Difference between revisions of "Jailbreak Exploits"

From The iPhone Wiki
(6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2: Adding some CVEs as well as a missed exploit from evasi0n's page.)
(Couple more linking additions.)
Line 90: Line 90:
 
=== 4.2.6 / 4.2.7 / 4.2.8 ===
 
=== 4.2.6 / 4.2.7 / 4.2.8 ===
 
* [[limera1n]]'s bootrom exploit + [[HFS Legacy Volume Name Stack Buffer Overflow]] (together for [[untethered jailbreak]] on [[n92ap|iPhone 4 (iPhone3,3)]])
 
* [[limera1n]]'s bootrom exploit + [[HFS Legacy Volume Name Stack Buffer Overflow]] (together for [[untethered jailbreak]] on [[n92ap|iPhone 4 (iPhone3,3)]])
* [[T1 Font Integer Overflow]] (used for [[Saffron]])
+
* [[T1 Font Integer Overflow]] (used for [[Saffron]]) ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0226 CVE-2011-0226])
   
 
=== 4.2.9 / 4.2.10 ===
 
=== 4.2.9 / 4.2.10 ===
Line 98: Line 98:
 
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]])
 
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]])
 
* [[limera1n]]'s bootrom exploit ([[tethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 (iPhone3,1)]], [[n81ap|iPod touch 4G]], and [[k66ap|Apple TV 2G]])
 
* [[limera1n]]'s bootrom exploit ([[tethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 (iPhone3,1)]], [[n81ap|iPod touch 4G]], and [[k66ap|Apple TV 2G]])
* [[T1 Font Integer Overflow]] (used for [[Saffron]])
+
* [[T1 Font Integer Overflow]] (used for [[Saffron]]) ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0226 CVE-2011-0226])
   
 
=== 4.3.1 / 4.3.2 / 4.3.3 ===
 
=== 4.3.1 / 4.3.2 / 4.3.3 ===
Line 148: Line 148:
 
* [[posix_spawn kernel exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3954 CVE-2013-3954]) (by [[i0n1c]])
 
* [[posix_spawn kernel exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3954 CVE-2013-3954]) (by [[i0n1c]])
 
* [[mach_msg_ool_descriptor_ts for heap shaping]]
 
* [[mach_msg_ool_descriptor_ts for heap shaping]]
* [[AMFID_code_signing_evasi0n7]]
+
* [[AMFID_code_signing_evasi0n7]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1273 CVE-2014-1273])
 
* [[DeveloperDiskImage race condition]] (by [[comex]])
 
* [[DeveloperDiskImage race condition]] (by [[comex]])
 
* [[launchd.conf untether]]
 
* [[launchd.conf untether]]
Line 157: Line 157:
 
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5133 CVE-2013-5133]
 
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5133 CVE-2013-5133]
 
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1272 CVE-2014-1272]
 
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1272 CVE-2014-1272]
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1273 CVE-2014-1273]
+
* [[AMFID_code_signing_evasi0n7]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1273 CVE-2014-1273])
 
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1278 CVE-2014-1278]
 
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1278 CVE-2014-1278]
 
* [[Symbolic Link Vulnerability]]
 
* [[Symbolic Link Vulnerability]]
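Review bot: the replacement line in this hunk, `* [[AMFID_code_signing_evasi0n7]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1273 CVE-2014-1273])`, is identical to the entry that already appears a few lines earlier in the Line 148 hunk, so the same exploit is now listed twice within the same version section. Either keep this list as bare CVE links (consistent with the neighbouring CVE-2013-5133, CVE-2014-1272 and CVE-2014-1278 entries) or drop the duplicate here and let the single entry in the exploit list above carry the CVE reference.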

Revision as of 00:56, 7 December 2014

This page lists the exploits used in Jailbreaks.

Exploits which were used in order to jailbreak 1.x

1.0.2

  • Restore Mode (iBoot had a command named cp, which had access to the whole filesystem)

1.1.1

1.1.2

  • Mknod (an upgrade jailbreak)

1.1.3 / 1.1.4 / 1.1.5

Exploits which are used in order to jailbreak 2.x

2.0 / 2.0.1 / 2.0.2 / 2.1

2.1.1

2.2

2.2.1

Exploits which are used in order to jailbreak 3.x

3.0 / 3.0.1

3.1 / 3.1.1

3.1.2

3.1.3

3.2

3.2.1

3.2.2

Exploits which are used in order to jailbreak 4.x

4.0 / 4.0.1

4.0.2

4.1

4.2.1

4.2.6 / 4.2.7 / 4.2.8

4.2.9 / 4.2.10

4.3

4.3.1 / 4.3.2 / 4.3.3

4.3.4 / 4.3.5

Exploits which are used in order to jailbreak 5.x

5.0

5.0.1

5.1

5.1.1

Exploits which are used in order to jailbreak 6.x

6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2

6.1.3 / 6.1.4 / 6.1.5 / 6.1.6

Exploits which are used in order to jailbreak 7.x

This section is a stub; it is incomplete. Please add more content to this section and remove this tag.

7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6

7.1 / 7.1.1 / 7.1.2

Geeksn0w

Pangu

  • i0n1c's Infoleak vulnerability (Pangu v1.0.0)
  • break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
  • LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0)
  • TempSensor kernel exploit (Pangu 1.1.0)
  • "syslogd chown" vulnerability
  • enterprise certificate (no real exploit, used for initial "unsigned" code execution)
  • "foo_extracted" symlink vulnerability (used to write to /var)
  • /tmp/bigfile (a big file for improvement of the reliability of a race condition)
  • VoIP backgrounding trick (used to auto restart the app)
  • hidden segment attack

Exploits which are used in order to jailbreak 8.x

This section is a stub; it is incomplete. Please add more content to this section and remove this tag.

8.0/8.0.1/8.0.2/8.1

Pangu8

  • an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
  • enterprise certificate (inside the IPA)
  • a kind of dylib injection into a system process (see IPA)
  • a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
  • a sandboxing problem in debugserver (CVE-2014-4457)
  • the same/a similar kernel exploit as used in Pangu (CVE-2014-4461) (source @iH8sn0w)
  • enable-dylibs-to-override-cache
  • CVE-2014-4455

TaiG

8.1.1