The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Jailbreak Exploits"
(→7.1 / 7.1.1 / 7.1.2: seperated geeksn0w and Pangu, added a few "exploits" found while analysing the binary) |
|||
(138 intermediate revisions by 18 users not shown) | |||
Line 1: | Line 1: | ||
− | This page lists the exploits used in [[ |
+ | This page lists the '''exploits''' used in [[jailbreak]]s. |
+ | |||
− | == Exploits which were used in order to jailbreak 1.x == |
||
+ | These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs. |
||
− | * [[Restore Mode]] ([[iBoot (Bootloader)|iBoot]] had a command named cp, which had access to the whole filesystem) |
||
+ | |||
− | === 1.1.1 === |
||
+ | * [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]]) |
||
− | * [[Symlinks]] (an upgrade jailbreak) |
||
+ | * [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]]) |
||
− | * [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) |
||
+ | * [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required) |
||
− | === 1.1.2 === |
||
+ | * [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]]) |
||
− | * [[Mknod]] (an upgrade jailbreak) |
||
+ | * [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]]) |
||
− | === 1.1.3 / 1.1.4 / 1.1.5 === |
||
+ | |||
− | * [[Soft Upgrade]] (an upgrade jailbreak) |
||
− | + | == Common exploits == |
|
+ | == Jailbreak Programs == |
||
+ | === [[PwnageTool]] (2.0 - 5.1.1) === |
||
+ | * uses different common exploits |
||
+ | * uses the exploits listed below to untether up to iOS 5.1.1 |
||
+ | |||
+ | === [[redsn0w]] (3.0 - 6.0) === |
||
+ | * uses different common exploits |
||
+ | * uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1 |
||
+ | * uses the exploits listed below to untether up to iOS 5.1.1 |
||
+ | |||
+ | === [[sn0wbreeze]] (3.1.3 - 6.1.3) === |
||
+ | * uses different common exploits |
||
+ | * uses the exploits listed below to untether up to iOS 6.1.2 |
||
+ | |||
+ | == Programs used to jailbreak 1.x == |
||
+ | === [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) === |
||
+ | * iBoot <code>cp</code>-command exploit |
||
+ | |||
+ | === [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) === |
||
+ | * iBoot <code>cp</code>-command exploit |
||
+ | |||
+ | === [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) === |
||
+ | * [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}}) |
||
+ | |||
+ | === [[mknod|OktoPrep]] (1.1.2) === |
||
+ | "Upgrade" to 1.1.2 from a jailbroken 1.1.1 |
||
+ | * [[mknod]] |
||
+ | |||
+ | === [[Soft Upgrade]] (1.1.3) === |
||
+ | "Upgrade" to 1.1.3 from a running jailbroken 1.1.2 |
||
+ | |||
+ | === [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) === |
||
* [[Ramdisk Hack]] |
* [[Ramdisk Hack]] |
||
− | * [[Dual Boot Exploit]] - Works up to [[iOS]] 2.0 beta 3 |
||
− | * [[diags]] - Works up to [[iOS]] 2.0 beta 5 |
||
+ | === [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) === |
||
− | == Exploits which are used in order to jailbreak 2.x == |
||
− | === 2.0 / 2.0.1 / 2.0.2 / 2.1 === |
||
− | * [[Pwnage]] + [[Pwnage 2.0]] |
||
− | === 2.1.1 === |
||
− | * [[ARM7 Go]] ([[tethered jailbreak]]) |
||
− | === 2.2 === |
||
− | * [[Pwnage]] + [[Pwnage 2.0]] ([[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]]) |
||
− | === 2.2.1 === |
||
− | * [[Pwnage]] + [[Pwnage 2.0]] ([[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]]) |
||
− | * [[0x24000 Segment Overflow]] + [[ARM7 Go]] (from iOS 2.1.1) ([[n72ap|iPod touch 2G]]) |
||
− | == |
+ | == Programs used to jailbreak 2.x == |
− | === |
+ | === [[QuickPwn]] (2.0 - 2.2.1) === |
− | * [[Pwnage]] |
+ | * uses [[Pwnage]] and [[Pwnage 2.0]] |
− | * [[ARM7 Go]] (from iOS 2.1.1) + [[0x24000 Segment Overflow]] ( [[n72ap|iPod touch 2G]]) |
||
− | * [[Pwnage]] + [[iBoot Environment Variable Overflow]] ([[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]]) |
||
− | * [[0x24000 Segment Overflow]] + [[iBoot Environment Variable Overflow]] ([[n72ap|iPod touch 2G]] and [[n88ap|iPhone 3GS]]) |
||
− | === 3.1 / 3.1.1 === |
||
− | * [[Pwnage]] + [[Pwnage 2.0]] (together for [[untethered jailbreak]] on [[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]]) |
||
− | * [[usb_control_msg(0x21, 2) Exploit]] ([[tethered jailbreak]] on [[n72ap|iPod touch 2G]] [[Bootrom 240.5.1|new bootrom]], [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], and [[n18ap|iPod touch 3G]]) |
||
− | * [[0x24000 Segment Overflow]] + [[usb_control_msg(0x21, 2) Exploit]] ([[n72ap|iPod touch 2G]] [[Bootrom 240.4|old bootrom]] and [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]]) |
||
− | === 3.1.2 === |
||
− | * [[Pwnage]] + [[Pwnage 2.0]] (together for [[untethered jailbreak]] on [[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]]) |
||
− | * [[usb_control_msg(0x21, 2) Exploit]] ([[tethered jailbreak]] on [[n72ap|iPod touch 2G]] [[Bootrom 240.5.1|new bootrom]], [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], and [[n18ap|iPod touch 3G]]) |
||
− | * [[0x24000 Segment Overflow]] + [[usb_control_msg(0x21, 2) Exploit]] ([[n72ap|iPod touch 2G]] [[Bootrom 240.4|old bootrom]] and [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]]) |
||
− | * [[MobileBackup Copy Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] (all devices, used in [[Spirit]]) |
||
− | * [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] (all devices, used in [[Star]]) |
||
− | === 3.1.3 === |
||
− | * [[Pwnage]] + [[Pwnage 2.0]] (together for [[untethered jailbreak]] on [[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]]) |
