Difference between revisions of "Jailbreak Exploits"

From The iPhone Wiki
Jump to: navigation, search
(I corrected the capitalization of "lightspeed" ("LightSpeed") and added the AppleAVE2Driver exploit and AppleSPUProfileDriver info leak that is used in unc0ver to jailbreak iOS 12.4.1.)
(Added iOS 14 edit)
(3 intermediate revisions by the same user not shown)
Line 339: Line 339:
 
* SockPuppet ({{cve|2019-8605}})
 
* SockPuppet ({{cve|2019-8605}})
   
===[[Unc0ver]] (12.0 - 12.2 / 12.4 / 12.4.1)===
+
===[[Unc0ver]] (12.0 - 12.2 / 12.4 / 12.4.1 / 12.4.2 - 12.4.8)===
   
 
12.0 - 12.1.2
 
12.0 - 12.1.2
Line 354: Line 354:
 
* AppleSPUProfileDriver information leak ({{cve|2019-8794}})
 
* AppleSPUProfileDriver information leak ({{cve|2019-8794}})
   
===[[checkra1n]] (12.3 - 12.4.7)===
+
12.4.2 - 12.4.8
  +
  +
* oob_timestamp ({{cve|2020-3837}})
  +
* cuck00 information leak ({{cve|2020-3836}})
  +
  +
===[[checkra1n]] (12.3 - 12.4.8)===
   
 
* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})
 
* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})
Line 360: Line 365:
 
== Programs used to jailbreak 13.x ==
 
== Programs used to jailbreak 13.x ==
   
===[[Unc0ver]] (13.0 - 13.5)===
+
===[[Unc0ver]] (13.0 - 13.5.5~b1 (excluding 13.5.1))===
  +
  +
13.0 - 13.3 (before version 5.0.0)
   
 
* oob_timestamp ({{cve|2020-3837}})
 
* oob_timestamp ({{cve|2020-3837}})
  +
* cuck00 information leak ({{cve|2020-3836}})
  +
  +
13.0 - 13.5.5~b1 (excluding 13.5.1) (since version 5.0.0)
  +
 
* tachy0n (LightSpeed) ({{cve|2020-9859}})
 
* tachy0n (LightSpeed) ({{cve|2020-9859}})
   
===[[checkra1n]] (13.0 - 13.5)===
+
===[[checkra1n]] (13.0 - 13.7)===
  +
  +
* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})
  +
  +
== Programs used to jailbreak 14.x ==
  +
  +
===[[checkra1n]] (14.0 - 14.2~b)===
   
 
* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})
 
* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

Revision as of 00:34, 24 September 2020

This page lists the exploits used in jailbreaks.

Contents

Common exploits

These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

Jailbreak Programs

PwnageTool (2.0 - 5.1.1)

  • uses different common exploits
  • uses the exploits listed below to untether up to iOS 5.1.1

redsn0w (3.0 - 6.0)

  • uses different common exploits
  • uses the same exploits as Absinthe and Absinthe 2.0 to jailbreak iOS 5.0/5.0.1 and 5.1.1
  • uses the exploits listed below to untether up to iOS 5.1.1

sn0wbreeze (3.1.3 - 6.1.3)

  • uses different common exploits
  • uses the exploits listed below to untether up to iOS 6.1.2

Programs used to jailbreak 1.x

AppTapp Installer (1.0 / 1.0.1 / 1.0.2)

  • iBoot cp-command exploit

iBrickr (1.0 / 1.0.1 / 1.0.2)

  • iBoot cp-command exploit

AppSnapp/JailbreakMe 1.0 (1.0 / 1.0.1 / 1.0.2 / 1.1.1)

OktoPrep (1.1.2)

"Upgrade" to 1.1.2 from a jailbroken 1.1.1

Soft Upgrade (1.1.3)

"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

ZiPhone (1.1.3 / 1.1.4 / 1.1.5)

iLiberty / iLiberty+ (1.1.3 / 1.1.4 / 1.1.5)

Programs used to jailbreak 2.x

QuickPwn (2.0 - 2.2.1)

Redsn0w Lite (2.1.1)

Programs used to jailbreak 3.x

purplera1n (3.0)

blackra1n (3.1 / 3.1.1 / 3.1.2)

Spirit (3.1.2 / 3.1.3 / 3.2)

JailbreakMe 2.0 / Star (3.1.2 / 3.1.3 / 3.2 / 3.2.1)

limera1n / greenpois0n (3.2.2)

Programs used to jailbreak 4.x

JailbreakMe 2.0 / Star (4.0 / 4.0.1)

limera1n (4.0 / 4.0.1 / 4.0.2 / 4.1)

greenpois0n (4.1)

greenpois0n (4.2.1)

JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)

unthredeh4il (4.2.6 - 4.2.10)

Except for the iPad (3rd generation)

JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)

Except for the iPod touch (3rd generation) on iOS 4.3.1.

i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)

used in redsn0w to untether iOS 4.3.1 / 4.3.2 / 4.3.3

unthredeh4il (4.3 - 4.3.5)

Except for the iPad (3rd generation)

Programs used to jailbreak 5.x

Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)

Corona Untether (5.0.1)

Absinthe 2.0 and Rocky Racoon Untether (5.1.1)

  • a new Packet Filter Kernel Exploit (CVE-2012-3728)
  • Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)
  • MobileBackup2 Copy Exploit

unthredeh4il (5.0-5.1.1)

Except for the iPad (3rd generation)

Programs used to jailbreak 6.x

evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)

p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)

Programs used to jailbreak 7.x

evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)

This section is a stub; it is incomplete. Please add more content to this section and remove this tag.

