The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Jailbreak Exploits"
m (CVE-2014-4455 was fixed in 8.1.1) |
|||
(97 intermediate revisions by 17 users not shown) | |||
Line 1: | Line 1: | ||
This page lists the '''exploits''' used in [[jailbreak]]s. |
This page lists the '''exploits''' used in [[jailbreak]]s. |
||
− | == Common exploits |
+ | == Common exploits == |
+ | These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs. |
||
− | * [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]]) |
||
− | * [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]]) |
||
− | * [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[n72ap|iPod touch 2G]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required) |
||
− | * [[limera1n Exploit]] (for [[tethered jailbreak]] on [[n88ap|iPhone 3GS]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]] and [[k66ap|Apple TV 2G]]) |
||
− | * [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]]) |
||
+ | * [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]]) |
||
− | == Programs which are used in order to jailbreak different versions of iOS == |
||
+ | * [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]]) |
||
+ | * [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required) |
||
+ | * [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]]) |
||
+ | * [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]]) |
||
+ | |||
+ | == Jailbreak Programs == |
||
=== [[PwnageTool]] (2.0 - 5.1.1) === |
=== [[PwnageTool]] (2.0 - 5.1.1) === |
||
* uses different common exploits |
* uses different common exploits |
||
Line 22: | Line 24: | ||
* uses the exploits listed below to untether up to iOS 6.1.2 |
* uses the exploits listed below to untether up to iOS 6.1.2 |
||
− | == Programs |
+ | == Programs used to jailbreak 1.x == |
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) === |
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) === |
||
* iBoot <code>cp</code>-command exploit |
* iBoot <code>cp</code>-command exploit |
||
Line 33: | Line 35: | ||
=== [[mknod|OktoPrep]] (1.1.2) === |
=== [[mknod|OktoPrep]] (1.1.2) === |
||
− | "Upgrade" to 1.1.2 from a |
+ | "Upgrade" to 1.1.2 from a jailbroken 1.1.1 |
* [[mknod]] |
* [[mknod]] |
||
Line 39: | Line 41: | ||
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2 |
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2 |
||
− | === [[ZiPhone]] (1.1.3 / 1.1.4 /1.1.5) === |
+ | === [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) === |
* [[Ramdisk Hack]] |
* [[Ramdisk Hack]] |
||
− | === [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 /1.1.5) === |
+ | === [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) === |
− | == Programs |
+ | == Programs used to jailbreak 2.x == |
=== [[QuickPwn]] (2.0 - 2.2.1) === |
=== [[QuickPwn]] (2.0 - 2.2.1) === |
||
* uses [[Pwnage]] and [[Pwnage 2.0]] |
* uses [[Pwnage]] and [[Pwnage 2.0]] |
||
=== [[Redsn0w Lite]] (2.1.1) === |
=== [[Redsn0w Lite]] (2.1.1) === |
||
− | * [[ARM7 Go]] (for [[ |
+ | * [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only) |
− | == Programs |
+ | == Programs used to jailbreak 3.x == |
=== [[purplera1n]] (3.0) === |
=== [[purplera1n]] (3.0) === |
||
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}}) |
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}}) |
||
* uses [[0x24000 Segment Overflow]] |
* uses [[0x24000 Segment Overflow]] |
||
− | === [[blackra1n]] (3.1.2) === |
+ | === [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) === |
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}}) |
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}}) |
||
* uses [[0x24000 Segment Overflow]] |
* uses [[0x24000 Segment Overflow]] |
||
Line 74: | Line 76: | ||
* [[Packet Filter Kernel Exploit]] |
* [[Packet Filter Kernel Exploit]] |
||
− | == Programs |
+ | == Programs used to jailbreak 4.x == |
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) === |
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) === |
