23 votes

Permanent Bootrom Exploit for iOS Devices with A5-A11 Processors

15 comments

  1. JXM
    Link
    This basically means that any iPhone from the 4S to the X are able to be jailbroken without Apple being able to do much to stop them since the bootrom is...well, read only. Since Apple is selling the iPhone 8/8 Plus still, this is a pretty big deal. They'd have to do a hardware revision to fix it.

    The downside is that these devices are now vulnerable to all sorts of malicious attacks. An attacker would still need physical access to the device, but it's still not good.

    Note: I've linked to the /r/jailbreak thread about it because the Tweet that the thread links to lacks any sort of context and the thread provides some good context for what this means for iOS devices going forward. If anyone thinks the Tweet is the more appropriate link, feel free to change it.

    10 votes
  2. [10]
    Silbern
    Link
    I'm supposed to be getting an iPhone SE later today, so this is perfect, I'm planning on jail breaking it if it's possible to do so. I'd actually gladly trade a physical access vulnerability, at which point I assume the device is compromised anyway, for the customizability and flexibility jail breaking offers.

    5 votes
    1. [2]
      JXM
      Link Parent
      A good assumption to make.

      One thing to note is that it is a tethered exploit. So if you reboot, you’ll need your computer around.

      4 votes
      1. Silbern
        Link Parent
        Yeah, that's definitely the biggest downside, but given how rarely I usually reboot my phone, I think I'd still make it. I'll probably first try exploiting iOS 12 if it has it though, since that one doesn't need to be tethered. I'm hoping eventually someone will make a little device that injects the exploit on the go without needing a computer, that would make this absolutely perfect!

        3 votes
    2. [7]
      tomf
      Link Parent
      Did you get your SE and was it on 12.4?

      1 vote
      1. [6]
        Silbern
        Link Parent
        I did! And it’s on 12.3.1 actually. Been absolute ages since I’ve looked into anything jailbreaking or even owned an Apple product, so I don’t know if that’s a good version to be on or not... But I have no intentions of updating until I know more, so I won’t accidentally wipe it out.

        1 vote
        1. [5]
          hhh
          Link Parent
          12.3-12.3.2 unfortunately don't have jailbreaks actually. 12.0-12.2 and 12.4.0 do though. if you have the option of updating to 13.0 you should consider it as usually major versions are jailbroken within a few months of their release. on the other hand maybe 12.3.1 will get a jailbreak but 13.0 won't. who knows.

          either way this is just with current jailbreaks (chimera or unc0ver) and obviously the news in op would change that. the jailbreak from that would be tethered though which would be more of a hassle than the current semi-untethered jailbreaks.

          2 votes
          1. [4]
            Silbern
            Link Parent
            Interesting, thank you very much. Yeah, I’d definitely prefer the untethered if possible, guess I’ll give it a few months and see about jail breaking then. I’ll definitely consider updating then, especially since it’s unlikely anyone will do it for 12.3 now and there’s always unc0ver.

            2 votes
            1. [3]
              tomf
              Link Parent
              It's a shame it came with that specific version -- but like hhh said, go up to 13. Might as well start collecting blobs with https://tsssaver.1conan.com/ or use the telegram bot https://telegram.me/rjailbreakbot just in case.

              If this whole bootrom thing hits us normal folk, it'll be a game changer -- and ultimately better for everybody involved.

              I've had an SE for a few years. It's the best form factor. Welcome to the club!

              1 vote
              1. [2]
                Silbern
                Link Parent
                Yeah, I chose it specifically for the form factor. Not a fan of iOS and definitely not of Apple as a company, but no one else makes small phones anymore, and this is a mighty fine product after using it for a day. Totally worth it!

                And thanks, I’ll be sure to do that then. Would it be wise to stay on 13.1.1, as opposed to upgrading to any future minor releases?

                1 vote
                1. tomf
                  Link Parent
                  I'd go up to 13.0 for now - but get all of your blobs just in case. I've only switched versions with blobs once, but it worked well.

  3. Deimos
    Link
    Some more info about this exploit and its connotations in this post on Trail of Bits: Tethered jailbreaks are back

    4 votes
  4. [3]
    cyanide
    Link
    Link to the files: https://github.com/axi0mX/ipwndfu
    3 votes
    1. [2]
      2zla
      Link Parent
      Somewhat unrelated, but if Microsoft has acquired GitHub, what are the legal implications of hosting code which allows one to potentially break the TOS of an Apple device?

      2 votes
      1. Bauke
        Link Parent
        From GitHub's TOS:

        You may create or upload User-Generated Content while using the Service. You are solely responsible for the content of, and for any harm resulting from, any User-Generated Content that you post, upload, link to or otherwise make available via the Service, regardless of the form of that Content. We are not responsible for any public display or misuse of your User-Generated Content.

        I'm fairly certain if Apple wanted to they could get GitHub to remove it but seeing as that repository has been up since at least April 2017 I don't think they care. Maybe they will now after this exploit has been discovered.

        5 votes