EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).
github.com/axi0mX/ipwndfu
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).
github.com/axi0mX/ipwndfu
1/ The last iOS device with a public bootrom exploit until today was iPhone 4, which was released in 2010. This is possibly the biggest news in iOS jailbreak community in years. I am releasing my exploit for free for the benefit of iOS jailbreak and security research community.
2/ What I am releasing today is not a full jailbreak with Cydia, just an exploit. Researchers and developers can use it to dump SecureROM, decrypt keybags with AES engine, and demote the device to enable JTAG. You still need additional hardware and software to use JTAG.
3/ Maybe someone can figure out a nice way to use JTAG on iPhone without proprietary hardware and software. I and many others would be forever grateful if someone makes that possible.
4/ Exploit released today supports s5l8947x, s5l8950x, s5l8955x, s5l8960x, t8002, t8004, t8010, t8011, t8015. Others will be added soon. It is not perfectly reliable yet; it uses a race condition and I only tested it on my MacBook Pro.
5/ During iOS 12 betas in summer 2018, Apple patched a critical use-after-free vulnerability in iBoot USB code. This vulnerability can only be triggered over USB and requires physical access. It cannot be exploited remotely. I am sure many researchers have seen that patch.
6/ That's how I discovered it. It is likely at least a couple other researchers were able to exploit this vulnerability after discovering the patch. The patch is easy to find, but the vulnerability is not trivial to exploit on most devices.
7/ A bootrom exploit for older devices makes iOS better for everyone. Jailbreakers and tweak developers will be able to jailbreak their phones on latest version, and they will not need to stay on older iOS versions waiting for a jailbreak. They will be safer.
8/ It will also be better for security researchers interested in Apple's Bug Bounty. They will not need to keep vulnerabilities on hand so that they have access they need for their research. More vulnerabilities might get reported to Apple right away.
9/ Needless to say, jailbreaking is not dead. Not anymore. Not today, not tomorrow, not anytime in the next few years. What a time to be alive. It is a tethered bootrom exploit, but it should be possible to make a cable or a dongle that jailbreaks your device without a computer.
10/ What @nervoir mentioned could be implemented, but I think everyone is better off if this is not possible. If Apple has hardware support for this today, I believe they are much better off not using it now. I think doing that would open a can of worms.
11/ Apple's devices can be trusted because SecureROM cannot be modified and Apple's private key is kept safe by Apple. If one-off modification was possible, whether remotely or otherwise, there would be no way to know if anyone was abusing it or if someone found a way to hack it.
12/ It would be a hardware backdoor. Can you imagine all the court orders Apple would get for its use if it was revealed that they can modify devices in this way? No one could be certain if their device was modified or not. I definitely would feel less safe using an iPhone.