||
− | * [[0x24000 Segment Overflow]] (for [[n72ap|iPod touch 2G]] and [[n88ap|iPhone 3GS]] devices with older bootroms) |
||
− | ** + [[Limera1n Exploit]] ([[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]], used in [[sn0wbreeze]]) |
||
− | ** + [[usb_control_msg(0xA1, 1) Exploit]] ([[n72ap|iPod touch 2G]] [[Bootrom 240.4|old bootrom]], used in [[sn0wbreeze]]) |
||
− | * [[usb_control_msg(0xA1, 1) Exploit]]+ [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] ([[n72ap|iPod touch 2G]] [[Bootrom 240.5.1|new bootrom]], used in [[sn0wbreeze]]) |
||
− | * [[Limera1n Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] ([[N18ap|iPod touch 3G]] and [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], used in [[sn0wbreeze]]) |
||
− | * [[MobileBackup Copy Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] (all devices, used in [[Spirit]]) |
||
− | * [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] (all devices, used in [[Star]]) |
||
− | === |
+ | === [[Redsn0w Lite]] (2.1.1) === |
+ | * [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only) |
||
− | * [[MobileBackup Copy Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] (all devices, used in [[Spirit]]) |
||
− | * [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] ([[k48ap|iPad]], used in [[Star]]) |
||
− | * [[Limera1n Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] ([[K48ap|iPad]] used in [[sn0wbreeze]] 2.9.x) |
||
− | === 3.2.1 === |
||
− | * [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] ([[k48ap|iPad]], used in [[Star]]) |
||
− | * [[Limera1n Exploit]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] ([[k48ap|iPad]], used in [[sn0wbreeze]] 2.9.x) |
||
− | === 3.2.2 === |
||
− | * [[Limera1n Exploit]] + [[Packet Filter Kernel Exploit]] ([[k48ap|iPad]]) |
||
− | == |
+ | == Programs used to jailbreak 3.x == |
− | === |
+ | === [[purplera1n]] (3.0) === |
+ | * [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}}) |
||
− | * [[Pwnage]] + [[Pwnage 2.0]] ([[n82ap|iPhone 3G]]) |
||
− | * [[0x24000 Segment Overflow]] |
+ | * uses [[0x24000 Segment Overflow]] |
− | * [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] (all devices, used in [[Star]]) |
||
− | * [[Limera1n Exploit]] + [[Packet Filter Kernel Exploit]] ([[n88ap|iPhone 3GS]] New bootrom, [[N18ap|iPod touch 3G]], [[n90ap|iPhone 4 (iPhone3,1)]]) |
||
− | === |
+ | === [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) === |
+ | * [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}}) |
||
− | * [[Pwnage]] + [[Pwnage 2.0]] ([[n82ap|iPhone 3G]]) |
||
− | * |
+ | * uses [[0x24000 Segment Overflow]] |
− | * [[0x24000 Segment Overflow]] ([[n88ap|iPhone 3GS]]) |
||
− | * [[limera1n]]'s bootrom exploit + [[Packet Filter Kernel Exploit]] ([[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[n90ap|iPhone 4 (iPhone3,1)]], and [[n81ap|iPod touch 4G]]) |
||
− | === |
+ | === [[Spirit]] (3.1.2 / 3.1.3 / 3.2) === |
+ | * [[MobileBackup Copy Exploit]] |
||
− | * [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]]) |
||
+ | * [[Incomplete Codesign Exploit]] |
||
− | * [[ARM7 Go]] (from iOS 2.1.1) + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n72ap|iPod touch 2G]] [[Bootrom 240.4|old bootrom]]) |
||
+ | * [[BPF_STX Kernel Write Exploit]] |
||
− | * [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]]) |
||
− | * [[limera1n]]'s bootrom exploit + [[Packet Filter Kernel Exploit]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[n90ap|iPhone 4 (iPhone3,1)]], [[n81ap|iPod touch 4G]], and [[k66ap|Apple TV 2G]])) |
||
− | * [[usb_control_msg(0xA1, 1) Exploit]] + [[Packet Filter Kernel Exploit]] (together for [[untethered jailbreak]] on [[n72ap|iPod touch 2G]]) |
||
+ | === [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) === |
||
− | === 4.2.1 === |
||
+ | * [[Malformed CFF Vulnerability]] ({{cve|2010-1797}}) |
||
− | * [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]]) |
||
+ | * [[Incomplete Codesign Exploit]] |
||
− | * [[ARM7 Go]] (from iOS 2.1.1) + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n72ap|iPod touch 2G]] [[Bootrom 240.4|old bootrom]]) |
||
+ | * [[IOSurface Kernel Exploit]] ({{cve|2010-2973}}) |
||
− | * [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]]) |
||
− | * [[limera1n]]'s bootrom exploit + [[HFS Legacy Volume Name Stack Buffer Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 (iPhone3,1)]], [[n81ap|iPod touch 4G]], and [[k66ap|Apple TV 2G]]) |
||
− | * [[usb_control_msg(0xA1, 1) Exploit]] + [[HFS Legacy Volume Name Stack Buffer Overflow]] (together for [[untethered jailbreak]] on [[n72ap|iPod touch 2G]]) |
||
− | === |
+ | === [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) === |
+ | * uses different common exploits |
||
− | * [[limera1n]]'s bootrom exploit + [[HFS Legacy Volume Name Stack Buffer Overflow]] (together for [[untethered jailbreak]] on [[n92ap|iPhone 4 (iPhone3,3)]]) |
||
+ | * [[Packet Filter Kernel Exploit]] |
||
− | * [[T1 Font Integer Overflow]] (used for [[Saffron]]) |
||
− | + | == Programs used to jailbreak 4.x == |
|
+ | === [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) === |
||
− | * [[limera1n]]'s bootrom exploit (Tethered jailbreak on [[n92ap|iPhone 4 (iPhone3,3)]]) |
||
+ | * [[Malformed CFF Vulnerability]] ({{cve|2010-1797}}) |
||
+ | * [[Incomplete Codesign Exploit]] |
||
+ | * [[IOSurface Kernel Exploit]] ({{cve|2010-2973}}) |
||
− | === 4. |
