'Checkm8' used to jailbreak iPhone X running iOS 13.1.1

Posted in iPhone, edited December 2019
The security researcher who developed the "Checkm8" exploit has continued working, and has demonstrated an iPhone X booting in verbose mode with the aid of the exploit that was revealed on Friday.




According to "axi0mX," the jailbreak took only seconds on an iPhone X running iOS 13.1.1. Because the exploit is in the boot ROM, the operating system version isn't really relevant: the security chain is broken before the device gets to the patchable iOS part.

As before, the exploit still requires a tether, meaning a connection to a computer. Additionally, a reboot will prevent any system modifications like keyloggers installed during the jailbreak from loading, and restores the secure boot chain.

HACKED! Verbose booting iPhone X looks pretty cool. Starting in DFU Mode, it took 2 seconds to jailbreak it with checkm8, and then I made it automatically boot from NAND with patches for verbose boot. Latest iOS 13.1.1, and no need to upload any images. Thanks @qwertyoruiopz pic.twitter.com/4fyOx3G7E0

-- axi0mX (@axi0mX)

As the developer of the exploit said on Saturday, the demonstration is the next logical step in developing a new and full jailbreak. Because of the limitations involved in a boot ROM exploit and the Secure Enclave engineering in the iPhone 5s and later, it still doesn't imply anything further with regard to device security.

The exploit works on any iPhone up to and including the iPhone X. User data and passcode security are maintained on any device that includes a Secure Enclave, including the iPad Air and newer, iPod touch seventh generation, and the iPhone 5s and newer.

Comments

  • Reply 1 of 14
    The upside of what I think we learned of this for jailbreaking is if you are on any signed version of iOS such as iOS 13.1.1 when using this exploit it will allow you to become jailbroken, but once you reboot the device the jailbreak ceases to function. Being that the iOS version is signed the device will then proceed to boot into a clean version of iOS. An unsigned version of iOS without shsh blobs will only function in the exploited state, rebooting will cause the whole device to be stuck on the Apple logo until you exploit again.

    I believe once a jailbreak is available the Cydia app and any jailbreak apps may still remain on the device in storage on a signed version of iOS until you system restore, but will not open or function due to Apple's security.
  • Reply 2 of 14
    Mike Wuerthele Posts: 6,861 administrator
    Vulkan said:
    The upside of what I think we learned of this for jailbreaking is if you are on any signed version of iOS such as iOS 13.1.1 when using this exploit it will allow you to become jailbroken, but once you reboot the device the jailbreak ceases to function. Being that the iOS version is signed the device will then proceed to boot into a clean version of iOS. An unsigned version of iOS without shsh blobs will only function in the exploited state, rebooting will cause the whole device to be stuck on the Apple logo until you exploit again.

    I believe once a jailbreak is available the Cydia app and any jailbreak apps may still remain on the device in storage on a signed version of iOS until you system restore, but will not open or function due to Apple's security.
    Right, this is what we said yesterday.
  • Reply 3 of 14
    eriamjh Posts: 1,644 member
    This jailbreak could be how that company claimed to be able to access data on every iPhone ever made (or whatever) for law enforcement.
  • Reply 4 of 14
    chasm Posts: 3,303 member
    Yes, this is an exploit law enforcement can take (and certainly has taken) advantage of, but for 99+ percent of iPhone users this is a huge non-event due to the requirements of the hack -- phone not in your possession, tethered, a reboot wipes out anything installed using the exploit, etc.

    That said it pays to be aware of stuff like this when traveling, and of course Apple is learning how to block this exploit going forward, so the research that went into it is valuable.
  • Reply 5 of 14

    It would be nice for the developer to not mislead people into thinking that this is a complete compromise of the device security. No, he wants people to think that for headlines.
  • Reply 6 of 14

    It would be nice for the developer to not mislead people into thinking that this is a complete compromise of the device security. No, he wants people to think that for headlines.

    This x1000. He knew it didn’t have persistence, couldn’t access the Secure Enclave or give up your PIN or get access to your data.

    But the way he talks (tweets) it sure sounds like this is the end of security for iOS device users.

    Even in his interview he refuses to give answers to simple questions and always obfuscates with words like “it depends”. Always have to give readers some hope by leaving the door open, even if it’s only open by a micron.
  • Reply 7 of 14
    I am interested to know why iPhone 11 can’t be jailbroken? What is different about bionic 13’s boot ROM?
  • Reply 8 of 14
    sergioz said:
    I am interested to know why iPhone 11 can’t be jailbroken? What is different about bionic 13’s boot ROM?
    The iPhones 11 (and the Xs and Xr) ROMs do not have the exploit. It was either patched by Apple or they removed it in the course of development.
  • Reply 9 of 14
    Wow, an iPhone does all that when booting up? It's crazy that all that complexity is happening on such a simple-looking device. (Insert graphic showing an iPhone ~ equal sign ~ 500,000 ENIACS)
    edited September 2019
  • Reply 10 of 14
    normang Posts: 118 member
    It's a non-event in more ways than one.... Who in the world wants to waste their time anymore jailbreaking their iPhone, what advantage is there? And then there is the big downside, you're less secure, and you could brick your device and once Apple sees how, you really got an expensive brick...
  • Reply 11 of 14
    So is 13.1.2 a patch for this?  
  • Reply 12 of 14
    So is 13.1.2 a patch for this?  
    There is no patch for this. The exploit is in the BootROM. ROM stands for "read-only memory". Apple would need to patch hardware.
    edited October 2019
  • Reply 13 of 14
    netmage Posts: 314 member
    bluefirex said:
    So is 13.1.2 a patch for this?  
    There is no patch for this. The exploit is in the BootROM. ROM stands for "read-only memory". Apple would need to patch hardware.
    I think you mean “replace hardware” - there is no patching hardware. 
  • Reply 14 of 14
    netmage Posts: 314 member
    eriamjh said:
    This jailbreak could be how that company claimed to be able to access data on every iPhone ever made (or whatever) for law enforcement.
    Only for those users using a simple PIN - your data is still encrypted and can only be decrypted on-device with the right PIN or passcode.
    It also isn’t possible to bypass the 10 count limit if the processor is an A11 or newer so you can’t realistically brute force guess the PIN on those.
    edited October 2019