Geeksn0w (7.1 / 7.1.1)

Pangu (7.1 / 7.1.1 / 7.1.2)

  • Mach-O OSBundleHeaders info leak (CVE-2014-4491) (Pangu v1.0.0)
  • AppleKeyStore::initUserClient info leak (CVE-2014-4407) (Pangu >v1.0.0)
  • break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (CVE-2014-4422)
  • mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
  • IOSharedDataQueue notification port overwrite (CVE-2014-4461)
  • "syslogd chown" vulnerability
  • enterprise certificate (no real exploit, used for initial "unsigned" code execution)
  • "foo_extracted" symlink vulnerability (used to write to /var) (CVE-2014-4386)
  • /tmp/bigfile (a big file for improvement of the reliability of a race condition)
  • VoIP backgrounding trick (used to auto restart the app)
  • hidden segment attack

Programs used to jailbreak 8.x

Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)

  • an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
  • enterprise certificate (inside the IPA)
  • a kind of dylib injection into a system process (see IPA)
  • a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
  • a sandboxing problem in debugserver (CVE-2014-4457)
  • mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
  • the same kernel exploit as used in the first Pangu (CVE-2014-4461) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
  • enable-dylibs-to-override-cache
  • a new ovelapping segment attack (CVE-2014-4455)

TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2)

(See also details at newosxbook.com)

  • A new AFC symlink attack (CVE-2014-4480) - to get onto the device filesystem
  • DeveloperDiskImage race condition (by comex, also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
  • A new overlapping segment attack [in a modified version], dyld, (CVE-2014-4455) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
  • libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
  • enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
  • MobileStorageMounter exploit (CVE-2015-1062)
  • Backup exploit used to access restricted parts of the filesystem (CVE-2015-1087)

Kernel:

  • Mach-O OSBundleHeaders info leak (CVE-2014-4491) - leaks slid addresses
  • mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
  • IOHIDFamily Kernel exploit (CVE-2014-4487) - to overwrite memory

TaiG and PPJailbreak (8.1.3 / 8.2 / 8.3 / 8.4)

(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)

EtasonJB and Home Depot (8.4.1)

Programs used to jailbreak 9.x

Pangu9 (9.0 / 9.0.1 / 9.0.2 / 9.1)

  • Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. (CVE-2015-7037)
  • MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. (CVE-2015-7051)
  • IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. (CVE-2015-6974)
  • dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency (CVE-2015-7079)
  • Racing KPP for some of the patches.
  • AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. (CVE-2015-7055)

Pangu9 (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3)

  • IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. (CVE-2016-4654)

jbme (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3)

Home Depot (9.1-9.3.4)

JailbreakMe 4.0 (9.1-9.3.4)

Phœnix (9.3.5 / 9.3.6)

Programs used to jailbreak 10.x

extra_recipe+yaluX (10.0-10.1.1)

  • set_dp_control_port exploit to execute arbitrary code with kernel privileges. (CVE-2016-7644)

yalu102 (10.0.1-10.2)

  • mach_voucher_extract_attr_recipe_trap memory corruption. (CVE-2017-2370)

doubleH3lix (10.0.1 - 10.3.3)

Meridian (10.0 - 10.3.3)

TotallyNotSpyware (10.0 - 10.3.3)

H3lix (10.0.1 - 10.3.4)

Programs used to jailbreak 11.x

Unc0ver (11.0-11.4.1)

11.0 - 11.1.2

11.0 - 11.3.1

11.0 - 11.4.1

Electra (11.0-11.4.1)

11.0 - 11.1.2

11.2 - 11.3.1

11.2 - 11.4.1

Programs used to jailbreak 12.x

Chimera (12.0 - 12.2 / 12.4)

12.0 - 12.1.2

12.0 - 12.2/12.4

Unc0ver (12.0 - 12.2 / 12.4 / 12.4.1 / 12.4.2 - 12.4.8)

12.0 - 12.1.2

12.0 - 12.2/12.4

12.4.1

12.4.2 - 12.4.8

checkra1n (12.3 - 12.4.8)

Programs used to jailbreak 13.x

Unc0ver (13.0 - 13.5.5~b1 (excluding 13.5.1))

13.0 - 13.3 (before version 5.0.0)

13.0 - 13.5.5~b1 (excluding 13.5.1) (since version 5.0.0)

checkra1n (13.0 - 13.7)

Programs used to jailbreak 14.x

checkra1n (14.0 - 14.2~b)