Minutes 2026-04-09

From MTU LUG Wiki
Revision as of 23:29, 9 April 2026 by Freya

Presentation by Simone on iOS Jailbreaking

  • What is it?
    • Remove restrictions
    • Root access
    • Sideloading apps
    • Bypass code signing
  • Tools
    • Cydia (old)
    • Sileo
    • Checkra1n
  • iOS Architecture
    • Darwin kernel (derived from FreeBSD)
    • Enforces code signing
    • Apps are sandboxed
    • Secure boot chain (iBoot)
  • How does it work?
    • Exploits
      • Bootrom exploits, such as those used by checkra1n and redsn0w, which are usually unpatchable
      • Userland exploits through apps or tools, which usually get patched very quickly
    • Attempt privilege escalation
    • Patch out kernel protections
      • Varies wildly by iOS version and device
  • Types of jailbreaks
    • Untethered
      • Full reboot persistence
      • Died out by iOS 9
    • Semi-untethered
      • No reboot persistence
      • Requires an app to jailbreak each boot
      • Apps must be resigned each week
      • Most common type
    • Semi-tethered
      • Requires a computer to jailbreak each boot
      • Most bootrom exploits are this type
      • Computer tool overrides iOS boot chain
    • Tethered
      • Requires a computer each boot
      • Rare
    • Demo using iOS 10 on an iPhone 5S
      • Using a browser exploit called Totally Not Spyware
        • Creates a popup saying the kernel was patched
      • Zebra is the package manager for this jailbreak
      • Reloaded into jailbroken state with theme
      • Hard crashed :(
      • After jailbreaking again, it reloaded again and then died immediately.
    • What you can do
      • Install package manager
        • Cydia, Sileo, Zebra
        • Frontends for apt
      • Customization
        • Theming
        • UI modifications
      • Modify app or system behavior
      • SSH server
    • Jailbreaking is dead now
      • Modern iOS is much more secure
        • Signed boot chain
        • Page protection to stop kernel read and write
        • Pointer authentication code
        • Hasn't been a bootrom exploit in years
      • Can't downgrade iOS
        • Every iOS version is signed per individual device
        • An SHSH blob must be saved to downgrade, and it must be saved while the version is still being signed by Apple
        • Firmware incompatibilities
      • Apple hired prominent Jailbreak developers
        • Bug bounty programs
      • Apple added some Jailbreak features to stock iOS
        • Dark theme
        • Icon themes
    • Jailbreak compatibility
      • iPhone X and older
        • All versions vulnerable
        • Bootrom and software exploits
        • Devices are no longer supported by Apple
      • Newer devices
        • Userland exploits on iOS 17 and older
        • Generally don't exist now
    • Risks
      • Security risks
      • Can be unstable
      • Some apps will break
        • Games
        • Banking apps
      • Updating iOS usually patches the exploit
      • Legal grey area
        • Not exactly illegal
        • Violates Apple EULA
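
The per-device signing and SHSH blob point under "Can't downgrade iOS", as an added illustration that is not from the presentation or this wiki: a toy model in which HMAC stands in for Apple's real signing scheme, and the ECIDs, version strings and signing window are constructed values. It shows why a blob requested after the signing window closes is refused, why one saved in time still restores later, and why a blob saved for one device cannot be reused on another.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key standing in for Apple's private signing key (never public).
SIGNER_KEY = b"constructed-demo-key-not-apple"


def _payload(ecid: str, version: str) -> bytes:
    # The signed data binds one firmware version to one device's ECID.
    return json.dumps({"ecid": ecid, "version": version}, sort_keys=True).encode()


def request_shsh(ecid: str, version: str, signing_window: set) -> Optional[dict]:
    """Simulated signing server: issues a blob only while `version` is still signed."""
    if version not in signing_window:
        return None  # signing window closed: nothing can be saved for this version
    sig = hmac.new(SIGNER_KEY, _payload(ecid, version), hashlib.sha256).hexdigest()
    return {"ecid": ecid, "version": version, "sig": sig}


def device_accepts_restore(device_ecid: str, version: str, blob: Optional[dict]) -> bool:
    """Simulated restore check: the blob must be authentic and bound to this device and version."""
    if blob is None or blob["ecid"] != device_ecid or blob["version"] != version:
        return False
    expected = hmac.new(SIGNER_KEY, _payload(blob["ecid"], blob["version"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, blob["sig"])


def downgrade_scenario() -> dict:
    """Walk through why an SHSH blob must be saved while the version is still signed."""
    old, new = "10.3.3", "12.5.7"  # constructed version strings
    # Phase 1: `old` is still signed; device A saves its blob, device B does not.
    saved_a = request_shsh("ecid-A", old, {old})
    # Phase 2: Apple stops signing `old`; only `new` is in the window now.
    late_request = request_shsh("ecid-B", old, {new})
    # Phase 3: device B tries to reuse A's saved blob by editing the ECID in it.
    reused = dict(saved_a, ecid="ecid-B")
    return {
        "late_request_refused": late_request is None,
        "a_restores_with_saved_blob": device_accepts_restore("ecid-A", old, saved_a),
        "b_cannot_reuse_a_blob": not device_accepts_restore("ecid-B", old, reused),
        "a_blob_not_valid_for_other_version": not device_accepts_restore("ecid-A", new, saved_a),
    }


if __name__ == "__main__":
    print(downgrade_scenario())
```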