BootRom Exploit

On September 29 2019, the ‘chkm8’ bootrom exploit for iPhones 4 up until iPhone X, was released to the public on github. All up to date information will be published here as I learn it.

The Checkm8 BootRom Exploit | The iPhone Data Recovery Dreamhack | Don't Worry about JAILBREAKS

What’s the difference between this & jailbreaking?

Jailbreak software uses discovered exploits. But we haven’t seen a hardware level exploit like this in a long long time. I would estimate about about a week or two before we see any Jailbreak made from this. But at this point there’s not much anyone can do with the exploit until someone develops a jailbreak and ramdisks for us to use.

What is Bootrom?

The bootrom (called “SecureROM” by Apple) is the first significant code that runs on an iDevice. The bootrom is read-only. Finding exploits in the bootrom level is a big achievement since Apple won’t be able to fix it without a hardware revision. UnSecureROM?

Can Apple fix this? Or patch it?

This is unpatchable. The bootRom is read only. You cannot write to it. A software update pushed out to devices only touches the NAND. Apple can change all kinds of things on a NAND level, but this executes before the NAND is touched. So not only can Apple do nothing about us executing things in the bootrom, they cant even tell we have, unless we make permanent changes to the NAND

In theory, they can do something on the iPhone 8-X. They can change the way a device enters DFU, or they can make the device go into iBSS DFU, instead of SecureROM DFU. That might stop some, but it doesn’t change the fact that someone like us can just inject 1.8V into FORCE_DFU and enter SecureROM DFU by force

George Hotz – Creator of the LimeRain Jailbreak takes a look at “chkm8”

George Hotz | Programming | Exploring checkm8: a brand new iOS bootrom exploit by axi0mX

Using the exploit for Data Recovery

This is really the main benefit of the exploit for most of us in the repair community.

Considering this exploit is used before the NAND is even accessed its look like the way this is going to work, is that you don’t technically remove the passcode from the device. You mount another ramdisk image and dual boot it to a seperate ‘iOS/RAMDISK, then just mount the user data partition

Credit: “Justin Ashford – Art of Repair” “Ben Duffy” “Ben Nash”

Developer of Checkm8 explains why iDevice jailbreak exploit is a game changer

Credit: Arstechnica

I wanted to learn how Checkm8 will shape the iPhone experience—particularly as it relates to security—so I spoke at length with axi0mX on Friday. Thomas Reed, director of Mac offerings at security firm Malwarebytes, joined me. The takeaways from the long-ranging interview are:

  • Checkm8 requires physical access to the phone. It can’t be remotely executed, even if combined with other exploits
  • The exploit allows only tethered jailbreaks, meaning it lacks persistence. The exploit must be run each time an iDevice boots.
  • Checkm8 doesn’t bypass the protections offered by the Secure Enclave and Touch ID.
  • All of the above means people will be able to use Checkm8 to install malware only under very limited circumstances. The above also means that Checkm8 is unlikely to make it easier for people who find, steal or confiscate a vulnerable iPhone, but don’t have the unlock PIN, to access the data stored on it.
  • Checkm8 is going to benefit researchers, hobbyists, and hackers by providing a way not seen in almost a decade to access the lowest levels of iDevices.

Read on to find out, in axi0mX’s own words, why he believes this is the case:

Dan Goodin (Ars): Can we start with the broad details? Can you describe at a high level what Checkm8 is, or what it is not?

axi0mX: It is an exploit, and that means it can get around the protection that Apple built into the bootrom of most recent iPhones and iPads. It can compromise it so that you can execute any code at the bootrom level that you want. That is something that used to be common years ago, during the days of the first iPhone and iPhone 3G and iPhone 4. There were bootrom exploits [then] so that people could jailbreak their phone through the bootrom and that later would not be possible.

The last bootrom exploit that was released was for iPhone 4 back in 2010, I believe by Geohot. After that, it was not possible to exploit an iPhone at this level. All the jailbreaks [that] were done later on [happened] once the operating system boots. The reason that bootrom is special is it’s part of the chip that Apple made for the phone. So whatever code is put there in the factory is going to be there for the rest of its life. So if there is any vulnerability inside the bootrom, it cannot be patched.

