The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.

Jailbreak Exploits

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits ==
These exploits do not depend on a particular firmware version; as such, they are reused by numerous jailbreaking programs.

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; a second exploit such as the [[limera1n Exploit]] is required alongside it)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])

== Jailbreak Programs ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses several of the common exploits listed above
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses several of the common exploits listed above
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses several of the common exploits listed above
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs used to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit (in [[Restore Mode]], the [[iBoot (Bootloader)|iBoot]] <code>cp</code> command had access to the whole filesystem)

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
An "upgrade" jailbreak: moves an already jailbroken 1.1.1 device to 1.1.2.
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
An "upgrade" jailbreak: moves a running, jailbroken 1.1.2 device to 1.1.3.

=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===
== Programs used to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)

== Programs used to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses several of the common exploits listed above
* [[Packet Filter Kernel Exploit]]

== Programs used to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses several of the common exploits listed above
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses several of the common exploits listed above
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses several of the common exploits listed above
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[unthredeh4il]] (4.2.6 - 4.2.10) ===
All devices except the [[iPad (3rd generation)]].
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
All devices except the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== [[i0n1c]]'s Untether (4.3.1 / 4.3.2 / 4.3.3) ===
Used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3.
* [[ndrv_setspec() Integer Overflow]]

=== [[unthredeh4il]] (4.3 - 4.3.5) ===
All devices except the [[iPad (3rd generation)]].
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 5.x ==

=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and for the untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

=== [[unthredeh4il]] (5.0-5.1.1) ===
All devices except the [[iPad (3rd generation)]].
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]]
* [[Timezone Vulnerability]] ({{cve|2013-0979}})
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs used to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
* ptmx_get_ioctl crafted ioctl call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1) ===
* [[limera1n]]'s bootrom exploit ([[tethered jailbreak]] on the [[iPhone 4]])

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu later than v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit ({{cve|2014-4496}}) - used to recover the permutation value and the addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (not an exploit as such; used for the initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a large file used to make a race condition more reliable)
* VoIP backgrounding trick (used to restart the app automatically)
* hidden segment attack

== Programs used to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source: @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see the IPA)
* a dmg mount command, apparently mounting the Developer DMG (visible in syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit ({{cve|2014-4496}}) - used to recover the permutation value and the addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source: @iH8sn0w) - now also used to leak kernel memory (source: @Morpheus______)
* enable-dylibs-to-override-cache
* a new overlapping segment attack ({{cve|2014-4455}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite libmis/xpcd_cache (via a union mount)
* A new overlapping segment attack against dyld, in a modified form ({{cve|2014-4455}}) - a negative LC_SEGMENT size - to allow libmis and xpcd_cache to load
* libmis redirection of MISValidateSignature to kCFEqual (as in evasi0n), with an overlapping segment variant in TaiG (a segment at the end of the file with a negative size)
* enable-dylibs-to-override-cache - forces dynamic libraries to be loaded from the filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit ({{cve|2014-4496}}) - used to recover the permutation value and the addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory
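
The overlapping segment attacks listed for evasi0n, Pangu8 and TaiG above all rely on Mach-O segment load commands whose file or memory ranges do not add up: ranges that overlap each other, or sizes so large that offset plus size wraps in native arithmetic ("negative LC_SEGMENT"). The following is an added example, not code from the wiki or from any of those jailbreaks: a small Python checker that parses the <code>LC_SEGMENT</code>/<code>LC_SEGMENT_64</code> commands of a thin Mach-O image and reports overlapping, overrunning or wrapping ranges. The sample images are constructed by the block's own <code>build_macho()</code> helper and are not real iOS binaries; no claim is made that these are exactly the checks dyld gained in the corresponding fixes.

```python
"""Mach-O segment sanity checker: flags LC_SEGMENT ranges that overlap, overrun or wrap.
Added example, not code from the wiki or any jailbreak; the sample images are built by
build_macho() below and are not real iOS binaries."""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # little-endian 32-/64-bit mach_header
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19             # segment load command types
# cmd, cmdsize, segname, vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags
SEG32, SEG64 = "<II16sIIIIIIII", "<II16sQQQQIIII"


def parse_segments(data):
    """Walk the load commands of a thin Mach-O and return (bits, [segment dicts])."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC:
        bits, hdr_len = 32, 28
    elif magic == MH_MAGIC_64:
        bits, hdr_len = 64, 32
    else:
        raise ValueError("not a little-endian Mach-O image: magic=0x%08x" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    cmd_end = min(hdr_len + sizeofcmds, len(data))
    segments, off = [], hdr_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > cmd_end:
            raise ValueError("load command at 0x%x overruns the load command area" % off)
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            fmt = "<16sIIII" if cmd == LC_SEGMENT else "<16sQQQQ"
            name, vmaddr, vmsize, fileoff, filesize = struct.unpack_from(fmt, data, off + 8)
            segments.append({"name": name.rstrip(b"\0").decode(), "vmaddr": vmaddr,
                             "vmsize": vmsize, "fileoff": fileoff, "filesize": filesize})
        off += cmdsize
    return bits, segments


def _overlaps(a0, a1, b0, b1):          # half-open ranges [a0, a1) and [b0, b1)
    return a0 < b1 and b0 < a1


def find_segment_anomalies(data):
    """Return human-readable findings; an empty list means the segment table is consistent.
    Sums use unbounded integers and are compared with the native address mask, so a
    "negative" (wrapping) size is reported instead of silently wrapping as it would in C."""
    bits, segs = parse_segments(data)
    mask = (1 << bits) - 1
    findings = []
    for s in segs:
        n = s["name"]
        if s["fileoff"] + s["filesize"] > mask:
            findings.append(f"{n}: file range wraps (fileoff+filesize exceeds {bits} bits)")
        elif s["fileoff"] + s["filesize"] > len(data):
            findings.append(f"{n}: file range extends past end of file")
        if s["vmaddr"] + s["vmsize"] > mask:
            findings.append(f"{n}: VM range wraps (vmaddr+vmsize exceeds {bits} bits)")
        if s["filesize"] > s["vmsize"]:
            findings.append(f"{n}: filesize larger than vmsize")
    for i, a in enumerate(segs):
        for b in segs[i + 1:]:
            if a["filesize"] and b["filesize"] and _overlaps(
                    a["fileoff"], a["fileoff"] + a["filesize"],
                    b["fileoff"], b["fileoff"] + b["filesize"]):
                findings.append(f"{a['name']} overlaps {b['name']} in the file")
            if a["vmsize"] and b["vmsize"] and _overlaps(
                    a["vmaddr"], a["vmaddr"] + a["vmsize"],
                    b["vmaddr"], b["vmaddr"] + b["vmsize"]):
                findings.append(f"{a['name']} overlaps {b['name']} in memory")
    return findings


def build_macho(segments, bits=32, file_len=0x3000):
    """Constructed test image: header + one segment command per (name, vmaddr, vmsize,
    fileoff, filesize) tuple, zero-padded to file_len bytes."""
    magic, cmd, fmt, cputype = ((MH_MAGIC, LC_SEGMENT, SEG32, 0x0C) if bits == 32
                                else (MH_MAGIC_64, LC_SEGMENT_64, SEG64, 0x0100000C))
    cmds = b"".join(
        struct.pack(fmt, cmd, struct.calcsize(fmt), name.encode().ljust(16, b"\0"),
                    vmaddr, vmsize, fileoff, filesize, 7, 5, 0, 0)
        for name, vmaddr, vmsize, fileoff, filesize in segments)
    # magic, cputype, cpusubtype, filetype (2 = MH_EXECUTE), ncmds, sizeofcmds, flags
    hdr = struct.pack("<IIIIIII", magic, cputype, 0, 2, len(segments), len(cmds), 0)
    hdr += b"\0\0\0\0" if bits == 64 else b""     # mach_header_64.reserved
    return (hdr + cmds).ljust(file_len, b"\0")


# Constructed samples: a consistent __PAGEZERO/__TEXT/__DATA layout, and the same layout plus
# a segment whose filesize reads as negative in 32-bit arithmetic and whose file range
# re-maps bytes already claimed by __TEXT and __DATA.
LAYOUT = [("__PAGEZERO", 0x0000, 0x4000, 0x0000, 0x0000),
          ("__TEXT",     0x4000, 0x2000, 0x0000, 0x2000),
          ("__DATA",     0x6000, 0x1000, 0x2000, 0x1000)]
BENIGN = build_macho(LAYOUT)
CRAFTED = build_macho(LAYOUT + [("__EVIL", 0x8000, 0x2000, 0x1000, 0xFFFFF000)])

if __name__ == "__main__":
    for label, image in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(label + ":", find_segment_anomalies(image) or "no anomalies")
```

Running the block reports nothing for the consistent layout and four findings for the crafted one: the wrapping file range, a filesize larger than its vmsize, and file-range overlaps with both <code>__TEXT</code> and <code>__DATA</code>. Fat (multi-architecture) binaries, section headers and the remaining load command types are deliberately out of scope.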

=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2, here in a modified form) - to mount a fake DDI
* enable-dylibs-to-override-cache - forces dynamic libraries to be loaded from the filesystem (where available) instead of the shared cache (overriding libmis)
* Symbolic linking to AFC ({{cve|2015-5746}})
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
* Code signing exploits ({{cve|2015-3802}}, {{cve|2015-3803}}, {{cve|2015-3805}}, {{cve|2015-3806}})
* IOHIDFamily exploit ({{cve|2015-5774}})
* AirTraffic exploit allowing arbitrary filesystem locations to be accessed via asset handling ({{cve|2015-5766}})

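Several of the entries above are symlink tricks against a privileged copy or restore step: the AFC symlink attacks ({{cve|2014-4480}}, {{cve|2015-5746}}), the backup exploits that reach restricted parts of the filesystem, and Pangu's "foo_extracted" link used to write into /var. The added example below, which is not code from the wiki or from any of these jailbreaks, shows the pattern in miniature: a naive writer that follows a link planted inside its staging directory, next to a hardened writer that resolves the parent directory, checks that it stays under the root, and opens the leaf with <code>O_NOFOLLOW</code>. The staging directory, the planted link and the file names are constructed in <code>demo()</code>.

```python
"""Symlink-following path escape in a restore/extract step, and a hardened writer.
Added example, not code from the wiki or from any jailbreak or Apple component. The
staging directory, the planted symlink and the file names are constructed in demo()."""
import os
import tempfile


class PathEscape(Exception):
    """Raised by safe_extract_write() when a target would land outside the root."""


def unsafe_extract_write(root, relpath, data):
    """Naive writer: joins the caller-chosen relative path onto root and opens it.
    Any symlink already planted under root is followed, so the write can land anywhere."""
    dest = os.path.join(root, relpath)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as f:
        f.write(data)
    return os.path.realpath(dest)


def safe_extract_write(root, relpath, data):
    """Hardened writer: rejects absolute and '..' paths, resolves the parent directory
    and requires it to stay under root, then opens the leaf with O_NOFOLLOW."""
    root_real = os.path.realpath(root)
    parts = relpath.split(os.sep)
    if os.path.isabs(relpath) or ".." in parts or "" in parts:
        raise PathEscape(f"rejecting path {relpath!r}")
    parent_real = os.path.realpath(os.path.join(root_real, *parts[:-1]))
    if os.path.commonpath([root_real, parent_real]) != root_real:
        raise PathEscape(f"{relpath!r} resolves to {parent_real}, outside {root_real}")
    os.makedirs(parent_real, exist_ok=True)
    # O_NOFOLLOW covers only the last component; the parent check above covers the rest.
    # A race between the realpath() check and this open() remains (see the note below).
    fd = os.open(os.path.join(parent_real, parts[-1]),
                 os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return os.path.join(parent_real, parts[-1])


def demo():
    """Constructed scenario: a symlink planted inside the staging directory points at a
    directory outside it (standing in for a protected location such as /var)."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "staging")
    outside = os.path.join(base, "protected")
    os.makedirs(root)
    os.makedirs(outside)
    os.symlink(outside, os.path.join(root, "Library"))   # the planted link
    root_real = os.path.realpath(root)
    escaped_to = unsafe_extract_write(root, os.path.join("Library", "pwned"), b"x")
    try:
        safe_extract_write(root, os.path.join("Library", "pwned"), b"x")
        blocked = False
    except PathEscape:
        blocked = True
    legit = safe_extract_write(root, os.path.join("Media", "ok"), b"y")
    return {
        "root": root,
        "unsafe_wrote_outside": os.path.commonpath([root_real, escaped_to]) != root_real,
        "safe_blocked": blocked,
        "legit_inside": os.path.commonpath([root_real, legit]) == root_real,
    }


if __name__ == "__main__":
    print(demo())
```

The naive writer lands its file in the directory the planted link points at; the hardened one refuses that path and still accepts an ordinary one. What the hardened writer does not close is the window between the <code>realpath()</code> check and the <code>open()</code>: a link swapped in during that window is the same race the DeveloperDiskImage entries exploit, and a production implementation has to walk the path with directory file descriptors (<code>openat</code> with <code>O_NOFOLLOW</code> at every step) rather than re-resolving strings.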
=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

== Programs used to jailbreak 9.x ==
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
* Photos exploit to gain arbitrary unsandboxed filesystem access as mobile, used to load an outdated DDI ({{cve|2015-7037}})
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables ({{cve|2015-7051}})
* IOHIDFamily use-after-free for a kernel information leak / code execution as mobile ({{cve|2015-6974}})
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistence ({{cve|2015-7079}})
* Racing KPP for some of the patches.
* AMFI MAC hooks lived in a non-__const __DATA section, so they were not integrity-checked by KPP, allowing the MAC hooks that enforce code signing to be replaced ({{cve|2015-7055}})

=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges ({{cve|2016-4654}})

=== [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* WebKit exploit ({{cve|2016-4657}})

=== [[Home Depot]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

=== [[JailbreakMe 4.0]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})
* WebKit exploit ({{cve|2016-4657}})

=== [[Phœnix]] (9.3.5 / 9.3.6) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* mach_port_register Kernel exploit ({{cve|2016-4669}})

== Programs used to jailbreak 10.x ==

=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===
* set_dp_control_port exploit to execute arbitrary code with kernel privileges ({{cve|2016-7644}})

=== [[yalu102]] (10.0.1-10.2) ===
* mach_voucher_extract_attr_recipe_trap memory corruption ({{cve|2017-2370}})

=== [[doubleH3lix]] (10.0.1 - 10.3.3) ===
* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[Meridian]] (10.0 - 10.3.3) ===
* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[TotallyNotSpyware]] (10.0 - 10.3.3) ===
* IOSurface Kernel Exploit ({{cve|2017-13861}})
* WebKit JIT optimization bug exploit ({{cve|2018-4233}})

=== [[H3lix]] (10.0.1 - 10.3.4) ===
* IOSurface Kernel Exploit ({{cve|2017-13861}})

== Programs used to jailbreak 11.x ==

=== [[Unc0ver]] (11.0-11.4.1) ===
11.0 - 11.1.2:
* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.0 - 11.3.1:
* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.0 - 11.4.1:
* voucher_swap ({{cve|2019-6225}})

=== [[Electra]] (11.0-11.4.1) ===
11.0 - 11.1.2:
* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.2 - 11.3.1:
* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.2 - 11.4.1:
* v1ntex ({{cve|2019-6225}})

== Programs used to jailbreak 12.x ==

=== [[Chimera]] (12.0 - 12.5.3) ===
12.0 - 12.1.2:
* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2 and 12.4:
* SockPuppet ({{cve|2019-8605}})

=== [[Unc0ver]] (12.0 - 12.5.3) ===
12.0 - 12.1.2:
* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2 and 12.4:
* SockPuppet ({{cve|2019-8605}})

12.4.1:
* AppleAVE2Driver exploit ({{cve|2019-8795}})
* AppleSPUProfileDriver information leak ({{cve|2019-8794}})

12.4.2 - 12.5.3:
* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

=== [[checkra1n]] (12.3 - 12.5.3) ===
* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 13.x ==

=== [[Unc0ver]] (13.0 - 13.5.5~b1, excluding 13.5.1) ===
13.0 - 13.3 (before version 5.0.0):
* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

13.0 - 13.5.5~b1, excluding 13.5.1 (since version 5.0.0):
* tachy0n (LightSpeed) ({{cve|2020-9859}})

=== [[Odyssey]] (13.0 - 13.7) ===
13.0 - 13.5:
* tardy0n (LightSpeed) ({{cve|2020-9859}})

13.5.1 - 13.7 (devices with SoCs other than the A8 and A9):
* FreeTheSandbox_LPE_POC_13.7

13.5.1 - 13.7 (devices with A8/A9 SoCs):
* oob_events ({{cve|2020-27905}}, {{cve|2020-9964}})

=== [[checkra1n]] (13.0 - 13.7) ===
* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

| + | == Programs used to jailbreak 14.x == | ||
| + | |||
| + | ===[[checkra1n]] (14.0 - 14.8.1)=== | ||
| + | |||
| + | * [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}}) | ||
| + | |||
| + | ===[[Unc0ver]] (14.0 - 14.8)=== | ||
| + | * ivac entry use-after-free ({{cve|2021-1782}}) | ||
| − | === 6.1.3 / 6.1.4 / 6.1.5 / 6.1.6 === | ||
| + | * pattern-f's closed source exploit ({{cve|2021-30883}}) | ||
| − | *? | ||
| + | ===[[Taurine]] (14.0 - 14.3)=== | ||
| − | == Exploits which are used in order to jailbreak 7.x == | ||
| − | === 7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6 === | ||
| − | * ? | ||
| + | * cicuta_virosa ({{cve|2021-1782}}) | ||
| − | === 7.1 === | ||
| − | *[[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]] | ||
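Review bot: two pairs of entries in this hunk share a CVE under different exploit names without saying how they relate, which reads as a possible typo: the Unc0ver 13.x block lists "tachy0n (LightSpeed)" and the Odyssey 13.0 - 13.5 block lists "tardy0n (LightSpeed)", both tagged {{cve|2020-9859}}, and under 14.x Unc0ver lists "ivac entry use-after-free" while Taurine lists "cicuta_virosa", both tagged {{cve|2021-1782}}. If these are distinct exploits for the same bug, a short parenthetical or a wiki link on each name would make that explicit; if one is a misspelling, it should be corrected so readers do not take the CVE mapping as an error.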
Latest revision as of 04:17, 1 May 2022
This page lists the exploits used in jailbreaks.
Common exploits
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.
- Pwnage + Pwnage 2.0 (together to jailbreak the iPhone, iPod touch, and iPhone 3G)
- ARM7 Go (from iOS 2.1.1) (for tethered jailbreak on iPod touch (2nd generation))
- 0x24000 Segment Overflow (for untethered jailbreak on iPhone 3GS with old bootrom and iPod touch (2nd generation) with old bootrom; another exploit, such as the limera1n Exploit, is also required)
- limera1n Exploit (for tethered jailbreak on iPhone 3GS, iPod touch (3rd generation), iPad, iPhone 4, iPod touch (4th generation) and Apple TV (2nd generation))
- usb_control_msg(0xA1, 1) Exploit (also known as "steaks4uce") (for tethered jailbreak on iPod touch (2nd generation))
Jailbreak Programs
PwnageTool (2.0 - 5.1.1)
- uses several of the common exploits listed above
- uses the exploits listed below to untether up to iOS 5.1.1
redsn0w (3.0 - 6.0)
- uses several of the common exploits listed above
- uses the same exploits as Absinthe and Absinthe 2.0 to jailbreak iOS 5.0/5.0.1 and 5.1.1
- uses the exploits listed below to untether up to iOS 5.1.1
sn0wbreeze (3.1.3 - 6.1.3)
- uses several of the common exploits listed above
- uses the exploits listed below to untether up to iOS 6.1.2
Programs used to jailbreak 1.x
AppTapp Installer (1.0 / 1.0.1 / 1.0.2)
- iBoot cp-command exploit
iBrickr (1.0 / 1.0.1 / 1.0.2)
- iBoot cp-command exploit
AppSnapp/JailbreakMe 1.0 (1.0 / 1.0.1 / 1.0.2 / 1.1.1)
- libtiff exploit (Adapted from the PSP scene, used by JailbreakMe) (CVE-2006-3459)
OktoPrep (1.1.2)
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
Soft Upgrade (1.1.3)
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2
ZiPhone (1.1.3 / 1.1.4 / 1.1.5)
iLiberty / iLiberty+ (1.1.3 / 1.1.4 / 1.1.5)
Programs used to jailbreak 2.x
QuickPwn (2.0 - 2.2.1)
- uses Pwnage and Pwnage 2.0
Redsn0w Lite (2.1.1)
- ARM7 Go (for iPod touch (2nd generation) only)
Programs used to jailbreak 3.x
purplera1n (3.0)
blackra1n (3.1 / 3.1.1 / 3.1.2)
Spirit (3.1.2 / 3.1.3 / 3.2)
JailbreakMe 2.0 / Star (3.1.2 / 3.1.3 / 3.2 / 3.2.1)
- Malformed CFF Vulnerability (CVE-2010-1797)
- Incomplete Codesign Exploit
- IOSurface Kernel Exploit (CVE-2010-2973)
limera1n / greenpois0n (3.2.2)
- uses several of the common exploits listed above
- Packet Filter Kernel Exploit
Programs used to jailbreak 4.x
JailbreakMe 2.0 / Star (4.0 / 4.0.1)
- Malformed CFF Vulnerability (CVE-2010-1797)
- Incomplete Codesign Exploit
- IOSurface Kernel Exploit (CVE-2010-2973)
limera1n (4.0 / 4.0.1 / 4.0.2 / 4.1)
- uses several of the common exploits listed above
- Packet Filter Kernel Exploit
greenpois0n (4.1)
- uses several of the common exploits listed above
- Packet Filter Kernel Exploit
greenpois0n (4.2.1)
- uses several of the common exploits listed above
- HFS Legacy Volume Name Stack Buffer Overflow
JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)
unthredeh4il (4.2.6 - 4.2.10)
Except for the iPad (3rd generation)
- MobileBackup2 Copy Exploit
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- AMFID code signing evasion (CVE-2013-0977)
- launchd.conf untether
- Timezone Vulnerability
JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)
Except for the iPod touch (3rd generation) on iOS 4.3.1.
- T1 Font Integer Overflow (CVE-2011-0226)
- IOMobileFrameBuffer Privilege Escalation Exploit (CVE-2011-0227)
i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)
used in redsn0w to untether iOS 4.3.1 / 4.3.2 / 4.3.3
unthredeh4il (4.3 - 4.3.5)
Except for the iPad (3rd generation)
- MobileBackup2 Copy Exploit
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- AMFID code signing evasion (CVE-2013-0977)
- launchd.conf untether
- Timezone Vulnerability
Programs used to jailbreak 5.x
Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)
- Racoon String Format Overflow Exploit (CVE-2012-0646) (used both for payload injection and untether)
- HFS Heap Overflow (CVE-2012-0642)
- unknown exploit (CVE-2012-0643)
Corona Untether (5.0.1)
- Racoon String Format Overflow Exploit (CVE-2012-0646)
- HFS Heap Overflow (CVE-2012-0642)
- unknown exploit (CVE-2012-0643)
Absinthe 2.0 and Rocky Racoon Untether (5.1.1)
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)
- MobileBackup2 Copy Exploit
unthredeh4il (5.0-5.1.1)
Except for the iPad (3rd generation)
- MobileBackup2 Copy Exploit
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- AMFID code signing evasion (CVE-2013-0977)
- launchd.conf untether
- Timezone Vulnerability
Programs used to jailbreak 6.x
evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)
- Symbolic Link Vulnerability
- Timezone Vulnerability (CVE-2013-0979)
- Shebang Trick (CVE-2013-5154)
- AMFID code signing evasion
- launchd.conf untether
- IOUSBDeviceFamily Vulnerability (CVE-2013-0981)
- ARM Exception Vector Info Leak (CVE-2013-0978)
- dynamic memmove() locating
- vm_map_copy_t corruption for arbitrary memory disclosure
- kernel memory write via ROP gadget
- Overlapping Segment Attack (CVE-2013-0977)
p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)
- posix_spawn kernel information leak (CVE-2013-3954) (by i0n1c)
- posix_spawn kernel exploit (CVE-2013-3954) (by i0n1c)
- mach_msg_ool_descriptor_ts for heap shaping (CVE-2013-3953)
- AMFID_code_signing_evasi0n7 (CVE-2014-1273)
- DeveloperDiskImage race condition (by comex)
- launchd.conf untether
Programs used to jailbreak 7.x
evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)
- Symbolic Link Vulnerability (CVE-2013-5133)
- AMFID_code_signing_evasi0n7 (CVE-2014-1273)
- CrashHouseKeeping chmod vulnerability (CVE-2014-1272)
- ptmx_get_ioctl ioctl crafted call (CVE-2014-1278)
Geeksn0w (7.1 / 7.1.1)
- limera1n's bootrom exploit (Tethered jailbreak) on iPhone 4
Pangu (7.1 / 7.1.1 / 7.1.2)
- Mach-O OSBundleHeaders info leak (CVE-2014-4491) (Pangu v1.0.0)
- AppleKeyStore::initUserClient info leak (CVE-2014-4407) (Pangu >v1.0.0)
- break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (CVE-2014-4422)
- mach_port_kobject exploit (CVE-2014-4496) - used to recover the permutation value and addresses of kernel objects
- IOSharedDataQueue notification port overwrite (CVE-2014-4461)
- "syslogd chown" vulnerability
- enterprise certificate (no real exploit, used for initial "unsigned" code execution)
- "foo_extracted" symlink vulnerability (used to write to /var) (CVE-2014-4386)
- /tmp/bigfile (a large file used to improve the reliability of a race condition)
- VoIP backgrounding trick (used to auto restart the app)
- hidden segment attack
Programs used to jailbreak 8.x
Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)
- an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
- enterprise certificate (inside the IPA)
- a kind of dylib injection into a system process (see IPA)
- a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
- a sandboxing problem in debugserver (CVE-2014-4457)
- mach_port_kobject exploit (CVE-2014-4496) - used to recover the permutation value and addresses of kernel objects
- the same kernel exploit as used in the first Pangu (CVE-2014-4461) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
- enable-dylibs-to-override-cache
- a new overlapping segment attack (CVE-2014-4455)
TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2)
(See also details at newosxbook.com)
- A new AFC symlink attack (CVE-2014-4480) - to get onto the device filesystem
- DeveloperDiskImage race condition (by comex, also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
- A new overlapping segment attack in dyld, in a modified version (CVE-2014-4455) - negative LC_SEGMENT - to allow libmis and xpcd_cache to load
- libmis redirection of MISValidateSignature (as in evasi0n) to kCFEqual, with an overlapping segment variant in TaiG (segment at end of file, negative)
- enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
- MobileStorageMounter exploit (CVE-2015-1062)
- Backup exploit used to access restricted parts of the filesystem (CVE-2015-1087)
Kernel:
- Mach-O OSBundleHeaders info leak (CVE-2014-4491) - leaks slid addresses
- mach_port_kobject exploit (CVE-2014-4496) - used to recover the permutation value and addresses of kernel objects
- IOHIDFamily Kernel exploit (CVE-2014-4487) - to overwrite memory
TaiG and PPJailbreak (8.1.3 / 8.2 / 8.3 / 8.4)
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
- DeveloperDiskImage race condition (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
- enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
- Symbolic linking to AFC (CVE-2015-5746)
- Backup exploit to write to protected regions of the disk (CVE-2015-5752)
- Code signing exploit (CVE-2015-3802)
- Code signing exploit (CVE-2015-3803)
- Code signing exploit (CVE-2015-3805)
- Code signing exploit (CVE-2015-3806)
- IOHIDFamily exploit (CVE-2015-5774)
- Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling (CVE-2015-5766)
EtasonJB and Home Depot (8.4.1)
- OSUnserialize Information leak (CVE-2016-4655)
- Kernel exploit (CVE-2016-4656)
Programs used to jailbreak 9.x
Pangu9 (9.0 / 9.0.1 / 9.0.2 / 9.1)
- Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. (CVE-2015-7037)
- MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. (CVE-2015-7051)
- IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. (CVE-2015-6974)
- dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency (CVE-2015-7079)
- Racing KPP for some of the patches.
- AMFI MAC hooks were in a non-__const __DATA section, so they were not integrity-checked by KPP, allowing the MAC hooks required for code signing to be replaced. (CVE-2015-7055)
Pangu9 (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3)
- IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. (CVE-2016-4654)
jbme (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3)
- Webkit exploit (CVE-2016-4657)
Home Depot (9.1-9.3.4)
- OSUnserialize Information leak (CVE-2016-4655)
- Kernel exploit (CVE-2016-4656)
JailbreakMe 4.0 (9.1-9.3.4)
- OSUnserialize Information leak (CVE-2016-4655)
- Kernel exploit (CVE-2016-4656)
- Webkit exploit (CVE-2016-4657)
Phœnix (9.3.5 / 9.3.6)
- OSUnserialize Information leak (CVE-2016-4655)
- mach_port_register Kernel exploit (CVE-2016-4669)
Programs used to jailbreak 10.x
extra_recipe+yaluX (10.0-10.1.1)
- set_dp_control_port exploit to execute arbitrary code with kernel privileges. (CVE-2016-7644)
yalu102 (10.0.1-10.2)
- mach_voucher_extract_attr_recipe_trap memory corruption. (CVE-2017-2370)
doubleH3lix (10.0.1 - 10.3.3)
- IOSurface Kernel Exploit (CVE-2017-13861)
Meridian (10.0 - 10.3.3)
- IOSurface Kernel Exploit (CVE-2017-13861)
TotallyNotSpyware (10.0 - 10.3.3)
- IOSurface Kernel Exploit (CVE-2017-13861)
- WebKit JIT optimization bug exploit (CVE-2018-4233)
H3lix (10.0.1 - 10.3.4)
- IOSurface Kernel Exploit (CVE-2017-13861)
Programs used to jailbreak 11.x
Unc0ver (11.0-11.4.1)
11.0 - 11.1.2
- IOSurface Kernel Exploit (CVE-2017-13861)
11.0 - 11.3.1
- mptcp_usr_connectx (multi_path) (CVE-2018-4241)
- getvolattrlist (empty_list) (CVE-2018-4243)
11.0 - 11.4.1
- voucher_swap (CVE-2019-6225)
Electra (11.0-11.4.1)
11.0 - 11.1.2
- IOSurface Kernel Exploit (CVE-2017-13861)
11.2 - 11.3.1
- mptcp_usr_connectx (multi_path) (CVE-2018-4241)
- getvolattrlist (empty_list) (CVE-2018-4243)
11.2 - 11.4.1
- v1ntex (CVE-2019-6225)
Programs used to jailbreak 12.x
Chimera (12.0 - 12.5.3)
12.0 - 12.1.2
- voucher_swap (CVE-2019-6225)
12.0 - 12.2/12.4
- SockPuppet (CVE-2019-8605)
Unc0ver (12.0 - 12.5.3)
12.0 - 12.1.2
- voucher_swap (CVE-2019-6225)
12.0 - 12.2/12.4
- SockPuppet (CVE-2019-8605)
12.4.1
- AppleAVE2Driver exploit (CVE-2019-8795)
- AppleSPUProfileDriver information leak (CVE-2019-8794)
12.4.2 - 12.5.3
- oob_timestamp (CVE-2020-3837)
- cuck00 information leak (CVE-2020-3836)
checkra1n (12.3 - 12.5.3)
- checkm8 (CVE-2019-8900)
Programs used to jailbreak 13.x
Unc0ver (13.0 - 13.5.5~b1 (excluding 13.5.1))
13.0 - 13.3 (before version 5.0.0)
- oob_timestamp (CVE-2020-3837)
- cuck00 information leak (CVE-2020-3836)
13.0 - 13.5.5~b1 (excluding 13.5.1) (since version 5.0.0)
- tachy0n (LightSpeed) (CVE-2020-9859)
Odyssey (13.0 - 13.7)
13.0 - 13.5
- tardy0n (LightSpeed) (CVE-2020-9859)
13.5.1 - 13.7 (for devices with SoCs other than the A8 and A9)
- FreeTheSandbox_LPE_POC_13.7
13.5.1 - 13.7 (for devices with A8/A9 SoCs)
- oob_events (CVE-2020-27905, CVE-2020-9964)
checkra1n (13.0 - 13.7)
- checkm8 (CVE-2019-8900)
Programs used to jailbreak 14.x
checkra1n (14.0 - 14.8.1)
- checkm8 (CVE-2019-8900)
Unc0ver (14.0 - 14.8)
- ivac entry use-after-free (CVE-2021-1782)
- pattern-f's closed source exploit (CVE-2021-30883)
Taurine (14.0 - 14.3)
- cicuta_virosa (CVE-2021-1782)
