Abstract: A short introduction to iOS and to the jailbreaking of Apple's iOS devices, together with a general overview of the iOS device and security architecture, is followed by a walk-through of the jailbreaking process itself and by concrete examples of the currently available jailbreaks and tools, including Cydia, jailbreakme.com and greenpois0n.
Keywords: iOS, jailbreak, security, greenpois0n, jailbreakme.com
1. Exploit a code-execution vulnerability to deploy and execute the jailbreak payload.
2. Execute the payload; if required, gain root by exploiting a privilege escalation vulnerability.
3. Patch LLB, iBoot and the kernel to remove the signature checks.
4. Install Cydia to allow installation of unsigned third-party applications.
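The order of the four steps follows from the chain of trust: every boot stage verifies the signature of the stage it loads next, so a patched stage is itself refused by the stage before it, all the way back to the bootrom, which is mask ROM and cannot be patched at all. The Python below is an added example written for this page, not code from greenpois0n or from the Chronic Dev-Team. It models a constructed five-stage chain (bootrom, LLB, iBoot, kernel, app); HMAC-SHA256 with a made-up key stands in for the real public-key signature check, and a `bootrom_exploited` flag stands in for the runtime code execution of step 1. The stage images, the `[sigcheck patched]` marker and the scenario names are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example. HMAC-SHA256 stands in for the public-key signature check the real
# boot chain performs; SIGNING_KEY plays the role of the vendor's private signing key,
# which the attacker does not have.
SIGNING_KEY = b"constructed-vendor-signing-key"


def sign(image: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, image, hashlib.sha256).digest()


def verify(image: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(image), sig)


@dataclass(frozen=True)
class Stage:
    name: str
    image: bytes
    sig: bytes
    checks_next: bool = True   # False once this stage's signature check has been patched out
    in_rom: bool = False       # the bootrom is mask ROM: it cannot be patched, only exploited at runtime


def signed_stage(name: str, image: bytes, in_rom: bool = False) -> Stage:
    return Stage(name, image, sign(image), in_rom=in_rom)


def stock_chain() -> List[Stage]:
    # Simplified chain of trust (constructed): each element verifies the one after it.
    return [
        signed_stage("bootrom", b"rom code", in_rom=True),
        signed_stage("LLB", b"llb code"),
        signed_stage("iBoot", b"iboot code"),
        signed_stage("kernel", b"kernel code"),
        signed_stage("app", b"app code"),   # userland; the kernel enforces code signing here
    ]


def tamper(stage: Stage, note: bytes) -> Stage:
    """Modify a stage's image. Without the signing key the old signature has to stay."""
    return Stage(stage.name, stage.image + note, stage.sig, stage.checks_next, stage.in_rom)


def patch_signature_check(stage: Stage) -> Stage:
    """Step 3: patch the stage so it no longer verifies what it loads next."""
    if stage.in_rom:
        raise ValueError(f"{stage.name} is in ROM and cannot be patched")
    return Stage(stage.name, stage.image + b"[sigcheck patched]", stage.sig, checks_next=False)


def boot(chain: List[Stage], bootrom_exploited: bool = False) -> Tuple[List[str], Optional[str]]:
    """Walk the chain. Returns (names of loaded stages, reason for stopping or None).

    bootrom_exploited models step 1: a code-execution bug in the bootrom lets the attacker
    skip its signature check at runtime without changing the ROM image."""
    loaded = [chain[0].name]   # the first stage is the root of trust; nothing verifies it
    for current, nxt in zip(chain, chain[1:]):
        enforces = current.checks_next and not (current.in_rom and bootrom_exploited)
        if enforces and not verify(nxt.image, nxt.sig):
            return loaded, f"{current.name} refused {nxt.name}: bad signature"
        loaded.append(nxt.name)
    return loaded, None


def scenarios() -> Dict[str, object]:
    """The steps of the walk-through applied one at a time to the stock chain."""
    results: Dict[str, object] = {}
    bootrom, llb, iboot, kernel, app = stock_chain()

    # Stock device: everything is signed and everything loads.
    results["stock"] = boot([bootrom, llb, iboot, kernel, app])

    # Step 4 alone: an unsigned app (Cydia) on an unpatched kernel is refused.
    unsigned_app = tamper(app, b"[cydia]")
    results["unsigned app"] = boot([bootrom, llb, iboot, kernel, unsigned_app])

    # Step 3 on the kernel only: the patched kernel no longer matches its signature, so iBoot refuses it.
    kernel_p = patch_signature_check(kernel)
    results["patched kernel"] = boot([bootrom, llb, iboot, kernel_p, unsigned_app])

    # Step 3 on iBoot and kernel: LLB refuses the patched iBoot.
    iboot_p = patch_signature_check(iboot)
    results["patched iBoot+kernel"] = boot([bootrom, llb, iboot_p, kernel_p, unsigned_app])

    # Step 3 on LLB, iBoot and kernel, but no step 1: the bootrom refuses the patched LLB.
    llb_p = patch_signature_check(llb)
    results["patched LLB+iBoot+kernel"] = boot([bootrom, llb_p, iboot_p, kernel_p, unsigned_app])

    # Step 1 + step 3: bootrom code execution skips the one check that cannot be patched out.
    results["bootrom exploited"] = boot([bootrom, llb_p, iboot_p, kernel_p, unsigned_app],
                                        bootrom_exploited=True)

    # The ROM itself cannot be patched, which is why step 1 has to be a runtime exploit.
    try:
        patch_signature_check(bootrom)
        results["patch bootrom"] = "patched"
    except ValueError:
        results["patch bootrom"] = "impossible: ROM"
    return results
```

Running `scenarios()` shows the dependency chain directly: patching only the kernel makes iBoot refuse it, patching iBoot makes LLB refuse it, and patching LLB makes the bootrom refuse it. Because the bootrom is ROM, its check can only be skipped at runtime (step 1); once that is done, the patched LLB, iBoot and kernel all load and the kernel accepts the unsigned app (step 4).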
greenpois0n

greenpois0n is one of the most recent jailbreaks for iOS 3.1-4.2.1, which at the time of this writing is the latest public release of iOS, but it is also an open source jailbreak development kit for working with jailbroken devices as well as for developing new jailbreak tools [8]. It is developed and released by the Chronic Dev-Team [16].

Figure 7: greenpois0n Jailbreak (boot-chain diagram; labels in the figure: Pre iPhone 3g, bootrom, iBSS, minimal, iBoot, iBEC, Ramdisk, kernel; greenpois0n path: iBoot, Ramdisk, kernel, loader.app)
greenpois0n toolkit

The greenpois0n tool-kit basically consists of the same code as the jailbreak, but split into different tools for different purposes and for easier development of future jailbreaks [17]. The following components are included, but not everything seems to be fully functioning yet.

Anthrax - Ramdisk development kit
Cyanide - iBoot/iBSS payload development kit
Doctors - Injector front-ends (UI)
libirecovery - library for communicating with iBoot/iBSS
Syringe - Exploit injector, can also be used to access the AES engine

References

[1] Wikipedia - XNU, 10.02.2011, http://en.wikipedia.org
[2] Wired - U.S. Declares iPhone Jailbreaking Legal, Over Apple's Objections, 26.06.2010, http://www.wired.com
[3] Sogeti ESEC Lab, CVE-2010-3830 - iOS < 4.2.1 packet filter local kernel vulnerability, http://esec-lab.sogeti.com
[4] Sogeti ESEC Lab, iPhone security model and vulnerabilities, HITB SecConf, 2010
[5] Wikipedia - Address space layout randomization, 10.02.2011, http://en.wikipedia.org