Some of the information provided in this post might be inaccurate; I am by no means an expert in jailbreaking, iOS internals or exploitation. If you spot any inaccurate information, please point it out so I can fix it! Suggesting corrections is much more productive than blindly hating or immediately writing this off as nonsense.
Like it or not, OpenJailbreak and Yalu signified a new era for jailbreaking: a community-driven environment. Future public jailbreaks will likely be catalysed by collaboration among developers, and open source is a very useful platform for this!
Finally, while this strives to inform developers new to jailbreaking, it doesn’t exactly use layman terms. Further independent research on topics will be needed.
— — — — —
What is a jailbreak?
A jailbreak is a set of vulnerabilities chained to overcome Apple’s defence mechanisms and to free your iPhone from its ‘walled garden’. It is important to understand that iOS is indeed an operating system similar to macOS or Linux, just optimised for your phone. In short, it gives you (and software you install) complete root access to your phone. Yes, complete access. As soon as you jailbreak your phone you are literally opening up root access to anything you install. Most software that end users will be able to install comes from trusted repositories, therefore the potential risk is low for those with a sensible mindset.
Most jailbreaks will install Cydia, by saurik. Cydia is an interface for APT, a package manager. It makes installing software user-friendly and provides a secure way for developers to accept payment for their tweaks or themes.
- KPP: Checks for kernel integrity at random intervals and triggers a kernel panic if it suspects it has been compromised. Stands for Kernel Patch Protection.
- KTRR/AMCC: Hardware implementation of KPP which does not perform checks at random intervals, present on A10 processors and above. Marks memory as read only.
- AMFI: Kernel extension that enforces codesigning. Stands for Apple Mobile File Integrity.
- Sandbox: Ensures an application can only access its own container of files, and cannot access any other files on your system.
- containermanagerd: Manages application containers. It is a daemon, as signified by the ‘d’ at the end of its process name.
- TFP0: Allows read/write access to the VM segment of the kernel through task ports. Stands for task_for_pid(0).
Multiple exploits are required to be chained together in order to achieve a complete jailbreak. The order of these may vary depending on the jailbreak, however, they must all be present. The exploits need are listed below:
Read/write access to the kernel is fundamental, and is required in order to patch out subsequent protections. It is fairly self-explanatory. With r/w, we can edit memory values of the kernel similarly to how the popular Cheat Engine works on desktop. You normally obtain kernel r/w by first finding tfp0.
Root access is one of the core concepts behind jailbreaking. Furthermore, setuid(0) must be accessible from other applications, otherwise stuff like Cydia or iCleaner will not function. The most common way to get root in modern jailbreaks is to patch your process’ credentials with the kernel’s, therefore allowing it to run setuid(0). In iOS 11, patching your credentials in this way will not alert KPP. A proper example of this can be seen in ninjaprawn’s fork of async_wake.
In order to patch AMFI without your phone kernel panicking, you need to first bypass KPP. Qwertyoruiopz released a method for this in his yalu102 jailbreak (and he claims it is technically usable on current iOS versions with some modification). This directly attacks KPP and does not circumvent KTRR/AMCC.
However, a popular way to get around KPP at the moment is using xerub’s KPPless. KPPless also means you do not have to defeat KTRR/AMCC, so supports the iPhone 7 and above. As far as I understand it, KPPless will unpatch the kernel before KPP can catch it, meaning no direct attack is needed. It will also modify areas not covered by KPP/KTRR. This method, if successful, also theoretically supports all devices on all current versions.
AMFI must be patched in order to allow binaries that aren’t signed by Apple to run, without this patch Cydia or Dropbear wouldn’t even launch. A few different AMFI patches are floating around, however with iOS 11, the popular solution is to inject the hash of the binary you wish to launch into the AMFI trust chain so that when the process launches AMFI believes it to be valid. The trust chain can be modified with the kernel r/w discussed earlier. This is explained by ninjaprawn in his implementation.
This is an important part of a jailbreak. Without this on a semi-tethered jailbreak, you will be unable to drop your payload (Cydia) or access files outside your container. This can be achieved on modern firmware by copying kernel creds into the process you wish to unsandbox.
NOTE: It is important to unsandbox containermanagerd as seen in mach_portal in order to make sure it handles root applications’ containers properly.
Remounting the Filesystem:
By default, ‘/’ is mounted as read-only. This is why you are unable to write to ‘/’ even with root access. In order to get around this, you must remount the filesystem as read/write. This is normally done through a combination of kernel patching and standard system functions, as seen in this code snippet from xerub.
While not necessary to make a jailbreak work, a tfp0 patch is useful to enable applications running as root to read and write to the kernel. It is also necessary for various downgrading solutions to work, more specifically to enable the setting of your nonce generator in the NVRAM. See futurerestore for more information.
— — — — —
Thanks for reading and congratulations on making it this far through my rambling! You can reach me on reddit at /u/benjibobs, feel free to ask questions, suggest changes or spam with wen eta there.
Gurupriyan is a Software Engineer and a technology enthusiast, he’s been working on the field for the last 6 years. Currently focusing on mobile app development and IoT.