Thursday, February 7, 2013

Planetbeing reveals the complicated effort that goes into making a jailbreak

With the release of Evasi0n yesterday, jailbreaking is the hot topic everywhere right now. But many people are asking what exactly it takes to make a jailbreak. In the case of Evasi0n, it took months of digging through obfuscated machine code to find the bugs that let the Evad3rs jailbreak everyone’s devices.
Planetbeing (David Wang), one of the prominent members of the Evad3rs, took some time to answer questions for Forbes, detailing exactly how Evasi0n defeats the code-signing protections Apple builds into its devices.
Evasi0n begins by running libimobiledevice, a library that stands in for iTunes and talks to iOS devices over the same protocol Apple’s own software uses. Through that tool, Evasi0n exploits a bug in iOS’s mobile backup system to reach a file it normally should not be able to touch, namely the one that records the device’s time zone.
From there, Evasi0n reaches the launch daemon (launchd), which lets it run code with root privileges, provided it can get past code signing. Apple has layered several protections to keep hackers off the device, and each one can take more than one bug to defeat. Once code signing, AMFID and ASLR have all been bypassed, though, the jailbreak is almost complete.
Once it has beaten ASLR, the jailbreak uses one final bug in iOS’s USB interface that passes an address in the kernel’s memory to a program and “naively expects the user to pass it back unmolested,” according to Wang. That allows evasi0n to write to any part of the kernel it wants. The first place it writes is the part of the kernel that restricts changes to its own code, the hacker equivalent of wishing for more wishes. “Once you get into the kernel, no security matters any more,” says Wang. “Then we win.”
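The bug class Wang describes (a kernel interface that hands user space a raw kernel pointer and later trusts it when it comes back) is easy to see in miniature. The C below is an added illustration written for this post; it is not evasi0n’s code and not iOS’s. The `struct session`, the `codesign_enforced` variable standing in for the kernel setting the jailbreak overwrites, and all function names are constructed for the demonstration. The vulnerable interface returns a pointer as the handle and writes through whatever it gets back, so an attacker who substitutes the address of the protected variable turns the "set flags" call into an arbitrary kernel write. The hardened interface hands out a table index instead and checks range and liveness before touching memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a kernel object that a device interface hands out to
 * user space (the struct and its names are assumptions for this illustration). */
struct session {
    uint32_t magic;   /* identifies a live object */
    uint32_t flags;   /* field a later call lets the caller update */
};

#define SESSION_MAGIC 0x53455353u   /* "SESS" */
#define MAX_SESSIONS  4

/* "Kernel" state. codesign_enforced stands in for the kernel variable the
 * article says the jailbreak overwrites first; volatile so the compiler
 * re-reads it after the out-of-band write below. */
static struct session session_table[MAX_SESSIONS];
static volatile uint32_t codesign_enforced = 1;

static void reset_kernel_state(void) {
    memset(session_table, 0, sizeof session_table);
    codesign_enforced = 1;
}

/* --- Vulnerable design: the kernel pointer itself is the handle. --- */

/* Returns a raw kernel address to user space (an info leak on its own). */
uintptr_t vuln_open(void) {
    session_table[0].magic = SESSION_MAGIC;
    session_table[0].flags = 0;
    return (uintptr_t)&session_table[0];
}

/* Trusts whatever comes back and writes through it: an arbitrary write. */
void vuln_set_flags(uintptr_t handle, uint32_t flags) {
    struct session *s = (struct session *)handle;   /* no validation */
    s->flags = flags;
}

/* --- Hardened design: hand out an index, validate it on the way back. --- */

int safe_open(void) {
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (session_table[i].magic != SESSION_MAGIC) {
            session_table[i].magic = SESSION_MAGIC;
            session_table[i].flags = 0;
            return i;        /* an index reveals nothing about kernel layout */
        }
    }
    return -1;
}

int safe_set_flags(int handle, uint32_t flags) {
    if (handle < 0 || handle >= MAX_SESSIONS) return -1;          /* range */
    if (session_table[handle].magic != SESSION_MAGIC) return -1;  /* liveness */
    session_table[handle].flags = flags;
    return 0;
}

/* Attacker reuses the interface with a pointer of their own choosing, aimed so
 * that s->flags lands on the protected variable. Returns its value afterwards. */
uint32_t demo_vuln_arbitrary_write(void) {
    reset_kernel_state();
    (void)vuln_open();
    uintptr_t target = (uintptr_t)&codesign_enforced - offsetof(struct session, flags);
    vuln_set_flags(target, 0);
    return codesign_enforced;           /* now 0: the check has been switched off */
}

/* Same attempts against the hardened interface. Returns 1 if every forged
 * handle was rejected, the real handle still worked, and the variable is intact. */
int demo_safe_rejects_forged_handles(void) {
    reset_kernel_state();
    int h = safe_open();
    int rejected = 0;
    rejected += (safe_set_flags(-1, 0) != 0);                 /* below range */
    rejected += (safe_set_flags(MAX_SESSIONS, 0) != 0);       /* above range */
    rejected += (safe_set_flags(MAX_SESSIONS - 1, 0) != 0);   /* never opened */
    if (safe_set_flags(h, 1) != 0) return 0;                  /* legitimate call */
    return rejected == 3 && codesign_enforced == 1;
}

int main(void) {
    printf("vulnerable interface: codesign_enforced = %u\n",
           (unsigned)demo_vuln_arbitrary_write());
    printf("hardened interface holds: %d\n", demo_safe_rejects_forged_handles());
    return 0;
}
```

The point of the hardened version is not the magic value but the indirection: user space never learns a kernel address, and a handle that does not map to a live table entry is refused before any memory is written.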
Read the whole article for Planetbeing’s detailed account of the jailbreak process, where he goes into exactly how each step of the jailbreak works. If you haven’t yet jailbroken your device, check out our tutorial here.

