Original author(s) | evad3rs |
---|---|
Developer(s) | evad3rs |
Initial release | 4 February 2013 |
Stable release | 1.5.3 / 12 March 2013 |
Written in | C |
Operating system | Windows / OS X / Linux |
Size | Windows: 9.974 MiB [ZIP] OS X: 9.481 MiB [DMG] Linux: 9.405 MiB [TAR.LZMA] |
Available in | English |
Type | Jailbreaking |
License | Freeware |
Website | evasi0n.com/iOS6 |
evasi0n is a jailbreak tool that performs an untethered jailbreak of iOS 6.0-6.1.2 on all supported devices, excluding both Apple TV (3rd generation) revisions. It was first released on 4 February 2013 by evad3rs and is available for Windows, Mac OS X, and Linux (x86 and x86_64). There is also a Cydia package called "evasi0n iOS 6.0-6.1.2 untether", which can untether an existing tethered jailbreak without the need to restore and use the desktop tool. It is a userland jailbreak. P0sixninja released the source code, with an announcement on Twitter, on 9 September 2017.
Supported Devices
As of evasi0n's release, the only unsupported devices are the Apple TV (3rd generation) revisions, since the kernels on these devices lack an injection vector to run unsigned code. All other devices running iOS 6.0-6.1.2 are supported (including iOS 5.2 for the Apple TV (2nd generation)).
Cydia Package
The Cydia package contains just three files:
- /private/var/evasi0n/amfi.dylib
- /private/var/evasi0n/evasi0n
- /usr/libexec/dirhelper
It also includes three Debian maintenance scripts: prerm (a bash script that cancels uninstallation if the device is not vulnerable to limera1n), as well as postrm and extrainst_ binaries.
Version History
Version | Cydia Package Version | Release Date | # | SHA-1 of evasi0n binary | Changes |
---|---|---|---|---|---|
1.0 | 0.1-1 | 4 February 2013 | 1 | f16f4592e5d65927faf98a25bce51b22ee9bc831 | |
1.1 | 0.2-3 | 6 February 2013 | 2 | 301003d8aa58a0a2e1bf7030bb903ca42a89c851 | |
1.2 | 0.3-1 | 8 February 2013 | 3 | 75d140c53bdd615cc279932f843ab3af584086a5 | |
1.3 | 0.3-2 | 11 February 2013 | 4 | ff5a5e767acb4c9acf9a25555ae172ad254e596a | |
1.4 | 0.3-3 | 19 February 2013 | 5 | 3b2cc5e2d7be397c09d369e83ea52094250d86e9 | |
1.5 | 0.4-1 | 23 February 2013 | 6 | cd5a71b4d0b2767294049cc6b3b2ce3e09d68445 | |
1.5.1 | | 5 March 2013 | 7 | 1a826416932e77f24c94da17884e48ccfe7cdbf6 | |
1.5.2 | 0.4.1-1 | 11 March 2013 | 8 | 3e89337956189e6654cd359995ac550f0372ac8b | |
1.5.3 | | 12 March 2013 | 9 | 3e89337956189e6654cd359995ac550f0372ac8b | |
Download
Version | OS | SHA-1 Hash | Download |
---|---|---|---|
1.0 | GNU/Linux | c9e4b15a161b89f0e412721f471c5f8559b6054f | Google Sites [dead link], Box [dead link], MEGA, RapidShare [Archived 2013-05-11 at the Wayback Machine] |
1.0 | Mac OS X | 23f99a0d65e71fd79ff072b227f0ecb176f0ffa8 | Google Sites [dead link], Box [dead link], MEGA, RapidShare [Archived 2013-05-11 at the Wayback Machine] |
1.0 | Windows | 2ff288e1798b4711020e9dd7f26480e57704d8b2 | Google Sites [dead link], Box [dead link], MEGA, RapidShare [Archived 2013-05-11 at the Wayback Machine] |
1.1 | GNU/Linux | 6c06a6be87e003eee470eb749b42ffbaafcc9e62 | Google Sites [dead link], Box [dead link], MEGA, RapidShare [Archived 2013-05-01 at the Wayback Machine] |
1.1 | Mac OS X | ae9d20bc927976a1f55089cd80afca48de0f7a2e | Google Sites [dead link], Box [dead link], MEGA, RapidShare [Archived 2013-05-01 at the Wayback Machine] |
1.1 | Windows | 4225b01afd4a4fd1277565954964bd3310ad8b5f | Google Sites [dead link], Box [dead link], MEGA, RapidShare [Archived 2013-05-01 at the Wayback Machine] |
1.2 | GNU/Linux | 2e1d1f6c7e6ca775860df03298dce3b0d798658a | Google Sites [dead link], Box [dead link], MEGA, RapidShare [Archived 2013-03-15 at the Wayback Machine] |
1.2 | Mac OS X | 8f91aba478ad28bda800dc5c303be1699fcfb800 | Google Sites [dead link], Box [dead link], MEGA, RapidShare [Archived 2015-04-05 at the Wayback Machine] |
