An iOS hacker and cybersecurity researcher today publicly released what he claimed to be a “permanent unpatchable bootrom exploit,” in other words, an epic jailbreak that works on all iOS devices ranging from iPhone 4s (A5 chip) to iPhone 8 and iPhone X (A11 chip).
Dubbed Checkm8, the exploit leverages unpatchable security weaknesses in Apple’s Bootrom (SecureROM), the first significant code that runs on an iPhone while booting, which, if exploited, provides greater system-level access.
“EPIC JAILBREAK: Introducing checkm8 (read “checkmate”), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices,” said axi0mX while announcing the publicly release of the exploit on Twitter.
The new exploit came exactly a month after Apple released an emergency patch for another critical jailbreak vulnerability that works on Apple devices including the iPhone XS, XS Max, and XR and the 2019 iPad Mini and iPad Air, running iOS 12.4 and iOS 12.2 or earlier.
Since the bootrom exploits are hardware-level issues and can not be patched without a hardware revision, a simple software update can’t address the newly released bootrom exploit.
It should be noted that the Checkm8 exploit itself is not a full jailbreak with Cydia, instead, is just an exploit which researchers and jailbreak community can use to develop a fully working jailbreak tool.
Features the Checkm8 exploit allows include as mentioned below:
- Jailbreak and downgrade iPhone 3GS (new bootrom) with alloc8 untethered bootrom exploit.
- Pwned DFU Mode with steaks4uce exploit for S5L8720 devices.
- Pwned DFU Mode with limera1n exploit for S5L8920/S5L8922 devices.
- Pwned DFU Mode with SHAtter exploit for S5L8930 devices.
- Dump SecureROM on S5L8920/S5L8922/S5L8930 devices.
- Dump NOR on S5L8920 devices.
- Flash NOR on S5L8920 devices.
- Encrypt or decrypt hex data on a connected device in pwned DFU Mode using its GID or UID key.
“This is possibly the biggest news in the iOS jailbreak community in years. I am releasing my exploit for free for the benefit of iOS jailbreak and security research community,” says axi0mX, who released the exploit on GitHub.
“Researchers and developers can use it to dump SecureROM, decrypt keybags with AES engine, and demote the device to enable JTAG. You still need additional hardware and software to use JTAG.”
axi0mX says he discovered the underlying bootrom vulnerability while analyzing a security patch Apple released in 2018 to address a previously discovered critical use-after-free vulnerability in iBoot USB code.
axi0mX also notes that his exploit can not be performed remotely. Instead, it can only be triggered over USB and requires physical access.
The jailbreak only works on iPhones running Apple’s A5 and A11 chipsets and does not work on the latest two chipsets, i.e., A12 and A13.