Checkm8 Exploit Opens Door to Unpatchable Jailbreak on iPhone 4S Through iPhone X

A security researcher who goes by "axi0mX" on Twitter today released "checkm8," which he claims is a bootrom exploit for iOS devices equipped with A5 through A11 chips, including the iPhone 4S through iPhone X, several iPad models dating back to the iPad 2, and the fifth-generation iPod touch and later.


This would be the first publicly released bootrom exploit since the iPhone 4 in 2010 and pave the way for a permanent, non-patchable jailbreak on hundreds of millions of affected iOS devices. Since the bootrom is read-only, Apple cannot patch this type of exploit with a software update.


The bootrom exploit has many other possibilities on affected devices, including downgrading iOS versions without SHSH blobs or APTickets, dual booting iOS, and running custom firmwares, according to jailbreak enthusiasts.

This is significant news in the jailbreaking community, as the last bootrom exploit known as "limera1n" was released by George "geohot" Hotz nearly a decade ago for devices with A4 chips and earlier, including the iPhone 4, iPhone 3GS, the third- and fourth-generation iPod touch, and the original iPad.

Top Rated Comments

(View all)
Avatar
9 months ago


This can't be good for the security of these devices...


And have malware installed or spying on you. No thanks. Apple should have gotten their sh** together and not have had the exploit open for nearly a week.

This is a bootrom exploit. It can only be exploited when the device is in DFU recovery mode and will not affect the security of devices being used normally.

This is really the best kind of jailbreak exploit because only the people who really want to go out of their way to jailbreak can use it. Regular users are safe; all it means is that people can do whatever they like with these devices they own now.
Score: 34 Votes (Like | Disagree)
Avatar
9 months ago


All the cool kids violate their warranty. Didn't you know?

one restore on iTunes and your warranty is „restored“ so to speak
Score: 28 Votes (Like | Disagree)
Avatar
9 months ago
I haaaaaaate the new force press/haptic touch menu on iOS 13. I would consider jail breaking just to go back to how that worked on my X on iOS 12.
Score: 16 Votes (Like | Disagree)
Avatar
9 months ago
I haven't been jailbroken since the 3G, what's the big draw of a jailbreak now a days?
Score: 15 Votes (Like | Disagree)
Avatar
9 months ago
Good, now we can have proper downgrade rights on these devices. It's sad that something like this is needed to, for example, downgrade to iOS 10 on an iPad Air 2 for the simple purpose of running 32-bit apps.
Score: 14 Votes (Like | Disagree)
Avatar
9 months ago


Once the data is copied off the phone can't you brute force it without fear of being locked out? What's the encryption like?

You can read through the details yourself if you want: https://www.apple.com/business/docs/site/iOS_Security_Guide.pdf

The NAND itself is encrypted with AES 256. The passcode is the weak point, but to generate the AES 256 key from the passcode, you need the passcode and the unique AES 256 key burned into the Secure Enclave on the SOC. The passcode is run through PBKDF2 and then tangled with the AES 256 key in a one-way operation.

So dumping the flash raw means you face AES 256 at full strength, even if you know the passcode, because you also need the AES 256 key from the SOC to be able to recreate the key yourself if you aren't just brute forcing AES.

The fastest way to crack an iPhone is to brute force the passcode and bypass the lockout on attempts if you can. It also gives you the most access to the content.

Individual containers/files can be encrypted with separate keys based on the level of access the OS should have in different states of lock/unlock, on top of the NAND encryption. So if you dump the flash unencrypted, you then also need to crack the containers for things like email and messages which are also AES 256 encryption. All the more reason to focus even more on the passcode and attempt lockout mechanisms.


This is a bootROM exploit. Every iPhone ever manufactured excluding the iPhone XS and 11 series will always be vulnerable to this exploit regardless of any iOS updates. There is no patch.

Apple still manufactures the iPhone 8 and 3rd Gen Air. I wouldn't be surprised if we see manufacturing runs of those that include the patched boot ROM.
Score: 14 Votes (Like | Disagree)

Top Stories

'This App is No Longer Shared' iOS Bug Preventing Some Apps From Opening

Friday May 22, 2020 3:58 pm PDT by
An app bug is causing some iOS users to be unable to open their apps, with affected iPhone and iPad users seeing the message "This app is no longer shared with you" when attempting to access an app. There are multiple complaints about the issue on the MacRumors forums and on Twitter from users who are running into problems. A MacRumors reader describes the issue:Is anyone else experiencing...