||
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}}) |
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}}) |
||
Line 80: | Line 82: | ||
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}}) |
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}}) |
||
− | === [[limera1n]] |
+ | === [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) === |
* uses different common exploits |
* uses different common exploits |
||
* [[Packet Filter Kernel Exploit]] |
* [[Packet Filter Kernel Exploit]] |
||
Line 95: | Line 97: | ||
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}}) |
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}}) |
||
* [[HFS Legacy Volume Name Stack Buffer Overflow]] |
* [[HFS Legacy Volume Name Stack Buffer Overflow]] |
||
+ | |||
+ | === [[unthredeh4il]] (4.2.6 - 4.2.10) === |
||
+ | Except for the [[iPad (3rd generation)]] |
||
+ | * MobileBackup2 Copy Exploit |
||
+ | * a new Packet Filter Kernel Exploit ({{cve|2012-3728}}) |
||
+ | * [[AMFID code signing evasion]] ({{cve|2013-0977}}) |
||
+ | * [[launchd.conf untether]] |
||
+ | * [[Timezone Vulnerability]] |
||
=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) === |
=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) === |
||
− | Except for the [[ |
+ | Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1. |
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}}) |
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}}) |
||
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}}) |
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}}) |
||
Line 105: | Line 115: | ||
* [[ndrv_setspec() Integer Overflow]] |
* [[ndrv_setspec() Integer Overflow]] |
||
+ | === [[unthredeh4il]] (4.3 - 4.3.5) === |
||
− | == Programs which are used in order to jailbreak 5.x == |
||
+ | Except for the [[iPad (3rd generation)]] |
||
− | === [[unthredera1n]] (5.0 / 5.0.1 / 5.1 / 5.1.1) === |
||
− | Except for the [[iPad 3]] |
||
* MobileBackup2 Copy Exploit |
* MobileBackup2 Copy Exploit |
||
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}}) |
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}}) |
||
Line 114: | Line 123: | ||
* [[Timezone Vulnerability]] |
* [[Timezone Vulnerability]] |
||
+ | == Programs used to jailbreak 5.x == |
||
− | === [[Absinthe]] (5.0 on [[n94ap|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) === |
||
+ | |||
+ | === [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) === |
||
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether) |
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether) |
||
* [[HFS Heap Overflow]] ({{cve|2012-0642}}) |
* [[HFS Heap Overflow]] ({{cve|2012-0642}}) |
||
Line 129: | Line 140: | ||
* MobileBackup2 Copy Exploit |
* MobileBackup2 Copy Exploit |
||
+ | === [[unthredeh4il]] (5.0-5.1.1) === |
||
− | == Programs which are used in order to jailbreak 6.x == |
||
+ | Except for the [[iPad (3rd generation)]] |
||
− | === [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) === |
||
+ | * MobileBackup2 Copy Exploit |
||
− | * [[Symbolic Link Vulnerability]] ({{cve|2013-0979}}) |
||
+ | * a new Packet Filter Kernel Exploit ({{cve|2012-3728}}) |
||
+ | * [[AMFID code signing evasion]] ({{cve|2013-0977}}) |
||
+ | * [[launchd.conf untether]] |
||
* [[Timezone Vulnerability]] |
* [[Timezone Vulnerability]] |
||
+ | |||
+ | == Programs used to jailbreak 6.x == |
||
+ | === [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) === |
||
+ | * [[Symbolic Link Vulnerability]] |
||
+ | * [[Timezone Vulnerability]] ({{cve|2013-0979}}) |
||
* [[Shebang Trick]] ({{cve|2013-5154}}) |
* [[Shebang Trick]] ({{cve|2013-5154}}) |
||
* [[AMFID code signing evasion]] |
* [[AMFID code signing evasion]] |
||
Line 147: | Line 166: | ||
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]]) |
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]]) |
||
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}}) |
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}}) |
