The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.

Jailbreak Exploits

From The iPhone Wiki

Revision as of 01:04, 7 December 2014 by IAdam1n (talk | contribs) (→‎1.1.1: So they still have them from iPhoneOS 1.1.1.)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to: navigation, search

This page lists the exploits used in Jailbreaks.

Contents

1 Exploits which were used in order to jailbreak 1.x
2 Exploits which are used in order to jailbreak 2.x
3 Exploits which are used in order to jailbreak 3.x
4 Exploits which are used in order to jailbreak 4.x
5 Exploits which are used in order to jailbreak 5.x
- 5.1 5.0
- 5.2 5.0.1
- 5.3 5.1
- 5.4 5.1.1
6 Exploits which are used in order to jailbreak 6.x
- 6.1 6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2
- 6.2 6.1.3 / 6.1.4 / 6.1.5 / 6.1.6
7 Exploits which are used in order to jailbreak 7.x
- 7.1 7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6
- 7.2 7.1 / 7.1.1 / 7.1.2
8 Exploits which are used in order to jailbreak 8.x
- 8.1 8.0/8.0.1/8.0.2/8.1
- 8.2 8.1.1

Exploits which were used in order to jailbreak 1.x

1.0.2

Restore Mode (iBoot had a command named cp, which had access to the whole filesystem)

1.1.1

Symlinks (an upgrade jailbreak)
libtiff exploit (Adapted from the PSP scene, used by JailbreakMe) (CVE-2006-3459)

1.1.2

Mknod (an upgrade jailbreak)

1.1.3 / 1.1.4 / 1.1.5

Soft Upgrade (an upgrade jailbreak)
Ramdisk Hack
Dual Boot Exploit - Works up to iOS 2.0 beta 3
diags - Works up to iOS 2.0 beta 5

Exploits which are used in order to jailbreak 2.x

2.0 / 2.0.1 / 2.0.2 / 2.1

Pwnage + Pwnage 2.0

2.1.1

ARM7 Go (tethered jailbreak)

2.2

Pwnage + Pwnage 2.0 (iPhone, iPod touch, and iPhone 3G)

2.2.1

Pwnage + Pwnage 2.0 (iPhone, iPod touch, and iPhone 3G)
0x24000 Segment Overflow + ARM7 Go (from iOS 2.1.1) (iPod touch 2G)

Exploits which are used in order to jailbreak 3.x

3.0 / 3.0.1

Pwnage + Pwnage 2.0 (iPhone, iPod touch, and iPhone 3G)
ARM7 Go (from iOS 2.1.1) + 0x24000 Segment Overflow ( iPod touch 2G)
Pwnage + iBoot Environment Variable Overflow (iPhone, iPod touch, and iPhone 3G)
0x24000 Segment Overflow + iBoot Environment Variable Overflow (iPod touch 2G and iPhone 3GS)

3.1 / 3.1.1

Pwnage + Pwnage 2.0 (together for untethered jailbreak on iPhone, iPod touch, and iPhone 3G)
usb_control_msg(0x21, 2) Exploit (tethered jailbreak on iPod touch 2G new bootrom, iPhone 3GS new bootrom, and iPod touch 3G)
0x24000 Segment Overflow + usb_control_msg(0x21, 2) Exploit (iPod touch 2G old bootrom and iPhone 3GS old bootrom)

3.1.2

Pwnage + Pwnage 2.0 (together for untethered jailbreak on iPhone, iPod touch, and iPhone 3G)
usb_control_msg(0x21, 2) Exploit (tethered jailbreak on iPod touch 2G new bootrom, iPhone 3GS new bootrom, and iPod touch 3G)
0x24000 Segment Overflow + usb_control_msg(0x21, 2) Exploit (iPod touch 2G old bootrom and iPhone 3GS old bootrom)
MobileBackup Copy Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (all devices, used in Spirit)
Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (all devices, used in Star)

