Difference between revisions of "Jailbreak"

{{float toc}}

This is the process by which full execute and write access is obtained on all the partitions of the iPhone. It is done by patching [[:/etc/fstab]] to mount the System partition as read-write. This is entirely different from an [[unlock]]. Jailbreaking is the first action that must be taken before things like unofficial [[activation]] (hacktivation), and unofficial unlocking can be applied.

The original jailbreak also included modifying the [[AFC]] service (used by [[iTunes]] to access the filesystem) to give full filesystem access from root. This was later updated to create a new service ([[AFC]]2) that allows access to the full filesystem.

Modern jailbreaks also include patching the kernel to get around code signing and other restrictions.

== Exploits which were used in order to jailbreak 1.x ==

=== 1.0.2 ===

* [[Restore Mode]] ([[iBoot (Bootloader)|iBoot]] had a command named cp, which had access to the whole filesystem)

=== 1.1.1 ===

* [[Symlinks]] (an upgrade jailbreak)

* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]])

=== 1.1.2 ===

* [[Mknod]] (an upgrade jailbreak)

=== 1.1.3 / 1.1.4 / 1.1.5 ===

* [[Soft Upgrade]] (an upgrade jailbreak)

* [[Ramdisk Hack]]

== Exploits which are used in order to jailbreak 2.x ==

=== 2.0 / 2.0.1 / 2.0.2 / 2.1 ===

* [[Pwnage]] + [[Pwnage 2.0]]

=== 2.1.1 ===

* [[ARM7 Go]] ([[tethered jailbreak]])

=== 2.2 ===

* [[Pwnage]] + [[Pwnage 2.0]] ([[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])

=== 2.2.1 ===

* [[Pwnage]] + [[Pwnage 2.0]] ([[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])

* [[0x24000 Segment Overflow]] + [[ARM7 Go]] (from iOS 2.1.1) ([[n72ap|iPod touch 2G]])

== Exploits which are used in order to jailbreak 3.x ==

=== 3.0 / 3.0.1 ===

* [[Pwnage]] + [[Pwnage 2.0]] ([[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])

* [[ARM7 Go]] (from iOS 2.1.1) + [[0x24000 Segment Overflow]] ( [[n72ap|iPod touch 2G]])

* [[Pwnage]] + [[iBoot Environment Variable Overflow]] ([[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])

* [[0x24000 Segment Overflow]] + [[iBoot Environment Variable Overflow]] ([[n72ap|iPod touch 2G]] and [[n88ap|iPhone 3GS]])

=== 3.1 / 3.1.1 ===

* [[Pwnage]] + [[Pwnage 2.0]] (together for [[untethered jailbreak]] on [[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])

* [[usb_control_msg(0x21, 2) Exploit]] ([[tethered jailbreak]] on [[n72ap|iPod touch 2G]] [[iBoot-240.5.1|new bootrom]], [[n88ap|iPhone 3GS]] [[iBoot-359.3.2|new bootrom]], and [[n18ap|iPod touch 3G]])

* [[0x24000 Segment Overflow]] + [[usb_control_msg(0x21, 2) Exploit]] ([[n72ap|iPod touch 2G]] [[iBoot-240.4|old bootrom]] and [[n88ap|iPhone 3GS]] [[iBoot-359.3|old bootrom]])

=== 3.1.2 ===

* [[Pwnage]] + [[Pwnage 2.0]] (together for [[untethered jailbreak]] on [[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])

* [[usb_control_msg(0x21, 2) Exploit]] ([[tethered jailbreak]] on [[n72ap|iPod touch 2G]] [[iBoot-240.5.1|new bootrom]], [[n88ap|iPhone 3GS]] [[iBoot-359.3.2|new bootrom]], and [[n18ap|iPod touch 3G]])

* [[0x24000 Segment Overflow]] + [[usb_control_msg(0x21, 2) Exploit]] ([[n72ap|iPod touch 2G]] [[iBoot-240.4|old bootrom]] and [[n88ap|iPhone 3GS]] [[iBoot-359.3|old bootrom]])

* [[MobileBackup Copy Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] (all devices, used in [[Spirit]])

* [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] (all devices, used in [[Star]])

=== 3.1.3 ===

* [[Pwnage]] + [[Pwnage 2.0]] (together for [[untethered jailbreak]] on [[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])

* [[0x24000 Segment Overflow]] (for [[n72ap|iPod touch 2G]] and [[n88ap|iPhone 3GS]] devices with older bootroms)

* [[MobileBackup Copy Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] (all devices, used in [[Spirit]])

* [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] (all devices, used in [[Star]])

=== 3.2 ===

* [[MobileBackup Copy Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] (all devices, used in [[Spirit]])

* [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] ([[k48ap|iPad]], used in [[Star]])

=== 3.2.1 ===

* [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] ([[k48ap|iPad]], used in [[Star]])

=== 3.2.2 ===

* [[limera1n]]'s bootrom exploit + [[Packet Filter Kernel Exploit]] ([[k48ap|iPad]])

