The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "User:Aker"
(→Exploits which are used in order to jailbreak 3.x) |
(moved the content back) |
||
(15 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | = Jailbreak Exploits = |
||
− | |||
− | == Missing == |
||
− | * UnthreadedJB |
||
− | * name "steaks4uce" |
||
− | * references to limera1n and so on |
||
− | * [[Packet Filter Kernel Exploit]] on 4.0.x -> limera1n? |
||
− | |||
− | == Exploits which are used in order to jailbreak different versions of iOS == |
||
− | * [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]]) |
||
− | * [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]]) |
||
− | * [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[n72ap|iPod touch 2G]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required) |
||
− | * [[limera1n Exploit]] (for [[tethered jailbreak]] on [[n88ap|iPhone 3GS]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]] and [[k66ap|Apple TV 2G]]) |
||
− | * [[usb_control_msg(0xA1, 1) Exploit]] (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]]) |
||
− | |||
− | |||
− | == Exploits which are used in order to jailbreak 3.x == |
||
− | === [[purplera1n]] (3.0 / 3.0.1) === |
||
− | * [[iBoot Environment Variable Overflow]] |
||
− | |||
− | === [[blackra1n]] (3.1.2) === |
||
− | * [[usb_control_msg(0x21, 2) Exploit]] |
||
− | |||
− | === [[Spirit]] (3.1.2 / 3.1.3 / 3.2) === |
||
− | * [[MobileBackup Copy Exploit]] |
||
− | * [[Incomplete Codesign Exploit]] |
||
− | * [[BPF_STX Kernel Write Exploit]] |
||
− | |||
− | === [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) === |
||
− | * [[Malformed CFF Vulnerability]] |
||
− | * [[Incomplete Codesign Exploit]] |
||
− | * [[IOSurface Kernel Exploit]] |
||
− | |||
− | === [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) === |
||
− | * [[Packet Filter Kernel Exploit]] |
||
− | |||
− | == Exploits which are used in order to jailbreak 4.x == |
||
− | === [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) === |
||
− | * [[Malformed CFF Vulnerability]] |
||
− | * [[Incomplete Codesign Exploit]] |
||
− | * [[IOSurface Kernel Exploit]] |
||
− | |||
− | === 4.0.2 === |
||
− | * [[Packet Filter Kernel Exploit]] |
||
− | |||
− | === [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (4.1) === |
||
− | * [[Packet Filter Kernel Exploit]] |
||
− | |||
− | === [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) === |
||
− | * [[HFS Legacy Volume Name Stack Buffer Overflow]] |
||
− | |||
− | === [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) === |
||
− | * [[T1 Font Integer Overflow]] |
||
− | * [[HFS Legacy Volume Name Stack Buffer Overflow]] |
||
− | |||
− | === [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) === |
||
− | Except for the [[n18ap|iPod touch 3G]] on iOS 4.3.1. |
||
− | * [[T1 Font Integer Overflow]] |
||
− | * [[IOMobileFrameBuffer Privilege Escalation Exploit]] |
||
− | |||
− | === i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) === |
||
− | * [[ndrv_setspec() Integer Overflow]] |
||
− | |||
− | == Exploits which are used in order to jailbreak 5.x == |
||
− | === [[Absinthe]] (5.0 on [[n94ap|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) === |
||
− | * [[Racoon String Format Overflow Exploit]] (used both for payload injection and untether) |
||
− | * [[HFS Heap Overflow]] |
||
− | |||
− | === [[Corona|Corona Untether]] (5.0.1) === |
||
− | * [[Racoon String Format Overflow Exploit]] |
||
− | * [[HFS Heap Overflow]] |
||
− | |||
− | === [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) === |
||
− | {{Section Stub}} |
||
− | * a new Packet Filter Kernel Exploit (CVE-2012-3728) |
||
− | * Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727) |
||
− | |||
− | == Exploits which are used in order to jailbreak 6.x == |
||
− | === [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) === |
||
− | * [[Symbolic Link Vulnerability]] |
||
− | * [[Timezone Vulnerability]] |
||
− | * [[Shebang Trick]] |
||
− | * [[AMFID code signing evasion]] |
||
− | * [[launchd.conf untether]] |
||
− | * [[IOUSBDeviceFamily Vulnerability]] |
||
− | * [[ARM Exception Vector Info Leak]] |
||
− | * [[dynamic memmove() locating]] |
||
− | * [[vm_map_copy_t corruption for arbitrary memory disclosure]] |
||
− | * [[kernel memory write via ROP gadget]] |
||
− | |||
− | === [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) === |
||
− | * [[posix_spawn kernel information leak]] (by [[i0n1c]]) |
||
− | * [[posix_spawn kernel exploit]] (CVE-2013-3954) (by [[i0n1c]]) |
||
− | * [[mach_msg_ool_descriptor_ts for heap shaping]] |
||
− | * [[AMFID_code_signing_evasi0n7]] |
||
− | * [[DeveloperDiskImage race condition]] (by [[comex]]) |
||
− | * [[launchd.conf untether]] |
||
− | |||
− | |||
− | == Exploits which are used in order to jailbreak 7.x == |
||
− | {{Section Stub}} |
||
− | === [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) === |
||
− | * [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5133 CVE-2013-5133] |
||
− | * [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1272 CVE-2014-1272] |
||
− | * [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1273 CVE-2014-1273] |
||
− | * [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1278 CVE-2014-1278] |
||
− | * [[Symbolic Link Vulnerability]] |
||
− | |||
− | === [[Geeksn0w]] (7.1 / 7.1.1 / 7.1.2) === |
||
− | * [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]] |
||
− | |||
− | === [[Pangu]] (7.1 / 7.1.1 / 7.1.2) === |
||
− | * [[i0n1c]]'s Infoleak vulnerability (Pangu v1.0.0) |
||
− | * break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) (Pangu v1.1.0) |
||
− | * LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0) |
||
− | * TempSensor kernel exploit (Pangu 1.1.0) |
||
− | * "syslogd chown" vulnerability |
||
− | * enterprise certificate (no real exploit, used for initial "unsigned" code execution) |
||
− | * "foo_extracted" symlink vulnerability (used to write to /var) |
||
− | * /tmp/bigfile (a big file for improvement of the reliability of a race condition) |
||
− | * VoIP backgrounding trick (used to auto restart the app) |
||
− | * hidden segment attack |
||
− | |||
− | |||
− | == Exploits which are used in order to jailbreak 8.x == |
||
− | {{Section Stub}} |
||
− | === [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) === |
||
− | * an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w) |
||
− | * enterprise certificate (inside the IPA) |
||
− | * a kind of dylib injection into a system process (see IPA) |
||
− | * a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking) |
||
− | * a sandboxing problem in debugserver (CVE-2014-4457) |
||
− | * the same/a similar kernel exploit as used in [[Pangu]] (CVE-2014-4461) (source @iH8sn0w) |
||
− | * enable-dylibs-to-override-cache |
||
− | * CVE-2014-4455 |
||
− | |||
− | === [[TaiG]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1) === |
||
− | * LightSensor / ProxALSSensor kernel exploit (Also used in Pangu 1.0.0) |
||
− | * [[DeveloperDiskImage race condition]] (by [[comex]]) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn) |
||
− | * enable-dylibs-to-override-cache (Also used in Pangu8) |
||
− | * a kind of dylib injection into a system process (see IPA) (Also used in Pangu8 but tweaked slightly) |