
Jailbreaking iOS – How an iPhone breaks free

Kai Aras
Computer Science and Media
Stuttgart Media University, Nobelstrasse 10, Stuttgart, Germany
kai.aras@010dev.com

Abstract: A short introduction to iOS and the overall topic of jailbreaking Apple's iOS devices, as well as a general overview of the iOS device and security architecture, is followed by a walk-through of the jailbreaking process itself and concrete examples of the currently available jailbreaks and tools, including Cydia, jailbreakme.com and greenpois0n.
Keywords: iOS, jailbreak, security, greenpois0n, jailbreakme.com

1. Introduction

Jailbreaking is a popular expression that is often used in the context of circumventing security mechanisms in Apple's iOS devices such as the iPhone or the iPad. The term itself seems to be derived from breaking out of the iPhone's so-called chroot jail, which goes back to the first iPhone hackers and the original iPhone.
Today, the term jailbreaking in general refers to the process of removing several technical restrictions from an iOS device, allowing developers to add additional functionality as well as giving users the freedom to install 3rd party applications not supported by Apple.
The following sections provide an overview of how a jailbreak actually works, including a brief introduction to the iOS hardware and security architecture, an explanation of possible attack vectors, as well as a description of the most recent jailbreaks and tools at the time of this writing.

What is iOS?

iOS is a mobile operating system developed by Apple and deployed on every iPhone, iPod Touch and iPad as well as on the latest generation of Apple TV. iOS is based on Apple's desktop operating system Mac OS X: it uses slightly modified versions of the same kernel, which is named XNU [1], and of the same system libraries.
Unlike Mac OS X, and due to its limited hardware resources, iOS can more or less be considered a single-tasking environment, which in this context means that from a user's point of view there is only one active application at any time. From a technical point of view the system is in fact capable of multitasking; however, unlike desktop operating systems, it exposes only a limited form of it to users and developers.

What is a Jailbreak?

As mentioned already, the process of jailbreaking an iOS device involves the removal of several security mechanisms in order to allow unsigned code to be executed, or in other words untrusted 3rd party applications to be installed and used. In practice, a jailbreak is distributed as a piece of software, a complete solution that performs said removal of security mechanisms and provides alternative ways to install untrusted 3rd party software.

What a Jailbreak can do

A jailbreak can serve many purposes, some generally positive and some not. Because commonly available tools are so easy to use, jailbreaking has become very popular even among non-technical users. Jay Freeman, who develops and maintains the unofficial Cydia store, already counts about nine million devices running his store [2] and therefore being jailbroken as well.
The following lists the most common reasons for users to jailbreak their device.
• Installation of untrusted 3rd party applications.
• Installation of system extensions such as custom sounds and themes, but also additional functionality for system applications like Mobile Safari.
• Starting point for unlocking and activating a device.
• Deeper system access for developers and researchers.
• Installation of pirated software.

Why it exists

There are a number of reasons for jailbreaks to exist; while there is no actual data available on this, the following seem to be the most obvious ones.
• Smart people like to figure out the inner workings of unknown systems.
• Software distribution on iOS is completely controlled by Apple.
• 3rd party developers cannot modify system components.
• 3rd party developers are not allowed to use private APIs.

Legal Situation

With jailbreaking being added to the exemptions from the Digital Millennium Copyright Act's anti-circumvention provision, jailbreaking has officially become legal in the USA; the situation in the rest of the world however remains unclear [2].
Copyright questions aside, jailbreaking an iOS device always voids the warranty given by Apple.

2. iOS Device Architecture

Every iOS device includes two completely separate systems on a chip (SoCs), an application processor and a baseband processor.
Each of the two processors can be thought of as a small separate computer including its own ARM core or CPU, RAM and NOR, a flash-based, persistent memory. In addition, the application processor also owns a larger NAND-based flash chip, which stores the iOS operating system as well as user content.

Figure 1: iOS Hardware Architecture (labels in the figure include the application processor running iOS with iBoot, kernel and NAND; the baseband processor running NucleusOS / ThreadX with GSM/UMTS; peripherals such as camera, display, UART, I2S, DMA and GPIO; and host-side tools such as iTunes, libusb, libirecovery and syringe)

Application Processor

The application processor runs the iOS operating system and therefore everything the user interacts with. In current generation devices such as the iPad or the iPhone 4 this is the famous Apple A4 chip; older generations use earlier ARM-based SoCs manufactured by Samsung.

Baseband Processor

The baseband processor runs a different operating system, which is called NucleusOS in previous generation devices [10] and ThreadX in current generation devices; both of these are real-time operating systems (RTOS) optimized for embedded devices. In general the baseband handles the cellular radio, i.e. GSM/UMTS (Wi-Fi and Bluetooth are handled by a separate chip attached to the application processor). The application processor interacts with the baseband as if it were a regular resource, even though the baseband is a complete, independent system.

3. iOS Security Model

The iOS security model heavily relies on memory protection, code signing and sandboxing. The following gives an overview of these mechanisms and briefly describes how they work.

Application Sandbox

iOS enforces a number of security mechanisms in order to isolate applications from each other and to prevent malicious code from being loaded and executed.
First, the NAND flash is divided into two logical partitions, a read-only system partition mounted at / and a writeable user partition mounted at /private/var. While the kernel and the system software are stored on the system partition, all 3rd party applications are installed onto the user partition. In addition, all applications, even those pre-installed by Apple, run in the context of a less privileged user account named mobile.

Figure 2: iOS application sandbox (system partition / read-only, user partition /private/var read-write; the kernel is signature checked by iBoot, applications are signature checked by the kernel at execve(); applications run as the mobile user with non-executable stack and heap, code signing and the W^X policy enforced by the kernel)
Memory Protection

iOS makes heavy use of hardware-enforced memory protection, known as the NX bit (AMD) or XD bit (Intel) on x86 platforms and as the XN (eXecute Never) bit on ARM-based platforms. This means memory pages can be restricted so that they cannot be executed or written to, making it difficult for attackers to execute injected code. This is complemented by another mechanism known under the term W^X policy [6], which means a page in memory can either be writeable or executable but never both at the same time.
With iOS 4.3, which at the time of this writing is still in beta, Apple will introduce yet another memory protection feature called Address Space Layout Randomization (ASLR) [5]. This is an anti-exploitation technique that randomly arranges a process's memory structures, so attackers cannot predict memory addresses of interest at runtime.

Code Signing

iOS in general only allows applications that are signed by Apple to be executed; this is checked directly by the kernel each and every time an application is started. When an application is launched, the system call execve is invoked with the application's binary passed as an argument; the kernel then looks at the binary to see whether it is signed, checks the signature and executes it on success.
In addition, the kernel itself is signature checked before being loaded by iBoot, which is signature checked in the previous stage as well, going down to the first piece of code that runs, which is the bootrom [7].

Encryption

Every iOS powered device features a built-in AES hardware engine for encrypting and decrypting data at reasonable speed, in combination with a pair of hardware keys: the GID key, which is shared by all devices using the same application processor, and the UID key, which is unique to each device.
The keys that are actually used for encrypting and decrypting, however, are not the hardware keys themselves but another set of keys derived from those.
Since these keys are wired in hardware and never used on actual data, they cannot be easily extracted, but the code that runs on the device is still able to use the AES engine and therefore to decrypt filesystem images or ramdisks without having to extract the GID and UID keys. This can be done in several ways, one of which is provided by an open source tool named "syringe", which is derived from the recent greenpois0n jailbreak tool [8].

Boot sequence

Normal Boot. A chain of trust is constructed by performing successive signature checks on every stage of the boot sequence, beginning with the low level bootloader (LLB) being checked and loaded by the bootrom. The LLB then signature checks and loads the second stage bootloader, iBoot, which does the same for the kernel and so on. Figure 3 shows the complete sequence for a regular iOS boot [10].

Figure 3: iOS boot sequence (bootrom → LLB → iBoot → kernel and ramdisk → system software on NAND → application; each arrow is a signature check performed by the previous stage)

Recovery Mode. Recovery mode is a fail-safe option in iBoot that allows a ramdisk to be uploaded and the device to be reflashed, as shown in Figure 4. The ramdisk can either be a restore ramdisk, which performs a clean restore of the device, or an upgrade ramdisk, which leaves user data untouched [8] [4].

Figure 4: iOS Recovery mode (bootrom → LLB → iBoot → uploaded ramdisk and kernel, each stage signature checked)

DFU Mode. Device Firmware Upgrade or DFU mode, as shown in Figure 5, is a fall-back option that allows the restore process to be bootstrapped from any given state. DFU mode can be entered manually by booting the device while holding a certain key combination for a certain amount of time [8] [4].
How these modes are abused is the subject of Section 4; Section 5 then describes what happens during a generic jailbreak on older generation devices, followed by the same process adapted for current generation devices.
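The W^X rule from the Memory Protection section, shown as an added example in C (not code from the paper or from iOS): a small allocator for buffers of generated code that refuses any mapping which would be writable and executable at the same time, and that only moves a buffer from writable to executable after it has been filled. iOS enforces the rule inside the kernel's virtual memory layer; here mmap() and mprotect() on a POSIX host stand in for it, the wx_ names are the example's own, and the single code byte is a constructed sample that is never executed.

```c
/* Added example: a user-space W^X gate for buffers of generated code.
 * Not code from the paper or from iOS; mmap/mprotect on a POSIX host
 * stand in for the kernel's page protection. All wx_* names are the
 * example's own. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

typedef struct {
    uint8_t *base;   /* page-aligned start of the mapping */
    size_t   len;    /* mapping length in bytes */
    int      prot;   /* protection currently applied, PROT_* bits */
} wx_region;

/* The policy itself: writable and executable may never be set together. */
int wx_allowed(int prot)
{
    return (prot & (PROT_WRITE | PROT_EXEC)) != (PROT_WRITE | PROT_EXEC);
}

/* Map a fresh buffer. It starts writable, so it is not executable. */
int wx_map(wx_region *r, size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    r->base = p;
    r->len  = len;
    r->prot = PROT_READ | PROT_WRITE;
    return 0;
}

/* Change protection, but only to a state the policy permits. The gate runs
 * before mprotect(), so a request for RWX never reaches the kernel. */
int wx_protect(wx_region *r, int prot)
{
    if (!wx_allowed(prot)) {
        errno = EACCES;
        return -1;
    }
    if (mprotect(r->base, r->len, prot) != 0)
        return -1;
    r->prot = prot;
    return 0;
}

/* Copy code bytes in. Refused once the buffer has been sealed: from then on
 * the only way to change it is to drop execute and re-open it as writable. */
int wx_write(wx_region *r, size_t off, const void *src, size_t n)
{
    if (!(r->prot & PROT_WRITE) || off > r->len || n > r->len - off)
        return -1;
    memcpy(r->base + off, src, n);
    return 0;
}

/* Seal: drop write, add execute. This is the one-way RW -> RX transition. */
int wx_seal(wx_region *r) { return wx_protect(r, PROT_READ | PROT_EXEC); }

int wx_unmap(wx_region *r)
{
    int rc = munmap(r->base, r->len);
    r->base = NULL; r->len = 0; r->prot = PROT_NONE;
    return rc;
}

/* Lifecycle check. Returns a bitmask of the policy decisions observed:
 * bit 0: RWX request refused, bit 1: write after seal refused,
 * bit 2: region still read+execute only after the refused requests.
 * Expected value when the policy holds: 7. Negative: the host itself
 * refused a mapping, so there was nothing to test. */
int wx_lifecycle(void)
{
    wx_region r;
    static const uint8_t code[] = { 0xC3 };   /* constructed sample byte, never executed */
    int mask = 0;
    if (wx_map(&r, 4096) != 0)
        return -1;
    if (wx_write(&r, 0, code, sizeof code) != 0)
        return -2;
    if (wx_seal(&r) != 0) {
        wx_unmap(&r);
        return -3;
    }
    if (wx_protect(&r, PROT_READ | PROT_WRITE | PROT_EXEC) == -1 && errno == EACCES)
        mask |= 1;
    if (wx_write(&r, 0, code, sizeof code) == -1)
        mask |= 2;
    if (r.prot == (PROT_READ | PROT_EXEC))
        mask |= 4;
    wx_unmap(&r);
    return mask;
}
```

wx_lifecycle() is the scenario a practitioner would run on a new platform: it returns 7 when all three policy decisions were observed, and a negative code if the host itself refused a mapping. A request for PROT_READ|PROT_WRITE|PROT_EXEC never reaches mprotect() at all, which is the difference between a policy enforced in one place and one that relies on every caller remembering it.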
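What the kernel's check at execve() in the Code Signing section starts from, as an added example in C (not the paper's code and not Apple's): the code signature of an iOS binary lives inside its Mach-O file, referenced by an LC_CODE_SIGNATURE load command that points at a superblob in the file. The parser below walks the load commands the way a loader must, refusing commands that overrun the header area or a signature that points outside the file, and returns the offset of the signature blob. The sample binary is constructed inline; its signature blob is only a superblob header, not an Apple signature, and comparing the CodeDirectory hashes inside a real blob against the file's pages (what the kernel does before allowing execution) is beyond this example.

```c
/* Added example: locate the embedded code signature in a 32-bit Mach-O,
 * the blob the iOS kernel verifies at execve(). Not code from the paper or
 * from Apple; the sample file is constructed below and carries only a
 * placeholder superblob header, no real signature. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MH_MAGIC                   0xfeedfaceu  /* 32-bit Mach-O, as used on ARM iOS devices */
#define MH_HEADER_SIZE             28           /* magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags */
#define LC_CODE_SIGNATURE          0x1du        /* linkedit_data_command: cmd, cmdsize, dataoff, datasize */
#define CSMAGIC_EMBEDDED_SIGNATURE 0xfade0cc0u  /* superblob magic; code-signing blobs are big-endian */

/* Result codes of find_code_signature() when no usable signature is found. */
enum { CS_NOT_MACHO = -1, CS_UNSIGNED = -2, CS_BAD_LOADCMD = -3,
       CS_BLOB_OUT_OF_FILE = -4, CS_BAD_BLOB = -5 };

static uint32_t rd32le(const uint8_t *p)
{ return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint32_t rd32be(const uint8_t *p)
{ return p[3] | (uint32_t)p[2] << 8 | (uint32_t)p[1] << 16 | (uint32_t)p[0] << 24; }

/* Walk the load commands and return the file offset of the signature
 * superblob, or one of the negative CS_* codes. Every size read from the
 * file is checked against what is actually present, since a forged binary
 * is exactly what this check exists to reject. */
long find_code_signature(const uint8_t *file, size_t len)
{
    if (len < MH_HEADER_SIZE || rd32le(file) != MH_MAGIC)
        return CS_NOT_MACHO;
    uint32_t ncmds = rd32le(file + 16), sizeofcmds = rd32le(file + 20);
    size_t off = MH_HEADER_SIZE;
    if (sizeofcmds > len - off)
        return CS_BAD_LOADCMD;
    size_t end = off + sizeofcmds;                 /* load commands must stay inside this */
    for (uint32_t i = 0; i < ncmds; i++) {
        if (end - off < 8)
            return CS_BAD_LOADCMD;
        uint32_t cmd = rd32le(file + off), cmdsize = rd32le(file + off + 4);
        if (cmdsize < 8 || cmdsize > end - off)
            return CS_BAD_LOADCMD;                 /* would overrun the command area */
        if (cmd == LC_CODE_SIGNATURE) {
            if (cmdsize < 16)
                return CS_BAD_LOADCMD;
            uint32_t dataoff = rd32le(file + off + 8), datasize = rd32le(file + off + 12);
            if (dataoff > len || datasize > len - dataoff || datasize < 8)
                return CS_BLOB_OUT_OF_FILE;        /* points into __LINKEDIT beyond the file */
            if (rd32be(file + dataoff) != CSMAGIC_EMBEDDED_SIGNATURE)
                return CS_BAD_BLOB;
            return (long)dataoff;
        }
        off += cmdsize;
    }
    return CS_UNSIGNED;                            /* no LC_CODE_SIGNATURE: the kernel refuses it */
}

static void put32le(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static void put32be(uint8_t *p, uint32_t v)
{ p[3] = (uint8_t)v; p[2] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v >> 16); p[0] = (uint8_t)(v >> 24); }

/* Constructed sample: ARM executable header, an LC_UUID command and, if
 * with_signature, an LC_CODE_SIGNATURE pointing at a 12-byte superblob
 * header at offset 72. buf must hold at least 84 bytes. Returns the length. */
size_t build_sample(uint8_t *buf, int with_signature)
{
    memset(buf, 0, 84);
    put32le(buf + 0, MH_MAGIC);
    put32le(buf + 4, 12);                        /* CPU_TYPE_ARM */
    put32le(buf + 8, 9);                         /* CPU_SUBTYPE_ARM_V7 */
    put32le(buf + 12, 2);                        /* MH_EXECUTE */
    put32le(buf + 16, with_signature ? 2 : 1);   /* ncmds */
    put32le(buf + 20, with_signature ? 40 : 24); /* sizeofcmds */
    put32le(buf + 28, 0x1b);                     /* LC_UUID, 24 bytes */
    put32le(buf + 32, 24);
    if (!with_signature)
        return 52;
    put32le(buf + 52, LC_CODE_SIGNATURE);
    put32le(buf + 56, 16);
    put32le(buf + 60, 72);                       /* dataoff */
    put32le(buf + 64, 12);                       /* datasize */
    put32be(buf + 72, CSMAGIC_EMBEDDED_SIGNATURE);
    put32be(buf + 76, 12);                       /* blob length */
    put32be(buf + 80, 0);                        /* blob count; a real one carries a CodeDirectory */
    return 84;
}
```

On a real binary the blob at the returned offset is a superblob whose entries include the CodeDirectory, and the kernel compares the page hashes stored there against the pages it maps. A file without an LC_CODE_SIGNATURE command, or with one pointing outside the file, fails before any hash is looked at, which is the behaviour the negative codes model; a jailbreak's "remove signature checks" step turns exactly this refusal into a no-op.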

Figure 5: iOS DFU mode (bootrom → iBSS, a minimal iBoot → iBEC → ramdisk and kernel)

4. Attack Vectors

Recovery/DFU mode are meant to be used to bootstrap the recovery process, but can be used to access the bootrom and therefore to attack iBoot.
Bootrom exploits can be used to target the system's lowest entry point. These exploits require a physical connection to the device, but also cannot be fixed by firmware upgrades. iBoot is present in two versions on each device. First, there is an iBoot in the bootrom that can be accessed via DFU mode. Second, there is the regular iBoot in the NOR. While the latter is updated with each firmware upgrade, the iBoot in the bootrom is not.
Userland exploits in applications like Safari, or in components used within them, can be used as well. Userland jailbreaks usually require an additional privilege escalation vulnerability in order to break out of the exploited application's sandbox.
Kernel exploits can be used to gain root privileges after exploiting a code execution vulnerability in a userland application, as well as to persist a jailbreak or make it untethered, so that the jailbreak survives a device reboot.

5. The Breakout

Pre iPhone 3G
1. Exploit a code-execution vulnerability to deploy and execute the jailbreak payload.
2. Execute the payload; if required, gain root by exploiting a privilege escalation vulnerability.
3. Patch LLB, iBoot and kernel to remove the signature checks.
4. Install Cydia to allow installation of unsigned 3rd party applications.

Post iPhone 3G
1. Exploit a code-execution vulnerability to deploy and execute the jailbreak payload.
2. Execute the payload; if required, gain root by exploiting a privilege escalation vulnerability.
3. Install Cydia to allow installation of unsigned 3rd party applications.
4. Exploit a kernel vulnerability again on each boot to regain unsigned code execution.

Tethered vs. Untethered

Jailbreaks usually come in two flavours; most of the time a tethered one is released first, and an update that makes it untethered follows after a short time. There is only one major difference between the two: while an untethered jailbreak only has to be done once, the tethered version only persists until the device is rebooted or loses battery power. To boot into a jailbroken state again, the device needs to be attached (tethered) to a PC running the jailbreak software.
The reason for this is the fact that, besides the exploit used to inject and perform the actual jailbreak, a kernel exploit is required as well in order to be able to reboot the device into a jailbroken state. Because the bootrom of older devices did not check the LLB before loading it at boot time, the chain of trust could truly be broken there, and this step was not required on older devices or older firmware versions.
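The chain of trust from the Boot sequence section, and what the Pre/Post iPhone 3G procedures and the tethered/untethered distinction do to it, as an added example in C (not code from the paper or from any jailbreak tool). Each stage verifies the next before handing over, unless the check has been patched out of that stage; the bootrom's behaviour is a device property, since old bootroms loaded the LLB unchecked and current ones verify it. The "signature" is a keyed FNV-1a tag standing in for Apple's RSA signature and APPLE_KEY stands in for Apple's private key; the control flow is the point, not the cryptography.

```c
/* Added example: the iOS boot chain of trust (bootrom -> LLB -> iBoot ->
 * kernel) as a small state machine. Not code from the paper or from any
 * jailbreak tool. The "signature" is a keyed FNV-1a tag that stands in for
 * Apple's RSA signature; APPLE_KEY stands in for Apple's private key. */
#include <stdint.h>
#include <stdio.h>

enum { STAGE_LLB, STAGE_IBOOT, STAGE_KERNEL, N_STAGES };

typedef struct {
    const char *image;       /* the stage's code; a string in this model */
    int         checks_next; /* 1 if this stage still verifies its successor (part of its code) */
    uint32_t    sig;         /* tag over image and checks_next made with the signer's key */
} stage_t;

#define APPLE_KEY 0xA11CE5EDu   /* assumption: models the key only Apple holds */

/* Keyed FNV-1a over the stage contents. Anyone without the key cannot
 * produce a tag that verifies under it, which is all the model needs. */
static uint32_t tag(const char *image, int checks_next, uint32_t key)
{
    uint32_t h = 2166136261u ^ key;
    for (; *image; image++) { h ^= (uint8_t)*image; h *= 16777619u; }
    h ^= (uint32_t)checks_next;
    h *= 16777619u;
    return h;
}

static int verify(const stage_t *s)
{
    return s->sig == tag(s->image, s->checks_next, APPLE_KEY);
}

/* A stock stage: keeps its check and carries a valid tag. */
static stage_t apple_signed(const char *image)
{
    stage_t s = { image, 1, 0 };
    s.sig = tag(image, 1, APPLE_KEY);
    return s;
}

/* A jailbreak-patched stage: its check is removed. The patcher has no
 * signing key, so the tag left in NOR is the one over the unpatched stage
 * and no longer matches the modified image. */
static stage_t patched(const char *image)
{
    stage_t s = { image, 0, 0 };
    s.sig = tag(image, 1, APPLE_KEY);   /* stale tag of the original, unpatched stage */
    return s;
}

/* Boot the device. Stage i-1 verifies stage i before jumping to it, but only
 * if stage i-1 still contains the check; whether the bootrom checks the LLB
 * is a device property. Returns the index of the first stage that was
 * rejected (the device would drop into recovery mode there), or N_STAGES
 * if it booted all the way into the kernel. */
int boot_chain(const stage_t chain[N_STAGES], int bootrom_checks_llb)
{
    int prev_checks = bootrom_checks_llb;
    for (int i = 0; i < N_STAGES; i++) {
        if (prev_checks && !verify(&chain[i]))
            return i;
        prev_checks = chain[i].checks_next;   /* a patched stage verifies nothing */
    }
    return N_STAGES;
}

/* Scenarios. bootrom_checks_llb = 0 models pre-3G devices, 1 current ones. */
int boot_stock(int bootrom_checks_llb)
{
    stage_t c[N_STAGES] = { apple_signed("LLB"), apple_signed("iBoot"), apple_signed("kernel") };
    return boot_chain(c, bootrom_checks_llb);
}

/* Only the kernel replaced: iBoot still checks it, so any device rejects it. */
int boot_unsigned_kernel(int bootrom_checks_llb)
{
    stage_t c[N_STAGES] = { apple_signed("LLB"), apple_signed("iBoot"), patched("kernel") };
    return boot_chain(c, bootrom_checks_llb);
}

/* Step 3 of the pre-3G procedure: LLB, iBoot and kernel patched in NOR.
 * Boots on an old device (untethered by construction); on a current device
 * the bootrom rejects the LLB, so every boot needs a bootrom or kernel
 * exploit again, which is what "tethered" means. */
int boot_patched_chain(int bootrom_checks_llb)
{
    stage_t c[N_STAGES] = { patched("LLB"), patched("iBoot"), patched("kernel") };
    return boot_chain(c, bootrom_checks_llb);
}

int main(void)
{
    static const char *outcome[] = { "rejected at LLB", "rejected at iBoot",
                                     "rejected at kernel", "booted" };
    printf("stock chain, current device:   %s\n", outcome[boot_stock(1)]);
    printf("unsigned kernel, any device:   %s\n", outcome[boot_unsigned_kernel(1)]);
    printf("patched chain, pre-3G device:  %s\n", outcome[boot_patched_chain(0)]);
    printf("patched chain, current device: %s\n", outcome[boot_patched_chain(1)]);
    return 0;
}
```

boot_patched_chain(0) boots while boot_patched_chain(1) stops at the LLB: the only difference is whether the root of the chain verifies its child. That is why a bootrom exploit cannot be fixed by a firmware update, and why, without one, a patched chain on a current device has to be re-established by a kernel exploit on every boot.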

Since Apple is continuously closing vulnerabilities and improving its security mechanisms, the general jailbreaking process described above has changed over time and keeps changing with every iOS release.

6. Jailbreaking vs. Unlocking

The term unlocking is often used in conjunction with the process of jailbreaking. However, it is an entirely different process serving a very different purpose.
While a jailbreak removes certain security mechanisms to allow unsigned code execution, an unlock serves the purpose of removing a carrier lock, forcing the device to accept any working SIM card. The reason these two processes are so different lies in the fact that the jailbreak takes place on the application processor, while the unlock has to be achieved by modifying the baseband, which is a completely different system as described in Section 2. However, the process of unlocking usually requires the device to be jailbroken.

How the Unlock works

The goal of an unlock is to free a device from its carrier lock, which is usually used in subsidized phones to make a phone work only with the carrier that sold it. To achieve this, either the lock state of the device has to be altered, which is hard since it is kept in an encrypted and protected section of the baseband's flash memory, or the mechanism that checks the lock state needs to be disabled. Because a bootrom exploit for the baseband processor has not been found yet, current unlocks rely on the second way, which in practice means running a daemon process on the application processor that exploits vulnerabilities in the baseband's operating system to disable the checks of the device's lock state on the fly. As mentioned already, this requires the phone to be jailbroken in order to be able to use the application processor as a base platform for unlocking the device.

7. Jailbreaks and Tools

At the time of this writing, many jailbreaks and tools have been published; the following describes the most recent and important releases. In general, all tools are available for Mac OS X and Windows.

PwnageTool

PwnageTool is a jailbreak tool for creating custom firmware images that can be installed via iTunes using the regular restore process [11]. Each release usually relies on a different vulnerability, but the idea is the same: it takes an official firmware image and allows for customisations such as removal or pre-installation of specific tools or libraries, then it performs the same injection and patching process as other jailbreaks to finally make the device accept the custom built firmware image in a regular iTunes restore. The most recent release makes use of the same bootrom vulnerability as other current tools such as limera1n or greenpois0n.

Cydia

Cydia has become the main tool for installing and managing untrusted 3rd party software on jailbroken devices. At the time of this writing, Cydia was distributed and auto-installed by all of the recently published jailbreaks.
Cydia is an unofficial app store developed by Jay Freeman (saurik) that, unlike the official App Store managed by Apple, allows 3rd party developers to distribute and monetize applications, system extensions, themes and more without having to go through any review process at all. While this may sound like a good thing, it actually opens the door for malware to enter the world of iOS, since most of the security mechanisms put in place to prevent this have already been removed while jailbreaking the device.
From a technical point of view, Cydia is nothing more than an ARM port of the well known Debian Advanced Packaging Tool (APT) in combination with a natively written UI front-end [12].

Star

Star is the jailbreak that was recently deployed to jailbreakme.com [14]. It is a complete userland jailbreak and, apart from that, is completely web-based as well, meaning it does not require any additional hardware or software besides the device to be jailbroken. In practice, Star is presented as a website that, when visited from a compatible device, allows the user to perform a jailbreak simply by swiping the screen and confirming the process.
As easy as this sounds, the Star jailbreak is a complex piece of software that makes use of multiple vulnerabilities and advanced exploitation techniques such as return-oriented programming (ROP), a generalisation of the classic return-to-libc attack that chains short instruction sequences already present in executable memory and therefore works despite a non-executable stack and heap [9]. Figure 6 shows the involved components and the order of performed actions. First, a malicious PDF document is deployed via HTTP, then a stack overflow in the FreeType2 font parser used in the PDF reader module included in Mobile Safari is exploited to inject a payload, which then exploits a buffer overflow in a kernel extension to gain root privileges. Once the breakout from the exploited application's sandbox has happened, the jailbreak downloads a second payload containing the Cydia app and some additional libraries required to install Cydia and complete the jailbreak [8].

Figure 6: Star jailbreak (jailbreakme.com): the PDF CFF font parser in Mobile Safari is exploited in the application, payload 1 exploits the kernel, payload 2 installs Cydia; bootrom, LLB and iBoot remain untouched.

limera1n

limera1n is a jailbreak released in October 2010 by George Hotz [15]. Unlike the Star jailbreak, it requires the device to be connected to a USB host which runs the actual jailbreak software. limera1n uses a bootrom exploit, undisclosed at the time of this writing, to bootstrap the jailbreak process and boot the device into a jailbroken state; then a kernel exploit developed by comex [13] is used to make it untethered, i.e. to make the jailbreak persist across reboots and power losses.

greenpois0n

greenpois0n is one of the most recent jailbreaks, for iOS 3.1 to 4.2.1, the latter being the latest public release of iOS at the time of this writing; but it also is an open source jailbreak development kit for working with jailbroken devices as well as for developing new jailbreak tools [8]. It is developed and released by the Chronic Dev Team [16].

greenpois0n jailbreak

The greenpois0n jailbreak is very similar to the previous limera1n jailbreak: both are fully automated solutions available for Mac and Windows, both require a USB connection, and they even use the very same bootrom exploit to perform the jailbreak. As shown in Figure 7, the jailbreak exploits a bootrom vulnerability to bootstrap a restore process that uploads a ramdisk containing a small loader application, which can later be used to install Cydia and complete the jailbreak.
In addition, a kernel exploit by comex [13], which is also shared between greenpois0n, limera1n and PwnageTool, is used to disable signature checking on each reboot and therefore make the jailbreak untethered.

Figure 7: greenpois0n jailbreak (bootrom → iBSS with injected iBSS payload → iBoot → ramdisk and kernel → loader.app)
greenpois0n toolkit

The greenpois0n toolkit basically consists of the same code as the jailbreak, but split into different tools for different purposes and easier development of future jailbreaks [17]. The following is included, but not everything seems to be fully functional yet.
Anthrax: ramdisk development kit
Cyanide: iBoot/iBSS payload development kit
Doctors: injector front-ends (UI)
libirecovery: library for communicating with iBoot/iBSS
Syringe: exploit injector, can also be used to access the AES engine

References

[1] Wikipedia - XNU, 10.02.2011, http://en.wikipedia.org
[2] Wired - U.S. Declares iPhone Jailbreaking Legal, Over Apple's Objections, 26.06.2010, http://www.wired.com
[3] Sogeti ESEC Lab, CVE-2010-3830 - iOS < 4.2.1 packet filter local kernel vulnerability, http://esec-lab.sogeti.com
[4] Sogeti ESEC Lab, iPhone security model and vulnerabilities, HITB SecConf, 2010
[5] Wikipedia - Address space layout randomization, 10.02.2011, http://en.wikipedia.org
[6] Wikipedia - W^X, 10.02.2011, http://en.wikipedia.org
[7] Charlie Miller and Vincenzo Iozzo, Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
[8] The iPhone Wiki, 10.02.2010, http://theiphonewiki.com
[9] Erik Buchanan, Ryan Roemer, and Stefan Savage, Return-Oriented Programming: Exploits Without Code Injection, Black Hat USA 2008
[10] iPhone Dev-Team, Hacking the iPhone, 25th Chaos Communication Congress (25C3), 2008
[11] iPhone Dev-Team, 14.11.2010, http://blog.iphone-dev.org
[12] Jay Freeman (saurik) - Bringing Debian APT to the iPhone, 10.02.2011, http://www.saurik.com/
[13] comex - GitHub, 10.02.2010, https://github.com/comex
[14] comex, 14.11.2010, http://jailbreakme.com
[15] George Hotz (geohot), 14.11.2010, http://limera1n.com/
[16] Chronic Dev Team, 14.11.2010, http://chronic-dev.org
[17] Chronic Dev Team - GitHub repository, 10.02.2011, https://github.com
