The iPhone Wiki - User contributions [en]

User:0x8FF

2023-04-13T00:12:54Z

0x8FF: Blanked the page

Cheyote

2023-04-13T00:12:33Z

0x8FF: RIP

{{Infobox software
| name = Cheyote
| title = Cheyote
| developer = [https://twitter.com/OdysseyTeam_ OdysseyTeam_] [https://twitter.com/coolstarorg CoolStar]
| operating system = iOS
| language = English
| genre = Jailbreaking
}}
'''Cheyote''' (formerly known as '''Taurine15''') is an canceled jailbreak for iOS/iPadOS 15. It was going to initially support 15.0-15.1.1.

== External links ==
[https://www.reddit.com/r/jailbreak/comments/w1cmv0/news_on_taurine15_zebra_2_and_my_future_in_the/ Announcement]

[https://www.tumblr.com/coolstarorg/713631798916202496/leaving-the-jailbreak-community?source=share Cancellation]

[[Category:Jailbreaks]]
[[Category:Jailbreaking]]
{{stub|software}}

IBoot-99

2023-01-23T04:27:08Z

0x8FF:

[[File:Iboot-99.jpeg |thumb|right|iBoot-99 running in QEMU (image from [https://twitter.com/mcg29_/status/1606861304697864193 @mcg29])]]

This version of iBoot can be found in [[Alpine 1A420]] NOR dump. It's stored in unencrypted form.

{{stub|firmware}}
[[Category:iBoot]]

File:Iboot-99.jpeg

2023-01-23T04:21:48Z

0x8FF: Image taken from @mcg29 on Twitter. https://twitter.com/mcg29_/status/1606861304697864193/

== Summary ==
Image taken from @mcg29 on Twitter.

https://twitter.com/mcg29_/status/1606861304697864193/

User:0x8FF

2023-01-05T09:33:00Z

0x8FF:

ADAAeAA4AGYAZgAuAG4AZQB0

Saïgon

2023-01-05T09:29:57Z

0x8FF:

{{Infobox software
| name = Saïgon
| title = Saïgon
| developer = [https://twitter.com/cheesecakeufo Abraham Masri (@cheesecakeufo)]
| released = {{Start date|2017|10|15|df=yes}}
| latest release version = beta 3
| latest release date = {{Start date and age|2017|12|10|df=yes}}
| discontinued = {{Start date|2018|01|04}}
| status = Abandoned
| operating system = iOS
| language = English
| genre = Jailbreaking
| website = [https://web.archive.org/web/20180708221035/https://iabem97.github.io/saigon_website/ GitHub Page (Web Archive) - Saïgon]
}}
'''Saïgon''' is a [[semi-untethered jailbreak]] for certain 64-bit devices, running iOS 10.2.1, developed by cheesecakeufo. Saïgon works by sideloading an IPA using [[Cydia Impactor]]. The first beta was released on {{date|2017|10|15}}. It was announced that support for [[iPhone 6s]] on iOS 10.3.1 would come in the future.

Originally based on Adam Donenfeld’s ziVA exploit, Saïgon has been based on Siguza’s [[v0rtex]] exploit since beta 3.

cheesecakeufo no longer provides updates for Saïgon, and has open-sourced the jailbreak on GitHub<ref>https://twitter.com/cheesecakeufo/status/948752448654635008</ref>.

== Version Change Log ==
{| class="wikitable"
|-
! Version
! Date
! Changes
|-
| beta 1
| {{date|2017|10|15}}
|
*Initial release with support for the following devices:
**[[iPhone 6]]
**[[iPhone 6 Plus]] (10.2.1)
**[[iPhone SE (1st generation)]] (10.2.1) (not tested)
**[[iPhone 6s]] (10.2.1) (not tested)
**[[J81AP|iPad Air 2 (Wi-Fi)]] (10.2.1) (not tested)
|-
| beta 2
| rowspan="2" | {{date|2017|10|21}}
|
*Fix for camera not working after jailbreaking
*Support for [[iPhone 6s Plus]]/[[iPad mini 4]]/[[iPad Air 2]]
*Minor bug fixes and changes
*Slightly better at escaping sandbox
*Option to reinstall [[Cydia]] by holding 'jailbreak' button then tapping it again
*Display device model and version
|-
| beta 2 revision 1
|
*Disables Cydia stashing
*Add support for [[iPod touch (6th generation)]]
|-
| beta 3
| {{date|2017|12|10}}
|
*Significantly better success rate using new exploit (v0rtex)
*Support for more devices (not tested)
*Complete re-write of the application
|}

== See also ==
* [[doubleH3lix]] a 64-bit counterpart
* [[Meridian]]
* [[v0rtex]]
* [https://web.archive.org/web/20180906063235/https://github.com/cheesecakeufo/saigon Source code on GitHub (Web Archive)]
<references />

[[Category:Jailbreaks]]
[[Category:Jailbreaking]]

Saïgon

2023-01-05T09:27:43Z

0x8FF:

{{Infobox software
| name = Saïgon
| title = Saïgon
| developer = [https://twitter.com/cheesecakeufo Abraham Masri (@cheesecakeufo)]
| released = {{Start date|2017|10|15|df=yes}}
| latest release version = beta 3
| latest release date = {{Start date and age|2017|12|10|df=yes}}
| discontinued = {{Start date|2018|01|04}}
| status = Abandoned
| operating system = iOS
| language = English
| genre = Jailbreaking
| website = [https://iabem97.github.io/saigon_website/ GitHub Page - Saïgon]
}}
'''Saïgon''' is a [[semi-untethered jailbreak]] for certain 64-bit devices, running iOS 10.2.1, developed by cheesecakeufo. Saïgon works by sideloading an IPA using [[Cydia Impactor]]. The first beta was released on {{date|2017|10|15}}. It was announced that support for [[iPhone 6s]] on iOS 10.3.1 would come in the future.

Originally based on Adam Donenfeld’s ziVA exploit, Saïgon has been based on Siguza’s [[v0rtex]] exploit since beta 3.

cheesecakeufo no longer provides updates for Saïgon, and has open-sourced the jailbreak on GitHub<ref>https://twitter.com/cheesecakeufo/status/948752448654635008</ref>.

== Version Change Log ==
{| class="wikitable"
|-
! Version
! Date
! Changes
|-
| beta 1
| {{date|2017|10|15}}
|
*Initial release with support for the following devices:
**[[iPhone 6]]
**[[iPhone 6 Plus]] (10.2.1)
**[[iPhone SE (1st generation)]] (10.2.1) (not tested)
**[[iPhone 6s]] (10.2.1) (not tested)
**[[J81AP|iPad Air 2 (Wi-Fi)]] (10.2.1) (not tested)
|-
| beta 2
| rowspan="2" | {{date|2017|10|21}}
|
*Fix for camera not working after jailbreaking
*Support for [[iPhone 6s Plus]]/[[iPad mini 4]]/[[iPad Air 2]]
*Minor bug fixes and changes
*Slightly better at escaping sandbox
*Option to reinstall [[Cydia]] by holding 'jailbreak' button then tapping it again
*Display device model and version
|-
| beta 2 revision 1
|
*Disables Cydia stashing
*Add support for [[iPod touch (6th generation)]]
|-
| beta 3
| {{date|2017|12|10}}
|
*Significantly better success rate using new exploit (v0rtex)
*Support for more devices (not tested)
*Complete re-write of the application
|}

== See also ==
* [[doubleH3lix]] a 64-bit counterpart
* [[Meridian]]
* [[v0rtex]]
* [https://web.archive.org/web/20180906063235/https://github.com/cheesecakeufo/saigon Source code on GitHub (Internet Archive)]
<references />

[[Category:Jailbreaks]]
[[Category:Jailbreaking]]

Fugu15

2023-01-05T09:13:25Z

0x8FF:

{{Infobox software
| name = Fugu15
| title = Fugu15
| logo = [[File:Fugu15 icon.png|85px]]
| developer = [https://twitter.com/LinusHenze Linus Henze]
| released = {{Start date|2022|10|31|df=yes}}
| operating system = iOS
| language = English
| genre = Jailbreaking
| license = [[wikipedia:MIT License|MIT License]]
| website = [https://github.com/pinauten/Fugu15 The GitHub page]

}}

'''Fugu15''' is a [[semi-untethered jailbreak]] for iOS 15 (up to 15.4.1 or 15.5 beta 2<ref>https://appledb.dev/jailbreak/Fugu15.html</ref>). Like [[Fugu14]], it only supports arm64e devices out of the box. It does not support tweak injection due to being a rootless jailbreak.

It has been tested to work on the [[D331pAP|iPhone XS Max]], [[N104AP|iPhone 11]], [[D53gAP|iPhone 12]], [[D54pAP|iPhone 12 Pro Max]], and [[D17AP|iPhone 13]].

== External links ==
[https://objectivebythesea.org/v5/talks/OBTS_v5_lHenze.pdf Slides Presented at Objective by the Sea v5]

[https://www.youtube.com/watch?v=aK0xPGMG0NI Video Presentation at Objective by the Sea v5]
[[Category:Jailbreaks]]
[[Category:Jailbreaking]]
{{stub|software}}

Palera1n

2023-01-05T09:10:35Z

0x8FF:

{{lowercase}}
{{Infobox software
| name = palera1n
| title = palera1n
| logo = [[File:palera1n logo.png|85px]]
| developer = [https://twitter.com/itsnebulalol Nebula] [https://twitter.com/mineekdev Mineek] [https://twitter.com/dedbeddedbed Nathan] [https://twitter.com/riscv64 asdfugil] [https://twitter.com/llsc121 llsc12] [https://twitter.com/bestdevelopr Plooshi]
| latest release version = 1.4.1
| latest release date = {{start date and age|2022|12|18}}
| released =
| operating system = [[wikipedia:macOS|macOS]] [[wikipedia:Linux|Linux]]
| language = English
| genre = Jailbreaking
| license = [[wikipedia:GNU General Public License#Version 3|GNU GPL v3]]
| website = [https://palera.in palera.in]
}}

'''palera1n''' is a jailbreak for iOS/iPadOS 15 and later on all devices vulnerable to the [[checkm8 Exploit]].

== Compatibility ==
palera1n supports iOS/iPadOS 15.0 and later. It can jailbreak [[Semi-tethered jailbreak|semi-tethered]] with tweak injection on 15.0-15.3.1. On 15.4 and later, it can jailbreak semi-tethered without tweaks, [[Tethered jailbreak|tethered]] with tweaks, or semi-tethered with tweaks (this last option uses 5-10 GB of storage).

On A10 and A11 devices, the passcode must be disabled while in the jailbroken state, and on A10 and A11 devices running iOS/iPadOS 16 and later, you can't jailbreak if you've ever set a passcode, which requires a reset to factory settings to fix.

[[Category:Jailbreaks]]
[[Category:Jailbreaking]]
{{stub|software}}

User:0x8FF

2022-12-09T07:19:02Z

0x8FF:

I like trolling big corporations :P

User:0x8FF

2022-09-26T06:52:04Z

0x8FF:

ligma

== Links ==

Website: https://0x8ff.net/

GitHub: https://github.com/0x8ff/

Twitter: https://twitter.com/0x8ff/

User:0x8FF

2022-08-10T00:27:00Z

0x8FF:

Hobbyist hacker. Pwn da world!!

== Links ==

Website: https://0x8ff.net/

GitHub: https://github.com/0x8ff/

Twitter: https://twitter.com/0x8ff/

User:0x8FF

2022-08-10T00:21:25Z

0x8FF:

Pwn da world!! Or something.

* Socials *

GitHub: https://github.com/0x8ff/
Twitter: https://twitter.com/0x8ff/
Website: https://0x8ff.net/

User:0x8FF

2022-07-07T22:52:52Z

0x8FF:

I have a Twitter:

https://twitter.com/0x8ff/

Jailbreak Exploits

2022-05-01T04:17:58Z

0x8FF:

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits ==
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])

== Jailbreak Programs ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs used to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===

== Programs used to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)

== Programs used to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs used to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[unthredeh4il]] (4.2.6 - 4.2.10) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

=== [[unthredeh4il]] (4.3 - 4.3.5) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 5.x ==

=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

=== [[unthredeh4il]] (5.0-5.1.1) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]]
* [[Timezone Vulnerability]] ({{cve|2013-0979}})
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs used to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs used to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
* Symbolic linking to AFC ({{cve|2015-5746}})
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
* Code signing exploit ({{cve|2015-3802}})
* Code signing exploit ({{cve|2015-3803}})
* Code signing exploit ({{cve|2015-3805}})
* Code signing exploit ({{cve|2015-3806}})
* IOHIDFamily exploit ({{cve|2015-5774}})
* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})

=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===

* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

== Programs used to jailbreak 9.x ==
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
* Racing KPP for some of the patches.
* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})

=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}})

=== [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* Webkit exploit ({{cve|2016-4657}})

=== [[Home Depot]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

=== [[JailbreakMe 4.0]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})
* Webkit exploit ({{cve|2016-4657}})

=== [[Phœnix]] (9.3.5 / 9.3.6) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* mach_port_register Kernel exploit ({{cve|2016-4669}})

== Programs used to jailbreak 10.x ==

=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===

* set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}})

=== [[yalu102]] (10.0.1-10.2) ===

* mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}})

=== [[doubleH3lix]] (10.0.1 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[Meridian]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[TotallyNotSpyware]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})
* WebKit JIT optimization bug exploit ({{cve|2018-4233}})

=== [[H3lix]] (10.0.1 - 10.3.4) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

== Programs used to jailbreak 11.x ==

===[[Unc0ver]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.0 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.0 - 11.4.1

* voucher_swap ({{cve|2019-6225}})

===[[Electra]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.2 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.2 - 11.4.1

* v1ntex ({{cve|2019-6225}})

== Programs used to jailbreak 12.x ==

===[[Chimera]] (12.0 - 12.5.3)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

===[[Unc0ver]] (12.0 - 12.5.3)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

12.4.1

* AppleAVE2Driver exploit ({{cve|2019-8795}})
* AppleSPUProfileDriver information leak ({{cve|2019-8794}})

12.4.2 - 12.5.3

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

===[[checkra1n]] (12.3 - 12.5.3)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 13.x ==

===[[Unc0ver]] (13.0 - 13.5.5~b1 (excluding 13.5.1))===

13.0 - 13.3 (before version 5.0.0)

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

13.0 - 13.5.5~b1 (excluding 13.5.1) (since version 5.0.0)

* tachy0n (LightSpeed) ({{cve|2020-9859}})

===[[Odyssey]] (13.0 - 13.7)===

13.0 - 13.5

* tardy0n (LightSpeed) ({{cve|2020-9859}})

13.5.1 - 13.7 (for devices with SoCs other than the A8 and A9)

* FreeTheSandbox_LPE_POC_13.7

13.5.1 - 13.7 (for devices with A8/A9 SoCs)

* oob_events ({{cve|2020-27905}}), ({{cve|2020-9964}})

===[[checkra1n]] (13.0 - 13.7)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 14.x ==

===[[checkra1n]] (14.0 - 14.8.1)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

===[[Unc0ver]] (14.0 - 14.8)===

* ivac entry use-after-free ({{cve|2021-1782}})
* pattern-f's closed source exploit ({{cve|2021-30883}})

===[[Taurine]] (14.0 - 14.3)===

* cicuta_virosa ({{cve|2021-1782}})

Jailbreak Exploits

2022-05-01T04:16:21Z

0x8FF:

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits ==
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])

== Jailbreak Programs ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs used to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===

== Programs used to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)

== Programs used to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs used to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[unthredeh4il]] (4.2.6 - 4.2.10) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

=== [[unthredeh4il]] (4.3 - 4.3.5) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 5.x ==

=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

=== [[unthredeh4il]] (5.0-5.1.1) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]]
* [[Timezone Vulnerability]] ({{cve|2013-0979}})
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs used to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs used to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
* Symbolic linking to AFC ({{cve|2015-5746}})
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
* Code signing exploit ({{cve|2015-3802}})
* Code signing exploit ({{cve|2015-3803}})
* Code signing exploit ({{cve|2015-3805}})
* Code signing exploit ({{cve|2015-3806}})
* IOHIDFamily exploit ({{cve|2015-5774}})
* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})

=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===

* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

== Programs used to jailbreak 9.x ==
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
* Racing KPP for some of the patches.
* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})

=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}})

=== [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* Webkit exploit ({{cve|2016-4657}})

=== [[Home Depot]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

=== [[JailbreakMe 4.0]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})
* Webkit exploit ({{cve|2016-4657}})

=== [[Phœnix]] (9.3.5 / 9.3.6) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* mach_port_register Kernel exploit ({{cve|2016-4669}})

== Programs used to jailbreak 10.x ==

=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===

* set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}})

=== [[yalu102]] (10.0.1-10.2) ===

* mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}})

=== [[doubleH3lix]] (10.0.1 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[Meridian]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[TotallyNotSpyware]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})
* WebKit JIT optimization bug exploit ({{cve|2018-4233}})

=== [[H3lix]] (10.0.1 - 10.3.4) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

== Programs used to jailbreak 11.x ==

===[[Unc0ver]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.0 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.0 - 11.4.1

* voucher_swap ({{cve|2019-6225}})

===[[Electra]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.2 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.2 - 11.4.1

* v1ntex ({{cve|2019-6225}})

== Programs used to jailbreak 12.x ==

===[[Chimera]] (12.0 - 12.5.3)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

===[[Unc0ver]] (12.0 - 12.5.3)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

12.4.1

* AppleAVE2Driver exploit ({{cve|2019-8795}})
* AppleSPUProfileDriver information leak ({{cve|2019-8794}})

12.4.2 - 12.5.3

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

===[[checkra1n]] (12.3 - 12.5.3)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 13.x ==

===[[Unc0ver]] (13.0 - 13.5.5~b1 (excluding 13.5.1))===

13.0 - 13.3 (before version 5.0.0)

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

13.0 - 13.5.5~b1 (excluding 13.5.1) (since version 5.0.0)

* tachy0n (LightSpeed) ({{cve|2020-9859}})

===[[Odyssey]] (13.0 - 13.7)===

13.0 - 13.5

* tardy0n (LightSpeed) ({{cve|2020-9859}})

13.5.1 - 13.7 (for devices with SoCs other than the A8 and A9)

* FreeTheSandbox_LPE_POC_13.7

13.5.1 - 13.7 (for devices with A8/A9 SoCs)

* oob_events ({{cve|2020-27905}}), ({{cve|2020-9964}})

===[[checkra1n]] (13.0 - 13.7)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 14.x ==

===[[checkra1n]] (14.0 - 14.8.1)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

===[[unc0ver]] (14.0 - 14.8)===

* ivac entry use-after-free ({{cve|2021-1782}})
* pattern-f's closed source exploit ({{cve|2021-30883}})

===[[Taurine]] (14.0 - 14.3)===

* cicuta_virosa ({{cve|2021-1782}})

User:0x8FF

2022-03-19T21:11:27Z

0x8FF:

I am also known as shulkk.

Twitter:
https://twitter.com/_shulkk

User:0x8FF

2022-03-19T21:11:10Z

0x8FF:

'''Hello World'''
I am also known as shulkk.

Twitter:
https://twitter.com/_shulkk

User:0x8FF

2022-03-08T03:56:04Z

0x8FF:

Hello World!

twitter.com/0x8FF
github.com/0x8FF

Sileo

2022-03-04T05:03:25Z

0x8FF: Remove Broken BigBoss Hyperlink and More

'''Sileo''' is an open source software installer created by Sileo Team ([https://www.twitter.com/cstar_ow CoolStar], [https://www.twitter.com/aesign_ Alessandro Chiarlitti] and [https://www.twitter.com/kabiroberai Kabir Oberai]) that uses the Debian [[APT]] system for package management.

Sileo, which supports all devices (except [[List of Apple Watches|Apple Watches]]) running iPhone/Apple TV tvOS 11 - iOS 12.4 on [[Electra]] and [[Chimera]] jailbreaks.

By default, Sileo includes the third party repos such as: BigBoss, Chariz, Chimera (or Electra, depending on the jailbreak tool), Dynastic and Packix.

== See Also ==
* [[Sileo Errors]]

== External Links ==
* [https://getsileo.app/ Sileo website]

[[Category:Software]]
[[Category:Application]]
[[Category:Jailbreaking]]
[[Category:Package Manager]]

Sileo

2022-03-02T00:48:44Z

0x8FF: Added a few words.

'''Sileo''' is an open source software installer created by Sileo Team ([https://www.twitter.com/cstar_ow CoolStar], [https://www.twitter.com/aesign_ Alessandro Chiarlitti] and [https://www.twitter.com/kabiroberai Kabir Oberai]) that uses the Debian [[APT]] system for package management.

Sileo, which supports all devices (except [[List of Apple Watches|Apple Watches]]) running iPhone/Apple TV tvOS 11 - iOS 12.4 on [[Electra]] and [[Chimera]] jailbreaks.

By default, Sileo includes the third party repos [[BigBoss]], Chariz, Chimera (or Electra, depending on the jailbreak tool), Dynastic and Packix.

== See Also ==
* [[Sileo Errors]]

== External Links ==
* [https://getsileo.app/ Sileo website]

[[Category:Software]]
[[Category:Application]]
[[Category:Jailbreaking]]
[[Category:Package Manager]]

User:0x8FF

2022-03-02T00:24:55Z

0x8FF: Created page with "d2h5IGRpZCB5b3UgZXZlbiBib3RoZXI="

d2h5IGRpZCB5b3UgZXZlbiBib3RoZXI=