
Checkm8 – Bootrom exploit for many iOS devices - theshrike79
https://github.com/axi0mX/ipwndfu
======
segfaultbuserr
I still remember geohot's miracle of his limera1n exploit, which was an
unpatchable iBoot exploit on iPhone 4. And now we have its successor -
axi0mX's checkm8, still an iBoot exploit, still unpatchable. It seems
another golden age for iOS jailbreaking has come!

Also, just like limera1n, it requires total physical control over the device
to run the exploit. A complete, untethered jailbreak still requires additional
kernel/userspace exploits, so I don't see it as a major security problem, but
it does make the job of an evil maid a bit easier.

Just for nostalgia, here's the original release text of limera1n.

> limera1n, 6 months in the making

> iPhone 3GS, iPod Touch (3rd generation), iPad, iPhone 4, iPod Touch (4th
> generation)

> 4.0-4.1 and beyond+++

> limera1n is unpatchable

> untethered thanks to jailbreakme star comex

> brought to you by geohot

> hacktivates

> Mac coming in 7 years

> donations keep support alive

> zero pictures of my face

~~~
jorvi
First of all, congrats to Axi0mX! It must have been quite the exploiting
effort.

> It seems another golden age for iOS jailbreaking has come!

There is much, much less reason to jailbreak these days than in the iPhone 1 -
5 days. Unlocked iPhones are easy to get. Apple has copied a tremendous amount
of features, and with iOS 13 having both dark mode and a fixed volume HUD even
more reasons (Noctis / Eclipse and SmartVolumeControl2) are gone. And those,
along with CallBarXS (call bar instead of fullscreen calls) and Jellyfish
(weather on your lockscreen) are by far the most popular tweaks. I suspect at
least the fullscreen calling will be redone in iOS 14.

Theming and game emulators will probably never come to the App Store, but
those are even more niche. Terminal emulators and Python environments are
already in the store. That leaves.. SSHing into your phone I guess, which is
mostly a gimmick.

That's not to say the wild wild west wasn't fun back then. I remember both the
Yellowsn0w and Redsn0w periods of jailbreaking vividly. Icy (a Cydia
alternative) dying, being revived, and dying again. Down the nostalgia rabbit
hole we go..

~~~
breakmeout
I’m considering jail breaking to be able to force my phone to stay on 4G.

It’s a stupid omission by Apple to not have a “4G only” toggle. 3G
connectivity really sucks and it’s annoying to randomly be downgraded when you
have perfectly fine 4G coverage.

~~~
steveharman
What do you propose a "stay on 4G" option would do when the device loses 4G
coverage?

Drop signal altogether?

iirc falling back to 3G from 4, or 2G from 3 is to cover temporary coverage
blackspots and allow data / voice communication to continue. Albeit less
optimally.

~~~
apostacy
I have had similar problems. The algorithm they use is not perfect.

My Nexus One used to fall back to 2G whenever my 3G got below like two bars,
it was so annoying. And also there would be a temporary outage while it
switched. I eventually learned how to hard disable 2G, and service improved
greatly, because even one bar of 3G was better than 2G.

------
rahkiin
Everybody seems so happy about this, here on HN and on Twitter. But wouldn't
this allow any law enforcement or bad actor to circumvent any device
protections? Get the phone, do whatever you want with it without anything
blocking you.

Am I missing something or are all these device secure enclaves and fingerprint
protection or key protection now moot?

~~~
rescbr
As far as I understand it, user data is still encrypted and the key is
protected by the Secure Enclave, which is not affected.

This exploit allows flashing unsigned firmware, so by stealing the phone the
attackers won’t be able to decrypt your data, but an evil maid attack is now
(or will be) feasible.

Also, stolen iPhones are now more valuable, as you will be able to bypass
iCloud Lock.

~~~
ehsankia
So if I understand, just losing your phone is safe, but if you find it again
after losing it, you basically shouldn't keep using the phone before
completely reflashing the device?

~~~
Wowfunhappy
Any modifications won’t survive a reboot (this is a “tethered” exploit), so if
you’re concerned just turn the phone off and on again.

Honestly, I find the malicious attack scenarios for this pretty far fetched.

~~~
topranks
Well it won’t come back on in that case (the modified firmware will fail
signature check). But as you say you are still safe, just don’t unlock the
device before reboot.

~~~
Wowfunhappy
I think that depends on how it's set up, right? I remember on my old iPod
Touch with a tethered bootrom exploit, you could reboot without a computer but
it would start up in non-Jailbreak mode. If you wanted to boot Jailbroken,
you had to find a computer. (This was the origin of the term "semi-tethered
Jailbreak").

------
theshrike79
More information on Twitter:
[https://twitter.com/axi0mX/status/1177542201670168576](https://twitter.com/axi0mX/status/1177542201670168576)

~~~
Nextgrid
Unrelated but is it just me or does anyone else think the quality of the
replies matches a typical YouTube comment section?

~~~
xeroaura
A large part of the jailbreak user community is pretty young agewise. Lots of
drama/immaturity/people quitting out of the scene due to toxicity. Some of the
people crafting these released exploits into a functioning jailbreak are in
college or below!

There's a pretty big piracy problem as well (not just cracked iOS apps, but
also cracked paid tweaks released by devs for jailbreak devices) probably due
to the younger ages without access to $.

------
nudgeee
Interesting to see T8012 listed under future support, which is the T2
processor used on 2018+ MacBooks, iMac Pros and Mac Minis.

T8002 is also listed under current support which is the T1 processor used in
2016 & 2017 MacBook Pros with Touch Bar.

