Inside the iOS 6.1 jailbreak; how evad3rs cracked the Apple code

There are numerous exploit mitigations in iOS 6.1 that make jailbreaking incredibly difficult, including sandboxing, ASLR, and code signature requirements, but that didn't stop four developers from defeating all of them.

Inside the Evasi0n jailbreak for iOS 6.1 - Jason O'Grady

Untethered jailbreaks are usually pretty trivial to install, but despite their one-click UIs, there's a lot going on under the hood. On Monday, evad3rs released the first untethered jailbreak for devices running iOS 6.0/6.1: Evasi0n.

Forbes' Andy Greenberg scored an exclusive interview with David Wang, one of the evad3rs' four developers, who described in copious detail how the evasi0n jailbreak takes advantage of at least five (count 'em!) vulnerabilities in the iOS 6.1 code to patch the kernel and run unsigned code.

Evasi0n exploits a bug in iOS’s mobile backup system, edits a time zone file, defeats code-signing, makes the root file system writable, decodes Address Space Layout Randomization (ASLR), then exploits a bug in Apple's USB implementation to make the kernel writable. Whoa.

In the Forbes interview, Wang lays out seven steps explaining how the evasi0n jailbreak does its magic. Here's my personal favorite:

Even after all those contortions, a device isn't jailbroken until its restrictions are removed at the "kernel" layer, the deepest part of the operating system that performs the code-signing checks to prevent running unapproved apps using a process called the Apple Mobile File Integrity Daemon (AMFID). So evasi0n uses launchd to load a library of functions into AMFID every time a program launches that somehow swaps out the function that checks for a code signature for one that always returns an "approved" answer. Wang won't say exactly how that AMFID-defeating part of the jailbreak works. "Apple can figure that one out for themselves," he says.

And you can bet Apple is reverse engineering the jailbreak so that it can release a patch to break the, ahem, jailbreak shortly. Accuvant Labs has already begun to reverse engineer the jailbreak and has posted some of its analysis.

This tweet from Jay Freeman, administrator of the Cydia app store, gives an estimate of the popularity of the new evasi0n jailbreak.

So, are you jailbreaking?