This page lists the exploits used in jailbreaks.
Common exploits[edit]
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.
- Pwnage + Pwnage 2.0 (together to jailbreak the iPhone, iPod touch, and iPhone 3G)
- ARM7 Go (from iOS 2.1.1) (for tethered jailbreak on iPod touch (2nd generation))
- 0x24000 Segment Overflow (for untethered jailbreak on iPhone 3GS with old bootrom and iPod touch (2nd generation) with old bootrom; another exploit as the limera1n Exploit is required)
- limera1n Exploit (for tethered jailbreak on iPhone 3GS, iPod touch (3rd generation), iPad, iPhone 4, iPod touch (4th generation) and Apple TV (2nd generation))
- usb_control_msg(0xA1, 1) Exploit (also known as "steaks4uce") (for tethered jailbreak on iPod touch (2nd generation))
Jailbreak Programs[edit]
PwnageTool (2.0 - 5.1.1)[edit]
- uses different common exploits
- uses the exploits listed below to untether up to iOS 5.1.1
redsn0w (3.0 - 6.0)[edit]
- uses different common exploits
- uses the same exploits as Absinthe and Absinthe 2.0 to jailbreak iOS 5.0/5.0.1 and 5.1.1
- uses the exploits listed below to untether up to iOS 5.1.1
sn0wbreeze (3.1.3 - 6.1.3)[edit]
- uses different common exploits
- uses the exploits listed below to untether up to iOS 6.1.2
Programs used to jailbreak 1.x[edit]
AppTapp Installer (1.0 / 1.0.1 / 1.0.2)[edit]
- iBoot
cp
-command exploit
iBrickr (1.0 / 1.0.1 / 1.0.2)[edit]
- iBoot
cp
-command exploit
AppSnapp/JailbreakMe 1.0 (1.0 / 1.0.1 / 1.0.2 / 1.1.1)[edit]
- libtiff exploit (Adapted from the PSP scene, used by JailbreakMe) (CVE-2006-3459)
OktoPrep (1.1.2)[edit]
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
Soft Upgrade (1.1.3)[edit]
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2
ZiPhone (1.1.3 / 1.1.4 / 1.1.5)[edit]
iLiberty / iLiberty+ (1.1.3 / 1.1.4 / 1.1.5)[edit]
Programs used to jailbreak 2.x[edit]
QuickPwn (2.0 - 2.2.1)[edit]
- uses Pwnage and Pwnage 2.0
Redsn0w Lite (2.1.1)[edit]
- ARM7 Go (for iPod touch (2nd generation) only)
Programs used to jailbreak 3.x[edit]
purplera1n (3.0)[edit]
blackra1n (3.1 / 3.1.1 / 3.1.2)[edit]
Spirit (3.1.2 / 3.1.3 / 3.2)[edit]
JailbreakMe 2.0 / Star (3.1.2 / 3.1.3 / 3.2 / 3.2.1)[edit]
- Malformed CFF Vulnerability (CVE-2010-1797)
- Incomplete Codesign Exploit
- IOSurface Kernel Exploit (CVE-2010-2973)
limera1n / greenpois0n (3.2.2)[edit]
- uses different common exploits
- Packet Filter Kernel Exploit
Programs used to jailbreak 4.x[edit]
JailbreakMe 2.0 / Star (4.0 / 4.0.1)[edit]
- Malformed CFF Vulnerability (CVE-2010-1797)
- Incomplete Codesign Exploit
- IOSurface Kernel Exploit (CVE-2010-2973)
limera1n (4.0 / 4.0.1 / 4.0.2 / 4.1)[edit]
- uses different common exploits
- Packet Filter Kernel Exploit
greenpois0n (4.1)[edit]
- uses different common exploits
- Packet Filter Kernel Exploit
greenpois0n (4.2.1)[edit]
- uses different common exploits
- HFS Legacy Volume Name Stack Buffer Overflow
JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)[edit]
unthredeh4il (4.2.6 - 4.2.10)[edit]
Except for the iPad (3rd generation)
- Symbolic Link Vulnerability
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- AMFID code signing evasion (CVE-2013-0977)
- launchd.conf untether
- Timezone Vulnerability
JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)[edit]
Except for the iPod touch (3rd generation) on iOS 4.3.1.
