Also, just like limera1n, it requires total physical control over the device to run the exploit. A complete, untethered jailbreak still requires additional kernel/userspace exploits, so I don't see it as a major security problem, but it does make the job of an evil maid a bit easier.
Just for nostalgia, here's the original release text of limera1n.
> limera1n, 6 months in the making
> iPhone 3GS, iPod Touch (3rd generation), iPad, iPhone 4, iPod Touch (4th generation)
> 4.0-4.1 and beyond+++
> limera1n is unpatchable
> untethered thanks to jailbreakme star comex
> brought to you by geohot
> Mac coming in 7 years
> donations keep support alive
> zero pictures of my face
It seems another golden age for iOS jailbreaking has come!
There is much, much less reason to jailbreak these days than in the iPhone 1 - 5 days. Unlocked iPhones are easy to get. Apple has copied a tremendous number of features, and with iOS 13 having both dark mode and a fixed volume HUD, even more reasons (Noctis / Eclipse and SmartVolumeControl2) are gone. And those, along with CallBarXS (call bar instead of fullscreen calls) and Jellyfish (weather on your lockscreen), are by far the most popular tweaks. I suspect at least the fullscreen calling will be redone in iOS 14.
Theming and game emulators will probably never come to the App Store, but those are even more niche. Terminal emulators and Python environments are already in the store. That leaves... SSHing into your phone, I guess, which is mostly a gimmick.
That's not to say the wild wild west wasn't fun back then. I remember both the Yellowsn0w and Redsn0w periods of jailbreaking vividly. Icy (a Cydia alternative) dying, being revived, and dying again. Down the nostalgia rabbit hole we go...
• Put an extra column of icons per page on my homescreen.
• Rename apps on the homescreen, and change their icons.
• Enable the iPad's "grid" app switcher on my phone.
• Remove the stupid app bar in Messages.
• Hide various UI elements around the OS and in apps, to make everything cleaner. (Cool note: you can use PermaFlex to hide nearly any arbitrary element.)
• Downgrade apps that release updates I dislike.
• Stop Apple News from creating "personalized" recommendations that would keep me in a filter bubble.
• Play audio from YouTube videos (in Safari) while the screen is locked.
• Install a Userscript that gets rid of AMP in Google search results.
I realize a lot of these things are nitpicks, some maybe even personal eccentricities, but taken together they just make my phone a lot more pleasant to use. I would not buy an iPhone I could not jailbreak, full stop.
You have a good long list of reasons, but this one is fixable by installing the YouTube app and paying for Premium.
Besides, I don't want to install a separate app. It's a website, and I should be able to use my web browser.
Edit: Also, this patch doesn't just work on YouTube, it's for any video in Safari.
To be fair, Premium includes lots of things, including unlimited music streaming à la Spotify, ad-free YouTube, etc.
You’re not paying only for the background playback. Literally no one would be willing to pay for that. It’s just a minor perk, that’s all.
A perk you said you’d be willing to risk JBing your (expensive) phone over. Most people would probably be more willing to just pay the fee for what is a fairly decent music streaming service.
Point is, this was there by default, and they intentionally sabotaged it to force you to use their paid service. This is shitty malware-like behavior and I do not want to encourage them. I would not give them a single cent and I happily spent time to defeat it, because fuck them.
I don’t care about anything you’re saying here about how things are or were. Really. Not one bit.
I was merely saying that for that -one- particular reason for jailbreaking, a much simpler alternative exists (from a layman's perspective).
That’s really just factual information, contributing to the discussion if you like, and downvoting me because you have a grudge with Google and Apple is utterly misguided.
It's knowing that they will link my viewing habits to my Google account and never delete them.
And no terminal app in the App Store compares to actually running your code on bare metal with no clever workarounds required to make Apple happy. I don’t want to add network delays (mosh is great but still just isn’t the same) and worry about transferring files around, or force myself to run inside an emulated, fenced-off world (iSH). It’s just easier to run programs like, well, actual programs. This is why I develop NewTerm, a local terminal app for iOS, and am a huge fan of Termux on Android which neatly packages an entire self-contained ecosystem that still runs on bare metal.