Persistence and Secure Enclave

Dan Goodin (Ars): When we talk about things that aren’t patchable, we’re talking about the bug. What about the change to the device itself? Is that permanent, or once the phone is rebooted, does it go back to its original state?

axi0mX: This exploit works only in memory, so it doesn’t have anything that persists after reboot. Once you reboot the phone… then your phone is back to an unexploited state. That doesn’t mean that you can’t do other things because you have full control of the device that would modify things. But the exploit itself does not actually perform any changes. It’s all until you reboot the device.

Dan Goodin (Ars): In a scenario where either police or a thief obtains a vulnerable phone but doesn’t have an unlock PIN, are they going to be helped in any way by this exploit? Does this exploit allow them to access parts of this phone or do things with this phone that they couldn’t otherwise do?

axi0mX: The answer is “It depends.” Before Apple introduced the Secure Enclave and Touch ID in 2013, you didn’t have advanced security protections. So, for example, the [San Bernardino gun man’s] phone that was famously unlocked [by the FBI]—the iPhone 5c— that didn’t have Secure Enclave. So in that case, this vulnerability would allow you to very quickly get the PIN and get access to all the data. But for pretty much all current phones, from iPhone 6 to iPhone 8, there is a Secure Enclave that protects your data if you don’t have the PIN.

My exploit does not affect the Secure Enclave at all. It only allows you to get code execution on the device. It doesn’t help you boot towards the PIN because that is protected by a separate system. But for older devices, which have been deprecated for a while now, for those devices like the iPhone 5, there is not a separate system, so in that case you could be able to [access data] quickly [without an unlock PIN].

Dan Goodin (Ars): So this exploit isn’t going to be of much benefit to a person who has that device [with Secure Enclave] but does not have the PIN, right?

axi0mX: If by benefit you mean accessing your data, then yes, that is correct. But it’s still possible they might have other goals than accessing your data, and in that case, it’s possible they would get some benefit.

Dan Goodin (Ars): Are you talking about creating some sort of backdoor that once the owner puts in a PIN it would get sent to the attacker, or a scenario like that?

axi0mX: If, say, for example, you leave your phone in a hotel room, it’s possible that someone did something to your phone that causes it to send all of the information to some bad actor’s computer.

Dan Goodin (Ars): And that would happen after the legitimate owner returned and entered their PIN?

axi0mX: Yes, but that’s not really a scenario that I would worry much about, because attackers at that level… would be more likely to get you to go to a bad webpage or connect to a bad Wi-Fi hotspot in a remote exploit scenario. Attackers don’t like to be close. They want to be in the distance and hidden.

In this case [involving Checkm8], they would have to physically hold your device in their hand and would have to connect a cable to it. It requires access that most attackers would like to avoid.

This attack does not work remotely

Dan Goodin (Ars): How likely or feasible is it for an attacker to chain Checkm8 to some other exploit to devise remote attacks?

axi0mX: It’s impossible. This attack does not work remotely. You have to have a cable connected to your device and put your device into DFU mode, and that requires you to hold buttons for a couple seconds in a correct way. It’s something that most people have never used. There is no feasible scenario where someone would be able to use this attack remotely.

If you want to talk [about] really hypothetical situations, if you’re a jailbreaker and you’re trying to use your exploit on your own computer and somehow your computer is compromised, it’s possible someone on your computer is going to deliver a different version of the exploit that does more stuff than what you want to do. But that is not a scenario that’s going to apply to most people. That is a scenario that is simply not practical.

Thomas Reed (Malwarebytes): Does the bootrom code that’s loaded into RAM get modified by the exploit, or is that not a requirement? Through this vulnerability, would you need to make modifications to the bootrom code that’s loaded into RAM, or would that not be a factor? Would that not be involved in the way the exploit works? I’m under the assumption that some of the code from the bootrom is loaded into RAM when it’s executed. Maybe I’m wrong about that.

axi0mX: The correct answer is that it’s complicated. The code that is used by the bootrom is all in read-only memory. It doesn’t need to get copied in order for it to be used. In order for my device to be able to do what I want, I want to also inject some custom code. In that case, I can’t write my code into the read-only memory, so my only option is to write it into RAM or, in this case, SRAM—which is the low-level memory that is used by the bootrom—and then have my injected code live in this small space. But the actual bootrom code itself does not get copied in there. It’s only the things that I added to my exploit.

