Jailbreak Exploits

This page lists the exploits used in jailbreaks, grouped by the iOS version they target.

1.0.2

 * Restore Mode (iBoot had a command named, which had access to the whole filesystem)

1.1.1

 * Symlinks (an upgrade jailbreak)
 * libtiff exploit (Adapted from the PSP scene, used by JailbreakMe)

1.1.2

 * Mknod (an upgrade jailbreak)

1.1.3 / 1.1.4 / 1.1.5

 * Soft Upgrade (an upgrade jailbreak)
 * Ramdisk Hack
 * Dual Boot Exploit - Works up to iOS 2.0 beta 3
 * diags - Works up to iOS 2.0 beta 5

2.0 / 2.0.1 / 2.0.2 / 2.1

 * Pwnage + Pwnage 2.0

2.1.1

 * ARM7 Go (tethered jailbreak)

2.2

 * Pwnage + Pwnage 2.0 (iPhone, iPod touch, and iPhone 3G)

2.2.1

 * Pwnage + Pwnage 2.0 (iPhone, iPod touch, and iPhone 3G)
 * 0x24000 Segment Overflow + ARM7 Go (from iOS 2.1.1) (iPod touch 2G)

3.0 / 3.0.1

 * Pwnage + Pwnage 2.0 (iPhone, iPod touch, and iPhone 3G)
 * ARM7 Go (from iOS 2.1.1) + 0x24000 Segment Overflow (iPod touch 2G)
 * Pwnage + iBoot Environment Variable Overflow (iPhone, iPod touch, and iPhone 3G)
 * 0x24000 Segment Overflow + iBoot Environment Variable Overflow (iPod touch 2G and iPhone 3GS)

3.1 / 3.1.1

 * Pwnage + Pwnage 2.0 (together for untethered jailbreak on iPhone, iPod touch, and iPhone 3G)
 * usb_control_msg(0x21, 2) Exploit (tethered jailbreak on iPod touch 2G new bootrom, iPhone 3GS new bootrom, and iPod touch 3G)
 * 0x24000 Segment Overflow + usb_control_msg(0x21, 2) Exploit (iPod touch 2G old bootrom and iPhone 3GS old bootrom)

3.1.2

 * Pwnage + Pwnage 2.0 (together for untethered jailbreak on iPhone, iPod touch, and iPhone 3G)
 * usb_control_msg(0x21, 2) Exploit (tethered jailbreak on iPod touch 2G new bootrom, iPhone 3GS new bootrom, and iPod touch 3G)
 * 0x24000 Segment Overflow + usb_control_msg(0x21, 2) Exploit (iPod touch 2G old bootrom and iPhone 3GS old bootrom)
 * MobileBackup Copy Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (all devices, used in Spirit)
 * Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (all devices, used in Star)

3.1.3

 * Pwnage + Pwnage 2.0 (together for untethered jailbreak on iPhone, iPod touch, and iPhone 3G)
 * 0x24000 Segment Overflow + Limera1n Exploit (iPhone 3GS old bootrom, used in sn0wbreeze)
 * 0x24000 Segment Overflow + usb_control_msg(0xA1, 1) Exploit (iPod touch 2G old bootrom, used in sn0wbreeze)
 * usb_control_msg(0xA1, 1) Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (iPod touch 2G new bootrom, used in sn0wbreeze)
 * Limera1n Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (iPod touch 3G and iPhone 3GS new bootrom, used in sn0wbreeze)
 * MobileBackup Copy Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (all devices, used in Spirit)
 * Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (all devices, used in Star)

3.2

 * MobileBackup Copy Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (all devices, used in Spirit)
 * Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (iPad, used in Star)
 * Limera1n Exploit + Incomplete Codesign Exploit + BPF_STX Kernel Write Exploit (iPad, used in sn0wbreeze 2.9.x)

3.2.1

 * Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (iPad, used in Star)
 * Limera1n Exploit + Incomplete Codesign Exploit + IOSurface Kernel Exploit (iPad, used in sn0wbreeze 2.9.x)