||
− | * [[AMFID_code_signing_evasi0n7]] |
+ | * [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}}) |
* [[DeveloperDiskImage race condition]] (by [[comex]]) |
* [[DeveloperDiskImage race condition]] (by [[comex]]) |
||
* [[launchd.conf untether]] |
* [[launchd.conf untether]] |
||
− | == Programs |
+ | == Programs used to jailbreak 7.x == |
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) === |
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) === |
||
{{Section Stub}} |
{{Section Stub}} |
||
− | * [[Symbolic Link Vulnerability]] |
+ | * [[Symbolic Link Vulnerability]] ({{cve|2013-5133}}) |
+ | * [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}}) |
||
− | * unknown exploits ({{cve|2013-5133}}, {{cve|2014-1272}}, {{cve|2014-1273}}, {{cve|2014-1278}}) |
||
+ | * CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}}) |
||
+ | * ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}}) |
||
− | === [[Geeksn0w]] (7.1 / 7.1.1 |
+ | === [[Geeksn0w]] (7.1 / 7.1.1) === |
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]] |
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]] |
||
=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) === |
=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) === |
||
− | * |
+ | * Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0) |
− | * |
+ | * AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0) |
− | * |
+ | * break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}}) |
+ | * mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects |
||
− | * TempSensor kernel exploit (Pangu 1.1.0) ({{cve|2014-4388}}) |
||
+ | * IOSharedDataQueue notification port overwrite ({{cve|2014-4461}}) |
||
* "syslogd chown" vulnerability |
* "syslogd chown" vulnerability |
||
* enterprise certificate (no real exploit, used for initial "unsigned" code execution) |
* enterprise certificate (no real exploit, used for initial "unsigned" code execution) |
||
Line 171: | Line 193: | ||
* VoIP backgrounding trick (used to auto restart the app) |
* VoIP backgrounding trick (used to auto restart the app) |
||
* hidden segment attack |
* hidden segment attack |
||
− | * unknown exploit ({{cve|2014-4407}} |
||
− | == Programs |
+ | == Programs used to jailbreak 8.x == |
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) === |
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) === |
||
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w) |
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w) |
||
Line 180: | Line 201: | ||
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking) |
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking) |
||
* a sandboxing problem in debugserver ({{cve|2014-4457}}) |
* a sandboxing problem in debugserver ({{cve|2014-4457}}) |
||
+ | * mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects |
||
− | * the same/a similar kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) |
||
+ | * the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______) |
||
* enable-dylibs-to-override-cache |
* enable-dylibs-to-override-cache |
||
− | * |
+ | * a new ovelapping segment attack ({{cve|2014-4455}}) |
=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) === |
=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) === |
||
+ | (See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com]) |
||
− | * LightSensor / ProxALSSensor kernel exploit (Also used in Pangu 1.0.0) |
||
+ | * A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem |
||
− | * [[DeveloperDiskImage race condition]] (by [[comex]]) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn) |
||
+ | * [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache |
||
− | * enable-dylibs-to-override-cache (Also used in Pangu8) |
||
+ | * A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load |
||
− | * a kind of dylib injection into a system process (see IPA) (Also used in Pangu8 but tweaked slightly) |
||
+ | * libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative) |
