Difference between revisions of "Jailbreak Exploits"

From The iPhone Wiki
Jump to: navigation, search
(Why do we need this duplicates?)
(added CVEs from `APPLE-SA-2015-01-27-1 Apple TV 7.0.3')
Line 182: Line 182:
 
* a kind of dylib injection into a system process (see IPA)
 
* a kind of dylib injection into a system process (see IPA)
 
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
 
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4457 CVE-2014-4457])
+
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* the same/a similar kernel exploit as used in [[Pangu|the first Pangu]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4461 CVE-2014-4461]) (source @iH8sn0w)
+
* the same/a similar kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w)
 
* enable-dylibs-to-override-cache
 
* enable-dylibs-to-override-cache
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4455 CVE-2014-4455]
+
* unknown exploits ({{cve|2014-4455}}, {{cve|2014-4491}}
   
 
=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
 
=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
Line 192: Line 192:
 
* enable-dylibs-to-override-cache (Also used in Pangu8)
 
* enable-dylibs-to-override-cache (Also used in Pangu8)
 
* a kind of dylib injection into a system process (see IPA) (Also used in Pangu8 but tweaked slightly)
 
* a kind of dylib injection into a system process (see IPA) (Also used in Pangu8 but tweaked slightly)
  +
* unknown exploits ({{cve|2014-4480}}, {{cve|2014-4455}}, {{cve|2014-4487}}, {{cve|2014-4496}})

Revision as of 19:09, 27 January 2015

This page lists the exploits used in jailbreaks.

Contents

Common exploits which are used in order to jailbreak different versions of iOS

Programs which are used in order to jailbreak different versions of iOS

PwnageTool (2.0 - 5.1.1)

  • uses different common exploits
  • uses the exploits listed below to untether up to iOS 5.1.1

redsn0w (3.0 - 6.0)

  • uses different common exploits
  • uses the same exploits as Absinthe and Absinthe 2.0 to jailbreak iOS 5.0/5.0.1 and 5.1.1
  • uses the exploits listed below to untether up to iOS 5.1.1

sn0wbreeze (3.1.3 - 6.1.3)

  • uses different common exploits
  • uses the exploits listed below to untether up to iOS 6.1.2

Programs which are used in order to jailbreak 1.x

AppTapp Installer (1.0 / 1.0.1 / 1.0.2)

  • iBoot cp-command exploit

iBrickr (1.0 / 1.0.1 / 1.0.2)

  • iBoot cp-command exploit

AppSnapp/JailbreakMe 1.0 (1.0 / 1.0.1 / 1.0.2 / 1.1.1)

OktoPrep (1.1.2)

"Upgrade" to 1.1.2 from a jailborken 1.1.1

Soft Upgrade (1.1.3)

"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

ZiPhone (1.1.3 / 1.1.4 /1.1.5)

iLiberty / iLiberty+ (1.1.3 / 1.1.4 /1.1.5)

Programs which are used in order to jailbreak 2.x

QuickPwn (2.0 - 2.2.1)

Redsn0w Lite (2.1.1)

Programs which are used in order to jailbreak 3.x

purplera1n (3.0)

blackra1n (3.1.2)

Spirit (3.1.2 / 3.1.3 / 3.2)

JailbreakMe 2.0 / Star (3.1.2 / 3.1.3 / 3.2 / 3.2.1)

limera1n / greenpois0n (3.2.2)

Programs which are used in order to jailbreak 4.x

JailbreakMe 2.0 / Star (4.0 / 4.0.1)

limera1n / (4.0 / 4.0.1 / 4.0.2 / 4.1)

greenpois0n (4.1)

greenpois0n (4.2.1)

JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)

JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)

Except for the iPod touch 3G on iOS 4.3.1.

i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)

used in redsn0w to untether iOS 4.3.1 / 4.3.2 / 4.3.3

Programs which are used in order to jailbreak 5.x

unthredera1n (5.0 / 5.0.1 / 5.1 / 5.1.1)

Except for the iPad 3

Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)

Corona Untether (5.0.1)

Absinthe 2.0 and Rocky Racoon Untether (5.1.1)

  • a new Packet Filter Kernel Exploit (CVE-2012-3728)
  • Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)
  • MobileBackup2 Copy Exploit

Programs which are used in order to jailbreak 6.x

evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)

p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)

Programs which are used in order to jailbreak 7.x

evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)

This section is a stub; it is incomplete. Please add more content to this section and remove this tag.

Geeksn0w (7.1 / 7.1.1 / 7.1.2)

Pangu (7.1 / 7.1.1 / 7.1.2)

  • i0n1c's Infoleak vulnerability (Pangu v1.0.0)
  • break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
  • LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0) (CVE-2014-4388)
  • TempSensor kernel exploit (Pangu 1.1.0) (CVE-2014-4388)
  • "syslogd chown" vulnerability
  • enterprise certificate (no real exploit, used for initial "unsigned" code execution)
  • "foo_extracted" symlink vulnerability (used to write to /var) (CVE-2014-4386)
  • /tmp/bigfile (a big file for improvement of the reliability of a race condition)
  • VoIP backgrounding trick (used to auto restart the app)
  • hidden segment attack
  • CVE-2014-4407

Programs which are used in order to jailbreak 8.x

Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)

  • an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
  • enterprise certificate (inside the IPA)
  • a kind of dylib injection into a system process (see IPA)
  • a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
  • a sandboxing problem in debugserver (CVE-2014-4457)
  • the same/a similar kernel exploit as used in the first Pangu (CVE-2014-4461) (source @iH8sn0w)
  • enable-dylibs-to-override-cache
  • unknown exploits (CVE-2014-4455, CVE-2014-4491

TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2)