Thomas Reed (Malwarebytes): Can this be used to install any other code, any other programs that you wanted, with root-level permissions, so that you could install malware through this?

axi0mX: The correct answer is “It depends.” When you decide to jailbreak your phone using this exploit, you can customize what Apple is doing. Apple has some advanced protections. A lot of their system is set up so that you don’t have malware running. If you decide to jailbreak, you’re going to get rid of some of the protections. Some people might make a jailbreak that keeps a lot of those protections, but it also allows you to remove protections. Other people might remove all protections altogether.

The jailbreak that you can make with this exploit always requires you to exploit the device fresh after reboot. So if you don’t use the exploit, your device will only boot to a clean install [version] of iOS. It’s not like you can install malware once and then have it stay forever if you’re not using the exploit because iOS has protections against that.

More about persistence

Dan Goodin (Ars): Somebody could use Checkm8 to install a keylogger on a fully up-to-date iOS device, but the second that they rebooted the phone, that keylogger would be gone, right?

axi0mX: Correct. Or it wouldn’t work. They left the keylogger there, but iOS would just say: “This app is not authorized to run on this phone, so I’m not going to run it.”

iOS devices have what’s called a secure bootchain. Starting from the bootrom, every single step is checked by the previous stage so that it is trusted. It always has a signature verified so that the phone only allows you to run software that is meant to be running. If you choose to break that chain of trust and run software that you want to run, then exactly what you do will determine what else can happen. If you choose to not break the chain of trust and you simply use your phone the way that Apple wants you to use it, without jailbreaking it, then this chain of trust is secure. So malware will not be able to get around it the next time you boot your phone, because you are relying on the chain of trust.

You cannot actually persist using this exploit. The only way that you can break the chain of trust is if you manually do it every boot. So you have to be in DFU mode when you boot, and then you have to connect a cable to your phone, and then you have to run the exploit in order to jailbreak your phone. At that point you can do whatever you want. But in no case will that be the case if you… just boot normally. In that sense, it is not persistent.

FURTHER READING

Cellebrite can unlock any iPhone (for some values of “any”)Thomas Reed (Malwarebytes): In the case of a company like Cellebrite or Greyshift getting your device and they want to capture data from it, as I understand it if you don’t have the key—which you wouldn’t because it’s in the Secure Enclave—a lot of the data is going to be encrypted, and it’s not going to be accessible. It sounds like Checkm8 really wouldn’t be of much use to them. Is that correct, or would there be some things that they could do with it?

axi0mX: As a standalone exploit, the answer is “No, they can’t do much with it.” But it’s possible, perhaps likely, that they would use more than one exploit—they have an exploit chain—in order to do what they want to do. And in that case, they could use this one instead of another one that they have because maybe it’s faster, maybe they don’t have to worry about protecting it. So it’s possible that this could serve as a step that they take in order to crack the PIN code.

This does not give them anything that would directly be able to guess the PIN code without other exploits. I don’t know what they have. It’s possible that they just have one thing that they use, and in that case, they probably would not use this in any way. But it’s also possible that this could replace one of the bugs that they use in order to do whatever they’re doing.

Thomas Reed (Malwarebytes): I think the appeal of that would be that it’s something that Apple can’t patch. If they had an exploit chain that would give them access to a lot of devices.

Dan Goodin (Ars): So this is more of an incremental development [for Cellebrite and Grayshift] as opposed to a game changer?

axi0mX: I don’t think that they can do anything today with Checkm8 that they couldn’t do yesterday [without Checkm8]. It’s just that yesterday maybe they would do it a slightly different way. I don’t think they gain anything from this release.

Dan Goodin (Ars): What is it about the newer chipsets that prevents Checkm8 from working? Is it possible someone could tweak Checkm8 to make it work on these newer chipsets?

axi0mX: I think it’s unlikely. There were changes to make [newer chipsets] not exploitable. All I know is I can’t get it to work. For me, it’s not something that I can do. What I do involves using multiple bugs. Some that are not serious might be required to access other bugs that are more serious. Because Apple patched some bugs in the newer phones, it can no longer be exploited as far as I know.

