Up to Speed

So, all of this may sound intimidating. Jailbreak, signing, AMFI, unlock, baseband, iBoot, seczone, untethered jailbreak, checkm8 - there are lots of terms to learn, but most of them are defined here on the wiki. The basics:

• Activation - to bypass the required iTunes signup.
• Jailbreak - to allow full write and execute privileges on any Apple TV, iPad, iPhone or iPod touch.
• Unlock - to allow the use of any mobile phone carrier's SIM.

Think of iPhone as a little computer, even though Apple doesn't want you to. It has a processor, RAM, a "hard drive", an operating system, and a cellular modem on the serial port.

Ways to learn about how jailbreaks work[edit]

The basic idea here is that there are lots of ways to learn more about jailbreaking, for people of all experience levels and backgrounds. You might want to learn enough to actually find vulnerabilities in iOS (which is a huge undertaking), or you might just enjoy learning a little bit out of curiosity. Go through this list and pick something that looks fun to read!

• You can read about general exploitation techniques on Wikipedia, starting with software vulnerabilities and privilege escalation. Learning about types of vulnerabilities can be fun even if you don't have any background yet in programming or security research - it's like learning about how puzzles work. To learn more about security research in general (useful for the beginner), try these links: Getting Started in Information Security by r/netsec, r/netsecstudents resources, and Application Security and Vulnerability Analysis.

• Play with Damn Vulnerable iOS Application (DVIA), "a platform to mobile security enthusiasts/professionals or students to test their iOS penetration testing skills in a legal environment".

• Study the available open source jailbreaking tools.

• Read fuzzing for some explanation of how that technique has been used on iOS, and read how to reverse for some inspiration.

• If you want to really get started, learn assembler for ARM processors. Open Security Training has "Introduction to ARM" materials, for example.

Talks, write-ups and analyses[edit]

• To learn a bit about what it takes to jailbreak an iOS device on more modern iOS versions, see this presentation by tihmstar and CoolStar - it explains the main steps required to achieve one.

• Check out this older conversation with saurik, explaining some of the changes performed by a jailbreak (might not be as relevant for later iOS versions).

• Take a look at the rootless jailbreak write-up by Jake James, which goes through the steps they went through to get a rootless jailbreak up and running on their device.

• Check out Linus Henze's write-up on Fugu14, as well as his presentation on Fugu15 to see how their vulnerabilities were used to create jailbreaks for newer iOS versions.

• This presentation from Luca Todesco goes through how the checkra1n jailbreak actually jailbreaks the device, from the BootROM level to the kernel.

Books[edit]

• Read iOS Hacker's Handbook, published in May 2012: "The award-winning author team, experts in Mac and iOS security, examines the vulnerabilities and the internals of iOS to show how attacks can be mitigated. The book explains how the operating system works, its overall security architecture, and the security risks associated with it, as well as exploits, rootkits, and other payloads developed for it."

• pod2g also recommends these books: Mac Hacker's Handbook, Mac OS X Internals: A Systems Approach [Archived 2021-03-27 at the Wayback Machine], and A Guide to Kernel Exploitation: Attacking the Core. And here are even more that can be useful: Mac OS X and iOS Internals: To the Apple's Core [Archived 2013-09-24 at the Wayback Machine], Hacking and Securing iOS Applications [Archived 2013-09-03 at the Wayback Machine], OS X and iOS Kernel Programming, and Professional Cocoa Application Security.

• Jonathan Levin posts interesting iOS reverse engineering research. His series of books on "*OS Internals" are a definitive reference. In particular, Volume III deals exclusively with security, insecurity, and dissects every modern jailbreak from evasi0n (6.0) through async_wake (11.1.2) in detail.

• i0n1c has also recommended a couple of books: The Shellcoder's Handbook and The Art of Software Security Assessment. You may also find it interesting to read his outline for a workshop on developing kernel exploits - note the requirements (knowing ARM assembly, ROP, buffer overflows, integer overflows; having access to IDA Pro, Hexrays, BinDiff).

Now[edit]

• Read the timeline.
• If you're serious about learning jailbreak development, check out this 'roadmap' written by Siguza here.

Legacy[edit]

• Members of the team that built Corona for iOS 5.0.1 gave presentations about it, and there are PDFs of their slides available here: Corona for A4 and Corona/Absinthe for A5.

• Check out this analysis of JailbreakMe 3.0 [Archived 2011-07-22 at the Wayback Machine] (Saffron).

• See the presentation "Strategic Analysis of the iOS Jailbreaking Development Community" by Dino Dai Zovi in November 2012.

• Listen to the 25C3 presentation "Hacking the iPhone". This was in 2008, but it explains the basics in detail.

• If you're interested in baseband hacking and unofficial software unlocks, there are slides from a presentation by MuscleNerd: "Evolution of the iPhone Baseband and Unlocks" (PDF).

• Here's some analysis of evasi0n from Accuvant Labs [Archived 2013-12-27 at the Wayback Machine] and from Azimuth Security, along with a high-level explanation from planetbeing. The evad3rs team gave a presentation about evasi0n with slides available. geohot wrote a detailed analysis of evasi0n7.

• i0n1c has given several presentations on iOS jailbreaking techniques, and there are PDFs of his slides available online, including: "iOS Kernel Exploitation", "iPhone Exploitation: One ROPe to bind them all?", "iOS 5: An Exploitation Nightmare?" [Archived 2013-09-14 at the Wayback Machine], and "iOS8 Containers, Sandboxes and Entitlements".