+ | === [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) === |
+ | * uses different common exploits |
||
− | * [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]]) |
||
+ | * [[Packet Filter Kernel Exploit]] |
||
− | * [[limera1n]]'s bootrom exploit ([[tethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 (iPhone3,1)]], [[n81ap|iPod touch 4G]], and [[k66ap|Apple TV 2G]]) |
||
− | * [[T1 Font Integer Overflow]] (used for [[Saffron]]) |
||
+ | === [[greenpois0n (jailbreak)|greenpois0n]] (4.1) === |
||
− | === 4.3.1 / 4.3.2 / 4.3.3 === |
||
+ | * uses different common exploits |
||
− | * [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]]) |
||
+ | * [[Packet Filter Kernel Exploit]] |
||
− | * [[limera1n]]'s bootrom exploit + [[ndrv_setspec() Integer Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 (iPhone3,1)]], and [[n81ap|iPod touch 4G]]) |
||
− | * [[T1 Font Integer Overflow]] (used for [[Saffron]]) |
||
− | === |
+ | === [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) === |
+ | * uses different common exploits |
||
− | * [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]]) |
||
+ | * [[HFS Legacy Volume Name Stack Buffer Overflow]] |
||
− | * [[limera1n]]'s bootrom exploit (Tethered jailbreak) on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 (iPhone3,1)]], and [[n81ap|iPod touch 4G]]) |
||
+ | === [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) === |
||
− | == Exploits which are used in order to jailbreak 5.x == |
||
+ | * [[T1 Font Integer Overflow]] ({{cve|2011-0226}}) |
||
− | === 5.0 === |
||
+ | * [[HFS Legacy Volume Name Stack Buffer Overflow]] |
||
− | * [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]]) |
||
− | * [[limera1n]]'s bootrom exploit (Tethered jailbreak) on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], and [[n81ap|iPod touch 4G]]) |
||
− | * [[Racoon String Format Overflow Exploit]] (used both for payload injection and untether)+[[HFS Heap Overflow]]- [[n94ap|iPhone 4S]] only |
||
+ | === [[unthredeh4il]] (4.2.6 - 4.2.10) === |
||
− | ===5.0.1=== |
||
+ | Except for the [[iPad (3rd generation)]] |
||
− | * [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]]) |
||
+ | * MobileBackup2 Copy Exploit |
||
− | * [[limera1n]]'s bootrom exploit + [[Racoon String Format Overflow Exploit]]+[[HFS Heap Overflow]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], and [[n81ap|iPod touch 4G]]) |
||
+ | * a new Packet Filter Kernel Exploit ({{cve|2012-3728}}) |
||
− | * [[Racoon String Format Overflow Exploit]] (used both for payload injection and untether)+[[HFS Heap Overflow]] - [[iPad 2]] and [[iPhone 4S]] with [[Absinthe]] |
||
+ | * [[AMFID code signing evasion]] ({{cve|2013-0977}}) |
||
+ | * [[launchd.conf untether]] |
||
+ | * [[Timezone Vulnerability]] |
||
+ | === [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) === |
||
− | ===5.1=== |
||
+ | Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1. |
||
− | * [[limera1n]]'s bootrom exploit (Tethered jailbreak) on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], and [[n81ap|iPod touch 4G]]) |
||
+ | * [[T1 Font Integer Overflow]] ({{cve|2011-0226}}) |
||
− | * [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]]) |
||
+ | * [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}}) |
||
+ | === i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) === |
||
− | ===5.1.1=== |
||
+ | used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3 |
||
− | * [[limera1n Exploit]] + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]]) |
||
+ | * [[ndrv_setspec() Integer Overflow]] |
||
− | * [[limera1n Exploit]] + [[Rocky Racoon]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3.2|new bootrom]], [[iPhone 4]], [[n18ap|iPod touch 3G]], and [[n81ap|iPod touch 4G]]) |
||
+ | === [[unthredeh4il]] (4.3 - 4.3.5) === |
||
− | == Exploits which are used in order to jailbreak 6.x == |
||
+ | Except for the [[iPad (3rd generation)]] |
||
− | === 6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2 === |
||
+ | * MobileBackup2 Copy Exploit |
||
− | * [[limera1n]]'s bootrom exploit (Tethered jailbreak) on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3.2|new bootrom]], [[iPhone 4]], and [[n81ap|iPod touch 4G]]) |
||
+ | * a new Packet Filter Kernel Exploit ({{cve|2012-3728}}) |
||
− | * [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]]) |
||
+ | * [[AMFID code signing evasion]] ({{cve|2013-0977}}) |
||
− | * [[Symbolic Link Vulnerability]] |
||
+ | * [[launchd.conf untether]] |
||
* [[Timezone Vulnerability]] |
* [[Timezone Vulnerability]] |
||
+ | |||
− | * [[Shebang Trick]] |
||
+ | == Programs used to jailbreak 5.x == |
||
+ | |||
+ | === [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) === |
||
+ | * [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether) |
||
+ | * [[HFS Heap Overflow]] ({{cve|2012-0642}}) |
||
+ | * unknown exploit ({{cve|2012-0643}}) |
||
+ | |||
+ | === [[Corona|Corona Untether]] (5.0.1) === |
||
+ | * [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) |
||
+ | * [[HFS Heap Overflow]] ({{cve|2012-0642}}) |
||
+ | * unknown exploit ({{cve|2012-0643}}) |
||
+ | |||
+ | === [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) === |
||
+ | * a new Packet Filter Kernel Exploit ({{cve|2012-3728}}) |
||
+ | * Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}}) |
||
+ | * MobileBackup2 Copy Exploit |
||
+ | |||
+ | === [[unthredeh4il]] (5.0-5.1.1) === |
||
+ | Except for the [[iPad (3rd generation)]] |
||
