The content of the article
Last year, one of the Google Project Zero specialists posted an exploit online for a vulnerability present in all versions of iOS 10 and 11 up to 11.1.2. A tempting opportunity to hack, or rather jailbreak, iOS 11 has appeared on the horizon. To what extent have the expectations of device hacking fans been met? What threat does the existence of the vulnerability (and working jailbreaks) pose to ordinary users and how can it be useful for hackers? Let's try to figure it out in this article.
And then Google appears on the scene - Apple's worst friend. Yes, Apple pays a lot of money for the ability to store iCloud data on Google servers (remember, iCloud is an Apple-managed combination of cloud servers owned by Google, Microsoft, Amazon and AT&T), and yes, Google releases its software for iOS devices - but this does not in any way prevent the company from publishing information about the vulnerabilities found in the Google Project Zero laboratory.
The latest vulnerability found was also discovered by Google lab employee Ian Beer. The vulnerability, named tfp0 (derived from task_for_pid ( 0 ) ), allowed the researcher to write ready-made privilege escalation code in all versions of iOS 10, some versions of macOS, and iOS 11.0–11.1.2.
Google reported the vulnerability to Apple, Apple released an update to iOS 11.2, which closed the vulnerability. Subsequently, information about it and the finished source code were published.
This move by Google was met with mixed reactions by both ordinary users and the jailbreaking community. Many users felt that Google was going too far; this point of view is not without foundation, especially if we remember that Google Project Zero employees published information about vulnerabilities in the Microsoft OS even before Microsoft had time to release patches.
Members of the jailbreaking community also had mixed reactions to this news. Thus, some development teams have released their own versions of jailbreaks simply using ready-made code - without even trying to integrate Cydia (available as source codes). Jay Freeman (saurik) in an interview spoke openly negatively both about those who want to quickly release crude jailbreaks based on ready-made code (get it and sign it!), and about developers who criticize Cydia.
Nevertheless, no matter what they are, there are jailbreaks. Let's see how to install them and how they differ from each other. But first, let’s carefully prepare for the hacking procedure.
So, what should you do before you try to hack your device?
Just create a fresh backup of your data using iTunes. Be sure to set a password for the backup: even if you are one of those who have “nothing to hide,” having a password on the backup will allow you to restore all your data, including saved passwords from the keychain, both to your current device and to another iPhone or iPad. But if you don’t set a password, then all keys and passwords will be encrypted using a hardware key, as a result of which you can restore such a backup in full only to the same phone or tablet from which you created the backup. If something goes wrong, you can always restore your phone from a backup in almost the same form as before jailbreak.
But, unfortunately, you won’t be able to save SHSH2 blobs: Apple has stopped signing all firmware for which jailbreaks are available. The exception is the old iPhone 5 or 5c, for which iOS 10.3.3 is available (and still subscribed).
What all jailbreaks have in common is their limited operating time. After each device reboot, you will have to re-launch the jailbreak utility on the device itself, and once every seven days you will have to repeat the entire process again due to the fact that the digital certificate will expire. The exception is having a registered developer account or corporate account with the appropriate Apple ID; however, using such accounts to sign a jailbreak is quite risky.
Why do you need such a highly specialized jailbreak if you have h3lix? G0blin works a little more stable, it is better compatible with those devices and iOS versions that it supports. The first version (RC1) of the jailbreak includes the SSH service (dropbear); in the second (RC2) SSH is not included, and OpenSSH must be installed separately from Cydia.
Thus, the LiberIOS developer has an extremely negative attitude towards Cydia. Cydia is not (and will not be) included in the utility, and the jailbreak can only be used for purely research purposes.
But the Electra developer included both the SSH service and the Cydia application store in the jailbreak. This is the jailbreak we recommend for use.
In classic jailbreaks, they tried to disable the KPP mechanism. This approach was called KPP bypass; This is what is used in the Pangu and Yalu jailbreaks.
In iOS 11 jailbreaks based on a new vulnerability, the developers decided to bypass KPP in a different way. Now, instead of modifying the kernel, jailbreak modifies other parts of the system - those that are not verified by the KPP mechanism. Yes, nothing prevents Apple from adding checks for these areas of the file system in the next iOS update - but we are talking about the “here and now”!
