
I still remember the miracle of geohot's limera1n exploit, which was an unpatchable iBoot exploit on iPhone 4. And now we have its successor - axi0mX's checkm8, still an iBoot exploit, still unpatchable. It seems another golden age for iOS jailbreaking has come!

Also, just like limera1n, it requires total physical control over the device to run the exploit. A complete, untethered jailbreak still requires additional kernel/userspace exploits, so I don't see it as a major security problem, but it does make the job of an evil maid a bit easier.

Just for nostalgia, here's the original release text of limera1n.

> limera1n, 6 months in the making

> iPhone 3GS, iPod Touch (3rd generation), iPad, iPhone 4, iPod Touch (4th generation)

> 4.0-4.1 and beyond+++

> limera1n is unpatchable

> untethered thanks to jailbreakme star comex

> brought to you by geohot

> hacktivates

> Mac coming in 7 years

> donations keep support alive

> zero pictures of my face



First of all, congrats to Axi0mX! It must have been quite the exploiting effort.

> It seems another golden age for iOS jailbreaking has come!

There is much, much less reason to jailbreak these days than in the iPhone 1 - 5 days. Unlocked iPhones are easy to get. Apple has copied a tremendous amount of features, and with iOS 13 having both dark mode and a fixed volume HUD even more reasons (Noctis / Eclipse and SmartVolumeControl2) are gone. And those, along with CallBarXS (call bar instead of fullscreen calls) and Jellyfish (weather on your lockscreen) are by far the most popular tweaks. I suspect at least the fullscreen calling will be redone in iOS 14.

Theming and game emulators will probably never come to the App Store, but those are even more niche. Terminal emulators and Python environments are already in the store. That leaves... SSHing into your phone, I guess, which is mostly a gimmick.

That's not to say the wild wild west wasn't fun back then. I remember both the Yellowsn0w and Redsn0w periods of jailbreaking vividly. Icy (a Cydia alternative) dying, being revived, and dying again. Down the nostalgia rabbit hole we go...


There are a plethora of reasons I still jailbreak my phone, but some off the top of my head:

• Put an extra column of icons per page on my homescreen.

• Rename apps on the homescreen, and change their icons.

• Enable the iPad's "grid" app switcher on my phone.

• Remove the stupid app bar in Messages.

• Hide various UI elements around the OS and in apps, to make everything cleaner. (Cool note: you can use PermaFlex to hide nearly any arbitrary element.)

• Downgrade apps that release updates I dislike.

• Stop Apple News from creating "personalized" recommendations that would keep me in a filter bubble.

• Play audio from Youtube videos (in Safari) while the screen is locked.

• Install a Userscript that gets rid of AMP in Google search results.

I realize a lot of these things are nitpicks—some maybe even personal eccentricities—but taken together they just make my phone a lot more pleasant to use. I would not buy an iPhone I could not Jailbreak, full stop.


> Play audio from Youtube videos (in Safari) while the screen is locked.

You have a long good list of reasons, but this one is fixable by installing the YouTube app and paying for premium.


If Google tried to charge for background playback on desktop, the extensions would arrive within days. iOS allows Google to get away with it, but that's precisely the problem with iOS's model.

Besides, I don't want to install a separate app. It's a website, and I should be able to use my web browser.

Edit: Also, this patch doesn't just work on Youtube, it's for any video in Safari.


I use invidio.us to listen to YouTube videos in the background and it works great.



> If Google tried to charge for background playback on desktop

To be fair, premium includes lots of things, including unlimited music streaming à la Spotify, ad-free YouTube, etc.

You’re not paying only for the background playback. Literally no one would be willing to pay for that. It’s just a minor perk, that’s all.

A perk you said you’d be willing to risk JBing your (expensive) phone over. Most people would probably be more willing to just pay the fee for what is a fairly decent music streaming service.


You COULD play YouTube videos in the background by default in Safari up until about summer 2016. Then, they sneakily added a hook that kills it if it loses focus. But sometimes there's a race condition or something and it doesn't take, so videos will still play audio in the background sometimes, and you could fool it for a while by requesting the desktop version of the YouTube page.

Point is, this was there by default, and they intentionally sabotaged it to force you to use their paid service. This is shitty malware-like behavior and I do not want to encourage them. I would not give them a single cent and I happily spent time to defeat it, because fuck them.


In your outrage, you are completely missing the point.

I don’t care about anything you’re saying here about how things are or were. Really. Not one bit.

I was merely saying that for that -one- particular reason for jailbreaking, a much simpler alternative exists (from a layman's perspective).

That’s really just factual information, contributing to the discussion if you like, and downvoting me because you have a grudge against Google and Apple is utterly misguided.


I just don’t like being extorted.


Neither do I, but it's not even the extortion part that prevents me from signing up for a service like that.

It's knowing that they will link my viewing habits to my Google account and never delete them.


This fix brings a problem that now you're paying to be tracked and profiled. It may not be a problem for everyone but...


Or write your own small app to do that :) There are a bunch of ways and premade libraries to get YouTube to deliver videos straight from its CDN. Then just play them using AVFoundation and add whatever features you want.


