Checkm8 is an exploit (a program that takes advantage of an OS or hardware vulnerability) aimed at obtaining execution of its own code at the earliest stage of the iOS device boot process.
What makes it stand out?
The significance, and frankly the hype, surrounding Checkm8 is that the vulnerability it is based on cannot be patched by software (an update or a change), because it is part of the code held in the chip's read-only memory, which is fixed when the chip is manufactured and cannot be rewritten. This means that all iOS devices affected by this vulnerability will remain vulnerable forever, regardless of the iOS version.
What can be done with it?
- Obtain a semi-tethered jailbreak of any vulnerable device regardless of its iOS version.
- Load customized iOS builds (note that a jailbreak also customizes iOS in order to obtain root access to the file system and execute unsigned code).
- Extract all device data (the screen lock passcode must be entered) or the subset of data that does not depend on the passcode (BFU, Before First Unlock).
- Install previous iOS versions (note that user data is lost in the process).
- Theoretically, install and run Linux or Android on the iOS device.
- Obtain access to the processor's debug mode.
What are the limitations?
The exploit runs only in RAM (Random Access Memory). This means that after the device is switched off or restarted it boots in normal mode, and the investigator has to run checkm8 again.
Checkm8 cannot be used to bypass the passcode or to crack it quickly, since the processing of the passcode and biometric data, and the data encryption derived from them, are performed inside the Secure Enclave Processor, to which checkm8 has no access.
List of supported devices
Devices prone to the vulnerability:
- All devices based on the processors s5l8940x (A5), s5l8942x (A5 Rev A), s5l8945x (A5X), s5l8947x (A5 Rev B), s5l8950x (A6), s5l8955x (A6X), s5l8960x (A7), t8002 (including S1P and S2), t8004 (S3), t8010 (A10), t8011 (A10), t8015 (A11), s5l8747x (Haywire video adapter processor), t7000 (A8), t7001 (A8X), s7002 (S1), s8000 (A9), s8001 (A9X), s8003 (A9) and t8012 (used in the iMac Pro);
- All iPhones from iPhone 4S to iPhone X;
- iPad 2, iPad (3rd generation), iPad (4th generation), iPad (5th generation), iPad (6th generation), iPad (7th generation);
- iPad Air and iPad Air 2;
- iPad Pro (12.9-inch), iPad Pro (9.7-inch), iPad Pro (12.9-inch) (2nd generation), iPad Pro (10.5-inch);
- iPad mini, iPad mini 2, iPad mini 3 and iPad mini 4;
- iPod touch (5th generation), iPod touch (6th generation), iPod touch (7th generation);
- Apple Watch Series 1, Apple Watch Series 2 and Apple Watch Series 3;
- Apple TV (3rd generation), Apple TV (4th generation) and Apple TV 4K.
Devices supported by checkm8 exploit:
- Currently the exploit is adapted for use on devices based on the processors s5l8947x, s5l8950x, s5l8955x, s5l8960x, t8002, t8004, t8010, t8011 and t8015.
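As an added example (not from the original page nor from the checkra1n project), the following Python script performs the eligibility triage an investigator wants before putting a device into DFU mode: it parses the USB serial string that a DFU-mode device reports (the "KEY:value" layout, with CPID carrying the chip id and a device already exploited by checkm8 reporting an extra PWND:[checkm8] field, is assumed here) and cross-checks the chip against the two lists above. The sample serial strings are constructed; their ECID and iBoot tags are placeholders.

```python
import re

# Chip identifiers exactly as listed on this page.
VULNERABLE_CHIPS = """s5l8940x s5l8942x s5l8945x s5l8947x s5l8950x s5l8955x s5l8960x
t8002 t8004 t8010 t8011 t8015 s5l8747x t7000 t7001 s7002 s8000 s8001 s8003 t8012""".split()
EXPLOIT_SUPPORTED_CHIPS = "s5l8947x s5l8950x s5l8955x s5l8960x t8002 t8004 t8010 t8011 t8015".split()


def cpid_from_chip_name(name: str) -> str:
    """Map a chip name such as 's5l8950x' or 't8010' to its 4-hex-digit CPID.
    Assumption: the CPID is the numeric part of the chip name (8950, 8010, ...)."""
    m = re.fullmatch(r"(?:s5l|[st])([0-9a-f]{4})x?", name.lower())
    if not m:
        raise ValueError(f"unrecognised chip name: {name}")
    return m.group(1)


VULNERABLE_CPIDS = {cpid_from_chip_name(c) for c in VULNERABLE_CHIPS}
SUPPORTED_CPIDS = {cpid_from_chip_name(c) for c in EXPLOIT_SUPPORTED_CHIPS}


def parse_dfu_serial(serial: str) -> dict:
    """Split a 'KEY:value KEY:value' DFU serial string into a dict.
    Bracketed values such as SRTG:[iBoot-...] and PWND:[checkm8] keep their brackets."""
    return {k: v for k, v in re.findall(r"([A-Z]+):(\[[^\]]*\]|\S+)", serial)}


def triage(serial: str) -> str:
    """Classify a DFU serial string against the page's vulnerable and supported chip lists."""
    fields = parse_dfu_serial(serial)
    cpid = fields.get("CPID", "").lower()
    if not cpid:
        return "unknown"                 # not a DFU serial string we understand
    if "PWND" in fields:
        return "already_pwned"           # checkm8 has already run; this state is lost on reboot
    if cpid in SUPPORTED_CPIDS:
        return "supported"               # vulnerable and the exploit is adapted for it
    if cpid in VULNERABLE_CPIDS:
        return "vulnerable_unsupported"  # vulnerable per the page, but exploit not adapted yet
    return "not_vulnerable"


# Constructed sample serial strings; ECID and iBoot tags are placeholders, not real devices.
SAMPLE_A10 = "CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:08 ECID:0000000000000000 IBFL:3C SRTG:[iBoot-XXXX.0.0.0.0]"
SAMPLE_A8 = "CPID:7000 CPRV:11 CPFM:03 SCEP:01 BDID:04 ECID:0000000000000000 IBFL:3C SRTG:[iBoot-XXXX.0.0.0.0]"
SAMPLE_A12 = "CPID:8020 CPRV:10 CPFM:03 SCEP:01 BDID:0E ECID:0000000000000000 IBFL:3C SRTG:[iBoot-XXXX.0.0.0.0]"

if __name__ == "__main__":
    for label, s in (("A10", SAMPLE_A10), ("A8", SAMPLE_A8), ("A12", SAMPLE_A12)):
        print(f"{label}: {triage(s)}")
```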
Checkra1n is a semi-tethered jailbreak based on the checkm8 exploit. In essence, the checkra1n developers gained execution of their own code at the first stage of the iOS boot process (the capability that checkm8 provides) and then modified the rest of the boot chain so that, once the device has booted, the investigator has root access to the file system and can execute any unsigned code.
Installation (on macOS)
- Download the macOS version from the official website.
- Open the downloaded .dmg file by double-clicking it.
- In the window that opens, drag the checkra1n icon to Applications.
Usage: GUI mode
To run checkra1n and install the jailbreak in GUI mode:
- Open the Applications folder on the Mac.
- Right-click the checkra1n icon and select Open from the context menu.
- Confirm by selecting Open in the dialog window that appears.
- If the application does not open, run it again by double-clicking it.
- Connect the device, wait until it has been detected and press Start.
- Click Next. The device will boot into recovery mode.
- Click Start and put the device into DFU mode, following the on-screen instructions.
- If the device does not enter DFU mode, click Retry to try again.
- Wait until the installation has finished.
- If the installation succeeded, the investigator can connect to SSH over USB on port 44.
- After the installation is complete, the checkra1n application is added to the device home screen. To install Cydia (an unofficial app store), run checkra1n, tap Cydia and install it.
Note: if the device has entered DFU mode and stopped responding (blank black screen), or scrolling log text has appeared on the device screen while the system core is being patched, press and hold the side button and the home button (or volume down) simultaneously until the device restarts.
Usage: CLI mode
To run checkra1n in console mode, launch the Terminal application on the Mac and enter the following commands:
The console version of checkra1n will launch. Connect the device in DFU mode and the jailbreak will be installed automatically.
NOTE: The commands should be entered after dragging checkra1n.app to the Applications folder on macOS.
GUI and CLI modes: what’s the difference?
- When running checkra1n in CLI mode, there is no check of the device model and iOS version.
- In our experience, all versions of checkra1n install on devices with iOS 13.2.3-13.3 in CLI mode.
Important differences between versions
- When installing checkra1n versions 0.9.6 and 0.9.7 on devices with iOS 13.2.3-13.3, the device is in USB restricted mode after the reboot until it is unlocked.
- USB restricted mode does not allow checkra1n to finish its installation, and the SSH connection will not work.
- A few times USB restricted mode switched on on devices with iOS 12.4 when installing checkra1n 0.9.7. Why this happens is still unknown.
- When installing earlier checkra1n versions (0.9 to 0.9.5), USB restricted mode does not switch on regardless of the iOS version. Thus those checkra1n versions can be installed on devices without unlocking them and used to obtain an SSH connection.
To remove the obvious traces of using checkra1n:
If Cydia was not installed, restarting the device is enough.
If Cydia was installed:
1. Open the checkra1n app on the device and press Restore System. The device's original file system will be restored.
2. Technically the jailbreak has now been erased from the phone, but the Cydia app is still present.
3. Install checkra1n again without installing the Cydia app.
4. Connect the iPhone to the computer, open a Terminal window and run the following command:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
5. Then use this command:
brew install libimobiledevice
6. Open a new Terminal window and run:
iproxy 2222 44
7. Leave that Terminal window open. Press Cmd+T to open a new tab and then run:
ssh root@localhost -p 2222
NOTE: if you have not changed the password manually, it is alpine.
8. Enter yes and press Enter. Then enter the following text in the Terminal window and press Enter once again:
9. The process takes some time. After it has finished, enter the following command:
10. Restart the device to remove the checkra1n app.
NOTE: the checkra1n icon might not disappear immediately after the device restarts.
After the visible traces of checkra1n have been removed, some checkra1n-related files might remain in the device file system. However, their directories are inaccessible without a jailbreak.
Checkra1n on Windows and Linux
An official Linux version is available starting from checkra1n 0.9.8. To use it:
- Download checkra1n for Linux from the official website
- Open Terminal app for Linux
- Enter the following:
cd /home/<Username>/Downloads/   # path to the downloaded binary; by default it is in Downloads
chmod 755 checkra1n              # make the binary executable
sudo ./checkra1n                 # run checkra1n in GUI mode
sudo ./checkra1n -c              # run checkra1n in CLI mode
There are at least two unofficial solutions that make it possible to install checkra1n from Windows or Linux:
https://github.com/ra1nstorm/ra1nstorm-helper/releases/ (based on running virtual macOS on virtual Linux)
https://ra1nusb.dabeecao.org/ (based on running Hackintosh)
NOTE: We have not had an opportunity to test these ourselves. However, according to the reviews, they work.