Cellebrite iPhone-cracking: which iPhone models can be unlocked and accessed—and how to protect your data

Cellebrite’s iPhone cracking kit represents a high-end convergence of hardware and software designed to unlock smartphones and extract the vast majority of data stored on them. Its capabilities vary depending on the iPhone model and the iOS version it’s running, and recent user documentation reveals an expansive feature set intended for forensic and investigative use. While the kit’s reach covers a broad spectrum of devices and data types, it remains grounded in the reality that physical access and certain version-specific limitations determine what can be retrieved. The technology sits at the intersection of professional digital forensics, corporate internal investigations, and public-sector information gathering, raising important questions about privacy, oversight, and the boundaries of lawful access.

The Cellebrite ecosystem: hardware, software, and market positioning

Cellebrite maintains a portfolio of hardware and software solutions designed to unlock iPhones and Android devices and to extract substantial amounts of data from them. The company markets different configurations for different client bases: some versions are sold to commercial organizations for internal investigations or security testing, while Cellebrite Premium is positioned primarily for law enforcement and government use, at least in theory. In practice, the lines between public-sector and private-sector buyers are not perfectly clear, and Cellebrite’s own disclosures have highlighted a broad and sometimes surprising set of government customers. The company has publicly noted having more than 2,800 government customers in the United States alone, many of which do not fit the conventional image of “law enforcement” in the narrower sense. This expansive customer base underscores the kit’s potential impact across multiple branches of government and public institutions.

Beyond the traditional law enforcement sphere, Cellebrite’s clientele spans a spectrum of public and quasi-public entities. Investigators at agencies like the U.S. Fish and Wildlife Service have increasingly relied on advanced digital tools to address a wide range of offenses—from illegal deforestation to noncompliant hunting—areas that, while criminal, are not typically categorized with high-profile data-harming intrusions. Yet these agencies have access to or purchase technologies from Cellebrite, enabling broader capabilities to access encrypted data and to siphon large volumes of information. The list of clients extends to departments such as Agriculture, Education, Veterans Affairs, and Housing and Urban Development; it also includes the Social Security Administration, the U.S. Agency for International Development, and the Centers for Disease Control and Prevention. The breadth of this list illustrates how the company’s tools are used across diverse federal functions, not solely within traditional law enforcement.

In addition to government bodies, Cellebrite serves private-sector users, including blue-chip corporations seeking to conduct internal investigations, or cybersecurity companies that rely on forensic instrumentation to gather evidence, assess breaches, or monitor compliance. The firm’s products are thus positioned as both practical forensic instruments for validated investigations and strategic tools for risk management and governance programs across large organizations. The dual-use nature of this technology—capable of revealing extensive personal and device data—has drawn scrutiny from privacy advocates, policymakers, and audit professionals, who weigh the operational value against potential civil liberties implications.

The flagship kit: what the Cellebrite Premium package includes

The centerpiece of Cellebrite’s current public offering is the Cellebrite Premium kit, a comprehensive hardware-software solution designed to unlock devices and extract data from a wide array of iPhones and Android devices. The kit is packaged to support field and lab environments, with a combination of hardware, software, and accessories intended to maximize data recovery potential while maintaining practical deployment workflows. The core components of the Cellebrite Premium kit include:

• A dedicated Cellebrite Premium laptop, pre-loaded with the company’s suite of forensic software tools.
• An Android Adapter to interface with a wide range of Android devices, enabling data access and extraction tasks across different OS versions and device configurations.
• An iOS Adapter, along with an AFU (After First Unlock) version designed for use after the device has been powered off, ensuring compatibility with devices in various states of operation.
• A complete set of cables and a carrying bag to facilitate portable use in field and on-site environments.
• A hardware license dongle, which is required for the software to run, providing a form of hardware-based copy protection that ties the software to a specific device.

The software component of the kit is capable of performing targeted extractions or full filesystem extractions. When targeting specific data, users can retrieve items such as Messages or photos; when performing full filesystem extractions, the toolkit can access nearly the entire user data store, including sensitive areas like the iOS Keychain and Secure Enclave-related data. The documentation emphasizes that full-file-system extractions yield substantially more data than logical extractions, enabling access to highly protected content and areas that may not be accessible through ordinary logical methods.

