Difference between revisions of "Untethered jailbreak"

From The iPhone Wiki
m (Device support: Updating.)
Line 1: Line 1:
  +
An '''untethered jailbreak''' uses exploits that are powerful enough to allow the user to turn their device off and back on at will, with the device starting up completely, and the kernel will be patched without the help of a computer – in other words, it will be jailbroken even after each reboot.
An untethered jailbreak is a type of [[jailbreak]] where your device does not require you to reboot with a connection to an external device capable of executing commands on the device.
 
   
== Device support ==
+
== Untethered exploits ==
  +
Any [[M68AP|iPhone 2G]], [[N45AP|iPod touch]], [[N82AP|iPhone 3G]], [[N88AP|iPhone 3GS]] (running the [[Bootrom 359.3|old bootrom]]) or [[N72AP|iPod touch 2G]] (running the [[Bootrom 240.4|old bootrom]]) can be jail broken untethered no matter what version it is running. These devices have bootrom exploits that are able to jailbreak untethered - namely [[Pwnage 2.0]] and [[0x24000 Segment Overflow]].
Many device/firmware combinations can use an untethered jailbreak.
 
 
Devices as new as the [[iPhone 4|iPhone 4]]/[[N81AP|iPod touch 4G]]/[[K66AP|Apple TV 2G]] have known [[bootrom]] exploits. However, the [[N88AP|iPhone 3GS]] ([[Bootrom 359.3|old bootrom]]) and older have bootrom exploits that allow for an untethered jailbreak. Newer devices as old as the [[N88AP|iPhone 3GS]] ([[Bootrom 359.3.2|new bootrom]]), [[N72AP|iPod touch 2G]] ([[Bootrom 240.5.1|new bootrom]]), and [[N18AP|iPod touch 3G]] have bootrom exploits that are limited to a [[tethered jailbreak]] (without the assistance of a firmware-based exploit).
 
   
 
==Different Types==
 
==Different Types==
There are 2 types of untethered jailbreaks: Patched [[LLB]]-based and kernel hacks. On the first sort, that requires an untethered bootrom dump (e.g. [[24kpwn]] or [[Pwnage 2.0]]), it is permanent and unpatchable, except for an hardware update. This type of jailbreak patches the LLB to not check the firmware at boot-up , letting a pwned kernel or a custom bootlogo to be uploaded to the system. The second type, uploads the unpwned kernel, the system checks the signature, then a kernel exploit happens and the kernel is being patched and changed to fit jailbreak. After the exploit, the bootlogo can be changed. A userland exploit was used before the kernel exploit to get bypassed the iBoot signature checks before the kernel exploit. up to iOS 4.3.3, [[Incomplete Codesign Exploit]] was used. in iOS 4.3.4, it was patched. in 5.0.1 [[Racoon String Format Overflow Exploit]] is used instead. The kernel exploits found so far: [[BPF_STX Kernel Write Exploit]] (works up to iOS 3.2), [[iOSurface Kernel Exploit]] (works up to iOS 4.0.1, excluding 3.2.2), [[Packet Filter Kernel Exploit]] (Works up to iOS 4.2 beta 3), [[HFS Legacy Volume Name Stack Buffer Overflow]] (vulnerability in HFS, works up to iOS 4.2.8), [[ndrv_setspec() Integer Overflow]] (Works up to iOS 4.3.3) and [[HFS Heap Overflow]] (Works up to iOS 5.0.1)
+
There are 2 types of untethered jailbreaks: Patched [[LLB]]-based and kernel hacks. For a patched [[LLB]]-based jailbreak, an untethered bootrom dump (such as [[24kpwn]] or [[Pwnage 2.0]]) is required. This type of jailbreak patches the LLB so that it does not check the firmware at bootup, allowing for a pwned kernel or a custom bootlogo to be uploaded to the system.
 
==Utilities capable of untethered jailbreaks==
 
These jailbreak utilities can perform an untethered jailbreak, sorted by operating system.
 
 
===iOS===
 
[[Star]] and [[saffron]] run on the device itself, and are completely independent of a computer's operating system. JailbreakMe has supported so far 1.0-1.1.1,3.1.2-4.0.1(no 3.2.2) and 4.3-4.3.3. Each device can be jailbroken on those firmwares, No matter what, but if [[SHSH]] blobs aren't given for a certain firmware, it is not restorable.
 
 
 
===Mac OS X===
 
* [[Absinthe]]
 
* [[blackra1n]]
 
* [[evasi0n]]
 
* [[evasi0n7]]
 
* [[Greenpois0n (jailbreak)|greenpois0n]]
 
* [[limera1n]]
 
* [[Pangu]]
 
* [[Pangu8]]
 
* [[PPJailbreak]]
 
* [[PwnageTool]]
 
* [[redsn0w]]
 
* [[Spirit]]
 
* [[TaiG]]
 
   
  +
The second type, which hacks the kernel, uploads the unpwned kernel, which the system then checks for a signature, then a kernel exploit is uploaded and the kernel is being patched and changed to run unsigned code. After the exploit, the bootlogo can be changed. A userland exploit was used before the kernel exploit in order to bypass the iBoot signature checks before the kernel exploit.
===Windows===
 
* [[Absinthe]]
 
* [[evasi0n]]
 
* [[evasi0n7]]
 
* [[blackra1n]]
 
* [[Greenpois0n (jailbreak)|greenpois0n]]
 
* [[limera1n]]
 
* [[Pangu]]
 
* [[Pangu8]]
 
* [[redsn0w]]
 
* [[sn0wbreeze]]
 
* [[Spirit]]
 
* [[TaiG]]
 
   
===Linux===
+
==See Also==
* [[Absinthe]]
+
*[[Jailbreak]]
* [[evasi0n]]
+
*[[Jailbreak Exploits]]
* [[Greenpois0n (jailbreak)|greenpois0n]]
+
*[[Tethered jailbreak]]
  +
*[[Semi-tethered jailbreak]]
* [[redsn0w]] (0.8)
 
  +
*[[Semi-untethered jailbreak]]
* [[Spirit]]
 
   
 
[[Category:Jailbreaking]]
 
[[Category:Jailbreaking]]
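Review bot: the change is marked minor (m) with the summary "Device support: Updating.", yet the hunk rewrites the lead sentence, renames the "Device support" section to "Untethered exploits", drops the paragraph on which newer devices (iPhone 4, iPod touch 4G, Apple TV 2G, and the new-bootrom iPhone 3GS, iPod touch 2G and iPod touch 3G) only have bootrom exploits limited to a tethered jailbreak, drops the dated list of userland and kernel exploits (Incomplete Codesign Exploit, Racoon String Format Overflow Exploit, and BPF_STX Kernel Write Exploit through HFS Heap Overflow with their supported iOS ranges), and removes the whole "Utilities capable of untethered jailbreaks" section with its per-OS tool lists; that is a major revision whose summary should name the removals, since the new "See Also" links do not restate any of that information. Also, in the new second-type paragraph, "A userland exploit was used before the kernel exploit in order to bypass the iBoot signature checks before the kernel exploit" repeats "before the kernel exploit", and "the kernel is being patched and changed to run unsigned code" should read "the kernel is patched to run unsigned code".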

Revision as of 12:59, 11 March 2017

An untethered jailbreak uses exploits powerful enough that the user can turn the device off and back on at will: the device starts up completely and the kernel is patched without the help of a computer. In other words, the device is still jailbroken after every reboot.

Untethered exploits

Any iPhone 2G, iPod touch, iPhone 3G, iPhone 3GS (running the old bootrom) or iPod touch 2G (running the old bootrom) can be jailbroken untethered regardless of the firmware version it is running. These devices have bootrom exploits that can jailbreak them untethered, namely Pwnage 2.0 and 0x24000 Segment Overflow.

Different Types

There are two types of untethered jailbreaks: patched LLB-based jailbreaks and kernel hacks. A patched LLB-based jailbreak requires an untethered bootrom exploit (such as 24kpwn or Pwnage 2.0). This type of jailbreak patches the LLB so that it does not check the firmware at bootup, allowing a pwned kernel or a custom boot logo to be loaded onto the system.

The second type, the kernel hack, loads the unmodified (unpwned) kernel, which passes the system's signature check; a kernel exploit is then run and the kernel is patched so that it runs unsigned code. After the exploit, the boot logo can be changed. Before the kernel exploit, a userland exploit was used to bypass the iBoot signature checks.
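As an added illustration that is not part of the wiki page, the constructed Python model below shows why the two types differ in persistence: each boot stage carries a digest of the next image and refuses to hand off on a mismatch, so a patched LLB only survives when the bootrom's own check is defeated, while the kernel hack leaves flash untouched and must be reapplied at every boot. A digest stands in for Apple's signature check, the patched LLB is assumed to hand off to a patched iBoot as well, and the stage names and image bytes are made up.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Stage:
    name: str
    image: bytes
    checks_next: bool = True  # False: this stage's check of the next image is defeated

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

# Constructed stand-ins for the signed images; a digest baked into the previous stage
# stands in for Apple's signature check (a simplification, not the real scheme).
STOCK = {"LLB": b"stock LLB image", "iBoot": b"stock iBoot image", "kernel": b"stock kernel image"}
TRUSTED = {name: digest(img) for name, img in STOCK.items()}

def boot(chain: List[Stage]) -> Tuple[bool, Optional[bytes]]:
    """Walk bootrom -> LLB -> iBoot -> kernel; return (booted, kernel image that ran)."""
    for cur, nxt in zip(chain, chain[1:]):
        if cur.checks_next and digest(nxt.image) != TRUSTED[nxt.name]:
            return False, None  # mismatch: the stage refuses to hand off, boot halts
    return True, chain[-1].image

def stock_chain() -> List[Stage]:
    # The bootrom is ROM: its check cannot be patched in software, only bypassed by a bootrom exploit.
    return [Stage("bootrom", b"bootrom")] + [Stage(n, i) for n, i in STOCK.items()]

def patched_llb_chain(bootrom_exploited: bool) -> List[Stage]:
    """Type 1: a patched LLB skips the firmware check so a patched iBoot and custom kernel load.
    The patched LLB itself only passes the bootrom's check if that check is defeated."""
    chain = stock_chain()
    chain[0].checks_next = not bootrom_exploited
    chain[1] = Stage("LLB", b"patched LLB image", checks_next=False)
    chain[2] = Stage("iBoot", b"patched iBoot image", checks_next=False)
    chain[3] = Stage("kernel", b"custom kernel image")
    return chain

def kernel_hack_boot(exploit_runs_on_device: bool) -> Optional[bytes]:
    """Type 2: the stock kernel passes every check, then a kernel exploit patches it at runtime.
    Nothing in flash changed, so the patch is gone after a reboot and must be reapplied; it is
    untethered only when the exploit can be run on the device itself, without a computer."""
    booted, kernel = boot(stock_chain())
    if not booted:
        return None
    return kernel + b" [runtime patched]" if exploit_runs_on_device else kernel
```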

See Also