== Exploits which are used in order to jailbreak 4.x ==

=== 4.0 / 4.0.1 ===

* [[Pwnage]] + [[Pwnage 2.0]] ([[n82ap|iPhone 3G]])

* [[0x24000 Segment Overflow]] ([[n72ap|iPod touch 2G]] and [[n88ap|iPhone 3GS]] devices with older bootroms)

* [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] (all devices, used in [[Star]])

=== 4.0.2 ===

* [[Pwnage]] + [[Pwnage 2.0]] ([[n82ap|iPhone 3G]])

* [[ARM7 Go]] (from iOS 2.1.1) + [[0x24000 Segment Overflow]] ([[n72ap|iPod touch 2G]])

* [[0x24000 Segment Overflow]] ([[n88ap|iPhone 3GS]])

* [[limera1n]]'s bootrom exploit + [[Packet Filter Kernel Exploit]] ([[n88ap|iPhone 3GS]] [[iBoot-359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[n90ap|iPhone 4 GSM model]], and [[n81ap|iPod touch 4G]])

=== 4.1 ===

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]])

* [[ARM7 Go]] (from iOS 2.1.1) + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n72ap|iPod touch 2G]] [[iBoot-240.4|old bootrom]])

* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[iBoot-359.3|old bootrom]])

* [[limera1n]]'s bootrom exploit + [[Packet Filter Kernel Exploit]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[iBoot-359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[n90ap|iPhone 4 GSM model]], [[n81ap|iPod touch 4G]], and [[k66ap|Apple TV 2G]]))

* [[usb_control_msg(0xA1, 1) Exploit]] + [[Packet Filter Kernel Exploit]] (together for [[untethered jailbreak]] on [[n72ap|iPod touch 2G]])

=== 4.2.1 ===

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]])

* [[ARM7 Go]] (from iOS 2.1.1) + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n72ap|iPod touch 2G]] [[iBoot-240.4|old bootrom]])

* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[iBoot-359.3|old bootrom]])

* [[limera1n]]'s bootrom exploit + [[HFS Legacy Volume Name Stack Buffer Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[iBoot-359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 GSM model]], [[n81ap|iPod touch 4G]], and [[k66ap|Apple TV 2G]])

* [[usb_control_msg(0xA1, 1) Exploit]] + [[HFS Legacy Volume Name Stack Buffer Overflow]] (together for [[untethered jailbreak]] on [[n72ap|iPod touch 2G]])

=== 4.2.6 / 4.2.7 / 4.2.8 ===

* [[limera1n]]'s bootrom exploit + [[HFS Legacy Volume Name Stack Buffer Overflow]] (together for [[untethered jailbreak]] on [[n92ap|iPhone 4 CDMA model]])

* [[T1 Font Integer Overflow]] (used for [[Saffron]])

=== 4.3 ===

* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[iBoot-359.3|old bootrom]])

* [[limera1n]]'s bootrom exploit ([[tethered jailbreak]] on [[n88ap|iPhone 3GS]] [[iBoot-359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 GSM model]], [[n81ap|iPod touch 4G]], and [[k66ap|Apple TV 2G]])

* [[T1 Font Integer Overflow]] (used for [[Saffron]])

=== 4.3.1 / 4.3.2 / 4.3.3 ===

* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[iBoot-359.3|old bootrom]])

* [[limera1n]]'s bootrom exploit + [[ndrv_setspec() Integer Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[iBoot-359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 GSM model]], and [[n81ap|iPod touch 4G]])

* [[T1 Font Integer Overflow]] (used for [[Saffron]])

=== 4.3.4 / 4.3.5 ===

* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[iBoot-359.3|old bootrom]])

* [[limera1n]]'s bootrom exploit (Tethered jailbreak) on [[n88ap|iPhone 3GS]] with [[iBoot-359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 GSM model]], and [[n81ap|iPod touch 4G]])

== Exploits which are used in order to jailbreak 5.x ==

=== 5.0 / 5.0.1 ===

* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[iBoot-359.3|old bootrom]])

* [[limera1n]]'s bootrom exploit (Tethered jailbreak) on [[n88ap|iPhone 3GS]] with [[iBoot-359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 GSM model]], and [[n81ap|iPod touch 4G]])

* What about teh untether?

== Jailbreak Tools ==

{{:Jailbreak/Apple TV 2G}}

{{:Jailbreak/iPad}}

{{:Jailbreak/iPad 2}}

{{:Jailbreak/iPhone}}

{{:Jailbreak/iPhone 3G}}

{{:Jailbreak/iPhone 3GS}}

{{:Jailbreak/iPhone 4 GSM}}

{{:Jailbreak/iPhone 4 CDMA}}

{{:Jailbreak/iPhone 4S}}

{{:Jailbreak/iPod touch}}

{{:Jailbreak/iPod touch 2G}}

{{:Jailbreak/iPod touch 3G}}

{{:Jailbreak/iPod touch 4G}}