checkm8 — Bootrom Exploit
checkm8 is a bootrom exploit: a memory-safety bug in the SecureROM (bootrom) of Apple's A5 through A11 chips. The exploit is permanent. Apple cannot patch it, because the bootrom is burned into the silicon at manufacturing time and is never updated afterwards.
Overview
| Field | Detail |
|---|---|
| CVE | CVE-2019-8900 |
| Discoverer | axi0mX |
| Disclosed | September 2019 |
| Affected | A5 (iPhone 4S) → A11 (iPhone 8 / iPhone X) |
| Type | Use-after-free in the USB DFU stack |
| Permanence | Permanent — cannot be patched |
| Used by | ipwndfu (axi0mX's release), checkra1n, palera1n |
SecureROM (Bootrom)
Boot chain:
SecureROM (bootrom) → iBoot Stage 1 (LLB) → iBoot Stage 2 (iBoot) → Kernel (XNU)
SecureROM:
- First code executed when device powers on
- Burned into silicon at factory (read-only)
- Verifies signature of iBoot before loading
- Contains USB DFU (Device Firmware Upgrade) mode
- A very small code base (far smaller than iBoot, well under a megabyte), so a small attack surface; the USB DFU stack is the main externally reachable code
Vulnerability
USB DFU Mode
DFU mode allows firmware to be restored over USB. Protocol:
1. Host sends firmware data in USB transfers
2. Device receives data into buffer
3. Device verifies and applies firmware
The Bug
USB request lifecycle in DFU:
1. Setup phase: allocate I/O request buffer
2. Data phase: receive data into buffer
3. Status phase: complete request, process data
Dangling pointer on USB reset:
1. Host starts a DFU download → the device allocates the I/O request buffer
2. Host sends data → the device receives it into the buffer
3. Host issues a USB reset while the transfer is still in flight
   → the device frees the I/O request buffer
4. But the USB stack's global state still holds a pointer to the freed buffer
   → when DFU restarts, the next allocation of that size reuses the freed memory, and the stale pointer now refers to attacker-controlled bytes
   → Use-After-Free!
Trigger sequence:
USB_CTRL_REQUEST → allocate buffer
USB_DATA → fill buffer with controlled data
USB_RESET → free buffer (but pointer persists)
USB_CTRL_REQUEST → reuse freed buffer → exploit!
Exploitation
1. Trigger the UAF so the freed buffer is reallocated and filled with attacker-controlled data. In practice the heap must first be groomed so that the reallocation lands exactly where the stale pointer points; the public exploit does this with a series of stalled and zero-length USB transfers before the reset.
2. Overwrite the callback (function pointer) stored in the USB I/O request structure
3. On the next USB operation the stack invokes the overwritten pointer → code execution in SecureROM context
4. SecureROM runs at the highest privilege, before any other software has loaded
→ Full device control
→ Secure Boot chain bypassed: the signature check on iBoot is patched out in memory
→ Load a patched iBoot → patched kernel
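The dangling-pointer sequence and the callback overwrite described above, as an added example (this is not SecureROM, ipwndfu or checkra1n code): a toy C model with a hypothetical fixed-slot allocator, a `usb_io_request_t` carrying a completion callback, and a USB reset that frees the request without clearing the USB stack's pointer. The hardened variant clears the pointer on reset and refuses to complete a request that no longer exists. Every name and the sample host bytes are invented for the illustration.

```c
/* Toy model of the checkm8 bug class (added example, not SecureROM code):
 * the USB stack keeps a global pointer to a DFU I/O request, a USB reset
 * frees the request without clearing that pointer, and the next same-size
 * allocation (host-controlled bytes) lands in the freed slot. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 64
#define NSLOTS 8

/* Hypothetical toy heap: fixed slots with a LIFO free list, so the most
 * recently freed slot is returned by the very next allocation. The real
 * exploit has to arrange this reuse with heap grooming. */
static uint8_t heap[NSLOTS][SLOT_SIZE];
static int free_list[NSLOTS];
static int nfree;

static void heap_init(void) {
    nfree = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_list[nfree++] = i;
}
static void *toy_alloc(void) { return nfree ? heap[free_list[--nfree]] : NULL; }
static void toy_free(void *p) {
    free_list[nfree++] = (int)(((uint8_t *)p - heap[0]) / SLOT_SIZE);
}

typedef void (*io_callback_t)(void);

/* The I/O request: transfer data followed by the callback the USB stack
 * invokes when the status phase completes. sizeof == SLOT_SIZE. */
typedef struct {
    uint8_t data[SLOT_SIZE - sizeof(io_callback_t)];
    io_callback_t on_complete;
} usb_io_request_t;

static usb_io_request_t *io_request;   /* the USB stack's global pointer */
static int last_callback;              /* 0 = benign handler ran, 1 = payload ran */

static void dfu_complete_handler(void) { last_callback = 0; }
static void attacker_payload(void)     { last_callback = 1; }

/* Setup phase: allocate the request and install the legitimate callback. */
static void usb_setup(void) {
    io_request = toy_alloc();
    memset(io_request, 0, SLOT_SIZE);
    io_request->on_complete = dfu_complete_handler;
}

/* Data phase: bounded copy of host bytes into the request's data area. */
static void usb_data(const uint8_t *host, size_t len) {
    if (len > sizeof io_request->data) len = sizeof io_request->data;
    memcpy(io_request->data, host, len);
}

/* USB reset with a transfer in flight. The vulnerable path frees the request
 * but leaves the global pointer dangling; the hardened path clears it. */
static void usb_reset(int hardened) {
    toy_free(io_request);
    if (hardened) io_request = NULL;
}

/* Status phase through the (possibly stale) pointer. -1 = nothing pending. */
static int usb_complete(void) {
    if (io_request == NULL) return -1;
    io_request->on_complete();
    return last_callback;
}

/* Whole sequence. Returns 1 if the attacker's callback ran via the stale
 * pointer, 0 if the benign handler ran, -1 if the hardened reset left
 * nothing to complete. */
int run_scenario(int hardened) {
    static const uint8_t host[] = {0x01, 0x02, 0x03, 0x04}; /* constructed sample */
    heap_init();
    last_callback = -1;
    usb_setup();
    usb_data(host, sizeof host);
    usb_reset(hardened);

    /* Host restarts DFU: the new buffer reuses the freed slot. Its bytes are
     * copied as raw data, but they overlay the old request's callback field. */
    uint8_t *newbuf = toy_alloc();
    uint8_t payload[SLOT_SIZE];
    memset(payload, 0x41, sizeof payload);
    io_callback_t fp = attacker_payload;
    memcpy(payload + offsetof(usb_io_request_t, on_complete), &fp, sizeof fp);
    memcpy(newbuf, payload, SLOT_SIZE);

    return usb_complete();
}

int main(void) {
    printf("vulnerable: %d (1 = attacker callback ran)\n", run_scenario(0));
    printf("hardened:   %d (-1 = stale request rejected)\n", run_scenario(1));
    return 0;
}
```

Build with any C compiler and run: `run_scenario(0)` returns 1 because the stale `io_request` pointer now points at host-controlled bytes and the overwritten callback is invoked; `run_scenario(1)` returns -1 because clearing the pointer on reset leaves nothing to complete. The toy LIFO free list makes the reuse happen on the very next allocation so the effect is reproducible; on the real device that reuse is what the heap-grooming step of the exploit has to arrange.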
checkra1n / palera1n
checkra1n
- Semi-tethered jailbreak built on checkm8
- Supports iOS 12 through 14 (up to 14.8.1); iOS 15 and later were never covered by a stable release, palera1n took over there
- Requires a computer connection at every boot to re-run the exploit; without it the device simply boots stock iOS, unjailbroken
- Patches the kernel at boot time, before it runs, so no runtime software mitigation is in play
palera1n
- Built on checkm8 and pongoOS (the checkra1n team's pre-boot environment)
- Supports iOS 15 and later (iOS 15 to 17 at the time of writing) on checkm8-vulnerable devices
- Rootless mode (iOS 15+)
- Active development community
Workflow
1. Device enters DFU mode (hardware button combo)
2. checkra1n/palera1n sends checkm8 exploit via USB
3. Code execution in SecureROM → the payload patches out the iBoot signature check and boots an iBoot that loads pongoOS
4. pongoOS patches the kernelcache in memory and boots it
5. Patched kernel → jailbreak environment
6. Install Sileo/Zebra + tweaks
Why It Matters
- Unfixable: any device with an A5 through A11 chip stays jailbreakable for its whole lifetime
- Pre-boot execution: code runs before any other software, so every software-level mitigation can be bypassed
- Research platform: enables kernel debugging and custom kernelcaches
- Learning tool: the best way to learn iOS internals, because you have full control of the boot chain
Limitations
- Tethered/semi-tethered: a computer is needed at every boot (or after every reboot)
- A5 through A11 only: the iPhone 8 / iPhone X (A11) are the newest affected devices
- USB access required: physical access to the device in DFU mode; it cannot be triggered remotely
- Does not apply to A12 and later (Apple fixed the bootrom in those chips)