The One Weird Trick SecureROM Hates - qwertyoruiop
36c3 - Security - 12/29/2019
Checkm8 is an unfixable vulnerability present in hundreds of millions of iPhones' SecureROM. This is a critical component in Apple's Secure Boot model and allows security researchers and jailbreakers alike to take full control over the application processor's execution.
This talk will detail how we built an iOS jailbreak from the ground up - quite literally - by using an use-after-free in Apple's SecureROM. This is key code which is designed to bring up the application processor during boot but also exposes a firmware update interface over USB called DFU.
By abusing this vulnerability it is possible to unlock full control of the application processor, including enabling debugging functionalities such as JTAG, helping security researchers look for security vulnerabilities in Apple devices more effectively.
We will analyse the root-cause and techniques used for exploitation, as well mention some of the hurdles we encountered while trying to turn this into a reliable jailbreak and plans for the future of this project.