The state of checkra1n on Apple Silicon Macs

Today we're releasing checkra1n 0.12.3 with support for Apple Silicon Macs as hosts. Due to changes in the USB stack, you may be required to unplug and replug the lightning cable as part of the jailbreaking process.

There is an issue in the USB stack of Apple Silicon Macs that will cause certain devices to crash and reboot when attempting to perform checkm8 over a USB-C port. The problematic part of the exploit can be disabled and replaced with a manual unplugging and replugging of the lightning cable. Checkra1n will detect the conditions that would cause this issue, and instruct the user to perform the replug if necessary.

This issue only affects USB-C on Apple Silicon macs, and only when using A7, A9X, A10 and A10X devices, i.e.:

  • iPhone 5s, 7 and 7 Plus
  • iPad 6th and 7th generation
  • iPad Air 1
  • iPad mini 2 and 3
  • iPad Pro 1st and 2nd generation
  • iPod touch 7
  • Apple TV 4K

If you have any device not listed above, this change does not affect you.
If you have an Apple Silicon Mac mini and are using the USB-A ports, this change does not affect you.
If you have an Intel Mac as host, this change does not affect you.

Technical details for the curious:

The issue is a NULL dereferencing bug that exists in most versions of SecureROM. The bug can be triggered by sending two back-to-back USB resets if, and only if, the EP0_IN endpoint is currently stalled and packets have been queued in such a way that the next USB reset will trigger a different bug, which leaks some memory and re-enables the endpoint after is has been disabled. This is a state that the ROM would normally never be in, but we use the second bug since we need a memory leak for our exploit.
And the USB-C stack on Apple Silicon Macs does send a double reset when we call USBReEnumerate, in contrast to the USB-A stack which does not. We do not currently know what part of the USB stack does this, nor whether this is intended behaviour or not.
T2 and A11 are not affected because the NULL deref has been fixed in these versions. A8/A8X/A9 are not affected because we can use a different memory leak there.

The 0.12.3 release is available for download now on our releases page.

See all news »