+ | * MobileBackup2 Copy Exploit |
||
+ | * a new Packet Filter Kernel Exploit ({{cve|2012-3728}}) |
||
+ | * [[AMFID code signing evasion]] ({{cve|2013-0977}}) |
||
+ | * [[launchd.conf untether]] |
||
+ | * [[Timezone Vulnerability]] |
||
+ | |||
+ | == Programs used to jailbreak 6.x == |
||
+ | === [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) === |
||
+ | * [[Symbolic Link Vulnerability]] |
||
+ | * [[Timezone Vulnerability]] ({{cve|2013-0979}}) |
||
+ | * [[Shebang Trick]] ({{cve|2013-5154}}) |
||
* [[AMFID code signing evasion]] |
* [[AMFID code signing evasion]] |
||
* [[launchd.conf untether]] |
* [[launchd.conf untether]] |
||
− | * [[IOUSBDeviceFamily Vulnerability]] |
+ | * [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}}) |
− | * [[ARM Exception Vector Info Leak]] |
+ | * [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}}) |
* [[dynamic memmove() locating]] |
* [[dynamic memmove() locating]] |
||
* [[vm_map_copy_t corruption for arbitrary memory disclosure]] |
* [[vm_map_copy_t corruption for arbitrary memory disclosure]] |
||
* [[kernel memory write via ROP gadget]] |
* [[kernel memory write via ROP gadget]] |
||
+ | * [[Overlapping Segment Attack]] ({{cve|2013-0977}}) |
||
− | === 6.1.3 / 6.1.4 / 6.1.5 / 6.1.6 === |
+ | === [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) === |
+ | * [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]]) |
||
− | {{Section Stub}} |
||
+ | * [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]]) |
||
− | * [[Symbolic Link Vulnerability]] (Used by [[p0sixspwn]] to write to the file system in /var) |
||
+ | * [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}}) |
||
− | * [[DeveloperDiskImage race condition]] (Used by [[p0sixspwn]] to remount /) |
||
+ | * [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}}) |
||
+ | * [[DeveloperDiskImage race condition]] (by [[comex]]) |
||
* [[launchd.conf untether]] |
* [[launchd.conf untether]] |
||
− | * [[AMFID_code_signing_evasion]] |
||
− | * [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1273 CVE-2014-1273] |
||
− | * [[posix_spawn kernel information leak]] |
||
− | * [[mach_msg_ool_descriptor_ts for heap shaping]] |
||
− | == |
+ | == Programs used to jailbreak 7.x == |
+ | === [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) === |
||
{{Section Stub}} |
{{Section Stub}} |
||
+ | * [[Symbolic Link Vulnerability]] ({{cve|2013-5133}}) |
||
− | === 7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6 === |
||
+ | * [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}}) |
||
− | * [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5133 CVE-2013-5133] |
||
+ | * CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}}) |
||
− | * [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1272 CVE-2014-1272] |
||
+ | * ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}}) |
||
− | * [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1273 CVE-2014-1273] |
||
− | * [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1278 CVE-2014-1278] |
||
− | * [[Symbolic Link Vulnerability]] |
||
− | === 7.1 / 7.1.1 |
+ | === [[Geeksn0w]] (7.1 / 7.1.1) === |
− | [[geeksn0w]] |
||
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]] |
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]] |
||
+ | |||
− | [[Pangu]] |
||
+ | === [[Pangu]] (7.1 / 7.1.1 / 7.1.2) === |
||
− | * Infoleak vulnerability |
||
+ | * Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0) |
||
− | * “syslogd chown” vulnerability |
||
+ | * AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0) |
||
− | * enterprise certificate (no real exploit, used for initial unsigned code execution) |
||
+ | * break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}}) |
||
− | * "foo_extracted" symlink vulnerability (used to write to /var) |
||
+ | * mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects |
||
− | * /tmp/bigfile (maybe a timeout) |
||
+ | * IOSharedDataQueue notification port overwrite ({{cve|2014-4461}}) |
||
− | * VoIP background trick (used to auto restart the app) |
||
+ | * "syslogd chown" vulnerability |
||
+ | * enterprise certificate (no real exploit, used for initial "unsigned" code execution) |
||
+ | * "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}}) |
||
+ | * /tmp/bigfile (a big file for improvement of the reliability of a race condition) |
||
+ | * VoIP backgrounding trick (used to auto restart the app) |
||
+ | * hidden segment attack |
||
+ | |||
+ | == Programs used to jailbreak 8.x == |
||
+ | === [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) === |
||
+ | * an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w) |
||
+ | * enterprise certificate (inside the IPA) |
||
+ | * a kind of dylib injection into a system process (see IPA) |
||
+ | * a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking) |
||
+ | * a sandboxing problem in debugserver ({{cve|2014-4457}}) |
||
+ | * mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects |
||
+ | * the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______) |
||
+ | * enable-dylibs-to-override-cache |
||
+ | * a new ovelapping segment attack ({{cve|2014-4455}}) |
||
+ | |||
+ | === [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) === |
||
+ | (See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com]) |
||
+ | * A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem |
||
+ | * [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache |
||
+ | * A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load |
