Vulkan

About

Username
Vulkan
Visits
6
Roles
member
Points
15
Badges
0
Posts
7
  • 'Checkm8' used to jailbreak iPhone X running iOS 13.1.1

    The upside of what I think we learned of this for jailbreaking is if you are on any signed version of iOS such as iOS 13.1.1 when using this exploit it will allow you to become jailbroken, but once you reboot the device the jailbreak ceases to function. Being that the iOS version is signed, the device will then proceed to boot into a clean version of iOS. An unsigned version of iOS without SHSH blobs will only function in the exploited state; rebooting will cause the whole device to be stuck on the Apple logo until you exploit again.

    I believe once a jailbreak is available the Cydia app and any jailbreak apps may still remain on the device in storage on a signed version of iOS until you system restore, but will not open or function due to Apple's security.
  • The 'Checkm8' exploit isn't a big deal to iPhone or iPad users, and here's why

    Vulkan said:
    Hypothetically, wouldn't this exploit also possibly allow someone to bypass Apple's iCloud lock? Say you lost your phone or it was stolen, so you lock the phone using iCloud; wouldn't this allow a really intelligent thief to run or modify code that bypasses the iCloud lock? Now I'm not talking about secure data, because that could be wiped for all they care. If this allows for the eventuality of a jailbreak and the ability to run tethered code, it could potentially allow useless phones to become useful and increase thefts, provided the phones don't become blacklisted. I'm not sure if after you bypass the iCloud lock it becomes permanent or not once you're outside of the setup screen, but if a jailbreak comes along that allows for semi-tether this could give it persistence.

    What I'm saying is there are still some out-of-the-box risk scenarios.

    No. There's more about why this is the case in the interview with the developer.

    And the possibility of theft of an iPad is unchanged with or without the jailbreak, so the threat profile remains the same before and after the reveal of it.

    I've done some reading and it looks like my fears are at least confirmed by iOS researcher GeoSnow, who is convinced you'll be able to use a custom firmware iCloud lock bypass, possibly alongside dumping the secure ROM.

    The iCloud lock is the security feature that protects the device after it's been improperly restored or wiped using DFU mode. The iCloud lock binds the device to the user's iCloud account, rendering the device useless to anyone that does not have the iCloud account it previously used.

    Installing a custom IPSW or iOS operating system without this security feature in place will allow the hardware, i.e. iPhone or iPad, to be used. The exploit only needs to install the custom iOS onto the device, which wasn't possible before at bootrom level*. I am unsure about the SEP (Secure Enclave) working in a custom environment, but all that may mean is the iPhone won't be able to be locked using Touch ID or Face ID. Persistence may* (I'm not sure) require a computer to reboot.

    It's not practical, but it seems like it's possible for bad actors or people who have a locked iPhone. I don't endorse this whatsoever, but I think there is more to it that is still being researched, and it may later affect consumers.

    GeoSnow is a well known iOS security researcher in the jailbreaking community. Good or bad, his pwned DFU mode is what he's working on to install custom IPSWs, or upgrade/downgrade iOS versions.

    https://jailbreak.fce365.info/Thread-How-to-use-the-Checkm8-BootROM-Exploit-iPwnDFU-on-iOS-8-up-to-iOS-13-1-1

    https://mobile.twitter.com/FCE365

    Edit:
    *Checkm8 in its current form, without any other exploits, is still tethered, so the bypass would still require the device not reboot, else the device would require the exploit again to boot. The bypass does not currently allow the baseband/SIM card to function, preventing calls.

    In retrospect, probably self-defeating not wanting this to happen by talking about it... but considering Google is a thing, what's out is out.