Everything You Ever Wanted To Ask About Checkm8 And Checkra1n

by Oxygen Forensics 

What’s Checkm8?

Checkm8 is an exploit (program exploiting OS or hardware vulnerabilities) aimed at obtaining access to the execution of its own software code at the earliest stage of iOS device loading.

What makes it stand out?

The richness, and honestly the hype, surrounding Checkm8 is that the vulnerability on which it is based cannot be patched by software (update or change) as it is incorporated in code from read-only memory, which cannot be rewritten, at the stage of manufacturing a device chip. This means that all iOS devices prone to this vulnerability will always remain vulnerable, regardless of the iOS version.

What are the limitations?

The exploit is only executed in Random Access Memory. This means that after switching off or restarting the device, it will load in normal mode and the investigator would have to execute checkm8 again.

Using Checkm8, it is not possible to bypass a password or quickly crack it since the procession of password, biometric data and the data encryption based on them are performed within the secure enclave processor, which checkm8 has no access to.

List of supported devices

Devices prone to the vulnerability:

• All devices based on processors: s5l8940x (A5), s5l8942x (A5 Rev A), s5l8945x (A5X), s5l8947x (A5 Rev B), s5l8950x (A6) , s5l8955x (A6X), s5l8960x (A7), t8002 (including S1P and S2), t8004 (S3), t8010 (A10), t8011 (A10), t8015, (A11), s5l8747x (Haywire video adapters processor), t7000 (A8), t7001 (A8X), s7002 (S1), s8000 (A9), s8001 (A9X), s8003 (A9) and t8012 (used in iMac Pro);
• All iPhones from iPhone 4S to iPhone X;
• iPad 2, iPad (3rd generation), iPad (4th generation), iPad (5th generation), iPad (6th generation), iPad (7th generation);
• iPad Air and iPad Air 2;
• iPad Pro (12.9-inch), iPad Pro (9.7-inch), iPad Pro (12.9-inch) (2nd generation), iPad Pro (10.5-inch);
• iPad mini, iPad mini 2, iPad mini 3 и iPad mini 4;
• iPod touch (5th generation), iPod touch (6th generation), iPod touch (7th generation);
• Apple Watch Series 1, Apple Watch Series 2 and Apple Watch Series 3;
• Apple TV (3rd generation), Apple TV (4th generation) and Apple TV 4K.

Devices supported by checkm8 exploit:

• Currently the exploit is adapted to be used on devices based on processors: s5l8947x, s5l8950x, s5l8955x, s5l8960x, t8002, t8004, t8010, t8011 and t8015.

What’s Checkra1n?

Checkra1n is a semi-tethered jailbreak based on the checkm8 exploit. Basically, checkra1n developers gained access to execution of their code at the first stage of the iOS loading process (the same ability could be given by checkm8). As such, they changed the entire loading process so that after the device has loaded the investigator has root access to the file system and now can execute any unsigned code.

Installation (on macOS)

• Download the needed MacOS version from the official website
• Run the downloaded .dmg file by double-clicking on it
• In the opened window, drag the checkra1n icon to Applications

Usage: GUI mode

To run and install checkra1n in GUI mode:

• Open the Applications folder on the Mac
• Right-click on the checkra1n icon and select Open from the drop-down list
• Select open the program in a similar window
• If the application does not open, run it again via a double-click
• Connect the device, wait till it has been detected, and press Start

• Click Next. The device will load in recovery mode
• Click Start and put the device in DFU mode, following the instructions

• If the device does not enter DFU mode, click Retry to try again

• Wait till the installation has finished
• If installed successfully, the investigator can access SSH via USB using 44 port.
• After the installation is complete, the checkra1n application will be added to the device home screen. To install Cydia (unofficial AppStore), run checkra1n, click Cydia and install it.

Note: if the device has entered DFU mode and has stopped responding (blank black screen), or running log text has appeared on the device screen while patching system core, simultaneously press and hold side button and home button (or volume down) until the device restarts.

Usage: CLI mode

To run checkra1n in console mode, launch the Terminal application on the Mac and enter the following commands:

cd “/Applications/checkra1n.app/Contents/MacOS” 

./checkra1n_gui –

The console version of checkra1n will launch. Connect the device in DFU mode and the jailbreak will be installed automatically.

NOTE: Commands should be entered after dragging checkra1n.app to Applications folder on MacOS.

GUI and CLI modes: what’s the difference?

• When running checkra1n in CLI mode, there is no verification of the device model and iOS version
• According to our experience, all versions of checkra1n install on devices with iOS 13.2.3-13.3 in CLI mode.

Important differences between versions

• When installing 0.9.6 and 0.9.7 checkra1n versions on devices with iOS 13.2.3-13.3, after reloading the device would be in USB restricted mode until unlocked
• USB restricted mode does not allow checkra1n to finish its installation, SSH connection won’t work
• A few times USB restricted mode switched on the devices with iOS 12.4 when installing checkra1n 0.9.7. It is yet unknown why this happened.
• When installing earlier checkra1n versions (from 0.9 to 0.9.5), USB restricted mode does not switch on regardless of the iOS version. Thus, those checkra1n versions could be installed on devices without unlocking them and be used to access SSH connection.

Checkra1n traces

To remove the obvious traces of using checkra1n:

If Cydia wasn’t installed, restarting the device would be enough.

If Cydia was installed: 

1. Open Checkra1n app on your device. Press Restore system. The device original file system would be restored.
2. Technically, jailbreak was erased from the phone, but Cydia app is still present.
3. Install checkra1n again without installing Cydia app.
4. Connect iPhone to PC, open Terminal window and use the following command:

/usr/bin/ruby -e “$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)”

5. Then use this command:

brew install libimobiledevice

6. Open a new Terminal window and use the command:

iproxy 2222 44

7. Leave the Terminal window open. Press CMD+T keys to open a new tab and then use the command

ssh root@localhost -p 2222

NOTE: if you haven’t manually changed the password, it will be ‘alpine’.

8. Enter yes and press Enter. Enter the following text in Terminal window and press Enter once again:

uicache –all

9. The process would take some time. After it’s finished, enter the following command:

killall SpringBoard

10. Restart the device to remove checkra1n app.

NOTE: that checkra1n icon might not disappear immediately after restarting the device.

After removing the visible traces of checkra1n, some checkra1n-related files might remain in the device file system. However, their directories would be inaccessible without a jailbreak.

Please note that starting from Oxygen Forensic Detective 12.2 Apple iOS devices with checkra1n are fully supported.