data, messages, notifications, and more.
Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.
Elcomsoft iOS Forensic Toolkit official web page & downloads »