Respawn is an experimental research tool for iPhone models vulnerable to the infamous checkm8 vulnerability. It is a completely-rewritten version of an older project, Pawn. The name is a portmanteau of "resurrected Pawn".
While the project is mostly just for fun and nostalgia now, the original purpose was to create a high-quality checkm8 exploit implementation and subsequent environment for iPhone security research.
Respawn's code is aims to be modern, pragmatic, and easy to read. Numerous design decisions, bits of lore, etc. are documented inside.
Respawn uses CMake as its build system, and has a few small dependencies that are already included as submodules. Start by performing a recursive clone of Respawn and all of its submodules:
git clone --recurse-submodules git@github.com:jonpalmisc/respawn.gitNext, once inside the cloned repo, configure the project with CMake:
cmake -S . -B build # -GNinja ...If you get errors about missing
CMakeLists.txtfiles, you likely forgot to clone recursively (or otherwise initialize all submodules) as shown above.
Finally, simply build the project with CMake:
cmake --build buildAt this point, if you are not on macOS you will notice you are missing some headers. Respawn uses Sioku for all of its USB operations, which is based on IOKit. Sorry...
A respawn executable will be available at ./build/respawn upon completion.
Once built, first run respawn -h to see a full list of options; the built-in
help will always have the most up-to-date usage instructions and options.
By default, Respawn doesn't emit much output. If something isn't working or if
you desire more detail, the -v flag can be passed to Respawn to enable
verbose logging.
Most likely, you will want to use Respawn's REPL interface to poke around on
the device. Running respawn -r will launch the REPL, exploiting the device
first if it has not been already.
To get started, try reading SecureROM's build banner string:
> ia.read(0x100000200, 64)
100000200: 5365 6375 7265 524f 4d20 666f 7220 7437 SecureROM for t7
100000210: 3030 3073 692c 2043 6f70 7972 6967 6874 000si, Copyright
100000220: 2032 3031 332c 2041 7070 6c65 2049 6e63 2013, Apple Inc
100000230: 2e00 0000 0000 0000 0000 0000 0000 0000 ................
The
interactivemodule is aliased toiain the REPL for convenience.
Respawn's REPL is really just a Lua REPL with some native functions exposed. You can evaluate arbitrary Lua code, automate device actions by loading Lua scripts, etc.
Respawn expects to find its built-in Lua modules in the
luafolder of the current working directory. The invocation above should actually be./build/respawnif you followed the build instructions above and are in the project's root directory; alternatively you can copy the executable out of the build folder to the root directory.
To get more familiar with using the REPL to interact with the device, take a
look at test.lua, which checks that all of the features
provided by the device module are working as expected. If you aren't writing
scripts, you will probably want to use the equivalent functions in the
interactive module to get better feedback.
- Only devices with T7000 or S8000 SoCs are supported.
- Initial exploitation time varies considerably based on unknown factors.
- Only one device can be connected at once.
- Respawn only builds and runs on macOS since it depends on IOKit.
Being one of the most recent SoCs still vulnerable to checkm8, support for T8015 devices is desirable and is a glaring omission right now. Respawn's predecessor Pawn (which remains closed-source) had mostly-complete support for T8015 devices, but via a rather messy implementation that would require rewriting to integrate back into this project.
Given that checkm8 is largely dead now in 2023, T8015 support may never arrive; but maybe with enough rainy days it will.
Acknowledgements are due to a handful of individuals that othewise don't appear in the Git history:
- Parts of Respawn's predecessor Pawn were contributed by @0cyn.
- An old version of @0x7ff's gaster was used as a reference during the early stages of Pawn's development back in 2022.
- Like many other checkm8 proejcts, some of the exploit primitives
(
ExploitDriver::do_*in Respawn's case) are lifted from ipwndfu by @axi0mX.
Furthermore, this project would have been a lot less fun and a lot more annoying without the knowledge and moral support contributed by the artist formerly known as @bendycatus, @Siguza, and other friends I'm probably forgetting along the way.
Copyright © 2022–2023 Jon Palmisciano. All rights reserved.
Use of Respawn and its source code is governed by the BSD 3-Clause license; the full terms of the license can be found in LICENSE.txt.