Tachy0n is a permanent, unpatchable jailbreak for all checkm8-vulnerable devices (A5-A11 bootroms on iOS 14.x). Leveraging a hardware vulnerability, it modifies the Secure Enclave Processor (SEP) firmware, enabling persistent code execution even after updates or restores. This effectively removes Apple's ability to revoke the jailbreak through software updates. While powerful, Tachy0n is primarily a research project and a proof-of-concept, currently lacking the user-friendly tooling of a typical jailbreak. It aims to lay the groundwork for future jailbreaks and to serve as a platform for experimentation and research on Apple's security systems.
Siguza's blog post, titled "Tachy0n: The Last 0day Jailbreak," details the culmination of a seven-year journey: the development and release of a potent jailbreak exploit for iOS devices. The exploit, dubbed "checkm8," targets a vulnerability within the BootROM, the read-only memory responsible for the earliest stages of the device's startup process. Because it lives in the BootROM, this vulnerability cannot be fixed by software updates, making it exceptionally powerful and persistent across every device generation affected by the flaw. The blog post characterizes this vulnerability as a "game over" scenario for Apple, since patching it requires a physical hardware revision.
The exploit itself leverages a weakness in the device's USB Device Firmware Update (DFU) mode, a low-level state used for restoring firmware. By carefully crafting a malicious data packet sent while the device is in this mode, Siguza managed to trigger a buffer overflow, gaining control over the secure boot chain. This allows arbitrary code to run on the device, bypassing Apple's security mechanisms. The blog post provides intricate technical detail about the exploitation process, including the specific vulnerability in the USB control transfer handling and the method used to gain code execution. It also touches on the painstaking reverse engineering involved in understanding the BootROM's inner workings.
Siguza emphasizes the significance of this achievement, noting how rare and difficult it is to uncover BootROM vulnerabilities. They also highlight the long and arduous process of developing the exploit, including the time spent understanding the complex interplay of hardware and software during boot. While acknowledging the potential misuse of such a powerful tool, Siguza expresses hope that its release will foster further research and contribute positively to the jailbreaking community, allowing deeper exploration of the iOS operating system and unlocking functionality restricted by Apple. The exploit is released under a somewhat restrictive license, limiting its use to specific devices and preventing direct commercial exploitation. According to the post, this is a conscious decision aimed at minimizing the potential for malicious use while still giving researchers and enthusiasts access to the exploit. The post concludes by suggesting that this exploit might represent the final userland 0day jailbreak, given the increasing complexity and security hardening of modern Apple devices.
Summary of Comments (36)
https://news.ycombinator.com/item?id=44083388
Hacker News users discuss the Tachy0n jailbreak, expressing skepticism about its "last 0day" claim and noting that future iOS versions will likely patch the exploit. Some debate the practicality of the jailbreak given its limited scope to older devices and the availability of checkm8 for similar models. Others commend the technical achievement and the author's clear explanation of the exploit. Concerns about potential misuse of the exploit are also raised, alongside discussion of the ethics of disclosing such vulnerabilities. Several commenters point out the limitations of patching BootROM exploits, suggesting this won't be the truly "last" 0day. There is also interest in using the exploit for purposes other than jailbreaking, such as device repair. Finally, a few users share personal anecdotes about jailbreaking and express nostalgia for the practice's heyday.
The Hacker News post titled "Tachy0n: The Last 0day Jailbreak" generated a significant amount of discussion, with many commenters expressing a mix of nostalgia, technical curiosity, and concern.
Several commenters reminisced about the "golden age" of jailbreaking, recalling the excitement and sense of community that surrounded it. They discussed the various tools and exploits used in the past, comparing them to Tachy0n and highlighting the evolution of jailbreaking techniques. Some expressed sadness that this might be one of the last opportunities for this kind of exploit due to increasing security measures implemented by Apple.
A recurring theme in the comments was technical discussion of the exploit itself. Commenters asked about the specifics of the vulnerability, how it was discovered, and the implications for future iOS security. Some debated the ethics of jailbreaking and the security risks associated with it. There was also discussion of how difficult it has become to find and use such vulnerabilities in modern iOS versions.
Some users expressed concern about the potential misuse of the exploit. They worried that the availability of such tools could lead to increased malware and security breaches. Others countered this argument, stating that jailbreaking primarily empowers users to customize their devices and bypass restrictions imposed by Apple.
A few comments focused on the practical aspects of jailbreaking. Users asked questions about compatibility with different iOS versions and devices, the process of installing the jailbreak, and the availability of tweaks and modifications. Some shared their personal experiences with jailbreaking and offered advice to newcomers.
Several commenters also discussed the cat-and-mouse game between Apple and the jailbreaking community, noting that Apple often patches vulnerabilities quickly after they are discovered. This led to discussions about the future of jailbreaking and the likelihood of similar exploits being found in the future.
Finally, there was some discussion about the name "Tachy0n" itself, with users speculating about its meaning and significance in relation to the exploit.
Overall, the comments on the Hacker News post reflect the complex and multifaceted nature of the jailbreaking community, highlighting the technical skills, ethical considerations, and nostalgic sentiment associated with this practice.