||
− | * unknown exploits ({{cve|2014-4480}}, {{cve|2014-4487}}, {{cve|2014-4496}}) |
||
+ | * enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache) |
||
+ | * MobileStorageMounter exploit ({{cve|2015-1062}}) |
||
+ | * Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}}) |
||
+ | |||
+ | Kernel: |
||
+ | |||
+ | * Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses |
||
+ | * mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects |
||
+ | * IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory |
||
+ | |||
+ | === [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) === |
||
+ | (See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html) |
||
+ | * [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI |
||
+ | * enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis) |
||
+ | * Symbolic linking to AFC ({{cve|2015-5746}}) |
||
+ | * Backup exploit to write to protected regions of the disk ({{cve|2015-5752}}) |
||
+ | * Code signing exploit ({{cve|2015-3802}}) |
||
+ | * Code signing exploit ({{cve|2015-3803}}) |
||
+ | * Code signing exploit ({{cve|2015-3805}}) |
||
+ | * Code signing exploit ({{cve|2015-3806}}) |
||
+ | * IOHIDFamily exploit ({{cve|2015-5774}}) |
||
+ | * Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}}) |
||
+ | |||
+ | === [[EtasonJB]] and [[Home Depot]] (8.4.1) === |
||
+ | |||
+ | * OSUnserialize Information leak ({{cve|2016-4655}}) |
||
+ | * Kernel exploit ({{cve|2016-4656}}) |
||
+ | |||
+ | == Programs used to jailbreak 9.x == |
||
+ | === [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) === |
||
+ | * Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}}) |
||
+ | * MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}}) |
||
+ | * IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}}) |
||
+ | * dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}}) |
||
+ | * Racing KPP for some of the patches. |
||
+ | * AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}}) |
||
+ | |||
+ | === [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) === |
||
+ | * IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}}) |
||
+ | |||
+ | === [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) === |
||
+ | * Webkit exploit ({{cve|2016-4657}}) |
||
+ | |||
+ | === [[Home Depot]] (9.1-9.3.4) === |
||
+ | * OSUnserialize Information leak ({{cve|2016-4655}}) |
||
+ | * Kernel exploit ({{cve|2016-4656}}) |
||
+ | |||
+ | === [[JailbreakMe 4.0]] (9.1-9.3.4) === |
||
+ | * OSUnserialize Information leak ({{cve|2016-4655}}) |
||
+ | * Kernel exploit ({{cve|2016-4656}}) |
||
+ | * Webkit exploit ({{cve|2016-4657}}) |
||
+ | |||
+ | === [[Phœnix]] (9.3.5 / 9.3.6) === |
||
+ | * OSUnserialize Information leak ({{cve|2016-4655}}) |
||
+ | * mach_port_register Kernel exploit ({{cve|2016-4669}}) |
||
+ | |||
+ | == Programs used to jailbreak 10.x == |
||
+ | |||
+ | === [[extra_recipe+yaluX]] (10.0-10.1.1) === |
||
+ | |||
+ | * set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}}) |
||
+ | |||
+ | === [[yalu102]] (10.0.1-10.2) === |
||
+ | |||
+ | * mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}}) |
||
+ | |||
+ | === [[doubleH3lix]] (10.0.1 - 10.3.3) === |
||
+ | |||
+ | * IOSurface Kernel Exploit ({{cve|2017-13861}}) |
||
+ | |||
+ | === [[Meridian]] (10.0 - 10.3.3) === |
||
+ | |||
+ | * IOSurface Kernel Exploit ({{cve|2017-13861}}) |
||
+ | |||
+ | === [[TotallyNotSpyware]] (10.0 - 10.3.3) === |
||
+ | |||
+ | * IOSurface Kernel Exploit ({{cve|2017-13861}}) |
||
+ | * WebKit JIT optimization bug exploit ({{cve|2018-4233}}) |
||
+ | |||
+ | === [[H3lix]] (10.0.1 - 10.3.4) === |
||
+ | |||
+ | * IOSurface Kernel Exploit ({{cve|2017-13861}}) |
||
+ | |||
+ | == Programs used to jailbreak 11.x == |
||
+ | |||
+ | ===[[Unc0ver]] (11.0-11.4.1)=== |
||
+ | |||
+ | 11.0 - 11.1.2 |
||
+ | |||
+ | * IOSurface Kernel Exploit ({{cve|2017-13861}}) |
||
+ | |||
+ | 11.0 - 11.3.1 |
||
+ | |||
+ | * mptcp_usr_connectx (multi_path) ({{cve|2018-4241}}) |
