Difference between revisions of "User:Aker"
m (→limera1n / greenpois0n (jailbreak) (4.1): fix link)
(→Jailbreak Exploits: copy iOS 3)
Line 13:
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[n88ap|iPhone 3GS]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]] and [[k66ap|Apple TV 2G]]) |
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[n88ap|iPhone 3GS]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]] and [[k66ap|Apple TV 2G]]) |
* [[usb_control_msg(0xA1, 1) Exploit]] (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]]) |
* [[usb_control_msg(0xA1, 1) Exploit]] (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]]) |
+ | |||
+ | |||
+ | == Exploits which are used in order to jailbreak 3.x == |
+ | === 3.0 / 3.0.1 === |
+ | * [[Pwnage]] + [[Pwnage 2.0]] ([[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]]) |
+ | * [[ARM7 Go]] (from iOS 2.1.1) + [[0x24000 Segment Overflow]] ( [[n72ap|iPod touch 2G]]) |
+ | * [[Pwnage]] + [[iBoot Environment Variable Overflow]] ([[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]]) |
+ | * [[0x24000 Segment Overflow]] + [[iBoot Environment Variable Overflow]] ([[n72ap|iPod touch 2G]] and [[n88ap|iPhone 3GS]]) |
+ | === 3.1 / 3.1.1 === |
+ | * [[Pwnage]] + [[Pwnage 2.0]] (together for [[untethered jailbreak]] on [[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]]) |
+ | * [[usb_control_msg(0x21, 2) Exploit]] ([[tethered jailbreak]] on [[n72ap|iPod touch 2G]] [[Bootrom 240.5.1|new bootrom]], [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], and [[n18ap|iPod touch 3G]]) |
+ | * [[0x24000 Segment Overflow]] + [[usb_control_msg(0x21, 2) Exploit]] ([[n72ap|iPod touch 2G]] [[Bootrom 240.4|old bootrom]] and [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]]) |
+ | === 3.1.2 === |
+ | * [[Pwnage]] + [[Pwnage 2.0]] (together for [[untethered jailbreak]] on [[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]]) |
+ | * [[usb_control_msg(0x21, 2) Exploit]] ([[tethered jailbreak]] on [[n72ap|iPod touch 2G]] [[Bootrom 240.5.1|new bootrom]], [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], and [[n18ap|iPod touch 3G]]) |
+ | * [[0x24000 Segment Overflow]] + [[usb_control_msg(0x21, 2) Exploit]] ([[n72ap|iPod touch 2G]] [[Bootrom 240.4|old bootrom]] and [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]]) |
+ | * [[MobileBackup Copy Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] (all devices, used in [[Spirit]]) |
+ | * [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] (all devices, used in [[Star]]) |
+ | === 3.1.3 === |
+ | * [[Pwnage]] + [[Pwnage 2.0]] (together for [[untethered jailbreak]] on [[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]]) |
+ | * [[0x24000 Segment Overflow]] (for [[n72ap|iPod touch 2G]] and [[n88ap|iPhone 3GS]] devices with older bootroms) |
+ | ** + [[Limera1n Exploit]] ([[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]], used in [[sn0wbreeze]]) |
+ | ** + [[usb_control_msg(0xA1, 1) Exploit]] ([[n72ap|iPod touch 2G]] [[Bootrom 240.4|old bootrom]], used in [[sn0wbreeze]]) |
+ | * [[usb_control_msg(0xA1, 1) Exploit]]+ [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] ([[n72ap|iPod touch 2G]] [[Bootrom 240.5.1|new bootrom]], used in [[sn0wbreeze]]) |
+ | * [[Limera1n Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] ([[N18ap|iPod touch 3G]] and [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], used in [[sn0wbreeze]]) |
+ | * [[MobileBackup Copy Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] (all devices, used in [[Spirit]]) |
+ | * [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] (all devices, used in [[Star]]) |
+ | |||
+ | === 3.2 === |
+ | * [[MobileBackup Copy Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] (all devices, used in [[Spirit]]) |
+ | * [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] ([[k48ap|iPad]], used in [[Star]]) |
+ | * [[Limera1n Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] ([[K48ap|iPad]] used in [[sn0wbreeze]] 2.9.x) |
+ | === 3.2.1 === |
+ | * [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] ([[k48ap|iPad]], used in [[Star]]) |
+ | * [[Limera1n Exploit]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] ([[k48ap|iPad]], used in [[sn0wbreeze]] 2.9.x) |
+ | === 3.2.2 === |
+ | * [[Limera1n Exploit]] + [[Packet Filter Kernel Exploit]] ([[k48ap|iPad]]) |
+ | |||
== Exploits which are used in order to jailbreak 4.x == |
== Exploits which are used in order to jailbreak 4.x == |
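Review bot: link targets and spacing in the added 3.x sections are inconsistent with the existing entries at the top of the hunk. The existing list writes `[[limera1n Exploit]]`, `[[n18ap|iPod touch 3G]]` and `[[k48ap|iPad]]`, while the new 3.1.3 and 3.2 entries use `[[Limera1n Exploit]]`, `[[N18ap|iPod touch 3G]]` and `[[K48ap|iPad]]`; MediaWiki folds the first letter of a title, so these still resolve to the same pages, but matching the existing lowercase form keeps the list uniform. Two spacing slips in the new lines: a missing space before the `+` in `[[usb_control_msg(0xA1, 1) Exploit]]+ [[Incomplete Codesign Exploit]]` (3.1.3) and a stray one in `( [[n72ap|iPod touch 2G]])` (3.0 / 3.0.1). The `** + [[Limera1n Exploit]]` and `** + [[usb_control_msg(0xA1, 1) Exploit]]` sub-bullets under the 3.1.3 0x24000 Segment Overflow entry rely on the reader inferring that they chain onto the parent exploit; a lead such as "combined with" would make that explicit.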
Revision as of 08:43, 6 December 2014
Jailbreak Exploits
Missing
- UnthreadedJB
- name "steaks4uce"
- references to limera1n and so on
- Packet Filter Kernel Exploit on 4.0.x -> limera1n?
Exploits which are used in order to jailbreak different versions of iOS
- Pwnage + Pwnage 2.0 (together to jailbreak the iPhone 3G)
- ARM7 Go (from iOS 2.1.1) (for tethered jailbreak on iPod touch 2G)
- 0x24000 Segment Overflow (for untethered jailbreak on iPhone 3GS with old bootrom and iPod touch 2G with old bootrom; a second exploit such as the limera1n Exploit is also required)
- limera1n Exploit (for tethered jailbreak on iPhone 3GS, iPod touch 3G, iPad, iPhone 4, iPod touch 4G and Apple TV 2G)
- usb_control_msg(0xA1, 1) Exploit (for tethered jailbreak on iPod touch 2G)
Exploits which are used in order to jailbreak 3.x
3.0 / 3.0.1
- Pwnage + Pwnage 2.0 (iPhone, iPod touch, and iPhone 3G)
- ARM7 Go (from iOS 2.1.1) + 0x24000 Segment Overflow (iPod touch 2G)
- Pwnage + iBoot Environment Variable Overflow (iPhone, iPod touch, and iPhone 3G)
- 0x24000 Segment Overflow + iBoot Environment Variable Overflow (iPod touch 2G and iPhone 3GS)
3.1 / 3.1.1
- Pwnage + Pwnage 2.0 (together for untethered jailbreak on iPhone, iPod touch, and iPhone 3G)
- usb_control_msg(0x21, 2) Exploit (tethered jailbreak on iPod touch 2G new bootrom, iPhone 3GS new bootrom, and iPod touch 3G)
- 0x24000 Segment Overflow + usb_control_msg(0x21, 2) Exploit (iPod touch 2G old bootrom and iPhone 3GS old bootrom)
3.1.2
- Pwnage + Pwnage 2.0 (together for untethered jailbreak on iPhone, iPod touch, and iPhone 3G)
- usb_control_msg(0x21, 2) Exploit (tethered jailbreak on iPod touch 2G new bootrom, iPhone 3GS new bootrom, and iPod touch 3G)
- 0x24000 Segment Overflow + usb_control_msg(0x21, 2) Exploit (iPod touch 2G old bootrom and iPhone 3GS old bootrom)
- MobileBackup Copy Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (all devices, used in Spirit)
- Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (all devices, used in Star)
3.1.3
- Pwnage + Pwnage 2.0 (together for untethered jailbreak on iPhone, iPod touch, and iPhone 3G)
- 0x24000 Segment Overflow (for iPod touch 2G and iPhone 3GS devices with older bootroms)
  - + Limera1n Exploit (iPhone 3GS old bootrom, used in sn0wbreeze)
  - + usb_control_msg(0xA1, 1) Exploit (iPod touch 2G old bootrom, used in sn0wbreeze)
- usb_control_msg(0xA1, 1) Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (iPod touch 2G new bootrom, used in sn0wbreeze)
- Limera1n Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (iPod touch 3G and iPhone 3GS new bootrom, used in sn0wbreeze)
- MobileBackup Copy Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (all devices, used in Spirit)
- Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (all devices, used in Star)
3.2
- MobileBackup Copy Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (all devices, used in Spirit)
- Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (iPad, used in Star)
- Limera1n Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (iPad, used in sn0wbreeze 2.9.x)
3.2.1
- Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (iPad, used in Star)
- Limera1n Exploit + Incomplete Codesign Exploit + IOSurface Kernel Exploit (iPad, used in sn0wbreeze 2.9.x)
3.2.2
- Limera1n Exploit + Packet Filter Kernel Exploit (iPad)
Exploits which are used in order to jailbreak 4.x
JailbreakMe 2.0 / Star (4.0 / 4.0.1)
4.0.2
limera1n / greenpois0n (4.1)
greenpois0n (4.2.1)
JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)
JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)
Except for the iPod touch 3G on iOS 4.3.1.
i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)
Exploits which are used in order to jailbreak 5.x
Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)
- Racoon String Format Overflow Exploit (used both for payload injection and untether)
- HFS Heap Overflow
Corona Untether (5.0.1)
Absinthe 2.0 and Rocky Racoon Untether (5.1.1)
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)
Exploits which are used in order to jailbreak 6.x
evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)
- Symbolic Link Vulnerability
- Timezone Vulnerability
- Shebang Trick
- AMFID code signing evasion
- launchd.conf untether
- IOUSBDeviceFamily Vulnerability
- ARM Exception Vector Info Leak
- dynamic memmove() locating
- vm_map_copy_t corruption for arbitrary memory disclosure
- kernel memory write via ROP gadget
p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)
- posix_spawn kernel information leak (by i0n1c)
- posix_spawn kernel exploit (CVE-2013-3954) (by i0n1c)
- mach_msg_ool_descriptor_ts for heap shaping
- AMFID_code_signing_evasi0n7
- DeveloperDiskImage race condition (by comex)
- launchd.conf untether
Exploits which are used in order to jailbreak 7.x
evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)
Geeksn0w (7.1 / 7.1.1 / 7.1.2)
- limera1n's bootrom exploit (Tethered jailbreak) on iPhone 4
Pangu (7.1 / 7.1.1 / 7.1.2)
- i0n1c's Infoleak vulnerability (Pangu v1.0.0)
- break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
- LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0)
- TempSensor kernel exploit (Pangu 1.1.0)
- "syslogd chown" vulnerability
- enterprise certificate (no real exploit, used for initial "unsigned" code execution)
- "foo_extracted" symlink vulnerability (used to write to /var)
- /tmp/bigfile (a big file for improvement of the reliability of a race condition)
- VoIP backgrounding trick (used to auto restart the app)
- hidden segment attack
Exploits which are used in order to jailbreak 8.x
Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)
- an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
- enterprise certificate (inside the IPA)
- a kind of dylib injection into a system process (see IPA)
- a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
- a sandboxing problem in debugserver (CVE-2014-4457)
- the same/a similar kernel exploit as used in Pangu (CVE-2014-4461) (source @iH8sn0w)
- enable-dylibs-to-override-cache
- CVE-2014-4455
TaiG (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1)
- LightSensor / ProxALSSensor kernel exploit (also used in Pangu 1.0.0)
- DeveloperDiskImage race condition (by comex) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn)
- enable-dylibs-to-override-cache (also used in Pangu8)
- a kind of dylib injection into a system process (see IPA) (also used in Pangu8, but tweaked slightly)