3.2.2

 * Limera1n Exploit + Packet Filter Kernel Exploit (iPad)

4.0 / 4.0.1

 * Pwnage + Pwnage 2.0 (iPhone 3G)
 * 0x24000 Segment Overflow (iPod touch 2G and iPhone 3GS devices with older bootroms)
 * Malformed CFF Vulnerability + Incomplete Codesign Exploit + IOSurface Kernel Exploit (all devices, used in Star)
 * Limera1n Exploit + Packet Filter Kernel Exploit (iPhone 3GS new bootrom, iPod touch 3G, iPhone 4 (iPhone3,1))

4.0.2

 * Pwnage + Pwnage 2.0 (iPhone 3G)
 * ARM7 Go (from iOS 2.1.1) + 0x24000 Segment Overflow (iPod touch 2G)
 * 0x24000 Segment Overflow (iPhone 3GS)
 * limera1n's bootrom exploit + Packet Filter Kernel Exploit (iPhone 3GS new bootrom, iPod touch 3G, iPhone 4 (iPhone3,1), and iPod touch 4G)

4.1

 * Pwnage + Pwnage 2.0 (together to jailbreak the iPhone 3G)
 * ARM7 Go (from iOS 2.1.1) + 0x24000 Segment Overflow (together for untethered jailbreak on iPod touch 2G old bootrom)
 * limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS old bootrom)
 * limera1n's bootrom exploit + Packet Filter Kernel Exploit (together for untethered jailbreak on iPhone 3GS new bootrom, iPod touch 3G, iPhone 4 (iPhone3,1), iPod touch 4G, and Apple TV 2G)
 * usb_control_msg(0xA1, 1) Exploit + Packet Filter Kernel Exploit (together for untethered jailbreak on iPod touch 2G)

4.2.1

 * Pwnage + Pwnage 2.0 (together to jailbreak the iPhone 3G)
 * ARM7 Go (from iOS 2.1.1) + 0x24000 Segment Overflow (together for untethered jailbreak on iPod touch 2G old bootrom)
 * limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS old bootrom)
 * limera1n's bootrom exploit + HFS Legacy Volume Name Stack Buffer Overflow (together for untethered jailbreak on iPhone 3GS new bootrom, iPod touch 3G, iPad, iPhone 4 (iPhone3,1), iPod touch 4G, and Apple TV 2G)
 * usb_control_msg(0xA1, 1) Exploit + HFS Legacy Volume Name Stack Buffer Overflow (together for untethered jailbreak on iPod touch 2G)

4.2.6 / 4.2.7 / 4.2.8

 * limera1n's bootrom exploit + HFS Legacy Volume Name Stack Buffer Overflow (together for untethered jailbreak on iPhone 4 (iPhone3,3))
 * T1 Font Integer Overflow (used for Saffron)

4.2.9 / 4.2.10

 * limera1n's bootrom exploit (tethered jailbreak on iPhone 4 (iPhone3,3))

4.3

 * limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS old bootrom)
 * limera1n's bootrom exploit (tethered jailbreak on iPhone 3GS new bootrom, iPod touch 3G, iPad, iPhone 4 (iPhone3,1), iPod touch 4G, and Apple TV 2G)
 * T1 Font Integer Overflow (used for Saffron)

4.3.1 / 4.3.2 / 4.3.3

 * limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS old bootrom)
 * limera1n's bootrom exploit + ndrv_setspec Integer Overflow (together for untethered jailbreak on iPhone 3GS new bootrom, iPod touch 3G, iPad, iPhone 4 (iPhone3,1), and iPod touch 4G)
 * T1 Font Integer Overflow (used for Saffron)

4.3.4 / 4.3.5

 * limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
 * limera1n's bootrom exploit (tethered jailbreak on iPhone 3GS with new bootrom, iPod touch 3G, iPad, iPhone 4 (iPhone3,1), and iPod touch 4G)

