Checkm8 jailbreak exploit is a hardware vulnerability in BootRom (a.k.a. SecureROM) of iPhones. This is unfixable by any iOS update, so it is called as unpatchable permanent jailbreak. Read for Full Checkm8 Jailbreak exploit guide.

checkm8 jailbreak
checkm8 jailbreak

This was founded by axi0mX and announced by his Twitter providing some more information about the exploit. Basic steps of the checkm8 exploit are mentioned below.

Furthermore, this exploit does work on iPhone chips of A4 – A11 despite the iOS version. Not only iPhones can be affected but the iWatch, Apple TV are also affected by this vulnerability.

So basically this is A4 – A11 Jailbreak. But A12 and A13 jailbreak are not yet covered by the exploit. A4 – A11 jailbreak means the iPhone 4S to iPhone 8 and iPhone X Jailbreak.

Checkra1n jailbreak
checkra1n jailbreak

axi0mX’s findings are based on his own and littlelailo’s. So by summarising all the findings together, below brief description has been made. This is the main technical introduction of how checkm8 jailbreak works. 

Note: The information is shortened for a better understanding of the majority of the users. 

Checkm8 Jailbreak process

  1. Heap feng-shui – This stage is necessary for arranging the heap in a way that is beneficial for the exploitation of use-after-free

2. Allocation and freeing of the IO buffer without clearing the global state

At this stage, an incomplete OUT request for uploading the image is created. While a global state is initialized, and the address of the buffer in the heap is written to the io_buffer. Then, DFU is reset with a DFU_CLR_STATUS request, and a new iteration of DFU begins.

3. Overwriting usb_device_io_request in the heap with use-after-free

a usb_device_io_request type object is allocated in the heap, and it is overflown with t8010_overwrite, whose content was defined at the first stage.

4. Placing the payload

At this stage, every following packet is put into the memory area allocated for the image. 

A Payload looks like this.

Payload of checkm8 jailbreak
Payload of checkm8 jailbreak

5. Execution of callback-chain

After USB reset, the loop of canceling incomplete usb_device_io_request in the queue by going through a linked list is started

6. Execution of shellcode

So this is the summary of the checkm8 jailbreak exploit. The vulnerability is not fully described here but the steps are mentioned clearly.  There is a jailbreak tool developed based on this vulnerability called checkra1n jailbreak. Public tool of Checkra1n Jailbreak is not yet released and we will bring you the tool as soon as it was released from the developers’ end. Still, the release date of Checkra1n jailbreak has not been announced. So this is the current Checkra1n jailbreak status.

Checkm8 and Checkra1n jailbreak tool

This checkra1n Jailbreak is compatible with iOS 13.5.1 and said to be compatible with iOS 13.6 jailbreak also in near future. Checkm8 exploit and Checkra1n Jailbreak tools will play a huge role in the jailbreak community with a revolutionized change in jailbreak history.

You may download Checkra1n jailbreak from here once the public tool arrived.

Checkm8 Cydia or Sileo is the other topic users tend to read. We will bring another article about the Checkm8 Jailbreak package manager. “Will checkm8 come along with Cydia?”.

Special thanks go to : 

  1. ipwndfu jailbreak  gui 
  2. littlelailo, apollo.txt
  3. Habr.com – a1exdandy
  4. taig9.com