~~~
rickmark
[https://github.com/axi0mX/ipwndfu/issues/141](https://github.com/axi0mX/ipwndfu/issues/141)

I've been poking at this already, and I'd venture a guess that the T2 will be
breakable. The reason I think the XS and later are hard is pointer
authentication codes, but that's more conjecture as I don't have a SecureROM
dump from an XS. Plan to examine other parts of the boot-loader like iLLB,
assuming they are not encrypted, for the ARM branch with authentication
instructions...

------
rvz
I haven't seen news like this in years since Geohot (founder of comma.ai)
found the limera1n BootROM exploit for iPhone 4 and below. With this recent
addition, we can have more freedom and control of our iPhones/iPads. This is
indeed a glorious time and a good time to be in the Jailbreak community.

This affects devices ranging from the iPhone 4S to the iPhone X. That is a
large scope of vulnerable devices.

This is equivalent to the Nintendo Switch BootROM exploit and allows all sorts
of OSes such as Linux, Android to be installed on the iDevice.

------
jplayer01
I'm confused. The github only refers to the iPhone 3GS. Further, might this be
a vector for anybody with physical access to gain access to your encrypted
data?

~~~
theshrike79
Github has the code for checkm8:
[https://github.com/axi0mX/ipwndfu/blob/master/checkm8.py](https://github.com/axi0mX/ipwndfu/blob/master/checkm8.py)

The readme hasn't been updated to reflect the exploit yet.

------
alibert
Do I understand this correctly: does this mean that every iOS device from
iPhone 4 to iPhone 8 + iPhone X could be unlocked for data access if you had
physical access to it?

Also, one of the replies to the Twitter link posted somewhere in the
comments here [0] has the following:

`During iOS 12 betas in summer 2018, Apple patched a critical use-after-free
vulnerability in iBoot USB code. This vulnerability can only be triggered over
USB and requires physical access. It cannot be exploited remotely. I am sure
many researchers have seen that patch.`

This could explain the recent price reduction of bounty for iOS (lower than
Android) [1]

[0]
[https://news.ycombinator.com/item?id=21091247](https://news.ycombinator.com/item?id=21091247)
[1] [https://www.zdnet.com/article/android-exploits-are-now-worth...](https://www.zdnet.com/article/android-exploits-are-now-worth-more-than-ios-exploits-for-the-first-time/)

~~~
topranks
The data on the device is encrypted. This allows you to install a different OS
on the device, but it won’t be able to decrypt the user's data without the pin
code.

You could potentially flash a new firmware which contains a keylogger and
sends the pin to someone. Or that waits for the user to enter it (decrypting
the disk) and then siphons off the data.

But on your own with a stolen phone and this you won’t be able to read the
data.

------
amluto
Better link:
[https://github.com/axi0mX/ipwndfu/commit/2d0abd321dfc947899f...](https://github.com/axi0mX/ipwndfu/commit/2d0abd321dfc947899f6b79cf2d189be9a622ab0)

~~~
nabakin
Was about to post this. I think it should be the title link.

------
basch
I very much hope this gives me something I can ram boot and ssh into the
filesystem of a non booting phone.

Should also allow near universal downgrading.

~~~
G4E
Afaik your second statement is sadly impossible. The system needs a blob
"shsh" signed with a 1024-bit RSA key by Apple's server to install an
upgrade or a downgrade. If this key is in the bootrom, you can't override it?

~~~
basch
But the iOS you install doesn't even need to be signed anymore. I'm not an
expert on this, but I would suspect you can delete the entire authorization
step, wholesale.

~~~
kirb
This is true, so long as you accept that you need to use a PC to re-run the
bootrom exploit every time you boot up the phone. The signature checks remain
intact and the system will refuse to boot (goes to recovery mode with a
“restore with iTunes” graphic) without the exploit patching out the checks.

~~~
basch
It just needs something to boot it, not necessarily a computer. I could see a
market for something that looks like this.
[https://www.amazon.com/dp/B07GWLF4GR](https://www.amazon.com/dp/B07GWLF4GR)
that fits in nearly flush.

------
fredsted
> Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5
> chip) to iPhone 8 and iPhone X (A11 chip).

Sounds like the iPhones Xs and 11 aren't vulnerable.

~~~
devy
Not yet, for A12 Chip and above.

~~~
topranks
Not ever (as in this bootrom exploit is not present in that hardware.)

------
zozbot234
Would this allow for booting alternative OS's, e.g. on unsupported/EOL
devices?

