
Extended Abstract: Jailbreaking iOS

How an iPhone breaks free


Kai Aras
Computer Science and Media
Stuttgart Media University, Nobelstrasse 10 Stuttgart, Germany
kai.aras@010dev.com

Abstract: This is the short version of a detailed introduction to the topic of jailbreaking Apple’s
iOS devices. A general overview of iOS device and security architecture is followed by a quick
walk-through of the jailbreaking process as well as an overview of the currently available jailbreaks
and tools.
Keywords: iOS, jailbreak, security

1. Introduction

Jailbreaking is a popular expression that is often used in the context of hacking Apple's iOS devices such as the iPhone or the iPad. The term itself seems to be derived from breaking out of the iPhone's so-called chroot jail, which goes back to the first iPhone hackers and the original iPhone. Today, the term jailbreaking in general refers to the process of removing several technical restrictions from an iOS device, allowing developers to add additional functionality as well as giving users the freedom to install 3rd party applications not supported by Apple.

The following sections provide an overview of how a jailbreak actually works, including a brief introduction to the iOS hardware and security architecture, an explanation of possible attack vectors, as well as a description of the most recent jailbreaks at the time of this writing.

2. iOS Device Architecture

Every iOS device includes two completely separate systems on a chip (SoCs), an application processor and a baseband processor. The application processor runs the iOS operating system and therefore everything the user interacts with, while the baseband processor is exclusively responsible for managing everything related to the radio. Each of the two processors has its own ARM core, NOR flash and RAM. The baseband also runs a different operating system, which is called NucleusOS. [1]

3. iOS Security Model

The iOS security model heavily relies on memory protection, code signing and sandboxing.

Boot sequence

A chain of trust is constructed by performing successive signature checks on every stage of the boot sequence, beginning with the low level bootloader (LLB) being checked and loaded by the bootrom. The LLB then signature checks and loads the second stage bootloader, iBoot, which does the same for the kernel and so on. Figure 1 shows the complete sequence for a regular iOS boot. [1]

Figure 1: iOS boot sequence (figure labels: bootrom, llb, iBoot, ramdisk, kernel, console; DFU, recovery, restore and iTunes paths; NOR; every transition between stages marked "signature check")

Application Sandbox

iOS enforces a number of security mechanisms in order to isolate applications from each other and to prevent malicious code from being executed. First, the NAND flash is divided into two logical partitions, a read-only system partition and a writeable user partition. Second, all applications are signature checked by the kernel before being executed. In addition, an application's stack and heap as well as unsigned memory pages in general cannot be executed. [1]

Figure 2: iOS application sandbox (figure labels: NAND with system partition "sys /" (read-only) and user partition "/private/var" (rw); kernel signature checked by iBoot; application signature checked by kernel at execve(); 3rd party app runs as mobile user; code signing, encryption, non executable stack and heap, W^X policy)
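The chain of trust from the boot sequence and the kernel's code-signing check at execve() from the application sandbox, modelled together as an added example in Python. This code is not from the paper or from any jailbreak tool. It assumes HMAC-SHA256 under a constructed key as a stand-in for Apple's real signature scheme, constructed stage images, and the stage and partition names from Figures 1 and 2; the `updatable` flag on each stage is an assumption that models why a restore through iTunes can replace LLB, iBoot and the kernel in NOR/NAND but never the bootrom (Section 5).

```python
"""Added example (not from the paper): a model of the iOS chain of trust
(bootrom -> LLB -> iBoot -> kernel) and of the kernel's execve() code-signing
and W^X policy. Signatures are HMAC-SHA256 under a constructed key that stands
in for Apple's signing key; a real device uses RSA certificates."""
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed key: plays the role of Apple's private signing key in this model.
APPLE_SIGNING_KEY = b"constructed-stand-in-for-apple-signing-key"


def sign(image: bytes, key: bytes = APPLE_SIGNING_KEY) -> bytes:
    """Produce the 'signature' a stage carries; only the key holder can do this."""
    return hmac.new(key, image, hashlib.sha256).digest()


def signature_ok(image: bytes, sig: bytes, key: bytes = APPLE_SIGNING_KEY) -> bool:
    """The check every loader performs on the next stage before handing over."""
    return hmac.compare_digest(sign(image, key), sig)


@dataclass(frozen=True)
class Stage:
    name: str
    image: bytes
    sig: bytes
    updatable: bool  # True for NOR/NAND contents, False for the bootrom (mask ROM)


def build_chain(key: bytes = APPLE_SIGNING_KEY) -> list:
    """Constructed, signed images for bootrom -> LLB -> iBoot -> kernel."""
    def stage(name, image, updatable):
        return Stage(name, image, sign(image, key), updatable)
    return [
        stage("bootrom", b"bootrom v1", updatable=False),  # nothing verifies the bootrom
        stage("llb", b"llb 4.1", updatable=True),
        stage("iBoot", b"iBoot 4.1", updatable=True),
        stage("kernel", b"kernel 4.1", updatable=True),
    ]


def boot(chain: list):
    """Walk the chain: the stage that is running verifies the next one.
    Returns (names of stages that ran, name of the stage that failed its check or None)."""
    ran = [chain[0].name]  # the bootrom is trusted by virtue of being ROM
    for nxt in chain[1:]:
        if not signature_ok(nxt.image, nxt.sig):
            return ran, nxt.name  # boot halts; a real device drops into recovery/DFU
        ran.append(nxt.name)
    return ran, None


def firmware_update(chain: list, new_images: dict, key: bytes = APPLE_SIGNING_KEY) -> list:
    """A restore rewrites only the updatable stages with freshly signed images."""
    return [
        replace(s, image=new_images[s.name], sig=sign(new_images[s.name], key))
        if s.updatable and s.name in new_images else s
        for s in chain
    ]


def tamper(chain: list, name: str, new_image: bytes) -> list:
    """Overwrite one stage's image without the signing key; its old signature stays."""
    return [replace(s, image=new_image) if s.name == name else s for s in chain]


# --- runtime side: what the kernel enforces once it is up (Figure 2) ---
USER_PARTITION = "/private/var"  # the only writable partition


def execve_check(path: str, image: bytes, sig: bytes):
    """Kernel policy at execve(): valid signature first, then sandbox placement.
    Returns (allowed, user the process runs as, or the reason it was refused)."""
    if not signature_ok(image, sig):
        return False, "unsigned code rejected at execve()"
    if path.startswith(USER_PARTITION):
        return True, "mobile"  # 3rd party apps run as the unprivileged mobile user
    return True, "system partition binary (uid not modelled)"  # assumption


def mprotect_wx_policy(writable: bool, executable: bool) -> bool:
    """W^X: a page may be writable or executable, never both."""
    return not (writable and executable)


if __name__ == "__main__":
    chain = build_chain()
    print("clean boot:", boot(chain))
    print("patched iBoot:", boot(tamper(chain, "iBoot", b"iBoot 4.1 patched")))
    updated = firmware_update(chain, {"bootrom": b"bootrom v2", "kernel": b"kernel 4.2"})
    print("bootrom after restore:", updated[0].image, "kernel:", updated[3].image)
    app = b"third party app"
    print("signed app:", execve_check("/private/var/mobile/Applications/x/App", app, sign(app)))
    print("unsigned app:", execve_check("/private/var/mobile/Applications/x/App", app, b"\x00" * 32))
```

Running the script shows the clean chain reaching the kernel, the boot halting at iBoot once that image is altered without the key, a restore that replaces the kernel but leaves the bootrom image untouched, and the unsigned binary being refused at execve().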


4. Jailbreaking vs. Unlocking

The term unlocking is often used in conjunction with the process of jailbreaking. However, it is an entirely different process serving a very different purpose. While a jailbreak removes certain security mechanisms to allow unsigned code execution, an unlock serves the purpose of removing a carrier lock, forcing the device to accept any working SIM card. The reason these two processes are so different lies in the fact that the jailbreak takes place on the application processor, while the unlock has to be achieved by modifying the baseband, which is a completely different system as described in Section 2. However, the process of unlocking usually requires the device to be jailbroken.

5. Attack Vectors

Recovery and DFU mode are meant to be used to bootstrap the recovery process, but can be used to access the bootrom and therefore to attack iBoot.

Bootrom exploits can be used to target the system's lowest entry point. These exploits require a physical connection to the device, but also cannot be fixed by firmware upgrades.

iBoot is present in two versions on each device. First, there is an iBoot in the bootrom that can be accessed via DFU mode. Second, there is the regular iBoot in the NOR. While the latter one is updated with each firmware upgrade, the iBoot in the bootrom is not.

Userland exploits in applications like Safari or components used within them can be used. Userland jailbreaks usually require an additional privilege escalation vulnerability in order to break out of the exploited application's sandbox.

Kernel exploits can be used to gain root privileges after exploiting a code execution vulnerability in a userland application.

6. The Breakout

The following takes place during a generic jailbreak.

1. exploit a code execution vulnerability to deploy and execute the jailbreak payload
2. execute the payload; if required, gain root by exploiting a privilege escalation vulnerability
3. patch LLB, iBoot and kernel to remove signature checks
4. install Cydia to allow installation of unsigned 3rd party applications.

7. Jailbreaks and Tools

At the time of this writing, many jailbreaks have been published; the following describes the most recent releases.

greenpois0n is one of the most recent jailbreaks for iOS 3.1 - 4.1 as well as a toolkit for developing jailbreaks. It is developed by the Chronic Dev-Team. [2]

Star is the jailbreak that was recently deployed to Jailbreakme.com. It is a complete userland jailbreak that makes use of a stack overflow in the FreeType2 library used in iOS. [3]

Limera1n is a jailbreak that uses an undisclosed exploit in the bootrom as well as a userland exploit to achieve unsigned code execution. It has been developed by George Hotz and is also implemented in greenpois0n. [2] [5]

PwnageTool is a jailbreak tool for creating custom firmware images that can be installed via iTunes using the regular restore process. [4]

References

[1] iPhone Dev-Team, Hacking the iPhone, 25th Chaos Communication Congress (25C3), 2008
[2] Chronic Dev-Team, 14.11.2010, http://chronic-dev.org
[3] comex, 14.11.2010, http://jailbreakme.com
[4] iPhone Dev-Team, 14.11.2010, http://blog.iphone-dev.org
[5] George Hotz (geohot), 14.11.2010, http://limera1n.com/
