|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "User:Aker"
m (→Exploits which are used in order to jailbreak 4.x) |
(link CVEs, add MB2, add UnthreadedJB, PwnageTool, redsn0w and sn0wbreeze) |
||
| Line 1: | Line 1: | ||
= Jailbreak Exploits = |
= Jailbreak Exploits = |
||
| + | == Common exploits which are used in order to jailbreak different versions of iOS == |
||
| − | == Missing == |
||
| − | * UnthreadedJB |
||
| − | * references to limera1n and so on |
||
| − | * sn0wbreeze, PwnageTool, redsn0w |
||
| − | |||
| − | == Exploits which are used in order to jailbreak different versions of iOS == |
||
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]]) |
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]]) |
||
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]]) |
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]]) |
||
| Line 13: | Line 8: | ||
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]]) |
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]]) |
||
| − | == |
+ | == Programs which are used in order to jailbreak different versions of iOS == |
| + | === [[PwnageTool]] (2.0 - 5.1.1) === |
||
| + | * uses different common exploits |
||
| + | * uses the exploits listed below to untether up to iOS 5.1.1 |
||
| + | |||
| + | === [[redsn0w]] (3.0 - 6.0) === |
||
| + | * uses different common exploits |
||
| + | * uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1 |
||
| + | * uses the exploits listed below to untether up to iOS 5.1.1 |
||
| + | |||
| + | === [[sn0wbreeze]] (3.1.3 - 6.1.3) === |
||
| + | * uses different common exploits |
||
| + | * uses the exploits listed below to untether up to iOS 6.1.2 |
||
| + | |||
| + | == Programs which are used in order to jailbreak 3.x == |
||
=== [[purplera1n]] (3.0 / 3.0.1) === |
=== [[purplera1n]] (3.0 / 3.0.1) === |
||
| − | * [[iBoot Environment Variable Overflow]] (CVE-2009-2795) |
+ | * [[iBoot Environment Variable Overflow]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2795 CVE-2009-2795]) |
| + | * uses [[0x24000 Segment Overflow]] |
||
=== [[blackra1n]] (3.1.2) === |
=== [[blackra1n]] (3.1.2) === |
||
| − | * [[usb_control_msg(0x21, 2) Exploit]] (CVE-2010-0038) |
+ | * [[usb_control_msg(0x21, 2) Exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0038 CVE-2010-0038]) |
| + | * uses [[0x24000 Segment Overflow]] |
||
=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) === |
=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) === |
||
| Line 26: | Line 37: | ||
=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) === |
=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) === |
||
| − | * [[Malformed CFF Vulnerability]] (CVE-2010-1797) |
+ | * [[Malformed CFF Vulnerability]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1797 CVE-2010-1797]) |
* [[Incomplete Codesign Exploit]] |
* [[Incomplete Codesign Exploit]] |
||
| − | * [[IOSurface Kernel Exploit]] (CVE-2010-2973) |
+ | * [[IOSurface Kernel Exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2973 CVE-2010-2973]) |
=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) === |
=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) === |
||
| + | * uses different common exploits |
||
* [[Packet Filter Kernel Exploit]] |
* [[Packet Filter Kernel Exploit]] |
||
| − | == |
+ | == Programs which are used in order to jailbreak 4.x == |
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) === |
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) === |
||
| − | * [[Malformed CFF Vulnerability]] (CVE-2010-1797) |
+ | * [[Malformed CFF Vulnerability]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1797 CVE-2010-1797]) |
* [[Incomplete Codesign Exploit]] |
* [[Incomplete Codesign Exploit]] |
||
| − | * [[IOSurface Kernel Exploit]] (CVE-2010-2973) |
+ | * [[IOSurface Kernel Exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2973 CVE-2010-2973]) |
=== [[limera1n]] / (4.0 / 4.0.1 / 4.0.2 / 4.1) === |
=== [[limera1n]] / (4.0 / 4.0.1 / 4.0.2 / 4.1) === |
||
| + | * uses different common exploits |
||
* [[Packet Filter Kernel Exploit]] |
* [[Packet Filter Kernel Exploit]] |
||
=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) === |