~~~
jeron
Define alternative - this exploit means you could dual boot OSs, custom IPSWs,
and downgrade at will

Edit: also yes theoretically you can upgrade to any iOS version at will as
well

------
alexlouis99
I have a question... I have an iPhone 7 Plus that I've been holding onto for
awhile now that has an iCloud Lock (I bought it used and didn't set up the
phone while I was there.. I know, stupid mistake). So will this exploit
PERMANENTLY bypass the iCloud Lock once I install a new firmware etc.? Or every
time the phone shuts off / restarts I have to run the code once it gets
developed in order to do this? That would really suck if that's the case.

------
NightMKoder
I would be interested to know what the impact on Secure Enclave will be from
this exploit. From quick googling it sounds like bootrom isn’t involved in
booting SEP. One large change from the exploit though is unlocking isn’t
required to jailbreak.

Aside from that though - are there any extra abilities gained that weren’t
already accessible as root (i.e. jailbreak) in iOS?

~~~
monocasa
Replacing the kernel is the big one. On current hardware, once the kernel is
loaded, the DRAM controller has its own memory protection unit separate from
the CPUs' MMUs that's set once and then can't be modified until the next
reboot. This is used to enforce that the code segment of the kernel can't be
written to even if you have access to physical memory or the page tables.

It might make the secure enclave easier to hack, just by having a nicer,
democratized access to application kernel space. But AFAIK none of this
directly affects the secure enclave as it has its own bootrom that's way
smaller and mainly just cryptographically verifies and executes a blob loaded
by the main kernel.

------
londons_explore
Parsing complex untrusted data (USB packets) without a sandbox at the highest
privilege level... What were they thinking?

~~~
uxp100
I don’t think they can avoid a usb device stack in bootrom. I haven’t read
about this much yet, but without bootrom USB device mode support, the BL can’t
be flashed on a bricked device. So, devices that are functional still, but
somehow corrupted couldn’t be fixed in an Apple Store (or at home?). They’d
likely be trash.

I’m sure they have multiple redundant BLs, so I don’t know how often this
actually happens.

That USB code was surely the riskiest thing in the bootrom by far though. They
will be re-evaluating if it is necessary in new chips.

They also probably provision the devices with USB in the factory. But if
that’s all the usb was for, I would suspect it would be disabled as the last
step.

~~~
dev_dull
Couldn’t they use some other wire format that simply uses the same port?

~~~
kirb
Apple actually used to do this on MacBooks - one of the USB ports has mux
circuitry that can be switched to an SMC programming mode that merely uses USB
as the physical connection for their SMC programmer tool, bypassing the USB
host controller and not using the USB protocol. It was removed in the 2016
onwards MacBooks as the T1/T2 supersedes the SMC, so it follows the same
design patterns as iPhone hardware.

------
DenisM
It seems like everyone who owns affected phones has to carry a "usb condom"
from now on.

[https://duckduckgo.com/?q=usb+condom&t=h_&ia=web](https://duckduckgo.com/?q=usb+condom&t=h_&ia=web)

~~~
djrogers
No, not the case. The device must be put into DFU mode before the exploit is
attempted - it doesn't work on the phone in any other state.

~~~
Wowfunhappy
In addition, I don't know that you could actually extract any data through
this exploit, due to SEP holding the keys.

~~~
DenisM
The idea is to plant a trojan and wait for the user to unlock the secure
enclave later.

------
cromka
Why is it unpatchable? Even with physical access, via iTunes or something?

~~~
arayh
It exploits the bootrom, which is by definition unpatchable.

~~~
uxp100
I suspect Apple has ways from the factory to fix this. Secure Fuses that can
disable code paths, or inject code. But unpatchable in the field.

~~~
saagarjha
In the factory, Apple can just create new hardware without this flaw.

~~~
uxp100
That would be in the fab, not the factory, might mean tossing out inventory,
and will take longer. I'm guessing they will do both.

------
hansdieter1337
oh no, they found the NSA backdoor :(

------
gao8a
Would something this calibre qualify for the $1M bug bounty?

~~~
topranks
It was already found by Apple and fixed in iPhone XS & 11, so not sure if it
would qualify.

------
exabrial
"Physical access owns"

You can make it inconvenient (for both users and attackers) but there is
simply no escaping eventually someone with physical access will get in.

~~~
als0
It’s largely down to security economics. Boot ROMs can eventually be bypassed
although difficult. But the real goal is actually to make it difficult enough
such that you require physical access, specialised equipment and knowledge in
order to pull it off - essentially making sure attacks are difficult to scale.

------
iaml
With the current state of iOS 13 and now this, I'm guessing Apple can kiss
their 88% adoption rate[0] goodbye.

[0]
[https://www.macrumors.com/2019/08/08/ios-12-adoption-88-perc...](https://www.macrumors.com/2019/08/08/ios-12-adoption-88-percent/)

~~~
ceejayoz
Why would I avoid an OS update over a bootrom exploit?

~~~
iaml
I'm guessing people will downgrade to more stable version of OS. Also
downgrade for 32 bit apps.

~~~
uxp100
I doubt enough to make an adoption rate dent. But, I do have some 32 bit apps
I wouldn't mind playing around with for a bit. Some synths and a game or two.