The capability to access third-party application data, stored passwords and tokens, chat conversations, location histories, email attachments, and system logs is highlighted as a key advantage of the Premium kit. Importantly, the toolkit can also recover deleted content, increasing the likelihood of uncovering historically available information that might be relevant to investigations. In practical terms, this implies a broad potential for uncovering longstanding digital footprints that could corroborate or challenge witness statements, confirm timelines, or reveal previously hidden activity on a device.

iPhone cracking capabilities: which models and which iOS versions

A central claim of Cellebrite Premium is the ability to unlock and access the full filesystem of various iPhone models, even when the device is protected by a passcode. The unlocking capability is described as independent of the iOS version running on the device, meaning that once the device is unlocked, the operator can access data regardless of the iOS release in use at the time. The range of supported devices and the nuances of how unlocking works across generations are described in the accompanying documentation. The following models have been identified as being fully accessible, even when protected by a passcode, with the appropriate unlocking process:

• iPhone 4S
• iPhone 5
• iPhone 5S
• iPhone 6
• iPhone 6S
• iPhone SE
• iPhone 7
• iPhone 8
• iPhone X

There are notable caveats in the description. For three of these models (the specific three mentioned in the documentation), in-house unlocking was required if the device was running iOS 5 or iOS 6. However, Cellebrite Premium is described as capable of unlocking these devices directly if they are running iOS 7 or later, indicating a combination of internal unlocking capabilities and external kit-based unlocking depending on the iOS version. The reason these particular models can be cracked regardless of iOS version ties to unpatchable vulnerabilities that affect those devices. The known examples include the Checkm8 bootrom exploit and a separate flaw discovered in the Secure Enclave later in the same year, both of which have been characterized as unpatchable in the sense that the vulnerability resides in components that cannot be software-updated to remove the flaw. These unpatchable conditions enable persistent access to the device data irrespective of software updates aimed at patching conventional vulnerabilities.

Beyond those early models, the documentation identifies three iPhone models that can be fully accessed even when the device is locked, provided the iOS version is up to iOS 13.7. Those models are:

• iPhone XR
• iPhone XS
• iPhone 11

In these cases, full access to the filesystem is possible when the device is locked, but the unlocking scope shifts depending on the iOS version. For devices running iOS up to 13.7, the full filesystem can be retrieved by Cellebrite Premium. When the device runs iOS versions beyond that threshold, the capabilities shift in three key ways: full access can be achieved only if the passcode is provided, or other restrictions may apply depending on the device and iOS version.

For devices that are still running iOS 14 or iOS 15, the situation changes further. In those scenarios, the same three models—iPhone XR, iPhone XS, and iPhone 11—cannot be unlocked by the Premium kit or in-house services if a passcode is not provided. In other words, full filesystem access is only possible if the device is unlocked by the user-provided passcode. The legal and practical implications here are notable: law enforcement may or may not have the power to compel a suspect to reveal their passcode, a question that varies by country and jurisdiction and can affect whether full data access is achievable in a given case.

These model/version dynamics reveal a nuanced landscape. Earlier iPhone models enjoyed broader unlocking capabilities due to hardware-level or bootrom vulnerabilities that could be exploited regardless of the iOS version. Later iPhone generations, with tighter security postures and newer hardware protections, require the mere presence or absence of a passcode for full data access, thereby making the process more dependent on user cooperation or legal compulsion. The tension between device security improvements and forensic capabilities is starkly illustrated by these model-by-model distinctions.

A related point concerns the nature of the unlocking process itself. For older devices and certain iOS versions, in-house unlocking was historically required for some models, while Premium could, in other circumstances, perform the unlock directly. This differentiation underscores the evolving architecture of iPhone security and the ongoing arms race between hardware-level protections and forensic tooling with hardware-assisted bypass methods. The documentation suggests that, for some devices and iOS versions, the unlocking process may involve exploiting vulnerabilities in the device’s boot process or secure components, enabling access to the data vaults that contain user data, app data, credentials, and other sensitive information.

It is crucial to note that the documentation reviewed predates the release of the iPhone 13 and indicates that at that time, there was no demonstrated ability to access the iPhone 12 with the kit. The historical context matters because it shows how tools and capabilities can shift as new devices and software updates emerge, and it highlights the need for ongoing vigilance by investigators, policymakers, and privacy advocates regarding what is technically feasible and what remains out of reach.