I'm paraphrasing, but if you think you can hack your way to individuality, you are not so smart. Check it: https://youarenotsosmart.com/2010/04/12/selling-out/


We hear this “Apple has done everything you could only get with a jailbreak so jailbreaking is now obsolete” every year, yet we still see neat new system-level functionality ideas show up all the time. Plenty of new ideas came about from jailbreakers in the “post-limera1n” era (2014 - present) including ones you’ve mentioned. I’d be certain this will open the floodgates to a plethora of new ideas, simply because it’ll soon be far less risky to develop jailbreak things (no need to be concerned about soft-bricking your phone, forcing you to restore to the latest, probably non-jailbreakable iOS version). The workarounds employed by the latest jailbreaks to avoid triggering security checks also made it just that little bit more annoying to work with. Developers being able to run in a “fully jailbroken, anything goes” state like the jailbreaks of yesteryear, as well as being able to develop on top of iOS beta releases, would encourage development once more.

And no terminal app in the App Store compares to actually running your code on bare metal with no clever workarounds required to make Apple happy. I don’t want to add network delays (mosh is great but still just isn’t the same) and worry about transferring files around, or force myself to run inside an emulated, fenced-off world (iSH). It’s just easier to run programs like, well, actual programs. This is why I develop NewTerm, a local terminal app for iOS, and am a huge fan of Termux on Android which neatly packages an entire self-contained ecosystem that still runs on bare metal.


> Theming and game emulators will probably never come to the App Store, but those are even more niche.

Apple thankfully enabled sideloading for "free" developer accounts, and someone released AltStore (a distribution method for the Delta game emulator) yesterday [1].

[1] https://news.ycombinator.com/item?id=21083092


But you usually have a three app limit and need to reinstall every seven days. Altstore is using some very clever tricks to get around that, and while I applaud the developer’s creativity I don’t expect it to last.


You forget call recording.


I’m considering jail breaking to be able to force my phone to stay on 4G.

It’s a stupid omission by Apple to not have a “4G only” toggle. 3G connectivity really sucks and it’s annoying to randomly be downgraded when you have perfectly fine 4G coverage.


Do confirm there's actually software to do this before you Jailbreak (unless you plan to code it yourself). I'm not personally aware of anything.


There was last time I checked.


Yeah, that's really annoying. Why does that even happen?


What do you propose a "stay on 4G" option would do when the device loses 4G coverage?

Drop signal altogether?

IIRC, falling back to 3G from 4G, or 2G from 3G, is to cover temporary coverage blackspots and allow data / voice communication to continue, albeit less optimally.


I have had similar problems. The algorithm they use is not perfect.

My Nexus One used to fall back to 2G whenever my 3G got below like two bars, it was so annoying. And also there would be a temporary outage while it switched. I eventually learned how to hard disable 2G, and service improved greatly, because even one bar of 3G was better than 2G.


Firstly, losing 4G coverage isn’t an issue where I use my phone. I don’t live in a third world country like the US. Despite this my iPhone will randomly decide to downgrade to 3G.

As to what the phone should do when going outside a 4G coverage area while in “4G only” mode: nothing. It should just aggressively try to reconnect. A discreet icon about 3G network availability should be shown. A press on the 3G icon would enable temporary 3G roaming.

The underlying problem is that Apple handles roaming between 2G/3G/4G networks poorly. I could wish Apple would do it better, but that’s like wishing for a unicorn. Hence my strong leanings toward jailbreaking.


iBoot and BootROM are different. iBoot is software (patchable) while BootROM is read-only. Otherwise, agreed! It's really a big achievement.


I'm very confused. On one hand, the tweet claims to have a BootROM exploit. On the other hand, the fifth tweet in the chain talks about an iBoot vulnerability that got patched in the iOS 12 beta [1].

Maybe the vulnerable codepath has some code sharing between iBoot and SecureROM?

[1]: https://twitter.com/axi0mX/status/1177544539046703104


> Maybe the vulnerable codepath has some code sharing between iBoot and SecureROM?

It does.


Comex himself has spoken! It turns out I definitely didn't understand it correctly. Thanks for the clarification!


Do you have iBoot's source code from the leak a while back?



If I've understood this correctly, it was an iBoot vulnerability enabling the exploitation of the BootROM vulnerability untethered (without connecting to a computer again). Since the iBoot vulnerability is patched, the phone has to be connected to a computer every time to boot if there has been any tinkering (custom FW or any change in boot sequence).

So pre-patch you could exploit the BootROM vulnerability untethered with the iBoot vulnerability, but post-patch you have to connect to a computer to boot every time if you have done any tinkering, which is why it is currently only advised for security researchers. Tinkering with the BootROM also leads to invalidation of APTickets (so a future restore may be impossible without special gear).


> It seems another golden age for iOS jailbreaking has come!

It's sadly limited to the A11 (iPhone X) chips and everything before that.


That's pretty darn great compared to the current situation. Perhaps not quite a return to the redsn0w days, but a major boon all the same.

A (large?) majority of the iPhones currently in circulation will soon be Jailbreakable—not just for one brief moment in time (as with iOS 12.4), but on every future version of iOS. I didn't think that was ever going to happen again.


As an A12 owner, I'm really happy my device is now reasonably more secure if taken into a government back room during customs or via an evil maid attack. Different perspective I suppose.


Willfully sacrificing freedom for security writ small.


Intentionally buying and using a secure device isn't what that phrase is about. Benjamin Franklin wasn't arguing against safes.


How is this like a safe? You possess the keys to a safe you own. You do not possess the keys to iPhones with A12 chips in the sense that this exploit delivers.


If we're keeping up with the safe analogy, this exploit doesn't give you the keys to your safe, it gives everyone the keys to your safe.


The safe analogy fails because, again: no one except Apple has the keys to the "safe" that they own.
