checkm8 BootROM exploit affects millions of Apple devices
iOS hacker axi0mX recently made public a new unpatchable exploit called “checkm8”. This BootROM exploit threatens millions of iPhone and iPad devices.
CHECKM8 BOOTROM EXPLOIT THREATENS IPHONE X AND OLDER DEVICES
axi0mX's latest exploit, checkm8, affects hundreds of millions of Apple devices. It is arguably the biggest thing to happen in the iOS security research and jailbreaking scene in years.
Until now, the last major Apple device with a public BootROM exploit was the iPhone 4 (A4 chip). For the uninitiated, BootROM exploits are the holy grail of iOS exploits: they target code that is burned into the device's silicon at manufacture rather than software that Apple can update.
According to axi0mX, security researchers and hackers can use this exploit to:
- Decrypt keybags using the AES engine
- Demote the device to enable JTAG (requires additional hardware and software)
- Dump the SecureROM (the BootROM image itself)
Every iPhone and iPad built on an A5 through A11 chip is vulnerable to checkm8: from the iPhone 4S up to and including the iPhone 8, 8 Plus and X.
BootROM exploits have been found before, SHAtter and limera1n for instance, but none of them covered such a wide range of models. Among the affected models:
- iPod touch (5th generation)
- iPad (4th generation)
- iPad mini 2
- iPad mini 3
- iPhone 6 Plus
- iPad mini 4
- iPod touch (6th generation)
- iPad Air 2
- iPhone 6S Plus
- iPad (2017) 5th generation
- iPad Pro (12.9-inch) 1st generation
- iPad Pro (9.7-inch)
- iPhone 7 Plus
- iPad (2018) 6th generation
- iPod touch (2019) 7th generation
- iPad (2019) 7th generation
- iPad Pro 10.5-inch (2017)
- iPad Pro 12.9-inch (2017) 2nd generation
- iPhone 8 Plus
WHAT IS BOOTROM AND HOW BOOTROM EXPLOITS WORK
Simply put, the BootROM (Apple calls it SecureROM) is the first code that runs when an Apple device powers on. It lives in read-only memory inside the SoC, is written at the factory, and acts as the hardware root of trust: it verifies the signature of the next boot stage before handing control to it.
Because that code is burned into the silicon, Apple cannot fix a BootROM bug by shipping a new iOS firmware update the way it usually does.
A hardware-level flaw like this can only be closed by releasing new chips and models, or by physically replacing the hardware in existing devices, which is unrealistic at this scale.
So once a jailbreak is built on checkm8, affected devices can be jailbroken for life, on every iOS version they run now or in the future.
While a BootROM exploit can in principle lead to an untethered jailbreak, checkm8 by itself cannot be used to build an untether.
It is a non-persistent, tethered exploit: it is delivered over USB while the device sits in DFU mode, runs entirely in memory and leaves nothing behind in the device's storage. Every reboot brings the device back up through the normal, signed boot chain, so you will need to connect the iPhone or iPad to a computer and run the exploit again to return to the jailbroken state.
An untethered jailbreak needs a persistent foothold: an exploit whose effect survives a reboot without help from a computer, so that the device comes back up jailbroken on its own.
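Because checkm8 is run over USB against a device in DFU mode, and because only the A5 through A11 chips named above are affected, a practitioner handling a batch of devices (for a jailbreak, or when deciding whether a seized or fleet device could have been pwned this way) usually first wants to know which chip a DFU-mode device reports and whether it has already been exploited. The script below is an added example written for this article, not code from axi0mX or from any checkm8 tool: it parses the USB serial-number string that the BootROM advertises in DFU mode (the `CPID:... BDID:... ECID:... SRTG:[...]` format) and looks for the `PWND:[checkm8]` marker that ipwndfu appends to that string after a successful run. The sample strings, ECIDs and iBoot tags are constructed, and the chip-ID table covers only the A-series chips the article names, plus A4 and A12 on either side for contrast.

```python
"""Classify an Apple device from its DFU-mode USB serial string.

Added example, not part of the original article or of any checkm8 tool.
When an A-series device is in DFU mode, the USB serial-number string
reported by the BootROM looks like this (constructed sample; the ECID
and iBoot tag are illustrative, not taken from a real device):

    CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:08 ECID:000123456789ABCD IBFL:3C SRTG:[iBoot-2696.0.0.1.33]

After a successful checkm8 run, ipwndfu appends " PWND:[checkm8]".
"""
import re

# Chip IDs (CPID) as reported by the BootROM. A5 through A11 is the range
# the article lists as affected; A4 and A12 bracket it on either side.
CPID_NAMES = {
    0x8930: "A4",
    0x8940: "A5",
    0x8945: "A5X",
    0x8950: "A6",
    0x8955: "A6X",
    0x8960: "A7",
    0x7000: "A8",
    0x7001: "A8X",
    0x8000: "A9 (Samsung)",
    0x8003: "A9 (TSMC)",
    0x8001: "A9X",
    0x8010: "A10",
    0x8011: "A10X",
    0x8015: "A11",
    0x8020: "A12",
}

# Only the A-series chips the article names; S-series and T2 are left out.
CHECKM8_CPIDS = {
    0x8940, 0x8945, 0x8950, 0x8955, 0x8960, 0x7000, 0x7001,
    0x8000, 0x8003, 0x8001, 0x8010, 0x8011, 0x8015,
}

# KEY:value pairs separated by spaces; SRTG and PWND carry bracketed values.
_FIELD = re.compile(r"([A-Z]+):(\[[^\]]*\]|\S+)")


def parse_dfu_serial(serial):
    """Split 'KEY:value KEY:[bracketed value] ...' into a dict of strings."""
    fields = dict(_FIELD.findall(serial))
    if "CPID" not in fields:
        raise ValueError("not a DFU serial string: no CPID field")
    return fields


def classify(serial):
    """Return chip name, board id, ECID, BootROM tag and checkm8 status."""
    p = parse_dfu_serial(serial)
    cpid = int(p["CPID"], 16)
    return {
        "cpid": cpid,
        "chip": CPID_NAMES.get(cpid, "unknown"),
        "board_id": int(p["BDID"], 16) if "BDID" in p else None,
        "ecid": p.get("ECID"),
        "bootrom": p.get("SRTG", "").strip("[]") or None,
        "checkm8_affected": cpid in CHECKM8_CPIDS,
        # ipwndfu leaves "PWND:[checkm8]" in the serial once the exploit ran.
        "already_pwned": "checkm8" in p.get("PWND", ""),
    }


# Constructed samples: an A10 device before and after pwning, and an A12.
SAMPLE_A10 = ("CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:08 "
              "ECID:000123456789ABCD IBFL:3C SRTG:[iBoot-2696.0.0.1.33]")
SAMPLE_A10_PWNED = SAMPLE_A10 + " PWND:[checkm8]"
SAMPLE_A12 = ("CPID:8020 CPRV:11 CPFM:03 SCEP:01 BDID:0C "
              "ECID:00AABBCCDDEEFF00 IBFL:3C SRTG:[iBoot-3865.0.0.4.7]")

if __name__ == "__main__":
    for s in (SAMPLE_A10, SAMPLE_A10_PWNED, SAMPLE_A12):
        r = classify(s)
        print(f"{r['chip']:<12} bootrom={r['bootrom']} "
              f"affected={r['checkm8_affected']} pwned={r['already_pwned']}")
```

On a real machine the string comes from the USB device descriptor of the DFU device (vendor 0x05ac, product 0x1227); the parsing is deliberately kept separate from any USB access so it can be tested on captured strings, and an unknown CPID is reported as "unknown" rather than guessed at.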
Nevertheless, it is remarkable that axi0mX decided to release the exploit publicly, considering how valuable it is.
Security companies and bug bounty programs generally offer bounties of over $1 million for hardware-level exploits such as checkm8.
As of now, no developer has announced a checkm8-based project for the iPhone X and older models, but in time you can expect a whole lot of jailbreak tooling to follow.