How Jailbreak Works

The document discusses how jailbreaking works by bypassing the security checkpoints implemented by Apple. It explains that jailbreaking gives users control over the root file system to install third-party applications. This is done by exploiting vulnerabilities that bypass the signature checks during the boot process, which can occur either in the bootrom or after the kernel has loaded. Some examples of past jailbreaks are provided, such as Limera1n which exploited the bootrom, and JailbreakMe which used a PDF vulnerability in Safari to gain root access.


30/07/13 How Jailbreak Works | Apple 24 Seven

How Jailbreak Works

July 30, 2013 · by Randy Morgan · in Features, iPhone.


This is a post from Reddit user Synchronizing (http://www.reddit.com/user/Synchronizing)

A lot of people do not know how jailbreak actually works. They think it’s simply plugging their devices into a computer, pressing a button, waiting a couple of minutes, and voilà. The reality is, it is a bit more complex than that.

I will try to explain, to the best of my ability, how jailbreak actually works, and hopefully by the end of this entry you will have an idea how it functions.
What does Jailbreak actually mean?

Jailbreak actually means to allow third-party applications to be installed on your iDevice. Contrary to popular belief, it’s actually fully legal to run third-party applications on your device since James H. Billington’s DMCA revision. With this in mind, the only thing that prevents us from having an easy jailbreak is Apple.
How does the jailbreak work?

Jailbreak itself is getting control over the root and media partition of your iDevice, where all of iOS’s files are stored. To do so, /private/etc/fstab must be patched.

fstab is the switch room of your iDevice, controlling the permissions of the root and media partition. The default is ‘read-only’, allowing eyes and no hands. To be able to modify the root and media partition we must set the fstab to ‘read-write’, allowing eyes and hands (on the root and media partitions).

Sounds easy? Maybe. The main problem is not getting the files in, but getting them through various checkpoints. These checkpoints were put in place by Apple to verify whether the file is indeed legit or third-party. Every file is signed by a key, and without it, the file will be put aside and be unusable.

So where do we get the key? Well, it’s not as easy as it sounds. These keys are not simply given out like candy on Halloween night, which means we must either unscrew the lock (patch all of the checkpoints) or go through the back door (bypass). As Saurik said, “patching this out is A) difficult (especially to track as Apple makes changes) and B) of marginal benefit as adding these hashes is easy.” In other words, it’s not worth it.

Before I explain how we bypass these checkpoints, we must go over some other stuff.
How does an iDevice boot up?

When an iDevice boots up it goes through a “chain of trust”. This chain is a series of signature checks that make sure everything being run is Apple approved. It goes in the following (specific) order:

* Runs Bootrom: Also called “SecureROM” by Apple, it is the first significant code that runs on an iDevice.
* Runs Bootloader: Generally, it is responsible for loading the main firmware.
* Loads Kernel: Bridge between the iOS and the actual data processing done at the hardware level.
* Loads iOS: The final step to the chain, iOS starts and we get our nice “Slide to Unlock” view.

Great! Now that you know how your iDevice comes to life, let’s go to the next thing.
What is the roadblock in a jailbreak?

What prevents an easy jailbreak is the signature checks. While the kernel is loading there are thousands of checks being done to make sure everything being loaded is Apple approved.

To be more specific, there are many checks throughout the boot which look for one thing: a signature, a key. If the key is correct we get a green light; if it is wrong, depending on where the check was or what file it was, it will either crash the iDevice, causing a loop, or simply ignore it and not execute that specific file at all.

So what is a jailbreaker’s objective?

The jailbreaker’s objective is to either patch the checks or simply bypass them. The conventional way is to bypass them, as patching all of them would be simply too time-consuming and not very beneficial.

Thus bringing us to the two main exploit categories:

* bootrom exploit: Exploit done during the bootrom. It can’t be patched by a conventional firmware update, and must be patched by new hardware. Since it’s before almost any checkpoint, the malicious code is injected before everything, thus allowing a passageway to be created to bypass all checks or simply disable them.
* userland exploit: Exploit done during or after the kernel has loaded and can easily be patched by Apple with a software update. Since it’s after all the checks, it injects the malicious code directly into the openings back into the kernel. These openings are not so easy to find, and once found can be patched.

Userland exploits are the most common of the two as they are easier to find, and are software based.

How did some of the released jailbreaks actually work?

* Limera1n (exploit, not tool): Bootrom exploit first used by Geohot. Due to it being a bootrom exploit, it can’t be patched by Apple with a software update, which means it is still usable today in all A4 devices. Yes… including iOS 6.
* JailbreakMe: Userland exploit that used a malformed CFF vulnerability. CFF stands for Compact Font Format and it’s used to store fonts. Starting with PDF version 1.2 it could be embedded directly into the .pdf file, but it had its malfunctions. When you accessed Jailbreak.me via Safari on your iDevice, it would automatically check if you were vulnerable, and open up the PDF file with the edited CFF. When the CFF opcodes (operation codes, which specify the operations to be performed) were being handled, Comex (the developer of this exploit) found a way to get a stack overflow (when too much memory is being used in one stack and it attempts to access memory outside of its own stack), by repeatedly pushing and duplicating random numbers onto an “argument stack” (where arguments are stored). By doing so, it allowed Comex to execute any command he would like. The problem with this is that even though he had control over the commands, root is still set as ‘read-only’. He would need to set root as ‘read-write’ so he could use the commands to his advantage, so Comex dug a bit further and found an IOSurface.framework vulnerability. It would actually use a ROP payload to get access to the kernel memory with ‘read-write’ privileges. From there, it’s game over. He then would download wad.bin (Cydia), install, and restart SpringBoard. You now have yourself a jailbroken device done by using a userland exploit in Safari. Keep in mind this exploit was huge. It is still categorized as the simplest (in user terms) and most effective jailbreak yet, while at the same time being a big worry to Apple. If someone could get into your phone via Safari to install Cydia, someone could do the same to steal any information from your iDevice.

These are the two best-known jailbreaks out there. Every other exploit is different, and usually patched by now.

Conclusion

Jailbreak is not the easiest thing out there. It is time- and skill-demanding.
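The JailbreakMe description above comes down to a font parser that let a charstring push and duplicate operands onto an argument stack without checking its size. The block below is an added example, not code from the post, from Comex, or from any real font library: a simplified Type 2 charstring operand decoder written from the defender's side, which bounds-checks every push and the dup escape. The operand encodings, the dup escape code (12 27), the rule that other operators clear the stack, and the 48-entry argument stack limit follow the Type 2 charstring format; the function and type names are my own, and the 16.16 fixed operand form (byte 255) is deliberately rejected rather than modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define T2_MAX_ARGS 48  /* Type 2 charstring argument stack limit */
typedef struct {
    int32_t args[T2_MAX_ARGS];
    size_t  top;        /* operands currently on the stack */
} t2_stack;
/* Bounds-checked push; without this check a charstring could write past args[]. */
static int t2_push(t2_stack *st, int32_t v)
{
    if (st->top >= T2_MAX_ARGS) return -1;
    st->args[st->top++] = v;
    return 0;
}
/* Walk a charstring, pushing operands and handling the "dup" escape (12 27).
 * Other operators clear the stack, as the spec requires. Returns the final
 * depth, or -1 on truncation, stack overflow, or the 16.16 form (not modelled). */
int t2_decode(const uint8_t *cs, size_t len, t2_stack *st)
{
    size_t i = 0;
    memset(st, 0, sizeof *st);
    while (i < len) {
        uint8_t b0 = cs[i++];
        int32_t v;
        if (b0 >= 32 && b0 <= 246) {                   /* one-byte operand */
            v = (int32_t)b0 - 139;
        } else if (b0 >= 247 && b0 <= 254) {           /* two-byte operand */
            if (i >= len) return -1;
            v = b0 <= 250 ? ((int32_t)b0 - 247) * 256 + cs[i] + 108
                          : -((int32_t)b0 - 251) * 256 - cs[i] - 108;
            i++;
        } else if (b0 == 28) {                         /* 16-bit operand */
            if (i + 2 > len) return -1;
            v = (int16_t)((cs[i] << 8) | cs[i + 1]); i += 2;
        } else if (b0 == 255) {                        /* 16.16 fixed: not modelled */
            return -1;
        } else if (b0 == 12 && i < len && cs[i] == 27) {   /* dup */
            i++;
            if (st->top == 0) return -1;               /* dup on empty stack */
            v = st->args[st->top - 1];
        } else {                                       /* any other operator */
            if (b0 == 12) i++;                         /* skip escape byte */
            st->top = 0; continue;
        }
        if (t2_push(st, v) != 0) return -1;
    }
    return (int)st->top;
}
```

A charstring of 49 consecutive operand bytes, or a dup that would make the stack exceed 48 entries, is rejected with -1 instead of writing past the array.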

Tags: apple, Evasion, iPhone, jailbreak
