The One Weird Trick SecureROM Hates presented at BlueHatIL 2020

by Luca Todesco (@qwertyoruiop)


Summary: Checkm8 is an unfixable vulnerability present in hundreds of millions of iPhones, in SecureROM - a critical component in Apple's Secure Boot model. The vulnerability allows security researchers and jailbreakers alike to take full control over the application processor's execution.

This talk will detail how we built an iOS jailbreak from the ground up - quite literally - by using a use-after-free bug in Apple's SecureROM. SecureROM is a key component which is designed to bring up the application processor during boot, and also exposes a firmware update interface over USB called DFU.

By abusing this vulnerability it is possible to unlock full control of the application processor, and enable debugging functionalities such as JTAG, helping security researchers look for other security vulnerabilities in Apple devices more effectively.

In this talk we will explain the root cause of the vulnerability and the techniques used for exploiting it. We will also discuss some of the hurdles we encountered while trying to turn this bug into a reliable jailbreak, and talk about the progress we have made so far and our plans for the future of the project.