The One Weird Trick SecureROM Hates


Playlists: '36c3' videos starting here / audio

Checkm8 is an unfixable vulnerability present in hundreds of millions of iPhones' SecureROM. This is a critical component in Apple's Secure Boot model and allows security researchers and jailbreakers alike to take full control over the application processor's execution.

This talk will detail how we built an iOS jailbreak from the ground up - quite literally - by using an use-after-free in Apple's SecureROM. This is key code which is designed to bring up the application processor during boot but also exposes a firmware update interface over USB called DFU.
By abusing this vulnerability it is possible to unlock full control of the application processor, including enabling debugging functionalities such as JTAG, helping security researchers look for security vulnerabilities in Apple devices more effectively.
We will analyse the root-cause and techniques used for exploitation, as well mention some of the hurdles we encountered while trying to turn this into a reliable jailbreak and plans for the future of this project.


These files contain multiple languages.

This Talk was translated into multiple languages. The files available for download contain all languages as separate audio-tracks. Most desktop video players allow you to choose between them.

Please look for "audio tracks" in your desktop video player.