||
+ | * libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative) |
||
+ | * enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache) |
||
+ | * MobileStorageMounter exploit ({{cve|2015-1062}}) |
||
+ | * Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}}) |
||
+ | |||
+ | Kernel: |
||
+ | |||
+ | * Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses |
||
+ | * mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects |
||
+ | * IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory |
||
+ | |||
+ | === [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) === |
||
+ | (See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html) |
||
+ | * [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI |
||
+ | * enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis) |
||
+ | * Symbolic linking to AFC ({{cve|2015-5746}}) |
||
+ | * Backup exploit to write to protected regions of the disk ({{cve|2015-5752}}) |
||
+ | * Code signing exploit ({{cve|2015-3802}}) |
||
+ | * Code signing exploit ({{cve|2015-3803}}) |
||
+ | * Code signing exploit ({{cve|2015-3805}}) |
||
+ | * Code signing exploit ({{cve|2015-3806}}) |
||
+ | * IOHIDFamily exploit ({{cve|2015-5774}}) |
||
+ | * Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}}) |
||
+ | |||
+ | === [[EtasonJB]] and [[Home Depot]] (8.4.1) === |
||
+ | |||
+ | * OSUnserialize Information leak ({{cve|2016-4655}}) |
||
+ | * Kernel exploit ({{cve|2016-4656}}) |
||
+ | |||
+ | == Programs used to jailbreak 9.x == |
||
+ | === [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) === |
||
+ | * Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}}) |
||
+ | * MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}}) |
||
+ | * IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}}) |
||
+ | * dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}}) |
||
+ | * Racing KPP for some of the patches. |
||
+ | * AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}}) |
||
+ | |||
+ | === [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) === |
||
+ | * IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}}) |
||
+ | |||
+ | === [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) === |
||
+ | * Webkit exploit ({{cve|2016-4657}}) |
||
+ | |||
+ | === [[Home Depot]] (9.1-9.3.4) === |
||
+ | * OSUnserialize Information leak ({{cve|2016-4655}}) |
||
+ | * Kernel exploit ({{cve|2016-4656}}) |
||
+ | |||
+ | === [[JailbreakMe 4.0]] (9.1-9.3.4) === |
||
+ | * OSUnserialize Information leak ({{cve|2016-4655}}) |
||
+ | * Kernel exploit ({{cve|2016-4656}}) |
||
+ | * Webkit exploit ({{cve|2016-4657}}) |
||
+ | |||
+ | === [[Phœnix]] (9.3.5 / 9.3.6) === |
||
+ | * OSUnserialize Information leak ({{cve|2016-4655}}) |
||
+ | * mach_port_register Kernel exploit ({{cve|2016-4669}}) |
||
+ | |||
+ | == Programs used to jailbreak 10.x == |
||
+ | |||
+ | === [[extra_recipe+yaluX]] (10.0-10.1.1) === |
||
+ | |||
+ | * set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}}) |
||
+ | |||
+ | === [[yalu102]] (10.0.1-10.2) === |
||
+ | |||
+ | * mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}}) |
||
+ | |||
+ | === [[doubleH3lix]] (10.0.1 - 10.3.3) === |
||
+ | |||
+ | * IOSurface Kernel Exploit ({{cve|2017-13861}}) |
||
+ | |||
+ | === [[Meridian]] (10.0 - 10.3.3) === |
||
+ | |||
+ | * IOSurface Kernel Exploit ({{cve|2017-13861}}) |
||
+ | |||
+ | === [[TotallyNotSpyware]] (10.0 - 10.3.3) === |
||
+ | |||
+ | * IOSurface Kernel Exploit ({{cve|2017-13861}}) |
||
+ | * WebKit JIT optimization bug exploit ({{cve|2018-4233}}) |
||
+ | |||
+ | === [[H3lix]] (10.0.1 - 10.3.4) === |
||
+ | |||
+ | * IOSurface Kernel Exploit ({{cve|2017-13861}}) |
||
+ | |||
+ | == Programs used to jailbreak 11.x == |
||
+ | |||
+ | ===[[Unc0ver]] (11.0-11.4.1)=== |
||
+ | |||
+ | 11.0 - 11.1.2 |
||
+ | |||
+ | * IOSurface Kernel Exploit ({{cve|2017-13861}}) |
||
+ | |||
+ | 11.0 - 11.3.1 |
||
+ | |||
+ | * mptcp_usr_connectx (multi_path) ({{cve|2018-4241}}) |
||
+ | * getvolattrlist (empty_list) ({{cve|2018-4243}}) |
||
+ | |||
+ | 11.0 - 11.4.1 |
||
+ | |||
+ | * voucher_swap ({{cve|2019-6225}}) |
||
+ | |||
+ | ===[[Electra]] (11.0-11.4.1)=== |
||
+ | |||
+ | 11.0 - 11.1.2 |
||
+ | |||
+ | * IOSurface Kernel Exploit ({{cve|2017-13861}}) |
||
+ | |||
+ | 11.2 - 11.3.1 |
||
+ | |||
+ | * mptcp_usr_connectx (multi_path) ({{cve|2018-4241}}) |
||
+ | * getvolattrlist (empty_list) ({{cve|2018-4243}}) |
||
+ | |||
+ | 11.2 - 11.4.1 |
||
+ | |||
+ | * v1ntex ({{cve|2019-6225}}) |
||
+ | |||
+ | == Programs used to jailbreak 12.x == |
||
+ | |||
+ | ===[[Chimera]] (12.0 - 12.5.3)=== |
||
+ | |||
+ | 12.0 - 12.1.2 |
||
+ | |||
+ | * voucher_swap ({{cve|2019-6225}}) |
||
+ | |||
+ | 12.0 - 12.2/12.4 |
||
+ | |||
+ | * SockPuppet ({{cve|2019-8605}}) |
||
+ | |||
+ | ===[[Unc0ver]] (12.0 - 12.5.3)=== |
||
+ | |||
+ | 12.0 - 12.1.2 |
||
+ | |||
+ | * voucher_swap ({{cve|2019-6225}}) |
||
+ | |||
+ | 12.0 - 12.2/12.4 |
||
+ | |||
+ | * SockPuppet ({{cve|2019-8605}}) |
||
+ | |||
+ | 12.4.1 |
||
+ | |||
+ | * AppleAVE2Driver exploit ({{cve|2019-8795}}) |
||
+ | * AppleSPUProfileDriver information leak ({{cve|2019-8794}}) |
||
+ | |||
+ | 12.4.2 - 12.5.3 |
||
+ | |||
+ | * oob_timestamp ({{cve|2020-3837}}) |
||
+ | * cuck00 information leak ({{cve|2020-3836}}) |
||
+ | |||
+ | ===[[checkra1n]] (12.3 - 12.5.3)=== |
||
+ | |||
+ | * [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}}) |
||
+ | |||
+ | == Programs used to jailbreak 13.x == |