||
+ | * getvolattrlist (empty_list) ({{cve|2018-4243}}) |
||
+ | |||
+ | 11.0 - 11.4.1 |
||
+ | |||
+ | * voucher_swap ({{cve|2019-6225}}) |
||
+ | |||
+ | ===[[Electra]] (11.0-11.4.1)=== |
||
+ | |||
+ | 11.0 - 11.1.2 |
||
+ | |||
+ | * IOSurface Kernel Exploit ({{cve|2017-13861}}) |
||
+ | |||
+ | 11.2 - 11.3.1 |
||
+ | |||
+ | * mptcp_usr_connectx (multi_path) ({{cve|2018-4241}}) |
||
+ | * getvolattrlist (empty_list) ({{cve|2018-4243}}) |
||
+ | |||
+ | 11.2 - 11.4.1 |
||
+ | |||
+ | * v1ntex ({{cve|2019-6225}}) |
||
+ | |||
+ | == Programs used to jailbreak 12.x == |
||
+ | |||
+ | ===[[Chimera]] (12.0 - 12.5.3)=== |
||
+ | |||
+ | 12.0 - 12.1.2 |
||
+ | |||
+ | * voucher_swap ({{cve|2019-6225}}) |
||
+ | |||
+ | 12.0 - 12.2/12.4 |
||
+ | |||
+ | * SockPuppet ({{cve|2019-8605}}) |
||
+ | |||
+ | ===[[Unc0ver]] (12.0 - 12.5.3)=== |
||
+ | |||
+ | 12.0 - 12.1.2 |
||
+ | |||
+ | * voucher_swap ({{cve|2019-6225}}) |
||
+ | |||
+ | 12.0 - 12.2/12.4 |
||
+ | |||
+ | * SockPuppet ({{cve|2019-8605}}) |
||
+ | |||
+ | 12.4.1 |
||
+ | |||
+ | * AppleAVE2Driver exploit ({{cve|2019-8795}}) |
||
+ | * AppleSPUProfileDriver information leak ({{cve|2019-8794}}) |
||
+ | |||
+ | 12.4.2 - 12.5.3 |
||
+ | |||
+ | * oob_timestamp ({{cve|2020-3837}}) |
||
+ | * cuck00 information leak ({{cve|2020-3836}}) |
||
+ | |||
+ | ===[[checkra1n]] (12.3 - 12.5.3)=== |
||
+ | |||
+ | * [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}}) |
||
+ | |||
+ | == Programs used to jailbreak 13.x == |
||
+ | |||
+ | ===[[Unc0ver]] (13.0 - 13.5.5~b1 (excluding 13.5.1))=== |
||
+ | |||
+ | 13.0 - 13.3 (before version 5.0.0) |
||
+ | |||
+ | * oob_timestamp ({{cve|2020-3837}}) |
||
+ | * cuck00 information leak ({{cve|2020-3836}}) |
||
+ | |||
+ | 13.0 - 13.5.5~b1 (excluding 13.5.1) (since version 5.0.0) |
||
+ | |||
+ | * tachy0n (LightSpeed) ({{cve|2020-9859}}) |
||
+ | |||
+ | ===[[Odyssey]] (13.0 - 13.7)=== |
||
+ | |||
+ | 13.0 - 13.5 |
||
+ | |||
+ | * tardy0n (LightSpeed) ({{cve|2020-9859}}) |
||
+ | |||
+ | 13.5.1 - 13.7 (for devices with SoCs other than the A8 and A9) |
||
+ | |||
+ | * FreeTheSandbox_LPE_POC_13.7 |
||
+ | |||
+ | 13.5.1 - 13.7 (for devices with A8/A9 SoCs) |
||
+ | |||
+ | * oob_events ({{cve|2020-27905}}), ({{cve|2020-9964}}) |
||
+ | |||
+ | ===[[checkra1n]] (13.0 - 13.7)=== |
||
+ | |||
+ | * [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}}) |
||
+ | |||
+ | == Programs used to jailbreak 14.x == |
||
+ | |||
+ | ===[[checkra1n]] (14.0 - 14.8.1)=== |
||
+ | |||
+ | * [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}}) |
||
+ | |||
+ | ===[[Unc0ver]] (14.0 - 14.8)=== |
||
+ | |||
+ | * ivac entry use-after-free ({{cve|2021-1782}}) |
||
+ | * pattern-f's closed source exploit ({{cve|2021-30883}}) |
||
+ | |||
+ | ===[[Taurine]] (14.0 - 14.3)=== |
||
+ | |||
+ | * cicuta_virosa ({{cve|2021-1782}}) |
Latest revision as of 04:17, 1 May 2022
This page lists the exploits used in jailbreaks.
Contents
- 1 Common exploits
- 2 Jailbreak Programs
- 3 Programs used to jailbreak 1.x
- 4 Programs used to jailbreak 2.x
- 5 Programs used to jailbreak 3.x
- 6 Programs used to jailbreak 4.x
- 6.1 JailbreakMe 2.0 / Star (4.0 / 4.0.1)
- 6.2 limera1n (4.0 / 4.0.1 / 4.0.2 / 4.1)
- 6.3 greenpois0n (4.1)
- 6.4 greenpois0n (4.2.1)
- 6.5 JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)
- 6.6 unthredeh4il (4.2.6 - 4.2.10)
- 6.7 JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)
- 6.8 i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)
- 6.9 unthredeh4il (4.3 - 4.3.5)
- 7 Programs used to jailbreak 5.x
- 8 Programs used to jailbreak 6.x
- 9 Programs used to jailbreak 7.x
- 10 Programs used to jailbreak 8.x
- 11 Programs used to jailbreak 9.x
- 12 Programs used to jailbreak 10.x
- 13 Programs used to jailbreak 11.x
- 14 Programs used to jailbreak 12.x
- 15 Programs used to jailbreak 13.x
- 16 Programs used to jailbreak 14.x
Common exploits
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.
