Inside the iOS 6.1 jailbreak; how evad3rs cracked the Apple code

Summary: There are numerous exploit mitigations in iOS 6.1 that make jailbreaking incredibly difficult, including sandboxing, ASLR, and code-signature requirements, but that didn't stop four developers from defeating all of them.

Inside the Evasi0n jailbreak for iOS 6.1 - Jason O'Grady

Untethered jailbreaks are usually pretty trivial to install, but despite their one-click UIs, there's a lot going on under the hood. On Monday, evad3rs released the first untethered jailbreak for devices running iOS 6.0/6.1: Evasi0n.

Forbes' Andy Greenberg scored an exclusive interview with David Wang, one of the evad3rs' four developers, who described in copious detail how the evasi0n jailbreak takes advantage of at least five (count 'em!) vulnerabilities in the iOS 6.1 code to patch the kernel and run unsigned code.

Evasi0n exploits a bug in iOS's mobile backup system, edits a time zone file, defeats code signing, makes the root file system writable, defeats Address Space Layout Randomization (ASLR), then exploits a bug in Apple's USB implementation to make the kernel writable. Whoa.

In the Forbes interview, Wang lays out seven bullet points on how the evasi0n jailbreak does its magic. Here's my personal favorite:

Even after all those contortions, a device isn't jailbroken until its restrictions are removed at the "kernel" layer–the deepest part of the operating system that performs the code-signing checks to prevent running unapproved apps, using a process called the Apple Mobile File Integrity Daemon (AMFID). So evasi0n uses launchd to load a library of functions into AMFID every time a program launches that somehow swaps out the function that checks for a code signature for one that always returns an "approved" answer. Wang won't say exactly how that AMFID-defeating part of the jailbreak works. "Apple can figure that one out for themselves," he says.

And you can bet Apple is reverse engineering the jailbreak so that it can release a patch to break the, ahem, jailbreak shortly. Accuvant Labs has already begun to reverse engineer the jailbreak and has posted some of its analysis.

This tweet from Jay Freeman, administrator of the Cydia app store, gives an estimate of the popularity of the new evasi0n jailbreak.

So, are you jailbreaking?
