|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Jailbreak Exploits"
(Couple more linking additions.) |
|||
| Line 90: | Line 90: | ||
=== 4.2.6 / 4.2.7 / 4.2.8 === |
=== 4.2.6 / 4.2.7 / 4.2.8 === |
||
* [[limera1n]]'s bootrom exploit + [[HFS Legacy Volume Name Stack Buffer Overflow]] (together for [[untethered jailbreak]] on [[n92ap|iPhone 4 (iPhone3,3)]]) |
* [[limera1n]]'s bootrom exploit + [[HFS Legacy Volume Name Stack Buffer Overflow]] (together for [[untethered jailbreak]] on [[n92ap|iPhone 4 (iPhone3,3)]]) |
||
| − | * [[T1 Font Integer Overflow]] (used for [[Saffron]]) |
+ | * [[T1 Font Integer Overflow]] (used for [[Saffron]]) ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0226 CVE-2011-0226]) |
=== 4.2.9 / 4.2.10 === |
=== 4.2.9 / 4.2.10 === |
||
| Line 98: | Line 98: | ||
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]]) |
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]]) |
||
* [[limera1n]]'s bootrom exploit ([[tethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 (iPhone3,1)]], [[n81ap|iPod touch 4G]], and [[k66ap|Apple TV 2G]]) |
* [[limera1n]]'s bootrom exploit ([[tethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 (iPhone3,1)]], [[n81ap|iPod touch 4G]], and [[k66ap|Apple TV 2G]]) |
||
| − | * [[T1 Font Integer Overflow]] (used for [[Saffron]]) |
+ | * [[T1 Font Integer Overflow]] (used for [[Saffron]]) ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0226 CVE-2011-0226]) |
=== 4.3.1 / 4.3.2 / 4.3.3 === |
=== 4.3.1 / 4.3.2 / 4.3.3 === |
||
| Line 148: | Line 148: | ||
* [[posix_spawn kernel exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3954 CVE-2013-3954]) (by [[i0n1c]]) |
* [[posix_spawn kernel exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3954 CVE-2013-3954]) (by [[i0n1c]]) |
||
* [[mach_msg_ool_descriptor_ts for heap shaping]] |
* [[mach_msg_ool_descriptor_ts for heap shaping]] |
||
| − | * [[AMFID_code_signing_evasi0n7]] |
+ | * [[AMFID_code_signing_evasi0n7]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1273 CVE-2014-1273]) |
* [[DeveloperDiskImage race condition]] (by [[comex]]) |
* [[DeveloperDiskImage race condition]] (by [[comex]]) |
||
* [[launchd.conf untether]] |
* [[launchd.conf untether]] |
||
| Line 157: | Line 157: | ||
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5133 CVE-2013-5133] |
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5133 CVE-2013-5133] |
||
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1272 CVE-2014-1272] |
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1272 CVE-2014-1272] |
||
| − | * [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1273 CVE-2014-1273] |
+ | * [[AMFID_code_signing_evasi0n7]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1273 CVE-2014-1273]) |
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1278 CVE-2014-1278] |
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1278 CVE-2014-1278] |
||
* [[Symbolic Link Vulnerability]] |
* [[Symbolic Link Vulnerability]] |
||
Revision as of 00:56, 7 December 2014
This page lists the exploits used in Jailbreaks.
