Difference between revisions of "Untethered jailbreak"

From The iPhone Wiki
(Different Types)
(Rewrite page, include examples of utilities, more information about specific methods)
 
(16 intermediate revisions by 8 users not shown)
Line 1: Line 1:
An untethered jailbreak is a type of [[jailbreak]] where your device does not require you to reboot with a connection to an external device capable of executing commands on the device.
+
An '''untethered jailbreak''' is a jailbreak wherein a user can reboot their device at will, and have their device start up with the jailbreak automatically applied without the assistance of a computer or a utility on the device.
   
  +
These jailbreaks can be applied via multiple different methods, the most common of which being kernel exploits.
== Device support ==
 
Many device/firmware combinations can use an untethered jailbreak. The most current version of iOS (5.0.1), as well as the [[N94ap|iPhone 4S]] and [[iPad 2]], can be untethered jailbroken already using [[Absinthe]] or [[Redsn0w]].
 
   
  +
== Kernel exploits ==
Devices as new as the [[N81ap|iPod touch 4G]]/[[K66ap|Apple TV 2G]] have known [[bootrom]] exploits. However, the [[N88ap|iPhone 3GS]] ([[iBoot-359.3|old bootrom]]) and older have bootrom exploits that allow for an untethered jailbreak. Newer devices as old as the [[N88ap|iPhone 3GS]] ([[iBoot-359.3.2|new bootrom]]), [[N72ap|iPod touch 2G]] ([[iBoot-240.5.1|new bootrom]]), and [[N18ap|iPod touch 3G]] have bootrom exploits that are limited to a [[tethered jailbreak]] (without the assistance of a firmware-based exploit).
 
   
  +
Most untethered jailbreaks rely on vulnerabilities in the kernel and early boot process, typically using a combination of codesigning bypasses and manipulating the system into executing a binary early in the boot process (or obtaining unsigned code execution via a vulnerability in an existing startup process). Once code execution has been obtained, a kernel exploit is used in order to patch the currently loaded kernel to allow for the rootfs to be remounted as read/write, and to allow for unsigned code execution.
==Different Types==
 
There are 2 types of untethered jailbreaks: Patched [[LLB]]-based and kernel hacks. On the first sort, that requires an untethered bootrom dump (e.g. [[24kpwn]] or [[Pwnage 2.0]]), it is permanent and unpatchable, except for an hardware update. This type of jailbreak patches the LLB to not check the firmware at boot-up , letting a pwned kernel or a custom bootlogo to be uploaded to the system. The second type, uploads the unpwned kernel, the system checks the signature, then a kernel exploit happens and the kernel is being patched and changed to fit jailbreak. After the exploit, the bootlogo can be changed. A userland exploit was used before the kernel exploit to get bypassed the iBoot signature checks before the kernel exploit. up to iOS 4.3.3, [[Incomplete Codesign Exploit]] was used. in iOS 4.3.4, it was patched. in 5.0.1 [[Racoon String Format Overflow Exploit]] is used instead. The kernel exploits found so far: [[BPF_STX Kernel Write Exploit]] (works up to iOS 3.2), [[iOSurface Kernel Exploit]] (works up to iOS 4.0.1, excluding 3.2.2), [[Packet Filter Kernel Exploit]] (Works up to iOS 4.2 beta 3), [[HFS Legacy Volume Name Stack Buffer Overflow]] (vulnerability in HFS, works up to iOS 4.2.8), [[ndrv_setspec() integer overflow]] (Works up to iOS 4.3.3) and [[HFS Heap Overflow]] (Works up to iOS 5.0.1)
 
   
==Utilities capable of untethered jailbreaks==
+
Tools that use kernel exploits to achieve untethered jailbreaks:
These jailbreak utilities can perform an untethered jailbreak, sorted by operating system.
 
   
  +
*[[Spirit]]
===iOS===
 
  +
*[[Star|JailbreakMe 2.0 (star)]]/[[Saffron|JailbreakMe 3.0 (saffron)]]
[[Star]] and [[saffron]] run on the device itself, and are completely independent of a computer's operating system. JailbreakMe has supported so far 1.0-1.1.1,3.1.2-4.0.1(no 3.2.2) and 4.3-4.3.3. Each device can be jailbroken on those firmwares, No matter what, but if [[SHSH]] blobs aren't given for a certain firmware, it is not restorable.
 
  +
*[[limera1n]]
  +
*[[greenpois0n]]
  +
*[[Absinthe]]
  +
*[[unthredera1n]]
  +
*[[evasi0n]]
  +
*[[p0sixspwn]]
  +
*[[evasi0n7]]
  +
*[[Pangu]]
  +
*[[Pangu8]]
  +
*[[TaiG]]
  +
*[[etasonJB]]
  +
*[[UntetherHomeDepot]]
  +
*[[Pangu9]]
   
  +
== BootROM exploits ==
   
  +
Older devices, such as the iPhone 3GS, iPod touch 2 (old bootrom) and earlier, have had vulnerabilities discovered in the [[BootROM]] that are able to be executed without the assistance of DFU mode (such as via a malformed image in the NOR) allowing for stages of the boot chain to be overwritten with custom code, such as a patched LLB/iBoot to allow for an unsigned kernel, and a custom boot logo. Examples of bootrom exploits that allow for untethered code execution are [[Pwnage]], [[0x24000 Segment Overflow|24kpwn]] and [[alloc8 Exploit|alloc8]].
===Mac OS X===
 
* [[Spirit]]
 
* [[blackra1n]]
 
* [[Greenpois0n (jailbreak)|greenpois0n]]
 
* [[limera1n]]
 
* [[PwnageTool]]
 
* [[redsn0w]]
 
* [[Absinthe]]
 
   
  +
Tools that use bootROM exploits to achieve untethered jailbreaks:
===Windows===
 
* [[Spirit]]
 
* [[blackra1n]]
 
* [[Greenpois0n (jailbreak)|greenpois0n]]
 
* [[limera1n]]
 
* [[redsn0w]]
 
* [[sn0wbreeze]]
 
* [[Absinthe]]
 
   
  +
*[[redsn0w]]
===Linux===
 
* [[Spirit]]
+
*[[sn0wbreeze]]
  +
*[[PwnageTool]]
* [[Greenpois0n (jailbreak)|greenpois0n]]
 
  +
* [[Absinthe]]
 
* [[redsn0w]] (0.8)
+
*[[ipwndfu]]
  +
== iBoot exploits ==
  +
  +
Some jailbreaks abuse vulnerabilities in the currently installed [[iBoot]] in order to patch out signature checks or load an alternative iBoot, therefore being able to load a patched and jailbroken kernel. Very few jailbreak utilities opt to use this method, as iBoot exploits are rare to come across and are able to be patched by Apple with software updates, thereby only being able to be used if blobs have been saved, or if the device was discontinued before Apple released a patch.
  +
  +
==See also==
  +
*[[Jailbreak]]
  +
*[[Jailbreak Exploits]]
  +
*[[Tethered jailbreak]]
  +
*[[Semi-tethered jailbreak]]
  +
*[[Semi-untethered jailbreak]]
  +
  +
[[Category:Jailbreaking]]
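Review bot: the rewrite removes the per-firmware exploit inventory from the old ==Different Types== paragraph (the userland chain: [[Incomplete Codesign Exploit]] up to iOS 4.3.3, patched in 4.3.4, [[Racoon String Format Overflow Exploit]] in 5.0.1; and the kernel exploits [[BPF_STX Kernel Write Exploit]], [[iOSurface Kernel Exploit]], [[Packet Filter Kernel Exploit]], [[HFS Legacy Volume Name Stack Buffer Overflow]], [[ndrv_setspec() integer overflow]] and [[HFS Heap Overflow]] with their version ranges) without replacing it, and the new == Kernel exploits == section links to no specific exploit page. Suggest keeping a one-line pointer under that heading, for example "See [[Jailbreak Exploits]] for the exploits used by each utility", or moving the removed list to that page so the version ranges are not lost. The old == Device support == paragraph (iOS 5.0.1, iPhone 4S and iPad 2 via [[Absinthe]] or [[Redsn0w]]) is also dropped with no replacement; if it is out of date, the edit summary should say so rather than the content disappearing silently.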

Latest revision as of 02:39, 26 April 2021

An untethered jailbreak is a jailbreak wherein a user can reboot their device at will, and have their device start up with the jailbreak automatically applied without the assistance of a computer or a utility on the device.

These jailbreaks can be applied via multiple different methods, the most common of which being kernel exploits.

Kernel exploits

Most untethered jailbreaks rely on vulnerabilities in the kernel and early boot process, typically using a combination of codesigning bypasses and manipulating the system into executing a binary early in the boot process (or obtaining unsigned code execution via a vulnerability in an existing startup process). Once code execution has been obtained, a kernel exploit is used in order to patch the currently loaded kernel to allow for the rootfs to be remounted as read/write, and to allow for unsigned code execution.

Tools that use kernel exploits to achieve untethered jailbreaks:

BootROM exploits

Older devices, such as the iPhone 3GS, iPod touch 2 (old bootrom) and earlier, have had vulnerabilities discovered in the BootROM that can be triggered without the assistance of DFU mode (for example via a malformed image in the NOR). These allow stages of the boot chain to be overwritten with custom code, such as a patched LLB/iBoot that permits an unsigned kernel and a custom boot logo. Examples of bootrom exploits that allow for untethered code execution are Pwnage, 24kpwn and alloc8.

Tools that use bootROM exploits to achieve untethered jailbreaks:

iBoot exploits

Some jailbreaks abuse vulnerabilities in the currently installed iBoot to patch out signature checks or to load an alternative iBoot, and are thereby able to load a patched, jailbroken kernel. Very few jailbreak utilities use this method: iBoot exploits are rare, and Apple can patch them with software updates, so they remain usable only if blobs have been saved or if the device was discontinued before Apple released a patch.

See also