Jailbreak Exploits

Missing

• UnthreadedJB

Exploits which are used in order to jailbreak different versions of iOS

• limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
• limera1n's bootrom exploit (Tethered jailbreak) on iPhone 3GS with new bootrom, iPod touch 3G, iPad, iPhone 4, and iPod touch 4G)

Exploits which are used in order to jailbreak 5.x

Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)

• Racoon String Format Overflow Exploit (used both for payload injection and untether)
• HFS Heap Overflow

Corona Untether (5.0.1)

• Racoon String Format Overflow Exploit
• HFS Heap Overflow

Absinthe 2.0 and Rocky Racoon Untether (5.1.1)

This section is a stub; it is incomplete. Please add more content to this section and remove this tag.

• a new Packet Filter Kernel Exploit (CVE-2012-3728)
• Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)

Exploits which are used in order to jailbreak 6.x

evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)

• limera1n's bootrom exploit (Tethered jailbreak) on iPhone 3GS with new bootrom, iPhone 4, and iPod touch 4G)
• limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
• Symbolic Link Vulnerability
• Timezone Vulnerability
• Shebang Trick
• AMFID code signing evasion
• launchd.conf untether
• IOUSBDeviceFamily Vulnerability
• ARM Exception Vector Info Leak
• dynamic memmove() locating
• vm_map_copy_t corruption for arbitrary memory disclosure
• kernel memory write via ROP gadget

p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)

• posix_spawn kernel information leak (by i0n1c)
• posix_spawn kernel exploit (CVE-2013-3954) (by i0n1c)
• mach_msg_ool_descriptor_ts for heap shaping
• AMFID_code_signing_evasi0n7
• DeveloperDiskImage race condition (by comex)
• launchd.conf untether

Exploits which are used in order to jailbreak 7.x

This section is a stub; it is incomplete. Please add more content to this section and remove this tag.

evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)

• CVE-2013-5133
• CVE-2014-1272
• CVE-2014-1273
• CVE-2014-1278
• Symbolic Link Vulnerability

Geeksn0w (7.1 / 7.1.1 / 7.1.2)

• limera1n's bootrom exploit (Tethered jailbreak) on iPhone 4

Pangu (7.1 / 7.1.1 / 7.1.2)

• i0n1c's Infoleak vulnerability (Pangu v1.0.0)
• break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
• LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0)
• TempSensor kernel exploit (Pangu 1.1.0)
• "syslogd chown" vulnerability
• enterprise certificate (no real exploit, used for initial "unsigned" code execution)
• "foo_extracted" symlink vulnerability (used to write to /var)
• /tmp/bigfile (a big file for improvement of the reliability of a race condition)
• VoIP backgrounding trick (used to auto restart the app)
• hidden segment attack

Exploits which are used in order to jailbreak 8.x

This section is a stub; it is incomplete. Please add more content to this section and remove this tag.

Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)

• an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
• enterprise certificate (inside the IPA)
• a kind of dylib injection into a system process (see IPA)
• a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
• a sandboxing problem in debugserver (CVE-2014-4457)
• the same/a similar kernel exploit as used in Pangu (CVE-2014-4461) (source @iH8sn0w)
• enable-dylibs-to-override-cache
• CVE-2014-4455

TaiG (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1)

• LightSensor / ProxALSSensor kernel exploit (Also used in Pangu 1.0.0)
• DeveloperDiskImage race condition (by comex) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn)
• enable-dylibs-to-override-cache (Also used in Pangu8)
• a kind of dylib injection into a system process (see IPA) (Also used in Pangu8 but tweaked slightly)