Contents
- 1 Exploits which were used in order to jailbreak 1.x
- 2 Exploits which are used in order to jailbreak 2.x
- 3 Exploits which are used in order to jailbreak 3.x
- 4 Exploits which are used in order to jailbreak 4.x
- 5 Exploits which are used in order to jailbreak 5.x
- 6 Exploits which are used in order to jailbreak 6.x
- 7 Exploits which are used in order to jailbreak 7.x
- 8 Exploits which are used in order to jailbreak 8.x
Exploits which were used in order to jailbreak 1.x
1.0.2
- Restore Mode (iBoot had a command named
cp, which had access to the whole filesystem)
1.1.1
- Symlinks (an upgrade jailbreak)
- libtiff exploit (Adapted from the PSP scene, used by JailbreakMe)
1.1.2
- Mknod (an upgrade jailbreak)
1.1.3 / 1.1.4 / 1.1.5
- Soft Upgrade (an upgrade jailbreak)
- Ramdisk Hack
- Dual Boot Exploit - Works up to iOS 2.0 beta 3
- diags - Works up to iOS 2.0 beta 5
Exploits which are used in order to jailbreak 2.x
2.0 / 2.0.1 / 2.0.2 / 2.1
2.1.1
2.2
- Pwnage + Pwnage 2.0 (iPhone, iPod touch, and iPhone 3G)
2.2.1
- Pwnage + Pwnage 2.0 (iPhone, iPod touch, and iPhone 3G)
- 0x24000 Segment Overflow + ARM7 Go (from iOS 2.1.1) (iPod touch 2G)
Exploits which are used in order to jailbreak 3.x
3.0 / 3.0.1
- Pwnage + Pwnage 2.0 (iPhone, iPod touch, and iPhone 3G)
- ARM7 Go (from iOS 2.1.1) + 0x24000 Segment Overflow ( iPod touch 2G)
- Pwnage + iBoot Environment Variable Overflow (iPhone, iPod touch, and iPhone 3G)
- 0x24000 Segment Overflow + iBoot Environment Variable Overflow (iPod touch 2G and iPhone 3GS)
3.1 / 3.1.1
- Pwnage + Pwnage 2.0 (together for untethered jailbreak on iPhone, iPod touch, and iPhone 3G)
- usb_control_msg(0x21, 2) Exploit (tethered jailbreak on iPod touch 2G new bootrom, iPhone 3GS new bootrom, and iPod touch 3G)
- 0x24000 Segment Overflow + usb_control_msg(0x21, 2) Exploit (iPod touch 2G old bootrom and iPhone 3GS old bootrom)
3.1.2
- Pwnage + Pwnage 2.0 (together for untethered jailbreak on iPhone, iPod touch, and iPhone 3G)
- usb_control_msg(0x21, 2) Exploit (tethered jailbreak on iPod touch 2G new bootrom, iPhone 3GS new bootrom, and iPod touch 3G)
- 0x24000 Segment Overflow + usb_control_msg(0x21, 2) Exploit (iPod touch 2G old bootrom and iPhone 3GS old bootrom)
- MobileBackup Copy Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (all devices, used in Spirit)
- Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (all devices, used in Star)
3.1.3
- Pwnage + Pwnage 2.0 (together for untethered jailbreak on iPhone, iPod touch, and iPhone 3G)
- 0x24000 Segment Overflow (for iPod touch 2G and iPhone 3GS devices with older bootroms)
- + Limera1n Exploit (iPhone 3GS old bootrom, used in sn0wbreeze)
- + usb_control_msg(0xA1, 1) Exploit (iPod touch 2G old bootrom, used in sn0wbreeze)
- usb_control_msg(0xA1, 1) Exploit+ Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (iPod touch 2G new bootrom, used in sn0wbreeze)
- Limera1n Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (iPod touch 3G and iPhone 3GS new bootrom, used in sn0wbreeze)
- MobileBackup Copy Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (all devices, used in Spirit)
- Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (all devices, used in Star)
3.2
- MobileBackup Copy Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (all devices, used in Spirit)
- Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (iPad, used in Star)
- Limera1n Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (iPad used in sn0wbreeze 2.9.x)
3.2.1
- Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (iPad, used in Star)
- Limera1n Exploit + Incomplete Codesign Exploit + IOSurface Kernel Exploit (iPad, used in sn0wbreeze 2.9.x)
3.2.2
Exploits which are used in order to jailbreak 4.x
4.0 / 4.0.1
- Pwnage + Pwnage 2.0 (iPhone 3G)
- 0x24000 Segment Overflow (iPod touch 2G and iPhone 3GS devices with older bootroms)
- Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (all devices, used in Star)
- Limera1n Exploit + Packet Filter Kernel Exploit (iPhone 3GS New bootrom, iPod touch 3G, iPhone 4 (iPhone3,1))
4.0.2
- Pwnage + Pwnage 2.0 (iPhone 3G)
- ARM7 Go (from iOS 2.1.1) + 0x24000 Segment Overflow (iPod touch 2G)
- 0x24000 Segment Overflow (iPhone 3GS)
- limera1n's bootrom exploit + Packet Filter Kernel Exploit (iPhone 3GS new bootrom, iPod touch 3G, iPhone 4 (iPhone3,1), and iPod touch 4G)
4.1
- Pwnage + Pwnage 2.0 (together to jailbreak the iPhone 3G)
- ARM7 Go (from iOS 2.1.1) + 0x24000 Segment Overflow (together for untethered jailbreak on iPod touch 2G old bootrom)
- limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS old bootrom)
- limera1n's bootrom exploit + Packet Filter Kernel Exploit (together for untethered jailbreak on iPhone 3GS new bootrom, iPod touch 3G, iPhone 4 (iPhone3,1), iPod touch 4G, and Apple TV 2G))
- usb_control_msg(0xA1, 1) Exploit + Packet Filter Kernel Exploit (together for untethered jailbreak on iPod touch 2G)
4.2.1
- Pwnage + Pwnage 2.0 (together to jailbreak the iPhone 3G)
- ARM7 Go (from iOS 2.1.1) + 0x24000 Segment Overflow (together for untethered jailbreak on iPod touch 2G old bootrom)
- limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS old bootrom)
- limera1n's bootrom exploit + HFS Legacy Volume Name Stack Buffer Overflow (together for untethered jailbreak on iPhone 3GS new bootrom, iPod touch 3G, iPad, iPhone 4 (iPhone3,1), iPod touch 4G, and Apple TV 2G)
- usb_control_msg(0xA1, 1) Exploit + HFS Legacy Volume Name Stack Buffer Overflow (together for untethered jailbreak on iPod touch 2G)
4.2.6 / 4.2.7 / 4.2.8
- limera1n's bootrom exploit + HFS Legacy Volume Name Stack Buffer Overflow (together for untethered jailbreak on iPhone 4 (iPhone3,3))
- T1 Font Integer Overflow (used for Saffron) (CVE-2011-0226)
4.2.9 / 4.2.10
- limera1n's bootrom exploit (Tethered jailbreak on iPhone 4 (iPhone3,3))
4.3
- limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS old bootrom)
- limera1n's bootrom exploit (tethered jailbreak on iPhone 3GS new bootrom, iPod touch 3G, iPad, iPhone 4 (iPhone3,1), iPod touch 4G, and Apple TV 2G)
- T1 Font Integer Overflow (used for Saffron) (CVE-2011-0226)
4.3.1 / 4.3.2 / 4.3.3
- limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS old bootrom)
- limera1n's bootrom exploit + ndrv_setspec() Integer Overflow (together for untethered jailbreak on iPhone 3GS new bootrom, iPod touch 3G, iPad, iPhone 4 (iPhone3,1), and iPod touch 4G)
- T1 Font Integer Overflow (used for Saffron)
4.3.4 / 4.3.5
- limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
- limera1n's bootrom exploit (Tethered jailbreak) on iPhone 3GS with new bootrom, iPod touch 3G, iPad, iPhone 4 (iPhone3,1), and iPod touch 4G)
Exploits which are used in order to jailbreak 5.x
5.0
- limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
- limera1n's bootrom exploit (Tethered jailbreak) on iPhone 3GS with new bootrom, iPod touch 3G, iPad, iPhone 4, and iPod touch 4G)
- Racoon String Format Overflow Exploit (used both for payload injection and untether)+HFS Heap Overflow- iPhone 4S only
5.0.1
- limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
- limera1n's bootrom exploit + Racoon String Format Overflow Exploit+HFS Heap Overflow on iPhone 3GS with new bootrom, iPod touch 3G, iPad, iPhone 4, and iPod touch 4G)
- Racoon String Format Overflow Exploit (used both for payload injection and untether)+HFS Heap Overflow - iPad 2 and iPhone 4S with Absinthe
