What the checkm8 BootROM exploit can do [FAQ] 2019
Ever since axi0mX dropped the unpatchable checkm8 BootROM exploit, the chatter hasn’t subsided. Each one of us yearns for a permanent jailbreak, but this exploit is capable of a lot more than that. Read the complete FAQ below and see for yourself what you can and can’t do with this exploit.
Q. WHAT CAN THE CHECKM8 BOOTROM EXPLOIT DO?
- Jailbreak the latest signed firmware version as long as you have a vulnerable device.
- Tethered downgrades to any compatible version without SHSH blobs. In doing so, however, you will run into issues with the SEP (Secure Enclave Processor): any feature that depends on the SEP will simply not work.
- Flash a Custom Firmware (CFW) for jailbreaking and activating your Apple device, adding a custom boot logo, or enabling verbose boot.
- Dump SecureROM for security research.
- Dual-boot two different operating system versions on the same device.
- Load an SSH ramdisk.
- Port and boot experimental builds of Android, and possibly even Linux.
- Bypass KPP/KTRR, AMFI, CoreTrust, and other security features.
- Patch all security features present in any operating system update.
Q. IS CHECKM8 TETHERED OR UNTETHERED?
Unlike older BootROM exploits such as limera1n and SHAtter, checkm8 is tethered, not untethered.
This means that every jailbreak or downgrade tool built on checkm8 will be tethered or semi-tethered: each time you want to boot into the jailbroken state, you must put the device into DFU mode and run ipwndfu from a computer.
If you simply reboot, the device boots into its non-jailbroken (stock) state just fine, as rootlessJB developer Jake James confirmed in a recent tweet.
So even if your iPhone or iPad dies and you have no computer or laptop at hand, you will still be able to use the stock operating system without any difficulty.
Q. CAN THIS EXPLOIT LEAD TO AN UNTETHERED JAILBREAK?
Unfortunately, any user-facing jailbreak tool based on this exploit will never be untethered.
Nevertheless, one could program a Raspberry Pi Zero to run checkm8 automatically, or use a special battery case that keeps the device in jailbreak mode at all times.
Installer developer Sammy Guichelaar is in talks with a Chinese manufacturer about producing an “untether” case.
Designed specifically for jailbreak users, the “untether” case will recharge the battery while also turning the semi-untethered jailbreak into a quasi-untethered one.
Incidentally, another enthusiast is working on something similar called “JBCase”. JBCase is a battery case that comes with a Lightning dongle, which keeps your jailbreak seemingly untethered.
Once the feasibility study is conducted and the research and development phase is complete, the team behind JBCase will launch a Kickstarter crowdfunding project.
Q. DOES IT AFFECT SEP (SECURE ENCLAVE PROCESSOR)?
No, this exploit does not affect the SEP (Secure Enclave Processor) at all. SEP features such as Touch ID and Face ID will stop working should you update to an incompatible firmware.
This limitation renders most downgrade and upgrade procedures largely useless.
Q. CAN I UPGRADE OR DOWNGRADE TO ANY FIRMWARE WITHOUT SHSH BLOBS?
Yes, provided you have a checkm8-based restore tool, but features that rely on the SEP will stop working as soon as you upgrade or downgrade your Apple device.
To keep Touch ID or Face ID working, you must restore to a version that supports the latest SEP and baseband, which makes the exploit all but useless for that purpose.
Where it does help is recovery: if you restore to the wrong version or end up in a bootloop, you can restore to another version instead.
For instance, if you restore to, say, iOS 11.1.2 and the restore fails for some reason, you would normally be forced onto the latest signed version.
With checkm8, you can instead put the device into DFU mode, run the restore again and go to iOS 12.4, whose SEP and baseband are compatible with those of iOS 12.4.1.
Q. CAN APPLE FIX THIS EXPLOIT?
No. checkm8 is a bug in the BootROM, which is burned into the silicon and cannot be changed by a software update, so Apple can only fix it by shipping new devices with corrected hardware.
You can expect revised versions of the iPhone 8/8 Plus and the iPhone X sometime soon, since these are the newest devices vulnerable to the exploit.
If you are interested in jailbreaking or just want to tinker around with the BootROM, now is the time to buy a new iPhone X (or any other vulnerable device).