Here I got the biggest news for the jailbreak community; it’s about checkm8 (checkmate) exploit that is a bootrom exploit from iPhone 4s (A5 chip) to up to iPhone X (A11 chip). Checkm8 BootROM exploit the most significant exploit that has ever been released in the jailbreak, and Apple can never patch this for these devices, and these devices will be jailbreabale forever.
Because, unlike the OS based exploits, which lead to the latest jailbreak, the BootROM exploit doesn’t get blown away when apple pushed the next software update. This means the jailbreak community can relax and enjoy the jailbreak on any iOS version as long as they are using checkm8 jailbreak exploit affected devices.
No matter what iOS version you’re on, you can jailbreak your devices, and whatever Apple releases to try to patch it, it won’t be patched by Apple.
You can even downgrade dual boot as well as load Android if you need it. Axi0mX released this checkm8 bootrom exploit; the tweet is below. The link to the unpatchable exploit.
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). https://t.co/dQJtXb78sG
— axi0mX 🌧️📲 (@axi0mX) September 27, 2019
Checkm8 is the bootrom level security exploit that can be used on every iPhone from A5 to A11 chip iPhones and iPads.
What is a BootROM Exploit?
A BootROM exploit is something that targets a bug in the BootROM. It's completely different from the bugs targeted at the operating system level; its something is targeting at the hardware level. OS level exploits are patchable, and every time the new firmware update comes, many bugs are patched. But he BootROM exploit cannot be patched by Apple because it's hardware-based, and it's in the ROM. The devices with BootROM exploits stay exploited. This means, every Apple device from A5 to A11 chip that is exploited to Checkm8 BootROM exploit will remain exploited forever, and there are a ton of things that can be done through it.
What is Checkm8 BootROM Exploit?
Checkm8 BootROM exploit is not persistent, and it is used to run code into BootROM that only lasts until the device is rebooted. After that, it goes back to normal. After the reboot, you need to rerun the exploit process to rerun the unsigned code into your device's ROM.
check out ios Cydia tweaks list
As this bug supports A5 to A11 iOS devices, unfortunately, A12 and A13 chip devices aren’t supported because Apple patched checkm8 bug on iPhone XS, iPhone XS Max, and iPhone XR.
Supported Devices For Checkm8 Bootrom Exploit
- iPhone 4s
- iPhone 5
- iPhone 5s
- iPhone 6
- iPhone 6s Plus
- iPhone 7
- iPhone 8
- iPhone X
- iPad 2 – iPad 7
- iPad Mini 1 – iPad Mini 4
- iPad Pro 1 & iPad Pro 2
- Apple TV 3 – Apple TV 4k
- iPod Touch 5 – iPod Touch 7
Devices Not Affected By Checkm8 BootROM Exploit
Checkm8 doesn’t work on A12 and up devices; those devices are below.
- iPhone XR
- iPhone XS
- iPhone XS Max
- iPhone 11
- iPhone 11 Pro
- iPhone 11 Pro Max
- iPad Air 3 (2019)
- iPad Mini 5 (2019)
- iPad Pro 3 (2018)
- And Any Newer Apple Device
This is the biggest ever release in jailbreak history; even you can downgrade iOS to any unsigned iOS version through checkm8 bug. Apart from that, it allows you to do anything you want, including the jailbreak for the latest iOS version available when the jailbreak for these newer versions is updated by developers, like unc0ver jailbreak and chimera jailbreak.
Check how to jailbreak with chimera jailbreak
The latest iOS version in iOS 13.x.x that means nothing because checkm8 bootrom exploit. That means it exploits at the lowest level possible on the device. The bootrom loads the entire boot chain, which makes a phone to power on.
Here is checkm8 windows jailbreak with checkra1n ra1nstorm.
We usually target iOS kernel while we jailbreak through unc0ver, it’s a higher level than bootrom. And that’s what we can target for jailbreak because we have no access to the lower level. But with a checkm8 bug, we have access to almost anything.
Below is the list of tasks this checkm8 bootrom exploit can do.
Checkm8 Bootrom Exploit Capabilities
- Downgrade tethered without SHSH2 blobs
- Verbose Boot / Custom Logo
- Jailbreak tethered the latest iOS
- CFW iCloud Bypass
- DualBoot iOS
- Install another OS like Android, Windows ARM
- Security Research
- Fix boot loop issues via SHH Ramdisk
With this bug release, we are about to experience a golden age again for jailbreaking. Its checkm8 is not depending on the iOS version; it’s in the chips in the iPhones. Therefore whatever Apple releases to patch it, it won’t be able to patch the bug. This bug had brought back the good old days back when everybody was able to do anything on the device by having full control over custom firmware. You can run even the Android OS through this checkm8 bug.
How To Use CheckM8 BootROM Exploit For CFW / Jailbreak (Pwned DFU Mode)
Here in this section, I am showing you how you can use it to put your device in exploited mode using Mac. This unfortunately currently available for Mac and Linux users, so you need to have a macOS/Linux to be able to use this exploit. Because it requires the device to be connected with a computer because it is tethered exploit (mentioned above in important note).
- Step 1:
Go onto this GitHub repo and download the zip file of checkm8 exploit. After it’s downloaded, extract it.
- Step 2:
Open the terminal, type CD and add space, after that drag and drop the extracted folder of the exploit on the terminal.
Here is checkm8 iCloud bypass tutorial to bypass the activation lock.
- Step 3:
Now before doing anything else, put your device into DFU mode. There are two ways to put your device into DFU mode based on device versions. Follow either one below.
iPhone 4S to iPhone 6S DFU Mode
- Press and hold the power button and home button.
- Wait until the screen turns black (phone shuts down).
- Now, wait 3-4 more seconds then release the power button only.
- Keep pressing the home button for ten more seconds.
- At this stage, the screen should be black, but iTunes will detect your phone in recovery mode. At this time, there won’t be any PC or iTunes logo on your phone’s screen. If you see any of the logos, you’re in the recovery mode, not in the DFU mode, in that case, you need to do these steps again.
Checkout the checkm8 jailbreak checkra1n
iPhone 7 or newer versions / iPod touch 7th gen
- Press and hold the power button and volume down button.
- Wait until the screen turns black (phone shuts down).
- Now, wait 3-4 more seconds then release the power button only.
- Keep pressing the volume down button for ten more seconds.
- At this stage, the screen should be black, but iTunes will detect your phone in recovery mode. At this time, there won’t be any PC or iTunes logo on your phone’s screen. If you see any of the logos, you’re in the recovery mode, not in the DFU mode, in that case, you need to do these steps again.
- Step 4:
when your device is in DFU mode, go back to the terminal and type this and press enter. There are chances that it shows that it’s failed, but you need to write the same command again and again until it succeeds. When it is successfully down, it will show you the message that the device is now in pwned DFU mode.
After your device is in Pwned DFU mode, you can use it to send custom boot chains or a modified one. The usages are unlimited, but keep in mind that your phone won’t be showing anything on its screen; it remains black all the time.
This is how you can put your device at pwned DFU mode.