Apple thankfully enabled sideloading for "free" developer accounts, and someone released AltStore (a distribution method for the Delta game emulator) yesterday.
It’s a stupid omission by Apple to not have a “4G only” toggle. 3G connectivity really sucks and it’s annoying to randomly be downgraded when you have perfectly fine 4G coverage.
Drop signal altogether?
iirc falling back to 3G from 4, or 2G from 3 is to cover temporary coverage blackspots and allow data / voice communication to continue. Albeit less optimally.
My Nexus One used to fall back to 2G whenever my 3G got below like two bars, it was so annoying. And also there would be a temporary outage while it switched. I eventually learned how to hard disable 2G, and service improved greatly, because even one bar of 3G was better than 2G.
As to what the phone should do when going outside a 4G coverage area while in “4G only” mode: nothing. It should just aggressively try to reconnect. A discrete icon about 3G network availability should be shown. A press on the 3G icon would enable temporary 3G roaming.
The underlying problem is that Apple handles roaming between 2G/3G/4G networks poorly. I could wish Apple would do it better, but that’s like wishing for a unicorn. Hence my strong leanings toward jailbreaking.
Maybe the vulnerable codepath has some code sharing between iBoot and SecureROM?
So pre-patch you could exploit the BootROM vulnerability untethered with the iBoot vulnerability, but post-patch you have to connect to a computer to boot every time if you have done any tinkering, which is why it is currently only advised for security researchers.
Tinkering with the BootROM also leads to invalidations of APTickets (so a future restore may be impossible without special gear).
It's sadly limited to the A11 (iPhone X) chips and everything before that.
A (large?) majority of the iPhones currently in circulation will soon be jailbreakable, not just for one brief moment in time (as with iOS 12.4), but on every future version of iOS. I didn't think that was ever going to happen again.
Am I missing something or are all these device secure enclaves and fingerprint protection or key protection now moot?
This exploit allows flashing unsigned firmware, so by stealing the phone the attackers won’t be able to decrypt your data, but an evil maid attack is now (or will be) feasible.
Also, stolen iPhones are now more valuable, as you will be able to bypass iCloud Lock.
Honestly, I find the malicious attack scenarios for this pretty far fetched.
What prevents unauthorized firmware from requesting that the Secure Enclave decrypt all data? Similar to having control over an HSM - you can’t extract the key but you can perform cryptographic operations.
The only ways around this are:
* physical extraction of the embedded memory in the SE (I'm not sure if this is actually feasible, it's certainly a destructive attack)
* "updating" the SE firmware - this is what the FBI wanted Apple to do in that terrorism case, that Apple develop a SE firmware that leaks the secret key
* exploiting bugs in the SE firmware - this is what the FBI ended up doing by hiring either Cellebrite or some anonymous hackers (depending on which source one believes).
Of course, none of that matters if you can reflash the device or exploit the boot ROM.
why not both?
I hope we get some word from Apple about this.
Only for older models, the newest series is not vulnerable.
Only A12 and A13 devices are unaffected (XS/XR, 11).
Android devices could allow you to do this out of the box if Google allowed you to upload your own keys and sign your own boot image by providing the tools to developers / power users. They haven't and they won't.
Sadly that means Apple is unlikely to do it either given how much more strict they are on these things.
These seem like a fair compromise.
You can sign your own firmware and re-lock the bootloader. It goes into the yellow state, and re-unlocking will wipe it again.
If you try to visit a site in Google Chrome that Google thinks is hosting malware, they pop up a huge red message saying the site will harm your computer. There is a continue link, but... well, I don't have access to any analytics on this, but I would guess not many people visit those sites.
Why does everyone on HN act like this phenomenon? I’m often talking about the HN bubble and this is another example.
