
'Checkm8' used to jailbreak iPhone X running iOS 13.1.1


The security researcher who developed the "Checkm8" exploit has continued working, and has demonstrated an iPhone X booting in verbose mode with the aid of the exploit that was revealed on Friday.

According to "axi0mX," the jailbreak took only seconds on an iPhone X running iOS 13.1.1. Because the exploit is in the boot ROM, the operating system version isn't really relevant: the security chain is broken before the device gets to the patchable iOS stage.

As before, the exploit still requires a tether, meaning a connection to a computer. Additionally, a reboot will prevent any system modifications installed during the jailbreak, such as keyloggers, from loading, and restores the secure boot chain.

As the developer of the exploit said on Saturday, the demonstration is the next logical step in developing a new and full jailbreak. Because of the limitations involved in a boot ROM exploit and the Secure Enclave engineering in the iPhone 5s and later, it still doesn't imply anything further in regard to device security.

The exploit works on any iPhone up to and including the iPhone X. User data and passcode security is maintained with any device that includes a Secure Enclave, including the iPad Air and newer, iPod touch seventh generation, and the iPhone 5s and newer.



14 Comments

Vulkan 5 Years · 7 comments

The upside of what I think we learned of this for jailbreaking is that if you are on any signed version of iOS, such as iOS 13.1.1, using this exploit will allow you to become jailbroken, but once you reboot the device the jailbreak ceases to function. Being that the iOS version is signed, the device will then proceed to boot into a clean version of iOS. An unsigned version of iOS without SHSH blobs will only function in the exploited state; rebooting will cause the whole device to be stuck on the Apple logo until you exploit again.

I believe once a jailbreak is available, the Cydia app and any jailbreak apps may still remain on the device in storage on a signed version of iOS until you do a system restore, but will not open or function due to Apple's security.

Mike Wuerthele 8 Years · 6906 comments

Vulkan said:
The upside of what I think we learned of this for jailbreaking is that if you are on any signed version of iOS, such as iOS 13.1.1, using this exploit will allow you to become jailbroken, but once you reboot the device the jailbreak ceases to function. Being that the iOS version is signed, the device will then proceed to boot into a clean version of iOS. An unsigned version of iOS without SHSH blobs will only function in the exploited state; rebooting will cause the whole device to be stuck on the Apple logo until you exploit again.
I believe once a jailbreak is available, the Cydia app and any jailbreak apps may still remain on the device in storage on a signed version of iOS until you do a system restore, but will not open or function due to Apple's security.

Right, this is what we said yesterday.

eriamjh 17 Years · 1772 comments

This jailbreak could be how that company claimed to be able to access data on every iPhone ever made (or whatever) for law enforcement.

chasm 10 Years · 3624 comments

Yes, this is an exploit law enforcement can take (and certainly has taken) advantage of, but for 99+ percent of iPhone users this is a huge non-event due to the requirements of the hack: phone not in your possession, tethered, a reboot wipes out anything installed using the exploit, etc.

That said, it pays to be aware of stuff like this when traveling, and of course Apple is learning how to block this exploit going forward, so the research that went into it is valuable.