1.2 | Windows | 9942559caf779da6526b9fd0e207d21554a8a9cf | Google Sites [dead link], Box [dead link], MEGA, RapidShare [Archived 2015-03-30 at the Wayback Machine] |
1.3 | GNU/Linux | d93bc45653345e62a315e0a0aaa1b709aacd26c4 | Google Sites [dead link], Box [dead link], MEGA, RapidShare [Archived 2013-02-18 at the Wayback Machine] |
1.3 | Mac OS X | c239da3fd4e312c8468cdca967c86962b2cbd3f9 | Google Sites [dead link], Box [dead link], MEGA, RapidShare [dead link] |
1.3 | Windows | 92bbe23f125f3b0155334f1925943624e24ce130 | Google Sites [dead link], Box [dead link], MEGA, RapidShare [Archived 2013-10-22 at the Wayback Machine] |
1.4 | GNU/Linux | 95c34e7a7220d2dab2e93cf9bb62beb49aef8996 | Google Sites [dead link], Box [dead link], MEGA |
1.4 | Mac OS X | 96b62f303e335bb5c6b78034027606fee5fc93c3 | Google Sites [dead link], Box [dead link], MEGA |
1.4 | Windows | 36adf9ccf62aaf770163666e757c7a89e9ba3a55 | Google Sites [dead link], Box [dead link], MEGA |
1.5 | GNU/Linux | 923db21a9045df6aaaff27670be92330f4855a21 | Google Sites [dead link], Box [dead link], MEGA |
1.5 | Mac OS X | cccf7e5b4a83df8c05dcfed98b9627533c018541 | Google Sites [dead link], Box [dead link], MEGA |
1.5 | Windows | 25799bbeea3733c26fb010e6aca432d686fd8f9f | Google Sites [dead link], Box [dead link], MEGA |
1.5.1 | GNU/Linux | cc0bd166a1480c2a838584b201981db1e45ca411 | Box [dead link], MEGA |
1.5.1 | Mac OS X | 4a0e9fb8b5f83fbee5e26d1d7db876cefd09832a | Box [dead link], MEGA |
1.5.1 | Windows | a220bb5fb1ccf5cf1cb666dc03e20ac54890835d | Box [dead link], MEGA |
1.5.2 | GNU/Linux | 97fbeb932dd3cb22ec339ec4c2f95a17d570d30c | Box [dead link], RapidShare [dead link] |
1.5.2 | Mac OS X | 051079f808f5c31f32ba09c6a39f09a8c3479157 | Box [dead link], RapidShare [dead link] |
1.5.2 | Windows | 30d34e23f860eae28d4ae6513edc46ef8aa2042c | Box [dead link], RapidShare [dead link] |
1.5.3 | GNU/Linux | 620dcb7996b1f3497827b11876bf0c2fae069ecf | Box [dead link], MEGA, RapidShare [Archived 2013-03-16 at the Wayback Machine] |
1.5.3 | Mac OS X | 54827d78cb45b7dae4e7566b9ed5c1b833d68850 | Box [dead link], MEGA, RapidShare [Archived 2013-05-17 at the Wayback Machine] |
1.5.3 | Windows | 2f8c2f111a6afefd099ecb0ce5aab63f160940b8 | Box [dead link], MEGA, RapidShare [Archived 2013-04-30 at the Wayback Machine] |
Exploits and Vulnerabilities
evasi0n takes advantage of several vulnerabilities:
- Symbolic Link Vulnerability
- Malformed PairRequest
- Timezone Vulnerability (CVE-2013-0979)
- Shebang Trick
- AMFID code signing evasion
- launchd.conf untether
- IOUSBDeviceFamily Vulnerability (CVE-2013-0981)
- ARM Exception Vector Info Leak (CVE-2013-0978)
- dynamic memmove() locating
- vm_map_copy_t corruption for arbitrary memory disclosure
- kernel memory write via ROP gadget
- Overlapping Segment Attack (CVE-2013-0977)
Symbols in Untether code
Symbol | v1 | v2 | v3 | v4 | v5 | v6 | v7 | v8/9 |
---|---|---|---|---|---|---|---|---|
start | 020B0 | 02EF8 | 02BFC | 02BFC | 02BFC | 02E30 | ? | 02A80 |
find_memmove_arm#search | ? | ? | ? | ? | ? | 0AFA0 | ? | ? |
find_memmove_thumb#search | ? | ? | ? | ? | ? | 0AFD0 | ? | ? |
find_memmove | ? | ? | ? | ? | ? | 0571C | ? | ? |
find_memmove#exit | ? | ? | ? | ? | ? | 05762 | ? | ? |
_catch_exception_raise_state_identity | ? | ? | ? | ? | ? | ? | ? | 065B8 |
See Also
External Links
- Accuvant Labs analysis [Archived 2013-12-27 at the Wayback Machine]
- Analysis by kernelpool
- kernelpool presentation at NISlab: slides
- kernelpool presentation at NISlab: video
- Explanation by planetbeing in Forbes
- Hopper script to demangle evasi0n strings in the Mac client of evasi0n, for use in the Hopper disassembler
- Apple Response: iOS 6.1.3 Security Fixes
- Apple Response: iOS 5.2.1 (Apple TV) Security Fixes
- Slides from HITB presentation in Amsterdam 2013
- Quarkslab blog post describing how evasi0n bypasses code signing [Archived 2013-09-03 at the Wayback Machine]
- Announcement for public release of source
- Public source code