=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) === |
||
| + | * uses different common exploits |
||
* [[Packet Filter Kernel Exploit]] |
* [[Packet Filter Kernel Exploit]] |
||
=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) === |
=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) === |
||
| + | * uses different common exploits |
||
* [[HFS Legacy Volume Name Stack Buffer Overflow]] |
* [[HFS Legacy Volume Name Stack Buffer Overflow]] |
||
=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) === |
=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) === |
||
| − | * [[T1 Font Integer Overflow]] (CVE-2011-0226) |
+ | * [[T1 Font Integer Overflow]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0226 CVE-2011-0226]) |
* [[HFS Legacy Volume Name Stack Buffer Overflow]] |
* [[HFS Legacy Volume Name Stack Buffer Overflow]] |
||
=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) === |
=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) === |
||
Except for the [[n18ap|iPod touch 3G]] on iOS 4.3.1. |
Except for the [[n18ap|iPod touch 3G]] on iOS 4.3.1. |
||
| − | * [[T1 Font Integer Overflow]] (CVE-2011-0226) |
+ | * [[T1 Font Integer Overflow]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0226 CVE-2011-0226]) |
| − | * [[IOMobileFrameBuffer Privilege Escalation Exploit]] (CVE-2011-0227) |
+ | * [[IOMobileFrameBuffer Privilege Escalation Exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0227 CVE-2011-0227]) |
=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) === |
=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) === |
||
* [[ndrv_setspec() Integer Overflow]] |
* [[ndrv_setspec() Integer Overflow]] |
||
| − | == |
+ | == Programs which are used in order to jailbreak 5.x == |
| + | === [[unthredera1n]] (5.0 / 5.0.1 / 5.1 / 5.1.1) === |
||
| + | Except for the [[iPad 3]] |
||
| + | * MobileBackup2 Copy Exploit |
||
| + | * a new Packet Filter Kernel Exploit ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3728 CVE-2012-3728]) |
||
| + | * [[AMFID code signing evasion]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0977 CVE-2013-0977]) |
||
| + | * [[launchd.conf untether]] |
||
| + | * [[Timezone Vulnerability]] |
||
| + | |||
=== [[Absinthe]] (5.0 on [[n94ap|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) === |
=== [[Absinthe]] (5.0 on [[n94ap|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) === |
||
| − | * [[Racoon String Format Overflow Exploit]] (CVE-2012-0646 |
+ | * [[Racoon String Format Overflow Exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0646 CVE-2012-0646])(used both for payload injection and untether) |
| − | * [[HFS Heap Overflow]] (CVE-2012-0642) |
+ | * [[HFS Heap Overflow]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0642 CVE-2012-0642]) |
| + | * [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0643 CVE-2012-0643] |
||
| − | * CVE-2012-0643 |
||
=== [[Corona|Corona Untether]] (5.0.1) === |
=== [[Corona|Corona Untether]] (5.0.1) === |
||
| − | * [[Racoon String Format Overflow Exploit]] (CVE-2012-0646) |
+ | * [[Racoon String Format Overflow Exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0646 CVE-2012-0646]) |
| − | * [[HFS Heap Overflow]] (CVE-2012-0642) |
+ | * [[HFS Heap Overflow]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0642 CVE-2012-0642]) |
| + | * [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0643 CVE-2012-0643] |
||
| − | * CVE-2012-0643 |
||
=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) === |
=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) === |
||
{{Section Stub}} |
{{Section Stub}} |
||
| − | * a new Packet Filter Kernel Exploit (CVE-2012-3728) |
+ | * a new Packet Filter Kernel Exploit ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3728 CVE-2012-3728]) |
| − | * Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727) |
+ | * Racoon DNS4/WINS4 table buffer overflow ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3727 CVE-2012-3727]) |
| + | * MobileBackup2 Copy Exploit |
||
| − | == |
+ | == Programs which are used in order to jailbreak 6.x == |
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) === |
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) === |
||
