Jailbreak Exploits

Missing

• UnthreadedJB
• name "steaks4uce"
• references to limera1n and so on

Exploits which are used in order to jailbreak different versions of iOS

• Pwnage + Pwnage 2.0 (together to jailbreak the iPhone 3G)
• ARM7 Go (from iOS 2.1.1) (for tethered jailbreak on iPod touch 2G)
• 0x24000 Segment Overflow (for untethered jailbreak on iPhone 3GS with old bootrom and iPod touch 2G with old bootrom; another exploit as the limera1n Exploit is required)
• limera1n Exploit (for tethered jailbreak on iPhone 3GS, iPod touch 3G, iPad, iPhone 4, iPod touch 4G and Apple TV 2G)
• usb_control_msg(0xA1, 1) Exploit (for tethered jailbreak on iPod touch 2G)

Exploits which are used in order to jailbreak 4.x

4.0 / 4.0.1

• Pwnage + Pwnage 2.0 (iPhone 3G)
• 0x24000 Segment Overflow (iPod touch 2G and iPhone 3GS devices with older bootroms)
• Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (all devices, used in Star)
• Limera1n Exploit + Packet Filter Kernel Exploit (iPhone 3GS New bootrom, iPod touch 3G, iPhone 4 (iPhone3,1))

4.0.2

• Pwnage + Pwnage 2.0 (iPhone 3G)
• ARM7 Go (from iOS 2.1.1) + 0x24000 Segment Overflow (iPod touch 2G)
• 0x24000 Segment Overflow (iPhone 3GS)
• limera1n's bootrom exploit + Packet Filter Kernel Exploit (iPhone 3GS new bootrom, iPod touch 3G, iPhone 4 (iPhone3,1), and iPod touch 4G)

4.1

• Pwnage + Pwnage 2.0 (together to jailbreak the iPhone 3G)
• ARM7 Go (from iOS 2.1.1) + 0x24000 Segment Overflow (together for untethered jailbreak on iPod touch 2G old bootrom)
• limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS old bootrom)
• limera1n's bootrom exploit + Packet Filter Kernel Exploit (together for untethered jailbreak on iPhone 3GS new bootrom, iPod touch 3G, iPhone 4 (iPhone3,1), iPod touch 4G, and Apple TV 2G))
• usb_control_msg(0xA1, 1) Exploit + Packet Filter Kernel Exploit (together for untethered jailbreak on iPod touch 2G)

greenpois0n (4.2.1)

• HFS Legacy Volume Name Stack Buffer Overflow

JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)

• T1 Font Integer Overflow
• HFS Legacy Volume Name Stack Buffer Overflow

JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)

Except for the iPod touch 3G on iOS 4.3.1.

• T1 Font Integer Overflow
• IOMobileFrameBuffer Privilege Escalation Exploit

i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)

• ndrv_setspec() Integer Overflow

Exploits which are used in order to jailbreak 5.x

Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)

• Racoon String Format Overflow Exploit (used both for payload injection and untether)
• HFS Heap Overflow

Corona Untether (5.0.1)

• Racoon String Format Overflow Exploit
• HFS Heap Overflow

Absinthe 2.0 and Rocky Racoon Untether (5.1.1)

This section is a stub; it is incomplete. Please add more content to this section and remove this tag.

• a new Packet Filter Kernel Exploit (CVE-2012-3728)
• Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)

Exploits which are used in order to jailbreak 6.x

evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)

• Symbolic Link Vulnerability
• Timezone Vulnerability
• Shebang Trick
• AMFID code signing evasion
• launchd.conf untether
• IOUSBDeviceFamily Vulnerability
• ARM Exception Vector Info Leak
• dynamic memmove() locating
• vm_map_copy_t corruption for arbitrary memory disclosure
• kernel memory write via ROP gadget

p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)

• posix_spawn kernel information leak (by i0n1c)
• posix_spawn kernel exploit (CVE-2013-3954) (by i0n1c)
• mach_msg_ool_descriptor_ts for heap shaping
• AMFID_code_signing_evasi0n7
• DeveloperDiskImage race condition (by comex)
• launchd.conf untether

Exploits which are used in order to jailbreak 7.x

This section is a stub; it is incomplete. Please add more content to this section and remove this tag.

evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)

• CVE-2013-5133
• CVE-2014-1272
• CVE-2014-1273
• CVE-2014-1278
• Symbolic Link Vulnerability

Geeksn0w (7.1 / 7.1.1 / 7.1.2)

• limera1n's bootrom exploit (Tethered jailbreak) on iPhone 4

Pangu (7.1 / 7.1.1 / 7.1.2)

• i0n1c's Infoleak vulnerability (Pangu v1.0.0)
• break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
• LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0)
• TempSensor kernel exploit (Pangu 1.1.0)
• "syslogd chown" vulnerability
• enterprise certificate (no real exploit, used for initial "unsigned" code execution)
• "foo_extracted" symlink vulnerability (used to write to /var)
• /tmp/bigfile (a big file for improvement of the reliability of a race condition)
• VoIP backgrounding trick (used to auto restart the app)
• hidden segment attack

Exploits which are used in order to jailbreak 8.x

This section is a stub; it is incomplete. Please add more content to this section and remove this tag.

Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)

• an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
• enterprise certificate (inside the IPA)
• a kind of dylib injection into a system process (see IPA)
• a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
• a sandboxing problem in debugserver (CVE-2014-4457)
• the same/a similar kernel exploit as used in Pangu (CVE-2014-4461) (source @iH8sn0w)
• enable-dylibs-to-override-cache
• CVE-2014-4455

TaiG (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1)

• LightSensor / ProxALSSensor kernel exploit (Also used in Pangu 1.0.0)
• DeveloperDiskImage race condition (by comex) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn)
• enable-dylibs-to-override-cache (Also used in Pangu8)
• a kind of dylib injection into a system process (see IPA) (Also used in Pangu8 but tweaked slightly)