- T1 Font Integer Overflow (CVE-2011-0226)
- IOMobileFrameBuffer Privilege Escalation Exploit (CVE-2011-0227)
i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)[edit]
used in redsn0w to untether iOS 4.3.1 / 4.3.2 / 4.3.3
unthredeh4il (4.3 - 4.3.5)[edit]
Except for the iPad (3rd generation)
- Symbolic Link Vulnerability
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- AMFID code signing evasion (CVE-2013-0977)
- launchd.conf untether
- Timezone Vulnerability
Programs used to jailbreak 5.x[edit]
Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)[edit]
- Racoon String Format Overflow Exploit (CVE-2012-0646) (used both for payload injection and untether)
- HFS Heap Overflow (CVE-2012-0642)
- unknown exploit (CVE-2012-0643)
Corona Untether (5.0.1)[edit]
- Racoon String Format Overflow Exploit (CVE-2012-0646)
- HFS Heap Overflow (CVE-2012-0642)
- unknown exploit (CVE-2012-0643)
Absinthe 2.0 and Rocky Racoon Untether (5.1.1)[edit]
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)
- Symbolic Link Vulnerability
unthredeh4il (5.0-5.1.1)[edit]
Except for the iPad (3rd generation)
- Symbolic Link Vulnerability
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- AMFID code signing evasion (CVE-2013-0977)
- launchd.conf untether
- Timezone Vulnerability
Programs used to jailbreak 6.x[edit]
evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)[edit]
- Symbolic Link Vulnerability
- Timezone Vulnerability (CVE-2013-0979)
- Shebang Trick (CVE-2013-5154)
- AMFID code signing evasion
- launchd.conf untether
- IOUSBDeviceFamily Vulnerability (CVE-2013-0981)
- ARM Exception Vector Info Leak (CVE-2013-0978)
- dynamic memmove() locating
- vm_map_copy_t corruption for arbitrary memory disclosure
- kernel memory write via ROP gadget
- Overlapping Segment Attack (CVE-2013-0977)
p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)[edit]
- posix_spawn kernel information leak (CVE-2013-3954) (by i0n1c)
- posix_spawn kernel exploit (CVE-2013-3954) (by i0n1c)
- mach_msg_ool_descriptor_ts for heap shaping (CVE-2013-3953)
- AMFID_code_signing_evasi0n7 (CVE-2014-1273)
- DeveloperDiskImage race condition (by comex)
- launchd.conf untether
Programs used to jailbreak 7.x[edit]
evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)[edit]
![]() | This section needs expansion. You can help by adding to it. |
- Symbolic Link Vulnerability (CVE-2013-5133)
- AMFID_code_signing_evasi0n7 (CVE-2014-1273)
- CrashHouseKeeping chmod vulnerability (CVE-2014-1272)
- ptmx_get_ioctl crafted call (CVE-2014-1278)
Geeksn0w (7.1 / 7.1.1)[edit]
- limera1n's bootrom exploit (Tethered jailbreak) on iPhone 4
Pangu (7.1 / 7.1.1 / 7.1.2)[edit]
- Mach-O OSBundleHeaders info leak (CVE-2014-4491) (Pangu v1.0.0)
- initUserClient info leak (CVE-2014-4407) (Pangu >v1.0.0)
- break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (CVE-2014-4422)
- mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
- IOSharedDataQueue notification port overwrite (CVE-2014-4461)
- syslogd chown vulnerability
- enterprise certificate (no real exploit, used for initial "unsigned" code execution)
- foo_extracted symlink vulnerability (used to write to /var) (CVE-2014-4386)
- /tmp/bigfile (a big file for improvement of the reliability of a race condition)
- VoIP backgrounding trick (used to auto restart the app)
- hidden segment attack
Programs used to jailbreak 8.x[edit]
Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)[edit]
- an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
- enterprise certificate (inside the IPA)
- a kind of dylib injection into a system process (see IPA)
- a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
- a sandboxing problem in debugserver (CVE-2014-4457)
- mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
- the same kernel exploit as used in the first Pangu (CVE-2014-4461) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
- enable-dylibs-to-override-cache
- a new ovelapping segment attack (CVE-2014-4455)
TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2)[edit]
(See also details at newosxbook.com)
- A new AFC symlink attack (CVE-2014-4480) - to get onto the device filesystem
- DeveloperDiskImage race condition (by comex, also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
- A new overlapping segment attack [in a modified version], dyld, (CVE-2014-4455) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
- libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
- enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
- MobileStorageMounter exploit (CVE-2015-1062)
- Backup exploit used to access restricted parts of the filesystem (CVE-2015-1087)
Kernel:
- Mach-O OSBundleHeaders info leak (CVE-2014-4491) - leaks slid addresses
- mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
- IOHIDFamily kernel exploit (CVE-2014-4487) - to overwrite memory
TaiG and PPJailbreak (8.1.3 / 8.2 / 8.3 / 8.4)[edit]
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
- DeveloperDiskImage race condition (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
- enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
- Symbolic linking to AFC (CVE-2015-5746)
- Backup exploit to write to protected regions of the disk (CVE-2015-5752)
- Code signing exploit (CVE-2015-3802)
- Code signing exploit (CVE-2015-3803)
- Code signing exploit (CVE-2015-3805)
- Code signing exploit (CVE-2015-3806)
- IOHIDFamily exploit (CVE-2015-5774)
- AirTraffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling (CVE-2015-5766)
EtasonJB and Home Depot (8.4.1)[edit]
- OSUnserialize Information leak (CVE-2016-4655)
- Kernel exploit (CVE-2016-4656)
Programs used to jailbreak 9.x[edit]
Pangu9 (9.0 / 9.0.1 / 9.0.2 / 9.1)[edit]
- Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DeveloperDiskImage. (CVE-2015-7037)
- MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. (CVE-2015-7051)
- IOHIDFamily use-after-free for kernel information leak / code execution as mobile. (CVE-2015-6974)
- dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency (CVE-2015-7079)
- Racing KPP for some of the patches.
- AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. (CVE-2015-7055)
Pangu9 (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3)[edit]
- IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. (CVE-2016-4654)
jbme (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3)[edit]
- Webkit exploit (CVE-2016-4657)
Home Depot (9.1-9.3.4)[edit]
- OSUnserialize Information leak (CVE-2016-4655)
- Kernel exploit (CVE-2016-4656)
JailbreakMe 4.0 (9.1-9.3.4)[edit]
- OSUnserialize Information leak (CVE-2016-4655)
- Kernel exploit (CVE-2016-4656)
- Webkit exploit (CVE-2016-4657)
Phœnix (9.3.5 / 9.3.6)[edit]
Programs used to jailbreak 10.x[edit]
extra_recipe+yaluX (10.0-10.1.1)[edit]
- set_dp_control_port exploit to execute arbitrary code with kernel privileges. (CVE-2016-7644)
yalu102 (10.0.1-10.2)[edit]
doubleH3lix (10.0.1 - 10.3.3)[edit]
Meridian (10.0 - 10.3.3)[edit]
TotallyNotSpyware (10.0 - 10.3.3)[edit]
H3lix (10.0.1 - 10.3.4)[edit]
Programs used to jailbreak 11.x[edit]
Unc0ver (11.0-11.4.1)[edit]
11.0 - 11.1.2
11.0 - 11.3.1
- mptcp_usr_connectx (multi_path) (CVE-2018-4241)
- getvolattrlist (empty_list) (CVE-2018-4243)
11.0 - 11.4.1
Electra (11.0-11.4.1)[edit]
11.0 - 11.1.2
11.2 - 11.3.1
- mptcp_usr_connectx (multi_path) (CVE-2018-4241)
- getvolattrlist (empty_list) (CVE-2018-4243)
11.2 - 11.4.1
Programs used to jailbreak 12.x[edit]
Chimera (12.0 - 12.5.3)[edit]
12.0 - 12.1.2
12.0 - 12.2/12.4
Unc0ver (12.0 - 12.5.3)[edit]
12.0 - 12.1.2
12.0 - 12.2/12.4
12.4.1
12.4.2 - 12.5.3
checkra1n (12.3 - 12.5.3)[edit]
Programs used to jailbreak 13.x[edit]
Unc0ver (13.0 - 13.5.5~b1 (excluding 13.5.1))[edit]
13.0 - 13.3 (before version 5.0.0)
13.0 - 13.5.5~b1 (excluding 13.5.1) (since version 5.0.0)
- tachy0n (LightSpeed) (CVE-2020-9859)
Odyssey (13.0 - 13.7)[edit]
13.0 - 13.5
- tardy0n (LightSpeed) (CVE-2020-9859)
13.5.1 - 13.7 (for devices with SoCs other than the A8 and A9)
13.5.1 - 13.7 (for devices with A8/A9 SoCs)
- oob_events (CVE-2020-27905), (CVE-2020-9964)
checkra1n (13.0 - 13.7)[edit]
Programs used to jailbreak 14.x[edit]
checkra1n (14.0 - 14.8.1)[edit]
Unc0ver (14.0 - 14.8)[edit]
- ivac entry use-after-free (CVE-2021-1782)
- pattern-f's closed source exploit (CVE-2021-30883)
Taurine (14.0 - 14.3)[edit]
Programs used to jailbreak 15.x[edit]
palera1n (15.0 - 15.7.3)[edit]
XinaA15 (15.0 - 15.1.1)[edit]
- multicast_bytecopy (CVE-2021-30937)
- weightbufs (CVE-2022-32845, CVE-2022-32948, CVE-2022-42805, CVE-2022-32899)