| − | * [[Symbolic Link Vulnerability]] (CVE-2013-0979) |
+ | * [[Symbolic Link Vulnerability]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0979 CVE-2013-0979]) |
* [[Timezone Vulnerability]] |
* [[Timezone Vulnerability]] |
||
| − | * [[Shebang Trick]] (CVE-2013-5154) |
+ | * [[Shebang Trick]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5154 CVE-2013-5154]) |
| − | * [[AMFID code signing evasion]] (CVE-2013-0977) |
+ | * [[AMFID code signing evasion]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0977 CVE-2013-0977]) |
* [[launchd.conf untether]] |
* [[launchd.conf untether]] |
||
| − | * [[IOUSBDeviceFamily Vulnerability]] (CVE-2013-0981) |
+ | * [[IOUSBDeviceFamily Vulnerability]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0981 CVE-2013-0981]) |
| − | * [[ARM Exception Vector Info Leak]] (CVE-2013-0978) |
+ | * [[ARM Exception Vector Info Leak]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0978 CVE-2013-0978]) |
* [[dynamic memmove() locating]] |
* [[dynamic memmove() locating]] |
||
* [[vm_map_copy_t corruption for arbitrary memory disclosure]] |
* [[vm_map_copy_t corruption for arbitrary memory disclosure]] |
||
| Line 90: | Line 114: | ||
=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) === |
=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) === |
||
| − | * [[posix_spawn kernel information leak]] (CVE-2013- |
+ | * [[posix_spawn kernel information leak]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3954 CVE-2013-3954]) (by [[i0n1c]]) |
| − | * [[posix_spawn kernel exploit]] (CVE-2013-3954) (by [[i0n1c]]) |
+ | * [[posix_spawn kernel exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3954 CVE-2013-3954]) (by [[i0n1c]]) |
| − | * [[mach_msg_ool_descriptor_ts for heap shaping]] |
+ | * [[mach_msg_ool_descriptor_ts for heap shaping]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3953 CVE-2013-3953]) |
* [[AMFID_code_signing_evasi0n7]] |
* [[AMFID_code_signing_evasi0n7]] |
||
* [[DeveloperDiskImage race condition]] (by [[comex]]) |
* [[DeveloperDiskImage race condition]] (by [[comex]]) |
||
* [[launchd.conf untether]] |
* [[launchd.conf untether]] |
||
| − | == |
+ | == Programs which are used in order to jailbreak 7.x == |
{{Section Stub}} |
{{Section Stub}} |
||
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) === |
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) === |
||
| Line 112: | Line 136: | ||
* [[i0n1c]]'s Infoleak vulnerability (Pangu v1.0.0) |
* [[i0n1c]]'s Infoleak vulnerability (Pangu v1.0.0) |
||
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) (Pangu v1.1.0) |
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) (Pangu v1.1.0) |
||
| − | * LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0) (CVE-2014-4388) |
+ | * LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0) ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4388 CVE-2014-4388]) |
| − | * TempSensor kernel exploit (Pangu 1.1.0) ( CVE-2014-4388) |
+ | * TempSensor kernel exploit (Pangu 1.1.0) ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4388 CVE-2014-4388]) |
* "syslogd chown" vulnerability |
* "syslogd chown" vulnerability |
||
* enterprise certificate (no real exploit, used for initial "unsigned" code execution) |
* enterprise certificate (no real exploit, used for initial "unsigned" code execution) |
||
| − | * "foo_extracted" symlink vulnerability (used to write to /var) (CVE-2014-4386) |
+ | * "foo_extracted" symlink vulnerability (used to write to /var) ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4386 CVE-2014-4386]) |
* /tmp/bigfile (a big file for improvement of the reliability of a race condition) |
* /tmp/bigfile (a big file for improvement of the reliability of a race condition) |
||
* VoIP backgrounding trick (used to auto restart the app) |
* VoIP backgrounding trick (used to auto restart the app) |
||
* hidden segment attack |
* hidden segment attack |
||
| + | * [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4407 CVE-2014-4407] |
||
| − | * CVE-2014-4407 |
||
| − | == |
+ | == Programs which are used in order to jailbreak 8.x == |
{{Section Stub}} |
{{Section Stub}} |
||
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) === |