Dan Goodin (Ars): So you don’t see much chance that somebody is going to chain Checkm8 to something else and be able to achieve the same result with newer iPhones?

axi0mX: I can’t say it’s impossible, and there are some really good hackers out there. It’s always possible. I think it’s unlikely. I know I couldn’t do it. The chance is always there, but I think it’s very unlikely.

A jailbreaking renaissance

axi0mX: If you have a few minutes, I have more things that you may find interesting:

Apple has been making jailbreaks very difficult. Things were much better a couple years ago. Before about 2016 there were regular jailbreaks that worked well and a lot of people could jailbreak your phone. That changed with iOS 9, and jailbreaks no longer had persistence, and they were not even reliable. So you would have to try a couple of steps before the jailbreak worked. Jailbreaking became inaccessible to people because you couldn’t get a phone, even an older phone, and jailbreak it, and customize it, and make software that changes things about the phone. People were saying “jailbreaking is dead” because it’s not what it used to be.

Now, the reason [Checkm8] is so great for iOS jailbreakers is people will be able to just get an iPhone X and then be able to jailbreak it on any [iOS] version. That is great because that means anyone can decide to jailbreak and sit down at their computer, connect their phone, and be jailbroken in not much time.

Now, what I released today doesn’t allow you to jailbreak your phone completely with Cydia and other things you would expect from a jailbreak, but that will come soon. And you will be able to jailbreak your phone pretty much anytime you want and on the latest version. And that latest version part is also important, because in the past when people were jailbreaking phones, they had to stay on an older version of the operating system in order for it to have the vulnerabilities that they were using to jailbreak.

Fun and safe

axi0mX: But now, with this technique, you will be able to use the latest version of iOS and still jailbreak your phone because you can run any version of iOS you want, so you can always have the latest security patches. You don’t have to stay on an older version that has security vulnerabilities just so you can jailbreak, and you won’t have to wait until a jailbreak is available. This is going to make jailbreaking a lot more accessible and a lot safer for everyone. That is one of the reasons I am very excited about this work.

A small group of people enjoy jailbreaking, and they do it for fun because they like to tinker with their phone, or change the way it looks, or hack it. But there’s another group of people where, say, there’s an incident where you believe your email was hacked and you want to find out what happened. In that case you want to be able to look at the storage on your phone and see what kind of artifact do you get, and what kind of log files, and analyze what’s there to see if you can identify what happened. And if you were, say, the victim of an attempted hack, or maybe if the hack was successful, in order to get this forensic copy you need to be able to access the storage on a low level that’s not possible unless you jailbreak your phone.

In the past couple years, you couldn’t just jailbreak the phone on the latest version of iOS if you needed to for any reason. You would have to let the phone sit until it was finally jailbreakable and only then would you be able to do it. That changes now. If you need to see what’s happening on your phone, you can just jailbreak it one time with Checkm8 and then get a full forensic copy of your data and your log files and history. That’s one scenario.

Monitoring in real time

axi0mX: The other scenario is sometimes people want to look for attackers or things happening in real time. Say you go to a website [and] your phone will send traffic to various webservers and various webservers will send back files. If you are doing tracking in real time, you can see what’s happening. If you want to, say, explore what happens when your phone goes to a website, you can’t do that if you don’t have a jailbreak because Apple doesn’t give you the specific permissions that you need to see things happening at such a low level on your phone.

Now, anytime you want, you will be able to jailbreak your phone, either one time or every single time, you will be able to analyze what’s happening in real time. Say you have traffic that is connecting to your phone from some country you don’t think should be connecting, like Russia, then you would know that something is happening right away. And you would be able to see it and block it. For people who do research… it was impossible to do that on iOS. You would need to have your own custom jailbreak, or you would have to have an old version of iOS, or you would have to wait until a jailbreak is available.

The things I just mentioned are things that I’m quite excited about, because the iOS jailbreak community is great and they’re going to benefit from this. It’s also going to help people who want to research either the security of iOS or the security of apps they’re using. All of that is going to benefit for the next couple of years.