Jailbreak Exploits

This page lists the exploits used in jailbreaks.

Common exploits[edit source]

These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

Pwnage + Pwnage 2.0 (together to jailbreak the iPhone, iPod touch, and iPhone 3G)
ARM7 Go (from iOS 2.1.1) (for tethered jailbreak on iPod touch (2nd generation))
0x24000 Segment Overflow (for untethered jailbreak on iPhone 3GS with old bootrom and iPod touch (2nd generation) with old bootrom; another exploit as the limera1n Exploit is required)
limera1n Exploit (for tethered jailbreak on iPhone 3GS, iPod touch (3rd generation), iPad, iPhone 4, iPod touch (4th generation) and Apple TV (2nd generation))
usb_control_msg(0xA1, 1) Exploit (also known as "steaks4uce") (for tethered jailbreak on iPod touch (2nd generation))

Jailbreak Programs[edit source]

PwnageTool (2.0 - 5.1.1)[edit source]

uses different common exploits
uses the exploits listed below to untether up to iOS 5.1.1

redsn0w (3.0 - 6.0)[edit source]

uses different common exploits
uses the same exploits as Absinthe and Absinthe 2.0 to jailbreak iOS 5.0/5.0.1 and 5.1.1
uses the exploits listed below to untether up to iOS 5.1.1

sn0wbreeze (3.1.3 - 6.1.3)[edit source]

uses different common exploits
uses the exploits listed below to untether up to iOS 6.1.2

Programs used to jailbreak 1.x[edit source]

AppTapp Installer (1.0 / 1.0.1 / 1.0.2)[edit source]

iBoot cp-command exploit

iBrickr (1.0 / 1.0.1 / 1.0.2)[edit source]

iBoot cp-command exploit

AppSnapp/JailbreakMe 1.0 (1.0 / 1.0.1 / 1.0.2 / 1.1.1)[edit source]

libtiff exploit (Adapted from the PSP scene, used by JailbreakMe) (CVE-2006-3459)

OktoPrep (1.1.2)[edit source]

"Upgrade" to 1.1.2 from a jailbroken 1.1.1

mknod

Soft Upgrade (1.1.3)[edit source]

"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

ZiPhone (1.1.3 / 1.1.4 / 1.1.5)[edit source]

Ramdisk Hack

iLiberty / iLiberty+ (1.1.3 / 1.1.4 / 1.1.5)[edit source]

Programs used to jailbreak 2.x[edit source]

QuickPwn (2.0 - 2.2.1)[edit source]

uses Pwnage and Pwnage 2.0

Redsn0w Lite (2.1.1)[edit source]

ARM7 Go (for iPod touch (2nd generation) only)

Programs used to jailbreak 3.x[edit source]

purplera1n (3.0)[edit source]

blackra1n (3.1 / 3.1.1 / 3.1.2)[edit source]

Spirit (3.1.2 / 3.1.3 / 3.2)[edit source]

JailbreakMe 2.0 / Star (3.1.2 / 3.1.3 / 3.2 / 3.2.1)[edit source]

limera1n / greenpois0n (3.2.2)[edit source]

uses different common exploits
Packet Filter Kernel Exploit

Programs used to jailbreak 4.x[edit source]

JailbreakMe 2.0 / Star (4.0 / 4.0.1)[edit source]

limera1n (4.0 / 4.0.1 / 4.0.2 / 4.1)[edit source]

uses different common exploits
Packet Filter Kernel Exploit

greenpois0n (4.1)[edit source]

uses different common exploits
Packet Filter Kernel Exploit

greenpois0n (4.2.1)[edit source]

uses different common exploits
HFS Legacy Volume Name Stack Buffer Overflow

JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)[edit source]

unthredeh4il (4.2.6 - 4.2.10)[edit source]

Except for the iPad (3rd generation)

JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)[edit source]

Except for the iPod touch (3rd generation) on iOS 4.3.1.

i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)[edit source]

used in redsn0w to untether iOS 4.3.1 / 4.3.2 / 4.3.3

ndrv_setspec() Integer Overflow

unthredeh4il (4.3 - 4.3.5)[edit source]