||
+ | |||
+ | ===[[Unc0ver]] (13.0 - 13.5.5~b1 (excluding 13.5.1))=== |
||
+ | |||
+ | 13.0 - 13.3 (before version 5.0.0) |
||
+ | |||
+ | * oob_timestamp ({{cve|2020-3837}}) |
||
+ | * cuck00 information leak ({{cve|2020-3836}}) |
||
+ | |||
+ | 13.0 - 13.5.5~b1 (excluding 13.5.1) (since version 5.0.0) |
||
+ | |||
+ | * tachy0n (LightSpeed) ({{cve|2020-9859}}) |
||
+ | |||
+ | ===[[Odyssey]] (13.0 - 13.7)=== |
||
+ | |||
+ | 13.0 - 13.5 |
||
+ | |||
+ | * tardy0n (LightSpeed) ({{cve|2020-9859}}) |
||
+ | |||
+ | 13.5.1 - 13.7 (for devices with SoCs other than the A8 and A9) |
||
+ | |||
+ | * FreeTheSandbox_LPE_POC_13.7 |
||
+ | |||
+ | 13.5.1 - 13.7 (for devices with A8/A9 SoCs) |
||
+ | |||
+ | * oob_events ({{cve|2020-27905}}), ({{cve|2020-9964}}) |
||
+ | |||
+ | ===[[checkra1n]] (13.0 - 13.7)=== |
||
+ | |||
+ | * [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}}) |
||
+ | |||
+ | == Programs used to jailbreak 14.x == |
||
+ | |||
+ | ===[[checkra1n]] (14.0 - 14.8.1)=== |
||
+ | |||
+ | * [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}}) |
||
+ | |||
+ | ===[[Unc0ver]] (14.0 - 14.8)=== |
||
+ | |||
+ | * ivac entry use-after-free ({{cve|2021-1782}}) |
||
+ | * pattern-f's closed source exploit ({{cve|2021-30883}}) |
||
+ | |||
+ | ===[[Taurine]] (14.0 - 14.3)=== |
||
+ | |||
+ | * cicuta_virosa ({{cve|2021-1782}}) |
Latest revision as of 04:17, 1 May 2022
This page lists the exploits used in jailbreaks.
Contents
- 1 Common exploits
- 2 Jailbreak Programs
- 3 Programs used to jailbreak 1.x
- 4 Programs used to jailbreak 2.x
- 5 Programs used to jailbreak 3.x
- 6 Programs used to jailbreak 4.x
- 6.1 JailbreakMe 2.0 / Star (4.0 / 4.0.1)
- 6.2 limera1n (4.0 / 4.0.1 / 4.0.2 / 4.1)
- 6.3 greenpois0n (4.1)
- 6.4 greenpois0n (4.2.1)
- 6.5 JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)
- 6.6 unthredeh4il (4.2.6 - 4.2.10)
- 6.7 JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)
- 6.8 i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)
- 6.9 unthredeh4il (4.3 - 4.3.5)
- 7 Programs used to jailbreak 5.x
- 8 Programs used to jailbreak 6.x
- 9 Programs used to jailbreak 7.x
- 10 Programs used to jailbreak 8.x
- 11 Programs used to jailbreak 9.x
- 12 Programs used to jailbreak 10.x
- 13 Programs used to jailbreak 11.x
- 14 Programs used to jailbreak 12.x
- 15 Programs used to jailbreak 13.x
- 16 Programs used to jailbreak 14.x
Common exploits
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.
- Pwnage + Pwnage 2.0 (together to jailbreak the iPhone, iPod touch, and iPhone 3G)
- ARM7 Go (from iOS 2.1.1) (for tethered jailbreak on iPod touch (2nd generation))
- 0x24000 Segment Overflow (for untethered jailbreak on iPhone 3GS with old bootrom and iPod touch (2nd generation) with old bootrom; another exploit as the limera1n Exploit is required)
- limera1n Exploit (for tethered jailbreak on iPhone 3GS, iPod touch (3rd generation), iPad, iPhone 4, iPod touch (4th generation) and Apple TV (2nd generation))
- usb_control_msg(0xA1, 1) Exploit (also known as "steaks4uce") (for tethered jailbreak on iPod touch (2nd generation))
Jailbreak Programs
PwnageTool (2.0 - 5.1.1)
- uses different common exploits
- uses the exploits listed below to untether up to iOS 5.1.1
redsn0w (3.0 - 6.0)
- uses different common exploits
- uses the same exploits as Absinthe and Absinthe 2.0 to jailbreak iOS 5.0/5.0.1 and 5.1.1
- uses the exploits listed below to untether up to iOS 5.1.1
sn0wbreeze (3.1.3 - 6.1.3)
- uses different common exploits
- uses the exploits listed below to untether up to iOS 6.1.2
Programs used to jailbreak 1.x
AppTapp Installer (1.0 / 1.0.1 / 1.0.2)
- iBoot
cp
-command exploit
iBrickr (1.0 / 1.0.1 / 1.0.2)
- iBoot
cp
-command exploit
AppSnapp/JailbreakMe 1.0 (1.0 / 1.0.1 / 1.0.2 / 1.1.1)
- libtiff exploit (Adapted from the PSP scene, used by JailbreakMe) (CVE-2006-3459)
OktoPrep (1.1.2)
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
Soft Upgrade (1.1.3)
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2
ZiPhone (1.1.3 / 1.1.4 / 1.1.5)
iLiberty / iLiberty+ (1.1.3 / 1.1.4 / 1.1.5)
Programs used to jailbreak 2.x
QuickPwn (2.0 - 2.2.1)
- uses Pwnage and Pwnage 2.0
Redsn0w Lite (2.1.1)
- ARM7 Go (for iPod touch (2nd generation) only)
Programs used to jailbreak 3.x
purplera1n (3.0)
blackra1n (3.1 / 3.1.1 / 3.1.2)
Spirit (3.1.2 / 3.1.3 / 3.2)
JailbreakMe 2.0 / Star (3.1.2 / 3.1.3 / 3.2 / 3.2.1)
- Malformed CFF Vulnerability (CVE-2010-1797)
- Incomplete Codesign Exploit
- IOSurface Kernel Exploit (CVE-2010-2973)
limera1n / greenpois0n (3.2.2)
- uses different common exploits
- Packet Filter Kernel Exploit
Programs used to jailbreak 4.x
JailbreakMe 2.0 / Star (4.0 / 4.0.1)
- Malformed CFF Vulnerability (CVE-2010-1797)
- Incomplete Codesign Exploit
- IOSurface Kernel Exploit (CVE-2010-2973)
limera1n (4.0 / 4.0.1 / 4.0.2 / 4.1)
- uses different common exploits
- Packet Filter Kernel Exploit
greenpois0n (4.1)
- uses different common exploits
- Packet Filter Kernel Exploit
greenpois0n (4.2.1)
- uses different common exploits
- HFS Legacy Volume Name Stack Buffer Overflow
JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)
unthredeh4il (4.2.6 - 4.2.10)
Except for the iPad (3rd generation)
- MobileBackup2 Copy Exploit
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- AMFID code signing evasion (CVE-2013-0977)
- launchd.conf untether
- Timezone Vulnerability
JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)
Except for the iPod touch (3rd generation) on iOS 4.3.1.
