Untethered jailbreaks are usually pretty trivial to install, but despite their one-click UIs, there's a lot going on under the hood. On Monday, evad3rs released for devices running iOS 6.0/6.1: Evasi0n.
Forbes Andy Greenberg scored an exclusive interview with David Wang, one of the evad3rs’ four developers, who described in copious detail how the evasi0n jailbreak takes advantage of at least five (count 'em!) vulnerabilities in the iOS 6.1 code to patch the kernel and run unsigned code.
Evasi0n exploits a bug in iOS’s mobile backup system, edits a time zone file, defeats code-signing, makes the root file system writable, decodes Address Space Layout Randomization (ASLR), then exploits a bug in Apple's USB implementation to make the kernel writable. Whoa.
In the Forbes interview, Wang reveals seven bullets on how the evasi0n jailbreak does its magic. Here's my personal favorite:
Even after all those contortions, a device isn’t jailbroken until its restrictions are removed at the “kernel” layer–the deepest part of the operating system that performs the code-signing checks to prevent running unapproved apps using a process called the Apple Mobile File Integrity Daemon. (AMFID) So evasi0n uses launchd to load a library of functions into AMFID every time a program launches that somehow swaps out the function that checks for a code signature for one that always returns an “approved” answer. Wang won’t say exactly how that AMFID-defeating part of the jailbreak works. “Apple can figure that one out for themselves,” he says.
And you can bet Apple is reversing engineering the jailbreak so that they can release a patch to break the, ahem, jailbreak shortly. Accuvant Labs has already begun to reverse engineer the jailbreak and has posted some of their analysis.
More than four million unique devices used Cydia since the evasi0n jailbreak release. (Note: due to downtime, we may have not counted some.)— Jay Freeman (saurik) (@saurik) February 6, 2013
So, are you jailbreaking?