Difference between revisions of "User:Aker"

= Jailbreak Exploits =

== Missing ==

* UnthreadedJB

* name "steaks4uce"

* references to limera1n and so on

* 4.0.2 -> limera1n?

== Exploits which are used in order to jailbreak different versions of iOS ==

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]])

* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])

* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[n72ap|iPod touch 2G]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)

* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[n88ap|iPhone 3GS]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]] and [[k66ap|Apple TV 2G]])

* [[usb_control_msg(0xA1, 1) Exploit]] (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])

== Exploits which are used in order to jailbreak 4.x ==

=== 4.0 / 4.0.1 ===

* [[Pwnage]] + [[Pwnage 2.0]] ([[n82ap|iPhone 3G]])

* [[0x24000 Segment Overflow]] ([[n72ap|iPod touch 2G]] and [[n88ap|iPhone 3GS]] devices with older bootroms)

* [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] (all devices, used in [[Star]])

* [[Limera1n Exploit]] + [[Packet Filter Kernel Exploit]] ([[n88ap|iPhone 3GS]] New bootrom, [[N18ap|iPod touch 3G]], [[n90ap|iPhone 4 (iPhone3,1)]])

=== 4.0.2 ===

* [[Packet Filter Kernel Exploit]]

=== [[limera1n]] / [[greenpois0n|greenpois0n (jailbreak)]] (4.1) ===

* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===

* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===

* [[T1 Font Integer Overflow]]

* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===

Except for the [[n18ap|iPod touch 3G]] on iOS 4.3.1.

* [[T1 Font Integer Overflow]]

* [[IOMobileFrameBuffer Privilege Escalation Exploit]]

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===

* [[ndrv_setspec() Integer Overflow]]

== Exploits which are used in order to jailbreak 5.x ==

=== [[Absinthe]] (5.0 on [[n94ap|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===

* [[Racoon String Format Overflow Exploit]] (used both for payload injection and untether)

* [[HFS Heap Overflow]]

=== [[Corona|Corona Untether]] (5.0.1) ===

* [[Racoon String Format Overflow Exploit]]

* [[HFS Heap Overflow]]

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===

{{Section Stub}}

* a new Packet Filter Kernel Exploit (CVE-2012-3728)

* Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)

== Exploits which are used in order to jailbreak 6.x ==

=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===

* [[Symbolic Link Vulnerability]]

* [[Timezone Vulnerability]]

* [[Shebang Trick]]

* [[AMFID code signing evasion]]

* [[launchd.conf untether]]

* [[IOUSBDeviceFamily Vulnerability]]

* [[ARM Exception Vector Info Leak]]

* [[dynamic memmove() locating]]

* [[vm_map_copy_t corruption for arbitrary memory disclosure]]

* [[kernel memory write via ROP gadget]]

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===

* [[posix_spawn kernel information leak]] (by [[i0n1c]])

* [[posix_spawn kernel exploit]] (CVE-2013-3954) (by [[i0n1c]])

* [[mach_msg_ool_descriptor_ts for heap shaping]]

* [[AMFID_code_signing_evasi0n7]]

* [[DeveloperDiskImage race condition]] (by [[comex]])

* [[launchd.conf untether]]

== Exploits which are used in order to jailbreak 7.x ==

{{Section Stub}}

=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===

* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5133 CVE-2013-5133]

* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1272 CVE-2014-1272]

* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1273 CVE-2014-1273]

* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1278 CVE-2014-1278]

* [[Symbolic Link Vulnerability]]

=== [[Geeksn0w]] (7.1 / 7.1.1 / 7.1.2) ===

* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===

* [[i0n1c]]'s Infoleak vulnerability (Pangu v1.0.0)

* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) (Pangu v1.1.0)

* LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0)

* TempSensor kernel exploit (Pangu 1.1.0)

* "syslogd chown" vulnerability

* enterprise certificate (no real exploit, used for initial "unsigned" code execution)

* "foo_extracted" symlink vulnerability (used to write to /var)

* /tmp/bigfile (a big file for improvement of the reliability of a race condition)

* VoIP backgrounding trick (used to auto restart the app)

* hidden segment attack

== Exploits which are used in order to jailbreak 8.x ==

{{Section Stub}}

=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===

* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)

* enterprise certificate (inside the IPA)

* a kind of dylib injection into a system process (see IPA)

* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)

* a sandboxing problem in debugserver (CVE-2014-4457)

* the same/a similar kernel exploit as used in [[Pangu]] (CVE-2014-4461) (source @iH8sn0w)

* enable-dylibs-to-override-cache

* CVE-2014-4455

=== [[TaiG]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1) ===

* LightSensor / ProxALSSensor kernel exploit (Also used in Pangu 1.0.0)

* [[DeveloperDiskImage race condition]] (by [[comex]]) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn)

* enable-dylibs-to-override-cache (Also used in Pangu8)

* a kind of dylib injection into a system process (see IPA) (Also used in Pangu8 but tweaked slightly)