Except for the iPad (3rd generation)

Programs used to jailbreak 5.x[edit source]

Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)[edit source]

Racoon String Format Overflow Exploit (CVE-2012-0646) (used both for payload injection and untether)
HFS Heap Overflow (CVE-2012-0642)
unknown exploit (CVE-2012-0643)

Corona Untether (5.0.1)[edit source]

Racoon String Format Overflow Exploit (CVE-2012-0646)
HFS Heap Overflow (CVE-2012-0642)
unknown exploit (CVE-2012-0643)

Absinthe 2.0 and Rocky Racoon Untether (5.1.1)[edit source]

unthredeh4il (5.0-5.1.1)[edit source]

Except for the iPad (3rd generation)

Programs used to jailbreak 6.x[edit source]

evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)[edit source]

p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)[edit source]

Programs used to jailbreak 7.x[edit source]

evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)[edit source]

Geeksn0w (7.1 / 7.1.1)[edit source]

limera1n's bootrom exploit (Tethered jailbreak) on iPhone 4

Pangu (7.1 / 7.1.1 / 7.1.2)[edit source]

Mach-O OSBundleHeaders info leak (CVE-2014-4491) (Pangu v1.0.0)
initUserClient info leak (CVE-2014-4407) (Pangu >v1.0.0)
break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (CVE-2014-4422)
mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
IOSharedDataQueue notification port overwrite (CVE-2014-4461)
syslogd chown vulnerability
enterprise certificate (no real exploit, used for initial "unsigned" code execution)
foo_extracted symlink vulnerability (used to write to /var) (CVE-2014-4386)
/tmp/bigfile (a big file for improvement of the reliability of a race condition)
VoIP backgrounding trick (used to auto restart the app)
hidden segment attack

Programs used to jailbreak 8.x[edit source]

Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)[edit source]

an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
enterprise certificate (inside the IPA)
a kind of dylib injection into a system process (see IPA)
a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
a sandboxing problem in debugserver (CVE-2014-4457)
mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
the same kernel exploit as used in the first Pangu (CVE-2014-4461) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
enable-dylibs-to-override-cache
a new ovelapping segment attack (CVE-2014-4455)

TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2)[edit source]

(See also details at newosxbook.com)

A new AFC symlink attack (CVE-2014-4480) - to get onto the device filesystem
DeveloperDiskImage race condition (by comex, also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
A new overlapping segment attack [in a modified version], dyld, (CVE-2014-4455) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
MobileStorageMounter exploit (CVE-2015-1062)
Backup exploit used to access restricted parts of the filesystem (CVE-2015-1087)

Kernel:

Mach-O OSBundleHeaders info leak (CVE-2014-4491) - leaks slid addresses
mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
IOHIDFamily kernel exploit (CVE-2014-4487) - to overwrite memory

TaiG and PPJailbreak (8.1.3 / 8.2 / 8.3 / 8.4)[edit source]

DeveloperDiskImage race condition (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
Symbolic linking to AFC (CVE-2015-5746)
Backup exploit to write to protected regions of the disk (CVE-2015-5752)
Code signing exploit (CVE-2015-3802)
Code signing exploit (CVE-2015-3803)
Code signing exploit (CVE-2015-3805)
Code signing exploit (CVE-2015-3806)
IOHIDFamily exploit (CVE-2015-5774)
AirTraffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling (CVE-2015-5766)

EtasonJB and Home Depot (8.4.1)[edit source]

OSUnserialize Information leak (CVE-2016-4655)
Kernel exploit (CVE-2016-4656)

Programs used to jailbreak 9.x[edit source]

Pangu9 (9.0 / 9.0.1 / 9.0.2 / 9.1)[edit source]

Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DeveloperDiskImage. (CVE-2015-7037)
MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. (CVE-2015-7051)
IOHIDFamily use-after-free for kernel information leak / code execution as mobile. (CVE-2015-6974)
dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency (CVE-2015-7079)
Racing KPP for some of the patches.
AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. (CVE-2015-7055)