Passcodes, brute-force methods, and the limits of speed

Unlocking devices with the Cellebrite Premium kit often involves brute-force techniques to defeat passcodes. The process requires the ability to disable the lockout mechanism that Apple imposes after repeated failed attempts. Even with such bypasses, the rate of attempts remains slow due to built-in delays designed to mitigate rapid or automated guessing attempts. The user guidance in the documentation includes an explicit caution: the process can be very time-consuming, with a stated example of approximately 100 passcode attempts per day. Even at this modest rate, the time-to-access can be measured in days or weeks for devices with longer or more complex passcodes.

A notable nuance in the process is the potential to incorporate personally meaningful information about the device owner into the initial set of attempts. The documentation indicates that investigators can input personal data such as dates of birth or significant dates (for example, a partner’s birthday) to seed the initial attempts. Such data can be used to generate an initial set of attempts that, if correct, may reduce the time to first success before pivoting to brute-force attempts. This approach underlines the importance of protecting even seemingly trivial personal data, as such information can inadvertently facilitate faster unlock attempts if it falls into the wrong hands.

A significant advancement highlighted in the documentation is the introduction of an autonomous mode for brute-force unlocking. Historically, brute-force attempts required the device to remain connected to the Premium kit for the duration of the process. The autonomous mode changes this dynamic by allowing the iPhone to become the site of the attack itself. The Premium kit can install software that executes the dictionary attack directly on the iPhone, enabling the device to continue the attack even after it has been disconnected from the kit. This means that multiple devices can be attacked concurrently, with each device running the attack independently on its own hardware and environment. The net effect is a potential acceleration of data access across a fleet of devices, particularly in settings where investigators must process large numbers of phones in a short time frame.

It is important to emphasize that all Cellebrite attacks require physical access to the device. This is a fundamental constraint that forces any real-world deployment to operate in proximity to the device for at least initial engagement, and often for some portion of the data acquisition process. This stands in contrast to some remote surveillance tools, such as certain spyware platforms, which can operate with minimal or zero-click access in some configurations. The physical-access requirement remains a core security and privacy consideration in evaluating the broader implications of Cellebrite’s technology.

In addition to the technical limitations and operational realities, it is worth understanding that the rate of attempts is bounded by safeguards and the device’s own security posture. For devices with robust passcode policies, long passcodes, or multi-factor protections, the time required to breach a device can be substantial, even with the most advanced tooling. The documentation’s explicit acknowledgment of time-intensive processes serves as a reminder that these tools do not guarantee instantaneous data access and that investigators must plan for extended timelines, resource allocation, and careful workflow design when handling sensitive data.

Operational workflows: how autonomous mode changes the process

Autonomous mode represents a shift in how the brute-force unlocking workflow can be conducted. Previously, the device under examination had to remain connected to the Cellebrite Premium kit for the entire duration of the attack. This created logistical constraints—physical proximity to the device, the potential risk of device tampering, and limitations on throughput if multiple devices needed simultaneous processing. The autonomous mode mitigates some of these constraints by enabling the attack to operate on the device itself, even after disconnection, thereby allowing the forensic team to parallelize processing across multiple devices and to manage a larger caseload.

The autonomous approach is accomplished by installing the software that drives the dictionary attack directly onto the iPhone. Once the attack is underway, investigators can disconnect the device from the kit, and the device will continue to operate in the mode required to carry out the brute-force process. After initiation, the target device’s own hardware performs the operation, and the attack can be run across several devices simultaneously. This capability has practical implications for public-safety and corporate security teams facing backlogs and the need for scalable evidence gathering.

The autonomous capability also introduces additional considerations around control and visibility. For instance, when the attack runs directly on the device, it becomes crucial to ensure that the device’s data integrity and the chain of custody are preserved. Analysts must document the exact state of the device at the outset, the sequence of events during the attack, and any intermediate results. They must also consider how to verify results securely once the device returns to the connected workflow. These steps are essential to ensure that evidence remains admissible in court or in internal investigations.

From a policy perspective, the autonomous mode reinforces the importance of defined governance around the use of powerful forensic tools. Given the potential for sensitive data to be exposed or misused, organizations leveragingsuch capabilities typically implement strict access controls, audit trails, and chain-of-custody procedures. They also assess legal authority, jurisdictional compliance, and the ethical implications of bypassing or circumventing device security features. The combination of technical capability and procedural discipline is critical to balancing the legitimate needs of investigators with the privacy and civil-liberties concerns that accompany powerful data-access tools.

