How The Evasi0n iOS 6.x Untethered Jailbreak Works
Today was an awesome day for the Jailbreaking community! For the first time in nearly a year an Untethered Jailbreak was released that works on all devices, including the iPhone 5 and the 4th generation iPad with Retina display. The Jailbreak worked almost flawlessly, with only some people reporting errors with the stock Weather app. The Evasi0n iOS 6.x Untethered Jailbreak was also downloaded a whopping 100,000 times in only 10 minutes, which suggests this will be the biggest adoption rate for Jailbroken devices the community has ever seen.
As Jailbreaking tools nowadays are so well tested, it is easy for people to forget just how complex they really are. Sure, a Jailbreaking tool looks simple from its graphical user interface (GUI), but underneath it is the work of hundreds of hours by some of the brightest minds in the exploitation / hacking industry.
Braden Thomas from Accuvant Labs recently provided a detailed explanation of how Evasi0n was accomplished. It is definitely a technical read that is not for the faint-hearted, but the introduction provides a helpful overview.
Evasi0n’s userland component is very unique, because it is entirely filesystem-based. It doesn’t require memory corruption to escalate privileges from mobile to root. Perhaps it was named evasi0n because it evades all the userland exploit defenses instead of attacking them head-on.
Evasi0n works in 3 stages that are described below. All of the stages use functionality on the phone exposed by MobileBackup, the daemon used to back up user data from the device, and restore backups back to the device. Since backups are created by the user’s device, and must be interchangeable between devices, they cannot be easily cryptographically signed, so they are essentially untrusted data.
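The quoted introduction's key point is that a backup restored by MobileBackup is untrusted data that a privileged daemon writes onto the filesystem. As an added example, not code from the article, from Accuvant Labs or from the evasi0n project, here is a small Python restore routine written from the defender's side: every entry in a backup manifest is confined to a single restore root, and entries that are absolute, that climb out with `..`, or that pass through a symlinked directory are rejected rather than written. The restore root, the manifest format (relative path to file bytes) and the sample manifest in `demo()` are all assumptions constructed for the example, not the real iOS backup format.

```python
"""Added example: restoring an untrusted backup manifest without letting any
entry write outside the restore root. Not the article's or evasi0n's code;
the manifest format and sample data are constructed for illustration."""
import os
import posixpath
import tempfile


class UnsafeBackupEntry(ValueError):
    """Raised for a backup entry that must not be written."""


def safe_restore_path(root: str, relpath: str) -> str:
    """Map a manifest entry's relative path to an absolute destination under
    root, raising UnsafeBackupEntry if it would land anywhere else."""
    if not relpath or "\0" in relpath or "\\" in relpath:
        raise UnsafeBackupEntry(f"malformed path: {relpath!r}")
    if relpath.startswith("/"):
        raise UnsafeBackupEntry(f"absolute path not allowed: {relpath!r}")
    norm = posixpath.normpath(relpath)          # collapses "./" and "a//b"
    parts = norm.split("/")
    if norm == "." or ".." in parts:            # any surviving ".." escapes
        raise UnsafeBackupEntry(f"path escapes restore root: {relpath!r}")
    root_abs = os.path.realpath(root)
    # Refuse to descend through any symlinked ancestor: a link restored (or
    # planted) earlier must not redirect a later file outside the root.
    cur = root_abs
    for part in parts[:-1]:
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            raise UnsafeBackupEntry(f"symlink in path: {relpath!r}")
    dest = os.path.join(root_abs, *parts)
    # Belt and braces: the fully resolved destination must still be inside root.
    if os.path.commonpath([root_abs, os.path.realpath(dest)]) != root_abs:
        raise UnsafeBackupEntry(f"resolved outside root: {relpath!r}")
    return dest


def is_safe_entry(root: str, relpath: str) -> bool:
    """Convenience predicate around safe_restore_path."""
    try:
        safe_restore_path(root, relpath)
        return True
    except UnsafeBackupEntry:
        return False


def restore_backup(root: str, manifest: dict):
    """Write each (relpath -> bytes) entry under root. Only regular files are
    supported on purpose: the restore never recreates symlinks or device
    nodes from untrusted input. Returns (restored paths, rejected (path,
    reason) pairs) so a caller can log what was refused."""
    restored, rejected = [], []
    for relpath, data in manifest.items():
        try:
            dest = safe_restore_path(root, relpath)
        except UnsafeBackupEntry as exc:
            rejected.append((relpath, str(exc)))
            continue
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            fh.write(data)
        restored.append(relpath)
    return restored, rejected


def demo():
    """Constructed manifest (sample data, not a real iOS backup): two benign
    files, two traversal attempts and one entry routed through a symlink
    that points at the root's parent directory."""
    root = tempfile.mkdtemp(prefix="restore-")
    os.symlink(os.path.dirname(root), os.path.join(root, "escape"))
    manifest = {
        "Library/Preferences/com.example.plist": b"<plist/>",
        "Documents/notes.txt": b"hello",
        "../outside.txt": b"should never be written",
        "/etc/hosts": b"should never be written",
        "escape/evil.txt": b"should never be written",
    }
    restored, rejected = restore_backup(root, manifest)
    return restored, [path for path, _ in rejected]


if __name__ == "__main__":
    ok, bad = demo()
    print("restored:", ok)
    print("rejected:", bad)
```

The ancestor walk is the part that matters most for a long-running restore: validating the string alone is not enough once earlier entries (or anything else on the device) can place a symlink under the root, so each directory on the way to the destination is checked at write time rather than once up front.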
Something to point out about Evasi0n is that, unlike the exploits used by JailbreakMe, Evasi0n’s exploit is less dangerous in terms of what it could do in the hands of a malicious hacker. Thomas explains:
Unlike the previous jailbreakme.com exploits, which could be used against an unwitting victim, jailbreaks that require USB tethering have a lower security impact, and are usually only useful to the phone’s owner. Attackers are less interested because iPhones with a passcode set will refuse to communicate over USB if they are locked, unless they have previously paired with the connecting computer. So if your phone is stolen and it’s locked, attackers won’t be able to jailbreak it. Therefore, only malicious code already running on your computer can leverage USB jailbreaks nefariously.
Definitely check out the entire article on Accuvant Labs if you are curious about all the technicalities. I think now would be a good time to remind you that if you enjoyed the iOS 6.x Untethered Jailbreak released by the Evad3rs, donate for all the hard work and effort that went into it (or click their ads hehe).