Difference between revisions of "Jailbreak Exploits"

From The iPhone Wiki
Jump to: navigation, search
m (TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2))
(ProxALS not actually used, at least not in TaiG. Not mach_ports_info. corrected, added MachOBundle and more)
Line 189: Line 189:
 
=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
 
=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
 
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
 
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
  +
* a new afc symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* LightSensor / ProxALSSensor kernel exploit (Also used in Pangu 1.0.0)
 
* [[DeveloperDiskImage race condition]] (by [[comex]]) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn)
+
* [[DeveloperDiskImage race condition]] (by [[comex]]) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/libxpcd.cache
  +
* a new ovelapping segment attack [in a modified version] ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* enable-dylibs-to-override-cache (Also used in Pangu8)
 
  +
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual
* a kind of dylib injection into a system process (see IPA) (Also used in Pangu8 but tweaked slightly)
 
  +
* enable-dylibs-to-override-cache - (not an exploit, a feature) - required to allow loading of xpcd/libmis from filesystem, because they are both in shared cache
* a new ovelapping segment attack [in a modified version] ({{cve|2014-4455}})
 
  +
* a new afc symlink attack ({{cve|2014-4480}})
 
  +
Kernel:
* mach_ports info leak kernel exploit ({{cve|2014-4496}})
 
  +
* IOHIDFamily Kernel exploit ({{cve|2014-4487}})
 
  +
* MachOBundleHeaders - to leak kernel addresses (slid)
  +
* mach_port_kobject exploit - to defeat KASLR
  +
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

Revision as of 09:25, 15 February 2015

This page lists the exploits used in jailbreaks.

Contents

Common exploits which are used in order to jailbreak different versions of iOS

Programs which are used in order to jailbreak different versions of iOS

PwnageTool (2.0 - 5.1.1)

  • uses different common exploits
  • uses the exploits listed below to untether up to iOS 5.1.1

redsn0w (3.0 - 6.0)

  • uses different common exploits
  • uses the same exploits as Absinthe and Absinthe 2.0 to jailbreak iOS 5.0/5.0.1 and 5.1.1
  • uses the exploits listed below to untether up to iOS 5.1.1

sn0wbreeze (3.1.3 - 6.1.3)

  • uses different common exploits
  • uses the exploits listed below to untether up to iOS 6.1.2

Programs which are used in order to jailbreak 1.x

AppTapp Installer (1.0 / 1.0.1 / 1.0.2)

  • iBoot cp-command exploit

iBrickr (1.0 / 1.0.1 / 1.0.2)

  • iBoot cp-command exploit

AppSnapp/JailbreakMe 1.0 (1.0 / 1.0.1 / 1.0.2 / 1.1.1)

OktoPrep (1.1.2)

"Upgrade" to 1.1.2 from a jailborken 1.1.1

Soft Upgrade (1.1.3)

"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

ZiPhone (1.1.3 / 1.1.4 /1.1.5)

iLiberty / iLiberty+ (1.1.3 / 1.1.4 /1.1.5)

Programs which are used in order to jailbreak 2.x

QuickPwn (2.0 - 2.2.1)

Redsn0w Lite (2.1.1)

Programs which are used in order to jailbreak 3.x

purplera1n (3.0)

blackra1n (3.1.2)

Spirit (3.1.2 / 3.1.3 / 3.2)

JailbreakMe 2.0 / Star (3.1.2 / 3.1.3 / 3.2 / 3.2.1)

limera1n / greenpois0n (3.2.2)

Programs which are used in order to jailbreak 4.x

JailbreakMe 2.0 / Star (4.0 / 4.0.1)

limera1n / (4.0 / 4.0.1 / 4.0.2 / 4.1)

greenpois0n (4.1)

greenpois0n (4.2.1)

JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)

JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)

Except for the iPod touch 3G on iOS 4.3.1.

i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)

used in redsn0w to untether iOS 4.3.1 / 4.3.2 / 4.3.3

Programs which are used in order to jailbreak 5.x

unthredera1n (5.0 / 5.0.1 / 5.1 / 5.1.1)

Except for the iPad 3

Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)

Corona Untether (5.0.1)

Absinthe 2.0 and Rocky Racoon Untether (5.1.1)

  • a new Packet Filter Kernel Exploit (CVE-2012-3728)
  • Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)
  • MobileBackup2 Copy Exploit

Programs which are used in order to jailbreak 6.x

evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)

p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)

Programs which are used in order to jailbreak 7.x

evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)

This section is a stub; it is incomplete. Please add more content to this section and remove this tag.

Geeksn0w (7.1 / 7.1.1 / 7.1.2)

Pangu (7.1 / 7.1.1 / 7.1.2)

  • i0n1c's Infoleak vulnerability (Pangu v1.0.0)
  • break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
  • LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0) (CVE-2014-4388)
  • TempSensor kernel exploit (Pangu 1.1.0) (CVE-2014-4388)
  • "syslogd chown" vulnerability
  • enterprise certificate (no real exploit, used for initial "unsigned" code execution)
  • "foo_extracted" symlink vulnerability (used to write to /var) (CVE-2014-4386)
  • /tmp/bigfile (a big file for improvement of the reliability of a race condition)
  • VoIP backgrounding trick (used to auto restart the app)
  • hidden segment attack
  • IOKit crafted call maker utility (CVE-2014-4407)

Programs which are used in order to jailbreak 8.x

Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)

  • an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
  • enterprise certificate (inside the IPA)
  • a kind of dylib injection into a system process (see IPA)
  • a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
  • a sandboxing problem in debugserver (CVE-2014-4457)
  • the same/a similar kernel exploit as used in the first Pangu (CVE-2014-4461) (source @iH8sn0w)
  • enable-dylibs-to-override-cache
  • a new ovelapping segment attack (CVE-2014-4455)
  • i0n1c's Kernel info leak (CVE-2014-4491)

TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2)

(See also details at newosxbook.com)
  • a new afc symlink attack (CVE-2014-4480) - to get onto the device filesystem
* DeveloperDiskImage race condition (by comex) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/libxpcd.cache
  • a new ovelapping segment attack [in a modified version] (CVE-2014-4455) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
  • libmis redirection of MISValidateSignature (as per evasion) to kCFEqual
  • enable-dylibs-to-override-cache - (not an exploit, a feature) - required to allow loading of xpcd/libmis from filesystem, because they are both in shared cache

Kernel:

  • MachOBundleHeaders - to leak kernel addresses (slid)
  • mach_port_kobject exploit - to defeat KASLR
  • IOHIDFamily Kernel exploit (CVE-2014-4487) - to overwrite memory