Jailbreak Exploits

This page lists the exploits used in jailbreaks.

Common exploits which are used in order to jailbreak different versions of iOS

 * Pwnage + Pwnage 2.0 (together to jailbreak the iPhone 3G)
 * ARM7 Go (from iOS 2.1.1) (for tethered jailbreak on iPod touch 2G)
 * 0x24000 Segment Overflow (for untethered jailbreak on iPhone 3GS with old bootrom and iPod touch 2G with old bootrom; another exploit as the limera1n Exploit is required)
 * limera1n Exploit (for tethered jailbreak on iPhone 3GS, iPod touch 3G, iPad, iPhone 4, iPod touch 4G and Apple TV 2G)
 * usb_control_msg(0xA1, 1) Exploit (also known as "steaks4uce") (for tethered jailbreak on iPod touch 2G)

PwnageTool (2.0 - 5.1.1)

 * uses different common exploits
 * uses the exploits listed below to untether up to iOS 5.1.1

redsn0w (3.0 - 6.0)

 * uses different common exploits
 * uses the same exploits as Absinthe and Absinthe 2.0 to jailbreak iOS 5.0/5.0.1 and 5.1.1
 * uses the exploits listed below to untether up to iOS 5.1.1

sn0wbreeze (3.1.3 - 6.1.3)

 * uses different common exploits
 * uses the exploits listed below to untether up to iOS 6.1.2

AppTapp Installer (1.0 / 1.0.1 / 1.0.2)

 * iBoot -command exploit

iBrickr (1.0 / 1.0.1 / 1.0.2)

 * iBoot -command exploit

AppSnapp/JailbreakMe 1.0 (1.0 / 1.0.1 / 1.0.2 / 1.1.1)

 * libtiff exploit (Adapted from the PSP scene, used by JailbreakMe)

OktoPrep (1.1.2)
"Upgrade" to 1.1.2 from a jailborken 1.1.1
 * mknod

Soft Upgrade (1.1.3)
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

ZiPhone (1.1.3 / 1.1.4 /1.1.5)

 * Ramdisk Hack

QuickPwn (2.0 - 2.2.1)

 * uses Pwnage and Pwnage 2.0

Redsn0w Lite (2.1.1)

 * ARM7 Go (for iPod touch 2G only)

purplera1n (3.0)

 * iBoot Environment Variable Overflow
 * uses 0x24000 Segment Overflow

blackra1n (3.1.2)

 * usb_control_msg(0x21, 2) Exploit
 * uses 0x24000 Segment Overflow

Spirit (3.1.2 / 3.1.3 / 3.2)

 * MobileBackup Copy Exploit
 * Incomplete Codesign Exploit
 * BPF_STX Kernel Write Exploit

JailbreakMe 2.0 / Star (3.1.2 / 3.1.3 / 3.2 / 3.2.1)

 * Malformed CFF Vulnerability
 * Incomplete Codesign Exploit
 * IOSurface Kernel Exploit

limera1n / greenpois0n (3.2.2)

 * uses different common exploits
 * Packet Filter Kernel Exploit

JailbreakMe 2.0 / Star (4.0 / 4.0.1)

 * Malformed CFF Vulnerability
 * Incomplete Codesign Exploit
 * IOSurface Kernel Exploit

limera1n / (4.0 / 4.0.1 / 4.0.2 / 4.1)

 * uses different common exploits
 * Packet Filter Kernel Exploit

greenpois0n (4.1)

 * uses different common exploits
 * Packet Filter Kernel Exploit

greenpois0n (4.2.1)

 * uses different common exploits
 * HFS Legacy Volume Name Stack Buffer Overflow

JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)

 * T1 Font Integer Overflow
 * HFS Legacy Volume Name Stack Buffer Overflow

JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)
Except for the iPod touch 3G on iOS 4.3.1.
 * T1 Font Integer Overflow
 * IOMobileFrameBuffer Privilege Escalation Exploit

i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)
used in redsn0w to untether iOS 4.3.1 / 4.3.2 / 4.3.3
 * ndrv_setspec Integer Overflow

unthredera1n (5.0 / 5.0.1 / 5.1 / 5.1.1)
Except for the iPad 3
 * MobileBackup2 Copy Exploit
 * a new Packet Filter Kernel Exploit
 * AMFID code signing evasion
 * launchd.conf untether
 * Timezone Vulnerability

Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)

 * Racoon String Format Overflow Exploit (used both for payload injection and untether)
 * HFS Heap Overflow
 * unknown exploit

Corona Untether (5.0.1)

 * Racoon String Format Overflow Exploit
 * HFS Heap Overflow
 * unknown exploit

Absinthe 2.0 and Rocky Racoon Untether (5.1.1)

 * a new Packet Filter Kernel Exploit
 * Racoon DNS4/WINS4 table buffer overflow
 * MobileBackup2 Copy Exploit

evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)

 * Symbolic Link Vulnerability
 * Timezone Vulnerability
 * Shebang Trick
 * AMFID code signing evasion
 * launchd.conf untether
 * IOUSBDeviceFamily Vulnerability
 * ARM Exception Vector Info Leak
 * dynamic memmove locating
 * vm_map_copy_t corruption for arbitrary memory disclosure
 * kernel memory write via ROP gadget
 * Overlapping Segment Attack

p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)

 * posix_spawn kernel information leak (by i0n1c)
 * posix_spawn kernel exploit (by i0n1c)
 * mach_msg_ool_descriptor_ts for heap shaping
 * AMFID_code_signing_evasi0n7
 * DeveloperDiskImage race condition (by comex)
 * launchd.conf untether

evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)

 * Symbolic Link Vulnerability
 * AMFID_code_signing_evasi0n7
 * CrashHouseKeeping chmod vulnarability
 * ptmx_get_ioctl ioctl crafted call

Geeksn0w (7.1 / 7.1.1 / 7.1.2)

 * limera1n's bootrom exploit (Tethered jailbreak) on iPhone 4

Pangu (7.1 / 7.1.1 / 7.1.2)

 * Mach-O OSBundleHeaders info leak (Pangu v1.0.0)
 * AppleKeyStore::initUserClient info leak (Pangu >v1.0.0)
 * break_early_random (by i0n1c and Tarjei Mandt of Azimuth)
 * mach_port_kobject exploit - used to recover the permutation value and addresses of kernel objects
 * IOSharedDataQueue notification port overwrite
 * "syslogd chown" vulnerability
 * enterprise certificate (no real exploit, used for initial "unsigned" code execution)
 * "foo_extracted" symlink vulnerability (used to write to /var)
 * /tmp/bigfile (a big file for improvement of the reliability of a race condition)
 * VoIP backgrounding trick (used to auto restart the app)
 * hidden segment attack

Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)

 * an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
 * enterprise certificate (inside the IPA)
 * a kind of dylib injection into a system process (see IPA)
 * a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
 * a sandboxing problem in debugserver
 * mach_port_kobject exploit - used to recover the permutation value and addresses of kernel objects
 * the same kernel exploit as used in the first Pangu (source @iH8sn0w)
 * enable-dylibs-to-override-cache
 * a new ovelapping segment attack
 * Mach-O OSBundleHeaders info leak

TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2)
(See also details at newosxbook.com)
 * A new AFC symlink attack - to get onto the device filesystem
 * DeveloperDiskImage race condition (by comex, also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
 * A new overlapping segment attack [in a modified version], dyld, - negative LC_SEGMENT - to allow libmis and xpcdcache to load
 * libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
 * enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
 * MobileStorageMounter exploit
 * Backup exploit used to access restricted parts of the filesystem

Kernel:


 * Mach-O OSBundleHeaders info leak - leaks slid addresses
 * mach_port_kobject exploit - used to recover the permutation value and addresses of kernel objects
 * IOHIDFamily Kernel exploit - to overwrite memory

TaiG (8.1.3 / 8.2 / 8.3 / 8.4) and PPJailbreak
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
 * DeveloperDiskImage race condition (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
 * enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
 * Symbolic linking to AFC
 * Backup exploit to write to protected regions of the disk
 * Code signing exploit
 * Code signing exploit
 * Code signing exploit
 * Code signing exploit
 * IOHIDFamily exploit
 * Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling

Pangu9 (9.0 / 9.0.1 / 9.0.2)

 * Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI.
 * MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables.
 * IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile.
 * dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency
 * Racing KPP for some of the patches.
 * AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing.