Difference between revisions of "Jailbreak Exploits"

From The iPhone Wiki
(Exploits which are used in order to jailbreak 7.x: Adding 7.0.x exploits. Taken from http://support.apple.com/kb/HT6162 any marked 'evad3rs')
m (forgot to add this to v1ntex)
(130 intermediate revisions by 16 users not shown)
Line 1: Line 1:
This page lists the exploits used in [[Jailbreak]]s.
+
This page lists the '''exploits''' used in [[jailbreak]]s.
  +
== Exploits which were used in order to jailbreak 1.x ==
 
  +
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.
* [[Restore Mode]] ([[iBoot (Bootloader)|iBoot]] had a command named cp, which had access to the whole filesystem)
 
  +
=== 1.1.1 ===
 
  +
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
* [[Symlinks]] (an upgrade jailbreak)
 
  +
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]])
 
  +
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
=== 1.1.2 ===
 
  +
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
* [[Mknod]] (an upgrade jailbreak)
 
  +
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
=== 1.1.3 / 1.1.4 / 1.1.5 ===
 
  +
* [[Soft Upgrade]] (an upgrade jailbreak)
 
=== 1.0.2 ===
+
== Common exploits ==
  +
== Jailbreak Programs ==
  +
=== [[PwnageTool]] (2.0 - 5.1.1) ===
  +
* uses different common exploits
  +
* uses the exploits listed below to untether up to iOS 5.1.1
  +
  +
=== [[redsn0w]] (3.0 - 6.0) ===
  +
* uses different common exploits
  +
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
  +
* uses the exploits listed below to untether up to iOS 5.1.1
  +
  +
=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
  +
* uses different common exploits
  +
* uses the exploits listed below to untether up to iOS 6.1.2
  +
  +
== Programs used to jailbreak 1.x ==
  +
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
  +
* iBoot <code>cp</code>-command exploit
  +
  +
=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
  +
* iBoot <code>cp</code>-command exploit
  +
  +
=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
  +
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})
  +
  +
=== [[mknod|OktoPrep]] (1.1.2) ===
  +
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
  +
* [[mknod]]
  +
  +
=== [[Soft Upgrade]] (1.1.3) ===
  +
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2
  +
  +
=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
 
* [[Ramdisk Hack]]
 
* [[Ramdisk Hack]]
* [[Dual Boot Exploit]] - Works up to [[iOS]] 2.0 beta 3
 
* [[diags]] - Works up to [[iOS]] 2.0 beta 5
 
   
  +
=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===
== Exploits which are used in order to jailbreak 2.x ==
 
=== 2.0 / 2.0.1 / 2.0.2 / 2.1 ===
 
* [[Pwnage]] + [[Pwnage 2.0]]
 
=== 2.1.1 ===
 
* [[ARM7 Go]] ([[tethered jailbreak]])
 
=== 2.2 ===
 
* [[Pwnage]] + [[Pwnage 2.0]] ([[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])
 
=== 2.2.1 ===
 
* [[Pwnage]] + [[Pwnage 2.0]] ([[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])
 
* [[0x24000 Segment Overflow]] + [[ARM7 Go]] (from iOS 2.1.1) ([[n72ap|iPod touch 2G]])
 
   
== Exploits which are used in order to jailbreak 3.x ==
+
== Programs used to jailbreak 2.x ==
=== 3.0 / 3.0.1 ===
+
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* [[Pwnage]] + [[Pwnage 2.0]] ([[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])
+
* uses [[Pwnage]] and [[Pwnage 2.0]]
* [[ARM7 Go]] (from iOS 2.1.1) + [[0x24000 Segment Overflow]] ( [[n72ap|iPod touch 2G]])
 
* [[Pwnage]] + [[iBoot Environment Variable Overflow]] ([[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])
 
* [[0x24000 Segment Overflow]] + [[iBoot Environment Variable Overflow]] ([[n72ap|iPod touch 2G]] and [[n88ap|iPhone 3GS]])
 
=== 3.1 / 3.1.1 ===
 
* [[Pwnage]] + [[Pwnage 2.0]] (together for [[untethered jailbreak]] on [[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])
 
* [[usb_control_msg(0x21, 2) Exploit]] ([[tethered jailbreak]] on [[n72ap|iPod touch 2G]] [[Bootrom 240.5.1|new bootrom]], [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], and [[n18ap|iPod touch 3G]])
 
* [[0x24000 Segment Overflow]] + [[usb_control_msg(0x21, 2) Exploit]] ([[n72ap|iPod touch 2G]] [[Bootrom 240.4|old bootrom]] and [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]])
 
=== 3.1.2 ===
 
* [[Pwnage]] + [[Pwnage 2.0]] (together for [[untethered jailbreak]] on [[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])
 
* [[usb_control_msg(0x21, 2) Exploit]] ([[tethered jailbreak]] on [[n72ap|iPod touch 2G]] [[Bootrom 240.5.1|new bootrom]], [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], and [[n18ap|iPod touch 3G]])
 
* [[0x24000 Segment Overflow]] + [[usb_control_msg(0x21, 2) Exploit]] ([[n72ap|iPod touch 2G]] [[Bootrom 240.4|old bootrom]] and [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]])
 
* [[MobileBackup Copy Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] (all devices, used in [[Spirit]])
 
* [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] (all devices, used in [[Star]])
 
=== 3.1.3 ===
 
* [[Pwnage]] + [[Pwnage 2.0]] (together for [[untethered jailbreak]] on [[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])
 
* [[0x24000 Segment Overflow]] (for [[n72ap|iPod touch 2G]] and [[n88ap|iPhone 3GS]] devices with older bootroms)
 
** + [[Limera1n Exploit]] ([[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]], used in [[sn0wbreeze]])
 
** + [[usb_control_msg(0xA1, 1) Exploit]] ([[n72ap|iPod touch 2G]] [[Bootrom 240.4|old bootrom]], used in [[sn0wbreeze]])
 
* [[usb_control_msg(0xA1, 1) Exploit]]+ [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] ([[n72ap|iPod touch 2G]] [[Bootrom 240.5.1|new bootrom]], used in [[sn0wbreeze]])
 
* [[Limera1n Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] ([[N18ap|iPod touch 3G]] and [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], used in [[sn0wbreeze]])
 
* [[MobileBackup Copy Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] (all devices, used in [[Spirit]])
 
* [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] (all devices, used in [[Star]])
 
   
=== 3.2 ===
+
=== [[Redsn0w Lite]] (2.1.1) ===
  +
* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)
* [[MobileBackup Copy Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] (all devices, used in [[Spirit]])
 
* [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] ([[k48ap|iPad]], used in [[Star]])
 
* [[Limera1n Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] ([[K48ap|iPad]] used in [[sn0wbreeze]] 2.9.x)
 
=== 3.2.1 ===
 
* [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] ([[k48ap|iPad]], used in [[Star]])
 
* [[Limera1n Exploit]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] ([[k48ap|iPad]], used in [[sn0wbreeze]] 2.9.x)
 
=== 3.2.2 ===
 
* [[Limera1n Exploit]] + [[Packet Filter Kernel Exploit]] ([[k48ap|iPad]])
 
   
== Exploits which are used in order to jailbreak 4.x ==
+
== Programs used to jailbreak 3.x ==
=== 4.0 / 4.0.1 ===
+
=== [[purplera1n]] (3.0) ===
  +
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* [[Pwnage]] + [[Pwnage 2.0]] ([[n82ap|iPhone 3G]])
 
* [[0x24000 Segment Overflow]] ([[n72ap|iPod touch 2G]] and [[n88ap|iPhone 3GS]] devices with older bootroms)
+
* uses [[0x24000 Segment Overflow]]
* [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] (all devices, used in [[Star]])
 
* [[Limera1n Exploit]] + [[Packet Filter Kernel Exploit]] ([[n88ap|iPhone 3GS]] New bootrom, [[N18ap|iPod touch 3G]], [[n90ap|iPhone 4 (iPhone3,1)]])
 
   
=== 4.0.2 ===
+
=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
  +
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* [[Pwnage]] + [[Pwnage 2.0]] ([[n82ap|iPhone 3G]])
 
* [[ARM7 Go]] (from iOS 2.1.1) + [[0x24000 Segment Overflow]] ([[n72ap|iPod touch 2G]])
+
* uses [[0x24000 Segment Overflow]]
* [[0x24000 Segment Overflow]] ([[n88ap|iPhone 3GS]])
 
* [[limera1n]]'s bootrom exploit + [[Packet Filter Kernel Exploit]] ([[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[n90ap|iPhone 4 (iPhone3,1)]], and [[n81ap|iPod touch 4G]])
 
   
=== 4.1 ===
+
=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
  +
* [[MobileBackup Copy Exploit]]
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]])
 
  +
* [[Incomplete Codesign Exploit]]
* [[ARM7 Go]] (from iOS 2.1.1) + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n72ap|iPod touch 2G]] [[Bootrom 240.4|old bootrom]])
 
  +
* [[BPF_STX Kernel Write Exploit]]
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]])
 
* [[limera1n]]'s bootrom exploit + [[Packet Filter Kernel Exploit]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[n90ap|iPhone 4 (iPhone3,1)]], [[n81ap|iPod touch 4G]], and [[k66ap|Apple TV 2G]]))
 
* [[usb_control_msg(0xA1, 1) Exploit]] + [[Packet Filter Kernel Exploit]] (together for [[untethered jailbreak]] on [[n72ap|iPod touch 2G]])
 
   
  +
=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
=== 4.2.1 ===
 
  +
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]])
 
  +
* [[Incomplete Codesign Exploit]]
* [[ARM7 Go]] (from iOS 2.1.1) + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n72ap|iPod touch 2G]] [[Bootrom 240.4|old bootrom]])
 
  +
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]])
 
* [[limera1n]]'s bootrom exploit + [[HFS Legacy Volume Name Stack Buffer Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 (iPhone3,1)]], [[n81ap|iPod touch 4G]], and [[k66ap|Apple TV 2G]])
 
* [[usb_control_msg(0xA1, 1) Exploit]] + [[HFS Legacy Volume Name Stack Buffer Overflow]] (together for [[untethered jailbreak]] on [[n72ap|iPod touch 2G]])
 
   
=== 4.2.6 / 4.2.7 / 4.2.8 ===
+
=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
  +
* uses different common exploits
* [[limera1n]]'s bootrom exploit + [[HFS Legacy Volume Name Stack Buffer Overflow]] (together for [[untethered jailbreak]] on [[n92ap|iPhone 4 (iPhone3,3)]])
 
  +
* [[Packet Filter Kernel Exploit]]
* [[T1 Font Integer Overflow]] (used for [[Saffron]])
 
   
=== 4.2.9 / 4.2.10 ===
+
== Programs used to jailbreak 4.x ==
  +
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[limera1n]]'s bootrom exploit (Tethered jailbreak on [[n92ap|iPhone 4 (iPhone3,3)]])
 
  +
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
  +
* [[Incomplete Codesign Exploit]]
  +
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})
   
=== 4.3 ===
+
=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
  +
* uses different common exploits
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]])
 
  +
* [[Packet Filter Kernel Exploit]]
* [[limera1n]]'s bootrom exploit ([[tethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 (iPhone3,1)]], [[n81ap|iPod touch 4G]], and [[k66ap|Apple TV 2G]])
 
* [[T1 Font Integer Overflow]] (used for [[Saffron]])
 
   
  +
=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
=== 4.3.1 / 4.3.2 / 4.3.3 ===
 
  +
* uses different common exploits
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]])
 
  +
* [[Packet Filter Kernel Exploit]]
* [[limera1n]]'s bootrom exploit + [[ndrv_setspec() Integer Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 (iPhone3,1)]], and [[n81ap|iPod touch 4G]])
 
* [[T1 Font Integer Overflow]] (used for [[Saffron]])
 
   
=== 4.3.4 / 4.3.5 ===
+
=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
  +
* uses different common exploits
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]])
 
  +
* [[HFS Legacy Volume Name Stack Buffer Overflow]]
* [[limera1n]]'s bootrom exploit (Tethered jailbreak) on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 (iPhone3,1)]], and [[n81ap|iPod touch 4G]])
 
   
  +
=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
== Exploits which are used in order to jailbreak 5.x ==
 
  +
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
=== 5.0 ===
 
  +
* [[HFS Legacy Volume Name Stack Buffer Overflow]]
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]])
 
* [[limera1n]]'s bootrom exploit (Tethered jailbreak) on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], and [[n81ap|iPod touch 4G]])
 
* [[Racoon String Format Overflow Exploit]] (used both for payload injection and untether)+[[HFS Heap Overflow]]- [[n94ap|iPhone 4S]] only
 
   
  +
=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
===5.0.1===
 
  +
Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]])
 
  +
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[limera1n]]'s bootrom exploit + [[Racoon String Format Overflow Exploit]]+[[HFS Heap Overflow]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], and [[n81ap|iPod touch 4G]])
 
  +
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})
* [[Racoon String Format Overflow Exploit]] (used both for payload injection and untether)+[[HFS Heap Overflow]] - [[iPad 2]] and [[iPhone 4S]] with [[Absinthe]]
 
   
  +
=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
===5.1===
 
  +
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[limera1n]]'s bootrom exploit (Tethered jailbreak) on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], and [[n81ap|iPod touch 4G]])
 
  +
* [[ndrv_setspec() Integer Overflow]]
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]])
 
   
  +
== Programs used to jailbreak 5.x ==
===5.1.1===
 
  +
=== [[unthredeh4il]] (4.2.6-5.1.1) ===
* [[limera1n Exploit]] + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]])
 
  +
Except for the [[iPad (3rd generation)]]
* [[limera1n Exploit]] + [[Rocky Racoon]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3.2|new bootrom]], [[iPhone 4]], [[n18ap|iPod touch 3G]], and [[n81ap|iPod touch 4G]])
 
  +
* MobileBackup2 Copy Exploit
  +
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
  +
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
  +
* [[launchd.conf untether]]
  +
* [[Timezone Vulnerability]]
   
  +
=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
== Exploits which are used in order to jailbreak 6.x ==
 
  +
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
=== 6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2 ===
 
  +
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* [[limera1n]]'s bootrom exploit (Tethered jailbreak) on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3.2|new bootrom]], [[iPhone 4]], and [[n81ap|iPod touch 4G]])
 
  +
* unknown exploit ({{cve|2012-0643}})
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]])
 
  +
* [[Symbolic Link Vulnerability]]
 
  +
=== [[Corona|Corona Untether]] (5.0.1) ===
  +
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
  +
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
  +
* unknown exploit ({{cve|2012-0643}})
  +
  +
=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
  +
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
  +
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
  +
* MobileBackup2 Copy Exploit
  +
  +
== Programs used to jailbreak 6.x ==
  +
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
  +
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
 
* [[Timezone Vulnerability]]
 
* [[Timezone Vulnerability]]
* [[Shebang Trick]]
+
* [[Shebang Trick]] ({{cve|2013-5154}})
 
* [[AMFID code signing evasion]]
 
* [[AMFID code signing evasion]]
 
* [[launchd.conf untether]]
 
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]]
+
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]]
+
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
 
* [[dynamic memmove() locating]]
 
* [[dynamic memmove() locating]]
 
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
 
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
 
* [[kernel memory write via ROP gadget]]
 
* [[kernel memory write via ROP gadget]]
  +
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})
  +
  +
=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
  +
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
  +
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
  +
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
  +
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
  +
* [[DeveloperDiskImage race condition]] (by [[comex]])
  +
* [[launchd.conf untether]]
  +
  +
== Programs used to jailbreak 7.x ==
  +
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
  +
{{Section Stub}}
  +
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
  +
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
  +
* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
  +
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})
  +
  +
=== [[Geeksn0w]] (7.1 / 7.1.1) ===
  +
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]
  +
  +
=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
  +
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
  +
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
  +
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
  +
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
  +
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
  +
* "syslogd chown" vulnerability
  +
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
  +
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
  +
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
  +
* VoIP backgrounding trick (used to auto restart the app)
  +
* hidden segment attack
  +
  +
== Programs used to jailbreak 8.x ==
  +
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
  +
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
  +
* enterprise certificate (inside the IPA)
  +
* a kind of dylib injection into a system process (see IPA)
  +
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
  +
* a sandboxing problem in debugserver ({{cve|2014-4457}})
  +
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
  +
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
  +
* enable-dylibs-to-override-cache
  +
* a new ovelapping segment attack ({{cve|2014-4455}})
  +
  +
=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
  +
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
  +
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
  +
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
  +
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
  +
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
  +
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
  +
* MobileStorageMounter exploit ({{cve|2015-1062}})
  +
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})
  +
  +
Kernel:
  +
  +
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
  +
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
  +
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory
  +
  +
=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
  +
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
  +
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
  +
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
  +
* Symbolic linking to AFC ({{cve|2015-5746}})
  +
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
  +
* Code signing exploit ({{cve|2015-3802}})
  +
* Code signing exploit ({{cve|2015-3803}})
  +
* Code signing exploit ({{cve|2015-3805}})
  +
* Code signing exploit ({{cve|2015-3806}})
  +
* IOHIDFamily exploit ({{cve|2015-5774}})
  +
* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})
  +
  +
=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===
  +
  +
* OSUnserialize Information leak ({{cve|2016-4655}})
  +
* Kernel exploit ({{cve|2016-4656}})
  +
  +
== Programs used to jailbreak 9.x ==
  +
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
  +
* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
  +
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
  +
* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
  +
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
  +
* Racing KPP for some of the patches.
  +
* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})
  +
  +
=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
  +
* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}})
  +
  +
=== [[Home Depot]] (9.1-9.3.4) ===
  +
* OSUnserialize Information leak ({{cve|2016-4655}})
  +
* Kernel exploit ({{cve|2016-4656}})
  +
  +
=== [[Phœnix]] (9.3.5 / 9.3.6) ===
  +
* OSUnserialize Information leak ({{cve|2016-4655}})
  +
* mach_port_register Kernel exploit ({{cve|2016-4669}})
  +
  +
== Programs used to jailbreak 10.x ==
  +
  +
=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===
  +
  +
* set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}})
  +
  +
=== [[yalu102]] (10.0.1-10.2) ===
  +
  +
* mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}})
  +
  +
=== [[H3lix]] / [[doubleH3lix]] / [[Meridian]] (10.0-10.3.4) ===
  +
  +
(Note: [[H3lix]] is the only jailbreak for iOS 10.3.4 so far. Exploits are still the same)
  +
  +
* IOSurface Kernel Exploit ({{cve|2017-13861}})
  +
  +
== Programs used to jailbreak 11.x ==
  +
  +
===[[Electra]] (11.0-11.4.1)===
  +
  +
11.0 - 11.1.2
  +
  +
* IOSurface Kernel Exploit ({{cve|2017-13861}})
  +
  +
11.2 - 11.3.1
  +
  +
* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
  +
* getvolattrlist (empty_list) ({{cve|2018-4243}})
  +
  +
11.2 - 11.4.1
  +
  +
* v1ntex ({{cve|2019-6225}})
  +
  +
== Programs used to jailbreak 12.x ==
  +
  +
===[[Unc0ver]] (11.0-12.2/12.4)===
  +
  +
11.0 - 11.1.2
  +
  +
* IOSurface Kernel Exploit ({{cve|2017-13861}})
  +
  +
11.0 - 11.3.1
  +
  +
* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
  +
* getvolattrlist (empty_list) ({{cve|2018-4243}})
  +
  +
11.0 - 12.1.2
  +
  +
* voucher_swap ({{cve|2019-6225}})
  +
  +
11.0 - 12.2/12.4
  +
  +
* sockpuppet ({{cve|2019-8527}})
  +
  +
===[[Chimera]] (12.0-12.2/12.4)===
  +
  +
12.0 - 12.1.2
   
  +
* voucher_swap ({{cve|2019-6225}})
=== 6.1.3 / 6.1.4 / 6.1.5 / 6.1.6 ===
 
*?
 
   
  +
12.0 - 12.2/12.4
== Exploits which are used in order to jailbreak 7.x ==
 
=== 7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6 ===
 
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5133 CVE-2013-5133]
 
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1272 CVE-2014-1272]
 
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1273 CVE-2014-1273]
 
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3948 CVE-2013-3948]
 
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1278 CVE-2014-1278]
 
   
  +
* sockpuppet ({{cve|2019-8527}})
=== 7.1 / 7.1.1 ===
 
*[[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]
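Review bot: "ovelapping" in the Pangu8 entry "a new ovelapping segment attack ({{cve|2014-4455}})" is a typo for "overlapping"; the TaiG entry that cites the same CVE already spells it "A new overlapping segment attack", so align the two.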
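Review bot: the three "mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects" entries (Pangu, Pangu8 and the TaiG "Kernel:" list) are the only list items whose CVE template is not wrapped in parentheses; write "mach_port_kobject exploit ({{cve|2014-4496}}) - ..." so they render like the surrounding entries.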
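Review bot: {{cve|2019-6225}} is listed as "v1ntex" under Electra (11.2 - 11.4.1) and as "voucher_swap" under Unc0ver and Chimera, with nothing connecting the two names; add a short parenthetical on one of them noting that both entries cite the same CVE, or link both names to the same wiki page, so a reader does not take them for two unrelated exploits.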
 

Revision as of 07:21, 14 September 2019

This page lists the exploits used in jailbreaks.


Common exploits

These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

Jailbreak Programs

PwnageTool (2.0 - 5.1.1)

  • uses different common exploits
  • uses the exploits listed below to untether up to iOS 5.1.1

redsn0w (3.0 - 6.0)

  • uses different common exploits
  • uses the same exploits as Absinthe and Absinthe 2.0 to jailbreak iOS 5.0/5.0.1 and 5.1.1
  • uses the exploits listed below to untether up to iOS 5.1.1

sn0wbreeze (3.1.3 - 6.1.3)

  • uses different common exploits
  • uses the exploits listed below to untether up to iOS 6.1.2

Programs used to jailbreak 1.x

AppTapp Installer (1.0 / 1.0.1 / 1.0.2)

  • iBoot cp-command exploit

iBrickr (1.0 / 1.0.1 / 1.0.2)

  • iBoot cp-command exploit

AppSnapp/JailbreakMe 1.0 (1.0 / 1.0.1 / 1.0.2 / 1.1.1)

OktoPrep (1.1.2)

"Upgrade" to 1.1.2 from a jailbroken 1.1.1

Soft Upgrade (1.1.3)

"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

ZiPhone (1.1.3 / 1.1.4 / 1.1.5)

iLiberty / iLiberty+ (1.1.3 / 1.1.4 / 1.1.5)

Programs used to jailbreak 2.x

QuickPwn (2.0 - 2.2.1)

Redsn0w Lite (2.1.1)

Programs used to jailbreak 3.x

purplera1n (3.0)

blackra1n (3.1 / 3.1.1 / 3.1.2)

Spirit (3.1.2 / 3.1.3 / 3.2)

JailbreakMe 2.0 / Star (3.1.2 / 3.1.3 / 3.2 / 3.2.1)

limera1n / greenpois0n (3.2.2)

Programs used to jailbreak 4.x

JailbreakMe 2.0 / Star (4.0 / 4.0.1)

limera1n (4.0 / 4.0.1 / 4.0.2 / 4.1)

greenpois0n (4.1)

greenpois0n (4.2.1)

JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)

JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)

Except for the iPod touch (3rd generation) on iOS 4.3.1.

i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)

used in redsn0w to untether iOS 4.3.1 / 4.3.2 / 4.3.3

Programs used to jailbreak 5.x

unthredeh4il (4.2.6-5.1.1)

Except for the iPad (3rd generation)

Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)

Corona Untether (5.0.1)

Absinthe 2.0 and Rocky Racoon Untether (5.1.1)

  • a new Packet Filter Kernel Exploit (CVE-2012-3728)
  • Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)
  • MobileBackup2 Copy Exploit

Programs used to jailbreak 6.x

evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)

p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)

Programs used to jailbreak 7.x

evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)

This section is a stub; it is incomplete.

Geeksn0w (7.1 / 7.1.1)

Pangu (7.1 / 7.1.1 / 7.1.2)

  • Mach-O OSBundleHeaders info leak (CVE-2014-4491) (Pangu v1.0.0)
  • AppleKeyStore::initUserClient info leak (CVE-2014-4407) (Pangu >v1.0.0)
  • break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (CVE-2014-4422)
  • mach_port_kobject exploit (CVE-2014-4496) - used to recover the permutation value and addresses of kernel objects
  • IOSharedDataQueue notification port overwrite (CVE-2014-4461)
  • "syslogd chown" vulnerability
  • enterprise certificate (no real exploit, used for initial "unsigned" code execution)
  • "foo_extracted" symlink vulnerability (used to write to /var) (CVE-2014-4386)
  • /tmp/bigfile (a big file for improvement of the reliability of a race condition)
  • VoIP backgrounding trick (used to auto restart the app)
  • hidden segment attack

Programs used to jailbreak 8.x

Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)

  • an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
  • enterprise certificate (inside the IPA)
  • a kind of dylib injection into a system process (see IPA)
  • a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
  • a sandboxing problem in debugserver (CVE-2014-4457)
  • mach_port_kobject exploit (CVE-2014-4496) - used to recover the permutation value and addresses of kernel objects
  • the same kernel exploit as used in the first Pangu (CVE-2014-4461) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
  • enable-dylibs-to-override-cache
  • a new overlapping segment attack (CVE-2014-4455)

TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2)

(See also details at http://newosxbook.com/articles/TaiG.html)

  • A new AFC symlink attack (CVE-2014-4480) - to get onto the device filesystem
  • DeveloperDiskImage race condition (by comex, also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
  • A new overlapping segment attack in dyld, in a modified version (CVE-2014-4455) - a negative LC_SEGMENT - to allow libmis and xpcd_cache to load
  • libmis redirection of MISValidateSignature (as in evasi0n) to kCFEqual, with an overlapping segment variant in TaiG (segment at end of file, negative)
  • enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
  • MobileStorageMounter exploit (CVE-2015-1062)
  • Backup exploit used to access restricted parts of the filesystem (CVE-2015-1087)

Kernel:

  • Mach-O OSBundleHeaders info leak (CVE-2014-4491) - leaks slid addresses
  • mach_port_kobject exploit (CVE-2014-4496) - used to recover the permutation value and addresses of kernel objects
  • IOHIDFamily Kernel exploit (CVE-2014-4487) - to overwrite memory

TaiG and PPJailbreak (8.1.3 / 8.2 / 8.3 / 8.4)

(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)

EtasonJB and Home Depot (8.4.1)

Programs used to jailbreak 9.x

Pangu9 (9.0 / 9.0.1 / 9.0.2 / 9.1)

  • Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. (CVE-2015-7037)
  • MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. (CVE-2015-7051)
  • IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. (CVE-2015-6974)
  • dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistence (CVE-2015-7079)
  • Racing KPP for some of the patches.
  • AMFI MAC hooks were in a non-__const __DATA section, so they were not integrity-checked by KPP, allowing the MAC hooks required for code signing to be replaced. (CVE-2015-7055)

Pangu9 (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3)

  • IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. (CVE-2016-4654)

Home Depot (9.1-9.3.4)

Phœnix (9.3.5 / 9.3.6)

Programs used to jailbreak 10.x

extra_recipe+yaluX (10.0-10.1.1)

  • set_dp_control_port exploit to execute arbitrary code with kernel privileges. (CVE-2016-7644)

yalu102 (10.0.1-10.2)

  • mach_voucher_extract_attr_recipe_trap memory corruption. (CVE-2017-2370)

H3lix / doubleH3lix / Meridian (10.0-10.3.4)

(Note: H3lix is the only jailbreak for iOS 10.3.4 so far; the exploits are still the same.)

Programs used to jailbreak 11.x

Electra (11.0-11.4.1)

11.0 - 11.1.2

11.2 - 11.3.1

11.2 - 11.4.1

Programs used to jailbreak 12.x

Unc0ver (11.0-12.2/12.4)

11.0 - 11.1.2

11.0 - 11.3.1

11.0 - 12.1.2

11.0 - 12.2/12.4

Chimera (12.0-12.2/12.4)

12.0 - 12.1.2

12.0 - 12.2/12.4