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) === |
||
| Line 129: | Line 153: | ||
* a kind of dylib injection into a system process (see IPA) |
* a kind of dylib injection into a system process (see IPA) |
||
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking) |
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking) |
||
| − | * a sandboxing problem in debugserver (CVE-2014-4457) |
+ | * a sandboxing problem in debugserver ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4457 CVE-2014-4457]) |
| − | * the same/a similar kernel exploit as used in [[Pangu]] (CVE-2014-4461) (source @iH8sn0w) |
+ | * the same/a similar kernel exploit as used in [[Pangu|the first Pangu]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4461 CVE-2014-4461]) (source @iH8sn0w) |
* enable-dylibs-to-override-cache |
* enable-dylibs-to-override-cache |
||
| + | * [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4455 CVE-2014-4455] |
||
| − | * CVE-2014-4455 |
||
=== [[TaiG]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1) === |
=== [[TaiG]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1) === |
||
Revision as of 22:13, 6 December 2014
Contents
- 1 Jailbreak Exploits
- 1.1 Common exploits which are used in order to jailbreak different versions of iOS
- 1.2 Programs which are used in order to jailbreak different versions of iOS
- 1.3 Programs which are used in order to jailbreak 3.x
- 1.4 Programs which are used in order to jailbreak 4.x
- 1.4.1 JailbreakMe 2.0 / Star (4.0 / 4.0.1)
- 1.4.2 limera1n / (4.0 / 4.0.1 / 4.0.2 / 4.1)
- 1.4.3 greenpois0n (4.1)
- 1.4.4 greenpois0n (4.2.1)
- 1.4.5 JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)
- 1.4.6 JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)
- 1.4.7 i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)
- 1.5 Programs which are used in order to jailbreak 5.x
- 1.6 Programs which are used in order to jailbreak 6.x
- 1.7 Programs which are used in order to jailbreak 7.x
- 1.8 Programs which are used in order to jailbreak 8.x
Jailbreak Exploits
Common exploits which are used in order to jailbreak different versions of iOS
- Pwnage + Pwnage 2.0 (together to jailbreak the iPhone 3G)
- ARM7 Go (from iOS 2.1.1) (for tethered jailbreak on iPod touch 2G)
- 0x24000 Segment Overflow (for untethered jailbreak on iPhone 3GS with old bootrom and iPod touch 2G with old bootrom; another exploit as the limera1n Exploit is required)
- limera1n Exploit (for tethered jailbreak on iPhone 3GS, iPod touch 3G, iPad, iPhone 4, iPod touch 4G and Apple TV 2G)
- usb_control_msg(0xA1, 1) Exploit (also known as "steaks4uce") (for tethered jailbreak on iPod touch 2G)
Programs which are used in order to jailbreak different versions of iOS
PwnageTool (2.0 - 5.1.1)
- uses different common exploits
- uses the exploits listed below to untether up to iOS 5.1.1
redsn0w (3.0 - 6.0)
- uses different common exploits
- uses the same exploits as Absinthe and Absinthe 2.0 to jailbreak iOS 5.0/5.0.1 and 5.1.1
- uses the exploits listed below to untether up to iOS 5.1.1
sn0wbreeze (3.1.3 - 6.1.3)
- uses different common exploits
- uses the exploits listed below to untether up to iOS 6.1.2
Programs which are used in order to jailbreak 3.x
purplera1n (3.0 / 3.0.1)
blackra1n (3.1.2)
Spirit (3.1.2 / 3.1.3 / 3.2)
JailbreakMe 2.0 / Star (3.1.2 / 3.1.3 / 3.2 / 3.2.1)
- Malformed CFF Vulnerability (CVE-2010-1797)
- Incomplete Codesign Exploit
- IOSurface Kernel Exploit (CVE-2010-2973)
limera1n / greenpois0n (3.2.2)
- uses different common exploits
- Packet Filter Kernel Exploit
Programs which are used in order to jailbreak 4.x
JailbreakMe 2.0 / Star (4.0 / 4.0.1)
- Malformed CFF Vulnerability (CVE-2010-1797)
- Incomplete Codesign Exploit
- IOSurface Kernel Exploit (CVE-2010-2973)
limera1n / (4.0 / 4.0.1 / 4.0.2 / 4.1)
- uses different common exploits
- Packet Filter Kernel Exploit
greenpois0n (4.1)
- uses different common exploits
- Packet Filter Kernel Exploit
greenpois0n (4.2.1)
- uses different common exploits
- HFS Legacy Volume Name Stack Buffer Overflow
JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)
JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)
Except for the iPod touch 3G on iOS 4.3.1.
