Everything You Ever Wanted To Ask About Checkm8 And Checkra1n

by Oxygen Forensics 

What’s Checkm8?

Checkm8 is an exploit (a program that takes advantage of an OS or hardware vulnerability) that obtains execution of its own code at the earliest stage of the iOS device boot process.

What makes it stand out?

What makes Checkm8 significant, and honestly the hype surrounding it, is that the vulnerability it is based on cannot be patched by software (an update or a change): it lives in code held in read-only memory, which is fixed when the device's chip is manufactured and cannot be rewritten. This means that all iOS devices prone to this vulnerability will always remain vulnerable, regardless of the iOS version.


What are the limitations?

The exploit lives only in RAM and is not persistent. This means that after the device is switched off or restarted, it boots in normal mode and the investigator has to run checkm8 again.

Using Checkm8, it is not possible to bypass a password or quickly crack it, since password processing, biometric data handling and the data encryption derived from them are performed inside the Secure Enclave Processor, to which checkm8 has no access.

List of supported devices

Devices prone to the vulnerability:

  • All devices based on the processors s5l8940x (A5), s5l8942x (A5 Rev A), s5l8945x (A5X), s5l8947x (A5 Rev B), s5l8950x (A6), s5l8955x (A6X), s5l8960x (A7), t8002 (including S1P and S2), t8004 (S3), t8010 (A10), t8011 (A10), t8015 (A11), s5l8747x (Haywire video adapter processor), t7000 (A8), t7001 (A8X), s7002 (S1), s8000 (A9), s8001 (A9X), s8003 (A9) and t8012 (used in the iMac Pro);
  • All iPhones from iPhone 4S to iPhone X;
  • iPad 2, iPad (3rd generation), iPad (4th generation), iPad (5th generation), iPad (6th generation), iPad (7th generation);
  • iPad Air and iPad Air 2;
  • iPad Pro (12.9-inch), iPad Pro (9.7-inch), iPad Pro (12.9-inch) (2nd generation), iPad Pro (10.5-inch);
  • iPad mini, iPad mini 2, iPad mini 3 and iPad mini 4;
  • iPod touch (5th generation), iPod touch (6th generation), iPod touch (7th generation);
  • Apple Watch Series 1, Apple Watch Series 2 and Apple Watch Series 3;
  • Apple TV (3rd generation), Apple TV (4th generation) and Apple TV 4K.

Devices supported by checkm8 exploit:

  • Currently the exploit is adapted for use on devices based on the processors s5l8947x, s5l8950x, s5l8955x, s5l8960x, t8002, t8004, t8010, t8011 and t8015.
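As an added triage helper (not part of the Oxygen Forensics article), the following Python reads the chip id out of the USB serial string a device presents in DFU mode and checks it against the two lists above. It assumes the serial string format `CPID:xxxx ... ECID:... SRTG:[...]` reported by public DFU tooling, and that the four hex digits embedded in each SoC name are the chip's CPID; the sample serial is constructed.

```python
import re

# SoC names exactly as listed in the article: devices prone to the
# vulnerability, and the subset the exploit is currently adapted for.
CHECKM8_VULNERABLE = {
    "s5l8940x", "s5l8942x", "s5l8945x", "s5l8947x", "s5l8950x", "s5l8955x",
    "s5l8960x", "t8002", "t8004", "t8010", "t8011", "t8015", "s5l8747x",
    "t7000", "t7001", "s7002", "s8000", "s8001", "s8003", "t8012",
}
CHECKRA1N_SUPPORTED = {
    "s5l8947x", "s5l8950x", "s5l8955x", "s5l8960x", "t8002", "t8004",
    "t8010", "t8011", "t8015",
}


def soc_to_cpid(soc: str) -> int:
    """Map an Apple SoC name to its numeric chip id (s5l8950x -> 0x8950).
    Assumption: the trailing four hex digits of the name are the CPID."""
    m = re.search(r"([0-9a-f]{4})x?$", soc.lower())
    if not m:
        raise ValueError(f"unrecognised SoC name: {soc}")
    return int(m.group(1), 16)


CPID_TO_SOC = {soc_to_cpid(s): s for s in CHECKM8_VULNERABLE}


def parse_dfu_serial(serial: str) -> dict:
    """Split a DFU-mode USB serial string into its KEY:value fields.
    The SRTG value is bracketed and may contain dots and dashes."""
    fields = dict(re.findall(r"(\w+):(\[[^\]]*\]|\S+)", serial))
    if "CPID" not in fields:
        raise ValueError("no CPID field in serial string")
    return fields


def triage(serial: str) -> dict:
    """Report whether the attached DFU device is in the article's lists."""
    fields = parse_dfu_serial(serial)
    cpid = int(fields["CPID"], 16)
    soc = CPID_TO_SOC.get(cpid)
    return {
        "cpid": cpid,
        "soc": soc,
        "checkm8_vulnerable": soc is not None,
        "checkra1n_supported": soc in CHECKRA1N_SUPPORTED,
        "ecid": fields.get("ECID"),
    }


# Constructed sample: an A10 device in DFU mode (ECID is a placeholder).
SAMPLE_SERIAL = ("CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:08 "
                 "ECID:000000DEADBEEF00 IBFL:3C SRTG:[iBoot-2696.0.0.1.33]")
```

On macOS the serial string of a DFU device can be read from `system_profiler SPUSBDataType`; passing it to `triage()` tells the examiner whether checkm8 applies before the device is touched further.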

What’s Checkra1n?

Checkra1n is a semi-tethered jailbreak based on the checkm8 exploit. Essentially, the checkra1n developers took the code execution at the first stage of the iOS boot process that checkm8 provides and changed the rest of the boot process, so that once the device has booted the investigator has root access to the file system and can execute any unsigned code.

Installation (on macOS)

  • Download the macOS version from the official website
  • Open the downloaded .dmg file by double-clicking on it
  • In the window that opens, drag the checkra1n icon to Applications

Usage: GUI mode

To run and install checkra1n in GUI mode:

  • Open the Applications folder on the Mac
  • Right-click the checkra1n icon and select Open from the context menu
  • Confirm opening the program in the dialog that appears
  • If the application does not open, run it again via a double-click
  • Connect the device, wait until it has been detected, and press Start
  • Click Next. The device will boot into recovery mode
  • Click Start and put the device in DFU mode, following the on-screen instructions
  • If the device does not enter DFU mode, click Retry to try again
  • Wait until the installation has finished
  • If the installation succeeded, the investigator can reach SSH over USB on port 44.
  • After the installation is complete, the checkra1n application will be added to the device home screen. To install Cydia (an unofficial app store), run checkra1n, click Cydia and install it.

Note: if the device has entered DFU mode and stopped responding (blank black screen), or log text has appeared on the device screen while the kernel is being patched, press and hold the side button and the home button (or volume down) together until the device restarts.

Usage: CLI mode

To run checkra1n in console mode, launch the Terminal application on the Mac and enter the following commands (the -c flag selects CLI mode):

cd "/Applications/checkra1n.app/Contents/MacOS"

./checkra1n_gui -c

The console version of checkra1n will launch. Connect the device in DFU mode and the jailbreak will be installed automatically.

NOTE: these commands should be entered after checkra1n.app has been dragged to the Applications folder on macOS.

GUI and CLI modes: what’s the difference?

  • When running checkra1n in CLI mode, there is no verification of the device model and iOS version
  • In our experience, all versions of checkra1n install on devices running iOS 13.2.3-13.3 in CLI mode.

Important differences between versions

  • When installing checkra1n versions 0.9.6 and 0.9.7 on devices with iOS 13.2.3-13.3, the device is in USB restricted mode after rebooting until it is unlocked
  • USB restricted mode prevents checkra1n from finishing its installation, and the SSH connection will not work
  • On a few occasions USB restricted mode switched on on devices with iOS 12.4 when installing checkra1n 0.9.7. Why this happened is still unknown.
  • When installing earlier checkra1n versions (0.9 to 0.9.5), USB restricted mode does not switch on regardless of the iOS version. Thus, those checkra1n versions can be installed on devices without unlocking them and used to establish an SSH connection.

Checkra1n traces

To remove the obvious traces of using checkra1n:

If Cydia was not installed, restarting the device is enough.

If Cydia was installed:

  1. Open the checkra1n app on the device and press Restore system. The device's original file system will be restored.
  2. Technically the jailbreak has now been erased from the phone, but the Cydia app is still present.
  3. Install checkra1n again without installing the Cydia app.
  4. Connect the iPhone to the computer, open a Terminal window and run the following command to install Homebrew:

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

  5. Then install libimobiledevice:

brew install libimobiledevice

  6. Open a new Terminal window and forward local port 2222 to the device's SSH port 44:

iproxy 2222 44

  7. Leave that Terminal window open. Press CMD+T to open a new tab and connect over SSH:

ssh root@localhost -p 2222

NOTE: if you have not manually changed the password, it is 'alpine'.

  8. Enter yes and press Enter. Then enter the following command in the Terminal window and press Enter once again:

uicache --all

  9. The process takes some time. After it has finished, enter the following command:

killall SpringBoard

  10. Restart the device to remove the checkra1n app.

NOTE: the checkra1n icon might not disappear immediately after restarting the device.

After removing the visible traces of checkra1n, some checkra1n-related files might remain in the device file system. However, their directories would be inaccessible without a jailbreak.

Please note that starting from Oxygen Forensic Detective 12.2 Apple iOS devices with checkra1n are fully supported. 