The client landscape: government uses, corporate investigations, and cybersecurity partnerships

Cellebrite’s client base includes a mix of public-sector agencies, private corporations, and security-focused firms. Government agencies often cite the need to address a broad array of offenses and challenges, from violent crime and fraud to public-safety concerns and regulatory compliance. The broad roster of agencies cited in public disclosures—ranging from environmental enforcement bodies to welfare and health agencies—highlights how digital forensics tools can be integrated into a wide range of investigative workflows. In many cases, these agencies face complex cases where phone data can provide critical corroboration for timelines, communications, and activity across several years or even decades.

Private-sector organizations also rely on Cellebrite’s offerings for internal investigations, compliance monitoring, risk assessment, and incident response. In large enterprises, digital forensics plays a central role in investigating data breaches, employee misconduct, and regulatory inquiries. By enabling the extraction of messages, emails, app data, andsystem-level information, the tools support investigators in reconstructing events, identifying misconfigurations or policy violations, and gathering evidence for disciplinary or legal actions. For cybersecurity companies, Cellebrite’s capabilities complement a broader suite of defensive and investigative services, enabling red-team exercises, breach simulations, and post-incident analyses that require a deep understanding of what data can be retrieved from devices owned or controlled by individuals under investigation.

The varied client base also raises questions about governance, ethics, and the appropriate use of forensic tools. When a government agency or a private company relies on the same hardware and software to access highly sensitive personal data, there is a heightened need for oversight, documented procedures, and transparency about how data is accessed, stored, and used. The possibility of cross-border data flows, data retention policies, and international cooperation in investigations makes the governance landscape particularly complex. As a result, organizations employing Cellebrite Premium typically implement internal controls, data minimization practices, and clear policies on data handling, retention, and dissemination to ensure that the use of the kit aligns with legal requirements and ethical standards.

Data access scope: what “full filesystem” means in practice

The promise of full filesystem access when using Cellebrite Premium is a central feature that distinguishes the kit from more limited forensic tools. The full filesystem access means that investigators can retrieve not only visible data but also hidden, encrypted, or otherwise protected content and metadata that resides within the device’s storage partitions. The implications for evidence collection are significant. Access to Keychain-stored credentials and tokens, for example, can unlock or enable access to a wide range of services and apps, potentially revealing account access patterns, session tokens, and stored credentials across multiple applications. Access to chat histories, location data, emails and attachments, and system logs contributes to a more comprehensive reconstruction of user activity. The ability to recover deleted content further expands the potential evidentiary footprint, creating a more complete historical record of interactions and communications.

From a forensic perspective, the ability to access third-party app data and tokens is particularly important. Many modern apps store data in encrypted containers or secure storage that is difficult to retrieve through conventional data extraction methods. By extracting data from these containers and recovering tokens or credentials stored in the device’s secure storage, investigators can obtain access to in-app communications, cloud-synced content, and other artifacts that might otherwise be inaccessible. The data recovered from these sources can provide critical context for investigations, help verify alibis, reveal patterns of behavior, or corroborate financial transactions and communications.

It is important to understand that the extent of data access is not unlimited and is constrained by a combination of device protections, OS-level safeguards, and legal considerations. For instance, in cases where the device’s OS hardening and encryption are particularly strong, or where a passcode is required to unlock, full filesystem access may be contingent on legitimate access to the passcode or on a successful bypass of device protections. The distinction between access with and without passcodes is salient in such contexts, as it directly affects the likelihood of obtaining comprehensive data from a given device and scenario.

Legal and privacy considerations: scope, limits, and oversight

The use of high-powered forensics tools like Cellebrite Premium sits squarely in a landscape of legal and privacy considerations. Law enforcement agencies and other authorized entities operate under a framework of statutes and regulatory requirements that govern when and how data can be accessed, what data can be retrieved, and how it must be stored and protected. The ability to compel a suspect to reveal a passcode varies by jurisdiction and can significantly affect the practical outcomes of an investigation. In jurisdictions where compelled disclosure of a passcode is permissible, access to the device’s full filesystem may be achieved even when the device is otherwise locked. In other jurisdictions, legal protections against self-incrimination or privacy rights may limit such access, or require court orders or other formal processes to compel disclosure.

