Difference between revisions of "Jailbreak Exploits"

From The iPhone Wiki
(Programs which are used in order to jailbreak 8.x: Why did you remove the exploits? They use the same as TaiG. Ask Yodah.)
(Asked Pwn about this, he said to remove.)
(85 intermediate revisions by 17 users not shown)
Line 1: Line 1:
 This page lists the '''exploits''' used in [[jailbreak]]s.

-== Common exploits which are used in order to jailbreak different versions of iOS ==
+== Common exploits ==
+These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.
-* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]])
-* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])
-* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[n72ap|iPod touch 2G]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
-* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[n88ap|iPhone 3GS]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]] and [[k66ap|Apple TV 2G]])
-* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])
+* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
+* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
+* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
+* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
+* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])

-== Programs which are used in order to jailbreak different versions of iOS ==
+== Jailbreak Programs ==

 === [[PwnageTool]] (2.0 - 5.1.1) ===
 * uses different common exploits
Line 22: Line 24:
 * uses the exploits listed below to untether up to iOS 6.1.2

-== Programs which are used in order to jailbreak 1.x ==
+== Programs used to jailbreak 1.x ==

 === [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
 * iBoot <code>cp</code>-command exploit
Line 30: Line 32:

 === [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
-* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459 CVE-2006-3459])
+* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

 === [[mknod|OktoPrep]] (1.1.2) ===
-"Upgrade" to 1.1.2 from a jailborken 1.1.1
+"Upgrade" to 1.1.2 from a jailbroken 1.1.1
 * [[mknod]]
Line 39: Line 41:
 "Upgrade" to 1.1.3 from a running jailbroken 1.1.2

-=== [[ZiPhone]] (1.1.3 / 1.1.4 /1.1.5) ===
+=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
 * [[Ramdisk Hack]]

-=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 /1.1.5) ===
+=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===

-== Programs which are used in order to jailbreak 2.x ==
+== Programs used to jailbreak 2.x ==

 === [[QuickPwn]] (2.0 - 2.2.1) ===
 * uses [[Pwnage]] and [[Pwnage 2.0]]

 === [[Redsn0w Lite]] (2.1.1) ===
-* [[ARM7 Go]] (for [[n72ap|iPod touch 2G]] only)
+* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)

-== Programs which are used in order to jailbreak 3.x ==
+== Programs used to jailbreak 3.x ==

 === [[purplera1n]] (3.0) ===
-* [[iBoot Environment Variable Overflow]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2795 CVE-2009-2795])
+* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
 * uses [[0x24000 Segment Overflow]]

-=== [[blackra1n]] (3.1.2) ===
-* [[usb_control_msg(0x21, 2) Exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0038 CVE-2010-0038])
+=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
+* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
 * uses [[0x24000 Segment Overflow]]
Line 66: Line 68:

 === [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
-* [[Malformed CFF Vulnerability]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1797 CVE-2010-1797])
+* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
 * [[Incomplete Codesign Exploit]]
-* [[IOSurface Kernel Exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2973 CVE-2010-2973])
+* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

 === [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
Line 74: Line 76:
 * [[Packet Filter Kernel Exploit]]

-== Programs which are used in order to jailbreak 4.x ==
+== Programs used to jailbreak 4.x ==

 === [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
-* [[Malformed CFF Vulnerability]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1797 CVE-2010-1797])
+* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
 * [[Incomplete Codesign Exploit]]
-* [[IOSurface Kernel Exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2973 CVE-2010-2973])
+* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

-=== [[limera1n]] / (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
+=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
 * uses different common exploits
 * [[Packet Filter Kernel Exploit]]
Line 93: Line 95:

 === [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
-* [[T1 Font Integer Overflow]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0226 CVE-2011-0226])
+* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
 * [[HFS Legacy Volume Name Stack Buffer Overflow]]
+
+=== [[unthredeh4il]] (4.2.6 - 4.2.10) ===
+Except for the [[iPad (3rd generation)]]
+* MobileBackup2 Copy Exploit
+* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
+* [[AMFID code signing evasion]] ({{cve|2013-0977}})
+* [[launchd.conf untether]]
+* [[Timezone Vulnerability]]

 === [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
-Except for the [[n18ap|iPod touch 3G]] on iOS 4.3.1.
-* [[T1 Font Integer Overflow]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0226 CVE-2011-0226])
-* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0227 CVE-2011-0227])
+Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
+* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
+* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

 === i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
Line 105: Line 115:
 * [[ndrv_setspec() Integer Overflow]]

-== Programs which are used in order to jailbreak 5.x ==
-=== [[unthredera1n]] (5.0 / 5.0.1 / 5.1 / 5.1.1) ===
-Except for the [[iPad 3]]
+=== [[unthredeh4il]] (4.3 - 4.3.5) ===
+Except for the [[iPad (3rd generation)]]
 * MobileBackup2 Copy Exploit
-* a new Packet Filter Kernel Exploit ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3728 CVE-2012-3728])
-* [[AMFID code signing evasion]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0977 CVE-2013-0977])
+* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
+* [[AMFID code signing evasion]] ({{cve|2013-0977}})
 * [[launchd.conf untether]]
 * [[Timezone Vulnerability]]

-=== [[Absinthe]] (5.0 on [[n94ap|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
-* [[Racoon String Format Overflow Exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0646 CVE-2012-0646]) (used both for payload injection and untether)
-* [[HFS Heap Overflow]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0642 CVE-2012-0642])
-* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0643 CVE-2012-0643]
+== Programs used to jailbreak 5.x ==
+
+=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
+* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
+* [[HFS Heap Overflow]] ({{cve|2012-0642}})
+* unknown exploit ({{cve|2012-0643}})

 === [[Corona|Corona Untether]] (5.0.1) ===
-* [[Racoon String Format Overflow Exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0646 CVE-2012-0646])
-* [[HFS Heap Overflow]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0642 CVE-2012-0642])
-* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0643 CVE-2012-0643]
+* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
+* [[HFS Heap Overflow]] ({{cve|2012-0642}})
+* unknown exploit ({{cve|2012-0643}})

 === [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
-* a new Packet Filter Kernel Exploit ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3728 CVE-2012-3728])
-* Racoon DNS4/WINS4 table buffer overflow ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3727 CVE-2012-3727])
+* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
+* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
 * MobileBackup2 Copy Exploit

-== Programs which are used in order to jailbreak 6.x ==
+=== [[unthredeh4il]] (5.0-5.1.1) ===
+Except for the [[iPad (3rd generation)]]
+* MobileBackup2 Copy Exploit
+* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
+* [[AMFID code signing evasion]] ({{cve|2013-0977}})
+* [[launchd.conf untether]]
+* [[Timezone Vulnerability]]
+
+== Programs used to jailbreak 6.x ==

 === [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
-* [[Symbolic Link Vulnerability]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0979 CVE-2013-0979])
+* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
 * [[Timezone Vulnerability]]
-* [[Shebang Trick]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5154 CVE-2013-5154])
+* [[Shebang Trick]] ({{cve|2013-5154}})
 * [[AMFID code signing evasion]]
 * [[launchd.conf untether]]
-* [[IOUSBDeviceFamily Vulnerability]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0981 CVE-2013-0981])
-* [[ARM Exception Vector Info Leak]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0978 CVE-2013-0978])
+* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
+* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
 * [[dynamic memmove() locating]]
 * [[vm_map_copy_t corruption for arbitrary memory disclosure]]
 * [[kernel memory write via ROP gadget]]
-* [[Overlapping Segment Attack]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0977 CVE-2013-0977])
+* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

 === [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
-* [[posix_spawn kernel information leak]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3954 CVE-2013-3954]) (by [[i0n1c]])
-* [[posix_spawn kernel exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3954 CVE-2013-3954]) (by [[i0n1c]])
-* [[mach_msg_ool_descriptor_ts for heap shaping]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3953 CVE-2013-3953])
-* [[AMFID_code_signing_evasi0n7]]
+* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
+* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
+* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
+* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
 * [[DeveloperDiskImage race condition]] (by [[comex]])
 * [[launchd.conf untether]]

-== Programs which are used in order to jailbreak 7.x ==
+== Programs used to jailbreak 7.x ==

 === [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
 {{Section Stub}}
-* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5133 CVE-2013-5133]
-* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1272 CVE-2014-1272]
-* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1273 CVE-2014-1273]
-* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1278 CVE-2014-1278]
-* [[Symbolic Link Vulnerability]]
+* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
+* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
+* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
+* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

-=== [[Geeksn0w]] (7.1 / 7.1.1 / 7.1.2) ===
+=== [[Geeksn0w]] (7.1 / 7.1.1) ===
 * [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

 === [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
-* [[i0n1c]]'s Infoleak vulnerability (Pangu v1.0.0)
-* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
-* LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0) ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4388 CVE-2014-4388])
-* TempSensor kernel exploit (Pangu 1.1.0) ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4388 CVE-2014-4388])
+* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
+* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
+* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
+* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
+* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
 * "syslogd chown" vulnerability
 * enterprise certificate (no real exploit, used for initial "unsigned" code execution)
-* "foo_extracted" symlink vulnerability (used to write to /var) ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4386 CVE-2014-4386])
+* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
 * /tmp/bigfile (a big file for improvement of the reliability of a race condition)
 * VoIP backgrounding trick (used to auto restart the app)
 * hidden segment attack
-* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4407 CVE-2014-4407]

-== Programs which are used in order to jailbreak 8.x ==
+== Programs used to jailbreak 8.x ==

 === [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
 * an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
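Review bot: in the p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) block, the changed line "* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})" now carries the same link and CVE that the evasi0n7 (7.0.x) block in this hunk lists; since the linked page is named after evasi0n7, a short parenthetical on the 6.1.x entry saying the technique is reused there would keep readers from taking it for a misplaced line. Also, the Pangu (7.1 / 7.1.1 / 7.1.2) block drops both CVE-2014-4388 entries (the LightSensor / ProxALSSensor and TempSensor kernel exploits) while adding the Mach-O OSBundleHeaders, AppleKeyStore::initUserClient, mach_port_kobject and IOSharedDataQueue entries; if that removal is deliberate it deserves a mention in the edit summary, which at present only speaks to the 8.x section.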
Line 182: Line 200:
 * a kind of dylib injection into a system process (see IPA)
 * a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
-* a sandboxing problem in debugserver ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4457 CVE-2014-4457])
-* the same/a similar kernel exploit as used in [[Pangu|the first Pangu]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4461 CVE-2014-4461]) (source @iH8sn0w)
+* a sandboxing problem in debugserver ({{cve|2014-4457}})
+* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
+* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
 * enable-dylibs-to-override-cache
-* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4455 CVE-2014-4455]
+* a new ovelapping segment attack ({{cve|2014-4455}})
+
+=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
+(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
+* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
+* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
+* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
+* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
+* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
+* MobileStorageMounter exploit ({{cve|2015-1062}})
+* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})
+
+Kernel:
+
+* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
+* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
+* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory
+
+=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
+(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
+* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
+* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
+* Symbolic linking to AFC ({{cve|2015-5746}})
+* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
+* Code signing exploit ({{cve|2015-3802}})
+* Code signing exploit ({{cve|2015-3803}})
+* Code signing exploit ({{cve|2015-3805}})
+* Code signing exploit ({{cve|2015-3806}})
+* IOHIDFamily exploit ({{cve|2015-5774}})
+* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})
+
+=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===
+* OSUnserialize Information leak ({{cve|2016-4655}})
+* Kernel exploit ({{cve|2016-4656}})
+
+== Programs used to jailbreak 9.x ==
+=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
+* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
+* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
+* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
+* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
+* Racing KPP for some of the patches.
+* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})
+
+=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
+* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}})
+
+=== [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
+* Webkit exploit ({{cve|2016-4657}})
+
+=== [[Home Depot]] (9.1-9.3.4) ===
+* OSUnserialize Information leak ({{cve|2016-4655}})
+* Kernel exploit ({{cve|2016-4656}})
+
+=== [[JailbreakMe 4.0]] (9.1-9.3.4) ===
+* OSUnserialize Information leak ({{cve|2016-4655}})
+* Kernel exploit ({{cve|2016-4656}})
+* Webkit exploit ({{cve|2016-4657}})
+
+=== [[Phœnix]] (9.3.5 / 9.3.6) ===
+* OSUnserialize Information leak ({{cve|2016-4655}})
+* mach_port_register Kernel exploit ({{cve|2016-4669}})
+
+== Programs used to jailbreak 10.x ==
+
+=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===
+* set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}})
+
+=== [[yalu102]] (10.0.1-10.2) ===
+* mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}})
+
+=== [[doubleH3lix]] (10.0.1 - 10.3.3) ===
+* IOSurface Kernel Exploit ({{cve|2017-13861}})
+
+=== [[Meridian]] (10.0 - 10.3.3) ===
+* IOSurface Kernel Exploit ({{cve|2017-13861}})
+
+=== [[TotallyNotSpyware]] (10.0 - 10.3.3) ===
+* IOSurface Kernel Exploit ({{cve|2017-13861}})
+* WebKit JIT optimization bug exploit ({{cve|2018-4233}})
+
+=== [[H3lix]] (10.0.1 - 10.3.4) ===
+* IOSurface Kernel Exploit ({{cve|2017-13861}})
+
+== Programs used to jailbreak 11.x ==
+
+===[[Unc0ver]] (11.0-11.4.1)===
+
+11.0 - 11.1.2
+* IOSurface Kernel Exploit ({{cve|2017-13861}})
+
+11.0 - 11.3.1
+* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
+* getvolattrlist (empty_list) ({{cve|2018-4243}})
+
+11.0 - 11.4.1
+* voucher_swap ({{cve|2019-6225}})
+
+===[[Electra]] (11.0-11.4.1)===
+
+11.0 - 11.1.2
+* IOSurface Kernel Exploit ({{cve|2017-13861}})
+
+11.2 - 11.3.1
+* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
+* getvolattrlist (empty_list) ({{cve|2018-4243}})
+
+11.2 - 11.4.1
+* v1ntex ({{cve|2019-6225}})
+
+== Programs used to jailbreak 12.x ==
+
+===[[Chimera]] (12.0 - 12.2 / 12.4)===
+
+12.0 - 12.1.2
+* voucher_swap ({{cve|2019-6225}})
+
+12.0 - 12.2/12.4
+* sockpuppet ({{cve|2019-8527}})
+
+===[[Unc0ver]] (12.0 - 12.2 / 12.4 / 12.4.1)===
+
+12.0 - 12.1.2
+* voucher_swap ({{cve|2019-6225}})
+
+12.0 - 12.2/12.4
+* sockpuppet ({{cve|2019-8527}})
+
+===[[checkra1n]] (12.3 - 12.4.7)===
+* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})
+
+== Programs used to jailbreak 13.x ==
+
+===[[Unc0ver]] (13.0 - 13.5)===
+* oob_timestamp ({{cve|2020-3837}})
+
-=== [[TaiG]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
-* LightSensor / ProxALSSensor kernel exploit (Also used in Pangu 1.0.0)
-* [[DeveloperDiskImage race condition]] (by [[comex]]) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn)
-* enable-dylibs-to-override-cache (Also used in Pangu8)
-* a kind of dylib injection into a system process (see IPA) (Also used in Pangu8 but tweaked slightly)
-
-=== [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
-* LightSensor / ProxALSSensor kernel exploit (Also used in Pangu 1.0.0)
-* [[DeveloperDiskImage race condition]] (by [[comex]]) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn)
-* enable-dylibs-to-override-cache (Also used in Pangu8)
-* a kind of dylib injection into a system process (see IPA) (Also used in Pangu8 but tweaked slightly)
+===[[checkra1n]] (13.0 - 13.5)===
+* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})
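Review bot: typo in the added Pangu8 line "* a new ovelapping segment attack ({{cve|2014-4455}})"; it should read "overlapping", as the TaiG block below it spells it. In the TaiG and PPJailbreak (8.1.3 / 8.2 / 8.3 / 8.4) block, four entries read only "Code signing exploit" with different CVEs ({{cve|2015-3802}}, {{cve|2015-3803}}, {{cve|2015-3805}}, {{cve|2015-3806}}); a few words on what distinguishes each would bring them to the level of detail of the neighbouring entries. Lastly, the removed separate [[TaiG]] and [[PPJailbreak]] (8.0 - 8.1.2) sections cited a source (https://twitter.com/iH8sn0w/status/538602532088860672) for the DeveloperDiskImage race condition that the merged section no longer carries; consider keeping that reference.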
 

Revision as of 17:04, 26 May 2020

This page lists the exploits used in jailbreaks.

Common exploits

These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

  • Pwnage + Pwnage 2.0 (together to jailbreak the iPhone, iPod touch, and iPhone 3G)
  • ARM7 Go (from iOS 2.1.1) (for tethered jailbreak on iPod touch (2nd generation))
  • 0x24000 Segment Overflow (for untethered jailbreak on iPhone 3GS with old bootrom and iPod touch (2nd generation) with old bootrom; another exploit such as the limera1n Exploit is required)
  • limera1n Exploit (for tethered jailbreak on iPhone 3GS, iPod touch (3rd generation), iPad, iPhone 4, iPod touch (4th generation) and Apple TV (2nd generation))
  • usb_control_msg(0xA1, 1) Exploit (also known as "steaks4uce") (for tethered jailbreak on iPod touch (2nd generation))

Jailbreak Programs

PwnageTool (2.0 - 5.1.1)

  • uses different common exploits
  • uses the exploits listed below to untether up to iOS 5.1.1

redsn0w (3.0 - 6.0)

  • uses different common exploits
  • uses the same exploits as Absinthe and Absinthe 2.0 to jailbreak iOS 5.0/5.0.1 and 5.1.1
  • uses the exploits listed below to untether up to iOS 5.1.1

sn0wbreeze (3.1.3 - 6.1.3)

  • uses different common exploits
  • uses the exploits listed below to untether up to iOS 6.1.2

Programs used to jailbreak 1.x

AppTapp Installer (1.0 / 1.0.1 / 1.0.2)

  • iBoot cp-command exploit

iBrickr (1.0 / 1.0.1 / 1.0.2)

  • iBoot cp-command exploit

AppSnapp/JailbreakMe 1.0 (1.0 / 1.0.1 / 1.0.2 / 1.1.1)

  • libtiff exploit (adapted from the PSP scene, used by JailbreakMe) (CVE-2006-3459)

OktoPrep (1.1.2)

"Upgrade" to 1.1.2 from a jailbroken 1.1.1

  • mknod

Soft Upgrade (1.1.3)

"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

ZiPhone (1.1.3 / 1.1.4 / 1.1.5)

  • Ramdisk Hack

iLiberty / iLiberty+ (1.1.3 / 1.1.4 / 1.1.5)

Programs used to jailbreak 2.x

QuickPwn (2.0 - 2.2.1)

  • uses Pwnage and Pwnage 2.0

Redsn0w Lite (2.1.1)

  • ARM7 Go (for iPod touch (2nd generation) only)

Programs used to jailbreak 3.x

purplera1n (3.0)

  • iBoot Environment Variable Overflow (CVE-2009-2795)
  • uses 0x24000 Segment Overflow

blackra1n (3.1 / 3.1.1 / 3.1.2)

  • usb_control_msg(0x21, 2) Exploit (CVE-2010-0038)
  • uses 0x24000 Segment Overflow

Spirit (3.1.2 / 3.1.3 / 3.2)

JailbreakMe 2.0 / Star (3.1.2 / 3.1.3 / 3.2 / 3.2.1)

  • Malformed CFF Vulnerability (CVE-2010-1797)
  • Incomplete Codesign Exploit
  • IOSurface Kernel Exploit (CVE-2010-2973)

limera1n / greenpois0n (3.2.2)

Programs used to jailbreak 4.x

JailbreakMe 2.0 / Star (4.0 / 4.0.1)

  • Malformed CFF Vulnerability (CVE-2010-1797)
  • Incomplete Codesign Exploit
  • IOSurface Kernel Exploit (CVE-2010-2973)

limera1n (4.0 / 4.0.1 / 4.0.2 / 4.1)

greenpois0n (4.1)

greenpois0n (4.2.1)

JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)

  • T1 Font Integer Overflow (CVE-2011-0226)
  • HFS Legacy Volume Name Stack Buffer Overflow

unthredeh4il (4.2.6 - 4.2.10)

Except for the iPad (3rd generation)

  • MobileBackup2 Copy Exploit
  • a new Packet Filter Kernel Exploit (CVE-2012-3728)
  • AMFID code signing evasion (CVE-2013-0977)
  • launchd.conf untether
  • Timezone Vulnerability

JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)

Except for the iPod touch (3rd generation) on iOS 4.3.1.

  • T1 Font Integer Overflow (CVE-2011-0226)
  • IOMobileFrameBuffer Privilege Escalation Exploit (CVE-2011-0227)

i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)

used in redsn0w to untether iOS 4.3.1 / 4.3.2 / 4.3.3

unthredeh4il (4.3 - 4.3.5)

Except for the iPad (3rd generation)

  • MobileBackup2 Copy Exploit
  • a new Packet Filter Kernel Exploit (CVE-2012-3728)
  • AMFID code signing evasion (CVE-2013-0977)
  • launchd.conf untether
  • Timezone Vulnerability

Programs used to jailbreak 5.x

Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)

  • Racoon String Format Overflow Exploit (CVE-2012-0646) (used both for payload injection and untether)
  • HFS Heap Overflow (CVE-2012-0642)
  • unknown exploit (CVE-2012-0643)

Corona Untether (5.0.1)

  • Racoon String Format Overflow Exploit (CVE-2012-0646)
  • HFS Heap Overflow (CVE-2012-0642)
  • unknown exploit (CVE-2012-0643)

Absinthe 2.0 and Rocky Racoon Untether (5.1.1)

  • a new Packet Filter Kernel Exploit (CVE-2012-3728)
  • Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)
  • MobileBackup2 Copy Exploit

unthredeh4il (5.0-5.1.1)

Except for the iPad (3rd generation)

  • MobileBackup2 Copy Exploit
  • a new Packet Filter Kernel Exploit (CVE-2012-3728)
  • AMFID code signing evasion (CVE-2013-0977)
  • launchd.conf untether
  • Timezone Vulnerability

Programs used to jailbreak 6.x

evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)

  • Symbolic Link Vulnerability (CVE-2013-0979)
  • Timezone Vulnerability
  • Shebang Trick (CVE-2013-5154)
  • AMFID code signing evasion
  • launchd.conf untether
  • IOUSBDeviceFamily Vulnerability (CVE-2013-0981)
  • ARM Exception Vector Info Leak (CVE-2013-0978)
  • dynamic memmove() locating
  • vm_map_copy_t corruption for arbitrary memory disclosure
  • kernel memory write via ROP gadget
  • Overlapping Segment Attack (CVE-2013-0977)

p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)

  • posix_spawn kernel information leak (CVE-2013-3954) (by i0n1c)
  • posix_spawn kernel exploit (CVE-2013-3954) (by i0n1c)
  • mach_msg_ool_descriptor_ts for heap shaping (CVE-2013-3953)
  • AMFID_code_signing_evasi0n7 (CVE-2014-1273)
  • DeveloperDiskImage race condition (by comex)
  • launchd.conf untether

Programs used to jailbreak 7.x

evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)

This section is a stub; it is incomplete. Please add more content to this section and remove this tag.

  • Symbolic Link Vulnerability (CVE-2013-5133)
  • AMFID_code_signing_evasi0n7 (CVE-2014-1273)
  • CrashHouseKeeping chmod vulnerability (CVE-2014-1272)
  • ptmx_get_ioctl ioctl crafted call (CVE-2014-1278)

Geeksn0w (7.1 / 7.1.1)

  • limera1n's bootrom exploit (tethered jailbreak) on iPhone 4

Pangu (7.1 / 7.1.1 / 7.1.2)

  • Mach-O OSBundleHeaders info leak (CVE-2014-4491) (Pangu v1.0.0)
  • AppleKeyStore::initUserClient info leak (CVE-2014-4407) (Pangu >v1.0.0)
  • break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (CVE-2014-4422)
  • mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
  • IOSharedDataQueue notification port overwrite (CVE-2014-4461)
  • "syslogd chown" vulnerability
  • enterprise certificate (no real exploit, used for initial "unsigned" code execution)
  • "foo_extracted" symlink vulnerability (used to write to /var) (CVE-2014-4386)
  • /tmp/bigfile (a large file used to improve the reliability of a race condition)
  • VoIP backgrounding trick (used to auto restart the app)
  • hidden segment attack

Programs used to jailbreak 8.x

Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)

  • an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
  • enterprise certificate (inside the IPA)
  • a kind of dylib injection into a system process (see IPA)
  • a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
  • a sandboxing problem in debugserver (CVE-2014-4457)
  • mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
  • the same kernel exploit as used in the first Pangu (CVE-2014-4461) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
  • enable-dylibs-to-override-cache
  • a new overlapping segment attack (CVE-2014-4455)

TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2)

(See also details at http://newosxbook.com/articles/TaiG.html)

  • A new AFC symlink attack (CVE-2014-4480) - to get onto the device filesystem
  • DeveloperDiskImage race condition (by comex, also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
  • A new overlapping segment attack [in a modified version], dyld, (CVE-2014-4455) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
  • libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
  • enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
  • MobileStorageMounter exploit (CVE-2015-1062)
  • Backup exploit used to access restricted parts of the filesystem (CVE-2015-1087)

Kernel:

  • Mach-O OSBundleHeaders info leak (CVE-2014-4491) - leaks slid addresses
  • mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
  • IOHIDFamily Kernel exploit (CVE-2014-4487) - to overwrite memory

TaiG and PPJailbreak (8.1.3 / 8.2 / 8.3 / 8.4)

(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)

  • DeveloperDiskImage race condition (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
  • enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
  • Symbolic linking to AFC (CVE-2015-5746)
  • Backup exploit to write to protected regions of the disk (CVE-2015-5752)
  • Code signing exploit (CVE-2015-3802)
  • Code signing exploit (CVE-2015-3803)
  • Code signing exploit (CVE-2015-3805)
  • Code signing exploit (CVE-2015-3806)
  • IOHIDFamily exploit (CVE-2015-5774)
  • Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling (CVE-2015-5766)

EtasonJB and Home Depot (8.4.1)

  • OSUnserialize Information leak (CVE-2016-4655)
  • Kernel exploit (CVE-2016-4656)

Programs used to jailbreak 9.x

Pangu9 (9.0 / 9.0.1 / 9.0.2 / 9.1)

  • Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. (CVE-2015-7037)
  • MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. (CVE-2015-7051)
  • IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. (CVE-2015-6974)
  • dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency (CVE-2015-7079)
  • Racing KPP for some of the patches.
  • AMFI MAC hooks lived in a non-__const __DATA section, so they were not integrity-checked by KPP, allowing the MAC hooks required for code signing to be replaced. (CVE-2015-7055)

Pangu9 (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3)

  • IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. (CVE-2016-4654)

jbme (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3)

  • WebKit exploit (CVE-2016-4657)

Home Depot (9.1-9.3.4)

  • OSUnserialize Information leak (CVE-2016-4655)
  • Kernel exploit (CVE-2016-4656)

JailbreakMe 4.0 (9.1-9.3.4)

  • OSUnserialize Information leak (CVE-2016-4655)
  • Kernel exploit (CVE-2016-4656)
  • WebKit exploit (CVE-2016-4657)

Phœnix (9.3.5 / 9.3.6)

  • OSUnserialize Information leak (CVE-2016-4655)
  • mach_port_register Kernel exploit (CVE-2016-4669)

Programs used to jailbreak 10.x

extra_recipe+yaluX (10.0-10.1.1)

  • set_dp_control_port exploit to execute arbitrary code with kernel privileges. (CVE-2016-7644)

yalu102 (10.0.1-10.2)

  • mach_voucher_extract_attr_recipe_trap memory corruption. (CVE-2017-2370)

doubleH3lix (10.0.1 - 10.3.3)

  • IOSurface Kernel Exploit (CVE-2017-13861)

Meridian (10.0 - 10.3.3)

  • IOSurface Kernel Exploit (CVE-2017-13861)

TotallyNotSpyware (10.0 - 10.3.3)

  • IOSurface Kernel Exploit (CVE-2017-13861)
  • WebKit JIT optimization bug exploit (CVE-2018-4233)

H3lix (10.0.1 - 10.3.4)

  • IOSurface Kernel Exploit (CVE-2017-13861)

Programs used to jailbreak 11.x

Unc0ver (11.0-11.4.1)

11.0 - 11.1.2

  • IOSurface Kernel Exploit (CVE-2017-13861)

11.0 - 11.3.1

  • mptcp_usr_connectx (multi_path) (CVE-2018-4241)
  • getvolattrlist (empty_list) (CVE-2018-4243)

11.0 - 11.4.1

  • voucher_swap (CVE-2019-6225)

Electra (11.0-11.4.1)

11.0 - 11.1.2

  • IOSurface Kernel Exploit (CVE-2017-13861)

11.2 - 11.3.1

  • mptcp_usr_connectx (multi_path) (CVE-2018-4241)
  • getvolattrlist (empty_list) (CVE-2018-4243)

11.2 - 11.4.1

  • v1ntex (CVE-2019-6225)

Programs used to jailbreak 12.x

Chimera (12.0 - 12.2 / 12.4)

12.0 - 12.1.2

  • voucher_swap (CVE-2019-6225)

12.0 - 12.2/12.4

  • sockpuppet (CVE-2019-8527)

Unc0ver (12.0 - 12.2 / 12.4 / 12.4.1)

12.0 - 12.1.2

  • voucher_swap (CVE-2019-6225)

12.0 - 12.2/12.4

  • sockpuppet (CVE-2019-8527)

checkra1n (12.3 - 12.4.7)

  • checkm8 (CVE-2019-8900)

Programs used to jailbreak 13.x

Unc0ver (13.0 - 13.5)

  • oob_timestamp (CVE-2020-3837)

checkra1n (13.0 - 13.5)

  • checkm8 (CVE-2019-8900)