What are the disadvantages of the new method? It requires a major overhaul of Cydia Substrate, which relies on missing KPP checks. To date, the only jailbreak that supports Cydia on iOS 11 is Electra.
If you are interested in the KPP mechanism and the ways in which developers of jailbreaking utilities bypass it, you should go here: How Kernel Patch Protection Works and How Hackers Bypass KPP.
Let's say you installed a jailbreak on a phone with iOS 11.1.2. After some time, the errors accumulated as a result of the experiments led to problems that interfered with the use of the device. What options do you have?
First, you can try resetting your phone to factory settings. Your data will be deleted, but traces of the jailbreak (and possibly some tweaks) may still remain on the system, leading to further instability and making it impossible to install OTA updates correctly. So, a factory reset may help, but not when serious problems have accumulated.
For Apple devices, you can always use device recovery through iTunes. In this case, the latest version of iOS will be downloaded as full firmware, which will be installed on the phone.
What if you are not going to install the latest version of iOS, for which there may not be a jailbreak? If you want to stay on the same version that you installed the jail on?
Before discussing possible options, let's briefly recall how updating (or reinstalling) iOS works. In order for the iPhone to install the firmware, it will need to contact the Apple server and obtain a digital signature. This digital signature will only be valid for a specific device instance and only for a specific version of iOS.
As you can see, Apple holds all the cards here. If the company's server refuses to sign a particular firmware version, you will not be able to install it on your phone or tablet. Speaking of iOS 11, Apple has long stopped signing the latest version 11.1.2, which is jailbroken. Thus, using standard tools, you can only restore your phone to the current (sometimes penultimate) version of iOS, which Apple is currently signing.
If Apple were signing iOS 11.1.2 now, you would be able to keep the SHSH2 blobs. Using SHSH2 blobs, you could restore your iPhone to this version of the system at any time in the future. Alas, saving blobs is only possible while Apple is still signing the required version of iOS.
And yet, there is a way out! Instead of SHSH2 blobs, you can try saving a snapshot of the APFS root file system immediately after jailbreak. In the case of the Electra jail, the required snapshot of the root file system is created during the process of hacking the device. By restoring the APFS image after jailbreak, you can roll back to a known working copy of the system.
How exactly is this done, what is an “APFS image” and where is it created?
Users unfamiliar with the implementation of the Apple File System (APFS) assume that a snapshot is something like a file that is saved in some directory. This is wrong. The closest analogy to an APFS snapshot is the Windows “recovery image”, which can be found in the “System Protection” panel.
Here's how Electra works in its release version (information directly from Coolstar, the developer of the Electra jailbreak):
Great, the snapshot has been created! How can I restore a clean OS from this image, and at the same time remove the “tails” remaining from the jailbreak? At this point I have to slow down: the necessary tool (its name is SemiRestore11) is not ready yet, but Coolstar promises to release it in the near future.
In the future, you will be able to use this utility, but with one caveat: the snapshot will be restored to the state at the time “immediately after the hack,” that is, file system modifications made during the installation of the jailbreak will not be restored.
To completely remove traces of jailbreak, you will need to reset your device to factory settings (Reset → Erase all Contents and Settings). When you reset, all data from / var will be deleted , and you will get a clean version of the system (iOS 11.0–11.1.2).
For now, you just have to wait. It is strictly not recommended to use old versions of SemiRestore or unknown utilities found somewhere unknown.
Let's watch. In order to take advantage of a vulnerability and hack a device, you need to make a conscious effort, perform a number of non-trivial movements and, in general, unlock the phone and establish a trusted connection with the computer. To establish a trusted connection in iOS 11, you will need to not only unlock your phone, but also enter the lock password. And if you know the locking password, then you can create a backup copy of the phone without any vulnerabilities (including all passwords from the browser - for example, passwords from social networks will most likely end up there); if the backup was protected with a password, then it can be reset in just a couple of clicks. Using a lock password, you can reset or change your iCloud password, lock or delete data from all devices registered to the same Apple account; Finally, you can easily unlink your phone from iCloud without knowing your Apple ID password. We have already described all this in the article “What can you do with an iPhone if you know the passcode. How data is leaked, iCloud is stolen and other devices are blocked.”
