iOS 10.x Wi-Fi Exploit Released; Raises Hope of iOS 10.x Jailbreak
Back in July, Apple released iOS 10.3.3 which patched a critical Broadpwn exploit that could allow hackers to execute arbitrary code on the Wi-Fi chip on the iPhone, iPad and iPod touch.
Gal Beniamini, a security researcher at Google Project Zero who was credited for discovering the exploit has just released the security exploit. This has sparked off speculations that a hacker will be able to use it to develop a jailbreak for iOS 10.2.1 – iOS 10.3.2 as a reddit user has pointed out that the exploit can get kernel memory access.
Before you get excited, reddit user Siguza summarizes it quite well:
Yes, this can most likely be used to jailbreak iOS <=10.3.3.
Since the Wifi firmware that is stored on disk seems to lack any kind of signature, an untether should be possible by crafting a custom wifi firmware image. It’ll probably take quite some time to create one in that format, since that’s entirely different from normal iOS binaries.
The trickiest part is probably gonna be the first step, i.e. getting onto the Wifi chip, since that requires (availability and) access to a SoftMAC Wifi device, which by far not everyone has. Alternatively, getting root on the device itself should allow the uploading of the same crafted firmware image that would allow an untether, thus executing the attack locally (e.g. triple_fetch could be used to get root <=10.3.2).
All of this will only work on A8 devices and newer (iPhone 6 and up), since older devicesuse USB rather than PCIe for Host <-> Wifi communication (so no luck for iPhone 5/5c/5s, iPad 4, iPad mini 2 and iPad Air).
Additionally, for A8 and A9 devices a new method will have to be devised to obtain the kernel slide once on the Wifi chip, since on the iPhone 7 that is done via the KTRR control registers, which A8/A9 chips lack.
As the reddit user points out that there is still a lot of work to be done for the iOS 10.x jailbreak to be released. So I wouldn’t get your hopes up so soon. Since Apple has patched the exploit in iOS 10.3.3, it won’t work in iOS 11, so the jailbreak won’t support the latest iOS software update.
If you’re on iOS 10.3.2 or lower, then you may want to hold off upgrading if you have been waiting for the jailbreak. As we have advised several times, one of the golden rules of jailbreaking is to stay where you are to increase your chances of getting a jailbreak. However, the flip side of that is, you are exposed to the security exploits like this one, and others which have been fixed so far.
- V0rtex-injector – iOS 10.3.x Tweak Installer Rumor: iOS 10.x - iOS 10.3.2 Jailbreak is Coming Out Soon iOS 11 Bugs We've Found till Now The Current Status of iOS 10.0 – iOS 10.3.3 Jailbreak Why and How to Save SHSH2 Blobs For iOS 10.2 Jailbreak? iOS 10.2.1 Jailbreak Status: Saïgon is Closed, but there is still Hope Ian Beer To Release tfp0 Exploit For iOS 11.1.2 And Below, Potentially Leading To Jailbreak New Bug on iOS 11 Beta3