- T1 Font Integer Overflow (CVE-2011-0226)
- IOMobileFrameBuffer Privilege Escalation Exploit (CVE-2011-0227)
i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)
used in redsn0w to untether iOS 4.3.1 / 4.3.2 / 4.3.3
unthredeh4il (4.3 - 4.3.5)
Except for the iPad (3rd generation)
- MobileBackup2 Copy Exploit
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- AMFID code signing evasion (CVE-2013-0977)
- launchd.conf untether
- Timezone Vulnerability
Programs used to jailbreak 5.x
Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)
- Racoon String Format Overflow Exploit (CVE-2012-0646) (used both for payload injection and untether)
- HFS Heap Overflow (CVE-2012-0642)
- unknown exploit (CVE-2012-0643)
Corona Untether (5.0.1)
- Racoon String Format Overflow Exploit (CVE-2012-0646)
- HFS Heap Overflow (CVE-2012-0642)
- unknown exploit (CVE-2012-0643)
Absinthe 2.0 and Rocky Racoon Untether (5.1.1)
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)
- MobileBackup2 Copy Exploit
unthredeh4il (5.0-5.1.1)
Except for the iPad (3rd generation)
- MobileBackup2 Copy Exploit
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- AMFID code signing evasion (CVE-2013-0977)
- launchd.conf untether
- Timezone Vulnerability
Programs used to jailbreak 6.x
evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)
- Symbolic Link Vulnerability
- Timezone Vulnerability (CVE-2013-0979)
- Shebang Trick (CVE-2013-5154)
- AMFID code signing evasion
- launchd.conf untether
- IOUSBDeviceFamily Vulnerability (CVE-2013-0981)
- ARM Exception Vector Info Leak (CVE-2013-0978)
- dynamic memmove() locating
- vm_map_copy_t corruption for arbitrary memory disclosure
- kernel memory write via ROP gadget
- Overlapping Segment Attack (CVE-2013-0977)
p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)
- posix_spawn kernel information leak (CVE-2013-3954) (by i0n1c)
- posix_spawn kernel exploit (CVE-2013-3954) (by i0n1c)
- mach_msg_ool_descriptor_ts for heap shaping (CVE-2013-3953)
- AMFID_code_signing_evasi0n7 (CVE-2014-1273)
- DeveloperDiskImage race condition (by comex)
- launchd.conf untether
Programs used to jailbreak 7.x
evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)
This section is a stub; it is incomplete. Please add more content to this section and remove this tag.
- Symbolic Link Vulnerability (CVE-2013-5133)
- AMFID_code_signing_evasi0n7 (CVE-2014-1273)
- CrashHouseKeeping chmod vulnerability (CVE-2014-1272)
- ptmx_get_ioctl ioctl crafted call (CVE-2014-1278)
Geeksn0w (7.1 / 7.1.1)
- limera1n's bootrom exploit (Tethered jailbreak) on iPhone 4
Pangu (7.1 / 7.1.1 / 7.1.2)
- Mach-O OSBundleHeaders info leak (CVE-2014-4491) (Pangu v1.0.0)
- AppleKeyStore::initUserClient info leak (CVE-2014-4407) (Pangu >v1.0.0)
- break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (CVE-2014-4422)
- mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
- IOSharedDataQueue notification port overwrite (CVE-2014-4461)
- "syslogd chown" vulnerability
- enterprise certificate (no real exploit, used for initial "unsigned" code execution)
- "foo_extracted" symlink vulnerability (used to write to /var) (CVE-2014-4386)
- /tmp/bigfile (a big file for improvement of the reliability of a race condition)
- VoIP backgrounding trick (used to auto restart the app)
- hidden segment attack
Programs used to jailbreak 8.x
Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)
- an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
- enterprise certificate (inside the IPA)
- a kind of dylib injection into a system process (see IPA)
- a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
- a sandboxing problem in debugserver (CVE-2014-4457)
- mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
- the same kernel exploit as used in the first Pangu (CVE-2014-4461) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
- enable-dylibs-to-override-cache
- a new ovelapping segment attack (CVE-2014-4455)
TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2)
(See also details at newosxbook.com)
- A new AFC symlink attack (CVE-2014-4480) - to get onto the device filesystem
- DeveloperDiskImage race condition (by comex, also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
- A new overlapping segment attack [in a modified version], dyld, (CVE-2014-4455) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
- libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
- enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
- MobileStorageMounter exploit (CVE-2015-1062)
- Backup exploit used to access restricted parts of the filesystem (CVE-2015-1087)
Kernel:
- Mach-O OSBundleHeaders info leak (CVE-2014-4491) - leaks slid addresses
- mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
- IOHIDFamily Kernel exploit (CVE-2014-4487) - to overwrite memory
TaiG and PPJailbreak (8.1.3 / 8.2 / 8.3 / 8.4)
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
- DeveloperDiskImage race condition (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
- enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
- Symbolic linking to AFC (CVE-2015-5746)
- Backup exploit to write to protected regions of the disk (CVE-2015-5752)
- Code signing exploit (CVE-2015-3802)
- Code signing exploit (CVE-2015-3803)
- Code signing exploit (CVE-2015-3805)
- Code signing exploit (CVE-2015-3806)
- IOHIDFamily exploit (CVE-2015-5774)
- Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling (CVE-2015-5766)
EtasonJB and Home Depot (8.4.1)
- OSUnserialize Information leak (CVE-2016-4655)
- Kernel exploit (CVE-2016-4656)
Programs used to jailbreak 9.x
Pangu9 (9.0 / 9.0.1 / 9.0.2 / 9.1)
- Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. (CVE-2015-7037)
- MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. (CVE-2015-7051)
- IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. (CVE-2015-6974)
- dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency (CVE-2015-7079)
- Racing KPP for some of the patches.
- AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. (CVE-2015-7055)
Pangu9 (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3)
- IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. (CVE-2016-4654)
jbme (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3)
- Webkit exploit (CVE-2016-4657)
Home Depot (9.1-9.3.4)
- OSUnserialize Information leak (CVE-2016-4655)
- Kernel exploit (CVE-2016-4656)
JailbreakMe 4.0 (9.1-9.3.4)
- OSUnserialize Information leak (CVE-2016-4655)
- Kernel exploit (CVE-2016-4656)
- Webkit exploit (CVE-2016-4657)
Phœnix (9.3.5 / 9.3.6)
- OSUnserialize Information leak (CVE-2016-4655)
- mach_port_register Kernel exploit (CVE-2016-4669)
Programs used to jailbreak 10.x
extra_recipe+yaluX (10.0-10.1.1)
- set_dp_control_port exploit to execute arbitrary code with kernel privileges. (CVE-2016-7644)
yalu102 (10.0.1-10.2)
- mach_voucher_extract_attr_recipe_trap memory corruption. (CVE-2017-2370)
doubleH3lix (10.0.1 - 10.3.3)
- IOSurface Kernel Exploit (CVE-2017-13861)
Meridian (10.0 - 10.3.3)
- IOSurface Kernel Exploit (CVE-2017-13861)
TotallyNotSpyware (10.0 - 10.3.3)
- IOSurface Kernel Exploit (CVE-2017-13861)
- WebKit JIT optimization bug exploit (CVE-2018-4233)
H3lix (10.0.1 - 10.3.4)
- IOSurface Kernel Exploit (CVE-2017-13861)
Programs used to jailbreak 11.x
Unc0ver (11.0-11.4.1)
11.0 - 11.1.2
- IOSurface Kernel Exploit (CVE-2017-13861)
11.0 - 11.3.1
- mptcp_usr_connectx (multi_path) (CVE-2018-4241)
- getvolattrlist (empty_list) (CVE-2018-4243)
11.0 - 11.4.1
- voucher_swap (CVE-2019-6225)
Electra (11.0-11.4.1)
11.0 - 11.1.2
- IOSurface Kernel Exploit (CVE-2017-13861)
11.2 - 11.3.1
- mptcp_usr_connectx (multi_path) (CVE-2018-4241)
- getvolattrlist (empty_list) (CVE-2018-4243)
11.2 - 11.4.1
- v1ntex (CVE-2019-6225)
Programs used to jailbreak 12.x
Chimera (12.0 - 12.5.3)
12.0 - 12.1.2
- voucher_swap (CVE-2019-6225)
12.0 - 12.2/12.4
- SockPuppet (CVE-2019-8605)
Unc0ver (12.0 - 12.5.3)
12.0 - 12.1.2
- voucher_swap (CVE-2019-6225)
12.0 - 12.2/12.4
- SockPuppet (CVE-2019-8605)
12.4.1
- AppleAVE2Driver exploit (CVE-2019-8795)
- AppleSPUProfileDriver information leak (CVE-2019-8794)
12.4.2 - 12.5.3
- oob_timestamp (CVE-2020-3837)
- cuck00 information leak (CVE-2020-3836)
checkra1n (12.3 - 12.5.3)
Programs used to jailbreak 13.x
Unc0ver (13.0 - 13.5.5~b1 (excluding 13.5.1))
13.0 - 13.3 (before version 5.0.0)
- oob_timestamp (CVE-2020-3837)
- cuck00 information leak (CVE-2020-3836)
13.0 - 13.5.5~b1 (excluding 13.5.1) (since version 5.0.0)
- tachy0n (LightSpeed) (CVE-2020-9859)
Odyssey (13.0 - 13.7)
13.0 - 13.5
- tardy0n (LightSpeed) (CVE-2020-9859)
13.5.1 - 13.7 (for devices with SoCs other than the A8 and A9)
- FreeTheSandbox_LPE_POC_13.7
13.5.1 - 13.7 (for devices with A8/A9 SoCs)
- oob_events (CVE-2020-27905), (CVE-2020-9964)
checkra1n (13.0 - 13.7)
Programs used to jailbreak 14.x
checkra1n (14.0 - 14.8.1)
Unc0ver (14.0 - 14.8)
- ivac entry use-after-free (CVE-2021-1782)
- pattern-f's closed source exploit (CVE-2021-30883)
Taurine (14.0 - 14.3)
- cicuta_virosa (CVE-2021-1782)