So what additional danger does the discovered vulnerability pose? If we talk about the average user, then, perhaps, none. Moreover, an ordinary user will most likely never encounter it: all applications in the App Store are moderated, and a program that exploits this vulnerability will not be allowed there.
Police can use jailbreaking to extract additional information from the device (physical data extraction, for example, using Elcomsoft iOS Forensic Toolkit). You can do this too, but is there any point in it? Compared to what can be extracted from a regular backup (with a password), physically extracting the data will give access to downloaded email messages, system logs and a detailed history of the device's location. You can access application sandboxes - for example, analyze correspondence in Telegram, WhatsApp or Facebook Messenger. You can view your browser's temporary files. This is certainly useful information for the police, but do you need it? Considering that there are practically no useful tweaks for iOS 11 (and the usefulness of old ones in the new version of the OS is a big question), then jailbreaking iOS 11 becomes the lot of enthusiastic developers, security specialists and the police.
(c) https://spy-soft.net/jailbreak-ios-11/
- Jailbreak iOS 11: what does Google have to do with it?
- Preparing for Jailbreak
- Installing jailbreak
- Programs for hacking iOS 10–11.1.2
- Features of iOS 11 jailbreak
- Rollback option
- What could this mean?
Last year, one of the Google Project Zero specialists posted an exploit online for a vulnerability present in all versions of iOS 10 and 11 up to 11.1.2. A tempting opportunity to hack, or rather jailbreak, iOS 11 has appeared on the horizon. To what extent have the expectations of device hacking fans been met? What threat does the existence of the vulnerability (and working jailbreaks) pose to ordinary users and how can it be useful for hackers? Let's try to figure it out in this article.
Jailbreak iOS 11: what does Google have to do with it?
Things haven't been going well in the jailbreaking community in recent years. This is largely due not to the fact that the latest versions of operating systems are particularly safe, but to the amount of money companies pay for the errors they find. New vulnerabilities are very, very difficult to find, and when they are found, they are most often sold to Apple itself or to vulnerability hunters. The temptation to earn 50-100 thousand dollars is great, and rarely do any vulnerabilities become public knowledge.And then Google appears on the scene - Apple's worst friend. Yes, Apple pays a lot of money for the ability to store iCloud data on Google servers (remember, iCloud is an Apple-managed combination of cloud servers owned by Google, Microsoft, Amazon and AT&T), and yes, Google releases its software for iOS devices - but this does not in any way prevent the company from publishing information about the vulnerabilities found in the Google Project Zero laboratory.
The latest vulnerability found was also discovered by Google lab employee Ian Beer. The vulnerability, named tfp0 (derived from task_for_pid ( 0 ) ), allowed the researcher to write ready-made privilege escalation code in all versions of iOS 10, some versions of macOS, and iOS 11.0–11.1.2.
Google reported the vulnerability to Apple, Apple released an update to iOS 11.2, which closed the vulnerability. Subsequently, information about it and the finished source code were published.
This move by Google was met with mixed reactions by both ordinary users and the jailbreaking community. Many users felt that Google was going too far; this point of view is not without foundation, especially if we remember that Google Project Zero employees published information about vulnerabilities in the Microsoft OS even before Microsoft had time to release patches.
Members of the jailbreaking community also had mixed reactions to this news. Thus, some development teams have released their own versions of jailbreaks simply using ready-made code - without even trying to integrate Cydia (available as source codes). Jay Freeman (saurik) in an interview spoke openly negatively both about those who want to quickly release crude jailbreaks based on ready-made code (get it and sign it!), and about developers who criticize Cydia.
Nevertheless, no matter what they are, there are jailbreaks. Let's see how to install them and how they differ from each other. But first, let’s carefully prepare for the hacking procedure.
