Difference between revisions of "Jailbreak Exploits"

From The iPhone Wiki
m (TaiG (8.1.3 / 8.2 / 8.3 / 8.4) and PPJailbreak)
m (Updating)
Line 2: Line 2:
   
 
== Common exploits which are used in order to jailbreak different versions of iOS ==
 
== Common exploits which are used in order to jailbreak different versions of iOS ==
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]])
+
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])
+
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch 2G]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[n72ap|iPod touch 2G]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
+
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch 2G]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[n88ap|iPhone 3GS]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]] and [[k66ap|Apple TV 2G]])
+
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch 3G]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch 4G]] and [[K66AP|Apple TV 2G]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])
+
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch 2G]])
   
 
== Programs which are used in order to jailbreak different versions of iOS ==
 
== Programs which are used in order to jailbreak different versions of iOS ==
Line 49: Line 49:
   
 
=== [[Redsn0w Lite]] (2.1.1) ===
 
=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[n72ap|iPod touch 2G]] only)
+
* [[ARM7 Go]] (for [[N72AP|iPod touch 2G]] only)
   
 
== Programs which are used in order to jailbreak 3.x ==
 
== Programs which are used in order to jailbreak 3.x ==
Line 97: Line 97:
   
 
=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
 
=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[n18ap|iPod touch 3G]] on iOS 4.3.1.
+
Except for the [[N18AP|iPod touch 3G]] on iOS 4.3.1.
 
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
 
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
 
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})
 
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})
Line 114: Line 114:
 
* [[Timezone Vulnerability]]
 
* [[Timezone Vulnerability]]
   
=== [[Absinthe]] (5.0 on [[n94ap|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
+
=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
 
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
 
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
 
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
 
* [[HFS Heap Overflow]] ({{cve|2012-0642}})

Revision as of 09:49, 11 October 2015

This page lists the exploits used in jailbreaks.


Common exploits which are used in order to jailbreak different versions of iOS

Programs which are used in order to jailbreak different versions of iOS

PwnageTool (2.0 - 5.1.1)

  • uses different common exploits
  • uses the exploits listed below to untether up to iOS 5.1.1

redsn0w (3.0 - 6.0)

  • uses different common exploits
  • uses the same exploits as Absinthe and Absinthe 2.0 to jailbreak iOS 5.0/5.0.1 and 5.1.1
  • uses the exploits listed below to untether up to iOS 5.1.1

sn0wbreeze (3.1.3 - 6.1.3)

  • uses different common exploits
  • uses the exploits listed below to untether up to iOS 6.1.2

Programs which are used in order to jailbreak 1.x

AppTapp Installer (1.0 / 1.0.1 / 1.0.2)

  • iBoot cp-command exploit

iBrickr (1.0 / 1.0.1 / 1.0.2)

  • iBoot cp-command exploit

AppSnapp/JailbreakMe 1.0 (1.0 / 1.0.1 / 1.0.2 / 1.1.1)

OktoPrep (1.1.2)

"Upgrade" to 1.1.2 from a jailbroken 1.1.1

Soft Upgrade (1.1.3)

"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

ZiPhone (1.1.3 / 1.1.4 / 1.1.5)

iLiberty / iLiberty+ (1.1.3 / 1.1.4 / 1.1.5)

Programs which are used in order to jailbreak 2.x

QuickPwn (2.0 - 2.2.1)

Redsn0w Lite (2.1.1)

Programs which are used in order to jailbreak 3.x

purplera1n (3.0)

blackra1n (3.1.2)

Spirit (3.1.2 / 3.1.3 / 3.2)

JailbreakMe 2.0 / Star (3.1.2 / 3.1.3 / 3.2 / 3.2.1)

limera1n / greenpois0n (3.2.2)

Programs which are used in order to jailbreak 4.x

JailbreakMe 2.0 / Star (4.0 / 4.0.1)

limera1n / (4.0 / 4.0.1 / 4.0.2 / 4.1)

greenpois0n (4.1)

greenpois0n (4.2.1)

JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)

JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)

Except for the iPod touch 3G on iOS 4.3.1.

i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)

used in redsn0w to untether iOS 4.3.1 / 4.3.2 / 4.3.3

Programs which are used in order to jailbreak 5.x

unthredera1n (5.0 / 5.0.1 / 5.1 / 5.1.1)

Except for the iPad 3

Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)

Corona Untether (5.0.1)

Absinthe 2.0 and Rocky Racoon Untether (5.1.1)

  • a new Packet Filter Kernel Exploit (CVE-2012-3728)
  • Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)
  • MobileBackup2 Copy Exploit

Programs which are used in order to jailbreak 6.x

evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)

p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)

Programs which are used in order to jailbreak 7.x

evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)


Geeksn0w (7.1 / 7.1.1 / 7.1.2)

Pangu (7.1 / 7.1.1 / 7.1.2)

  • Mach-O OSBundleHeaders info leak (CVE-2014-4491) (Pangu v1.0.0)
  • AppleKeyStore::initUserClient info leak (CVE-2014-4407) (Pangu >v1.0.0)
  • break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (CVE-2014-4422)
  • mach_port_kobject exploit (CVE-2014-4496) - used to recover the permutation value and addresses of kernel objects
  • IOSharedDataQueue notification port overwrite (CVE-2014-4461)
  • "syslogd chown" vulnerability
  • enterprise certificate (no real exploit, used for initial "unsigned" code execution)
  • "foo_extracted" symlink vulnerability (used to write to /var) (CVE-2014-4386)
  • /tmp/bigfile (a big file used to improve the reliability of a race condition)
  • VoIP backgrounding trick (used to auto restart the app)
  • hidden segment attack

Programs which are used in order to jailbreak 8.x

Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)

  • an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
  • enterprise certificate (inside the IPA)
  • a kind of dylib injection into a system process (see IPA)
  • a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
  • a sandboxing problem in debugserver (CVE-2014-4457)
  • mach_port_kobject exploit (CVE-2014-4496) - used to recover the permutation value and addresses of kernel objects
  • the same kernel exploit as used in the first Pangu (CVE-2014-4461) (source @iH8sn0w)
  • enable-dylibs-to-override-cache
  • a new overlapping segment attack (CVE-2014-4455)
  • Mach-O OSBundleHeaders info leak (CVE-2014-4491)

TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2)

(See also details at newosxbook.com)

  • A new AFC symlink attack (CVE-2014-4480) - to get onto the device filesystem
  • DeveloperDiskImage race condition (by comex, also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
  • A modified version of the new overlapping segment attack on dyld (CVE-2014-4455), using a negative LC_SEGMENT - to allow libmis and xpcd_cache to load
  • libmis redirection of MISValidateSignature (as in evasi0n) to kCFEqual, with an overlapping segment variant in TaiG (segment at end of file, negative)
  • enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
  • MobileStorageMounter exploit (CVE-2015-1062)
  • Backup exploit used to access restricted parts of the filesystem (CVE-2015-1087)

Kernel:

  • Mach-O OSBundleHeaders info leak (CVE-2014-4491) - leaks slid addresses
  • mach_port_kobject exploit (CVE-2014-4496) - used to recover the permutation value and addresses of kernel objects
  • IOHIDFamily Kernel exploit (CVE-2014-4487) - to overwrite memory

TaiG (8.1.3 / 8.2 / 8.3 / 8.4) and PPJailbreak

(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)