3.1.3

Pwnage + Pwnage 2.0 (together for untethered jailbreak on iPhone, iPod touch, and iPhone 3G)
0x24000 Segment Overflow (for iPod touch 2G and iPhone 3GS devices with older bootroms)
- + Limera1n Exploit (iPhone 3GS old bootrom, used in sn0wbreeze)
- + usb_control_msg(0xA1, 1) Exploit (iPod touch 2G old bootrom, used in sn0wbreeze)
usb_control_msg(0xA1, 1) Exploit+ Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (iPod touch 2G new bootrom, used in sn0wbreeze)
Limera1n Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (iPod touch 3G and iPhone 3GS new bootrom, used in sn0wbreeze)
MobileBackup Copy Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (all devices, used in Spirit)
Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (all devices, used in Star)

3.2

MobileBackup Copy Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (all devices, used in Spirit)
Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (iPad, used in Star)
Limera1n Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (iPad used in sn0wbreeze 2.9.x)

3.2.1

Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (iPad, used in Star)
Limera1n Exploit + Incomplete Codesign Exploit + IOSurface Kernel Exploit (iPad, used in sn0wbreeze 2.9.x)

3.2.2

Limera1n Exploit + Packet Filter Kernel Exploit (iPad)

Exploits which are used in order to jailbreak 4.x

4.0 / 4.0.1

Pwnage + Pwnage 2.0 (iPhone 3G)
0x24000 Segment Overflow (iPod touch 2G and iPhone 3GS devices with older bootroms)
Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (all devices, used in Star)
Limera1n Exploit + Packet Filter Kernel Exploit (iPhone 3GS New bootrom, iPod touch 3G, iPhone 4 (iPhone3,1))

4.0.2

Pwnage + Pwnage 2.0 (iPhone 3G)
ARM7 Go (from iOS 2.1.1) + 0x24000 Segment Overflow (iPod touch 2G)
0x24000 Segment Overflow (iPhone 3GS)
limera1n's bootrom exploit + Packet Filter Kernel Exploit (iPhone 3GS new bootrom, iPod touch 3G, iPhone 4 (iPhone3,1), and iPod touch 4G)

4.1

Pwnage + Pwnage 2.0 (together to jailbreak the iPhone 3G)
ARM7 Go (from iOS 2.1.1) + 0x24000 Segment Overflow (together for untethered jailbreak on iPod touch 2G old bootrom)
limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS old bootrom)
limera1n's bootrom exploit + Packet Filter Kernel Exploit (together for untethered jailbreak on iPhone 3GS new bootrom, iPod touch 3G, iPhone 4 (iPhone3,1), iPod touch 4G, and Apple TV 2G))
usb_control_msg(0xA1, 1) Exploit + Packet Filter Kernel Exploit (together for untethered jailbreak on iPod touch 2G)

4.2.1

Pwnage + Pwnage 2.0 (together to jailbreak the iPhone 3G)
ARM7 Go (from iOS 2.1.1) + 0x24000 Segment Overflow (together for untethered jailbreak on iPod touch 2G old bootrom)
limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS old bootrom)
limera1n's bootrom exploit + HFS Legacy Volume Name Stack Buffer Overflow (together for untethered jailbreak on iPhone 3GS new bootrom, iPod touch 3G, iPad, iPhone 4 (iPhone3,1), iPod touch 4G, and Apple TV 2G)
usb_control_msg(0xA1, 1) Exploit + HFS Legacy Volume Name Stack Buffer Overflow (together for untethered jailbreak on iPod touch 2G)

4.2.6 / 4.2.7 / 4.2.8

limera1n's bootrom exploit + HFS Legacy Volume Name Stack Buffer Overflow (together for untethered jailbreak on iPhone 4 (iPhone3,3))
T1 Font Integer Overflow (used for Saffron) (CVE-2011-0226)

4.2.9 / 4.2.10

limera1n's bootrom exploit (Tethered jailbreak on iPhone 4 (iPhone3,3))

4.3

limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS old bootrom)
limera1n's bootrom exploit (tethered jailbreak on iPhone 3GS new bootrom, iPod touch 3G, iPad, iPhone 4 (iPhone3,1), iPod touch 4G, and Apple TV 2G)
T1 Font Integer Overflow (used for Saffron) (CVE-2011-0226)

4.3.1 / 4.3.2 / 4.3.3

limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS old bootrom)
limera1n's bootrom exploit + ndrv_setspec() Integer Overflow (together for untethered jailbreak on iPhone 3GS new bootrom, iPod touch 3G, iPad, iPhone 4 (iPhone3,1), and iPod touch 4G)
T1 Font Integer Overflow (used for Saffron)

4.3.4 / 4.3.5

limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
limera1n's bootrom exploit (Tethered jailbreak) on iPhone 3GS with new bootrom, iPod touch 3G, iPad, iPhone 4 (iPhone3,1), and iPod touch 4G)

Exploits which are used in order to jailbreak 5.x

5.0

limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
limera1n's bootrom exploit (Tethered jailbreak) on iPhone 3GS with new bootrom, iPod touch 3G, iPad, iPhone 4, and iPod touch 4G)
Racoon String Format Overflow Exploit (used both for payload injection and untether)+HFS Heap Overflow- iPhone 4S only

5.0.1

limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
limera1n's bootrom exploit + Racoon String Format Overflow Exploit+HFS Heap Overflow on iPhone 3GS with new bootrom, iPod touch 3G, iPad, iPhone 4, and iPod touch 4G)
Racoon String Format Overflow Exploit (used both for payload injection and untether)+HFS Heap Overflow - iPad 2 and iPhone 4S with Absinthe

5.1

limera1n's bootrom exploit (Tethered jailbreak) on iPhone 3GS with new bootrom, iPod touch 3G, iPad, iPhone 4, and iPod touch 4G)
limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)

5.1.1

limera1n Exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
limera1n Exploit + Rocky Racoon (together for untethered jailbreak on iPhone 3GS with new bootrom, iPhone 4, iPod touch 3G, and iPod touch 4G)

Exploits which are used in order to jailbreak 6.x

6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2

limera1n's bootrom exploit (Tethered jailbreak) on iPhone 3GS with new bootrom, iPhone 4, and iPod touch 4G)
limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
Symbolic Link Vulnerability
Timezone Vulnerability (CVE-2013-0979)
Shebang Trick
AMFID code signing evasion
launchd.conf untether
IOUSBDeviceFamily Vulnerability (CVE-2013-0981)
ARM Exception Vector Info Leak (CVE-2013-0978)
dynamic memmove() locating
vm_map_copy_t corruption for arbitrary memory disclosure
kernel memory write via ROP gadget
Overlapping Segment Attack (CVE-2013-0977)

6.1.3 / 6.1.4 / 6.1.5 / 6.1.6

Exploits which are used in order to jailbreak 7.x

This section is a stub; it is incomplete. Please add more content to this section and remove this tag.

7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6

7.1 / 7.1.1 / 7.1.2

limera1n's bootrom exploit (Tethered jailbreak) on iPhone 4

i0n1c's Infoleak vulnerability (Pangu v1.0.0)
break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0)
TempSensor kernel exploit (Pangu 1.1.0)
"syslogd chown" vulnerability
enterprise certificate (no real exploit, used for initial "unsigned" code execution)
"foo_extracted" symlink vulnerability (used to write to /var)
/tmp/bigfile (a big file for improvement of the reliability of a race condition)
VoIP backgrounding trick (used to auto restart the app)
hidden segment attack

Exploits which are used in order to jailbreak 8.x

This section is a stub; it is incomplete. Please add more content to this section and remove this tag.

8.0/8.0.1/8.0.2/8.1

an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
enterprise certificate (inside the IPA)
a kind of dylib injection into a system process (see IPA)
a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
a sandboxing problem in debugserver (CVE-2014-4457)
the same/a similar kernel exploit as used in Pangu (CVE-2014-4461) (source @iH8sn0w)
enable-dylibs-to-override-cache
CVE-2014-4455

LightSensor / ProxALSSensor kernel exploit (Also used in Pangu 1.0.0)
DeveloperDiskImage race condition (by comex) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn)
enable-dylibs-to-override-cache (Also used in Pangu8)
a kind of dylib injection into a system process (see IPA) (Also used in Pangu8 but tweaked slightly)

8.1.1

LightSensor / ProxALSSensor kernel exploit (Also used in Pangu 1.0.0)
DeveloperDiskImage race condition (by comex) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn)
enable-dylibs-to-override-cache (Also used in Pangu8)
a kind of dylib injection into a system process (see IPA) (Also used in Pangu8 but tweaked slightly)

Retrieved from "https://www.theiphonewiki.com/w/index.php?title=Jailbreak_Exploits&oldid=43938"

Pages With Stub Sections