- Pwnage + Pwnage 2.0 (together to jailbreak the iPhone, iPod touch, and iPhone 3G)
- ARM7 Go (from iOS 2.1.1) (for tethered jailbreak on iPod touch (2nd generation))
- 0x24000 Segment Overflow (for untethered jailbreak on iPhone 3GS with old bootrom and iPod touch (2nd generation) with old bootrom; another exploit as the limera1n Exploit is required)
- limera1n Exploit (for tethered jailbreak on iPhone 3GS, iPod touch (3rd generation), iPad, iPhone 4, iPod touch (4th generation) and Apple TV (2nd generation))
- usb_control_msg(0xA1, 1) Exploit (also known as "steaks4uce") (for tethered jailbreak on iPod touch (2nd generation))
Jailbreak Programs
PwnageTool (2.0 - 5.1.1)
- uses different common exploits
- uses the exploits listed below to untether up to iOS 5.1.1
redsn0w (3.0 - 6.0)
- uses different common exploits
- uses the same exploits as Absinthe and Absinthe 2.0 to jailbreak iOS 5.0/5.0.1 and 5.1.1
- uses the exploits listed below to untether up to iOS 5.1.1
sn0wbreeze (3.1.3 - 6.1.3)
- uses different common exploits
- uses the exploits listed below to untether up to iOS 6.1.2
Programs used to jailbreak 1.x
AppTapp Installer (1.0 / 1.0.1 / 1.0.2)
- iBoot
cp
-command exploit
iBrickr (1.0 / 1.0.1 / 1.0.2)
- iBoot
cp
-command exploit
AppSnapp/JailbreakMe 1.0 (1.0 / 1.0.1 / 1.0.2 / 1.1.1)
- libtiff exploit (Adapted from the PSP scene, used by JailbreakMe) (CVE-2006-3459)
OktoPrep (1.1.2)
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
Soft Upgrade (1.1.3)
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2
ZiPhone (1.1.3 / 1.1.4 / 1.1.5)
iLiberty / iLiberty+ (1.1.3 / 1.1.4 / 1.1.5)
Programs used to jailbreak 2.x
QuickPwn (2.0 - 2.2.1)
- uses Pwnage and Pwnage 2.0
Redsn0w Lite (2.1.1)
- ARM7 Go (for iPod touch (2nd generation) only)
Programs used to jailbreak 3.x
purplera1n (3.0)
blackra1n (3.1 / 3.1.1 / 3.1.2)
Spirit (3.1.2 / 3.1.3 / 3.2)
JailbreakMe 2.0 / Star (3.1.2 / 3.1.3 / 3.2 / 3.2.1)
- Malformed CFF Vulnerability (CVE-2010-1797)
- Incomplete Codesign Exploit
- IOSurface Kernel Exploit (CVE-2010-2973)
limera1n / greenpois0n (3.2.2)
- uses different common exploits
- Packet Filter Kernel Exploit
Programs used to jailbreak 4.x
JailbreakMe 2.0 / Star (4.0 / 4.0.1)
- Malformed CFF Vulnerability (CVE-2010-1797)
- Incomplete Codesign Exploit
- IOSurface Kernel Exploit (CVE-2010-2973)
limera1n (4.0 / 4.0.1 / 4.0.2 / 4.1)
- uses different common exploits
- Packet Filter Kernel Exploit
greenpois0n (4.1)
- uses different common exploits
- Packet Filter Kernel Exploit
greenpois0n (4.2.1)
- uses different common exploits
- HFS Legacy Volume Name Stack Buffer Overflow
JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)
unthredeh4il (4.2.6 - 4.2.10)
Except for the iPad (3rd generation)
- MobileBackup2 Copy Exploit
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- AMFID code signing evasion (CVE-2013-0977)
- launchd.conf untether
- Timezone Vulnerability
JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)
Except for the iPod touch (3rd generation) on iOS 4.3.1.
- T1 Font Integer Overflow (CVE-2011-0226)
- IOMobileFrameBuffer Privilege Escalation Exploit (CVE-2011-0227)
i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)
used in redsn0w to untether iOS 4.3.1 / 4.3.2 / 4.3.3
unthredeh4il (4.3 - 4.3.5)
Except for the iPad (3rd generation)
- MobileBackup2 Copy Exploit
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- AMFID code signing evasion (CVE-2013-0977)
- launchd.conf untether
- Timezone Vulnerability
Programs used to jailbreak 5.x
Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)
- Racoon String Format Overflow Exploit (CVE-2012-0646) (used both for payload injection and untether)
- HFS Heap Overflow (CVE-2012-0642)
- unknown exploit (CVE-2012-0643)
Corona Untether (5.0.1)
- Racoon String Format Overflow Exploit (CVE-2012-0646)
- HFS Heap Overflow (CVE-2012-0642)
- unknown exploit (CVE-2012-0643)
Absinthe 2.0 and Rocky Racoon Untether (5.1.1)
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)
- MobileBackup2 Copy Exploit
unthredeh4il (5.0-5.1.1)
Except for the iPad (3rd generation)
- MobileBackup2 Copy Exploit
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- AMFID code signing evasion (CVE-2013-0977)
- launchd.conf untether
- Timezone Vulnerability
Programs used to jailbreak 6.x
evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)
- Symbolic Link Vulnerability
- Timezone Vulnerability (CVE-2013-0979)
- Shebang Trick (CVE-2013-5154)
- AMFID code signing evasion
- launchd.conf untether
- IOUSBDeviceFamily Vulnerability (CVE-2013-0981)
- ARM Exception Vector Info Leak (CVE-2013-0978)
- dynamic memmove() locating
- vm_map_copy_t corruption for arbitrary memory disclosure
- kernel memory write via ROP gadget
- Overlapping Segment Attack (CVE-2013-0977)
p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)
- posix_spawn kernel information leak (CVE-2013-3954) (by i0n1c)
- posix_spawn kernel exploit (CVE-2013-3954) (by i0n1c)
- mach_msg_ool_descriptor_ts for heap shaping (CVE-2013-3953)
- AMFID_code_signing_evasi0n7 (CVE-2014-1273)
- DeveloperDiskImage race condition (by comex)
- launchd.conf untether
Programs used to jailbreak 7.x
evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)
This section is a stub; it is incomplete. Please add more content to this section and remove this tag.