If my primary device is the one displaying the warning, the only way I can find out what it means is to dismiss the warning and then 1) google it or 2) ask someone.
1) doesn't tend to happen outside of the tech bubble. 2) happens way way later, if it happens at all, as the odds of someone you can ask being around when it happens is slim. And more importantly, you need to make a phone call / check your email / do something with social media which is more important than the warning, as the warning can be dismissed and life can go on.
Odds are you forget about it entirely, and remember weeks later to ask a friend about somethingsomething boot warning insecure and then hand over your phone to them to have a look, at which point your friend loses their mind over what's happened, while the phone owner remains unconvinced it's really an issue since everything is still working correctly, and refuses to let their friend rebuild their phone for them as it'll take too long.
Source: happened to my friend's Android phone. They still won't let me fix it.
How many people in other context like cars ignore warning lights?
Must we continue to drag things out and design for the lowest common denominator?
The security benefits are real, but the implementations are poor. On Android devices, a locked bootloader guarantees your device will be e-waste within 2 years.
> During iOS 12 betas in summer 2018, Apple patched a critical use-after-free vulnerability in iBoot USB code. This vulnerability can only be triggered over USB and requires physical access. It cannot be exploited remotely. I am sure many researchers have seen that patch.
There's a pretty big piracy problem as well (not just cracked iOS apps, but also cracked paid tweaks released by devs for jailbreak devices) probably due to the younger ages without access to $.
T8002 is also listed under current support which is the T1 processor used in 2016 & 2017 MacBook Pros with Touch Bar.
I've been poking at this already, and I'd venture a guess that the T2 will be breakable. The reason I think the XS and later are hard is pointer authentication codes, but that's more conjecture as I don't have a SecureROM dump from an XS. Plan to examine other parts of the boot-loader like iLLB, assuming they are not encrypted, for the ARM branch with authentication instructions...
This affects devices ranging from the iPhone 4S to the iPhone X. That is a large scope of vulnerable devices.
This is equivalent to the Nintendo Switch BootROM exploit and allows all sorts of OSes such as Linux and Android to be installed on the iDevice.
The readme hasn't been updated to reflect the exploit yet.
Also, one of the replies to the Twitter link posted somewhere in the comments here has the following:
`During iOS 12 betas in summer 2018, Apple patched a critical use-after-free vulnerability in iBoot USB code. This vulnerability can only be triggered over USB and requires physical access. It cannot be exploited remotely. I am sure many researchers have seen that patch.`
This could explain the recent price reduction of the bounty for iOS (lower than Android).
You could potentially flash a new firmware which contains a keylogger and sends the PIN to someone. Or one that waits for the user to enter it (decrypting the disk) and then siphons off the data.
But on your own with a stolen phone and this you won’t be able to read the data.
Should also allow near universal downgrading.
It should very much allow you to upgrade/downgrade iOS to your heart's content.
Sounds like the iPhone XS and 11 aren't vulnerable.
Edit: also yes theoretically you can upgrade to any iOS version at will as well
Building reliable hardware support into your alternative OS is the hard bit though.
Aside from that though - are there any extra abilities gained that weren’t already accessible as root (i.e. jailbreak) in iOS?
It might make the secure enclave easier to hack, just by having nicer, democratized access to application kernel space. But AFAIK none of this directly affects the secure enclave, as it has its own bootrom that's way smaller and mainly just cryptographically verifies and executes a blob loaded by the main kernel.
I’m sure they have multiple redundant BLs, so I don’t know how often this actually happens.
That USB code was surely the riskiest thing in the bootrom by far though. They will be re-evaluating if it is necessary in new chips.
They also probably provision the devices with USB in the factory. But if that’s all the usb was for, I would suspect it would be disabled as the last step.
But if they are really upset about this, they will consider it.
You can make it inconvenient (for both users and attackers), but there is simply no escaping that eventually someone with physical access will get in.