MTU LUG Wiki

Minutes 2026-04-09

Presentation by Simone on iOS Jailbreaking

  • What is it?
    • Remove restrictions
    • Root access
    • Sideloading apps
    • Bypass code signing
  • Tools
    • Cydia (old)
    • Sileo
    • Checkra1n
  • iOS Architecture
    • Darwin kernel (derived from FreeBSD)
    • Enforces code signing
    • Apps are sandboxed
    • Secure boot chain (iBoot)
  • How does it work?
    • Exploits
      • Bootrom exploits like checkra1n and redsn0w, which are usually unpatchable
      • Userland exploits through apps or tools, usually get patched very quickly
    • Attempt privilege escalation
    • Patch out kernel protections
      • Caries wildly by iOS version and device
  • Types of jailbreaks
    • Untethered
      • Full reboot persistence
      • Died out by iOS 9
    • Semi-untethered
      • No reboot persistence
      • Requires an app to jailbreak each boot
      • Apps must be resigned each week
      • Most common type
    • Semi-tethered
      • Requires a computer to jailbreak each boot
      • Most bootrom exploits are this type
      • Computer tool overrides iOS boot chain
    • Tethered
      • Requires a computer each boot
      • Rare
    • Demo using iOS 10 on an iPhone 5S
      • Using browser exploit called Totally Not Spyware
        • Creates a popup saying the kernel was patched
      • Zebra is the package manager for this jailbreak
      • Reloaded into jailbroken state with theme
      • Hard crashed :(
      • After jailbreaking again, it reloads again and then died immediately.
    • What you can do
      • Install package manager
        • Cydia, Sileo, Zebra
        • Frontends for apt
      • Customization
        • Theming
        • UI modifications
      • Modify app or system behavior
      • SSH server
    • Jailbreaking is dead now
      • Modern iOS is much more secure
        • Signed boot chain
        • Page protection to stop kernel read and write
        • Pointer authentication code
        • Hasn't been a bootrom exploit in years
      • Can't downgrade iOS
        • Every iOS version is signed per individual device
        • SHSH blob must be saved to downgrade, but must be saved while still signed by Appled
        • Firmware incompatibilities
      • Apple hired prominent Jailbreak developers
        • Bug bounty programs
      • Apple added some Jailbreak features to stock iOS
        • Dark theme
        • Icon themes
    • Jailbreak compatibility
      • iPhone X and older
        • All versions vulnerable
        • Bootrom and software exploits
        • Devices are no longer supported by Apple
      • Newer devices
        • Userland exploits on iOS 17 and older
        • Generally don't exist now
    • Risks
      • Security risks
      • Can be unstable
      • Some apps will break
        • Games
        • Banking apps
      • Updating iOS usually patches the exploit
      • Legal grey area
        • Not exactly illegal
        • Violates Apple EULA
Retrieved from "https://lug.mtu.edu/w/index.php?title=Minutes_2026-04-09&oldid=8096"