FAQ on the iOS 11 Jailbreak & Jailbreak Toolkit by Jonathan Levin
Jonathan Levin, creator of LiberTV and author of several iOS and macOS security books, has published a new questions-and-answers session on the heavily discussed iOS 11.1.2 jailbreak.
So, Ian Beer's amazing work has CVE-2017-13861 working on all Darwin 17 devices I tested, i.e.
- iPod Touch (iPod7,1)
- iPad Pro 12.9 (iPad6,8)
- iPhone8 (iPhone10,4)
- iPhone X. (iPhone10,6)
- Apple TV 4 (AppleTV5,..)
- Apple TV 4k (AppleTV6,..)
That means it can work across ALL 64-bit devices (EDIT: GEEZUS, OF COURSE THIS MEANS the 5S and the 6, and the 6S, and the 7 too - and guess what - also the 7+). And possibly the Watch, with some adjustments.
Q: What iOS versions exactly?
11.0.x, 11.1.x. Also TvOS. Still haven't tested on WatchOS 4.0.x and 4.1, because that requires 32-bit porting.
But see below about 10.x.
Q: What if I'm not on one of these versions?
Tough. I only mentioned 4 times on Twitter that you should have updated when you still could.
Q: Can I downgrade with this?
Q: Can I downgrade to a version this works on?
Q: Can this be used for an iCloud bypass?
NO. And don't steal other people's devices.
Q: So wen ETA Jailbreak?
If by "Jailbreak" you mean Cydia and tweaks - then IDK. If you mean a fully working shell environment with arbitrary unsigned binaries, any side loading of any App you want, KPP-less jailbreak, that's in a few days. You know, for Christmas.
Q: Why not Cydia?
Several reasons. A) I hate Cydia. B) CydiaSubstrate code injection requires getting past a sandbox hook (mmap-executable, to be exact), which I don't get around because getting around the sandbox is a technique I DO NOT WANT TO BLOW IN A PUBLIC JAILBREAK.
Edit: Actually, Cydia (as an app) can run fine, and even install out-of-app-store binaries. What WILL NOT work at the moment is code injection.
Q: What's that sandbox thing?
It's the "other" MACF policy, which is even more anal than its sister AMFI. I'm leaving it largely untouched, because my method of bypassing it is something I know AAPL can close in two minutes of thought and an hour of work. Btw, this also means you can't run binaries from /tmp or /var/[root/mobile], but it's easy to run binaries from pretty much anywhere else - and the rootfilesystem is mounted r/w, so it can really be anywhere else.
Q: Ok, no Cydia (Substrate), but what?
- Root filesystem remount
- Sandbox escape
- Root, obviously
- Arbitrary binaries, so long as they are self signed with jtool (sorry ldid'ers - get a real code signing tool...)
- Run with any entitlements you want.
- App continues to run as "jailbreakd" to handle process/app launches.
- Code injection (for DYLD_INSERT, coeruption, and - yes - CydiaSubstrate) to be added in the future
- In-memory patching of AMFId to neuter it (rather than have a jailbreakd) also to be added in the future. I was going to add it now, but having a jailbreakd listen on every process has its advantages. I'm thinking of making a SuperSU-style app out of it.
Q: So how does it work?
Long story, and a full writeup shall be detailed soon (I'm also adding Chapter 25 to Volume III of MOXiI in order to cover this). The short version is, I perform all patches in the process list. And one in the root vnode.
Q: How do you get past code signing?
By touching that despicable amfid in its private parts. This allows me to not touch the trust cache (thanks for blowing that method publicly...), and get notified of every process launch.
Q: I tried that and it still didn't work for me.
There's the sandbox and the container crap to get around. So you get around it. Wait for details.
Q: So why aren't you releasing?
Honestly? Because I have absolutely no UI yet. But it will be ready for xmas.
Q: Will this be open source?
Yes - The .h file surely, and probably most of the implementation. BUT WITH A LICENSE.
Yes. Relax. Just asking you to give credit and say "Powered by ...." or something like that. Credit where credit is due.
Q: Is this untethered?
NO. Untethered requires a very early exploit (+ persistence) which is technically possible in one of several ways, each of which is a major 0-day in and of itself. Again - NO.
Q: Is this related to the jailbreak toolkit?
This IS the jailbreak toolkit. At least the parts I can expose in open source - AAPLites see these things too, and I'm sure they have ideas as how to correct them by iOS 12.
Q: And can I use the toolkit to JB?
Actually, yes. The idea is that the toolkit enables you to achieve the same functionality described above with 10 lines of code a total n00b could write, calling on functions I expose (a C header file - .h).
Q: Can this be used for iOS 10.x? TvOS 10.x?
First, thank you for actually reading intently. YES. Just give me the kernel_task port and the two offsets I need. But that requires either the S1guza v0rtex style methods (great work, man), and/or a reliable kernel info leak bug. The one used by Ian (CVE-2017-13865) was only introduced in Darwin.
Q: Does your JBToolkit need offsets?
The public version, yes. By ripping some of JTool's code I could deduce the two symbols I need (_kernproc and _rootvnode) directly from the in-memory image, but I'm not about to make that part open source. Simply hard code or feed the offsets when you get the source (and when I get a UI for this). It'll be easy.
Q: Are you using async_wake?
Yep. I stand on the shoulders of giants. Well, THE Giant. Ian Beer. He's the man. Though I admit I kind of hate that he blows bugs used in private jailbreaks.
Q: Are you using xerub's patches?
Some patches overlap, but - not his code or any of the numerous GitHub clones people are trying to pass as jailbreaks. I've been using my own set of "KPP-less" (as coined by Xerub), but rather than using offsets I actually got the kernel headers to compile in user mode. My method of code signing evasion is different than his, and (again) draws from Ian Beer's. The code is 100% mine and draws from no other person, nationality, or anything.
Q: Is <fill in the blank> jailbreak fake?
I don't know. But nothing beats open source, and this will be released as such. Most of the would-be jailbreakers I've seen directly clone off the async_wake GitHub sources. (That's why this JB will have that above-mentioned license..)
Q: Can I donate?
Yes, but not to me - to a charity of your choice - and as much as you think this work is worth to you. Spread the word - do it, post a screenshot (redact the details, whatever) and just say it's for the jailbreak. #Libertas or something.
Q: What if I use this and I brick my device?
Then it's on you. The powers of root are not for the faint of heart or the feeble of mind.
Happy Holidays, people! Consider this one guaranteed Christmas (and belated Hanukkah) gift ☺.