iOS hacker axi0mX recently made public a new unpatchable exploit called “checkm8”. This BootROM exploit threatens millions of iPhone and iPad devices.
checkm8 BootROM exploit threatens iPhone X and older devices
axi0mX’s latest exploit – checkm8 – affects hundreds of millions of Apple devices. This is quite rightly the biggest thing to ever happen in the security research and jailbreaking scene.
Until now, the last major Apple device with a public BootROM exploit was the iPhone 4 (A4 chip). For the uninitiated, BootROM exploits are the holy grail of all iOS exploits, since they target code baked into the device’s read-only hardware rather than its updatable software.
According to axi0mX, security researchers and hackers can use this exploit to perform the following actions –
- Decrypt keybags using the AES engine
- Enable JTAG (requires additional hardware and software)
- Dump the SecureROM
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). https://t.co/dQJtXb78sG
— axi0mX (@axi0mX) September 27, 2019
All iPhone and iPad devices with A5 through A11 Bionic chips (from the iPhone 4S up to the iPhone 8, 8 Plus and X) are vulnerable to checkm8.
- iPhone 4S
- iPad 2
- iPad Mini
- iPod Touch (5th generation)
- iPhone 5
- iPhone 5C
- iPad (4th generation)
- iPhone 5S
- iPad Air
- iPad Mini 2
- iPad Mini 3
- iPhone 6
- iPhone 6 Plus
- iPad mini 4
- iPod touch (6th generation)
- iPad Air 2
- iPhone 6S
- iPhone 6S Plus
- iPhone SE
- iPad (2017) 5th Generation
- iPad Pro (12.9-inch) 1st generation
- iPad Pro (9.7-inch)
- iPhone 7
- iPhone 7 Plus
- iPad (2018) 6th generation
- iPod touch (2019) 7th generation
- iPad (2019) 7th generation
- iPad Pro 10.5-inch (2017)
- iPad Pro 12.9-inch (2017) 2nd generation
- iPhone 8
- iPhone 8 Plus
- iPhone X
What is BootROM and how BootROM exploits work
Simply put, BootROM is the first code that runs when your Apple device boots.
Apple cannot fix a BootROM flaw like this by rolling out a new iOS firmware update, as it usually does.
Manufacturers can only fix hardware-based flaws by releasing new models or by physically replacing the hardware of existing devices, which is unrealistic.
So, once we get a jailbreak, affected devices are jailbroken for life – on all iOS versions.
In addition to developing a full-fledged untethered jailbreak, a BootROM exploit can also be used to develop –
- Dual-booting firmware
- Downgrades to unsigned versions
- Jailbreak tools for future versions
- Custom firmware flashing
While a BootROM exploit can potentially lead to an untethered jailbreak, checkm8 cannot be used to develop an untether.
It is a non-persistent, or tethered, exploit, meaning you will need to connect your iPhone or iPad to a computer every time you reboot into the jailbroken state.
To develop an untethered jailbreak, developers require a “persistent” exploit that retains root access even after the user reboots the device.
Nevertheless, it’s almost unreal that axi0mX has decided to release his exploit publicly considering how valuable it is.
Generally, security companies and bug bounty programs offer bounties over $1 million for hardware exploits such as checkm8.
As of now, no developer has announced any checkm8-based project for iPhone X and older models. But as time passes by, you can expect a whole lot of jailbreak goodies to be released.