Some good news for jailbreaking scene
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices. Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).
1/ The last iOS device with a public bootrom exploit until today was iPhone 4, which was released in 2010. This is possibly the biggest news in iOS jailbreak community in years. I am releasing my exploit for free for the benefit of iOS jailbreak and security research community.
2/ What I am releasing today is not a full jailbreak with Cydia, just an exploit. Researchers and developers can use it to dump SecureROM, decrypt keybags with AES engine, and demote the device to enable JTAG. You still need additional hardware and software to use JTAG.
3/ Maybe someone can figure out a nice way to use JTAG on iPhone without proprietary hardware and software. I and many others would be forever grateful if someone makes that possible.
4/ Exploit released today supports s5l8947x, s5l8950x, s5l8955x, s5l8960x, t8002, t8004, t8010, t8011, t8015. Others will be added soon. It is not perfectly reliable yet; it uses a race condition and I only tested it on my MacBook Pro.
5/ During iOS 12 betas in summer 2018, Apple patched a critical use-after-free vulnerability in iBoot USB code. This vulnerability can only be triggered over USB and requires physical access. It cannot be exploited remotely. I am sure many researchers have seen that patch.
6/ That's how I discovered it. It is likely at least a couple other researchers were able to exploit this vulnerability after discovering the patch. The patch is easy to find, but the vulnerability is not trivial to exploit on most devices.
8/ will also be better for security researchers interested in Apple's Bug Bounty. They will not need to keep vulnerabilities on hand so that they have access they need for their research. More vulnerabilities might get reported to Apple right away.
9/ Needless to say, jailbreaking is not dead. Not anymore. Not today, not tomorrow, not anytime in the next few years. What a time to be alive. It is a tethered bootrom exploit, but it should be possible to make a cable or a dongle that jailbreaks your device without a computer.
