Skip to main content

New ‘unpatchable’ iOS exploit could lead to permanent jailbreak for iPhone 4s to iPhone X

Jailbreaks have decreased over the last few years. However, last month a mistake by Apple saw a jailbreak for modern iPhones released but it was quickly patched. Today, a security researcher has released what is claimed to be a “permanent unpatchable bootrom exploit” for iPhone 4s all the way up to iPhone X that could lead to a permanent jailbreak.

Twitter user, axi0mX shared their iPhone exploit today called “checkm8.” While they call it an “epic jailbreak” it’s important to note it’s an exploit that could lead to a jailbreak with further work. However, if that potential is realized, checkm8 could be a big deal.

axi0mX explains more:

What I am releasing today is not a full jailbreak with Cydia, just an exploit. Researchers and developers can use it to dump SecureROM, decrypt keybags with AES engine, and demote the device to enable JTAG. You still need additional hardware and software to use JTAG.

Features the exploit allow include:

  • Jailbreak and downgrade iPhone 3GS (new bootrom) with alloc8 untethered bootrom exploit. :-)
  • Pwned DFU Mode with steaks4uce exploit for S5L8720 devices.
  • Pwned DFU Mode with limera1n exploit for S5L8920/S5L8922 devices.
  • Pwned DFU Mode with SHAtter exploit for S5L8930 devices.
  • Dump SecureROM on S5L8920/S5L8922/S5L8930 devices.
  • Dump NOR on S5L8920 devices.
  • Flash NOR on S5L8920 devices.
  • Encrypt or decrypt hex data on a connected device in pwned DFU Mode using its GID or UID key.

axi0mX notes that this exploit can’t be performed remotely but has to be done over USB.

During iOS 12 betas in summer 2018, Apple patched a critical use-after-free vulnerability in iBoot USB code. This vulnerability can only be triggered over USB and requires physical access. It cannot be exploited remotely. I am sure many researchers have seen that patch.

Even though the patch that leads to the exploit is easy to find, axi0mX says “the vulnerability is not trivial to exploit on most devices.”

That’s how I discovered it. It is likely at least a couple other researchers were able to exploit this vulnerability after discovering the patch. The patch is easy to find, but the vulnerability is not trivial to exploit on most devices.

The exploit was shared on GitHub with a warning that it may brick devices:

This tool is currently in beta and could potentially brick your device. It will attempt to save a copy of data in NOR to nor-backups folder before flashing new data to NOR, and it will attempt to not overwrite critical data in NOR which your device requires to function. If something goes wrong, hopefully you will be able to restore to latest IPSW in iTunes and bring your device back to life, or use nor-backups to restore NOR to the original state, but I cannot provide any guarantees.

Notably, Apple vastly expanded its bug bounty program and will begin giving developers pre-jailbroken devices next year. That will give those in the program an “unprecedented, Apple-supported iOS security research platform” that features “ssh, a root shell, and advanced debug capabilities.”

FTC: We use income earning auto affiliate links. More.

totallee clear case iphone 11
You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
  翻译: