2015-01-29T00:46:32Z

Sjeezpwn: that exploit was summarised by geohot but was saying it was unknown

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits which are used in order to jailbreak different versions of iOS ==
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[n72ap|iPod touch 2G]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[n88ap|iPhone 3GS]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]] and [[k66ap|Apple TV 2G]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])

== Programs which are used in order to jailbreak different versions of iOS ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs which are used in order to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailborken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 /1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 /1.1.5) ===

== Programs which are used in order to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[n72ap|iPod touch 2G]] only)

== Programs which are used in order to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs which are used in order to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[n18ap|iPod touch 3G]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

== Programs which are used in order to jailbreak 5.x ==
=== [[unthredera1n]] (5.0 / 5.0.1 / 5.1 / 5.1.1) ===
Except for the [[iPad 3]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Absinthe]] (5.0 on [[n94ap|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

== Programs which are used in order to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs which are used in order to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnarability ({{cve|2014-1272}})
* unknown exploit ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1 / 7.1.2) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* [[i0n1c]]'s Infoleak vulnerability (Pangu v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
* LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0) ({{cve|2014-4388}})
* TempSensor kernel exploit (Pangu 1.1.0) ({{cve|2014-4388}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack
* ptmx_get_ioctl crafted call exploit ({{cve|2014-4407}})

== Programs which are used in order to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* the same/a similar kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})
* i0n1c's Kernel info leak ({{cve|2014-4491}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
* LightSensor / ProxALSSensor kernel exploit (Also used in Pangu 1.0.0)
* [[DeveloperDiskImage race condition]] (by [[comex]]) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn)
* enable-dylibs-to-override-cache (Also used in Pangu8)
* a kind of dylib injection into a system process (see IPA) (Also used in Pangu8 but tweaked slightly)
* a new ovelapping segment attack [in a modified version] ({{cve|2014-4455}})
* a new afc symlink attack ({{cve|2014-4480}})
* mach_ports info leak {{cve|2014-4496}}
* IOHIDFamily Kernel exploit ({{cve|2014-4487}})