Ramdisk iPhone 6s Plus

To boot a custom ramdisk on an iPhone 6s Plus, an attacker or researcher must first exploit a vulnerability in the boot process. Historically, this has been achieved using checkm8 (a permanent bootrom exploit affecting all A5–A11 chips, including the A9 in the 6s Plus). Checkm8 allows the execution of unsigned code at the iBoot stage, enabling the loading of a custom ramdisk image. This ramdisk is typically a stripped-down version of iOS, containing only essential tools (e.g., launchd, a minimal shell, usbmux, and data recovery utilities) and packaged in IMG3 or IM4P format, either with a valid signature or with the signature check patched out.

The most common legitimate use of a ramdisk on the iPhone 6s Plus is data recovery and forensic imaging. When a device is locked with a passcode and the user is uncooperative or deceased, law enforcement and forensic firms may use a checkm8-based ramdisk to boot the device without touching the main storage’s OS. Once booted, the ramdisk can mount the device’s actual file system (typically encrypted with a key derived from the user’s passcode and hardware UID) and attempt brute-force attacks or, in older iOS versions, extract files. For example, tools like ipwnder and Ramdisk Creator allow researchers to boot a lightweight ramdisk on the 6s Plus, then use ssh over USB to navigate the device’s file system, provided that the decryption key can be obtained or bypassed.

The iPhone 6s Plus, released in 2015, represented a significant leap in Apple’s smartphone technology, featuring the A9 chip, 2 GB of LPDDR4 RAM, and an NVMe-based storage architecture. While most users interact with iOS through its polished graphical interface, security researchers, forensic analysts, and advanced jailbreak developers often rely on a lower-level tool: the ramdisk. A ramdisk, a block of system memory (RAM) temporarily partitioned to act as a storage device, plays a crucial but often misunderstood role in accessing, recovering, and manipulating data on devices like the iPhone 6s Plus. This essay explores the concept of an iPhone ramdisk, its technical implementation on the 6s Plus, its practical applications, and the security limitations that modern Apple hardware imposes.

Technical Foundations of an iPhone Ramdisk

On a standard computer, a ramdisk is simply a portion of RAM formatted with a file system. On an iPhone, however, the term “ramdisk” takes on a more specialized meaning: it is a custom, minimalistic file system loaded into the device’s RAM during a low-level boot phase, typically when the device is in DFU (Device Firmware Upgrade) mode or a pwned (exploited) state. The iPhone 6s Plus, like all iOS devices, does not normally allow arbitrary ramdisk booting because Apple’s Secure Enclave and boot ROM verify every component of the boot chain, from LLB (Low-Level Bootloader) to iBoot to the kernelcache.

Another application is jailbreaking. Some semi-tethered jailbreaks for the 6s Plus use a ramdisk to re-apply patches after a reboot. By booting a ramdisk that contains a patched kernelcache, the jailbreak can remount the root partition as read-write and install necessary binaries. The popular checkra1n jailbreak, which supports the iPhone 6s Plus, operates on exactly this principle: it exploits checkm8, loads a ramdisk, and then boots a patched kernel, all without modifying the boot ROM.

Limitations and Security Barriers

Despite the power of a ramdisk, the iPhone 6s Plus incorporates formidable security that limits what a ramdisk can achieve. The most significant barrier is Data Protection, Apple’s per-file encryption system. Even when a custom ramdisk is booted, the user data partition remains encrypted with a class key that is wrapped with the device’s UID (unique ID burned into the A9 chip) and the user’s passcode. Without the passcode, the ramdisk can only access metadata or encrypted blobs. Moreover, after the iPhone 6s Plus’s introduction, Apple strengthened the Secure Enclave’s role; the SEP (Secure Enclave Processor) manages the actual decryption keys and never exposes them to the main CPU or any ramdisk. Thus, a ramdisk cannot simply “read” locked user data; it can only attempt to brute-force the passcode via the SEP, which enforces escalating delays and eventually wipes the device after 10 incorrect attempts.

Another limitation is hardware-bound. The iPhone 6s Plus has 2 GB of RAM, which must simultaneously host the ramdisk, the kernel, and any tools. Large ramdisks (e.g., those containing a full iOS GUI) are impractical, so most ramdisks are command-line only. Additionally, once a ramdisk is booted, the device loses normal cellular and wireless functions unless specific drivers are loaded, limiting live data capture.

From a forensic perspective, a ramdisk is a double-edged sword. On one hand, it allows investigators to create a bit-for-bit image of the device’s storage without booting the main OS (which could trigger data overwrites or remote wipe commands). On the other hand, the act of booting a custom ramdisk is invasive and can alter system state, for example by modifying the kernel’s boot arguments or leaving traces in the syslog. Moreover, because checkm8 is a hardware exploit, Apple cannot patch it on existing iPhone 6s Plus devices, making them permanently vulnerable to ramdisk-based attacks. This has led to ethical debates: while ramdisks enable legitimate data recovery for forgotten passcodes (with user consent), they also empower malicious actors with physical access to bypass basic lock screens.

Conclusion

The ramdisk for the iPhone 6s Plus is a powerful but constrained tool, rooted in the exploitation of the checkm8 bootrom vulnerability. It enables advanced data recovery, jailbreaking, and forensic imaging by allowing an unsigned, minimal file system to boot in place of iOS. However, Apple’s layered security, particularly Data Protection and the Secure Enclave, ensures that a ramdisk alone cannot compromise a fully updated device with a strong passcode. For the iPhone 6s Plus, which remains popular among enthusiasts and forensic examiners due to its checkm8 vulnerability, the ramdisk symbolizes the ongoing arms race between device security and physical access. Ultimately, while ramdisks offer a backstage pass into iOS’s internals, they are not a magic key to user data but rather a specialized instrument requiring deep technical skill and ethical restraint.