- T1 Font Integer Overflow (CVE-2011-0226)
- IOMobileFrameBuffer Privilege Escalation Exploit (CVE-2011-0227)
i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)
Programs which are used in order to jailbreak 5.x
unthredera1n (5.0 / 5.0.1 / 5.1 / 5.1.1)
Except for the iPad 3
- MobileBackup2 Copy Exploit
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- AMFID code signing evasion (CVE-2013-0977)
- launchd.conf untether
- Timezone Vulnerability
Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)
- Racoon String Format Overflow Exploit (CVE-2012-0646)(used both for payload injection and untether)
- HFS Heap Overflow (CVE-2012-0642)
- CVE-2012-0643
Corona Untether (5.0.1)
- Racoon String Format Overflow Exploit (CVE-2012-0646)
- HFS Heap Overflow (CVE-2012-0642)
- CVE-2012-0643
Absinthe 2.0 and Rocky Racoon Untether (5.1.1)
This section is a stub; it is incomplete. Please add more content to this section and remove this tag.
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)
- MobileBackup2 Copy Exploit
Programs which are used in order to jailbreak 6.x
evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)
- Symbolic Link Vulnerability (CVE-2013-0979)
- Timezone Vulnerability
- Shebang Trick (CVE-2013-5154)
- AMFID code signing evasion (CVE-2013-0977)
- launchd.conf untether
- IOUSBDeviceFamily Vulnerability (CVE-2013-0981)
- ARM Exception Vector Info Leak (CVE-2013-0978)
- dynamic memmove() locating
- vm_map_copy_t corruption for arbitrary memory disclosure
- kernel memory write via ROP gadget
p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)
- posix_spawn kernel information leak (CVE-2013-3954) (by i0n1c)
- posix_spawn kernel exploit (CVE-2013-3954) (by i0n1c)
- mach_msg_ool_descriptor_ts for heap shaping (CVE-2013-3953)
- AMFID_code_signing_evasi0n7
- DeveloperDiskImage race condition (by comex)
- launchd.conf untether
Programs which are used in order to jailbreak 7.x
This section is a stub; it is incomplete. Please add more content to this section and remove this tag.
evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)
Geeksn0w (7.1 / 7.1.1 / 7.1.2)
- limera1n's bootrom exploit (Tethered jailbreak) on iPhone 4
Pangu (7.1 / 7.1.1 / 7.1.2)
- i0n1c's Infoleak vulnerability (Pangu v1.0.0)
- break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
- LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0) (CVE-2014-4388)
- TempSensor kernel exploit (Pangu 1.1.0) (CVE-2014-4388)
- "syslogd chown" vulnerability
- enterprise certificate (no real exploit, used for initial "unsigned" code execution)
- "foo_extracted" symlink vulnerability (used to write to /var) (CVE-2014-4386)
- /tmp/bigfile (a big file for improvement of the reliability of a race condition)
- VoIP backgrounding trick (used to auto restart the app)
- hidden segment attack
- CVE-2014-4407
Programs which are used in order to jailbreak 8.x
This section is a stub; it is incomplete. Please add more content to this section and remove this tag.
Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)
- an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
- enterprise certificate (inside the IPA)
- a kind of dylib injection into a system process (see IPA)
- a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
- a sandboxing problem in debugserver (CVE-2014-4457)
- the same/a similar kernel exploit as used in the first Pangu (CVE-2014-4461) (source @iH8sn0w)
- enable-dylibs-to-override-cache
- CVE-2014-4455
TaiG (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1)
- LightSensor / ProxALSSensor kernel exploit (Also used in Pangu 1.0.0)
- DeveloperDiskImage race condition (by comex) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn)
- enable-dylibs-to-override-cache (Also used in Pangu8)
- a kind of dylib injection into a system process (see IPA) (Also used in Pangu8 but tweaked slightly)