Preparing for Jailbreak
For some reason, almost nowhere is the process that should precede the installation of jailbreak discussed. Meanwhile, if something goes wrong, you may have to update your device to the latest version of iOS and restore your data.So, what should you do before you try to hack your device?
Just create a fresh backup of your data using iTunes. Be sure to set a password for the backup: even if you are one of those who have “nothing to hide,” having a password on the backup will allow you to restore all your data, including saved passwords from the keychain, both to your current device and to another iPhone or iPad. But if you don’t set a password, then all keys and passwords will be encrypted using a hardware key, as a result of which you can restore such a backup in full only to the same phone or tablet from which you created the backup. If something goes wrong, you can always restore your phone from a backup in almost the same form as before jailbreak.
But, unfortunately, you won’t be able to save SHSH2 blobs: Apple has stopped signing all firmware for which jailbreaks are available. The exception is the old iPhone 5 or 5c, for which iOS 10.3.3 is available (and still subscribed).
Installing jailbreak
All new jailbreaks based on the vulnerability discovered in Google Project Zero are installed in exactly the same way. However, existing Yalu jailbreaks are installed in the same way. The list of steps is simple.- Download the jailbreak IPA file (links below) and the Cydia Impactor application.
- We connect the iPhone to the computer and establish a trust relationship by confirming the request “Trust this computer?” (Please note: for iOS 11, you will need to enter your device lock password at this stage; for iOS 10, no password is required).
- Launch Cydia Impactor and drag the jailbreak IPA file onto it.
- Cydia Impactor will ask for your Apple ID and password. Enter the Apple ID and password for any active Apple account (by the way, you can easily use a new, just created account).
- The IPA file will be signed (the certificate is valid for only seven days!) and downloaded to the device. That's not all; In order to run the file, you will need to confirm that you trust the digital signature.
- To confirm the power of attorney of the digital signature with which you signed the IPA file at the time it was downloaded to the device, go to Settings → General → Profiles → Profiles & Device management (if the system is set to Russian, then “Settings → General → Profiles” or “ Profiles and device management") Please note: in order to confirm the trusted status of the certificate, you will have to allow the phone to access the Internet (at a minimum, establish a connection to the ppq.apple.com server).
- Only after this you can finally launch the jailbreak itself. If everything goes well, the phone will be hacked and you will gain access to the device's file system.
What all jailbreaks have in common is their limited operating time. After each device reboot, you will have to re-launch the jailbreak utility on the device itself, and once every seven days you will have to repeat the entire process again due to the fact that the digital certificate will expire. The exception is having a registered developer account or corporate account with the appropriate Apple ID; however, using such accounts to sign a jailbreak is quite risky.
Programs for hacking iOS 10–11.1.2
So, what jailbreaks based on the described vulnerability are currently available? There are quite a few of them, but only a few are useful. Here's what we selected:- h3lix (iOS 10.0–10.3.3, 32-bit);
- Meridian (iOS 10.0–10.3.3, 64-bit);
- g0blin (iOS 10.3.x, 64-bit, A7–A9 only);
- LiberIOS (iOS 11.0–11.1.2);
- Electra (iOS 11.0–11.1.2).
h3lix: iOS 10 for 32-bit devices
h3lix is a typical representative of the new generation of jailbreaks. It supports all 32-bit devices running all versions of iOS 10. This includes iPhone 5, 5c, and 32-bit iPad and iPod Touch. The developers included Cydia in the jailbreak, so there are no difficulties installing unsigned applications. We did not find any particular problems with this jailbreak, so we can recommend it for any 32-bit devices on all versions of iOS 10.Meridian: iOS 10 for 64-bit devices
Meridian jailbreak will help you hack 64-bit devices (iPhone 5s - iPhone X, as well as iPad tablets of the corresponding generations) running on any version of iOS. In our testing, this jailbreak turned out to be extremely finicky, so if your phone is running iOS 10.2.1 or older, it's better to use Yalu or Saigon. Cydia is included; In order for the application store to work, do not forget to click extract dpkg immediately after jailbreak.g0blin: iOS 10.3.x, 64-bit, only for devices on A7–A9
Standing apart in the warm company of jailbreaks is the g0blin utility, which can hack a limited number of combinations of devices and iOS versions. In particular, models from iPhone 5s to iPhone 7/Plus are supported, as well as iPad tablets equipped with processors of the A7, A8 and A9 generations. Supported iOS versions are also limited: jailbreak only works on iOS 10.3–10.3.3.Why do you need such a highly specialized jailbreak if you have h3lix? G0blin works a little more stable, it is better compatible with those devices and iOS versions that it supports. The first version (RC1) of the jailbreak includes the SSH service (dropbear); in the second (RC2) SSH is not included, and OpenSSH must be installed separately from Cydia.
