What the checkm8 BootROM exploit can do [FAQ]

Ever since axi0mX dropped the unpatchable checkm8 BootROM exploit, the chatter hasn’t subsided. Each one of us yearns for a permanent jailbreak, but this exploit is capable of a lot more than that. Read the complete FAQ below and see for yourself what you can and can’t do with this exploit.

Q. What can the checkm8 BootROM exploit do?

  • Jailbreak the latest signed firmware version as long as you have a vulnerable device.
  • Tethered downgrades without SHSH Blobs to any compatible version. However, in doing so, you will encounter issues with the SEP (Secure Enclave Processor). Any feature that depends on SEP will simply not work.  
  • Flash a Custom Firmware (CFW) for jailbreaking and activating your Apple device, adding a custom boot logo or verbose boot.
  • Dump SecureROM for security research.
  • Dual-boot two different operating system versions on the same device.
  • Load an SSH ramdisk.
  • Port and boot experimental builds of Android and possibly even Linux.
  • Bypass KPP/KTRR, AMFI, CoreTrust, and other security features. 
  • Patch all security features present in any operating system update.
  • Demote device to enable JTAG
  • Boot device
  • Send file to device in DFU Mode
  • Install alloc8 exploit to NOR
  • USB exploit for pwned DFU Mode
  • Dump memory to stdout
  • Hexdump memory to stdout
  • Dump NOR to file
  • Flash NOR (header and firmware only) from file
  • Install 24Kpwn exploit to NOR
  • Remove 24Kpwn exploit from NOR
  • Remove alloc8 exploit from NOR
  • AES decrypt with GID key
  • AES encrypt with GID key
  • AES decrypt with UID key

Q. Is checkm8 tethered or untethered?

Unlike older exploits like limera1n and SHAtter, checkm8 is tethered, not untethered.

This means all jailbreak and downgrade tools that rely on checkm8 will be tethered or semi-tethered, meaning you will need to execute ipwndfu on the computer while your device is in DFU mode each time you wish to put it in jailbreak mode. 

If you reboot your device, it will boot to the non-jailbroken state (stock operating system) just fine, rootlessJB developer Jake James confirmed in a recent tweet.

You will still be able to use the stock operating system without any difficulty even if your iPhone or iPad runs out of battery and you have no computer at hand.

Q. Which devices are compatible?

Currently, only the following devices are compatible –   

  • s5l8947x – Apple TV 3rd-generation
  • s5l8950x – iPhone 5, iPhone 5C
  • s5l8955x – iPad 4th-generation
  • s5l8960x – iPad Air, iPhone 5S, iPad mini 2, iPad mini 3
  • t8002 – Apple Watch 1, Apple Watch 2
  • t8004 – Apple Watch 3
  • t8010 – iPad 6th/7th-generation, iPhone 7, iPhone 7 Plus, iPod Touch 7th-generation
  • t8011 – iPad Pro (10.5-inch), iPad Pro (12.9-inch) 2nd-generation, Apple TV 4k
  • t8015 – iPhone 8/8 Plus, iPhone X

Developers plan to release future versions with support for the following devices – 

  • s5l8940x/s5l8942x – iPad 2nd Gen, iPhone 4S, iPod Touch 5th Gen, iPad Mini 
  • s5l8945x – iPad 3rd-generation
  • t7000 – iPad Mini 4, iPhone 6/6 Plus, iPod Touch 6th-generation, Apple TV 4
  • t7001 – iPad Air 2
  • s7002 – Apple Watch 1st-generation
  • s8000 – iPad 5th-generation, iPhone 6S/6S Plus, iPhone SE
  • s8001 – iPad Pro (12.9-inch), iPad Pro (9.7-inch)
  • s8003 – iPhone 6S/6S Plus, iPhone SE
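For anyone who needs to inventory which devices in their fleet fall under the lists above, here is an added example (not code from the FAQ, ipwndfu, or axi0mX) that reads a device's DFU-mode USB serial string and maps its chip ID to the FAQ's compatibility lists. It assumes the serial-string layout ipwndfu reads (space-separated `KEY:VALUE` tokens such as `CPID:8010` and a bracketed `SRTG:[iBoot-...]`, with `PWND:[checkm8]` appended once pwned DFU is active); the sample strings are constructed, not captured from real devices.

```python
import re
# Chip IDs the FAQ lists as currently supported (chip family -> CPID hex values).
CHECKM8_SUPPORTED = {
    "s5l8947x": {"8947"}, "s5l8950x": {"8950"}, "s5l8955x": {"8955"},
    "s5l8960x": {"8960"}, "t8002": {"8002"}, "t8004": {"8004"},
    "t8010": {"8010"}, "t8011": {"8011"}, "t8015": {"8015"},
}
# Chip IDs the FAQ says are planned for a future release.
CHECKM8_PLANNED = {
    "s5l8940x/s5l8942x": {"8940", "8942"}, "s5l8945x": {"8945"},
    "t7000": {"7000"}, "t7001": {"7001"}, "s7002": {"7002"},
    "s8000": {"8000"}, "s8001": {"8001"}, "s8003": {"8003"},
}

# Assumed DFU serial-string layout: KEY:VALUE tokens, where a VALUE may be
# bracketed (SRTG:[iBoot-...]); ipwndfu appends PWND:[checkm8] after exploitation.
_TOKEN = re.compile(r"([A-Z]+):(\[[^\]]*\]|\S+)")

def parse_dfu_serial(serial):
    """Return the KEY:VALUE tokens of a DFU serial string as a dict (brackets stripped)."""
    return {k: v.strip("[]") for k, v in _TOKEN.findall(serial)}

def classify(serial):
    """Map a DFU serial string to the FAQ's compatibility lists."""
    fields = parse_dfu_serial(serial)
    cpid = fields.get("CPID", "").lower()
    result = {"cpid": cpid, "family": None, "status": "not_listed",
              "pwned_dfu": "PWND" in fields}  # PWND tag means the BootROM is already exploited
    for status, table in (("supported", CHECKM8_SUPPORTED),
                          ("planned", CHECKM8_PLANNED)):
        for family, ids in table.items():
            if cpid in ids:
                result.update(family=family, status=status)
                return result
    return result

def audit(serials):
    """Count devices per status, e.g. for a fleet inventory."""
    counts = {"supported": 0, "planned": 0, "not_listed": 0}
    for s in serials:
        counts[classify(s)["status"]] += 1
    return counts

# Constructed sample serials (not captured from real devices): supported, pwned DFU, not listed.
SAMPLE_SERIALS = [
    "CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:00000000DEADBEEF IBFL:3C SRTG:[iBoot-2696.0.0.1.33]",
    "CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:00000000CAFEF00D IBFL:3C SRTG:[iBoot-3332.0.0.1.23] PWND:[checkm8]",
    "CPID:8020 CPRV:11 CPFM:03 SCEP:01 BDID:0A ECID:000000000BADF00D IBFL:3C SRTG:[iBoot-3865.0.0.4.7]",
]
```

A `not_listed` result only means the chip is absent from the FAQ's two lists, not that the device is known to be safe.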

Q. Can this exploit lead to an untethered jailbreak?  

Unfortunately, any user-facing jailbreak tool based on this exploit will never be untethered.

Nevertheless, we could hardcode a script into a Raspberry Pi Zero that can automatically load checkm8 or use a special battery case that can keep the device in jailbreak mode at all times.     


Installer developer Sammy Guichelaar is in talks with a Chinese manufacturer for the production of an “untether” case.

Designed specifically for jailbreak users, the “untether” case will recharge the battery while also turning the semi-untethered jailbreak into a quasi-untethered one.

Incidentally, another enthusiast is also working on something similar called “JBCase”. JBCase is a battery case that comes with a lightning dongle that will keep your jailbreak seemingly untethered.       


Once the feasibility study is conducted and the research and development phase is complete, the team behind JBCase will launch a Kickstarter crowdfunding project.     

Q. Does it affect SEP (Secure Enclave Processor)?

No, this exploit does not affect the SEP (Secure Enclave Processor) at all. SEP features such as Touch ID and Face ID will stop working should you update to an incompatible firmware.

This limitation renders most downgrade and upgrade procedures largely useless.

Q. Can I upgrade or downgrade to any firmware without SHSH Blobs?

Yes, you can if you have a checkm8-based restore tool, but features reliant on the SEP will stop working as soon as you upgrade or downgrade your Apple device.

To ensure that Touch ID or Face ID remains functional, you must upgrade to a version that supports the latest SEP and baseband, which makes this exploit all but useless.


However, if you restore to the wrong operating system or end up in a bootloop, you could restore to another version.

For instance, if you restore to, say, iOS 11.1.2 and the restore fails somehow, you will be forced to go to the latest signed version.

With checkm8, you can just put your device into DFU mode, run the restore again and upgrade your device to iOS 12.4, which is compatible with iOS 12.4.1’s SEP and baseband.                    

Q. Can Apple fix this exploit?

No, checkm8 is a hardware-based bug that can’t be fixed without updating the hardware. Apple will need to release a new device with patched hardware altogether to fix this bug.

You can expect a new version of the iPhone 8/8 Plus and the iPhone X sometime soon since these are the latest devices that are vulnerable to the aforementioned exploit.

If you are interested in jailbreaking or just want to tinker around with the BootROM, now is the time to buy a new iPhone X (or any other vulnerable device). 