- Symbolic Link Vulnerability (CVE-2013-5133)
- AMFID_code_signing_evasi0n7 (CVE-2014-1273)
- CrashHouseKeeping chmod vulnerability (CVE-2014-1272)
- ptmx_get_ioctl ioctl crafted call (CVE-2014-1278)
Geeksn0w (7.1 / 7.1.1)
- limera1n's bootrom exploit (Tethered jailbreak) on iPhone 4
Pangu (7.1 / 7.1.1 / 7.1.2)
- Mach-O OSBundleHeaders info leak (CVE-2014-4491) (Pangu v1.0.0)
- AppleKeyStore::initUserClient info leak (CVE-2014-4407) (Pangu >v1.0.0)
- break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (CVE-2014-4422)
- mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
- IOSharedDataQueue notification port overwrite (CVE-2014-4461)
- "syslogd chown" vulnerability
- enterprise certificate (no real exploit, used for initial "unsigned" code execution)
- "foo_extracted" symlink vulnerability (used to write to /var) (CVE-2014-4386)
- /tmp/bigfile (a big file for improvement of the reliability of a race condition)
- VoIP backgrounding trick (used to auto restart the app)
- hidden segment attack
Programs used to jailbreak 8.x
Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)
- an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
- enterprise certificate (inside the IPA)
- a kind of dylib injection into a system process (see IPA)
- a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
- a sandboxing problem in debugserver (CVE-2014-4457)
- mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
- the same kernel exploit as used in the first Pangu (CVE-2014-4461) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
- enable-dylibs-to-override-cache
- a new ovelapping segment attack (CVE-2014-4455)
TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2)
(See also details at newosxbook.com)
- A new AFC symlink attack (CVE-2014-4480) - to get onto the device filesystem
- DeveloperDiskImage race condition (by comex, also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
- A new overlapping segment attack [in a modified version], dyld, (CVE-2014-4455) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
- libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
- enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
- MobileStorageMounter exploit (CVE-2015-1062)
- Backup exploit used to access restricted parts of the filesystem (CVE-2015-1087)
Kernel:
- Mach-O OSBundleHeaders info leak (CVE-2014-4491) - leaks slid addresses
- mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
- IOHIDFamily Kernel exploit (CVE-2014-4487) - to overwrite memory
TaiG and PPJailbreak (8.1.3 / 8.2 / 8.3 / 8.4)
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
- DeveloperDiskImage race condition (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
- enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
- Symbolic linking to AFC (CVE-2015-5746)
- Backup exploit to write to protected regions of the disk (CVE-2015-5752)
- Code signing exploit (CVE-2015-3802)
- Code signing exploit (CVE-2015-3803)
- Code signing exploit (CVE-2015-3805)
- Code signing exploit (CVE-2015-3806)
- IOHIDFamily exploit (CVE-2015-5774)
- Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling (CVE-2015-5766)
EtasonJB and Home Depot (8.4.1)
- OSUnserialize Information leak (CVE-2016-4655)
- Kernel exploit (CVE-2016-4656)
Programs used to jailbreak 9.x
Pangu9 (9.0 / 9.0.1 / 9.0.2 / 9.1)
- Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. (CVE-2015-7037)
- MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. (CVE-2015-7051)
- IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. (CVE-2015-6974)
- dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency (CVE-2015-7079)
- Racing KPP for some of the patches.
- AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. (CVE-2015-7055)
Pangu9 (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3)
- IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. (CVE-2016-4654)
jbme (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3)
- Webkit exploit (CVE-2016-4657)
Home Depot (9.1-9.3.4)
- OSUnserialize Information leak (CVE-2016-4655)
- Kernel exploit (CVE-2016-4656)
JailbreakMe 4.0 (9.1-9.3.4)
- OSUnserialize Information leak (CVE-2016-4655)
- Kernel exploit (CVE-2016-4656)
- Webkit exploit (CVE-2016-4657)
Phœnix (9.3.5 / 9.3.6)
- OSUnserialize Information leak (CVE-2016-4655)
- mach_port_register Kernel exploit (CVE-2016-4669)
Programs used to jailbreak 10.x
extra_recipe+yaluX (10.0-10.1.1)
- set_dp_control_port exploit to execute arbitrary code with kernel privileges. (CVE-2016-7644)
yalu102 (10.0.1-10.2)
- mach_voucher_extract_attr_recipe_trap memory corruption. (CVE-2017-2370)
doubleH3lix (10.0.1 - 10.3.3)
- IOSurface Kernel Exploit (CVE-2017-13861)
Meridian (10.0 - 10.3.3)
- IOSurface Kernel Exploit (CVE-2017-13861)
TotallyNotSpyware (10.0 - 10.3.3)
- IOSurface Kernel Exploit (CVE-2017-13861)
- WebKit JIT optimization bug exploit (CVE-2018-4233)
H3lix (10.0.1 - 10.3.4)
- IOSurface Kernel Exploit (CVE-2017-13861)
Programs used to jailbreak 11.x
Unc0ver (11.0-11.4.1)
11.0 - 11.1.2
- IOSurface Kernel Exploit (CVE-2017-13861)
11.0 - 11.3.1
- mptcp_usr_connectx (multi_path) (CVE-2018-4241)
- getvolattrlist (empty_list) (CVE-2018-4243)
11.0 - 11.4.1
- voucher_swap (CVE-2019-6225)
Electra (11.0-11.4.1)
11.0 - 11.1.2
- IOSurface Kernel Exploit (CVE-2017-13861)
11.2 - 11.3.1
- mptcp_usr_connectx (multi_path) (CVE-2018-4241)
- getvolattrlist (empty_list) (CVE-2018-4243)
11.2 - 11.4.1
- v1ntex (CVE-2019-6225)
Programs used to jailbreak 12.x
Chimera (12.0 - 12.5.3)
12.0 - 12.1.2
- voucher_swap (CVE-2019-6225)
12.0 - 12.2/12.4
- SockPuppet (CVE-2019-8605)
Unc0ver (12.0 - 12.5.3)
12.0 - 12.1.2
- voucher_swap (CVE-2019-6225)
12.0 - 12.2/12.4
- SockPuppet (CVE-2019-8605)
12.4.1
- AppleAVE2Driver exploit (CVE-2019-8795)
- AppleSPUProfileDriver information leak (CVE-2019-8794)
12.4.2 - 12.5.3
- oob_timestamp (CVE-2020-3837)
- cuck00 information leak (CVE-2020-3836)
checkra1n (12.3 - 12.5.3)
Programs used to jailbreak 13.x
Unc0ver (13.0 - 13.5.5~b1 (excluding 13.5.1))
13.0 - 13.3 (before version 5.0.0)
- oob_timestamp (CVE-2020-3837)
- cuck00 information leak (CVE-2020-3836)
13.0 - 13.5.5~b1 (excluding 13.5.1) (since version 5.0.0)
- tachy0n (LightSpeed) (CVE-2020-9859)
Odyssey (13.0 - 13.7)
13.0 - 13.5
- tardy0n (LightSpeed) (CVE-2020-9859)
13.5.1 - 13.7 (for devices with SoCs other than the A8 and A9)
- FreeTheSandbox_LPE_POC_13.7
13.5.1 - 13.7 (for devices with A8/A9 SoCs)
- oob_events (CVE-2020-27905), (CVE-2020-9964)
checkra1n (13.0 - 13.7)
Programs used to jailbreak 14.x
checkra1n (14.0 - 14.8.1)
Unc0ver (14.0 - 14.8)
- ivac entry use-after-free (CVE-2021-1782)
- pattern-f's closed source exploit (CVE-2021-30883)
Taurine (14.0 - 14.3)
- cicuta_virosa (CVE-2021-1782)