iOS 11.0–11.2: LiberIOS and Electra
There are at least two ready-made jailbreaks for iOS 11: LiberIOS and Electra. Both jailbreaks use the same code, but the developers' approaches differ.Thus, the LiberIOS developer has an extremely negative attitude towards Cydia. Cydia is not (and will not be) included in the utility, and the jailbreak can only be used for purely research purposes.
But the Electra developer included both the SSH service and the Cydia application store in the jailbreak. This is the jailbreak we recommend for use.
Features of iOS 11 jailbreak
iOS 11 jailbreaking tools use a new approach called KPP-less. KPP (Kernel Patch Protection) is a kernel integrity check mechanism first used by Apple in iOS 9. This mechanism checks the integrity of the system kernel both during the boot process and during operation. The peculiarity of the KPP mechanism is that the next check can be carried out at a random time. If you hack the device, and the KPP background service detects changes in the system kernel, the phone will simply reboot. KPP was developed by Apple primarily to protect against jailbreaking, but it can also help against malicious code (at least in theory).In classic jailbreaks, they tried to disable the KPP mechanism. This approach was called KPP bypass; This is what is used in the Pangu and Yalu jailbreaks.
In iOS 11 jailbreaks based on a new vulnerability, the developers decided to bypass KPP in a different way. Now, instead of modifying the kernel, jailbreak modifies other parts of the system - those that are not verified by the KPP mechanism. Yes, nothing prevents Apple from adding checks for these areas of the file system in the next iOS update - but we are talking about the “here and now”!
What are the disadvantages of the new method? It requires a major overhaul of Cydia Substrate, which relies on missing KPP checks. To date, the only jailbreak that supports Cydia on iOS 11 is Electra.
If you are interested in the KPP mechanism and the ways in which developers of jailbreaking utilities bypass it, you should go here: How Kernel Patch Protection Works and How Hackers Bypass KPP.
Rollback option
Keep in mind: jailbreaking your system may be irreversible. This doesn't mean you can't restore your device through iTunes or reset it to factory settings. However, let's try to figure out what will happen in both cases.Let's say you installed a jailbreak on a phone with iOS 11.1.2. After some time, the errors accumulated as a result of the experiments led to problems that interfered with the use of the device. What options do you have?
First, you can try resetting your phone to factory settings. Your data will be deleted, but traces of the jailbreak (and possibly some tweaks) may still remain on the system, leading to further instability and making it impossible to install OTA updates correctly. So, a factory reset may help, but not when serious problems have accumulated.
For Apple devices, you can always use device recovery through iTunes. In this case, the latest version of iOS will be downloaded as full firmware, which will be installed on the phone.
What if you are not going to install the latest version of iOS, for which there may not be a jailbreak? If you want to stay on the same version that you installed the jail on?
Before discussing possible options, let's briefly recall how updating (or reinstalling) iOS works. In order for the iPhone to install the firmware, it will need to contact the Apple server and obtain a digital signature. This digital signature will only be valid for a specific device instance and only for a specific version of iOS.
As you can see, Apple holds all the cards here. If the company's server refuses to sign a particular firmware version, you will not be able to install it on your phone or tablet. Speaking of iOS 11, Apple has long stopped signing the latest version 11.1.2, which is jailbroken. Thus, using standard tools, you can only restore your phone to the current (sometimes penultimate) version of iOS, which Apple is currently signing.
