Explore the intricacies of the unfixable Checkm8 vulnerability affecting millions of iPhones' SecureROM in this 39-minute conference talk from the 36C3 event. Dive deep into the process of building an iOS jailbreak from scratch by exploiting a use-after-free vulnerability in Apple's SecureROM. Learn about the DFU interface, the techniques used for exploitation, and how this vulnerability enables full control over the application processor. Discover the implications for security researchers, including the ability to enable debugging functionalities like JTAG. Analyze the root cause of the vulnerability, explore the challenges faced in creating a reliable jailbreak, and gain insights into future plans for this project. Cover topics such as SecureROM, Secure Boot, DFU Protocol, USB Control Transfer, practical trigger methods, Secure ROM Exploitation for A8 and A9 chips, Bootkit ELIS, Bootkit Development, and Jailbreak Development.
Overview
Syllabus
Intro
whoami
whoareus
whatis SecureROM
whatis Secure Boot
DFU Protocol
USB Control Transfer
USB and DFU
Practical Trigger
Secure ROM Exploitation (A8, A9)
Bootkit ELIS
Bootkit Development
Jailbreak Development
Future Plans
Taught by
media.ccc.de