5.1
- limera1n's bootrom exploit (Tethered jailbreak) on iPhone 3GS with new bootrom, iPod touch 3G, iPad, iPhone 4, and iPod touch 4G)
- limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
5.1.1
- limera1n Exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
- limera1n Exploit + Rocky Racoon (together for untethered jailbreak on iPhone 3GS with new bootrom, iPhone 4, iPod touch 3G, and iPod touch 4G)
Exploits which are used in order to jailbreak 6.x
6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2
- limera1n's bootrom exploit (Tethered jailbreak) on iPhone 3GS with new bootrom, iPhone 4, and iPod touch 4G)
- limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
- Symbolic Link Vulnerability
- Timezone Vulnerability (CVE-2013-0979)
- Shebang Trick
- AMFID code signing evasion
- launchd.conf untether
- IOUSBDeviceFamily Vulnerability (CVE-2013-0981)
- ARM Exception Vector Info Leak (CVE-2013-0978)
- dynamic memmove() locating
- vm_map_copy_t corruption for arbitrary memory disclosure
- kernel memory write via ROP gadget
- Overlapping Segment Attack (CVE-2013-0977)
6.1.3 / 6.1.4 / 6.1.5 / 6.1.6
- posix_spawn kernel information leak (by i0n1c)
- posix_spawn kernel exploit (CVE-2013-3954) (by i0n1c)
- mach_msg_ool_descriptor_ts for heap shaping
- AMFID_code_signing_evasi0n7 (CVE-2014-1273)
- DeveloperDiskImage race condition (by comex)
- launchd.conf untether
Exploits which are used in order to jailbreak 7.x
This section is a stub; it is incomplete. Please add more content to this section and remove this tag.
7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6
- CVE-2013-5133
- CVE-2014-1272
- AMFID_code_signing_evasi0n7 (CVE-2014-1273)
- CVE-2014-1278
- Symbolic Link Vulnerability
7.1 / 7.1.1 / 7.1.2
- limera1n's bootrom exploit (Tethered jailbreak) on iPhone 4
- i0n1c's Infoleak vulnerability (Pangu v1.0.0)
- break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
- LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0)
- TempSensor kernel exploit (Pangu 1.1.0)
- "syslogd chown" vulnerability
- enterprise certificate (no real exploit, used for initial "unsigned" code execution)
- "foo_extracted" symlink vulnerability (used to write to /var)
- /tmp/bigfile (a big file for improvement of the reliability of a race condition)
- VoIP backgrounding trick (used to auto restart the app)
- hidden segment attack
Exploits which are used in order to jailbreak 8.x
This section is a stub; it is incomplete. Please add more content to this section and remove this tag.
8.0/8.0.1/8.0.2/8.1
- an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
- enterprise certificate (inside the IPA)
- a kind of dylib injection into a system process (see IPA)
- a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
- a sandboxing problem in debugserver (CVE-2014-4457)
- the same/a similar kernel exploit as used in Pangu (CVE-2014-4461) (source @iH8sn0w)
- enable-dylibs-to-override-cache
- CVE-2014-4455
- LightSensor / ProxALSSensor kernel exploit (Also used in Pangu 1.0.0)
- DeveloperDiskImage race condition (by comex) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn)
- enable-dylibs-to-override-cache (Also used in Pangu8)
- a kind of dylib injection into a system process (see IPA) (Also used in Pangu8 but tweaked slightly)
8.1.1
- LightSensor / ProxALSSensor kernel exploit (Also used in Pangu 1.0.0)
- DeveloperDiskImage race condition (by comex) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn)
- enable-dylibs-to-override-cache (Also used in Pangu8)
- a kind of dylib injection into a system process (see IPA) (Also used in Pangu8 but tweaked slightly)