If Apple were signing iOS 11.1.2 now, you would be able to keep the SHSH2 blobs. Using SHSH2 blobs, you could restore your iPhone to this version of the system at any time in the future. Alas, saving blobs is only possible while Apple is still signing the required version of iOS.
And yet, there is a way out! Instead of SHSH2 blobs, you can try saving a snapshot of the APFS root file system immediately after jailbreak. In the case of the Electra jail, the required snapshot of the root file system is created during the process of hacking the device. By restoring the APFS image after jailbreak, you can roll back to a known working copy of the system.
How exactly is this done, what is an “APFS image” and where is it created?
Users unfamiliar with the implementation of the Apple File System (APFS) assume that a snapshot is something like a file that is saved in some directory. This is wrong. The closest analogy to an APFS snapshot is the Windows “recovery image”, which can be found in the “System Protection” panel.
Here's how Electra works in its release version (information directly from Coolstar, the developer of the Electra jailbreak):
- Before jailbreaking a device, Electra will check the state of the device's file system (if another jailbreak or many tweaks were installed, the check will not pass).
- If the file system is in a “sufficiently clean” state (the jailbreak is installed on a clean system, or one of the pre-builds of Electra was installed - without tweaks that modify the system partition), a snapshot of the APFS root file system will be created.
- If another jailbreak was installed or other potentially dangerous file system modifications were detected, Electra will ask for confirmation to continue the hacking procedure.
Great, the snapshot has been created! How can I restore a clean OS from this image, and at the same time remove the “tails” remaining from the jailbreak? At this point I have to slow down: the necessary tool (its name is SemiRestore11) is not ready yet, but Coolstar promises to release it in the near future.
In the future, you will be able to use this utility, but with one caveat: the snapshot will be restored to the state at the time “immediately after the hack,” that is, file system modifications made during the installation of the jailbreak will not be restored.
To completely remove traces of jailbreak, you will need to reset your device to factory settings (Reset → Erase all Contents and Settings). When you reset, all data from / var will be deleted , and you will get a clean version of the system (iOS 11.0–11.1.2).
For now, you just have to wait. It is strictly not recommended to use old versions of SemiRestore or unknown utilities found somewhere unknown.
What could this mean?
Having a vulnerability that allows you to gain root privileges is serious. But is this vulnerability in iOS so scary for the average user?Let's watch. In order to take advantage of a vulnerability and hack a device, you need to make a conscious effort, perform a number of non-trivial movements and, in general, unlock the phone and establish a trusted connection with the computer. To establish a trusted connection in iOS 11, you will need to not only unlock your phone, but also enter the lock password. And if you know the locking password, then you can create a backup copy of the phone without any vulnerabilities (including all passwords from the browser - for example, passwords from social networks will most likely end up there); if the backup was protected with a password, then it can be reset in just a couple of clicks. Using a lock password, you can reset or change your iCloud password, lock or delete data from all devices registered to the same Apple account; Finally, you can easily unlink your phone from iCloud without knowing your Apple ID password. We have already described all this in the article “What can you do with an iPhone if you know the passcode. How data is leaked, iCloud is stolen and other devices are blocked.”
So what additional danger does the discovered vulnerability pose? If we talk about the average user, then, perhaps, none. Moreover, an ordinary user will most likely never encounter it: all applications in the App Store are moderated, and a program that exploits this vulnerability will not be allowed there.
Police can use jailbreaking to extract additional information from the device (physical data extraction, for example, using Elcomsoft iOS Forensic Toolkit). You can do this too, but is there any point in it? Compared to what can be extracted from a regular backup (with a password), physically extracting the data will give access to downloaded email messages, system logs and a detailed history of the device's location. You can access application sandboxes - for example, analyze correspondence in Telegram, WhatsApp or Facebook Messenger. You can view your browser's temporary files. This is certainly useful information for the police, but do you need it? Considering that there are practically no useful tweaks for iOS 11 (and the usefulness of old ones in the new version of the OS is a big question), then jailbreaking iOS 11 becomes the lot of enthusiastic developers, security specialists and the police.
(c) https://spy-soft.net/jailbreak-ios-11/