The potential for overreach or misuse is a focal point for privacy advocates. The combination of in-depth data extraction capabilities and broad potential client bases increases the risk that sensitive personal information could be exposed or mishandled if governance structures are inadequate. In response, many organizations implement strict access controls, robust chain-of-custody protocols, and explicit documentation of the legal basis for data retrieval. They also require clear retention policies, audit trails, and risk assessments that identify the potential for civil liberties concerns and reputational risk if data is mishandled. The public discourse around digital forensics tools emphasizes the need for transparent reporting, independent oversight, and continuous evaluation of the ethical implications of deploying such capabilities in both criminal and civil contexts.

The rapid evolution of device security features and the ongoing discovery of new vulnerabilities means this space remains dynamic. As Apple and other device manufacturers respond to forensic challenges with updated hardware protections and software security measures, forensic vendors must adapt to maintain their capabilities. This cat-and-mouse dynamic has a direct impact on how investigations are planned, how evidence is gathered, and how courts and regulators assess the admissibility and reliability of data obtained through such tools. It also underscores the importance of ongoing training for investigators to understand both the capabilities and the limitations of the technologies they rely on, ensuring responsible use and sound technical judgment.

Practical implications: privacy, security, and policy considerations

The existence and deployment of powerful iPhone-cracking tools like Cellebrite Premium have broad implications for individual privacy and national security alike. On one hand, such tools enable investigators to uncover critical evidence, solve complex cases, and protect public safety by enabling the retrieval of data that would otherwise be inaccessible. On the other hand, the same capabilities raise legitimate concerns about privacy, the potential for abuse, and the risk that sensitive personal information could be exposed or exploited if misused. The balance between facilitating legitimate investigations and safeguarding civil liberties is delicate, requiring thoughtful governance, independent oversight, and rigorous safeguards.

The public debate around these technologies often centers on the following questions:

• How can authorities ensure that access to private data is strictly limited to legitimate crime and safety objectives?
• What kinds of oversight and accountability mechanisms are necessary to prevent abuse or overreach?
• How should retention, access controls, and data minimization be structured to protect individuals’ privacy while preserving the integrity of investigations?
• What role should policymakers play in setting standards for the sale and deployment of such tools, and how should export controls, licensing, and end-user agreements shape responsible use?

These questions are not merely theoretical. They influence the design of procurement policies, the implementation of internal controls, and the broader ecosystem of vendors, customers, and regulatory bodies that interact with digital-forensics tools. Stakeholders—ranging from law enforcement to civil-liberties organizations and from enterprise security teams to privacy advocates—continue to seek clearer boundaries, better transparency, and stronger safeguards to ensure that the powerful capabilities described in these tools are used responsibly and legally.

Conclusion

Cellebrite Premium represents a sophisticated, high-end forensic instrument that blends hardware, software, and specialized support to enable comprehensive data extraction from iPhones and other devices. Its reported capabilities span full filesystem access, retrieval of protected data such as Keychain credentials and Secure Enclave information, recovery of deleted content, and the ability to access third-party app data, tokens, chat conversations, location histories, and system logs. The tool’s applications vary across a broad client base, from federal and state agencies to corporate security teams and cybersecurity firms, reflecting the diverse investigative needs of public and private sectors.

The landscape of device security, vulnerability discovery, and forensics is continually evolving. Older iPhone models and certain iOS versions have historically shown greater susceptibility to unlocking techniques, while newer devices with hardened protections rely more on passcodes or require legitimate access to unlock. The introduction of autonomous brute-force mode marks a significant development in operational efficiency, enabling attacks to run on devices themselves and to proceed independently after initial deployment. Yet, even with these advances, physical access remains a fundamental prerequisite, and access is bounded by legal authority, jurisdictional rules, and ethical standards.

As technology advances and device security continues to strengthen, the forensic community, policymakers, and privacy advocates will continue to scrutinize tools like Cellebrite Premium. The ongoing dialogue will shape how such capabilities are deployed, governed, and regulated, ensuring that the pursuit of investigative effectiveness remains balanced with fundamental privacy rights and civil liberties. The conversation will likely influence both the design of future devices and the evolution of forensic methodologies, guiding responsible adoption and robust oversight to address the intricate challenges at the heart of modern digital investigations.