'Checkm8' used to jailbreak iPhone X running iOS 13.1.1

The security researcher who developed the "Checkm8" exploit has continued working, and has demonstrated an iPhone X booting in verbose mode with the aid of the exploit that was revealed on Friday.

According to "axi0mX." the jailbreak took only seconds on an iPhone X running iOS 13.1.1. As the exploit is in the boot ROM, the operating system version isn't really relevant to the exploit, as the security chain is broken before the device gets to the patchable iOS part.

As before, the exploit still requires a tether, meaning a connection to a computer. Additionally, a reboot will prevent any system modifications like keyloggers installed during the jailbreak from loading, and restores the Secure bootchain.

HACKED! Verbose booting iPhone X looks pretty cool. Starting in DFU Mode, it took 2 seconds to jailbreak it with checkm8, and then I made it automatically boot from NAND with patches for verbose boot. Latest iOS 13.1.1, and no need to upload any images. Thanks @qwertyoruiopz pic.twitter.com/4fyOx3G7E0
— axi0mX (@axi0mX) September 29, 2019

As the developer of the exploit said on Saturday, the demonstration is the next logical step in developing a new and full jailbreak. Because of the limitations involved in a boot ROM exploit and the Secure Enclave engineering in the iPhone 5s and later, it still doesn't imply anything further in regards to device security.

The exploit works on any iPhone up to and including the iPhone X. User data and passcode security is maintained with any device that includes a Secure Enclave, including the iPad Air and newer, iPod touch seventh generation, and the iPhone 5s and newer.

14 Comments

Vulkan 7 comments · 5 Years

About 5 years ago

The upside of what I think we learned of this for jailbreaking is if you are on any signed version of iOS such as iOS 13.1.1 when using this exploit it will allow you to become jailbroken, but once you reboot the device the jailbreak ceases to function. Being that the iOS version is signed the device will then proceed to boot into a clean version of iOS. A unsigned version of iOS without shsh blobs will only function in the exploited state, rebooting will cause the whole device to be stuck on the apple logo until you exploit again.

I believe once a jailbreak is available the Cydia app and any jailbreak apps may still remain on the device in storage on a signed version of iOS until you system restore, but will not open or function due to apples security.

Mike Wuerthele 6901 comments · 8 Years

About 5 years ago

Vulkan said:

The upside of what I think we learned of this for jailbreaking is if you are on any signed version of iOS such as iOS 13.1.1 when using this exploit it will allow you to become jailbroken, but once you reboot the device the jailbreak ceases to function. Being that the iOS version is signed the device will then proceed to boot into a clean version of iOS. A unsigned version of iOS without shsh blobs will only function in the exploited state, rebooting will cause the whole device to be stuck on the apple logo until you exploit again.
I believe once a jailbreak is available the Cydia app and any jailbreak apps may still remain on the device in storage on a signed version of iOS until you system restore, but will not open or function due to apples security.

Right, this is what we said yesterday.

eriamjh 1760 comments · 17 Years

About 5 years ago

This jailbreak could be how that company claimed to be able to access data on every iPhone ever made (or whatever) for law enforcement.

chasm 3590 comments · 10 Years

About 5 years ago

Yes, this is an exploit law enforcement can take (and certainly has taken) advantage of, but for 99+ percent of iPhone users this is a huge non-event due to the requirements of the hack -- phone not in your possession, tethered, a reboot wipes out anything installed using the exploit, etc.

That said it pays to be aware of stuff like this when traveling, and of course Apple is learning how to block this exploit going forward, so the research that went into it is valuable.