Apple Memorial Day Deals: Shop the Best Apple Accessory Sales From Twelve South, eBay, Anker, Mophie, and More

Friday May 22, 2020 6:39 am PDT by
We're now just a few days away from Memorial Day on Monday, May 25, and numerous retailers have opened up discounts in celebration of the holiday. This includes sales on helpful Apple-related accessories like Anker's portable batteries, Beats headphones at eBay, Incase and Incipio's protective iPad and iPhone cases, Mophie's iPhone battery cases, JBL's Bluetooth speakers, and much more. Note:...

Former iOS Chief Scott Forstall Shares Intriguing Story of His Interview With Steve Jobs at NeXT

Friday May 22, 2020 4:01 am PDT by
Former Apple executive and iOS chief Scott Forstall made a rare public appearance this week at Code.org's virtual Code Break event, and in between classes, Forstall shared the intriguing story of how he was hired by Steve Jobs. Forstall revealed that he had been considering working at Microsoft when he went to interview at NexT, the company started by Jobs after he had left Apple. Forstall...

'Apple Glass' Rumored to Start at $499, Support Prescription Lenses, and More

Tuesday May 19, 2020 6:30 am PDT by
Front Page Tech host and leaker Jon Prosser today shared several alleged details about Apple's rumored augmented reality glasses, including an "Apple Glass" marketing name, $499 starting price, prescription lens option, and more. The marketing name will be "Apple Glass" The glasses will start at $499 with the option for prescription lenses at an extra cost There will be displays in both...

Apple's 'Bounce' AirPods Ad Wins 'Best of Advertising' Award

Friday May 22, 2020 10:09 am PDT by
Apple's creative "Bounce" ad designed to highlight the AirPods took top honors in the 99th annual ADC (Art Director's Club) awards for advertising, earning the "Best of Discipline" award along with two Gold Cube awards in the craft in video and branded content categories. Released in June 2019, the ad features a bored man who pulls his AirPods off of their wireless charging pad and then pops ...

Apple's 'AirPods Studio' Over-Ear Headphones Have Reportedly Kicked Off Production

Friday May 22, 2020 7:03 am PDT by
We've been hearing quite a bit recently about Apple's long-rumored over-ear headphones, said to be called "AirPods Studio," and it looks like a launch may be coming in the relatively near future. Artist mockup based on Beats Studio3 Rumors have generally suggested a summer or fall launch for AirPods Studio, with a report earlier this week claiming that suppliers in Vietnam will begin...

Top Stories: Apple Glass and iPhone 12 Rumors, iOS 13.5 Update, and More!

Saturday May 23, 2020 6:00 am PDT by
It was another big week for rumors this week, with a flurry of reports about Apple's augmented reality glasses, the iPhone 12, and Apple's "AirPods Studio" over-ear headphones. This week also saw the release of iOS 13.5, bringing a number of health-related updates to Apple's mobile devices. Subscribe to the MacRumors YouTube channel for more videos. Other topics of interest this week included ...

Apple Releases iPadOS and iOS 13.5 With Exposure Notification API, Face ID Mask Updates, Group FaceTime Changes and More

Wednesday May 20, 2020 10:00 am PDT by
Apple today released iOS and iPadOS 13.5, major updates that come more than a month after the launch of iOS and iPadOS 13.4.1. iOS 13.5 is a major health-related update that brings many features related to the ongoing public health crisis. The iOS and ‌‌iPadOS‌‌ 13.5 updates are available on all eligible devices over-the-air in the Settings app. To access the updates, go to Settings...

Jon Prosser Claims Apple is Working on 'Steve Jobs Heritage Edition' AR Glasses, Gurman Calls Rumor 'Complete Fiction'

Thursday May 21, 2020 4:50 pm PDT by
Apple is working on a limited-edition version of its augmented reality smart glasses that's designed to look like the round, frameless glasses that Steve Jobs was famous for wearing, according to Jon Prosser. Prosser, who runs YouTube show Front Page Tech and who has been sharing a flood of Apple rumors in recent weeks, mentioned the detail in Cult of Mac's latest Cultcast podcast....

T-Mobile and Sprint Offering Free iPhone SE With Trade-In

Thursday May 21, 2020 1:14 pm PDT by
T-Mobile is launching a Memorial Day promotion that will see the company offering a free iPhone SE to customers who trade in an eligible older smartphone in good condition. From Friday to Monday, customers who trade in an existing smartphone can get a free iPhone SE (sales tax still needs to be paid) or up to $500 off a Samsung Galaxy S20. The free iPhone SE will be provided in the form...