5.0

 * limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
 * limera1n's bootrom exploit (tethered jailbreak on iPhone 3GS with new bootrom, iPod touch 3G, iPad, iPhone 4, and iPod touch 4G)
 * Racoon String Format Overflow Exploit (used both for payload injection and untether) + HFS Heap Overflow (iPhone 4S only)

5.0.1

 * limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
 * limera1n's bootrom exploit + Racoon String Format Overflow Exploit + HFS Heap Overflow (on iPhone 3GS with new bootrom, iPod touch 3G, iPad, iPhone 4, and iPod touch 4G)
 * Racoon String Format Overflow Exploit (used both for payload injection and untether) + HFS Heap Overflow (iPad 2 and iPhone 4S, used in Absinthe)

5.1

 * limera1n's bootrom exploit (tethered jailbreak on iPhone 3GS with new bootrom, iPod touch 3G, iPad, iPhone 4, and iPod touch 4G)
 * limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)

5.1.1

 * limera1n Exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
 * limera1n Exploit + Rocky Racoon (together for untethered jailbreak on iPhone 3GS with new bootrom, iPhone 4, iPod touch 3G, and iPod touch 4G)

6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2

 * limera1n's bootrom exploit (tethered jailbreak on iPhone 3GS with new bootrom, iPhone 4, and iPod touch 4G)
 * limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
 * Symbolic Link Vulnerability
 * Timezone Vulnerability
 * Shebang Trick
 * AMFID code signing evasion
 * launchd.conf untether
 * IOUSBDeviceFamily Vulnerability
 * ARM Exception Vector Info Leak
 * dynamic memmove locating
 * vm_map_copy_t corruption for arbitrary memory disclosure
 * kernel memory write via ROP gadget

6.1.3 / 6.1.4 / 6.1.5 / 6.1.6

 * posix_spawn kernel information leak (by i0n1c)
 * posix_spawn kernel exploit (CVE-2013-3954) (by i0n1c)
 * mach_msg_ool_descriptor_ts for heap shaping
 * AMFID_code_signing_evasi0n7
 * DeveloperDiskImage race condition (by comex)
 * launchd.conf untether

7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6

 * CVE-2013-5133
 * CVE-2014-1272
 * CVE-2014-1273
 * CVE-2014-1278
 * Symbolic Link Vulnerability

7.1 / 7.1.1 / 7.1.2

Geeksn0w

 * limera1n's bootrom exploit (tethered jailbreak on iPhone 4)

Pangu

 * i0n1c's Infoleak vulnerability (Pangu v1.0.0)
 * break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
 * LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0)
 * TempSensor kernel exploit (Pangu 1.1.0)
 * "syslogd chown" vulnerability
 * enterprise certificate (no real exploit, used for initial "unsigned" code execution)
 * "foo_extracted" symlink vulnerability (used to write to /var)
 * /tmp/bigfile (a big file for improvement of the reliability of a race condition)
 * VoIP backgrounding trick (used to auto restart the app)
 * hidden segment attack

8.0 / 8.0.1 / 8.0.2 / 8.1

Pangu8

 * an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
 * enterprise certificate (inside the IPA)
 * a kind of dylib injection into a system process (see IPA)
 * a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
 * a sandboxing problem in debugserver (CVE-2014-4457)
 * the same/a similar kernel exploit as used in Pangu (CVE-2014-4461) (source @iH8sn0w)
 * enable-dylibs-to-override-cache
 * CVE-2014-4455

TaiG

 * LightSensor / ProxALSSensor kernel exploit (Also used in Pangu 1.0.0)
 * a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking) (Also used in Pangu8)
 * enable-dylibs-to-override-cache (Also used in Pangu8)
 * a kind of dylib injection into a system process (see IPA) (Also used in Pangu8 but tweaked slightly)

8.1.1

 * LightSensor / ProxALSSensor kernel exploit (Also used in Pangu 1.0.0)
 * DeveloperDiskImage race condition (by comex) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn)
 * enable-dylibs-to-override-cache (Also used in Pangu8)
 * a kind of dylib injection into a system process (see IPA) (Also used in Pangu8 but tweaked slightly)