Permanent Jailbreak checkm8 BootRom Exploit Explained


You won't talk about jailbreaks. You won't talk about jailbreaks. Well, I want to talk about jailbreaks.

What's up everybody. I can't believe I'm making this video. I'm super stoked to be making this video. I mean, we are back from the dead: a bootrom exploit, a forever, permanent exploit for the iPhone X and below. Could you ask for anything better? I mean, I don't even need Christmas this year, I'm good. I don't know about you guys, but I am good. So today I'm here to talk to you about checkm8. I really gotta say wow, thank you so much to the individual who decided to release this publicly, from the jailbreak community side, from the research side, from the pissed-off consumer who's sick of Apple side. Thank you. Like, wow, just amazing, amazing work. Wow.

All right guys, we need to talk. I want to talk about checkm8 just a little bit. I want to put some of this information out there instead of creating some confusing tutorials to show you how to use tools that you shouldn't be using anyways. I just want to go over all the facts, where we stand and where we're going from here. So without any more time wasted, let's jump right into it.

Today we're gonna be talking about the checkm8 exploit for iPhone X and below. This covers A11 all the way back to A5, which was included in most of the iPad series. I believe this should work on the X chips, so the A10X, A11X, all the way back. This will also affect most Apple Watches, this will definitely affect Apple TV, and this might even affect some of the newer MacBooks with the T1 and T2 chip.
Now, checkm8 is a permanent bootrom exploit. What does that mean? So every iPhone has an A-something chip. You can see here, this is the A4 chip. It's in pretty rough shape; I tried to unsolder this chip. The chip is kind of divided up: you'll have your GPU and your CPU, they'll have a few other controllers and memory modules and stuff like that, but you'll have this tiny little piece in the corner here, and it's called the SecureROM. What the SecureROM's job is, is to verify signature checks. Normally this can't really be patched, since it's a ROM, a read-only memory; you can't really modify the code that it's running. So the only way to get around these signature checks that happen right at boot, so right when the power button is hit, is you have to come up with something really crafty like checkm8.

That said, checkm8 is a physical access exploit, meaning you must have the device in hand. You must plug it into a computer, have a computer with software to manipulate the device, and put the device into DFU mode. So this isn't something that can be triggered over the internet. This isn't something that will be able to be triggered from SpringBoard, and what I mean by that is like the unc0ver jailbreak, which is triggered by an application. Unfortunately this exploit won't work like that. You will have to physically put your device into DFU mode, and then you'll be able to trigger the exploit.
So this exploit is tethered, and what I just explained is a tethered exploit: it must be triggered on each boot. We talked about support when I first started the video, but it supports A5 to A11 devices. This includes 32-bit and 64-bit devices. As far as I know, this can only be triggered in DFU mode. I'm not sure if it can be triggered in recovery mode quite yet, and I'm not sure if a modified iBoot or an iBoot exploit, which can be patched by Apple, would actually be able to trigger this to create an untether. That is still information that's kind of up in the air, and for now I'm gonna say no; in the future I'm going to say maybe.

So checkm8 is enough to provide a full tethered jailbreak. checkm8 does not pwn the SEP. So when we're talking about SEP, we're talking about Touch ID, we're talking about Face ID. If you had your Touch ID home button replaced and it doesn't work anymore, checkm8 isn't gonna help you. So this isn't gonna work for those; those would require separate exploits that probably wouldn't be permanent as well. checkm8 will not unlock your phone, so if your phone is locked to a carrier, this will not affect the baseband. This can also make restoring tricky, as the current SEP and current baseband must be included in whatever you restore to, or they simply won't work. I mean, we've already seen with futurerestore you can restore back, but you might break your Touch ID or Face ID.

Now, the last thing I want to cover in part one here is checkm8 could be triggered by a portable dongle. So if you guys are worried about not being able to jailbreak on the go, this might not actually be an issue. I mean, Raspberry Pis are really cheap, 30, 35 dollars, everybody's got a cigarette lighter in the car. Technically you could probably bring a portable device with you in the future that would be able to jailbreak your device so that you're never left hanging.

So let's move on to part two. I don't want to focus on it too much, just wanted to get this out there. So ipwndfu is a research tool. ipwndfu came out a very, very long time ago and then it was updated, but it's basically for triggering the old-school 3GS and iPhone 4 bootrom exploits: limera1n, 24Kpwn, alloc8. These were old-school bootrom exploits and they were able to be triggered by ipwndfu. ipwndfu will probably not be getting an update to be a full-fledged jailbreak. So I just want to throw that out there that ipwndfu is a research tool, which means 99.9% of you should not be using it. I really want to stress that this isn't a tutorial to show you how to put your device into pwned DFU mode, because you don't need to. You should wait for the jailbreaks.

That said, ipwndfu can demote and enable JTAG on a retail device, which is extremely impressive and really, really, really nice for the research community. If you're watching this video and you have no idea what that means, I get it. I do need to throw it out there for the couple of people that are interested in this sort of thing. So JTAG will require a special cable. These special cables are rare and, to be quite honest, they're currently too expensive. I'm not gonna lie, I have a Kanzi cable myself, but you shouldn't spend, especially right now, that kind of money on something that you're not going to be able to use. Please don't run out and buy this; you're just putting money in somebody else's pocket. ipwndfu will remain a research tool, and I really stand behind that. We will see other tools come out for jailbreaks, but ipwndfu will not be a jailbreak.

Beware of the fake prototypes. So most of you probably don't know this, but if some of you are interested in Apple products, and especially jailbreaking, you may have come across the Apple internal community, which isn't really a great community, but SwitchBoard is pretty impressive and it's pretty cool. I mean, a lot of people are interested in the factory firmware. Unfortunately, this bootrom exploit will allow a custom firmware to be made for the affected devices, and SwitchBoard can be ported to those devices. Back to beware of the fake prototypes: watch what you're buying on eBay through private sellers. If you can get the serial number for that device, and that serial number appears in Apple's database, it is not a prototype. Prototypes do not have valid serial numbers, and they are definitely not registered where you could look them up. So that's kind of a screaming thing right there, like, this is not correct. So I don't want to focus too much more on this, let's move on.

Going forward, checkm8 will be the jailbreak standard, and what I mean by this is most, if not all, jailbreak tools for the next few years here are going to heavily focus on the checkm8 exploit. And to be fair, there's hundreds of millions of devices out there in the wild today that can take advantage of checkm8, and this is why there's going to be a real focus on these devices and on this exploit. checkm8 is going to revive tools like redsn0w. redsn0w was a tool used to jailbreak primarily with limera1n, previously with the 24Kpwn exploit, and it allowed you to do what most custom firmware tools would do, but on the fly, a little quicker, was a little easier to use. redsn0w was a really cool tool, and actually my very first jailbreak was QuickPwn, and QuickPwn turned into redsn0w around 2.2, I believe. I think the last QuickPwn jailbreak was 2.1.1, and that was my very first jailbreak, if not 2.1, and I think 2.1.1 came out. Anyways, that's where my jailbreak career started.

That said, something else could come with this: we could actually have custom firmware pre-jailbroken, and an example of this would be PwnageTool and sn0wbreeze, which back in the day were able to create custom firmwares. I used to create custom firmwares; they would allow you to do neat things like include a custom boot logo if you had an untethered jailbreak or an untethered bootrom exploit like 24Kpwn. You could also enable verbose mode instead. If you guys haven't seen verbose mode yet, look on reddit, Twitter, it's been all over. It's the one where the text runs across the screen during boot instead of an Apple logo. And what I remember was really cool about PwnageTool and sn0wbreeze was you could include tweaks, so you could actually download your favorite tweaks and pre-install them in the firmware and then just flash it right to your phone. It was really customizable and it was really refreshing; it was an awesome, awesome experience, and we actually get to have this again.
That said, downgrading is also going to be possible, kinda. When Apple created the TSS servers and the SHSH blobs, they did a good job, and on purpose: they really, really wanted to prevent jailbreakers from getting back to a jailbroken firmware if they updated, and we've gone around and played this cat-and-mouse game since, what, 3.something. There are some real big benefits to saving your SHSH blobs even with checkm8, because you could downgrade to an older firmware that you have blobs for, and it essentially could be untethered in a way where, as long as you're not jailbroken, the firmware would still be intact and you had those valid blobs to actually do a legitimate downgrade. Now this is limited by the SEP and the baseband compatibility with the firmware you're downgrading to, so this might not be 100%.

You can also downgrade without blobs. Technically you could downgrade to any firmware you want. The only limitation to this is, if you downgrade your device using checkm8 but you choose not to be jailbroken, meaning you just don't want a jailbreak, you just want a stock firmware, you will still have to use checkm8 to boot your device, because your device will not have those valid SHSH signatures that it needs to boot just a normal firmware.

Now, that said, semi-tether. What is semi-tether, what do I mean by that? Semi-tether is what we need SHSH blobs for, for downgrading. It means a stock firmware: if I download iOS 10 and want to flash iOS 10 to my iPhone 7, and my iPhone 7's on iOS 13, I can do that without SHSH blobs, but I can't boot the device without a jailbreak or anything unless I had those blobs, and that's what a semi-tether is. Well, we could also do this where you could have a jailbroken firmware, but currently, like right now, when you reboot your phone you reboot in the non-jailbroken state. We could actually have it where, if you reboot your device, or your device runs out of battery and it reboots, it would be semi-tethered: it would load the vanilla kernel, it wouldn't be jailbroken when it booted, but it would still function where you could use text messaging, phone calls, you could browse the internet. So semi-tethering is real and it's something that we can get to, it's just gonna take some time. And like I said in the beginning, checkm8 could be untethered. Anything can happen at this point. I mean, we might see sometime in the future something come up, and come up publicly, that would be able to untether this one way or another.

So the next part is something I wanted to focus a little bit more on. This one is probably what you guys watched this video for; the previous information really didn't matter. What's next? Well, what's next is we need new tools. I explained this in the beginning: ipwndfu is a research tool, it's not made for jailbreakers and it never will be. So we need new tools, and we need jailbreak teams to make these tools. To ask for an updated timeline, well, it's attracted a lot of attention from some really talented individuals. Unfortunately the jailbreak community was really nasty to those people; they maybe share a bit and they might not. That's that. There are two active jailbreak teams right now who are amazing. Both the Chimera and the unc0ver team have done so much for the community in the last few years here. I mean, both of them, regardless of what you think of one of them or another, they're there, they're trying, and they're working on this. So I believe those are gonna be who we see, and possibly we might actually see a new team form, or teams. Maybe somebody won't like the way somebody does something and they'll decide to form their own team and put together their own jailbreak. The beauty of this is it's open source, so anybody can do anything they want. As long as it benefits the end user, as long as our community grows, it doesn't matter whose name is on it. Okay, so just remember that when you form opinions on people because of other people's opinions.

Now, what about... this is a big one here. What about the iPhone XS, XR, 11, 11 Pro, and the iPad Pro, 2019 or 2020, I can't remember when they did the update? What about you guys? So currently this jailbreak doesn't affect you whatsoever, and I don't see the checkm8 exploit ever getting ported to new devices. You can't really; it's been patched by Apple, and we're not gonna get really lucky where they forgot one byte and you can actually enable it and make it work. It's just not gonna happen.
That said, research equals motivation, and I have this little chart here for a reason. There are a lot of really intelligent people who are motivated by the research, and if they discover something, and they will discover something for these new devices, it'll eventually come out. And we've actually already seen demos of the latest devices, the iPhone 11, being jailbroken. This has already happened. It's not a matter of if, it's a matter of time. Time, and... oh, why money? Because money goes with time. If you're not seventeen living in your parents' house, you'll understand that everything, including time, costs money. You have to give these people a lot of respect. I see people asking all the time "when? ETA?" Man, don't do that, don't be that guy, because these guys gave up time when they could be making money because they loved the motivation, because they're fueled by the research. When you start doing this, this is what you get. Just asking "when? ETA?" and you're all on your own. This really, really, really matters, so you guys got to be very careful about demanding things and not being patient. A team of people, very dedicated people with a lot of time on their hands, they've got to get their heads together to make this a jailbreak. It's not like we can just slap something together and everybody's sitting in the corner giggling with their jailbreak and the public's just sitting there wondering when it's gonna come out. That's not the case. I bet you the second it's possible, five seconds later it'll be on the internet, out there for everybody. It's just the way things work, right? Hackers are motivated because they love the reaction, and they love being able to beat companies and be the first, and we're all human. So that's gonna be... it'll come. It's not gonna be a day, it's not gonna be a week, it's probably not even gonna be a month, but within the next month to two months here you guys will have a jailbreak, and it'll work on the latest firmware, and it doesn't matter which firmware comes out. And once that platform is built, it'll be easy to maintain, which means new updates for firmwares that come out, you'll be able to upgrade as much as you want. There'll be no limitations anymore. It's gonna be the golden era, so be very thankful for what we have right now.

That said, for reliable sources and reliable news in the jailbreak community, stay away from reddit unless you follow the release. I really have a personal thing with reddit; I really despise the reddit community. Just so you guys know, you're one percent of all of us and your opinions don't matter, thank you very much. Make sure you guys follow big-time YouTubers like EverythingApplePro and reputable news sites like iDownloadBlog and 9to5Mac. Also check out the hackers themselves; like, the unc0ver team loves posting stuff. There are a lot of prominent developers, tweak developers, that also are interested in security and research and will show you, and there are some really cool people out there. So for one post you can read on reddit, you can find the truth in about 30 seconds on Twitter, just sayin'.

The last thing here I wanted to talk to you guys about is something that most jailbreakers are not thinking about, but there are a lot of other people out there that are thinking this.
So, what? checkm8 and everything you've just told me: basically all these phones are jailbroken, they're jailbroken forever, and there's nothing we can do about it. Is an A5 to A11 device safe? What is safe? This is a really, really, really tough question to answer. I almost didn't want to touch on it. I'm not going to tell you you're safe, but I'm not going to tell you a brand new iPhone that nobody's ever held in their hands besides Apple is safe. This is really up to you and what you want to believe.

How can you prevent a DFU brute force if you're using one of these devices? Well, a four or six digit PIN code could be brute forced pretty quickly, and now that we have checkm8, it would be fairly easy to remove the limitations that would prevent the password from being brute forced. Currently, if you re-enter a password five times or something like that, it'll start to create a delay. That could be removed by this exploit, and the devices could be brute forced indefinitely. The only real thing you guys could do is use a very long text passcode with characters, like a physical passcode on your device, which you're actually able to do. I'm not saying that it can't be beaten; I don't know, if the NSA wants in there, they're getting in. But that would definitely make brute forcing your data, at least on the device, just ridiculous, like you'd have to be somebody who they really wanted the information from to waste that kind of time and computer power. But it's not bulletproof.

Now that checkm8 has come around, does this mean we're gonna see more malware, and will malware infest the jailbreak community? So if you don't jailbreak, I don't believe malware is gonna go up for you any more than it already is. There is malware out there for iOS, and for Windows and Android and Mac, there is nothing... even Linux, there's nothing that's safe. So no, I don't think this is gonna make it any safer. And can you detect it? Well, I guess if you're tech-savvy and you're very careful and you pay attention to your device and what's installed on your device and what your device is doing, then the jailbreak might actually make you a little more secure, because you could actually peek in and see what's going on. So not being jailbroken might leave you not noticing what's going on. That said, again, this is a physical access exploit, so if somebody wants to put a RAT tool onto your phone, they would have to have physical access to it for a time, and unless they have some sort of way of untethering it, in case you shut it off and then turn the device back on... If you're really that paranoid, just reboot your phone like 13 times a day, so every time you reboot your device the jailbreak would have to be re-enabled correctly or those tools wouldn't even function. So unless there's an untether, which can actually be done without the DFU exploits... So don't think that companies or governments or really bad people with a lot of money can't still get into your phone using other methods. I mean, bootrom exploits have been just one of many different methods into a device. And back to malware infecting the jailbreak community: we are going to see an influx of users and we may see more malware than usual, but once again, this is not new and I don't expect it to grow out of control.

That being said, should you sell your old device for the iPhone 11, and is the iPhone 11 actually safe? This is a really, really interesting one; this one I really wanted to touch on just very quickly.
Back in 2015 I learned about a bootrom exploit, a private bootrom exploit for the iPhone 6, 6s. I even heard rumors that it was untethered; it could be tethered or untethered, permanently. Folks, we don't have that exploit today. checkm8 was not that exploit. So is your iPhone 11 actually safe? The fact that we're talking about checkm8 today means there's something better. So it all comes down to what you believe. Do you believe the company that sells you the privacy and says "you can trust us," or do you believe the hackers giggling in the corner saying "you can trust us"? Nothing is safe. Anything that you put online can be hacked, it can be taken from you. So you just need to be careful about the information you put out on the internet, and really be aware of the situation, not so much the device you're using. When you start to rely on a company to protect your privacy, a device to protect your privacy, you get sloppy, and then you get hacked. So that's my advice. That is my advice.

Thank you guys for watching this video. It has been a long video; I can't believe I talked for 20-something minutes. I'm super, super excited for the jailbreak. I'm super excited for our community. This means so much, and I really hope that this video helps some of you figure out what's going on right now, and why. Some of you are like, I keep reading this: "where's the jailbreak? They said there was a jailbreak and there's no jailbreak." Well, yeah, there isn't a jailbreak. There's a brand new exploit, and it's gonna take quite a bit of time before we can get a jailbreak, but when you finally get a jailbreak, it's going to be amazing, and you're gonna keep getting jailbreaks. I mean, we were lucky to see two or three a year; at this point we're gonna be seeing them every few months. This is gonna be really cool, and it's gonna go on now for years. The iPhone X, it's only, like, what, two or three years old. I'm sure Apple will discontinue it a lot sooner than they had originally intended, but we got at least two more years before that device is considered old. I mean, even in two years it's gonna be a great device. The iPhone X is my main, it's my daily driver, and I will not be buying anything new for quite a while, because why? It's fast, it's great, I got the biggest size. Yeah, thanks for watching guys. Make sure you like my video, subscribe to my channel, because it really helps me out. I'm gonna start making a lot more content for the jailbreak community again. Thank you guys for sticking around, we'll see you again next time. checkm8.
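The video keeps coming back to two practical facts: the exploit is only reachable with the device plugged in and sitting in DFU mode, and it only applies to the A5 through A11 SoCs. Before any tool triggers anything, the first thing a practitioner does is read the USB serial string the SecureROM reports in DFU mode and see which chip is actually on the cable. The following is an added example, not code from the video, from ipwndfu, or from any jailbreak tool. It assumes the "KEY:VALUE" layout of that serial string (CPID, BDID, ECID, SRTG and so on, as reported by the device with USB VID 0x05ac and PID 0x1227), a CPID-to-SoC table written from the example author's own notes, and ipwndfu's convention of appending a PWND:[...] tag once a device is in pwned DFU. The sample strings are constructed, not captured from real devices.

```python
"""Parse an Apple DFU-mode USB serial string and classify the SoC.

Added example; not code from the video or from ipwndfu. The field layout,
the CPID table and the PWND:[...] convention are the example author's
assumptions and should be checked against a real device.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Chip IDs (CPID) as the SecureROM reports them over USB. Assembled from
# the example author's notes, not from the video.
CPID_TO_SOC: Dict[int, str] = {
    0x8940: "A5", 0x8945: "A5X", 0x8947: "A5 (32nm)",
    0x8950: "A6", 0x8955: "A6X",
    0x8960: "A7",
    0x7000: "A8", 0x7001: "A8X",
    0x8000: "A9 (Samsung)", 0x8003: "A9 (TSMC)", 0x8001: "A9X",
    0x8010: "A10", 0x8011: "A10X",
    0x8015: "A11",
    0x8020: "A12",  # newer SoC the video says is not affected
}

# The A5 through A11 range the video describes as affected by checkm8.
CHECKM8_VIDEO_RANGE = {
    0x8940, 0x8945, 0x8947, 0x8950, 0x8955, 0x8960, 0x7000, 0x7001,
    0x8000, 0x8003, 0x8001, 0x8010, 0x8011, 0x8015,
}

# One "KEY:VALUE" field; bracketed values (SRTG:[...], PWND:[...]) may
# contain characters that would otherwise end the token.
_FIELD = re.compile(r"([A-Z]+):(\[[^\]]*\]|\S+)")


@dataclass
class DfuDevice:
    cpid: int
    bdid: Optional[int]
    ecid: Optional[int]
    srtg: str          # SecureROM build tag, e.g. "iBoot-3332.0.0.1.23"
    pwned: bool        # True when a PWND:[...] tag is present (ipwndfu convention)
    raw: Dict[str, str]

    @property
    def soc(self) -> str:
        return CPID_TO_SOC.get(self.cpid, f"unknown (CPID 0x{self.cpid:04x})")

    @property
    def in_checkm8_range(self) -> bool:
        return self.cpid in CHECKM8_VIDEO_RANGE


def parse_dfu_serial(serial: str) -> DfuDevice:
    """Split the serial string into fields; CPID is mandatory, the rest optional."""
    fields = dict(_FIELD.findall(serial))
    if "CPID" not in fields:
        raise ValueError("no CPID field: not a DFU-mode serial string")
    hex_or_none = lambda k: int(fields[k], 16) if k in fields else None
    return DfuDevice(
        cpid=int(fields["CPID"], 16),
        bdid=hex_or_none("BDID"),
        ecid=hex_or_none("ECID"),
        srtg=fields.get("SRTG", "").strip("[]"),
        pwned="PWND" in fields,
        raw=fields,
    )


def triage(serial: str) -> str:
    """One-line verdict a practitioner wants before plugging anything else in."""
    dev = parse_dfu_serial(serial)
    if dev.pwned:
        return f"{dev.soc}: already in pwned DFU ({dev.raw['PWND'].strip('[]')})"
    if dev.in_checkm8_range:
        return f"{dev.soc}: in the A5-A11 range; tethered, DFU-only exploit applies"
    return f"{dev.soc}: outside the A5-A11 range; checkm8 does not apply"


# Constructed sample strings (not captured from real hardware).
SAMPLES = {
    "iphone_x_stock": "CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:0C "
                      "ECID:000A1B2C3D4E5F60 IBFL:3C SRTG:[iBoot-3332.0.0.1.23]",
    "iphone_x_pwned": "CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:0C "
                      "ECID:000A1B2C3D4E5F60 IBFL:3C SRTG:[iBoot-3332.0.0.1.23] PWND:[checkm8]",
    "iphone_xs":      "CPID:8020 CPRV:11 CPFM:03 SCEP:01 BDID:0E "
                      "ECID:0011223344556677 IBFL:3C SRTG:[iBoot-3865.0.0.4.7]",
}

if __name__ == "__main__":
    for name, serial in SAMPLES.items():
        print(f"{name:15s} {triage(serial)}")
```

On real hardware the string comes from the USB device descriptor: with pyusb, `usb.core.find(idVendor=0x05ac, idProduct=0x1227)` gives the DFU device and its `serial_number` property is the string fed to `parse_dfu_serial`. The ECID is what SHSH blobs are tied to, so keeping it from this parse is useful for the downgrade discussion above.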

11 thoughts on “Permanent Jailbreak checkm8 BootRom Exploit Explained

  1. Came here just to scroll through the video but got caught. Very well done 👍 You should try to make a more "click bait" title to get some traction

  2. Wow😳. This is a really good video. I like this guy! Why doesn't this video have like a million views lol. Thank you so much for the information, i really appreciate it. Keep making great awesome video 👍🏼.

  3. A technical analysis of checkm8 is now available for anyone wishing to learn more about the exploit. Big thanks to a1exdandy and habr for posting this technical writeup! https://habr.com/en/company/dsec/blog/472762/ #checkm8
