iOS Devices: axi0mX releases checkm8, an unpatchable bootrom exploit allowing for jailbreaks on every FW, downgrades, dualbooting and more! – Exploit works on A5-A11 devices including the iPhone X
One of the selling points of iOS devices is their security and the swiftness with which Apple usually releases security patches. This makes them difficult to jailbreak and take control of but now, axi0mX has just released checkm8 which has completely turned the tables!
What is checkm8? Why is it so huge?
Checkm8, by axi0mX, is a bootrom exploit for most modern iOS devices that was released earlier today, a little over 9 years since limera1n's release, which was a bootrom exploit that worked on the iPhone 3GS/4 and other A4 devices. This exploit, which can be accessed from DFU mode, was patched by Apple in summer 2018 during the iOS 12 beta phase and makes use of a UaF (use-after-free) vulnerability found in iBoot's USB code.
Bootrom exploits are immensely powerful since they can't be patched: the vulnerability they leverage is found in the device's ROM (read-only memory) and can't be fixed with a software update. Furthermore, these exploits run at a very low level, meaning that they open the doors to a huge number of things, including:
- Tethered jailbreaks for every version of iOS running on a compatible device (see the device list below)
  - This means that the exploit must be run from a computer every time a reboot happens. Untethered jailbreaks require chaining another exploit that has to be found within iOS itself and can be patched with a software update
  - A dongle might eventually come by, or semi-untethered jailbreaks may pop up to alleviate this limitation
- Downgrading to any other iOS version, provided you have saved SHSH blobs and a compatible SEP is currently being signed
  - It is unclear whether downgrading without blobs will be possible or how much of a problem the SEP will be
- Dual booting will also be possible, and work on kloader64 will probably progress much further now (it currently has partial support for iOS 7.0-8.4.1, as those versions don't have KPP)
- Custom firmwares, although a signed SEP and blobs might still be required to install them and use them without booting them from a computer
- Making it easier for security researchers to find bugs and for jailbreak developers to develop jailbreaks for new versions of iOS, as boot-looping will no longer be a worry
- Many other things, such as potential iCloud lock bypasses (activation might still be an issue) and the ability to boot OSes other than iOS, like Android
Which devices does checkm8 work on?
Checkm8 works on Apple A5 to A11 (included) devices which include:
- Every iPhone from the iPhone 4S to the iPhone 8 (Plus)/iPhone X
- The iPod Touch 5, 6 and 7
- Every iPad from the iPad 2 to the iPad 7th generation (no word has been given on whether the exploit is compatible with the iPad 7th generation, released in 2019, but it's doubtful that Apple has released a bootROM update for A10 devices: the iPod Touch 7 was released earlier this year, after the bug was found and patched, and is still vulnerable to it)
- Every iPad Pro excluding the 2018 models
- Every iPad Air excluding the iPad Air 3 (2019)
- All iPad Mini devices excluding the iPad Mini 5 (2019)
Due to the wide range of devices supported, the implications of this exploit are huge, and the iOS jailbreaking community will keep on benefiting from them for years to come, as A10(X)/A11 devices will probably be supported for many more years!
On a concluding note, it's important to state that checkm8 is simply a bootROM exploit and that no jailbreaks/CFWs have been created with it just yet. However, it's likely that iOS 12.4.1/2 will get jailbroken in the near future, and an iOS 13 jailbreak may not be too far off.
If you have an iPhone XS/XR/11 (Pro), it may be a good idea to sell them off and get yourself an iPhone X or 8 Plus if you want a jailbroken phone for the next few years 😉