Inside the iOS 6.1 jailbreak; how evad3rs cracked the Apple code

Inside the iOS 6.1 jailbreak; how evad3rs cracked the Apple code

Summary: There are numerous exploit mitigations in iOS 6.1 that make jailbreaking incredibly difficult, including sandboxing, ASLR, and code signature requirements, but that didn't stop four developers from defeating all of them.

TOPICS: Apple, iOS, Software
Inside the Evasi0n jailbreak for iOS 6.1 - Jason O'Grady

Untethered jailbreaks are usually pretty trivial to install, but despite their one-click UIs, there's a lot going on under the hood. On Monday, evad3rs released the first untethered jailbreak for devices running iOS 6.0/6.1: Evasi0n.

Forbes Andy Greenberg scored an exclusive interview with David Wang, one of the evad3rs’ four developers, who described in copious detail how the evasi0n jailbreak takes advantage of at least five (count 'em!) vulnerabilities in the iOS 6.1 code to patch the kernel and run unsigned code.

Evasi0n exploits a bug in iOS’s mobile backup system, edits a time zone file, defeats code-signing, makes the root file system writable, decodes Address Space Layout Randomization (ASLR), then exploits a bug in Apple's USB implementation to make the kernel writable. Whoa.

In the Forbes interview, Wang reveals seven bullets on how the evasi0n jailbreak does its magic. Here's my personal favorite:

Even after all those contortions, a device isn’t jailbroken until its restrictions are removed at the “kernel” layer–the deepest part of the operating system that performs the code-signing checks to prevent running unapproved apps using a process called the Apple Mobile File Integrity Daemon. (AMFID) So evasi0n uses launchd to load a library of functions into AMFID every time a program launches that somehow swaps out the function that checks for a code signature for one that always returns an “approved” answer. Wang won’t say exactly how that AMFID-defeating part of the jailbreak works. “Apple can figure that one out for themselves,” he says.

And you can bet Apple is reversing engineering the jailbreak so that they can release a patch to break the, ahem, jailbreak shortly. Accuvant Labs has already begun to reverse engineer the jailbreak and has posted some of their analysis. 

This tweet from Jay Freeman, administrator of the Cydia appstore, gives an estimate of the popularity of the new evasi0n jailbreak.

So, are you jailbreaking? 

Topics: Apple, iOS, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • bugs

    The only bug this jailbreak employs is the improper checking in file paths when symlinks are used. It is not knows if this happens outside of the backup process, but it may. Any path related permissions should be checked after symlinks expansion.

    The other bug with the code less library is also interesting, but is in fact only necessary for lazier coding.

    Fixing the first bug will make these jailbreaks very hard to implement, with the cost of little performance loss.
  • Inside the iOS 6.1 jailbreak; how evad3rs cracked the Apple code

    bugs or no bugs. software is software. whatever kind of o/s or any software hardening is implemented, as long as the physical device is accessible nothing can be done to mitigate breaching and modifying the behaviour of the system. apple or no apple, the nomenclature software means that it is malleable and can easily be modified ... anybody who believes that their o/s is secured is living in a dream world.
  • Finally!

    more sleepless nights ahead!
  • Where do people get the time to do this sort of thing?

    Don't they have jobs and families to eat up all their time?
    Laraine Anne Barker
  • What's the problem?

    The little guy wins again. Age old conflict with the same plot, repeated time and time again like a game for children. What's the problem? We never seem to grow up.
  • Condemned To A Life On The Run

    The "jailbreak" metaphor is apt, because after you break out, you will forever be pursued by Apple's software-updater police, determined to lock you up again. You can never after trust any new items that your device may try to download. You are forever glancing over your shoulder, wondering if the next knock on your updater's door will be the one where they come for you.

    Who wants to live in such a world? I don't.
  • what?

    this isn't the fugitive man
  • Jailbreak 6.1.3

    The jailbreak for ios 6.1.3 is a tethered one, hopefully they will released a untethered one. but I was able to jailbreak my phone successfully to ios 6.1.3 using the guide here at WWW.JAILBREAKHOME.COM
    Adam Daieh